Welcome back everyone. Today we're going to talk about how to work with an AD1 disk image. An AD1 disk image is created by AccessData. It's their own proprietary format. You sometimes see them around, but they're not very well supported on a lot of different tools, so they're not very popular. But whenever you do see them, you need to know how to be able to extract the data from them. You can think of them kind of like a zip file. This is a logical container and you can put different files inside of it. You can put partition information inside of it or whole physical disk information if you want to. But usually we see them filled with files that have been copied directly. So whenever you do a file-level acquisition of a disk or maybe cloud storage or something like that, where you don't want all of the data, you only need specific files, you might see them in an AD1 format if they were collected with something like FTK Imager.
Now the problem is, because it's proprietary to AccessData, you're going to need something like AccessData's FTK Imager or FTK to be able to open and work with it. So FTK Imager is freely available. So let's go ahead and download that first. So first we go to accessdata.com, and Exterro has recently bought AccessData, so they've changed things around a little bit. Go to products and services. You'll find the FTK Imager link by itself. Click download FTK Imager. They'll ask for your email and some other information about you, but once you put that in, then you do get access to the FTK Imager download. And the download will look like this, and it's the AccessData FTK Imager download, and I have the 64-bit version. At the time of this video, 4.5.0 is the most recent version. Whenever you want to install it, just double click on the installer, click yes to allow permissions, and then it just goes through like a normal install in Windows. You can basically just click next, next, next.
So now we can open AccessData's FTK Imager and make sure it does have permissions. Click yes. You will need permissions if you want to access any of the disks, but since we're dealing with a disk image, you don't have to give it administrative access. Again, I have version 4.5.0 and the interface looks a lot like it used to since a long time ago. However, the backend has been changed quite a bit and the newer version of FTK Imager is much faster at imaging. So I do recommend you upgrade.
Okay, so to add the AD1 file, we go to File and Add Evidence Item. It's the top selection, and then we want to add not a physical drive, not a logical drive. We want to add an image file, click next and then enter the source path. I have mine on the desktop, and then I click finish, and then you can see the file name that I had was just disk.ad1 and that's what shows up in the evidence tree. If I expand this, then we can see that it's a custom content image, multi AD1, and then we have what looks like a copy of partition 2. Okay, and then we have root and we have a recycle bin. So we do have partition information here, and then we have our users, we have John Doe. Let's go to desktop, and then just looking at a link, we have the Zenmap link and it is from April 28th, 2021.
Okay, so the easiest way to get all of these files out and work with them: we go up to where it says custom content image, or this might be your partition information. Don't click on the disk file directly, the file name of the file that you added; instead click on one level below that, where it has kind of like this black file tree icon. When we right click on that, then we can go to Export Files. So we can choose anywhere we want to export them. I'm just going to say the export folder on my desktop. I would normally be exporting these to an external storage disk specifically for that case. Okay, so I'll click my export, click okay.
Now it's going to export every single file because I got the top of that file tree. Now I could have clicked on any of these other files or folders and exported them directly, but instead, since I clicked on the top, it's going to get everything. So if we go in and look at that folder, desktop and export. Okay, I have my partition two, I have root, I have users, John Doe, and then I go to desktop and we can see our Zenmap icon again, and it's 4/29/2020, 2:39 AM. Again, this is going to be my local time because now I've copied this to my local computer. So whatever time zone my computer is in, that's going to be the time that shows up in date modified.
Let's look at John Doe again, and we have our desktop. The desktop folder itself was last modified 4/29/2021 at, say, 6 PM. We can see that the desktop folder that was created underneath John Doe is 9/29/2021, basically today's date. Okay, so whenever you're creating folders, I'm copying all of this data out to my local disk that is formatted with NTFS. So these file folders are going to have a created and modified time essentially of whatever today's date is, because they're being created locally on my system. Just make sure that you realize that some of this data, whenever you copy it out, is going to get local metadata instead of copying out the metadata directly. So that's kind of the gotcha with especially folders. Some of the files we don't have to worry about too much, but just be aware of the difference between the suspect's metadata that was captured in the image versus the data that you've exported, the metadata and timestamp specifically. If you're only interested in the contents, this won't affect contents in any way, but it will affect your file system metadata like timestamps.
So that's how you can get out the files from an AD1 image. And now we can process all of these files with basically any tool that supports just adding bulk files to it. FTK Imager itself gives you a lot of tools for analysis.
And then I usually just go through and pick only the files that I'm interested in analyzing further and then export them out and use them in another tool to figure out what's going on. So all of the file metadata information I would be looking at inside FTK Imager. So I'm just going to have to export the files that I want to analyze and then put them into my other tool export folder and then just basically throw this folder into another analysis tool that I'm using.
Okay, so I hope that works. There's a little bit of confusion around AD1 images, how to access them and how they work. Basically, if you see AD, just look at AccessData's FTK Imager. See if you can analyze it with that, and most likely AccessData will be able to open it, and then you can extract the data you need and then, if you need to, throw it into another tool. Okay, so I hope that was helpful. Thank you very much.
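
The timestamp gotcha described in the video can be checked on an export folder. The following is an added example, not part of the original video: it hashes every exported file and flags entries whose modified time falls at or after the moment the export began, meaning the value was written by the examiner's file system rather than carried over from the image. The function names, the sample file name and the five-second margin are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(export_root: str, export_started: datetime) -> list[dict]:
    """List every exported file and folder; flag timestamps set by the export."""
    root = Path(export_root)
    cutoff = export_started.timestamp()
    rows = []
    for p in sorted(root.rglob("*")):
        st = p.stat()
        modified = datetime.fromtimestamp(st.st_mtime, timezone.utc)
        rows.append({
            "path": p.relative_to(root).as_posix(),
            "type": "dir" if p.is_dir() else "file",
            "sha256": None if p.is_dir() else sha256_of(p),
            "modified_utc": modified.isoformat(),
            # True means this time describes the examiner's disk, not the evidence.
            "local_metadata": st.st_mtime >= cutoff,
        })
    return rows


def demo() -> list[dict]:
    """Constructed sample tree: new folders holding one file with an older mtime."""
    started = datetime.now(timezone.utc) - timedelta(seconds=5)  # assumed margin
    with tempfile.TemporaryDirectory() as tmp:
        desktop = Path(tmp) / "Users" / "John Doe" / "Desktop"
        desktop.mkdir(parents=True)
        sample = desktop / "sample.lnk"  # constructed file, not real evidence
        sample.write_bytes(b"constructed sample content")
        old = datetime(2021, 4, 28, tzinfo=timezone.utc).timestamp()
        os.utime(sample, (old, old))  # simulate a preserved modified time
        return build_manifest(tmp, started)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Folders created during the export are flagged, while the file whose modified time predates the export is not; the SHA-256 column covers content only and is unaffected by either.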