FTK Imager Pro adds BitLocker‑decrypted imaging and iOS advanced logical: a DFIR how‑to
Exterro has introduced FTK Imager Pro as a paid add-on to the longstanding free FTK Imager. It brings BitLocker decryption during imaging and iOS logical/advanced logical collection while keeping the free edition available; the Pro and Free editions share the same download with license-gated features, and the Pro subscription is currently listed at $499 USD. Android acquisition is “on the roadmap,” according to Exterro’s remarks in a recorded interview. (Forensic Focus transcript, Nov 24, 2025; Exterro FTK Imager Pro store page).
Overview
FTK Imager Pro layers three capabilities onto the familiar imager workflow:
- Encryption detection and decryption for BitLocker volumes, including a “Direct Decrypted - Live Data” workflow to preview and selectively acquire decrypted content once valid credentials are provided. (Exterro product page).
- iOS logical and advanced logical collection (photos, messages, app data, call logs, etc.). (Exterro product page).
- Free FTK Imager remains available; Pro is activated by license in the same installer. (Forensic Focus transcript).
For context, the current FTK Imager line also supports modern evidence containers such as AFF4 in recent releases, which many labs use to balance performance and metadata needs. (Exterro FTK Imager 4.7 page).
Acquisition and Extraction (platform-specific)
Windows endpoints with BitLocker
BitLocker encrypts entire volumes and is commonly deployed with TPM-backed protectors; volumes can be unlocked using recovery passwords/keys, PINs, or certificate-based protectors. (Microsoft Learn - BitLocker overview). In enterprise settings, recovery material is often escrowed in AD DS attributes (ms-FVE*). (Microsoft Learn - BitLocker recovery guide).
Recommended field flow with FTK Imager Pro:
1) Confirm BitLocker state and available protectors before touching the GUI.
C:\> manage-bde -status
C:\> manage-bde -protectors -get <drive>
(Use the recovery password, external recovery key (.bek), PIN, or DRA certificate that policy permits.) (Microsoft Learn - manage-bde unlock).
2) In FTK Imager Pro, add the live source. When prompted, supply the recovery material to decrypt. Use “Direct Decrypted - Live Data” to triage and acquire only what you need, or proceed to a standard full-disk acquisition with decryption applied during imaging when that fits your SOPs. (Exterro product page).
3) If policy requires escrow verification, retrieve the recovery password by Password ID in AD DS prior to unlock and record it in your case notes. (Microsoft Learn - recovery process).
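As an added example (not Exterro’s or Microsoft’s code), the following Python turns a saved manage-bde -status transcript into the structured record that step 1 and the reporting notes call for, and maps each volume’s lock state to the acquisition choice described above. The transcript text is constructed, and the field layout is assumed to match the tool’s report format.

```python
import re
# Constructed sample of a `manage-bde -status` transcript (not from a real host);
# field names and indentation are assumed to follow the tool's usual report layout.
SAMPLE_STATUS = """\
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Lock Status:          Locked
    Key Protectors:
        Password
        Numerical Password
"""

def parse_status(text):
    """Return {drive: {field: value, "Key Protectors": [...]}} from a -status transcript."""
    volumes, current, in_protectors = {}, None, False
    for line in text.splitlines():
        m = re.match(r"^Volume ([A-Z]:) \[(.*)\]", line)
        field = line.strip()
        if m:  # start of a new volume block
            current, in_protectors = volumes.setdefault(m.group(1), {"Label": m.group(2), "Key Protectors": []}), False
        elif current is None or not field:
            continue
        elif field == "Key Protectors:":
            in_protectors = True
        elif in_protectors and line.startswith(" " * 8):  # protector names sit one indent level deeper
            current["Key Protectors"].append(field)
        elif ":" in field:  # ordinary "Name: value" field; ends any protector list
            key, _, value = field.partition(":")
            current[key], in_protectors = value.strip(), False
    return volumes

def case_note(drive, vol):
    """Map the parsed state to the acquisition choice this page describes."""
    if vol.get("Lock Status") == "Locked":
        plan = "locked: retrieve recovery material by Password ID (e.g. AD DS escrow) before Direct Decrypted triage; image the encrypted device now"
    else:
        plan = "unlocked: Direct Decrypted - Live Data triage possible; still retain a sector-level image of the encrypted device"
    return {"drive": drive, "conversion": vol.get("Conversion Status"), "protectors": vol["Key Protectors"],
            "recovery_password_protector": "Numerical Password" in vol["Key Protectors"], "plan": plan}
```

Feed parse_status the saved transcript and attach each case_note result to the case notes; a "Numerical Password" protector is the one whose Password ID can be matched against AD DS escrow.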
Notes:
- Decrypt-and-copy workflows provide logical content, not slack or unallocated space. That is consistent with the definition of logical vs. physical acquisition in mobile/forensic guidance. (SWGDE Best Practices - Mobile Device Evidence Collection & Acquisition). When you need full artifact recovery, also capture a sector-accurate image (e.g., E01/raw) of the encrypted device and retain keys separately for examination.
- EWF/E01 remains widely interoperable across tools via libewf if you need to mount or convert for downstream analysis. (Debian manpage - ewfacquire; Debian manpage - ewfmount).
iOS devices (logical and advanced logical)
“Logical” extractions copy logical objects via vendor/OS services; “advanced logical” extends coverage using additional APIs/techniques without requiring a full physical dump. These terms and tradeoffs are defined in standard references. (NIST SP 800-101r1; SWGDE Best Practices - Analysis). FTK Imager Pro adds iOS logical and advanced logical collection in-tool. (Exterro product page).
Pre-conditions to check:
- Device trust and screen unlock are typically required for backup/collection services to function. If iOS local backup encryption is enabled, you must supply the backup password to decrypt the resulting data. (Apple Support - About encrypted backups).
- If the backup password is unknown on iOS 11+, “Reset All Settings” removes the existing backup password but does not decrypt prior encrypted backups; plan authority and scope accordingly. (Apple Support - If you can’t remember encrypted backup password).
Acquisition steps:
- Place the device in a shielded environment per your SOP (airplane mode alone may not fully block radios). (SWGDE Best Practices - Network Isolation).
- Connect via USB and launch FTK Imager Pro. Choose iOS Logical or Advanced Logical collection and follow the prompts for scope (e.g., messages, photos, app data). (Exterro product page).
- Preserve the export in an evidence container your lab standardizes on (e.g., AD1, E01 for disk sources, AFF4 where supported) and compute hashes for the produced files. (Container support details for Imager family, including AFF4 support, are documented by Exterro.) (Exterro FTK Imager 4.7 page).
Artifact Locations and Paths
- iOS computer backups (Finder/Apple Devices/iTunes) are stored at:
  - macOS: ~/Library/Application Support/MobileSync/Backup/
  - Windows (Apple Devices app or Microsoft Store iTunes): %USERPROFILE%\Apple\MobileSync\Backup\
  - Windows (standalone iTunes): %APPDATA%\Apple Computer\MobileSync\Backup\
  These locations are documented by Apple. (Apple Support - Locate backups).
- Key iOS backup files you will see post-collection include Info.plist, Manifest.db, Manifest.plist, and Status.plist; Manifest.db is a SQLite database enumerating files (domain, relativePath, fileID). (The Apple Wiki - iTunes Backup; O’Reilly - Practical Mobile Forensics excerpt).
- In enterprise BitLocker environments, recovery material may be stored on the computer object in AD DS (e.g., ms-FVE-RecoveryPassword, ms-FVE-KeyPackage), retrievable by Password ID. (Microsoft Learn - recovery guide; Microsoft Learn - recovery process).
Analysis and Correlation
- Decrypted BitLocker acquisitions: If you used Direct Decrypted - Live Data, treat the result as a logical set. Triage in your analysis suite and consider correlating with a full, sector-level image retained for later deep-dive work (file system recovery, slack/unallocated). The logical-vs-physical distinction mirrors mobile guidance and should be reflected in reporting. (SWGDE Best Practices - Mobile Device Evidence Collection).
- iOS backups: Query Manifest.db to quickly locate key artifacts.
Examples:
SELECT domain, relativePath FROM Files WHERE relativePath LIKE '%sms.db%';
SELECT domain, relativePath FROM Files WHERE relativePath LIKE '%CallHistory.storedata%';
(Manifest.db schema and usage are well-described in mobile forensics literature.) (O’Reilly - Practical Mobile Forensics excerpt).
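An added example (not code from the page’s sources) that inspects a collected backup folder the way this bullet and the validation notes describe: it checks for the four key files, reads the IsEncrypted flag from Manifest.plist, runs the two Manifest.db queries above, and confirms that each fileID equals the SHA-1 of "domain-relativePath" and that the file exists under its two-character subfolder. The backup folder, its plists and its Manifest.db rows are constructed mock data, not a real device collection.

```python
import hashlib
import plistlib
import sqlite3
import tempfile
from pathlib import Path

REQUIRED = ("Info.plist", "Manifest.db", "Manifest.plist", "Status.plist")
ARTIFACTS = {"sms": "sms.db", "calls": "CallHistory.storedata"}  # the two queries from the text

def file_id(domain, relative_path):
    """On-disk name of a backed-up file: SHA-1 of "domain-relativePath" (iOS 10+ backup layout)."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def build_mock_backup(root):
    """Construct a minimal mock backup folder (not real device data) for the demo."""
    root.mkdir(parents=True, exist_ok=True)
    for name, data in (("Info.plist", {"Product Version": "17.0"}),
                       ("Manifest.plist", {"IsEncrypted": False}),
                       ("Status.plist", {"SnapshotState": "finished"})):
        (root / name).write_bytes(plistlib.dumps(data))
    con = sqlite3.connect(root / "Manifest.db")
    con.execute("CREATE TABLE Files(fileID TEXT PRIMARY KEY, domain TEXT, relativePath TEXT, flags INTEGER, file BLOB)")
    for domain, rel in (("HomeDomain", "Library/SMS/sms.db"),
                        ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata")):
        fid = file_id(domain, rel)
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (fid, domain, rel))
        (root / fid[:2]).mkdir(exist_ok=True)            # payload files live under <first two hex chars>/
        (root / fid[:2] / fid).write_bytes(b"SQLite format 3\x00")  # placeholder content
    con.commit(); con.close()

def validate_backup(root):
    """Check the required files, read the encryption flag, and locate key artifacts via Manifest.db."""
    report = {"missing": [n for n in REQUIRED if not (root / n).exists()], "encrypted": None, "artifacts": {}}
    if report["missing"]:
        return report
    report["encrypted"] = bool(plistlib.loads((root / "Manifest.plist").read_bytes()).get("IsEncrypted"))
    con = sqlite3.connect(root / "Manifest.db")
    for label, needle in ARTIFACTS.items():
        for fid, domain, rel in con.execute(
                "SELECT fileID, domain, relativePath FROM Files WHERE relativePath LIKE ?", (f"%{needle}%",)):
            path = root / fid[:2] / fid
            report["artifacts"][label] = {"domain": domain, "relativePath": rel, "path": str(path),
                                          "present": path.exists(), "id_ok": fid == file_id(domain, rel)}
    con.close()
    return report

def demo():
    """Build the mock backup in a temp dir and validate it."""
    root = Path(tempfile.mkdtemp()) / "00008030-000A1B2C3D4E5F60"  # constructed UDID-style folder name
    build_mock_backup(root)
    return validate_backup(root)
```

When "encrypted" comes back True on a real collection, the located files are still ciphertext until the backup password is supplied, which is the condition the validation notes warn about.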
Validation and Pitfalls
- Scope mismatch: Logical (including “advanced logical”) does not capture unallocated space or some deleted content; plan for a physical/bitstream capture when needed to meet evidentiary requirements. (NIST SP 800-101r1).
- iOS encrypted backups: If the device’s local backup encryption is enabled, the collection completes but the data remains encrypted until the correct password is supplied; document the password source and validation. (Apple Support - About encrypted backups).
- Keys handling (BitLocker): Treat recovery passwords/keys as sensitive evidence. Record the Password ID, source of authority, and exact unlock method used. AD escrowed keys can be verified and retrieved by Password ID. (Microsoft Learn - recovery process).
- Container interoperability: If downstream tooling requires EWF/E01, use FTK Imager to acquire in E01 or convert with libewf utilities as needed in the lab. (Debian manpage - ewfacquire; Debian manpage - ewfmount).
Reporting Notes (chain of custody, reproducibility)
- Document tool version, license state (Free vs. Pro), and acquisition options (e.g., Direct Decrypted - Live Data vs. full image). (Forensic Focus transcript confirms Free/Pro split in one installer).
- Capture immutable logs: FTK Imager/Pro outputs, hash reports, and any command-line transcripts (manage-bde, directory listings, SQLite queries) with timestamps.
- For iOS, record device state (locked/unlocked, trusted/not, backup encryption on/off) and where the exported backup resides (path), referencing Apple’s documented backup locations. (Apple Support - Locate backups).
- For BitLocker, record the protector type used and Password ID; if AD retrieval was involved, preserve the query steps/screens.
Tools
- FTK Imager Pro (BitLocker decryption; iOS logical/advanced logical). (Exterro product page).
- FTK Imager (Free) for traditional preview/imaging and AFF4/E01/RAW workflows. (Exterro FTK Imager 4.7 page).
- Microsoft BitLocker utilities (manage-bde; recovery/AD guidance). (Microsoft Learn - manage-bde unlock; Microsoft Learn - recovery guide).
- libewf tools for EWF acquisition/mounting in Linux/macOS forensic rigs. (Debian manpage - ewfacquire; Debian manpage - ewfmount).
- References on mobile acquisition/analysis to support validation. (NIST SP 800-101r1; SWGDE Best Practices - Analysis).
Takeaways
- Add FTK Imager Pro to your triage kit when you routinely face BitLocker-protected endpoints or need low-friction iOS logical collection; it’s license-gated in the same installer you already know. (Forensic Focus transcript; Exterro product page).
- For Windows, pair a decrypted logical capture with a retained sector-level image of the encrypted device when full recovery options are required. (Microsoft Learn - BitLocker overview; SWGDE).
- For iOS, plan for backup-encryption realities and validate outputs by inspecting Manifest.db and key plists post-acquisition. (Apple Support - About encrypted backups; The Apple Wiki - iTunes Backup).
Sources / References
- Forensic Focus podcast transcript: Inside FTK Imager Pro: https://www.forensicfocus.com/podcast/inside-ftk-imager-pro-vendor-neutral-forensics-smarter-ai-and-exterros-forensic-vision/
- Exterro – FTK Imager Pro | Encryption Detection & iOS Collections: https://store.exterro.com/products/ftk-imager-pro
- Exterro – FTK Imager 4.7: https://go.exterro.com/l/43312/2022-08-23/f7rylq
- Microsoft Learn – BitLocker overview: https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/
- Microsoft Learn – manage-bde unlock: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-unlock
- Microsoft Learn – BitLocker recovery guide (planning and AD attributes): https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan
- Microsoft Learn – BitLocker recovery process (find by Password ID): https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/recovery-process
- Apple Support – About encrypted backups on iPhone/iPad: https://support.apple.com/en-us/HT205220
- Apple Support – If you can’t remember the encrypted backup password: https://support.apple.com/en-bw/108313
- Apple Support – Locate backups of your iPhone/iPad: https://support.apple.com/en-us/108809
- NIST SP 800‑101r1 – Guidelines on Mobile Device Forensics: https://csrc.nist.gov/pubs/sp/800/101/r1/final
- SWGDE Best Practices – Mobile Device Evidence Collection & Acquisition: https://www.swgde.org/documents/published-complete-listing/18-f-003-swgde-best-practices-for-mobile-device-evidence-collection-and-preservation-handling-and-acquisition/
- SWGDE Best Practices – Mobile Device Forensic Analysis: https://www.swgde.org/20-f-005/
- The Apple Wiki – iTunes Backup: https://theapplewiki.com/wiki/ITunes_Backup
- O’Reilly excerpt – Practical Mobile Forensics (Manifest.db): https://www.oreilly.com/library/view/practical-mobile-forensics/9781788839198/f77484d1-94ae-4b7e-b233-c14c452ea8ff.xhtml
- Debian manpage – ewfacquire (libewf): https://manpages.debian.org/wheezy/ewf-tools/ewfacquire.1.en.html
- Debian manpage – ewfmount (libewf): https://www.mankier.com/1/ewfmount