What functionality does FTK provide for examining file systems?

FTK (Forensic Toolkit) is designed for digital forensic investigations and provides extensive functionality for examining file systems. One of its key features is the ability to navigate through file structures, which allows examiners to analyze the organization of files and folders on a drive. This navigation capability is crucial for investigators as it helps them understand how files are arranged and to identify relevant data within those structures.

Additionally, FTK can recover deleted files, which is an essential aspect of forensic analysis. When files are deleted from a file system, they are often not immediately removed; instead, the space they occupied can be marked as available for new data. FTK employs various techniques to recover these files, making it an invaluable tool for forensic examiners searching for evidence that may be hidden or deleted.

In contrast, the other choices do not accurately represent FTK's primary functionalities. The toolkit does not allow users to modify files directly or to restore previous versions of files, as these actions could compromise the integrity of the evidence. File encryption is a separate process that FTK does not enable; instead, it focuses on examining and recovering data rather than altering it.