In this lab, the evidence hard disk is mounted on ‘/dev/sdc’. The FTK Imager is installed on the lab machine.
Objective: Create a disk image of the evidence hard disk using the FTK Imager tool.
Like in the previous exercises, I'll make sure that the disk is not mounted.
Let's check the command switches to see how we get the disk image.
If I compare that with ewfacquire, there are more command line switches needed. Let's go ahead:
ftkimager /dev/sdc evidence --e01 --case-number 102 --evidence-number 2 --description 'Acquired image for case number 102' --examiner 'Cybercop'
ftkimager evidence.E01 --print-info
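As an added example (not part of the lab write-up, and not AccessData's own tooling), the two commands above can be wrapped in a small POSIX shell script that does the pre-flight check the lab mentions, runs the same acquisition with the tool's `--verify` switch added so the written image is rehashed against the source, and records SHA-256 sums of the E01 segments for the chain-of-custody log. The device `/dev/sdc`, the output name `evidence` and the case metadata are taken from the page; the log file name and the `is_unmounted`/`acquire`/`record_hashes` function names are assumptions made here.

```shell
#!/bin/sh
# Added example wrapper around the ftkimager command used in the lab.
# Assumptions: ftkimager is on PATH, the evidence disk is /dev/sdc, and the
# image base name is "evidence" (all taken from the lab text).

# is_unmounted DEVICE [MOUNTS_FILE]
# Succeeds when neither DEVICE nor any partition of it (/dev/sdc, /dev/sdc1,
# /dev/nvme0n1p1 style names) appears in the mounts table. MOUNTS_FILE
# defaults to /proc/mounts and can be overridden to check constructed data.
# Imaging a mounted disk risks the OS writing to it mid-acquisition, which
# would make the source hash meaningless, so we refuse in that case.
is_unmounted() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    ! grep -Eq "^${dev}(p?[0-9]+)? " "$mounts"
}

# acquire DEVICE OUTPUT_BASE
# Runs the lab's acquisition with the same case metadata, plus --verify so
# ftkimager re-reads the finished image and compares hashes with the source.
acquire() {
    dev="$1"
    out="$2"
    if ! is_unmounted "$dev"; then
        echo "refusing to image $dev: it or one of its partitions is mounted" >&2
        return 2
    fi
    ftkimager "$dev" "$out" --e01 --verify \
        --case-number 102 --evidence-number 2 \
        --description 'Acquired image for case number 102' \
        --examiner 'Cybercop'
}

# record_hashes OUTPUT_BASE LOGFILE
# Appends one timestamped SHA-256 line per image segment (OUTPUT_BASE.E01,
# .E02, ...) to LOGFILE. Fails if no segment exists, so a silent acquisition
# failure is noticed rather than logged as success.
record_hashes() {
    out="$1"
    log="$2"
    found=0
    for seg in "$out".E??; do
        [ -f "$seg" ] || continue
        found=1
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(sha256sum "$seg")" >> "$log"
    done
    [ "$found" -eq 1 ]
}

# Run the full sequence only when invoked with a device argument, e.g.
#   sh acquire.sh /dev/sdc evidence
if [ -n "$1" ]; then
    base="${2:-evidence}"
    acquire "$1" "$base" \
        && record_hashes "$base" "$base.acquisition.log" \
        && ftkimager "$base.E01" --print-info
fi
```

The mounted-device check reads `/proc/mounts` directly instead of trusting that nothing auto-mounted the disk after it was plugged in; keeping the hash log separate from the E01 metadata means the sums can be compared later against `--print-info` output without re-opening the image.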