All good things are three, or maybe four? After learning how to acquire a disk image with dd, dcfldd and ewfacquire, there is another way to do the same.
In this lab, the evidence hard disk is mounted on ‘/dev/sdc’. The FTK Imager is installed on the lab machine.
Objective: Create a disk image of the evidence hard disk using the FTK Imager tool.
Like in the previous exercises, I’ll make sure that the disk is not mounted:
umount /dev/sdc
Let’s check the command switches to see how we get the disk image:
ftkimager --help
If I compare that with ewfacquire, more command line switches are needed. Let’s go ahead:
ftkimager /dev/sdc evidence --e01 --case-number 102 --evidence-number 2 --description 'Acquired image for case number 102' --examiner 'Cybercop'
ftkimager evidence.E01 --print-info
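As an added example (not part of the original lab), here is a small POSIX shell wrapper that refuses to run ftkimager while the device or any of its partitions still appears in /proc/mounts (umount /dev/sdc alone does not unmount /dev/sdc1, /dev/sdc2, ...), then acquires and verifies with the same switches used above. The MOUNTS variable and the function names are my own; the mount table it reads can be redirected to a file for testing.

```shell
#!/bin/sh
# Added example, not the lab's own script. Reads the mount table from
# $MOUNTS (default /proc/mounts) so the check can be exercised offline.
MOUNTS="${MOUNTS:-/proc/mounts}"

# mounted_entries DEV
# Prints every mounted device that is DEV itself or a partition of DEV
# (/dev/sdc, /dev/sdc1, /dev/nvme0n1p1), but not a lookalike (/dev/sdcc).
mounted_entries() {
    awk -v d="$1" '
        index($1, d) == 1 &&
        ($1 == d || substr($1, length(d) + 1) ~ /^p?[0-9]+$/) { print $1 }
    ' "$MOUNTS"
}

# is_mounted DEV  -> exit 0 if DEV or one of its partitions is mounted
is_mounted() {
    [ -n "$(mounted_entries "$1")" ]
}

# acquire DEV OUTBASE CASE_NUMBER EVIDENCE_NUMBER EXAMINER DESCRIPTION
# Aborts before touching the disk if anything on it is still mounted,
# otherwise writes OUTBASE.E01 and prints the image metadata back.
acquire() {
    dev="$1"; out="$2"; case="$3"; ev="$4"; examiner="$5"; desc="$6"
    if is_mounted "$dev"; then
        echo "refusing to image $dev, still mounted:" >&2
        mounted_entries "$dev" >&2
        return 1
    fi
    ftkimager "$dev" "$out" --e01 --case-number "$case" \
        --evidence-number "$ev" --description "$desc" \
        --examiner "$examiner" || return 1
    ftkimager "$out.E01" --print-info
}

# Usage: ./acquire.sh /dev/sdc evidence 102 2 Cybercop 'Acquired image for case number 102'
if [ $# -ge 6 ]; then
    acquire "$@"
fi
```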