Disk Forensics P8

All good things are three, or maybe four? After learning how to acquire a disk image with dd, dcfldd and ewfacquire, there is another way to do the same.

In this lab, the evidence hard disk is mounted on ‘/dev/sdc’. The FTK Imager is installed on the lab machine.

Objective: Create a disk image of the evidence hard disk using the FTK Imager tool.

Like in the previous exercises, I'll make sure that the disk is not mounted:

umount /dev/sdc

Let's check the command switches to see how we get the disk image:

ftkimager --help

Compared with ewfacquire, more command line switches are needed. Let's go ahead:

ftkimager /dev/sdc evidence --e01 --case-number 102 --evidence-number 2 --description 'Acquired image for case number 102' --examiner 'Cybercop'

ftkimager evidence.E01 --print-info
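As an added example (not part of the original post and not FTK Imager's own tooling), a small POSIX shell script that wraps the lab steps: it refuses to acquire while the device is still mounted, logs the exact ftkimager command used for the chain-of-custody notes, and compares the MD5 that ftkimager prints with an independent md5sum of the source device. The only ftkimager switches used are the ones on this page; that --print-info labels the hash with "MD5" is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the page's ftkimager
# workflow in a script with a pre-flight check and an independent hash check.

# Is the device (or any partition on it) currently mounted?
# $2 lets a test point at a constructed mounts file instead of /proc/mounts.
is_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    grep -q "^$dev[0-9p]* " "$mounts"
}

# Build the acquisition command line, using the switches shown on the page.
# Echoed (not run) so it can be logged and reviewed before execution.
acquire_cmd() {
    dev=$1; out=$2; case_no=$3; ev_no=$4; examiner=$5; desc=$6
    printf "ftkimager %s %s --e01 --case-number %s --evidence-number %s --description '%s' --examiner '%s'\n" \
        "$dev" "$out" "$case_no" "$ev_no" "$desc" "$examiner"
}

# Compare two hex digests case-insensitively; an empty digest never matches.
hash_matches() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Full run only when called explicitly: sh acquire.sh run
if [ "${1:-}" = "run" ]; then
    DEV=/dev/sdc
    if is_mounted "$DEV"; then
        echo "$DEV is mounted, run 'umount $DEV' first" >&2
        exit 1
    fi
    CMD=$(acquire_cmd "$DEV" evidence 102 2 Cybercop 'Acquired image for case number 102')
    echo "$CMD" | tee -a acquisition.log
    eval "$CMD"
    ftkimager evidence.E01 --print-info | tee -a acquisition.log
    # Assumption: --print-info prints a line containing "MD5" and the digest.
    IMG_MD5=$(grep -i md5 acquisition.log | grep -oE '[0-9a-fA-F]{32}' | tail -n 1)
    SRC_MD5=$(md5sum "$DEV" | cut -d' ' -f1)
    echo "source md5: $SRC_MD5" | tee -a acquisition.log
    if hash_matches "$SRC_MD5" "$IMG_MD5"; then
        echo "image hash matches source"
    else
        echo "image hash does NOT match source, do not rely on this image" >&2
        exit 1
    fi
fi
```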
