{"id":842,"date":"2020-10-01T11:25:20","date_gmt":"2020-10-01T10:25:20","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=842"},"modified":"2020-10-01T11:25:20","modified_gmt":"2020-10-01T10:25:20","slug":"disk-forensics-p8","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=842","title":{"rendered":"Disk Forensics P8"},"content":{"rendered":"<p style=\"text-align: justify;\">All good things come in threes, or maybe fours? After learning how to acquire a disk image with <a href=\"https:\/\/cybercop-training.ch\/?p=809\" target=\"_blank\" rel=\"noopener noreferrer\">dd<\/a>, <a href=\"https:\/\/cybercop-training.ch\/?p=822\" target=\"_blank\" rel=\"noopener noreferrer\">dcfldd<\/a> and <a href=\"https:\/\/cybercop-training.ch\/?p=831\" target=\"_blank\" rel=\"noopener noreferrer\">ewfacquire<\/a>, there is another way to do the same.<\/p>\n<blockquote>\n<p dir=\"ltr\" style=\"text-align: justify;\">In this lab, the evidence hard disk is mounted on \u2018\/dev\/sdc\u2019. 
The\u00a0<a href=\"https:\/\/accessdata.com\/product-download\/debian-and-ubuntu-x64-3-1-1\" target=\"_blank\" rel=\"noopener noreferrer\"><b>FTK Imager<\/b><\/a> is installed on the lab machine.<\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><b>Objective:<\/b> Create a disk image for the evidence hard disk using the FTK Imager tool.<\/p>\n<\/blockquote>\n<p dir=\"ltr\">As in the previous exercises, I&#8217;ll make sure that the disk is not mounted.<\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-846\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk1.png\" alt=\"\" width=\"830\" height=\"440\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk1.png 830w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk1-300x159.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk1-768x407.png 768w\" sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/a><\/p>\n<p dir=\"ltr\"><code>umount \/dev\/sdc<\/code><\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-848\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk2.png\" alt=\"\" width=\"843\" height=\"485\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk2.png 843w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk2-300x173.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk2-768x442.png 768w\" sizes=\"auto, (max-width: 843px) 100vw, 843px\" \/><\/a><\/p>\n<p dir=\"ltr\">Let&#8217;s check the command switches to see how we get the disk image.<\/p>\n<p dir=\"ltr\"><code>ftkimager --help<\/code><\/p>\n<p dir=\"ltr\"><a 
href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-850\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk3-1024x869.png\" alt=\"\" width=\"1024\" height=\"869\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk3-1024x869.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk3-300x255.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk3-768x652.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk3.png 1146w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p dir=\"ltr\">Compared with ewfacquire, more command-line switches are needed. Let&#8217;s go ahead.<\/p>\n<p dir=\"ltr\"><code>ftkimager \/dev\/sdc evidence --e01 --case-number 102 --evidence-number 2 --description 'Acquired image for case number 102' --examiner 'Cybercop'<\/code><\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-851\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk4-1024x538.png\" alt=\"\" width=\"1024\" height=\"538\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk4-1024x538.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk4-300x158.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk4-768x404.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk4.png 1063w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p dir=\"ltr\"><code>ftkimager evidence.E01 --print-info<\/code><\/p>\n<p dir=\"ltr\"><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-852\" 
src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk5-1024x858.png\" alt=\"\" width=\"1024\" height=\"858\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk5-1024x858.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk5-300x251.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk5-768x643.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2020\/10\/ftk5.png 1079w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>All good things come in threes, or maybe fours? After learning how to acquire a disk image with dd, dcfldd and ewfacquire there is another way <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=842\" title=\"Disk Forensics P8\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":843,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,16],"tags":[],"class_list":["post-842","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-forensic","category-linux"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/842","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=842"}],"version-history":[{"count":5,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/842\/revisions"}],"predecessor-version":[{"id":853,"href":"ht
tps:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/842\/revisions\/853"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/843"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=842"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=842"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}