FTK Imager Handling: Difference between revisions

From Xinux Wiki

(3 intermediate revisions by the same user not shown)

Changed wikitext lines, previous revision compared with the current revision (unchanged context omitted):

Line 4, section "Create image":
  old: *ftkimager  /dev/sdb /share/forensic/win10 --e01 --case-number 01 --evidence-number 01 --description secure.local.forensic --examiner tw,ng --notes first-run
  new: *ftkimager  /dev/sdb /root/share/forensic/opfer --e01 --case-number 01 --evidence-number 01 --description secure.local.forensic --examiner tw --notes first-run
  (a blank line was added after the command)

Lines 12/13, section "Description" (table, row "Target"):
  old: |/share/forensic/win10
  new: |/root/share/forensic/opfer

Lines 27/28, section "Description" (table, row "Examiner"):
  old: |<nowiki>--examiner tw,ng</nowiki>
  new: |<nowiki>--examiner tw</nowiki>

Lines 33/34, end of the table: a blank line was added after |}

Section "Result":
  old: *ls / win10.E01  win10.E01.txt / *cat win10.E01.txt
  new: *ls / opfer.E01  opfer.E01.txt / *cat opfer.E01.txt

Lines 44/46, inside the <pre> block (Case Information):
  old: Examiner: tw,ng
  new: Examiner: tw
  old: Information for /share/forensic/win10:
  new: Information for /root/share/forensic/opfer:

Lines 55/57, inside the <pre> block (Drive Geometry, Physical Drive Information, Computed Hashes, Image Information):
  old: Cylinders: 6527
  new: Cylinders: 2610
  old: Sector Count: 104857600
  new: Sector Count: 41943040
  old: Drive Serial Number: VB5ace20dd-ef3d9b78
  new: Drive Serial Number: VB18564db3-30f8dabe
  old: Source data size: 51200 MB
  new: Source data size: 20480 MB
  old: Sector count:    104857600
  new: Sector count:    41943040
  old: MD5 checksum:    6b73c19fe0d71af2acf91ee3310006cb
  new: MD5 checksum:    cca8e23d99e50878ce5ad5f7cca0abe3
  old: SHA1 checksum:  7d235bb67f42065ca4c01948b3d25fd75a566c95
  new: SHA1 checksum:  50dd6908d572a534d6a2322e44587bbe4aa4f47a
  old: Acquisition started:  Tue Aug 3 21:06:40 2021
  new: Acquisition started:  Thu Aug 12 10:29:36 2021
  old: Acquisition finished:  Tue Aug 3 21:24:39 2021
  new: Acquisition finished:  Thu Aug 12 10:31:56 2021
  old: /share/forensic/win10.E01
  new: /root/share/forensic/opfer.E01
  (a blank line was added before </pre>)

Section "Source" (unchanged):
  *https://it-dad.de/2019/03/13/ftk-imager-und-autopsy-unter-linux-nutzen/
Current revision as of 12 August 2021, 08:34

Download

Install

  • tar -C /usr/local/sbin -xvzf ftkimager.3.1.1_ubuntu64.tar.gz

Create image

  • ftkimager /dev/sdb /root/share/forensic/opfer --e01 --case-number 01 --evidence-number 01 --description secure.local.forensic --examiner tw --notes first-run

Description

{| class="wikitable"
! Option !! Meaning
|-
| /dev/sdb || Source
|-
| /root/share/forensic/opfer || Target
|-
| --e01 || Format
|-
| --case-number 01 || Case number
|-
| --evidence-number 01 || Evidence number
|-
| --description secure.local.forensic || Description
|-
| --examiner tw || Examiner
|-
| --notes first-run || Notes
|}

Result

  • ls
opfer.E01  opfer.E01.txt
  • cat opfer.E01.txt
Case Information: 
Acquired using: ADI3
Case Number: 01
Evidence Number: 01
Unique description: secure.local.forensic
Examiner: tw
Notes: first-run

--------------------------------------------------------------

Information for /root/share/forensic/opfer:

Physical Evidentiary Item (Source) Information:
[Device Info]
 Source Type: Physical
[Drive Geometry]
 Cylinders: 2610
 Heads: 255
 Sectors per Track: 63
 Bytes per Sector: 512
 Sector Count: 41943040
[Physical Drive Information]
 Drive Model: VBOX HARDDISK                           
 Drive Serial Number: VB18564db3-30f8dabe 
 Source data size: 20480 MB
 Sector count:    41943040
[Computed Hashes]
 MD5 checksum:    cca8e23d99e50878ce5ad5f7cca0abe3
 SHA1 checksum:   50dd6908d572a534d6a2322e44587bbe4aa4f47a

Image Information:
 Acquisition started:   Thu Aug 12 10:29:36 2021
 Acquisition finished:  Thu Aug 12 10:31:56 2021
 Segment list:
  /root/share/forensic/opfer.E01

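Added example (not code from the wiki or from FTK Imager): a small Python checker for the opfer.E01.txt log shown above. It parses the bracketed sections, tests the recorded geometry and size fields for mutual consistency, and compares the hashes FTK Imager wrote into the log with hashes computed independently over the source. The function names and the abbreviated sample log are constructed for this example.

```python
# Constructed, abbreviated copy of the opfer.E01.txt geometry/hash sections above.
SAMPLE_LOG = """[Drive Geometry]
 Cylinders: 2610
 Heads: 255
 Sectors per Track: 63
 Bytes per Sector: 512
 Sector Count: 41943040
[Physical Drive Information]
 Source data size: 20480 MB
 Sector count:    41943040
[Computed Hashes]
 MD5 checksum:    cca8e23d99e50878ce5ad5f7cca0abe3
 SHA1 checksum:   50dd6908d572a534d6a2322e44587bbe4aa4f47a
"""

def parse_ftk_log(text):
    """Map each [Section] of the log to a dict of its 'key: value' lines."""
    fields, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            fields[section] = {}
        elif section is not None and ":" in line:
            key, _, value = line.partition(":")
            fields[section][key.strip()] = value.strip()
    return fields

def geometry_problems(fields):
    """Return the inconsistencies found between the recorded size fields."""
    geo = fields["Drive Geometry"]
    drv = fields["Physical Drive Information"]
    sectors = int(geo["Sector Count"])
    problems = []
    if sectors != int(drv["Sector count"]):
        problems.append("sector counts differ")
    size_mb = int(drv["Source data size"].split()[0])      # "20480 MB"
    if sectors * int(geo["Bytes per Sector"]) != size_mb * 1024 * 1024:
        problems.append("source data size does not match sector count")
    chs = int(geo["Cylinders"]) * int(geo["Heads"]) * int(geo["Sectors per Track"])
    if chs > sectors:
        problems.append("CHS geometry exceeds sector count")
    return problems

def matches_recorded_hashes(fields, md5_hex, sha1_hex):
    """Compare independently computed hashes (md5sum/sha1sum) with the log's."""
    hashes = fields["Computed Hashes"]
    return (hashes["MD5 checksum"].lower() == md5_hex.lower()
            and hashes["SHA1 checksum"].lower() == sha1_hex.lower())
```

Run `geometry_problems(parse_ftk_log(open("opfer.E01.txt").read()))` on a real log; an empty list means the size fields agree, and `matches_recorded_hashes` takes the md5sum/sha1sum output of the source device for the acquisition check.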
Source