Ftk Imager Handling: Difference between revisions

From Xinux Wiki

Revision as of 3 August 2021, 19:28

Download

Install

  • tar -C /usr/local/sbin -xvzf ftkimager.3.1.1_ubuntu64.tar.gz

Create image

  • ftkimager /dev/sdb /share/forensic/win10 --e01 --case-number 01 --evidence-number 01 --description secure.local.forensic --examiner tw,ng --notes first-run

Description

Option                                Meaning
/dev/sdb                              Source (device to be imaged)
/share/forensic/win10                 Target (base name; ftkimager appends .E01)
--e01                                 Format (E01)
--case-number 01                      Case number
--evidence-number 01                  Evidence number
--description secure.local.forensic   Description
--examiner tw,ng                      Examiner
--notes first-run                     Notes

Result

  • ls
win10.E01  win10.E01.txt
  • cat win10.E01.txt
Case Information: 
Acquired using: ADI3
Case Number: 01
Evidence Number: 01
Unique description: secure.local.forensic
Examiner: tw,ng
Notes: first-run

--------------------------------------------------------------

Information for /share/forensic/win10:

Physical Evidentiary Item (Source) Information:
[Device Info]
 Source Type: Physical
[Drive Geometry]
 Cylinders: 6527
 Heads: 255
 Sectors per Track: 63
 Bytes per Sector: 512
 Sector Count: 104857600
[Physical Drive Information]
 Drive Model: VBOX HARDDISK                           
 Drive Serial Number: VB5ace20dd-ef3d9b78 
 Source data size: 51200 MB
 Sector count:    104857600
[Computed Hashes]
 MD5 checksum:    6b73c19fe0d71af2acf91ee3310006cb
 SHA1 checksum:   7d235bb67f42065ca4c01948b3d25fd75a566c95

Image Information:
 Acquisition started:   Tue Aug  3 21:06:40 2021
 Acquisition finished:  Tue Aug  3 21:24:39 2021
 Segment list:
  /share/forensic/win10.E01
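The install, acquisition and result above form one procedure. As an added example (not from the wiki page or the it-dad.de article it cites), the POSIX shell helpers below read the win10.E01.txt log that ftkimager writes next to the image, cross-check the recorded sector geometry against the stated source size, and compare the MD5/SHA1 recorded at acquisition time with a hash computed afterwards (for instance md5sum over the original device, or the hash that ftkimager's verify run prints). The sample log is constructed from the values shown on this page; the `--verify` option and the layout of its output are assumptions to confirm against `ftkimager --help` on your build.

```shell
#!/bin/sh
# Added example, not part of the wiki page: post-acquisition checks around the
# ftkimager command shown above. The sample log reuses the page's own values;
# "ftkimager --verify" is assumed to exist in your build (check "ftkimager --help")
# and to print "MD5 checksum: ..." lines in the same style as the acquisition log.

# Constructed sample input: a copy of the page's acquisition log, written to the
# file named in $1 so the checks below can run without an image at hand.
write_sample_log() {
    cat > "$1" <<'EOF'
Case Information:
Acquired using: ADI3
Case Number: 01
Evidence Number: 01
Unique description: secure.local.forensic
Examiner: tw,ng
Notes: first-run

Information for /share/forensic/win10:

[Drive Geometry]
 Cylinders: 6527
 Heads: 255
 Sectors per Track: 63
 Bytes per Sector: 512
 Sector Count: 104857600
[Physical Drive Information]
 Drive Model: VBOX HARDDISK
 Drive Serial Number: VB5ace20dd-ef3d9b78
 Source data size: 51200 MB
 Sector count:    104857600
[Computed Hashes]
 MD5 checksum:    6b73c19fe0d71af2acf91ee3310006cb
 SHA1 checksum:   7d235bb67f42065ca4c01948b3d25fd75a566c95
EOF
}

# Print the value of one "Label: value" field from an ftkimager log ($1 = log,
# $2 = label). Labels match case-insensitively, so "Sector Count" also finds the
# second "Sector count:" line; the first match wins. Surrounding whitespace is
# trimmed (the log pads values, see "Drive Model").
log_field() {
    awk -F': *' -v key="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Cross-check what ftkimager recorded: sector count * bytes per sector must equal
# the "Source data size", which the log reports in MiB. Returns 0 if consistent.
log_size_consistent() {
    sectors=$(log_field "$1" "Sector Count")
    bps=$(log_field "$1" "Bytes per Sector")
    mib=$(log_field "$1" "Source data size" | sed 's/ *MB$//')
    [ -n "$sectors" ] && [ -n "$bps" ] && [ -n "$mib" ] &&
        [ "$((sectors * bps))" -eq "$((mib * 1024 * 1024))" ]
}

# Compare an independently computed hash against the one recorded in the log.
# $1 = log file, $2 = MD5 or SHA1, $3 = hash to compare (any letter case).
# Returns 0 only when the log has that hash and it matches.
hash_matches() {
    expected=$(log_field "$1" "$2 checksum" | tr 'A-Z' 'a-z')
    actual=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# The page's acquisition command followed by an integrity check of the resulting
# E01: the hash ftkimager computes while verifying must equal the one it recorded
# during acquisition. Needs ftkimager and a real source device; not exercised here.
acquire_and_verify() {
    src=$1; dest=$2    # e.g. /dev/sdb /share/forensic/win10
    ftkimager "$src" "$dest" --e01 --case-number 01 --evidence-number 01 \
        --description secure.local.forensic --examiner tw,ng --notes first-run
    ftkimager --verify "$dest.E01" > "$dest.verify.txt"
    verified=$(log_field "$dest.verify.txt" "MD5 checksum")
    if hash_matches "$dest.E01.txt" MD5 "$verified"; then
        echo "OK: $dest.E01 matches acquisition MD5 $verified"
    else
        echo "MISMATCH: $dest.E01 ($verified) vs $dest.E01.txt" >&2
        return 1
    fi
}

# Usage on a real system (not run here): acquire_and_verify /dev/sdb /share/forensic/win10
```

Keep the .E01.txt log with the image: its hashes are the acquisition-time reference that every later verification (ftkimager's own verify run, or a hash over a raw mount of the E01) is compared against, and log_size_consistent catches a log whose geometry was truncated or edited.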

Source

  • https://it-dad.de/2019/03/13/ftk-imager-und-autopsy-unter-linux-nutzen/