Download

• wget https://ad-zip.s3.amazonaws.com/ftkimager.3.1.1_ubuntu64.tar.gz

Install

• tar -C /usr/local/sbin -xvzf ftkimager.3.1.1_ubuntu64.tar.gz

Image erstellen

• ftkimager /dev/sdb /root/share/forensic/opfer --e01 --case-number 01 --evidence-number 01 --description secure.local.forensic --examiner tw --notes first-run

Beschreibung

Resultat

• ls

win10.E01  win10.E01.txt

• cat win10.E01.txt

Case Information: 
Acquired using: ADI3
Case Number: 01
Evidence Number: 01
Unique description: secure.local.forensic
Examiner: tw,ng
Notes: first-run

--------------------------------------------------------------

Information for /share/forensic/win10:

Physical Evidentiary Item (Source) Information:
[Device Info]
 Source Type: Physical
[Drive Geometry]
 Cylinders: 6527
 Heads: 255
 Sectors per Track: 63
 Bytes per Sector: 512
 Sector Count: 104857600
[Physical Drive Information]
 Drive Model: VBOX HARDDISK                           
 Drive Serial Number: VB5ace20dd-ef3d9b78 
 Source data size: 51200 MB
 Sector count:    104857600
[Computed Hashes]
 MD5 checksum:    6b73c19fe0d71af2acf91ee3310006cb
 SHA1 checksum:   7d235bb67f42065ca4c01948b3d25fd75a566c95

Image Information:
 Acquisition started:   Tue Aug  3 21:06:40 2021
 Acquisition finished:  Tue Aug  3 21:24:39 2021
 Segment list:
  /share/forensic/win10.E01

Quelle

• https://it-dad.de/2019/03/13/ftk-imager-und-autopsy-unter-linux-nutzen/