Ftk Imager Handling

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen

Download

Install

  • tar -C /usr/local/sbin -xvzf ftkimager.3.1.1_ubuntu64.tar.gz

Image erstellen

  • ftkimager /dev/sdb /root/share/forensic/opfer --e01 --case-number 01 --evidence-number 01 --description secure.local.forensic --examiner tw --notes first-run

Beschreibung

Optionen
/dev/sdb Quelle
/share/forensic/win10 Ziel
--e01 Format
--case-number 01 Fallnummer
--evidence-number 01 Beweisnummer
--description secure.local.forensic Beschreibung
--examiner tw,ng Ermittler
--notes first-run Notizen

Resultat

  • ls
win10.E01  win10.E01.txt
  • cat win10.E01.txt
Case Information: 
Acquired using: ADI3
Case Number: 01
Evidence Number: 01
Unique description: secure.local.forensic
Examiner: tw,ng
Notes: first-run

--------------------------------------------------------------

Information for /share/forensic/win10:

Physical Evidentiary Item (Source) Information:
[Device Info]
 Source Type: Physical
[Drive Geometry]
 Cylinders: 6527
 Heads: 255
 Sectors per Track: 63
 Bytes per Sector: 512
 Sector Count: 104857600
[Physical Drive Information]
 Drive Model: VBOX HARDDISK                           
 Drive Serial Number: VB5ace20dd-ef3d9b78 
 Source data size: 51200 MB
 Sector count:    104857600
[Computed Hashes]
 MD5 checksum:    6b73c19fe0d71af2acf91ee3310006cb
 SHA1 checksum:   7d235bb67f42065ca4c01948b3d25fd75a566c95

Image Information:
 Acquisition started:   Tue Aug  3 21:06:40 2021
 Acquisition finished:  Tue Aug  3 21:24:39 2021
 Segment list:
  /share/forensic/win10.E01

Quelle

Abgerufen von „http://wiki.ixheim.de/index.php?title=Ftk_Imager_Handling&oldid=27346