Disk acquisition with FTK Imager
In this lab, the evidence hard disk is mounted on ‘/dev/sdc’. FTK Imager is installed on the lab machine.
Create a disk image of the evidence hard disk using the FTK Imager tool.
As in the previous exercises, we have to make sure that the target disk is not mounted:
umount /dev/sdc
Let’s check the command switches to see how to create the disk image:
ftkimager --help
If I compare that with ewfacquire, more command-line switches are needed. Let’s go ahead:
ftkimager /dev/sdc evidence --e01 --case-number 102 --evidence-number 2 --description 'Acquired image for case number 102' --examiner 'Cybercop'
ftkimager evidence.E01 --print-info
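A pre-acquisition check to go with the unmount step above, as an added example that is not part of the original lab: `umount /dev/sdc` only detaches a filesystem mounted from the whole-disk node, so a partition such as /dev/sdc1 can still be mounted read-write when imaging starts. The function names, the SAMPLE_MOUNTS variable and the mount table below are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to image a disk while any of its partitions is mounted.

# Print "source mountpoint options" for every mount-table entry whose source
# is DEVICE itself or one of its partitions (/dev/sdc -> /dev/sdc1,
# /dev/nvme0n1 -> /dev/nvme0n1p1). MOUNTS defaults to /proc/self/mounts;
# it is a parameter so the check can be run against a constructed table.
mounted_entries() {
    dev=$1
    mounts=${2:-/proc/self/mounts}
    awk -v dev="$dev" '
        $1 == dev { print $1, $2, $4; next }
        index($1, dev) == 1 {
            rest = substr($1, length(dev) + 1)
            # Only a partition suffix counts, so /dev/sdcc1 is not /dev/sdc.
            if (rest ~ /^p?[0-9]+$/) print $1, $2, $4
        }' "$mounts"
}

# Return 0 only when nothing on DEVICE is mounted.
safe_to_image() {
    [ -z "$(mounted_entries "$1" "$2")" ]
}

# Constructed sample mount table (not output from the lab machine).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdc1 /media/evidence vfat rw,nosuid,nodev 0 0
/dev/sdcc1 /mnt/other ext4 rw 0 0
tmpfs /run tmpfs rw 0 0
EOF

if safe_to_image /dev/sdc "$SAMPLE_MOUNTS"; then
    echo "nothing mounted from /dev/sdc, OK to acquire"
else
    echo "refusing to image /dev/sdc, still mounted:"
    mounted_entries /dev/sdc "$SAMPLE_MOUNTS"
fi
```

On the lab machine, call `safe_to_image /dev/sdc` without the second argument to read the live mount table before running the ftkimager acquisition command.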