Disk acquisition with FTK Imager

1. Introduction

In this lab, the evidence hard disk is mounted on ‘/dev/sdc’. The FTK Imager is installed on the lab machine.

Create a disk image for evidence hard disk using FTK Imager tool.

2. Create Disk Image with FTK Imager

Like in the previous exercises we have to made sure that the target disk is not mounted

umount /dev/sdc

Let’s check the command switches, to see how we get the disk image

ftkimager --help

If I compare that with ewfacquire there are more command line swiches needed. Let’s go ahead

ftkimager /dev/sdc evidence --e01 --case-number 102 --evidence-number 2 --description 'Acquired image for case number 102' --examiner 'Cybercop'

ftkimager evidence.E01 --print-info

PreviousDisk acquisition with ewftoolsNextMount disk image (raw)

Last updated