Ftk Imager For Macheavenlyboard



Using the SANS SIFT workstation you have many options available when you are trying to image a hard drive, no matter if it is dead, alive, internal, or external. One of my favorite tools to image with is the FTK Imager command line program. It is a lightweight, fast, and efficient means to extract the image from your suspect drive. You can run the command line program on any operating system with very little difference in syntax, but I will be focusing on the Linux version that comes with SIFT.


This blog post will focus on downloading and installing FTK Imager on your computer, and I will put up another post in a couple of days about how to actually use the command line tool. I didn't want to overwhelm readers with a huge block of text, so I decided to break up the information into two separate posts.
Before we can use FTK Imager we need to have it installed on the computer. If you have SIFT it is already installed and you do not need to know how to install it, but other versions of Linux do not have it installed by default and need to grab it from http://www.accessdata.com/support/product-downloads. You can select the version that you need and it will be downloaded to your machine for installation.

I am assuming that the majority of people reading this will know at least a small bit about Linux and will be able to install it without any trouble, but for those of you who are completely new to the glory that is Linux I will give you a short explanation of how to install FTK on your computer.
First things first, find out whether you have a 32-bit or 64-bit version of Linux by typing the following command in the terminal: uname -m. If it comes back with "x86_64" then you have a 64-bit kernel, and if it comes back with "i686" you have a 32-bit kernel. Select the appropriate version and download it to whatever directory you use; it is set to the Downloads folder by default.

You can install it through the GUI, but what fun is that? We are using Linux, so we should know how to do everything through the terminal because it really allows you to know what is going on under the hood as well as making you feel like a superstar computer user.
Upon downloading the file to the Downloads folder, open up your terminal and navigate there by using the cd command. If you want to cheat and are in your own account's terminal rather than root, you can just type cd ~/Downloads. The ~ character represents your home folder and, if used with the cd command, will take you to your home folder no matter where you are in the computer. When you get to the Downloads folder you can use the ls command to view all of the files in that directory. (On a side note, I use the words directory and folder interchangeably when dealing with Linux, which they are.) Determine what the FTK download is named, usually "ftkimager.x.x.x_UbuntuXX.tar.gz", where x.x.x stands for the version number of FTK that was downloaded and XX is the version that was selected (32 or 64 bit).

The next step is to extract the executable from the tar.gz file by using the command sudo tar -zxvf [filename]. The switches used mean different things and must be used in the correct case; in this instance they are all lower case. The z is for the .gz portion of the compression, x is to extract the information from the .tar portion of the compression, v stands for verbose (this switch is optional), and finally f stands for the file that will be extracted from.

HURRAY!!! We now have the file extracted and are ready to install it and start acquiring everything in sight! Now installing this can be incredibly difficult for anyone, even those with lots of experience.... No, not really, it is actually as simple as moving the extracted file to a new directory. I am going to use the directory that SIFT uses for ftkimager: "/usr/local/bin/". The syntax for the move is simple: sudo mv ftkimager /usr/local/bin/ and that is all there is to it.
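The whole procedure above (pick the build from uname -m, extract the tarball, move ftkimager into place) as an added example written for this post, not the AccessData installer: the functions take the archive and target directory as parameters so the steps can be checked against a constructed stand-in archive without touching /usr/local/bin or the network.

```shell
#!/bin/sh
# Added example: the post's install steps wrapped in functions so each step can
# be verified. The sample archive below is constructed here; the real one comes
# from the AccessData download page named in the post.

# Map `uname -m` output to the build (32 or 64 bit) the post tells you to pick.
ftk_build_for_arch() {
    case "$1" in
        x86_64)    echo 64 ;;
        i686|i386) echo 32 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Extract ftkimager from a .tar.gz and install it into a target directory.
# $1 = archive path, $2 = install directory (the post uses /usr/local/bin,
# which needs sudo; the self-test uses a writable temporary directory).
install_ftkimager() {
    archive="$1"; dest="$2"
    workdir=$(mktemp -d) || return 1
    # z = gunzip, x = extract, f = archive file (v omitted: it only adds noise)
    tar -zxf "$archive" -C "$workdir" || return 1
    # Refuse to install if the archive did not actually contain the binary.
    if [ ! -f "$workdir/ftkimager" ]; then
        echo "ftkimager not found in $archive" >&2; rm -rf "$workdir"; return 1
    fi
    chmod 755 "$workdir/ftkimager"
    mkdir -p "$dest" && mv "$workdir/ftkimager" "$dest/ftkimager" || return 1
    rm -rf "$workdir"
    echo "$dest/ftkimager"
}

# Build a constructed stand-in for ftkimager.x.x.x_Ubuntu64.tar.gz containing
# a stub script, so the install function can be exercised offline.
make_sample_archive() {
    src=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho ftkimager stub\n' > "$src/ftkimager"
    tar -C "$src" -czf "$src/ftkimager.x.x.x_Ubuntu64.tar.gz" ftkimager || return 1
    echo "$src/ftkimager.x.x.x_Ubuntu64.tar.gz"
}
```

For a real install, replace the constructed archive with the downloaded file and pass /usr/local/bin (under sudo) as the destination.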
Now we are ready to start using the command line version of FTK Imager.