Digital Forensics:Using FTK Imager on CLI with Mac OS, Macbook

Digital Forensics:Using FTK Imager on CLI with Mac OS, Macbook

การทำสำเนาพยานหลักฐานดิจิทัลโดยใช้โปรแกรม FTK Imager ผ่านคำสั่ง command line บนเครื่อง Macbook

Step 1: Source 

First things first, We can use Mac’s built-in diskutil list command to display disks and partitions. 

My hard drive is mapped as /dev/disk0 — this is fairly typical. Note we’ve got 4 “partitions”; right now we care about one:

Step 2: Tools

 First thing, download AccessData FTK Imager CLI   for Mac(https://accessdata.com/product-download/mac-os-10-5-and-10-6x-version-3-1-1, looking for “Command Line Versions of FTK”. 

Ok, We know that /dev/disk0 is my full disk,    Here’s my command:

Image 11. Full command to run FTK Imager

1.       /dev/disk0 – Is the source, the disk to acquire the image.

2.       /Volumes/TABLEAU/CF_MAC/CF001 – The destination of forensic image files, CF_MAC Folder is where the files will be storage, CF001 is the name of the file.

3.       --e01 – The format of the image, this kind is for Encase image file format.

4.       --frag 1500MB, each file will have a maximum of 1500 Megabytes, ftkimager split the entire image in the necessary files with this size.

5.       --compress 9, level of compression for the disk image.

6.       --case-number, the number of the case.

7.       --evidence-number, the evidence number.

8.       --description, any comment for your case.

9.       --examiner, your full name or acronym of your name.

10.   --notes, any additional comment you want.

 

--verify   Hash/verify the destination image, or the source image if no destination is specified

Running the command and options above, the following will show even with the ongoing process

* The Mac version of Command Line Imager supports OS 10.5 and 10.6 The print-info command on Mac and Linux images (in E01 and S01 formats), under “Acquired on OS:” gives the kernel version number, not the OS version. For example, an image acquired on Mac OS 10.6.3, displays version 10.3.0 (which is the Darwin kernel version).

Step 3:Running FTK Imager acquiring

Step 4:Create complete.

Step 5:The information it has acquired.

When the process of acquiring the image is done, FTK creates a (CF001.E01.txt) file with the summary    in the folder where is stored the image’s files, including features of the disk like the image’s hash values. 

Download  Summary    CF001.E01.txt file of FTK Imager on CLI,

This file lists the evidence information, details of the drive, check sums, and times the image acquisition started and finished:

Also, you can create a forensic image from a running or dead machine. It is a literal snapshot in time that has integrity checking.

Referent:   Imager Command Line Help

                Forensics 101: Acquiring an Image with FTK Imager

                Acquiring an Image with FTK Imager

สรุป  การทดสอบตามสถานการณ์จำลองเพื่อทำลองคำสั่ง  และให้ทำตาม Steps of Digital Forensics  การทำสำเนาพยานหลักฐานดิจิทัลโดยใช้โปรแกรม FTK Imager ผ่านคำสั่ง command line  

     - พบว่าคำสั่ง --compress  สามารถบีบอัด (Image File )ไฟล์ให้เล็กลง

     - ให้เพิ่มคำสั่ง --verify   Hash/verify the destination image, or the source image if no destination is specified

       

 

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD #MOBILEFORENSICS

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น
* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ