Digital Forensics:Using FTK Imager on CLI with Mac OS, Macbook
Creating a forensic copy of digital evidence with FTK Imager via the command line on a MacBook
Step 1: Source
First things first, we can use the Mac's built-in diskutil list command to display disks and partitions.
My hard drive is mapped as /dev/disk0, which is fairly typical. Note we've got 4 "partitions"; right now we care about one:
Step 2: Tools
First, download the AccessData FTK Imager CLI for Mac (https://accessdata.com/product-download/mac-os-10-5-and-10-6x-version-3-1-1), looking for "Command Line Versions of FTK".
OK, we know that /dev/disk0 is my full disk. Here's my command:
Image 11. Full command to run FTK Imager
1. /dev/disk0 – the source, the disk to acquire.
2. /Volumes/TABLEAU/CF_MAC/CF001 – the destination of the forensic image files; CF_MAC is the folder where the files will be stored, and CF001 is the base name of the image files.
3. --e01 – the image format; this one is the EnCase image file format.
4. --frag 1500MB – each segment file will have a maximum size of 1500 megabytes; ftkimager splits the entire image into as many files of this size as needed.
5. --compress 9 – the compression level for the disk image.
6. --case-number – the case number.
7. --evidence-number – the evidence number.
8. --description – any comment about your case.
9. --examiner – your full name or your initials.
10. --notes – any additional comment you want to record.
11. --verify – hash and verify the destination image, or the source image if no destination is specified.
Running the command with the options above, the following output is displayed while the process is running:
* The Mac version of Command Line Imager supports OS 10.5 and 10.6
The print-info command on Mac and Linux images (in E01 and S01 formats), under "Acquired on OS:", gives the kernel version number, not the OS version. For example, an image acquired on Mac OS 10.6.3 displays version 10.3.0 (which is the Darwin kernel version).
Step 3: Running the FTK Imager acquisition
Step 4: Acquisition complete.
Step 5: The information recorded for the acquired image.
Also, you can create a forensic image from either a running or a dead machine. It is a literal snapshot in time that carries its own integrity checking.
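The whole procedure (Steps 1 to 5) as a shell script, added here as an example and not taken from the original post: the device path, destination folder, case metadata and examiner name are placeholders, and the final cross-check assumes libewf's ewfverify is installed.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the acquisition the
# post walks through (Steps 1-5) and adds a cross-check with a second tool.
# Assumptions: the device, destination folder and case metadata are
# placeholders, and libewf's ewfverify is installed for the cross-check.
set -eu

# Step 1: confirm what the source device is before imaging it. If it is the
# disk this Mac booted from, the image captures a live, changing volume;
# record that in the case notes.
confirm_source() {
    diskutil info "$1" | grep -E 'Device Node|Disk Size|Volume Name'
}

# Step 2: build the ftkimager command line from the options listed above,
# in the same order. Printing it first lets the examiner review it and paste
# the exact line into the case notes before anything touches the evidence drive.
build_ftkimager_cmd() {
    src=$1 dest=$2 case_no=$3 ev_no=$4 examiner=$5
    printf 'ftkimager %s %s --e01 --frag 1500MB --compress 9' "$src" "$dest"
    printf ' --case-number %s --evidence-number %s' "$case_no" "$ev_no"
    printf ' --description "Full disk image" --examiner %s' "$examiner"
    printf ' --notes "Acquired via FTK Imager CLI" --verify\n'
}

# Steps 3-4: count the E01 segment files written for an image base name
# (CF001.E01, CF001.E02, ... then CF001.EAA after E99). Zero segments means
# the acquisition never started writing; compare the count with what
# --frag 1500MB should produce for the source disk size.
count_segments() {
    base=$1 n=0
    for f in "$base".E[0-9A-Z][0-9A-Z]; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Step 5: ftkimager --verify re-reads its own output. Having an independent
# implementation (libewf's ewfverify) recompute the hashes stored in the E01
# header is a stronger statement for the chain of custody.
cross_check() {
    command -v ewfverify >/dev/null 2>&1 || { echo "ewfverify not installed" >&2; return 2; }
    ewfverify "$1".E01
}

# Example run (placeholder values):
#   confirm_source /dev/disk0
#   build_ftkimager_cmd /dev/disk0 /Volumes/TABLEAU/CF_MAC/CF001 CASE-001 EV-001 JDOE
#   then run the printed line, and afterwards:
#   count_segments /Volumes/TABLEAU/CF_MAC/CF001; cross_check /Volumes/TABLEAU/CF_MAC/CF001
```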
Reference: Imager Command Line Help
#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD #MOBILEFORENSICS
* If there is any error in this information, I apologize. Please notify the Admin so it can be corrected.
Thank you.