The Options
As with nearly all programs
in Linux there is a help file that allows the user to see what options are
available and the proper syntax.
Unfortunately ftkimager does not have a man or info page so we
will have to settle with the help file.
You can access the help file by either typing a wrong syntax after
ftkimager OR you can type the following syntax sudo ftkimager –help and hit enter.
It is also important to note
that double dashes “—“ are required to make all the options work instead of the
standard single dash or forward slash.
A list of options and a short
explanation for each will appear. I will
try to go into a little better detail for some of the options while others are self-explanatory. I will explain the different options first
and then go into detail about how to use the syntax correctly after. If you want to just see how to run the syntax you can jump to near the end.
--help : This will show the help file. (duh)
--list-drives :
This will show you a list of drives that are available to use, either to copy
from or a drive to copy the information to.
It can be shown as a /dev/sda
or a /media/[media name] or however
you have your media connected. It is not
as important to know which type of connection it is as long as you know which
drive is which.
--verify :
This option will allow you to verify that the image was successful in copying
correctly. This will usually take about
as long as it did to image the drive so be prepared to wait a while if you have
a large drive you are imaging. It will
also provide you with the hash value of the source and destination images so
that you can be sure that they are the same.
I would suggest this for any drive that you want to ensure the integrity
of and I usually use it all the time even for small things like testing just so
I am in the habit.
--print-info /drive :
This option will allow the user to identify different characteristics about the
drive they are either acquiring or the drive they are putting the image on. It will tell you the drive geometry as well
as the physical information such as connection type and drive model. This can be useful if you are not 100% sure
about which drive is which and need to see more information about the device.
It can also be useful when doing documentation of the drive for your paperwork
if needed. As a side note here, this
will not actually perform any function other than listing the information. If this is added to a string then the whole
thing will be “theoretical” in the sense that no actual image will be created.
--quiet :
This should be obvious to anyone with a little common sense. If you use this option you will not see any
information during the imaging process.
I would suggest not using this option ever because there is no real
legitimate purpose for using it that I can see.
--no-sha1 :
This is another one of those options where it is not really necessary to have
it included in your syntax. It will make
the program not compute the SHA1 has value during the acquisition phase or the
verify phase.
(The
following options are only to be used when you specify the name of the file on
the destination drive)
--s01 : Creates a .s01 file out of your image so that you
can use it programs that work with .s01 files.
(http://www.dfrws.org/CDESF/survey-dfrws-cdesf-diskimg-01.pdf ) provides a list of
different forensics image file types that are used and the .s01 is on the last
2 pages. It is a file type that is
supported in FTK as well as SMART Linux, which I have not had the pleasure of
working with but can be found here [http://www.asrdata.com/forensic-software/smart-linux/
] {gogo inception style side remarks}).
Please do not judge the quality of this blog off of the last sentence
structure, I should probably change it but it does reflect well of my sense of
humor so I believe I will leave it.
--e01 : If you have any experience with forensics and more
specifically EnCase, you should have a pretty good idea about what this option
does. I will give you a hint *It creates
an .e01 file so you can run it in EnCase*… O wait that was a little more than a
hint. O well let us move on to the next
section which deals directly with the .s01 and .e01 files that were created (if
you used the previous options).
--case-number “x” : Provides you with the
ability to set a case number for your acquisition. If there is a space in the number then you
must put them in quotation marks or you will end up with an error. This rule applies to all of the following
options as well.
--evidence-number “x” : Creates an evidence number for your imaged drive
when you convert it to .e01/.s01 so that the program you use will be able to
automatically fill that section in.
--description “x” : Allows you to write up a description of the image
that you are creating such as “Suspect_Whover_Laptop”. Does not have to be elaborate or specific,
really depends on the way that your investigation needs or your company does
it.
--examiner “x: : Examiners name…. That’s you dummy. Sorry, but seriously put your name there or
they will wonder who did the amazing job of imaging the drive (as long as you
follow my blog it should be no problem).
--notes “x” : Put your case notes here if needed. It can be useful if there is something
special about the image or if there is information that anyone working on the
image will need to know.
That
ends the section about e01/s01 files specifically.
--frag x {K|M|G|T} : This option will allow you to break the image into
fragments of a predetermined size for easier storage. The size of each fragment will be “x” in whatever
size section that you selected. You could
also put Kb|Mb|Gb|Tb as well for powers of 10 instead of 2 which is normally
used.
--compress x : sets the compression level from (0-9) where 0=no
compression (which makes on sense because if you put 0 you may as well have not
added this option), 1= fastest compression method, 2= fast but better
compression, and so on and so forth until 9 which creates the best compression
rate but will also be the slowest.
The next section is about
encrypting the image
*Note – This section is optional but if you are
working with all Access Data tools such as the Forensics ToolKit (FTK) for the
main investigation it may be worth using these options. That being said, if you are planning on using
EnCase, Autopsy, or any other number of forensics tools I would suggest not
using the encryption methods mentioned here and instead use something like Truecrypt
or other means to protect your information.
I also do not have a lot of experience using the encryption functions
with FTK imager lite so I would strongly urge you to think about using the
following functions. I will continue to
research this section more and will have another update on it at a later date.
(for now you can read Zoltan Szabo’s blog post about FTK imager encryption as
it is really good. http://zoltandfw.blogspot.com/2012/10/ftk-imager-cli-with-certificate.html)
--outpass “x” : Encrypts
the image with the password “x”. This
should be used if it the image needs to be kept private from other people or if
being used on a drive that multiple people use.
It is probably good habit to use this command if you deal with lots of sensitive
information.
--inpass “x” : decrypts an
image from the source file with the password “x”. This is the opposite of the outpass option and is used to decrypt
what that encrypted.
--outcert C “x” : this encrypts the image using a certificate “C”
with the password “x”. This will ensure
that your image can only work with Access Data products by creating a certificate
that is unique to their forensics tools.
I would be hesitant about using this
--incert C “x” : decrypts the image using the certificate “C” and
password “x”
Usage
Wooo,
now we get to the part where I stop droning on about options and what not and
get to the good stuff, how to actually use this tool. Overall it is not a hard tool to understand
once you know what the options do and that is why I included that section
first. The syntax for to make an image
is as follows:
sudo ftkimager
source [dest_file] [options]
Beautiful
isn’t it? Simple and elegant in design and function, and now you should be able
to understand exactly what is needed! Let
us try a few practice commands
sudo ftkimager /sda
/sdb1/cases/Randy\ 5/ --e01 –frag 2GB
This
command will make a copy of /sda (the source) and place it in /sdb1/cases/ (the
dest_file) and name it “Randy 5”. It will be an E01 file and be segmented into
2GB files. Pretty easy right? Let’s try another
sudo ftkimager /sda
/media/travel\ drive/example/john –s01 –quiet
Well
how about that, do you know what all that did?
I will tell you if you don’t. It
created a S01 image of the /sda (usually the main hard drive) and placed it in
the “travel drive” attached media and the example folder in there with the name
john. O and there would be no
information present in the imaging phase to let us know how much longer it has
because of the quiet option.
One
more should do the trick and then we will have a whole bunch of investigators
who are proficient at using this simple tool.
sudo ftkimager /sdb
/media/trave\ drive/example –s01 –print-info –compress 5 –outpass th1sisAg00d1!
What
would that accomplish? If you said absolutely
nothing you would be correct!! By including the print-info option we have eliminated any actual work and replaced
it with what would happen if we ran it including the hash and and compression
and password.
I
hope that this has been helpful for everyone and you enjoy reading it as much
as I did writing it. I plan on doing
more work with the SIFT workstation and reviewing more of their tools. If you have any good ideas let me know and
maybe I will get around to doing a review/test of that. Comments are always appreciated and I will
try to take time to answer any questions.
