Using the SANS SIFT workstation you have many options available when you are trying to image a hard drive, no matter whether it is dead, alive, internal, or external. One of my favorite tools to image with is the FTK Imager command line program. It is a lightweight, fast, and efficient means to extract the image from your suspect drive. You can run the command line program on any operating system with very little difference in syntax, but I will be focusing on the Linux version that comes with SIFT.
This blog post will focus on downloading and installing FTK Imager on your computer, and I will put up another post in a couple of days about how to actually use the command line tool. I didn't want to overwhelm readers with a huge block of text, so I decided to break up the information into two separate posts.
Before we can use FTK Imager we need to have it installed on the computer. If you have SIFT it is already installed and you do not need to know how to install it, but other versions of Linux do not have it installed by default and you need to grab it from http://www.accessdata.com/support/product-downloads. You can select the version that you need and it will be downloaded to your machine for installation.
I am assuming that the majority of people reading this will know at least a little about Linux, so they will be able to install it without any trouble, but for those of you who are completely new to the glory that is Linux I will give you a short explanation of how to install FTK on your computer.
First things first, find out whether you have a 32-bit or 64-bit version of Linux by typing the following command in the terminal: uname -m. If it comes back with “x86_64” then you have a 64-bit kernel, and if it comes back with “i686” you have a 32-bit kernel. Select the appropriate version and download it to whatever directory you use; by default it goes to the Downloads folder.
You can install it through the GUI, but what fun is that? We are using Linux, so we should know how to do everything through the terminal because it really allows you to know what is going on under the hood as well as making you feel like a superstar computer user.
Upon downloading the file to the Downloads folder, open up your terminal and navigate there by using the cd command. If you want to cheat and are in your own account's terminal rather than root, you can just type cd ~/Downloads. The ~ character represents your home folder and, if used with the cd command, will take you to your home folder no matter where you are in the filesystem. When you get to the Downloads folder you can use the ls command to view all of the files in that directory. (On a side note, I use the words directory and folder interchangeably when dealing with Linux, which they are.)
Determine what the FTK download is named, usually “ftkimager.x.x.x_UbuntuXX.tar.gz”, where x.x.x stands for the version number of FTK that was downloaded and XX is the version that was selected (32 or 64 bit).
The next step is to extract the executable from the tar.gz file by using the command sudo tar -zxvf [filename]. The switches used mean different things and must be given in the correct case; in this instance they are all lower case. The z is for the .gz portion of the compression, x is to extract the information from the .tar portion of the compression, v stands for verbose (this switch is optional), and finally f stands for the file that will be extracted from.
HURRAY!!! We now have the file extracted and are ready to install it and start acquiring everything in sight! Now, installing this can be incredibly difficult for anyone, even those with lots of experience…. No, not really, it is actually as simple as moving the extracted file to a new directory. I am going to use the directory that SIFT uses for ftkimager: “/usr/local/bin/”. The syntax for the move is simple: sudo mv ftkimager /usr/local/bin/ and that is all there is to it.
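The steps above gathered into one script, as an added example that is not from the original post. It assumes the tarball naming quoted above (ftkimager.x.x.x_UbuntuXX.tar.gz with XX = 32 or 64) and that the archive holds a single top-level ftkimager binary; it extracts as the unprivileged user and uses install(1) instead of mv so the copy into /usr/local/bin lands with known permissions.

```shell
# Added example, not from the original post: the install steps as one script
# with sanity checks. Assumptions: tarball named ftkimager.x.x.x_UbuntuXX.tar.gz
# (XX = 32 or 64) containing a single top-level "ftkimager" binary; the SIFT
# location /usr/local/bin is used for the installed copy.
set -eu
# Map `uname -m` output to the XX suffix of the tarball name (x86_64 -> 64,
# i686 -> 32). Anything else is rejected rather than guessed.
ftk_arch_suffix() {
    case "$1" in
        x86_64)     echo 64 ;;
        i686|i386)  echo 32 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}
# From a list of file names (one per argument) pick the single tarball for the
# given suffix; fail if none, or more than one, matches.
pick_tarball() {
    suffix=$1; shift
    match=""
    for f in "$@"; do
        case "$f" in
            ftkimager.*_[Uu]buntu"$suffix".tar.gz)
                [ -z "$match" ] || { echo "more than one ftkimager tarball found" >&2; return 1; }
                match=$f ;;
        esac
    done
    [ -n "$match" ] || { echo "no ftkimager tarball for ${suffix}-bit found" >&2; return 1; }
    echo "$match"
}
# Whole procedure. Extraction runs as the unprivileged user in a scratch
# directory, so a malformed archive cannot write outside it as root; sudo is
# used only for the final copy into /usr/local/bin.
install_ftkimager() {
    dir=${1:-"$HOME/Downloads"}
    suffix=$(ftk_arch_suffix "$(uname -m)")
    tarball=$(cd "$dir" && pick_tarball "$suffix" *)
    tmp=$(mktemp -d)
    tar -xzf "$dir/$tarball" -C "$tmp"
    [ -f "$tmp/ftkimager" ] || { echo "archive did not contain ftkimager" >&2; return 1; }
    sudo install -m 0755 "$tmp/ftkimager" /usr/local/bin/ftkimager
    rm -rf "$tmp"
}
# Run the procedure only when invoked as: sh install_ftk.sh install [download_dir]
if [ "${1:-}" = install ]; then
    install_ftkimager "${2:-}"
fi
```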
Now we are ready to start using the command line version of FTK Imager.