Friday, February 22, 2013

Installing FTK Imager Lite in Linux Command Line

Using the SANS SIFT workstation you have many options available when you are trying to image a hard drive, no matter if it is: dead, alive, internal, or external.  One of my favorite tools to image with is the FTK Imager command line program.   It is a lightweight, fast, and efficient means to extract the image from your suspect drive.  You can run the CMD line program on any operating system with very little difference in syntax but I will be focusing on the Linux version that comes with SIFT.

This blog post will focus on downloading and installing FTK Imager on your computer and I will put up another post in a couple days about how to actually use the command line tool.  I didn't want to overwhelm readers with a huge block of text so I decided to break up the information into two separate posts.

Before we can use FTK Imager we need to have it installed on the computer.  If you have SIFT it is already installed and you do not need to know how to install it but other versions of Linux do not have it installed by default and need to grab it from (  You can select the version that you need and it will be downloaded to your machine for installation.

 I am assuming that the majority of people reading this will know at least a small bit about Linux that they will be able to install it without any troubles but for those of you who are completely new to the glory that is Linux I will give you a short explanation of how to install FTK on your computer. 

First thing is first, find out whether you have a 32-bit or 64-bit version of Linux by typing the following command in the terminal uname –m. if it comes back with “x86_64” then you have a 64-bit kernel and if it comes back with “i686” you have a 32-bit kernel.  Select the appropriate version and download it to whatever directory that you use, it is set to the Downloads folder by default. 

You can install it through the GUI, but what fun is that?  We are using Linux so we should know how to do everything through the terminal because it really allows you to know what is going on under the hood as well as making you feel like a superstar computer user. 

Upon downloading the file to the Downloads folder, open up your terminal and navigate there by using the cd command.  If you want to cheat and are in your own accounts terminal rather than root you can just type cd ~/Downloads. The ~ character represents your home folder and if used in with the cd command will take you to your home folder no matter where you are in the computer.  When you get to the Downloads folder you can use the ls command to view all of the files in that directory. (On a side note I use the words directory and folder interchangeably when dealing with Linux, which they are) Determine what the FTK download is named, usually “ftkimager.x.x.x_UbuntuXX.tar.gz where x.x.x stands for the version number of FTK that was downloaded and XX is the version that was selected (32 or 64 bit).

The next step is to extract the executable from the tar.gz file by using the command sudo tar –zxvf [filename] the switches used mean different things and must be used in the correct case, in this instance they are all lower case.  The z is for the .gz portion of the compression, x is to extract the information from the .tar portion of the compression, v stands for verbose but this switch is optional, and finally f stands for the file that will be extracted from. 

HURRAY!!! We now have the file extracted and are ready to install it and start acquiring everything in sight! Now installing this can be incredibly difficult for anyone, even those with lots of experience…. No not really, it is actually as simple as moving the extracted file to a new directory.  Now I am going to use the directory that SIFT uses for ftkimager: “/usr/local/bin/”.  The syntax for the move is simple: sudo mv ftkimager /usr/local/bin/ and that is all there is to it.  

Now we are ready to start using the command line version of FTK Imager.

Wednesday, February 13, 2013

Random Update

Hey Everyone,

I've been pretty quite on here lately due to graduating, moving to New York City to start my new job, and everything else that is changing but I am going to try to start writing here on a more regular basis.  I started my new job at Huron Consulting Group as a computer forensics analyst in their legal department and I can say that it is an interesting experience coming from college to the real world finally.

In between projects I have the opportunity to do some research of my own and I have been dedicating my time to reading Digital Forensics with Open Source Tools ( following along with that as well as teaching myself Java programming.

I have also had the opportunity to continue working with the SIFT workstation that is provided by SANS Forensics.(  This is one of my favorite forensics tools to use as it already has a fantastic collection of tools and is available as a live cd so that I can image or run tools on the go without having to install anything. I would like to start doing a tutorial of the different tools involved with SIFT and how it can be used either by itself or in conjunction with other tools for verification or to fill in the gaps of other tools.

Another tool that I have been really excited to work with is the Tapeworm tool. (  This tool was created by a team of Champlain College students/faculty and TASC Inc.  It is a great project that automates some important tools and gives the investigators a nice record of the results.  It is only available as a VM right now and should only be used in VMware Workstation 7 or VMware Player 3 due to memory leak issues when used with newer versions of VMware.  I would highly recommend everyone taking a look at the site and trying it out.

As I said earlier I will be trying to make an effort to update this blog more often and have some more research on my different projects and research.