Tuesday, September 26, 2017

Command Line FTK Imager

FTK Imager has been around for years but it wasn't until recently that AccessData released a break out version for use on the Command Line for the general public.  Or maybe I was just unaware of it.  They've made these command line tools freely available to the general public as well as multi-platform (Windows, Debian, Red-Hat, and Mac OS).  Technically, these aren't open source; however, I'd consider them to be the best command line imaging solutions for people wanting to use the E01 format.

The imager can be downloaded from http://accessdata.com/product-download?/support/product-downloads.

Below are some examples of CLI FTK Imager use.  These are all related to debian based systems.  The command syntax will be the same on Windows and Max OS' but the path's to physical and logical disks will differ greatly.

Here is the majority of the FTK Imager Helpfile which you can get by simply executing the pre-compiled binary:

Usage:  ftkimager source [dest_file] [options]
source can specify a block device, a supported image file, or `-' for stdin
if dest_file is specified, proper extension for image type will be appended
if dest_file is `-' or not specified, raw data will be written to stdout
  --help        : display this information
  --list-drives : show detected physical drives
  --verify      : hash/verify the destination image,
                  or the source image if no destination is specified
  --print-info  : print information about a drive or image and then exit
  --quiet       : do not show create/verify progress information
  --no-sha1     : do not compute SHA1 hash during acquire or verify
(The following options are valid only when dest_file is specified):
  --s01         : create a SMART ew-compressed image
  --e01         : create an E01 format image
  --frag x{K|M|G|T} : create image fragments at most x {K|M|G|T} in size
                  also accepts kB, MB, GB, and TB for powers of 10 instead of 2
  --compress C  : set compression level to C (0=none, 1=fast, ..., 9=best)
  e01/smart metadata (use quote marks when X contains spaces):
    --case-number X
    --evidence-number X
    --description X
    --examiner X
    --notes X
AD Encryption Options:
  --inpass P      : decrypt source file using password P
  --incert C [P]  : decrypt source file using certificate C with password P
  --outpass P     : encrypt dest file using password P
  --outcert C [P] : encrypt dest file using certificate C with password P

First of all, you can use it to list drives (convenient) but you'll have to navigate to the unzipped binary file (ftkimager) or add it to your path.

$ ./ftkimager --list-drives

This did not work for me but it may work out for you.  But there are other ways to do this as well.  You can review a previous post for more on that.

Basic physical disk collections using with compression.

$ ./ftkimager /dev/sdd /path/to/destinationfile/EvidenceItem001 --e01 --compress 9 --case-number 1700345498 --evidence-number ITEM001 --description "This HP was located in the suspects kitchen."  --examiner "Adam" --notes "Case and collection notes."

Above /dev/sdd is the source drive or container you are attempting to capture, in this case a physical disk on a *nix system.

/path/to/destinationfile/EvidenceItem001 is the path to the location you want to store the image file

Note that you DO NOT HAVE TO PUT THE .E01 FILE EXTENSION on the destination filename because this tool can generate multiple types of images like AD, SWF, and RAW/dd images. 

The --e01 option indicates that we are capturing it to an Expert Witness Formatted file.

And the --compress 9 option sets the images compression level.  The compression can be 0 (none), or 1 for the lowest and 9 for the highest levels of compression.  Obviously, 5 would be somewhere towards the middle.  Compression takes time so pick your poison.

The imaging tool also provides a few things for you when it runs.  First, it continually updates the imaging status with a line at the bottom of the terminal window that looks similar to this:

5590.99 / 305245.55 MB (79.95 MB/sec) - 45:55 left

In addition to imaging physical disks, FTK can also image logical disks (good for capturing encrypted volumes that are in an unlocked state.  This can be done by pointing to the correct source point.  On a modern Windows host (using and ADMINISTRATOR CMD INSTANCE), you can capture a logical image like this:

> ftkimager.exe C:/ E:\path\to\destinationfile\EvidenceItem001 --e01 --compress 9 --case-number 1700345498 --evidence-number ITEM001 --description "This HP was located in the suspects kitchen."  --examiner "Adam" --notes "Case and collection notes.  The decrypted logical volume is being captured live because the container is encrypted with Bitlocker."

Alternatively a physical disk would look something like this:

> ftkimager.exe \\.\PHYSICALDRIVE1 E:\path\to\destinationfile\EvidenceItem001 --e01 --compress 9 --case-number 1700345498 --evidence-number ITEM001 --description "This HP was located in the suspects kitchen."  --examiner "Adam" --notes "Case and collection notes.  The decrypted logical volume is being captured live because the container is encrypted with Bitlocker."

To get a list of physical disks on Windows you can do this:

> wmic diskdrive list brief /format:list

Caption=ATA ST2000DM001-1ER1 SCSI Disk Device
Model=ATA ST2000DM001-1ER1 SCSI Disk Device



To get a list of logical containers on Windows you can do this:

wmic logicaldisk get caption,description,drivetype,providername,volumename

Caption  Description       DriveType  ProviderName  VolumeName
C:       Local Fixed Disk  3                        Windows
D:       Local Fixed Disk  3                        DELL_RECOVERY
E:       Local Fixed Disk  3                        
F:       CD-ROM Disc       5

G:       Local Fixed Disk  3