Tuesday, September 26, 2017

Command Line FTK Imager

FTK Imager has been around for years, but it wasn't until recently that AccessData released a breakout version for use on the command line for the general public.  Or maybe I was just unaware of it.  They've made these command line tools freely available to the general public as well as multi-platform (Windows, Debian, Red Hat, and Mac OS).  Technically, these aren't open source; however, I'd consider them to be the best command line imaging solutions for people wanting to use the E01 format.

The imager can be downloaded from http://accessdata.com/product-download?/support/product-downloads.

Below are some examples of CLI FTK Imager use.  These all relate to Debian-based systems.  The command syntax will be the same on Windows and Mac OS, but the paths to physical and logical disks will differ greatly.



Here is the majority of the FTK Imager help file, which you can get by simply executing the pre-compiled binary:

Usage:  ftkimager source [dest_file] [options]
source can specify a block device, a supported image file, or `-' for stdin
if dest_file is specified, proper extension for image type will be appended
if dest_file is `-' or not specified, raw data will be written to stdout
Options:
  --help        : display this information
  --list-drives : show detected physical drives
  --verify      : hash/verify the destination image,
                  or the source image if no destination is specified
  --print-info  : print information about a drive or image and then exit
  --quiet       : do not show create/verify progress information
  --no-sha1     : do not compute SHA1 hash during acquire or verify
(The following options are valid only when dest_file is specified):
  --s01         : create a SMART ew-compressed image
  --e01         : create an E01 format image
  --frag x{K|M|G|T} : create image fragments at most x {K|M|G|T} in size
                  also accepts kB, MB, GB, and TB for powers of 10 instead of 2
  --compress C  : set compression level to C (0=none, 1=fast, ..., 9=best)
  e01/smart metadata (use quote marks when X contains spaces):
    --case-number X
    --evidence-number X
    --description X
    --examiner X
    --notes X
AD Encryption Options:
  --inpass P      : decrypt source file using password P
  --incert C [P]  : decrypt source file using certificate C with password P
  --outpass P     : encrypt dest file using password P
  --outcert C [P] : encrypt dest file using certificate C with password P



First of all, you can use it to list drives (convenient), but you'll have to navigate to the unzipped binary (ftkimager) or add it to your path.

$ ./ftkimager --list-drives

This did not work for me, but it may work for you.  There are other ways to do this as well; you can review a previous post for more on that.



Basic physical disk collection usage with compression:

$ ./ftkimager /dev/sdd /path/to/destinationfile/EvidenceItem001 --e01 --compress 9 --case-number 1700345498 --evidence-number ITEM001 --description "This HP was located in the suspects kitchen."  --examiner "Adam" --notes "Case and collection notes."

Above, /dev/sdd is the source drive or container you are attempting to capture; in this case it is a physical disk on a *nix system.

/path/to/destinationfile/EvidenceItem001 is the path to the location where you want to store the image file.

Note that you DO NOT HAVE TO PUT THE .E01 FILE EXTENSION on the destination filename: the tool appends the proper extension for the image type itself, because it can generate multiple types of images like AD, SWF, and RAW/dd images.

The --e01 option indicates that we are capturing to an Expert Witness Format (E01) file.

And the --compress 9 option sets the image's compression level.  The compression can be 0 (none), or 1 for the lowest and 9 for the highest level of compression.  Obviously, 5 would be somewhere towards the middle.  Compression takes time, so pick your poison.

The imaging tool also provides a few things for you when it runs.  First, it continually updates the imaging status with a line at the bottom of the terminal window that looks similar to this:

5590.99 / 305245.55 MB (79.95 MB/sec) - 45:55 left
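The acquisition above, wrapped so that the source is checked first and the finished E01 is hashed and verified with the --verify option from the help text. This is an added example, not code from the post or from AccessData; it assumes the ftkimager binary is in the current directory or named in $FTKIMAGER, and the case values are the post's constructed ones.

```shell
#!/bin/sh
# Added example, not code from the post or from AccessData: wraps the
# acquisition shown above and follows it with ftkimager's --verify pass,
# so the E01 is hashed and checked before the drive leaves your custody.
# Assumes ftkimager is in the current directory or named in $FTKIMAGER.
FTKIMAGER="${FTKIMAGER:-./ftkimager}"

# Per the help text, the source must be a block device, a supported image
# file, or '-' for stdin. A mount point (a directory) is none of these and
# produces the "Is a directory" error.
ftk_check_source() {
    src="$1"
    if [ "$src" = "-" ] || [ -b "$src" ] || [ -f "$src" ]; then
        return 0
    fi
    echo "ftkimager cannot read '$src': need a block device, image file or -" >&2
    return 1
}

# Acquire to an E01 with the case metadata, then hash/verify the image.
# Args: source dest case_number evidence_number examiner description notes
# ftkimager appends .E01 to dest itself, so the verify step targets dest.E01.
ftk_acquire_and_verify() {
    src="$1"; dest="$2"
    ftk_check_source "$src" || return 1
    "$FTKIMAGER" "$src" "$dest" --e01 --compress 9 \
        --case-number "$3" --evidence-number "$4" --examiner "$5" \
        --description "$6" --notes "$7" || return 1
    # With no dest_file given, --verify hashes and verifies the source image.
    "$FTKIMAGER" "$dest.E01" --verify
}

# Example invocation mirroring the post (constructed values):
# ftk_acquire_and_verify /dev/sdd /path/to/destinationfile/EvidenceItem001 \
#     1700345498 ITEM001 Adam "This HP was located in the suspects kitchen." \
#     "Case and collection notes."
```

The verify pass re-reads the whole image, so budget roughly as long again as the acquisition took; the check on the source is what turns the "Is a directory" failure into an immediate, explained error instead of a late one.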



In addition to imaging physical disks, FTK Imager can also image logical disks (good for capturing encrypted volumes that are in an unlocked state).  This is done by pointing to the correct source.  On a modern Windows host (using an ADMINISTRATOR CMD INSTANCE), you can capture a logical image like this:

> ftkimager.exe C:/ E:\path\to\destinationfile\EvidenceItem001 --e01 --compress 9 --case-number 1700345498 --evidence-number ITEM001 --description "This HP was located in the suspects kitchen."  --examiner "Adam" --notes "Case and collection notes.  The decrypted logical volume is being captured live because the container is encrypted with Bitlocker."

Alternatively a physical disk would look something like this:

> ftkimager.exe \\.\PHYSICALDRIVE1 E:\path\to\destinationfile\EvidenceItem001 --e01 --compress 9 --case-number 1700345498 --evidence-number ITEM001 --description "This HP was located in the suspects kitchen."  --examiner "Adam" --notes "Case and collection notes.  The decrypted logical volume is being captured live because the container is encrypted with Bitlocker."

To get a list of physical disks on Windows you can do this:

> wmic diskdrive list brief /format:list

Caption=ATA ST2000DM001-1ER1 SCSI Disk Device
DeviceID=\\.\PHYSICALDRIVE1
Model=ATA ST2000DM001-1ER1 SCSI Disk Device
Partitions=1
Size=2000396321280

[SHORTENED FOR SANITY]

To get a list of logical containers on Windows you can do this:

> wmic logicaldisk get caption,description,drivetype,providername,volumename

Caption  Description       DriveType  ProviderName  VolumeName
C:       Local Fixed Disk  3                        Windows
D:       Local Fixed Disk  3                        DELL_RECOVERY
E:       Local Fixed Disk  3                        
F:       CD-ROM Disc       5
G:       Local Fixed Disk  3                        

5 comments:

  1. If I boot into Linux, and use a tool like dislocker to open a bitlocker partition with the recovery key, I can mount the unlocked partition into a mount point, but ftkimager won't take an image, giving an error that the source "Is a directory". Any way to make it work like it does in Windows? Maybe a different way of mounting the unlocked partition?

    Replies
    1. If you are already using the dislocker tool, I'm going to assume you have the recovery key or UN/PW to decrypt the bitlocked container.

      I've never used dislocker before but after reviewing the documentation (https://github.com/Aorimn/dislocker#introduction-and-explanations), I would recommend that you use the dislocker-file binary to create a decrypted NTFS file representation of the entire bitlocker partition.

      Then I would use something like ewfacquire to create a logical image that contained the NTFS file. That would preserve the NTFS file system contained therein. Alternatively, you could use ewfacquire to logically acquire the directory and sub-directories where you've mounted the bitlocked partition but this would miss some forensic artifact under some circumstances.

      Of course, this is just a couple of ways to accomplish your goal. You may need to come up with an alternative method if your circumstances require something else.

  2. Hello! I have a problem with ftk imager command line. I'm working on Windows 10 64-bit. When I try to copy a logical drive using:

    "ftkimager.exe C:/ image.bin" I get the next error:

    "C:/: The system cannot find the path specified. (3). Filename = "C:\"

    I tried C:/ and C:\. I'm executing cmd as administrator. The only "fix" I found is using C: but then I get an image from the whole physical drive and not the logical volume. Do you know any fix to this? Or how can I make an image from a logical volume with ftkimager command line? Thank you for your time and blog.

    Replies
    1. Hikari, try just C: without / or \, using the WMIC logicaldisk get output as identified in the write up.

  3. Booting to a WinPE 64 bit USB, the FTK CLI will not run. This poses a problem for me, I need to boot to 64 bit to run Symantec Endpoint Encryption to unlock the drive. Right now my workaround is to fully decrypt the drive, then reboot to a 32 bit version of WinPE and run FTK CLI. This adds hours (if not a day) to the process.

    Any other options that will image a drive from the command line of a 64 bit boot USB?
