Forensic Acquisition in Windows - FTK Imager
- Published on 2 Oct 2024
- In this video we will use FTK Imager to create a physical disk image of a suspect drive connected to our forensic workstation via a write blocker. FTK Imager is a GUI tool for copying various types of data for forensic acquisition purposes.
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing. - Science and Technology
Well done! Thank you for such a detailed demonstration.
You're very welcome!
This is so helpful, and a clear, detailed explanation, thank you so much
Glad it was helpful!
Well that's a really clear explanation, thank you.
I have an assessment due tonight and this helped me a lot. Thank you so much
Glad it helped!
Hey, I am struggling to do the image thing where it's downloading, but it's taking too much of the space and later saying failure. This is for an assignment. I don't know why it's taking 1 million MB or KB and failing the process, so could you explain, please?
I can't stress enough how much this has helped for my upcoming assignment, prime content my friend, thank you...
Glad to hear it. Let me know if you need videos on any other topics!
I hope you can answer my question, I chose logical drive and the disk image created is an unzippable zip file, and not in .001 format, is this normal?
When I tried to unzip it, it says format not recognized/file damaged, and the second error there says 0 archive.
Thank you, great walk through.
I want to file something from an E01 image file. How can I do that? Please, any info?
When I was creating an image for file types it created a WinRAR file for 001-2016, but after that it was 002, 003, etc. Why is that?
Disk images can be split into parts. We do this so we do not have to have one very large file to work with and manage. The first part is often .001. The second part is .002, etc. The order is VERY important to ensure you put the image back together properly.
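Added example (not part of the original video or replies): one way to hash a split raw image as a single stream, in the correct part order, without rejoining the parts on disk. The `image.00N` file names, the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches "name.001", "name.002", ... (numeric extension of 3+ digits).
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<num>\d{3,})$")

def ordered_segments(first_segment):
    """Return all parts of a split raw image in numeric order, refusing gaps."""
    first = Path(first_segment)
    match = SEGMENT_RE.match(first.name)
    if not match:
        raise ValueError(f"{first.name} has no numeric segment extension")
    parts = {}
    for path in first.parent.iterdir():
        m = SEGMENT_RE.match(path.name)
        if m and m.group("base") == match.group("base") and path.is_file():
            parts[int(m.group("num"))] = path
    numbers = sorted(parts)  # numeric sort, so .1000 follows .999
    if not numbers or numbers != list(range(1, numbers[-1] + 1)):
        missing = sorted(set(range(1, (numbers or [1])[-1] + 1)) - set(numbers))
        raise FileNotFoundError(f"missing segment number(s): {missing}")
    return [parts[n] for n in numbers]

def hash_split_image(first_segment, algorithm="sha256", chunk_size=1 << 20):
    """Hash the segments as one continuous stream, as if they were rejoined."""
    digest = hashlib.new(algorithm)
    for part in ordered_segments(first_segment):
        with part.open("rb") as fh:
            while chunk := fh.read(chunk_size):
                digest.update(chunk)
    return digest.hexdigest()

def demo(drop=None):
    """Constructed sample: 10 bytes split into image.001..003; drop omits one part."""
    data = b"0123456789"
    with tempfile.TemporaryDirectory() as tmp:
        for i, start in enumerate(range(0, len(data), 4), start=1):
            if i != drop:
                Path(tmp, f"image.{i:03d}").write_bytes(data[start:start + 4])
        expected = hashlib.sha256(data).hexdigest()
        return expected, hash_split_image(Path(tmp, "image.001"))

if __name__ == "__main__":
    print(demo())
```

Compare the returned digest with the hash recorded when the image was acquired. A missing final part leaves the numbering contiguous, so only that comparison reveals it.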
Interesting video, I have just one doubt: mounting the USB disk in Windows may cause the system itself to compromise the integrity of the content because of antivirus activity, for instance, which can write or delete files without notifying you. Is there a way to create an image without mounting the USB disk volumes? Thank you
Yes, you do not need to mount a drive to image it. When you plug a disk (or USB stick) into Windows, any partitions whose file system Windows recognizes will be mounted automatically. You can disable Windows automount from the command line with *diskpart -> automount disable*
BUT it is much safer (and standard practice) to use a hardware write blocker.
th-cam.com/video/7eT8KSHMGFw/w-d-xo.html
Tsurugi Linux also uses kernel-level software write blocking that works very well: tsurugi-linux.org
What write blocker did/do you use?
Hi, how do I acquire a disk (virtual) image of a virtual machine running using VMware Workstation? Can I use FTK Imager - Create Disk Image -> Physical Drive? Thank you.
I have an iPod shuffle 1st generation. Physically there is no damage to it, but it does not power on when plugged into a charger or a USB port on a PC. Is there any way for me to recover the songs from the iPod shuffle even though the computer does not recognize it since it does not power on? Please help, any info would be greatly appreciated
I am using Active@ to open the images but it just doesn't work. Can I not have just one .dd file image as opposed to so many 001 files?
Yeah. You could just use one raw disk (dd) image instead of a multi-part image. However, most raw images are very big, so it's normal to split them. Either will work.
I would like to have this data USB, can I?
That was brilliant. Thanks men
Thank you for this thorough walk through!
Why are you choosing the ftk imager software ?
Because it works well, it does quite a lot with just a few options, and it's free. I tend to use Guymager in Linux more often, but if you want a tool that can do great imaging and some basic analysis, FTK Imager is very nice.
Think you explained half a year of education, really good!
Hello bro, good job, thx :)
Man's voice is so smooth. What mic are you using?
That was a Sony ecm-ms907 with a generic pre-amp. Noise reduction with Audacity (www.audacityteam.org/). I think you can get the same or better quality with a Rode NT-USB (amzn.to/3b3pjQk) without the pre-amp and doesn't require a battery!
Thanks for this informative video.
I am trying to prepare an image from a 10 MB logical drive but FTK Imager is asking for around 95 GB of free storage space.
Why is such large memory space required?
Thanks in anticipation of your response....
The only thing I can think is that you have a 10MB partition, but you are selecting physical disk imaging so it will get the whole 95GB disk. You want a logical disk/partition image it seems.
I need your help in one of my MicroMasters courses, please answer me
What's up?
Extremely easy
Great Video, great explanation, thank you so much !!!
Thank you
Thank you so much for sharing, I really need this!
Hey how do I open and read the copy?
Once you create a disk image it is an "exact copy" of the original. You will need to use a program like Autopsy to view the disk contents - www.autopsy.com/
This is so helpful and well explained.
Sir, how do we open the images that we have created?
Once you create a disk image you can use disk management tools to do whatever you need. For forensics, one of the easiest ways to analyze the disk for free is with Autopsy: www.autopsy.com/download/
Thanks very much
Thanks a lot....
Neatly done.