Create an E01 Image of the C drive using FTK Imager (Command Line Version)
SourceDriveToImage usually will be 0 (as in \.\PHYSICALDRIVE0) for the C: drive, on a Windows system.
If you intend to image the secondary drive, use, for example, SourceDriveToImage = 1, for \.\PHYSICALDRIVE1
name: Windows.Applications.FTKImager
description: |
Create an E01 Image of the C drive using FTK Imager (Command Line
Version)
SourceDriveToImage usually will be 0 (as in \\.\PHYSICALDRIVE0)
for the C: drive, on a Windows system.
If you intend to image the secondary drive, use, for example,
SourceDriveToImage = 1, for \\.\PHYSICALDRIVE1
author: Eduardo Mattos - @eduardfir
reference:
- https://accessdata.com/products-services/forensic-toolkit-ftk/ftkimager
type: CLIENT
tools:
- name: FTKImager
url: https://ad-zip.s3.amazonaws.com/FTKImager.3.1.1_win32.zip
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: SourceDriveToImage
default: "0"
- name: OutputPath
default: "D:\\E01"
sources:
- query: |
-- get context on target binary
LET bin <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
ToolName="FTKImager")
LET tmpdir <= tempdir()
LET zip_file <= SELECT *
FROM unzip(filename=bin[0].FullPath,
output_directory=tmpdir)
WHERE OriginalPath =~ "ftkimager.exe"
-- execute payload
SELECT Stdout, Stderr
FROM execve(argv=[
zip_file.NewPath[0],
"\\\\.\\PHYSICALDRIVE" + SourceDriveToImage,
OutputPath])