DFIR FTK Imager

FTK Image Create

  1. Select source

  2. Select Drive

  3. Create Image

  4. Select Image Type

  5. Define the segment size, or set it to "0" to create a single raw image.

Convert segments into a single raw file (dd)

copy /b filesprefix.* single.raw

The "/b" switch tells copy to treat the files as binary.
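
The joined file only matches the original acquisition if every segment is present and appended in numeric order. The following is an added example, not part of the original page: it checks for gaps, joins the segments in numeric order, and returns the MD5/SHA1 of the result to compare with the hashes recorded at acquisition. It assumes segments named prefix.001, prefix.002, ... starting at 001; the function names are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# Assumption: segments carry a purely numeric extension (.001, .002, ...).
SEGMENT_RE = re.compile(r"\.(\d{3,})$")


def find_segments(directory, prefix):
    """Return segment paths sorted numerically; raise if the sequence has a gap."""
    found = {}
    for path in Path(directory).iterdir():
        m = SEGMENT_RE.search(path.name)
        if path.is_file() and m and path.name[:m.start()] == prefix:
            found[int(m.group(1))] = path
    if not found:
        raise FileNotFoundError(f"no segments named {prefix}.NNN in {directory}")
    expected = range(1, max(found) + 1)
    missing = [n for n in expected if n not in found]
    if missing:
        # A missing middle segment would silently shift every later offset.
        raise ValueError(f"missing segment numbers: {missing}")
    return [found[n] for n in expected]


def join_segments(directory, prefix, output, chunk=1 << 20):
    """Concatenate segments into `output`, hashing the stream as it is written."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    with open(output, "wb") as out:
        for seg in find_segments(directory, prefix):
            with open(seg, "rb") as src:
                while block := src.read(chunk):
                    out.write(block)
                    md5.update(block)
                    sha1.update(block)
                    total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


if __name__ == "__main__":
    import sys
    # Usage: python join_segments.py <directory> <prefix> <output.raw>
    print(join_segments(sys.argv[1], sys.argv[2], sys.argv[3]))
```

If the returned hashes differ from the ones recorded when the image was created, do not work from the joined file.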

Convert from E01 files into single RAW file

ewfexport -t xxx.raw -f raw disco_1.E01

Convert from VMDK into RAW format with qemu

qemu-img convert xxxxx-flat.vmdk xxxxx.raw

Convert from RAW format into VDI (VirtualBox)

VBoxManage convertdd xxxx.raw xxxx.vdi

Change SAM Password to boot machines

kon-bootCD-2.7.iso

cd140201.iso

Hiren's Boot

Can't log in after patching the SAM?

If you can't change the SAM file or the login doesn't work, you can simply create an ISO file with the needed tools (e.g. the Velociraptor collector) and execute it locally with Hiren's Boot.

mkisofs -o output.iso input_directory

Attach the ISO file as a CD drive in VirtualBox.

After that, use dissect-shell to dump the output .zip file containing all the artifacts.
