# DFIR FTK Imager

## FTK Image Create

1. **Select source**

<figure><img src="https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FhHvytsbCgRE8q6jMG03U%2Fimage.png?alt=media&#x26;token=29860724-5eca-4495-977f-a979b8b99890" alt=""><figcaption></figcaption></figure>

2. **Select Drive**
3. **Create Image**
4. **Select Image Type**

<figure><img src="https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FEITHm1iSD4hwjdLXLN5C%2Fimage.png?alt=media&#x26;token=fe592f88-98a2-46bf-8ef6-a80d2489287f" alt=""><figcaption></figcaption></figure>

5. **Define the segment size, or set it to "0" to create a single raw image.**

   <figure><img src="https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2Fc02BkkgEdboq6AYQKi8o%2Fimage.png?alt=media&#x26;token=846a3e37-d387-4609-829f-5d267637bfc9" alt=""><figcaption></figcaption></figure>

## Convert segments into a single raw file (dd)

```
copy /b filesprefix.* single.raw
```

The "**/b**" parameter means **binary**: the segments are concatenated byte for byte.
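The same reassembly with an integrity check, as an added example that is not part of the original notes: it joins the segments in numeric order, skips any other file sharing the prefix (for instance a text summary next to the image), and returns MD5 and SHA1 of the merged image for comparison with the hashes recorded at acquisition. The function names and the `prefix.NNN` naming starting at 001 are assumptions of this sketch.

```python
import hashlib
import re
from pathlib import Path

CHUNK = 1024 * 1024  # stream 1 MiB at a time so large images never sit in memory


def find_segments(directory, prefix):
    """Return prefix.<digits> files sorted by numeric suffix (not by name)."""
    pattern = re.compile(re.escape(prefix) + r"\.(\d+)")
    found = {}
    for path in Path(directory).iterdir():
        match = pattern.fullmatch(path.name)  # rejects e.g. prefix.001.txt
        if match and path.is_file():
            found[int(match.group(1))] = path
    if not found:
        raise FileNotFoundError(f"no segments named {prefix}.NNN in {directory}")
    # Assumption: numbering starts at 1. A hole means a segment is missing,
    # so refuse to build a silently truncated image.
    missing = sorted(set(range(1, max(found) + 1)) - set(found))
    if missing:
        raise ValueError(f"missing segment numbers: {missing}")
    return [found[n] for n in sorted(found)]


def merge_segments(directory, prefix, output):
    """Concatenate the segments into `output`; return (md5, sha1, size)."""
    segments = find_segments(directory, prefix)  # validate before creating output
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(output, "wb") as out:
        for segment in segments:
            with open(segment, "rb") as src:
                while chunk := src.read(CHUNK):
                    out.write(chunk)
                    md5.update(chunk)
                    sha1.update(chunk)
                    size += len(chunk)
    return md5.hexdigest(), sha1.hexdigest(), size


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): python merge_segments.py <dir> <prefix> <output>
    directory, prefix, output = sys.argv[1:4]
    md5, sha1, size = merge_segments(directory, prefix, output)
    print(f"{output}: {size} bytes\nMD5  {md5}\nSHA1 {sha1}")
```

If the printed hashes differ from the ones logged at acquisition, the merged file is not a faithful copy and should not be used as the working image.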

## Convert from E01 files into a single RAW file

```
ewfexport -t xxx.raw -f raw disco_1.E01
```

## Convert from VMDK into RAW format with qemu

```
qemu-img convert xxxxx-flat.vmdk xxxxx.raw
```

## Convert from RAW format into VDI (VirtualBox)

```
VBoxManage convertdd xxxx.raw xxxx.vdi
```

## Change SAM Password to boot machines

### kon-bootCD-2.7.iso

{% file src="<https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FBOPx1q6lPJj3atP3yNdf%2Fkon-bootCD-2.7.iso?alt=media&token=02ec0e74-f88b-4fc7-83b1-d4fe5d93fdc8>" %}

### cd140201.iso

{% file src="<https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2F4JtJvITis4UDQ6RYLeqN%2Fcd140201.zip?alt=media&token=1a1e5eb4-b24e-48f2-b504-b38a89137366>" %}

### Hiren's Boot

<figure><img src="https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FQHHaPJqCOXrN2Gt34pPO%2Fimage.png?alt=media&#x26;token=839ed54e-255a-4fc5-b844-a4c1e2a24856" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.hirensbootcd.org/>" %}

### Can't log in after patching the SAM?

If you can't change the SAM file or the login doesn't work, you can simply create an ISO file with the needed tools (e.g. a Velociraptor collector) and execute it locally with Hiren's Boot.

```
mkisofs -o output.iso input_directory
```

Attach the ISO file to the VM's CD drive in VirtualBox.

After that, use **dissect-shell** to dump the resulting .zip file with all the artifacts.
