DFIR FTK Imager

FTK Image Create

Select source

Select Drive
Create Image
Select Image Type

Define the length of the segments or set it as "0" to create a single raw image.

Convert segments into a single raw file (dd)

copy /b filesprefix.* single.raw

The "/b" parameter means: binary.

Convert from E01 files into single RAW file

ewfexport -t xxx.raw -f raw disco_1.E01

Convert from VMDK into RAW format with qemu

qemu-img convert xxxxx-flat.vmdk xxxxx.raw

Convert from RAW format into VDI (VirtualBox)

VBoxManage convertdd xxxx.raw xxxx.vdi

Change SAM Password to boot machines

kon-bootCD-2.7.iso

cd140201.iso

Hirens' Boot

If you can't change the SAM file or the login doesn't work, you can simply create a ISO file with the needed tools (e.g.: velociraptor collector) and execute it locally with Hiron's Boot.

mkisofs -o output.iso input_directory

Add the iso file via CD drive on virtualbox.

Use the dissect-shell after that to dump the outputed .zip file with all the artifacts .

PreviousResources NextConvert IP Range into CIDR

Last updated 4 months ago

Was this helpful?

FTK Image Create

Convert segments into a single raw file (dd)

Convert from E01 files into single RAW file

Convert from VMDK into RAW format with qemu

Convert from RAW format into VDI (VirtualBox)

Change SAM Password to boot machines

kon-bootCD-2.7.iso

cd140201.iso

Hirens' Boot

Can not you login after patch the SAM?

FTK Image Create

Convert segments into a single raw file (dd)

Convert from E01 files into single RAW file

Convert from VMDK into RAW format with qemu

Convert from RAW format into VDI (VirtualBox)

Change SAM Password to boot machines

kon-bootCD-2.7.iso

cd140201.iso

Hirens' Boot

Can not you login after patch the SAM?