- Windows Forensics Cookbook
- Oleg Skulkin, Scar de Courcier
- 2021-07-02 20:57:43
Drive acquisition in E01 format with FTK Imager
FTK Imager is an imaging and data preview tool by AccessData. It allows an examiner not only to create forensic images in different formats, including RAW, SMART, E01, and AFF, but also to preview data sources in a forensically sound manner. In the first recipe of this chapter, we will show you how to create a forensic image of a hard drive from a Windows system in E01 format.
E01, or EnCase's Evidence File, is a standard format for forensic images in law enforcement. Such images consist of a header with case info, including acquisition date and time, examiner's name, acquisition notes, and an optional password; a bit-by-bit copy of the acquired drive (made up of data blocks, each verified with its own CRC, or Cyclic Redundancy Check); and a footer with an MD5 hash of the bitstream.
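The three-part structure described above can be modelled in a few lines to show why it carries both checks: the per-block CRC localizes damage to a block, while the footer MD5 vouches for the whole bitstream. This is an added example, not code from the book and not the real E01 on-disk layout; the container layout, the field names, the block size and the use of zlib's CRC-32 are all assumptions made for illustration.

```python
import hashlib
import json
import struct
import zlib

BLOCK_SIZE = 32 * 1024  # assumed block size for this model (64 sectors of 512 bytes)

def write_image(raw: bytes, case_info: dict) -> bytes:
    """Header (case info), then length + data + CRC-32 per block, then an MD5 footer."""
    header = json.dumps(case_info).encode()
    blocks = [raw[i:i + BLOCK_SIZE] for i in range(0, len(raw), BLOCK_SIZE)]
    parts = [struct.pack("<I", len(header)), header, struct.pack("<I", len(blocks))]
    for block in blocks:
        parts += [struct.pack("<I", len(block)), block,
                  struct.pack("<I", zlib.crc32(block))]
    parts.append(hashlib.md5(raw).digest())  # footer: hash of the whole bitstream
    return b"".join(parts)

def verify_image(image: bytes) -> dict:
    """Re-check every block CRC and the footer MD5; report which blocks fail."""
    pos = 0

    def take(size: int) -> bytes:
        nonlocal pos
        chunk = image[pos:pos + size]
        if len(chunk) != size:
            raise ValueError(f"image truncated at offset {pos}")
        pos += size
        return chunk

    def take_u32() -> int:
        return struct.unpack("<I", take(4))[0]

    case_info = json.loads(take(take_u32()))
    md5, bad_blocks = hashlib.md5(), []
    for index in range(take_u32()):
        block = take(take_u32())
        if zlib.crc32(block) != take_u32():
            bad_blocks.append(index)  # damage is localized to this block
        md5.update(block)
    return {"case_info": case_info, "bad_blocks": bad_blocks,
            "md5_ok": md5.digest() == take(16)}

if __name__ == "__main__":
    raw = bytes(100_000)  # constructed sample "drive": 100,000 zero bytes
    image = write_image(raw, {"examiner": "J. Doe", "notes": "constructed sample"})
    print(verify_image(image))
```

A single flipped byte in the stored data makes `verify_image` list the affected block index and report the MD5 as not matching, which is the behaviour an examiner relies on when re-verifying an image after transfer or storage.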