- Windows Forensics Cookbook
- Oleg Skulkin, Scar de Courcier
- 2021-07-02 20:57:43
Drive acquisition in E01 format with FTK Imager
FTK Imager is an imaging and data preview tool by AccessData. It allows an examiner not only to create forensic images in different formats, including RAW, SMART, E01, and AFF, but also to preview data sources in a forensically sound manner. In the first recipe of this chapter, we will show you how to create a forensic image of a hard drive from a Windows system in E01 format.
E01, or EnCase's Evidence File, is a standard format for forensic images in law enforcement. Such an image consists of three parts: a header with case information (acquisition date and time, examiner's name, acquisition notes, and an optional password), a bit-by-bit copy of the acquired drive (split into data blocks, each verified with its own CRC, or Cyclic Redundancy Check), and a footer with an MD5 hash of the bitstream.
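The following added example (not from the book, and not the real on-disk E01 layout) models the three parts described above to show how the two integrity checks complement each other: the per-block CRC localizes damage, while the footer MD5 vouches for the whole bitstream. The block size, the dictionary field names, and the use of zlib's CRC-32 as the per-block check are assumptions made for illustration.

```python
import hashlib
import zlib

BLOCK_SIZE = 32 * 1024  # assumed block size for this model, not taken from the page


def build_image(bitstream, case_info, block_size=BLOCK_SIZE):
    """Pack a bitstream into a header / CRC-checked blocks / MD5 footer model."""
    blocks = []
    for off in range(0, len(bitstream), block_size):
        data = bitstream[off:off + block_size]
        blocks.append({"data": data, "crc": zlib.crc32(data)})
    return {
        "header": dict(case_info),
        "blocks": blocks,
        "footer": {"md5": hashlib.md5(bitstream).hexdigest()},
    }


def verify_image(image):
    """Return (indexes of blocks whose CRC fails, whether the footer MD5 matches)."""
    bad_blocks = []
    md5 = hashlib.md5()
    for index, block in enumerate(image["blocks"]):
        if zlib.crc32(block["data"]) != block["crc"]:
            bad_blocks.append(index)
        md5.update(block["data"])
    return bad_blocks, md5.hexdigest() == image["footer"]["md5"]


def demo():
    # Constructed sample: 100 KiB of patterned bytes standing in for a drive.
    drive = bytes(range(256)) * 400
    image = build_image(drive, {"examiner": "J. Doe (constructed)", "notes": "sample"})
    clean = verify_image(image)
    # Simulate storage corruption after acquisition: flip one bit inside block 2.
    damaged = bytearray(image["blocks"][2]["data"])
    damaged[10] ^= 0x01
    image["blocks"][2]["data"] = bytes(damaged)
    return clean, verify_image(image)


if __name__ == "__main__":
    print(demo())
```

A single flipped bit fails both checks, but only the block CRC tells the examiner which part of the image is affected.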