FTK Imager



sjc502

New Member
Jul 17, 2019
#1
I am relatively new to digital forensics and I am having problems obtaining an image of a laptop. I have FTK Imager and a laptop that needs imaging. However, we do not have the Windows password for it. I do however have access to the BitLocker password to decrypt it if necessary.

However, I am not able to obtain an image of the computer at this time. The FTK Imager manual and guide show you how to do it from Windows but not when you don't actually have the password in the first place.

Is anyone able to advise how I am able to image the computer without a Windows password?

Thank you,
 

kalinko

New Member
Oct 27, 2018
Germany
bebinary4n6.blogspot.com
Twitter
https://twitter.com/inko6nito
#2
Hey sjc502,

Just short: When I read your post/question I understand it in the following way: You want to boot this laptop, log in (if you had the password) and then create an image of the disk. Please don't do it this way. The moment you boot the system you change data. The moment you log in to the system you change even more data. And you, as far as I know (never tested it), would not be able to create a full physical copy of the system disk when the system is active. If I understood your post wrong then never mind.

Now to your question (for imaging it is not important if there is BitLocker enabled or not):

1. Remove the Hard Disk from the machine (in your case from the laptop). Because you are relatively new to the field I just want to mention: Make pictures of the Laptop and the Hard Disk! Documentation is very important!
2. Attach this Hard Disk WRITE_BLOCKED to a PC where FTK Imager is installed or can be run.
3. Create the image of the hard disk like explained in the manual of the FTK Imager.

After that you'll have an image of the hard disk from the laptop.

PS: If the laptop doesn't have a removable disk (this means it does not have an SSD, HD or NVMe) or you are not able to remove the disk, you would need to boot a Live-System like Windows FE or a Linux-based solution like e.g. Paladin or CAINE from USB. But I think that's another topic.
 

sjc502

New Member
Jul 17, 2019
#3
Thank you for your response.

I am not trying to get into the computer using the subject's password. I want to avoid that! I want to do it without removing the hard drive but from what you are saying, that is not possible.

I will look at getting the hard drive removed.

Thanks for your assistance.
 

kalinko

New Member
Oct 27, 2018
#4
Okay, understood.

"I want to do it without removing the hard drive"
I also gave you an answer for this:
"you would need to boot a Live-System like Windows FE or a Linux-based solution like e.g. Paladin or CAINE from USB."

You can go this way without removing the disk.
 

Lids

Member
Experienced Member
Oct 23, 2018
#5
Completely agree with @kalinko's solution - preferred course of imaging is physical removal; however, if not possible (missing adapters - e.g. for the M.2 SSD drives - covert collection, etc.) then boot from USB - may require some BIOS settings to be changed to disable SecureBoot and UEFI - into Paladin, Raptor, Helix, CAINE, etc. and perform a full physical image from this.
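
The live-USB route discussed in this thread, as an added example that is not part of any poster's reply and not the tooling of FTK Imager or of any distribution named above: a shell function that takes a raw physical image and verifies it. It assumes a Linux live environment with `dd`, `sha256sum` and `blockdev`; the function names, the log format, and the hash and size checks are assumptions of this example, not steps stated in the thread.

```shell
#!/bin/sh
# Added example. acquire_image and its log format are hypothetical names,
# not taken from any tool mentioned in the thread.

# Size in bytes of a block device, or of a regular file (used for testing).
source_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# acquire_image SRC DEST: writes DEST and DEST.log, prints the SHA-256.
acquire_image() {
    src=$1
    dest=$2
    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 1; }
    # Never overwrite an existing evidence file.
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    # Software write protection for real devices; a hardware write
    # blocker remains the preferred control when the disk can be removed.
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 1
    fi
    expected=$(source_size "$src") || return 1
    # Hash the stream while it is written, so the source is read only once.
    acq_hash=$(dd if="$src" bs=1048576 2>/dev/null | tee "$dest" | sha256sum | cut -d' ' -f1)
    # Re-read the finished image; a size check catches a truncated copy.
    img_hash=$(sha256sum < "$dest" | cut -d' ' -f1)
    img_size=$(wc -c < "$dest" | tr -d ' ')
    if [ "$img_size" != "$expected" ] || [ "$acq_hash" != "$img_hash" ]; then
        echo "verification FAILED for $dest" >&2
        return 1
    fi
    chmod a-w "$dest"
    printf 'source=%s\nbytes=%s\nsha256=%s\n' "$src" "$img_size" "$img_hash" > "$dest.log"
    echo "$img_hash"
}

# Stand-alone use: sh acquire.sh SRC DEST
if [ "$#" -eq 2 ]; then acquire_image "$1" "$2"; fi
```

Write the image to separate evidence storage, never to the source disk. On a BitLocker-protected disk the raw image contains the volume in its encrypted state.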
 