Create FTKImager.yaml (Velocidex#18)

content/exchange/artifacts/FTKImager.yaml

@@ -0,0 +1,47 @@
+name: Windows.Applications.FTKImager
+description: |
+    Create an E01 Image of the C drive using FTK Imager (Command Line Version)
+    
+    SourceDriveToImage usually will be 0 (as in \\.\PHYSICALDRIVE0) for the C: drive, on a Windows system.
+    
+    If you intend to image the secondary drive, use, for example, SourceDriveToImage = 1, for \\.\PHYSICALDRIVE1
+
+author: Eduardo Mattos - @eduardfir
+
+reference:
+  - https://accessdata.com/products-services/forensic-toolkit-ftk/ftkimager
+
+type: CLIENT
+
+tools:
+  - name: FTKImager
+    url: https://ad-zip.s3.amazonaws.com/FTKImager.3.1.1_win32.zip
+
+precondition: SELECT OS From info() where OS = 'windows'
+
+parameters:
+  - name: SourceDriveToImage
+    default: "0"
+
+  - name: OutputPath
+    default: "D:\\E01"
+
+sources:
+  - query: |
+      -- get context on target binary
+      LET bin <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
+                    ToolName="FTKImager")
+
+      LET tmpdir <= tempdir()
+
+      LET zip_file <= SELECT *
+                        FROM unzip(filename=bin[0].FullPath,
+                        output_directory=tmpdir)
+                        WHERE OriginalPath =~ "ftkimager.exe"
+
+      -- execute payload
+        SELECT Stdout, Stderr
+        FROM execve(argv=[
+            zip_file.NewPath[0],
+            "\\\\.\\PHYSICALDRIVE" + SourceDriveToImage,
+            OutputPath])