Welcome back, everyone. Today, we're going to be talking about using FTK Imager from the command line to verify or create a hash value for a physical disk drive. Okay. So we're using FTK Imager command line. And I've already downloaded FTK Imager command line from the AccessData website. And I'll put a link below. And I've already extracted it; it just comes in kind of like a zip file. So I've already extracted FTK Imager command line. And I've copied the files into C drive, Program Files, FTK Imager. Now I'm imagining that this virtual machine is my forensic workstation. So I'm going to kind of install this command line program. So I've copied the files into C, Program Files, FTK Imager.

And so now we need to tell the computer where FTK Imager is located. Okay. So we do that by going to the Start menu. Just click on the Start menu in Windows 10 and start typing "path". Okay. Whenever you type "path", you'll get the best match, "Edit the system environment variables". So click on that. And then the System Properties window should pop up. You'll have the Advanced tab. And then you'll see this Environment Variables button. So go ahead and click the Environment Variables button. And you should see a couple of user variables for whatever the login name is. Okay. So we need to select Path. You should see the Path variable. So click on that and click Edit. And then you'll see a list of all of the variables that are currently in your path.

Now, most likely if you've just installed the FTK Imager command line version, then you won't see C drive, Program Files, FTK Imager. So we need to add that. So what you can do is go to the folder where FTK Imager is, select all of the path, right click and copy. And then go find the next empty space and double click. And whenever you double click, you saw that it turned blue here. You can just paste the path into that new empty space. I already have it. So I'm not going to do it here.
And then what you should see is basically the location of your binaries; the folder that they're in should just be added to your path. So I have C, Program Files, FTK Imager. Now we're basically telling the computer, whenever I type a command, you can also look in here for different programs that I have installed. Okay. So this is how you can install one location for the computer to look in. I usually put a lot of utilities in one folder and set up my environment variables. So then just click OK, OK, OK. And then I can go ahead and close this now.

So next we want to open the command line. So today I'm going to be using Windows PowerShell. So again, we click on the Start menu. Just start typing Windows PowerShell, P-O-W-E-R-S-H-E-L-L. And it has this little greater-than sign. Kind of purpley. Whenever you see that in the Start menu, right click, not left click, but right click on that and Run as administrator. So right click on the icon and Run as administrator. It'll ask, do you want to allow PowerShell to make changes to your device? We say yes. Now the reason we have to run this as administrator is because we're trying to access the physical disks in the system. And when we access physical disks, we need administrator privileges. Okay.

So I'm on a system with Korean installed on it. So instead of slashes, you'll have this W sign. So don't be confused. If it looks a little bit different, most likely you have slashes. I have the one symbol. So if you see a W on mine, just think slash on your computer. Okay.

So now what we can do, since we've added FTK Imager to our path, we should be able to run ftkimager --help. That's ftkimager and then two dashes, or two minus signs, help. Okay. If we hit enter, it might take a second, but then it should show the help menu. If you do not see the help menu, if it says that it can't find the tool ftkimager, then most likely you have not set the path properly. So go back and set your path. Okay.
So we can see here that the help menu did work. And in this help menu, you can see there's a lot of different things that FTK Imager command line can do. We are going to focus on list drives and verify. We want to show detected physical drives, and hash or verify the destination image, or the source image if no destination is specified. Okay. So we're going to use list drives and verify. Okay.

So going back down in System32. So now we can do ftkimager. ftkimager is our tool. Then we want dash dash list drives. Was it disks or drives? I think it was drives. Yeah, drives. List drives. So that should hopefully list our drives. You can see here I have physical drive zero, which is the system disk, and it's a 53 gig VBox hard disk. Okay. So this is basically the hard drive that Windows is installed on. And then there's physical drive one. It's a USB 2.0 USB device, 4 gigabytes. Okay. So we want to hash or verify physical drive one. Now again, because I'm on a Korean system, I have these W's; you will probably have slashes. So it'll be slash slash period slash PhysicalDrive1, or it might be another character, but basically, this just means the physical drive device. Okay.

So a little bit about, let me check here. So we can see that I have the USB 2.0 connected. So if you haven't already connected your physical device, you want to make sure that you're using a hardware write blocker if you have one, or at minimum a software write blocker, before you connect the device to your system. So go ahead now, if you haven't, and connect your physical device, hopefully using some sort of write blocking hardware or software. Okay.

Okay. So now we can type ftkimager. And then we want to verify, because even if we don't have a hash value for the physical disk yet, we can still verify it to generate the hash value. Okay. So ftkimager dash dash verify. And then I want to give it the physical device, physical drive one. So I'm going to verify physical drive one.
I don't have the hash value yet. So whatever hash value I get will be, I guess, the first one. So here it says we're using AccessData FTK Imager 3, version 3.1.1, which, if you know, it's quite old, right, so August 2012, AccessData Corp, yep, this licensing information, and then it just says "verifying image", and now it's going through and hashing all of the USB stick. And whenever it's finished I will come back.

Okay, we're back. And after verifying the image, image verification complete. Because we didn't actually have any other files or any other image data, we didn't have the hash values from this disk. They computed these hashes, and now we have the hash for MD5 and SHA-1. I'm not sure, but I don't think we can actually give it the flag to calculate other types of hashes yet. I'm pretty sure it is too old. Yeah, I don't think we can calculate any other hashes yet. Maybe if they ever come out with a new version, they'll include maybe SHA-256 or something like that, but for now we have MD5 and SHA-1. So that's how you use FTK Imager from the command line to calculate hashes for a physical disk image. Thank you very much.
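
The steps walked through above, collected into one script that also saves the tool's output for case notes. This is an added example, not something shown in the video. It assumes the folder spelling C:\Program Files\FTK Imager, the drive \\.\PHYSICALDRIVE1 from the walkthrough, a hypothetical notes folder C:\Cases\demo, and that the drive listing prints each device path as seen on screen.

```powershell
# Added example: run from an elevated Windows PowerShell session.
# Assumed values: adjust to your workstation and case.
$ToolDir = 'C:\Program Files\FTK Imager'   # assumed spelling of the folder from the video
$Drive   = '\\.\PHYSICALDRIVE1'            # the USB stick in the walkthrough
$LogDir  = 'C:\Cases\demo'                 # hypothetical case-notes folder

# Raw access to physical disks needs administrator rights.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with "Run as administrator" first.'
}

# If the tool is not on PATH yet, add its folder for this session only.
if (-not (Get-Command ftkimager -ErrorAction SilentlyContinue)) {
    $env:Path += ";$ToolDir"
}
$tool = Get-Command ftkimager -ErrorAction Stop

# One timestamped log per run, kept with the case notes.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ('verify_{0:yyyyMMdd_HHmmss}.txt' -f (Get-Date))
"Tool:  $($tool.Source)" | Tee-Object -FilePath $log
"Drive: $Drive"          | Tee-Object -FilePath $log -Append

# List the detected drives and refuse to continue if the target is not among them.
# ForEach-Object { "$_" } turns any stderr records into plain text lines.
$list = & ftkimager --list-drives 2>&1 | ForEach-Object { "$_" }
$list | Tee-Object -FilePath $log -Append
if (-not ($list | Select-String -SimpleMatch $Drive)) {
    throw "$Drive is not in the drive list; check the connection and write blocker."
}

# With no stored hash to compare against, --verify computes and prints the hashes.
& ftkimager --verify $Drive 2>&1 | ForEach-Object { "$_" } |
    Tee-Object -FilePath $log -Append

"Output saved to $log"
```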