Workshop Protocol Introduction To FTK - Anthony Vance

gasowner, Data Management, 31 Jan 2013, 1,577 views


Workshop Protocol
Introduction To FTK

Anthony Vance
Richard Baskerville

Acknowledgement: Parts of this protocol are based on Quick Start Training Manual for Education Distribution, revision 4.0, Copyright 2003 Guidance Software.

Version 2.2
January 18, 2012





Creating a Case

Copying Evidence Files

1. Log on to your lab computer as Labuser and open VirtualBox. Start up the Forensics VM. This semester you will use VirtualBox to run the forensics tools and analyze evidence.

2. On your VM (note: all of the following instructions refer to your forensics VM, not the lab workstation), create the following directory structure:

C:\Users\Forensics\Cases\Workshop\Evidence

3. Go to http://anthonyvance.com/forensics/files and download FTK_Tutorial_files.zip. Unzip the archive and copy the following evidence files into the Evidence folder:

a. EnCaseWrkShp4E.E01
b. EnCaseWrkShp4E.E01.txt

EnCaseWrkshp4E.E01 is an EnCase evidence file created from a USB thumbstick drive using the FTK Imager available on the Helix CD. This imager records hash verification information in the file EnCaseWrkshp4E.E01.txt. Because the file includes case information and block CRC codes, a simple hash of the evidence file, taken outside of the EnCase utilities, will NOT produce a matching hash. The hash for EnCase evidence files can only be calculated by a forensic tool that can read the EnCase evidence file, like EnCase or FTK.

Figure 1. Imaging record accompanying evidence file.

Case Management

Before starting an investigation and acquiring media, consider how to access the case once it has been created. It may be necessary for more than one investigator to view the information simultaneously. FTK's PostgreSQL database allows multiple concurrent users to access the same evidence information. However, if each workstation has its own instance of the FTK database, evidence files should be placed on a central file server and copies of the case file should be used on each investigator's computer.

One way of organizing cases is to create a folder for each case and place the case file and evidence files associated with that case in that folder. The reports and evidence copies may be placed in the same folder or in subfolders.

Forensic best practice calls for examiners to use a second hard drive, or at least a second partition on the boot hard drive, for the acquisition and examination of digital evidence. It is preferable to wipe an entire drive or partition, rather than individual folders, to ensure all of the temporary, suspect-related data is destroyed. This will aid in deflecting any claims of cross-contamination by the opposing counsel if the forensic hard drive is used in other cases.

1. Start FTK from the link on the desktop. After the splash screen disappears, you will be presented with a login dialog box in order to access the Case Management window.

a. Username: Forensics
b. Password: Password1

2. Select Case…New. The New Case Options dialog box will appear. In the Case Name field, enter Workshop. Leave the other fields blank. Choose the Workshop folder you set up previously for the Case Folder Directory field.

Figure 1. Creating a new case.

Figure 2. New Case options.

After entry, click OK.

Adding Evidence Files

In preparation for the acquisition of evidence, devices (such as forensic images, local drives, cell phones, etc.) must be added to the case.

1. After clicking OK from the previous step, you should see the following screen:

Figure 3. Managing Evidence window.

2. Click the Add button and select the default (Acquired Image(s)).

3. Navigate to where you unzipped the EnCase evidence file and select EnCaseWrkShp4E.E01.

4. Select the appropriate time zone (Denver) and click OK.

5. FTK will then process the evidence file and add it to your case. Click Close after processing has finished.

6. Once the evidence file has been added, it is important to verify that nothing has changed on the image. This can be done by comparing the hash of the acquired image with the hash of the unzipped image saved to the workstation's hard drive. To see the hash of the acquired image in FTK, click on the Properties tab under the File Content pane and scroll to the Verification Hashes section. You can compare this hash with the hash found in the EnCaseWrkShp4E.E01.txt text file.

Figure 4. Verifying the MD5 hash in FTK.

The EnCase Evidence File

The EnCase evidence file (sometimes called the Expert Witness format) is a de facto standard in the forensics field. It contains three basic components, the header, checksum, and data blocks, that work together to provide a secure and self-checking description of the state of the computer disk at the time of analysis.

Cyclical Redundancy Check (CRC)

The cyclical redundancy check is a variation of the checksum, and works much the same way. The advantage of the CRC is that it is order sensitive. That is, the strings "1234" and "4321" will produce the same checksum, but not the same CRC. In fact, the odds that two sectors containing different data will produce the same CRC are roughly one in a billion.

Most hard drives store one CRC for every sector. When a read error is generated from a disk, this usually means that the CRC value of the sector on the disk does not match the value that is recomputed by the drive hardware after the sector is read. If this happens, a low-level read error occurs.

Evidence File Format

Each file is an exact sector-by-sector copy of a floppy or hard disk. When a file is created, the user supplies information relevant to the investigation. EnCase archives this and other information inside the evidence file along with the contents of the disk. Every byte of the file is verified using a 23-bit CRC, making it extremely difficult, if not impossible, to tamper with the evidence once it has been acquired. This allows the investigators and legal team to confidently stand by the evidence in court.

Rather than compute a CRC value for the entire disk image, EnCase computes a CRC for every block of 64 sectors (32 KB) written to the evidence file. This provides a good compromise between integrity and speed. A typical disk image will have many tens of thousands of CRC checks. The investigator will be able to identify the location of any error in the file and disregard that group of sectors, if necessary.
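The block-CRC scheme just described, the checksum-versus-CRC comparison of "1234" and "4321", and the reason a plain hash of the container file cannot reproduce the recorded verification hash, as an added Python example that is not part of the original protocol. The container layout, field names and sample disk data are a hypothetical stand-in for the real EnCase format; the per-block check uses zlib's CRC-32.

```python
import hashlib
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR          # one CRC per 64-sector (32 KB) block, as in the text


def simple_checksum(data: bytes) -> int:
    """Additive checksum: order-insensitive, so b"1234" and b"4321" collide."""
    return sum(data) & 0xFFFF


def crc(data: bytes) -> int:
    """CRC-32 (zlib): order-sensitive, so the same two strings give different values."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_container(image: bytes, case_info: str) -> dict:
    """Hypothetical evidence container (not the real EWF layout): a header holding
    the examiner-supplied case information, the disk data cut into 32 KB blocks
    each stored with its CRC, and an MD5 computed over the raw disk data only."""
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    return {
        "header": case_info,
        "blocks": [(b, crc(b)) for b in blocks],
        "md5": hashlib.md5(image).hexdigest(),
    }


def serialize(container: dict) -> bytes:
    """Flatten the container to bytes, as the evidence file would sit on disk."""
    out = container["header"].encode() + b"\x00"
    for b, c in container["blocks"]:
        out += b + c.to_bytes(4, "little")
    return out


def verify_blocks(container: dict) -> list:
    """Indices of blocks whose stored CRC no longer matches their data; the
    investigator can disregard just those 64-sector groups."""
    return [i for i, (b, c) in enumerate(container["blocks"]) if crc(b) != c]


def tamper(container: dict, offset: int) -> None:
    """Flip one data byte at an image offset, leaving the stored CRCs untouched."""
    idx, pos = divmod(offset, BLOCK)
    b, c = container["blocks"][idx]
    container["blocks"][idx] = (b[:pos] + bytes([b[pos] ^ 0xFF]) + b[pos + 1:], c)


def demo() -> dict:
    # Constructed 128 KB "disk": 256 sectors, sector n filled with the byte n % 256.
    image = b"".join(bytes([n % 256]) * SECTOR for n in range(256))
    cont = build_container(image, "Case: Workshop; Examiner: Forensics")
    result = {
        "checksum_collides": simple_checksum(b"1234") == simple_checksum(b"4321"),
        "crc_collides": crc(b"1234") == crc(b"4321"),
        # An MD5 of the whole container covers the header and CRCs too, so it cannot
        # equal the verification hash recorded for the disk data; only a tool that
        # parses the container can recompute that hash.
        "container_md5_matches_data_md5":
            hashlib.md5(serialize(cont)).hexdigest() == cont["md5"],
        "bad_blocks_clean": verify_blocks(cont),
    }
    tamper(cont, 2 * BLOCK + 100)             # one byte inside the third block
    result["bad_blocks_after_tamper"] = verify_blocks(cont)
    return result


if __name__ == "__main__":
    print(demo())
```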


Compression

Compression technology allows EnCase to store data from a large disk in a relatively small file. It uses an industry-standard compression algorithm that achieves an average size reduction of 50%. If most of the disk is unused, the compression ratio may be much higher. This can result in great savings in storage space.

Compressed evidence files take longer to generate because of the additional processing time required to compress the information. Compression never has any effect on the final evidence, and compressed blocks are checked for validity in the same way as uncompressed ones.

Automatic Verification

Whenever an evidence file is added to a case, FTK will begin to verify the integrity of the entire disk image in the background. This is usually quite fast for a small evidence file but can take a long time for hard disk files. During the verification process, the investigator can continue working on the case normally. If the case is saved and closed while the verification process is running, the verification process is canceled. This process then starts over when the case is reopened.

Navigating the FTK Examiner User Interface

After logging in and creating a case or selecting an existing case from the FTK Case Manager, FTK opens into the FTK Examiner view. The Examiner view is used to navigate through the evidence that has been added to the case. From this view, you can view the files on a single piece of evidence or all the files found on several pieces of evidence. The overview, email, graphics, bookmarks, live search, index search, and volatile views are all accessed from the default Examiner view.

Basic Layout

The screen is initially divided into three sections: Tab pane, File Content pane, and File List pane. The Filter Toolbar can be found under the Menu Bar.

Figure 5. The basic layout of the FTK Examiner User Interface.

Tabs

The tabs in FTK help the investigator to explore and refine evidence. The FTK interface contains eight main tabs, each with a specific focus, and there may be other optional tabs if their correlating product is installed. Most tabs also contain a common toolbar and file list with customizable columns. Additional tabs can be user-defined. Changing tabs helps the investigator to zero in on meaningful evidence.

The following are the default tabs included in FTK:

• Explore Tab
• Overview Tab
• Email Tab
• Graphics Tab
• Bookmarks Tab
• Live Search Tab
• Index Search Tab
• Volatile Tab

Explore Tab: the Explore tab displays all the contents of the case evidence files and directories as the original user would have seen them.

Overview Tab: the Overview tab provides a general view of a case. You can find the number of items in various categories, and view lists of items and lists of individual files by category, status, and extension.

Email Tab: the Email tab displays email mailboxes and their associated messages and attachments. The display is a coded HTML format.

Graphics Tab: the Graphics tab displays the case in photo-album style. Each graphic file is shown in a thumbnail view. A graphic displays in the Graphics Tab Thumbnail view when its thumbnail is checked in the File Contents pane.

Bookmarks Tab: a bookmark is a group of files that you want to reference in your case. These are user-created, and the list is stored for later reference and for use in the report output. You can create as many bookmarks as needed in a case. Bookmarks can be nested within other bookmarks for convenience and categorization purposes. Bookmarks help organize the case evidence by grouping related or similar files. For example, you can create a bookmark of graphics that contain similar or related graphic images. The Bookmarks tab lists all bookmarks that have been created in the current case.

Search Tabs: the Search Tabs give you tools for conducting an indexed search or a live search on the evidence. An indexed search is faster, while a live search is more flexible and powerful.

Live Search: a process that involves a bit-by-bit comparison of the entire evidence set with the search term.

Index Search: scans the case Index file to find the search term.

Volatile Tab: the Volatile tab provides tools for viewing, finding, and comparing data gathered from live agent systems in your network.

Tree Pane

The Explore tab contains several panes. The top-left pane, called the Tree pane, works a lot like Windows Explorer, providing the user with a tree-structured view of the evidence and illustrating the relationship of each folder hierarchically. It presents each evidence file in a folder that contains additional folders and files. Only evidence files and the folders contained within them are displayed in this view. Individual files are not displayed. An icon that quickly identifies the type of evidence precedes each evidence file. The plus and minus signs can be used to expand and contract the tree structure. Right-clicking on a folder will bring up the context menu.

A useful feature of the tree pane is the arrow-shaped QuickPicks button to the left of every node in the tree (see Figure 7). After clicking this button, the arrow becomes green. This feature displays all contents of the current directory, as well as the contents of all sub-directories, in the File Content pane. You can turn QuickPicks on or off quickly by selecting the QuickPicks filter button on the Filter bar.

Figure 7. The QuickPicks Button

File List Pane

The File List Pane lists the files available in the current tabbed view. In this pane you can choose which columns to display, as well as the order of those columns, create bookmarks, create labels, and copy or export file lists. The File List pane is displayed by default in all default tabs.

When viewing data in the File List, use the type-down control feature to locate specific files. When the list is sorted by name, select an item in the list, then type the first letter of the desired file. The cursor moves down the list to the first file beginning with that letter. The more letters you type, the closer the match will be to the file you are looking for. The File List Pane includes both the File List Toolbar and the File List view.

File Content Pane

The File Content Pane displays the contents of the item selected in the File List Pane. A large amount of evidence gathering is conducted from the File Content Pane. Here, you can select various amounts of data and bookmark that information, which can then be included in the report. The File Content Pane contains several sub-tabs that provide different views of the same file.

Viewer Top Tabs: Hex Tab

The Hex tab shows the file content in Hex view. It is different from the Hex Interpreter tab at the bottom of the screen.

Figure 8. The Hex display in FTK.

Right-clicking on the Hex display will make available a number of different options.

Viewer Top Tabs: Text Tab

The Text tab displays the file's content as text using the code page selected from the drop-down menu. The File Content Pane currently provides many code pages from which to choose. When the desired code page is selected, the Text tab will present the view of the selected file in text using the selected code page language.

Figure 9. The Text view in FTK.

Viewer Top Tabs: Filtered Tab

The Filtered tab shows the file's text created during indexing.

Figure 10. The Filtered View in FTK.

The text is taken from an index created for the current FTK session if indexing was not previously selected.

Viewer Top Tabs: Natural Tab

The Natural tab displays a file's contents as it would appear normally. This viewer uses the Oracle Stellent INSO filters for viewing hundreds of file formats without the native application being installed.

Note: Viewing large items in their native applications is often faster than waiting for them to be rendered in an FTK viewer.

Figure 6. The Natural View in FTK.


Where it is possible to recover deleted files or directories automatically, these are recovered and appear in the table view. Files and directories recovered from deleted entries appear with a red "x".

• Navigate to the "Terrorist" directory. The deletion indicators show that all of the files in this directory had been deleted from the original media.


Searching the Case

FTK provides a powerful search engine to locate information anywhere on the physical or logical media. It comes with an Index Search that gives instantaneous results, as well as three different Live Search modes: text, pattern (regex), and hexadecimal. Search results, or "hits," are easily viewed from the Search Tab File List and File Contents views.

Conducting an Index Search

The Index Search uses the index to find the search term. Indexing is simply the process of creating an index, or a searchable list of the discrete words, or strings of characters, in a case. Evidence items may be indexed when they are first added to the case. Index searches are instantaneous.

Index evidence when it is added to the case by checking the dtSearch Text Index box on the Evidence Processing Options dialog, or index after the fact by clicking and specifying indexing options.

1. Click on the Index Search tab in the FTK interface.

2. In the top left, in the Terms pane, type in the term cookbook. Notice that hits on that term, as well as similar terms, are instantaneously listed below the Terms field.

3. Select the term cookbook from the list and hit the Add button.

4. The search term will now show up in the Search Criteria pane to the right. You can adjust the search with the options shown (And, Or, All, Selected). For now, use the default settings and hit the Search Now button.

5. Select the Include all files option (should be the default) and hit OK.

6. The results will be listed in the Index Search Results pane.

7. Select the AnarchistCookbook.doc hit from the Index Search Results pane and right-click on it.

8. Select Create Bookmark from the context menu. This will bring up the Bookmark dialog. Or you can select the Bookmark button on the File List Toolbar.

• A bookmark is a group of files that you want to reference in your case. These are user-created, and the list is stored for later reference and for use in the report output. You can create as many bookmarks as needed in a case. Bookmarks can be nested within other bookmarks for convenience and categorization purposes. Bookmarks help organize the case evidence by grouping related or similar files. For example, you can create a bookmark of graphics that contain similar or related graphic images. The Bookmarks tab lists all bookmarks that have been created in the current case. Bookmarked files are pink.

• Bookmarks can also be made from selected text. From any tab, select a file to be displayed in the File Content pane. Select the text you want to bookmark and hit the Bookmark button on the File List Toolbar.

9. Give your bookmark the name "Anarchist Cookbook" and in the comment write "This file contains a version of the Anarchist Cookbook" or something similar. Select the Forensics user as the Bookmark Parent. Hit OK.

10. Switch over to the Bookmarks tab at the top of the main interface and you should be able to see your new bookmark listed under Forensics.

Conducting a Live Search

The live search takes slightly more time than an index search because it involves a bit-by-bit comparison of the search term to the evidence. A live search is flexible because it can find patterns of non-alphanumeric characters, including those that are not generally indexed. It is powerful because you can define those patterns to meet your needs in an investigation.

The difference between a Pattern search and a Text search is that a text search searches for the exact typed text; there are no operands, so the results return exactly as typed. A Pattern search allows you to find all strings that match a certain pattern, such as any 10-digit phone number (nnn-nnn-nnnn), or a nine-digit social security number (nnn-nn-nnnn). A Text search finds all strings that match an exact entry, such as a specific phone number (801-377-5410).

A Live Text Search gives you options such as ANSI, Unicode with UTF-16 Little Endian, UTF-16 Big Endian, and UTF-8. The latter two are always case-sensitive. You can also choose from a list of other Code Pages to apply to the current search. In addition, you can select Case Sensitivity for any Live Text Search.

Search terms can be entered, then exported as .XML files, then imported at any time, or with any case, depending on the folder where they are saved. Text (.TXT) files can be imported and used in Live Search; however, the Live Search Export feature supports only .XML format.
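The live text search with its encoding and case-sensitivity options, and the pattern (regex) search for the phone-number and social-security-number shapes described above, as an added Python example that is not part of the protocol or of FTK. The code-page mapping, the constructed evidence bytes and the SSN value are assumptions, and pattern matching here runs over the single-byte view of the data only.

```python
import re

# Encodings offered in the Live Search Text tab; the codec mapping is assumed.
ENCODINGS = {
    "ANSI": "cp1252",
    "UTF-16 LE": "utf-16-le",
    "UTF-16 BE": "utf-16-be",
    "UTF-8": "utf-8",
}
ALWAYS_CASE_SENSITIVE = {"UTF-16 BE", "UTF-8"}   # per the text above

# Pattern searches from the text: any 10-digit phone number, any 9-digit SSN.
PATTERNS = {
    "phone": rb"\b\d{3}-\d{3}-\d{4}\b",
    "ssn": rb"\b\d{3}-\d{2}-\d{4}\b",
}

# Constructed evidence bytes: slack filler around text stored in three encodings.
EVIDENCE = (
    b"\x00" * 16
    + "Recipe from the Anarchist Cookbook".encode("cp1252")
    + b"\x00" * 8
    + "COOKBOOK notes".encode("utf-16-le")
    + b"\x00" * 8
    + "Call 801-377-5410 about the cookbook; SSN 123-45-6789".encode("utf-8")
    + b"\xff" * 8
)


def live_text_search(evidence: bytes, term: str, encodings=ENCODINGS,
                     case_sensitive=False, max_hits=200) -> list:
    """Byte-level search for `term` in each selected encoding.
    Returns [(offset, encoding)] capped at max_hits, one entry per offset
    (ASCII text is byte-identical in ANSI and UTF-8, so those are not double-counted)."""
    hits = {}
    for name in encodings:
        needle = re.escape(term.encode(ENCODINGS[name]))
        ignore_case = not case_sensitive and name not in ALWAYS_CASE_SENSITIVE
        flags = re.IGNORECASE if ignore_case else 0   # ASCII-only folding on bytes
        for m in re.finditer(needle, evidence, flags):
            hits.setdefault(m.start(), name)
    return sorted(hits.items())[:max_hits]


def live_pattern_search(evidence: bytes, pattern: bytes, max_hits=200) -> list:
    """Regex search over the raw bytes. Returns [(offset, matched_bytes)]."""
    return [(m.start(), m.group()) for m in re.finditer(pattern, evidence)][:max_hits]


if __name__ == "__main__":
    print(live_text_search(EVIDENCE, "cookbook"))
    print(live_text_search(EVIDENCE, "cookbook", case_sensitive=True))
    print(live_pattern_search(EVIDENCE, PATTERNS["phone"]))
    print(live_pattern_search(EVIDENCE, PATTERNS["ssn"]))
```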

1. Click on the Live Search tab in the FTK interface.

2. In the Live Search tab, click the Text tab.

Figure 7. Performing a Live Search.

3. Check Case Sensitive if you want to search specifically for the uppercase or lowercase letters as entered. FTK ignores case if this box is not checked.

4. Enter the term cookbook in the Search Term field.

5. Click Add to add the term to the Search Terms window. You can add as many search terms as needed.

6. In the Max Hits per File field, enter the maximum number of search hits you want listed per file. The default is 200. The range is 1 to 65,535. Leave the default.

7. Hit Search. A Data Processing window will open that displays the progress of the live search. Let it finish and then hit Close.

8. The results are displayed in the Live Search Results pane.

9. Notice any differences between the Live Search and the Index Search you performed previously.

10. You can bookmark any results here just like in the Index Search.

Email

Email messages will have a typical format with data fields such as from, to, subject, created date, sent date, received date, header, and attachments. There are a variety of email application programs, each of which has its own file formats for this data. In addition to a variety of different data file formats, email programs may encrypt the file. It is up to the examiner to survey systems under examination to determine what email clients may have existed on the system.

The Email tab displays email mailboxes and their associated messages and attachments. The display is a coded HTML format.

Email Status Tree

The Email Status tree lists information such as the sender of the email and whether an email has attachments. They are listed according to the groups they belong to. It lists email items by status, as follows:

• Email Attachments (Contains only attachments to emails)
• Email Reply (Contains emails with replies)
• Forwarded Email (Contains only emails that have been forwarded)
• From Email (Contains everything derived from an email source, i.e. email related)

Email Archives Tree

The Email Archives tree lists Email-related files that are considered "containers." Item types include .dbx, .mbx, .pst, Saved Mail, Sent Mail, Trash, and so forth. The tree is limited to archive types found within the evidence during processing.

Email Tree

The Email tree lists message counts, AOL DBX counts, PST counts, NSF counts, MBOX counts, and other such counts. Exchange and PST Emails can be exported to MSG format. In addition, MSG files resulting from an export of Internet email look the way they should.

Figure 13. FTK makes it easy to process email.



Acquiring Additional Evidence

Raw image files can be added to FTK in much the same way that an EnCase evidence file is acquired from a device.

Copying and Verifying Raw Images

1. From the FTK_Tutorial_files.zip file you downloaded previously, copy three files into the Evidence folder you previously created:

a. WrkshpFlppy1.dd
b. WrkshpFlppy1.dd_audit_log
c. md5deep64.exe

WrkshpFlppy1.dd is a 1.4k raw image file created from a floppy drive using the imager available on the Helix CD. This imager records hash verification information in the file WrkshpFlppy1.dd_audit.log. After downloading, use the following process to verify that the MD5 hash of your copy of the image duplicates exactly the verified hash recorded in the file WrkshpFlppy1.dd_audit.log.

2. Select Run from the Start menu and enter the command cmd to bring up a command prompt.

3. Change directories with the following command:

cd c:\Users\Cases\Workshop\Evidence

4. View the text file containing the original verified hash using the type command:

type WrkshpFlppy1.dd_audit.log

5. Calculate the MD5 hash for the image file using the md5deep program:

md5deep64 -e WrkshpFlppy1.dd

Figure 14. Verifying the MD5 hash of a raw image with md5deep.
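The check performed by md5deep in step 5, as an added Python example that is not part of the protocol: it streams a copy of the raw image through MD5, extracts the recorded value from the audit log, and compares the two. The image bytes and the audit-log text are constructed here; the real layout of WrkshpFlppy1.dd_audit.log is not assumed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")


def hash_file_md5(path, chunk_size=1 << 20) -> str:
    """Stream the image through MD5 so large images need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def recorded_md5(log_text: str):
    """Return the first 32-hex-digit token on a line that mentions MD5, else None."""
    for line in log_text.splitlines():
        if "md5" in line.lower():
            m = MD5_RE.search(line)
            if m:
                return m.group(1).lower()
    return None


def verify_copy(image_path, log_text: str) -> dict:
    """Compare the copy's hash with the audit log's value using a constant-time compare."""
    expected = recorded_md5(log_text)
    actual = hash_file_md5(image_path)
    match = expected is not None and hmac.compare_digest(expected, actual)
    return {"expected": expected, "actual": actual, "match": match}


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "WrkshpFlppy1.dd"
        data = bytes(range(256)) * 5760          # constructed 1,474,560-byte floppy image
        image.write_bytes(data)
        # Constructed audit-log text; the layout is hypothetical, not the imager's own.
        log = ("Source: floppy drive -> WrkshpFlppy1.dd\n"
               f"MD5: {hashlib.md5(data).hexdigest()}\n")
        intact = verify_copy(image, log)["match"]
        image.write_bytes(data[:100] + b"\x00" + data[101:])   # one damaged byte
        damaged = verify_copy(image, log)["match"]
    return intact, damaged


if __name__ == "__main__":
    print(demo())
```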

1. Now that you've verified the MD5 hash, we can add the floppy drive image to our current case.

2. Select the Evidence menu and then Add/Remove…

3. This will open the Manage Evidence dialog you saw when you first created the case, except it should have the EnCaseWrkshp4E.E01 image listed already.

4. Hit the Add button and select Acquired Image(s) (should be the default). Hit OK.

5. Navigate to the images folder you just created and select the WrkShpFlppy1.dd file and hit Open.

6. Select the Denver time zone.

7. Hit OK and FTK will add the raw image to the case.



Recovering Data from Formatted Drives using Meta Carving

Some people believe that formatting the drive is the same as wiping it. This is not the case. Formatting the drive is analogous to erasing the table of contents of a book and writing a new table of contents in its place. The official contents of the book have changed, but the actual pages of the book have not.

In this case, the floppy disk that was imaged to the WrkshpFlppy1.dd file was formatted. You can use FTK's meta carve feature to recover the contents of the drive before it was formatted. Meta carving "carves" or searches the volume free space for deleted directories that have been orphaned. An orphaned directory is a directory whose parent directory, or whose entry in its parent directory, has been overwritten. The deleted directory entries often lead to data and file fragments that can prove useful to the case and that could not be found otherwise.
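Meta carving as described above, as an added Python example that is not part of the protocol or of FTK's own code: it scans a constructed free-space region sector by sector for orphaned FAT directory tables, recognized by their leading "." and ".." entries, and decodes the 8.3 entries inside, including ones marked deleted. The filenames, cluster numbers and sizes are constructed.

```python
import struct

SECTOR = 512
ENTRY = 32
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F
ATTR_ARCHIVE = 0x20
DELETED = 0xE5


def make_entry(name, ext, attr, first_cluster, size, deleted=False) -> bytes:
    """Build one 32-byte FAT 8.3 directory entry (constructed test data)."""
    raw = bytearray(ENTRY)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 26, first_cluster)   # first cluster (low word)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED       # deleting only overwrites the first name byte
    return bytes(raw)


def parse_entries(sector: bytes) -> list:
    """Decode the 8.3 entries in one directory sector, stopping at the end marker."""
    entries = []
    for off in range(0, len(sector), ENTRY):
        e = sector[off:off + ENTRY]
        if e[0] == 0x00:
            break                                  # nothing allocated past here
        if e[11] == ATTR_LFN:
            continue                               # long-name fragment, not an 8.3 entry
        deleted = e[0] == DELETED
        first = "?" if deleted else chr(e[0])      # first character is lost on delete
        name = first + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        entries.append({
            "name": name + ("." + ext if ext else ""),
            "deleted": deleted,
            "is_dir": bool(e[11] & ATTR_DIRECTORY),
            "cluster": struct.unpack_from("<H", e, 26)[0],
            "size": struct.unpack_from("<I", e, 28)[0],
        })
    return entries


def looks_like_directory(sector: bytes) -> bool:
    """An orphaned directory's cluster still opens with its '.' and '..' entries,
    even after the entry pointing at it in the parent has been overwritten."""
    return (sector[0:11] == b"." + b" " * 10 and bool(sector[11] & ATTR_DIRECTORY)
            and sector[32:43] == b".." + b" " * 9 and bool(sector[43] & ATTR_DIRECTORY))


def meta_carve(free_space: bytes) -> list:
    """Scan free space sector by sector for orphaned directory tables."""
    found = []
    for off in range(0, len(free_space) - SECTOR + 1, SECTOR):
        sector = free_space[off:off + SECTOR]
        if looks_like_directory(sector):
            found.append({"offset": off, "entries": parse_entries(sector)[2:]})
    return found


def build_free_space() -> bytes:
    """Constructed free-space region: filler, one orphaned directory table, filler."""
    table = (make_entry(".", "", ATTR_DIRECTORY, 5, 0)
             + make_entry("..", "", ATTR_DIRECTORY, 0, 0)
             + make_entry("NEDICT", "DOC", ATTR_ARCHIVE, 9, 24576, deleted=True)
             + make_entry("PRIZES", "", ATTR_DIRECTORY, 12, 0, deleted=True))
    return b"\xf6" * SECTOR + table.ljust(SECTOR, b"\x00") + bytes(range(256)) * 2


if __name__ == "__main__":
    for d in meta_carve(build_free_space()):
        print(d["offset"], [(e["name"], e["deleted"], e["is_dir"]) for e in d["entries"]])
```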

1. Go to the Evidence menu, and select Additional Analysis…

2. Check the meta carve box (see Figure 14). Click OK.

3. The Data Processing Status window should pop up. For these small evidence files, it should take a few minutes to complete the meta carve process.

4. Once the meta carving process completes, expanding the WrkShpFlppy1.dd evidence file and the FAT12 nodes in the tree pane will reveal the Meta carve folder with the recovered files (see Figure 16).

Figure 15. The meta carve option.

Figure 16. The recovered "2" directory using meta carving.


Bookmarking for Reports

Bookmarks provide the basis for annotating evidence as it is found. These bookmarks can also be exported directly into word processing or web-based reports. Because of this export capability, much of the report construction can be developed in FTK, leaving only minor formatting and organizing tasks for web page and document editing tools.

Sweep Bookmarks for Data

Perform an indexed search for "dry ice". In the results, under "Allocated Space", click "Documents" and expand the search hits for document "Dc555.doc".

Select hit #19 "USES FOR DRY ICE". In the "File Content" pane, highlight the first two paragraphs. Click the "Create Bookmark" button on the "File Content" toolbar.

Enter "Dry Ice" in the "Bookmark Name" field. In the "Bookmark Comment" field, enter:

"One of several copies of the Anarchist's Cookbook found on the thumb drive. The cookbook contains instructions for making simple, delayed action time bombs by sealing dry ice in a plastic container."

Check the "Bookmark Selection in File" box, select your username in the "Select Bookmark Parent" field, and click "OK".

Sweep Bookmarks for Documents

With the "Dc555.doc" document selected in the previous search hit, select the "Natural" tab of the File Content Pane. Scroll to the top of the document, and highlight the title, author and table of contents. In the bookmark comment field include the following:

"Title, Author and Table of Contents of 'The Anarchists' Cookbook'"

Check the "Bookmark Selection in File" box, select your username in the "Select Bookmark Parent" field, and click "OK".

Sweep Bookmarks for Email

Some email programs store emails in database files (for example, Outlook stores email in a PST file). In order to search these database files, they must first be expanded. Under the "Evidence" menu, select "Additional Analysis". Under Miscellany, check the "Expand Compound Files" box, as well as the "dtSearch Text Index" box under "Search Indexes". Click "OK".

Perform a search using two separate search terms: "Dry Ice" and "Yew alley". Find the search hit from the Outlook PST file. Bookmark the text of the email with the comment, "Reference to Yew Alley & Dry Ice in Email."

Notable Files Bookmarks

Go to folder "2" in the MetaCarve folder under WrkShpFlppy1.dd (previously found using the meta-carve case processing step). Bookmark the document "NE Dictonary.Doc" with the name "Nigerian-English Dictionary". In the comment field, enter "Perhaps related to 419 scam." Click OK.

File Group Bookmarks for Deleted Material

Navigate to the My Documents\Terrorist directory. Note that all entries have been deleted. Sort by extension and highlight and bookmark all JPG files. In the comment field, type:

"All files in the terrorist subdirectory had been deleted. These included multiple versions of the Anarchist Cookbook and many images of bombs and explosions."

Create a bookmark for the "Prizes" folder with the comment, "The entire Prizes Folder, with its four images of terrorist explosions, had been deleted." Select all four deleted images in the "Prizes" folder, right-click, select "Add to Bookmark", and select the bookmark you just created for the "Prizes" folder.


Creating a Report

At any time during or after the investigation and analysis of a case, you can have AccessData FTK create
a report that summarizes the relevant evidence of the case. The final report is made available in several
formats, including HTML and PDF formats plus one that is viewable in a standard Web browser.

Use the
Report Wizard

to create a report. Access the Re
port Wizard by selecting
File

>
Report
. The
Report Wizard is then displayed.


Entering Case Information

The
Case Information

dialog provides fields for basic case information, such as the investigator and the
organization that analyzed the case.

1.

Check
the
Case Information

box in the
Report Outline

on the left side of the screen.

2.

Double
-
click the
Value

field for each entry and enter the following information:


3.

Add and remove entries with the
Add

and
Remove

buttons below
Default Entries
.

a.

To add additiona
l entries, click
Add

and edit the
Label

and
Value

fields.

b.

To remove entries, highlight the entry line to be removed and click
Remove
.

4.

Add a new entry and call it
Prepared For
. Place the following in the
Value

field:

a.

Duke Buntline; Rollingcat Corporation;
Assignment in ISYS 565

5.

Do not mark the
Include File Extensions

box to include a File Extensions List and count in the
File Overview portion of the report.



The
Include File Extensions

box is unmarked by default. If you wish to include in the report
a list
of file extensions such as is found in
Overview
>
File Extensions
, mark the
Include File
Extensions

box. The list of file extensions will appear in the report under Case Information,
after File Items and File Category, and before File Status. The File Ext
ensions List is long and
may span many pages. If you intend to print the Report, this may not be desirable.

6.

Only click
OK

once all report creation information has been entered or selected.



If you inadvertently close the Report Wizard, simply re
-
open it by

clicking
File

>
Report
.
Verify the Case Information and move to the next section. Report settings are persistent,
meaning that once set, the settings remain until changed by the user.

Managing Bookmarks in a Report

The Bookmarks dialog allows you to create a section in the report that lists the bookmarks that were created during the case investigation. You can also choose not to create a bookmark section by unselecting the Bookmarks check box.

Both the Sort options and Column settings can be unique for each bookmark.

1. Select any of the bookmarks made previously to include in the report.

2. You can apply any filter to the bookmarks by selecting one from the filter dropdown box.

Customize the properties columns to display in the report:

3. Click Columns.

4. You can select or customize the properties columns to include in the report. You can import an existing custom column template and use it here if the template you want is not readily available or would take too long to re-create. We will use the default settings for now.

5. When you are done defining the column settings to use, click OK.

6. When you make changes to the column settings, you can apply them to child files by clicking Apply these settings to children.

Managing Graphics in a Report

The Graphics dialog allows you to create a section in the report that displays thumbnail images of the case graphics and can link them to the original graphics if desired.

7. Mark the box labeled Export and link full-size graphics to thumbnails.

8. Select Include checked graphics only.

9. Enter 3 as the number of graphics to display per row.

10. Leave the checkbox Group all filenames at end of report unchecked. Check this box only if you want to group all the graphics filenames at the end of the report.

11. You can sort the graphics by Name or by Path:

    a. Click Sort Options.

    b. Click the dropdown arrow on the right side of the line to select either Name or Path.

    c. Click OK.

Selecting a File Path List

The File Paths dialog allows you to create a section in the report that lists the file paths of files in selected categories. The File Paths section simply displays the files and their file paths; it does not contain any additional information.

12. Click File Paths in the left pane.

13. Expand the File Items group in the Available Categories.

14. Select and drag Evidence Items to the Selected Categories pane.

15. Mark the box to select Evidence Items.

Adding a File Properties List

The File Properties dialog allows you to create a section in the report that lists the file properties of files in selected categories. There are several options to choose from, allowing you to make the File Properties List in the report as specific or as general as you want it to be.

16. Under File Category, drag the Graphics category to the Selected Categories pane. Similarly, under Documents, drag Microsoft Documents to the Selected Categories pane.

17. Click OK when you have made all of the modifications needed.

18. Specify HTML and DOCX as the file types and choose the case directory in which to save the report.

19. Click OK to generate the report.

Supplement the Report

Open the report in Word to make the additions described in the sections below.

Case Overview

On November 10, 2015, Duke Buntline, head of security for RollingCat Corporation, requested forensic examination of two items of computer media: one thumbstick and one floppy diskette. Mr. Buntline reported that the media had been removed from the office of Mr. Dan Kojak, a computer information systems intern with the company. Mr. Buntline suspected that Kojak was operating a 419 scam among RollingCat employees using his assigned computer workstation, a violation of company policy. The investigation was hampered by the destruction of the hard drive of Kojak’s computer workstation. It appeared to have been destroyed by a powerful acid, perhaps nitric, set to operate as a timed internal pipe bomb, perhaps using dry ice as a timer.

Mr. Buntline asked that the media be examined for any evidence of time bombs, pipe bombs, dry ice, or “419 Nigerian” scams, or any other notable evidence of suspicious activity by Kojak.

Executive Summary:

The thumb drive contained several copies of “The Anarchist Cookbook”, which included many references to both pipe bombs and time bombs. There were also references to the construction of time bombs using dry ice. The cookbook includes instructions for constructing such devices. There were also many photos of explosion scenes. All of this evidence was in a subdirectory named “Terrorist”, and these files had been deleted. The files were recovered from free space or the Recycler.

The thumb drive also contained a collection of cook books, recipes, photos of food, and text files of books and literature.

There was also one email message with a reference to dry ice and a “yew alley”. This may have been a reference to a “yew alley” mentioned in one of the literary works (“The Hound of the Baskervilles”), but the meaning of this connection is not clear to the examiner.

The floppy diskette had been formatted, but we recovered one directory containing a small Danish-English dictionary and a dictionary of “Nigerian English”. There is no obvious relationship between the material on the floppy and the material on the thumb drive, although the latter dictionary could be somehow related to the 419 scam.

Examination Findings

[Discuss bookmarks and findings here]

Validation

The evidence item, the original memory stick, was attached via a write protection block to a computer operating under Windows XP, and imaged using the FTK Imager as an EnCase evidence file. The MD5 hash of the original device was calculated in this process. An image of this memory stick was then copied to a virtual computer operating EnCase Forensics Analysis software. Upon completion of the transfer process, EnCase was again used to verify the integrity of the evidence file and calculate an MD5 hash for the evidence, and it was verified that the evidence image was unchanged by the imaging or the transfer process. The original memory stick was then removed from the computer and stored in a locked repository.

The evidence item, the floppy diskette, was write protected, read by a computer operating under Windows XP, and imaged as a simple dd image file using the FTK Imager. The MD5 hash of the original floppy volume was calculated in this process, and a hash was also calculated with md5deep. The image was then copied to a Key Computer Service hard disk drive using dd for Windows.

The image of this diskette was then copied to a virtual computer operating EnCase Forensics Analysis software. Upon completion of the transfer process, md5deep was used to calculate an MD5 hash for the image, and it was verified that the evidence image was unchanged by the imaging or the transfer process. This evidence was then loaded into EnCase, acquired by EnCase, and EnCase was again used to verify the integrity of the evidence file and calculate an MD5 hash for the evidence. It was verified that the evidence image was unchanged by the imaging, transfer or acquisition process. The original diskette was then removed from the computer and stored in a locked repository.
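The validation paragraphs above rest on one check: the hash computed over the image after each transfer must equal the hash recorded at acquisition. The script below is an added example, not part of the original protocol and not FTK, EnCase or md5deep code; it performs that check for a raw dd image, assuming an acquisition record with "MD5 checksum:" / "SHA1 checksum:" lines (modelled on FTK Imager's text log, format assumed) and using a constructed sample image in place of the floppy image.

```python
"""Verify a raw (dd) evidence image against the hashes recorded at acquisition."""
import hashlib
import os
import re
import tempfile

# Matches "MD5 checksum: <hex>" / "SHA1 checksum: <hex>" lines in an acquisition
# record (layout modelled on FTK Imager's .txt log; the exact format is assumed).
_HASH_LINE = re.compile(r"^\s*(MD5|SHA1)\s+checksum:\s*([0-9a-fA-F]+)\s*$", re.I | re.M)

def compute_hashes(path, chunk_size=1 << 20):
    """Hash the image in chunks so a multi-GB image never has to fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def parse_acquisition_record(text):
    """Return the recorded hashes keyed by lowercase algorithm name."""
    return {alg.lower(): hexval.lower() for alg, hexval in _HASH_LINE.findall(text)}

def verify_image(path, record_text):
    """Return (all_match, details); an empty record fails rather than passing."""
    recorded, computed = parse_acquisition_record(record_text), compute_hashes(path)
    details = {alg: (recorded[alg], computed[alg], recorded[alg] == computed[alg])
               for alg in recorded if alg in computed}
    return bool(details) and all(m for _, _, m in details.values()), details

def write_temp_image(data):
    """Write constructed sample bytes to a temporary file standing in for a dd image."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    """Constructed image: verify it, then alter one byte and show the check fails."""
    path = write_temp_image(b"constructed floppy image sample\0" * 64)
    hashes = compute_hashes(path)  # stands in for the hash taken at acquisition time
    record = "[Computed Hashes]\n MD5 checksum: %s\n SHA1 checksum: %s\n" % (
        hashes["md5"], hashes["sha1"])
    ok_original, _ = verify_image(path, record)
    with open(path, "r+b") as fh:  # simulate a single altered byte in the image
        fh.seek(10)
        fh.write(b"X")
    ok_tampered, _ = verify_image(path, record)
    os.remove(path)
    return ok_original, ok_tampered
```

This check applies to raw images only: an EnCase .E01 file carries its own headers and block CRCs, so hashing the container file directly will not reproduce the acquisition hash, which is why the memory stick paragraph relies on EnCase itself for verification.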


Recovery

EnCase automatically recovered the files deleted from the original thumb stick, most notably all files in the directory “Terrorist”. There was a single Outlook pst (personal folders) file, unencrypted, on the thumb drive. The structure of this file was restored by means of an EnCase keyword search.

The floppy diskette appeared to be blank; however, applying the “Recover Folders” procedure of EnCase recovered one folder, indicating that the floppy was likely formatted.


Chain of custody

Nov 10, 9.50 am. Bloomguys received the two evidence items from Buntline at his offices in Broad St.

Nov 10, 11.30 am. Bloomguys seals the two evidence items in a tamperproof bag and locks the parcel in his evidence repository safe in his offices in Broad St.

See the Chain of Custody Form attached to this report for further details.


License statement

All software utilized is licensed to, or authorized for use by, the examiner and/or Brigham Young University.

Examiner Qualifications

Buck Bloomguys is a forensics examiner trained at Brigham Young University, in its information security and its digital forensics courses. He has two years of experience as a computer specialist. Expecting to graduate in 2015, Bloomguys will hold a Master’s Degree in Management Information Systems Management.

Finalizing the Report

Reorder the sections of the report so that the most important findings (the bookmarks) appear immediately after the “Case Overview” and “Executive Summary” sections.

Since forensic reports are generally for managerial audiences, create appendices for highly detailed information. You can then reference these appendices as needed.

Finally, format your report professionally as you see fit.

Email your completed report to Kent Norman at kqnorman+isys565@gmail.com.