PART I: Familiar with FTK Imager

jamaicaitalianMechanics

Nov 18, 2013

Computer Forensics - FTK



FTK report




Bonus Exercise 1 (5 points):

Assume that you have a write-protected USB device.

Image a USB device or a floppy disk to create an image in a DD format. (Note: You are not able to use the 841_Win_Forensics_Updated VM to perform this bonus exercise. You have to use your own computer for this exercise.)

Provide a snapshot from FTK Imager.


Requires: a USB device or a floppy disk

Launch FTK Imager
Click File > Create Disk Image
Click Physical Drive and Next
Select the device and select Raw (dd) Image Type
Choose the destination and leave Verify images after they are created checked: FTK Imager then hashes the source device and the finished image (MD5 and SHA1) and reports whether they match, which is the check that shows the image is a faithful copy of the write-protected device.




Exercise 2: View images

Click File > Add Evidence Item
Select Image file and then click Next
Browse to your WinLabEnCase.E01 image and click Finish
View the image in the Evidence Tree view


Question 1: What is the VBR file used for? How to export this file? How to export a file hash?

The VBR is the Volume Boot Record: the first sector of the partition, which holds the BIOS parameter block (bytes per sector, sectors per cluster, reserved sectors, number of FATs, root directory entries) and the boot code. FTK Imager shows it as a file-like entry under the partition in the Evidence Tree. We can export it by right-clicking the entry and choosing Export Files; to export its hash, right-click and choose Export File Hash List, which writes the MD5 and SHA1 of the item to a plain-text CSV file.


Exercise 3: Convert the WinLabEnCase image to a DD image

Exercise 4: Verify images


Question 2: What are the results of verification? Comparing both hashes, are they the same or not?

The verification succeeded: the hash computed over the converted DD image matches the hash stored with the original image, so both hashes are the same.
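The verification in Exercise 4 is just "hash the image again and compare with the hash recorded at acquisition". The following is an added example (not code from the lab or from FTK Imager) that does the same check outside the GUI: it streams a raw image through MD5 and SHA1, reads the recorded hashes out of a summary text file, and flags a mismatch. The 4096-byte image and the summary text are constructed here; the "MD5 checksum:" / "SHA1 checksum:" line labels are an assumption about the summary .txt that FTK Imager writes next to an image.

```python
"""Verify a raw (dd) image the way FTK Imager's "Verify images" step does:
stream the image through MD5 and SHA1 and compare with the hashes recorded
at acquisition time.  The sample image and summary text are constructed."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: a multi-GB image never has to fit in memory

# Constructed 4096-byte "image": one boot-sector-shaped block (x86 jump, OEM
# name, 0x55AA signature) followed by seven empty sectors.  Not a real device.
SAMPLE_IMAGE = (
    b"\xEB\x3C\x90" + b"MSDOS5.0" + b"\x00" * 499 + b"\x55\xAA"
    + b"\x00" * (7 * 512)
)


def hash_image(path):
    """Return (md5, sha1) hex digests of the file at `path`, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def parse_imager_summary(text):
    """Pull the recorded hashes out of an acquisition summary.  Assumed line
    layout: ' MD5 checksum:  <hex>' and ' SHA1 checksum: <hex>'."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        for algo in ("MD5", "SHA1"):
            label = algo + " checksum:"
            if line.startswith(label):
                found[algo] = line[len(label):].split()[0].lower()
    return found


def verify_image(path, recorded):
    """Compare computed digests with the recorded ones.  A missing recorded
    hash counts as a failure, never as a silent pass."""
    md5, sha1 = hash_image(path)
    return {
        "MD5": md5 == recorded.get("MD5"),
        "SHA1": sha1 == recorded.get("SHA1"),
        "computed": {"MD5": md5, "SHA1": sha1},
    }


def demo(tamper=False):
    """Write the constructed image to a temp file, build the summary that would
    have been recorded at acquisition, optionally flip one bit, then verify."""
    data = bytearray(SAMPLE_IMAGE)
    summary = (
        "[Computed Hashes]\n"
        f" MD5 checksum:    {hashlib.md5(data).hexdigest()}\n"
        f" SHA1 checksum:   {hashlib.sha1(data).hexdigest()}\n"
    )
    if tamper:
        data[600] ^= 0x01  # a single bit in the second sector
    with tempfile.NamedTemporaryFile(delete=False, suffix=".001") as fh:
        fh.write(data)
        path = fh.name
    try:
        return verify_image(path, parse_imager_summary(summary))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("intact  :", demo())
    print("tampered:", demo(tamper=True))
```

One flipped bit anywhere in the image changes both digests, which is why a verified hash is the evidence that the DD image (or the DD converted from the E01) is byte-identical to what was acquired.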


PART II: Working with FTK 1.8x

DETAILED PROCEDURES THAT MAY HELP YOU TO GO THROUGH THE FTK SOFTWARE



Exercise 1: Starting a New Case



Question 3: What information is required to create a new case using the FTK New Case Wizard?

The information needed is: investigator name, address, phone, email, case number, case name, case path, case folder and case destination.



Question 4: What are the types of evidence that can be added to a case in FTK?

An image of a drive, a local drive, a folder, and an individual file.





Exercise 2: Working with FTK

Click the OVERVIEW tab; note the numbers for each type of file.


Question 5: How to make the number of the Checked Items go up? How to make the number of Flagged Thumbnails go up?

Checked Items counts the files whose check box has been ticked in the file list, so ticking the box next to a file raises it. Flagged Thumbnails counts the graphics that have been flagged in the Graphics tab; clicking the indicator under a thumbnail to switch it from red to green flags that graphic and raises the count.


File Signatures

A file type (JPEG, Word Document, MP3 file) can be determined by the file's extension and by a header that precedes the data in the file. The extension is only part of the name and can be changed freely, while the header (the file's signature, or "magic number") is part of the content, so if a file's extension has been changed the reliable way to determine its type is by looking at its header. FTK compares the two and lists the disagreements under Bad Extension.


Question 6: Click on Bad Extension from the Overview tab. Do you find any signature mismatch? What are they?

There are 11 files: 8 of them have a TMP extension, 1 XLS, 1 PDF and 1 DOC.



Data Carved Files:

Question 7: Check the number of Data Carved Files; what is the number?

Zero


Question 8: Check the number of Data Carved Files from Overview; how many files were added to the case by data carving?

Two


Question 9: What are those files found by performing the data carving process? Why is this process so important?

The files found are GIF files. The process is important because carving looks for file headers (and footers) in the raw data, including unallocated space, without relying on the file system's directory entries, so it recovers files that have been deleted or whose metadata is gone, and it lets the investigator target the one type of file (here GIF graphics) that he is looking for.

Explore Tab

Check mark List all descendants.



Question 10: What is the file system of this image?

FAT16



Question 11: Right-click a folder and select File Properties. What information do you get?

Path, file name, system attributes, file source info and file content info.


Question 12: Select a file, right-click on that file and select File Properties. What information do you get?

Path, file name, system attributes, file source info, file content info and file size.



Question 13: Select Documents and Settings\psmith\Recent; what kind of files are contained in this folder? Select each file in this folder; what kind of information do you get from the upper-right window?

The Recent folder holds shortcuts to the files most recently opened on this machine. For each one we get information such as the creation time, last write time, last access time and what kind of file it is.



Question 14: Select Documents and Settings\psmith\Local Settings\History\History.IE5\index.dat; what kind of files are contained in this file? Select each file; what kind of information do you get from the upper-right window?

index.dat is Internet Explorer's browsing history index; FTK parses it into the daily history entries. For each entry we get the URL of the website that was opened in the browser and the last-accessed time.



Question 15: Select Documents and Settings\psmith\Favorites; what are psmith's favorite links?

www.monster.com
www.aerospace-technology.com/contractors
www.jsfirm.com/searchcontractors.asp
yahoojobs

As we can see, the suspect was looking for a job.



Question 16: Looking into the Recycled folder, which files are currently in the recycler? Select the INFO2 file from the Recycled folder; what information do you get from that file?

We found 2 files, ogdiagram.gif and tse082800.pdf. INFO2 is the recycle bin's index: for every file placed in the recycler it records the file's original path, its index number (which gives the Dc<n> name the file carries inside the Recycled folder), the drive it came from, its size and the time it was deleted.
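What FTK shows for INFO2 in the upper-right window is a decoded view of a fixed-size record file. The following added example (not code from the lab or from AccessData) parses that file directly, using the documented Windows 2000/XP INFO2 layout: a 20-byte header carrying the record size, then 800-byte records of a 260-byte ANSI path, a 4-byte index, a 4-byte drive number, an 8-byte FILETIME deletion time, a 4-byte size and a 520-byte UTF-16 copy of the path. The sample INFO2 below is constructed (the psmith paths and times are invented for the example); the helper that builds it exists only so the example runs offline.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index.  Added example; the record
layout is the documented INFO2 format and the sample file is constructed."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<5I"  # version, unknown, unknown, record size, total size of recycled files
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes
RECORD_LEN = 800    # XP/2000 records; 280 on Win9x/NT4 (no UTF-16 copy of the path)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """64-bit count of 100 ns intervals since 1601-01-01 UTC -> ISO 8601 string."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Return one dict per record: original path, drive, index, size, deletion
    time and the Dc<n> name the file has inside the Recycled folder."""
    version, _, _, record_len, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if record_len not in (280, 800):
        raise ValueError("unexpected INFO2 record size %d (version %d)" % (record_len, version))
    records = []
    for off in range(HEADER_LEN, len(data) - record_len + 1, record_len):
        rec = data[off:off + record_len]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        ansi = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        if record_len == 800:
            path = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
        else:
            path = ansi
        # When a file is restored or the bin is emptied, Windows zeroes the first
        # byte of the ANSI path but leaves the rest of the record in place, so
        # the UTF-16 copy still tells you what used to be there.
        purged = rec[0] == 0
        letter = chr(ord("A") + drive)
        base = path.rsplit("\\", 1)[-1]
        ext = base[base.rfind("."):] if "." in base else ""
        records.append({
            "index": index,
            "drive": letter + ":",
            "path": path,
            "deleted": filetime_to_iso(ft),
            "size": size,
            "recycled_name": "D%s%d%s" % (letter.lower(), index, ext),
            "purged": purged,
        })
    return records


def build_record(path, index, drive, deleted, size):
    """Helper for the constructed sample only: lay out one 800-byte XP record."""
    ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
    uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size) + uni


# Constructed sample: two live entries plus one that was restored (purged) afterwards.
_C = 2  # drive number 2 = C:
_purged = bytearray(build_record(r"C:\Documents and Settings\psmith\My Documents\draft.txt", 3, _C,
                                 datetime(2002, 11, 2, 9, 30, tzinfo=timezone.utc), 1024))
_purged[0] = 0
SAMPLE_INFO2 = (
    struct.pack(HEADER_FMT, 5, 0, 0, RECORD_LEN, 4000 + 23000 + 1024)
    + build_record(r"C:\Documents and Settings\psmith\My Documents\ogdiagram.gif", 1, _C,
                   datetime(2002, 10, 31, 14, 5, tzinfo=timezone.utc), 4000)
    + build_record(r"C:\Documents and Settings\psmith\My Documents\tse082800.pdf", 2, _C,
                   datetime(2002, 10, 31, 14, 7, 30, tzinfo=timezone.utc), 23000)
    + bytes(_purged)
)

if __name__ == "__main__":
    for rec in parse_info2(SAMPLE_INFO2):
        print(rec["recycled_name"], rec["deleted"], rec["size"], rec["path"],
              "(purged)" if rec["purged"] else "")
```

The third record is the case worth knowing about: a file that was restored or purged from the bin no longer appears in the Recycled folder, yet its record, with the original path and the deletion time, is still readable in INFO2 until the slot is overwritten.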


Question 17: Looking into the WINDOWS\System32\spool folder, what information can you get from this folder?

From spool we get information about the printer drivers installed on that machine (spool\drivers) and, in spool\PRINTERS, any spool files (.SPL and .SHD) left behind by documents that were printed.


Windows Registry

Locate ntuser.dat in the Documents and Settings\psmith folder.
Export the ntuser.dat; then launch the AccessData Registry Viewer to include this file in the Registry Viewer. (You may also right-click the file and choose View in Registry Viewer.)
In the Registry Viewer, explore the list.

Action 18: List any interesting results

ntuser.dat is psmith's user hive (the part of the registry that is loaded as HKEY_CURRENT_USER when that user logs on). It holds that user's settings for the software installed on the machine, including a Software key for each application and the most-recently-used lists.



Graphics Tab

The Graphics Tab allows you to quickly see all the pictures in the case.

Check mark List all descendants.

You will now see all of the pictures contained on all of the devices in the case.

Question 19: If a file's extension has been changed to a non-graphics file type (such as changing jpg to txt), will it be displayed in the Gallery view? Provide one example to support your statement. Does EnCase work in the same way?

Yes, it is still displayed, because FTK recognises graphics by their file signature rather than by the extension, and this is an advantage of FTK compared to EnCase.



Export and Copy Special

Export these five graphics to your desktop.



Question 20: What is the major difference between Export a file and Copy Special a file?

Export copies the file itself to a chosen location on the machine, while Copy Special copies only the selected properties of the file (file type, modification date and so on) rather than its contents.


Keywords and Searching

Searching evidence for information pertaining to a case can be one of the most crucial steps in the examination. FTK supports two kinds of search, indexed and live searches. An indexed search uses the index file to find a search term while a live search involves an item-by-item comparison with a search term. The index file can be generated during the creation of a case or be indexed later.


Question 21: What is the advantage of using indexed search vs. the live search?

An indexed search only looks the term up in the index file that was built when the case was created (or indexed later), so it returns results almost instantly and can be repeated for many terms at no extra cost. A live search reads through every item in the case for each search, which is slow on a large case, but it is the one to use for terms that are not in the index, such as patterns (phone numbers, credit card numbers) matched with regular expressions.



Examining the Options and Import features in the Indexed Search

Question 22: What are these two features used for?

Options changes the search broadening options, the search result options and the search limiting options. Import loads a list of search terms from a text file.




Question 23: Do you find any files containing US phone numbers? List two files in the result list.

I found 299 hits in 8 files.

Aviation.htm
Contacts.htm
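The phone-number search in Question 23 is the clearest illustration of the indexed versus live distinction from Question 21: the index holds tokens like "555" and "4567", but never the shape "NNN-NNN-NNNN". The following added example (not code from the lab or from FTK) builds a small inverted index over three constructed "files", runs an exact-token indexed lookup against it, and then runs a regular-expression live search for US phone numbers over the same files, reporting hits per file and the "N hits in M files" summary. The file names and text are constructed, and the phone regex is a simple one written for the example, not FTK's built-in pattern.

```python
"""Indexed search vs. live search, as FTK distinguishes them.  Added example;
the three "files" are constructed stand-ins for text extracted from a case."""
import re
from collections import defaultdict

DOCS = {
    "Aviation.htm": "Call our recruiter at (555) 123-4567 or 555-987-6543 about contractor openings.",
    "Contacts.htm": "Joe Smith, hangar 4, 555.222.3333 (fax 5552223334).",
    "readme.txt": "No phone here, only the word contractor twice: contractor.",
}

TOKEN = re.compile(r"[A-Za-z0-9]+")


def build_index(docs):
    """Inverted index token -> {file: hits}.  Built once (FTK does this when the
    case is created or when you index later); every query after that is a lookup."""
    index = defaultdict(lambda: defaultdict(int))
    for name, text in docs.items():
        for tok in TOKEN.findall(text.lower()):
            index[tok][name] += 1
    return {tok: dict(files) for tok, files in index.items()}


def indexed_search(index, term):
    """Exact-token lookup: fast, but it only finds what the indexer tokenised."""
    return dict(index.get(term.lower(), {}))


def live_search(docs, pattern):
    """Item-by-item scan with a compiled regex: reads every file on every query,
    but can match shapes (phone numbers, card numbers) that are never index tokens."""
    hits = {}
    for name, text in docs.items():
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
    return hits


# NNN-NNN-NNNN with optional parentheses and '-', '.', ' ' or nothing between groups.
US_PHONE = re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")


def summarize(hits):
    """(total hits, number of files): the two numbers FTK's result list reports."""
    return sum(hits.values()), len(hits)


if __name__ == "__main__":
    idx = build_index(DOCS)
    print("indexed 'contractor':", indexed_search(idx, "contractor"))
    print("indexed '555-987-6543':", indexed_search(idx, "555-987-6543"))
    phones = live_search(DOCS, US_PHONE)
    print("live US phone numbers:", phones, "=> %d hits in %d files" % summarize(phones))
```

The indexed lookup for a full number returns nothing even though every digit group of that number is in the index, while the live scan finds all four numbers; the trade-off is that the live scan touched every byte of every file to do it.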


Email






Question 24: Read the manual and find out what kind of email formats FTK supports.

FTK now supports the decryption of RSA standard PKCS7 S/MIME email items. This includes support for MBOX, DBX, RFC822, and some PST/EDB archives.




Question 25: Did anything happen? Do you find any important information? If so, what kind of information did you get?

Yes, I found a lot of information, for example that the suspect talked with someone about a meeting and was offered a job.



Case Report

After performing a thorough forensic investigation, it is critical that you are able to publish and present your findings. FTK has a sophisticated report wizard that allows you to assemble and publish case information. The final report generated by the FTK wizard is in HTML format.

Click File > Report Wizard
Fill in the Case information which will appear on the Case Information page of the report.
Create a report to include the following:

a) all bookmarks and export all bookmarked files
b) Export full-size graphics and link them to the thumbnails
c) Include the Date and Time file properties for the bookmarked files
d) Include only graphics flagged green in the Graphics View
e) Group 6 thumbnails per row
f) Include Bad Extension files in the report and export the files to the report along with their date and time properties
g) Add one or more of your own files to the report that support your statement
h) Create a custom graphic for the report.


Action 26:
Include two screenshots of this report in your submission.

