FTK (Forensic Tool Kit) 5.1
Task 1: Acquire Santini’s thumb drive and build evidence files using AD1 (file level) and E01 (bit level)
format.
AccessData FTK Imager allows you to acquire (create) evidence files from hard drives, thumb drives, and
other media. You can also use FTK Imager to quickly view and search through files, though care should
be taken never to alter any media that will be used as evidence (attach source media through a write
blocker whenever one is available). FTK Imager can create evidence files using the following formats:
AD1: AccessData native format (logical, file level)
E01: EnCase (Expert Witness) format; compressed, with per-chunk CRCs and an embedded MD5 of the acquired data
AFF: Advanced Forensic Format, an open image format supported by FTK and by many open-source tools
RAW: a plain sector-by-sector copy, equivalent to the output of the Unix dd command; readable by virtually
every forensic tool, but with no compression and no embedded hashes or case metadata
SMART: ASR Data SMART format, a relative of the legacy Expert Witness format
The AD1 format is primarily used to create a file level copy or “sandbox” copy of a given media. In this
way files and folders behave just as they do on the source media. E01, AFF, RAW, and SMART images are
bit-for-bit copies of the evidence media. Bit level copies include file system metadata, deleted files,
slack space and unallocated space, which can contain important clues that a file level copy never
captures. Both the sandbox and bit level formats have their strengths and weaknesses, and both are
valuable ways to view and manage acquired evidence.
In this task you will use the FTK Imager program to create two images of Santini’s thumb drive (attached
as drive X:): an AD1 image and an E01 image.
1. Start the FTK Imager program by double clicking the AccessData FTK Imager icon on the desktop.
2. Take a moment to familiarize yourself with the FTK Imager layout:
1. Evidence Tree Pane (Files, Folders and Drive image)
2. File List Pane (Controlled by Evidence Tree Pane)
3. Properties Pane (Displays content that has focus)
4. Content View Pane (Displays content that has focus in Normal view, Hex, Text)
3. To get started, click the Add Evidence Item button (Green Plus Sign) as seen in the illustration
below.
4. In the Select Source window, choose the Contents of a Folder radio button and click Next.
5. In the Select File window, type X: into the Please enter the source path text box. Then click Finish.
6. In the Evidence Tree pane, expand the X: drive (click the + sign) and then select X: in the navigation
tree to display the contents of the attached thumb drive.
7. In the File List pane select encrypt.txt then look to the Properties pane. You will notice that the file
is EFS-encrypted, yet FTK Imager shows its contents: a Contents of a Folder source is read through the
live Windows file system, and this forensic workstation holds the EFS certificate and private key
needed to decrypt it.
Note: If you are creating a sandbox image to be reviewed on another forensic workstation, the EFS
certificate and its private key will need to be exported with native Windows tools (for example cipher /x,
or the Certificates snap-in) from the user account that encrypted the files, and put on a separate
media device (as one never copies anything to evidence media). Without that key the other workstation
will see only ciphertext.
8. We will now create an AD1 image of Santini’s thumb drive. In the FTK Imager click File, and then
select Create Disk Image.
9. In the Select Source window choose the Contents of a Folder radio button and click Next.
10. Folder contents are saved in the AD1 (“sandbox”) format, which is not a bit-for-bit copy. The
advantage to this type of disk image is that files behave as they do on the original media. However,
we would not want to rely on AD1 images alone. As we also plan to acquire a bit-for-bit copy of this
data, click Yes to bypass the warning.
11. In the Select File window, type X: into the Please enter the source path text box. Then click Finish.
12. In the Create Image window under Image Destination(s) click Add.
13. In the Evidence Item Information window enter the following, and then click Next.
Case Number: 00001
Evidence Number: 1001
Unique Description: James Santini’s Thumb Drive
Examiner: <Your Name>
Notes: <leave blank>
14. In the Select Image Destination window enter F:\Cases\FTK in the Image Destination Folder text
box, and enter Santini_ThumbDrive in the Image Filename (Excluding Extension) text box. When
done click Finish.
Note: Depending on the sensitivity of the case you may be instructed to use AD Encryption. In this
case we are not. AD encryption will protect the contents of an image file in the event it is lost or
stolen.
15. We are now ready to acquire our sandbox copy of Santini’s thumb drive. In the Create Image
window click Start to begin the acquisition process.
16. You will see a Creating Image… progress window while the thumb drive is acquired.
17. Once the acquisition is complete a Drive/Image Verify Results window will appear.
The MD5 and SHA1 hashes shown were computed over the acquired data and identify this image: record
them in your case notes, because any later recomputation that does not match proves the image has been
altered. FTK Imager also saves them in the text summary it writes beside the image file. Click Close.
18. On the Creating Image… window click Close.
19. Now we will repeat the acquisition process to create a bit-for-bit copy of Santini’s thumb drive. In
FTK Imager click File > Create Disk Image
20. In the Select Source window choose the Physical Drive radio button and click Next.
21. In the drop down list select the 5GB drive and click Finish. Check the size and description
carefully: selecting the wrong entry would image the forensic workstation's own disk instead of the
evidence.
22. In the Create Image window, click Add under Image Destination(s).
23. You will be prompted to select an image format. In the Select Image Type window choose the E01
radio button, and click Next.
24. In the Evidence Item Information window fill out the fields as shown, then click Next.
Case Number: 00001
Evidence Number: 1001
Unique Description: James Santini’s Thumb Drive
Examiner: <Your Name>
Notes: E01
25. In the Select Image Destination folder enter F:\Cases\FTK in the Image Destination Folder text box,
and enter Santini_ThumbDriveE01 in the Image Filename (Excluding Extension) text box. Then click
Finish.
26. In the Create Image window click Start to begin the acquisition process and create the E01 file.
27. The process will take about 2 minutes to complete, so be patient.
28. In the Drive/Image Verify Results window click Close.
29. Click Close on the Creating Image… window.
30. We are now done acquiring the AD1 and E01 evidence files. Close FTK Imager by selecting File >
Exit.
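The verification dialog in step 17 is the only place the lab checks the hashes, but a practitioner re-checks them independently whenever an image changes hands. The script below is an added example (not part of the lab, nor of FTK Imager) that re-hashes an image in chunks and compares the result with the MD5 and SHA1 values recorded in an FTK Imager style log. It assumes a raw/dd image (an E01 stores the data compressed, so for E01 use a libewf-aware tool such as ewfverify) and assumes the log contains "MD5 checksum:" and "SHA1 checksum:" lines; the sample image bytes and log text are constructed for the demonstration.

```python
"""Independently re-verify an acquired raw image against recorded acquisition hashes.

Added example, not part of the lab or of FTK Imager. Assumptions: the image is a
raw/dd file (use ewfverify or similar for E01), and the acquisition log contains
lines of the form "MD5 checksum: <hex>" and "SHA1 checksum: <hex>". The sample
image and log below are constructed here for the demonstration.
"""
import hashlib
import io
import re

_HASH_LINE = re.compile(r"\b(MD5|SHA1) checksum:\s*([0-9a-fA-F]{32,40})", re.IGNORECASE)


def parse_imager_log(log_text: str) -> dict:
    """Pull the first MD5 and SHA1 values out of an FTK Imager style log (format assumed)."""
    found = {}
    for algo, digest in _HASH_LINE.findall(log_text):
        found.setdefault(algo.upper(), digest.lower())
    missing = {"MD5", "SHA1"} - found.keys()
    if missing:
        raise ValueError(f"log is missing hashes: {sorted(missing)}")
    return found


def hash_stream(stream, chunk_size: int = 1024 * 1024) -> dict:
    """Hash a (possibly multi-gigabyte) image in chunks with both algorithms in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}


def verify_image(stream, log_text: str) -> dict:
    """Compare recomputed hashes with the recorded ones; a False means the image changed."""
    expected = parse_imager_log(log_text)
    actual = hash_stream(stream)
    return {algo: actual[algo] == expected[algo] for algo in expected}


# --- constructed demonstration data (not the lab's thumb drive) ---
SAMPLE_IMAGE = bytes(range(256)) * 64          # 16 KiB stand-in for a raw image
_h = hash_stream(io.BytesIO(SAMPLE_IMAGE))     # in practice these come from the acquisition log
SAMPLE_LOG = f"""Created By AccessData FTK Imager (log layout assumed for this example)

[Computed Hashes]
 MD5 checksum:    {_h['MD5']}
 SHA1 checksum:   {_h['SHA1']}
"""


def demo() -> tuple:
    """Return (intact_result, tampered_result) for the constructed sample."""
    intact = verify_image(io.BytesIO(SAMPLE_IMAGE), SAMPLE_LOG)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[4096] ^= 0x01                      # flip one bit deep in "unallocated space"
    altered = verify_image(io.BytesIO(bytes(tampered)), SAMPLE_LOG)
    return intact, altered


if __name__ == "__main__":
    intact, altered = demo()
    print("intact image :", intact)
    print("altered image:", altered)
```

Run it against a real raw image by opening the file in binary mode and passing it with the text of the log; a single flipped bit anywhere in the image, even in space no file owns, fails both hashes, which is exactly why the hashes are recorded at acquisition time.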
Task 2: Use the FTK Case Manager to open a new case and add the acquired E01 and AD1 evidence
files.
1. Double click FTK 5.1 icon on your Desktop, please have patience this will take about 4 to 6 minutes
to fully start up.
2. Once FTK Case Manager is ready, you will be prompted for a username and password. Enter
student for the username and IT4075Admin for the password and click OK.
3. Once you enter in the correct username and password you will be presented with a blank database
manager window. In order to work on the two evidence files we will need to create a new case
which will be stored in a local database. To create a new case select Case > New.
4. Fill in the New Case Options worksheet as follows, and click OK when done.
Owner: Student
Case Name: State v Santini (Thumb Drive)
Reference: 00001
Description: State v Santini
Description File: default blank
Case Folder Directory: F:\Cases\FTK
Database Directory: Check mark In the case folder
Processing Profile: AD Standard
5. You will see a progress window asking you to Please wait… while the case is created in a local
PostgreSQL database. FTK can store its data either locally or in a central, access-controlled database.
6. You will be presented with a Manage Evidence window. We will use this window to add the two
evidence files we created in Task 1. Click the Add button.
7. In the Select Evidence Type window choose the Acquired Image(s) radio button and click OK.
8. In the Open window select Santini_ThumbDriveE01.E01 image and click Open.
9. Fill out the following fields in the Manage Evidence window, then click OK when done.
ID / Name: 00001 / Santini
Description: State v Santini Thumb Drive
Evidence Group: select Rosewood files from the drop-down list
Time Zone: choose your time zone
10. The Data Processing Status window will open. Please have patience this will take 5 to 8 minutes to
complete.
11. Once the process is finished click Close.
12. You will be presented with the multi tab Forensic Toolkit (as seen in the illustration below). To see
Santini’s thumb drive expand Rosewood Files (click on the + sign) in the Evidence Items pane.
13. Now let's add the AD1 sandbox file created in Task 1. Click Evidence and then select Add/Remove to
re-invoke the Manage Evidence window.
14. From the Manage Evidence window click Add.
15. In the Select Evidence Type window choose the Acquired Image(s) radio button and click Ok.
16. In the Open window select Santini_ThumbDrive.ad1 image and click Open.
17. Fill out the following fields in the Manage Evidence window, then click OK to process the evidence
into your existing case.
ID / Name: 00001a Santini Thumb Drive AD1
Description: State v Santini
Evidence Group: select Rosewood files from the drop-down list
Time Zone: choose your time zone
18. To watch the processing progress, click Santini_ThumbDrive.ad1 in the Data Processing Status
window.
19. Once the process is complete click Close.
20. You are now ready to search for clues inside your evidence files.
Task 3: Use FTK Forensic Toolkit Case Manager to search for clues within the processed evidence files
and create bookmarks.
1. In the Evidence Items pane (left), click the + sign next to the Santini_ThumbDriveE01.E01 image file and drill down to the [root] folder.
2. In the File List pane (bottom) click the encrypt.txt file.
3. Notice that in the File Content pane (right) you see that encrypt.txt cannot be viewed.
4. Now in the Evidence Items pane select Santini_ThumbDrive.ad1, and in the File List pane click
on encrypt.txt. Again we see “Unable to View Document is encrypted” displayed in the File
Content pane. However, if you double-click the encrypt.txt file the EFS certificate and key held on
this workstation decrypt the file just as if encrypt.txt were on the thumb drive itself. This trick
will not work on files within a bit level evidence file: the E01 holds only the ciphertext as it sat
on disk, and FTK has no key to apply to it.
5. Before closing the decrypted text document notice that a person named Charles Borrows is on
the “client” list. We will see this name later in the lab. Note that all of these names are valid
candidates for additional follow-up and all would make good search queries (see Task 4 below).
We don’t know at this point if any of these are real names or pseudonyms.
6. This client list is clearly an important piece of evidence. We will now create a bookmark for the
encrypt.txt file. Bookmarks are used to help the investigator quickly find and annotate evidence
inside a sandbox or bit copy image. From the File List pane right-click the encrypt.txt file and
select Create Bookmark
7. This will bring up the Create New Bookmark wizard. Under Bookmark Name enter encrypted
file. Under Bookmark Comment enter Research additional clients, what does certificates
mean? In the Select Bookmark Parent section (bottom) select Student. When done click OK. If
you are unable to see the OK button at the bottom of the screen, you may hit the Enter key as
another option.
8. Back in the File List pane click the secret.eml file.
In the File Content pane view the Natural tab. This file is an email and it identifies a possible
bond buyer who we also saw listed in the encrypt.txt file (Charles Borrows). Mr. Borrows may
be a victim, but he may also be an accomplice. In the email Santini writes, “I am glad to inform
you that the bonds will be delivered on time.” Perhaps “certificates” are “bonds”. We also find
the name of a possible co-conspirator, Norman Peterson: let’s bookmark this clue.
9. Right-click the secret.eml file and then select Add to Bookmark.
10. Under Select Existing Bookmark (bottom) expand student, select encrypted file then click OK or
press the Enter key.
11. To view or edit existing bookmarks select the Bookmarks tab.
12. Under Bookmarks expand student and select the encrypted file bookmark. Note the Bookmark
information pane to the right.
13. In the Bookmark Information pane, in the File Comment text box, type Charles Borrows, client
to purchase fake bonds. When you click outside the File Comment area you will be prompted to
save your changes: click Yes. (You can also simply click the Save Changes button.)
Task 4: Use queries to search for clues within the processed evidence files.
While it is possible to search manually for clues, it is far better to use the powerful search and
categorization tools provided by FTK. When the FTK Case Manager processes the evidence files it
creates searchable indexes. Using these indexes we can construct queries to help us find additional
clues. FTK also creates a list of file categories, which we will see later in the lab.
In this task we will look for all files containing the words Santini, Borrows, James, and Charles.
1. In the FTK Case Manager, select the Index Search tab, and add the following names in the Terms
field. Click Add after each entry:
Santini (click Add)
Borrows (click Add)
James (click Add)
Charles (click Add)
2. Depending on your screen resolution, you may find that the dtSearch Index pane is unable to
show all its available buttons.
a. To remedy this, bring the cursor to between the dtSearch Index pane and the File
Content pane. The cursor should turn into a double-sided arrow as shown.
b. Drag the cursor down to expand the dtSearch Index pane such that the other buttons,
including the Search Now button, becomes visible.
3. Once all the Search Terms are entered, click Search Now. As the default Search Criteria is set to
And, FTK will look for files containing ALL of the search terms.
4. In the Indexed Search Filter Option pop-up window, select Include all files and click OK.
5. Review your results on the right Index Search Results pane. You should get four hits.
6. Perform another search, only this time select Or as the Search Criteria then click Search Now
7. Once again, select Include all files and click OK.
8. Review your new results in the Index Search Results pane to the right. You should see many
more hits. As an investigator you will use searches to comb through the acquired files, looking
for clues, making connections, and making new bookmarks as your investigation progresses.
Task 5: Recover and export a deleted file
As noted previously, an E01 image contains a complete bit-for-bit copy of a given media. Unlike AD1
files, bit-level copies can be used to find and recover files that have been deleted. This can be a
particularly powerful tool in a forensic investigation. In this task we will recover what appears to be
another copy of Santini’s customer list.
1. In the FTK Case Manager select the Overview tab, and then expand File Status.
2. Under File Status are the file categories mentioned earlier. These categories can help you instantly
find files of a given type. Select Deleted Files from the list of file categories in the Case Overview
pane. Notice in the File List pane there is a deleted copy of the encrypt.txt file called
encrypt.txt.gpg. The GPG extension suggests that this file was encrypted with GNU Privacy Guard
(OpenPGP), likely so that it could be sent securely via email. An extension is only a hint, so confirm
it against the file's actual contents after export. While we can't know for certain that this is another
(or perhaps older) customer list, it is definitely a file worth recovering.
3. Right click encrypt.txt.gpg and select Export. In the Export window, under Destination base
path, enter F:\Cases\FTK\State v Santini (Thumb Drive)\Export and Click Ok.
4. When prompted to create the Export directory click Yes.
5. When the export completes click OK.
6. Once the export is complete a window will automatically pop up showing the recovered file.
We cannot open the file: if it was encrypted to a recipient's public key we would need the
corresponding private key (and its passphrase), and if it was encrypted with a passphrase we
would need that passphrase. Investigators could still use the recovered file to convince Santini
that they know more than they do. It may also be possible to recover a passphrase with FTK's
Password Recovery Toolkit (PRTK); PRTK attacks the passphrase, not the cipher, so it helps only
when the file (or the private key protecting it) is passphrase-protected and the passphrase is weak.
7. Close FTK Forensic Toolkit 5.1.
8. Once FTK Case Manager is closed, the Database window will display your case. Close the Database
by clicking the X in the top right corner.
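Which recovery route applies to a recovered .gpg file can be read off its OpenPGP packet headers without decrypting anything: a Symmetric-Key Encrypted Session Key packet (tag 3) means the file is passphrase-protected and a PRTK-style passphrase attack is at least possible, whereas a Public-Key Encrypted Session Key packet (tag 1) means the recipient's private key is required and the packet names that key by its 64-bit key ID. The script below is an added example (not part of the lab, nor of FTK or PRTK) that parses the packet headers of RFC 4880 section 4.2 and reports the route. The three sample byte strings are constructed here; they are not the contents of the lab's encrypt.txt.gpg.

```python
"""Triage a recovered *.gpg file: is it really OpenPGP, and what would it take to open it?

Added example, not part of the lab or of FTK/PRTK. It reads only the OpenPGP packet
headers (RFC 4880, section 4.2) and the first session-key packet, and decrypts
nothing. The samples at the bottom are constructed, not taken from the lab image.
"""
import hashlib
import struct

# Packet tags that can legitimately open an OpenPGP message (RFC 4880, section 4.3).
TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    3: "Symmetric-Key Encrypted Session Key",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data",
    11: "Literal Data",
    18: "Sym. Encrypted Integrity Protected Data",
}


def parse_packet_header(data: bytes, offset: int = 0):
    """Return (tag, body_length, header_length); body_length is None for partial/indeterminate lengths."""
    first = data[offset]
    if not first & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, b1 = first & 0x3F, data[offset + 1]
        if b1 < 192:
            return tag, b1, 2
        if b1 < 224:
            return tag, ((b1 - 192) << 8) + data[offset + 2] + 192, 3
        if b1 == 255:
            return tag, struct.unpack(">I", data[offset + 2:offset + 6])[0], 6
        return tag, None, 2                            # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 0:
        return tag, data[offset + 1], 2
    if ltype == 1:
        return tag, struct.unpack(">H", data[offset + 1:offset + 3])[0], 3
    if ltype == 2:
        return tag, struct.unpack(">I", data[offset + 1:offset + 5])[0], 5
    return tag, None, 1                                # indeterminate length


def triage_gpg(data: bytes) -> dict:
    """Classify the file and say which recovery route is plausible."""
    result = {"format": "not-openpgp", "tags": [], "key_ids": [], "route": None,
              "md5": hashlib.md5(data).hexdigest()}   # record the hash before doing anything else
    if data.startswith(b"-----BEGIN PGP"):
        result.update(format="ascii-armored", route="dearmor (base64 body) first, then triage again")
        return result
    offset = 0
    while offset < len(data):
        try:
            tag, blen, hlen = parse_packet_header(data, offset)
        except (ValueError, IndexError):               # not a header, or truncated
            break
        result["tags"].append(tag)
        body = data[offset + hlen: offset + hlen + (blen or 0)]
        if tag == 1 and len(body) >= 9 and body[0] == 3:
            result["key_ids"].append(body[1:9].hex().upper())   # recipient's key ID
        if blen is None:
            break
        offset += hlen + blen
    if not result["tags"] or result["tags"][0] not in TAG_NAMES:
        return result                                  # plain text or unrelated binary
    result["format"] = "binary-openpgp"
    if 3 in result["tags"]:
        result["route"] = "symmetric: passphrase-protected; a passphrase attack (e.g. PRTK) is feasible"
    elif 1 in result["tags"]:
        result["route"] = "public-key: need the recipient's private key; search seized media for it"
    else:
        result["route"] = "no session-key packet: not encrypted, or unusual packet sequence"
    return result


# --- constructed samples (not lab data) ---
SYMMETRIC_SAMPLE = (
    b"\x8c\x0d"                            # old-format header: tag 3, one-byte length 13
    b"\x04\x09\x03\x08"                    # version 4, AES-256, S2K type 3 (iterated+salted), SHA-256
    b"\x01\x02\x03\x04\x05\x06\x07\x08"    # S2K salt
    b"\x60"                                # S2K iteration count code
    b"\xd2\x05\xaa\xbb\xcc\xdd\xee"        # new-format header: tag 18, length 5, dummy ciphertext
)
PUBLIC_KEY_SAMPLE = (
    b"\x84\x0d"                            # old-format header: tag 1, one-byte length 13
    b"\x03"                                # version 3
    b"\xde\xad\xbe\xef\x01\x02\x03\x04"    # recipient key ID
    b"\x01"                                # public-key algorithm 1 = RSA
    b"\x00\x08\xff"                        # one tiny MPI standing in for the encrypted session key
    b"\xd2\x05\xaa\xbb\xcc\xdd\xee"        # tag 18, length 5, dummy ciphertext
)
PLAINTEXT_SAMPLE = b"Client list\r\nname, certificates\r\n"   # what a mislabelled .gpg might really be


def demo() -> dict:
    """Route reported for each constructed sample."""
    return {name: triage_gpg(sample)["route"] for name, sample in
            [("symmetric", SYMMETRIC_SAMPLE), ("public-key", PUBLIC_KEY_SAMPLE),
             ("plaintext", PLAINTEXT_SAMPLE)]}


if __name__ == "__main__":
    for name, route in demo().items():
        print(f"{name:11}: {route}")
```

Point it at the exported file by reading it in binary mode and passing the bytes to triage_gpg. A reported key ID is itself a lead: a matching private key in a keyring on the seized media (or on a later-seized machine) turns an unopenable file into an openable one, which is where the PRTK passphrase attack would then apply.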
This completes the lab, please close out your student desktop.