91.580.203 Computer & Network

Forensics

FTK Forensic Toolkit

Xinwen Fu

Dr. Xinwen Fu 2

Big Picture AccessData download

FTK Imager version 2.5.4

Known Filter Library File version 27_jun_2007

Forensic Toolkit®(FTK™) version 1.81

1. Acquire and preserve the evidence

2. Analyze the case

3. Prepare a report

Dr. Xinwen Fu 3

Acquire and Preserve the Evidence Create an image of the suspect drive using

hardware devices Create an image of the suspect drive using

software applications FTK Imager dd

Key point of creating an image No changes to the evidence should be made

Dr. Xinwen Fu 4

Big Picture1. Acquire and

Preserve the evidence

2. Analyze the case

3. Prepare a report

Dr. Xinwen Fu 5

Analyze the Case - Hashing Refer to the process of generating a

unique value based on a file’s contents Used to verify file integrity and identify

duplicate and known files MD5, SHA1

FTK Imager -> File -> Export File Hash List

Demo

Dr. Xinwen Fu 6

Analyze the Case - Known File Filter (KFF) An FTK utility that compares file hashes against a

database of hashes from known files Three purposes

Eliminate ignorable files (such as known system and program files)

Alert you to known illicit or dangerous files Check for duplicate files (maybe different file names)

Container files: Files which contain other files, such as zip and e-mail files with attachments When KFF identifies a container file as ignorable, FTK

does not extract its component files KFF includes the HashKeeper database, which is

updated periodically and is available for download on the FTK update page

Dr. Xinwen Fu 7

Analyze the Case - Searching Live search

Involve an item-by-item comparison with the search term: time consuming

Allow you to search non-alphanumeric characters and perform regular expression searches

Indexed search Use the index file to find a search term The index file contains all discrete words or

number strings found in both the allocated and unallocated space in the case evidence

Dr. Xinwen Fu 8

Data Carving Search for items, such as graphics embedded in

other files Search the index for specific file headers and carves the

file’s associated data Find any embedded or deleted item as long as the file

header still exists Recover previously deleted files located in

unallocated space Data carving during evidence processing (when a

new case is added) Select Data Carve in the Process to Perform Screen

during the New Case Wizard Data carving done in an existing case

Select Tools > Data Carving

Dr. Xinwen Fu 9

Live Search1. In the Search window, click Live Search2. In the Search Term field, enter the term you

want to search for3. In the Item Type column, specify if you want

FTK to search in Text or Hexadecimal4. Click Add to add the search term to the Search

Items column5. In the Max Hits Per File field, enter the

maximum number of times you want a search hit to be listed per file

Dr. Xinwen Fu 10

Indexed Search FTK uses the search engine, dtSearch, to perform all

indexed searches To index evidence when it is added to the case, check the

Full Text Index box on the Evidence Processing Options form

To index evidence after it is added to the case, select Tools -> Analysis Tools -> Full Text Indexing

1. In the Search window, click Indexed Search2. In the Search Term field, enter the term you want to

search for, including any wildcard characters3. Click Add to add the search term to the search list 4. To refine the search, click Options5. In the Search Items column, select the index term you

want to search6. Click View Item Results to initiate the search

Dr. Xinwen Fu 11

Using Filters If you want to minimize the number of

evidence items to examine, you can apply an existing filter or create a customized filter to exclude unwanted items

FTK allows you to filter your case evidence by file status, type, size, and date parameters

Dr. Xinwen Fu 12

Overview Window - Unfiltered

Dr. Xinwen Fu 13

Overview Window - Filtered

Dr. Xinwen Fu 14

Overview Window – Filtered + Actual Files

Dr. Xinwen Fu 15

Search by Regular Expression Page 295 of FTK Manual (V1.81.0) Search through large quantities of text

information for patterns of data such as the following Telephone Numbers Social Security Numbers Computer IP Addresses Credit Card Numbers

Dr. Xinwen Fu 16

Regular Expressions for Data Pattern Arithmetic expression: 5/((1+2)*3)

Regular expressions also have operands, operators, sub-expressions, and a value Operands in regular expressions can be any

printable characters

Component Example

Operands 5, 1, 2, 3

Operators /, ( ), +, *

Sub-Expressions (1+2), ((1+2)*3)

Value Approximately 0.556

Dr. Xinwen Fu 17

Simple Regular Expressions Made up entirely of operands

Regular expression dress causes to return a list of all files that contain the sequence of characters dress

Dr. Xinwen Fu 18

Complex Regular Expressions Operators allow regular expressions to search

patterns of data rather than specific values Find all Visa and MasterCard credit card numbers

in case evidence files: \<((\d\d\d\d)[\- ]){3}\d\d\d\d\>

Dr. Xinwen Fu 19

\<((\d\d\d\d)[\- ]){3}\d\d\d\d\> \: Escape character

Modification of operands: \< Modification of operators: \-

\<: begin-a-word operator The first character immediately follows a non-word

character such as white space or other word delimiter ( ): Parentheses

Group together a sub-expression \d: any decimal digit character from 0-9 [ ]: next character must be a character listed

between the brackets {3}: the preceding sub-expression must repeat

three times, back to back \>: end-a-word operator

Dr. Xinwen Fu 20

Other Variations on the Same Expression \<((\d\d\d\d)(\-| )){3}\d\d\d\d\>

| (union operator): the next character to match is either the left operand (the hyphen) or the right operand (the spacebar space)

\<\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d\>

Dr. Xinwen Fu 21

Predefined Regular Expressions Visa and MasterCard Numbers

\<((\d\d\d\d)[\- ]){3}\d\d\d\d\> U.S. Social Security Numbers

\<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\> U.S. Phone Number

((\<1[\-\. ])?(\(|\<)\d\d\d[\)\.\-/ ] ?)?\<\d\d\d[\.\- ]\d\d\d\d\>

?: the sub-expression immediately to its left appear exactly zero or one time in any search hits

IP Addresses \<[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.

[1-2]?[0-9]?[0-9]\>

Dr. Xinwen Fu 22

Big Picture1. Acquire and

Preserve the evidence

2. Analyze the case

3. Prepare a report

Dr. Xinwen Fu 23

Prepare a Report Create a case report and case log to document

the evidence and investigation results Use the Report Wizard to create and modify

reports: FTK -> File -> Report Wizard

The report may include Bookmarks (information you selected during the

examination): FTK -> Tools -> Create Bookmark … Customize graphics references Select file listings Include supplementary files and the case log

Dr. Xinwen Fu 24

Dr. Xinwen Fu 25

Discussion: Case Studies How digital forensics might relate to you,

your firm or your case Case Studies

What tools, knowledge and techniques you may use for the case