README (1)


FTK (Forensic Tool Kit) 5.1

Task 1: Acquire Santini’s thumb drive and build evidence files using AD1 (file level) and E01 (bit level) format.

AccessData FTK Imager allows you to acquire (create) evidence files from hard drives, thumb drives, and other media. You can also use FTK Imager to quickly view and search through files, though care must be taken never to alter any media that will be used as evidence: connect the source through a write blocker whenever one is available, and never write anything to it. FTK Imager can create evidence files using the following formats:

AD1: AccessData native (logical) format
E01: EnCase Evidence File (Expert Witness) format
AFF: Advanced Forensic Format, an open format supported by FTK and a number of other forensic tools
RAW: equivalent to the output of the Unix dd (disk copy) command; works with all forensic programs
SMART: ASR Data SMART format, another Expert Witness-derived format

The AD1 format is primarily used to create a file level copy or “sandbox” copy of a given media. In this way files and folders behave just as they do on the source media. E01, AFF, RAW, and SMART images are bit-for-bit copies of the evidence media. Bit level copies include file system metadata, deleted files, slack space and unallocated space, which can contain important clues that a file level copy silently omits. Both the sandbox and bit level formats have their strengths and weaknesses, and both are valuable ways to view and manage acquired evidence.

In this task you will use the FTK Imager program to create two images of Santini’s thumb drive (attached as drive X:): an AD1 image and an E01 image.

1. Start the FTK Imager program by double clicking the AccessData FTK Imager icon on the desktop.

2. Take a moment to familiarize yourself with the FTK Imager layout:
   1. Evidence Tree Pane (files, folders and drive images)
   2. File List Pane (controlled by the Evidence Tree Pane)
   3. Properties Pane (displays the properties of the item that has focus)
   4. Content View Pane (displays the content of the item that has focus in Normal, Hex or Text view)

3. To get started, click the Add Evidence Item button (green plus sign) as seen in the illustration below.

4. In the Select Source window, choose the Contents of a Folder radio button and click Next.

5. In the Select File window, type X: into the Please enter the source path text box. Then click Finish.

6. In the Evidence Tree pane, expand the X: drive (click the + sign) and then select X: in the navigation tree to display the contents of the attached thumb drive.

7. In the File List pane select encrypt.txt, then look at the Properties pane. You will notice that the file is EFS-encrypted, but FTK Imager decrypts it on the fly because the examiner profile on this forensic workstation holds the Windows EFS certificate and the private key for that file.

Note: If you are creating a sandbox image to be reviewed on another forensic workstation, the EFS certificate and private key will need to be exported (as a .pfx, using native Windows tools such as cipher /x or the Certificates console) from the account that encrypted the file; the private key is part of that user’s profile, not of the file itself. Put the export on a separate media device, as one never copies anything to evidence media.

8. We will now create an AD1 image of Santini’s thumb drive. In FTK Imager click File, and then select Create Disk Image.

9. In the Select Source window choose the Contents of a Folder radio button and click Next.

10. Folder contents are saved in the AD1 (“sandbox”) format, which is not a bit-for-bit copy, and FTK Imager warns you of this. The advantage of this type of image is that files behave as they do on the original media. However, we would not want to rely on AD1 images alone, because deleted files, slack space and unallocated space are not captured. As we also plan to acquire a bit-for-bit copy of this data, click Yes to bypass the warning.

11. In the Select File window, type X: into the Please enter the source path text box. Then click Finish.

12. In the Create Image window under Image Destination(s) click Add.

13. In the Evidence Item Information window enter the following, and then click Next.

Case Number: 00001
Evidence Number: 1001
Unique Description: James Santini’s Thumb Drive
Examiner: <Your Name>
Notes: <leave blank>

14. In the Select Image Destination window enter F:\Cases\FTK in the Image Destination Folder text box, and enter Santini_ThumbDrive in the Image Filename (Excluding Extension) text box. When done click Finish.

Note: Depending on the sensitivity of the case you may be instructed to use AD Encryption. In this case we are not. AD Encryption encrypts the image file itself, so that its contents are protected in the event the file is lost or stolen; it does not change the evidence inside the image.

15. We are now ready to acquire our sandbox copy of Santini’s thumb drive. In the Create Image window click Start to begin the acquisition process.

16. You will see a Creating Image… progress window while the thumb drive is acquired.

17. Once the acquisition is complete a Drive/Image Verify Results window will appear. It shows the MD5 and SHA1 hashes FTK Imager computed over the acquired data and confirms that the written image verifies against them. These hashes uniquely identify this image: record them in your case notes (they are also written to the .txt log saved next to the image), because any later verification of the image must reproduce them exactly. Click Close.

18. On the Creating Image… window click Close.

19. Now we will repeat the acquisition process to create a bit-for-bit copy of Santini’s thumb drive. In FTK Imager click File > Create Disk Image.

20. In the Select Source window choose the Physical Drive radio button and click Next.

21. In the drop down list select the 5GB drive and click Finish. Check the size and model carefully: selecting the wrong physical drive would image the workstation’s own disk instead of the evidence.

22. In the Create Image window, click Add under Image Destination(s).

23. You will be prompted to select an image format. In the Select Image Type window choose the E01 radio button, and click Next.

24. In the Evidence Item Information window fill out the fields as shown, then click Next.

Case Number: 00001
Evidence Number: 1001
Unique Description: James Santini’s Thumb Drive
Examiner: <Your Name>
Notes: E01

25. In the Select Image Destination window enter F:\Cases\FTK in the Image Destination Folder text box, and enter Santini_ThumbDriveE01 in the Image Filename (Excluding Extension) text box. Then click Finish.

26. In the Create Image window click Start to begin the acquisition process and create the E01 file.

27. The process will take about 2 minutes to complete, so be patient.

28. In the Drive/Image Verify Results window check that both hashes report as verified, then click Close.

29. Click Close on the Creating Image… window.

30. We are now done acquiring the AD1 and E01 evidence files. Close FTK Imager by selecting File > Exit.
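The hashes recorded in steps 17 and 28 are what later establishes that an image has not changed. The following Python script is an example added here; it is not part of the lab and not AccessData's tooling. It parses the MD5/SHA1 lines out of a log in the shape FTK Imager writes beside an image, re-hashes a raw (dd-style) image in chunks, and reports whether each hash still matches. The log text, the file names and the three-byte "image" are constructed for the example, and the log layout is an assumption from memory of the tool's output. For E01 containers the same check is done with FTK Imager's File > Verify Drive/Image or with ewfverify from libewf, because the recorded hashes cover the acquired data, not the bytes of the E01 file.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the shape of the .txt log FTK Imager writes beside an image.
# The layout is an assumption from memory of the tool's output; the hash values are
# those of the three-byte constructed "image" b"abc" used in demo(), not a real acquisition.
SAMPLE_LOG = """Case Number: 00001
Evidence Number: 1001
Unique description: James Santini's Thumb Drive
Examiner: student

[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d

Image Verification Results:
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72 : verified
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d : verified
"""

HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]{32,40})", re.MULTILINE)


def parse_acquisition_hashes(log_text):
    """Return {'md5': ..., 'sha1': ...} taken from the first MD5/SHA1 lines of the log,
    i.e. the hashes FTK Imager computed over the source at acquisition time."""
    found = {}
    for algo, digest in HASH_LINE.findall(log_text):
        found.setdefault(algo.lower(), digest.lower())
    missing = {"md5", "sha1"} - set(found)
    if missing:
        raise ValueError(f"log is missing acquisition hash(es): {sorted(missing)}")
    return found


def hash_file(path, chunk_size=1 << 20):
    """Hash a raw image in 1 MiB chunks so multi-GB images never have to fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, log_text):
    """Compare the image on disk against the acquisition hashes; both must match
    for the image to be considered unchanged since acquisition."""
    expected = parse_acquisition_hashes(log_text)
    actual = hash_file(path)
    return {algo: actual[algo] == expected[algo] for algo in ("md5", "sha1")}


def demo():
    """Write an intact and a tampered copy of the constructed image and verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        intact = Path(tmp) / "Santini_ThumbDrive.001"
        intact.write_bytes(b"abc")            # constructed stand-in for a raw image
        tampered = Path(tmp) / "Santini_ThumbDrive_altered.001"
        tampered.write_bytes(b"abd")          # a single changed byte
        return verify_image(intact, SAMPLE_LOG), verify_image(tampered, SAMPLE_LOG)


if __name__ == "__main__":
    good, bad = demo()
    print("intact  :", good)   # {'md5': True, 'sha1': True}
    print("tampered:", bad)    # {'md5': False, 'sha1': False}
```

Running the script shows the intact copy passing both hashes and the copy with one altered byte failing both; in casework the same comparison is repeated every time an image changes hands or is restored from archive, and both values are kept because a match on only one of them is itself a finding to explain.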

Task 2: Use the FTK Case Manager to open a new case and add the acquired E01 and AD1 evidence files.

1. Double click the FTK 5.1 icon on your Desktop. Please have patience: this will take about 4 to 6 minutes to fully start up.

2. Once FTK Case Manager is ready, you will be prompted for a username and password. Enter student for the username and IT4075Admin for the password and click OK.

3. Once you enter the correct username and password you will be presented with a blank database manager window. In order to work on the two evidence files we will need to create a new case, which will be stored in a local database. To create a new case select Case > New.

4. Fill in the New Case Options worksheet as follows, and click OK when done.

Owner: Student
Case Name: State v Santini (Thumb Drive)
Reference: 00001
Description: State v Santini
Description File: default blank
Case Folder Directory: F:\Cases\FTK
Database Directory: check mark In the case folder
Processing Profile: AD Standard

5. You will see a progress window asking you to Please wait… as the case is created in a local PostgreSQL database. FTK can store its data either locally or in a central, secured database.

6. You will be presented with a Manage Evidence window. We will use this window to add the two evidence files we created in Task 1. Click the Add button.

7. In the Select Evidence Type window choose the Acquired Image(s) radio button and click OK.

8. In the Open window select the Santini_ThumbDriveE01.E01 image and click Open.

9. Fill out the following fields in the Manage Evidence window, then click OK when done.

ID / Name: 00001 / Santini
Description: State v Santini Thumb Drive
Evidence Group: select Rosewood Files from the drop-down list
Time Zone: choose your time zone (in real casework this should be the time zone the evidence system was set to, because FTK uses it to interpret the file system’s timestamps)

10. The Data Processing Status window will open. Please have patience: this will take 5 to 8 minutes to complete.

11. Once the process is finished click Close.

12. You will be presented with the multi-tab Forensic Toolkit (as seen in the illustration below). To see Santini’s thumb drive expand Rosewood Files (click on the + sign) in the Evidence Items pane.

13. Now let’s add the AD1 sandbox file created in Task 1. Click Evidence and then select Add/Remove to re-invoke the Manage Evidence window.

14. From the Manage Evidence window click Add.

15. In the Select Evidence Type window choose the Acquired Image(s) radio button and click OK.

16. In the Open window select the Santini_ThumbDrive.ad1 image and click Open.

17. Fill out the following fields in the Manage Evidence window, then click OK to process the evidence into your existing case.

ID / Name: 00001a / Santini Thumb Drive AD1
Description: State v Santini
Evidence Group: select Rosewood Files from the drop-down list
Time Zone: choose your time zone

18. To watch the processing progress, click Santini_ThumbDrive.ad1 in the Data Processing Status window.

19. Once the process is complete click Close.

20. You are now ready to search for clues inside your evidence files.

Task 3: Use the FTK Forensic Toolkit Case Manager to search for clues within the processed evidence files and create bookmarks.

1. In the Evidence Items pane (left), click the + sign next to the Santini_ThumbDriveE01.E01 image file and drill down to the [root] folder.

2. In the File List pane (bottom) click the encrypt.txt file.

3. Notice that in the File Content pane (right) encrypt.txt cannot be viewed.

4. Now in the Evidence Items pane select Santini_ThumbDrive.ad1, and in the File List pane click encrypt.txt. Again we see “Unable to View Document is encrypted” displayed in the File Content pane. However, if you double-click the encrypt.txt file it opens decrypted, using the EFS certificate and private key available on this workstation, just as if encrypt.txt were still on the thumb drive itself. This will not work on files within a bit level evidence file.

5. Before closing the decrypted text document, notice that a person named Charles Borrows is on the “client” list. We will see this name later in the lab. Note that all of these names are valid candidates for additional follow-up and all would make good search queries (see Task 4 below). We do not know at this point whether any of these are real names or pseudonyms.

6. This client list is clearly an important piece of evidence. We will now create a bookmark for the encrypt.txt file. Bookmarks are used to help the investigator quickly find and annotate evidence inside a sandbox or bit copy image. From the File List pane right-click the encrypt.txt file and select Create Bookmark.

7. This will bring up the Create New Bookmark wizard. Under Bookmark Name enter encrypted file. Under Bookmark Comment enter Research additional clients, what does certificates mean? In the Select Bookmark Parent section (bottom) select Student. When done click OK. If you are unable to see the OK button at the bottom of the screen, you may press the Enter key instead.

8. Back in the File List pane click the secret.eml file. In the File Content pane view the Natural tab. This file is an email and it identifies a possible bond buyer whom we also saw listed in the encrypt.txt file (Charles Borrows). Mr. Borrows may be a victim, but he may also be an accomplice. In the email Santini writes, “I am glad to inform you that the bonds will be delivered on time.” Perhaps “certificates” are “bonds”. We also find the name of a possible co-conspirator, Norman Peterson: let’s bookmark this clue.

9. Right-click the secret.eml file and then select Add to Bookmark.

10. Under Select Existing Bookmark (bottom) expand Student, select encrypted file, then click OK or press the Enter key.

11. To view or edit existing bookmarks select the Bookmarks tab.

12. Under Bookmarks expand Student and select the encrypted file bookmark. Note the Bookmark Information pane to the right.

13. In the Bookmark Information pane, in the File Comment text box, type Charles Borrows, client to purchase fake bonds. When you click outside the File Comment area you will be prompted to save your changes: click Yes. (You can also simply click the Save Changes button.)

Task 4: Use queries to search for clues within the processed evidence files.

While it is possible to search manually for clues, it is far better to use the search and categorization tools provided by FTK. When the FTK Case Manager processes the evidence files it builds a dtSearch index of the words they contain. Using this index we can construct queries to find additional clues. FTK also creates a list of file categories, which we will see later in the lab.

In this task we will look for all files containing the words Santini, Borrows, James, and Charles.

1. In the FTK Case Manager, select the Index Search tab, and add the following names in the Terms field. Click Add after each entry:

Santini (click Add)
Borrows (click Add)
James (click Add)
Charles (click Add)

2. Depending on your screen resolution, you may find that the dtSearch Index pane is unable to show all its available buttons.
   a. To remedy this, bring the cursor to the boundary between the dtSearch Index pane and the File Content pane. The cursor should turn into a double-sided arrow as shown.
   b. Drag the cursor down to expand the dtSearch Index pane until the other buttons, including the Search Now button, become visible.

3. Once all the search terms are entered, click Search Now. As the default Search Criteria is set to And, FTK will return only files containing ALL of the search terms.

4. In the Indexed Search Filter Option pop-up window, select Include all files and click OK.

5. Review your results in the Index Search Results pane on the right. You should get four hits.

6. Perform another search, only this time select Or as the Search Criteria, then click Search Now.

7. Once again, select Include all files and click OK.

8. Review your new results in the Index Search Results pane to the right. You should see many more hits, since Or returns files containing ANY of the terms. As an investigator you will use searches to comb through the acquired files, looking for clues, making connections, and making new bookmarks as your investigation progresses. Keep in mind that an index search only finds words the indexer could read: content inside encrypted or unsupported files is not indexed and will never be hit, so such files must be examined another way.
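To make the And/Or behaviour of an index search concrete, the following Python script is an example added here; it is not part of the lab and not dtSearch or FTK code. It builds a small inverted index of the kind an indexer produces at processing time, then answers the four-term query from step 1 under both criteria and reports the per-term hit counts. The document names and their text are constructed for the example and are not the content of the lab's evidence.

```python
import re
from collections import defaultdict

# Constructed sample documents standing in for files on the processed image. The text is
# made up for this example and is not the content of the lab's evidence.
DOCUMENTS = {
    "encrypt.txt": "Clients: Charles Borrows, Alice Moore, Tom Reed. Certificates ready.",
    "secret.eml": ("From: James Santini\nTo: Charles Borrows\n"
                   "I am glad to inform you that the bonds will be delivered on time.\n"
                   "Norman Peterson will handle the transfer."),
    "notes.txt": "Reminder: call James about Friday.",
    "readme.txt": "Nothing of interest here.",
}

WORD = re.compile(r"[A-Za-z0-9']+")


def build_index(documents):
    """Inverted index: lower-cased word -> set of document names containing it.
    Built once at processing time, so every later query is a dictionary lookup
    rather than a scan of the evidence."""
    index = defaultdict(set)
    for name, text in documents.items():
        for word in WORD.findall(text):
            index[word.lower()].add(name)
    return index


def term_hits(index, terms):
    """Per-term hit counts, the figure shown beside each term in a results pane."""
    return {term: len(index.get(term.lower(), ())) for term in terms}


def search(index, terms, criteria="and"):
    """Boolean query over the index. 'and' keeps only documents containing every term,
    'or' keeps documents containing at least one. Returns a sorted list of names."""
    postings = [index.get(term.lower(), set()) for term in terms]
    if not postings:
        return []
    if criteria == "and":
        hits = set.intersection(*postings)
    elif criteria == "or":
        hits = set.union(*postings)
    else:
        raise ValueError(f"unknown search criteria: {criteria!r}")
    return sorted(hits)


INDEX = build_index(DOCUMENTS)
TERMS = ["Santini", "Borrows", "James", "Charles"]

if __name__ == "__main__":
    print("AND:", search(INDEX, TERMS, "and"))   # ['secret.eml']
    print("OR :", search(INDEX, TERMS, "or"))    # ['encrypt.txt', 'notes.txt', 'secret.eml']
    print("hits:", term_hits(INDEX, TERMS))
```

With these constructed documents the And query returns only the email, because it is the one file that mentions all four names, while the Or query also pulls in the client list and an unrelated note that merely contains "James"; that widening is why an Or search is a starting point for reading, not a result in itself.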

Task 5: Recover and export a deleted file

As noted previously, an E01 image contains a complete bit-for-bit copy of a given media. Unlike AD1 files, bit-level copies can be used to find and recover files that have been deleted, as long as the clusters they occupied have not yet been reused. This can be a particularly powerful tool in a forensic investigation. In this task we will recover what appears to be another copy of Santini’s customer list.

1. In the FTK Case Manager select the Overview tab, and then expand File Status.

2. Under File Status are the file categories mentioned earlier. These categories can help you instantly find files of a given type. Select Deleted Files from the list of file categories in the Case Overview pane. Notice in the File List pane there is a deleted copy of the encrypt.txt file called encrypt.txt.gpg. The .gpg extension suggests that this file was encrypted with GNU Privacy Guard, likely so that it could be sent securely via email. An extension is only a hint; the file’s content, which for a GnuPG file begins with an OpenPGP packet header, is what confirms it. While we cannot know for certain that this is another (or perhaps older) customer list, it is definitely a file worth recovering.

3. Right-click encrypt.txt.gpg and select Export. In the Export window, under Destination base path, enter F:\Cases\FTK\State v Santini (Thumb Drive)\Export and click OK.

4. When prompted to create the Export directory click Yes.

5. When the export completes click OK.

6. Once the export is complete a window will automatically pop up showing the recovered file. We cannot open it: if it was encrypted to a recipient’s public key, only the matching private key decrypts it, and if it was encrypted with a passphrase, we would need that passphrase. Even so, investigators could use this file to convince Santini that they know more than they do. It may also be possible to crack open the file using FTK’s Password Recovery Toolkit (PRTK), which is realistic only for a passphrase-protected file with a weak passphrase; a file encrypted to a strong public key is not recoverable that way.

7. Close FTK Forensic Toolkit 5.1.

8. Once FTK Case Manager is closed, the database manager window will display your case. Close the database manager by clicking the X in the top right corner.
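Whether PRTK is worth running on the recovered file depends on how its session key is protected, and that is readable from the file's leading OpenPGP packets (RFC 4880 sections 4.2, 5.1 and 5.3) without any key. The following Python script is an example added here; it is not part of the lab and not an AccessData or GnuPG tool. It decodes old- and new-format packet headers, walks the leading session-key packets and reports public-key (tag 1, which needs the recipient's private key) versus symmetric (tag 3, a passphrase-derived key and so a PRTK candidate), and accepts ASCII-armored messages as well as binary ones. The sample byte strings are constructed for the example with zero-filled placeholder packet bodies and are not real ciphertext; the constant and function names are the example's own.

```python
import base64
import binascii

# Packet tags from RFC 4880 section 4.3 that matter for an encrypted message.
PKESK, SKESK, SEIPD = 1, 3, 18
OLD_LENGTH_OCTETS = {0: 1, 1: 2, 2: 4, 3: 0}   # old-format length type -> octets (0 = indeterminate)


def dearmor(blob):
    """If blob is ASCII-armored ('-----BEGIN PGP ...'), return the decoded packet bytes,
    otherwise return it unchanged. The CRC24 trailer ('=XXXX') is skipped, not checked."""
    if not blob.lstrip().startswith(b"-----BEGIN PGP"):
        return blob
    lines = iter(blob.decode("ascii", "replace").splitlines())
    for line in lines:                       # skip up to and including the BEGIN line
        if line.startswith("-----BEGIN PGP"):
            break
    for line in lines:                       # armor headers end at the first blank line
        if not line.strip():
            break
    body = []
    for line in lines:                       # base64 body up to the CRC or END line
        if line.startswith("=") or line.startswith("-----END"):
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))


def parse_packet_header(data):
    """Decode the first OpenPGP packet header (RFC 4880 section 4.2).
    Returns (tag, body_length, header_length); body_length is None when the old-format
    length is indeterminate or a new-format partial body length is used."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    first = data[0]
    if first & 0x40:                                     # new-format header
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, o1, 2
        if o1 < 224:
            return tag, ((o1 - 192) << 8) + data[2] + 192, 3
        if o1 == 255:
            return tag, int.from_bytes(data[2:6], "big"), 6
        return tag, None, 2                              # 224..254: partial body length
    tag, n = (first >> 2) & 0x0F, OLD_LENGTH_OCTETS[first & 0x03]   # old-format header
    if n == 0:
        return tag, None, 1
    return tag, int.from_bytes(data[1:1 + n], "big"), 1 + n


def encryption_modes(blob):
    """Walk the leading session-key packets and report how each protects the session key:
    'public-key' (tag 1) needs the recipient's private key; 'symmetric' (tag 3) is a
    passphrase-derived key and therefore a candidate for a password-recovery tool."""
    try:
        data = dearmor(blob)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"bad ASCII armor: {exc}") from None
    modes, offset = [], 0
    while offset < len(data):
        tag, length, hdr = parse_packet_header(data[offset:])
        if tag == PKESK:
            modes.append("public-key")
        elif tag == SKESK:
            modes.append("symmetric")
        else:
            break                                        # reached the encrypted data packet
        if length is None:
            break
        offset += hdr + length
    if not modes:
        raise ValueError("OpenPGP data, but no session-key packet found")
    return modes


# Constructed samples with zero-filled placeholder packet bodies, not real ciphertext.
SEIPD_PKT = bytes([0xC0 | SEIPD, 0x20]) + bytes(32)                    # new format, 32-byte body
PKESK_PKT = bytes([0x85, 0x01, 0x0C]) + bytes([3]) + bytes(267)        # old format, 2-octet length 268
SKESK_PKT = bytes([0xC0 | SKESK, 0x0D]) + bytes([4, 9, 3, 2]) + bytes(8) + bytes([0x60])  # v4, AES-256, iterated S2K
PUBLIC_KEY_MSG = PKESK_PKT + SEIPD_PKT
PASSPHRASE_MSG = SKESK_PKT + SEIPD_PKT
MIXED_MSG = PKESK_PKT + SKESK_PKT + SEIPD_PKT                           # one recipient key plus a passphrase
ARMORED_MSG = (b"-----BEGIN PGP MESSAGE-----\n\n" + base64.b64encode(PASSPHRASE_MSG)
               + b"\n=AAAA\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    for name, msg in [("public-key", PUBLIC_KEY_MSG), ("passphrase", PASSPHRASE_MSG),
                      ("mixed", MIXED_MSG), ("armored", ARMORED_MSG)]:
        print(f"{name:10s} -> {encryption_modes(msg)}")
```

Run against an exported .gpg file (read as bytes), the result tells you which recovery route exists: a list containing "symmetric" means a passphrase attack has something to work on, a list of only "public-key" means the file is opened by a private key or not at all, and a mixed list means either route would do. The parser reads only headers, so it never needs, and never alters, the encrypted body.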

This completes the lab. Please close out your student desktop.