1. 91.580.203 Computer & Network Forensics: FTK (Forensic Toolkit), Dr. Xinwen Fu
2. Big Picture
AccessData downloads:
FTK Imager version 2.5.4
Known File Filter (KFF) library, file version 27_jun_2007
Forensic Toolkit® (FTK™) version 1.81
Workflow:
Acquire and preserve the evidence
Analyze the case
Prepare a report
3. Acquire and Preserve the Evidence
Create an image of the suspect drive using hardware devices (a hardware duplicator behind a write blocker)
Create an image of the suspect drive using software applications:
FTK Imager
dd
Key point of creating an image:
No changes to the evidence may be made: write-protect the source, and hash both the source and the image so the copy can be shown to match (see Hashing below)
4. Big Picture (workflow)
Acquire and preserve the evidence
Analyze the case
Prepare a report
5. Analyze the Case - Hashing
Hashing computes a fixed-length value from a file's contents; any change to the contents changes the value, and two files with the same hash are treated as identical
Used to verify file integrity (e.g. that an image still matches the acquired drive) and to identify duplicate and known files
MD5, SHA-1 (both now have published collision attacks, so record both values; a match on one hash alone is weaker evidence that two files are identical)
FTK Imager -> File -> Export File Hash List
6. Analyze the Case - Known File Filter (KFF)
An FTK utility that compares file hashes against a database of hashes from known files
Three purposes:
Eliminate ignorable files (such as known system and program files)
Alert you to known illicit or dangerous files
Check for duplicate files (possibly under different file names)
Container files: files that contain other files, such as zip archives and e-mail messages with attachments
When KFF identifies a container file as ignorable, FTK does not extract its component files
KFF includes the HashKeeper database, which is updated periodically and is available for download on the FTK update page
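The hashing and KFF steps of slides 5 and 6, modelled in Python as an added example (this is not FTK code and not AccessData's KFF implementation): a chunked hasher that produces an MD5/SHA-1 hash list in the spirit of FTK Imager's export, an image verification check, and a classifier that looks each hash up in an ignorable set and an alert set and reports files sharing a hash. The evidence files and both known-hash sets are constructed for the demonstration; HashKeeper/KFF data is keyed on MD5, which is why the lookup uses the MD5 column.

```python
import hashlib
import os
import tempfile

# Constructed evidence set for the demonstration (relative path -> contents); not case data.
EVIDENCE = {
    "WINDOWS/notepad.exe": b"MZ stand-in for a known program file",
    "Documents/plan.txt": b"meeting at noon",
    "Documents/plan (copy).txt": b"meeting at noon",  # same content, different name
    "Downloads/tool.bin": b"stand-in for a known bad file",
}

# Stand-ins for KFF entries (hypothetical, not HashKeeper data). KFF keys on MD5.
IGNORABLE_MD5 = {hashlib.md5(EVIDENCE["WINDOWS/notepad.exe"]).hexdigest()}
ALERT_MD5 = {hashlib.md5(EVIDENCE["Downloads/tool.bin"]).hexdigest()}


def hash_file(path, algorithms=("md5", "sha1")):
    """Hash a file in 1 MiB chunks so a multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def export_hash_list(root):
    """Like FTK Imager's File -> Export File Hash List: one (path, hashes) row per file."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            rows.append((rel, hash_file(full)))
    return sorted(rows)


def apply_kff(rows):
    """Classify each row by MD5 and report files that share a hash (duplicates)."""
    result = {"ignorable": [], "alert": [], "review": [], "duplicates": {}}
    by_hash = {}
    for path, hashes in rows:
        md5 = hashes["md5"]
        if md5 in IGNORABLE_MD5:
            result["ignorable"].append(path)   # drop from the examiner's view
        elif md5 in ALERT_MD5:
            result["alert"].append(path)       # surface immediately
        else:
            result["review"].append(path)      # unknown: needs examination
        by_hash.setdefault(md5, []).append(path)
    result["duplicates"] = {h: paths for h, paths in by_hash.items() if len(paths) > 1}
    return result


def verify_image(path, expected):
    """Acquisition check: recompute the image hashes and compare with the recorded ones."""
    actual = hash_file(path, tuple(expected))
    return all(actual[name] == expected[name] for name in expected)


def run_demo():
    """Write the constructed evidence to a temp directory, export hashes, apply KFF."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in EVIDENCE.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        rows = export_hash_list(root)
        recorded = rows[0][1]                 # hashes noted at "acquisition" time
        image_ok = verify_image(os.path.join(root, *rows[0][0].split("/")), recorded)
        return apply_kff(rows), image_ok


if __name__ == "__main__":
    print(run_demo())
```

Both hashes are kept in every row even though the lookup uses MD5 only: if a known-file match is ever challenged, the SHA-1 column gives an independent value to compare.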
7. Analyze the Case - Searching
Live search
Involves an item-by-item comparison with the search term: time consuming, but it reads every byte
Allows you to search for non-alphanumeric characters (including raw hex) and to perform regular expression searches
Indexed search
Uses the index file to find a search term
The index file contains all discrete words or number strings found in both the allocated and unallocated space in the case evidence; a term that is not an indexed token (a raw byte sequence, or punctuation on its own) cannot be found this way
8. Data Carving
Searches for items, such as graphics embedded in other files
Searches the index for specific file headers and carves the file's associated data
Finds any embedded or deleted item as long as the file header still exists (a file whose header sectors have been overwritten, or that is fragmented on disk, is not recovered intact)
Recovers previously deleted files located in unallocated space
Data carving during evidence processing (when a new case is added):
Select Data Carve in the Process to Perform screen of the New Case Wizard
Data carving in an existing case:
Select Tools > Data Carving
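A minimal header/trailer carver in Python, added here as an illustration and not FTK's own carving engine: it scans a constructed raw image (built in `build_image`, not a real acquisition) for JPEG and GIF signatures, carves from header to trailer, and, when the trailer is missing, carves a fixed-size block and marks the result as possibly truncated. The size cap and the choice of two formats are assumptions for the example.

```python
import re

# Signatures a header/trailer carver keys on: (header bytes, trailer bytes, size cap used
# when no trailer is found). Two real formats are used; the 4 KiB cap is an assumption.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4096),
    "gif": (b"GIF8", b"\x00\x3b", 4096),
}


def build_image():
    """Constructed raw image (not a real acquisition): a JPEG embedded in a document,
    a deleted GIF sitting in unallocated space, and a JPEG whose trailer was overwritten."""
    document = b"report text " + b"\xff\xd8\xff\xe0JFIF-embedded-graphic" + b"\xff\xd9" + b" more text"
    unallocated = b"\x00" * 64
    deleted_gif = b"GIF89a-deleted-graphic" + b"\x00\x3b"
    trailerless = b"\xff\xd8\xff\xe1Exif-trailer-overwritten" + b"\x00" * 32
    return document + unallocated + deleted_gif + unallocated + trailerless


def carve(image, signatures=SIGNATURES):
    """Scan every byte of the image (allocated or not) for each header; carve to the
    trailer, or to the size cap when the trailer is missing. Returns
    (offset, kind, data, complete) tuples sorted by offset."""
    found = []
    for kind, (header, trailer, max_len) in signatures.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            # The trailer must lie within the cap; otherwise treat the file as truncated.
            end = image.find(trailer, start + len(header), start + max_len)
            if end == -1:
                found.append((start, kind, image[start:start + max_len], False))
            else:
                found.append((start, kind, image[start:end + len(trailer)], True))
    return sorted(found)


def summarize(image):
    """Offsets, kinds, sizes and completeness only: what an examiner triages first."""
    return [(off, kind, len(data), complete) for off, kind, data, complete in carve(image)]


if __name__ == "__main__":
    for row in summarize(build_image()):
        print(row)
```

The `complete` flag is the practical caveat from the slide: a header with no trailer still yields a carved block, but the examiner must treat it as possibly truncated or fragmented rather than as a recovered file.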
9. Live Search
In the Search window, click Live Search
In the Search Term field, enter the term you want to search for
In the Item Type column, specify whether you want FTK to search in Text or Hexadecimal
Click Add to add the search term to the Search Items column
In the Max Hits Per File field, enter the maximum number of times you want a search hit to be listed per file
10. Indexed Search
FTK uses the dtSearch engine to perform all indexed searches
To index evidence when it is added to the case, check the Full Text Index box on the Evidence Processing Options form
To index evidence after it is added to the case, select Tools -> Analysis Tools -> Full Text Indexing
In the Search window, click Indexed Search
In the Search Term field, enter the term you want to search for, including any wildcard characters
Click Add to add the search term to the search list
To refine the search, click Options
In the Search Items column, select the index term you want to search
Click View Item Results to initiate the search
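To make the live-versus-indexed distinction of slides 7, 9 and 10 concrete, the following Python is an added example (not dtSearch or FTK code): it builds a word/number index over constructed evidence, including bytes that would be unallocated, then contrasts an index lookup with a byte-by-byte live search that accepts text, hex and regex terms and honours a max-hits-per-file limit. The tokenizer and the two sample files are assumptions for the demonstration.

```python
import re

# Constructed evidence (not case data): each "file" holds allocated content followed by
# slack/unallocated bytes left behind by deleted data.
FILES = {
    "notes.txt": b"Send the dress order to acct 4111 today." + b"\x00" * 8 + b"deleted: wire to Smith",
    "cfg.bin": b"\x00\x01host=192.168.1.10\x00\x02\xde\xad\xbe\xef",
}

# Tokenizer assumed for the demo: discrete runs of letters/digits, as the slide describes.
TOKEN = re.compile(rb"[A-Za-z0-9]+")


def build_index(files):
    """dtSearch-style index: every discrete word or number string -> files containing it.
    Unallocated bytes are tokenized too, so remnants of deleted files are searchable."""
    index = {}
    for name, data in files.items():
        for tok in set(TOKEN.findall(data)):
            index.setdefault(tok.lower(), set()).add(name)
    return index


def indexed_search(index, term):
    """Fast: one dictionary lookup, but only whole indexed tokens can be found."""
    return sorted(index.get(term.lower().encode(), set()))


def live_search(files, term, kind="text", max_hits_per_file=200):
    """Slow: scan every byte of every item. Terms may be text, hex ("deadbeef")
    or a regular expression, so non-alphanumeric data is reachable."""
    if kind == "hex":
        pattern = re.escape(bytes.fromhex(term))
    elif kind == "text":
        pattern = re.escape(term.encode())
    elif kind == "regex":
        pattern = term.encode()
    else:
        raise ValueError("kind must be text, hex or regex")
    hits = {}
    for name, data in files.items():
        offsets = [m.start() for m in re.finditer(pattern, data)][:max_hits_per_file]
        if offsets:
            hits[name] = offsets
    return hits


if __name__ == "__main__":
    idx = build_index(FILES)
    print(indexed_search(idx, "dress"), indexed_search(idx, "deadbeef"))
    print(live_search(FILES, "deadbeef", kind="hex"))
```

The index finds "Smith" in the deleted remnant because unallocated bytes were indexed, but it cannot find the 0xDEADBEEF marker in cfg.bin at all; only the live hex search reaches it, at the cost of scanning every byte.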
11. Using Filters
To minimize the number of evidence items to examine, apply an existing filter or create a customized filter to exclude unwanted items
FTK allows you to filter case evidence by file status, type, size, and date parameters
12. Overview Window - Unfiltered (screenshot)
13. Overview Window - Filtered (screenshot)
14. Overview Window - Filtered + Actual Files (screenshot)
15. Search by Regular Expression (page 295 of the FTK manual, v1.81.0)
Search through large quantities of text for patterns of data such as the following:
Telephone numbers
Social Security numbers
Computer IP addresses
Credit card numbers
16. Regular Expressions for Data Patterns
Analogy with an arithmetic expression such as 5/((1+2)*3): it has operands (5, 1, 2, 3), operators (/, +, *), sub-expressions (the parenthesized parts), and a value
Regular expressions also have operands, operators, sub-expressions, and a value (the set of strings they match)
Operands in regular expressions can be any printable characters
17. Simple Regular Expressions
Made up entirely of operands
The regular expression dress returns a list of all files that contain the character sequence dress (so address and dresser are hits too)
18. Complex Regular Expressions
Operators allow regular expressions to search for patterns of data rather than specific values
Find Visa and MasterCard credit card numbers in case evidence files:
\<((\d\d\d\d)[\- ]){3}\d\d\d\d\>
(Any 16 digits in four groups of four separated by a hyphen or space match, so hits still need validation)
19. Reading \<((\d\d\d\d)[\- ]){3}\d\d\d\d\>
\: escape character
Turns an operand into an operator: \< (the < character becomes the begin-a-word operator)
Turns an operator into an operand: \- (the - character, a range operator inside brackets, becomes a literal hyphen)
\<: begin-a-word operator
Matches where the first character immediately follows a non-word character such as white space or another word delimiter
( ): parentheses
Group together a sub-expression
\d: any decimal digit character from 0-9
[ ]: the next character must be one of the characters listed between the brackets
{3}: the preceding sub-expression must repeat three times, back to back
\>: end-a-word operator
20. Other Variations on the Same Expression
\<((\d\d\d\d)(\-| )){3}\d\d\d\d\>
| (union operator): the next character to match is either the left operand (the hyphen) or the right operand (the space)
\<\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d\>
21. Predefined Regular Expressions
Visa and MasterCard numbers
\<((\d\d\d\d)[\- ]){3}\d\d\d\d\>
U.S. Social Security numbers
\<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\>
U.S. phone numbers
((\<1[\-\. ])?(\(|\<)\d\d\d[\)\.\-/ ] ?)?\<\d\d\d[\.\- ]\d\d\d\d\>
?: the sub-expression immediately to its left appears exactly zero or one time in any search hit (here it makes the leading 1 and the area code optional)
IP addresses
\<[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\>
(Each octet pattern accepts any value from 0 to 299, so hits with an octet above 255 are false positives and should be checked)
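An added Python example (not part of the slides or the FTK manual) that runs the four predefined patterns above over constructed text: it translates FTK's \< and \> word operators to Python's \b, and then applies the validation an examiner would add before reporting, a Luhn check on card-number hits and an octet range check on IP hits, together with a stricter IP pattern. The sample text, the test card number and the strict octet regex are my additions.

```python
import re

# The four predefined FTK patterns from the slide, verbatim, in FTK's dialect.
FTK_PATTERNS = {
    "card":  r"\<((\d\d\d\d)[\- ]){3}\d\d\d\d\>",
    "ssn":   r"\<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\>",
    "phone": r"((\<1[\-\. ])?(\(|\<)\d\d\d[\)\.\-/ ] ?)?\<\d\d\d[\.\- ]\d\d\d\d\>",
    "ip":    r"\<[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\>",
}

# Stricter octet (0-255 only); my addition, not one of FTK's predefined expressions.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
STRICT_IP = re.compile(r"\b" + r"\.".join([_OCTET] * 4) + r"\b")

# Constructed sample text for the demonstration (test card number, invalid SSN, fake hosts).
SAMPLE = (
    "Customer 4111 1111 1111 1111 (Luhn-valid test number), "
    "typo 1234-5678-9012-3456, SSN 078-05-1120, "
    "call (978) 934-3623 or 1-800-555-1212, "
    "host 192.168.1.10 and bogus 10.0.0.299"
)


def ftk_to_python(pattern):
    """FTK marks word boundaries with \\< and \\>; Python's re uses \\b for both."""
    return re.compile(pattern.replace(r"\<", r"\b").replace(r"\>", r"\b"))


def luhn_ok(number):
    """Luhn checksum used by Visa/MasterCard; filters random 4-4-4-4 digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ip_ok(addr):
    """The FTK pattern accepts 0-299 per octet; reject anything above 255."""
    return all(int(o) <= 255 for o in addr.split("."))


def search(text):
    """Raw hits for each predefined pattern, in order of appearance."""
    return {name: [m.group(0) for m in ftk_to_python(p).finditer(text)]
            for name, p in FTK_PATTERNS.items()}


def validated(text):
    """Raw hits with the post-filters an examiner would apply before reporting."""
    raw = search(text)
    return {
        "card": [c for c in raw["card"] if luhn_ok(c)],
        "ssn": raw["ssn"],
        "phone": raw["phone"],
        "ip": [a for a in raw["ip"] if ip_ok(a)],
        "ip_strict": [m.group(0) for m in STRICT_IP.finditer(text)],
    }


if __name__ == "__main__":
    for name, hits in validated(SAMPLE).items():
        print(f"{name:10} {hits}")
```

The raw pass returns both card-like strings and both dotted quads; only the Luhn-valid number and the address with in-range octets survive validation, which is the filtering step the predefined patterns leave to the examiner.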
22. Big Picture (workflow)
Acquire and preserve the evidence
Analyze the case
Prepare a report
23. Prepare a Report
Create a case report and case log to document the evidence and investigation results
Use the Report Wizard to create and modify reports:
FTK -> File -> Report Wizard
The report may include:
Bookmarks (information you selected during the examination): FTK -> Tools -> Create Bookmark ...
Customized graphics references
Selected file listings
Supplementary files and the case log
24. (figure only)
25. Discussion: Case Studies
How digital forensics might relate to you, your firm or your case
Case studies
What tools, knowledge and techniques you may use for the case