1 / 54

Computer Forensics with FTK: Unleashing Critical Skills

Follow the CSI Challenge story, learn about motive, and use FTK & S-Tools. Master file recovery, hidden data, and steganography in this hands-on competition scenario.

siusan
Download Presentation

Computer Forensics with FTK: Unleashing Critical Skills

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSI Challenge 2012

  2. Computer Forensics at the CSI Challenge • Provides the backstory behind the crime • Provides pertinent information related to the motive behind the crime • Requires the use of 2 software packages: • Forensics Tool Kit (FTK) • Version 1.8.0 or 1.8.1 • S-Tools • Software must be downloaded on your laptop prior to the competition

  3. Evaluation = 5 Critical Skills • Creating & Opening a Computer Forensics Case • Finding Hidden Data in Slack Space or Unallocated Space • Finding a Recently Deleted File • Finding a File with an Improper File Extension • Finding a Stego’d Image or Data Hidden in a JPG File

  4. 1. Creating & Opening a Computer Forensics Case • How you do it? • Start FTK and Create a New Case • Add evidence • Save the case on exiting • Once created you only need to start FTK and open an existing file to continue working on the case

  5. What is a “Case”? • A case represents an ‘incident’ • You will need to supply: • Name or number of Case • Investigator’s name • Evidence to be added to the case • New cases can be Created • You can Open existing cases previously created

  6. 1.A. FTK • Should run in “administrator mode” • Right-click FTK icon and select “run as administrator” • Or… click properties, and select appropriate option for icon (then you won’t need to repeat each FTK startup) • You may receive a prompt looking for “security device” • It’s OK to run without the dongle or security device • USB “dongle” is required to run FTK in “Full Mode” • Also might ask for “Code Meter • We’re running in Demo Mode • Limits us to 5,000 files in the case, but otherwise fully functional!

  7. KFF Hash Library • Known File Filter • Used to “ignore” Known Files • OK to load FTK without KFF

  8. Startup • Select the appropriate option • Generally you’ll either be creating new case or opening an existing case

  9. New Case • Enter Captions for • Case Number • I chose LIPD-2012-0001 • Long Island Police Dept., Case 1 of 2012 • Case Name • Something meaningful • Case Path • The folder where case saved on hard drive • The default is the case name

  10. Case setup (cont.) • Enter information about investigator • Next screen • Case Log Options • Select all options • Next screen • Processes to perform • Keep default values • Next screen • Refine case • Accept defaults • Next screen • Refine index • Accept defaults • Next screen

  11. 1.B. Finally… Add Evidence Click “Add Evidence”

  12. What is Evidence • Information to be added to the Case • Acquired forensic “image” of Drive • This is a single file, but contains contents of an entire drive!!! • Similar to a “zip file” • Also referred to as • “image file” • Bitstream file • Bit-for-bit image file • This “image file” is captured and produced by some forensic software or utility program • Viewed with forensic software which “understands” the file structure • It is NOTthe same as a GIF or JPEG, which is a PICTURE type of image file and IS a single file • Local Drive (not on CSI 2012) • Attached to the system and addressable as a disk drive • For example, the C: or E: disk • Could include a CD, DVD, USB, etc.. • Contents of a Folder • Individual File

  13. Add… Acquired Image • Hard Drive “Image files” captured earlier • *.img ending added by creator • Other endings dependent on software used to create them • Created earlier by someone using • Utility program or Forensic software

  14. Adding the Acquired Image File • Fill in captions • Evidence Name/Number • For example, an item number of the evidence list • Serial number, if unique • Comments (optional) • How acquired or unusual circumstances, etc.. • Local Evidence Time Zone • -05:00 for NY timezone • Don’t forget about Daylight Savings, if it applies! • Used for time comparisons All Evidence Added. Click “Next”

  15. Finish adding evidence • After clicking “Finish” • FTK will Process Files • Add them to the case

  16. FTK processing added evidence • As part of adding evidence FTK will • Keep track of certain items and summarize them • Build an “index” of words or terms encountered • Can be used to short-cut a search • Can be used to identify words in the entire case • Might provide insight into something not normally considered • For example, seeing “gun”, “secret” or “password” as one of the words in the index

  17. 1. Opening a Computer Forensics Case (cont)…what you’ll see • FTK presents 3 “panes” or “panels” by default • Users can configure the placement if desired • FTK provides a list of “summary” buttonswith counts • Clicking on these can bring up those items in a detail pane so that you focus on them • Bad extensions • Image files • Deleted files • Documents • Unknown types • Folders • Bookmarked items • etc

  18. FTK Panes/Panels • Tabs on the main window • Overview • Explore • Graphics • Email • Search • Bookmark

  19. Overview • Shows general information about the case • Selection in one “pane” shows details in another “pane” or sub-window

  20. Still in “Overview” • The “bad extensions” shows 7 files in the bottom pane • Selecting one of the files in the bottom pane shows the contents in the 3rd pane (upper right)

  21. Overview (cont.) • File list contains information about files • “X” icon indicates deleted file • File extension might indicate one type of file • In reality, another type of file

  22. Explore Tab • Shows a “Windows Explorer” style of presentation • 3 evidence items seen • Each has sub-items • Collapsible or expandable levels • Click on Plus or Minus signs to expand/collapse views • Selected item is shown in 3rd pane • List of items in the selected item are shown in bottom (2nd) pane • Clicking on one of these will present that item in the 3rd (top-right) pane

  23. Same item… different view of it • Icons at top of 3rd pane • Alter the “presentation” of data • View as native application • Text view • Hexadecimal view • It’s the same data, just a different way of viewing it!

  24. Selecting a single file • The following demonstrates what a user sees if selecting a single file in Explorer Tab

  25. Giants Tickets.doc • Selecting Giants Tickets.doc in Explorer Tab • Word document • Really made up of different “components” • Selecting the file shows an item list of components in the file • File slack is one of them

  26. Graphics Tab • Shows a pane with thumbnails of images in the currently selected item in your case

  27. 1.C. How to exit and save • On the main menu • Select “File” • Close • Closes the case, remains in FTK • Save • Allows you to continue working on the case • Exit • Allows you to save (and backup.. Optional) the case • Shuts down FTK

  28. 2. Finding Hidden Data in Slack Space • What is “Slack Space”? • It’s disk space which belongs to a file, but is not considered part of the file’s data • Happens because of the way the system allocates disk space to files • How does the system give disk space to a file? • By “clusters”… a collection of 1 or more disk “sectors” • A “sector” is 512 bytes (depends on the system) • A cluster can be 1, 2, 4, or 8 sectors • Files are written in these clusters, and don’t normally fill up an entire sector or cluster • Two types of “Slack Space” • Ram slack • Disk space after the file data and before the end of that sector • File slack • Disk space in sectors not used by the file, but belonging to the file

  29. 2. Finding Hidden Data in Slack Space (cont) • What’s the significance of “slack space”? • Contents of RAM slack is generally whatever was in memory when the file was saved last • Might be a password, credit card number, etc.. Or garbage • File slack’s contents can simply be whatever was left over and not erased when no longer needed by some other file • Maybe even another user created that other file • Slack can be used to hide information • It’s not visible to users • It won’t be “grabbed” by system and overwritten

  30. 2. Finding Hidden Data in Slack Space (cont) • In OverviewTab • Select Slack/Free Space button • Details pane contains all slack/free space items • Full Path describes where that slack space is located • In a specific file • It’s part of the file, but not part of the data itself • Comes after the “end of file” marker • Do a “search” • Word might appear in “slack”, which might indicate an attempt at hiding something

  31. Slack: Overview Tab

  32. Slack: Specific File • Start from the “Explore” Tab • Locate the file (Giants Tickets.doc) • This file is deleted • Highlight the file in Explore • You’ll see: • Pane 2 (Lower pane): list of embedded “stuff” in the file, INCLUDING FileSlack • Pane 3 (Upper right): The document as presented by FTK believing it to be a “Word doc” • Then… in pane 2, select “File Slack” and observe what’s displayed in pane 3

  33. Slack: Search • Conduct a search • Examine the returned “hits” of the search • Search results (“hits”) indicate where the occurrence was • Even if in slack space • Each “hit” also shows the data immediately before and after the “hit” phrase

  34. Searching • Click the SEARCH tab • As you type a word or “character string” • Indexed words in case show up • Once you’ve found or typed your search term • ADD it to the search • You’ll see # of hits • You’ll see # of files containing those “hits”

  35. Searching • Select the “hits” for the search item • Then “View Item Results” • You can use “AND” or “OR” logic when looking for multiple search items in the same file • AND requires all to be present • OR requires any one of them to be present

  36. Searching • Indexed vs. Live • Indexed • Looks up terms indexed by FTK as evidence was added • Live • Looks up a term which wasn’t necessarily in the index built by FTK • Options • Text • ASCII • UNICODE • CASE SENSITIVE • REGULAR EXPRESSION • Hexadecimal

  37. Live Search • Keep ASCII and Unicode selected • They’re both defaults • Default is “ignore case” • Won’t care if upper or lower • Will take time • Searches the entire case • Regular expressions (NOT IN CSI 2012) • A “pattern” to match • Zip code • Telephone number • Social security number • Credit card number • Hexadecimal • Look for “non-printable” character values

  38. 3. Finding a Recently Deleted File • How do you find a deleted file? • Overview Tab • Select the summary button for Deleted Files • All those files appear in the lower pane • In the Explorer Tab • You can view the “directory structure” in the 1st pane • Deleted files appear with a red “X” on the icon of the file or folder • Deleted files are often recoverable • You need to EXPORT the file

  39. 3. Finding a Recently Deleted File (cont)

  40. 3. Finding a Recently Deleted File (cont) • Why could this be significant? • Investigator might recover information the suspect was attempting to hide or destroy • might demonstrate intent to evade detection • It can be demonstrated that a large number of files were deleted • Just prior to execution of a search warrant • After being interviewed by the police • After receiving a call from a victim or conspirator • When taken into account, might provide circumstantial evidence of intent

  41. 4. Finding a File with an Improper File Extension • How you do it? • Overview Tab • Find the Summary Button for “Bad Extensions” • Pane 2 lists all those files • Explorer Tab • Navigate to the location • Pane 2 shows files in that location, with additional information for each file

  42. Exporting a file • What is “exporting”? • Exporting allows an investigator to • Select a file or files • Save them as discrete files to another location outside of the FTK Case file • Why? • Allows investigators to process the exported file “natively” using applications such as Word, Excel, Paint, etc • Some files must be processed natively (for example a Stego’d file must be exported and handled using S-Tools as explained in section 5) • Can burn to a DVD and give to DA or other investigator • Allows investigator to consolidate items of interest in one place and present only those items

  43. Exporting a file • How do you export a file? • Select the file (highlight it) in Explorer Tab • Right-click on the file, and “Export it”

  44. 4. Finding a File with an Improper File Extension • How do we find the file? • Overview Tab • Click on the “Improper Name” summary button • Explorer Tab • In pane 2 (lower pane), improper file extensions will be noted

  45. 4. Finding a File with an Improper File Extension (cont) • What it means • It might be a deliberate attempt to evade detection and hide information • Information might be important • It could also just be a mistake on the part of the user • File saved or renamed with the wrong extension

  46. 4. Finding a File with an Improper File Extension (cont) • How do I process a file with an “Improper File Extension”? • Note the type of file it really should be • Export the file • Use the appropriate software to view the file, according to the “real type” of file it is

  47. 5. Finding a Stego’d Image or Data Hidden in a JPEG File • How you do it? • Certain files, such as Windows “BMP” files, can be “containers” • Software such as S-Tools can hide information inside these “container files” • Locate a suspected “stego’d” file (the container file) • Should be a “BMP” file • Export it from FTK’s Case • This saves it as a separate file you can then process outside of FTK • Use S-Tools to extract the “message file” from the “container file” • Password or a passphrase might be required!

  48. 5. Finding a Stego’d Image or Data Hidden in a JPEG File • Open S-Tools • Drag the “exported” file believed to be a “container file” into S-Tools

  49. 5. Finding a Stego’d Image or Data Hidden in a JPEG File (cont) • Right-click the “container” in S-Tools • Select “Reveal” • When prompted, provide the “passphrase” • Can be a single word or a phrase • Could be case sensitive • A “revealed archive” window shows with the hidden file name and size • Select the file in the “Reveal Archive” box • Right-click the file you wish to extract from the container file • Save as… • Choose a location • You’ve now successfully extracted the hidden message!

More Related