91.580.203 Computer & Network Forensics Xinwen Fu FTK Forensic Toolkit

Big Picture AccessData download Acquire and preserve the evidence FTK Imager version 2.5.4 Known Filter Library File version 27_jun_2007 Forensic Toolkit®(FTK™) version 1.81 Acquire and preserve the evidence Analyze the case Prepare a report Dr. Xinwen Fu

Acquire and Preserve the Evidence Create an image of the suspect drive using hardware devices Create an image of the suspect drive using software applications FTK Imager dd Key point of creating an image No changes to the evidence should be made Dr. Xinwen Fu

Big Picture Acquire and Preserve the evidence Analyze the case Prepare a report Dr. Xinwen Fu

Analyze the Case - Hashing Refer to the process of generating a unique value based on a file’s contents Used to verify file integrity and identify duplicate and known files MD5, SHA1 FTK Imager -> File -> Export File Hash List Demo Dr. Xinwen Fu

Analyze the Case - Known File Filter (KFF) An FTK utility that compares file hashes against a database of hashes from known files Three purposes Eliminate ignorable files (such as known system and program files) Alert you to known illicit or dangerous files Check for duplicate files (maybe different file names) Container files: Files which contain other files, such as zip and e-mail files with attachments When KFF identifies a container file as ignorable, FTK does not extract its component files KFF includes the HashKeeper database, which is updated periodically and is available for download on the FTK update page Dr. Xinwen Fu

Analyze the Case - Searching Live search Involve an item-by-item comparison with the search term: time consuming Allow you to search non-alphanumeric characters and perform regular expression searches Indexed search Use the index file to find a search term The index file contains all discrete words or number strings found in both the allocated and unallocated space in the case evidence Dr. Xinwen Fu

Data Carving Search for items, such as graphics embedded in other files Search the index for specific file headers and carves the file’s associated data Find any embedded or deleted item as long as the file header still exists Recover previously deleted files located in unallocated space Data carving during evidence processing (when a new case is added) Select Data Carve in the Process to Perform Screen during the New Case Wizard Data carving done in an existing case Select Tools > Data Carving Dr. Xinwen Fu

Live Search In the Search window, click Live Search In the Search Term field, enter the term you want to search for In the Item Type column, specify if you want FTK to search in Text or Hexadecimal Click Add to add the search term to the Search Items column In the Max Hits Per File field, enter the maximum number of times you want a search hit to be listed per file Dr. Xinwen Fu

Indexed Search FTK uses the search engine, dtSearch, to perform all indexed searches To index evidence when it is added to the case, check the Full Text Index box on the Evidence Processing Options form To index evidence after it is added to the case, select Tools -> Analysis Tools -> Full Text Indexing In the Search window, click Indexed Search In the Search Term field, enter the term you want to search for, including any wildcard characters Click Add to add the search term to the search list To refine the search, click Options In the Search Items column, select the index term you want to search Click View Item Results to initiate the search Dr. Xinwen Fu

Using Filters If you want to minimize the number of evidence items to examine, you can apply an existing filter or create a customized filter to exclude unwanted items FTK allows you to filter your case evidence by file status, type, size, and date parameters Dr. Xinwen Fu

Overview Window - Unfiltered Dr. Xinwen Fu

Overview Window - Filtered Dr. Xinwen Fu

Overview Window – Filtered + Actual Files Dr. Xinwen Fu

Search by Regular Expression Page 295 of FTK Manual (V1.81.0) Search through large quantities of text information for patterns of data such as the following Telephone Numbers Social Security Numbers Computer IP Addresses Credit Card Numbers Dr. Xinwen Fu

Regular Expressions for Data Pattern Arithmetic expression: 5/((1+2)*3) Regular expressions also have operands, operators, sub-expressions, and a value Operands in regular expressions can be any printable characters Component Example Operands 5, 1, 2, 3 Operators /, ( ), +, * Sub-Expressions (1+2), ((1+2)*3) Value Approximately 0.556 Dr. Xinwen Fu

Simple Regular Expressions Made up entirely of operands Regular expression dress causes to return a list of all files that contain the sequence of characters dress Dr. Xinwen Fu

Complex Regular Expressions Operators allow regular expressions to search patterns of data rather than specific values Find all Visa and MasterCard credit card numbers in case evidence files: \<((\d\d\d\d)[\- ]){3}\d\d\d\d\> Dr. Xinwen Fu

\<((\d\d\d\d)[\- ]){3}\d\d\d\d\> \: Escape character Modification of operands: \< Modification of operators: \- \<: begin-a-word operator The first character immediately follows a non-word character such as white space or other word delimiter ( ): Parentheses Group together a sub-expression \d: any decimal digit character from 0-9 [ ]: next character must be a character listed between the brackets {3}: the preceding sub-expression must repeat three times, back to back \>: end-a-word operator Dr. Xinwen Fu

Other Variations on the Same Expression \<((\d\d\d\d)(\-| )){3}\d\d\d\d\> | (union operator): the next character to match is either the left operand (the hyphen) or the right operand (the spacebar space) \<\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d\> Dr. Xinwen Fu

Predefined Regular Expressions Visa and MasterCard Numbers \<((\d\d\d\d)[\- ]){3}\d\d\d\d\> U.S. Social Security Numbers \<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\> U.S. Phone Number ((\<1[\-\. ])?(\(|\<)\d\d\d[\)\.\-/ ] ?)?\<\d\d\d[\.\- ]\d\d\d\d\> ?: the sub-expression immediately to its left appear exactly zero or one time in any search hits IP Addresses \<[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\> Dr. Xinwen Fu

Big Picture Acquire and Preserve the evidence Analyze the case Prepare a report Dr. Xinwen Fu

Prepare a Report Create a case report and case log to document the evidence and investigation results Use the Report Wizard to create and modify reports: FTK -> File -> Report Wizard The report may include Bookmarks (information you selected during the examination): FTK -> Tools -> Create Bookmark … Customize graphics references Select file listings Include supplementary files and the case log Dr. Xinwen Fu

Dr. Xinwen Fu

Discussion: Case Studies How digital forensics might relate to you, your firm or your case Case Studies What tools, knowledge and techniques you may use for the case Dr. Xinwen Fu