1
CSI Challenge 2012
2
Computer Forensics at the CSI Challenge
Provides the backstory behind the crime
Provides pertinent information related to the motive behind the crime
Requires the use of 2 software packages:
  Forensics Tool Kit (FTK) Version or 1.8.1
  S-Tools
Software must be downloaded on your laptop prior to the competition

2. Introduce the Program
You represent the first ever…in the history of the world…to attend a CSI Academy!
Who here likes solving a mystery? (video clip)
Who here likes to watch CSI? (video clip)
Over the next five days, you will be taught many things that will enable you to become Crime Scene Investigators…and solve a crime!
Who likes to compete?
We will be teaching you crime scene concepts, such as ……… all in a competitive setting
We will be dividing you into three teams…and demonstrate the concept and importance of teamwork
We will be keeping score, using our CSI Summer Scoreboard
Besides teaching you cool techniques to manage a crime scene, we will be having a CSI Obstacle Course Competition and at the very end a CSI Summer Academy Challenge where you will use all the techniques you learned all week to solve a crime
3
Evaluation = 5 Critical Skills
1. Creating & Opening a Computer Forensics Case
2. Finding Hidden Data in Slack Space or Unallocated Space
3. Finding a Recently Deleted File
4. Finding a File with an Improper File Extension
5. Finding a Stego’d Image or Data Hidden in a JPG File
4
1. Creating & Opening a Computer Forensics Case
How do you do it?
  Start FTK and Create a New Case
  Add evidence
  Save the case on exiting
Once created, you only need to start FTK and open the existing case file to continue working on the case
5
What is a “Case”? A case represents an ‘incident’
You will need to supply:
  Name or number of the Case
  Investigator’s name
  Evidence to be added to the case
New cases can be Created
You can Open existing cases previously created
6
1.A. FTK should run in “administrator mode”
Right-click the FTK icon and select “run as administrator”
  Or… click Properties and select the appropriate option for the icon (then you won’t need to repeat this at each FTK startup)
You may receive a prompt looking for a “security device”
  It’s OK to run without the dongle or security device
  The USB “dongle” is required to run FTK in “Full Mode”
  It also might ask for “Code Meter”
We’re running in Demo Mode
  Limits us to 5,000 files in the case, but otherwise fully functional!
7
KFF Hash Library
  Known File Filter
  Used to “ignore” Known Files
OK to load FTK without KFF
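Added example (not from the deck and not FTK’s own code): what the Known File Filter does when it is loaded. A KFF library is a set of hashes of files that are known and uninteresting (operating-system and application files); every file in the case is hashed and, if its hash is in the library, it is set aside so the examiner only reviews the rest. The file names, contents and paths below are constructed for the example; a real library ships hash values, not files.

```python
import hashlib

# Constructed stand-ins for known operating-system files. A real KFF library
# ships the hash values, not the files; only the hashes are needed to filter.
KNOWN_FILES = {
    "notepad.exe": b"MZ\x90\x00 constructed stand-in for a known system binary",
    "kernel32.dll": b"MZ\x90\x00 constructed stand-in for a known system library",
}


def build_kff_library(known_files):
    """The set of hashes a Known File Filter carries (SHA-1 in this example)."""
    return {hashlib.sha1(data).hexdigest() for data in known_files.values()}


def kff_filter(evidence, kff_hashes):
    """Split case files into ones KFF ignores (exact hash match) and ones to review."""
    ignored, review = [], []
    for path, data in evidence.items():
        if hashlib.sha1(data).hexdigest() in kff_hashes:
            ignored.append(path)
        else:
            review.append(path)
    return sorted(ignored), sorted(review)


# Constructed evidence: genuine copies of the known files, a copy altered by
# one byte (so its hash no longer matches), and two user-created files.
EVIDENCE = {
    "C:/Windows/notepad.exe": KNOWN_FILES["notepad.exe"],
    "C:/Windows/System32/kernel32.dll": KNOWN_FILES["kernel32.dll"],
    "C:/Windows/Temp/notepad.exe": KNOWN_FILES["notepad.exe"][:-1] + b"!",
    "C:/Users/suspect/Giants Tickets.doc": b"\xd0\xcf\x11\xe0 constructed document body",
    "C:/Users/suspect/notes.txt": b"meet at the stadium after the game",
}


def review_list():
    """Return (files KFF ignores, files left for the examiner) for the constructed case."""
    return kff_filter(EVIDENCE, build_kff_library(KNOWN_FILES))


if __name__ == "__main__":
    ignored, review = review_list()
    print("ignored by KFF:", ignored)
    print("needs review:", review)
```

The altered copy in C:/Windows/Temp is the point to notice: KFF only removes exact matches, so a known file that has been modified by even one byte stays in the review list. That is why it is fine to run without KFF in the competition; you just review more files.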
8
Startup: Select the appropriate option
Generally you’ll either be creating new case or opening an existing case
9
New Case: Enter captions for
  Case Number
  Case Name
  Case Path
Case Number: I chose LIPD (Long Island Police Dept.), Case 1 of 2012
Case Name: Something meaningful
Case Path: The folder where the case is saved on the hard drive; the default is the case name
10
Case setup (cont.): Enter information about the investigator
Next screen: Case Log Options
  Select all options
Processes to perform
  Keep default values
Refine case
  Accept defaults
Refine index
12
1.B. Finally… Add Evidence
Click “Add Evidence”
13
What is Evidence? Information to be added to the Case
Acquired forensic “image” of a drive
  This is a single file, but contains the contents of an entire drive!!!
  Similar to a “zip file”
  Also referred to as an “image file”, bitstream file, or bit-for-bit image file
  This “image file” is captured and produced by some forensic software or utility program
  Viewed with forensic software which “understands” the file structure
  It is NOT the same as a GIF or JPEG, which is a PICTURE type of image file and IS a single file
Local Drive (not on CSI 2012)
  Attached to the system and addressable as a disk drive
  For example, the C: or E: disk
  Could include a CD, DVD, USB, etc.
Contents of a Folder
Individual File
14
Add… Acquired Image
Hard Drive “Image files” captured earlier
  *.img ending added by creator
  Other endings depend on the software used to create them
Created earlier by someone using a utility program or forensic software
15
Adding the Acquired Image File
Fill in captions
  Evidence Name/Number
    For example, an item number from the evidence list
    Serial number, if unique
  Comments (optional)
    How acquired, unusual circumstances, etc.
  Local Evidence Time Zone
    -05:00 for the NY time zone
    Don’t forget about Daylight Saving Time, if it applies!
    Used for time comparisons
All Evidence Added. Click “Next”
16
Finish adding evidence
After clicking “Finish”, FTK will process the files and add them to the case
17
FTK processing added evidence
As part of adding evidence, FTK will
  Keep track of certain items and summarize them
  Build an “index” of words or terms encountered
    Can be used to short-cut a search
    Can be used to identify words in the entire case
    Might provide insight into something not normally considered
      For example, seeing “gun”, “secret” or “password” as one of the words in the index
18
1. Opening a Computer Forensics Case (cont)…what you’ll see
FTK presents 3 “panes” or “panels” by default
  Users can configure the placement if desired
FTK provides a list of “summary” buttons with counts
  Clicking on these brings up those items in a detail pane so that you can focus on them
    Bad extensions
    Image files
    Deleted files
    Documents
    Unknown types
    Folders
    Bookmarked items
    etc.
19
FTK Panes/Panels: Tabs on the main window
  Overview
  Explore
  Graphics
  Search
  Bookmark
20
Overview: Shows general information about the case
Selection in one “pane” shows details in another “pane” or sub-window
21
Still in “Overview”
  The “bad extensions” button shows 7 files in the bottom pane
  Selecting one of the files in the bottom pane shows its contents in the 3rd pane (upper right)
22
Overview (cont.): File list contains information about files
  “X” icon indicates a deleted file
  File extension might indicate one type of file, when in reality it is another type of file
23
Explore Tab: Shows a “Windows Explorer” style of presentation
3 evidence items seen
  Each has sub-items
  Collapsible or expandable levels
    Click on the plus or minus signs to expand/collapse views
Selected item is shown in the 3rd pane
List of items in the selected item is shown in the bottom (2nd) pane
  Clicking on one of these will present that item in the 3rd (top-right) pane
24
Same item… different view of it
Icons at top of the 3rd pane alter the “presentation” of data
  View as native application
  Text view
  Hexadecimal view
It’s the same data, just a different way of viewing it!
25
Selecting a single file
The following demonstrates what a user sees when selecting a single file in the Explore Tab
26
Giants Tickets.doc: Selecting Giants Tickets.doc in the Explore Tab
Word document
  Really made up of different “components”
  Selecting the file shows an item list of the components in the file
  File slack is one of them
27
Graphics Tab: Shows a pane with thumbnails of images in the currently selected item in your case
28
1.C. How to exit and save
On the main menu, select “File”
  Close
    Closes the case, remains in FTK
  Save
    Allows you to continue working on the case
  Exit
    Allows you to save (and optionally back up) the case
    Shuts down FTK
29
2. Finding Hidden Data in Slack Space
What is “Slack Space”?
  It’s disk space which belongs to a file, but is not considered part of the file’s data
  Happens because of the way the system allocates disk space to files
How does the system give disk space to a file?
  By “clusters”… a collection of 1 or more disk “sectors”
  A “sector” is 512 bytes (depends on the system)
  A cluster can be 1, 2, 4, or 8 sectors
  Files are written in these clusters, and don’t normally fill up an entire sector or cluster
Two types of “Slack Space”
  RAM slack
    Disk space after the file data and before the end of that sector
  File slack
    Disk space in sectors not used by the file, but belonging to the file
30
2. Finding Hidden Data in Slack Space (cont)
What’s the significance of “slack space”?
  The contents of RAM slack is generally whatever was in memory when the file was last saved
    Might be a password, credit card number, etc.
    Or garbage
  File slack’s contents can simply be whatever was left over and not erased when no longer needed by some other file
    Maybe even another user created that other file
  Slack can be used to hide information
    It’s not visible to users
    It won’t be “grabbed” by the system and overwritten
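Added example (not from the deck, not FTK code) covering the two slack slides above: it computes how much RAM slack and file slack a file of a given size gets with 512-byte sectors and an 8-sector cluster, then models what lands in each region when a short file is written into a cluster that used to hold a deleted memo, and finally pulls printable strings out of the slack the way an examiner would. The cluster size, the old memo, the new file and the “memory” bytes are all constructed for the example.

```python
import math

SECTOR = 512           # bytes per sector, the value the deck uses (varies by system)
CLUSTER_SECTORS = 8    # sectors per cluster chosen for this example (constructed)
CLUSTER = SECTOR * CLUSTER_SECTORS


def slack_layout(file_size):
    """Return (clusters allocated, RAM slack bytes, file slack bytes) for a file.

    RAM slack  = the rest of the last sector that holds file data.
    File slack = whole sectors in the last cluster that hold no file data.
    """
    clusters = max(1, math.ceil(file_size / CLUSTER))
    used_sectors = math.ceil(file_size / SECTOR)
    ram_slack = used_sectors * SECTOR - file_size
    file_slack = clusters * CLUSTER - used_sectors * SECTOR
    return clusters, ram_slack, file_slack


def write_file_to_cluster(previous_cluster, file_data, memory_snapshot):
    """Model a file landing in a reused cluster (constructed behaviour).

    The file's bytes are written first; the rest of its last sector is padded
    with whatever the OS buffer held (RAM slack); the remaining sectors keep
    the previous occupant's bytes untouched (file slack).
    """
    if len(file_data) > CLUSTER:
        raise ValueError("this example models a single cluster")
    _, ram, _ = slack_layout(len(file_data))
    cluster = bytearray(previous_cluster)
    end = len(file_data)
    cluster[:end] = file_data
    cluster[end:end + ram] = memory_snapshot[:ram].ljust(ram, b"\x00")
    return bytes(cluster)


def extract_slack(cluster, file_size):
    """Split a cluster into the parts FTK would label RAM slack and file slack."""
    _, ram, _ = slack_layout(file_size)
    return cluster[file_size:file_size + ram], cluster[file_size + ram:]


def printable_strings(data, min_len=6):
    """Runs of printable ASCII, like the classic 'strings' utility."""
    found, run = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes the final run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


# Constructed scenario: the cluster previously held a memo that was deleted,
# then a short new file was written over its first sector.
OLD_OCCUPANT = (b"\x00" * (3 * SECTOR)
                + b"deleted memo: transfer approved by J. Smith").ljust(CLUSTER, b"\x00")
NEW_FILE = b"Dear Coach, two tickets for Sunday please."
MEMORY = b"\x01\x02login password: Giants2012!" + b"\xff" * 600   # constructed buffer contents


def analyse_scenario():
    """Write the new file, then report layout and what the slack regions contain."""
    cluster = write_file_to_cluster(OLD_OCCUPANT, NEW_FILE, MEMORY)
    ram_slack, file_slack = extract_slack(cluster, len(NEW_FILE))
    return {
        "layout": slack_layout(len(NEW_FILE)),
        "ram_slack_strings": printable_strings(ram_slack),
        "file_slack_strings": printable_strings(file_slack),
    }


if __name__ == "__main__":
    for key, value in analyse_scenario().items():
        print(f"{key}: {value}")
```

A 42-byte file in an 8-sector cluster leaves 470 bytes of RAM slack and 3,584 bytes of file slack, so most of the cluster is not the file at all. The strings found in each region are exactly what the slides warn about: buffer contents in the RAM slack and another (deleted) file’s leftovers in the file slack, neither visible to a normal user.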
31
2. Finding Hidden Data in Slack Space (cont)
In the Overview Tab
  Select the Slack/Free Space button
  Details pane contains all slack/free space items
  Full Path describes where that slack space is located
    In a specific file
      It’s part of the file, but not part of the data itself
      Comes after the “end of file” marker
Do a “search”
  A word might appear in “slack”, which might indicate an attempt at hiding something
32
Slack: Overview Tab
33
Slack: Specific File Start from the “Explore” Tab
Locate the file (Giants Tickets.doc)
  This file is deleted
Highlight the file in Explore
You’ll see:
  Pane 2 (lower pane): list of embedded “stuff” in the file, INCLUDING File Slack
  Pane 3 (upper right): the document as presented by FTK, believing it to be a “Word doc”
Then… in pane 2, select “File Slack” and observe what’s displayed in pane 3
34
Slack: Search. Conduct a search
Examine the returned “hits” of the search
  Search results (“hits”) indicate where the occurrence was, even if in slack space
  Each “hit” also shows the data immediately before and after the “hit” phrase
35
Searching: Click the SEARCH tab
As you type a word or “character string”, indexed words in the case show up
Once you’ve found or typed your search term, ADD it to the search
  You’ll see the # of hits
  You’ll see the # of files containing those “hits”
36
Searching: Select the “hits” for the search item
Then “View Item Results”
You can use “AND” or “OR” logic when looking for multiple search items in the same file
  AND requires all to be present
  OR requires any one of them to be present
37
Searching: Indexed vs. Live
Indexed
  Looks up terms indexed by FTK as evidence was added
Live
  Looks up a term which wasn’t necessarily in the index built by FTK
  Options
    Text
      ASCII
      UNICODE
      CASE SENSITIVE
      REGULAR EXPRESSION
    Hexadecimal
38
Live Search
Keep ASCII and Unicode selected
  They’re both defaults
Default is “ignore case”
  Won’t care if upper or lower case
Will take time
  Searches the entire case
Regular expressions (NOT IN CSI 2012)
  A “pattern” to match
    Zip code
    Telephone number
    Social security number
    Credit card number
Hexadecimal
  Look for “non-printable” character values
39
3. Finding a Recently Deleted File
How do you find a deleted file?
Overview Tab
  Select the summary button for Deleted Files
  All those files appear in the lower pane
Explorer Tab
  You can view the “directory structure” in the 1st pane
  Deleted files appear with a red “X” on the icon of the file or folder
Deleted files are often recoverable
  You need to EXPORT the file
40
3. Finding a Recently Deleted File (cont)
41
3. Finding a Recently Deleted File (cont)
Why could this be significant?
  The investigator might recover information the suspect was attempting to hide or destroy
  Might demonstrate intent to evade detection
  It can be demonstrated that a large number of files were deleted
    Just prior to execution of a search warrant
    After being interviewed by the police
    After receiving a call from a victim or conspirator
  When taken into account, this might provide circumstantial evidence of intent
42
4. Finding a File with an Improper File Extension
How do you do it?
Overview Tab
  Find the summary button for “Bad Extensions”
  Pane 2 lists all those files
Explorer Tab
  Navigate to the location
  Pane 2 shows files in that location, with additional information for each file
43
Exporting a file: What is “exporting”? Why?
Exporting allows an investigator to
  Select a file or files
  Save them as discrete files to another location outside of the FTK case file
Why?
  Allows investigators to process the exported file “natively” using applications such as Word, Excel, Paint, etc.
  Some files must be processed natively (for example, a stego’d file must be exported and handled using S-Tools, as explained in section 5)
  Can burn to a DVD and give to the DA or another investigator
  Allows the investigator to consolidate items of interest in one place and present only those items
44
Exporting a file How do you export a file?
Select the file (highlight it) in the Explorer Tab
Right-click on the file and “Export it”
45
4. Finding a File with an Improper File Extension
How do we find the file?
Overview Tab
  Click on the “Improper Name” summary button
Explorer Tab
  In pane 2 (lower pane), improper file extensions will be noted
46
4. Finding a File with an Improper File Extension (cont)
What it means
  It might be a deliberate attempt to evade detection and hide information
    The information might be important
  It could also just be a mistake on the part of the user
    File saved or renamed with the wrong extension
47
4. Finding a File with an Improper File Extension (cont)
How do I process a file with an “Improper File Extension”?
  Note the type of file it really should be
  Export the file
  Use the appropriate software to view the file, according to the “real type” of file it is
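Added example (not from the deck, not FTK code) of how a “bad extension” is detected: the first bytes of a file carry a signature (“magic number”) that identifies the real type, and FTK’s summary button lists files whose name extension contradicts it. The signature table uses publicly documented values; the file names and contents are constructed. The BMP case shows the caveat: “BM” is only two bytes, so a text file that happens to start with “BM” would be a false positive unless the header is checked further.

```python
import os
import struct

# Publicly documented file signatures at offset 0, the content type each
# identifies, and the name extensions consistent with that type.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {"doc", "xls", "ppt"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx"}),
    (b"MZ", "exe", {"exe", "dll"}),
    (b"BM", "bmp", {"bmp"}),
]


def _bmp_header_consistent(data):
    # "BM" is only two bytes, so also require the size field at offset 2 to match.
    return len(data) >= 14 and struct.unpack_from("<I", data, 2)[0] == len(data)


def identify(data):
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind, _ in SIGNATURES:
        if data.startswith(magic):
            if kind == "bmp" and not _bmp_header_consistent(data):
                continue
            return kind
    return "unknown"


def extension_consistent(kind, ext):
    """True when the name extension is one that this content type normally uses."""
    allowed = {k: exts for _, k, exts in SIGNATURES}
    return ext in allowed.get(kind, {ext})


def find_bad_extensions(files):
    """Map each file whose extension contradicts its content to its real type."""
    bad = {}
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        kind = identify(data)
        if kind != "unknown" and not extension_consistent(kind, ext):
            bad[name] = kind
    return bad


def bmp_stub(payload_len=32):
    """Constructed minimal BMP-shaped file: 'BM', file size, reserved, pixel offset."""
    return b"BM" + struct.pack("<IHHI", 14 + payload_len, 0, 0, 14) + b"\x00" * payload_len


JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20

# Constructed evidence files (names and contents are made up for the example).
EVIDENCE = {
    "vacation.jpg": JPEG_STUB,                                         # consistent
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # OLE2, consistent
    "notes.txt": JPEG_STUB,                                            # JPEG renamed .txt
    "readme.doc": b"PK\x03\x04" + b"\x00" * 24,                        # ZIP-based file named .doc
    "logo.jpg": bmp_stub(),                                            # BMP renamed .jpg
    "logo.bmp": bmp_stub(),                                            # consistent
    "bmw.txt": b"BMW service invoice, total $420",                     # text that begins with "BM"
    "plain.txt": b"just some text",                                    # no signature: not judged
}


if __name__ == "__main__":
    for name, real in find_bad_extensions(EVIDENCE).items():
        print(f"{name}: extension says {os.path.splitext(name)[1]}, content is {real}")
```

The result tells you the “real type”, which is the piece of information the slide says to note before exporting: notes.txt is really a JPEG, so it goes to an image viewer, not Notepad. A file with no recognised signature is simply not judged, so an absent entry is not proof that the extension is right.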
48
5. Finding a Stego’d Image or Data Hidden in a JPEG File
How do you do it?
Certain files, such as Windows “BMP” files, can be “containers”
  Software such as S-Tools can hide information inside these “container files”
Locate a suspected “stego’d” file (the container file)
  Should be a “BMP” file
Export it from FTK’s case
  This saves it as a separate file you can then process outside of FTK
Use S-Tools to extract the “message file” from the “container file”
  A password or passphrase might be required!
49
5. Finding a Stego’d Image or Data Hidden in a JPEG File
Open S-Tools
Drag the “exported” file believed to be a “container file” into S-Tools
50
5. Finding a Stego’d Image or Data Hidden in a JPEG File (cont)
Right-click the “container” in S-Tools
Select “Reveal”
When prompted, provide the “passphrase”
  Can be a single word or a phrase
  Could be case sensitive
A “revealed archive” window shows the hidden file name and size
Select the file in the “Reveal Archive” box
Right-click the file you wish to extract from the container file
  Save as…
  Choose a location
You’ve now successfully extracted the hidden message!
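Added example (not from the deck and not S-Tools’ own code or file format) for the section 5 slides above: why a BMP makes a good “container” and what “Reveal” has to do. It hides a message in the least significant bit of each pixel byte of a constructed 16×16 24-bit BMP, reads it back, and measures how little the carrier changed. This is the generic least-significant-bit technique, with no passphrase and no encryption; the deck says S-Tools may need a passphrase, and this example does not reproduce S-Tools’ actual layout, so it cannot open a real S-Tools container. The BMP writer, the gradient image and the message are constructed for the example.

```python
import struct

W, H = 16, 16   # tiny carrier; width*3 is a multiple of 4, so rows need no padding


def make_bmp(width, height, rgb):
    """Constructed writer for an uncompressed 24-bit BMP (14-byte file header + 40-byte DIB header)."""
    assert len(rgb) == width * height * 3 and (width * 3) % 4 == 0
    header = b"BM" + struct.pack("<IHHI", 54 + len(rgb), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(rgb), 2835, 2835, 0, 0)
    return header + dib + rgb


def pixel_offset(bmp):
    """Offset of the pixel array, read from the BMP file header."""
    return struct.unpack_from("<I", bmp, 10)[0]


def embed(pixels, message):
    """Write a 4-byte length then the message, one bit per pixel byte (LSB)."""
    payload = struct.pack(">I", len(message)) + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message too large for this carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def reveal(pixels):
    """Read the LSB stream back; raises if the length field is not plausible."""
    def read(start, count):
        data = bytearray()
        for k in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + k * 8 + i] & 1)
            data.append(byte)
        return bytes(data)
    length = struct.unpack(">I", read(0, 4))[0]
    if length > (len(pixels) - 32) // 8:
        raise ValueError("no plausible hidden payload in this carrier")
    return read(32, length)


def hide_in_bmp(bmp, message):
    """Leave the headers alone; only the pixel array carries the message."""
    off = pixel_offset(bmp)
    return bmp[:off] + embed(bmp[off:], message)


def reveal_from_bmp(bmp):
    return reveal(bmp[pixel_offset(bmp):])


def carrier_change(original, stego):
    """Bytes changed and the largest per-byte difference between two same-size files."""
    pairs = list(zip(original, stego))
    return sum(a != b for a, b in pairs), max(abs(a - b) for a, b in pairs)


# Constructed carrier: a smooth colour gradient (all byte values even, so its LSBs are 0).
PIXELS = bytes((x * 16 + y * 8 + c * 40) & 0xFF for y in range(H) for x in range(W) for c in range(3))
CLEAN_BMP = make_bmp(W, H, PIXELS)
MESSAGE = b"meet at gate C, 8pm"


def demo():
    """Hide, reveal, and report how the carrier differs from the clean image."""
    stego = hide_in_bmp(CLEAN_BMP, MESSAGE)
    return reveal_from_bmp(stego), carrier_change(CLEAN_BMP, stego), len(stego) == len(CLEAN_BMP)


if __name__ == "__main__":
    recovered, (changed, max_delta), same_size = demo()
    print("recovered:", recovered)
    print(f"{changed} bytes changed, largest change per byte: {max_delta}, same size: {same_size}")
```

The container keeps its size and every header byte, and no pixel value moves by more than 1, which is why the image looks identical and why only the tool that knows the layout (and, for S-Tools, the passphrase) can reveal the archive. On the clean gradient the reader finds a zero-length payload; on a real photograph the low bits are noise, so a length read out of a clean image is random and the plausibility check is what keeps “Reveal” from returning garbage.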
52
5. Finding a Stego’d Image or Data Hidden in a JPEG File (cont)
The result!
53
5. Finding a Stego’d Image or Data Hidden in a JPEG File (cont)
What it means
  Definitely a means of evading detection. It’s not accidental!!
    1. Data is hidden
    2. A passphrase might be required
  Whoever can be demonstrated to know the passphrase either put the hidden data there, or knew how to retrieve it
    Guilty knowledge!
54
The End! Best of luck to all CSI Challenge participants!