Guide to AccessData FTK Forensic Investigation

Module XVIII – Forensic Investigation
Using AccessData FTK

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
• Forensic Toolkit (FTK)
• Installation of FTK
• Starting with FTK
• Working with FTK
• Working with Cases
• Searching a Case
• Data Carving
• Using Filters
• Decrypting Encrypted Files
• Working with Reports
• Customizing the Interface
This module will familiarize you with:

EC-Council
Module Flow
Forensic Toolkit (FTK)
Customizing the Interface
Searching a Case
Starting with FTK
Data Carving
Working with Reports
Installation of FTK
Working with FTK
Using Filters
Decrypting Encrypted Files
Working with Cases

EC-Council
Forensic Toolkit (FTK®)
Forensic Toolkit® (FTK®) is recognized around the world as the standard in
computer forensic investigation technology
This court-validated platform delivers cutting edge analysis, decryption and
password cracking all within an intuitive, customizable and user-friendly
interface
In addition, with FTK, you have the option of utilizing a back-end database to
handle large data sets or you can work without one if application simplicity is
your goal

EC-Council
Features of FKT
An Integrated Solution
• Create images, analyze the registry, conduct an investigation, decrypt files, crack
passwords, identify stegonograpy, and build a report all with a single solution
• Recover passwords from over 80 applications; harness idle CPUs across the
network to decrypt files and perform robust dictionary attacks
• KFF hash library with 45 million hashes
Embedded Oracle Database & Powerful Searching
Powerful Processing and Speed
Intuitive Interface and Rich Functionality

EC-Council
Installation of FTK

EC-Council
Software Requirement
The required software for operation of AccessData Forensic
Toolkit (FTK) 2.1:
CodeMeter 3.30a Runtime software for the CodeMeter Stick
Oracle 10g Database
FTK Program
Additional program required to aid in processing cases:
FTK Known File Filter (KFF) Library
AccessData LanguageSelector
AccessData LicenseManager

EC-Council
Installing FTK (cont’d)
FTK can be set up in three different
configurations:
• Single Machine
• Separate Machines
• Separate Machines with an pre-installed
Oracle

EC-Council
FTK Installation
Insert the FTK 2.1 DVD into the drive Click Install Forensic Toolkit 2.1

EC-Council
Codemeter Stick Installation
Follow the directions for installation, accepting all defaults, and click Finish to
complete the installation

EC-Council
Oracle Installation
1. Launch the Oracle
installer
2. Click Next
3. Read the license agreement, agree
to it, and click Next

EC-Council
Oracle Installation (cont’d)
4. Wait for the installer to
configure the installation
5. Select the installation drive
letter and click Next
6. Agree to the Oracle
Admin Password
Agreement and click
Next

EC-Council
Oracle Installation (cont’d)
7. Provide an Oracle System Administrator
password and click Submit
8. Wait for the installation and
configuration to finish
9. Click Finish to end the installation
process

EC-Council
Single Computer Installation
1. Click Install FTK 2.1
2. Click Next 3. Read and accept the
AccessData license agreement
and click Next
4. Select the location for the FTK components

EC-Council
Choosing an Evidence Server
Select computer if evidence files are stored on a volume on the computer running FTK, or on
another computer that is not part of a domain
If the evidence is stored elsewhere on a domain network, set up access to the evidence
storage computer by choosing other computer on the network
Click Next

EC-Council
Installing the KFF Library
1. Click Install KFF Library
2. Click Next
3. Accept the KFF license
agreement and click Next
4. Allow installation to
progress
5. Click Finish to end the
installation

EC-Council
Installing on Separate Computers
Change the step to 2,4,1,3
Perform steps 2 and 4 on the
computer to run Oracle
Perform steps 1 and 3 on the
computer designated to run the FTK
Program

EC-Council
Starting with FTK

EC-Council
Starting FTK
Start >
All Programs >
AccessData >
Forensic Toolkit >
AccessData Forensic Toolkit 2.1

EC-Council
Setting Up The Application
Administrator
Database > Add User

EC-Council
Case Manager Window
After logging in, the FTK Case Manager window appears with following
Menus:
• File
• Database
• Case
• Tools
• Help

EC-Council
Toolbar Components
The FTK interface provides a toolbar for applying QuickPicks and
filters to the case

EC-Council
Toolbar Components

EC-Council
Properties Pane

EC-Council
Hex Interpreter Pane

EC-Council
Web Tab

EC-Council
Filtered Tab

EC-Council
Text Tab

EC-Council
Hex Tab

EC-Council
Explore Tab

EC-Council
Quickpicks Filter

EC-Council
Data Processing Status Dialog
Data Processing Status: In Progress Data Processing Status: Successfully
Completed

EC-Council
Overview Tab

EC-Council
Email Tab

EC-Council
Graphics Tab

EC-Council
Thumbnails Pane

EC-Council
Bookmarks Tab

EC-Council
Live Search Tab

EC-Council
Index Search Tab

EC-Council
Creating Tabs

EC-Council
Launching FKT
Click Start> All Programs > AccessData > Forensic Toolkit >
AccessData Forensic Toolkit 2.1
Log in using the case-sensitive user name and password provided by
the application administrator

EC-Council
Launching FKT
Click Database > Add User to open the Add New User
dialog
Enter a user name
Enter the full name of the user as it is to appear in reports.
Assign a role
Enter a password
Verify the password
Click OK to save the new user and close the dialog

EC-Council
Working with FTK

EC-Council
Creating A Case
Launch FTK 2.1 and login and open the Case Manager
window
Click Case > New
Enter a name for the case in the Case Name field
Enter the specific reference information in the Reference
field
Enter a short description of the case in the Description
field
If you wish to specify a different location for the case,
click the browse button

EC-Council
Creating a Case
Click Detailed Options to choose settings for the case
• Click the Evidence Processing icon in the left pane, and select the processing options to run on
the evidence
• Click the Evidence Discovery icon to specify the location of the File Identification File, if
one is to be used
• Click the Evidence Refinement (Advanced) icon to select the custom file identification file to
use on this case
• Click the Index Refinement (Advanced) icon to select which types of evidence to not index
• Click OK
Mark the Open the Case check box to see the case after clicking OK to close the New
Case Options dialog
Click OK

EC-Council
Evidence Processing Options

EC-Council
Selecting Data Carving Options
Select Data Carve
Click Carving Options
Mark the Exclude KFF Ignorables box to specify not to carve those files
Select the types of files to be carved
• Click Select All to select all file types to be carved.
• Click Clear All to unselect all file types.
• Select individual file types by marking the checkboxes
Define the limiting factors to be applied to each file
• Define the minimum byte file size for the selected type
• Define the minimum pixel height for graphic files
• Define the minimum pixel width for graphic files
Click OK

EC-Council
Selecting Evidence Discovery
Options

EC-Council
Selecting Evidence Refinement
(Advanced) Options
Click the Evidence Refinement (Advanced) icon in the left pane
The Evidence Refinement (Advanced) dialog is organized into two
tabs:
• Refine Evidence by File Status/Type
• Refine Evidence by File Date/Size
Click the corresponding tab to access the desired refinement type
Set the needed refinements for the current evidence item
To reset the menu to the default settings, click Reset

EC-Council
Selecting Evidence Refinement
(Advanced) Options

EC-Council
Selecting Index Refinement
(Advanced) Options
Click Index Refinement (Advanced) in the left pane
The Index Refinement (Advanced) dialog is organized into two
tabs:
• Refine Index by File Status/Type
• Refine Index by File Date/Size
Click the corresponding tab to access the desired refinement type
Set the refinements for the current evidence item
To reset the menu to the default settings, click Reset

EC-Council
Selecting Index Refinement
(Advanced) Options

EC-Council
Refining an Index by File
Date/Size

EC-Council
Adding Evidence
Click Add, Select Evidence Type dialog appears
Select the type of evidence item to add to the case at this time
Click OK
Browse to the evidence item to add > Select the item(s)>Click Open
Complete the Manage Evidence dialog

EC-Council
Backing Up the Case
In the Case Manager window, click Case > Backup
Select an archive folder location
Click Save

EC-Council
Restoring a Case
In the Case Manager window, click Case > Restore
Browse to and select the archive folder to be restored
Click OK

EC-Council
Deleting a Case
In the Case Manager window, highlight the case to delete from the
database
Click Case > Delete
Click Yes to confirm deletion

EC-Council
Working with Cases

EC-Council
Opening an Existing Case
Log on to FTK2.1
Double-click on the case you want to open, or highlight the case and click
Case > Open

EC-Council
Adding Evidence
1
• Click Add to choose the type of evidence items to insert into a new
case
2
• Mark the type of evidence to add, then click OK
3
• Browse to and select the evidence item from the stored location
4
• Click OK
5
• Fill in the ID/Name field with any specific ID or Name data applied
to this evidence for this case
6
• Use the Description field to enter a description of the evidence
being added
7
• Select the Time Zone of the evidence where it was seized in the
Time Zone field

EC-Council
Adding Evidence
8
• Click Refinement Options to open the Refinement Options dialog with a set
similar to the Refinement Options set at case creation

EC-Council
Adding Evidence
9 • Click OK to accept the settings and to exit the Manage Evidence dialog
10
• Select the KFF Options button to display the KFF Admin dialog
11
• Click Done to accept settings and return to Manage Evidence dialog
12
• Click Language Settings to change the codepage for the language to view the evidence in
13
• Click OK to add and process the evidence

EC-Council
Selecting a Language
Click Language Settings

EC-Council
Additional Analysis
Click Evidence > Additional Analysis

EC-Council
Properties Tab
The properties pane is organized
into the following sections:
• General Info
• File Attributes
• File Content Info

EC-Council
The Hex Interpreter Tab
Switch the File Content pane to Hex view
Select one to eight couplets

EC-Council
The Hex Interpreter Tab
Right-click the Hex view to see a context menu with more options
Click Save Selection as carved file to manually carve data from files,
and the go to offset dialog to specify offset amounts and origins
Click OK to close Go To Offset dialog

EC-Council
Using the Bookmark
Information Pane
Bookmarks help organize the case evidence by grouping related or
similar files

EC-Council
Creating a Bookmark
Right-click the files or thumbnails and click create bookmark or click the
bookmark button on the file list toolbar to open the create new bookmark dialog

EC-Council
Creating a Bookmark
Enter a name for the bookmark in the Bookmark Name field
(Optional) In the Bookmark Comment field, type comments about the bookmark or its
contents
Click one of the following options to specify which items to add to the bookmark:
• All Highlighted: Highlighted items from the current file list; Items remain highlighted only as
long as the same tab is displayed
• All Checked: All items checked in the case
• All Listed: Bookmarks the contents of the File List
(Optional) Type a description for each file in the File Comment field

EC-Council
Creating a Bookmark
Click Attach to add files external to the case that should be referenced from this
bookmark
For FTK to remember the highlighted text in a file and automatically highlight it
when the bookmark is re-opened, check Bookmark Selection in File
Select the parent bookmark under which you would like to save the bookmark
Click OK

EC-Council
Bookmarking Selected Text
Open the file containing the text you want to select
From the Natural, Text, Filtered or Hex views, click Create Bookmark in the
File List toolbar to open the Create New Bookmark dialog
When creating your bookmark, check Bookmark Selection in File

EC-Council
Adding Evidence to an Existing
Bookmark
Right-click the new file
Click Add to Bookmark
Select the parent bookmark
Select the child bookmark to add the
file
Click OK

EC-Council
Moving a Bookmark
From either the Bookmark or Overview tab, select the bookmark you
want to move
Using the left or right mouse button, drag the bookmark to the desired
location and release the mouse button

EC-Council
Removing a Bookmark
In the Bookmark tab, expand the bookmark list and highlight the
bookmark to be removed
Press the Delete key

EC-Council
Deleting Files from a Bookmark
Right-click the file in the Bookmark File List
Select Remove from Bookmark

EC-Council
Verifying Drive Image Integrity
Select Tools > Verify Image Integrity to open the Verify Image Integrity dialog
Click either Calculate, or Verify according to what displays in the Command column, to
begin hashing the evidence file

EC-Council
Copying Information From FTK
In the file list on any tab, select the files that you want to copy information about
Select Edit > Copy Special, click the Copy Special button on the file list pane, or right-
click the file in the file list and click Copy Special
In Copy Special dialog, you can select the options: Choose Columns, Include header
row, All Highlighted, All Checked, Currently Listed, All

EC-Council
Copying Information From FTK
In the Choose Columns drop-down list, select the column template that
contains the file information that you want to copy
To define a new column settings template click Column Settings to open the
Column Settings manager
• Create the column settings template you need
• Click Save to save the changes made
• Close the Column Settings manager
• Select the new columns setting template from the drop-down list
Click OK to initiate the Copy Special task

EC-Council
Exporting File List Info
Select File > Export File List Info
Select the File List Items to Export
Choose whether to include a header row in the
exported file
Select column information
Specify the filename for the exported information
Browse to and select the destination folder for the
exported file
Click Save

EC-Council
Exporting the Word List
Select File > Export Word List
Select the file and location to which you want to write the word list
Click Save

EC-Council
Creating a Fuzzy Hash Library
Fuzzy hashing is a tool which provides the ability to compare two
distinctly different files and determine a fundamental level of similarity
Tools>FuzzyHash>Manage Library

EC-Council
Selecting Fuzzy Hash Options
During Initial Processing
After choosing to create a new case, click Detailed Options

EC-Council
Selecting Fuzzy Hash Options
During Initial Processing
Select FuzzyHash
• (Optional) If FTK already refers to a fuzzy hash
library then select to match ok new evidence against
the existing library by selecting Match Fuzzy Hash
Library
• Click FuzzyHash Options to set additional options
for fuzzy hashing
• Set the size of files to hash; the size defaults to 20
MB, 0 indicates no limit
• Click OK to set the value
Select OK to close the Detailed Options
dialog

EC-Council
Additional Analysis Fuzzy
Hashing
Click Evidence > Additional Analysis

EC-Council
Additional Analysis Fuzzy
Hashing
Select FuzzyHash
• (Optional) Select if the evidence needs to matched against
the fuzzy hash library
• (Optional) If performing this additional analysis after
adding new information, the fuzzy hashing can be done
again against previously processed items
• (Optional) Click Fuzzy Hash Options to open the Fuzzy
Hash Options dialog
• Set the file size limit on the files to be hashed
• Click OK
Click OK to close the Additional Analysis dialog
and begin the fuzzy hashing

EC-Council
Comparing Files Using Fuzzy
Hashing
Tools>
Fuzzy Hash>
Find Similar Files

EC-Council
Viewing Fuzzy Hash Results
To view the fuzzy hash results in FTK, several pre-defined column
settings can be selected in the Column Settings field under the
Common Features category
Those settings are:
• Fuzzy Hash
• Fuzzy Hash block size
• Fuzzy Hash library group
• Fuzzy Hash library score
• Fuzzy Hash library status

EC-Council
Searching a Case

EC-Council
Conducting A Live Search
In the Live Search tab, click the Text, Pattern,
or Hex tab
Click to select the needed sets
Click to include EBCDIC, Mac, and Multibyte as
needed
Click OK to close the dialog
Click to mark Case Sensitive
Enter the term in the Search Term field

EC-Council
Conducting A Live Search
Click Add to add the term to the Search Terms window
Click Clear to remove all search terms
In the Max Hits Per File field, enter the maximum number of times you want a
search hit to be listed per file; default is 200
(Optional) Apply a filter from the drop-down list; Applying a filter speeds
searching by eliminating items that do not match the filter
Click Search
Select the results to see from the Live Search Results pane

EC-Council
Customizing the Live Search Tab
Change the order of the Live Search tabs by dragging and dropping them
into the desired order and the following figure shows the live search tabs

EC-Council
Documenting Search Results
Right-click an item in the Search Results list to open the quick menu
with the following options:
• Copy to Clipboard:
• Copies the selected data to the clipboard where it can be copied to another
Windows application, such as an Excel spreadsheet
• Export to File:
• Copies information to a file
• Select the name and location for the information file

EC-Council
Using Copy Special to Document
Search Results
Find that file highlighted in the File List view
Right-click on the desired file
Select Copy Special
In the Copy Special dialog, under Choose Columns, click the dropdown select the columns
definition to use, or click Column Settings to define a new column template
• Modify the column template in the Column Settings Manager
Mark Include Header Row if you want a header row included in the exported file
Under File List Items to Copy, select from All Highlighted, All Checked, Currently Listed, or
All to specify which files you want the Copy Special to apply to
Click OK

EC-Council
Using Copy Special to Document
Search Results (cont’d)

EC-Council
Bookmarking Search Results
Select the files you want to include in the bookmark
Right-click the selected files then select Create Bookmark
Complete the Create New Bookmark dialog
Click OK

EC-Council
Data Carving

EC-Council
Data Carving
Data carving can be done when adding evidence to a case, or by clicking
Evidence > Additional Analysis > Data Carve from within a case
Search for following files types:
• AOL Bag Files
• BMP Files
• EMF Files
• GIF Files
• HTML Files
• JPEG Files
• Link Files
• PDF Files
• OLE Archive Files (Office Documents)
• PDF Files
• PNG Files

EC-Council
Data Carving Files in an Existing
Case
From the Evidence > Additional Analysis
Check Data Carve
Click Carving Options
Set the data carving options to use
Click OK to close the Carving Options dialog
Select the target items to carve data from
Click OK

EC-Council
Using Filters

EC-Council
Creating a Filter
Select Unfiltered from the Select a Filter drop-down menu
Click Filter > New, or click Define on the Filter toolbar
Type a name and a short description of the filter
Select a property from the drop-down menu
Select an operator from the Operators drop-down menu
Select the applicable criteria from the Criteria drop-down menu
Select the Match Any operator to filter out data that satisfies any one of the filter rules
Click Save

EC-Council
Refining a Filter
Select the filter you want to modify from the Filter drop-down list
Click Define
To make your filters more precise, click the Plus (+) button to add a
rule, or the Minus (–) button to remove one.
When you are satisfied with the filter you have created or modified, click
Save, then Close

EC-Council
Deleting a Filter
Select the filter to delete from the Filter drop-down menu list
Click Filter > Delete or click the Delete Filter button on the Filter
toolbar
Confirm the deletion

EC-Council
Decrypting Encrypted Files

EC-Council
Decrypting Files and Folders
Click Tools > Decrypt Files

EC-Council
Decrypting Files and Folders
(cont’d)
Type a password in the Password box
Mark Permanently Mask to display the password in the Saved Passwords list as
asterisks, hiding the actual password
Click Save Password to save the password into the Saved Password List
Mark Attempt Blank Password to decrypt files with no password, or whose
password is blank
Click Decrypt to begin the decryption process
Click Cancel to return to the case

EC-Council
Viewing Decrypted Files
Click File Status > Decrypted Files

EC-Council
Decrypting Domain Account EFS
Files
Create a new case with no evidence added
From the main menu, click Evidence > Add/Remove

EC-Council
Decrypting Domain Account EFS
Files
Click Add
Select Individual File
Click OK
Navigate to the PFX file (domain recovery key) or type the full path and filename into the
File Name field of the Open dialog
Click Open
Click No when the application asks if you want to create an image of the evidence you are
adding
Select the proper time zone for the PFX file from the Time Zone drop-down list in the
Manage Evidence window, and click OK

EC-Council
Decrypting Credant Files
Click Tools > Credant Decryption

EC-Council
Decrypting Safeguard Utimaco
Files
Safeguard Utimaco is a full-disk encryption program

EC-Council
Working with Reports

EC-Council
Creating a Report
Enter basic case information
Select the properties of bookmarks
Decide how to handle graphics
Decide whether to add a file path list
Decide whether to add a file properties list
Select the properties of the file properties list
Add the Registry Viewer sections

EC-Council
Saving Settings
To export report settings do the following:
• Click Export then Export Selections dialog will open
• Check the sections to export the settings for
• Click OK
• Type a name for the setting file
• Click OK to save the settings as an .XML file
To import settings to a new report in another case, perform the following steps:
• Open a different case
• Click File > Report > Import
• Browse to and select the settings file you want to import
• Click Open to import the settings file to your current case and report

EC-Council
Entering Basic Case Information
To add an entry for case information do the following:
• Click Add
• Provide a label and a value for the new entry
To remove a Case Information entry, do the following:
• Highlight the entry line to be removed
• Click Remove

EC-Council
Including Bookmarks

EC-Council
Including Graphics

EC-Council
Selecting a File Path List

EC-Council
Selecting a File Properties List

EC-Council
Registry Selections

EC-Council
Selecting the Report Location
Type the folder to save the report to, or use the
Browse button to find a location
Use the drop-down arrow to select the output
language of the report
Indicate the output format to publish the report
Select the optional Export Options for the report:
• Use object identification number for filename
• Append extension to filename if bad/absent
When output selections have been made, click OK to
generate report

EC-Council
HTML Case Report

EC-Council
PDF Report

EC-Council
Customizing the Interface

EC-Council
Creating Custom Tabs
Click View > Tab Layout > Add
Enter a name for the new tab and click OK
From the View menu, select the features you need in your new tab
When satisfied with your new tab’s content, click Save to save the current
tab’s settings, or View > Tab Layout > Save
(Optional) Click View > Tab Layout > Save All to save all changed and
added features
To remove tabs, click View > Tab Layout > Remove

EC-Council
Customizing File List Columns
To export column settings to an .xml file, do the
following:
• Click Export
• Select a folder and provide a filename for the exported
column settings file
• Click Save
To import a column settings file, do the
following:
• From the Column Settings dialog, click Import
• Find and select the column settings .xml file
• Click Open

EC-Council
Creating and Modifying Column
Settings
Right-click a heading in the File List, or click the Column Settings button to
open the Manage Columns context menu
Click Column Settings then column settings dialog will opens
From the Available Columns pane, select a category from which to use a
column heading
Add the entire contents of a category or expand the category to select
individual headings

EC-Council
Summary
FKT is validated platform delivers edge analysis, decryption and password cracking facility and
customizable interface
Create images, analyze the registry, conduct an investigation, decrypt files, crack passwords, identify
stegonograpy, and build a report all with a single solution
Advanced data carving engine allows to carve allocated and unallocated data and which specify criteria, such
as file size, data type and pixel size to reduce the amount of irrelevant data carved while increasing overall
thoroughness
FTK can be set up in three different configurations
Fuzzy hashing is a tool which provides the ability to compare two distinctly different files and determine a
fundamental level of similarity

Guide to AccessData FTK Forensic Investigation

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (6)

Ähnlich wie Guide to AccessData FTK Forensic Investigation

Ähnlich wie Guide to AccessData FTK Forensic Investigation (20)

Mehr von Desmond Devendran

Mehr von Desmond Devendran (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Guide to AccessData FTK Forensic Investigation