Forensic Analysis Using FTK

Lab 3: Analysis Using FTK
Lab 3: Forensic Analysis Using FTK
This lab uses a full version of AccessData’s Forensic Tool Kit (FTK) to analyze an
image of a suspect disk for evidence.
The Situation
At Price Software Company, a particular employee (Patrick R. Casey) has been behaving
very erratically and his behavior has been brought to management’s attention. Of
particular concern has been the reported conversations revealing anger with location of a
new retail store in a rural area and a particular interest in arson.
An image of the person’s disk has been collected and presented to you for analysis.
Time Required
This is a complex lab and will require up to 2 hours to complete.
As usual, answer the numbered questions on the answer sheet provided as the last page of
the lab.
Loading the Image into FTK
To improve performance, this image will be copied to the hard disk. Create the following
directory structure:
C:\2009-03-xxxx replace xxxx with last 4 of KSUnumber
└───Evidence
Copy the Firestarter.E01 file into the evidence subdirectory using the following
command:
C:\>xcopy d:\firestarter.e01 2009-03-xxxx\evidence\
D:\Firestarter.E01
1 File(s) copied
Start FTK by clicking on the desktop icon.
Select “Start New Case” in the dialog box and fill in the case details in the new case
wizard:
KSU ISA4350 – Page 1 of 11

Lab 3: Analysis Using FTK
Note: If you receive a warning that the directory already exists and click “Yes” to erase
it, click “Yes” because the evidence file will not be erased.
Click “Next” and fill in your name on the “Examiner Information” dialog and click
“Next.” Accept the defaults for the “Case Log” options by clicking “Next.” Accept the
defaults on “Processes to Perform” by clicking “Next.” Accept the defaults on “Refine
Case – Default” by clicking “Next.” Accept the defaults on “Refine Index – Default” by
clicking “Next.”
In the “Add Evidence” dialog box, click on “Add Evidence” and select “Acquired Image
of Drive” and click “Continue.” Navigate to the “Evidence” subdirectory you created:
KSU ISA4350 – Page 2 of 11

Lab 3: Analysis Using FTK
Select the “Firestarter.E01” file and click “Open.” FTK will process briefly and present
a dialog for describing the evidence item and selecting a timezone. Select “Eastern
Time…” and click “Next.”
Click “Finish” in the “New Case Setup Complete” panel to begin processing the evidence
file. This processing will take some time (10 – 15 minutes) as FTK is analyzing the
evidence file, recovering deleted files and indexing all the items it finds.
KSU ISA4350 – Page 3 of 11

Lab 3: Analysis Using FTK
When processing is finished, the case overview screen appears:
1. How many files were detected as having bad extensions (indicating that their
extension does not match the internal header)?
Looking for Evidence
A forensics investigation can sometimes seem like looking for the proverbial needle in a
haystack and leave you wondering where you might start. There are a couple of options:
Search terms
Records of activities such as EMAIL, chat logs, etc
For a law enforcement professional, it is very critical that your choice of actions match
the authorization of the search warrant. For example, if the warrant authorizes you to
search for spreadsheets and documents that might provide evidence in a fraud
investigation, it would be inappropriate to search graphic files looking for pornography.
In fact, exceeding the authorized scope of the warrant in such a fashion might cause all
the evidence to be ruled inadmissible at trial.
For an investigator in private industry, the restrictions are somewhat more lax. However,
keep in mind that clients typically do not appreciate an investigator’s discovery of things
they weren’t retained to look for (e.g., presenting them with child pornography that must
be turned over to law enforcement when you were supposed to be searching for diddled
expense reports). Also the pressure of a case backlog will limit the amount of time that
can be devoted to an individual case. The guiding rule is to discover all relevant
evidence regarding the matter under investigation.
Search Terms
The specific search terms or keywords used will be determined by the specifics of
the case. In a case involving bomb threats, the inexperienced analyst might be tempted to
KSU ISA4350 – Page 4 of 11

Lab 3: Analysis Using FTK
leap immediately to a search for the word “bomb” but a wiser analyst will spend some
time designing a set of search terms that will identify the maximum amount of evidence.
Remember that there is no such thing as too much relevant evidence.
Legal researchers also have to wade through mounds of law and legal precedent
in order to identify the relevant laws and cases for a pending case and they have
developed a technique called “cartwheeling” to help them develop a more complete set of
search terms (Statsky, 1998). To make a cartwheel, put the central term in the center and
then group related terms around it on the spokes of an imaginary wheel. Extend the
cartwheel with terms related to those terms.
Fuze
or Fuse
Detonator
BOMB
Explosive
“Fuze or fuse” illustrates an important point – sticks of dynamite have fuzes while
electrical devices have fuses – but don’t depend on your suspect knowing or abiding by
the distinction. Words that sound the same but are spelled differently are known as
homophones and your search terms should include all the spellings of relevant
homophones.
Be creative yet reasonable in identifying search terms. While “dynamite” and
“C4” are both explosives, a software developer is not likely to have access to them and
may be more likely to research ways to make explosives from common materials.
FTK indexes words during its initial processing of the case and these indices can
be accessed on the “Search” tab. An obvious keyword for the current investigation is
“arson” so click on the “Search” tab and type the word “arson” into the “Search Term”
box.
KSU ISA4350 – Page 5 of 11

Lab 3: Analysis Using FTK
As you type characters, FTK automatically locates the term in the “Indexed Words” box
which shows how many times the word occurs in the case. In this case, “arson” occurs
13 times.
Click “Add,” “View Cumulative Results” and then click “OK” in the “Filter Search Hits”
popup to retrieve the actual search hits.
Details of the search hits are shown in the bottom pane. Note that some of the search hits
are located in free space meaning that the file that contained them has been deleted but
not yet overwritten (and illustrating that a normal “delete” operation is no barrier at all to
a forensic tool).
As you conduct your analysis, do not lose sight of the requirement to document your
findings in a report. FTK assists in this process through the concept of “bookmarks” that
let you identify significant findings to be included in your report. In the upper right hand
KSU ISA4350 – Page 6 of 11

Lab 3: Analysis Using FTK
pane, right click on the query result and select “Bookmark Search Query Result”to bring
up the “Create New Bookmark” dialog.
Enter a name for the bookmark and check the “Include in report” box. Note that there is
also an option to “export” all the files from the case file for further analysis or inclusion
in the report. Leave this box blank and click “OK.”
Click on the “Bookmark” tab and note that the new bookmark has been created.
2. Develop 3-5 additional search terms related to the facts of the case. What are your
terms?
Now conduct a search using your terms by typing them individually into the “Search
Term” box and clicking “Add.”
3. How many hits were found for each of your search terms?
You have the option of searching for terms individually (OR) or in combination (AND)
by selecting the appropriate “Cumulative Operator” (“OR” is the default).
Searching is quite flexible and includes the option for a “Live Search” that allows use of
terms composed of regular expressions. Note that a live search actually must search the
evidence file and may require a substantial amount of time.
My Documents
The “My Documents” directory is the default storage for documents and graphics.
Explore the /My Documents/Pleasure directory using the Graphics pane to see what kinds
of pictures the suspect may have regarded as interesting enough to save.
Bookmark any pictures that are relevant to the investigation.
KSU ISA4350 – Page 7 of 11

Lab 3: Analysis Using FTK
EMAIL
During processing, FTK identifies EMAIL messages and provides quick access to them
on the “Overview” panel. Click on “Overview” and then click on the “EMAIL
Messages” button (on the right under “File Categories”).
This displays the EMAIL messages in the bottom pane. There is a lot of information
displayed and it can make it difficult to organize the EMAILs into conversations, etc. To
reduce the amount of information, click on “View” on the toolbar and select “Column
Settings.” This allows you to select the columns that will be displayed. Clear the
checkboxes next to everything except the following:
EMAIL date
Subject
Dup
From
To
CC
Note that you can also reorder the columns with the “Move Up” and “Move Down”
buttons but leave them at the default in this case. Click “Save and Apply” and enter a
name for your selections. Resize the widths of the columns by dragging their boundaries
so all the text is displayed. Your lower pane display should resemble this:
Since forensic tools retrieve information from free space, etc, it is not unusual to find
multiple copies of a given item. The “Dup” column identifies duplicates as “secondary.”
Selecting one of the EMAILs in the lower pane displays its contents in the upper right
pane as shown above.
KSU ISA4350 – Page 8 of 11

Lab 3: Analysis Using FTK
Review the EMAILs and identify the conversations between various people, their
subjects, and additional terms that you might want to search on.
4. What is the name of the retailer that the suspect dislikes?
Bookmark the messages referencing this retailer and add them to the report.
More Searching
Analysis is not a linear process and it is common to loop back to different techniques
based on findings. In the EMAILs, a common name or title is “Burninator.” Search on
this term to see if you can locate a chat log between “MasterBlaster” and another person
that contains this phrase (hint: the file will have a .log extension).
5. What is the “handle” of the other person in this chat?
Encrypted Files
Concerns about privacy, identity theft, etc, are increasing the use of encryption for both
lawful and unlawful purposes. FTK highlights encrypted files on the “Case Overview”
pane and you can display a list of them by clicking on the “Encrypted Files” button.
Note: You can restore the “All Columns” view in the lower pane by selecting “All
Columns” in the drop down menu.
6. Using a web search engine, find two tools that might be used to “crack” the encryption
on one of the file types found to be encrypted in this case.
Drawing a Conclusion
7. Based on what you’ve seen in the evidence, what would be your recommendation on
further action for this case?
Generating a Report
Assuming you’ve bookmarked relevant evidence as you worked through the case,
generating a report is almost automatic. Start the report wizard by clicking on “File” on
the menu bar and selecting “Report Wizard” in the drop down box.
Fill in the dialogs and generate the report for your case and view it.
KSU ISA4350 – Page 9 of 11

Lab 3: Analysis Using FTK
KSU ISA4350 – Page 10 of 11

Lab 3: Analysis Using FTK
Name Date
ISA4350 Lab 3 Answer Sheet
1. __________________________________________________________________
__________________________________________________________________
__________________________________________________________________
2. __________________________________________________________________
__________________________________________________________________
__________________________________________________________________
3. __________________________________________________________________
__________________________________________________________________
__________________________________________________________________
4. __________________________________________________________________
__________________________________________________________________
__________________________________________________________________
5. __________________________________________________________________
__________________________________________________________________
__________________________________________________________________
6. __________________________________________________________________
__________________________________________________________________
__________________________________________________________________
7. __________________________________________________________________
__________________________________________________________________
__________________________________________________________________
KSU ISA4350 – Page 11 of 11