CNIT 121 Project 15: Using FTK (25 pts.)

What You Need for This Project

Downloading the Evidence File

Download the file below:

anon-E.7z

Use HashCalc to calculate the hash of the file you downloaded. It should match the figure below:
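An added example, not part of the lab and not HashCalc: the same integrity check done with a short Python script, handy when HashCalc is not installed or when you want all three common digests recorded in one go. The bytes it hashes in its own test are constructed for the demonstration; the expected values for anon-E.7z come only from the figure above, which this script does not know, so pass them on the command line.

```python
# Added example (not part of the lab, not HashCalc): verify an evidence file's
# hash before opening it. Expected digests for the real anon-E.7z are NOT
# embedded here; they come from the lab figure and are passed in by the user.
import hashlib
import os
import sys
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def file_digests(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash one file for several algorithms in a single pass, streaming it in
    1 MiB chunks so an evidence image larger than RAM is still fine."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_file(path, expected):
    """expected: {algorithm: hex digest as printed by the tool}. Case and
    surrounding whitespace are normalised so a value copied from a figure or
    an e-mail still compares correctly. Returns {algorithm: True/False}."""
    wanted = {alg: value.strip().lower() for alg, value in expected.items()}
    actual = file_digests(path, tuple(wanted))
    return {alg: actual[alg] == digest for alg, digest in wanted.items()}


def reference_digest(data, algorithm):
    """One-shot digest of in-memory bytes, used to cross-check the chunked path."""
    return hashlib.new(algorithm, data).hexdigest()


def _write_temp(data, tmpdir):
    path = os.path.join(tmpdir, "sample.bin")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hash_bytes_via_file(data, algorithms=ALGORITHMS):
    """Test helper: write constructed bytes to a temp file and hash that file."""
    with tempfile.TemporaryDirectory() as tmp:
        return file_digests(_write_temp(data, tmp), algorithms)


def verify_bytes_via_file(data, expected):
    """Test helper: write constructed bytes to a temp file and verify that file."""
    with tempfile.TemporaryDirectory() as tmp:
        return verify_file(_write_temp(data, tmp), expected)


if __name__ == "__main__":
    # Usage: python verify_hash.py anon-E.7z sha1 <digest copied from the figure>
    target, algorithm, digest = sys.argv[1:4]
    result = verify_file(target, {algorithm: digest})
    print("MATCH" if result[algorithm] else "MISMATCH - do not use this file")
    sys.exit(0 if result[algorithm] else 1)
```

A mismatch means the download is corrupt or not the file the lab expects; re-download rather than proceeding, because every hit count later in the project depends on working from the same image.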

Unzip the file with 7-Zip.

Starting FTK in your VM

Double-click the "FTK Forensic Toolkit" icon on your desktop. When you get an Error box saying "No security device was found...", click No.

When you get an Error box saying "The KFF Hash library file was not found...", click OK.

When a box pops up explaining the limitations of the demonstration version, click OK.

Starting a New Case

In the "AccessData FTK Startup" box, select "Start a new case" and click OK.

In the screen titled "Wizard for Creating a New Case", fill in the fields as shown below, changing "YOUR_NAME" to your own name. Click Next.

In the screen titled "Forensic Examiner Information", leave the fields blank and click Next.

In the screen titled "Case Log Options", accept the default selections, which will log everything. Click Next.

In the screen titled "Processes to Perform", deselect "KFF Lookup" and "Decrypt EFS Files". Click Next.

In the screen titled "Refine Case-Default", accept the default of "Include All Items". Click Next.

In the screen titled "Refine Index - Default", click Next.

Adding Evidence

In the "Add Evidence" box, click the "Add Evidence..." button.

In the "Add Evidence to Case" box, select "Acquired Image of Drive", and click Continue.

In the "Browse for Folder" box, navigate to your Desktop, open the "E" folder, and double-click the anon1a.E01 file.

In the "Evidence Information" box, click OK.

In the "Add Evidence" box, click Next.

In the "New Case Setup is Now Complete" box, click Finish.

A "Processing Files..." box appears. Wait a few seconds for the processing to finish.

Click the Explore tab.

In the left center, check the "List all Descendants" box. You should see a long list of files, with "104 Listed" in the Status Bar, as shown below on this page.

Case Background

This evidence was seized from a computer found in a room used by a suspected computer hacker from the Anonymous gang.

Search Procedure 1: File-by-file

In the lower pane of FTK, click the first item. Look in the upper-right pane to see what's in the file. Press the down-arrow key on the keyboard to move to the next file. The first 20 files contain very little useful information--as you can see, this is not an efficient way to find relevant evidence.

Search Procedure 2: Keyword Search

A much better procedure is to use keyword search. FTK is designed to work this way--it makes an index of all the words in the evidence file. Open Notepad and type in the keywords shown in the figure below. Since all we know now is that the case involves Anonymous, the keywords come from the common Anonymous slogans "Expect Us" and "We never forgive, we never forget".
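An added example (illustration only, not FTK's code) of what the index does with those keywords: it builds a word index over a few constructed files, runs each keyword against it, drops the keywords with 0 hits (the choice you make in the pop-up below), and then combines the per-keyword results with the OR cumulative operator into a "Hits in Files" count of the same shape the Search tab reports. File names and contents are constructed; the keyword list is the lab's slogan words plus "anonymous" from the case background and one assumed term, "lulzsec", included only to show a 0-hit keyword being filtered out.

```python
# Added example (illustration, not FTK's code): a tiny index-based keyword
# search with OR / AND cumulative operators. Files are CONSTRUCTED.
import re
from collections import defaultdict

WORD_RE = re.compile(r"[a-z0-9]+")

SAMPLE_TEXTS = {  # constructed stand-ins for items in the evidence
    "spam.eml": b"Subject: You won!\nExpect a prize! Reply to us now, we never send spam.",
    "brag.eml": b"Subject: lol\nWe never forgive. We never forget. Expect us. -- Anonymous",
    "notes.txt": b"shopping list: milk, eggs, bread",
    # JPEG header plus filler: decodes to no real words, so any text drawn in
    # the picture can never be reached through the index
    "kittens.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00\xff\xdb",
}

# slogan words from the lab, "anonymous" from the case background, and one
# assumed term that scores 0 hits
KEYWORDS = ["expect", "us", "never", "forgive", "forget", "anonymous", "lulzsec"]


def build_index(files):
    """files: {name: bytes} -> {word: {name: count}}. Bytes are decoded leniently;
    binary files contribute junk tokens, not the words a person sees in them."""
    index = defaultdict(lambda: defaultdict(int))
    for name, data in files.items():
        for word in WORD_RE.findall(data.decode("latin-1").lower()):
            index[word][name] += 1
    return index


def search(index, keywords, show_zero_hits=False):
    """Per-keyword results like the top search pane: {keyword: {file: hits}}.
    Keywords with no hits are omitted unless show_zero_hits is set."""
    results = {}
    for kw in keywords:
        hits = dict(index.get(kw.lower(), {}))
        if hits or show_zero_hits:
            results[kw] = hits
    return results


def cumulative(results, operator="OR"):
    """OR keeps files hit by any keyword, AND only files hit by every keyword.
    Returns (total_hits, {file: hits}) over the kept files."""
    file_sets = [set(hits) for hits in results.values()]
    if not file_sets:
        return 0, {}
    keep = set.union(*file_sets) if operator == "OR" else set.intersection(*file_sets)
    per_file = defaultdict(int)
    for hits in results.values():
        for name, n in hits.items():
            if name in keep:
                per_file[name] += n
    return sum(per_file.values()), dict(per_file)


def summary(total, per_file):
    return f"{total} Hits in {len(per_file)} Files"


def demo(operator="OR"):
    """Index the constructed files, search, and combine the results."""
    results = search(build_index(SAMPLE_TEXTS), KEYWORDS)
    total, per_file = cumulative(results, operator)
    return results, total, per_file


if __name__ == "__main__":
    results, total, per_file = demo()
    for kw, hits in results.items():
        print(f"{kw:10s} {sum(hits.values())} hits in {len(hits)} files")
    print(summary(total, per_file), per_file)
```

Two things worth noticing in the output: the spam message scores hits on "expect", "us" and "never" just because those are common English words, which is why the hits still have to be read one by one, and the picture never appears in the results at all even though its name is in the index. That second point is the reason for the separate "Viewing the Images" step later in this project.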

Save this file on your desktop as "keywords.txt".

In FTK, click the Search tab.

Click the Import button.

In the "Import Search Terms" box, navigate to your desktop and double-click the keywords.txt file.

An "Import Search Terms" box pops up, saying "Do you wish to show items that have 0 hits?". Click No.

Results of the Search

Five of the keywords were found, as shown in the top pane of FTK:

In the "Cumulative Operator" line, click the OR button.

In the "Cumulative Operator" line, click the "View Cumulative Results" button.

In the "Filter Search Hits" box, accept the default selection of "All files" and click the OK button.

The upper right pane should now show "81 Hits in 22 Files", as shown below.

Saving a Screen Image

Make sure your screen shows "81 Hits in 22 Files".

Click on the host machine's taskbar.

Capture your whole desktop with the PrintScrn key.

YOU MUST TURN IN A COMPLETE DESKTOP IMAGE TO GET FULL CREDIT.

Save the image with the filename "Your Name Proj 15a".

Examining the Hits

Click the first item in the upper-right pane. This is a container, labeled "81 Hits in 22 Files". Expand it by pressing the right-arrow key on the keyboard. Then press the down-arrow to go to the next item, labeled "[7 Hits -- Message004]".

Your screen should now look like the image shown below on this page. This file is an email message, and you can read it in the lower-center pane. This is obviously unimportant spam.

Procedure

Here's how to quickly inspect the hits. Refer to the figure below.
  1. In the HITS section at the top right, press the down-arrow key to highlight the next item.
  2. Examine the PREVIEW in the center of the screen.
  3. If the file is important, check the box at the left of the shaded line in the FILES section at the bottom of the screen.

Proceed through all 22 files in this manner.

You should find an email bragging about an obvious crime, and several suspicious files.

Saving a Screen Image

Make sure your screen shows the obviously incriminating email you found.

Click on the host machine's taskbar.

Capture your whole desktop with the PrintScrn key.

YOU MUST TURN IN A COMPLETE DESKTOP IMAGE TO GET FULL CREDIT.

Save the image with the filename "Your Name Proj 15b".

Viewing the Images

One weakness of the keyword search is that it won't find words in images.

To see the images, click the Graphics tab at the top of the FTK window.

In the center left, there is a tree structure showing files and folders. Click the top item, Case, and use the down-arrow to move to the next item.

When you encounter containers, use the right-arrow to expand them.

When you highlight a container that has graphics in it, you will see thumbnails in the top pane, as shown below:

The kittens are not incriminating, but you might want a closer look at them to be sure.

In the top pane, click one of the thumbnails. The image is shown full-size in the center right pane, as shown below:

Continue to examine all the containers until you find suspicious images. Mark all the suspicious images by checking the boxes in the lower pane, just as you did with the email messages.

One of the images shows a defaced Web page. Adjust it so that the defacement is clearly visible.
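An added example (not FTK's code) of the point made at the start of this section: text inside a picture is pixels, not indexable words, so the pictures have to be found and looked at. The script below identifies graphics by their leading header bytes instead of by their names, and flags any file whose extension disagrees with its header, which is how a picture renamed to look like a spreadsheet or a document would be caught. All sample files are constructed; the headers are the real JPEG, PNG, GIF and BMP signatures, the bodies are filler.

```python
# Added example (not FTK's code): locate graphics by header bytes rather than
# by file name, so a renamed picture is not skipped. Samples are CONSTRUCTED.
import os

# (magic bytes at offset 0, image type, extensions normally used for it)
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", (".jpg", ".jpeg")),
    (b"\x89PNG\r\n\x1a\n", "png", (".png",)),
    (b"GIF87a", "gif", (".gif",)),
    (b"GIF89a", "gif", (".gif",)),
    (b"BM", "bmp", (".bmp",)),  # only two bytes: expect some false positives
]


def image_type(data):
    """Image type implied by the leading bytes, or None for a non-image."""
    for magic, kind, _ in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def find_images(files):
    """files: {name: bytes} -> sorted list of (name, kind, extension_agrees).
    extension_agrees is False when the header says 'picture' but the name
    does not; those are the ones to open first."""
    found = []
    for name, data in files.items():
        kind = image_type(data)
        if kind is None:
            continue
        ext = os.path.splitext(name)[1].lower()
        usual = next(exts for _, k, exts in SIGNATURES if k == kind)
        found.append((name, kind, ext in usual))
    return sorted(found)


SAMPLE_FILES = {  # constructed: real headers, filler bodies
    "kittens.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "defaced.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16,
    "notes.txt": b"We never forgive, we never forget.",
    "budget.xls": b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16,  # a GIF in disguise
    "loader.bin": b"MZ\x90\x00" + b"\x00" * 16,
}


if __name__ == "__main__":
    for name, kind, agrees in find_images(SAMPLE_FILES):
        flag = "" if agrees else "  <-- extension does not match header"
        print(f"{name:12s} {kind}{flag}")
```

Header matching tells you which files are pictures; it says nothing about what is in them. The defacement screenshot is found the same way the kittens are, and only viewing it (or running OCR over it) reveals the text the keyword search could not see.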

Saving a Screen Image

Make sure your screen shows the obviously incriminating image you found.

Click on the host machine's taskbar.

Capture your whole desktop with the PrintScrn key.

YOU MUST TURN IN A COMPLETE DESKTOP IMAGE TO GET FULL CREDIT.

Save the image with the filename "Your Name Proj 15c".

Making a Report

In FTK, from the top menu bar, click File, "Report Wizard".

In the "Case Information" screen, click Next, as shown below.

In the "Bookmarks - A" page, click the "Yes, export all bookmarked files" button, as shown below. Then click Next.

In the "Bookmarks - B" page, click Next.

In the "Graphic Thumbnails" page, click "Export full-size graphics and link them to the thumbnails", as shown below. Then click Next.

In the "List by File Path" page, click Next.

In the "List File Properties - A" page, click Next.

In the "Supplementary Files" page, click Next.

In the "Report Location" page, click Finish.

A "Report Wizard" box pops up, asking "Do you wish to view the report?".

Click Yes.

The Report appears, as shown below.

Saving a Screen Image

Make sure your screen shows a report with your name on it as the Investigator, as shown above.

Click on the host machine's taskbar.

Capture your whole desktop with the PrintScrn key.

YOU MUST TURN IN A COMPLETE DESKTOP IMAGE TO GET FULL CREDIT.

Save the image with the filename "Your Name Proj 15d".

Exporting the Checked Files

The Report doesn't include the checked files--we need to export them separately.

In FTK, from the top menu bar, click File, "Export Files".

In the "Export Files" box, click "All checked files", as shown below. Then click OK.

To see the exported files, click Start, Computer, and navigate to the "C:\Program Files\AccessData\AccessData Forensic Toolkit 1.81.6\DefaultCase\Export" folder.

The files are there, as shown below.

Turning in your Project

Email the images to me. Send the email to: cnit.121@gmail.com with a subject line of "Proj 15 From Your Name", replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified: 4-10-13