Chapter 23: Tool Kits to Aid in Forensic Analysis

In Chapters 21 and 22, we reviewed tools that forensically duplicate a source hard drive. That is the first phase of a two-phase forensic investigation; the second phase is analysis. This chapter discusses the tools used to analyze the data we previously acquired. All of the forensic analysis tool kits we review can import more than one forensic image format: dd images can be used with all of them, and many are adding import support for other (including competing) formats.

THE FORENSIC TOOLKIT

The Forensic Toolkit (FTK) by AccessData (http://www.accessdata.com) helps the analyst by reducing a large dataset to the subset of information that matters. FTK is a commercial product and can be purchased from AccessData. At the time of this writing, Forensic Toolkit costs around a thousand dollars. Although this may sound steep, its ability to index and correlate data can be a lifesaver on a large case or across multiple datasets. AccessData's Ultimate Toolkit bundles Forensic Toolkit with its Password Recovery Toolkit and other assorted software; it costs around $2,000.

Note 

FTK requires a dongle to operate. If you do not have an FTK-specific dongle, contact AccessData. The demo version available from their web site will allow you to do everything we discuss here.

FTK automatically extracts Microsoft Office documents, client-based e-mail, web-based e-mail, Internet activity, and more. Because the tool does this automatically, it saves a tremendous amount of time and lets the analyst concentrate on relevant data. FTK's full-text indexing yields nearly instantaneous keyword searches. This may not sound important, but on a multigigabyte hard drive image it can save hours of search time at the forensic workstation. Immediate results against a large keyword set are alone worth the price of the product.

FTK analyzes all Microsoft Windows file systems, including NTFS, compressed NTFS, and FAT12/16/32, as well as Linux ext2 and ext3. If the system you are investigating uses a different file system, you will need another tool, such as EnCase or The Coroner's Toolkit, to perform your analysis.

Implementation

FTK provides an easy-to-use graphical interface, so no command-line options are needed. The first thing you do when you start FTK is decide whether to create a new case or open an existing one.

We will create a new case and then import our source evidence data files into it. These evidence files were created from the source drive using the EnCase forensic duplication tool (see Chapter 21). When we select Start A New Case, the screen shown in Figure 23-1 appears so we can enter the specifics of our case.


Figure 23-1: Use this screen in AccessData's Forensic Toolkit to enter specific information about your case.

The next set of screens lets us enter information about the examiner and choose case options. FTK offers several logging options, and under Case Log Options the user can customize automatic logging. Optionally, the user may add comments during the case by choosing View Case Log from the menu.

The next screen, Processes To Perform, lists several options FTK applies while building the case file. KFF Lookup and Full Text Index are of particular interest. KFF stands for Known File Filter. This option filters out files that are presumably harmless by matching their hashes against a library of known files. The Windows operating system requires hundreds of standard system files to run properly; if unchanged, these files provide little information to the analyst in most scenarios. The KFF Lookup option reduces the set of files we analyze by eliminating the known files from the case, saving time, money, and resources in our investigation.
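The following script is an added example, not AccessData's code: it reproduces the idea behind KFF Lookup over an ordinary directory tree (a mounted image or a logical copy). Every file is hashed with MD5 and SHA-1, the digests that published hash libraries carry, and dropped from the review set if any digest appears in the known-file set. The three-file directory tree and the known-file set built in demo() are constructed for the example; in practice the set is loaded from a hash library such as NSRL.

```python
"""Known-file filtering by hash (added example; not FTK code)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest}; reads in chunks so that multi-gigabyte
    files never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def kff_filter(root, known_hashes):
    """Walk root and split files into (unknown, known) lists of paths.
    A file is known when any of its digests is in known_hashes, a set of
    lowercase hex strings. Only the unknown files need analyst attention."""
    unknown, known = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if any(d in known_hashes for d in hash_file(path).values()):
                known.append(path)
            else:
                unknown.append(path)
    return sorted(unknown), sorted(known)


def demo(root=None):
    """Build a constructed three-file 'system', filter it, and return the
    relative paths as (unknown, known). With root=None a temporary
    directory is used and removed afterwards."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    root = Path(root)
    stock_bytes = b"standard operating system file contents"
    files = {
        "Windows/System32/kernel32.dll": stock_bytes,            # unchanged stock file: known
        "Windows/System32/sfc.dll": stock_bytes + b", patched",  # modified stock file: NOT known
        "Users/suspect/plans.txt": b"meet at the usual place",   # user data: NOT known
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    # Constructed known-file set: the MD5 of the unchanged stock file only.
    known_set = {hashlib.md5(stock_bytes).hexdigest()}
    unknown, known = kff_filter(root, known_set)
    rel = lambda paths: [p.relative_to(root).as_posix() for p in paths]
    return rel(unknown), rel(known)


if __name__ == "__main__":
    unknown, known = demo()
    print("filtered out by KFF:", known)
    print("left for review:    ", unknown)
```

The modified copy of the stock file is the point of the exercise: a single changed byte produces a different digest, so a trojaned system file is never hidden by the filter, only unchanged files are. Note that a known-file set can also carry known-bad hashes (malware, contraband), in which case a match is an alert rather than a reason to skip the file.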

If you think you may want to perform keyword searches on the data, check the Full Text Index option. The import process will take significantly longer, but the price is worth paying if you search the data more than once. By default, FTK indexes everything when creating a new case; if time is an issue, this may not be your best option. You can still index all items or selected items after creating the case by choosing Tools | Analyze Tools.

Caution 

Indexing by choosing Tools | Analyze Tools is not as fast as indexing from the New Case wizard. If you can spare the time, index with the New Case wizard when importing the evidence.

FTK automates what used to be a painstaking and slow manual process called data carving. FTK searches through files and free space for hidden or remaining pieces of files and carves them out for you. This feature recovers data that other tools may overlook unless they are set up properly, but it takes extra time. The data carving options include BMP, GIF, JPEG, EMF, PDF, HTML, AOL/AIM, and OLE files.
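To show what the carving step actually does, here is an added example that is not FTK's code: a header/footer scan over a raw byte buffer such as a dd image or exported free space. The signature table holds the real magic bytes for JPEG, GIF, and PDF; the maximum lengths are assumptions chosen for the example, and the buffer returned by build_sample_image() is constructed, with the second JPEG deliberately truncated to show how a carve without a footer is bounded.

```python
"""Signature-based data carving (added example; not FTK code)."""
import re

# kind -> (header, footer, max_len). max_len bounds a carve when no footer
# is found (a truncated or partly overwritten file), so one bad header
# cannot swallow the rest of the image. The lengths are example choices.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    "gif":  (b"GIF8",         b"\x00\x3b", 1 * 1024 * 1024),
    "pdf":  (b"%PDF-",        b"%%EOF",    16 * 1024 * 1024),
}


def carve(image):
    """Return [(kind, offset, data, complete)] sorted by offset.
    complete is False when no footer was found and the carve was cut at
    max_len or at the end of the image."""
    results = []
    for kind, (header, footer, max_len) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            limit = min(len(image), start + max_len)
            # bytes.find only matches a footer lying wholly inside [begin, limit).
            foot = image.find(footer, start + len(header), limit)
            if foot == -1:
                results.append((kind, start, image[start:limit], False))
            else:
                results.append((kind, start, image[start:foot + len(footer)], True))
    return sorted(results, key=lambda r: r[1])


def build_sample_image():
    """Constructed 'free space': two JPEGs and a GIF separated by zero
    filler; the second JPEG is truncated (no footer), as a partially
    overwritten file in unallocated space would be."""
    filler = b"\x00" * 64
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"   # 46 bytes
    gif_ok = b"GIF89a" + b"G" * 30 + b"\x00\x3b"              # 38 bytes
    jpeg_cut = b"\xff\xd8\xff\xe1" + b"K" * 20                # 24 bytes, no footer
    return filler + jpeg_ok + filler + gif_ok + filler + jpeg_cut + filler


if __name__ == "__main__":
    for kind, offset, data, complete in carve(build_sample_image()):
        status = "complete" if complete else "TRUNCATED"
        print(f"{kind:5} at offset {offset:6d}: {len(data):4d} bytes ({status})")
```

Two caveats a practitioner should keep in mind with any header/footer carver, this one included: a JPEG that embeds an EXIF thumbnail contains a second start and end marker, so the footer search can stop at the thumbnail and the embedded header is carved again as a separate file; and a footer that never arrives means the carve is only bounded by the assumed maximum length. Production carvers validate the file structure as they go rather than trusting the markers alone, which is why the automated option costs extra time.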

FTK gives us the option to exclude certain kinds of data under the Refine Case screen in the New Case wizard, shown next. These may include executables, graphics, e-mail, KFF files, deleted files, and more. To help the novice or hurried user, preset settings are offered for graphic-, text-, and e-mail-intensive cases. Here is an example of the Email Emphasis settings.

If the Full Text Index option is selected in the Processes To Perform screen, the Refine Index screen, shown next, allows you to define the criteria for indexing files. For example, it may not make sense to index data in the Known File Filter.

On the next screen, Add Evidence To Case, FTK asks us to add evidence to the case. Evidence can be either EnCase evidence files or dd image files; EnCase evidence files and acquisition of a hard drive with dd were covered in Chapters 21 and 22.

On this screen, we are presented with several options regarding the type of evidence we want to add: We can import an evidence file, analyze a local drive, analyze the contents of a directory, or analyze an individual file. Usually, we will want to import an evidence file (the Acquired Image Of Drive option), but the other methods of analysis are also worth considering. For instance, we may want to connect a drive to the forensic workstation instead of providing FTK with an evidence file (Local Drive). If we have only a logical copy of the subject machine, we may want to analyze the contents of a directory, and that directory would contain the logical copy of the subject machine (Contents Of A Folder). Or we may have a single, very large file that we want to index and search (Individual File).

Since most of the time we will be importing evidence files, we will discuss this method here. In Chapter 21, you created an image using EnCase. You can now add these files to the newly created case in FTK by selecting Continue on the Add Evidence To Case screen. You'll see the Open dialog box. Select all of your evidence files for the current case and then click the Open button.

Next, choose any final options and enter the evidence information into the case for this particular item in the Evidence Information dialog box (as shown at right), and then click OK to return to the wizard.

Note 

A full text index will require a significant amount of time to create during the import process. However, if you do not create the index now, you will need to create it later if you want to execute quick keyword searches.

When you are ready, click Next. FTK then informs you that the new case setup is complete; click Finish to begin the import process.

When processing is finished, the main FTK navigation screen appears. Tabs across the top let us explore the different parts of the evidence. The Overview tab, shown in Figure 23-2, provides a summary of the information found in the evidence and is the most efficient way to review it quickly. Each of the buttons under File Items, File Status, and File Category is clickable; when you click one, the matching files are presented in the lower half of the FTK screen.


Figure 23-2: The Overview tab

The Evidence Items button lists the evidence files we imported for analysis. The bottom window displays summary information about each of the evidence files collected.

The Total File Items button lists all of the files discovered within the evidence data files. This screen shows the investigator a great overview of the files existing on the suspect's system.

One of the investigator's dreams is to see all images present in the evidence quickly. By clicking the Graphics button, we can see every image on the system and browse for any contraband, as shown in Figure 23-3.


Figure 23-3: Click the Graphics button to see any images that exist in a document that you select.

Extracting e-mail is one of the laborious tasks of computer forensics. FTK tries to reduce this burden by automatically indexing the e-mail if you so choose, and also by providing an easy-to-use exploration tree. In this illustration it looks like someone is looking for a job.

In nearly every case, the suspect deletes files. Clicking the Deleted Files button on the Overview tab displays a list of the files that were deleted from the system. This illustration shows a deleted picture of a nuclear blast model.

The Slack/Free Space button displays a list of all of the unallocated and slack space portions of the disk. Although typically you would not search this space by hand, it is available to you if you so choose. However, as you will see later, you can use automated ways to search this space in the file system.

During most investigations, especially during the discovery process for legal cases, it is advantageous to reproduce all of the documents available from a subject's machine. The Documents button displays all of the documents for the investigator. Documents are Microsoft Office document files, text files, HTML files, and so on (see Figure 23-4).


Figure 23-4: Notice how the user of this computer was apparently reading stories about creating bombs.

Any general e-mail messages can be located by clicking the E-mail Messages button.

The other tabs allow us to take a more granular view of the data. The Explore tab, shown in Figure 23-5, gives us a Windows Explorer-like interface to browse the evidence's contents.


Figure 23-5: The Explore tab has a Windows Explorer-like interface to browse evidence contents.

Skipping over a few tabs, the Search tab provides the functionality that makes FTK shine. With full-text indexing applied to the data, searches are almost instantaneous. For instance, we will enter the keywords Johnson and Brazil because they pertain to the Case Study at the end of this chapter. In the Composite Search field, we will choose the option Only Count Files With Hits On ALL Files. This value indicates an AND relationship between the search keywords: a file is returned only if it contains every keyword. The drop-down box also allows OR searches, which return files containing any of the keywords.

If your keywords do not result in many hits, you can use FTK's search-broadening options, which mutate the keywords to find hits that may be close to, but not identical to, your criteria. Initially, though, you should disable these options to see a narrower view of the results. These options are available by clicking the options box directly under the Search tab.

When the search is complete, the results will be displayed in the right pane.

If you chose not to create a full text index when you added the data to the case, you can always perform a live search at any time. This type of search takes significantly longer, but it produces the same results as the indexed keyword searches already discussed, with one caveat: a live search covers every item, whereas an indexed search can only find hits in what was indexed, so if you excluded items on the Refine Index screen, a live search is the only way to reach them.
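The difference between indexed search, live search, the AND/OR composite options, and search broadening is easier to see in code. The following is an added example and not FTK's code: a minimal inverted index built once over the evidence (the slow Full Text Index step), AND/OR queries answered from that index by set operations (the near-instant searches), the same query run as a live rescan of every file, and an edit-distance broadening pass that stands in for FTK's search-broadening options (FTK's own broadening methods are not documented on this page; Levenshtein distance is an assumption of the example). The four documents in sample_documents() are constructed and reuse the chapter's Johnson and Brazil keywords.

```python
"""Indexed keyword search vs. live search (added example; not FTK code)."""
import re
from collections import defaultdict

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case alphanumeric word tokens; the unit the index is keyed on."""
    return TOKEN.findall(text.lower())


def build_index(documents):
    """documents: {name: text}. Returns {term: set(names)}. This is the
    expensive pass that is paid once, at import time."""
    index = defaultdict(set)
    for name, text in documents.items():
        for term in tokenize(text):
            index[term].add(name)
    return index


def combine(sets, mode):
    """mode 'all' = AND (every term must hit), 'any' = OR (any term hits)."""
    if not sets:
        return set()
    return set.intersection(*sets) if mode == "all" else set.union(*sets)


def indexed_search(index, terms, mode="all"):
    """Answer from the index: one dictionary lookup per term, no file reads."""
    return combine([index.get(t.lower(), set()) for t in terms], mode)


def live_search(documents, terms, mode="all"):
    """No index: re-tokenize every document for every query. Same answer,
    but the cost scales with the evidence size on every search."""
    hits = set()
    for name, text in documents.items():
        words = set(tokenize(text))
        present = [t.lower() in words for t in terms]
        if (all(present) if mode == "all" else any(present)):
            hits.add(name)
    return hits


def edit_distance(a, b):
    """Levenshtein distance, used to broaden a term to near-misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def broadened_search(index, terms, mode="all", max_distance=1):
    """Expand each term to every indexed term within max_distance edits
    (Johnson also matches Johnston, Brazil also matches Brasil), OR the
    expansions of each term, then combine per mode. Run the exact search
    first; broadening only ever widens the result set."""
    per_term = []
    for t in terms:
        variants = [v for v in index if edit_distance(t.lower(), v) <= max_distance]
        per_term.append(set().union(*(index[v] for v in variants)))
    return combine(per_term, mode)


def sample_documents():
    """Constructed evidence: four small text files."""
    return {
        "email1.txt": "Mr. Johnson asked about flights to Brazil next week.",
        "email2.txt": "Brazil trip cancelled; Johnston will go instead.",
        "notes.txt": "Johnson: remember the Brasil paperwork.",
        "readme.txt": "Standard system file, nothing to see.",
    }


if __name__ == "__main__":
    docs = sample_documents()
    idx = build_index(docs)
    query = ["Johnson", "Brazil"]
    print("AND, indexed:  ", sorted(indexed_search(idx, query, "all")))
    print("AND, live:     ", sorted(live_search(docs, query, "all")))
    print("OR,  indexed:  ", sorted(indexed_search(idx, query, "any")))
    print("AND, broadened:", sorted(broadened_search(idx, query, "all")))
```

The exact AND query returns only email1.txt; the OR query adds email2.txt and notes.txt; broadening by one edit pulls both of those into the AND result as well, which is why the text recommends leaving the broadening options off for the first pass. Indexed and live search agree here because every document was indexed; if the index was refined to skip some items, live search is the only one that will see them.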

All of the actions performed on the evidence will be logged by FTK. The Tools menu on the main menu bar lets us view and add comments to the case log.

Because of FTK's ability to extract important data quickly, FTK is a great forensic analysis tool kit for those who are just starting to learn about forensics or do not have the time to invest significant resources.



Source: Anti-Hacker Tool Kit, Third Edition (ISBN 0072262877), 2006.
