The Forensic Toolkit

The Forensic Toolkit (FTK) by AccessData (http://www.accessdata.com) attempts to help the analyst by reducing large datasets to a subset of important information. FTK is a commercial product and must be purchased from AccessData for around $700. Until late last year, FTK was bundled with SnapBack, a commercial forensic duplication tool (see Chapter 21).

Caution

FTK requires a dongle to operate. If you do not have a dongle, you must contact AccessData, and that could delay your investigative efforts.

FTK can automatically extract Microsoft Office documents, e-mail, Internet activity, and more. Because the tool does this for you automatically, it saves time so that the analyst can go about the business of analyzing only the important data. FTK fully indexes the data so that keyword searches are nearly instantaneous. This may not sound important, but on a multigigabyte hard drive image, this can alleviate hours of search time at the forensic workstation. Having immediate results to a large keyword search set is alone worth the price of the product.

FTK analyzes only Microsoft Windows file systems. Therefore, if the system you are investigating runs a Unix file system, you will need to use another tool to perform your analysis: either EnCase or The Coroner’s Toolkit.

Implementation

FTK provides a GUI interface, so command-line options are not needed to use the tool. The first thing you do when you start FTK is decide whether you want to create a new case or open an existing one.

We will create a new case and then import our source evidence data files into it. These evidence files were created from the source drive using the EnCase forensic duplication tool (see Chapter 21). When we select Start A New Case, the screen shown in Figure 23-1 appears so we can enter the specifics of our case:

Figure 23-1: Enter the specific information about your case.

The next set of screens allows us to choose our case options. FTK comes with several options for logging information, and under Case Log Options, shown next, the user can customize automatic logging. Optionally, the user may add comments during the case by choosing Files | View Case Log.

The next screen, Processes to Perform, highlights several options available to FTK while building the case file. KFF and Full Text Index are of particular interest. KFF stands for known-file filter. This option filters out files that are presumably harmless. The Windows operating system requires hundreds of standard system files to run properly. These files, if unchanged, will provide little information to the analyst in most scenarios. The KFF option allows us to reduce the set of files we analyze. Therefore, it can save us time, money, and resources in our investigation.

If you think you may want to perform keyword searches on the data, you should check the Full Text Index option. The import process will take a significantly longer time, but the price will be worth paying if you search the data more than once. By default, FTK will index everything when creating a new case. However, if time is an issue, this may not be your best option. You can still index all items or selected items after creating the case by choosing Tools | Analyze Tools.

Note

Indexing by choosing Tools | Analyze Tools is not as fast as indexing using the New Case Wizard. If you can spare the time, it helps to index with the New Case Wizard when importing the evidence.

FTK gives us the option to exclude certain kinds of data under the Refine Case screen in the New Case Wizard, shown next. These may include executables, graphics, e-mail, KFF, deleted files, and more. To help the novice or hurried user, settings are offered for graphic, text, and e-mail-intensive cases.

If the option for Full Text Index is selected in the Processes to Perform screen, the Refine Index screen, shown next, allows you to define the criteria for indexing files. For example, it may not make sense to index data in the KFF.

On the next screen, Add Evidence, FTK asks us to add evidence to the case. Evidence can be either EnCase evidence files or dd image files. EnCase evidence files and acquisition of a hard drive with dd were covered in Chapter 22.

When we select Add Evidence, we are presented with several options regarding the type of evidence we want to add: We can import an evidence file, analyze a local drive, analyze the contents of a directory, or analyze an individual file. Usually, we will want to import an evidence file (the Acquired Image Of Drive option), but the other methods of analysis are also worth considering. For instance, we may want to connect a drive to the forensic workstation instead of providing FTK with an evidence file (Local Drive). If we have only a logical copy of the subject machine, we may want to analyze the contents of a directory, and that directory would contain the logical copy of the subject machine (Contents Of A Folder). Or we may have a single very large file that we want to index and search (Individual File).

Since most of the time we will be importing evidence files, we discuss that method in this book. In Chapter 21, you created a duplication using EnCase. Now add these files to the newly created case by selecting Continue in the Add Evidence To Case screen. You’ll see the Open dialog box. Add all of the evidence files (*.Enn) to the current case by clicking the Open button.

Next, choose any final options and enter the evidence information into the case for this particular item in the Evidence Information dialog box, and then click OK to return to the Wizard.

Note

A full text index will require a significant amount of time to create during the import process. However, if you do not create the index now, you will need to create it later if you want to execute quick keyword searches.

When we are ready, we click Next, and the import process begins.

FTK then informs us that the new case setup is complete. Click Finish to begin the import process.

When processing is finished, the main FTK navigation screen appears. Tabs across the top allow us to click through to explore the different parts of the evidence. The Overview tab, shown in Figure 23-2, provides an accurate overview of the information found in the evidence, and it is the most efficient means of quickly reviewing the evidence found in the data. Each of the buttons under File Items, File Status, and File Category is clickable. When you click these buttons, the files are presented to the analyst in the lower half of the FTK screen.

Figure 23-2: The Overview tab

The Evidence Items button lists the evidence files we imported for analysis. The bottom window displays summary information about each of the evidence files collected. The Total File Items button lists all of the files discovered within the evidence data files. This screen shows the investigator a great overview of the files existing on the suspect’s system.

Perhaps one of the investigator’s dreams is to see all images present in the evidence quickly. By clicking the Graphics button, we can see every image on the system and browse for any contraband, as shown in Figure 23-3.

Figure 23-3: Click the Graphics button to see any images from the system.

Extracting e-mail is one of the laborious tasks of computer forensics. FTK tries to reduce this burden by providing a From E-mail button. Clicking it displays all of the e-mail that was sent using this computer, as shown in the next illustration.

In nearly every case, the suspect deletes files. Clicking the Deleted Files button displays a list of the files that were deleted from the system.

The Slack/Free Space button displays a list of all of the unallocated and slack space portions of the disk. Although typically you would not search this space by hand, it is available to you if you so choose. However, as you will see later, you can use automated ways to search this space in the file system.

During most investigations, especially during the discovery process for legal cases, it is advantageous to reproduce all of the documents available from a subject’s machine. The Documents button displays all of the documents for the investigator. Documents are Microsoft Office document files, text files, HTML files, and so on (see Figure 23-4).

Figure 23-4: Notice how the user of this computer was apparently reading web sites about creating bombs.

Any general e-mail messages can be located by clicking the E-mail Messages button.

The other tabs allow us to take a more granular view of the data. The Explore tab, shown in Figure 23-5, gives us a Windows Explorer–like interface to browse the evidence’s contents.

Figure 23-5: The Explore tab

Skipping over a few tabs, the Search tab provides the functionality that makes FTK shine. With full-text indexing applied to the data, the searching capabilities will be almost instantaneous. For instance, we will enter the keywords Johnson and Brazil because it will pertain to the Case Study later in the chapter. In the Composite Search field, we will choose the option Only Count Files With Hits On ALL Files. This value indicates an AND logical relationship between each search keyword. The drop-down box provides the ability to perform OR searches, too.

If your keywords do not result in many hits, you can use FTK’s search-broadening options, which mutate the keywords to find hits that may be close to, but not identical to, your criteria. Initially, though, you should disable these options to see a narrower view of the results.
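To make the two data reductions this section describes concrete (the KFF hash filter from the Processes to Perform screen, and the AND/OR composite keyword search over a full-text index), here is an added Python example; it is not code from the book or from FTK itself, and the evidence paths, file contents and known-file hashes are all constructed.

```python
import hashlib
import re

# Constructed sample "evidence": path -> contents. A stand-in for the file
# items FTK would extract from an EnCase (*.Enn) or dd image; not real data.
EVIDENCE = {
    "WINDOWS/system32/kernel32.dll": b"STANDARD-OS-BINARY-CONTENT",
    "WINDOWS/system32/notepad.exe": b"STANDARD-OS-BINARY-CONTENT-patched",
    "Documents/memo.txt": b"Meeting with Johnson about the Brazil shipment",
    "Documents/notes.txt": b"Johnson called again; no word on delivery",
    "Documents/itinerary.html": b"<p>Flight to Brazil booked</p>",
}

# Constructed known-file set in the spirit of a KFF: hashes of unmodified,
# presumably harmless OS files. A real known-file set holds millions of hashes.
KNOWN_FILE_HASHES = {hashlib.md5(b"STANDARD-OS-BINARY-CONTENT").hexdigest()}


def kff_filter(evidence, known_hashes):
    """Drop files whose MD5 is in the known set; a system file whose hash
    does NOT match (e.g. a modified binary) is deliberately kept for review."""
    return {
        path: data
        for path, data in evidence.items()
        if hashlib.md5(data).hexdigest() not in known_hashes
    }


def build_index(evidence):
    """Build a simple full-text inverted index: lowercase term -> set of paths."""
    index = {}
    for path, data in evidence.items():
        text = data.decode("utf-8", "replace").lower()
        for term in re.findall(r"[a-z0-9]+", text):
            index.setdefault(term, set()).add(path)
    return index


def composite_search(index, keywords, require_all=True):
    """Composite search: hits on ALL keywords (AND) or on ANY keyword (OR)."""
    hit_sets = [index.get(k.lower(), set()) for k in keywords]
    if not hit_sets:
        return set()
    return set.intersection(*hit_sets) if require_all else set.union(*hit_sets)


if __name__ == "__main__":
    remaining = kff_filter(EVIDENCE, KNOWN_FILE_HASHES)
    idx = build_index(remaining)
    print(sorted(composite_search(idx, ["Johnson", "Brazil"])))
```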

When the search is complete, the results will be displayed in the right pane.

If you chose not to create a full text index on the data when you added it to the case, you can always perform a live search at any time. This type of searching will take a significant amount of time, but it will produce the same results as the keyword searches already discussed.

All of the actions performed on the evidence will be logged by FTK. The Tools menu on the main menu bar lets us view and add comments to the case log.

Because of FTK’s ability to extract important data quickly, FTK is a great forensic analysis tool kit for those who are just starting to learn about forensics or do not have the time to invest significant resources.

Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
