91.580.203 Computer - PowerPoint PPT Presentation
Slides: 26
Provided by: csU72
Learn more at: https://www.cs.uml.edu
Transcript and Presenter's Notes
1
91.580.203 Computer Network Forensics
Xinwen Fu
  • FTK Forensic Toolkit

2
Big Picture
  • AccessData download
  • FTK Imager version 2.5.4
  • Known Filter Library File version 27_jun_2007
  • Forensic Toolkit(FTK) version 1.81
  • Acquire and preserve the evidence
  • Analyze the case
  • Prepare a report

3
Acquire and Preserve the Evidence
  • Create an image of the suspect drive using
    hardware devices
  • Create an image of the suspect drive using
    software applications
  • FTK Imager
  • dd
  • Key point of creating an image
  • No changes to the evidence should be made

4
Big Picture
  1. Acquire and Preserve the evidence
  2. Analyze the case
  3. Prepare a report

5
Analyze the Case - Hashing
  • Refers to the process of generating a unique value
    based on a file's contents
  • Used to verify file integrity and identify
    duplicate and known files
  • MD5, SHA1
  • FTK Imager -> File -> Export File Hash List

Demo
6
Analyze the Case - Known File Filter (KFF)
  • An FTK utility that compares file hashes against
    a database of hashes from known files
  • Three purposes
  • Eliminate ignorable files (such as known system
    and program files)
  • Alert you to known illicit or dangerous files
  • Check for duplicate files (maybe different file
    names)
  • Container files: files which contain other files,
    such as zip and e-mail files with attachments
  • When KFF identifies a container file as
    ignorable, FTK does not extract its component
    files
  • KFF includes the HashKeeper database, which is
    updated periodically and is available for
    download on the FTK update page
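As an added illustration (not part of the lecture or of FTK itself) of the hash-list and KFF slides above: the case files, the known-system and known-bad sets and the paths are all constructed, and the lookup table stands in for the real HashKeeper database.

```python
import hashlib
from collections import defaultdict

def hash_bytes(data: bytes):
    """MD5 and SHA1 of a file's contents, the two hashes FTK's hash list exports."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def build_kff(ignorable: dict, alert: dict) -> dict:
    """Constructed stand-in for the KFF/HashKeeper database: md5 -> status."""
    table = {hash_bytes(d)[0]: "ignore" for d in ignorable.values()}
    table.update({hash_bytes(d)[0]: "alert" for d in alert.values()})
    return table

def classify_case(files: dict, kff: dict):
    """KFF's three purposes: drop ignorable files, flag known illicit files,
    and group duplicates (same content under different names or paths)."""
    result = {"ignore": [], "alert": [], "examine": []}
    by_md5 = defaultdict(list)
    for path, data in files.items():
        md5, sha1 = hash_bytes(data)
        by_md5[md5].append(path)
        result[kff.get(md5, "examine")].append((path, md5, sha1))
    duplicates = {h: paths for h, paths in by_md5.items() if len(paths) > 1}
    return result, duplicates

# Constructed sample: byte strings stand in for real file contents, paths are hypothetical
KNOWN_SYSTEM = {"notepad.exe": b"constructed stand-in for a known OS binary"}
KNOWN_BAD = {"bad.bin": b"constructed stand-in for a known illicit file"}
CASE_FILES = {
    "C:/Windows/notepad.exe": KNOWN_SYSTEM["notepad.exe"],
    "C:/Users/suspect/holiday.jpg": b"constructed image bytes",
    "C:/Users/suspect/backup/pic1.jpg": b"constructed image bytes",
    "C:/Users/suspect/Downloads/setup.exe": KNOWN_BAD["bad.bin"],
    "C:/Users/suspect/notes.txt": b"meeting at noon",
}
KFF = build_kff(KNOWN_SYSTEM, KNOWN_BAD)

if __name__ == "__main__":
    result, duplicates = classify_case(CASE_FILES, KFF)
    for status, entries in result.items():
        for path, md5, _ in entries:
            print(f"{status:8} {md5} {path}")
    for md5, paths in duplicates.items():
        print("duplicate content", md5, paths)
```

Only the "examine" bucket is left for the analyst; the ignorable system file drops out, the known-bad file is raised as an alert, and the two renamed copies are grouped by hash.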

7
Analyze the Case - Searching
  • Live search
  • Involves an item-by-item comparison with the
    search term; time consuming
  • Allow you to search non-alphanumeric characters
    and perform regular expression searches
  • Indexed search
  • Use the index file to find a search term
  • The index file contains all discrete words or
    number strings found in both the allocated and
    unallocated space in the case evidence

8
Data Carving
  • Search for items, such as graphics embedded in
    other files
  • Searches the index for specific file headers and
    carves the file's associated data
  • Find any embedded or deleted item as long as the
    file header still exists
  • Recover previously deleted files located in
    unallocated space
  • Data carving during evidence processing (when a
    new case is added)
  • Select Data Carve in the Process to Perform
    Screen during the New Case Wizard
  • Data carving done in an existing case
  • Select Tools -> Data Carving
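An added example (not the lecture's or FTK's code) of the header-based carving described above, run over a constructed byte blob standing in for unallocated space; the signature table holds two hypothetical entries and a real carver's table is much larger.

```python
import hashlib

# Header/footer signatures (constructed two-entry set; FTK's own table is larger)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(blob: bytes, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan a raw blob (e.g. unallocated space) for known headers and carve each
    file up to its footer. A header with no footer within max_size is left alone,
    since only the header still exists and the end of the file cannot be located."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start == -1:
                break
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # truncated item: skip past this header
                continue
            end += len(footer)
            data = blob[start:end]
            found.append({"type": ftype, "offset": start, "size": len(data),
                          "md5": hashlib.md5(data).hexdigest(), "data": data})
            pos = end
    return sorted(found, key=lambda f: f["offset"])

# Constructed unallocated-space sample: zeros, a fake JPEG, zeros, a fake PNG,
# then a JPEG header whose footer never arrives (a truncated deleted file)
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
UNALLOCATED = b"\x00" * 64 + FAKE_JPG + b"\x00" * 16 + FAKE_PNG + b"\xff\xd8\xff" + b"T" * 8

if __name__ == "__main__":
    for item in carve(UNALLOCATED):
        print(item["type"], "at offset", item["offset"], "size", item["size"], item["md5"])
```

Recording the offset and hash of each carved item is what lets the result be tied back to the evidence image and reproduced by another examiner.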

9
Live Search
  1. In the Search window, click Live Search
  2. In the Search Term field, enter the term you want
    to search for
  3. In the Item Type column, specify if you want FTK
    to search in Text or Hexadecimal
  4. Click Add to add the search term to the Search
    Items column
  5. In the Max Hits Per File field, enter the maximum
    number of times you want a search hit to be
    listed per file

10
Indexed Search
  • FTK uses the search engine, dtSearch, to perform
    all indexed searches
  • To index evidence when it is added to the case,
    check the Full Text Index box on the Evidence
    Processing Options form
  • To index evidence after it is added to the case,
    select Tools -> Analysis Tools -> Full Text
    Indexing
  • In the Search window, click Indexed Search
  • In the Search Term field, enter the term you want
    to search for, including any wildcard characters
  • Click Add to add the search term to the search
    list
  • To refine the search, click Options
  • In the Search Items column, select the index term
    you want to search
  • Click View Item Results to initiate the search

11
Using Filters
  • If you want to minimize the number of evidence
    items to examine, you can apply an existing
    filter or create a customized filter to exclude
    unwanted items
  • FTK allows you to filter your case evidence by
    file status, type, size, and date parameters

12
Overview Window - Unfiltered
13
Overview Window - Filtered
14
Overview Window Filtered Actual Files
15
Search by Regular Expression
  • Page 295 of FTK Manual (V1.81.0)
  • Search through large quantities of text
    information for patterns of data such as the
    following
  • Telephone Numbers
  • Social Security Numbers
  • Computer IP Addresses
  • Credit Card Numbers

16
Regular Expressions for Data Pattern
  • Arithmetic expression 5/((1+2)*3)
  • Regular expressions also have operands,
    operators, sub-expressions, and a value
  • Operands in regular expressions can be any
    printable characters

Component        Example
Operands         5, 1, 2, 3
Operators        /, ( ), +, *
Sub-expressions  (1+2), ((1+2)*3)
Value            Approximately 0.556
17
Simple Regular Expressions
  • Made up entirely of operands
  • The regular expression dress causes FTK to return a
    list of all files that contain the sequence of
    characters dress

18
Complex Regular Expressions
  • Operators allow regular expressions to search
    patterns of data rather than specific values
  • Find all Visa and MasterCard credit card numbers
    in case evidence files
  • \<((\d\d\d\d)[\- ]){3}\d\d\d\d\>

19
\<((\d\d\d\d)[\- ]){3}\d\d\d\d\>
  • \ Escape character
  • Modification of operands: \<
  • Modification of operators: \-
  • \< begin-a-word operator
  • The first character immediately follows a
    non-word character such as white space or another
    word delimiter
  • ( ) Parentheses
  • Group together a sub-expression
  • \d any decimal digit character from 0-9
  • [ ] Brackets: the next character must be a
    character listed between the brackets
  • {3} the preceding sub-expression must repeat
    three times, back to back
  • \> end-a-word operator

20
Other Variations on the Same Expression
  • \<((\d\d\d\d)(\-| )){3}\d\d\d\d\>
  • | (union operator): the next character to match
    is either the left operand (the hyphen) or the
    right operand (the space)
  • \<\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-|
    )\d\d\d\d\>

21
Predefined Regular Expressions
  • Visa and MasterCard Numbers
  • \<((\d\d\d\d)[\- ]){3}\d\d\d\d\>
  • U.S. Social Security Numbers
  • \<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\>
  • U.S. Phone Number
  • ((\<1[\-\. ])?(\(\<)?\d\d\d\)?[\.\-/
    ]?)?\<\d\d\d[\.\- ]\d\d\d\d\>
  • ? the sub-expression immediately to its left
    appears exactly zero or one time in any search
    hit
  • IP Addresses
  • \<[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]
    ?[0-9]\.[1-2]?[0-9]?[0-9]\>
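An added example (not from the lecture or the FTK manual) that runs the predefined patterns above, plus the union-operator variant, over constructed text. FTK's begin-a-word and end-a-word operators \< and \> have no direct Python equivalent, so they are mapped to Python's word boundary \b; the sample card number, SSN and addresses are made up.

```python
import re

def ftk_to_python(pattern: str) -> str:
    """Map FTK's \< and \> word-boundary operators onto Python's \b."""
    return pattern.replace(r"\<", r"\b").replace(r"\>", r"\b")

# Patterns as written on the slides (bracket, brace and union operators included)
FTK_PATTERNS = {
    "visa_mastercard": r"\<((\d\d\d\d)[\- ]){3}\d\d\d\d\>",
    "visa_mastercard_union": r"\<((\d\d\d\d)(\-| )){3}\d\d\d\d\>",
    "us_ssn": r"\<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\>",
    "ip_address": r"\<[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\."
                  r"[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\>",
}

def search_patterns(text: str, patterns=FTK_PATTERNS) -> dict:
    """Return every hit of each pattern, in order, as a live regex search would."""
    hits = {}
    for name, ftk_pattern in patterns.items():
        regex = re.compile(ftk_to_python(ftk_pattern))
        hits[name] = [m.group(0) for m in regex.finditer(text)]
    return hits

# Constructed evidence text: one card number, one SSN, two addresses and a decoy
SAMPLE = (
    "Card 4000 1234 5678 9010 on file; SSN 123-45-6789; "
    "host 192.168.1.10 talked to 10.0.0.255; ticket 12345-6789 is not an SSN."
)

if __name__ == "__main__":
    for name, found in search_patterns(SAMPLE).items():
        print(f"{name:22} {found}")
```

The decoy "12345-6789" is rejected because \< requires the first digit to follow a non-word character, which shows why the word-boundary operators matter more than the digit counts.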

22
Big Picture
  1. Acquire and Preserve the evidence
  2. Analyze the case
  3. Prepare a report

23
Prepare a Report
  • Create a case report and case log to document the
    evidence and investigation results
  • Use the Report Wizard to create and modify
    reports
  • FTK -> File -> Report Wizard
  • The report may include
  • Bookmarks (information you selected during the
    examination) FTK -> Tools -> Create Bookmark
  • Customize graphics references
  • Select file listings
  • Include supplementary files and the case log

24
(No Transcript)
25
Discussion Case Studies
  • How digital forensics might relate to you, your
    firm or your case
  • Case Studies
  • What tools, knowledge and techniques you may use
    for the case