Hands-on: Capturing an Image with AccessData FTK Imager - PowerPoint PPT Presentation

About This Presentation
Title:

Hands-on: Capturing an Image with AccessData FTK Imager

Description:

Hands-on: Capturing an Image with AccessData FTK Imager Guide to Computer Forensics and Investigations * Guide to Computer Forensics and Investigations * Using ... – PowerPoint PPT presentation

Slides: 72
Provided by: Radfo51
Learn more at: http://www.radford.edu

Transcript and Presenter's Notes

1
Hands-on: Capturing an Image with AccessData FTK Imager
2
Capturing an Image with AccessData FTK Imager
  • Included with AccessData Forensic Toolkit
  • Views evidence disks and disk-to-image files
  • Makes disk-to-image copies of evidence drives
    • At the logical partition and physical drive level
    • Can segment the image file
  • The evidence drive must be connected through a hardware write-blocking device
    • Or have the USB write-protection Registry feature enabled
  • FTK Imager can't acquire a drive's host protected area (HPA)

3
Capturing an Image with AccessData FTK Imager (continued)
4
Capturing an Image with AccessData FTK Imager (continued)
  • Steps
    • Boot to Windows
    • Connect the evidence disk to a write-blocker
    • Connect the target disk to the write-blocker
    • Start FTK Imager
    • Create Disk Image
    • Use the Physical Drive option
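
An added example, not from the slides or from AccessData, of the verification that follows a segmented acquisition: the segments are reassembled in numeric order and re-hashed, and the result must equal the MD5/SHA-1 recorded at acquisition time. The evidence bytes, the 4 KiB segment size and the `evidence.001`-style names are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed sample "evidence drive": 10 KiB of deterministic bytes stands in
# for the physical drive that FTK Imager reads through the write-blocker.
EVIDENCE = bytes((i * 7919 + 13) % 256 for i in range(10 * 1024))
SEGMENT_SIZE = 4096  # demo segment size; FTK Imager lets you pick a fragment size

def hash_chunks(chunks):
    """Return (md5, sha1) hex digests over an iterable of byte chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def write_segments(data, directory, base="evidence"):
    """Split data into base.001, base.002, ... (the usual raw/dd segment naming)."""
    paths = []
    for n, start in enumerate(range(0, len(data), SEGMENT_SIZE), start=1):
        path = os.path.join(directory, f"{base}.{n:03d}")
        with open(path, "wb") as fh:
            fh.write(data[start:start + SEGMENT_SIZE])
        paths.append(path)
    return paths

def verify_image(paths, expected_md5, expected_sha1):
    """Reassemble the segments in numeric order, re-hash, compare with the acquisition hashes."""
    def chunks():
        for path in sorted(paths, key=lambda p: int(p.rsplit(".", 1)[1])):
            with open(path, "rb") as fh:
                yield fh.read()
    md5, sha1 = hash_chunks(chunks())
    return md5 == expected_md5 and sha1 == expected_sha1

def demo():
    """Simulate acquisition, verify, then show that a corrupted segment is caught."""
    acq_md5, acq_sha1 = hash_chunks([EVIDENCE])  # hashes recorded at acquisition time
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_segments(EVIDENCE, tmp)
        ok_before = verify_image(paths, acq_md5, acq_sha1)
        with open(paths[1], "ab") as fh:  # corrupt segment 2 by appending one byte
            fh.write(b"\x00")
        ok_after = verify_image(paths, acq_md5, acq_sha1)
    return len(paths), ok_before, ok_after

if __name__ == "__main__":
    print(demo())  # (3, True, False)
```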

5
Capturing an Image with AccessData FTK Imager (continued)
6
Capturing an Image with AccessData FTK Imager (continued)
7
Capturing an Image with AccessData FTK Imager (continued)
8
Capturing an Image with AccessData FTK Imager (continued)
9
Creating a Virtual Machine
10
Understanding Virtual Machines
  • Virtual machine
    • Allows you to create a representation of another computer on an existing physical computer
    • A virtual machine is just a few files on your hard drive
    • You must allocate space to it
    • A virtual machine recognizes components of the physical machine it's loaded on
    • The virtual OS is limited by the physical machine's OS

11
(No Transcript)
12
Understanding Virtual Machines (continued)
  • In computer forensics
    • Virtual machines make it possible to restore a suspect drive on your virtual machine
    • And run nonstandard software the suspect might have loaded
  • From a network forensics standpoint, you need to be aware of some potential issues, such as
    • A virtual machine used to attack another system or network

13
Creating a Virtual Machine
  • Two popular applications for creating virtual machines
    • VMware and Microsoft Virtual PC
  • Using Virtual PC
    • You must download and install Virtual PC first

14
Creating a Virtual Machine (continued)
15
Creating a Virtual Machine (continued)
16
Creating a Virtual Machine (continued)
17
Creating a Virtual Machine (continued)
  • You need an ISO image of an OS
    • Because no OSs are provided with Virtual PC
  • Virtual PC creates two files for each virtual machine
    • A .vhd file, which is the actual virtual hard disk
    • A .vmc file, which keeps track of configurations you make to that disk
  • To see what type of physical machine your virtual machine thinks it's running on
    • Open the Virtual PC Console, and click Settings

18
Creating a Virtual Machine (continued)
19
Creating a Virtual Machine (continued)
20
Current Computer Forensic Tools
21
Analyze Data
22
Using AccessData Forensic Toolkit to Analyze Data
  • Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
  • FTK can analyze data from several sources, including image files from other vendors
  • FTK produces a case log file
  • Searching for keywords
    • Indexed search
    • Live search
    • Supports options and advanced searching techniques, such as stemming

23
Using AccessData Forensic Toolkit to Analyze Data (continued)
24
Using AccessData Forensic Toolkit to Analyze Data (continued)
25
Using AccessData Forensic Toolkit to Analyze Data (continued)
  • Analyzes compressed files
  • You can generate reports
    • Using bookmarks

26
Using AccessData Forensic Toolkit to Analyze Data (continued)
27
Recovering Passwords
28
Recovering Passwords
  • Techniques
    • Dictionary attack
    • Brute-force attack
    • Password guessing based on the suspect's profile
  • Tools
    • AccessData PRTK
    • Advanced Password Recovery Software Toolkit
    • John the Ripper

29
Recovering Passwords (continued)
  • Using AccessData tools with passworded and encrypted files
    • AccessData offers a tool called Password Recovery Toolkit (PRTK)
    • Can create possible password lists from many sources
    • Can create your own custom dictionary based on facts in the case
    • Can create a suspect profile and use biographical information to generate likely passwords

30
Recovering Passwords (continued)
31
Recovering Passwords (continued)
32
Recovering Passwords (continued)
33
Recovering Passwords (continued)
  • Using AccessData tools with passworded and encrypted files (continued)
    • FTK can identify known encrypted files and those that seem to be encrypted, and export them
    • You can then import these files into PRTK and attempt to crack them

34
(No Transcript)
35
Recovering Passwords (continued)
36
Understanding Steganography
37
Understanding Steganography in Graphics Files (continued)
  • Substitution
    • Replaces bits of the host file with bits of data
    • Usually changes the last two LSBs (least significant bits)
    • Detected with steganalysis tools
    • Usually used with image files
  • Audio and video options
    • Hard to detect

38
Understanding Steganography in Graphics Files (continued)
39
Understanding Steganography in Graphics Files (continued)
40
Using Steganalysis Tools
  • Detect variations of the graphic image
  • When applied correctly, you cannot detect hidden data in most cases
  • Methods
    • Compare the suspect file to good or bad image versions
    • Mathematical calculations verify size and palette color
    • Compare hash values
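
An added example, not from the slides or any steganalysis product, of the comparison methods listed above (size check, hash comparison, and pixel-level comparison against a known-good copy) applied to the two-LSB substitution described on slide 37. The gradient image, the `b"hi"` payload used to build the specimen, and all function names are constructed for the demo; the pixels are raw 8-bit grayscale bytes with no file format around them.

```python
import hashlib

WIDTH, HEIGHT = 16, 8
# Constructed "known-good" 8-bit grayscale image: a smooth horizontal gradient,
# stored as raw pixel bytes so the demo needs no image library.
ORIGINAL = bytes((x * 255) // (WIDTH - 1) for _y in range(HEIGHT) for x in range(WIDTH))

def make_specimen(pixels, payload, nbits=2):
    """Build a test specimen the way a substitution tool alters a host file:
    the lowest nbits of consecutive pixels are overwritten with payload bits."""
    bits = "".join(f"{b:08b}" for b in payload)
    keep = 0xFF ^ ((1 << nbits) - 1)        # mask that preserves the high bits
    out = bytearray(pixels)
    for i in range(0, len(bits), nbits):
        idx = i // nbits
        out[idx] = (out[idx] & keep) | int(bits[i:i + nbits], 2)
    return bytes(out)

def compare_to_known_good(good, suspect, nbits=2):
    """Checks against a known-good copy: same size?, same hash?, how many pixels
    differ, and whether every difference is confined to the low nbits (the
    signature of LSB substitution, as opposed to an ordinary re-edit)."""
    report = {"same_size": len(good) == len(suspect)}
    if not report["same_size"]:
        return report
    report["hash_match"] = hashlib.sha256(good).digest() == hashlib.sha256(suspect).digest()
    keep = 0xFF ^ ((1 << nbits) - 1)
    changed = [i for i, (g, s) in enumerate(zip(good, suspect)) if g != s]
    report["pixels_changed"] = len(changed)
    report["only_low_bits_changed"] = all((good[i] & keep) == (suspect[i] & keep) for i in changed)
    return report

def demo():
    """Compare two suspects: an LSB specimen and a copy simply brightened by 8 levels.
    The specimen differs only in low bits; the brightened copy differs in high bits."""
    stego = make_specimen(ORIGINAL, b"hi")
    brightened = bytes(min(255, p + 8) for p in ORIGINAL)
    return compare_to_known_good(ORIGINAL, stego), compare_to_known_good(ORIGINAL, brightened)

if __name__ == "__main__":
    for report in demo():
        print(report)
```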

41
Packet Sniffers: Wireshark lab (password sniffing)
42
Using Packet Sniffers
  • Packet sniffers
    • Devices or software that monitor network traffic
    • Most work at layer 2 or 3 of the OSI model
    • Most tools follow the PCAP format
    • Some packets can be identified by examining the flags in their TCP headers
  • Tools
    • Tcpdump
    • Tethereal
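
An added example (not from the slides, and not tcpdump's or Wireshark's code) of what "most tools follow the PCAP format" and "identified by examining the flags in their TCP headers" mean in practice: a minimal libpcap reader that pulls the flag byte out of each Ethernet/IPv4/TCP frame and labels SYN, SYN/ACK and RST. The frames and the capture file are constructed in memory with documentation addresses; the function names are this example's own.

```python
import struct

# TCP header flag bits (RFC 793) in ascending bit order.
FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def build_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload; checksums are left zero
    because this parser (like most capture readers) does not validate them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Minimal libpcap file: 24-byte global header, then one 16-byte record header per frame."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    recs = (struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return head + b"".join(recs)

def iter_frames(pcap):
    """Yield (timestamp, frame_bytes) from a libpcap file, honouring the magic's byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[pcap[:4]]
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        yield ts_sec + ts_usec / 1e6, pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_summary(frame):
    """Return (src, dst, sport, dport, [flag names], verdict) or None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    flags = frame[t + 13]                      # flag byte of the TCP header
    names = [n for bit, n in FLAG_NAMES if flags & bit]
    verdict = {("SYN",): "connection attempt", ("SYN", "ACK"): "connection accepted"}.get(tuple(names), "")
    if "RST" in names:
        verdict = "reset (port closed or connection refused)"
    return src, dst, sport, dport, names, verdict

def summarize(pcap):
    """List TCP summaries for every frame in a capture (non-TCP frames are skipped)."""
    return [s for _ts, f in iter_frames(pcap) if (s := tcp_summary(f))]
```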

43
Using Packet Sniffers (continued)
44
Using Packet Sniffers (continued)
  • Tools (continued)
    • Snort
    • Tcpslice
    • Tcpreplay
    • Tcpdstat
    • Ngrep
    • Etherape
    • Netdude
    • Argus
    • Ethereal

45
Using Packet Sniffers (continued)
46
Using Packet Sniffers (continued)
47
Using Packet Sniffers (continued)
48
Viewing E-mail Headers
49
Viewing E-mail Headers
  • Learn how to find e-mail headers
    • GUI clients
    • Command-line clients
    • Web-based clients
  • After you open e-mail headers, copy and paste them into a text document
    • So that you can read them with a text editor
  • Headers contain useful information
    • Unique identifying numbers, IP address of the sending server, and sending time

50
Viewing E-mail Headers (continued)
  • Outlook
    • Open the Message Options dialog box
    • Copy headers
    • Paste them to any text editor
  • Outlook Express
    • Open the message Properties dialog box
    • Select Message Source
    • Copy and paste the headers to any text editor

51
Viewing E-mail Headers (continued)
52
Viewing E-mail Headers (continued)
53
(No Transcript)
54
Viewing E-mail Headers (continued)
  • Novell Evolution
    • Click View, All Message Headers
    • Copy and paste the e-mail header
  • Pine and ELM
    • Check enable-full-headers
  • AOL headers
    • Click Action, View Message Source
    • Copy and paste headers

55
Viewing E-mail Headers (continued)
56
Viewing E-mail Headers (continued)
57
Viewing E-mail Headers (continued)
58
Viewing E-mail Headers (continued)
59
Viewing E-mail Headers (continued)
  • Hotmail
    • Click Options, and then click Mail Display Settings
    • Click the Advanced option button under Message Headers
    • Copy and paste headers
  • Apple Mail
    • Click View from the menu, point to Message, and then click Long Header
    • Copy and paste headers

60
Viewing E-mail Headers (continued)
61
Viewing E-mail Headers (continued)
62
Viewing E-mail Headers (continued)
  • Yahoo
    • Click Mail Options
    • Click General Preferences and Show All headers on incoming messages
    • Copy and paste headers

63
(No Transcript)
64
Recovering E-mail
65
Using AccessData FTK to Recover E-mail
  • FTK
    • Can index data on a disk image or an entire drive for faster data retrieval
    • Filters and finds files specific to e-mail clients and servers
  • To recover e-mail from Outlook and Outlook Express
    • AccessData integrated dtSearch
    • dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files

66
(No Transcript)
67
Using AccessData FTK to Recover E-mail (continued)
68
(No Transcript)
69
Using AccessData FTK to Recover E-mail (continued)
70
Using AccessData FTK to Recover E-mail (continued)
71
Using AccessData FTK to Recover E-mail (continued)