Project 4: FTK Investigations
Watch Video https://youtu.be/i2szxZ3OfDI
One of the most commonly used commercial digital forensic tools is Forensic Toolkit from Access Data, more commonly known as FTK. FTK is an integrated tool used in many types of digital forensic investigations, with a particular focus on computers and servers. Additional Access Data tools that are commonly used with FTK include Password Recovery Toolkit (PRTK) and Registry Viewer. FTK Imager, which is license free, is used to create forensic images of various types of media in a variety of formats that can be read by a wide variety of digital forensic tools. In this project you will use all four of these Access Data tools in a typical law enforcement scenario.
The project has three lab steps followed by a final paper (Step 4). In the lab steps you use FTK and the other Access Data tools to image and examine two computers and a thumb drive (USB stick). Each lab step requires you to respond to detectives’ questions based on the computer images.
The final assignment is a paper that helps detectives better understand the use of FTK Imager and other Access Data tools to access and image computers and thumb drives. In Step 1, you introduce detectives to the basics of forensic digital investigation by creating an image using FTK Imager. Let’s begin!
One of the first steps in conducting a forensic investigation is creating an image of the evidence, so that all later analysis is done on a verified copy rather than on the original media. Forensic evidence can be found in operating systems, network traffic (including e-mail), and software applications. To help the detectives in your department understand the digital forensics investigation process better, you have offered to show them how you create an image using FTK Imager. FTK Imager can acquire and preview many types of files, including audio, pictures, and videos. Graphics files can be a rich source of forensic evidence.
Because you are pressed for time, you go to the virtual lab and decide to create a logical image of the “My Pictures” directory on your computer. This process is very similar to making a full computer image, but it takes only a few minutes rather than several hours. You are preparing a report describing the steps that you follow so the detectives can refer to it later. You will include a screenshot, the AD1 image (CSEC662_Lab1_Name.ad1), and the text summary that FTK Imager writes alongside the image, which documents the imaging process with information such as the image’s hash values.
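The hash values FTK Imager records in its summary are only useful if someone can later re-compute them and confirm they still match. The following is an added example (it is not code from the course page or from Access Data) showing how an examiner can independently re-verify an image’s MD5 and SHA-1 digests, streaming the file in chunks so a multi-gigabyte image is never loaded into memory, and produce the lines that go into the report. The sample evidence bytes and the “recorded” digests are constructed here so the example runs offline; the function names are this example’s own.

```python
"""Independent re-verification of an acquired image's hashes.

Added example, not code from the course page or from Access Data. It assumes
only that the imaging tool reported an MD5 and a SHA-1 digest for the image it
wrote (FTK Imager records both in the summary it creates beside the image).
SAMPLE_IMAGE and RECORDED below are constructed stand-ins so this runs offline.
"""
import hashlib
import io
from typing import BinaryIO

CHUNK_SIZE = 1 << 20  # 1 MiB: stream the image so a large file is never read whole


def hash_stream(stream: BinaryIO, chunk_size: int = CHUNK_SIZE) -> dict:
    """Hash a readable binary stream with MD5 and SHA-1 in a single pass."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    for block in iter(lambda: stream.read(chunk_size), b""):
        md5.update(block)
        sha1.update(block)
        total += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bytes": total}


def hash_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Convenience wrapper for in-memory data (used for the constructed sample)."""
    return hash_stream(io.BytesIO(data), chunk_size)


def hash_file(path: str) -> dict:
    """Hash an image file on disk, e.g. the .ad1 written by FTK Imager."""
    with open(path, "rb") as f:
        return hash_stream(f)


def verify(computed: dict, recorded: dict) -> list:
    """Return the algorithms whose digests do NOT match (empty list = verified).

    Comparison is case-insensitive because tools differ in hex casing.
    """
    return [
        alg for alg in ("md5", "sha1")
        if alg in recorded and computed[alg].lower() != recorded[alg].strip().lower()
    ]


def acquisition_record(item_label: str, computed: dict, recorded: dict) -> str:
    """Produce the lines an examiner pastes into the report: what was hashed,
    what the tool recorded, and whether the two agree."""
    mismatches = verify(computed, recorded)
    status = "VERIFIED" if not mismatches else "MISMATCH: " + ", ".join(mismatches)
    lines = [f"Item: {item_label}", f"Size: {computed['bytes']} bytes"]
    for alg in ("md5", "sha1"):
        lines.append(f"{alg.upper()} computed: {computed[alg]}")
        lines.append(f"{alg.upper()} recorded: {recorded.get(alg, '(none)')}")
    lines.append(f"Result: {status}")
    return "\n".join(lines)


# Constructed stand-in for an image: a PNG-like header plus 4 KiB of filler.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 16

# Constructed stand-in for the digests the imaging tool recorded; these are
# simply the correct values for SAMPLE_IMAGE, as a clean acquisition would give.
RECORDED = {alg: hashlib.new(alg, SAMPLE_IMAGE).hexdigest() for alg in ("md5", "sha1")}

if __name__ == "__main__":
    print(acquisition_record("CSEC662_Lab1_Name.ad1 (sample)", hash_bytes(SAMPLE_IMAGE), RECORDED))
    # Flip one byte to show the check failing on an altered copy.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01
    print(verify(hash_bytes(bytes(tampered)), RECORDED))
```

Run `hash_file()` against the real image and pass the digests copied from FTK Imager’s summary as `recorded`; a non-empty result from `verify()` means the image (or the summary) has changed since acquisition and the chain of custody needs explaining before any findings are reported.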
User Name and password for the Labs
User Name: VKING15
PWD: 1Heart=1Love!
Here are some resources that will help you complete the lab:
Additional Lab Support Information:
More lab-related self-help information is available if you register for CLAB 699, our free online graduate Cyber Computing Lab Assistance hub.
Registering for Cyber Computing Lab Assistance
Submit your report for review and ungraded feedback from the detectives (your instructor). Incorporate any suggested changes; you will include your report in the Use of Access Data Tools paper that you submit in Step 4.
Now that you have demonstrated the imaging process and investigative techniques to detectives, you are ready to proceed to the next step in which you demonstrate the use of Registry Viewer.
Keywords: Examining metadata, File systems, Hexadecimal and ASCII, Operating Systems, Report writing, File system information gathering
In the previous step you imaged a directory for a forensic report using FTK Imager. Now the detectives have requested additional analysis so you decide to go to the virtual lab and use Registry Viewer to access user account information for the image from the Mantooth computer.
The Mantooth image is a subset of a full computer image. While it is rich in artifacts, it is small enough to process in minutes rather than hours. Registry Viewer displays the contents of Windows registry hive files (such as SAM, SYSTEM, SOFTWARE and NTUSER.DAT), so it will help answer some of the questions posed by the detectives. You can also investigate the suspect Mantooth’s e-mail activity and picture files.
The detectives have requested the following information:
The detectives are also asking for:
You review your responses and summary information carefully for accuracy and completeness, and save them in a single file to be included in your final paper on Using Access Data tools (Step 4).
Just when you think that the detectives are satisfied with the information that you’ve provided, they request even more information on the suspects and the crime. You can’t say no, so you turn to PRTK to help you access that data…
Keywords: Examining metadata, File systems, Hexadecimal and ASCII, Operating Systems, File system information gathering
The Mantooth image has provided a lot of new information, but the detectives want more. PRTK is the tool that can uncover it. An image has been taken of the hard drive in a computer belonging to a suspect named Washer.
The Washer image is a subset of a full computer image (similar to the Mantooth image), so processing time is reduced. While it is rich in artifacts, it is small enough to process in minutes rather than hours. You have full confidence that an investigation of the Washer image will approximate the investigation of a full computer image. Registry Viewer allows you to view the contents of various types of registry files, whereas PRTK recovers passwords and decrypts password-protected files. Passwords for certain files may also be recoverable from other artifacts on the image, such as credentials stored elsewhere on the system.
The detectives have asked you to analyze the Washer and thumb drive processed images within FTK to ferret out the following facts. You will include your answers to these questions in your final paper on the Use of Access Data tools.
Rasco Badguy and John Washer plan to camp.
Please provide this additional information:
Once again the detectives are asking for a summary of your investigative procedures and findings so you document the following:
You review your responses and summary documentation carefully for accuracy and completeness for you will be including them in your final paper.
The time has come to combine the work products from Steps 1, 2, and 3 into a final paper summarizing the Use of Access Data Tools. You submit it to the detectives (your instructor) and cross your fingers that it contains everything they need to know about the most widely used tools available for accessing and imaging forensic data.