Hands-on: Capturing an Image with AccessData FTK Imager

Page 1: Hands-on: Capturing an Image with AccessData FTK Imager



Guide to Computer Forensics and Investigations 2

Capturing an Image with AccessData FTK Imager

• Included on AccessData Forensic Toolkit
• View evidence disks and disk-to-image files
• Makes disk-to-image copies of evidence drives
  – At logical partition and physical drive level
  – Can segment the image file

• Evidence drive must have a hardware write-blocking device
  – Or the USB write-protection Registry feature enabled

• FTK Imager can’t acquire drive’s host protected area


Capturing an Image with AccessData FTK Imager (continued)

• Steps
  – Boot to Windows
  – Connect evidence disk to a write-blocker
  – Connect target disk to write-blocker
  – Start FTK Imager
  – Create Disk Image
    • Use Physical Drive option
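The steps above end with a disk-to-image file, which FTK Imager may have split into segments. What the slides do not show is the verification an examiner does next: hash the segments, in order, as one logical image and compare the result with the hash recorded at acquisition. The following is an added example, not code from the book or from AccessData; the `.001`/`.002` segment naming, the 16-byte segment size and the use of SHA-256 are assumptions of the example (FTK Imager records its own verification hashes), and the "evidence drive" is a constructed 512-byte buffer.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed value for the demo; real segment sizes are hundreds of MB or more.
SEGMENT_SIZE = 16


def write_segmented_image(directory, data, segment_size=SEGMENT_SIZE):
    """Write `data` as evidence.001, evidence.002, ... (constructed stand-in for a split raw image)."""
    paths = []
    for n, start in enumerate(range(0, len(data), segment_size), start=1):
        path = Path(directory) / f"evidence.{n:03d}"
        path.write_bytes(data[start:start + segment_size])
        paths.append(path)
    return paths


def sha256_of_segments(paths, chunk_size=1 << 20):
    """Hash the logical image: stream every segment, in name order, into one SHA-256 context."""
    digest = hashlib.sha256()
    for path in sorted(paths):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    return digest.hexdigest()


def verify_image(paths, expected_sha256):
    """True when the reassembled segments hash to the value recorded at acquisition time."""
    return sha256_of_segments(paths) == expected_sha256.lower()


def demo():
    data = bytes(range(256)) * 2                 # constructed 512-byte "evidence drive"
    acquisition_hash = hashlib.sha256(data).hexdigest()
    with tempfile.TemporaryDirectory() as workdir:
        paths = write_segmented_image(workdir, data)
        intact = verify_image(paths, acquisition_hash)
        # Flip one bit in the second segment: verification must now fail.
        damaged = bytearray(paths[1].read_bytes())
        damaged[0] ^= 0x01
        paths[1].write_bytes(bytes(damaged))
        after_tamper = verify_image(paths, acquisition_hash)
    return len(paths), intact, after_tamper


if __name__ == "__main__":
    print(demo())   # (32, True, False)
```

The hash is computed over the concatenation of the segments, not per segment, because that is the value that describes the evidence drive; a per-segment hash would change if the image were later re-split with a different segment size.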


Creating a Virtual Machine


Understanding Virtual Machines

• Virtual machine
  – Allows you to create a representation of another computer on an existing physical computer
• A virtual machine is just a few files on your hard drive
  – Must allocate space to it
• A virtual machine recognizes components of the physical machine it’s loaded on
  – Virtual OS is limited by the physical machine’s OS


Understanding Virtual Machines (continued)

• In computer forensics
  – Virtual machines make it possible to restore a suspect drive on your virtual machine
    • And run nonstandard software the suspect might have loaded
• From a network forensics standpoint, you need to be aware of some potential issues, such as:
  – A virtual machine used to attack another system or network


Creating a Virtual Machine

• Two popular applications for creating virtual machines
  – VMware and Microsoft Virtual PC
• Using Virtual PC
  – You must download and install Virtual PC first


Creating a Virtual Machine (continued)

• You need an ISO image of an OS
  – Because no OSs are provided with Virtual PC
• Virtual PC creates two files for each virtual machine:
  – A .vhd file, which is the actual virtual hard disk
  – A .vmc file, which keeps track of configurations you make to that disk
• See what type of physical machine your virtual machine thinks it’s running on
  – Open the Virtual PC Console, and click Settings


Current Computer Forensic Tools


Analyze Data


Using AccessData Forensic Toolkit to Analyze Data

• Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
• FTK can analyze data from several sources, including image files from other vendors
• FTK produces a case log file
• Searching for keywords
  – Indexed search
  – Live search
  – Supports options and advanced searching techniques, such as stemming


Using AccessData Forensic Toolkit to Analyze Data (continued)

• Analyzes compressed files
• You can generate reports
  – Using bookmarks


Recovering Passwords


Recovering Passwords

• Techniques
  – Dictionary attack
  – Brute-force attack
  – Password guessing based on suspect’s profile
• Tools
  – AccessData PRTK
  – Advanced Password Recovery Software Toolkit
  – John the Ripper


Recovering Passwords (continued)

• Using AccessData tools with passworded and encrypted files
  – AccessData offers a tool called Password Recovery Toolkit (PRTK)
    • Can create possible password lists from many sources
  – Can create your own custom dictionary based on facts in the case
  – Can create a suspect profile and use biographical information to generate likely passwords


Recovering Passwords (continued)

• Using AccessData tools with passworded and encrypted files (continued)
  – FTK can identify known encrypted files and those that seem to be encrypted
    • And export them
  – You can then import these files into PRTK and attempt to crack them


Understanding Steganography


Understanding Steganography in Graphics Files (continued)

• Substitution
  – Replaces bits of the host file with bits of data
  – Usually changes the last two LSBs
  – Detected with steganalysis tools
• Usually used with image files
  – Audio and video options
• Hard to detect


Using Steganalysis Tools

• Detect variations of the graphic image
  – When applied correctly you cannot detect hidden data in most cases
• Methods
  – Compare suspect file to good or bad image versions
  – Mathematical calculations verify size and palette color
  – Compare hash values
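The substitution slide earlier and the steganalysis methods listed here describe the same thing from two sides: LSB substitution changes only the lowest bits of host bytes, so a comparison against a trusted copy of the image shows the same size, a different hash, and differences confined to bits 0 and 1. The block below is an added example (not from the book or any steganalysis tool) that works on a constructed 64-byte pixel buffer rather than a real image file; `lsb_substitute` exists only to manufacture the suspect sample, and `compare_to_known_good` performs the size, hash and bit-position checks.

```python
import hashlib


def lsb_substitute(host, payload_bits, bits_per_byte=2):
    """Constructed sample generator: overwrite the lowest `bits_per_byte` bits of successive host
    bytes with payload bits. It exists only to manufacture a suspect file for the checks below."""
    out = bytearray(host)
    mask = (1 << bits_per_byte) - 1
    for i, pos in enumerate(range(0, len(payload_bits), bits_per_byte)):
        if i >= len(out):
            raise ValueError("payload does not fit in host")
        chunk = payload_bits[pos:pos + bits_per_byte].ljust(bits_per_byte, "0")
        out[i] = (out[i] & ~mask & 0xFF) | int(chunk, 2)
    return bytes(out)


def compare_to_known_good(good, suspect):
    """Steganalysis against a trusted copy of the same image: size check, hash check, and a
    per-byte diff that records the highest bit position that changed. LSB substitution leaves
    size and high bits alone, so 'same size, hash differs, only bits 0-1 touched' is its signature."""
    report = {
        "same_size": len(good) == len(suspect),
        "hash_match": hashlib.sha256(good).digest() == hashlib.sha256(suspect).digest(),
        "bytes_changed": 0,
        "highest_changed_bit": -1,
    }
    for g, s in zip(good, suspect):
        diff = g ^ s
        if diff:
            report["bytes_changed"] += 1
            report["highest_changed_bit"] = max(report["highest_changed_bit"], diff.bit_length() - 1)
    report["lsb_only"] = report["bytes_changed"] > 0 and report["highest_changed_bit"] <= 1
    return report


def demo():
    good = bytes((i * 37) % 256 for i in range(64))            # constructed 64-byte pixel buffer
    payload = "".join(format(b, "08b") for b in b"hi")         # 16 bits -> touches the first 8 bytes
    suspect = lsb_substitute(good, payload)
    return compare_to_known_good(good, suspect)


if __name__ == "__main__":
    print(demo())
```

Note that some bytes are unchanged even though payload bits were written to them (their low bits already matched), which is why a diff count understates the embedded size and why, without a known-good copy, the slide's "cannot detect in most cases" warning holds.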


Packet Sniffers

(change to a Wireshark lab: password sniffing)


Using Packet Sniffers

• Packet sniffers
  – Devices or software that monitor network traffic
  – Most work at layer 2 or 3 of the OSI model
• Most tools follow the PCAP format
• Some packets can be identified by examining the flags in their TCP headers
• Tools
  – Tcpdump
  – Tethereal


• Tools (continued)
  – Snort
  – Tcpslice
  – Tcpreplay
  – Tcpdstat
  – Ngrep
  – Etherape
  – Netdude
  – Argus
  – Ethereal
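The tools above all read and write the PCAP format the slide mentions, and the "identify packets by their TCP flags" point is easiest to see by walking a capture file by hand. The following is an added example, not code from the book or from any of the listed tools: it builds a small classic-pcap file from constructed Ethernet/IPv4/TCP frames (checksums zeroed, documentation-style private addresses), parses the global header and packet records, decodes the TCP flag bits, and flags combinations that no conforming TCP stack sends. It handles only classic pcap (not pcapng) over Ethernet; those limits are assumptions of the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def tcp_flag_names(flags):
    """Decode the TCP flags byte into names, in bit order."""
    return [name for bit, name in TCP_FLAGS if flags & bit]


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed sample: Ethernet II + IPv4 + TCP. Checksums are left zero; test data, not a live capture."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Constructed sample: a little-endian classic pcap file holding the given frames."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def parse_pcap(data):
    """Walk the global header and packet records; return one dict per TCP segment found."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"                                         # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles LINKTYPE_ETHERNET only")

    segments, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                         # not IPv4 over Ethernet, or not TCP
        tcp_at = 14 + (frame[14] & 0x0F) * 4                 # skip IPv4 header (IHL in 32-bit words)
        if len(frame) < tcp_at + 20:
            continue                                         # truncated TCP header
        sport, dport, _seq, _ack, data_off, flags = struct.unpack_from("!HHIIBB", frame, tcp_at)
        segments.append({
            "ts": ts_sec,
            "src": ".".join(str(b) for b in frame[26:30]),
            "dst": ".".join(str(b) for b in frame[30:34]),
            "sport": sport, "dport": dport,
            "flags": tcp_flag_names(flags),
            "payload_len": len(frame) - tcp_at - (data_off >> 4) * 4,
        })
    return segments


def flag_anomalies(segments):
    """Indices of segments whose flag combination no conforming TCP stack emits (SYN with FIN, or no flags at all)."""
    return [i for i, s in enumerate(segments) if {"SYN", "FIN"} <= set(s["flags"]) or not s["flags"]]


def demo():
    frames = [
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80, 0x02),    # SYN
        build_tcp_frame("10.0.0.9", "10.0.0.5", 80, 40000, 0x12),    # SYN+ACK
        build_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),  # PSH+ACK
        build_tcp_frame("10.0.0.7", "10.0.0.9", 40001, 22, 0x03),    # SYN+FIN: malformed
    ]
    segments = parse_pcap(build_pcap(frames))
    return segments, flag_anomalies(segments)
```

The magic-number check is what lets the parser tell byte order: the same four bytes read as `0xA1B2C3D4` or `0xD4C3B2A1` depending on which endianness the capturing host used, and every later integer in the file must be read the same way.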


Viewing E-mail Headers


Viewing E-mail Headers

• Learn how to find e-mail headers
  – GUI clients
  – Command-line clients
  – Web-based clients
• After you open e-mail headers, copy and paste them into a text document
  – So that you can read them with a text editor
• Headers contain useful information
  – Unique identifying numbers, IP address of sending server, and sending time


Viewing E-mail Headers (continued)

• Outlook
  – Open the Message Options dialog box
  – Copy headers
  – Paste them to any text editor
• Outlook Express
  – Open the message Properties dialog box
  – Select Message Source
  – Copy and paste the headers to any text editor


Viewing E-mail Headers (continued)

• Novell Evolution
  – Click View, All Message Headers
  – Copy and paste the e-mail header
• Pine and ELM
  – Check enable-full-headers
• AOL headers
  – Click Action, View Message Source
  – Copy and paste headers


Viewing E-mail Headers (continued)

• Hotmail
  – Click Options, and then click the Mail Display Settings
  – Click the Advanced option button under Message Headers
  – Copy and paste headers
• Apple Mail
  – Click View from the menu, point to Message, and then click Long Header
  – Copy and paste headers


Viewing E-mail Headers (continued)

• Yahoo
  – Click Mail Options
  – Click General Preferences and Show All headers on incoming messages
  – Copy and paste headers
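Whichever client the headers came from, once they are pasted into a text file the examiner reads the same three things the earlier slide names: the unique identifying number (Message-ID), the IP address of the sending server, and the sending times. The block below is an added example, not code from the book or from any mail client, that parses a constructed header block with Python's standard `email` module. The hosts and addresses are reserved documentation values (example.net, 192.0.2.x, 203.0.113.x) and the timestamps are made up; the `date_skew_seconds` check is the example's own addition.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header block. Hosts and addresses use reserved documentation ranges
# (example.net/.org, 192.0.2.0/24, 203.0.113.0/24); nothing here refers to a real mailbox.
SAMPLE_HEADERS = """\
Received: from mx-in.example.net (mx-in.example.net [203.0.113.7])
    by mail.example.org with ESMTP id 4Xy9Zk2Nb1z;
    Tue, 05 Mar 2024 14:02:11 +0000
Received: from [192.0.2.55] (helo=laptop.local)
    by mx-in.example.net with SMTP id abc123;
    Tue, 05 Mar 2024 14:02:09 +0000
Message-ID: <20240305140205.12345@example.net>
Date: Tue, 05 Mar 2024 14:02:05 +0000
From: Sender <sender@example.net>
To: Recipient <recipient@example.org>
Subject: Quarterly figures

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw):
    """Return the Received: hops oldest first. Each MTA prepends its own line, so the header is
    read bottom-up; only the hop added by a server you trust is reliable, earlier ones can be forged."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())                      # unfold continuation lines
        ips = IPV4.findall(value)
        by = re.search(r"\bby (\S+)", value)
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({
            "from_ip": ips[0] if ips else None,
            "by": by.group(1) if by else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def summarize(raw):
    """Identifying number, originating IP and sending times, as the slides describe."""
    msg = message_from_string(raw)
    hops = received_chain(raw)
    sent = parsedate_to_datetime(msg["Date"])
    first_stamp = hops[0]["time"] if hops else None
    return {
        "message_id": msg["Message-ID"],
        "date": sent,
        "originating_ip": hops[0]["from_ip"] if hops else None,
        "hops": hops,
        # Seconds between the client's own Date: header and the first server's receipt stamp;
        # a large or negative value is a sign of a forged or back-dated header.
        "date_skew_seconds": (first_stamp - sent).total_seconds() if first_stamp else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The Received: lines are reversed deliberately: the topmost line was added last, by the server closest to the recipient, and is the only hop whose contents that recipient's server vouches for.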


Recovering E-mail


Using AccessData FTK to Recover E-mail

• FTK
  – Can index data on a disk image or an entire drive for faster data retrieval
  – Filters and finds files specific to e-mail clients and servers
• To recover e-mail from Outlook and Outlook Express
  – AccessData integrated dtSearch
    • dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files
