Advanced Computer Forensics
Windows FTK Forensics Lab
Read the ENTIRE document before starting to be sure you have all the necessary tools and files required to complete the lab. You should further explore the tools used in this lab to ensure your familiarity with alternative investigation options.
Lab Setup for using RLES vCloud
This lab is designed to function on the RLES vCloud. The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT. You have created a vApp in your previous labs. Now, you will add the vApp template, 841_Win_Forensics_Updated , from the Public Catalogs, to the same vApp following the instruction of Add Virtual Machines to a vApp without a network required (see RLES vCloud User Guide).
FTK software including FTK 1.8, Registry Viewer and FTK Imager are install in the 841_Win_Forensics_Updated VM. The EnCase evidence file, WinLabEnCase, is located in the local E:\ drive in RLES VM. Please read FTK 1.80 User Manual, posted in RLES, for FTK details.
The 841_Win_Forensics_Updated VM login
Username: Administrator
Password: netsys
NOTE: If you are not able to open the VM, please reset the VM’s mac address (right click on the VM, choose property, then click on the Hardware tab, click on the drop down arrow of mace address to reset the mac address)
PART I: Familiar with FTK Imager
Bonus Exercise 1 (5 points): Assume that you have a write-protected USB device.
Image a USB device or a floppy disk to create an image in a DD format. (Note: You are not able to use the 841_Win_Forensics_Updated VM to perform this bonus exercise. You have to use your own computer for this exercise).
Provide a snapshot from FTK Imager.
Requires: a USB device or a floppy disk
Launch FTK Imager
Click File > Create Disk Image
Click Physical Drive and Next
Select the device and select Raw (dd) Image Type
Exercise 2: View images
Click File > Add Evidence Item
Select Image file and then click Next
Browse to your WinLabEnCase.E01 image and click Finish
View the image in the Evidence Tree view
Question 1: What is the VBR file used for? How to export this file? How to export a file Hash?
Exercise 3: Convert the WinLabEnCase image to a DD image
In the Evidence Tree view, select the WinLabEnCase image
Click File > Export Disk Image
In the Create Image dialog, click Add
Select the raw image type and name it as converted.
Exercise 4: Verify images
Select the Encase Image and click File > Verify Drive/Image
Add in the converted raw image to the FTK Imager and click File > Verify Drive/Image.
Question 2: What are the results of verification? Comparing both hashes, are they same or not?
PART II: Working with FTK 1.8x
All exercises and questions in this part are designed for FTK 1.8x.
NOTE: If you choose to use FTK 4 instead of FTK 1.8x, please follow PART III.
Objective: Based on the experience you have in the previous lab, you will utilize FTK to conduct an analysis of an incident. This project will help you tie all of the pieces and techniques together, so that you have a better understanding of the whole picture of forensics investigation.
Requires: FTK and a windows’ disk image provided by your instructor.
Descriptions: In this lab you will be given a scenario and a disk image to go along with it. You will use FTK to analyze the disk image, retrieve deleted files and terms that have been purposefully hidden, and then use FTK to create a report about this incident.
Scenario: ACME Industries develops custom software for the aviation industry. Its main competitors are companies Raytheon and Boeing and a few smaller contractors.
Pat Smith has worked for ACME Industries for 5 years. His supervisor has noted that after being past over several times for a promotion, Pat has become quite disgruntled. The company fears that Pat may be offering proprietary company information to a competitor in exchange for a job.
The first investigator has created an Encase image of Pat’s computer’s hard drive. Your job is to examine it and extract all pertinent information to the investigation. You are to make no assumptions of innocence or guilt, just to gather information.
Steps involved:
1) Locate the EnCase evidence file “WinLabEnCase.E01”
2) Create a new case and add the EnCase evidence file to FTK for investigation.
3) Analyze the image.
Show the activities such as recovering deleted files; finding information that have been purposefully hidden; analyzing MAC time, signatures and Hash sets; searching keywords; gathering pertinent information from compound files such as outlook express .dbx files and registry files; examining IE history file, searching recycled files though the hidden Recycled folder and printer’s spool files located in WINDOWS\system32\spool\PRINTERS etc.
4) Generate a report
Note: All information in your report needs to be verified and repeatable in order to be admissible in court.
DETAILED PROCEDURES THAT MAY HELP YOU TO GO THROUGH THE FTK SOFTWARE
Exercise 1: Starting a New Case
Click File > “New Case” to begin a new case.
Name the case “FTK Case 1”
Enter your name as the examiner.
Enter your information as the forensic Examiner Information
Question 3: What information is required to create a new case using the FTK New Case Wizard?
In the Case Log Options window, leave all options marked. Try to understand each of the options.
In the Processes to Perform window, leave all options marked. Try to understand each of the options.
In both the Refine Case Default and the Refine Index Default windows, leave all options marked. Try to understand each of the options.
Add an Image to the exist case
In the Add Evidence to the Case window click “Add Evidence”, choose “Acquired Image of Drive”
Question 4: What are the types of evidence that can be added to a case in FTK?
Select the “WinLabEnCase.E01” file.
Set the Time Zone
When you acquire a computer as evidence it is important to make note of the computer’s time and time zone, especially if you need to correlate evidence from different time zones (never assume the time or time zone on a computer is correct.)
To set the time zone in FTK, in the Local Evidence Time Zone Selection window, choose your local time zone.
Exercise 2: Working with FTK
Click the OVERVIEW tab; note the numbers for each type of file.
Question 5: How to make the number of the Checked Items to go up? How to make the number of Flagged Thumbnails to go up?
File Signatures
A file type (JPEG, Word Document, MP3 file) can be determined by the file’s extension and by a header that precedes the data in the file. If a file’s extension has been changed, then the only way to determine its type is by looking at its header.
Question 6: Click on Bad Extension from Overview tab. Do you find any signature mismatch? What are they?