1 / 71

Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager. Capturing an Image with AccessData FTK Imager. Included on AccessData Forensic Toolkit View evidence disks and disk-to-image files Makes disk-to-image copies of evidence drives At logical partition and physical drive level

dunne
Download Presentation

Hands-on: Capturing an Image with AccessData FTK Imager

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Hands-on:Capturing an Image with AccessData FTK Imager

  2. Capturing an Image with AccessData FTK Imager • Included on AccessData Forensic Toolkit • View evidence disks and disk-to-image files • Makes disk-to-image copies of evidence drives • At logical partition and physical drive level • Can segment the image file • Evidence drive must have a hardware write-blocking device • Or the USB write-protection Registry feature enabled • FTK Imager can’t acquire drive’s host protected area Guide to Computer Forensics and Investigations

  3. Capturing an Image with AccessData FTK Imager (continued) Guide to Computer Forensics and Investigations

  4. Capturing an Image with AccessData FTK Imager (continued) • Steps • Boot to Windows • Connect evidence disk to a write-blocker • Connect target disk to write-blocker • Start FTK Imager • Create Disk Image • Use Physical Drive option Guide to Computer Forensics and Investigations

  5. Capturing an Image with AccessData FTK Imager (continued) Guide to Computer Forensics and Investigations

  6. Capturing an Image with AccessData FTK Imager (continued) Guide to Computer Forensics and Investigations

  7. Capturing an Image with AccessData FTK Imager (continued) Guide to Computer Forensics and Investigations

  8. Capturing an Image with AccessData FTK Imager (continued) Guide to Computer Forensics and Investigations

  9. Creating a Virtual Machine

  10. Understanding Virtual Machines • Virtual machine • Allows you to create a representation of another computer on an existing physical computer • A virtual machine is just a few files on your hard drive • Must allocate space to it • A virtual machine recognizes components of the physical machine it’s loaded on • Virtual OS is limited by the physical machine’s OS Guide to Computer Forensics and Investigations

  11. Guide to Computer Forensics and Investigations

  12. Understanding Virtual Machines (continued) • In computer forensics • Virtual machines make it possible to restore a suspect drive on your virtual machine • And run nonstandard software the suspect might have loaded • From a network forensics standpoint, you need to be aware of some potential issues, such as: • A virtual machine used to attack another system or network Guide to Computer Forensics and Investigations

  13. Creating a Virtual Machine • Two popular applications for creating virtual machines • VMware and Microsoft Virtual PC • Using Virtual PC • You must download and install Virtual PC first Guide to Computer Forensics and Investigations

  14. Creating a Virtual Machine (continued) Guide to Computer Forensics and Investigations

  15. Creating a Virtual Machine (continued) Guide to Computer Forensics and Investigations

  16. Creating a Virtual Machine (continued) Guide to Computer Forensics and Investigations

  17. Creating a Virtual Machine (continued) • You need an ISO image of an OS • Because no OSs are provided with Virtual PC • Virtual PC creates two files for each virtual machine: • A .vhd file, which is the actual virtual hard disk • A .vmc file, which keeps track of configurations you make to that disk • See what type of physical machine your virtual machine thinks it’s running • Open the Virtual PC Console, and click Settings Guide to Computer Forensics and Investigations

  18. Creating a Virtual Machine (continued) Guide to Computer Forensics and Investigations

  19. Creating a Virtual Machine (continued) Guide to Computer Forensics and Investigations

  20. Current Computer Forensic Tools

  21. Analyze Data

  22. Using AccessData Forensic Toolkit to Analyze Data • Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs • FTK can analyze data from several sources, including image files from other vendors • FTK produces a case log file • Searching for keywords • Indexed search • Live search • Supports options and advanced searching techniques, such as stemming Guide to Computer Forensics and Investigations

  23. Using AccessData Forensic Toolkit to Analyze Data (continued) Guide to Computer Forensics and Investigations

  24. Using AccessData Forensic Toolkit to Analyze Data (continued) Guide to Computer Forensics and Investigations

  25. Using AccessData Forensic Toolkit to Analyze Data (continued) • Analyzes compressed files • You can generate reports • Using bookmarks Guide to Computer Forensics and Investigations

  26. Using AccessData Forensic Toolkit to Analyze Data (continued) Guide to Computer Forensics and Investigations

  27. Recovering Password

  28. Recovering Passwords • Techniques • Dictionary attack • Brute-force attack • Password guessing based on suspect’s profile • Tools • AccessData PRTK • Advanced Password Recovery Software Toolkit • John the Ripper Guide to Computer Forensics and Investigations

  29. Recovering Passwords (continued) • Using AccessData tools with passworded and encrypted files • AccessData offers a tool called Password Recovery Toolkit (PRTK) • Can create possible password lists from many sources • Can create your own custom dictionary based on facts in the case • Can create a suspect profile and use biographical information to generate likely passwords Guide to Computer Forensics and Investigations

  30. Recovering Passwords (continued) Guide to Computer Forensics and Investigations

  31. Recovering Passwords (continued) Guide to Computer Forensics and Investigations

  32. Recovering Passwords (continued) Guide to Computer Forensics and Investigations

  33. Recovering Passwords (continued) • Using AccessData tools with passworded and encrypted files (continued) • FTK can identify known encrypted files and those that seem to be encrypted • And export them • You can then import these files into PRTK and attempt to crack them Guide to Computer Forensics and Investigations

  34. Guide to Computer Forensics and Investigations

  35. Recovering Passwords (continued) Guide to Computer Forensics and Investigations

  36. Understanding Steganography

  37. Understanding Steganography in Graphics Files (continued) • Substitution • Replaces bits of the host file with bits of data • Usually change the last two LSBs • Detected with steganalysis tools • Usually used with image files • Audio and video options • Hard to detect Guide to Computer Forensics and Investigations

  38. Understanding Steganography in Graphics Files (continued) Guide to Computer Forensics and Investigations

  39. Understanding Steganography in Graphics Files (continued) Guide to Computer Forensics and Investigations

  40. Using Steganalysis Tools • Detect variations of the graphic image • When applied correctly you cannot detect hidden data in most cases • Methods • Compare suspect file to good or bad image versions • Mathematical calculations verify size and palette color • Compare hash values Guide to Computer Forensics and Investigations

  41. Packet Snifferswireshark lab으로 바꾸기(passwd sniffing)

  42. Using Packet Sniffers • Packet sniffers • Devices or software that monitor network traffic • Most work at layer 2 or 3 of the OSI model • Most tools follow the PCAP format • Some packets can be identified by examining the flags in their TCP headers • Tools • Tcpdump • Tethereal Guide to Computer Forensics and Investigations

  43. Using Packet Sniffers (continued) Guide to Computer Forensics and Investigations

  44. Using Packet Sniffers (continued) • Tools (continued) • Snort • Tcpslice • Tcpreplay • Tcpdstat • Ngrep • Etherape • Netdude • Argus • Ethereal Guide to Computer Forensics and Investigations

  45. Using Packet Sniffers (continued) Guide to Computer Forensics and Investigations

  46. Using Packet Sniffers (continued) Guide to Computer Forensics and Investigations

  47. Using Packet Sniffers (continued) Guide to Computer Forensics and Investigations

  48. Viewing email header

  49. Viewing E-mail Headers • Learn how to find e-mail headers • GUI clients • Command-line clients • Web-based clients • After you open e-mail headers, copy and paste them into a text document • So that you can read them with a text editor • Headers contain useful information • Unique identifying numbers, IP address of sending server, and sending time Guide to Computer Forensics and Investigations

  50. Viewing E-mail Headers (continued) • Outlook • Open the Message Options dialog box • Copy headers • Paste them to any text editor • Outlook Express • Open the message Properties dialog box • Select Message Source • Copy and paste the headers to any text editor Guide to Computer Forensics and Investigations

More Related