
FTK


danielp


Presentation Transcript


  1. FTK: Components, Preview, Acquisition, New Case Setup, Adding Evidence

  2. FTK - Components
     • FTK – Forensic Toolkit, FTK Imager, License Manager, Password Recovery Toolkit, Registry Viewer, etc.

  3. FTK – Components: License Manager
     • Add or remove licenses from your dongle.
     • Purchase additional licenses.
     • Renew your subscription.
     • Download product updates.
     • Start > All Programs > AccessData > LicenseManager > LicenseManager

  4. FTK – Components: Password Recovery Tool Kit
     • PRTK – Password Recovery Tool Kit

  5. FTK – Components: Registry Viewer
     • AccessData Registry Viewer
     • Registry Viewer provides access to a registry’s protected areas, which contain useful forensic data not accessible in Windows regedit.

  6. FTK – Components: Registry Viewer
     • Some of the forensic data found in the registry files consists of:
       • Usernames and passwords
       • A history of Internet sites accessed, including date and time
       • A record of Internet searches performed on Google, Yahoo, etc.
       • Lists of recently accessed files
       • A list of all programs installed on the system

  7. FTK Imager: Preview, Acquisition

  8. FTK – Imager
     • FTK Imager
     • Used to make a copy of a device (e.g., hard drive, CD, thumb drive, etc.)
     • Imager screens: Evidence Tree, File List, Properties, Viewer

  9. FTK Imager - Preview

  10. FTK Imager - Preview
     • Physical drives – Used to image an entire HD.
     • Logical drives – Used to image a single partition (A, C, D, etc.).

  11. FTK Imager - Preview
     • In the File List window, click once on the second item.
     • In the Properties window, note the Date Accessed.

  12. FTK Imager - Preview
     • Exit out of FTK Imager and open My Computer > A drive.
     • Note that only one item is listed on the floppy.
     • After you open the file, close the picture and exit out of the floppy window and My Computer.

  13. FTK Imager - Preview
     • Once again, start FTK Imager.
     • Add the “A” drive as evidence.
     • Select the second file and note the date stamp.

  14. FTK Imager - Preview
     • Preview of the Recycle Bin
     • SID
     • INFO2 files

  15. FTK Imager - Preview
     • Preview of unallocated space.

  16. FTK Imager - Preview
     • Preview of unallocated space, cont.
     • Note the text.

  17. FTK Imager - Preview
     • Preview mode allows you to export items of interest without changing the data.

  18. FTK Imager - Preview
     • Exporting items in class.
     • Class labs will be located on the Forensics partition.
     • Items exported from your cases should be stored on the “F” drive.

  19. FTK Imager - Acquisition
     • Image types: EnCase .E01, SMART .S01, Linux dd
     • FTK can read: EnCase, SMART, Linux dd, WinImage, Ghost, ICS, SafeBack, CUE and ISO

  20. FTK Imager - Acquisition
     • Physical drive – Represents the entire contents of a hard drive, including all partitions.
     • Logical drive – Represents the contents of a single partition or Windows drive letter.
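To make the physical-versus-logical distinction of slides 10, 15 and 20 concrete, here is an added example (not from the slides or from AccessData) that builds a small MBR-partitioned device in memory, takes a raw dd-style image of the whole device and of one partition, and hashes each image. The SHA-256 verification step and the constructed disk layout are assumptions of this example; note that only the physical image captures the unallocated sectors between partitions.

```python
import hashlib
import struct

SECTOR = 512

def build_mbr(partitions):
    """Build a 512-byte MBR; each entry is (start_lba, sector_count, partition_type)."""
    mbr = bytearray(SECTOR)
    for i, (start, count, ptype) in enumerate(partitions[:4]):
        # status, CHS start (unused here), type, CHS end (unused), LBA start, sector count
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def parse_partitions(mbr):
    """Return (start_lba, sector_count, partition_type) for each populated MBR entry."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        _status, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype != 0 and count != 0:
            parts.append((start, count, ptype))
    return parts

def acquire_physical(device):
    """dd-style image of the whole device (all partitions and the gaps between them) plus its SHA-256."""
    image = bytes(device)
    return image, hashlib.sha256(image).hexdigest()

def acquire_logical(device, index):
    """dd-style image of one partition only, as a logical-drive acquisition would produce."""
    start, count, _ptype = parse_partitions(device[:SECTOR])[index]
    image = bytes(device[start * SECTOR:(start + count) * SECTOR])
    return image, hashlib.sha256(image).hexdigest()

def build_sample_disk():
    """Constructed 16-sector device: partition 1 at LBA 1-4, partition 2 at LBA 8-15, LBA 5-7 unallocated."""
    disk = bytearray(build_mbr([(1, 4, 0x0B), (8, 8, 0x07)])) + bytearray(SECTOR * 15)
    disk[1 * SECTOR:1 * SECTOR + 5] = b"PART1"
    disk[8 * SECTOR:8 * SECTOR + 5] = b"PART2"
    disk[5 * SECTOR:5 * SECTOR + 11] = b"UNALLOCATED"  # marker only a physical image will contain
    return bytes(disk)

if __name__ == "__main__":
    disk = build_sample_disk()
    print(len(acquire_physical(disk)[0]), len(acquire_logical(disk, 0)[0]))
```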

  21. FTK Imager - Acquisition
     • Logical Drive selection
     • Note: your Drive Selection options change.

  22. FTK Imager - Acquisition
     • Click on the Add button. This will bring up the Select Image Type screen.
     • Select Image Type
     • CD or DVD – This screen is omitted since the image is created as ISO or CUE.

  23. FTK Imager - Acquisition
     • Enter a Case Number, such as 070522-010: year 07, month 05, day 22. The 010 allows multiple cases in a given day.
     • Enter an Evidence Number, such as 0010. The 0010 allows additional data to be added to the case at a later date.
     • Case Name: it’s a good idea to add the device type to the name, e.g., desktop, floppy, laptop, etc. Example: smithdesktopHD1, smithdesktopHD2, smithfloppy1, etc.

  24. FTK Imager - Acquisition

  25. FTK Imager - Acquisition

  26. FTK Imager - Acquisition

  27. FTK Imager - Acquisition

  28. Forensic Toolkit (FTK): New Case Setup, Adding Evidence, General Settings

  29. FTK – New Case Setup
     • Start a new case
     • Open an existing case
     • Preview evidence (this option will start up FTK Imager)
     • Go directly to work

  30. FTK – New Case Setup
     • Case Number
       • Note! The Case Number doesn’t include the Evidence Number.
       • What’s wrong with the case number?
     • Case Name
       • Note! The name is appended to the path to create a case folder.
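The case and evidence numbering scheme of slide 23 and the folder rule of slide 30, checked in code as an added example (not from the slides or from FTK itself). The DEVICE_TYPES list, the base path and the rejection of path separators in a case name are assumptions of this example.

```python
import re
from datetime import datetime

CASE_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})-(\d{3})$")   # YYMMDD-NNN, e.g. 070522-010
EVIDENCE_RE = re.compile(r"^\d{4}$")                         # NNNN, e.g. 0010
DEVICE_TYPES = ("desktop", "laptop", "floppy", "hd", "cd", "thumb")  # assumed list

def parse_case_number(case_number):
    """Split 'YYMMDD-NNN' into (date opened, daily sequence); reject bad shapes and impossible dates."""
    m = CASE_RE.match(case_number)
    if not m:
        raise ValueError(f"case number {case_number!r} is not of the form YYMMDD-NNN")
    yy, mm, dd, seq = m.groups()
    opened = datetime.strptime(f"{yy}{mm}{dd}", "%y%m%d").date()  # raises on e.g. month 13
    return opened, int(seq)

def case_folder(base_path, case_number, case_name):
    """The case name is appended to the base path to form the case folder (slide 30)."""
    parse_case_number(case_number)  # validate before anything is created on disk
    if not case_name or "/" in case_name or "\\" in case_name:
        raise ValueError("case name must be a single path component")
    return f"{base_path.rstrip('/')}/{case_name}"

def check_evidence_label(evidence_number, case_name):
    """Evidence number is four digits; flag a case name that names no device type."""
    problems = []
    if not EVIDENCE_RE.match(evidence_number):
        problems.append("evidence number must be four digits, e.g. 0010")
    if not any(t in case_name.lower() for t in DEVICE_TYPES):
        problems.append("case name should include the device type (desktop, floppy, laptop, ...)")
    return problems
```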

  31. FTK – New Case Setup
     • Depending on your site policy you may or may not have to complete this screen.
     • Select Next.

  32. FTK - New Case Setup
     • Case Log Options
       • Allows you to determine what to include in the case log file.
       • It documents case activities.
       • The log file is called FTK.log and is located in the case folder.
     • Usage
       • Reports
       • Identifying case status/progress.
     • Manually modifiable: Tools > Add Case Log Entry

  33. FTK - New Case Setup
     • KFF – Skip system files
     • Entropy – Skip encrypted file indexing
     • Full Text Index – Longest step in case creation.

  34. FTK - New Case Setup
     • Decrypt EFS Files – Requires PRTK to decrypt EFS files.
     • File Listing DB – MS Access database of files
     • Data Carve – Finds files embedded in other files and free space.

  35. FTK - New Case Setup
     • Data Carving:
       • Picture – Porn
       • PDF – Theft of intellectual property.
       • HTML – Porn, time charging, etc.
       • AOL/AIM – Time charging, theft of intellectual property.
       • Office Documents – Time charging, theft of intellectual property.

  36. FTK - New Case Setup
     • Only use the “Include All Items” option!!!

  37. FTK - New Case Setup
     • Don’t limit yourself.

  38. FTK - New Case Setup
     • You have now finished defining the global settings for this case and are ready to add an image file.
     • Select Add Evidence.

  39. FTK - New Case Setup

  40. FTK - New Case Setup

  41. FTK - New Case Setup

  42. FTK - New Case Setup

  43. FTK - New Case Setup

  44. FTK – Overview

  45. FTK – Overview - Explore

  46. FTK – Overview - Graphics

  47. FTK – Overview - Email

  48. FTK – Overview - Email

  49. FTK – Overview - Bookmark

  50. FTK – Adding Evidence
