File000131


  1. Module XVIII – Forensic Investigation Using AccessData FTK
  2. Module Objective
     EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
     This module will familiarize you with:
     • Forensic Toolkit (FTK)
     • Installation of FTK
     • Starting with FTK
     • Working with FTK
     • Working with Cases
     • Searching a Case
     • Data Carving
     • Using Filters
     • Decrypting Encrypted Files
     • Working with Reports
     • Customizing the Interface
  3. Module Flow
     Forensic Toolkit (FTK) → Installation of FTK → Starting with FTK → Working with FTK → Working with Cases → Searching a Case → Data Carving → Using Filters → Decrypting Encrypted Files → Working with Reports → Customizing the Interface
  4. Forensic Toolkit (FTK®)
     Forensic Toolkit® (FTK®) is recognized around the world as the standard in computer forensic investigation technology.
     This court-validated platform delivers cutting-edge analysis, decryption and password cracking, all within an intuitive, customizable and user-friendly interface.
     In addition, with FTK you have the option of utilizing a back-end database to handle large data sets, or you can work without one if application simplicity is your goal.
  5. Features of FTK
     An Integrated Solution
     • Create images, analyze the registry, conduct an investigation, decrypt files, crack passwords, identify steganography, and build a report, all with a single solution
     • Recover passwords from over 80 applications; harness idle CPUs across the network to decrypt files and perform robust dictionary attacks
     • KFF hash library with 45 million hashes
     Embedded Oracle Database & Powerful Searching
     Powerful Processing and Speed
     Intuitive Interface and Rich Functionality
  6. Installation of FTK
  7. Software Requirement
     The required software for operation of AccessData Forensic Toolkit (FTK) 2.1:
     • CodeMeter 3.30a Runtime software for the CodeMeter Stick
     • Oracle 10g Database
     • FTK Program
     Additional programs required to aid in processing cases:
     • FTK Known File Filter (KFF) Library
     • AccessData LanguageSelector
     • AccessData LicenseManager
  8. Installing FTK (cont’d)
     FTK can be set up in three different configurations:
     • Single Machine
     • Separate Machines
     • Separate Machines with a pre-installed Oracle
  9. FTK Installation
     Insert the FTK 2.1 DVD into the drive
     Click Install Forensic Toolkit 2.1
  10. CodeMeter Stick Installation
     Follow the directions for installation, accepting all defaults, and click Finish to complete the installation
  11. Oracle Installation
     1. Launch the Oracle installer
     2. Click Next
     3. Read the license agreement, agree to it, and click Next
  12. Oracle Installation (cont’d)
     4. Wait for the installer to configure the installation
     5. Select the installation drive letter and click Next
     6. Agree to the Oracle Admin Password Agreement and click Next
  13. Oracle Installation (cont’d)
     7. Provide an Oracle System Administrator password and click Submit
     8. Wait for the installation and configuration to finish
     9. Click Finish to end the installation process
  14. Single Computer Installation
     1. Click Install FTK 2.1
     2. Click Next
     3. Read and accept the AccessData license agreement and click Next
     4. Select the location for the FTK components
  15. Choosing an Evidence Server
     Select "computer" if evidence files are stored on a volume on the computer running FTK, or on another computer that is not part of a domain
     If the evidence is stored elsewhere on a domain network, set up access to the evidence storage computer by choosing "other computer on the network"
     Click Next
  16. Installing the KFF Library
     1. Click Install KFF Library
     2. Click Next
     3. Accept the KFF license agreement and click Next
     4. Allow installation to progress
     5. Click Finish to end the installation
  17. Installing on Separate Computers
     Change the step order to 2, 4, 1, 3
     Perform steps 2 and 4 on the computer that is to run Oracle
     Perform steps 1 and 3 on the computer designated to run the FTK Program
  18. Starting with FTK
  19. Starting FTK
     Start > All Programs > AccessData > Forensic Toolkit > AccessData Forensic Toolkit 2.1
  20. Setting Up The Application Administrator
     Database > Add User
  21. Case Manager Window
     After logging in, the FTK Case Manager window appears with the following menus:
     • File
     • Database
     • Case
     • Tools
     • Help
  22. Toolbar Components
     The FTK interface provides a toolbar for applying QuickPicks and filters to the case
  23. Toolbar Components
  24. Properties Pane
  25. Hex Interpreter Pane
  26. Web Tab
  27. Filtered Tab
  28. Text Tab
  29. Hex Tab
  30. Explore Tab
  31. QuickPicks Filter
  32. Data Processing Status Dialog
     Data Processing Status: In Progress
     Data Processing Status: Successfully Completed
  33. Overview Tab
  34. Email Tab
  35. Graphics Tab
  36. Thumbnails Pane
  37. Bookmarks Tab
  38. Live Search Tab
  39. Index Search Tab
  40. Creating Tabs
  41. Launching FTK
     Click Start > All Programs > AccessData > Forensic Toolkit > AccessData Forensic Toolkit 2.1
     Log in using the case-sensitive user name and password provided by the application administrator
  42. Launching FTK
     Click Database > Add User to open the Add New User dialog
     Enter a user name
     Enter the full name of the user as it is to appear in reports
     Assign a role
     Enter a password
     Verify the password
     Click OK to save the new user and close the dialog
  43. Working with FTK
  44. Creating a Case
     Launch FTK 2.1, log in, and open the Case Manager window
     Click Case > New
     Enter a name for the case in the Case Name field
     Enter the specific reference information in the Reference field
     Enter a short description of the case in the Description field
     If you wish to specify a different location for the case, click the browse button
  45. Creating a Case
     Click Detailed Options to choose settings for the case
     • Click the Evidence Processing icon in the left pane, and select the processing options to run on the evidence
     • Click the Evidence Discovery icon to specify the location of the File Identification File, if one is to be used
     • Click the Evidence Refinement (Advanced) icon to select the custom file identification file to use on this case
     • Click the Index Refinement (Advanced) icon to select which types of evidence not to index
     • Click OK
     Mark the Open the Case check box to see the case after clicking OK to close the New Case Options dialog
     Click OK
  46. Evidence Processing Options
  47. Selecting Data Carving Options
     Select Data Carve
     Click Carving Options
     Mark the Exclude KFF Ignorables box to specify that those files are not to be carved
     Select the types of files to be carved
     • Click Select All to select all file types to be carved
     • Click Clear All to unselect all file types
     • Select individual file types by marking the checkboxes
     Define the limiting factors to be applied to each file
     • Define the minimum byte file size for the selected type
     • Define the minimum pixel height for graphic files
     • Define the minimum pixel width for graphic files
     Click OK
  48. Selecting Evidence Discovery Options
  49. Selecting Evidence Refinement (Advanced) Options
     Click the Evidence Refinement (Advanced) icon in the left pane
     The Evidence Refinement (Advanced) dialog is organized into two tabs:
     • Refine Evidence by File Status/Type
     • Refine Evidence by File Date/Size
     Click the corresponding tab to access the desired refinement type
     Set the needed refinements for the current evidence item
     To reset the menu to the default settings, click Reset
  50. Selecting Evidence Refinement (Advanced) Options
  51. Selecting Index Refinement (Advanced) Options
     Click Index Refinement (Advanced) in the left pane
     The Index Refinement (Advanced) dialog is organized into two tabs:
     • Refine Index by File Status/Type
     • Refine Index by File Date/Size
     Click the corresponding tab to access the desired refinement type
     Set the refinements for the current evidence item
     To reset the menu to the default settings, click Reset
  52. Selecting Index Refinement (Advanced) Options
  53. Refining an Index by File Date/Size
  54. Adding Evidence
     Click Add; the Select Evidence Type dialog appears
     Select the type of evidence item to add to the case at this time
     Click OK
     Browse to the evidence item to add > Select the item(s) > Click Open
     Complete the Manage Evidence dialog
  55. Backing Up the Case
     In the Case Manager window, click Case > Backup
     Select an archive folder location
     Click Save
  56. Restoring a Case
     In the Case Manager window, click Case > Restore
     Browse to and select the archive folder to be restored
     Click OK
  57. Deleting a Case
     In the Case Manager window, highlight the case to delete from the database
     Click Case > Delete
     Click Yes to confirm deletion
  58. Working with Cases
  59. Opening an Existing Case
     Log on to FTK 2.1
     Double-click the case you want to open, or highlight the case and click Case > Open
  60. Adding Evidence
     1. Click Add to choose the type of evidence items to insert into a new case
     2. Mark the type of evidence to add, then click OK
     3. Browse to and select the evidence item from the stored location
     4. Click OK
     5. Fill in the ID/Name field with any specific ID or Name data applied to this evidence for this case
     6. Use the Description field to enter a description of the evidence being added
     7. In the Time Zone field, select the time zone of the location where the evidence was seized
  61. Adding Evidence
     8. Click Refinement Options to open the Refinement Options dialog, which offers a set of options similar to the Refinement Options set at case creation
  62. Adding Evidence
     9. Click OK to accept the settings and to exit the Manage Evidence dialog
     10. Select the KFF Options button to display the KFF Admin dialog
     11. Click Done to accept the settings and return to the Manage Evidence dialog
     12. Click Language Settings to change the codepage for the language in which to view the evidence
     13. Click OK to add and process the evidence
  63. Selecting a Language
     Click Language Settings
  64. Additional Analysis
     Click Evidence > Additional Analysis
  65. Properties Tab
     The Properties pane is organized into the following sections:
     • General Info
     • File Attributes
     • File Content Info
  66. The Hex Interpreter Tab
     Switch the File Content pane to Hex view
     Select one to eight couplets
  67. The Hex Interpreter Tab
     Right-click the Hex view to see a context menu with more options
     Click Save Selection as carved file to manually carve data from files, and use the Go To Offset dialog to specify offset amounts and origins
     Click OK to close the Go To Offset dialog
  68. Using the Bookmark Information Pane
     Bookmarks help organize the case evidence by grouping related or similar files
  69. Creating a Bookmark
     Right-click the files or thumbnails and click Create Bookmark, or click the Bookmark button on the File List toolbar, to open the Create New Bookmark dialog
  70. Creating a Bookmark
     Enter a name for the bookmark in the Bookmark Name field
     (Optional) In the Bookmark Comment field, type comments about the bookmark or its contents
     Click one of the following options to specify which items to add to the bookmark:
     • All Highlighted: highlighted items from the current file list; items remain highlighted only as long as the same tab is displayed
     • All Checked: all items checked in the case
     • All Listed: bookmarks the contents of the File List
     (Optional) Type a description for each file in the File Comment field
  71. Creating a Bookmark
     Click Attach to add files external to the case that should be referenced from this bookmark
     For FTK to remember the highlighted text in a file and automatically highlight it when the bookmark is re-opened, check Bookmark Selection in File
     Select the parent bookmark under which you would like to save the bookmark
     Click OK
  72. Bookmarking Selected Text
     Open the file containing the text you want to select
     From the Natural, Text, Filtered or Hex view, click Create Bookmark in the File List toolbar to open the Create New Bookmark dialog
     When creating your bookmark, check Bookmark Selection in File
  73. Adding Evidence to an Existing Bookmark
     Right-click the new file
     Click Add to Bookmark
     Select the parent bookmark
     Select the child bookmark to which to add the file
     Click OK
  74. Moving a Bookmark
     From either the Bookmark or Overview tab, select the bookmark you want to move
     Using the left or right mouse button, drag the bookmark to the desired location and release the mouse button
  75. Removing a Bookmark
     In the Bookmark tab, expand the bookmark list and highlight the bookmark to be removed
     Press the Delete key
  76. Deleting Files from a Bookmark
     Right-click the file in the Bookmark File List
     Select Remove from Bookmark
  77. Verifying Drive Image Integrity
     Select Tools > Verify Image Integrity to open the Verify Image Integrity dialog
     Click either Calculate or Verify, according to what is displayed in the Command column, to begin hashing the evidence file
  78. Copying Information From FTK
     In the file list on any tab, select the files that you want to copy information about
     Select Edit > Copy Special, click the Copy Special button on the file list pane, or right-click the file in the file list and click Copy Special
     In the Copy Special dialog, you can select the options: Choose Columns, Include header row, All Highlighted, All Checked, Currently Listed, All
  79. Copying Information From FTK
     In the Choose Columns drop-down list, select the column template that contains the file information that you want to copy
     To define a new column settings template, click Column Settings to open the Column Settings manager
     • Create the column settings template you need
     • Click Save to save the changes made
     • Close the Column Settings manager
     • Select the new column settings template from the drop-down list
     Click OK to initiate the Copy Special task
  80. Exporting File List Info
     Select File > Export File List Info
     Select the File List Items to Export
     Choose whether to include a header row in the exported file
     Select column information
     Specify the filename for the exported information
     Browse to and select the destination folder for the exported file
     Click Save
  81. Exporting the Word List
     Select File > Export Word List
     Select the file and location to which you want to write the word list
     Click Save
  82. Creating a Fuzzy Hash Library
     Fuzzy hashing is a tool which provides the ability to compare two distinctly different files and determine a fundamental level of similarity
     Tools > FuzzyHash > Manage Library
  83. Selecting Fuzzy Hash Options During Initial Processing
     After choosing to create a new case, click Detailed Options
  84. Selecting Fuzzy Hash Options During Initial Processing
     Select FuzzyHash
     • (Optional) If FTK already refers to a fuzzy hash library, choose to match new evidence against the existing library by selecting Match Fuzzy Hash Library
     • Click FuzzyHash Options to set additional options for fuzzy hashing
     • Set the size of files to hash; the size defaults to 20 MB, and 0 indicates no limit
     • Click OK to set the value
     Select OK to close the Detailed Options dialog
  85. Additional Analysis Fuzzy Hashing
     Click Evidence > Additional Analysis
  86. Additional Analysis Fuzzy Hashing
     Select FuzzyHash
     • (Optional) Select whether the evidence needs to be matched against the fuzzy hash library
     • (Optional) If performing this additional analysis after adding new information, the fuzzy hashing can be done again against previously processed items
     • (Optional) Click Fuzzy Hash Options to open the Fuzzy Hash Options dialog
     • Set the file size limit on the files to be hashed
     • Click OK
     Click OK to close the Additional Analysis dialog and begin the fuzzy hashing
  87. Comparing Files Using Fuzzy Hashing
     Tools > Fuzzy Hash > Find Similar Files
  88. Viewing Fuzzy Hash Results
     To view the fuzzy hash results in FTK, several pre-defined column settings can be selected in the Column Settings field under the Common Features category
     Those settings are:
     • Fuzzy Hash
     • Fuzzy Hash block size
     • Fuzzy Hash library group
     • Fuzzy Hash library score
     • Fuzzy Hash library status
  89. Searching a Case
  90. Conducting A Live Search
     In the Live Search tab, click the Text, Pattern, or Hex tab
     Click to select the needed sets
     Click to include EBCDIC, Mac, and Multibyte as needed
     Click OK to close the dialog
     Click to mark Case Sensitive
     Enter the term in the Search Term field
  91. Conducting A Live Search
     Click Add to add the term to the Search Terms window
     Click Clear to remove all search terms
     In the Max Hits Per File field, enter the maximum number of times you want a search hit to be listed per file; the default is 200
     (Optional) Apply a filter from the drop-down list; applying a filter speeds searching by eliminating items that do not match the filter
     Click Search
     Select the results to see from the Live Search Results pane
  92. Customizing the Live Search Tab
     Change the order of the Live Search tabs by dragging and dropping them into the desired order; the following figure shows the Live Search tabs
  93. Documenting Search Results
     Right-click an item in the Search Results list to open the quick menu with the following options:
     • Copy to Clipboard: copies the selected data to the clipboard, from where it can be copied to another Windows application, such as an Excel spreadsheet
     • Export to File: copies the information to a file; select the name and location for the information file
  94. Using Copy Special to Document Search Results
     Find that file highlighted in the File List view
     Right-click the desired file
     Select Copy Special
     In the Copy Special dialog, under Choose Columns, click the drop-down to select the column definition to use, or click Column Settings to define a new column template
     • Modify the column template in the Column Settings Manager
     Mark Include Header Row if you want a header row included in the exported file
     Under File List Items to Copy, select from All Highlighted, All Checked, Currently Listed, or All to specify which files you want the Copy Special to apply to
     Click OK
  95. Using Copy Special to Document Search Results (cont’d)
  96. Bookmarking Search Results
     Select the files you want to include in the bookmark
     Right-click the selected files, then select Create Bookmark
     Complete the Create New Bookmark dialog
     Click OK
  97. Data Carving
  98. Data Carving
     Data carving can be done when adding evidence to a case, or by clicking Evidence > Additional Analysis > Data Carve from within a case
     Search for the following file types:
     • AOL Bag Files
     • BMP Files
     • EMF Files
     • GIF Files
     • HTML Files
     • JPEG Files
     • Link Files
     • PDF Files
     • OLE Archive Files (Office Documents)
     • PNG Files
  99. Data Carving Files in an Existing Case
     Select Evidence > Additional Analysis
     Check Data Carve
     Click Carving Options
     Set the data carving options to use
     Click OK to close the Carving Options dialog
     Select the target items to carve data from
     Click OK
  100. Using Filters
  101. Creating a Filter
     Select Unfiltered from the Select a Filter drop-down menu
     Click Filter > New, or click Define on the Filter toolbar
     Type a name and a short description of the filter
     Select a property from the drop-down menu
     Select an operator from the Operators drop-down menu
     Select the applicable criteria from the Criteria drop-down menu
     Select the Match Any operator to filter out data that satisfies any one of the filter rules
     Click Save
  102. Refining a Filter
     Select the filter you want to modify from the Filter drop-down list
     Click Define
     To make your filters more precise, click the Plus (+) button to add a rule, or the Minus (–) button to remove one
     When you are satisfied with the filter you have created or modified, click Save, then Close
  103. Deleting a Filter
     Select the filter to delete from the Filter drop-down menu list
     Click Filter > Delete, or click the Delete Filter button on the Filter toolbar
     Confirm the deletion
  104. 104. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Decrypting Encrypted Files
  105. 105. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Decrypting Files and Folders Click Tools > Decrypt Files
  106. 106. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Decrypting Files and Folders (cont’d) Type a password in the Password box Mark Permanently Mask to display the password in the Saved Passwords list as asterisks, hiding the actual password Click Save Password to save the password into the Saved Password List Mark Attempt Blank Password to decrypt files with no password, or whose password is blank Click Decrypt to begin the decryption process Click Cancel to return to the case
  107. 107. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Viewing Decrypted Files Click File Status > Decrypted Files
  108. 108. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Decrypting Domain Account EFS Files Create a new case with no evidence added From the main menu, click Evidence > Add/Remove
  109. 109. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Decrypting Domain Account EFS Files Click Add Select Individual File Click OK Navigate to the PFX file (domain recovery key) or type the full path and filename into the File Name field of the Open dialog Click Open Click No when the application asks if you want to create an image of the evidence you are adding Select the proper time zone for the PFX file from the Time Zone drop-down list in the Manage Evidence window, and click OK
  110. 110. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Decrypting Credant Files Click Tools > Credant Decryption
  111. 111. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Decrypting Safeguard Utimaco Files Safeguard Utimaco is a full-disk encryption program
112. Working with Reports
113. Creating a Report
• Enter basic case information
• Select the properties of bookmarks
• Decide how to handle graphics
• Decide whether to add a file path list
• Decide whether to add a file properties list
• Select the properties of the file properties list
• Add the Registry Viewer sections
114. Saving Settings
To export report settings, do the following:
• Click Export; the Export Selections dialog opens
• Check the sections whose settings you want to export
• Click OK
• Type a name for the settings file
• Click OK to save the settings as an .XML file
To import settings into a new report in another case, perform the following steps:
• Open a different case
• Click File > Report > Import
• Browse to and select the settings file you want to import
• Click Open to import the settings file into your current case and report
115. Entering Basic Case Information
To add a Case Information entry, do the following:
• Click Add
• Provide a label and a value for the new entry
To remove a Case Information entry, do the following:
• Highlight the entry line to be removed
• Click Remove
116. Including Bookmarks
117. Including Graphics
118. Selecting a File Path List
119. Selecting a File Properties List
120. Registry Selections
121. Selecting the Report Location
• Type the folder to save the report to, or use the Browse button to find a location
• Use the drop-down arrow to select the output language of the report
• Indicate the output format in which to publish the report
• Select the optional Export Options for the report:
  • Use object identification number for filename
  • Append extension to filename if bad/absent
• When the output selections have been made, click OK to generate the report
122. HTML Case Report
123. PDF Report
124. Customizing the Interface
125. Creating Custom Tabs
• Click View > Tab Layout > Add
• Enter a name for the new tab and click OK
• From the View menu, select the features you need in your new tab
• When satisfied with your new tab’s content, click Save to save the current tab’s settings, or click View > Tab Layout > Save
• (Optional) Click View > Tab Layout > Save All to save all changed and added features
• To remove tabs, click View > Tab Layout > Remove
126. Customizing File List Columns
To export column settings to an .xml file, do the following:
• Click Export
• Select a folder and provide a filename for the exported column settings file
• Click Save
To import a column settings file, do the following:
• From the Column Settings dialog, click Import
• Find and select the column settings .xml file
• Click Open
127. Creating and Modifying Column Settings
• Right-click a heading in the File List, or click the Column Settings button, to open the Manage Columns context menu
• Click Column Settings; the Column Settings dialog opens
• From the Available Columns pane, select a category from which to use a column heading
• Add the entire contents of a category, or expand the category to select individual headings
128. Summary
• FTK is a court-validated platform that delivers cutting-edge analysis, decryption and password cracking within a customizable interface
• Create images, analyze the registry, conduct an investigation, decrypt files, crack passwords, identify steganography, and build a report, all with a single solution
• The advanced data carving engine carves allocated and unallocated data and lets you specify criteria, such as file size, data type and pixel size, to reduce the amount of irrelevant data carved while increasing overall thoroughness
• FTK can be set up in three different configurations
• Fuzzy hashing is a tool that provides the ability to compare two distinctly different files and determine a fundamental level of similarity
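The summary describes the carving engine in terms of criteria (file size, data type, pixel size) applied to data recovered from allocated and unallocated space. The following is an added example, not code from AccessData or from this module, showing what such signature-based carving with post-carve filtering looks like in practice. The "disk image" is a constructed byte string standing in for unallocated space, and the PNG and JPEG blobs in it are synthetic (placeholder CRCs, no real pixel data); the only structure the carver relies on is the header and footer signatures and, for PNG, the width and height fields of the IHDR chunk.

```python
"""Signature-based file carving with size and pixel-dimension criteria.

Added example; not AccessData FTK code. A constructed byte string stands in
for unallocated disk space. Files are located by header/footer signature and
then filtered by file size and, where the format exposes them, image
dimensions (PNG IHDR width/height).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# header, footer pairs for the two data types carved here
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int          # byte offset of the header in the image
    size: int            # bytes from header to end of footer
    width: Optional[int] = None
    height: Optional[int] = None


def png_dimensions(data: bytes) -> Optional[Tuple[int, int]]:
    """Read width/height from the IHDR chunk, which directly follows the 8-byte signature."""
    if len(data) < 24 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> List[CarvedFile]:
    """Find every header and pair it with the nearest footer within max_size bytes."""
    results: List[CarvedFile] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1      # orphan header (no footer in range): skip it
                continue
            end += len(footer)
            blob = image[start:end]
            cf = CarvedFile(kind, start, len(blob))
            if kind == "png":
                dims = png_dimensions(blob)
                if dims:
                    cf.width, cf.height = dims
            results.append(cf)
            pos = end
    results.sort(key=lambda c: c.offset)
    return results


def filter_carved(files: List[CarvedFile], min_size: int = 0,
                  max_size: Optional[int] = None, min_pixels: int = 0) -> List[CarvedFile]:
    """Apply size and pixel criteria. Files whose dimensions are unknown are kept,
    since the pixel criterion cannot be evaluated for them."""
    kept = []
    for f in files:
        if f.size < min_size or (max_size is not None and f.size > max_size):
            continue
        if min_pixels and f.width is not None and f.width * f.height < min_pixels:
            continue
        kept.append(f)
    return kept


def make_png(width: int, height: int, payload: bytes) -> bytes:
    """Constructed PNG-shaped blob: real signature, IHDR and IEND, placeholder CRCs."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return (SIGNATURES["png"][0] + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00" * 4
            + payload + struct.pack(">I", 0) + SIGNATURES["png"][1])


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': two PNGs, one JPEG and one orphan JPEG header."""
    noise = b"\x00" * 64
    small_png = make_png(4, 4, b"\x11" * 20)        # 65 bytes, 16 pixels
    jpeg = b"\xff\xd8\xff\xe0JFIF" + b"\x33" * 100 + b"\xff\xd9"   # 110 bytes
    big_png = make_png(640, 480, b"\x22" * 300)     # 345 bytes
    orphan = b"\xff\xd8\xff\xe1" + b"\x44" * 30     # header with no footer
    return noise + small_png + noise + jpeg + noise + big_png + noise + orphan + noise


if __name__ == "__main__":
    found = carve(build_sample_image())
    for f in found:
        print(f)
    print("pixel filter:", [f.offset for f in filter_carved(found, min_pixels=1000)])
    print("size filter:", [f.offset for f in filter_carved(found, max_size=200)])
```

Running the block carves three files (the orphan header is skipped because no footer follows it within the window); the pixel criterion drops the 4x4 PNG while leaving the JPEG, whose dimensions this simplified carver does not parse, and the size criterion drops the large PNG. A production engine additionally validates internal structure so that a stray footer belonging to a different file does not produce a truncated or oversized carve.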