  • 1. Module XVIII – Forensic Investigation Using AccessData FTK
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    Module Objective
    This module will familiarize you with:
    • Forensic Toolkit (FTK)
    • Installation of FTK
    • Starting with FTK
    • Working with FTK
    • Working with Cases
    • Searching a Case
    • Data Carving
    • Using Filters
    • Decrypting Encrypted Files
    • Working with Reports
    • Customizing the Interface
  • 3. Module Flow
    Forensic Toolkit (FTK) → Installation of FTK → Starting with FTK → Working with FTK → Working with Cases → Searching a Case → Data Carving → Using Filters → Decrypting Encrypted Files → Working with Reports → Customizing the Interface
  • 4. Forensic Toolkit (FTK®)
    AccessData describes Forensic Toolkit® (FTK®) as the standard in computer forensic investigation technology. This court-validated platform delivers analysis, decryption and password cracking within an intuitive, customizable and user-friendly interface. FTK gives you the option of a back-end database for handling large data sets, or of working without one when application simplicity is the goal (the FTK 2.1 installation covered in this module always uses the Oracle database).
  • 5. Features of FTK
    An Integrated Solution
    • Create images, analyze the registry, conduct an investigation, decrypt files, crack passwords, identify steganography, and build a report, all within a single solution
    • Recover passwords from over 80 applications; harness idle CPUs across the network to decrypt files and perform robust dictionary attacks
    • KFF (Known File Filter) hash library with 45 million hashes
    Embedded Oracle Database and Powerful Searching
    Powerful Processing and Speed
    Intuitive Interface and Rich Functionality
  • 6. Installation of FTK
  • 7. Software Requirement
    The software required to run AccessData Forensic Toolkit (FTK) 2.1:
    • CodeMeter 3.30a Runtime software for the CodeMeter Stick (the licensing dongle)
    • Oracle 10g Database
    • FTK Program
    Additional programs that aid in processing cases:
    • FTK Known File Filter (KFF) Library
    • AccessData LanguageSelector
    • AccessData LicenseManager
  • 8. Installing FTK
    FTK can be set up in three different configurations:
    • Single Machine
    • Separate Machines
    • Separate Machines with a pre-installed Oracle
  • 9. FTK Installation
    Insert the FTK 2.1 DVD into the drive and click Install Forensic Toolkit 2.1
  • 10. CodeMeter Stick Installation
    Follow the directions for installation, accepting all defaults, and click Finish to complete the installation
  • 11. Oracle Installation
    1. Launch the Oracle installer
    2. Click Next
    3. Read the license agreement, agree to it, and click Next
  • 12. Oracle Installation (cont’d)
    4. Wait for the installer to configure the installation
    5. Select the installation drive letter and click Next
    6. Agree to the Oracle Admin Password Agreement and click Next
  • 13. Oracle Installation (cont’d)
    7. Provide an Oracle System Administrator password and click Submit
    8. Wait for the installation and configuration to finish
    9. Click Finish to end the installation process
  • 14. Single Computer Installation
    1. Click Install FTK 2.1
    2. Click Next
    3. Read and accept the AccessData license agreement and click Next
    4. Select the location for the FTK components
  • 15. Choosing an Evidence Server
    Select this computer if the evidence files are stored on a volume of the computer running FTK, or on another computer that is not part of a domain. If the evidence is stored elsewhere on a domain network, set up access to the evidence storage computer by choosing another computer on the network. Click Next.
  • 16. Installing the KFF Library
    1. Click Install KFF Library
    2. Click Next
    3. Accept the KFF license agreement and click Next
    4. Allow the installation to progress
    5. Click Finish to end the installation
  • 17. Installing on Separate Computers
    The installer offers the same four components as above (1 CodeMeter, 2 Oracle, 3 FTK, 4 KFF Library); run them in the order 2, 4, 1, 3. Perform steps 2 and 4 (Oracle and the KFF Library) on the computer that will run Oracle, and steps 1 and 3 (CodeMeter and the FTK program) on the computer designated to run the FTK program.
  • 18. Starting with FTK
  • 19. Starting FTK
    Start > All Programs > AccessData > Forensic Toolkit > AccessData Forensic Toolkit 2.1
  • 20. Setting Up the Application Administrator
    Database > Add User
  • 21. Case Manager Window
    After logging in, the FTK Case Manager window appears with the following menus:
    • File
    • Database
    • Case
    • Tools
    • Help
  • 22. Toolbar Components
    The FTK interface provides a toolbar for applying QuickPicks and filters to the case
  • 23. Toolbar Components (cont’d)
  • 24. Properties Pane
  • 25. Hex Interpreter Pane
  • 26. Web Tab
  • 27. Filtered Tab
  • 28. Text Tab
  • 29. Hex Tab
  • 30. Explore Tab
  • 31. QuickPicks Filter
  • 32. Data Processing Status Dialog
    Data Processing Status: In Progress
    Data Processing Status: Successfully Completed
  • 33. Overview Tab
  • 34. Email Tab
  • 35. Graphics Tab
  • 36. Thumbnails Pane
  • 37. Bookmarks Tab
  • 38. Live Search Tab
  • 39. Index Search Tab
  • 40. Creating Tabs
  • 41. Launching FTK
    Click Start > All Programs > AccessData > Forensic Toolkit > AccessData Forensic Toolkit 2.1
    Log in using the case-sensitive user name and password provided by the application administrator
  • 42. Launching FTK (cont’d): Adding a User
    Click Database > Add User to open the Add New User dialog
    Enter a user name
    Enter the full name of the user as it is to appear in reports
    Assign a role
    Enter a password, then verify the password
    Click OK to save the new user and close the dialog
  • 43. Working with FTK
  • 44. Creating a Case
    Launch FTK 2.1, log in, and open the Case Manager window
    Click Case > New
    Enter a name for the case in the Case Name field
    Enter the specific reference information in the Reference field
    Enter a short description of the case in the Description field
    To store the case in a different location, click the browse button
  • 45. Creating a Case (cont’d)
    Click Detailed Options to choose settings for the case:
    • Click the Evidence Processing icon in the left pane and select the processing options to run on the evidence
    • Click the Evidence Discovery icon to specify the location of the File Identification File, if one is to be used
    • Click the Evidence Refinement (Advanced) icon to choose which evidence items to include, by file status/type and by file date/size
    • Click the Index Refinement (Advanced) icon to select which types of evidence not to index
    • Click OK
    Mark the Open the Case check box to open the case as soon as you click OK to close the New Case Options dialog
    Click OK
  • 46. Evidence Processing Options
  • 47. Selecting Data Carving Options
    Select Data Carve, then click Carving Options
    Mark the Exclude KFF Ignorables box so that files the KFF library identifies as ignorable are not carved
    Select the types of files to be carved:
    • Click Select All to select all file types to be carved
    • Click Clear All to unselect all file types
    • Select individual file types by marking their checkboxes
    Define the limiting factors applied to each file type:
    • the minimum file size in bytes for the selected type
    • the minimum pixel height for graphic files
    • the minimum pixel width for graphic files
    Click OK
  • 48. Selecting Evidence Discovery Options
  • 49. Selecting Evidence Refinement (Advanced) Options
    Click the Evidence Refinement (Advanced) icon in the left pane
    The Evidence Refinement (Advanced) dialog is organized into two tabs:
    • Refine Evidence by File Status/Type
    • Refine Evidence by File Date/Size
    Click the corresponding tab to access the desired refinement type
    Set the needed refinements for the current evidence item
    To reset the menu to the default settings, click Reset
  • 50. Selecting Evidence Refinement (Advanced) Options (cont’d)
  • 51. Selecting Index Refinement (Advanced) Options
    Click Index Refinement (Advanced) in the left pane
    The Index Refinement (Advanced) dialog is organized into two tabs:
    • Refine Index by File Status/Type
    • Refine Index by File Date/Size
    Click the corresponding tab to access the desired refinement type
    Set the refinements for the current evidence item
    To reset the menu to the default settings, click Reset
  • 52. Selecting Index Refinement (Advanced) Options (cont’d)
  • 53. Refining an Index by File Date/Size
  • 54. Adding Evidence
    Click Add; the Select Evidence Type dialog appears
    Select the type of evidence item to add to the case at this time
    Click OK
    Browse to the evidence item, select the item(s), and click Open
    Complete the Manage Evidence dialog
  • 55. Backing Up the Case
    In the Case Manager window, click Case > Backup
    Select an archive folder location
    Click Save
  • 56. Restoring a Case
    In the Case Manager window, click Case > Restore
    Browse to and select the archive folder to be restored
    Click OK
  • 57. Deleting a Case
    In the Case Manager window, highlight the case to delete from the database
    Click Case > Delete
    Click Yes to confirm the deletion
  • 58. Working with Cases
  • 59. Opening an Existing Case
    Log on to FTK 2.1
    Double-click the case you want to open, or highlight the case and click Case > Open
  • 60. Adding Evidence
    1. Click Add to choose the type of evidence item to insert into the case
    2. Mark the type of evidence to add, then click OK
    3. Browse to and select the evidence item from its stored location
    4. Click OK
    5. Fill in the ID/Name field with any specific ID or name assigned to this evidence for this case
    6. Use the Description field to enter a description of the evidence being added
    7. In the Time Zone field, select the time zone of the location where the evidence was seized
  • 61. Adding Evidence (cont’d)
    8. Click Refinement Options to open the Refinement Options dialog, which offers the same set of options as the Refinement Options set at case creation
  • 62. Adding Evidence (cont’d)
    9. Click OK to accept the settings and return to the Manage Evidence dialog
    10. Click the KFF Options button to display the KFF Admin dialog
    11. Click Done to accept the settings and return to the Manage Evidence dialog
    12. Click Language Settings to change the codepage for the language in which to view the evidence
    13. Click OK to add and process the evidence
  • 63. Selecting a Language
    Click Language Settings
  • 64. Additional Analysis
    Click Evidence > Additional Analysis
  • 65. Properties Tab
    The Properties pane is organized into the following sections:
    • General Info
    • File Attributes
    • File Content Info
  • 66. The Hex Interpreter Tab
    Switch the File Content pane to Hex view
    Select one to eight couplets (byte values, two hex digits each) to interpret them
  • 67. The Hex Interpreter Tab (cont’d)
    Right-click the Hex view to see a context menu with more options
    Click Save Selection as carved file to manually carve the selected bytes out of the file; use the Go To Offset dialog to specify an offset amount and its origin
    Click OK to close the Go To Offset dialog
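    What the interpreter pane does with a selection of one to eight bytes is decode the same bytes several ways at once. The following is an added example written for this page, not code from FTK or AccessData; the two sample selections are constructed, and the set of decodings (integers in both byte orders, 32-bit Unix time, 64-bit Windows FILETIME) is an assumed subset of what a hex-interpreter pane shows.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample selections (not from a real case). Both decode to
# 2009-01-01 00:00:00 UTC when read little-endian: the first as a 64-bit
# Windows FILETIME, the second as a 32-bit Unix timestamp.
SAMPLE_FILETIME = bytes.fromhex("0040a7e3a36bc901")
SAMPLE_UNIX = bytes.fromhex("80075c49")


def interpret(selection: bytes) -> dict:
    """Interpret 1 to 8 selected bytes the way a hex-interpreter pane does:
    as unsigned and signed integers in both byte orders and, where the
    length fits, as a 32-bit Unix time or a 64-bit Windows FILETIME
    (little-endian, the order NTFS and the registry store them in)."""
    if not 1 <= len(selection) <= 8:
        raise ValueError("select between one and eight bytes")
    out = {
        "uint_le": int.from_bytes(selection, "little"),
        "uint_be": int.from_bytes(selection, "big"),
        "int_le": int.from_bytes(selection, "little", signed=True),
        "int_be": int.from_bytes(selection, "big", signed=True),
    }
    if len(selection) == 4:
        try:
            out["unix_time_le"] = datetime.fromtimestamp(out["uint_le"], tz=timezone.utc)
        except (OverflowError, OSError, ValueError):
            out["unix_time_le"] = None  # value is not a plausible timestamp
    if len(selection) == 8:
        # FILETIME counts 100-ns intervals since 1601-01-01. Values past the
        # year 9999 overflow datetime, which is as good a "not a date" test as any.
        try:
            out["filetime_le"] = FILETIME_EPOCH + timedelta(microseconds=out["uint_le"] // 10)
        except OverflowError:
            out["filetime_le"] = None
    return out


if __name__ == "__main__":
    for name, sel in (("FILETIME", SAMPLE_FILETIME), ("Unix", SAMPLE_UNIX)):
        print(name, sel.hex(" "))
        for key, value in interpret(sel).items():
            print(f"  {key:14} {value}")
```

    The signed and unsigned readings of the same bytes differ only when the top bit is set, which is exactly the case an examiner most needs to notice (a "negative" file size or a date decades in the future usually means the wrong width or byte order was chosen).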
  • 68. Using the Bookmark Information Pane
    Bookmarks organize the case evidence by grouping related or similar files
  • 69. Creating a Bookmark
    Right-click the files or thumbnails and click Create Bookmark, or click the Bookmark button on the File List toolbar, to open the Create New Bookmark dialog
  • 70. Creating a Bookmark (cont’d)
    Enter a name for the bookmark in the Bookmark Name field
    (Optional) In the Bookmark Comment field, type comments about the bookmark or its contents
    Click one of the following options to specify which items to add to the bookmark:
    • All Highlighted: highlighted items from the current file list; items remain highlighted only as long as the same tab is displayed
    • All Checked: all items checked in the case
    • All Listed: the contents of the File List
    (Optional) Type a description for each file in the File Comment field
  • 71. Creating a Bookmark (cont’d)
    Click Attach to add files external to the case that should be referenced from this bookmark
    For FTK to remember the highlighted text in a file and highlight it again when the bookmark is reopened, check Bookmark Selection in File
    Select the parent bookmark under which to save the bookmark
    Click OK
  • 72. Bookmarking Selected Text
    Open the file containing the text you want to select
    From the Natural, Text, Filtered or Hex view, click Create Bookmark in the File List toolbar to open the Create New Bookmark dialog
    When creating the bookmark, check Bookmark Selection in File
  • 73. Adding Evidence to an Existing Bookmark
    Right-click the new file
    Click Add to Bookmark
    Select the parent bookmark
    Select the child bookmark to which the file should be added
    Click OK
  • 74. Moving a Bookmark
    From either the Bookmark or the Overview tab, select the bookmark you want to move
    Using the left or right mouse button, drag the bookmark to the desired location and release the mouse button
  • 75. Removing a Bookmark
    In the Bookmark tab, expand the bookmark list and highlight the bookmark to be removed
    Press the Delete key
  • 76. Deleting Files from a Bookmark
    Right-click the file in the Bookmark File List
    Select Remove from Bookmark
  • 77. Verifying Drive Image Integrity
    Select Tools > Verify Image Integrity to open the Verify Image Integrity dialog
    Click either Calculate or Verify, according to what the Command column displays, to begin hashing the evidence file. Verify is offered for image formats that store the hash computed at acquisition, so FTK can compare the recomputed value against it; Calculate is offered for formats that store no hash (a raw dd image, for example), and you must compare the result yourself with the hash recorded in the acquisition notes.
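    Both the Calculate case on this slide and the KFF lookups mentioned in slides 5, 47 and 62 come down to the same operation: hash the bytes in fixed-size chunks and compare the digest with a recorded value. The following is an added example written for this page, not code from FTK; the digests it checks against are the standard MD5/SHA-1 test vectors for the string "abc", the temporary "image" it writes is constructed, and the alert/ignore hash sets are stand-ins for the two kinds of KFF list, not the real KFF library.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads, so multi-gigabyte images never sit in memory


def hash_file(path, algorithms=("md5", "sha1")):
    """Read the file once and feed every chunk to each requested digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare the image's current digests with the values recorded at
    acquisition. expected maps algorithm name -> hex digest (any case).
    Returns (all_match, per-algorithm detail) so a mismatch can be reported
    by algorithm rather than as a bare False."""
    actual = hash_file(path, tuple(expected))
    detail = {}
    for name, recorded in expected.items():
        detail[name] = {"expected": recorded.lower(), "actual": actual[name],
                        "match": actual[name] == recorded.lower()}
    return all(d["match"] for d in detail.values()), detail


def kff_status(md5_digest, alert_hashes, ignore_hashes):
    """Classify a file hash the way a KFF lookup does: 'alert' for hashes on a
    notable-file list, 'ignore' for known operating-system/application files,
    'unknown' otherwise. Alert wins if a hash is somehow on both lists."""
    digest = md5_digest.lower()
    if digest in alert_hashes:
        return "alert"
    if digest in ignore_hashes:
        return "ignore"
    return "unknown"


def write_temp(data):
    """Write constructed sample bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed "image": the bytes 'abc', whose MD5 and SHA-1 are published
    # test vectors. In practice these values come from the acquisition log.
    path = write_temp(b"abc")
    acquisition_log = {"md5": "900150983cd24fb0d6963f7d28e17f72",
                       "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}
    ok, detail = verify_image(path, acquisition_log)
    print("image intact:", ok)
    for name, d in detail.items():
        print(f"  {name}: expected {d['expected']} got {d['actual']} match={d['match']}")
    os.remove(path)
```

    Hashing with two algorithms in one pass costs almost nothing extra over one, and it is worth doing because MD5 alone is what most older acquisition logs (and the KFF library of this era) record while SHA-1 is what a court may later ask for.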
  • 78. Copying Information from FTK
    In the file list on any tab, select the files whose information you want to copy
    Select Edit > Copy Special, click the Copy Special button on the File List pane, or right-click the file in the file list and click Copy Special
    In the Copy Special dialog you can set the options Choose Columns, Include Header Row, and the scope: All Highlighted, All Checked, Currently Listed, or All
  • 79. Copying Information from FTK (cont’d)
    In the Choose Columns drop-down list, select the column template that contains the file information you want to copy
    To define a new column settings template, click Column Settings to open the Column Settings manager:
    • Create the column settings template you need
    • Click Save to save the changes
    • Close the Column Settings manager
    • Select the new column settings template from the drop-down list
    Click OK to start the Copy Special task
  • 80. Exporting File List Info
    Select File > Export File List Info
    Select the File List items to export
    Choose whether to include a header row in the exported file
    Select the column information to include
    Specify the filename for the exported information
    Browse to and select the destination folder for the exported file
    Click Save
  • 81. Exporting the Word List
    Select File > Export Word List
    Select the file and location to which to write the word list (the words indexed from the case, usable as a dictionary for password attacks)
    Click Save
  • 82. Creating a Fuzzy Hash Library
    Fuzzy hashing compares two files that are not byte-for-byte identical and reports a degree of similarity between them, where a conventional hash (MD5, SHA-1) only reports whether they are exactly the same
    Tools > Fuzzy Hash > Manage Library
  • 83. Selecting Fuzzy Hash Options During Initial Processing
    After choosing to create a new case, click Detailed Options
  • 84. Selecting Fuzzy Hash Options During Initial Processing (cont’d)
    Select Fuzzy Hash
    • (Optional) If FTK already refers to a fuzzy hash library, select Match Fuzzy Hash Library to match the new evidence against the existing library
    • Click Fuzzy Hash Options to set additional options for fuzzy hashing
    • Set the maximum size of files to hash; the default is 20 MB, and 0 means no limit
    • Click OK to set the value
    Click OK to close the Detailed Options dialog
  • 85. Additional Analysis: Fuzzy Hashing
    Click Evidence > Additional Analysis
  • 86. Additional Analysis: Fuzzy Hashing (cont’d)
    Select Fuzzy Hash
    • (Optional) Select whether the evidence should be matched against the fuzzy hash library
    • (Optional) If performing this additional analysis after adding new evidence, fuzzy hashing can be run again against previously processed items
    • (Optional) Click Fuzzy Hash Options to open the Fuzzy Hash Options dialog
    • Set the file size limit for the files to be hashed
    • Click OK
    Click OK to close the Additional Analysis dialog and begin fuzzy hashing
  • 87. Comparing Files Using Fuzzy Hashing
    Tools > Fuzzy Hash > Find Similar Files
  • 88. Viewing Fuzzy Hash Results
    To view the fuzzy hash results in FTK, several predefined column settings can be selected in the Column Settings field under the Common Features category:
    • Fuzzy Hash
    • Fuzzy Hash Block Size
    • Fuzzy Hash Library Group
    • Fuzzy Hash Library Score
    • Fuzzy Hash Library Status
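    Why a fuzzy hash has a block size and a score, and why a small edit leaves most of the signature intact, is easiest to see in a deliberately small implementation of context-triggered piecewise hashing. The following is an added example for this page, not FTK's fuzzy-hashing code nor ssdeep: the rolling hash, the 6-bit piece summary and the Levenshtein-based score are the author's own simplifications, and the three sample "files" are constructed from seeded pseudo-random bytes.

```python
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7                                   # bytes covered by the rolling hash
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193
MASK32 = 0xFFFFFFFF


def fuzzy_hash(data: bytes, block_size: int = 64) -> str:
    """Context-triggered piecewise hash (simplified). A rolling hash over the
    last WINDOW bytes decides where each piece ends (about every block_size
    bytes on average), and each piece is summarised as one character of its
    FNV-1a hash. Because boundaries depend only on nearby bytes, an edit
    disturbs the pieces around it and the rest of the signature realigns."""
    if block_size < 2:
        raise ValueError("block_size must be at least 2")
    base = 31
    drop = pow(base, WINDOW, 1 << 32)        # weight of the byte leaving the window
    rolling, piece, chars = 0, FNV_OFFSET, []
    for i, b in enumerate(data):
        piece = ((piece ^ b) * FNV_PRIME) & MASK32
        rolling = (rolling * base + b) & MASK32
        if i >= WINDOW:
            rolling = (rolling - data[i - WINDOW] * drop) & MASK32
        # mix before reducing so the trigger depends on every byte in the window
        if (((rolling * 0x9E3779B1) & MASK32) >> 16) % block_size == block_size - 1:
            chars.append(ALPHABET[piece & 63])
            piece = FNV_OFFSET
    if piece != FNV_OFFSET:                  # flush the trailing partial piece
        chars.append(ALPHABET[piece & 63])
    return f"{block_size}:{''.join(chars)}"


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(h1: str, h2: str) -> int:
    """Score 0..100: how much of the longer signature survives in the other.
    Signatures are only comparable when computed with the same block size."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2:
        raise ValueError("signatures computed with different block sizes are not comparable")
    longest = max(len(s1), len(s2))
    if longest == 0:
        return 100
    return round(100 * (1 - levenshtein(s1, s2) / longest))


def sample_files():
    """Constructed inputs: a pseudo-random 'document', a copy with 32 bytes
    overwritten in the middle, and an unrelated file of the same size."""
    rng = random.Random(1337)
    original = bytes(rng.getrandbits(8) for _ in range(8192))
    edited = original[:4000] + bytes(32) + original[4032:]
    other = random.Random(42)
    unrelated = bytes(other.getrandbits(8) for _ in range(8192))
    return original, edited, unrelated


if __name__ == "__main__":
    original, edited, unrelated = sample_files()
    h = fuzzy_hash(original)
    print("signature:", h)
    print("edited copy  :", similarity(h, fuzzy_hash(edited)))
    print("unrelated    :", similarity(h, fuzzy_hash(unrelated)))
```

    The block size is part of the signature for the same reason FTK exposes it as a column: two signatures only line up when their pieces were cut with the same trigger, which is also why a library score is meaningful only within one library. Real implementations pick the block size from the file length and keep two signatures at adjacent block sizes so files of different lengths can still be compared.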
  • 89. Searching a Case
  • 90. Conducting a Live Search
    In the Live Search tab, click the Text, Pattern, or Hex tab
    Click to select the needed character sets, including EBCDIC, Mac, and Multibyte as needed, then click OK to close the dialog
    Mark Case Sensitive if the search should distinguish upper and lower case
    Enter the term in the Search Term field
  • 91. Conducting a Live Search (cont’d)
    Click Add to add the term to the Search Terms window; click Clear to remove all search terms
    In the Max Hits Per File field, enter the maximum number of hits to list per file; the default is 200
    (Optional) Apply a filter from the drop-down list; a filter speeds up the search by skipping items that do not match it
    Click Search
    Select the results to view from the Live Search Results pane
    Unlike an index search, a live search reads the raw bytes of every item at search time, so it finds terms in unindexed data but takes correspondingly longer
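    The three Live Search modes (text in several encodings, hex pattern, regular-expression pattern) and the Max Hits Per File cap are a few lines of byte-level matching once the encodings are spelled out. The following is an added example for this page, not FTK's search engine; the sample content (an ASCII line, a UTF-16LE string and a JPEG header) is constructed, and the example covers only ASCII and UTF-16LE rather than the full code-page list the Live Search dialog offers.

```python
import re

# Constructed sample content (not from a real case): ASCII text, a UTF-16LE
# string of the kind found in registry and Office data, and a JPEG header.
PART_ASCII = b"Meeting notes: contact bob.smith@example.com before Friday.\n"
PART_UTF16 = "Password list: hunter2".encode("utf-16-le")
PART_BINARY = b"\x00\x00" + bytes.fromhex("ffd8ffe000104a46494600")
SAMPLE = PART_ASCII + PART_UTF16 + PART_BINARY


def live_search(data, term=None, *, hex_pattern=None, regex=None,
                case_sensitive=True, encodings=("ascii", "utf-16-le"), max_hits=200):
    """Byte-level search over unindexed data, mirroring the Live Search tab.
    A text term is tried in each listed encoding, a hex pattern ("FF D8 FF E0")
    matches raw bytes, and a regular expression given as a str is applied to
    the bytes. Hits are returned in offset order, capped at max_hits the way
    "Max Hits Per File" caps them."""
    flags = 0 if case_sensitive else re.IGNORECASE
    patterns = []
    if term is not None:
        for enc in encodings:
            patterns.append((f"text:{enc}", re.compile(re.escape(term.encode(enc)), flags)))
    if hex_pattern is not None:
        patterns.append(("hex", re.compile(re.escape(bytes.fromhex(hex_pattern)))))
    if regex is not None:
        patterns.append(("regex", re.compile(regex.encode("latin-1"), flags)))
    if not patterns:
        raise ValueError("give a term, a hex pattern, or a regex")

    hits = []
    for kind, pattern in patterns:
        for m in pattern.finditer(data):
            hits.append({"offset": m.start(), "kind": kind, "match": m.group(0)})
    hits.sort(key=lambda h: h["offset"])
    return hits[:max_hits]


if __name__ == "__main__":
    for label, kwargs in (("term 'Password'", {"term": "Password"}),
                          ("term 'password', case-insensitive", {"term": "password", "case_sensitive": False}),
                          ("hex FF D8 FF E0", {"hex_pattern": "FF D8 FF E0"}),
                          ("regex e-mail", {"regex": r"[a-z.]+@[a-z.]+"})):
        print(label)
        for hit in live_search(SAMPLE, **kwargs):
            print(f"  offset {hit['offset']:4d} {hit['kind']:16} {hit['match']!r}")
```

    The UTF-16LE hit is the one an ASCII-only search silently misses: every second byte of the string is a NUL, so "Password" never appears as a contiguous ASCII run. That is why the Live Search dialog asks which character sets to include before it asks for the term.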
  • 92. Customizing the Live Search Tab
    Change the order of the Live Search tabs by dragging and dropping them into the desired order
  • 93. Documenting Search Results
    Right-click an item in the Search Results list to open the quick menu with the following options:
    • Copy to Clipboard: copies the selected data to the clipboard, from where it can be pasted into another Windows application such as an Excel spreadsheet
    • Export to File: copies the information to a file; select the name and location for the file
  • 94. Using Copy Special to Document Search Results
    Find the file highlighted in the File List view
    Right-click the desired file
    Select Copy Special
    In the Copy Special dialog, under Choose Columns, open the drop-down and select the column definition to use, or click Column Settings to define a new column template
    • Modify the column template in the Column Settings Manager
    Mark Include Header Row if you want a header row in the exported data
    Under File List Items to Copy, select All Highlighted, All Checked, Currently Listed, or All to specify which files Copy Special should apply to
    Click OK
  • 95. Using Copy Special to Document Search Results (cont’d)
  • 96. Bookmarking Search Results
    Select the files you want to include in the bookmark
    Right-click the selected files and select Create Bookmark
    Complete the Create New Bookmark dialog
    Click OK
  • 97. Data Carving
  • 98. Data Carving
    Data carving recovers files from unallocated space and slack by recognizing their headers and footers rather than relying on file-system metadata. It can be done when adding evidence to a case, or by clicking Evidence > Additional Analysis > Data Carve from within a case
    FTK carves the following file types:
    • AOL Bag Files
    • BMP Files
    • EMF Files
    • GIF Files
    • HTML Files
    • JPEG Files
    • Link Files
    • OLE Archive Files (Office Documents)
    • PDF Files
    • PNG Files
  • 99. Data Carving Files in an Existing Case
    Click Evidence > Additional Analysis
    Check Data Carve
    Click Carving Options
    Set the data carving options to use
    Click OK to close the Carving Options dialog
    Select the target items to carve data from
    Click OK
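    Header/footer carving, together with the minimum-size and minimum-pixel limits from the Carving Options dialog (slide 47), is shown below as an added example written for this page; it is not FTK's carver, it handles only four of the types listed above, and the "unallocated space" it scans is constructed text filler with three tiny hand-built files planted in it (the PNG's CRC fields are dummies).

```python
def _png_dims(buf):
    # IHDR is always the first chunk: width and height are big-endian at offsets 16 and 20
    return int.from_bytes(buf[16:20], "big"), int.from_bytes(buf[20:24], "big")


def _gif_dims(buf):
    # the logical screen descriptor follows the 6-byte "GIF8xa" header, little-endian
    return int.from_bytes(buf[6:8], "little"), int.from_bytes(buf[8:10], "little")


# type -> (header, footer, optional function reading pixel dimensions)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", None),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", _png_dims),
    "gif": (b"GIF8", b"\x00;", _gif_dims),
    "pdf": (b"%PDF-", b"%%EOF", None),
}


def carve(data, types=tuple(SIGNATURES), min_size=0, min_width=0, min_height=0,
          max_size=50 * 1024 * 1024):
    """Scan raw bytes for each selected type's header, take everything up to
    the next footer within max_size as a candidate, then apply the limits from
    the carving options: minimum byte size, and minimum pixel width/height
    for the graphic types whose header exposes them."""
    found = []
    for name in types:
        header, footer, dims = SIGNATURES[name]
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                blob = data[pos:end + len(footer)]
                width = height = None
                if dims is not None:
                    width, height = dims(blob)
                size_ok = len(blob) >= min_size
                dims_ok = width is None or (width >= min_width and height >= min_height)
                if size_ok and dims_ok:
                    found.append({"type": name, "offset": pos, "size": len(blob),
                                  "width": width, "height": height, "data": blob})
            pos = data.find(header, pos + 1)
    found.sort(key=lambda f: f["offset"])
    return found


def build_sample_blob():
    """Constructed 'unallocated space': text filler with a 45-byte PNG (2x3),
    a 120-byte JPEG and a 35-byte GIF (2x2) planted in it. Returns the blob
    and the offset at which each file was planted."""
    filler = b"unallocated slack " * 12
    png = (b"\x89PNG\r\n\x1a\n"
           + (13).to_bytes(4, "big") + b"IHDR" + (2).to_bytes(4, "big") + (3).to_bytes(4, "big")
           + b"\x08\x02\x00\x00\x00" + b"\x00\x00\x00\x00"        # bit depth etc., dummy CRC
           + (0).to_bytes(4, "big") + b"IEND\xaeB`\x82")          # IEND chunk
    jpeg = b"\xff\xd8\xff\xe0" + bytes(range(114)) + b"\xff\xd9"
    gif = (b"GIF89a" + (2).to_bytes(2, "little") + (2).to_bytes(2, "little") + b"\x00\x00\x00"
           + b"," + bytes(range(1, 20)) + b"\x00;")
    offsets = {"png": len(filler),
               "jpeg": 2 * len(filler) + len(png),
               "gif": 3 * len(filler) + len(png) + len(jpeg)}
    return b"".join([filler, png, filler, jpeg, filler, gif, filler]), offsets


if __name__ == "__main__":
    blob, planted = build_sample_blob()
    for f in carve(blob, min_size=16, min_width=1, min_height=1):
        print(f"{f['type']:5} at {f['offset']:5d} size {f['size']:4d} dims {f['width']}x{f['height']}")
```

    Two caveats the slide's checkbox list hides: a footer search stops at the first match, so a JPEG with an embedded EXIF thumbnail (itself ending in FF D9) is truncated unless the carver parses the marker structure, and without a max_size bound a header with no footer would swallow the rest of the evidence. The "Exclude KFF Ignorables" option exists because known system files carve perfectly well and would otherwise bury the interesting hits.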
  • 100. Using Filters
  • 101. Creating a Filter
    Select Unfiltered from the Select a Filter drop-down menu
    Click Filter > New, or click Define on the Filter toolbar
    Type a name and a short description for the filter
    Select a property from the drop-down menu
    Select an operator from the Operators drop-down menu
    Select the applicable criteria from the Criteria drop-down menu
    Choose Match Any if an item should pass the filter when it satisfies any one of the rules; otherwise an item must satisfy every rule
    Click Save
  • 102. Refining a Filter
    Select the filter you want to modify from the Filter drop-down list
    Click Define
    To make the filter more precise, click the Plus (+) button to add a rule, or the Minus (–) button to remove one
    When you are satisfied with the filter you have created or modified, click Save, then Close
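    A filter is a list of (property, operator, criteria) rules combined with either any-of or all-of logic, and it pays to see on a small file list how much the Match Any choice changes the result. The following is an added example written for this page, not FTK's filter engine: the file-list rows are constructed, and the property names and operator set are the author's, not FTK's drop-down contents.

```python
from datetime import date

# Constructed file-list rows (not from a real case)
FILES = [
    {"name": "IMG_0012.jpg", "ext": "jpg", "size": 2_400_000, "modified": date(2008, 11, 3),  "deleted": False, "kff": "unknown"},
    {"name": "budget.xls",   "ext": "xls", "size": 48_000,    "modified": date(2008, 12, 20), "deleted": True,  "kff": "unknown"},
    {"name": "kernel32.dll", "ext": "dll", "size": 1_200_000, "modified": date(2006, 4, 1),   "deleted": False, "kff": "ignore"},
    {"name": "notes.txt",    "ext": "txt", "size": 900,       "modified": date(2009, 1, 15),  "deleted": False, "kff": "unknown"},
    {"name": "holiday.JPG",  "ext": "JPG", "size": 3_100_000, "modified": date(2009, 1, 2),   "deleted": True,  "kff": "unknown"},
]

# operator name -> predicate(value, criteria); assumed names, not FTK's list
OPERATORS = {
    "=": lambda v, c: v == c,
    "!=": lambda v, c: v != c,
    ">": lambda v, c: v > c,
    "<": lambda v, c: v < c,
    "contains": lambda v, c: str(c).lower() in str(v).lower(),
    "equals ignoring case": lambda v, c: str(v).lower() == str(c).lower(),
}


class Filter:
    """A named set of rules. match_any=False requires every rule to hold
    (the default); match_any=True passes an item that satisfies any rule.
    A filter with no rules behaves like 'Unfiltered' and passes everything."""

    def __init__(self, name, rules=(), match_any=False, description=""):
        self.name = name
        self.description = description
        self.rules = [tuple(r) for r in rules]     # (property, operator, criteria)
        self.match_any = match_any

    def add_rule(self, prop, op, criteria):         # the Plus (+) button
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        self.rules.append((prop, op, criteria))

    def remove_rule(self, index):                   # the Minus (-) button
        del self.rules[index]

    def matches(self, item):
        if not self.rules:
            return True
        results = (OPERATORS[op](item[prop], crit) for prop, op, crit in self.rules)
        return any(results) if self.match_any else all(results)

    def apply(self, items):
        return [item for item in items if self.matches(item)]


if __name__ == "__main__":
    large_graphics = Filter("Large graphics",
                            [("ext", "equals ignoring case", "jpg"), ("size", ">", 1_000_000)])
    print("match all:", [f["name"] for f in large_graphics.apply(FILES)])
    large_graphics.match_any = True
    print("match any:", [f["name"] for f in large_graphics.apply(FILES)])
```

    Note the case-insensitive extension rule: a filter that compares "jpg" with "=" would miss holiday.JPG, and a Match Any filter on "large or graphic" quietly pulls in kernel32.dll, which is the sort of result that makes the KFF-status rule worth adding.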
  • 103. Deleting a Filter
    Select the filter to delete from the Filter drop-down list
    Click Filter > Delete, or click the Delete Filter button on the Filter toolbar
    Confirm the deletion
  • 104. Decrypting Encrypted Files
  • 105. Decrypting Files and Folders
    Click Tools > Decrypt Files
  • 106. Decrypting Files and Folders (cont’d)
    Type a password in the Password box
    Mark Permanently Mask to show the password in the Saved Passwords list as asterisks, hiding the actual password
    Click Save Password to add the password to the Saved Passwords list
    Mark Attempt Blank Password to decrypt files that have no password or whose password is blank
    Click Decrypt to begin the decryption process
    Click Cancel to return to the case
  • 107. Viewing Decrypted Files
    In the Overview tab, click File Status > Decrypted Files
  • 108. Decrypting Domain Account EFS Files
    Create a new case with no evidence added
    From the main menu, click Evidence > Add/Remove
  • 109. Decrypting Domain Account EFS Files (cont’d)
    Click Add
    Select Individual File
    Click OK
    Navigate to the PFX file (the domain recovery agent's key, exported with its private key), or type the full path and filename into the File Name field of the Open dialog
    Click Open
    Click No when the application asks whether to create an image of the evidence you are adding
    Select the proper time zone for the PFX file from the Time Zone drop-down list in the Manage Evidence window, and click OK
  • 110. Decrypting Credant Files
    Click Tools > Credant Decryption
  • 111. Decrypting SafeGuard Utimaco Files
    SafeGuard (Utimaco) is a full-disk encryption product
  • 112. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Working with Reports
  • 113. Creating a Report
    • Enter basic case information
    • Select the properties of bookmarks
    • Decide how to handle graphics
    • Decide whether to add a file path list
    • Decide whether to add a file properties list
    • Select the properties of the file properties list
    • Add the Registry Viewer sections
  • 114. Saving Settings
    To export report settings, do the following:
    • Click Export; the Export Selections dialog opens
    • Check the sections whose settings you want to export
    • Click OK
    • Type a name for the settings file
    • Click OK to save the settings as an .XML file
    To import settings into a new report in another case, do the following:
    • Open a different case
    • Click File > Report > Import
    • Browse to and select the settings file you want to import
    • Click Open to import the settings file into your current case and report
  • 115. Entering Basic Case Information
    To add a case information entry, do the following:
    • Click Add
    • Provide a label and a value for the new entry
    To remove a case information entry, do the following:
    • Highlight the entry line to be removed
    • Click Remove
  • 116. Including Bookmarks
  • 117. Including Graphics
  • 118. Selecting a File Path List
  • 119. Selecting a File Properties List
  • 120. Registry Selections
  • 121. Selecting the Report Location
    • Type the folder to save the report to, or use the Browse button to find a location
    • Use the drop-down arrow to select the output language of the report
    • Select the output format in which to publish the report
    • Select the optional Export Options for the report:
      • Use object identification number for filename
      • Append extension to filename if bad/absent
    • When the output selections have been made, click OK to generate the report
  • 122. HTML Case Report
  • 123. PDF Report
  • 124. Customizing the Interface
  • 125. Creating Custom Tabs
    • Click View > Tab Layout > Add
    • Enter a name for the new tab and click OK
    • From the View menu, select the features you need in your new tab
    • When satisfied with your new tab’s content, click Save to save the current tab’s settings, or View > Tab Layout > Save
    • (Optional) Click View > Tab Layout > Save All to save all changed and added features
    • To remove tabs, click View > Tab Layout > Remove
  • 126. Customizing File List Columns
    To export column settings to an .xml file, do the following:
    • Click Export
    • Select a folder and provide a filename for the exported column settings file
    • Click Save
    To import a column settings file, do the following:
    • From the Column Settings dialog, click Import
    • Find and select the column settings .xml file
    • Click Open
  • 127. Creating and Modifying Column Settings
    • Right-click a heading in the File List, or click the Column Settings button, to open the Manage Columns context menu
    • Click Column Settings; the Column Settings dialog opens
    • From the Available Columns pane, select a category from which to use a column heading
    • Add the entire contents of a category, or expand the category to select individual headings
  • 128. Summary
    • FTK is a court-validated platform that delivers cutting-edge analysis, decryption and password cracking within a customizable interface
    • Create images, analyze the registry, conduct an investigation, decrypt files, crack passwords, identify steganography, and build a report, all with a single solution
    • The advanced data carving engine carves both allocated and unallocated data; criteria such as file size, data type and pixel size reduce the amount of irrelevant data carved while increasing overall thoroughness
    • FTK can be set up in three different configurations
    • Fuzzy hashing compares two distinctly different files and determines a fundamental level of similarity between them
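The summary's carving criteria (data type, file size, pixel size) are easier to understand with a concrete carver in hand. The script below is an added example, not FTK's carving engine (the slides do not describe its internals): it signature-carves PNG images from a byte buffer standing in for unallocated space, walks the chunk list and checks each CRC so that a bogus signature or a file whose tail was overwritten is rejected rather than carved as garbage, and then filters hits by minimum size and pixel dimensions. The sample buffer, the `make_png` helper and the `carve_png`/`build_sample_blob` names are all constructed for this illustration.

```python
"""Header-to-footer carving of PNG files with size and pixel-size criteria.

Added example, not FTK code. The "unallocated space" is a constructed
in-memory buffer so the script runs offline.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit greyscale PNG (constructed sample data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # each scanline: filter byte 0 followed by `width` grey pixels
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def _walk_png(blob: bytes, start: int):
    """Validate the chunk list that begins at a signature hit.

    Returns (end_offset, width, height) when a structurally valid PNG ends in
    an IEND chunk with correct CRCs, or None for a false positive or a file
    whose tail has been overwritten (truncated in the unallocated space).
    """
    pos = start + len(PNG_SIG)
    width = height = None
    first = True
    while True:
        if pos + 8 > len(blob):
            return None                       # ran off the end: truncated file
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if not ctype.isalpha():
            return None                       # not a chunk type: false positive
        if first and (ctype != b"IHDR" or length != 13):
            return None                       # spec: IHDR (13 bytes) comes first
        first = False
        end = pos + 8 + length + 4
        if end > len(blob):
            return None                       # chunk claims more data than exists
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[end - 4:end])[0]
        if stored_crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            return None                       # corrupted or overwritten chunk
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        pos = end
        if ctype == b"IEND":
            return pos, width, height


def carve_png(blob: bytes, min_size: int = 0, min_width: int = 0,
              min_height: int = 0) -> list:
    """Carve PNGs from `blob`, keeping hits that meet the size and pixel criteria."""
    hits = []
    pos = blob.find(PNG_SIG)
    while pos != -1:
        parsed = _walk_png(blob, pos)
        if parsed is None:
            pos = blob.find(PNG_SIG, pos + 1)  # skip the false positive
            continue
        end, width, height = parsed
        size = end - pos
        if size >= min_size and width >= min_width and height >= min_height:
            hits.append({"offset": pos, "size": size, "width": width,
                         "height": height, "data": blob[pos:end]})
        pos = blob.find(PNG_SIG, end)          # resume after the carved file
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for unallocated space: two intact PNGs, one bogus
    signature followed by junk, and one PNG whose tail was overwritten."""
    small, big = make_png(4, 4), make_png(64, 48)
    return (b"\x00" * 500 + small + b"\xff" * 37 + big
            + PNG_SIG + b"not a png at all" + b"\x00" * 64 + big[:40])


if __name__ == "__main__":
    # Keep only images at least 16 pixels wide, the kind of filter the text describes
    for hit in carve_png(build_sample_blob(), min_width=16):
        print(f"offset={hit['offset']} size={hit['size']} "
              f"{hit['width']}x{hit['height']} px")
```

Validating the chunk CRCs is what keeps a header-only carver from emitting the two decoys in the sample buffer; a real carver over a disk image would also cap the maximum file size so a corrupted length field cannot make it swallow the rest of the image.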