Lab-Project 11: Using FTK: What You Need For This Part

The document provides instructions for using Forensic Toolkit (FTK) software to analyze a disk image for evidence. It describes downloading and installing FTK, creating a new case, adding a clean disk as evidence to test the software, and adding a disk image suspect file as evidence to analyze. A keyword search on terms related to the "Anonymous" group yields 81 hits in 22 files. Inspecting these files reveals an incriminating email and several suspicious files that may relate to the computer hacking case involving Anonymous.
Lab-Project 11: Using FTK

1. Introduction to FTK
What You Need for This Part
• A virtual Windows XP machine, as you used in previous projects.
• A small second virtual hard disk, which you added to your virtual machine.
Making a Clean Disk
You should have a small virtual hard drive attached to your VM, which you created in a
previous project. If you don't have one, create one now, or plug in a USB flash drive. It
doesn't matter what data is on it for now.
Click Start, right-click "My Computer", and click Manage.
You should see your second small disk labelled "Disk 1", as shown below.

Click Start, Run. Type CMD and press Enter.


Execute these commands to clean your second disk. Be careful not to erase the wrong disk!
DISKPART
LIST DISK
SELECT DISK 1
CLEAN ALL
Downloading FTK
We are using a really old version of FTK that has a free demo mode. It's so old, you can't get
it from AccessData anymore.
Download FTK (50 MB):
FTK-Forensic_Toolkit-1.81.6.exe.7z
(or Lab-Proj.11-1_FTK-Forensic_Toolkit-1.81.6.7z from the instructor)
Right-click the FTK-Forensic_Toolkit-1.81.6.exe.7z file and click 7-Zip, "Extract Here".
A file appears, named "FTK-Forensic_Toolkit-1.81.6.exe".
Verifying the Hash
Here's a screen shot from the old AccessData Web page when they provided this version:

To test your file, you need Hashcalc. If you don't have Hashcalc, get it here:
http://www.slavasoft.com/hashcalc/
Open Hashcalc.
Drag the "FTK-Forensic_Toolkit-1.81.6.exe" file and drop it on the Hashcalc window.
You should see the correct hash value, ending in fb13, as shown below:
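Hashcalc does this check by hand; the script below is an added example (not part of the lab or of AccessData's tooling) that does the same thing from the command line: it hashes the downloaded installer in one pass with MD5, SHA-1 and SHA-256 and compares the result against the digest published by the vendor. The published digest is a placeholder here, since the page only shows that it ends in "fb13"; the whole digest must match, because checking a suffix alone proves nothing.

```python
import hashlib
import hmac
import sys

CHUNK_SIZE = 1 << 20  # read downloads 1 MiB at a time so a large installer stays out of memory

def digest_stream(chunks, algorithms=("md5", "sha1", "sha256")):
    """Hash an iterable of byte chunks with several algorithms in one pass.

    Returns {algorithm_name: lowercase_hex_digest}.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def digest_file(path, algorithms=("md5", "sha1", "sha256")):
    """Hash a file on disk (e.g. the FTK installer) without loading it whole."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(CHUNK_SIZE), b""), algorithms)

def matching_algorithm(digests, expected_hex):
    """Return the name of the algorithm whose digest equals expected_hex, or None.

    Case-insensitive, constant-time comparison of the full digest; a vendor
    page normally does not say which algorithm it used, so all are tried.
    """
    expected = expected_hex.strip().lower()
    for name, value in digests.items():
        if hmac.compare_digest(value, expected):
            return name
    return None

if __name__ == "__main__":
    # Usage: python verify_download.py FTK-Forensic_Toolkit-1.81.6.exe <published-hash>
    # The published hash must be copied from the vendor page; it is not embedded here.
    if len(sys.argv) != 3:
        sys.exit("usage: verify_download.py <file> <published-hash>")
    results = digest_file(sys.argv[1])
    for name, value in results.items():
        print(f"{name:7} {value}")
    match = matching_algorithm(results, sys.argv[2])
    print(f"MATCH via {match}" if match else "NO MATCH: do not install this file")
```

A mismatch means the file is not the one the vendor published (corrupted download or a tampered copy) and should not be run.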

Installing FTK
Double-click the "FTK-Forensic_Toolkit-1.81.6.exe" file and install the software with the
default options.
Starting FTK
After installation, FTK will launch.
When you get an Error box saying "No security device was found...", click No.
When you get an Error box saying "The KFF Hash library file was not found...", click OK.
When a box pops up explaining the limitations of the demonstration version, click OK.
Starting a New Case
In the "AccessData FTK Startup" box, accept the default selection of "Start a new case", as
shown below, and click OK.

In the screen titled "Wizard for Creating a New Case", fill in the fields as shown below,
replacing "Your Name" with your own name. Click Next.

In the screen titled "Forensic Examiner Information", leave the fields blank and click Next.
In the screen titled "Case Log Options", accept the default selections, which will log
everything. Click Next.
In the screen titled "Processes to Perform", deselect "KFF Lookup" and "Decrypt EFS Files",
because those features won't work in the demo version, as shown below. Click Next.
In the screen titled "Refine Case-Default", accept the default of "Include All Items".
Click Next.
In the screen titled "Refine Index -Default", accept the default options. Click Next.
Now you see the "Add Evidence" screen, as shown below.

Adding Evidence to the Case


In the "Add Evidence" box, click the "Add Evidence..." button.
In the "Add Evidence to Case" box, select "Local Drive", and click Continue.
In the "Select Local Drive" box, click "Physical Analysis" and select the drive "Physical
Drive 1", as shown below. Click OK.
In the "Evidence Information" box, click OK.
In the "Add Evidence" box, click Next.
In the "New Case Setup is Now Complete" box, click Finish.
A "Processing Files" box appears. Wait until the processing completes - it won't take long if
you have a small drive.
You should now see a screen like that shown below, showing "Evidence Items: 1" in the
upper left portion of the window.

Saving a Screen Image


Make sure your screen shows the "Evidence Items: 1" message.
Capture the whole desktop with the PrntScn key.
YOU MUST TURN IN THE WHOLE DESKTOP TO GET FULL CREDIT!
Save the image with the filename "Your Name Lab-Proj 11a".
The FTK Window
Look in the upper left of the FTK window. In the "File Items" section, FTK says "Total File
Items" is 5. How can that be, on a totally empty disk?
To find out, click the "Total File Items:" button. The lower pane now shows five items,
named "DriveFreeSpace1","DriveFreeSpace2","DriveFreeSpace3", etc.
In the bottom pane of the FTK window, click "DriveFreeSpace1". The upper right corner
now shows a hexadecimal view of the bytes in that file, as shown below.

This is just like the HxD utility you used in a previous project. As you can see, the file is
empty--it's not really a file at all, because it has no header or footer or file name or any data at
all. FTK just breaks empty space up into chunks it calls "Files" for handling.
To see that the disk is really empty, look at the "File Status" and "File Category" columns in
the upper left portion of the FTK window. You can see that FTK was unable to find any
usable data in any known format on this disk--it's clean.
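The same conclusion can be reached programmatically. The script below is an added example, not FTK code and not part of the lab: it walks a raw image in fixed-size chunks the way FTK splits free space into "DriveFreeSpace" items, counts how many chunks are nothing but null bytes, and looks for a handful of well-known file headers (a constructed, deliberately short list). Headers that straddle a chunk boundary are still found, because the tail of the previous chunk is carried over. A disk that has been cleaned with CLEAN ALL gives only zero chunks and no header hits.

```python
import sys

# Magic bytes for a few common file types (a constructed, non-exhaustive list for this example).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"GIF8": "gif",
}
MAX_SIG = max(len(s) for s in SIGNATURES)

def scan_chunks(chunks):
    """Classify fixed-size chunks of a raw image and locate known file headers.

    chunks is an iterable of bytes objects (the last may be shorter). Returns a
    dict with chunk counts and a sorted list of (absolute_offset, file_type).
    """
    report = {"chunks": 0, "zero_chunks": 0, "data_chunks": 0, "hits": []}
    tail = b""   # last MAX_SIG-1 bytes of the previous chunk, so split headers are still seen
    offset = 0
    for chunk in chunks:
        report["chunks"] += 1
        if not chunk.strip(b"\x00"):   # nothing but null bytes: what FTK shows as a DriveFreeSpace item
            report["zero_chunks"] += 1
        else:
            report["data_chunks"] += 1
        window = tail + chunk
        base = offset - len(tail)
        for sig, kind in SIGNATURES.items():
            pos = window.find(sig)
            while pos != -1:
                if pos + len(sig) > len(tail):   # ends inside this chunk, so not counted last time
                    report["hits"].append((base + pos, kind))
                pos = window.find(sig, pos + 1)
        tail = window[-(MAX_SIG - 1):]
        offset += len(chunk)
    report["hits"].sort()
    return report

def scan_bytes(data, chunk_size=4096):
    """Scan an in-memory image (used for the constructed test data)."""
    return scan_chunks(data[i:i + chunk_size] for i in range(0, len(data), chunk_size))

def scan_file(path, chunk_size=4096):
    """Scan a raw image file on disk, e.g. one written with dd, chunk by chunk."""
    with open(path, "rb") as f:
        return scan_chunks(iter(lambda: f.read(chunk_size), b""))

def is_clean(report):
    """True when every chunk is null bytes and no known header was seen."""
    return report["data_chunks"] == 0 and not report["hits"]

if __name__ == "__main__":
    rep = scan_file(sys.argv[1])   # path to a raw image; assumed to be supplied by the user
    print(f"{rep['chunks']} chunks, {rep['zero_chunks']} all-zero, {rep['data_chunks']} with data")
    for off, kind in rep["hits"]:
        print(f"  {kind} header at offset {off:#x}")
    print("clean (no recognisable data)" if is_clean(rep) else "not clean")
```

A zero-chunk count equal to the chunk count is the programmatic equivalent of FTK's empty "File Status" and "File Category" columns; any header hit is a place to start looking.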
2. Using FTK
What You Need for This Part
• A Windows machine, with FTK installed. It can be real or virtual. I used a Windows
XP virtual machine.
Downloading the Evidence File
Download the file below:
anon-E.7z
Use Hashcalc to calculate the hash of the file you downloaded. It should match the figure
below:
Unzip the file with 7-Zip.
Starting FTK in your VM
Double-click the "FTK Forensic Toolkit" icon on your desktop. When you get an Error
box saying "No security device was found...", click No.
When you get an Error box saying "The KFF Hash library file was not found...", click OK.
When a box pops up explaining the limitations of the demonstration version, click OK.
Starting a New Case
In the "AccessData FTK Startup" box, select "Start a new case" and click OK.
In the screen titled "Wizard for Creating a New Case", fill in the fields as shown below,
changing "YOUR_NAME" to your own name. Click Next.

In the screen titled "Forensic Examiner Information", leave the fields blank and click Next.
In the screen titled "Case Log Options", accept the default selections, which will log
everything. Click Next.
In the screen titled "Processes to Perform", deselect "KFF Lookup" and "Decrypt EFS
Files". Click Next.
In the screen titled "Refine Case-Default", accept the default of "Include All Items".
Click Next.
In the screen titled "Refine Index - Default", click Next.
Adding Evidence
In the "Add Evidence" box, click the "Add Evidence..." button.
In the "Add Evidence to Case" box, select "Acquired Image of Drive", and click Continue.
In the "Browse for Folder" box, navigate to your Desktop, open the "E" folder, and double-click
the anon1a.E01 file.
In the "Evidence Information" box, click OK.
In the "Add Evidence" box, click Next.
In the "New Case Setup is Now Complete" box, click Finish.
A "Processing Files..." box appears. Wait a few seconds for the processing to finish.
Click the Explore tab.
In the left center, check the "List all Descendants" box. You should see a long list of files,
with "104 Listed" in the Status Bar, as shown below on this page.

Case Background
This evidence was seized from a computer found in a room used by a suspected computer
hacker from the Anonymous gang.
Search Procedure 1: File-by-file
In the lower pane of FTK, click the first item. Look in the upper-right pane to see what's in
the file. Press the down-arrow key on the keyboard to move to the next file. The first 20 files
contain very little useful information--as you can see, this is not an efficient way to find
relevant evidence.
Search Procedure 2: Keyword Search
A much better procedure is to use keyword search. FTK is designed to work this way--it
makes an index of all the words in the evidence file. Open Notepad and type in the keywords
shown in the figure below. Since all we know now is that the case involves Anonymous, the
keywords come from the common Anonymous slogans "Expect Us" and "We never forgive,
we never forget".
Save this file on your desktop as "keywords.txt".
In FTK, click the Search tab.
Click the Import button.
In the "Import Search Terms" box, navigate to your desktop and double-click
the keywords.txt file.
An "Import Search Terms" box pops up, saying "Do you wish to show items that have 0 hits?".
Click No.
Results of the Search
Five of the keywords were found, as shown in the top pane of FTK:

In the "Cumulative Operator" line, click the OR button.


In the "Cumulative Operator" line, click the "View Cumulative Results" button.
In the "Filter Search Hits" box, accept the default selection of "All files" and click
the OK button.
The upper right pane should now show "81 Hits in 22 Files", as shown below.
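To make clear what FTK is doing behind the Search tab, here is an added example (not FTK's code and not part of the lab) of the same workflow in miniature: the evidence files are indexed once, a keywords.txt is parsed one term per line, each term (single word or phrase) is counted per file, and the per-keyword results are combined with a cumulative OR or AND into an "N Hits in M Files" summary. The evidence texts and the keyword list are constructed for this example; the keywords follow the slogans the lab uses.

```python
import re

WORD = re.compile(r"[a-z0-9']+")

def tokenize(text):
    """Lower-case word tokens; FTK's index is likewise case-insensitive."""
    return WORD.findall(text.lower())

def load_keywords(text):
    """Parse the contents of keywords.txt: one search term (word or phrase) per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]

class KeywordIndex:
    def __init__(self, files):
        # files: {file name: text content}. Token lists are kept per file for
        # phrase matching; the inverted index narrows down which files to scan.
        self.tokens = {name: tokenize(text) for name, text in files.items()}
        self.inverted = {}
        for name, toks in self.tokens.items():
            for tok in set(toks):
                self.inverted.setdefault(tok, set()).add(name)

    def hits(self, keyword):
        """{file name: occurrences} for every file that contains the keyword phrase."""
        phrase = tokenize(keyword)
        if not phrase:
            return {}
        candidates = set.intersection(*(self.inverted.get(t, set()) for t in phrase))
        n = len(phrase)
        result = {}
        for name in candidates:
            toks = self.tokens[name]
            count = sum(1 for i in range(len(toks) - n + 1) if toks[i:i + n] == phrase)
            if count:
                result[name] = count
        return result

    def cumulative(self, keywords, operator="OR"):
        """Combine per-keyword hits the way FTK's Cumulative Operator does.

        OR: files matching any keyword; AND: files matching every keyword.
        Keywords with zero hits are dropped from the reported list, as when
        you answer No to "show items that have 0 hits".
        """
        per_keyword = {k: self.hits(k) for k in keywords}
        found = {k: h for k, h in per_keyword.items() if h}
        if operator == "AND":
            file_sets = [set(h) for h in per_keyword.values()]
            files = set.intersection(*file_sets) if file_sets else set()
        else:
            files = set().union(*(set(h) for h in found.values()))
        total = sum(c for h in found.values() for name, c in h.items() if name in files)
        return {
            "keywords_found": sorted(found),
            "files": sorted(files),
            "total_hits": total,
            "summary": f"{total} Hits in {len(files)} Files",
        }

# Constructed sample evidence, standing in for the files FTK lists from the image.
SAMPLE_FILES = {
    "Message004": "Subject: Great deals! Expect us to beat any price. Expect us! Unsubscribe below.",
    "Message011": "We never forgive, we never forget. Expect us. -- Anonymous",
    "notes.txt": "never forget the deadline on friday",
    "readme.txt": "Installation notes for the printer driver.",
}

# Constructed keywords.txt, following the slogans used in the lab.
KEYWORDS_TXT = "Expect Us\nnever forgive\nnever forget\nanonymous\nlegion\n"

if __name__ == "__main__":
    index = KeywordIndex(SAMPLE_FILES)
    result = index.cumulative(load_keywords(KEYWORDS_TXT), "OR")
    print(result["summary"])
    for kw in result["keywords_found"]:
        print(f"  {kw!r}: {index.hits(kw)}")
```

The OR result lists every file worth opening; switching to AND narrows the set to files that carry all the terms, which is the usual second step once a first pass has shown which keywords actually occur.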
Saving a Screen Image
Make sure your screen shows "81 Hits in 22 Files".
Click on the host machine's taskbar.
Capture your whole desktop with the PrintScrn key.
YOU MUST TURN IN A COMPLETE DESKTOP IMAGE TO GET FULL CREDIT.
Save the image with the filename "Your Name Lab-Proj 11b".
Examining the Hits
Click the first item in the upper-right pane. This is a container, labeled "81 Hits in 22 Files".
Expand it by pressing the right-arrow key on the keyboard. Then press the down-arrow to go
to the next item, labeled "[7 Hits -- Message004]".
Your screen should now look like the image shown below on this page. This file is an email
message, and you can read it in the lower-center pane. This is obviously unimportant spam.
Procedure
Here's how to quickly inspect the hits. Refer to the figure below.
1. In the HITS section at the top right, press the down-arrow key to highlight the next
item.
2. Examine the PREVIEW in the center of the screen.
3. If the file is important, check the box at the left of the shaded line in the FILES
section at the bottom of the screen.

Proceed through all 22 files in this manner.


You should find an email bragging about an obvious crime, and several suspicious files.
Saving a Screen Image
Make sure your screen shows the obviously incriminating email you found.
Click on the host machine's taskbar.
Capture your whole desktop with the PrintScrn key.
YOU MUST TURN IN A COMPLETE DESKTOP IMAGE TO GET FULL CREDIT.
Save the image with the filename "Your Name Lab-Proj 11c".
Viewing the Images
One weakness of the keyword search is that it won't find words in images.
To see the images, click the Graphics tab at the top of the FTK window.
In the center left, there is a tree structure showing files and folders. Click the top item, Case,
and use the down-arrow to move to the next item.
When you encounter containers, use the right-arrow to expand them.
When you highlight a container that has graphics in it, you will see thumbnails in the top
pane, as shown below:

The kittens are not incriminating, but you might want a closer look at them to be sure.
In the top pane, click one of the thumbnails. The image is shown full-size in the center right
pane, as shown below:

Continue to examine all the containers until you find suspicious images. Mark all the
suspicious images by checking the boxes in the lower pane, just as you did with the
email messages.
One of the images shows a defaced Web page. Adjust it so that the defacement is clearly
visible.
Saving a Screen Image
Make sure your screen shows the obviously incriminating image you found.
Click on the host machine's taskbar.
Capture your whole desktop with the PrintScrn key.
YOU MUST TURN IN A COMPLETE DESKTOP IMAGE TO GET FULL CREDIT.
Save the image with the filename "Your Name Lab-Proj 11d".
Making a Report
In FTK, from the top menu bar, click File, "Report Wizard".
In the "Case Information" screen, click Next, as shown below.

In the "Bookmarks - A" page, click the "Yes, export all bookmarked files" button, as shown
below. Then click Next.

In the "Bookmarks - B" page, click Next.


In the "Graphic Thumbnails" page, click "Export full-size graphics and link them to the
thumbnails", as shown below. Then click Next.
In the "List by File Path" page, click Next.
In the "List File Properties - A" page, click Next.
In the "Supplementary Files" page, click Next.
In the "Report Location" page, click Finish.
A "Report Wizard" box pops up, asking "Do you wish to view the report?".
Click Yes.
The Report appears, as shown below.

Saving a Screen Image


Make sure your screen shows a report with your name on it as the Investigator, as shown
above.
Click on the host machine's taskbar.
Capture your whole desktop with the PrintScrn key.
YOU MUST TURN IN A COMPLETE DESKTOP IMAGE TO GET FULL CREDIT.
Save the image with the filename "Your Name Lab-Proj 11e".
Exporting the Checked Files
The Report doesn't include the checked files--we need to export them separately.
In FTK, from the top menu bar, click File, "Export Files".
In the "Export Files" box, click "All checked files", as shown below. Then click OK.

To see the exported files, click Start, Computer, and navigate to the "C:\Program
Files\AccessData\AccessData Forensic Toolkit 1.81.6\DefaultCase\Export" folder.
The files are there, as shown below.

Turning in your Project


Email the images to the instructor. Send the email to: [email protected] with a subject line of
"Lab-Proj 11 From Your Name", replacing Your Name with your own first and last name.
Send a Cc to yourself.
