Lab-Project 11: Using FTK: What You Need For This Part
1. Introduction to FTK
What You Need for This Part
• A virtual Windows XP machine, as you used in previous projects.
• A small second virtual hard disk, which you added to your virtual machine in a previous project.
Making a Clean Disk
You should have a small virtual hard drive attached to your VM, which you created in a
previous project. If you don't have one, create one now, or plug in a USB flash drive. It
doesn't matter what data is on it for now.
Click Start, right-click "My Computer", and click Manage.
You should see your second small disk labelled "Disk 1", as shown below.
To verify the installer you downloaded, you need Hashcalc. If you don't have Hashcalc, get it here:
http://www.slavasoft.com/hashcalc/
Open Hashcalc.
Drag the "FTK-Forensic_Toolkit-1.81.6.exe" file and drop it on the Hashcalc window.
You should see the correct hash value, ending in fb13, as shown below. If the hash does not
match, do not install the file; download it again and check it once more.
Installing FTK
Double-click the "FTK-Forensic_Toolkit-1.81.6.exe" file and install the software with the
default options.
Starting FTK
After installation, FTK will launch.
When you get an Error box saying "No security device was found...", click No.
When you get an Error box saying "The KFF Hash library file was not found...", click OK.
When a box pops up explaining the limitations of the demonstration version, click OK.
Starting a New Case
In the "AccessData FTK Startup" box, accept the default selection of "Start a new case", as
shown below, and click OK.
In the screen titled "Wizard for Creating a New Case", fill in the fields as shown below,
replacing "Your Name" with your own name. Click Next.
In the screen titled "Forensic Examiner Information", leave the fields blank and click Next.
In the screen titled "Case Log Options", accept the default selections, which will log
everything. Click Next.
In the screen titled "Processes to Perform", deselect "KFF Lookup" and "Decrypt EFS Files",
because those features won't work in the demo version, as shown below. Click Next.
In the screen titled "Refine Case-Default", accept the default of "Include All Items".
Click Next.
In the screen titled "Refine Index -Default", accept the default options. Click Next.
Now you see the "Add Evidence" screen, as shown below.
This is just like the HxD utility you used in a previous project. As you can see, the "file" is
empty; it is not really a file at all, because it has no header, no footer, no file name and no data.
FTK just breaks unallocated space into chunks it calls "Files" for handling.
To see that the disk is really empty, look at the "File Status" and "File Category" columns in
the upper left portion of the FTK window. You can see that FTK was unable to find any
usable data in any known format on this disk--it's clean.
2. Using FTK
What You Need for This Part
• A Windows machine, with FTK installed. It can be real or virtual. I used a Windows
XP virtual machine.
Downloading the Evidence File
Download the file below:
anon-E.7z
Use Hashcalc to calculate the hash of the file you downloaded. It should match the figure
below. If it does not, download the file again before going on; an evidence file with the wrong
hash is not the evidence file.
Unzip the file with 7-Zip.
Starting FTK in your VM
Double-click the "FTK Forensic Toolkit" icon on your desktop. When you get an Error
box saying "No security device was found...", click No.
When you get an Error box saying "The KFF Hash library file was not found...", click OK.
When a box pops up explaining the limitations of the demonstration version, click OK.
Starting a New Case
In the "AccessData FTK Startup" box, select "Start a new case" and click OK.
In the screen titled "Wizard for Creating a New Case", fill in the fields as shown below,
changing "YOUR_NAME" to your own name. Click Next.
In the screen titled "Forensic Examiner Information", leave the fields blank and click Next.
In the screen titled "Case Log Options", accept the default selections, which will log
everything. Click Next.
In the screen titled "Processes to Perform", deselect "KFF Lookup" and "Decrypt EFS
Files", because those features won't work in the demo version. Click Next.
In the screen titled "Refine Case-Default", accept the default of "Include All Items".
Click Next.
In the screen titled "Refine Index - Default", click Next.
Adding Evidence
In the "Add Evidence" box, click the "Add Evidence..." button.
In the "Add Evidence to Case" box, select "Acquired Image of Drive", and click Continue.
In the "Browse for Folder" box, navigate to your Desktop, open the "E" folder, and double-click the anon1a.E01 file.
In the "Evidence Information" box, click OK.
In the "Add Evidence" box, click Next.
In the "New Case Setup is Now Complete" box, click Finish.
A "Processing Files..." box appears. Wait a few seconds for the processing to finish.
Click the Explore tab.
In the left center, check the "List all Descendants" box. You should see a long list of files,
with "104 Listed" in the Status Bar, as shown below on this page.
Case Background
This evidence was seized from a computer found in a room used by a suspected computer
hacker from the Anonymous gang.
Search Procedure 1: File-by-file
In the lower pane of FTK, click the first item. Look in the upper-right pane to see what's in
the file. Press the down-arrow key on the keyboard to move to the next file. The first 20 files
contain very little useful information--as you can see, this is not an efficient way to find
relevant evidence.
Search Procedure 2: Keyword Search
A much better procedure is to use keyword search. FTK is designed to work this way--it
makes an index of all the words in the evidence file. Open Notepad and type in the keywords
shown in the figure below. Since all we know now is that the case involves Anonymous, the
keywords come from the common Anonymous slogans "Expect Us" and "We never forgive,
we never forget".
Save this file on your desktop as "keywords.txt".
In FTK, click the Search tab.
Click the Import button.
In the "Import Search Terms" box, navigate to your desktop and double-click
the keywords.txt file.
An "Import Search Terms" box pops up, saying "Do you wish to show items that have 0 hits?".
Click No.
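The two checks this lab performs by hand, hashing the evidence file before opening it and searching the whole image for a term list instead of reading file by file, can be reproduced on a small scale in code. The example below is added here; it is not part of the lab and not FTK's own code. It hashes a constructed sample image (a few text fragments separated by zeroed slack; not anon1a.E01 and not the lab's published hash), verifies the digest against a value supplied by the caller, and then searches the raw bytes for the lab's keyword list. It goes one step beyond the lab by searching each term in both ASCII and UTF-16LE, since Windows artefacts such as registry values and shortcut files store text as UTF-16LE and a plain byte search would miss them. The extra keyword "payback" and the strings in the sample image are assumptions made for the example.

```python
"""Added example: verify an evidence file's hash, then run an FTK-style
keyword search over its raw bytes (ASCII and UTF-16LE, case-insensitive)."""
import hashlib
import hmac
import re

# Constructed sample "disk image" (not the lab's anon1a.E01): plain-text
# fragments separated by zeroed slack, plus one string stored as UTF-16LE the
# way Windows registry values and shortcut (.lnk) files store text.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"Subject: meeting\r\nNothing to see here.\r\n"
    + b"\x00" * 16
    + b"We are Anonymous. We do not forgive. Expect us.\n"
    + b"\x00" * 16
    + "Operation Payback".encode("utf-16-le")
    + b"\x00" * 32
)

# The lab's keyword list, plus "payback" (assumed for the example) to show a
# hit that exists only in UTF-16LE.
KEYWORDS = ["expect us", "forgive", "forget", "anonymous", "payback"]


def file_digests(data: bytes) -> dict:
    """MD5 and SHA-1 of the evidence, the two digests FTK 1.x reports."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_download(data: bytes, published_md5: str) -> bool:
    """Compare the computed MD5 with the value published next to the download.
    The lab only eyeballs the last four hex digits; compare the whole digest."""
    return hmac.compare_digest(file_digests(data)["md5"], published_md5.lower())


def keyword_search(data: bytes, keywords) -> dict:
    """Return {keyword: [(offset, encoding), ...]} for every keyword with hits.

    Each term is matched case-insensitively in ASCII and in UTF-16LE. Terms
    with no hits are left out, like answering No to "show items with 0 hits".
    """
    hits = {}
    for kw in keywords:
        needles = {"ascii": kw.encode("ascii"), "utf-16le": kw.encode("utf-16-le")}
        found = []
        for encoding, needle in needles.items():
            for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
                found.append((m.start(), encoding))
        if found:
            hits[kw] = sorted(found)
    return hits


def hit_context(data: bytes, offset: int, encoding: str, width: int = 16) -> str:
    """Decode a few bytes around a hit so the examiner can judge it; NULs become
    spaces. UTF-16LE slices are kept on the same 2-byte alignment as the hit."""
    start = max(0, offset - width)
    if encoding == "utf-16le":
        start += (offset - start) % 2
        codec = "utf-16-le"
    else:
        codec = "latin-1"
    chunk = data[start:offset + width]
    return chunk.decode(codec, errors="replace").replace("\x00", " ").strip()


if __name__ == "__main__":
    digests = file_digests(SAMPLE_IMAGE)
    print("MD5  ", digests["md5"])
    print("SHA-1", digests["sha1"])
    # In the lab the published value comes from the download page; here we
    # only have the value we just computed, so the check is shown, not proven.
    print("hash verified:", verify_download(SAMPLE_IMAGE, digests["md5"]))
    for kw, locations in keyword_search(SAMPLE_IMAGE, KEYWORDS).items():
        for offset, encoding in locations:
            ctx = hit_context(SAMPLE_IMAGE, offset, encoding)
            print(f"{kw!r}: offset {offset} ({encoding}): {ctx}")
```

Running it prints the two digests and one line per hit; "forget" never appears, "payback" is found only in the UTF-16LE string, and the other three terms are found once each in the ASCII fragment. On a real image you would read the bytes from the acquired file (an E01 needs a library that understands the EWF container; a raw dd image can be read directly) and take the published digest from the acquisition record, not from the file itself.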
Results of the Search
Five of the keywords were found, as shown in the top pane of FTK:
The kittens are not incriminating, but you might want a closer look at them to be sure.
In the top pane, click one of the thumbnails. The image is shown full-size in the center right
pane, as shown below:
Continue to examine all the containers until you find suspicious images. Mark all the
suspicious images by checking the boxes in the lower pane, just as you did with the
email messages.
One of the images shows a defaced Web page. Adjust it so that the defacement is clearly
visible.
Saving a Screen Image
Make sure your screen shows the obviously incriminating image you found.
Click on the host machine's taskbar.
Capture your whole desktop with the PrintScrn key.
YOU MUST TURN IN A COMPLETE DESKTOP IMAGE TO GET FULL CREDIT.
Save the image with the filename "Your Name Lab-Proj 11d".
Making a Report
In FTK, from the top menu bar, click File, "Report Wizard".
In the "Case Information" screen, click Next, as shown below.
In the "Bookmarks - A" page, click the "Yes, export all bookmarked files" button, as shown
below. Then click Next.
To see the exported files, click Start, Computer, and navigate to the "C:\Program
Files\AccessData\AccessData Forensic Toolkit 1.81.6\DefaultCase\Export" folder.
The files are there, as shown below.