FTK and Autopsy
IMAGE FILE WITH THE FTK IMAGER AND FORENSIC ANALYSIS WITH AUTOPSY (WINDOWS ONLY)
PREPARATION – TURN OFF PROTECTION
SOURCE FILES
1. Link: https://terabox.com/s/1OU4rqamY0up9nUkSj8eEAw
Password: vtu9
2. Download the files from the directories New Tools/FTK Imager and New Tools/Autopsy
IMAGE FILES FOR EXERCISE
1. Link: https://terabox.com/s/1OU4rqamY0up9nUkSj8eEAw
Password: vtu9
2. Download the file from the directory Boot CD Image/Evidence Image/DELevidence01.001
FTK
FTK IMAGER INSTALLATION
1. Link: https://terabox.com/s/1OU4rqamY0up9nUkSj8eEAw
Password: vtu9
2. Download the file from the directory New Tools/FTK Imager
3. Open the file Access_Data_FTK_Imager_xxx_(xxx).exe
4. Follow the step-by-step instructions until FINISH, restarting if needed
5. Open the Access Data FTK Imager icon on the Desktop or in the Windows Menu
ADD EVIDENCE ITEM / CREATE DISK IMAGE
SELECT SOURCE = PHYSICAL DRIVE (FLASH DISK)
EVIDENCE TYPE – TARGET / OBJECT
a. Physical Drive: a hard disk, flash disk, or ANY other physical drive. If the target capacity is 500 Giga Bytes, the resulting image will be the same size or smaller if compression is available
b. A physical clone copies the entire target bit by bit, including blank space and deleted files
c. Logical Drive: a target recognized by the OS (Drive A:, C:, etc.), or a single partition
d. An image file is the result of bit-by-bit cloning by a forensic imager such as FTK, stored as a file with a .raw, .dd, .E01 or .AFF extension, or a converted backup stored with an .img, .iso, .vc4, etc. extension, depending on the application used
e. Contents of a folder: a targeted object (folders and/or files) copied as a folder with its contents, including subfolders, whose contents are already known (targeted)
SELECT IMAGE TYPE = E01
FORENSIC IMAGE FORMAT
1. DD / RAW (Linux "Disk Dump"): legacy UNIX format, no compression, can be split into RAW segments (.00n)
2. SMART (Linux): not common; the image is stored in a single segment file or in multiple segment files, each with metadata. Supports split images, no compression
3. E01 (EnCase®): the most common format next to RAW; supports splitting and compression
4. AFF (Advanced Forensic Format): an open format for the storage of forensic images
5. Reference: Forensics 101: What is a forensic image?
FILL IN EVIDENCE INFORMATION – START
IMAGE FRAGMENT SIZE (MB) = 0, COMPRESS = 6
IMAGE SUMMARY AND VERIFY HASH RESULT
IMAGE MOUNTING – SELECT TARGET IMAGE
MOUNT IMAGE TO DRIVE – PHYSICAL & LOGICAL
DRIVE LETTER (SELECT AFTER NEXT AVAILABLE)
MOUNT METHOD – BLOCK DEVICE/READ ONLY
MOUNTED TARGET IMAGE AS DRIVE (G:)
ADD EVIDENCE ITEM – SELECT MOUNTED IMAGE
PARTITION, FILE SYSTEM, DELETED AREA [X]
RECOVER DELETED FILES [X] – EXPORT FILES
CREATE WORKING COPY
1. If the image file is already mounted, select EXPORT IMAGE
2. If the image file is not mounted, select CREATE NEW IMAGE
3. Compare the HASH values after the EXPORT / CREATE of the working image copy
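The hash comparison in step 3 (and the VERIFY HASH RESULT step earlier) can be reproduced outside FTK Imager. The script below is an added example, not part of these slides or of FTK Imager: it streams a split RAW image (segments .001, .002, ... as in DELevidence01.001) in order through MD5 and SHA1, the two digests FTK Imager reports in its image summary, and compares an original against a working copy. The demo image it builds is constructed data, not the exercise evidence.

```python
import hashlib
import os
import re
import tempfile

def split_segments(first_segment):
    """Return the ordered segment files of a split RAW image (.001, .002, ...);
    a single-file image (.dd/.raw/.img) comes back as a one-element list."""
    directory, name = os.path.split(first_segment)
    stem, ext = os.path.splitext(name)
    if not re.fullmatch(r"\.\d{3}", ext):
        return [first_segment]
    segments, n = [], 1
    while os.path.exists(os.path.join(directory, f"{stem}.{n:03d}")):
        segments.append(os.path.join(directory, f"{stem}.{n:03d}"))
        n += 1
    return segments

def hash_image(first_segment, chunk_size=1 << 20):
    """Stream every segment, in order, through MD5 and SHA1 (the digests FTK
    Imager prints in its image summary) and return both hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for segment in split_segments(first_segment):
        with open(segment, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_working_copy(original_first_segment, copy_first_segment):
    """True only when the working copy hashes identically to the original."""
    return hash_image(original_first_segment) == hash_image(copy_first_segment)

def build_demo_image(stem, segments):
    """Write a constructed split RAW image into a temp directory and return
    the path of its first segment (demo data only, not a real evidence image)."""
    directory = tempfile.mkdtemp()
    for n, payload in enumerate(segments, start=1):
        with open(os.path.join(directory, f"{stem}.{n:03d}"), "wb") as fh:
            fh.write(payload)
    return os.path.join(directory, f"{stem}.001")

if __name__ == "__main__":
    original = build_demo_image("DEMOevidence", [b"a", b"bc"])
    copy = build_demo_image("DEMOcopy", [b"a", b"bc"])
    print(hash_image(original))
    print("working copy verified:", verify_working_copy(original, copy))
```

For a real image, pass the path of the first segment (for example DELevidence01.001) and compare the printed digests with the values in FTK Imager's summary text file.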
SELECT IMAGE SOURCE
SELECT IMAGE DESTINATION (TARGET COPY)
IMAGE SUMMARY
AUTOPSY
AUTOPSY INSTALLATION
1. Link: https://terabox.com/s/1OU4rqamY0up9nUkSj8eEAw
Password: vtu9
2. Download the file from the directory New Tools/Autopsy
3. Open the file Autopsy_xxx_(xxx).exe and allow it through any security prompts
4. Follow the step-by-step instructions until FINISH, restarting if needed
5. Open the Autopsy icon on the Desktop or in the Windows Menu
AUTOPSY FEATURES
1. Similar to FTK, but with more specific features for forensic analysis
2. Limited object imaging / copy / export, but it can open ANY image file
3. File system and partition map; deleted file / data recovery / export
4. Data Viewer, HEX Editor, File Carving, Index / Object / Content Searching
5. Image / Video, Communication, Geolocation, Timeline and Discovery analysis tools
6. Full Forensic Analysis Report in HTML, Microsoft Excel, .csv and other formats
AUTOPSY FEATURES (1)
1. Recent Activity Module extracts user activity saved by web browsers and the OS. It also runs RegRipper on the registry hives
2. Hash Database Lookup Module uses hash databases to ignore known files from the NIST NSRL and flag known bad files. Use the "Advanced" button to add and configure the hash databases to use during this process. You will get updates on known bad file hits as the ingest occurs. You can later add hash databases via the Tools -> Options menu in the main UI. Index of the NIST NSRL hash sets: https://sourceforge.net/projects/autopsy/files/NSRL/
3. File Type Identification Module determines file types based on signatures and
reports them based on MIME type. It stores the results in the Blackboard and
many modules depend on this. It uses the Tika open source library. You can define
your own custom file types in Tools, Options, File Types
4. Embedded File Extraction Module opens ZIP, RAR, other archive formats, Doc,
Docx, PPT, PPTX, XLS, and XLSX and sends the derived files from those files back
through the ingest pipeline for analysis
AUTOPSY FEATURES (2)
1. EXIF Parser Module extracts EXIF information from JPEG files and posts
the results into the tree in the main UI
2. Keyword Search Module uses keyword lists to identify files with
specific words in them. You can select the keyword lists to search for
automatically and you can create new lists using the "Advanced" button.
Note that with keyword search, you can always conduct searches after
ingest has finished. The keyword lists that you select during ingest will be
searched for at periodic intervals and you will get the results in real-time.
You do not need to wait for all files to be indexed before performing a
keyword search, however you will only get results from files that have
already been indexed when you perform your search
3. Email Parser Module identifies Thunderbird MBOX files and PST format files based on file signatures, extracts the e-mails from them, and adds the results to the Blackboard
AUTOPSY FEATURES (3)
1. Extension Mismatch Detector Module uses the results from the File Type
Identification and flags files that have an extension not traditionally associated
with the file's detected type. Ignores 'known' (NSRL) files. You can customize the
MIME types and file extensions per MIME type in Tools, Options, File Extension
Mismatch
2. E01 Verifier Module computes a checksum on E01 files and compares with the
E01 file's internal checksum to ensure they match
3. Android Analyzer Module allows you to parse common items from Android
devices. Places artifacts into the BLACKBOARD
4. Interesting Files Identifier Module searches for files and directories based on
user-specified rules in Tools, Options, Interesting Files. It works as a "File Alerting
Module". It generates messages in the inbox when specified files are found
5. PhotoRec Carver Module carves files from unallocated space and sends them
through the file processing chain
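The Extension Mismatch Detector in item 1 compares a file's signature-based type with its extension. The script below is an added example, not Autopsy's own code: it detects a type from a small constructed set of magic bytes, flags an extension that is not associated with that type, treats Office Open XML documents as the ZIP containers they are, and skips files whose MD5 is in a known-file set, mirroring the "ignores 'known' (NSRL) files" behaviour. The signature table and hash values are assumptions for the demo.

```python
import hashlib
import os

# Magic-byte signatures (a small constructed subset) mapped to the MIME type
# they identify, and the extensions conventionally used for each MIME type.
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),
]
EXPECTED_EXTENSIONS = {
    "image/jpeg": {"jpg", "jpeg"},
    "image/png": {"png"},
    "application/pdf": {"pdf"},
    # Office Open XML documents are ZIP containers, so these are not mismatches
    "application/zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "application/x-msdownload": {"exe", "dll", "sys"},
}

def detect_mime(header):
    """Signature-based type detection on the first bytes of a file."""
    for magic, mime in SIGNATURES:
        if header.startswith(magic):
            return mime
    return None

def check_mismatch(filename, header, known_hashes=frozenset(), md5=None):
    """Return {'detected': mime, 'mismatch': bool}. Known (NSRL-style) files,
    files with no recognised signature and files with no extension are not flagged."""
    detected = detect_mime(header)
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    result = {"detected": detected, "mismatch": False}
    if detected is None or not ext or (md5 and md5 in known_hashes):
        return result
    result["mismatch"] = ext not in EXPECTED_EXTENSIONS[detected]
    return result

def scan_file(path, known_hashes=frozenset()):
    """Read the header and MD5 of a file on disk, then run the mismatch check."""
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        header = fh.read(16)
        md5.update(header)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
    return check_mismatch(os.path.basename(path), header, known_hashes, md5.hexdigest())
```

A file named report.pdf that starts with the MZ executable header is flagged, while notes.docx starting with the ZIP signature is not.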
OPEN AUTOPSY – CREATE NEW CASE
NEW CASE INFORMATION
1. You can freely fill in the Case Information and Optional Information
2. Every organization may have a standardized Case Information format
SELECT DATA SOURCE TYPE
1. Select Host and Data Source Type: Disk Image or VM File, Local Disk, Logical Files, Unallocated Space Image File, Autopsy Logical Imager Result, XRY Text Export
SELECT DATA SOURCE
1. Adjust Time Zone and sector size
2. Select Data Source (image file)
CONFIGURE INGEST – ADD DATA SOURCE
1. Select all ingest modules to obtain a complete automatic analysis
2. While the automatic analysis runs, you can proceed with other tasks
DATA SOURCE ANALYSIS PROCESS (WAIT)
AUTOPSY DASHBOARD VIEW EXPLANATION
1. Data Source: image file DELevidence01.001, a copy of a flash disk
2. Vol 1: unallocated partition; Vol 2: NTFS / exFAT partition
3. Findings: orphan files, carved files, unallocated files, readable folders
4. Findings: [X] deleted folders and files, not formatted, possible to recover
5. Artifact grouping: views based on file type, size, extension, metadata, etc.
FIND DELETED FOLDERS/FILES [X] – EXTRACT
DATA SOURCE SUMMARY
USING ANALYSIS TOOLS
IMAGES / VIDEO
GEOLOCATION
TIMELINE
DISCOVERY
GENERATE REPORT
COMPLETE REPORT DIRECTORY