Running head: FTK IMAGER 1

Transcription

1 Running head: FTK IMAGER 1 FTK Imager Jean-Raymond Ducasse CSOL-590 June 26, 2017 Thomas Plunkett

2 FTK IMAGER 2 FTK Imager Outline Process for Adding Individual Files & Folders as Evidence Items Although FTK Imager allows different source options for adding individual files and folders as evidence items including physical, logical, image and contents of a folder; for purposes of this lab the recommended practice will be to create an image. This is because images contain every bit of data from the source disk and a copy operation will only retrieve currently accessible files. An image is a static snapshot that can be analyzed and used as evidence in a courtroom, while still preserving the original source disk. It contains current files in addition to slack space and unallocated space, which may include deleted files and hidden data (Vandeven, n.d.). If you want to image a USB Flash drive for example, ensure you have a write blocker to avoid inadvertently writing anything to the source drive. From there, open up FTK Imager, go to file, and select create disk image.

3 FTK IMAGER 3 Select physical drive as the source and the USB device from the drop down. The two most widely used imaging formats is the EnCase evidence file format (E01) and the RAW image format, so for the purposes of this lab select E01 and next. Enter the evidence item information, the new image name, select the destination folder and finish.

4 FTK IMAGER 4 Once the image has been created, you can now view the contents and add individual files and folders as evidence items by going to file, add evidence item and browse to select the USB image file that was created.

5 FTK IMAGER 5 From there you can right click on files and folders and either export a copy to review with native software or add to custom content image to begin compiling a list of files to put into an image, allowing you to selectively include specific files instead of all of the files from the device into the image file you create.

6 FTK IMAGER 6 Explain Differences Between Hexadecimal & Text View Computers store text as numbers and with hex view you display the numbers not as a decimal number, but in base 16. Hex or base 16 or hexadecimal is a numeral system that uses 16 symbols. The symbols include 0-9 and a-f (sometimes A-F). While computers work with binary data, it can be difficult for humans to work with a large number of digits. Humans typically use a base 10 system, while for computer applications it is easier to work with hexadecimal than decimal. As hex saves space (either paper space or screen space), you can more efficiently use hex instead of a large number of ones and zeros. Hex numbers represent large numbers compactly and are used in programming since computers use bytes as a unit of information. In hex you need two digits, whereas you need 8 binary digits to represent a byte ("About Convert Hexadecimal to Text Tool", 2017). Text mode allows you to preview a file s contents as ASCII or Unicode characters, even if the file is not a text file. This mode can be useful for viewing text and binary data that is not visible when a file is viewed in its native application. Hex mode allows you to view every byte of data in a file as hexadecimal code. You can use the Hex Value Interpreter in FTK Imager to interpret hexadecimal values as decimal integers and possible time and date values. Preview modes apply only when displaying file data. The data contained in folders or other non-file objects is always displayed in hexadecimal format ("Accessdata Ftk Imager", n.d.

7 FTK IMAGER 7 Strengths of FTK Imager FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence and create forensic images of computer data without making changes to the original evidence. Some of the strengths of FTK Imager include: Creation and preview of forensic images of hard drives, floppy diskettes, Zip disks, CDs, and DVDs, entire folders, or individual files from various places within the media. Mount an image for a read-only view that leverages Windows Explorer to see the content of the image exactly as the user saw it on the original drive. Export files and folders from forensic images. See and recover files deleted from the Recycle Bin, but have not yet been overwritten on the drive. Create Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1) hash files. Generate hash reports for regular files and disk images you can later use as a benchmark to prove the integrity of your case evidence. When a full drive is imaged, a hash generated by FTK Imager can be used to verify that the image hash and the drive hash match after the image is created, and that the image has remained unchanged since acquisition ("About Ftk Imager", n.d.).

8 FTK IMAGER 8 Weaknesses of FTK Imager To be honest, as compared to its competition; there was very little if any, I could determine as a weakness for FTK Imager. Each time I researched the disadvantages of FTK Imager, it implied weaknesses such as lack of an image mount, a 2 million file limit, the inability to open cases if the drive letter changed, no scripting support, Photoshop (PSD) and AVI support (McAnn, 2017). However, those constraints were in previous versions of FTK Imager, and since then the latest version has resolved those limitations. About the only real disadvantage was I could find was that FTK Imager and FTK Imager CLI is unable to generate output formats Ex01, which can be compressed using the bzip algorithm and encrypted using the AES-256 encryption cipher, whereas the competition EnCase and SAN SIFT s Workstation ewfacqure can (Vandeven, n.d.).

9 FTK IMAGER 9 Zimmerman Telegram JPG Hex Code Below is the Zimmerman Telegram JPG displayed as hex code FF D8 FF ("Jpg Signature Format: Documentation & Recovery Example", 2017)..

10 FTK IMAGER 10 References Vandeven, S. (n.d.). Forensic Images: For Your Viewing Pleasure. Retrieved from About Convert Hexadecimal to Text Tool. (2017). Retrieved from AccessData FTK Imager. (n.d.). Retrieved from About FTK Imager. (n.d.). Retrieved from McAnn, J. (2017). The Real World Forensics. Retrieved from JPG Signature Format: Documentation & Recovery Example. (2017). Retrieved from