Transcript Document
2012
Provides the backstory behind the crime
Provides pertinent information related to the motive behind the crime
Requires the use of 2 software packages:
◦ Forensics Tool Kit (FTK)
Version 1.8.0 or 1.8.1
◦ S-Tools
Software must be downloaded on your laptop prior to the competition
1. Creating & Opening a Computer Forensics Case
2. Finding Hidden Data in Slack Space or Unallocated Space
3. Finding a Recently Deleted File
4. Finding a File with an Improper File Extension
5. Finding a Stego’d Image or Data Hidden in a JPG File
How do you do it?
A. Start FTK and Create a New Case
B. Add evidence
C. Save the case on exiting
Once created, you only need to start FTK and open an existing file to continue working on the case
A case represents an ‘incident’
You will need to supply:
◦ Name or number of Case
◦ Investigator’s name
◦ Evidence to be added to the case
New cases can be Created
You can Open existing cases previously created
Should run in “administrator mode”
◦ Right-click FTK icon and select “run as administrator”
Or… click properties, and select appropriate option for icon
(then you won’t need to repeat each FTK startup)
You may receive a prompt looking for a “security device”
◦ It’s OK to run without the dongle or security device
USB “dongle” is required to run FTK in “Full Mode”
Also might ask for “Code Meter”
◦ We’re running in Demo Mode
Limits us to 5,000 files in the case, but otherwise fully functional!
Known File Filter
◦ Used to “ignore” Known Files
◦ OK to load FTK without KFF
Select the appropriate option
◦ Generally you’ll either be creating a new case or opening an existing case
Enter Captions for
◦ Case Number
I chose LIPD-2012-0001
Long Island Police Dept., Case 1 of 2012
◦ Case Name
Something meaningful
◦ Case Path
The folder where case saved on hard drive
The default is the case name
Enter information about investigator
Case Log Options
Processes to perform
Refine case
Refine index
◦ Next screen
◦ Select all options
◦ Next screen
◦ Keep default values
◦ Next screen
◦ Accept defaults
◦ Next screen
◦ Accept defaults
◦ Next screen
Information to be added to the Case
◦ Acquired forensic “image” of Drive
This is a single file, but contains contents of an entire drive!!!
Similar to a “zip file”
Also referred to as
“image file”
Bitstream file
Bit-for-bit image file
This “image file” is captured and produced by some forensic software or
utility program
Viewed with forensic software which “understands” the file structure
It is NOT the same as a GIF or JPEG, which is a PICTURE type of image file and
IS a single file
◦ Local Drive (not on CSI 2012)
Attached to the system and addressable as a disk drive
For example, the C: or E: disk
Could include a CD, DVD, USB, etc.
◦ Contents of a Folder
◦ Individual File
Created earlier by someone using
◦ Utility program or Forensic software
Fill in captions
◦ Evidence Name/Number
For example, an item number of the evidence list
Serial number, if unique
◦ Comments (optional)
How acquired, unusual circumstances, etc.
◦ Local Evidence Time Zone
-05:00 for NY
Don’t forget about Daylight Savings, if it applies!
Used for time comparisons
Click “Next”
Evidence Added.
After clicking “Finish”
◦ FTK will Process Files
◦ Add them to the case
As part of adding evidence FTK will
◦ Keep track of certain items and summarize them
◦ Build an “index” of words or terms encountered
Can be used to short-cut a search
Can be used to identify words in the entire case
Might provide insight into something not normally considered
For example, seeing “gun”, “secret” or “password” as one of the words in the index
FTK presents 3 “panes” or “panels” by default
FTK provides a list of “summary” buttons with counts
◦ Users can configure the placement if desired
◦ Clicking on these can bring up those items in a detail pane so that you can focus on them
Bad extensions
Image files
Deleted files
Documents
Unknown types
Folders
Bookmarked items
etc
Tabs on the main window
◦ Overview
◦ Explore
◦ Graphics
◦ Email
◦ Search
◦ Bookmark
Shows general information about the case
◦ Selection in one “pane” shows details in another “pane” or sub-window
The “bad extensions” button shows 7 files in the bottom pane
◦ Selecting one of the files in the bottom pane shows its contents in the 3rd pane (upper right)
File list contains information about files
◦ “X” icon indicates deleted file
◦ File extension might indicate one type of file
In reality, another type of file
Shows a “Windows Explorer” style of presentation
◦ 3 evidence items seen
Each has sub-items
◦ Collapsible or expandable levels
Click on Plus or Minus signs to expand/collapse views
Selected item is shown in 3rd pane
List of items in the selected item are shown in the bottom (2nd) pane
◦ Clicking on one of these will present that item in the 3rd (top-right) pane
Icons at top of 3rd pane
◦ Alter the “presentation” of data
View as native application
Text view
Hexadecimal view
◦ It’s the same data, just a different way of viewing it!
The following demonstrates what a user sees when selecting a single file in the Explorer Tab
Selecting Giants Tickets.doc in Explorer Tab
Word document
◦ Really made up of different “components”
Selecting the file shows an item list of components in the file
File slack is one of them
Shows a pane with thumbnails of images in the currently selected item in your case
On the main menu
◦ Select “File”
Close
Closes the case, remains in FTK
Save
Allows you to continue working on the case
Exit
Allows you to save (and optionally back up) the case
Shuts down FTK
What is “Slack Space”?
◦ It’s disk space which belongs to a file, but is not considered part of the file’s data
Happens because of the way the system allocates disk space to files
◦ How does the system give disk space to a file?
By “clusters”… a collection of 1 or more disk “sectors”
A “sector” is 512 bytes (depends on the system)
A cluster can be 1, 2, 4, or 8 sectors
Files are written in these clusters, and don’t normally fill up an entire sector or cluster
◦ Two types of “Slack Space”
Ram slack
Disk space after the file data and before the end of that sector
File slack
Disk space in sectors not used by the file, but belonging to the file
What’s the significance of “slack space”?
◦ Contents of RAM slack is generally whatever was in memory when the file was last saved
Might be a password, credit card number, etc., or garbage
◦ File slack’s contents can simply be whatever was left over and not erased when no longer needed by some other file
Maybe even another user created that other file
◦ Slack can be used to hide information
It’s not visible to users
It won’t be “grabbed” by system and overwritten
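The arithmetic behind RAM slack and file slack, worked as an added example (not part of the CSI Challenge material or of FTK): the sector size and 4-sector cluster are assumed values, and the cluster contents, the leftover password and the old remnant are constructed so a strings pass over each slack region has something to find.

```python
import math

SECTOR = 512             # bytes per sector (the page notes this depends on the system)
SECTORS_PER_CLUSTER = 4  # assumed for this example: 4 x 512 = 2048-byte clusters


def slack_layout(file_size, sector=SECTOR, sectors_per_cluster=SECTORS_PER_CLUSTER):
    """Return (ram_slack, file_slack, allocated) in bytes for a file of file_size bytes."""
    cluster = sector * sectors_per_cluster
    allocated = math.ceil(file_size / cluster) * cluster       # whole clusters given to the file
    data_sectors_end = math.ceil(file_size / sector) * sector  # end of the sector holding the last data byte
    ram_slack = data_sectors_end - file_size    # after the data, before the end of that sector
    file_slack = allocated - data_sectors_end   # sectors never written, still owned by the file
    return ram_slack, file_slack, allocated


def printable_strings(buf, min_len=4):
    """Runs of printable ASCII at least min_len long (what a 'strings' pass would show)."""
    found, run = [], bytearray()
    for b in buf + b"\x00":                     # trailing NUL flushes the last run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def carve_slack(cluster_bytes, file_size):
    """Split the file's clusters into data / RAM slack / file slack; return strings found in each slack."""
    ram_slack, file_slack, allocated = slack_layout(file_size)
    ram = cluster_bytes[file_size:file_size + ram_slack]
    fs = cluster_bytes[file_size + ram_slack:allocated]
    return printable_strings(ram), printable_strings(fs)


def build_sample_cluster():
    """Constructed 2048-byte cluster: a 1500-byte document, 36 bytes of RAM slack, 512 bytes of file slack."""
    data = b"A" * 1500
    ram = b"\x00" * 10 + b"password: giants12" + b"\x00" * 8   # memory contents at save time (made up)
    leftover = b"old remnant: meet at pier 9"                    # from an earlier, deleted file (made up)
    return data + ram + leftover + b"\xff" * (512 - len(leftover))


if __name__ == "__main__":
    print(slack_layout(1500))                        # (36, 512, 2048)
    print(carve_slack(build_sample_cluster(), 1500))
```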
In Overview Tab
◦ Select Slack/Free Space button
Details pane contains all slack/free space items
Full Path describes where that slack space is located
In a specific file
◦ It’s part of the file, but not part of the data itself
Comes after the “end of file” marker
Do a “search”
◦ A word might appear in “slack”, which might indicate an attempt at hiding something
Start from the “Explore” Tab
◦ Locate the file (Giants Tickets.doc)
This file is deleted
◦ Highlight the file in Explore
You’ll see:
Pane 2 (Lower pane): list of embedded “stuff” in the file, INCLUDING FileSlack
Pane 3 (Upper right): The document as presented by FTK, believing it to be a “Word doc”
◦ Then… in pane 2, select “File Slack” and observe what’s displayed in pane 3
Conduct a search
◦ Examine the returned “hits” of the search
Search results (“hits”) indicate where the occurrence was
Even if in slack space
Each “hit” also shows the data immediately before and after the “hit” phrase
Click the SEARCH tab
◦ As you type a word or “character string”
Indexed words in case show up
◦ Once you’ve found or typed your search term
ADD it to the search
You’ll see # of hits
You’ll see # of files containing those “hits”
Select the “hits” for the search item
◦ Then “View Item Results”
◦ You can use “AND” or “OR” logic when looking for multiple search items in the same file
AND requires all to be present
OR requires any one of them to be present
Indexed vs. Live
◦ Indexed
Looks up terms indexed by FTK as evidence was added
◦ Live
Looks up a term which wasn’t necessarily in the index built by FTK
Options
◦ Text
ASCII and Unicode: keep both selected (they’re both defaults)
Case sensitive: the default is “ignore case” (won’t care if upper or lower)
Regular expression (NOT IN CSI 2012): a “pattern” to match, such as a zip code, telephone number, social security number or credit card number
◦ Hexadecimal
Look for “non-printable” character values
A live search searches the entire case and will take time
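What a live search does under the hood, as an added example written for this page (it is not FTK code and makes no claim about FTK’s internals): the ASCII pass, the Unicode pass (UTF-16LE, the form Windows stores many strings in), the ignore-case default, a regular-expression pattern, hit context before and after the match, and AND/OR logic across files. The sample evidence bytes are constructed.

```python
import re


def _hit(image, start, end, encoding, context):
    """One hit: where it was found plus the bytes just before and after it, as FTK's hit list shows."""
    return {"offset": start, "encoding": encoding,
            "before": image[max(0, start - context):start],
            "match": image[start:end],
            "after": image[end:end + context]}


def live_search(image, term, ascii_=True, unicode_=True, case_sensitive=False, regex=False, context=12):
    r"""Scan raw image bytes (allocated data, slack and free space alike) for a term.
    ascii_ checks the 8-bit encoding; unicode_ checks UTF-16LE.
    Regular expressions (e.g. r"\d{3}-\d{2}-\d{4}" for an SSN) are applied to the ASCII view only here."""
    flags = 0 if case_sensitive else re.IGNORECASE      # bytes patterns fold ASCII letters only
    hits = []
    if ascii_:
        pat = term.encode("latin-1") if regex else re.escape(term.encode("latin-1"))
        hits += [_hit(image, m.start(), m.end(), "ascii", context) for m in re.finditer(pat, image, flags)]
    if unicode_ and not regex:
        pat = re.escape(term.encode("utf-16-le"))        # 'G\x00i\x00a\x00...' as stored on disk
        hits += [_hit(image, m.start(), m.end(), "utf-16le", context) for m in re.finditer(pat, image, flags)]
    return sorted(hits, key=lambda h: h["offset"])


def files_with_terms(files, terms, logic="AND", **opts):
    """Names of files (a dict name -> bytes) containing all terms (AND) or at least one of them (OR)."""
    combine = all if logic.upper() == "AND" else any
    return [name for name, data in files.items()
            if combine(live_search(data, t, **opts) for t in terms)]


# Constructed sample "evidence": an ASCII string, a UTF-16LE string and an SSN-shaped number.
SAMPLE_IMAGE = (b"Invoice for Giants Tickets" + b"\x00" * 8
                + "secret".encode("utf-16-le") + b"\x00" * 4
                + b"SSN 123-45-6789 on file" + b"\xff" * 8)

if __name__ == "__main__":
    for h in live_search(SAMPLE_IMAGE, "giants"):
        print(h)
    print(live_search(SAMPLE_IMAGE, r"\d{3}-\d{2}-\d{4}", regex=True)[0]["match"])
```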
How do you find a deleted file?
◦ Overview Tab
Select the summary button for Deleted Files
All those files appear in the lower pane
◦ In the Explorer Tab
You can view the “directory structure” in the 1st pane
Deleted files appear with a red “X” on the icon of the file or folder
◦ Deleted files are often recoverable
You need to EXPORT the file
Why could this be significant?
◦ Investigator might recover information the suspect was attempting to hide or destroy
◦ Might demonstrate intent to evade detection
It can be demonstrated that a large number of files were deleted
Just prior to execution of a search warrant
After being interviewed by the police
After receiving a call from a victim or conspirator
When taken into account, might provide circumstantial evidence of intent
How do you do it?
◦ Overview Tab
Find the Summary Button for “Bad Extensions”
Pane 2 lists all those files
◦ Explorer Tab
Navigate to the location
Pane 2 shows files in that location, with additional information for each file
What is “exporting”?
◦ Exporting allows an investigator to
Select a file or files
Save them as discrete files to another location outside of the FTK Case file
Why?
◦ Allows investigators to process the exported file “natively” using applications such as Word, Excel, Paint, etc.
Some files must be processed natively (for example a Stego’d file must be exported and handled using S-Tools as explained in section 5)
◦ Can burn to a DVD and give to DA or other investigator
◦ Allows investigator to consolidate items of interest in one place and present only those items
How do you export a file?
◦ Select the file (highlight it) in Explorer Tab
◦ Right-click on the file, and “Export it”
How do we find the file?
◦ Overview Tab
Click on the “Improper Name” summary button
◦ Explorer Tab
In pane 2 (lower pane), improper file extensions will be noted
What it means
◦ It might be a deliberate attempt to evade detection and hide information
Information might be important
◦ It could also just be a mistake on the part of the user
File saved or renamed with the wrong extension
How do I process a file with an “Improper File Extension”?
◦ Note the type of file it really should be
◦ Export the file
◦ Use the appropriate software to view the file, according to the “real type” of file it is
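How a “bad extension” is decided, as an added example (this is not FTK’s code and does not reproduce its signature table): the leading bytes of a file are compared against known signatures and the result is checked against the name’s extension. The signature list is a small assumed subset, and the sample files are constructed headers only.

```python
import os

# Leading byte signatures ("magic numbers") for a few common types; a subset assumed for this example.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"BM", "bmp"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound file (Word/Excel 97-2003)
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
]

# Extensions that legitimately share a signature.
ACCEPTED = {"jpg": {"jpg", "jpeg"}, "doc": {"doc", "xls", "ppt"},
            "zip": {"zip", "docx", "xlsx", "pptx"}}


def real_type(data):
    """Type implied by the file's first bytes, independent of its name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_extension(name, data):
    """Return (claimed_ext, real_type, bad); bad means the name and the content disagree."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = real_type(data)
    bad = kind != "unknown" and ext not in ACCEPTED.get(kind, {kind})
    return ext, kind, bad


def bad_extensions(files):
    """Names of files (dict name -> bytes) whose extension does not match their signature."""
    return [name for name, data in files.items() if check_extension(name, data)[2]]


# Constructed sample evidence (only the headers matter for the check).
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
SAMPLE_FILES = {
    "Giants Tickets.doc": OLE,                         # Word file named as such: fine
    "vacation.jpg": b"BM" + b"\x00" * 14,              # really a BMP: note the real type before exporting
    "budget.txt": OLE,                                 # really a Word/Excel document
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # .jpeg is an accepted spelling for a JPEG
    "readme.txt": b"plain text",                       # no known signature: not flagged
}

if __name__ == "__main__":
    print(bad_extensions(SAMPLE_FILES))   # ['vacation.jpg', 'budget.txt']
```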
How do you do it?
◦ Certain files, such as Windows “BMP” files, can be “containers”
◦ Software such as S-Tools can hide information inside these “container files”
a. Locate a suspected “stego’d” file (the container file)
i. Should be a “BMP” file
b. Export it from FTK’s Case
i. This saves it as a separate file you can then process outside of FTK
c. Use S-Tools to extract the “message file” from the “container file”
i. Password or a passphrase might be required!
Open S-Tools
Drag the “exported” file believed to be a “container file” into S-Tools
Right-click the “container” in S-Tools
◦ Select “Reveal”
◦ When prompted, provide the “passphrase”
Can be a single word or a phrase
Could be case sensitive
◦ A “revealed archive” window shows with the hidden file name and size
◦ Select the file in the “Reveal Archive” box
Right-click the file you wish to extract from the container file
Save as…
Choose a location
You’ve now successfully extracted the hidden message!
The result!
What it means
◦ Definitely a means of evading detection. It’s not accidental!!
1. Data is hidden
2. passphrase might be required
◦ Whoever can be demonstrated to know the passphrase either put the hidden data there, or knew how to retrieve it
Guilty knowledge!
Best of luck to all CSI Challenge participants!