Transcript Document
2012 Provides the backstory behind the crime Provides pertinent information related to the motive behind the crime Requires the use of 2 software packages: ◦ Forensics Tool Kit (FTK) Version 1.8.0 or 1.8.1 ◦ S-Tools Software must be downloaded on your laptop prior to the competition 1. 2. 3. 4. 5. Creating & Opening a Computer Forensics Case Finding Hidden Data in Slack Space or Unallocated Space Finding a Recently Deleted File Finding a File with an Improper File Extension Finding a Stego’d Image or Data Hidden in a JPG File How you do it? A. Start FTK and Create a New Case B. Add evidence C. Save the case on exiting Once created you only need to start FTK and open an existing file to continue working on the case A case represents an ‘incident’ You will need to supply: ◦ Name or number of Case ◦ Investigator’s name ◦ Evidence to be added to the case New cases can be Created You can Open existing cases previously created Should run in “administrator mode” ◦ Right-click FTK icon and select “run as administrator” Or… click properties, and select appropriate option for icon (then you won’t need to repeat each FTK startup) You may receive a prompt looking for “security device” ◦ It’s OK to run without the dongle or security device USB “dongle” is required to run FTK in “Full Mode” Also might ask for “Code Meter ◦ We’re running in Demo Mode Limits us to 5,000 files in the case, but otherwise fully functional! Known File Filter ◦ Used to “ignore” Known Files ◦ OK to load FTK without KFF Select the appropriate option ◦ Generally you’ll either be creating new case or opening an existing case Enter Captions for ◦ Case Number I chose LIPD-2012-0001 Long Island Police Dept., Case 1 of 2012 ◦ Case Name Something meaningful ◦ Case Path The folder where case saved on hard drive The default is the case name Enter information about investigator Case Log Options Processes to perform Refine case Refine index ◦ Next screen ◦ Select all options ◦ Next screen ◦ Keep default values ◦ Next screen ◦ Accept defaults ◦ Next screen ◦ Accept defaults ◦ Next screen Information to be added to the Case ◦ Acquired forensic “image” of Drive This is a single file, but contains contents of an entire drive!!! Similar to a “zip file” Also referred to as “image file” Bitstream file Bit-for-bit image file This “image file” is captured and produced by some forensic software or utility program Viewed with forensic software which “understands” the file structure It is NOT the same as a GIF or JPEG, which is a PICTURE type of image file and IS a single file ◦ Local Drive (not on CSI 2012) Attached to the system and addressable as a disk drive For example, the C: or E: disk Could include a CD, DVD, USB, etc.. ◦ Contents of a Folder ◦ Individual File Created earlier by someone using ◦ Utility program or Forensic software Fill in captions ◦ Evidence Name/Number For example, an item number of the evidence list Serial number, if unique ◦ Comments (optional) How acquired or unusual circumstances, etc.. ◦ Local Evidence Time Zone Evidence Added. -05:00 for NY All timezone Click “Next” Don’t forget about Daylight Savings, if it applies! Used for time comparisons After clicking “Finish” ◦ FTK will Process Files ◦ Add them to the case As part of adding evidence FTK will ◦ Keep track of certain items and summarize them ◦ Build an “index” of words or terms encountered Can be used to short-cut a search Can be used to identify words in the entire case Might provide insight into something not normally considered For example, seeing “gun”, “secret” or “password” as one of the words in the index FTK presents 3 “panes” or “panels” by default FTK provides a list of “summary” buttons with counts ◦ Users can configure the placement if desired ◦ Clicking on these can bring up those items in a detail pane so that you focus on them Bad extensions Image files Deleted files Documents Unknown types Folders Bookmarked items etc Tabs on the main window ◦ ◦ ◦ ◦ ◦ ◦ Overview Explore Graphics Email Search Bookmark Shows general information about the case ◦ Selection in one “pane” shows details in another “pane” or sub-window The “bad extensions” shows 7 files in the bottom pane ◦ Selecting one of the files in the bottom pane shows the contents in the 3rd pane (upper right) File list contains information about files ◦ “X” icon indicates deleted file ◦ File extension might indicate one type of file In reality, another type of file Shows a “Windows Explorer” style of presentation ◦ 3 evidence items seen Each has sub-items ◦ Collapsible or expandable levels Click on Plus or Minus signs to expand/collapse views Selected item is shown in 3rd pane List of items in the selected item are shown in bottom (2nd) pane ◦ Clicking on one of these will present that item in the 3rd (top-right) pane Icons at top of 3rd pane ◦ Alter the “presentation” of data View as native application Text view Hexadecimal view ◦ It’s the same data, just a different way of viewing it! The following demonstrates what a user sees if selecting a single file in Explorer Tab Selecting Giants Tickets.doc in Explorer Tab Word document ◦ Really made up of different “components” Selecting the file shows an item list of components in the file File slack is one of them Shows a pane with thumbnails of images in the currently selected item in your case On the main menu ◦ Select “File” Close Closes the case, remains in FTK Save Allows you to continue working on the case Exit Allows you to save (and backup.. Optional) the case Shuts down FTK What is “Slack Space”? ◦ It’s disk space which belongs to a file, but is not considered part of the file’s data Happens because of the way the system allocates disk space to files ◦ How does the system give disk space to a file? By “clusters”… a collection of 1 or more disk “sectors” A “sector” is 512 bytes (depends on the system) A cluster can be 1, 2, 4, or 8 sectors Files are written in these clusters, and don’t normally fill up an entire sector or cluster ◦ Two types of “Slack Space” Ram slack Disk space after the file data and before the end of that sector File slack Disk space in sectors not used by the file, but belonging to the file What’s the significance of “slack space”? ◦ Contents of RAM slack is generally whatever was in memory when the file was saved last Might be a password, credit card number, etc.. Or garbage ◦ File slack’s contents can simply be whatever was left over and not erased when no longer needed by some other file Maybe even another user created that other file ◦ Slack can be used to hide information It’s not visible to users It won’t be “grabbed” by system and overwritten In Overview Tab ◦ Select Slack/Free Space button Details pane contains all slack/free space items Full Path describes where that slack space is located In a specific file ◦ It’s part of the file, but not part of the data itself Comes after the “end of file” marker Do a “search” ◦ Word might appear in “slack”, which might indicate an attempt at hiding something Start from the “Explore” Tab ◦ Locate the file (Giants Tickets.doc) This file is deleted ◦ Highlight the file in Explore You’ll see: Pane 2 (Lower pane): list of embedded “stuff” in the file, INCLUDING FileSlack Pane 3 (Upper right): The document as presented by FTK believing it to be a “Word doc” ◦ Then… in pane 2, select “File Slack” and observe what’s displayed in pane 3 Conduct a search ◦ Examine the returned “hits” of the search Search results (“hits”) indicate where the occurrence was Even if in slack space Each “hit” also shows the data immediately before and after the “hit” phrase Click the SEARCH tab ◦ As you type a word or “character string” Indexed words in case show up ◦ Once you’ve found or typed your search term ADD it to the search You’ll see # of hits You’ll see # of files containing those “hits” Select the “hits” for the search item ◦ Then “View Item Results” ◦ You can use “AND” or “OR” logic when looking for multiple search items in the same file AND requires all to be present OR requires any one of them to be present Indexed vs. Live ◦ Indexed Looks up terms indexed by FTK as evidence was added ◦ Live Looks up a term which wasn’t necessarily in the index built by FTK Options Text ASCII UNICODE CASE SENSITIVE REGULAR EXPRESSION Hexadecimal Keep ASCII and Unicode selected Default is “ignore case” Will take time Regular expressions (NOT IN CSI 2012) ◦ They’re both defaults ◦ Won’t care if upper or lower ◦ Searches the entire case ◦ A “pattern” to match Zip code Telephone number Social security number Credit card number Hexadecimal ◦ Look for “non-printable” character values How do you find a deleted file? ◦ Overview Tab Select the summary button for Deleted Files All those files appear in the lower pane ◦ In the Explorer Tab You can view the “directory structure” in the 1st pane Deleted files appear with a red “X” on the icon of the file or folder ◦ Deleted files are often recoverable You need to EXPORT the file Why could this be significant? ◦ Investigator might recover information the suspect was attempting to hide or destroy ◦ might demonstrate intent to evade detection It can be demonstrated that a large number of files were deleted Just prior to execution of a search warrant After being interviewed by the police After receiving a call from a victim or conspirator When taken into account, might provide circumstantial evidence of intent How you do it? ◦ Overview Tab Find the Summary Button for “Bad Extensions” Pane 2 lists all those files ◦ Explorer Tab Navigate to the location Pane 2 shows files in that location, with additional information for each file What is “exporting”? ◦ Exporting allows an investigator to Select a file or files Save them as discrete files to another location outside of the FTK Case file Why? ◦ Allows investigators to process the exported file “natively” using applications such as Word, Excel, Paint, etc Some files must be processed natively (for example a Stego’d file must be exported and handled using S-Tools as explained in section 5) ◦ Can burn to a DVD and give to DA or other investigator ◦ Allows investigator to consolidate items of interest in one place and present only those items How do you export a file? ◦ Select the file (highlight it) in Explorer Tab ◦ Right-click on the file, and “Export it” How do we find the file? ◦ Overview Tab Click on the “Improper Name” summary button ◦ Explorer Tab In pane 2 (lower pane), improper file extensions will be noted What it means ◦ It might be a deliberate attempt to evade detection and hide information Information might be important ◦ It could also just be a mistake on the part of the user File saved or renamed with the wrong extension How do I process a file with an “Improper File Extension”? ◦ Note the type of file it really should be ◦ Export the file ◦ Use the appropriate software to view the file, according to the “real type” of file it is How you do it? ◦ Certain files, such as Windows “BMP” files, can be “containers” ◦ Software such as S-Tools can hide information inside these “container files” a. Locate a suspected “stego’d” file (the container file) a. Should be a “BMP” file b. Export it from FTK’s Case i. This saves it as a separate file you can then process outside of FTK c. Use S-Tools to extract the “message file” from the “container file” i. Password or a passphrase might be required! Open S-Tools Drag the “exported” file believed to be a “container file” into S-Tools Right-click the “container” in S-Tools ◦ Select “Reveal” ◦ When prompted, provide the “passphrase” Can be a single word or a phrase Could be case sensitive ◦ A “revealed archive” window shows with the hidden file name and size ◦ Select the file in the “Reveal Archive” box Right-click the file you wish to extract from the container file Save as… Choose a location You’ve now successfully extracted the hidden message! The result! What it means ◦ Definitely a means of evading detection. It’s not accidental!! 1. Data is hidden 2. passphrase might be required ◦ Whoever can be demonstrated to know the passphrase either put the hidden data there, or knew how to retrieve it Guilty knowledge! Best of luck to all CSI Challenge participants!