TINAELLIS\Cybersecurity

Welcome to my blog!

---

Home Projects .py TI Linux DFED Networks Community

Forensic Toolkit Basics

Back

A Note On FTK Tools

AccessData.com provides a suite of forensics tools.

• Forensic Toolkit (FTK): Referred to as "FTK". This program provides robust forensics analysis options, including disk imaging, file decryption, password cracking, registry file parsing, data carving, reporting, and more. This toolkit has a 5000 file limit on the demo version.
• AccessData FTK Imager: This program is the go-to for creating disk images, features include hash reporting, image mounting, APFS image captures, and more. Especially useful to view and export a smaller subset of folders or files from the evidence tree of an image.

Add Evidence to FTK

Forensic Toolkit FTK

• Open Forensic Toolkit FTK
• Select “No” to run in Demo Mode
• Start a new case
• Input Case Information (this will be used on the generated report)
• Select Case Path (where you would like the case files stored)
• Forensic Examiner Info (you can leave this blank)
• Case Log Options (information included in case log)
• Processes to Perform
• These options will need to change depending on your objectives. Unselect options you’re not using to shorten processing time.
• Refine Case & Index Defaults
• You can add these options on later as needed, which shortens initial processing time.
• Add Evidence
• Select Next
• Select Finish

Additional Resources

• Simplified process of loading forensics image

Using FTK

Overview Tab

Evidence Item: Select the evidence item to see the loaded content.

File Status Column

• Bad Extension: File extension doesn’t match the file type
• Deleted Files and Recycle Bin: files are different because of the additional system files that are created and placed in the recycle bin when a file is marked for deletion
• OLE Subitems: links and embedded items

File Category Column

Items are broken up by actual file type. word docs, plain text docs, html docs, etc and anything plaintext will be able to be read there. Archives are zipped files. Slack free space (so if it found files in the slack space).

Explore Tab

Allows us to look at the files like we would through windows explorer. From here we can pick off low-hanging fruit in forensics investigation (my pictures / my documents) folders.

Graphics Tab

The graphics tab is meant for finding easy stuff and analyzing image files.

Additional Resources

• Finding and viewing files with bad extensions
• Bookmarking evidence and creating reports
• Exporting and Viewing Videos

Performing Basic Text Searches

Build a Word Index

• Select File > Add Evidence
• Select “Full Text Index” checkbox
• This option takes some time to process. It builds an index with every word that is in the image.
• Allows you to perform text searches using the search field.

Build a word index after an image has been processed

• Tools > Analysis Tools > Full Text Indexing

Indexed Search

• Select the Search Tab
• Select Indexed Search
• Type in term or import from file
• After the search is completed, select “View Item Results” to see results
• Add additional search terms to perform a Compound search

Additional Resources

• Expand or narrow searches with stemming (adding ed / ing onto a word)
• Phonics - find words like “raise, race, raze, rays”
• Fuzzy option - spelling errors
• Set date limits
• Size and Filename Patterns
• Using Wildcards in Search String
• Export List of Words

Regular Expressions

• Select Search
• Live Search
• Select “Regular Expression” checkbox
• Select > arrow
• A list of prebuilt Regular Expressions appears

Additional Resources

• Regular Expressions
• Building Regular Expressions
• Download / Install Regular Expressions