
Computer Forensic Software - Coursework Example

Summary
The paper "Computer Forensic Software" discusses that good visualizations and visual interfaces can be essential in reducing the time required to analyze data. This helps the user in acquiring overview information concerning the data, anomalies, and spot patterns…

Chapter 1

This is an introductory thesis as well as a demonstration of the advantages that come with using the Forensic Toolkit (FTK). FTK is invaluable computer software that was developed several decades ago by the AccessData company and is currently in use by many investigative organizations worldwide. Several subjects are covered, including evidence imaging, e-mail investigations, data recovery, analysis of file structures, hidden and deleted file recovery, password recovery, and decryption of encrypted data, in addition to forensic visualization, which is important in reducing the amount of time required to inspect and analyze vast amounts of data. This thesis will also cover three integrated toolkits that are mainly related to FTK: FTK Imager, a disk imaging program that saves a hard drive's image in a single file so that it can be analyzed later using FTK; the Registry Viewer toolkit; and the Password Recovery Toolkit [5]. Furthermore, the FTK lab machine will be used to work with the toolkits and will be applied to different cases related to FTK. Other important subjects to be covered include how a forensic image is created, as well as previewing and organizing available evidence by creating a case in AccessData's FTK, which is compulsory. The procedure for managing and processing case data effectively by using bookmarks and check marks will also be explained. The procedure for creating a professional report that summarizes evidence for use in the courtroom, the identification of the basic elements of the Windows registry, and the procedure for creating dictionary profiles that are essential in the recovery of passwords will also be covered.

Chapter 2: Introduction

Contemporary society has advanced towards extensive application of electronic devices in almost all aspects of life. The computer infrastructure is one of the most important parts of modern organizations, ranging from small and medium to large. Although computers are essential in most modern activities, the incorporation of information devices and technology has elevated the risks to the most important asset of organizations, which is information [1]. The need to eliminate or alleviate this risk has brought about investigative tools that are mostly used in curbing cybercrime as well as obtaining digital evidence used in prosecuting criminals who exploit the technology for malicious intent. FTK showcases speed, stability, and ease of use, and is one of the few court-accepted investigation applications in use in the modern world. The software provides comprehensive processing and indexing, making it easier and faster to search for and locate specific information. This improves overall analysis speed to the point that most countries recognize FTK as the standard application in computer forensics. The enterprise-class, database-driven architecture can handle huge data sets while exhibiting stability and high processing speeds not present in other forensic software. FTK has maintained its superiority in industry-standard forensic technologies for at least two decades [1].

The Big Picture

The basic procedures for undertaking a computer forensic examination using FTK and FTK Imager include acquisition and preservation of the evidence, analysis of the evidence, presentation of the evidence through a case report documenting the evidence, and investigation of the final results [3].

Handling Evidence

Computer forensics usually involves the analysis, preservation, and presentation of computer evidence. However, this information can be modified or even destroyed. For information obtained through forensics to be accepted as valid, especially in court cases, it must be obtained by following predetermined procedures. To assure the integrity of the evidence, procedures require individuals to refrain from working on the original files and instead take an image of the hard disk or the subject file, so that the original files are not tampered with [4]. Moreover, to confirm that the original files have not been tampered with, investigators compare the hash of the original file against the hash of the image used in the investigation. Hashing is a very important aspect of forensic investigation since it provides mathematical validation that the files used during the investigation match the contents of the original files.

FTK Advantages

1. FTK can analyze data from diverse sources, such as image files from different vendors, and can produce a case log file when instructed to do so.
2. FTK provides a simple and friendly user interface, fast searching, bookmarking, password dictionary creation, reporting, and EFS decryption.
3. FTK develops a keyword index of an entire image at the start of a procedure, which makes future searches easier and faster. Without the keyword index, a search usually takes longer.
4. FTK's e-mail function allows the user to view e-mails in user-friendly HTML displays. The e-mail display also allows the user to document the e-mails in HTML reports and to print and export e-mail messages along with any associated attachments. This is one of the program's best advantages [17].

Chapter 3: Starting FTK Imager

FTK Imager is a preview and data imaging tool that allows the user to access electronic information and scan hard drives for specified information. This tool can create copies of computer data without altering the content of the original files and data [4]. With it, an individual can export files and folders from a forensic image and create forensic images of local floppy drives, hard drives, DVDs, and CDs. The same tool can generate hash reports for regular files as well as disk images.

Set Up a Virtual Lab

This part deals with real cases to show how essential it is for investigators to use FTK applications. To accomplish the virtual lab setup, this part makes use of the Lewis University FTK laboratory through the VMware View Client software. To access the FTK lab remotely, the software must first be downloaded.

Starting a New Case: The Mantooth Case

This part of the thesis deals with a case that is assessed in detail to show how beneficial the toolkit is in field application. The case involves hidden or deleted files. To acquire a hard drive image, there are two main mandatory requirements: access to the data through FTK Imager, which is required by the forensic analyst [5], and an external USB hard disk drive on which the acquired image files are saved for easier portability. FTK Imager, a separate tool included with FTK, allows the analyst to preview images and drives without the need to include the original evidence in the case [3]. The application can also convert images, view images, and show file and folder properties in addition to showing the file system. Within the application, an analyst can add an evidence item by navigating to Add Evidence Item under the File menu.

Acquiring a Disk Image

First, the analyst must determine whether the disk to be acquired is logical or physical. This distinction is essential and depends on the goal of the analyst. Analyzing a physical disk requires creating an image of the entire physical hard drive, beginning from sector zero and ending at the last sector. This also acquires all logical volumes on the disk.
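As an added example (not part of the original coursework or of AccessData's tools), the following Python script builds a small constructed raw (dd-style) physical image, parses the MBR partition table in sector zero, and carves out what a logical acquisition of one volume would contain, which makes the physical/logical distinction concrete. The disk layout, volume markers and sizes are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512                      # sector size assumed for this constructed image
MBR_TABLE_OFFSET = 446            # partition table occupies bytes 446..509 of sector zero
MBR_SIGNATURE = b"\x55\xAA"       # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, start LBA, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sector_count - 1


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Decode the four primary partition entries from sector zero of a physical image."""
    if len(sector0) < SECTOR:
        raise ValueError("sector zero must be at least 512 bytes")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA MBR signature")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            ENTRY_FMT, sector0, MBR_TABLE_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue                       # unused table slot
        parts.append(Partition(i, status == 0x80, ptype, start, count))
    return parts


def logical_image(physical: bytes, part: Partition) -> bytes:
    """Return the bytes a logical acquisition of one volume would capture:
    from its volume boot record to its last allotted sector, and nothing else."""
    start, end = part.start_lba * SECTOR, (part.end_lba + 1) * SECTOR
    if end > len(physical):
        raise ValueError("partition extends past the end of the image")
    return physical[start:end]


def build_sample_image() -> bytes:
    """Constructed sample: a 64-sector 'disk' with an MBR and two volumes."""
    img = bytearray(64 * SECTOR)
    img[0:8] = b"BOOTCODE"                 # stands in for the real MBR boot code
    table = [
        (0x80, 0x07, 8, 24),               # bootable NTFS volume, sectors 8..31
        (0x00, 0x0B, 32, 32),              # FAT32 volume, sectors 32..63
    ]
    for i, (status, ptype, start, count) in enumerate(table):
        struct.pack_into(ENTRY_FMT, img, MBR_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    img[510:512] = MBR_SIGNATURE
    # Volume boot records: jump instruction plus OEM ID, as real NTFS/FAT volumes begin
    img[8 * SECTOR:8 * SECTOR + 11] = b"\xEB\x52\x90NTFS    "
    img[32 * SECTOR:32 * SECTOR + 11] = b"\xEB\x58\x90MSDOS5.0"
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_image()
    for p in parse_mbr(disk[:SECTOR]):
        vol = logical_image(disk, p)
        print(f"partition {p.index}: type 0x{p.type_id:02X} LBA {p.start_lba}-{p.end_lba}, "
              f"logical image {len(vol)} bytes, OEM id {vol[3:11]!r}")
    print(f"physical image {len(disk)} bytes, includes MBR: {disk[:8] == b'BOOTCODE'}")
```

Only the physical image carries sector zero (boot code and partition table); each logical image starts at its own volume boot record, which is why a logical acquisition is smaller but cannot show how the disk was partitioned.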
One of the main advantages of acquiring a physical drive is that the analyst obtains all information, including the essential master boot record (MBR). However, this benefit is also a disadvantage, in that the process takes longer and requires more storage space on the evidence or target drive. Acquiring a logical drive, on the other hand, means imaging a single logical volume. By acquiring a logical drive, the analyst obtains only the data space allotted to that specific volume [4], that is, the space beginning with the volume boot record and ending at the last sector allotted to that volume. The type of acquisition to choose depends on the investigative goals. When the analyst is in doubt about which to undertake, it is always recommended to take a physical disk image [16]. However, if time and space are of the essence, or when the investigative issue is contained in a single volume, a logical image is recommended. The obtained image can be saved in different formats, depending on individual preference; the most common ones are Raw (dd) and E01. The E01 format is used by the EnCase forensic tools and is more reliable since it is recognized by most forensic investigation tools. It is usually recommended that acquired images be placed on encrypted evidence disks, especially when shipping the evidence drive using common carriers such as UPS, USPS, and FedEx.

Chapter 4: Starting FTK

Analyzing the Evidence

To undertake an extensive analysis, FTK makes use of a variety of tools that include hashing, the Known File Filter (KFF), searching, and a database.

Hashing

Hashing can be defined as generating a unique value based on the contents of the file being hashed. The hash value is used to verify the integrity and identity of duplicate and known files. A hash is considered valid when it produces the expected value.
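The hash check described under Handling Evidence and the known-hash comparison that the Known File Filter performs, as an added Python example (not the coursework's or AccessData's code): acquisition is verified by recomputing MD5 and SHA-1 over the image and comparing them with the source, and a constructed KFF-style hash list then sorts evidence into ignorable, alert, to-be-examined and duplicate buckets. All file contents, paths and hash-list entries are constructed sample data.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

IGNORE, ALERT, EXAMINE, DUPLICATE = "ignore", "alert", "examine", "duplicate"


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 digests, the two functions FTK and FTK Imager compute."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def verify_image(original: bytes, image: bytes) -> bool:
    """Acquisition check: the working image is valid only if both digests
    match those computed over the original evidence."""
    return hash_bytes(original) == hash_bytes(image)


def build_kff(entries: Iterable[Tuple[bytes, str]]) -> Dict[str, str]:
    """Constructed KFF-style database: MD5 -> 'ignore' (known good) or 'alert' (known bad)."""
    return {hashlib.md5(content).hexdigest(): status for content, status in entries}


def kff_triage(evidence: Dict[str, bytes], kff: Dict[str, str]) -> Dict[str, List[str]]:
    """Hash every evidence file once and bucket it the way a KFF pass does:
    known-ignorable files drop out, known-bad files raise an alert, everything
    else is examined further, and repeated hashes are reported as duplicates."""
    buckets: Dict[str, List[str]] = {IGNORE: [], ALERT: [], EXAMINE: [], DUPLICATE: []}
    first_seen: Dict[str, str] = {}
    for path in sorted(evidence):
        md5 = hashlib.md5(evidence[path]).hexdigest()
        if md5 in first_seen:
            buckets[DUPLICATE].append(f"{path} == {first_seen[md5]}")
            continue
        first_seen[md5] = path
        buckets[kff.get(md5, EXAMINE)].append(path)
    return buckets


def sample_case() -> Tuple[Dict[str, bytes], Dict[str, str]]:
    """Constructed evidence set and hash list used by the demo below."""
    known_good = b"constructed: contents of a known OS library"
    known_bad = b"constructed: contents of a known illicit file"
    evidence = {
        "C/Windows/System32/kernel32.dll": known_good,
        "C/Users/ms/Documents/notes.txt": b"constructed: unknown user document",
        "C/Users/ms/Pictures/img001.jpg": known_bad,
        "C/Users/ms/Pictures/img001_backup.jpg": known_bad,
    }
    return evidence, build_kff([(known_good, IGNORE), (known_bad, ALERT)])


if __name__ == "__main__":
    source = bytes(range(256)) * 4            # constructed stand-in for the original drive
    image = bytes(source)                     # a faithful acquisition
    tampered = bytearray(source)
    tampered[100] ^= 0x01                     # a single flipped bit
    print("image verifies:", verify_image(source, image))
    print("tampered image verifies:", verify_image(source, bytes(tampered)))
    evidence, kff = sample_case()
    for bucket, paths in kff_triage(evidence, kff).items():
        print(f"{bucket:>9}: {paths}")
```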
FTK and FTK Imager offer two hash functions: Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). FTK develops MD5 hashes by default and chooses the hashing options automatically based on the KFF databases available. Typically, hashing consists of comparing the result with a known hash database such as the KFF. Hashing multiple files confirms the authenticity of the working file against the original [5].

Known File Filter

The KFF is an FTK utility that compares specific file hashes against an existing database of known file hashes. The main purpose of this process is to eliminate ignorable files or to alert the analyst to a dangerous or illicit file. Additionally, the procedure is used to check for duplicate files. Container files are files that hold additional content, such as e-mail files and zip files that comprise different files. If the KFF identifies a file as ignorable, then the contents of that file are not extracted by FTK [4]. Evidence is thus separated into ignored files and evidence that is examined further.

Searching

FTK offers both live search and indexed search. The live search is time consuming and performs an item-by-item comparison against the search term. Live searches allow the analyst to perform regular expression searches and to search for non-alphanumeric characters. In contrast, the indexed search uses the index file to look up a term [13]. The index file holds the discrete words or number strings located in both allocated and unallocated space in the case evidence.

Presenting the Evidence

FTK presents the evidence by creating a case report and a case log that document the evidence and the investigation results. This process uses the Report Wizard to either create or modify a report. Bookmarks, which represent the information selected during file examination, can be added to the report.
Bookmarks include file listings, supplementary files, case logs, and customized graphic references [11]. Bookmarked files and flagged graphics can be exported to the report to ensure that all information is available within it. While the report is mostly generated in HTML format, the case log assists in documenting and logging activities during analysis and investigation of the case. This information is essential in a report and can be used by a new analyst assigned to an ongoing case to find out which activities have already taken place. The case log is generated automatically by FTK and given the name ftk.log.

The Main FTK Case Interface

The interface includes menu items such as E-mails, Overview, Internet/Chat/Graphics, Live and Index Search, Filters, and Bookmarks. These are mainly used in creating reports.

Explore Window

This includes the following functions:

- Tree View lists the directory structures of the available evidence items and is similar to the directory structure of Windows Explorer. An evidence item can be a physical drive, a partition, or a logical drive. The List all Descendants option in the Tree View toolbar displays the current directory's files in the File List [9].
- The Viewer displays the content of the currently selected file. The Viewer toolbar enables selection of diverse view formats.
- The File List displays the available information concerning a file, including the file path, file name, and file type.

Graphics Window

This window displays the case in the style of a photo album, where every graphic file is displayed as a thumbnail. When a graphic is selected, it is displayed in the Viewer. An indicator button beneath every thumbnail image displays either red or green. The indicator button is only significant to the case report, where it allows the selection to include all graphics in the case or only those flagged green. To mark all thumbnails green, the individual can click the green button located in the Tree View toolbar [10]; the red button marks all thumbnails red. Within the Graphics window, the only files displayed are the graphic files available in the File List, which makes working with graphic files easier.

E-mail Window

This window displays mailboxes, including messages and attachments, in HTML format. The File List shows the subject of the e-mail message or the file attached to the message.

Search Window

The Search window holds both the indexed search and the live search. An indexed search is usually very fast, while the live search is more flexible but tedious. The search results list displays the results of the most recent search as line items. To view the search items in detail, the user clicks the (+) that appears next to the search results, which expands the results for better viewing. To view an individual search result, the file is selected by clicking it, which highlights all matches of the search phrase.

Bookmark Window

This window displays all bookmarks that are listed or bookmarked as important items in the subject case. It also holds the option to add bookmarks, which adds comments and marks the items for inclusion in the subject case.

Chapter 5: Searching the Registry

One of the functions of the Windows Registry is to allow the host operating system to control various aspects specific to the system, such as software, hardware, user information, and the overall working of the host interface, which is the Windows interface. The FTK Registry Viewer differs from the Windows Registry Editor: while the Windows Registry Editor only displays the current system's registry, the FTK Registry Viewer allows the analyst to view registry files from any system and provides complete access to the protected registry storage that contains sensitive information. This information includes usernames, passwords, and other information crucial to the investigation that is not displayed by the normal Windows Registry Editor [7].

Starting Registry Viewer

This tool can be launched in two ways: from within the FTK forensic toolkit, or as a separate application [2].

Launching the Registry Viewer from within FTK

The integration of Registry Viewer within FTK allows the analyst to easily view registry files and create registry reports from within the forensic program. All created report files are saved in the current FTK case file by default. Integration also allows the analyst to extract and open registry files on the fly from the obtained images. The integration has other advantages, such as ensuring that the original registry file is not tampered with. This is accomplished through FTK's capability to create a temporary file automatically and open the temporary file in the Registry Viewer. When analysis is complete, the program deletes the temporary file [2].

Understanding the Registry Viewer Windows

The Registry Viewer comprises three main viewing windows that help an individual obtain and report essential registry information. All windows in the Registry Viewer include a hex viewer that displays the values of a selected key in hexadecimal format.

Password Recovery Software

The Password Recovery Toolkit allows the user to recover passwords from known applications. This functionality makes the FTK program reliable, since its success rate in password recovery is very high. The PRTK, or Password Recovery Toolkit, is essential for law enforcement as well as corporate security professionals. If security professionals require access to certain files, the tool comes in handy. Additionally, if users have locked files and are unable to access their content, then the PRTK is the answer to this issue, since it is effective in cracking passwords and allowing access to the files [6]. AccessData has been one of the most reliable companies in the field of commercial software encryption since 1987. AccessData has a variety of tools available for password recovery, which include:

- Password Recovery Toolkit (PRTK), which incorporates a wide range of individual password cracking modules. These modules are applied at different times, such as when the password to be recovered is presumed to be too long or to contain special characters [10].
- Distributed Network Attack (DNA), which provides an advanced way of recovering passwords. This tool uses many machines within a network or across the globe to undertake dictionary and key space attacks. While other approaches are restricted to the local system, this tool goes further so as to increase the chances of a successful password recovery [8].

Password Recovery Toolkit Features

- Leverages GPUs (graphics processing units) on Microsoft Windows systems with CUDA-compatible GPUs.
- Allows password management.
- Examines files and corresponding credentials such as passwords, with an optional report file.
- Can analyze multiple files at the same time (simultaneous file analysis).
- Can recover multilingual passwords.
- Can prevent unauthorized access, where access is given through a personal security code.

PRTK can recover passwords from at least 100 different applications [2].

Secure Deletion Tools

The Wipe Drive tool is applied when the user wants to perform a complete Department of Defense (DoD) wipe on a drive. The tool has a very high wipe speed: it wipes a drive's content at a rate of 1 GB of data every three minutes. This tool is one of the fastest available and complies with predetermined DoD standards.

Dictionaries

Dictionaries are files that contain keywords that are tried as passwords when attempting to recover a password. A dictionary comprises words in the language it corresponds to. PRTK has predetermined dictionaries for some languages, which makes it more reliable since the user does not have to install dictionaries for common languages. PRTK can also create custom dictionaries using information about the individual who created the encrypted or password-protected files [12]. This is an optional feature, used if the user suspects that the password was created from that person's information. The custom dictionaries can be created using the person's date of birth, names, or other information specific to the individual, such as the school attended or the pet's name. This makes it easier to recover the password, since the crack is restricted to this information [20]. The encrypted files have to be exported in order to create a custom dictionary. This information is then used to create a profile that the program refers to when attempting to break the password.

Chapter 6: Forensic Visualizations

Good visualizations and visual interfaces can be essential in reducing the time required to analyze data. They help the user acquire overview information concerning the data, spot anomalies, and detect patterns [19], which reduces tedium and errors. Current forensic analysis tools often generate large quantities of data, presented in a tabular format, which makes it increasingly difficult for forensic investigators to deal with vast amounts of data. Contemporary forensic investigators have hundreds of specific application packages and hardware devices that qualify as cyber forensic tools. However, most of these tools perform similar tasks [14]. The usual basic requirement for a computer forensics tool is to ensure that the acquired files are converted into human-readable formats that are used by forensic experts and investigators. This shows that visualization can improve the time required not only to inspect but also to analyze vast amounts of data.

Visualizations can function as a temporary storage area for human cognitive processes. This reduces the amount of data held in working memory and enables the brain to hold and process additional information simultaneously, which aids the overall analysis procedure. Graphical representations can also increase the efficiency of the procedure. For instance, graphical representations of mathematical problems allow these problems to be substituted with easier-to-understand perceptual interfaces. This is important since the human visual system can comprehend graphical information, including video and pictures, in parallel, while text is only comprehended sequentially. Visualization is an essential technique in the analysis and exploration of the large and complex data sets generated by forensic tools [15]. Visualization capitalizes on the immense bandwidth, pattern recognition, and power of the human visual system. This helps analysts view large quantities of data in a single display and discover patterns, outliers, and trends within the subject data.

FTK Visualizations

AccessData Visualization was also made by the leader in forensic technology, AccessData. This FTK add-on extends the capabilities of FTK, improving efficiency and enriching communication concerning case specifics.

Email Visualization

- Adjusts the focus and scale of communication periods in time.
- Allows the user to determine and convey peak communication periods in a graphical format.
- Enables viewing of e-mail custodian-level details, incorporating sent and received statistics that pinpoint specific periods of concern to investigators.
- Allows a graphical representation of the e-mail custodian's social network so as to determine the frequency of communication [18].
- Provides key insight into the interaction between potential persons of concern, which leads to flagging these e-mails in FTK.

File Visualization

- Adjusts the focus and scale of creation, modification, and last-accessed file dates to help quickly identify gaps and areas of concern.
- Provides an immediate picture of the data profile and makeup.
- Facilitates comprehension of file volume and counts through its interactive interface.
- Can sort and group files by a wide range of attributes.
- Effectively establishes and flags files to be check-marked in FTK.
- Can modify the graphical theme to match the context of the reports and case files [21].
- Can create tree maps of the underlying directory structures of the subject machine for an understanding of comparative file size and location.

References

[1] P. Kanellis. Digital Crime and Forensic Science in Cyberspace. Hershey, PA: Idea Group Pub, 2006.
[2] Cyber Defense Training Systems and J. A. Lewis. Corporate Computer Forensics Training System Laboratory Manual. North Carolina: Lulu.com, 2007.
[3] H. A. Carvey and C. Eoghan. Windows Forensic Analysis DVD Toolkit, 2nd ed. Burlington, MA: Syngress Pub, 2009.
[4] C. Pogue, A. Cory and H. Todd. Unix and Linux Forensic Analysis DVD Toolkit. Burlington, MA: Syngress Pub, 2008.
[5] I. Ray and S. Shenoi. Advances in Digital Forensics IV. New York: Springer, 2008.
[6] M. Solomon, T. Rudolph, B. Neil and B. Diane. Computer Forensics Jumpstart. Indianapolis, IN: Wiley Publishing, Inc, 2011.
[7] I. Baggili. Digital Forensics and Cyber Crime: Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers. Berlin: Springer, 2011.
[8] J. A. Lewis. Corporate Computer Forensics Training System Text Manual, Volume I. Leslie, MI: Cyber Defense and Research Initiative, 2007.
[9] J. Wiles and R. Anthony. The Best Damn Cybercrime and Digital Forensics Book Period. Rockland, MA: Syngress, 2007.
[10] S. Morrissey and C. Tony. iOS Forensic Analysis for iPhone, iPad, and iPod Touch. New York: Apress, 2010.
[11] C. Easttom. System Forensics, Investigation and Response. New York: Jones & Bartlett Publishers, 2013.
[12] J. Wiles. Techno Security's Guide to E-Discovery and Digital Forensics. Burlington, MA: Syngress Pub, 2007.
[13] L. Volonino and A. Reynaldo. Computer Forensics for Dummies. Hoboken, NJ: Wiley, 2008.
[14] A. Marcella and D. Menendez. Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. Florida: CRC Press, 2010.
[15] S. Anson, B. Steve, J. Ryan and P. Scott. Mastering Windows Network Forensics and Investigation. Hoboken, NJ: Wiley, 2012.
[16] M. Cross and S. Debra L. Scene of the Cybercrime. Burlington, MA: Syngress Pub, 2008.
[17] M. Olivier. Advances in Digital Forensics II: IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, January 29 - February 1, 2006. New York, NY: Springer, 2006.
[18] D. Kleiman. The Official CHFI Exam 312-49 Study Guide: For Computer Hacking Forensics Investigators. Burlington, MA: Syngress Pub, 2007.
[19] EC-Council. Investigating Data and Image Files. Course Technology PTR, 2009.
[20] E. Casey. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. London: Academic, 2010.
[21] C. Easttom and T. Jeffrey. Computer Crime, Investigation, and the Law. Boston, MA: Course Technology, a part of Cengage Learning, 2010.
