Access Data FTK Graphics Overview Lab

[toggle_content title="Transcript"] Hi, Leo Dregier here. I want to talk to you about the FTK graphics and imaging features. Some of the things that are basically an overview of, or relative to, this section are working through the software and using some of the Graphics tabs, and that's going to start right here on this tab. Also, you should understand the different types of graphic images. One easy way to do that is to look at all of your file extensions and the file extensions associated on your computer, and if you have problems with that, you could easily do a quick Google search and learn how to change your file extensions. But I'd like to point out here that we're typically working with layer six and layer seven, the Presentation and Application layers of the OSI model. Also, what we can do with these graphic files is hash them and create a hash database out of them, and also view them as thumbnails. So this overview of this feature really comes straight out of the official FTK forensics course. One of the things we want to do is either open a case or create a new case, so we'll just as easily create a new case. You're going to apply the investigator's name; in this case I'm just going to use my name. The case number I'm going to use is 54321; the case name is 'Pornographic Images', okay? Then I'm going to create the case path; I'm actually going to store that in a directory that I have called 'Labs', and we'll make a new folder here and call it 'FTK2', okay, and then a case description, 'Investigation of pornographic materials called into the helpdesk'. Okay? Just something basic, just an overview here.
Next you're going to look at the agency name, so we'll just put 'Company'; the examiner's name, I'm going to put my own name, D-R-E-G-I-E-R, and I live at 1234 Address Rd; my phone number that I can be reached at is going to be 123-456-7888. The email would be, and no comment. Go ahead and select Next. In here you have some case log options, and this is relatively self-explanatory; the case log is a text file named ftk.log in your case folder, and this gets created automatically by FTK and contains a record of all events that occur during the course of the case. You can choose what types of events you would like to be logged. You can also add your own comments to the log file by selecting "Add Case Log Entry…" under the "Tools" menu item. So, case and evidence events and these sorts of error messages, bookmarking, searching events, data carving, which is looking for specific keywords from files, and then these sorts of other events. You can leave all of these checked, and we'll go ahead and select Next. Here, the processes to perform on the case: you're definitely going to want to create your message digest. They have MD5 and SHA; whichever one you're using, just check appropriately. You've got your Known File Filter, which compares hashes of known files against the database; kind of similar to a dictionary or a rainbow table attack, but more just referencing the integrity of images. You've got entropy tests; for unknown file types, an entropy test is used to determine whether the file's data is compressed or encrypted or what kind of contents are in it, or basically what recon you can do on this specific file. Let's just say that you had a file that was just called 'File', no file extension or anything. Well, entropy will determine what type of file it actually is.
You've got full text indexing, you can store thumbnails, you can decrypt Encrypting File System files, you can do a file listing, which creates a Microsoft Access (Jet) database for indexing the files, you can do an HTML file listing, more data carving options, and you can add in a registry report. You can just leave the defaults here for now, as this is just an overview. Also, you can refine the case and look at default options; you can include specific items, you can check optimize settings, you've got email options, text options, and graphic options here. I typically, at this point, just leave all of these at the default, but you can check for things in slack space and free space and use your known file checker, and things like that. There's also file type criteria which you can add, and you can just leave all of this as the default for now. Alright, in order to save time and resources and to make searching more efficient, you can choose to exclude certain types of data from being indexed, so this specifically is an index option. For now, you can just leave all of this as the default, then hit the Next button, and then you get to the point where you can actually add evidence, and this is the key to the graphics feature. So we're going to add some evidence here. You can do 'Acquire an Image of a Drive'; if you have a specific image, you can import that image right in here. You can do a local drive if you're analyzing, like, a USB hard drive or something, or the contents of a folder, and for this demonstration we're going to do contents of a folder. Alright, one of the things that we can do here is use the CHFI tool list that they have in their forensics toolkit, so it actually contains some image files that we can use.
So at the very end of the file, you've got all sorts of stuff in here, but I have a directory called 'Porn Images' and that's going to be what we relate specifically to the case. Now I will tell you that this is going to be a completely G-rated experience, even though I do have a folder called 'Porn Images', or 'Pornographic Images'. So we're going to go ahead and select 'Pornographic Images'; it has the location in which they are. You can add an Evidence Identification Number, so this would be consistent with your conventional format; since my evidence name is 54321, I'm going to do '54321.001', being the first evidence file, and 'Images from folder from suspect's hard drive' is what I put in the comments. That way I have at least a little insight as to what this is for. You can also configure time zone information here, but I'm going to leave that as the default for now. Once I have my pornographic images I can go ahead and click Next, and we get a new case wrap-up here, and it says the case directory where all of this is going to be kept is basically going to be the name that we called the case, and then 'Pornographic Images', and then you can go ahead and hit Finish. It'll take a second and it will import those cases. Now one of the features that I like, that we actually cover in the official course, is you can add 'List All Descendants'; that's kind of like any image from here on out, and the reason why I like this is because you can just select the root of the drive and then see everything on that. So here we have our suspect's, quote-unquote, 'pornographic images', okay?
So we can just validate the actual content of them and determine if they were actual pornographic images or not, so if I found something like this on a user's hard drive, it may indicate that the user had suspicious web surfing behavior, but I don't see anything that I would deem offensive, or something that wouldn't slip through the content filter of the organization, right? So these all look relatively harmless, okay? But let's check out some other features. One of the things you can do with graphics, to do your background on this, is these options right in here, okay? So you can actually view the file; there's this little, I guess, pink filter here, and I like this button because this goes through and just gives you any text that it can extract from the image, so for example you can see here that this was created in Adobe Photoshop CS2, the format, or if it's Adobe CM-related, so this is clearly an Adobe file, and I'm just going to go through here and look for any sort of text or XML or anything that would kind of give me the idea of what this file realistically is. Then we'll pick another image; we'll look at the text of the file, if there's any text; we can look at the hexadecimal information, so you can see that this is a PNG file, at least so it suggests in the header. You can also not view the files, you can turn that completely off, or you can view them in Internet Explorer directly from within here. So these are realistically all of the elements of the graphics case and how you would import them into the case file. Again, I showed you a little bit of how to identify the graphic formats, how to use the Graphics tab here within this application, and you can even export all of these files if you want.
Now they're already stored in your case, but you can certainly export them if you want. You can tag them, you can just look at the thumbnails up here, etc. And so that's how we would basically get a case going and evaluate specific images in our investigations. So thank you for all of the awesome comments; don't forget, at the end of the course you can get your badge of completion. These are great for continuing education credits. My name is Leo Dregier and I will see you and continue the discussion on Facebook, LinkedIn, YouTube and Twitter. [/toggle_content] This lab discusses in depth the benefits of using the Graphics tab within Access Data FTK, as well as how to use and identify graphic images and how to change file extensions when needed. As the transcript describes, the graphics tools in FTK deal with layers 6 and 7 (Presentation and Application) of the OSI model. You'll observe a demonstration and learn why correct handling and referencing of images is critical to both case management and case reporting.
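As an added illustration, not part of the lab or of FTK's own code, the following Python script reproduces in plain code the three checks the lab leans on when triaging graphics: identifying a file's format from its header bytes rather than its extension (the hex view in the transcript), computing the MD5 and SHA-1 digests that FTK uses to build a known-file hash set for the Known File Filter, and running an entropy test on a file that carries no usable extension. The sample files, the four-format signature table, the extension aliases and the 7.5 bits-per-byte entropy threshold are all assumptions constructed for this example.

```python
import hashlib
import math
import os
import struct
import zlib

# Header (magic-byte) signatures for the graphic formats this example recognises.
# Assumption: only these four formats are covered; FTK's own signature table is far larger.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpg", b"\xff\xd8\xff"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("bmp", b"BM"),
]
EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}  # assumption: common alias extensions
# Assumption: Shannon entropy above this (bits per byte, max 8.0) is treated as compressed/encrypted.
HIGH_ENTROPY = 7.5


def identify_by_header(data: bytes):
    """Return the format implied by the file header, or None if no signature matches."""
    for fmt, magic in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return None


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for repetitive data, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def digests(data: bytes) -> dict:
    """MD5 and SHA-1 message digests, the two FTK offers at case creation."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def build_hash_set(files) -> set:
    """Build a known-file hash set (both digests) from (name, bytes) pairs, in the spirit of a KFF database."""
    known = set()
    for _, data in files:
        known.update(digests(data).values())
    return known


def examine(name: str, data: bytes, known_hashes=frozenset()) -> dict:
    """Triage one file: header format vs. extension, entropy, digests and known-file hit."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = EXT_ALIASES.get(ext, ext)
    header_fmt = identify_by_header(data)
    ent = shannon_entropy(data)
    d = digests(data)
    return {
        "name": name,
        "extension": ext,
        "header_format": header_fmt,
        # A mismatch is only meaningful when the file carries an extension at all.
        "extension_mismatch": bool(ext) and header_fmt is not None and ext != header_fmt,
        "entropy": round(ent, 2),
        "high_entropy": ent > HIGH_ENTROPY,
        "md5": d["md5"],
        "sha1": d["sha1"],
        "kff_known": bool(known_hashes & set(d.values())),
    }


def make_png_1x1() -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG built from scratch, so no external files are needed."""
    def chunk(tag: bytes, payload: bytes) -> bytes:
        body = tag + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")          # filter byte 0 + one red pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed sample files, standing in for the folder added as evidence in the lab.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
SAMPLE_FILES = [
    ("photo.png", make_png_1x1()),          # extension and header agree
    ("file", make_png_1x1()),               # no extension: the header still identifies it as PNG
    ("notes.txt", JPEG_STUB),               # renamed image: extension/header mismatch
    ("holiday.jpeg", JPEG_STUB),            # alias extension, no mismatch
    ("blob.bin", bytes(range(256)) * 16),   # uniform byte distribution: entropy 8.0
    ("readme.txt", b"harmless text\n" * 40),
]


def triage(files=SAMPLE_FILES, known=None) -> list:
    """Run examine() over a file list; 'known' defaults to a hash set built from the first sample only."""
    if known is None:
        known = build_hash_set(files[:1])
    return [examine(name, data, known) for name, data in files]


if __name__ == "__main__":
    for r in triage():
        flags = [k for k in ("extension_mismatch", "high_entropy", "kff_known") if r[k]]
        print(f"{r['name']:14} ext={r['extension'] or '-':5} hdr={r['header_format'] or '?':4} "
              f"H={r['entropy']:.2f} sha1={r['sha1'][:12]} {' '.join(flags)}")
```

Two caveats a practitioner would keep in mind when reading the output. First, the entropy test only separates repetitive data from compressed or encrypted data; it does not name a format, and JPEG scan data and PNG IDAT chunks are themselves compressed, so a high score on an image file is expected rather than suspicious. It is the header check that actually identifies the file called `file`. Second, the known-file hit on `file` comes purely from its bytes matching `photo.png`, which is exactly why hashing content rather than trusting names is what makes a hash set useful for spotting renamed copies.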