Toriality's Blog

COMPUTER FORENSICS - 12

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 12 SOURCES: INFOSECINSTITUTE.COM

FTK FORENSIC TOOLKIT OVERVIEW

INTRODUCTION

In your career as a computer forensic professional, you will often find that your efficiency boils down to which tool you are using for your investigations. Your skill set, critical as it is to your success, can only take you so far: at the end of the day, you will have to rely on one forensic tool or another. Forensic Toolkit (FTK), developed by AccessData, is one of the most widely used software suites available to digital forensic professionals. In this article, we will dissect the various features offered by FTK, in addition to discussing its standalone disk imaging tool, FTK Imager.

WHAT IS FORENSIC TOOLKIT (FTK) ?

FTK is intended to be a complete computer forensic solution. It gives investigators an aggregation of the most common forensic tools in one place. Whether you are trying to crack a password, analyze email or search files for specific strings, FTK has you covered, and it comes with an intuitive GUI to boot.
There are a few distinguishing qualities that set FTK apart from the rest of the pack. First and foremost is performance. FTK uses a distributed processing model that spreads evidence processing across multi-core CPUs and across several machines, so that indexing, hashing and carving run in parallel. AccessData's own documentation claims this can make case processing up to four times faster than other tools in some instances; treat that as a vendor figure, since the actual gain depends heavily on the evidence and the hardware.
Another unique feature of FTK is its use of a shared case database. Rather than keeping multiple working copies of a data set, FTK stores a single case in a single central database. This lets team members collaborate more efficiently and saves storage. The database also provides stability: unlike forensic tools that hold their working state purely in memory, and crash once that state outgrows available RAM, FTK persists processed data in the database, so it remains accessible even if the application itself crashes.
Fast searching is another hallmark of FTK. Because the tool indexes evidence up front, investigators can greatly reduce search times. FTK generates a single shared index per case, so the index does not need to be duplicated or rebuilt for each examiner.

WHICH TOOLS DOES IT CONTAIN?

EMAIL ANALYSIS:

    
FTK provides an intuitive interface for email analysis. This includes the ability to search message bodies for specific words, to parse headers (for example, walking the Received chain to find the source IP address of a message), and so on.
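The header analysis mentioned above, as an added example that is not part of the original post or of FTK's email module: it parses a message's Received: headers and walks them from the earliest hop upwards to find the first address that is not on an internal network. The message is constructed for this demo (example.* hostnames, documentation and private address ranges); the list of "internal" networks is an assumption you would adjust to your own environment.

```python
"""Walk a message's Received: chain to find the originating IP address.

Added example, not part of the original post or of FTK's e-mail module.
The message below is constructed for this demo; the hostnames use
example.* names and the addresses are documentation/private ranges.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample: three hops, newest on top as mail servers write them.
# The last Received: header is the one closest to the sender.
RAW_MESSAGE = b"""Received: from mx.internal.example (mx.internal.example [10.0.0.5])
\tby mail.example.com with ESMTP id ABC123; Tue, 4 Jun 2024 17:35:00 +0000
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.internal.example with ESMTPS; Tue, 4 Jun 2024 17:34:58 +0000
Received: from [192.168.1.23] (unknown [198.51.100.42])
\tby relay.example.net with ESMTPSA; Tue, 4 Jun 2024 17:34:55 +0000
From: Alice <alice@example.net>
To: bob@example.com
Subject: invoice
Message-ID: <abc123@example.net>

Please find the invoice attached.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# ipaddress.is_global treats the documentation ranges used in the sample
# (198.51.100.0/24, 203.0.113.0/24) as non-global, so use an explicit list
# of what counts as "internal" (assumed here) rather than relying on that flag.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw):
    """Return [(unfolded Received value, [ip addresses found in it]), ...]
    in header order, i.e. most recent hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # collapse folded whitespace
        ips = []
        for s in IPV4_IN_BRACKETS.findall(text):
            try:
                ips.append(ipaddress.ip_address(s))
            except ValueError:  # e.g. 999.1.1.1 inside brackets
                pass
        hops.append((text, ips))
    return hops


def originating_ip(raw):
    """First non-internal IP reading from the earliest hop upwards, or None.

    Caveat: only the Received headers added by servers you trust are reliable;
    anything below them could have been forged by the sender.
    """
    for _, ips in reversed(received_hops(raw)):
        for ip in ips:
            if not is_internal(ip):
                return str(ip)
    return None


if __name__ == "__main__":
    for text, ips in received_hops(RAW_MESSAGE):
        print([str(ip) for ip in ips], "<-", text[:60])
    print("originating IP:", originating_ip(RAW_MESSAGE))
```

The 192.168.1.23 in the last hop is the sender's LAN address behind NAT, which is why the search skips internal ranges; the first hop that is not internal (198.51.100.42) is the best available origin, subject to the forgery caveat in the docstring.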
    
FILE DECRYPTION:

    
A central feature of FTK, file decryption is arguably the most common use of the software. Whether you want to recover passwords or decrypt entire files, FTK has an answer for it. According to AccessData, FTK can recover passwords for over 100 applications.
    
DATA CARVING:

    
FTK includes a robust data carving engine. Investigators can carve for files by size, data type and, for images, even pixel dimensions.
    
DATA VISUALIZATION:

    
Evidence visualization is an up-and-coming paradigm in computer forensics. Rather than analyzing textual data alone, forensic experts can now use data visualization techniques to build a more intuitive picture of a case. FTK supports this with timeline construction, cluster graphs and geolocation.
    
WEB VIEWER:

    
One of the most recent additions to the suite, FTK Web Viewer accelerates case assessment by granting attorneys access to case files in real time, while the evidence is still being processed by FTK. It also allows multi-case searching, so you do not have to cross-reference evidence from different cases by hand.
    
CERBERUS:

    
Embracing the shift towards analytics, FTK includes an automated malware detection feature called Cerberus. It uses automated analysis to identify likely malware on a computer, subsequently suggesting actions to deal with it if found. As with any automated scoring, its verdicts are leads to be confirmed by the examiner, not findings in themselves.
    
OCR:

    
Another feature that borrows from AI and computer vision, FTK's Optical Character Recognition engine converts images to searchable text quickly. Multi-language support is also included.
    

WHAT IS FTK IMAGER?

Though we've established just how versatile a toolkit FTK is for forensic investigators, it is never a good idea to feed it the original evidence. Sound forensic practice is to acquire copies (images) of the affected system's data and work on those copies. To aid in this process, AccessData offers investigators a standalone disk imaging tool known as FTK Imager.
In addition to creating images of hard drives, CDs and USB devices, FTK Imager also offers data preview: you can browse files and folders on the source and view their contents before, or without, imaging. FTK Imager also supports image mounting, which presents an existing image to the operating system as a read-only drive. It can write images in several formats: E01 (EnCase), SMART or DD raw. You can also track its activities through a basic text log file.
Verifying the integrity of the copy is a critical part of imaging, and FTK Imager assists here with support for MD5 and SHA1 hashes. It can also generate hash reports that can be archived for later use, for instance to check whether an image has been changed since its acquisition.
Once you've created images of disk drives with FTK Imager, you can move on to a more thorough investigation of the case in FTK.
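The verification step described above, as an added example that is not part of the original post or of AccessData's tooling: hash an image in chunks, record MD5 and SHA1 at acquisition time, and later re-hash the copy and compare against the record. The image and the record are built in memory so the script runs offline; in practice the record comes from the hash report written beside the image, and the image is opened from disk.

```python
"""Verify a disk image against the hashes recorded at acquisition.

Added example, not part of the original post or of AccessData's tooling.
The image and the acquisition hash record are built in memory so this runs
offline; in practice the record comes from the hash report FTK Imager writes
beside the image, and the image is opened from disk.
"""
import hashlib
import io

CHUNK = 1 << 20  # hash in 1 MiB pieces so multi-GB images need not fit in RAM


def hash_stream(fobj, algorithms=("md5", "sha1")):
    """One pass over the stream, feeding every requested hash; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    fobj.seek(0)
    while True:
        block = fobj.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(fobj, recorded):
    """Compare the stream against every hash in the acquisition record.

    Returns (ok, details); details maps algorithm -> (recorded, computed).
    Comparison is case-insensitive because reports differ in hex casing.
    """
    computed = hash_stream(fobj, tuple(recorded))
    details = {name: (recorded[name].lower(), computed[name]) for name in recorded}
    ok = all(rec == comp for rec, comp in details.values())
    return ok, details


def verify_bytes(image_bytes, recorded):
    """Convenience wrapper for in-memory images."""
    return verify_image(io.BytesIO(image_bytes), recorded)


def acquisition_record(image_bytes):
    """What the hash report captures at acquisition time."""
    return hash_stream(io.BytesIO(image_bytes))


def tampered_copy(image_bytes, offset=1_000_000):
    """Flip one bit, simulating a modified or damaged evidence copy."""
    b = bytearray(image_bytes)
    b[offset] ^= 0x01
    return bytes(b)


# Constructed stand-in for a dd raw image: 3 MiB of deterministic bytes.
SAMPLE_IMAGE = bytes(range(256)) * (3 * 4096)

if __name__ == "__main__":
    record = acquisition_record(SAMPLE_IMAGE)
    print("acquisition record:", record)
    print("pristine copy verifies:", verify_bytes(SAMPLE_IMAGE, record)[0])
    ok, details = verify_bytes(tampered_copy(SAMPLE_IMAGE), record)
    print("tampered copy verifies:", ok)
    for name, (rec, comp) in details.items():
        print(f"  {name}: recorded={rec} computed={comp}")
```

A single flipped bit anywhere in 3 MiB changes both digests, which is the whole point of recording them: the comparison fails if any algorithm in the record disagrees, so a report that carries both MD5 and SHA1 is checked against both.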

ENCASE PRODUCT SUITE OVERVIEW

GUIDANCE SOFTWARE INC.

The entire EnCase product line is developed and maintained by Guidance Software Inc. The company has been a leader in the forensics industry, providing robust tools and solutions for digital investigators that match the requirements of individuals and organizations. Guidance Software Inc. was founded in 1997. Beyond corporate use, Guidance Software's products are used by legal and law enforcement personnel.
Guidance Software provides forensic products, services and training. Further information: https://www.guidancesoftware.com/services?cmpid=nav_r

ENFORCE RISK MANAGER:

EnForce Risk Manager is a tool that automatically identifies, categorizes and remediates confidential data across the enterprise. EnForce Risk Manager gives in-depth insight into, and control over, electronic data across all storage solutions and devices, such as file shares, servers and cloud repositories. This lets organizations focus on business intelligence and compliance and strengthen their security posture.
Features are:
PATENTED GRAF TECHNOLOGY:
    
    Sensitive data can be categorized across vast storage solutions down to paragraph level.
    
AUTOMATED REMEDIATION:

    
Users can view the file's contents and remove sensitive content from one storage location or from every location where that information resides.
    
COMPLETE RELATIONAL DATA INTELLIGENCE:

    
The ability to correlate sensitive data by machine, user, geo-location and other data points provides additional context for greater insight.
    
CUSTOMIZED DASHBOARDS:

    
Custom dashboards let the user review and report clearly on risk distribution and reduction as sensitive data spreads throughout an organization, and create statistics-based risk reports.
    
Every organization has valuable data; most often it is the driving force of the business. However, storing valuable or sensitive data carries inherent external risk.
RISK OF LOSS OR THEFT:
    Through EnForce Risk Manager you can automatically pinpoint, classify and control sensitive data anywhere it is stored, on premises or in the cloud. This is achieved with its 360-degree visibility feature augmented with data analytics and meaningful visualizations, reducing the inherent risk surface and protecting data from internal and external threats.
    

ENCASE ENDPOINT SECURITY:

EnCase Endpoint Security is designed to merge two separate industry processes, incident detection and incident prevention, to help security teams proactively address the gaps in their security process framework.
FEATURES:
    - On-demand data search and collection from enterprise-wide endpoints.

    - Presentable views of endpoints, data and activities; no data expertise required.

    - Integration with third-party data sources to receive and share intelligence.

    - Customizable report sharing and export as images, PDF or spreadsheet files.

    - Checking for false positives and validating alerts raised by other security technologies.

    - Automatically run scans to find sensitive or classified data, exposing the systems holding it that pose the greatest security risk.

    - Web-based reporting offers a convenient way to swiftly review, act on and present findings for small and large security teams.

    - Kill running malware, morphed instances and related processes.

    - Terminate any suspicious processes running within your IT infrastructure.

    - Remotely delete sensitive data files from unauthorized locations.
    
SCENARIO OF USAGE:
    
    This EnCase product is actually a combination of three products:
    
        - Alert triage: where you can discover and prioritize the handling of security events and make sure you are tackling the biggest issues first.
        
        - Incident Response: where you can bring the full collection of tools to bear to prevent an infection from spreading or continuing to confound your network.
        
        - Threat detection and remediation: where you can visualize what is happening on your network. This is still a work in progress.
        

ENCASE EDISCOVERY:

This product provides continuous case assessment, an optimized process with which legal teams can quickly check the necessary facts. EnCase eDiscovery is designed for enterprise professionals and provides the following:

    
  • Reliable, protected and non-disruptive collection and preservation.

  • Customizable e-discovery support for any combination of cases, users and data volumes.

  • A collaborative, secure central legal repository, with strong oversight and management of the entire e-discovery process.

    ENCASE FORENSIC 8

    Some simple features are:

    TRIAGE REPORTING:

    EnCase Forensic 8 implements new triage reporting features so you can quickly share a report with field investigators, attorneys, controllers or any other involved party. With a few clicks you can extract exactly the information you need for your report and generate it as HTML.

    INVESTIGATION WORKFLOW:

    With a click an examiner can take a case from adding and processing evidence through to creating a report of findings. One of the most important parts of an investigation is the examiner's ability to uncover evidence, and examiners can rest assured that navigating EnCase Forensic will never slow down their progress.

    PERSISTENT BLUE-CHECKS:

    In EnCase Forensic 8, you can now "blue-check" important files and those selections will appear no matter what screen you navigate.

    TREE-VIEW REFRESH:

    In EnCase Forensic 8 you never need to navigate away from the entry view after running hash analysis, adding a new partition or processing evidence in order to see the results. A single click of the refresh button refreshes your view.

    MULTI-COLORED SWEEPING BOOKMARKS:

    You can easily home in on a specific portion of a bookmarked string, noting its relevance to the case.

    And more important features for forensic investigation:

    RECOVERING FOLDERS:

    Attempts to recover deleted folders, and the files they contain, from FAT and NTFS volumes.

    FILE SIGNATURE ANALYSIS:

    A common technique for disguising a file is simply to rename it with a different extension. Image files can be renamed so that they look like Windows DLL files, for instance. The signature analysis component verifies the file type by comparing the file's header (its signature) with its extension.

    The signature analysis process flags every file whose signature and extension disagree according to its File Types table. Signature analysis is always enabled so that it can support other EnCase v8 operations.
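The signature/extension comparison described above, as an added example that is not EnCase code: a small table of magic bytes, a second table of which types each extension legitimately carries, and a classifier that sorts every file into match, mismatch, bad signature or unknown. Both tables are a hand-picked subset (EnCase's File Types table is far larger), and the sample file set is constructed, holding only the first bytes of each file.

```python
"""File signature analysis: compare each file's header bytes with its extension.

Added example, not EnCase code. SIGNATURES and EXTENSION_TYPES are a small
hand-picked subset (EnCase's File Types table is far larger); SAMPLE_FILES is
constructed and holds only the first bytes of each file.
"""
import os

# magic bytes at offset 0 -> type name (real tables also use offsets and footers)
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe",            # Windows EXE/DLL/SYS
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/jar, which are zip containers
}

# extension -> types it legitimately carries
EXTENSION_TYPES = {
    ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".dll": {"pe"}, ".exe": {"pe"}, ".pdf": {"pdf"},
    ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
}


def identify(header):
    """Type whose signature prefixes header, or None."""
    for magic, name in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None


def classify(filename, header):
    """match: header agrees with extension
    mismatch: header is a known type the extension does not carry
              (a JPEG named .dll, or a PNG behind an unknown extension)
    bad_signature: extension is known but the header is not (corrupt,
              encrypted, or a plain-text file renamed)
    unknown: neither side is in the tables"""
    ext = os.path.splitext(filename)[1].lower()
    sig_type = identify(header)
    expected = EXTENSION_TYPES.get(ext)
    if sig_type is None:
        return "bad_signature" if expected else "unknown"
    if expected is None or sig_type not in expected:
        return "mismatch"
    return "match"


def scan(files):
    """{filename: verdict} for a mapping of filename -> leading bytes."""
    return {name: classify(name, header) for name, header in files.items()}


def flagged(files):
    """Files an examiner should look at, in name order."""
    return sorted(n for n, v in scan(files).items() if v in ("mismatch", "bad_signature"))


# Constructed sample: the first bytes of each "file" in the evidence.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n",
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "kernel32.dll": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # image renamed to look like a DLL
    "notes.docx": b"PK\x03\x04\x14\x00",
    "cache.dat": b"\x89PNG\r\n\x1a\n",                  # PNG hiding behind a bland extension
    "photo.jpg": b"Salted__\x12\x34",                   # not a JPEG (OpenSSL enc prefix)
    "readme.txt": b"Hello forensics",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:14s} {verdict}")
```

Note that notes.docx is a match even though its header says "zip": the extension table has to know that Office documents are zip containers, otherwise every .docx in the evidence would be a false positive.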

    THUMBNAIL CREATION:

    When you select the Thumbnail creation option, EnCase v8 creates thumbnail records for all image files in the selected evidence, which makes browsing images faster.

    HASH ANALYSIS:

    A hash is a digital fingerprint of a file, commonly written as a hexadecimal string. Its most common use is to verify that data has not changed: the hash computed before and after should be identical. Hashes are also compared against hash sets of known files, to exclude standard operating-system files or to flag known files of interest without opening each one.

    EnCase v8 supports MD5 and SHA1 hashes. Neither is collision resistant any longer, which matters little for detecting accidental modification of evidence but is worth knowing when a hash is used to prove a file's identity; recording a SHA-256 alongside them is a cheap safeguard.

    EXPAND COMPOUND FILES:

    For archive files, Expand Compound Files extracts the compressed or archived contents and processes them according to the selected EnCase v8 settings. This includes nested archives, such as a zip inside a rar.

    FIND EMAIL:

    Select this setting to extract individual messages and attachments from email archives. Find Email supports the following email types:

    • PST (Microsoft Outlook)

    • NSF (Lotus Notes)

    • DBX (Microsoft Outlook Express)

    • EDB (Microsoft Exchange)

    • AOL

    • MBOX

    • EMLX (Apple Mail)

    FIND INTERNET ARTIFACTS:

    This identifies internet-related artifacts such as browser histories, cookies and cached web pages. You can also examine unallocated space for such artifacts.

    INDEX TEXT AND METADATA:

    EnCase v8 creates an index that allows you to search quickly for a string. Since indexing is recursive, all files, emails and module output are indexed, including the output of EnScript modules such as the IM Parser and System Info Parser. The advantage of having these items indexed is that you can later search across all types of information and view results from email, files, smartphones and any other processed data in a single search results view.

    INDEX PERSONAL INFORMATION:

    When creating an index of case data, select Personal Information to additionally identify and include the following personal information types:

    • Credit cards.

    • Phone numbers.

    • Email addresses.

    • Social security numbers.
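How an indexer finds those four types, as an added example that is not EnCase's code: a regular expression per type, plus a validity check (the Luhn checksum for card numbers, the SSA's structural rules for SSNs) so that every 16-digit order number in the evidence is not reported as a credit card. The patterns are deliberately simple and US-centric, and SAMPLE_TEXT is constructed and entirely fictional.

```python
"""Index personal information in text: card numbers, phone numbers,
e-mail addresses and US Social Security numbers.

Added example, not EnCase's indexer. The patterns are simple and
US-centric; SAMPLE_TEXT is constructed and entirely fictional.
"""
import re

PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # optional +1 country code, optional parentheses, space/dot/dash separators
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    # 13 to 19 digits, optionally separated by spaces or dashes
    "card": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Structural rules: SSA never issues area 000/666/9xx, group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_pii(text):
    """Return {kind: [(value, plausible), ...]}; plausible is the validity-check result."""
    hits = {kind: [] for kind in PATTERNS}
    for m in PATTERNS["email"].finditer(text):
        hits["email"].append((m.group(0), True))
    for m in PATTERNS["phone"].finditer(text):
        hits["phone"].append((m.group(0), True))
    for m in PATTERNS["ssn"].finditer(text):
        hits["ssn"].append((m.group(0), ssn_plausible(*m.groups())))
    for m in PATTERNS["card"].finditer(text):
        digits = re.sub(r"\D", "", m.group(0))   # normalise before the checksum
        hits["card"].append((digits, luhn_ok(digits)))
    return hits


# Constructed, fictional sample text.
SAMPLE_TEXT = """From: alice.smith@example.com
Call me at (555) 867-5309 or +1 555-123-4567.
Card on file: 4111 1111 1111 1111
Mistyped card: 4111 1111 1111 1112
Order ID 1234567890123456 is a reference number, not a card.
SSN 123-45-6789; the placeholder 000-12-3456 is not issuable.
"""

if __name__ == "__main__":
    for kind, values in find_pii(SAMPLE_TEXT).items():
        for value, plausible in values:
            print(f"{kind:6s} {value:25s} plausible={plausible}")
```

Keeping the implausible hits in the output (flagged False) rather than dropping them is deliberate: an examiner may still want to see a number that looks like a card but fails Luhn, since it could be a typo in the evidence rather than noise.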

    INDEX TEXT IN SLACK AND UNALLOCATED SPACE:

    As you select options for indexing evidence such as files and emails, you can choose to include text found in RAM slack, file slack, disk slack and unallocated space. File slack is the unused tail of a file's last cluster; it can still hold fragments of whatever previously occupied that space, which is why it is worth indexing.

    RUN ENSCRIPT MODULES:

    EnCase v8 can run add-in modules during evidence processing. Some of them are:

    SYSTEM INFO PARSER:

    The System Info Parser module identifies hardware, software and user information from Windows and Linux computers.

    IM PARSER:

    Searches for instant messenger artifacts from MSN, Yahoo and AOL. These artifacts include messages and buddy list contents.

    FILE CARVER:

    Searches evidence for file fragments based on a specific set of parameters. It examines unallocated space and searches for file fragments on the disk. By default it generates a report of the carved files and can optionally be configured to export the carved artifacts to disk for external review or production.
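The header/footer carving that File Carver (and FTK's data carving engine, earlier on this page) performs, as an added example that is not EnCase's or AccessData's code: scan a buffer of unallocated space for known headers, cut each carve at the next matching footer, cap the size when the footer is gone, and hash and optionally export the result. UNALLOCATED is a constructed buffer standing in for the raw bytes of a volume's unallocated clusters; the rule table and size cap are assumptions.

```python
"""Header/footer file carving over unallocated space.

Added example, not EnCase's File Carver. UNALLOCATED is a constructed byte
buffer standing in for the raw bytes of a volume's unallocated clusters; it
contains a complete JPEG, a complete PNG and a JPEG whose tail was overwritten.
"""
import hashlib
import os

# (header, footer, extension, max size). The size cap bounds a carve whose
# footer is missing so it cannot run to the end of the volume.
CARVE_RULES = [
    (b"\xff\xd8\xff", b"\xff\xd9", "jpg", 10 * 1024 * 1024),
    (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", "png", 10 * 1024 * 1024),
]


def carve(data, rules=CARVE_RULES):
    """Return carved entries sorted by offset.

    Each entry: offset, ext, size, truncated (no footer within the cap), md5, data.
    Known limitation of footer carving: a JPEG with an embedded thumbnail has an
    inner FFD9, so the outer image is cut short; structure-aware carving fixes that.
    """
    found = []
    for header, footer, ext, max_size in rules:
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            limit = min(len(data), start + max_size)
            end = data.find(footer, start + len(header), limit)
            if end == -1:
                blob, truncated = data[start:limit], True
            else:
                blob, truncated = data[start:end + len(footer)], False
            found.append({"offset": start, "ext": ext, "size": len(blob),
                          "truncated": truncated,
                          "md5": hashlib.md5(blob).hexdigest(), "data": blob})
            pos = start + len(blob)  # resume after this carve
    return sorted(found, key=lambda e: e["offset"])


def export(entries, out_dir):
    """Write each carve as <offset>.<ext>, the optional export step."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for e in entries:
        path = os.path.join(out_dir, f"{e['offset']:08x}.{e['ext']}")
        with open(path, "wb") as fh:
            fh.write(e["data"])
        paths.append(path)
    return paths


# Constructed sample unallocated space (462 bytes).
FILLER = b"\x00" * 64
JPEG_OK = b"\xff\xd8\xff\xe0" + b"A" * 100 + b"\xff\xd9"
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"B" * 50 + b"IEND\xaeB`\x82"
JPEG_CUT = b"\xff\xd8\xff\xe1" + b"C" * 30            # footer overwritten
UNALLOCATED = FILLER + JPEG_OK + FILLER + PNG_OK + FILLER + JPEG_CUT + FILLER

if __name__ == "__main__":
    for e in carve(UNALLOCATED):
        print(f"offset={e['offset']:6d} {e['ext']} size={e['size']:4d} "
              f"truncated={e['truncated']} md5={e['md5']}")
```

The truncated entry is the case a carver has to handle rather than ignore: the third JPEG's footer was overwritten, so the carve runs to the size cap (here, the end of the buffer) and is marked as such, which tells the examiner the file will open at best partially. The MD5 per carve lets duplicates across a large volume be collapsed in the report.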

    OS X ARTIFACT PARSER:

    Searches for common OS X operating system artifacts of potential forensic value.