Presentation is loading. Please wait.

Presentation is loading. Please wait.

2012.  Provides the backstory behind the crime  Provides pertinent information related to the motive behind the crime  Requires the use of 2 software.

Similar presentations


Presentation on theme: "2012.  Provides the backstory behind the crime  Provides pertinent information related to the motive behind the crime  Requires the use of 2 software."— Presentation transcript:

1 2012

2  Provides the backstory behind the crime  Provides pertinent information related to the motive behind the crime  Requires the use of 2 software packages: ◦ Forensics Tool Kit (FTK)  Version or ◦ S-Tools  Software must be downloaded on your laptop prior to the competition

3 1. Creating & Opening a Computer Forensics Case 2. Finding Hidden Data in Slack Space or Unallocated Space 3. Finding a Recently Deleted File 4. Finding a File with an Improper File Extension 5. Finding a Stego’d Image or Data Hidden in a JPG File

4  How you do it? A.Start FTK and Create a New Case B.Add evidence C.Save the case on exiting  Once created you only need to start FTK and open an existing file to continue working on the case

5  A case represents an ‘incident’  You will need to supply: ◦ Name or number of Case ◦ Investigator’s name ◦ Evidence to be added to the case  New cases can be Created  You can Open existing cases previously created

6  Should run in “administrator mode” ◦ Right-click FTK icon and select “run as administrator”  Or… click properties, and select appropriate option for icon (then you won’t need to repeat each FTK startup)  You may receive a prompt looking for “security device” ◦ It’s OK to run without the dongle or security device  USB “dongle” is required to run FTK in “Full Mode”  Also might ask for “Code Meter ◦ We’re running in Demo Mode  Limits us to 5,000 files in the case, but otherwise fully functional!

7  Known File Filter ◦ Used to “ignore” Known Files ◦ OK to load FTK without KFF

8  Select the appropriate option ◦ Generally you’ll either be creating new case or opening an existing case

9  Enter Captions for ◦ Case Number  I chose LIPD  Long Island Police Dept., Case 1 of 2012 ◦ Case Name  Something meaningful ◦ Case Path  The folder where case saved on hard drive  The default is the case name

10  Enter information about investigator ◦ Next screen  Case Log Options ◦ Select all options ◦ Next screen  Processes to perform ◦ Keep default values ◦ Next screen  Refine case ◦ Accept defaults ◦ Next screen  Refine index ◦ Accept defaults ◦ Next screen

11

12 Click “Add Evidence”

13  Information to be added to the Case ◦ Acquired forensic “image” of Drive  This is a single file, but contains contents of an entire drive!!!  Similar to a “zip file”  Also referred to as  “image file”  Bitstream file  Bit-for-bit image file  This “image file” is captured and produced by some forensic software or utility program  Viewed with forensic software which “understands” the file structure  It is NOT the same as a GIF or JPEG, which is a PICTURE type of image file and IS a single file ◦ Local Drive (not on CSI 2012)  Attached to the system and addressable as a disk drive  For example, the C: or E: disk  Could include a CD, DVD, USB, etc.. ◦ Contents of a Folder ◦ Individual File

14  Created earlier by someone using ◦ Utility program or Forensic software Hard Drive “Image files” captured earlier *.img ending added by creator Other endings dependent on software used to create them

15  Fill in captions ◦ Evidence Name/Number  For example, an item number of the evidence list  Serial number, if unique ◦ Comments (optional)  How acquired or unusual circumstances, etc.. ◦ Local Evidence Time Zone  -05:00 for NY timezone  Don’t forget about Daylight Savings, if it applies!  Used for time comparisons All Evidence Added. Click “ Next ”

16  After clicking “Finish” ◦ FTK will Process Files ◦ Add them to the case

17  As part of adding evidence FTK will ◦ Keep track of certain items and summarize them ◦ Build an “index” of words or terms encountered  Can be used to short-cut a search  Can be used to identify words in the entire case  Might provide insight into something not normally considered  For example, seeing “gun”, “secret” or “password” as one of the words in the index

18  FTK presents 3 “panes” or “panels” by default ◦ Users can configure the placement if desired  FTK provides a list of “summary” buttons with counts ◦ Clicking on these can bring up those items in a detail pane so that you focus on them  Bad extensions  Image files  Deleted files  Documents  Unknown types  Folders  Bookmarked items  etc

19  Tabs on the main window ◦ Overview ◦ Explore ◦ Graphics ◦ ◦ Search ◦ Bookmark

20  Shows general information about the case ◦ Selection in one “pane” shows details in another “pane” or sub-window

21  The “bad extensions” shows 7 files in the bottom pane ◦ Selecting one of the files in the bottom pane shows the contents in the 3 rd pane (upper right)

22  File list contains information about files ◦ “X” icon indicates deleted file ◦ File extension might indicate one type of file  In reality, another type of file

23  Shows a “Windows Explorer” style of presentation ◦ 3 evidence items seen  Each has sub-items ◦ Collapsible or expandable levels  Click on Plus or Minus signs to expand/collapse views  Selected item is shown in 3 rd pane  List of items in the selected item are shown in bottom (2 nd ) pane ◦ Clicking on one of these will present that item in the 3 rd (top-right) pane

24  Icons at top of 3 rd pane ◦ Alter the “presentation” of data  View as native application  Text view  Hexadecimal view ◦ It’s the same data, just a different way of viewing it!

25  The following demonstrates what a user sees if selecting a single file in Explorer Tab

26  Selecting Giants Tickets.doc in Explorer Tab  Word document ◦ Really made up of different “components”  Selecting the file shows an item list of components in the file  File slack is one of them

27  Shows a pane with thumbnails of images in the currently selected item in your case

28  On the main menu ◦ Select “File”  Close  Closes the case, remains in FTK  Save  Allows you to continue working on the case  Exit  Allows you to save (and backup.. Optional) the case  Shuts down FTK

29  What is “Slack Space”? ◦ It’s disk space which belongs to a file, but is not considered part of the file’s data  Happens because of the way the system allocates disk space to files ◦ How does the system give disk space to a file?  By “clusters”… a collection of 1 or more disk “sectors”  A “sector” is 512 bytes (depends on the system)  A cluster can be 1, 2, 4, or 8 sectors  Files are written in these clusters, and don’t normally fill up an entire sector or cluster ◦ Two types of “Slack Space”  Ram slack  Disk space after the file data and before the end of that sector  File slack  Disk space in sectors not used by the file, but belonging to the file

30  What’s the significance of “slack space”? ◦ Contents of RAM slack is generally whatever was in memory when the file was saved last  Might be a password, credit card number, etc.. Or garbage ◦ File slack’s contents can simply be whatever was left over and not erased when no longer needed by some other file  Maybe even another user created that other file ◦ Slack can be used to hide information  It’s not visible to users  It won’t be “grabbed” by system and overwritten

31  In Overview Tab ◦ Select Slack/Free Space button  Details pane contains all slack/free space items  Full Path describes where that slack space is located  In a specific file ◦ It’s part of the file, but not part of the data itself  Comes after the “end of file” marker  Do a “search” ◦ Word might appear in “slack”, which might indicate an attempt at hiding something

32

33  Start from the “Explore” Tab ◦ Locate the file (Giants Tickets.doc)  This file is deleted ◦ Highlight the file in Explore  You’ll see:  Pane 2 (Lower pane): list of embedded “stuff” in the file, INCLUDING FileSlack  Pane 3 (Upper right): The document as presented by FTK believing it to be a “Word doc” ◦ Then… in pane 2, select “File Slack” and observe what’s displayed in pane 3

34  Conduct a search ◦ Examine the returned “hits” of the search  Search results (“hits”) indicate where the occurrence was  Even if in slack space  Each “hit” also shows the data immediately before and after the “hit” phrase

35  Click the SEARCH tab ◦ As you type a word or “character string”  Indexed words in case show up ◦ Once you’ve found or typed your search term  ADD it to the search  You’ll see # of hits  You’ll see # of files containing those “hits”

36  Select the “hits” for the search item ◦ Then “View Item Results” ◦ You can use “AND” or “OR” logic when looking for multiple search items in the same file  AND requires all to be present  OR requires any one of them to be present

37  Indexed vs. Live ◦ Indexed  Looks up terms indexed by FTK as evidence was added ◦ Live  Looks up a term which wasn’t necessarily in the index built by FTK  Options  Text  ASCII  UNICODE  CASE SENSITIVE  REGULAR EXPRESSION  Hexadecimal

38  Keep ASCII and Unicode selected ◦ They’re both defaults  Default is “ignore case” ◦ Won’t care if upper or lower  Will take time ◦ Searches the entire case  Regular expressions (NOT IN CSI 2012) ◦ A “pattern” to match  Zip code  Telephone number  Social security number  Credit card number  Hexadecimal ◦ Look for “non-printable” character values

39  How do you find a deleted file? ◦ Overview Tab  Select the summary button for Deleted Files  All those files appear in the lower pane ◦ In the Explorer Tab  You can view the “directory structure” in the 1 st pane  Deleted files appear with a red “X” on the icon of the file or folder ◦ Deleted files are often recoverable  You need to EXPORT the file

40

41  Why could this be significant? ◦ Investigator might recover information the suspect was attempting to hide or destroy ◦ might demonstrate intent to evade detection  It can be demonstrated that a large number of files were deleted  Just prior to execution of a search warrant  After being interviewed by the police  After receiving a call from a victim or conspirator  When taken into account, might provide circumstantial evidence of intent

42  How you do it? ◦ Overview Tab  Find the Summary Button for “Bad Extensions”  Pane 2 lists all those files ◦ Explorer Tab  Navigate to the location  Pane 2 shows files in that location, with additional information for each file

43  What is “exporting”? ◦ Exporting allows an investigator to  Select a file or files  Save them as discrete files to another location outside of the FTK Case file  Why? ◦ Allows investigators to process the exported file “natively” using applications such as Word, Excel, Paint, etc  Some files must be processed natively (for example a Stego’d file must be exported and handled using S-Tools as explained in section 5) ◦ Can burn to a DVD and give to DA or other investigator ◦ Allows investigator to consolidate items of interest in one place and present only those items

44  How do you export a file? ◦ Select the file (highlight it) in Explorer Tab ◦ Right-click on the file, and “Export it”

45  How do we find the file? ◦ Overview Tab  Click on the “Improper Name” summary button ◦ Explorer Tab  In pane 2 (lower pane), improper file extensions will be noted

46  What it means ◦ It might be a deliberate attempt to evade detection and hide information  Information might be important ◦ It could also just be a mistake on the part of the user  File saved or renamed with the wrong extension

47  How do I process a file with an “Improper File Extension”? ◦ Note the type of file it really should be ◦ Export the file ◦ Use the appropriate software to view the file, according to the “real type” of file it is

48  How you do it? ◦ Certain files, such as Windows “BMP” files, can be “containers” ◦ Software such as S-Tools can hide information inside these “container files” a.Locate a suspected “stego’d” file (the container file) a.Should be a “BMP” file b.Export it from FTK’s Case i.This saves it as a separate file you can then process outside of FTK c.Use S-Tools to extract the “message file” from the “container file” i.Password or a passphrase might be required!

49  Open S-Tools  Drag the “exported” file believed to be a “container file” into S-Tools

50  Right-click the “container” in S-Tools ◦ Select “Reveal” ◦ When prompted, provide the “passphrase”  Can be a single word or a phrase  Could be case sensitive ◦ A “revealed archive” window shows with the hidden file name and size ◦ Select the file in the “Reveal Archive” box  Right-click the file you wish to extract from the container file  Save as…  Choose a location  You’ve now successfully extracted the hidden message!

51

52  The result!

53  What it means ◦ Definitely a means of evading detection. It’s not accidental!!  1. Data is hidden  2. passphrase might be required ◦ Whoever can be demonstrated to know the passphrase either put the hidden data there, or knew how to retrieve it  Guilty knowledge!

54  Best of luck to all CSI Challenge participants!


Download ppt "2012.  Provides the backstory behind the crime  Provides pertinent information related to the motive behind the crime  Requires the use of 2 software."

Similar presentations


Ads by Google