Processing the Case - Computer Forensics with FTK (2014)

Chapter 5. Processing the Case

This chapter covers the most important features for processing and filtering data during an investigation.

Processing is considered the most important step because the correct use of its features can be decisive for the results of an investigation.

You will understand the importance of the correct use of the Time Zone feature and how this impacts the properties of the files, and learn how to use filters and searches. Finally, you will be able to generate a report of your findings.

Changing the time zone

Correct use of the Time Zone feature is of the utmost importance in computer forensics: an incorrect setting displays the wrong MAC (modified, accessed, created) times for the files in the evidence, which can lead an examiner to put wrong information in an investigation report.

Because of this, you must configure the time zone to reflect the location where the evidence was acquired. For example, if you acquired a computer located in Los Angeles, US, and bring the evidence to Sao Paulo, Brazil, where your lab is situated, you should set the time zone to Los Angeles so that the MAC times of the files reflect the actual moment of their modification, access, or creation.

FTK lets you set the time zone when you add new evidence to the case. Select the time zone of the location where the evidence was seized from the drop-down list in the Time Zone field. This field is required to add evidence to the case.

Take a look at the following screenshot:

[Screenshot: Changing the time zone]

Tip

You can also change the value of Time Zone after adding the evidence. In the menu toolbar, click on View and then click on Time Zone Display.
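The following added example (not code from the book or from FTK) shows why the display zone matters: NTFS stores MAC times as FILETIME ticks in UTC, and the zone is applied only at display time. The sample file record and the two zones are constructed for the Los Angeles/Sao Paulo scenario above.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# NTFS keeps MAC timestamps as FILETIME values: 100-nanosecond ticks since
# 1601-01-01 00:00 UTC. No zone is stored with the file; it is applied only
# when the value is displayed, which is what FTK's Time Zone setting controls.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a raw FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_utc; used here only to build the sample values."""
    return ((moment - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def display_time(filetime: int, tz_name: str) -> str:
    """Render the stored timestamp the way an examiner would see it in tz_name."""
    local = filetime_to_utc(filetime).astimezone(ZoneInfo(tz_name))
    return local.strftime("%Y-%m-%d %H:%M:%S %z")


def mac_times_in_zone(record: dict, tz_name: str) -> dict:
    """Apply one display zone to a record of raw FILETIME M/A/C values."""
    return {key: display_time(value, tz_name) for key, value in record.items()}


# Constructed sample: a file whose raw timestamps fall on 2014-03-16 at
# 04:30 UTC (modified), 05:45 UTC (accessed) and 04:00 UTC (created).
SAMPLE_FILE = {
    "Modified": utc_to_filetime(datetime(2014, 3, 16, 4, 30, tzinfo=timezone.utc)),
    "Accessed": utc_to_filetime(datetime(2014, 3, 16, 5, 45, tzinfo=timezone.utc)),
    "Created": utc_to_filetime(datetime(2014, 3, 16, 4, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    # Seized in Los Angeles (PDT, UTC-7 on that date) but examined in Sao Paulo
    # (UTC-3, Brazilian DST having ended in February 2014): the lab zone puts
    # every event on the 16th, the seizure zone shows they happened on the 15th.
    for zone in ("America/Los_Angeles", "America/Sao_Paulo"):
        print(zone, mac_times_in_zone(SAMPLE_FILE, zone))
```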

Mounting compound files

To locate important information during your investigation, you should expand individual compound file types. This lets you see the child files that are contained within a container, such as ZIP or RAR files. You can access this feature from the case manager's new case wizard, or from the Add Evidence or Additional Analysis dialogs.

The following are some of the compound files that you can mount:

· E-mail files: PST, NSF, DBX, and MSG

· Compressed files: ZIP, RAR, GZIP, TAR, BZIP, and 7-ZIP

· System files: Windows thumbnails, registry, PKCS7, MS Office, and EVT

Note

If you don't mount compound files, the child files will not be located in keyword searches or filters.

To expand compound files, perform the following steps:

1. Do one of the following:

· For new cases, click on the Custom button in the New Case Options dialog

· For existing cases, go to Evidence | Additional Analysis

2. Select Expand Compound Files.

3. Click on Expansion Options….

4. In the Compound File Expansions Options dialog, select the types of files that you want to mount.

5. Click on OK:

[Screenshot: Mounting compound files]

File and folder export

You may need to export some files or folders, either to perform some action outside of FTK or simply to present the evidence.

To export files or folders you need to perform the following steps:

1. Select one or more files that you would like to export.

2. Right-click on the selection and select Export.

3. A new dialog will open. You can configure some settings before exporting as follows:

· File Options: This field has advanced options to export files and folders. You can use the default options for a simple export.

· Items to Include: This field selects the files and folders that you will export. You can export the checked, listed, or highlighted items, or all of them together.

· Destination base path: This is the folder where the exported files are saved.

Take a look at the following screenshot:

[Screenshot: File and folder export]

Column settings

Columns present the properties or metadata of the evidence data. By default, FTK shows the most commonly used columns, but you can add or remove columns to help you find relevant information quickly. To manage columns in FTK, right-click on the column bar in the File List view and select Column Settings…. The number of available columns is very large. You add or remove the columns you need by selecting the type and clicking on the Add button:

[Screenshot: Column settings]

FTK also provides column-settings templates. You can access them by clicking on Manage and navigating to Columns | Manage Columns:

[Screenshot: Column settings]

You can use some ready-made templates, edit them, or create your own.

Creating and managing bookmarks

A bookmark is a group of files that you want to reference in your case. These are user-created groups and the list is stored for later reference and for use in the report output. You can create as many bookmarks as needed in a case. Bookmarks can be nested within other bookmarks for convenience and categorization purposes. Bookmarks help organize the case evidence by grouping related or similar files. For example, you can create a bookmark of graphics that contain similar or related graphic images. The Bookmarks tab lists all bookmarks that have been created in the current case.

To create a bookmark, perform the following steps:

1. In the File List view, select the files that you want to add to the bookmark.

2. Right-click on selected files and click on Create Bookmark.

3. Enter the information about the bookmark.

4. Click on OK:

[Screenshot: Creating and managing bookmarks]

The main options to create new bookmarks are as follows:

· Bookmark Name: This is the name of your new bookmark.

· Bookmark Comment: This option includes free text regarding your bookmark.

· Timeline Bookmark: Select this option to create a timeline bookmark. This option shows the chronological relationships of the files in your case.

· File to Include: With this option, you can see the files that you had selected earlier.

· File Comment: This option includes free text about your file.

· Supplementary Files: With this option, you can attach external files that can help in your investigation case.

· Also include: In this option, you can include Parent index.dat, Email Attachments, and Parent Email if applicable.

· Select Bookmark Parent: This is the folder that you will use to create the bookmark, and it will determine if the bookmark will be private or shared.

Once the bookmark is created, you can add or remove files when necessary.

Tip

You can bookmark other information such as selected text, e-mails, and e-mail attachments.

The Additional Analysis feature

After the evidence has been added to a case and processed, you may wish to perform other analysis tasks. To further analyze the selected evidence, click on Evidence and then click on Additional Analysis.

Most of the tasks available during the initial evidence processing remain available with Additional Analysis. You can perform multiple processing tasks at the same time. Make your selections and click on OK to create a new job, as shown in the following screenshot:

[Screenshot: The Additional Analysis feature]

All the processing options were explained earlier; refer to Chapter 4, Working with FTK Forensics.

Carving the data

Data carving is the process of recovering data that has been deleted from the filesystem. It works by identifying file headers and footers, mainly in unallocated clusters. FTK provides several predefined carvers that you can select when adding evidence to a case, and you can also create custom carvers to meet your exact needs.

Data carving can be selected in the New Case Wizard or later, using the Additional Analysis feature:

[Screenshot: Carving the data]

In the Carving Options dialog box, select the file types that you want to try to recover and click on OK to go back to Detailed Options, then run the task.

You can also create your own carvers by specifying the headers and footers of the files that you would like to recover. To create a carver, perform the following steps:

1. In the toolbar menu, click on Manage.

2. Click on the Carvers option.

3. Next, select Manage Custom Carvers.

After carving has completed, you can find the carved files using the Carved Files filter or through the following steps:

1. Change the view to the Overview tab.

2. Select the File Status option.

3. Finally, click on Data Carved Files.
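The header/footer carving that the section describes, as an added example (not the book's or FTK's code). The `Carver` definition mirrors what a custom carver asks for; the JPEG markers are real, but the "unallocated" byte range and the two JPEG-like blobs are constructed, and the orphan header at the end shows the case where the footer has been overwritten.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Carver:
    """Header/footer definition of the kind a custom carver asks for."""
    name: str
    header: bytes
    footer: bytes
    max_size: int  # stop looking for the footer after this many bytes


# JPEG: SOI marker as header, EOI marker as footer.
JPEG_CARVER = Carver("JPEG", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024)


def carve(data: bytes, carver: Carver) -> list:
    """Return (offset, content) for every header..footer pair in a raw byte range.

    Fragmented or partly overwritten files cannot be rebuilt this way; a header
    with no footer within max_size is skipped, not carved.
    """
    found = []
    pos = 0
    while True:
        start = data.find(carver.header, pos)
        if start == -1:
            break
        limit = min(len(data), start + carver.max_size)
        end = data.find(carver.footer, start + len(carver.header), limit)
        if end == -1:
            pos = start + 1  # orphan header: keep scanning past it
            continue
        end += len(carver.footer)
        found.append((start, data[start:end]))
        pos = end
    return found


# Constructed stand-in for unallocated clusters: two JPEG-like blobs, filler,
# and a trailing header whose footer was overwritten.
FAKE_JPEG_A = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 40 + b"\xff\xd9"
FAKE_JPEG_B = b"\xff\xd8\xff\xe1\x00\x20Exif" + b"\x22" * 20 + b"\xff\xd9"
UNALLOCATED = (
    b"\x00" * 512 + FAKE_JPEG_A + b"\x00" * 128 + FAKE_JPEG_B
    + b"\x00" * 64 + b"\xff\xd8\xff" + b"\x44" * 16
)

if __name__ == "__main__":
    for offset, blob in carve(UNALLOCATED, JPEG_CARVER):
        print(f"carved {JPEG_CARVER.name} at offset {offset}, {len(blob)} bytes")
```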

Narrowing the case with KFF

The Known File Filter (KFF) is a database utility that compares known file hash values against the hashes of your case files.

Using the KFF during your analysis, you can do the following:

· Immediately identify and ignore 40 to 70 percent of files

· Immediately identify known contraband files

Note

A hash is computed from a file's data, not from its name or extension.

The KFF database is based on the NSRL from the National Institute of Standards and Technology (NIST) and can be downloaded from the AccessData website at http://www.accessdata.com/support/product-downloads.

The KFF can be selected in the New Case Wizard or later, using the Additional Analysis feature.

To import a new KFF database and define a group, perform the following steps:

1. Click on Manage and select KFF.

2. Click on Import to select a new database.

3. To locate a database file, click on Add File.

4. Select the Status: Alert or Ignore.

5. Insert the path where the file is located.

6. Click on OK to go back to KFF Hash Import Tool.

7. Click on Import to process your new KFF database.

[Screenshot: Narrowing the case with KFF]

8. In KFF Admin Case, click on New to create a group.

9. Add the KFF database processed previously.

10. Click on Done to finish.

To run the KFF in your case, open the Additional Analysis options:

1. Select KFF and click on KFF Groups….

2. Check the name of the group created previously.

3. Click on Done.

4. Finally, click on OK to start a new job.

[Screenshot: Narrowing the case with KFF]

To use the results of the KFF to hide known files from your case, use the following filters:

· KFF Alert Files

· KFF Ignore Files
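The KFF comparison, as an added example (not the book's or FTK's code, and not real NSRL data): a constructed hash set with Alert and Ignore statuses is run against constructed case files with hypothetical paths. It shows the point of the note above, that a renamed file still hits while a file changed by one byte does not.

```python
import hashlib


def file_hash(content: bytes) -> str:
    """SHA-1 of the file data; NSRL publishes SHA-1 (and MD5) for each known file."""
    return hashlib.sha1(content).hexdigest()


# Constructed KFF-style hash set (not real NSRL data). Each entry carries the
# status chosen on import: Ignore for known-good, Alert for known-bad.
KNOWN_GOOD = b"MZ\x90\x00constructed stand-in for an operating-system binary"
KNOWN_BAD = b"constructed stand-in for a known contraband file"
KFF_SET = {
    file_hash(KNOWN_GOOD): "Ignore",
    file_hash(KNOWN_BAD): "Alert",
}


def kff_status(content: bytes, kff_set: dict = KFF_SET) -> str:
    """Classify one file purely by its data: Alert, Ignore, or Unknown."""
    return kff_set.get(file_hash(content), "Unknown")


def run_kff(case_files: dict, kff_set: dict = KFF_SET) -> dict:
    """Return {path: status} for a case, mirroring the KFF Alert/Ignore filters."""
    return {path: kff_status(data, kff_set) for path, data in case_files.items()}


def review_percentage(results: dict) -> float:
    """Share of files left to review once Ignore hits are hidden."""
    remaining = sum(1 for status in results.values() if status != "Ignore")
    return 100.0 * remaining / len(results)


# Constructed case files with hypothetical paths.
CASE_FILES = {
    "C:/Windows/System32/sample.dll": KNOWN_GOOD,               # exact known-good copy
    "C:/Users/jdoe/Pictures/holiday.jpg": KNOWN_BAD,            # renamed; the extension lies
    "C:/Users/jdoe/Pictures/holiday2.jpg": KNOWN_BAD + b"\x00",  # one byte appended: no hit
    "C:/Users/jdoe/notes.txt": b"meeting at 10, bring the contract",
}

if __name__ == "__main__":
    results = run_kff(CASE_FILES)
    for path, status in results.items():
        print(f"{status:<8}{path}")
    print(f"{review_percentage(results):.0f}% of files still need review")
```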

Searching the case

Keyword search, one of the most important features of the tool, is used in almost every investigation and can help you locate relevant information in files, documents, and e-mails.

The Index Search and Live Search options

A live search is a bit-by-bit comparison of the entire evidence set against the search term, so it takes somewhat more time than an index search. Live searches also let you search for regular expressions and hex values.

To conduct a live search, perform the following steps:

1. Click on the Live Search tab.

2. In the Text tab, insert your keyword and click on Add.

3. You will now see the keyword inserted in the Search Terms list; click on Search.

4. The results will appear in Live Search Results with the number of hits:

[Screenshot: The Index Search and Live Search options]

The Index Search option compares search terms against the index database. To use this kind of search, you must choose to generate an index during evidence processing.

To perform an index search, perform the following steps:

1. Click on the Index Search tab.

2. In the Terms section, insert your keyword and click on Add.

3. The possible hits of your keyword will be displayed immediately. Select the most appropriate and double-click on it.

4. You will see the keyword inserted in the Search Terms list; click on Search Now.

5. The results will appear in Index Search Results with the number of hits:

[Screenshot: The Index Search and Live Search options]

Regular expressions

A regular expression (regex) is a special text string that describes a search pattern. It helps identify information that follows a predefined pattern, such as a phone number or a credit card number. The following screenshot shows such search patterns:

[Screenshot: Regular expressions]

As you can see, FTK ships with a large list of ready-to-use regular expressions. You can also create your own to better match your goals.

Regular expressions can be complex to construct. To learn more about the techniques for building them, consult other sources such as Wikipedia at http://en.wikipedia.org/wiki/Regular_expression.
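An added example (not the book's or FTK's code) of a regex live search over raw evidence bytes, covering the two sections above. The phone and card patterns are written for this example, not copied from FTK's list; the evidence fragment is constructed. It scans 8-bit text and UTF-16LE text (common in Windows artifacts) and uses the Luhn checksum to drop digit runs that cannot be card numbers.

```python
import re

# Patterns of the kind FTK ships ready-made; lookarounds instead of \b so a
# leading "(" or trailing punctuation neither blocks nor shifts the match.
PATTERNS = {
    "phone": r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)",
    "card": r"(?<!\d)(?:\d{4}[- ]?){3}\d{4}(?!\d)",
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; real card numbers pass, most random 16-digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def live_search(evidence: bytes, name: str) -> list:
    """Scan raw bytes for a pattern, as a live search does. Returns sorted
    (byte offset, encoding, text) hits found in 8-bit text and in UTF-16LE."""
    pattern = PATTERNS[name]
    hits = []
    for m in re.finditer(pattern.encode("ascii"), evidence):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    # Windows artifacts often hold UTF-16LE; try both byte alignments. The
    # offset mapping assumes BMP-only text (one code unit per character).
    for align in (0, 1):
        text = evidence[align:].decode("utf-16-le", errors="replace")
        for m in re.finditer(pattern, text):
            hits.append((align + 2 * m.start(), "utf-16le", m.group()))
    if name == "card":  # drop digit runs that fail the checksum
        hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h[2]))]
    return sorted(hits)


# Constructed evidence fragment: padding, 8-bit text and one UTF-16LE string.
EVIDENCE = (
    b"\x00" * 32
    + b"Call me at (555) 123-4567 tomorrow."
    + b"\x00" * 16
    + b"card: 4111 1111 1111 1111 exp 12/15"  # passes Luhn
    + b"\x00" * 16
    + b"serial 1234 5678 9012 3456"           # looks like a card, fails Luhn
    + b"\x00" * 16
    + "Tel 555-987-6543".encode("utf-16-le")
)

if __name__ == "__main__":
    for name in PATTERNS:
        print(name, live_search(EVIDENCE, name))
```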

Working with filters

Filters help locate specific data very quickly and reduce the time spent examining data, because they narrow a large data set down to a very specific focus.

You can use the predefined filters or create your own. To use a predefined filter, just click on the combo box in the Filter toolbar, as shown in the following screenshot:

[Screenshot: Working with filters]

You can also combine filters. Click on Filter Manager… to create your combinations.

To create a new filter, perform the following steps:

1. Click on Manage and navigate to Filters | Manage Filters.

2. Click on New.

3. Enter a name and a description for the new filter.

4. Select properties from the drop-down menu.

5. Select operators from the drop-down menu.

6. Select the applicable criteria from the drop-down menu.

7. Click on the + button to add a new item to the rules.

8. Select the Match Any option to use the OR operator or the Match All option to use the AND operator.

9. To test a filter without having to save it first, check the Live Preview box.

10. Click on Save and then click on Close.

[Screenshot: Working with filters]
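The rule model behind steps 4 to 8, as an added example (not the book's or FTK's code): each rule is a property, an operator and a criterion, and Match All / Match Any decide whether the rules are ANDed or ORed. The operator names, the File List records and the filters are constructed for this example.

```python
import fnmatch
import operator
from datetime import datetime

# Operators of the kind offered in the Manage Filters dialog: comparisons for
# numbers, dates and booleans; 'contains' and 'matches' for text.
OPERATORS = {
    "=": operator.eq, "!=": operator.ne,
    ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le,
    "contains": lambda value, crit: crit.lower() in value.lower(),
    "matches": lambda value, crit: fnmatch.fnmatch(value.lower(), crit.lower()),
}


def build_filter(rules: list, match_all: bool = True):
    """Turn (property, operator, criterion) rules into a predicate over one
    file record. match_all=True is Match All (AND); False is Match Any (OR)."""
    combine = all if match_all else any

    def predicate(record: dict) -> bool:
        return combine(OPERATORS[op](record[prop], crit) for prop, op, crit in rules)
    return predicate


def apply_filter(records: list, predicate) -> list:
    """Names of the records that survive the filter (what the File List shows)."""
    return [r["Name"] for r in records if predicate(r)]


# Constructed File List records with the columns the rules refer to.
FILE_LIST = [
    {"Name": "invoice_2013.pdf", "Ext": "pdf", "Size": 120_000, "Deleted": False,
     "Modified": datetime(2013, 11, 2, 10, 5)},
    {"Name": "IMG_0417.jpg", "Ext": "jpg", "Size": 2_400_000, "Deleted": False,
     "Modified": datetime(2014, 1, 20, 18, 40)},
    {"Name": "thumb.jpg", "Ext": "jpg", "Size": 8_000, "Deleted": True,
     "Modified": datetime(2014, 1, 20, 18, 41)},
    {"Name": "old_invoice.xls", "Ext": "xls", "Size": 60_000, "Deleted": True,
     "Modified": datetime(2012, 6, 1, 9, 0)},
]

# Match All: large JPEGs modified in 2014.
LARGE_RECENT_JPEGS = build_filter(
    [("Ext", "=", "jpg"), ("Size", ">", 100_000), ("Modified", ">=", datetime(2014, 1, 1))])
# Match Any: anything deleted OR anything whose name mentions an invoice.
DELETED_OR_INVOICE = build_filter(
    [("Deleted", "=", True), ("Name", "contains", "invoice")], match_all=False)

if __name__ == "__main__":
    print(apply_filter(FILE_LIST, LARGE_RECENT_JPEGS))
    print(apply_filter(FILE_LIST, DELETED_OR_INVOICE))
```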

Reporting the case

The report is the most important part of your process, because it is the only part of your work that the recipients see. All the analysis work is useless if the report cannot clearly show the links between the identified evidence and the alleged offence.

You can create a case report about the relevant information of your investigation case. Reports can be generated in different formats, including HTML and PDF.

To create a case report, perform the following steps:

1. Click on File and then click on Report… to run the Report wizard:

[Screenshot: Reporting the case]

2. In the Report Outline box, select the information that will be included in the report and fill in the details for each item.

3. Click on OK:

[Screenshot: Reporting the case]

4. In the Report Folder field, set the output path for your report.

5. Select the language to use in the report.

6. Select the output file format.

7. Click on OK to generate the final report.

You can distribute your report in printed form, by e-mail, on portable media, or as a website.

Summary

This chapter covered several important features that help identify relevant information quickly and efficiently through filters and keywords. It also covered the KFF and how it saves time during an investigation by eliminating known files from your case, as well as the creation and management of bookmarks and how to generate a final report from this information.

In the next chapter, you will learn about the new features of FTK v5.