
Forensic Analysis using FTK Imager

The case you will be investigating involves a thumb drive obtained under mysterious circumstances by a group of UFO enthusiasts. They claim it contains evidence of a top secret government program that involves regular contact with alien races and space exploration they are performing using alien technology. Their agent inside the government agency was fearful that s/he had been compromised and attempted to destroy some of the information. After leaving the thumb drive at their arranged drop-off point, their agent has disappeared and they have had no further contact. They have imaged the thumb drive and retained your investigative services firm to determine what conclusions can be drawn from the information in the thumb drive image.

A set of numbered questions appears at the end of the lab and must be answered to receive credit for the lab. It might be helpful to refer to these questions as you perform the steps in the lab.

FTK Imager is an imaging utility developed by AccessData. In addition to its capabilities for creating disk images, it can also be used to explore the contents of a disk image. FTK Imager can be downloaded from the FTK Imager section of http://accessdata.com/support/adownloads . Download the full version (not the Lite version) and install it on your Windows system. Note that a reference manual is also available for the product and may be used as an additional resource during this lab.

Download the image of the thumb drive, alienimage.dd, and its hash, alienimage.md5, from the course website onto your computer. Confirm that the image hash matches the one in the MD5 file before you open the image in FTK Imager; if it does not, the copy you have is not the evidence the group imaged, and nothing found in it can be relied on.
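The hash check in the last step, as an added example in Python (it is not part of the lab handout). The handout does not say what alienimage.md5 looks like, so the parser assumes it holds either a bare 32-hex-digit digest or an md5sum-style "<digest>  <filename>" line and accepts both; the image is streamed through the hash so it does not have to fit in memory.

```python
# Added example (not part of the original lab): verify the downloaded image
# against its recorded MD5 before any analysis starts. The sidecar format is
# an assumption: a bare digest or an md5sum-style "<digest>  <filename>" line.
import hashlib
import hmac
import re

MD5_DIGEST = re.compile(r"\b([0-9a-fA-F]{32})\b")


def md5_hex(data):
    """MD5 of an in-memory byte string (used for self-checks and small inputs)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the image through MD5 so multi-GB images do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5_file(text):
    """Pull the digest out of the .md5 sidecar, whatever text surrounds it."""
    m = MD5_DIGEST.search(text)
    if not m:
        raise ValueError("no 32-hex-digit MD5 digest found in sidecar")
    return m.group(1).lower()


def digest_matches(computed, recorded):
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(computed.lower(), recorded.lower())


def verify_image(image_path, md5_path):
    """Return (ok, computed, recorded) so both values can go into the case notes."""
    with open(md5_path, "r", encoding="utf-8", errors="replace") as f:
        recorded = parse_md5_file(f.read())
    computed = md5_of_file(image_path)
    return digest_matches(computed, recorded), computed, recorded


if __name__ == "__main__":
    import sys
    image, sidecar = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("alienimage.dd", "alienimage.md5")
    ok, computed, recorded = verify_image(image, sidecar)
    print(f"computed {computed}\nrecorded {recorded}")
    print("MATCH" if ok else "MISMATCH: do not proceed with this copy")
```

Run it as `python verify.py alienimage.dd alienimage.md5` and paste both digests into your notes whether or not they match. A matching MD5 only shows that your copy is the one the group handed over; MD5 collisions are cheap, so if you later hand the image on, record a SHA-256 of it as well.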

Start FTK Imager by clicking on its icon. If you receive a security warning, click OK to allow the program to run.

Click on File and then Add Evidence Item in the menu.


Select Image File in the Select Source dialog and click on Next.

In the Select File dialog, browse to the location where you downloaded the alienimage.dd file, select it and click on Finish.


FTK Imager's default display will appear with the contents of the thumb drive visible in the View pane at the lower right.

Click on the Properties tab below the lower left pane to view the properties for the disk image.

Click on the + sign next to alienimage.dd in the Evidence Tree and then on 200801102 [FAT16] to cause the file system properties to appear in the Properties tab.


Click on the + sign next to 200801102 [FAT16] to expand it; note that the other panes automatically update to match your action.

Click on [root] in the Evidence Tree pane to display the root directory of the drive. In the File List pane, you will see the list of files present on the drive. Deleted files have a red X over the icon derived from their file extension. Some deleted files have a size of 0: their directory entry no longer points to any data, which in this case indicates that the data has been overwritten and is no longer recoverable. In the View pane, the hex contents of the directory itself are displayed. Select one of the files in the File List by clicking on it and notice that the Properties and View panes update. In the Properties pane, the MAC times for the file are displayed, as well as its size and other information. Select the file biodomesunset.jpg with a file size of 339KB. A display of the image appears in the View pane. Click on Mode and select Hex from the dropdown menu. This changes the View pane from image to hex view.
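The hex you see in the View pane when [root] is selected is a run of 32-byte FAT directory entries, and the deleted flag, size and MAC times that FTK Imager shows in the File List and Properties panes are decoded from exactly those bytes. The following Python decoder is an added example, not part of the lab handout or of FTK Imager; the sample directory it parses is constructed here with a packing helper and is not the content of alienimage.dd.

```python
# Added example (not part of the original lab): decode raw FAT16 directory
# entries like the ones FTK Imager shows in the hex view of [root].
# The sample directory below is constructed for this example; it is not
# the content of alienimage.dd.
import struct
from datetime import datetime

ENTRY_FMT = "<11s3B7HI"          # 32-byte short-name (8.3) directory entry
assert struct.calcsize(ENTRY_FMT) == 32
ATTR_LFN = 0x0F                  # long-file-name fragment, not a real entry
ATTR_DIRECTORY = 0x10


def fat_datetime(date, time, tenths=0):
    """Decode FAT's packed date/time words. A date of 0 means the field was never set."""
    if date == 0:
        return None
    year = 1980 + (date >> 9)
    month = (date >> 5) & 0x0F
    day = date & 0x1F
    hour = time >> 11
    minute = (time >> 5) & 0x3F
    second = (time & 0x1F) * 2 + tenths // 100      # FAT stores seconds / 2
    microsecond = (tenths % 100) * 10_000
    try:
        return datetime(year, month, day, hour, minute, second, microsecond)
    except ValueError:
        return None                                  # corrupt or overwritten field


def parse_dir_entry(raw):
    (name, attr, _nt, tenths, ctime, cdate, adate,
     _hi, wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == 0xE5                        # 0xE5 in byte 0 marks a deleted entry
    if name[0] == 0x05:                              # 0x05 escapes a genuine 0xE5 first byte
        name = b"\xe5" + name[1:]
    base = name[:8].decode("latin-1").rstrip()
    ext = name[8:].decode("latin-1").rstrip()
    if deleted:                                      # the first character is lost on delete
        base = "?" + name[1:8].decode("latin-1").rstrip()
    first_cluster = lo                               # the high word is only used on FAT32
    return {
        "name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "is_dir": bool(attr & ATTR_DIRECTORY),
        "size": size,
        "first_cluster": first_cluster,
        "created": fat_datetime(cdate, ctime, tenths),
        "accessed": fat_datetime(adate, 0),          # access is recorded as a date only
        "modified": fat_datetime(wdate, wtime),
        # The lab's heuristic: a deleted entry with size 0 has nothing left to carve.
        "recoverable": deleted and size > 0 and first_cluster != 0,
    }


def parse_directory(blob):
    """Walk a raw directory region: stop at the 0x00 end marker, skip LFN fragments."""
    entries = []
    for off in range(0, len(blob) - len(blob) % 32, 32):
        raw = blob[off:off + 32]
        if raw[0] == 0x00:
            break
        if raw[11] & 0x3F == ATTR_LFN:
            continue
        entries.append(parse_dir_entry(raw))
    return entries


def build_entry(name83, attr, y, mo, d, h, mi, s, first_cluster, size):
    """Pack a sample entry (helper for constructing the demo data only)."""
    date = ((y - 1980) << 9) | (mo << 5) | d
    time = (h << 11) | (mi << 5) | (s // 2)
    return struct.pack(ENTRY_FMT, name83, attr, 0, 0,
                       time, date, date, 0, time, date, first_cluster, size)


LFN_FRAGMENT = bytearray(32)                         # constructed LFN fragment (attr 0x0F)
LFN_FRAGMENT[0], LFN_FRAGMENT[11] = 0x41, ATTR_LFN

SAMPLE_DIRECTORY = (                                 # constructed, not from alienimage.dd
    build_entry(b"ALIEN   TXT", 0x20, 2008, 1, 10, 9, 15, 30, 3, 1234)
    + bytes(LFN_FRAGMENT)
    + b"\xe5" + build_entry(b"LILY    JPG", 0x20, 2008, 1, 10, 14, 35, 20, 5, 347136)[1:]
    + b"\xe5" + build_entry(b"WIPED   DOC", 0x20, 2008, 1, 11, 8, 0, 0, 0, 0)[1:]
    + bytes(32)                                      # end-of-directory marker
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        flag = "DELETED" if e["deleted"] else "       "
        print(f"{flag} {e['name']:<12} size={e['size']:>8} cluster={e['first_cluster']:>4} "
              f"modified={e['modified']} recoverable={e['recoverable']}")
```

To run it against the real drive, feed `parse_directory` the raw bytes of the root directory region read out of alienimage.dd at the offset the boot sector gives (reserved sectors plus the FATs); locating that region is not done here. Two things the decoder makes visible that the File List hides: FAT timestamps have 2-second resolution and no time zone, so MAC times are only as trustworthy as the clock of whatever machine wrote them, and a deleted entry with size 0 and cluster 0 has had its metadata zeroed, which is different from an ordinary delete that leaves both fields intact.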

In the hex view, notice the text mentioning Adobe Photoshop. This text is part of the Exchangeable Image File Format (EXIF) metadata that many digital cameras and graphics programs insert into image files. The information can be interpreted by an EXIF viewer, many of which are available on the Internet. Switch the view mode back to automatic by clicking on Mode on the toolbar and selecting Automatic; the View pane switches back to showing the image. Select the file lily.jpg in the File List pane. A red X is displayed in the View pane, indicating that the file cannot be interpreted as an image. This may be because the file is corrupted, or for some other reason. Switch the view to hex using the same method as before.

Note the string PDF in the first few bytes of the file. This suggests a signature mismatch between the contents of the file (its header, or "magic" bytes) and its file extension. Right-click the file lily.jpg and choose Export Files from the pop-up menu. Follow the dialog to export the file from the image to a file on your computer. On your computer, rename the exported file to lily.pdf and attempt to open it as a PDF document (you may need to download Adobe Acrobat Reader if it's not already installed). Treat anything exported from evidence as untrusted: open it on a machine, or in a virtual machine, whose compromise you can tolerate. The file with the ZZZZ extension looks unusual. Examine its contents to see if you can draw any conclusions as to what it is. Examine the remainder of the files to assess their bearing on the case question(s).
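The signature check above is done by eye in the hex view; the following Python is an added example (not part of the lab handout) of doing it systematically over exported files: compare the leading bytes against a small signature table, compare that with what the extension claims, and pull out printable strings the way the `strings` utility does, which is also how the Adobe Photoshop text surfaced in biodomesunset.jpg. The byte strings it checks are constructed for the example; the "JPEG" sample is only a header with marker bytes and an embedded software string, not a decodable image, and none of them are the real lab files.

```python
# Added example (not part of the original lab): compare a file's leading bytes
# (its signature, or "magic") with what its extension claims, and list the
# printable strings in it. Sample byte strings are constructed, not the lab's files.
import re

# Signature table: (leading bytes, type). More specific prefixes come first.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
    (b"BM", "bmp"),
]

# What each extension is expected to contain.
EXTENSION_TYPES = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "exe": "pe", "dll": "pe", "bmp": "bmp",
}


def identify(data):
    """Return the type implied by the file's first bytes, or None if unknown."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def check_extension(filename, data):
    """Compare the extension's claim with the signature. Unknowns are reported, not flagged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_TYPES.get(ext)
    detected = identify(data)
    return {
        "file": filename,
        "extension": ext,
        "expected": expected,
        "detected": detected,
        "known_extension": expected is not None,
        "mismatch": expected is not None and detected is not None and expected != detected,
    }


def printable_strings(data, min_len=8):
    """The 'strings' check: ASCII runs that reveal EXIF/software tags, PDF objects, etc."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


# Constructed samples (not the lab's files).
LILY_JPG = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
BIODOME_JPG = (                                   # JPEG marker bytes only; lengths not meaningful
    b"\xff\xd8\xff\xe1\x00\x1e" + b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"   # SOI + APP1/Exif
    + b"\xff\xed\x00\x22Photoshop 3.0\x00"                                     # APP13 Photoshop block
    + b"Adobe Photoshop CS3 Windows\x00" + b"\xff\xd9"                          # software string + EOI
)
ZZZZ_FILE = b"\x00" * 32                          # unknown extension, unknown content

if __name__ == "__main__":
    samples = [("lily.jpg", LILY_JPG), ("biodomesunset.jpg", BIODOME_JPG), ("file.zzzz", ZZZZ_FILE)]
    for name, data in samples:
        r = check_extension(name, data)
        print(f"{name:<20} ext={r['expected']!s:<5} magic={r['detected']!s:<5} mismatch={r['mismatch']}")
        for s in printable_strings(data):
            print("    ", s)
```

Run the same three functions over every file exported from the image rather than only lily.jpg; a renamed file is the cheapest way to hide a document from a casual browse, and the `mismatch` flag is what a mass check surfaces. Keep the signature table short and explicit: a two-byte prefix like `MZ` or `BM` will match unrelated data, so an unknown result means "look at it by hand", not "harmless".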

Conclusion

Though FTK Imager is by no means a full-function forensic tool, it does illustrate how much information relevant to a forensic investigation can be gathered using a free tool.

Credits

The digital images used in this lab are the artistic work of Mr. Ryan Bliss (www.digitalblasphemy.com) and are used with his gracious permission.

Lab Questions
1. From the hex content of the drive image, what file system was in use on the drive?
2. Based on the image file properties, what are the sector count and image type for the drive image?
3. Based on the file system properties for the image, what is the cluster size? How many clusters are in use? How many clusters are free?
4. In the hex view of the directory, what is the significance of the byte E5 that often appears as the first character of a filename?
5. An important source of information for constructing a timeline of activities on the system is the set of file MAC times (where MAC stands for Modified, Accessed, Created). Examining the MAC times for all the files in the root directory, do you find them consistent with the UFO group's story?
6. What does the EXIF information present on some of the photographs suggest about their origin?
7. Is there a signature mismatch for the file lily.jpg? Does the content of this file add any weight to your overall conclusions?
8. Based on the images you recovered, what would be your conclusion as to the UFO group's suspicion of off-world activities of a secret government organization?
9. Examining the files present on the image, can you identify any traces of the use of a secure deletion utility? Hint: research the operation of the utility sdelete, available from the Sysinternals web site.


ISA4350 FTK Lab Answer Sheet

Name: ______________________________    Date: ______________

1. __________________________________________________________________
   __________________________________________________________________
2. __________________________________________________________________
   __________________________________________________________________
3. __________________________________________________________________
   __________________________________________________________________
4. __________________________________________________________________
   __________________________________________________________________
5. __________________________________________________________________
   __________________________________________________________________
6. __________________________________________________________________
   __________________________________________________________________
7. __________________________________________________________________
   __________________________________________________________________
8. __________________________________________________________________
   __________________________________________________________________
9. __________________________________________________________________
   __________________________________________________________________

