
Forensic Investigation: Using FTK Imager

FTK Imager is an open-source software by AccessData that is used for creating accurate copies of the original evidence without actually making any changes to it. The original evidence remains untouched while the tool copies its data at a much faster rate, and the resulting image can then be preserved and analyzed further.

FTK Imager also provides an inbuilt integrity-checking function, which generates a hash report so that the hash of the evidence can be matched before and after the image of the original evidence is created.

Table of Contents

·        Creating a Forensic Image

·        Capturing Memory

·        Analyzing memory dump

·        Mounting Image to Drive

·        Custom Content Image using AD encryption

·        Decrypt AD Encryption

·        Obtain Protected Files

·        Detect EFS Encryption

·        Export Files

Let us begin with creating an image copy of the original evidence.

Creating a Forensic Image:

Forensic imaging is one of the most crucial steps in a digital forensic investigation. It is the process of making an archival or backup copy of an entire hard drive. The resulting image file contains all the information needed to boot the operating system. However, the image has to be applied to a hard drive before it can be used: one cannot restore a hard drive simply by placing the disk image files on it, because the image needs to be opened and written to the drive using an imaging program. A single hard drive can store many disk images, and disk images can also be stored on flash drives of sufficient capacity.

Open FTK Imager by AccessData after installing it, and you will see the window pop-up which is the first page to which this tool opens. 



Now, to create a disk image, click on File > Create Disk Image.



Now you can choose the source based on the drive you have. It can be a physical or a logical Drive depending on your evidence.

A Physical Drive is the primary storage hardware or the component within a device, which is used to store, retrieve, and organize data. 



A Logical Drive is generally a drive space that is created over a physical hard disk. A logical drive has its own parameters and functions because it operates independently of the physical disk.



Now choose the source of your drive that you want to create an image copy of.



Add the destination path of the image that is going to be created. From the forensic perspective, the image should be written to a separate hard drive, and multiple copies of the original evidence should be created to prevent loss of evidence.



Select the format of the image that you want to create. The different formats for creating the image are:

Raw (dd): A bit-by-bit copy of the original evidence, created without any additions or deletions. Raw images do not contain any metadata.

SMART: An image format that was used on Linux and is not popularly used anymore.

E01: It stands for EnCase Evidence File, which is a commonly used format for imaging and is similar to

AFF: It stands for Advanced Forensic Format, which is an open-source format.



Now, add the details of the image to proceed.



Now finally add the destination of the image file, name the image file and then click on Finish.



Once you have added the destination path, you can start the imaging; also tick the verify option so that a hash is generated for the image.



Now let us wait for a few minutes for the image to be created.



After the image is created, a hash result is generated which reports the MD5 hash, the SHA1 hash, and the presence of any bad sectors.
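The hash result is what lets an examiner re-verify the copy later. The following is an added example, not code from the post or from AccessData: it recomputes the MD5 and SHA1 of a raw (dd) image in chunks and compares them with the hashes recorded at acquisition time. The "MD5 checksum:" / "SHA1 checksum:" report labels and the tiny sample image are assumptions constructed for the demo.

```python
import hashlib
import io
import re

CHUNK = 1024 * 1024  # read the image 1 MiB at a time so large images fit in memory


def hash_stream(fobj):
    """Return the MD5 and SHA1 hex digests of a raw (dd) image stream."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: fobj.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_file(path):
    """Hash an image file on disk (e.g. evidence.001)."""
    with open(path, "rb") as f:
        return hash_stream(f)


def hash_bytes(data):
    """Hash an in-memory image; convenient for tests and small samples."""
    return hash_stream(io.BytesIO(data))


# Hash lines in the verification report. The label layout below is an
# assumption about the report format, not taken from the original post.
REPORT_LINE = re.compile(r"^\s*(MD5|SHA1)\s+checksum:\s*([0-9a-fA-F]+)", re.MULTILINE)


def parse_report(text):
    """Extract {algorithm: digest} from the acquisition-time hash report."""
    return {algo.lower(): digest.lower() for algo, digest in REPORT_LINE.findall(text)}


def verify(computed, recorded):
    """Compare recomputed hashes with the recorded ones.

    Returns (ok, mismatches). A hash missing from the report counts as a
    mismatch: a copy that cannot be verified must not be treated as verified.
    """
    mismatches = [a for a in ("md5", "sha1") if recorded.get(a) != computed[a]]
    return (not mismatches, mismatches)


# Constructed demo: a three-byte "image" and the report that would accompany it.
SAMPLE_IMAGE = b"abc"
SAMPLE_REPORT = """[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d
"""

if __name__ == "__main__":
    ok, bad = verify(hash_bytes(SAMPLE_IMAGE), parse_report(SAMPLE_REPORT))
    print("verified" if ok else "MISMATCH: %s" % ", ".join(bad))
```

Replace `hash_bytes(SAMPLE_IMAGE)` with `hash_file("/path/to/evidence.001")` to check a real raw image against its report.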


Capturing Memory

Memory capture is the method of capturing and dumping the contents of volatile memory into a non-volatile storage device to preserve it for further investigation. A RAM analysis can only be conducted successfully when the acquisition has been performed accurately, without corrupting the image of the volatile memory. In this phase, the investigator has to be careful about the decision to collect the volatile data, as it will not exist after the system undergoes a reboot.

Now, let us begin with capturing the memory.

To capture the memory, click on File > Capture Memory.


Choose the destination path and the destination file name, and click on Capture Memory.


Now let us wait for a few minutes while the RAM is being captured.


Analyzing Memory Dump

Now let us analyze the volatile memory once it has been acquired using FTK Imager. To start the analysis, click on File > Add Evidence Item.


Now select the source of the dump file that you have already created: here you have to select the Image File option and click on Next.



Choose the path of the memory dump that you have captured by clicking on Browse.


Once the RAM dump is attached for analysis, you will see an evidence tree listing the contents of the memory dump. This may include deleted as well as overwritten data.


To analyze other things further, we will now remove this evidence item by right-clicking on the case and clicking on Remove Evidence Item.


Mounting Image to Drive

To mount the image as a drive in your system, click on File > Image Mounting.


Once the Mount Image to Drive window appears, you can add the path to the image file that you want to mount and click on Mount.


Now you can see that the image file has now been mounted as a drive.



Custom Content Image with AD Encryption

FTK Imager has a feature that allows it to encrypt files of a particular type according to the requirements of the examiner. Select the files that you want to add to the custom content image along with AD encryption.


All the selected files will be displayed in a new window; then click on Create Image to proceed.


Fill in the required details for the evidence that is to be created.


Now add the destination of the image file that is to be created, name the image file and then check the box with AD encryption, and then click on Finish.


A new window will pop up to encrypt the image. Now enter and re-enter the password that you want to set for your image.


Now, to see the encrypted files, click on File > Add Evidence Item.


The window to decrypt the encrypted files will appear once you add the file source. Enter the password and click OK.


You will now see the two encrypted files on entering the valid password.


Decrypt AD1 Image

To decrypt the custom content image, click on File > Decrypt AD1 Image.


Now you need to enter the password for the image file that was encrypted and click on OK.


Now, wait for a few minutes till the decrypted image is created.


To view the decrypted custom content image, add the path of the decrypted file and click on Finish.


You will now be able to see the encrypted files, having used the correct password to decrypt them.


Obtain Protected Files

Certain files are protected against recovery. To obtain those files, click on File > Obtain Protected Files.


A new window will pop up. Click on Browse to add the destination for the protected files, select the option that says "Password recovery and all registry files", and click on OK.


Now you will see all the protected files in one place.


Detect EFS Encryption

When a folder or a file is encrypted with EFS, we can detect it using this feature of FTK Imager.

In this example, a file inside a folder has been encrypted to secure its contents.


To detect the EFS encryption, click on File > Detect EFS Encryption.


You can see that the encryption is detected.


Export Files

To export the files and folders from the imaged file to your folder, you can click File > Export Files.





You can now see the results of the export: the number of files and folders that have been copied to the system.


Memory Forensics: Using Volatility Framework

Cyber criminals and attackers have become so creative in their crimes that they have started finding methods to hide data in the volatile memory of systems. In this article we are going to gain a better understanding of live memory acquisition and its forensic analysis. Live memory acquisition is a method used to collect data when the system is found in an active state at the scene of the crime.

Table of Contents

·        Memory Acquisition

·        Importance of Memory Acquisition

·        Dump Format Supported

·        Memory Analysis Plugins

·         Imageinfo

·         Kdbgscan

·         Processes

·         DLLs

·         Handles

·         Netscan

·         Hivelist

·         Timeliner

·         Hashdump

·         Lsadump

·         Modscan

·         Filescan

·         Svcscan

·         History

·         Dumpregistry

·         Moddump

·         Procdump

·         Memdump

·         notepad

Memory Acquisition

Memory acquisition is the method of capturing and dumping the contents of volatile memory into a non-volatile storage device to preserve it for further investigation. A RAM analysis can only be conducted successfully when the acquisition has been performed accurately, without corrupting the image of the volatile memory. In this phase, the investigator has to be careful about the decision to collect the volatile data, as it will not exist after the system undergoes a reboot. The volatile memory is also prone to alteration of any sort due to the processes continuously running in the background. Any external action taken on the suspect system may adversely affect the device's RAM.

Importance of Memory Acquisition

When volatile memory is captured, the following artifacts can be discovered, which can be useful to the investigation:

·         On-going processes and recently terminated processes

·         Files mapped in the memory (.exe, .txt, shared files, etc.)

·         Any open TCP/UDP ports or any active connections

·         Caches (clipboard data, SAM databases, edited files, passwords, web addresses, commands)

·         Presence of hidden data, malware, etc.

Here, we have taken a memory dump of a Windows 7 system using the Belkasoft RAM Capturer, which can be downloaded from here.

Memory Analysis

Once the dump is available, we will begin the forensic analysis of the memory using the Volatility Memory Forensics Framework, which can be downloaded from here. The Volatility framework supports analysis of memory dumps from all versions and service packs of Windows from XP to Windows 10. It also supports Server 2003 to Server 2016. In this article, we will be analyzing the memory dump in Kali Linux, where Volatility comes pre-installed.

Dump Format Supported

·         Raw format

·         Hibernation File

·         VM snapshot

·         Microsoft crash dump

Switch on your Kali Linux machine. To get a basic list of all the available options, plugins, and flags to use in the analysis, you can type:

volatility -h

Imageinfo

When a memory dump is taken, it is extremely important to know which operating system was in use. Volatility will try to read the image and suggest the related profiles for the given memory dump. The imageinfo plugin displays the date and time at which the sample was collected, the number of CPUs present, etc. To obtain these details of the RAM, you can type:

volatility -f ram.mem imageinfo

A profile is a categorization of a specific operating system, its version and its hardware architecture. A profile generally includes metadata information, system call information, etc. You may notice that multiple profiles are suggested to you.



Kdbgscan

This plugin finds and analyzes the profiles based on the kernel debugger data block. Kdbgscan thus provides the correct profile for the raw image. To determine the correct profile for the memory analysis, type:

volatility -f ram.mem kdbgscan



Processes

When a system is in an active state it is normal for it to have multiple processes running in the background, and these can be found in the volatile memory. The presence of any hidden process can also be parsed out of a memory dump, and processes that terminated shortly before the capture can also be recorded and analyzed. There are a few plugins that can be used to list the processes:

Pslist

To identify the presence of any rogue processes and to view any high-level running processes, one can use

volatility -f ram.mem --profile=Win7SP1x64 pslist -P

On executing this command, the list of running processes is displayed, along with the process ID assigned to each and its parent process ID. Details about the threads, sessions and handles are also shown, as is the timestamp at which each process started. This helps to identify whether an unknown process is running, or was running at an unusual time.
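The pslist and pstree output can be triaged automatically for the signs mentioned above: a process whose parent is not what Windows would normally assign, or a system process that appears more than once. The following is an added example, not code from the post or from the Volatility project; the sample pslist table is constructed, and the expected-parent baseline is a defender's assumption about a stock Windows 7 boot.

```python
import re
from collections import Counter

# Constructed sample of Volatility 2 "pslist" output (not from the original post).
# The last two rows are deliberately suspicious: a second lsass.exe started from
# explorer.exe hours after boot, which then spawned cmd.exe.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     81      496 ------      0 2020-03-30 19:03:21 UTC+0000
0xfffffa8001b2c060 smss.exe                252      4      2       29 ------      0 2020-03-30 19:03:21 UTC+0000
0xfffffa8001f1f060 csrss.exe               340    332      9      460      0      0 2020-03-30 19:03:23 UTC+0000
0xfffffa8001f6e060 wininit.exe             380    332      3       76      0      0 2020-03-30 19:03:23 UTC+0000
0xfffffa8001fb0b30 services.exe            472    380      7      214      0      0 2020-03-30 19:03:24 UTC+0000
0xfffffa8001fb8b30 lsass.exe               488    380      6      563      0      0 2020-03-30 19:03:24 UTC+0000
0xfffffa8002100b30 explorer.exe           1320   1288     30      891      1      0 2020-03-30 19:04:01 UTC+0000
0xfffffa8002340060 lsass.exe              2204   1320      2       60      1      1 2020-03-30 22:47:12 UTC+0000
0xfffffa8002388b30 cmd.exe                2260   2204      1       21      1      0 2020-03-30 22:47:20 UTC+0000
"""

# One data row: offset, name, PID, PPID, threads, handles, session, wow64,
# start timestamp and an optional exit timestamp.
ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)"
    r"(?:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+))?\s*$"
)

# Baseline (assumption): the parent each core Windows 7 process should have,
# and the processes that should exist exactly once.
EXPECTED_PARENT = {"smss.exe": "system", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "wininit.exe": "smss.exe"}
SINGLETONS = {"services.exe", "lsass.exe", "wininit.exe"}


def parse_pslist(text):
    """Turn the pslist table into a list of dicts; header/separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _, name, pid, ppid, _, _, _, wow64, start, exit_ = m.groups()
            procs.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                          "wow64": wow64 == "1", "start": start, "exited": exit_ is not None})
    return procs


def triage(procs):
    """Return (pid, reason) findings for unexpected parents and duplicated system processes."""
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    findings = []
    for p in procs:
        name = p["name"].lower()
        parent = by_pid.get(p["ppid"])
        want = EXPECTED_PARENT.get(name)
        # wininit's parent (smss) normally exits, so a missing parent is only
        # reported when the expected parent is one that should still be alive.
        if want and parent is not None and parent["name"].lower() != want:
            findings.append((p["pid"], "%s parent is %s, expected %s" % (p["name"], parent["name"], want)))
        if name in SINGLETONS and counts[name] > 1:
            findings.append((p["pid"], "%s appears %d times" % (p["name"], counts[name])))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(parse_pslist(SAMPLE_PSLIST)):
        print("PID %5d: %s" % (pid, reason))
```

Pipe real output into `parse_pslist` (`volatility ... pslist > pslist.txt`) and extend the baseline to the build being examined before trusting the findings.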



Psscan

This plugin gives a detailed list of the processes found in the memory dump. It cannot detect hidden or unlinked processes.

volatility -f ram.mem --profile=Win7SP1x64 psscan



Pstree

This plugin presents the process list with its parent-child relationships, which makes any unknown or abnormal processes easier to spot. Child processes are represented by indentation and periods.

volatility -f ram.mem --profile=Win7SP1x64 pstree




DLLs

DLLlist

DLL stands for Dynamic-Link Library. A DLL is added to a process's loaded-module list when the process calls LoadLibrary, and it stays there until it is unloaded. To display the DLLs for particular processes instead of all processes, pass their process IDs with -p:

volatility -f ram.mem --profile=Win7SP1x64 dlllist -p 116,788



DLLDump

This plugin is used to dump the DLLs from the memory space of the processes into another location for analysis. To take a dump of the DLLs, you can type:

volatility -f ram.mem --profile=Win7SP1x64 dlldump --dump-dir /root/ramdump/



Handles

This plugin is used to display the open handles present in a process. It applies to files, registry keys, events, desktops, threads, and all other types of objects. To see the handles present in the dump, you can type:

volatility -f ram.mem --profile=Win7SP1x64 handles



Getsids

This plugin is used to view the SIDs (Security Identifiers) associated with a process. It can help in identifying processes that have maliciously escalated privileges, and which processes belong to specific users. To get details on a particular process ID, you can type:

volatility -f ram.mem --profile=Win7SP1x64 getsids -p 464



Netscan

This plugin helps in finding network-related artifacts present in the memory dump. It makes use of pool tag scanning and finds all the TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It provides details about the local and remote IP addresses and the local and remote ports. To get details on the network artifacts, you can type:

volatility -f ram.mem --profile=Win7SP1x64 netscan



Hivelist

This plugin can be used to locate the virtual addresses of the registry hives in memory, along with their full paths on disk. To obtain the hive list from the memory dump, you can type:

volatility -f ram.mem --profile=Win7SP1x64 hivelist



Timeliner

This plugin creates a timeline from the various artifacts found in the memory dump. To arrange the artifacts along a timeline, you can use the following command:

volatility -f ram.mem --profile=Win7SP1x64 timeliner



Hashdump

This plugin can be used to extract and decrypt cached domain credentials stored in the registry, which can be obtained from the memory dump. The hashes obtained from the memory dump can be cracked using John the Ripper, Hashcat, etc. To gather the hash dump, you can use the command:

volatility -f ram.mem --profile=Win7SP1x64 hashdump



Lsadump

This plugin is used to dump LSA secrets from the registry in the memory dump. It gives out information like the default password, the RDP public key, etc. To perform an lsadump, you can type the following command:

volatility -f ram.mem --profile=Win7SP1x64 lsadump



Modscan

This plugin is used to locate kernel modules and their related objects in kernel memory. It can pick up previously unloaded drivers, as well as drivers that have been hidden or unlinked by rootkits on the system. To scan for these kernel modules, you can type:

volatility -f ram.mem --profile=Win7SP1x64 modscan



Filescan

This plugin is used to find FILE_OBJECTs present in physical memory by using pool tag scanning. It can find open files even when a rootkit is hiding them. To make use of this plugin, you can type the following command:

volatility -f ram.mem --profile=Win7SP1x64 filescan



Svcscan

To see the services registered in your memory image, use the svcscan plugin. The output shows the process ID of each service, the service name, the display name, the service type, the service state, and the binary path for the registered service, which will be a .exe for user-mode services and a driver name for services that run in kernel mode. To find the details on the services, you can type:

volatility -f ram.mem --profile=Win7SP1x64 svcscan


Cmdscan

This plugin searches the memory dump of XP/2003/Vista/2008 and Windows 7 systems for commands that an attacker might have entered through a command prompt (cmd.exe). It is one of the most powerful plugins for gaining visibility into an attacker's actions on a victim system. To conduct a cmdscan, you can make use of the following command:

volatility -f ram.mem --profile=Win7SP1x64 cmdscan



Iehistory

This plugin recovers fragments of Internet Explorer history by locating the index.dat cache file. To find the IE history entries, you can type the following command:

volatility -f ram.mem --profile=Win7SP1x64 iehistory




Dumpregistry

This plugin allows one to dump a registry hive to a location on disk. To dump the registry hives, use the following command:

volatility -f ram.mem --profile=Win7SP1x64 dumpregistry --dump-dir /root/ramdump/



Moddump

This plugin is used to extract a kernel driver to a file. You can do this by using the following command:

volatility -f ram.mem --profile=Win7SP1x64 moddump --dump-dir /root/ramdump/





Procdump

This plugin is used to dump the executables of the processes to a single location. Note that malware may intentionally forge the size fields in its PE header so that memory dumping tools fail. To collect the dump of the processes, you can type:

volatility -f ram.mem --profile=Win7SP1x64 procdump --dump-dir /root/ramdump/



Memdump

The memdump plugin is used to dump the memory-resident pages of a process into a separate file. You can also select a particular process with -p and provide the output directory with -D (the long form of --dump-dir). To dump the memory-resident pages, you can use the following command:

volatility -f ram.mem --profile=Win7SP1x64 memdump --dump-dir /root/ramdump/



Notepad

The contents of open Notepad windows are among the most frequently sought artifacts in a RAM dump. To find the text present in Notepad, you can use the following command (this plugin only supports the XP profiles):

volatility -f ram.mem --profile=WinXPSP2x86 notepad