Step by Step Tutorial of FTK Imager

FTK® Imager is a data preview and imaging tool from AccessData that lets you quickly assess electronic evidence and decide whether further analysis with a full forensic suite such as AccessData® Forensic Toolkit® (FTK) is warranted. FTK Imager can also create bit-for-bit copies (forensic images) of media without altering the original evidence. Note that FTK Imager itself does not stop the host operating system from writing to an attached disk, so attach source media through a hardware write blocker before imaging. With FTK Imager, you can:

·         Create forensic images of local hard drives, floppy diskettes, Zip disks, CDs and DVDs, entire folders, or individual files from anywhere on the media.
·         Preview files and folders on local hard drives, network drives, floppy diskettes, Zip disks, CDs and DVDs.
·         Preview the contents of forensic images stored on the local machine or on a network drive.
·         Mount an image as a read-only drive and browse it in Windows Explorer, seeing the content exactly as the user saw it on the original drive.
·         Export files and folders from forensic images.
·         See and recover files that have been deleted from the Recycle Bin but have not yet been overwritten on the drive.
·         Create hashes of files using either of the two hash functions available in FTK Imager: MD5 and SHA-1. Neither is collision-resistant any more, but for acquisition verification (proving that an image still matches what was read from the source) they remain the accepted standard; record both.

First, download FTK Imager from the vendor's website and install it on your examination workstation. The one exception is live memory capture, which by its nature has to run on the suspect machine (see Capture Memory below).

Add Evidence Item

Click Add Evidence Item to add evidence from a physical disk, a logical volume, an image file or a folder.

Select the source evidence type: Physical Drive (the whole device, including partition table and unallocated space), Logical Drive (a single volume), Image File, or Contents of a Folder. We selected Image File and clicked Next.

Browse to the virtual disk image (FTK Imager reads VMDK and VHD files as well as E01, AD1 and raw dd images) and click Open.

Check the source path and click Finish.

The image now appears in the Evidence Tree; expand it to examine the virtual disk exactly as you would a physical disk: partitions, file systems, orphaned files and unallocated space.

To add a raw image, click Add Evidence Item again, choose Image File, browse to the .001 (or .dd/.raw) file and click Open.

Click Finish.

The raw image is added as a physical drive and can be analysed the same way.


Mounting an Image as a Local Drive

To mount an image file, choose File > Image Mounting (or click the Image Mounting toolbar button).

Browse to the image; we used the virtual disk image again.

Select the Mount Type (Physical & Logical, Physical Only or Logical Only), a Drive Letter and the Mount Method, then click Mount. For examination keep a read-only method (Block Device / Read Only or File System / Read Only). Block Device / Writable caches writes in a separate file rather than altering the image, but it exists for tools that refuse to work on a read-only volume, not for evidence review.

The mounted image now appears in the Mapped Image List with its drive letter.

Open that drive letter in Windows Explorer to browse the mounted image exactly as the user saw it on the original drive; select the entry and click Unmount when you are done.



Capture Memory

Click the Capture Memory button on the toolbar (also available under the File menu).

In the dialog, choose the destination directory for the dump, tick Include pagefile if you also want pagefile.sys, optionally tick Create AD1 file to wrap the output in an AD1 container, and click Capture Memory. Because this runs on the live suspect machine, write to external media rather than the suspect's own disk: anything written there overwrites unallocated space you may later want to recover, and FTK Imager itself will be present in the capture.

Wait for the process to finish.

A memory dump file (memdump.mem by default) is created in the destination directory. Hash it immediately and record the hash, since there is no second acquisition to verify it against.


Create RAW Image

Open FTK Imager and choose File > Create Disk Image.

A Select Source box opens; choose Physical Drive and click Next. (Physical Drive captures the entire device, including the partition table and unallocated space; Logical Drive captures only one volume.)

Choose the suspect drive you want to image.

After choosing the drive, click Finish to open the Create Image window.

(Note: tick "Verify images after they are created" so FTK Imager re-reads the finished image and compares its hashes with those computed during acquisition. "Precalculate Progress Statistics" only adds a time estimate.)

In Select Image Type choose Raw (dd) and click Next. A raw image is a plain bit-for-bit copy with no compression or embedded metadata, which is why every forensic tool reads it; E01 adds compression and built-in hashes, and AD1 is AccessData's logical (file-level) container.

In Evidence Item Information fill in Case Number, Evidence Number, Unique Description, Examiner and Notes. These values are written into the acquisition summary that accompanies the image, so use the real case identifiers, not placeholder text. Click Next.

Choose the destination folder and the image filename (no extension: raw segments are numbered .001, .002, ...). Image Fragment Size sets the segment size in MB; 0 produces a single file. Click Finish.

In the final step click Start to begin creating the image.

When acquisition and verification finish, the results window shows the MD5 and SHA1 computed while reading the source next to those computed by re-reading the image; they must match. FTK Imager also writes a text summary beside the image (case details, drive geometry, segment list and both hashes). Keep it with the image. From here on you audit the suspect's evidence from the image rather than from the original drive.
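Re-checking an image's hashes outside FTK Imager, for instance on a Linux analysis box months after acquisition, is the kind of task a script should do. The following added example is not part of the original tutorial or of FTK Imager: it re-hashes a (possibly segmented) raw image with MD5 and SHA-1 in one streaming pass, parses the expected values out of the acquisition summary text, and reports whether they match. The summary layout it parses ("MD5 checksum:" / "SHA1 checksum:" lines) is an assumption about FTK Imager's summary file, and the segments and summary built in demo() are constructed so that it runs offline.

```python
import glob
import hashlib
import os
import re
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024  # stream 4 MiB at a time so multi-GB images never load into RAM

# Matches the "MD5 checksum:" / "SHA1 checksum:" lines of the acquisition summary.
# Assumption: this is how FTK Imager labels the hashes; adjust if your version differs.
_HASH_LINE = re.compile(r"^[ \t]*(MD5|SHA1) checksum:[ \t]*([0-9a-fA-F]{32,40})", re.MULTILINE)


def find_segments(first_segment):
    """Return all numbered raw segments (image.001, image.002, ...) in acquisition order."""
    stem, _ = os.path.splitext(first_segment)
    segments = glob.glob(glob.escape(stem) + ".[0-9][0-9][0-9]")
    # Sort numerically on the suffix; the glob already excludes image.001.txt (the summary).
    return sorted(segments, key=lambda p: int(os.path.splitext(p)[1][1:]))


def hash_segments(paths):
    """Hash the concatenation of all segments with MD5 and SHA-1 in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def parse_summary(text):
    """Pull the acquisition hashes out of the summary text.

    The summary lists each hash twice (computed during acquisition, then again under the
    verification results); the first occurrence per algorithm is kept.
    """
    expected = {}
    for algo, hexdigest in _HASH_LINE.findall(text):
        expected.setdefault(algo.lower(), hexdigest.lower())
    return expected


def verify_image(first_segment, summary_text):
    """Recompute hashes over all segments and compare; returns {algo: matched}."""
    computed = hash_segments(find_segments(first_segment))
    expected = parse_summary(summary_text)
    return {algo: computed[algo] == expected.get(algo) for algo in ("md5", "sha1")}


# Constructed sample summary: the hashes are the well-known MD5/SHA-1 digests of b"abc".
SAMPLE_SUMMARY = """\
Created By AccessData FTK Imager (constructed sample, not a real acquisition)

[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d

Image Verification Results:
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72 : verified
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d : verified
"""


def demo(tamper=False):
    """Write a constructed two-segment "image" (b"ab" + b"c") to a temp dir and verify it.

    With tamper=True the second segment is altered, which must fail both hashes.
    """
    with tempfile.TemporaryDirectory() as workdir:
        first = os.path.join(workdir, "evidence.001")
        with open(first, "wb") as fh:
            fh.write(b"ab")
        with open(os.path.join(workdir, "evidence.002"), "wb") as fh:
            fh.write(b"x" if tamper else b"c")
        return verify_image(first, SAMPLE_SUMMARY)


if __name__ == "__main__":
    print("intact  :", demo())             # {'md5': True, 'sha1': True}
    print("tampered:", demo(tamper=True))  # {'md5': False, 'sha1': False}
```

On a real case, call verify_image("E:\\case\\evidence.001", open("E:\\case\\evidence.001.txt").read()) and keep the script's output with the chain-of-custody notes; a single-pass hash over every segment is also far faster on large images than running md5sum and sha1sum separately.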

Forensic Investigation of RAW Image using Forensic Explorer (Part 1)

Forensic Explorer is a tool for the analysis of electronic evidence, used mainly by law enforcement, corporate investigation teams and law firms. It ships with Mount Image Pro, so images can also be mounted as drives and reviewed with other software.

It enables investigators to:

·         Manage the analysis of large volumes of information from multiple sources in a case file structure;
·         Access and examine all available data, including hidden and system files, deleted files, file and disk slack, and unallocated clusters;
·         Automate complex investigation tasks;
·         Produce detailed reports; and
·         Give non-forensic investigators a platform on which to review evidence easily.

Supported File Formats

Forensic Explorer supports the analysis of the following image formats:

·         Apple DMG
·         DD or RAW
·         EnCase® (.E01, .L01, .Ex01)
·         Advanced Forensic Format (.AFF)
·         FTK® (.E01, .AD1)
·         ISO (CD and DVD image files)
·         Microsoft VHD
·         NUIX File Safe (MFS01)
·         ProDiscover®
·         SMART®
·         VMware®
·         X-Ways (E01 and CTR)


First, download Forensic Explorer from the vendor's website and install it on your workstation. Then click New.

Enter the Case Name, then click New on the Investigator tab.

In the next step enter the investigator's Full Name, Title, Organization, Department and email, and click OK to proceed.

Select the cases folder where the case files will be stored and click OK.

Now click Add Image.

Select the path to the RAW image. To create one with FTK Imager, follow the steps above, also described at:

http://www.hackingarticles.in/how-to-create-copy-of-suspects-evidence-using-ftk-imager/

Select the processing tasks to run on the RAW image from the list and click Start.

When processing completes, the results of every selected task are shown.

Now click File System. The File System module is the main Forensic Explorer window, where actions such as highlighting, selecting, sorting, filtering, flagging, exporting and opening take place.

Select Registry to open and examine the Windows registry hives: filter, categorize and keyword-search registry keys, and automate registry analysis with scripts.

The Bookmarks module lets almost any item (a file, folder, keyword or search hit) or a selection from an item (a fragment of text from a file or from unallocated clusters) be bookmarked and listed for the report.

Reports: the Reports module assists in generating a report that documents the forensic analysis. It is based on templates that can be reused across investigations.

How to Show all Possible Exploits in Victim PC using Windows-Exploit-Suggester

This tool compares a target's patch level against the Microsoft security bulletin database to detect patches potentially missing on the target. It also notes whether public exploits or Metasploit modules exist for the missing bulletins.

It needs the output of the systeminfo command from the Windows host; from the OS name, version and the list of installed hotfixes (KB numbers) it determines which bulletins the host is missing.

It can download the security bulletin database from Microsoft itself with the --update flag, saving it as a date-stamped Excel spreadsheet (for example 2015-09-25-mssb.xlsx).


First, download windows-exploit-suggester from its GitHub repository and unzip it on your Kali machine.

Update the bulletin database with:
 ./windows-exploit-suggester.py --update

The script reads the spreadsheet with the xlrd module, which is a prerequisite; download xlrd-0.9.4 and install it with:

python setup.py install

(Use a pre-2.0 xlrd release: xlrd 2.0 dropped .xlsx support, and the script itself targets Python 2.)

On the Windows target run systeminfo and redirect its output to a file, for example:

systeminfo > win7-ultimate-systeminfo.txt

Copy win7-ultimate-systeminfo.txt into the Windows-Exploit-Suggester-master folder on Kali Linux.

Run the following command to get the result:

./windows-exploit-suggester.py --database 2015-09-25-mssb.xlsx --systeminfo win7-ultimate-systeminfo.txt

It lists every bulletin that applies to the victim's Windows version and whose KB is not in the hotfix list, marking [E] where a public exploit exists and [M] where a Metasploit module exists. Treat the list as candidates rather than confirmed vulnerabilities: the script works only from the KBs systeminfo reports and cannot see patches that were superseded or installed outside Windows Update, so it tends to over-report and each hit should be validated before exploitation.
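The core of the comparison the script performs, as an added example in Python that is not the script's own code: parse the OS name and the installed KB numbers out of a systeminfo dump, then flag every bulletin whose product matches and whose KB is absent. The systeminfo text and the four-row bulletin table are constructed for illustration (the real MSSB spreadsheet has thousands of rows and is what an actual assessment must use); the product-substring match and the absence of supersedence handling are simplifications of what the real script does.

```python
import re

# Constructed excerpt shaped like the rows the script reads from the MSSB spreadsheet:
# (bulletin, KB number, affected product substring, title). Four illustrative rows only;
# a real assessment must use the full spreadsheet downloaded with --update.
BULLETINS = [
    ("MS08-067", "958644", "Windows XP",
     "Vulnerability in Server Service Could Allow Remote Code Execution"),
    ("MS08-067", "958644", "Windows Server 2003",
     "Vulnerability in Server Service Could Allow Remote Code Execution"),
    ("MS15-034", "3042553", "Windows 7",
     "Vulnerability in HTTP.sys Could Allow Remote Code Execution"),
    ("MS15-034", "3042553", "Windows Server 2008 R2",
     "Vulnerability in HTTP.sys Could Allow Remote Code Execution"),
]

# Constructed systeminfo output for a Windows 7 host; not captured from a real machine.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-LAB
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB3004375
"""

# KB numbers appear as "[nn]: KBxxxxxxx"; scanning the whole text also works when systeminfo
# is localised and the "Hotfix(s)" label is translated.
_KB_RE = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def parse_systeminfo(text):
    """Return the OS name, OS version string and the set of installed KB numbers."""
    os_name = os_version = ""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "os name":
            os_name = value.strip()
        elif key == "os version":
            os_version = value.strip()
    hotfixes = {m.group(1) for m in _KB_RE.finditer(text)}
    return {"os_name": os_name, "os_version": os_version, "hotfixes": hotfixes}


def missing_bulletins(host, bulletins):
    """Bulletins that affect this OS (substring match on the product) and whose KB is absent.

    Simplification: the real script also matches service pack and architecture and tracks
    superseding KBs; here a host patched only through a later rollup would still be flagged,
    which is exactly the over-reporting the tool's README warns about.
    """
    missing = {}
    for bulletin, kb, product, title in bulletins:
        if product.lower() in host["os_name"].lower() and kb not in host["hotfixes"]:
            missing.setdefault(bulletin, {"kb": kb, "title": title})
    return missing


def assess(systeminfo_text, bulletins=BULLETINS):
    """Parse a systeminfo dump and return {bulletin: {kb, title}} for every candidate."""
    return missing_bulletins(parse_systeminfo(systeminfo_text), bulletins)


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{host['os_name']} ({host['os_version']}), {len(host['hotfixes'])} hotfixes")
    for bulletin, info in sorted(assess(SAMPLE_SYSTEMINFO).items()):
        print(f"  {bulletin}: KB{info['kb']} missing - {info['title']}")
```

Against the constructed input only MS15-034 is reported: MS08-067 does not apply to Windows 7, and the host lacks KB3042553. Adding that KB to the hotfix list empties the result, which is the check you would make when validating a hit.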


Forensic Investigation Tutorial Using DEFT

DEFT (Digital Evidence & Forensics Toolkit) is a Linux distribution built for computer forensics. It is designed to run live without tampering with or corrupting the devices (hard disks, pen drives and so on) connected to the PC it boots on.

DEFT is based on GNU/Linux (Ubuntu); it can run live from DVD or USB pen drive, be installed to disk, or run as a virtual appliance under VMware or VirtualBox. It uses LXDE as its desktop environment and WINE to run Windows tools under Linux, and includes a mount manager for device management.

First, download the DEFT Linux ISO image from the project's website. Installing DEFT as described below writes to the target disk, so do this on an examiner workstation or VM, never on an evidence machine, which should only ever see DEFT in live mode.


After the DEFT boot loader starts you will see a screen with several boot options. Click Install DEFT Linux 8.

Click Continue.

Select the third-party software option and click Continue.

The installer now asks how to partition the disk. Select Guided - use entire disk and click Install Now.

Select your time zone and click OK.

Fill in your personal details and click Continue. When installation finishes, click Restart Now.



After rebooting into DEFT, the DEFT menu groups its tools into the following categories:

·         Analysis - tools for analysing files of different types.
·         Antimalware - search for rootkits, viruses, malware and malicious PDFs.
·         Data Recovery - file recovery software.
·         Hashing - scripts for calculating hashes (SHA1, SHA256, MD5, ...).
·         Imaging - applications for cloning and imaging hard drives and other sources.
·         Mobile Forensics - analysis of BlackBerry, Android and iPhone devices, plus the SQLite databases that mobile applications typically use.
·         Network Forensics - tools for processing information captured from the network.
·         OSINT - applications that help gather information about users and their activity.
·         Password Recovery - recovery of BIOS passwords, passwords on compressed files and Office documents, brute force, and so on.
·         Reporting Tools - tools that ease reporting and the documentation of evidence: screen capture, note taking, desktop activity logging and so on.