(For more resources related to this topic, see here.)
Changing the time zone
The correct use of the Time Zone feature is of the utmost importance for computer forensics because it might reflect the wrong MAC time of files contained in the evidence, making a professional use the wrong information in an investigation report.
Based on this, you must configure the time zone to reflect the location where the evidence was acquired. For example, if you conducted the acquisition of a computer that was located in Los Angeles, US, and bring the evidence to Sao Paulo, Brazil, where your lab is situated, you should adjust the time zone to Los Angeles so that the MAC time of files can reflect the actual moment of its modification, alteration, or creation.
The FTK allows you to make that time zone change at the same time that you add a new evidence to the case. Select the time zone of the evidence where it was seized from the drop-down list in the Time Zone field. This is required to add evidence in the case.
Take a look at the following screenshot:
You can also change the value of Time Zone after adding the evidence. In the menu toolbar, click on View and then click on Time Zone Display.
Mounting compound files
To locate important information during your investigation, you should expand individual compound file types. This lets you see the child files that are contained within a container, such as ZIP or RAR files. You can access this feature from the case manager's new case wizard, or from the Add Evidence or Additional Analysis dialogs.
The following are some of the compound files that you can mount:
- E-mail files: PST, NSF, DBX, and MSG
- Compressed files: ZIP, RAR, GZIP, TAR, BZIP, and 7-ZIP
- System files: Windows thumbnails, registry, PKCS7, MS Office, and EVT
If you don't mount compound files, the child files will not be located in keyword searches or filters.
To expand compound files, perform the following steps:
- Do one of the following:
- For new cases, click on the Custom button in the New Case Options dialog
- For existing cases, go to Evidence | Additional Analysis
- Select Expand Compound Files.
- Click on Expansion Options….
- In the Compound File Expansions Options dialog, select the types of files that you want to mount.
- Click on OK:
File and folder export
You may need to export part of the files or folders to help you perform some action outside of the FTK platform, or simply for the evidence presentation.
To export files or folders you need to perform the following steps:
- Select one or more files that you would like to export.
- Right-click on the selection and select Export.
- A new dialog will open. You can configure some settings before exporting as follows:
- File Options: This field has advanced options to export files and folders. You can use the default options for a simple export.
- Items to Include: This field has the selection of files and folders that you will export. The options can be checked, listed, highlighted, or selected all together.
- Destination base path: This field has the folder to save the files.
Take a look at the following screenshot:
Columns are responsible for presenting the information property or metadata related to evidence data. By default, the FTK presents the most commonly used columns. However, you can add or remove columns to aid you in quickly finding relevant information. To manage columns in FTK, in the File List view, right-click on column bars and select Column Settings…. The number of columns available is huge. You can add or remove the columns that you need by just selecting the type and clicking on the Add button:
The FTK has some templates of columns settings. You can access them by clicking on Manage and navigating to Columns | Manage Columns:
You can use some ready-made templates, edit them, or create your own.
Creating and managing bookmarks
A bookmark is a group of files that you want to reference in your case. These are user-created groups and the list is stored for later reference and for use in the report output. You can create as many bookmarks as needed in a case. Bookmarks can be nested within other bookmarks for convenience and categorization purposes. Bookmarks help organize the case evidence by grouping related or similar files. For example, you can create a bookmark of graphics that contain similar or related graphic images. The Bookmarks tab lists all bookmarks that have been created in the current case.
To create a bookmark, perform the following steps:
- In the File List view, select the files that you want to add to the bookmark.
- Right-click on selected files and click on Create Bookmark.
- Enter the information about the bookmark.
- Click on OK:
The main options to create new bookmarks are as follows:
- Bookmark Name: This is the name of your new bookmark.
- Bookmark Comment: This option includes free text regarding your bookmark.
- Timeline Bookmark: Select this option to create a timeline bookmark. This option shows the chronological relationships of the files in your case.
- File to Include: With this option, you can see the files that you had selected earlier.
- File Comment: This option includes free text about your file.
- Supplementary Files: With this option, you can attach external files that can help in your investigation case.
- Also include: In this option, you can include Parent index.dat, Email Attachments, and Parent Email if applicable.
- Select Bookmark Parent: This is the folder that you will use to create the bookmark, and it will determine if the bookmark will be private or shared.
Once the bookmark is created, you can add or remove files when necessary.
You can bookmark other information such as selected text, e-mails, and e-mail attachments.
The Additional Analysis feature
After the evidence has been added to a case and processed, you may wish to perform other analysis tasks. To further analyze the selected evidence, click on Evidence and then click on Additional Analysis.
Most of the tasks available during the initial evidence processing remain available with Additional Analysis. You can perform multiple processing tasks at the same time. Make your selections and click on OK to create a new job, as shown in the following screenshot:
Carving the data
Data carving is the process of looking for data in the evidence that was deleted from the filesystem. This is done by identifying file headers and footers in mainly unallocated clusters. The FTK provides several predefined carvers that you can select when adding evidence to a case. You can also create your own custom carvers to meet your exact needs.
Data carving can be selected in the New Case Wizard or later, using the Additional Analysis feature:
In the Carving Options dialog box, you can select the file types that you want to try to recover and click on OK to go back to Detailed Options to then perform the task.
You can also create your own carvers, informing the header and footers of the files that you would like to recover. To create the carver, perform the following steps:
- In the toolbar menu, click on Manage.
- Click on the Carvers option
- Next, select Manage Custom Carvers.
After the carver is processed, you can find the carved files using the Carved Files filter or through the following steps:
- Change the view to the Overview tab.
- Select the File Status option.
- Finally, click on Data Carved Files.
Narrowing the case with KFF
The Known File Filter (KFF) is a database utility that compares known filehash values against your case files.
Using the KFF during your analysis, we can do the following:
- Immediately identify and ignore 40 to 70 percent of files
- Immediately identify known contraband files
A hash is based on data and not names or extensions.
The KFF database is based on NSRL from National Institute of Standards and Technology (NIST) and can be downloaded from the AccessData website at http://www.accessdata.com/support/product-downloads.
The KFF can be selected in the New Case Wizard or later, using the Additional Analysis feature.
To import a new KFF database and define a group, perform the following steps:
- Click on Manage and select KFF.
- Click on Import to select a new database.
- To locate a database file, click on Add File.
- Select the Status: Alert or Ignore.
- Insert the path where file is located.
- Click on OK to go back to KFF Hash Import Tool.
- Click on Import to process your new KFF database.
- In KFF Admin Case, click on New to create a group.
- Add the KFF database processed previously.
- Click on Done to finish.
To run the KFF in your case, open the Additional Analysis options:
- Select KFF and click on KFF Groups….
- Check the name of the group created previously.
- Click on Done.
- Finally, click on OK to start new job.
To use the results of the KFF to hide a known file from your case, use the following filters:
- KFF Alert Files
- KFF Ignore Files
This article several important features to assist in the identification of relevant information quickly and efficiently through the use of filters and keywords. The use of the KFF and how its features can be useful to save time during an investigation by eliminating the known files of your investigation case was covered.
Resources for Article:
- FAQs on BackTrack 4 [Article]
- BackTrack Forensics [Article]
- Web app penetration testing in Kali [Article]