Important Notice (the first three lines of ABOUT FTK):
FOR TRAINING AND DEMO PURPOSES ONLY. PER THIS PROGRAM'S LICENSE AGREEMENT, COMPUTER FORENSICS INFORMATION GATHERED FROM A NON-LICENSED VERSION OF THE FTK IS NOT ADMISSIBLE IN COURT AS EVIDENCE. (Pic 1)

Ok, now that you have FTK installed (along with KFF), it's time to start adding "evidence" to a case as you would during an investigation. Keep in mind that this is a guide for using FTK and NOT a guide for conducting a forensic investigation.
First, open FTK and you get to see the lovely reminder that the Demo version of FTK can only handle 5,000 files (Pic 2). That's ok because AccessData was nice enough to give us this version for FREE. Besides, if you are serious about using FTK as a professional investigation tool, this version should give you enough to figure out whether you like it. Then, you can pay for it or get your company to pay.
On to the "evidence". First, we need some "evidence" to learn the ins and outs of FTK. A good place for test images is the Digital Forensics Tool Testing Images website which is run by Brian Carrier, who also happens to be the author of Autopsy and The Sleuth Kit. For this exercise, I'll use the Basic Data Carving Test #1 image. Download, save, and unzip the image into a directory of your choosing.
Open FTK and you'll be presented with a dialogue asking you to Start a New Case, Open an existing case, Preview evidence, or Go Directly to using the program. Since we're budding FTK users and forensic investigators, we'll choose "Start a New Case". (Pic 3)
This choice will bring us to the wizard for creating a new case. Enter the appropriate information for yourself (the investigator) and the case and press Next. (Pic 4)
Take the default settings on the next two windows. On "Processes to Perform", check all of the available options. (Pic 5)
When you get to the "Add Evidence to Case" window, click "Add Evidence". (Pic 6)
Choose to add an "Acquired Image of Drive". (Pic 7)
Browse to the image you wish to add and select it. In this case, I choose "12-carve-ext2.dd" and press "Open". (Pic 8)
Add any relevant image information on the following screen and click "Ok". When you have added all of the "evidence" that you want to the case, click "Next" on the "Add Evidence to Case" window. Click "Finish" to finish the case setup.
Once the case setup is done, FTK will process the "evidence" (Pic 9) that was added to the case. For larger images this may take some time. However, for our example it shouldn't take very long.
Ok, now we have an image added to a case (Pic 10).
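One thing the wizard does not do for you is prove that the file you just added is the same image that was acquired. Examiners normally hash the image before adding it and record the digest in the "image information" screen (the step at Pic 8), then re-hash later to show nothing changed. The script below is an added example, not code from this post or from AccessData's FTK; it assumes Python 3 with only the standard library, and uses a small constructed byte string written to a temporary file as a stand-in for an image such as 12-carve-ext2.dd.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a large dd image never has to fit in memory


def hash_image(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for the file at `path`, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare the file's digests with the ones recorded at acquisition.

    `expected` maps algorithm name -> hex digest. Returns {algorithm: bool}.
    """
    actual = hash_image(path, tuple(expected))
    return {name: actual[name] == digest.lower() for name, digest in expected.items()}


def custody_record(path, digests, examiner):
    """Build the note an examiner would paste into the evidence-information screen."""
    return {
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "examiner": examiner,
        "hashed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        **digests,
    }


def demo(data=b"abc", examiner="example examiner"):
    """Write a constructed stand-in image, hash it, verify it, and detect an altered copy.

    `data` is constructed sample content, NOT the real 12-carve-ext2.dd image.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "sample.dd")
        with open(path, "wb") as fh:
            fh.write(data)
        results["digests"] = hash_image(path)
        # In practice `expected` comes from the acquisition log; here it is
        # derived from the same bytes so the self-check passes.
        expected = {"md5": hashlib.md5(data).hexdigest(),
                    "sha1": hashlib.sha1(data).hexdigest()}
        results["verified"] = verify_image(path, expected)
        # A copy with one flipped byte must fail verification against the same record.
        altered = os.path.join(tmpdir, "altered.dd")
        with open(altered, "wb") as fh:
            fh.write(bytes([data[0] ^ 0xFF]) + data[1:])
        results["altered_verified"] = verify_image(altered, expected)
        results["record"] = custody_record(path, results["digests"], examiner)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against the real image with `hash_image("12-carve-ext2.dd")` and keep the resulting digests with the case notes; re-running `verify_image` after processing shows whether the file FTK worked on is still byte-for-byte the one you downloaded.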
Now what? "What" is the topic for the next installment of Forensic Tools: FTK.
In the meantime, feel free to browse around and figure some things out. After all, while you are still learning is the best time to make mistakes and learn the intricacies of a program. Until next time...