
Ryan Nye

University of San Diego

CSOL590, MODULE 5

06/26/2017

FTK Imager

Background

FTK Imager version 3.4.3 was downloaded successfully to a Windows 10 computer. Videos listed in the presentation section of CSOL590 provided suitable installation and process steps. In addition to the requirements of the assignment, I took the time to document loading a USB drive and recovering deleted data from the unallocated space of the disk.

I. The Process for Adding Individual Files or File Folders as Evidence Items.

Chapter 3 of the FTK Imager user guide, "Working with Evidence", provides the following instructions for adding a single evidence item, or several at one time:

Adding Evidence Items

You can add a single evidence item, or several at one time. These procedures are explained in this section.

Adding a Single Evidence Item - To add an evidence item to the Evidence Tree

1. Do one of the following:
   Click File > Add Evidence Item.
   Click the Add Evidence Item button on the Toolbar.
2. Select the source type you want to preview, then click Next.
3. Select the drive or browse to the source you want to preview, then click Finish. The evidence item appears in the Evidence Tree.
4. Repeat these steps to add more evidence items.

(AccessData, 2012, p. 22)

In the screenshots below, I select a physical USB drive to be added as evidence.

After adding the drive, we can see the file layout in the left-hand window of FTK Imager:

II. Hexadecimal vs. Text

The Computer Science section of the BBC website breaks down hexadecimal and text very well with graphics. Hexadecimal is described as follows:

Text and numbers can be encoded in a computer as patterns of binary digits. Hexadecimal is a shortcut for representing binary. Hexadecimal (or hex) is a base 16 system used to simplify the binaries representing the file. A hex digit can be any of the following 16 digits: 0 1 2 3 4 5 6 7 8 9 A B C D E F. Each hex digit reflects a 4-bit binary sequence (BBC, n.d., p.1).

For example, the binary value 01111010 is 7A in hex (0111 = 7, 1010 = A). For text, the same guide gives the following descriptions of the ASCII and Unicode character sets:

ASCII: The ASCII character set is a 7-bit set of codes that allows 128 different characters. That is enough for every upper-case letter, lower-case letter, digit and punctuation mark on most keyboards. ASCII is only used for the English language…Extended ASCII code is an 8-bit character set that represents 256 different characters, making it possible to use characters such as é or ©. Extended ASCII is useful for European languages (BBC, n.d., p.5).

Unicode: Unicode uses between 8 and 32 bits per character, so it can represent characters from languages from all around the world. It is commonly used across the internet. As it is larger than ASCII, it might take up more storage space when saving documents…Global companies, like Facebook and Google, would not use the ASCII character set because their users communicate in many different languages (BBC, n.d., p.5).

Chapter 3 of the FTK Imager user guide, "Working with Evidence", defines Text and Hex modes as follows.

Text Mode

Text mode allows you to preview a file's contents as ASCII or Unicode characters, even if the file is not a text file. This mode can be useful for viewing text and binary data that is not visible when a file is viewed in its native application. (AccessData, 2012, p. 21)

Hex Mode

Hex mode allows you to view every byte of data in a file as hexadecimal code. You can use the Hex Value Interpreter to interpret hexadecimal values as decimal integers and possible time and date values.

Note: Preview modes apply only when displaying file data. The data contained in folders or other non-file objects is always displayed in hexadecimal format. (AccessData, 2012, p. 22)
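The following Python is an added illustration, not part of the original report or of AccessData's software. It reproduces what FTK Imager's Hex mode, Text mode (ASCII and Unicode) and Hex Value Interpreter do with the same bytes. The sample input is constructed here: the 20-byte SOI and APP0 header copied from the Zim.jpg hex dump in section IV, followed by the file name encoded as UTF-16LE and a Windows FILETIME as an NTFS record would store them. The names hexdump, ascii_view, unicode_view and interpret are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample data. The first 20 bytes are the SOI and APP0 (JFIF) header
# copied from the Zim.jpg hex dump in section IV of this report; the file name
# as UTF-16LE and a Windows FILETIME are added as the sort of values an NTFS
# record holds next to such a file.
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A46494600010101006000600000")
UTF16_NAME = "Zim.jpg".encode("utf-16-le")   # 14 bytes, every odd byte is 0x00
UNIX_2017_06_26 = 1498435200                  # 2017-06-26T00:00:00Z
EPOCH_GAP = 11644473600                       # seconds from 1601-01-01 to 1970-01-01
FILETIME_2017_06_26 = struct.pack("<Q", (UNIX_2017_06_26 + EPOCH_GAP) * 10_000_000)
SAMPLE = JFIF_HEADER + UTF16_NAME + FILETIME_2017_06_26


def ascii_view(data: bytes) -> str:
    """Text mode, ASCII: one character per byte, non-printables shown as dots."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def unicode_view(data: bytes) -> str:
    """Text mode, Unicode: two bytes per character, UTF-16LE as Windows stores it."""
    return data.decode("utf-16-le", errors="replace")


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Hex mode: offset, hex bytes and the ASCII column, one row per `width` bytes."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        rows.append(f"{off:08X}  {hex_part}  {ascii_view(chunk)}")
    return rows


def interpret(raw: bytes) -> dict:
    """Hex Value Interpreter: the selected bytes as integers and as timestamps.

    Byte order matters: the same bytes give different integers read little- and
    big-endian, and only one reading is a plausible date.
    """
    out = {"le_uint": int.from_bytes(raw, "little"), "be_uint": int.from_bytes(raw, "big")}
    if len(raw) == 4:   # 32-bit Unix time, seconds since 1970-01-01 UTC
        out["unix_time"] = datetime.fromtimestamp(out["le_uint"], tz=timezone.utc)
    if len(raw) == 8:   # Windows FILETIME, 100 ns ticks since 1601-01-01 UTC
        out["filetime"] = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(
            microseconds=out["le_uint"] // 10)
    return out


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print(ascii_view(UTF16_NAME), "->", unicode_view(UTF16_NAME))
    print(interpret(FILETIME_2017_06_26)["filetime"].isoformat())
```

The ASCII column shows "JFIF" inside the header exactly as FTK Imager's Text mode does, while the UTF-16 file name appears as "Z.i.m...j.p.g." in ASCII view and only reads as "Zim.jpg" in Unicode view; the interpreter turns the same eight FILETIME bytes into a date only when read little-endian.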

III. Strengths and Weaknesses of FTK Imager

Strengths of FTK Imager

FTK Imager loads evidence noticeably fast and presents a user-friendly, browsable Evidence Tree once a folder or drive is loaded. For first-time users it is relatively easy to locate existing or deleted files. For example, a picture was copied to a USB drive and then deleted from it; FTK Imager was able to pull the image from unallocated space:

A second strength of FTK is recovering (carving) a variety of incomplete file types. This was identified when going through the Department of Homeland Security test results for the graphic file carving capability of EnCase and FTK, published in July 2014. Note that these tests cover the full Forensic Toolkit (FTK v4.1), not FTK Imager 3.4.3 itself. From a quick view of the results, FTK shows high precision and recall for images. DHS defines precision and recall as:

Precision is the fraction of retrieved instances that are relevant, while recall is the fraction of relevant instances that are retrieved. Both precision and recall are therefore based on an understanding and measure of relevance. In simple terms, high recall means that an algorithm returned most of the relevant results, while high precision means that an algorithm returned substantially more relevant results than irrelevant. The two measures are sometimes used together to provide a single measurement for a system known as an f-score.

FTK v4.1 results table (DHS, 2014c)

EnCase v7.09 results table (DHS, 2014a)

*NOTE: The DHS table for EnCase v6.18.0 is titled PhotoRec_v7.0. This is most likely a typo from reusing the previous report as a template for the new one; the data does not match the PhotoRec v7.0 results.

EnCase v6.18 results table (DHS, 2014b)

In the DHS tables, FTK v4.1 has a better f-score than either version of EnCase, showing a strong capability to recover files.

A third noticeable strength is that FTK Imager is portable: it can run from a USB drive, which keeps it competitive with other imagers that have this capability. According to the manual, the software "can be run from a portable device such as a USB thumb drive connected to a machine in the field, so there is no need to install it on a suspect's computer to capture its image" (AccessData, 2012, p. 22). Running it this way still executes code on the live system, so the investigator should expect and document the resulting footprint (for example, prefetch entries and USB device artefacts in the registry).

Weaknesses of FTK Imager v3.4.3

The first weakness is that FTK Imager 3.4.3 offers only MD5 and SHA-1 as its hashing functions. Both MD5 and SHA-1 are known to be weak: practical collision attacks exist for both, meaning an attacker can prepare two different files with the same digest. No practical second-preimage attack against either is known, so a hash recorded at acquisition still detects later alteration of an image; the exposure is to an adversary who plants pre-built colliding files, and the inexpensive defence is to record a SHA-256 digest alongside the MD5 and SHA-1 values the tool produces.

The National Institute of Standards and Technology (NIST) National Vulnerability Database lists the MD5 weakness as CVE-2004-2761: "The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate" (NIST, 2009).

NIST lists the SHA-1 weakness as CVE-2005-4900: "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation…SHA-1 is likely present in a large number of products across the entire IT sector. The applicability statement for this CVE will be updated when specific products are identified, as time and resources permit" (NIST, 2016).

An investigator who relies solely on the MD5 or SHA-1 hashes produced by FTK Imager 3.4.3 may face challenges to the integrity of the evidence in court. NIST's current policy on the SHA-1 hash function states:

"SHA-1: Federal agencies should stop using SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance. Federal agencies may use SHA-1 for the following applications: verifying old digital signatures and time stamps, generating and verifying hash-based message authentication codes (HMACs), key derivation functions (KDFs), and random bit/number generation. Further guidance on the use of SHA-1 is provided in SP 800-131A" (NIST, 2015).

The current standard is a minimum of SHA-256: "NIST encourages application and protocol designers to implement SHA-256 at a minimum for any applications of hash functions requiring interoperability. Further guidance on the use of SHA-2 is provided in SP 800-57 Part 1, section 5.6.2 and SP 800-131A" (NIST, 2015).
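The following Python is an added example, not code from this report or from FTK Imager. It hashes an evidence stream in chunks with MD5, SHA-1 and SHA-256 in a single pass, writes a CSV hash list in the shape of the MD5/SHA1 list FTK Imager 3.4.3 exports (the SHA256 column is added here), and verifies a list against the files it describes, refusing to pass an item whose list carries no SHA-256 value. The sample file is constructed (the JFIF header bytes from the Zim.jpg dump in section IV plus zero padding) and every function name is this example's own.

```python
import csv
import hashlib
import hmac
import io

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed evidence item: the 20-byte JFIF header from the Zim.jpg dump in
# section IV of this report, zero-padded past 64 KiB so the chunked reader loops.
SAMPLE_FILE = bytes.fromhex("FFD8FFE000104A46494600010101006000600000") + b"\x00" * 70_000


def hash_stream(fobj, algorithms=ALGORITHMS, chunk_size=65536) -> dict:
    """Read the stream once and feed every requested digest from the same chunks,
    so the evidence is touched a single time however many algorithms are recorded."""
    digests = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = fobj.read(chunk_size)
        if not block:
            break
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data: bytes, **kw) -> dict:
    return hash_stream(io.BytesIO(data), **kw)


def hash_file(path: str, **kw) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f, **kw)


def write_hash_list(items: dict) -> str:
    """CSV in the shape of an exported hash list: one digest column per algorithm,
    then the file name. FTK Imager 3.4.3 offers only MD5 and SHA1; SHA256 is added."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([alg.upper() for alg in ALGORITHMS] + ["FileNames"])
    for name, data in items.items():
        digests = hash_bytes(data)
        writer.writerow([digests[alg] for alg in ALGORITHMS] + [name])
    return buf.getvalue()


def verify_hash_list(csv_text: str, items: dict, require=("sha256",)) -> dict:
    """Re-hash each item and compare it against the list.

    Every digest present in the list must match, and the algorithms in `require`
    must be present: a list carrying only MD5/SHA1 fails instead of silently
    passing on weak digests alone. Comparison is constant-time out of habit.
    """
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["FileNames"]
        if name not in items:
            results[name] = False
            continue
        actual = hash_bytes(items[name])
        ok = all(row.get(alg.upper()) for alg in require)
        for column, recorded in row.items():
            alg = column.lower()
            if alg in actual and recorded:
                ok = ok and hmac.compare_digest(recorded.lower(), actual[alg])
        results[name] = ok
    return results


if __name__ == "__main__":
    listing = write_hash_list({"Zim.jpg": SAMPLE_FILE})
    print(listing)
    print(verify_hash_list(listing, {"Zim.jpg": SAMPLE_FILE}))
```

The `require` parameter is the policy knob: with the default, a hash list that records only the two digests FTK Imager 3.4.3 can produce is rejected until a SHA-256 value is added from another tool; passing `require=()` reproduces the weaker check that accepts MD5 alone.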

FTK's second major weakness is that it falls short of X-Ways Forensics in precision and recall, according to the 2014 DHS carving tool study. The X-Ways results not only show higher precision and recall for GIF and TIFF files but outscore FTK across the board.

X-Ways results: outperforms FTK in every category (DHS, 2014d)

FTK results: no TIFF files recovered and a low f-score for GIF (DHS, 2014c)

*FTK appears to have added TIFF carving in Forensic Toolkit 5.4.

*Known issue in FTK 5.4: "GIF carving produces inconsistent results" (AccessData, 2014).

IV. Assignment: "Once you have completed the above, access the Zimmerman telegram image from module 1 and save it to your hard drive as a JPG image. Next, add the image as evidence to the FTK Imager by clicking "Add Evidence Item" then Select "Content of a Folder" then Browse to the image file and click "OK." Once you have added the image, write down the hex code."

The image was copied from the Module 1 discussion forum opening post (thread) titled "Discussion 1.4 Zimmerman Telegram" and saved as "Zim.jpg".

Then we follow the instructions to add Zim.jpg to FTK Imager using the "Add Evidence Item" icon and selecting the "Contents of a Folder" radio button (per the assignment instructions).

Then we browse to source path:

We have now added the file as evidence, as shown in FTK Imager's "Evidence Tree" window at the top left:

We create a hash using the "Export File Hash List" icon and save the file as a CSV; the digests are written as hex strings:

We can click the "View Files in Hex Format" icon to view the file in hex format in the bottom-right window.

Then we can use the following steps to copy the hex:

1) Ctrl-A in the Hex window (highlights all)

2) Right-click > "Copy Hex"

HEX of the Zimmerman Telegram (Zim.jpg):

FFD8FFE000104A46494600010101006000600000FFDB0043000302020302020303030304030

304050805050404050A070706080C0A0C0C0B0A0B0B0D0E12100D0E110E0B0B101610111

3141515150C0F171816141812141514FFDB00430103040405040509050509140D0B0D141414

141414141414141414141414141414141414141414141414141414141414141414141414141414

1414141414141414FFC0001108030002BE03012200021101031101FFC4001F00000105010101

01010100000000000000000102030405060708090A0BFFC400B5100002010303020403050504

040000017D01020300041105122131410613516107227114328191A1082342B1C11552D1F02

433627282090A161718191A25262728292A3435363738393A434445464748494A5354555657

58595A636465666768696A737475767778797A838485868788898A92939495969798999AA2

A3A4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7

D8D9DAE1E2E3E4E5E6E7E8E9EAF1F2F3F4F5F6F7F8F9FAFFC4001F01000301010101010

10101010000000000000102030405060708090A0BFFC400B5110002010204040304070504040

0010277000102031104052131061241510761711322328108144291A1B1C109233352F015627

2D10A162434E125F11718191A262728292A35363738393A434445464748494A535455565758

595A636465666768696A737475767778797A82838485868788898A92939495969798999AA2

A3A4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7

D8D9DAE2E3E4E5E6E7E8E9EAF2F3F4F5F6F7F8F9FAFFDA000C03010002110311003F00

F46B1924B8FB24A93C7046B9665BA611AA7C87962412A065739047CC99FBD191D6E996

13BDC5D3DC3C5219646CC72108C5C79608C101B218ED201C871B189901739FA4412EC2

AB1CA8C1832B3072A3E5C153824820B37627E63804E42F49A66A30C7A7C705BA5CA5B

48C51572E4FCBB51483920808A17824601C12B97AF876D743F4B95D3BA5D497CBB5135

B399239FE50B198664CCA0C8FB5500037160AC5718DC1642A542B86B82DED2D6194B5C

5AF97E43365EE22DB08113319189521500392C4150A4120A90A327C53E3ED23C20F6675B

D43C992F2486D218A49591A795FF854315049F95882460282D8F9374DE38F8889F0D6CE1

9B578B52921BC7582DDAD609A4D923901092A0B280C49C804FA0DDC544AEED6EA617

4936F7303E357C33D33E26F84356D0EF9A485E6CB9F2E48D5C326D07099DD90700A924E

594124B02287C21D3658AC2DECAEEDADE1D26C523B1D3AE2368CB5C45E620476C905

59CA488AA40F995946D285E49F5CFDA63C391D9C33CFA66BC9A76A107DA2D665D3D9

94AB162A005C8036AB80338EA0646EC6145FB54784EC6D4F9BA5EBC896A8C42FF64C8

1915625925C7183FBB923E7A11D70A013B28CF96D6EA42925BAB348EFB5248ECB4CBB

05C1B58D0B92D2DB8F2311B36FDDBB90172E4804ED52D838F2CD45B63B9A016A6189E

4245BB34224242272DFBC60010EAD82781229EAC447E73AFF00ED3FE15B98A609A3F89

E7579040AC7499916472C91862C067024753C739C11F362B1B5FF00DACF4C59DAF2CF42

F13057DCB0E34F3B76EE641B40033CC727419EBFC5BA8F6737B22E35611576CFA5B41F

08DB4D17F695AC823BC8A4682392375F2C0336D28486C338D9E591D33C038F9CC965E24

8E6D592C6F6CA6B3D4237522D26DBBE465DCE19497C30217701D404248C850DF34F87F

F006D6B4D3D65B29FC2BAF820A3F3624332ECF3C360004FEEFA01C0E3F838ABB71FB5

D787FC4D6A167F0C7888DDA9654B9FB2AA38FBA870ED80BF348879E3A13CECC1EC2

A5F5466AAC6ED37A1F56E836F6F22C4EF684C922AB3CB1AB01365410C0939C73919C1

C1EC7207591DBBC308658479AECCDB70772A93800F3D7A8E0E33D0E3247C65A0FED98

E9ACDCC77BE0FD7E2B48585B59DC0B5DCEE3250330E08224046D249F5F9B35D969FFB

615BCD34F6CDE0FF001149247B6768FC84006F0CEAC1B760E4291C647048C0522A3D8C

D7439EA5E6D24CF72D4B4F6B8DD8B294EEB8475F9583330624E4EEC60E075200039C7C

B9E6740BF9A6B94BE9ECEE30B0AF9B208E5284E189DBC92727E60080E738203FCB5E33

71FB6B69074FB8D46E7C27E233690B36666B7411C850860A496C0077AF241ED9CE40195

07ED1C60BEB5593C23AD18A39FEC601F2C39656F28950D264824E72493D892DCD1EC66

BA1B45AD9B3EB2B7F134BF6312C7148EB1960ADE53E10845241C7DE3CE32B9073C642

B91CA78D6DE6D7B4DD66DE44D9692A0F3163CA9901954360B109823AEE2011CB614A9

3E4963F1FF51B3B0612FC3EF11982E17CD6882C614AB46770187EA0C7920000839000041

E2F54FDA9A78D6E6FD7C09AF4514ACE5249225408B16D9486E4803040048209E3046009

54E4F6411A7C8DCB6F91D4E99F0D7C4167AB379373710C4B248E91B2CD954336460005F

24AEEE4070700812100FA0E9BE1B9EEF47D363373225A7D9E38ED44658617CB62036DC

A9E58FDD24750BD24AF265FDAB22B2D41EDA5F01788CCACBE508A38776F6126D2E00

7DD9064F53C8EA4F23B0F85FF001F2C7E22341A3BF8775AD0F526B24BD782FE328D345

968700646326304631C64E0725B4A909A5AA3552E67BEA73BAD785F538AFAF5239A4588

07F3E4955D43623507EF0C608DA096F9157E77FDD6D20B5F87656E2F1B53BEF32659564

C5AB4EA4B06008C32EEC92C17006FDF807E72A6BD8B5286D6D9656F21A278A29A58E4

9246D9136C53F3124E473939078C707EE8E53C4F1AC7752DBC7677D12B022285588607CC

5008C49CFA63381C723EF2C293691B7338EA8A3369B6DE1DD25459DC66C8AAB2CCD2

3392DE6300400BC67630000E4860B8612138F79AE5CAE8764B6E618AF372B15924D98C29

25CEE500204F998F2A10876062214ED5FDADC5B0D323BA6B8926019E594962B73234C77

6086C0C85030319C7380017E73C47F10F42D1BCAB4BED5ED6D6F53138FB74FB1E32A8C

E18866CE06770600919CE0B7EEE84AEEC8BE6BDA4CA77972F328CDC7953B298CC8CD

913B795F7304643125570486C955C8664224BAD3E0927BA920B8B631C9E646F2C72ABF94

09450B900039659172072EB220C32C8CCDD2FC65E1BF115E9D3B4ED6EDAF2EE288A8B

4B6B80EEAA220AD80AE79C315233DF938C916BC55F14BC39A26A37F05EEAF6BA7DF4

6AFF00E8334E63215991012A4839658F03200214F45019ED5EF6B135396D74CCC9E37B69

9208AF2D5E0488B0134C8106D9B2
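As an added worked example (not from the original report), the Python below parses the marker segments at the start of the hex above. The embedded hex is the first 177 bytes of the dump copied from this page: SOI, the APP0 JFIF segment, two DQT quantization tables and the SOF0 frame header. The Huffman tables (FFC4) and the scan data (after FFDA) that follow are left out, and the page's copy of the dump itself stops inside the scan data before any FFD9 end-of-image marker. From these bytes alone the frame header yields the image dimensions and component layout, which is the kind of header check a carver applies before accepting a candidate JPEG. Function and table names are this example's own.

```python
import struct

# The first 177 bytes of the Zim.jpg hex dump on this page: SOI, APP0 (JFIF),
# two DQT tables and the SOF0 frame header. Huffman tables and scan data omitted.
ZIM_HEX = (
    "FFD8FFE000104A46494600010101006000600000FFDB0043000302020302020303030304030"
    "304050805050404050A070706080C0A0C0C0B0A0B0B0D0E12100D0E110E0B0B101610111"
    "3141515150C0F171816141812141514FFDB00430103040405040509050509140D0B0D141414"
    "141414141414141414141414141414141414141414141414141414141414141414141414141414"
    "1414141414141414FFC0001108030002BE03012200021101031101"
)

MARKER_NAMES = {
    0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xDB: "DQT", 0xC4: "DHT",
    0xC0: "SOF0", 0xC1: "SOF1", 0xC2: "SOF2", 0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM",
}


def parse_jpeg_segments(data: bytes) -> list[dict]:
    """Walk the marker segments of a JPEG header.

    Every segment starts with FF xx. Apart from SOI and EOI, a big-endian 16-bit
    length follows that counts itself but not the marker. Parsing stops at SOS,
    where entropy-coded data begins, or when the buffer runs out, as it does for
    a truncated dump.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing FFD8 SOI signature")
    segments = [{"marker": "SOI", "offset": 0}]
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos:#x}, found {data[pos]:#04x}")
        code = data[pos + 1]
        if code == 0xD9:
            segments.append({"marker": "EOI", "offset": pos})
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError(f"segment at offset {pos:#x} is truncated")
        seg = {"marker": MARKER_NAMES.get(code, f"0x{code:02X}"), "offset": pos, "length": length}
        if code == 0xE0 and payload[:5] == b"JFIF\x00":
            # bytes 5-6: version major.minor; byte 7: density units; 8-11: X/Y density
            seg["jfif_version"] = f"{payload[5]}.{payload[6]:02d}"
            seg["density"] = struct.unpack(">HH", payload[8:12])
        elif code in (0xC0, 0xC1, 0xC2):
            # frame header: sample precision, height, width, number of components
            precision, height, width, ncomp = struct.unpack(">BHHB", payload[:6])
            seg.update(precision=precision, height=height, width=width, components=ncomp)
        elif code == 0xDB:
            seg["table_id"] = payload[0] & 0x0F
            seg["entries"] = len(payload) - 1   # 64 for an 8-bit quantization table
        segments.append(seg)
        pos += 2 + length
        if code == 0xDA:
            break
    return segments


def frame_size(data: bytes):
    """(width, height, components) from the first SOFn segment, or None if absent."""
    for seg in parse_jpeg_segments(data):
        if seg["marker"].startswith("SOF"):
            return seg["width"], seg["height"], seg["components"]
    return None


if __name__ == "__main__":
    for seg in parse_jpeg_segments(bytes.fromhex(ZIM_HEX)):
        print(seg)
    print("frame:", frame_size(bytes.fromhex(ZIM_HEX)))
```

Reading the dump by hand gives the same answers: FFE0 0010 is a 16-byte APP0 segment whose payload begins 4A 46 49 46 00 ("JFIF"), the two FFDB 0043 segments are 67-byte quantization tables (ids 0 and 1), and FFC0 0011 08 0300 02BE 03 is an 8-bit baseline frame 0x0300 = 768 pixels high, 0x02BE = 702 pixels wide, with three components.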

References

AccessData Group, LLC. (2012, March 21). FTK Imager User Guide. AccessData. Retrieved from https://ole.sandiego.edu/bbcswebdav/pid-974989-dt-content-rid-3922453_1/courses/CSOL-590-MASTER/M5/Imager_UG.pdf

AccessData Group, Inc. (2014, December 8). AccessData Forensic Toolkit 5.6 Release Notes. AccessData. Retrieved from https://ad-pdf.s3.amazonaws.com/ftk/ftk%205.6/FTK_5_6_RN.pdf

BBC. (n.d.). Hexadecimal and character sets. BBC.co.uk. Retrieved from http://www.bbc.co.uk/education/guides/zp73wmn/revision

DHS. (2014a, July 16). Test Results for Graphic File Carving Tool: EnCase Forensic v7.09.05. Department of Homeland Security. Retrieved from https://www.dhs.gov/sites/default/files/publications/508_Test%20Report_NIST_EnCase%20Forensic%20v7.09.05_0_September%202015_Final_0.pdf

DHS. (2014b, July 16). Test Results for Graphic File Carving Tool: EnCase Forensic v6.18.0.59. Department of Homeland Security. Retrieved from https://www.dhs.gov/sites/default/files/publications/EnCase%20Forensic%20v6.18.0.59%20Test%20Report_IKS_0.pdf

DHS. (2014c, July 16). Test Results for Graphic File Carving Tool: FTK v4.1. Department of Homeland Security. Retrieved from https://www.dhs.gov/sites/default/files/publications/508_Test%20Report_NIST_FTK%20v4.1%20Test_%20August%202015_Final.pdf

DHS. (2014d, July 16). Test Results for Graphic File Carving Tool: X-Ways Forensics v17.6. Department of Homeland Security. Retrieved from https://www.dhs.gov/sites/default/files/publications/508_Test%20Report_NIST_X-Ways%20Forensics%20v17.6_0_August%202015_Final_0.pdf

NIST. (2009, January 5). CVE-2004-2761 Detail. National Institute of Standards and Technology. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2004-2761

NIST. (2015, August 5). NIST's Policy on Hash Functions. National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/groups/ST/hash/policy.html

NIST. (2016, October 14). CVE-2005-4900 Detail. National Institute of Standards and Technology. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2005-4900