FTK lab session

FTK log book - lab session 2


Made sure that the Ethernet cable was plugged into the blue socket


Started FTK - logged in


Created a working folder on both the desktop and the USB - the desktop one labelled FTK lab6 and the USB one FTK lab2


Pictures taken and then deleted on a camera
Logical image created of the camera in FTK Imager
Had a brief experiment within this - could see one deleted file was there but could not view it fully


Added all 3 images
Malaysia
Mantooth
Camera


Saved in folder


Added evidence item: washer
Found the following in properties
Shows it had been imaged by Nick Drehel
Also shows the case number


Has only one partition


Shows us the name is partition 1
Sector it starts at: 63


I know it is NTFS as it says so in FTK
This is shown upon viewing the properties of the Documents and Settings directory


Owner of Documents and Settings is


Couldn’t find who had used this partition, however


Then went to the Overview tab, which showed me the following
So I can see how many file extensions there are, etc.
Opening up File Status showed the following

OK, so I did this, but now I’ve been asked to find a file called mantooth 2003 cigarette gladiator powerboat for sale in texas .htm


So I went to Index Search and searched as below
As you can see, it appeared
It appears to the right, giving me the exact location
I can view it in the Content viewer


Properties showed its UNIX permissions
So rwxr- : read, write, execute for the owner, but notice execute stays throughout

Right-clicking on the file and then Find on Disk gave me the following information
So I know where it starts


Navigated to Overview - File Extensions, then found the file secure2(1).Gif - looked at its properties, could see when it was created, etc.
Then File Category - Documents - options.doc, which was a dtSearch document giving information about keyword searches, which use things such as phonetic spellings


Then viewed excel spreadsheets which were all conveniently empty


So I can see its size, who created it, who owns it, etc.


Navigated to multimedia and was able to play the files


Located an entry under Bad Extensions labelled feed4.data
Upon viewing its hex in Content I saw
Can deduce it is .html, not .data
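The Bad Extensions check above compares a file's leading bytes against its extension name. The following is an added example of that comparison in Python, written for this log book and not FTK's own code; the signature table and the sample headers (including the feed4.data header) are constructed here for illustration.

```python
import re
from typing import Optional, Set

# Constructed signature table: a small subset of the file-signature knowledge
# a tool like FTK uses for its Bad Extensions check. Each entry pairs the
# leading "magic" bytes with the extensions that legitimately carry them.
SIGNATURES = [
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"%PDF-", {"pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt"}),
]

# HTML has no fixed magic; look for a leading tag, ignoring whitespace and case.
HTML_START = re.compile(rb"^\s*(<!doctype\s+html|<html|<head|<body)", re.IGNORECASE)

def identify(header: bytes) -> Optional[Set[str]]:
    """Return the extensions consistent with the file's first bytes, or None."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return exts
    if HTML_START.search(header[:512]):
        return {"htm", "html"}
    return None

def extension_of(name: str) -> str:
    """Lower-cased extension of a file name ('' when there is none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def check_extension(name: str, header: bytes) -> str:
    """Classify like FTK's file-status view: 'ok', 'bad extension' or 'unknown'."""
    detected = identify(header)
    if detected is None:
        return "unknown"  # no signature matched; nothing to compare against
    return "ok" if extension_of(name) in detected else "bad extension"

if __name__ == "__main__":
    # Constructed sample headers standing in for the hex seen in the Content view.
    samples = {
        "feed4.data": b"<html><head><title>feed</title></head>",
        "secure2(1).Gif": b"GIF89a\x01\x00\x01\x00",
        "options.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    }
    for name, header in samples.items():
        print(f"{name}: {check_extension(name, header)} (looks like {identify(header)})")
```

feed4.data is reported as a bad extension because its header parses as HTML, matching the deduction above.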


Opened up the Emails tab and was able to see emails - could see sent and received, as well as contacts and attachments


Viewed pictures in the Graphics tab, was able to see the deleted file


Went into the Internet tab and could see visited sites such as Adobe and Gmail


Did a search with both Index and Live, didn’t feel like I noticed a difference
Live did show results in unallocated docs and files
Found fewer hits with Live than with Index


Checking my verification found that

Interesting - as other files were verified
