Join Us!

FTK toolkit 6.0 hel...
 
Notifications
Clear all

FTK toolkit 6.0 help  

  RSS
KatT1989
(@katt1989)
New Member

Hi everyone

I am doing an assignment on FTK toolkit (6.0). I am a masters student but otherwise have no forensic background or many IT skills! I need help with the following

1) How to recover deleted files (mov and m4v videos and jpeg and IND graphics) from an image file of a USB. I have tried to export but they will not open/play. The hex view appears empty so i think these have been overwritten and not recoverable?

2) I also have an image file of a hard drive. I can see on the system information tab, and on registry viewer, that 5 USBs have been attached. I can see the last accessed information, product ID, instance ID etc. However, the things I need to find out are

-Can i identify the last file opened/transferred with each USB?
-Can I link the USB to the user of the hard drive via a unique user number?

The forensic tools i have access to are FTK imager, toolkit 6.0, registry viewer and PRTK only. Again i am not very technical so any step by step advice would be really appreciated!!

Thanks!
Kat

Quote
Posted : 13/03/2019 1:26 pm
kastajamah
(@kastajamah)
Member

I am not sure of FTK 6.0, but are you able to look at the link files? Also, have you looked at the Edge/Internet Explorer history to see if there is any file browsing history? You could also look at jump lists and shellbags, but the first two is where I would start.

It would be helpful if you can determine in the USB history the last connected date, last assigned drive letter, and the serial number of the USB itself. Sometimes there will be a name for the USB or just the VID and PID. If you can locate the VID and the PID you can find websites that will tell you the vendor and the model of the drives.

Depending on the program used to create the image of the USB, you should be able to find the serial number for the USB in the report created by the imaging program. You can then search for that in the USBstor in the registry to see if it was connected to the computer you have the image for. You can also do a search of the case overall for the serial number to see if it shows up in other places like the Windows Event logs.

I hope this helps.

ReplyQuote
Posted : 13/03/2019 3:03 pm
jaclaz
(@jaclaz)
Community Legend

1) you can try direct carving (i.e. Photorec) for the images.
2)
a. -Can i identify the last file opened/transferred with each USB?
Yes/No.
b. Can I link the USB to the user of the hard drive via a unique user number?
Yes/No.

But you are starting with the "wrong foot" (terminology).

You don' t have "an image file of a hard drive" you (hopefully) have "an image file of a hard drive that contains boot/system volume(s) for an Operating System running on a (virtual or) physical PC".

So what you can do is to make a complete timeline of the operating system and from that derive (if possible) when a USB device was connected, which files (if any) were accessed or deleted or created at that time, which user (if any) was connected at that time, etc. i.e. simplified and condensed in one page
https://www.forensicfocus.com/timeline-analysis-one-page-guide

Tools
https://articles.forensicfocus.com/2014/09/25/a-guide-to-regripper-and-the-art-of-timeline-building/
https://github.com/keydet89/RegRipper2.8
https://github.com/log2timeline/plaso
https://plaso.readthedocs.io/en/latest/

jaclaz

ReplyQuote
Posted : 13/03/2019 3:34 pm
mahsanqureshi
(@mahsanqureshi)
New Member

1) you can try direct carving (i.e. Photorec) for the images. jaclaz

Agree. While indexing the evidence, enable data carving options.

ReplyQuote
Posted : 04/05/2019 3:12 pm
Share: