Holli: Hi, everyone. We’ll get started in just a minute.
Okay. It looks like we have a good amount of people that have entered into the webinar, so I’ll go ahead and get started.
Thank you for joining us today for What The Tech? Using FTK Imager. My name is Holli Hagene and I’m a Marketing Director at AccessData. Before I hand things over to our presenters, I wanted to mention that today’s webinar is being recorded and we’ll post the recording on our social channels. In the next few days, you can also visit our webinar page to view on demand and upcoming webinars. And we also encourage your questions, please type them in the Q&A box, and we will answer them as we can throughout the webinar, and at the end of the webinar, if there is time.
So today our presenters are Daz Menzies, International Training Instructor, and Sarah Hargreaves, Director of International Training. Sarah, you can take over.
Sarah: Thank you, Holli. Thanks everyone. Welcome to today’s webinar. I’m really looking forward to talking to you all about Imager.
Let’s for a moment, just talk about the tool, the products. We all know Imager really well. It’s one of AccessData’s principal tools and is most well known and well loved in the forensic community. Why? Well, because it does exactly what we expect it to. It creates forensic images, it’s reliable, it’s robust, and it’s free. And this presents us with a huge opportunity to be able to create forensic images with the integrity in place for us to start the forensic process.
And forensic imaging, for all of us that do it, and for all of us who’ve been doing it for many, many years, we know is not just a feature of forensic analysis, but it’s also one of the most important features of forensic analysis. Because it’s potentially one of the most volatile phases in that process because we’re dealing with live exhibits. We’re placing our hands on exhibits, we’re breaking the seals on exhibit bags, and we’re starting that forensic process.
And it’s important that we spend that time thinking about how we’re going to undertake that process. And in being able to understand how we’re going to do that, then we really need to understand that too. And FTK provides us with lots and lots of different functionalities to be able to make all of those decisions and find the right way that we can create a forensic image.
Now, I would love to tell you about every feature, and I’m sure that I’m speaking for Daz as well. We would love to tell you about every feature that’s in FTK Imager, but there just isn’t enough time because it’s so feature packed. But what we can do is take the benefit of some of our experience, and some of the questions that we’ve received as trainers along the way, to talk to you about some of the features that perhaps you didn’t know about, or perhaps the features that we liked the best, so that hopefully then when you use the tools too, then you can learn a little bit more about how to use them more effectively.
So what I’m going to do is I’m going to move into using the tool.
Now, when we open up FTK Imager, not a great deal is going on. And that’s because we need to wake it up. Now FTK Imager contains four principal panes when we open it up and we can follow these panes as we go along. We have our evidence tree, we have our file list, we have our viewer pane. And then we have this guy at the bottom, which I like to think of as my best friend in this tool, which is our properties pane, which has got a number of features inside it.
Now using FTK Imager, as we said, is going to be part of the very first phase of the forensic analysis process. And that’s to create the forensic image. But how are we going to do it? What things do we need to consider? Are we dealing with a device that’s been… a piece of media that’s been extracted from a device? A hard drive, perhaps? Are we dealing with a device that is switched on? Are we also dealing with a device that maybe we can’t, or don’t want to, take all of the data on that device?
There are all of these constraints that we’re faced with as forensic analysts on a daily basis. And it might be that we’re dealing with the fact that we’ve got to take evidence in the scene. We’ve got to take evidence back in the lab. And we need a tool that provides us with a varying choice of functionality based upon all of these hurdles that we have to overcome. And sometimes we have to make those decisions in a stressful situation. Sometimes we have to make those in a stressful environment. So we need to be able to know what our tools do, so that we can help, we can work to make those decisions.
Now, at the moment, I’m using FTK Imager as an installed tool. For most of us that are already using it, this is the main way that we use the tool, install a tool, and we commence our forensic process. But, that doesn’t mean to say that we can’t use FTK Imager in more than that way, because FTK Imager allows us to use it on an external device — a USB device, for example. And then we can take that portable device and we can go and take Imager to the device, rather than taking the device to Imager on our forensic workstation. And it’s a very simple process that we can do. And that allows us to then use FTK Imager in the field, whether it be with a server, or whether it be that it’s on a device that’s inside a crime scene, or even a device that we’re not able to switch off yet or at all.
Now Imager does lots and lots of things. Imager allows us to create forensic images. It allows us to do forensic preview. It allows us to be able to take certain types of images: types of images where we don’t take all of the data. We can take lots and lots of different types of images, and it has lots and lots of functionality within it.
But one thing it doesn’t do is that it doesn’t write block. So when we’re using FTK Imager, depending on the circumstances that we’re presented with, we have to be working with our write blocking tools as well. And that’s a really important thing to remember.
Now, when we’re working with FTK Imager, when we’re working in our forensic laboratories, when we’re working with devices, we’re constantly working with things that make our job difficult. Specific file systems; encryption; things that may present themselves as obstacles and stand in our way when we’re trying to get the best evidence that we possibly can. And obtaining the best evidence is something that is underpinned by the role that we do. We always want to get the best evidence that we possibly can.
And when I teach FTK Imager — and I’m sure that Daz is the same — when I teach FTK Imager, one of the things that I sometimes say to people is, well, here’s FTK Imager. You’re going to create a forensic image, tell me what you’re going to do. Well, a lot of people sometimes will automatically go to File, Create Disk Image. And that’s absolutely fine, because creating a disk image is what FTK Imager is there to do, of course.
But sometimes, we just need to take a moment and keep ourselves in that thought process just for a little bit longer. Because evidence sometimes presents us with unexpected problems. And it could be that we need to just take a moment to check that we’ve got everything that we want to see. That nothing is not visible to us. That we can see the file system, that we can understand the partitions on the disk. And it might be that we’re just not quite ready to make the commitment to creating the forensic image just yet.
And that’s not a problem, because FTK Imager allows us to just take that tentative step and tiptoe into the evidence. Because what we can do is we can go and add an evidence item first. And what we’re doing is that we’re previewing the evidence before we’re making the decision to go all in and create the forensic image. And this is a really important phase, because once we know that we’ve got this opportunity to sort of pause before we make that decision, we can have a look at how we’re going to create the forensic image.
The first option that we can see is very similar to the options that we have when we create a forensic image. What do you want to see? Do you want to see the physical devices? Do you want to see just the logical devices? Do we want to focus on looking at a file that has already been imaged, or presents itself as an image, or do we want to focus on the contents of a folder?
So let’s look at physical drives. When we go in, what we will now be able to see is that we can make a choice as to what we’re going to connect to. So we can choose the device that we want to connect to, and finish. And in doing so, what we’re now doing is communicating with that device, potentially using the write blocker, to determine what we’re going to take an image of.
Can we see the file system? Can we see the contents of the file system? Do we understand the nature of the file system that we’re being presented with? As we can see at the moment, FTK Imager will tell us. It will tell us that we are working with — in this physical device — more than just one partition. And it might be that we are not dealing with a unified file system as well. So we can see here that we have an NTFS partition, but we also have an Ext2 partition. So we’re dealing with two different types of file systems. Does it matter? Possibly not, but it might matter.
Additionally, it can allow us to make decisions about the scope of the data that we’re going to take. Do we want to take it all? Are we only focused on taking some of the data? And we have to consider all of the constraints that we have as a forensic investigator: time, space, and all of that will allow us to make the right decisions as to how we’re going to create the forensic image. And we don’t have to make that commitment from the outset, because looking at it in this method of previewing allows us to just take a moment.
Now, once we’ve taken the time to have a look at this, and we’ve previewed and we’ve understood what we’re dealing with, there is nothing at this moment to stop us from going a little deeper and having a look at the file system in a deeper way. What’s inside this thing? And as we go through, we can see just as we would expect to, that we could communicate with the device and we can see what’s going on. We’re effectively previewing the device.
And by doing that, we can start to think about triage; making sure that we’re working with the right device; making sure that we can go in a little deeper and find the types of data that we’re looking for. And we’ll talk about triage a little bit more shortly.
But in doing so, what we can then do is we can have a look and make a distinction as to which piece of data that we’re interested in is the piece of data that we’re looking for here. And once we’ve done that, then we can see that we can preview the devices. We can go and have a look at what’s going on on this data. And we can go and have a look at whatever it is that we want to see.
The viewer that’s in the tool will allow us to preview the material that we’ve got in this device. So we can again preview. And it might be that all we need to do is demonstrate that a piece of data is present and then it will allow us to help us to make our decisions moving forward. FTK Imager allows us to do that in this preview mode.
Now, when we’ve made the decision, or when we’ve located the type of data that we’re interested in looking at, then what we can also do is that we can take advantage of what we’ve got here, because of course, when we move along and we can have a look at the type of data that we’re looking at and preview the data as well, the system properties — or the properties of that file — will be available to us to review in the properties window.
The benefit to this is that we get more than just the date modified, which we have at the top. As we focus in on the data that we want to see, we also see lots and lots and lots of additional data about that particular artifact. And this is really useful to know, because FTK Imager now provides us with a really robust way of being able to preview the evidence, decide if it’s relevant, look at things like the file ownership, look at whether this is a hidden file. All of this information that we can have a look at, even before we’ve made the commitment to create the forensic image.
So assuming that we’ve now made that decision, we’re assuming that we’ve had a look at the device. We’re not presented with any difficulties. We can see the file systems that we want to look at. We’ve chosen the right device. We know that we can see the file system. We know that we want to take a particular type of forensic image. So let’s start.
Well, that’s absolutely fine. And we’ve got a number of options from here. The first thing that we can do is that whilst we’re in this preview mode, we can right-click and we can take a disk image right from here.
Or, if we want to take this away, even though we’ve got this open, we can go straight in and create the disk image. Just as before, now that you’ve had the opportunity to do that cursory preview and make a decision about what you want to image. Do you want to take the physical device? And for lots of people who are forensic people, it’s always best where possible to take the physical device, of course, but it might be that we can’t. It might be that we are prohibited from doing so based upon the circumstances of the case. It might be that we’re in the field and we don’t have the ability, nor permission, nor space, nor time to take everything. We have all of those decisions within FTK Imager to give us the data that we want.
And also, bear in mind the fact that FTK Imager allows us to place onto an external device, a USB device, connect that to something like a server, and then create that forensic image potentially of that logical drive, so that we don’t necessarily have to worry about things like rebuilding a RAID because we took it to pieces because we wanted to take those physical devices. We can take that logical data as well.
Once we’ve made the decision, then of course we can proceed through the flow and process of creating the forensic image.
Imager allows us to create different types of forensic image. And it’s going to depend on your personal preferences, policies, and procedures as to how you do that. When we take a physical device, then we have the options of taking that raw image, the DD image. We can also take SMART, E01, and AFF. If we’re going to take something like an E01 image, then we also have the opportunity to apply compression so that we can compress the size of the disk down. Just as we would expect to see with an E01 file, we can apply all of that compression to the disk to create as optimized, space-wise, a forensic image as we possibly can.
The other thing that we can do is that we can choose to fragment or not fragment the forensic evidence file that we’re going to create. So what I’ll do now is I’ll just send this to here. The compression is set to halfway. We can turn that right up to nine, if we want to. And we can choose whether we want to fragment or not fragment the disk. And it’s entirely up to us, whether we do that.
But what we will also be able to do is if I go back… whoops. Hang on. Is that when we choose to create… when we choose to fragment the image, one of the things that FTK allows us to do, and it’s really, really worth knowing about, especially if you’re going to be imaging in the field, is that everybody’s used to — who creates forensic images — everybody’s used to the process of fragmenting the forensic image.
FTK also allows us to do something called adding an overflow location. And what that basically means is that if we… if Daz and I turn up to a location, we’ve got to take a forensic image, and when we arrive, we realize that the data that we want to take is of, say, some four terabytes. But what we actually have are a collection of two terabyte disks, because that’s what we brought with us, then what FTK Imager is going to allow us to do is connect those destination devices together, so that when Imager is finished and filled the first device, it will jump to the second device. And it allows us to keep those devices aligned, so that if, when Daz and I turned up to the crime scene, all we have to do our onsite imaging with are a number of devices that just don’t fit the size of our target, then we don’t have to walk away with nothing. We can continue, because we can connect those devices together.
And it’s really useful to know about, but it’s also really useful for you to have that in your mind when you’re making your decisions about disk fragmentation or image fragmentation. Because if you’re not going to fragment your disk — your image — then of course, we’ve got to think about the fact that if we’re using an overflow location, there has to be a way of breaking that image. So the two thought processes have to go together. The idea being that we can create and fulfill the objective that we went into the process with. We have to come out with a resulting verified forensic image.
Now, verification is something that’s really, really important to us. And it’s one of the cornerstones of the forensic investigation process. We have to be able to demonstrate, wherever we can, that evidence can be verified for its integrity.
And of course, everything that we do in Imager, we have the ability to verify the evidence. And what we can see is that when we create the forensic image, we can automatically verify images as soon as they’ve been created, which means that as soon as the forensic imaging process is complete, the verification process will commence. And it’s that verification process that is our demonstration of the integrity of the resulting forensic image that we’ve taken.
Now let’s move on. Rather than sitting here and watching the forensic image create, let’s move on a little to when we’ve created the forensic image.
Now, when we’ve created the forensic image, is that the end of what we can do with FTK Imager? Well, no, it’s not, because what we can now do is, we can talk about the more advanced features of using FTK Imager. Because sometimes we’re faced with scenarios where — and we’ve talked about only taking some of the data.
Now, sometimes we’re working with, and we’ll use the example of a server. For example, it might be that we can only take certain data from that server. It might be that we can only take Daz’s profile and Sarah’s profile, and we can’t touch any of the other data that’s there. It may also be that we need to create a subset of data from an image that has been created before.
So if Daz has gone in and created that full physical image, it might be that the data that he created — the evidence file that he created — I might need to make a subsequent subset of data from that. And FTK Imager allows you to do this. Because one of the things that FTK Imager does is a really, really handy tool called Custom Content Images.
And Custom Content Images allows us to fulfill everything that we’ve just talked about, which is to create an image of a subset of data. I don’t want the whole logical drive. I don’t even want the whole physical drive. I just want some. And it also might be that I need to take a subset of data from an image that has already been taken by somebody else.
So how do we do it? Well, this is how we do it. First thing that we want to do is start off with a clean playing field. So when we go up, we can File, and we can remove any evidence items that we’re dealing with already, and what we’re going to do in this demo, if you will, is that we’re going to use a piece of evidence that’s already been created. But the principle is exactly the same as if we were previewing the evidence and adding the evidence item. The thought process is the same. What am I going to image? What am I going to take? What am I going to take and create in this subset of data?
So I’m going to go and add that evidence item again, but this time I’m going to use an image file, because remember FTK Imager allows us to use and review data that’s been imaged already. And I’m going to go out to my path, and I’m going to take my evidence files, and here they are. And I’m going to take my case that I wanted to use, and Finish.
So now I’m dealing with a piece of evidence that has previously been imaged, but it’s exactly the same process if I am previewing the evidence using Add Evidence Item, it’s exactly the same.
Now, when we go down here and we have a look in the Properties window that’s at the bottom left of FTK Imager. We’ve used the Properties window. The Properties window is really, really helpful because that’s when we can get that additional value from looking at the artifacts that are inside FTK Imager at the moment. So all of that additional information. We want to see more than just the date modified. We want to be able to see all of that additional information, things like the MFT record number, et cetera. The date that it was created, not just modified. All of that stuff is useful to us.
But what we also have on the other side is something called Custom Content Sources. And Custom Content Sources is where we can effectively create a shopping list. And what I mean by that is that we can go through the forensic image, or we can go through the evidence item that we are communicating with in FTK Imager, and use that as our way of creating a shopping list of the items that we want to create the image of.
So go back to the scenario of when Daz and I turn up at a business premises and we are only permitted to take certain pieces of data, then this is how we can do it. Now, if we go through the file system, what we’ll be able to see as we go through is that we can see — just as we would expect to see — the file system. When we go in and have a look at the users, this might be the place where we have to say, well, we only want certain ones, certain items, certain people. We don’t have the permission to take the whole device, nor do we have the capability to take the whole device, because it just might be that it’s a very, very large server with many, many user accounts on it.
So what we would like to do is just take specific pieces of data. That’s really easy and straightforward to do in FTK Imager. When we’ve chosen the item that we want with a right-click, what we’ll be able to say is add to custom content image. And when we click on that, what is going to happen is that our shopping list, if you will, is going to fill up. These are the items that I want to add to my resulting image. We can see the data that we want to take. So as I continue to add specific pieces of data, we are now filling up the list of the things that we want to take inside this.
Now you might think, or somebody might think, well, why don’t I just export the files? And arguably yes, you could. The issue that exporting files presents you with is — well, there are a number of them — but one of those, of course, is that when we export files, and when people give us files that are exported, what happens is that we can potentially lose things like relative file paths. So where did this file originate from? So if we want to go through that exercise of provenance in a file, we might need to be able to understand the full file path that that came from.
When we export a file, what we do is that we break that chain, because at the point of export is where we’re going to create that export chain from. But what about all of the file paths that exist above it? If we want to be able to do this provenance exercise, then those relative file paths are really, really important, and we don’t want to lose them, especially if we’re going to then take this data and bring it into another tool: FTK, Quin-C, or another forensic tool. Those relative file paths are really important.
Moreover, when we export files, what we do is that we take them out of the protection of the forensic environment, and by taking them out of that protected environment, what that can mean is that we run a number of risks. We run the risks of inadvertently modifying the data, inadvertently changing the data, and inadvertently taking that protection of, what if this data has got malware on it, or something like that? So let’s try to stay within this forensic environment as much as we possibly can.
By creating a custom content image, we can limit the amount of data that we want to take to a very focused subset of data. I only want to take certain pieces of data. I only want to take certain profiles. And in doing so, when I create that resulting forensic image, what will happen is that I am only taking the data that I want to take. I can be sure — and I can demonstrate to the people that restricted my access to this data — that I did not take the data that I was not permitted to take. And it allows me to walk away with a piece of evidence that retains things like those relative file paths.
So that’s a fantastic feature, but what about if we’re trying to deal with this in more of a triage sense of the word? What if the job that we need to do is identify a specific file type? What if we are looking for JPEG files, or PDF files, or any type of file? What if it is our job to take all of the PST files from a server regardless of the user profile? Because of the fact that we know that type of data, then what we can then do is then we can go and say, well, I only need one type. I have no particular issue as to where it’s located, but I do need to know that I want a particular file type.
Well, you can do that too in FTK Imager. So if Daz and I turn up and we need to take just the JPEG files, because we need to see if there’s something on there of a particular nature, FTK Imager allows us to do that using the same concept of custom content images.
If the objective is that we need to go into the whole case, the whole piece of evidence, and just remove certain file types, then rather than making a commitment to do them at this level here, let’s go right up to the top. And let’s say, where this partition is concerned, let’s take everything.
But let’s take this a little bit further. What we can do now is that, where we see the shopping list that we’ve added, we can click and edit. And when we click and edit, we’ve got a number of options, including: do we want just the directory where we right-clicked? Or do we want all of the subdirectories? Invariably, we do want the subdirectories. And as a consequence, that’s chosen by default.
But what we can also do is, we can take this and do something a little bit more advanced, because what we can do is that if we go to the very end, we go to the very end of the string, at the moment, what we have there is a wildcard that basically says, if it’s in that path, we want it. Anything. What we can do is we can change that to a specific file type. So I just want the JPEGs. And as a result of that, match all of the occurrences of the JPEGs, because that’s the only thing that I want to take out of this image or from this device.
And FTK Imager allows us to do that. So we can make decisions about this. We can also say, give me all of the data that contains the word ‘Daz.’ Give me all of the data that is a PST. We can focus in on the types of data that we want to image. When we do that, when we’ve made the decision about what we want to take, we can go ahead and create the forensic image.
And we go through the same process that we go through when we’re creating any other forensic image. The thing that’s different here is that because we’re making something quite unique, then our options to take the different types of evidence file are restricted to the AD1 forensic image format — AccessData, proprietary image format. We still verify, we can still add those overflow locations. All of those things are the same. And therefore we can create a forensic image, either from the original device all the time or taking a subset of data from an original forensic image.
So again, rather than sitting watching something image, let’s look at something that happens when we’ve created the forensic image.
So let’s go into another version of FTK Imager, exactly the same. And what we have here is we have our piece of evidence that we added just a moment ago into our other FTK Imager, our evidence file. But what we did here is that, when I followed exactly what I just did a moment ago and said, you know what? I just want the JPEGs. I only want to see the JPEGs in this case. When I add that evidence item when that process is finished, I can use FTK Imager or any forensic tool to be able to go and review that resulting data. Which means that now, when I go through, what we can certainly see here is that we haven’t lost the relative file paths of the evidence.
Even though we only specified that we wanted to take certain types of data, we restricted it to a JPEG, a bitmap, a PST, whatever it was that we wanted to take, or JPEGs and PSTs and PNGs and whatever. We have not lost those relative file paths, which means that when we’re reviewing the evidence later, we have still got the right context to the information that we’re looking at. And this is what is really important to us as forensic investigators.
But what we can see is that only the data that we asked for — only the type of data that we asked for — has been recovered and produced into this resulting evidence file. And this is a really great way of being able to isolate specific types of data for different review projects. And it might be that there’s data of a particular type that you don’t want or require a colleague to see or work with. And FTK Imager does all of that for you.
Daz, I’ll hand over to you to ask if there’s anything you want to add on that?
Daz: No, there isn’t anything. Well, the only thing that I would add on to content, custom content, is that it doesn’t just have to be a folder. That actually, you can put in specific files as well. Obviously, the example that Sarah has given there is, it’s kind of the user profiles. And that is a great example, because that’s the sort of scenario where you would use this sort of process. It would be that example that Sarah gave where you’ve gone to a company and they’ve said, right, you can only take this person, this person and this person.
But actually, if you’re going through and doing that triaging process as well, and you see, Oh, okay, actually I only want certain files, in the file list itself, you can just specify just certain files as well. It doesn’t have to be at a folder level. You can go in and specify certain things as well. Just really to expand on that more than anything, Sarah.
Sarah: Thanks, Daz.
Daz: That’s alright.
Sarah: So it would be lovely. It would be lovely to be able to tell you all of the features of Imager. It really would be. Because I’m a really massive fan of this tool and I’ve used it for many, many years. But there just isn’t enough time. So what I want to do is talk to you about some of the additional features quite quickly, actually, looking at the clock. But some of the additional features of the tool, because it’s, again, worth you knowing that they’re there.
The first thing that we can do is that, when we bring a piece of evidence into the lab, it might be that I have not created that forensic image. It might be that Daz is working on a case, but another colleague has created that forensic image for him. And as a consequence of that, we always want to be sure that, when we’re doing our forensic investigations, that we’re going through that verification process. At any time in FTK Imager — at any time at all — we can choose an item and verify the file integrity of that item. And that’s a really useful thing to know about.
The other thing that’s also really, really useful to know about is that, when we create a forensic image, what is created is a resulting text file. And that text file sits with the image. It carries the same name as the forensic image. And as we continue to verify evidence — so as this evidence goes on its travels from the server to the local machine, from the local machine to the archive, to the backup tape on wherever, and then when it comes back — every time we re-verify this piece of evidence, providing that text file is there with the evidence file, then these subsequent verifications will also be logged in that evidence, in that text file as well. So it’s a really useful thing for you to know about.
The other thing that we can also do is that, wherever we want to be, is that we can take a hash list. Imager allows us to take a hash list from any piece of evidence that we want to take. And this is really useful. We’re working on an investigation, we’re working away, and then suddenly a new piece of evidence comes in. And that new piece of evidence might be from the same suspect, but the suspect is suggesting that it has nothing to do with them. Hashing is a great way for us to be able to look at evidence and evidence objects that are the same within one or more devices. Is there the same evidence on this piece of evidence as there is on another piece of evidence? And hashing is a fantastic way of being able to do that.
And we use hashing all of the time in forensics. But if we want to take a piece of evidence and very quickly obtain a hash list of the data that exists on a device, then FTK Imager allows us to do that really, really quickly. Because we have the right click capability to just say: give me a hash list of the data that’s in this device, in this image. And then we can take that hash list and we can pull it into our forensic tools — FTK, or any of our other forensic tools — and to be able to then correlate those two pieces of evidence and determine if there is common evidence and common features to those pieces of evidence.
The final thing that I want to talk to you about, before Daz and I move on to questions, are two additional features that are really, really worth you knowing about. But a pause for a moment, just to remind you that what we are looking at at the moment is in the environment of Imager installed on the local machine, on the forensic workstation, and us looking at devices that have been connected to that machine: either a third party hard drive or a forensic image.
Let’s reverse that now and assume that we’ve taken FTK Imager on our USB device — and we go through all of these processes in our training classes — but when we take FTK Imager and we add it to that USB device, we can then take that USB device and we can plug it into the running workstation, with all of our appropriate note taking going on, and open up FTK Imager. And it will present itself exactly the same as you see on the screen.
Now, because of the fact that we are running it on a live device, we can now unlock some of the additional features that FTK Imager comes with. And the first is the guy up here, which allows you to take a memory capture of the live running machine. So if we are dealing with that incident response style investigation — we’re going into a location, the machine is running, we need to do a triage, we need to do a preview of the evidence, or even take a forensic image — we can also take a copy of the running memory as well, from the live running machine. FTK Imager allows us to do that with no problems whatsoever.
The other thing that Imager will allow us to do, is it will allow us to take, from the running machine, the registry files. Now the registry files might be very useful to us at this stage while the machine is running, because it might be those registry files that aid and support us with understanding things like user passwords and other information that we might need to know about, and understand before we make the decision as to whether we want to shut this machine down. And it’s better to sort of make that decision based upon as much information as we possibly can get.
Imager will allow us to take the registry files from the running machine so that we can then take those into our forensic tools and perhaps check that we don’t have any issues. We can have a look at the installed tools, et cetera, and make sure that we’re not missing something relating to encryption. Look at our registry files to see the recently opened devices. See if there’s anything suspicious in there, et cetera. Imager allows us to do that from the running machine.
Now I will talk all day about this, but I can’t, unfortunately. So what I need to do now is, Daz, I need to hand over to you and ask if there’ve been any questions that we’ve been asked, and perhaps we can answer those together.
Daz: Yeah, absolutely. There’s been some fantastic questions. So the first one, really, is: when you view the physical disk — so say you’re loading the physical disk into Imager like you showed at the beginning — are you modifying any of the, say, the modified, accessed or created timestamps? Now, I can answer that one if you want Sarah?
Sarah: Please, go ahead, yeah.
Daz: As long as that physical device is connected via write blocker, whether that be software or hardware write blocker — obviously more commonly recommended to use hardware write blockers, if possible — you’re not going to alter any of those date and timestamps. As long as that write blocker is used, you are hopefully going to get your pristine date and timestamps on that one.
Next one: can FTK Imager support Credant encryption by Dell? Because FTK proper — so, like, lab or normal FTK — will support that decryption side of things. Now, my understanding on this, Sarah, is that we can’t decrypt in Imager at all. We can’t do any decryption sort of things, but we can create that image and then use other forensic tools, whether that be something like FTK or other forensic tools out in the marketplace, or Quin-C, anything along those lines, to decrypt those files themselves. FTK will create that image and have them in there. It just can’t decrypt them.
Sarah: Yeah, absolutely. And this is the real benefit to be able to just preview the evidence first, because it might be that if you’re previewing evidence, especially in a live setting, then it might be that you can make those decisions about whether or not you want to make that step of shutting the machine down. The other thing, as well, is of course, if we’re dealing with a dead system, it might be that we can see the device, but we cannot see the evidence because it’s encrypted. It means that by looking at this in Imager, absolutely, as Daz says, we can’t do any of that in decryption in Imager, but what we can do is that we will have the foresight that that encryption is present. And then we can take those steps to be able to do that decryption as it follows on the forensic process.
Daz: The big question that we’ve been asked a few times, Sarah: where can I download FTK Imager?
Sarah: Aha! Good question. So you can download FTK Imager from the AccessData website. FTK Imager is a free tool, and by and large, it’s the most commonly used imaging tool around. Go ahead, go to AccessData.com. And if you go to product downloads, you’ll be able to access a copy of FTK Imager. You’ll have to fill in a quick form, just so that we know who’s got it and we can learn all about you and why you’re going to use it. And then you are absolutely free to use the tool and learn and use all of the wonderful features that are in there.
Daz: Okay. Next one we’ve got — I’m just keeping an eye on the time: FTK. Does it allow a dump of the RAM memory of a mobile device? Now it’s up to you, do you want to go, or shall I go?
Sarah: Yeah, you go ahead, Daz.
Daz: Okay. So, when it comes to memory capture, memory capture is only available — as Sarah mentioned when she went over that bit — it’s only available on the actual local device that FTK Imager is currently running on. FTK doesn’t image mobile phones, per se. So actually having the ability to get in that RAM capture, that memory capture from a mobile phone, probably not going to actually be available, because you probably won’t be able to get Imager onto a mobile phone. Depending on the settings on mobile phones, all that sort of stuff. Is it jailbroken or is it rooted? Potentially, you might have that ability, but it’s probably very rare that that would be able to happen.
Sarah: Thanks, Daz.
Daz: Not a problem. So, when you were doing custom content images and you showed us how to do the… say the .JPEG. Can you search for multiple… can you actually, sorry, create that shopping list of multiple file types, or can you only do it for one at a time?
Sarah: Good question. So the answer is you can do it for a multitude. You can either do it by using a semi-colon to say and this, and this and this, or you could do it quite specifically. And you could add a custom content image and just say this one, I just want JPEGs; this one, I just want PSTs. Or it might be that you say from the Daz profile, I just want the pictures and from the Sarah profile, I just want the documents. It’s absolutely up to you. It’s a very, very flexible way of taking specific file types from all different locations in the file system.
Daz: Great answer. Thank you, Sarah. Next question I’ve got: so sticking on, really, to that custom content side of life. Where has it gone? Few seconds, I just scrolled and it’s gone now. Well, let me find the next one then. So the next one… where has it gone? Sorry, sorry about this.
So, when you’re doing a live acquisition, what is the best practice to avoid modifying that disk? So not a live preview, but that actual acquisition side.
Sarah: Really good question. The first thing that you’ve got to think about is, you’ve got to think about your environment. You’ve got to think about what things that you’re working with. You’ve also got to think about the fact that you’ve got to do the best that you can, and you’ve got to ensure that, wherever you possibly can, we’ve got to demonstrate that we’re competent to be able to do this process. If you’re dealing with a live acquisition, it is the case, and it’s unavoidable that you, when you are going to do things like inserting a third-party USB device into the system, then you are going to affect some of the files on that system. There is nothing that we can do about that. But what we have to do is we have to demonstrate that we took all reasonable steps to prevent… or keep that to a minimized state.
So good practice will tell you that you need to follow a methodology that will limit the amount of changes that you’re going to make into a system by doing that. And it’s worth sort of putting a plan in place and testing that plan, and validating that plan, to demonstrate that you really have thought about all of the scenarios that might present themselves. Sometimes we just don’t know. But the answer to good practice is to test and to answer and to make sure that you’re comfortable and competent to do that. And that, to me, is the answer to good practice.
So Daz, maybe we’ll take one more question, because I’m looking and we’re very close to the top of the hour.
Daz: Absolutely. Just a really quick one on the custom content, as well. Can you collect them via user SID? Now I know you can, but is there a way that you can just show that really quickly, that you can filter by owner?
Sarah: Yes. So you can. So basically when you create the forensic image, so right click and… let’s do… What you will be able to see is that you can, when you… if you are dealing in an NTFS based system, then what you will be able to do is, when you create your forensic image, one of the last boxes that you will see is that you will see: do you want to filter by owner? And you can do that. And then what it will be able to do is, you can determine in your custom content images, whether… let me see if I can show you that.
So unfortunately I can’t show it to you, but it will allow you to be able to filter by owner. So it’s absolutely right. And if it is demonstrating in the file system, then it will be able to allow you to say: just by this file owner, and just by that file owner. And it is going to use the SID to do that. So, yeah. It, it will allow you to do that.
Daz: Okay. On that one, Sarah, just last question, really. So somebody who’s asked, obviously there’s a lot more to go through on FTK, and they’ve said thank you for the seminar, but obviously they can tell there’s a lot more to go through. How do they get more training on FTK?
Sarah: So, good question. And one of the things that we’ve been doing at AccessData is a lot of development around our training. And previously, we know that the technician’s role in forensics is a really important one. And for the most part it’s, you know, like we said right at the beginning of this webinar, it’s one of the most volatile stages.
Previously, what we found was that the training for Imager was embedded inside other training courses. So we’ve made a significant change to that. And what we now have is an entirely focused technicians’ training. And that technicians’ training is focused specifically around forensic imaging and the use of FTK Imager, and actually also carries a certification at the end of that as well. So our forensic technicians’ certification is a demonstration of competency of using the FTK Imager tool in that role of the technician as well. So that’s something I would definitely encourage you to go and have a look at. And you can see all of that information on training.accessdata.com.
And what I will do now is that, Holli, I’ll hand back to you. But what I will do is, I’ll say thank you for everybody’s attention today. I really hope that we’ve given you a small insight into the use of FTK Imager. Daz and I could really talk all day about all of this, and we love to do so as well, I’m sure that you can tell. The benefit to you, of course, is that you can go and play with this tool and you can go and get used to it. And for those of us who’ve been using it a long time, maybe we’ve given you some insight into using it in slightly different ways. But thank you so much for the time that you’ve spent with us this afternoon. Daz?
Daz: No, yeah, thanks. Thank you everyone. And like I say, there is a lot more that we can do with Imager, and like Sarah says, we could do this for hours. And we do that. That’s our job. And so yeah, if you do want more on it, please, please check out the website. And we’ll be more than happy to get you loaded onto a training course, because there is a lot more that we can do with this training side of things. So, but thank you for everyone’s attention. Thank you for some great questions. Sorry we couldn’t answer them all. But yeah, thank you.
Sarah: Okay, Holli, we’ll hand back to you.
Holli: All right. Thank you. If we did not get to your question we will contact you after the webinar to make sure we answer that. And then when we close out the webinar, there will be a short survey, if you could answer that and let us know how we did today, and provide any suggestions for future webinars, we would appreciate that. So thank you very much Daz and Sarah for your time today. And thank you everyone who joined us. This concludes today’s webinar. Thank you and have a good day.
Sarah: Thank you.