Forensic Blogs

An aggregator for digital forensics blogs

October 19, 2018 by LCDI

FTK Tool Evaluation Update

Introduction

In our tool eval team, we are researching and evaluating AccessData’s Forensic Toolkit (FTK). This program advertises itself as an all-encompassing tool for extracting, analyzing, and compiling digital evidence into a readable format that is acceptable for use in a court of law. Our primary goal is to understand FTK in every aspect possible, with preference given to the searching and efficiency aspects of its use.

Current Progress

Over the past month, we spent a significant amount of time familiarizing ourselves with online FTK manuals and tutorials. We felt it was important to understand exactly which functions and features would help digital investigators the most before trying to run data through FTK’s systems. When we felt we were proficient in our knowledge, we set up our virtual machine with support from the LCDI helpdesk.

More recently, we have been participating in a multi-team effort to generate test data. To do this, we recreated digital footprints of a professor killing another for tenure. We knew that we had to make our test data as realistic as possible, so we threw searches of jazz musicians and golf tournaments into our fictional professor’s data stream. We plan to sift through the test data in Forensic ToolKit to discern how reliable the program is at catching criminal data in a stream of normal internet browsing.

We have been documenting our shift-to-shift progress on a website with updates in a shorter bullet-point format. Along with the website, we have created and started maintaining our Twitter handle, @FTKToolEvalLCDI. We have also been researching any and all aspects of FTK that remain beyond the scope of our knowledge. This is a rather time-consuming process, made much more difficult by the lack of guides and videos online. Regardless, we appear to be on track for a timely end to this project.

Conclusion

We have already accomplished a lot, but still have a long way to go. Once we get our data gen back, we can begin benchmark tests and report with more hard data. Getting everything set up on the virtual machine was a small hurdle that we overcame. We are eager to continue our progress and report back with more concrete data on FTK.

After we complete our research, we plan to compare statistics of multiple digital forensic programs, such as EnCase and Autopsy, to FTK. Our hope is to provide an accurate comparison of digital forensic tools so digital investigators all over the world can have accurate knowledge and preparation in their own ventures.


To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post FTK Tool Evaluation Update appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation.

October 24, 2017 by LCDI

VMWare Analysis Update 1

Introduction

The VMWare Analysis team is researching the differences between a Windows 7 physical machine and a Windows 7 virtual machine (VM), as well as the differences between a Windows 10 physical machine and VM. The end goal for this project is a four-way comparison between both operating system versions and their respective VMs.

VMWare/Physical Machines Used

Three VMs have been set up for this project: a Windows 7 VM, a Windows 10 VM, and a SANS SIFT VM running Ubuntu. SANS SIFT is a free VM built by SANS DFIR (Digital Forensics and Incident Response). It ships with a variety of digital forensics tools, such as Volatility and Bulk Extractor. This VM is being used for memory forensics analysis of the four machines. The VMWare Analysis team is going to be extracting, analyzing, and comparing Windows artifacts. These include Prefetch files, LNK files, Jump Lists, and Windows memory.

Progress

Thus far, the team has completed data generation and analysis of the Windows 7 physical machine and the Windows 7 VM. Both machines used the same data generation process to keep the results consistent. There are a few specific things we analyze for the comparisons. One is network information within the registry. Another is what changes VMware Tools makes to the virtual machine. The last is general information on artifacts: where the system stores them and what information they reveal about the system.

VMWare

The team was having trouble generating Prefetch data for Notepad, Notepad++, and Adobe Reader. After a few minutes of troubleshooting, the team discovered that the Prefetch folder only holds up to 168 “.pf” files at one time. The folder had reached capacity and could not fit files for those applications, so their Prefetch artifacts were never written.

Conclusion

So far, the only identified difference between the VM and the physical machine is in the Prefetch files. The Windows 7 physical machine had 140 Prefetch files, while the VM only had 114. The VM image also contained a Prefetch file for VMware Tools (VMTOOLSD.EXE-CD82EC13.pf); the physical machine did not.
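The listing comparison described above, written out as an added Python example that is not part of the LCDI post: it parses Prefetch filenames into executable name and path hash, reports which executables appear only in one image, and flags a folder that has hit the capacity the post cites. The two directory listings and every hash other than VMTOOLSD.EXE-CD82EC13 are constructed sample data; the 168-file limit is taken from the post as a parameter.

```python
import re

# Windows Prefetch files are named <EXECUTABLE>-<8 hex digit path hash>.pf,
# e.g. VMTOOLSD.EXE-CD82EC13.pf (the file quoted in the post).
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

# Capacity of the Prefetch folder as reported in the post (parameter, not measured here).
PF_CAPACITY = 168

# Constructed sample listings; only VMTOOLSD.EXE-CD82EC13.pf comes from the post.
PHYSICAL_LISTING = ["NOTEPAD.EXE-D8414F97.pf", "EXPLORER.EXE-A840F5F2.pf",
                    "CALC.EXE-1234ABCD.pf", "Layout.ini"]
VM_LISTING = ["EXPLORER.EXE-A840F5F2.pf", "VMTOOLSD.EXE-CD82EC13.pf",
              "CALC.EXE-1234ABCD.pf", "Layout.ini"]


def parse_pf_name(name):
    """Return (EXECUTABLE, HASH) for a Prefetch filename, or None for other files
    (Layout.ini and the AgGl*.db files also live in the Prefetch folder)."""
    m = PF_NAME.match(name)
    if not m:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def compare_prefetch(physical, vm, capacity=PF_CAPACITY):
    """Compare two Prefetch directory listings (lists of filenames).

    Executables are matched on (name, path hash); the same program launched
    from a different path gets a different hash and is treated as distinct.
    A listing at capacity explains missing artifacts: Windows stops writing
    new .pf files rather than evicting old ones, as the post observed."""
    phys = {p for p in map(parse_pf_name, physical) if p}
    virt = {p for p in map(parse_pf_name, vm) if p}
    return {
        "physical_count": len(phys),
        "vm_count": len(virt),
        "only_physical": sorted(exe for exe, _ in phys - virt),
        "only_vm": sorted(exe for exe, _ in virt - phys),
        "physical_at_capacity": len(phys) >= capacity,
        "vm_at_capacity": len(virt) >= capacity,
    }


if __name__ == "__main__":
    for key, value in compare_prefetch(PHYSICAL_LISTING, VM_LISTING).items():
        print(f"{key}: {value}")
```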

VMWare

In the upcoming weeks, the VMware analysis team is planning to start on the Windows 10 physical machine and VM. Once we complete data generation and analysis, we’ll start comparing differences between the virtual machine and the physical machine. We’ll also compare Windows 10 and Windows 7.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post VMWare Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation.
