Unit 7: Windows Forensics Analysis 7.1 Windows Forensics Analysis Forensic Analysis Tools for Wi...

>> Well-known forensic analysis tools commonly support the various file systems used in Linux/UNIX, Windows, and Mac systems.

The Sleuth Kit and Autopsy, the open-source forensic analysis tools we used for Linux/UNIX forensic analysis, can also be used to analyze Windows images.

Commercial tools such as EnCase, FTK, OSForensics, ProDiscover, and Forensic Explorer support more features for analyzing Windows artifacts.

OSForensics provides a 30-day trial.

FTK had demo versions of FTK 1.8 and the Registry Viewer that allowed you to work with small images of fewer than 5,000 files.

However, FTK does not support the demo versions anymore.

Although the demo versions of FTK and the Registry Viewer are still available on untrusted websites, you use them at your own risk.

In this unit's lecture and demonstrations, I will go through some basic analysis features of both FTK and EnCase Forensic.

I encourage you to try the similar features in open-source or trial versions of forensic analysis tools.

As we discussed earlier, you always start by creating a new case, then add evidence items to the case and analyze them to find clues.

Finally, you complete your report.

Forensic analysis tools commonly include the following features: deleted file recovery including data carving, MAC time analysis, index and live search, e-mail analysis, hash analysis, graphics view, Internet and website analysis, registry analysis, and Recycle Bin, shortcut, and other Windows artifact analysis.


FTK is easy to use.

When you create a case and load evidence items, by default FTK preprocesses the evidence to categorize files by type, such as documents, graphics, e-mails, executables, Internet files, slack space, et cetera, and also by file status, which can alert investigators to problem files such as bad extensions, data carved files, deleted files and e-mails, and hash alerts.

For example, FTK will perform a file signature analysis to compare the file extension with its signature.

If they do not match, the file will be put in the Bad Extension group.

Once the case is created, all the files and directories are grouped into different categories for analysis.

The Overview tab provides a general view of a case and lets you narrow your search to specific document types or to items by status or file extension.

By contrast, EnCase Forensic does not preprocess evidence.

Investigators use the EnCase Evidence Processor during the investigation to explicitly perform processing actions such as signature analysis, hash analysis, Internet artifact search, et cetera.

Both FTK and EnCase Forensic automatically recover deleted files and display both active and deleted files along with their metadata.


EnCase uses a tree-table view: files are listed in the tree view in the top-left pane, and metadata, including file name and path, file size, extension, MAC times, hash values, and deletion time for recovered deleted files, is shown in the table view in the top-right pane.

When you click on a file, its content is displayed in the view pane at the bottom.

FTK uses the Explore tab to let you view files, metadata, and content.

FTK's Graphics tab and EnCase Forensic's Gallery view tab provide a quick and easy way to view images stored on the subject media.

The shown images include both purposely stored images and images inadvertently downloaded from the web.

Please be aware that the display is based on file extension, which means that if a picture is renamed to .txt and a signature analysis has not yet been performed, this picture will not be shown in EnCase's Gallery view, since EnCase does not preprocess evidence.

Therefore, investigators should always perform signature analysis before graphics analysis.

Both EnCase and FTK support keyword search.

The live search approach, also known as raw search, involves an item-by-item comparison with the search term.

The search term can be expressed as a regular expression for pattern matching.

Obviously, this process is powerful but time-consuming.

To perform an index search, on the other hand, the evidence must be indexed first.

FTK includes indexing in its preprocessing list by default.


If you use EnCase, you perform indexing through EnCase's Evidence Processor.

Since the indexing process takes time for large pieces of evidence, some investigators prefer to perform it only when they need it.

Once your evidence index is generated, index search allows fast searching based on keywords.

Both live and index searches include allocated and unallocated space.

Index search is faster, but live search is more flexible because it can find patterns of alphanumeric characters.

The bookmark feature is supported by most forensic analysis tools to bookmark supporting evidence.

It helps investigators organize data for writing a report.

To create a bookmark of a file, a picture, or a portion of its content, simply highlight and then right-click the content you are interested in, then choose Create Bookmark.

Many forensic analysis tools also support generating reports.

The report wizard GUI will guide you through the steps to include various information and the supporting data.

These software-generated reports can be a starting point for your final forensic report.
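The lecture above describes file signature analysis (FTK's Bad Extension group, EnCase's signature analysis step) and hash analysis. The script below is an added example, not code from the course or from either product: it compares each file's header bytes against a small signature table, assigns the same three statuses the lecture names (match, bad extension, unknown) and records MD5/SHA-1 for hash analysis. The signature table and the sample files are constructed for the example; the renamed GIF is exactly the case the lecture warns will be missed by an extension-only gallery view.

```python
"""File signature analysis: compare a file's header (magic bytes) with its
extension, the check FTK runs at preprocessing time and EnCase runs from
its Evidence Processor.

Added example, not code from the course or from either product. The
signature table covers a handful of common types; the sample files are
constructed in memory so the script runs offline.
"""
import hashlib
import os

# (description, offset of magic within the file, magic bytes, legitimate extensions)
SIGNATURES = [
    ("JPEG image", 0, b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    ("GIF image", 0, b"GIF8", {".gif"}),
    ("PNG image", 0, b"\x89PNG\r\n\x1a\n", {".png"}),
    ("PDF document", 0, b"%PDF-", {".pdf"}),
    ("ZIP container (also DOCX/XLSX/PPTX)", 0, b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx"}),
    ("Windows PE executable", 0, b"MZ", {".exe", ".dll", ".sys"}),
    ("EMF metafile", 40, b" EMF", {".emf"}),   # EMR_HEADER signature sits at offset 40
]


def identify(data: bytes):
    """Return (description, accepted extensions) of the first matching
    signature, or None when no known header is present."""
    for desc, offset, magic, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return desc, exts
    return None


def classify(filename: str, data: bytes) -> str:
    """Mirror the status groups a tool like FTK assigns:
    'match'          header and extension agree
    'bad extension'  header is known but the extension belongs to another type
    'unknown'        no signature in the table (the extension is all we have)"""
    ext = os.path.splitext(filename)[1].lower()
    hit = identify(data)
    if hit is None:
        return "unknown"
    _, exts = hit
    return "match" if ext in exts else "bad extension"


def analyze(files: dict) -> dict:
    """Group files by status and record MD5/SHA-1 for hash analysis."""
    report = {"match": [], "bad extension": [], "unknown": []}
    for name, data in files.items():
        hit = identify(data)
        report[classify(name, data)].append({
            "name": name,
            "detected": hit[0] if hit else None,
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
        })
    return report


# Constructed sample evidence. notes.txt is a GIF renamed to .txt, the case
# the lecture warns about for the Gallery view.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n",
    "holiday.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "notes.txt": b"GIF89a\x10\x00\x10\x00\x80\x00\x00",
    "readme.txt": b"plain text, no magic bytes here\n",
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
}

if __name__ == "__main__":
    for status, items in analyze(SAMPLE_FILES).items():
        print(f"[{status}]")
        for item in items:
            print(f"  {item['name']:<14} {item['detected'] or '-':<40} md5={item['md5']}")
```

Because the table is checked before the extension is ever consulted, the renamed picture lands in the bad extension group, which is why the lecture tells you to run signature analysis before the graphics review rather than after it.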

 

EnCase Forensic Demo 1

>> Talking about forensic analysis tools, you cannot miss out on EnCase Forensic.

It is one of the earliest and most sophisticated forensic analysis tools on the market.

I have shown you how to use EnCase to analyze file systems and disk usage.

But today I want to start from the beginning and create a case.

And show you some basic functions which EnCase supports.

Now, unfortunately, EnCase has never had any demo version or any free version.

But the license is not that expensive.

And I believe it is between 3,000 and 4,000 per license.

So let me open up EnCase Forensic.

Depending on your memory, it may take a while.

Because my machine is Windows.

It's 32-bit.

So once it opens up, the first thing you need to look at is the top-left corner.

In the top corner it says EnCase Forensic Training.

That means you have the license.

Because for this one, I have a license; it connects to the dongle, connects to the license server.

If you do not have a license, once you open it up, it will say EnCase Forensic Acquisition.

Because acquisition is free.

Let's look at EnCase's main interface here.

Now, if you have created a case, you can open the case.

Use Open.

And it also lists some recent cases here, just to provide you an easier way of getting to them.

Certainly, you can go through the Open tool and see this case as well.

If you want to create a new case, then you click on New Case.

It supports several templates with very subtle differences.

In this case we'll just use the default, Basic.

And then we create a new case and provide a name.

Let's say EdX test, okay.

And then here, pretty much you can use the default.

It tells you where the case will be located.

All the information will be in a folder saved under the user's root, because our username is student, because I logged in as student.

And in Documents, EnCase, in a Cases folder.


So you will see the case folder is EdX test.

And then the other thing is the cache information.

And if you want to browse it, it's fine, you can browse it.

And then the backup, just use the default, all right.

You click okay.

It says, allow backup location and the base case folder on the same drive.

Because sometimes we would prefer to have the backup location on another drive.

So in case one drive crashes or has an issue, it will not affect the backup.

In this case it's on the same drive; I said okay.

And, again, the backup location is the cache.

It's on the same drive.

You can say okay.

But it is preferable to put it on another partition.

It's done.

Actually, now the case is created.

I want you to compare this case creation with FTK later.

Because I will show you FTK in another demo video.

FTK normally does lots of things during case creation.

So it takes a long time to create a case.

But EnCase doesn't do much.

So the case is created immediately.

We haven't even added evidence yet.

Now, we have an empty case right now.

The first thing we need to do is add evidence, okay.


So you have various choices to add different types of evidence.

You can add a local device.

And then you might use FastBloc.

We talked about that software, right, FastBloc.

And then it lets you choose which one; this is the whole drive.

Now, this is the C drive. The whole drive, including all the partitions and then the master boot record.

And then here is only the C drive.

And here is the A drive. Now, if you notice, the blue triangle here.

This means currently we're not acquiring.

It's just previewing.

Previewing, okay.

In this case, okay, I'm going back.

I'm not doing anything with that.

Okay, so Add Evidence File.

Add Evidence File, you can see it allows you to add E01, EX01.

Those are the EnCase evidence image formats.

.001.

When we created an image with FTK Imager, remember, by default it created a .001.

And also VMDK.

And an L01, that's the EnCase logical volume.

So you can add those types of images through this button.

So here I have one EnCase image.

So I just say Open.

Now, it's done.

So you have a case.

And then you have evidence.

Anything in EnCase, if it is bluish in color, that's a link you can click on.

So if you click on that, this image, you can start analysis now.


All right.

Let me go back again.

Let's say, if I want to add one more piece of evidence.

Currently, I added one piece of evidence, right?

If I want to add one more, I really need to go back to the first main interface.

I can add anything here.

Okay, so this is the one: once you are already inside, you can add evidence.

But when you choose Add Evidence, you see the same list here.

You see the same list.

Earlier we talked about Add Local Device.

And I said I picked Add Evidence.

There are a couple of other things I haven't talked about here.

You can add a raw image.

And a raw image means a dd image.

And you can acquire a smartphone.

Or, if you have a machine connected with a crossover cable, you can even preview or later acquire the crossover machine.

That machine uses the crossover cable.

So let's add one more.

So now you say Add Raw Image, okay.

And then in this case, here in the name, you right-click and choose New.

This is my desktop.

And I do have a dd image.

Now for a dd image, you can name it .dd.

Name it .image.

Or whatever you like to call it.

Just a meaningful one.

In this case I called it .image, okay.

Because that extension does not really matter.

But for EnCase or other image formats, the extension really is meaningful.

It's a meaningful extension.

But in this case I said, okay, this is just a dd, a raw dd image.

And I open it.

So now it's included here.

You can add multiple images here.

But now I only added one.

I said okay.

So now, if you look at that, I have two images now.

One is the EnCase image I added.

And one is the raw image I added.


To get into either one, because this is a blue link.

You can click on any one.

If you click on the disk image, then you go into the dd image.

And then if there is a green arrow, you can always go back, okay.

Or you can click Home.

Then it will go to the home page, okay.

So because last time I always stopped here.

Remember, we could add an image, then we went into it.

Now from the home page, you can even go into the previous one.

If you go into the tab here, that's Evidence.

What if, on this page, I want to look into another piece of evidence?

So I go to Home.

And I say Evidence.

So now I come into this, the all-evidence page again.

So I can choose to look into the EnCase image now, okay.

So the case is created and the images have been added.

We are on this pane now.

We can move on to the analysis phase.

This time let me just quickly go through a couple of things.

There are lots of rich functionalities I may not cover.

But, if you get a chance to use it later on, they have a very, very detailed user guide for EnCase Forensic.

Step by step with screenshots to help you go through it.

So roughly, if we look at that, I'm on the Evidence tab right now.

On the left side, in the top-left corner, that is the tree view of the files in this image, okay.

And, if I click on anything, then, so currently I am on Entry.

If you're currently on the entry, it will always show you what's beneath it.

So beneath that is the MD5 image.

So you see now on the right-hand side, there are three views in the table view.

It says, okay, show this is the Lab5 image.

If I do a green select, this chooses what I see in this table.

So now, if I select this one, green select the Lab5 image, it will show me all the directories and subdirectories in this table view.

In this table view.

And if I change it to say only look at SMITH, PSMITH.

Then it only shows the content laid out flat, to show you everything in this folder.

Okay, in this folder.

All right.

Now, what kind of information is in the table columns?

You will see the name.

Extension.

And logical size.

The category.

Now, those are the other pieces of information.

Say signature analysis means, if you analyze the file, whether it is consistent with the extension or not.


Because currently the extension means, yeah, if you say it's a .GIF file.

Then I just say it's a .GIF file.

After you're done with the signature analysis, it will tell you whether the extension matches my analysis of your header or footer information.

So this is signature analysis, okay.

File type.

And whether it's protected or not.

And timestamps.

Is it a picture or not.

MD5 and SHA by default have not been created yet.

So for EnCase, the process is what you want EnCase to do.

You have to expressly tell it to create hashes.

Then it will create the list here, okay.

And, again, not all files have a hash; a directory does not have a hash.

Only files have a hash.

And then, only the file content, right, has a hash.

If the file is deleted and it cannot locate the content, then it cannot have a hash either.

And descriptions.

There is lots and lots more information.

When is this information from?

Where was this image acquired?

So there is the physical location.

Whether it's deleted or not.

All information is listed in these table columns.

Now, you can select, you can choose whether you want a column or not.

And you basically can choose to show only a couple of columns instead of that many.

This is the basic interpretation, okay, for each file.

There's a timeline.

The timeline is the MAC timeline.

Now, if you look into that, this is, if you double-click into it.

Okay, those are all the timelines.

Now you are kind of defining it to tell, now you're looking into which day?

What time?

Here you see that information.

So those are the timelines.

It's a graphic view, in graphic view, all right.

Now, if you click even further, then you see the day, time, and seconds.

You will see, oh, so many files actually have activity in this period of time, all right.

So that's the timeline information.

And then you can look at the legend to find out what the green means.

And what the different colors mean.

So this is the timeline information gathered here.

By the way, if I click here, you can see the tree on the left side actually changed as well, okay.

It matches it.

Now, I'm not sure whether I have pictures here.

Oh, yeah, I do.

So this means all the pictures get reviewed at the selected place.

I selected PSMITH.

And all the pictures show up here.

It's full, so conveniently you see all the pictures.

If this is a child pornography case and you want to identify some indecent pictures, everything is located here.

And you can highlight that and then check it.

So later for bookmarking and for other information.

If this picture caught your attention, you want to make notes on that, okay.

Let's go back to, so those are the three panes here.

And on the bottom there are other things, okay.

So if you click on each file, let's go back to the table, okay.

Click on any file.

And then, on the bottom.

So this one, I clicked this .GIF file.

And then on the bottom this tells you what the metadata information is here, okay.

And a lot of information shows up in the table as well.

And you can see the report.

Talking about this file information.

And in Hex view, in Hex view.

In Doc view, if this is a document, okay.

And Transcript is for PDF, okay.

And if this is a picture, the Picture view.

All that information is located in the bottom pane.

All right, so we haven't done lots of other stuff yet.

I will stop here.

So this is just the introduction to understanding how you create a case.

And then add an image.

Add evidence into it.

In the next video I will show you more detail about analysis.
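Demo 1 above walks through the table view's MAC timestamp columns and the Timeline tab that drills from day to hour. The script below is an added example, not code from the course, from EnCase or from The Sleuth Kit: it builds the same timeline from file metadata the way The Sleuth Kit's mactime does, collapsing each file's four timestamps into chronological events tagged with `macb` flags, bucketing activity per hour, and answering the question the graphic view raises (which files were touched in a given window). The file records are constructed; the body-file layout it emits is the TSK 3.x format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).

```python
"""MAC timeline construction, the view EnCase shows on its Timeline tab and
The Sleuth Kit produces with fls and mactime.

Added example, not code from the course or from either tool. The file
records are constructed; timestamps are UTC.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed file metadata: name -> (modified, accessed, changed, born),
# the four MAC(B) columns a forensic table view lists per file.
SAMPLE_RECORDS = {
    "PSMITH/confidential.docx": ("2009-03-04T09:12:07", "2009-03-04T16:41:55",
                                 "2009-03-04T09:12:07", "2009-03-03T08:00:13"),
    "PSMITH/holiday.gif":       ("2009-03-02T19:05:00", "2009-03-04T16:41:55",
                                 "2009-03-02T19:05:00", "2009-03-02T19:05:00"),
    "RECYCLER/INFO2":           ("2009-03-04T16:42:03", "2009-03-04T16:42:03",
                                 "2009-03-04T16:42:03", "2009-03-01T10:00:00"),
    "WINDOWS/system32/spool/PRINTERS/00012.SPL":
                                ("2009-03-04T16:40:10", "2009-03-04T16:40:10",
                                 "2009-03-04T16:40:12", "2009-03-04T16:40:10"),
}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def build_timeline(records):
    """Collapse the four timestamps of every file into one event per distinct
    time, tagged mactime-style: m=modified, a=accessed, c=changed, b=born,
    '.' for a slot not set at that time. Returns events sorted by time."""
    events = defaultdict(set)            # (time, name) -> set of flag letters
    for name, (m, a, c, b) in records.items():
        for flag, ts in zip("macb", (m, a, c, b)):
            events[(parse_ts(ts), name)].add(flag)
    timeline = []
    for (ts, name), flags in events.items():
        macb = "".join(f if f in flags else "." for f in "macb")
        timeline.append((ts, macb, name))
    timeline.sort()
    return timeline


def activity_by_hour(timeline):
    """Events per hour bucket: the numbers behind the bars a graphic
    timeline draws when you drill from a day into its hours."""
    return Counter(ts.strftime("%Y-%m-%d %H:00") for ts, _, _ in timeline)


def files_active_between(timeline, start: str, end: str):
    """Files with any MACB event in [start, end), the follow-up question
    once a spike in the timeline catches your attention."""
    s, e = parse_ts(start), parse_ts(end)
    return sorted({name for ts, _, name in timeline if s <= ts < e})


def to_body_file(records, md5="0"):
    """Emit TSK 3.x body lines so the same data can be handed to mactime."""
    lines = []
    for inode, (name, (m, a, c, b)) in enumerate(records.items(), start=1):
        epoch = [int(parse_ts(t).timestamp()) for t in (a, m, c, b)]
        lines.append(f"{md5}|{name}|{inode}|r/rrwxrwxrwx|0|0|0|" + "|".join(map(str, epoch)))
    return lines


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_RECORDS)
    for ts, macb, name in tl:
        print(ts.strftime("%Y-%m-%d %H:%M:%S"), macb, name)
    print(activity_by_hour(tl))
    print(files_active_between(tl, "2009-03-04T16:00:00", "2009-03-04T17:00:00"))
```

In the constructed data the 16:00 hour on 2009-03-04 carries five events: the spool file is written and then changed, two user files are read, and INFO2 is updated, the sequence you would expect around a print-then-delete, which is why the hour bucket and the per-file `macb` flags are read together rather than either alone.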

 

EnCase Forensic Demo 2

>> In EnCase Forensic Demo 1, I showed you how to create a new case, and we called the new case EdX test.

And I also added two evidence files into that new case.

Now when I open EnCase again, you should see EdX test.

That case is under Recent Cases now.
 

All right.


Let me choose one -- the Case One I created earlier.

Let me click on that.

From this interface, you can look into many things.

You can add more evidence into it.

You can process evidence, which I will cover shortly, as EnCase -- to perform a lot more actions.

And in Evidence, it will show you the evidence I added.

So I added three evidence files in this case.

If I click any of the Evidence, it will bring me to that view, with the tree view and then the table view, a gallery view, and then all the individual interpretations.


All right.


So first, analysis, and how about deleted files?

EnCase actually will automatically recover deleted files in a deleted folder and include them all together in this tree view, including the Recycled folder.

All right.

There is the Recycled folder.

It has included the files in it as recovered files.

So if you look at the Recycle Bin here, you can see those are the recycled folder and the files.

And then the INFO2 file.

Now, I told you, I said the INFO2 file is a binary file.

In another demo, I showed you how to use IE history view to interpret INFO2, or use Rifiuti to interpret that.

But if you don't believe me, you can use Text to find out.

See, it's not much -- it is not really readable in this binary file.


Now I also want to show you the print file.

So I have one print file here, a SPOOL file.

Okay.

I covered in the lecture that if you print a file, there are two files for one print job: you have a shadow file associated with it and then the spool file associated with it.

The shadow file contains metadata about this print job, the jobs in the past, and all that.

The SPOOL file, in the common case, is an EMF picture.

That's why it's called Picture, you see.

The printed page is saved as a picture.

So how do you find out what the picture looks like, right?

And there are a couple of ways you can do it.

One way is to really manually carve it out.

Okay, so if you look at the Hex view -- now by the way, you needn't know that, because later I will tell you an easier way to carve this out.

But just for curiosity, okay, for any of those EMF files, if you look at the Hex view, you identify the EMF keyword and then highlight 41 bytes -- okay.

So here you see you've identified this EMF keyword, and you start one right before EMF and you highlight 41.

So less 41, you see it here.

Okay.

And then you decode it -- decode it as a picture.

So this is basically the page you want to print.

Now, obviously in this case, it's a confidential project.

That information is crucial, because people deleted -- when a person prints that, this file is created; certainly when the printing job is done, the .SPL and the shadow file will be deleted.

What if you can recover that?

Right.

So that is the print information you can retrieve.

But without using this manual method, how can you do that, to recover it?

You can use data carving.

We talked about data carving, and then in the Linux/Unix case, we talked about using foremost to do data carving.

And certainly you can use foremost here as well, because it doesn't matter which file system.

It only looks at -- allocates a space to look into the header for the information.

But EnCase certainly has a data carving feature built into it.

So that's fun.


And other things, for example, we talked about the registry file.

Let me locate one, so for example in PSMITH.

And now I need to find -- the big issue here is there are so many files, I am not able to easily find which file based on name.

And one thing I always do is click on the Name -- see, my cursor clicks on the Name, and I quickly type -- okay, hopefully it will bring me there.

Sometimes it does.

So it's NTUSER.DAT, right?

NT.

So I just typed NT.

Actually it brought me here.

So NTUSER.DAT.

Now my favorite tool to analyze registry files is AccessData's Registry Viewer, because, if you watched the demo I showed you in the registry -- last week's demos, then you probably loved seeing that.

But in here, EnCase, now everything, if it's blue, then you can click on that.

Because this is a registry file.

Okay.

If you click on that, it will create -- it will generate the directory structure for you.

And then this is the key structure, key and value structure -- NTUSER.DAT.

And then you can click through each one to analyze it.

So now you can, just like the tree view, okay?

It's not as convenient as AccessData's interpretation, but it's also very useful.

This is similar; you are looking through a registry file -- the tree structure, getting into it.

Okay?

All right.

So now let's go back to the original evidence.

Okay, again, if this is a green arrow, then you can click previous page and next page, you know, all of that.

All right.


So we have talked about many actions.

But I said that for those actions in EnCase, you -- as investigator you have to explicitly tell EnCase to do them, to perform those actions.

Those actions are included in this Process Evidence.

So it takes a while to bring it up.

Okay.

So now once this is up -- because here I have all three images.

So I need to choose -- select which image I want to process.

And now by the way you have seen here Acquire.

Like for example, for this device, okay, for my overview, my current Windows, this is the zero one; that one you can acquire also.

But I don't want to acquire, because it takes a long time, right?

If you want acquisition, you can do that.

Because if you are in preview mode and then you change to acquisition, then you own this image instead of previewing it.


All right, going back here, to Process.

There are many processes here.

Recover Folders -- it will do that.

So recover, to read the folders.

If there is a dot here, it means it won't do it anyway, no matter what you -- it is required.

File signature analysis -- this step reads each file's header.

If there's a footer, then also the footer.

The header, look at the header information to match the extension.

Because if it's JPEG, JPEG has a specific header.

If this is a DOCX, then a document, then you have a specific document header.

So analyze the header versus the given extension.

Because extensions can cheat.

You can modify an extension easily.

If they match, then it says match.

If it doesn't match, it tells you actually this is this type of file instead of what the extension told you.

Don't trust the extension.

So this is file signature analysis.

And thumbnail creation -- so it will create thumbnails.

Hash analysis -- it will generate hashes.

Expand compound files -- for example, a file and all the information inside it.


And find email -- what type of email you want to recover, and do you want to search lost or deleted.

So that information.

Search for keywords -- this is a raw search, because, as we talked about, there are two types of search.

One is based on an index, which you have to generate first and then search.

This one is a search based on regular expressions.

So this is a raw search.

You can add a keyword list, and you can right-click, New, and add the keywords into it.

It can search it.

Now, Index text and metadata, that's the one -- if you need to create an index, generate the index, and then search based on the index.

Generating an index takes time.

It takes -- it's time-consuming, and that is the reason why EnCase -- when you create a case it's so quick, because those actions have not been performed -- it will only perform them at the investigator's request.

Okay.

So here there are two types of search -- one is keyword search from raw data, the regular expression, and one is index search.


Now, other information.

We talked about data carving.

That's here.

Okay.

Data carving -- which type of data do you want to carve out?

If you only care about, let's say, printing, then EMF files are what you want to carve out.

You can choose.

There are many, many types here you can pick and choose from.

So that's data carving.

Do you want to carve out from unallocated space and file slack?

And then all the details you need to provide.

So data carving -- that's important.

IM Parser, so that is parsing out IM messages.

And a Windows Event Log Parser and a Windows Artifact Parser.

Remember we talked about the Recycle Bin?

Search for deleted Recycle Bin files.

Search for MFT transactions.

Search for Link -- the link file shortcuts.

So that information is here.

And now certainly it includes Linux/Unix in case this is a Linux/Unix image.

Okay.


So for Find Internet Artifacts -- this one, because for this process, it's already done.

If I -- that's why you don't see it -- it gives you options.

Let me pick this one.

Hopefully that still works.

Yeah.

So this one I haven't processed at all yet.

So you can do Find Internet Artifacts.

It asks you whether you want to search unallocated space for Internet artifacts or not.

So those are the Internet artifacts, like for example URLs visited and then cookies, downloads, and all that.

Yeah, so here basically those are the actions -- those actions you have to tell EnCase to perform.

Each of those actions corresponds to one program.

It is called EnScript.

E-N-S-C-R-I-P-T, EnScript.

EnScript is very similar-looking to Java.

It's kind of -- it's an object-oriented language, but it has its own rich library.

You know that it will -- because it has to search in the deleted fields and all that.

So this is so important here.

Those are the action part of EnCase.

For EnCase.

Okay.


So let me get out here -- let me to show -- see what else I need to show you.


So the other -- the rich -- so many rich functions I don't have time to cover one by one.


One more thing I want to talk about is in View.


So I have a tab here, right?


But you can bring in more tabs come through here.


Let me just search through it here.


Like for example, I can bring Evidence here.


Now I already have evidence.


If I brought Search here, okay, this is index search.


Remember when we're doing the Process Evidence, we can see index search included in Process
Evidence.


Many of those functions in Process Evidence are also spread along in other locations.


The Index search -- search allowed in here.


So once you create the index, then you can search.


So this is basic index search, okay?


This is not regular expression search.


So let's say, if you watch me type -- I type along.


It already has information -- those are all because text.


Okay?


Because it tells you how many queue hits -- files it contains.


How many items and how many keywords it matches for that.


Index search is very quick, but creating index takes time.


Okay.


So now you've brought up the tag search, and I can close this search and the results,
and many other pieces of information -- like for example, see, I did not show you here,
because it's just too much to show.


If I do a condition search or the result will be matched,
to search the information over here.


This is -- I searched the file based on category or extension and then the results.


And here if I do some kind of search, the search result is here.


So that's the result.


Yeah, so other information, and then what kind of file types EnCase supports.


I talked about EnScript; all those actions are carried out by EnScript.


And then the condition filter, those are all EnScript, and you can create your own EnScript.


For those people who love to program Java, now you can program inside of EnCase, using
three or four lines; it's able to cover deleted
files and all that and even provide your own GUI for inputs and all
that.


All right.


It's just there's so many things to cover.


And then now, previously I also showed you how to do a disk view to look at the disk
image layout.


Recover Folder -- so you see that in the evidence, process evidence.


It also shows up here.


Okay.


So many -- it's just spread around.


EnCase is not as easy as FTK, in terms of using it.


But EnCase has rich, rich resources, and no other software can compare with EnCase.


Because I haven't seen any other analysis tools that allow you to have your own program,
to program it to bring up new information.


I haven't seen any other tools, then, that can compare with EnCase.


All right?


So I will stop here.


And once again, for this EnCase -- for this tool, you can spend not only hours --
I think weeks and months to look into that, to get into that.


Even at this stage -- I have used it since 2003, when I started to use EnCase.


I still cannot say I'm an expert in this -- I just say I have some experience.


It has such rich functionality.


I really hope you enjoy it and hopefully you'll get a chance to use it.

 

FTK Demo

>> In this demo let's look at FTK's basic functions.


So when I open FTK, the first page is this one, and then temp,
that's the one I have already created before.


So, if you double-click on temp then that's the previous case,
you're getting into previous cases analyzed.


So if you click Case, certainly the first thing you need to do is Create Case,
create a new case and the case name.


It's again called EdX test and you can put in different descriptions,
what kind of case this involves, and again this asks where do you want to save the file?


Now in this case it's saved on the Desktop and I just leave it as is, database directory
and where do you want your database directory and all that.


Alright, so before I click okay, I want to show you detailed options.


One difference, a huge difference between EnCase and FTK is that for FTK much
of the processing is done ahead of time.


When I showed you EnCase, for EnCase evidence processing
an investigator needs to check one and then EnCase will do one,
so creating a case in EnCase is very quick.


It's quick because it pushes all that processing time
to later, whenever you specifically want EnCase to do it.


FTK is different: in FTK, you pick what you want to do.


For example hash: in EnCase it's in the evidence processing, so when we open
up a new case no hash is generated, but in this case,
in FTK it asks do you want to generate a hash?


What type of hash do you want to generate?


Do you want to do the signature analysis on that and flag bad extensions?


Do you want to do index?


And do you want to create thumbnails?


And do you want to do carving? In this case it's not selected.


You can select carving as well.


So all that information can be done ahead of time, okay.


But all that, if you check, if you uncheck those things, again inside of that,
some of that you can do later, for example if you want to index later, that's also fine,
alright.


And so here I click okay, and now I leave it as is and I say okay.


At this point it's still not done yet because I haven't added evidence.


Once you add evidence then it will take a while
because it will do index and all of that information.


Now for adding evidence you can do Add and then you choose which evidence to add, okay.


For example -- so I will not really do it because it takes a long time --
I will say Acquired Image.


Acquired images can be EnCase, can be raw dd images,
very similar to, compared with, EnCase.


So here it asks where do you want me to find the image?


Then I say okay if that's the one I want to open.


So now the evidence is here.


Past information I leave it at default.


Now a couple more things, settings come up.


Refinement option okay and this is the one that I showed you and then all that.


See, if you look at the evidence refinement, so all the features you can refine,
and index refinement, so all that you can pick and choose,
sort of like configurations, right, configurations.


And then after that, even with your settings,
after that you can click okay.


Okay, click okay.


It will take a long time, even for a medium-size image, to process,
because once it's done it's in good shape already.


So in this case I'm not doing it because it takes a long time
because I have already created one.


Let me see so I want to close it.


We close the case.


Okay, we want to close the case.


Once I close the case then I come back to here.


Now temp1 is the one I have processed already.


So, this is the one I have already processed.


So back to the previous case, the EdX test: if you add evidence and just leave all other
options as default and click okay, then it will take
a while, okay, take minutes; for my image, a small image, it probably takes 5 to
10 minutes, and I got here.


So this is the one I added, the WinLabEnCase.E01.


So if you look here now, this is very similar to the EnCase interface, so on
the top view that's a tree view and then
the interpretation is on the right-hand side.


And also this arrangement you can change.


You can pull this to the different locations.


You can pull the other one, so that arrangement is free, you can pull along and
change, but anyway, similar to EnCase, there's a tree view.


There's a list and so the log list isn't in here.


If I look at -- so all the files, if I click on the green click here, then all the files
under this directory are listed, including deleted files.


It shows you which file, and all the table views.


Now hashes are generated because this is all.


Remember I checked all the MD5, the SHA1 and the SHA256,
I checked it, so whatever files have a hash, it's included here,
all the hashes are already generated and all the processing is done.


So I just need to look around, that's it, and then create time, access time,
modification time, the size and the category.


It also did signature analysis as well so it did all that, where is the path?


The deleted file is included here as well.


If it's deleted, in slack data, everything is here.


Okay, if you select one of the files, then it shows on
top the natural view or hex view, and that's the view,
okay, so this is similar to EnCase.


File content, we look at.


Then you can look at a property.


The property is the metadata for that file, the metadata information.


Now the overview tab, that's very interesting okay.


It's already categorized everything for you so evidence group and file items.


If you check a file, originally I did not check.


If we check here then it will be in the checked file category.


I only have one category so everything is unchecked at this point.


And they also categorize for different extensions, 700 different extensions,
database or gif file, html, how many files fall into each category,
see jpeg 29, so everything is categorized.


And the file categorized and then there are archives so what kind, how many archives,
how many databases is zero and the document emails, how many emails in there?


And the folders, executables, slack space, so allocated space,
and unknown type, that's the one where it cannot identify the file type, that information.


And then file status, bad extension, so those are the ones where, say,
the extension says doc but actually it is a gif file, so
this is, to get this result, it's from the signature
analysis, okay, because it's all done front end so it's all
listed here.


The data carving file, because I did not check the data carving file,
that's why it currently is zero.


Now we can do a data carving even though we did not choose to process it
because data carving is also a very time-consuming process.


So I look here, say Additional Analysis; now this one actually is very similar
to previously, you see, when we pre-checked, right.


All the other stuff if you didn't want to do it ahead of time you can check here to
do it.


File signature analysis, what kind of hashes do you want to create?


And do you want to do an index? Because for index search you have to have an index.


So all those processes, if you chose not to do them in the front end, then you can do
them here.


Now this is the data carving, very similar to EnCase.


You can.


You can open up a carving option and say what file type you want to carve out.


If you want to carve out emf files then just do data carving here.


Alright, so there is much information you can check there, but if you are not doing it
in the front end then you will not have such an impressive list.


So because you waited for a while for the file to be created, it's all organized.


After data carving and then you can add that data carving into your analysis.


Decrypted zero, and then deleted files, so the list categorizes all the deleted files
together, even duplicated files and email attachments if it has any; it will
do that as well.


So encrypted files, it's all categorized for you, and email status.


So this overview tab gives you a very, very good starting point to understand.


Now look at the email.


So emails are categorized for you as well, and email attachments, listing them, zero,
and the email related, and this email reply and...


We don't have much here.


Let's look at email archives deleted items, so those are the deleted emails it recovered.


If I look into it, okay those are deleted emails.


Certainly it's interesting to a forensics investigator.


So if you click on email, now it's in the natural view.


The natural view is to look at this as an email so it's in the email view.


You can have a different set of views so this is clearly showing you
in the email format from where and then content.


You can look at that, each one, one by one so it's categorized for you.


And the drafts folders, if you have any, case or other POP3,
those are all categorized for you.


And then this is the email, and then similar sets of email but categorized
by submitted date and delivered, so it's all...


It's done a lot of work for you, and the email addresses, senders, so interestingly, all
that uses the same set of information but categorizes
it all for you, so that's the email.


Now graphics we have seen in EnCase.


It's just the graphics view.


Alright, so I think currently I selected some other stuff; like if I select psmith [phonetic],
then graphics has more, depending on what you want to focus on.


What do you want the graphics view to analyze?


So if you green-select and then you go back to do not refresh,
yeah, so the graphics, it showed you, okay.


And again you click, and it's a natural view because it's a picture, and the content.


One difference is, it seems here we have already done file signature analysis, so even
if a picture is saved as a dot text, since the file signature is already analyzed,
it will show in this location.


And the bookmarks, if you created any bookmarks, and search;
alright, Live Search means a regular expression search.


Now I don't quite like the setting here because it's just, you.


Every time, you cannot even see that information, but if you double-click, or let's see
if I can move down a little bit, so this layout sometimes is not very good.


So for regular expressions, let me look at the pattern, so that's a regular expression
pattern.


Let's look at a couple of familiar ones, like INFO2, okay.


So this is the regular expression; it's already created for you,
so then you only need to pick, alright, MAC address.


What is the regular expression or VISA?


Those are already created for you.


And you can create your own.


You can create your own; say Edit, okay.


Let's say Edit, and then you can edit this file, which has all the built-in
regular expressions, and then you can add your own into it.


So once you select, it can add, it can search,
and now the search results will immediately show on the right-hand side.


It will highlight the keywords which match the regular expression.


For the index search, certainly it's for the index, because we have already created an index,
so everything, the search, should be very quick.


Alright, so if I again, if I type in a word it will guess already: security.


Now again see this one, it's the layout, it's not very good.


Sometimes I can move it down, sometimes not.


Sometimes I pop this out, and then will that give me more room?


So I just need to show here, okay there's not enough room to show.


I want to move down this list so I can show you more.


Yeah, so here, so this is the total hits, and then I type in the words,
and then you can use multiple keywords, using and or or.


Then you search and then the search result will show up here.


If you click on that the content will show on this, in this pane okay.


Volatile, that's the tab which allows you to do a dump -- not only a dump of this one,
a dump to dump out volatile memory if we use an agent,
put an agent into the remote system's memory, and then the agent tool, and then here FTK
will contact the agent to dump out the remote system's memory.


Alright, so it's a very interesting and impressive tool as well,
and as I said, both EnCase and FTK are the two leading forensic analysis tools.


Now I still haven't covered lots of information yet, and you can look into the tools,
and also always try right-click.


Right-click sometimes has many of the options as well.


You may not get the chance to play with those two, but the study guide,
the user guide, both of the user guides...


The user guide you can download online.


If you have a chance, if you have the product I strongly recommend you to try both.


Alright, so I will simply stop here.
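The "bad extension" result and the hashes described in the demo, as an added example that is not FTK or EnCase code: a small Python signature analysis that compares each file's magic bytes against its extension and computes the MD5/SHA1/SHA256 set the demo enabled. The signature table and the sample files are constructed assumptions, not evidence from the lecture's image.

```python
"""Added example (not FTK or EnCase code): the 'bad extension' check that
FTK's signature analysis performs, plus the MD5/SHA1/SHA256 hashing both
tools do during evidence processing. Sample files are built in memory."""
import hashlib
from typing import Optional

# Constructed magic-byte table: signature type -> (leading bytes, legitimate extensions).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    "gif": (b"GIF8", {"gif"}),
    "pdf": (b"%PDF-", {"pdf"}),
    "zip": (b"PK\x03\x04", {"zip", "docx", "xlsx"}),
    "exe": (b"MZ", {"exe", "dll"}),
}

def identify(data: bytes) -> Optional[str]:
    """Return the signature type whose magic bytes open the data, or None (unknown type)."""
    for kind, (magic, _) in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def check_extension(name: str, data: bytes) -> str:
    """Classify a file the way FTK's overview tab does: 'match',
    'bad extension' (signature says one type, the name says another)
    or 'unknown type' (no signature recognised)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    if kind is None:
        return "unknown type"
    return "match" if ext in SIGNATURES[kind][1] else "bad extension"

def hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 hex digests, the three hash sets the demo checked."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def analyze(files: dict) -> dict:
    """Run signature analysis and hashing over {name: bytes}; returns per-file results."""
    return {n: {"type": identify(d), "status": check_extension(n, d), **hashes(d)}
            for n, d in files.items()}

# Constructed sample evidence: a GIF renamed to .doc, like the lecture's example.
SAMPLE = {
    "report.doc": b"GIF89a\x01\x00\x01\x00" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "notes.txt": b"just text, no known signature",
}

if __name__ == "__main__":
    for name, r in analyze(SAMPLE).items():
        print(f"{name:12} {r['type'] or '?':7} {r['status']:14} md5={r['md5']}")
```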

 

Reposted from: https://www.cnblogs.com/sec875/articles/10015737.html
