FTK Bootcamp Advanced
Level: Advanced.
Duration: 3 days.
The AccessData BootCamp – Advanced is a three-day course providing the knowledge and skills necessary to use the advanced and specialized functionality of FTK and PRTK.
Prerequisites
This hands-on class is intended for experienced users, particularly forensic professionals and law enforcement personnel, who use AccessData forensic software to examine, analyze, and classify digital evidence.
To obtain the maximum benefit from this class, you should meet the following requirements:
- Perform most operations on a personal computer
- Have an intermediate to advanced knowledge of computer forensic investigations and acquisition procedures
- Be very familiar with the Microsoft Windows environment
- Have moderate to advanced experience with FTK and its component software
Class Materials and Software
You will receive the associated materials prior to the course.
During this three-day, hands-on course, participants will perform the following tasks:
- Apply intermediate-level PRTK concepts and be introduced to DNA
- Use specialized features of FTK, such as Timeline Reporting, Find Similar Files, and Restore Image to Disk
- Use the malware add-on Cerberus
- Understand the concept of Distributed Processing
- Be introduced to the concept of adding remote data
- Use the memory analysis functionality of FTK.
- Conduct an extensive student exercise
- Discuss concepts of workflow and forensic analysis theory
Modules
Module 1: Introduction
Objectives:
- Identify the FTK components
- List the FTK and PRTK system requirements
- Describe how to receive upgrades and support for AccessData tools
- Install required applications and drivers
Lab:
Participants will install the FTK components—FTK, KFF Library, PRTK, and Registry Viewer
Module 2: PRTK 201
Objectives:
- Perform automatic decryption from FTK
- Understand DNA basics
- Decrypt files upon finding key
- Use the Dictionary Browser
- Merge Golden Dictionaries
- Generate non-traditional dictionaries
Lab:
During the practical participants will decrypt files from FTK, manage dictionaries, and save decrypted copies of files once the key has been found.
Module 3: Specialized FTK Features
Objectives:
- Evidence and Index Processing Options
- Timeline Reporting
- Restore Image to Disk
- Find Similar Files
- Reassign File Category
Lab:
During the practical, participants will work through the advanced FTK features covered in this module and learn when to apply each of them.
Module 4: Cerberus
Objectives:
- Explain what Cerberus analysis is
- Describe the Cerberus processing stages:
  - Stage 1: Threat scoring and file information analysis
  - Stage 2: Reporting
- Perform a Cerberus analysis
- Review Cerberus analysis results in FTK Examiner
- Export a Cerberus report
- Bookmark and report Cerberus files
Lab:
Students will process a case with live malware for purposes of understanding the function of the Cerberus FTK add-on.
Module 5: Distributed Processing
Objectives:
- Describe distributed processing.
- Describe the requirements for distributed processing.
- Describe how distributed processing works.
- Set up distributed processing.
Lab:
Students will walk through the process of setting up distributed processing workers.
Module 6: Adding Remote Data
Objectives:
- Describe in general the Remote Disk Mounting Service (RDMS) and parameters necessary for successful deployment and collection of data.
- Deploy a Temporary Agent and collect data with that agent
- Set up and deploy Enterprise level agents that will permanently reside on the target computer.
- Access, collect, and analyze remote data, including memory, with the remote agents.
- Mount a drive remotely so that the file system can be viewed and analyzed on the examiner’s computer with third-party tools.
Lab:
Module 7: Memory Analysis
Objectives:
- List artifacts that may be collected from RAM.
- Outline what happens in Windows when a user or program executes a binary.
- Define what volatile data is.
- Perform a Volatile Data Snapshot.
- Explain what a differential comparison is and how it can be used.
- Perform live, index, and regular expression searches on a memory snapshot and a memory dump.
- List the differences between a memory dump and a memory snapshot.
- Import a memory dump into FTK.
- Explain why an investigator would add a memory dump to a case so it can be indexed.
- Create a Volatile Data report.
Lab:
During the practical, participants will see how FTK can process a memory dump.
Module 8: Student Exercise
Objectives:
- Students will process the student exercise
- Students will create a report on located artifacts
Lab:
Students will process a practice case, applying the knowledge gained from all FTK courses, and produce a report based on the scenario provided.
Module 9: Workflow and Theory Discussion
Objectives:
- Discussion of general forensic workflow
- Discussion of various case type forensic workflows
- Discussion of changes in case processing options based on case type and the content desired
Lab:
Participants will discuss the various topics involved in processing forensic cases with differing requirements.