FTK Bootcamp Intermediate

Level: Intermediate.

Duration: 3 days.

The AccessData BootCamp – Intermediate three-day course provides the knowledge and skills necessary to install, configure, and effectively use Forensic Toolkit (FTK), Password Recovery Tool Kit (PRTK) and Registry Viewer.

Prerequisites

This hands-on class is intended for intermediate users, particularly forensic professionals and law enforcement personnel, who use AccessData forensic software to examine, analyze, and classify digital evidence.

To obtain the maximum benefit from this class, you should meet the following requirements:

• Perform most operations on a personal computer
• Have a intermediate knowledge of computer forensic investigations and acquisition procedures
• Be familiar with the Microsoft Windows environment

Class Materials and Software

You will receive the associated materials prior to the course.

During this three-day, hands-on course, participants will perform the following tasks:

• Install and configure FTK, FTK Imager, and Registry Viewer
• Review Registry Viewer functions: also conduct advanced searching and produce registry summary reports
• Conduct more detailed email analysis
• Use advanced processing options of FTK such as: EID, OCR, PhotoDNA, Event Log analysis, and Volume Shadow Copy
• Increase abilities to conduct more advanced Index and Live searches
• Create and use more complex filters
• Learn to use the Visualization tool
• Learn the basics of PRTK, including: custom profile creation, creation of custom dictionaries and the breaking of basic passwords.

Modules

Module 1: Introduction

Objectives:

• Identify the FTK components
• List the FTK and PRTK system requirements
• Describe how to receive upgrades and support for AccessData tools
• Install required applications and drivers

Lab:

Participants will install the UTK components—FTK, KFF Library, PRTK, and Registry Viewer

Module 2: FTK Imager 201

Objectives:

• Learn how to make FTK Imager portable
• Use features of FTK Imager in an incident response capacity
• Learn how to extract volatile data from live machines

Lab:

During the practical participants acquire volatile data from virtual machine, simulating a suspect machine.

Module 3: Registry Viewer 201

Objectives:

• Use basic and advanced searching through the Windows Registry
• Create Registry Summary Reports
• Select keys to put report in a specific order
• Discuss running summary reports during case processing

Lab:

During the practical, participants use Registry Viewer to search for specific registry keys and recover registry artifacts in a specific order, for a custom report. Students will also create registry summary reports and select summary reports to be run during case processing.

Module 4: Case Setup

Objectives:

• Optimum Setup
• Configuring Preferences
• Archive and Backup Operations
• Copying a case from an older version of FTK to a newer version.

Lab:

Students will learn how to copy a case from one version of FTK to another and perform backup and archive functions for cases.

Module 5: Email Analysis

Objectives:

• Review Email tab
• Learn about the function of Persons of Interest
• Describe the different abilities of FTK to export email
• Use the features of email threading

Lab:

Students will walk through a case containing processed email and see the full abilities of FTK to deal with email.

Module 6: Disk Analysis Features

Objectives:

• Learn about the FTK Disk Viewer
• Use the Deleted Partition Finder
• Conduct Image Verification
• Use the Meta Carve feature

Lab:

Participants will go over the features listed in the topics above, using various evidence files.

Module 7: Advanced Processing Options

Objectives:

Students will use each of the below listed advanced processing options of FTK:

• Analyze Windows Event Logs
• Explicit Image Detection
• Optical Character Recognition
• Examining Videos
• XRY images and UFDR reports
• PhotoDNA
• Language Identification
• Entity Extraction
• Document Content Analysis (DCA)
• Volume Shadow Copy

Lab:

During the practical, participants will explore the advanced capabilities of FTK to analyze case data. The steps performed here will walk through the usage of each of the advanced processing options listed above, using various evidence files and cases.

Module 8: Advanced Searching

Objectives:

Students will conduct live and index searches using the follow features of the search tabs:

• Live Search Options
  • Text
  • Pattern
  • Hex
• Index Search
  • Indexing Options
  • Conducting an Index Search
  • Importing/Exporting Search Terms
  • Search Operators
  • Searching for a phrase
  • Boolean Searches
  • Searching Options
  • TR1 Regular Expressions

Lab:

Students will see how to make searches more effective by making subtle to advanced changes to index options and search parameters.

Module 9: Advanced Filtering

Objectives:

• Defining of global filters to manage case items
• Filters with multiple rules
• Filter Nesting
• Compound Filtering
• Tab Filters

Lab:

Participants will build and use complex filters to take large amounts of data and find specific items within that dataset.

Module 10: Visualization

Objectives:

• Launch the Visualization tool.
• Describe the Visualization page.
• Use Timeline views to review case data.
• Select a Theme.
• Use the Visualization function to review file data.
• Use the Visualization function to process email data.
• Perform an Email Social Analysis.
• Examine Email Traffic details.
• Visualize Internet browser history.
• Use the Geolocation function to map evidence items that have geolocation information associated with them.

Lab:

Students learn how to use the functionality of the Visualization interface.

Module 11: PRTK 101

Objectives:

• Navigate within the PRTK interface
• Identify the available password recovery modules and their associated attack types
• Import user-defined dictionaries and FTK word lists to use in a password recovery attack
• Create biographical dictionaries
• Set up profiles
• Explain what a PRTK profile is and how it is used
• Recount the AccessData Methodology

Lab:

During the labs, participants will use PRTK to recover passwords from data files. Students will also apply the AccessData Methodology to decrypt files in a sample image. This process will require students to export the FTK case index and Registry Viewer’s registry index to create a custom dictionary, create a biographical dictionary and custom profiles, then re-apply intel gathered from decrypted files to attack other encrypted files.