
Computer Forensics Tools / Forensics Tool Kit pt. 2

Subtitles of the Movie

Once we click Finish, what FTK is going to do is start analyzing that image, uh, the image file that we've given it, the 500 MB image that we took from Adepto, and what it's doing is it's going to go through the entire image. It's going to look at it as if it were a hard drive; it's looking for file types and it's looking for different things that we specified earlier such as document types, Word documents, Excel documents, and so forth. It's also going to look for JPEGs, pictures, media files, e-mail, whatever we specify, and it's going to pull that data up here in a moment. Now of course we're working with a forensic copy, we're not working with the original drive; we're working with just an image. I always recommend that you work with an image of a drive or a copy of the drive, a forensically sound copy, versus the drive itself, because you don't want to accidentally tamper with the drive or change settings on it, because in a court of law or in an administrative proceeding that might not hold up. Your methods might be questioned as a forensic examiner. So I always work with a copy and that's what we're doing now. So once we process it, what FTK is going to do is present this information to us; it's going to show us what kind of documents it's found, document types and so forth, and some other information about the image itself. It will be up to us as forensic examiners to actually look at the files and determine what we're looking for and what we want to get out of the analysis. For example, the example we used earlier was: suppose we got this drive from an employee who we think has been using hacker tools to look around, poke around on the company network, something that is against company policy. So we seized the drive, we imaged it, and now we're looking at the image itself.
So what we're going to be looking for in this particular case might be executable files, hacker tools and so forth, just to show that the individual had them on their computer and they weren't supposed to. If we were looking at another case, another type of case, such as a possible violation of policy, maybe accessing pornography from a company computer or illegal online gambling that's in violation of policy, we might be looking for those things as well. But right now we're just going to be looking for whatever we find on here. We want to see what this person's got on here. So it's carving all the files up right now and it should be done in just a moment. Now this is only a 500 MB drive, just for an example or demonstration; imagine how long it would take if it were a 40 gig drive, you know, an average size drive that might come with the computer, that may have thousands and thousands of files on it. This could actually take several hours, so sometimes you have to be prepared for something that'll take a while to process. So it's done, and as you can see we've got quite a few items that it came up with. We've got a few encrypted files; we might want to look at those in depth because maybe the suspect encrypted data that he doesn't want us to look at. We may have graphics files on here, so we might want to see what kind of graphics the individual has been looking at; maybe we might find pictures of things that they shouldn't be looking at on our company computers. Multimedia files and so forth, in this case just a simple WAV file, but we might find a lot of MP3s that the suspect downloaded illegally. We can also look for files in the Recycle Bin if there were any in there; we could also look for e-mail. We specified that there was no e-mail on this particular image, but there could have been.
So there are different things that we can look at on here, and to give you an idea of some of the things we can look at, let's go to the top here and hit Explore. In this view we can look at the data as it looked on the hard drive. In other words, we can look at the directory structure and explore through it, and on this side you might have the hex view of different files and stuff so you can find stuff in there. In this tab we would have the Graphics tab, and if there were graphics on there that we wanted to view we could view them through here. For e-mail, if there were e-mail on here that maybe we recovered from the Internet cache, such as web mail: if a person goes to Yahoo Mail, for example, or Hotmail, that e-mail sometimes shows up in their Internet cache. Or we might find e-mail from a POP3 account, such as something you might use through Outlook Express or Eudora or Thunderbird and so forth. We would find that mail here and we'd be able to look through it. When we go to the Search tab, what this allows us to do is perform keyword searches using operators. So we might use combinations of words and phrases to see if those words and phrases are contained in any document or in any file on the drive. We could also bookmark items that we want to come back to and look at later, because sometimes with a massive drive, an 80 gig drive, a 100 gig drive, there are going to be so many files and things that you're going to lose track of things sometimes, so you might want to bookmark so you can come back to it. So that's essentially FTK, and again it's a very good commercial product; it's on par with some of its contemporaries such as EnCase or Autopsy.
Although there are some things that FTK does well, there are some things it doesn't do as well as other tools, so you might want to consider getting FTK and keeping it in your toolkit, but you also might want to include other tools in there such as Autopsy, open source tools, freeware tools or even other commercial tools, because they all have their strengths and some things that they may not do as well as other tools. But FTK is a very good tool. Now we've looked at just a few tools from a forensics standpoint, a few security tools, but there are thousands out there and they're all very good tools; you just have to find what works for you and what's best for you. Some may be very specific tools that do one or two things really well and some may be general purpose tools. So don't be afraid to add a lot of tools to your forensics toolbox so that you're able to perform all kinds of security operations in computer forensics.
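Two points in this walkthrough translate directly into code: hashing the forensic copy so you can show later that the image you analyzed was never altered, and scanning the raw image for known file signatures, which is how a suite like FTK sorts what it finds into documents, graphics and media. The Python below is an added example, not VTC's or FTK's code; the "image" bytes and the signature table are constructed for illustration.

```python
"""Verify a forensic image's integrity and scan it for file signatures.

Added example, not part of the VTC lesson or of FTK. The IMAGE bytes are a
constructed stand-in for a small acquisition, not a real disk image.
"""
import hashlib

# Constructed image: zero padding with a JPEG, a PDF, a ZIP/Office
# container and a WAV header embedded at known offsets.
IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"JFIF-sample-data" + b"\xff\xd9"   # JPEG at 16
    + b"\x00" * 8
    + b"%PDF-1.4 sample pdf body"                                 # PDF at 46
    + b"\x00" * 8
    + b"PK\x03\x04 zip or docx container"                         # ZIP at 78
    + b"\x00" * 8
    + b"RIFF\x24\x00\x00\x00WAVEfmt "                             # WAV at 112
)

# Magic bytes for the file types the lesson mentions (graphics, Office
# documents, multimedia, executables). A real tool carries far more.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF",
    "zip/office": b"PK\x03\x04",
    "wav": b"RIFF",
    "exe": b"MZ",
}


def image_hash(data: bytes) -> str:
    """SHA-256 of the whole image. Record it at acquisition and again
    after analysis; matching digests show the copy was not tampered with."""
    return hashlib.sha256(data).hexdigest()


def verify_unchanged(data: bytes, recorded_hash: str) -> bool:
    """True if the image still matches the digest recorded earlier."""
    return image_hash(data) == recorded_hash


def scan_signatures(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, type) for every signature hit, sorted by offset.
    This is signature-based identification of the kind FTK runs over
    the entire image regardless of directory structure."""
    hits = []
    for name, magic in SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)
```

Run against an actual acquisition by reading the image file into `data`; the hit list is the starting point for carving, and the digest is what you record in your notes before touching anything.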

Tutorial Information

Course: Using Security Tools
Author: Bobby Rogers
SKU: 34068
ISBN: 1-935320-88-2
Release Date: 2009-12-04
Duration: 9 hrs / 91 lessons
Captions: Available on CD and Online University
Compatibility: Vista/XP/2000, OS X, Linux
QuickTime 7, Flash 8