FTK and ProDiscover

Digital Forensics Tutorials – Viewing Image Contents in Windows
Explanation Section
About Disk Analysis
Once the proper steps have been taken to secure and verify the disk image, the actual contents of the
image must be analyzed for suspicious or incriminating evidence. When looking at the contents of an
image, it is necessary to not only look at the clearly visible contents such as folders on the desktop and
images in user files, but the image must also be checked for hidden, encrypted, or deleted files. It is
always better to assume that a suspect may have known that they were to be investigated and took
steps to hide, delete, or otherwise make it difficult to find the information they had been storing on
their USB or computer.
About FTK
One of the tools we will be using in this tutorial is FTK (Forensic Toolkit), a program released
by AccessData for digital forensic investigations. The more robust versions are very expensive,
but allow for password recovery, encryption protection, and analysis of both Windows and Mac OS
images. We are using a free version which is much more limited, but is still ideal for finding deleted and
hidden files or partitions within a disk image. Though the free version has limited reporting capabilities,
FTK is still ideal for working with disk image files on Windows systems. Note that the demo version of
this software is no longer offered by AccessData, so the version we are using is relatively old.
About ProDiscover Basic
ProDiscover Basic is the free version of this program, which is used both for creating disk images and
for viewing disk image contents. In the scope of this tutorial we will be using it for viewing
image contents. Note that, like FTK, it can easily be used to create a disk image as well, with some
limitations. While ProDiscover Basic has advanced reporting tools and is excellent for generating reports,
it does not have the ability to show most deleted files or hidden partitions. However, it is helpful to
understand how to use it, as it is a relatively up-to-date piece of free forensics software, which is why it
is a decent alternative to the rather outdated FTK software.
In This Tutorial
Once a disk image has been created, hashed, and write-blocked to prevent changes, it is necessary to
analyze the image. During the analysis process, the investigator must search for information pertinent to
the case being compiled. This means not only looking for current contents on the drive, but also
searching for deleted files, missing or hidden information, and hidden partitions that may not appear at
first glance. Oftentimes a suspect will attempt to hide and delete information as a precaution. Using FTK
and ProDiscover can help uncover information that might otherwise never be found.
In this particular tutorial, we will be using the disk image created in an earlier tutorial, ‘Georges Drive
Image.001’. This is the disk image we created in FTK Imager using ‘Z: Georges Drive’ as the target. We
will be reviewing the various options available in FTK and ProDiscover Basic, with the emphasis being on
FTK, which is the more thorough of the two tools.
Tutorial Section
LEARNING OBJECTIVES:
• Successfully open a disk image file
• View the immediately available current contents of the disk image file
• Search the contents for deleted information or hidden information
• Take a successful copy of information for further analysis
• Hash each individual piece of evidence and keep a log
• Recalculate the hash value of the image file to verify it has not been compromised
Part 1 – Analyzing the Disk Image File in ProDiscover Basic
1. Login to the Virtual Lab website (https://v5.unm.edu/cloud/org/ialab), and enter the ‘NEST Digital
Forensics’ vApp. Click on the Windows 8 machine to open the VM.
2. At the login screen of the Windows 8 machine use the password letmein.
3. Launch ProDiscover Basic from the desktop. A screen will open asking for information about a new
or existing project. Since this is a new project, we will fill out the information for the number and
name. Then click Open.
4. The new project will open. At this point there is nothing to analyze since the project is empty.
5. To add ‘Georges Drive Image.001’ to the project for analysis, navigate to Action>>Add>>Image File.
Open the ‘Y:\ Investigative Drive’, and select Georges Drive Image.001. Then click Open. The drive
has now been added to the project. Click on Images which is nested beneath Content View in the
left navigation menu. You will see the disk image.
6. To look at the contents of Georges Drive Image, expand the ‘+’ symbol to the left of Images until
reaching C:. The contents of the disk appear in the right side analysis window. You can click into
each folder to see its contents.
7. It looks like George has some images on his drive. In this folder, ‘Vacation Photos’, we can see he has
four images.
8. What if we want to take a better look at those photos in a viewer-friendly program? We can’t
change anything within the disk image file, as that would damage the integrity of the evidence. Also,
we have the disk image set to read-only, so we can’t make any changes anyway. So we need to
make a copy of the individual photos. Remember that each individual piece of evidence must be
hashed. To copy ‘eiffel-tower-paris-2.jpg’ to the Investigative Drive, right click over the file and
select Copy File.
9. You will be asked to save the photo to a location. Choose the Investigative Drive. Now we must hash
the copy. Open WinHex, then navigate to File>>Open. Open the photo from the Investigative
Drive. Then navigate to Tools>>Compute Hash. Select MD5 and hash the file. Copy the hash value
into a text document and save it to the Investigative Drive. This way you have a complete record
that can be used as evidence that the photo was not altered during your analysis.
10. Now you can safely look at the photo in a photo viewer.
11. Go back to ProDiscover and look at other folders and files on the disk image. Do you see anything of
interest? How about in the Deleted Files and Recycle Bin folders? Is there anything that looks
suspicious? Is there anything that seems difficult to find or locate within ProDiscover Basic? Practice
copying evidence files and hashing them. Keep track of everything you copy and hash.
12. When finished, save the project file (File>>Save Project) and close out of ProDiscover Basic.
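Steps 8–9 of Part 1 (copy a file out of the image, hash the copy, record the hash) and the last two learning objectives (keep a log, recalculate hashes to verify nothing changed) can be scripted so the log is consistent and the re-check is one command. The following is an added example using only the Python standard library; it is not part of the tutorial and is not code from ProDiscover or AccessData. The file names and contents are constructed placeholders (the 'Georges Drive Image.001' here is a three-byte stand-in, not the real image), and the CSV log layout is this example's own choice.

```python
"""Hash extracted evidence files, keep a CSV log, and later re-verify them.

Added example (not from the tutorial, ProDiscover or FTK). File names and
contents below are constructed placeholders.
"""
import csv
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for one file, streamed in 1 MiB chunks
    so a multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def log_evidence(log_path, evidence_path, note=""):
    """Append one row (timestamp, name, size, MD5, SHA-1, note) to the log.
    Returns the row so the caller can show or check the recorded hashes."""
    digests = hash_file(evidence_path)
    row = {
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "file": os.path.basename(evidence_path),
        "size": os.path.getsize(evidence_path),
        "md5": digests["md5"],
        "sha1": digests["sha1"],
        "note": note,
    }
    write_header = not os.path.exists(log_path)
    with open(log_path, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(row))
        if write_header:
            writer.writeheader()
        writer.writerow(row)
    return row


def verify_log(log_path, directory):
    """Re-hash every file named in the log and compare with the recorded
    values. Returns {file name: True if unchanged}; a missing file counts
    as a mismatch, since the evidence can no longer be re-verified."""
    results = {}
    with open(log_path, newline="") as fh:
        for row in csv.DictReader(fh):
            path = os.path.join(directory, row["file"])
            if not os.path.exists(path):
                results[row["file"]] = False
                continue
            current = hash_file(path)
            results[row["file"]] = (current["md5"] == row["md5"]
                                    and current["sha1"] == row["sha1"])
    return results


def demo():
    """Constructed walk-through: log two 'extracted' files, accidentally
    modify one, then verify. Returns the verification result and the
    hashes recorded for the placeholder image."""
    workdir = tempfile.mkdtemp(prefix="investigative_drive_")
    log = os.path.join(workdir, "evidence_log.csv")
    photo = os.path.join(workdir, "eiffel-tower-paris-2.jpg")
    image = os.path.join(workdir, "Georges Drive Image.001")
    with open(photo, "wb") as fh:          # constructed JPEG-like placeholder
        fh.write(b"\xff\xd8\xff\xe0 placeholder photo bytes")
    with open(image, "wb") as fh:          # constructed stand-in for the image
        fh.write(b"abc")
    log_evidence(log, photo, "copied from Vacation Photos via Copy File")
    image_row = log_evidence(log, image, "disk image, hashed before analysis")
    with open(photo, "ab") as fh:          # simulate an accidental change
        fh.write(b"!")
    verification = verify_log(log, workdir)
    for name, ok in verification.items():
        print(f"{'OK      ' if ok else 'MODIFIED'} {name}")
    return {"verify": verification,
            "image_md5": image_row["md5"], "image_sha1": image_row["sha1"]}


if __name__ == "__main__":
    demo()
```

Running `verify_log` at the end of the analysis, and again before the evidence leaves your hands, gives the same assurance as re-hashing in WinHex but leaves a machine-readable record that can be attached to the case notes.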
Part 2 – Creating a Case in Forensic Toolkit (FTK)
1. FTK (Forensic Toolkit) is the better alternative to ProDiscover Basic. If files have been deleted, or
attempts have been made to wipe or hide files, or if the drive contains hidden partitions, chances
are that they will be much easier to find and recover in FTK.
Right click on FTK and select Run as Administrator. Sometimes it refuses to run if not launched this
way. Click OK for the library and Code Meter errors. Click OK to acknowledge you are using a demo
version.
2. Click Start a new case in the window that appears. Click OK. You will be asked to enter information
about the case as in ProDiscover Basic. You can choose to save the case to the Investigative Drive.
Enter the information and click Next.
3. Enter the ‘Forensic Examiner Information’ if desired and click Next.
4. Leave the defaults for ‘Case Log Options’. This will designate how logs of what you are doing are
kept. These logs can be later used to print a report of the analysis. Click Next.
5. Leave the default options set on the ‘Processes to Perform’ page.
This gives you an idea of what will be done when the disk image is imported:
• FTK will create an MD5 and a SHA-1 hash
• The disk image will be tested for encryption
• A text index will be created for search purposes
• Thumbnails will be created for all images for easier viewing
• EFS files will be automatically decrypted
• A database of all items on the disk image will be created
If you wanted to also generate other reports and have FTK check for data carving (a way to hide
data), you may check these options as well. Click Next.
6. Leave the defaults on the ‘Refine Case’ page. This indicates what kinds of data will be included in the
case. The defaults allow all data to be shown in the case except for files in KFF ignorable containers.
Click Next.
7. Do the same for the ‘Refine Index Page’. The defaults will index the file slack space (space that is
beyond the end of the logical file but within the area allocated to that file by the file system) as well
as the free space (areas not allocated to a file but that might possibly contain deleted files). Click
Next.
8. Add the disk image file by clicking ‘Add Evidence’. Select ‘Acquired Image of Drive’ and navigate to
and select ‘Georges Drive Image.001’. Give the image an identification name/number and click OK.
9. The disk image has now been added to the case. Click Next.
10. Click Finish to complete building the case. The case will take a few moments to index and complete
the required processes. Once this has finished, the disk image will be available to analyze.
Part 3 – Analyzing the Disk Image File in Forensic Toolkit
1. To analyze the contents of the disk image, click on the Explore tab near the top of the program. You
can then browse through the contents of the disk image.
2. Note that you can see a new zip file. This file was hidden on the original drive as a means of
protection. However, FTK displays hidden files, so it is now visible. Browse through the contents of
the drive – note that FTK is generally considered to be not only more thorough, but also more user-friendly in how disk image contents are displayed.
3. To copy a piece of evidence such as a photo or text file, right click the file. Select ‘Extract This File’,
and save the file to the Investigative Drive. Before examining the photo, be sure to use the same
hashing steps from Part 1.
4. FTK also allows for full text searches. Click the Search tab. Type in words that might appear on
suspicious drives. For example, in this case, you might search for money, deal, buyer, etc. I am using
million as my search term. After typing the term, click Add to add it as a search term. To view results
of a search term, click View Item Results. Make sure that All Files is selected so that everything is
searched. You can then browse the results on the right side of the screen.
5. Continue to browse through the contents and familiarize yourself with Forensic Toolkit.
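Step 4 above relies on the text index FTK built in Part 2, which (per the 'Refine Index' defaults) covers file slack and free space as well as live files, so a term can be hit in a deleted document that no longer appears in any folder. The following added example, written for this page and not FTK's own search code, shows the naive equivalent: it scans the raw bytes of an image for each term in both ASCII and UTF-16LE (the encoding Windows commonly uses for document text), and labels each hit as inside a live file, in that file's slack, or in free space. The image, the 512-byte cluster size and the one-entry file table are all constructed for the demonstration.

```python
"""Keyword search over raw disk image bytes, labelling where each hit lives.

Added example (not from the tutorial or from FTK). The sample image,
cluster size and file table are constructed.
"""
import math
import re

CLUSTER = 512  # constructed cluster size of the sample image


def build_patterns(terms):
    """Yield (term, encoding, pattern). Each term is compiled
    case-insensitively as ASCII and as UTF-16LE so that both plain text
    and Windows wide-character text are found."""
    for term in terms:
        for encoding in ("ascii", "utf-16-le"):
            yield term, encoding, re.compile(re.escape(term.encode(encoding)),
                                             re.IGNORECASE)


def classify_offset(offset, files):
    """'allocated' = inside a file's logical size; 'slack' = past the logical
    end but inside the last cluster the file system gave that file;
    'free' = no file in the table owns the offset."""
    for _name, start, size in files:
        cluster_end = start + math.ceil(size / CLUSTER) * CLUSTER
        if start <= offset < start + size:
            return "allocated"
        if start + size <= offset < cluster_end:
            return "slack"
    return "free"


def search_image(image, terms, files, context=16):
    """Return every hit as a dict with term, encoding, offset, cluster,
    location and a short decoded context string, sorted by offset."""
    hits = []
    for term, encoding, pattern in build_patterns(terms):
        for m in pattern.finditer(image):
            lo = max(0, m.start() - context)
            snippet = image[lo:m.end() + context].decode(encoding, errors="replace")
            hits.append({
                "term": term,
                "encoding": encoding,
                "offset": m.start(),
                "cluster": m.start() // CLUSTER,
                "location": classify_offset(m.start(), files),
                "context": snippet.replace("\x00", "."),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image():
    """Constructed 4-cluster image: a live text file in cluster 0 whose slack
    still holds an older draft, an unused cluster 1, remnants of a deleted
    UTF-16LE document in cluster 2, and an empty cluster 3.
    Returns (image bytes, file table of (name, start offset, logical size))."""
    live = b"Meeting notes: buyer confirmed, price is 2 million."
    old_draft = b"draft: offer was 1 MILLION, buyer unsure"
    cluster0 = live + b"\x00" * 8 + old_draft
    cluster0 += b"\x00" * (CLUSTER - len(cluster0))
    cluster1 = b"\x00" * CLUSTER
    deleted = "Wire the million to the offshore account".encode("utf-16-le")
    cluster2 = deleted + b"\x00" * (CLUSTER - len(deleted))
    cluster3 = b"\x00" * CLUSTER
    files = [("notes.txt", 0, len(live))]  # only the live file is in the table
    return cluster0 + cluster1 + cluster2 + cluster3, files


def demo(terms=("million", "buyer")):
    """Search the constructed image for the tutorial's example terms and
    print one line per hit. Returns the hit list."""
    image, files = build_sample_image()
    hits = search_image(image, list(terms), files)
    for h in hits:
        print(f"{h['term']:8} {h['encoding']:9} offset={h['offset']:5} "
              f"cluster={h['cluster']} {h['location']:9} ...{h['context']}...")
    return hits


if __name__ == "__main__":
    demo()
```

The 'slack' and 'free' hits are the ones a plain folder browse in ProDiscover Basic would never show; they are also why a keyword search over the whole image should be run even when the visible files look uninteresting.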
Conclusion
You should now have a general idea of how to create a disk image file, hash the file, write-block the file,
and perform a first-level analysis of the disk image in a Windows environment. This is the basis of any
digital forensics investigation. Knowing these basics will enable you to focus on learning more involved
and advanced aspects of digital forensics. In later tutorials you will learn about some of the reporting
tools available in Linux and Windows. Since reports and notes are often used in court and to verify the
integrity of evidence, it is important to keep a log of any changes made or anything noted during the
course of the investigation. These reports and logs will potentially be used in a court of law.