Forensics: FTK 3 Reviews

Accesss Data’s FTK 3 was launched on 24th August, just under a fortnight ago.  There was not the same  fan fare that accompanied FTK 2.0, and there has not been the howls of derision either, in fact there had been very little comment at all.

There are no glowing, or for that matter terrbile,  hard hitting reports out there. Its all very quiet. Is it because nobody is using it yet (in anger)?

Just from a PR point of view AccessData seem to be doing a very good job of re-branding the company. The ACE, Access Certified Examiner, qualification is now free, easy to access, and open to all. Some may say its too easy to access, but it gets people into using their tool and certified. The ACE shows a level of accomplishment on their tool, which is what vendor certificaion is all about.

AccessData now even have a YouTube Channel, which looks slick and is the same style as their ACE videos.

So AccessData looks good, their certification is easy to access, and they are engaging with their clients. But does FTK 3 work, or is it style over substance?

This author has no idea, but is looking forward to finding out.

Forensics: FTK 3

Today, 24th August 2009, is the preview day for FTK 3.0.

Could this be the long awaited FTK product that FTK 2 should have been?

Several months ago a determined attempt was made by this author to get FTK 2.x working this failed. A few weeks ago another attempt was made to get FTK 2 working. This also failed, until AccessData’s technical support was called

The support from AccessData was superb: However it did take several hours, of continual assistance on the phone, to get FTK almost working. After a day or so FTK 2 was running. But the penalty was huge, and involved writing off two complete days to get FTK 2 running on a single machine (as well as the previously time wasted). The time penalty was so huge that FTK 2.x was not installed on any other machines as the time penalty was just too  great.

Because FTK could not effectively  (i.e. in realistic time scales) be installed on multiple machines in the same lab, its not currently being used by this author.

AccessData has had all the pieces in place to create a top of the range tool for a very long time, they have had indexing, file carving, reporting, a fantastic imaging tool and a brilliant registry viewer; one which  knocks the spots of EnCase. They just can’t put them together [This is not strictly fair as FTK 1.x was also a great product but limited by its age]

AccessData let the market down by the FTK 2, however the company has moved on since then, new staff, new products, new outlook, and a revamped  qualification.

The market were quite rightly angry at AccessData for the farce that was the FTK 2.0 release, but the anger was probably only so high as because people wanted so much from the new tool and had waited so long in so much anticipation.

The FTK 3 will be a different release. People are not as hopeful as they were with FTK 2, expectations are lower. This means that AccessData can’t fall as far.

In fact if FTK 3 works and can be installed easily people will probably be quietly happy. If, and its a big if, it can deliver what it says it can, it will be great tool.

Below is the marketing spiel about FTK 3

AccessData has announced the preview of Forensic Toolkit® 3.0 (FTK®) which will be demonstrated at HTCIA International on August 24th in Lake Tahoe, California. Below are just a few highlights of the FTK 3.0 release…

Reengineered for Improved Performance:

* UI Performance: The FTK GUI is 10 times more responsive across the board, even on machines with only 4GB of RAM.
* Indexing: Indexes quickly and search results populate fast, even with large result sets.
* Distributed Processing: Every copy of FTK 3 comes with 4 workers, allowing you to leverage CPU resources from up to 4 computers (3 distributed workers and 1 worker on the main FTK examiner system).

Compelling New Capabilities:

* RAM Analysis: Enumerate all running processes from 32-bit machines, search memory strings, and process RAM captures for passwords, html pages, lnk files and MS Office documents.
* Mac Analysis: Many new capabilities, such as processing B-Trees attributes for metadata, decrypting Sparse Images or Sparse Bundles, PLIST support, SQLite support and more.
* Pornographic Image Identification: Enables the automated detection and identification of pornographic images by analyzing visual features in the image to assess its actual visual content.

About AccessData

AccessData has pioneered digital investigations for twenty years, providing the technology and training that empower law enforcement, government agencies and corporations to perform computer investigations of any kind with speed and efficiency. Recognized throughout the world as an industry leader, AccessData delivers state-of-the-art computer forensic, network forensic, password cracking and decryption solutions. AccessData’s Forensic Toolkit® and enterprise investigative solutions enable examiners to search for, analyze and forensically preserve electronic evidence for the purposes of criminal investigations, internal investigations, incident response and eDiscovery. AccessData is also a leading provider of digital forensics training and certification with its much sought after AccessData Certified Examiners (ACE) program. For more information on AccessData visit http://www.accessdata.com.

Forensic Cloner: LogiCube Dossier

Its here, and about time to. At last a cloner that can produce E01 images, the Logicube Dossier. It follows on from Logicubes Quest, which was a nice bit of kit ayway.

The Logicube Dossier has pretty much everything you want from a cloner

Forensic Dossier

Forensic Dossier

  • 6/gb min imaging rates
  • The ability to create clones, DD images or EO1 Images
  • Logging facility
  • Multiple Images.
    • It can be used to create two images, from one evidence drive simultaneously.
    • Alternatively it can image/clone two hard drives simultaneously.
  • It can handle SCSI, S-ATA, IDE, or USB
  • It can image direct from a computer (laptop or mac) by booting the device with software provided
    • This will slow the imaging down, compared to the 6 GB/min through put rate, which is based on imaging S-ATA to S-ATA

What more is needed from a forensic imaging tool? Well, the price could be less. These things are not cheap. Especially when compared to a laptop to do the imaging on.

Forensic Cloner: LogiCube Quest Cloner

Note: This device has now been superseded by the Logicube Dossier

The Logicube Quest Cloner is an upgrade from the Logicube Talon, which already surpassed the ICS Solo3 in speed.

Quest Forensic Cloner

Quest Forensic Cloner

Reaching just upto 6 GB/min, this is now twice the speed of the ICS Solo3. Its finish is better than the Talon, and can image the DCO and HPA (like the Solo3 and Talon).

Currently, its probably the best one to one cloning device on the market.

Forensic Cloners: ICS Mass Cloner

For years Logicube have always produce a cloner that is slightly faster, or with slightly more features than ICS. But now ICS have produced the mother of all cloners the  Rapid Image 7020.

ICS Mass Cloner

ICS Mass Cloner

This machine, with levers big enough to make Dr Frankenstein happy, can image 10 drives at a time. Each with a maximum speed of 6 GB min. This would mean that a total of  60 GB a min or 3.6 TB of data per hour can be imaged with one device.

It also has the ability to log everything that is occurring, through a SQL database.  For those collecting hundreds of drives onsite, this would all the process to be done simply and easily, from a single centralized room.

But the device is not without its problems. Firstly, its $11,000 (USD). While that’s not very much for any company involved in large scale data collection, its still a hefty chunk of change. For the same price 10 laptops could be bought, to achieve the same goal  (but with more cables).

Secondly, by default, it does not seem very portable, what with those big levers. Large data collections are not a problem in the lab, but onsite. So it needs to be taken onsite.

Thirdly, it doesn’t support laptops by default, that’s an “add on” and its not clear if can support 10 laptop drives at a time, or just a few.

They still don’t produce Eo1 images, but staying with the DD image, which means there is no compression.

Overall its big, its yellow, it can image a lot of drives, and will be great for those large scale onsites, where you fully immerse yourself in the company. But for the smaller cases, imaging using the local machine, or with laptops its just too much.


Forensics Cloners: Talon

The Forensic Talon cloner, by Logicube, has been available for serveral years now, and at the time of its release it was the fastest on the market.

The Pro’s:

  • Its fast. Very fast. It states it can get upto 4 GB a min, and it can. If both drives are good S-ATA drives you will get those speeds.
  • It has a really good logging functionality, and stores everything you need to on flash media.

    Talon Cloner

    Talon Cloner

  • It can conduct a “keyword search” across the drive during the imaging (don’t expect the functionality of EnCase or FTK).
  • It has a good level of functionality, with cloning, imaging, and wiping functionality, as well as MD5 of SHA hashing, and verification methods.
  • If can be used as a write blocker as well as a cloning/imaging device.
  • It checks to see if data is moving over the cables correctly.

The Cons

  • Its plastic and feels cheap. Its not, but it looks and feels it.
  • The logging is fantastic, but it if the flash media is not present it will not image as it cannot log. i.e. if you leave the  flash media out of the kit, by mistake, you may as well not have the cloner at all.
  • It images to FAT32 only, no NTFS capability, and file names are restricted to 8 characters.
  • If you open the device, while the external IDE cables are connected (easy and often done) it can damage the connectors and ruin the cloner
  • The verification methods, involving data lines, can some times produce false negatives. I.e. The system will sometimes state that there is an error with the imaging/cloning functionality, even though the image is good.

Forensics: What is imaging?

What does “imaging” a hard drive mean?

Imaging is the process of taking an exact copy of a hard drive, and is the very foundation of computer forensics, data recovery and electronic discovery processing.  It takes every single 0 and 1 on one hard drive and puts it on another

The imaging process, for most tools, takes an exact copy of each sector, starting at the first sector, Sector 0, then continues until the last sector.

Once a sector is read by the imaging tool it is then written down again onto another media.  Depending on the tool, the settings, and the users requirements, will depend on the how the data is stored.

Generally the options are:

Copy one sector to another sector: Cloning.  In this process each sector is mirrored onto another sector. Sector 1 of the source is copied to sector 1 of the destination, sector 63 is copied to sector 63, etc. At the end of the process the media being written to will be an exact copy of the original drive. In theory you could put the cloned drive into the computer the original computer came from and it would boot successfully. For example, if the original drive is 100 GB, with one 100GB partition)  and the destination media is 250 GB all of the 100 GB would be cloned to the 250 GB drive and the rest of the 250 GB would be blank. If the 250 GB drive was connected to a hard it would state that there was one 100 GB partition, and the remaining 150 GB would be “unused”.  The drive could be navigated and used as if it were the original drive.

As long as the exact number of sectors that have been imaged have been recorded the exact end of the 100GB clone on the 250 GB drive could be demonstrated.  This is a perfectly legitimate method of imaging drives, and historically was the most popular.

Note for this reason the destination drive must be zeroed/blank before the process starts.

Copying to a file: Raw/DD. In this process every sector is copied to another sector on the destination drive, but rather than cloning the data. e.g. Sector 1 is copied to Sector 1,  the data is put into a file. This is a very important difference. Firstly it means that the destination media HAS to be formatted, i.e the imaging drive cannot be completely blank. Secondly it means that you cannot boot a physical machine from the image directly (there are options using virtual machines, mounting the drive, or creating a clone). It is also important to understand that as the data does not have to be sequential or contiguous in a file (as it can be fragmented) the data being written on the destination drive will not be necessarily be sequential.

Example A 40 GB drive is to be imaged to a 250 GB hard drive. The 250 GB drive is formatted with NTFS. The imaging tool is set to create a raw file, called image1.raw, on the destination (250 GB) drve.  Sector 0 of the source drive is read and written to the first sector of image1.raw, sector 1 is then read and written to sector 2 of the file…sector 63 is then writen to the 64th sector of file..etc.  While the sector numbers appear very similar they are not because the first sector of the file image1.raw, could be 1,453,642, and therefore the second sector would be 1,453,643, and the third 1,453,644. As NTFS has the ability to fragment files, the 4th sector could be 2,743,203, or any other available sector. The actual physical sectors on the destination hard drive do not matter because that is handled by the NTFS. This will continue until every sector of the 250 GB drive is completed. The end result is a 100 GB file that is an exact duplicate of the original hard drive, that can be moved between media, across networks, backed up, and examined by tools like Encase, FTK, etc.

The difference between a Raw and DD format is that the latter will chunk up the data into set sizes, so that a single large file does not have to be created. For example, if a 1 TB drive is required to be imaged then the raw image would create 1 1 TB file, which could be problematic. However, if DD is used it will create multiple files of a set size (determined by the user) e.g. the max file size for the DD file could be set to 2 GB. This would mean that 500 2GB images would be created. This would result in image files like this image1.dd.1 image1.dd.2…image1.dd.500. When the DD is opened by FTK,  EnCase, or the like the DD image is then reassembled and the drive is viewed as if it were a raw or clone.

Copying to an image/propietary  file: E.g. E01.

This is the next stage on from an a raw or DD file. In this case when a sector is written down it is not a case of 1 sector to 1 sector, this is for several reasons. Firstly, programs like EnCase allow for compression, this means that muple sectors are compresed into a single sector. This is most effective when imaging hard drives with a lot of blank data. This means that a very large drive can be compressed significantly, an example of this is the Eo1 image created for the NTFS quiz on this site. This is a 40 GB drive, that has been compressed down to a few hundred MB, using EnCase, because most of the drive is blank. In addition to the compression of image files, such as E01, put in a variety of check sums and security features todetect if the files have been tampered with. More information on the E01 file is avaiable here.

Imaging Tools

There are many imaging tools and systems on the market from the boot drive BackTrack which has a DD imaging tool installed and ready to Encase, the most famous/popular/expensive of forensic toosl which can only create E01 files, to FTK Imager, a light weight free imaging tool that can produce E01 Files, RAW, or DD images.

Despite claims of perfect imaging etc, no image tool is really perfect and deals with errors in different ways, this article shows the effectiveness of different imaging tools

Follow

Get every new post delivered to your Inbox.

Join 29 other followers