Monday, March 4, 2013

Using FTK Imager Lite Command Line


The Options


As with nearly all programs in Linux there is a help file that lets the user see what options are available and the proper syntax.  Unfortunately ftkimager does not have a man or info page, so we will have to settle for the help file.  You can access the help file either by typing invalid syntax after ftkimager or by typing sudo ftkimager --help and hitting enter. 

It is also important to note that double dashes (--) are required to make all the options work, instead of the standard single dash or forward slash. 


A list of options and a short explanation for each will appear.  I will try to go into a little better detail for some of the options while others are self-explanatory.  I will explain the different options first and then go into detail about how to use the syntax correctly after.  If you want to just see how to run the syntax you can jump to near the end.

--help    : This will show the help file.  (duh)

--list-drives   : This will show you a list of drives that are available to use, either to copy from or a drive to copy the information to.  It can be shown as a /dev/sda or a /media/[media name] or however you have your media connected.  It is not as important to know which type of connection it is as long as you know which drive is which.

--verify  : This option will allow you to verify that the image was successful in copying correctly.  This will usually take about as long as it did to image the drive so be prepared to wait a while if you have a large drive you are imaging.  It will also provide you with the hash value of the source and destination images so that you can be sure that they are the same.  I would suggest this for any drive that you want to ensure the integrity of and I usually use it all the time even for small things like testing just so I am in the habit.

--print-info /drive  : This option will allow the user to identify different characteristics about the drive they are either acquiring or the drive they are putting the image on.  It will tell you the drive geometry as well as the physical information such as connection type and drive model.  This can be useful if you are not 100% sure about which drive is which and need to see more information about the device. It can also be useful when doing documentation of the drive for your paperwork if needed.  As a side note here, this will not actually perform any function other than listing the information.  If this is added to a string then the whole thing will be “theoretical” in the sense that no actual image will be created.

--quiet  : This should be obvious to anyone with a little common sense.  If you use this option you will not see any information during the imaging process.  I would suggest not using this option ever because there is no real legitimate purpose for using it that I can see. 

--no-sha1  : This is another one of those options that is not really necessary to include in your syntax.  It will make the program not compute the SHA1 hash value during the acquisition phase or the verify phase.

(The following options are only to be used when you specify the name of the file on the destination drive)

--s01  : Creates a .s01 file out of your image so that you can use it in programs that work with .s01 files.  (http://www.dfrws.org/CDESF/survey-dfrws-cdesf-diskimg-01.pdf ) provides a list of different forensics image file types that are used and the .s01 is on the last 2 pages.  It is a file type that is supported in FTK as well as SMART Linux, which I have not had the pleasure of working with but can be found here [http://www.asrdata.com/forensic-software/smart-linux/ ] {gogo inception style side remarks}).  Please do not judge the quality of this blog off of the last sentence structure, I should probably change it but it does reflect well of my sense of humor so I believe I will leave it.

--e01  : If you have any experience with forensics and more specifically EnCase, you should have a pretty good idea about what this option does.  I will give you a hint *It creates an .e01 file so you can run it in EnCase*… O wait that was a little more than a hint.  O well let us move on to the next section which deals directly with the .s01 and .e01 files that were created (if you used the previous options). 

--case-number “x” : Provides you with the ability to set a case number for your acquisition.  If there is a space in the number then you must put them in quotation marks or you will end up with an error.  This rule applies to all of the following options as well.

--evidence-number “x”  : Creates an evidence number for your imaged drive when you convert it to .e01/.s01 so that the program you use will be able to automatically fill that section in. 

--description “x”  : Allows you to write up a description of the image that you are creating, such as “Suspect_Whover_Laptop”.  It does not have to be elaborate or specific; it really depends on what your investigation needs or how your company does it.

--examiner “x”  : Examiner's name…. That’s you dummy.  Sorry, but seriously put your name there or they will wonder who did the amazing job of imaging the drive (as long as you follow my blog it should be no problem).

--notes “x”  : Put your case notes here if needed.  It can be useful if there is something special about the image or if there is information that anyone working on the image will need to know.

That ends the section about e01/s01 files specifically. 

--frag x {K|M|G|T}  : This option will allow you to break the image into fragments of a predetermined size for easier storage.  The size of each fragment will be “x” in whatever size section that you selected.  You could also put Kb|Mb|Gb|Tb as well for powers of 10 instead of 2 which is normally used.

--compress x  : sets the compression level from (0-9) where 0=no compression (which makes no sense because if you put 0 you may as well have not added this option), 1= fastest compression method, 2= fast but better compression, and so on and so forth until 9 which creates the best compression rate but will also be the slowest.

The next section is about encrypting the image
*Note – This section is optional but if you are working with all Access Data tools such as the Forensics ToolKit (FTK) for the main investigation it may be worth using these options.  That being said, if you are planning on using EnCase, Autopsy, or any other number of forensics tools I would suggest not using the encryption methods mentioned here and instead use something like Truecrypt or other means to protect your information.  I also do not have a lot of experience using the encryption functions with FTK imager lite so I would strongly urge you to think about using the following functions.  I will continue to research this section more and will have another update on it at a later date. (for now you can read Zoltan Szabo’s blog post about FTK imager encryption as it is really good. http://zoltandfw.blogspot.com/2012/10/ftk-imager-cli-with-certificate.html)

--outpass “x”   : Encrypts the image with the password “x”.  This should be used if the image needs to be kept private from other people or if it is being used on a drive that multiple people use.  It is probably a good habit to use this command if you deal with lots of sensitive information.

--inpass “x”  :  Decrypts an image from the source file with the password “x”.  This is the opposite of the outpass option and is used to decrypt what outpass encrypted.

--outcert C “x”  : Encrypts the image using a certificate “C” with the password “x”.  This will ensure that your image can only work with Access Data products by creating a certificate that is unique to their forensics tools.  I would be hesitant about using this.

--incert C “x”  : Decrypts the image using the certificate “C” and password “x”.


Usage


Wooo, now we get to the part where I stop droning on about options and whatnot and get to the good stuff: how to actually use this tool.  Overall it is not a hard tool to understand once you know what the options do, and that is why I included that section first.  The syntax to make an image is as follows:

sudo ftkimager source [dest_file] [options]

Beautiful isn’t it? Simple and elegant in design and function, and now you should be able to understand exactly what is needed!  Let us try a few practice commands.

sudo ftkimager /sda /sdb1/cases/Randy\ 5/ --e01 --frag 2GB

This command will make a copy of /sda (the source) and place it in /sdb1/cases/ (the dest_file) and name it “Randy 5”. It will be an E01 file and be segmented into 2GB files.  Pretty easy right?  Let’s try another

sudo ftkimager /sda /media/travel\ drive/example/john --s01 --quiet

Well how about that, do you know what all that did?  I will tell you if you don’t.  It created a S01 image of the /sda (usually the main hard drive) and placed it in the “travel drive” attached media and the example folder in there with the name john.  O and there would be no information present in the imaging phase to let us know how much longer it has because of the quiet option.

One more should do the trick and then we will have a whole bunch of investigators who are proficient at using this simple tool.

sudo ftkimager /sdb /media/travel\ drive/example --s01 --print-info --compress 5 --outpass th1sisAg00d1!

What would that accomplish?  If you said absolutely nothing you would be correct!! By including the print-info option we have eliminated any actual work and replaced it with what would happen if we ran it, including the hash, compression and password.
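An acquisition wrapper, added here as an example and not code from the original post, that builds the command line from the options above: every value that may contain spaces is single-quoted (the rule from the --case-number note), every option gets the required double dash, and the compression level is checked before anything runs. The source /dev/sda, the destination path and the case values are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: build an ftkimager
# acquisition command from the options described above.  Every value that
# may contain spaces is single-quoted (the rule from --case-number), every
# option carries the required double dash, and the compression level is
# checked before anything runs.  Paths and case values below are constructed.

# shquote STR: single-quote STR for the shell, escaping embedded quotes.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# check_source DEV: the source of an acquisition should be a block device
# such as /dev/sda; a regular file or a missing path is usually a typo.
check_source() {
    [ -b "$1" ]
}

# check_compress N: ftkimager accepts compression levels 0-9 only.
check_compress() {
    case "$1" in
        [0-9]) return 0 ;;
        *)     return 1 ;;
    esac
}

# build_cmd SRC DEST CASE EVIDENCE DESCRIPTION EXAMINER FRAG COMPRESS
# Prints the command line instead of running it, so it can be pasted into
# the case notes and reviewed before the acquisition starts.
build_cmd() {
    src=$1; dest=$2; case_no=$3; evid=$4; desc=$5; examiner=$6; frag=$7; comp=$8
    check_compress "$comp" || { echo "bad compression level: $comp" >&2; return 1; }
    printf 'sudo ftkimager %s %s --e01 --verify' "$(shquote "$src")" "$(shquote "$dest")"
    printf ' --case-number %s --evidence-number %s' "$(shquote "$case_no")" "$(shquote "$evid")"
    printf ' --description %s --examiner %s' "$(shquote "$desc")" "$(shquote "$examiner")"
    printf ' --frag %s --compress %s\n' "$frag" "$comp"
}

# Dry run with constructed values: review the printed line, then run it
# (for example with eval) only once it reads correctly.
check_source /dev/sda || echo "note: /dev/sda is not a block device here" >&2
build_cmd /dev/sda "/media/travel drive/cases/Randy 5/randy" "Case 12" "E-01" \
          "Suspect laptop, internal disk" "J. Examiner" 2G 5
```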

I hope that this has been helpful for everyone and you enjoy reading it as much as I did writing it.  I plan on doing more work with the SIFT workstation and reviewing more of their tools.  If you have any good ideas let me know and maybe I will get around to doing a review/test of that.  Comments are always appreciated and I will try to take time to answer any questions.

Friday, February 22, 2013

Installing FTK Imager Lite in Linux Command Line


Using the SANS SIFT workstation you have many options available when you are trying to image a hard drive, no matter if it is: dead, alive, internal, or external.  One of my favorite tools to image with is the FTK Imager command line program.   It is a lightweight, fast, and efficient means to extract the image from your suspect drive.  You can run the CMD line program on any operating system with very little difference in syntax but I will be focusing on the Linux version that comes with SIFT.

This blog post will focus on downloading and installing FTK Imager on your computer and I will put up another post in a couple days about how to actually use the command line tool.  I didn't want to overwhelm readers with a huge block of text so I decided to break up the information into two separate posts.

Before we can use FTK Imager we need to have it installed on the computer.  If you have SIFT it is already installed and you do not need to know how to install it but other versions of Linux do not have it installed by default and need to grab it from (http://www.accessdata.com/support/product-downloads).  You can select the version that you need and it will be downloaded to your machine for installation.



 I am assuming that the majority of people reading this will know at least a small bit about Linux that they will be able to install it without any troubles but for those of you who are completely new to the glory that is Linux I will give you a short explanation of how to install FTK on your computer. 

First things first, find out whether you have a 32-bit or 64-bit version of Linux by typing the following command in the terminal: uname -m. If it comes back with “x86_64” then you have a 64-bit kernel and if it comes back with “i686” you have a 32-bit kernel.  Select the appropriate version and download it to whatever directory you use; it is set to the Downloads folder by default. 



You can install it through the GUI, but what fun is that?  We are using Linux so we should know how to do everything through the terminal because it really allows you to know what is going on under the hood as well as making you feel like a superstar computer user. 

Upon downloading the file to the Downloads folder, open up your terminal and navigate there by using the cd command.  If you want to cheat and are in your own account's terminal rather than root you can just type cd ~/Downloads. The ~ character represents your home folder and, if used with the cd command, will take you to your home folder no matter where you are in the computer.  When you get to the Downloads folder you can use the ls command to view all of the files in that directory. (On a side note I use the words directory and folder interchangeably when dealing with Linux, which they are.) Determine what the FTK download is named, usually “ftkimager.x.x.x_UbuntuXX.tar.gz” where x.x.x stands for the version number of FTK that was downloaded and XX is the version that was selected (32 or 64 bit).



The next step is to extract the executable from the tar.gz file by using the command sudo tar -zxvf [filename]. The switches used mean different things and must be used in the correct case; in this instance they are all lower case.  The z is for the .gz portion of the compression, x is to extract the information from the .tar portion, v stands for verbose but this switch is optional, and finally f stands for the file that will be extracted from. 



HURRAY!!! We now have the file extracted and are ready to install it and start acquiring everything in sight! Now installing this can be incredibly difficult for anyone, even those with lots of experience…. No not really, it is actually as simple as moving the extracted file to a new directory.  Now I am going to use the directory that SIFT uses for ftkimager: “/usr/local/bin/”.  The syntax for the move is simple: sudo mv ftkimager /usr/local/bin/ and that is all there is to it.  
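The uname -m, tar and mv steps above as one script, added here as an example and not code from the original post. It assumes the tarball is named like ftkimager.x.x.x_UbuntuXX.tar.gz (as described above), installs into /usr/local/bin (the SIFT location) unless another directory is given, and refuses a tarball whose word size does not match the kernel.

```shell
#!/bin/sh
# Added example, not code from the original post: the uname -m / tar / mv
# steps above as one script.  It assumes the tarball is named like
# ftkimager.x.x.x_UbuntuXX.tar.gz (as the post describes) and installs into
# /usr/local/bin (the SIFT location) unless another directory is given.

# arch_bits MACHINE: map the output of "uname -m" to 32 or 64.
arch_bits() {
    case "$1" in
        x86_64|amd64) echo 64 ;;
        i?86)         echo 32 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# tarball_bits FILENAME: the XX from ftkimager.x.x.x_UbuntuXX.tar.gz
# (empty output and a non-zero status when the name does not match).
tarball_bits() {
    expr "$1" : '.*_[Uu]buntu\([0-9][0-9]*\)\.tar\.gz$'
}

# install_ftkimager TARBALL [INSTALL_DIR] [MACHINE]: refuse a tarball built
# for the wrong word size, extract it, and move the binary into place.
# MACHINE defaults to the running kernel; it is a parameter so the check
# can be exercised without changing the machine.
install_ftkimager() {
    tarball=$1; dir=${2:-/usr/local/bin}; machine=${3:-$(uname -m)}
    want=$(arch_bits "$machine") || return 1
    have=$(tarball_bits "$tarball") || { echo "unrecognised tarball name: $tarball" >&2; return 1; }
    [ "$have" = "$want" ] || { echo "tarball is ${have}-bit but kernel is ${want}-bit" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    # z = gunzip, x = extract, f = archive file (the post's switches minus v)
    tar -zxf "$tarball" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    [ -f "$tmp/ftkimager" ] || { echo "no ftkimager binary in $tarball" >&2; rm -rf "$tmp"; return 1; }
    chmod 755 "$tmp/ftkimager"   # make sure it is executable before moving it
    mv "$tmp/ftkimager" "$dir/ftkimager" && rm -rf "$tmp"
}

# Usage (needs root for /usr/local/bin):
#   sudo sh install_ftkimager.sh ~/Downloads/ftkimager.x.x.x_Ubuntu64.tar.gz
if [ $# -ge 1 ]; then install_ftkimager "$@"; fi
```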




Now we are ready to start using the command line version of FTK Imager.

Wednesday, February 13, 2013

Random Update

Hey Everyone,

I've been pretty quiet on here lately due to graduating, moving to New York City to start my new job, and everything else that is changing, but I am going to try to start writing here on a more regular basis.  I started my new job at Huron Consulting Group as a computer forensics analyst in their legal department and I can say that it is an interesting experience coming from college to the real world finally.

In between projects I have the opportunity to do some research of my own and I have been dedicating my time to reading Digital Forensics with Open Source Tools (http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867) and following along with that as well as teaching myself Java programming.

I have also had the opportunity to continue working with the SIFT workstation that is provided by SANS Forensics (http://computer-forensics.sans.org/community/downloads).  This is one of my favorite forensics tools to use as it already has a fantastic collection of tools and is available as a live CD so that I can image or run tools on the go without having to install anything. I would like to start doing a tutorial of the different tools involved with SIFT and how it can be used either by itself or in conjunction with other tools for verification or to fill in the gaps of other tools.

Another tool that I have been really excited to work with is the Tapeworm tool. (http://feedthetapeworm.com/)  This tool was created by a team of Champlain College students/faculty and TASC Inc.  It is a great project that automates some important tools and gives the investigators a nice record of the results.  It is only available as a VM right now and should only be used in VMware Workstation 7 or VMware Player 3 due to memory leak issues when used with newer versions of VMware.  I would highly recommend everyone taking a look at the site and trying it out.

As I said earlier I will be trying to make an effort to update this blog more often and have some more research on my different projects and research.