Saturday 18 April 2020

FTK Imager Lite

(FTK Imager Lite: Lesson 1)

{ Create FTK Imager Lite ISO with DoISO  }

Section 0. Background Information
  1. What is the Purpose of this lab?
    • This lab shows a student how to create an ISO from FTK Imager Lite.
    • Running FTK Imager from a CD or ISO does not require a forensics investigator to actually install software on the machine that is being analyzed.
  2. What is FTK Imager Lite?
    • The Forensic Toolkit Imager (FTK Imager) is a commercial forensic imaging software package distributed by AccessData.
    • The FTK Imager Lite version can be installed and executed from a CD/DVD or USB media.
     
  3. What is DoISO?
    • DoISO is a simple and great free ISO creation frontend for mkisofs.
  4. Pre-Requisite Labs
    1. DoISO: Lesson 1: Install DoISO
  5. Lab Notes
    • In this lab we will do the following:
      1. Create a VMware Shared Folder
      2. Download FTK IMAGER LITE
      3. Burn FTK IMAGER LITE to an ISO/CD
      4. Test FTK IMAGER LITE ISO/CD
  6. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.
Section 1. Log into Damn Vulnerable WXP-SP2
  1. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine Settings
    • Note(FYI):
      • For those of you not part of my class, this is a Windows XP machine running SP2.
  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button
  3. Play Virtual Machine
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Play virtual machine
  4. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Username: administrator
      2. Password: Use the Class Password or whatever you set it to.

Section 2. Enable VMware Shared Folder
  1. Virtual Machine Settings...
    • Instructions:
      1. Player --> Manage --> Virtual Machine Settings...
  2. Virtual Machine Options
    • Instructions:
      1. Click on the Options Tab
  3. Folder Sharing
    • Instructions:
      1. Click on Shared Folder
      2. Click on the Enabled until power off or suspend radio button
      3. Click on the Add button
  4. Add Shared Folder Wizard
    • Instructions:
      1. Click on the Next Button
  5. Browse to Shared Folder
    • Instructions:
      1. Click the Browse... button
  6. Browse For Folder
    • Instructions:
      1. Select either your C: Drive or USB: Drive
        • Note: In my case, I am using a USB Drive (G:)
      2. Click on Make New Folder
  7. Name Folder
    • Instructions:
      1. Name the folder --> "FTK IMAGER LITE ISO"
      2. Click the OK Button
  8. Name the Shared Folder
    • Instructions:
      1. Host path: G:\FTK IMAGER LITE ISO
        • Note: In my case, I am using a USB Drive (G:)
      2. Name: FTK IMAGER LITE ISO
      3. Click Next
  9. Specify Shared Folder Attributes
    • Instructions:
      1. Check the Enable this share checkbox
      2. Click the Finish button
  10. View Shared Folder Results
    • Instructions:
      1. Notice the share that you just created
      2. Click the OK Button

Section 3. Verify Network Connectivity
  1. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt
  2. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address is 192.168.1.116.
      • This is the IP Address of the Victim Machine that will be attacked by Metasploit.
      • Record your Damn Vulnerable WXP-SP2's IP Address.
Section 4. Download FTK IMAGER LITE
  1. Open Firefox
    • Instructions:
      1. Start --> All Programs --> Firefox
  2. Navigate to FTK Imager Lite
    • Instructions:
      1. Place the following URL into the address textbox and press enter (See Picture)
        • http://www.accessdata.com/support/product-downloads
      2. Click on FTK IMAGER
      3. Click the FTK Imager Lite version 3.1.1 Download Link
  3. Save FTK IMAGER LITE
    • Instructions:
      1. Click the Save File radio button
      2. Click the OK button
  4. Go To the Downloads Folder
    • Instructions:
      1. Tools --> Downloads
  5. Open Containing Folder
    • Instructions:
      1. Right Click on Imager_Lite_3.1.1.zip
      2. Click Open Containing Folder
  6. Extract Files
    • Instructions:
      1. Right Click on Imager_Lite_3.1.1.zip
      2. Click on Extract All...
  7. Extraction Wizard
    • Instructions:
      1. Click the Next Button
  8. Select a Destination
    • Instructions:
      1. Click the Next Button
  9. Extract Completion
    • Instructions:
      1. Click the Finish Button

Section 5. Create FTK IMAGER LITE ISO
  1. Start DoISO
    • Notes(FYI):
      1. It is not necessary to use DoISO to burn FTK Imager Lite to an ISO.  You can use Nero, Roxio, or whatever.  However, DoISO is free and good.
    • Instructions:
      1. Start --> All Programs --> DoISO --> DoISO
  2. Browse For Folder
    • Instructions:
      1. Select the Create ISO Tab
      2. Click the Blue Circle
      3. My Documents --> Downloads --> Imager_Lite_3.1.1
      4. Click the OK Button
  3. Start ISO Creation
    • Instructions:
      1. Check the DVD Video Filesystem
      2. Click the Start Button
  4. Save Filename
    • Instructions:
      1. Save in: Select My Documents
      2. File name: Imager_Lite_3.1.1.iso
      3. Click the Save Button
  5. Operation Completion
    • Instructions:
      1. Click the Close Button

Section 6. Copy ISO to VMware Shared Folder
  1. Copy ISO
    • Instructions:
      1. Navigate to the following directory
        • C:\Documents and Settings\Administrator\My Documents
      2. Right click on Imager_Lite_3.1.1.iso
      3. Select Copy
  2. Create VMware Shared Folders Desktop Shortcut
    • Instructions:
      1. Navigate to \\vmware-host
      2. Right Click on Shared Folders
      3. Select Create Shortcut
      4. Click the Yes Button
  3. Navigate to the VMware Shared Folders
    • Instructions:
      1. Double Click on the VMware Shared Folders located on the desktop
  4. Paste ISO File
    • Instructions:
      1. Navigate to the FTK IMAGER LITE ISO
        • \\vmware-host\Shared Folders\FTK IMAGER LITE ISO
      2. Right Click in the white window pane (See Picture)
      3. Select Paste

Section 7. Test the ISO/CD Image
  1. Virtual Machine Settings...
    • Instructions:
      1. Player --> Manage --> Virtual Machine Settings...
  2. Set CD/DVD
    • Instructions:
      1. Highlight CD/DVD
      2. Click the Use ISO image file radio button
      3. Click the Browse... button
  3. Browse for ISO Image
    • Instructions:
      1. Navigate to ISO Image Folder
      2. Click on Imager_Lite_3.1.1.iso
      3. Click the Open Button
      4. Click the OK Button
  4. Start FTK Imager from CD
    • Instructions:
      1. A Windows Explorer window should have opened up to the D: drive.
      2. Right Click on FTK Imager.exe
      3. Select Open
  5. Congratulations
    • Note(FYI):
      1. Congratulations, you successfully burned FTK IMAGER LITE to a CD and tested it!!!

Section 8. Proof of Lab

  1. Proof of Lab
    • Instructions:
      1. dir D:\ | findstr "FTK"
      2. date /t
      3. echo "Your Name"
        • This should be your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a Word document
      3. Upload to Moodle.

FTK

(FTK Imager: Lesson 1)

{ Install FTK Imager  }

Section 0. Background Information
  1. What is FTK Imager?
    • The FTK toolkit includes a standalone disk imaging program called FTK Imager. The FTK Imager has the ability to save an image of a hard disk in one file or in segments that may be later reconstructed.
    • It calculates MD5 hash values and confirms the integrity of the data before closing the files.
    • In addition, the FTK Imager tool can mount devices (e.g., drives) and recover deleted files.
  2. Lab Notes
    • In this lab we will do the following:
      1. Download FTK Imager.
      2. Install FTK Imager.
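The background above says FTK Imager can save an image in segments and calculates an MD5 hash to confirm integrity. The following is an added example, not part of the original lab or of AccessData's software, showing how an examiner can independently re-check a segmented image against the recorded hash. It assumes a raw (dd) image whose segments are named name.001, name.002, and so on; the file names and the sample data are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def find_segments(first_segment):
    """Return the segments of a split raw image in numeric order; fail on gaps."""
    first = Path(first_segment)
    # Assumed naming: <name>.001, <name>.002, ... (raw/dd image split into segments).
    pattern = re.compile(re.escape(first.stem) + r"\.(\d{3,})")
    found = {}
    for path in first.parent.iterdir():
        match = pattern.fullmatch(path.name)  # skips e.g. a <name>.001.txt summary file
        if match:
            found[int(match.group(1))] = path
    if not found:
        raise FileNotFoundError(f"no segments found for {first}")
    missing = [n for n in range(1, max(found) + 1) if n not in found]
    if missing:
        raise FileNotFoundError(f"missing segment number(s): {missing}")
    return [found[n] for n in sorted(found)]

def md5_of_segments(segments, chunk_size=1024 * 1024):
    """Stream every segment, in order, through one MD5 context."""
    digest = hashlib.md5()
    for segment in segments:
        with open(segment, "rb") as handle:
            for chunk in iter(lambda: handle.read(chunk_size), b""):
                digest.update(chunk)
    return digest.hexdigest()

def verify_image(first_segment, recorded_md5):
    """Return (matches, computed_md5) for a segmented image."""
    computed = md5_of_segments(find_segments(first_segment))
    return computed == recorded_md5.strip().lower(), computed

def write_sample(directory, data, segment_size):
    """Constructed sample: split `data` into numbered segments, return first path."""
    directory = Path(directory)
    for index, start in enumerate(range(0, len(data), segment_size), start=1):
        (directory / f"evidence.{index:03d}").write_bytes(data[start:start + segment_size])
    return directory / "evidence.001"

if __name__ == "__main__":
    sample = bytes(range(256)) * 40              # constructed stand-in for disk data
    recorded = hashlib.md5(sample).hexdigest()   # hash noted at acquisition time
    with tempfile.TemporaryDirectory() as tmp:
        first = write_sample(tmp, sample, segment_size=4096)
        print(verify_image(first, recorded))
```

A gap in the segment numbering is reported before any hashing is done; a missing final segment or a modified byte shows up as a hash mismatch.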
Section 1: Log into Damn Vulnerable WXP-SP2
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Start --> Programs --> VMware Player
  2. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine Settings
    • Note(FYI):
      • For those of you not part of my class, this is a Windows XP machine running SP2.
  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button
  4. Play Virtual Machine
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Play virtual machine
  5. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Username: administrator
      2. Password: Use the Class Password or whatever you set it to.
  6. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt
  7. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address is 192.168.1.116.
      • This is the IP Address of the Victim Machine that will be attacked by Metasploit.
      • Record your Damn Vulnerable WXP-SP2's IP Address.
Section 2: Download FTK Imager
  1. Open Firefox
    • Instructions:
      1. Start --> All Programs --> Firefox
  2. Download FTK Imager 3.1.4
    • Instructions:
      1. Place the following URL into the address textbox (See Picture)
        • https://docs.google.com/uc?id=0BwWG59jwoT6tMUlSWkNFUlAxanM&export=download
      2. Click Download anyway
      3. Select the Save File radio button
      4. Click on the OK Button
    • Note(FYI):
      • This lesson is based on FTK Imager 3.1.x.  FTK Imager 3.1.x is no longer downloadable from Access Data.
      • In order to complete this lesson, FTK Imager 3.1.x has been made available on Google Drive. Accordingly, you must comply with Access Data's License Agreements.
      • The latest version of FTK Imager can be found below.
  3. Go To Downloads
    • Instructions: (On Firefox)
      1. Tools --> Downloads
  4. Open Containing Folder
    • Instructions:
      1. Right Click on the AccessData_FTK_Imager_3.1.4.zip
      2. Select Open Containing Folder
  5. Extract Executable
    • Instructions:
      1. Right Click on AccessData_FTK_Imager_3.1.4.zip
      2. Select Extract All...
  6. Extraction Wizard
    • Instructions:
      1. Click Next
  7. Extraction Wizard (Select a Destination)
    • Instructions:
      1. Click Next
  8. Extraction Wizard (Extraction Complete)
    • Instructions:
      1. Check Show extracted files
      2. Click Finish
  9. Open FTK Imager Executable
    • Instructions:
      1. Right Click on the FTK Imager Executable
      2. Select Open
  10. AccessData FTK Imager - InstallShield Wizard
    • Instructions:
      1. Click the Next Button
  11. AccessData FTK Imager - License Agreement
    • Instructions:
      1. Click the "I accept..." Radio Button.
      2. Click the Next Button
  12. AccessData FTK Imager - Destination Folder
    • Instructions:
      1. Click the Next Button
  13. AccessData FTK Imager - Install
    • Instructions:
      1. Click the Install Button
  14. AccessData FTK Imager - Complete
    • Instructions:
      1. Un-Check the "Launch AccessData FTK Imager" checkbox.
      2. Click the Finish Button
Section 3: Proof of Lab

  1. Proof of Lab
    • Instructions:
      1. dir "C:\Program Files\AccessData" | findstr "FTK"
      2. date /t
      3. echo "Your Name"
        • This should be your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle