Monday, 9 April 2012

First time FTKImager tutorial

Welcome, everyone, to my first blog. It's been a goal of mine to improve my skills in Incident Response and Ethical Hacking, and this will be the first of many posts as I begin that process.

For this entry I've decided to focus on FTK Imager. I'd never used this software before today, but felt it was a good place to start as it leads into many other tools that I'm keen to use.

Currently my lab is running in VMware Workstation. I've created one Windows XP SP3 VM on a host-only network with the IP address range 10.10.10.x. I've also installed Ubuntu 11.10, which is currently running a Squid proxy. This VM has two interfaces and proxies connections out through my local network. With limited hardware, this is currently my best method of containment. I've also configured the SANS SIFT virtual machine, which I'll be using in later posts.

The long-term plan is to run some live malware in my lab and then use the tools I've learnt along the way to investigate what actions the malware has taken. In this case the machine is a clean install of Windows and there is currently no malware on it.

So I began by downloading FTK Imager and installing it on my local computer. I then copied it to a USB drive and connected that to my Windows XP virtual machine. This machine currently has only a 10 GB hard drive, for ease of imaging now and in the future.

Once the USB drive was connected I ran the FTKImager.exe application. Once the application loaded I selected the Create Disk Image option.

I selected Physical Drive as I wanted to grab the whole drive. There may be cases where you only want the Logical Drive (a single volume) or certain other content, but if you're ever unsure you're best to take the Physical Drive: it captures the partition table, every volume on the disk, and the unpartitioned space between and after them, where deleted data and hidden partitions can sit, while a logical image only captures the one volume. I don't believe I've ever met an investigator who complained that they had too much information to deal with an incident, which is why the physical drive is always the best choice.
The virtual machine has only one hard drive, which is the first one listed in the screenshot. Select it and press Next.
There are a number of image output types, and for this case I selected Raw (dd). I've read a number of articles that recommend it as providing the most flexibility, which is what I want, since I may use a number of tools and a raw image should be readable by any tool I'd like to learn. A raw image is a sector-for-sector copy with no container format, which is exactly why every forensic tool can open it; the trade-off is that it isn't compressed and carries no embedded metadata or hashes, so keep the summary text file FTK Imager writes beside the image, as that is where the case details and hashes live.
The following step involves adding some information, or metadata, to the final image. Whatever your purpose in creating the image, you're best to be as descriptive as possible here. You never know when you'll come back to an image or want the reason it was taken, and this information should provide those details.
Finally, select the image destination. In this case I've connected one of my larger hard drives, with enough room to store the 10 GB image. The destination must be a separate drive from the one being imaged, as writing onto the source would alter the evidence you are trying to capture.
Once you press Finish the image creation process begins. As my drive wasn't too large the process only took around 18 minutes, but obviously depending on the size of your hard drive it may take much longer.
When the imaging is complete you're provided with the verification results and the hashes. FTK Imager computes MD5 and SHA1 hashes of the source as it reads it, then re-reads the image it wrote and reports whether the two sets match. Record these values with the image; anyone working from it later can recompute them to show the copy is still identical to what was acquired.
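As an added example (not code from the original post, and not part of FTK Imager), the Python script below ties the two points above together: it parses the MBR partition table of a raw (dd) image to show what a physical image holds that a logical image of the one volume would not, and it recomputes MD5 and SHA1 over the image (or its .001/.002 segments in order) so the hashes FTK Imager reported can be verified independently later. It assumes a constructed 1 MiB image with a single NTFS-typed partition at LBA 63 in place of the 10 GB drive, and derives the "expected" hashes from that image where you would paste the values from FTK Imager's verification results.

```python
"""Inspect and verify a raw (dd) disk image.

Added example, not code from the original post or from FTK Imager.
The sample image below is constructed in memory; the partition layout
(one partition starting at LBA 63) mirrors a classic Windows XP disk.
"""
import hashlib
import struct
from typing import Dict, Iterable, List, Tuple

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


def build_sample_image(total_sectors: int = 2048) -> bytes:
    """Constructed sample: one NTFS-typed partition (type 0x07) of 1000
    sectors starting at LBA 63, plus a remnant string in the unallocated
    tail that only a physical image would capture."""
    disk = bytearray(total_sectors * SECTOR)
    # Partition entry 0: bootable flag 0x80, CHS fields zeroed (tools use the
    # LBA fields), type 0x07, start LBA 63, length 1000 sectors.
    disk[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 1000)
    disk[510:512] = MBR_SIGNATURE
    remnant = b"deleted-file-remnant"          # constructed "deleted" data
    off = 1500 * SECTOR                        # well past the partition end
    disk[off:off + len(remnant)] = remnant
    return bytes(disk)


def parse_mbr(image: bytes) -> List[Dict[str, int]]:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature at offset 510; not an MBR physical image")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            "<B3sB3sII", image[off:off + 16])
        if ptype == 0x00:                      # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def partition_bytes(image: bytes, entry: Dict[str, int]) -> bytes:
    """The bytes a *logical* image of this one volume would contain."""
    start = entry["lba_start"] * SECTOR
    return image[start:start + entry["sectors"] * SECTOR]


def unallocated_ranges(image_len: int, entries: List[Dict[str, int]]) -> List[Tuple[int, int]]:
    """Byte ranges outside every partition: MBR gap, inter-partition slack, tail."""
    used = sorted((e["lba_start"] * SECTOR, (e["lba_start"] + e["sectors"]) * SECTOR)
                  for e in entries)
    ranges, cursor = [], 0
    for start, end in used:
        if start > cursor:
            ranges.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < image_len:
        ranges.append((cursor, image_len))
    return ranges


def hash_chunks(chunks: Iterable[bytes]) -> Tuple[str, str]:
    """MD5 and SHA1 over a byte stream (e.g. image segments fed in order)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def read_segments(paths: Iterable[str], block: int = 1 << 20) -> Iterable[bytes]:
    """Stream a raw image split into image.001, image.002, ... in name order."""
    for path in sorted(paths):
        with open(path, "rb") as f:
            while True:
                chunk = f.read(block)
                if not chunk:
                    break
                yield chunk


def verify_image(chunks: Iterable[bytes], expected_md5: str, expected_sha1: str) -> bool:
    """True only if both recomputed hashes match the ones recorded at acquisition."""
    md5, sha1 = hash_chunks(chunks)
    return md5 == expected_md5.lower() and sha1 == expected_sha1.lower()


if __name__ == "__main__":
    img = build_sample_image()
    parts = parse_mbr(img)
    for p in parts:
        print("partition", p)
    print("unallocated byte ranges:", unallocated_ranges(len(img), parts))
    print("remnant in physical image:", b"deleted-file-remnant" in img)
    print("remnant in logical image: ", b"deleted-file-remnant" in partition_bytes(img, parts[0]))
    md5, sha1 = hash_chunks([img])           # stands in for FTK Imager's reported hashes
    print("MD5 ", md5)
    print("SHA1", sha1)
    print("verified:", verify_image([img], md5, sha1))
```

Against a real acquisition, call `verify_image(read_segments(glob.glob("xp.0*")), md5_from_ftk, sha1_from_ftk)` with the values copied from the verification dialog or the summary text file; the hashes must be computed over the segments concatenated in order, never per segment. Recomputing them with a tool other than the one that wrote the image is what lets you show, months later on SIFT, that the copy has not changed since acquisition.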
In my next tutorial I'll begin by using the SANS SIFT virtual machine to open this image and start investigating it with tools such as RegRipper and The Sleuth Kit. Once I've become familiar with these basics I'll begin running live malware and we'll investigate what has occurred.
