Attributing FTK data carved images to a particular user.

markfu14
(@markfu14)
Posts: 14
Active Member
Topic starter
 

What is the best way, if at all possible, to attribute images that were recovered from "drive free space" to a particular user on a machine? There are 45 different profiles on this particular computer, and I have recovered images using the Data Carving feature in FTK that would be of use to the case but have no way of tying them to a user. Any ideas on how I could do this?

 
Posted : 08/09/2005 2:18 am
(@gmarshall139)
Posts: 378
Reputable Member
 

If these are images taken by a digital camera you may compare the metadata with images found in one of the profiles. 45 users is tough to work through. You may also try and determine how these images came to be on the computer. If they were emailed then look for them in base64 format under one of the profiles. If they were downloaded from the internet try to determine from what sites and work through the temp internet files.

 
Posted : 08/09/2005 7:16 am
(@djpnp)
Posts: 24
Eminent Member
 

MRUs and link files immediately spring to mind.

 
Posted : 08/09/2005 1:34 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I think that it really depends on whether you want to say "definitely" or "most likely" or "perhaps" when making your attribution.

The first thing one needs to do in a situation like this is reason through the issues. First, the images were pulled from "drive free space". Presumably, this means unallocated sectors/clusters…meaning that the files themselves had been deleted.

At this point, do the images have any identifying information with them, such as a filename? Are the images JPGs that have EXIF data embedded? If there is embedded EXIF data, or a filename included in a comments field within the image, what is the likelihood that the names had been changed?

Think about how tools like FTK go about their data carving…they locate sectors in unallocated space that may have what looks to be a file of a particular type. It then attempts to open the file using the necessary viewing algorithm for the type of file it thinks it's found. Since the file is in unallocated 'free space' and was deleted, there likely isn't a FAT or MFT table entry pointing to the file, so filenames and MAC times are gone.

Given this, how would one go about associating MRU lists and shortcut (.lnk) files with a particular image?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 08/09/2005 3:45 pm
markfu14
(@markfu14)
Posts: 14
Active Member
Topic starter
 

The graphics are .jpgs that I assume were downloaded from the internet. You are right and there isn't a FAT or MFT table entry pointing to the file, and the filenames and MAC times are indeed gone. There is no metadata associated with the graphics that FTK could recover, so it is really just an assumption that they were downloaded via the web.

 
Posted : 08/09/2005 6:37 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

You may try parsing them out. Hash each (complete) image. Add them into your known file filter as a custom hash set (not sure how this works in FTK). Then run the KFF and look for identical images in the allocated space. If you are able to find 10 out of 100 or 1000 identical files in a single user's profile, then it's not much of a stretch to point to that user.

 
Posted : 08/09/2005 7:33 pm
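The hash-set approach described in the post above, as an added example that is not from the thread or from FTK: hash every carved image, then walk each user profile in allocated space and count files whose hash matches. It assumes the carved images have been exported to a directory and the profiles are mounted read-only under one root (the "Documents and Settings" layout and SHA-1 are assumptions, not anything the poster specified); the sample tree is constructed inline so the script runs offline.

```python
import hashlib
import tempfile
from collections import Counter, defaultdict
from pathlib import Path


def sha1_file(path, chunk=1 << 16):
    """Stream-hash a file so large images do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_hash_set(carved_dir):
    """Hash every exported carved image: {hash: [carved file names]}.
    Only complete carves are useful here; a truncated carve will never
    hash-match its allocated original, so expect misses, not false hits."""
    hashes = defaultdict(list)
    for p in Path(carved_dir).iterdir():
        if p.is_file():
            hashes[sha1_file(p)].append(p.name)
    return hashes


def match_profiles(hash_set, profiles_root):
    """Walk each profile directory (one per user) and count allocated files
    whose hash is in the carved set. Returns (hits per profile, matched paths)."""
    hits = Counter()
    matched = defaultdict(list)
    for profile in Path(profiles_root).iterdir():
        if not profile.is_dir():
            continue
        for p in profile.rglob("*"):
            if p.is_file() and sha1_file(p) in hash_set:
                hits[profile.name] += 1
                matched[profile.name].append(str(p.relative_to(profiles_root)))
    return hits, matched


def demo():
    """Constructed sample tree (assumed XP-style profile layout): two carved
    JPEG-like blobs, three profiles, one profile holding both images."""
    root = Path(tempfile.mkdtemp())
    carved = root / "carved"
    carved.mkdir()
    (carved / "00001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"A" * 100)
    (carved / "00002.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"B" * 100)
    profiles = root / "Documents and Settings"
    for user, fills in {"alice": [b"A", b"B"], "bob": [b"C"], "carol": [b"A"]}.items():
        cache = profiles / user / "Local Settings" / "Temporary Internet Files"
        cache.mkdir(parents=True)
        for i, fill in enumerate(fills):
            (cache / f"img{i}.jpg").write_bytes(b"\xff\xd8\xff\xe0" + fill * 100)
    hits, _ = match_profiles(build_hash_set(carved), profiles)
    return hits
```

A profile with many hits is evidence about where copies of the images were stored, not proof of who was logged in; the later replies about browser history and logon events are what tie a profile to a person.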
(@jlindmar)
Posts: 30
Eminent Member
 

What about internet history? You may find the same images cached. Try running NetAnalysis' Deleted History Extractor across the image or write-protected drive. It will pull all internet history available (not just deleted), including user information. There may be a lot of information to filter through.

 
Posted : 08/09/2005 7:39 pm
markfu14
(@markfu14)
Posts: 14
Active Member
Topic starter
 

I did run NetAnalysis and found some of the images that way, but unfortunately, the user was using Netscape, and like I said earlier, there are thirty or forty profiles on the machine and there is no way to tie the browsing history to a particular user unless I can prove that the user was physically at the machine, possibly with the SecEvent log.

 
Posted : 08/09/2005 7:43 pm
(@armresl)
Posts: 1011
Noble Member
 

Take a step away from the computer forensic realm for a second and put the user at the machine through other means. Work, activities, church, favorite shows, sporting activities, credit card receipts, calling card items, etc.

 
Posted : 09/09/2005 12:06 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

If you found the images in "free space" I would try and locate an INFO2 file. This may tell you the full path that the image was deleted from as well as time.

Andrew-

 
Posted : 09/09/2005 7:15 pm