
FinalForensics 3.0 User Manual by wuzhenguang


Digital Evidence Investigation Digest Compilation (09-4)




               FinalForensics 3.0 User Manual




              Beijing Tianyuning Enterprise Technical Secret Protection Consulting Service Center

                             Digital Evidence Investigation Digest Compilation

                               September 2009




Source: FinalForensics 3.0 User Manual                  Copyright: Finaldata   Cflab.CN
                                                                       FINALForensics 3.0 Quick Guide                     3




 CONTENT

1 . FINALFORENSICS INSTALLATION & UNINSTALL................. 4
  1.1. FINALFORENSICS INSTALLATION ....................................................................4
  1.2. FINALFORENSICS UNINSTALL.........................................................................5
  1.3. FINALFORENSICS EXECUTION ........................................................................5
2 . COLLECT DIGITAL EVIDENCE ................................................... 7
  2.1. GENERATE EVIDENCE DISK IMAGE FILE ............................................................7
  2.2. COLLECT VOLATILE DATA .................................................................................8
3 . SCANNING EVIDENCE DISK IMAGE .................................... 10
  3.1. LOADING FINALFORENSICS EVIDENCE DISK IMAGE .................................. 10
  3.2. RAID COMPOSITION DRIVE ........................................................................... 11
  3.3. RECOVERY OF DELETED DATA ....................................................................... 12
  3.4. RECOVERY LOST DATA .................................................................................. 17
  3.5. SEARCH OF EXTENSION CHANGE OR FILES WITH PASSWORDS .................. 21
  3.6. SCANNING DAMAGED PARTITIONS ............................................................... 24
  3.7. RECOVERY OF DELETED E-MAIL ................................................................. 25
  3.8. RECOVERY OF DB ........................................................................................ 28
  3.9 RECOVERY OF DAMAGED OFFICE FILES ......................................................... 32
4 . DATA ANALYSIS AND SEARCH............................................ 33
  4.1. FILE SEARCH.................................................................................................. 33
  4.2. SEARCH WITH SPECIFIC KEYWORD ............................................................. 37
  4.3. SYSTEM REGISTRY ANALYSIS ....................................................................... 39
  4.4. LOGGED WEB PAGE INFORMATION................................................................ 41
  4.5. FILTER MANAGER........................................................................................... 42
  4.6. HASH SET MANAGEMENT TOOL .................................................................... 44
  4.7. THUMBNAIL ANALYSIS ................................................................................. 46
5 . ANALYSIS REPORT FUNCTION ............................................. 48
  5.1. BOOKMARK FUNCTION .................................................................................. 48
  5.2. GENERATING ANALYSIS REPORT ................................................................... 49




    1 . FINALForensics Installation & Uninstall


    1.1. FINALForensics Installation
      When you insert the FINALForensics 3.0 installation CD into the CD-ROM, the setup
      program will be launched automatically. If it does not launch, please follow the steps
      below.




               FINALForensics Installation: Installs the FINALForensics program on the system.
               Execute FINALForensics from CD: Directly executes the FINALForensics program from the CD without installing it on the system.
               Install USB Verification Key Driver: Installs the driver for the USB verification dongle/key.
               Exit: Ends the installation program.




Please select the [Install FINALForensics] button:
      The FINALForensics installation program is launched. Upon clicking the [Next (N)]
      button, the driver for the USB Verification Key is installed. Since this process may
      take several minutes, please wait while the driver is installed.
      After reading the Software License Agreement for FINALForensics, please click the
      [Yes (Y)] button.
      After entering the user name and company information, please click the [Next (N)] button.
      To change the folder in which the program is installed, press the [Browse] button and
      select the folder where you want to install FINALForensics. Then click the [Next (N)]
      button.
      The installation is completed. Please click the [Finish] button to exit the
      installation program.

1.2. FINALForensics Uninstall




      Press the [Start] button on the Task Bar at the bottom of the Windows screen
      and select [Program] – [FINALForensics] – [Uninstall FINALForensics]. The
      FINALForensics program is then automatically uninstalled from the system.

1.3. FINALForensics Execution


 In order to execute the FINALForensics program, the USB Verification Key provided
with the FINALForensics program must be installed in the system.




    <USB Verification Key>                < USB verification Key in an open USB port>
After inserting the USB verification Key into an open USB port, execute the
FINALForensics Program as follows:
 1. The FINALForensics program is installed in the system


In this case, you can execute FINALForensics Program by selecting [Start] –
[Programs (P)] – [FINALForensics] – [FINALForensics].




     2. Directly executing the FINALForensics program from CD without installing it in
     the system
     If the FINALForensics program is not installed in the system, you must install the
     driver for the USB Verification Key from the auto-run program that appears when the
     FINALForensics CD is inserted, by selecting [Install USB Verification Key Driver].
     On Windows 98/ME systems, you will have to restart the system after installing the
     driver.




    After installing the driver, you can execute the FINALForensics program directly
    from the FINALForensics CD. The program is “FINALForensics.exe”, located inside the
    \FINALForensics folder of the CD.




2 . Collect Digital Evidence


2.1. Generate evidence disk image file
 During disk image generation, FINALForensics computes a hash value of the image and
 checks the readability of the data.


 Step 1. Select [file] - [new case], and input information of the case.




 Step 2. To select the target file location, select the [analysis]-[Create Evidence file] menu.




 Step 3. When the image generation window appears, select [File compression level] and
 [File Segment size], fill in the other appropriate information, then click the [Create image]
 button.
 When image generation is completed, the “image file list” is added at the bottom of the
 analysis window.
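The imaging step above records a hash and checks readability. The script below is an added example, not part of this manual or of the FINALForensics product: it assumes a gzip-compressed segment format and a 64 KiB segment size (both constructed for illustration) and shows how per-segment and overall hashes let a later verification pass detect a damaged segment.

```python
import gzip
import hashlib
import os
import random
import tempfile
import zlib

SEGMENT_SIZE = 64 * 1024  # assumed [File Segment size]; the product's default is not stated here


def create_evidence_image(source_path, out_dir, segment_size=SEGMENT_SIZE, compress_level=6):
    """Image a source file (or raw device node) into compressed fixed-size segments.
    Returns a manifest with the overall MD5/SHA-256 of the raw source and, per segment,
    its length and SHA-256: what an examiner later relies on to prove that the image
    still matches the original media."""
    overall_sha, overall_md5, segments = hashlib.sha256(), hashlib.md5(), []
    with open(source_path, "rb") as src:
        for index, chunk in enumerate(iter(lambda: src.read(segment_size), b"")):
            overall_sha.update(chunk)
            overall_md5.update(chunk)
            seg_path = os.path.join(out_dir, f"evidence.{index:03d}.gz")
            with gzip.open(seg_path, "wb", compresslevel=compress_level) as seg:
                seg.write(chunk)
            segments.append({"file": seg_path, "length": len(chunk),
                             "sha256": hashlib.sha256(chunk).hexdigest()})
    return {"md5": overall_md5.hexdigest(), "sha256": overall_sha.hexdigest(),
            "segment_size": segment_size, "segments": segments}


def verify_evidence_image(manifest):
    """Readability check: decompress every segment and recompute the hashes.
    Returns (ok, problems); problems lists (segment, reason) for anything that fails."""
    overall, problems = hashlib.sha256(), []
    for seg in manifest["segments"]:
        try:
            with gzip.open(seg["file"], "rb") as f:
                data = f.read()
        except (OSError, EOFError, zlib.error) as exc:  # gzip.BadGzipFile is an OSError
            problems.append((seg["file"], f"unreadable: {exc}"))
            continue
        if len(data) != seg["length"] or hashlib.sha256(data).hexdigest() != seg["sha256"]:
            problems.append((seg["file"], "segment hash mismatch"))
        overall.update(data)
    if overall.hexdigest() != manifest["sha256"]:
        problems.append(("image", "overall hash mismatch"))
    return (not problems, problems)


def demo():
    """Image a constructed 200 KiB 'disk', verify it, then damage one segment and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")
        rng = random.Random(2009)  # constructed, deterministic stand-in for media contents
        with open(source, "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(200 * 1024)))
        manifest = create_evidence_image(source, tmp)
        clean_ok, _ = verify_evidence_image(manifest)
        # Simulate media damage: flip 8 bytes inside the compressed data of segment 1
        with open(manifest["segments"][1]["file"], "r+b") as f:
            f.seek(32)
            original = f.read(8)
            f.seek(32)
            f.write(bytes(b ^ 0xFF for b in original))
        damaged_ok, problems = verify_evidence_image(manifest)
        return {"segments": len(manifest["segments"]), "clean_ok": clean_ok,
                "damaged_ok": damaged_ok, "problems": problems}


if __name__ == "__main__":
    print(demo())
```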




    2.2. Collect volatile data

     Gathers the current machine’s volatile data (Network Info, Process List, etc.).


     Step 1. Select [analysis] - [collect volatile data]




     Step 2. When the “volatile data collecting” window appears, confirm the data and save
     it as a text file.




Memory Dump function
If you want to analyze a process, select the target process and select [Dump Process
Memory]. You will then have the option to save the memory contents as a Dump file.




Step 1. Select your target process from the list.
Step 2. Initiate memory dump by selecting [Dump Process Memory] button.




     3 . Scanning Evidence Disk Image

     3.1. Loading FINALForensics Evidence Disk Image


      Step 1. Upon clicking [Add a list] - [Add Evidence File], the [Read evidence file]
      dialog box is shown.


      Step 2. [Evidence File List] displays current evidence drive images.




       Note

     FINALForensics can also analyze image files created by EnCase.




3.2. Raid composition drive
  If RAID drive is not automatically recognized, you can register it manually.


  Step 1. Select [add a list] - [add RAID drive] [Add RAID manually/ automatically/
  composed]




  Step 2. When the addition is completed, the “RAID drive list” is added as in the figure below.




 If the RAID drive is not automatically recognized, register it manually as follows.


Step 1.   Select the drives that make up the RAID, and compose the RAID by pressing
the [add] button.




      Step 2. Assign the chunk size and click [OK]; the “RAID drive list” is then added.




     3.3. Recovery of deleted data
      For deleted data, a simple scan is executed by the [Deleted File Scan]
      function.




Step 1.
1. Select the evidence disk. 2. Select [Simple scan] from the menu. (You can also scan
an evidence image file by selecting the [add list]-[add image file] menu.)
3. From [Option], select [Default Scan Method] to use the pre-set scanning
functions.




      Step 2. From [option]->[Default Sort Extension], the {Sort File Extensions} window
      appears. Using FINALForensics, you can classify the scanned files by their types.




       In the “add other file extensions” field, you can add other types of extensions which are
      not registered within the “select file extension to be classified” dialogue. For instance, if
      you want to additionally assign files which have the extensions “TTC” and “OOP”,
      input the extension names into this field, as displayed below.




Step 4. During the scan, or when it completes, the “evidence analysis screen”
appears. The lists of normal files and deleted files are shown in the “directory
window” and “list window”.




Step 5. Select the data to recover from the “list window” and right-click the mouse.
You can recover the deleted data by selecting [Recover selected file] from the pop-up
menu.




Step 6. Select a path to store the recovered files and click the “OK” button to save
the recovered data.




      Step 7. You can then access the deleted data within the selected path.




3.4. Recovery of lost data
 Lost file scan
 Files damaged by formatting or partially overwritten after deletion can be recovered
 using the “lost file scan” function.
 Step 1. 1. Select [Evidence Disk]. 2. Select [Detail scan] (if the evidence is an image
 file, select the [add item] – [add image file] menu). 3. Using [option]->[Default scan
 method], you can assign the settings used for the detailed scanning of lost files when the
 Scan function is selected.




      Step 2. When you select [option]->[Default Damaged file scan extension], a dialogue is
      shown. In FINALForensics, you can restrict the scanned files by file type.




      Step 3. You can customize the file search from this window. Selecting [Detail scan]
      searches the specified items and includes the selected file types.




Step 4. When the scanning is completed, the “evidence analysis screen” is shown as
below. The lists of normal files and lost files are shown in both the “Directory Window”
and the “List Window”.




Step 5. From the “List window”, select the data and right-click the mouse. You can
recover the lost data by selecting [Recover Selected File] from the pop-up menu.




      Step 6. The scanning process consists of two steps, ‘Detail scan step 1’ and
      ‘Detail scan step 2’:
              Detail scan step 1 - search deleted files.
              Detail scan step 2 - search lost files and sort within the classification window.




                 <Detail scan step1>                           <Detail scan step2>




      Step 7. Select a path/folder to save the recovered lost data.




 Step 8. Upon completion, you can check that the lost data has been recovered to your
 selected path.




3.5. Search of extension change or files with passwords


 Signature scan
 You can search for files with an altered extension or password-protected files using
 [Signature Scan].
 Step 1. 1. Select [Evidence Disk]. 2. Select [Signature Scan] (if the evidence is an
 image file, select the [add item]-[add image file] menu). 3. Signature Scan can be set as
 the default through [Options]-[Default scan method].




      Step 2. The scanning process consists of two steps: ‘Simple scan step 1’ and ‘Detail
      scan step 2’. (Analysis of file signatures occurs simultaneously with the deleted file
      scanning process.)
              Signature scan step 1 - search deleted files.
              Signature scan step 2 - search lost files and register within the classification
               window.




       Signature scan step 1                        Signature scan step 2




Step 3. When the scanning process is completed, the “evidence analysis screen” is
shown. You can find “altered extension files” by comparing the file signature with the
extension of the data shown in the “list window”.




Step 4. You can also view password-protected files through “directory window” -
“password assigned file”.
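Sections 3.4 and 3.5 describe the same underlying mechanism: files are located by their magic bytes rather than by file-system metadata, and the signature is then compared with the claimed extension. The script below is an added example, not code from this manual or from FINALForensics; its signature table is a small constructed subset, the encrypted-ZIP check reads the general-purpose flag of the local file header, and the sample image is constructed inline.

```python
import re

# Constructed magic-number table (header, footer); not the product's own signature database
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00;"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),  # no fixed footer; also docx/xlsx/pptx containers
}
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def identify(data):
    """Signature type of a file's leading bytes, or None if unknown."""
    for kind, (head, _) in SIGNATURES.items():
        if data.startswith(head):
            return kind
    return None


def extension_mismatch(filename, data):
    """Altered-extension check: True if the claimed extension disagrees with the
    signature, False if it agrees, None if the signature is unknown."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = identify(data)
    if actual is None:
        return None
    return EXTENSION_ALIASES.get(ext, ext) != actual


def zip_is_password_protected(data):
    """ZIP local file header: bit 0 of the general-purpose flag (offset 6) marks encryption."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    return bool(int.from_bytes(data[6:8], "little") & 0x0001)


def carve(image, max_size=10 * 1024 * 1024):
    """Lost-file scan over a raw image: find every known header, then bound each file by
    its footer (or, for footer-less types, by the next header / max_size).
    Returns [(kind, start, end)]; a file whose footer was overwritten is skipped."""
    pattern = re.compile(b"|".join(re.escape(head) for head, _ in SIGNATURES.values()))
    starts = [(m.start(), identify(image[m.start():m.start() + 8]))
              for m in pattern.finditer(image)]
    carved = []
    for i, (start, kind) in enumerate(starts):
        head, footer = SIGNATURES[kind]
        next_start = starts[i + 1][0] if i + 1 < len(starts) else len(image)
        limit = min(start + max_size, next_start)
        if footer is None:
            end = limit
        else:
            end = image.find(footer, start + len(head), limit)
            if end < 0:
                continue  # partially overwritten: header present, footer gone
            end += len(footer)
        carved.append((kind, start, end))
    return carved


def signature_scan(image):
    """Carve the image and annotate each carved file with the password-protection check."""
    return [{"kind": kind, "start": start, "end": end,
             "password_protected": zip_is_password_protected(image[start:end])}
            for kind, start, end in carve(image)]


def build_sample_image():
    """Constructed raw image: slack, a tiny JPEG, a PDF, an encrypted ZIP header and a
    JPEG whose footer was overwritten (found by header, but not carvable)."""
    jpg = b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 20 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    enc_zip = b"PK\x03\x04" + b"\x14\x00" + b"\x01\x00" + b"\x00" * 22 + b"payload"
    damaged_jpg = b"\xff\xd8\xff\xe1" + b"\x00" * 16
    return b"\x00" * 7 + jpg + b"\xaa" * 5 + pdf + b"\x00" * 3 + enc_zip + damaged_jpg


if __name__ == "__main__":
    for entry in signature_scan(build_sample_image()):
        print(entry)
```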




     3.6. Scanning damaged partitions
      If a partition is deleted or damaged, you can recover the deleted drive using [Find
      Partition] and [Find Format]. Since [Find Partition] is much faster than [Find Format],
      use [Find Format] only if the “partition search” function does not produce the desired
      results.


      [How to use “Partition Search”]
      From the “partition search” option, the scanning process starts after the program
      identifies a partition.
      Step 1. Select a disk which you want to find the format in, and select [Find Format] with
      the right mouse button.




      Step 2. Determine the range of search and click “OK” button.




  Step 3. Select the desired format and click [OK].




3.7. Recovery of Deleted E-Mail


Recovery of E-mail
Since deleting an email from Outlook or similar programs removes the email’s index
  information but not the actual message, FINALForensics can typically recover the data.


Recovery of email is achieved with the following steps:


  Step 1. The drive containing the mailbox file is scanned with one of the following: Deleted
  File Scan, Lost File Scan or Signature Scan. Then select [Email] from the directory
  window. After selecting the file for recovery and analysis, right-click the mouse and
  select [Email Analysis].




      Step 2. When the email analysis is completed and a message to be recovered is
      selected from ‘List Window’ of ‘Email Analysis’ pane, you can recover the selected
      message by clicking the [Recovery] icon.




      Step 3. Assign a folder to save the recovered email and click the ‘ok’ button; the
      email message is then saved as a .eml file.




    Note
    E-mail filtering function
Narrows the data by filtering for the desired contents (sender, receiver, send date,
specific data, user-entered keyword) and provides sorting.




Example: If you select Charsyam as the Addressee, it filters out all but Charsyam.
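The filtering described in this note, applied to recovered .eml files, as an added example that is not part of this manual or of FINALForensics: the four messages are constructed inline (the addressee Charsyam is taken from the manual's own example), and the filter accepts sender, receiver, date range and keyword conditions at once and sorts the result by send date.

```python
import email
from datetime import datetime
from email import policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed .eml messages standing in for messages recovered in section 3.7
SAMPLE_EMLS = [
    "From: alice@example.com\r\nTo: Charsyam <charsyam@example.com>\r\n"
    "Subject: Q3 figures\r\nDate: Tue, 01 Sep 2009 09:15:00 +0900\r\n\r\n"
    "Attached are the quarterly figures.\r\n",
    "From: bob@example.com\r\nTo: dave@example.com\r\nCc: Charsyam <charsyam@example.com>\r\n"
    "Subject: Server maintenance\r\nDate: Thu, 20 Aug 2009 18:00:00 +0900\r\n\r\n"
    "Reminder: the maintenance window is tonight.\r\n",
    "From: carol@example.com\r\nTo: dave@example.com\r\n"
    "Subject: Lunch\r\nDate: Thu, 03 Sep 2009 12:30:00 +0900\r\n\r\n"
    "Noodles?\r\n",
    "From: Charsyam <charsyam@example.com>\r\nTo: alice@example.com\r\n"
    "Subject: Re: Q3 figures\r\nDate: Sat, 05 Sep 2009 08:00:00 +0900\r\n\r\n"
    "Received, thanks.\r\n",
]


def parse_eml(raw):
    """Parse one RFC 5322 message with the modern (EmailMessage) policy."""
    return email.message_from_string(raw, policy=policy.default)


def _addresses(msg, *headers):
    """All (display name, address) pairs found in the given headers, e.g. To and Cc."""
    return getaddresses([str(msg[h]) for h in headers if msg[h] is not None])


def _matches_person(msg, needle, headers):
    """Case-insensitive substring match on either the display name or the address."""
    needle = needle.lower()
    return any(needle in name.lower() or needle in addr.lower()
               for name, addr in _addresses(msg, *headers))


def _body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def _as_datetime(value):
    """Accept a tz-aware datetime or an ISO-8601 string such as 2009-09-02T00:00:00+00:00."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def filter_messages(msgs, sender=None, receiver=None, since=None, until=None, keyword=None):
    """Keep messages satisfying every given condition; result is sorted by Date header."""
    since, until = _as_datetime(since), _as_datetime(until)
    kept = []
    for msg in msgs:
        sent = parsedate_to_datetime(str(msg["Date"]))  # tz-aware datetime
        if sender and not _matches_person(msg, sender, ("From",)):
            continue
        if receiver and not _matches_person(msg, receiver, ("To", "Cc")):
            continue
        if since and sent < since:
            continue
        if until and sent > until:
            continue
        if keyword:
            haystack = (str(msg["Subject"]) + "\n" + _body_text(msg)).lower()
            if keyword.lower() not in haystack:
                continue
        kept.append((sent, msg))
    return [msg for _, msg in sorted(kept, key=lambda item: item[0])]


def demo(**criteria):
    """Subjects of the sample messages that pass the given filter, in send-date order."""
    msgs = [parse_eml(raw) for raw in SAMPLE_EMLS]
    return [str(msg["Subject"]) for msg in filter_messages(msgs, **criteria)]


if __name__ == "__main__":
    print(demo(receiver="Charsyam"))
```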




     3.8. Recovery of DB
     FINALForensics can recover dropped or truncated tables of Oracle, DB2, Sybase, MS SQL and Access.
      For Oracle, FINALForensics can also recover records that were deleted with the
      DELETE command.
      You can search for the desired data by selecting [Live] / [Drop] / [Delete], located at
      the bottom left of the screen.




      Step 1. Select [Database] - [DB option] and change the settings of “Data Block size” or
      “database type” and other settings.


      Step 2. For Oracle and DB2, select the file which stores the schema, then select
      [DataBase] - [Oracle/DB2 system table analysis]. When the table analysis is completed,
      you can check and edit the table schema using the “edit table” menu. You can also reuse
      a previously saved schema for your analysis by re-reading the schema.


      Step 3. Select a DB file to be checked and select [DataBase] - [open DB file].




Step 4. When the search process is completed, you can review, recover and search a
  table as shown in the following figure. In the Drop table window, connect a table
  schema by the following procedure to check the original contents of the table:
          Check the text contents of the table using [File Viewer].
          Input the table schema manually in [Edit Table].
          Select the table schema in [Select Table].




  3.8.1 [Conditional search] function
  The “Conditional search” function searches using a select statement of the
  database.
  You can search for data which meets specific conditions by entering the conditional
  statement (include, =, >, <) as in the following figure.
  “Conditional search” shows its results in a new window, and if you press the
  right mouse button on the search results, you can search again within the
  previous search results.




      3.8.2 [Find] function
Enter the record that you wish to find into the Find List and press [Add to Find List].
Select [Find Next] to initiate the Find function.
If it finds the desired data, the cursor moves to the corresponding record.




     3.9. Recovery of damaged office files


      Step 1. Select [Recover]->[MS EXCEL/POWERPOINT/WORD file recover]




      Step 2. Check the level of damage of the file.




      Step 3. Select the location where the file will be saved and recover it.




4 . Data analysis and search


4.1. File search
 In FINALForensics, you can search files with the following methods.
 ◈ File/Folder Tree
 ◈ Timeline
 ◈ Filename


 4.1.1 Navigating File/Folder tree




      4.1.2 Using Timeline




      A search using “Timeline analysis” finds files by day, month or year using the
      accessed date, modified date or created date information of the
      file(s).


      4.1.3 Using file name
      “File name search” is a method which uses file information to find a specific file. The
      search conditions provided by the file name search function are ‘file name’, ‘cluster
      number’ and ‘date’.


      Initiate “Filename search” by [Search]->[Filename Search] menu on the “Evidence
      Analysis Screen”.




  4.1.4 Find by file name
When you enter your target filename in the “filename” field of the “filename” tab and
click [Search], the filename is searched within the scanned files of the current evidence.
Since wildcards are supported, you can search by partial filename or by the file’s extension.
A special search option also confines the search to a specified folder
[the checked directory and its subfolders].




  4.1.5 Using cluster number
  A selective search within a particular cluster range can be executed by entering the start and end
cluster numbers on the [Cluster] tab. It attempts to find all files, including deleted files.
(For NTFS file systems, the MFT number is used to find the file(s).)




       4.1.6 Using date
       If you select the desired format in the “Ignore Date”, “Created Date”, “Modified Date” or
     “Accessed Date” field under the [date] tab, and input the start and end of the
     corresponding date range, all files (including deleted files) within that date range
     are located.




        Note
     You can view the search results in the {Search Result} item of the “Classification
     Window”.




4.2. Search with specific keyword
“Keyword Search” is a function which searches for one or more keywords within the
  contents of files. Advanced search options allow you to search the entire disk,
  including non-allocated clusters. This function supports regular expressions.


This function is performed from the {Keyword Search} screen. The Keyword search
  screen can be initiated by the [search]->[keyword search] menu in the Evidence
  analysis screen.
The Keyword search function can also be refined to include only check marked and
  selected files.




 The {Keyword Search} screen consists of five sub-windows. Each window is used to
show information about the searched keyword.




 If you want to find data which includes the keyword ‘data’, you can enter your
  search with the following steps:




      Step 1. Input your keyword into Keyword input window.




      Step 2. Set up the search conditions in the search options.




      Step 3. Filtering the search by extension type will increase the search time.




      Step 4. Start search by selecting [Start Search] button.




      Step 5. The {Search Result} window shows the results of the search.




 Step 6. Analyze the keyword search results in the Search contents window.




  Step 7. View the entire contents of the file which includes the keyword in the Quickview
  window.




   Note
FINALForensics can save the results of a keyword search as a file with the extension
FIF (Find Information File). A saved result can be opened with the “Open Keyword Search
Contents” function.
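A keyword search over a raw image has to look at more than the allocated, 8-bit text: Windows artifacts are often UTF-16LE, and remnants survive in unallocated clusters. The script below is an added example, not code from this manual or from FINALForensics; it assumes a 4096-byte cluster size and constructs a four-cluster sample image inline, reports each hit's byte offset, cluster number and encoding, flags hits in clusters not listed as allocated, and accepts a regular expression as the manual says the product does.

```python
import re

CLUSTER_SIZE = 4096  # assumed cluster size of the evidence volume


def _utf16le_view(image, align):
    """Decode UTF-16LE code units starting at byte `align` (0 or 1) so that char i
    sits at byte align + 2*i. Units outside Latin-1 become U+FFFD, which keeps the
    offset mapping exact (surrogate pairs would otherwise shift it)."""
    lows, highs = image[align::2], image[align + 1::2]
    return "".join(chr(lo) if hi == 0 else "\ufffd" for lo, hi in zip(lows, highs))


def keyword_search(image, keyword, regex=False, ignore_case=True,
                   cluster_size=CLUSTER_SIZE, allocated=None):
    """Search a raw image for `keyword` (a literal, or a regular expression when
    regex=True) as 8-bit text and as UTF-16LE at both byte alignments.
    `allocated` is an optional set of allocated cluster numbers; hits outside it are
    flagged as coming from unallocated space. Returns hit dicts sorted by offset."""
    pattern = re.compile(keyword if regex else re.escape(keyword),
                         re.IGNORECASE if ignore_case else 0)
    views = [("ascii", 0, 1, image.decode("latin-1"))]  # one char per byte
    views += [(f"utf-16le@{a}", a, 2, _utf16le_view(image, a)) for a in (0, 1)]
    hits = []
    for name, align, width, text in views:
        for m in pattern.finditer(text):
            offset = align + width * m.start()
            cluster = offset // cluster_size
            hits.append({"offset": offset, "cluster": cluster, "encoding": name,
                         "match": m.group(0),
                         "unallocated": allocated is not None and cluster not in allocated,
                         "context": text[max(0, m.start() - 12):m.end() + 12]})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed 4-cluster image: cluster 0 an 8-bit document, cluster 1 a UTF-16LE
    document, cluster 2 empty, cluster 3 unallocated but holding a deleted-file remnant."""
    c0 = b"Quarterly report: DATA export scheduled 2009-09-15.".ljust(CLUSTER_SIZE, b"\x00")
    c1 = "Contract data 2009-08-30 signed".encode("utf-16-le").ljust(CLUSTER_SIZE, b"\x00")
    c2 = b"\x00" * CLUSTER_SIZE
    c3 = (b"\xaa" * 21 + b"deleted memo: data leak 2009-07-01").ljust(CLUSTER_SIZE, b"\x00")
    return c0 + c1 + c2 + c3


def demo_literal():
    """Keyword 'data' with clusters 0 and 1 allocated; cluster 3 is unallocated."""
    return keyword_search(build_sample_image(), "data", allocated={0, 1})


def demo_regex():
    """Dates as a regular expression, found across both encodings."""
    return [h["match"] for h in
            keyword_search(build_sample_image(), r"2009-\d\d-\d\d", regex=True)]


if __name__ == "__main__":
    for hit in demo_literal():
        print(hit)
    print(demo_regex())
```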




4.3. System registry analysis
You can conveniently check registry data using System Registry Analysis.
The following steps are an example of checking the registry information about a USB
device that was connected to the PC.


  Step 1. First, search your system drives by selecting one of these methods: Deleted
        File Scan, Lost File Scan or Signature Scan. On the active window, select a drive,
        right-click the mouse and select [System Registry analysis].




       Step 2. When the analysis is completed, you can check the contents within [View
       System Registry] dialogue.




        Note
     Since registry information is recorded separately for each user account, you may
     select the user account that you want to emulate under the User Setting function.


       Step 3. You can quickly locate important information by using pre-defined Bookmarks.




  Among these items, if you select “USB drive information”, you can view information
  about the USB equipment which was connected to the PC.




   Note
You can easily check various information (Network Drive Connection Information, IDE
Drive Connection Information, Recent SW Use Information) through the Bookmark shortcuts.
Creating custom bookmarks is also an option.




4.4. Logged web page information
  Information about the web pages a user has visited is saved in the file Index.dat.
  FINALForensics analyzes this Index.dat file with {web history file analysis}. Logged
  web page addresses can be found using these steps:
  Step 1. Search your system drive by selecting one of these methods: Deleted File Scan, Lost
  File Scan or Signature Scan. From the active screen, select a drive, right-click the mouse
        and select [System Web History Analysis].




       Step 2. Logged webpage information is accessed from the [View URL] dialogue. The
       URL address of the webpage can be located in the upper-right-hand corner pane and
       the contents of the corresponding page in lower-right-hand pane by selecting [View]->
       [Preview].




        Note
     Since the contents of the web pages are not saved in the web history file but are downloaded
     on request, some contents or images may not be shown if the analyzer’s
     computer is not connected to the internet.


     4.5. Filter manager
     You can quickly sort the desired data within the List window using the Filter manager, which
can sort by the file’s size, name, path, type, created date, edited date, etc.
The filter manager filters normal/deleted files and directories/files and displays the refined files in the
List window, so you can analyze the most relevant files quickly.




 [Filter management tool] function
You can save your required filters so that you do not have to re-enter the filter contents each time.


  Step 1. Select [filter manager] - [add] and choose/input contents to be filtered out.




  Step 2. Select (check) a filter to be applied among filters on the Input Filter List and
  press [OK].




   Note
You can apply the filter to other folders when you uncheck “filter initialization” in the [option] –
     [Preference] - [filter] tab.




     4.6. Hash set management tool
       Using pre-defined hash values, you can easily search for a specific hash/file.




       You can apply and manage several evidence files as a set by binding the files with the
       Hash set management tool.




      Step 1. Calculate the hash values by selecting the data to be used as evidence files.




Step 2. Select [Analysis]-[compute hash value Checked item] and record the name of the
hash set and its coverage. Then select [OK].




Step 3. Select [analysis]-[hash set management tool] and check the hash set. (The default
location for saving hash sets is C:\. You can change it under [setting] - [top-level path].)
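The hash set workflow above (compute hashes of checked items, bind them into a named set with a coverage note, store it under a top-level path, then match other files against it) as an added example; this is not the manual's or FINALForensics' code. It assumes a JSON file per set and constructs the evidence files inline; the point it shows is that matching is by content, so a renamed copy still matches while an edited one does not.

```python
import hashlib
import json
import os
import tempfile


def compute_hashes(path, algorithms=("md5", "sha256"), chunk_size=1 << 16):
    """Hash a file in chunks with every requested algorithm in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_hash_set(name, paths, coverage, algorithms=("md5", "sha256")):
    """Bind the checked files into one named hash set; `coverage` records what was hashed."""
    entries = [dict(compute_hashes(p, algorithms), name=os.path.basename(p)) for p in paths]
    return {"name": name, "coverage": coverage, "algorithms": list(algorithms),
            "entries": entries}


def save_hash_set(hash_set, top_level_path):
    """Store the set as <top-level path>/<name>.json (the manual's default path is C:\\)."""
    os.makedirs(top_level_path, exist_ok=True)
    target = os.path.join(top_level_path, hash_set["name"] + ".json")
    with open(target, "w", encoding="utf-8") as f:
        json.dump(hash_set, f, indent=2)
    return target


def load_hash_sets(top_level_path):
    """Load every stored hash set from the top-level path."""
    sets = []
    for filename in sorted(os.listdir(top_level_path)):
        if filename.endswith(".json"):
            with open(os.path.join(top_level_path, filename), encoding="utf-8") as f:
                sets.append(json.load(f))
    return sets


def match_files(paths, hash_sets, algorithm="sha256"):
    """Map each path to the (set name, entry name) pairs whose digest equals the file's.
    Matching is by content only: renamed copies still match, edited ones do not."""
    index = {}
    for hash_set in hash_sets:
        for entry in hash_set["entries"]:
            index.setdefault(entry[algorithm], []).append((hash_set["name"], entry["name"]))
    return {p: index.get(compute_hashes(p, (algorithm,))[algorithm], []) for p in paths}


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Build a set from two constructed evidence files, then match a renamed copy,
    an edited copy and an unrelated file against it."""
    with tempfile.TemporaryDirectory() as root:
        evidence = os.path.join(root, "evidence")
        suspect = os.path.join(root, "suspect")
        store = os.path.join(root, "hashsets")  # stands in for the [top-level path]
        os.makedirs(evidence)
        os.makedirs(suspect)
        tool = _write(os.path.join(evidence, "tool.exe"), b"MZ\x90\x00constructed-tool-bytes")
        readme = _write(os.path.join(evidence, "readme.txt"), b"constructed readme v1")
        save_hash_set(build_hash_set("case_known_files", [tool, readme], coverage=evidence), store)
        suspects = [
            _write(os.path.join(suspect, "tool_renamed.dat"), b"MZ\x90\x00constructed-tool-bytes"),
            _write(os.path.join(suspect, "readme.txt"), b"constructed readme v2"),  # edited copy
            _write(os.path.join(suspect, "other.bin"), b"unrelated content"),
        ]
        matches = match_files(suspects, load_hash_sets(store))
        return {os.path.basename(p): [entry for _, entry in hits] for p, hits in matches.items()}


if __name__ == "__main__":
    print(demo())
```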




     4.7. Thumbnail Analysis

     Thumbnail function

     Displays thumbnail images of the files/folders.
     Step 1. Select [view]-[thumbnail]; the images are then shown in the file list.




Select the thumbs.db file
From the “Preview window”, select the deleted file and right-click the mouse.
You can recover the file by selecting [Save Checked File] from the pop-up menu.




     5 . Analysis report function



     5.1. Bookmark function
         Bookmarking files allows the user to manage the data and show it in reports easily.


         Step 1. Select “bookmark” from the pop-up menu which is shown when you right-click
         a specific file in the List window. Alternatively, select the file and add it via [analysis]-
         [bookmark].




         Step 2. When the properties of the bookmark appear, select the additional contents to be
         recorded and click the OK button.




5.2. Generating analysis report
  Creates a report by organizing all the analyzed results of the evidence.
 Step 1. Select [analysis report] - [write report] and check the contents of the report.




 You can preview bookmark results like the figures below.




      You can change the print settings, outline styles, or cover sheet using [analysis report]-
      >[report setting].
