These files can be downloaded and used on a Windows PC (they may not work on a Mac using "Boot Camp").
They include the demo version of the Forensic Toolkit, documentation
from AccessData's site in PDF format, and two different sample images to practice with.
- The analysis at the 2010 CSI Challenge will be done using AccessData's FTK (Forensic Tool Kit version 1.8.1).
FTK can be downloaded from AccessData's
website, and you can run it on Windows XP or Vista. While version 2.x is available, you will require
a "dongle" in order to use it, and you will also need to install a version of the Oracle database on your computer.
An easier alternative is to get FTK 1.8.1 from our website using the links below:
- Download these sample files which will be used to get you familiar with FTK;
these are "image" files. An "image" is a 'snapshot' of a disk or device
(hard drive, floppy, CD, DVD, USB key, etc.) which contains all the
information on that device.
FTK allows you to add evidence directly from a disk, folder or file.
The alternative is to add evidence which has been 'captured' forensically
(so as not to alter data), and is provided on what is called a 'bit-for-bit' image.
While you cannot directly read the image and make sense of it, the software
tool FTK can read the image and 'interpret' or 'decipher'
the "image" of the data you are analyzing.
You should download these two files as they will be referenced
in the tutorials below which will teach you how to use FTK and S-Tools.
- Download the sample floppy image used in the avi
(video) tutorials. This is a small file and will quickly be 'added as evidence.'
- Download the Precious image file. This file contains the "image" of a hard drive and is about 122Mb in size. It will take a couple of minutes for FTK to add this image file to the case, so be patient.
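What "interpreting" a bit-for-bit image involves, as an added example that is not part of the original page and is not FTK's own code: a small Python parser that reads the boot sector and root directory out of raw image bytes and lists a deleted file alongside a live one. It assumes a FAT12-style layout as used on floppy disks; the image is constructed inline rather than being one of the sample files, and the names `build_sample_image` and `list_root` are hypothetical.

```python
import struct

DIRENT = "<11sB14xHI"   # 8.3 name, attribute byte, first cluster, file size
BPB = "<HBHBHHBH"       # BIOS parameter block fields at offset 11 of the boot sector

def build_sample_image():
    """Constructed 6-sector image: one live file and one deleted file."""
    bps = 512
    boot = bytearray(bps)
    # 512 B/sector, 1 sector/cluster, 1 reserved sector, 2 FATs,
    # 16 root entries, 6 sectors in total, media byte 0xF0, 1 sector per FAT
    struct.pack_into(BPB, boot, 11, bps, 1, 1, 2, 16, 6, 0xF0, 1)
    fats = bytes(2 * bps)  # FAT contents are not consulted in this sketch
    root = struct.pack(DIRENT, b"README  TXT", 0x20, 2, 5)
    root += struct.pack(DIRENT, b"\xe5ECRET  TXT", 0x20, 3, 11)  # 0xE5 = deleted
    data = b"hello".ljust(bps, b"\0") + b"meet at 9pm".ljust(bps, b"\0")
    return bytes(boot) + fats + root.ljust(bps, b"\0") + data

def list_root(image):
    """Interpret the raw bytes: return root-directory entries, deleted ones included."""
    bps, spc, reserved, nfats, nroot, _total, _media, spf = struct.unpack_from(BPB, image, 11)
    root_off = (reserved + nfats * spf) * bps
    data_off = root_off + (nroot * 32 + bps - 1) // bps * bps
    entries = []
    for i in range(nroot):
        raw = image[root_off + 32 * i: root_off + 32 * (i + 1)]
        if raw[0] == 0x00:          # no further entries in this directory
            break
        name, attr, cluster, size = struct.unpack(DIRENT, raw)
        if attr & 0x08:             # volume label or long-file-name entry
            continue
        deleted = raw[0] == 0xE5    # first character was overwritten on deletion
        base = ("?" + name[1:8].decode("latin-1")) if deleted else name[:8].decode("latin-1")
        ext = name[8:11].decode("latin-1").strip()
        # Assumption: the file occupies consecutive clusters, since a deleted
        # file's FAT chain is cleared and cannot be followed.
        start = data_off + (cluster - 2) * spc * bps
        entries.append({"name": base.strip() + ("." + ext if ext else ""),
                        "deleted": deleted, "size": size,
                        "data": image[start:start + size]})
    return entries

if __name__ == "__main__":
    for e in list_root(build_sample_image()):
        print(e["name"], "DELETED" if e["deleted"] else "live", e["size"], e["data"])
```

The deleted entry still carries its size and starting cluster, which is why a forensic tool working from a bit-for-bit image can show content that the operating system no longer lists.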
3. Steganography is a method used to 'hide' information.
With steganography, a file acts as a 'container', and a piece of software
is used to embed or hide another file inside the container file.
Typically, a container file is a Windows BMP (bitmap image) file,
or a GIF (another image format) file, or could even be an audio file.
The 'hidden' files can be other images, documents, or just about any sort
It's been alleged that terrorist organizations use steganography
in order to hide information "in plain sight." For example,
an image on a computer, or even an image which is part of a web page,
can contain other images, or even plans (in a text or Word document).
The program below, S-Tools, complements FTK by allowing
you to see if digital evidence has any hidden information.
You should be familiar with this for the 2010 CSI Challenge.