Forensic Challenge 2010

Tools:
These files can be downloaded and used on a Windows platform PC (may not work on a MAC using "boot camp"). They include the demo version of the Forensics Toolkit, documentation from their site in PDF format, and two different sample images to practice with.

The analysis at the 2010 CSI Challenge will be done using AccessData's FTK (Forensic Tool Kit version 1.8.1). FTK can be downloaded by clicking here to get to FTK from AccessData's website and you can run on it with Windows XP or Vista. While version 2.x is available, you will require a "dongle" in order to use it, as well as install a version of Oracle datbase on your computer.
An easier alternative is to get FTK 1.8.1 from the our website using the links below:
- FTK 1.8.1 (copy of FTK on this server for download. This is another place to download it instead of AccessData's site).
- FTK 1.7.1 PDF User Guide (Adobe Reader can be downloaded in order to read PDF files)
  (The demo version of FTK is fully functional for a case containing 5000 files or less. This demo version, along with S-Tools, is all that is needed for the 2010 CSI Challenge.)
Download these sample files which will be used to get you familiar with FTK; these are "image" files. An "image" is a 'snapshot' of a disk or device (hard drive, floppy, CD, DVD, USB key, etc.) which contains all the information on that device.
FTK allows you to add evidence directly from a disk, folder or file. The alternative is to add evidence which has been 'captured' forensically (so as not to alter data), and is provided on what is called a 'bit-for-bit' image.
While you cannot directly read the image and make sense of it, the software tool FTK can read the image and 'interpret' or 'decipher' the "image" of the data you are analyzing.
You should download these two files as they will be referenced in the tutorials below which will teach you how to use FTK and S-Tools.
- Download the sample floppy image used in the avi (video) tutorials. This is a small file and will quickly be 'added as evidence.'
- Download the Precious image file. This file contains the "image" of a hard drive and is about 122Mb in size. It will take a couple of minutes for FTK to add this image file to the case, so be patient.
3. Steganography is a method used to 'hide' information. With Steganography, we have a file acting as a 'container', and we can use a piece of software and embed or hide another file inside the container file. Typically, a container file is a Windows BMP (bitmap image) file, or a GIF (another image format) file, or could even be an audio file. The 'hidden' files can be other images, documents, or just about any sort of file.
It's been alleged that terrorist organizations use steganography in order to hide information "in plain sight." For example, an image on a computer, or even an image which is part of a web page, can contain other images, or even plans (in a text or Word document). The program below, S-Tools, complements FTK by allowing you to see if digital evidence has any hidden information.
You should be familiar with this for the 2010 CSI Challenge.
- Download S-tools steganography tool in zip format.
- Download a "stego'd" picture to practice with S-tools.

Back to the CSI Challenge Computer Forensic Page. Go To the CSI Challenge Computer Forensic Tutorials Page.