Digital Forensics: Evidence Analysis in FTK

Category: Digital Forensics & Evidence Handling
Difficulty: Intermediate
Tools Used: AccessData Forensic Toolkit (FTK), MD5 Hashing Tools, Hex/Text Viewers, Metadata Analyzers​

 

Brief Description:
This project used AccessData Forensic Toolkit (FTK) to perform a full evidence analysis for a simulated ATM breach (case number ATMBoA2022). The investigation focused on cataloging digital artifacts from multiple devices, verifying evidence integrity with cryptographic hashing, and reconstructing activity through cross-device correlation. The workflow emphasized correct chain-of-custody documentation and repeatable forensic procedures to support investigative findings.

​

Extended Explanation:
In this project I loaded and analyzed a forensic image set in FTK that contained data from an iPhone, tablet, and an unknown laptop. The process began with creating and completing a CFR 101 Evidence Chain of Custody form for each artifact, recording file names, descriptions, logical paths, and MD5 hashes to preserve integrity. Using FTK’s evidence tree, I examined message files (e.g., messagesfile4.txt, messagesfile7.txt) and media (e.g., james1.jfif, John1.jfif, img3.JPG) to identify communications and photographic evidence related to the case. I also inspected executable and script files (e.g., jackpotting.py, ComputerKiller.py) that indicated malware used for ATM “jackpotting.” Hex and text analysis revealed hidden instructions embedded in files such as HI_THERE.png.

Throughout the analysis I validated each artifact’s MD5 hash to ensure chain-of-custody integrity and used timeline correlation between devices to reconstruct events. Correlating timestamps, message contents, images, and malware artifacts allowed me to determine roles and interactions among the persons of interest. The final analysis concluded John Campbell was the primary offender with James as an accomplice, while other named individuals were not implicated.

 

Images:

​

​

​

​

​

​

​

​

Key Stats:

• Tools / Platform: AccessData FTK, MD5 hashing, hex/text viewers

• Case number: ATMBoA2022

• Date of analysis: April 18–19, 2024

• Data sources: iPhone message exports, tablet image set, laptop file system image

• Notable artifacts: messagesfile4.txt, messagesfile7.txt, img3.JPG, james1.jfif, jackpotting.py, HI_THERE.png

• Completion time: ~6–12 hours (acquisition, triage, analysis, reporting)

• Outcome: Primary suspect identified; evidence chain documented and verified

​

Key Takeaways:

• Chain of custody matters: Proper documentation (forms, timestamps, and hashes) preserves admissibility and trustworthiness of digital evidence.

• Hash verification is essential: MD5 checksums confirmed artifacts were unchanged during analysis.

• Cross-device correlation uncovers intent: Messages, images, and scripts on different devices combined to reveal the attack plan and suspect roles.

• Hidden data may be embedded in innocuous files: Hex/metadata analysis (e.g., hidden text in images) can expose instructions or additional evidence.

• Forensic repeatability: Clear, repeatable steps in FTK and well-documented commands/paths enable others to reproduce findings for validation or legal use.