AccessData Forensic Toolkit 5.1.1 Release Notes

AccessData Forensic Toolkit 5.1.1
Release Notes
Document Date: 12/17/2013
©2013 AccessData Group, Inc. All rights reserved
Introduction
This document lists the new features, fixed issues, and known issues for Forensic Toolkit® (FTK®) 5.1.1. Please
be aware that all known issues published under previous release notes still apply until they are listed under
“Fixed Issues.”
Important Information
Installation and upgrade:
For FTK installation and upgrade instructions, see the FTK Quick Install Guide and the detailed FTK Installation Guide, which are available at http://www.accessdata.com/support/product-downloads/ftk-download-page
Whenever possible, install FTK on a physical system. Due to performance, AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.
FTK supports Distributed Processing Engines (DPEs). Distributed Processing allows the installation of up to three additional processing engines to share the workload of processing evidence in a case. Before installing Distributed Processing, see the Install Guide.
Offline versions of the maps used for Geolocation are available. Use the links Geolocation Map for Offline Use and Geolocation Map for Offline ReadMe on the FTK Product download page: http://www.accessdata.com/support/product-downloads/ftk-download-page
PostgreSQL
If using PostgreSQL, please note the following:
If the computer has fewer than 16 cores (< 16), then in the PostgreSQL configuration file, set max_connections to 60 per computer. For example, if there are 4 computers in the Distributed Processing Model in which every computer has fewer than 16 cores, then set max_connections to 240 (60*4).
If the computer has 16 or more cores (>= 16), then in the PostgreSQL configuration file, set max_connections to 125 per computer. For example, if there are 4 computers in the Distributed Processing Model in which 3 computers are 8 core (<16) and 1 computer is 16 core (>=16), then set max_connections to 245 (60*3 + 125*1).
If there is just one computer in the Distributed Processing Model, max_connections should be no less than 100.
Oracle
Oracle 10g is not compatible with Windows 8.
If you are using Oracle, when you first launch FTK and add the database, when you select to use Oracle, you must change the Oracle SID from ADG to FTK2.
When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a number. If the Oracle computer name begins with a number, you must change the machine name before installing Oracle.
Known File Filter
For information on installing and configuring KFF, see the KFF Install Guide, available in the User Guide or at: http://www.accessdata.com/support/product-downloads > Known File Filter (KFF).
To install the KFF server, you must have admin privileges. Otherwise, you get the following error: Unhandled exception has occurred in your application. (9092)
You may need to adjust the KFF Server thread counts in order for KFF to complete processing. The KFF Lookup Interface is the port used to look up KFF hashes. (Default value is 300) If you have too few KFF Lookup Interface threads configured, it can result in KFF not completing and generating the following error in the error log:
“[Date] Failure on item ... Could not connect to KFF Server ..., token ...”
If you get the error, increase the thread count. For instructions on configuring KFF, see the Working with the KFF Library chapter in the FTK User Guide.
If you are installing KFF in a distributed processing environment, you must specify the KFF server by its IP address and not use ‘localhost’. Otherwise you may get incorrect KFF counts.
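The error-log symptom described above, as an added example that is not AccessData's code: a small Python scanner that picks the "Could not connect to KFF Server" failure lines out of an error log, lists the affected items, tallies them per server address, and reports whether the notes' remedy (raising the KFF Lookup Interface thread count) applies. The notes quote the message only in outline, so the pattern anchors on the fixed phrases and the field contents (item path, server address, token format) are assumptions; the log lines are constructed for the example.

```python
import re
from collections import Counter

# Added example (not AccessData's code): detect the KFF connection failure the release notes describe.
# The notes quote the message as "[Date] Failure on item ... Could not connect to KFF Server ..., token ...",
# so the pattern anchors on those fixed phrases; what sits between them is assumed, not documented.
KFF_CONNECT_FAILURE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\s+Failure on item\s+(?P<item>.*?)\s+"
    r"Could not connect to KFF Server\s*(?P<server>[^,]*),\s*token\s+(?P<token>\S+)"
)

def parse_kff_failures(log_lines):
    """Return one dict (date, item, server, token) per line carrying the failure; other lines are skipped."""
    failures = []
    for line in log_lines:
        match = KFF_CONNECT_FAILURE.match(line.strip())
        if match:
            failures.append(match.groupdict())
    return failures

def summarize_kff_failures(log_lines):
    """Count the failures, list the affected items and tally them per KFF server address."""
    failures = parse_kff_failures(log_lines)
    return {
        "failure_count": len(failures),
        "items": [f["item"] for f in failures],
        "per_server": Counter(f["server"].strip() for f in failures),
        # The notes' remedy: any occurrence means the KFF Lookup Interface thread count should be raised.
        "increase_thread_count": len(failures) > 0,
    }

# Constructed error-log excerpt for this example; timestamps, paths, address and tokens are made up.
SAMPLE_ERROR_LOG = [
    "[2013-12-17 09:14:02] Processing started for evidence item 3",
    "[2013-12-17 09:20:41] Failure on item 3/disk1.E01/Users/alice/report.docx "
    "Could not connect to KFF Server 192.0.2.10:300, token 4f2a9c",
    "[2013-12-17 09:20:43] Failure on item 3/disk1.E01/Users/alice/notes.txt "
    "Could not connect to KFF Server 192.0.2.10:300, token 4f2a9d",
    "[2013-12-17 09:25:00] Processing finished with warnings",
]

if __name__ == "__main__":
    summary = summarize_kff_failures(SAMPLE_ERROR_LOG)
    print(f"KFF connection failures: {summary['failure_count']}")
    for item in summary["items"]:
        print("  affected item:", item)
    if summary["increase_thread_count"]:
        print("Action: increase the KFF Lookup Interface thread count on the KFF Server.")
```

Because the failures are counted per server address, a run that shows failures against `localhost` rather than the server's IP address also surfaces the other misconfiguration the notes warn about for distributed processing.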
Exporting Emails to PST
The Exporting Emails to PST feature requires that you have either Microsoft Outlook or the Microsoft Collaboration Data Objects (CDO) installed on the same computer as the processing engine.
CDO does not support exporting Unicode email messages. Attempting to export Unicode messages to PST with CDO installed will result in errors, and the resulting PST will be missing any Unicode email messages. To export Unicode email messages, install Outlook.
For more information, see the Quick Installation Guide.
See Where to get more information on page 16.
Bookmarks
If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the “Process Manually Carved Items” option in the Evidence drop-down menu to process the manually carved item. (57812)
Recommendations
AccessData recommends that, whenever possible, you not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML web pages or binaries, there is a potential risk associated with specially crafted pages or binaries. These pages or binaries can trigger unintended consequences, such as running malicious code or scripts.
It is strongly recommended that you configure your antivirus to exclude the database (PostgreSQL, Oracle database, Microsoft SQL), AD temp, source images/loose files, and case folders for performance and data integrity.
If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)
Fixed Issues in 5.1.1
For information about fixed issues for previous 5.x releases, see the following:
Fixed Issues in 5.1 (page 11)
Fixed Issues in 5.0.1 (page 19)
Fixed Issues in 5.0 (page 31)
The following issues have been fixed in this release.
Fixed the issue that caused a “Processing Options Validation Error” when processing evidence after adding foreign characters to the Indexing Options. (32396)
Fixed the issue that caused a “Failed to retrieve: memory scan” error on Windows 7 and XP computers. (35163)
Fixed the issue that caused a buffer overrun on computers that have 32 cores or more when doing an index search. (35704)
Where to get more information
Use the following documentation resources to learn more about this product. Each document is available in PDF
format in the download ISO file. The User Guide is also available through the Help menu in FTK.
The latest version of each document is available in the Product Release pane on the FTK product download
page:
http://www.accessdata.com/support/product-downloads/ftk-download-page
Document: Description
Quick Installation Guide: Basic information about how to install and upgrade this and related products.
FTK Installation Guide: Information about how to install and upgrade this and related products.
User Guide: Information about how to use this product, including detailed technical information and instructions for performing tasks.
Upgrading, Migrating, and Moving Cases: Information about upgrading and migrating cases from 4.1 to 4.2, and moving cases from one database to another.
Upgrading Cases: Information about upgrading cases from 4.1 to 4.2.
Migrating Archived Cases: Information about upgrading or migrating cases that you have archived in a previous release.
KFF Quick Install Guide and KFF installation files: For the most current KFF Server and KFF data installation files, as well as the KFF Quick Install Guide, visit the AccessData Product Downloads page: http://www.accessdata.com/support/product-downloads (under Current Releases, expand the Known File Filter (KFF) section and then the KFF Server section).
Comments?
We value all feedback from our customers. Please contact us at support@accessdata.com, or send
documentation issues to documentation@accessdata.com.
AccessData Forensic Toolkit 5.1
Release Notes
Document Date: 12/1/2013
©2013 AccessData Group, Inc. All rights reserved
Introduction
This document lists the new features, fixed issues, and known issues for Forensic Toolkit® (FTK®) 5.1. Please
be aware that all known issues published under previous release notes still apply until they are listed under
“Fixed Issues.”
Important Information
Installation and upgrade:
For FTK installation and upgrade instructions, see the FTK Quick Install Guide and the detailed FTK Installation Guide, which are available at http://www.accessdata.com/support/product-downloads/ftk-download-page
Whenever possible, install FTK on a physical system. Due to performance, AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.
FTK supports Distributed Processing Engines (DPEs). Distributed Processing allows the installation of up to three additional processing engines to share the workload of processing evidence in a case. Before installing Distributed Processing, see the Install Guide.
Offline versions of the maps used for Geolocation are available. Use the links Geolocation Map for Offline Use and Geolocation Map for Offline ReadMe on the FTK Product download page: http://www.accessdata.com/support/product-downloads/ftk-download-page
PostgreSQL
If using PostgreSQL, please note the following:
If the computer has fewer than 16 cores (< 16), then in the PostgreSQL configuration file, set max_connections to 60 per computer. For example, if there are 4 computers in the Distributed Processing Model in which every computer has fewer than 16 cores, then set max_connections to 240 (60*4).
If the computer has 16 or more cores (>= 16), then in the PostgreSQL configuration file, set max_connections to 125 per computer. For example, if there are 4 computers in the Distributed Processing Model in which 3 computers are 8 core (<16) and 1 computer is 16 core (>=16), then set max_connections to 245 (60*3 + 125*1).
If there is just one computer in the Distributed Processing Model, max_connections should be no less than 100.
Oracle
Oracle 10g is not compatible with Windows 8.
If you are using Oracle, when you first launch FTK and add the database, when you select to use Oracle, you must change the Oracle SID from ADG to FTK2.
When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a number. If the Oracle computer name begins with a number, you must change the machine name before installing Oracle.
Known File Filter
For information on installing and configuring KFF, see the KFF Install Guide, available in the User Guide or at: http://www.accessdata.com/support/product-downloads > Known File Filter (KFF).
To install the KFF server, you must have admin privileges. Otherwise, you get the following error: Unhandled exception has occurred in your application. (9092)
You may need to adjust the KFF Server thread counts in order for KFF to complete processing. The KFF Lookup Interface is the port used to look up KFF hashes. (Default value is 300) If you have too few KFF Lookup Interface threads configured, it can result in KFF not completing and generating the following error in the error log:
“[Date] Failure on item ... Could not connect to KFF Server ..., token ...”
If you get the error, increase the thread count. For instructions on configuring KFF, see the Working with the KFF Library chapter in the FTK User Guide.
If you are installing KFF in a distributed processing environment, you must specify the KFF server by its IP address and not use ‘localhost’. Otherwise you may get incorrect KFF counts.
Exporting Emails to PST
The Exporting Emails to PST feature requires that you have either Microsoft Outlook or the Microsoft Collaboration Data Objects (CDO) installed on the same computer as the processing engine.
CDO does not support exporting Unicode email messages. Attempting to export Unicode messages to PST with CDO installed will result in errors, and the resulting PST will be missing any Unicode email messages. To export Unicode email messages, install Outlook.
For more information, see the Quick Installation Guide.
See Where to get more information on page 16.
Bookmarks
If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the “Process Manually Carved Items” option in the Evidence drop-down menu to process the manually carved item. (57812)
Recommendations
AccessData recommends that, whenever possible, you not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML web pages or binaries, there is a potential risk associated with specially crafted pages or binaries. These pages or binaries can trigger unintended consequences, such as running malicious code or scripts.
It is strongly recommended that you configure your antivirus to exclude the database (PostgreSQL, Oracle database, Microsoft SQL), AD temp, source images/loose files, and case folders for performance and data integrity.
If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)
5.1 New and Improved
For information about new features in previous 5.x releases, see:
5.0.1 New and Improved (page 19).
5.0 New and Improved (page 27).
The following items are new and improved features and feature enhancements for this release:
Evidence Processing
Volume Shadow Copy
Native Volume Shadow Copy (VSC) support is available for a fast and accurate examination of file system snapshots captured by Microsoft’s Volume Shadow Service (VSS) technology. You can now identify and parse VSC files as a separate evidence item within a case. You can select which restore points to include, as well as the preferred expansion options. Expansion options show dated snapshot views of available restore points that can be selected as:
Latest to oldest, in which the latest restore point is presented as a full file system and the rest as “deltas”
Oldest to latest, in which the oldest restore point is presented as a full file system and the rest as “deltas”
Full, in which all checked restore points are presented as full file systems
Multi Indexer
FTK has implemented the use of multiple indexers within a case in order to speed up processing times. This new feature distributes the indexing work, allowing smaller jobs to complete without having to wait for larger jobs in the queue.
Include Extended Information in the Index
This is a new processing option on the Lab/eDiscovery Options page. If you create a case in FTK or Lab and are going to review it in Summation or eDiscovery, select this option to make the index data fully compatible with Summation/eDiscovery.
File Signature Analysis Option in Additional Analysis
Previously, when performing additional analysis, if you selected certain processing options, such as Flag Bad Extensions, dtSearch Text Index, Data Carve, OCR, Explicit Image Detection, or Decrypt Credant Files, the File Signature Analysis option was automatically selected and disabled so that you could not un-select it. Now, if you select one of those options, the File Signature Analysis option is still automatically selected, but it is not disabled and you can manually un-select it. This does not apply to the initial processing options.
Language Identification
The identification of foreign languages in Office documents has been improved.
Outlook 2013
Corrupted Outlook 2013 PST and OST files are now supported.
Fuzzy Hashing
This feature has been deprecated in version 5.1 and is no longer supported.
Encoded Text Documents
Enhanced support for detecting text encoding.
Internet Artifacts
Web page reconstruction
The ability to view a reconstruction of cached Chrome Web pages from HTML artifacts in the Natural view has been improved.
IE 9 internet artifacts enhancements
Reconstruction of web pages for IE 9
You can now see a reconstruction of the web page that was cached when the user was browsing the respective web site.
Note: If there is not enough data in the cache, the web page will not be reconstructed. Informational data about the history will be displayed instead.
Deeper drill down into IE 9 artifacts
A processing option enables you to expand and create individual records from IE 9 data. This provides better granular organization of IE 9 internet artifacts for quickly searching and locating specific artifacts. If data is present, the expanded data is displayed in the following sub-folders in the Internet/Chat view: IE Cache Entries, IE Cookies Entries, IE History Entries, IE Download Entries, and MSIE Recovery dat entry.
Expansion of IE 9 Recovery data
There is a new processing option that lets you expand IE Recovery data that was stored when access to a Web site was lost.
Visualization
Geolocation
You can now view a map with the real-world geographic location of evidence items containing geolocation information. This provides a visual depiction of where digital activities and actions took place, allowing you to post that data back to the case or include it in a report.
Geolocation supports photos with GPS information in the EXIF data.
New columns are also available for the File List that show geolocation data such as City, Region (State), Country Code, Latitude, and Longitude.
Note: This feature requires the latest KFF Server and KFF Geolocation (GeoIP) data. For information on installing and configuring KFF, see the KFF Install Guide, available in the User Guide or at http://www.accessdata.com/support/product-downloads > Known File Filter (KFF).
Search
Term Browser / Keyword Expansion
When performing an Index Search, you can use the Term Browser, which is a semantic word expansion capability to help you identify additional keywords. You select which expanded terms you want to include in the search.
To expand terms, a lexical database is used. When you expand terms, you can use the following lists: Synonyms, Related, Specific, and General.
Decryption
Note: These features require PRTK or the DNA host 7.3 to be installed on the same computer as the Examiner.
Right-click PRTK/DNA integration
The integration with PRTK/DNA has been enhanced so that you can use an Auto Decrypt option. You can right-click an encrypted file in the File List and it will send the file to PRTK/DNA for password recovery. If the password is found, it will be returned automatically to the FTK interface, which will begin the FTK decryption process.
Status of Password Recovery Job
When using PRTK/DNA integration to recover a password, a dialog is displayed showing the progress of the recovery job. When a password has been recovered, the status in the dialog will turn green and it will display “A password has been recovered. Attempting to decrypt the file.”
Token Challenge Decryption for Check Point
When decrypting Check Point 7.6.150 encrypted files, using the token challenge is now supported.
Support for BestCrypt
Support for BestCrypt files has been added when performing decryption.
Support for StuffIt
Support for StuffIt files has been added when performing decryption.
Support for RAR v5
Support for RAR v5 files has been added when performing decryption.
Examiner
Identify processing-generated items
There are some files that are created during processing, such as data broken out from compound files, EXIF data from images, file metadata, and so on. There is now a column called Actual File which can be used in the File List to designate whether the file was in the original data (True) or was generated during processing (False).
Also, when looking at the file name at the bottom of the File List, if the file was generated during processing, there is a >> after the parent file name and before the generated file name.
For example, photo.jpg>>photo.exif.html or mystuff.zip>>passwrds.doc
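The ">>" display-name convention just described, as an added example that is not AccessData's code: a Python parser that splits a File List display name into its parent chain, derives the Actual File value the notes define (True for original data, False for processing-generated items), and groups generated items under the evidence file they came from. It generalizes beyond the two names the notes quote to chains of any depth (an archive inside an archive); it assumes ">>" never occurs inside a file name, and the sample names are constructed.

```python
# Added example (not AccessData's code): parse the "parent>>generated" display names the File List
# shows for processing-generated items, for chains of any depth. Assumes ">>" is only the separator.
SEPARATOR = ">>"

def parse_display_name(display_name):
    """Split 'mystuff.zip>>passwrds.doc' into (['mystuff.zip', 'passwrds.doc'], True).
    The flag is True when the item was generated during processing, i.e. at least one
    separator is present; a plain name such as 'photo.jpg' gives (['photo.jpg'], False)."""
    name = display_name.strip()
    if not name:
        raise ValueError("empty display name")
    chain = [part.strip() for part in name.split(SEPARATOR)]
    if any(part == "" for part in chain):
        raise ValueError(f"malformed display name: {display_name!r}")
    return chain, len(chain) > 1

def source_item(display_name):
    """The file that was actually in the evidence: the first element of the chain."""
    return parse_display_name(display_name)[0][0]

def expected_actual_file(display_name):
    """Value the Actual File column should carry: True for original data, False for generated items."""
    return not parse_display_name(display_name)[1]

def group_by_source(display_names):
    """Map each source file to the generated items derived from it, which is what a bookmark
    relating FTK-created items back to their actual source file needs to cover."""
    groups = {}
    for name in display_names:
        chain, generated = parse_display_name(name)
        bucket = groups.setdefault(chain[0], [])
        if generated:
            bucket.append(name)
    return groups

# Constructed File List display names, including the two examples quoted in the notes.
SAMPLE_NAMES = [
    "photo.jpg",
    "photo.jpg>>photo.exif.html",
    "mystuff.zip>>passwrds.doc",
    "outer.zip>>inner.zip>>notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        chain, generated = parse_display_name(name)
        print(f"{name}: depth={len(chain)} actual_file={not generated} source={chain[0]}")
    print(group_by_source(SAMPLE_NAMES))
```

A practical use is cross-checking an exported File List: any row whose Actual File value disagrees with `expected_actual_file` of its display name, or any generated item whose source is missing from a bookmark, stands out immediately.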
Relate FTK-created items on Bookmarks
You can use bookmarks to relate FTK-created files (such as data broken out from compound files, EXIF data from images, and so on) with the actual source file in the evidence. All parent items are recursively related within the bookmark from the FTK-created item to the actual source file and not just a parent folder.
Screen capture in the Examiner interface
You can now take screen captures within the Examiner interface. This allows any element within FTK to be included in reports.
Reports
Updated Reporting Template
The cascading style sheets have been updated for a better user experience. Updates include persistent highlighting on the navigation tree (so examiners know which item they are viewing) and better organization of data within the report.
However, if you have created personalized templates in previous versions, you will need to re-create them for 5.1.
KFF
Updated KFF Server version 1.22
The KFF Server has been updated. The KFF Server and KFF Geolocation (Geo IP) Data are required for the new Geolocation feature.
For information on installing and configuring KFF, see the KFF Install Guide, available in the User Guide or at: http://www.accessdata.com/support/product-downloads > Known File Filter (KFF).
Complete NSRL Data Installation
All NSRL data has been combined into a single installation up through version 2.40. You no longer have to install a previous core set and then install multiple updates.
KFF Config
You must now be logged into the computer with admin privileges in order to run KFF Config.
PhotoDNA
New PhotoDNA column
A new column, PhotoDNA Hash, has been added. This shows the value of the PhotoDNA hash for the image.
Export
Limit Path Length default settings
In Export settings, the Limit Path Length option is now off by default. This prevents getting only partial paths in the export.
File System
Support for Microsoft Resilient File System (MS ReFS)
The Microsoft Resilient File System (ReFS) found in Windows 8 and Windows Server 2012 is now supported.
Support of Tableau-created files
Opening ‘incomplete’ Tableau-created files is now supported.
Support for Encase Lx01 image files
Lx01 files can be added as evidence and the files inside them will be expanded.
MPE+ Essential License
Inclusion of MPE+ Essential
With your FTK subscription, you can obtain a free license to use MPE+ for 30 days and MPE+ Essential afterwards.
The installation files for MPE+ are included on the FTK installation discs.
You must obtain the MPE+ license by visiting the following:
http://marketing.accessdata.com/acton/form/4390/012a:d-0001/1/index.htm
Migration
Command Line migration utility
There is now a two-step migration process that allows you to upgrade older cases from versions between 3.4 and 4.0 to 5.1 without having to upgrade cases through each release. The first step upgrades cases between 3.4 and 4.0 to 4.1. The second step upgrades cases from 4.1 to 5.1. For more information on this utility, contact your Technical Account Manager or Technical Support.
Fixed Issues in 5.1
For information about fixed issues for previous 5.x releases, see the following:
Fixed Issues in 5.0.1 (page 19)
Fixed Issues in 5.0 (page 31)
The following issues have been fixed in this release.
Installation and Upgrade
If you try to install the 32-bit version of the Distributed Processing Manager on a 64-bit computer, the installation will stop and a message is displayed that explains that the 64-bit installer must be used. (32004)
The installer for the Distributed Processing Manager now automatically runs as Administrator. (28672)
Fixed the issue that caused User IDs to not be updated properly when restoring a case to a new database. (33357)
Processing
Processing speeds have been improved. (15288)
Fixed the issue that caused OCR to sometimes not launch the OCR engine. (32028)
Fixed the issue that caused the Data Processing Status to be incorrect after multiple jobs have been processed. (22172)
Fixed an issue that sometimes caused Custom Processing options to retain the AD Standard options. (21569)
The Additional Analysis dialog now has tabs so that all the options can be displayed on displays with lower resolutions. (10210)
Fixed the issue that prevented processing from completing when processing multiple individual files. (32175)
Fixed the issue that prevented the Exclude KFF Ignorable option in the Data Carving options from working correctly. (32435)
Fixed the issue that caused performance issues when processing HFS+ file system images. (30328)
Fixed the issue that prevented the OLE Created and Modified timestamps from being displayed. (22976)
Fixed an issue that prevented the parsing of Office Metadata for MS Word 2007 and later DOCX files. (23200)
Decryption
Fixed the issue that prevented Credant files from being decrypted properly when using the Credant Decryption processing option. (26670)
Fixed the issue that prevented the prompting of the BitLocker recovery key when adding an encrypted BitLocker image from a thumb drive. (23588)
Fixed the issue that prevented the decryption of a Lotus Notes NSF file from v8.5.1 FP5 SHF2. (33936)
Reports
Fixed the issue that caused the application to crash when generating a report from a case with a Windows 98 image. (17836)
Filters and Bookmarks
Fixed the issue that caused high CPU utilization when using labels as an exclude filter. (31363)
Fixed the issue that caused copied filters to display different results than the original filters. (29002)
Fixed the issue that caused the Examiner to hang when cancelling a bookmark. (28683)
Fixed the issue that caused the Manual Timeline Comments to go inactive. (33708)
Columns
Fixed the issue that caused the application to sometimes crash when the Zip Code column/filter was used. (30647)
KFF
Fixed the issue where, when running large cases, the KFF Server could hang and the case wouldn't complete. (26167)
Fixed the issue that sometimes caused the following error when selecting KFF in Additional Analysis: "KFF processing is selected, but no KFF groups have been chosen. Please select the KFF groups you wish to process with." (21260)
Fixed the issue where, after uninstalling KFF data and the defined sets, the groups remained. (13858)
Fixed the issue that caused importing a group to fail if the data directory had not been previously created. (23416)
Fixed the issue where, if any mandatory field is empty and you click Apply, a message is displayed that you have to fill in those fields. The Apply button is now disabled until changes are made in this window. (17393)
Fixed the issue that caused the KFF lookup to fail. (21844)
Fixed the issue where, when doing an import, the correct number of imported hashes was not reported. (32605)
Fixed the issue that prevented the cancelling of a KFF import. (17986)
Visualization
When using the Extensions Distribution chart, you can now select an extension in the legend in order to select or unselect extensions. (26522)
Fixed the issue that caused a delay in the Files Visualization view when switching from the Created to Modified file date option. (21960)
Fixed the issue that prevented files from populating in the File List after clicking a category in the File Categories Distribution Chart. (2918)
Fixed the issue that sometimes caused a delay in the Social Analyzer screen capture function. (28765)
Evidence
Fixed the issue that prevented the removal of evidence if it failed during processing. (30514)
Fixed the issue that prevented the creation of an image on a remote computer. (29420)
Export
Fixed the issue that caused emails exported to PST to not be viewable in Outlook. (18708, 25163, 29423)
Search
Fixed the issue that caused an Index Search of a pagefile.sys file to not highlight the correct section of the file in the 'File Content' pane. (14614)
Imaging
NTFS support has been enhanced so the MFT is now used to build the file tree, rather than relying on $I30 directory indexes, which may be corrupt. (24868)
Other
Fixed the issue that caused the tab display to go blank when configuring Additional Analysis or reports if you selected a tab and then pressed Escape; clicking another tab restored the view. (27688, 27689)
Fixed the issue that caused a “File access error” when selecting the “Optimize for large cases” database option when used with a remote PostgreSQL database. (12041)
Fixed the issue that caused the Examiner to sometimes crash when viewing .DOC files. (26976)
Fixed the issue that caused FTK to not launch properly when using a “-caseid” command-line parameter. (30318)
Known Issues in 5.1
For a list of known issues for previous 5.x releases, see the following:
Known Issues in 5.0.1 (page 21)
Known Issues in 5.0 (page 33)
The following items are known issues:
Decryption

If a file is decrypted using two different technologies, such as Microsoft Office file decryption and EFS,
there may be an issue where only one decryption is performed. When using Tools > Decrypt Files, if you
select to decrypt certain file types such as EFS, Lotus Notes, S/MIME, and so on, do not select Perform
Automatic Decryption at the same time. Use one option at a time. (34470)
If
you have a spreadsheet that has sheet/cell protection passwords, the file is recognized as an encrypted
file. If you perform an Auto Decrypt on the file, PRTK/DNA will attempt to recover the password.
However, if the password is found, the file will not be recognized as a decrypted file. (30705)

Processing
When
configuring the Indexing Options within Processing Options, if you use accented letters, you may
get the following error when adding evidence, “Error occurred while adding evidence”. (25944)
When
creating a custom processing profile, and if you select Decrypt Credant Files and Send Email Alert
on Job Completion, the selections may not be saved in the profile. (21752)
OCR
for PNG, BMP, and TIFF file types doesn’t work properly when performed in Additional Analysis. It
does work correctly during regular processing. (32331)
Internet Artifacts
When
viewing Gmail Offline Messages under Chrome Browser Files in the Overview tab > File Category
folder, the counts are correct, but if viewed from the Internet/Chat tab, the counts may be incorrect.
(22810)
Bookmarks
When
creating a report with a bookmark that has the ‘&’ character in the name, the application may close
without completing the report. (28856)
Agent
When
pushing the agent to remote computer, and if the credentials or IP address are incorrect, it will fail
with an error that the Username or Password is incorrect. However, it will then attempt to use WMI, but
may delay several minutes before displaying the error that the Agent deployment failed. (26279)
Search
If you have applied a filter to an index search, you may not be able to save exported search results. (33312)
If you press the Delete key while in the Search Results pane, you get the following error: 'Encountered an improper argument'. (31847)
Summation/Insight Integration
When opening a project from Insight that has data from a job, in the Explore tab, the evidence is listed as the path name of the project folder and not the name of the job. (33244)
When trying to detach a case that also exists in Summation/Insight, it fails. (33250)
Insight user roles do not work with Enterprise login. Insight users cannot use the Enterprise ADMS to log into Insight. (31584)
Reports
If you generate a report in RTF format and open it in WordPad, the graphics do not display. If you open it in Word, they will display. (33693)
KFF
If you install either DHS data or NDIC data after previously installing KFF Geolocation (GeoIP) data, you will get an error that a newer version is already installed and will need to be uninstalled first. (34687)
Workaround: Uninstall the GeoIP data, install the DHS and/or NDIC data, then re-install the GeoIP data.
When importing a CSV file that is made up of email files, no data is added to the set list. (24261)
When processing with default options and KFF (not including ignore files in the Evidence Refinement option), you don't get any ignore results in indexing. (33309)
PhotoDNA
Adding more than 5,000 images to a PhotoDNA Library may cause the application to hang. (30264)
Other
If you try to load ReFS as a logical drive, it will not recognize the file system type. If you create an E01 image and add it that way, it will recognize the file system. (32047)
Computers with an NVIDIA GeForce graphics card will prevent FTK from running and will display the following error:
"The application was unable to start correctly (0xc0000142). Click OK to close the application."
The wrong MFT Record date for NTFS images is displayed in the properties tab. (30490)
Mapped drive locations on a Windows 8 computer are not viewable.
You can use the following workaround:
Create HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections (a DWORD) with value "1"
Reference: http://support.microsoft.com/kb/937624
Where to get more information
Use the following documentation resources to learn more about this product. Each document is available in PDF
format in the download ISO file. The User Guide is also available through the Help menu in FTK.
The latest version of each document is available in the Product Release pane on the FTK product download
page:
http://www.accessdata.com/support/product-downloads/ftk-download-page
Quick Installation Guide: Basic information about how to install and upgrade this and related products.
FTK Installation Guide: Information about how to install and upgrade this and related products.
User Guide: Information about how to use this product, including detailed technical information and instructions for performing tasks.
Upgrading, Migrating, and Moving Cases: Information about upgrading and migrating cases from 4.1 to 4.2, and moving cases from one database to another.
Upgrading Cases: Information about upgrading cases from 4.1 to 4.2.
Migrating Archived Cases: Information about upgrading or migrating cases that you have archived in a previous release.
KFF Quick Install Guide and KFF installation files: For the most current KFF Server and KFF data installation files, as well as the KFF Quick Install Guide, visit the AccessData Product Downloads page: http://www.accessdata.com/support/product-downloads
Under Current Releases, expand the Known File Filter (KFF) section and then the KFF Server section.
Comments?
We value all feedback from our customers. Please contact us at support@accessdata.com, or send
documentation issues to documentation@accessdata.com.
AccessData Forensic Toolkit 5.0.1
Release Notes
Document Date: 08/26/2013
©2013 AccessData Group, Inc. All rights reserved
Introduction
This document lists the new features, fixed issues, and known issues for Forensic Toolkit® (FTK®) 5.0.1. Please
be aware that all known issues published under previous release notes still apply until they are listed under
“Fixed Issues.”
Important Information
Installation and upgrade:
For installation instructions, see the Quick Install Guide or the Detailed Install Guide. You can access these guides at http://www.accessdata.com/support/product-downloads/ftk-download-page.
FTK supports Distributed Processing Engines (DPEs). Distributed Processing allows the installation of up to three additional processing engines to share the workload of processing evidence in a case. Before installing Distributed Processing, see either the Quick Install Guide or the Detailed Install Guide.
FTK does not support skipping versions when you upgrade cases from previous major or minor versions. You must upgrade in the order of the released versions. For example, you cannot upgrade cases from FTK 4.1 or earlier directly to FTK 5.x. You must first upgrade 4.1 to FTK 4.2.x and then upgrade from FTK 4.2.x to FTK 5.x.
Whenever possible, install FTK on a physical system. Due to performance, AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.
Oracle 10g is not compatible with Windows 8.
If you are using Oracle, when you first launch FTK, add the database, and select to use Oracle, you must change the Oracle SID from ADG to FTK2.
To install the KFF server, you must have admin privileges. Otherwise, you get the following error: Unhandled exception has occurred in your application. (9092)
You may need to adjust the KFF Server thread counts in order for KFF to complete processing. If you have too few KFF Lookup Interface threads configured, it can result in KFF not completing and generating the following error in the error log:
[Date] Failure on item ... Could not connect to KFF Server ..., token ...
For a computer with a quad core, the default amount of 300 threads should be adequate. If you have a computer with fewer cores, the thread count can be increased. If you get the error, increase the thread count.
For instructions on configuring KFF, see the Working with the KFF Library chapter in the FTK User Guide.
The Exporting Emails to PST feature requires that you have either Microsoft Outlook or the Microsoft Collaboration Data Objects (CDO) installed on the same computer as the processing engine. CDO does not support exporting Unicode email messages. Attempting to export Unicode messages to PST with CDO installed will result in errors and the resulting PST will be missing any Unicode email messages. To export Unicode email messages, install Outlook.
For more information, see the Quick Installation Guide.
See Where to get more information on page 35.
Data and Database Management
AccessData recommends that, whenever possible, you not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML web pages or binaries, there is a potential risk that is associated with specially crafted pages or binaries. These pages or binaries can trigger unintended consequences, such as running malicious code or scripts.
If using PostgreSQL, please note the following:
If the computer has fewer than 16 cores ( < 16), then in the PostgreSQL configuration file, set the max_connections to 60 per computer. For example, if there are 4 computers in the Distributed Processing Model in which every computer has fewer than 16 cores, then set max_connections to 240 (60*4).
If the computer has 16 or more cores ( >= 16), then in the PostgreSQL configuration file, set the max_connections to 125 per computer. For example, if there are 4 computers in the Distributed Processing Model in which 3 computers are 8 core (<16) and 1 computer is 16 core (>=16), then set max_connections to 245 (60*3 + 125*1).
If there is just one computer in the Distributed Processing Model, the max_connections should be no less than 100.
It is strongly recommended that you configure your antivirus to exclude the database (PostgreSQL, Oracle database, Microsoft SQL), AD temp, source images/loose files, and case folders for performance and data integrity.
When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a number. If the Oracle computer name begins with a number, you must change the machine name before installing Oracle.
If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)
If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the “Process Manually Carved Items” option in the Evidence drop-down menu to process the manually carved item. (57812)
5.0.1 New and Improved
For a list of new and improved features for 5.0, see 5.0 New and Improved (page 27).
The following items are new and improved features and feature enhancements for this release:
Evidence Processing
The time to perform Static RAM and Memory analysis has been improved.
The time to perform Field Mode processing jobs has been improved.
The time to perform Remote Preview jobs has been improved.
Internet Artifacts
After expanding compound SQLite files, such as Google Chrome internet history, you can now view the HTML-rendered index within the table. You can also view the structure of the database itself on the Explore tab.
KFF
Updated KFF Server
The KFF Server has been updated to version 1.2.1.x.
You can install these updates from one of the following locations:
The physical KFF Installation Disc
The KFF Installation Disc ISO
Individual installation files
Both the ISO and the individual files are available in the KFF or the FTK sections on the AccessData product download page:
DNA
There is a new module for DNA (Distributed Network Attack) 7.2 that provides support for RAR 5.0 files.
The RAR update file is available in the Decryption section on the AccessData product download page:
http://www.accessdata.com/support/product-downloads
Fixed Issues in 5.0.1
For a list of issues that were fixed in 5.0, see Fixed Issues in 5.0 (page 31).
The following issues have been fixed for FTK 5.0.1:
Decryption
Fixed an issue that prevented the decryption of S/MIME encrypted messages from a PST. The option to decrypt S/MIME files under Tools > Decrypt Files is now available. (21684)
Fixed an issue that prevented the decryption of Credant files without displaying an error. (26316)
Search
Fixed an issue that sometimes caused slow results when running an indexed search. (25584)
Fixed an issue that caused the item numbers in exported search results (CSV file) to not match the object numbers in the application. (26304)
Fixed an issue that sometimes caused a slow response when expanding and retracting search options. (15156)
Processing
When running Additional Analysis and selecting Explicit Image Detection, the required option of File Signature Analysis is now automatically selected as well. (26749)
Fixed an issue that caused Facebook JSON files to be listed in the Overview tab under Unknown Types\Unknown. They are now listed under Other Known Types in a JSON file category. (26824)
Reports
Fixed an issue where, when generating a Timeline Report, the forward slashes did not appear correctly in Excel. (25596)
Filters
Fixed an issue that caused an error [Missing string: 11611] when creating a filter using the Language filter. (24992)
Fixed an issue that caused filtering to sometimes not work properly when attempting to exclude non-English files. (24942)
Fixed an issue that caused an edited custom filter to not save when the filter referred to other filters. (26747)
Fixed an issue that caused a Label filter to filter out all files rather than the ones that were labeled. (27793)
Fixed an issue that caused rules to sometimes not work properly in filters, causing files to be listed that were not expected. (29505)
KFF
Fixed an issue that caused KFF groups to sometimes not function properly after uninstalling and reinstalling KFF data. (23522)
Fixed an issue that caused FTK to become unresponsive if the KFF server was stopped and Additional Analysis was run with KFF selected. (24027)
Fixed an issue that sometimes caused an Error 22 to be returned when importing a KFF or XML file. (24129)
Fixed an issue that sometimes caused the following error when installing the KFF Server on XP computers: "Error 1920. Service AccessData KFF Server (ad_kff) failed to start. Verify that you have sufficient privileges to start system services." (25290)
Fixed an issue that sometimes caused the default KFF group to be used when processing rather than the selected group. (28434)
Fixed an issue that sometimes caused a “Failure on item...Could not perform KFF lookup on object” error. (26645)
Agent
Fixed an issue where, when adding remote data (Image Drive) using the Temporary Agent, the agent sometimes failed. (27692)
Other
Fixed an issue that caused the UI to be very slow when expanding the Explore tab when there are many disk images in the case. (28891)
When managing column settings, fixed an error that sometimes caused duplicate column names to appear. (23820)
In the column settings dialog, the columns associated with PhotoDNA now have descriptions. (23719)
Fixed an issue that prevented the scroll bar from appearing in the Administer User page. (24154)
Fixed an issue that sometimes caused errors when importing multiple carver files. (23720)
Fixed an issue where, if the case folder was manually deleted or moved while the case was being created, the interface hung. (21587)
Fixed an issue that sometimes occurred when closing FTK on Windows XP computers, displaying the message “It encountered a problem and needs to close”. (25739)
When running in evaluation mode, the product title bar now displays “Evaluation Version” at the end of the title. (26997)
All items assigned to the OLE Storage category now have a folder icon instead of a light bulb icon. (26626)
Fixed an issue that caused inconsistent counts when enumerating NTFS file systems with additional threading. (24868)
Known Issues in 5.0.1
For a list of known issues that existed in 5.0, see Known Issues in 5.0 (page 33).
The following items are known issues:
Rights and Permissions
If you only have one user account with the Application Administrator role, and you change that user’s role, you no longer have a user with Application Administrator rights. The application does not prevent this or warn you that there is not another admin. You must re-install the application and the database. (25369)
Decryption
In an environment that has Microsoft RMS and Outlook, if you restrict emails, the Outlook emails cannot be decrypted. (25505)
In an environment that has Microsoft RMS, if you restrict Office documents, they cannot be decrypted. (25608)
When using the Decrypt Credant Files processing option, Credant files may not get decrypted. If using the Tools > Credant Decryption option in the Examiner, decryption works properly. (24443)
Clicking on a file in the Examiner that is encrypted with Credant may cause the Examiner to crash. (26492)
When using Distributed Network Attack (DNA), if more than one job is running, and if you delete one job and then re-add it, the job that was not deleted and re-added is placed in a queued status and you must manually pause and resume the job for it to continue. (26201)
The following encrypted file types cannot be decrypted using the Perform Automatic Decryption option during processing: EFS, Lotus Notes (whole), Lotus Notes/emails, SMIME, and Credant. Instead, you must use the Tools > Decrypt Files option in the Examiner. (26665)
Processing
Selecting the Expand Compound Files > RFC822 Internet Email option does not expand internet mail files. (25606)
The Fuzzy Hash feature is not reporting correct data. (24883)
When performing Additional Analysis, the Registry Reports option requires that File Signature Analysis also be selected. It is not automatically selected and you must select it manually in order to generate the reports. (27001)

Search
If using Oracle as the database, and if you apply over 100 individual index searches, additional files are not displayed in the list. Then if you apply any filter and attempt to export all the hits to a file, the dialog box for the export will not appear. (26136)
Internet Artifacts
If the full_path column is missing in the Chrome History SQLite file, you are unable to view data in the Natural view or drill down into the History file. (26433)
Reports
When creating reports using the File Category, File Extension, or File Status categories, you are unable to generate the report in the following formats: RTF, WML, DOCX, and ODT. You will get a Format Transformation error. (26294)
Agent
When adding remote data (Image Drive) using the Temporary Agent and then trying to cancel the job, the cancel buttons turn inactive (for both the Creating Image and the Verifying Image tasks). Then, when trying to exit FTK, you may get the error message "Cannot disconnect agent while there are active acquisitions." You must end FTK.exe in Task Manager. (27694)
If you attempt to install the FTK Temporary Agent and you specify an invalid IP address, you get a Server Busy error and you cannot cancel it. You must restart FTK. (27648)
KFF
If the connection to the KFF Server is lost and you then try to add evidence to a case, you get an error that the evidence cannot be processed. (27909)
Internet Carvers
The following carvers that were added in FTK 5.0 are not available in the Processing Options. (28169)
Ares P2P
Flickr
Hotmail
SkyDrive
Chrome History
Google Docs
ICQ 7M Chat History
Skype\Skype 3
Dropbox
Google Drive
Internet Explorer 10
Torrent
eMule
Google Plus
Safari
Twitter
Facebook
Google Plus Chat
Shareaza
World of Warcraft
Yahoo
Other
The language identification feature may sometimes mis-identify languages when they are similar. For example, Italian may be mistaken for Spanish and Dutch for German. (21872)
When configuring Additional Analysis, if you select a tab and then press Escape, the tab display goes blank. Click another tab and the view is restored. (27688)
From the File > Reports page, if you click a tree item and then press Escape, the tree view goes blank. You must restart Examiner. (27689)
When creating a new filter, the Zip Code property is not recognized. (26278)
Where to get more information
Use the following documentation resources to learn more about this product. Each document is available in PDF
format in the download ISO file. The User Guide is also available through the Help menu in FTK.
The latest version of each document is available in the Product Release pane on the FTK product download
page:
http://www.accessdata.com/support/product-downloads/ftk-download-page
Quick Installation Guide: Information about how to install and upgrade this and related products.
User Guide: Information about how to use this product, including detailed technical information and instructions for performing tasks.
Upgrading, Migrating, and Moving Cases: Information about upgrading and migrating cases from 4.1 to 4.2, and moving cases from one database to another.
Upgrading Cases: Information about upgrading cases from 4.1 to 4.2.
Migrating Archived Cases: Information about upgrading or migrating cases that you have archived in a previous release.
Comments?
We value all feedback from our customers. Please contact us at support@accessdata.com, or send
documentation issues to documentation@accessdata.com.
AccessData Forensic Toolkit 5.0
Release Notes
Document Date: 06/04/2013
©2013 AccessData Group, Inc. All rights reserved
Introduction
This document lists the new features, fixed issues, and known issues for Forensic Toolkit® (FTK®) 5.0. Please
be aware that all known issues published under previous release notes still apply until they are listed under
“Fixed Issues.”
Important Information
Installation and upgrade:
FTK does not support skipping versions when you upgrade cases from previous major or minor versions. You must upgrade in the order of the released versions. For example, you cannot upgrade cases from FTK 4.1 or earlier directly to FTK 5.0. You must first upgrade 4.1 to FTK 4.2.x and then upgrade from FTK 4.2.x to FTK 5.0.
Whenever possible, install FTK on a physical system. Due to performance, AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.
If you are using Oracle, when you first launch FTK, add the database, and select to use Oracle, you must change the Oracle SID from ADG to FTK2.
To install the KFF server, you must have admin privileges. Otherwise, you get the following error: Unhandled exception has occurred in your application. (9092)
You may need to adjust the KFF Server thread counts in order for KFF to complete processing. If you have too few KFF Lookup Interface threads configured, it can result in KFF not completing and generating the following error in the error log:
[Date] Failure on item ... Could not connect to KFF Server ..., token ...
For a computer with a quad core, the default amount of 50 threads should be adequate. If you have a computer with fewer cores, the thread count should be at least 150. If you get the error, increase the thread count.
For instructions on configuring KFF, see the Working with the KFF Library chapter in the FTK User Guide.
The Exporting Emails to PST feature requires that you have either Microsoft Outlook or the Microsoft Collaboration Data Objects (CDO) installed on the same computer as the processing engine. CDO does not support exporting Unicode email messages. Attempting to export Unicode messages to PST with CDO installed will result in errors and the resulting PST will be missing any Unicode email messages. To export Unicode email messages, install Outlook.
For more information, see the Quick Installation Guide.
See Where to get more information on page 35.
Data and Database Management
AccessData recommends that, whenever possible, you not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML web pages or binaries, there is a potential risk that is associated with specially crafted pages or binaries. These pages or binaries can trigger unintended consequences, such as running malicious code or scripts.
It is strongly recommended that you configure your antivirus to exclude the database (PostgreSQL, Oracle database, Microsoft SQL), AD temp, source images/loose files, and case folders for performance and data integrity.
When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a number. If the Oracle computer name begins with a number, you must change the machine name before installing Oracle.
If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)
If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the “Process Manually Carved Items” option in the Evidence drop-down menu to process the manually carved item. (57812)
5.0 New and Improved
The following items are new and improved features and feature enhancements for this release:
Evidence Processing
Processing Profiles
When you create a case, you can configure and re-use profiles, like templates, of processing options. You can create different profiles for different investigative needs. For example, you can create one profile for email investigations and another for media investigations. You can then choose from these profiles prior to processing data in a case. This provides processing consistency and saves time by not requiring you to define the exact processing settings for each case. There are two pre-configured profiles: a standard default and a field mode. You can also export and import processing profiles so that they can be shared.
Processing profiles replace the Save As My Default and the Reset to Factory Defaults options.
The Field Mode check box has been removed and is replaced by a Field Mode processing profile.
New internet artifact carvers
Several new internet carvers have been added to the processing options. These provide additional carving capability for more internet artifacts. The following is a list of programs identified by the new carvers:
Ares P2P
Flickr
Hotmail
SkyDrive
Chrome History
Google Docs
ICQ 7M Chat History
Skype\Skype 3
Dropbox
Google Drive
Internet Explorer 10
Torrent
eMule
Google Plus
Safari
Twitter
Facebook
Google Plus Chat
Shareaza
World of Warcraft
Yahoo
Ability to add CSV as individual records to support timeline analysis
There is a new processing option that will recognize CSV files that are in the Log2timeline format and parses the data within the single CSV into individual records within the case. The individual records from the CSV will be interspersed with other data, giving you the ability to perform more advanced timeline analysis across a very broad set of data. In addition, you can leverage the visualization engine to perform more advanced timeline-based visual analysis. When you expand CSV files into separate records, you can use several new columns in the File List to view each CSV Log2timeline field.
Visualization
Visualization is now a standard feature
The visualization module lets you view file, email, and internet browser history data in multiple display formats, including time lines, cluster graphs, pie charts and more. This functionality lets you quickly determine relationships in the data and find key pieces of information.
New Social Analyzer II Visualization
Email Social Analyzer has been improved and now supports case wide visual analytics. The Social Analyzer Visualization function lets you see the big picture of email domain clusters talking to each other.
You can multi-select and drill down into specific domains to see individual email addresses and who they communicated with in other domains. This feature provides a more interactive way to view email communication and cull data based on domains and emails of interest.
Screenshot support for Visualization
A method for taking a screenshot of a Visualization filter and including it as part of a report has been added. While working within the Visualization screen, you may want to capture the graphic representation of the data you are viewing for reporting purposes. There is now an option to take this screenshot, add a note, and include them as part of the final report.
Mobile Phone Examiner Plus (MPE+)
FTK 5.0 ships with the following features:
30-day evaluation license of MPE+
MPE+ is a stand-alone mobile forensics software solution that supports 6800+ devices, including iOS®, Android™, and Blackberry® devices. MPE+ images integrate seamlessly with FTK software, allowing you to correlate evidence from multiple mobile devices with evidence from multiple computers within a single interface.
One year of MPE+ Essentials
MPE+ Essentials is a modified version of MPE+ that allows you to analyze data from only iOS and Android devices.
Explicit Image Detection
Explicit Image Detection is now a standard feature
Much more than just a flesh tone detector, the Explicit Image Detection (EID) feature allows for easier location and identification of potentially explicit material. This option is available when creating a new case.
File Decryption
Decrypt files during processing with a password list
A new processing option allows you to automatically decrypt encrypted files during processing by predefining a password list. As files are identified as encrypted, the passwords are used to try to decrypt them and the contents become available. After processing, you can use the Decrypted Files filter to view a list of the decrypted files.
Integration with Password Recovery Toolkit (PRTK) and Distributed Network Attack (DNA) for password recovery
You can select encrypted files from the file list and submit them directly to PRTK or DNA for password recovery. Once the passwords have been recovered they can be used in FTK to decrypt the respective files. To use this integration, either PRTK or the DNA host must be installed on the same computer as the Examiner.
Integration with Password Recovery Toolkit (PRTK) for enhanced file decryption
With the appropriate passwords, you can now decrypt nearly all of the same file formats that AccessData PRTK and DNA can decrypt.
File families now supported include the following:
ABICoder
AShampoo
PDF
AdvancedFileLock
CryptoForge
PGP password file
Apple DMG
Cypherus
RAR
Apple FileVault
iOS backup files
WinZip adv.encryption
Apple FileVault 2
OpenOffice
ZIP
7-Zip
Enhanced Bitlocker Support
You can now decrypt partitions from Windows 8 Bitlocker.
You can now enter credentials for and decrypt multiple Bitlocker partitions.
Reports
Timeline
support for bookmarked items in reports
A new bookmark feature lets you send specific bookmarks to a timeline report based on the Created,
Accessed, and Modified date of the document. Additionally you can create manual timeline items for
notes or other items that are not an actual document in the case. From these bookmarked items, you can
generate a CSV formatted timeline report that will put the bookmarked items in chronological order. This
provides you a way of putting documents in chronological order for easier visibility into the events that
took place for the case.
Internet Artifacts
Google
Chrome internet artifacts enhancements
Better
organization and support for Google Chrome
Google Chrome internet artifacts are now more granularly organized in the Overview Tab
(Bookmarks, Cookies, Credit Card Data, Data Profile, Downloads, History, Key Words, Login Data,
Top Sites, and Web AutoFill Data) so that you can look for specific artifacts in an easier manner.
Reconstruction of web pages for Chrome
You can now see a reconstruction of the web page that was cached when the user was browsing the
respective web site.
Note: If there is not enough data in the cache, the web page will not be reconstructed. Informational
data about the history will be displayed instead.
Deeper drill down into Google Chrome artifacts
A new processing option enables you to create individual records from a Google Chrome artifact
SQLite Database. This provides investigators the ability to bookmark specific records from within the
database. For example, if you are looking for a specific Top Site record, you can more easily find and
bookmark the record you need.
New Internet/Chat Tab
A new Internet/Chat tab has been added to the Examiner interface to help you quickly view internet
artifacts data. This displays the same data that is shown in the Overview tab under the Internet/Chat
section.
Renamed Mozilla folder
In the Internet/Chat folder, the Netscape folder has been renamed to Mozilla Files.
KFF
Updated KFF NSRL 2.40 library
The NSRL library has been updated to NSRL 2.40.
When you install an NSRL update, you must keep the previous NSRL versions installed in order to
maintain the complete set of NSRL data.
Updated KFF Server
The KFF Server has been updated to version 1.2.0.
You can install these updates from one of the following locations:
• The Database (PostgreSQL) and KFF Installation Disc ISO
• Individual installation files
Both are available on the AccessData product download page:
http://www.accessdata.com/support/product-downloads
Media Investigation
Microsoft PhotoDNA Integration
A new processing option has been added to provide integration with the PhotoDNA algorithm. PhotoDNA
is an image-matching technology developed by Microsoft Research in collaboration with Dartmouth
College. It creates a unique signature for a digital image, something like a fingerprint, which can be
compared with the signatures of other images to find copies of that image. Like the Known File Filter
(KFF), this algorithm can be used to filter images in a case to reduce review time.
When an image is compared to a PhotoDNA library, the software generates a score between the image
and the closest match in the library. The score represents the distance between the two images. A score
of 0 indicates an identical or near-identical visual match. If the score is greater than 41943.04, the
images are not considered a match: FTK does not record the match and the field is left blank.
This feature allows you to:
• Create a library of DNA values
• Import and export your DNA libraries
• View the calculated distance between the values of known images in the library and the images in
your case
Three new columns have been added to allow you to use this feature:
• PhotoDNA Data
• PhotoDNA Distance
• PhotoDNA File ID
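As an added illustration of how the threshold described above behaves when a case image is compared against a library (this is example code, not code from the release notes or from AccessData's product): the nearest library entry is found, and if its distance exceeds 41943.04 the Distance and File ID columns stay blank. The 144-value signature length and the sum-of-squared-differences distance metric are assumptions made for this example only; the page does not describe PhotoDNA's internals, and real signatures come from Microsoft's PhotoDNA library, not from this code. The sample signatures and file id are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Threshold from the release notes: a distance above this is not a match, and
# FTK leaves the PhotoDNA Distance / PhotoDNA File ID fields blank.
PHOTODNA_MAX_MATCH_DISTANCE = 41943.04

# Assumed signature length for this example (the page does not state it).
SIGNATURE_LENGTH = 144


@dataclass
class LibraryEntry:
    """One known image in a PhotoDNA library: its file id and its signature."""
    file_id: str
    signature: Sequence[int]


def signature_distance(a: Sequence[int], b: Sequence[int]) -> float:
    """Distance between two signatures. The metric (sum of squared differences)
    is an assumption made for illustration; only the threshold semantics come
    from the release notes."""
    if len(a) != len(b) or len(a) != SIGNATURE_LENGTH:
        raise ValueError("signatures must both be %d values" % SIGNATURE_LENGTH)
    return float(sum((x - y) ** 2 for x, y in zip(a, b)))


def closest_match(case_sig: Sequence[int],
                  library: List[LibraryEntry]) -> Tuple[Optional[str], Optional[float]]:
    """Return (file_id, distance) of the nearest library entry, or (None, None)
    when the nearest entry is beyond the match threshold (the blank-field case)."""
    best_id: Optional[str] = None
    best_dist: Optional[float] = None
    for entry in library:
        dist = signature_distance(case_sig, entry.signature)
        if best_dist is None or dist < best_dist:
            best_id, best_dist = entry.file_id, dist
    if best_dist is None or best_dist > PHOTODNA_MAX_MATCH_DISTANCE:
        return None, None
    return best_id, best_dist


def photodna_columns(case_sig: Sequence[int], library: List[LibraryEntry]) -> dict:
    """Populate the three columns the release notes describe for one case image."""
    file_id, distance = closest_match(case_sig, library)
    return {
        "PhotoDNA Data": bytes(case_sig).hex(),
        "PhotoDNA Distance": distance,   # None means the field is left blank
        "PhotoDNA File ID": file_id,     # None means the field is left blank
    }


# Constructed sample data (not real PhotoDNA signatures).
KNOWN_SIGNATURE = [(i * 7) % 250 for i in range(SIGNATURE_LENGTH)]
NEAR_DUPLICATE_SIGNATURE = [v + 1 for v in KNOWN_SIGNATURE]   # every value off by one
UNRELATED_SIGNATURE = [255 - v for v in KNOWN_SIGNATURE]      # far from the known image
SAMPLE_LIBRARY = [LibraryEntry("KNOWN-0001", KNOWN_SIGNATURE)]

if __name__ == "__main__":
    for label, sig in [("identical", KNOWN_SIGNATURE),
                       ("near-duplicate", NEAR_DUPLICATE_SIGNATURE),
                       ("unrelated", UNRELATED_SIGNATURE)]:
        cols = photodna_columns(sig, SAMPLE_LIBRARY)
        print(label, cols["PhotoDNA File ID"], cols["PhotoDNA Distance"])
```

The identical image scores 0, the near-duplicate scores a small non-zero distance and still resolves to the library entry, and the unrelated image exceeds the threshold, so both match columns come back as None (blank in the file list).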
Imager
Destination Spanning
When creating an image, you can now specify secondary locations to be used if the first location fills up.
Enhanced Features for Command-line Imager
• You can now capture the RAM of a target computer
• You can now capture the Pagefile contents of the target computer
Database Compatibility with Summation 5.0 and eDiscovery 5.0
Now FTK and Summation or eDiscovery users can work collaboratively -- accessing the same case data on the
same database to perform legal review and forensic examination simultaneously.
You can do the following with Summation or eDiscovery cases:
• Open a case
• Backup and restore a case
• Add and remove evidence
• Perform Additional Analysis
• Search and Index data
• Export data
Other
Enhanced Vista/Windows 7 Recycle bin parsing
Previously, when data was analyzed from the recycle bin, attributes of a file were parsed into different
records making it difficult to reconcile the attributes of a single file because they were listed as multiple
records within the case. With this enhancement, all of the attributes of a single file are consolidated into a
single record for that file. This feature provides an easier way to view and export the data for files within
the recycle bin.
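As an added example of the consolidation the paragraph describes (example code, not FTK's or AccessData's own parser): the Vista/Windows 7 recycle bin keeps each deleted item as a pair of files, a $I metadata record (original path, size, deletion time) and a $R file holding the content. The parser below decodes the version-1 $I layout and joins each record with its $R counterpart, so every deleted file appears once with all of its attributes. The sample recycle bin is constructed inline; its file names, paths and timestamps are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Vista / Windows 7 $I<id> metadata record (format version 1), little-endian:
#   0x00  8 bytes    version (1)
#   0x08  8 bytes    original file size
#   0x10  8 bytes    deletion time as FILETIME
#   0x18  520 bytes  original path, UTF-16LE, NUL padded (260 characters)
I_RECORD = struct.Struct("<QQQ520s")
I_RECORD_SIZE = I_RECORD.size  # 544 bytes


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME ticks -> timezone-aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks, using integer arithmetic to stay exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_record(data: bytes) -> dict:
    """Decode one $I record into its attributes."""
    if len(data) < I_RECORD_SIZE:
        raise ValueError("$I record too short: %d bytes" % len(data))
    version, size, ft, raw_path = I_RECORD.unpack_from(data)
    if version != 1:
        raise ValueError("unsupported $I version %d (Vista/7 records use 1)" % version)
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"original_size": size, "deleted_utc": filetime_to_datetime(ft),
            "original_path": path}


def consolidate_recycle_bin(bin_files: dict) -> list:
    """bin_files maps recycle-bin file names ($I... / $R...) to their contents.
    Returns one record per deleted item: the $I attributes joined with the
    matching $R content, ordered by deletion time."""
    records = []
    for name, data in bin_files.items():
        if not name.startswith("$I"):
            continue
        rec = parse_i_record(data)
        content = bin_files.get("$R" + name[2:])   # $R shares the id suffix
        rec["recycle_name"] = name
        rec["content_present"] = content is not None
        rec["size_matches"] = content is not None and len(content) == rec["original_size"]
        records.append(rec)
    records.sort(key=lambda r: r["deleted_utc"])
    return records


def build_i_record(path: str, size: int, deleted: datetime) -> bytes:
    """Build a version-1 $I record (used here only to construct sample input)."""
    raw = path.encode("utf-16-le")
    if len(raw) > 520:
        raise ValueError("path longer than 260 UTF-16 characters")
    return I_RECORD.pack(1, size, datetime_to_filetime(deleted), raw)


# Constructed sample recycle bin: one item with its $R content, one without.
SAMPLE_BIN = {
    "$IABC123.docx": build_i_record(r"C:\Users\alice\Documents\report.docx", 5,
                                    datetime(2013, 12, 17, 9, 30, tzinfo=timezone.utc)),
    "$RABC123.docx": b"hello",
    "$IDEF456.txt": build_i_record(r"C:\Users\alice\Desktop\notes.txt", 3,
                                   datetime(2013, 12, 16, 18, 5, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for rec in consolidate_recycle_bin(SAMPLE_BIN):
        print(rec["deleted_utc"].isoformat(), rec["original_path"],
              rec["original_size"], rec["content_present"], rec["size_matches"])
```

A record whose $R file is missing is still reported (with content_present false) rather than silently dropped, and a size mismatch between the $I size field and the $R content is surfaced so the reviewer can see it in the same row.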
Automated Language Identification
A new processing option has been added that will analyze the first two pages of every document to
identify the languages contained within. The user will be able to filter by a Language field within review
and determine who needs to review which documents based on the language contained within the
document.
Modified Additional Analysis page
The Additional Analysis page has been separated into three function-based tabs to provide faster
identification of processing options.
Agent Data Acquisition
The speed of acquiring data through an agent has been improved.
Fixed Issues in 5.0
The following issues have been fixed for FTK 5.0:
Export
• Fixed an issue that caused the “Export messages from email archives to PST” feature to fail. (15196)
• Fixed an issue that when you decrypted a file, and then exported it to an image, if you processed that
image, the file was not decrypted. The exported file is now viewable. (17319)
• Fixed an issue that prevented an NSF file from being exported to a PST file. (11580)
• Fixed an issue that when exporting an AOL Email Archive (PFC) file, either as individual emails (MSG) or
the entire archive (PST), the resulting emails did not contain the FROM: field data. (20340)
Processing
• Fixed an issue that caused some processing information to not be stored in the jobinformation.log.
(17532)
• Fixed an issue that caused processing to sometimes fail when the Indexing processing option was
enabled and you added data with SWF files. (15746)
• Fixed an issue that if using OCR and selecting the B&W and Grayscale option, and then setting the Filter
to OCR Graphics, the File List pane may display graphics with color. (13140)
Visualization
• Fixed an issue that caused the Traffic Details in Email Visualization to sometimes show all Sent and
Received mail as the total count for Received Mail. (17657)
• Fixed an issue that sometimes caused the Visualization pane to become unresponsive when changing
the Timeline date from Created to Modified. (15171, 21964)
• Fixed an issue that may cause the Visualization pane to become unresponsive when launching the
Social Analyzer if there was no data in the Timespan bar. Now, if no data is available, the Social Analyzer
button is deactivated. (22174)
• Fixed an issue that caused the Timeline to change when switching from the Created to Modified file
values. (22598)
• Fixed an issue that caused the Row Highlighting to not work correctly in some circumstances. (11589)
• Fixed an issue that caused the email traffic details to sometimes not display properly. (22504)
Bookmarks
• Fixed an issue that when deleting a file from a bookmark, you were prompted to confirm the deletion
a second time, and regardless of your response, the file was deleted. This issue only occurred
when using Microsoft SQL Server for the database. (18215)
Search
• Fixed an issue that prevented the “Limit Search Hits” from working correctly when doing an Index Search.
(14619)
• Fixed an issue that when performing a Live Search, if you clicked Remove more than once, it would clear
the whole list. (14896)
KFF
• Fixed an issue that caused an “Error 1721” when uninstalling NSRL data after stopping or uninstalling the
KFF Server. (17617)
• Fixed an issue that caused the KFF Server to not restart after uninstalling NDIC data. (18122)
• Fixed an issue that when the 64-bit KFF Server was installed, it was installed to the Program Files (x86)
folder instead of the normal Program Files folder. (22022)
• Fixed an issue that after uninstalling the KFF Server and trying to uninstall the KFF Data, an Error 1721
was returned and you could not uninstall the data. (13920)
• You no longer need to perform a manual reboot of the computer after installing the KFF Server on 64-bit
computers. (15000)
• Fixed an issue that when uninstalling the KFF server, the service was not removed. (7279)
Other
• Fixed an issue that caused the Codemeter installation to fail on Windows 8 computers. (68531)
• Fixed an issue that prevented you from viewing deleted emails in a PST. (21582)
• When adding live evidence (files or folders) through Evidence Processing, if it encountered a file that it
could not open, there was no error recorded in a log and a 0-byte file was added to the case. An error is
now displayed and the error gets reported in the JobInformation.log. (18458)
• Fixed an issue that caused the tree view to not work correctly if graphic thumbnails were dragged off the
dock of the Graphics tab. (23359)
Known Issues in 5.0
The following items are known issues:
Search
• When doing a live search with multiple Chinese characters, no results are found. (9471)
• You can only get unicode search results when using Live Search and not dtSearch. (15338)
Reports
• Links to files in a PDF report do not open if Japanese characters are in the file name. The link does work
in HTML reports. (22936)
• When creating a report in ODT format, the page numbers display as 0. If you do a page preview, the page
numbers will be generated. (22952)
Processing
• Some information is not saved in processing profiles. (21000)
When you create a custom profile, the settings for Custom File Identification or Event Audit Log options
are not stored in the processing profile. The Send Email Alert and Decrypt Credant Files settings on the
Evidence Processing tab are also not stored in the processing profile.
• When performing data carving, you may get different results when done during Additional Analysis versus
processing when adding evidence. This is because during processing when adding evidence, the
thumb.db files are included whereas when using Additional Analysis, they are not. (23693)
KFF
• You cannot import .HASH files. (16520, 21671)
• When you import an XML or KFF file, the import will be successful but you may see the following error:
"Import returned error of: 22"
You can ignore the error. (24129)
• The version numbers of installed KFF libraries are not displayed in the KFF Manager. (13650)
Decryption
• When decrypting files from the Tools > Decrypt Files page, the decryption progress dialog appears briefly
then closes. (23234)
Visualization
• When viewing large amounts of email data in Visualization and adjusting the range of data, the display
may take some time to refresh the data. (21881)
Other
• FTK may not launch correctly if installed on Windows Server 2008 R2 or Server 2003 R2 if you also have
Adobe Acrobat installed. You may get an error: "The application failed to initialize properly
(0xc00000142)”. (19148)
• When exporting emails to a PST with the 'Preserve file structure' option selected, some emails may
not display in Outlook. (19086)
CIRT Compatibility
• CIRT job names are only viewable in FTK by node.
For example, if a job in CIRT is called Collection One, in FTK you only see the IP address of the node it
ran against and not the name. (16161)
• Computer software inventory data from a CIRT job does not display when the case is viewed in FTK.
(15818)
• FTK does not recognize CIRT users who log into CIRT using Windows authentication. To use a CIRT
user in FTK, you must create the user account in CIRT and grant the user the permissions that you want
them to have in FTK. (15813)
Summation and eDiscovery Compatibility
• The same documents may be displayed differently in the Natural Views of each product. (23084)
• The search results counts for the same case may be different when viewed in the different products due
to the way search options are executed in the respective products. (23005)
• If using Summation or eDiscovery to add evidence to a case that was created in FTK, search does not
return results from the new data. (23006) You can do one of the following as a workaround for this issue:
  • Add new evidence to a case using the same application that was used to add the original
  evidence.
  • After adding the new evidence using eDiscovery or Summation, add either a label or a code to the
  new data, which will cause the new data to be re-indexed.
• If using Summation or eDiscovery to add evidence to a case that was created in FTK, the Processing and
Indexing counts may be different due to different processing options. (22945)
• Attempting to view an FTK case in Summation or eDiscovery may sometimes cause an exception error
message. (22947)
• The processing options applied to a case differ depending on which product the case is created in.
For example, you may create a case in eDiscovery, process the evidence, and then add more evidence
using FTK. If you compare the JobInformation.log files, the processing options applied by FTK are
different from eDiscovery. (17186)
Where to get more information
Use the following documentation resources to learn more about this product. Each document is available in PDF
format in the download ISO file. The User Guide is also available through the Help menu in FTK.
The latest version of each document is available in the Product Release pane on the FTK product download
page:
http://www.accessdata.com/support/product-downloads/ftk-download-page
Document | Description
Quick Installation Guide | Information about how to install and upgrade this and related products.
User Guide | Information about how to use this product, including detailed technical information and instructions for performing tasks.
Upgrading, Migrating, and Moving Cases | Information about upgrading and migrating cases from 4.1 to 4.2, and moving cases from one database to another.
Upgrading Cases | Information about upgrading cases from 4.1 to 4.2.
Migrating Archived Cases | Information about upgrading or migrating cases that you have archived in a previous release.
Comments?
We value all feedback from our customers. Please contact us at support@accessdata.com, or send
documentation issues to documentation@accessdata.com.