Use of Prodiscovery and FTK

FTK
- Components
- Preview
- Acquisition
- New Case Setup
- Adding Evidence
FTK - Components
FTK – Forensic Toolkit, FTK Imager, License Manager, Password Recovery Toolkit, Registry Viewer, etc.
FTK – Components
License Manager
- Add or remove licenses from your dongle.
- Purchase additional licenses.
- Renew your subscription.
- Download product updates.
Start > All Programs > AccessData > LicenseManager > LicenseManager
FTK – Components
Password Recovery Tool Kit
PRTK – Password Recovery Tool Kit
FTK – Components
Registry Viewer
AccessData Registry Viewer
- Registry Viewer provides access to a registry’s protected areas, which contain useful forensic data not accessible in Windows regedit.
FTK – Components
Registry Viewer
Some of the forensic data found in the registry files consists of:
- Usernames and passwords
- A history of Internet sites accessed, including date and time
- A record of Internet searches performed on Google, Yahoo, etc.
- Lists of recently accessed files
- A list of all programs installed on the system
FTK Imager
Preview
Acquisition
FTK – Imager
FTK Imager
- Used to make a copy of a device (i.e., hard drive, CD, thumb drive, etc.)
Imager Screens
- Evidence Tree, File List, Properties, Viewer
FTK Imager - Preview
Physical drives – Used to image an entire HD.
Logical drives – Used to image a single partition (A, C, D, etc).
FTK Imager - Preview
In the File List window, click once on the second item.
In the Properties window, note the Date Accessed.
FTK Imager - Preview
Exit out of FTK Imager and open My computer > A drive.
Note that only one item is listed on the floppy.
After you open the file, close the picture and exit out of
FTK Imager - Preview
Once again, start FTK Imager.
Add the “A” drive as evidence.
Select the second file and note the date stamp.
FTK Imager - Preview
Preview of the Recycle bin
- SID
- Info2 files
FTK Imager - Preview
Preview of unallocated space.
FTK Imager - Preview
Preview of unallocated space cont.
- Note the text.
FTK Imager - Preview
Preview mode allows you to export items of interest without changing the data.
FTK Imager - Preview
Exporting items in class.
- Class labs will be located on the Forensics partition.
- Items exported from your cases should be stored on the “F” drive.
FTK Imager - Acquisition
Image types
- EnCase .E01
- SMART .S01
- Linux dd
FTK can read:
- Encase
- SMART
- Linux dd
- WinImage
- Ghost
- ICS
- Safeback
- CUE and ISO
FTK Imager - Acquisition
Physical drive – Represents the entire contents of a hard drive, includes all partitions.
Logical drive - Represents the contents of a single partition or Windows drive letter.
FTK Imager - Acquisition
Logical Drive selection
- Note, your Drive Selection options change.
FTK Imager - Acquisition
Click on the Add button. This will bring up the Select Image Type screen.
Select Image Type
- CD or DVD – This screen is omitted since the image is created as ISO or CUE.
FTK Imager - Acquisition
Enter a Case Number:
- Such as (070522-010)
  - Year 07, month 05, day 22.
  - The 010 allows multiple cases in a given day.
Enter an Evidence Number:
- Such as (0010)
  - The 0010 allows additional data to be added to the case at a later date.
Case Name.
- It’s a good idea to add the device type in the name, i.e., desktop, floppy, laptop, etc.
- Example: smithdesktopHD1, smithdesktopHD2, smithfloppy1, etc.
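Added example (not from the deck or from AccessData): a small Python helper that validates the case-number and evidence-number conventions above and builds case names of the smithdesktopHD1 form. The deck only gives the samples 070522-010 and 0010; that daily sequences start at 010 and that evidence numbers count up by one (0010, 0011, ...) are assumptions of this example, as is the custodian+device+item layout of the case name.

```python
import re
from datetime import date, datetime
from typing import Iterable, Tuple

# Deck conventions: case number YYMMDD-NNN (e.g. 070522-010), evidence number NNNN (e.g. 0010).
CASE_NUMBER_RE = re.compile(r"^(\d{6})-(\d{3})$")
EVIDENCE_NUMBER_RE = re.compile(r"^\d{4}$")


def parse_case_number(case_number: str) -> Tuple[date, int]:
    """Split YYMMDD-NNN into the date the case was opened and its daily sequence."""
    m = CASE_NUMBER_RE.match(case_number)
    if not m:
        raise ValueError(f"case number {case_number!r} is not in YYMMDD-NNN form")
    # strptime rejects impossible dates such as 071340, which a plain regex would accept
    opened = datetime.strptime(m.group(1), "%y%m%d").date()
    return opened, int(m.group(2))


def next_case_number(today: date, existing: Iterable[str]) -> str:
    """Next free case number for today (assumption: sequences start at 010, step 1)."""
    prefix = today.strftime("%y%m%d")
    used = [parse_case_number(c)[1] for c in existing if c.startswith(prefix + "-")]
    seq = max(used) + 1 if used else 10
    return f"{prefix}-{seq:03d}"


def next_evidence_number(existing: Iterable[str]) -> str:
    """Next evidence number for data added later (assumption: 0010, 0011, ...)."""
    used = [int(e) for e in existing if EVIDENCE_NUMBER_RE.match(e)]
    seq = max(used) + 1 if used else 10
    return f"{seq:04d}"


def case_name(custodian: str, device: str, item: str) -> str:
    """Build a name such as smithdesktopHD1 (assumed layout: custodian, device type, item)."""
    def clean(s: str) -> str:
        return re.sub(r"[^A-Za-z0-9]", "", s)   # the name becomes part of a folder path
    return clean(custodian).lower() + clean(device).lower() + clean(item)


if __name__ == "__main__":
    opened, seq = parse_case_number("070522-010")
    print(opened, seq)                                            # 2007-05-22 10
    print(next_case_number(opened, ["070522-010", "070522-011"]))  # 070522-012
    print(next_evidence_number(["0010"]))                          # 0011
    print(case_name("Smith", "Desktop", "HD1"))                    # smithdesktopHD1
```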
Forensic Toolkit (FTK)
New Case Setup
Adding Evidence
General Settings
FTK – New Case Setup
- Start a new case
- Open an existing case
- Preview evidence
  - This option will start up FTK Imager.
- Go directly to work
FTK – New Case Setup
Case Number
- Note! Case Number doesn’t include the Evidence Number.
- What’s wrong with the case number?
Case Name
- Note! The name is appended to the path to create a case folder.
FTK – New Case Setup
Depending on your site policy you may or may not have to complete this screen.
Select Next.
FTK - New Case Setup
Case Log Options
- Allows you to determine what to include in the case log file.
- It documents case activities.
The log file is called:
- FTK.log
- Located in the case folder.
Usage
- Reports
- Identifying case status/progress.
Manually modifiable
- Tools > Add Case Log Entry
FTK - New Case Setup
KFF - Skip system files
Entropy - Skip encrypted file indexing
Full Text Index - Longest step in case creation.
FTK - New Case Setup
Decrypt EFS Files - Requires PRTK to decrypt EFS files.
File Listing DB - MS Access db of files
Data Carve - Finds files embedded in other files and free space.
FTK - New Case Setup
Data Carving:
- Picture - Porn
- PDF – Theft of intellectual property.
- HTML – Porn, time charging, etc.
- AOL/AIM – Time charging, theft of intellectual property.
- Office Documents – Time charging, theft of intellectual property.
FTK - New Case Setup
Only use the “Include All Items” option!!!
FTK - New Case Setup
Don’t limit yourself.
FTK - New Case Setup
You have now finished defining the global settings for
this case and are ready to add an image file.
Select Add Evidence.
FTK – Overview
FTK – Overview - Explore
FTK – Overview - Graphics
FTK – Overview - Email
FTK – Overview - Bookmark
FTK – Adding Evidence
On the first screen you can only change the name of the investigator.
On the Processes to Perform you can change each of the settings.
FTK – Adding Evidence
Select the Add Evidence button.
Then select Acquired Image of Drive.
FTK – General Topics
FTK – General
Column Settings
Column Settings allows you to customize the arrangement of the columns.
- Click on the item highlighted in red above in order to access the column options.
FTK – General
Column Settings
You can use this screen to select what you want displayed as well as the order the items appear.
FTK – General
File Properties
In the Overview tab right-click on a file and select File Properties.
- The General Info tab provides basic file info.
FTK – General
File Properties
File Source Info
- Evidence Info
- Deletion Info
- Physical Info
- Container Info
FTK – General
File Properties
File Content Info
- KFF status
- MD5 hash
- Password
- Encryption
FTK – General
File Properties
Case-Specific Info
- This tab lists various actions and settings applied to this item.
FTK – General
Bad Extension
FTK compares the file header with the file
extension to determine if there is a match.
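Added example (not from the deck or from AccessData) covering two of the checks described in this deck: the Data Carve option, which finds files embedded in other files and in free space, and the Bad Extension check, which compares a file's header with its extension. The signature table, the minimal JPEG/PDF-shaped byte strings and the stretch of "unallocated space" are all constructed for the example; a real carver uses a much larger table and also handles formats with no fixed footer.

```python
from typing import Dict, List, Optional, Tuple

# Header/footer signature table (constructed for this example).
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}


def identify_by_header(data: bytes) -> Optional[str]:
    """Type implied by the first bytes, ignoring whatever the file is called."""
    for ext, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return ext
    return None


def bad_extension(filename: str, data: bytes) -> bool:
    """True when the header says one type and the file name's extension claims another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    actual = identify_by_header(data)
    if actual is None:
        return False  # header not in the table: nothing to compare against
    return actual != ext


def carve(blob: bytes, max_size: int = 1_000_000) -> List[Tuple[int, str, bytes]]:
    """Find every header..footer run in blob, whether in free space or inside another file.

    Returns (offset, type, bytes) sorted by offset. A header with no footer within
    max_size bytes is skipped rather than producing a bogus oversized file.
    """
    found: List[Tuple[int, str, bytes]] = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            end_marker = blob.find(footer, start + len(header), start + max_size)
            if end_marker == -1:
                pos = start + 1
                continue
            end = end_marker + len(footer)
            found.append((start, ext, blob[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[0])


# Constructed sample: a JPEG-shaped blob, a PDF that embeds it, and a stretch of
# "unallocated space" holding the PDF plus a second loose copy of the JPEG.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
FAKE_PDF = b"%PDF-1.4\n" + FAKE_JPEG + b"\n%%EOF"
UNALLOCATED = b"\x00" * 16 + FAKE_PDF + b"\x00" * 8 + FAKE_JPEG + b"\x00" * 16

if __name__ == "__main__":
    for offset, kind, payload in carve(UNALLOCATED):
        print(f"offset {offset:4d}: {kind} ({len(payload)} bytes)")
    print("holiday.jpg ->", bad_extension("holiday.jpg", FAKE_JPEG))  # False
    print("notes.txt   ->", bad_extension("notes.txt", FAKE_JPEG))    # True
```

Running it lists the PDF at offset 16, the JPEG embedded inside it at offset 25, and the loose JPEG at offset 65, which is the "embedded in other files and free space" behaviour the deck attributes to Data Carve; the same header table drives the extension check.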
FTK – General
File Export
Right-click on the file and select “Export File”
FTK – General
Folder Export
Right-click on the folder and select “Recursive File Export”
Next select the location to place the folder content.
FTK – General
Copy Special
- You can copy specific information, such as time and date stamps.
- It only copies the info, not the file.
- Note the copy destination.
Right-click on the file and select “Copy Special”
FTK – General
Sorting & Type Down
Sorting
- FTK allows two levels of sorting.
- When two columns are selected, the first column selected becomes the secondary sort.
Type Down
- FTK allows up to 5 characters.
- The characters must be typed in rapid succession.
FTK – General
Time Zone
Time zone setting - View > Time Zone Display
Determining time zone setting – DTZ button
The time zone defaults to the local machine.
FTK – Graphics
File content
- Inappropriate material - Porn
- Case related – Money graphics
File location
- Temporary Internet Files – may be accidental
- User created directories
File time and date stamp
- Creation date and last accessed
Status – Deleted files
FTK – Graphics
List all descendants – Selecting will display all items in the current folder and its subfolders.
Green buttons – Indicate flagged items.
FTK – Graphics
Detached Viewer
Detached viewer makes it possible for you to do the following:
- Rotate a photo
- Change its size
- Zoom in or out
- Display, print or save to the clipboard
FTK – Graphics
Associated Programs
To open a file with another program utilize one of the following View options:
- Launch Associated Program - will display the file with the program associated with its file type.
- View With – Displays a list of installed programs to choose from.
FTK – Graphics
Marking Graphics for Reports
There are two ways to include a graphic in a report:
- Flagging
- Bookmarking
FTK – Graphics
Marking Graphics for Reports
Flagging
- Graphics Tab – For each graphic you want included in the report select the Red button. Doing so will change it from Red to Green.
FTK – Graphics
Marking Graphics for Reports
Flagging cont.
- To flag all the files in a folder
  - Select the folder > Select List all descendants > Select the Green button.
FTK – Graphics
Marking Graphics for Reports
Bookmarking
FTK – Known File Filter (KFF)
Known File Filter
- Hashkeeper – National Drug Intelligence Center (NDIC).
- National Institute of Standards and Technology (NIST)
FTK – Known File Filter (KFF)
Known file filter compares the hash values of the files in your case against a database of known hash values.
- It can help you identify files that should be ignored (i.e., operating system and application files).
- It can help you identify known files pertinent to your case.
FTK – Known File Filter (KFF)
The hash value used is based on the data contained in the file, not its name or extension.
The hash value can prove that the file has not been altered.
Two common hashing algorithms are:
- Message Digest 5 (MD5)
- Secure Hash Algorithm (SHA)
To add custom hash values:
- Use FTK or FTK Imager to create a hash set and then import it into KFF.
Update KFF
- Download the zip file from AccessData
- Extract the .hdb file into a temp folder
- Using FTK import the .hdb file
  - Tools > Import KFF Hashes . . .
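Added example (not from the deck or from AccessData) showing what the Known File Filter does with the hashes described in these slides: an ignore set of known system files, an alert set of files known to be pertinent to the case, classification of case files by content hash, and a check that a file has not been altered since its hash was recorded. The file contents and the two hash sets are constructed; the custom hash set is built in plain Python here and is not written in FTK's .hdb format.

```python
import hashlib
from typing import Dict, Mapping, Set


def file_hash(data: bytes, algorithm: str = "md5") -> str:
    """Hash of the content only; the file's name and extension play no part."""
    return hashlib.new(algorithm, data).hexdigest()


def build_hash_set(files: Mapping[str, bytes], algorithm: str = "md5") -> Set[str]:
    """Custom hash set from a group of files (stand-in for creating one in FTK/FTK Imager)."""
    return {file_hash(data, algorithm) for data in files.values()}


def kff_classify(files: Mapping[str, bytes], ignore_set: Set[str], alert_set: Set[str],
                 algorithm: str = "md5") -> Dict[str, str]:
    """Label each case file: 'alert' (known pertinent), 'ignore' (known benign), 'unknown'."""
    result: Dict[str, str] = {}
    for name, data in files.items():
        h = file_hash(data, algorithm)
        if h in alert_set:            # a pertinent match outranks an ignore match
            result[name] = "alert"
        elif h in ignore_set:
            result[name] = "ignore"
        else:
            result[name] = "unknown"
    return result


def unaltered(data: bytes, expected_hash: str, algorithm: str = "md5") -> bool:
    """Verify that a file still matches the hash recorded when it was acquired."""
    return file_hash(data, algorithm) == expected_hash


# Constructed sample data standing in for a library of known system files,
# a case-specific alert set, and the files found in a case.
KNOWN_SYSTEM_FILES = {
    "calc.exe": b"MZ constructed calculator binary",
    "kernel32.dll": b"MZ constructed system library",
}
KNOWN_CASE_FILES = {"design_plans.pdf": b"%PDF-1.4 constructed proprietary design"}
CASE_FILES = {
    "calc.exe": KNOWN_SYSTEM_FILES["calc.exe"],
    "holiday.jpg": KNOWN_CASE_FILES["design_plans.pdf"],  # renamed copy of a known file
    "report.doc": b"constructed user document",
}

if __name__ == "__main__":
    ignore = build_hash_set(KNOWN_SYSTEM_FILES)
    alert = build_hash_set(KNOWN_CASE_FILES)
    for name, status in kff_classify(CASE_FILES, ignore, alert).items():
        print(f"{name:16s} {status}")   # calc.exe ignore, holiday.jpg alert, report.doc unknown
```

Because only the bytes are hashed, the renamed copy holiday.jpg is still flagged as the known case file, which is the point of the slide about names and extensions.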
FTK – Search and Reporting
Checked Items
Filtered Items
Searching
Reporting
FTK – Checked Items
You can select items on any of the six main tabs and they will appear in the list of “Checked Items” on the Overview tab.
FTK – Checked Items, Exporting
Exporting Checked Items.
- Right click an item and select export file.
- Then select All checked files.
FTK – Checked Items, Exporting
Select the export folder in your case folder.
Note, the two check boxes at the bottom.
FTK – Checked Items, Exporting
Deleted files – Note, the first 2 files have a “!” at the beginning of the file name.
Prepend archive name to file name.
FTK – Checked Items, Copy Special
Copy Special
- Can be used to copy information about all checked files.
- Right click an item and select copy special.
FTK – Checked Items, Copy Special
Next select All Checked Items.
Then pick a Copy destination.
FTK – Checked Items, Bookmarking
Bookmarking Checked Items:
- To narrow future work.
- Reduce search efforts.
- Tools > Create Bookmark
FTK – Checked Items, Bookmarking
Enter a name
Select “All checked items”
To add “All checked items” to your report select the “Include in report” option.
FTK – Filter Items
File Filter Manager is designed to reduce viewable data based on your needs.
You can isolate viewable files based on file:
- Status – Deleted, encrypted, KFF, etc.
- Type – graphic, email, zip, document, etc.
- Size
- Date
FTK – Filter Items
To apply a filter, the filter button must be selected as well as a filter.
FTK – Filter Items
Actual Files – Note the change in files displayed when selecting this button.
All Items button will include email attachments, Zip file contents, etc.
Actual Files – will only include files.
FTK – Filter Items
Selecting pre-built and custom made filters.
Note the number of Total File Items and Encrypted Files.
Select the pre-built Encrypted Files filter.
FTK – Filter Items
Note the number of items displayed.
FTK – Filter Items
Building custom filters.
- Clear all filters by selecting the “Unfiltered” menu item.
- Next, select the Graphics Files filter.
FTK – Filter Items
Graphic Files filter enabled:
- Note, the change in items displayed.
FTK – Filter Items
Select the File Filter Manager button.
- Note the Graphic type setting is Conditional Show.
FTK – Filter Items
Select the Legend Show button.
- Next, select the Graphic type button until it turns red.
- Name your filter.
- Select Save/Apply.
The graphic files that remain represent files with a graphic file extension; however, FTK doesn’t recognize the file type.
FTK - Searching
An index file is generally created during the case creation process.
- The index file contains all words and number strings found in allocated and unallocated space.
- Special characters are not included.
- FTK utilizes a third party tool, called dtSearch, to index the case.
- If indexing wasn’t performed during case setup, the investigator can use Tools > Analysis Tools > Full Text Index to create the index file.
FTK - Searching
Search options
- All files
- Checked files
- Filtered files
FTK - Searching
Regular expressions:
- Phone numbers
- Credit card numbers
- Social Security numbers
- IP addresses
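Added example (not from the deck, from AccessData or from dtSearch) that ties the two searching slides together: it builds an index of the kind the deck describes (words and number strings only, special characters dropped) over a constructed byte string, then runs regular expressions for phone numbers, Social Security numbers, credit card numbers and IP addresses over the raw data. The sample text, the token rule and the four patterns are constructed for this example; the patterns are tuned for the sample and do not cover every real-world format.

```python
import re
from typing import Dict, List, Tuple

# Index terms: runs of letters and digits only, so punctuation never becomes part of a term.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")

# Live-search patterns (constructed; tuned for the sample rather than every format).
PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[- ]){3}\d{4}\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}


def build_index(data: bytes) -> Dict[str, List[int]]:
    """Map each lower-cased word/number string to the byte offsets where it occurs."""
    text = data.decode("latin-1")  # one character per byte, so offsets stay byte offsets
    index: Dict[str, List[int]] = {}
    for m in TOKEN_RE.finditer(text):
        index.setdefault(m.group().lower(), []).append(m.start())
    return index


def index_lookup(index: Dict[str, List[int]], term: str) -> List[int]:
    """Offsets of an indexed term; a term containing punctuation can never be found here."""
    return index.get(term.lower(), [])


def regex_search(data: bytes) -> List[Tuple[str, int, str]]:
    """Run every pattern over the raw data; returns (label, offset, match) sorted by offset."""
    text = data.decode("latin-1")
    hits = [(label, m.start(), m.group())
            for label, pat in PATTERNS.items() for m in pat.finditer(text)]
    return sorted(hits, key=lambda h: h[1])


# Constructed sample standing in for allocated text followed by slack/unallocated bytes.
SAMPLE = (b"Call 555-867-5309 re: invoice. SSN 123-45-6789 on file. "
          b"Card 4111 1111 1111 1111 charged. Host 192.168.1.20 reachable."
          b"\x00\x00\x00deleted note: meet 555-867-5309\x00\x00")

if __name__ == "__main__":
    idx = build_index(SAMPLE)
    print("invoice ->", index_lookup(idx, "invoice"))            # [22]
    print("5309 ->", index_lookup(idx, "5309"))                  # [13, 148]
    print("555-867-5309 ->", index_lookup(idx, "555-867-5309"))  # []
    for label, offset, match in regex_search(SAMPLE):
        print(f"{offset:4d} {label:12s} {match}")
```

The index finds "invoice" and the bare number string "5309" (in both the allocated text and the deleted note after the null bytes) but has no entry for "555-867-5309", because the hyphens were never indexed; the regex pass over the raw bytes is what returns the formatted phone, SSN, card and IP values with their offsets.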
FTK - Reporting
To generate a report:
- File > Report Wizard