Forensic Toolkit® (FTK®): Recognized around the World as the Standard in Computer Forensics Software
FTK is a court-accepted digital investigations platform that is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs.
In addition AccessData offers new expansion modules delivering an industry-first malware analysis capability and state-of-the-art visualization. These modules integrate with FTK to create the most comprehensive computer forensics platform on the market.
Cerberus
Cerberus is a malware triage technology that is available as an add-on for FTK 4. The first step towards automated reverse engineering, Cerberus provides threat scores and disassembly analysis to determine both the behavior and intent of suspect binaries.
Visualization
View data in multiple display formats, including timelines, cluster graphs, pie charts and more. Quickly determine relationships in the data, find key pieces of information, and generate reports that are easily consumed by attorneys, CIOs or other investigators.
Integrated Computer Forensics Solution
- Create images, process a wide range of data types from forensic images to email archives, analyze the registry, conduct an investigation, decrypt files, crack passwords, and build a report all with a single solution.
- Recover passwords from 100+ applications.
- KFF hash library with 45 million hashes.
- Advanced, automated analysis without the scripting.
Since FTK is Database Driven, it means you don't lose work due to crashing
Unlike other products on the market, FTK is database driven so
you won't experience the crashing associated with memory-based tools.
In addition FTK components are compartmentalized, so for example,
if the GUI crashes, the processing workers continue to process data.
Unmatched Processing
FTK is different from other computer forensics solutions in that
it processes data up front, so you're not wasting time waiting for
searches to execute during the analysis phase. However, the product
is designed to provide the fastest, most accurate and consistent
forensic processing possible with distributed processing and true
multi-threaded / multi-core support. Every copy of FTK includes
a total of 4 processing workers – 1 on the examiner machine and
3 distributed. If you are interested in having multiple examiners
share a common processing farm and centralized database for collaborative
analysis, please contact your sales representative to inquire about AccessData Lab.
- Wizard-driven processing ensures no data is missed.
- Cancel/Pause/Resume functionality
- Real-time processing status
- CPU resource throttling
- Email notification upon processing completion
- Pre- and post-processing refinement
- Advanced data carving engine allows you to specify criteria, such as file size, data type and pixel size to reduce the amount of irrelevant data carved while increasing overall thoroughness.
Single-Node Enterprise
Install a persistent or “dissolving” agent on a single computer to enable the
remote analysis and incident response capabilities of AD Enterprise.
Preview, acquire and analyze hard drive data, peripheral device
data, and volatile/memory data on Apple® , UNIX® and Linux® operating systems. Uninstall the agent at any time, and push it out
to a different computer for multi-machine analysis.
- Easy, wizard-driven agent deployment.
- Secure remote device mounting using the Pico agent.
Advanced Volatile / Memory Analysis
- Supports Windows® (32- and 64-bit), Apple®, UNIX® and Linux® operating systems
- Comprehensive analysis of volatile data
- Static RAM analysis from an image or against a live system
- Enumerate all running processes, including those hidden by rootkits, and display associated DLLs, network sockets and handles in context.
- Dump a process and associated DLLs for further analysis in third-party tools.
- Memory string search allows you to identify hits in memory and automatically map them back to a given process, DLL or piece of unallocated space and dump the corresponding item.
- FTK 4 now provides VAD tree analysis and exposes registry artifacts in memory and will parse and display handle information from memory.
Exceptional Apple® OS Analysis
- Process B-Trees attributes for metadata
- PLIST support
- SQLite database support
- Apple DMG and DD_DMG disk image support
- JSON file support
Faster, More Comprehensive Index and Binary Searching
FTK processes and indexes your data up front, so search and analysis
is faster than other products. Leveraging the powerful dtSearch
engine, as well as a full-featured regular expression engine, FTK produces fast and accurate results.
- New in FTK 4: Regular expression support in index searching allows you to search for advanced combinations of characters within indexed data.
Broad File System. File Type and Email Support
- Support for 700+ image, archive and file types
- Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, etc.), Netscape, AOL and RFC 833
- Process and analyze DMG (compressed and uncompressed), Ext4, exFAT, VxFS (Veritas File System), Microsoft VHD (Microsoft Virtual Hard Disk), Blackberry IPD backup files, Android YAFFS / YAFFS 2 and many more.
- Create and process Advanced Forensic Format (AFF) images.
Broad Encryption Support
- Automatically decrypt (with proper credentials) Credant, SafeBoot, Utimaco, SafeGuard Enterprise and Easy, EFS, PGP, GuardianEdge, Pointsec and S/MIME.
- FTK is the only computer forensics solution that can identify encrypted PDFs.
Explicit Image Detection (EID) Add-On
This image detection technology not only recognizes flesh tones,
but has been trained on a library of more than 30,000 images to
enable auto-identification of potentially pornographic images.
Rich Reporting
- Generate detailed reports in native format, HTML, PDF, XML, RTF, and more – with links back to the original evidence.
- Define Registry Supplemental Reports (RSR) during pre-processing or additional analysis.
- See which files could not be processed or indexed with the Processing Exception/Case Info report.
- Create a CSV of processed files that can be imported into Excel or a database application.
- Export MSGs for all supported email types.
CONFIGURATION OPTION 1 – Single PC/Server
Specifications for FTK 4 with the PostgreSQL Database, FTK UI and Primary Processing Engine on the Same PC/Server
Software
Operation System
Server 2008 R2 / Windows7 (64-bit)
Hardware
Processor
Intel® i7, Dual Quad Core Xeon, or AMD equivalent
Memory
32 GB (or more)
OS / Application drive
7200 RPM drive with 64MB cache or SSD drive
Storage for PostgreSQL database
160GB Solid State Drive (SSD) dedicated exclusively to PostgreSQL.
Network Card
Gigabit
HW RAID Controller
Highly recommended if hosting PostgreSQL database. Configure with RAID 5, 6, or 10 avoid RAID0
Temporary Folder Location
SSD drive or RAID0 partition w/ write-through
Drive Configuration
Drive 1: OS
Drive 2: PostgreSQL Database (SSD or HW RAID)
Drive 3: Case Folder and HD Image
Drive 4: Temp Directory (SSD or RAID0)
Drive 2: PostgreSQL Database (SSD or HW RAID)
Drive 3: Case Folder and HD Image
Drive 4: Temp Directory (SSD or RAID0)
CONFIGURATION OPTION 2 – Two PC/Server
Specification for FTK 4 UI and Processing Engine on one machine and PostgreSQL on a Separate (2nd) Machine (2 Node Configuration)
Node 1: Specifications for GUI and Worker
Software
Operation System
Server 2008 R2 or Windows7 (64-bit)
Hardware
Processor
Intel® Dual Quad Core, i7 or AMD equivalent
CD/DVD Drive
DVD
Memory
32 GB (or more)
OS/Application Drive Size
7200 RPM drive with 64MB cache
Network Card
Gigabit
HW RAID Controller
Highly recommended if hosting PostgreSQL database. Configure with RAID 5, 6, or 10 avoid RAID0
Temporary Folder Location
SSD drive or RAID0 partition w/ write-through
Storage for Index and Images
As necessary
Temporary Folder Location
SSD drive or RAID0 partition w/ write-through
Drive Configuration
Drive Set 1: OS
Drive Set 2: Hard Drive Image and Case Folder
Drive 3 (temp folder): SSD or RAID0
Drive Set 2: Hard Drive Image and Case Folder
Drive 3 (temp folder): SSD or RAID0
Node 2: Stand-alone Database Specifications for Windows-based PostgreSQL
Software
Operation System
Server 2008 R2 or Windows7 (64-bit)
Hardware
Processor
Intel® i7, Dual Quad Core Xeon, or AMD equivalent
Memory
32 GB (or more)
OS/Application Drive Size
7200 RPM drive with 64MB cache or SSD drive
Storage for PostgreSQL database
Solid State Drive (SSD) dedicated exclusively to PostgreSQL.
Network Card
Gigabit
HW RAID Controller
Highly recommended if hosting PostgreSQL database. Configure with RAID 5, 6, or 10 avoid RAID0
Drive Configuration
Drive Set 1: OS
Drive Set 2: PostgreSQL Database (SSD or HW RAID)
Drive Set 2: PostgreSQL Database (SSD or HW RAID)
BROCHURES
- [Deutsch] – OFD Niedersachsen setzt auf Digital Investigations mit AccessData
- Case Study: Royal Military Police seeks out AccessData for Digital Forensics
- Case Study: Processing 1TB+ of Complex Data in 12 Hours
- Explicit Image Detection
- Case Study: The Scott Peterson Trial
- FTK Brochure
- Cerberus Data Sheet
- Visualization Data Sheet
WHITE PAPERS
Our experienced team can provide in depth product or service explanations as well as, schedule a demo, and/or price quotes. You can expect a reply within 24-48 hours.
For an immediate response please contact us at: Domestic US: 800.574.5199 | Int’l: +44(0)20 7010 7800.
AccessData, Forensic Toolkit and FTK are registered trademarks owned by AccessData in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Any reference to non-AccessData marks are for the purposes of enumerating the technologies AccessData solutions will address during the course of a digital investigation.
Stop relying on third-party tools to see visual relationships within data. AccessData's new FTK add-on, Visualization, allows you to view data in seconds in multiple display formats, including timelines, cluster graphs, pie charts and more.
By combining the state-of-the-art backend processing of FTK with this graphical analytic interface you will dramatically enhance the accuracy and speed with which you analyze case data.
Visualization Highlights
Graphical Email Analytics
- Adjust scale and focus of communication periods in days, weeks, months, years and decades.
- Quickly determine and convey peak communication periods in a graphical format.
- View email custodian-level details including sent and received statistics to pinpoint periods of interest.
- Graphically represent the social network of an email custodian to determine strength/frequency of communication.
- Obtain key insight into the interaction among potential persons of interest and flag these email exchanges in FTK.
Graphical File Analytics
- Adjust scale and focus of created, modified and last accessed dates to identify gaps or areas of interest.
- Provide a complete picture of the data profile and makeup.
- Understand file volume and counts through an interactive interface.
- Sort and group files by a variety of metadata attributes.
- Efficiently identify and tag files for checking in FTK.
Mac features… that can't be found in any other Windows Analysis
Tool.
Ryan Kubasiak
www.AppleExaminer.com