Forensic Toolkit® (FTK®): Recognized around the World as the Standard in Computer Forensics Software

FTK is a court-accepted digital investigations platform built for speed, stability and ease of use. It performs comprehensive processing and indexing up front, so filtering and searching are faster than with any other product. This means you can zero in on the relevant evidence quickly, dramatically increasing your analysis speed. The database-driven, enterprise-class architecture lets you handle massive data sets, providing stability and processing speeds not possible with other tools. Because of this architecture, FTK can also be upgraded easily to expand distributed processing and to incorporate web-based case management and collaborative analysis.

NOW INCLUDED IN FTK® 5…

Data Visualization for Automated Graphical Timeline Construction and Social Analysis
Automated graphical timeline construction and analysis of social relationships… two of the most essential but time consuming tasks during an examination.

Explicit Image Detection (EID)
EID is NOT just detecting flesh tones. It will analyze shape and orientation as well.

  • Invaluable for anybody dealing with child pornography (CP) cases
  • Zero in on illicit images in minutes

Add Cerberus Malware Triage & Analysis to Forensic Toolkit, and gain actionable intelligence prior to engaging a malware team.

Cerberus is the malware analysis component of AccessData’s integrated incident response platform, CIRT (Cyber Intelligence & Response Technology). This module is available as an add-on to FTK. The first step towards automated reverse engineering, Cerberus allows you to determine the behavior and intent of suspect binaries, giving you actionable intelligence without having to wait for a malware team to perform deeper, more time consuming analysis.

INTEGRATED COMPUTER FORENSICS SOLUTION

Create images, process a wide range of data types from forensic images to email archives, analyze the registry, conduct an investigation, decrypt files, crack passwords, and build a report all with a single solution.

  • Recover passwords from 100+ applications.
  • KFF hash library with 45 million hashes.
  • Advanced, automated analysis without the scripting.

UNIQUE FTK® ARCHITECTURE PROVIDES UNMATCHED STABILITY

FTK is database driven so you won’t experience the crashing and lost work associated with memory-based tools. FTK components are compartmentalized, so for example, if the GUI crashes, the processing workers continue to process data.

UNMATCHED PROCESSING

  • Distributed processing with a total of four workers: one on the examiner machine and three distributed
  • True multi-threaded / multi-core support.
  • Wizard-driven processing ensures no data is missed.
    • Cancel/Pause/Resume functionality
    • Real-time processing status
    • CPU resource throttling
    • Email notification upon processing completion
  • Pre- and post-processing refinement
  • Advanced data carving engine allows you to specify criteria, such as file size, data type and pixel size to reduce the amount of irrelevant data carved while increasing overall thoroughness.
  • Create, import and export reusable processing profiles with pre-defined processing options for different investigative needs.

LOG2TIMELINE CSV SUPPORT

This processing option treats CSV files in the log2timeline format and parses the data in a single CSV into individual records within the case. In addition, users can leverage the FTK Visualization engine to perform more advanced timeline analysis across a broad set of data.
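As an added illustration (not AccessData's code, and not how FTK implements the option), the Python below does what the processing option above describes for a constructed l2t_csv sample: it turns every CSV row into a record, then buckets the records by day, week, month or year so that peak periods and gaps can be read off, which is the kind of view the Data Visualization section later describes. It assumes the 17-column l2t_csv layout, MM/DD/YYYY dates, and that the export was written in UTC; the sample rows, host name and paths are constructed for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Column order of the log2timeline "l2t_csv" output (17 fields).
L2T_FIELDS = [
    "date", "time", "timezone", "MACB", "source", "sourcetype", "type",
    "user", "host", "short", "desc", "version", "filename", "inode",
    "notes", "format", "extra",
]

# Constructed sample rows in l2t_csv layout (not real case data).
SAMPLE_L2T = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/12/2014,08:15:02,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,WKS01,C:/Users/bob/Downloads/invoice.exe,Size: 212992,2,/cases/wks01.E01,4011,-,mft,-
03/12/2014,08:15:40,UTC,...B,REG,Registry Key,Creation Time,bob,WKS01,HKCU/Software/Microsoft/Windows/CurrentVersion/Run,updater = C:/Users/bob/AppData/Roaming/updater.exe,2,/cases/wks01.E01,4012,-,winreg,-
03/13/2014,01:02:11,UTC,.A..,FILE,NTFS $MFT,Last Access Time,-,WKS01,C:/Users/bob/AppData/Roaming/updater.exe,Size: 81920,2,/cases/wks01.E01,4013,-,mft,-
03/13/2014,01:02:15,UTC,MACB,FILE,NTFS $MFT,Created/Modified,-,WKS01,C:/Windows/Temp/~tmp3.dat,Size: 1024,2,/cases/wks01.E01,4014,-,mft,-
03/13/2014,01:05:59,UTC,M...,LOG,Windows Event Log,Event Logged,SYSTEM,WKS01,EventID 7045 service installed,Service name: updater,2,/cases/wks01.E01,4015,-,winevtx,-
03/15/2014,17:44:03,UTC,M...,WEBHIST,Chrome History,Last Visited Time,bob,WKS01,http://irc.example.net/,Visit,2,/cases/wks01.E01,4016,-,chrome,-
"""


def parse_l2t(text):
    """Parse l2t_csv text into one record per row, sorted by timestamp."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in L2T_FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("not l2t_csv, missing columns: %s" % ", ".join(missing))
    records = []
    for row in reader:
        # Assumption for this example: the export was written in UTC. l2t_csv
        # carries a timezone column, so anything else must be converted, not trusted.
        if row["timezone"].upper() != "UTC":
            raise ValueError("unsupported timezone %r" % row["timezone"])
        ts = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        records.append({
            "timestamp": ts.replace(tzinfo=timezone.utc),
            # Which of Modified / Accessed / Changed / Born this row stands for.
            "macb": frozenset(c for c in row["MACB"] if c != "."),
            "source": row["source"],
            "sourcetype": row["sourcetype"],
            "host": row["host"],
            "user": row["user"],
            "short": row["short"],
            "desc": row["desc"],
        })
    records.sort(key=lambda r: r["timestamp"])
    return records


SCALES = ("day", "week", "month", "year")


def period_key(ts, scale):
    """Bucket label for a timestamp at the given scale (the timeline's zoom level)."""
    if scale == "day":
        return ts.strftime("%Y-%m-%d")
    if scale == "week":
        year, week, _ = ts.isocalendar()
        return "%d-W%02d" % (year, week)
    if scale == "month":
        return ts.strftime("%Y-%m")
    if scale == "year":
        return ts.strftime("%Y")
    raise ValueError("unknown scale %r" % scale)


def bucket(records, scale="day"):
    """Count events per period; empty periods between keys are the gaps."""
    return Counter(period_key(r["timestamp"], scale) for r in records)


def peak_period(records, scale="day"):
    """(period, count) of the busiest period at this scale."""
    return bucket(records, scale).most_common(1)[0]


def filter_records(records, source=None, needle=None):
    """Narrow the timeline to one source and/or a substring of the short/desc text."""
    out = []
    for r in records:
        if source and r["source"] != source:
            continue
        if needle and needle not in r["short"] and needle not in r["desc"]:
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    recs = parse_l2t(SAMPLE_L2T)
    for scale in SCALES:
        print(scale, dict(bucket(recs, scale)))
    print("peak day:", peak_period(recs, "day"))
    for r in filter_records(recs, needle="updater"):
        print(r["timestamp"].isoformat(), "".join(sorted(r["macb"])), r["source"], r["short"])
```

The header check matters in practice: a CSV that merely looks like a timeline but lacks the l2t_csv columns should be rejected rather than parsed into half-empty records, and the timezone column should never be ignored, because a single mis-zoned source shifts artefacts across the very day boundaries the bucketing is meant to expose.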

BROAD FILE SYSTEM, FILE TYPE AND EMAIL SUPPORT

  • Support for 700+ image, archive and file types
  • Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, etc.), Netscape, AOL and RFC 822
  • Process and analyze DMG (compressed and uncompressed), Ext4, exFAT, VxFS (Veritas File System), Microsoft VHD (Microsoft Virtual Hard Disk), Blackberry IPD backup files, Android YAFFS / YAFFS 2 and many more.
  • Create and process Advanced Forensic Format (AFF) images.

BROAD ENCRYPTION SUPPORT

  • Now, FTK® users can send files directly to PRTK® for on-the-fly password recovery during evidence review.
  • FTK® is able to decrypt almost as many file formats as PRTK. Users can also import password lists to decrypt files during the processing phase.
  • File families supported include: Credant, SafeBoot, Utimaco, SafeGuard Enterprise and Easy, EFS, PGP, GuardianEdge, Pointsec, S/MIME, OpenOffice, TrueCrypt, FileVault (Apple), FileVault 2 (Apple), DMG files (Apple), RAR, ZIP (including WinZip advanced encryption), 7-Zip, password-protected iOS backup files, PGP password files, BCArchive, BCTextEncoder, ABICoder, AdvancedFileLock, Ashampoo, CryptoForge, Cypherus and more.
  • FTK is the only computer forensics solution that can identify encrypted PDFs.

DATA VISUALIZATION FOR AUTOMATED TIMELINE CONSTRUCTION AND SOCIAL ANALYSIS

  • Adjust scale and focus of communication periods in days, weeks, months, years and decades.
  • Quickly determine and convey peak communication periods in a graphical format.
  • Graphically represent social relationships visualizing domains “talking” to each other, as well as each individual’s email interactions.
  • View email custodian-level details including sent / received statistics to pinpoint periods of interest.
  • Adjust the scale and focus of created, modified and last accessed dates for files to identify gaps or areas of interest.
  • Understand file volume and counts, and sort and group by a variety of attributes.
  • Include timeline screenshots in your case reports.

FASTER, MORE COMPREHENSIVE INDEX AND BINARY SEARCHING

FTK processes and indexes your data up front, so you can conduct search and analysis faster than you can with other products. Leveraging the powerful dtSearch engine, as well as a full-featured regular expression engine, FTK produces fast and accurate results.

  • Regular expression support in index searching allows you to search for advanced combinations of characters within indexed data.

SINGLE-NODE ENTERPRISE

Install a persistent or “dissolving” agent on a single computer to enable the remote analysis and incident response capabilities of AD Enterprise. Preview, acquire and analyze hard drive data, peripheral device data, and volatile/memory data on Windows®, Apple®, UNIX® and Linux® operating systems. Uninstall the agent at any time, and push it out to a different computer for multi-machine analysis.

  • Easy, wizard-driven agent deployment.
  • Secure remote device mounting using the Pico agent.

ADVANCED VOLATILE / MEMORY ANALYSIS

  • Supports Windows® (32- and 64-bit), Apple®, UNIX® and Linux® operating systems
  • Comprehensive analysis of volatile data
  • Static RAM analysis from an image or against a live system
  • Enumerate all running processes, including those hidden by rootkits, and display associated DLLs, network sockets and handles in context.
  • Dump a process and associated DLLs for further analysis in third-party tools.
  • Memory string search allows you to identify hits in memory and automatically map them back to a given process, DLL or piece of unallocated space and dump the corresponding item.
  • FTK provides VAD tree analysis and exposes registry artifacts in memory and will parse and display handle information from memory.

MICROSOFT® PHOTODNA® INTEGRATION

A new processing option provides integration with Microsoft's PhotoDNA algorithm. PhotoDNA computes a signature for a digital image, something like a fingerprint, which can be compared with the signatures of other images to find copies of that image. Unlike the cryptographic hashes in the Known File Filter (KFF), which match only byte-identical files, a PhotoDNA signature is designed to still match a copy that has been resized, recompressed or lightly edited. Like KFF, it can be used to filter images in a case to reduce review time.

INTERNET AND CHAT ANALYSIS

  • Internet / Chat tab
  • Advanced Google Chrome analysis
  • 50+ Internet, Chat, P2P and online game carvers to automatically expose this critical evidence during processing

EXCEPTIONAL APPLE® OS ANALYSIS

  • Process HFS+ B-tree attributes for metadata
  • PLIST support
  • SQLite database support
  • Apple DMG and DD_DMG disk image support
  • JSON file support

AUTOMATED LANGUAGE IDENTIFICATION

FTK identifies the different languages contained within documents, so you can filter documents by a language field, streamlining the document review process.

ADVANCED GALLERY VIEW FOR IMAGES AND VIDEO WITH EXPLICIT IMAGE DETECTION

  • Video thumbnails
  • Explicit Image Detection auto-identifies potentially pornographic images by analyzing shapes, orientation and flesh tones.

RICH REPORTING

  • Generate detailed reports in native format, HTML, PDF, XML, RTF, and more – with links back to the original evidence.
  • Define Registry Supplemental Reports (RSR) during pre-processing or additional analysis.
  • See which files could not be processed or indexed with the Processing Exception/Case Info report.
  • Generate a CSV-formatted timeline report from bookmarked items.
  • Include graphical timeline and social analysis screenshots from Data Visualization in your case reports.
  • Export MSGs for all supported email types.

CONFIGURATION OPTION 1 – Single PC/Server

Specifications for FTK 4 with the PostgreSQL Database, FTK UI and Primary Processing Engine on the Same PC/Server

Software
  • Operating System: Windows Server 2008 R2 / Windows 7 (64-bit)
Hardware
  • Processor: Intel® i7, dual quad-core Xeon, or AMD equivalent
  • Memory: 32 GB (or more)
  • OS / Application drive: 7200 RPM drive with 64 MB cache, or SSD
  • Storage for PostgreSQL database: 160 GB Solid State Drive (SSD) dedicated exclusively to PostgreSQL
  • Network Card: Gigabit
  • HW RAID Controller: Highly recommended if hosting the PostgreSQL database. Configure with RAID 5, 6, or 10; avoid RAID 0
  • Temporary Folder Location: SSD or RAID 0 partition with write-through
Drive Configuration
  • Drive 1: OS
  • Drive 2: PostgreSQL Database (SSD or HW RAID)
  • Drive 3: Case Folder and HD Image
  • Drive 4: Temp Directory (SSD or RAID 0)

CONFIGURATION OPTION 2 – Two PC/Server

Specification for FTK 4 UI and Processing Engine on one machine and PostgreSQL on a Separate (2nd) Machine (2 Node Configuration)

Node 1: Specifications for GUI and Worker

Software
  • Operating System: Windows Server 2008 R2 or Windows 7 (64-bit)
Hardware
  • Processor: Intel® dual quad-core, i7 or AMD equivalent
  • CD/DVD Drive: DVD
  • Memory: 32 GB (or more)
  • OS / Application Drive: 7200 RPM drive with 64 MB cache
  • Network Card: Gigabit
  • HW RAID Controller: Highly recommended if hosting the PostgreSQL database. Configure with RAID 5, 6, or 10; avoid RAID 0
  • Temporary Folder Location: SSD or RAID 0 partition with write-through
  • Storage for Index and Images: As necessary
Drive Configuration
  • Drive Set 1: OS
  • Drive Set 2: Hard Drive Image and Case Folder
  • Drive 3 (temp folder): SSD or RAID 0

Node 2: Stand-alone Database Specifications for Windows-based PostgreSQL

Software
  • Operating System: Windows Server 2008 R2 or Windows 7 (64-bit)
Hardware
  • Processor: Intel® i7, dual quad-core Xeon, or AMD equivalent
  • Memory: 32 GB (or more)
  • OS / Application Drive: 7200 RPM drive with 64 MB cache, or SSD
  • Storage for PostgreSQL database: Solid State Drive (SSD) dedicated exclusively to PostgreSQL
  • Network Card: Gigabit
  • HW RAID Controller: Highly recommended if hosting the PostgreSQL database. Configure with RAID 5, 6, or 10; avoid RAID 0
Drive Configuration
  • Drive Set 1: OS
  • Drive Set 2: PostgreSQL Database (SSD or HW RAID)

AccessData, Forensic Toolkit and FTK are registered trademarks owned by AccessData in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Any reference to non-AccessData marks are for the purposes of enumerating the technologies AccessData solutions will address during the course of a digital investigation.

Perform immediate malware triage with Cerberus, and gain actionable intelligence prior to engaging a malware team.

Cerberus is the malware analysis component of AccessData’s integrated incident response platform, CIRT (Cyber Intelligence & Response Technology). This module is also available as an add-on to FTK 4. The first step towards automated reverse engineering, Cerberus allows you to determine the behavior and intent of suspect binaries, giving you actionable intelligence without having to wait for a malware team to perform deeper, more time consuming analysis.

Cerberus Triage vs. Traditional Malware Analysis
Cerberus is able to disassemble and simulate the functionality of a suspect binary, without actually running the code. This first-pass analysis is of great value in that it not only enables incident responders to take decisive action more quickly, but it reveals behavior and intent without running the risk of triggering defense mechanisms commonly found in malware.


Each traditional method has its own shortcomings, which the Cerberus methodology avoids…

  • Dynamic Analysis is often not reliable, because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.
  • Traditional Heuristics are not based on the fundamental characteristics of malware and have high false positive / false negative rates.
  • Signature-based / Byte String Analysis cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.
Cerberus is able to uncover the following attributes during analysis…

Stage One Analysis

The following first-level analysis is conducted to quickly tally threat scores.

  • Product Name
  • Product Version
  • Company Name, etc.
  • Functions included in the Import Table
    • Network
    • Process
    • Security
    • Registry
  • Dynamic Loading, etc.
  • Does the binary have high entropy (obfuscated)?
  • Does the binary have signatures of:
    • Internet Relay Chat ("IRC")
    • Shellcode
    • Cryptography ("Crypto")
  • Does the binary contain strings associated with autoruns?
  • Digital Signature Verification
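As an added example of what a stage-one tally like the one listed above looks like in code, the Python below is my own illustration, not Cerberus or any AccessData code, and it does not claim to reproduce their scoring. It covers the string-level items only: import-table function families (network, process, security, registry, dynamic loading), overall entropy as an obfuscation signal, IRC and autorun strings, a couple of shellcode-style byte patterns, and the hosts the binary names. Two simplifications are assumptions of this example: imports are found by scanning for the API names as strings rather than by parsing the PE import directory, and Authenticode signature verification is left out. The input blob, its API names, registry path, hostname and address are constructed for the example and are not a real sample.

```python
import math
import re

# Win32 API names grouped the way a stage-one triage groups import-table entries.
API_CATEGORIES = {
    "network": {"WSAStartup", "socket", "connect", "send", "recv",
                "InternetOpenA", "InternetOpenUrlA", "HttpSendRequestA",
                "URLDownloadToFileA"},
    "process": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                "OpenProcess", "CreateProcessA"},
    "security": {"AdjustTokenPrivileges", "OpenProcessToken",
                 "LookupPrivilegeValueA", "CryptEncrypt", "CryptDecrypt"},
    "registry": {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA",
                 "RegOpenKeyExA"},
    "dynamic_loading": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}

# Strings that point at persistence through autorun locations.
AUTORUN_PATTERNS = {
    "Run key": rb"CurrentVersion\\Run\b",
    "RunOnce key": rb"CurrentVersion\\RunOnce",
    "Winlogon shell": rb"Winlogon\\Shell",
    "Startup folder": rb"Start Menu\\Programs\\Startup",
}
IRC_VERBS = {b"NICK", b"JOIN", b"PRIVMSG", b"USER", b"PING", b"PONG"}
# x86 encodings of the fs:[0x30] PEB read that position-independent shellcode uses
# to find loaded modules without an import table.
SHELLCODE_SIGS = {
    "mov eax, fs:[0x30]": b"\x64\xa1\x30\x00\x00\x00",
    "mov ecx, fs:[0x30]": b"\x64\x8b\x0d\x30\x00\x00\x00",
}
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ru|cn)\b")


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for packed or encrypted data, near 0 for repetitive data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data):
    """Stage-one style static triage of a blob; returns the findings plus a tallied score."""
    strings = set(STRING_RE.findall(data))
    text = {s.decode("ascii") for s in strings}
    imports = {cat: sorted(text & names) for cat, names in API_CATEGORIES.items()}
    imports = {cat: hits for cat, hits in imports.items() if hits}
    autoruns = [name for name, pat in AUTORUN_PATTERNS.items() if re.search(pat, data)]
    irc = sorted(v.decode() for v in IRC_VERBS if v in strings)
    shellcode = [name for name, sig in SHELLCODE_SIGS.items() if sig in data]
    hosts = sorted({m.decode() for m in IPV4_RE.findall(data)}
                   | {m.decode() for m in DOMAIN_RE.findall(data)})
    entropy = shannon_entropy(data)

    # Illustrative weights; a real tally would be tuned against a corpus.
    score = len(imports)
    if entropy > 7.0:
        score += 2
    if autoruns:
        score += 2
    if len(irc) >= 2:
        score += 2
    if shellcode:
        score += 3
    if hosts:
        score += 1
    return {"is_pe": data[:2] == b"MZ", "entropy": round(entropy, 2),
            "imports": imports, "autoruns": autoruns, "irc": irc,
            "shellcode": shellcode, "hosts": hosts, "score": score}


# Constructed stand-in for a suspect binary (not real malware): an MZ/PE stub, the kind
# of strings an import name table and a config block carry, one shellcode-style
# instruction, and uniform padding standing in for a packed section.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    + b"\x00".join([
        b"KERNEL32.dll", b"LoadLibraryA", b"GetProcAddress",
        b"WS2_32.dll", b"WSAStartup", b"connect", b"send", b"recv",
        b"ADVAPI32.dll", b"RegSetValueExA", b"AdjustTokenPrivileges",
        b"CreateRemoteThread", b"WriteProcessMemory",
        b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        b"NICK", b"JOIN", b"PRIVMSG", b"irc.example.net", b"203.0.113.7",
    ])
    + b"\x00" + SHELLCODE_SIGS["mov eax, fs:[0x30]"]
    + bytes(range(256)) * 8
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BINARY), indent=2))
```

Each finding is reported alongside the score rather than folded into it, because the score is only a sorting key: the analyst still needs to see that the network family, the Run key and the IRC verbs all came from the same binary before deciding to escalate it. Scanning for API names as strings also has an obvious blind spot that a disassembly pass such as the Stage Two analysis below is meant to close, namely imports resolved at run time through hashes rather than names, which is exactly why high entropy and the fs:[0x30] pattern are scored as well.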

Stage Two Analysis

Stage two involves more complex disassembly analysis to give you more detailed behavioral information. This simulation and data flow analysis is possible without running binaries in a sandbox, and there is no reliance on white lists or signatures.

Basic Disassembly Analysis:

  • Integrated disassembly engine
  • If using network functionality, potentially what host it is communicating with and over what protocol(s)
  • If using network functionality, can it bypass proxy servers?
  • For functions that require usernames and/or passwords, does the executable contain a static string, indicating insider or advanced knowledge?
  • More advanced Functionality Interpretation
    • IP addresses and Domain Names Used
    • Debugger and Sandbox avoidance
    • Command and Control Functionality
    • Hooking Techniques
    • Arbitrary Code Execution
    • Host Forensic Artifacts
    • Registry Settings
    • Temp Files
    • Configuration Files