• ftk 1.80 manual


    Instead, they create an exact replica of the files and work on this image to ensure that the original files remain intact. To verify the files they are working on have not been altered, investigators can compare a hash of the original files at the time they were seized with a hash of the imaged files used in the investigation. Hashing provides mathematical validation that a forensic image exactly matches the contents of the original computer. Another important legal element in computer forensics is the continuity, or chain of custody, of computer evidence. Forensic investigators must be able to account for all that has happened to the evidence between its point of acquisition or seizure and its eventual appearance in court. There are many cases in which personnel trained in information technology have made incriminating computer evidence legally inadmissible because of their reckless or ill-conceived examinations. Only properly trained computer forensics specialists should obtain and examine computer evidence.

    Role of Forensic Toolkit
    When you acquire computer evidence, you can use FTK Imager to create an image of the source drives or files. You can also create a hash of the original image that you can later use as a benchmark to prove the validity of your case evidence. FTK Imager verifies that the image hash and the drive hash match when the image is created. After you create the image and hash the data, you can then use FTK to perform a complete and thorough computer forensic examination and create a report of your findings. For a big-picture view of FTK, see “FTK Overview” on page 5.

    Other AccessData Products
    In addition to FTK and FTK Imager, AccessData offers other industry-leading products. AccessData has multiple tools available for password recovery: Password Recovery Toolkit (PRTK) has a wide variety of individual password-breaking modules that can help you recover lost passwords.


    AccessData Corp. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

    Version 1.80.0, May 22, 2008
    AccessData Corp.
    384 South 400 West
    Lindon, Utah 84042
    U.S.A.
    www.accessdata.com

    FTK features powerful file filtering and search functionality and is recognized as the leading forensic tool for e-mail analysis. This chapter contains the following sections: “Audience” on page 2, “Handling Evidence” on page 2, “Role of Forensic Toolkit” on page 3, and “Other AccessData Products” on page 3.

    This type of evidence is fragile and can easily, even inadvertently, be altered, destroyed, or rendered inadmissible as evidence. Computer evidence must be properly obtained, preserved, and analyzed to be accepted as reliable and valid in a court of law. To preserve the integrity of case evidence, forensic investigators do not work on the original files themselves.

    The forensic image is identical in every way to the original, including file slack and unallocated space or free space. For information about file slack and unallocated space, see the Glossary on page 343.

    Hash values are used to verify file integrity and identify duplicate and known files. (Known files are standard system files that can be ignored in your investigation as well as known illicit or dangerous files.) Two hash functions are available in FTK and FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1). By default, FTK creates MD5 hashes. The hashing options are selected automatically by FTK based on the KFF databases that are available. For more information about KFF, see “Known File Filter” on page 9. The following graphic shows a sample file with a list of MD5 and SHA-1 hashes. Typically, you hash individual files to compare the results with a known database of hashes, such as KFF. However, you can also hash multiple files or an image to verify that the working copy is identical to the original. You can create hashes with FTK Imager or FTK. For information on creating hashes with FTK, see “Selecting Evidence Processes” on page 65.

    The purpose of KFF is to eliminate ignorable files (such as known system and program files) or to alert you to known illicit or dangerous files. It also checks for duplicate files. Files which contain other files, such as Zip and e-mail files with attachments, are called container files. When KFF identifies a container file as ignorable, FTK does not extract its component files. When KFF is used, the evidence is separated into ignored files (such as system files) and evidence that you continue to examine. KFF includes the HashKeeper database, which is updated periodically and is available for download on the FTK update page. For information on defining the location of the KFF database, see “KFF Database Location” on page 259.
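    The image verification and KFF triage described above, as an added example in Python (not FTK's or AccessData's code): it hashes a constructed image in chunks, re-checks a working copy against the hashes recorded at acquisition, labels carved files against constructed KFF-style ignore and alert sets, and groups duplicates. SHA-256 is included beyond the MD5/SHA-1 that FTK 1.80 offers; every file name and hash here is constructed.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces so a multi-gigabyte image never sits in memory

# FTK 1.80 offers MD5 and SHA-1; both are collision-prone today, so a defender
# records SHA-256 alongside them for any new acquisition (our addition, not FTK's).
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(chunks: Iterable[bytes], algorithms=ALGORITHMS) -> Dict[str, str]:
    """Run every requested hash over the same byte stream in a single pass."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Hash an in-memory blob through the chunked path, so large inputs behave the same."""
    return hash_stream(
        (data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)), algorithms
    )


def verify_image(data: bytes, recorded: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Recompute the hashes recorded at acquisition and report which ones no longer match.
    Every recorded algorithm must match; one mismatch means the working copy is not the original."""
    current = hash_bytes(data, tuple(recorded))
    mismatches = [alg for alg, want in recorded.items() if current[alg] != want.lower()]
    return (not mismatches, mismatches)


def classify_files(files: Dict[str, bytes], ignorable: Set[str], alert: Set[str]) -> Dict[str, str]:
    """KFF-style triage on MD5: 'alert' outranks 'ignore'; anything unknown stays 'examine'."""
    labels = {}
    for name, content in files.items():
        digest = hash_bytes(content, ("md5",))["md5"]
        if digest in alert:
            labels[name] = "alert"
        elif digest in ignorable:
            labels[name] = "ignore"
        else:
            labels[name] = "examine"
    return labels


def find_duplicates(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group file names by SHA-1 so identical content is examined once."""
    groups = defaultdict(list)
    for name, content in files.items():
        groups[hash_bytes(content, ("sha1",))["sha1"]].append(name)
    return {digest: sorted(names) for digest, names in groups.items() if len(names) > 1}


# Constructed sample data standing in for an acquired image and the files carved from it.
IMAGE = bytes(range(256)) * 64
ACQUISITION_HASHES = hash_bytes(IMAGE)  # what the imaging tool would record at acquisition
TAMPERED_IMAGE = IMAGE[:100] + b"\x00" + IMAGE[101:]  # one byte changed in the working copy

SAMPLE_FILES = {
    "WINDOWS/system32/kernel32.dll": b"constructed known-system-file content",
    "Documents/memo.txt": b"meeting moved to 3pm",
    "Documents/memo (copy).txt": b"meeting moved to 3pm",
    "Temp/unknown.bin": b"constructed content present in the alert list",
}
# Constructed stand-ins for KFF ignore/alert entries, not real HashKeeper hashes.
KFF_IGNORE = {hashlib.md5(SAMPLE_FILES["WINDOWS/system32/kernel32.dll"]).hexdigest()}
KFF_ALERT = {hashlib.md5(SAMPLE_FILES["Temp/unknown.bin"]).hexdigest()}


if __name__ == "__main__":
    print("image intact:", verify_image(IMAGE, ACQUISITION_HASHES))
    print("tampered copy:", verify_image(TAMPERED_IMAGE, ACQUISITION_HASHES))
    print("triage:", classify_files(SAMPLE_FILES, KFF_IGNORE, KFF_ALERT))
    print("duplicates:", find_duplicates(SAMPLE_FILES))
```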

    For more information about PRTK, see the AccessData Website. Rather than using a single machine, DNA uses machines across the network or across the world to conduct key space and dictionary attacks. For more information about DNA, see the AccessData Website.

    FTK 2.0
    The most comprehensive AccessData product for forensic investigation is FTK 2.0. It includes all the PRTK recovery modules, a 50-client license for DNA, and a one-year upgrade subscription for all of the included products. Any products and upgrades purchased in that year do not expire. For more information about FTK 2.0, see the AccessData Website.

    The chapter contains the following sections: “The Big Picture” on page 6, “Acquiring and Preserving the Evidence” on page 7, “Analyzing the Evidence” on page 8, and “Presenting the Evidence” on page 10.

    [Figure: The Big Picture. Acquire and Preserve the Evidence (Workstation, Target); Analyze the Case; Prepare a Report (Case, Report).]

    The concepts behind each of these steps are discussed in the following sections.

    There are two ways to achieve this: by creating an image of the suspect drive using hardware devices or by using software applications. Hardware acquisition tools duplicate disk drives or allow read-only mode access to a hard drive. For more information about hardware tools, see “Industry and Third-Party Contacts” on page 321. Software acquisition tools create a forensically sound image that makes no changes to the data or information on the suspect hard drive. The forensic image must be identical in every way to the original. As a rule, no changes to the evidence should be made. FTK Imager is a software acquisition tool. It can be used to quickly preview evidence and, if the evidence warrants further investigation, create a forensically sound image of the disk. To prevent against accidental or intentional manipulation of evidence, FTK Imager makes a bit-by-bit duplicate image of the media.

    The chapter is divided into the following sections: “Supported File Systems and Image Formats” on page 13, “System Preparation” on page 14, “Basic Installation” on page 15, “Upgrade Instructions” on page 27, and “Uninstalling” on page 30.

    A good understanding of the workstation and its configured devices will help ensure that FTK runs at its best. Consider the following:
    Role of the workstation: Determine if it will be used as a regular user workstation, a forensic analysis workstation, or a password recovery workstation.
    Access policy: Identify where the workstation will be located, who can access the information, and when the cases can be worked on.
    Hardware and software requirements: For the hardware and software requirements, see “System Requirements” on page 12.
    Application relationships: Verify that the applications can work simultaneously. Do not run so many applications that you compromise overall performance.
    Network and Internet issues: Determine if the workstation should be connected to a network or the Internet. Under normal circumstances, the forensic analysis workstation will not be connected to the Internet to avoid the possible tainting of evidence.
    System policies and procedures: Check with your system administrator about any specific policies and procedures that may exist.

    The installation is divided into three parts:
    Install the Forensic Toolkit: FTK 1.70.0 and later will install in locations separate from FTK 1.6 or earlier. Your older versions of FTK and their cases will not be affected by installing FTK 1.70. Warning: FTK 1.70.0 has an upgraded database, increasing the limit on how many items a case can contain. This enhancement, however, renders FTK 1.70.0 incompatible with earlier versions. Cases processed in earlier versions of FTK cannot be opened in FTK 1.70.0, and cases processed in 1.70.0 cannot be opened in earlier FTK versions. FTK Imager is now a separate installation.

    Searching
    With FTK, you can conduct a live search or an indexed search. A live search is a time-consuming process involving an item-by-item comparison with the search term. Live searches allow you to search non-alphanumeric characters and perform regular expression searches. Note: Regular expressions are mathematical statements that describe a data pattern such as a credit card or social security number. Regular expression searches allow you to find data items that conform to the pattern described by the expression. FTK provides several pre-defined regular expressions such as U.S. phone number, U.K. phone number, credit card number, social security number, and IP address. The indexed search uses the index file to find a search term. The index file contains all discrete words or number strings found in both the allocated and unallocated space in the case evidence. For more information on searching, see “Searching a Case” on page 149.

    Presenting the Evidence
    FTK presents computer evidence by creating a case report and case log to document the evidence and investigation results. FTK uses the Report Wizard to create and modify reports. In the report, you can add bookmarks (information you selected during the examination), customize graphics references, select file listings, and include supplementary files and the case log. You can also export selected files with the report, such as bookmarked files and flagged graphics, so they are available with the report. The report is generated in HTML. The case log assists in documenting and logging activities during the investigation and analysis of a case. This information can be used as part of a report or to identify what has occurred if you are assigned to an investigation in progress. The case log is created automatically by FTK and is called ftk.log. For information about creating a report, see “Working with Reports” on page 221.

    Installing KFF from CD
    To install KFF from CD:
    1. Insert the CD into the CD-ROM drive and click Install the Known File Filter Library. Browse to the CD-ROM drive and select Autorun.exe.
    2. Click Next on the Welcome screen.
    3. Select I Accept the Terms of the License Agreement and then click Next.
    The default directory is c:\Program Files\AccessData\AccessData Forensic Toolkit\Program. Important: If you install KFF to another directory, you must indicate the new location in FTK Preferences. For more information, see “KFF Database Location” on page 259.
    5. Click Next.
    6. Click Finish.

    Basic Install from Downloadable Files
    FTK downloadable files are available from the AccessData Website. To download the FTK program files:
    1. Go to the AccessData downloads page.
    2. Under Forensic Toolkit, click Updates.
    3. Download the program files you would like to install. If this is the first time you have installed FTK, download both FTK and the dongle driver. If you want to eliminate ignorable and duplicate files, and be alerted of known illicit or contraband files, you also need to download the KFF database.
    The default directory is c:\Program Files\AccessData\AccessData Forensic Toolkit. To specify a different directory, click Browse, select the location, and click OK.
    8. Click Next.
    9. Check the box to run FTK if you want it to automatically start after you complete the installation. If you run FTK but haven’t installed the KFF database, you will receive an error message at the end of the installation saying that the KFF Hash Library is not found and certain features will be disabled. You can install the dongle drivers and KFF from the downloadable files. For installation instructions, see “Installing the Dongle Drivers from Downloadable Files” on page 21.
    10. Check the box to run LicenseManager if you want it to automatically check for updates. For more information on LicenseManager, see “Managing Licenses” on page 263.

    See “Installing LicenseManager from CD” on page 23 or “Installing LicenseManager from Downloadable Files” on page 26.
    11. Click Finish.

    Installing the Dongle Drivers from Downloadable Files
    Installing the KEYLOK (green) Dongle Driver
    To install the dongle drivers from downloadable files:
    1. On the Forensic Toolkit Download page, click the dongle drivers install.
    2. Save the dongle install file (dongle.exe) to a temporary directory on your drive.
    3. To launch the install program, go to the temporary directory and double-click the dongle install file (dongle.exe).
    4. Click Install.
    5. Click Next to install the driver.
    6. If you have a USB dongle, verify that it is not plugged in. If you have a parallel port dongle, verify that it is plugged in.
    7. Designate the dongle driver directory by doing one of the following: To accept the default directory, click Next. To specify a different directory, click Browse, select the location, and click OK.
    8. Click Next.
    9. If you have a USB dongle, plug it in.
    10. Click Finish.

    Click Install CodeMeter Software to launch the CodeMeter installation wizard, as displayed in the following figure (CodeMeter Installation Wizard).
    5. Follow the directions for installation, accepting all defaults, and click Finish to complete the installation.

    Installing KFF from Downloadable Files
    To install KFF from downloadable files:
    1. On the Forensic Toolkit Download page, click KFFInstall.exe.
    2. Save the KFF install file (kffinstall.exe) to a temporary directory on your drive.
    The default directory is c:\Program Files\AccessData\AccessData Forensic Toolkit\Program. For more information, see “KFF Database Location” on page 259.
    7. Click Next, then click Finish.

    Installing LicenseManager from CD
    LicenseManager lets you manage product and license subscriptions using a dongle or dongle packet file. For more information, see “Using LicenseManager” on page 55.

    Install the Known File Filter Library: Installs the Known File Filter (KFF) database, a utility that compares file hashes in your case against a database of hashes for known system and program files as well as known illicit and contraband files. To preserve work done on earlier versions of FTK, your 1.70.0 KFF will be installed in the 1.70.0 directory without overwriting any previously installed KFFs. To economize disk space, you may choose to manually delete older versions of your KFF. To point any version of FTK to the new KFF, go to the Tools menu, then type in the path in the Preferences dialog. For additional information about KFF, see “Known File Filter” on page 9.
    Launch Dongle Driver Setup: Installs the driver for either the USB or parallel port dongle. The dongle is required to use FTK and it should be stored in a secure location when not in use.
    Each part can be independently installed, although FTK and the dongle driver must be installed for FTK to work properly. If you want to eliminate ignorable and duplicate files, and be

    For troubleshooting information on the FTK install, see “Troubleshooting” on page 275.

    Basic Install from CD
    The following sections review installing FTK, the dongle drivers, and KFF from CD.

    Installing FTK from CD
    To install FTK from CD:
    1. Insert the CD into the CD-ROM drive and click Install the Forensic Toolkit. If auto-run is not enabled, select Start, and then Run. Browse to the CD-ROM drive and select Autorun.exe.
    2. Click Next on the Welcome screen.
    3. Select I Accept the Terms of the License Agreement and then click Next.
    4. Designate the program directory by doing one of the following: To accept the default directory, click Next. The default directory is c:\Program Files\AccessData\AccessData Forensic Toolkit. To specify a different directory, click Browse, select the location, and click OK.
    5. Click Next.

    6. Check the box to run FTK if you want it to automatically start after you complete the installation. If you check the box to run FTK but haven’t installed the dongle drivers, you will receive an error message and FTK will not start. If you run FTK but haven’t installed the KFF database, you will receive an error message at the end of the installation. You can install the dongle drivers and KFF from the CD. For installation instructions, see “Installing the Dongle Driver from CD” on page 17 and “Installing KFF from CD” on page 18.
    7. Check the box to run LicenseManager if you want it to automatically check for updates. LicenseManager automatically checks the AccessData Website for software updates. For more information on LicenseManager, see “Managing Licenses” on page 263. If LicenseManager is not installed, a warning is displayed. See “Installing LicenseManager from CD” on page 23 or “Installing LicenseManager from Downloadable Files” on page 26.
    8. Click Finish.

    Installing the Dongle Driver from CD
    Installing the KEYLOK (green) Dongle Driver
    1. Insert the CD into the CD-ROM drive and click Launch Dongle Driver Setup. Browse to the CD-ROM drive and select Autorun.exe.
    2. Click Next to install the driver.
    3. If you have a USB dongle, verify that it is not plugged in. If you have a parallel port dongle, verify that it is plugged in. Click Next after meeting the above conditions.
    4. Designate the dongle driver directory by doing one of the following: To accept the default directory, click Next. The default directory is c:\Program Files\AccessData\Dongle Driver. To specify a different directory, click Browse, select the location, and click OK.

    Click Install CodeMeter Software to launch the CodeMeter installation wizard, as displayed in the following figure.
    2. Follow the directions for installation, accepting all defaults, and click Finish to complete the installation.

    To install LicenseManager:
    1. Insert the CD into the CD-ROM drive and click Install LicenseManager. Browse to the CD-ROM drive and select Autorun.exe.
    The default directory is C:\Program Files\AccessData\AccessData LicenseManager. To specify a different location, click Browse, select the location, click OK, and then click Next.
    5. If you want to launch LicenseManager after completing the installation, select Run LicenseManager.
    You can also start LicenseManager in FTK, by clicking Help, and then Launch LicenseManager.

    Installing LicenseManager from Downloadable Files
    LicenseManager lets you manage product and license subscriptions using a dongle or dongle packet file. To install LicenseManager:
    1. Go to the AccessData download page.
    2. On the download page, click LicenseManager.
    3. Save the installation file (LicenseManager.exe) to a temporary directory on your drive.
    4. To launch the installation program, go to the temporary directory and double-click the installation file (LicenseManager.exe).
    5. Click Install.

    For example, you can upgrade to a newer version of FTK without upgrading the KFF database. Important: You do not need to upgrade the dongle drivers unless notified by AccessData. You can upgrade the version of FTK from a CD or from downloadable files available on the AccessData Website. To be notified via e-mail when FTK upgrades are available, go to the Update Notification page on the AccessData Website. For troubleshooting information on upgrading FTK, see “Troubleshooting” on page 275.

    Upgrading from CD
    Typically you will upgrade from downloadable files. If you want to upgrade from CD, contact AccessData. For contact information, see “Technical Support” on page 341.

    Upgrading FTK from CD
    To upgrade FTK from CD:
    1. Insert the CD into the CD-ROM drive and click Install the Forensic Toolkit. Browse to the CD-ROM drive and select Autorun.exe.

    2. Select Install the Newer Version and click Next.
    3. Check the box to run FTK if you want it to automatically start after you complete the installation.
    4. Check the box to run LicenseManager if you want it to automatically check for updates. For more information on LicenseManager, see “Managing Licenses” on page 263. See “Installing LicenseManager from CD” on page 23 or “Installing LicenseManager from Downloadable Files” on page 26.
    5. Click Finish.

    Upgrading KFF from CD
    If you have added your own hashes to the KFF database, see “Upgrading a Customized KFF” on page 30 for instructions on how to upgrade the KFF database without overwriting the hashes you have added. If you have not customized the KFF library, simply re-install the KFF from CD. To upgrade a basic KFF from CD:
    1. Insert the CD into the CD-ROM drive and click Install the Known File Filter Library.
    2. Select Replace My KFF with This Version and click Next.
    3. Click Finish.

    Upgrading from Downloadable Files
    FTK downloadable files are available from the AccessData Website. To download the FTK program files:
    1. Go to the AccessData downloads page.
    2. Under Forensic Toolkit, click Updates.
    3. Download the program files you would like to install.

    Upgrading FTK from Downloadable Files
    To upgrade FTK from downloadable files:
    Note: Your custom column settings and filters are not overwritten.
    6. In the install program, select Install the Newer Version and click Next.
    7. Check the box to run FTK if you want it to automatically start after you complete the installation.
    8. Check the box to run LicenseManager if you want it to automatically check for updates. See “Installing LicenseManager from CD” on page 23 or “Installing LicenseManager from Downloadable Files” on page 26.
    9. Click Finish.

    Upgrading KFF from Downloadable Files
    If you have customized the KFF library by adding your own hashes, you need to follow the instructions in “Upgrading a Customized KFF” on page 30. These instructions will prevent the overwriting of the hashes you have added. If you have not customized the KFF library, simply re-install the KFF from the downloadable files. To upgrade a basic KFF from downloadable files:

    The FTK interface contains six main windows, organized like tabbed pages, each with a particular focus or function. Most windows also contain a common toolbar and file list with columns. Note: Viewing large items in their native applications is often faster than waiting for them to be rendered in an FTK viewer. This chapter discusses the interface in the following sections: “Starting FTK” on page 32, “Overview Window” on page 34, “Explore Window” on page 39, “Graphics Window” on page 40, “E-mail Window” on page 41, “Search Window” on page 42, “Bookmark Window” on page 45, “Toolbar Components” on page 48, “File List Columns” on page 51, “FTK Imager” on page 54, and “Using LicenseManager” on page 55.

    Virus scanners can slow FTK performance significantly. If the correct version isn’t found, an error message will display.

    Using the Dongle
    AccessData provides a parallel or USB dongle with FTK. The dongle is a security compliance device that you insert into the parallel or USB port during installation. It maintains your FTK licensing and subscription information and is required to use FTK. For information on installing the dongle drivers, see “Installing the Dongle Driver from CD” on page 17 or “Installing the Dongle Drivers from Downloadable Files” on page 21. You can use the License Manager to monitor your FTK subscription. For more information, see “Using LicenseManager” on page 55.

    Using the FTK Startup Menu
    When you start FTK, the Simple Start menu appears with the following options:
    Start a new case: For detailed information on starting a new case, see “Starting a New Case” on page 59.
    Open an existing case: For detailed information on working with existing cases, see “Working with Existing Cases” on page 93.
    Preview evidence: This option opens FTK Imager. For more information, see “FTK Imager” on page 54.
    Go directly to working in program
    Don’t show this dialog on start-up again: Mark this option if you do not want the FTK Startup menu to appear when you start FTK. If you want the FTK Startup menu to appear after you have set it to not appear, click Tools, then Preferences, and then Show Startup Dialog.

    Overview Window
    The Overview window provides a general view of a case.

    [Figure: Overview window, with callouts Viewer Toolbar, General Case Information, Viewer, File List Toolbar, File List.]

    AccessData Trademarks
    AccessData is a registered trademark of AccessData Corp. Distributed Network Attack is a registered trademark of AccessData Corp. DNA is a registered trademark of AccessData Corp. Forensic Toolkit is a registered trademark of AccessData Corp. FTK is a trademark of AccessData Corp. FTK Imager is a trademark of AccessData Corp. Known File Filter is a trademark of AccessData Corp. KFF is a trademark of AccessData Corp. LicenseManager is a trademark of AccessData Corp. Password Recovery Toolkit is a trademark of AccessData Corp. PRTK is a trademark of AccessData Corp. Registry Viewer is a trademark of AccessData Corp. Ultimate Toolkit is a trademark of AccessData Corp.

    Third-Party Trademarks
    All third-party trademarks are the property of their respective owners.

    Audience
    The Forensic Toolkit User Guide is written for law enforcement and corporate security professionals with the following competencies:
    Basic knowledge of and training in forensic policies and procedures.
    Basic knowledge of and experience with personal computers.
    Familiarity with the fundamentals of collecting digital evidence.
    Understanding of forensic images and how to acquire forensically sound images.
    Experience with case studies and reports.
    Familiarity with the Microsoft Windows environment.

    Handling Evidence
    Computer forensics involves the acquisition, preservation, analysis, and presentation of computer evidence.

