Getting Started With FTK
FTK is database driven, it uses postgres database to organize its case data. Therefore one of the first things you’d have to do is to set up a postgres db. Once a db is set, Login into FTK and create a case:
1. Open FTK > Case > New > (Fill in Case details: Case Name and Case Folder Directory) 2. Choose a Processing profile (the different profiles are predefined configurations with aim to facilitate your forensics analyzes, you can also customize your own if you’d like) 3. Manage Evidence screen will pop up, this is where you add the evidences such as images, files, physical drive, etc. 4. Add > Pick evidences you want to load > Select timezone in which the evidences will be based from > OK > Wait FTK to load evidences into the case (database) > Close
The below categories are important tabs in FTK and an explanation on how to use them:
Allows users to explore the full image including partitioned and unpartitioned space. From this tab a user can view the content of the image, create bookmarks for further investigation or for items to add to a report, and to activate QuickPicks.
The overview tab breaks down all of the content discovered in the image and puts them into different categories. File Items logically separates discovered items by those you have checked, items that are marked as evidence, and items that haven’t been checked. File Extension organizes found items by their extension. Items that show up red have the named extension but has been identified as a different file extension. File Category groups items by the categories they fall under whether they are documents, presentations, graphics, system files, etc. These categories are grouped further to be more specific and can be seen by clicking the plus sign next the category. File Status groups items by the alert, red flags, or warnings they give off. These include bad extensions where the item says it is one file type but is really a different file type, encrypted files, deleted files, KFF flagged, etc. Email Status groups items by if they are attachments, replys, forwarded, or related content. Labels are created and set by the user. Bookmarks are created and set by the user.
The Email tab is similar to the email section in the Overview tab but further breaks down the content for analysis into categories by organizing them by things such as date, who the sender was, or who the recipient was.
The Graphics tab is used to quickly view the graphics in the image. This is very handy when used in conjunction with the QuickPicks selector. QuickPicks is activated by selecting the arrow to the left of the content. If the arrow is filled green that means QuickPicks is activated for that folder/section. Images under areas where QuickPicks has been activated will be available for quick access and viewing in the Graphics tab. (Tip: If you are unable to turn on QuickPicks you may need to make sure it is enabled on the top bar next to “Filter Manager”)
The Video tab makes it easy to view video content and analyze it. Videos can usually be played from a built in viewer in FTK. If the videos do not play in FTK the video can be right clicked on and a user can use “Open With …” to select the appropriate application for viewing the video. This tab will also create thumbnails of the video at specified time or percentage segments to allow quicker examination of the content of the video without needing to watch the whole video. Internet/Chat: The Internet/Chat tab organizes and groups files that have been found on the image that relate to browsers and online chat rooms/clients. Bookmarks: Bookmarks are used to easily keep track of and organize files for things like further investigation or things that are evidence. To add items to bookmarks just right click on the item you want to create or add a bookmark for and select the option you want to use. Bookmarks can be created from most of the other viewing tabs.When creating a new bookmark it must be given a name and be given a parent bookmark.
The Live Search tab allows a user to create a live search on the image and supports text, pattern/regex, and hex searching. On the pattern section there are some play image buttons next to the text entry box. These provide regex assistance and some predefined regex searches that can search for things such as credit card numbers. Live Search is much slower than index search.
The Index Search tab is used to do searches among the indexed content. Upon case creation and the addition of the evidence FTK should have already indexed the image. Index search is very fast and can also accumulate the results of multiple search terms.
The System Information tab provides the system information that may be difficult to find. Here you can find a list of users and their hashes, what applications are installed, and even what URLs they have viewed in browsers. It is not uncommon for there to be no information when you get to this tab. If that is the case select Evidence > Additional Analysis > Indexing / Tools > Generate System Information. Then select “OK” and the system information will be gathered and then should show up in the “System Information” tab when processing is complete.