FTK
FTK (Forensic ToolKit) is a not-free program that is distributed by AccessData. On the main page for FTK at the AccessData website, it touts FTK as "a court accepted digital investigations platform", and that is definitely the audience that this program is built for. FTK offers a variety of different tools that allow a user to view deleted files, piece together meta-data, view a timeline of events that have taken place on certain images, etc. Pretty much anything can be imported into FTK and used as evidence.
FTK is built off of a database system (which is included during the initial installation) and uses some pretty beefy algorithms and architecture to index data and make it searchable. FTK also does a lot of the heavy lifting for users, so that going through evidence seems more like browsing through a directory instead of piecing together hex code or bits and bytes.
One very useful thing that I learned from a classmate of mine was called "carving" the data. Carving is kind of like what it sounds like- working the program a little harder, and having it scrape and clean data to bring out things that may have been hidden, and basically trimming the fat. This is done fairly easily by using the "Evidence" tab, then selecting "Additional Analysis".
Another tool that is built around the same structure as FTK is MPE+ (Mobile Phone Examiner Plus), which is a separate program that feels almost exactly like FTK. MPE+ is basically FTK for mobile phones and devices. I am just getting into using the program, but it seems very intuitive and like I have already mentioned, is structured a lot like FTK in the UI and features.
While FTK and MPE+ are not free, they can be tried for 30 days courtesy of AccessData. Downloads for FTK and other AccessData products can be found here: http://www.accessdata.com/support/product-downloads.
 |
| XKCD. Too good. |
No comments:
Post a Comment