reed book: Computer Forensics with FTK

Getting Started with Computer Forensics Using FTK
Forensic Toolkit (FTK) is a complete platform for digital investigations, developed
to assist the work of professionals working in the information security, technology,
and law enforcement sectors.
Its filtering and indexing engine lets an investigator reach the evidence that is
relevant to a case quickly, which substantially reduces the time needed for analysis.
This chapter will cover the first steps needed to install and configure the FTK tool.
Forensic digital investigations include the following processes:
• Preparation
• Acquisition and preservation
• Analysis
• Reports and presentation
This process will be discussed in more detail in Chapter 4, Working with FTK Forensics,
with the use of FTK forensics and enterprise editions.
Computer forensics tools also need to be kept up to date: growing hard drive capacities
and the widespread use of encryption both lengthen data acquisition and analysis, and
newer releases are meant to keep that time within practical limits.
AccessData has two versions of the platform:
• FTK forensics: This version of FTK, which will be covered in this book, has
the ability to perform the acquisition and analysis of digital devices such
as computer hard drives, USB drives, flash memory devices, smartphones,
tablets, and other digital media. Its approach is related to a process called
post-mortem computer forensics, which happens when the computer has
been powered down.
• AD Enterprise: In general, AD Enterprise has the same features as the FTK
forensics version plus the ability to analyze multiple computers across your
company simultaneously. Another important feature of this version is the
ability to acquire and analyze volatile data, such as RAM. The investigation
process is totally confidential, and the investigated user will not be aware
of the analysis, even if it is done through the network and with the target
equipment in use.
In this book, we will use the solution only in the standalone version.
Downloading FTK
Once the FTK platform has been purchased, AccessData usually ships the installation
DVDs together with the CodeMeter hardware dongle that carries the product license.
If not, FTK can be downloaded directly from the AccessData website, as can all other
AccessData products.
In this book, we will use FTK Version 5 onwards; you can download the product
from http://www.accessdata.com/support/product-downloads.
Prerequisites for FTK
There are two deployment options for an FTK installation:
• One machine: FTK and the database on the same host
• Two machines: FTK and the database on separate hosts
In general, the specification used for FTK with the PostgreSQL database is shown in
the following screenshot:
Note that this is the recommended specification by the vendor. However,
the more the processing, memory, and I/O resources available, the faster
the analysis.
Installing FTK and the database
FTK installation is quite simple, although the components' installation sequence
must be respected. AccessData has created a menu to provide support for the correct
installation, as can be seen in the following screenshot:
Perform the following steps for installing FTK:
1. Start the installation process by using the Database component. You can then
enter a password to create the PostgreSQL database admin user.
2. Once the database installation is done, install FTK.
3. Install the Distributed Engine component, as it is necessary for the correct
operation of FTK.
4. The View User Guide installation is optional, but highly recommended.
5. To finish the FTK platform installation process, click on the Other Products
button and select the components listed as follows:
°° License Manager: This is the product's license control component
°° Registry Viewer: This is the Windows registry analysis component
°° PRTK: This is the password recovery component
°° CodeMeter: This is the USB CodeMeter hardware driver and
management component
°° Imager: This is the FTK Imager product
Make sure that you select the correct platform (32- or 64-bit), and if the Unable to
connect to the database requested error message appears, change the RDBMS option
to PostgreSQL.
Running FTK for the first time
If the installation has been done correctly, the first step would be to create a user:
Next, you can complete the fields in the form and then click on OK to create the first
user. This user will be the application administrator, who will manage the FTK tool.
The use of the FTK tool will be discussed in the next few chapters.
Summary
This chapter covered the first steps necessary to use the FTK forensics tool. The first
step was to understand the difference between the standalone and enterprise platforms,
as this determines the approach to be used in an investigation and directly affects
the time needed for acquisition and data analysis. Another important point was the
hardware prerequisites. Keep in mind that the more computing power the hardware has,
the faster the analysis will respond.
The analysis process is really time-consuming, and if not properly scaled, the
hardware can have a negative impact on your project.
In the next chapter, you will use FTK Imager, AccessData's free imaging tool, which
is commonly used for evidence acquisition and preliminary analysis of data.