On August 25 AccessData gave attendees of HTCIA International a preview of Forensic Toolkit Version 3. Matt Churchill was in attendance and has kindly given us his thoughts on AccessData’s upcoming release:
FTK3 First Impressions
I recently attended the International HTCIA Conference in South Lake Tahoe. AccessData was there and I was able to attend two hour-long sessions covering new aspects of FTK.
The first hour was FTK Lab. I remember hearing about this several years ago and often wondered where it went. The instructor assured us that getting Lab working and available was a priority for him since they had been discussing this version for so long. The big thing here was the Case Management interface. It’s done completely on the web. They are building a new Silverlight version of the interface.
Other Lab features include the ability to mark files as privileged and apply Labels. Labels work exactly like they do in Gmail. A neat feature, but seems almost the same as creating temporary bookmarks. Privileged files will be nice to allow one reviewer to see them while another reviewer works on a different set of files.
The distributed analysis of Lab could be a great feature for bigger forensic shops. Tasks can be assigned and work progress updated through the web interface. It looks nice, but most shops I know around here only have one person working one case at a time.
The presentations of FTK3 started off with the instructor poking a bit of fun at AccessData. He called FTK2 the “Windows ME of Forensic Tools”. When starting the demo, FTK 2.3 appeared on the splash screen. They said it was the internal codename for FTK3, but I’m sure they are trying to distance themselves from the 2.x versions.
For the internals of FTK3, the processing engine has been entirely rewritten. They claim it to be faster than the 1.x series. A test case they did for a 200GB was processed in 3 hours with the File Signature Analysis and Render Thumbnails options enabled. Full text indexing was not enabled, but they ended up with 560,000 items. Seems to be fairly quick. There is also a new Field Mode to load drives quickly and get an overview of the file system.
As for architecture changes, and if I understood this correctly, case data including pictures will be stored in the case file instead of the Oracle database. This will help to eliminate the cross contamination argument some examiners have made.
There are several new options that when you look at them it makes you wonder why they were never included before. New bookmarking and sorting options including the ability to assign columns to specific bookmarks in the report. This helps when you have an email bookmark and want to show To and From fields, but your JPG bookmark has no need for those fields. One of the biggest “Duh” fixes is that search results are now categorized. I think this will help relieve some of the tedium of going through search results. There are also new report formats so you can save your report as RTF, PDF, add custom CSS, and more.
MAC Options, RAM options, and the ability to add remote evidence are available. I previously tested AccessData Enterprise and the remote options included with FTK3 are very nice. There are two options for adding RAM. The first is as a flat file so data carving and indexing are available. The second is to add it as RAM so FTK enumerates the Processes, DLLs, and Sockets.
The GUI seems to be much more responsive. The first time loading a tab was a bit slow, but subsequent changes to that tab were much quicker. Switching tabs seemed to be much quicker than even the 1.x series. I’m not sure as to the total items in our test case (I forgot to look), but at one point in one of our lists we had over 100,000 items (I think – again, forgot to write it down). Either way the speed of the GUI was noticeable.
I currently use FTK 1.8 on an 8-core, 10GB RAM system. I haven’t bothered to test FTK2 due to its bad start and negative first impressions. However, after viewing the demo of FTK3, I am excited to try it out. I think the extra worker licenses and the adding of remote data options add extra value.
The only downside is that I will have to update the hardware in my forensic machine to accommodate the recommended requirements. Eric Thompson suggested getting a Corsair SSD instead of a RAID for the OS and Oracle database. Either way it will be an expense to buy some new hard drives for the upgrade.
Matt Churchill, CISSP, CFCE, CCE, GCFA, CEH, ACE
You can get in touch with Matt at matt -at- binint.com
There is now a 10-minute video showing Mac support in version 3. You can watch the video here, but you will have to fill out a form to get to it.