Note: This post originally appeared on the SANS Forensics blog
When it comes to computer forensic tools, I consider myself to be somewhat of a late adopter. I love to play with the latest tool release, but when it comes to what I’m actually going to use in my lab, I prefer to have a mature product. It takes too much time to test and validate tools to waste time on buggy or incomplete versions. So, I finally made the jump (back) to Access Data’s Forensic Toolkit (FTK) in its 3.1 version. Like many forensic professionals I know, I sat out the “lost generation” of FTK v2. However, if you haven’t taken a look recently, version 3 will likely surprise you.
I don’t expect tool suites to solve all of my forensic problems, but I do appreciate the breadth of capabilities they can provide in one package. FTK v3 excels at facilitating keyword searches, graphics review, email archive parsing, compound file extraction, and has an excellent collection of built-in file viewers. I have neither the blog space nor the energy to go into each of these, but I would put FTK at the top of my tool list for any of these activities. However, I would like to cover a few of the new or updated features I have found useful.
MAC OS X FORENSIC SUPPORT
With Apple PCs nearing a market share of 10%, it is getting harder and harder for forensic professionals to pretend they don’t exist. Even if you are in an enterprise environment, I am betting someone in senior leadership has sought a waiver to bring his or her silver status symbol to work. We have been living in a Microsoft Windows world and most of our forensic tools cater to that platform. While FTK and others have supported the HFS filesystem for a long time, it is clear in the latest release that many developer hours have been spent to include real analysis capabilities.
FTK now reads DMG archives and includes native viewers for binary and XML Property Lists (PLIST), SQLite databases, JSON files, B-trees, and Apple Mail. While it is lacking some of the features of the dedicated Mac forensic suites, these new capabilities allow FTK to hold its own and are particularly valuable for organizations that don’t have the volume of cases to support a Mac-based forensic workstation.
With geographically distributed networks being the norm, remote acquisition and preview is a force multiplier and can provide significant cost savings over traditional methods. There are several enterprise forensic products designed to meet this need, but the price can be prohibitive. In FTK v3, some of the functionality from the Access Data enterprise products has filtered down. Remote access works by connecting to an agent on the target system. A built-in option allows a temporary agent to be installed via the network, or a manual install can be performed via other means. Access Data advises that the agent can be installed on all Windows platforms, Windows XP and later. The agent provides the following capabilities:
- Acquire image of physical or logical drive
- Acquire memory image
- Remote mounting of any of the above
The first two options are self-explanatory, allowing the user to push a forensic image over the network to a lab machine. In these cases, you are limited to just grabbing an image; you cannot perform a live preview. However, the remote mounting functionality provides some interesting possibilities. As the name indicates, you can mount the remote logical drive(s) to your system and use Windows Explorer to review and extract files in a read-only environment. This is perfect if you need to grab registry hives, a PST file, or do a quick scan for documents in the allocated portion of a drive on a live system. You can also mount the physical drives and run third-party forensic tools against them. It will mount physical memory too, but I see little benefit in this versus just acquiring memory to a file. I was able to hack together a poor man’s drive preview by mounting the remote physical disk and then pointing FTK Imager to the mounted drive. I expect that incorporating a more intuitive live preview option is likely on the FTK roadmap.
Check back for part 2, where I will continue this review, focusing on full disk encryption and memory analysis support.
Chad Tilbury, GCFA, has spent over ten years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. He teaches FOR408 Computer Forensic Essentials and FOR508 Computer Forensic Investigations and Incident Response for the SANS Institute. Find him on Twitter @chadtilbury.