A Look at FTK’s Biggest Improvements This Year

In this week’s episode, we’re looking at the last year in FTK releases to show you the features that have come out and why you should be upgrading to the latest version of FTK. Welcome to this week’s video.

Welcome to FTK Feature Focus. I’m Justin Tolman, the Director of Training over North America at Exterro. And this week we’re going to be taking a look at the last year’s big features and improvements that we’ve made at FTK to highlight the work that our product team has been doing, and to show why you should be updating always to the latest version of FTK.

Before we get started with that, I want to rewind a little bit to last week’s video, where I talked about the optimal installation of FTK. And I want to clarify two points. First and foremost, I made this off-hand comment, where if you get a couple of hundred segments of your image that FTK may not be able to process it, in that I’ve had that experience, I know others have in the past. Talking with product, that issue has been patched and should no longer be an issue. Take that for what it was: an off-hand comment about my past experience, but we have fixed it. And honestly, I don’t test with gazillions of segments anymore. And it was one that slipped by me. Apologies for that.

The second point I want to clarify is on this image here that we’re looking at and notice this is the same graphic from last time: operating system, temp directory, database, hot swap bay for your cases. And we talked about the processing engine and the interface installed on the operating system drive. And it doesn’t have to be, you can put it wherever, but this is kind of controlling the amount of disks.

Now, the question revolves around the processing engine. The processing engine is a program that runs to process the evidence. So why would you need that to be on its own drive if it’s just a program loading out of memory? But the processing engine has a state folder, which it uses as a swap or attempt directory, as well. And so, if this directory is not on a quick drive, say, a solid state, which is recommended every time, then that can also be a bottleneck. So, you want to make sure that it’s one on its own drive, separate from the other components, but to also want a fast drive as with everything else.

Get The Latest DFIR News!

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Okay. With those two clarifications out of the way, let’s jump into this week’s episode. As introduced earlier on, we’re going to talk about the last year in FTK releases, and we’ve got a lot of good stuff coming up here soon. Over the last year-ish, we’ve had three major updates of 7.3, which came out in May of 2020; 7.4, which was September of 2020; then we had 7.4.2, which was February of 2021. Now, in this video and in this series at large, we pretty much focus on the base of FTK. We’re not talking about AD Lab or AD Enterprise, we may cross those bridges later, but remember, we’re just talking about the core of FTK.

Now, a couple of things with that is AD Lab and FTK Enterprise have seen great updates over the last year. We’re just not talking about them here, but they are there, they have their own release notes, you should check them out if you’re using those versions. The second thing on that is that any update that FTK gets the base of FTK also applies to AD Lab and FTK Enterprise. Just know that this isn’t a comprehensive list for all versions of FTK.

So the first thing I want to talk about is the Quality of Life improvements. Some of these may not seem like huge things, but added up, it makes FTK a lot nicer to use, a lot more fluid, and can help you get through your cases a little quicker, a little more comfortably. And these are the things that I really like to see when product puts them into the releases. So I’m not necessarily going to say the version next to it. You can see that on the screen, read it for yourself, but these are some of the things that have come out in the last year.

So we’ve had a lot of column improvements, and this is big because the file list pane is typically where you’re going to get the most information for your artifacts, the easiest and the quickest. So while we still display a lot of this information in the ‘Properties’ pane, we’ve moved it down into the ‘File List’ pane to provide you with an easy way to display it and filter that data in the ‘File List’ pane. Exif information has always been parsed and displayed in FTK, but it’s typically been displayed either in the ‘Expanded File’ or in the ‘Properties’ pane.

We’ve now moved information such as the date the photo was taken the camera, make, the camera model, other device information; as well as continuing to display the latitude, longitude and altitude stored within that exif data down in the ‘File List’ pane. as well as Microsoft Office metadata, again, displayed in the ‘Properties’ pane, we’re now displaying that in the column list; so you can see things like last edited date, author information last saved by, total editing time, that sort of thing. Information we had in the properties, now in the columns.

In addition to that, we’ve also added column auto switching. So if you’re looking at Microsoft Office documents, say, on the ‘Overview’ tab, the column set will change to the Microsoft Office documents column set to display that information. Then when you switch to something else like graphics, it will switch to a more graphic-centered column set so that you don’t have to do that manually.

If you have a set of columns that you just like to use, you’ve built your own, you can set those as global defaults or as case defaults. So if you want them to stay locked in for that case, for any user that’s going to access that case, you can set them for case, but if you want every subsequent case to always inherit those columns for that tab, then you can set them as global defaults. And whenever FTK is loaded up, whenever you do a new case, you don’t have to switch your column sets for each thing.

One of my favorite new features I call ‘Home filtering’. And basically what it allows you to do is on any overview style tab, that’s the ‘Overview’ tab, internet, email system summary, and the ‘Video’ tab, you can select a category from the ‘Overview’ pane, hit the ‘Home’ key on your keyboard, and it will remove all the other ones from that view. Now, it may not seem that useful if you stay on the ‘Overview’ tab, but where it really shows its power is when you create a new tab from the ‘Overview’ tab, then you can home filter on whatever category you want. And now you have a tab devoted strictly to that artifact without the other clutter or the necessity to navigate to what you want to see.

And lastly, for interface, quality of life, the ‘Bookmark Coloring’ toggle allows you to turn off the pink highlighting for bookmarking. Just one of those little things that have been asked for, so you don’t have to see that pink text washing out all of your ‘File List’ pane. If you have a lot of bookmarks, you can get rid of that just by a simple, quick toggle.

Some performance-based quality of life improvements is FTK can now be run on a non-admin box. There are some tweaks for that. Read the release note for installation and setup instructions for that, but it can be run if a user does not have admin access on that box. The ‘File List’ pane has seen a lot of improvements for speed of refresh rate.

This is really important when looking at a lot of artifacts. Remember, FTK is designed for showing a lot of things. And so we’ve really worked hard to improve how that loads up various things like, we won’t calculate the total data size displayed in the ‘File List’ pane. If you’re displaying a million, 2 million, 3 million items in the ‘File List’ pane, calculating the total size of all those takes time. And a lot of times you may not care what the total size is, so you can still select it by clicking ‘Calculate’, but now it won’t calculate it taking up that time by default.

Another thing is, by default it will typically limit the list to 1 million items. If you want to see the rest of the items, it’s a simple one-click, load the rest of my items, and it’ll go really quick. Portable case syncing was improved in 7.4. So any work done in Portable Case can be synced back to FTK, always a good one.

And then we’ve also added embedded image expansion options. This is kind of a new feature, kind of a Quality of Life. So it kind of rides that line. But before, if you found something like a virtual machine image, or even an embedded forensic image of some sort, say, a DD or something like that, you would have to export that out and then reload it back into your case. Now you can simply select that image and tell FTK through additional analysis that this is an embedded image, and it will run it as if it was a file and everything will be expanded out below it. Then you can go through it without that need to export it out, and then bring it back in.

In each of the release notes; 7.3, 7.4 and 7.4.2, there are backend database improvements in every single one. I’m not going over those in this. It’s technical stuff. Important stuff that makes your life better, but for this, we’re focusing on tangible things that you, the user, will directly interface with.

All right, some new features and artifacts that we’ve added to the parsing. The new system summary tab in 7.4 is huge, parsing a massive amount of registry information, but continue to look at this tab for future improvements. We’ve got a lot of big plans for it. The Enhanced Artifact Analysis web page categories, I did a video on that one, as well. Facial Recognition, we did a video on that one. Object Recognition, Chat Application Parser, Microsoft Edge Chromium was added by giving it its own category. We also added the latest version support for AFF4, X-Ways CTR, Tableau E01, and LX01 image formats, so that’s good. Microsoft Outlook address book support also added in the last year.

So improvements to some of these and some of the other stuff, AFF4 processing option is now auto-toggled. If it detects that you’ve loaded up an AFF4 option it will automatically toggle the expansion option necessary to process that image. Always handy. And we’ve also improved the rate at which we process the AFF4 images. Again, always a good thing. We also added to our Facial recognition, similar Facial and Object recognition. So, kind of an expansion on that feature set. And in the last few versions; 7.3 and 7.4; we’ve made various improvements to our index searching to make it quicker, more efficient; we’ve added some things to the character set that’s added by default; and we’ve added the @ symbol to the DT search default letter set. So now you can search emails a little bit easier without having to modify the index search options. And we’ve also increased the language support for optical character recognition.

This is the quick hit of what we’ve been up to for the last year and some of the reasons why you should make sure you’re upgrading to the latest version of FTK. We’ve got a lot of cool stuff coming up here soon in FTK with some upcoming releases. So keep a watch out for social media and all that jazz, talking about the new features. It’ll be good times. Thanks for watching. We’ll see you again next week.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...