FTK Feature Focus: Interface Customization

This week on Feature Focus, we’re going to talk about customizing the interface. There’s no reason to not like the look of FTK, because you can change it if you want to. Welcome to this week’s episode.

Welcome to this week’s episode of Future Focus. I am Justin Tolman, the Director of Training over North America here at Exterro. And this week, again, we’re going to be talking about customizing your interface to get the most out of it, to a layout that you prefer, and that is most efficient for you. So, be the change you want to see. Remember, how many times have I said that the product team has to build the interface and the features to do the most good for the most people, but they give you the tools to tailor FTK to your purposes, allowing you to be as comfortable as possible as you run your investigations.

All right, let’s jump into it. So what we’re going to do first is modify the ‘Graphics’ tab in a way that I like to have it laid out. But again, this is about customization. You get to do it how you want. I’m just going to show an example and we’ll show some of the features that come along with it. Then what we’re going to do is create a custom tab so that you can have any content separated out on its own with a custom tab layout, custom tab filter, custom columns, all that sort of thing. All right, so let’s go over to the ‘Graphics’ tab by selecting the ‘Graphics’ tab.

So when we get to the ‘Graphics’ tab, we have the default layout here; ‘Thumbnails’ at the top, ‘Evidence Items’, ‘File Content’, and ‘File List’ at the bottom. It’s not a bad layout for sure. You may like it. More power to you. That’s great. So what we’re going to do is some small modifications. So first off, we have this ‘Lock Panes’ button here. If this is deselected, you can’t move anything. You want to make sure that this is enabled so that you can move things around. To move a pane around, simple; you click on the header and you move it and you mouse over these anchor points and it’ll give you a blue outline of what it will appear like when it goes in. We can attach it over here and have this tiny little thing.

Now, we’re going to make this a little bigger. We can resize this. We’re going to bring this over a little bit so we get some more of our thumbnails in here. We can select an image, an evidence item that we want to look at. Let’s get one with actual pictures in it. There we go. And we can adjust the size if necessary down to a little bit smaller. Okay, now, we don’t need necessarily for this purpose, this huge window for the evidence items. We’re going to select our evidence items and even navigating down to a specific directory we still don’t need all this real estate. So we’re going to bring this down and attach it here with our ‘File List’ pane and then we’re going to swing this over and then we’ll bring our ‘Thumbnails’ pane down so that we get all of this here.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Now what you get is if you view an image, you get a larger view. So if we were to sort by size to get our larger images up top, and we select one, you get this larger view, we can do best fit. Here we can see the picture a little better. If we were to switch to ‘Properties’, we can view those a little better. We also have plenty of room to see plenty of thumbnail’, and you can still page down, scroll down, whatever you want to do to get that. Now we’ll adjust our file list just a little bit more just over here. Again, the ‘Evidence Items’ pane, you’re going to select a couple of times, but most of your work is going to be done in the other three panes, so we don’t need a lot of space for the evidence items. We can modify our column set, of course, by going into the ‘Column Edit’, we can copy selected, and for example, in this one, I don’t really care about the item number while I am reviewing images, so I’m going to move that all the way down.

Okay, and in this case, I don’t really care about duplicate files, so I’m going to move that down, as well. And I think that’s going to be good. Just a minor modification there. We’ll just call this ‘Photos 2’ and click ‘OK’, and we’ll find ‘Photos 2’ in here and click ‘Apply’. And we have our ‘Photos 2’, and we can resize our path if we want to bring in a little bit more data. And we have our duplicate out here in our item number.

All right, so once we have this laid out how you want, you want to come up here to ‘View’, ‘Tab Layout’, and then you want to save it. This will make it so that every time you come to this tab, it is laid out in this way because that’s the best part is you can customize the layout, then get it to stick how you want it so that you don’t have to do it again.

The other thing you want to do is come into ‘View’, ‘File List Columns’, and save as either ‘Case Default’, or if you’re an application administrator, you can save it as ‘Global Default’. And what that does is that applies your, in this case, Photos 2 column set to always be the column set that is selected here on the ‘Graphics’ tab. That way, again, you do not have to come in and reset your columns every time if you have a specific column set that you like using. One thing I want to note is if you do hit the column dropdown, this is new as of the patch applied to 7.4.2, or Service Pack 1 for 7.4.2 is the other name for the patch. We have the grouped column sets and user-defined is now the top level filter, which is good because anything that you create now will automatically be at the top of your dropdown, allowing you to get to those quickly. A huge Quality of Life update. I’m a big fan.

Okay, so basic tab layout modifications. You can apply these types of changes to every single tab. Once you get everything locked how you want it, you’ve saved it, you can always turn off the moving of the panes. Just be aware that this also removes the ability to resize the panes by clicking and dragging. So if that’s not going to be a problem, go ahead and disable that. And that way, when you click around, if you’re getting quick, you’re not going to accidentally pull a pane off and have to reset it.

Now, the second part. Let’s create a custom tab. So what we’re going to do is we’re going to go back over to the ‘Overview’ tab. And the nice thing about the ‘Overview’ tab is it has categories for us and we can break those off into their own tab and basically make a tab specific to that artifact type. So let’s expand out ‘File Category’ and we’ll come down to ‘OS and File System Files’. We have our Windows Event Log Information. Selecting that, we have our Windows Events expanded out because we ran that expansion option. We can always come in and choose from our user-defined, we can choose Event Logs, and we get all of our event log information in the ‘File List’ pane, so we can filter and view a lot at the same time, et cetera. Okay, but maybe we look at event logs a lot. So what we want is a tab dedicated specifically to just this information that we can tailor to this content. Perfect.

So what we’re going to do with the ‘Overview’ tab selected is we’re going to go to ‘View’, ‘Tab Layout’, and we’re going to add a new tab layout and we’ll call this ‘Event Logs’ and we’ll click ‘OK’. What FTK is going to do is duplicate the ‘Overview’ tab into a new tab, which we named ‘Event Logs’. Now, what we want to do is we want to come down to ‘OS File System Files’, and we’re going to come down to ‘Event’ and we’ll get our information populated down here. And what we’re going to do is click the ‘Home’ button. The ‘Home’ button will filter the ‘Case Overview’ screen, giving us only what we had selected, in this case, ‘Windows Event’. Perfect. And we’re going to come up here and select ‘User-Defined’ and ‘Event Logs’ so we get that data, and then we will come up here, of course, and do ‘File List Columns’, and we’re going to save as ‘Global Default’ so that this tab always has the event logs. Now, in this case, we can go ahead and select one and see about what our size is, and we can adjust this down to about what our size would be here. And we could bring this a little bit because we’re never going to use that, but we need to leave it there because that’s activating our filter and we can get this all set up how we want to view the data.

The last bit of customization you could do is, let’s say we’re working with ‘Event Logs’ here in this example, and you wanted a specific tab only for log-on activity. Well, we can do that. We can come up and create a filter. We’ll select our property, we’ll go to ‘More’, and we’re going to go to ‘File System Features’, and ‘NTFS’, and we will go to event ID is ‘4625’, we’ll do a live preview to make sure that that is what we want, we’ll select one and sure enough, ‘LogonType’, and so we’ll call this ‘Event Logons’, okay? And we’ll save it, close that, and we will go to ‘Filter’, ‘Tab Filter’, and we can save this at, or select this as ‘Event Logons’ and click ‘OK’

Now anytime we come to this tab, it’s actually going to be filtering by event logons, okay? So the only thing we have in here is that event ID type. And notice it doesn’t affect our global filters, it’s only for this tab, hence the name ‘Tab Filter’. So you can build all of this tab so that when you come over into it, it’s automatically what you want ready to go. So a couple of cases from now, you’ve already done the work for yourself later, and you’re just ready to go.

Okay, thanks for watching this week. We’ve got a lot of good stuff coming up on August 12th. We have a webinar talking about reducing your backlog through use of reviewers, review sets, and filtering of your evidence. Then we have our Masters of Forensic series coming up where we’re going to have numerous topics from imaging, analysis, reporting and a bunch of stuff in between, over the next few weeks through August and September. So we have a lot of good stuff. Be on the lookout for those dates. And again, we’ll see you next week. Thanks for watching.

Okay, but we’ll re-enable that cause we’re going to be messing with stuff. Now, second part…

Google Assistant: You’ve just asked to turn on an alarm. I couldn’t find any set at the moment.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles