Streamlining the FTK Workflow With Portable Cases

Want to cut down on your backlog and your work by making someone else do the basic review? Well, you’re in luck, because this week we’re talking about Portable Case in FTK Feature Focus.

Welcome back to FTK Feature Focus. I’m Justin Tolman, the Director of Training over North America here at Exterro. And this week we’re going to be talking about Portable Case. This allows you, the forensic examiner, to focus on more cases and also the harder aspects of cases; maybe system information, event logs, data carving, that sort of thing. While other people may be less technical, maybe just as technical, but with other roles can focus on reading documents, looking at the images, searching basic web history, that sort of thing; which will allow you to move through cases quickly, reducing your backlog.

All right, let’s jump into it. We find ourselves in the ‘Overview’ tab. If you’re going to create data for Portable Case, this is a great place to start. However, you can organize the data from any tab or multiple tabs within FTK. The ‘Overview’ tab just has a lot of what we want.

So for this example, we’ll come to ‘Documents’, and we’ll expand out Microsoft Documents, Microsoft Word. Now that we’re in Word Documents and the specific version that we want, we will select the files that we want to review. So in this case, we’ll pretend like we don’t know what’s in it, that we don’t look at this dataset every day for work. And so maybe you just want them to view all these documents and determine which are relevant, which are not, or which are evidentiary or which are not. So we’ll just checkmark all of those in that list so we get all those Word documents, and maybe we also want to take a look at spreadsheets. So we’ll come into ‘Spreadsheets’ and we’ll expand out Microsoft Spreadsheets and Excel Spreadsheets. We’ll grab ‘2010’, and again, we don’t know which ones we want to look at, so we’ll just checkmark all those. And we have a review set of Microsoft Documents that we will have somebody else look through, saving us the time so we can focus on other things.

What we want to do is we’re going to go up to ‘File’ and we’re going to create a portable case. We’ll say, “No, we’re not running a service account.” The ‘Create portable case’ window will pop up. You can give it a name, so we’ll call this ‘Feature Focus’ and you can export to the case folder path, or if you deselect that you can select where you want to go. We’re just going to send it to the desktop so it’s easy to get to. And you can choose ‘Checked items’, which is what we did, but you could also do ‘Currently listed items’ or just simply ‘All items’. You can also do ‘Highlighted items’, but we don’t have any highlighted.


So we’re going to do ‘Checked items’, but we want to make sure this ‘Include QView’ is selected because that’s going to build the interface within our directory that we can send out. So we’ll click ‘OK’. I’m just going to go ahead and build that. Once it’s completed, you can hit ‘Close’ and we will minimize FTK, and on our desktop is Feature Focus. We’ll open up that, and we have startqview.bat. We’ll go ahead and click on that and press any key to continue. All right, and we have a very simple interface for reviewing our documents. So we can select our documents and we have our information here, our banking information. We can go to the next document by simply clicking up here and we have a Word doc, and we can just go through and look at our stuff.

We can activate the ‘Bookmarks’ pane, as well. And if something is of evidentiary value relevant to your case, you can always select that, ‘Documents’ and click ‘Save’. And it’s going to bookmark that into ‘Documents’. So we can go through and click various things. Okay, here’s our ledger. We’re going to add that to ‘Spreadsheets’ and we’ll hit ‘Save’, and so on. And maybe we want to create a new bookmark and we’re going to call this bookmark ‘Equipment’. So we’ll save that and we have ‘Equipment’. So we’re going to come down to the one called ‘Equipment’. It talks about gun parts and different things here. And so we’re going to put that in that bookmark and we’ll hit ‘Save’.

Okay, so the user would just go from document to document reviewing. It’s simple, just reading through it. What is the content? Bookmark it or don’t depending on what the, you know, need is, what the case is. There’s also, of course, a search bar up here. So if we wanted to take a look for, say the word ‘Widow’, we can run a search and it’s going to search through our stuff. And we got all these spreadsheets of the syndicate. We can select that. It’s going to highlight, notice it’s on the second sheet, highlight ‘Widow’. So the user doesn’t have to manually go through every one if they don’t need to, or if you have a lot of documents, you can always run a search and they can bookmark again. So we could add this into ‘Spreadsheets’, click ‘Save’, and continue on. We can clear our search and move on.

We’ve gone through, we’ve reviewed our documents. Now what? We simply close down Portable Case, and what Portable Case does is it saves the changes, the bookmarks, to data.db. And so we closed that down, and remember, this is Portable Case. So while we didn’t show it here, we would have taken that directory, thrown it on a jump drive, maybe emailed it, put it on a ShareDrive, whatever, sent it to somebody, and they’re doing this on a separate machine somewhere else. And then we get it back via some method in that way, as well.
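Because the portable case directory leaves the examiner's machine and comes back by jump drive, email or a share, it is worth being able to show that the evidence files inside it returned unchanged and that the only file the reviewer altered is data.db. The following is an added example, not part of the video or of FTK itself: it hashes every file in the directory before the case is sent, hashes it again on return, and reports anything added, missing or modified outside the file that is expected to change. The file names (startqview.bat, data.db, the sample documents) are modelled on the walkthrough, and the directory it builds is constructed for the demonstration rather than exported from FTK.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption taken from the walkthrough: data.db is where QView stores the
# reviewer's bookmarks, so it is the only file expected to differ on return.
EXPECTED_TO_CHANGE = {"data.db"}


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def save_manifest(manifest, out_file):
    """Persist the manifest as JSON; keep it outside the case directory you send."""
    Path(out_file).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file):
    return json.loads(Path(in_file).read_text())


def compare_manifests(sent, returned, expected_to_change=EXPECTED_TO_CHANGE):
    """Classify every difference between the pre-send and post-return manifests."""
    sent_paths, returned_paths = set(sent), set(returned)
    changed = {p for p in sent_paths & returned_paths if sent[p] != returned[p]}
    return {
        "added": sorted(returned_paths - sent_paths),
        "missing": sorted(sent_paths - returned_paths),
        "expected_changes": sorted(changed & set(expected_to_change)),
        "unexpected_changes": sorted(changed - set(expected_to_change)),
    }


def is_clean(report):
    """True when nothing changed except the files the reviewer is supposed to touch."""
    return not (report["added"] or report["missing"] or report["unexpected_changes"])


def demo():
    """Constructed round trip; the directory here is built by this script, not by FTK."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "Feature Focus"
        (case / "docs").mkdir(parents=True)
        (case / "startqview.bat").write_text("@echo off\r\n")
        (case / "data.db").write_bytes(b"constructed bookmarks v1")
        (case / "docs" / "ledger.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (case / "docs" / "memo.docx").write_bytes(b"constructed document bytes")

        manifest_file = Path(tmp) / "feature-focus-sent.json"
        save_manifest(build_manifest(case), manifest_file)
        sent = load_manifest(manifest_file)

        # Expected outcome: the reviewer bookmarked items, so only data.db differs.
        (case / "data.db").write_bytes(b"constructed bookmarks v2")
        clean_report = compare_manifests(sent, build_manifest(case))

        # Failure case: an evidence file was altered and a stray file was added.
        (case / "docs" / "ledger.xlsx").write_bytes(b"edited on the review machine")
        (case / "notes.txt").write_text("reviewer scratch notes\n")
        dirty_report = compare_manifests(sent, build_manifest(case))

    return clean_report, dirty_report


if __name__ == "__main__":
    for label, report in zip(("clean", "dirty"), demo()):
        print(label, "OK" if is_clean(report) else "DIFFERS", json.dumps(report))
```

In practice you would run build_manifest on the exported directory right after FTK finishes creating it, keep the JSON on your own system, and run it again on the returned copy before using ‘Portable Case Sync’; a report that is not clean is a reason to ask the reviewer what happened before importing their bookmarks.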

They give it back to us. All right, we come back in, we go to ‘File’, ‘Portable Case Sync’, we say, “No, we’re using a local system,” we choose our database file, so we’re going to navigate out to ‘Feature Focus’, and we will select data.db and click ‘Open’ and click ‘OK’. And now it’s going to bring in those changes that we made. We added a bookmark, we bookmarked some things, and it’s going to sync all that information back into the main case. Once it finishes, you’ll see the green bar, hit ‘Close’ and close, and we can see a bunch more bookmarked. We had some in there, but we could go over to our bookmarks tab to see what work they did, because remember, this probably took a couple of days. We’ve been working on other cases, we’ve long since forgotten what this was, maybe. And so we come back in here and we’re like, “Okay, these are the bookmarks I had configured for them. Oh, they added another one: ‘Equipment’. Okay, cool. I can see that. Now I can compile this with other cases or other data or the stuff I’ve been doing with the more deep-dive forensics, whatever the case may be.”

And there’s no limit to the number of portable cases you can create for one case. So if you had three people you wanted to send to, you could send documents to one person, email to another and graphics to a third, and they could all work on the different things and they would sync back and all their bookmarks would sync back into the tool. And you could be the central point and you could coordinate those different reviews back into one case and work that out into a single report.

Okay, so that is Portable Case for FTK. You can leverage Portable Case to help reduce your backlog by spreading out the basic review, distributing the workload across more people to help move through cases quicker. All right, thanks for watching this week. We’ll be back again next week with another episode. Thanks for watching.
