Advanced FTK Training From AccessData
Posted Monday November 28, 2016 (14:55:53)
Reviewed by Azeem - Cyber Security Professional
At the end of the three-day, instructor-led AccessData Advanced FTK (Forensic Toolkit) class, students have been exposed to and trained in the effective use of advanced analysis with FTK, FTK Imager, Password Recovery Toolkit (PRTK), and Registry Viewer. Prior to enrolling in this course, all students should have gone through either AccessData’s BootCamp training or possess a few years of hands-on work experience with FTK software. In my opinion, by meeting these requirements, students will be best prepared to take advantage of everything that the course has to offer, which is sizable.
For a few years, I had been using FTK without any formal training. I had managed to work my way through the fundamentals on my own, but I always sensed that there was much on which I was missing out. Little did I know that the breadth of these tools was passing me by completely.
It was only after I had completed the Advanced FTK class that I realized the enormity of what had been right under my nose the whole time.
I am someone who learns best in person, largely because I enjoy interacting with my classmates and learning from both their shortcomings and their accomplishments. While this class is offered online, I opted for the in-person session. The course is arranged in such a way that anyone who has fulfilled the prerequisites can benefit.
One major bonus that I would be remiss not to mention was that the class was very diverse. Students came from a variety of backgrounds, some with many years of forensic experience and some for whom forensics was fairly new. All students, however, were open both to learning and to collaborating with one another, making the atmosphere welcoming and productive. As we all agreed early on that there is no one perfect tool for forensics, we shared an eagerness to soak up all of the knowledge that we could, feeding off of each other’s opinions and perspectives in an effort to funnel our collective insights. Experience sharing was encouraged.
With under a dozen students, the class felt intimate and personal, and the student-to-instructor ratio could not have been any better. In a technical class such as this one, labs and discussions make up a big portion of the learning experience, and the instructor did a fine job of leading us through these activities. The setup of the classroom itself was thought out well also, characterized by a wealth of space and light, leading to smooth movement in and out of your chair. There was plenty of room in the computer desks too so that storing your books and recording notes was never a problem.
Unlike other classes, this class did not require you to bring your own computer; rather, the computers were already there, saving you the headache of troubleshooting technical issues with your system and lugging one more thing back and forth. Each of the systems provided two monitors, which is what most “forensicators” are used to having at work, and the instructor projected his computer screen at the front of the class for our convenience.
Each student system connected to two monitors
In addition, the instructor’s system was configured with screen-sharing software that enabled students to easily see the instructor’s screen on one of their own monitors. I think this was great, especially since there are so many fine details in the FTK software and sometimes those details are hard to see from afar on a projected screen.
Left screen shows FTK installation on the student’s system and the right screen shows the instructor’s system
Divided into twelve modules, the Advanced FTK class never seemed rushed, each day bringing a challenging – but not daunting – amount of work. After the quick introduction, necessary because not everyone was familiar with the same features of the tools we were using, it seemed like the class was always on the same page. As we went through carvers, labels, PhotoDNA, and Evidence Processing Profiles, advanced processing modules seemed to click. Other topics, such as Windows event logs, prefetch files, email and social media analysis, video processing, and detecting explicit images, passed by with a similar ease.
Email analysis visualization
Filters, which we covered in particular detail, seemed to carry a special weight in this course, and by the end, it seemed that topics such as defining global filters and using nested and compound filters were becoming second nature to everyone. The advanced searching techniques module was just as involved as any other, and class engagement reflected this, as everyone participated much more than usual throughout this module.
Lab using the SocialAnalyzerView
Then there were the Cerberus solution, the visualization module, the remote evidence module, the distributed processing modules, the volume shadow copy artifact, and the Geolocation View feature, all of which could be executed in such a compact course only with the greatest of precision. On top of all that, we covered Windows Memory Basics and Analysis, going over the importance of acquiring memory, reviewing the process list, and running searches against it, all skills that will come in handy in the future.
Lab on GeoLocation View
Each module incorporated a hands-on lab, which the instructor led with grace and finesse. The course itself was outstanding, and the instructor did a fantastic job of explaining all of the advanced concepts, including advanced installation. Unfortunately, I think that most people do not make use of custom software installation, sticking with the defaults. With FTK, it is definitely worth looking into your options on this front, as evidenced by everything the instructor covered during that section of the course.
The instructor utilized a whiteboard to illustrate how the FTK backend interoperates and some of the distributed deployment considerations to increase efficiency
All of the training materials related to the class were provided in a secure electronic format. To view the secure material, you needed to install specific software and register using a license key created uniquely for you. While these safeguards have been implemented to prevent the misuse of the training materials, I know some students would still prefer the option to receive hard copies. Not only would hard copies make it easier to take notes during the class, but also some may not be able to install the specific software needed to view the protected electronic format back on work systems.
My experience in the Advanced FTK class was a positive one. Todd, the instructor, was prepared and knowledgeable. He made himself available for one-on-one help during class breaks and over the lunch hour, a great favor to all of the students. By the end of the course, I was more confident than ever before with regard to my FTK usage. Today I understand much more clearly how the software works, and I possess a firm grasp of the options that are available to forensic investigators. This course also helped me in preparing for and passing the AccessData Certified Examiner (ACE) certification.
About The Reviewer
As an information security professional, the reviewer has accrued years of experience in security engineering, incident response, digital forensics and vulnerability management. A firm believer in ongoing education, he works hard to keep his base of knowledge current and up to date. He is actively involved in the security community and frequently blogs at azeemnow.com. He can also be found on Twitter @azeemnow.
About FTK Advanced Training
AccessData's FTK Advanced course, delivered by Syntricate, aims to teach students everything they need to know about using the Forensic Toolkit. The course focuses on how to properly collect, process, review and report case data toward successful case resolution.
Article content received from: Forensic Focus,