FTK 2 - any verdicts yet?

BornToWriteBlock (@borntowriteblock)

My favorite thing about FTK 2.0 is that it comes with 1.72.

(@bithead)

My favorite thing about FTK 2.0 is that it comes with 1.72.

And 1.72 is better how? (As I sit here waiting for a case to reprocess after crashing and FTK telling me it cannot open the case, and it gives numerous errors when I try to open the backup from Friday.)

hogfly (@hogfly)

Yeah... imagine what the courts would say if DNA tests failed as often as computer forensics programs... hah!

(@tgriffith)

My favorite thing about FTK 2.0 is that it comes with 1.72.

And 1.72 is better how? (As I sit here waiting for a case to reprocess after crashing and FTK telling me it cannot open the case, and it gives numerous errors when I try to open the backup from Friday.)

I've rarely had issues with 1.72. I run it on DI's FRED system, so maybe they've done something magic...

I haven't tried 2.x yet but based on what I'm reading I'll wait a while.

(@pbeardmore)
Topic starter

To be fair to AccessData, 1.72 is pretty stable on my system (touch wood), hence my reluctance to move over to Version 2 and a whole new world of frustration.

(@bithead)

I am not saying FTK is less stable than any of the other tools I have, and 1.72 really seems no more or less stable than 1.71.

FWIW, AccessData recommends the following for the stability issues I am seeing in 1.72:

1. Disable HyperThreading if enabled.
2. Create two new folders (perhaps on separate physical drives) to be used as 'fail-over' temp folders for FTK.

(@wilber999)

To further that... I too really like 1.72, and 1.8 will be out soon. One of the fixes in 1.8 is that the email attachments being removed from the original email when exporting is supposed to be resolved.

(@jdement)

While I am far from a cheerleader for either AccessData or Guidance Software, we recently had a need to review several enterprise level products and we chose to go with AccessData's FTK 2.0 Enterprise.

I will admit to experiencing many of the issues listed above; however, AccessData has been very quick to work on fixes and troubleshooting. In my past experience, I cannot say that I have had the same assistance with other providers.

I agree that the GUI navigation is currently very slow, but (and perhaps this puts me in a minority) I tend to use this transition time reviewing the output of my other tools. For instance, while analysis is being performed in FTK 2.0, I will bring up FTK Imager and export registry, cache, pagefile, etc. and use tools like Registry Tool Kit, RegRipper (Hail Mr. Carvey!), Mandiant's Web Historian and the like. I get to spend plenty of time poring over those results while the analysis completes.

I wouldn't say I am 100% overjoyed with the product, but I am mostly satisfied. What reservations I still have I expect to be addressed with upcoming patches.

(@craigball)

The following is a review I wrote for the American Lawyer Media online publication "EDD Update" (www.eddupdate.com). I wish I could have found more positives to share (and I hope you will respond with your own), but even as I write this I'm STILL waiting for the job I describe to finish.

FTK 2.0 Product Review

In the years I've been writing about forensic technology, I've shied away from reviews that dumped on products. If I couldn't say something nice, I tried to talk about something else. Heck, I generally steered clear of mentioning any product by name unless I liked it so much I could barely contain myself. There are few perfect software products, and just about any application is a buggy mess in its point-O release. Likewise, code bloat and ham-handed departure from the simple virtues that drew us to a product in the first place are common missteps.

But the problems seen in the latest 2.0 release of the venerable AccessData Corp. product, Forensic Tool Kit (FTK 2.0), just seem deeper and wider than I've run into elsewhere, and I'd be doing you a disservice, dear reader, if I glossed over them. Read on to get a smattering of why I say "Wait! Spare yourself the pain!" when it comes to the FTK "upgrade."

1. To start, the program won't run under Windows Vista, an operating system that's been on the market for over a year. Okay, I blame myself for overlooking the fact that this "Windows-only" product won't run on the version of Windows that comes installed on virtually every new PC sold today. Granted that Vista hasn't seen the quick adoption of Windows XP or 95; but, no one should imagine that Microsoft will retreat from Vista and embrace XP. That will not happen. So, when you buy a new, powerful PC to feed resource hungry FTK, you must also purchase a copy of Windows XP, strip the new machine of its latest, greatest Vista content and replace it with an obsolete circa-2001 operating system that leaves the market forever just one month from today. Instead of calling it FTK 2.0, perhaps they should have dubbed it "FTK 2001."

2. Though you can pull evidence data from anywhere, the fruits of analysis are stored within a monolithic Oracle database that commingles the data from all investigations. That's insane. I don't mean that it contaminates one case with data from another. Rather, it puts all the data eggs into one well-compartmentalized basket.

Here's why that's a lousy approach. My habit has been to confine drive images and case analysis to individual external hard drives that can be easily archived with each matter's pertinent data. This affords me a discrete, portable data set facilitating use at counsel briefings, deposition and trial. I can segregate case data, better guard against data loss and selectively and reliably purge data at the conclusion of a case. Plus, I can tailor the storage medium to the needs of each case, i.e., cases with little data are stored on smaller, cheaper hard drives and large volume cases reside on higher capacity storage media (e.g., external RAID arrays or NAS devices).

That's not feasible with FTK 2.0. Instead, you've got to put it all on one logical volume physically (not just logically) connected to a Windows system. That means you can't load the database on a NAS device, and you can't point the Oracle database to a mapped drive! What were they thinking? As a workaround, you can export a case, but that becomes a cumbersome, two-step process requiring you to create the case within the Oracle environment, then export the data to archival media after processing and analysis are complete. When you're talking terabytes, moving data takes hours even over a gigabit network, and then you have a long wait while the backup restores to FTK 2.0.

3. Installation is plodding, fussy and frustrating. Once I'd enlisted an XP box with enough oomph to run the program, I encountered a series of maddening hurdles that twice entailed manually stripping out aborted installation efforts from the system Registry and killing running services. Each effort to install Oracle generated cryptic fatal errors (Did you know that FTK Oracle aptly assigns error messages negative numbers?). To make matters worse, the installation crashed before it placed the uninstall batch file on the drive, with the result that I couldn't rid myself of the crippled installation now blocking further installation efforts until I undertook a painstaking and risky surgery on the system Registry.

Whether installing from the program disk or the gargantuan 258MB update file you download to patch the program out-of-the-box, the process was unduly time consuming and complex. A program requiring half a dozen system reboots on installation doesn't value a customer's time. Perhaps I just had a run of bad luck that required me to spend hours in the effort, but I suspect my experience isn't unique.

4. As the pain of installation faded, I turned my attention to performance, hoping it would all be worth it. FTK users have waited a long time for this update and the new release came paired with a big hike in the cost of ownership and maintenance. Surely we would see significant new features and performance gains? Think again. FTK 2.0 has been redesigned to meet someone's needs, but not mine.

FTK was always the slowest of the major computer forensic suites, but we made allowances for this because it indexed data at the start. The payback for the time lost to processing was the speed with which FTK could perform indexed searches using its integrated dtSearch capabilities. Those capabilities remain, but they're not the novelty they once were, and now they come at the price of unspeakably slower processing. Not just s-l-o-w, but glacial, to the point where use of FTK will now be a luxury accorded only to those rare cases where time is of no consequence.

Where the old version offered a lively, clear display of what FTK was doing during all that processing, the newest release offers incomprehensible data processing status bars. Exactly what does it mean when, after 12 hours spent processing three drive images, two progress bars sit at 100% completion (one stating 307/307, another 233/233) and a third shows no progress, reading 1033/3393329? Will processing complete today, tomorrow or next week, and what accounts for the wait? There's just no way to know, and the smart money is betting it'll crash first.

5. As life is short and FTK's delivery of useful data is not, I've had little opportunity to thoroughly vet new features. Suffice it to say, I'm underwhelmed. One touted enhancement is "instantaneous access to data while processing." It's great... if your definition of "instantaneous" is not quite enough time to wash your car between request and response. To me, it means that I shouldn't be able to slowly count to 57 between the time I click on a tab and the time the screen changes (and that's on a 3.4GHz machine with 3 GB of RAM). I made it all the way to 82 when moving between tabs.

FTK has always been weak in the important area of data carving from unallocated clusters, and that remains the case. Yes, if the lion's share of your work is investigating child porn cases, FTK may come closest to the one-click solution many seek; but if you need to carve for more than just bread-and-butter file types, FTK 2.0 remains the least capable of the major forensic tools. As for the new interface, it's a solution in search of a problem. Some will like the new tabbed interface, particularly those with the ample spare time it takes to move between tabs. Others will see it as lipstick on a pig. I never found the old interface particularly limiting, and I don't find the new one especially enabling.

6. But it's not all grim for FTK fans. AccessData still has about the best Registry Viewer application on the market, and FTK Imager is, hands down, the best acquisition application for an unbeatable price. The Password Recovery Toolkit is an able application, and AccessData's telephone product support is first rate. Overall, FTK 2.0 and its software siblings seem geared to those who work in large groups where distributed resources can be marshalled to enhance productivity. The government or the military may find value in the changes seen in FTK 2.0. For the rest of us who toil in small departments or solo shops, FTK 2.0 is the little engine that can't. Until it improves (or the pricing drops to reflect how it has devolved), wait to upgrade and devote your scarce software dollars to safer bets, like EnCase, X-Ways Forensics, ProDiscover or, if you can still buy it, good ol' FTK 1.71.

Just so you know, I buy my forensic software tools on the open market, and pay out thousands of dollars per seat to keep them up to date. I buy the same products, receive the same level of support and grouse about the cost as loudly as anyone. I don't seek or receive any favors from AccessData or any of its competing product vendors. I do own a small amount of stock in Guidance Software, maker of EnCase, and if you think I'm disappointed in FTK 2.0, don't get me started on Guidance's flagging stock.

(@sleepy)

Thank you for all the information in this article and thread. I am an assistant at a college in the computer forensics dept. (and a Computer Forensics student). I helped the dept. decide to buy 10 licensed copies of FTK 2.0 about 3 months ago. To my regret, it has not turned out well for us so far. After upgrading the RAM on one of the servers to handle the Oracle database, I thought the installation for the lab would be a snap. Boy, was I wrong. Since I am inexperienced, the multiple phone calls to tech support, the unfortunate pestering of my Profs for assistance, and the overall frustration with setting up the lab servers and workstations were really starting to get to me, and I was starting to worry that I "bit off more than I could chew". Once I actually got it all working, I also experienced most of the performance-related issues others have discussed here.

I only have one of the lab workstations (this is a classroom "lab") running 2.0 for now. I'll be using the clone image with 1.72 on the rest until I get 2.0 working more reasonably.

I apologize for the sentiment, but seeing experienced professionals such as yourselves describe similar problems actually makes me feel a little better. I have learned an important lesson regarding buying multiple licenses of "updated" software based on the performance of previous software, albeit "the hard way", so I guess it's not a total loss. ;) I will be following this thread; again, thanks for sharing.
