Meet The New FTK 8.1 From Exterro

For further information and to sign up for a free trial, visit: https://go.exterro.com/FTKfreetrialsignup.

Lynne: Hello, everybody, hopefully you can hear us. We are just going to wait, I don’t know, 60 seconds to let some people file in. We have a nice big group today, so that’s exciting. 97 people have joined so far. Let’s see if we can get that to 100. Give it just a second, and we’ll be starting in just a minute.

Okay, we’re at 103. That’s good for me. So, good morning, good afternoon. I’m in the US, that’s why it is very dark. I’m so sorry that my lighting in here is terrible because it is nighttime here, but we’re joined by my colleagues internationally in the UK and Europe.

So, good morning. Welcome to this webinar. We’re so excited. We have released FTK 8.1 today. Our website should be live literally within the next minute or so and the press release and everything will be launched. And so today is a great day where we really want to show off all of the new features for you in FTK 8.1. We’ve been working very hard on this and there are some very exciting features that literally our customers are going crazy over.

So, I just want to go over a couple of housekeeping items today. These are our presenters for today. I will leave you after these messages. Harsh Behl is here. Harsh is the VP of Product Management for our Forensic product line, and Harsh is going to walk us through the story of how the heck we built this product and why we built it and what is going to be coming in this release. And he’ll walk us through a lot of the new features on the internal investigation side of things.




Christine Hall is also here with us. She’s a senior international technical engineer. She’s amazing. She’s going to demo for us all of the mobile capabilities that FTK 8.1 has in addition to the new reporting features that come along after you’ve done your mobile review. Let me just orient all of you to, we’re using a new webinar platform called Big Marker. On your console, probably on the right-hand side of your screen, or however you have it oriented, there is a chat panel. You are welcome to chat with us throughout this webinar. If something looks strange, or you can’t hear or if something’s going wrong, let us know.

I see everyone saying hi. Oh, I’m so glad, everyone’s here from so many different countries: Jason from South Africa, Angelo from Italy. Welcome, welcome. So you can absolutely use the chat feature. You can also use the Q&A tab. So, as Harsh and Christine are demoing, they’ll be doing a lot of live demos today. As they are demoing, if you have a question for them please type that into the Q&A panel. We’ll save those until the end. Again, unless it’s something that’s really important, and I’ll probably interrupt them and have them answer it, but type those questions in and we’ll make sure to answer them.

There’s also a tab called ‘Handouts’ that you’ll see, and in the ‘Handouts’ tab, we have already loaded in a couple of our brochures for FTK 8.1. There’s a product brief, in terms of the mobile capabilities of 8.1 and most of the features that maybe our law enforcement customers would be interested in, and then there’s also a whole separate brief in there just about our mobile features, just focused on that particular part of the product. So there’ll also be another one that we will send out to you later this afternoon about all of our internal investigation capabilities. And so there’s tons of information getting released today, and we’ll make sure to get that to you.

So, I’m going to go ahead and pass it over to Harsh. Again, if you have any questions, chat them in the chat panel or put in the Q&A for us, and we’ll make sure to get to those. And then, yep, Harsh is our MC today. So, take it away, Harsh.

Harsh: Thank you very much, Lynne. Appreciate it. A very good morning, afternoon, evening to all of our attendees joining from different parts of the world. Thank you very much for sparing the time from your day. We are very excited to unveil what we have built for 8.1. You as customers have vested your interest and trust in the technology for all these years. And as Exterro, we are very proud to be bringing you the latest release that is FTK 8.1.

So firstly, what were some of the biggest motivators for us to build our 8.1 technology and all the features that we’ve packed into the product? From the corporation side, we truly want you to stay in charge of your data, irrespective of what your employees or where your data resides, we want you to be fully in charge of it and control your data as well as preserve and investigate at your own will, irrespective of where your employees are.

This release firmly positions us at the forefront of corporate investigations. We’re now along with the off network of Windows remote collection capabilities, we have added the capabilities to collect from Mac devices remotely off the network. That is the employees who are not connected to your corporate network or to the corporate VPN, you will still be able to pull the data back from that.

I’m only going to be showing you some of these slides and then I promise we’ll see the live product, as well. So I’m going to quickly just go through some of the slides that we have for you. Mobile data: Mobile data has been an area of huge interest for Exterro. We want to become a leading mobile review platform where we allow our customers to bring in all the computer, mobile, cloud resources, data in a single platform and give you those additional context and insights into the data that you would typically miss.

So we’ve put a huge amount of focus on enhancing your mobile investigative experience with this release and can’t wait to show you all the different things that we’ve got. We have enhanced mobile parsing by lots and lots of newer artifacts that you could find in our artifact guide that lists all different artifacts for all different operating systems that we support.

We have added a lot of things that could truly benefit you from a mobile investigations point of view. First is, irrespective of Android, iOS extractions, you can bring them straight into our product from whichever tool you’re creating the image from, it doesn’t truly matter. But when it comes to review of the data, we want to enhance it, not just to show the usual chats, calls, SMS, but we want to provide those investigative analytics that those additional actionable intelligence points that you could act upon and then take it further in your investigations and make your investigations really easy for you and whoever you’re going to report to.

A lab-to-court report builder: we’ve put a huge amount of time and effort into enhancing the experience of a user when they have to report upon their findings. We have come across users who’ve told us again and again that yes, they have been able to locate the smoking gun using our tool. But how do they easily narrate the narrative? How do they paint the picture of how the events unfolded and just have an easier way to communicate and convey what they want to using a piece of paper?

So, our lab-to-court report builder will help you with just that and Christine is going to show you a demo of that also. We’ve put a lot of enhancements on the multimedia side as well. Now you would be able to do object recognition, not only from just the pictures, but also from videos. You can identify similar images, similar faces, so on and so forth.

And for internal corporate investigations, off-network Mac collections, the big thing that is packed in this release: remote triage. We understand when the time during the crunch hour when something unintended is happening in your network, time is of crucial essence, right?

So you want to limit the time you take to respond to an incident, and hence we have added the remote triage capabilities. You could quickly scan the endpoints remotely collecting only the data that will give you all the system artifacts that help you make the determination of whether you want to take further actions upon these devices or these endpoints or not. So quickly putting you ahead of the curve, helping you make informed decisions to later augment your investigation.

Splunk integration. We’ve built a whole new integration library. We’ve already had integration with Palo Alto, and you can find us in their marketplace as well. But this release brings the Splunk integration as well that allows people to orchestrate the workflows between Splunk and FTK hand-in-hand. It is going to be very beneficial for the organizations who want to further augment or strengthen their cyber infrastructure. As soon as an alert is detected and it matches the thresholds that you have set, it can automatically trigger FTK to perform a series of actions to, you know, even when you’re not sitting in front of your end point or your computer.

So, those are some of the really good things that we’ve put in here, and just very quickly around the mobile. So instead of you as customers using various different tools, various different reporting templates that you create out of it with FTK, now you can bring it all within the same platform, irrespective of which tool you are using for collecting mobile data, and create one single unified report to be presented to whoever you like. The reporting has enough capabilities for it to match any persona or to the liking. It can be generated to the likings of anybody who you would like to report.

All right. On the mobile, as I said, we have the support for major chat applications, lots and lots of newer iOS 17 artifacts, some of the key differentiators being extracting deleted data better than some of the other competitors that we have in the space. We’ve added the support for reply messages; you can see the replies and how they are responded to. And like I said, we believe that all that you would need from a mobile to help you solve your case, we’ve got it in there.

And of course, given the dynamic nature of the mobile space, we want to listen to our customers. If there is something that you would like us to do better, there is something that you would like us to support, please do reach out to us and we’re always keen on customer feedback and then addressing it.

Lots and lots of chat review tools that make us stand out. I’m just going to quickly skip these for now because I want to show you the live product itself. But again, language translation has also been built into our chat viewer so that if you are reviewing documents, chats, emails that are in some other language than your native language, then you could use our language translator built in within the product, all offline, no connection to the Internet, and you could then translate and even search on translated content.

You could do the legal privilege professional review using our product. You can do the Google takeout and warrant returns, iOS warrant returns with this release as well. And of course, retrieval and display of deleted and edited chat messages is supported. A lot of enhancements have gone on the timeline, as well. So you could now look at all the chats on the timeline, you could export the timeline view so that whatever could be exported quickly in a PDF view, as well. So yeah. A lot of enhancements have gone there also.

Our chat viewer, we believe, truly stands out. We’ve added the capability now in this release for you to filter the chat by relevant date and times that you would like to review. So if you are reviewing a chat between two applicants and you’re not interested in the whole chat, but a specific time range, you could do that within our chat reviewer now. Of course, you could have the language translation that we just spoke about, so on and so forth.

Entity extraction and management: I am not going to steal Christine’s thunder away, but this is one of the biggest features that we believe we’ve put in 8.1. We understand how important a role communication data plays within an investigation. And we truly understand the hidden objective, the hidden agenda of the people who you might be investigating when they’re committing a crime.

So, in order to make the communication analysis easier and more insightful, we’ve brought a lot of capabilities that first and foremost identifies all different entities that are present in the case by their names, their aliases, social media handles, phone numbers, and email addresses. We put those all together, so instead of you looking at five different chat handles or applications being from the same person, we tie them all back to one entity and then let you review the data by entities. It helps you to identify the communication patterns, who has been the most chatty in the device, which application is being used the most, and how are people just communicating with each other?

So, Christine is going to take you through it, but we have had great feedback from some of our customers. And some of them have even called it a total disruptor in the industry. Very keen on getting your feedback on this when you see it when you use it, but yes, we would love to show it to you today.

Of course, we’ve spoken about the reporting. As I said, reporting will help you generate reports in different formats. You can customize the templates. You can embed the files in line into the report so that you don’t have to keep printing files separately and then appending them all together. A timeline report can be embedded into your main report or you can have a separate timeline report, and you can have a conversational view coming into the report as well. Lots of multimedia review items that we just spoke about: image recognition on videos, pictures, and then similar face recognition, as well.

Off-network Mac collections. We’ve spoken about it, and we are so proud of what the team has put together. We are firmly putting you in charge and in full control of your data, no matter where your employees are and what time of the day you want to collect the data, you have full control, right? We use standard Jamf for mass deployment of remote Mac agents. Playing very nicely with your IT teams there. And then, of course, we do support Zero Trust framework as well. So if you have implemented Zero Trust, our tool is there to help and support you for remote mobile collections.

We support the logical and filtered collections from Macs. The product has the capability to resume the collection from the point of interruption. So if there is any interruption when the data is being collected, the next time we establish a connection with the agent, we will resume from the point of interruption itself.

Scalability is at its core at Exterro, whether it is supporting a large amount of data processing, large number of reviewers or investigators on the case or large number of remote endpoints that you want to collect the data from. Our technology is built to match your scale, whether it is up to five users, 10 users or up to thousands of users, our technology could help you with that scale if deployed correctly.

All right, rapid remote triage. So, as we just discussed, in the time when it matters the most, it’s very important to get the data that is going to put you ahead of the curve and going to give you a head start into your investigation. It is important when you are looking at a threat that could be enterprise, that could be spreading enterprise wide, you need to look at probably indicators of compromise.

You want to look at some of the external devices that are connected to the end points, you want to look at some of the hidden processes that are running. So instead of collecting all of the user data so that you could look at these system artifacts, we have now embedded system summary collection within the product that allows you to only collect the system-based data to help you with the most relevant system artifacts that will firmly put you ahead and give you deeper insights into whether you want to go ahead for collecting more data from that machine or not.

So, the triage of remote investigations is firmly enhanced with our system summary collection capabilities. The collection size is very small. It is only the files that we need to show those system artifacts. So you are eliminating a lot of noise for your first review.

Okay, we are going to see all of this Splunk integration. Like we discussed, you can now orchestrate all your cyber workflows between Splunk and FTK. We will be having separate videos out on this. We will be doing separate webinars out of this for Splunk integration, as well. But please reach out to us if you need help orchestrating your workflows and you want to benefit from the automation between Splunk and FTK.

I am going to quickly skip to my last slide because I’m already getting some of the texts from my team to hurry up. So we want to summarize 8.1 and this slide perfectly summarizes 8.1. We’ve built so many features that can help you with your day-to-day investigative lives, starting from lab-to-court reporting, where you can highlight certain keywords, you can embed the timelines within a report, to multimedia AI helping you with object recognition amongst videos and pictures, similar faces, offline language translation, entity management revealing the complete communication pattern between entities and forming individual entities itself.

Remote collections, off-network Mac collections, live preview, endpoint triage. Everything at your fingertip to help you with your internal external investigation. Hundreds of newer mobile artifacts and new mobile data support. And our integration library has seen three new integrations this release, where we allow you to orchestrate workflows with Splunk SOAR, we allow you to import your data from Griffeye, and using our APIs, we have OpenAI Whisper integration that allows you to transcribe your multimedia data. So instead of watching the full videos or listening to the audios, you can go keyword searching between these as well, all deployed within your environment behind the firewall.

Truly excited about our 8.1 release, and within the next 10 minutes, I’m just going to show you some of the features that we’ve spoken about live within the product.

So here you see, I’ve logged into the FTK central interface, or some of you may know it as a SmartView interface. And we’re going to first look at the off-network Mac collections. Now when you come into collections, you would see that we have broken it down by Windows, Linux and other data sources. And you have your Mac investigation selection, as well.

If you select Mac, it shows you the dashboard for all the previous collections that have been performed, and it also allows you to create a new collection. You can click on ‘Create’; because Mac’s remote we can only do logical acquisitions, so it defaults to logical acquisition. You can provide a name to the collection, you can put in a description, and which case would you like your collection to be collected and processed in. You can choose your own processing profile that you would like to process the data with, and if you select ‘auto-process collection’, it’s going to automatically process it.

Save and next, then it shows you the endpoints that are there today in the system, which are Mac endpoints, and you can then choose which endpoint you want to collect the data from. The one with the green dot, it shows that there has been a recent contact established with this machine, so most likely it is on the network. And if you go here, it shows you that these machines have not been contacted recently. The last contact I had was on this date and time, so these are those off-network machines that you may want to pull the data from. So you could select that as well, and then you could say, I want to do a filtered collection, or you want to collect the logical drive. Of course, if you go by logical drive, we won’t be able to get the data from it. But of course, when you’re going by the on-network machine, it will help you to collect the data for it as well.

This is the machine we want to collect the data from. So here you can create your filters for the collection. I want to collect the files that are only pdf and probably xlsx, as well. You can define a certain path if you want to only collect from that path, size, some data and timestamps you want to specify or any keywords that you want to specify. You can save the filter as a template so that you can anytime come back and use one of the saved filters. So if this is one of those filters that you had created earlier, you can see what this filter is, and then you can apply that for your collection criteria. Or at the same time, you can just click on ‘acquire logical drive’, and it’s going to show you all the logical drives that are available for you to collect remotely.

That is for filtered collections on your on- and off-network machines. However, if you would like to go up doing a live preview, you can totally do that as well. So now it shows you the same endpoints and if this is the endpoint that you would like to do the live preview upon, you select it and it’s going to do a live preview.

So it shows you the full file structure on the left and then you can traverse through the file structure, you’re looking at the folders, you could go to the folder of your choice. Here I have all these different folders, I can click upon them and I can see all the different things that are part of that folder and I’m just previewing as normal. You could go to the documents folder here as well, like you see; I have a 49ERS in here.

So here are all the different files that are in there. You can click on those, it’s going to generate a live review of those files. And then as you can see here, if there’s a picture, it’s going to show you the picture as well, and maybe these are the files that I want to collect from. You simply choose what you want to collect or you can select everything in here, review your selection, so these are the files that you want to collect, and when you hit ‘acquire files and folders’, it’s going to do the remote collection for you. If you don’t want to do remote collection and just focus on the acquisition of the logical drive, you can do it from this screen as well. Simply select the whole drive and ‘acquire for collection’ and it’s going to do the full collection for you as well.

So those are some of the latest capabilities that we’ve added for off-network and on-network Mac collections within the product itself. Before I hand it over to Christine, I am just quickly going to show you some of the capabilities that we have built for the similar face recognition as well. So I’m just going to switch to my case of similar faces identification. You see all these in the thumbnail view, you see all these different pictures that we have, and if this is the picture that I want to find similar faces for, I simply have to do right-click, search similar faces, and it will then run a search through our AI server at the back, which is hosted in your environment to find the similar pictures. So you can now see all the different pictures that are there.

You can also import a picture that is outside of your case. If you say I want to select a picture that is outside my case, probably this one here and I want to show, well, it’s the same picture, but I am just trying to show you the results. So for it to show you, it’s just going to bring those old results back to you when you import that picture from outside of the case as well.

That was our similar face and object recognition. As you may notice in this release, we have added this newer button here, and that is our integration library. Integration library, we believe it truly helps you use best-of-breed solutions. We as Exterro firmly believe that an investigative lab and an investigator has to use best-of-breed solutions. You’ve got them validated, you’ve invested in them, so why not? But FTK provides that platform where you can use all of them together as we are expanding our ecosystem of integrations with other vendors. Very shortly we’re working on some really exciting things with vendors like Oxygen Forensics as well and you will see this integration library growing.

But today you will see that we have Splunk integration. It explains everything that Splunk can do. You can click on the Splunk SOAR integration guide and it’s going to download the document relevant for you. You can similarly look at Palo Alto. If you click for more information, it’s going to redirect to the Palo Alto Marketplace. And for Griffeye, it allows you to import the CSV that could be exported out of Griffeye for your grading. So if you use Griffeye as a tool for grading, and that is the one that you prefer for grading, you can continue to use that. You export your CSV for graded images and bring it into the same case in FTK. We will automatically mark the categories that you had graded in Griffeye to exactly the same categories in FTK. It could be Project VIC, CAID, whatever you use it for. And then, of course you can continue with a much deeper dive investigation that you will expect FTK to help you.

All right. I am now, at this time, going to hand it over to Christine, who’s going to show you all the amazing things that we’ve done for mobile forensics and how mobile forensics could be conducted with FTK 8.1 and some of the features that we have put in that could help you for mobile investigations, so on and so forth. I’m just going to stop sharing my screen and hand it back to Christine.

Christine: Thank you very much, Harsh, and thank you everyone for joining us today. So, we’re going to take a look at 8.1 and we’re going to go through a mobile investigation case that I have.

So, one of my roles here as a technical engineer is to go through our software the way that our customers would using the experience that I’ve had over the last 16 years as an investigator and an operation manager. So, when I look at the new features for 8.1, I look at how can we utilize them to make our investigations efficient, and how would our customers be using these features? So, the best way to demonstrate this is to do a case together. So, this is a mobile investigation case that I have. And the reason why I picked a mobile case is because my experience over the last few years of being an investigator is that mobiles have been the most challenging and that’s because mobiles are quite complicated. There are different ways to extract them and different tools to extract them, and because of that, one of the issues I used to have in my lab is mobile data being looked at in isolation.

Now, FTK allows me to bring in mobile data from different applications so that I don’t have to look at that data in isolation, I can look at the bigger picture. And one of the most popular services I offered was preparing mobile data to be reviewed by an officer, somebody that doesn’t have that digital forensic background, somebody who doesn’t have that training and experience of navigating through a forensic application.

So, if I was to use FTK in my previous role, how could I benefit from the features and the functions of 8.1? In two ways, and that’s what we’re going to go through today. So, first of all, how can I bring so many different users into my case? Well, let’s start with the dashboard feature of FTK. Because what this does is gives me an insight into my data, into my case, within seconds. If I have somebody reviewing the data who wants to focus on a particular aspect, they can use this dashboard as a filter and go straight to a particular set of data.

So, we’re going to look at any data that’s got location information for Zeebrugge. And straight away I can see this data in my filter and I can start going through and looking through it. So we have the ability for users to go straight to the data that they want, but equally, for those of you that haven’t seen FTK 8 before, as an investigator, we can also look at all of our data in this nice easy to review filter manager. So, if you want to look at your mobile data, you can click on the filters and go straight to the information that you want to view.

Now, remember, one of the benefits of FTK is bringing that data in from multiple sources. So, this may be a case that has a computer in it and it has mobile data from Oxygen and mobile data from UFED and mobile data from XRY plus raw extractions from Greyshift, and I’ve utilized one of the features of 8, which is to bring in raw extractions to save time on decoding, so it’s decoded within my tool. So I’ve already utilized that functionality bringing that data in and now I can look at all that data together in one place.

FTK doesn’t just have this traditional grid view of looking at the data, where I can sort and filter based on any of these columns that we’re looking at here. It’s quite a traditional view of looking at data. We allow you to look at it in different interfaces so that you, whether you’re an experienced investigator or an officer that wants to quickly get an overview of your data, can look at that in the way that’s most convenient to you.

So, looking at our core data in SmartGrid, we can see things like how often calls are made and things like maybe which number was called most often. And this may allow us to take information straight away out of the case and conduct further inquiries. So this may be a number that doesn’t belong to any of the handsets that I’m currently examining, and straight away, within seconds of being in my case, I’ve now got some intel that I can go away and do further checks on.

But 8.1 takes this a step further by bringing in entity management, and this is where we add the technical aspects of being an investigator with the human elements of being an investigator; because we know that when people log into applications and log into their user accounts, they may not use their actual name or their real name, they may have a number of aliases. And this is where entity management can really help make our case efficient.

We may have a number of entities on our data set, whether that’s email addresses, telephone numbers, various user accounts, and what this does is FTK can combine and merge entities that it believes are the same person, regardless of the user accounts they’re using. It can cross-check things like email addresses and telephone numbers. So now, when we’re looking at this entity, we’re not just looking at one account, we’re looking at all the possible accounts that belong to this particular person. And we can do that for a number of our persons of interest. So we don’t have to worry if they’re using their real name or a nickname or a pseudonym or any other alias across multiple accounts, we can see all that merged here in our dashboard in our entity management dashboards.

And it may be that the system is smart enough to identify where two email addresses match or two telephone numbers match. But as an investigator, I might have additional intelligence about the case. So I might know that there are two entities here that are actually the same person and I want to merge those myself. And we can do that by selecting them and then giving our entity a name, and we can merge that ourselves. So, combining the technology of the tool, the smartness of the tool, to automatically say, ‘actually, did you know that Steph also goes by the name Queenie, and that Lena also goes by the name of the Knight’, and combine that with the intel that I have as an investigator, to be able to say these two I know are the same person, because I have intel outside of my investigation that puts those two together.

And I can also add further intel into my case by editing these entities and adding things like the person of interest’s picture. I might add information about them to the case or maybe other information that I have from maybe a third party OSINT tool or information I’ve got from another source into the case, as well. So again, another way to keep not just my data sources together in a case, but intel on people together in a case.

We can search for entities, so if we have quite a few in our case and we’re looking for a particular person, I can do a search and have a look at any records associated with that person.

So, let’s take a look at one of our persons of interest, look at Lena. We want to look at all of Lena’s accounts in one place. So we’ll click on Lena and now we can see how she interacts. Who does she speak to? What applications is she using? Now, bear in mind that my case here is just a small test case. Realistically, when I’ve done mobile phones, I can have thousands of messages, thousands of calls, different applications that people are using, different circumstances where it may be very efficient for me and very ideal for me to get an overview of the case at the start, not when I’ve spent an hour reviewing messages and reading conversations between people and getting an idea that, oh, I think this person is this person and they’re talking to the same person, but in different names and different accounts. I want to get a visual representation of what is going on in the case quite quickly, and entity management gives me that.

If you take, for example, let’s say we were looking at a harassment case, we could look at someone’s interaction and we can see straight away that the interactions between the person of interest and the victim of the harassment, it’s all one-way communication. So, straight away I can visually see that. It might be that as in this instance, I’m looking at an organized crime gang. So I want to just look at the interactions between certain people. So I can also do that too. I can narrow down my interactions to look at them in whichever way is best for my examination. Do I want to look at just particular applications? I can do that, too. Let me see all the interactions that I just carried out on WhatsApp or Kik or via Messenger, or I can look at interactions that happened between a certain time frame. I can look at that too.

So let’s take, in this instance, I want to look at the communications between a certain group of people. Because these are the people that I have identified in my organized crime investigation are the investigations of interest. So I can add that as a filter, and now, because of the flexibility that FTK gives us, I can now move that data to an interface that is best suited for that information that I want to look at, which is possibly grid view.

So in this view, I can look at my messages and review them. Anything of interest to my case, I can bookmark them, so I can identify what’s relevant to my case. And it may be, so going back to sharing this data and sharing this mobile data with other resources, in my experience, I have had a lot of cases where it may be most useful for the officer to review the mobile case, especially in cases where drugs and fraud are involved, because that officer knows the slang terms for the drugs, they know the people’s names and the nicknames involved, and they have intel about the case that may make it useful for that officer to have the first review where the officer can go through the messages and bookmark any messages of relevance.

If the officer requires further assistance, so they’ve gone through their messages, they’ve bookmarked things that are relevant, they’ve carried out keyword searches, so you can carry out keyword search across the whole case, or you can look for keywords within messages itself, which can be highlighted. All of this helps you identify the relevant data.

They may then also carry out a media review. So, if we take a look at the media in this case. So whilst we’re doing our investigation, we might take a look at the media review and this officer’s doing a drugs investigation. They may come across some indecent images or disturbing images, they can all be marked in this case, which means any future reviewers that come in this case will straight away get a warning saying the case contains indecent images.

Those images can be tagged so we can add some welfare into our case to ensure that I’m not overexposing myself on a drugs investigation by looking at something that is a bit indecent and not something I want to look at every time I have to go through my investigation, or I can just hide them from my case.

So I’m now doing my drugs investigation, and I might identify a picture of relevance. Now, if this is my officer and my officer is doing the review, the officer knows enough about the case to say this picture is relevant, that picture is relevant, that chat message is relevant. What the officer can do is they can bookmark items that they want to identify as they require further assistance from the digital forensic unit, from the investigator, from the person that understands the data.

So, we can work on this case together where I as an investigator identify things that I want to share with the officer. So I might bookmark this image for the officer to review. So the officer can tell me, is that your person of interest? Is that the victim? Is this the spreadsheet that you needed? And the officer can in turn, identify data that they might want further analysis on done by someone with that training to say, how did that data get on there? Where did it come from? Was it distributed?

So, we’ve gone through our case now and we’ve identified messages of relevance. We’ve identified multimedia relevance, and we can now look at our data in a number of different formats. Again, using the smart grid to do things like look at any times and dates of relevance, identify applications of relevance and look at our data again in any format that is relevant for us at the time. So we’re going to take a quick look at the time view. So we can again look at our time in time view and we can do things like we have identified a potential date of relevance and we can generate a report from a timeline that tells me everything that occurred on that day.

Once we’ve identified the date of relevance and we’ve got the data that’s relevant to our case, we can now start looking at how do we give that information to our reviewers? Or how do we get that information ready to go to court? And this is where one of our latest 8.1 features of the reporting really has enhanced the ability to get that data out in a format that is viewable and presentable to court and to your end users.

So, we’ve gone to create a report and I’ve created a template previously. This allows me to have my logo and my title already prepared in my case. Also, what you find in a lot of organizations, especially from the lab that I used to work in, I have services. So, if I’m producing a report for a particular customer or for a particular case, I may already have pre-configured columns. So, being able to select the template that I want can save time in generating the report by saying this report is for this customer and it’s a CSAM investigation and this case is for this customer and it’s a mobile investigation. So, some of the pre-configured settings that I’m about to show you now can be set in advance so that you just select the right template you want for your case.

So we can give it a title and a name, and then we can decide what data we want to include in our case. For this particular case, I want to include all the evidence that I’ve identified as relevant, all the chat messages, all the multimedia, the internet history, everything about my case that I’ve identified during the analysis stage, I want to include. We can also bring in a timeline so we can create a timeline in the report view, so I can go to ‘create timeline’ and say bring in all the data from a particular tag. So, earlier in this case, I ran what’s called a search report for keywords. I can say ‘generate a timeline based on any of the labels that I’ve already identified’. Or, in my case already, I had already looked at a specific date for the 26th of March, and I created a timeline in the case. I can add either of those into my report. I can also configure the report in terms of formatting and columns.

Do I want to, when I export my data, how much data do I want to be in the report? For call logs, for example, it might be that, I’ll show you one that I haven’t changed yet. So, it might be that when you’re exporting your data for any of the particular objects, you may find that this is too much information that you want in your report. So you can edit this to just give the subject header, the subject, the email name, the tos and from. You can edit which fields of the data sets you want to include in your report. And this is the one I’ve done earlier for calls where I just wanted to contain the information that I feel is relevant for my report.

We can highlight information in our case. Do we want to identify a keyword, like wherever the suspect’s name is mentioned, please make it bold, wherever they talk about a keyword that’s relevant to my investigation: cocaine, drugs, guns, a search term associated with CSAM, I want you to highlight that and make it bold. These are all the options that I can add to my report to customize it. Where I’ve included evidence, do I want to include a thumbnail of that picture, a thumbnail of that evidence, or do I want to include a copy, a full-size copy of the evidence itself?

And then once you’ve generated your report, you can choose whether to have it in a PDF format or a Word format. And I’ve done both just to show you the differences, because in the PDF report you can see here, you will see that I have the overview of my evidence. You will see that I’ve had the images embedded so you can see them in my case with the details of the files themselves. And one of the things that I really like is that when you embed conversations, and this is one of the feedbacks that we’ve had from a number of customers, is that when you bookmark conversations, when you view it in FTK, we have this very nice viewer where you can see conversations to and from and it’s very visually nice. But when you export that into a report, it’s quite hard to read.

In 8.1’s reporting, we have that same easy-to-read visual output of the conversations, whether you’ve exported the conversations individually that you can see here, or you’ve exported out a conversation and you can see in that conversation view in your report. And this is a quite nice way to present those conversations to court.

And then if you scroll down further, you’ll see where I’ve added in the timelines from my case. This is the timeline that I generated earlier for the 26th of March, and that’s all shown in my report. You can also have this as a Word document. Now, for me, the reason why this is a great feature to be able to bring into a Word document is because in the UK, our reports have to be in a certain format to be presented to court.

So now I have the option to present my reports in two different ways. I can have a PDF document that hasn’t been edited since it’s come out of the tool, so I know it hasn’t been changed or amended, and I can evidence that in a statement. Or I can export it out as a Word document, which allows me to edit this document, and I can add in paragraphs outside of the tool, such as things like my validation certificate or the background about me myself as an investigator that I need to include in my reports, or it may be that I have a third party tool that I’ve used for a different part of forensics, and I want to combine those reports together. So having an editable report is also an option within FTK.

Thank you very much for your time, and I hope you’ve enjoyed these features.

Lynne: Thank you, Christine. Harsh, if you can pop a couple slides up at the end, we’ll wrap up. I just want everyone to make sure you know where to go next and make sure that we have some conferences coming up over in Europe. We’ll wrap up with that. I have also been answering the Q&A and some of the chat in the panel. And so I’ll read some of those out, as well. Harsh has got some slides popping up here. I just want to make sure everyone knows we’ll have a website up. It’s literally going live right this second. I think they just hit the button just now. So if you want to learn more, you can go to the website, the link is right there. It’s literally exterro.com/ftk81, super simple. So, you’ll see everything on social media. We will have every single feature highlighted on social media. We’ll have tons of videos of people giving little demos of every single one of these features in addition to what Christine just showed you. Which is, she’s amazing, right?

So that is all live now. And then just making sure, the next slide, if you visit that one quickly. There is an exchange conference coming up in October in Frankfurt, Germany. If you’ve been to one of these before, you know they’re amazing events. They are free to register. It is an amazing two days of sessions and thought leadership and networking. And just again, these sessions have been so highly rated and everyone who attends absolutely finds it to be a great use of their time.

So if you want to sign up for that, you can scan the QR code here. You can also search ‘Xchange’ on our website. There’s a whole page where you can sign up, but just making sure that conference is coming up in the Fall. Again, everything’s on our website right now for FTK 8.1, there’ll be social media going up all week and gosh, for the next couple of months if you have any other questions, let me know. I am just going to read a couple of these out. If you want to hang around, you’re welcome to.

So, in terms of questions, everything, I think in the chat I posted the actual link to the download page on our website where you can get the downloadable version of FTK for Standalone FTK. If you have FTK Central or FTK Enterprise or FTK Lab, you will probably need the professional services installation team to help you with that. So again, just, send us a note here. You can send it in a chat. I’ll see it. And we’ll make sure to have someone contact you. If you have a sales representative, you can let them know, and they’ll hook you up with that professional services team.

But FTK Standalone version, you can download it today, and it’s ready to go. The update to upgrade from 8.0 to 8.1, it’s very easy, you can just go install the update yourself for FTK Standalone. You do not need any help with that. So that is an easy one. This webinar is also recorded. So anybody who wants the recording, that will be sent to you automatically. So be on the lookout for that. As far as people asking questions about entity recognition that Christine showed us today, I think you can see as she showed, you can manually edit the entities, whatever has been merged, you can merge your own. So all of that is fully customizable, very easy to use.

Somebody did also ask, facial recognition, image recognition, is that available in FTK Standalone? And it definitely is, that’s all available. The Whisper AI feature will require you to have FTK Connect. So FTK Connect is the automation tool. There’s a full featured version for corporate and public sector customers that does all the API scripting. But there’s a much, much cheaper version that’s available of FTK Connect in our web store, or again, through your account rep, but there’s an FTK Connect Lite version that you’re able to purchase. Again, literally only a couple of thousand dollars. Extremely inexpensive. So, the Whisper AI feature will need FTK Connect in order to work.

Just looking at some of the other questions that have come in. Somebody asked about Internet connectivity in order to use FTK Standalone. All the features in FTK are available even if you are not connected to the Internet. You can even download offline maps if you do need some app and geolocation information while you’re working, so that’s all available in FTK Standalone all by itself. Let me just see if there are any other questions in here that we can answer quickly. Yes, definitely, the recording is going to be available. Don’t worry. There are FTK 8 training opportunities and content that are available to you. A lot of it is free. And there will be an FTK 8.1 certified investigator class. So be on the lookout for that. We’ll make sure to send you all this information so you can click the link and read about it. Frankfurt exchange, forgot to put the information up about that.

There is also a trial version of FTK. I’ll post the link here again for you. No problem at all. Put that in the chat and I’ll make sure that we post that in the post information. Let me just grab the link right now. I’m going to type it into the chat right now, and there it is. So there is a free trial available for FTK. You just have to fill out a form so we can get you on the list and then somebody will personally reach out to you and send you the information that you need in order to get that trial installed. Again, depending on what you’re interested in and who you are and what you’re trying to do, we have a couple of different ways to deliver that trial to you. So, if you fill the form out, we’ll get you in the queue and we’ll make sure we get you the correct version so that you can try that out for 30 days for free.

Again, for training certifications, I will make sure to send you guys all of the information there. There are definitely free training videos that are available on demand. In terms of certifications, I’m not sure if they’re free or if there’s a small fee attached to that. So I will check on that and make sure to get you that information, I’ll see your question there.

Another question that just popped in is the mobile portion included in the FTK 8 license? Or is that an add on? All of the features that Christine showed you today of reviewing mobile data, processing mobile data, parsing mobile data, right? Using the timelines, the entity recognition, the alias merging, all of those features are included as part of FTK 8.1. None of that is in a separate module whatsoever. So that’s all included. So that’s good news.

Okay, the trial version? Yes. Last question that just popped in. The trial version is only available to be used one at a time on a computer. So once you activate that trial on that particular computer, that trial will run there for 30 days. If you do need a different trial to run on a different computer for you or a different user, you’ll have to get that as a separate install. Again, I’m sure you can understand we have mechanisms built into the trial to make sure nobody installs it and downloads it like 37 times, right? We do have them assigned to one computer at a time. But again, if you fill out the form and when we contact you, just let us know that you’re like, hey, I have two computers, could you get me set up with that? And we’ll get that coordinated for you. So that’s no problem.

A question that just popped in about features being shown as part of the FTK suite: if out of all of them, which belong to FTK Standalone? So basically, in a nutshell, anything that has to do with remote collection, remote collection from a remote Windows PC or the remote off-network Mac collection that Harsh talked about today. So anything that has to do with remote collection is only going to be available in FTK Enterprise and FTK Central. FTK Lab and FTK Standalone, those do not have that remote collection capability. So those particular features are not available in Standalone or FTK Lab.

FTK Imager in terms of mobile data acquisition. So any of the FTK tools do not do any mobile data acquisition. We used to have a product a very long time ago called MPE, Mobile Phone Examiner, but we don’t have that anymore. We are leaving mobile phone collection to all of the other parties in the space, like Harsh mentioned, Oxygen and Graykey were certified partners. And any of those other tools that you are already using to do that mobile acquisition, those are great, we’ll take an acquisition file from any of those tools. It doesn’t matter which one, right? Cellebrite, XRY, Oxygen, Magnet, Graykey, whatever. So all of those tools, whatever raw native extraction that you get out of those tools, you can immediately import that into FTK to process it and parse it and review it along with all your computer data or whatever else you’ve collected. That’s where the sweet spot is getting all of it in there to process and review together.

Let me look and see what else is in here. There are a few questions I definitely can’t answer in here, and I’ve even asked them to Harsh over chat, and he said he’s going to have to check. Like Peter’s question about Microsoft chat and Microsoft Teams, Harsh is going to look into that for you. Let’s see what else is in here. We’re getting to the end. Anyone have any other questions?

I think I’ve answered everything I can answer. Again, I’ll get a copy of all these questions and I’ll make sure to follow up with all of you individually if we did not answer your question, but I think I got most of them. I know a lot of people have asked about training certification and yes, I am not prepared with that information today, but I will make sure to get that to you. I apologize for that. I’m going to post the download link here one more time. There are two different pages, and so I’m going to send you the link, I’m pasting it in the chat right now. I just posted it. So on this product download page, there are two tiles, you’ll see they’re the red background. There’s one for Lab, Central and Enterprise, and that is going to be all the documentation that you need for those particular versions of FTK. Because again, those are complicated installs, and we’re going to want you to work with the professional services team to make sure that’s all configured properly.

But then there’s also a tile there that’s for FTK 8.1, FTK Standalone. On that particular page, if you click on that tile, that will take you to download the ISO executable file that you can install to literally install 8.1. And again, all of the documentation, the install guide, the user guide, the artifact guide, that’s all there too.

Okay. I am going to put together a training link. So that I can email that to all of you after, because again, there are a couple different options for training. So I want to make sure I send you the separate links for any of the free training that is available for FTK 8. There are definitely a bunch of free modules. And then I do want to make sure I get you the right link for the FTK 8.1, like certification class and all, everything that goes along with that. So I will send that to all as a separate note after the fact. Any other questions? Thank you guys for hanging in and asking so many great questions. Harsh, is there anything else you want to wrap up with?

Harsh: No, I just want to say thank you to all the customers, partners for your support. On the mobile acquisition, I would say that is our current status as of today, but we’re working on some really good things with some of the other vendors in the space. Very shortly you will see some of the great collaboration between Oxygen and Exterro technology as well. But yes, until then we do not acquire devices, but yes, as you said, we do allow the imports. Thank you.

Lynne: Of course, oh good. Henrik says, “see you in Frankfurt”. Okay, good. Sounds great. I hope all of you guys are able to go and make it to that. It’s a really great event. Again, thank you again for everything, Harsh and Christine, amazing presentations. Again, I’ll send a follow up for everybody in terms of training information and all the Q&A, we’ll send a little document so everyone can see all the answers again.

Thank you for joining. Everything’s available on the website. You can go download the standalone version now, and you can read about everything you saw today. And again, there’s a handout tab. So if you click on the handout tab, you can download a couple of the product briefs that are ready for today.

Thank you again, everybody. We really appreciate all your time and we hope to talk to you again soon. Have a great rest of your day.
