Meet the New FTK Family for Modern Forensics

Holli: Hi everyone. My name is Holli Hagene, welcome to today’s webcast. We’ll get started in just a minute, first I wanted to let you know a few things. All of the lines have been muted to reduce background noise, and we encourage you to submit questions at any time through the webinar control panel. We will do our best to work those in throughout the discussion. This webcast is being recorded and will be posted along with a copy of the slides to Exterro’s website. We’ll also send you a link to those materials later today over email. I also wanted to point out in the handout section, there are a couple of product briefs for the 7.5 release in general and the FTK Connect solution.

So today we are excited to present “Meet the New FTK Family for Modern Forensics”. We will be going into the product for most of the sessions, so you may need to use your Zoom on “go to webinar” in order to see them a little bit better. And this webcast is brought to you by Exterro, the leading provider of e-discovery and data privacy software designed for in-house legal privacy and IT teams, a Global 2000 and AmLaw 200 organization. Exterro recently acquired Access Data, the makers of FTK. By combining courses with Access Data, Exterro can now provide companies, government agencies, law enforcement, law firms and legal service providers with the only solution available to address all legal GRC and digital investigation needs. Now I would like to welcome our speaker, Justin Tolman, forensic subject matter expert with Exterro. Justin, if you can take over.

Justin: Thanks, Holli. All right, so we have a lot of good stuff to cover in the next little bit here. So, again, we’re talking about the latest release, 7.51, and that’s me, so…there’s my stuff. You can find me on LinkedIn, I also post regularly on YouTube, forensic related stuff…FTK, forensics in general. And if you’re looking to take the ACE, I have a study guide on there that’ll help you pass it, so you should watch that as well.

You can also reach out to me via email justin dot tollman (spelling on the screen) at So if you have forensic questions or FTK questions, or stuff like that, if I don’t know the answer (because I’m not the end-all be-all of forensics), I may know someone who does, I may have access to someone who does, and we can help you out, because the more successful you are, the better it is for everyone.

So just a rough highlight, like Holli said, we’re going to jump into the tool and take a look at the stuff in it, but here’s kind of an overview, not necessarily in order of what we’re going to do. So some of the things that were added were multi-case review and FTK Plus, and we’ll talk about FTK Plus a little bit, what it is, why you should be using it, why it’s awesome, that sort of thing.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

We’re going to be looking at AI assisted object recognition in image and video, maybe my favorite addition to this version. We’re going to talk a lot about increased Mac artifact parsing, we’ve done a lot of work there, really cool stuff, and you can see some of the stuff there. And we’ll talk and show some ABBYY OCR processing we’ve added in 7.5 ABBYY as an option for your OCR.

Then we’re going to jump into FTK Central and look at some of the stuff that we’ve added there: Project VIC and CAID integration custom dashboards, which are totally awesome, and we’ll talk about some other optimizations that we’ve made there as we.

So we’re going to be bouncing through the FTK family over the next little bit. If you have questions, drop them in to the Q&A system. Holli will help me, hopefully keep on track with that, because the “go to meeting” interface does not like my system for some reason, and it’s really hard for me to read those. But I will try to get to them, and we’ll try to do it in context. So yea, if you have any questions, go ahead and drop them in there and we’ll get to it.

So, I’m going to jump out of this, and we’re going to go over here, and we’ll go into our system here to take a look. So, again, it might be a little small (apologies for that), but over the last few versions of FTK, we have worked really hard at updating the system artifacts that we show in both Windows and Mac. And so, if you’ve been using FTK for a while you may remember the system information tab, and it didn’t look like this. This is the new hotness! (Whatever! To pull in from Men in Black).

System Summary is an amazing tab. We, the training department, we’re talking about the System Summary tab versus the Overview tab, and what is the best place to start an investigation. For years it’s been the Overview tab, but System Summary now is making a play for maybe one of the best places to start your investigations when jumping into FTK. And the reason for that is we bring out all this computer information front and center, easy to read, right here for you.

So, again, it’s a little small, but we have Apple keychain generic passwords, and if we were to select that we can see some of the Wi-Fi passwords and information that have been brought in, and you can select it. It has the column data down here, and that column data allows you to filter, allows you to export, allows you to sort, all that sort of things that you’re used to doing in FTK, but with this system information, we also display it in a nice HTML view, so that you can export that out for reporting however you want to do it. You can also, of course, export out this column view into an Excel format, still the same: we haven’t gotten rid of that.

So Apple keychain generic passwords is one of the new things we’ve added with our increased Mac parsing. You’ll also see Mac applications here where we list the applications and various information about them. We have browser data, that sort of information as well with Safari (we’re going to look at that in a different tab though), but notice we have the Mac installed apps, so you can take a look at what they’ve installed, what version is installed, that sort of thing. Going down through the startup items, if you want to see what information is starting up.

Now one thing I want to point out which was a huge thing for me, and probably for a lot of you who use FTK, is our product and development team added auto column switching. This is actually not a 7.5 release, this was a 7.4 release, but just in case you haven’t noticed, as we move through these, our columns are automatically switching to display that information. If you’re returning to FTK, maybe after a brief break, you’ll know this is huge, I love it, one of my favorite new features in the recent versions of FTK. System Summary makes great use of that because we have a lot of different types of information as we look here through the keychains and the app information.

Again, we have browser information, we’re going to take a look at that as well. We can look at it here, but we’re parsing Safari out, grab the cookies, the credentials, any download information (you can see here they downloaded the LogMeInClient) you can see the download time, the file size, what browser was used etc. (in this case Chrome). And we can see Mac network information, operating system info, recent files, just a lot of information there with the Mac.

And one thing I should say is you can actually get a lot more than this. The data set that I had available to run Mac, this is what was returned. If you have a different Mac image which obviously you will in your investigations you can get a lot more than what I’m displaying here. We don’t show zero field stuff so this list will grow and shrink based on the data that you put in it.

The other cool thing, really cool thing, about the system summary upgrade that we’ve done in 7.5 and in 7.4 (it’s been this staged thing, as we’ve added features) is all we need to do to populate this is the specific files needed for what is parsing this information. So, we can see here that I just happen to be on downloads, the only thing we need is the history database. If we were to switch up here to, say, the menu apps we just need these files here, this plist, we just need this one plist.

So what that allows you to do is, if you’re acquiring Mac information using the FTK Enterprise agent, you don’t have to bring over a full forensic image, you can bring over just the files that you need to populate the System Summary information. This saves you a load of time, a load of network traffic as well, but it also saves on processing and you’re just into the information really quick. And so this is really handy that you don’t need the whole disk, you just need the files that you want to populate in this System Summary.

So this can be populated depending on your network and stuff on the poll, but the actual processing and everything is under 20 minutes, it’s really quick, really, really quick. So, you can get this information in post breach investigations to determine what was an event, what was an incident, how we transitioned between those two things, get some historical information as well. So a lot of useful information that we’ve added to this.

Outside of Mac, one of the things that we’ve added within this version for Windows System Summary, is we’ve also added increased Windows event log parsing. You can see (hopefully!) the list of things such as account management, events power, entry events, networking login/logouts, kernel events, firewall events, shell events. All these things that can help you in determining user and system activity, if you’re in incident response, super important information, but even in just determining user behavior leading up to any investigation on pretty much any thing.

For example, we used to track login counts through the SAM registry file…well, with Windows 10 especially requiring live logins, that’s not really tracked there anymore, it’s tracked in the Windows event logs, so we need to have that category to get there quick. So we’ve done a lot of work to bring this information out to you very quickly, in an easy to read format. So check out that System Summary because there’s a lot of good information.

So, over here on the Internet tab, we have added Safari because we’ve increased our Mac processing, so we have our Safari browser data, history, cache index, bookmarks, all the stuff that you would want (top sites). And then we also bring out the files, and you can take a look at those as well. So, a lot of stuff done with the Mac.

Speaking of Mac acquisition, we’ve optimized our agent in 7.5 to use up less resources on the end client, so that you can do the remediation, you can do the capture, you can do what you need to do without impacting the flow of that endpoint machine. So you can still capture and do all the things that you need to do, but in a more efficient way. We’ve worked on making that a lot more efficient in this release as well.

So a little bit more information on some things that we’ve done with FTK 7.51, while we’re in this interface, is if you work with virtual machines or virtual hard disks, we’ve optimized the way that you can bring those in. You know, in the past, that you’ve had to use imager to take an image of the virtual machine (the virtual disk), convert it into a forensic format and bring it in.

Now, while that’s still good because forensic formats are awesome and we want to contain that, if you’re just doing a triage or you just want to look at it based on your needs, we can bring in those virtualized disks directly into FTK, even the newer versions of those things and just look at them directly. So you don’t need to convert those into a forensic format if your workflow policy etc. don’t require you to do that, saving you some time, saving you some steps and getting those in.

So, what we’re gonna talk about now is FTK Plus. If you haven’t been using FTK Plus you need to, because it’s awesome, and there’s a couple ways that you can get into it. First off, for every client, or every install of FTK, whether it’s FTK, FTK Lab, FTK Enterprise, it comes with the ability to run FTK Plus. This is kind of a separate thing, in that you’ll see, it’s a different interface, but it comes with it, so it’s not like you have to do something extra, it’s installed by default. So you have a couple different ways to launch it. If you are in your case, you can launch it using the FTK Plus button here and that’ll launch the interface for you, or during the installation of FTK it’s going to create a shortcut on your desktop and you can launch it from there.

So, is FTK Plus new in 7.5? Nope, but we’re talking about it because we’ve seen a lot of cool stuff added to it. So, I already had it open. We’re gonna jump over and take a look here at FTK Plus. So here’s the interface for that, and I have some data loaded up already, specifically a video. And I mentioned earlier that we were going to talk about AI assisted object recognition, and that’s what this is, and it’s pretty cool. I’m a big fan!

So, how does it work? Well, behind the scenes it just does its magic, but in here what we get is pretty cool because we have this video here of some drone footage, and it’s just a bunch of desert and some mountains for quite a while, quote – unquote. You can see here that our first detection happens around 1 minute and 48 seconds. For this video which is only 2 and a half minutes, that’s an insane amount of time to watch nothing really happen.

But if I’m looking for, say, vehicles in videos and I want to do that, I either have to scrub through, which is…I mean it I guess it works, or we have to watch the whole thing but that takes a lot of time, or we can run image recognition, object recognition on this to find it.

So, we can take a look at this one, and we hit play and it jumps right to it. We have this ATV, this little thing here, but it detected it as a vehicle from super high up. And we get these little thumbnails as we go through as the camera angle changes, it’s redetecting. One thing that I really like about it is that it’s pretty sensitive to what vehicle parts are.

So, if I hit play here, notice that it just hit on this front thing because it detected some tires, maybe the hood etc., here just the edge on the back. So we can run this on video to find the objects that you want to find and it’s going to give you these jump points to get there, complete with a thumbnail. And we can increase the image size if you wanted. This video I like to use because it’s so small and it shows the sensitivity that the scan, the AI, whatever you want to call it, has to finding these objects in there.

You also have your timestamp listed out down here. If it’s a longer video, you’ll have more thumbnails based on what you have and you can adjust how many you see at any given time, of course, down here. We don’t have 50, we only have 11 because it’s a short clip, but in your investigations you can get a lot longer videos and so you could have a lot of hits depending on what you are looking for.

So, if I was to come down and select the next one, one that i haven’t run this on, because this one (I don’t even think there’s much in here, it’s just this dry lake bed) if you wanted to run this you have a couple different options, and it’s pretty handy the way that we’ve done that, because you can either run the recognition on one video, or you can run it on your whole case, or selected items.

But sometimes, you may just have this one long video and you want to tag throughout it every time that a certain thing is detected so that your reviewer, you, the end user etc., can say, “OK, this happened at this time, this time, this time,” and FTK Plus is going to do that for you.

So, we have these various categories here. We have airplane, banknotes, drugs, coins, guns, knives, you can get it to highlight people. If somebody was taking videos of passport documentations, or we can highlight signatures, vehicles is the one that I ran here. And not just guns, I want to point out that we have pistols and rifles here, so if you’re looking for a specific type (or I guess it wouldn’t be type, like genre) of gun you can do that as well.

So, you would select the category or categories that you want to run across your video and then you just click “run image recognition”, and that’s going to process out and it’s going to generate this output for you. And, again, it’s really nice because you can just be like, “this looks interesting,” also there’s a person in it and you could jump straight to that location, you don’t have to scrub or anything like that. So I really like the feature set here, it’s super easy to use and it just pops it out and you can just go down through your videos.

So, the other thing that it’s going to do, which is really helpful, because if you’re going to run it on your whole case or at least a bunch of files, it’s going to apply a label to your video. And the usefulness of this is if, like right here I have 726 items in my video list, I can quickly filter down and show only the ones that hit on this object recognition. So, let’s do that. We can take a look at how that works by deselecting video and we’ll select our graphics, and let those load up real quick. And we’ll show how this filter system works. (Of course, because it’s live, it’s gonna hang on me, but normally it’s pretty quick!)

So we’re going to come to our labels, and notice that we have aeroplane (airplane) here and we’ll select it, and we’ll click “filter”. So what I’ve done here (previous, you know like a cooking show…just pull it out of the oven as it’s done), is I ran object recognition on some graphic files. And so we filtered down to just airplane here, and we can look at the pictures of airplanes.

So, if I switch to my thumbnail view and let’s adjust my bookmarks pane, we get airplanes, we get some helicopters in here, a snowflake, but you know, we get really good hits. I like this satellite too because I think it satisfies all the criteria of an airplane, maybe it hit on a kind of helicopter, but I love that it’s there. But we get really good hits on these airplanes and it narrows it down. But we have…we’re filtered on labels, but we have a lot of graphic files in this data set. But by quickly applying this filter to the automatic placed filter, we can get down to our…just airplanes.

So this AI run object recognition can be run on images, on video, it gets you to your evidence quick. And the nice thing about this type of processing is this type of processing works when you aren’t. And so you can let this run while you’re working on other stuff, or when you’ve gone home, and by the time you’re done working on that other stuff or you come back the next day or whatever, it’s ready to go. It actually processes very quick. I don’t have that powerful of a machine, and it goes through pretty quick. So it’s not a big time sink to run this, so it can save you a lot of time.

And, again, you can run multiple different types of categories on the images as well. I’ll show you here, we can go up to evidence, additional analysis. We come over to the AI and advanced jobs and notice we have the image recognition here and then, again, you have your categories that we went over earlier, and you can run it on the highlighted items, checked items or you can run it on your whole case.

So, either way you want to do it, whatever you’re looking for, you can do that as well. So, you don’t have to run it up front if you don’t want, you can run it on individual videos like we showed earlier, you can run it on individual pictures, multiple pictures, all that sort of stuff. You have a lot of flexibility there to get what you want.

So let’s deselect graphics real quick, and let’s come over to like documents and we’ll select spreadsheets. And we’ll take a look at this. We don’t need our thumbnail pane anymore because we’re looking at these. So, one thing that we can do now in FTK Plus, which is really cool, is multi-case searching and analysis…oh, I need to turn off my filter here because we don’t have any airplanes in our spreadsheets…is we can do multi-case.

And this can be really useful as you know that, “OK, we did this one case at this date and then we have this other one and there seems to be some things that might be similar.” And in FTK Plus it makes it super simple to do that. So, we can hit this drop down. This is our case drop down that lists all the cases that we have attached to our database and to this user. So, this will only show the cases that this user has access to. And all we need to do is select the case or cases that we want to load, and click the check button, and it’s going to load in here. (There we go.)

And what we have here, is it’s automatically going to put in the multi-case window here, and you can see the total count. Now these look small, because remember, I have a spreadsheet filter on. So, again, what’s nice is the filters that we apply in FTK Plus here apply to both cases, so we get this here. And then if I, say, search for “Justin”, and hit go, so it’s going to apply this search term here, and run my searches on both cases to find the items.

So, we found 2 in the main case and 2 in the BlueP case, and so we can take a look and we have this spreadsheet here that lists some people out etc., has some three tabs. So we get copy of TheSyndicate and TheSyndicate[7], and then if we switch over to the BlueP case it loads them up, and notice that we have the same documents, but this is TheSyndicate[5], copy the TheSyndicate[5] (the other one was [7]).

So what we can do now is (just making up kind of a narrative here) is, “OK this was back then of this one computer, main is more current with this newer computer, we can compare date/times. Maybe the path, right here, indicates that it came from an email. So, maybe we’re now going to work with both of these cases loaded into the same interface to tie this back to the email that it came from from the other computer and we can do that very easily and then combine our report on the way out.” And tie these things in a longer case.

If it’s something like, that document’s inside of a network (inside of a corporation or a business) you have that sort of chain. If it’s something like a drug case or something in criminal, you can go back and try to chain and try to map out an organization based on the files or the chats if you’re working with mobile data to bring that all together. So, notice that our filters apply to both cases, our searching applies to both cases, we can add to our bookmarks and get it all put together.

So, multi-case: all you need to do is come up, select the two cases that you want, or more cases that you want, (in this case this one’s clear off in something else), select the case that you want and hit go and it’s going to load those up for you. Cool, I think it’s great and can really help you in chaining together historical case runs.

So, I’m gonna refresh my case list and clear out my interface here. And I’m going to quickly switch over to the FTK interface, but on another machine here: maximize my interface. One of the cool things that we have added in 7.5 is ABBYY OCR as an option for your optical character recognition here. So, I have various mobile screenshots here that show some different things.

So, first off just this kind of picture: somebody’s playing some music here. We can go over to text and ABBYY OCR has parsed this out in a clean and easy to read format. So, we can see the time up here of like 9:45, we get the band (or the artist, Deadmau5) and the name here “Strobe, Deadmau5”, etc.

And we come in, and we get the name: this, how much time, how much time remaining, we get up next, lyrics, relate, the time the battery, all that sort of stuff is pulled out of that screenshot. And the reason I like this screenshot as well is the colors are kind of all over the place. Yea, it’s white text, but we’ve got some of this blue text in here, black background, green, and it’s grabbing that information out of there.

If we switch to the next one, we have Dan here. We have this discussion going on here with a black background, white text: pulls it out just fine. So, you can see that. And why would you want to do that? That screenshot’s super easy to read anyway. Well, because you may want to search this. And so what we’re doing is, if you have a lot of screenshots, you want to search those screenshots (or you have other file types that you have OCR’ed) you can bring those in, those are all searching.

I’ve actually had a case where a screenshot of a text message was the key piece of evidence that got him. It was a rape case, so really in my opinion pretty important to get that one solved! And so screenshots can be useful. But if they take a lot of them, they can be a hassle to read through going through to try to get through. So we want to be able to search out this text.

ABBYY is an option that we’ve provided because of its efficiency, because of its quality. So, to run that you can go into evidence or additional analysis, and you can run it. You can also run it pre-case, if you want to do that. So, you have options there.

So we have optical character recognition here, and you can set up your OCR options on what you want to scan. If you used OCR with FTK prior to 7.5, this window should look familiar, except for what you’ll see now with an additional license is ABBYY fine reader here as a select. You can also run lead tools if you have ABBYY added there. You can choose which one you want to run.

But ABBYY is the way to go if you have it, but we provide you that option if for whatever reason you need that. But ABBYY’s output is super clear so that you can read this in this text and get that going. But, again, the thing I like about it is multiple colored backgrounds texts, it’s ripping that out bringing that into a searchable thing which can help you solve your cases.

Cool. Alright, so let’s do this. (Let’s…nope. I need to get out there, and here.) And we’re going to take a look at FTK Central. So, FTK Central: perfect for distributed work environments because it works through a web browser. The other cool thing about it is you can distribute the work to the people that are at the investigative ground level, as it were. So, if you have centralized labs that are working your cases, you can send it back out to the people who are more familiar.

So, in a law enforcement example, like where I worked at the Ohio Bureau of Criminal Investigation, we were a state lab and we had some offices in Youngstown, Richfield and in Columbus (or just outside of London) and the detectives and the investigators would bring their evidence to us and we would work it.

The funny thing about it, kind of in reference to FTK Central is, I was from, and am from, and in now Washington state, but was working in Ohio for a while. So, while I knew what to look for as far as like bad things happening, and the detectives and the investigators would write out the descriptions, and I would read their case reports and all that sort of stuff on what to look for, I wouldn’t know the context. I can see a white car, but the detective is going to know, “hey, that’s his brother’s, or that’s his sister’s car, and that’s whatever.”

So, they’re going to have more that context, more of that information that’s going to help them be more effective in their cases, and that’s going to…and FTK Central can assist in that. So, because what they can do is bring in the information to the centralized lab, they process, give them this link to log in and they log into their instance, and can look through in a simplified interface.

So, we’ve done some work here, and continue to work here, of course, in this platform. So, we have some cases that I’ve looked at here, and we’re going to talk about a few of the things that we do here. So, let’s first jump into November75. And first thing that we’ve added here that you’re going to start on is customized dashboards. And this customized dashboard is cool in that you can get the information that you want displayed when you load into a case.

So, we do have a classic dashboard, which is…product and development have the burden of developing things that do the most good for the most people, but sometimes what you want isn’t what most people want, or maybe you just have your own taste. So, here we do have file categories, and we’re going to have evidence items, and processing jobs, and the different bookmarks and labels etc.

But maybe you want something different. So, what they’ve done is they’ve added this way to customize your dashboard. So, here we do have file categories, but I also put labels. I want to know what labels I have in the case and how many files are in each one. And we’re going to take a deeper look into this feature here in a second.

And then how many of the files within my case have been viewed? Now why would you want to know? You’re the guy going through it, maybe. If I have like, Sarah and Holly and Dan assigned to review different aspects of the case and they’re all logging into this case, I want to see overall progress. Maybe the labels are assigned to different things. I can also add another widget here, but I want to see what files are being labeled as they go through.

Same with the bookmarks. I only have one user assigned to this, but if I had Sarah, Holly and Dan in here, I could see, “OK, hey, Justin’s bookmarked 2, Dan hasn’t bookmarked any,” etc. So, you can kind of get a feel for that if you’re the admin. If you are the reviewer and you see this here, maybe it’s just giving you an overall progress to help in your time management. So, we’ve not viewed 124 files, we’ve viewed only 9, maybe we better pick it up.

So, we can customize this from the get go, when you open up a new case this will be blank because, again, it’s a custom dashboard. You can load up pre-created ones, if you want, of course. So, you can create once and then just load up again. And then once you have it here, you can always add another widget and it gives you these customization options to build out exactly what you want.

So, obviously pie chart, you saw the table version with the labels, and then we have a horizontal bar here (vertical bar). You then choose the data type that you want to show. So, you have a lot of different options here that you can put in. So, you select those and then you just add the widget, and it’s just going to drop it in here, and you can move it around etc. You also have different layouts: I chose this three column layout, you can do two column layout, you can do whatever when you create a new custom dashboard.

The other thing that’s kind of cool about this labels one especially, is we have these two labels that we’ve applied, so I come back in, it’s the next day, I want to see: what did I do yesterday? That was a long time ago. I can just click on Cityscape, it’s going to open up (we’ll talk about this warning here in a second, I think it’s really good), and we have just our labels notice it’s applied that label filter as we jumped in and now I only have my Cityscape files that I’ve tagged here. So, we can close that and come back out, we can go to our video one and it’s there. So, you can jump to those very easily. So, the customized dashboard, really cool for giving you that overview added in the latest version of FTK 7.5.

Now if we want to go in to our case, we’re going to click enter review, and we’re going to get this warning up here. “Warning this case contains sensitive VIC (project VIC) and CAID images.” And what is flagged by that (let’s close our filters so we just get a good look at what’s going on here)…what’s caused that is, I’ve configured this one for, in this case, CAID categories so that I can go through and tag those out.

So, if I open up this filter…not that, well here’s the filter thing…I’m meant to open up my tags, and come over to my bookmarks, I have the CAID (which is the international UK version of Project VIC: same idea, just their categories), I have those listed here. And I’ll show you how you can do that here in a second, but when I put these categories in it’s going to give me that flag.

And this is important because remember that this is for a distributed work environment. FTK Central excels at spreading that work out to office sat — satellite offices (let’s switch those words up into the right order), investigators that are working in different departments, whatever the case may be. So, because of that you as the admin, you as the forensic person, and then we as a product, we don’t know where they’re going to be. So, we don’t want somebody to open up a case while riding the bus home, or at home, depending on what their office situation is like, and not know that, “hey, there’s a potential for some pretty bad contraband in this image, you probably shouldn’t be looking at this in a public place!” So, that little warning comes up saying, “hey, these categories are active, so just be careful.” So, I think that’s a really important feature to point out, even though it’s just this tiny little banner.

So, OK, we have these. And the cool thing about these as well, when you populate these (which we’ll show in a minute) it provides like shortcuts, so notice by pushing Shift+2, I can put it into that one, and then I can go to my next document and it’s this one I can do Shift+3 and it’s going to put it in that one. So, it’s going to create these shortcuts for us in there so that your reviewer can just go through clicking, “next, OK, bookmark, not bookmark, bookmark, not bookmark,” and just go through with the shortcut keys adding them to the categories.

Of course, you can run the known file filter with the Project VIC or CAID hash sets and they’ll be put into those categories, but as you go through your case, if you find more, you can use those shortcuts or manually, of course (you can always manually put them in). So, we could come in and say, “this is borderline,” and you can of course click to put them in. And add everything in and then export those out for delivery to the Project VIC and CAID systems to keep that going.

So, this is a super big help, I think, builds those in, automatically builds the shortcuts as well and of course, you still have the ability to run the known file filter to find what’s already known and what’s already in the VIC and CAID sets. So, how do we enable that? We’re going to come back over here, we’ll take a look at our case list, and because I’m an admin user in this case I’m going to see a lot of stuff, so we’re just going to say, “November”, and here we are. We can come over to the menu and “initiate media category”.

And so, we can see here the media category is CAID. This was selected for this instance to be a CAID box, but depending on where you are, of course, you could be a Project VIC category etc. But you would just come in here to initiate that, make sure that everything is good, you have your shortcuts in here that you could change if you wanted, and then you click save, and it will create those bookmarks in your case (the bookmark categories that we just took a look at). And then you’re ready to go with the Project VIC. Again you get your warning, and you can come down through.

But we’ve added a bunch of other things. If you’ve been using FTK Central for a while, we’ve moved some things around the interface to make them more user-friendly. For example, moving all of our (what do you want to call these?) icons, like filter icons, and everything over here to the left to allow you just a consistent place where you’re always going to open those things like tags.

And the nice thing is, again, we’re focused on a simplified interface. We’re getting it out, distributing it to the users that have the most knowledge about their case, maybe not the most knowledge about forensics. But that’s not what we’re looking for here, we want them to be able to work a case and distribute it, so we’ve moved the information over here. We’ve adjusted our case level permissions so that you can assign global and case roles to each user, so that you can control exactly what you want each user to be able to do. If you only want them to be able to view data and label, or view data, label, and bookmark, you can set that all up within the system.

So, a lot of good stuff have gone into FTK Central but the Project CAID, Project VIC, custom dashboards are some of my favorite that have gone in to make your experience a lot better in using the tool.

Cool. Is there any questions, or comments, or whatever about the things that we’ve gone over here in the last 50 minutes?

Holli: A few questions about the translation feature, which I stated you’ll be doing another webinar on. But anything you can say about that?

Justin: Yea, so the translation feature, we will be devoting its own whole webinar to because it’s pretty awesome. So, let me…I don’t have any case loaded now. Let me get a case loaded (we’ll do this guy, I guess, this one), and the translation will pop up in here. I haven’t run it on this data set because it’s all in English, because I created it and I speak only English.

But yea, it can translate it. It will then index here in FTK Plus so that you can search that translated text as well in whatever language that you are translating it to. So that if you’re bringing it back into English, or maybe English isn’t your first language, you’re taking it into Spanish or something like that, you can then search in the translated language. We are partnered with RWS and we will be doing a webinar and a bunch of releases wrapped around that, but yea, coming soon, really cool. You can look at it by selecting the translated text here, or within FTK, if I have a document I can…you have the translation tab here. And again, I haven’t run translation on this, but that’s coming up.

And then the other thing that you should be on the lookout for is we’ve done a lot of work and updates and some cool stuff around what’s called FTK Connect. And FTK Connect, if you’ve talked with us before, we were calling the API, but that’s just a general (I mean, there’s APIs for a lot of things), but FTK Connect is a scripting. Right now it’s primarily with Python Connector into FTK lab, or FTK Enterprise, FTK Central, to allow you to automate and standardize workflows and it’s pretty awesome.

So, you can have case creation automatically happen when an image is added, you can have files be automatically labeled based on criteria, and so this can really help speed up your workflows when working with lots of data. So, I was just talking with Tom who’s working a lot with our FTK Connect, and you can say, “OK, any document with a certain name,” or “starts with a certain letter,” or “has this character combination in it, we want to label that.”

And the cool thing about that is we can then kick it out to a portable case or to its own forensic image, and you can send it to the end user who needs to review only that file. So, up until it finally gets to the reviewer, it can almost be totally hands off in the setup. Really, really powerful in speeding up workflows, making it efficient, but also standardizing. I know a lot of people, a lot of companies, a lot of agencies want to standardize the process for defensibility, for consistency, all that sort of thing. And while they may have policies and stuff, it still comes down to the user doing what the policy says.

FTK Connect can, again, you create the image then it can take it from there and make sure that things are run the way that policy states, because you’ve programmed it to do so, and that’s what computers do, is what we tell them to do…at least for now! So, yea, we have the translation stuff coming up here soon, very, very cool. We have some FTK Connect webinars coming up soon also very, very cool, and you should check those out in that area. So, Holli, hopefully that answers a little bit about that.

Holli: Yes, thank you. There was another question about the different FTKs. So, FTK plus versus Central versus Connect. A couple of those are just product name changes and one is new, but if you could just go into the differences.

Justin: Yea, so, all these different technologies of FTK run on the same backbone, and let’s take a look at it like, historically. We’ve always had FTK, just Forensic ToolKit standalone, then we had FTK Lab, and FTK Enterprise, and the interface was the same.

And what was different is they were tailored for different uses. FTK Lab was for your large labs, for distributed environments, for huge processing servers etc., whereas FTK Enterprise, now (per its name) was for enterprise environments. It had agent deployment, and remediation, and live preview and…things like that that work within an enterprise environment.

So, we’ve kind of taken that and tailored it as well, so FTK Central is now designed for a distributed environment. So, again, like my example, I’m the forensic expert in Richfield, Ohio, but I have a detective in Elyria that submitted some stuff. I’m going to process it and he can work that review from Elyria across the web, a secure container – a secure connection, and bookmark and label, and we can communicate if he needs more information.

So, FTK Central is this distributed review environment designed for those environments. FTK Plus is this added review and functionality to FTK. Again, it’s part of FTK, it comes with it. So, for example, you can do the object and video recognition in FTK, but the FTK Plus, which is part of FTK, just adds this clean, easy to follow user interface. So, one of the ways that you can use it is if you have a visiting council or something like that where they just need to review, FTK Plus is great at reviewing and just displays the information in a way that I really like in those certain areas.

FTK remains the backbone (like the interface that we’re looking at right now), remains the backbone of all those for management, for deep dive forensics, for all of you that like to hex dive and solve…you got to rebuild stuff, you’ve got a data carve, that sort of thing, this is the home. All the information that’s here you can see out there, just in more detail.

We’re just, again, as we have always in the past, with FTK Lab and Enterprise, they’re just tailored to different industries, different types of users, that’s what we’ve done there. FTK Connect is kind of its own thing in that there’s not really an interface per se, it’s an automation tool. So that’s an API, honestly that’s what it is. So, a way to plug into the back, the subsystems of the software and automate everything about it. So, hopefully that’s a little bit clear of how we’re tailoring these different software packages to suit the needs of the various industries that enjoy using the FTK.

Holli: Another question: how easy is it to run FTK’s database other than locally, for example AWS?

Justin: Yea, so, all of our tools are supported in AWS. So you can install it there. And if you want a centralized database for FTK on prem, that is what FTK Lab is designed for. I’ve worked in an environment where we used FTK Lab with a centralized environment. You install the database in the central and then all the clients just connect to it across your network. But you can install our software in AWS, and then you just have to be aware of the network connection between your cloud and your machine for uploading data and downloading data etc. So, we support that.

Holli: All right. If you have multiple lab users, is there one FTK Plus per user, or can only one user use it at a time?

Justin: There’s one FTK Plus per client install of FTK. So, you can have multiple users assigned to FTK and thus FTK Plus. And so, if it’s on a standalone box in your office then only one user can use it at a time, but let’s say you have shift work or you just rotate through depending on what case it is, yea you can have different users assigned and logging into FTK and FTK Plus. Just not at the same time in normal FTK. FTK Central is a similar interface as you saw, and that allows for multi-user logins, collaboration – simultaneous collaboration.

Holli: Perfect. We have come to the end of our questions. So, thank you very much Justin, we appreciate that. Like he said, we will have a couple more webinars coming up soon, we just have to work out some details. But just a reminder that this webcast was recorded and will be posted along with the slides to Exterro’s website. We’ll also send you a link to those materials later today. So if you could please take a minute to fill out the survey at the end letting us know how we did and what topics you’d like to see in the future, we’d appreciate it. So that concludes our webcast today, have a great day everyone. Thank you.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles