Work Smarter, Not Harder — Optimize Your System for Faster Forensic Processing

Holli Hagene: Hi everyone. Thank you for joining us today. My name is Holli Hagene, and I’d like to welcome you to today’s webcast. We’ll get started in just a minute, but I wanted to provide a few reminders. All of the lines have been muted to reduce background noise, and we encourage you to submit questions at any time through the webinar control panel; we’ll do our best to work those in throughout the discussion. Also, this webcast is being recorded and will be posted along with a copy of the slides and any additional resources to Exterro’s website. We’ll also be sending you a link to those materials later today over email.

Today, we are excited to present the second webinar in our Masters of Digital Forensics webinar series. This masters series is an educational program focused on best practices for optimizing the digital forensic investigation process. There are five complimentary courses in the series, and in today’s course we will be diving into optimizing FTK processing. If you attend all five webinars, you’ll receive your Masters in Digital Forensics certificate.

This webinar series is brought to you by Exterro. Exterro is a leading provider of eDiscovery and data privacy software, specifically designed for in-house legal, privacy, and IT teams at Global 2000 and AmLaw 200 organizations. Exterro also recently acquired AccessData, the makers of FTK. By combining forces with AccessData, Exterro can now provide companies, government agencies, law enforcement, law firms, and legal service providers with the only solution available to address all legal GRC and digital investigation needs in one integrated platform. For more information, visit our website at

All right, now I’d like to introduce our speaker today. Dan Sumpter is currently a senior instructor with Exterro. He is an army veteran and retired police detective and was certified as a digital evidence recovery specialist. He holds multiple certifications in forensic investigations and is currently working towards his Master’s Degree in Cybersecurity from Bellevue University. And with that, I’ll turn things over to you, Dan.

Dan Sumpter: Hello, thank you for your introduction. Let’s see if I can take this over here. I’ll tell you a little bit about myself again. She already introduced me. I appreciate it, thank you, Holli. So to expand on that a little bit, I was a forensic examiner for a local police department just outside of Cleveland, Ohio. I’ve been doing forensics probably about eight or nine years now, maybe a little more, started with FTK, learned forensics on FTK and have been nonstop using FTK since.

So a little bit of what I’m going to talk about today is how to make your job a little bit easier, make your workflow a little bit quicker and make it more relevant to what you’re looking for. And hopefully we can throw some tips out there to you so that you can feel more comfortable using FTK and so that you don’t get backlogged with tons of data down the road, and then you can actually spend time looking at the artifacts that you want. So again, thanks for attending, everybody for those who are here today, and those who are going to tune in later and watch this.


So when we’re talking about optimization in this setting here, we’re discussing your workflow, the settings that you’re going to use in FTK, and the options that you’re going to choose to process your evidence. Obviously, to optimize your hardware you’re restricted by your environment, your budgets, your equipment, but we all know that faster processors and bigger hard drives obviously make things work a little quicker for our examination machines. We’re going to focus more on how to make FTK work better and faster for you by limiting what we’re looking for. And that’s kind of how I teach my classes when we go through our classes, especially with the entry level classes that we teach. I try to give you an idea of how to narrow down what you’re looking for and then pick those processes that are important, that’ll get you those artifacts.

Now, we all know that obviously, due to the size of data and technologies increasing, we’re finding evidence images that are in excess of one terabyte, some four terabytes, some even larger. It takes time to go through all those things, to go through all of that evidence that’s on that image. It takes time to even create an image, like Alan probably talked about in the first class of the series, but processing times can take way longer because of the size of that data. So that’s what we’re going to try to reduce: our processing time, so that we can see the artifacts that matter. And hopefully I’ll help you accomplish that by the end of this webinar.

So just like anyone else, when I fall behind in my work or my examinations, it can be overwhelming. And because of the amount of data, I’ve missed things that probably were important because I just had so many artifacts, or so much data to examine, that I’ve overlooked or missed something that may have been important. And I’ll be the first one to admit, I’ve gone back to a case after, and looked again, and then something comes out, or maybe a tool’s been updated and they have an artifact that can become visible now due to some new update or change. So I can always say, when you start your case, start small and then find what you’re looking for, and then at the end if you need to go back, go back, and don’t ever forget that when you go back, you can also change settings to get more things done.

The other thing that I always came across being an examiner was my time constraints. You know, how much time did I have to work this case and get this information before I had to go to court or before I had to present this? In Ohio, and I know a lot of states, and I don’t know if other countries are like this, but once you make an arrest, it’s usually about a 90 day window you get to indict somebody. And so if you don’t do your exam before you make that arrest, then you’ve got 90 days, in my world here, to work your examination and find out as much as you can in order to be able to indict somebody on the charges that you made the arrest for.

So it is important that we try to stay within our time constraints. And then we get backlogged. We all have evidence that we got from other sources, all for one case. And then you might have another case come in the next day, another case, and maybe you’re in a situation where you’re the only examiner in that lab and those examinations can get backlogged. So hopefully as we continue, we’ll give you some pointers and hopefully that backlogging doesn’t get overwhelming, your examinations don’t get overwhelming, and you’ll feel more comfortable looking at what you want to look at in the beginning of your exam.

So faster may be sufficient, so when you look here, maybe just making a quick case, bringing in your evidence, that may be sufficient, depending on what you’re looking for. So it’s important to be familiar with the tool that you’re working with, and where artifacts can be located so that you can quickly find that information, and FTK, you know, artifacts pop right out in the Overview tab.

So if you know your tool and know, hey, I need to open this case, go to the Overview tab and take a look and see what kind of artifacts are in there, that might be all you need without having to do a ton of processing. So use your tools wisely like it says here on the slide and limit yourself to just what you need. Don’t go in there processing and picking your options, picking all of the options and then sitting back and waiting days for results, because that might be a waste of time. And we’ll talk about that.

So the biggest thing is to make sure that you can get those artifacts to become visible for you. I don’t like to go into a case fishing. I’ve had many detectives come to me and say, ‘Hey, here’s a phone image, here is an image from a computer, find the evidence.’ And I’m like, ‘Well, what’s the case?’ So it’s important to know what you’re looking for and see if you can say, ‘Hey, let’s limit this. Instead of a needle in a haystack, how about you just point to where, tell me what you’re looking for, and then I can work from that.’ So you’re not working with no idea of what you’re looking for and just fishing. You don’t want to do that.

And the other thing is I’ve caught myself in the past overlooking the tool options. So if I didn’t know what some of these options were in my processing, didn’t understand what output I would get from them, overlooking them could have harmed my case. So, like I said, use your tools wisely, know your tool. However, on the flip side of that, having too many options, using too many options, may result in artifacts or seeing files that don’t have any forensic value to you. So you need to be careful with that.

So when we say work smarter not harder, before you even begin, decide, well maybe all I need to do is just look at this image and see what it contains first. Weighing the needed artifact types versus the time it takes to process your image or your evidence may be a huge factor. You know, if we only need deleted files, maybe all we need to do is do a triage and you can still triage with this tool.

Triaging is more along the lines of let’s preview our image or our drive or the piece of evidence, the digital evidence. So don’t get afraid of the word triage – many people don’t really sometimes grasp what that means. It’s just, you know, a quick preview, let’s see what’s going on. Let’s see if it contains evidence and if it does, jot it down and then let’s process for those items that we saw in our preview, those files of interest.

So if you’re not exactly sure what you need to process, the best thing you can do is, we have processing profiles in FTK. And one of the processing profiles that a lot of people don’t look at or are not aware of is using Field Mode. All Field Mode does is it lets you bring in your evidence or make your case without processing anything other than deleted files. And you’ll still get some of the categorization of your JPEGs, your documents, your PowerPoints, whatever’s in there.

You’ll still get to see some of those files as well, without having to spend any time processing. You can always do what’s called additional analysis, which uses the same processing profiles as you would when you initially run your case, but you can do additional analysis later and you can expand those artifacts if you need them, instead of running them at the beginning and not knowing, oh, well, I didn’t need to do that, it was a waste of time, or yeah, you know what? I should have run that at the beginning of my case. Now I’ve got to go back and do it now. So you just weigh how long it’s going to take you to get to your goal and what you need to find, and see the best way of doing that.

So in triaging, in FTK, going to Field Mode. The first thing you do is, you’re in your Case and Database Manager screen, that’s the main screen that pops up when you double click on the icon for FTK, and then you’ll put in your username and password, and then you’ll be able to Create New Case. So you’ll create your new case. And then some of the things that we look at when we go to create a new case is we’ll put our information in there.

Obviously you have your owner information. The owner is the individual account that you’re logged in as. So you can’t change that unless you log out and log back in and make a new case. So whoever makes that case, you’re the owner. And then we have our Case Name, call it what you want. In this case I just made one called Triage for this example. Your reference number or reference information would just be your internal organizational numbers that you may have at the place that you work, and Description you can put in there whatever you want, whatever’s relevant to your case.

You’re doing a triage of a specific image. You can always make another case later. You can always add image information to a case. You can add more images to a case. So you have some options there. But obviously I just put Case Name as Triage for this example, but you would put your case name and you could also put in the description, you know, initials, a triage and then go on from there.

You can add a description file, which is like maybe a Word document, a PDF. I used to get search warrants before I did examinations, so I would include the search warrant in my description file. And then some people may get an email saying, ‘Hey, I need you to do an exam or pull some data.’ So you can attach that as well in your description file. And then obviously you have your case directory and the location where your cases are stored.

But what I want to bring to your attention here is that these processing profiles here on the left and you’ll see Field Mode is greyed, which means I have that set as my default and it’s chosen. And then you’ll see down at the bottom there, the Profile is Field Mode. And if you look to the right in my Field Mode options, you’ll see tons of Evidence Processing options.

We have Refinement options as well, and FTK also does have some ability to do some eDiscovery Processing options, which include more email related and deduplication. So if you’re into that, that’s what those are for. However, if you look here at all these processing options, you’re going to see, you know, there are a lot of things.

And then if you take a look – let me see if I can make a little pointer here. Okay. So if you take a look here, we have several of these options that have like a little clock next to them on the far left of the checkmark box. Now those indicate, hey, it’s going to take a lot longer to process for this information. It’s going to do a deeper dive, you know, like data carving. You’re going to look in some unallocated space and some free space for that information.

So it could take some time – your optical character recognition, your OCR, you know, you’re going to look at pictures and look at the text and pictures, and then it’s going to index that. So that could take a little bit longer. However, in Field Mode, if you haven’t used it, I suggest trying it out because I’ll tell you what, I didn’t use it as a detective because I really didn’t understand it when I first got into using the products.

However, all you see here is we’ve got Include Deleted Files, and then we hit OK, and then we run it. But before we get into Field Mode, I’ll show you a before and after, using all of the options compared to just Field Mode, and you’ll see a huge difference here. But I do want to talk a little bit about some other options here as well. We also have Expand Compound Files, and there are expansion options in that as well. Let me see if I can get out of there.

Okay. So these expansion options will give you artifacts in your Overview tab. If you’re familiar with our product, we have tabs at the top of FTK – they run across the top, under the toolbar. And the first one by default is Explore. Those tabs can be moved around, so they’re not set in stone.

However, the output for these files, these expansion options, will be output in your Overview tab. So they’ll be categorized. For instance, you see up here, we have event logs. So those will be listed as files that are Windows system files, you know, your registry information. You’ll see these compound files are nothing more than container files. So files that have files inside them, like your ZIP files, your Microsoft Office documents, which have XML documents compressed inside of them.

So if you’re looking for specific outputs, here is where you would come to expand these outputs and then say, okay, well, all I really want is SQLite databases. I’m working a phone case; phones put all of their data in SQLite databases. So let me just export those or expand those. Or maybe I’m just doing an email case. Maybe we have an employee that’s clicking on ransomware all the time or malware, or getting viruses into the system, and we need to go through their email, so we can click on expanding PST, OST files, your Exchange documents, those types of files.

So you can wire down. If I’m doing an internet investigation, maybe all I care about is expanding Firefox and Chrome and Edge, and all of those are separated, and then those would populate as well in the Overview tab, but also in our Internet tab or Mobile tab, depending on what you’re expanding. So you’re going to get nice, clean outputs of some of these files.

So bad idea to click Select All and run it if we don’t know what we’re looking for, because it’s going to take some time, as we saw in that previous slide. It’s got the little clock next to it, it’s going to take some time. So I would refrain from selecting all, hit OK and then go onto the next option, because it’s going to take time. And what we want to do is we want to optimize your time, right? So that you’re not wasting time sitting here watching FTK process. That’s the last thing you want to do.

So let’s look at what’s needed, like I said before and what you have to process. So here are some ideas, I just threw this together, but what kind of things do we need to process and what kind of cases are we working? Are we doing an insider threat? And I already kind of talked a little bit about that already, these different types, but maybe all I need is event logs and some registry files and some email, or fraud, for instance, where all we care about is getting emails and documents and spreadsheets.

So you can break down the type of case that you’re working and make custom profiles based off of the type of case you’re working, which might be a little easier. Instead of using forensic processing as your option for your profiles, maybe we will make one called Internet Activity, one called Malware Analysis, one called Child Exploitation, one called Fraud Theft.

So that once you make a case, or you make a profile for a case that you know that works, and you do those repetitively, you can save time by creating that profile, saving that profile, and then you can export it and keep it safe. And then it’ll always be there. You can set it up to be your default processing profile and then use it all the time if that’s the type of cases you normally work.

So I would change those, what you saw were those easy buttons where it said Field Mode, it was greyed. Those easy buttons can be changed. It’s all customizable. So you can change it to whatever you see here on the screen, change one to Email Investigations or Email Processing, or Child Exploitation Processing, or Malware Analysis. You make your own buttons that have those custom names to it. And you completely streamline your options because you already know what you’re looking for and the output that you’re going to get. So you’ll test it, see if that’s what you get and that gives you what you need. And then you save that profile and use it next time.

So if you take a look at this real quick, I ran this the other day. What I did was, I can’t remember off the top of my head the size of the image without closing this slideshow, so I don’t want to do that. But I took an image – I want to say it was like one gig, I believe – and all I did was make a case. So on the left, we’re looking at Field Mode right now. I made a case, threw this one gig image in there, chose Field Mode, opened the case, added my evidence and hit OK and ran it. And it opened up within, well, you see I started it at 11:01 and it finished at 11:02. So in less than a minute, probably what, 13, 14 seconds, I had results.

And when I went to my Overview tab, here’s what it gave me. It processed and identified file extensions, it identified some files and put them in categories. Now it’s limited of course, right? Because it’s Field Mode and it’s not processing the evidence other than putting it in order for me. But it gave me some information. It told me I had some PST files in there. It told me that I had some graphics and folders, some videos. It got me some of my registry files. So there are artifacts here that it can get you just by bringing in Field Mode. And then that way you can look at what you want, and then see if there’s more that you need.

Now that got me in the case, it got me into the evidence. And then I can still go through my Explore tab, just like I would in Windows Explorer, and expand through the directory structure, look at these folders, look at the files. You still have your File Content window that can show you what the files look like. There’s a viewer in there for pictures and there’s a player in there for videos, and you can actually go through it kind of like you would with Imager, but obviously we have more horsepower here in FTK.

Now if we take our attention over to the All Options, on the right side of the screen, now I clicked on all of the processing options and it took well over an hour or so for this one gig image, or maybe a little more. And then look at the artifacts that it expanded. So this is a small one gig file or image, but it gave us a ton more categories, a ton of extensions, but maybe there’s a ton of stuff that I don’t need. Do I really need 800,000 OS file system files? Do I need every single little reference to the registry, any registry changes or updates? Maybe that’s not relevant to me. And I could have saved a lot more time by not processing those OS files.

Maybe I wasn’t working a case that involved graphics or presentations or documents so those might have not been relevant. And I could have saved time by just doing Field Mode and then doing additional analysis and say, okay, you know what? This is a graphics heavy case. This is the type of case I need. I’m just going to do additional analysis and I’m going to make thumbnails for graphics.

So you have options to limit what you’re doing in the beginning, and then we can run it later and save ourselves an hour. In this case, it’s only an hour. However, we all know in real life, if I were to have run a terabyte hard drive, it could have been a day or more trying to process every single object in a terabyte image.

So if you do the math, if that was a one gig image and it takes an hour, just do the math, I’m not the math guy, but you can see how it could take quite a while. So use that Field Mode, get in the habit of using it, make some profiles, pick the options that you want, and then use those to optimize how long it’s going to take for you to use them in the future. So you’re thinking about not just the current case you’re working, but the next one too.

So we have some default processing options that you can choose. I already talked about that, like you saw the Forensic Processing and you saw the Field Mode. You can also build off of those two as well. So if you bring up like we did in Field Mode, let me go to the next one, because it has a picture again. We can open up Field Mode and you can come to just this screen here, this Evidence Processing screen like we had up before. And we can just, maybe we want to add a tick here or there, or a checkmark here or there, just to add one more piece of processing, or maybe I wanted to click on Expand Compound Files and just do event logs, because I wanted to see who was remotely logging in, so I was going to look for those artifacts later.

And then, all you have to do is click Save As, and then we can give it a name and then we could call it whatever, maybe it was Remote Logins, and then we can give it a description and we can save it. So you don’t have to build from scratch. You can also build from a previous profile that’s already made for you. And we have quite a few in there that are, I think there’s eight altogether that come default with the product, maybe more depending on the product that you have, like Enterprise and such, but you can build off of those so you’re not limited to trying to figure it out for yourself. You can build off of a previous profile.

But if you’re going to make a new profile or adjust any of the profiles in your Case and Database Manager screen that we’re used to, just go up to Manage and Evidence Processing Profiles. That’s going to pop up the Manage Evidence Processing Profile window, as you see here in this area. And as you can see, these are the ones that are already created for you default, except for the 101 – I made that. And then we can create a new profile by clicking New Profile and then picking our items, or we can build off of a previous one.

We can also, don’t forget, we have the ability to export and import these too. So if Holli’s working a case and I’m working a case and she says, ‘Hey Dan, I’m working a case where I need to… it’s a graphics heavy case for child exploitation. Do you have a processing profile already set up good for that?’ I’ll be like, ‘yeah, here.’ It’s a small XML document, and then I can just ship it to her. I don’t see the XML document. Must’ve come off the side there, but let me look here. I got it in the next slide.

So if you export this, it’ll make it an XML file. If you open up the XML file in Document Viewer, most of our outputs or exports and imports use an XML format. So at the top of our XML document, you can immediately see what kind of XML document it is once you open it up. It’s going to tell you, is it a Carver? Is it a filter? Is it a column set? Or is it a profile? So obviously in this example, this is a processing profile. And so we know this is the name, and this is the name that we gave it when we created it. And then it has all of the options that you’re going to process for. Obviously you saw in this one, I’m processing a lot of those expanded options, and I have some indexing options and it just keeps going down. So it’ll show you those options in that XML file if you’re interested in looking at them.

You can also import this and then open it up, and then look at those processing options and they will be checkmarked, and you’ll see what’s chosen and what’s not chosen. So use those wisely. Don’t go heavy at first, save yourself tons of time by sharing, exporting and importing these, or at least creating them for your own use if you don’t do the exporting and importing, make these options. As you see on the screen here, we have a green checkmark. That just means that it’s my default processing option.

And you have some other options. When you assign a button, that is those easy buttons that we saw when we went create new case, and you saw those show up, so you can assign those buttons. We can lock them so we don’t inadvertently delete them. And then when you click on one, the Delete would be greyed out because it’s either locked, it’s default, or there’s a button assigned to it. But yeah, get in the habit of using these and using only the things that you need.

So there’s other things that we can do other than just our processing profiles to locate artifacts in a hurry. Use the interface. So we have column sets and we’ll look at those next, but we have column sets new to 7.4 and it keeps getting better. But I think new to 7.4 is when we just came out with our new column sets. They’re very detailed. They have a lot of information. It’s located from the properties of specific files that’ll show you that information that you’re looking for that’s more relevant in the file list.

So you don’t have to change the column sets. They’ll automatically switch for you depending on the type of files you’re looking for. So we’ll look at column sets. We have keyboard shortcuts, type-downs, I’ll talk about those here in a little bit, and then using those Property tabs or the File Content tabs in there to view evidence or information about your evidence will help you find what you’re looking for quicker. So let’s go on to the next slide here.

So column sets, this is what our new column sets look like. As you see, we have a Graphics column set; that’s what’s chosen here, and I clicked on Graphics, I think in the Overview tab, when I took these screenshots. And as you can see now, this column information will give you more relevant information about the specific file. So now, instead of having Normal up here, we have a Graphics column set, and it’s going to give you the category, a capture date, the make, the model. And if it has GPS locations, it’s going to give you longitude, latitude, right there in your column set. So you don’t have to go searching around for it, it’s going to be right there.

So our new column sets are very helpful. They give us way more information than they did in the past, and you can streamline what you’re looking for a lot easier. And you can sort by these as well. So if I wanted to sort by the model type of the iPhone, I can do that and then scroll down and look and see, okay, where’s the iPhone 10 this guy said he took pictures with, and we can scroll down and look at that.

So you also have automatic switching. There’s a little icon now next to the columns dropdown. And then when you click on a relevant file, if there’s a relevant or associated column set to that specific file, then bam, it automatically switched for you, or you can turn that on and off as your preference.

But as you can see, now one other thing, just to give you some information, if you make your own column sets, you can create your own custom column sets, yours will be under this new User Defined location. So if you try to find it and you’re like, oh, where did that go? All of your user ones and the ones that you created custom are going to be under that User Defined now so just be aware of that, because you might be looking for that in the future.

One thing I want to talk about, and I show this in every one of my classes. I don’t care if it’s an advanced class or not, but it’s important to let you know, stop scrolling with your mouse in the file list. If you have a million files in the file list, because you have your evidence quick picked, so everything will list in there, you’re going to take a long time scrolling to try to find something. Maybe I know that there’s a document and it’s called headquarters.docx or something. There is no need to scroll all the way down to the H’s to try to find this file. There are way quicker ways of doing it.

Regarding our shortcut keys, you could sort by your column set, like I just talked about. And say we wanted to select a list in consecutive order of specific files. You can hold down the shift key, click at the top, click at the bottom, and it’ll highlight everything in between. Instead of using our shift key, you can use the control key on your keyboard and you can choose random files that you want to select. And the biggest thing about this, whether you did it with the shift key or you did it with the control key on your keyboard, all you have to do is hit the space bar either way and it will select or checkmark those files. And then you can uncheck them as well by hitting your space bar again. So that works.

Now, right before I talked about using the keyboard shortcuts, I told you don’t scroll, right? So if we highlight, as you see in this Sort By column, I have one thing highlighted. What I did was, you sort by column first, and then once you have everything in alphabetical order, either going from top down, bottom up, it doesn’t matter. Then as you have a file highlighted in the file list, all you got to do on your keyboard is start typing as fast as you can, as much of the information of the file name as possible.

So if I was looking for ‘headquarters’, I could type the word head – H E A D – or, if I’m fast enough, I can do the whole word, and it’s going to take me right to that location in that file list. So no need to scroll. If I was looking for a file that started with the word ‘spring’, I can type S P R I N G, and it’s going to go right to that location in the file list without having to spend days scrolling with my mouse. So try to use those options, they’re there for a reason, they work. And if I can type out the word ‘headquarters’ as fast as possible on my keyboard, I might be able to beat it before it starts looking for it, but it’s going to take it to at least a better starting point if it doesn’t take you right to it. Maybe if I were to look for the word ‘headquarters’, I typed ‘head’, you see I got ‘headset logo’ and I had to scroll a little bit more, but you get the idea, it goes a little quicker and it gives you the ability to go through your data a lot faster.

And then I also want, real quick, don’t forget about your Properties pane here in your File Content window. This is a JPEG with Exif data. You’re going to find a ton of this information in your Properties pane so don’t forget about looking in the Properties pane. Again, you’ll get a lot of this in those new column sets, but you’re going to get it all in the Properties tab.

And then, as I’m wrapping up here, I wanted to bring up the fact that you can run all of these options as Additional Analysis. All you got to do is when you’re in your case – so now we’re outside away from our case in the Database Manager screen. Now we’re in our case, we click on Evidence, Additional Analysis. When Additional Analysis pops up, you have this window with three tabs and these are the three tabs we see here. And all of these options in here should be familiar to you from the beginning of this webinar, because I talked about them in the processing options when we were making our profiles. So if you look here, you’re going to see it broken down into Hashing, Job Options, Indexing Tools, and then we have Miscellaneous.

So let’s say I already made my case, I already have my piece of evidence in there from Field Mode. I go to Evidence, Additional Analysis, and maybe I want to do an Expand Compound Image Files or Compound Files. And I want to open up and expand one of those options in there, maybe zip files or a PST file for email. We’ll choose that expansion option. The biggest thing to remember about Additional Analysis however, is that when you choose your option, look at your target information. Make sure your target items are exactly how you want them. Do you want to apply one of these additional analyses to an entire piece of evidence, or more than one piece of evidence? Or do you want to break it down into highlighted items or checkmarked or listed items that are in your file list? That will also speed things up.

If you’re going to do OCR, maybe you just want to OCR JPEGs or just PDFs, wire it down to just those JPEGs or just those PDFs, checkmark them, and then apply your OCR and then use it against your checked items only, and then hit OK. You’re going to save yourself a ton of time by making your target items smaller, because we’re going to expect, okay, if I’m looking for something in a Word document, I want to expand embedded items in Word documents, then let’s just checkmark our Microsoft Office Word documents, and then apply the additional analysis to those specific files.

So that could be to anything. So just remember, try to wire down, and that would make things a lot quicker for you too. And you’ll be happier with your case. You’ll be happier with the product and then you’ll get exactly what you want in a timely manner instead of just choosing everything.

So some of my final thoughts, I know I already talked about everything as fast as I could try to fit it all in. Hopefully I didn’t go too fast, but the biggest thing — plan before you process, don’t just process and then say, okay, now I got to figure out what I’m looking for. Figure out what you’re expected to look for. Obviously later on after your case is done, you may want to do more options to try to dig deeper, look for other things. That’s fine. Are you going to carve at the beginning of your case? Maybe not, maybe it’s probably not needed. A lot of times that evidence is sticking right out there, like a sore thumb, grab what you can immediately.

Determine if you need to triage it or you just need to process it. Maybe, now that we made a processing profile and we decided, okay, it’s going to be a fraud case. I know what I need to process, I’m going to use that option and just run it. Or do I need to triage it and see what’s in there first, and maybe I’ll look at that. So choose those options wisely, weigh those options of how long it takes with how much time you have. Make those custom profiles so that you can get it right now, get it figured out, and then in the future, your cases will go a lot quicker if there’s similar type cases and you’re going to process those same type of artifacts.

Don’t forget to use the interface to go through and locate those files in the file list. Use those keyboard shortcuts, use those shift and control keys. Don’t forget to click on the Properties tab and try to find the information that you’re looking for in those Properties tabs. Even if it’s not a file with Exif data, that information will still possibly be relevant to you if you look in the properties of those files. And then if you need to, just analyze as you go. Maybe you’ll start digging around and you’ll find something, maybe then I’ll go back and we’ll do OCR, or we’ll expand something else that we didn’t previously. So you can expand as you go by using Additional Analysis.

So hopefully I didn’t overwhelm you. Hopefully I didn’t talk way too fast, but there was a lot of information I wanted to go over with you and share with you. I think it’s important. It gives you an upper hand if you end up taking our classes in the future, or just to make your job a little easier. It would have been nice for me to know this information when I was a customer of AccessData. So now you have the upper hand, hopefully you can take these back to the office and change your way of thinking and how you’re going to approach your cases in the future. So I appreciate the opportunity of being with you, and I think I’ll be back at the end for the last one in reporting. So thank you for attending and Holli, I think that’s it unless you have some questions from the audience.

Holli: That was excellent. Dan, thank you so much. I think you went into everything so well, we have no questions.

Dan: Nice!

Holli: So if you could… yeah. I’m just going to click through to the last slide, or if you could?

Dan: Yeah, I’ll do that real quick.

Holli: Oh okay, actually one just came in. So real quick, I just want to let you know, if you do have questions, both of our emails are there, please get hold of us. A question that came in: So would you say that time management is the most important thing while dealing with workflow and searching through the application?

Dan: Time management is more important to your supervision than it is to you, right? So if somebody is paying you to do the job, they’re going to want you to do it in a timely manner, but you don’t want to go so fast that you’re going to overlook things, right? So I would come up with a plan of what you’re looking for, what you want to expect to see, and then work from there. So that’s the best way to be proficient, fast, and thorough at the same time.

Holli: Awesome. All right, we have no other questions. So just a reminder, this webcast was recorded and will be posted along with a copy of the slides to Exterro’s website. We’ll also be sending you a link to these materials later today, over email. Once I close the webinar, there will be a brief survey at the end, asking how we did and what topics you’d like to see in the future. And that’s it, that concludes our webcast. Thank you everyone, and have a great day.