2012-09-18

AccessData FTK2 User Guide

AccessData Forensic Toolkit 2.2

LEGAL INFORMATION
AccessData Corp. makes no representations or warranties with respect to the contents
or use of this documentation, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. Further, AccessData
Corp. reserves the right to revise this publication and to make changes to its content, at
any time, without obligation to notify any person or entity of such revisions or changes.
Further, AccessData Corp. makes no representations or warranties with respect to any
software, and specifically disclaims any express or implied warranties of merchantability
or fitness for any particular purpose. Further, AccessData Corp. reserves the right to
make changes to any and all parts of AccessData software, at any time, without any
obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or
regulations including, without limitation, U.S. export regulations or the laws of the
country in which you reside.
© 2008 AccessData Corp. All rights reserved. No part of this publication may be
reproduced, photocopied, stored on a retrieval system, or transmitted without the
express written consent of the publisher.
AccessData Corp.
384 South 400 West
Suite 200
Lindon, Utah 84042
U.S.A.
www.accessdata.com


ACCESSDATA TRADEMARKS
AccessData® is a registered trademark of AccessData Corp.
Distributed Network Attack® is a registered trademark of AccessData Corp.
DNA® is a registered trademark of AccessData Corp.
Forensic Toolkit® is a registered trademark of AccessData Corp.
FTK® is a registered trademark of AccessData Corp.
Password Recovery Toolkit® is a registered trademark of AccessData Corp.
PRTK® is a registered trademark of AccessData Corp.
Registry Viewer® is a registered trademark of AccessData Corp.

DOCUMENTATION CONVENTIONS
In AccessData documentation, a greater-than symbol (>) is used to separate actions
within a step. Where an entry must be typed in using the keyboard, the variable data is
set apart using [variable_data] format.
A trademark symbol (®, ™, etc.) denotes an AccessData trademark. All third-party
trademarks and copyrights are the property of the trademark and copyright holders.
AccessData claims no responsibility for the function or performance of third-party
items.
We value all feedback from our customers. For technical and customer support issues,
please email us at support@accessdata.com. For documentation issues, please email
us at documentation@accessdata.com.

REGISTRATION
The AccessData product registration is tracked by the USB security device included
with your purchase, and is managed by AccessData.

SUBSCRIPTIONS
AccessData provides an annual licensing subscription with all new product purchases.
The subscription allows you to download and install the latest product releases for your
licensed products. Following the initial licensing period, a subscription renewal is
required for updating your products. You can renew your subscriptions through your
AccessData Sales Representative.
Use LicenseManager to view your current registration information, to check for
product updates and to download the latest product versions, where they are available
for download. You can also visit our website, www.accessdata.com anytime to find the
latest releases of our products.
For more information, see Managing Licenses in your product manual or on the
AccessData website.

ACCESSDATA CONTACT INFORMATION
MAILING ADDRESS AND GENERAL PHONE NUMBERS
You can contact AccessData in the following ways:
TABLE FrontMatter-1 Mailing Address, Hours, and Department Phone Numbers
Corporate Headquarters

AccessData Corp.
384 South 400 West
Suite 200
Lindon, UT 84042 USA
Voice: 801.377.5410
Fax: 801-377-5426

General Corporate Hours:

Monday through Friday, 8:00 AM – 5:00 PM (MST)
AccessData is closed on US Federal Holidays

State and Local
Law Enforcement Sales

Voice: 800.574.5199, option 1
Fax: 801.765.4370
Email: Sales@AccessData.com

Federal Sales

Voice: 800.574.5199, option 2
Fax: 801.765.4370
Email: Sales@AccessData.com

Corporate Sales

Voice: 801.377.5410, option 3
Fax: 801.765.4370
Email: Sales@AccessData.com

Training

Voice: 801.377.5410, option 6
Fax: 801-765-4370
Email: Training@AccessData.com

Accounting

Voice: 801.377.5410, option 4

TECHNICAL SUPPORT
You can contact AccessData Customer and Technical Support in the following ways:
TABLE FrontMatter-2 AccessData Customer & Technical Support Contact Information
Customer Service Hours:

Monday through Friday, 7:00 AM – 6:00 PM (MST)

Customer/Technical Support
Free technical support is available
on all AccessData products.

Voice: 801.377.5410, option 5
Voice: 800-658-5199 (Toll-free North America)
Email: Support@AccessData.com
Website: http://www.AccessData.com/Support

The Support website allows access to Discussion Forums, Downloads, Previous Releases,
our Knowledgebase, a way to submit and track your “trouble tickets”, and in-depth contact
information.
Note: All support inquiries are typically answered within one business day. If there is an urgent need for
support, contact AccessData via phone during normal business hours.

DOCUMENTATION
Please e-mail any typos, inaccuracies, or other problems you find with the
documentation to:
documentation@accessdata.com


Table of Contents

AccessData Forensic Toolkit 2.2...................................................................................................i
Legal Information............................................................................................................i
AccessData Trademarks...................................................................................ii
Documentation Conventions............................................................................................ii
Registration ....................................................................................................................ii
AccessData Contact Information ...................................................................................iii
Mailing Address and General Phone Numbers................................................iii
Technical Support ............................................................................................ iv
Documentation................................................................................................. iv
Table of Contents ......................................................................................................................... v
Chapter 1 Introduction................................................................................................................1
Introduction to AccessData Forensic Toolkit...................................................................1
Audience ........................................................................................................................1
Handling Evidence .........................................................................................................2
Other AccessData Products ............................................................................................3
License Management.......................................................................................................3
LicenseManager................................................................................................3
CodeMeter Runtime..........................................................................................3
AccessData Forensic Products.........................................................................................4


FTK Imager .....................................................................................................4
AccessData Language Selector ..........................................................................5
AccessData Forensic Toolkit.............................................................................5
AccessData Enterprise .....................................................................................5
AccessData eDiscovery .....................................................................................5
Lab ..................................................................................................................6
SilentRunner ....................................................................................................6
Registry Viewer ................................................................................................7
Mobile Phone Examiner...................................................................................7
Steganography Plug-in .......................................................................................7
File Decryption and Password Discovery.........................................................................8
PRTK and DNA ............................................................................................8
Features Overview.............................................................................................9
PRTK / DNA Add-Ons ...............................................................................9
License Management.................................................................................................... 11
LicenseManager............................................................................................. 11
CodeMeter Runtime....................................................................................... 12
Chapter 2 Installation and Upgrade......................................................................................... 13
Installation Options..................................................................................................... 13
Installation Configuration Options............................................................................... 14
System Overview.......................................................................................................... 15
Estimating hard disk space requirements ..................................................................... 15
Installation .................................................................................................................. 16
Install CodeMeter .......................................................................................... 17
Install Oracle................................................................................................. 18
Single Computer Installation........................................................................................ 25
Install FTK................................................................................................... 25
Install the KFF Library.............................................................................................. 29
Installing on Separate Computers................................................................................. 30
Additional Programs ................................................................................................... 31
Install Language Selector................................................................................ 32
Upgrading to FTK 2.2................................................................................................ 35

vi

AccessData FTK 2.2 User Guide

Chapter 3 Concepts.................................................................................................................. 37
Regarding the CodeMeter Stick.................................................................................... 37
Basic Workflow ........................................................................................................... 37
Acquiring and Preserving the Evidence........................................................... 38
Create a Case ................................................................................................ 38
Add Evidence................................................................................................ 39
Work the Case ................................................................................................. 39
Generate Reports ........................................................................................... 40
Moving Forward .......................................................................................................... 40
Starting FTK ................................................................................................ 40
Setting Up the Application Administrator ..................................................... 40
Using the Case Management Window............................................................ 41
Chapter 4 Starting a New FTK 2.2 Case ....................................................................... 45
Launch FTK 2.2 ........................................................................................................ 45
Creating a Case........................................................................................................... 48
Selecting Evidence Processing Options............................................................. 50
Fuzzy Hashing.............................................................................................. 53
Comparing Files Using Fuzzy Hashing......................................................... 57
Viewing Fuzzy Hash Results........................................................................ 57
Selecting dtSearch Text Indexing Options....................................................... 58
Selecting Data Carving Options..................................................................... 60
Indexing a Case............................................................................................. 61
Selecting Evidence Discovery Options ............................................................. 61
Selecting Evidence Refinement (Advanced) Options ........................................ 63
Selecting Index Refinement (Advanced) Options ............................................. 66
Creating the Case .......................................................................................... 69
Adding Evidence to a New Case.................................................................... 70
Processing Evidence........................................................................................ 72
The FTK User Interface ................................................................................ 74
Viewing Processed Items ................................................................................ 74

Table of Contents

vii

Backing Up the Case................................................................................................... 74
Restoring a Case.......................................................................................................... 75
Deleting a Case ........................................................................................................... 75
Storing Case Files........................................................................................................ 75
Chapter 5 Adding and Processing Evidence............................................................................... 77
Opening an Existing Case........................................................................................... 77
Adding Evidence ......................................................................................................... 77
Selecting a Language.................................................................................................... 80
Additional Analysis.................................................................................................... 81
Data Carving.............................................................................................................. 83
Data Carving Files When Processing a New Case......................................... 84
Data Carving Files in an Existing Case ....................................................... 84
The FTK User Interface .............................................................................................. 85
Menu Bar...................................................................................................... 85
Export File List Info .................................................................................... 86
Exporting Files ............................................................................................. 88
Exporting To Image ...................................................................................... 89
Exporting the Word List............................................................................... 91
Toolbar Components .................................................................................... 100
File List Pane.............................................................................................. 102
Using Tabs................................................................................................................ 104
Chapter 6 Using Tabs to Explore & Refine Evidence ........................................................... 105
Explore Tab................................................................................................ 105
Viewer Pane ................................................................................................ 107
File Content Tab ......................................................................................... 113
Overview Tab .............................................................................................. 119
Email Tab .................................................................................................. 124
Graphics Tab .............................................................................................. 125
The Bookmarks Tab ................................................................................................. 127
Creating a Bookmark.................................................................................. 129
Viewing Bookmark Information.................................................................. 131

viii

AccessData FTK 2.2 User Guide

Adding to an Existing Bookmark............................................................... 134
Creating Email or Email Attachment Bookmarks ...................................... 135
Moving a Bookmark ................................................................................... 139
Deleting a Bookmark .................................................................................. 139
Deleting Files from a Bookmark.................................................................. 140
Search Tabs................................................................................................. 140
Creating Tabs.............................................................................................. 142
Chapter 7 Searching a Case ................................................................................................... 143
Conducting a Live Search .......................................................................................... 143
Customizing the Live Search Tab ................................................................ 146
Conducting a Pattern Search...................................................................................... 146
Simple Pattern Searches ............................................................................... 147
Complex Pattern Searches............................................................................ 147
Predefined Regular Expressions ................................................................... 149
Creating Custom Regular Expressions......................................................... 153
Conducting Hex Searches ............................................................................ 155
Conducting Text Searches ............................................................................ 156
Conducting an Index Search ...................................................................................... 157
Search Terms ............................................................................................... 160
Search Criteria ............................................................................................ 160
Documenting Search Results ...................................................................................... 164
Using Copy Special to Document Search Results .......................................... 164
Bookmarking Search Results ....................................................................... 166
Chapter 8 Using Filters ......................................................................................................... 167
The Filter Toolbar..................................................................................................... 167
Applying an Existing Filter ...................................................................................... 168
Creating a Filter........................................................................................................ 170
Refining a Filter .......................................................................................... 171
Deleting a Filter ........................................................................................................ 172
Using the Known File Filter ...................................................................................... 172
Understanding KFF Hashes........................................................................ 172

Importing KFF Hashes ............................................................................... 173
Exporting KFF Hashes .............................................................................. 174
Understanding the KFF Database ............................................................... 175
Storing Hashes in the KFF Database.......................................................... 175
Creating Sets and Groups............................................................................ 177
Chapter 9 Decrypting Encrypted Files ................................................................................... 179
Decrypting Files and Folders...................................................................................... 179
Decrypting Windows EFS Files.................................................................. 181
Viewing Decrypted Files............................................................................................ 181
Decrypting Domain Account EFS Files.................................................................... 183
Decrypting Credant Files........................................................................................... 185
Using an Offline Key Bundle ....................................................................... 185
Using an Online Key Bundle........................................................................ 186
Decrypting Safeguard Utimaco Files .......................................................................... 188
Decrypting SafeBoot Files ............................................................................ 189
Chapter 10 Working with Reports ......................................................................................... 191
Creating a Report...................................................................................................... 191
Saving Settings............................................................................................. 192
Entering Basic Case Information ................................................................. 193
Including Bookmarks................................................................................... 195
Including Graphics....................................................................................... 197
Selecting a File Path List............................................................................. 199
Selecting a File Properties List ..................................................................... 200
Registry Selections ........................................................................................ 201
Running the report..................................................................................................... 202
Selecting the Report Location ....................................................................... 202
Creating the Report...................................................................................... 203
Viewing a Report ...................................................................................................... 204
International Date and Time Stamp Issue ................................................... 205
Modifying a Report.................................................................................................... 206
Printing a Report....................................................................................................... 206

x

AccessData FTK 2.2 User Guide

Chapter 11 Customizing the Interface .................................................................................... 207
Customizing Overview ............................................................................................... 207
Using the View Menu to Customize the FTK Interface ............................................. 208
Customizing the Tab Views......................................................................... 209
Using the Tab Layout Menu........................................................................ 210
Moving View Panes..................................................................................... 210
Creating Custom Tabs ................................................................................. 213
Customizing File List Columns................................................................................. 213
Creating and Modifying Column Settings ..................................................... 214
Available Columns ...................................................................................... 215
Appendix A File Systems and Drive Image Formats............................................................ 227
File Systems .............................................................................................................. 228
Hard Disk Image Formats........................................................................................ 228
CD and DVD Image Formats ................................................................................. 228
Appendix B Recovering Deleted Material............................................................................... 229
FAT 12, 16, and 32 ............................................................................................... 229
NTFS ...................................................................................................................... 230
ext2 .......................................................................................................................... 230
ext3 .......................................................................................................................... 230
HFS ......................................................................................................................... 230
Appendix C Program Files .................................................................................................. 231
Files and Folders for the Application ......................................................................... 231
Files and Folders for the Database............................................................................. 232
Changing Registry Options ........................................................................................ 232
Changing the Logging Registry Options........................................................ 232
Appendix D Gathering Windows Registry Evidence.............................................................. 235
Understanding the Windows Registry ........................................................................ 235

Table of Contents

xi

Windows 9x Registry Files.......................................................................... 236
Windows NT and Windows 2000 Registry Files........................................ 237
Windows XP Registry Files ........................................................................ 238
Possible Data Types..................................................................................... 240
Additional Considerations ........................................................................... 241
Registry Quick Find Chart ...................................................................................... 242
System Information ...................................................................................... 243
Networking ................................................................................................. 244
User Data ................................................................................................... 244
User Application Data................................................................................ 245
Appendix E Troubleshooting ................................................................................................. 247
Finding Answers ....................................................................................................... 247
Troubleshooting Tables............................................................................................... 248
Diagnostics Tools....................................................................................................... 249
Database Diagnostics................................................................................... 249
Uninstalling FTK 2.2 and The Oracle Database ...................................................... 253
Automated Uninstall................................................................................... 253
Appendix F Managing Security Devices and Licenses ............................................................ 255
NLS Support ........................................................................................................... 255
Installing and Managing Security Devices .................................................................. 255
Installing the Security Device........................................................................ 255
Installing LicenseManager ......................................................................................... 264
Managing Licenses with LicenseManager................................................................... 267
Starting LicenseManager ............................................................................. 269
The LicenseManager Interface ...................................................................... 270
Opening and Saving Dongle Packet Files ................................................................... 275
Adding and Removing Product Licenses..................................................................... 276
Adding and Removing Product Licenses Remotely ........................................ 278
Updating Products ....................................................................................... 281
AccessData Glossary .............................................................................................................. 283

xii

AccessData FTK 2.2 User Guide

Chapter 1 Introduction

This chapter provides an introduction to AccessData® (AD) Forensic Toolkit (FTK®)
and information that you need to implement this powerful software in your enterprise.

INTRODUCTION TO ACCESSDATA FORENSIC TOOLKIT
AccessData Forensic Toolkit is recognized around the world as the standard in
computer forensic investigation technology. This court-validated platform delivers
cutting-edge analysis, decryption and password cracking all within an intuitive,
customizable and user-friendly interface. In addition, with FTK you have the option of
utilizing a back-end database to handle large data sets. You get the benefit of best-of-breed
technologies that can be expanded to meet your ever-changing needs. Known for
its intuitive functionality, email analysis, customizable data views and stability, FTK is
the smart choice for stand-alone forensic investigations.
For more information about FTK, or any other AccessData product, see the
AccessData website at www.accessdata.com.

AUDIENCE
AccessData Forensic Toolkit (FTK) is intended for law enforcement officials and
corporate security and IT professionals who need to access and evaluate the evidentiary
value of files, folders, and computers.


In addition, law enforcement and corporate security professionals should possess the
following competencies:

• Basic knowledge of and training in forensic policies and procedures
• Familiarity with the fundamentals of collecting digital evidence and ensuring the
legal validity of the evidence

• Understanding of forensic images and how to acquire forensically sound images
• Experience with case studies and reports

HANDLING EVIDENCE
Law enforcement officials using FTK and related tools to gather evidence need to
understand the basics of computer forensics. Computer forensics involves the
acquisition, preservation, analysis, and presentation of computer evidence. This type of
evidence is fragile and can easily, even inadvertently, be altered, destroyed, or rendered
inadmissible as evidence. Computer evidence must be properly obtained, preserved,
and analyzed to be accepted as reliable and valid in a court of law.
To preserve the integrity of case evidence, forensic investigators do not work on the
original files themselves. Instead, they create an exact replica of the files and work on
this image to ensure that the original files remain intact.
To verify that the files they are working on have not been altered, investigators can
compare a hash of the original files at the time they were seized with a hash of the
imaged files used in the investigation. Hashing provides mathematical validation that a
forensic image exactly matches the contents of the original computer, drive, partition,
or file.
Another important legal element in computer forensics is the continuity, or chain of
custody, of computer evidence. The chain of custody deals with all who have possessed,
supervised, acquired, analyzed, and otherwise controlled the evidence. Forensic
investigators must be able to account for all that has happened to the evidence between
its point of acquisition or seizure and its eventual appearance in court.
There are many cases in which personnel trained in information technology have
rendered incriminating computer evidence legally inadmissible because of reckless or
ill-conceived examinations. Only properly trained computer forensics specialists should
obtain and examine computer evidence.


OTHER ACCESSDATA PRODUCTS
AccessData has developed other industry-leading products to assist in forensic analysis
and password recovery. The following sections offer a brief introduction to these
products. For more information on any of these products, please visit our website,
www.accessdata.com.

LICENSE MANAGEMENT
The following products aid in the management of your AccessData product licenses
and license security devices. For more detailed information regarding licenses,
LicenseManager, and license security devices, see “Appendix F Managing Security
Devices and Licenses” on page 255.

LICENSEMANAGER
AccessData LicenseManager lets you manage product and license subscriptions stored
on your Wibu CodeMeter CmStick or Keylok dongle USB license security device.
LicenseManager communicates directly with AccessData’s license server, so when
license renewals take place, the information is readily and immediately accessible for
download to your license device.
LicenseManager checks for the newest releases of your installed products, and also tells
you when your license is near expiration.

CODEMETER RUNTIME
The CodeMeter Runtime Kit is a program that is designed to work with the Wibu
CodeMeter (CmStick) so AccessData programs can verify license information stored
on the CmStick. It must be installed prior to connecting the CmStick. The CmStick and
CodeMeter Runtime Kit software must be fully installed prior to running
LicenseManager. Either a CmStick, or a Keylok dongle with a current license is
required to fully utilize AccessData products. CodeMeter Runtime can be installed and
running on the same machine with the AccessData Dongle Drivers, but both hardware
devices cannot be connected to the same machine at the same time.

Chapter 1 Introduction

3

ACCESSDATA FORENSIC PRODUCTS
This section provides basic information about AccessData’s forensic investigation
products.

FTK IMAGER
FTK Imager is an AccessData software evidence acquisition tool. It can quickly preview
evidence and, if the evidence warrants further investigation, create a forensically sound
image of the disk. It makes a bit-by-bit duplicate of the media, rendering a forensic
image identical in every way to the original, including file slack, unallocated space, and
drive free space.
Imager performs the following tasks:

• Preview files and folders on local hard drives, network drives, floppy diskettes, Zip
disks, CDs, DVDs, SD cards, and USB storage devices.

• Create forensic images of local hard drives, floppy diskettes, Zip disks, CDs, DVDs,
USB storage devices, and others.

• Preview the contents of forensic images stored on the local computer or on a
network drive.

• Export files and folders from forensic images.
• Generate hash reports for regular files and disk images (including files inside disk
images).

Important: When using Imager to create a forensic image of a hard drive, use
a hardware-based write-blocking device as well. This ensures that the
operating system does not alter the hard drive data while attached to the
imaging computer.
Create a hash of the original drive image that can be referenced later as a benchmark to
prove the integrity of the case evidence. Imager verifies that the drive image hashes and
the drive hash match when the drive image is created. Two hash functions are available
in FTK Imager: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1 and SHA-256).
After you create a drive image or custom image of the data, use FTK to perform a
complete and thorough forensic examination and create a report of your findings.
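The hash-based integrity check described under Handling Evidence and in the FTK Imager paragraph above (and the before-and-after file hashing that PRTK and DNA perform, described later in this chapter), as an added Python example that is not part of this guide and not AccessData's own code. It computes the three digests Imager offers (MD5, SHA-1, SHA-256) in a single pass over a stream, so a multi-gigabyte image never has to be loaded into memory, and compares the digests recorded at acquisition with those of the working copy. The sample media bytes, the flipped byte and all function names are constructed for the example.

```python
"""Verify a working forensic image against the hashes recorded at acquisition.

Added example; not part of the FTK guide or of AccessData's tooling.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable

# The three functions the guide names for FTK Imager.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024  # hash 1 MiB at a time so large images are never read whole


def hash_stream(stream: BinaryIO, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Return {algorithm: hex digest} for everything readable from `stream`.
    All requested digests are updated from the same read, so the data is
    traversed only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the constructed sample)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path: str, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Hash an image or evidence file on disk, e.g. the .001/.E01 copy being examined."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(acquisition: Dict[str, str], image: Dict[str, str]) -> Dict[str, bool]:
    """Compare digests noted at seizure with digests of the working copy.
    Returns a per-algorithm match map; comparison is case-insensitive because
    tools print hex digests in either case."""
    return {
        name: acquisition[name].lower() == image[name].lower()
        for name in acquisition
        if name in image
    }


def all_match(results: Dict[str, bool]) -> bool:
    """True only when at least one digest was compared and every one matched.
    A single mismatch means the copy is not an exact replica of the original."""
    return bool(results) and all(results.values())


# Constructed sample "media": stands in for a drive, partition or file.
ORIGINAL_MEDIA = b"constructed sample media contents\x00" * 4096
# Digests a practitioner would record at the time of seizure.
ACQUISITION_RECORD = hash_bytes(ORIGINAL_MEDIA)

# A bit-for-bit copy verifies; a copy with one flipped bit does not.
EXACT_COPY = bytes(ORIGINAL_MEDIA)
_altered = bytearray(ORIGINAL_MEDIA)
_altered[100] ^= 0x01
ALTERED_COPY = bytes(_altered)


def check(copy: bytes) -> bool:
    """Full check of an in-memory copy against the acquisition record."""
    return all_match(verify_image(ACQUISITION_RECORD, hash_bytes(copy)))


if __name__ == "__main__":
    for name, digest in ACQUISITION_RECORD.items():
        print(f"{name:7} {digest}")
    print("exact copy verifies:  ", check(EXACT_COPY))    # True
    print("altered copy verifies:", check(ALTERED_COPY))  # False
```

Run as a script it prints the acquisition digests and shows that the bit-for-bit copy verifies while the copy with a single flipped bit does not; to check a real image, pass its path to `hash_file` and compare the result with the digests in the acquisition record using `verify_image`. Comparing every recorded digest rather than a single one is deliberate: a mismatch in any algorithm is enough to reject the copy, and an attacker would have to defeat all of them at once to substitute altered data.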


ACCESSDATA LANGUAGE SELECTOR
AccessData Language Selector is a utility that allows you to choose a language
codepage to view your cases in. Install it from the FTK 2.2 Install Main Menu > Install
Other Products menu. For more information, see “Install Language Selector” on
page 32.

ACCESSDATA FORENSIC TOOLKIT
AccessData Forensic Toolkit® (FTK®) provides award-winning technology that is used
by law enforcement and corporate security professionals to filter, analyze, investigate,
and report on acquired evidence.
FTK provides users with the ability to perform complete and thorough computer
forensic examinations. FTK features powerful file filtering and search functionality.
FTK customized filters allow you to sort through thousands of files so you can quickly
find the evidence you need. FTK is recognized as the leading forensic tool for
performing email analysis. In addition, outstanding bookmarking and reporting
functions add to the power and usability of the product.

ACCESSDATA ENTERPRISE
AccessData Enterprise takes network-enabled digital investigations to the next level.
Built on our industry-standard, court-validated FTK technology, AccessData Enterprise
delivers state-of-the-art incident response capabilities, deep dive analysis of both
volatile and static data, as well as superior threat detection capabilities — all within an
easy-to-use interface. A role-based permission system, an intuitive incident response
console, secure batch remediation capabilities, unsurpassed searching and filtering, and
comprehensive logging and reporting are just a few of the reasons Enterprise is quickly
being adopted by Fortune 500 companies.

ACCESSDATA EDISCOVERY
AccessData eDiscovery is truly a landmark technology that virtually walks you through
each and every step of the eDiscovery lifecycle. Fortune 500 companies are quickly
turning to eDiscovery, because it is the only true custodian-based, end-to-end
eDiscovery solution on the market today. Furthermore, it is by far the easiest to use
with an intuitive dashboard that conveys the real-time status of all collection activities.
True custodian data mapping, the ability to schedule and manage ongoing and periodic
collections to better address ongoing litigation matters, as well as powerful processing
and reporting are just a few of the reasons eDiscovery is the new revelation in the
industry. Not only does it give you the power to address each phase of the process
in-house, but it allows you to search and collect data from network shares, email servers,
Documentum, SharePoint, Open Text, databases and other structured data
repositories. This gives you a level of reach unmatched by any other e-discovery
solution. Simply compare other solutions’ capabilities to eDiscovery and you will see
why so many people are switching.

LAB
The AccessData Lab family of solutions enables labs of all sizes, facing an array of
challenges, to work more effectively. Single-person labs can radically speed up the
processing of cases, utilizing the distributed processing in our FTK Pro solution. Labs
that have expanded a little can extend the distributed processing capabilities of Pro, and
add collaborative work and web-enabled case management. Finally, large labs that either
utilize a distributed workforce or would like to collaborate with attorneys, HR
personnel or any other non-forensic investigators can step up to Lab, which adds
powerful and intuitive web-based review. Regardless of the size, scope or mission of
your lab, AccessData Lab has a solution that will meet your needs.

SILENTRUNNER
SilentRunner enables you to answer the difficult question of "What happened?" in the
aftermath of a security incident by tackling the complicated tasks of capturing,
analyzing and visualizing network data. It is a passive network monitoring solution that
visualizes network activity by creating a dynamic picture of communication flows,
swiftly uncovering break-in attempts, weaknesses, abnormal usage, policy violations
and misuse, and anomalies — before, during and after an incident. Operating like a
surveillance camera, SilentRunner can play back events from thousands of
communications to validate system threats and investigate security breaches. This
dramatically enhances your ability to identify offenders, determine root cause, and
mitigate the recurrence of the same security incident. In addition, it helps monitor
infractions to regulatory controls and policy violations, providing supporting reports
for auditing requirements and contributing to your ability to demonstrate compliance.


REGISTRY VIEWER
AccessData Registry Viewer® allows you to view the contents of Windows operating
system registry files. Unlike Windows Registry Editor, which only displays the registry
of the current system, Registry Viewer lets you examine registry files from any
Windows system. Registry Viewer also provides access to a registry’s protected storage,
which contains passwords, usernames, and other information not accessible in
Windows Registry Editor.

MOBILE PHONE EXAMINER
Mobile Phone Examiner is an AccessData program that reads and images data from cell
phones and cell phone data card readers. It can run as a standalone program or as an
add-on to FTK.
When run as a standalone program, it reads and images the data. You then add the image
file to a case in FTK.
When installed on a machine that also has FTK installed, the phone or device can be
detected when adding new evidence, and the data, when imaged, is automatically added
to the current FTK case.

STEGANOGRAPHY PLUG-IN
AccessData now provides a plugin application that integrates support for several
steganography applications.

WHAT IS STEGANOGRAPHY?
Steganography is the process of breaking up and embedding one document or file type
inside another, effectively hiding the embedded file. The file that contains the
embedded file is known as a “carrier” file. The file that is embedded within the carrier
file is called the “payload”.
Because steganography provides an effective way of hiding files or data that could
prove to be valuable evidence, the AccessData Steganography plugin is an important
tool for detecting and extracting the payload from carrier files.


Some carrier files are password encrypted, and some are not. This difference is key to
determining the best path for accessing the payload. AccessData provides the tools
necessary to address both scenarios.
To create a carrier file and embed payload data into it, a special application is required
that is designed to do so. While many such apps are available, the AccessData
Steganography plugin currently supports a specific list of steganography programs.

SUPPORTED STEGANOGRAPHY PROGRAMS
The AccessData Steganography plugin provides support for the following
steganography applications:
TABLE 1-1 FTK Steganography Plugin Supported Programs

• Covert.tcp
• CryptaPix
• dc-Stego
• FFEncode
• Gzsteg
• Gifshuffle
• Hide 4 PGP
• Hide and Seek
• Jsteg
• PGE-Pretty Good Envelope
• S-Tools versions 1-3
• S-Tools version 4
• Scytale
• Snow
• Steganos Security Suite
• Stegodos
• Texto
• wbStego
• WNSTORM

FILE DECRYPTION AND PASSWORD DISCOVERY
AccessData offers two superior programs for file decryption and password discovery.
In addition, AccessData offers add-ons that provide impressive enhancements to the
speed of these applications.

PRTK AND DNA
PRTK and DNA have essentially the same program interface and they work essentially
the same way. Both programs analyze file signatures to find encryption types and
determine which recovery modules to use.
PRTK and DNA perform recoveries on protected files using various methods, including
decryption and dictionary attacks. For difficult password key values, PRTK performs
dictionary attacks using various types of dictionaries, including the Golden Dictionary
(containing previously recovered passwords), as well as Biographical, Custom User, and
Default dictionaries.

FEATURES OVERVIEW
PRTK and DNA perform the following basic functions:

• Hash files
Hashing a file uses an algorithm that creates a unique hash value for a file,
allowing verification that the contents of a file remain unchanged. When a file is
added to PRTK or DNA for key or password recovery, it is hashed. When the
key or password is recovered, the file is automatically hashed again to verify that
the file itself has remained unchanged. This is particularly helpful to law
enforcement personnel who need to verify that a file has not been changed while
recovering a password.

• Recover passwords
PRTK can recover the password to files created in many popular industry
applications by using a variety of methods, including several types of dictionaries
used within profiles, in combination with rules to achieve the desired results.
PRTK can also recover multi-lingual passwords.

• Generate reports
You can now print job information reports for password recovery jobs in .PDF
format.

• Open encrypted files
You can use recovered keys or passwords to open recovered files, if the applications the
files originated from are available and installed on a computer you have access to.
Recovered files can be copied or moved to any location.

PRTK / DNA ADD-ONS
The following add-ons are available to enhance the power and speed of password
cracking with PRTK and/or DNA:

PORTABLE OFFICE RAINBOW TABLES
Rainbow Tables are also pre-computed, brute-force attacks. AccessData Portable
Office Rainbow Tables (PORT) are different from the full Hash Tables set. A statistical
analysis is done on the file itself to determine the available keys. This takes far less
space than the Hash Tables, but also takes somewhat more time and costs a small
percentage in accuracy.
As previously stated, a system set at 40-bit encryption has one trillion keys available. A
brute-force attack of 500,000 keys per second would take approximately 25 days to
exhaust the key space combinations of a single file using a single 3 GHz Pentium 4
computer. With Portable Office Rainbow Tables, you can decrypt 40-bit encrypted
Microsoft Word or Excel files, usually in seconds, minutes, or hours, rather than days or
weeks, depending on the power of the system you are using. DNA and PRTK
seamlessly integrate with PORT.
Product Features

• 40-bit encrypted files decrypted in 5 minutes on average
• One table available: MS Word & Excel (MS Office)
• Completely portable, fits on your laptop
• 98.6% accuracy for MS Office Word and Excel files.

PORT for Word and Excel takes only about 3.7 GB of disk space. It is shipped on a
single DVD. You can carry it with you! Indispensable for on-site acquisitions and
investigations.

RAINBOW (HASH) TABLES
Rainbow Tables are pre-computed, brute-force attacks. In cryptography, a brute-force
attack is an attempt to recover a cryptographic key or password by trying every possible
key combination until the correct one is found. How quickly this can be done depends
on the size of the key, and the computing resources applied.
A system set at 40-bit encryption has one trillion keys available. A brute-force attack of
500,000 keys per second would take approximately 25 days to exhaust the key space
combinations using a single 3 GHz Pentium 4 computer. With a Rainbow Table,
because all possible keys in the 40-bit keyspace are already calculated, file keys are
found in a matter of seconds to minutes, far faster than by other means. DNA and
PRTK seamlessly integrate with Rainbow Tables.


Product Features
Three Rainbow Tables Hash Sets are available:

• MS Office Word and Excel
• Acrobat PDF
• Windows LAN Hash
Each hash set takes nearly 3 TB of disk space.
AccessData Rainbow Tables hash sets for Windows LAN Hash ship with their own
user-interface program, and that is the one that should be used for LAN Hash files.
The Rainbow Tables hash sets for MS Office and Acrobat PDF, as well as the Portable
Office Rainbow Tables (PORT), all run with the AccessData Rainbow Tables stand-alone
user-interface program. Check for the latest version of RainbowTables.exe on the
AccessData website, www.AccessData.com.

TACC UNIT
The Tableau TACC1441 Hardware Accelerator (TACC) is a specialized product that
reduces the dictionary-based password recovery times of PRTK and DNA. The TACC
accelerator performs massively parallel, high-speed computations of cipher keys,
yielding a dramatic increase in the number of passwords per second that each host
computer generates. This results in a greater number of successful attacks in a
significantly shorter amount of time. For more information, contact your AccessData
sales representative, or contact Tableau, LLC; www.tableau.com.


Chapter 2 Installation and Upgrade

This chapter details the steps for the installation of the required components for the
operation of AccessData Forensic Toolkit (FTK) 2.2. The following components are
required to run FTK:

• CodeMeter 3.30a Runtime software for the CodeMeter Stick
• A CodeMeter Stick
• Oracle 10g Database
• FTK 2.2 Program

These additional programs are available to aid in processing cases:

• FTK Known File Filter (KFF) Library
• AccessData Registry Viewer
• AccessData LanguageSelector
• AccessData LicenseManager

INSTALLATION OPTIONS
Most notably, beginning with this version, FTK 2.2 can be installed with any one earlier
version of 2.x remaining on the same computer at the same time. Installation paths will
differ slightly from previous versions and registry entries will also be different. This
means you may not have to uninstall your earlier version of FTK 2.x and thus will not
have to convert (or lose) cases to the newer version to maintain compatibility with the
database.

INSTALLATION CONFIGURATION OPTIONS
FTK can be set up in three different configurations, each with its own benefits and
advantages. The three configurations listed below are represented in the graphic
following:

• Single Machine
• Separate Machines
• Separate Machines with an existing Oracle install
Note: AccessData recommends that you turn off firewalls and anti-virus software during
installation.

Figure 2-1 Three Different Configurations


SYSTEM OVERVIEW
The more powerful the available hardware, the faster FTK can analyze and prepare case
evidence. Larger evidence files require more processing time than smaller evidence
files. While the components can be installed on a single workstation, it is recommended
to install them on separate workstations in order to make more hardware resources
available to each.
The ideal configuration uses two workstations connected by a Gigabit Ethernet
connection. The Oracle database can be installed on a separate computer, or on the
same computer as the FTK Program. If the KFF is installed, it must be installed on the
same computer as the Oracle database. Ideally, the CodeMeter Runtime 3.30a software,
LanguageSelector, and LicenseManager should be installed on the computer with the
FTK Program.
To further maximize performance, AccessData recommends the following:

• For both the single- and separate-workstation configurations, install Oracle to a
large hard disk drive that Oracle can use exclusively.

• Do not run other applications on these machines that will compete with FTK or
the Oracle database for hardware resources.
The FTK Program can also be installed on one workstation, and connected to an
existing instance of Oracle 10g already running on a separate workstation. This is
displayed in the above figure.

ESTIMATING HARD DISK SPACE REQUIREMENTS
The FTK Program requires a minimum of 500 megabytes of disk space for installation,
although 5 gigabytes is recommended. Oracle, where images are stored, requires a
minimum of 6 gigabytes (5 gigabytes for the basic installation) and additional room for
case processing. Additional space is required for cases and case data.

Important: If disk space depletes while processing a case, the case data is
erased.
To estimate the amount of hard drive space needed, apply these suggested factors:

• Data: every 500,000 items require one gigabyte of space in the Oracle storage
location.

• Index: every 100 megabytes of text in the evidence requires 20 megabytes of space
for processing in the case storage folder.

INSTALLATION
To install FTK 2.2, follow these steps:
1. Insert the FTK 2.2 DVD into the drive.

2. Click Install Forensic Toolkit 2.2.

INSTALL CODEMETER
Install the WIBU CodeMeter Runtime v3.30a software for the CodeMeter Stick. Click
Install CodeMeter Software to launch the CodeMeter installation wizard, as displayed in the
following figure.

Follow the directions for installation, accepting all defaults, and click Finish to complete
the installation.


Figure 2-2 CodeMeter Installation Wizard.

If the user attempts to install FTK 2.2 before installing the CodeMeter v3.30a software
and the Wibu CmStick, a message similar to the following error message will be
displayed.
Figure 2-3 CodeMeter Error

Note: To remedy, quit the FTK 2.2 install. Install the CodeMeter Runtime 3.30a software, and
connect the CmStick. Then restart the FTK 2.2 installation.

INSTALL ORACLE
From the FTK New Install screen, perform the following steps as displayed in the
following figure.


Figure 2-4 Install Oracle Button

FTK must link to an Oracle database. If one already exists in the network or domain
(with sufficient space for storage and processing) it can be leveraged for use with FTK.

If no Oracle database exists, it must be installed either on the same computer as the
FTK Program within the same network or domain, or a separate computer.
If the FTK installation is attempted before installation of Oracle, the FTK installer
warns of its dependency on Oracle and prompts the user to continue with or terminate
the install, in a message similar to the one displayed in the following figure.
Figure 2-5 Oracle Dependency Warning

At this point the user is prompted to continue or terminate as in the following figure.


Figure 2-6 Terminate or Continue Install

If the user continues, the FTK installation may fail; even if it completes, the program will
not run properly.
Note: The solution is to properly install Oracle before attempting to install FTK 2.2.


1. Launch the installer.

2. Click Next.


3. Read the license agreement, agree to it, and click Next.

4. Wait for the installer to configure the installation.

5. Select the installation drive letter.
Note: Select the appropriate drive where Oracle will reside, separate from all other programs.


6. Click Next.

Note: These options are only available when Advance Installation has been selected.
7. Agree to the Oracle Admin Password Agreement and click Next.


8. Provide an Oracle System Administrator password.

9. Click Submit.

10. Wait for the installation and configuration to finish.
Note: This step can take up to forty minutes.


11. Click Finish to end the installation process.

SINGLE COMPUTER INSTALLATION
The FTK Program can be installed on the same computer as the installed Oracle
database, as displayed in the following figure.
Figure 2-7 Single Computer Installation

INSTALL FTK
From the FTK 2.2 New Install screen, perform the steps displayed in the following
figure.


Figure 2-8 Install FTK 2.2 Button

1. Click Install FTK 2.2.

2. Click Next.


3. Read and accept the AccessData license agreement.

4. Click Next.
5. Select the location for the FTK components.
Note: If another directory is desired instead of the default, click Browse to navigate to or create
the folder using the Windows Browse functionality.


6. Click Next.

7. Click Next to continue with the installation.
8. Follow the prompts on the screens that follow.

9. When the installation is completed successfully, click Finish.


INSTALL THE KFF LIBRARY
The FTK KFF Library can be installed to help shorten the investigation time on the
case. The KFF Library must be installed on the same volume as the Oracle database. To
perform step 4 and install the KFF, perform the following steps from the Install New
FTK window, as displayed in the following figure.
Figure 2-9 Install KFF Button

1. Click Install KFF Library.

2. Click Next.

3. Accept the KFF license agreement.

4. Click Next.
5. Allow installation to progress.

6. When the screen indicates a successful installation, click Finish to end the
installation.
7. Click Back to Main Menu to return to the Main Menu and make other selections.

INSTALLING ON SEPARATE COMPUTERS
FTK 2.2 can be installed on two separate computers. To do this, change the steps, as
shown again in the following figure, to 2, 1, 3, 4. Perform steps 2 and 4 on the computer
to run Oracle. (The KFF Library installs into the Oracle installation.) Then perform
steps 1 and 3 on the computer designated to run the FTK Program. (The CodeMeter
software and CmStick must be installed on the FTK 2.2 machine.)

Figure 2-10 Install New FTK Screen

INSTALLATION RESULTS
If the default install location was selected, the FTK Program installation puts the
program files in the following folder: C:\Program Files\AccessData\Forensic Toolkit\2.2.

ADDITIONAL PROGRAMS
To change to a supported language other than the default English (United
States) that ships with FTK, LanguageSelector must be installed.


INSTALL LANGUAGE SELECTOR
To install Language Selector, follow these steps:
1. From the FTK 2.2 Autorun Main Menu, click Install Other Products, then click Install
Language Selector.

2. The Language Selector Installer runs. Click Next to continue.

3. Read and accept the License Agreement. Click Next to continue.

4. Click Finish.


USING LANGUAGE SELECTOR
Run Language Selector by clicking Start > All Programs > AccessData > Language Selector
> Language Selector.
OR
Click the Language Selector Icon on your desktop:

Language Selector has a very simple interface, as shown in the following figure:

Click the Select Languages dropdown to select the language to use. Languages to choose
from are as follows:
TABLE 2-1 Language Selector Supported Languages

• Chinese (Simplified, PRC)
• Dutch (Netherlands)
• English (United States)
• French (France)
• German (Germany)
• Italian (Italy)
• Japanese (Japan)
• Korean (Korea)
• Portuguese (Brazil)
• Russian (Russia)
• Spanish (Spain, Traditional Sort)


The Products supporting this language text box indicates the products that will be
affected by the language selection.
The File menu contains two choices:

• Select Language
• Exit
The Help menu contains one choice:

• About

LICENSING
If licenses need to be managed, LicenseManager must be installed. For more
information on LicenseManager, see “Appendix F Managing Security Devices and
Licenses” on page 255.
Also, make sure the current versions of any other programs required for the
investigation are installed, including AccessData RegistryViewer, and AccessData
Password Recovery Toolkit, or AccessData Distributed Network Attack.

UPGRADING TO FTK 2.2
You no longer need to upgrade your previous FTK 2.x version to 2.2, or convert earlier
2.x cases to continue to use them. You can keep one earlier 2.x version installed on your
machine, and still install FTK 2.2 using the same database. Your previous cases will still
be available and you can work with them in their native version.

Chapter 3 Concepts

Before using AccessData Forensic Toolkit (FTK), a basic knowledge of the FTK
interface is helpful. This chapter focuses on the basic features and flow of a case. The
chapters that follow give more detail.
The FTK interface contains a menu bar, toolbars, and seven main tabs, each tabbed page
having a specific focus. Most tabs also contain a common toolbar and a file list with
customizable columns.

REGARDING THE CODEMETER STICK
AccessData provides a USB CodeMeter Stick security license device with FTK. The
WIBU-SYSTEM CodeMeter Stick is a security compliance license device. Insert the
CodeMeter Stick into the USB port prior to installation. It maintains your FTK licensing
and subscription information and is required by FTK.
You can use the LicenseManager application to monitor your FTK subscription. For
more information, see “Managing Licenses with LicenseManager” on page 267.

Important: FTK 2.x does not work with the green KEYLOK security device dongle
used with previous versions of FTK.

BASIC WORKFLOW
The most efficient way to work in FTK 2.2 is to begin with the end in mind. For
example, your goal may be to use computer evidence to convict a criminal of wrongful
acts. To do so, you will need to produce a report that presents meaningful evidence of
the offenses to interested parties, such as in a court of law.

As you begin, of course, you will need to install and set up the program and users to
best and most efficiently accomplish the task at hand.
Once the installation is complete, and the Application and Case Administrators are set
up, a case can be created.
The basic flow of a case, then, is as follows:

ACQUIRING AND PRESERVING THE EVIDENCE
For digital evidence to be valid, it must be preserved in its original form. The disk
image must be forensically sound, or identical in every way to the original.
Two types of tools can do this: hardware acquisition tools and software acquisition
tools.

• Hardware acquisition tools duplicate, or clone, disk drives at the bit level, and allow
read-only access to the hard drive.

• Software acquisition tools create a disk image. They usually require a hardware
write-blocker, and make no changes to the data or information on the hard drive.
The use of write-blocking devices is recommended when using software tools, because
some operating systems, such as Windows, may make changes to the drive as it reads
the data to be imaged.
FTK Imager is an AccessData software acquisition tool. It can quickly preview evidence
and, if the evidence warrants further investigation, create a forensically sound image of
the disk. It makes a bit-by-bit duplicate of the media, rendering a forensic image
identical in every way to the original, including file slack, and unallocated and drive free
space.

CREATE A CASE
1. From the Case Management window, click Case > New.
2. Specify the evidence options to apply to the evidence by clicking Detailed Options
in the New Case Options window.
3. Mark Open the Case, then click OK.
4. Wait while the case is being created. When case creation is complete, FTK opens and
the Manage Evidence dialog opens.

ADD EVIDENCE
1. Click Add.
2. Select the type of evidence to add, then click OK.
3. Type an ID or Name associated with the case, and a description if you wish.
4. Select the timezone for the original location of the selected evidence.
5. Select a language if other than English.
6. Click OK.
7. The Data Processing Status window appears and indicates the progress of the
evidence processing. When a process is complete, the bar turns green. When all
processes represented are green, the evidence processing is complete and you can
begin working in the case.
Note: You can close the Data Processing Status window at any time. Processing will
continue until it is complete. To view the Data Processing Status window at any time,
click View > Progress Window.

WORK THE CASE
IDENTIFYING MEANINGFUL EVIDENCE WITHIN A CASE
The purpose of FTK is to help investigators identify meaningful evidence and to make
that evidence available to the appropriate parties in an easy-to-understand medium.
The evidence-defining process begins with the hashing of the data added to a case.
Another key to easily finding meaningful evidence is the indexing of case data. Through
these two functions, FTK provides the foundation for successful investigation and
analysis.
Index searching, live searching, and filtering files with the Known File Filter Library
(KFF) and with built-in and custom filters applied to the data give results that can then
be bookmarked and added to the report that summarizes the findings in the case.
Use the tabs to view basic evidence groups, and to get an idea where best to look for
the evidence you seek. In addition, you can run searches for specific words, names,
email addresses and so forth from the index, or you can run live searches. Look
through thumbnails of graphics, and look through emails and attachments. Narrow
your search to look through specific document types, or to look for items by status, or
by file extension. You can dig into the registry files to find websites visited, and the
passwords for those sites. The possibilities are nearly endless.

As you find items of interest, you can:

• Check mark or bookmark them, so you can easily find those items again.
• Export files.
• Add external files that are not otherwise part of the case to bookmarks as
supplemental files.

GENERATE REPORTS
When you feel you have exhausted the resources within the case and are ready to create
your report, you can include your bookmarks, emails, registry evidence, and documents.
They can be arranged in the way that works best for you, or for your audience.
Reports can be generated in several formats to make it easier to provide them in a
useful way to your audience.

MOVING FORWARD
The remainder of this chapter provides basics of the Case Management window and its
options. For more detailed information about features and how they are used, see
“Chapter 5 Adding and Processing Evidence” on page 77.

STARTING FTK
After you complete the installation, start FTK by selecting Start > All Programs >
AccessData > Forensic Toolkit > FTK 2.2 (which executes FTK.exe), or by selecting the
AccessData Forensic Toolkit 2.2 shortcut on the desktop.

Important: Close any virus scanner program while running FTK and
processing evidence. Virus scanners can slow performance significantly.

SETTING UP THE APPLICATION ADMINISTRATOR
On first launch an Application Administrator must be created to manage the database.
The Add New User dialog box opens automatically. The first added user is the
Application Administrator, and has full rights for management of this FTK 2.2
installation, users, cases and database administration. The Application Administrator
can add new users to the database, including Application Administrators, Case
Administrators, and Case Reviewers.
Figure 3-1 Add New User Dialog

Complete the fields to assign a role and a password to a new user. Every field is
required. Click OK to save the new user and close the dialog.

USING THE CASE MANAGEMENT WINDOW
FTK manages cases from a central database. The Case Administrator administers the
case from the Case Management window. The following figure displays the Case
Management window.

Figure 3-2 Case Management Window.

After logging into FTK, the Case Management window appears with the following
menus:

TABLE 3-1 Case Management Menus

• File
• Tools
• Database
• Help
• Case

The following tables show the available Case Management menu options.

TABLE 3-2 Case Management File Menu

Exit
    Exits FTK.

TABLE 3-3 Case Management Database Menu

Log In
    Opens the authentication dialog for users to log into the database and to access a
    particular case. If someone is currently logged in to the database this option may
    not be available.

Log Out
    Logs the user out of the current case. If no one is currently logged in to the
    database, this option will not be available.

Administer Users
    Available to the Application Administrator: view the list of current users, add
    users, and change users’ passwords.

Manage KFF
    Import or export KFF groups or databases; edit or delete non-default groups, lists,
    or databases.

Add Database
    Specify the network location of another instance of Oracle where cases can be
    stored and processed.

Session Management
    Provides a list of database sessions and whether they are active or inactive; cases
    can be aborted from this menu.

Change my password
    Allows the currently logged-in user to change his or her own password.

Add User
    Create a user with either Reviewer or Administrator rights to the database. This
    can only be done by the Application Administrator.

TABLE 3-4 Case Management Case Menu

New
    Start a new case with the logged-in user as the Case Administrator. Case Reviewers
    cannot create a new case.

Open
    Opens the highlighted case with its included evidence.

Assign Users
    Allows the Application Administrator or the Case Administrator to adjust or control
    the rights of other users to access a particular case.

Backup
    Opens a dialog for specifying names and locations for backup of selected cases.

Restore
    Opens a Windows Explorer instance for locating and restoring a selected, saved case.

Delete
    Deletes the selected case.

TABLE 3-5 Case Management Tools Menu

Create Options File
    Allows the creation of a Global Options File to apply to all cases as the default.

Preferences settings
    Options are:
    • Choose temporary file path
    • Choose network security device location. Options are:
      • IP Address
      • Port

TABLE 3-6 Case Management Help Menu

User Guide
    Opens the FTK User Guide in PDF format. The manual is formatted for two-sided
    printing.

Diagnostics
    View the activity of the databases in which cases are stored, and of the Worker
    machines assigned to each case.

About
    Provides copyright and trademark information about FTK and other intellectual
    property of AccessData.

CREATING A NEW CASE
When a case is created, the user who creates it becomes that case’s Administrator. To
create a new case, click Case > New from the Case Management window.
For more information about creating a new case, see “Creating a Case” on page 48.

Chapter 4 Starting a New FTK 2.2 Case

After collecting the files or drive images to examine, start a case using AccessData
Forensic Toolkit (FTK 2.2).

LAUNCH FTK 2.2
FTK harnesses the power of multiple investigators and computer processors to analyze
cases. The application administrator is created when FTK 2.2 is launched the first time,
and the Case Management window opens. Run FTK 2.2 by doing the following:
1. Click Start > All Programs > AccessData > Forensic Toolkit > AccessData Forensic Toolkit
2.2.
Note: It may take a few moments for FTK 2.2 to run. This is because it is also launching
the Oracle database.
2. Log in using the case-sensitive username and password provided by the application
administrator, as shown in the following figure:

Figure 4-1

A successful login brings up the Case Management window, as in the following figure:
Figure 4-2 Case Management Window

The Application Administrator can add additional users from the Case Management
window. The following steps can be used by the Application Administrator to set up
new users as needed:
3. Click Database > Administer Users > Add User to open the Add New User dialog.
4. Enter a username.
5. Enter the full name of the user as it is to appear in reports.
6. Assign a role.
7. Enter a password.
8. Verify the password.
9. Click OK to save the new user and close the dialog.

The following table gives information on the fields available in the Add New User
dialog.

TABLE 4-1 Add New User Information Fields

User Name
    Enter the name by which the user is known in program logs and other system
    information.

Role
    Assign rights to the user name:
    • Application Administrator: can perform all types of tasks, including adding and
      managing users.
    • Case Administrator: can process data and change settings to FTK, although only
      the Application Administrator can add new users.
    • Case Reviewer: cannot create cases; can only process cases.

Full Name
    Enter the full name of the user as it is to appear on case reports.

Password
    Enter and verify a password for this user.

After completing the dialog, the login prompt returns so that the newly created user can
log in with the new login name and password. The Case Management window shows the
name you just created, indicating that the user can view and modify cases within that
database.

ASSIGNING ROLES
New users require a role, or a set of permissions to perform specific sets of actions.
APPLICATION ADMINISTRATOR
An Application Administrator has permissions to all areas of the program and can
create and manage users.

CASE ADMINISTRATOR
A Case Administrator can perform all of the tasks an Application Administrator can
perform, with the exception of creating and managing users.
CASE REVIEWER
The following tasks are unavailable to a user having the Case Reviewer role:
TABLE 4-2 Permissions Denied Case Reviewer Users

• Create, Add, or Delete cases
• Administer Users
• Data Carve
• Manually data carve
• Assign Users to cases
• Add Evidence
• Access Credant Decryption from the Tools Menu
• Decrypt Files from the Tools Menu
• Mark or View Items Flagged as “Ignorable” or “Privileged”
• Manage the KFF
• Manage Fuzzy Hash
• Enter Session Management
• Use FTK Imager
• Use Registry Viewer
• Use PRTK
• Use Find on Disk
• Use the Disk Viewer
• View file sectors
• Define, Edit, Delete, Copy, Export, or Import Filters
• Export files or folders
• Access the Additional Analysis Menu
• Backup or Restore Cases
• Add a Database

CREATING A CASE
FTK stores each case in an Oracle database, and allows case administration as the case
is created. When an authorized user creates a case, that user becomes that case’s
administrator. Start a new case from the Case Management window with the following
steps:
1. Launch FTK 2.2 and log in. This opens the Case Management window.
2. Click Case > New.
3. Enter a name for the case in the Case Name field.
4. Enter the specific reference information in the Reference field. This field is not
required to create a case.
5. Enter a short description of the case in the Description field.
6. If you wish to specify a different location for the case, click the browse button.
Note: If the c:\ftk2-data folder is not set as shared, an error occurs during case creation.
7. If you wish to create the case in Field Mode, mark the Field Mode box. Field Mode
disables the Detailed Options button when creating a case.

In addition to disabling Detailed Options, Field Mode bypasses file signature analysis
and the Oracle database communication queue. These things vastly speed the
processing.
Note: The Job Processing screen will always show 0 for Queued when Field Mode is enabled,
because items move directly from Active Tasks to Completed.
8. If you wish to open the case as soon as it is created, mark the Open the case box.
9. If you do not select Field Mode, click Detailed Options to specify how you wish the
evidence to be treated as it is processed and added to the case. The case creation
steps are continued in the following section.

SELECTING EVIDENCE PROCESSING OPTIONS
The Evidence Processing options allow selection of processing tasks to perform on the
current evidence. Select only those tasks that are relevant to the evidence being added
to the case. The following figure represents the detailed options dialog. Different
processing options can be selected and un-selected depending on the specific
requirements of the case.
At the bottom of every Refinement Options selection screen you will find five buttons:

• Reset: resets the current settings to the currently defined defaults.
• Save as My Defaults: saves current settings as the default for the current user.
• Reset to Factory Defaults: resets current settings to the factory defaults.
• OK: accepts current settings without saving for future use.
• Cancel: cancels the entire Detailed Options dialog without saving settings or
  changes, and returns to the New Case Options dialog.

Figure 4-3 Detailed Options Dialog

10. Click Detailed Options to choose settings for the case.
10a. Click the Evidence Processing icon in the left pane, and select the processing
options to run on the evidence. For more information, see “Selecting Evidence
Processing Options” on page 50.
10b. Click the Evidence Discovery icon to specify the location of the File
Identification File, if one is to be used. For more information, see “Selecting
Evidence Discovery Options” on page 61.
10c. Click the Evidence Refinement (Advanced) icon to select the custom file
identification file to use on this case. For more information, see “Selecting
Evidence Discovery Options” on page 61.
10d. Click the Index Refinement (Advanced) icon to select which types of evidence to
not index. For more information, see “Selecting Evidence Refinement
(Advanced) Options” on page 62.
10e. Click OK.

When you are satisfied with your evidence refinement options, Click OK to continue to
the Evidence Processing screen.

The following table outlines the Evidence Processing options:

TABLE 4-3

MD5 Hash
    Creates a digital fingerprint using the Message Digest 5 algorithm, based on the
    contents of the file. This fingerprint can be used to verify file integrity and to
    identify duplicate files. For more information about MD5 hashes, see “Message
    Digest 5” on page 294.

SHA-1 Hash
    Creates a digital fingerprint using the Secure Hash Algorithm-1, based on the
    contents of the file. This fingerprint can be used to verify file integrity and to
    identify duplicate files. For more information about SHA hashes, see “Secure Hash
    Algorithm” on page 296.

SHA-256 Hash
    Creates a digital fingerprint using the Secure Hash Algorithm-256, based on the
    contents of the file. This fingerprint can be used to verify file integrity and to
    identify duplicate files. SHA-256 is a hash function computed with 32-bit words,
    giving it a longer digest than SHA-1. For more information about SHA hashes, see
    “Secure Hash Algorithm” on page 296.

Fuzzy Hash
    Mark this box to enable Fuzzy hash options and Match fuzzy hash library. Fuzzy hash
    options allow you to compare files which may be similar but not identical, and also
    to specify the size of files to hash.

Flag Duplicate Files
    Identifies files that are found more than once in the evidence. This is done by
    comparing file hashes.

KFF
    Using a database of hashes from known files, this option flags ignorable files and
    alerts the user to known illicit or dangerous files. Both AD KFF Alert and AD KFF
    Ignore groups are selected by default. If you have custom groups and you want them
    to be enabled, specify them under the Case KFF Options. For more information about
    Known File Filter (KFF), see “Using the Known File Filter” on page 172.

Expand Compound Files
    Automatically opens and processes the contents of compound files such as .ZIP,
    email, and OLE files.

Flag Bad Extensions
    Identifies files whose types do not match their extensions, based on the file
    header information.

Entropy Test
    Determines if the data in unknown file types is compressed or encrypted. The
    compressed and encrypted files identified in the entropy test are not indexed.

dtSearch Index
    Stores the words from evidence in an index for quick retrieval. Additional space
    requirement is approximately 25% of the space required for all evidence in the
    case. Click Indexing Options for extensive options for indexing the contents of the
    case.

Generate Thumbnails for Graphics
    Creates thumbnails for large graphics.
    Note: All thumbnails are generated in .JPG format, regardless of the original
    graphic file type.

HTML File Listing
    Creates an HTML version of the File Listing in the case folder.

Data Carve
    Carves data immediately after pre-processing. Click Carving Options, then select
    the file types to carve. Uses file signatures to identify deleted files contained
    in the evidence. All available file types are selected by default. For more
    information on Data Carving, see “Selecting Data Carving Options” on page 60.

Meta Carve
    Carves deleted directory entries. This process can uncover evidence clues that
    might otherwise not be found.

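The following Python script is an added example, not AccessData code, showing what
several of the Table 4-3 options do when run over a handful of constructed sample files:
it computes the MD5, SHA-1 and SHA-256 fingerprints, flags duplicates by comparing
hashes, looks each hash up in a constructed stand-in for a KFF alert/ignore list, flags
files whose header bytes do not match their extension, and applies an entropy test to
separate compressed or encrypted data from plain content. The signature table, the 7.0
bits-per-byte entropy threshold, and all file names, contents and KFF entries are this
example's own assumptions.

```python
"""Added example (not AccessData code): a minimal model of several FTK 2.2
Evidence Processing options from Table 4-3, run over constructed sample files.
File names, contents, the signature table, the entropy threshold and the KFF
entries are all this example's own assumptions."""
import hashlib
import math
import zlib
from collections import Counter

# Header signatures (magic bytes) for the extensions this example checks.
SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".zip": (b"PK\x03\x04",),
}

# Constructed sample evidence: {file name: contents}.
SAMPLE_FILES = {
    "readme.txt": b"Welcome to the evidence set. Nothing to see here.\n" * 4,
    "readme_copy.txt": b"Welcome to the evidence set. Nothing to see here.\n" * 4,
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2,
    "notes.jpg": b"PK\x03\x04" + b"\x00" * 60,       # ZIP contents under a .jpg name
    "archive.zip": b"PK\x03\x04" + zlib.compress(b"x" * 2000 + bytes(range(256)) * 8),
    "tool.exe": b"MZ" + b"\x90" * 500,
}

# Constructed stand-in for the KFF library (SHA-1 -> "alert" or "ignore"); in FTK
# this is a database of hashes of known files. Computed here so the example runs offline.
KFF = {
    hashlib.sha1(SAMPLE_FILES["readme.txt"]).hexdigest(): "ignore",
    hashlib.sha1(SAMPLE_FILES["tool.exe"]).hexdigest(): "alert",
}


def fingerprints(data: bytes) -> dict:
    """MD5 Hash, SHA-1 Hash and SHA-256 Hash options: digests of the file contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for repetitive text, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def bad_extension(name: str, data: bytes) -> bool:
    """Flag Bad Extensions: True when a known extension's header bytes are absent.
    Extensions missing from SIGNATURES are not judged and return False."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = SIGNATURES.get(ext)
    return expected is not None and not any(data.startswith(s) for s in expected)


def process_evidence(files: dict, kff: dict, entropy_threshold: float = 7.0) -> dict:
    """Run the modelled options over {name: bytes}; returns per-file hashes and flags."""
    results, first_seen = {}, {}
    for name, data in files.items():
        fp = fingerprints(data)
        entropy = shannon_entropy(data)
        results[name] = {
            **fp,
            "kff": kff.get(fp["sha1"], "unknown"),          # KFF option
            "bad_extension": bad_extension(name, data),
            "entropy": round(entropy, 2),
            # Entropy Test: high-entropy data is treated as compressed or encrypted
            # and, as in FTK, would be left out of the index.
            "high_entropy": entropy >= entropy_threshold,
            # Flag Duplicate Files: name of the earlier file with the same hash, if any.
            "duplicate_of": first_seen.get(fp["sha256"]),
        }
        first_seen.setdefault(fp["sha256"], name)
    return results


if __name__ == "__main__":
    for name, row in process_evidence(SAMPLE_FILES, KFF).items():
        print(name, {k: v for k, v in row.items() if k not in ("md5", "sha1", "sha256")})
```

Running it reports readme_copy.txt as a duplicate of readme.txt, notes.jpg as a bad
extension (it starts with a ZIP header), tool.exe as a KFF alert, and photo.jpg as
high-entropy data that an indexer would skip.
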
FUZZY HASHING
Fuzzy hashing is a tool which provides the ability to compare two distinctly different
files and determine a fundamental level of similarity. This similarity is expressed as a
score from 1-100. The higher the score reported, the more similar the two pieces of
data. A score of 100 would indicate that the files are close to identical. Alternatively, a
score of 0 would indicate no meaningful common sequence of data between the two
files.
Traditional forensic hashes (MD5, SHA-1, SHA-256, etc.) are useful to quickly identify
known data and to ensure that files have been forensically preserved. However, these
types of hashes cannot indicate how closely two non-identical files match. This is when
fuzzy hashing is useful.
In AccessData applications fuzzy hashes are organized into a library. This library is
very similar in concept to the AccessData KFF library. The fuzzy hash library contains
a set of hashes for known files that can be compared to evidence files in order to
determine if there are any files which may be relevant to a case. Fuzzy hash libraries are
organized into groups. Each group contains a set of hashes and a threshold. The group
threshold is a number the investigator chooses, to indicate how closely an evidence
item must match a hash in the group to be considered a match and to be included as
evidence.

CREATING A FUZZY HASH LIBRARY
There are two ways to create a fuzzy hash library. The first way is to drag and drop a
file, or files, from a disk into the Fuzzy Hash Library screen. The second way is to
right-click the file and select ‘Add to Fuzzy Hash Library.’ To access the Fuzzy Hash
Library screen go to Tools > Fuzzy Hash > Manage Library.

SELECTING FUZZY HASH OPTIONS DURING INITIAL PROCESSING
Follow these steps to initialize fuzzy hashing during initial processing or when adding
additional evidence to a case:
1. After choosing to create a new case, click Detailed Options.
2. Select Fuzzy Hash.
2a. (Optional) If FTK already refers to a fuzzy hash library, you can select to match
the new evidence against the existing library by selecting Match Fuzzy Hash
Library.
2b. Click Fuzzy Hash Options to set additional options for fuzzy hashing.
2c. Set the size of files to hash. The size defaults to 20 MB; 0 indicates no limit.
2d. Click OK to set the value.
3. Select OK to close the detailed options dialog.

ADDITIONAL ANALYSIS FUZZY HASHING
Fuzzy hashing can also be initialized on the current data by performing the following
steps:
1. Click Evidence > Additional Analysis.
2. Select Fuzzy Hash.
3. (Optional) Select if the evidence needs to be matched against the Fuzzy Hash library.
3a. (Optional) If performing this additional analysis after adding new information,
the fuzzy hashing can be done again against previously processed items.
3b. (Optional) Click Fuzzy Hash Options to open the Fuzzy Hash Options dialog.
3c. Set the file size limit on the files to be hashed.
3d. Click OK.
4. Click OK to close the Additional Analysis dialog and begin the fuzzy hashing.

COMPARING FILES USING FUZZY HASHING
To compare a file to another file or group of files, go to Tools > Fuzzy Hash > Find
Similar Files. This option allows you to select a file hash to compare against. You can
specify the minimum match similarity that you want in this screen. This screen can also
be accessed by right-clicking a file and selecting Find Similar Files.

VIEWING FUZZY HASH RESULTS
To view the fuzzy hash results in FTK, several pre-defined column settings can be
selected in the Column Settings field under the Common Features category. Those
settings are: Fuzzy Hash, Fuzzy Hash blocksize, Fuzzy Hash library group, Fuzzy Hash
library score, and Fuzzy Hash library status.

The following table shows the column settings and the description of each:

TABLE 4-4 Fuzzy Hash Column Settings

Fuzzy Hash blocksize
    Dictates which fuzzy hash values can be used to compare against a file. Fuzzy
    hashes can only be compared to another fuzzy hash value whose blocksize is half,
    equal to, or two times that of the actual fuzzy hash value.

Fuzzy Hash Library Group
    The highest matching group value for a file. To find all of the library groups
    which have been used to compare a file against, double-click on the value in
    column settings.

Fuzzy Hash
    The actual fuzzy hash value given to a file.

Fuzzy Hash Library Score
    The value of the highest group score a file has been compared against. To find
    all of the library scores, double-click on the value in the column settings.

Fuzzy Hash Library Status
    Set to either alert or ignore, which is similar to the KFF alert or ignore
    settings.

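To make the similarity score and the blocksize rule concrete, the following Python script
is an added example (neither AccessData's nor ssdeep's code) of a small
context-triggered piecewise hash, the technique behind the fuzzy hashes described in the
FUZZY HASHING section above and in Table 4-4. It chops a file into chunks wherever a
rolling hash over the last few bytes hits a trigger value that depends on the blocksize,
turns each chunk into one character, and scores two signatures 0-100 from how much of
those character strings they share; two signatures are only compared when their
blocksizes are equal, half or double. The rolling hash, the 7-byte window, the
difflib-based scoring and the seeded sample files are this example's own choices.

```python
"""Added example (neither AccessData's nor ssdeep's code): a small context-triggered
piecewise hash (CTPH), the kind of fuzzy hash described above, written to show where
the 0-100 similarity score comes from and why two fuzzy hashes are only comparable
when their blocksizes are equal, half or double (Table 4-4). The rolling hash, the
7-byte window, the difflib-based scoring and the sample files are this example's own."""
import difflib
import hashlib
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7          # bytes of context the rolling hash covers
MIN_BLOCKSIZE = 3
SPINE_LENGTH = 64   # target number of characters per signature string
MIN_COMMON = 7      # shortest shared run that counts as real similarity


def choose_blocksize(length: int) -> int:
    """Smallest blocksize (MIN_BLOCKSIZE times a power of two) giving about SPINE_LENGTH chunks."""
    bs = MIN_BLOCKSIZE
    while bs * SPINE_LENGTH < length:
        bs *= 2
    return bs


def piecewise_hash(data: bytes, blocksize: int) -> str:
    """One character per chunk; a chunk ends wherever the rolling hash of the last
    WINDOW bytes, taken modulo blocksize, equals blocksize - 1."""
    out, chunk, window, roll, pending = [], hashlib.sha1(), bytearray(), 0, False
    drop = pow(31, WINDOW, 1 << 32)       # weight of the byte leaving the window
    for b in data:
        chunk.update(bytes([b]))
        pending = True
        window.append(b)
        roll = (roll * 31 + b) % (1 << 32)
        if len(window) > WINDOW:
            roll = (roll - window.pop(0) * drop) % (1 << 32)
        if roll % blocksize == blocksize - 1:
            out.append(ALPHABET[chunk.digest()[0] % 64])
            chunk, pending = hashlib.sha1(), False
    if pending:                           # trailing partial chunk
        out.append(ALPHABET[chunk.digest()[0] % 64])
    return "".join(out)


def fuzzy_hash(data: bytes) -> str:
    """Signature 'blocksize:spine:spine_at_double_blocksize'."""
    bs = choose_blocksize(len(data))
    return f"{bs}:{piecewise_hash(data, bs)}:{piecewise_hash(data, bs * 2)}"


def comparable_blocksizes(a: int, b: int) -> bool:
    """The rule in Table 4-4: only equal, half or double blocksizes can be compared."""
    return a == b or a == 2 * b or b == 2 * a


def _score(a: str, b: str) -> int:
    """0-100 similarity of two spines; no shared run of MIN_COMMON characters means 0."""
    m = difflib.SequenceMatcher(None, a, b)
    if m.find_longest_match(0, len(a), 0, len(b)).size < MIN_COMMON:
        return 0
    return round(100 * m.ratio())


def compare(sig_a: str, sig_b: str):
    """Similarity score of two signatures, or None when their blocksizes are not comparable."""
    bs_a, a1, a2 = sig_a.split(":")
    bs_b, b1, b2 = sig_b.split(":")
    bs_a, bs_b = int(bs_a), int(bs_b)
    if not comparable_blocksizes(bs_a, bs_b):
        return None
    if bs_a == bs_b:
        return max(_score(a1, b1), _score(a2, b2))
    if bs_a * 2 == bs_b:        # a's double-blocksize spine lines up with b's base spine
        return _score(a2, b1)
    return _score(a1, b2)


# Constructed samples: a 4000-byte file, a copy with 100 bytes rewritten in the
# middle, and an unrelated file of the same size.
_rng = random.Random(7)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(4000))
SIMILAR = ORIGINAL[:2000] + bytes(_rng.getrandbits(8) for _ in range(100)) + ORIGINAL[2100:]
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(4000))


def demo() -> dict:
    """Scores of ORIGINAL against itself, SIMILAR and UNRELATED."""
    h = fuzzy_hash(ORIGINAL)
    return {"self": compare(h, h),
            "similar": compare(h, fuzzy_hash(SIMILAR)),
            "unrelated": compare(h, fuzzy_hash(UNRELATED))}
```

The self comparison scores 100, the copy with 100 altered bytes still scores high
because only the chunks overlapping the change produce different characters, and the
unrelated file scores 0 because no run of seven characters is shared. A 400-byte file
gets blocksize 12 while the 4000-byte samples get 96, so compare() returns None for
that pair: this is the situation the Fuzzy Hash blocksize column lets an examiner
recognise.
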
SELECTING DTSEARCH TEXT INDEXING OPTIONS
This new feature gives you almost complete control over what goes in your case index.
These options can be selected to apply globally from Case Management by clicking
Tools > Create Options File to bring up the Detailed Options dialog. In the Evidence
Processing screen, mark the dtSearch Text Index box, then click Indexing Options to bring
up the Indexing Options screen shown in the figure below.

Figure 4-4 dtSearch Text Index: Indexing Options

To adjust these options for a single case, in Case Management, click Case > New >
Detailed Options. Again, in the Detailed Options: Evidence Processing dialog, mark the
dtSearch Text Index box, then click Indexing Options to bring up the Indexing Options
screen shown in the figure above.
For more detailed information regarding the Indexing Options dialog, see “Chapter 7
Searching a Case” on page 143.

SELECTING DATA CARVING OPTIONS
Data Carving gives you the choice of which file types to carve, as seen in the following
figure:

When you choose to carve data, select which types of data to carve, according to the
information below:
1. Select Data Carve.
2. Click Carving Options.
3. Mark the Exclude KFF Ignorable box to specify not to carve those files.
4. Select the types of files you want carved.

• Click Select All to select all file types to be carved.
• Click Clear All to unselect all file types.
• Select individual file types by marking the checkboxes.
5. Define the optional limiting factors to be applied to each file type.

• Define the minimum byte file size for the selected type.
• Define the minimum pixel height for graphic files.
• Define the minimum pixel width for graphic files.
6. Click OK.

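The following Python script is an added example, not AccessData code, of what the
carving options above amount to: it scans a constructed block of "unallocated space" for
the header signatures of the selected file types, recovers each candidate up to its
trailer bytes, and then applies the limiting factors (Exclude KFF Ignorable, minimum byte
size, minimum pixel height and width for graphics). Ending a carved file at its trailer
bytes is a simplification of this example, and the file types, the sample files and the
KFF entry are constructed.

```python
"""Added example (not AccessData code): a file-signature carver modelling the Data
Carving options above (which file types to carve, Exclude KFF Ignorable, minimum
byte size, minimum pixel height and width). It scans a constructed block of
"unallocated space". Ending a carved file at its trailer bytes is a simplification
of this example; the sample files and KFF entry are constructed."""
import hashlib
import struct

# Header signatures and trailer bytes for the two types this example carves.
CARVE_TYPES = {
    "GIF": {"headers": (b"GIF87a", b"GIF89a"), "trailer": b"\x3b"},
    "JPEG": {"headers": (b"\xff\xd8\xff",), "trailer": b"\xff\xd9"},
}


def gif_dimensions(data: bytes):
    """(width, height) from the GIF logical screen descriptor: two little-endian
    16-bit values at offset 6; None when the data is too short."""
    return struct.unpack_from("<HH", data, 6) if len(data) >= 10 else None


def make_gif(width: int, height: int, payload: bytes) -> bytes:
    """Constructed minimal GIF89a: header, screen descriptor, payload, trailer."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00" + payload + b"\x3b"


def _passes(kind, data, exclude_kff, min_size, min_width, min_height) -> bool:
    """Apply the limiting factors from the Carving Options dial to one candidate."""
    if len(data) < min_size:
        return False
    if hashlib.sha1(data).hexdigest() in exclude_kff:        # Exclude KFF Ignorable
        return False
    if kind == "GIF" and (min_width or min_height):
        dims = gif_dimensions(data)
        if dims is None or dims[0] < min_width or dims[1] < min_height:
            return False
    return True


def carve(blob: bytes, types=("GIF", "JPEG"), exclude_kff=frozenset(),
          min_size=0, min_width=0, min_height=0) -> list:
    """Return (offset, type, contents) for every carved file that passes the limits.
    exclude_kff holds SHA-1 hex digests of files the KFF marks ignorable."""
    found = []
    for kind in types:
        spec = CARVE_TYPES[kind]
        for header in spec["headers"]:
            start = blob.find(header)
            while start != -1:
                end = blob.find(spec["trailer"], start + len(header))
                if end == -1:
                    break
                end += len(spec["trailer"])
                candidate = blob[start:end]
                if _passes(kind, candidate, exclude_kff, min_size, min_width, min_height):
                    found.append((start, kind, candidate))
                start = blob.find(header, end)
    return sorted(found)


# Constructed "unallocated space": zero padding around three GIFs and one JPEG.
BIG_GIF = make_gif(320, 240, bytes(range(1, 0x3b)) * 3)   # payload never contains the trailer byte
TINY_GIF = make_gif(2, 2, b"\x01\x02\x03")
KNOWN_GIF = make_gif(64, 64, b"\x10" * 20)                 # pretend the KFF knows this one
JPEG = b"\xff\xd8\xff\xe0" + b"\x11" * 300 + b"\xff\xd9"
UNALLOCATED = (b"\x00" * 50 + BIG_GIF + b"\x00" * 20 + TINY_GIF + b"\x00" * 7
               + JPEG + b"\x00" * 13 + KNOWN_GIF + b"\x00" * 40)
KFF_IGNORABLE = frozenset({hashlib.sha1(KNOWN_GIF).hexdigest()})

if __name__ == "__main__":
    for offset, kind, data in carve(UNALLOCATED, exclude_kff=KFF_IGNORABLE,
                                    min_size=100, min_width=16, min_height=16):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

With no limits all four embedded files are carved; raising the minimum pixel size drops
the 2x2 GIF, the KFF exclusion drops the known GIF, and a minimum size of 100 bytes
leaves only the large GIF and the JPEG.
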
INDEXING A CASE
All evidence should be indexed to aid in searches. Index evidence when it is added to
the case by checking the dtSearch Text Index box on the Evidence Processing Options
dialog, or index after the fact by clicking and specifying indexing options.
Another factor that can determine which processes to select is schedule. Time
constraints may not allow for all tasks to be performed initially. For example, if you
disable indexing, it shortens the time needed to process a case. You can return at a later
time and index the case if needed.

SELECTING EVIDENCE DISCOVERY OPTIONS
The Custom File Identification file is a text file that overrides the file types assigned by
FTK during preprocessing. With this file, FTK can assign custom file types to specific
files.
The Evidence Discovery Options dialog lets you select the Custom File Identification
file to apply to a new case. This file is stored elsewhere on the system, and the location
is determined by the user. The following figure represents the Evidence Discovery
Options window in the detailed options dialog. The location can be browsed to by
clicking Browse, or reset to the root drive folder by clicking Reset.
Figure 4-5 Evidence Discovery Options

CREATING THE CUSTOM FILE IDENTIFICATION FILE
The Custom File Identification file, or Custom Identifier, creates the new branch “File
Category\User Types” on the Overview tab, under which the new file type assignments
appear.
The Custom File Identification file can be created in a text editor or similar utility. Each
line in the file represents a custom file type assignment. The general format is:
name, description, category[, offset:value [| offset:value]* ] +
For example, the line,
"MyGIF","Tim's GIF","Graphics",0:"47 49 46 38 37"|0:"47 49 46 38 39"
creates a branch called “MyGIF” under “File Category\User Types.” The offset:value
rules in this case look for the string “GIF87” or “GIF89” at offset 0.
The following table describes the parameters for Custom File Identification files:

TABLE 4-5 Custom Identification File Parameters

name
    The type displayed in the Overview tree branch. It also appears in the Category
    column.

description
    Accompanies the Overview tree branch’s name.

category
    The Overview tree branch under which the file would normally appear relative to
    “File Category\user types\.”

offset
    A decimal representation of the offset into the file (the first byte of the file
    is 0).

value
    An even number of hex bytes or characters with arbitrary white space.

Note: The investigator must use at least one offset:value pair (hence the [...]+), and use
zero or more OR-ed offset:value pairs (the [...]*). All of the offset:value conditions in
an OR-ed group are OR-ed together, then all of those groups are AND-ed together.

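The following Python script is an added example, not AccessData code, of a parser and
matcher for the Custom File Identification line format just described, including the
MyGIF line from the page and the AND/OR rule from the note. The grammar and the
evaluation rule are the page's; how a value is read (as hex bytes when it is an
even-length run of hex digits, as literal characters otherwise), the two extra rules, and
the sample file contents are this example's own assumptions.

```python
"""Added example (not AccessData code): a parser and matcher for the Custom File
Identification file format described above. The line grammar and the AND/OR rule
come from the page; reading a value as hex bytes when it is an even-length run of
hex digits and as literal characters otherwise is this example's own assumption,
as are the sample rules and file contents."""
import csv
import io
import re

HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def parse_value(text: str) -> bytes:
    """'47 49 46 38 37' -> b'GIF87'; 'tEXt' -> b'tEXt' (assumption: hex if it parses as hex)."""
    raw = text.strip().strip('"')
    compact = re.sub(r"\s+", "", raw)
    return bytes.fromhex(compact) if HEX_RUN.match(compact) else raw.encode("latin-1")


def parse_rule(line: str) -> dict:
    """name, description, category[, offset:value [| offset:value]* ]+"""
    fields = next(csv.reader(io.StringIO(line), skipinitialspace=True))
    if len(fields) < 4:
        raise ValueError("a rule needs name, description, category and one or more offset:value groups")
    name, description, category = (f.strip() for f in fields[:3])
    groups = []
    for group in fields[3:]:                     # comma-separated groups are AND-ed
        conditions = []
        for cond in group.split("|"):            # '|'-separated pairs inside a group are OR-ed
            offset, value = cond.split(":", 1)
            conditions.append((int(offset), parse_value(value)))
        groups.append(conditions)
    return {"name": name, "description": description, "category": category, "groups": groups}


def parse_file(text: str) -> list:
    """One rule per non-blank line."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def rule_matches(rule: dict, data: bytes) -> bool:
    """Every group must hold; a group holds if any of its offset:value pairs is present."""
    return all(
        any(val and data[off:off + len(val)] == val for off, val in group)
        for group in rule["groups"]
    )


def identify(rules: list, data: bytes):
    """(name, category) of the first matching rule, the branch FTK would show under
    File Category\\User Types; None when no custom type applies."""
    for rule in rules:
        if rule_matches(rule, data):
            return rule["name"], rule["category"]
    return None


# Constructed custom identification file: the page's MyGIF line plus two more rules.
CUSTOM_ID_FILE = '''
"MyGIF","Tim's GIF","Graphics",0:"47 49 46 38 37"|0:"47 49 46 38 39"
"ShellScript","Script with a #! line","Scripts",0:"#!"
"TaggedPNG","PNG whose first chunk after IHDR is text","Graphics",0:"89 50 4E 47 0D 0A 1A 0A",37:"tEXt"|37:"iTXt"
'''

# Constructed sample contents.
GIF87 = b"GIF87a" + b"\x00" * 20
SCRIPT = b"#!/bin/sh\necho hello\n"
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17   # 33 bytes: signature + IHDR chunk
PNG_TEXT = PNG_HEAD + b"\x00\x00\x00\x05tEXt" + b"\x00" * 10                # chunk type lands at offset 37
PNG_PLAIN = PNG_HEAD + b"\x00\x00\x00\x05IDAT" + b"\x00" * 10

if __name__ == "__main__":
    rules = parse_file(CUSTOM_ID_FILE)
    for label, data in (("gif", GIF87), ("script", SCRIPT), ("png-text", PNG_TEXT), ("png-plain", PNG_PLAIN)):
        print(label, identify(rules, data))
```

The TaggedPNG rule shows the AND/OR evaluation: the PNG signature group must hold and
one of the two offset-37 alternatives must hold, so a PNG whose first chunk after IHDR
is IDAT gets no custom type. Values containing a comma or a pipe are not supported by
this parser.
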
SELECTING EVIDENCE REFINEMENT (ADVANCED) OPTIONS
The Evidence Refinement (Advanced) Options dialog allows you to specify how the
evidence is sorted and displayed. The Evidence Refinement (Advanced) option allows
you to exclude specific data from an individual evidence item.

62

AccessData FTK 2.2 User Guide

Many factors can affect which processing tasks to select. For example, if you have
specific information available, you may not need to perform a full text index. Or, if it is
known that compression or encryption is not used, an entropy test may not be needed.
After data is excluded from an evidence item in a case, the same evidence cannot be
added back into the case to include the previously excluded evidence. If data that was
previously excluded is found necessary, the user must remove the related evidence item
from the case, then add the evidence again, using options that will include the desired
data.
Use the following steps for refining case evidence:
1. Click the Evidence Refinement (Advanced) icon in the left pane.

The Evidence Refinement (Advanced) dialog is organized into two tabs:

• Refine Evidence by File Status/Type
• Refine Evidence by File Date/Size
2. Click the corresponding tab to access the desired refinement type.
3. Set the needed refinements for the current evidence item.
4. To reset the menu to the default settings, click Reset.

REFINING EVIDENCE BY FILE STATUS/TYPE
Refining evidence by file status and type allows the user to focus on specific files
needed for a case. The following figure displays the detailed options dialog with
Evidence Refinement selected.


Figure 4-6 Evidence Refinement by File Status/Type

The following table outlines the options in the Refine Evidence by File Status/Type
dialog:
TABLE 4-6 Refine Evidence by File Status/Type Options

Options                      Description
Include File Slack           Mark to include file slack space in which evidence may
                             be found.
Include Free Space           Mark to include unallocated space in which evidence
                             may be found.
Include KFF Ignorable Files  Mark to include files flagged as ignorable in the KFF
                             for analysis.
Deleted                      Specifies the way to treat deleted files. Options are:
                             • Ignore Status
                             • Include Only
                             • Exclude
                             Defaults to “Ignore Status.”
Encrypted                    Specifies the way to treat encrypted files. Options are:
                             • Ignore Status
                             • Include Only
                             • Exclude
                             Defaults to “Ignore Status.”
From Email                   Specifies the way to treat email files. Options are:
                             • Ignore Status
                             • Include Only
                             • Exclude
                             Defaults to “Ignore Status.”
Include OLE Streams          Includes Object Linked or Embedded (OLE) files
                             found within the evidence.
File Types                   Specifies types of files to include and exclude.
Match using both File Type   Applies selected criteria from both tabs to the evidence
and File Status criteria     as it is processed.

REFINING EVIDENCE BY FILE DATE/SIZE
Make the addition of evidence items dependent on a date range or file size specified by
the investigator. The following figure represents this type of selection dialog.


Figure 4-7 Evidence Refinement Dialog

The following table outlines the options in the Refine Evidence by File Date/Size
dialog:
TABLE 4-7 Define Evidence by File Date/Size Options

Exclusion                     Description
Refine Evidence by File Date  To refine evidence by file date:
                              1. Select Created, Last Modified, or Last Accessed.
                              2. In the two date fields, enter beginning and ending dates.
Refine Evidence by File Size  To refine evidence by file size:
                              1. In the two size fields, enter the At Least and At Most file size values.
                              2. In the drop-down list, select Bytes, KB, or MB.

SELECTING INDEX REFINEMENT (ADVANCED) OPTIONS
The Index Refinement (Advanced) feature allows you to specify types of data that do
not need to be indexed. Data can be excluded to save time and resources and to
increase searching efficiency.
Note: AccessData strongly recommends using the default index settings.


To refine an index, in the Detailed Options dialog perform the following steps:
1. Click Index Refinement (Advanced) in the left pane.
2. The Index Refinement (Advanced) dialog is organized into two tabs:

• Refine Index by File Status/Type
• Refine Index by File Date/Size
3. Click the corresponding tab to access the desired refinement type.
4. Set the refinements for the current evidence item.

To reset the menu to the default settings, click Reset.

REFINING AN INDEX BY FILE STATUS/TYPE
Refining an index by file status and type lets the investigator focus attention on the
specific files needed for a case; the refined index is defined in the dialog shown in the
following figure.
At the bottom of the two Index Refinement tabs you can choose to mark the box for
Only index items that match both File Status AND File Types criteria, if that suits your needs.
Figure 4-8 Index Refinement Dialog


The following table outlines the options in the Refine Index by File Status/Type dialog:
TABLE 4-8 Refine Index by File Status/Type Options

Options                      Description
Include File Slack           Mark to include slack space at the end of a file footer, in
                             which evidence may be found.
Include Free Space           Mark to include both allocated (partitioned) and unallocated
                             (unpartitioned) space in which evidence may be found.
Include KFF Ignorable Files  Mark to include files flagged as ignorable in the KFF for
                             analysis.
Deleted                      Specifies the way to treat deleted files. Options are:
                             • Ignore status
                             • Include only
                             • Exclude
Encrypted                    Specifies the way to treat encrypted files. Options are:
                             • Ignore status
                             • Include only
                             • Exclude
From Email                   Specifies the way to treat email files. Options are:
                             • Ignore status
                             • Include only
                             • Exclude
Include OLE Streams          Mark to include encrypted files.
File Types                   Specifies types of files to include and exclude.
Match using both File Type   Applies both criteria to the refinement.
and File Status criteria

REFINING AN INDEX BY FILE DATE/SIZE
Refine index items dependent on a date range or file size specified by the user as
displayed in the following figure:


Figure 4-9 Index Refinement by File Date/Size

The following table outlines the options in the Refine Index by File Date/Size dialog:
TABLE 4-9 Refine Index by File Date/Size Options

Exclusion                  Description
Refine Index by File Date  To refine index content by file date:
                           1. Select Created, Last Modified, or Last Accessed.
                           2. In the date fields, enter beginning and ending dates within
                              which to include files.
Refine Index by File Size  To refine index content by file size:
                           1. In the two size fields, enter minimum and maximum file
                              sizes to include.
                           2. In the drop-down lists, select whether the specified
                              minimum and maximum file sizes refer to Bytes, KB, or
                              MB.

CREATING THE CASE
When you have finished selecting all the initial case options, you are ready to create the
case. No evidence has been added to the case yet. Click OK >OK to begin case creation.
FTK indicates that it is creating the case and asks you to please wait.


Figure 4-10 Please Wait While the Case is Being Created

ADDING EVIDENCE TO A NEW CASE
When case creation is complete, the Manage Evidence dialog appears. Evidence items
added here will be processed using the options you selected in pre-processing.
To add evidence to a case, do the following:
1. Click Add. The Select Evidence Type dialog appears.

2. Select the type of evidence item(s) to add to the case at this time.
3. Click OK.
4. Browse to the evidence item(s) to add. Select the item(s). Click Open.
5. If you are in Field Mode, the Manage Evidence dialog will indicate Field Mode
below the Time Zone selection, and you will not be able to specify any detailed
evidence options; you will still be able to change the Language Setting, however, as
shown in the figure below:

If you are not in Field Mode, the Detailed Options button will be available. Click
Detailed Options to override settings that were previously selected for evidence added
to this case. If you do not click Detailed Options here, the options that were specified
prior to adding the evidence will be used.
6. Complete the Manage Evidence dialog as indicated in the following table:
TABLE 4-10 Manage Evidence Options

Option              Description
Add                 Opens the Select Evidence Type dialog. Click to select the evidence
                    type, and a Windows Explorer instance will open, allowing you to
                    navigate to and select the evidence you choose.
Remove              Displays a caution box and asks if you are sure you want to remove
                    the selected evidence item from the case. Removing evidence items
                    that are referenced in bookmarks and reports will remove references
                    to that evidence and they will no longer be available. Click Yes to
                    remove the evidence, or click No to cancel the operation.
Display Name        The filename of the evidence being added.
Path                The full pathname of the evidence file.
                    Note: Use universal naming convention (UNC) syntax in your evidence path
                    for best results.
ID/Name             The optional ID/Name of the evidence being added.
Description         The optional description of the evidence being added. This can be the
                    source of the data, or other description that may prove helpful later.
Time Zone           The time zone of the original evidence. Select a time zone from the
                    drop-down list.
Language Setting    Select the code page for the language to view the case in. The
                    Language Selection dialog contains a drop-down list of available code
                    pages. Select a code page and click OK.
Case KFF Options    Opens the KFF Admin box for managing KFF libraries, groups, and
                    sets.
Refinement Options  Displays the Refinement Options for Evidence Processing. This
                    dialog has limited options compared to the Refinement Options
                    selectable prior to case creation. For example, here you cannot
                    choose Flag Duplicate Files, and you cannot create an HTML file
                    listing. You cannot select Save as My Defaults, but you can click Reset
                    to reset these options to the Factory Defaults. Select the options to
                    apply to the evidence being added, then click OK to close the dialog.
7. When you are satisfied with the evidence options selected, click OK.

PROCESSING EVIDENCE
FTK shows the Data Processing Status screen with at least one progress bar similar to
those in the following figures:
Note: The count displayed in the progress bar is not equal to the number of items in the case.

Figure 4-11 Data Processing Status: Pending


Figure 4-12 Data Processing Status: Once Complete, One In Progress

Figure 4-13 Data Processing Status: Successfully Completed

A blue progress bar for each task measures percentage complete by a ratio, or simply by
a moving bar as each task progresses. An hourglass icon at the front of the bar indicates
that the task is in progress, while a checkmark indicates that the task completed. When
the task is complete, the blue progress bar turns green.

• Click and drag the Scroll Bar to view processing jobs that do not display within the
default viewing area.

• Click Close All Completed to leave the Data Processing Status window open while
any incomplete tasks remain open.

• Click the Close button adjacent to any individual task to remove that task and its
progress bar from the dialog.

• Check Close Progress Bars when completed to automatically close each task bar as its task
completes.

• Click the Close button to close the Data Processing Status Window. This closes
only the display and does not cancel any current tasks.

THE FTK USER INTERFACE
When a case has been created, before evidence has been added you will see the FTK
User Interface. The FTK User Interface is described in detail in Chapter 5. For more
information, see “Chapter 5 Adding and Processing Evidence” on page 77.

VIEWING PROCESSED ITEMS
It is not necessary to wait for the program to finish processing the case to start
analyzing data. The metadata—the information about the evidence—can be viewed in
several modes before the evidence processing is complete. When processing completes
you can view all the evidence from the various tabs.

Important: Do not attempt to do any search prior to processing completion.
You can view processed items from the tabbed views, but searching
during indexing may corrupt the index and render the case useless.

BACKING UP THE CASE
If a case is prematurely or accidentally deleted, or becomes corrupted, it can be restored
from backup.
Back up your case from the Case Management window.
When backing up a case, FTK copies case information and database files (but not the
evidence) to a chosen folder. Keep copies of your drive images and other evidence
independent of the backed-up case. Individual files and folders processed into the case
are converted to an .AD1 (custom content) image and are stored in the case folder.

Important: Case administrators back up cases and must protect the library of
backups against unauthorized restoration, because the user that restores
an archive becomes the case administrator.
Note: FTK does not compress the backup file. A backed-up case requires the same amount of
space as the database plus the case folder.


To back up a case perform the following steps:
1. In the Case Management window, click Case > Backup.

2. In the Save As dialog, select an archive folder location.
3. Click Save.

RESTORING A CASE
If a case is prematurely or accidentally deleted, or it becomes corrupted, it can be
restored from the backup.
To restore a case:
1. In the Case Management window, click Case > Restore.
2. Browse to and select the archive folder to be restored.
3. Click OK.

DELETING A CASE
To delete a case from the database:
1. In the Case Management window, highlight the case to delete from the database.
2. Click Case > Delete.
3. Click Yes to confirm deletion. Allow ample time for the case to be deleted.

STORING CASE FILES
Storing case files and evidence on the same drive substantially taxes the processors’
throughput. The system slows as it saves and reads huge files. For desktop systems in
laboratories, increase the processing speed by saving evidence files to a separate server.
For more information, see the “Installation Configuration Options” on page 14.


If taking the case off-site, you can choose to compromise some processor speed for the
convenience of having your evidence and case on the same drive, such as on a laptop.


Chapter 5 Adding and Processing Evidence

After creating a case in AccessData Forensic Toolkit (FTK) Case Management, open
the case. Investigate the case by running searches, bookmarking, and exporting relevant
files, verifying the drive image integrity, identifying the evidence, and performing other
tasks. For more information regarding creating a new case, see “Chapter 4 Starting a
New FTK 2.2 Case” on page 45.

OPENING AN EXISTING CASE
Open an existing case from the FTK Case Management. To open an existing case,
perform the following steps:
1. Log on to FTK 2.2.
2. Double-click on the case you want to open, or highlight the case and click Case >
Open.

ADDING EVIDENCE
After setting up a case, evidence must be added to it for processing. Additional
evidence files and images can be added and processed later, if needed, as evidence in
the case.
To add evidence to an existing case, select Evidence > Add/Remove from the menu bar
and continue as shown below.
Note: Use universal naming convention (UNC) syntax in your evidence path for best results.


Figure 5-1 Managing Evidence

To add new evidence to the case perform the following steps.
1. Click Add to choose the type of evidence items to add into a new case.

Note: Evidence taken from any physical source that is removable, whether it is a “live” drive or
an image, will become inaccessible to the case if the drive letters change or the evidence-
bearing source is moved. Instead, create a disk image of this drive, save it either locally or
to the drive you specified during installation, then add the disk image to the case.
Otherwise, be sure the drive will be available whenever working on the case.
2. Mark the type of evidence to add, then click OK.
3. Browse to and select the evidence item from the stored location.
4. Click OK.
Note: Folders and files not contained in an image when added to the case will be imaged in
the AD1 format and stored in the case folder. If you select AD1 as the image type, you
can add these without creating an image from the data.


4a. (Optional) Click the ellipsis button at the end of the Path field to browse
to another path.
5. Fill in the ID/Name field with any specific ID or Name data applied to this evidence
for this case.
6. Use the Description field to enter a description of the evidence being added.
7. Select the Time Zone of the evidence where it was seized in the Time Zone field.
This is required to save the added evidence.
After selecting an Evidence Type, and browsing to and selecting the evidence item,
the selected evidence displays under Display Name. The Status column shows a plus
(+) symbol to indicate that the file is being added to the case.
8. Click Refinement Options to open the Refinement Options dialog with a set similar to
the Refinement Options set at case creation.

The sections available are:

• Evidence Processing
• Evidence Refinement (Advanced)
• Index Refinement (Advanced)
For more information on Evidence Processing options, see “Selecting Evidence
Processing Options” on page 50.


For more information on Evidence Refinement (Advanced) options, see “Selecting
Evidence Refinement (Advanced) Options” on page 63.
For more information on Index Refinement (Advanced), see “Selecting Index
Refinement (Advanced) Options” on page 66.
9. Click OK to accept the settings and to exit the Manage Evidence dialog.
10. Select the KFF Options button to display the KFF Admin dialog.
Note: The AD Alert and the AD Ignore Groups are selected by default.

See “Using the Known File Filter” on page 172 for detailed information about the KFF.
11. Click Done to accept settings and return to the Manage Evidence dialog.
12. Click Language Settings to select the codepage for the language for viewing the
evidence.
13. Click OK to add and process the evidence.

SELECTING A LANGUAGE
If you are working with a case including evidence in another language, or you are
working with a different language OS, click Language Settings from the Manage Evidence
dialog.


Figure 5-2

The Language Setting dialog appears, allowing you to select a code page from a dropdown list. When the setting is made, click OK.

ADDITIONAL ANALYSIS
To further analyze selected evidence, click Evidence > Additional Analysis. The following
figure represents the Additional Analysis dialog.
Figure 5-3 Additional Analysis Dialog

Most of the tasks available during the initial evidence processing remain available with
Additional Analysis. Specific items can also be targeted. Multiple processing tasks can
be performed at the same time.


Make your selections based on the information in the table below. Click OK when you
are ready to continue.
Field           Description
File Hashes     These options create file hashes for the evidence. The options are:
                • MD5 Hash
                • SHA-1
                • SHA-256
                • Fuzzy Hash
                • Flag Duplicates
                Choosing one of these hash options creates a digital fingerprint based
                on the contents of the file. This fingerprint can be used to verify file
                integrity and to identify duplicate files. To flag the identified duplicate
                files, select Flag Duplicates. Marking Flag Duplicates produces an
                information message stating that “Changing this setting will apply to all
                items, regardless of whether “All Items” is selected. Proceed anyway?”
                Click Yes to flag all duplicates found in the case, or click No to unmark
                Flag Duplicates.
                For more information about MD5 hashes, see “Message Digest 5” on
                page 294. For more information about SHA hashes, see “Secure Hash
                Algorithm” on page 296. For more information about Fuzzy Hashing,
                see “Fuzzy Hashing” on page 53.
Field Mode      If you are processing this case in Field Mode, you can select File
                Signature Analysis, which is not otherwise done in Field Mode.
Target Items    Select the items on which to perform the additional analysis.
                Highlighted and Checked items will be unavailable if no items in the
                case are highlighted or checked. The following list shows the available
                options:
                • Highlighted Items: Performs the additional analysis on the items
                  highlighted in the File List pane when you select Additional
                  Analysis.
                • Checked Items: Performs the additional analysis on the checked
                  evidence items in the File List pane when you select Additional
                  Analysis.
                • Currently Listed Items: Performs the additional analysis on all the
                  evidence items currently listed in the File List pane when you
                  select Additional Analysis.
                • All Items: Performs the additional analysis on all evidence items in
                  the case.
Search Indexes  Choose dtSearch® Index to create a dtSearch index that enables index
                searches. Marking dtSearch® Index activates the Entropy Test check box.
                Select Entropy Test to exclude compressed or encrypted items from the
                index.
KFF             Select KFF Lookup to filter targeted files in the KFF. When KFF Lookup
                is selected, the user can select to Recheck previously processed items when
                searching for new information, or when a KFF group is added or
                changed.
Carving         Click Carving Options to select the file types to carve. Options are:
                • Data Carve: When selected, the Carving Options button is active.
                • Meta Carve: Marking or unmarking has no effect on the Carving
                  Options button.
                Carving uses file signatures to identify deleted files contained in the
                evidence. More detailed information on Data Carving is presented
                following this table.
Miscellany      These miscellaneous options apply when performing the additional
                analysis:
                • Expand Compound Files: Opens compound files such as ZIP and
                  indexes the contained files.
                • Generate Thumbnails for Graphics: Generates thumbnail graphics of
                  the analyzed graphics.
                • Flag Bad Extensions: Lists file extensions where the extension
                  does not match the data header type from the selected and
                  analyzed files.
                • Generate File Listing (HTML): Generates a list of processed files
                  to an HTML file stored in C:\ftk2-data\[caseID]. This option is
                  unavailable if this option was not selected during case generation.
                For further information on using the EFS, see “Decrypting Files and
                Folders” on page 179.
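As an added example (not FTK code) of what the File Hashes and Flag Duplicates options in the table above compute, the Python below hashes a set of constructed in-memory items with MD5, SHA-1 and SHA-256 in fixed-size chunks, flags each item whose SHA-256 repeats an earlier item, and re-hashes an item to verify its integrity against a recorded digest. The item names, the chunk size and the duplicate_of field are this example's own.

```python
"""Hash evidence items and flag content duplicates.

Added example, not FTK code. It computes the MD5, SHA-1 and SHA-256
digests the Additional Analysis dialog offers, reading each item in fixed
chunks so large files never have to sit in memory at once, then flags every
item whose SHA-256 repeats an earlier item (what a Flag Duplicates pass
needs) and re-hashes an item to verify its integrity. The sample items,
the chunk size and the duplicate_of field are this example's own.
"""
import hashlib
import io
from dataclasses import dataclass, field
from typing import BinaryIO, Dict, List

CHUNK = 64 * 1024
ALGORITHMS = ("md5", "sha1", "sha256")


@dataclass
class Item:
    name: str
    data: bytes                                  # constructed file content
    hashes: Dict[str, str] = field(default_factory=dict)
    duplicate_of: str = ""                       # first item with the same content


def hash_stream(stream: BinaryIO) -> Dict[str, str]:
    """One pass over the stream feeds all three digests chunk by chunk."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for digest in digests.values():
            digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def flag_duplicates(items: List[Item]) -> List[Item]:
    """Hash every item; later items that repeat an earlier SHA-256 get flagged."""
    first_seen: Dict[str, str] = {}
    for item in items:
        item.hashes = hash_stream(io.BytesIO(item.data))
        key = item.hashes["sha256"]
        if key in first_seen:
            item.duplicate_of = first_seen[key]
        else:
            first_seen[key] = item.name
    return items


def verify_integrity(item: Item, expected_sha256: str) -> bool:
    """Re-hash the item and compare with a previously recorded digest."""
    return hash_stream(io.BytesIO(item.data))["sha256"] == expected_sha256.lower()


def build_sample_items() -> List[Item]:
    """Constructed items: a report, its byte-identical copy and two empty files."""
    report = b"quarterly report line\n" * 5000      # larger than one CHUNK
    return [
        Item("report.docx", report),
        Item("notes.txt", b"meeting notes"),
        Item("report (copy).docx", report),
        Item("empty.dat", b""),
        Item("also_empty.dat", b""),
    ]


if __name__ == "__main__":
    for item in flag_duplicates(build_sample_items()):
        flag = f"  duplicate of {item.duplicate_of}" if item.duplicate_of else ""
        print(f"{item.name}: sha256={item.hashes['sha256'][:16]}...{flag}")
```

Empty files are the edge case worth noticing: every zero-length item hashes to the same well-known digest, so a duplicate-flagging pass will group them together even though they share no meaningful content.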

DATA CARVING
AccessData Forensic Toolkit (FTK) has the ability to carve data. Data carving is the
ability to locate files and objects that have been deleted or that are embedded in other
files.
Because embedded items and deleted files can contain information that may be helpful
in forensic investigations, FTK simplifies the process of recovering these items and
adding them to the case.


The data carving feature allows searching for items, such as graphics, embedded in
other files. It allows the recovery of previously deleted files located in unallocated
space. Users can also carve directory entries to find information about data or
metadata.
To recover embedded or deleted files, FTK searches the case evidence for specific file
headers. Using the data from a file header for a recognized file type, FTK determines
the length of that file, or looks for the file footer, and “carves” the associated data. A
child object is created with a name reflecting the type of object carved and its offset
into the parent object’s data stream. FTK can find any embedded or deleted item as
long as the file header still exists.
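As an added example (not FTK's carver) of the mechanism just described, the Python below scans a constructed block of "unallocated space" for PNG, JPEG and BMP headers, determines each object's extent either from a length field in the header (BMP) or by searching forward for the footer (PNG, JPEG), and creates a child object named after its type and offset into the parent stream. It also shows the failure mode the paragraph implies: a header with no usable length or footer is skipped rather than carved. The signature table, the size bound and the child naming format are this example's own choices.

```python
"""Header/footer data carving over a constructed block of unallocated space.

Added example, not FTK's carver. It shows both extent strategies the guide
describes: read the length from the header (BMP keeps its file size as a
little-endian uint32 at offset 2) or scan forward for the footer (PNG ends
with the IEND chunk, JPEG with FF D9). Signature table, size bound and
child naming are this example's own choices.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

MAX_OBJECT = 16 * 1024 * 1024   # how far to look for a footer (our bound)


@dataclass
class CarvedObject:
    kind: str
    offset: int   # offset into the parent object's data stream
    data: bytes

    @property
    def name(self) -> str:
        """Child name built from type and parent offset (format is ours)."""
        return f"Carved {self.kind} [{self.offset}]"


def _bmp_length(blob: bytes, start: int) -> Optional[int]:
    """BMP: 'BM', then the whole-file size as little-endian uint32 at +2."""
    if start + 14 > len(blob):          # shorter than a BMP file header
        return None
    size = struct.unpack_from("<I", blob, start + 2)[0]
    if size < 14 or start + size > len(blob):
        return None                     # implausible size: not a BMP start
    return size


# (kind, header bytes, footer bytes or None, length-from-header function or None)
SIGNATURES: List[tuple] = [
    ("PNG",  b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", None),
    ("JPEG", b"\xff\xd8\xff",      b"\xff\xd9",       None),
    ("BMP",  b"BM",                None,              _bmp_length),
]


def carve(blob: bytes) -> List[CarvedObject]:
    """Find every recognised header and cut out the object it begins."""
    found: List[CarvedObject] = []
    for kind, header, footer, length_fn in SIGNATURES:
        pos = blob.find(header)
        while pos != -1:
            end: Optional[int] = None
            if length_fn is not None:
                length = length_fn(blob, pos)
                if length is not None:
                    end = pos + length
            else:
                hit = blob.find(footer, pos + len(header), pos + MAX_OBJECT)
                if hit != -1:
                    end = hit + len(footer)
            if end is None:
                # header with no usable length or footer: skip past it
                pos = blob.find(header, pos + 1)
                continue
            found.append(CarvedObject(kind, pos, blob[pos:end]))
            pos = blob.find(header, end)   # resume after the carved object
    found.sort(key=lambda obj: obj.offset)
    return found


def build_sample_blob() -> bytes:
    """Constructed 'unallocated space': filler bytes around three small objects."""
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")                              # 45 bytes
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"   # 31 bytes
    pixels = b"\x00" * 40
    bmp = b"BM" + struct.pack("<I", 14 + len(pixels)) + b"\x00" * 8 + pixels  # 54 bytes
    filler = b"\xcc" * 32
    return filler + png + filler + jpeg + filler + bmp + filler


if __name__ == "__main__":
    for obj in carve(build_sample_blob()):
        print(f"{obj.name}: {len(obj.data)} bytes")
```

A two-byte signature such as "BM" would match constantly in real unallocated space, which is why the length check in _bmp_length rejects sizes that do not fit the remaining data; production carvers add further structure checks for the same reason.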
Data carving can be done when adding evidence to a case, or by clicking Evidence >
Additional Analysis > Data Carve from within a case. You can search all items for the
following file types:
TABLE 5-1 Recognized File Types for Data Carving

• AOL Bag Files
• BMP Files
• EMF Files
• GIF Files
• HTML Files
• JPEG Files
• Link Files
• PDF Files
• OLE Archive Files (Office Documents)
• PDF Files
• PNG Files

You can set additional options to refine the data carving process for the selected file
types.

DATA CARVING FILES WHEN PROCESSING A NEW CASE
Choose to data carve when a case is created by selecting Data Carve in the Evidence
Processing dialog. Select Carving Options and mark the file types to carve.
For more information, see “Selecting Evidence Processing Options” on page 50.

DATA CARVING FILES IN AN EXISTING CASE
Data carving can be performed on previously processed data.
To data carve files in an existing case:


1. Click Evidence > Additional Analysis.
2. Check Data Carve.
3. Click Carving Options.
4. Set the data carving options to use.
5. Click OK to close the Carving Options dialog.
6. Select the target items to carve data from.
7. Click OK.

The carved objects and files are added to the case, and can be searched, bookmarked,
and organized along with the existing files. For more information, see “Chapter 6 Using
Tabs to Explore & Refine Evidence” on page 105.

THE FTK USER INTERFACE
The FTK user interface is comprised of several components. There is a Menu Bar, a
ToolBar, UI Tabs, and various panes. The user interface has many customizable
features. For more information on customizing the FTK 2.2 user interface,
see “Chapter 11 Customizing the Interface” on page 207.

MENU BAR
When a case is created and assigned a user, the FTK Case window opens with the
following menus:
TABLE 5-2 FTK 2.2 Menu Bar Items

• File
• Edit
• View
• Evidence
• Filter
• Tools
• Help
The following tables show the available options from the FTK 2.2 window menus.


FILE MENU OPTIONS
TABLE 5-3 FTK 2.2 File Menu

Option                 Description
Export                 Exports selected files and associated evidence to a designated folder.
Export to Image        Exports one or more files as AD1 files to a storage destination.
Export File List Info  Exports selected file information to files formatted as the Column
                       List in .csv, .tsv, and .txt formats.
Export Word List       Exports the index as a text file from which a dictionary for PRTK
                       can be created.
Report                 Opens the Report Options window for creating a case report.
Close                  Closes the FTK Window and returns to the Case Management
                       window.
Exit                   Closes both the FTK and Case Management windows.

EXPORT FILE LIST INFO
The Export File List Info dialog, as displayed in the following figure, provides the Copy
Special options with the ability to save the information to a file. This file can be saved in
.tsv, .txt, or .csv format. Files saved as .txt are tab-separated text files that display in a
text editor program like Notepad. Files saved as .tsv or .csv open in the default spreadsheet
program.


Figure 5-4 Export File List Info Dialog

Select the Save As options, All Highlighted, All Checked, All Listed, or All, and choose
whether to include a Header Row for the exported file. Select the file type for the
exported data. The default filename is FileList; change it if you choose. The location for
the file is the case folder. Choose the data set to use from the Choose Columns dropdown, or click Column Settings to define your own columns template. For information
on Copy Special, see “Export File List Info” on page 86.
To export a list containing column headings and other information from the File List
perform the following steps:
1. Select File > Export File List Info, or click Export File List on the File List pane, or
right-click on a file in the File List pane and select Export File List Info.
2. Select the File List Items to Export.
3. Choose whether to include a header row in the exported file.
4. Select column information.
5. Specify the filename for the exported information.
6. Browse to and select the destination folder for the exported file.

Click Save.


EXPORTING FILES
FTK allows the export of files used in the investigation. Files can be exported for
additional processing or distribution to other parties. For example, encrypted files can
be exported to decrypt using Password Recovery Toolkit (PRTK). Similarly, registry files
can be exported to analyze them using the Registry Viewer. (Neither PRTK nor Registry
Viewer can read files within a drive image.) The following figure represents the Export
Files dialog.
Figure 5-5 Export Files Dialog

To export files do the following:
1. Click File > Export, or right click on a file in the File List pane and choose Export.
2. Select the export options you want from the Export dialog based on the table below.
TABLE 5-4 Export Files Dialog Options

Option                              Description
Append Item number to Filename      Appends the FTK unique File ID to a filename.
Append extension to filename if     Adds the extension to a filename if it is bad or missing,
bad/absent                          based on the file’s header information.
Expand containers (email archives,  Expands container-type files and exports their
email attachments, etc.)            contents.
Save HTML view (if available)       If a file can be exported and saved in HTML format, it
                                    will be done.
Export PST emails as MSG            Exports PST email format to MSG format for broader
                                    compatibility.
Export directory as file            Creates a file containing the binary data of the directory
                                    being exported.
Export children                     Exports all child files of a parent folder.
Include original path               Includes the full path from the root to the file;
                                    maintains folder structure for exported files.
Export slack space as files         Exports slack space from files and saves it as files for
                                    easier viewing.

3. Select the Items to Include based on the following table:
TABLE 5-5 Export Files Selection Options

Target Item                 Description
All Highlighted Files       All items highlighted in the current file list. Items remain
                            highlighted only as long as the same tab is displayed.
All Checked Files           All items checked in all file lists. You can check files in multiple
                            lists.
All Currently Listed Files  All items in the current file list.
All Files in Case           All items in the case.

Each item displays its filename and path.
4. In the Destination Path field, browse to and select the export file location.

The default path is C:\case_folder\Report\Export\.
5. Click OK to begin the export.

EXPORTING TO IMAGE
You can export selected files to an AccessData Custom Content Image (.AD1). To do
so, follow these steps:


1. Click File > Export to Image.
2. Select the Image Source for your AD1 file.
3. Click OK.
4. In the Create Image dialog, click Add. This brings up the Select Image Destination
dialog.
5. Specify the options under Evidence Item Info and Destination. When you are
satisfied that the information you have provided is accurate, click OK.


6. Select the processing options you want.
7. Specify the Time Zone of the evidence.
8. Click Start to begin the AD1 image creation, or click Cancel to return to the main
FTK 2.2 user interface window.

EXPORTING THE WORD LIST
The contents of the case index can be exported to use as the basis for a custom
dictionary to aid in the password recovery process.

Important: You must have indexed the case to export the word list. If you
have not done so, click Evidence > Additional Analysis. In the Additional
Analysis dialog, under Search Indexes, mark the dtSearch Index check box,
then click OK.
When the index is complete, you can export the word list by doing the following:
1. Select File > Export Word List.
2. Select the Registry Keys to export to the word list.
3. Click Export.
4. Select the filename and location for the exported word list. Click Browse Folders to
select the folder location for the word list file.
The default filename is Ftk2WordList.txt. If you intend to use the word list as the
basis for a custom dictionary in DNA or PRTK, it is a good idea to name the
word list after the case name. For example, FTK2PreciousWordList.txt.
5. Click Save.

EDIT MENU OPTIONS
TABLE 5-6 FTK 2.2 Edit Menu
Option: Description
Copy Special: Duplicates information about the object copied as well as the object
itself, and places the copy in the clipboard.

COPYING INFORMATION FROM FTK
The Copy Special dialog allows you to copy information about the files in your case to
the clipboard. The file information can include any or all column items, such as
filename, file path, file category and so forth. The data is copied in a tab-delimited
format.
To copy file information, perform the following steps:
1. In the file list on any tab, select the files that you want to copy information about.
2. Select Edit > Copy Special, click the Copy Special button on the file list pane, or right-
click the file in the file list and click Copy Special.
3. In the Copy Special dialog, select from the following:
TABLE 5-7 Copy Special Dialog Options
Item: Description
Choose Columns: From the drop-down, select the column template to use, or click
Column Settings to create a custom template.
Include header row: Mark the box to include a header row that uses the column headings
you selected. Leave the box empty to export the data with no header row.
All Highlighted: All items highlighted in the current file list.
Note: Items remain highlighted only as long as the same tab is displayed.
All Checked: All items checked in all file lists. You can check files in multiple lists.
Checked items remain checked until you uncheck them.
Currently Listed: All items in the current file list.
All: All items in the case.
Note: Selecting All Items can create a very large TSV or CSV file, and can
exceed the 10,000 item capacity of the clipboard.
4. In the Choose Columns drop-down list, select the column template that contains the
file information that you want to copy.
5. To define a new column settings template, click Column Settings to open the Column
Settings manager.
5a. Create the column settings template you need.
5b. Click Save to save the changes.
5c. Close the Column Settings manager.
5d. Select the new column settings template from the drop-down list.
For more information about Column Settings, see “Creating and Modifying Column
Settings” on page 214.
6. Click OK to initiate the Copy Special task.


VIEW MENU OPTIONS
TABLE 5-8 FTK 2.2 View Menu
Option: Description
Refresh: Reloads the current view.
Filter Bar: Inserts the filter toolbar into the current tab. These features are
also available from the Filter menu.
Timezone Display: Opens the Time Zone Display dialog.
Thumbnail Size: Selects the size of the thumbnails displayed from the Graphics tab.
Select from:
• Large (default)
• Medium
• Small
• Tiny
Tab Layout: Manages tab settings: the user can lock an existing setting, add and
remove settings, and save settings one tab at a time or all at once. The
user can also restore previous settings or reset them to the default
settings. These options are in the following list:
• Lock
• Add
• Remove
• Save
• Save All Layouts
• Restore
• Reset to Default
Explore Tree: Displays the Explore Tree in the upper-left pane.
Graphics Tree: Displays the Graphics Tree in the upper-left pane.
Overview Tree: Displays the Overview Tree in the upper-left pane.
Email Tree: Displays the Email Tree in the upper-left pane.
Bookmark Tree: Displays the Bookmark pane in the upper-left pane.
Indexed Searches: Displays the Index Search Results pane in the upper-left pane.
Live Searches: Displays the Live Search Results pane in the upper-left pane.
Bookmark Information: Inserts the Bookmark Information pane into the current tab.
File List: Inserts the File List pane into the current tab.
File Content: Inserts the File Content pane into the current tab.
Email Attachments: Displays the attachments to email objects found in the case. Available
only in the Email tab.
Properties: Inserts the Object Properties pane into the current tab view.
Hex Value Interpreter: Displays a pane that provides an interpretation of hex values
selected from the Hex View pane.
Thumbnails: Displays a pane containing thumbnails of all graphics found in the
case.
Progress Window: Opens the Progress dialog, from which you can monitor tasks and/
or cancel them.

The tree and search views are exclusive settings, meaning that you can use only one tree
view per pane, and only one search view per pane.


EVIDENCE MENU OPTIONS
TABLE 5-9 FTK 2.2 Evidence Menu
Option: Description
Add/Remove: Opens the Manage Evidence dialog, used to add and remove
evidence.
Additional Analysis: Opens the Additional Analysis dialog with many of the same
processing options available when the evidence was added. Allows
the user to reprocess using options not selected the previous time.

FILTER MENU OPTIONS
TABLE 5-10 FTK 2.2 Filter Menu
Option: Description
New: Opens the Filter Definition dialog to define a filter. This feature is
also available from the Filter toolbar.
Duplicate: Duplicates a selected filter. This feature is also available from the
Filter toolbar.
Delete: Deletes a selected filter. This feature is also available from the Filter
toolbar.
On: Applies the global filter to the application. The file list changes color
to indicate that the filter is applied. This feature is also available
from the Filter toolbar.
Import: Opens the system file manager, allowing the user to import a pre-existing
filter. This feature is also available from the Filter toolbar.
Export: Opens the system file manager, allowing the user to save a filter.
This feature is also available from the Filter toolbar.
Tab Filter: Allows the selection of a filter to apply to the current tab.

TOOLS MENU OPTIONS
TABLE 5-11 FTK 2.2 Tools Menu
Option: Description
KFF: Known File Filter (KFF) sets and groups can be managed, archived,
and cleared. The following menu option is available:
• Manage
Fuzzy Hash: Allows you to
• Find Similar Files
• Manage Fuzzy Hash Library
Decrypt Files: Decrypts EFS and Microsoft Office files whose passwords match
those entered.
Credant Decryption: Opens the tools for Credant decryption. Credant is a third-party
encryption tool that encrypts files, folders, partitions, or entire disks.
This will be discussed in detail later in this manual.
Verify Image Integrity: Generates hash values of the disk image file for comparison.
Disk Viewer: Opens a viewer that allows you to see and search evidence items.
Other Applications: Opens other AccessData tools to complement the investigational
analysis:
• Imager
• PRTK
• Registry Viewer
• LicenseManager
• Language Selector

VERIFYING DRIVE IMAGE INTEGRITY
A drive image can be altered or corrupted due to bad media, bad connectivity during
image creation, or by deliberate tampering. This feature works with file types that store
the hash within the drive image itself, such as EnCase and SMART images.
To verify an evidence image’s integrity, FTK generates a hash of the current file and
allows you to compare that to the hash of the originally acquired drive image.
To verify that a drive image has not changed, do the following steps:
1. Select Tools > Verify Image Integrity to open the Verify Image Integrity dialog.
In case the image file does not contain a stored hash, FTK can calculate one. The
Verify Image Integrity dialog provides the following information:
TABLE 5-12 Verify Image Integrity
Column: Description
Image Name: Displays the filename of the evidence image to be verified.
Path: Displays the path to the location of the evidence image file.
Command: Click Verify to begin hashing the evidence image file.
2. Click either Calculate or Verify, according to what displays in the Command column,
to begin hashing the evidence file.

The Progress Dialog appears and displays the status of the verification. If the image file
has a stored hash, when the verification is complete, the dialog shows and compares
both hashes. Completing the process may take some time, depending on the size of
the evidence, the processor type, and the amount of available RAM.
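The Calculate/Verify flow described above, as an added Python example that is not code from FTK or from this guide: it streams a raw image through MD5 and SHA-1 and compares the result with the acquisition hashes, which here are passed in as hex strings rather than read from an EnCase or SMART header. The 3 MiB dummy image, the single-byte change and the resulting hashes are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-GB image never has to fit in RAM


def hash_image(path):
    """Stream the image file through MD5 and SHA-1 and return both hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, stored_md5=None, stored_sha1=None):
    """Mirror the dialog's two commands: with no acquisition hash this is
    'Calculate' (verified is None); with one or both hashes it is 'Verify' and
    verified reports whether every supplied hash matches the image on disk."""
    md5, sha1 = hash_image(path)
    result = {"md5": md5, "sha1": sha1, "verified": None}
    checks = []
    if stored_md5 is not None:
        checks.append(hmac.compare_digest(md5, stored_md5.lower()))
    if stored_sha1 is not None:
        checks.append(hmac.compare_digest(sha1, stored_sha1.lower()))
    if checks:
        result["verified"] = all(checks)
    return result


def demo():
    """Constructed scenario: a 3 MiB dummy raw image is hashed 'at acquisition',
    verified intact, verified again after one byte has been changed, and
    finally hashed with no stored value at all."""
    data = bytes(range(256)) * (3 * 1024 * 4)      # 3 MiB of repeating 0x00..0xFF
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.raw")
        with open(path, "wb") as f:
            f.write(data)
        acq_md5, acq_sha1 = hash_image(path)       # stand-in for the stored acquisition hashes
        intact = verify_image(path, acq_md5, acq_sha1)
        with open(path, "r+b") as f:               # simulate a media error or tampering
            f.seek(len(data) // 2)
            f.write(b"\xff")                       # that offset held 0x00 before
        altered = verify_image(path, acq_md5, acq_sha1)
        calculated = verify_image(path)            # no stored hash: Calculate only
    return intact, altered, calculated


if __name__ == "__main__":
    for label, r in zip(("intact", "altered", "calculated"), demo()):
        print(f"{label:10s} md5={r['md5']} sha1={r['sha1']} verified={r['verified']}")
```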

HELP MENU OPTIONS
TABLE 5-13 FTK 2.2 Help Menu
Option: Description
User Guide: Provides a link to the FTK 2.2 User Guide.
Diagnostics: Allows the troubleshooting of database connections.
About: Provides information about the current FTK release.

TOOLBAR COMPONENTS
The FTK interface provides a toolbar for applying QuickPicks and filters to the case.
The following section lists the toolbars and their components.

The following table shows the available components of the toolbar.
TABLE 5-14 Toolbar Components
Component (toolbar icon): Description
• Turns QuickPicks On or Off. The blue border indicates QuickPicks is On. The gray
background and lack of a border indicates QuickPicks is Off.
• Turns the filter on or off. Filtered data is shown in a colored pane to indicate that it
is filtered.
• Applies the selected filter. A drop-down menu lists defined filters.
• Opens the filter definition dialog to define the rules of the current filter, or allows
the creation of a new one.
• Deletes the selected filter.
• Creates a new filter.
• Creates a copy of the selected filter.
• Imports the selected filter from an XML file.
• Exports the selected filter to an XML file.
• Turns the QuickPicks filter on or off. The QuickPicks filter is used in the Explore tab
to populate the file list with only items the investigator wishes to analyze.
• Locks the movable panes in the application, making them immovable. When the
lock is applied, the blue box turns grey.

QUICKPICKS FILTER
The QuickPicks feature is a type of filter that allows the selection of multiple folders
and files in order to focus analysis on specific content. The following figure represents
the Explore Evidence Items tree with a partially selected set of folders and sub-folders
using the QuickPicks feature.
Figure 5-6 QuickPicks Filter Folder Selection

The QuickPicks filter simultaneously displays open and shut descendent containers of
all selected tree branches in the File List at once. The colors of the compound icons
indicate whether descendents are selected.
The icons are a combination of an arrow, representing the current tree level, and a
folder, representing any descendent.
The icons’ colors indicate the levels and descendents selected. Green means all are
selected, yellow means some are selected, and white means none are selected.
In the illustration above, the descendent folder 10-1 Graphics is unselected. Its arrow
icon is white.
The folder icons for the folders above item “10-1 Graphics” are yellow to indicate that
not all descendent folders are selected. The top-most level item “Evidence” has a white
arrow icon, indicating that it is not selected, and a yellow folder icon, indicating that
some of its descendent folders are not selected.
The folder icon for “DT Search Stuff” is green, indicating that all contents of the folder
have been selected.

FILE LIST PANE
The File List pane lists the files available in the current tabbed view. In this pane the
user can choose which columns to display, as well as the order of those columns, create
bookmarks, create labels, copy or export file lists. The File List pane is displayed by
default in all default tabs.
When viewing data in the File List, use the type-down control feature to locate specific
files. When the list is sorted by name, select an item in the list, then type the first letter
of the desired file. FTK will move down the list to the first file beginning with that
letter. The more letters you type, the closer the match will be to the file you are looking
for.
For more information, see “Customizing File List Columns” on page 213.


FILE LIST TOOLBAR
The File List pane includes a toolbar containing these buttons for managing the File
List:
TABLE 5-15 File List Toolbar
Component (toolbar icon): Description
• Checks all of the files in the current list.
• Unchecks all of the files in the current list.
• Unchecks all of the files in the current case.
• Opens the Create New Bookmark dialog box.
• Opens the Manage Labels dialog box.
• Opens the Copy Special dialog box.
• Opens the Export File List dialog, allowing the user to save selected files to another
folder.
• Opens the Column Settings dialog box.
• Sets the columns to a specific set from the following list:
  • Normal (default)
  • Email
  • File Listing
  • Reports: File Path Section
  • Reports: Standard

USING TABS
The FTK 2.x user interface is organized into tabbed pages to make organization and
navigation easier. For a detailed description of the FTK 2.x tabbed pages, see “Chapter
6 Using Tabs to Explore & Refine Evidence” on page 105.


Chapter 6 Using Tabs to Explore & Refine Evidence

Changing tabs helps the investigation team to explore and refine evidence. The
following sections look at each of the tabs in more detail.

EXPLORE TAB
The Explore tab displays all the contents of the case evidence files and drives as the
original user would have seen them. The following figure displays the FTK window
with the Explore Tab selected showing the path from the Evidence to the root (boot
partition) in the Explore Evidence Items tree.


Figure 6-1 Explore Tab

The Explore tab contains the following panes:
TABLE 6-1 Explore Tab Panes
Pane: Description
Explorer Tree Pane: Lists the directory structure of each evidence item, similar to the
way one would view directory structure in Windows Explorer.
An evidence item is a physical drive, a logical drive or partition,
or drive space not included in any partitioned drive, as well as
any file, folder, or image of a drive.
File List: Displays case files and pertinent information about files, such as
filename, file path, file type and many more properties as
defined in the current filter.

AccessData PRKT/DNA User Guide

File Content Pane: Displays the contents of the currently selected file from the File
List. The Viewer toolbar allows the choice of different view
formats. Choices are:
• File Content Tab
The File Content tab has a Default tab and a Web tab for
each of the following tabbed views:
  • Hex Tab
  • Text Tab
  • Filtered Tab
  • Natural Tab
• Properties Tab
• Hex Interpreter Tab

VIEWER PANE
The Viewer pane now contains the File Content, Properties, and Hex Interpreter tabs,
at the bottom of the pane. The File Content, Properties, and Hex Interpreter tabs
default to the bottom left of the File Content pane in any program tab where it is used.
The three tabs can be re-ordered by clicking on a tab and dragging-and-dropping it to
the position in the linear list where you want it. Click any of these tabs to switch
between them. The information displayed applies to the currently selected file in the
File List pane.

PROPERTIES TAB
The Properties tab displays information about a selected file. The following figure
displays the information contained in the Properties tab. This information corresponds
to the file selected in the File List pane.


Figure 6-2 Properties Pane

The following table highlights the components of the Properties pane:
TABLE 6-2 Properties Pane Components
Option: Description
Name: The filename of the selected file.
Item Number: The arbitrary number assigned to the item by FTK 2.2 during case
processing.
File Type: The type of selected file, such as an HTML file or a Microsoft Word
98 document.
FTK uses the file header to identify each item’s file type.

Path: The path to the selected file, from the evidence source down.
General Info: General information about the selected file:
File Size: lists the physical size of the file, including file slack, and the
logical size of the file, excluding file slack.
File Dates: lists the dates and times when the file was created, last
accessed, and last modified on the imaged system. All dates are
listed in UTC time.

File Attributes: The attributes of the file:
General:
• Actual File: True if an actual file; False if derived from an
actual file.
• Start Cluster: Start cluster of the file on the disk.
• Compressed: True if compressed. False otherwise.
• Start Sector: Start sector of the file on the disk.
• File has been examined for slack: True if the file has been
examined for slack. False otherwise.
DOS Attributes:
• Hidden: True if the Hidden attribute was set on the file. False
otherwise.
• System: True if this is a DOS system file. False otherwise.
• Read Only: True or False value.
• Archive: True if Read Only attribute was set on the file. False
otherwise.
• 8.3 Name: Name of the file in the DOS 8.3 naming convention, such as [filename.ext].

NTFS Information:
• NTFS Record Number: The number of the file in the NTFS
MFT record.
• Record Date: UTC time and date the record was created.
• Resident: True if the item was resident, meaning it was stored
in the MFT and the entire file fit in the available space. False
otherwise. (If False, the file would be stored FAT fashion, and
its record would be in the $I30 file in the folder where it was
saved.)
• Offline: True or False value.
• Sparse: True or False value.
• Temporary: True if the item was a temporary file, False otherwise.
• Owner SID: The Windows-assigned security identifier of the
owner of the object.
• Group SID: The Windows-assigned security identifier of the
group that the owner of the object belongs to.
File Content Info: The content information and verification information of the file:
KFF Status: Indicates if the file is identified by the KFF as an
illicit or contraband file, or as an ignorable file.
MD5 Hash: The MD5 (16 bytes) hash of the file (default).
SHA-1 Hash: The SHA-1 (20 bytes) hash of the file (default).
SHA-256 Hash: The SHA-256 (32 bytes) hash of the file (default).

The information displayed in the Properties tab is file-type-dependent, so the selected
file determines what displays. Additional information, if available and depending on file
type, also displays.

HEX INTERPRETER TAB
The Hex Interpreter tab interprets hexadecimal values selected in the Hex tab viewer
on the File Content tab in the Viewer pane into decimal integers and possible time and
date values as well as unicode strings.


Figure 6-3 The Hex Interpreter Tab

The Hex tab displays file contents in hexadecimal format. Use this view together with
the Hex Interpreter pane.
This feature is most useful if the investigator is familiar with the internal code structure
of different file types, and knows exactly where to look for specific data patterns or for
time and date information.
The following figure shows the Hex tab selected, with a portion of the code selected
and interpreted in the Hex Interpreter pane.
Note: The bar symbol indicates that the character in that font is not available, or that an
unassigned space is not filled.


Figure 6-4 Hex Interpreter Tab and Corresponding File Content Pane Hex View Tab

To convert hexadecimal values, do the following:
1. Highlight one to eight contiguous bytes of hexadecimal code in the File Content pane
> File Content tab viewer > Hex tab. (Select two or more bytes for the Unicode string,
depending on the type of data you wish to interpret and view.)
2. Switch to the Hex Interpreter tab at the bottom of the File Content Viewer > Hex tab,
or open it next to, or below, the File Content tab > Hex tab view.
3. The possible valid representations, or interpretations, of the selected code
automatically display in the Hex Value Interpreter.
Little-endian and big-endian refer to which bytes are most significant in multi-byte
data types, and describe the order in which a sequence of bytes is stored in a computer’s
memory. Microsoft Windows generally runs as little-endian, because it was developed
on and mostly runs on Intel-based, or Intel-compatible, machines.
In a big-endian system, the most significant bit value in the sequence is stored first (at
the lowest storage address). In a little-endian system, the least significant value in the
sequence is stored first. These rules apply when reading from left to right, as we do in
the English language. As a rule, Intel-based computers store data in a little-endian
fashion, whereas RISC-based systems such as Macintosh store data in a big-endian
fashion. This would be fine, except that a) AccessData’s products image and process
data from both types of machines, and b) there are many applications that were
developed on one type of system, and are now “ported” to the other system. You can’t
always just apply one rule and automatically know which it is.
FTK 2.2 uses little-endian as the default setting. If you view a data selection in the Hex
Interpreter and it does not seem right, try choosing big-endian to see if the data
displayed makes more sense.
For further information on using the Hex Interpreter pane, see “Hex Interpreter Tab”
on page 110.
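The interpretations the Hex Interpreter offers for a selection of one to eight bytes, as an added Python example (not FTK code): integers in either byte order, a 32-bit Unix time for 4-byte selections, a 64-bit Windows FILETIME for 8-byte selections, and a UTF-16 string for even-length selections, with little-endian as the default and a helper that shows both orders side by side for the "does not seem right" case. The sample selections are constructed, not taken from any evidence item.

```python
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME origin
_EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix time origin

# Constructed sample selections (not taken from any real evidence item)
SAMPLE_UNIX = (1230768000).to_bytes(4, "little")             # 80 07 5C 49: 2009-01-01
SAMPLE_FILETIME = (128752416000000000).to_bytes(8, "little")  # same instant as FILETIME
SAMPLE_UTF16 = "Hi".encode("utf-16-le")                       # 48 00 69 00


def _iso(origin, **delta):
    """Origin plus a timedelta as an ISO-8601 string, or None when the value
    cannot be a date at all (outside the range datetime can represent)."""
    try:
        return (origin + timedelta(**delta)).isoformat()
    except OverflowError:
        return None


def interpret(selection, endian="little"):
    """Candidate interpretations of 1-8 contiguous bytes in the chosen byte order."""
    if not 1 <= len(selection) <= 8:
        raise ValueError("select between one and eight contiguous bytes")
    if endian not in ("little", "big"):
        raise ValueError("endian must be 'little' or 'big'")
    unsigned = int.from_bytes(selection, endian, signed=False)
    out = {
        "unsigned": unsigned,
        "signed": int.from_bytes(selection, endian, signed=True),
        "unix_time": None,
        "filetime": None,
        "utf16": None,
    }
    if len(selection) == 4:
        # 32-bit count of seconds since 1970-01-01 UTC
        out["unix_time"] = _iso(_EPOCH_1970, seconds=unsigned)
    if len(selection) == 8:
        # FILETIME counts 100-ns ticks since 1601-01-01 UTC; microseconds are enough here
        out["filetime"] = _iso(_EPOCH_1601, microseconds=unsigned // 10)
    if len(selection) % 2 == 0:
        codec = "utf-16-le" if endian == "little" else "utf-16-be"
        out["utf16"] = selection.decode(codec, errors="replace")
    return out


def both_orders(selection):
    """The same selection read little- and big-endian, which is what an examiner
    compares when the default little-endian reading looks wrong."""
    return {"little": interpret(selection, "little"), "big": interpret(selection, "big")}


if __name__ == "__main__":
    for name, sel in (("unix", SAMPLE_UNIX), ("filetime", SAMPLE_FILETIME), ("utf16", SAMPLE_UTF16)):
        print(name, sel.hex(" "), both_orders(sel))
```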

FILE CONTENT TAB
HEX TAB
The Hex tab shows the file content in Hex view. It is different from the Hex
Interpreter tab at the bottom of the screen, which was shown in the previous section in
this chapter.
Note: The bar symbol indicates that the character font is not available, or that an unassigned
space is not filled.

The following table lists the available options and their descriptions:
TABLE 6-3 File Content Hex View Right-click Menu Options
• Select all
• Copy text
• Copy hex
• Copy Unicode
• Copy raw data
• Save Selection
• Save selection as carved file
• Show decimal offsets
• Show text only
• Fit to window
• Save current settings
• Go to offset

Click Save selection as carved file to manually carve data from files, and use the Go to Offset
dialog to specify offset amounts and origins. Click OK to close the Go To Offset dialog.
Figure 6-5 Go to Offset Dialog

After Go to Offset has taken you to the desired offset, select the Hex data you wish to
save as a separate file to add to your case, perhaps in a bookmark. Right-click and select
Save Selection as Carved File from the menu. Name the file and click OK.


Figure 6-6 The File Content Hex Tab

TEXT TAB
The Text tab displays the file’s content as text from the code page selected from the
drop-down menu. The following figure represents a portion of the drop-down
selection list.
Figure 6-7 Text View Drop-Down Menu

The FTK File Content pane currently provides many code pages from which to choose.
When the desired code page is selected, the Text tab presents the view of the
selected file as text using the selected code page, as shown below:


Figure 6-8

FILTERED TAB
The Filtered tab shows the file text created during indexing. The following figure
represents content displayed in the Filtered tab.
Figure 6-9 Filtered Tab

The text is taken from an index created for the current FTK session if indexing was not
previously selected.

NATURAL TAB
The Natural tab displays a file’s contents as it would appear normally. This viewer uses
the Oracle Stellent INSO filters for viewing hundreds of file formats without the native
application installed.
Figure 6-10

Note: Viewing large items in their native applications is often faster than waiting for them to be
rendered in an FTK viewer.

The Natural Tab has two tabs on the top-right border for viewing the file’s contents in
either the Default view, or the Web view.
In addition, the Natural tab has two additional buttons in the Web tab view. These are
described below, under Web Tab.
DEFAULT TAB
The Default Tab displays documents or files in a viewer that uses Oracle Outside In
Technology, according to their file type. Embedded audio and video files play using an
embedded Windows Media Player.


WEB TAB
The Web view uses Internet Explorer to display the contents of the selected file in a
contained field.
In the Web view, the top-left border of the pane holds two toggle buttons for enabling
or disabling HTML content: Disable CSS Formatting, and Disable External Hyperlinks.
TABLE 6-4 Natural Tab: Web Tab Toggle Buttons
Component (toolbar icon): Description
• Disable CSS Formatting. This button disables any fonts, colors, and
layout from cascading style sheets. HTML formatting not part of a
cascading style sheet may remain.
• Disable External Hyperlinks. This button disables any hyperlinks in
the file.

FTK displays the view (Web or Default) that is best for the selected file. The following
figure displays an email displayed in a Web tab.


Figure 6-11 File Content, Natural Tab, Web Tab

OVERVIEW TAB
The Overview tab provides a general view of a case. From it you can see the number of
items in various categories, view lists of items, and look at individual files by category,
status, and extension, as in the following figure.


Figure 6-12 Overview Tab

Evidence categories are represented by trees in the upper-left Case Overview pane of
the application.

FILE ITEMS CONTAINER
The File Items container itemizes files by whether they have been checked and lists in a
tree view the evidence files added to the case.


FILE EXTENSION CONTAINER
The File Extension container itemizes files by their extensions, such as .txt, .mapimail,
and .doc and lists them in a tree view.
The File Extension Container content numbers do not synchronize or match up with
the overall number of case items. This is because case items, such as file folders, do not
have extensions and, therefore, are not listed in the File Extension Container.

FILE CATEGORY CONTAINER
File Category Container itemizes files by function, such as a word processing
document, graphic, email, executable (program file), or folder, and lists them in a tree
view.
The statistics for each category are automatically listed. Expand the category tree view
to see the file list associated with it.
The following table provides more detail for File Categories:
TABLE 6-5 File Categories
Category: Description
Archives: Archive files include Email archive files, Zip, Stuffit,
Thumbs.db thumbnail graphics, and other archive formats.
Databases: A list of MS Access, Lotus Notes NSF, and other types of
databases.
Documents: Includes most word processing, HTML, WML, or text
files.
Email: Includes Email messages from Outlook, Outlook Express,
AOL, Endoscope, Yahoo, Rethink, Udder, Hotmail, Lotus
Notes, and MSN.
Executables: Includes Win32 executables and DLLs, OS/2, Windows VxD,
Windows NT, JavaScript, and other executable formats.
Folders: Folders or directories that are located in the evidence.
Graphics: Includes the standard graphic formats such as .tif, .gif, .jpeg,
and .bmp.
Internet Chat Files: Lists Microsoft Internet Explorer cache and history indexes.
Mobile Phone Data: Lists data acquired from supported mobile phone device(s).
Multimedia: Lists .aif, .wav, .asf, and other audio and video files.
OS/File System Files: Partitions, file systems, registry files, and so forth.
Other Encryption Files: Found encrypted files, as well as files needed for decryption
such as EFS search strings, SKR files, and so forth.
Other Known Types: A miscellaneous category that includes audio files, help files,
dictionaries, clipboard files, link files, and alternate data stream
files such as those found in Word .doc files, etc.
Presentations: Lists multimedia file types such as MS PowerPoint or Corel
Presentation files.
Slack/Free Space: Files, or fragments of files, that are no longer seen by the file
system, but have not been completely overwritten.
Spreadsheets: Includes spreadsheets from Lotus, Microsoft Excel,
QuattroPro, and others.
Unknown Types: File types that AD FTK 2.2 cannot identify.
User Types: User-defined file types such as those defined in a custom
File Identification File.

FILE STATUS CONTAINER
File Status covers a number of file categories that can alert the investigator to problem
files or help narrow down a search.
The statistics for each category are automatically listed. Click the category button to see
the file list associated with it. The following table displays the file status categories.
TABLE 6-6 File Status Categories

Bad Extension: Files with an extension that does not match the file type identified in the file header, for example, a .gif image renamed as graphic.txt.

Data Carved Files: The results of data carving when the option was chosen for preprocessing.

Decrypted Files: The files decrypted by applying the option in the Tools menu.

Deleted Files: Complete files or folders recovered from slack or free space that were deleted by the owner of the image, but not yet written over by new data.

Duplicate Items: Any items that have an identical hash. Because the filename is not part of the hash, identical files may actually have different filenames. The primary item is the first one found by FTK.

Email Attachments: Files attached to the email in the evidence.

Encrypted Files: Files that are encrypted or have a password. This includes files that have a read-only password; that is, they may be opened and viewed, but not modified by the reader. If the files have been encrypted with EFS and you have access to the user’s login password, you can decrypt these files. See “Decrypting Files and Folders” on page 179.

Flagged Ignore: Files that are flagged to be ignored are probably not important to the case.

Flagged Privileged: Files that are flagged as Privileged cannot be viewed by the case reviewer.

From Email: All email related files including email messages, archives, and attachments.

From Recycle Bin: Files retrieved from the Windows Recycle Bin.

KFF Alert Files: Files identified by the HashKeeper Web site as contraband or illicit files.

KFF Ignorable: Files identified by the HashKeeper and NIST databases as common, known files such as program files.

OLE Subitems: Items or pieces of information that are embedded in a file, such as text, graphics, or an entire file. This includes file summary information (also known as metadata) included in documents, spreadsheets, and presentations.

User Decrypted: Files you’ve previously decrypted yourself and added to the case.
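As an added example (not AccessData's code, and not how FTK is implemented internally) of how the Bad Extension and Duplicate Items categories above can be derived, the following Python script compares each file's header signature with its extension and groups files by hash, treating the first file found as the primary item. The signature table and the evidence set are constructed for illustration.

```python
import hashlib

# Header signatures (magic bytes) for a few common file types. The guide only names the
# .gif case; this short table is an assumption added for the example.
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
# Extensions that legitimately carry one of the header types above.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}

# Constructed evidence set: (path, contents) in the order the files are found.
EVIDENCE = [
    ("photos/holiday.gif", b"GIF89a" + bytes(16)),
    ("docs/graphic.txt", b"GIF89a" + bytes(16)),    # the guide's renamed-.gif example
    ("docs/notes.txt", b"meeting notes\n"),
    ("mail/attach.pdf", b"%PDF-1.4\n"),
    ("mail/report.docx", b"PK\x03\x04" + bytes(8)),
]


def type_from_header(data):
    """Return the type implied by the file header, or None if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def type_from_extension(path):
    """Normalise the extension so that e.g. .jpeg and .jpg compare equal."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ALIASES.get(ext, ext)


def classify(evidence):
    """Assign file status categories; returns {path: {"hash", "categories", "primary"}}."""
    status = {}
    first_seen = {}          # hash -> path of the primary (first found) item
    for path, data in evidence:
        digest = hashlib.sha256(data).hexdigest()
        categories = set()
        header_type = type_from_header(data)
        # Bad Extension: the header says one type, the name says another.
        if header_type is not None and header_type != type_from_extension(path):
            categories.add("Bad Extension")
        # Duplicate Items: same hash as an earlier file, whatever its name.
        if digest in first_seen:
            categories.add("Duplicate Items")
            status[first_seen[digest]]["categories"].add("Duplicate Items")
            primary = first_seen[digest]
        else:
            first_seen[digest] = path
            primary = path
        status[path] = {"hash": digest, "categories": categories, "primary": primary}
    return status


if __name__ == "__main__":
    for path, info in classify(EVIDENCE).items():
        print(f"{path:22} {sorted(info['categories']) or ['(none)']}  primary={info['primary']}")
```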

BOOKMARK CONTAINER
The Bookmark Container lists bookmarks as they are nested in the shared and the user-defined folders. Bookmarks are defined by the investigator as the case is being investigated and analyzed.

EMAIL TAB
The Email tab displays email mailboxes and their associated messages and attachments.
The display is a coded HTML format. The following figure represents the email tab.
Figure 6-13 Email Tab

EMAIL STATUS TREE
The Email Status tree lists information such as the sender of the email, and whether an
email has attachments. They are listed according to the groups they belong to.

EMAIL TREE
The Email tree lists message counts, DBX counts, PST counts, NSF counts, and other
such counts.

GRAPHICS TAB
The Graphics tab displays the case in photo-album style. Each graphic file is shown in a
thumbnail view. A graphic displays when its thumbnail is checked in the File Contents
pane. The following figure displays the Graphics tab with a selected thumbnail graphic.
Figure 6-14 Graphics Tab

Beneath each thumbnail image is a checkbox. When creating a report, choose to
include all of the graphics in the case or only those graphics that are checked. For more
information on selecting graphics, see “Including Graphics” on page 197.

The Evidence Items pane shows the Overview tree by default. Use the View menu to
change the tree. Only graphic files appear in the File List when the tab filter is applied.
Shut the tab filter off to view additional files.

USING THUMBNAILS
The thumbnail settings allow large amounts of graphic data to be displayed for
evidence investigation. The investigator does not need to see details to pick out
evidence; scan the thumbnails for flesh tones, photographic-type graphics, and perhaps
particular shapes. Once found, the graphics can be inspected more closely in the
Content Viewer.

MOVING THE THUMBNAILS PANE
The thumbnail feature is especially useful when you move the undocked graphics pane
to a second monitor, freeing your first monitor to display the entire data set for the
graphics files being analyzed. Do the following to move the Thumbnails pane to
maximize space usage.
1. Undock the Thumbnails pane, and expand it across the screen.
2. Open the Thumbnails Settings sub-menu, and scale the thumbnails down to fit as many as possible in the pane.

THE BOOKMARKS TAB
A bookmark contains a group of files that you want to reference in your case. These are
user-created and the list is stored for use in the report output.
Bookmarks help organize the case evidence by grouping related or similar files. For
example, you can create a bookmark of graphics that contain similar or related graphic
images. The bookmark information pane is highlighted in the following figure.

Figure 6-15 Bookmark Information Pane

The Bookmarks tab lists all bookmarks that have been created in the current case.

TABLE 6-7 Bookmarks Tab Features

Bookmark Name: Displays the name given to the bookmark when it was created.

Bookmark Comment: Displays notes included with a bookmark.

File Comment: Displays notes included with a file.

Selection Comment: Displays notes included with a selection.

Selection(s): Remembers the highlighted text in the bookmarked file and automatically highlights it when the bookmark is retrieved. The highlighted text also prints in the report. This can be done for multiple files with multiple selections. Use this option to Add and Remove Selections. Options:
• Add Selection
• Remove Selection

Creator Name: Name of the user who created the bookmark.

Supplementary Files: Lists additional files attached to the bookmark. Options:
• Attach File
• Remove File

Save Changes: Saves changes to the bookmark.

Clear Changes: Removes comments that have not been saved.

CREATING A BOOKMARK

Files can be bookmarked from any tab in FTK. To create a bookmark follow these steps:

1. Right-click the files or thumbnails you want to bookmark, and click Create Bookmark, or click the Bookmark button on the File List Toolbar to open the Create New Bookmark dialog.
2. Enter a name for the bookmark in the Bookmark Name field.
3. (Optional) In the Bookmark Comment field, type comments about the bookmark or its contents.
4. Click one of the following options to specify which items to add to the bookmark:
• All Highlighted: Highlighted items from the current file list. Items remain highlighted only as long as the same tab is displayed.
• All Checked: All items checked in the case.
• All Listed: Bookmarks the contents of the File List.
5. (Optional) Type a description for each file in the File Comment field.
6. Click Attach to add files external to the case that should be referenced from this bookmark. The files appear in the Supplementary Files pane, and are copied to the case folder.
7. For FTK to remember the highlighted text in a file and automatically highlight it when the bookmark is re-opened, check Bookmark Selection in File. The highlighted text also prints in the report.
8. Select the parent bookmark under which you would like to save the bookmark. FTK provides a processed tree for bookmarks available to all investigators, and a bookmark tree specific to the case owner. If the bookmark is related to an older bookmark it can be added with the older bookmark as the parent.
9. Click OK.

VIEWING BOOKMARK INFORMATION
The Bookmark Information pane displays information about the selected bookmark
and the selected bookmark file. The data in this pane is editable by anyone with
sufficient rights.
Select a bookmark in the Bookmarks view of the Bookmarks tab, or in the Bookmarks
node in the tree of the Overview tab to view information about a bookmark. The
Overview tab view provides limited information about the bookmarks in the case. The
Bookmark tab provides all information about all bookmarks in the case. In the
Bookmark tab, the Bookmark Information pane displays the Bookmark Name, Creator
Name, Bookmark Comment, and Supplementary files. When selected, a list of files
contained in the bookmark displays in the File List. If you select a file from the File List
the comment and selection information pertaining to that file displays in the Bookmark
Information pane.
The Bookmark Information pane contains these fields:
TABLE 6-8 Bookmark Information Pane Information

Bookmark Name: The name of the bookmark. Click Save Changes to store any changes made to this field.

Bookmark Comment: The investigator can assign a text comment to the bookmark. Click Save Changes to store any changes made to this field at any time.

Creator Name: The FTK2 user who created the bookmark.

Supplementary Files: Displays a list of external, supplementary files associated with the bookmark. Options are:
Attach: Allows the investigator to add external supplementary files to the bookmark; these files are copied to a subdirectory within the case folder and referenced from there.
Remove: Removes a selected supplementary file from the bookmark.

File Comment: The investigator can assign a different comment to each file in the bookmark. Click Save Changes to store any changes made to this field.

Selection(s): Displays a list of stored selections within the selected file.

Add Selection: Stores the cursor position, selection boundaries, and tab selection of the swept text in the File Content pane. This button does not store selection information for the Media or Web tabs.

Remove Selection: Removes the highlighted selection from the Selections list.

Selection Comment: Each file within the bookmark may contain an unlimited number of selections, to each of which the investigator may assign a comment. Click Save Changes to store any changes made to this field. These notes can be edited.

Save Changes: Stores the changes made to the bookmark information.

Clear Changes: Clears any unsaved changes made to the bookmark information.

Change any of the information displayed from this pane. Changes are automatically
saved when you change the bookmark selection, but you must manually save your
changes if you plan on closing FTK before selecting a different bookmark. It may be
best to make a habit of saving changes every time you make a change, to avoid
forgetting and losing your changes.

BOOKMARKING SELECTED TEXT
Bookmarked selections are independent of the view in which they were made. Select
hex data in the Hex view of a bookmarked file and save it; bookmark different text in
the Filtered view of the same file and save that selection as well.
To add selected text in a bookmark perform the following steps:

1. Open the file containing the text you want to select.
2. From the Natural, Text, Filtered or Hex views, make your selection.
Note: If the file is a graphic file, you will not see, nor be able to make selections in, the Text or the Natural views.
3. Click Create Bookmark in the File List toolbar to open the Create New Bookmark dialog.
4. When creating your bookmark, check Bookmark Selection in File.
5. To save selected content, choose the view that shows what you want to save, then highlight the content to save.
6. Right-click on the selected content. Click Save Selection.
7. Name the selection and click Save.

The selection remains in the bookmark.

ADDING TO AN EXISTING BOOKMARK
Sometimes additional information or files are desired in a bookmark. To add to an
existing bookmark, follow these steps:
1. Right-click the new file.
2. Click Add to Bookmark.
3. Select the parent bookmark.
4. Select the child bookmark to add the file or information to.
5. Click OK.

CREATING EMAIL OR EMAIL ATTACHMENT BOOKMARKS
When bookmarking an email FTK allows the addition of any attachments. FTK also
allows the inclusion of a parent email when bookmarking attachments to an email.
To create a bookmark for an email, follow the steps for creating a bookmark. Select the
email to include in the bookmark. Right-click and choose Create Bookmark. Note that by
default, the Email Attachments box is active, but unmarked. If only the parent email is
needed the Email Attachments box should remain unselected. The following figure
displays the Create New Bookmark dialog for an email with the Email Attachments
checkbox selected.
Figure 6-16 Create New Bookmark with Email Attachment

If you need to bookmark only an attachment of the email, select and right-click on the
attachment. Choose Create Bookmark. (For more information on creating bookmarks,
see, “Creating a Bookmark” on page 129.) Note that the Parent Email box is
automatically active, allowing you to include the parent email. If the Parent Email box is
checked, and there is more than one attachment, the Email Attachments box becomes
active, allowing you to also include all attachments to the parent email. To add only the
originally selected attachment to the bookmark, do not check the Parent Email box.
The following figure displays the Create New Bookmark dialog with the Parent Email
checkbox selected.

Figure 6-17 Create New Bookmark with Parent Email Selected

ADDING EMAIL AND EMAIL ATTACHMENTS TO BOOKMARKS
To add an email to a bookmark, select the email to add, then right-click on the email
and choose Add To Bookmark. (For more information see, “Adding to an Existing
Bookmark” on page 134). Note that the Email Attachments box is active, but not
marked. If only the parent email is needed the Email Attachments box can remain
unselected. To include the attachment’s parent email, mark the box. The following
figure displays the Add Files to Bookmark dialog with the Email Attachments
checkbox selected.

Figure 6-18 Add Files to Bookmark with Email Attachments Selected

If only an attachment of an email is needed to be added to the bookmark, select the
attachment and follow the instructions for adding to a bookmark. (For more
information on adding to bookmarks, see, “Adding to an Existing Bookmark” on
page 134.) Note that the Parent Email box is automatically active, but not selected,
giving the opportunity to select the parent email if you wish to include it with the
attachment to the bookmark. The following figure displays the Add Files to Bookmark
dialog with the Parent Email checkbox selected.

Figure 6-19 Add Files to Bookmark with Parent Email Selected

MOVING A BOOKMARK
The following steps detail how to move a bookmark:
1. From either the Bookmark or the Overview tab, select the bookmark you want to move.
2. Using the left or right mouse button, drag the bookmark to the desired location and release the mouse button.

DELETING A BOOKMARK
Use the following steps to delete a bookmark:
1. In the Bookmark tab, expand the bookmark list and highlight the bookmark to be removed.
2. Press the Delete key.
OR
3. Right-click on the bookmark to delete, and choose Delete.

DELETING FILES FROM A BOOKMARK
Use the following steps to delete files from bookmarks:
1. From either the Overview tab or the Bookmarks tab, open the bookmark containing the file you wish to delete.
2. Right-click the file in the Bookmark File List.
3. Select Remove from Bookmark.
Note: Deleting a file from a bookmark does not delete the file from the case.

Table 6-7, earlier in this chapter, describes the features of the Bookmark tab.

SEARCH TABS
The Search Tabs allow the user to conduct an indexed search or a live search on the
evidence. An indexed search is faster, while a live search is more flexible and powerful.
The results of each search appear as line items in the search results list. Click the plus
icon (+) next to a search line to expand the search results branch. To view a specific
item, select the file in the search results or file lists. All search terms are highlighted in
the file. For information on searching, see “Chapter 7 Searching a Case” on page 143.

LIVE SEARCH TAB
The live search is a process involving an item-by-item comparison with the search term.
The following figure represents a selected Live Search tab.

Figure 6-20 Live Search Tab

A live search is flexible because it can find non-alphanumeric character patterns. By
comparison, an index search is limited to the alphanumeric patterns recorded in the
search index created when the case is initially processed.

INDEX SEARCH TAB
The indexed search uses the index file generally created in pre-processing or through
additional analysis to find the search term. The following figure represents the Index
Search being performed.

Chapter 6 Using Tabs to Explore & Refine Evidence

141

Figure 6-21 Index Search Tab

Evidence items can be indexed when they are first added to the case or at a later time.

CREATING TABS
Create custom tabs by selecting View > Tab Layout > Add to bring up the Create Tab
dialog, as in the following figure.
Figure 6-22 Create Tab Dialog

For more information on tab creation, see “Creating Custom Tabs” on page 213.

Chapter 7 Searching a Case

Searching evidence for information pertaining to a case can be one of the most crucial
steps in the examination. AccessData Forensic Toolkit (FTK) provides three different
live search modes: hexadecimal, pattern (or “regular expression”), and text. Search
results, or “hits,” appear highlighted in the File Content view.

CONDUCTING A LIVE SEARCH
The live search is a process involving a bit-by-bit, item-by-item comparison of the
search term against all evidence items contained in the case. A live search is flexible
because it can find patterns of non-alphanumeric characters. Allow ample time for any
live search to complete.
Live search also supports pattern searches. Pattern searches, also called regular
expression searches, are searches for mathematical statements that describe a data
pattern such as a credit card or social security number. Pattern searches allow the
discovery of data items that conform to the pattern described by the expression. For
more information about regular expressions and syntax, see “Conducting a Pattern
Search” on page 146.
AccessData recommends live searching for items an index search cannot find.
To perform a live search, perform the following steps:
1. In the Live Search tab, click the Text, Pattern, or Hex tab. In the Text or Pattern tabs, mark the character sets to include in the search. If Unicode is selected, and you need to include sets other than ANSI and Unicode, mark the box for Other Code Pages, scroll to the code page you need, then click to select it.
Note: You must select at least one of the CodePage choices. If you try to unselect all of the choices on the CodePage selection bar, the next available option is automatically marked.
2. Click to select the needed sets.
3. Click to include EBCDIC, Mac, and Multibyte as needed.
4. Click OK to close the dialog.
5. Click to mark Case Sensitive in the Live Search > Text tab if you want to search specifically for uppercase or lowercase letters. FTK ignores case if this box is not checked.
6. Enter the term in the Search Term field.
7. Click Add to add the term to the Search Terms window.
8. Click Clear to remove all search terms.
9. In the Max Hits Per File field, enter the maximum number of times you want a search hit to be listed per file. The default is 200.
10. (Optional) Apply a filter from the drop-down list. Applying a filter speeds searching by eliminating items that do not match the filter.
11. Click Search.

Note: Click Cancel in the Data Processing Status dialog to halt the search. Cancelling will
return all results found so far.
12. Select the results you wish to view from the Live Search Results pane. Click the plus icon (+) next to a search line to expand the branch. Individual search results are listed in the Live Search Results pane, and the corresponding files are listed in the File List. To view a specific item, select the file in the search results. All search results are highlighted in the Hex View tab.
Right-click on a search result in the Live Search Results pane to display more
options. The available right-click options are as follows:
TABLE 7-1 Right-Click Options in Live Search Results Pane

Create Bookmark: Opens the Create New Bookmark dialog.

Copy to Clipboard: Opens a new context-sensitive menu. Options are:
• All Hits In Case
• All Hits In Search
• All File Stats In Case
• All File Stats In Search

Export to File: Opens a new context-sensitive menu. Options are:
• All Hits In Case
• All Hits In Search
• All File Stats In Case
• All File Stats In Search

Set Context Data Width: Opens the Data Export Options window. Allows you to set a context width from 32 to 2000 characters within which to find and display the search hit.

Delete All Search Results: Deletes all search results from the Live Search Results pane.

Delete this Line: Deletes only the highlighted search results line from the Live Search Results pane.

Important: Searching before the case has finished processing will return
incomplete results. Wait to search until the case has finished processing
and the entire body of data is available.

CUSTOMIZING THE LIVE SEARCH TAB
Change the order of the Live Search tabs by dragging and dropping them into the
desired order. The following figure shows the live search tabs.
Figure 7-1 Live Search Tabs

For more information on customizing the FTK user interface, see “Chapter 11
Customizing the Interface” on page 207.

CONDUCTING A PATTERN SEARCH
Pattern searching, also known as regular expression searching, allows forensics analysts
to search through large quantities of text information for repeating formats of data
such as:

• Telephone Numbers
• Social Security Numbers
• Computer IP Addresses
• Credit Card Numbers

Pattern searches are similar to arithmetic expressions that have operands, operators,
sub-expressions, and a value. For example, the following table identifies the
mathematical components in the arithmetic expression, 5/((1+2)*3):
TABLE 7-2 Mathematical Components of Arithmetic Expressions

Operands: 5, 1, 2, 3

Operators: / , ( ), + , *

Sub-Expressions: (1+2), ((1+2)*3)

Value: Approximately 0.556

Note: Unlike arithmetic expressions, which can only have numeric operands, operands in
pattern searches can be any characters that can be typed on a keyboard, such as
alphabetic, numeric, and symbol characters.

SIMPLE PATTERN SEARCHES
A simple pattern search can be made up entirely of operands. For example, the pattern
search dress causes the search engine to return a list of all files that contain the sequence
of characters d r e s s. The pattern search dress corresponds to a very specific and
restricted pattern of text, that is, sequences of text that contain the sub-string dress. Files
containing the words “dress,” “address,” “dressing,” and “dresser,” are returned in a
search for the pattern search dress.
The search engine searches left to right. So in searching the pattern search dress, the
search engine opens each file and scans its contents line by line, looking for a d,
followed by an r, followed by an e, and so on.

COMPLEX PATTERN SEARCHES
Operators allow regular expressions to search patterns of data rather than specific
values. For example, the operators in the following expression enable the FTK search
engine to find all Visa and MasterCard credit card numbers in case evidence files:
\<((\d\d\d\d)[\- ]){3}\d\d\d\d\>

Without the use of operators, the search engine could look for only one credit card
number at a time.
The following table identifies the components in the Visa and MasterCard regular
expression:
TABLE 7-3 Visa and MasterCard Regular Expressions

Operands: \-, spacebar space

Operators: \, <, ( ), [ ], {3}, \>

Sub-expressions: (\d\d\d\d), ((\d\d\d\d)[\- ])

Value: Any sequence of sixteen decimal digits that is delimited by three hyphens and bound on both sides by non-word characters (xxxx-xxxx-xxxx-xxxx).

As the pattern search engine evaluates an expression in left-to-right order, the first
operand it encounters is the backslash less-than combination (\<). This combination is
also known as the begin-a-word operator. This operator tells the search engine that the
first character in any search hit immediately follows a non-word character such as white
space or other word delimiter.
Note: A precise definition of non-word characters and constituent-word characters in regular
expressions is difficult to find. Consequently, experimentation by FTK users may be the
best way to determine if the backslash less-than (\<) and backslash greater-than
(\>) operators help find the data patterns relevant to a specific searching task. The
hyphen and the period are examples of valid delimiters or non-word characters.

The begin-a-word operator illustrates one of two uses of the backslash or escape
character ( \ ), used for the modification of operands and operators. On its own, the
left angle bracket (<) would be evaluated as an operand, requiring the search engine to
look next for a left angle bracket character. However, when the escape character
immediately precedes the (<), the two characters are interpreted together as the
begin-a-word operator by the search engine. When an escape character precedes a
hyphen (-) character, which is normally considered to be an operator, the two
characters (\-) require the search engine to look next for a hyphen character and not
apply the hyphen operator (the meaning of the hyphen operator is discussed below).
The parentheses operator ( ) groups characters together into a sub-expression, that is,
a sequence of characters contained within the parentheses that must be treated as a
group and not as individual operands.
The \d operator, which is another instance of an operand being modified by the escape
character, is interpreted by the search engine to mean that the next character in search
hits found may be any decimal digit character from 0-9.
The square brackets ([ ]) indicate that the next character in the sequence must be one of
the characters listed between the brackets or escaped characters. In the case of the
credit card expression, the backslash-hyphen-spacebar space ([\- ]) means
that the four decimal digits must be followed by a hyphen or a spacebar space.

The {3} means that the preceding sub-expression must repeat three times, back to
back. The number in the curly brackets ({ }) can be any positive number.
Finally, the backslash greater-than combination (\>), also known as the end-a-word
operator, means that the preceding expression must be followed by a non-word
character.
Sometimes there are ways to search for the same data using different expressions. It
should be noted that there is no one-to-one correlation between the expression and the
pattern it is supposed to find. Thus the preceding credit card pattern search is not the
only way to search for Visa or MasterCard credit card numbers. Because some pattern
search operators have related meanings, there is more than one way to compose a
pattern search to find a specific pattern of text. For instance, the following pattern
search has the same meaning as the preceding credit card expression:
\<((\d\d\d\d)(\-| )){3}\d\d\d\d\>

The difference here is the use of the pipe ( | ) or union operator. The union operator
means that the next character to match is either the left operand (the hyphen) or the
right operand (the spacebar space). The similar meaning of the pipe ( | ) and square
bracket ([ ]) operators gives both expressions equivalent functions.
In addition to the previous two examples, the credit card pattern search could be
composed as follows:
\<\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d(\-| )\d\d\d\d\>

This expression explicitly states each element of the data pattern, whereas the {3}
operator in the first two examples provides a type of mathematical shorthand for more
succinct regular expressions.

PREDEFINED REGULAR EXPRESSIONS
FTK provides several predefined regular expressions to be used in pattern searches.

Select regular expressions from drop-down lists under the arrows:

• To access the Predefined Regular Expressions, click the white arrow. This will display the predefined regular expressions list, as shown in the following figure:
Figure 7-2 Pre-defined Regular Expressions List

• Click the white arrow to see a list of predefined expressions, as displayed in the following table:
TABLE 7-4 Predefined Pattern Searches

MAC Address
URL {http, https, ftp, ftps}
Mailto:
... .com
... .edu
... .info
... .net
... .org
... .gov
... .museum
... .tv
... .
...@... .com
...@... .edu
...@... .gov
...@... .net
...@... .org
...@... . email address
AMEX
Visa
Mastercard 1
Discover
Credit Card Standard
Web Credit Card Transaction Receipt with X or #
Kazaa DAT file
Kazaa DBB
Limewire DAT
Link File Parser (fast) - (Run on Unallocated)
Info2 Files FAST All Years
INFO2-Expanded (Run on Unallocated)
MSN Hotmail Beginning
MSN Hotmail End
HTML Search Engine Return - Google Search
INDEX.dat entries and Search Engine Return - Google Search
HTML Search Engine Return - Ebay.com, search.aol.com, mamma.com
HTML Search Engine - Ask Jeeves
Orphaned Index.dat Files (with date)
Orphaned Index.dat Files (Without Date)
Orphaned History Index.dat Files
Orphaned Index.dat Cookie Files
IP Address
US Phone Number
UK Phone Number
Social Security Number
Edit Expressions

The Social Security Number, U.S. Phone Number, and IP Address expressions are
discussed in the following sections.

SOCIAL SECURITY NUMBER
The pattern search for Social Security numbers follows a relatively simple model:
\<\d\d\d[\- ]\d\d[\- ]\d\d\d\d\>

This expression reads as follows: find a sequence of text that begins with three decimal
digits, followed by a hyphen or spacebar space. This sequence is followed by two more

decimal digits and a hyphen or spacebar space, followed by four more decimal digits.
This entire sequence must be bounded on both ends by non-word characters.

U.S. PHONE NUMBER
The pattern search for U.S. phone numbers is more complex:
((\<1[\-\. ])?(\(|\<)\d\d\d[\)\.\-/ ] ?)?\<\d\d\d[\.\- ]\d\d\d\d\>

The first part of the above expression, ((\<1[\-\. ])?(\(|\<)\d\d\d[\)\.\-/ ] ?)?, means
that an area code may or may not precede the seven digit phone number. This meaning
is achieved through the use of the question mark (?) operator. This operator requires
that the sub-expression immediately to its left appear exactly zero or one times in any
search hits. The U.S. Phone Number expression finds telephone numbers with or
without area codes.
This expression also indicates that if an area code is present, a number one (1) may or
may not precede the area code. This meaning is achieved through the sub-expression
(\<1[\-\. ])?, which says that if there is a “1” before the area code, it will follow a
non-word character and be separated from the area code by a delimiter (period, hyphen,
or spacebar space).
The next sub-expression, (\(|\<)\d\d\d[\)\.\-/ ] ?, specifies how the area code must
appear in any search hits. The (\(|\<) requires that the area code begin with a left
parenthesis or other delimiter. The left parenthesis is, of necessity, escaped. The initial
delimiter is followed by three decimal digits, then another delimiter: a right parenthesis,
a period, a hyphen, a forward slash, or a spacebar space. Lastly, the question mark (?)
means that there may or may not be one spacebar space after the final delimiter.
The latter portion of this expression, \<\d\d\d[\.\- ]\d\d\d\d\>, requests a seven-digit
phone number with a delimiter (period, hyphen, or spacebar space) between the third
and fourth decimal digit characters. Note that typically, the period is an operator. It
means that the next character in the pattern can be any valid character. To specify an
actual period (.), the character must be escaped (\.). The backslash period combination
is included in the expression to catch phone numbers delimited by a period character.

IP ADDRESS
An IP address is a 32-bit value that uniquely identifies a computer on a TCP/IP network,
including the Internet. Currently, all IP addresses are represented by a numeric
sequence of four fields separated by the period character. Each field can contain any
number from 0 to 255. The following pattern search locates IP addresses:
\<[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\>

The IP Address expression requires the search engine to find a sequence of data with
four fields separated by periods (.). The data sequence must also be bound on both
sides by non-word characters.
Note that the square brackets ([ ]) still behave as a set operator, meaning that the next
character in the sequence can be any one of the values specified in the square brackets
([ ]). Also note that the hyphen (-) is not escaped; it is an operator that expresses ranges
of characters.
Each field in an IP address can contain up to three characters. Reading the expression
left to right, the first character, if present, must be a 1 or a 2. The second character, if
present, can be any value 0–9. The square brackets ([ ]) indicate the possible range of
characters and the question mark (?) indicates that the value is optional; that is, it may
or may not be present. The third character is required; therefore, there is no question
mark. However, the value can still be any number 0–9.
You can begin building your own regular expressions by experimenting with the default
expressions in FTK. You can modify the default expressions to fine-tune your data
searches or to create your own expressions.
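The two default patterns just described, as an added example that is not taken from the guide or from FTK's own search engine. Both expressions are transcribed into Python's regex dialect (FTK's \< and \> word anchors become Python's \b; that transcription is my assumption), run over constructed sample text, and the IP hits are then passed through the field-value check that the pattern itself cannot express, since [1-2]?[0-9]?[0-9] accepts any value from 0 to 299.

```python
import re

# FTK's default Phone Number and IP Address patterns, transcribed into Python's
# regex dialect: FTK's \< and \> word anchors become \b.  The transcription is an
# assumption of this example; FTK's own engine is not used here.
PHONE_RE = re.compile(
    r"(?:\b1[-. ])?"         # optional long-distance "1" plus a delimiter
    r"(?:\(|\b)\d{3}"        # area code, opened by "(" or a word boundary
    r"[).\-/ ] ?"            # closing delimiter, then an optional space
    r"\b\d{3}[.\- ]\d{4}\b"  # seven-digit number with one delimiter inside
)

IP_RE = re.compile(
    r"\b[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\."
    r"[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\b"
)

# Constructed sample text; none of these numbers or addresses comes from the guide.
SAMPLE = (
    "Call (801) 377-5410 or 1-801-377-5410; fax 801.377.5411. "
    "Host 192.168.1.10 talked to 10.0.0.254 and to 299.1.1.1 (bogus). "
    "Build 2.2.0.1 shipped; ticket 5551234 is not a phone number."
)


def find_phones(text):
    """Return every substring the FTK-style phone pattern would flag."""
    return [m.group(0) for m in PHONE_RE.finditer(text)]


def find_ips(text, strict=False):
    """Return IP-looking hits.

    The guide's pattern only bounds each field to 0-299, so with strict=False
    "299.1.1.1" is reported.  strict=True adds the check a reviewer would want:
    every field must be <= 255.  Version strings such as "2.2.0.1" still pass
    the pattern and need a human to reject them.
    """
    hits = []
    for m in IP_RE.finditer(text):
        candidate = m.group(0)
        if strict and any(int(field) > 255 for field in candidate.split(".")):
            continue
        hits.append(candidate)
    return hits


if __name__ == "__main__":
    print("phones:", find_phones(SAMPLE))
    print("ips (pattern only):", find_ips(SAMPLE))
    print("ips (<= 255 check):", find_ips(SAMPLE, strict=True))
```

The pattern-only IP list is what a Live Search would return; the strict list is the post-filter an examiner applies before treating a hit as a real address.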

CREATING CUSTOM REGULAR EXPRESSIONS
Create your own customized regular expressions using the following list of common
operators:
TABLE 7-5 Common Regular Expressions Operators

Operator: Description

+: Matches the preceding sub-expression one or more times. For example, “ba+” will
    find all instances of “ba,” “baa,” “baaa,” and so forth; but it will not find “b.”
$: Matches the end of a line.
*: Matches the preceding sub-expression zero or more times. For example, “ba*” will
    find all instances of “b,” “ba,” “baa,” “baaa,” and so forth.
?: Matches the preceding sub-expression zero or one times.
[]: Matches any single value within the square brackets. For example, “ab[xyz]” will
    find “abx,” “aby,” and “abz.” A hyphen (-) specifies ranges of characters within the
    brackets. For example, “ab[0-3]” will find “ab0,” “ab1,” “ab2,” and “ab3.” You can
    also specify case-specific ranges such as [a-r], or [B-M].
`: (Back quote) Starts the search at the beginning of a file.
': (Single quote) Starts the search at the end of a file.
\<: Matches the beginning of a word. In other words, the next character in any search
    hit must immediately follow a non-word character.
\>: Matches the end of a word.
|: Matches either the sub-expression on the left or the right. For example, A|u
    requires that the next character in a search hit be “A” or “u.”
\b: Positions the cursor between characters and spaces.
\B: Matches anything not at a word boundary. For example, will find Bob in the name
    Bobby.
\d: Matches any decimal digit.
\l: Matches any lowercase letter.
\n: Matches a new line.
\r: Matches a return.
\s: Matches any white space character such as a space or a tab.
\t: Matches a tab.
\u: Matches any uppercase letter.
\w: Matches any word character [a-z A-Z 0-9].
^: Matches the start of a line.
[[:alpha:]]: Matches any alpha character (short for the [a-z A-Z] operator).
[[:alnum:]]: Matches any alphanumeric character (short for the [a-z A-Z 0-9] operator).
[[:blank:]]: Matches any whitespace, except for line separators.
{n,m}: Matches the preceding sub-expression at least n times, but no more than m
    times.

Click the black arrow to see a list, as displayed in the following figure, of the basic
components for regular expressions. You can create your own pattern by combining
these components into a longer expression.


Figure 7-3 Defining Customized Regular Expressions

CONDUCTING HEX SEARCHES
Click the Hex (Hexadecimal) Search tab to enter a term, either by typing it directly into
the search field or by clicking the hexadecimal character buttons provided, as displayed
in the following figure.


Figure 7-4 Hex Search Tab

The instructions for conducting a live search on the hex tab are similar to conducting
searches on the Pattern tab. For more information on conducting a Pattern search, see
the beginning of this section, “Conducting a Pattern Search” on page 146.

CONDUCTING TEXT SEARCHES
The difference between a Pattern search and a Text search is that a Text search looks
for the exact typed text; there are no operators, so the results match exactly what was
typed. For example, a Pattern search allows you to find all strings that match a certain
pattern, such as any 10-digit phone number (nnn-nnn-nnnn) or a nine-digit social
security number (nnn-nn-nnnn). A Text search finds all strings that match an exact entry,
such as a specific phone number (801-377-5410). When conducting a Live Text Search,
there are no arrows to click for operator selection, as displayed in the following graphic.
Figure 7-5 Live Search: Text Search Tab


Otherwise apply the instructions for the pattern search to this search. For more
information on conducting a pattern search see “Conducting a Pattern Search” on
page 146.

CONDUCTING AN INDEX SEARCH
The index search uses index files to find the search term. Evidence items may be
indexed when they are first added to the case or at a later time. AccessData
recommends always indexing a case before beginning analysis.
For more information about indexing an evidence item, see “Indexing a Case” on
page 61. The following figure displays the FTK window with the Index Search tab
selected.
Figure 7-6 Index Search Tab


The index files contain all discrete words or number strings found in both the allocated
and unallocated space in the case evidence. FTK 2.2 allows you to define nearly every
aspect of indexing, including how spaces and special characters or symbols are treated,
among them the following:
.,:;"’~!#$%^& @=+.

The following figure shows the Indexing Options dialog:
Figure 7-7 New Indexing Options Dialog

These options must be set prior to case creation. To set them globally, in Case
Management, click Tools > Create Options File to bring up the Detailed Options dialog. In
the Evidence Processing screen, mark the dtSearch Text Index box, then click Indexing
Options to bring up the Indexing Options screen shown in the figure above.
To adjust these options for a case, in Case Management, click Case > New > Detailed
Options File. Again, in the Detailed Options > Evidence Processing dialog, mark the
dtSearch Text Index box, then click Indexing Options to bring up the Indexing Options
screen shown in the figure above.
TABLE 7-6 dtSearch Indexing Options

Option: Description

Letters: Specifies the letters and numbers to index. Specifies Original, Lowercase,
    Uppercase, and Unaccented. Choose Add or Remove to customize the list.
Noise Words: A list of words to be considered “noise” and ignored during indexing.
    Choose Add or Remove to customize the list.
    Note: The best way to use the ignore words box is to add and remove your own
    characters/symbols. When doing an index search those characters/symbols are
    ignored; when typing your search, do not include the character or symbol you
    chose to ignore. For example, add ! in the ignore box; if the case contains the
    term trus!t, type trust as the index search term and you will get the hit.
Hyphen Treatment: Specifies how hyphens are to be treated in the index. Options are:
    • Ignore
    • Hyphen
    • Space
    • All
Hyphens: Specifies which characters are to be treated as hyphens. You can add
    standard keyboard characters, or control characters. You can remove items as well.
Spaces: Specifies which special characters should be treated as spaces. Remove
    characters from this list to have them indexed as any other text. Choose Add or
    Remove to customize the list.
Ignore: Specifies which control characters or other characters to ignore.
Set Max. Memory: Allows you to set a maximum size for the index.
Max. Word Length: Allows you to set a maximum word length to be indexed.
Auto-Commit Interval (MB): Allows you to specify an Auto-Commit Interval while
    indexing the case. When the index reaches the specified size, the indexed data is
    saved to the index. The size resets, and indexing continues until it reaches the
    maximum size, and saves again, and so forth.
Enable Date Recognition: Choose to enable or disable this option.
Presumed Date Format For Ambiguous Dates: If date recognition is enabled, specify
    how ambiguous dates should be formatted when encountered during indexing.
Index Binary Files: Specify how binary files should be treated in the index. Options are:
    • Index all
    • Skip
    • Index all (Unicode)
When finished setting Detailed Options, click OK to close the dialog, complete the New
Case Options dialog, then click OK to create the case.
In addition to performing searches within the case, you can also use the index as a basis
for a custom dictionary for password recovery processes in the Password Recovery
Toolkit (PRTK). You can export the contents of the index by selecting File > Export
Word List.
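How the Noise Words, Spaces, Ignore and Hyphen Treatment options in Table 7-6 change what lands in the index, and how the AND/OR criteria described under Search Criteria then resolve against it, as an added Python example. This is a model written for this page, not dtSearch's or FTK's indexer; the two sample files, their contents, the noise-word list and the space-character list are all constructed, and the option names are used as labels only.

```python
# Constructed sample "evidence" text; the file names and contents are invented.
DOCS = {
    "memo.txt": "The trus!t fund was re-assigned to e-mail user bob_smith on 12/03/2008",
    "notes.txt": "Re-assigned accounts: trust, e-mail, and the E-MAIL archive",
}

NOISE_WORDS = {"the", "was", "to", "on", "and"}   # words dropped from the index
SPACE_CHARS = ".,:;\"~#$%^&@=+/"                   # characters treated as spaces


def tokenize(text, hyphen_mode="Ignore", ignore_chars="", space_chars=SPACE_CHARS,
             noise_words=NOISE_WORDS):
    """Split text into indexable words following the option semantics of
    Table 7-6 (modelled here, not calling dtSearch)."""
    if hyphen_mode not in ("Ignore", "Hyphen", "Space", "All"):
        raise ValueError("unknown hyphen treatment: %r" % hyphen_mode)
    # "Ignore" list: the character vanishes, so "trus!t" indexes as "trust".
    for ch in ignore_chars:
        text = text.replace(ch, "")
    # "Spaces" list: the character splits words exactly like a space would.
    for ch in space_chars:
        text = text.replace(ch, " ")
    words = []
    for raw in text.split():
        word = raw.lower()                  # the "Lowercase" letters option
        if hyphen_mode == "Ignore":         # e-mail -> email
            variants = [word.replace("-", "")]
        elif hyphen_mode == "Hyphen":       # e-mail -> e-mail, kept as one word
            variants = [word]
        elif hyphen_mode == "Space":        # e-mail -> e, mail
            variants = word.split("-")
        else:                               # "All": index every interpretation
            variants = [word.replace("-", ""), word] + word.split("-")
        for v in dict.fromkeys(variants):   # de-duplicate, keep order
            if v and v not in noise_words:
                words.append(v)
    return words


def build_index(docs, **options):
    """word -> {file name: hit count}, the data behind the Indexed Words column."""
    index = {}
    for name, text in docs.items():
        for word in tokenize(text, **options):
            index.setdefault(word, {})
            index[word][name] = index[word].get(name, 0) + 1
    return index


def search(index, terms, op="AND"):
    """Boolean index search: AND keeps files holding every term, OR any term."""
    if op not in ("AND", "OR"):
        raise ValueError("op must be AND or OR")
    per_term = [set(index.get(t.lower(), {})) for t in terms]
    if not per_term:
        return []
    hits = set.intersection(*per_term) if op == "AND" else set.union(*per_term)
    return sorted(hits)


if __name__ == "__main__":
    idx = build_index(DOCS)
    print(search(idx, ["trust", "email"]))                  # ['notes.txt']
    idx = build_index(DOCS, ignore_chars="!")               # the guide's trus!t case
    print(search(idx, ["trust", "email"]))                  # ['memo.txt', 'notes.txt']
    idx = build_index(DOCS, hyphen_mode="Space")
    print(sorted(idx))                                      # 'email' is gone, 'mail' remains
```

Rebuilding the index with a different option set is the only way to change these results, which is why the guide insists the options be fixed before the case is created.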

SEARCH TERMS
Type the term in the Search Term field. The term and terms like it appear in the
Indexed Words column, which displays the number of times that particular term was
found in the data. Click Add to place the term in the Search Terms list, or double-click
a term in the Indexed Words column to add it to the Search Terms list.

SEARCH CRITERIA
Refine a search even more by using the Boolean operators AND and OR. You can
specify the terms to use in an indexed search by selecting specific entries, or by
searching against all entries. Click Clear to clear these search criteria. If any items are
selected, clicking Clear will clear the selected item(s) only. If no items, or all items, are
selected, clicking Clear will clear all items from the list.

Important: When creating your search criteria, try to focus your search to
bring up the smallest number of meaningful hits per search.
Click Export to save a set of search terms, then save the file.


Click Import to import a set of search terms then select and apply the imported file you
previously saved.

INDEX SEARCH OPTIONS
To conduct an index search, select the Options button to refine the search by opening
the Indexed Search Options dialog, as in the following figure.
Figure 7-8 Index Search Options Dialog

The following tables review the individual search and result options:
TABLE 7-7 Individual Search and Result Options

Option: Result

Stemming: Words that contain the same root, such as raise and raising.
Phonic: Words that sound the same, such as raise and raze.
Synonym: Words that have similar meanings, such as raise and lift.
Fuzzy: Words that have similar spellings, such as raise and raize. Click the arrows to
    increase or decrease the number of letters in a word that can be different from the
    original search term.
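The Fuzzy option's "number of letters that can be different" is an edit-distance threshold. The following is an added Python example, not dtSearch's or FTK's implementation, that ranks a constructed list of indexed words by Levenshtein distance from the search term and keeps those within the allowed number of differences.

```python
def edit_distance(a, b):
    """Levenshtein distance: single-letter inserts, deletes or substitutions
    needed to turn a into b (classic dynamic-programming table, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def fuzzy_matches(indexed_words, term, max_differences):
    """Indexed words within max_differences letters of the search term, closest
    first (ties alphabetical); 0 behaves like an exact lookup."""
    if max_differences < 0:
        raise ValueError("max_differences must be >= 0")
    term = term.lower()
    scored = [(edit_distance(term, w.lower()), w) for w in indexed_words]
    return [w for d, w in sorted(scored) if d <= max_differences]


# Constructed word list standing in for the Indexed Words column.
INDEXED_WORDS = ["raise", "raized", "raize", "raising", "raze", "lift", "praise"]

if __name__ == "__main__":
    for n in (0, 1, 2):
        print(n, fuzzy_matches(INDEXED_WORDS, "raise", n))
```

Widening the threshold from 1 to 2 admits "raze" (one substitution plus one deletion), which is why a fuzzy search quickly drifts from spelling variants into unrelated words; stemming and phonic matching in the guide's table are separate mechanisms and are not modelled here.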


TABLE 7-8 Max Files to List and Max Hits per File

Option: Result

Max Files to List: Maximum number of files with hits that are listed in the results.
    You can change the maximum number in the field. The default is 200. Searches
    limited by changing from the default will be indicated by an asterisk (*) and the
    text “(files may be limited by “Max files to list” option)”, which may be cut off if
    the file name exceeds the allowed line length.
Max Hits per File: Maximum number of hits per file. You can change the maximum
    number in the field. Searches limited in this way will be indicated by an asterisk (*)
    and the text “(files may be limited by “Max hits per file” option)”, which may be cut
    off if the file name exceeds the allowed line length.
    The maximum number applies separately to files with hits from both Allocated and
    Unallocated disk space. Reducing the number of hits to display per file reduces the
    time it takes to display all items.
Max. Words to Return: The maximum number of words to be returned by the search.

Important: When running the search, limit the number of files with hits (200
is default) to list at one time, and try to have only one tree node in the
Index Search Results list expanded at a time for either Allocated or
Unallocated space hits. Having too many tree items expanded (to display
3,000 or more files with hits) can cause long delays in viewing selected
hits.
TABLE 7-9 Search by Date and Time

Option: Description

All Files: Search all the files in the case.
File Name Pattern: Limits the search to files that match the filename pattern. Operator
    characters can be used to fill in for unknown characters. The pattern can include
    “?” to match any single character or “*” to match zero or more characters. The
    asterisk (*) and question mark (?) operators are the only characters allowed in the
    search. For example, if you set the filename pattern to “d?ugl*”, the search could
    return results from files named “douglas,” “douglass”, or “druglord.”
    To enter a filename pattern:
    1. Check the box.
    2. In the field, type the filename pattern to search for.
Files Saved Between: Beginning and ending dates for the last time a file was saved. Do
    the following to set these parameters:
    1. Check the box.
    2. In the date fields, enter the beginning and ending dates to search.
Files Created Between: Beginning and ending dates for the creation of a file. Do the
    following to set these parameters:
    1. Check the box.
    2. In the date fields, enter the beginning and ending dates that you want to search.
File Size Between: Minimum and maximum file sizes, specified in bytes.
    1. Check the box.
    2. In the size fields, enter the minimum and maximum size in bytes of the files
    that you want to search.
Save as Default: Check this box to make your settings apply to all index searches.
OK: Saves the Indexed Search Options you have selected, and exits the dialog.
Cancel: Cancels the Indexed Search Options dialog without saving settings.


When search criteria are prepared and you are ready to perform the search, click OK to
save your selected options, then click Search Now.

DOCUMENTING SEARCH RESULTS
Right-click an item in the Search Results list to open the quick menu with the following
options:

• Copy to Clipboard: Copies the selected data to the clipboard where it can be
copied to another Windows application, such as an Excel spreadsheet.
Note: 10,000 is the maximum number of evidence items that can be copied in a single copy
operation.

• Export to File: Copies information to a file. Select the name and location for the
information file.
Copy or export the hits and the statistics of a search result using the options on the
following table:
TABLE 7-10 Result Copy or Export Options

Option: Description

All Hits in Case: Saves all the search terms found from the entire case.
All Hits in Search: Saves all the search terms found in each search branch.
All File Stats in Case: Creates a .CSV file of all file information in the case.
All File Stats in Search: Creates a .CSV file of the file information requested in the
    search.

After the information is copied to the clipboard, it can be pasted into a text editor or
spreadsheet and saved.
Search results can then be added to the case report as supplementary files.

USING COPY SPECIAL TO DOCUMENT SEARCH RESULTS
The Copy Special feature allows the copying of specific information about files to the
clipboard or a file.
To copy information about the files in your search results:
1. In the Index Search Results list, highlight the search hit you want to document.
2. Find that file highlighted in the File List view.
3. Right-click on the desired file.
4. Select Copy Special.
5. In the Copy Special dialog, under Choose Columns, click the drop-down to select the
column definition to use, or click Column Settings to define a new column template.
Figure 7-9 Select Column Settings to Export with Copy Special
5a. Modify the column template in the Column Settings Manager. For more
information on customizing column templates, see “Customizing File List
Columns” on page 213.
6. Mark Include Header Row if you want a header row included in the exported file.
7. Under File List Items to Copy, select from All Highlighted, All Checked, Currently
Listed, or All to specify which files you want the Copy Special to apply to.
8. Click OK.

BOOKMARKING SEARCH RESULTS
To keep track of the files that were returned in a particular search, bookmark the search
results. Bookmarks from the search results in the file list can be created or added to a
bookmark as with any other data.
To create a bookmark from the file list:
1. Select the files you want to include in the bookmark.
2. Right-click the selected files then select Create Bookmark.
3. Complete the Create New Bookmark dialog. For more information, see “Creating a
Bookmark” on page 129.
4. Click OK.

The bookmark now appears in the Bookmark tab.


Chapter 8 Using Filters

AccessData Forensic Toolkit (FTK) can filter files by their metadata to find specific
evidence. For example, FTK can filter a large number of graphics by creation date to
see only those made during a certain time frame.
The interface for the Filter function is intended to work as a handy side-utility. It can be
dragged to any part of the screen and used at any time.

THE FILTER TOOLBAR
The Filter toolbar contains the tools you need to create and manage filters for viewing
your case data.
Figure 8-1 The Filter Toolbar

For an explanation of the filter toolbar and its components, see “QuickPicks Filter” on
page 101.


APPLYING AN EXISTING FILTER
FTK contains the following predefined filters:
TABLE 8-1 Pre-defined Filters

Filter: Description

Archive Files: Shows only archive file items.
Bad Extension Files: Shows only the files with extensions that don’t match the detected
    file type.
Carved Files: Shows only the items that have been carved.
Checked Files: Shows only the items that you have selected with a checkmark.
Decrypted Files: Shows only the items that have been decrypted by AccessData tools,
    or have been decrypted by the user then added to the case.
Deleted Files: Shows only those items that have the deleted status.
Duplicate Files: Shows only items that have duplicates. Displays the primary copy and
    all secondary copies of each file that occurs more than once in the case.
Email Attachments: Shows all items sent as attachments to a message, but does not
    include the most recent email “container” message.
Email Files: Shows only those items that have the email status.
Email Files and Attachments: Shows all email items including email messages, related
    attachments, and others, such as notes, appointments, and so forth.
Encrypted Files: Shows only those items flagged as EFS files, items encrypted by other
    means, and compressed files.
Evidence Items: Shows all items added as evidence without their descendants.
Flagged Ignorable: Shows only those items you have identified as Ignorable.
Flagged Privileged: Shows only those items you have identified as Privileged.
Folders: Shows only folder items.
From Recycle Bin: Shows only those items found in one of the system recycle bin
    folders.
Graphic Files: Shows only those items that have been identified as graphics.
KFF Alert Files: Shows items flagged Alert by the KFF.
Microsoft Office Files: Shows Word, Access, PowerPoint, and Excel files.
KFF Ignore Files: Shows items flagged Ignore by the KFF.
No Deleted: Shows all items that do not have Deleted status.
No Duplicate: Shows all files, but where duplicates are found, includes only the primary
    copy (generally the first instance encountered by the program during processing),
    and does not display any secondary duplicate files (all subsequent instances of a
    file whose hash exactly matches another instance of a file already added to the
    case).
No KFF Ignore Files: Shows all items except those flagged Ignore by the KFF.
Not Flagged Ignorable: Shows all items but those you indicated Ignorable.
No KFF Ignore or OLE Subitems: Shows all items but KFF ignore files or OLE subitems.
No KFF Ignore or OLE Subitems or Duplicate: Shows all items except KFF ignore files,
    OLE subitems, or duplicate items.
Not Flagged Privileged: Shows all items but those you flagged Privileged.
OLE Subitems: Shows only OLE archive items and archive contents.
Reclassified Files: Shows only those items whose classification you have changed.
Registry Files: Shows Windows 9x and NT registry files.
Thumbs.db Files: Shows Thumbs.db files.
Unchecked Files: Shows only those items that you have not checked.
User-decrypted Files: Shows only those items that you have decrypted and added to the
    case.
Web Artifacts: Shows HTML, Index.dat, and empty Index.dat files.
No Unimportant OLE Streams: Shows all items not affected by the Unimportant OLE
    Streams filter.
Unimportant OLE Streams: Shows all items from OLE Streams that are in the set of
    categories in the Unimportant OLE Stream Categories (UOSC).
Unimportant OLE Stream Categories: Shows all items in their Unimportant OLE
    Streams Categories.

To apply an existing filter, use the Filter drop-down list on the File List toolbar,
displayed in the following figure.


Figure 8-2 File List Toolbar Filter Dropdown List

CREATING A FILTER
You can create or modify your own filters. These custom filters are saved with the case
in which they are created.
Filters consist of a name, a description, and as many rules as you need. A filter rule
consists of a property, an operator, and one or two criteria. (You might have two criteria
in something like a date range.)
1. Select Unfiltered from the Select a Filter drop-down menu.
2. Click Filter > New, or click Define on the Filter toolbar.
3. Type a name and a short description of the filter.
4. Select a property from the drop-down menu.
5. Select an operator from the Operators drop-down menu.
6. Select the applicable criteria from the Criteria drop-down menu.

Each property has its own set of operators, and each operator has its own set of
criteria. The combinations are vast to allow you to customize filters that fit your
needs.

7. Select the Match Any operator to filter out data that satisfies any one of the filter
rules, or the Match All operator to filter out data that satisfies all rules of the filter.
8. Click Save. The filter you just created is now the active filter.
9. Click Close.

Test the filter without having to save it first by selecting the Live Preview checkbox to
test the filter while creating it.
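The filter model the steps above describe (a name, a description, rules made of a property, an operator and one or two criteria, combined with Match Any or Match All) as an added Python example. It is not FTK's filter engine: the operator names, the property names and the file metadata records are constructed for this page, and the "between" operator stands in for the two-criteria date-range case mentioned above.

```python
from datetime import date

# Constructed file metadata records standing in for a case's File List.
FILES = [
    {"name": "photo1.jpg", "type": "JPEG", "size": 204800,
     "created": date(2008, 3, 14), "deleted": False},
    {"name": "invoice.pdf", "type": "PDF", "size": 51200,
     "created": date(2008, 1, 2), "deleted": False},
    # a JPEG carrying a .txt extension: what the Bad Extension Files filter targets
    {"name": "readme.txt", "type": "JPEG", "size": 98304,
     "created": date(2008, 3, 20), "deleted": True},
    {"name": "old.doc", "type": "MS Word", "size": 1024,
     "created": date(2007, 11, 30), "deleted": True},
]

# Operator name -> test(value, criteria tuple); "between" is the two-criteria case.
OPERATORS = {
    "equals":       lambda v, c: v == c[0],
    "not equals":   lambda v, c: v != c[0],
    "contains":     lambda v, c: str(c[0]).lower() in str(v).lower(),
    "less than":    lambda v, c: v < c[0],
    "greater than": lambda v, c: v > c[0],
    "between":      lambda v, c: c[0] <= v <= c[1],
}


def _criteria(crit):
    """One criterion or a tuple of two, normalised to a tuple."""
    return crit if isinstance(crit, tuple) else (crit,)


def make_filter(name, description, rules, match="All"):
    """A filter: name, description, (property, operator, criteria) rules, and
    whether a record must satisfy All rules or Any one of them."""
    if match not in ("All", "Any"):
        raise ValueError("match must be All or Any")
    for _prop, op, crit in rules:
        if op not in OPERATORS:
            raise ValueError("unknown operator: %r" % op)
        if op == "between" and len(_criteria(crit)) != 2:
            raise ValueError("between needs exactly two criteria")
    return {"name": name, "description": description, "rules": list(rules),
            "match": match}


def rule_matches(rule, record):
    prop, op, crit = rule
    return OPERATORS[op](record[prop], _criteria(crit))


def apply_filter(flt, records):
    """Names of the records the filter keeps: Match All requires every rule to
    hold, Match Any is satisfied by a single rule."""
    combine = all if flt["match"] == "All" else any
    return sorted(r["name"] for r in records
                  if combine(rule_matches(rule, r) for rule in flt["rules"]))


EXAMPLE_FILTERS = [
    make_filter("March 2008 graphics", "JPEG items created during March 2008",
                [("type", "equals", "JPEG"),
                 ("created", "between", (date(2008, 3, 1), date(2008, 3, 31)))]),
    make_filter("Deleted or tiny", "Deleted items, or anything under 2 KB",
                [("deleted", "equals", True), ("size", "less than", 2048)],
                match="Any"),
]


def run_examples(records=FILES):
    """Filter name -> matching file names, for each example filter."""
    return {f["name"]: apply_filter(f, records) for f in EXAMPLE_FILTERS}


if __name__ == "__main__":
    for name, hits in run_examples().items():
        print(name, "->", hits)
```

Note that "readme.txt" satisfies the graphics filter because the rule tests the detected type, not the extension; a filter that compares two properties of the same record (as the predefined Bad Extension Files filter does) cannot be expressed with single-property rules and needs its own logic.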

REFINING A FILTER
As the investigation progresses, investigators become more familiar with patterns and
file types needed in the case, and can adjust the filters to find this specific data. The
following figure displays the Filter Definition dialog used for changing and refining
filters.
Figure 8-3 Filter Definition Dialog

To modify an existing filter:
1. Select the filter you want to modify from the Filter drop-down list.
2. Click Define.
3. To make your filters more precise, click the Plus (+) button to add a rule, or the
Minus (–) button to remove one.
4. When you are satisfied with the filter you have created or modified, click Save, then
Close.
5. Select the newly created filter from the Filter drop-down in the toolbar to apply it.

DELETING A FILTER
You can delete a custom filter if you no longer need it. Predefined, or system, filters
cannot be deleted or modified.
To delete a custom filter:
1. Select the filter to delete from the Filter drop-down menu list.
2. Click Filter > Delete, or click the Delete Filter button on the Filter toolbar.
3. Confirm the deletion.

USING THE KNOWN FILE FILTER
The Known File Filter (KFF) is a utility that uses a database of hash values of known
files to filter the files found in the evidence. The purpose of the KFF is to eliminate
unimportant files, or to identify and alert the user to known files with illicit content. It
also checks for duplicate files. When you add evidence to the case, select KFF to
compare all the files in the case to the hash values contained in the KFF database.
FTK creates and records hashes of the files it discovers in the evidence to demonstrate
that the files have not been modified since acquisition, and to allow for quick
determination if two files have the same contents.

UNDERSTANDING KFF HASHES
FTK includes hashes from two major reporting agencies, the National Institute of
Standards and Technology (NIST), and Hashkeeper, created and maintained by the
National Drug Intelligence Center (NDIC). The toolkit also provides a mechanism for
the addition of hashes from other sources to the KFF database. When you select a set in
FTK, the source reporting agency is displayed in a text box. It is good practice when
creating sets to put your own agency in the source field so that other investigators
know where the hashes came from.


IMPORTING KFF HASHES
When using the Import KFF Hashes feature, you can import hashes from several
supported formats.
To import hashes to the KFF database, do the following steps:
1. Click Tools > KFF > Manage to open the KFF Administration dialog.
2. Click Import to open the KFF Hash Import dialog.
3. Click Add File. In the Add KFF Source File to Import List dialog you can choose to
import any of the following file types:
• AccessData Hash Database (.hdb)
• FTK Imager Hash List (.csv)
• Hashkeeper Hash Set (.hke, hke.txt)
• Tab Separated Value (.tsv)
• National Software Reference Library (.nsrl)
• Hash (.hash)
• FTK.0 (.KFF)
3a. Click the Status drop-down list to select either Alert or Ignore status for the list
you are importing.
3b. Browse to the path where the new source file is found.
3c. Type a name for the new source.
3d. Include a description of the new source file.
3e. Mark the Import Entire Directory box if all the files in the source path are to be
included in this import.
3f. Click OK to close this dialog and return to the KFF Hash Import dialog keeping
the new source files, or click Cancel to close this dialog without adding the new
source files.
4. In the KFF Hash Import dialog verify the files to import, and click Process Files.
The imported hash set is merged into the existing hash set and saved. Duplicate
hashes are overwritten.

EXPORTING KFF HASHES
To export a KFF hash file, follow these steps:
1. Click Tools > KFF > Manage.
2. Click Export.
3. Select the location to which you want to save the exported KFF file. FTK saves the
file as .kff by default.
4. Click Save.

UNDERSTANDING THE KFF DATABASE
FTK divides hashes into the following tables:
TABLE 8-2 KFF Library Groups

Table: Description

AccessData: These tables contain the hashes, sets and groups which are distributed with
    FTK. You can create groups from these sets, but the sets are read-only.
User Created: Create your own sets and groups. You should create non-case-specific
    hash sets and groups here. Sets or groups in these tables are accessible to anyone
    using the same KFF database instance (cases are stored in the same database).
    Groups in these tables may include sets from the AccessData or shared tables but
    not from the case-specific tables.

When setting the status of sets or groups it is important to be mindful of other
investigators or cases which may be using the KFF database. Remember that all cases
will have access to the AccessData and user tables so if you want to adjust statuses for
your case without interfering with other investigations you should create case specific
sets or groups.

STORING HASHES IN THE KFF DATABASE
The KFF database organizes hashes into sets and groups.
A set represents a related collection of evidence files. For example, WordPerfect 5.1,
Quicken 7, or a collection of photographs taken at a suspect’s home.
A group represents a collection of related sets. For example, legitimate software,
known child pornography, or known hacker tools.
Sets and groups allow investigators to rapidly specify which kinds of files they want to
be alerted to, to more easily comply with search warrant limitations by rapidly
disregarding files outside the warrant, and to make the KFF more manageable and easier
to use.
Each set or group is assigned a status so that FTK can respond when it encounters
hashes that belong to the set or group.
Assign any of the following statuses to a set or group:
TABLE 8-3 KFF Group Status Options

Status: Description

Alert: Selecting this status indicates to the Forensic Toolkit that you want to be alerted
    to the existence of any file in the set or group.
Disregard: This case-specific status allows the investigator to avoid violating search
    warrant limitations. You can mark a group with the Disregard status to treat any
    matching files as if they were unknown. The files will still be indexed, carved, and
    can be searched, but the Forensic Toolkit will not automatically alert the investigator
    to their presence in the suspect’s drive image.
Ignore: This status is used to identify files that are without forensic significance (known
    software packages or shared DLLs, for example). Utilizing this status allows the
    Forensic Toolkit to sift these uninteresting files away from the investigator’s view.

The group’s status supersedes the statuses of any of its sets without actually changing
the sets’ statuses. You can manually change the status of thousands of sets that don’t
apply to your case, or you can simply organize all of those sets into related groups and
change each group’s status. Any time you dissolve a group, each set in that group
retains the status it had prior to forming the group.
Only groups are analyzed. The two default groups, Alert and Ignore, update
dynamically as a user modifies sets. They contain all sets in the KFF and cannot be
modified manually by the user.
If you have included the same set in two different groups, FTK prioritizes the status and
returns the highest-priority status:
1. Disregard
2. Alert
3. Ignore
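The set-and-group model, the status priority just listed, and the duplicate detection mentioned under “Using the Known File Filter”, as an added Python example that is not FTK's KFF code. The evidence bytes, set names, source agencies, group names and statuses are all constructed for this page, and MD5 is assumed as the lookup key.

```python
import hashlib

# Constructed in-memory "evidence": file name -> contents.  No real KFF data is used.
EVIDENCE = {
    "kernel32.dll":   b"MZ\x90\x00 constructed stand-in for an OS library",
    "suspect.jpg":    b"\xff\xd8\xff\xe0 constructed photo bytes",
    "tool.exe":       b"MZ\x90\x00 constructed stand-in for a known hacker tool",
    "notes.txt":      b"meeting at 9",
    "notes copy.txt": b"meeting at 9",        # byte-identical duplicate
}


def file_hash(data):
    """MD5 is assumed here as the KFF lookup key."""
    return hashlib.md5(data).hexdigest()


# Sets: related collections of hashes, each recording the agency that supplied it.
KFF_SETS = {
    "Windows system files": {"source": "Example Lab (constructed)",
                             "hashes": {file_hash(EVIDENCE["kernel32.dll"])}},
    "Known hacker tools":   {"source": "Example Lab (constructed)",
                             "hashes": {file_hash(EVIDENCE["tool.exe"])}},
    "Outside the warrant":  {"source": "Example PD (constructed)",
                             "hashes": {file_hash(EVIDENCE["suspect.jpg"]),
                                        file_hash(EVIDENCE["tool.exe"])}},
}

# Groups: collections of sets.  Only groups carry the status that is acted on.
KFF_GROUPS = {
    "Legitimate software": {"status": "Ignore",    "sets": ["Windows system files"]},
    "Hacker tools":        {"status": "Alert",     "sets": ["Known hacker tools"]},
    "Warrant exclusions":  {"status": "Disregard", "sets": ["Outside the warrant"]},
}

# Priority when one hash is reached through groups with different statuses.
STATUS_PRIORITY = ["Disregard", "Alert", "Ignore"]


def kff_status(digest, sets=KFF_SETS, groups=KFF_GROUPS):
    """Highest-priority status among every group containing a set that holds the
    hash, or None when the hash is unknown to the KFF."""
    found = [g["status"] for g in groups.values()
             if any(digest in sets[s]["hashes"] for s in g["sets"])]
    if not found:
        return None
    return min(found, key=STATUS_PRIORITY.index)


def classify(evidence=EVIDENCE, sets=KFF_SETS, groups=KFF_GROUPS):
    """file name -> KFF status for every item in the evidence."""
    return {name: kff_status(file_hash(data), sets, groups)
            for name, data in evidence.items()}


def find_duplicates(evidence=EVIDENCE):
    """(primary, [secondaries]) for each hash seen more than once; the primary is
    the first instance encountered, as in the No Duplicate filter."""
    seen = {}
    for name, data in evidence.items():
        seen.setdefault(file_hash(data), []).append(name)
    return [(names[0], names[1:]) for names in seen.values() if len(names) > 1]


if __name__ == "__main__":
    for name, status in classify().items():
        print("%-15s %s" % (name, status))
    print("duplicates:", find_duplicates())
```

"tool.exe" sits in a set inside the Alert group and in another set inside the Disregard group, so Disregard wins, exactly the ordering in the list above; a file whose hash is in no set at all gets no status and is treated as unknown.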


CREATING SETS AND GROUPS
To create sets and organize them into groups, follow these steps:
1. Select Tools > KFF > Manage.
2. Click New.

3. Name the group.
4. Assign the group a status.
5. Select the sets you want in the group from the Available Sets list and move them to
the Items in Group list by clicking the arrow button.
6. Click Apply to create the group without closing the Create New KFF dialog.
7. Click OK to save the group and close.


Chapter 9 Decrypting Encrypted
Files

DECRYPTING FILES AND FOLDERS
FTK 2.2 is designed to decrypt EFS, Microsoft Office, and Lotus Notes (NSF) files and
folders. To do so, the password must already be known. To find the passwords, export
encrypted files and add them as jobs in PRTK or DNA. When passwords are found, you
are ready to decrypt the encrypted files in FTK 2.2.
Click Tools > Decrypt Files to begin decryption. The following figure displays the
decryption menu:


Figure 9-1 Decrypt Files Dialog

To use the decryption menu, do the following:
1. Type a password in the Password box.
1a. Confirm the password by typing it again in the Confirm Password box.
2. Mark Permanently Mask to display the password in the Saved Passwords list as
asterisks, hiding the actual password.
3. Click Save Password to save the password into the Saved Password List.
4. Mark Attempt Blank Password to decrypt files with no password, or whose password is
blank.
Note: FTK 2.2 will automatically detect encrypted files in the case. Decrypt File Types will
automatically be marked according to the file types found. Unselect any file types you
do not wish to decrypt.
5. Click Decrypt to begin the decryption process.
Note: The Decrypt button is disabled until at least one password is entered, or until Attempt
Blank Password is marked.
6. Click Cancel to return to the case.

DECRYPTING WINDOWS EFS FILES
Windows 2000, XP Professional, 2003, and Vista include the ability to encrypt files and
folders through the Encrypting File System (EFS). AccessData Forensic Toolkit (FTK)
can decrypt EFS-protected files when the user's or Recovery Agent's password is known,
so that additional evidence can be uncovered.

UNDERSTANDING EFS
EFS is built in to Windows 2000, XP Professional, 2003, and Vista. It is not supported in
Windows XP Home Edition.
EFS can be used to encrypt files or folders. Within Windows, EFS files or folders can be
viewed only by the user who encrypted them or by the user who is the authorized
Recovery Agent. When the user logs in, encrypted files and folders are seamlessly
decrypted and the files are automatically displayed.
There are certain files that cannot be encrypted, including system files, NTFS compressed
files, and files in [drive]:\[Windows_System_Root] and its subdirectories.
Note: All EFS decryption requires the user’s or Recovery Agent’s password.

VIEWING DECRYPTED FILES
Find the decrypted files in the Overview tree, under the File Status > Decrypted Files
branch. Click on an individual file in the File List to view the file in the File Content
pane.

Figure 9-2 Overview Tab Viewing Decrypted Files

Note: Regardless of the encryption type, once decrypted, the files will appear in the File List
Name column as “Decrypted copy of [filename],” as seen in the following figure:

Figure 9-3 File List showing Decrypted Files

 

DECRYPTING DOMAIN ACCOUNT EFS FILES
This section deals with decrypting domain account EFS files using FTK. These can be
decrypted from image files, either individually or as part of a whole image that
contains the encrypted files.
To decrypt EFS files from a file image, perform the following steps:
1. Create a new case with no evidence added.
2. From the main menu, click Evidence > Add/Remove.
3. Click Add.
4. Select Individual File(s).
5. Click OK.
6. Navigate to the PFX path and filename (domain recovery key), or type the full path and filename into the File Name field of the Open dialog.
7. Click Open.
8. Click No when the application asks if you want to create an image of the evidence you are adding.
9. Select the proper time zone for the PFX file from the Time Zone drop-down list in the Manage Evidence window, and click OK.
FTK 2.2 begins processing the PFX file and the progress dialog appears.
Note:

DECRYPTING CREDANT FILES
Credant encryption is file-based and works much like EFS. Process drives with Credant
encryption normally. The Credant Decryption option in the Tools menu is unavailable
unless the image contains Credant encryption.
Click Tools > Credant Decryption to open the Credant decryption options, as displayed in
the following figure:
Figure 9-4 Credant Decryption Dialog

The Credant integration for FTK allows two options for decryption: offline and online.
For a key bundle located on the user's local machine or network, use the offline option.
For a key bundle located on a remote server, use the online option.

USING AN OFFLINE KEY BUNDLE
Offline decryption is quicker and more convenient if the key bundle can be placed on
the investigator's local computer. To decrypt a Credant-encrypted image offline, select
the key bundle file and enter the password that protects it:
1. Click Tools > Credant Decryption to open the Credant decryption options dialog.
2. Select the key bundle file by entering its location or browsing to it.
3. Enter the password.
4. Re-enter the password.
5. Click OK.

USING AN ONLINE KEY BUNDLE
Online decryption can occur only when the machine processing the image can directly
access the Credant server over the network. The following figure displays the online
tab:

Figure 9-5 Credant Decryption Online Tab Options

Usually FTK auto-populates the Credant Machine ID and Credant Shield ID fields. The
Credant Machine ID can be found on the Credant server as the Unique ID on the Properties
tab. The Credant Shield ID can be found as the “Recovery ID” on the “Shield” tab. It
looks similar to this: “ZE3HM8WW”.
The Server Data group box contains information on how to contact the Credant
server. It includes the Credant Server user name, password, and IP address. The port
should be 8081, and is auto-populated.
Offline decryption requires you to get a key bundle file from the server. You need to
select the key bundle file and enter the password used to encrypt it. You can get the key
bundle file by executing CFGetBundle.exe with a command that looks like this:

    CFGetBundle -Xhttps://10.1.1.131:8081/xapi -asuperadmin -Achangeit
    -dcredantxp1.accessdata.lab -sZE3HM8WW -oKeyBundle.bin -ipassword

    -X  the server address
    -a  the administrator name
    -A  the administrator password
    -d  the Machine ID
    -s  the Shield ID
    -o  the output file
    -i  the password used to encrypt the key bundle

Note that all command line switches are case sensitive, and there is no space between a
switch and its value. Because the administrator password (-A) and the bundle password
(-i) are passed on the command line, they can end up in the shell history and be visible
to other users of the machine while the command runs; run it on the investigator's own
machine and clear the history afterwards.
Once you have used either the online or offline method, the files are decrypted
immediately and each decrypted file becomes a child of the encrypted file. After
decryption, the files are processed with the same settings last used to process a file.

DECRYPTING SAFEGUARD UTIMACO FILES
Safeguard Utimaco is a full-disk encryption program.
Figure 9-6 Provide the Safeguard Encryption Credentials

The Safeguard dialog box appears only when FTK 2.2 reads a valid Utimaco-encrypted
image.
The username and password used to create the encrypted image are required for
decryption. Once the credentials have been added, click OK to return to the Manage
Evidence dialog. Select a time zone from the Time Zone drop-down, then click OK to
begin processing.

Important: Type the User Name and Password carefully and verify both
before clicking OK. If this information is entered incorrectly, FTK 2.2
checks the entire image for matching information before returning with
an error message. Each wrong entry results in a longer wait.

DECRYPTING SAFEBOOT FILES
SafeBoot is a program that encrypts drives and/or partitions. When FTK 2.2 detects a
SafeBoot-encrypted drive or partition, the following dialog is displayed.
Figure 9-7 SafeBoot Encryption Key Entry

The encryption key must be available to enter into the Key field. All recognized
partitions are selected by default, up to a maximum of eight. You can unselect any
partition you wish not to add to the case.
Once the key has been added and the appropriate partitions selected, click OK to return
to the Manage Evidence dialog. Select a time zone from the Time Zone drop-down,
then click OK to begin processing.

Chapter 10 Working with Reports

Upon completion of the case investigation, AccessData Forensic Toolkit (FTK) can
create a report that summarizes the relevant evidence of the case. The final report is
made available in several formats including one that is viewable in a standard Web
browser.

CREATING A REPORT
Create a report with the Report Wizard. Access the Report Wizard by selecting File >
Report. The Report Wizard is displayed in the following figure:

Figure 10-1 Report Options Dialog

To create a report:
1. Enter basic case information.
2. Select the properties of bookmarks to include in the report.
3. Decide how to handle graphics in the report.
4. Decide whether to include a file path list.
5. Decide whether to include a file properties list.
6. Select the properties of the file properties list.
7. Add the Registry Viewer sections to include in the report.

Each step is discussed in detail in the following sections.

SAVING SETTINGS
Report settings are automatically saved when you finish specifying the report settings
and click OK to generate the report.
Export report settings at any time while creating a report, and after you finish specifying
the report settings. Import and reapply those settings to a new report, or to a report in a
new case, as desired.

To export report settings do the following:
1. Click Export. The Export Selections dialog opens.
2. Check the Section Names to include in the exported settings file.
3. Click OK.
4. Type a name for the exported settings file.
5. Click OK to save the settings as an .XML file.

To import settings to a new report in this or another case, perform the following steps:
1. Open this case or a different case.
2. Click File > Report > Import.
3. Browse to and select the exported settings .XML file you want to import.
4. Click Open to import the settings file to your current case and report.

ENTERING BASIC CASE INFORMATION
The Case Information dialog provides fields for basic case information, such as the
investigator and the organization that analyzed the case. The following figure displays
the Report Options dialog with the basic case information displayed.

Figure 10-2 Basic Case Information

To include basic case information in the report, check the Case Information box in the
Report Outline on the left side of the screen. In the Default Entries pane, check the
entries to include in the report (all are checked by default). Double-click the Value field
to enter the required information.
Add and remove entries with the Add and Remove buttons below Default Entries. Mark
the Include File Extensions box to include a File Extensions List and count in the File
Overview portion of the report.

Important: The default setting is intentionally unchecked, as the File
Extensions List is long and may span many pages. If you intend to print
the file, this may not be desirable.
To add an entry for case information do the following:
1. Click Add. A new entry line appears at the bottom of the list.
2. Provide a label and a value for the new entry.

To remove a Case Information entry, do the following:
1. Highlight the entry line to be removed.
2. Click Remove.

Important: Below the Case Information pane there is a checkbox, Include File
Extensions, which is unmarked by default. To include in the report a list of file
extensions such as is found in Overview > File Extensions, mark the Include File
Extensions box. The list of file extensions appears in the report under Case
Information, after File Items and File Category, and before File Status.

INCLUDING BOOKMARKS
Marking the Bookmarks checkbox creates a section in the report that lists the bookmarks
that were created during the case investigation, as displayed in the following figure.
To omit the bookmark section, unselect the Bookmarks checkbox.
Figure 10-3 Bookmark Report Options

Mark the boxes to include Shared and/or User bookmarks.

• Choose whether to export the files and include links to them in the report when it
is generated.

• Choose whether to include graphic thumbnails that may be part of any bookmarks.

SELECTING SORT OPTIONS
Select the primary sort criterion for the bookmarks by clicking Sort Options. To set the
sort order for the bookmarks in the report, do the following:
1. Click Sort Options to open the Sort Options dialog.
2. Add a sort line by clicking Plus (+). Remove a sort line by clicking Minus (-).
3. Add sorting criteria by clicking the drop-down list button at the right end of the sort line.
4. Click OK to close the dialog when you are satisfied with the sort options you have selected.

SETTING BOOKMARK COLUMNS
The columns can be modified to display specific information about bookmarks
included in the report.

Figure 10-4

To modify the column setting, click Columns. The Column Settings dialog opens. Select
a pre-defined columns template, or create your own. For more information on setting
columns, see “Customizing File List Columns” on page 213.

INCLUDING GRAPHICS
Mark the Graphics box under Report Outline to include graphics in the report. The
Graphics section in the report displays thumbnail images of the graphics in the case
and can link them to original graphics if desired, as displayed in the following figure.

Figure 10-5 Report Options: Graphics

Select the options as follows:
1. Apply no filter, or one of several filters, to your graphics files.
2. If desired, mark the box to Export and link full-size graphics to thumbnails. This allows the person viewing the report to click on a thumbnail and see the original graphic that was found in the case.
3. Choose either of the following:
   • Include checked graphics only
   • Include all graphics in the case
4. Set the number of graphics to display per row.
5. If you want filenames displayed all together at the end of the report, mark the box for Group all filenames at end of report. If this box is not marked, each filename displays with its respective thumbnail.
6. Click Sort Options to access the Sort Options page.

Figure 10-6 Report Graphics Sort Options

7. Set the desired sort options (note that only two options, Name and Path, are available here).
8. Click OK to return to the Bookmark Options page for the report.

SELECTING A FILE PATH LIST
The List by File Path option creates a section in the report that lists the file paths of files
in selected categories. The List by File Path section simply displays the files and their
file paths; it does not contain any additional information. Files can be exported and
linked from the File Path list by checking the category items to be exported.

Figure 10-7 File Path Report Options

Drag and drop an item from the Available Categories pane to the Selected Categories pane
to copy an item and its parent category. You can then check a category item to export
its contents to the report. Checking a parent item automatically selects the child files
and folders of that parent item.

SELECTING A FILE PROPERTIES LIST
The File Properties options allow the creation of a section in the report that lists file
properties for files in selected categories. The options are displayed in the following
figure.

Figure 10-8 File Properties Report Options

Drag and drop items from the Available Categories list to the Selected Categories list. Check
items in Selected Categories to export them to the report. Checking a parent item
automatically selects the child files and folders contained in the parent item.
To modify the Sort Options, click Sort Options. For more information on modifying the
Sort Options, see “Selecting Sort Options” on page 196.
To modify column settings, click Columns. The Column Settings dialog opens. For more
information on setting columns, see “Customizing File List Columns” on page 213.

REGISTRY SELECTIONS
If the evidence drive image contains registry files, they can be included in the report
through the Registry Selections report options.

Figure 10-9 Registry Selections Report Options

In the Registry File Types window, mark the file types for headings to include in the
report. In the right window, check the registry files to be included in the report.
Check the Include user generated reports (if any) box if you have AccessData Registry Viewer
reports generated and you want to create FTK report links to the Registry Viewer
reports.
Checking this box without the Registry Viewer report(s) having been previously generated will
create an empty link.

RUNNING THE REPORT
When all report options have been selected, click OK to display the Report Output
dialog.

SELECTING THE REPORT LOCATION
The Report Output dialog allows the selection of the report location, report file output
type(s), and the selection of a custom logo for the HTML format report.

Figure 10-10 Report Output Dialog

To select the report location do the following:
1. Type the folder to save the report to, or use the Browse button to find a location.
2. Use the drop-down arrow to select the output language of the report.
3. Indicate the output format(s) to generate the report in.
4. Select the Export Options for the report. These are not required; you can choose either, neither, or both. Options are:
   • Use object identification number for filename.
   • Append extension to filename if bad/absent.
5. To add a custom graphic or company logo to the HTML format of the report, mark the Use custom logo graphic checkbox, then browse to and select the graphic file to use. The selected custom graphic is used in the HTML report.
6. When output selections have been made, click OK to begin report generation.

CREATING THE REPORT
When the options are selected and you click OK, the Data Processing Status window
appears. The progress bar dialog indicates the progress of the report.
The report displays when processing is complete. You can process only one report at a
time.
If another report generation is attempted while a report is generating, you are
prompted to wait, as in the following dialog.

Figure 10-11 A Report is Processing. Please Wait

VIEWING A REPORT
The report contains the information that you selected in the Report Wizard. When
included in the report, files appear both as raw data and in the report format. An
example of the main page of the HTML report (index.htm) is displayed in the following
figure.
Figure 10-12 HTML Case Report

The following figure represents the PDF version of the report as displayed in a viewer.

Figure 10-13 PDF Report

To view the report without opening it from FTK, browse to and click on the report file.
The report will open in the appropriate program for the report file type selected. For
example:

• Click on index.htm to open an HTML document in a Web browser.
• Click on the file report.pdf to open the report in a PDF viewer.
• Click on the file report.docx to open the report in Microsoft Word 2007.

INTERNATIONAL DATE AND TIME STAMP ISSUE
When a report is generated, the date and time stamp are in the preferred format for
the computer that generated the report. For example, a date of 02/01/2003 could be
interpreted as 2 January 2003 (in the European format) or 1 February 2003 (in the
United States format). This interpretation could cause problems with internationally
circulated cases and reports.

Important: To avoid confusion, notify recipients of the date and time format
of the computer that generated the report. There is currently no specific
option to change this.
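The ambiguity described above, shown on constructed dates, together with the rendering a practitioner would use when a report crosses borders. This is an added example and not FTK code; the format labels and the function names are this example's own. It enumerates every valid reading of a slash-separated numeric date, tells an ambiguous date (02/01/2003) from one that only parses one way (13/01/2003) or reads the same both ways (05/05/2003), and renders timestamps as ISO 8601 with an explicit UTC offset, refusing naive ones.

```python
from datetime import date, datetime, timedelta, timezone

# (label, index of the month field, index of the day field) in "a/b/yyyy"
FORMATS = (("US (MM/DD/YYYY)", 0, 1), ("European (DD/MM/YYYY)", 1, 0))


def interpretations(text):
    """Every valid reading of a numeric date such as '02/01/2003'.

    Returns a dict of format label -> date.  A string like '13/01/2003'
    yields only the European reading, because 13 cannot be a month.
    """
    parts = [int(p) for p in text.split("/")]
    if len(parts) != 3:
        raise ValueError("expected a/b/yyyy, got %r" % text)
    year = parts[2]
    readings = {}
    for label, month_idx, day_idx in FORMATS:
        try:
            readings[label] = date(year, parts[month_idx], parts[day_idx])
        except ValueError:
            pass  # this reading is impossible for these digits
    return readings


def is_ambiguous(text):
    """True when the readings are both valid and name different days."""
    return len(set(interpretations(text).values())) > 1


def unambiguous_stamp(moment):
    """ISO 8601 with a four-digit year first and an explicit UTC offset,
    e.g. 2003-02-01T14:30:00+00:00, so every recipient reads it the same way.

    Naive datetimes are rejected: without the offset the time part is as
    dependent on the generating computer as the date format is.
    """
    if moment.tzinfo is None or moment.utcoffset() is None:
        raise ValueError("timestamp must carry a UTC offset")
    return moment.isoformat(timespec="seconds")


def stamp_for(year, month, day, hour, minute, offset_hours):
    """Build an aware datetime at a fixed UTC offset and render it."""
    tz = timezone(timedelta(hours=offset_hours))
    return unambiguous_stamp(datetime(year, month, day, hour, minute, tzinfo=tz))


def naive_stamp_is_rejected():
    """Confirms the guard above: a constructed naive datetime is refused."""
    try:
        unambiguous_stamp(datetime(2003, 2, 1, 14, 30))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ("02/01/2003", "13/01/2003", "05/05/2003"):
        print(sample, "ambiguous" if is_ambiguous(sample) else "unambiguous",
              {k: v.isoformat() for k, v in interpretations(sample).items()})
    print(stamp_for(2003, 2, 1, 14, 30, 0))
```

If a report's dates must be communicated by hand, quoting them in the ISO form shown by unambiguous_stamp removes the need to tell recipients which locale generated the report.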

MODIFYING A REPORT
Once a report is generated, it cannot be edited or modified as you would a word-processing
document. To modify a report, recreate it with the added evidence or changed report
settings. Change the report settings for each report as needed. Retract all previously
distributed reports from the recipients to keep all recipients current.

PRINTING A REPORT
Print the report from the program used to view it. The PDF report is designed
specifically for printing hard copies, and will hold its formatting better than the HTML
report.

Chapter 11 Customizing the Interface

The AccessData Forensic Toolkit (FTK) interface provides a highly visual user interface
to make evidence more recognizable and easy to process. This chapter discusses
customizing the interface to accommodate the current case and the user’s personal
style.

CUSTOMIZING OVERVIEW
Adjust the size of the panes in the tabs by hovering over a border with your mouse until
you see a double-arrow. Then click and drag the window to a new size.
Rearrange the order of the tabs by clicking on a tab, then dragging and dropping it in
the desired order.
Add or remove panes from the current tab using the View menu. Click View, then click
the pane you would like to add to the current view. A check mark next to a view item
means it is displayed in the current view; clicking the item again toggles the setting off.
To save the new arrangement, Click View > Tab Layout > Save.

USING THE VIEW MENU TO CUSTOMIZE THE FTK INTERFACE
Use the View menu to control the pane views displayed in each tab. Several tabs are
available by default, but tabs can be customized, or new ones created to fit your needs.
Figure 11-1 FTK View Menu

The View menu contains the following options:
TABLE 11-1 View Menu Options and Sub-options

• Refresh the current view's data
• View the Filter Bar
• Select the desired time zone for viewing
• Choose the display size for graphic thumbnails. Select from the following:
  • Large (default)
  • Medium
  • Small
  • Tiny
• Customize the Tab Layout. Options are:
  • Lock the tabs to prevent changes
  • Add a new tab
  • Remove a tab
  • Save an individual tab
  • Save all tab layouts
  • Restore to before previous change
  • Reset to factory defaults
• Bookmark Tree
• Index Searches
• Live Searches
• Bookmark Information
• File List
• File Content
• Email Attachments
• Explorer Tree
• Properties
• Graphics Tree
• Hex Value Interpreter
• Overview Tree
• Thumbnails
• Email Tree
• Progress Window

CUSTOMIZING THE TAB VIEWS
From the View menu you can add panes to the current tab. Note that the Tree panes,
such as Explorer Tree, or Overview Tree, are “exclusive,” and only one can exist on a
single tab at any time.
To add other panes to a tab, Click View, then click to select the pane to add. A
checkmark next to a pane indicates it is included in the current view. Clicking again
toggles the option off. Options are described in the table below:
TABLE 11-2 View Panes Available from the View Menu

Bookmark Information: In the Bookmark tab, select to display the bookmark information, such as the bookmark's name, the creator's name, comments, and so forth.
File List: Adds the File List pane to the current tab.
File Content: Adds the File Content pane to the current tab.
Email Attachments: Adds the Email Attachment pane to the current tab.
Properties: Adds the Properties pane to the current tab.
Hex Value Interpreter: Adds the Hex Value Interpreter pane to the current tab.
Thumbnails: Adds the Thumbnails Viewer pane to the current tab.

USING THE TAB LAYOUT MENU
Use the options in the Tab Layout menu to save changes to tabs, restore original
settings, and lock settings to prevent changes.
The following table describes the options in the Tab Layout menu:
TABLE 11-3 Tab Layout Menu Options

Lock: Locks the panes in place so that they cannot be moved.
Add: Adds a blank tab to the FTK window. The new tab copies the layout of the current active tab.
Remove: Removes the active tab from the FTK window.
Save: Saves the changes made to the active tab.
Save All Layouts: Saves the changes made to all tabs.
Restore: Restores all tabs to the settings from the last saved layout. Custom settings can be restored.
Reset to Default: Resets all tabs to the settings that came with the program. Custom settings will be lost.

MOVING VIEW PANES
Move view panes on the interface by placing the cursor on the title of the pane, then
clicking, dragging, and dropping the pane on the location desired. Hover the mouse
over the title bar of the pane until a Move icon (a four-direction arrow) appears. Hold
down the mouse button to undock the pane. Use the guide icons to dock the pane in a
pre-set location. The pane can be moved outside of the interface frame.

Figure 11-2 Pane in Movement

To place the view pane at a specific location in the current tab:
1. While dragging a view pane, place the mouse onto a docking icon. The icon changes color.
2. Release the mouse button and the pane seats in its new position.

The following table indicates the docking options available:
TABLE 11-4 Docking Options

• Docks the view pane to the top half of the tab.
• Docks the view pane to the right half of the tab.
• Docks the view pane to the left half of the tab.
• Docks the view pane to the bottom half of the tab.
• Docks the view pane to the top, right, left, bottom, or center of the pane. When docked to the center, the new pane overlaps the original pane, and both are indicated by tabs on the lower perimeter of the pane.
• Docks the view pane to the top, right, left, or bottom of the tree pane. The tree panes cannot be overlapped.
• Locks the panes in the application, making them immovable. When the lock is applied, the blue box turns grey. Toggles when clicked, from locked to unlocked, and back.

CREATING CUSTOM TABS
Create custom tabs to specialize an aspect of an investigation, add in desired features,
apply filters as needed, and to accommodate conditions specific to a case.
To create a custom tab, do the following:
1. Click on an existing tab to use as a template for the new tab.
2. Click View > Tab Layout > Add.
3. Enter a name for the new tab and click OK. The resulting tab is a copy of the tab you were on when you created the new one.
4. From the View menu, select the features you need in your new tab.
Note: Features marked with diamonds are mutually exclusive; only one can exist on a tab at a time. Features with check marks can co-exist in more than one instance on a tab.
5. When satisfied with your new tab's content, click Save to save the current tab's settings, or View > Tab Layout > Save.
6. (Optional) Click View > Tab Layout > Save All to save all changed and added features.
7. To remove tabs, click View > Tab Layout > Remove.

CUSTOMIZING FILE LIST COLUMNS
The Column Settings dialog allows the modification of existing definitions, or the
creation of new definitions, for the columns that display in the File List, and the order in
which they display. Column settings are also used to define what file information
appears in the Bookmark and File Properties sections of case reports.
Using custom column settings, as displayed in the following figure, narrows the
information provided in the File List and case reports. Columns display specific
information about the listed files.

Figure 11-3 Column Settings Options

Custom column settings can be exported as an .XML file, and imported for use in other
cases.
To export column settings to an .xml file, do the following:
1. Click Export.
2. Select a folder and provide a filename for the exported column settings file.
3. Click Save.

To import a column settings file, do the following:
1. From the Column Settings dialog, click Import.
2. Find and select the column settings .xml file.
3. Click Open.

CREATING AND MODIFYING COLUMN SETTINGS
To create or modify column settings:
1. Right-click a heading in the File List, or click the Column Settings button, to open the Manage Columns context menu.
2. Click Column Settings. The Column Settings dialog opens.
3. From the Available Columns pane, select a category from which to use a column heading. Add the entire contents of a category, or expand the category to select individual headings.
Note: Column widths in most view panes can be adjusted by dragging the column borders
wider or narrower.

Click on a column heading in the file list view to sort by that column. Hold down the
Shift key while clicking a column heading to make that column the primary sorted
column while the previously sorted column becomes the secondary sorted column.
To undo a secondary sort, click on a column heading to make it the primary sorted
column.

AVAILABLE COLUMNS
The following tables describe all available columns in the File List. The columns you
actually see depend on which tab and which columns template is selected.
Note: When viewing data in the File List, use the type-down control feature to locate the
information you are looking for. Sort the column first, then type the first letter of what
you are searching for. FTK will move down the list to the first file beginning with that
letter. As you continue to type, the search gets more specific until you have typed the
entire name of the item. You may find exactly what you are looking for with only a few
characters. You can use the scroll button to move up and down the list at any point.
When you find the item in the list, select it.

COMMON FEATURES
The following column headings tend to be most shared among objects.
TABLE 11-5

Common Column Headings

Column

Description

Accessed Date

The timestamp showing when the object was last accessed.

Accessed Date (FAT)

The date the object was last accessed on a FAT system.

Chapter 11 Customizing the Interface

215

TABLE 11-5

216

Common Column Headings

Column

Description

Actual File

Yes (Y) or No (N) value to indicate whether this is an Actual
File which is the file as the user or file system normally sees it,
as opposed to a member of All Files which includes metadata,
document summary info, etc.

Bad Extension

Indicates if the file extension does not match its header.

Carved

Indicates whether the object is carved from another object.

Compressed

Indicates whether the object is compressed. Only set on files.

Compressed File Size

Displays the size of the compressed files. Only set on
compressed files.

Container

Indicates whether the object has child objects.

Created Date

The date the object was created.

Decrypted

Indicates that the object has been decrypted.

Decrypted by User

Indicates that the object has been decrypted by the user
before having been added to the case.

Deleted

Yes (Y) or No (N) value to indicate whether an item was
deleted.

Duplicate File

Indicates whether, based on file hashes, the file is a duplicate
of another file in the case. Options are blank if not a duplicate,
Primary if it was the first instance of the file encountered in
processing, or Secondary, if not the first instance. Any
duplicate file can be elevated to Primary status, and the
original Primary automatically becomes Secondary status.

Encrypted

Indicates whether the object is encrypted. Only set on files.

Extension

Displays the object’s extension.

File Class

An internal enumberation describing what kind of object it is.

File Type

An ID reflecting the identified or reclassified type of a file.

Flagged Ignorable

Indicates that the object was marked as ignorable. Not
accessible to a reviewer.

Flagged Privileged

Indicates that the object was marked as Privileged. Not
accessible to a reviewer.

From Recycle Bin

Yes (Y) or No (N) value to indicate a Recycle Bin index file, or
a recycled file still in the Recycle Bin folder.

Fuzzy Hash

Fuzzy hash of the object’s contents.

Fuzzy hash blocksize

Fuzzy hash blocksize

AccessData FTK 2.2 User Guide


Fuzzy hash library group

Group in the fuzzy hash library that the object’s fuzzy hash matched.

Fuzzy hash library score

Score of the object’s best match against the fuzzy hash library.

Fuzzy hash library status

Status assigned to the object by its fuzzy hash library match.

Item Number

Displays a unique ID number assigned the object by FTK.

Logical Size

Indicates the logical size of an object.

MD5 Hash

Indicates the MD5 hash of the object’s contents.

Modified Date

Indicates the date the object was last modified.

Name

Indicates the name of the object.

Object Type

The type of the object.

Original File Type

Indicates the original type of an object whose type has been
changed.

Path

Shows the full path of an object.

Physical Size

Indicates the amount of space the object takes up on a disk.

Recycle Bin Original Name

Displays the name of a file in the Recycle Bin folder before
the file was recycled.

SHA-1 Hash

Indicates the SHA-1 hash of the object’s contents.

SHA-256 Hash

Indicates the SHA-256 hash of the object’s contents.
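The Bad Extension, hash and Duplicate File columns above are computed from the object's contents alone, and a small script makes their rules concrete. The following is an added example, not FTK's own code: it identifies a few file types by their leading bytes (a tiny signature table, assumed for illustration; FTK's is much larger), hashes each object, and assigns the Primary/Secondary duplicate status in processing order, with an elevate_to_primary helper that re-elects a Secondary as the table describes. The sample objects are constructed, not real evidence. Duplicates are keyed on SHA-256 rather than MD5 because two different files can share an MD5.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Small header-signature table for illustration; FTK ships a much larger one.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}
# Extensions whose on-disk container is one of the types above.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "dll": "exe"}


def identify_by_header(data: bytes) -> Optional[str]:
    """Type implied by the leading bytes, or None when no signature matches."""
    for ftype, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ftype
    return None


def bad_extension(name: str, data: bytes) -> bool:
    """Bad Extension: the header identifies a type and the extension disagrees.
    An unrecognised header cannot be judged, so it is not reported as bad."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    header_type = identify_by_header(data)
    return header_type is not None and header_type != ext


def content_hashes(data: bytes) -> Dict[str, str]:
    """The MD5 Hash, SHA-1 Hash and SHA-256 Hash columns."""
    return {"MD5 Hash": hashlib.md5(data).hexdigest(),
            "SHA-1 Hash": hashlib.sha1(data).hexdigest(),
            "SHA-256 Hash": hashlib.sha256(data).hexdigest()}


def build_rows(items: List[Tuple[str, bytes]]) -> List[dict]:
    """One row per object in processing order. Duplicate File is '' for a unique
    object, 'Primary' for the first instance seen and 'Secondary' for later ones.
    Keyed on SHA-256: MD5 collisions are cheap to manufacture."""
    rows, primary_index = [], {}
    for idx, (name, data) in enumerate(items):
        row = {"Item Number": idx + 1, "Name": name, "Logical Size": len(data),
               "Extension": os.path.splitext(name)[1].lstrip("."),
               "Bad Extension": bad_extension(name, data), "Duplicate File": ""}
        row.update(content_hashes(data))
        key = row["SHA-256 Hash"]
        if key in primary_index:
            rows[primary_index[key]]["Duplicate File"] = "Primary"
            row["Duplicate File"] = "Secondary"
        else:
            primary_index[key] = idx
        rows.append(row)
    return rows


def elevate_to_primary(rows: List[dict], item_number: int) -> None:
    """Promote a Secondary to Primary; the previous Primary becomes Secondary."""
    target = rows[item_number - 1]
    if target["Duplicate File"] != "Secondary":
        return
    for row in rows:
        if row["SHA-256 Hash"] == target["SHA-256 Hash"] and row["Duplicate File"] == "Primary":
            row["Duplicate File"] = "Secondary"
    target["Duplicate File"] = "Primary"


# Constructed sample objects (name, contents); not real evidence.
SAMPLE_ITEMS = [
    ("report.pdf", b"%PDF-1.4\nconstructed sample document"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("notes.txt", b"MZ\x90\x00 a PE executable renamed to look like text"),
    ("report_copy.pdf", b"%PDF-1.4\nconstructed sample document"),
    ("bundle.docx", b"PK\x03\x04\x14\x00\x00\x00"),
]

if __name__ == "__main__":
    for row in build_rows(SAMPLE_ITEMS):
        print(row["Item Number"], row["Name"], row["Bad Extension"],
              row["Duplicate File"], row["SHA-256 Hash"][:16])
```

Running the block flags notes.txt (an MZ header under a .txt extension), marks report.pdf Primary and report_copy.pdf Secondary, and leaves bundle.docx alone because its PK header is the expected container for that extension.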

DISK IMAGE FEATURES
The following table lists the columns that show the hashes stored inside an image file, such as an E01 or SMART image. Compare the stored hash with a hash computed over the image data to confirm that the image has not changed since acquisition.
TABLE 11-6

Column Headings for Viewing Hashes

Column

Description

Validate MD5

Indicates the validated MD5 hash of the object. This is the
internal stored hash of an image such as E01 or SMART.

Validate SHA-1 Hash

Indicates the validated SHA-1 hash of the object. This is the
internal stored hash of an image such as E01 or SMART.

Chapter 11 Customizing the Interface

EMAIL FEATURES
The column headings in this table apply to email in general. Lotus Notes, Microsoft Outlook/Exchange, and Outlook Express have additional headings, listed here and in the two tables that follow.
TABLE 11-7

Common Email Column Headings

Column

Description

Lotus Notes-specific Features

Options include:

• Note ID: The Lotus Notes NOTE_ID (unique within the NSF file).

• UNID: The Lotus Notes Universal Note ID (globally unique).

Outlook Express-specific Features

See below, table titled Microsoft Outlook Express Column Headings.

Outlook/Exchange-specific Features

See below, table titled Microsoft Outlook/Exchange Column Headings.

Attachment

Indicates whether the email contained an attachment.

BCC

Indicates addresses in the Blind Carbon Copy field.

CC

Indicates addresses in the Carbon Copy field.

Delivery Time

For outgoing email, it indicates the time the object was sent;
for incoming email, it indicates the time the object was
received.

Email File

True if the file is part of an email.

From

Lists the addresses in the object’s From field.

From Email

Indicates whether the object came from an email or an email
archive.

Has Attachment

Indicates whether the object has an attachment.

Subject

Lists the text in the object’s Subject field.

To

Lists the addresses in the object’s To field.

Unread

Indicates whether the object is marked as Unread.

Unsent

Indicates whether the object is marked as unsent (not yet sent).


MICROSOFT OUTLOOK EXPRESS HEADINGS
These email headings are set for Microsoft Outlook Express only:
TABLE 11-8

Microsoft Outlook Express Column Headings

Column

Description

Account Name

Indicates the name of the account associated with the object.

Account Registry Key

Indicates the registry key associated with the object’s account.

Answered

Indicates whether the object was answered. True if the Email
has been answered, false otherwise.

Answered Message ID

Displays the ID of the email’s answered message.

Digitally Signed

Indicates whether the email was digitally signed.

Email Size

Indicates the size of the email. Only set on emails from
Outlook Express.

Has Attachment
(Outlook Express)

Indicates whether the email has an attachment. True if the
email has at least one attachment, false otherwise. Only set
on emails from Outlook Express.

Hotmail Message ID

Displays the ID of a Hotmail email message.

Marked

Indicates whether the email has been marked. True if the
email has been marked, false otherwise. Only set on emails
from Outlook Express.

Message ID

Displays the message ID. Only set for Outlook Express.

Message Offset

Shows the message offset of the email.

News

Indicates whether the email was a news item. True if the
email is a news item, false otherwise. Only set on emails from
Outlook Express.

Priority

Shows the priority assigned the email. Only set for Outlook
Express.

Recipient Address

Lists the addresses in the email’s recipient field. Only set for
Outlook Express.

Recipient Name

Lists the names in the email’s recipient field. Only set for
Outlook Express.

Sender Address

Lists the addresses in the email’s sender field. Only set for
Outlook Express.

Sender Address and Name

Lists the addresses and names in the email’s sender field.
Only set for Outlook Express.


Sender Name

Lists the name in the email’s sender field. Only set for
Outlook Express.

Server

Lists the server used to send the email. Only set for Outlook
Express.

Server Info

Lists the server information for the email. Only set for
Outlook Express.

Subject
(Outlook Express)

Lists the text in the email’s subject field. Only set for
Outlook Express.

Subject Without Prefix

Lists the text of the email’s subject field without its prefix
(such as Re: or Fwd:). Only set for Outlook Express.

Thread Ignored

Indicates whether a thread was marked as Ignore. Only set
for Outlook Express.

Thread Watched

Indicates whether a thread was marked as Watch. Only set for
Outlook Express.

Time Message Saved
(Outlook Express)

Indicates the time an email was saved. Only set for Outlook
Express.

Time Received
(Outlook Express)

Indicates the time an incoming email was received. Only set
for Outlook Express.

Time Sent
(Outlook Express)

Indicates the time an outgoing email was sent. Only set for
Outlook Express.

MICROSOFT OUTLOOK/EXCHANGE HEADINGS
These email headings are set for Microsoft Outlook/Exchange only:
TABLE 11-9


Microsoft Outlook/Exchange Column Headings

Column

Description

Attachment MIME Tag

Lists the attachment MIME tag of the email.

Client Submit Time

Indicates the time the client submitted the email.

Comment

Lists any comment associated with the email.

Content Count

Indicates the content count of the email.

Content Unread

Indicates whether the email is marked Unread.

Conversation Topic

Indicates the email’s conversation topic.


Delete After Submit

Indicates whether the email was marked for deletion after it
was submitted.

Display Name

Lists the email’s display name.

From Me

Indicates whether the email was marked From Me.

Importance

Indicates the email’s assigned importance.

Message Class

Indicates the class assigned to the message in the email.

Message Size

Indicates the size of the email.

Originator Delivery Report
Requested

Indicates whether an Originator Delivery Report was
requested.

Provider Submit Time

Indicates the time at which the provider submitted the email.

Read Receipt Requested

Indicates whether the sender requested a read receipt for
the email.

Received By Email Address

Lists the email address of the recipient that received the
email.

Received By Name

Lists the name of the recipient that received the email.

Received Representing Email Address

Displays the address of the recipient on whose behalf the
email was received.

Reply Recipient Names

Lists the addresses in the Reply To: field.

Resend

Indicates whether the email was marked Resend.

Sender Email Address

Lists the address in the email’s Sender field.

Sensitivity

Indicates the sensitivity assigned the email.

Sent Representing Email Address

Displays the address of a Representing email sender.

Sent Representing Name

Displays the name of the Representing email sender.

Submitted

Indicates whether the email is flagged as Submitted.

Transport Message Headers

Lists the Simple Mail Transfer Protocol (SMTP) headers.

Unmodified

Indicates whether the email is flagged as Unmodified.


ENTROPY STATISTICS
These column headings report entropy statistics for an object’s contents. Values that look random across all of them suggest encrypted or compressed data.
TABLE 11-10

Entropy Statistics Column Headings

Column

Description

Arithmetic Mean

The result of summing all the bytes and dividing by the file length.
For random data the value should be about 127.5; if the mean
departs from this value, the byte values are consistently high or low.

Chi Squared Error
Percent

The chi-square distribution is calculated for the stream of bytes in
the file and expressed as an absolute number and a percentage. The
percentage indicates how often a truly random sequence would
exceed the value calculated; percentages very close to 0 or to 100
indicate that the data is not random.

Entropy

Shows the information density of a file in bits per byte.
Amounts close to 8 indicate random-looking data, as produced by
encryption or compression.

MCPI Error Percent

Monte Carlo algorithm, named after Monte Carlo, Monaco, is a
method involving statistical techniques for finding approximate
solutions to problems.
This heading shows how far a Monte Carlo approximation of Pi,
computed from the file’s bytes, departs from the true value, as a
percentage. Random data produces a small error.

Serial Correlation
Coefficient

Indicates the amount to which each byte in a file depends on the
previous byte. Amounts close to 0 indicate randomness.
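The five statistics above are the classic randomness tests, and computing them over known inputs shows what "close to 8" or "close to 0" looks like in practice. The block below is an added example, not FTK's code: it implements each column from the byte histogram and byte stream, then runs them over three constructed samples (English text, a constant block, and deterministic pseudo-random bytes standing in for encrypted or compressed content). One assumption is flagged in the code: the chi-square tail percentage uses the Wilson-Hilferty normal approximation rather than an exact chi-square routine.

```python
import math
import random
from typing import Dict, Optional


def _byte_counts(data: bytes):
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def arithmetic_mean(data: bytes) -> float:
    """Mean byte value; about 127.5 for uniformly random data."""
    return sum(data) / len(data)


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram: 0 for a constant file, 8 for
    perfectly uniform bytes."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in _byte_counts(data) if c)


def chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against a uniform expectation
    (255 degrees of freedom)."""
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in _byte_counts(data))


def chi_square_exceed_percent(chi2: float, dof: int = 255) -> float:
    """Percentage of the time a truly random stream would exceed chi2.
    Assumption: the Wilson-Hilferty normal approximation is used instead of an
    exact chi-square tail routine; at 255 degrees of freedom the difference is
    far below a percentage point."""
    z = (((chi2 / dof) ** (1 / 3)) - (1 - 2 / (9 * dof))) / math.sqrt(2 / (9 * dof))
    return 100.0 * 0.5 * math.erfc(z / math.sqrt(2))


def monte_carlo_pi(data: bytes) -> Optional[float]:
    """Each 6-byte group is an (x, y) point in a square of side 2**24; the share
    of points inside the inscribed quarter circle estimates pi/4."""
    radius_sq = (256 ** 3 - 1) ** 2
    inside = total = 0
    for i in range(0, len(data) - 5, 6):
        x = int.from_bytes(data[i:i + 3], "big")
        y = int.from_bytes(data[i + 3:i + 6], "big")
        total += 1
        inside += x * x + y * y <= radius_sq
    return 4.0 * inside / total if total else None


def mcpi_error_percent(data: bytes) -> Optional[float]:
    """How far the Monte Carlo estimate departs from pi, as a percentage."""
    est = monte_carlo_pi(data)
    return None if est is None else 100.0 * abs(est - math.pi) / math.pi


def serial_correlation(data: bytes) -> Optional[float]:
    """Correlation between each byte and the next (wrapping at the end): near 0
    for random data, near 1 for slowly varying data. None when every byte is
    identical, because the coefficient is then undefined."""
    n = len(data)
    s1 = sum(data)
    s2 = sum(b * b for b in data)
    s12 = sum(data[i] * data[(i + 1) % n] for i in range(n))
    denom = n * s2 - s1 * s1
    return None if denom == 0 else (n * s12 - s1 * s1) / denom


def entropy_columns(data: bytes) -> Dict[str, Optional[float]]:
    """The five column values for one object."""
    return {"Arithmetic Mean": arithmetic_mean(data),
            "Chi Squared Error Percent": chi_square_exceed_percent(chi_square(data)),
            "Entropy": entropy_bits_per_byte(data),
            "MCPI Error Percent": mcpi_error_percent(data),
            "Serial Correlation Coefficient": serial_correlation(data)}


# Constructed samples: English text, a constant block, and deterministic
# pseudo-random bytes standing in for encrypted or compressed content.
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 200
CONSTANT_SAMPLE = bytes([0x41]) * 1024
_rng = random.Random(1234)
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(65536))

if __name__ == "__main__":
    for label, sample in (("text", TEXT_SAMPLE), ("constant", CONSTANT_SAMPLE),
                          ("random", RANDOM_SAMPLE)):
        print(label, entropy_columns(sample))
```

The text sample scores an entropy around 4 bits per byte with a chi-square percentage of 0, the constant block scores 0 with an undefined serial correlation, and only the pseudo-random sample comes out near 8, near 127.5 and near 0 at once. Compressed and encrypted data are hard to tell apart by these numbers alone; a recognised container header (see Bad Extension) is the usual tie-breaker.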

FILE STATUS FEATURES
The file status columns show hash set names that match the file and their status.
TABLE 11-11

File Status Column Headings

Column

Description

Hash Set

Indicates the set from which the hash came. Lists the sequence
entered into the database, or the program that generated the hash.

KFF Status

Lists the KFF status of the file.

Label

Label associated with an object.

Not KFF Ignore or OLE Subitem

True if the file is not marked KFF Ignore, or the file is not an
OLE subitem.

Not KFF Ignore, OLE Subitem, or Duplicate

True if the file is not marked KFF Ignore, or the file is not an
OLE subitem, or the file is not a duplicate of another file.

If a file has matches from more than one set, the status with the highest value is used.
For more information, see “Chapter 8 Using Filters” on page 167.

FILE SYSTEM FEATURES
These column headings list information specific to a particular file system.
TABLE 11-12

File System Column Headings

Column

Description

DOS Features

See below, in the table titled DOS File System Column
Headings.

ext2 Features

See below, in the table titled ext2 File System Column
Headings.

HFS Features

See below, in the table titled HFS File System Column
Headings

NTFS Features

See below, in the table titled NTFS File System Column
Headings

Unix Security Features

See below, in the table titled Unix Security File System Column
Headings

Start Cluster

Indicates the starting cluster of a file on a disk or volume.

Start Sector

Indicates the starting sector of a file on a disk or volume.

DOS FILE SYSTEMS
These column headings list information specific to DOS.
TABLE 11-13

DOS File System Column Headings

Column

Description

8.3 Name

Lists the 8.3 format name of the object.

Archive

Indicates whether the Archive attribute was set on the object.

Hidden

Indicates whether the Hidden attribute was set on the object.

Read Only

Indicates whether the Read Only attribute was set on the object.

System

Indicates whether the System attribute was set on an object.


EXT2 FILE SYSTEMS
These column headings list information specific to ext2.
TABLE 11-14

ext2 File System Column Headings

Column

Description

Deleted Date

Lists the date on which the object was deleted. Set on Unix objects only.

inode Number

Lists the inode number of an object. Set on Unix objects only. Inodes are
data structures, created when a Unix file system is created, that hold the
metadata for each file. Each file has an inode and is identified by its inode
number (i-number) within the file system where it resides. The inode records
user and group ownership, access mode (read, write, execute permissions)
and file type, so it provides important information about the file. A file
system has a fixed number of inodes, which sets the maximum number of
files it can hold.
A file’s inode number can be found using the ls -i command, while the ls
-l command will retrieve other inode information.

HFS FILE SYSTEMS
These column headings list information specific to HFS.
TABLE 11-15


HFS File System Column Headings

Column

Description

Backup Date

Displays the date on which the object was backed up.

Catalog Node ID

Displays the catalog node ID of the object.

Color (HFS)

Indicates the color of the object.

File Creator (HFS)

Lists the object’s creator.

File Locked (HFS)

Indicates whether the object was locked.

File Type (HFS)

Indicates the object’s file type.

Folder Valence (HFS)

Lists the number of files and folders directly contained in any
given object.

Invisible (HFS)

Indicates whether the object is invisible.

Name Locked (HFS)

Indicates whether the object’s file name is locked.

Put Away Folder ID (HFS)

Lists the ID of the object’s Put Away folder.


NTFS FILE SYSTEMS
These column headings list information specific to NTFS.
TABLE 11-16

NTFS File System Column Headings

Column

Description

Alternate Data Stream Count

The number of alternate data streams contained in the object.

Group Name

Displays the Group Name of the object’s owner.

Group SID

Displays the group SID of the object owner.

MFT Record Number

Displays the object’s Master File Table (MFT) record number,
indicating what metadata is needed to retrieve an object.

Offline

Indicates whether the object’s Offline attribute is set.

Owner Name

Displays the name of the object owner.

Owner SID

Displays the SID of the object owner.

Record Date

Indicates the record date of the object.

Resident?

Indicates whether the Resident attribute is set for the object.

Sparse?

Indicates whether the Sparse attribute is set for the object.

Temporary

Indicates whether the Temporary attribute is set for the
object.

UNIX SECURITY FILE SYSTEMS
These column headings list information specific to the Unix security file system.
TABLE 11-17

Unix Security File System Column Headings

Column

Description

GID

Displays the Group ID of the object.

Group Name (Unix)

Displays the Group Name of the object.

Permissions

Lists the Permission settings for the object.

UID

Displays the User ID of the object.

Username

Displays the Username of the object.


STEGANOGRAPHY
These column headings list information specific to files in which steganography is found:
TABLE 11-18

Steganography Column Headings

Column

Description

Confidence

Level of confidence that this file contains a steganographic
payload

Highest Confidence

Level of highest confidence that this file contains a
steganographic payload among all the candidate steganography
applications.

Stego App

Application used to extract this steganographic payload.

Stego Password

Password used by the steganography application to extract this
steganographic payload.

ZIP-SPECIFIC FEATURES
These column headings list information specific to files zipped (combined) or
compressed into a single file.
TABLE 11-19


Zip-Specific Column Headings

Column

Description

Checksum

Displays the checksum value of the object.

Compression Method

Displays the compression method of the object.

Extract Version

Displays the extract version of the object.


Appendix A File Systems and
Drive Image Formats

This appendix lists the file systems and image formats that FTK 2.2 analyzes.


FILE SYSTEMS
TABLE A-1

Recognized File System

• FAT 12, FAT 16, FAT 32

• NTFS

• Ext2, Ext3

• HFS, HFS+

• ReiserFS 3

HARD DISK IMAGE FORMATS
TABLE A-2

Supported Hard Disk Image Formats

• Encase

• SnapBack

• Safeback 2.0 and under

• Expert Witness

• Linux DD

• ICS

• Ghost (forensic images only)

• SMART

• AccessData Logical Image (AD1)

CD AND DVD IMAGE FORMATS
TABLE A-3


Supported CD and DVD Image Formats

• Alcohol (*.mds)

• CloneCD (*.ccd)

• ISO

• IsoBuster CUE

• Nero (*.nrg)

• Pinnacle (*.pdi)

• PlexTools (*.pxi)

• Roxio (*.cif)

• Virtual CD (*.vc4)


Appendix B Recovering Deleted
Material

FTK 2.2 finds deleted files on supported file systems by their file header.

FAT 12, 16, AND 32
When parsing FAT directories, FTK 2.2 identifies deleted files by their names. In a
deleted file, the first character of the 8.3 filename is replaced by the hex character 0xE5.
The file’s directory entry provides the file’s starting cluster (C) and size. From the size
of the file and the starting cluster, FTK 2.2 computes the total number of clusters (N)
occupied by the file.
FTK 2.2 then examines the File Allocation Table (FAT) and counts the number of
unallocated clusters starting at C (U). It then assigns the recovered file [min (N, U)]
clusters starting at C.

If the deleted file was fragmented, the recovered file is likely to be incorrect and
incomplete because the information that is needed to find subsequent fragments was
wiped from the FAT system when the file was deleted.
FTK 2.2 uses the long filename (LFN) entries, if present, to recover the first letter of the
deleted file’s short filename. If the LFN entries are incomplete or absent, it uses an
exclamation mark (“!”) as the first letter of the filename.
FTK 2.2 meta carves, or searches the volume free space for deleted directories that have
been orphaned. An orphaned directory is a directory whose parent directory, or whose
entry in its parent directory, has been overwritten.
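The FAT procedure above (0xE5 marker, N from the size, U from the FAT, min(N, U) clusters assigned, first letter from the LFN entries or "!") is small enough to run end to end on a toy volume. The block below is an added example, not FTK's code. It assumes a FAT16 volume with one 512-byte sector per cluster and represents the FAT as a list of already-decoded 16-bit entries; the directory and FAT are constructed inline. Deleting a file also overwrites the first byte of each of its LFN entries, which destroys their sequence numbers, so the long name is reassembled by position (the entry nearest the 8.3 entry holds the first 13 characters).

```python
import struct
from typing import List

BYTES_PER_CLUSTER = 512     # assumption for the toy volume: one 512-byte sector per cluster
DELETED_MARK = 0xE5         # first byte of a deleted directory entry
ATTR_LFN = 0x0F             # attribute byte marking a long-filename entry
FAT_FREE = 0x0000           # FAT entry value for an unallocated cluster


def build_short_entry(name8: str, ext3: str, start: int, size: int) -> bytes:
    """Constructed 32-byte FAT16 8.3 directory entry (only the fields recovery needs)."""
    e = bytearray(32)
    e[0:8] = name8.ljust(8).encode("ascii")
    e[8:11] = ext3.ljust(3).encode("ascii")
    e[11] = 0x20                                  # archive attribute
    struct.pack_into("<H", e, 26, start)          # starting cluster (low word)
    struct.pack_into("<I", e, 28, size)           # file size in bytes
    return bytes(e)


def build_lfn_entries(long_name: str) -> List[bytes]:
    """Constructed LFN entries for long_name, in on-disk order (last chunk first)."""
    chars = list(long_name) + ["\x00"]
    while len(chars) % 13:
        chars.append("\uffff")                    # unused slots are padded with 0xFFFF
    chunks = [chars[i:i + 13] for i in range(0, len(chars), 13)]
    entries = []
    for seq, chunk in enumerate(chunks, start=1):
        s = "".join(chunk).encode("utf-16-le")
        e = bytearray(32)
        e[0] = seq | (0x40 if seq == len(chunks) else 0)
        e[1:11], e[11], e[14:26], e[28:32] = s[0:10], ATTR_LFN, s[10:22], s[22:26]
        entries.append(bytes(e))
    return entries[::-1]


def mark_deleted(entries: List[bytes]) -> List[bytes]:
    """Deletion overwrites the first byte of every entry of the file with 0xE5."""
    return [bytes([DELETED_MARK]) + e[1:] for e in entries]


def lfn_text(entries: List[bytes]) -> str:
    """Reassemble a long name from LFN entries in on-disk order, by position."""
    text = "".join((e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le")
                   for e in reversed(entries))
    return text.split("\x00", 1)[0].rstrip("\uffff")


def count_free_run(fat: List[int], start: int) -> int:
    """U: number of contiguous unallocated clusters beginning at cluster `start`."""
    c = start
    while 2 <= c < len(fat) and fat[c] == FAT_FREE:
        c += 1
    return c - start if start >= 2 else 0


def recover_deleted(directory: bytes, fat: List[int]) -> List[dict]:
    """Walk a directory and recover each 0xE5 entry as the appendix describes."""
    recovered, pending_lfn = [], []
    for off in range(0, len(directory), 32):
        entry = directory[off:off + 32]
        if entry[0] == 0x00:                      # no entries follow this one
            break
        if entry[11] == ATTR_LFN:
            pending_lfn.append(entry)
            continue
        lfns, pending_lfn = pending_lfn, []
        if entry[0] != DELETED_MARK:
            continue                              # live file: nothing to recover
        first = "!"                               # fallback when LFN entries are absent
        if lfns:
            long_name = lfn_text(lfns)
            if long_name and long_name[0].isascii() and long_name[0].isalnum():
                first = long_name[0].upper()
        base = first + entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        start = struct.unpack_from("<H", entry, 26)[0]
        size = struct.unpack_from("<I", entry, 28)[0]
        n = -(-size // BYTES_PER_CLUSTER)         # N: clusters the file occupied
        u = count_free_run(fat, start)            # U: free clusters available from C
        recovered.append({"name": f"{base}.{ext}" if ext else base,
                          "start_cluster": start, "size": size,
                          "clusters_needed": n, "free_run": u,
                          "clusters_assigned": min(n, u), "complete": min(n, u) == n})
    return recovered


# Constructed volume: a 32-entry FAT16 table and one directory.
SAMPLE_FAT = [FAT_FREE] * 32
SAMPLE_FAT[0], SAMPLE_FAT[1] = 0xFFF8, 0xFFFF     # media descriptor and reserved entry
for c in (2, 8, 12):                              # clusters still owned by live files
    SAMPLE_FAT[c] = 0xFFFF
SAMPLE_DIRECTORY = b"".join(
    [build_short_entry("README", "TXT", 2, 100)]                          # live file
    + mark_deleted(build_lfn_entries("report_final.doc")
                   + [build_short_entry("REPORT~1", "DOC", 5, 1500)])     # 3 clusters, all free
    + mark_deleted([build_short_entry("OLD", "BAK", 10, 2048)])           # 4 needed, 2 free
    + [bytes(32)])

if __name__ == "__main__":
    for r in recover_deleted(SAMPLE_DIRECTORY, SAMPLE_FAT):
        print(r)
```

REPORT~1.DOC needs three clusters and finds three free from cluster 5, so it is recovered in full; OLD.BAK (no LFN, hence the "!" first letter) needs four but only two are free before an allocated cluster, so it is assigned two and flagged incomplete, which is exactly the fragmentation case the text warns about.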


NTFS
FTK 2.2 examines the Master File Table (MFT) to find files that are marked deleted
because the allocation byte in a record header indicates a deleted file or folder (the
record’s in-use flag is clear). It then recovers the file’s data using the MFT record’s
data attribute extent list if the data is non-resident; resident data is held inside the
MFT record itself.
If the deleted file’s parent directory exists, the recovered file is shown in the directory
where it originally existed. Deleted files whose parent directories were deleted are
shown in their proper place as long as their parent directory's MFT entry has not been
recycled.

EXT2
FTK 2.2 searches for inodes that are marked deleted: the link count is zero and the
deletion timestamp is nonzero.
For each deleted inode, FTK 2.2 processes the block pointers as it does for a normal file
and adds blocks to the deleted file. However, if an indirect block is marked allocated or
references an invalid block number, the recovered file is truncated at that point because
the block no longer contains a list of blocks for the file that the application is
attempting to recover.
FTK 2.2 does not recover the filenames for files deleted on ext2 systems. Instead,
deleted files are identified by inode number, because ext2 uses variable-length directory
entries organized in a linked list structure. When a file is deleted, its directory entry is
unlinked from the list, and the space it occupied becomes free to be partially or
completely overwritten by new directory entries. There is no reliable way to identify and
extract completely deleted directory entries.

EXT3
FTK 2.2 does not recover deleted files from ext3 volumes because ext3 zeroes out a
file’s indirect block pointers when it is deleted.

HFS
FTK 2.2 does not recover deleted files from HFS.


Appendix C Program Files

The following tables list key FTK 2.2 files and folders, their functions, and their
locations.

FILES AND FOLDERS FOR THE APPLICATION
These files and folders exist on the computer running FTK 2.2.
TABLE C-1

FTK 2.2 Folders and File Locations

File or Folder

Location

FTK2-Data (shared)

Location: [drive]:\ftk2-data\ (root of the system drive or partition)
Function: Contains all case data not stored in the database.

summary_install_log_2.2.txt

Location: [drive]:\Program Files\AccessData\Forensic Toolkit\2.2\logs\
Function: Points to a set of log files, including a summary installation log, to help Technical Support with troubleshooting.

KFF Logs

Location: [drive]:\Program Files\AccessData\KFF Library FTK 2.2
Function: Records whether the Known File Filter was added to the schema.

FTK.exe

Location: [drive]:\Program Files\AccessData\Forensic Toolkit\2.2\bin\
Function: Program executable.


FTK2_log.txt

Location: [drive]:\Program Files\AccessData\Forensic Toolkit\2.2\
Function: Log file recording information specific to the application.

FTK2crash[timestamp].dmp

Location: [drive]:\Program Files\AccessData\AccessData Forensic Toolkit\2.2\
Function: Dump file, with the timestamp, from an FTK crash.

FILES AND FOLDERS FOR THE DATABASE
These files and folders exist on the computer running the Oracle database.
TABLE C-2

Oracle Database File Locations

File or Folder

Location

Function

ftk2

Location: [drive]:\Oracle
Function: Contains files FTK 2.2 uses to work with the Oracle database, such as the JRE, libraries, configuration scripts, etc.

logs

Location: [drive]:\Program Files\Oracle\Inventory
Function: Contains installation logs intended to help Technical Support with installation troubleshooting.

FTK2_KFF.DBF

Location: [drive]:\Oracle\ftk2\database
Function: Contains the hashes that make up the AccessData Known File Filter.

CHANGING REGISTRY OPTIONS
The following sections cover small changes that can be made to items in the registry to
aid in the functionality and desired efficiency of FTK.

CHANGING THE LOGGING REGISTRY OPTIONS
To make changes in the registry for the available logging options do the following:
1. Click Start > Run.
2. Enter regedit and click OK.
3. Open HKLM\SOFTWARE\AccessData\Shared\Version Manager\sds\


4. Change any of the following values to the desired setting:

• errorlog = controls whether LOG_WARN/LOG_ERROR messages are written to
ftkWorker.errorlog.txt (defaults to 1)

• infolog = controls whether LOG_INFO messages are written to ftkWorker.infolog.txt (defaults to 1)
• userlog = controls whether LOG_USER messages are written to ftkWorker.userlog.txt (defaults to 0).
This is required by ediscovery.

• tracelog = controls whether LOG_TRACE messages are written to ftkWorker.tracelog.txt (defaults to 0).
Logs object created/complete messages.

• memlog = controls memory logging to ftkWorker.infolog.txt (defaults to 0)
• timelog = controls time logging to ftkWorker.infolog.txt (defaults to 0)
Note: Log files initialize when ftkworker.exe starts. Registry keys are read during the startup
process only.

CHATTY WORKER
In the worker diagnostic page, “Chatty” now controls whether the worker LEVEL_*
logs to stdout/stderr (therefore showing up in the text pane).


Appendix D Gathering Windows
Registry Evidence

This appendix contains information about the Windows Registry and what information
can be gathered for evidence.

UNDERSTANDING THE WINDOWS REGISTRY
For forensic work, registry files are particularly useful because they can contain
important information such as the following:

• Usernames and passwords for programs, email, and Internet sites
• A history of Internet sites accessed, including dates and times
• A record of Internet queries (i.e., searches performed on Internet search engines
like Google, Yahoo, etc.)

• Lists of recently accessed files (e.g., documents, images, etc.)
• A list of all programs installed on the system
AccessData Registry Viewer allows you to view the contents of Windows operating
system registries. Unlike the standard Windows Registry Editor, which only displays the
current system’s registry, Registry Viewer lets you examine registry files from any
system or user. Registry Viewer also provides access to a registry’s protected storage,
which contains passwords, usernames, and other information not accessible from
within Windows Registry Editor.


The files that make up the registry differ depending on the version of Windows. The
tables below list the registry files for each version of Windows, along with their
locations and the information they contain.

WINDOWS 9X REGISTRY FILES
The following table describes each of the Windows 9x registry files:
TABLE D-1

Windows 9x Registry files

system.dat

Location: \Windows
Contents:

• Protected storage for all users on the system. Protected Storage is an
access-restricted area of the registry that stores confidential user
information, including usernames and passwords for Internet Web sites,
email passwords for Microsoft Outlook or Outlook Express, and a record
of Internet queries (i.e., searches performed on Internet search engines
like Google, Yahoo, etc.), including the time and date when they were
performed.

• Lists installed programs, their settings, and any usernames and
passwords associated with them.

• Contains the System settings.

user.dat

Location: \Windows. If there are multiple user accounts on the system,
each user has a user.dat file located in \Windows\profiles\[user account].
Contents:

• MRU (Most Recently Used) lists of files. MRU lists maintain a list of
files so users can quickly re-access them. Registry Viewer allows you to
examine these lists to see what files have been recently used and where
they are located. Registry Viewer lists each program’s MRU files in order
from most recently accessed to least recently accessed.

• User preference settings (desktop configuration, etc.).


WINDOWS NT AND WINDOWS 2000 REGISTRY FILES
The following table describes each item in the Windows NT and Windows 2000 registry
files:
TABLE D-2

Windows NT and Windows 2000 Registry Files

NTUSER.DAT

Location: \Documents and Settings\[user account]. If there are multiple
user accounts on the system, each user has an ntuser.dat file.
Contents:

• Protected storage for that user. Protected Storage is an
access-restricted area of the registry that stores confidential user
information, including usernames and passwords for Internet Web sites,
email passwords for Microsoft Outlook or Outlook Express, and a record
of Internet queries (i.e., searches performed on Internet search engines
like Google, Yahoo, etc.), including the time and date when they were
performed.

• All installed programs, their settings, and any usernames and
passwords associated with them.

• User preference settings (desktop configuration, etc.)

default

Location: \Winnt\system32\config
Contents: Default user profile (HKEY_USERS\.DEFAULT), the settings in
effect before any user logs on.

SAM

Location: \Winnt\system32\config
Contents: User account management and security settings.

SECURITY

Location: \Winnt\system32\config
Contents: Security settings.

software

Location: \Winnt\system32\config
Contents: All installed programs, their settings, and any usernames and
passwords associated with them.

system

Location: \Winnt\system32\config
Contents: System settings.


WINDOWS XP REGISTRY FILES
The following table describes each item in the Windows XP registry files:
TABLE D-3

Windows XP Registry Files

NTUSER.DAT

Location: \Documents and Settings\[user account]. If there are multiple
user accounts on the system, each user has an ntuser.dat file.
Contents:

• Protected storage for that user. Protected Storage is an
access-restricted area of the registry that stores confidential user
information, including usernames and passwords for Internet Web sites,
email passwords for Microsoft Outlook or Outlook Express, and a record
of Internet queries (i.e., searches performed on Internet search engines
like Google, Yahoo, etc.), including the time and date when they were
performed.

• All installed programs, their settings, and any usernames and
passwords associated with them.

• User preference settings (desktop configuration, etc.)

default

Location: \Windows\system32\config (\Winnt\system32\config on systems
upgraded from Windows NT or Windows 2000)
Contents: Default user profile (HKEY_USERS\.DEFAULT), the settings in
effect before any user logs on.

SAM

Location: \Windows\system32\config (or \Winnt\system32\config, as above)
Contents: User account management and security settings.

SECURITY

Location: \Windows\system32\config (or \Winnt\system32\config, as above)
Contents: Security settings.

software

Location: \Windows\system32\config (or \Winnt\system32\config, as above)
Contents: All installed programs, their settings, and any usernames and
passwords associated with them.

system

Location: \Windows\system32\config (or \Winnt\system32\config, as above)
Contents: System settings.

The logical registry is organized as a tree. The top level of the tree is divided into
hives. A hive is a discrete body of keys, subkeys, and values that is rooted at the top of
the registry hierarchy. On Windows XP systems, the top-level keys are as follows:

• HKEY_CLASSES_ROOT (HKCR)
• HKEY_CURRENT_USER (HKCU)


• HKEY_LOCAL_MACHINE (HKLM)
• HKEY_USERS (HKU)
• HKEY_CURRENT_CONFIG (HKCC)
• HKEY_DYN_DATA (HKDD; present on Windows 9x only)

HKEY_LOCAL_MACHINE and HKEY_USERS are the root hives. They contain
information that is used to create the HKEY_CLASSES_ROOT, HKEY_CURRENT_USER,
and HKEY_CURRENT_CONFIG hives.
HKEY_LOCAL_MACHINE is built at startup from the system hive files (system.dat on
Windows 9x; the SAM, SECURITY, software, and system files under system32\config on
NT-based Windows) and contains all the configuration information for the local machine.
For example, it might have one configuration if the computer is docked, and another if
the computer is not docked. Based on the computer state at startup, the information in
HKEY_LOCAL_MACHINE is used to generate HKEY_CURRENT_CONFIG and
HKEY_CLASSES_ROOT.
HKEY_USERS is built from the user hive files (user.dat on Windows 9x; NTUSER.DAT on
NT-based Windows) and contains information for every user on the system.
Based on who logs in to the system, the information in HKEY_USERS is used to
generate HKEY_CURRENT_USER and, together with HKEY_LOCAL_MACHINE,
HKEY_CLASSES_ROOT.
Keys and sub-keys are used to divide the registry tree into logical units off the root.
When you select a key, Registry Editor displays the key’s values; that is, the information
associated with that key. Each value has a name and a data type, followed by a
representation of the value’s data. The data type tells you what kind of data the value
contains as well as how it is represented. For example, values of the REG_BINARY type
contain raw binary data and are displayed in hexadecimal format.


POSSIBLE DATA TYPES
The following table lists the Registry’s possible data types:
TABLE D-4

Possible Data Types

Data Type

Name

Description

REG_BINARY

Binary Value

Raw binary data. Most hardware component
information is stored as binary data and is
displayed in hexadecimal format.

REG_DWORD

DWORD
Value

Data represented by a number that is 4 bytes long
(a 32-bit integer). Many parameters for device
drivers and services are this type and are displayed
in binary, hexadecimal, or decimal format. Related
values are REG_DWORD_LITTLE_ENDIAN
(least significant byte is at the lowest address) and
REG_DWORD_BIG_ENDIAN (least
significant byte is at the highest address).

REG_EXPAND_SZ

Expandable
String Value

A variable-length data string. This data type
includes variables that are resolved when a
program or service uses the data.

REG_MULTI_SZ

Multi-String
Value

A multiple string. Values that contain lists or
multiple values in a format that people can read
are usually this type. The data is stored as a
sequence of NUL-terminated strings followed by an
extra NUL; Registry Editor shows the entries on
separate lines.

REG_SZ

String Value

A text string of any length.

REG_RESOURCE_LIST

Binary Value

A series of nested arrays designed to store a
resource list used by a hardware device driver or
one of the physical devices it controls. This data is
detected by the system and is displayed in
hexadecimal format as a Binary Value.

REG_RESOURCE_
REQUIREMENTS_LIST

Binary Value

A series of nested arrays designed to store a device
driver’s list of possible hardware resources that it,
or one of the physical devices it controls, can use.
This data is detected by the system and is
displayed in hexadecimal format as a Binary Value.

REG_FULL_RESOURCE_
DESCRIPTOR

Binary Value

A series of nested arrays designed to store a
resource list used by a physical hardware device.
This data is displayed in hexadecimal format as a
Binary Value.


REG_NONE

None

Data with no particular type. This data is written
to the registry by the system or applications and is
displayed in hexadecimal format as a Binary Value.

REG_LINK

Link

A Unicode string naming a symbolic link.

REG_QWORD

QWORD
Value

Data represented by a number that is a 64-bit
integer.
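As an added example (not code from the FTK User Guide or from Registry Viewer), the following Python decodes raw value bytes for the types in Table D-4, including the two REG_DWORD byte orders and the NUL-separated layout of REG_MULTI_SZ; the sample values and the environment mapping used to expand REG_EXPAND_SZ are constructed for the example.

```python
"""Decode raw registry value bytes according to their REG_* type.

Added example for the Possible Data Types table (Table D-4); it is not
code from the FTK User Guide or from Registry Viewer. The type codes are
the ones defined in the Windows SDK (winnt.h). All sample byte strings
below are constructed for this example.
"""
import re
import struct
from typing import Dict, List, Optional, Union

REG_NONE = 0
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
REG_DWORD = 4                 # alias of REG_DWORD_LITTLE_ENDIAN
REG_DWORD_BIG_ENDIAN = 5
REG_LINK = 6
REG_MULTI_SZ = 7
REG_QWORD = 11                # alias of REG_QWORD_LITTLE_ENDIAN


def expand_env(text: str, env: Dict[str, str]) -> str:
    """Resolve %NAME% references the way a REG_EXPAND_SZ consumer would.

    Names are matched case-insensitively; an unknown name is left as-is,
    which is what ExpandEnvironmentStrings does on Windows.
    """
    lookup = {k.upper(): v for k, v in env.items()}

    def sub(match):
        return lookup.get(match.group(1).upper(), match.group(0))

    return re.sub(r"%([^%]+)%", sub, text)


def decode_value(reg_type: int, raw: bytes,
                 env: Optional[Dict[str, str]] = None
                 ) -> Union[str, int, List[str]]:
    """Return a Python object for the raw bytes of a value of type reg_type.

    Strings in a hive are UTF-16LE with a terminating NUL; REG_MULTI_SZ is a
    run of such strings ended by an empty string (a double NUL). Numeric
    types are checked for exact length so a truncated value is reported
    instead of silently decoded.
    """
    if reg_type in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        text = raw.decode("utf-16-le").split("\x00", 1)[0]
        if reg_type == REG_EXPAND_SZ and env is not None:
            text = expand_env(text, env)
        return text
    if reg_type == REG_MULTI_SZ:
        text = raw.decode("utf-16-le")
        end = text.find("\x00\x00")          # an empty string ends the list
        if end != -1:
            text = text[:end]
        text = text.rstrip("\x00")           # tolerate a missing final NUL
        return text.split("\x00") if text else []
    if reg_type in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:
            raise ValueError(f"DWORD needs 4 bytes, got {len(raw)}")
        # "<": least significant byte at the lowest address (little-endian);
        # ">": least significant byte at the highest address (big-endian).
        fmt = "<I" if reg_type == REG_DWORD else ">I"
        return struct.unpack(fmt, raw)[0]
    if reg_type == REG_QWORD:
        if len(raw) != 8:
            raise ValueError(f"QWORD needs 8 bytes, got {len(raw)}")
        return struct.unpack("<Q", raw)[0]
    # REG_BINARY, REG_NONE and the resource-list types are shown as hex,
    # which is how Registry Editor and Registry Viewer present them.
    return raw.hex(" ")


# Constructed sample values: name -> (type, raw bytes) as a hive parser returns them.
# Note that the same four bytes a3 00 00 00 read as 163 little-endian but as
# 2734686208 big-endian, which is why the type must travel with the data.
SAMPLE_VALUES = {
    "Start":           (REG_DWORD, bytes.fromhex("a3000000")),
    "StartBE":         (REG_DWORD_BIG_ENDIAN, bytes.fromhex("000000a3")),
    "SystemRoot":      (REG_SZ, "C:\\Windows\x00".encode("utf-16-le")),
    "ImagePath":       (REG_EXPAND_SZ,
                        "%SystemRoot%\\System32\\svchost.exe\x00".encode("utf-16-le")),
    "DependOnService": (REG_MULTI_SZ, "RpcSs\x00Tcpip\x00\x00".encode("utf-16-le")),
    "Config":          (REG_BINARY, bytes.fromhex("0102a0ff")),
    "LargeCount":      (REG_QWORD, bytes.fromhex("0100000001000000")),
}
SAMPLE_ENV = {"SystemRoot": "C:\\Windows"}   # constructed environment


def decode_all(values, env=None):
    """Decode every (type, raw) pair in a mapping of value name -> (type, raw)."""
    return {name: decode_value(t, raw, env) for name, (t, raw) in values.items()}


if __name__ == "__main__":
    for name, decoded in decode_all(SAMPLE_VALUES, SAMPLE_ENV).items():
        print(f"{name:16} {decoded!r}")
```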

ADDITIONAL CONSIDERATIONS
If there are multiple users on a single machine, you must be aware of the following
issues when conducting a forensic investigation:

• If there are individual profiles for each user on the system, you need to locate the
USER.DAT file for the suspect(s).

• If all the users on the system are using the same profile, everyone’s information is
stored in the same USER.DAT file. Therefore, you will have to find other
corroborating evidence because you cannot associate evidence in the USER.DAT
file with a specific user profile.

• On Windows 9x systems, the USER.DAT file for the default user is used to create
the USER.DAT files for new user profiles. Consequently, the USER.DAT files for new
profiles can inherit a lot of junk.

To access the Windows registry from an image of the suspect’s drive, you can do any of
the following:

• Load the suspect’s drive image and export his or her registry files to view them in
Registry Editor.

• Mount a restored image as a drive, launch Registry Editor at the command line
from your processing machine, export the registry files from the restored image,
then view them in a third-party tool.
Note: The problem with this method is that you can only view the registry as text. Registry
Editor displays everything in ASCII so you can’t see hex or binary values in the
registry.

• Use Registry Viewer. Registry Viewer integrates seamlessly with FTK 2.2 to display
registry files within the image and create reports.

Important: Registry Viewer shows everything you normally see in live systems
using the Windows Registry Editor. However, unlike Registry Editor and
other tools that use the Windows API, Registry Viewer decrypts
protected storage information so it displays values in the Protected
Storage System Provider key (PSSP). Registry Viewer also shows
information that is normally hidden in null-terminated keys.

SEIZING WINDOWS SYSTEMS
Information stored in the registry—Internet Messenger sessions, Microsoft Office
MRU lists, usernames and passwords for Internet Web sites accessed through Internet
Explorer, and so forth—is temporarily stored in HKEY_CURRENT_USER. When the
user closes an application or logs out, the hive’s cached information is pulled out of
memory and written to the user’s corresponding USER.DAT.
Note: Passwords and MRU lists are not saved unless these options are enabled.

Important: Because normal seizure procedures require that there be no
alteration of the suspect’s computer in any way, you must be able to
articulate why you closed any active applications before pulling the plug
on the suspect’s computer. Sometimes it is better to simply pull the plug
on the computer; other times, it makes more sense to image the
computer in place while it is on. It may depend on what is the most
important type of data expected to be found on the computer.
For example, Windows updates some program information in the
registry when the changes are made. Other information is not updated
until a program is closed. Also, if the computer’s drive is encrypted and
you cannot decrypt it or don’t have the Key or password, you may have
no choice except to image the live drive.
The Registry Quick Find Chart gives more information.

REGISTRY QUICK FIND CHART
The following charts discuss common locations where you can find data of forensic
interest in the Windows Registry.

SYSTEM INFORMATION
TABLE D-5 System Information From HKLM

Information | File or Key | Location | Description
Registered Owner | Software | Microsoft\Windows NT\CurrentVersion | This information is entered during installation, but can be modified later.
Registered Organization | Software | Microsoft\Windows NT\CurrentVersion | This information is entered during installation, but can be modified later.
Run | Software | Microsoft\Windows\CurrentVersion\Run | Programs that appear in this key run automatically when the system boots.
Logon Banner Message | Software | Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText | This is a banner that users must click through to log on to a system.
Mounted Devices | System | MountedDevices | Database of current and prior mounted devices that received a drive letter.
Current Control Set | System | Select | Identifies which control set is current.
Shutdown Time | System | ControlSetXXX\Control\Windows | System shutdown time.
Event Logs | System | ControlSetXXX\Services\Eventlog | Location of Event logs.
Dynamic Disk | System | ControlSetXXX\Services\DMIO\Boot Info\Primary Disk Group | Identifies the most recent dynamic disk mounted in the system.
Pagefile | System | ControlSetXXX\Control\Session Manager\Memory Management | Location, size, set to wipe, etc.
Last User Logged In | Software | Microsoft\Windows NT\CurrentVersion\Winlogon | Last user logged in; can be a local or domain account.
Product ID | Software | Microsoft\Windows NT\CurrentVersion |
O\S Version | Software | Microsoft\Windows NT\CurrentVersion |
Logon Banner Title | Software | Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption | User-defined data.
Logon Banner Message | Software | Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption | User-defined data.
Time Zone | System | ControlSet001(or002)\Control\TimeZoneInformation\StandardName | This information is entered during installation, but can be modified later.
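The chart's ControlSetXXX entries are only usable once the Select key has told you which control set was live, and the shutdown time it points to is stored as a Windows FILETIME. The following Python is an added example (not code from the FTK User Guide or from Registry Viewer) that resolves the placeholder from a Select\Current value and decodes ControlSetXXX\Control\Windows\ShutdownTime; the SYSTEM hive contents are constructed stand-ins for what an offline-hive parser would return.

```python
"""Resolve ControlSetXXX from the Select key and decode the shutdown time.

Added example for the System Information chart (Table D-5); it is not code
from the FTK User Guide or from Registry Viewer. It assumes an offline-hive
parser has already returned raw value bytes; the hive below is constructed
by hand. Two facts the code relies on: HKLM\\SYSTEM\\Select holds a REG_DWORD
named Current whose number picks the live ControlSetXXX, and
ControlSetXXX\\Control\\Windows holds ShutdownTime, an 8-byte REG_BINARY
containing a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed stand-in for a parsed SYSTEM hive: key path -> {value name: raw bytes}.
SAMPLE_SYSTEM_HIVE = {
    "Select": {
        "Current":       (1).to_bytes(4, "little"),
        "Default":       (1).to_bytes(4, "little"),
        "LastKnownGood": (2).to_bytes(4, "little"),
        "Failed":        (0).to_bytes(4, "little"),
    },
    # Constructed FILETIME for 2008-05-14 21:30:00 UTC.
    "ControlSet001\\Control\\Windows": {
        "ShutdownTime": (128552742000000000).to_bytes(8, "little"),
    },
    # Stale copy in the other control set: FILETIME of 1970-01-01 00:00:00 UTC.
    "ControlSet002\\Control\\Windows": {
        "ShutdownTime": (116444736000000000).to_bytes(8, "little"),
    },
}


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME to an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME needs 8 bytes, got {len(raw)}")
    ticks = struct.unpack("<Q", raw)[0]
    # Python datetimes carry microseconds, so the 100-ns remainder is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse of filetime_to_datetime, useful for building test fixtures."""
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def control_set_name(hive: dict, which: str = "Current") -> str:
    """Map a Select value (Current, Default, LastKnownGood, Failed) to ControlSetNNN."""
    number = int.from_bytes(hive["Select"][which], "little")
    if number == 0:
        raise LookupError(f"Select\\{which} is 0: no control set recorded")
    return f"ControlSet{number:03d}"


def resolve_path(hive: dict, chart_path: str) -> str:
    """Replace the chart's ControlSetXXX placeholder with the live control set."""
    return chart_path.replace("ControlSetXXX", control_set_name(hive))


def shutdown_time(hive: dict) -> datetime:
    """Read the system shutdown time from the current control set."""
    key = resolve_path(hive, "ControlSetXXX\\Control\\Windows")
    return filetime_to_datetime(hive[key]["ShutdownTime"])


if __name__ == "__main__":
    print("current control set:", control_set_name(SAMPLE_SYSTEM_HIVE))
    print("last known good:    ", control_set_name(SAMPLE_SYSTEM_HIVE, "LastKnownGood"))
    print("event log key:      ", resolve_path(SAMPLE_SYSTEM_HIVE, "ControlSetXXX\\Services\\Eventlog"))
    print("shutdown time:      ", shutdown_time(SAMPLE_SYSTEM_HIVE).isoformat())
```

Reading ShutdownTime from the non-current control set in the sample returns the stale 1970 value, which is the mistake the Select lookup prevents.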

NETWORKING
TABLE D-6 Registry Networking Information

Information | File or Key | Location | Description
Map Network Drive MRU | NTUSER.DAT | Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU | Most recently used list of mapped network drives.
TCP\IP data | System | ControlSetXXX\Services\TCPIP\Parameters | Domain, hostname data.
TCP\IP Settings of a Network Adapter | System | ControlSetXXX\Services\adapter\Parameters\TCPIP | IP address, gateway information.
Default Printer | NTUSER.DAT | Software\Microsoft\Windows NT\CurrentVersion\Windows | Current default printer.
Default Printer | NTUSER.DAT | \printers | Current default printer.
Local Users | SAM | Domains\Account\Users\Names | Local account security identifiers.
Local Groups | SAM | Domains\Builtin\Aliases\Names | Local account security identifiers.
Profile list | Software | Microsoft\Windows NT\CurrentVersion\ProfileList | Contains user security identifiers (only users with a profile on the system).
Network Map | NTUSER.DAT | Documents and Settings\username | Browser history and last-viewed lists attributed to the user.

USER DATA
TABLE D-7 Registry User Data Information

Information | File or Key | Location | Description
Run | NTUSER.DAT | Software\Microsoft\Windows\CurrentVersion\Run | Programs that appear in this key run automatically when the user logs on.
Media Player Recent List | NTUSER.DAT | Software\Microsoft\Media Player\Player\RecentFileList | This key contains the user's most recently used list for Windows Media Player.
O\S Recent Docs | NTUSER.DAT | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | MRU list pointing to shortcuts located in the recent directory.
Run MRU | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | MRU list of commands entered in the “run” box.
Open And Save As Dialog Boxes MRU | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 | MRU lists of programs\files opened with or saved with the “open” or “save as” dialog box(es).
Current Theme | NTUSER.DAT | Software\Microsoft\Windows\CurrentVersion\Themes | Desktop theme\wallpaper.
Last Theme | NTUSER.DAT | Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme | Desktop theme\wallpaper.
File Extensions\Program Association | NTUSER.DAT | Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | Identifies associated programs with file extensions.

USER APPLICATION DATA
TABLE D-8 Registry User Application Data Information

Information | File or Key | Location | Description
Word User Info | NTUSER.DAT | Software\Microsoft\office\version\Common\UserInfo | This information is entered during installation, but can be modified later.
Word Recent Docs | NTUSER.DAT | Software\Microsoft\office\version\Common\Data | Microsoft Word recent documents.
IE Typed URLs | NTUSER.DAT | Software\Microsoft\Internet Explorer\TypedURLs | Data entered into the URL address bar.
IE Auto-Complete Passwords | NTUSER.DAT | \Software\Microsoft\Internet Explorer\IntelliForms | Web page auto-complete password encrypted values.
IE Auto-Complete Web Addresses | NTUSER.DAT | \Software\Microsoft\Protected Storage System Provider | Lists Web pages where auto-complete was used.
IE Default Download Directory | NTUSER.DAT | Software\Microsoft\Internet Explorer | Default download directory when utilizing Internet Explorer.
Outlook Temporary Attachment Directory | NTUSER.DAT | Software\Microsoft\office\version\Outlook\Security | Location where attachments are stored when opened from Outlook.
AIM | NTUSER.DAT | Software\America Online\AOL Instant Messenger\CurrentVersion\Users\username | IM contacts, file transfer information, etc.
Word User Info | NTUSER.DAT | Software\Microsoft\office\version\Common\UserInfo | This information is entered during installation, but can be modified later.
ICQ | NTUSER.DAT | \Software\Mirabilis\ICQ\* | IM contacts, file transfer information, etc.
MSN Messenger | NTUSER.DAT | Software\Microsoft\MSN Messenger\ListCache\.NET Messenger Service\* | IM contacts, file transfer information, etc.
Kazaa | NTUSER.DAT | Software\Kazaa\* | Configuration, search, download, IM data, etc.
Yahoo | NTUSER.DAT | Software\Yahoo\Pager\Profiles\* | IM contacts, file transfer information, etc.
Google Client History | NTUSER.DAT | Software\Google\NavClient\1.1\History |
Adobe | NTUSER.DAT | Software\Adobe\* | Acrobat, Photo deluxe, etc.

Appendix E Troubleshooting

FTK 2.2 is a complex program and troubleshooting can be challenging. While this
section attempts to present some basic solutions to commonly asked questions, and
directions for using AccessData Forensic Toolkit (FTK) Diagnostics Tools, it would not
be practical to list every possibility here. Thus, this section is limited.

FINDING ANSWERS
The most up-to-date troubleshooting and problem solving information is available on
the AccessData website, in our Knowledge Base.
Here's how to get into the Knowledge Base:
1. Open your Internet browser to http://www.accessdata.com/support.html
2. Click on the link to the Knowledge Base.
3. Be sure to log in using the “Sign In” link located at the upper right hand corner to see
the majority of articles.
4. If you are unable to log in, please contact support at:
support@accessdata.com or 800-658-5199 or 801-377-5410. For complete
AccessData contact information, see “Appendix G AccessData Corporate Contact
Information” on page 307.

TROUBLESHOOTING TABLES
The following table provides limited, basic information for troubleshooting FTK 2.2.
TABLE E-1 FTK 2.2 Troubleshooting

Problem: Application GUI cannot connect to the Oracle database.
Suggested Resolution: Ensure connectivity on port 1521.

Problem: The File List pane may not always seem to correspond with the graphic
selected.
Suggested Resolution: Refresh the File List pane to match up with the selected
graphics. Press F5 or click View > Refresh to manually update the view.

Problem: The installer cannot connect to your Oracle database.
Suggested Resolution: Check to see if the Oracle host has been changed. Test
connectivity at port 1521. Verify that the SYS password is entered correctly.

Problem: When you change the name or domain affiliation of the Oracle host, the
Oracle instance on that host will not work.
Suggested Resolution: Changing the Host name or Domain affiliation causes the
FTK2.exe connection to Oracle to fail. Windows will allow a workgroup or domain
change at any time, and Oracle has no way to know about that change until you tell
it. Since Oracle currently is using a fully qualified name, it fails when the domain or
workgroup name changes.
Log in to the host running Oracle.
Stop the listener control program by entering “lsnrctl stop” at a command prompt.
From a text editor, open the file c:\Oracle\ftk2\NETWORK\ADMIN\listener.ora.
Edit the line containing the Oracle hostname. For example, if the Oracle hostname
were changed from “privateeye” to “ciaoperative,” the line should be changed from
(ADDRESS = (PROTOCOL = TCP)(HOST = privateeye)(PORT = 1521))
to:
(ADDRESS = (PROTOCOL = TCP)(HOST = ciaoperative)(PORT = 1521))
Save the change and exit the text editor.
Restart the listener service by entering “lsnrctl start” at a command prompt.

Problem: The file names listed in the Explorer tree have boxes in place of characters.
Suggested Resolution: The characters in the file name are non-ASCII, and the
character set FTK is using does not have a character to represent the value contained
in the file name.

Problem: Even after several minutes, the progress bar indicates that FTK is not
processing the evidence I just added.
Suggested Resolution: The user that launched FTK 2.2 may not have rights to access
the computer on which the data is found. Manually change the user’s access to the
evidence.

Problem: User operates several non-Network License Service (NLS) applications but
cannot open FTK 2.2 using an NLS license. Error message reads: “No more user
licenses are available.”
Suggested Resolution: FTK 2.2 is looking on the local CmStick for a license. To
correct the problem, remove the local CmStick. Launch FTK 2.2, and locate the NLS
server. Reattach the local CmStick to allow other applications to access it.
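The listener.ora edit in the host-rename procedure above is easy to get wrong by hand (a typo leaves the listener bound to a name that no longer resolves). The following Python is an added example, not a script shipped with FTK or Oracle, that finds every TCP ADDRESS entry, rewrites only the HOST it is asked to, and refuses to proceed when the old host is not present; the listener.ora fragment is constructed in the layout the table shows.

```python
"""Rewrite the HOST of a listener.ora TCP ADDRESS after an Oracle host rename.

Added example for the host-rename procedure in Table E-1; it is not a script
shipped with FTK or Oracle. It edits only the file text and reports what it
changed; stopping and restarting the listener (lsnrctl stop / lsnrctl start)
is still done by hand as the table describes. The listener.ora fragment
below is constructed in the layout the table shows.
"""
import re
from typing import List, Tuple

SAMPLE_LISTENER_ORA = """LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = privateeye)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
    )
  )
"""

# Matches one TCP ADDRESS entry, tolerating the whitespace Oracle's tools emit.
TCP_ADDRESS = re.compile(
    r"\(ADDRESS\s*=\s*\(PROTOCOL\s*=\s*TCP\)\s*"
    r"\(HOST\s*=\s*(?P<host>[^)\s]+)\s*\)\s*"
    r"\(PORT\s*=\s*(?P<port>\d+)\s*\)\s*\)",
    re.IGNORECASE,
)


def tcp_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (host, port) for every TCP ADDRESS in a listener.ora."""
    return [(m.group("host"), int(m.group("port")))
            for m in TCP_ADDRESS.finditer(text)]


def rename_listener_host(text: str, old_host: str, new_host: str) -> Tuple[str, int]:
    """Replace old_host with new_host in every TCP ADDRESS.

    Returns the rewritten text and the number of entries changed. Raises if
    old_host is not bound anywhere, so a misspelled name cannot leave the
    listener silently pointing at a host that no longer exists.
    """
    changed = 0

    def sub(m):
        nonlocal changed
        if m.group("host").lower() != old_host.lower():
            return m.group(0)            # some other listener, leave it alone
        changed += 1
        start, end = m.span("host")      # splice only the HOST text itself
        whole, offset = m.group(0), m.start()
        return whole[:start - offset] + new_host + whole[end - offset:]

    new_text = TCP_ADDRESS.sub(sub, text)
    if changed == 0:
        raise ValueError(f"no TCP ADDRESS with HOST = {old_host} found")
    return new_text, changed


if __name__ == "__main__":
    print("before:", tcp_listeners(SAMPLE_LISTENER_ORA))
    updated, n = rename_listener_host(SAMPLE_LISTENER_ORA, "privateeye", "ciaoperative")
    print(f"after ({n} entry changed):", tcp_listeners(updated))
```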

DIAGNOSTICS TOOLS
FTK provides a Diagnostics tool to help troubleshoot problems with evidence
processing. It displays the activity of the databases where cases are stored and a list of
the Worker machines assigned to each case.

DATABASE DIAGNOSTICS
To access the FTK Database Diagnostics tool:

1. Select Help > Diagnostics to open the database in the browser.
2. The FTK Version Management Diagnostics page opens. The page displays the
following information:
TABLE E-2

FTK Version Management Diagnostic Page

Information Category and Related Data

Time and date of the host’s connection
Refresh rate
GUI Information

• Host ID

• Version ID

• User ID

• Case ID number for each open case

Cases Information

• Case Number(s)

• User GUID logged in to work on
that case

• Worker Helper Link

• Database Helper Link

Logging options

Time and date at which the case was opened, in the following format:
MM/DD/YYYY Hours:Minutes:DecimalSeconds AM/PM +/- UTC.

3. Click the Worker link. The Worker Helper Diagnostics Page opens.

The page displays the following information:
TABLE E-3

FTK Worker Helper Diagnostic Page Information

Information Category and Related Data

Page Title
Time and Date in UTC
Refresh Rate.
Open cases for this version of FTK.

• Case Priority
• Case Name
• Current Task(s)

• User(s) assigned to this case
• Date and Time case was opened
• Logging Options:
  • Also log to file
  • Verbose
  • Set
  • Clear Text
  • Log Entries

Click the Worker Diagnostic Page to see more information specific to the current
worker.

Figure E-1 FTK Worker Diagnostic Page

The FTK Worker Diagnostic Page appears. The following information is displayed:
TABLE E-4

Information Category and Related Data

Date and Time in UTC
Refresh Rate
Worker Options

• Low, Normal, or High Priority / Set
• Host
• Case ID
• Case PriorityAdded

• Last Worker Start Time
• Last Exit Status
• Elapsed Run Time

Logging Options

• Also log to file
• Verbose
• Set
• Clear Text

Logged data

UNINSTALLING FTK 2.2 AND THE ORACLE DATABASE
If for any reason you need to uninstall FTK, and in particular in the case of a failed
FTK 2.2 install, there are steps you can follow to ensure a successful uninstall. Do not
try to reinstall FTK over the top of a failed installation. In this situation, it is essential to
completely clean off the FTK components as described in this section, and then run
the install again.

AUTOMATED UNINSTALL
Try uninstalling in Add or Remove Programs in the Windows Control Panel. If for any
reason this process fails, contact AccessData Support, or refer to the instructions
for Manually Uninstalling the Database on our website, www.accessdata.com/support.

Appendix F Managing Security Devices and Licenses

This chapter acquaints you with managing AccessData product licenses. Here you
will find details regarding the LicenseManager interface and how to manage licenses
and update products using LicenseManager.

NLS SUPPORT
Beginning with the PRTK 6.4 and DNA 3.4 release, AccessData’s Network License
Service (NLS) is supported. If you have NLS, you should also have documentation on
how to install and implement it.

INSTALLING AND MANAGING SECURITY DEVICES
Before you can manage licenses with LicenseManager, you must install the proper
security device software and/or drivers. This section explains installing and using the
Wibu CodeMeter Runtime software and USB CmStick, as well as the Keylok USB
dongle drivers and dongle device.

INSTALLING THE SECURITY DEVICE
As discussed previously, AccessData products require a licensing security device that
communicates with the program to verify the existence of a current license. The device
can be the older Keylok dongle, or the newer Wibu CmStick. Both are USB devices,
and both require specific software to be installed prior to connecting the devices and
running your AccessData products. You will need:

• The Wibu CodeMeter Runtime software with a Wibu CodeMeter (CmStick)
• The Wibu CodeMeter Runtime software, and the AccessData Dongle Drivers with
a Keylok dongle
Note: The Codemeter Runtime software and either a silver Wibu CmStick or a green
Keylok dongle are required to run PRTK or DNA. Without them, you can run PRTK
or DNA in Demo mode only.

The CmStick or dongle should be stored in a secure location when not in use.
You can install PRTK and the CodeMeter software from the shipping CD or from
downloadable files available on the AccessData website at www.accessdata.com. Click
Support > Downloads, and browse to the product to download. Click the download link
and save the file locally prior to running the installation files.
For solutions to commonly asked installation questions, see “Chapter 11
Troubleshooting” on page 189.

INSTALLING THE CODEMETER RUNTIME SOFTWARE
When you purchase the full PRTK package, AccessData provides a USB CmStick with
the product package. The green Keylok dongles are no longer provided, but can be
purchased separately through your AccessData Sales Representative.
To use the CmStick, you must first install the CodeMeter Runtime software, either from
the shipping CD, or from the setup file downloaded from the AccessData Web site.
LOCATING THE SETUP FILE
To install the CodeMeter Runtime software from the CD, you can browse to the setup
file, or select it from the Autorun menu.
To download the CodeMeter Runtime software, go to www.accessdata.com and do the
following:
1. Click Support > Downloads.
2. Find one of the following:
2a. CodeMeter Runtime 3.30a (32 bit)
MD5: 9F299EC832152E593D9E8D76F199C723
(MD5 hash applies only to this version)
OR
2b. CodeMeter Runtime 3.30a (64 bit)
MD5: 1140085cbbd0f15ade393f632b56d00c
(MD5 hash applies only to this version)
3. Click the Download link.
4. Save the file to your PC and run it after the download is complete.

When the download is complete, double-click on the CodeMeterRuntime32-3.30.exe
or the CodeMeterRuntime64-3.30.exe.
RUNNING THE CODEMETER RUNTIME SETUP
Whichever way you choose to access the CodeMeter Runtime setup file, when you run
it you will see the following:
1. The CodeMeter Runtime Open File Security Warning will appear to allow you to
verify that you really want to open this file.

2. Click Run.

3. On the Welcome screen, click Next.

4. Accept the License Agreement.

5. Click Next.

6. In the User Information screen, enter your name and your company name.
7. Specify whether this application should be available only when you log in, or for
anyone who uses this computer.
8. Click Next.

9. Select the features you want to install.

10. Click Next.

11. When you are satisfied with the options you have selected, click Next.

12. Installation will run its course. When complete, you will see the “CodeMeter
Runtime Kit v3.30 has been successfully installed” screen. Click Finish to exit the
installation.
THE CODEMETER CONTROL CENTER
When the CodeMeter Runtime installation is complete, the CodeMeter Control Center
pops up. This is a great time to connect the CmStick and verify that the device is
recognized and is Enabled. Once verified, you can close the control center and run
your AccessData product(s).

For the most part there is nothing you need to do with this control center, and you
need make no changes using this tool with very few exceptions. If you have problems
with your CmStick, contact AccessData Support and an agent will walk you through
any troubleshooting steps that may need to be performed.

INSTALLING KEYLOK DONGLE DRIVERS
To install the Keylok USB dongle drivers do the following:
1. If installing from CD, insert the CD into the CD-ROM drive and click Install the Dongle
Drivers.
If auto-run is not enabled, select Start > Run. Browse to the CD-ROM drive and
select Autorun.exe.
OR
1. If installing from a file downloaded from the AccessData Web site, locate the
Dongle_driver_1.6.exe setup file, and double-click it.

2. Click Next.

3. Select the type of dongle to install the drivers for.
4. Click Next.

5. If you have a USB dongle, verify that it is not connected.
6. Click Next.

7. Click Finish.

8. Connect the USB dongle. Wait for the Windows Found New Hardware wizard, and
follow the prompts.

Important: If the Windows Found New Hardware wizard appears, complete
the wizard. Do not close without completing, or the dongle driver will
not be installed.
WINDOWS FOUND NEW HARDWARE WIZARD
When you connect the dongle after installing the dongle drivers, you should wait for the
Windows Found New Hardware Wizard to come up. It is not uncommon for users to
disregard this wizard, and then find that the dongle is not recognized and their
AccessData software will not run.
When the Found New Hardware Wizard pops up, do the following:
1. When prompted whether to connect to Windows Update to search for software,
choose, “No, not this time”.

2. Click Next.

3. When prompted whether to install the software automatically or to install from a list
of specific locations, choose, “Install the software automatically (Recommended)”.

4. Click Next.
5. Click Finish to close the wizard.

Once you have installed the dongle drivers and connected the dongle and verified that
Windows recognizes it, you can use LicenseManager to manage product licenses.

INSTALLING LICENSEMANAGER
LicenseManager lets you manage product and license subscriptions using a security
device or device packet file.

To install LicenseManager from the downloadable file:
1. Go to the AccessData download page at
http://www.accessdata.com/downloads.htm.
2. On the download page, click the LicenseManager Download link.
3. Save the installation file (currently lm-license_manager-2.2.4.exe) to a temporary
directory on your drive.
4. To launch the installation program, go to the temporary directory and double-click
the installation file you downloaded in step 3.
5. Click Next on the Welcome screen.

6. Click Yes to accept the license agreement.

7. Wait while the installation completes.
8. If you want to launch LicenseManager after completing the installation, select
Run LicenseManager.

Run LicenseManager later by selecting
Start > Programs > AccessData > LicenseManager > LicenseManager
or by double-clicking the LicenseManager icon on your desktop.

MANAGING LICENSES WITH LICENSEMANAGER
LicenseManager manages AccessData product licenses on a Keylok dongle or Wibu
CodeMeter Stick security device, or in a security device packet file. LicenseManager and
the CodeMeter Stick installation are no longer integrated with FTK2 installation.
LicenseManager displays license information, allows you to add or remove existing
licenses to a dongle or CmStick. LicenseManager can also be used to export a security
device packet file. Packet files can be saved and reloaded onto the dongle or CmStick,
or sent via email to AccessData support.
In addition, you can use LicenseManager to check for product updates and download
the latest product versions.
LicenseManager displays CodeMeter Stick information (including packet version and
serial number) and licensing information for all AccessData products. The Purchase
Licenses button connects directly to the AccessData website and allows you to browse
the site for information about products you may wish to purchase. Contact AccessData
by phone to speak with a Sales Representative for answers to product questions, and to
purchase products and renew licenses and subscriptions.
LicenseManager provides information as displayed in the following figures:

Figure 6-1 LicenseManager Installed Components Tab

Figure 6-2 LicenseManager Licenses Tab

STARTING LICENSEMANAGER
LicenseManager.exe is located in C:\Program Files\AccessData\Common Files\AccessData LicenseManager\.
You can execute the program from this location if you wish.
Click Start > All Programs > AccessData > LicenseManager > LicenseManager,
OR
Click or double-click (depending on your Windows settings) the LicenseManager icon on
your desktop.

OR
From some AccessData programs, you can run LicenseManager from the Tools > Other
Applications menu. This option is not available in PRTK or DNA.
The LicenseManager program opens.
When starting LicenseManager, License Manager reads licensing and subscription
information from the installed and connected Wibu CodeMeter Stick, or Keylok
dongle.
If using a Keylok dongle, and LicenseManager either does not open or displays the
message, “Device Not Found”, do the following:
1. Make sure the correct dongle driver is installed on your computer.
2. With the dongle connected, check in Windows Device Manager to make sure the
device is recognized. If it has an error indicator, right click on the device and choose
Uninstall.
3. Remove the dongle after the device has been uninstalled.
4. Reboot your computer.
5. After the reboot is complete, and all startup processes have finished running,
connect the dongle.
6. Wait for Windows to run the Add New Hardware wizard. If you already have the
right dongle drivers installed, do not browse the internet, choose, “No, not this
time.”
7. Click Next to continue.
8. On the next options screen, choose, “Install the software automatically
(Recommended)”.
9. Click Next to continue.
10. When the installation of the dongle device is complete, click Finish to close the
wizard.
11. You still need the CodeMeter software installed, but will not need a CodeMeter
Stick to run LicenseManager.
If using a CodeMeter Stick, and LicenseManager either does not open or displays the
message, “Device Not Found”, do the following:
1. Make sure the CodeMeter Runtime 3.30a software is installed. It is available at
www.accessdata.com/support. Click Downloads and browse to the product. Click
on the download link. You can Run the product from the Website, or Save the file
locally and run it from your PC. Once the CodeMeter Runtime software is installed
and running, you will see a gray icon in your system tray.
2. Make sure the CodeMeter Stick is connected to the USB port. When the CmStick is
then connected, you will see the icon change.

If the CodeMeter Stick is not connected, LicenseManager still lets you manage
licenses using a security device packet file if you have exported and saved the file
previously.
To open LicenseManager without a CodeMeter Stick installed:
1. Click Tools > LicenseManager.

LicenseManager displays the message, “Device not Found”.
2. Click OK, then browse for a security device packet file to open.
Note: Although you can run LicenseManager using a packet file, FTK 2.2 will not run with a
packet file alone. You must have the CmStick connected to the computer to run FTK 2.2.

THE LICENSEMANAGER INTERFACE
The LicenseManager interface consists of two tabs that organize the options in the
LicenseManager window: the Installed Components tab and the Licenses tab.

THE INSTALLED COMPONENTS TAB
The Installed Components tab lists the AccessData programs installed on the machine.
The Installed Components tab is displayed in the following figure.

Figure 6-3 LicenseManager Installed Components

The following information is displayed on the Installed Components tab:
TABLE 6-1

LicenseManager Installed Components Tab Features

Item

Description

Program

Lists all AccessData products installed on the host.

Installed Version

Displays the version of each AccessData product installed on the
host.

Newest Version

Displays the latest version available of each AccessData product
installed on the host. Click Newest to refresh this list.

Product Notes

Displays notes and information about the product selected in the
program list.

AccessData Link

Links to the AccessData product page where you can learn more
about AccessData products.

The following buttons provide additional functionality from the Installed Components
tab:
TABLE 6-2

LicenseManager Installed Components Buttons

Button

Function

Help

Opens the LicenseManager Help web page.

Install Newest

Installs the newest version of the programs checked in the product
window, if that program is available for download. You can also get
the latest versions from our website using your Internet browser.

Newest

Updates the latest version information for your installed products.

About

Displays the About LicenseManager screen. Provides version,
copyright, and trademark information for LicenseManager.

Done

Closes LicenseManager.

Use the Installed Components tab to manage your AccessData products and stay up to
date on new releases.

THE LICENSES TAB
The Licenses tab displays CodeMeter Stick information for the current security device
packet file and licensing information for AccessData products available to the owner of
the CodeMeter Stick, as displayed in the following figure.

Figure 6-4 LicenseManager Licenses Tab

The Licenses tab provides the following information:

TABLE 6-3 LicenseManager Licenses Tab Features (Column: Description)

Program: Shows the owned licenses for AccessData products.
Expiration Date: Shows the date on which your current license expires.
Status: Shows the status of that product’s license:
• None: the product license is not currently owned.
• Days Left: displays when less than 31 days remain on the license.
• Never: the license is permanently owned. This generally applies to Hash Tables and
Portable Office Rainbow Tables.
Name: Shows the name of additional parameters or information a product requires for its
license.
Value: Shows the values of additional parameters or information contained in or required
for a product’s license.
Show Unlicensed: When checked, the License window displays all products, whether
licensed or not.

The following license management actions can be performed using buttons found on
the License tab:

TABLE 6-4 License Management Options (Button: Function)

Remove License: Removes a selected license from the Licenses window and from the
CodeMeter Stick or dongle. Opens the AccessData License Server web page to confirm
success.
Refresh Device: Connects to the AccessData License Server. Downloads and overwrites the
info on the CodeMeter Stick or dongle with the latest information on the server.
Reload from Device: Begins or restarts the service to read the licenses stored on the
CodeMeter Stick or dongle.
Release Device: Click to stop the program reading the dongle attached to your machine,
much like Windows’ Safely Remove Hardware feature. Click this button before removing a
dongle. This option is disabled for the CodeMeter Stick.
Open Packet File: Opens Windows Explorer, allowing you to navigate to a .pkt file
containing your license information.
Save to File: Opens Windows Explorer, allowing you to save a .pkt file containing your
license information. The default location is My Documents.
Finalize Removal: Finishes the removal of licenses in the unbound state. Licenses must be
unbound from the CmStick or dongle before this button takes effect.
View Registration Info: Displays an HTML page with your CodeMeter Stick number and
other license information.
Add Existing License: Allows you to bind an existing unbound license to your CodeMeter
Stick, through an internet connection to the AccessData License Server.
Purchase License: Brings up the AccessData product page from which you can learn more
about AccessData products.
About: Displays the About LicenseManager screen. Provides version, copyright, and
trademark information for LicenseManager.
Done: Closes LicenseManager.

OPENING AND SAVING DONGLE PACKET FILES
You can open or save dongle packet files using LicenseManager. When started,
LicenseManager attempts to read licensing and subscription information from the
dongle. If you do not have a dongle installed, LicenseManager lets you browse to open
a dongle packet file. You must have already created and saved a dongle packet file to be
able to browse to and open it.
To save a security device packet file:
1. Click the Licenses tab, then under License Packets, click Save to File.
2. Browse to the desired folder and accept the default name of the .pkt file; then click
Save.
Note: In general, the best place to save the .pkt files is in the AccessData LicenseManager
folder. The default path is C:\Program Files\AccessData\Common Files\AccessData LicenseManager\.

To open a security device packet file:
1. Select the Licenses tab, then under License Packets, click Open Packet File.
2. Browse for a dongle packet file to open. Select the file, then click Open.


Figure 6-5 LicenseManager Open Packet File

ADDING AND REMOVING PRODUCT LICENSES
On a computer with an Internet connection, LicenseManager lets you add available
product licenses to, or remove them from, a dongle.
To move a product license from one dongle to another dongle, first remove the
product license from the first dongle. You must release that dongle, and connect the
second dongle before continuing. When the second dongle is connected and
recognized by Windows and LicenseManager, click on the Licenses tab to add the
product license to the second dongle.

REMOVE A LICENSE
To remove (unassociate) a product license:
1. From the Licenses tab, mark the program license to remove. This action activates
the Remove License button below the Program list box.
2. Click Remove License. This connects your machine to the AccessData License Server
through the Internet.
3. You will be prompted to confirm the removal of the selected license(s) from the
device. Click Yes to continue, or No to cancel.
4. You will see some screens indicating the connection and activity on the License
Server, and when the license removal is complete, you will see the following screen:
Figure 6-6 Packet Update Successful

5. Click OK to close the message box. You will then see an Internet browser screen
from LicenseManager with a message that says, “The removal of your license(s)
from Security Device was successful!” You may close this box at any time.

ADD A LICENSE
To add a new or released license:
1. From the Licenses tab, under Browser Options, click Add Existing License.
The AccessData LicenseManager Web page opens, listing the licenses currently
bound to the connected security device, and below that list, you will see the licenses
that currently are not bound to any security device. Mark the box in the Bind
column for the product you wish to add to the connected device, then click Submit.
2. An AccessData LicenseManager Web page will open, displaying the following
message, “The AccessData product(s) that you selected has been bound to the
record for Security Device nnnnnnn within the Security Device Database.
“Please run LicenseManager’s “Refresh Device” feature in order to complete the
process of binding these product license(s) to this Security Device.” You may close
this window at any time.
3. Click Yes if LicenseManager prompts, “Were you able to associate a new product
with this device?”
4. Click Refresh Device in the Licenses tab of LicenseManager. Click Yes when prompted.
You will see the newly added license in the License Options list.

ADDING AND REMOVING PRODUCT LICENSES REMOTELY
While LicenseManager requires an Internet connection to use some features, you can
add or remove licenses from a dongle packet file for a dongle that resides on a
computer, such as a forensic lab computer, that does not have an Internet connection.
If you cannot connect to the Internet, the easiest way to move licenses from one dongle
to another is to physically move the dongle to a computer with an Internet connection,
add or remove product licenses as necessary using LicenseManager, and then physically
move the dongle back to the original computer. However, if you cannot move the
dongle—due to organization policies or a need for forensic soundness—then transfer
the packet files and update files remotely.


ADD A LICENSE REMOTELY
To remotely add (associate) a product license:
1. On the computer where the security device resides:
1a. Run LicenseManager.
1b. From the Licenses tab, click Reload from Device to read the dongle license
information.
1c. Click Save to File to save the dongle packet file to the local machine.
2. Copy the dongle packet file to a computer with an Internet connection.
3. On the computer with an Internet connection:
3a. Remove any attached security device.
3b. Launch LicenseManager. You will see a notification, “No security device found”.
3c. Click OK.
3d. An “Open” dialog box will display. Highlight the .pkt file, and click Open.
3e. Click on the Licenses tab.
3f. Click Add Existing License.
3g. Complete the process to add a product license on the Website page.
3h. Click Yes when the LicenseManager prompts, “Were you able to associate a new
product with this dongle?”
3i. When LicenseManager does not detect a dongle or the serial number of the
dongle does not match the serial number in the dongle packet file, you are
prompted to save the update file, [serial#].wibuCmRaU.
3j. Save the update file to the local machine.
4. After the update file is downloaded, copy the update file to the computer where the
dongle resides.
5. On the computer where the dongle resides:
5a. Run the update file by double-clicking it. (It is an executable file.)
5b. After an update file downloads and installs, click OK.
5c. Run LicenseManager.
5d. From the Licenses tab, click Reload from Device to verify the product license has
been added to the dongle.


REMOVE A LICENSE REMOTELY
To remotely remove (unassociate) a product license:
1. On the computer where the dongle resides:
1a. Run LicenseManager.
1b. From the Licenses tab, click Reload from Device to read the dongle license
information.
1c. Click Save to File to save the dongle packet file to the local machine.
2. Copy the file to a computer with an Internet connection.
3. On the computer with an Internet connection:
3a. Launch LicenseManager. You will see a notification, “No security device found”.
3b. Click OK.
3c. An “Open” dialog box will display. Highlight the .pkt file, and click Open.
3d. Click on the Licenses tab.
3e. Mark the box for the product license you want to unassociate; then click Remove
License.
3f. When prompted to confirm the removal of the selected license from the dongle,
click Yes.
When LicenseManager does not detect a dongle or the serial number of the
dongle does not match the serial number in the dongle packet file, you are
prompted to save the update file.
3g. Click Yes to save the update file to the local computer.
The Step 1 of 2 dialog details how to use the dongle packet file to remove the
license from a dongle on another computer.
3h. Save the update file to the local machine.
4. After the update file is downloaded, copy the update file to the computer where the
dongle resides.
5. On the computer where the dongle resides:
5a. Run the update file by double-clicking it. This runs the executable update file
and copies the new information to the security device.
5b. Run LicenseManager.
5c. On the Licenses tab, click Reload from Device in LicenseManager to read the
security device and allow you to verify the product license is removed from the
dongle.
5d. Click Save to File to save the updated dongle packet file to the local machine.
6. Copy the file to a computer with an Internet connection.

UPDATING PRODUCTS
You can use LicenseManager to check for product updates and download the latest
product versions.
For more information on the general features of the subscription service, see the
AccessData Website at http://www.accessdata.com/subscription_renewal.htm.

CHECK FOR PRODUCT UPDATES
To check for product updates, on the Installed Components tab, click Newest. This
refreshes the list to display what version you have installed, and the newest version
available.

DOWNLOAD PRODUCT UPDATES
To install the newest version, mark the box next to the product to install, then click
Install Newest.
Note: Some products, such as FTK 2.x, Enterprise, and others, are too large to download, and
are not available. A notification displays if this is the case.

To download a product update:
1. Ensure that LicenseManager displays the latest product information by clicking the
Installed Components tab. Click Newest to refresh the list showing the latest
releases, then compare your installed version to the latest release.
If the latest release is newer than your installed version, you may be able to install
the latest release from our Website.
2. Ensure that the program you want to install is not running.
3. Mark the box next to the program you want to download; then click Install Newest.
4. When prompted, click Yes to download and install the latest install version of the
product.
5. If installing the update on a remote computer, copy the product update file to
another computer.
6. Install the product update.

For information about installing the product update, refer to the installation
information for the product. You may need to restart your computer after the update is
installed.

PURCHASE PRODUCT LICENSES
Use LicenseManager to link to the AccessData Web site to find information about all
our products.
Purchase product licenses through your AccessData Sales Representative. Call
801-377-5410 and follow the prompt for Sales, or send an email to sales@accessdata.com.
Note: Once a product has been purchased and appears in the AccessData License Server, add
the product license to a CodeMeter Stick, dongle, or security device packet file by clicking
Refresh Device.

SEND A DONGLE PACKET FILE TO SUPPORT
Send a security device packet file only when specifically directed to do so by AccessData
support.
To create a dongle packet file, do the following:
1. Run LicenseManager.
2. Click on the Licenses tab.
3. Click Load from Device.
4. Click Refresh Device if you need to get the latest info from AD’s license server.
5. Click Save to File, and note or specify the location for the saved file.
6. Attach the dongle packet file to an e-mail and send it to support@accessdata.com.
Note: For a more complete list of AccessData Corporation’s contact information, see
“Appendix G AccessData Corporate Contact Information” on page 307.


AccessData Glossary

A
AccessData Recovery Session
In PRTK, selecting one or more files and starting the password recovery process is
called an AccessData Recovery (ADR) session. Typically, each case has one session
unless you have a large number of encrypted files.

Address
A location of data, usually in main memory or on a disk. You can think of computer
memory as an array of storage boxes, each of which is one byte in length. Each storage
box has an address (a unique number) assigned to it. By specifying a memory address,
programmers can access a particular byte of data. Disks are divided into tracks and
sectors, each of which has a unique address.

Advanced Encryption Standard
A common symmetric encryption system that has replaced Data Encryption Standard
as the encryption standard. It uses a 128, 192, or 256-bit key.

Application Administrator
The first user created in an AccessData FTK2 system. The Application Administrator
has all rights within the application, including adding users and assigning roles.


Application Administrators can assign the role of Application Administrator to new
users as they are created.

Asymmetric Encryption
A type of encryption in which the encryption and decryption keys are different.
Asymmetric encryption uses a public key (which can be posted on an Internet site or
made “public” through other means) and a private key, which remains secret. In this
system, something that has been encrypted with the private key can be decrypted only
by the public key, and vice versa. Asymmetric algorithms are slower than symmetric
algorithms, but can nonetheless be very useful. They are often used in combination
with symmetric algorithms, as with EFS Encryption.
The number of possible key values refers to the actual number of different key words or
passwords that can exist, based on the particular algorithm used to create the key value
in question. An n-bit key has 2^n possible values. For example, a 40-bit key has 2^40
possible values, or 1,099,511,627,776 possibilities.
The security of an algorithm should rely on the secrecy of the key only, not the secrecy
of the algorithm.
Do not compare key sizes between symmetric and asymmetric algorithms. For example,
a 128-bit symmetric key is approximately as strong as a 512-bit asymmetric key.

B
BestCrypt
A common symmetric encryption system that can be used with any of the following
hash functions and encryption algorithms:
TABLE Glossary-1 BestCrypt Hash Functions and Encryption Algorithms

• GOST
• CAST
• SHA-1 Hash
• AES
• Blowfish
• RC6
• IDEA
• 3DES encryption
• Twofish

Binary
Pertaining to a number system that has just two unique digits. Computers are based on
the binary numbering system, which consists of just two unique numbers, 0 and 1. All
operations that are possible in the decimal system (addition, subtraction, multiplication,
and division) are equally possible in the binary system.

BIOS
Acronym for Basic Input/Output System. The BIOS is built-in software that
determines what a computer can do without accessing programs from a disk. On PCs,
the BIOS contains all the code required to control the keyboard, display screen, disk
drives, serial communications, and a number of miscellaneous functions.

Bit-stream Image
See “Forensic Image” on page 290.

Bookmark
A menu entry or icon on a computer that is most often created by the user and that
serves as a shortcut to a previously viewed location (as an Internet address). The term
“bookmark” as used in a Computer Crimes Unit report refers to locating a file, folder
or specific item of interest to the examiner or to the investigator. The location of the
data (file name, file location, relative path, and hardware address) is identified. Other
data can be addressed as well.

Boot
To load the first piece of software that starts a computer. Because the operating system
is essential for running all other programs, it is usually the first piece of software loaded
during the boot process.

Boot Record
All three types of FAT have a boot record, which is located within an area of
reserved sectors. The DOS format program reserves 1 sector for FAT12 and FAT16 and
usually 32 sectors for FAT32.


C
Chunk Size
The number of passwords the supervisor machine can process in the amount of time
specified.

Cluster
Fixed-length blocks that store files on the FAT media. Each cluster is assigned a unique
number by the computer operating system. Only the part of the partition called the
“data area” is divided into clusters. The remainder of the partition is defined as
sectors. Files and directories store their data in these clusters. The size of one cluster is
specified in a structure called the Boot Record, and can range from a single sector to
128 sectors. The operating system assigns a unique number to each cluster and then
keeps track of files according to which cluster they use.

CMOS
Short for Complementary Metal Oxide Semiconductor. Pronounced SEE-moss, CMOS
is a widely used type of semiconductor. CMOS semiconductors use both NMOS
(negative polarity) and PMOS (positive polarity) circuits. Since only one of the circuit
types is on at any given time, CMOS chips require less power than chips using just one
type of transistor. This makes them particularly attractive for use in battery-powered
devices, such as portable computers. Personal computers also contain a small amount
of battery-powered CMOS memory to hold the date, time, and system setup
parameters.

CRC
Short for Cyclical Redundancy Check. It performs a complex calculation on every byte
in the file, generating a unique number for the file in question. If so much as a single
byte in the file being checked were to change, the cyclical redundancy check value for
that file would also change. If the CRC value is known for a file before it is downloaded,
you can compare it with the CRC value generated by this software after the file has been
downloaded to ascertain whether the file was damaged in transit. The odds of two files
having the same CRC value are even longer than the odds of winning a state-run
lottery—along the lines of one in 4,294,967,296.


Cylinder
A single-track location on all the platters making up a hard disk. For example, if a hard
disk has four platters, each with 600 tracks, then there will be 600 cylinders, and each
cylinder will consist of 8 tracks (assuming that each platter has tracks on both sides).

D
dd
(Linux) Makes a copy of an input file (STDIN) using the specified conditions, and sends
the results to the output file (STDOUT).

Data Carving
Data carving is the process of extracting a collection of data from a larger data set. Data
carving techniques frequently occur during a digital investigation when the unallocated
file system space is analyzed to extract files. The files are “carved” from the unallocated
space using file type-specific header and footer values. File system structures are not
used during the process.

Data Encryption Standard
A 56-bit symmetric encryption system that is considered weak by current standards. It
has been broken in a distributed environment.

Device
Any machine or component that attaches to a computer. Examples of devices include
disk drives, printers, mice, and modems. These particular devices fall into the category
of peripheral devices because they are separate from the main computer.
Most devices, whether peripheral or not, require a program called a device driver that
acts as a translator, converting general commands from an application into specific
commands that the device understands.

Disk
A round plate on which data can be encoded. There are two basic types of disks:
magnetic disks and optical disks.

E
Encrypting File System (EFS)
EFS is a file system driver that provides filesystem-level encryption in Microsoft
Windows (2000 and later) operating systems, except Windows XP Home Edition,
Windows Vista Basic, and Windows Vista Home Premium. The technology enables
files to be transparently encrypted on NTFS file systems to protect confidential data
from attackers with physical access to the computer.

EnScript (also “e script”)
EnScript is a language and API that has been designed to operate within the EnCase
environment. EnScript is compatible with the ANSI C++ standard for expression
evaluation and operator meanings but contains only a small subset of C++ features. In
other words, EnScript uses the same operators and general syntax as C++ but classes
and functions are organized differently.

Evidence Item
A physical drive, a logical drive or partition, or drive space not included in any
partitioned virtual drive.

F
File Allocation Table (FAT)
A table that the operating system uses to locate files on a disk. A file may be divided
into many sections that are scattered around the disk. The FAT keeps track of all these
pieces.
There is a field in the Boot Record that specifies the number of FAT copies. With
FAT12 and FAT16, MS-DOS uses only the first copy, but the other copies are
synchronized. FAT32 was enhanced to specify which FAT copy is the active one in a
4-bit value that is part of a Flags field.
Think of the FAT as a singly linked list. Each of the chains in the FAT specifies which
parts of the disk belong to a given file or directory.
A file allocation table is a simple array of 12-bit, 16-bit, or 32-bit data elements. Usually
there will be two identical copies of the FAT.
FAT12: The oldest type of FAT uses a 12-bit binary number to hold the cluster number.
A volume formatted using FAT12 can hold a maximum of 4,086 clusters, which is 2^12
minus a few values (to allow for reserved values to be used in the FAT). FAT12 is most
suitable for very small volumes, and is used on floppy disks and hard disk partitions
smaller than about 16 MB (the latter being rare today).
FAT16: The FAT used for older systems, and for small partitions on modern systems,
uses a 16-bit binary number to hold cluster numbers. When you see someone refer to a
FAT volume generically, they are usually referring to FAT16, because it is the de facto
standard for hard disks, even with FAT32 now more popular than FAT16. A volume
using FAT16 can hold a maximum of 65,526 clusters, which is 2^16 less a few values
(again for reserved values in the FAT). FAT16 is used for hard disk volumes ranging in
size from 16 MB to 2,048 MB. VFAT is a variant of FAT16.
FAT32: The newest FAT type, FAT32 is supported by newer versions of Windows,
including Windows 95’s OEM SR2 release, as well as Windows 98, Windows ME, and
Windows 2000. FAT32 uses a 28-bit binary cluster number—not 32 because 4 of the 32
bits are reserved. 28 bits is still enough to permit very large volumes—FAT32 can
theoretically handle volumes with over 268 million clusters, and will theoretically
support drives up to 2 TB in size. To do this, however, the size of the FAT grows very
large.
VFAT features the following key improvements compared to FAT12 and FAT16:

• Long File Name Support: Prior to Windows 95, FAT was limited to the
eleven-character (8.3) file name restriction. VFAT’s most important accomplishment
enabled the use of long file names by the Windows 95 operating system and
applications written for it, while maintaining compatibility with older software
that had been written before VFAT was implemented.

• Improved Performance: The disk access and file system management routines
for VFAT were rewritten using 32-bit protected-mode code to improve
performance. At the same time, 16-bit code was maintained, for use when
required for compatibility.

• Better Management Capabilities: Special support was added for techniques like
disk locking to allow utilities to access a disk in exclusive mode without fear of
other programs using it in the meantime.

File Header
The data at the beginning of a file that identifies the file type: .gif, .doc, .txt, etc.

File Footer
The data at the end of the file signifying the file is complete and allows the file to be
understood by the operating system.

File Item
Any item FTK can parse from the evidence. This includes complete files as well as
sub-elements such as graphics, files, or OLE objects embedded in other files; deleted items
recovered from unallocated space; and so forth.

File Slack
Unused space. Operating systems store files in fixed-length blocks called clusters.
Because few files are a size that is an exact multiple of the cluster size, there is typically
unused space between the end of the file and the end of the last cluster used by that file.
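The following Python is an added example, not code from this guide or from AccessData. It decodes FAT12 and FAT16 table entries, walks a cluster chain as the singly linked list the File Allocation Table entry describes (stopping on loops, free clusters and the bad-cluster marker instead of walking through corruption), and splits the last cluster of a file into content and the file slack described above. The table, the tiny disk image and the 8-byte cluster size are constructed for illustration; the marker values are the standard FAT ones (0 = free, 0xFF7/0xFFF7 = bad, 0xFF8/0xFFF8 and above = end of chain).

```python
# Added example (not from the FTK guide): FAT12/FAT16 chain walking and file
# slack extraction over a constructed table and image.
import struct
from typing import Dict, List, Tuple


def fat_entry(fat: bytes, cluster: int, bits: int) -> int:
    """Return the raw table entry for `cluster` from a FAT12 or FAT16 table."""
    if bits == 16:
        return struct.unpack_from("<H", fat, cluster * 2)[0]
    if bits == 12:
        # FAT12 packs two 12-bit entries into three bytes: entry n starts at
        # byte n + n//2; even entries use the low 12 bits of the 16-bit word
        # at that offset, odd entries the high 12 bits.
        word = struct.unpack_from("<H", fat, cluster + cluster // 2)[0]
        return word >> 4 if cluster & 1 else word & 0x0FFF
    raise ValueError("bits must be 12 or 16")


def fat_entry_count(fat: bytes, bits: int) -> int:
    """Number of entries the table holds (entries 0 and 1 are reserved)."""
    return len(fat) // 2 if bits == 16 else len(fat) * 2 // 3


def cluster_chain(fat: bytes, start: int, bits: int) -> List[int]:
    """Follow the chain from `start` until an end-of-chain marker.

    Raises ValueError for the corruption cases an examiner should not walk
    through silently: out-of-range clusters, a loop, a link into a free
    cluster (cross-linked or wiped table) or into the bad-cluster marker.
    """
    bad = 0xFF7 if bits == 12 else 0xFFF7
    end_of_chain = 0xFF8 if bits == 12 else 0xFFF8   # this value and above
    count = fat_entry_count(fat, bits)
    chain: List[int] = []
    seen = set()
    current = start
    while True:
        if current < 2 or current >= count:
            raise ValueError(f"cluster {current} is reserved or beyond the table")
        if current in seen:
            raise ValueError(f"loop detected at cluster {current}")
        seen.add(current)
        chain.append(current)
        nxt = fat_entry(fat, current, bits)
        if nxt >= end_of_chain:
            return chain
        if nxt == 0:
            raise ValueError(f"cluster {current} links to a free cluster")
        if nxt == bad:
            raise ValueError(f"cluster {current} links to the bad-cluster marker")
        current = nxt


def extract_file(image: bytes, chain: List[int], size: int,
                 cluster_size: int, data_start: int) -> Tuple[bytes, bytes]:
    """Return (content, slack): the bytes covered by the directory entry's
    size, and the unused tail of the last cluster (the file slack).
    Cluster 2 is the first cluster of the data area."""
    raw = b"".join(
        image[data_start + (c - 2) * cluster_size:
              data_start + (c - 1) * cluster_size]
        for c in chain)
    if size > len(raw):
        raise ValueError("recorded file size exceeds the allocated clusters")
    return raw[:size], raw[size:]


def pack_fat12(entries: List[int]) -> bytes:
    """Pack 12-bit values into the FAT12 layout (helper to build samples)."""
    if len(entries) % 2:
        entries = entries + [0]
    out = bytearray()
    for low, high in zip(entries[0::2], entries[1::2]):
        out += ((low & 0xFFF) | ((high & 0xFFF) << 12)).to_bytes(3, "little")
    return bytes(out)


# Constructed sample: ten entries.  File A occupies clusters 2 -> 3 -> 5,
# file B is the single cluster 4, clusters 6 and 7 form a loop, cluster 8 is
# marked bad and cluster 9 links into it.
_ENTRIES = [0xFFF8, 0xFFFF, 3, 5, 0xFFFF, 0xFFFF, 7, 6, 0xFFF7, 8]
SAMPLE_FAT16 = struct.pack("<10H", *_ENTRIES)
SAMPLE_FAT12 = pack_fat12([e & 0xFFF for e in _ENTRIES])
CLUSTER_SIZE = 8   # bytes; unrealistically small so the image fits here
_CLUSTERS: Dict[int, bytes] = {2: b"forensic", 3: b"toolkit!",
                               4: b"single!!", 5: b"FATslack"}
SAMPLE_IMAGE = b"".join(_CLUSTERS.get(c, b"\0" * CLUSTER_SIZE)
                        for c in range(2, len(_ENTRIES)))

if __name__ == "__main__":
    chain = cluster_chain(SAMPLE_FAT16, 2, 16)
    content, slack = extract_file(SAMPLE_IMAGE, chain, 19, CLUSTER_SIZE, 0)
    print(chain, content, slack)
```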

Forensic Image
A process where all areas of a physical disk are copied, sector by sector, to storage
media. This image may be a raw file, as in the case of the Linux utility DD, or it may be
a forensically correct copy, such as SPADA provides. These images replicate exactly all
sectors on a given storage device. All files, unallocated data areas, and areas not
normally accessible to a user are copied.

Forensically Prepared Media
Digital media (such as a diskette, tape, CD, hard drive) that is sanitized (wiped clean) of
all data. This means computer media that may be sanitized up to the Department of
Defense standards 5220.22-M (National Industrial Security Program Operating Manual
Supplement) using software wipe utilities such as Dan Mares (Maresware) Declassify,
New Technologies Inc (NTI) Disk Scrub or M-Sweep Pro or Symantec (Norton)
WipeInfo to remove all data by overwriting the existing data with random or predefined characters. The Linux OS may also be used to write out a value of zero (0) to a
device.
The media is then examined using tools to determine that no data exists (MD5, SHA-1
or Diskedit). The partition information is removed and the media is sanitized from the
physical address of (cylinder/head/sector) 0/0/1 to the physical (versus logical) end of
the media.
This process involves using a program such as I-wipe, Encase, Linux, Drivespy, SPADA
or any program capable of writing multiple passes of a single character over the entire
drive.
Checksum is a form of redundancy check, a very simple measure for protecting the
integrity of data by detecting errors in data. It works by adding up the basic
components of a message, typically the bytes, and storing the resulting value. Later,
anyone can perform the same operation on the data, compare the result to the
authentic checksum and (assuming that the sums match) conclude that the message was
probably not corrupted.
Redundancy check is extra data added to a message for the purposes of error detection
and error correction.
The value of the checksum of forensically prepared media will be zero (0) provided the
write process is done using zeros.
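As an added example (not code from this guide or from AccessData), the following Python checks that media is forensically prepared in the sense described above: it scans an image sector by sector, reports the first non-zero byte as an offset and as a cylinder/head/sector address counted from 0/0/1, and computes an additive checksum and an MD5 over the whole image. The two images and the 255-head, 63-sector geometry are constructed; the second image shows why the zero-fill scan, not the checksum alone, decides whether media is clean.

```python
# Added example (not from the FTK guide): verifying zero-filled media.
import hashlib
import io
from typing import BinaryIO, Dict, Optional, Tuple

SECTOR_SIZE = 512


def lba_to_chs(lba: int, heads: int, sectors_per_track: int) -> Tuple[int, int, int]:
    """Convert a logical block address to (cylinder, head, sector).  Sectors
    are numbered from 1, so LBA 0 is the 0/0/1 the glossary refers to."""
    cylinder, rem = divmod(lba, heads * sectors_per_track)
    head, sector = divmod(rem, sectors_per_track)
    return cylinder, head, sector + 1


def verify_wipe(stream: BinaryIO, heads: int = 255,
                sectors_per_track: int = 63) -> Dict[str, object]:
    """Scan a device or image in sector-sized blocks and report whether it
    is zero-filled, where the first non-zero byte sits, a 16-bit additive
    checksum of all bytes, and the MD5 of the whole image."""
    md5 = hashlib.md5()
    checksum = 0
    offset = 0
    first_nonzero: Optional[int] = None
    while True:
        block = stream.read(SECTOR_SIZE)
        if not block:
            break
        md5.update(block)
        checksum = (checksum + sum(block)) & 0xFFFF
        if first_nonzero is None and block.count(0) != len(block):
            first_nonzero = offset + next(i for i, b in enumerate(block) if b)
        offset += len(block)
    report: Dict[str, object] = {
        "bytes_scanned": offset,
        "zero_filled": first_nonzero is None,
        "first_nonzero_offset": first_nonzero,
        "first_nonzero_chs": None,
        "checksum": checksum,
        "md5": md5.hexdigest(),
    }
    if first_nonzero is not None:
        report["first_nonzero_chs"] = lba_to_chs(
            first_nonzero // SECTOR_SIZE, heads, sectors_per_track)
    return report


def verify_wipe_bytes(image: bytes, **geometry) -> Dict[str, object]:
    """Convenience wrapper for an image already held in memory."""
    return verify_wipe(io.BytesIO(image), **geometry)


# Constructed images.  The second is not wiped, yet its additive checksum
# wraps to zero: one 0x01 byte plus 257 bytes of 0xFF sum to 65536.  A zero
# checksum is therefore necessary but not sufficient evidence of a clean wipe.
WIPED_IMAGE = b"\0" * (SECTOR_SIZE * 8)
CHECKSUM_ZERO_BUT_DIRTY = b"\0" * (SECTOR_SIZE * 2 + 100) + b"\x01" + b"\xff" * 257
CHECKSUM_ZERO_BUT_DIRTY += b"\0" * (SECTOR_SIZE * 4 - len(CHECKSUM_ZERO_BUT_DIRTY))

if __name__ == "__main__":
    print(verify_wipe_bytes(WIPED_IMAGE))
    print(verify_wipe_bytes(CHECKSUM_ZERO_BUT_DIRTY))
```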

G
Graphic Image Files
Computer graphic image files such as photos, drawings, etc. Come in various standard
formats. Some of the most common file types include but are not limited to Joint
Photographic Experts Group (JPEG, JPG), Bitmap (BMP), Graphics Interchange Format
(GIF, JFIF) and AOL image file (ART).


Golden Dictionary
The Golden Dictionary file, ADPasswords.dat, contains all recovered passwords for all
PRTK sessions on the current computer. It is stored in the AccessData program
directory (C:\Program Files\AccessData\Recovery\). Recovered passwords are used as
the first level of attack in all password recovery sessions. Most people use the same
password for different files, so recovering the password for a simple file often opens
the door to more difficult files.

Graphic Interchange Format (GIF)
A common graphics format that can be displayed on almost all Web browsers. GIFs
typically display in 256 colors and have built-in compression. Static or animated GIF
images are the most common form of banner creation.

H
Hard Disk (Drive)
A magnetic disk on which you can store computer data. The term hard is used to
distinguish it from a soft or floppy disk. Hard disks hold more data and are faster than
floppy disks. A hard disk, for example, can store anywhere from 10 gigabytes to several
terabytes, whereas most floppies have a maximum storage capacity of 1.4 megabytes.

Hashing
Generating a unique alphanumeric value based on a file’s contents. The alphanumeric
value can be used to prove that a file copy has not been altered in any way from the
original. It is statistically impossible for an altered file to generate the same hash
number.

Head
The mechanism that reads data from or writes data to a magnetic disk or tape. Hard
disk drives have many heads, usually two for each platter.

Hexadecimal
The base-16 number system, which consists of 16 unique symbols: the numbers zero
through nine and the letters A to F. For example, the decimal number 15 is represented
as F in the hexadecimal numbering system. The hexadecimal system is useful because it
can represent every byte (eight bits) as two consecutive hexadecimal digits. It is easier
for humans to read hexadecimal numbers than binary numbers.

K
Known File Filter (KFF)
The KFF is a database utility that compares the hash values of case files to a database
of hash values from known files. The KFF can significantly reduce the amount of time
you spend analyzing files by eliminating unimportant files such as system and
application files, or identifying alert files such as known child pornography images. After
you compare case files to the KFF database, FTK and Enterprise place unimportant
files (known system and application files) in the KFF Ignorable container and alert files
(known criminal files) in the KFF Alert Files container within the Overview tab.

M
Markov Permutation
The Markov permutation records the times certain words, letters, punctuation, and
spaces occur together in a given amount of text, then generates random output that has
the same distribution of groups.
For example: if you were to scan through the text and create a huge frequency table of
what words come after the words “up the,” you might find “tree,” “ladder,” and
“creek” most often. You would then generate output from the words “up the,” and get
the results “up the tree,” “up the creek,” and “up the ladder” randomly.
If the words “up the” were followed most frequently by the word “creek” in your
sample text, the phrase “up the creek” would occur most frequently in your random
output.
Andrey Andreyevich Markov (June 14, 1856–July 20, 1922) was a Russian
mathematician.
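
A word-level implementation of the model the entry describes, added here as an example (it is not AccessData or PRTK code); the sample text, the two-word context and the random seeds are constructed so that "up the" is followed by "creek" most often:

```python
"""Word-level Markov text model: record which word follows each context,
then generate output with the same distribution (added example)."""
import random
from collections import Counter, defaultdict

# Constructed sample text: "up the" is followed by "creek" twice and by
# "tree" and "ladder" once each, so "creek" should dominate the output.
SAMPLE_TEXT = (
    "he ran up the tree and then up the creek and back up the ladder "
    "while the dog went up the creek again"
)


def build_table(text, order=2):
    """Count how often each word follows each `order`-word context."""
    words = text.split()
    table = defaultdict(Counter)
    for i in range(len(words) - order):
        context = tuple(words[i:i + order])
        table[context][words[i + order]] += 1
    return table


def next_word(table, context, rng):
    """Draw a successor with probability proportional to its recorded count."""
    successors = table.get(tuple(context))
    if not successors:
        return None          # context never seen in the sample; nothing to extend
    choices, weights = zip(*successors.items())
    return rng.choices(choices, weights=weights, k=1)[0]


def generate(table, seed_words, length, seed=0):
    """Generate up to `length` words starting from `seed_words`."""
    rng = random.Random(seed)    # seeded so runs are reproducible
    out = list(seed_words)
    order = len(seed_words)
    while len(out) < length:
        word = next_word(table, out[-order:], rng)
        if word is None:
            break
        out.append(word)
    return " ".join(out)


def successor_frequencies(table, context, samples=2000, seed=1):
    """Sample one successor `samples` times; the counts follow the table."""
    rng = random.Random(seed)
    return Counter(next_word(table, context, rng) for _ in range(samples))


if __name__ == "__main__":
    table = build_table(SAMPLE_TEXT)
    print(dict(table[("up", "the")]))   # {'tree': 1, 'creek': 2, 'ladder': 1}
    print(generate(table, ("up", "the"), 6))
    print(successor_frequencies(table, ("up", "the")))
```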

AccessData Glossary

Memory
Internal storage areas in the computer. The term memory identifies data storage that
comes in the form of chips; the word storage is used for memory that exists on tapes or
disks. Moreover, the term memory is usually used as shorthand for physical memory,
which refers to the actual chips capable of holding data.

Message Digest 5
A 128-bit digital fingerprint based on a file's content. An algorithm created in 1991 by
Professor Ronald Rivest of RSA that is used to create digital signatures, or a 128-bit
digital fingerprint based on a file's content. Message Digest 5 (MD5) takes as input an
arbitrary-length file and outputs a fixed-length number referred to as a hash or digest. It
is intended for use with 32-bit machines and is safer than the MD4 algorithm, which has
been broken. MD5 is a one-way hash function, meaning that it takes a message and
converts it into a fixed string of digits, also called a message digest. When using a
one-way hash function, one can compare a calculated message digest against the message
digest that is decrypted with a public key to verify that the message hasn't been
changed. This comparison is called a hash check. The number is derived from the input
in such a way that it is computationally infeasible to derive any information about the
input from the hash. It is also computationally infeasible to find another file that will
produce the same output.
MD5 hashes are used by the KFF to identify known files.

Metadata
Literally data about data. Metadata describes how, when, and by whom a particular set
of data was collected and how the data is formatted. Metadata is essential for
understanding information stored in data warehouses and has become increasingly
important in XML-based Web applications.

Mount
To make a mass storage device available to the OS, or to a user or user group. It may
also mean to make a device physically accessible. In a Unix environment, the mount
command attaches disks or directories logically rather than physically. The Unix mount
command makes a directory accessible by attaching a root directory of one file system
to another directory, which makes all the file systems usable as if they were
subdirectories of the file system they are attached to. Unix recognizes devices by their
location, while Windows recognizes them by their names (C: drive, for example). Unix
organizes directories in a tree-like structure in which directories are attached by
mounting them on the branches of the tree. The file system location where the device
is attached is called a mount point. Mounts may be local or remote. A local mount
connects disk drives on one machine so that they behave as one logical system. A
remote mount uses Network File System (NFS) to connect to directories on other
machines so that they can be used as if they were all part of the user’s file system.

N
NT File System (NTFS)
One of the file systems for the Windows NT operating system (Windows NT also
supports the FAT file system). NTFS has features to improve reliability, such as
transaction logs to help recover from disk failures. To control access to files, you can set
permissions for directories or individual files. NTFS files are not accessible from other
operating systems, such as DOS. For large applications, NTFS supports spanning
volumes, which means files and directories can be spread out across several physical
disks.

P
Pagefile (.sys)
The paging file is the area on the hard disk that Windows uses as if it were random
access memory (RAM). This is sometimes known as virtual memory. By default,
Windows stores this file on the same partition as the Windows system files.

Parallel Framework Extensions (PFX)
PFX is a managed concurrency library being developed by a collaboration between
Microsoft Research and the CLR team at Microsoft. It is composed of two parts:
Parallel LINQ (PLINQ) and Task Parallel Library (TPL).

Pretty Good Privacy
A common symmetric encryption system used for exchanging files and email. It
provides both privacy and authentication.

R
RC4
RC4, or ARC4, is a variable key-length stream cipher designed by RSA. Stream ciphers
are key-dependent, pseudo-random number generators whose output is XORed with
the data: <data> XOR <random-looking stream> = <random-looking ciphertext>.
Because XOR is symmetric (in other words, [A XOR B] XOR B = A), XORing the
ciphertext with the stream again returns the plaintext. Microsoft Word and Excel use
RC4 and a 40-bit key to encrypt their files. A 40-bit key space is small enough that an
exhaustive key space attack has a much better chance of succeeding.
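
The XOR relationship above worked through in code, as an added example rather than AccessData's: a plain RC4 implementation (the standard key-scheduling and pseudo-random generation steps) whose single rc4_crypt function both encrypts and decrypts, plus key_space to put a 40-bit key next to a 128-bit one. The key and message values are constructed inputs.

```python
"""RC4 keystream generation and the XOR symmetry that makes one routine
serve for both encryption and decryption (added example)."""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (1 to 256 bytes)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    # Key-scheduling algorithm (KSA): permute S under control of the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """<data> XOR <keystream>. Because (A XOR B) XOR B = A, calling this on
    ciphertext with the same key returns the plaintext."""
    stream = rc4_keystream(key, len(data))
    return bytes(d ^ k for d, k in zip(data, stream))


def key_space(bits: int) -> int:
    """Number of candidate keys an exhaustive search would have to cover."""
    return 1 << bits


if __name__ == "__main__":
    key, msg = b"Key", b"Plaintext"      # constructed (public RC4 test vector)
    ct = rc4_crypt(key, msg)
    print(ct.hex())                      # bbf316e8d940af0ad3
    print(rc4_crypt(key, ct))            # b'Plaintext'
    # 40 bits is about 1.1e12 candidates; 128 bits is about 3.4e38.
    print(key_space(40), key_space(128))
```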

S
Sector
A sector is a group of bytes within a track and is the smallest group of bytes that can be
addressed on a drive. There are normally tens or hundreds of sectors within each track.
The number of bytes in a sector can vary, but is almost always 512. The maximum
number of sectors in a cluster is 64. CD-ROMs normally have 2048 bytes per sector.
Sectors are numbered sequentially within a track, starting at 1. The numbering restarts
on every track, so that “track 0, sector 1” and “track 5, sector 1” refer to different
sectors. Modern drives use a system known as Logical Block Addressing (LBA) instead
of CHS to track sectors.
During a low-level format, hard disks are divided into tracks and sectors. The tracks are
concentric circles around the disk and the sectors are segments within each circle. For
example, a formatted disk might have 40 tracks, with each track divided into ten sectors.
Physical sectors are relative to the entire drive. Logical sectors are relative to the
partition.

Secure Hash Algorithm
A 160-bit digital fingerprint based on a file’s content. Designed by the National Institute
of Standards and Technology (NIST), Secure Hash Algorithm (SHA) takes as input an
arbitrary-length file and outputs a fixed-length number referred to as a hash or digest.
The number is derived from the input in such a way that it is computationally
impossible to derive any information about the input from the hash. It is also
computationally impossible to find another file that will produce the same output.
SHA-1 hashes are used by the KFF to identify known files.
FTK uses SHA-1 and SHA-256. The KFF library contains some A hashes.

SHA
The SHA (Secure Hash Algorithm) family is a set of related cryptographic hash
functions. The most commonly used function in the family, SHA-1, is employed in a
large variety of popular security applications and protocols, including TLS, SSL, PGP,
SSH, S/MIME, and IPSec. SHA-1 is considered to be the successor to MD5, an earlier,
widely-used hash function. The SHA algorithms were designed by the National Security
Agency (NSA) and published as a US government standard.
The first member of the family, published in 1993, is officially called SHA; however, it is
often called SHA-0 to avoid confusion with its successors. Two years later, SHA-1, the
first successor to SHA, was published. Four more variants have since been issued with
increased output ranges and a slightly different design: SHA-224, SHA-256, SHA-384, and
SHA-512—sometimes collectively referred to as SHA-2.
Attacks have been found for both SHA-0 and SHA-1. No attacks have yet been reported
on the SHA-2 variants, but since they are similar to SHA-1, researchers are worried, and
are developing candidates for a new, better hashing standard.
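
An added example (not FTK's implementation) covering the Known File Filter, Message Digest 5 and Secure Hash Algorithm entries: it computes MD5, SHA-1 and SHA-256 digests of case files, performs a hash check, and places each file in a KFF Ignorable, KFF Alert Files or Unknown container. The case file contents and both hash sets are constructed here; a real KFF library is the hash database shipped with FTK.

```python
"""Digest computation, hash check, and KFF-style known-file classification
(added example with constructed case files and hash sets)."""
import hashlib

# Constructed case files (name -> contents) standing in for an evidence image.
CASE_FILES = {
    "notepad.exe": b"MZ\x90\x00 constructed stand-in for a system binary",
    "report.docx": b"PK\x03\x04 constructed user document",
    "flagged.jpg": b"\xff\xd8\xff\xe0 constructed image whose hash is in the alert set",
    "notes.txt": b"meeting at ten\n",
}


def digests(data: bytes) -> dict:
    """MD5 and SHA-1 (the digests the KFF keys on) plus SHA-256, which FTK also uses."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_check(data: bytes, expected_md5: str) -> bool:
    """Verify a copy against a recorded digest: any altered byte changes the hash."""
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


# Constructed KFF-style library. Ignorable = known system/application files;
# Alert = files the examiner must be told about. Both sets hold hex digests.
KFF_IGNORABLE = {hashlib.md5(CASE_FILES["notepad.exe"]).hexdigest()}
KFF_ALERT = {hashlib.sha1(CASE_FILES["flagged.jpg"]).hexdigest()}


def classify(files: dict, ignorable: set, alert: set) -> dict:
    """Place each file in the KFF Ignorable, KFF Alert Files, or Unknown container."""
    containers = {"KFF Ignorable": [], "KFF Alert Files": [], "Unknown": []}
    for name, data in files.items():
        d = digests(data)
        if d["sha1"] in alert or d["md5"] in alert:
            containers["KFF Alert Files"].append(name)   # alert takes priority
        elif d["md5"] in ignorable or d["sha1"] in ignorable:
            containers["KFF Ignorable"].append(name)     # safe to skip in review
        else:
            containers["Unknown"].append(name)           # still needs examination
    return containers


if __name__ == "__main__":
    print(classify(CASE_FILES, KFF_IGNORABLE, KFF_ALERT))
    original = CASE_FILES["notes.txt"]
    recorded = digests(original)["md5"]
    print(hash_check(original, recorded))         # True: copy is unaltered
    print(hash_check(original + b"x", recorded))  # False: one extra byte
```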

Spool (spooling, print spool)
Acronym for Simultaneous Peripheral Operations On-Line, spooling refers to putting
jobs in a buffer, a special area in memory or on a disk where a device can access them
when it is ready. Spooling is useful because devices access data at different rates. The
buffer provides a waiting station where data can rest while the slower device catches up.
The most common spooling application is print spooling. In print spooling, documents
are loaded into a buffer (usually an area on a disk), and then the printer pulls them off
the buffer at its own rate. Because the documents are in a buffer where they can be
accessed by the printer, you can perform other operations on the computer while
printing takes place in the background. Spooling also lets you place a number of print
jobs on a queue instead of waiting for each one to finish before specifying the next one.

Slack (File and RAM)
Files are created in varying lengths depending on their contents. DOS, Windows and
Windows NT-based computers store files in fixed length blocks of data called clusters.
Rarely do file sizes exactly match the size of one or multiple clusters perfectly. The data
storage space that exists from the end of the file to the end of the last cluster assigned
to the file is called file slack. Cluster sizes vary in length depending on the operating
system involved and, in the case of Windows 95, the size of the logical partition
involved. Larger cluster sizes mean more file slack and also the waste of storage space
when Windows 95 systems are involved.
File slack potentially contains randomly selected bytes of data from computer memory.
This happens because DOS/Windows normally writes in 512 byte blocks called sectors.
Clusters are made up of blocks of sectors. If there is not enough data in the file to fill
the last sector in a file, DOS/Windows makes up the difference by padding the
remaining space with data from the memory buffers of the operating system. This
randomly selected data from memory is called RAM Slack because it comes from the
memory of the computer.
RAM Slack can contain any information that may have been created, viewed, modified,
downloaded or copied during work sessions that have occurred since the computer was
last booted. Thus, if the computer has not been shut down for several days, the data
stored in file slack can come from work sessions that occurred in the past.
RAM slack pertains only to the last sector of a file. If additional sectors are needed to
round out the block size for the last cluster assigned to the file, then a different type of
slack is created. It is called drive slack and it is stored in the remaining sectors which
might be needed by the operating system to derive the size needed to create the last
cluster assigned to the file. Unlike RAM slack, which comes from memory, drive slack is
padded with what was stored on the storage device before. Such data could contain
remnants of previously deleted files or data from the format pattern associated with
disk storage space that has yet to be used by the computer.

For example, take a file that is created by writing the word “Hello.” Assuming that this
is the only data written in the file and assuming a two sector cluster size for the file, the
data stored to disk and written in file slack could be represented as follows:
________________________________________
Hello+++++++|————(EOC)
RAM Slack is indicated by "+"
Drive Slack is indicated by "–"
________________________________________
File Slack is created at the time a file is saved to disk. When a file is deleted under DOS,
Windows, Windows 95, Windows 98 and Windows NT/2000/XP, the data associated
with RAM slack and drive slack remains in the cluster that was previously assigned to the
end of the deleted file. The clusters which made up the deleted file are released by the
operating system and they remain on the disk in the form of unallocated storage space
until the space is overwritten with data from a new file.
File slack potentially contains data dumped randomly from the computer’s memory. It
is possible to identify network login names, passwords, and other sensitive information
associated with computer usage. File slack can also be analyzed to identify prior uses of
the subject computer and such legacy data can help the computer forensics investigator.
File slack is not a trivial item. On large hard disk drives, file slack can involve several
hundred megabytes of data. Fragments of prior email messages and word processing
documents can be found in file slack. From a computer forensic standpoint, file slack is
very important as both a source of digital evidence and security risks.
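
The “Hello” layout above worked through in code, as an added example that is not AccessData's: slack_layout returns the RAM slack, drive slack and total file slack for a given file size, sector size and cluster size, and render_last_cluster reproduces the diagram. The 512-byte sector and two-sector cluster are the entry's own assumptions; the scale parameter (slack bytes per drawn character) is mine.

```python
"""RAM slack, drive slack and file slack for a file of a given size, with a
renderer for the glossary's "+"/"-" diagram (added example)."""
import math


def slack_layout(file_size, sectors_per_cluster, sector_size=512):
    """Bytes of each slack type once `file_size` bytes have been written.

    RAM slack   = unused tail of the last sector the data touches (padded
                  from memory buffers, per the entry above).
    Drive slack = whole sectors of the last cluster the data never reaches
                  (still holding whatever was on the disk before).
    File slack  = RAM slack + drive slack, end of file to end of cluster.
    """
    if file_size < 0 or sectors_per_cluster < 1 or sector_size < 1:
        raise ValueError("file_size must be >= 0 and unit sizes >= 1")
    cluster_size = sectors_per_cluster * sector_size
    if file_size == 0:
        # A zero-length file owns no data cluster, so nothing is padded.
        return {"clusters": 0, "ram_slack": 0, "drive_slack": 0, "file_slack": 0}
    clusters = math.ceil(file_size / cluster_size)
    sectors_used = math.ceil(file_size / sector_size)
    ram_slack = sectors_used * sector_size - file_size
    drive_slack = clusters * cluster_size - sectors_used * sector_size
    return {
        "clusters": clusters,
        "ram_slack": ram_slack,
        "drive_slack": drive_slack,
        "file_slack": ram_slack + drive_slack,
    }


def render_last_cluster(data, sectors_per_cluster, sector_size=512, scale=64):
    """Draw the last cluster as the glossary does: the file's tail, '+' for
    RAM slack, '|' at each sector boundary, '-' for drive slack, '(EOC)'.
    `scale` is how many slack bytes one character stands for."""
    layout = slack_layout(len(data), sectors_per_cluster, sector_size)
    if layout["clusters"] == 0:
        return "(no data cluster)"
    cluster_size = sectors_per_cluster * sector_size
    tail = data[(layout["clusters"] - 1) * cluster_size:].decode("ascii", "replace")
    ram = "+" * max(1, layout["ram_slack"] // scale) if layout["ram_slack"] else ""
    drive_sectors = layout["drive_slack"] // sector_size
    drive = ("|" + "-" * max(1, sector_size // scale)) * drive_sectors
    return f"{tail}{ram}{drive}(EOC)"


if __name__ == "__main__":
    # The entry's example: "Hello" (5 bytes) in a two-sector cluster.
    print(slack_layout(5, 2))                  # 507 bytes RAM slack, 512 drive slack
    print(render_last_cluster(b"Hello", 2))    # Hello+++++++|--------(EOC)
    # With 4-sector clusters a 1500-byte file leaves 548 bytes of slack that
    # a forensic tool should examine for memory contents or prior file data.
    print(slack_layout(1500, 4))
```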

String Searches
A string search looks for a data string containing standard text or non-text data; the
search term may be a word, a phrase or an expression. Keyword searches are designed to
aid in the identification of potentially relevant data on the examined media.

Superuser Administrator
A person with unlimited access privileges who can perform any and all operations on
the computer and within the operating system and file system. These privileges do not
necessarily transfer to the applications installed on the computer.

Symmetric Encryption
A type of encryption in which the encryption and decryption keys are the same. Some
common symmetric encryption systems are Data Encryption Standard, Triple-DES,
Pretty Good Privacy, BestCrypt, and Advanced Encryption Standard.

T
Thumbnail
A smaller-sized version of a graphics image.

U
Unallocated Space
Also called free space, it consists of all the clusters on a drive that are not currently
assigned to a file. Some of these clusters may still contain data from files that have been
deleted but not yet overwritten by other files.
Until the first file is written to the data storage area of a computer storage device, the
clusters are unallocated by the operating system in the File Allocation Table (FAT). These
unallocated clusters are padded with format pattern characters and the unallocated
clusters are not of interest to the computer forensics specialist until data is written to the
clusters. As the computer user creates files, clusters are allocated in the File Allocation
Table (FAT) to store the data. When the file is deleted by the computer user, the clusters
allocated to the file are released by the operating system so new files and data can be
stored in the clusters when needed. However, the data associated with the deleted file
remains behind. This data storage area is referred to as unallocated storage space and it
is fragile from an evidence preservation standpoint. However, until the unallocated
storage space is reassigned by the operating system, the data remains behind for easy
discovery and extraction by the computer forensics specialist. Unallocated file space
potentially contains intact files, remnants of files and subdirectories and temporary files,
which were transparently created and deleted by computer applications and also the
operating system. All of such files and data fragments can be sources of digital evidence
and also security leakage of sensitive data and information.

URL
Abbreviation of Uniform Resource Locator, the global address of documents and
other resources on the World Wide Web. The first part of the address indicates what
protocol to use and the second part specifies the IP address or the domain name where
the resource is located.

V
Volume
A volume refers to a mounted partition. There may be only one volume on a disk, such
as a floppy disk or a zip disk. There may be several volumes on a disk as on a
partitioned hard drive. A volume is a logical structure, not a physical device. There can
be up to 24 of these logical volumes on a disk and they show up as drive “c,” “d,” or “e”
in DOS.

Volume Boot Sector
Since every partition may contain a different file system, each partition contains a
volume boot sector which is used to describe the type of file system on the partition
and usually contains boot code necessary to mount the file system.

A
archiving
see backing up case 93

B
backing up case 93
bookmarks 104
creating 105
export files to report 171
including in report 171
moving 114
tab 68
viewing 107

C
carved files
adding 81
carving
see data carving 145
case 35
adding evidence 95
backing up 93
creating 77
entering information in a report 169
indexing 82
processing of evidence 78
refining evidence 84
Case Management Window 36
CmStick 36, 207, 209
CodeMeter 36
column headings
common 188
compressed 200
DOS 197
email 190
ext2 197
file status 195
file system 196
HFS 198
NTFS 199
Outlook/Exchange 193
stored hashes 190
Unix 200

Creating 71
custom identification file 83
customizing 184
data carving 201
file list columns 186
tab layout 183
view panes 183

D
data carving 145
customizing 201
existing case 146
new case 81, 146
Database File Types 239
decrypted files
locating 80
decrypting 161
viewing decrypted files 163
diagnostics
workers 223
docking
options 184
Document File Types 234
dongle 36, 209
dtSearch 8, 82

E
EFS 161
decrypting files 80
email
file types 243
window 68
evidence
excluding from index 89
processing of 78
refining 84
exporting
bookmarked files to report 171
files 118
index 138
registry files 121

F

file
exporting 118
file category 60
file content 50
filter tab 52
hex tab 53
natural tab 51
text tab 53
file list columns
customizing 186
file listing database 80
file properties
in report 174
viewing 102
file status 60, 61
file types
email message 243
filter 149
Known File Filter (KFF) 154
toolbar 149
filtering
creating or modifying 152
FTK 2 window 38
FTK Imager 77

G
Graphic File Types 241

H
hardware acquisition tools 76
hashing
databases of 9
overview of 8
sample of 8
HashKeeper database 9
hex interpreter 49
hexadecimal 49
HTML file listing 80

I
index
contents of 138
selecting 78

L
License Manager
updating 216

M
MD5
see Message Digest 5 8
Message Digest 5 8
selecting 78

N
NTFS 161, 249
decrypt EFS files 80

O
or 35

P
packet file 212
partition
evidence item 278
NTFS 80, 249
Password Recovery Toolkit 138, 204
features 205
progress dialog 57
Properties Pane 48
PRTK
see Password Recovery Toolkit 204

Q
QuickPicks 45
QuickPicks Filter 56

R
registry files 206
Registry Viewer 206, 257
regular expression 123
reports
entering case information 169
including bookmarks in 171

including list of file properties in 174
modifying 180
sample of 178
selecting location of 176
viewing 178
roles 75

S
searching 8
regular expressions 129
Secure Hash Algorithm 8
Secure Hash Algorithm
selecting 78
security device 212
SHA-1
see Secure Hash Algorithm 8
software acquisition tools 76
Spreadsheet File Types 238
status 158

T
tab
Bookmark 68
Email 63
Explore 54
Graphics 65
Overview 58
Search 69
User-defined 71
Tab Layout menu 183
temporary file folder 200
thumbnails
creating 78
marking 65
see Graphics Tab 66
toolbar 45
file list 47

U
updating
products 216

V

View menu 182
view panes
moving 183

W
window
email 68
Windows Registry
file types 258
Windows 9x file types 258
Windows NT and 2000 file types 259
Windows XP file types 260

</pre>
</div>
							</div>
		</div>

</div></body></html>