FTK_User_Guide FTK 4.2 UG

2014-07-01

• AccessData Legal and Contact Information
  • Legal Information
  • AccessData Trademarks and Copyright Information
  • Documentation Conventions
  • Registration
    • Subscriptions
  • AccessData Contact Information
    • Mailing Address and General Phone Numbers
    • Technical Support
    • Documentation
  • Professional Services
    • Contact Information for Professional Services
• Table of Contents
• Introducing Forensic Toolkit® (FTK®)
  • Introducing AccessData® Forensic Toolkit® (FTK®)
    • Overview of Investigating Digital Evidence
    • About Acquiring Digital Evidence
      • Types of Digital Evidence
      • Acquiring Evidence
        • About Acquiring Static Evidence
        • About Acquiring Live Evidence
        • About Acquiring Remote Evidence
    • About Examining Digital Evidence
    • About Managing Cases and Evidence
    • What You Can Do With the Examiner
      • About Indexing and Hashing
      • About the Known File Filter Database
      • About Searching
      • About Bookmarking
      • About Presenting Evidence
  • Getting Started with the User Interface
    • The Case Manager
    • The Examiner
• Administrating Forensic Toolkit® (FTK®)
  • Application Administration
    • Creating an Application Administrator Account
    • Changing Your Password
    • Setting Database Preferences
    • Managing Database Sessions
    • Optimizing the Database for Large Cases
    • Managing Shared KFF Settings
    • Recovering and Deleting Processing Jobs
    • Restoring an Image to a Disk
    • Database Integration with AccessData CIRT 2.2
    • Adding New Users to a Database
    • About Assigning Roles to Users
      • Assigning Initial Database-level Roles to Users
      • Assigning Additional Case-level Roles to Users
    • Restrictions to the Case Reviewer Role
    • About Assigning Permissions to Users
    • Assigning Users Shared Label Visibility
    • Setting Additional Preferences
      • Choosing a Temporary File Path
      • Providing a Network Security Device Location
      • Setting Theme Preferences for the Visualization Add on
      • Optimizing the Case Database
    • Managing Global Features
      • Managing Shared Custom Carvers
      • Managing Custom Identifiers
      • Managing Columns
      • Managing File Extension Maps
      • Managing Filters
      • Managing Labels
• Case Management
  • Introducing Case Management
    • About Case Management
    • The User Interfaces
    • About the Cases List
    • Menus of the Case Manager
      • Options of the Case Manager File Menu
      • Options of the Case Manager Database Menu
      • Options of the Case Manager Case Menu
      • Options of the Case Manager Tools Menu
      • Options of the Case Manager Manage Menu
      • Options of the Case Manager Help Menu
    • Menus of the Examiner
      • Options of the Examiner File Menu
      • Options of the Examiner Edit Menu
      • Options of the Examiner View Menu
      • Options of the Examiner Evidence Menu
      • Options of the Examiner Filter Menu
      • Options of the Examiner Tools Menu
      • Options of the Examiner Manage Menu
      • Options of the Examiner Help Menu
  • Starting New Cases
    • Opening an Existing Case
    • Creating a Case
    • Configuring Case Detailed Options
    • Evidence Processing Options
    • About Fuzzy Hashing
      • Creating a Fuzzy Hash Library
      • Selecting Fuzzy Hash Options During Initial Processing
      • Additional Analysis Fuzzy Hashing
      • Creating Fuzzy Hash Groups
      • Exporting Fuzzy Hash Groups
      • Importing Fuzzy Hash Groups
      • Modifying Fuzzy Hash Lists within Fuzzy Hash Groups
        • Add to Fuzzy Hash Library Group from File List View
      • Comparing Files Using Fuzzy Hashing
        • Viewing Fuzzy Hash Results
    • Expanding Compound Files
    • dtSearch Text Indexing Options
      • Indexing a Case
      • dtSearch Indexing Space Requirements
      • Case Indexing Options
    • Data Carving
      • Pre-defined Carvers
      • Selecting Data Carving Options
      • Custom Carvers
    • Running Optical Character Recognition (OCR)
    • About Explicit Image Detection
    • Including Registry Reports
    • Send Email Alert on Job Completion
    • Custom File Identification Options
      • Creating Custom File Identifiers
      • Custom Case Extension Maps
    • Evidence Refinement (Advanced) Options
      • Refining Evidence by File Status/Type
      • Refining Evidence by File Date/Size
    • Selecting Index Refinement (Advanced) Options
      • Refining an Index by File Status/Type
        • Refining an Index by File Date/Size
    • Adding Evidence to a New Case
    • Converting a Case from Version 2.2 or Newer
  • Managing Case Data
    • Backing Up a Case
      • Performing a Backup and Restore on a Two-Box Installation
      • Performing a Backup of a Case
    • Archiving a Case
    • Archiving and Detaching a Case
    • Attaching a Case
    • Restoring a Case
    • Deleting a Case
      • Storing Case Files
    • Migrating Cases Between Database Types
  • Working with Static Evidence
    • Static Evidence Compared to Remote Evidence
    • Acquiring and Preserving Static Evidence
    • Adding Evidence
    • Working with Evidence Groups
    • Selecting Evidence Processing Options
    • Selecting a Language
    • Additional Analysis
    • Hashing
    • Data Carving
      • Data Carving Files When Processing a New Case
    • Viewing the Status and Progress of Data Processing and Analysis
    • Viewing Processed Items
  • Working with Live Evidence
    • About Live Evidence
      • Types of Live Evidence
    • Adding Local Live Evidence
    • Methods of Adding Remote Live Evidence
    • Requirements for Adding Remote Live Evidence
    • Adding Evidence with the Temporary Agent
      • Pushing the Temporary Agent
      • Manually Deploying the Temporary Agent
    • Adding Data with the Enterprise Agent
      • Methods of Deploying the Enterprise Agent
      • Creating Self-signed Certificates for Agent Deployment
      • Configuring Communication Settings for the Enterprise Agent Push
      • Pushing the Enterprise Agent
      • Removing the Enterprise Agent
      • Connecting to an Enterprise Agent
      • Adding Remote Data with the Enterprise Agent
      • Acquiring Drive Data
      • Acquiring RAM Data
      • Importing Memory Dumps
      • Unmounting an Agent Drive or Device
  • Filtering Data to Locate Evidence
    • About Filtering
      • Types of Filters
      • What You Can Do with Filters
    • Understanding How Filters Work
      • Viewing the Components of Filters
      • Viewing Details about Attributes that Filters use
    • Using Simple Filtering
      • Using Global Filters
      • Using Tab Filters
      • How Global Filters and Tab Filters can work Together
      • Using Filters with Category Containers
      • Using Filters with Reports
      • Viewing the Filters that you have Applied
    • Using Filtering with Searches
      • Adding a Search Filter to a Live Searches
      • Adding a Search Filter to an Index Searches
    • Using Compound Filters
      • Applying Compound Filters
    • Using Custom Filters
      • About Nested Filters
      • Creating a Custom Filter
      • Copying Filters
      • Editing a Custom Filter
    • Sharing, Importing, and Exporting Filters
      • Sharing Custom Filters Between Cases
      • Importing Filters
      • Exporting Filters
    • Types of Predefined Filters
  • Working with Labels
    • What You Can Do With Labels
    • Creating a Label
    • Applying a Label
    • Managing Labels
    • Managing Label Groups
  • Running Cerberus Malware Analysis
    • About Cerberus Malware Analysis
      • About Cerberus Stage 1 Threat Analysis
      • About Cerberus Stage 2 Static Analysis
    • Running Cerberus Analysis
    • Reviewing Results of Cerberus
    • Using Index Search with Cerberus
    • Exporting a Cerberus Report
  • Decrypting Files
    • Understanding EFS
    • Decrypting EFS Files and Folders
      • Requirements
        • Windows 2000 and XP Systems Prior to SP1
        • Windows XP SP1 or Later
      • Decrypting EFS
    • Decrypting Microsoft Office Files
    • Decrypting Lotus Notes Files
    • Decrypting S/MIME Files
    • Viewing Decrypted Files
    • Decrypting Credant Files
      • Using an Offline Key Bundle
      • Using an Online Key Bundle
    • Decrypting Safeguard Utimaco Files
      • Safeguard Easy
      • SafeGuard Enterprise
        • Retrieving the Recovery Token
    • Decrypting SafeBoot Files
    • Decrypting Guardian Edge Files
    • Decrypting an Image Encrypted With PGP® Whole Disk Encryption (WDE)
      • PGP® WDE Decryption
    • Decrypting Microsoft Office and Outlook Digital Rights Management (DRM) Protected Files
  • Exporting Data from the Examiner
    • Copying Information from the Examiner
    • Exporting Files to a Native Format
    • Exporting Files to an AD1 Image
    • Exporting an Image to an Image
    • Exporting File List Information
    • Exporting a Word List
    • Exporting Recycle Bin Index Contents
    • Exporting Hashes from a Case
    • Exporting Custom Groups from the KFF Library
    • Exporting All Hits in a Search to a CSV file
    • Exporting Emails to PST
• Reviewing Cases
  • Using the Examiner Interface
    • About the Examiner
      • Miscellaneous types of evidence
  • Exploring Evidence
    • Explorer Tree Pane
    • File List Pane
      • Using the File List’s Type-Down Control Feature
      • Icons of the File List Tool Bar
      • File List View Right-Click Menu
    • The File Content Viewer Pane
      • The Natural Tab
      • The Properties Tab
      • The Hex Tab
      • The Hex Interpreter Tab
      • The Text Tab
      • The Filtered Tab
    • The Filter Toolbar
    • Using QuickPicks
    • Caching Data in the File List
  • Examining Evidence in the Overview Tab
    • Using the Overview Tab
      • Evidence Groups Container
      • File Items Container
      • File Extension Container
      • File Category Container
      • File Status Container
      • Email Status Container
      • Labels Container
      • Bookmarks Container
  • Examining Email
    • Using the Email Tab
      • Email Status Tree
      • Email Archives Tree
      • Email Tree
  • Examining Graphics
    • Using the Graphics Tab
    • The Thumbnails Size Setting
    • Moving the Thumbnails Pane
    • Evaluating Explicit Material
    • Filtering EID Material
      • Create an EID Tab Filter
      • Change the Column List Settings
    • EID Scoring
  • Examining Videos
    • Generating Thumbnails for Video Files
    • Creating Common Video Files
    • Using the Video Tree Pane
    • Using the Video Thumbnails Pane
    • Playing a Video from a Video Thumbnail
    • The Thumbnail Size Setting
    • Moving the Thumbnails Pane
  • Examining Miscellaneous Evidence
    • Viewing Windows Prefetch Data
    • Viewing Data in Windows XML Event Log (EVTX) Files
      • About Viewing EVTX Log Files
    • Viewing IIS Log File Data
    • Registry Timeline Analysis
  • Bookmarking Evidence
    • Using the Bookmarks Tab
    • Creating a Bookmark
    • Viewing Bookmark Information
    • Bookmarking Selected Text
    • Adding to an Existing Bookmark
    • Creating Email or Email Attachment Bookmarks
    • Adding Email and Email Attachments to Existing Bookmarks
    • Moving a Bookmark
    • Copying a Bookmark
    • Deleting a Bookmark
    • Deleting Files from a Bookmark
  • Searching Evidence with Live Search
    • Conducting a Live Search
    • Live Text Search
    • Live Hex Search
    • Live Pattern Search
      • Using Pattern Searches
    • Predefined Regular Expressions
      • Social Security Number
      • U.S. Phone Number
      • IP Address
    • Creating Custom Regular Expressions
  • Searching Evidence with Index Search
    • Conducting an Index Search
    • Using Search Terms
    • Defining Search Criteria
    • Exporting and Importing Index Search Terms
    • Selecting Index Search Options
    • Viewing Index Search Results
    • Documenting Search Results
    • Using Copy Special to Document Search Results
    • Bookmarking Search Results
  • Examining Volatile Data
    • Using the Volatile Tab
    • Understanding Memory
    • Viewing Memory Dump Data
      • Viewing Hidden Processes
      • Viewing Input/Output Request Packet Data
      • Viewing Virtual Address Descriptor (VAD) Data
  • Using Visualization
    • About Visualization
    • Launching Visualization
    • About the Visualization page
    • About Visualization Time Line Views
    • About the Base Time Line
    • Changing the View of Visualization
      • Modifying the Bar Chart Displays
      • Changing the Theme of Visualization
    • Visualizing File Data
      • Configuring Visualization File Dates
      • Visualizing File Extension Distribution
      • Visualizing File Category Distribution
      • Using the File Data List
    • Visualizing Email Data
      • Narrowing the Scope with the Email Time Line
        • Using History Items in the Email Time Line
      • Viewing Mail Statistics
      • Using the Email Details List
      • Viewing Social Analysis
      • Viewing Traffic Details
    • About the Detailed Visualization Time Line
    • Using the Detailed Visualization Time Line
      • Understanding How Data is Represented in the Detailed Time Line
      • About Time Bands
      • Modifying the Time Line Using Time Bands and Zoom
      • Understanding How Grouping Works in the Detailed Visualization Time Line
    • Visualizing Internet Browser History Data
  • Customizing the Examiner Interface
    • About Customizing the Examiner User Interface
    • The Tab Layout Menu
    • Moving View Panels
    • Creating Custom Tabs
    • Managing Columns
    • Customizing File List Columns
    • Creating User-Defined Custom Columns for the File List view
    • Deleting Custom Columns
    • Navigating the Available Column Groups
  • Working with Evidence Reports
    • Creating a Case Report
    • Adding Case Information to a Report
    • Adding Bookmarks to a Report
    • Adding Graphics Thumbnails and Files to a Report
    • Adding a Video to a Report
    • Adding a File Path List to a Report
    • Adding a File Properties List to a Report
    • Adding Registry Selections to a Report
    • Selecting the Report Output Options
    • Customizing the Report Graphic
      • Using Cascading Style Sheets
    • Viewing and Distributing a Report
    • Modifying a Report
    • Exporting and Importing Report Settings
    • Writing a Report to CD or DVD
• Appendices
  • Appendix A Working with Windows Registry Evidence
    • Understanding the Windows Registry
      • Windows 9x Registry Files
      • Windows NT and Windows 2000 Registry Files
      • Windows XP Registry Files
      • Possible Data Types
      • Additional Considerations
        • Seizing Windows Systems
    • Windows XP Registry Quick Find Chart
      • System Information
      • Networking
      • User Data
      • User Application Data
  • Appendix B Supported File Systems and Drive Image Formats
    • File Systems
    • Whole Disk Encrypted Products
    • Hard Disk Image Formats
    • CD and DVD Image Formats
  • Appendix C Recovering Deleted Material
    • FAT 12, 16, and 32
    • NTFS
    • Ext2
    • Ext3
    • HFS
  • Appendix D Working with the KFF Library
    • About the KFF Library
    • About the KFF Server and Data Libraries
    • Configuring KFF
    • About Managing the KFF Library
      • How the KFF Works
        • Status Values
        • Sets
        • Groups
        • Higher Level Structure and Usage
    • Viewing Defined Sets and Defined Groups
    • Importing KFF Hashes
    • Defining KFF Groups
    • Customizing KFF Hash Sets and Groups
      • Adding Hash Sets to a Defined Group
      • Deleting Hash Sets from a Defined Group
      • Deleting KFF Groups
    • KFF Library Sources
      • NIST NSRL
      • NDIC/HashKeeper
  • Appendix E Managing Security Devices and Licenses
    • Installing and Managing Security Devices
      • Installing the Security Device
        • Installing the CodeMeter Runtime Software
        • Locating the Setup File
        • The CodeMeter Control Center
      • Installing Keylok Dongle Drivers
        • Windows Found New Hardware Wizard
    • Installing LicenseManager
      • Starting LicenseManager
      • Using LicenseManager
        • The LicenseManager Interface
          • The Installed Components Tab
          • The Licenses Tab
        • Opening and Saving Dongle Packet Files
        • Adding and Removing Product Licenses
          • Removing a License
          • Adding a License
        • Adding and Removing Product Licenses Remotely
          • Adding a License Remotely
          • Removing a License Remotely
      • Updating Products
        • Checking for Product Updates
        • Downloading Product Updates
        • Purchasing Product Licenses
      • Sending a Dongle Packet File to Support
    • Virtual CodeMeter Activation Guide
      • Introduction
      • Preparation
      • Setup for Online Systems
      • Setting up VCM for Offline Systems
      • Creating a Virtual CM-Stick with Server 2003/2008 Enterprise Editions
      • Additional Instructions for AD Lab WebUI and eDiscovery
      • Virtual CodeMeter FAQs
    • Network License Server (NLS) Setup Guide
      • Introduction
      • Preparation Notes
      • Setup Overview
      • Network Dongle Notes
      • NLS Server System Notes
      • NLS Client System Notes
  • Appendix F Configuring for Backup and Restore
    • Configuration for a Two-box Backup and Restore
      • Configuration Overview
      • Create a Service Account
        • Instructions for Domain User Accounts
      • Share the Case Folder
      • Configure Database Services
      • Share the Backup Destination Folder
      • Test the New Configuration
  • Appendix G AccessData Oradjuster
    • Oradjuster System Requirements
    • Introduction
    • The First Invocation
      • Subsequent Invocations
      • One-Box Deployment
      • Two-Box Deployment
    • Tuning for Large Memory Systems
  • Appendix H AccessData Distributed Processing
    • Distributed Processing Prerequisites
    • Installing Distributed Processing
    • Configuring Distributed Processing
    • Using Distributed Processing
      • Checking the Installation