Forensics_5_0_1 FTK 5 0 1 RN

2014-07-10

• Introduction
• Important Information
  • For installation instructions, see the Quick Install Guide or the Detailed Install Guide. You can access these guides at
  • FTK supports Distributed Processing Engines (DPEs). Distributed Processing allows the installation of up to three additional processing engines to share the work load of processing evidence in a case.
  • FTK does not support skipping versions when you upgrade cases from previous major or minor versions. You must upgrade in the order of the released versions. For example, you cannot upgrade cases from FTK 4.1 or earlier directly to FTK 5.x. You must f...
  • Whenever possible, install FTK on a physical system. Due to performance, AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.
  • Oracle 10g is not compatible with Windows 8.
  • If you are using Oracle, when you first launch FTK and add the database, when you select to use Oracle, you must change the Oracle SID from ADG to FTK2.
  • To install the KFF server, you must have admin privileges. Otherwise, you get the following error:
  • You may need to adjust the KFF Server thread counts in order for KFF to complete processing.
  • The Exporting Emails to PST feature requires that you have either Microsoft Outlook or the Microsoft Collaboration Data Objects (CDO) installed on the same computer as the processing engine.
  • AccessData recommends that, whenever possible, you not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML web pages or binar...
  • If using PostgreSQL, please note the following:
  • It is strongly recommended that you configure your antivirus to exclude the database (PostgreSQL, Oracle database, Microsoft SQL) AD temp, source images/loose files, and case folders for performance and data integrity.
  • When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a numb...
  • If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)
  • If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the “Process Manually Carved Items” option in the Evidence drop-down menu to process the ...
• 5.0.1 New and Improved
  • Evidence Processing
    • The time to perform Static Ram and Memory analysis has been improved.
    • The time to perform Field Mode processing jobs has been improved.
    • The time to perform Remote Preview jobs has been improved.
  • Internet Artifacts
    • After expanding compound SQLITE files, such as Google Chrome internet history, you can now view the HTML-rendered index within the table. You can also view the structure of the database itself on the Explore tab.
  • KFF
    • Updated KFF Server
  • DNA
    • There is a new module for DNA (Distributed Network Attack) 7.2 that provides support for RAR 5.0 files.
  • Add on Module Enhancements
• Fixed Issues in 5.0.1
  • Decryption
    • Fixed an issue that prevented the decryption of S/MIME encrypted messages from a PST. The option to decrypt S/MIME files under Tools > Decrypt Files is now available. (21684)
    • Fixed an issue that prevented the decryption of Credant files and not displaying an error. (26316)
  • Search
    • Fixed an issue that sometimes caused slow results when running an indexed search. (25584).
    • Fixed an issue that caused the item numbers in exported search results (CSV file) to not match the object numbers in the application. (26304)
    • Fixed an issue that sometimes caused a slow response when expanding and retracting search options. (15156)
  • Processing
    • When running Additional Analysis and selecting Explicit Image Detection, the required option of File Signature Analysis is now automatically selected as well. (26749)
    • Fixed an issued that caused Facebook JSON files from being listed in the Overview tab under Unknown Types\Unknown. They are now listed under Other Known Types in a JSON file category. (26824)
  • Reports
    • Fixed an issue that when generating a Timeline Report, the forward slashes did not appear correctly in Excel (25596).
  • Filters
    • Fixed an issue that caused an error [Missing string: 11611] when creating a filter using the Language filter. (24992).
    • Fixed an issue that caused filtering to sometimes not work properly when attempting to exclude non- English files. (24942)
    • Fixed an issue that caused an edited custom filter to not save when the filter referred to other filters. (26747)
    • Fixed an issue that caused a Label filter to filter out all files rather than the ones that were labeled. (27793)
    • Fixed an issue that caused rules to sometimes not work properly in filters causing files to be listed that were not expected. (29505)
  • KFF
    • Fixed an issue that caused KFF groups to sometimes not function properly after uninstalling and re- installing KFF data. (23522)
    • Fixed an issue that caused FTK to become unresponsive if the KFF server was stopped and Additional Analysis was run with KFF selected. (24027)
    • Fixed an issue that sometimes caused an Error 22 to be returned when importing a KFF or XML file. (24129)
    • Fixed an issue that sometimes caused the following error when installing the KFF Server on XP computers: "Error 1920. Service AccessData KFF Server (ad_kff) failed to start. Verify that you have sufficient privileges to start system services." (25290)
    • Fixed an issue that sometimes caused the default KFF group from being used when processing rather than the selected group. (28434)
    • Fixed an issue that sometimes caused a “Failure on item...Could not perform KFF lookup on object” error. (26645)
  • Agent
    • Fixed an issue that when adding remote data (Image Drive) using the Temporary Agent, the agent sometimes failed. (27692)
  • Other
    • Fixed an issue that caused the UI to be very slow when expanding the Explore tab when there are many disk images in the case. (28891)
    • When managing column settings, fixed an error that sometimes caused duplicate column names to appear. (23820)
    • In the column settings dialog, the columns associated with PhotoDNA now have descriptions (23719).
    • Fixed an issue that prevented the scroll bar to appear in the Administer User page. (24154)
    • Fixed an issue that sometimes caused errors when importing multiple carvers files. (23720)
    • Fixed an issue that if the case folder was manually deleted or moved during the time that the case was created, it caused the interface to hang. (21587)
    • Fixed an issue that sometimes an occurred when closing FTK on Windows XP computers and getting a message that ‘it encountered a problem and needs to close’. (25739)
    • When running in evaluation mode, the product title bar now displays “Evaluation Version” at the end of the title. (26997)
    • All items assigned to the OLE Storage category now have a folder icon instead of a light bulb icon. (26626)
    • In the column settings dialog, the columns associated with PhotoDNA now have descriptions (23719).
    • Fixed an issue that caused inconsistent counts when enumerating NTFS file systems with additional threading (24868)
• Known Issues in 5.0.1
  • Rights and Permissions
    • If you only have one user account with the Application Administrator role, and you change that user’s role, you no longer have a user with Application Administrator rights. The application does not prevent or warn you that there is not another admi...
  • Decryption
    • When running an environment that has Microsoft RMS and that has Outlook on it, and you restrict emails, Outlook emails cannot be decrypted. (25505)
    • When running an environment that has Microsoft RMS, and you restrict Office documents, they cannot be decrypted. (25608)
    • When using the Decrypt Credant Files processing option, Credant files may not get decrypted. If using the Tools > Credant Decryption option in the Examiner, decryption works properly. (24443)
    • Clicking on a file in the Examiner that is encrypted with Credant may cause the Examiner to crash. (26492)
    • When using Distributed Network Attack (DNA), if more than one job is running, and if you delete one job and then re-add it, the job that was not deleted and re-added is placed in a queued status and you must manually pause and resume the job for it t...
    • EFS encrypted files cannot be decrypted using the Perform Automatic Decryption option during processing. Instead, you must use the Tools > Decrypt Files option in the Examiner. (26665)
  • Processing
    • Selecting the Expand Compound Files > RFC822 Internet Email option does not expand internet mail files. (25606)
    • The Fuzzy Hash feature is not reporting correct data. (24883)
    • When performing Additional Analysis, the Registry Reports option requires that File Signature Analysis also be selected. It is not automatically selected and you must select manually in order to generate the reports. (27001)
  • Search
    • If using Oracle as the database, and if you apply over 100 individual index searches, additional files are not displayed in the list. Then if you apply any filter and then attempt to export all the hits in file, the dialogue box will not appear for t...
  • Internet Artifacts
    • If the full_path column is missing in the Chrome History SQLite file, you are unable to view data in the Natural view or drill down into the History file. (26433)
  • Reports
    • When creating reports using the File Category, File Extension, or File Status categories, you are unable to generate the report in the following formats: RTF, WML, DOCX, and ODT. You will get a Format Transformation error. (26294)
  • Agent
    • When adding remote data (Image Drive) using the Temporary Agent, and then trying to cancel the job, the cancel buttons turn inactive (for both the Creating Image and the Verifying Image tasks). Then when trying to exit FTK, you may get the error mess...
    • If you attempt to install the FTK Temporary Agent and you specify an invalid IP address, you get a Server Busy error and you cannot cancel it. You must restart FTK. (27648)
  • KFF
    • When a connection with the KFF Server is lost, and then trying to add evidence to a case, you may get an error that the evidence cannot be processed. (27909)
  • Internet Carvers
    • The following carvers that were added in FTK 5.0 are not available in the Processing Options. (28169)
  • Other
    • The language identification feature may sometimes mis-identify languages when they are similar. For example, Italian may be mistaken for Spanish and Dutch for German. (21872).
    • When configuring Additional Analysis, if you select a tab, then press escape, the tap display goes blank. Click another tab and the view is restored. (27688)
    • From the File > Reports page, if you click a tree item and then press escape, the tree view goes blank. You must restart Examiner. (27689)
    • When creating a new filter, the Zip Code property is not recognized. (26278)
• Release Notes for Add-on Modules
  • 5.0.1 Release Notes for the Cerberus Add-on
    • 5.0 Release Notes for the Cerberus Add-on (page 20)
    • Avast Antivirus is flagged as a threat. (20938)
• Where to get more information
• Comments?
• Introduction
• Important Information
  • FTK does not support skipping versions when you upgrade cases from previous major or minor versions. You must upgrade in the order of the released versions. For example, you cannot upgrade cases from FTK 4.1 or earlier directly to FTK 5.0. You must f...
  • Whenever possible, install FTK on a physical system. Due to performance, AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.
  • If you are using Oracle, when you first launch FTK and add the database, when you select to use Oracle, you must change the Oracle SID from ADG to FTK2.
  • To install the KFF server, you must have admin privileges. Otherwise, you get the following error:
  • You may need to adjust the KFF Server thread counts in order for KFF to complete processing.
  • The Exporting Emails to PST feature requires that you have either Microsoft Outlook or the Microsoft Collaboration Data Objects (CDO) installed on the same computer as the processing engine.
  • AccessData recommends that, whenever possible, you not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML web pages or binar...
  • It is strongly recommended that you configure your antivirus to exclude the database (PostgreSQL, Oracle database, Microsoft SQL) AD temp, source images/loose files, and case folders for performance and data integrity.
  • When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a numb...
  • If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)
  • If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the “Process Manually Carved Items” option in the Evidence drop-down menu to process the ...
• 5.0 New and Improved
  • Evidence Processing
    • Processing Profiles
    • New internet artifact carvers
    • Ability to add CSV as individual records to support timeline analysis
  • Visualization
    • Visualization is now a standard feature
    • New Social Analyzer II Visualization
    • Screenshot support for Visualization
  • Mobile Phone Examiner Plus (MPE+)
    • 30-day evaluation license of MPE+
    • One year of MPE+ Essentials
  • Explicit Image Detection
    • Explicit Image Detection is now a standard feature
  • File Decryption
    • Decrypt files during processing with a password list
    • Integration with Password Recovery Toolkit (PRTK) and Distributed Network Attack (DNA) for password recovery
    • Integration with Password Recovery Toolkit (PRTK) for enhanced file decryption
    • Enhanced Bitlocker Support
  • Reports
    • Timeline support for bookmarked items in reports
  • Internet Artifacts
    • Google Chrome internet artifacts enhancements
    • New Internet/Chat Tab
    • Renamed Mozilla folder
  • KFF
    • Updated KFF NSRL 2.40 library
    • Updated KFF Server
  • Media Investigation
    • Microsoft PhotoDNA Integration
  • Imager
    • Destination Spanning
    • Enhanced Features for Command-line Imager
  • Database Compatibility with Summation 5.0 and eDiscovery 5.0
    • Open a case
    • Backup and restore a case
    • Add and remove evidence
    • Perform Additional Analysis
    • Search and Index data
    • Export data
  • Other
    • Enhanced Vista /Windows 7 Recycle bin parsing
    • Automated Language Identification
    • Modified Additional Analysis page
    • Agent Data Acquisition
  • Add on Module Enhancements
• Fixed Issues in 5.0
  • Export
    • Fixed an issue that caused the “'Export messages from email archives to PST” feature to fail. (15196)
    • Fixed an issue that when you decrypted a file, and then exported it to an image, if you processed that image, the file was not decrypted. The exported file is now viewable. (17319)
    • Fixed an issue that prevented an NSF file from being exported to a PST file. (11580)
    • Fixed an issue that when exporting an AOL Email Archive (PFC) file, either as individual emails (MSG) or the entire archive (PST) the resulting emails did not contain the FROM: field data. (20340)
  • Processing
    • Fixed an issue that caused some processing information to not be stored in the jobinformation.log. (17532)
    • Fixed an issue that caused processing to sometimes fail when the Indexing processing option was enabled and you added data with SWF files. (15746)
    • Fixed an issue that if using OCR and selecting the B&W and Grayscale option, and then setting the Filter to OCR Graphics, the File List pane may display graphics with color. (13140)
  • Visualization
    • Fixed an issue that caused the Traffic Details in Email Visualization to sometimes show all Sent and Received mail as the total count for Received Mail. (17657)
    • Fixed an issue that sometimes caused the Visualization pane to be become unresponsive when changing the Timeline date from Created to Modified. (15171, 21964)
    • Fixed an issue that may cause the Visualization pane to be become unresponsive when launching the Social Analyzer if there was no data in the Timespan bar. Now, if no data is available, the Social Analyzer button is deactivated. (22174)
    • Fixed an issue that caused the Timeline to change when switching from the Created to Modified file values. (22598)
    • Fixed an issue that caused the Row Highlighting to not work correctly in some circumstances. (11589)
    • Fixed an issue that caused the email traffic details to sometimes not display properly. (22504)
  • Bookmarks
    • Fixed an issue that when deleting a file from a bookmark, you were prompted to confirm the deletion a second time, and regardless of your response, the file was deleted. This issue only occurred when using Microsoft SQL Server for the database. (18215)
  • Search
    • Fixed an issue that prevented the “Limit Search Hits” from working correctly when doing an Index Search. (14619)
    • Fixed an issue that when performing a Live Search, if you clicked Remove more than once, it would clear the whole list. (14896)
  • KFF
    • Fixed an issue that caused an “Error 1721” when uninstalling NSRL data after stopping or uninstalling the KFF Server. (17617)
    • Fixed an issue that caused the KFF Server to not restart after uninstalling NDIC data. (18122)
    • Fixed an issue that when the 64-bit KFF Server was installed, it was installed to the Program Files (x86). instead of the normal Program Files folder. (22022)
    • Fixed an issue that after uninstalling the KFF Server and trying to uninstall the KFF Data, an Error 1721 was returned and you could not uninstall the data. (13920)
    • You no longer need to perform a manual reboot of the computer after installing the KFF Server on 64-bit computers. (15000)
    • Fixed an issue that when uninstalling the KFF server, the service was not removed. (7279)
  • Other
    • Fixed an issue that caused the Codemeter installation to fail on Windows 8 computers. (68531)
    • Fixed an issue that prevented you from viewing deleted emails in a PST. (21582)
    • When adding live evidence (files or folders) through Evidence Processing, if it encountered a file that it could not open, there was no error recorded in a log and a 0-byte file was added to the case. An error is now displayed and the error gets repo...
    • Fixed an issue that caused the tree view to not work correctly if graphic thumbnails were dragged off the dock of the Graphics tab. (23359)
• Known Issues in 5.0
  • When doing a live search with multiple Chinese characters, no results are found. (9471)
  • You can only get unicode search results when using Live Search and not dtSearch. (15338)
  • Links to files in a PDF report do not open if Japanese characters are in the file name. The link does work in HTML reports. (22936)
  • When creating a report in ODT format, the page numbers display as 0. If you do a page preview, the page numbers will be generated. (22952)
  • Some information is not saved in processing profiles. (21000)
  • When performing data carving, you may get different results when done during Additional Analysis versus processing when adding evidence. This is because during processing when adding evidence, the thumb.db files are included whereas when using Additi...
  • You cannot import .HASH files. (16520, 21671)
  • When you import an XML or KFF file, the import will be successful but you may see the following error:
  • The version numbers of installed KFF libraries are not displayed in the KFF Manager. (13650)
  • When decrypting files from the Tools > Decrypt Files page, the decryption progress dialog appears briefly then closes. (23234)
  • When viewing large amounts of email data in Visualization and adjusting the range of data, the display may take some time to refresh the data. (21881)
  • FTK may not launch correctly if installed on Windows Server 2008 R2 or Server 2003 R2 if you also have Adobe Acrobat installed. You may get an error: "The application failed to initialize properly (0xc00000142)”. (19148)
  • When exporting emails to a PST and using the 'Preserve file structure' option selected, some emails may not display in Outlook. (19086)
  • CIRT job names are only viewable in FTK by node.
  • Computer software inventory data from a CIRT job does not display when the case is viewed in FTK. (15818)
  • FTK does not recognize CIRT users who log into CIRT using Windows authentication. To use a CIRT user in FTK, you must create the user account in CIRT and grant the user the permissions that you want them to have in FTK. (15813)
  • The same documents may be displayed differently in the Natural Views of each product. (23084)
  • The search results counts for the same case may be different when viewed in the different products due to the way search options are executed in the respective products. (23005)
  • If using Summation or eDiscovery to add evidence to a case that was created in FTK, search does not return results from the new data. (23006) You can do one of the following as a workaround for this issue:
  • If using Summation or eDiscovery to add evidence to a case that was created in FTK, the Processing and Indexing counts may be different due to different processing options. (22945)
  • Attempting to view an FTK case in Summation or eDiscovery may sometimes cause an exception error message. (22947)
  • The processing options applied to a case are different from which ever product the case is created in. For example, you may create a case in eDiscovery, process the evidence, and then add more evidence using FTK. If you compare the JobInformation.log...
  • If you create a case and include a period at the end of the case name, and then add remote data, no data is shown in the Volatile tab. (17838)
• Release Notes for Add-on Modules
  • 5.0 Release Notes for the Cerberus Add-on
    • Avast Antivirus is flagged as a threat. (20938)
• Where to get more information
• Comments?