FTK User Guide (AccessData Forensic Toolkit 5.3.3 / 5.3.4 / 5.3.7 / 5.3.8)
2015-04-22
- AccessData Legal and Contact Information
- Table of Contents
- Introducing Forensic Toolkit® (FTK®)
- Administrating Forensic Toolkit® (FTK®)
- Case Management
- Introducing Case Management
- Creating and Configuring New Cases
- Creating a Case
- Configuring Detailed Options for a Case
- Evidence Processing Options
- Expanding Compound Files
- Using dtSearch Text Indexing
- Configuring Case Indexing Options
- Data Carving
- Running Optical Character Recognition (OCR)
- Using Explicit Image Detection
- Including Registry Reports
- Send Email Alert on Job Completion
- Custom File Identification Options
- Creating Custom File Identifiers
- Configuring Evidence Refinement (Advanced) Options
- Refining Evidence by File Status/Type
- Selecting Index Refinement (Advanced) Options
- Selecting Lab/eDiscovery Options
- Adding Evidence to a New Case
- Managing Case Data
- Working with Evidence Image Files
- Working with Static Evidence
- Working with Live Evidence
- Types of Live Evidence
- Adding Local Live Evidence
- Methods of Adding Remote Live Evidence
- Adding Evidence with the Temporary Agent
- Adding Data with the Enterprise Agent
- Methods of Deploying the Enterprise Agent
- Creating Self-signed Certificates for Agent Deployment
- Configuring Communication Settings for the Enterprise Agent Push
- Pushing the Enterprise Agent
- Removing the Enterprise Agent
- Connecting to an Enterprise Agent
- Adding Remote Data with the Enterprise Agent
- Acquiring Drive Data
- Acquiring RAM Data
- Importing Memory Dumps
- Unmounting an Agent Drive or Device
- Filtering Data to Locate Evidence
- Working with Labels
- Decrypting Files
- About the Encrypted File Passwords List
- Identifying the Encrypted Files in a Case
- Using PRTK/DNA Integration
- Recovering Unknown Passwords of Encrypted Files
- Decrypting Other Encryption Types
- Decrypting EFS
- Decrypting Microsoft Office Digital Rights Management (DRM) Protected Files
- Decrypting Lotus Notes Files
- Decrypting S/MIME Files
- Decrypting Credant Files
- Decrypting Bitlocker Partitions
- Decrypting Safeguard Utimaco Files
- Decrypting SafeBoot Files
- Decrypting Guardian Edge Files
- Decrypting an Image Encrypted With PGP® WDE
- Viewing Decrypted Files
- Exporting Data from the Examiner
- About Cerberus Malware Analysis
- About Cerberus Score Weighting
- About Cerberus Override Scores
- About Cerberus Threat Score Reports
- Cerberus Stage 1 Threat Scores
- Cerberus Stage 1 File Information
- About Cerberus Stage 2 Static Analysis
- About Cerberus Stage 2 Report Data
- Cerberus Stage 2 Function Call Data
- File Access Call Categories
- Networking Functionality Call Categories
- Process Manipulation Call Categories
- Security Access Call Categories
- Windows Registry Call Categories
- Surveillance Call Categories
- Uses Cryptography Call Categories
- Low-level Access Call Categories
- Loads a driver Call Categories
- Subverts API Call Categories
- Running Cerberus Malware Analysis
- Reviewing Cases
- Using the Examiner Interface
- Exploring Evidence
- Examining Evidence in the Overview Tab
- Examining Email
- Examining Graphics
- Examining Videos
- Examining Miscellaneous Evidence
- Identifying Processing-Generated Data
- Viewing Windows Prefetch Data
- Viewing IIS Log File Data
- Viewing Registry Timeline Data
- Viewing Log2Timeline CSV File Data
- Identifying Document Languages
- Examining Internet Artifact Data
- Performing Cluster Analysis
- Bookmarking Evidence
- Searching Evidence with Live Search
- Searching Evidence with Index Search
- Conducting an Index Search
- Using Search Terms
- Defining Search Criteria
- Selecting Index Search Options
- Using dtSearch Regular Expressions
- Documenting Search Results
- Using Copy Special to Document Search Results
- Bookmarking Search Results
- Examining Volatile Data
- Using Visualization
- Using Visualization Heatmap
- Using Visualization Social Analyzer
- Using Visualization Geolocation
- Customizing the Examiner Interface
- Working with Evidence Reports
- Creating a Case Report
- Adding Case Information to a Report
- Adding Bookmarks to a Report
- Adding Graphics Thumbnails and Files to a Report
- Adding a Video to a Report
- Adding a File Path List to a Report
- Adding a File Properties List to a Report
- Adding Registry Selections to a Report
- Adding Screen Captures from Examiner
- Selecting the Report Output Options
- Modifying a Report
- Writing a Report to CD or DVD
- Reference
- Using the Known File Filter (KFF)
- About KFF Components
- Process for Using KFF
- Configuring KFF Data
- Configuring KFF Templates for Use in Cases
- Enabling KFF for a Case
- Reviewing KFF Results in a Case
- Viewing KFF Import Data Logs
- Installing KFF
- Working with Windows Registry Evidence
- Supported File Systems and Drive Image Formats
- Recovering Deleted Material
- Managing Security Devices and Licenses
- Configuring for Backup and Restore
- AccessData Distributed Processing
- AccessData Oradjuster
- Installing the Windows Agent
- Installing the Unix / Linux Agent
- Installing the Mac Agent
- Using the Known File Filter (KFF)
AccessData
Forensic Toolkit
User Guide
AccessData Legal and Contact Information | 2
AccessData Legal and Contact Information
Document date: May 9, 2014
Legal Information
©2014 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
AccessData Group, Inc. makes no representations or warranties with respect to the contents or use of this
documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. Further, AccessData Group, Inc. reserves the right to revise this publication and to make
changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, AccessData Group, Inc. makes no representations or warranties with respect to any software, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, AccessData Group, Inc. reserves the right to make changes to any and all parts of AccessData
software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without
limitation, U.S. export regulations or the laws of the country in which you reside.
AccessData Group, Inc.
588 W. 400 S.
Suite 350
Lindon, Utah 84042
U.S.A.
www.accessdata.com
AccessData Trademarks and Copyright Information
- AccessData® is a registered trademark of AccessData Group, Inc.
- AD InSight® is a registered trademark of AccessData Group, Inc.
- AD Summation is a registered trademark of AccessData Group, Inc.
- Distributed Network Attack® is a registered trademark of AccessData Group, Inc.
- DNA® is a registered trademark of AccessData Group, Inc.
- Forensic Toolkit® is a registered trademark of AccessData Group, Inc.
- FTK® is a registered trademark of AccessData Group, Inc.
- Password Recovery Toolkit® is a registered trademark of AccessData Group, Inc.
- PRTK® is a registered trademark of AccessData Group, Inc.
- Registry Viewer® is a registered trademark of AccessData Group, Inc.
A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. With few exceptions, and
unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner
spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark
and copyright holders. AccessData claims no responsibility for the function or performance of third-party
products.
Third party acknowledgements:
- FreeBSD® Copyright 1992-2011. The FreeBSD Project.
- AFF® and AFFLIB® Copyright © 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology Corp. All rights reserved.
- Copyright © 2005 - 2009 Ayende Rahien
BSD License: Copyright (c) 2009-2011, Andriy Syrov. All rights reserved. Redistribution and use in source and
binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer; Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution; Neither the
name of Andriy Syrov nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE
COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
WordNet License
This license is available as the file LICENSE in any downloaded version of WordNet.
WordNet 3.0 license: (Download)
WordNet Release 3.0 This software and database is being provided to you, the LICENSEE, by Princeton
University under the following license. By obtaining, using and/or copying this software and database, you agree
that you have read, understood, and will comply with these terms and conditions.: Permission to use, copy,
modify and distribute this software and database and its documentation for any purpose and without fee or
royalty is hereby granted, provided that you agree to comply with the following copyright notice and statements,
including the disclaimer, and that the same appear on ALL copies of the software, database and documentation,
including modifications that you make for internal use or for distribution. WordNet 3.0 Copyright 2006 by
Princeton University. All rights reserved. THIS SOFTWARE AND DATABASE IS PROVIDED "AS IS" AND
PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY
WAY OF EXAMPLE, BUT NOT LIMITATION, PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE
USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD
PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. The name of Princeton University or
Princeton may not be used in advertising or publicity pertaining to distribution of the software and/or database.
Title to copyright in this software, database and any associated documentation shall at all times remain with
Princeton University and LICENSEE agrees to preserve same.
Documentation Conventions
In AccessData documentation, a number of text variations are used to indicate meanings or actions. For
example, a greater-than symbol (>) is used to separate actions within a step. Where an entry must be typed in
using the keyboard, the variable data is set apart using [variable_data] format. Steps that require the user to
click on a button or icon are indicated by Bolded text. This Italic font indicates a label or non-interactive item in
the user interface.
A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. Unless otherwise notated, all
third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product
name. Third-party trademarks and copyrights are the property of the trademark and copyright holders.
AccessData claims no responsibility for the function or performance of third-party products.
Registration
The AccessData product registration is done at AccessData after a purchase is made, and before the product is
shipped. The licenses are bound to either a USB security device, or a Virtual CmStick, according to your
purchase.
Subscriptions
AccessData provides a one-year licensing subscription with all new product purchases. The subscription allows
you to access technical support, and to download and install the latest releases for your licensed products during
the active license period.
Following the initial licensing period, a subscription renewal is required annually for continued support and for
updating your products. You can renew your subscriptions through your AccessData Sales Representative.
Use License Manager to view your current registration information, to check for product updates and to
download the latest product versions, where they are available for download. You can also visit our web site,
www.accessdata.com anytime to find the latest releases of our products.
For more information, see Managing Licenses in your product manual or on the AccessData website.
AccessData Contact Information
Your AccessData Sales Representative is your main contact with AccessData. Also, listed below are the general
AccessData telephone number and mailing address, and telephone numbers for contacting individual
departments.
Mailing Address and General Phone Numbers
You can contact AccessData in the following ways:
Technical Support
Free technical support is available on all currently licensed AccessData products.
You can contact AccessData Customer and Technical Support in the following ways:
AccessData Mailing Address, Hours, and Department Phone Numbers
Corporate Headquarters: AccessData Group, Inc.
588 W. 400 S.
Suite 350
Lindon, UT 84042 USA
Voice: 801.377.5410; Fax: 801.377.5426
General Corporate Hours: Monday through Friday, 8:00 AM – 5:00 PM (MST)
AccessData is closed on US Federal Holidays
State and Local Law Enforcement Sales: Voice: 800.574.5199, option 1; Fax: 801.765.4370
Email: Sales@AccessData.com
Federal Sales: Voice: 800.574.5199, option 2; Fax: 801.765.4370
Email: Sales@AccessData.com
Corporate Sales: Voice: 801.377.5410, option 3; Fax: 801.765.4370
Email: Sales@AccessData.com
Training: Voice: 801.377.5410, option 6; Fax: 801.765.4370
Email: Training@AccessData.com
Accounting: Voice: 801.377.5410, option 4
AD Customer & Technical Support Contact Information
AD Summation and AD eDiscovery (Americas/Asia-Pacific): 800.786.8369 (North America); 801.377.5410, option 5; Email: legalsupport@accessdata.com
AD iBlaze and Enterprise (Americas/Asia-Pacific): 800.786.2778 (North America); 801.377.5410, option 5; Email: support@summation.com
All other AD products (Americas/Asia-Pacific): 800.658.5199 (North America); 801.377.5410, option 5; Email: support@accessdata.com
AD International Support (Europe/Middle East/Africa): +44 (0) 207 010 7817 (United Kingdom); Email: emeasupport@accessdata.com
Documentation
Please email AccessData regarding any typos, inaccuracies, or other problems you find with the documentation:
documentation@accessdata.com
Professional Services
The AccessData Professional Services staff comes with a varied and extensive background in digital
investigations including law enforcement, counter-intelligence, and corporate security. Their collective
experience in working with both government and commercial entities, as well as in providing expert testimony,
enables them to provide a full range of computer forensic and eDiscovery services.
At this time, Professional Services provides support for sales, installation, training, and utilization of FTK, FTK
Pro, Enterprise, eDiscovery, and Lab. They can help you resolve any questions or problems you may have
regarding these products.
Contact Information for Professional Services
Contact AccessData Professional Services in the following ways:
Hours of Support: Americas/Asia-Pacific: Monday through Friday, 6:00 AM – 6:00 PM (PST), except corporate holidays.
Europe/Middle East/Africa: Monday through Friday, 8:00 AM – 5:00 PM (UK-London), except corporate holidays.
Web Site: http://www.accessdata.com/support/technical-customer-support
The Support website allows access to Discussion Forums, Downloads, Previous
Releases, our Knowledge base, a way to submit and track your “trouble tickets”, and
in-depth contact information.
AccessData Professional Services Contact Information
Phone: Washington DC: 410.703.9237; North America: 801.377.5410; North America Toll Free: 800-489-5199, option 7; International: +1.801.377.5410
Email: adservices@accessdata.com
Table of Contents | 7
Table of Contents
AccessData Legal and Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Part 1: Introducing Forensic Toolkit® (FTK®) . . . . . . . . . . . . . . . . . . . . . . . . 22
Chapter 1: Introducing AccessData® Forensic Toolkit® (FTK®) . . . . . . . . . . . . . . . . . . . . . . 23
Overview of Investigating Digital Evidence. . . . . . . . . . . . . . . . . . . . . . . . . 23
About Acquiring Digital Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Types of Digital Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Acquiring Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
About Examining Digital Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
About Managing Cases and Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
What You Can Do With the Examiner . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
About Indexing and Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
About the Known File Filter Database . . . . . . . . . . . . . . . . . . . . . . . . . 27
About Searching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
About Bookmarking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
About Presenting Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Chapter 2: Getting Started with the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Part 2: Administrating Forensic Toolkit® (FTK®) . . . . . . . . . . . . . . . . . . . . . 31
Chapter 3: Application Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Creating an Application Administrator Account . . . . . . . . . . . . . . . . . . . . . . 33
Changing Your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Recovering a Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Creating a Password Reset File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Resetting your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Setting Database Preferences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Managing Database Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Optimizing the Database for Large Cases . . . . . . . . . . . . . . . . . . . . . . . . . 35
Managing Shared KFF Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Recovering and Deleting Processing Jobs. . . . . . . . . . . . . . . . . . . . . . . . . 36
Restoring an Image to a Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Database Integration with other AccessData Products . . . . . . . . . . . . . . . . . 37
Adding New Users to a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
About Assigning Roles to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Assigning Initial Database-level Roles to Users. . . . . . . . . . . . . . . . . . . . 39
Assigning Additional Case-level Roles to Users . . . . . . . . . . . . . . . . . . . 39
Restrictions to the Case Reviewer Role . . . . . . . . . . . . . . . . . . . . . . . . . . 40
About Assigning Permissions to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Assigning Users Shared Label Visibility. . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Setting Additional Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Choosing a Temporary File Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Providing a Network Security Device Location . . . . . . . . . . . . . . . . . . . . 42
Setting Theme Preferences for the Visualization Add on . . . . . . . . . . . . . . 42
Optimizing the Case Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Managing Global Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Managing Shared Custom Carvers . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Managing Custom Identifiers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Managing Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Managing File Extension Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Managing Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Part 3: Case Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Chapter 4: Introducing Case Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
About Case Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
The User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
About the Cases List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Menus of the Case Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Menus of the Examiner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Chapter 5: Creating and Configuring New Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Opening an Existing Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Creating a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configuring Detailed Options for a Case . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configuring Evidence Processing Options. . . . . . . . . . . . . . . . . . . . . . . 70
About Processing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configuring Default Processing Options for a Case . . . . . . . . . . . . . . . . . 71
Using Processing Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Manually Customizing a set of Detailed Options . . . . . . . . . . . . . . . . . . . 75
Evidence Processing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Expanding Compound Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Using dtSearch Text Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Configuring Case Indexing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Data Carving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Running Optical Character Recognition (OCR) . . . . . . . . . . . . . . . . . . . . 89
Using Explicit Image Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Including Registry Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Send Email Alert on Job Completion . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Custom File Identification Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Creating Custom File Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Configuring Evidence Refinement (Advanced) Options . . . . . . . . . . . . . . . 94
Refining Evidence by File Status/Type . . . . . . . . . . . . . . . . . . . . . . . . . 94
Selecting Index Refinement (Advanced) Options. . . . . . . . . . . . . . . . . . . 96
Selecting Lab/eDiscovery Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Adding Evidence to a New Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Working with Volume Shadow Copies . . . . . . . . . . . . . . . . . . . . . . . . 100
Converting a Case from Version 2.2 or Newer . . . . . . . . . . . . . . . . . . . . . 100
Chapter 6: Managing Case Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Backing Up a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Performing a Backup and Restore on a Two-Box Installation. . . . . . . . . . . 101
Performing a Backup of a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Archiving a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Archiving and Detaching a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Attaching a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Restoring a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Deleting a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Storing Case Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Migrating Cases Between Database Types . . . . . . . . . . . . . . . . . . . . . . . 106
Chapter 7: Working with Evidence Image Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Verifying Drive Image Integrity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Mounting an Image to a Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Benefits of Image Mounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Characteristics of a Logically Mounted Image. . . . . . . . . . . . . . . . . . . . . . 109
Characteristics of a Physically Mounted Image. . . . . . . . . . . . . . . . . . . . . 109
Mounting an Image as Read-Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Mounting a Drive Image as Writable . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Unmounting an Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Restoring an Image to a Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Performing Final Carve Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Recovering Processing Jobs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Chapter 8: Working with Static Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Static Evidence Compared to Remote Evidence . . . . . . . . . . . . . . . . . . . . 113
Acquiring and Preserving Static Evidence . . . . . . . . . . . . . . . . . . . . . . . . 114
Adding Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Working with Evidence Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Selecting Evidence Processing Options . . . . . . . . . . . . . . . . . . . . . . . . . 118
Selecting a Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Examining Data in Volume Shadow Copies . . . . . . . . . . . . . . . . . . . . . . . 120
About Restore Point Processing Options . . . . . . . . . . . . . . . . . . . . . . 121
Managing Restore Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Viewing Restore Point Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Using Additional Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Data Carving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Viewing the Status and Progress of Data Processing and Analysis . . . . . . . . 130
Viewing Processed Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Chapter 9: Working with Live Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
About Live Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Types of Live Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Adding Local Live Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Methods of Adding Remote Live Evidence. . . . . . . . . . . . . . . . . . . . . . . . 135
Requirements for Adding Remote Live Evidence. . . . . . . . . . . . . . . . . . 135
Adding Evidence with the Temporary Agent . . . . . . . . . . . . . . . . . . . . . . . 136
Pushing the Temporary Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Manually Deploying the Temporary Agent . . . . . . . . . . . . . . . . . . . . . . 137
Adding Data with the Enterprise Agent . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Methods of Deploying the Enterprise Agent . . . . . . . . . . . . . . . . . . . . . 138
Creating Self-signed Certificates for Agent Deployment. . . . . . . . . . . . . . 138
Configuring Communication Settings for the Enterprise Agent Push . . . . . . 139
Pushing the Enterprise Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Removing the Enterprise Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Connecting to an Enterprise Agent . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Adding Remote Data with the Enterprise Agent. . . . . . . . . . . . . . . . . . . 141
Acquiring Drive Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Acquiring RAM Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Importing Memory Dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Unmounting an Agent Drive or Device . . . . . . . . . . . . . . . . . . . . . . . . 145
Chapter 10: Filtering Data to Locate Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
About Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Types of Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
What You Can Do with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Understanding How Filters Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Viewing the Components of Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Viewing Details about Attributes that Filters use . . . . . . . . . . . . . . . . . . 149
Using Simple Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Using Global Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Using Tab Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
How Global Filters and Tab Filters can work Together . . . . . . . . . . . . . . . 151
Using Filters with Category Containers. . . . . . . . . . . . . . . . . . . . . . . . 151
Using Filters with Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Viewing the Filters that you have Applied . . . . . . . . . . . . . . . . . . . . . . 152
Using Filtering with Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Adding a Search Filter to a Live Search . . . . . . . . . . . . . . . . . . . . . . . 153
Adding a Search Filter to an Index Search . . . . . . . . . . . . . . . . . . . . . . 153
Using Compound Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Applying Compound Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Using Custom Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
About Nested Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Creating a Custom Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Copying Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Editing a Custom Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Sharing, Importing, and Exporting Filters . . . . . . . . . . . . . . . . . . . . . . . . . 157
Sharing Custom Filters Between Cases . . . . . . . . . . . . . . . . . . . . . . . 157
Importing Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Exporting Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Types of Predefined Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Chapter 11: Working with Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
What You Can Do With Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Creating a Label. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Applying a Label. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Managing Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Managing Label Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Chapter 12: Decrypting Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
About Decrypting Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
About the Encrypted File Passwords List . . . . . . . . . . . . . . . . . . . . . . 169
Identifying the Encrypted Files in a Case . . . . . . . . . . . . . . . . . . . . . . . . . 171
Using PRTK/DNA Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Decrypting Files Using the Automatic Decryption Processing Option . . . . . . 172
Decrypting Files Using Right-Click Auto Decryption . . . . . . . . . . . . . . . . 173
Recovering Unknown Passwords of Encrypted Files . . . . . . . . . . . . . . . . . 174
About Recovering Passwords using the PRTK/DNA Integrated Tool with Examiner . . 174
Recovering Passwords using the PRTK/DNA Integrated Tool . . . . . . . . . . 174
Decrypting Other Encryption Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Decrypting EFS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Decrypting Microsoft Office Digital Rights Management (DRM) Protected Files 177
Decrypting Lotus Notes Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Decrypting S/MIME Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Decrypting Credant Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Decrypting BitLocker Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Decrypting Safeguard Utimaco Files . . . . . . . . . . . . . . . . . . . . . . . . . 182
Decrypting SafeBoot Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Decrypting Guardian Edge Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Decrypting an Image Encrypted With PGP® WDE . . . . . . . . . . . . . . . . . . . . 184
Viewing Decrypted Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Chapter 13: Exporting Data from the Examiner . . . . . . . . . . . . . . . . . . . . . . . 187
Copying Information from the Examiner . . . . . . . . . . . . . . . . . . . . . . . . . 187
Exporting Files to a Native Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Exporting Files to an AD1 Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Exporting an Image to an Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Exporting File List Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Exporting a Word List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Exporting Recycle Bin Index Contents . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Exporting Hashes from a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Exporting Custom Groups from the KFF Library . . . . . . . . . . . . . . . . . . . . 197
Exporting All Hits in a Search to a CSV file . . . . . . . . . . . . . . . . . . . . . . . 198
Exporting Emails to PST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Chapter 14: About Cerberus Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . 200
About Cerberus Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
About Cerberus Stage 1 Threat Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 201
About Cerberus Score Weighting . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
About Cerberus Override Scores . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
About Cerberus Threat Score Reports . . . . . . . . . . . . . . . . . . . . . . . . 202
Cerberus Stage 1 Threat Scores . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Cerberus Stage 1 File Information. . . . . . . . . . . . . . . . . . . . . . . . . . . 206
About Cerberus Stage 2 Static Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . 207
About Cerberus Stage 2 Report Data. . . . . . . . . . . . . . . . . . . . . . . . . 207
Cerberus Stage 2 Function Call Data . . . . . . . . . . . . . . . . . . . . . . . . . 208
File Access Call Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Networking Functionality Call Categories . . . . . . . . . . . . . . . . . . . . . . 211
Process Manipulation Call Categories . . . . . . . . . . . . . . . . . . . . . . . . 213
Security Access Call Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Windows Registry Call Categories . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Surveillance Call Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Uses Cryptography Call Categories. . . . . . . . . . . . . . . . . . . . . . . . . . 215
Low-level Access Call Categories. . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Loads a driver Call Categories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Subverts API Call Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Chapter 15: Running Cerberus Malware Analysis . . . . . . . . . . . . . . . . . . . . . . 217
Running Cerberus Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
About Reviewing Results of Cerberus. . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Cerberus Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Reviewing Results of Cerberus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Using Index Search with Cerberus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Exporting a Cerberus Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Part 4: Reviewing Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Chapter 16: Using the Examiner Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
About the Examiner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Creating Screen Captures in the Examiner . . . . . . . . . . . . . . . . . . . . . . . 225
Chapter 17: Exploring Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Explorer Tree Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
File List Pane. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
The File Content Viewer Pane. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
The Filter Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Using QuickPicks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Caching Data in the File List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Chapter 18: Examining Evidence in the Overview Tab . . . . . . . . . . . . . . . . . . . 244
Using the Overview Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Evidence Groups Container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
File Items Container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
File Extension Container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
File Category Container. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
File Status Container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Chapter 19: Examining Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Using the Email Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Email Status Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Email Archives Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Email Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Chapter 20: Examining Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Using the Graphics Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
The Thumbnails Size Setting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Moving the Thumbnails Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Evaluating Explicit Material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Filtering EID Material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
EID Scoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Using PhotoDNA to Compare Images. . . . . . . . . . . . . . . . . . . . . . . . . . . 256
About Using PhotoDNA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
About the PhotoDNA Library Management Page. . . . . . . . . . . . . . . . . . 256
About the PhotoDNA Processing Option. . . . . . . . . . . . . . . . . . . . . . . 256
About viewing the PhotoDNA results . . . . . . . . . . . . . . . . . . . . . . . . . 257
Configuring a PhotoDNA Library . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Comparing Images to the PhotoDNA Library . . . . . . . . . . . . . . . . . . . . 258
Chapter 21: Examining Videos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Generating Thumbnails for Video Files. . . . . . . . . . . . . . . . . . . . . . . . . . 261
Creating Common Video Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Using the Video Tree Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Using the Video Thumbnails Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Playing a Video from a Video Thumbnail . . . . . . . . . . . . . . . . . . . . . . . . . 265
The Thumbnail Size Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Moving the Thumbnails Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Chapter 22: Examining Miscellaneous Evidence . . . . . . . . . . . . . . . . . . . . . . . 267
Identifying Processing-Generated Data . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Relating Generated Files to Original Files . . . . . . . . . . . . . . . . . . . . . . . . 268
Viewing Windows Prefetch Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Viewing Data in Windows XML Event Log (EVTX) Files . . . . . . . . . . . . . . . 269
About Viewing EVTX Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Viewing IIS Log File Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Viewing Registry Timeline Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Viewing Log2Timeline CSV File Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Identifying Document Languages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Examining Internet Artifact Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
About Extensible Storage Engine (ESE) Databases . . . . . . . . . . . . . . . . 281
About Expanding Google Chrome and IE 9 Data. . . . . . . . . . . . . . . . . . 282
About Expanding Data from Internet Explorer (IE) Version 10 or Later . . . . . 283
Expanding Internet Artifact Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Viewing Internet Artifact Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Performing Cluster Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Viewing Data in Volume Shadow Copies . . . . . . . . . . . . . . . . . . . . . . . . . 288
Chapter 23: Bookmarking Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
About Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
About Timeline Bookmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Creating a Bookmark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Bookmarks Dialog Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Viewing Bookmark Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Creating a Timeline Bookmark Report . . . . . . . . . . . . . . . . . . . . . . . . 295
Using the Bookmarks Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Bookmarking Selected Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Adding to an Existing Bookmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Creating Email or Email Attachment Bookmarks . . . . . . . . . . . . . . . . . . . . 298
Adding Email and Email Attachments to Existing Bookmarks . . . . . . . . . . . 298
Moving a Bookmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Copying a Bookmark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Deleting a Bookmark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Deleting Files from a Bookmark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Chapter 24: Searching Evidence with Live Search . . . . . . . . . . . . . . . . . . . . . . 300
Conducting a Live Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Live Text Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Live Hex Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Live Pattern Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Using Pattern Searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Predefined Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Social Security Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
U.S. Phone Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
IP Address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Creating Custom Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Chapter 25: Searching Evidence with Index Search . . . . . . . . . . . . . . . . . . . . . 311
Conducting an Index Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Using Search Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Expanding Search Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Defining Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Exporting and Importing Index Search Terms . . . . . . . . . . . . . . . . . . . . . . 314
Selecting Index Search Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Viewing Index Search Results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Using dtSearch Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
TR1 Regular Expressions For Text Patterns. . . . . . . . . . . . . . . . . . . . . 317
TR1 Regular Expressions For Number Patterns . . . . . . . . . . . . . . . . . . 321
Documenting Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Using Copy Special to Document Search Results . . . . . . . . . . . . . . . . . . . 324
Bookmarking Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Chapter 26: Examining Volatile Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Using the Volatile Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Understanding Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Viewing Memory Dump Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Viewing Hidden Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Viewing Input/Output Request Packet Data . . . . . . . . . . . . . . . . . . . . . 330
Viewing Virtual Address Descriptor (VAD) Data. . . . . . . . . . . . . . . . . . . 330
Performing File Remediation from the Volatile Tab. . . . . . . . . . . . . . . . . . . 332
Killing a Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Wiping a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Adding Hashes to KFF Library from the Volatile Tab . . . . . . . . . . . . . . . . . 333
Adding Hashes to Fuzzy Hash Library from the Volatile Tab . . . . . . . . . . . . 334
Creating a Memory Dump File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Chapter 27: Using Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
About Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Launching Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
About the Visualization page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
About Visualization Time Line Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
About the Base Time Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Setting the Base Time Line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Changing the View of Visualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Modifying the Bar Chart Displays . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Changing the Theme of Visualization. . . . . . . . . . . . . . . . . . . . . . . . . 341
Visualizing File Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Configuring Visualization File Dates . . . . . . . . . . . . . . . . . . . . . . . . . 342
Visualizing File Extension Distribution . . . . . . . . . . . . . . . . . . . . . . . . 343
Visualizing File Category Distribution . . . . . . . . . . . . . . . . . . . . . . . . . 345
Using the File Data List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Visualizing Email Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Narrowing the Scope with the Email Time Line . . . . . . . . . . . . . . . . . . . 349
Viewing Mail Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Using the Email Details List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
About the Detailed Visualization Time Line . . . . . . . . . . . . . . . . . . . . . . . 355
Using the Detailed Visualization Time Line. . . . . . . . . . . . . . . . . . . . . . . . 356
Understanding How Data is Represented in the Detailed Time Line . . . . . . 356
About Time Bands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Modifying the Time Line Using Time Bands and Zoom . . . . . . . . . . . . . . 359
Understanding How Grouping Works in the Detailed Visualization Time Line . 359
Visualizing Browser History Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Visualizing Other Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Chapter 28: Using Visualization Heatmap . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Chapter 29: Using Visualization Social Analyzer . . . . . . . . . . . . . . . . . . . . . . 364
About Social Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Accessing Social Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Social Analyzer Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Analyzing Email Domains in Visualization . . . . . . . . . . . . . . . . . . . . . . 368
Analyzing Individual Emails in Visualization . . . . . . . . . . . . . . . . . . . . . 368
Chapter 30: Using Visualization Geolocation . . . . . . . . . . . . . . . . . . . . . . . . . 369
About Geolocation Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Geolocation Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Geolocation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Viewing Geolocation EXIF Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Viewing Geolocation IP Locations Data. . . . . . . . . . . . . . . . . . . . . . . . . . 372
Geolocation Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Geolocation Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Using Geolocation Column Templates . . . . . . . . . . . . . . . . . . . . . . . . 378
Geolocation Facets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Chapter 31: Customizing the Examiner Interface . . . . . . . . . . . . . . . . . . . . . . 379
About Customizing the Examiner User Interface . . . . . . . . . . . . . . . . . . . . 379
The Tab Layout Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Moving View Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Creating Custom Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Managing Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Customizing File List Columns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Creating User-Defined Custom Columns for the File List view . . . . . . . . . . 385
Deleting Custom Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Navigating the Available Column Groups . . . . . . . . . . . . . . . . . . . . . . 387
Chapter 32: Working with Evidence Reports . . . . . . . . . . . . . . . . . . . . . . . . . 389
Creating a Case Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Adding Case Information to a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Adding Bookmarks to a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Adding Graphics Thumbnails and Files to a Report . . . . . . . . . . . . . . . . . . 393
Adding a Video to a Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Adding a File Path List to a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Adding a File Properties List to a Report . . . . . . . . . . . . . . . . . . . . . . . . . 396
Adding Registry Selections to a Report . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Adding Screen Captures from Examiner . . . . . . . . . . . . . . . . . . . . . . . . . 398
Selecting the Report Output Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Customizing the Report Graphic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Using Cascading Style Sheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Viewing and Distributing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Modifying a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Exporting and Importing Report Settings . . . . . . . . . . . . . . . . . . . . . . . . . 402
Writing a Report to CD or DVD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Part 5: Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Chapter 33: Using the Known File Filter (KFF) . . . . . . . . . . . . . . . . . . . . . . . . 405
About KFF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
About KFF Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Process for Using KFF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Configuring KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
About the KFF Admin page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Importing KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Manually Configuring KFF Libraries and Hash Sets . . . . . . . . . . . . . . . . 410
Adding and Managing KFF Hashes in a Library . . . . . . . . . . . . . . . . . . 411
Using KFF Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Managing KFF Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Exporting KFF Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Configuring KFF Templates for Use in Cases . . . . . . . . . . . . . . . . . . . . . . 416
About KFF Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Creating KFF Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Managing KFF Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Enabling KFF for a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
About Enabling and Configuring KFF. . . . . . . . . . . . . . . . . . . . . . . . . 418
Enabling and Configuring KFF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Reviewing KFF Results in a Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
About KFF Data Shown in the Item List . . . . . . . . . . . . . . . . . . . . . . . 419
About KFF Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Using the KFF Information Quick Columns . . . . . . . . . . . . . . . . . . . . . 419
Viewing KFF Import Data Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Chapter 34: Installing KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
About KFF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Introduction to the KFF Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Components of KFF Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
About KFF Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
How KFF Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
About the KFF Server and Geolocation . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Installing the KFF Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
About Installing the KFF Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
About the KFF Server Application versions . . . . . . . . . . . . . . . . . . . . . 430
Installing the KFF Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Installing the KFF Server for CIRT2.x. . . . . . . . . . . . . . . . . . . . . . . . . 432
Configuring KFF Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Configuring KFF Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Configuring the Location of the KFF Server . . . . . . . . . . . . . . . . . . . . . 435
Installing Pre-defined KFF Data Libraries. . . . . . . . . . . . . . . . . . . . . . . . . 437
About Installing the NIST NSRL Data. . . . . . . . . . . . . . . . . . . . . . . . . 437
Installing the NSRL Data Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Installing the NDIC Hashkeeper Library . . . . . . . . . . . . . . . . . . . . . . . 438
Installing the DHS Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Installing the Geolocation (GeoIP) Data . . . . . . . . . . . . . . . . . . . . . . . 438
Installing KFF Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
KFF Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
KFF Pre-Defined Hash Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Higher Level KFF Structure and Usage . . . . . . . . . . . . . . . . . . . . . . . 444
Hash Set Categories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Chapter 35: Working with Windows Registry Evidence . . . . . . . . . . . . . . . . . . . 446
Understanding the Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Windows 9x Registry Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Windows NT and Windows 2000 Registry Files . . . . . . . . . . . . . . . . . . 447
Windows XP Registry Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Possible Data Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Additional Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Windows XP Registry Quick Find Chart. . . . . . . . . . . . . . . . . . . . . . . . . . 451
System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
User Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
User Application Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Chapter 36: Supported File Systems and Drive Image Formats . . . . . . . . . . . . . . 454
File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Whole Disk Encrypted Products. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Hard Disk Image Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
CD and DVD Image Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Chapter 37: Recovering Deleted Material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
FAT 12, 16, and 32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
NTFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Ext2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Ext3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
HFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Table of Contents | 20
Chapter 38: Managing Security Devices and Licenses . . . . . . . . . . . . . . . . . . . . 459
Installing and Managing Security Devices . . . . . . . . . . . . . . . . . . . . . . . . 459
Installing LicenseManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Starting LicenseManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Using LicenseManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Updating Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Sending a Dongle Packet File to Support . . . . . . . . . . . . . . . . . . . . . . 470
Virtual CodeMeter Activation Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Setup for Online Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Setting up VCM for Offline Systems. . . . . . . . . . . . . . . . . . . . . . . . . . 473
Creating a Virtual CM-Stick with Server 2003/2008 Enterprise Editions . . . . 473
Additional Instructions for AD Lab WebUI and eDiscovery . . . . . . . . . . . . 474
Virtual CodeMeter FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Network License Server (NLS) Setup Guide. . . . . . . . . . . . . . . . . . . . . . . 477
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Preparation Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Setup Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Network Dongle Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
NLS Server System Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
NLS Client System Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Chapter 39: Configuring for Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . 480
Configuration for a Two-box Backup and Restore . . . . . . . . . . . . . . . . . . . 480
Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Create a Service Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Share the Case Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Configure Database Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Share the Backup Destination Folder. . . . . . . . . . . . . . . . . . . . . . . . . 482
Test the New Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Chapter 40: AccessData Distributed Processing . . . . . . . . . . . . . . . . . . . . . . . . . 484
Distributed Processing Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Installing Distributed Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Configuring Distributed Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Using Distributed Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Checking the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Chapter 41: AccessData Oradjuster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Oradjuster System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
The First Invocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Subsequent Invocations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
One-Box Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Two-Box Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Tuning for Large Memory Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Chapter 42: Installing the Windows Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Manually Installing the Windows Agent . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Preparing the AD Enterprise Agent Certificate . . . . . . . . . . . . . . . . . . . 496
Installing the Agent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Configuring Execname and Servicename Values. . . . . . . . . . . . . . . . . . 499
Using Your Own Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
eDiscovery Additional Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Chapter 43: Installing the Unix / Linux Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Installing The Enterprise Agent on Unix/Linux . . . . . . . . . . . . . . . . . . . . . 503
Supported Platforms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Uninstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Starting the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Stopping the Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Chapter 44: Installing the Mac Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Configuring the AccessData Agent installer . . . . . . . . . . . . . . . . . . . . . . . 505
Bundling a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Configuring the Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Additional Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Installing the Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Uninstalling the Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Part 1
Introducing Forensic Toolkit® (FTK®)
This part contains introductory information about AccessData® Forensic Toolkit® (FTK®) and contains the
following chapters:
-Introducing AccessData® Forensic Toolkit® (FTK®) (page 23)
-Getting Started with the User Interface (page 29)
Chapter 1
Introducing AccessData® Forensic Toolkit® (FTK®)
AccessData® Forensic Toolkit® (FTK®) lets you do thorough computer forensic examinations. It includes
powerful file filtering and search functionality, and access to remote systems on your network.
AccessData forensic investigation software tools help law enforcement officials, corporate security, and IT
professionals access and evaluate the evidentiary value of files, folders, and computers.
This chapter includes the following topics:
-Overview of Investigating Digital Evidence (page 23)
-About Acquiring Digital Evidence (page 24)
-About Examining Digital Evidence (page 25)
-About Managing Cases and Evidence (page 26)
-What You Can Do With the Examiner (page 27)
Overview of Investigating Digital Evidence
This section describes acquiring, preserving, analyzing, presenting, and managing digital evidence and cases.
Forensic digital investigations include the following processes:
-Acquisition
Acquisition involves identifying relevant evidence, securing the evidence, and creating and storing a
forensic image of it.
About Acquiring Digital Evidence (page 24)
-Analysis
Analysis involves creating a case and processing the evidence with tools to properly investigate the
evidence.
About Examining Digital Evidence (page 25)
-Presentation
Presentation involves creating a case report that documents and synthesizes the investigation.
About Presenting Evidence (page 28)
-Management
Management involves maintenance tasks such as backing up, archiving, detaching, attaching, restoring,
and deleting cases and evidence.
About Managing Cases and Evidence (page 26)
About Acquiring Digital Evidence
The admissibility of digital evidence in a court of law can depend on preserving the integrity of the source
data when it is acquired.
When digital evidence is acquired, forensic examiners create clones of the digital evidence to prevent any
possibility of the digital evidence being changed or modified in any way. This acquired duplicate is called a
forensic image. If there is a question about the authenticity of the evidence, the image can be compared to the
original source data to prove or to disprove its reliability.
To create a forensic image, the data must be acquired in a way that ensures that no changes are made to the
original data or to the cloned data. The acquired data must be an exact “bit-by-bit” duplicate of the source
data. You can use AccessData’s Imager tool to acquire exact duplicates of digital evidence.
Preserving the evidence is accomplished both in the method of acquisition and the storage of the acquired data.
Creating an exact replica of the original source is critical in forensic investigations. Keeping that replica safe from
any source of corruption or unauthorized access involves both physical and electronic security. Once a case is
created and the evidence is added to it, the case becomes just as critical. Acquired 001, E01, S01, and AD1
images can be encrypted using AD Encryption.
Types of Digital Evidence
Digital evidence is data such as documents and emails that can be transmitted and stored on electronic media,
such as computer hard drives, mobile phones, and USB devices.
The following are types of digital evidence:
-Static evidence
The data that is imaged before it is added to a case is known as static evidence because it stays the
same. Images can be stored and remain available to the case at all times because the image is an exact
replica of evidence data in a file format.
-Live evidence
Live evidence can be data that is acquired from a machine while it is running. It is often saved to an
image as it is acquired. Sometimes, this is necessary in a field acquisition. Other times, it can be an
original drive or other electronic data source that is attached to the investigation computer. All
connections to the evidence should be made through a hardware write-blocking device. Live evidence
that is attached to the investigation computer must remain connected throughout the entire investigation.
It is best to create an image of any evidence source outside of your network, rather than risk having the
source removed during the course of the investigation.
-Remote evidence
Another type of live evidence is data acquired directly from machines that are connected to your
corporate network. This live evidence is referred to as remote evidence. The process of adding it to your
case for investigation is known as Remote Data Acquisition.
Acquiring Evidence
Some aspects of acquiring evidence are dependent on local or federal law. Be aware of those requirements
before you acquire the evidence. You can utilize static evidence as well as acquire and use live and remote
evidence from computers on your network.
About Acquiring Static Evidence
For digital evidence to be valid, it must be preserved in its original form. The evidence image must be
forensically sound, in other words, identical in every way to the original. The data cannot be modified by the
acquisition method used.
The following tools can do such an acquisition:
-Hardware Acquisition Tools
Duplicate, or clone, disk drives and allow read-only access to the hard drive. They do not necessarily use
a CPU, are self-contained, and are often hand-held.
-Software Acquisition Tools
Create a software duplication of the evidence called a disk image. Imager lets you choose the image file
format, the compression level, and the size of the data segments to use.
Imager is a software acquisition tool. It can quickly preview evidence. If the evidence warrants further
investigation, you can create a forensically sound disk image of the evidence drive or source. It makes a
bit-by-bit duplicate of the media, rendering a forensic disk image identical in every way to the original,
including file slack and allocated or free space.
You should use a write-blocking device when using software acquisition tools. Some operating systems, such as
Windows, make changes to the drive data as they read the data to be imaged.
You can process static evidence, and acquire live data from local network machines for processing. You can also
view and preview evidence on remote drives, including CDs and DVDs.
About Acquiring Live Evidence
You can collect evidence from a live machine when you must. For criminal investigations, it is especially
important to be aware of the data compromises you will face in such a situation; however, sometimes there is no
other choice. One such example is when the suspect drive is encrypted and you must acquire the image in place
while the machine is running. Another example is imaging a RAID array, which must be live to be properly
acquired.
About Acquiring Remote Evidence
You can acquire live evidence from your active networked computers, including information in RAM, and drive
data. In addition, using Remote Drive Management System (RDMS), you can mount any drive through a
mapping and browse its contents, then make a custom image of what you find. This type of evidence is known
as remote evidence because it is not stored on the examiner computer but is within your network.
About Examining Digital Evidence
Analyzing evidence is a process to locate and identify meaningful data to make it available to the appropriate
parties in an easy-to-understand medium.
After you have completed installation and created a case, you can add evidence for analysis. Evidence can
include images of hard drives, floppy drives, CDs and DVDs, portable media such as USB drives, and/or live
(un-imaged) data from any common electronic source.
The data can be hashed and indexed. You can run searches in the index for specific words like names and email
addresses, or you can run live searches.
You can use the Known File Filter (KFF) library to categorize specific information during evidence analysis. The
KFF lets you automatically assign files a status of Alert, Ignore, or Disregard.
About Managing Cases and Evidence
As you work with cases, it is a best practice to back up the cases and the evidence. Backing up evidence files is
as easy as copying them to a secure location on secure media. Backing up cases can be more complicated,
but is equally important in the event of a crash or other catastrophic data loss.
A case backup requires the same amount of drive space as the case itself. This is an important consideration
when planning your network resources for investigations.
Some of the case management features include: Archive, Archive and Detach, and Attach. These features give
you control over your cases.
See Managing Global Features (page 43).
What You Can Do With the Examiner
You can use tab views to locate data such as the following:
-The Overview tab lets you narrow your search to look through specific document types, or to look for
items by status or file extension.
-The Graphics tab lets you quickly scan through thumbnails of the graphics in the case.
-The Email tab lets you view emails and attachments.
As you find items of interest, you can do the following:
-Create, assign, and view labels in a sorted file list view.
-Use searches and filters to find relevant evidence.
-Create bookmarks to easily group the items by topic or keyword, find those items again, and make the
bookmarked items easy to add to reports.
-Export files as necessary for password cracking or decryption, then add the decrypted files back as
evidence.
-Add external, supplemental files to bookmarks that are not otherwise part of the case.
About Indexing and Hashing
During case creation and evidence import, you have the option to create an index of the data and to create hash
numbers of all the files contained in the data.
Indexing is the process of creating an index with a searchable list of the words or strings of characters in a case.
The index instantaneously provides results. However, it is sometimes necessary to use a live search to find
things not contained in the index.
Hashing a file or files refers to the process of using an algorithm to generate a unique value based on a file’s
contents. Hash values are used to verify file integrity and identify duplicate and known files. Known files can be
standard system files that can be ignored in the investigation or they can be files known to contain illicit or
dangerous materials. Ignore and alert statuses provide the investigator with valuable information at a glance.
Three hash functions are available: Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA-1), and Secure
Hash Algorithm 256 (SHA-256).
Typically, individual file hashes (each file is hashed as it is indexed and added to a case) are compared with
a known database of hashes, such as the KFF. However, you can also hash multiple files or a disk image to
verify that the working copy is identical to the original.
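The image-verification step described above (an acquired duplicate compared with the source by hash), as an added example that is not part of this guide and not AccessData Imager code. It hashes a raw image split into numbered segment files (evidence.001, evidence.002, ...) as one contiguous byte stream with the three functions named above, and compares the digests with those recorded from the source media. The source data, the segment layout and the tampered copy are all constructed inside a temporary directory; nothing here reads real evidence.

```python
"""Verify a segmented raw image against source hashes (added illustration)."""
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")   # the three functions the guide lists
CHUNK = 1 << 20                          # 1 MiB reads keep memory flat on large images


def hash_stream(chunks):
    """Feed every chunk to all three hashers in one pass; return hex digests."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def read_chunks(paths):
    """Yield the bytes of each file in order, so split segments hash as one image."""
    for path in paths:
        with open(path, "rb") as f:
            while chunk := f.read(CHUNK):
                yield chunk


def segment_files(first_segment):
    """Return evidence.001, evidence.002, ... sorted by segment number.
    A single-file image simply yields a one-element list."""
    first = Path(first_segment)
    stem = first.name.rsplit(".", 1)[0]
    segments = [p for p in first.parent.iterdir()
                if p.name.startswith(stem + ".") and p.suffix[1:].isdigit()]
    return sorted(segments, key=lambda p: int(p.suffix[1:]))


def verify_image(first_segment, source_hashes):
    """Compare the image's digests with those recorded from the source media.
    Any single mismatch means the working copy is not a faithful duplicate."""
    image_hashes = hash_stream(read_chunks(segment_files(first_segment)))
    mismatched = [a for a in ALGORITHMS if image_hashes[a] != source_hashes[a]]
    return {"verified": not mismatched, "mismatched": mismatched, "image": image_hashes}


def _write_segments(folder, data):
    """Split data into CHUNK-sized segment files named evidence.001, .002, ..."""
    folder.mkdir()
    for i in range(0, len(data), CHUNK):
        (folder / f"evidence.{i // CHUNK + 1:03d}").write_bytes(data[i:i + CHUNK])


def demo():
    """Constructed data: a 3 MiB source, a faithful 3-segment image, and a copy
    with one byte altered in its last segment. Returns both verification results."""
    data = bytes(range(256)) * (3 * 1024 * 1024 // 256)
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "source.bin").write_bytes(data)
        source_hashes = hash_stream(read_chunks([tmp / "source.bin"]))

        _write_segments(tmp / "good", data)
        _write_segments(tmp / "bad", data)
        last = tmp / "bad" / "evidence.003"
        tampered = bytearray(last.read_bytes())
        tampered[-1] ^= 0xFF            # one altered byte is enough to fail every hash
        last.write_bytes(tampered)

        return (verify_image(tmp / "good" / "evidence.001", source_hashes),
                verify_image(tmp / "bad" / "evidence.001", source_hashes))


if __name__ == "__main__":
    good, bad = demo()
    print("faithful image verified:", good["verified"])
    print("tampered image mismatches:", bad["mismatched"])
```

Hashing all three algorithms in a single pass matters on multi-gigabyte images: the read cost dominates, so computing MD5, SHA-1 and SHA-256 together costs little more than computing one of them.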
About the Known File Filter Database
The Known File Filter (KFF) is an AccessData utility used to compare file hashes in a case against a database of
hashes from files known to be ignorable (such as known system and program files) or with alert status (such as
known contraband or illicit material), or those designated as disregard status (such as when a search warrant
does not allow inspection of certain files within the image that have been previously identified). The KFF allows
quick elimination or pinpointing of these files during an investigation.
Files that contain other files, such as ZIP, CAB, and email files with attachments, are called container files.
When KFF identifies a container file as either ignorable or alert, the component files are not extracted. If
extraction is desired, the files must be manually extracted and added to the case.
See Using the Known File Filter (KFF) on page 405.
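The KFF comparison described in the two paragraphs above (file hashes checked against sets with Alert, Ignore and Disregard status, and container files whose members are not extracted when the container itself is ignorable or alert), as an added example that is not AccessData's KFF implementation. The hash sets, their statuses and the sample files are constructed here; real KFF data comes from sources such as NSRL. It assumes files are identified by SHA-1, that Alert outranks Ignore when one hash appears in sets of both statuses, and that Disregard or unknown containers are still expanded; the last two points are assumptions of this example, not statements from the guide.

```python
"""Classify case files against a KFF-style known-hash database (added illustration)."""
import hashlib
from dataclasses import dataclass, field

ALERT, IGNORE, DISREGARD, UNKNOWN = "Alert", "Ignore", "Disregard", "Unknown"
# Assumption: if one hash sits in sets of different statuses, the more serious wins.
PRECEDENCE = {ALERT: 3, DISREGARD: 2, IGNORE: 1, UNKNOWN: 0}


@dataclass
class CaseFile:
    """A file in the case; children is non-empty for containers (ZIP, CAB, mail)."""
    path: str
    data: bytes
    children: list = field(default_factory=list)


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def build_kff(hash_sets):
    """hash_sets maps set name -> (status, [sha1 hex, ...]); returns {sha1: status}."""
    db = {}
    for status, hashes in hash_sets.values():
        for h in hashes:
            if PRECEDENCE[status] > PRECEDENCE[db.get(h, UNKNOWN)]:
                db[h] = status
    return db


def classify(files, kff):
    """Return {path: status} for every file that would be processed.
    Children of an Alert or Ignore container are not extracted, as the guide
    states, so they never appear in the result. Children of Disregard or
    Unknown containers are expanded (an assumption of this example)."""
    result = {}
    for f in files:
        status = kff.get(sha1_hex(f.data), UNKNOWN)
        result[f.path] = status
        if f.children and status not in (ALERT, IGNORE):
            result.update(classify(f.children, kff))
    return result


def demo():
    """Constructed file contents and hash sets; returns the classification."""
    system_dll = b"constructed: known operating-system component"
    known_archive = b"constructed: known installer archive"
    contraband = b"constructed: file listed in an alert hash set"
    privileged = b"constructed: document outside the warrant's scope"
    dual_listed = b"constructed: hash present in both an Ignore and an Alert set"
    hash_sets = {
        "OS baseline":   (IGNORE,    [sha1_hex(system_dll), sha1_hex(known_archive),
                                      sha1_hex(dual_listed)]),
        "Alert set":     (ALERT,     [sha1_hex(contraband), sha1_hex(dual_listed)]),
        "Warrant scope": (DISREGARD, [sha1_hex(privileged)]),
    }
    kff = build_kff(hash_sets)
    files = [
        CaseFile("C:/Windows/System32/kernelbase.dll", system_dll),
        CaseFile("C:/Users/x/Downloads/photo.jpg", contraband),
        CaseFile("C:/Users/x/Documents/legal.doc", privileged),
        CaseFile("C:/Users/x/both.bin", dual_listed),
        # Ignorable archive: its members must not be extracted.
        CaseFile("C:/Users/x/tools.zip", known_archive, children=[
            CaseFile("C:/Users/x/tools.zip/readme.txt", b"constructed: unknown member")]),
        # Unknown mail item: it is expanded and its attachment is classified.
        CaseFile("C:/Users/x/mail.msg", b"constructed: unknown message", children=[
            CaseFile("C:/Users/x/mail.msg/attachment.bin", contraband)]),
    ]
    return classify(files, kff)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:<9} {path}")
```

The practical consequence of the container rule is visible in the output: an alert attachment inside an unknown message is found, but anything inside an ignorable archive is invisible until the examiner extracts it by hand, as the guide says.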
About Searching
You can conduct live searches or index searches of acquired images.
A live search is a bit-by-bit comparison of the entire evidence set with the search term and takes slightly more
time than an Index search. Live searches allow you to search non-alphanumeric characters and to perform
pattern searches, such as regular expressions and hex values.
See Searching Evidence with Live Search (page 300)
The Index search compares search terms to an index file containing discrete words or number strings found in
both the allocated and unallocated space in the case evidence. The investigator can choose to generate an
index file during preprocessing.
See Searching Evidence with Index Search (page 311)
AccessData products use dtSearch, one of the leading search tools available, in the index search engine.
dtSearch can quickly search gigabytes of text.
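The difference between an index search and a live search, as an added example that is not FTK's or dtSearch's code. An index search looks up whole words or number strings extracted once at processing time from allocated and unallocated space; a live search scans every byte, so it can match regular expressions, hex byte patterns and non-alphanumeric text the tokeniser never kept. The evidence buffer (an allocated memo, file slack and unallocated space holding a deleted JPEG header) is constructed here, and the tokeniser rule (runs of letters and digits) is an assumption of this example.

```python
"""Index search versus live search over raw evidence bytes (added illustration)."""
import re
from collections import defaultdict

# Constructed evidence: an allocated text file, file slack, then unallocated
# space holding a deleted JPEG header and a leftover address.
ALLOCATED = b"Memo from alice@example.com: wire 10000 to acct 4242-4242\n"
SLACK = b"\x00" * 16
UNALLOCATED = b"\xff\xd8\xff\xe0deleted jpeg" + b"\x00" * 8 + b"bob@example.com"
EVIDENCE = ALLOCATED + SLACK + UNALLOCATED

# Index tokens are runs of letters and digits, so '@', '-' and '.' split words.
TOKEN = re.compile(rb"[A-Za-z0-9]+")


def build_index(evidence):
    """Built once at processing time: token -> byte offsets where it starts."""
    index = defaultdict(list)
    for m in TOKEN.finditer(evidence):
        index[m.group().lower()].append(m.start())
    return index


def index_search(index, term):
    """Whole-token lookup. Fast, but only finds what the tokeniser kept."""
    return index.get(term.lower().encode(), [])


def live_search(evidence, pattern, hex_pattern=False):
    """Scan every byte. pattern is a bytes regex, or a hex string such as
    'FF D8 FF E0' when hex_pattern is True. Slower, but reaches non-alphanumeric
    text, binary signatures and anything the index never tokenised."""
    if hex_pattern:
        regex = re.compile(re.escape(bytes.fromhex(pattern.replace(" ", ""))))
    else:
        regex = re.compile(pattern)
    return [m.start() for m in regex.finditer(evidence)]


if __name__ == "__main__":
    idx = build_index(EVIDENCE)
    print("index 'alice':", index_search(idx, "alice"))
    print("index 'alice@example.com':", index_search(idx, "alice@example.com"))
    print("index 'jpeg' (from unallocated space):", index_search(idx, "jpeg"))
    print("live e-mail regex:", live_search(EVIDENCE, rb"[a-z]+@example\.com"))
    print("live JPEG signature:", live_search(EVIDENCE, "FF D8 FF E0", hex_pattern=True))
```

The full address and the JPEG signature are only reachable by the live search; the index does find the word "jpeg" sitting in unallocated space, which is why the guide says the index covers both allocated and unallocated space.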
About Bookmarking
As important data is identified from the evidence in the case, bookmarking that data enables you to quickly find
and refer to it, add to it, and attach related files, even files that are not processed into the case. These files are
called “supplementary files.” Bookmarks can be included in reports at any stage of the investigation and
analysis.
See Bookmarking Evidence (page 290)
About Presenting Evidence
You can present digital evidence by creating a case report containing the evidence and investigation results in a
readable, accessible format.
Use the report wizard to create and modify reports. A report can include bookmarks (information selected during
the examination), customized graphic references, and selected file listings. Selected files, such as bookmarked
files and graphics, can be exported to make them available with the report. The report can be generated in
several file formats, including HTML and PDF and can be generated in multiple formats simultaneously.
See Working with Evidence Reports (page 389).
Chapter 2
Getting Started with the User Interface
You can use two primary interfaces to work with cases and evidence:
-Case Manager
-Examiner
The Case Manager
You can use the Case Manager to manage application settings that apply to multiple cases.
The following is an example of the Case Manager:
See Introducing Case Management on page 48.
Chapter 3
Application Administration
This chapter includes topics that discuss administration tasks that you can do within the Case Manager
interface.
See the following:
-See Creating an Application Administrator Account on page 33.
-See Changing Your Password on page 33.
-See Recovering a Password on page 33.
-See Setting Database Preferences on page 35.
-See Managing Database Sessions on page 35.
-See Optimizing the Database for Large Cases on page 35.
-See Managing Shared KFF Settings on page 36.
-See Recovering and Deleting Processing Jobs on page 36.
-See Restoring an Image to a Disk on page 37.
-See Database Integration with other AccessData Products on page 37.
-See Adding New Users to a Database on page 38.
-See About Assigning Roles to Users on page 39.
-See Restrictions to the Case Reviewer Role on page 40.
-See About Assigning Permissions to Users on page 41.
-See Assigning Users Shared Label Visibility on page 41.
-See Setting Additional Preferences on page 42.
-See Managing Global Features on page 43.
Important:
It is strongly recommended to configure antivirus to exclude the database (PostgreSQL, Oracle
database, MS SQL), AD temp, source images/loose files, and case folders, for performance and data
integrity.
Creating an Application Administrator Account
Before you can use the Case Manager, you must create an Application Administrator account and connect to the
database. The Case Manager lets you create other user accounts and perform other administrative tasks.
To create an Application Administrator account and connect to the database:
1. Launch the program.
2. If an existing database connection is not detected, you are prompted to Add Database.
3. In the RDBMS drop-down menu, select the type of database that you are connecting to.
4. Enter the IP address or DNS host name of the server hosting the database in the Host field. If the
database is on the same computer as the Examiner, you can leave this field empty.
5. (Optional) In the Display name field give the database connection a nickname.
6. Unless you have a custom database configuration, do not change the values for Oracle SID,
PostgreSQL dbname, or Port number.
7. Click OK.
8. If the connection attempt to the database is successful, the database is initialized.
9. When the initialization process completes, create the Application Administrator account for that version
of the database schema. Enter the credentials for the account and click OK.
10. In the Please Authenticate dialog, enter the Application Administrator account credentials.
The Case Manager opens.
Changing Your Password
Once logged into the system, you can change your password.
To change your password:
1. In Case Manager, click Database > Change Password.
2. In the Change Password dialog box, enter your current password.
3. Enter your new password in the New Password text box.
4. Verify your new password by entering it again in the Re-enter text box.
5. Click OK.
Recovering a Password
You can recover an Administrator database password using a Password Reset File. Only the Administrator
logged into the program can create the reset file and only the Administrator that created the reset file can use the
file to reset the password. Before recovering your Administrator password, you will create a Password Reset
File. Once you reset a password, the Password Reset File you used is no longer valid.
There are two main components to recover an Administrator’s password:
-See Creating a Password Reset File on page 34.
-See Resetting your Password on page 34.
Creating a Password Reset File
There are two ways to create a Password Reset file. You can create the file when creating/changing your
password or accessing the Create Password Reset File option in the Administer Users dialog.
When creating/changing your password:
1. After entering your previous password, your new password, and your password confirmation, click OK.
2. A prompt appears that asks you to create a Password Reset File. Click Yes.
3. Navigate to a secure location and enter the name of the Password Reset File.
Important:
Choose a location for the Password Reset File that only you know and to which others do not
have immediate access. Keep its location confidential.
4. Click OK.
From the Administer Users dialog:
1. In Case Manager, click Database > Administer Users.
2. Highlight your User Name (that is, the User Name under which you are logged in).
3. Click Create Password Reset File.
4. Navigate to a secure location and enter the name of the Password Reset File.
Important:
Choose a location for the Password Reset File that only you know and to which others do not
have immediate access. Keep its location confidential.
5. Click OK.
Resetting your Password
To reset your password, enter the Password Reset File you created previously.
Note: Any Password Reset Files that have already been used to reset passwords are no longer valid and will
not work. Password Reset Files from other users or other databases also will not work. Only the
Password Reset File that you created previously with your User Name and Password will work.
To enter the Password Reset File:
1. When prompted for your password, enter your User Name.
2. Click OK.
The Reset Password button appears in the Please Authenticate dialog.
3. Click Reset Password.
4. Locate the Password Reset File, highlight it, and click OK.
5. Enter a new password, verify the new password, and click OK.
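The three properties the guide states for a Password Reset File (only its creator can use it, a file from another user or another database does not work, and a file is invalid once used), as an added illustrative model. This is not FTK's file format and assumes nothing about how AccessData implements it; it shows one way those properties can be enforced: a database-held secret (constructed here) authenticates the database id, user name and a random nonce with HMAC-SHA-256, and the database forgets the nonce after one successful reset.

```python
"""Owner-bound, single-use password reset file: an illustrative model."""
import hashlib
import hmac
import json
import secrets


class ResetFileAuthority:
    """Stands in for the database that issues and checks reset files.
    One instance per database; the key would be stored server-side."""

    def __init__(self, database_id):
        self.database_id = database_id
        self._key = secrets.token_bytes(32)      # constructed; never leaves the database
        self._unused = set()                     # nonces of files not yet consumed

    def _tag(self, user, nonce):
        # Binding database id, user and nonce into the MAC is what makes a file
        # from another user, or from another database, fail verification.
        msg = f"{self.database_id}|{user}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def create_reset_file(self, user):
        """Return the file contents (JSON text) for the logged-in user."""
        nonce = secrets.token_hex(16)
        self._unused.add(nonce)
        return json.dumps({"database": self.database_id, "user": user,
                           "nonce": nonce, "tag": self._tag(user, nonce)})

    def reset_password(self, user, reset_file):
        """True only if the file belongs to this user and database, verifies,
        and has not been used before. A verified file is consumed."""
        try:
            rec = json.loads(reset_file)
            db, owner, nonce, tag = rec["database"], rec["user"], rec["nonce"], rec["tag"]
        except (ValueError, KeyError, TypeError):
            return False
        if db != self.database_id or owner != user or nonce not in self._unused:
            return False
        if not hmac.compare_digest(tag, self._tag(owner, nonce)):
            return False
        self._unused.discard(nonce)              # single use
        return True


def demo():
    """Exercise each rule the guide states; returns {rule: outcome}."""
    db_a = ResetFileAuthority("case-db-A")
    db_b = ResetFileAuthority("case-db-B")
    mine = db_a.create_reset_file("admin")
    theirs = db_a.create_reset_file("reviewer")
    elsewhere = db_b.create_reset_file("admin")
    forged = json.loads(theirs)
    forged["user"] = "admin"                     # renamed owner: tag no longer matches
    return {
        "own file works once": db_a.reset_password("admin", mine),
        "same file second time": db_a.reset_password("admin", mine),
        "another user's file": db_a.reset_password("admin", theirs),
        "file from another database": db_a.reset_password("admin", elsewhere),
        "edited file": db_a.reset_password("admin", json.dumps(forged)),
    }


if __name__ == "__main__":
    for rule, ok in demo().items():
        print(f"{rule}: {'accepted' if ok else 'rejected'}")
```

Keeping the issuing secret in the database rather than in the file is the design point: the file alone proves nothing, which is why its location should still be kept confidential, as the Important notes above say, but possession of it is not sufficient on its own.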
Setting Database Preferences
The Preferences dialog lets you specify where to store the temporary file, the location of a network license and
whether you want to optimize the database after you process evidence.
To set database preferences:
1. In the Case Manager, click Tools > Preferences. Type in or browse to the folder you want temporary
files to be written to.
2. Select a location for the temporary file folder.
The Temporary File Folder stores temporary files, including files extracted from ZIP and email archives.
The folder is also used as scratch space during text filtering and indexing. The Temporary File Folder is
used frequently and should be on a drive with plenty of free space, and should not be subject to drive
space allocation limits.
3. If your network uses AccessData Network License Service (NLS), you must provide the IP address and
port for accessing the License Server.
4. Specify if you want to optimize the case database.
This is set to optimize by default. Unmark the check box to turn off automatic optimization. This causes
the option to be available in Additional Analysis for those cases that were processed with Optimize
Database turned off initially. The Restore Optimization option in Additional Analysis does not appear if
Database Optimization is set in the New Case Wizard to be performed following processing, or if it has
been performed already on the current case from either place.
5. In the Preferences dialog, click OK.
Managing Database Sessions
You can use the Sessions Management dialog to manage and track database sessions from within the Case
Manager. You can also use the Manage DB Sessions dialog to terminate cases that are open and consuming
sessions, but are inactive. This lets open file handles close so that processing can be restarted.
To open the Manage DB Sessions dialog, in the Case Manager, click Database > Session Management.
Optimizing the Database for Large Cases
Note: This feature currently only supports installations using PostgreSQL. If you are using Oracle, this feature is
disabled.
The database can be configured to optimize the handling of large cases. Specifically, it may decrease the
processing time for large cases. However, if you choose to optimize the database, it will require additional disk
resources on the database host computer.
To optimize the database for large cases:
1. In the Case Manager, click Database > Configure.
2. Click Optimized for large cases.
3. Click Apply.
Managing Shared KFF Settings
The AccessData Known Files Filter can be managed from the Case Manager > Database menu. Click Manage
KFF to open the KFF Admin dialog box.
This functionality is also found in the Examiner main window under Manage menu. Click KFF > Manage to open
the KFF Admin dialog box.
The difference between the two is that sets and groups defined from Case Manager are automatically shared.
Those defined from the Examiner are local to the case. Otherwise, the functionality is the same.
From the KFF Admin dialog, you can edit or delete existing custom-defined groups and custom-defined or imported
sets, add new groups, import a selected group or set, and export a group.
Recovering and Deleting Processing Jobs
Jobs that are started but unable to finish can be restarted or deleted.
To recover and delete processing jobs:
1. Click Tools > Recover Processing Jobs. If no jobs remain unfinished, an error message pops up.
Click Continue to see the Recover Processing Jobs dialog. It will be empty. Click Close. If there are jobs
in the list, you can choose whether to Restart or Delete those jobs.
2. Click Select All, Unselect All, or mark the check box for each job to be recovered.
3. Do one of the following:
-Click Restart. In the Recovery Type dialog, choose the recovery type that suits your needs.
-Click Delete. Click Yes to confirm that you want to delete the job permanently.
4. Click Close.
Restoring an Image to a Disk
You can restore a disk image (001 (RAW/dd), E01, or S01) to a physical disk. The target disk must be the same
size or larger than the original, uncompressed disk.
To restore an image to a disk
1. In the Case Manager or in the Examiner, click Tools > Restore Image to Disk. The Restore Image to
Disk dialog opens.
2. Browse to and select the source image (must be RAW-dd/001, E01, or S01).
3. Click the Destination drive drop-down to choose the drive to restore the image to.
If you have connected an additional target drive and it does not appear in the list, click Refresh to
update the list.
4. If the target (destination) drive is larger than the original, uncompressed data, and you don’t want the
image data to share the drive space with old data, mark the Zero-fill remainder of destination drive
check box.
5. If you need the operating system to see the target drive by drive letter, mark the Notify operating
system to rescan partition table when complete check box.
6. Click Restore Image.
Database Integration with other AccessData Products
You can use FTK® 5.0 or higher with the following products:
-AccessData CIRT 2.2 or higher
-AccessData Insight 5.x or higher
-AccessData Summation 5.x or higher
-AccessData eDiscovery 5.x or higher
If you are using these products, you can share the same database. When you install FTK®, you can specify the
same database that you are using for the other product. This lets you open and perform tasks on projects from
those cases in FTK®. You can do the following tasks with projects:
-Open a case
-Backup and restore a case
-Add and remove evidence
-Perform Additional Analysis
-Search and index data
-Export data
Adding New Users to a Database
The Application Administrator can add new users to a database. The Add New User dialog lets you add users,
disable users, change a user’s password, set roles, and show disabled users.
To add a new user
1. Click Database > Administer Users > Create User.
2. In the Add New User dialog, enter information for the following:
Field Description
User Name Enter the name that the user is known as in program logs and other system information.
Full Name Enter the full name of the user as it is to appear on case reports.
Password Enter and verify a password for this user.
Role Assign rights to the selected user name using roles. The default roles are:
-Application Administrator: Can perform all types of tasks, including adding and managing users.
-Case/Project Administrator: Can perform all of the tasks an Application Administrator can perform, with the exception of creating and managing users.
-Case Reviewer: Cannot create cases; can only process cases.
3. Click OK to apply the selected role to the new user.
4. Click OK to exit the Add New User dialog.
About Assigning Roles to Users
A user can have two levels of roles assigned to him or her. A user can have initial roles granted that apply
globally across all cases in a database, and a user can also have specific roles granted for a specific case.
Roles can be granted as follows:
-Roles that apply to all cases in a database are granted from the Database > Administer Users dialog.
-Roles that apply to a specific case are granted from the Case > Assign Users dialog.
The permissions that are applied through roles are cumulative, meaning that if you apply more than one, the
greatest amount of rights and permissions become available.
When you assign roles that apply globally across the database, you cannot reduce the rights on a case-by-case
basis.
AccessData recommends that when you first create a user account, you save the account and close the dialog
without setting a role. Then click Case > Assign Users to assign roles on a case-by-case basis. You can also
assign all new users the Case Reviewer role for the database and then selectively add additional roles as
needed on a case-by-case basis.
Assigning Initial Database-level Roles to Users
You can use the case manager to assign roles to users. Although the default roles can all be selected
concurrently, AccessData recommends that only one of these be selected for any user to avoid granting either
redundant or excessive permissions.
To assign initial database-level roles to users
1. In the Case Manager, click Database > Administer Users.
2. Do one of the following:
-If the user does not yet exist in the system, click Create User to create the user.
-If the user does exist in the system, select the user's name and click Set Roles.
3. Click Set Roles to assign a role that limits or increases database and administrative access.
4. To assign a default role, mark the check box next to that role. The default roles are as follows:
-Application Administrator: Can perform all types of tasks, including adding and managing users.
-Case/Project Administrator: Can perform all of the tasks an Application Administrator can perform,
with the exception of creating and managing users.
-Case Reviewer: Cannot create cases; can only process cases.
5. Click OK to apply the selected role to the new user, save the settings, and return to the Add New User
dialog.
Assigning Additional Case-level Roles to Users
You can use the Case Manager to assign specific roles to users on a case-by-case basis.
To assign additional case-level roles to users
1. In the Case Manager, select the case for which you want to grant additional roles to a user.
2. Click Case > Assign Users.
3. In the Assigned Users pane, select the user that you want to grant additional roles to.
4. Click Additional Roles.
5. In the Additional Roles dialog, under Additional Roles for this Case, select the roles that you want to
grant.
6. Click OK.
7. Click Done.
Restrictions to the Case Reviewer Role
The Case Reviewer role does not have all of the permissions that the application administrator and the database
administrator have.
Permissions Denied to Case Reviewer Users
-Create, Add, or Delete cases
-Administer Users
-Data Carve
-Manually Data Carve
-Assign Users to Cases
-Add Evidence
-Access Credant Decryption from the Tools Menu
-Decrypt Files from the Tools Menu
-Mark or View Items Flagged as “Ignorable” or “Privileged”
-Manage the KFF
-Enter Session Management
-Use Imager
-Use Registry Viewer
-Use PRTK
-Use Find on Disk
-Use the Disk Viewer
-View File Sectors
-Define, Edit, Delete, Copy, Export, or Import Filters
-Export Files or Folders
-Access the Additional Analysis Menu
-Backup or Restore Cases
-Create Custom Data Views
About Assigning Permissions to Users
It is important to understand that when you create user accounts (Database > Administer Users) and assign
roles to users from that dialog, the roles you assign are global for this database; you cannot reduce their rights
on a case-by-case basis.
If you decide to limit a user’s rights by assigning a different role, you must return to the Database > Administer
Users dialog, select a user and choose Set Roles. Unmark the current role and click OK with no role assigned
here, or choose a different role that limits access, then click OK to save the new setting.
AccessData recommends that you first create the user account, save the account and close the dialog without
setting a role. Then, click Case > Assign Users to assign roles on a case-by-case basis.
Or you could assign all new users the global Case Reviewer role, then selectively add the Case/Project
Administrator or Application Administrator role as needed. The permissions that are applied through roles are
cumulative, meaning that if you apply more than one, the greatest amount of rights and permissions become
available.
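The cumulative, global-plus-case-level role model described in the sections above, as an added example (not AccessData's code): role names and the denied-to-reviewer tasks are taken from this guide, while the tasks every role may perform, the sample accounts and the exact permission sets of the two administrator roles are assumptions derived from the guide's descriptions.

```python
from dataclasses import dataclass, field

# Tasks the guide lists as denied to the Case Reviewer role (a subset of that list).
CASE_REVIEWER_DENIED = frozenset({
    "Create, Add, or Delete cases", "Administer Users", "Data Carve",
    "Assign Users to Cases", "Add Evidence", "Manage the KFF",
    "Backup or Restore Cases", "Export Files or Folders",
})
# Assumed: tasks every role, including Case Reviewer, may perform.
REVIEWER_ALLOWED = frozenset({"Open a case", "Process cases", "Search and index data"})
USER_MANAGEMENT = frozenset({"Administer Users"})

# Role -> permission set, following the guide's descriptions: Application
# Administrator does everything, Case/Project Administrator everything except
# user management, Case Reviewer only the reviewer tasks.
ROLES = {
    "Application Administrator": CASE_REVIEWER_DENIED | REVIEWER_ALLOWED,
    "Case/Project Administrator": (CASE_REVIEWER_DENIED | REVIEWER_ALLOWED) - USER_MANAGEMENT,
    "Case Reviewer": REVIEWER_ALLOWED,
}
ADMIN_ROLES = frozenset({"Application Administrator", "Case/Project Administrator"})


@dataclass
class User:
    name: str
    # Roles set from Database > Administer Users > Set Roles: apply to every case.
    global_roles: frozenset = frozenset()
    # Roles set from Case > Assign Users > Additional Roles: case id -> roles.
    case_roles: dict = field(default_factory=dict)


def effective_permissions(user, case):
    """Permissions are cumulative: the union of every role the user holds,
    globally or for this case. Nothing here subtracts rights, which is why
    a global role cannot be reduced on a case-by-case basis."""
    perms = set()
    for role in user.global_roles | user.case_roles.get(case, frozenset()):
        perms |= ROLES[role]
    return frozenset(perms)


def can(user, case, task):
    return task in effective_permissions(user, case)


def flag_global_admins(users):
    """Names of users holding an administrative role at database level. The
    guide recommends granting such roles per case instead, since a global
    grant applies to every case and cannot be narrowed later."""
    return [u.name for u in users if u.global_roles & ADMIN_ROLES]


# Constructed sample accounts (not real users). alice follows the guide's
# recommendation: Case Reviewer globally, administrator on one case only.
# bob was made Application Administrator globally; the case-level Case
# Reviewer grant on case-1 cannot take anything away from him.
alice = User("alice", frozenset({"Case Reviewer"}),
             {"case-1": frozenset({"Case/Project Administrator"})})
bob = User("bob", frozenset({"Application Administrator"}),
           {"case-1": frozenset({"Case Reviewer"})})

if __name__ == "__main__":
    for user in (alice, bob):
        for case in ("case-1", "case-2"):
            print(user.name, case, "Add Evidence:", can(user, case, "Add Evidence"),
                  "Administer Users:", can(user, case, "Administer Users"))
    print("global administrators:", flag_global_admins([alice, bob]))
```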
Assigning Users Shared Label Visibility
Shared Labels give Application Administrators the added benefit of assigning visibility to only specific users on a
case-by-case basis.
To assign Label Visibility
1. In Case Manager, click Case > Assign Users. The Assign Users for Case dialog opens, and a list of
users that have permissions in the currently selected case appears.
2. Highlight a User.
3. Click Label Visibility to open the Manage Label Visibility dialog.
To show or hide Labels
1. Select a user in the User List pane. The Shared Labels dialog opens. Initially all are set as Visible.
2. Move labels as needed, based on the following:
-Select a label you want that user not to see in any case, and click the > button.
-To move a hidden label into the Visible Labels pane, select it, and click the < button.
Setting Additional Preferences
Choosing a Temporary File Path
The Temporary File Folder stores temporary files, including files extracted from ZIP and email archives. The
folder is also used as scratch space during text filtering and indexing. The Temporary File Folder is used
frequently and should be on a drive with plenty of free space, and should not be subject to drive space allocation
limits.
To specify a location for the Temporary File Folder
1. In the Case Manager, click Tools > Preferences. Type in or browse to the folder you want temporary
files to be written to.
2. Select the folder, then click OK.
3. In the Preferences dialog, verify the path is what you wanted.
4. In the Theme to use for Visualization section, you can also choose a color scheme to apply to the
visualization windows.
5. Click OK.
Providing a Network Security Device Location
If your network uses AccessData Network License Service (NLS), provide the IP address and port for accessing
the License Server.
Setting Theme Preferences for the Visualization Add-on
To change the appearance of the Visualization window
1. In the Case Manager, click Tools > Preferences.
2. In the Theme to use for Visualization section, select a color scheme to apply to the Visualization
windows.
3. Click OK.
Optimizing the Case Database
This is set to optimize by default. Unmark the check box to turn off automatic optimization. This causes the
option to be available in Additional Analysis for those cases that were processed with Optimize Database turned
off initially.
Note: The Restore Optimization option in Additional Analysis will not appear if Database Optimization was set
in the New Case Wizard to be performed following processing, or if it has been performed already on the
current case from either place.
Managing Global Features
Several features that were previously available only in a case are now fully implemented for global application,
and are known as “Shared.” Since they are available globally, they are managed from the Case Manager
interface, under the Tools menu.
The Application Administrators manage all Shared features. It is a good practice to set these up to the extent you
are able before you create your first case. Of course, new ones can be added at any time and copied to existing
cases. Shared features can also be created within cases by both Application and Case Administrators and then
shared (added to the global list).
Since each Shared feature has been documented to some extent in other chapters of the User Guide, only the
parts of the features that apply specifically to Application Administrators are explained here. Cross-references
are added to provide quick access to more complete information.
Managing Shared Custom Carvers
Carvers provide a comprehensive tool that allows you to customize the carving process to access hidden data
exactly the way you need it. You can create new, and edit or delete existing shared carvers. In addition, you can
import and export carvers, and copy carvers to cases that were previously processed without a particular custom
carver.
There are no default carvers listed in the Manage Shared Custom Carvers dialog. It contains only custom-designed
carvers that are shared.
See also Data Carving (page 84)
To create a Shared Custom Carver
1. In the Case Manager, click Manage > Carvers.
2. From the Manage Shared Custom Carvers dialog, click New.
3. Set the data carving options that you want to use.
4. Click Save when the new carver has been defined to meet your needs. You will see the new carver in
this list and when you mark the Carving option in the New Case Wizard.
5. In the Manage Shared Carvers dialog, click the appropriate button to:
-Create New shared custom carvers
-Edit existing shared custom carvers
-Delete shared custom carvers
-Import shared custom carvers that have been exported from cases
-Export shared custom carvers
-Copy shared custom carvers to a case
6. Click OK to close the Carving Options dialog.
Managing Custom Identifiers
Custom File Identifiers let you specify which file category or extension should be assigned to files with a certain
signature. While Custom Identifiers can be created and/or selected by a Case Administrator in the New Case
Wizard, Shared Custom Identifiers are created and managed from a separate menu.
See also Creating Custom File Identifiers (page 92).
To Create a Shared Custom Identifier
1. In the Case Manager, click Manage > Custom Identifiers.
Initially, the Custom Identifiers List pane is empty, and the rest of the window is grayed-out.
2. Click Create New. The window activates.
3. Enter a name for the new Custom Identifier. The name you enter is added into the Custom Identifiers
List.
4. Enter a description to help define the identifier’s purpose.
5. Create the Custom Identifier by defining Operations and using the AND and OR buttons.
6. When you are done defining this Custom Identifier, click Apply.
You can also do the following:
-Click Delete to delete an unwanted or outdated identifier.
-Click Export to save the selected identifier as a TXT file.
-Click Import to add an external identifier file.
-Click Close to close the Custom Identifiers dialog.
Managing Columns
Shared Columns use the same windows and dialogs that Local Columns use.
To create a Shared Column Template
1. In Case Manager, click Manage > Columns.
The Manage Shared Column Settings dialog opens.
2. Highlight a default Column Template to use as a basis for a Custom Column Template.
3. Click New.
4. Enter a new name in the Column Template Name field.
5. Select the Columns to add from the Available Columns pane, and click Add >> to move them to the
Selected Columns pane.
6. Select from the Selected Columns pane and click Remove to clear an unwanted column from the
Selected Columns.
7. When you have the new column template defined, click OK.
See also Customizing File List Columns (page 384).
Managing File Extension Maps
Extension Maps can be used to define or change the category associated to any file with a certain file extension.
For example, files with a BAG extension, which would normally be categorized as “Unknown Type,” can be
categorized as an AOL Bag File, or files with a MOV extension that would normally be categorized as Apple
QuickTime video files can be changed to show up under a more appropriate category, since they can sometimes
contain still images.
To create a Shared Custom Extension Mapping
1. In the Case Manager, click Manage > File Extension Maps.
2. In the Custom Extension Mapping dialog, click Create New.
3. Enter a name for the new mapping.
4. Enter a description for easier identification.
5. In the Category pane, select a file type you want to map an extension to.
6. Click Add Extension.
The Add New Extension dialog box opens.
7. Enter the new extension to add.
8. Click OK.
You can also do the following:
-Click Delete to remove an unwanted or outdated mapping.
-Click Import to add an external Custom Extension Mapping file for Shared use.
-Click Export to save a Custom Extension Mapping file.
-Click Close to close the Custom Extension Mapping dialog.
See also Custom Case Extension Maps (page 93).
Managing Filters
Filters consist of a name, a description, and as many rules as you need. A filter rule consists of a property, an
operator, and one or two criteria. (You may have two criteria in a date range.)
To create a new Shared filter
1. From Case Manager, click Manage > Filters.
The Manage Shared Filters dialog opens.
2. Do one of the following:
-If there is an existing filter in the Filters list that you want to use as a pattern, or template, highlight
that filter and click Copy.
-If there is no filter that will work as a pattern, click New.
3. Enter a name and a short description of the new filter.
4. Select a property from the drop-down menu.
5. Select an operator from the Properties drop-down menu.
6. Select the applicable criteria from the Properties drop-down menu.
7. Each property has its own set of operators, and each operator has its own set of criteria. The possible
combinations are vast.
8. Select the Match Any operator to filter out data that satisfies any one of the filter rules or the Match All
operator to filter out data that satisfies all rules of the filter.
You can test the filter without having to save it first. Check the Live Preview box to test the filter as you
create it.
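An evaluator with the filter structure this section describes (name, description, rules of property, operator and one or two criteria, combined with Match Any or Match All), as an added example rather than FTK's own filter engine: the operator names, record fields and sample file records are assumptions constructed for the demonstration.

```python
from datetime import date

# Assumed operator vocabulary. In FTK each property has its own operators;
# this model uses one shared set. "in range" is the two-criteria form the
# guide mentions for date ranges.
OPERATORS = {
    "equals":   lambda value, crit: value == crit[0],
    "contains": lambda value, crit: crit[0].lower() in str(value).lower(),
    "greater":  lambda value, crit: value > crit[0],
    "less":     lambda value, crit: value < crit[0],
    "in range": lambda value, crit: crit[0] <= value <= crit[1],
}


class Filter:
    """A filter: name, description and rules, each rule being
    (property, operator, criteria) with one criterion, or two for a range."""

    def __init__(self, name, description, rules, match_all=True):
        self.name = name
        self.description = description
        self.rules = list(rules)
        self.match_all = match_all          # True = Match All, False = Match Any
        for prop, op, crit in self.rules:   # validate when the filter is defined
            if op not in OPERATORS:
                raise ValueError(f"unknown operator {op!r} in rule for {prop!r}")
            expected = 2 if op == "in range" else 1
            if len(crit) != expected:
                raise ValueError(f"rule {prop!r}/{op!r} needs {expected} criteria")

    def rule_matches(self, record, rule):
        prop, op, crit = rule
        if prop not in record:      # a record lacking the property never satisfies the rule
            return False
        return OPERATORS[op](record[prop], crit)

    def matches(self, record):
        outcomes = [self.rule_matches(record, rule) for rule in self.rules]
        return all(outcomes) if self.match_all else any(outcomes)

    def apply(self, records):
        """Same evaluation Live Preview performs in the dialog before saving."""
        return [rec for rec in records if self.matches(rec)]


def matching_names(flt, records):
    return [rec["Name"] for rec in flt.apply(records)]


# Constructed sample file records (not from a real case). The last one has no
# Extension property, so no Extension rule can match it.
RECORDS = [
    {"Name": "report.docx", "Extension": "docx", "Size": 240000, "Created": date(2015, 2, 10)},
    {"Name": "notes.txt", "Extension": "txt", "Size": 1200, "Created": date(2014, 11, 3)},
    {"Name": "plan.docx", "Extension": "docx", "Size": 90000, "Created": date(2014, 6, 1)},
    {"Name": "photo.jpg", "Extension": "jpg", "Size": 3500000, "Created": date(2015, 3, 2)},
    {"Name": "unknown.bag", "Size": 512, "Created": date(2015, 1, 15)},
]

# Match All: both rules must hold (Word documents created in Q1 2015).
RECENT_DOCS = Filter("Recent Word documents", "docx created Jan-Mar 2015", [
    ("Extension", "equals", ("docx",)),
    ("Created", "in range", (date(2015, 1, 1), date(2015, 3, 31))),
], match_all=True)

# Match Any: either rule suffices (any Word document, or anything over 1 MB).
DOCS_OR_LARGE = Filter("Word documents or large files", "docx, or larger than 1 MB", [
    ("Extension", "equals", ("docx",)),
    ("Size", "greater", (1_000_000,)),
], match_all=False)

if __name__ == "__main__":
    print(RECENT_DOCS.name, "->", matching_names(RECENT_DOCS, RECORDS))
    print(DOCS_OR_LARGE.name, "->", matching_names(DOCS_OR_LARGE, RECORDS))
```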
Part 3
Case Management
This part contains information about managing cases. It contains the following chapters:
-Introducing Case Management (page 48)
-Creating and Configuring New Cases (page 68)
-Managing Case Data (page 101)
-Working with Evidence Image Files (page 107)
-Working with Static Evidence (page 113)
-Working with Live Evidence (page 133)
-Filtering Data to Locate Evidence (page 146)
-Working with Labels (page 163)
-Decrypting Files (page 167)
-Exporting Data from the Examiner (page 187)
-About Cerberus Malware Analysis (page 200)
-Running Cerberus Malware Analysis (page 217)
Chapter 4
Introducing Case Management
This chapter includes the following topics:
-About Case Management (page 48)
-The User Interfaces (page 48)
-About the Cases List (page 49)
-Menus of the Case Manager (page 50)
-Menus of the Examiner (page 56)
About Case Management
Case management includes creating new cases, as well as backing up, archiving, detaching, restoring,
attaching, deleting cases from the database, and managing case and evidence files.
Case management tasks are performed from the Case Manager.
Note: Multiple user names in a case are automatically assigned to Original User Names when a case is
Archived, or Archived and Detached, and then restored. They can also be reassigned if necessary.
See Creating a Case (page 69)
See Managing Case Data (page 101)
The User Interfaces
The Case Manager lets you add and manage cases, users, roles and permissions, and do other management
tasks. You can use the Case Manager to apply settings globally to all cases in the system.
Menus of the Case Manager (page 50)
You can use the Examiner to locate, bookmark, and report on evidence.
Menus of the Examiner (page 56)
About the Cases List
The Cases List shows all of the cases that are available to the currently logged-in user. The right pane displays
information about the cases. The information that is shown for Case File, Description File, and Description is
determined by either the Application Administrator or the Case Administrator.
Case Manager Cases List
Menus of the Case Manager
Case Manager Menus
Menu More Information
File The File menu lets you exit the Case Manager.
See Options of the Case Manager File Menu (page 50)
Database The Database menu lets you administer users and roles.
See Options of the Case Manager Database Menu (page 51)
Case The Case menu lets you create, backup, and delete cases. You can also assign users to roles.
See Options of the Case Manager Case Menu (page 51)
Tools The Tools menu lets you configure the processing engine, recover interrupted jobs and restore images to a disk.
See Options of the Case Manager Tools Menu (page 53)
Manage The Manage menu lets you administrate shared objects such as columns, labels and carvers.
See Options of the Case Manager Manage Menu (page 54)
Help The Help menu lets you access the user guide as well as view version and copyright information.
See Options of the Case Manager Help Menu (page 55)
Options of the Case Manager File Menu
Option Description
Exit Exits and closes the program.
Options of the Case Manager Database Menu
Case Manager Database Menu
Option Description
Log In/ Log Out Opens the authentication dialog for users to log into the database. You can log out the currently authenticated user without closing the program.
Change password Opens the Change Password dialog. The currently authenticated user can change their own password by providing the current password, then typing and re-typing the new password.
Administer Users Lets you manage user accounts. The Application Administrator can change users’ roles.
Manage KFF Opens the KFF Admin dialog.
Session Management Opens the Manage Database Sessions dialog. Click Refresh to update the view of current sessions. Click Terminate to end sessions that are no longer active.
Options of the Case Manager Case Menu
Case Manager Case Menu
Option Description
New Start a new case with the currently authenticated user as the Case Administrator. Case
Reviewers cannot create a new case.
See Creating a Case (page 69)
Open Opens the highlighted case with its included evidence.
Assign Users Allows the Application Administrator or the Case Administrator to adjust or control the
rights of other users to access a particular case. Also allows the Administrator to control
which users can see which of the Shared Labels that are available.
See What You Can Do With Labels (page 163)
Backup Opens a dialog for specifying names and locations for backup of selected cases. You
can select multiple cases in the Case Manager to backup.
Options are:
Backup
Archive
Archive and Detach
Restore Opens a Windows Explorer instance for locating and restoring a selected, saved case.
Options are:
Restore an archived case
Attach an archived and detached case
Delete Deletes the selected case. Pop-up appears to confirm deletion.
Copy Previous Case Copies a case from a previous version (4.2 or later) into the database. The use of a UNC folder path is no longer required beginning with version 4.2 and newer.
To use Copy Previous Case, you do not back up the case in the previous version; you simply use the Copy Previous Case feature. If you want to use Backup instead, back up the case in the previous version, such as 4.2, then restore it to the new version. Copy Previous Case does not recognize backed-up cases.
Remove Generated Index This option lets you select a case and delete its index. If you remove a case’s index, you cannot use index searches until you create a new index. To create a new index, in the Examiner, click Evidence > Additional Analysis. Select dtSearch® Text Index and click OK.
Refresh Case List Right-click in the Case List area and select Refresh Case List, or press F5 to refresh the case list with any new information.
Options of the Case Manager Tools Menu
Case Manager Tools Menu
Option Description
Processing Engine Config Opens the Processing Engine Configuration dialog. Configure Remote Processing Engines here. Specify Computer Name/IP Address, and Port. Add New, Remove, Enable or Disable configured Processing Engines.
Recover Processing Jobs Allows you to recover jobs that were interrupted during processing so the processing can be completed.
Show Progress Window Opens the Progress window so you can check the Processing Status.
Restore Image to Disk Copies a disk image to a disk other than the original.
Preferences Opens the Preferences dialog.
Options of the Case Manager Manage Menu
Case Manager Manage Menu
Option Description
Carvers Manage Shared Custom Carvers. Custom Carvers created here can be copied to cases.
Custom Identifiers Manage Shared Custom Identifiers. Custom Identifiers created here are automatically made available to all new cases, but cannot be copied directly to earlier cases. They must be exported and then imported into such cases.
Columns Manage Shared Column Settings. Custom Columns created here can be copied to cases.
File Extension Maps Manage Shared File Extension Mappings. File Extension Maps created here are automatically made available to all new cases, but cannot be copied directly to earlier cases. They must be exported and then imported into such cases.
Filters Manage Shared Filters. Custom Filters created here can be copied to cases.
Labels Manage Shared Labels. Custom Labels created here can be copied to cases.
KFF Lets you access advanced KFF management options such as creating groups and sets.
Options of the Case Manager Help Menu
Case Manager Help Menu
Option Description
User Guide Opens the user guide in PDF format.
About Provides version and build information, copyright and trademark information, and other copyright and trade acknowledgements.
Menus of the Examiner
When a case is created and assigned a user, the Examiner window opens with the following menus:
Examiner Menus
Menu Description
File See Options of the Examiner File Menu (page 56)
Edit See Options of the Examiner Edit Menu (page 58)
View See Options of the Examiner View Menu (page 59)
Evidence See Options of the Examiner Evidence Menu (page 61)
Filter See Options of the Examiner Filter Menu (page 63)
Tools See Options of the Examiner Tools Menu (page 64)
Manage See Options of the Examiner Manage Menu (page 66)
Help See Options of the Examiner Help Menu (page 67)
Options of the Examiner File Menu
Examiner File Menu
Option Description
Export Exports selected files and associated evidence to a designated folder.
Export to Image Exports one or more files as an AD1 image to a storage destination.
When exporting to AD1 the image's file path is added under a root directory. This
speeds the process of gathering data for the AD1, and for shortening the path to
AD1 content.
Export File List Info Exports selected file information to files formatted as the Column List in CSV, TSV,
and TXT formats.
Export Word List Exports the words from the case's index as a text file. You can use this word list to
create a dictionary in the AccessData PRTK and DNA products.
See Exporting a Word List (page 196)
Report Opens the Report Options dialog for creating a case report.
See Creating a Case Report (page 390)
Volatile Data Report Opens a Volatile Data Report created from live data collected remotely and added
to this case. This option is grayed out unless Volatile Data has been added to the
case.
Close Closes the Examiner and returns to the Case Manager window.
Exit Closes both the Examiner and Case Manager windows.
Options of the Examiner Edit Menu
Examiner Edit Menu
Option Description
Copy Special Duplicates information about the object copied as well as the object itself, and places the copy in the clipboard.
See Copying Information from the Examiner (page 187)
Options of the Examiner View Menu
Examiner View Menu
Option Description
Refresh Reloads the current view with the latest information.
Filter Bar Inserts the filter toolbar into the current tab. These features are also available from
the Filter menu.
Time Zone Display Opens the Time Zone Display dialog.
Thumbnail Size Selects the size of the thumbnails displayed from the Graphics tab. Select from the
following:
-Large (default)
-Medium
-Small
-Tiny
Tab Layout Manages tab settings. The user can lock an existing setting, add and remove
settings, and save settings one tab at a time or all at once. The user can also
restore previous settings or reset them to the default settings.
These options are in the following list:
-Save
-Restore
-Reset to Default
-Remove
-Save All Tab Layouts
-Lock Panes
-Add New Tab Layout
File List Columns Specifies how to treat the current File List. Options are:
-Save As Default
-Save All as Default
-Reset to Factory Default
-Reset All To Factory Default
File Content Tabs Switching Specifies the behavior of file content when a different tab is selected. Options are:
-Auto
-Manual
Explore Tree Displays the Explore Tree in the upper-left pane.
Graphics Tree Displays the Graphics Tree in the upper-left pane.
Overview Tree Displays the Overview Tree in the upper-left pane.
Email Tree Displays the Email Tree in the upper-left pane.
Bookmark Tree Displays the Bookmark Tree in the upper-left pane.
Index Searches Displays the Index Search Results pane in the upper-left pane.
Live Searches Displays the Live Search Results pane in the upper-left pane.
Bookmark Information Adds the Bookmark Information pane into the current tab.
File List Adds the File List pane into the current tab.
File Content Adds the File Content pane into the current tab.
Email Attachments Displays the attachments to email objects found in the case. Available only in the
Email and Overview tabs.
Properties Inserts the Object Properties pane into the current tab view.
Hex Value Interpreter Displays a pane that provides an interpretation of Hex values selected from the
Hex View pane.
Thumbnails Displays a pane containing thumbnails of all graphics found in the case.
Progress Window Opens the Progress dialog, from which you can monitor tasks and/or cancel them.
Options of the Examiner Evidence Menu
Examiner Evidence Menu
Option Description
Add/Remove Opens the Manage Evidence dialog, used to add and remove evidence. From
Manage Evidence, choose from the following:
Time Zone — Choose Time Zone for evidence item
Refinement Options — Select Evidence Refinement Options
Language Setting — Choose the language of the evidence item
Define and Manage Evidence Groups
Select Case KFF Options
Add Remote Data Opens the Add Remote Data dialog from which you can remotely access volatile,
memory, and/or drive data and add it to the case. To collect remote data from
another computer on the network, provide the following:
Remote IP Address
Remote Port
Select any or all of the following:
Physical Drives (Can be mapped using RDMS)
Logical Drives (Can be mapped using RDMS)
Memory Analysis
Click OK or Cancel.
Additional Analysis Opens the Additional Analysis dialog with many of the same processing options
available when the evidence was added. Allows the user to reprocess using
available options not selected previously.
See Using Additional Analysis (page 124).
Process Manually Carved Items Initiates the processing of items that have been manually carved, using the selected options.
Manage Evidence Groups Opens the dialog where you can create and manage Evidence Groups.
Import Memory Dump Opens the Import Memory Dump File dialog, which allows you to select memory dumps from other case files or remote data acquisitions and import them into the current case. The memory dump file must have been previously created.
See Working with Live Evidence (page 133).
Import Custom Column File When a Custom Column Settings file has been created, import it into your case using this tool.
Delete Custom Column Data If you have imported or created a Custom Column Settings file, use this tool to delete the associated column and its data from the view.
Merge Case Index This option has been removed. The processing engine does this automatically and
no longer needs user interaction to select the merge.
Options of the Examiner Filter Menu
Examiner Filter Menu
Option Description
New Opens the Filter Definition dialog to define a temporary filter.
Duplicate Duplicates a selected filter. A duplicated filter serves as a starting point for
customizing a new filter.
Delete Deletes a selected filter.
On Applies the selected filter globally in the application. The File List changes color to
indicate that the filter is applied.
Import Opens the Windows file manager allowing the user to import a pre-existing filter.
Export Opens the Windows File Manager allowing the user to save a filter.
The name of the filter cannot have any special or invalid characters or the export
will not work.
Tab Filter Allows the selection of a filter to apply in the current tab.
Options of the Examiner Tools Menu
Examiner Tools Menu
Option Description
Decrypt Files Decrypts EFS and Office files using passwords you enter.
See Decrypting Files (page 167)
Credant Decryption Opens the Credant Decryption dialog where you enter the decryption information.
See Decrypting Credant Files (page 179)
Verify Image Integrity Recomputes the hash values of a disk image file so that they can be compared with the hashes recorded when the image was acquired; a mismatch means the image has changed since acquisition.
See Verifying Drive Image Integrity (page 107)
Restore Image to Disk Restores a physical image to a disk. If the original drive was on a bootable
partition, the restored image may also be bootable. This feature is disabled for
Case Reviewers.
Mount Image to Drive Allows the mounting of a physical or logical image for read-only viewing. Logically
mounting images allows them to be viewed as a drive-letter in Windows Explorer.
Mounted logical drives now show the user the correct file, even when a deleted file
with the same name exists in the same directory.
See Mounting an Image to a Drive (page 108)
Disk Viewer Opens a hex viewer that allows you to see and search the contents of evidence items. Text searches can use the Match Case, ANSI, Unicode, or Regular Expression options and can search up instead of down; hex searches can also search up. You can also jump to a specific logical sector or cluster.
Other Applications Opens other AccessData tools to complement the investigational analysis.
Configure Agent Push Opens configuration dialog for pushing the agent to remote machines for data
acquisition.
Push Agents Pushes, or installs, an Agent to a remote machine. You can Add, Remove, Import, or Export a single machine or a list of machines here.
Manage Remote Acquisition Opens the Remote Acquisition dialog. Set the drive acquisition retry options and the compression level for remote data transfers here, balancing transfer speed against bandwidth usage.
Unmount Agent Drive Unmounts a remote drive that is mounted through RDMS.
Disconnect Agent Disconnects a remote agent.
Recover Processing Jobs Restarts processing so that jobs that were interrupted can be completed.
Visualization Lets you launch the Visualization add-on module for the data that you currently have displayed in the File List pane. Visualization is only available from the Explore, Overview, and Email tabs.
See Using Visualization on page 335.
Execute SQL Executes a user-defined SQL script from within the interface.
Launch 'oradjuster.EXE' Runs Oradjuster.EXE to temporarily optimize the available memory on the Examiner and database machine for those using an Oracle database. This utility does not work on a two-box configuration.
See page 491.
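The Verify Image Integrity option in the table above is easy to reproduce outside the tool, which matters when an image has to be re-verified on a machine without FTK. The following Python script is an added example and not FTK code: it hashes a raw image in fixed-size chunks (so a very large image never has to fit in memory), compares the result with the MD5/SHA-1/SHA-256 digests recorded at acquisition, and shows that a single flipped bit fails verification. The image bytes, the acquisition record, and all function names are constructed for this example.

```python
"""Added example (not FTK code): re-verify a drive image against its acquisition hashes."""
import hashlib
import hmac
import random

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-terabyte image never has to fit in memory


def image_digests(image: bytes, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Hex digests of the whole image, computed in one pass over fixed-size chunks."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for offset in range(0, len(image), CHUNK):
        block = image[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify(image: bytes, acquisition_record: dict) -> dict:
    """Compare a fresh digest with each one recorded at acquisition; returns {alg: matches}."""
    current = image_digests(image, tuple(acquisition_record))
    return {alg: hmac.compare_digest(current[alg], recorded)
            for alg, recorded in acquisition_record.items()}


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit: any change, however small, must make every digest differ."""
    edited = bytearray(image)
    edited[offset] ^= 0x01
    return bytes(edited)


def build_sample():
    """Constructed stand-in for a raw image plus the record an acquisition tool would write."""
    size = 2 * CHUNK + 123  # deliberately not a multiple of CHUNK
    image = random.Random(42).getrandbits(8 * size).to_bytes(size, "big")
    return image, image_digests(image)


if __name__ == "__main__":
    image, record = build_sample()
    print("original :", verify(image, record))
    print("tampered :", verify(tamper(image, CHUNK + 5), record))
```

Keep the acquisition record (and the verification output) with the case notes; a hash that is only recomputed, never compared against something recorded at acquisition time, proves nothing.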
Options of the Examiner Manage Menu
Examiner Manage Menu
Tool Type Description
KFF Manage Known File Filter (KFF) Library, sets, and groups.
See Using the Known File Filter (KFF) (page 405).
Labels Manage Local and Shared Labels as well as Label Groups.
See What You Can Do With Labels (page 163).
Carvers Manage Local and Shared Custom Carvers.
See Data Carving (page 84).
Filters Manage Local and Shared Filters.
See Filtering Data to Locate Evidence (page 146).
Columns Manage Local and Shared Columns.
See Customizing File List Columns (page 384).
Options of the Examiner Help Menu
Option Description
User Guide Opens the user guide in PDF format.
Case Folder Opens the folder that contains the case data.
About Provides version and build information, copyright and trademark information, and other
copyright and trade acknowledgements.
Chapter 5
Creating and Configuring New Cases
This chapter explains how to create a new case and configure the case options. If you have cases that were
created in version 2.2 or later, you can convert them to the latest version.
This chapter includes the following topics:
-Opening an Existing Case (page 68)
-Creating a Case (page 69)
-Configuring Detailed Options for a Case (page 70)
-Evidence Processing Options (page 76)
-Adding Evidence to a New Case (page 100)
-Converting a Case from Version 2.2 or Newer (page 100)
Opening an Existing Case
You can open a case that has previously been created and closed.
To open an existing case
1. Open the Case Manager.
2. In the Case Manager, highlight and double-click a case to open it.
Note: If you attempt to open a case you have not been assigned to, you will receive the message “You have not been assigned to work on this case.” Authenticating to the application is not enough: a user must also be assigned to the specific case before it can be opened.
Creating a Case
Case information is stored in the database, which allows each case to be administered as it is created.
To start a new case
1. Open the Case Manager.
2. Click Case > New. The New Case Options dialog opens.
3. Enter a name for the case in the Case Name field.
4. (Optional) Enter any specific reference information in the Reference field.
5. (Optional) Enter a short description of the case in the Description field.
6. You can use the Description File option to attach a file to the case. For example you can use this field to
attach a work request document or a warrant to the case.
7. In the Case Folder Directory field specify where to store the case files. If you wish to specify a different
location for the case, click the Browse button.
Note: If the case folder directory is not shared, an error occurs during case creation.
8. (Optional) In the Database Directory field you can specify a location for where to store database
directory files. You can check the In the case folder option to save the database directory in the case
folder. If you do not specify these options, the database directory is saved to the default location of the
database.
Note: The location that you specify for Database Directory is relative to your database computer. If you
intend to specify a location that is on a different computer than your database, for example in a
multi-box scenario, then you must enter a network path.
Important:
If you use a UNC path for the case folder and select the In the case folder option for the database directory, the database process must run under an account that can reach that network share. If it runs as a local (non-network) user, it cannot access the UNC path and case creation fails because the database files cannot be created.
9. Configure the default processing options for the case by either using a processing profile or using
custom settings.
See Configuring Detailed Options for a Case on page 70.
10. If you wish to open the case as soon as it is created, mark Open the case.
11. Click OK to create the new case.
Configuring Detailed Options for a Case
When you configure Detailed Options for a case, there are options for doing the following:
-Configuring Evidence Processing Options (page 70)
-Configuring Evidence Refinement (Advanced) Options (page 94)
-Selecting Index Refinement (Advanced) Options (page 96)
-Managing Custom Identifiers (page 44)
Configuring Evidence Processing Options
About Processing Options
To help you in investigating the evidence in a case, the evidence data is processed. When evidence is
processed, data about the evidence is created and stored in the database. You can view the processed data in
the Examiner.
Evidence is processed at the following times:
-When adding evidence to a case
-After the initial processing, when performing an additional analysis
There are many different types of processing options. You can choose which processing options are relevant to
your case.
The following are some examples of how your data can be processed:
-Generate hash values for all of the files in the evidence.
-Categorize the types of files in your evidence, such as graphics, office documents, encrypted files, and so
on.
-Expand the contents of compound files, such as ZIP or TAR files.
-Create an index of the words that are in the evidence files for quick searches and retrieval.
-Create thumbnails for the graphics and videos in the evidence.
-Decrypt encrypted files.
-Compare files in your evidence against a list of known files that you may want to be alerted about (such
as contraband images) or files that you want to ignore (such as Windows system files).
You can select processing options at the following times:
-When you create a case (Detailed Options) -- these become the default options for the case.
See Evidence Processing Options (page 76)
-When you add evidence to an existing case (Refinement Options) -- you can either use or override the
case defaults.
See Configuring Evidence Refinement (Advanced) Options (page 94)
-When you perform an Additional Analysis on a case.
See Using Additional Analysis (page 124)
Each processing option that you enable increases the time that it takes to process the evidence. Depending on your situation, you may want to select more or fewer options.
For example, in one scenario, you may want to process the evidence as quickly as possible. In this case, you can use the pre-defined “Field Mode” profile, which deselects almost all processing options and therefore takes the shortest amount of time. After the initial processing, you can perform an Additional Analysis and enable additional processing options.
In another scenario, you may want to take the time to categorize and index files during the initial processing, so
you can enable those options. This will take a significant amount of time for a large evidence set.
Configuring Default Processing Options for a Case
When you create a case, you define the default processing options that are used whenever evidence is added to
that case. By specifying default processing options for a case, you do not have to manually configure the
processing options each time you add new evidence. The case-level defaults can be overridden and customized
when you add new evidence or when you perform an additional analysis.
You configure the default processing options for a case in one of the following ways:
-Using Processing Profiles (page 72)
-Manually Customizing a set of Detailed Options (page 75)
Note: One factor that may influence which processing options to select is your schedule. If you disable
indexing, it shortens case processing time. The case administrator can return at a later time and index the
case if needed. The fastest way to create a case and add evidence is to use Field Mode.
Using Processing Profiles
About Processing Profiles
As an investigator, you may want to be able to save a set of processing options as a profile so that they can be
easily reused. Processing profiles are a saved list of processing options that are stored in the database.
Processing profiles are created at the global level and are available anytime you create a case.
For example, you may need to focus on certain types of data in a case, such as images and videos. In this
example, you can create a processing profile that enables the following processing options:
-KFF
-Expand Compound Files
-Flag Bad Extensions
-Create Thumbnails for Graphics
-Create Thumbnails for Video
-Generate Common Video File
-Explicit Image Detection
-PhotoDNA
Each time you create this kind of case, you can use a profile with these options set as default and you won't
need to manually specify them again.
Processing profiles are used at the case level. Specifically, when you create a case, you can select a processing
profile from a drop-down list as the default processing options for that case. Any time that you add evidence to
that case, the profile's setting will be the default "Refinement Options". This saves you time by not having to
reconfigure processing options each time you add evidence to the case. However, when you add evidence to a
case, you can modify the processing options for that evidence set. The profile is simply a set of default settings
for the case.
Processing profiles are stored in the database. It is important to note that the profile itself does not get saved
with the case but only the processing options that are in the profile.
There are two pre-configured processing profiles:
-AD Standard (these were the Factory Defaults in version 4.x and earlier)
-AD Field Mode
See About Pre-configured Processing Profiles on page 73.
When you create a case, you can use one of the pre-configured profiles or create/select a custom profile. If you
create a custom profile, you can save it with a unique name so that you can re-use it in a different case.
See Creating a Custom Processing Profile (page 73)
Important:
When you create a custom profile, the settings for Custom File Identification or Event Audit Log
options are not stored in the processing profile. The Send Email Alert and Decrypt Credant Files
settings on the Evidence Processing tab are also not stored in the processing profile.
You can also edit, delete, import, or export processing profiles.
See Managing Processing Profiles (page 74)
You can also set custom processing options for a case without saving them to a profile.
See Manually Customizing a set of Detailed Options on page 75.
About Pre-configured Processing Profiles
There are two pre-configured processing profiles. You cannot edit these profiles. However, you can use them as
a template for a new custom profile.
The following are the pre-configured profiles.
AD Standard: Includes the following processing options:
-MD5 Hash
-SHA-1 Hash
-SHA-256 Hash
-Expand common compound files. This expands many types of compound files. See Expanding Compound Files (page 79)
-File Signature Analysis
-dtSearch Text Index
-Create Thumbnails for Graphics
-Include Deleted Files
This list of processing options is the same as the Factory Defaults in version 4.x.
For a description of processing options, see Evidence Processing Options (page 76)
Field Mode: Disables the standard processing options when processing evidence. This speeds up processing. You can then re-enable processing options through Additional Analysis.
See Using Additional Analysis (page 124)
The Job Processing screen always shows 0 for Queued when Field Mode is enabled, because items move directly from Active Tasks to Completed.
Creating a Custom Processing Profile
You can create a processing profile by selecting a set of processing options and then saving them as a profile.
You can create a processing profile at one of the following times:
-Before creating a case
-While configuring processing options for a new case
To create a custom processing profile
1. From the Case Manager do one of the following:
-To create a profile before creating a case, do the following:
1a. Click Manage > Evidence Processing Profiles.
1b. Click New Profile.
-To create a profile while creating a new case, do the following:
1a. Click Case > New.
1b. Next to the Processing Profile field, click Custom.
2. You can use the Profile dropdown to select an existing profile as a template.
3. Do the following:
3a. Click the Evidence Processing icon in the left pane, and select the processing options to be the
default options for the case. For more information, see Evidence Processing Options (page 76).
3b. Click the Evidence Refinement (Advanced) icon to select the evidence refinement options to use
on this case. For more information, see Configuring Evidence Refinement (Advanced) Options
(page 94).
3c. Click the Index Refinement (Advanced) icon to select the index refinement options to use on this
case. For more information, see Selecting Index Refinement (Advanced) Options (page 96).
3d. Click the Evidence Lab/eDiscovery icon to select the advanced options to use on this case. For
more information, see Selecting Lab/eDiscovery Options (page 98).
Important:
When you create a custom profile, the settings for Custom File Identification or Event Audit Log
options are not stored in the processing profile. When you configure these options, the Save As...
profile button is grayed out to signify that they are not saved as part of a profile.
See Managing Custom Identifiers (page 44).
4. When you are satisfied with your options, click Save to Profile... to create the profile.
5. Enter a name for the profile.
-To create a new profile, enter a unique name.
You cannot use AD Standard, AD Field Mode, or Custom.
-To update an existing custom profile, enter the profile name.
6. (Optional) Enter a description of the profile.
7. Click Save.
Managing Processing Profiles
You can do the following to manage processing profiles.
To manage processing profiles
1. In the Case Manager, click Manage > Evidence Processing Profiles.
2. In the Manage Evidence Processing Profiles dialog, select a profile to manage.
3. Select an action to perform on the profile.
4. Click Close.
Edit You can edit an existing custom profile. You cannot edit the AD Standard or AD Field Mode
pre-configured profiles.
To edit a profile, you select an existing profile, make the desired changes, save the profile, and
confirm that you want to replace the existing profile.
Set as Default You can set a processing profile as the global default. Whenever you create a new case, the
default profile is listed.
The default profile is denoted by a green check mark.
Delete You can delete an existing custom profile. You cannot delete the AD Standard or AD Field
Mode pre-configured profiles.
If you delete a custom profile that has been selected as the default, the profile is deleted and
the AD Standard profile becomes the default.
Export You can export a profile so that you can archive it or use it on a different computer. The exported settings are saved in XML format.
Import You can import a profile that has been previously exported.
Manually Customizing a set of Detailed Options
You can configure default processing options for a case without saving them as a profile.
To manually customize the evidence processing options
1. From the New Case Options dialog, click Custom.
1a. Click the Evidence Processing icon in the left pane, and select the processing options to be the
default options for the case. For more information, see Evidence Processing Options (page 76).
1b. Click the Evidence Refinement (Advanced) icon to select the evidence refinement options to use
on this case. For more information, see Configuring Evidence Refinement (Advanced) Options
(page 94).
1c. Click the Index Refinement (Advanced) icon to select the index refinement options to use on this
case. For more information, see Selecting Index Refinement (Advanced) Options (page 96).
1d. Click Custom File Identification to configure Custom Identifiers. For more information, see
Managing Custom Identifiers (page 44).
2. Click OK.
In the Processing Profile field, it will display Custom to show that you did not save the options as a
profile.
3. When you are satisfied with your evidence refinement options, click OK to create the case and continue
to the Evidence Processing screen.
Evidence Processing Options
The following table outlines the Evidence Processing options.
Evidence Processing Options
Process Description
MD5 Hash Creates a digital fingerprint using the Message Digest 5 algorithm, based on the
contents of the file. This fingerprint can be used to verify file integrity and to
identify duplicate files.
SHA-1 Hash Creates a digital fingerprint using the Secure Hash Algorithm-1, based on the
contents of the file. This fingerprint can be used to verify file integrity and to
identify duplicate files.
SHA-256 Hash Creates a digital fingerprint using the Secure Hash Algorithm-256, based on the contents of the file. This fingerprint can be used to verify file integrity and to identify duplicate files. SHA-256 produces a 256-bit digest, longer than the 160-bit SHA-1 digest, and unlike MD5 and SHA-1 it has no known practical collision attacks, so prefer it where a hash will be relied on as proof of integrity.
Flag Duplicate Files Identifies files that are found more than once in the evidence. This is done by
comparing file hashes.
KFF Enables the Known File Filter (KFF), which lets you identify either known insignificant files that you can ignore or known illicit or dangerous files that you want to be alerted to.
When you enable KFF, you must select a KFF Template to use. You can select
an existing KFF Template from the drop-down menu or click ... to create a new
one.
See Using the Known File Filter (KFF) on page 405.
PhotoDNA Enables PhotoDNA which lets you compare images in your evidence against
known images in a library.
See Using PhotoDNA to Compare Images on page 256.
Expand Compound Files Automatically opens and processes the contents of compound files such as ZIP,
email, and OLE files.
See Expanding Compound Files on page 79.
The option File Signature Analysis is not forced to be selected. This lets you
initially see the contents of compound files without necessarily having to process
them. Processing can be done later, if it is deemed necessary or beneficial to the
case by selecting File Signature Analysis.
Include Deleted Files Checked by default. Un-check to exclude deleted files from the case.
File Signature Analysis Analyzes files to indicate whether their headers or signatures match their
extensions. This option must be selected if you choose Registry Summary
Reports.
Flag Bad Extensions Identifies files whose types do not match their extensions, based on the file
header information. This option forces the File Signature Analysis option to be
checked.
Entropy Test Identifies files that are compressed or encrypted.
Compressed and encrypted files identified in the entropy test are not indexed.
dtSearch® Text Index Stores the words from evidence in an index for quick retrieval. Additional space
requirement is approximately 25% of the space required for all evidence in the
case.
Click Indexing Options for extensive options for indexing the contents of the
case.
Generated text that is the result of a formula in a document or spreadsheet is
indexed, and can be filtered.
Create Thumbnails for
Graphics Creates thumbnails for all graphics in a case.
Thumbnails are always created in JPG format, regardless of the original graphic
file type.
See Examining Graphics on page 250.
Create Thumbnails for
Videos Creates thumbnails for all videos in a case.
You can also set the frequency with which video thumbnails are created, either by a percent (1 thumbnail every “n”% of the video) or by interval (1 thumbnail every “n” seconds).
See Examining Videos on page 260.
Generate Common
Video File When you process the evidence in your case, you can choose to create a
common video type for videos in your case. These common video types are not
the actual video files from the evidence, but a copied conversion of the media
that is generated and saved as an MP4 file that can be previewed on the video
tab.
See Examining Videos on page 260.
HTML File Listing Creates an HTML version of the File Listing in the case folder.
CSV File Listing The File Listing Database is now created in CSV format instead of an MDB file
and can be added to Microsoft Access.
Data Carve Carves data immediately after pre-processing. Click Carving Options, then
select the file types to carve. Uses file signatures to identify deleted files
contained in the evidence. All available file types are selected by default.
For more information on Data Carving, see Data Carving (page 84).
Meta Carve Carves deleted directory entries and other metadata. The deleted directory
entries often lead to data and file fragments that can prove useful to the case,
that could not be found otherwise.
Optical Character
Recognition (OCR) Scans graphics files for text and converts graphics-text into actual text. That text
can then be indexed, searched and treated as any other text in the case.
For more detailed information regarding OCR settings and options, see Running
Optical Character Recognition (OCR) (page 89).
Explicit Image Detection Click EID Options to specify the EID threshold for suspected explicit material
found in the case.
See Evaluating Explicit Material on page 253.
EID is an add-on feature. Contact your sales representative for more information.
Registry Reports Creates Registry Summary Reports (RSR) from case content automatically. Click
RSR Directory to specify the location of the RSR Templates. When creating a
report, click the RSR option in the Report Wizard to include the RSR reports
requested here. RSR requires that File Signature Analysis also be selected. If
you try to select RSR first, an error will pop up to remind you to mark File
Signature Analysis before selecting RSR.
Include Deleted Files Enabled by default; to force exclusion of deleted files, unmark this check box.
If you expand data, you will have files that were generated when the data was processed and were not part of the original data. There are tools to help you identify generated data.
See Identifying Processing-Generated Data on page 268.
See Relating Generated Files to Original Files on page 268.
Cerberus Analysis Lets you run the add on module for Cerberus Malware Triage. You can click
Cerberus Options to access additional options.
For more information see About Cerberus Malware Analysis (page 200)
Send Email Alert on Job Completion Opens a text box that allows you to specify an email address where job completion alerts will be sent.
Outgoing TCP traffic to the mail server must be allowed on port 25 (SMTP).
Decrypt Credant Files See Decrypting Credant Files on page 179.
If you select to decrypt Credant files, the File Signature Analysis option will
automatically be selected as well.
Process Browser History for Visualization Processes internet browser history files so that you can see them in the detailed visualization timeline.
See Visualizing Browser History Data on page 294.
Cache Common Filters Disabled by default. Caches commonly viewed files in the File List.
See Caching Data in the File List on page 243.
Perform Automatic Decryption Disabled by default. Attempts to decrypt files using a list of passwords that you provide.
See Decrypting Files Using PRTK/DNA Integration on page 181.
Language Identification Disabled by default. Analyzes the first two pages of every document to identify
the languages contained within. The user will be able to filter by a Language field
within review and determine who needs to review which documents based on the
language contained within the document.
See Identifying Document Languages on page 278.
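The hash, duplicate, signature, bad-extension and entropy rows in the table above describe what processing does but not what its results look like. The following Python script, an added example rather than FTK code, runs a minimal version of those same steps over a handful of constructed sample files: it computes MD5/SHA-1/SHA-256 per file, flags duplicates by SHA-256, compares each file's header against a small signature table to flag bad extensions, and computes Shannon entropy to flag compressed or encrypted content. The signature table, the 7.5 bits-per-byte entropy threshold, the sample files and all function names are assumptions made for this example.

```python
"""Added example (not FTK code): a minimal evidence-processing pass over sample files."""
import hashlib
import math
import random
from collections import defaultdict

# Assumed signature table: header bytes -> extensions that legitimately carry them.
SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"%PDF-": {"pdf"},
    b"MZ": {"exe", "dll"},
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "compressed or encrypted"


def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the file contents (the three Hash options)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def signature_type(data: bytes):
    """Extension set matching the header, or None when the header is unknown."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; compressed or encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def process(files: dict) -> dict:
    """files: {name: bytes}. Returns one result dict per file."""
    results, by_hash = {}, defaultdict(list)
    for name, data in files.items():
        digests = hashes(data)
        by_hash[digests["sha256"]].append(name)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        sig = signature_type(data)
        entropy = shannon_entropy(data)
        results[name] = {
            **digests,
            "signature": sorted(sig)[0] if sig else "unknown",       # File Signature Analysis
            "bad_extension": sig is not None and ext not in sig,    # Flag Bad Extensions
            "entropy": round(entropy, 2),
            "high_entropy": entropy >= ENTROPY_THRESHOLD,            # Entropy Test
        }
    for name, r in results.items():
        r["duplicate"] = len(by_hash[r["sha256"]]) > 1               # Flag Duplicate Files
    return results


# Constructed sample evidence (not real case data).
_rand = random.Random(7)
SAMPLE = {
    "report.pdf": b"%PDF-1.4\n" + b"plain report text " * 50,
    "copy_of_report.pdf": b"%PDF-1.4\n" + b"plain report text " * 50,  # identical content
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 200,
    "invoice.txt": b"\xff\xd8\xff\xe0" + b"\x01" * 200,  # JPEG header, wrong extension
    "notes.txt": b"meeting notes " * 100,
    "secret.bin": _rand.getrandbits(8 * 4096).to_bytes(4096, "big"),  # stands in for ciphertext
}

if __name__ == "__main__":
    for name, r in process(SAMPLE).items():
        print(f"{name:20} sig={r['signature']:8} bad_ext={r['bad_extension']!s:5} "
              f"dup={r['duplicate']!s:5} entropy={r['entropy']:.2f} sha256={r['sha256'][:16]}...")
```

Two details carry over to the real tool: a bad-extension flag can only be raised for headers the signature table knows, so an unknown header is reported as unknown rather than as a mismatch, and an entropy test cannot tell encryption from compression, which is why the table above says both are excluded from indexing.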
Expanding Compound Files
You can expand individual compound file types. This lets you see child files that are contained within a container
such as ZIP files. You can access this feature from the Case Manager’s new case wizard, or from the Add
Evidence or Additional Analysis dialogs.
See Evidence Processing Options on page 76.
Unless noted, the following file types are expanded by default.
If you expand data, you will have files that are generated when the data was processed and were not part of the
original data. There are tools to help you identify generated data.
See Identifying Processing-Generated Data on page 268.
See Relating Generated Files to Original Files on page 268.
You can expand the following compound files:
7-ZIP
Active Directory
AOL Files
Blackberry IPD backup file
BZIP2
Chrome Bookmarks Not expanded by default. See About Expanding Google Chrome and IE
9 Data on page 282.
Chrome Cache Not expanded by default. See About Expanding Google Chrome and IE
9 Data on page 282.
Chrome SQLite Not expanded by default. See About Expanding Google Chrome and IE
9 Data on page 282.
DBX
ESE DB Expands ESE (Extensible Storage Engine) databases. See About
Extensible Storage Engine (ESE) Databases on page 281.
EMFSPOOL
EVTX Not expanded by default. See Viewing Data in Windows XML Event Log
(EVTX) Files on page 269.
EXIF
GZIP
IE Recovery Not expanded by default. Expands IE Recovery data that was stored
when access to a Web site was lost.
See Expanding Internet Artifact Data on page 285.
IE WebCache Not expanded by default. Expands the Web cache data for IE 10 and
later IE versions. See About Expanding Data from Internet Explorer (IE)
Version 10 or Later on page 283.
IIS log files Not expanded by default. See Viewing IIS Log File Data on page 271.
Internet Explorer Files Expands Internet Explorer internet artifact data.
See Expanding Internet Artifact Data on page 285.
Log2t CSV Not expanded by default. This processing option recognizes CSV files that are in the Log2timeline format and parses the data within the single CSV into individual records within the case. The individual records from the CSV are interspersed with other data, giving you the ability to perform more advanced timeline analysis across a very broad set of data. In addition, you can leverage the visualization engine to perform more advanced timeline-based visual analysis.
See Viewing Log2Timeline CSV File Data on page 275.
Lotus Notes (NSF)
MBOX
Mail.ru Chat Parses Mail.RU Agent chat history files and email (mra.dbs).
See Examining Internet Artifact Data (page 280).
Microsoft Exchange
MS Office, OLE and OPC documents
MSG
PDF
PKCS7 and S/MIME Files
PST
RAR
Registry Not expanded by default. See Viewing Registry Timeline Data on page 273.
RFC822 Email
SQLite Databases
TAR
Windows Thumbnails
ZIP, including ZIPX
Be aware of the following before you expand compound files:
-If you have labeled or hashed a family of files, and later choose to expand a compound file type that is contained within that label or family, the newly expanded files do not inherit the labeling from the parent, and the family hashes are not automatically regenerated.
-Many Lotus Notes emails (*.NSF) are placed in the wrong folders in the Examiner.
This is a known issue: Lotus Notes routinely deletes the collection indexes. The Lotus Notes client can rebuild the collections from the formulas, but the Examiner cannot. So if Lotus Notes data is acquired shortly after the collections have been cleared, the Examiner does not know where to put the emails, and they are all placed in a folder named "[other1]."
To work around this: open the NSF file in the Lotus Notes client, then close it (you may need to save), then acquire the data and process it. The emails will all be in the right folder because the view collections have been recreated.
-Compound file types such as AOL, Blackberry IPD Backup, EMFSpool, EXIF, MSG, PST, RAR, and ZIP can be selected individually for expansion. This feature is available from the Case Manager new case wizard, or from the Add Evidence or Additional Analysis dialogs.
-Only the file types selected are expanded. For example, if you select ZIP, and a RAR file is found within the ZIP file, the RAR is not expanded.
To expand compound files
1. Do one of the following:
-For new cases, in the New Case Options dialog click Detailed Options.
-For existing cases, in the Examiner, click Evidence > Additional Analysis.
2. Select Expand Compound Files.
The option File Signature Analysis is no longer forced to be checked when you select Expand
Compound Files. This lets you see the contents of compound files without necessarily having to
process them. You can choose to process them later, if it is deemed necessary or beneficial to the case.
3. Select Include Deleted Files if you also want to expand deleted compound files.
4. Click Expansion Options.
5. In the Compound File Expansions Options dialog do the following:
-If you do not want to expand office documents that do not have embedded items, select Only
expand office documents with embedded items.
-Select the types of compound files that you want to expand.
Only the file types that you select are expanded. For example, if you select ZIP, and a RAR file is
contained within the ZIP file, then the RAR is not expanded.
Note: The option File Signature Analysis is not forced to be selected. This lets you initially see the
contents of compound files without necessarily having to process them. Processing can be done
later, if it is deemed necessary or beneficial to the case by selecting File Signature Analysis.
6. In the Compound File Expansions Options dialog, click OK.
7. Click OK.
Using dtSearch Text Indexing
The following indexing options are available to choose from when creating a new case.
Indexing a Case
All evidence should be indexed to aid in searches. Index evidence when it is added to the case by checking the
dtSearch Text Index box on the Evidence Processing Options dialog, or index after the fact by clicking and
specifying indexing options.
Scheduling is another factor in determining which process to select. Time constraints may not allow for all tasks to
be performed initially. For example, disabling indexing shortens the time needed to process a case; you
can return at a later time and index the case if needed.
dtSearch Indexing Space Requirements
To estimate the space required for a dtSearch Text index, plan on approximately 25% of the space needed for
each case’s evidence.
Configuring Case Indexing Options
Case Indexing gives you almost complete control over what goes in your case index. These options can be
applied globally from Case Manager.
Note: Search terms for pre-processing options support only ASCII characters.
These options must be set prior to case creation.
To set Indexing Options as the global default
1. In Case Manager, click Case > New > Detailed Options.
2. In the Evidence Processing window, mark the dtSearch Text Index check box.
3. Click Indexing Options to bring up the Indexing Options dialog box.
4. Set the options using the information in the following table:
dtSearch Indexing Options
Letters: Specifies the letters and numbers to index. Specifies Original, Lowercase, Uppercase, and Unaccented. Choose Add or Remove to customize the list. You may need to add characters to this list for specific index searches to function properly. For example, you may want to do an index search for ‘name@domain.com’. By default, the @ symbol is treated as a space and is not indexed. See Spaces on page 83. To have the @ symbol included in the index, you would need to do two things:
-Remove the @ from the Spaces list.
-Add the @ to the Letters list.
Noise Words: A list of words to be considered “noise” and ignored during indexing. Choose Add or Remove to customize the list.
Hyphens: Specifies which characters are to be treated as hyphens. You can add standard keyboard characters, or control characters. You can remove items as well.
Hyphen Treatment: Specifies how hyphens are to be treated in the index. Options are:
-Ignore: Hyphens will be treated as if they never existed. For example, the term “counter-culture” would be indexed as “counterculture.”
-Hyphen: Hyphens will be treated literally. For example, the term “counter-culture” would be indexed as “counter-culture.”
-Space: Hyphens will be replaced by a non-breaking space. For example, the term “counter-culture” would be indexed as two separate entries in the index, “counter” and “culture.”
-All: Terms with hyphens will be indexed using all three hyphen treatments. For example, the term “counter-culture” will be indexed as “counterculture”, “counter-culture”, and as two separate entries in the index, “counter” and “culture.”
Spaces: Specifies which special characters should be treated as spaces. Remove characters from this list to have them indexed as any other text. Choose Add or Remove to customize the list. You may need to remove characters from this list for specific index searches to function properly. For example, you may want to do an index search for ‘name@domain.com’. By default, the @ symbol is treated as a space and is not indexed. To have the @ symbol included in the index, you would need to do two things:
-Remove the @ from the Spaces list.
-Add the @ to the Letters list.
Ignore: Specifies which control characters or other characters to ignore. Choose Add or Remove to customize the list.
Max Word Length: Allows you to set a maximum word length to be indexed.
Index Binary Files: Specifies how binary files will be indexed. Options are:
-Index all
-Skip
-Index all (Unicode)
Enable Date Recognition: Choose to enable or disable this option.
Presumed Date Format For Ambiguous Dates: If date recognition is enabled, specifies which format to presume for ambiguous dates encountered during indexing. Options are:
-MM/DD/YY
-DD/MM/YY
-YY/MM/DD
Set Max Memory: Allows you to set a maximum size for the index.
Auto-Commit Interval (MB): Allows you to specify an Auto-Commit Interval while indexing the case. When the index reaches the specified size, the indexed data is saved to the index. The size resets, and indexing continues until it reaches the maximum size, and saves again, and so forth.
Note: The Indexing Options dialog does not support some Turkish characters.
5. When finished setting Indexing Options, click OK to close the dialog.
6. Complete the Detailed Options dialog.
7. Click OK to close the Detailed Options dialog.
8. Specify the path and filename for the Default Options settings file.
9. Click Save.
10. In the Case Manager, click Case > New.
11. Proceed with case creation as usual. There is no need to click Detailed Options again when creating the case to select options, unless you wish to use different settings for this case.
In addition to performing searches within the case, you can also use the index to export a word list to use as a source file for custom dictionaries, improving the likelihood and speed of password recovery related to case files when using the Password Recovery Toolkit (PRTK). You can export the index by selecting File > Export Word List. See also Searching Evidence with Index Search (page 311).
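As an added illustration of how the Letters, Spaces, Hyphens and Hyphen Treatment options interact (example code written for this guide, not part of dtSearch or FTK; the default character and noise-word lists are constructed assumptions, not the product's real defaults), the following Python models term generation for the guide's own ‘name@domain.com’ and “counter-culture” cases:

```python
"""Model of the dtSearch index options described above: Letters, Spaces,
Hyphens, Hyphen Treatment, Ignore, Noise Words and Max Word Length.
Added illustration, not dtSearch or FTK code; the default character and
noise-word lists below are constructed, not the product's real defaults."""
from dataclasses import dataclass, field
from typing import List, Set

# Per the guide, '@' sits in the Spaces list by default, so "name@domain.com"
# is cut into separate terms unless '@' is moved to the Letters list.
_LETTERS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
_SPACES = set(" \t\r\n!\"#$%&'()*+,./:;<=>?@[\\]^`{|}~")
_NOISE = {"the", "a", "an", "and", "of", "to"}


@dataclass
class IndexOptions:
    letters: Set[str] = field(default_factory=lambda: set(_LETTERS))
    spaces: Set[str] = field(default_factory=lambda: set(_SPACES))
    hyphens: Set[str] = field(default_factory=lambda: {"-"})
    ignore: Set[str] = field(default_factory=lambda: {"\x00", "\x1f"})  # control chars
    noise_words: Set[str] = field(default_factory=lambda: set(_NOISE))
    hyphen_treatment: str = "Ignore"   # Ignore | Hyphen | Space | All
    max_word_length: int = 64

    def index_as_letters(self, chars: str) -> "IndexOptions":
        """The two-step change the guide describes for '@': remove the
        character from the Spaces list and add it to the Letters list."""
        for c in chars:
            self.spaces.discard(c)
            self.letters.add(c)
        return self


def _split_words(text: str, opts: IndexOptions) -> List[str]:
    """Cut text into raw words: Ignore characters are dropped, and anything
    that is neither a letter nor a hyphen (the Spaces list included) ends
    the current word."""
    words, cur = [], []
    for ch in text:
        if ch in opts.ignore:
            continue
        if ch in opts.letters or ch in opts.hyphens:
            cur.append(ch)
        elif cur:
            words.append("".join(cur))
            cur = []
    if cur:
        words.append("".join(cur))
    return words


def _hyphen_forms(word: str, opts: IndexOptions) -> List[str]:
    """Expand one raw word according to the Hyphen Treatment setting."""
    if not any(c in opts.hyphens for c in word):
        return [word]
    parts, cur = [], []
    for ch in word:
        if ch in opts.hyphens:
            if cur:
                parts.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    joined = "".join(parts)
    forms = {
        "Ignore": [joined],              # "counter-culture" -> "counterculture"
        "Hyphen": [word],                # literal "counter-culture"
        "Space": parts,                  # "counter", "culture"
        "All": [joined, word] + parts,   # all three treatments at once
    }
    return forms[opts.hyphen_treatment]


def index_terms(text: str, opts: IndexOptions = None) -> List[str]:
    """Return the terms that would be written to the index for text. Terms are
    folded to lowercase, mirroring the Lowercase choice under Letters."""
    opts = opts or IndexOptions()
    terms = []
    for word in _split_words(text, opts):
        for form in _hyphen_forms(word, opts):
            term = form.lower()
            if not any(c in opts.letters for c in term):   # e.g. a lone "--"
                continue
            if len(term) > opts.max_word_length or term in opts.noise_words:
                continue
            terms.append(term)
    return terms


if __name__ == "__main__":
    text = "Send the report to name@domain.com"
    print(index_terms(text))                                  # '@' is a space
    print(index_terms(text, IndexOptions().index_as_letters("@")))
    for mode in ("Ignore", "Hyphen", "Space", "All"):
        print(mode, index_terms("counter-culture", IndexOptions(hyphen_treatment=mode)))
```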
Data Carving
Data carving is the process of looking for data on media that was deleted or lost from the file system. Often this
is done by identifying file headers and/or footers, and then “carving out” the blocks between these two
boundaries.
AccessData provides several specific pre-defined carvers that you can select when adding evidence to a case.
In addition, Custom Carvers allow you to create specific carvers to meet your exact needs.
Data carving can be selected in the New Case Wizard as explained below, or from within the Examiner. In
addition, because Custom Carvers are now a Shared feature, they can be accessed through the Manage menu.
These are explained below.
Pre-defined Carvers
The following pre-defined carvers are available. Some carvers are enabled by default.
Pre-defined Carvers
Carver Enabled by default?
AOL bag files Yes
BMP files Yes
EMF files Yes
GIF files Yes
HTML files Yes
JPEG files Yes
LNK files Yes
OLE files (MS Office) Yes
PDF files Yes
PNG files Yes
TIFF files Yes
ZIP files Yes
AIM Chat Logs No
Facebook Status Updates No
Facebook Chat No
Facebook Email Artifact No
Facebook Mail Snippets No
Facebook Fragment No
Gmail Email Message No
Gmail Parsed Email No
Google Talk Chats No
Hotmail Email Artifact No
Bebo Chat No
Firefox Form History No
Firefox Places No
Firefox Session Store No
Frostwire Props Files No
GigaTribe Chat No
IE8 Recovery URL No
Limewire Props No
Limewire/Frostwire Keyword Search No
mIRC Chat Log No
MySpace Chat No
Twitter Status No
Windows Messenger Plus w/chat logging No
MSN/WLM Chat No
Yahoo Diagnostic No
Yahoo Webmail Chat No
Yahoo Mail No
Yahoo Group Chat Recvd No
Yahoo Group Chat Sent No
Yahoo Chat No
Yahoo Chat UnAllocated No
Yahoo Unencrypted Active No
Ares P2P No
Chrome History No
Dropbox No
eMule No
Facebook No
Flickr No
Google Docs No
Google Drive No
Google Plus No
Google Plus Chat No
Hotmail No
ICQ 7M Chat History No
Explorer 10 No
Safari No
Shareaza No
SkyDrive No
Skype, Skype 3 No
Torrent No
Twitter No
World of Warcraft No
Selecting Data Carving Options
If you are unfamiliar, please review Creating a Case (page 69) and Configuring Detailed Options for a Case
(page 70) before beginning this section.
When you are in the New Case Wizard in Detailed Options > Evidence Processing, click Data Carve >
Carving Options to open the dialog shown below.
If you already have a case open with evidence added and processed, click the following:
-Evidence > Additional Analysis > Data Carve > Carving Options
Standard Data Carving gives you a limited choice of which file types to carve.
Choose which types of data to carve according to the information below.
To set Data Carving options
1. Select Data Carve.
2. Click Carving Options.
3. Select the types of files you want carved.
-Click Select All to select all file types to be carved.
-Click Clear All to unselect all file types.
-Click on individual file types to toggle either selected or unselected.
Note: It may help to be aware of the duplicate files and the number of times they appear in an evidence
set to determine intent.
4. Depending on the file type highlighted, the Selected Carver Options may change. Define the optional
limiting factors to be applied to each file:
-Define the minimum byte file size for the selected type.
-Define the minimum pixel height for graphic files.
-Define the minimum pixel width for graphic files.
5. Mark the box, Exclude KFF Ignorable files if needed.
6. If you want to define Custom Carvers, click Custom Carvers. (Custom Carvers are explained in the
next section.) When you are done with Custom Carvers, click Close.
7. In the Carving Options dialog, click OK.
Custom Carvers
The Custom Carvers dialog allows you to create your own data carvers in addition to the built-in carvers. Custom
Carvers can be created and shared from within a case, or from the Case Manager.
Application Administrators have the necessary permissions to access the Manage Shared Carvers dialog. Case
Administrators can manage the Custom Carvers in the cases they administer. Case Reviewers are not allowed
to manage Custom Carvers.
Shared Custom Carvers are automatically available globally, but can be copied to a case when needed. Carvers
created within a case are automatically available to the case, but can be shared and thus made available
globally.
To access the Manage Custom Carvers dialogs, click Manage > Carvers > Manage Custom Carvers (or Manage
Shared Carvers if you are an Application Administrator).
The Manage Shared Custom Carvers and Manage Custom Carvers dialogs are very similar. The difference is
whether you can copy the carvers to a case or make the carvers shared.
The Custom Carvers dialog allows you to define carving options for specific file types or information beyond
what is built-in. Once defined, these carving options files can be Shared with the database as well as exported
and imported for use in other cases. The original, local copy, remains in the case where it was created, for local
management.
To create a Custom Data Carver
1. Click New.
2. Complete the data fields for the Custom Carver you are creating. Options are as follows:
Name: Name of the carver.
Author: Name of the creator.
Description: Summarizes the intended use of the carver.
Minimum File Size in bytes (Optional)
Maximum File Size in bytes (Optional): The default Custom Carver Maximum File Size is 2147483647 bytes. The carver Max File Size in bytes must be populated with any size larger than the defined Minimum File Size in bytes (default is 0). A Maximum File Size equal to or less than the minimum size, or <no entry>, results in an error prompting for a valid number to be entered.
File extension: Defining the extension of the carved file helps with categorization, sorting, and filtering carved files along with other files in the case.
Key Signature(s) and Other Signature(s): Enter the ASCII text interpretation of the file signature as seen in a hex viewer. Many can be defined, but at least one key signature must be present in the file in order for it to be carved. Click the + icon to begin defining a new Key Signature or Other Signature. Click the - icon to remove a defined Key Signature or Other Signature.
File Category: The File Category the carved item will belong to once it is carved. The specified category must be a leaf node in the Overview tab.
Offset: Use a decimal value.
Length: The length in bytes.
Little Endian: If not marked, indicates Big Endian.
Signature: Enter the ASCII text interpretation of the file signature as seen in a hex viewer.
Case Insensitive: Default is case sensitive. Mark to make the end File Tag Signature not case sensitive.
3. When done defining the Custom Carver, click Close.
Note: When adding signatures to a carver, the Signature is case sensitive check box is used when carving for signatures that can be either upper or lower case. For example, <HTML> and <html> are both acceptable headers for HTML files, but each of these would have a different signature in hex, so therefore they are case sensitive.
-The objects and files carved from default file types are automatically added to the case, and can be searched, bookmarked, and organized along with the existing files. However, custom carved data items are not added to the case until they are processed, and they may not sort properly in the File List view. They are added to the bottom of the list, or at the top for a Z-to-A search, regardless of the filename.
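To make the carver fields concrete, here is an added Python model (not FTK's carving engine, and not code from the guide) of a header/footer carver driven by the fields above: a key signature with its Offset, the Little Endian and Case Insensitive flags, an optional footer, and the Minimum/Maximum File Size checks the dialog enforces. The HTML sample buffer is constructed, and modelling Little Endian as byte reversal is an assumption.

```python
"""Header/footer carver driven by the Custom Carver fields described above:
key signature with Offset, Little Endian, Case Insensitive, an optional
footer, and the Minimum/Maximum File Size checks. Added illustration, not
FTK's carving engine; the sample buffer is constructed, and modelling
Little Endian as byte reversal is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_MAX_FILE_SIZE = 2147483647   # the dialog's default Maximum File Size


@dataclass
class Signature:
    text: str                       # ASCII rendering as seen in a hex viewer
    offset: int = 0                 # decimal offset inside the carved file
    little_endian: bool = False     # assumption: modelled as byte reversal
    case_insensitive: bool = False  # <HTML> and <html> differ in hex otherwise

    def pattern(self) -> "re.Pattern":
        raw = self.text.encode("latin-1")
        if self.little_endian:
            raw = raw[::-1]
        return re.compile(re.escape(raw), re.IGNORECASE if self.case_insensitive else 0)


@dataclass
class CarvedFile:
    offset: int        # where the carved file starts in the source buffer
    data: bytes
    extension: str


@dataclass
class CustomCarver:
    name: str
    extension: str
    key_signatures: List[Signature]
    footer: Optional[Signature] = None
    min_size: int = 0
    max_size: int = DEFAULT_MAX_FILE_SIZE

    def validation_errors(self) -> List[str]:
        """The checks the dialog performs before a carver can be used."""
        errors = []
        if not self.key_signatures:
            errors.append("at least one key signature must be defined")
        if self.max_size <= self.min_size:
            errors.append("Maximum File Size must be larger than Minimum File Size")
        return errors

    def carve(self, data: bytes) -> List[CarvedFile]:
        errors = self.validation_errors()
        if errors:
            raise ValueError("; ".join(errors))
        # Every key-signature hit is a candidate file start: the hit position
        # minus the signature's declared offset inside the file.
        starts = set()
        for sig in self.key_signatures:
            for m in sig.pattern().finditer(data):
                if m.start() >= sig.offset:
                    starts.add(m.start() - sig.offset)
        carved, last_end = [], 0
        for start in sorted(starts):
            if start < last_end:           # hit lies inside an already carved file
                continue
            limit = min(len(data), start + self.max_size)
            end = limit                    # no footer: carve up to Maximum File Size
            if self.footer is not None:
                found = self.footer.pattern().search(data, start + 1, limit)
                if found:
                    end = found.end()
            if end - start < self.min_size:
                continue                   # shorter than Minimum File Size
            carved.append(CarvedFile(start, data[start:end], self.extension))
            last_end = end
        return carved


# HTML carver with header and footer both case-insensitive, per the note above.
HTML_CARVER = CustomCarver(
    name="HTML pages", extension="html",
    key_signatures=[Signature("<html>", case_insensitive=True)],
    footer=Signature("</html>", case_insensitive=True),
    min_size=16, max_size=100)

# Constructed unallocated-space sample: two complete pages in different case,
# then a footer-less fragment that falls under the minimum size.
SAMPLE_SPACE = (b"\x00" * 17 + b"<html><body>first page</body></html>" + b"\xff" * 9
                + b"<HTML>SECOND</HTML>" + b"junk" + b"<html>tiny" + b"\x00" * 5)

if __name__ == "__main__":
    for f in HTML_CARVER.carve(SAMPLE_SPACE):
        print(f"offset {f.offset}: {len(f.data)} bytes -> {f.data!r}")
```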
Running Optical Character Recognition (OCR)
The Optical Character Recognition (OCR) process lets you extract text that is contained in graphics files. The
text is then indexed so that it can be searched and bookmarked.
Running OCR against a file type creates a new child file item. The graphic files are processed normally, and
another file with the parsed text from the graphic is created. The new OCR file is named the same as the parent
graphic, [graphicname.ext], but with the extension OCR, for example, graphicname.ext.ocr.
You can view the graphic files in the File Content View when one is selected in the File List View. The Natural tab
shows the graphic in its original form. The Filtered tab shows the OCR text that was added to the index.
Before running OCR, be aware of the following:
-OCR is only a helpful tool for the investigator to locate images from index searches. OCR results should
not be considered evidence without further review.
-OCR can have inconsistent results. OCR engines by nature have error rates. This means that it is
possible to have results that differ between processing jobs on the same machine with the same piece of
evidence.
-Some large images can cause OCR to take a very long time to complete. Under some circumstances,
they may not generate any output.
-Graphical images that have no text or pictures with unaligned text can generate bad output.
-OCR is best on typewritten text that is cleanly scanned or similarly generated. All other picture files can
generate unreliable output that can vary from run to run.
To run Optical Character Recognition
1. Do one of the following:
-For new cases, in the New Case Options dialog click Detailed Options.
-For existing cases, in the Examiner, click Evidence > Additional Analysis.
2. Select Optical Character Recognition. OCR requires File Signature Analysis and dtSearch Indexing
to be selected. When Optical Character Recognition is marked, the other two options are automatically
marked and grayed-out to prevent inadvertent mistakes, and ensure successful processing.
3. Click OCR Options.
4. In the OCR Options dialog, select from the following options:
TABLE 5-1
File Types: Lets you specify which file types to include in the OCR process during case processing. For PDF files, you can also control the maximum filtered text size against which to run OCR.
Filtering Options: Lets you specify a range in file size to include in the OCR process. You can also specify whether to run OCR only against black-and-white and grayscale images. The Restrict File Size option is selected by default. By default, OCR file generation is restricted to files larger than 5K. If you do not want to limit the size of OCR files, you must disable this option.
Engine: Lets you choose the OCR engine to use.
5. In the OCR Options dialog, click OK.
6. In the Evidence Processing dialog, click OK.
Using Explicit Image Detection
About Explicit Image Detection
Explicit Image Detection (EID) is an add-on feature. Contact your sales representative for more information. EID
reads all graphics in a case and assigns a score to both the files and the folders that contain them,
according to what it interprets as being possibly illicit content. The score ranges are explained later in this
section.
To add EID evidence to a case
1. Click Evidence > Add/Remove.
2. In the Detailed Options > Evidence Processing dialog, ensure that File Signature Analysis is
marked.
3. Select Explicit Image Detection
4. Click EID Options. The three EID options are profiles that indicate the type of filtering that each one does. You can choose any combination of the following profiles depending on your needs:
TABLE 5-2
X-DFT, Default (XS1): This is the most generally accurate. It is always selected.
X-FST, Fast (XTB): This is the fastest. It scores a folder by the number of files it contains that meet the criteria for a high likelihood of explicit material. It is built on a different technology than X-DFT and does not use “regular” DNAs. It is designed for very high volumes, or real-time page scoring. Its purpose is to quickly reduce, or filter, the volume of data to a meaningful set.
X-ZFN, Less False Negatives (XT2): This is a profile similar to X-FST but with more features and with fewer false negatives than X-DFT. You can apply this filter after initial processing to all evidence, or to only the folders that score highly using the X-FST option. Check-mark or highlight those folders to isolate them for Additional Analysis. In Additional Analysis, File Signature Analysis must be selected for EID options to work correctly.
5. When the profile is selected, click OK to return to the Evidence Processing dialog and complete your selections.
AccessData recommends that you run Fast (X-FST) for folder scoring, and then follow with Less False Negatives (X-ZFN) on high-scoring folders to achieve the fastest, most accurate results.
After you select EID in Evidence Processing or Additional Analysis, and the processing is complete, you must select or modify a filter to include the EID related columns in the File List View.
Including Registry Reports
The Registry Viewer supports Registry Summary Report (RSR) generation as part of case processing.
To generate Registry Summary Reports and make them available for the case report
1. Ensure that File Signature Analysis is marked.
2. Mark Registry Reports.
3. Click RSR Directory.
4. Browse to the location where your RSR templates are stored.
5. Click OK.
Send Email Alert on Job Completion
You can select to send an email notification when a job completes.
This option is also available from Evidence > Additional Analysis. Enter the email address of the recipient in
the Job Completion Alert Address box, then click OK.
Note: Outgoing TCP traffic must be allowed on port 25.
Custom File Identification Options
Custom File Identification provides the examiner a way to specify which file category or extension should be
assigned to files with a certain signature. These dialogs are used to manage custom identifiers and extension
maps specific to the case.
In Detailed Options, the Custom File Identification dialog lets you select the Custom Identifier file to apply to the
new case. This file is stored on the system in a user-specified location. You can browse to the location by
clicking Browse, or reset it to the root drive folder by clicking Reset.
Creating Custom File Identifiers
Custom File Identifiers are used to assign categories to files that may or may not already be automatically
categorized in a way that is appropriate for the case. For example, a file that is discovered, but not categorized,
will be found under the “Unknown Types” category. You can prevent this categorization before the evidence is
processed by selecting a different category and sub-category.
Custom Identifiers provide a way for you to create and manage identifiers, and categorize the resulting files into
any part of the category tree on the Overview tab. You can select from an existing category, or create a new one
to fit your needs.
You can define identifiers using header information expected at a specific offset inside a file, and in addition
you can categorize files based on extension.
Note: PDF files are now identified through the PDF file system and will no longer be identified through Custom
File Identification.
To create a Custom Identifier file
1. In the Case Manager, click Case > New > Detailed Options.
2. Click Custom File Identification.
3. Below the Custom Identifiers pane on the left of the Custom File Identification dialog, click New. The
Custom Identifier dialog opens.
4. Fill in the fields with the appropriate values. The following table describes the parameters for Custom File Identifiers:
TABLE 5-3
Name: The value of this field defines the name of the sub-category that will appear below the selected Overview Tree category and in the category column.
Description: Accompanies the Overview Container’s tree branch name.
Category: The general file category to which all files with a matching file signature should be associated.
Offset: The decimal offset of where the unique signature (see Value) can be found within the file, given that the beginning of the file is offset 0.
Value: Any unique signature of the file expressed in hexadecimal bytes.
Note: The Offset must be in decimal format, and the Value must be in hexadecimal bytes. Hex strings in the Offset field cause an exception error: “Exception: string_to_int: conversion failed was thrown.”
Important: After creating a Case Custom File Identifier, you must apply it, or it will not be saved.
5. When you are done defining the Custom File Identifier, click Make Shared to share it to the database. This action saves it so the Application Administrator can manage it.
6. Click OK to close the dialog. Select the identifier you just created and apply it to the case you are creating. Otherwise it will not be available locally in the future.
Custom Case Extension Maps
Extension Maps can be used to define or change the category associated to any file with a certain file extension.
For example, files with BAG extension, which would normally be categorized as “Unknown Type,” can be
categorized as an AOL BAG file, or files with a MOV extension, that would normally be categorized as Apple
QuickTime video files, can be changed to show up under a more appropriate category since they can sometimes
contain still images.
To create a Case Custom Extension Mapping
1. Within the Detailed Options dialog of the New Case wizard, select Custom File Identification on the
left hand side.
2. Under the Extension Maps column, click New.
3. Fill in the fields with the appropriate values.
4. Mark Make Shared to share this Custom Extension Mapping with the database.
Shared features such as Custom Extension Mappings are managed by the Application Administrator.
Your copy remains in the case for you to manage as needed.
The following table describes the parameters for Custom Extension Mappings.
Note: You must use at least one offset:value pair (hence the [...]+), and use zero or more OR-ed offset:value pairs (the [...]*). All of the offset:value conditions in an OR-ed group are OR-ed together, then all of those groups are AND-ed together.
TABLE 5-4
Name: The value of this field defines the name of the sub-category that will appear below the selected Overview Tree category and in the category column.
Category: The general file category to which all files with a matching file signature should be associated.
Description: Accompanies the Overview Container’s tree branch name.
Extensions: Any file extension that should be associated to the selected Category.
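The matching rules from the Custom File Identifier section (decimal Offset, hexadecimal Value, OR-ed groups AND-ed together) and from the Extension Maps section, as an added Python illustration that is not FTK code: the identifier, category names and file contents are constructed, and trying signature identifiers before extension maps is an assumption.

```python
"""Custom File Identifier and Extension Map matching as described above: an
identifier signature is one or more groups of offset:value pairs, OR-ed inside
a group and AND-ed across groups; an extension map assigns a category by
extension alone. Added illustration, not FTK code; the identifier, category
names and file contents are constructed, and trying signature identifiers
before extension maps is an assumption."""
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple


def parse_offset(text: str) -> int:
    """Offsets must be decimal. A hex string here is the mistake the guide
    warns about, so it is rejected rather than silently misread."""
    if not text.strip().isdigit():
        raise ValueError(f"Offset must be decimal, got {text!r}")
    return int(text)


def parse_value(text: str) -> bytes:
    """Values are hexadecimal bytes; spaces between bytes are tolerated."""
    return bytes.fromhex(text)


def _value_at(data: bytes, offset: str, hexvalue: str) -> bool:
    off, sig = parse_offset(offset), parse_value(hexvalue)
    return data[off:off + len(sig)] == sig


@dataclass
class CustomIdentifier:
    name: str          # sub-category shown under the chosen Overview category
    category: str
    # [[(offset, hex), (offset, hex)], [(offset, hex)]]: OR within a group,
    # AND across groups; at least one group is required (the [...]+ rule).
    signature: Sequence[Sequence[Tuple[str, str]]]
    description: str = ""

    def matches(self, data: bytes) -> bool:
        if not self.signature:
            return False
        return all(any(_value_at(data, off, val) for off, val in group)
                   for group in self.signature)


@dataclass
class ExtensionMap:
    name: str
    category: str
    extensions: Set[str]

    def matches(self, filename: str) -> bool:
        ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
        return ext.upper() in {e.upper() for e in self.extensions}


def categorize(filename: str, data: bytes, identifiers: List[CustomIdentifier],
               extension_maps: List[ExtensionMap]) -> Tuple[str, str]:
    """Return (category, sub-category): signature identifiers first, then
    extension maps, otherwise the guide's "Unknown Types" bucket."""
    for ident in identifiers:
        if ident.matches(data):
            return (ident.category, ident.name)
    for emap in extension_maps:
        if emap.matches(filename):
            return (emap.category, emap.name)
    return ("Unknown Types", "")


# Constructed identifier: "LOG1" or "LOG2" at offset 0 (one OR-ed group), AND
# the version bytes 00 00 00 01 at offset 8 (a second group).
APP_LOG = CustomIdentifier(
    name="AppLog v1", category="Logs",
    signature=[[("0", "4C 4F 47 31"), ("0", "4C 4F 47 32")], [("8", "00000001")]])

# The guide's own extension-map example: BAG files recategorized as AOL BAG files.
AOL_BAG = ExtensionMap(name="AOL BAG file", category="AOL", extensions={"bag"})

if __name__ == "__main__":
    sample = b"LOG2" + b"\x00" * 4 + b"\x00\x00\x00\x01" + b"payload"
    print(categorize("trace.dat", sample, [APP_LOG], [AOL_BAG]))
    print(categorize("mail.bag", b"\x00" * 16, [APP_LOG], [AOL_BAG]))
```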
Configuring Evidence Refinement (Advanced) Options
The Evidence Refinement Options dialogs allow you to specify how the evidence is sorted and displayed. The
Evidence Refinement (Advanced) option allows you to exclude specific data from being added to the case when
found in an individual evidence item type.
Many factors can affect which processes to select. For example, if you have specific information otherwise
available, you may not need to perform a full text index. Or, if it is known that compression or encryption are not
used, an entropy test may not be needed.
Important:
After data is excluded from an evidence item in a case, the same evidence cannot be added back
into the case to include the previously excluded evidence. If data that was previously excluded is
found necessary, the user must remove the related evidence item from the case, and then add the
evidence again, using options that will include the desired data.
To set case evidence refining options
1. Click the Evidence Refinement (Advanced) icon in the left pane.
The Evidence Refinement (Advanced) menu is organized into two dialog tabs:
-Refine Evidence by File Status/Type
-Refine Evidence by File Date/Size
2. Click the corresponding tab to access each dialog.
3. Set the needed refinements for the current evidence item.
4. To reset the menu to the default settings, click Reset.
5. To accept the refinement options you have selected and specified, click OK.
Refining Evidence by File Status/Type
Refining evidence by file status and type allows you to focus on specific files needed for a case.
Refine by File Status/Type Options
Include File Slack: Mark to include file slack space in which evidence may be found.
Include Free Space: Mark to include unallocated space in which evidence may be found.
Include KFF Ignorable Files (Recommended): Mark to include files flagged as ignorable in the KFF for analysis.
Include OLE Streams and Office 2007 package contents: Mark to include Object Linked and Embedded (OLE) data streams, and Office 2007 (DOCX and XLSX) file contents that are layered, linked, or embedded.
Deleted: Specifies the way to treat deleted files. Options are:
-Ignore Status
-Include Only
-Exclude
Defaults to “Ignore Status.”
Encrypted: Specifies the way to treat encrypted files. Options are:
-Ignore Status
-Include Only
-Exclude
Defaults to “Ignore Status.”
From Email: Specifies the way to treat email files. Options are:
-Ignore Status
-Include Only
-Exclude
Defaults to “Ignore Status.”
File Types: Specifies which types of files to include and exclude.
Only add items to the case that match both File Status and File Type criteria: Applies selected criteria from both File Status and File Types tabs to the refinement. Will not add items that do not meet all criteria from both pages.
Refining Evidence by File Date/Size
Refine evidence further by making the addition of evidence items dependent on a date range or file size that you
specify. However, once in the case, filters can also be applied to accomplish this.
Refine by File Date/Size Options
Refine Evidence by File Date: To refine evidence by file date:
1. Check Created, Last Modified, and/or Last Accessed.
2. In the two date fields for each date type selected, enter beginning and ending date ranges.
Refine Evidence by File Size: To refine evidence by file size:
1. Check At Least and/or At Most (these are optional settings).
2. In the corresponding size boxes, specify the applicable file size.
3. In the drop-down lists to the right of each, select Bytes, KB, or MB.
Selecting Index Refinement (Advanced) Options
The Index Refinement (Advanced) feature allows you to specify types of data that you do not want to index. You
may choose to exclude data to save time and resources, or to increase searching efficiency.
Note: AccessData strongly recommends that you use the default index settings.
To refine an index
1. Within the Detailed Options dialog of the New Case wizard, click Index Refinement (Advanced) in the
left pane.
The Index Refinement (Advanced) menu is organized into two dialog tabs:
-Refine Index by File Status/Type
-Refine Index by File Date/Size
2. Click the corresponding tab to access each dialog.
3. Define the refinements you want for the current evidence item.
4. Click Reset to reset the menu to the default settings.
5. Click OK when you are satisfied with the selections you have made.
Refining an Index by File Status/Type
Refining an index by file status and type allows the investigator to focus attention on specific files needed for a
case through a refined index defined in a dialog.
At the bottom of the two Index Refinement tabs you can choose to mark the box for Only index items that
match both File Status AND File Types criteria, if that suits your needs.
Refine Index by File Status/Type Options
Options Description
Include File Slack: Mark to include free space between the end of the file footer and the end of a sector, in which evidence may be found.
Include Free Space: Mark to include both allocated (partitioned) and unallocated (unpartitioned) space in which evidence may be found.
Include KFF Ignorable Files: Mark to include files flagged as ignorable in the KFF for analysis.
Include Message Headers: Marked by default. Includes the headers of messages in filtered text. Unmark this option to exclude message headers from filtered text.
Do not include document metadata in filtered text: Not marked by default. This option lets you turn off the collection of internal metadata properties for the indexed filtered text. The fields for these metadata properties are still populated to allow for field-level review, but you will no longer see information such as Author, Title, Keywords, Comments, etc. in the Filtered text panel of the review screen. If you use an export utility such as ECA or eDiscovery and include the filtered text file with the export, you will also not see this metadata in the exported file.
Include OLE Streams: Includes Object Linked or Embedded (OLE) data streams that are part of files that meet the other criteria.
Deleted: Specifies the way to treat deleted files. Options are:
-Ignore status
-Include only
-Exclude
Encrypted: Specifies the way to treat encrypted files. Options are:
-Ignore status
-Include only
-Exclude
From Email: Specifies the way to treat email files. Options are:
-Ignore status
-Include only
-Exclude
Include OLE Streams: Includes Object Linked or Embedded (OLE) files found within the evidence.
File Types: Specifies types of files to include and exclude.
Only add items to the Index that match both File Status and File Type criteria: Applies selected criteria from both File Status and File Types tabs to the refinement. Will not add items that do not meet all criteria from both pages.
Refining an Index by File Date/Size
Refine index items dependent on a date range or file size you specify.
Refine Index by File Date/Size Options
Exclusion Description
Refine Index by File Date: To refine index content by file date:
1. Select Created, Last Modified, or Last Accessed.
2. In the date fields, enter beginning and ending dates within which to include files.
Refine Index by File Size: To refine index content by file size:
1. Click in either or both of the size selection boxes.
2. In the two size fields for each selection, enter minimum and maximum file sizes to include.
3. In the drop-down lists, select whether the specified minimum and maximum file sizes refer to Bytes, KB, or MB.
Selecting Lab/eDiscovery Options
This option is available depending on the license that you own.
AD Lab and eDiscovery have additional options available for advanced de-duplication analysis.
De-duplication is separated by email items and non-email items. Within each group, the available options can be
applied by case or by Custodian.
The following table provides more information regarding each option and its description.
AD Lab/eDiscovery Detailed Options
Option Description
Enable Advanced De-duplication Analysis
Email Items De-duplication Scope: Choose whether you want this de-duplication process to be applied at the Case level, or at the Custodian level.
-Case Level
-Custodian Level
De-duplication Options: For each item type you check, AD Lab eliminates duplicates from the case as it processes through the collected evidence. Uncheck an item type to keep all duplicate instances in your case.
Available item types:
-Email To
-Email From
-Email CC
-Email BCC
-Email Subject
-Email Submit Time
-Email Delivery Time
-Email Attachment Time
-Email Attachment Count
-Email Hash (Body Only, or Body and Attachments)
Non-email Items De-duplication Scope: Choose whether you want this de-duplication process to be applied to the entire case or at the custodian level.
-Case Level
-Custodian Level
De-duplication Option: There is only one option for non-email items. Mark Actual Files Only to de-duplicate only the actual files; leave it unmarked to de-duplicate all files, including children, zipped, OLE, and carved files.
-Actual Files Only
Create HTML: Not currently available.
Propagate Email Attributes: When an email has attachments or OLE items, marking this option causes the email’s attributes to be copied and applied to all “child” files of the email “parent.”
Cluster Analysis: Invokes the extended analysis of documents to determine related, near duplicates, and email threads. See Performing Cluster Analysis on page 287. Configure the details by clicking NDA Options.
NDA Options: This lets you specify the options for Cluster Analysis. You can specify which document types to process:
-Documents
-Presentations
-Spreadsheets
-Email
You can also specify the similarity threshold, which determines the level of similarity required for documents to be considered related or near duplicates.
Create Email Threads: Sorts and groups emails by conversation threads.
Create HTML for Email: Not currently available.
Include Extended Information in the Index: If you create a case in FTK and are going to review it in Summation or eDiscovery, select this option to make the index data fully compatible with Summation/eDiscovery.
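The de-duplication scope and Email Hash options above are easier to reason about with a concrete run. The following is an added example, not AD Lab's or FTK's own code or algorithm: it fingerprints three constructed email records over the header fields the table lists (To, From, CC, BCC, Subject, Submit Time) plus an Email Hash computed either over the body only or over body and attachments, and then shows how Case level versus Custodian level scope changes which copies survive. The header normalisation and the choice of SHA-256 are assumptions made for the example.

```python
"""Illustrate de-duplication scope and Email Hash options (added example).

This is not AD Lab's algorithm. All records below are constructed: one
message collected from two custodians (ids 1 and 2, differing only in
subject whitespace and case) and a copy whose attachment differs (id 3).
"""
import hashlib

EMAILS = [
    {"id": 1, "custodian": "alice", "to": "bob@example.test", "from": "alice@example.test",
     "subject": "Q3 numbers", "submit_time": "2015-04-01T09:00:00",
     "body": "see attached", "attachments": [b"PK\x03\x04 report-v1"]},
    {"id": 2, "custodian": "bob", "to": "bob@example.test", "from": "alice@example.test",
     "subject": "Q3 Numbers ", "submit_time": "2015-04-01T09:00:00",
     "body": "see attached", "attachments": [b"PK\x03\x04 report-v1"]},
    {"id": 3, "custodian": "bob", "to": "bob@example.test", "from": "alice@example.test",
     "subject": "Q3 numbers", "submit_time": "2015-04-01T09:00:00",
     "body": "see attached", "attachments": [b"PK\x03\x04 report-v2"]},
]

# Header fields from the options table; CC and BCC are absent in the sample
# and normalise to the empty string.
HEADER_FIELDS = ("to", "from", "cc", "bcc", "subject", "submit_time")


def _norm(value):
    """Assumed normalisation: lower-case and collapse whitespace."""
    return " ".join(str(value or "").lower().split())


def email_hash(msg, body_and_attachments):
    """Email Hash option: digest the body only, or body plus every attachment."""
    h = hashlib.sha256(msg["body"].encode("utf-8"))
    if body_and_attachments:
        for att in msg.get("attachments", []):
            h.update(b"\x00" + att)  # separator keeps attachment boundaries distinct
    return h.hexdigest()


def fingerprint(msg, fields=HEADER_FIELDS, body_and_attachments=True):
    """Combine the checked header fields and the Email Hash into one key."""
    parts = [_norm(msg.get(f)) for f in fields]
    parts.append(email_hash(msg, body_and_attachments))
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def dedupe(msgs, scope="case", **opts):
    """Return the ids kept; the first copy of a key wins within its scope.

    scope="case": one copy per fingerprint across the whole case.
    scope="custodian": one copy per fingerprint per custodian.
    """
    seen = set()
    kept = []
    for m in msgs:
        key = fingerprint(m, **opts)
        if scope == "custodian":
            key = (m["custodian"], key)
        if key in seen:
            continue
        seen.add(key)
        kept.append(m["id"])
    return kept


if __name__ == "__main__":
    print("case, body+attachments:", dedupe(EMAILS, "case", body_and_attachments=True))
    print("custodian, body+attachments:", dedupe(EMAILS, "custodian", body_and_attachments=True))
    print("case, body only:", dedupe(EMAILS, "case", body_and_attachments=False))
```

With Body and Attachments at Case level only id 2 is eliminated; switching to Custodian level keeps all three because ids 1 and 2 belong to different custodians; switching the hash to Body Only also eliminates id 3, since its headers and body match id 1 and the attachment is no longer part of the key.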
Adding Evidence to a New Case
If you marked Open the Case before clicking OK in the New Case Options dialog, when case creation is
complete, the Examiner opens. Evidence items added here will be processed using the options you selected in
pre-processing, unless you click Refinement Options to make changes to the original settings.
Working with Volume Shadow Copies
You can examine data that is contained in NTFS Volume Shadow Copies.
See Examining Data in Volume Shadow Copies on page 120.
Converting a Case from Version 2.2 or Newer
If you have cases that were created in version 2.2 or later, you can convert them to the latest version. Refer to
the following guidelines for migrating 2.x cases.
Important:
Consider the following information:
-Any case created with a version prior to 2.2 must be re-processed completely in the latest version.
-AccessData recommends reprocessing active cases instead of attempting to convert them, to
maximize the features and capabilities of the new release.
-AccessData recommends that no new evidence be added to any case that has been converted from
an earlier version, because newer versions of processing gather more information than was
gathered in versions prior to 2.x.
Therefore, if evidence is added to a converted 2.2 case, the new evidence will have all the info
gathered by the newest version; however, the data from the converted 2.2 case will not have this
additional information. This may cause confusion and bring forensic integrity into question in a
court of law.
For more information, see the webinar that explains Case Portability in detail. This webinar can be found under
the Core Forensic Analysis portion of the webpage: http://www.accessdata.com/Webinars.
The AccessData website works best using Microsoft Windows Explorer. You will be required to create a
username and password if you have not done so in the past. If you have used this website previously, you will
need to verify your email address. The website normally remembers the rest of the information you enter.
For instructions on converting cases, see the Migrating Cases document located at
http://www.accessdata.com/support/product-downloads/ftk-download-page
Chapter 6
Managing Case Data
This chapter includes the following topics
-Backing Up a Case (page 101)
-Archiving and Detaching a Case (page 104)
-Attaching a Case (page 105)
-Restoring a Case (page 105)
-Migrating Cases Between Database Types (page 106)
Backing Up a Case
Performing a Backup and Restore on a Two-Box Installation
If you have installed the Examiner and the database on separate boxes, there are special considerations you
must take into account. For instructions on how to back up and restore in this environment, see “Configuring for
a Two-box Back-up and Restore.”
Performing a Backup of a Case
At certain milestones of an investigation, you should back up your case to mitigate the risk of an irreversible
processing mistake or perhaps case corruption.
Case backup can also be used when migrating or moving cases from one database type to another. For
example, if you have created cases using 4.1 in an Oracle database and you want to upgrade to 5.0.x and
migrate the case(s) to a PostgreSQL database. Another example is if you have created cases using 5.0.x in an
Oracle database and you want to move the case(s) to the same version that is running a PostgreSQL database.
When you back up a case, the case information and database files (but not evidence) are copied to the selected
destination folder. AccessData recommends that you store copies of your drive images and other evidence
separate from the backed-up case.
Important:
Case Administrators back up cases and must maintain and protect the library of backups against
unauthorized restoration, because the user who restores an archive becomes that case’s
administrator.
Note: Backup files are not compressed. A backed-up case requires the same amount of space as that case’s
database table space and the case folder together.
Starting in 4.2, all backups are performed using the database independent format rather than a native format.
The database independent format facilitates migrating and moving cases to a different database application or
version. You can perform a backup using a native format using the dbcontrol utility. For more information, contact
AccessData Technical Support.
Important:
Do not perform a backup of a case while any data in that case is being processed.
To back up a case
1. In the Case Manager window, select the case to back up. You can use Shift + Click, or Ctrl + Click to
select multiple cases to back up.
2. Do one of the following:
-Click Case > Backup > Backup.
-Right-click on the case in the Cases list, and click Backup.
3. In the field labeled Backup folder, enter a destination path for the backup files.
Important:
Choose a folder that does not already exist. The backup will be saved as a folder, and when
restoring a backup, point to this folder (not the files it contains) in order to restore the case.
4. If you are using 4.1 to back up a case in order to migrate it to 4.2, make sure that you select
Use database independent format.
In 4.2, all backups are performed using the database independent format.
5. Click OK.
Note: The following information may be useful:
-Each case you back up should have its own backup folder to ensure all data is kept together and
cannot be overwritten by another case backup. In addition, AccessData recommends that backups
be stored on a separate drive or system from the case, to reduce space consumption and to reduce
the risk of total loss in the case of catastrophic failure (drive crash, etc.).
-The absolute path of the case folder is recorded. When restoring a case, the default path is the
original path. You can choose the default path, or enter a different path for the case restore.
Archiving a Case
When work on a case is completed and immediate access to it is no longer necessary, that case can be
archived.
The Archive and Detach function copies that case’s database table space file to the case folder, then deletes it
from the database. This prevents two people from making changes to the same case at the same time,
preserving the integrity of the case, and the work that has been done on it. Look for filename DB fn. Archive
keeps up to four backups, DB f0, DB f1, DB f2, and DB f3.
To archive a case
1. In the Case Manager, select the case to archive.
2. Click Case > Backup > Archive.
3. A prompt asks if you want to use an intermediate folder.
The processing status dialog appears, showing the progress of the archive. When the archive
completes, close the dialog.
To view the resulting list of backup files
1. Open the cases folder.
Note: The cases folder is no longer placed in a default path; instead it is user-defined.
2. Find and open the sub-folder for the archived case.
3. Find and open the sub-folder for the archive (DB fn).
4. You may view the file names as well as Date modified, Type, and Size.
Archiving and Detaching a Case
When work on a case is not complete, but it must be accessible from a different computer, archive and detach
that case.
The Archive and Detach function copies that case’s database table space file to the case folder, then deletes it
from the database. This prevents two people from making changes to the same case at the same time,
preserving the integrity of the case, and the work that has been done on it.
To archive and detach a case
1. In the Case Manager, click Case > Backup > Archive and Detach.
The case is archived.
2. You will see a notice informing you that the specified case will be removed from the database. Click OK
to continue, or Cancel to abandon the removal and close the message box.
3. A prompt asks if you want to use an intermediate folder.
The processing status dialog appears, showing the progress of the archive. When the archive
completes, close the dialog.
To view the resulting list of files
1. Open the folder for the archived and detached cases.
2. Find and open the sub-folder for the archived case.
Note: The cases folder is no longer placed in a default path; instead it is user-defined.
3. Find and open the sub-folder for the archive (DB fn).
You may view the file names as well as Date Modified, Type, and Size.
Attaching a Case
Attaching a case is different from restoring a case. You would restore a case from a backup to its original location
in the event of corruption or other data loss. You would attach a case to the same or a different machine/
database than the one where it was archived and detached from.
The Attach feature copies that case’s database table space file into the database on the local machine.
Note: The database must be compatible and must contain the AccessData schema.
To attach a detached case
1. Click Case > Restore > Attach.
Important:
Do NOT use “Restore” to re-attach a case that was detached with “Archive.” Instead, use
“Attach.” Otherwise, your case folder may be deleted.
2. Browse to and select the case folder to be attached.
3. (Optional) Select Specify the location of the DB files and browse to the path to store the database
files for this case.
3a. Select In the case folder to place the database files in a subfolder of the case folder.
4. Click OK.
Restoring a Case
Do not use the Restore... function to attach an archive (instead use Attach...). When your case was backed up, it
was saved as a folder. The folder selected for the backup is the folder you must select when restoring the
backup.
To restore a case
1. Open the Case Manager window.
2. Do either of these:
-Click Case > Restore > Restore.
-Right-click on the Case Manager case list, and click Restore > Restore.
3. Browse to and select the backup folder to be restored.
4. (Optional) Select Specify the location of the DB files and browse to the path to store the database
files for this case.
4a. Select In the case folder to place the database files in a subfolder of the case folder.
5. You are prompted if you would like to specify a different location for the case folder. The processing
status dialog appears, showing the progress of the archive. When the archive completes, close the
dialog.
Deleting a Case
To delete a case from the database
1. In the Case Manager window, highlight the name of the case to be deleted from the database.
2. Do either of these:
-Click Case > Delete.
-Right-click on the name of the case to be deleted, and click Delete.
3. Click Yes to confirm deletion.
WARNING:
This procedure also deletes the case folder. It is recommended that you make sure you have a
backup of your case before you delete the case or else the case is not recoverable.
Storing Case Files
Storing case files and evidence on the same drive substantially taxes the processors’ throughput. The system
slows as it saves and reads huge files. For desktop systems in laboratories, you can increase the processing
speed by saving evidence files to a separate server. For more information, see the separate installation guide.
If taking the case off-site, you can choose to compromise some processor speed for the convenience of having
your evidence and case on the same drive, such as a laptop.
Migrating Cases Between Database Types
You can migrate or move cases from one database to another. For more information, see the Quick Install Guide
and the Upgrading Cases guide.
Chapter 7
Working with Evidence Image Files
This chapter contains the following topics
-Verifying Drive Image Integrity (page 107)
-Mounting an Image to a Drive (page 108)
-Benefits of Image Mounting (page 108)
-Characteristics of a Logically Mounted Image (page 109)
-Characteristics of a Physically Mounted Image (page 109)
-Mounting an Image as Read-Only (page 109)
-Mounting a Drive Image as Writable (page 110)
-Unmounting an Image (page 111)
-Restoring an Image to a Disk (page 111)
-Performing Final Carve Processing (page 111)
-Recovering Processing Jobs (page 112)
Verifying Drive Image Integrity
A drive image can be altered or corrupted due to bad media, bad connectivity during image creation, or by
deliberate tampering. This feature works with file types that store the hash within the drive image itself, such as
EnCase (E01) and SMART (S01) images.
To verify an evidence image’s integrity, a hash of the current file is generated so that you can compare it to
the hash of the originally acquired drive image.
To verify that a drive image has not changed
1. Select Tools > Verify Image Integrity.
In case the image file does not contain a stored hash, one can be calculated. The Verify Image Integrity
dialog provides the following information:
Column Description
Image Name: Displays the filename of the evidence image to be verified.
Path: Displays the path to the location of the evidence image file.
Command: Click Verify or Calculate to begin hashing the evidence image file.
2. Click either Calculate, or Verify according to what displays in the Command column, to begin hashing
the evidence file.
The Progress dialog appears and displays the status of the verification. If the image file has a stored hash, when
the verification is complete, the dialog shows and compares both hashes. Completing these processes may take
some time, depending on the size of the evidence, the processor type, and the amount of available RAM.
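The Verify/Calculate distinction above (verify against a stored hash when the container has one, otherwise only calculate a baseline) can be reproduced for formats that carry no embedded hash. The following is an added example, not FTK's own code: it streams a RAW/dd image through a hash and compares the result with a hash read from an md5sum/sha256sum-style sidecar file ("<hex> *<filename>"), since unlike E01 and S01 a raw image stores no hash of its own. The sidecar format, the digest-length-to-algorithm mapping and the sample files are assumptions constructed for the example.

```python
"""Verify a RAW/dd drive image against a stored hash (added example, not FTK code).

FTK reads the acquisition hash stored inside E01/S01 containers. Raw images have
none, so this example takes the stored hash from a sidecar file in the common
"<hex digest> *<filename>" layout (an assumption). Sample files are constructed.
"""
import hashlib
import hmac
import os
import tempfile

# Hex digest length identifies the algorithm used in the sidecar (assumption).
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def calculate_hash(image_path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the image through the hash so multi-GB images need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def read_sidecar_hash(sidecar_path):
    """Parse the first '<hex> [*]<filename>' line; return (algorithm, hex) or None."""
    if not os.path.exists(sidecar_path):
        return None
    with open(sidecar_path, "r", encoding="utf-8") as f:
        for line in f:
            parts = line.split()
            if len(parts) < 2:
                continue
            digest = parts[0].lower()
            algo = _ALGO_BY_LEN.get(len(digest))
            if algo and all(c in "0123456789abcdef" for c in digest):
                return algo, digest
    return None


def verify_image(image_path, sidecar_path):
    """Return (status, algorithm, current_hash, stored_hash).

    status: "verified" when hashes match, "MISMATCH" when they differ, and
    "calculated" when no stored hash exists (only a baseline can be produced,
    which mirrors the Calculate command in the dialog above).
    """
    stored = read_sidecar_hash(sidecar_path)
    if stored is None:
        return "calculated", "sha256", calculate_hash(image_path, "sha256"), None
    algo, expected = stored
    current = calculate_hash(image_path, algo)
    # compare_digest avoids leaking where the comparison stopped; harmless here,
    # but the habit matters when the same code later compares secrets.
    status = "verified" if hmac.compare_digest(current, expected) else "MISMATCH"
    return status, algo, current, expected


def demo():
    """Run the three outcomes on a constructed 3-byte image in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as f:
            f.write(b"abc")  # constructed image content
        good = os.path.join(d, "good.sha256")
        with open(good, "w", encoding="utf-8") as f:
            # SHA-256 of b"abc"
            f.write("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *evidence.dd\n")
        bad = os.path.join(d, "bad.md5")
        with open(bad, "w", encoding="utf-8") as f:
            f.write("00000000000000000000000000000000 *evidence.dd\n")  # deliberately wrong
        missing = os.path.join(d, "missing.md5")
        return {
            "good": verify_image(img, good)[0],
            "bad": verify_image(img, bad)[0],
            "missing": verify_image(img, missing)[0],
            "sha256": verify_image(img, good)[2],
            "md5": verify_image(img, bad)[2],
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A "MISMATCH" result says only that the file differs from the recorded hash; whether that is bad media, a transfer error or tampering has to be established from the acquisition record, which is why the originally acquired hash should be kept outside the image file it describes.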
Mounting an Image to a Drive
Image Mounting allows forensic images to be mounted as a drive or physical device, for read-only viewing. This
action opens the image as a drive and allows you to browse the content in Windows and other applications.
Supported types are RAW/dd images, E01, S01, AD1, and L01.
Full disk images RAW/dd, E01, and S01 can be mounted Physically. Partitions contained within full disk images,
as well as Custom Content Images of AD1 and L01 formats can be mounted Logically. The differences are
explained in this section.
Note: Encrypted images cannot be mounted as either a drive or physical device.
Benefits of Image Mounting
The ability to mount an image with AccessData forensic products provides the following benefits:
-Mount a full disk image with its partitions all at once; the disk is assigned a Physical Drive name and the
partitions are automatically assigned a drive letter beginning with either the first available, or any
available drive letter of your choice.
-A full disk image mounted physically, and assigned a Physical Drive name that can be read using Imager
or with any Windows application that performs Physical Name Querying.
-Mount images of multiple drives and/or partitions. The mounted images remain mounted until unmounted
or until Imager is closed.
-Mounted images can be easily unmounted in any order, individually, or all at once.
-A logically mounted image may be viewed in Windows Explorer as though it were a drive attached to the
computer, providing the following benefits:
File types with Windows associations can be viewed in their native or associated application, when
that application is installed locally.
Anti-virus applications can be run on the mounted image.
Because the logically mounted image is seen as a drive in Windows Explorer, it can be shared, and
viewed from remote computers when Remote Access has been configured correctly.
Files can be copied from the mounted image to another location.
-Mount NTFS / FAT partitions contained within images as writable block devices. This feature caches
sections of a read-only image to a temporary location allowing the user to “write” to the image without
compromising the integrity of the original image.
Once mounted via the write cache mount method, the data can then be leveraged by any 3rd party tools
which require write access.
Characteristics of a Logically Mounted Image
AD1 and L01 are both custom content images, and contain full file structure, but do not contain any drive
geometry or other physical drive data. Thus, these images do not have the option of being mounted Physically.
Note: When Logically mounting an image, the drive or partition size displays incorrectly in the Windows Start >
Computer view. However, when you open the “drive” from there, the folders and files contained within the
mounted image do display correctly.
Characteristics of a Physically Mounted Image
When you mount an image physically, while it cannot be viewed by Windows Explorer, it can be viewed outside
of Imager using any Windows application that performs Physical Name Querying.
E01, S01, and RAW/dd images are drive images that have the disk, partition, and file structure as well as drive
data. A physical disk image can be mounted Physically; the disk image partitions can be mounted Logically.
Mounting an Image as Read-Only
To mount an image
1. If you already have the desired image added as evidence in the case, select that item, then do Step 2 to
auto-populate the Source box with the image file to be mounted, as shown in Step 3.
If you do not already have the desired image added as evidence, begin with Step 2.
2. Do one of the following:
-Right-click and choose Mount Image to Drive.
-Select the image from the Evidence tree. Right-click and choose Mount Image to Drive.
-Click Tools > Mount Image to Drive, then browse to the image on your local drive or on a network
drive you have access to.
3. Enter the path and filename, or click Browse to populate the Source box with the path and filename of
the image to be mounted.
After selecting an image, the Mount Type will default to the supported mapping based on the image type
selected. Click the drop-down to display other available mount types.
4. Select the Mount Type to use for mounting.
Available Mount Types are Physical & Logical, Physical Only, and Logical Only.
If the Mount Type selected includes Logical, you can select the Drive Letter to assign as the mount
point.
5. Click the Drive Letter drop-down to see all drive letters that are available for assignment to the mounted
image.
6. Click the Mount Method drop-down to select Block Device / Read Only or
File System / Read Only.
Note: If you are mounting an HFS image of a Mac drive, you must choose
File System / Read Only to view contents of the drive. Otherwise, it will appear empty, and may
prompt you to format the drive.
7. Click Mount.
All the related mount information will be displayed in the Mapped Image List.
To mount another image, repeat the process. You can continue to mount images as needed, until you
run out of evidence to add, or mount points to use. Mounted images remain available until unmounted,
or until the program is closed.
8. Click Close to return to the main window.
Mounting a Drive Image as Writable
When mounting an image as writable, you must be working with a physical image, and the mount type you select
must be Physical & Logical. This is the only option that provides the Block Device / Writable Mount Method.
To mount a drive image as writable
1. In the Examiner, click Tools > Mount Image to Drive.
2. Select a full disk image such as 001/Raw dd, E01, or S01 file type.
3. In the Mount Type drop-down, select Physical & Logical.
4. In the Drive Letter drop-down, select Next Available (default), or select a different drive letter.
Note: Check your existing mappings. If you map to a drive letter that is already in use, the original will
prevail and you will not be able to see the mapped image contents.
5. In the Mount Method drop-down, select Block Device / Writable.
6. In the Write Cache Folder text box, type or click Browse to navigate to the folder where you want the
Write Cache files to be created and saved.
7. Click Mount.
You will see the mapped images in the Mapped Image List.
To view or add to the writable mapped drive image
1. On your Windows desktop, click Start > Computer (or My Computer).
2. Find the mapped drive letter in your Hard Disk Drives list. It should be listed by the name of the Image
that was mounted, then the drive letter.
3. Double-click on it as you would any other drive.
4. As a test, right-click and choose New > Folder.
5. Enter a name for the folder and press Enter.
6. The folder you created is displayed in the Folder view.
7. Mapped images remain mapped until unmapped, or until the application is shut down.
Unmounting an Image
To unmount a mounted image
1. Click File > Image Mounting. The Map Image to Drive dialog opens.
2. Highlight the images to unmount, then click Unmount. (To unmount multiple mappings, click the first, then
Shift-click the last to select a block of contiguous mappings. Click a file, then Ctrl-click individual files to
select multiple non-contiguous mappings.)
3. Click Done to close the Map Image to Drive dialog.
Restoring an Image to a Disk
A physical image such as 001 (RAW/dd), E01, or S01, can be restored to a drive of equal or greater size to the
original, un-compressed drive.
To restore an image to a disk
1. Connect a target drive to your computer.
2. In the Examiner, click Tools > Restore Image to Disk.
3. Click Browse to locate and select the source image. It must be a full-disk image such as 001 (Raw/dd),
E01, or S01.
The source image must be a disk image. A custom content image such as AD1 will not work for this
feature.
4. Click the Destination Drive drop-down, select the target drive you connected in Step 1. If you do not see
that drive in the list, click Refresh.
5. Mark the Zero-fill remainder of destination drive check box if the drive is larger than the original un-
compressed drive.
6. Mark the Notify operating system to rescan partition table when complete check box to allow the
new drive to be seen by the OS. If you plan to connect the drive in a different computer there is no need
to do this step.
When you are finished selecting options, click Restore Image to continue.
Performing Final Carve Processing
When you have selections saved as carved files from any file in the Hex viewer, performing Final Carve
Processing carves the files, saves them, adds them to the case, and even creates or assigns them to bookmarks
you specified when the data was selected.
Final Carve Processing jobs can be monitored in the Progress Window as Additional Analysis Jobs.
Recovering Processing Jobs
Jobs that are started but unable to finish for whatever reason can be deleted or restarted. Click Tools > Recover
Processing Jobs. If no jobs remain unfinished, the Recover Processing Jobs dialog box is empty. Click Close.
If there are jobs in the list, you can choose whether to Restart or Delete those jobs.
To recover incomplete processing jobs
1. Click Select All, Unselect All, or mark the check box for each job to be recovered.
2. Click Restart.
3. In the Recovery Type dialog, choose the recovery type that suits your needs:
-Continue processing from where the job ended.
-Restart the job from the beginning.
4. Click Close.
5. To verify the progress of a restarted or continued job, click Tools > Show Progress Window.
To remove incomplete processing jobs
1. Click Select All, Unselect All, or mark the check box for each job to discard.
2. Click Delete.
3. Click Yes to confirm that you want to delete the job permanently.
4. Click Close.
Chapter 8
Working with Static Evidence
This chapter includes the following topics
-Static Evidence Compared to Remote Evidence (page 113)
-Acquiring and Preserving Static Evidence (page 114)
-Adding Evidence (page 114)
-Working with Evidence Groups (page 117)
-Selecting Evidence Processing Options (page 118)
-Selecting a Language (page 119)
-Using Additional Analysis (page 124)
-Examining Data in Volume Shadow Copies (page 120)
-Data Carving (page 128)
-Hashing (page 128)
-Viewing the Status and Progress of Data Processing and Analysis (page 130)
-Viewing Processed Items (page 131)
Static Evidence Compared to Remote Evidence
Static evidence describes evidence that has been captured to an image before being added to the case.
Live evidence describes any data that is not saved to an image prior to being added to a case. Such evidence is
always subject to change, and presents a risk of data loss or corruption during examination. For example, a
suspect’s computer may be imaged live if it has not yet been, or will not be, confiscated, whether because a
password is not known or to avoid letting the suspect know that he or she is under suspicion.
Remote evidence describes data that is acquired from remote live computers in the network after the case has
been created.
This chapter covers working with static evidence. For more information regarding acquisition and utilization of
remote evidence, see Working with Live Evidence (page 133).
Acquiring and Preserving Static Evidence
For digital evidence to be valid, it must be preserved in its original form. The evidence image must be
forensically sound, in other words, identical in every way to the original.
See also About Acquiring Digital Evidence (page 24)
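The forensic-soundness requirement above is checked in practice by hashing the image and comparing the result with the digests recorded at acquisition time. The following script is an added example, not code from the FTK guide or from AccessData: it hashes a constructed sample file in chunks (so real images larger than memory can be handled the same way), verifies it against the recorded digests, then flips one byte to show that even the smallest change is detected. The sample data, the file name sample.dd and the flip_byte helper are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Constructed sample data standing in for an acquired disk image (not a real image).
SAMPLE_IMAGE = bytes(range(256)) * 64  # 16 KiB of deterministic bytes


def hash_image(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1024 * 1024):
    """Hash a file in fixed-size chunks so images larger than RAM can be processed.

    Returns a dict mapping algorithm name -> lowercase hex digest.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare the digests of `path` with those recorded at acquisition time.

    `expected` maps algorithm name -> hex digest (case-insensitive).
    Returns (is_sound, mismatches): is_sound is True only when every recorded
    digest matches; mismatches lists the algorithms whose digest differs.
    """
    computed = hash_image(path, algorithms=tuple(expected))
    mismatches = sorted(name for name, digest in expected.items()
                        if computed[name] != digest.lower())
    return (not mismatches, mismatches)


def write_sample_image(path, data=SAMPLE_IMAGE):
    """Write the constructed sample image and return its acquisition digests."""
    with open(path, "wb") as fh:
        fh.write(data)
    return hash_image(path)


def flip_byte(path, offset):
    """Simulate a single-byte change to the image (hypothetical helper for the demo)."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


def self_check():
    """Run verify, tamper, verify again on a temporary copy of the sample image.

    Returns a dict so a caller can inspect (or assert on) each step's result.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.dd")  # assumed file name
        acquired = write_sample_image(path)   # digests recorded "at acquisition"
        before = verify_image(path, acquired)
        flip_byte(path, 4096)                  # one bit changed in 16 KiB
        after = verify_image(path, acquired)
    return {
        "acquired_sha256": acquired["sha256"],
        "intact": before[0],
        "intact_mismatches": before[1],
        "tampered": after[0],
        "tampered_mismatches": after[1],
    }


if __name__ == "__main__":
    result = self_check()
    print("SHA-256 at acquisition:", result["acquired_sha256"])
    print("Intact image verifies:", result["intact"])
    print("After one-byte change verifies:", result["tampered"],
          "mismatched:", result["tampered_mismatches"])
```

Record more than one digest at acquisition (the guide's own processing offers MD5 and SHA-1 alongside SHA-256) and compare all of them: a single algorithm still detects accidental corruption, but independent digests make the verification record stronger if one algorithm is later questioned.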
Adding Evidence
When case creation is complete, the Manage Evidence dialog appears. Evidence items added here will be
processed using the options you selected in pre-processing. Please note the following information as you add
evidence to your case:
-You can now drag and drop evidence files from a Windows Explorer view into the Manage Evidence
dialog.
-You can repeat this process as many times as you need to, for the number of evidence items and types
you want to add.
-DMG (Mac) images are sometimes displayed as “Unrecognized File System.” This happens only when
the files are not “Read/Write” enabled.
If the DMG is a full disk image or an image that is created with the read/write option, then it is identified
properly. Otherwise the contents will not be recognized properly.
-After processing, the Evidence Processing selected options can be found in the case log. You can also
view them by clicking Evidence > Add/Remove. Double-click on any of the evidence items to open the
Refinement Options dialog.
-Popular mobile phone formats (found in many MPE images) such as M4A, MP4, AMR, and 3GP can be
recognized. These file types will play inside the Media tab as long as the proper codecs are installed that
would also allow those files to play in Windows Media Player.
To add static evidence (an exact image, or “snapshot” of electronic data found on a hard disk or other data
storage device) to an existing case, select Evidence > Add/Remove from the menu bar and continue.
Note: Use Universal Naming Convention (UNC) syntax in your evidence path for best results.
Click Refinement Options to override settings that were previously selected for evidence added to this case. If
you do not click Refinement Options here, the options that were specified when you created the case will be
used.
See also Configuring Evidence Processing Options (page 70)
After evidence has been added, you can perform many processing tasks that were not performed initially.
Additional evidence files and images can be added and processed later, if needed.
When you are satisfied with the evidence options selected, click OK.
Manage Evidence Options
Add: Opens the Select Evidence Type dialog. Click to select the evidence type, and a Windows Explorer instance
will open, allowing you to navigate to and select the evidence you choose.
Remove: Displays a caution box and asks if you are sure you want to remove the selected evidence item from the
case. Removing evidence items that are referenced in bookmarks and reports will remove references to that
evidence and they will no longer be available. Click Yes to remove the evidence, or click No to cancel the
operation.
Display Name: The filename of the evidence being added.
State: The state of the evidence item:
-“ ” (empty) Indicates that processing is complete.
-“+” Indicates the item is to be added to the case.
-“–” Indicates the item is to be removed from the case.
-“*” Indicates the item is processing.
-“!” Indicates there was a failure in processing the item.
If you click Cancel from the Add Evidence dialog, the state is ignored and the requested processing will not take
place.
Note: If the State field is blank and you think the item is still processing, from any tab view, click View >
Progress Window to verify.
Path: The full pathname of the evidence file.
Note: Use Universal Naming Convention (UNC) syntax in your evidence path for best results.
ID/Name: The optional ID/Name of the evidence being added.
Description: The optional description of the evidence being added. This can be the source of the data, or any
other description that may prove helpful later.
Evidence Group: Click the drop-down to assign this evidence item to an Evidence Group. For more information
regarding Evidence Groups, see Working with Evidence Groups (page 117).
Time Zone: The time zone of the original evidence. Select a time zone from the drop-down list.
Merge Case Index: This option has been removed. The processing engine does this automatically and no longer
needs user interaction to select the merge.
Language Setting: Select the code page for the language to view the case in. The Language Selection dialog
contains a drop-down list of available code pages. Select a code page and click OK.
Case KFF Options: Opens the KFF Admin box for managing KFF libraries, groups, and sets for this case.
Refinement Options: Displays the Refinement Options for Evidence Processing. This dialog has limited options
compared to the Refinement Options selectable prior to case creation. Select the options to apply to the
evidence being added, then click OK to close the dialog.
See also Configuring Evidence Processing Options (page 70)
Note: To remove evidence from the list either before processing, or after it has been added to the case, select