Forensics: FTK 2

Part 2 and Part 3 are now available

Part1:

Five  years after FTK 2 was first touted, and 1 year after FTK 2 was released, where is AccessData with the much maligned tool?

Time Line:

As early as 2004 AccessData was talking about the release of FTK 2 with a release date “of this year”. This message was put out year after year.

In 2007 FTK 2 was beginning to market the the release of FTK 2 as “soon” with beta demos being available for testing  and public demos of the tool available from October 2007.  Access Data even went as far as to state that FTK 1.x would no longer be sold after November 2007. A decision that was later reversed.

Pricing was discussed in 2007, but there was still no product release in 2007.

In January 2008, at New York Legal Tech,  it was stated that FTK would be released “this week”. However, following another months delay FTK 2 was released on 19th February 2008.

FTK 2.0 The First Release

The initial release by FTK 2.0 was, by any measure, an unmitigated disaster.

The AccessData press releases stated “The product is designed to handle extremely large data sets and to meet your needs as case loads and case sizes continue to increase“, but users quickly found this was not true.Those working with anything other than very basic data sets  found that the idea of indexing 100 GB of email with FTK was pointless and the system effectively died.

But, only a select few even found this out as getting FTK 2.0 working was not an easy task. The hardware specification required for FTK were far higher than most expected and the oracle installation was clunky/awful. To make matters worse FTK 2.0 used the codemeter dongle, rather than the FTK 1.x green dongle. This meant that users had to move licenses between dongles. Then, after they had wasted a couple of days installing and uninstalling FTK 2.0, they had to move them back again.

If a user did get FTK 2.0 working, and did use a small amount of data, the results were still poor FTK 2.0 seemed to take the worst parts of FTK 1 and the worst parts of EnCase 4 and combine them, it was a terrible tool, and everybody recognized this.

Eventually in May 2008 AccessData sent out a formal apology to FTK 2.0 users (much to Guidance Software’s amusement). The email stated “The release of FTK 2 has created much more confusion than we had anticipated, so we would like to take a moment to once again clarify a very important point……FTK 2 is not meant to be a replacement for FTK 1 for all customers…..We acknowledge there are challenges with FTK 2, such as slow processing, complex installation and GUI response issues. We are very well aware of these issues and diligently working on addressing them as quickly as possible…We know we have not made it the easiest transition and for that we apologize. It is nobody’s fault but our own as the product manufacturer

The email, while painful for AccessDatam, at least recognized the problems that they and their users were facing.

FTK 2.1

AccessData rolled out updates and patches to try resolve the problem with FTK 2.0 , culminating in the release of 2.1 in November 2008 . But even this release was not with out problems; people in the UK could not download the update

The UK supplier of FTK (DataDuplication) formally announced that there were problems with downloading FTK 2.1 from AccessData’s site  and so shipped DVDs to clients.

In Novemeber 2007  an allegedly neutral site claimed that Access Data has redeemed itself with FTK 2.1.  Though the language of the post “Usability – Wow“,  and and the fact that the computer  used to test FTK 2.1 had 8 cores and 8 GB of RAM did raise a few eye brows.

FTK 2.11

Currently AccessData are on FTK 2.11, on the 1st anniversary since FTK 2.0 was released. What is this tool like, and how does it perform? Well, three days into trying to find out, its still not known.

On Friday an attempt was made download the full version of  FTK 2.11 from the AccessData server, as this this process was due to take 14 hours, so was left to run over night. 14 hours is not an acceptable time period to download 1 piece of forensic software – while using a 20 mb bit line and Firefox). Unfortunately the downloading PC restarted 13 hours into the download (Windows patches!).  On Saturday a download attempt was started again, this time it was due to take 16 to 18 hours. For this reason a new approach had to be taken, and a download manager was used. This radically reduced the download time to less than 4 hours.

The download is an ISO, but as a day had already been wasted a DVD was not made, but an attempt to install it from the hard drive was made and the ISO was extracted out onto the local drive. This was a mistake.

On running the “setup” function, the following screen is presented.

FTK 2 First Screen

Immediately it becomes apparent that this is going to be more manual than you would hope for. To make matters worse on pressing the buttons they don’t work as the call appears to be absolute, rather than a relative path and it is looking for the DVD, rather than accepting the existing folder path. So, each part has to be  installed separately.  During the Oracle set up, there appear to be several  options which could cause confusions for a a novice in Oracle.

Oracle Screen in FTK 2.11

Oracle Screens in FTK 2

Who, in the forensics industry is not a novice in Oracle? Most forensics staff do not have background in Oracle. Those with an electronic Discovery background will be familiar with working with AccessData or SQL, but which other tool in the market uses Oracle?

After the CodeMeter dongle was installed, and Oracle was installed, and the .NET distributed package that is required, it was then time to install FTK 2.11. However there was an error, it could not talk to Oracle.

Oracle Error

Being a total novice with Oracle this threw a spanner in the works. Therefore assistance was required, Googling the error produced zero results. Even googling the first part of the error produced nothing.

Therefore the AccessData forums were approached for assistance. However you can not access the forums without an account. So a new account was created, but as it was a Saturday permission was not granted, you  need to wait until Monday.

The installation attempt was started on Friday 27th February, but by Sunday 1st March there has still been no success. Next week, when FTK 2 is eventually working the feasibility of using FTK 2, in the realword, can be tested.

Can you recommend FTK 2.11? I can’t even install it to test it!