Forensics: FTK 3

Today, 24th August 2009, is the preview day for FTK 3.0.

Could this be the long awaited FTK product that FTK 2 should have been?

Several months ago a determined attempt was made by this author to get FTK 2.x working this failed. A few weeks ago another attempt was made to get FTK 2 working. This also failed, until AccessData’s technical support was called

The support from AccessData was superb: However it did take several hours, of continual assistance on the phone, to get FTK almost working. After a day or so FTK 2 was running. But the penalty was huge, and involved writing off two complete days to get FTK 2 running on a single machine (as well as the previously time wasted). The time penalty was so huge that FTK 2.x was not installed on any other machines as the time penalty was just too  great.

Because FTK could not effectively  (i.e. in realistic time scales) be installed on multiple machines in the same lab, its not currently being used by this author.

AccessData has had all the pieces in place to create a top of the range tool for a very long time, they have had indexing, file carving, reporting, a fantastic imaging tool and a brilliant registry viewer; one which  knocks the spots of EnCase. They just can’t put them together [This is not strictly fair as FTK 1.x was also a great product but limited by its age]

AccessData let the market down by the FTK 2, however the company has moved on since then, new staff, new products, new outlook, and a revamped  qualification.

The market were quite rightly angry at AccessData for the farce that was the FTK 2.0 release, but the anger was probably only so high as because people wanted so much from the new tool and had waited so long in so much anticipation.

The FTK 3 will be a different release. People are not as hopeful as they were with FTK 2, expectations are lower. This means that AccessData can’t fall as far.

In fact if FTK 3 works and can be installed easily people will probably be quietly happy. If, and its a big if, it can deliver what it says it can, it will be great tool.

Below is the marketing spiel about FTK 3

AccessData has announced the preview of Forensic Toolkit® 3.0 (FTK®) which will be demonstrated at HTCIA International on August 24th in Lake Tahoe, California. Below are just a few highlights of the FTK 3.0 release…

Reengineered for Improved Performance:

* UI Performance: The FTK GUI is 10 times more responsive across the board, even on machines with only 4GB of RAM.
* Indexing: Indexes quickly and search results populate fast, even with large result sets.
* Distributed Processing: Every copy of FTK 3 comes with 4 workers, allowing you to leverage CPU resources from up to 4 computers (3 distributed workers and 1 worker on the main FTK examiner system).

Compelling New Capabilities:

* RAM Analysis: Enumerate all running processes from 32-bit machines, search memory strings, and process RAM captures for passwords, html pages, lnk files and MS Office documents.
* Mac Analysis: Many new capabilities, such as processing B-Trees attributes for metadata, decrypting Sparse Images or Sparse Bundles, PLIST support, SQLite support and more.
* Pornographic Image Identification: Enables the automated detection and identification of pornographic images by analyzing visual features in the image to assess its actual visual content.

About AccessData

AccessData has pioneered digital investigations for twenty years, providing the technology and training that empower law enforcement, government agencies and corporations to perform computer investigations of any kind with speed and efficiency. Recognized throughout the world as an industry leader, AccessData delivers state-of-the-art computer forensic, network forensic, password cracking and decryption solutions. AccessData’s Forensic Toolkit® and enterprise investigative solutions enable examiners to search for, analyze and forensically preserve electronic evidence for the purposes of criminal investigations, internal investigations, incident response and eDiscovery. AccessData is also a leading provider of digital forensics training and certification with its much sought after AccessData Certified Examiners (ACE) program. For more information on AccessData visit http://www.accessdata.com.

Advertisements

6 Responses to “Forensics: FTK 3”

  1. CTB Says:

    I’m going to try not to trash AccessData too much because I do think they have all the best ingredients for success. That said, I’m still waiting for them to use them in the right combination without any major screwups 🙂

    FTK 2.2.1 is really pretty good. There are features that are missing that I feel like could be implemented pretty easily (but I’ll ignore that for now since it does way more than the competition). I think I have two big problems with FTK2 as it stands now that I’d like to see resolved. The first is usability which is closely tied with the issues a lot of people have had with installation. I see AccessData making the same mistakes as recently as last month with their release of oradjuster, which is a tool to optimize the oracle database to speed it up. They released a nice little video explaining how much oradjuster could improve performance over the comparatively sluggish out-of-box configuration. The problem is oradjuster does not seem like a simple tool to correct this. The usage goes something like: archive or backup all your cases (lame), hack these registry keys (lame), run oradjuster using these convoluted options from the command line (lame) and if all goes well, FTK should run as fast as it SHOULD have in the first place. Pair that with the installation process, which has to be followed exactly in order to function properly, and I can see why people get so angry. I don’t see why the installation process hasn’t been streamlined up until now, but the fact that oradjuster assumes that every forensic examiner is also a PhD in computer science and an MCSE makes me think they aren’t going to get it right for FTK 3 either. I hope I’m wrong. It shouldn’t be hard out of the box, and that issue should be fixed no matter what it takes.

    The second issue I have is money, plain and simple. I don’t expect the licensing costs to go down at all, but I’ll ask anyway. AD, can you please make FTK 3 cheaper? Can you please make the lab lite edition affordable for small businesses? Can you pay those of us back who have dealt with FTK 2.x for the past year and a half by giving us a deal on FTK 3, which we are presuming to be a much better product as a result of the lessons you should have learned over that period of time? I didn’t think so, but I thought I’d ask.

    I’m not sure what time the preview was supposed to be today, but can anyone in attendance report on what they saw?

    -CTB

  2. Forensics: FTK 3 – Tips and Tricks Videos « Data – Where is it? Says:

    […] Forensics: FTK 3 – Tips and Tricks Videos Posted on September 5, 2009 by 585 Below is a video from Acess Data, showing some tips and tricks for FTK 3.0 […]

  3. Forensics: FTK 3 Reviews « Data – Where is it? Says:

    […] FTK 3 Reviews Posted on September 5, 2009 by 585 Accesss Data’s FTK 3 was launched on 24th August, just under a fortnight ago.  There was not the same  fan fare that […]

  4. Forensics: FTK 3 Video « Where is Your Data? Says:

    […] FTK 3 Video September 26, 2009 — 585 The latest FTK 3 video, fromAccessData is now […]

  5. JDM Says:

    I use to blame Guidance Software for ignoring the small guys and law enforcement for the big companies, but Access Data has really beaten them. Have you seen the recommended computer specs for FTK3? Minimum 8-16gb of RAM and dual quad core processors. Most of you’re small labs and LE agencies don’t have these systems and won’t be able to buy them with the economic situation.

    I have two license of FTK2, but have only used the product maybe 2 times since it was released. I use FTK1 for anything I need (that Encase won’t handle) and I find a lot of other examiners do as well.

  6. BPG Says:

    I know these posts are super old, but I have to make a reply to JDM for anyone knew to this industry that might stumble upon this page.

    First, let me say that it is unfortunate that LE agencies don’t allocate an adequate budget for digital investigations, but this is no different than any other area of forensic science; technology changes and if you want to be able to solve crimes better and faster, you have to change with it.

    Where would Access Data be if they designed FTK 3.0 to run on Windows 98 with 512KB of RAM? How many cases would still be unsolved with evidence sitting in the freezer if DNA did not progress as much as it has in the last 20 years?

    Just because it is digital does not make it any less important or relevant. Look at some of the high profile cases in the last 10 years that have been solved this way, Peterson, Rader, etc.

    I feel for the men and women working in law enforcement that have to struggle with the lack of funding they receive for solving crime, but the manufacturers of these great tools can’t hold back for the sake of municipal budgets.

    As far as small commercial shops go; this is not for overnight LLCs, you need to have capital and a plan lined up and if you can’t do it today, then work for someone else and keep your skills current until you can.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: