AccessData Forensic Suite
Strengths: A host of tools that enable a thorough and organized investigation.
Weaknesses: Some of the software tools may not be quickly understood by beginners.
Verdict: The three-product platform provides a solid foundation for any digital forensic investigation. For a full-feature package, this earns our Recommended designation.
There are three products in AccessData's forensic suite that every digital forensic investigator needs: Mobile Phone Examiner (MPE) Plus, Forensic Toolkit (FTK) and AD Triage. The compatibility of the three tools enables the user to complete a thorough and organized investigation.
MPE Plus is a software solution for mobile phone extraction and analysis. It supports more than 6,800 devices, including the iPhone, iPad, Android, BlackBerry and MediaTek (MTK) Chinese devices.
The installation process is simple and took us only about 20 minutes. The interface is organized with three well-labeled menus, and the tools are displayed cleanly in graphical form. It lets the user manipulate and examine data with a host of tools, allowing for a functional, effective approach. The automated results are generated from the app and can be exported or printed.
FTK is a digital investigation platform built for speed, analytics and scalability. Known for its intuitive interface, email analysis capability, customizable data views and stability, it lays the framework for seamless expansion so one's computer forensic solution can grow with an organization's needs. Additionally, FTK integrates with optional expansion modules to provide malware analysis capability and state-of-the-art visualization.
AD Triage is an easy-to-use, forensically sound triage tool for the on-scene preview and acquisition of computers that are live or have been shut down. AD Triage is ideal for users who are inexperienced with computer forensic software but need to preserve evidence in the field. Installation of this component is simple, taking only three steps. Triage is split into two interfaces: administrator and receiver. The administration interface is used to manage and configure removable media devices and to review and store all collected data. The receiver interface is used on target systems to collect data to a USB device or to a network-connected computer.
Once licenses have been obtained and the devices installed, one can grab the data essential to an investigation. The profile is published and assigned to the desired removable device. The device can then be plugged into the computer from which the information will be extracted. Extraction is done by running the Triage agent application file. If the computer is not in an active state, the user should use a bootable CD/DVD or USB. Running the agent activates the interface and starts the extraction process. All the files that were required when creating the profile of the device are sorted and can then be exported to the device or to a specified remote destination.
Finally, the file collection from the field can be reviewed and a report generated and stored to the investigator's lab computer. The AccessData suite offers support and documentation in a variety of forms: via phone, email, web, discussion forums and a user guide.
Each of the products has to be purchased separately as these applications are not bundled together as a suite. However, at a total price of $7,495 for all three tools, the simplicity, functionality and management capabilities that can be applied to the analyzed data well justify the expense.