AccessData Group Forensic Toolkit (FTK) v4
Strengths: Solidly covers the computer/mobile device territory.
Weaknesses: None that we found.
Verdict: Likely to set the computer forensic standard for the foreseeable future. Once again, we designate AccessData’s FTK 4 and its associated tools SC Lab Approved.
Summary
The suite of computer forensic tools from AccessData Group that we tested is a nearly complete examiner's tool kit. Add its Password Recovery Toolkit (not reviewed here) and you've got the whole shebang.
The new FTK 4 is pretty much the same set of tools that we are used to seeing from AccessData - until you add the company's exciting new modules, Cerberus and Visualization. Now, it's a whole different ballgame.
These two new modules allow examiners to perform a deep dive into malware on the disk under examination (Cerberus) and to examine email and documents in an entirely new way (the Visualizer). The Mobile Phone Examiner Plus (MPE+) adds mobile devices to the repertoire. It outputs a file that can be added directly into a case alongside images from computers, which makes correlation between the two fast and straightforward.
We read two hard-disk images into FTK 4 and then added dumps from two mobile devices. All of these images were placed into a single case which was then processed. We found the performance to be exceptional and the results of having all of the images - computers and phones - in the same case made analysis easy.
The new modules are quite impressive. There is a clear graphical display of the relationships between email addresses using Visualizer. Similar visualization enhancements are available for document files. Using the Visualizer is easy and we had no trouble performing the additional analysis that the tool permits.
Today, malware in its many forms bedevils security engineers and forensic examiners alike. It is always challenging to identify malware - especially zero-day - using conventional computer forensics. Cerberus changes that. We ran the post-processing necessary to do a Cerberus analysis. With that done, every time we opened a file that could contain malware, we received the Cerberus report for that file. The report gives deep details about the file and adds a probability that the file is or contains malware. As with any heuristic score, that probability is a triage aid rather than a verdict, so flagged files still warrant independent confirmation before they are treated as malicious.
MPE+ was provided to us on a Microsoft tablet, but it is also available as software only. The product is the same in either case. The kit we received has a solid collection of cables. We were able to connect our phones and dump them in under 10 minutes each; the time this takes depends, of course, on the amount of data on the mobile device. One can read a standalone report from MPE+ or generate a file that can be added into an FTK analysis. We did both and concluded that this tool's biggest strength is its ability to act in concert with the overall investigation.
Pricing for this suite of tools is competitive in the computer forensic market in general, and the breadth and depth covered make it an excellent value. FTK and its complementary tools do not take long to learn. They cover a lot of forensic ground and, having used them in actual cases as well as in the test lab, we can say that they provide a solid, reliable platform with a consistent look and feel.
Documentation, in the form of PDF files, is excellent. The AccessData Group website is complete and provides the support needed.