Forensic Toolkit v2.0
Strengths: Great all-around product. We rate this our Best Buy.
Weaknesses: License installation can be slightly confusing to first-time users.
Verdict: FTK is a great product. It is well put together and worth several times the price.
Summary: Forensic Toolkit (FTK) is one of the most full-featured product sets. It includes a forensic imager utility, a registry viewer utility and Distributed Network Attack (DNA), which distributes password recovery, alongside the Password Recovery Toolkit (PRTK).
The earlier 1.7 version’s primary screen was gray with a multitude of buttons for performing different components of a forensic investigation. The current 2.0 version has a sleeker interface with a tab-based design, but is still a little cluttered with different windows on each of the tabs opened by default.
The FTK Imager utility was able to create a forensic image of the 1 GB drive in under three minutes. The import into the FTK interface took 30 minutes of processing time. A new feature allows the investigator to work with the data while it is being imported into the program. FTK was able to discover the deleted executable, directory and file, and was even able to reconstruct the deleted picture. It detected the password-protected ZIP file and showed the file contents, but could not open the ZIP without the password recovery toolkit. FTK also detected the password-protected Microsoft Word file. FTK did not, however, discover the steganographed files.
FTK also includes data-carving features, which allow the drive’s slack space to be searched for file fragments. The only noticeable problems were that the application would crash with large email investigations, and the utility would only recognize VMware disk files as flat files and not virtual file systems.
The installation of FTK was both simple and complex at the same time. The software went in as part of a simple autorun utility, and the interface for installation was very well laid out. The difficult part was trying to get the license dongle recognized and installed. It took several tries to get the driver installed correctly. The XP OS would recognize the license fob as a flash drive, and once the driver was installed, it was necessary to contact the AccessData server to get the correct licenses installed on the fob. For us this required a call to tech support.
The help file for FTK is the best we have ever seen. It walks the user through using the utility with such detail and accuracy it is possible to learn the utility inside and out simply by reading the PDF help manual.
The pricing for FTK is $2,995, which is at the low end of the price spectrum, making this an excellent value.