As regular readers know, one of my occasional pet peeves regards the lack of innovation in our field, especially in digital forensics. In this field we tend to see more of the same tired old tools with a few new capabilities or a new point solution to specific forensic problems. But as for a sea change in the core computer or network forensics tools? Not so much.
All of that ended when AccessData introduced FTK 4.0 with Cerberus and Visualization. I almost never say this about a forensic tool, but this one blew me away. The things that you can do with this are so varied and so powerful that I predict it will become the benchmark for computer forensic tools for some time to come.
Cerberus allows one to do a deep analysis of every executable in an image for the presence of malware elements. That wants a bit of explaining. Just because an executable has some malware elements doesn’t mean that it is malware, so the expert knowledge of the examiner comes into play. This tool is not as useful if one doesn’t have at least a modicum of knowledge about malware mechanics. If one does, though, a deep dive into executables is possible, performing both static and dynamic analyses.
Cerberus – named after the three-headed dog of mythology that guards the gates of Hades – dissects every executable in an image and then shows its internals, such as memory usage, system calls and more. It scores each file so that, at a glance, one can see which ones need more attention. Then one can drill into the code; Cerberus performs the reversing and analysis, leaving the examiner to interpret what it finds. It really is quite amazing, and it is very powerful if one knows how to take full advantage of it.
But the feature I found most useful was email visualization. Most visualizers break at around 25,000 items. I have a case that has been bedeviling me for about three years, and it is fairly large – well over a terabyte of images from three machines. There are more than 26,000 emails, so I thought, “What the heck…I’ll just load them up and see where this takes me.” It took quite a while to load – that is a lot of data – but once in, I was able to see things that I had not considered in earlier analyses.
For example, the social display shows with whom a particular individual has communicated. It gives a strong social network display – a circle with the originator in the center and the correspondents placed toward the perimeter, closer to the center the more frequently they exchanged email with the originator.
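The weighting behind that kind of display is simple to reproduce, and doing so by hand is a useful sanity check on any visualizer's output. The following is an added example written for this review, not AccessData's code and not a description of how FTK computes its layout: it parses a handful of constructed RFC 2822 headers, counts messages exchanged between a chosen person and each counterparty in either direction, and places each counterparty on a ring whose radius shrinks as the message count grows. The addresses and messages are made up; `contact_counts` and `radial_layout` are names chosen here.

```python
import math
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real case data): minimal header blocks only.
SAMPLE_MESSAGES = [
    "From: alice@example.org\nTo: bob@example.org\nSubject: q1\n\nbody",
    "From: alice@example.org\nTo: bob@example.org\nCc: carol@example.org\nSubject: q2\n\nbody",
    "From: bob@example.org\nTo: alice@example.org\nSubject: re: q2\n\nbody",
    "From: alice@example.org\nTo: dave@example.org\nSubject: invoice\n\nbody",
    "From: carol@example.org\nTo: alice@example.org, bob@example.org\nSubject: fyi\n\nbody",
    "From: eve@example.org\nTo: frank@example.org\nSubject: unrelated\n\nbody",
]


def addresses(msg, header):
    """Lower-cased addresses from one header, handling comma-separated lists
    and repeated header lines."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def contact_counts(raw_messages, person):
    """Count messages exchanged between `person` and each counterparty.

    Both directions count: mail `person` sent to X, and mail X sent that names
    `person` in To/Cc/Bcc. Co-recipients of a third party's mail are not
    counted as contacts of `person`, since they never exchanged mail directly.
    Returns Counter{counterparty: n}.
    """
    person = person.lower()
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        senders = addresses(msg, "From")
        recipients = (addresses(msg, "To") + addresses(msg, "Cc")
                      + addresses(msg, "Bcc"))
        if person in senders:
            for r in recipients:
                if r != person:
                    counts[r] += 1
        elif person in recipients:
            for s in senders:
                if s != person:
                    counts[s] += 1
    return counts


def radial_layout(counts, outer_radius=1.0):
    """Place each counterparty on a circle around the originator at (0, 0).

    Radius is outer_radius * (min_count / count): the least frequent contact
    sits on the perimeter, the most frequent closest to the center. Angles are
    spread evenly by rank so the plot is deterministic.
    Returns a list of (address, count, radius, angle) tuples, most frequent first.
    """
    if not counts:
        return []
    min_n = min(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    step = 2 * math.pi / len(ranked)
    return [(addr, n, outer_radius * min_n / n, i * step)
            for i, (addr, n) in enumerate(ranked)]


def social_circle(raw_messages, person):
    """Convenience wrapper: counts plus layout for one originator."""
    return radial_layout(contact_counts(raw_messages, person))


if __name__ == "__main__":
    for addr, n, r, theta in social_circle(SAMPLE_MESSAGES, "alice@example.org"):
        x, y = r * math.cos(theta), r * math.sin(theta)
        print(f"{addr:20s} msgs={n} r={r:.2f} at ({x:+.2f}, {y:+.2f})")
```

Two points a practitioner would check before trusting any such picture: counting is direction-aware but symmetric here (a message alice sent to bob and one bob sent to alice each add one to bob's ring position), and addresses that never exchanged mail with the originator, such as eve and frank above, do not appear at all. On a 26,000-message set the parsing is the slow part, not the layout; the counts can be built once and re-plotted per originator.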
All of the difficult mathematical analysis and weighting has been done for the user, who is left only to look at the pretty pictures and draw conclusions. Lest that sound as if I am trivializing this impressive tool set: the pictures are pretty, and that is part of FTK 4's power. It helps the examiner get to the heart of the matter faster so that the real head work – the deep thinking and analysis that only an experienced examiner can perform – can start sooner, resulting in more cases cleared faster and with a higher percentage of wins.
Even though this one seems a bit pricey, for a busy FTK shop – or a shop contemplating moving to FTK – it is worth every penny. I really liked this one and I will be using it in the SC Lab.
At a glance
Product: FTK 4.0 with optional Cerberus and Visualization modules
Price: FTK 4.0: $2,995; Cerberus module: $2,400; Visualization module: $999
What it does: Updates FTK to a new level of functionality by adding the optional Cerberus (malware forensic analysis) and Visualization (files and email) modules.
What we liked: With these two powerful modules, this is my personal computer forensic tool benchmark.
What we didn’t like: Nothing. This is the first serious advance in computer forensic tools in a long time.