Forensic Toolkit, or FTK, as it is generally known, is a mainstay of the computer forensic world. Part of a suite of products that includes mobile phone forensics; an AD Lab that allows multiple investigators to log in, view and analyze data via a web interface; and other ancillary programs, such as FTK Imager, FTK 3.2 is a forensics powerhouse.
The current version offers a worker pool of three machines, as well as an Oracle database, into which all cases are organized during the processing step. This database allows indexed searches that are lightning fast. It also includes other attractive features, such as built-in file and metadata carvers, hash management and live searches (searches that do not use the indexed database, but instead look through the image directly).
While we found some slowness in earlier versions, 3.2 seems to manage the usually bloated Oracle backend database much better. We had no trouble processing a three-computer case that had multiple images and included both Windows and Mac file systems. With more than 1.5 terabytes of images to process, we expected a long wait, but as it turned out, none was needed.
The installation works best if one puts the database on one server and the rest on a workstation. However, users can employ two servers - one for the database and one for the processing engine. FTK 3.2 works efficiently with distributed processing.
As full-featured computer forensic tools go, FTK is priced at the lower end. It is capable of both traditional computer forensics and over-the-network computer forensics, putting it in the same class as other over-the-network tools. Add the free imager - a separate tool that can be downloaded from the website - and the optional registry viewer, and you have a serious production computer forensic tool.
We have been watching this one for some time, and while it has long been considered the law enforcement tool of choice, if you are serious about computer forensics this is the program to have.