One of the distinctions that we still find in cyberforensics is between media forensics and network forensics. While mobile devices once were treated entirely separately from computer disks, today it is common to find these two capabilities combined in a single tool. Such is the case with FTK, the venerable pioneer in the computer forensics world. FTK has been a staple in our lab for years and we were eager to see what the latest release brought us. We were not disappointed.
Setup was pretty much run-of-the-mill. We had received a damaged installer disk but when AccessData support replaced the installers everything went smoothly. The new release found our license dongle from our prior installation and went in flawlessly. Once we had the system installed we were ready for testing. This is a bigger, better and easier to deploy system than in prior years. Back when FTK shipped with an Oracle backend we found performance issues, especially when using it at our student lab at Norwich University. When AD switched to PostgreSQL, everything relating to data management was instantly better - both from a performance and ease of deployment point of view.
This year we saw the inclusion of ElasticSearch, which empowers some analytics that significantly extend the tool's usefulness. Data from the internet, the local area network, mobile devices and computer disks all can be combined into a single case. So, while this is not specifically a network tool, it has plenty of power and capability to consume and analyze network data, especially in the context of other enterprise-wide forensic data.
Another feature that we have used before but has come back in this release with a lot of analytic power is Cerberus. This dog has a lot more than the three heads of the guardian at the gates of Hades. He can catch and analyze pretty much any malware that might appear in the case. While this is not pure reverse engineering as we might see with tools such as IdaPro, it is so close that for forensic purposes it is far more than adequate. Cerberus starts by identifying suspicious files. It then performs an analysis that gives actionable intelligence about the suspicious file. This is a multi-stage process. With each stage the data becomes more granular. Cerberus is an option but, certainly, one we would advise getting.
Once we were up and running, we pulled in data from a test case. Imaging had been done already so we used our test image. Results were immediate and we were able to start analysis at once. After years of using FTK, we wondered if there were going to be features we would find obscure and might require relearning or additional training. Not a bit. For one who is familiar with the FTK of years past, this will be a familiar tool and new features will simply appear as additional functionality. If you never have used FTK, you still will find it very intuitive. Often small shops will use an open source tool, such as Autopsy, and then move to something such as FTK. The transition from the user experience perspective could not be simpler.
Support is up to AccessData's usual fine standards, and documentation - always a strong point in the past (we recall receiving thick, spiral-bound manuals with our install disks in earlier versions) - continues to be first-rate. The website, while a little heavier on marketing than in the past, still has substance and plenty of meat for you during the product selection and deployment process.