Forensic Toolkit (FTK) is a complete platform for digital investigations, developed to assist the work of professionals working in the information security, technology, and law enforcement sectors.
Through innovative technologies used in filters and the indexing engine, the relevant evidence of investigation cases can be quickly accessed, dramatically reducing the time to perform the analysis.
This chapter will cover the first steps needed to install and configure the FTK tool.
Forensic digital investigations include the following processes:
Preparation
Acquisition and preservation
Analysis
Reports and presentation
This process will be discussed in more detail in Chapter 4, Working with FTK Forensics, with the use of FTK forensics and enterprise editions.
The computer forensics tools need to be kept updated to address issues such as an increasing size of hard drives and the use of encryption in order to reduce the time to perform the data acquisition and analysis.
AccessData has two versions of the platform:
FTK forensics: This version of FTK, which will be covered in this book, has the ability to perform the acquisition and analysis of digital devices such as computer hard drives, USB drives, flash memory devices, smartphones, tablets, and other digital media. Its approach is related to a process called post-mortem computer forensics, which happens when the computer has been powered down.
AD Enterprise: In general, AD Enterprise has the same features as the FTK forensics version plus the ability to analyze multiple computers across your company simultaneously. Another important feature of this version is the ability to acquire and analyze volatile data, such as RAM. The investigation process is totally confidential, and the investigated user will not be aware of the analysis, even if it is done through the network and with the target equipment in use.
Once the FTK platform has been acquired, AccessData usually sends the DVDs for product installation and the hardware dongle codemeter with the license of the product.
If not, then it is possible to download the FTK directly from the AccessData website. All other products are also available for download.
In this book, we will use FTK Version 5 onwards, and you can download the product from http://www.accessdata.com/support/product-downloads.
There are two different settings (configuration options) for FTK installation:
One machine: FTK + database
Two machines: FTK + database on separate machines
In general, the specification used for FTK with the PostgreSQL database is shown in the following screenshot:
FTK installation is quite simple, although the components' installation sequence must be respected. AccessData has created a menu to provide support for the correct installation, as can be seen in the following screenshot:
Perform the following steps for installing FTK:
Start the installation process by using the Database component. You can then enter a password to create the PostgreSQL database admin user.
Once the database installation is done, install FTK.
Install the Distributed Engine component, as it is necessary for the correct operation of FTK.
The View User Guide installation is optional, but highly recommended.
To finish the FTK platform installation process, click on the Other Products button and select the components listed as follows:
If the installation has been done correctly, the first step would be to create a user:
Next, you can complete the fields in the form and then click on OK to create the first user. This user will be the application administrator, who will manage the FTK tool. The use of the FTK tool will be discussed in the next few chapters.
This chapter covered the first necessary steps to be performed in order to use the FTK forensics tool. The first step was to understand the difference between standalone and enterprise platforms as it is extremely important to determine the approach to be used in an investigation. This will certainly impact the time of acquisition and data analysis. Another important point was to consider the hardware prerequisites. Keep in mind that more the computing power the hardware has, the faster is the response of their analysis.
The analysis process is really time-consuming, and if not properly scaled, the hardware can have a negative impact on your project.
In the next chapter, you will use FTK Imager, the free version of the platform, which is commonly used for evidence acquisition and preanalysis of data.
