Tag Archives: FTK

FTK Tool Evaluation Update 2

Current Progress

After receiving our team-generated test data, we plugged our test scenario into Forensic ToolKit. It was intriguing to see what Forensic ToolKit would catch from our generated data. The data took a long time to load into FTK, but once it was in the system we could start evaluating processing speed and user […]


EnCase 7.1 and FTK 5.5 Tool Evaluation Part 4

Data Generation

In order to test and examine the new editions of EnCase and FTK, we need a hard drive with existing data to work with. We want to have something specific to look for when we analyze the drives later on, so we are conducting controlled data generation using computers built for this project […]


EnCase 7.1 and FTK 5.5 Tool Evaluation Part 3

EnCase v7.10 Updates

Windows 8.1 and Server 2012 R2 Support

EnCase 7.10, EnCase Examiner, SAFE, and the servlet all support Windows 8.1 and Windows Server 2012 R2. Systems running Windows 8.1 via the Evidence Processor (specifically the Windows Artifact parser) and BitLocker encryption are also supported now, and EnCase system requirements and recommended configurations are […]


EnCase 7.1 and FTK 5.5 Tool Evaluation Part 2

EnCase v7.10 Updates

EnCase Portable Capabilities

EnCase 7.10 comes with full EnCase Portable capabilities. EnCase Portable was a standalone product that worked separately from EnCase Forensic and EnCase Enterprise; with this update it is now included. EnCase Portable is a USB-key-based tool designed for non-expert and on-scene use. The goal […]


EnCase 7.1 and FTK 5.5 Tool Evaluation Introduction

Project Introduction

Over the past few months, Guidance Software and AccessData both released new updates for their computer forensic programs, EnCase and FTK. With EnCase now at update 7.1 and FTK at 5.5, there are new and updated features that should be looked at. We could also use this opportunity to record how long […]

Volume Shadow Copy

Volume Shadow Copy Part 3

What we found in the Volume Shadow Copy for Windows 7

After creating a raw image of the Volume Shadow Copy, we were able to view it in both FTK and EnCase. We most often used EnCase to examine the raw image file and received positive results. We cross-referenced the log of what was […]


Treasure Hunting with FTK, EnCase, and SQLite Databases

The last tools we used to examine PirateBrowser, Mozilla 23, and Firefox Portable were EnCase and FTK. SQLite databases containing lists of the websites visited, as well as the downloads saved by our team, were found on each image. We used a PDF from the SANS blog to assist us in finding the locations of […]


Closer Look at Log2Timeline

Log2Timeline is an open source tool developed by Kristinn Gudjonsson that focuses on creating timelines for digital forensic examination. Because it runs cross-platform, it has become increasingly popular and is bundled with open source forensic tools. The forensic distributions SIFT and TAPEWORM come with log2timeline preinstalled and set as primary tools on their systems. SIFT has a branched version of Log2Timeline that automates the creation of a supertimeline from the command line, while TAPEWORM uses log2timeline but adds a custom graphical interface that simplifies the command for the end user. In addition to Linux distributions, Log2timeline also runs on Microsoft Windows via the command line.