i ii AccessData FTK2 User Guide AccessData Forensic Toolkit LEGAL INFORMATION AccessData Corp. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Corp. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, AccessData Corp. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Corp. reserves the right to make changes to any and all parts of AccessData software, at any time, without any obligation to notify any person or entity of such changes. You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside. © 2008 AccessData Corp. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. AccessData Corp. 384 South 400 West Suite 200 Lindon, Utah 84042 U.S.A. www.accessdata.com AccessData Forensic Toolkit i ACCESSDATA TRADEMARKS • AccessData is a registered trademark of AccessData Corp. • AccessData Certified Examiner is a registered trademark of AccessData Corp. • ACE is a registered trademark of AccessData Corp. • Distributed Network Attack is a registered trademark of AccessData Corp. • DNA is a registered trademark of AccessData Corp. • AccessData eDiscovery is a registered trademark of AccessData Corp. • AccessData Enterprise is a registered trademark of AccessData Corp. • Forensic Toolkit is a registered trademark of AccessData Corp. • FTK is a registered trademark of AccessData Corp. • FTK Imager is a trademark of AccessData Corp. • Known File Filter is a trademark of AccessData Corp. • KFF is a trademark of AccessData Corp. • LicenseManager is a trademark of AccessData Corp. • Password Recovery Toolkit is a registered trademark of AccessData Corp. • PRTK is a registered trademark of AccessData Corp. • Registry Viewer is a registered trademark of AccessData Corp. • Ultimate Toolkit is a registered trademark of AccessData Corp. • UTK is a registered trademark of AccessData Corp. DOCUMENTATION CONVENTIONS In AccessData documentation, a greater-than symbol (>) is used to separate actions within a step. A trademark symbol (®, ™, etc.) denotes an AccessData trademark. An asterisk (*) denotes a third-party trademark. All third-party trademarks and copyrights are property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party items. We value all feedback from our customers. For technical and customer support issues, please email us at [email protected]. For documentation issues, please email us at [email protected]. ii AccessData FTK2 User Guide Contents AccessData Forensic Toolkit...................................................................................................................... i Legal Information............................................................................................... ......................... i AccessData Trademarks................................................................................................ ii Documentation Conventions ........................................................................................... ii Contents................................................................................................................................................... iii Chapter 1 Welcome and Overview .......................................................................................................... 1 Audience ............................................................................................................ ........................ 1 Handling Evidence ............................................................................................. ........................ 1 What is a Case?............................................................................................................ 2 Role of Forensic Toolkit...................................................................................... ........................ 3 Other AccessData Products ................................................................................ ........................ 3 Password Recovery Software ........................................................................................... 3 AccessData Enterprise................................................................................................... 4 AccessData eDiscovery................................................................................................... 4 Product Overview................................................................................................ ........................ 4 Managing a Case................................................................................................ ........................ 5 Defining the Evidence ......................................................................................... ........................ 5 Hashing.........................................................................................................................5 Searching .......................................................................................................................6 Contents iii Known File Filter .......................................................................................................... 6 Presenting Evidence ............................................................................................ ........................ 7 Chapter 2 Installation and Upgrade....................................................................................................... 9 Installation Options............................................................................................ ........................ 9 System Overview................................................................................................. ...................... 10 Estimating hard disk space requirements............................................................. ...................... 11 Installation......................................................................................................... ...................... 11 CodeMeter Stick Installation ....................................................................................... 13 Oracle Installation ....................................................................................................... 13 Single Computer Installation............................................................................... ...................... 18 Installing the FTK PROGRAM........................................................................... 18 Choosing an Evidence Server........................................................................................ 20 Installing the KFF.............................................................................................. ...................... 23 Installing on Separate Computers........................................................................ ...................... 26 Additional Programs.......................................................................................... ...................... 26 Upgrading to FTK 2.1....................................................................................... ...................... 27 Upgrading a Two-Computer Configuration ......................................................... ...................... 32 Chapter 3 Concepts.............................................................................................................................. 33 Starting FTK..................................................................................................... ...................... 33 Setting Up the Application Administrator................................................................... 33 Using the CodeMeter Stick.......................................................................................... 34 Using the Case Manager Window................................................................................ 34 The FTK Window ............................................................................................. ...................... 37 Toolbar Components.................................................................................................... 42 File List Pane ............................................................................................................. 43 Properties Pane ............................................................................................................ 45 Hex Interpreter Pane................................................................................................... 47 File Content................................................................................................................. 49 Using Tabs to Explore and Refine Evidence....................................................... ...................... 52 Explore Tab...............................................................................................................