Why I like Forensic ToolKit (FTK)

James FTK

Sometimes I get asked what software I use most in computer forensics. I promise I’m not a paid spokesperson here, but I’m a big fan of AccessData’s Forensic Toolkit (FTK). I’ve been using different versions since about 2001, and I consider it the primary workhorse in my forensic tool arsenal. The current version is 6.1, which was released in October 2016. (Well, it’s the current one as of the initial posting of this article in February 2017.)

A couple of the key aspects of FTK I enjoy:

Multiple installations: FTK can be installed on multiple computers. To operate on a specific computer, you need a security dongle that you physically attach to that computer. If you want to work on another computer that has FTK installed, though, you can move the dongle and do it — it’s very easy. A lot of computer forensics programs don’t make this easy, which I think is one of the bigger value-adds of the FTK software.

Consistent search results: If you’re in the investigating phase or performing document review — and if you’re searching in FTK or a program like Summation — you can get consistent search results delivered quickly. This is a huge time-saver.

Fairly simple: With so many different tools on the market (for anything, really), I keep coming back to the idea that simplicity is key. FTK is powerful, but it’s deceptively simple. For example: all digital evidence gets shared in one case database. Anyone who needs to access the information has it all in one place. With some other forensics programs, there are multiple datasets — which increases the time and complexity you need to deal with, especially if you’re looping new people or new teams into the process.

Support and training: Their training and support options are world-class.

Visualization: We supposedly live in this era of “Big Data,” which I think is mostly true. But one of the things we miss about Big Data is that when we’ve put together lots of information, we still need a way to present it to people effectively. Many human beings are visual creatures, which makes the visualization aspect of FTK a huge value-add. I can automatically construct timelines and graphically illustrate relationships among parties of interest in a case; I can also use cluster graphs, pie charts, and geolocations. When I’m done with the different visualizations, I can then generate reports that are easily consumed by attorneys, CIOs or other investigators. This is absolutely amazing — and makes the back-and-forth aspect of this work much easier.

That’s my vote, then: FTK. I’ve been around it for almost two decades and I don’t see that changing anytime soon. Had a different experience with FTK, or have another forensics program whose virtues you want to extol? I’d love to hear.