FTK Bootcamp

Level: Beginner.

Duration: 3 days.

The AccessData Bootcamp three-day course provides the knowledge and skills necessary to install, configure, and effectively use Forensic Toolkit (FTK), FTK Imager and Registry Viewer.

Prerequisites

This hands-on class is intended for new users, particularly forensic professionals and law enforcement personnel, who use AccessData forensic software to examine, analyze, and classify digital evidence.

To obtain the maximum benefit from this class, you should meet the following requirements:

Perform basic operations on a personal computer
Have a basic knowledge of computer forensic investigations and acquisition procedures
Be familiar with the Microsoft Windows environment

Class Materials and Software

You will receive the associated materials prior to the course.

During this three-day, hands-on course, participants will perform the following tasks:

Install and configure FTK, FTK Imager, and Registry Viewer
Use FTK Imager to preview evidence, export evidence files, create forensic images and convert existing images
Review Registry Viewer functions, including indexing the registry, creating reports and integrating those reports with your FTK case report
Create a case in FTK
Use FTK to process and analyze documents, metadata, graphics and e-mail
Use bookmarks and check marks to efficiently manage and process case data
Update and customize the KFF database
Create and apply file filters to manage evidence in FTK
Use regular expressions to perform live searches
Import search lists for indexed searches in FTK
Use the FTK Data Carving feature to recover files from unallocated disk space
Create and customize reports

Modules

Module 1: Introduction

Objectives:

Identify the FTK components
List the FTK and PRTK system requirements
Describe how to receive upgrades and support for AccessData tools
Install required applications and drivers

Lab:

Participants will install the UTK components—FTK, KFF Library, FTK Imager, and Registry Viewers

Module 2: FTK Imager 101

Objectives:

Describe standard data storage devices
Identify some common software and hardware acquisition tools
List some common forensic image formats
Use FTK Imager to perform the following functions:
- Preview evidence
- Export data files
- Create a hash to benchmark your case evidence
- Acquire an image of evidence data
- Convert existing images to other formats
Use dockable windows in FTK Imager
Navigate evidence items
Use the properties and interpreters windows
Validate forensic images
Create Custom Content Images
Mount images

Lab:

During the practical participants acquire an image of a thumb drive, then explore the FTK Imager features and functions discussed in the module, including converting an image to a different image format, creating a Custom Content Image, and mounting an image.

Module 3: Registry Viewer 101

Objectives:

Describe which files comprise the Windows Registry
Discuss the elements of the Registry Viewer interface
Identify the key features of the Registry Viewer
Create a basic report from FTK
Determine a user’s time zone setting
Determine a user’s SID
Determine OS installation settings
Determine User Typed URL and Recent Docs

Lab:

During the practical, participants use Registry Viewer to recover information from a sample image. Participants will then generate registry reports for individual registry files.

Module 4: FTK Administration

Objectives:

Effectively use the Case Manager
Create and administer users
Back up, delete, and restore cases
Identify FTK preferences
Create custom profiles
Identify processing options

Lab:

Students will perform basic system functions such as creating user accounts and defining different levels of permissions to a case, managing shared objects, and customizing the FTK interface. Students will also create custom profiles.

Module 5: Case Creation

Objectives:

Review all Tabs in the FTK Examiner
Create Custom Tabs
Work with Dockable Windows

Lab:

Students will walk through the process of case creation, including selection of processing profiles/options, adding of evidence and the selection of custom processing data.

Module 6: Overview of FTK Interface

Objectives:

Review all Tabs in the FTK Examiner
Create Custom Tabs
Work with Dockable Windows

Lab:

Participants will go over the features of all of the tabs within the FTK Examiner Interface

Module 7: Case Analysis

Objectives:

Change time zone display
Sort Functionality
Create and manage bookmarks
Perform Index and Live Searches
Export files and folders
Use the Copy Special and Export File List Info features
Registry Viewer integration within FTK
Generate System Information

Lab:

During the practical, participants will explore the basic capabilities of FTK to analyze case data. The steps performed here will done using a case workflow format. A case scenario will be provided and participants will find and bookmark “evidence” by using the capabilities of the tool.

Module 8: Case Refinement

Objectives:

Using Filters
Performing Additional Analysis
View compound files
Add/ Remove Evidence
Creating a custom KFF hash set
Dealing with Email
Basic Windows Artifact Analysis

Lab:

This practical will continue finding evidence in the previous module case scenario. The skills here will consist of refining the case to find specific data out of larger datasets.

Module 9: Reporting

Objectives:

Modify the case information
Include a list and export bookmarked files
Include thumbnails of case graphics
Link thumbnails to full-sized graphics in the report
Export and link video files and thumbnails
Include a list of directories, subdirectories, files, and file types
Include a list of case files and file properties in the report
Append a registry report to the case report
Generate reports in multiple formats

Lab:

Participants will use the bookmarked data from the previous modules to generate a case report. During the report creation, discussion will be made about the various options that can be selected to get the desired output for the report.

listado completo de cursos