FTK Bootcamp Intermediate
Duration: 3 days.
The AccessData BootCamp – Intermediate three-day course provides the knowledge and skills necessary to install,
configure, and effectively use Forensic Toolkit (FTK), Password Recovery Tool Kit (PRTK) and Registry Viewer.
This hands-on class is intended for intermediate users, particularly forensic professionals and law enforcement
personnel, who use AccessData forensic software to examine, analyze, and classify digital evidence.
To obtain the maximum benefit from this class, you should meet the following requirements:
- Perform most operations on a personal computer
- Have a intermediate knowledge of computer forensic investigations and acquisition procedures
- Be familiar with the Microsoft Windows environment
Class Materials and Software
You will receive the associated materials prior to the course.
During this three-day, hands-on course, participants will perform the following tasks:
- Install and configure FTK, FTK Imager, and Registry Viewer
- Review Registry Viewer functions: also conduct advanced searching and produce registry summary reports
- Conduct more detailed email analysis
- Use advanced processing options of FTK such as: EID, OCR, PhotoDNA, Event Log analysis, and Volume
- Increase abilities to conduct more advanced Index and Live searches
- Create and use more complex filters
- Learn to use the Visualization tool
- Learn the basics of PRTK, including: custom profile creation, creation of custom dictionaries and the breaking of
Module 1: Introduction
- Identify the FTK components
- List the FTK and PRTK system requirements
- Describe how to receive upgrades and support for AccessData tools
- Install required applications and drivers
Participants will install the UTK components—FTK, KFF Library, PRTK, and Registry Viewer
Module 2: FTK Imager 201
- Learn how to make FTK Imager portable
- Use features of FTK Imager in an incident response capacity
- Learn how to extract volatile data from live machines
During the practical participants acquire volatile data from virtual machine, simulating a suspect machine.
Module 3: Registry Viewer 201
- Use basic and advanced searching through the Windows Registry
- Create Registry Summary Reports
- Select keys to put report in a specific order
- Discuss running summary reports during case processing
During the practical, participants use Registry Viewer
to search for specific registry keys and recover
registry artifacts in a specific order, for a custom
report. Students will also create registry summary
reports and select summary reports to be run during
Module 4: Case Setup
- Optimum Setup
- Configuring Preferences
- Archive and Backup Operations
- Copying a case from an older version of FTK to a newer version.
Students will learn how to copy a case from one version of FTK to another and perform backup and archive functions for cases.
Module 5: Email Analysis
- Review Email tab
- Learn about the function of Persons of Interest
- Describe the different abilities of FTK to export email
- Use the features of email threading
Students will walk through a case containing processed email and see the full abilities of FTK to deal with email.
Module 6: Disk Analysis Features
- Learn about the FTK Disk Viewer
- Use the Deleted Partition Finder
- Conduct Image Verification
- Use the Meta Carve feature
Participants will go over the features listed in the topics above, using various evidence files.
Module 7: Advanced Processing Options
Students will use each of the below listed advanced processing options of FTK:
- Analyze Windows Event Logs
- Explicit Image Detection
- Optical Character Recognition
- Examining Videos
- XRY images and UFDR reports
- Language Identification
- Entity Extraction
- Document Content Analysis (DCA)
- Volume Shadow Copy
During the practical, participants will explore the advanced capabilities of FTK to analyze case data.
The steps performed here will walk through the
usage of each of the advanced processing options
listed above, using various evidence files and cases.
Module 8: Advanced Searching
Students will conduct live and index searches using the follow features of the search tabs:
- Live Search Options
- Index Search
- Indexing Options
- Conducting an Index Search
- Importing/Exporting Search Terms
- Search Operators
- Searching for a phrase
- Boolean Searches
- Searching Options
- TR1 Regular Expressions
Students will see how to make searches more effective by making subtle to advanced changes to index options and search parameters.
Module 9: Advanced Filtering
- Defining of global filters to manage case items
- Filters with multiple rules
- Filter Nesting
- Compound Filtering
- Tab Filters
Participants will build and use complex filters to take large amounts of data and find specific items within that dataset.
Module 10: Visualization
- Launch the Visualization tool.
- Describe the Visualization page.
- Use Timeline views to review case data.
- Select a Theme.
- Use the Visualization function to review file data.
- Use the Visualization function to process email data.
- Perform an Email Social Analysis.
- Examine Email Traffic details.
- Visualize Internet browser history.
- Use the Geolocation function to map evidence items that have geolocation information associated with them.
Students learn how to use the functionality of the Visualization interface.
Module 11: PRTK 101
- Navigate within the PRTK interface
- Identify the available password recovery modules and their associated attack types
- Import user-defined dictionaries and FTK word lists to use in a password recovery attack
- Create biographical dictionaries
- Set up profiles
- Explain what a PRTK profile is and how it is used
- Recount the AccessData Methodology
During the labs, participants will use PRTK to recover passwords from data files. Students will also
apply the AccessData Methodology to decrypt files in a sample image. This process will require students to
export the FTK case index and Registry Viewer’s registry index to create a custom dictionary, create a biographical
dictionary and custom profiles, then re-apply intel gathered from decrypted files to attack other encrypted files.