AccessData FTK Administration - PDF

Summary

This document is a presentation on AccessData FTK (Forensic Toolkit) administration. It covers essential elements such as case management, user administration, backup/restore procedures, and the KFF install process. The module reviews FTK components, creating users, preferences, and the use of custom processing profiles.

Full Transcript

AccessData FTK Administration

Module Objectives
- FTK Components
- Creating Users/Assigning Privileges
- FTK Tools and Preferences
- Global Objects
- KFF Install
- Custom Processing Profiles

FTK Components
The Forensic Tool Kit is comprised of three main components:
- Database (PostgreSQL or Microsoft SQL): holds the data
- FTK Graphical User Interface (GUI): interacts with the database
- Known File Filter Server: contains the Data Sets (hash values)

Case/Database Manager
- Manage Database
- Create Users
- Case Creation
- Case Management
- Tools and Preference Configuration
- Object Management

Application Administrator
- The first user account is the Application Administrator

Creating Users
- Trusted User uses Windows login credentials for FTK access

Creating Users
- Application Administrator
- Case Administrator
- Case Reviewer

Changing Passwords
- Each user has the ability to change their own password

Changing Passwords
- Application Administrators do not need to know the original password
- Application Administrators can change any user password

Disable/Enable User Accounts
- Application Administrators can disable and enable user accounts
- Accounts cannot be deleted

Assigning Users to a Case
Users are assigned by the Case Administrator or the Application Administrator:
- Administrators have full access
- Reviewers have restricted access

Backup a Case
- Don’t create the Backup folder first; FTK will create the folder during the backup process
- Don’t forget to copy your evidence files!

Archive a Case
- Will create an archive in the case folder
- Don’t forget to copy your evidence files!

Archive/Detach a Case
- Will conduct the Archive action and then detach the case from the database
- Don’t forget to copy your evidence files!

Delete a Case
- Deletion will not only delete the case from the database but will also delete your case folder

Restore a Case Backup
- Don’t forget to replace your evidence files!

Attach a Case Archive
- Don’t forget to replace your evidence files!

Recover Processing Job
- Processing jobs that become stuck may be able to be recovered/restarted
- To recover a processing job: select the desired job, then choose Restart

Database Preference
Some database preferences can be adjusted:
- Temporary file path
- Visualization themes
- DB Optimization and KFF Configuration

Manage Global Objects
- Most Global objects must be managed by the Application Administrator
- Case Administrator can only manage: KFF

Manage Global Objects
- Objects created here are available in all cases
- Objects can only be managed by the Application Administrator
- Case Administrators can manage objects by making them shared from within a case
- Case Reviewers cannot manage any objects

KFF Install
- Server for KFF
- Utility needed to import NSRL Data

KFF Install
- Extract to a folder on the local hard drive

What is a Processing Profile?
- Saved list of frequently used processing options
- Improves efficiency
- Provides consistency in casework
- Available for all cases

Custom Processing Profile
- Can be case specific or specific to a forensic examiner
- Custom profiles can also be set as default
- Custom profiles can be exported for use on other installations of FTK

Module Review
- FTK Components
- Creating Users/Assigning Privileges
- FTK Tools and Preferences
- Global Objects
- KFF Install
- Custom Processing Profiles
