II. Navigating FTK

Using FTK’s case interface can feel unfamiliar at first. This section covers the basics of navigating a case in FTK, including the filter bar, the most common panes and views, and the Quick Pick feature.

Filter bar

The filter bar holds the tools for filtering items and arranging the interface. Its functions are:

  1. Filter toggle: Toggles the active filter on and off. This is helpful for quickly hiding the active filter(s) without needing to use the filter manager.

  2. Filter selection menu: A drop-down menu for selecting a filter from the list of default and custom filters.

  3. Filter manager: Opens the filter manager dialog. The filter manager is discussed in more detail in the Filters section of the user guide.

  4. Quick Pick toggle: Enables and disables the Quick Pick feature.

  5. Pane movement toggle: Enables and disables the ability to organize the visible panes, pop out panes into their own windows, and set pane boundaries.

  6. Screenshot: Click and drag a selection of the application to take a screenshot. Screenshots save to the FTK_CASES directory on the H: drive.

  7. Communication participants dialog: An advanced feature used to track Internet message participants. This feature is rarely used in our work.

  8. FTK Plus launcher: FTK Plus is a review version of FTK with a simplified interface and stripped-down features. Launching FTK Plus from this button is not the recommended method.

Figure 1. The Filter bar.

Explore tab

The Explore tab is the first case viewing tab. Use it to view the case as a list of disks and file hierarchies. Of all the tabs, the Explore tab most closely mimics the records creator’s own experience, because you drill down into individual disks and folders. Combined with the Quick Pick feature and disk carrier information from BDT, the Explore tab can be an effective processing approach.

Figure 2. The Explore tab.

Explore tab panes

The three default view panes in the Explore tab are:

  1. Explorer tree: The list of disk images in a case, which can be expanded to drill down into folders. Only containers of files (folders, disks, partitions, or some files with embedded files) appear in the explorer tree. Select any disk, file system, file root, or folder to see its item contents in the file list.

  2. File list: Shows all items contained in the selected evidence hierarchy. See the File List section of the user guide for more information.

  3. File content viewer: Presents the file selected in the file list. See the File Content section of the user guide for more information.

Quick Pick

A unique and highly useful method of selecting evidence in the Explore tab is the Quick Pick feature. Next to each hierarchical object in the explorer tree is a hollow arrow. With the Quick Pick toggle enabled, click an arrow to turn it green. The file list then includes every item under the selected hierarchy, including items in child folders.

Overview tab

While the Explore tab shows the case content drilldown by disk and folder, the Overview tab collects all items in the case and organizes them by their characteristics. Using the Overview tab as a processing approach leverages the impressive indexing and analysis abilities of the FTK software.

Like the Explore tab, the Overview tab includes the file list and the file content viewer as default panes. Unlike the Explore tab, the Overview tab includes the Case Overview tree. The Overview tree lists file characteristics, with the filtered item count and the total item count shown next to each characteristic.

The Case Overview tree allows drilldown by the following characteristics:

  1. Evidence Groups: Custom groupings defined by the user.

  2. File Items: Evidence organized by disk carriers, checked items, and unchecked items.

  3. File Extension: Items organized by extension. Items do not always have an extension. For example, folders and unallocated space on a disk never have extensions. In addition, not all file systems require files to have extensions relevant to their file format. Be cautious when using the File Extension characteristic to locate files of a given format.

  4. File Category: Perhaps the most useful node in the Overview tab. Select File Category to list every indexed item in the case, or expand it to drill down by category. FTK categorizes files by their file headers rather than their names, so files without extensions, or with misleading extensions, are still identified. Files whose header FTK does not recognize are collected in a single category for unknown file types.

  5. File Status: Files by unique characteristics, such as deleted files, files found in a hard drive’s recycle bin, and email attachments.

  6. Email Status: Advanced characteristics for items from email categories, such as reply messages.

  7. Labels: Items from user-defined labels.

  8. Bookmarks: Similar information as the Bookmark tab. Use the Bookmark tab for more complex features.

  9. Cluster Topics: An advanced evidence processing feature that can cluster near-duplicates and other complex file characteristics. Schlesinger does not use this.

  10. Document Content: An advanced evidence processing feature that can analyze documents. Schlesinger does not use this.

  11. Mobile Device Application: An advanced evidence processing feature that can analyze characteristics from items created on mobile devices. Schlesinger does not use this.

  12. Web Page Category: An advanced evidence processing feature that can analyze characteristics from items used for web sites. Schlesinger does not use this.
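The File Extension caveat and the header-based File Category node above describe the same underlying point: the name a file carries is a claim, while its leading bytes are evidence. The Python script below is an added illustration of that point, not FTK’s own code or part of the Schlesinger workflow. It categorizes a handful of constructed sample files by a hand-picked subset of well-known file signatures, collapses anything unrecognized into one Unknown category, tallies items per category the way the Overview tree shows counts, and flags files whose extension disagrees with their header. Note the limit of this technique: a header identifies only the outer container, so a .docx appears here as a ZIP archive, and a fuller tool has to look inside the container to separate Office documents from plain archives.

```python
"""Header (signature) based file categorization.

Added example, not FTK's code. The signature table is a hand-picked subset of
well-known magic numbers and the sample files are constructed byte strings."""

from collections import Counter

UNKNOWN = "Unknown"

# (magic bytes, category), all checked at offset 0; most specific first.
SIGNATURES = [
    (b"%PDF-", "Documents/PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Documents/Microsoft Office (OLE2)"),
    (b"PK\x03\x04", "Archives/ZIP container"),   # .docx/.xlsx/.pptx are ZIPs too
    (b"\x89PNG\r\n\x1a\n", "Graphics/PNG"),
    (b"\xff\xd8\xff", "Graphics/JPEG"),
    (b"GIF87a", "Graphics/GIF"),
    (b"GIF89a", "Graphics/GIF"),
    (b"MZ", "Executables/Windows PE"),
    (b"\x7fELF", "Executables/ELF"),
]

# What each extension claims to be, in the same category vocabulary.
EXPECTED_BY_EXTENSION = {
    "pdf": "Documents/PDF",
    "doc": "Documents/Microsoft Office (OLE2)",
    "xls": "Documents/Microsoft Office (OLE2)",
    "ppt": "Documents/Microsoft Office (OLE2)",
    "docx": "Archives/ZIP container",
    "xlsx": "Archives/ZIP container",
    "zip": "Archives/ZIP container",
    "png": "Graphics/PNG",
    "jpg": "Graphics/JPEG",
    "jpeg": "Graphics/JPEG",
    "gif": "Graphics/GIF",
    "exe": "Executables/Windows PE",
    "dll": "Executables/Windows PE",
}


def identify_by_header(data: bytes) -> str:
    """Categorize content by its leading bytes. Unrecognized headers all
    fall into one Unknown category, like FTK's single unknown bucket."""
    for magic, category in SIGNATURES:
        if data.startswith(magic):
            return category
    return UNKNOWN


def extension_of(name: str) -> str:
    """Lowercase extension without the dot; '' for 'README' or '.bashrc'."""
    base = name.rsplit("/", 1)[-1]
    root, dot, ext = base.rpartition(".")
    return ext.lower() if dot and root else ""


def triage(name: str, data: bytes) -> tuple[str, str]:
    """Return (header_category, verdict). The verdict records whether the
    extension agrees with the content: 'match', 'mismatch', 'no-extension',
    'unmapped-extension' (extension not in our table) or 'unknown-header'."""
    header = identify_by_header(data)
    if header == UNKNOWN:
        return header, "unknown-header"
    ext = extension_of(name)
    if not ext:
        return header, "no-extension"
    expected = EXPECTED_BY_EXTENSION.get(ext)
    if expected is None:
        return header, "unmapped-extension"
    return header, "match" if expected == header else "mismatch"


def category_counts(files: dict[str, bytes]) -> Counter:
    """Tally items per header category, like the counts beside each node
    in the Case Overview tree."""
    return Counter(identify_by_header(data) for data in files.values())


# Constructed sample "files": realistic headers, not real evidence.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "minutes.doc": OLE2,          # extension and header agree
    "notes": OLE2,                # Word file saved without an extension
    "photo.doc": JPEG,            # JPEG renamed with a .doc extension
    "agenda.docx": b"PK\x03\x04\x14\x00\x06\x00[Content_Types].xml",
    "mystery.bin": b"\x00\x01\x02\x03 not a known format",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        category, verdict = triage(name, data)
        print(f"{name:14} {category:36} {verdict}")
    print(category_counts(SAMPLE_FILES))
```

Running the script shows "notes" landing in the Office category despite having no extension, "photo.doc" flagged as a mismatch because its bytes are a JPEG, and "mystery.bin" counted once under Unknown; those three cases are exactly the ones the File Extension node would misplace or miss.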

Select a file characteristic in the Case Overview tree to open the contents in the file list. Select an item in the file list to present it in the file content viewer.

While file filtering is discussed more comprehensively in the Filters section of the user guide, filtering is also a highly useful way to examine files in the Overview tab. The example in Figure 7 shows the list of all Microsoft Document files in a case, filtered to show only files created in 1995 and 1996. Combining the Overview tree with filters is one of the most powerful ways to make the most of the tab’s features.

Copyright © 2024 The President and Fellows of Harvard College