Forensic Toolkit (FTK) - Bristolcc.edu


Forensic Toolkit (FTK)
DRAFT
User Guide

AccessData Legal and Contact Information

Document date: April 3, 2017

Legal Information

© 2017 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

AccessData Group, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, AccessData Group, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, Inc. reserves the right to make changes to any and all parts of AccessData software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

AccessData Group, Inc.
588 West 400 South
Suite 350
Lindon, UT 84042
USA

AccessData Trademarks and Copyright Information

The following are either registered trademarks or trademarks of AccessData Group, Inc. All other trademarks are the property of their respective owners.

AccessData, DNA, PRTK, AccessData Certified Examiner (ACE), Forensic Toolkit (FTK), Registry Viewer, AD Summation, Mobile Phone Examiner Plus, Summation, Discovery Cracker, MPE Velocitor, SilentRunner, Distributed Network Attack, Password Recovery Toolkit

AccessData Legal and Contact Information 2

A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. With few exceptions, and unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party products.

Third party acknowledgements:

FreeBSD © 1992-2011. The FreeBSD Project.

AFF and AFFLIB Copyright 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology Corp. All rights reserved.

Copyright 2005 - 2009 Ayende Rahien

BSD License:

Copyright (c) 2009-2011, Andriy Syrov. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer; Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution; Neither the name of Andriy Syrov nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

WordNet License:

This license is available as the file LICENSE in any downloaded version of WordNet.

WordNet 3.0 license: (Download)

WordNet Release 3.0. This software and database is being provided to you, the LICENSEE, by Princeton University under the following license. By obtaining, using and/or copying this software and database, you agree that you have read, understood, and will comply with these terms and conditions: Permission to use, copy, modify and distribute this software and database and its documentation for any purpose and without fee or royalty is hereby granted, provided that you agree to comply with the following copyright notice and statements, including the disclaimer, and that the same appear on ALL copies of the software, database and documentation, including modifications that you make for internal use or for distribution. WordNet 3.0 Copyright 2006 by Princeton University. All rights reserved. THIS SOFTWARE AND DATABASE IS PROVIDED "AS IS" AND PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. The name of Princeton University or Princeton may not be used in advertising or publicity pertaining to distribution of the software and/or database.

Title to copyright in this software, database and any associated documentation shall at all times remain with Princeton University and LICENSEE agrees to preserve same.

XMLmind XSL-FO Converter Professional Edition Developer License Agreement:

Distribution

Licensee may not distribute with the Application any component of the Software other than the binary class library (xfc.jar) for the Java version and the Dynamic Link Library file (xfc.dll) for the .NET version. Licensee shall include the following copyright notice: "XMLmind XSL-FO Converter Copyright 2002-2009 Pixware SARL", with every copy of the Application. This copyright notice may be placed together with Licensee's own copyright notices, or in any reasonably visible location in the packaging or documentation of the Application. Licensee may use, distribute, license and sell the Application without additional fees due to Licensor, subject to all the conditions of this License Agreement.

Documentation Conventions

In AccessData documentation, a number of text variations are used to indicate meanings or actions. For example, a greater-than symbol (>) is used to separate actions within a step. Where an entry must be typed in using the keyboard, the variable data is set apart using [variable data] format. Steps that require the user to click on a button or icon are indicated by Bolded text. This Italic font indicates a label or non-interactive item in the user interface.

A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. Unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party products.

Registration

The AccessData product registration is done at AccessData after a purchase is made, and before the product is shipped. The licenses are bound to either a USB security device, or a Virtual CmStick, according to your purchase.

Subscriptions

AccessData provides a one-year licensing subscription with all new product purchases. The subscription allows you to access technical support, and to download and install the latest releases for your licensed products during the active license period.

Following the initial licensing period, a subscription renewal is required annually for continued support and for updating your products. You can renew your subscriptions through your AccessData Sales Representative.

Use License Manager to view your current registration information, to check for product updates and to download the latest product versions, where they are available for download. You can also visit our web site, www.accessdata.com, anytime to find the latest releases of our products.

For more information, see Managing Licenses in your product manual or on the AccessData website.

AccessData Contact Information

Your AccessData Sales Representative is your main contact with AccessData. Also, listed below are the general AccessData telephone number and mailing address, and telephone numbers for contacting individual departments.

Mailing Address and General Phone Numbers

You can contact AccessData in the following ways:

AccessData Mailing Address, Hours, and Department Phone Numbers

Corporate Headquarters:
AccessData Group, Inc.
588 West 400 South
Suite 350
Lindon, UT 84042 USA
Voice: 801.377.5410; Fax: 801.377.5426

General Corporate Hours:
Monday through Friday, 8:00 AM – 5:00 PM (MST)
AccessData is closed on US Federal Holidays

State and Local Law Enforcement Sales:
Voice: 800.574.5199, option 1; Fax: 801.765.4370
Email: Sales@AccessData.com

Federal Sales:
Voice: 800.574.5199, option 2; Fax: 801.765.4370
Email: Sales@AccessData.com

Corporate Sales:
Voice: 801.377.5410, option 3; Fax: 801.765.4370
Email: Sales@AccessData.com

Training:
Voice: 801.377.5410, option 6; Fax: 801.765.4370
Email: Training@AccessData.com

Accounting:
Voice: 801.377.5410, option 4

Technical Support

Technical support is available on all currently licensed AccessData solutions.

You can contact AccessData Customer and Technical Support in the following ways:

AccessData Support Portal
You can access the Chat, Knowledge Base, Discussion Boards, White Papers and more through the AccessData Support Portal:
https://support.accessdata.com

E-Mail
Asia-Pacific:
800-658-5199 (North America)

Support Hours: Mon-Fri, 7:00 AM – 6:00 PM (MST), except corporate holidays.

NOTE: Emergency support is available on weekends: Saturday and Sunday 8:00am – 6:00pm MST via support@accessdata.com

Documentation

Please email AccessData regarding any typos, inaccuracies, or other problems you find with the

Professional Services

The AccessData Professional Services staff comes with a varied and extensive background in digital investigations including law enforcement, counter-intelligence, and corporate security. Their collective experience in working with both government and commercial entities, as well as in providing expert testimony, enables them to provide a full range of computer forensic and eDiscovery services.

At this time, Professional Services provides support for sales, installation, training, and utilization of Summation, FTK, FTK Pro, Enterprise, eDiscovery, Lab and the entire Resolution One platform. They can help you resolve any questions or problems you may have regarding these solutions.

Contact Information for Professional Services

Contact AccessData Professional Services in the following ways:

AccessData Professional Services Contact Information

Contact Method    Number or Address
Phone             North America Toll Free: 800-489-5199, option 7
                  International: 1.801.377.5410, option 7
Email             services@accessdata.com

Table of Contents

AccessData Legal and Contact Information  2
Table of Contents  7

Part 1: Introducing Forensic Toolkit (FTK)  24

Chapter 1: Introducing AccessData Forensic Toolkit (FTK)  25
    Overview of Investigating Digital Evidence  25
    About Acquiring Digital Evidence  26
        Types of Digital Evidence  26
        Acquiring Evidence  26
    About Examining Digital Evidence  27
    About Managing Cases and Evidence  28
    What You Can Do With the Examiner  29
        About Indexing and Hashing  29
        About the Known File Filter Database  29
        About Searching  30
        About Bookmarking  30
        About Presenting Evidence  30

Chapter 2: Getting Started with the User Interface  31

Part 2: Administrating Forensic Toolkit (FTK)  33

Chapter 3: Application Administration  34
    Initializing the Database and Creating an Application Administrator Account  35
    Changing Your Password  36
    Recovering a Password  36
        Creating a Password Reset File  36
        Resetting your Password  37
    Setting Database Preferences  38
    Managing Database Sessions  38
    Optimizing the Database for Large Cases  38
    Creating Databases for Individual Cases  39
    Managing KFF Settings  39
    Recovering and Deleting Processing Jobs  40
    Restoring an Image to a Disk  40
    Database Integration with other AccessData Products  41
        Web Viewer  41
    Adding New Users to a Database  42
    About Assigning Roles to Users  42
        About Additional Roles  43
        About Predefined Roles  43
        Assigning Initial Database-level Roles to Users  46
        Assigning Additional Case-level Roles to Users  46
    Assigning Users Shared Label Visibility  47
    Setting Additional Preferences  47
        Choosing a Temporary File Path  47
        Providing a Network Security Device Location  47
        Setting Theme Preferences for the Visualization Add on  48
        Optimizing the Case Database  48
    Managing Global Features  48
        Managing Shared Custom Carvers  48
        Managing Custom Identifiers  49
        Managing Columns  50
        Managing File Extension Maps  50
        Managing Filters  51

Part 3: Case Management  52

Chapter 4: Introducing Case Management  53
    About Case Management  53
    The User Interfaces  53
    About the Cases List  54
    Menus of the Case Manager  55
    Menus of the Examiner  61

Chapter 5: Creating and Configuring New Cases  73
    Opening an Existing Case  73
    Creating a Case  74
    Configuring Detailed Options for a Case  75
        About Processing Options  75
        Configuring Default Processing Options for a Case  76
        Using Processing Profiles  77
        Manually Customizing a set of Detailed Options  81
    Evidence Processing Options  82
        Expanding Compound Files  85
        Using dtSearch Text Indexing  88
        Configuring Case Indexing Options  88
        Data Carving  91
        Running Optical Character Recognition (OCR)  95
        Using Explicit Image Detection  96
        Including Registry Reports  97
        Send Email Alert on Job Completion  98
        Custom File Identification Options  98
        Creating Custom File Identifiers  98
        Configuring Evidence Refinement (Advanced) Options  100
        Refining Evidence by File Status/Type  101
        Selecting Index Refinement (Advanced) Options  102
        Selecting Lab/eDiscovery Options  104
    Adding Evidence to a New Case  107
        Working with Volume Shadow Copies  107
    Converting a Case from Version 2.2 or Newer  107

Chapter 6: Managing Case Data  108
    Backing Up a Case  109
        About Performing a Backup and Restore on a Multi-Box Installation  109
        Performing a Backup of a Case  109
        Performing a Database-only Backup  110
    Archiving a Case  111
    Archiving and Detaching a Case  112
    Attaching a Case  113
    Restoring a Case  114
    Deleting a Case  115
        Storing Case Files  115
    Migrating Cases Between Database Types  115

Chapter 7: Working with Evidence Image Files  117
    Verifying Drive Image Integrity  117
    Mounting an Image to a Drive  118
    Benefits of Image Mounting  118
    Characteristics of a Logically Mounted Image  119
    Characteristics of a Physically Mounted Image  119
    Mounting an Image as Read-Only  119
    Mounting a Drive Image as Writable  120
    Unmounting an Image  121
    Restoring an Image to a Disk  121
    Performing Final Carve Processing  121
    Recovering Processing Jobs  122

Chapter 8: Working with Static Evidence  123
    Static Evidence Compared to Remote Evidence  123
    Acquiring and Preserving Static Evidence  124
    Adding Evidence  124
    Working with Evidence Groups  128
    Selecting Evidence Processing Options  129
    Selecting a Language  130
    Examining Data in Volume Shadow Copies  131
        About Restore Point Processing Options  132
        Managing Restore Points  133
        Viewing Restore Point Data  133
    Using Additional Analysis  135
        Hashing  140
        Data Carving  140
        Viewing the Status and Progress of Data Processing and Analysis  142
    Viewing Processed Items  143

Chapter 9: Working with Live Evidence  144
    About Live Evidence  144
        Types of Live Evidence  145
        Adding Local Live Evidence  145
    Methods of Adding Remote Live Evidence  146
        Requirements for Adding Remote Live Evidence  146
    Adding Evidence with the Temporary Agent  147
        Pushing the Temporary Agent  147
        Manually Deploying the Temporary Agent  148
    Adding Data with the Enterprise Agent  149
        Methods of Deploying the Enterprise Agent  149
        Creating Self-signed Certificates for Agent Deployment  149
        Configuring Communication Settings for the Enterprise Agent Push  150
        Pushing the Enterprise Agent  151
        Removing the Enterprise Agent  152
        Connecting to an Enterprise Agent  152
        Adding Remote Data with the Enterprise Agent  152
        Acquiring Drive Data  155
        Acquiring RAM Data  156
        Importing Memory Dumps  157
        Unmounting an Agent Drive or Device  157

Chapter 10: Filtering Data to Locate Evidence  158
    About Filtering  158
        Types of Filters  159
        What You Can Do with Filters  159
    Understanding How Filters Work  161
        Viewing the Components of Filters  161
        Viewing Details about Attributes that Filters use  161
    Using Simple Filtering  162
        Using Global Filters  162
        Using Tab Filters  162
        How Global Filters and Tab Filters can work Together  163
        Using Filters with Category Containers  163
        Using Filters with Reports  163
        Viewing the Filters that you have Applied  164
    Using Filtering with Searches  165
        Adding a Search Filter to Live Searches  165
        Adding a Search Filter to Index Searches  165
    Using Compound Filters  166
        Applying Compound Filters  166
    Using Custom Filters  167
        About Nested Filters  167
        Creating a Custom Filter  167
        Copying Filters  168
        Editing a Custom Filter  168
    Sharing, Importing, and Exporting Filters  169
        Sharing Custom Filters Between Cases  169
        Importing Filters  169
        Exporting Filters  169
    Types of Predefined Filters  170
    Using the Persons of Interest Filter  174
        Creating a List of Communication Participants  174
        Creating a Rule within People Finder  175
        Searching for Data within People Finder  175
        Creating a Communication Filter within People Finder  175
        Fields Searched when using Persons of Interest  176

Chapter 11: Working with Labels  177
    What You Can Do With Labels  177
    Creating a Label  178
    Applying a Label  178
    Managing Labels  179
    Managing Label Groups  180

Chapter 12: Decrypting Files  181
    About Decrypting Files  181
        About the Encrypted File Passwords List  183
    Identifying the Encrypted Files in a Case  185
    Using PRTK/DNA Integration  186
        Decrypting Files Using the Automatic Decryption Processing Option  186
        Decrypting Files Using Right-Click Auto Decryption  187
    Recovering Unknown Passwords of Encrypted Files  188
        About Recovering Passwords using the PRTK/DNA Integrated Tool with Examiner  188
        Recovering Passwords using the PRTK/DNA Integrated Tool  188
    Decrypting Other Encryption Types  190
        Decrypting EFS  190
        Decrypting Microsoft Office Digital Rights Management (DRM) Protected Files  191
        Decrypting Dropbox DBX Files  192
        Decrypting Lotus Notes Files  193
        Decrypting S/MIME Files  193
        Decrypting Credant Files (Dell Data Protection Encryption Server)  194
        Decrypting Bitlocker Partitions  196
        Decrypting Safeguard Utimaco Files  197
        Decrypting SafeBoot Files  199
        Decrypting Guardian Edge Files  199
        Decrypting an Image Encrypted With PGP WDE  199
    Viewing Decrypted Files  201

Chapter 13: Exporting Data from the Examiner
    Copying Inf
