Forensic Toolkit® (FTK® 4) is recognized around the world as the standard in computer forensics software. This court-accepted digital investigations platform is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs.

New expansion modules deliver industry-first malware analysis and state-of-the-art visual analytics as part of an integrated platform.

Cerberus

Cerberus is a malware triage technology that is available as an add-on for FTK 4. The first step towards automated reverse engineering, Cerberus provides threat scores and disassembly analysis to determine both the behavior and intent of suspect binaries.

Visualization

View data in multiple display formats, including timelines, cluster graphs, pie charts and more. Quickly determine relationships in the data, find key pieces of information, and generate reports that are easily consumed by attorneys, CIOs or other investigators.

Product Details:

An Integrated Computer Forensics Solution

  • Create images, process a wide range of data types from forensic images to email archives, analyze the registry, conduct an investigation, decrypt files, crack passwords, and build a report all with a single solution.
  • Recover passwords from 100+ applications.
  • KFF hash library with 45 million hashes.
  • Advanced, automated analysis without the scripting.

DON’T LOSE WORK DUE TO CRASHING

Unlike other products on the market, FTK is database-driven, so you won’t experience the crashing associated with memory-based tools. In addition, FTK components are compartmentalized: if the GUI crashes, for example, the processing workers continue to process data.

UNMATCHED PROCESSING SPEEDS

FTK is different from other computer forensics solutions in that it processes data up front, so you’re not wasting time waiting for searches to execute during the analysis phase. In addition, the product is designed to provide the fastest, most accurate and consistent forensic processing possible, with distributed processing and true multi-threaded / multi-core support. Every copy of FTK includes a total of 4 processing workers – 1 on the examiner machine and 3 distributed. If you are interested in having multiple examiners share a common processing farm and centralized database for collaborative analysis, please contact your sales representative to inquire about AccessData Lab.

  • Wizard-driven processing ensures no data is missed.
    • Cancel/Pause/Resume functionality
    • Real-time processing status
    • CPU resource throttling
    • Email notification upon processing completion
  • Pre- and post-processing refinement
  • Advanced data carving engine allows you to specify criteria, such as file size, data type and pixel size to reduce the amount of irrelevant data carved while increasing overall thoroughness.

SINGLE-NODE ENTERPRISE

Install a persistent agent on a single computer to enable the remote analysis and incident response capabilities of AD Enterprise. Preview, acquire and analyze hard drive data, peripheral device data, and volatile/memory data on Windows®, Apple® OS, UNIX® and Linux® machines. Uninstall the agent at any time, and push it out to a different computer for multi-machine analysis.

  • Easy, wizard-driven agent deployment.
  • Secure remote device mounting using the Pico agent.

ADVANCED VOLATILE / MEMORY ANALYSIS

  • Supports 32-bit and 64-bit Windows® OS
  • Comprehensive analysis of volatile data
  • Static RAM analysis from an image or against a live system
    • Enumerate all running processes, including those hidden by rootkits, and display associated DLLs, network sockets and handles in context.
    • Dump a process and associated DLLs for further analysis in third-party tools.
    • Memory string search allows you to identify hits in memory and automatically map them back to a given process, DLL or piece of unallocated space and dump the corresponding item.
    • FTK 4 now provides VAD tree analysis, exposes registry artifacts in memory, and parses and displays handle information from memory.

“MAC features… that can’t be found in any other Windows Analysis Tool.”

- Ryan Kubasiak, www.AppleExaminer.com

  • Process B-tree attributes for metadata
  • PLIST support
  • SQLite database support
  • Apple DMG and DD_DMG disk image support
  • JSON file support

FASTER, MORE COMPREHENSIVE INDEX AND BINARY SEARCHING

FTK processes and indexes your data up front, so search and analysis are faster than in other products. Leveraging the powerful dtSearch engine, as well as a full-featured regular expression engine for binary searches, FTK produces fast and accurate results.

  • New in FTK 4: Regular expression support in index searching allows you to search for advanced combinations of characters within indexed data.

BROAD FILE SYSTEM, FILE TYPE AND EMAIL SUPPORT

  • Support for 700+ image, archive and file types
  • Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, etc.), Netscape, AOL and RFC 833
  • Process and analyze DMG (compressed and uncompressed), Ext4, exFAT, VxFS (Veritas File System), Microsoft VHD (Microsoft Virtual Hard Disk), Blackberry IPD backup files, Android YAFFS / YAFFS 2 and many more.
  • Create and process Advanced Forensic Format (AFF) images.

BROAD ENCRYPTION SUPPORT

  • Automatically decrypt (with proper credentials) Credant, SafeBoot, Utimaco, SafeGuard Enterprise and Easy, EFS, PGP, GuardianEdge, Pointsec and S/MIME.
  • FTK is the only computer forensics solution that can identify encrypted PDFs.

EXPLICIT IMAGE DETECTION (EID) ADD-ON

This image detection technology not only recognizes flesh tones, but has been trained on a library of more than 30,000 images to enable auto-identification of potentially pornographic images.

RICH REPORTING

  • Generate detailed reports in native format, HTML, PDF, XML, RTF, and more – with links back to the original evidence.
  • Define Registry Supplemental Reports (RSR) during pre-processing or additional analysis.
  • See which files could not be processed or indexed with the Processing Exception/Case Info report.
  • Create a CSV of processed files that can be imported into Excel or a database application.
  • Export MSGs for all supported email types.

AccessData, Forensic Toolkit and FTK are registered trademarks owned by AccessData in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Any reference to non-AccessData marks is for the purpose of enumerating the technologies AccessData solutions will address during the course of a digital investigation.

Perform immediate malware triage with Cerberus, and gain actionable intelligence prior to engaging a malware team.

Cerberus is the malware analysis component of AccessData’s integrated incident response platform, CIRT (Cyber Intelligence & Response Technology). This module is also available as an add-on to FTK 4.

The first step towards automated reverse engineering, Cerberus allows you to determine the behavior and intent of suspect binaries, giving you actionable intelligence without having to wait for a malware team to perform deeper, more time consuming analysis.

Cerberus Works in Two Stages

Stage 1:

During Stage 1 analysis, Cerberus tallies attributes of each binary to generate threat scores that approximate how “dangerous” each binary might be. This high-level threat scan is extremely fast and can be run against a large number of binaries very quickly.

Stage 2:

In stage 2, Cerberus disassembles the entire binary, develops an understanding of the binary through simulated data flow analysis, and delivers a list of operating system functions called by the binary, along with the arguments that are passed into those functions. Additional analysis provides details, such as function arguments, revealing Internet callback addresses, file names and other statically compiled artifacts.

Cerberus Triage vs. Traditional Malware Analysis

Cerberus is able to disassemble and simulate the functionality of a suspect binary, without actually running the code. This first-pass analysis is of great value in that it not only enables incident responders to take decisive action more quickly, but it reveals behavior and intent without running the risk of triggering defense mechanisms commonly found in malware.

Each traditional method has its own shortcomings, which the Cerberus methodology avoids.

  • Dynamic Analysis is often not reliable, because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.
  • Traditional Heuristics are not based on the fundamental characteristics of malware and have high false positive / false negative rates.
  • Signature-based / Byte String Analysis cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.

Technical Features

Stage One Analysis

The following first-level analysis is conducted to quickly tally threat scores.

  • Product Name
  • Product Version
  • Company Name, etc.
  • Functions included in the Import Table
    • Network
    • Process
    • Security
    • Registry
  • Dynamic Loading, etc.
  • Does the binary have high entropy (obfuscated)?
  • Does the binary have signatures of:
    • Internet Relay Chat (“IRC”)
    • Shellcode
    • Cryptography (“Crypto”)
  • Does the binary contain strings associated with autoruns?
  • Digital Signature Verification
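To make the Stage One idea concrete, here is an added Python example (not Cerberus or AccessData code) that scores a constructed byte blob the way the list above describes: tally indicator categories (network, process, registry, dynamic loading, autorun strings, IRC signatures), measure entropy as an obfuscation hint, and sum weighted hits into a single threat score. The indicator strings, weights and threshold are this example's own assumptions, and PE header parsing (product name/version resource, Authenticode signature verification) is deliberately left out.

```python
import math
import re
from collections import Counter

# Illustrative Stage One indicators for each datasheet category; the API names, keywords,
# weights and threshold are this example's own assumptions, not Cerberus's rule set.
INDICATORS = {
    "network":  [b"WSAStartup", b"InternetOpenUrl", b"HttpSendRequest"],
    "process":  [b"CreateRemoteThread", b"WriteProcessMemory", b"OpenProcess"],
    "registry": [b"RegSetValueEx", b"RegCreateKeyEx"],
    "dynload":  [b"LoadLibrary", b"GetProcAddress"],
    "autorun":  [b"CurrentVersion\\Run", b"RunOnce"],
    "irc":      [b"PRIVMSG", b"NICK ", b"JOIN #"],
}
WEIGHTS = {"network": 2, "process": 3, "registry": 1, "dynload": 1, "autorun": 3, "irc": 3}
ENTROPY_WEIGHT, ENTROPY_THRESHOLD = 2, 6.5   # packed/encrypted content sits near 8.0 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    entropy = 0.0
    for count in Counter(data).values():
        p = count / len(data)
        entropy -= p * math.log2(p)
    return entropy

def printable_strings(data: bytes) -> list:
    """Printable ASCII runs (>= 5 chars): the statically compiled artifacts a triage report lists."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{5,}", data)]

def triage(data: bytes) -> dict:
    """Tally indicator hits and entropy into one threat score, as the Stage One list describes."""
    hits = {c: [n.decode() for n in needles if n in data] for c, needles in INDICATORS.items()}
    hits = {c: found for c, found in hits.items() if found}   # keep only categories that fired
    entropy = shannon_entropy(data)
    high_entropy = entropy > ENTROPY_THRESHOLD
    score = sum(WEIGHTS[c] for c in hits) + (ENTROPY_WEIGHT if high_entropy else 0)
    return {"score": score, "entropy": round(entropy, 2), "high_entropy": high_entropy,
            "hits": hits, "strings": printable_strings(data)}

# Constructed stand-in for a suspect binary: stub header, import-style names, an autorun
# registry path, an IRC command and a high-entropy (packed-looking) tail.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 64
          + b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
          + b"WS2_32.dll\x00WSAStartup\x00ADVAPI32.dll\x00RegSetValueExA\x00"
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          + b"PRIVMSG #control :\x00" + bytes(range(256)) * 2)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running the block prints the score (12 for the constructed sample), the categories that fired and the extracted strings; on a real file you would read its bytes and call triage() on them, then hand anything above your threshold to Stage Two style disassembly.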

Executable Binary Analysis:

Stage Two Analysis

Stage two involves more complex disassembly analysis to give you more detailed behavioral information. This simulation and data flow analysis is possible without running binaries in a sandbox, and there is no reliance on whitelists or signatures.

Basic Disassembly Analysis:

  • Integrated disassembly engine
  • If using network functionality, potentially what host it is communicating with and over what protocol(s)
  • If using network functionality, can it bypass proxy servers?
  • For functions that require usernames and/or passwords, does the executable contain a static string, indicating insider or advanced knowledge?

Advanced Disassembly Analysis:

  • Automated code and data flow analysis
  • More advanced Functionality Interpretation
    • IP addresses and Domain Names Used
    • Debugger and Sandbox avoidance
    • Command and Control Functionality
    • Hooking Techniques
    • Arbitrary Code Execution
    • Host Forensic Artifacts
    • Registry Settings
    • Temp Files
    • Configuration Files

Stop relying on third-party tools to see visual relationships within data. AccessData’s new FTK add-on, Visualization, allows you to view data in seconds in multiple display formats, including timelines, cluster graphs, pie charts and more.

By combining the state-of-the-art backend processing of FTK with this graphical analytic interface you will dramatically enhance the accuracy and speed with which you analyze case data.

Visualization Highlights

GRAPHICAL EMAIL ANALYTICS

  • Adjust scale and focus of communication periods in days, weeks, months, years and decades.
  • Quickly determine and convey peak communication periods in a graphical format.
  • View email custodian-level details including sent and received statistics to pinpoint periods of interest.
  • Graphically represent the social network of an email custodian to determine strength/frequency of communication.
  • Obtain key insight into the interaction among potential persons of interest and flag these email exchanges in FTK.

GRAPHICAL FILE ANALYTICS

  • Adjust scale and focus of created, modified and last accessed dates to identify gaps or areas of interest.
  • Provide a complete picture of the data profile and makeup.
  • Understand file volume and counts through an interactive interface.
  • Sort and group files by a variety of metadata attributes.
  • Efficiently identify and tag files for checking in FTK.


HTePL is a leading company providing forensic solutions such as the Forensic Toolkit (FTK) software, which serves as a computer forensics, malware analysis and digital investigation tool for forensic investigators. Forensic Toolkit is one of the best tools for forensic investigation.

Contact Us

Registered Office (Mumbai)
HIGH-TECH e-TECHNOLOGIES PVT.LTD.
2102,21st Floor, Guruprabha Apt,
Senapati Bapat Marg, Dadar (West),
Mumbai - 400 028, India.
+91 22 2436 7119 info@htepl.com