ACCESSDATA FTK RELEASE NOTES


ACCESSDATA FTK 3.3.0 RELEASE NOTES

INTRODUCTION

This document provides important information relative to the use of FTK 3.3.0.

IMPORTANT INFORMATION

If the machine running Imager or FTK has an active internet connection and you are viewing certain types of HTML or Web pages, there is a potential risk associated with specially crafted pages. These pages may trigger unintended consequences such as running malicious code or scripts. AccessData recommends that, wherever possible, users not have an active internet connection while Imager or FTK is running. In addition, please be aware that viewing HTML content in the FTK or Imager preview pane when connected to the internet has potential risk.

The Oracle database must be installed on a machine whose name begins with a letter (a-z and A-Z). Applications cannot connect to Oracle if the machine name begins with a number. This is because of a restriction on domain names in RFC 1035. If your desired Oracle computer has a name that begins with a number, you must change the machine name prior to installing Oracle.

FYI: FTK does not index HTML and XML tags, but it does index the data between tags for data streams that have been identified as HTML and XML files. (55334)

FTK 3.3 does not carve container files. Safari cache.db files are container files. (54453)

NEW AND IMPROVED FILTERS

Filters used by the application (that would not normally be applied by a user) have been removed from the filter drop-down list. These filters now only appear in the Filter Manager interface and each begins with a ~ character. (56137)

A "No Unimportant Items From MS Office 2007/2010 Files" filter is now available in the Filter Manager interface. This filter excludes small XML files contained in MS Office 2007/2010 OPC files (.docx, .xlsx, .pptx, etc.). (56139)

MISC

The Backup/Detach Case feature now uses a local, empty, user-designated temp directory as intermediate storage for the database files. When the copy is complete, the files are then moved to the final backup/detach destination. (54372)

Upon completion of an export job, the export destination folder now opens automatically in Windows Explorer to show you the exported files and folders. (55773)

AFF images created in FTK now store the sector size as a metadata attribute. (53896)

Fixed an issue that caused segmented AFF image verification to not automatically compare the generated hash values. This issue did not affect the forensic integrity of AFF images or their hash values. (55012)

Updated the FTK Hex Interpreter field names for the following: (54170)
  AOL date/time is now displayed as DOS OS/X date/time
  GPS date/time is now displayed as GPS/BREW/QC date/time
  BITDATE is now displayed as LG/Samsung

Enhanced export functionality to handle export destination paths of more than 248 characters in length. (54302)

Using Index Search, the NOT operator does not function as documented previously. (54787)
  Solution: Use parentheses to apply the NOT operator to the excluded word.
  Example: (NOT apple)

PROCESSING

Added support for Lotus Notes 8.0 and 8.5 ODS formats 48 and 51. (18229)

The New Case Wizard and Additional Analysis dialog box now allow the user to select Do not find deleted items. Deleted files will be discovered and processed by default. (44322)
  Note: If a user enumerates all the items in a case during processing and chooses not to add deleted files, then the deleted items can never be added to the case.

A new status view has been added to indicate overall progress on multiple jobs in the Progress window. To see this status, click on the Add Evidence Jobs line at the top of the File list in the Data Processing Status dialog box. (21185)

In the Selective Expand dialog box, which allows users to select the compound files to expand, the Microsoft OLE option now represents both MS Office and OPC documents. (52769)

Now, when choosing Additional Analysis options, performing File Signature Analysis is no longer required for expanding compound files, but if the user selects this option, Expand Compound Files will be based on file extension instead of File Signature Analysis results. (55351) This allows the user to see the contents of compound files without necessarily having to process them. Processing can be done later, if it is deemed necessary or beneficial to the case.

At the root of each case folder you will now find a file called EvidenceHistory.log which shows a record of all of the following items: (53093)
  Total processing time (across all jobs processed at the same time) and exact start/stop time.
  File name of all evidence images and loose files added to the case.
  Total number of items processed.
  List of errors encountered and some details about those errors.
  Total number of items enumerated (item count after processing, including carved files and children expanded out of compound files).
  Note: Each time the processing engine runs a job or batch of jobs for a case, a new entry will be appended to the log. Additionally, the data will reflect the statistics for that batch.

Improved handling of Apple partition maps. (54808)

All children files and folders that are parsed out of an email attachment are now being marked as attachments to the parent email message. (54866)

Support has been added to handle raw physical images of iPhone devices with sector sizes of 2048 KB, 4096 KB, or 8192 KB. (54441)
  Note: MPE 4.2 exports physical Apple device images with specially formatted file names that define the sector size attribute. It is important to ensure that the file names follow this special format in order to have FTK read these images correctly. Here's an example of the file name syntax:
    BadGuys_iPhone.dd8.001
    [IMAGE_NAME].[SECTOR_SIZE].[SEGMENT_NUMBER]
  (Sector size is defined by the following: dd2 = 2048 KB, dd4 = 4096 KB, dd8 = 8192 KB.)

Improved handling of:
  Drives that have had their GUID partition tables (GPT) converted to the MBR partitioning format. (54971)
  AutoCAD (DWG) files. (55448)
  Corrupted drives with overlapping and/or invalid partitions. (55703)

Improved consistency of text generated from the OCR engine. (55228)

The Index Refinement (Advanced) dialog now includes an option to Include Message Headers in the index. (54736, 54741)
  Note: The option is ON by default in FTK

You can now link directly to the Job Information log from the Data Processing Status window to view detailed information related to the processing status of a job. (55353)

USER INTERFACE

On the browse for evidence dialog, a new check box option allows the user to use UNC or to convert a regular path to UNC. This feature uses only user-defined shares, not Admin shares such as C$ etc. (21561)

These new columns have been added to the file list view in FTK for use in reviewing data acquired from MPE+: (20997)
  Call Type should appear under MPE Call Log column setting, and will be where the data such as Incoming, Missed, Received is shown. (There is already a column called Phone call Type that we could use for this purpose but it doesn't appear under the MPE default column settings as it should)
  SMS Type should appear under the MPE-SMS column setting, and will be where the data such as Sent, Received, etc. will be.
  Phonebook Item Title should appear under the MPE-Contacts column setting, and will be where the data such as Mr., Mrs., President, etc. is displayed.
  Number Type should appear under MPE-Call Log and will display data such as mobile, cell, home, etc.
  Duration should appear under MPE-Call Log and will display the time duration for each item in the call log.
  Mobile Phone memory type is already an entered column but does not show up in the MPE column settings by default and according to Lee, it should. This is to display the data location on the device such as phone, SIM, memory card.

New columns added in the file list view for MS Office metadata properties of Last Saved By and Author. (54704)

FIXED ISSUES

The default Custom Carver Maximum File Size is 2147483647 bytes. The carver Max File Size in bytes must be populated with any size larger than the defined Minimum File Size in bytes (default is 0). A Maximum File Size equal to or less than the minimum size, or <no entry>, results in an error prompting for a valid number to be entered. (53135)

The Search by Date range (index search option) is now limited to be between Jan 1, 1970 and Dec 31, 3000. (53705) This fix prevents dates prior to 1970 from causing issues in processing.

Case Reviewers are no longer able to see or to know how many items have been marked privileged. (52836)

Fixed a problem with indexing counts when multiple images were added to a case simultaneously. (53385)

Improved indexing of Yahoo chat files. This applies only to newly processed cases. Where this is a problem with existing cases, the case must be reprocessed. (54909)

Yahoo IM conversations were not including a username. The Yahoo username is not known within the chat log file. The folder name is now being used as the username. (53861)

FTK does not support processing evidence images of HFS+ file systems that have a sector size greater than 512 bytes. (52734)

Processed Lotus Notes (NSF) files no longer add a large number of entries to the list of file extensions in the case overview. (54422)

Email files which have been converted by the Outlook2Mac (O2M) utility now show the metadata values correctly when processed in FTK. (55819)

KNOWN ISSUES

A user who changes his or her own password must log out and back in again when the password is changed so work can continue without any problems. If the user does not log out and back in after changing the personal password, access problems occur with the database. (44157)

The processing Engine has to be manually stopped on 3.1 before 3.2 can be run and vice versa. They can be installed at the same time, but only one can run at a time. FTK will get an error in the processing dialog if the wrong DPE is running. (21233)

Naming the case folder in a Unicode code page language or character set causes searches to return fewer hits than when using a normal English case folder name. (54042)

Very large and complex search lists take a long time to import into large cases. (21138)
  Workaround: Turn off the import calculation by modifying the following registry key to a non-zero value:
    "HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\Products\Forensic Toolkit\3.3\NoIndexSearchTermHitsOnImport" (DWORD)
  Note: Be sure to back up your registry before making any modifications.

If an image is processed before KFF is installed and, after installing the KFF database, Additional Analysis is performed for KFF, there is no prompt to go into Case KFF Options and select the KFF groups to process. This may leave the user thinking that the evidence has been reprocessed using the KFF when it hasn't. (15812)

Text Internet Email is being classified as Text Email when the header contains a line break. If you remove the line break manually, it is then classified as Text Internet Email. (53002) The Internet email standard (see RFC 822, or RFC 5322 for the latest) mandates that any header line that is broken into multiple lines MUST have a white space character (usually a tab or space) at the beginning of the continuation lines.

FTK 3.3 64-bit does not utilize the Adobe Acrobat Reader plug-in for Internet Explorer by default when displaying PDF files within FTK, even when the plug-in is installed on the examination system. A 64-bit installation of FTK 3.3 will use the built-in INSO viewer when displaying PDF files. By contrast, FTK 3.3 32-bit does take advantage of this plug-in (if installed). (20527)

There is not an option in the UI to show or hide the total hits when importing a word list. (21330)
  Workaround: Create the following registry DWORD entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\AccessData\Products\Forensic Toolkit\3.2\NoIndexSearchTermHitsOnImport
  A zero value causes the hits to be displayed as the word list is imported. A non-zero value causes the hits to be hidden from view in the Search terms list.

A Case Administrator cannot manage global filters (accessing the list and copying them down to the case). (44158)
  Workaround: The Application Administrator must assign the Application Administrator role to the Case Administrator for that case in Case > Assign Users.

When exporting folders and their contents, you should always select the folder to be exported from the file list view instead of from the explore tree in order to export the contents correctly. (53627)
  Suggestion: To export a folder structure with its children, move up one folder level and select the following options: Export directory as file and Export children.

FYI: The Create Manifest Files option is not checked by default for exports. This is off by default because it takes more time to do the export with the Create Manifest File option selected. (55184)

Lotus Notes deletes the collection indexes routinely. If they are in that state when processed in FTK, then the email will be placed in the [other1] folder (or a folder with a similar name). (54997)
  Workaround: Open the NSF file in the Lotus Notes client, and then close it (you may need to save), then acquire the data and process it with FTK. The emails will all be in the right folder because the view collections got recreated.

FTK now carves SQLite databases in order to recover deleted data that they might contain. Due to this change, users will likely see duplicate files if they choose to carve SQLite databases in addition to expanding them. (54453, 55292)

Language Selector localizations have not been updated to reflect changes to the user interface for this release.

Non-default hyphen treatment (Indexing Options) settings create inconsistent results in index search for hyphenated words. (55375)

In FTK 3.3, if you choose to update your default processing options (regardless of the option being changed), new cases created in FTK 3.2 will have "Include OLE Streams" unchecked by default. (56077)

COMMENTS?

We value all feedback from our customers. Please contact us at support@accessdata.com, or send documentation issues to documentation@accessdata.com.
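The PROCESSING note on MPE physical images says FTK relies on the [IMAGE_NAME].[SECTOR_SIZE].[SEGMENT_NUMBER] file name to learn the sector size. The following pre-check for a set of segment files is an added example, not AccessData code; it assumes three-digit segment numbers counted consecutively from 001 (the note shows only .001), and its function names and sample file list are constructed for illustration.

```python
import re
from collections import defaultdict

# Sector-size codes and values as listed in the release note.
SECTOR_CODES = {"dd2": 2048, "dd4": 4096, "dd8": 8192}

# [IMAGE_NAME].[SECTOR_SIZE].[SEGMENT_NUMBER], e.g. BadGuys_iPhone.dd8.001
# Assumption: the segment number is exactly three digits, as in the note's example.
NAME_RE = re.compile(r"^(?P<image>.+)\.(?P<code>dd\d+)\.(?P<segment>\d{3})$")


def parse_segment_name(filename):
    """Return (image_name, code, sector_size, segment) or raise ValueError."""
    match = NAME_RE.match(filename)
    if match is None:
        raise ValueError("not in [IMAGE_NAME].[SECTOR_SIZE].[SEGMENT_NUMBER] form")
    code = match.group("code")
    if code not in SECTOR_CODES:
        raise ValueError(f"unknown sector-size code {code!r}")
    return match.group("image"), code, SECTOR_CODES[code], int(match.group("segment"))


def check_image_set(filenames):
    """Return a list of problems found in a set of segment file names."""
    problems = []
    segments = defaultdict(lambda: defaultdict(set))  # image -> code -> {segment}
    for name in filenames:
        try:
            image, code, _size, segment = parse_segment_name(name)
        except ValueError as err:
            problems.append(f"{name}: {err}")
            continue
        segments[image][code].add(segment)
    for image, by_code in sorted(segments.items()):
        if len(by_code) > 1:
            problems.append(f"{image}: segments disagree on sector size {sorted(by_code)}")
        for code, found in sorted(by_code.items()):
            # Assumption: segments are numbered consecutively from 001.
            missing = sorted(set(range(1, max(found) + 1)) - found)
            if missing:
                problems.append(f"{image}.{code}: missing segment(s) {missing}")
    return problems


# Constructed sample directory listing (not real evidence).
SAMPLE_FILES = [
    "BadGuys_iPhone.dd8.001",
    "BadGuys_iPhone.dd8.003",   # segment 002 is absent
    "Other_iPhone.dd.001",      # plain .dd, carries no sector-size code
]

if __name__ == "__main__":
    for problem in check_image_set(SAMPLE_FILES):
        print(problem)
```

Running the check before adding evidence catches a renamed or incomplete segment set while the original export is still available for comparison.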
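Known issue 53002 turns on the header folding rule: a continuation line must start with a space or tab. The following check is an added example, not AccessData code; it finds header lines that break this rule and builds a corrected working copy by removing the line break, as the workaround describes. The function names and the sample message are constructed, and the new-field test is a heuristic based on the RFC 5322 field-name characters.

```python
import re

# A new header field starts with a field name (printable ASCII except ':')
# followed by a colon; optional white space before the colon is obsolete syntax.
FIELD_START = re.compile(rb"^[\x21-\x39\x3b-\x7e]+[ \t]*:")


def find_bad_header_folds(raw):
    """Return (line_number, text) for header lines that are neither a new
    field nor a continuation line beginning with a space or tab."""
    bad = []
    seen_field = False
    for number, line in enumerate(raw.splitlines(), start=1):
        if line == b"":
            break  # the first empty line ends the header section
        if line[:1] in (b" ", b"\t"):
            if not seen_field:  # a continuation with nothing to continue
                bad.append((number, line.decode("ascii", "replace")))
            continue
        if FIELD_START.match(line):
            seen_field = True
            continue
        bad.append((number, line.decode("ascii", "replace")))
    return bad


def join_broken_lines(raw):
    """Return a copy in which each offending line is joined to the line
    before it. Work on a copy of the exported message, never the evidence."""
    bad = {number for number, _ in find_bad_header_folds(raw)}
    out = []
    for number, line in enumerate(raw.splitlines(keepends=True), start=1):
        if number in bad and out:
            out[-1] = out[-1].rstrip(b"\r\n") + b" " + line
        else:
            out.append(line)
    return b"".join(out)


# Constructed sample message: the Received header is folded correctly,
# the Subject header is broken without leading white space.
SAMPLE_MESSAGE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Received: from mail.example.com\r\n"
    b"\tby mx.example.net; 1 Jan 2011 10:00:00 +0000\r\n"
    b"Subject: Quarterly numbers for\r\n"
    b"the finance team\r\n"
    b"\r\n"
    b"Body line without colon\r\n"
)

if __name__ == "__main__":
    print(find_bad_header_folds(SAMPLE_MESSAGE))
```

A broken continuation line that itself begins with a word and a colon looks like a new field and is not flagged, so review short unknown field names by hand.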