
AccessData FTK Intermediate Course Syllabus

This three-day intermediate course for AccessData's Forensic Toolkit (FTK) provides hands-on training to help students install, configure, and use FTK, FTK Imager, and Registry Viewer at an intermediate level. The course covers advanced topics like installing and configuring the software, conducting email analysis, using advanced search and filtering options, and analyzing disk images and event logs. Students participate in multiple hands-on labs to apply the skills from each module, which range from acquiring volatile data to building complex search filters.

Uploaded by

dumkoliveira

AccessData FTK Intermediate

Intermediate • Three-Day Instructor-Led Course


For more information contact: [email protected]

The AccessData FTK Intermediate, three-day course provides the knowledge and skills necessary to install,
configure, and effectively use Forensic Toolkit (FTK), FTK Imager and Registry Viewer at an Intermediate level.

Prerequisites
This hands-on class is intended for new users, particularly forensic professionals and law enforcement personnel,
who use AccessData forensic software to examine, analyze, and classify digital evidence.

To obtain the maximum benefit from this class, you should meet the following requirements:

• Able to understand course curriculum presented in English
• Perform basic operations on a personal computer
• Have a basic knowledge of computer forensic investigations and acquisition procedures
• Be familiar with the Microsoft Windows environment

Class Materials and Software
You will receive the associated materials prior to the course.

During this three-day, hands-on course, participants will perform the following tasks:

• Install and configure FTK, FTK Imager, and Registry Viewer
o Learn to configure FTK to be more efficient on your forensic machine
o Learn about and use Global Objects
• Use FTK Imager in a simulated “Incident Response” setting
• Review Registry Viewer functions, conduct advanced searching, and produce registry summary reports
• Conduct more detailed email analysis
o Persons of Interest
o Exporting of Email
• Use advanced processing options of FTK such as: EID, OCR, Event Log analysis, and Volume Shadow Copy
• Increase abilities to conduct more advanced Index and Live searches
• Create and use more complex filters
• Learn to use the Visualization tool
o Heat Map
o File Visualization
o Email Visualization
o Geo Location

The course includes multiple hands-on labs that allow students to apply what they have learned in the workshop.

Some topics and items in this class syllabus are subject to change. This document is for information purposes only. AccessData makes no warranties,
express or implied, in this document. AccessData, AccessData Certified Examiner, ACE, Distributed Network Attack, DNA, Forensic Toolkit, FTK,
LAB, Password Recovery Toolkit, PRTK, Registry Viewer, and Ultimate Toolkit are registered trademarks of the AccessData Group, LLC. in the
United States and/or other countries. Other trademarks referenced are property of their respective owners.

Module 1: Introduction
Topics:
• Identify the FTK components
• List the FTK and PRTK system requirements
• Describe how to receive upgrades and support for AccessData tools
• Install required applications and drivers
Lab:
Participants will install the UTK components—FTK, FTK Imager, and Registry Viewer.

Module 2: FTK Imager 201
Objectives:
• Learn how to make FTK Imager portable
• Use features of FTK Imager in an incident response capacity
• Learn how to extract volatile data from live machines
Lab:
During the practical, participants acquire volatile data from a virtual machine, simulating a suspect machine.

Module 3: Registry Viewer 201
Objectives:
• Use basic and advanced searching through the Windows Registry
• Create Registry Summary Reports
• Select keys to put report in a specific order
• Discuss running summary reports during case processing
Lab:
During the practical, participants use Registry Viewer to search for specific registry keys and recover registry artifacts in a specific order, for a custom report. Students will also create registry summary reports and select summary reports to be run during case processing.

Module 4: Case Setup
Objectives:
• Optimum Setup
• Configuring Preferences
• Archive and Backup Operations
• Configure Global Objects
• Copying a case from an older version of FTK to a newer version
Lab:
Students will learn how to copy a case from one version of FTK to another and perform backup and archive functions for cases.

Module 5: Advanced Filtering
Topics:
• Defining of global filters to manage case items
• Filters with multiple rules
• Filter Nesting
• Compound Filtering
• Tab Filters
Lab:
Participants will build and use complex filters to take large amounts of data and find specific items within that dataset.

Module 6: Email Analysis
Topics:
• Review Email tab
• Learn about the function of Persons of Interest
• Describe the different abilities of FTK to export email
• Use the features of email threading
Lab:
Students will walk through a case containing processed email and see the full abilities of FTK to deal with email.


Module 7: Disk Analysis Features
Topics:
• Learn about the FTK Disk Viewer
• Use the Deleted Partition Finder
• Conduct Image Verification
Lab:
Participants will go over the features listed in the topics above, using various evidence files.

Module 8: Advanced Processing Options
Objectives:
Students will use each of the advanced processing options of FTK listed below:
• Analyze Windows Event Logs
• Explicit Image Detection
• Optical Character Recognition
• Language Identification
• Entity Extraction
• Volume Shadow Copy
Lab:
During the practical, participants will explore the advanced capabilities of FTK to analyze case data. The steps performed here will walk through the usage of each of the advanced processing options listed above, using various evidence files and cases.

Module 9: Advanced Searching
Objectives:
Students will conduct live and index searches using the following features of the search tabs:
• Live Search Options
o Text
o Pattern
o Hex
• Index Search
o Indexing Options
o Conducting an Index Search
o Importing/Exporting Search Terms
o Search Operators
o Searching for a phrase
o Boolean Searches
o Searching Options
o TR1 Regular Expressions
Lab:
Students will see how to make searches more effective by making subtle to advanced changes to index options and search parameters.

Module 10: Visualization
Objectives:
• Launch the Visualization tool.
• Describe the Visualization page.
• Use Timeline views to review case data.
• Select a Theme.
• Use the Visualization function to review file data.
• Use the Visualization function to process email data:
• Perform an Email Social Analysis.
• Examine Email Traffic details.
• Use the Geolocation function to map evidence items that have geolocation information associated with them.
Lab:
Students learn how to use the functionality of the Visualization interface.
