FTK Installation Guide

White Paper

Version:3.2 th Published:Oct 6 , 2010

FTK Installation Guide

TABLE OF CONTENTS

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Installation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Hardware Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Estimating Hard Disk Space Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Migration from FTK 2.2+ to FTK 3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Uninstalling FTK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Installing AccessData Forensic Toolkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Database Install Disc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 The FTK Application Install Disc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 AccessData Distributed Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Additional Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Language Selector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 LicenseManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Table of Contents

FTK Installation Guide

ACCESSDATA FTK 3.2 INSTALLATION GUIDE

CONTENTS
This guide details the installation of the components required for the operation of AccessData Forensic Toolkit (FTK) 3.2.

INSTALLATION INFORMATION
As with the AccessData FTK 2. version, FTK 3.2 can be installed with any single earlier version of 2.x or 3.x remaining on the same computer at the same time. Installation paths will differ slightly from previous versions and registry entries will also be different. This means you may not have to uninstall your earlier version of FTK 2.x or 3x, and thus may not have to convert cases to the newer version to maintain compatibility with the database.
Note: Administrator account or privileges are not required for running FTK version 3.1 and later.

PREREQUISITES
The following prerequisites apply for installing and running FTK 3.2: CodeMeter 4.20a Runtime software for the CodeMeter Virtual or USB CmStick.
Note: For more information regarding the Virtual CmStick, see Appendix E Managing Security Devices and Licenses in the FTK User Guide.

A WIBU-SYSTEMS CodeMeter USB or Virtual CmStick Oracle 10g Database FTK 3.2 Program

AccessData FTK 3.2 Installation Guide

 Evidence Processing Engine These additional AccessData programs are available to aid in processing cases: Known File Filter (KFF) Library Registry Viewer Language Selector LicenseManager

HARDWARE CONSIDERATIONS
The more powerful the available hardware, the faster FTK can analyze and prepare case evidence. Larger evidence files require more processing time than smaller evidence files. AccessData recommends that the various components be installed on separate machines to make more hardware resources available to the program. Thus, while the FTK and Oracle components can be installed on a single workstation, the ideal and recommended configuration uses two workstations connected by a Gigabit Ethernet connection, thus making more hardware resources available to each. If the KFF Library is installed, it must be installed on the same computer as the Oracle database. Ideally, the CodeMeter Runtime 4.10b software, Language Selector, and LicenseManager should be installed on the same computer as the FTK Program. To further maximize performance, AccessData recommends the following: For both the single- and separate-workstation configurations, install Oracle to a large hard disk drive that Oracle can use exclusively. Recommended RAM is 2 GB per processing core (e.g. an 8 core machine should have at least 16 GB of RAM). The minimum RAM must not be less than 1 GB per core. If your machine has less than 1 GB per core when processing multiple pieces of evidence under certain circumstances processing will fail and not recover. We recommend that the amount of RAM be 2 GB per processing core (e.g. an 8-core machine should have at least 16 GB of RAM).
Note: AccessData has changed the way jobs are allocated to each engine based upon available resources. The new approach works by calculating the Number of Cores or hyperthreading times two (2), which determines the total number of processing threads the engine will use. Each job requires minimum of two threads plus one GB of FREE physical memory to start. So when the engine gets a request to process something, it looks at the total number of jobs it is already working on. If it has at least two threads it can use on the new job, then it looks at free physical memory. If it also finds one GB free RAM available, then it will start up an adprocessor.exe to process the job.

Do not run third-party applications on either the FTK or Oracle machine that will compete with FTK or the Oracle database for hardware resources.

FTK Installation Guide

 If you need PRTK or DNA, install it on the network, then copy any files for decryption to that machine.

ESTIMATING HARD DISK SPACE REQUIREMENTS

The FTK program requires a minimum of 500 megabytes of disk space for installation, although 5 gigabytes is recommended. Oracle, where case data is stored, requires a minimum of 6 gigabytes (5 gigabytes for the basic installation) and plenty of additional room for case processing. Additional space is required for the actual cases and for drive images and other evidence files that need to remain intact, separate from the database. These can be stored on other computers within the network.

Important: If disk space depletes while processing a case, the case data is corrupted.
To estimate the amount of hard drive space needed, apply these suggested guidelines: Data: every 500,000 items require one gigabyte of space in the Oracle storage location. Index: every 100 megabytes of text in the evidence requires 20 megabytes of space for processing in the case storage folder.

CONFIGURATION OPTIONS
FTK can be set up in three different configurations, each with its own benefits and

advantages. Single Machine

OR

Separate Machines with a new Oracle install

FTK and Oracle 10g can be installed on separate boxes or on the same box. If both are

installed on the same box, it is recommended that Oracle be installed either on a separate drive, or on a separate partition from FTK. Separate Machines with an existing Oracle install If a compatible Oracle 10g database is already installed, you may be able to use it with FTK. The installer runs a check for compatibility.
Note: AccessData recommends that you turn off firewalls and anti-virus software during installation.

AccessData FTK 3.2 Installation Guide

Important: If installation is being done using remote desktop to Server 2003, the remote connection needs to be established using either the /admin or the / console command.

MIGRATION FROM FTK 2.2+ TO FTK 3.2

FTK 3.2 installs separately from an installation of FTK 2.x so they can co-exist on one machine if you want them to; otherwise, just uninstall the previous version altogether before installing FTK 3.2. FTK 3.2 can convert any case processed using FTK 2.2 or later to FTK 3.2 through an option in the FTK 3.2 UI.

Important: For more information, see Converting a Case From FTK 2.2+ in the FTK User Guide.

UNINSTALLING FTK
Here are some things to remember when uninstalling FTK.

Important: Prompts to close running processes will not automatically close as indicated. When a user uninstalls FTK 3.2 after they have been using the program and have since closed it, the dialog box on uninstall will notify the user that processes are still running and gives an option to close them automatically. If the user selects to have the process close them automatically, it cannot. The uninstall cannot work correctly until the user kills all running FTK processes manually.
Note: If you uninstall after a successful install, the pointer to the database will be left behind. If you want to re-install and point to a new Oracle location, you need to delete the databases.xml file found in the following path (in Vista):
[drive]:\ProgramData\AccessData\Products\Forensic Toolkit\FTK Databases.xml.

INSTALLING ACCESSDATA FORENSIC TOOLKIT

There are two discs that ship with FTK: The FTK program install disc, and the Oracle Database install disc. Each has an Autorun.exe to streamline the installation process. The FTK Program can be installed on the same computer as the installed Oracle database. This is known as a one-box, or single-box, install. To perform a one-box install,

FTK Installation Guide

perform the prescribed steps in the order presented, all on the same machine, switching out the DVDs as necessary.
FTK 3.2 can be installed on two separate computers. The table below explains the

recommended order for the installation tasks.

TABLE 1-1 Running a Two-box Install of FTK 3.2: What to do Where

Step
1 2 3 4 5 6 7 8

Machine
Oracle Oracle Oracle FTK FTK FTK FTK Oracle

Task
Install Oracle Optimize Oracle Memory, by running Oradjuster.exe Install Oracle Patches, if desired Install CodeMeter Install FTK 3 Install Evidence Processing Engine Run FTK to initialize the database Install KFF

Important: For information regarding backup and restore for FTK when Oracle is installed on a separate box, see Appendix F Back-up and Restore Case Data on a Two-Box Installation on page 381 in the FTK User Guide..

DATABASE INSTALL DISC

FTK must link to an Oracle database. If a compatible one already exists in the network or

domain (with sufficient space for storage and processing), it can be leveraged for use with FTK. If no Oracle database exists, it must be installed either on the same computer as the FTK Program or on a separate computer within the same network or domain. If you are not using a network with a domain controller, you can still install and use FTK. Check the AccessData Knowledge Base on the AccessData web site, www.accessdata.com. Click Support > Knowledge Base, then search for the desired topic. One suggested search may be for mirrored local accounts.

AccessData FTK 3.2 Installation Guide

INSTALL THE DATABASE

Place the AD Database Install disc into the DVD drive and wait for the Autorun.exe to execute. FIGURE 1-1 FTK Database Install Autorun

1. Click Install the Database. The installer launches. 2. Click Next and follow the prompts. 3. Read and accept the license agreement, and click Next. 4. Choose the Destination folder. Click Next. 5. Choose the setup type to use. Most users will choose Typical. 5a. If you choose Custom, type the SYS password into the text box, then click I agree to

remember this password and keep it safe indicating you understand the risks. Click Next.

FTK Installation Guide

Important: AccessData has no method of recovering lost SYS account passwords. If you forget or lose the password, you will have to reinstall. This may mean losing access to your cases.
6. Wait for the installer to configure the installation. 7. Select the installation drive letter. Note: Select the drive where Oracle will reside, separate from all other programs. 8. Click Install. 9. Wait for the installation and configuration to finish. Note: This step can take up to forty minutes. 10. Click Finish to finalize the Oracle installation process and return to the main menu.

OPTIMIZE THE DATABASE

AccessData Oradjuster.exe optimizes Oracles memory usage on your computer. This utility is particularly useful for 64-bit systems with large amounts of RAM installed. The Oradjuster utility is included on the FTK 3.2 Application install disc. It can also be downloaded from the AccessData web site, www.accessdata.com/downloads. Look under Utilities. For more information about Oradjuster, including its installation, configuration, and use, see Appendix G AccessData Oradjuster on page 387 of the FTK User Guide. Choose Optimize the Database to run Oradjuster for the first time. During installation is the ideal time to run it because you will not have any processes running that will delay the optimization. Respond to the prompts as they appear.

PATCH THE DATABASE

Choose to apply patches to the Oracle 10g database in preparation for the FTK schema to be laid down when you run FTK for the first time after all components are installed.
Note: Installing the patch can take as long as the original Oracle installation.

AccessData FTK 3.2 Installation Guide

THE FTK APPLICATION INSTALL DISC

Place the FTK v3.2.0 App Install disc into the DVD drive and wait for the Autorun.exe to execute. FIGURE 1-2 FTK Program Install Autorun

1. Click FTK 32 Bit Install OR

FTK 64 Bit Install. The Install menu opens.

2. Follow the steps in the order presented. For each product install, follow the prompts

as they appear.

FTK Installation Guide

INSTALL CODEMETER
Install the WIBU-SYSTEMS CodeMeter Runtime v4.20a software for the USB CodeMeter (CmStick). The WIBU-SYSTEMS CodeMeter Runtime 4.20a is required if you are running with a Virtual CmStick. Click Install CodeMeter Software to launch the CodeMeter installation wizard. Follow the directions for installation, accepting all defaults, and click Finish to complete the installation. If the user attempts to run FTK 3.2 before installing the correct CodeMeter Runtime software and the WIBU-SYSTEMS CmStick, a message similar to the following will appear. FIGURE 1-3 CodeMeter Error

If you are not using NLS for your security device configuration, after clicking No, you will see the following additional message. FIGURE 1-4 Security Device Not Found

To remedy, click OK, then install the correct CodeMeter Runtime software, and connect the CmStick or run LicenseManager to generate your Virtual CmStick. Then, restart FTK
3.2.

For more information regarding CodeMeter Runtime, USB and Virtual CmSticks, and the management of Licenses, see Appendix E Managing Security Devices and Licenses in the FTK User Guide.

AccessData FTK 3.2 Installation Guide

INSTALL FTK
When the CodeMeter Software installation is complete, you are returned to the FTK Install menu in the Autorun. Continue as follows:
1. Click Install FTK. 2. Click Next. 3. Read and accept the AccessData License Agreement. 4. Click Next. 5. Select the location for the FTK components. Note: If another directory is desired instead of the default, click Browse to navigate to or to create the folder using the Windows Browse functionality. 6. Click Next. 7. Click Install to continue with the installation. 8. Follow the prompts on the screens that follow. 9. When the installation is completed successfully, mark the View Readme box to open the

Readme file when you finalize the installation. Otherwise, click Finish.

INSTALL THE EVIDENCE PROCESSING ENGINE

When the FTK User Interface installation is complete, you are returned to the FTK Install menu in the Autorun. Continue as follows:
1. Click Install Processing Engine. 2. Read and accept the License Agreement. Click Next. 3. Accept the default Destination Folder, or specify one of your choice. Click Next. 4. Click Install on the Ready to Install screen. 5. Click Next to continue the installation. 6. Click Finish when the installation is completed successfully.

RUN FTK
FTK must be run next, to add the schema to the database.

INSTALL THE KFF LIBRARY

The FTK KFF Library can be installed to help shorten the investigation time on the case. The KFF Library must be installed on the same volume as the Oracle database.

10

FTK Installation Guide

Important: Do not run the KFF Installer until after Oracle is installed, FTK is installed, and FTK has been run once to lay down the schema in the database.
To install the KFF:
1. Click Install KFF Library. 2. Click Next. 3. Read and accept the KFF license agreement. 4. Click Next. 5. Allow the installation to progress. 6. When the screen indicates a successful installation, click Finish to finalize the

installation.
7. Click Back to Main Menu to return to the Main Menu and make other selections.

For more information about the KFF Library, see Appendix D The KFF Library on page 343 of the FTK User Guide.

ACCESSDATA DISTRIBUTED PROCESSING

This release of FTK supports Distributed Processing Engines (DPEs). Distributed Processing allows the installation of up to three additional processing engines to share the work load of processing evidence in a case For more informaiton on the installation and configuration of DPEs, see Configuring Distributed Processing with FTK 3

AccessData FTK 3.2 Installation Guide

11

ADDITIONAL PROGRAMS
The following AccessData programs may also be useful and are found on your product installation disc(s). FIGURE 1-5 FTK Program Install Autorun: Other Products

LANGUAGE SELECTOR
To change to another supported language other than the default English (United States) that ships with FTK, Language Selector must be installed.

INSTALL LANGUAGE SELECTOR

To install Language Selector:

12

FTK Installation Guide

1. From the FTK 3.2 install disc Autorun Main Menu, click Install Other Products, then click

Install Language Selector.

2. The Language Selector Installer runs. Click Next to continue. 3. Read and accept the License Agreement. Click Next to continue. 4. Click Finish.

USING LANGUAGE SELECTOR

To run Language Selector:
1. Click Start > All Programs > AccessData > Language Selector > Language Selector. OR

Click the Language Selector Icon on your desktop.

Language Selector has a very simple interface.

2. Click the Select Languages dropdown to select the language to use. Languages to choose

from are as follows:

TABLE 1-2 Language Selector Supported Languages Chinese (Simplified, PRC) Dutch (Netherlands) English (United States) French (France) German (Germany) Italian (Italy) Japanese (Japan) Korean (Korea) Portuguese (Brazil) Russian (Russia) Spanish (Spain, Traditional Sort) Swedish (Sweden) Turkish (Turkey)

The Products supporting this language text box indicates the AccessData programs that will be affected by the language selection. The File menu contains two choices: Select Language Exit The Help menu contains one choice: About Provides version and copyright information.
3. Click Save Settings to save selections and close Language Selector.

AccessData FTK 3.2 Installation Guide

13

LICENSEMANAGER
If licenses need to be managed, LicenseManager must be installed. For more information on LicenseManager, see Appendix E Managing Security Devices and Licenses in the FTK User Guide. Also, make sure the current versions of any other programs required for the investigation are installed, including AccessData Registry Viewer, and AccessData Password Recovery Toolkit, or AccessData Distributed Network Attack.

14

FTK Installation Guide