
    AccessData Forensic Toolkit 4.2.1

    Release Notes

    Document Date: March 19, 2013

    ©2013 AccessData Group, LLC All rights reserved.

    Introduction

    This document includes information about the AccessData® Forensic Toolkit® (FTK®) 4.2.1 release. Please be aware that all known issues that have been published under previous release notes still apply until they are listed under a “Fixed Issues” section.

    For your convenience, previous Release Notes versions are included at the end of this document.

    See the following:

    AccessData Forensic Toolkit 4.2 Release Notes (page 9)

    AccessData Forensic Toolkit 4.1 Release Notes (page 20)

    AccessData Forensic Toolkit 4.0.2 Release Notes (page 28)

    AccessData Forensic Toolkit 4.0.1 Release Notes (page 33)

    AccessData Forensic Toolkit 4.0 Release Notes (page 38)

    For information about additional previous releases, see the AccessData website at http://accessdata.com/.

    Important Information

    Installation and upgrade:

    FTK 4.2.1 is a patch and will replace 4.2 if it is already installed. If you have 4.1 or earlier already installed, 4.2.1 will install concurrently with it. You do not need to upgrade cases from 4.2 to 4.2.1. You can upgrade 4.1 cases directly to 4.2.1.

    FTK does not support skipping versions when you upgrade cases from previous major or minor versions. You must upgrade in the order of the released versions. For example, you cannot upgrade cases from FTK 4.0 or earlier directly to FTK 4.2.x. You must first upgrade 4.0 to FTK 4.1 and then upgrade from FTK 4.1 to FTK 4.2.x.

    Whenever possible, install the database component to a physical system. AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.

    AccessData Forensic Toolkit 4.2.1 Release Notes Introduction | 1


    If you are using Oracle, when you first launch FTK and add the database and select Oracle as the database type, you must change the Oracle SID from ADG to FTK2.

    If you choose to install both versions of PostgreSQL, version 9.1.6 cannot use the same port as 9.0.1 (5432). You must use a new port when installing version 9.1.6. A new port will automatically be chosen during the installation. You should record the port that is used.

    To install the KFF server, you must have admin privileges. Otherwise, you get the following error: Unhandled exception has occurred in your application. (9092)

    Note: To install the KFF server, Microsoft .NET Framework 4 is required. If you do not have .NET installed, you will be prompted to install it. If you install .NET at this time, the computer must be restarted before installing KFF. On 32-bit computers, the installer will prompt you to do this, but on 64-bit computers, you are not prompted and the KFF Server Setup Wizard opens. You must cancel the wizard and restart the computer manually before restarting the KFF Server installation. (15000)

    Important: When configuring the KFF Server, if you specify too many or too few threads, it could slow down performance. To calculate the appropriate number of threads, multiply the number of cores that the computer has by four. For example, if the KFF Server computer has 4 cores, you should use 16 threads.

    For instructions on installing KFF, see the Working with the KFF Library chapter in the Forensics Toolkit User Guide.

    The Exporting Emails to PST feature requires that you have either Microsoft Outlook or the Microsoft Collaboration Data Objects (CDO) installed on the same computer as the processing engine. CDO does not support exporting Unicode email messages. Attempting to export Unicode messages to PST with CDO installed will result in errors and the resulting PST will be missing any Unicode email messages. To export Unicode email messages, install Outlook. For more information, see the Quick Installation Guide. See 4.2.1 Where to get more information on page 8.

    Data and Database Management

    AccessData recommends that, whenever possible, you not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML web pages or binaries, there is a potential risk that is associated with specially crafted pages or binaries. These pages or binaries can trigger unintended consequences, such as running malicious code or scripts.

    It is strongly recommended that you configure your antivirus to exclude the database (PostgreSQL, Oracle database, Microsoft SQL), AD temp, source images/loose files, and case folders for performance and data integrity.

    Cerberus writes binaries to the AD Temp folder momentarily in order to perform the malware analysis. Upon completion, it will quickly delete the binary. It is important to ensure that your antivirus is not scanning the AD Temp folder. If the antivirus deletes or quarantines the binary from the temp folder, Cerberus analysis will not be performed.

    When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a number. If the Oracle computer name begins with a number, you must change the machine name before installing Oracle.

    If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)

    If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the “Process Manually Carved Items” option in the Evidence drop-down menu to process the manually carved item. (57812)


    4.2.1 New, Improved, and Enhanced Features

    The following items are new and improved features or feature enhancements for the 4.2.1 release.

    For enhancements in the previous 4.x releases, see the following:

    4.2 New, Improved, and Enhanced Features (page 11)

    4.1 New, Improved, and Enhanced Features (page 21)

    4.0.2 New, Improved, and Enhanced Features (page 29)

    4.0.1 New, Improved, and Enhanced Features (page 34)

    4.0 New, Improved, and Enhanced Features (page 39)

    Processing

    FTK has made modifications to the way Evidence Processing (EP) resources are dynamically allocated during processing on different types of hardware configurations. As a result, evidence processing performance has improved.

    Decryption Support

    Symantec Drive Encryption (PGP Whole Disk Encryption version 10.x) is now supported.

    Known File Filter (KFF)

    Export to XML - When you export KFF groups and sets, they are now exported in .XML format rather than .KFF. You can still import .KFF files from previous versions. (15402, 15405, 16192)

    New KFF group column - In the KFF groups list, there is a new column that displays whether the group is open or closed. Closed groups cannot be edited or deleted. Examples of closed groups are pre-defined groups or groups created in AD CIRT. (15393)

    Reports Localization

    Reports are now available in Lithuanian. (18131)

    Add-on Module Enhancements

    This release includes enhancements to the FTK Cerberus and Visualization add-on modules.

    For information, see 4.2.1 Release Notes for Add-on Modules (page 7).

    4.2.1 Fixed Issues

    The following items are resolved issues in the 4.2.1 release.

    For resolved issues in the previous 4.x releases, see the following:

    4.2 Fixed Issues (page 15)

    4.1 Fixed Issues (page 24)

    4.0.2 Fixed Issues (page 30)

    4.0.1 Fixed Issues (page 35)

    4.0 Fixed Issues (page 40)

    Reports

    If you added a memory dump to an existing case and then ran a report, the 'memory dump' evidence was listed multiple times. Only unique evidence objects are now shown. (16614)

    Roles

    Fixed an issue that prevented a user with the Case Reviewer role from viewing all assigned cases. (16105, 15966)

    Fixed an issue that allowed a user with the Case Reviewer role to view files that were flagged as Privilege or Ignore. (17055)

    Graphics

    Fixed an issue that prevented some graphics thumbnails from being created. (17219)

    Search

    Fixed an issue that produced a blank live preview when creating a custom search filter and there was not a valid Index Search term selected. (15252)

    Processing

    Fixed an issue that caused processing to hang when processing an index.dat file while attempting to meta-carve. (15504)

    Fixed an issue that caused memory analysis to return “Unknown Operation” errors. (17963, 18176, 18179)

    Email

    Fixed an issue that sometimes caused the application to hang while exporting emails to PST. (14924, 16033)

    Fixed an issue that caused email counts to sometimes be incorrect. (15445)

    Fixed an issue that caused the descendants of all .DBX files to be shown rather than just for the selected file. (16370)

    Integration with AD CIRT

    Fixed an issue that prevented Volatile Data processes from CIRT being visible in the Volatile tab in FTK. (17017)

    Fixed an issue that prevented Registry Values from a Volatile job from CIRT being visible as details in the Registry Key item in FTK. (17040)

    Fixed an issue that prevented Volatile Data from CIRT being visible in FTK. (15815, 16083)

    KFF

    You can now delete all user-defined groups. (15157)

    You can now edit imported groups. (15173)

    Fixed an issue that caused other data to be uninstalled when NRSL data was uninstalled. (15042, 16676, 17259)

    Fixed an error that sometimes prevented the import of KFF data if a KFF library was not already installed. (17127)

    Fixed an error that sometimes caused the KFF Server and data to not install correctly on XP and Vista computers. (17273, 17159, 17275, 16943)

    Fixed an issue that caused KFF groups that were created at the case-level to also appear in the global KFF groups list. (15960)

    Fixed an issue that allowed you to specify a case-level KFF group as a default global group. Only global groups can be set as default groups. (16522)

    Fixed an issue that caused KFF groups to be changed to Unknown after the KFF Server was stopped and restarted. (17218)

    Fixed an issue that caused NSRL data to not install correctly. (17181)

    When importing KFF data, you can now only select the supported file types (CSV, TSV, HDB, HKE, KFF). (14897)

    Fixed an issue that prevented you from multi-selecting (highlighting) groups. (15250)

    Fixed an issue that caused KFF to not recognize some KFF groups that were imported as CSV/TSV files. (15275, 17484)

    Columns

    Fixed an issue that didn’t save the name of a custom column template properly. (15467)

    Fixed an issue that caused shared columns to sometimes not work properly in new cases. (17934)

    Custom Columns example file - If you tried to import a custom column file, and the file was not formatted correctly, you got the following error: “Custom column file has invalid format. Please see CCExample.csv (located in the program bin directory) for an example of the correct format.” The location of the example file had been moved but the error message did not reflect the new path. The example was moved from the \Bin folder to its parent folder: ...Program Files\AccessData\Forensic Toolkit\4.2. The error message has also been corrected to show the correct path. (16029)

    4.2.1 Known Issues

    The following items are known issues found in the 4.2.1 release.

    For known issues found in previous 4.x releases, see the following:

    4.2 Known Issues (page 17)

    4.1 Known Issues (page 24)

    4.0.2 Known Issues (page 31)

    4.0.1 Known Issues (page 36)

    4.0 Known Issues (page 42)

    KFF

    If you are installing the KFF server on a Windows Vista x64 computer, you must first have Service Pack 2 installed. Otherwise, you will get a KFF Server Setup error. (17129)

    When importing KFF data, once you start an import, you cannot cancel it. Larger hash files take longer to process (about 15 minutes per 100MB). You will not be able to do other work in the interface while the import is taking place. There is a dialog with this information that is shown before you start the import so that you can verify that you want to start the import. (17570)

    After uninstalling KFF data and the defined sets, the groups remain. (13858)

    KFF .Hash files cannot be imported. (16520)

    When using the KFF Group column in the File List, it will display KFF sets not groups. (18292)

    KFF sets can be imported more than once and the sets appear as duplicates in the list of defined sets. (18297)

    Remote Data

    When adding Remote Data, if you select the Complete Disc Image option, and then cancel a running job, it may cause FTK to hang and then shut down. (18262)

    When adding Remote Data, if you enter an invalid IP address or invalid credentials, you get a “Server Busy” error rather than notifying you that the network path is not found. (14677)

    When adding Remote Data, if you enter a port that is already in use on the computer, you get an error stating the pipe has ended or incorrect function, rather than notifying you that the port is already in use. (14677)

    Agent

    You can manually uninstall the agent even if the Allow manual uninstall option is not selected in the Agent Installation dialog.

    If you attempt to push an agent and you have entered the wrong credentials, you do not get an error and the job keeps running in the progress bar. (17847)

    Decryption

    If FTK is running on a computer that is encrypted with SafeGuard, it can't decrypt images that were encrypted with SafeGuard. (16164)

    When attempting to decrypt files, if you select the option to Permanently Mask passwords and save a password, the password is not masked. (16939)

    Index Search

    On the Index Search tab, if you have added search terms and enabled the Accumulate Results option, it will calculate the total number of cumulative results. If you clear a search term, the total is not recalculated correctly. (17783)

    When viewing the Index Search Results, if you expand and retract the file nodes repeatedly, FTK may become unresponsive and need restarting. (15156)

    Using custom filters with indexed search results may not work properly after clearing search terms. (16474)

    Export

    When attempting to export an NSF file to a PST, it is exported as an NSF file. (11580)

    When attempting to export an email to a PST and you select the option to Preserve folder structure > PST per mail archive, you may get a “Cancelled” status without an error summary. (16384)

    Bookmarks

    When deleting a file from a bookmark, you are prompted to confirm the deletion a second time and regardless of your response, the file is deleted. This issue only occurs when using Microsoft SQL Server for the database. (18215)

    FTK Compatibility with AD CIRT

    If you attempt to use FTK to add a user to a database that was created by AD CIRT, it creates the user but causes FTK to crash. (17929)

    VADs, Crypto, and Kernel Modules from a memory analysis job that was run by CIRT do not appear correctly in FTK. There are “Unknown Operation” items displayed in the FTK volatile tab. (17908)

    4.2.1 Release Notes for Add-on Modules

    4.2.1 Release Notes for the Cerberus Add-on

    There is an add-on module for malware analysis that is called Cerberus. Cerberus is integrated to allow you to detect and triage suspect binaries. You can determine the behavior, intent, and potential threat of suspect binaries without waiting for a malware team to perform weeks of analysis. Cerberus requires an additional license. For more information, see http://accessdata.com/.

    For Cerberus Release notes from previous 4.x releases, see the following:

    4.2 Release Notes for the Cerberus Add-on (page 18)

    4.1 Release Notes for the Cerberus Add-on (page 25)

    4.0.2 Release Notes for the Cerberus Add-on (page 31)

    4.0.1 Release Notes for the Cerberus Add-on (page 36)

    4.0 Release Notes for the Cerberus Add-on (page 42)

    4.2.1 Release Notes for the Visualization Add-on

    There is an add-on module called Visualization. The visualization module lets you view data in multiple display formats, including time lines, cluster graphs, pie charts and more. This functionality lets you quickly determine relationships in the data and find key pieces of information. Visualization requires an additional license. For more information, see http://accessdata.com/.

    For Visualization Release Notes for the previous 4.x releases, see the following:

    4.2 Release Notes for the Visualization Add-on (page 18)

    4.1 Release Notes for the Visualization Add-on (page 26)

    4.0.2 Release Notes for the Visualization Add-on (page 32)

    4.0.1 Release Notes for the Visualization Add-on (page 37)

    4.0 Release Notes for the Visualization Add-on (page 42)

    The following fixes have been made in 4.2.1:

    Fixed an issue that caused no highlighted bars to be displayed for a selected single browser history file. (16609)

    Fixed an issue that caused Browser History items to be displayed after selecting a blank area in the Browser History Timeline pane. (16609)

    The following are known issues in 4.2.1:

    The Received Mail count in the Email Traffic Details window displays all items for both Sent and Received Mails. (17657)

    Some files in the Browser History are not showing their time/date in the Timeline pane. (16618)

    4.2.1 Where to get more information

    Use the following documentation resources to learn more about this product. Each document is available in PDF format in the download ISO file. The User Guide is also available through the Help menu in FTK.

    The latest version of each document is available in the Product Release pane on the FTK product download page:

    http://www.accessdata.com/support/product-downloads/ftk-download-page

    Comments?

    We value all feedback from our customers. Please contact us at [email protected], or send documentation issues to [email protected].

    Document Description

    Quick Installation Guide: Information about how to install and upgrade this and related products.

    User Guide: Information about how to use this product, including detailed technical information and instructions for performing tasks.

    Upgrading, Migrating, and Moving Cases: Information about upgrading and migrating cases from 4.1 to 4.2.1, and moving cases from one database to another.

    Upgrading Cases: Information about upgrading cases from 4.1 to 4.2.1.

    Migrating Archived Cases: Information about upgrading or migrating cases that you have archived in a previous release.

    AccessData Forensic Toolkit 4.2

    Release Notes

    Document Date: February 4, 2013

    ©2013 AccessData Group, LLC All rights reserved.

    Introduction

    This document includes information about the AccessData® Forensic Toolkit® (FTK®) 4.2 release. Please be aware that all known issues that have been published under previous release notes still apply until they are listed under a “Fixed Issues” section.

    For your convenience, previous Release Notes versions are included at the end of this document.

    See the following:

    AccessData Forensic Toolkit 4.1 Release Notes (page 20)

    AccessData Forensic Toolkit 4.0.2 Release Notes (page 28)

    AccessData Forensic Toolkit 4.0.1 Release Notes (page 33)

    AccessData Forensic Toolkit 4.0 Release Notes (page 38)

    For information about additional previous releases, see the AccessData web site at http://accessdata.com/.

    Important Information

    The following are important considerations to be aware of:

    Installation and upgrade:

    FTK does not support skipping versions when you upgrade cases. You must upgrade in the order of the released versions. For example, you cannot upgrade cases from FTK 4.0 or earlier directly to FTK 4.2. You must first upgrade to FTK 4.1 and then upgrade from FTK 4.1 to FTK 4.2.

    Whenever possible, install the database component to a physical system. AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.

    If you are using Oracle, when you first launch FTK and add the database, when you select to use Oracle, you must change the Oracle SID from ADG to FTK2.

    If you choose to install both versions of PostgreSQL, version 9.1.6 cannot use the same port as 9.0.1 (5432). You must use a new port when installing version 9.1.6. A new port will automatically be chosen during the installation. You should record the port that is used.

    To install the KFF server, you must have admin privileges. Otherwise, you get the following error: Unhandled exception has occurred in your application. (9092)

    To install the KFF server, Microsoft .NET Framework 4 is required. If you do not have .NET installed, you will be prompted to install it. If you install .NET at this time, the computer must be restarted before installing KFF. On 32-bit computers, the installer will prompt you to do this, but on 64-bit computers, you are not prompted and the KFF Server Setup Wizard opens. You must cancel the wizard and restart the computer manually before restarting the KFF Server installation. (15000)

    The Exporting Emails to PST feature requires that you have either Microsoft Outlook or the Microsoft Collaboration Data Objects (CDO) installed on the same computer as the processing engine. However, CDO does not support exporting Unicode email messages. Attempting to export Unicode messages to PST with CDO installed will result in errors and the resulting PST will be missing any Unicode email messages. To export Unicode email messages, you must install Outlook. For more information, see the Quick Installation Guide. See Where to get more information on page 19.

    Data and Database Management

    AccessData recommends that, whenever possible, users not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML web pages or binaries, there is a potential risk that is associated with specially crafted pages or binaries. These pages or binaries can trigger unintended consequences, such as running malicious code or scripts.

    It is strongly recommended to configure antivirus to exclude the database (PostgreSQL, Oracle database, Microsoft SQL), AD temp, source images/loose files, and case folders for performance and data integrity.

    Cerberus writes binaries to the AD Temp folder momentarily in order to perform the malware analysis. Upon completion, it will quickly delete the binary. It is important to ensure that your antivirus is not scanning the AD Temp folder. If antivirus deletes or quarantines the binary from the temp folder, Cerberus analysis will not be performed.

    When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a number. If the Oracle computer has a name that begins with a number, you must change the machine name before you install Oracle.

    If you are using Oracle, you should consider installing Oracle Critical Patch Updates. You can download the Oracle Critical Patch Update 38 and 45 (April 2011) from the AccessData Support Downloads web page. For newer updates, you must have an Oracle support contract. You can download updates from the Oracle web site (http://www.oracle.com/technetwork/topics/security/alerts-086861.html). To install an Oracle Critical Patch Update, first back up the database, and then close all programs before you install the patch. (58583, 58248) If you do not have an Oracle support contract, consider changing from an Oracle database to PostgreSQL, which is available at no cost on the FTK Download page. You can easily migrate your cases from Oracle to PostgreSQL. For more information, see the Quick Install Guide and the Upgrading, Migrating, and Moving Cases guide. See Where to get more information on page 19.

    If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)

    If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the “Process Manually Carved Items” option in the Evidence drop-down menu to process the manually carved item. (57812)

    4.2 New, Improved, and Enhanced Features

    The following items are new and improved features, or feature enhancements for the 4.2 release.

    For enhancements in the previous 4.x releases, see the following:

    4.1 New, Improved, and Enhanced Features (page 21)

    4.0.2 New, Improved, and Enhanced Features (page 29)

    4.0.1 New, Improved, and Enhanced Features (page 34)

    4.0 New, Improved, and Enhanced Features (page 39)

    Enhanced Database Support

    Support for Microsoft SQL Server

    You can now use Microsoft SQL Server database version 2008 R2 or 2012 for your FTK database.

    You can migrate your FTK 4.1 cases that are currently in Oracle or PostgreSQL to FTK 4.2 and Microsoft SQL Server.

    For information on configuring a Microsoft SQL database to work with FTK 4.2, see the Quick Install Guide.

    For information on migrating cases, see the Upgrading, Migrating, and Moving Cases guide.

    See Where to get more information on page 19.

    Updated version of PostgreSQL

    FTK 4.2 includes PostgreSQL 9.1.6. (FTK 4.1 included PostgreSQL 9.0.1).

    For information about PostgreSQL version 9.1.6, see the following link:

    http://www.postgresql.org/docs/current/static/release-9-1-6.html

    PostgreSQL installation and upgrade options:

    If you are installing FTK 4.2 with PostgreSQL for the first time, PostgreSQL 9.1.6 is the version that is provided for you to install.

    If you are upgrading from FTK 4.1 and using PostgreSQL, you have two options:

    Continue to use PostgreSQL 9.0.1 with FTK 4.1 and 4.2. You are not required to upgrade to the new version of PostgreSQL.

    Install PostgreSQL 9.1.6

    Important: If you choose to install PostgreSQL 9.1.6, it will be installed alongside PostgreSQL 9.0.1 and will only be used by FTK 4.2. If you continue to use FTK 4.1, it will use only version 9.0.1. (4.1 does not support the new 9.1.6 version).

    You can upgrade or migrate your FTK 4.1 cases to be used in 4.2 using any of the supported databases. For more information, see the Upgrading, Migrating, and Moving Cases guide.

    For more information about installing and upgrading with PostgreSQL, see the Quick Install Guide and the Upgrading, Migrating, and Moving Cases guide. See Where to get more information on page 19.

    Database Integration with AccessData CIRT 2.2

    If you are using both FTK 4.2 or higher and AccessData CIRT 2.2 or higher, you can share the same database. When you install FTK, you can specify the same database that you are using for CIRT. This lets you open and perform tasks on CIRT cases in FTK. You can do the following tasks with CIRT cases:

    Open a case

    Backup and restore a case

    Add and remove evidence

    Perform Additional Analysis

    Search and index data

    Export data

    Opening FTK/FTK Pro/Enterprise cases in CIRT is not currently supported.

    Updated Case Backup Functionality

    All case backups are now performed using the database independent format rather than a native format. The database independent format facilitates migrating and moving cases to a different database application or version. You can perform a backup using a native format using the dbcontrol utility.

    Updated Functionality for Parsing and Viewing Data

    Support for Viewing and Parsing IIS Log Files

    You can now view data that is contained in IIS log files in HTML format in the Natural tab of the File Contents Pane.

    You can also process IIS log files so that they are broken into individual records and interspersed with other items to support timeline analysis. To process IIS log files, there is a new IIS LOG check box in Evidence Processing Options > Expansion Options. This option is not enabled by default.

    When viewing IIS log files, you can use the following new IIS-related columns in the File List:

    c-ip

    cs(Cookie)

    cs(Referer)

    cs(User-Agent)

    cs-bytes

    cs-host

    cs-method

    cs-uri-query

    cs-uri-stem

    cs-username

    s-computername

    s-ip

    s-port

    s-sitename

    sc-bytes

    sc-status
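    The record splitting described above, as an added example that is not part of these release notes or of FTK: a parser for the IIS W3C Extended log format that turns each request line into one record keyed by the column names listed, re-reading the #Fields directive whenever it appears and rejecting lines whose field count does not match. The log lines, host names and addresses are constructed sample data.

```python
"""Parse IIS W3C Extended Log Format lines into per-request records.

Added example for this release-notes section, not AccessData/FTK code. It mirrors
what the notes describe (one record per log line, keyed by the IIS column names
c-ip, cs-uri-stem, sc-status, ...) so the records can be ordered on a timeline
alongside other artifacts. The log lines below are constructed sample data.
"""
from datetime import datetime, timezone

# Constructed sample log: W3C Extended header lines followed by three requests.
# IIS writes "-" for an empty field, replaces spaces inside a field with "+",
# and records date/time in UTC.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-11-05 08:00:01
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-bytes cs-bytes
2012-11-05 08:00:01 W3SVC1 WEBSRV01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) - - www.example.test 200 5120 410
2012-11-05 08:00:07 W3SVC1 WEBSRV01 10.0.0.5 POST /login.aspx ret=%2Fadmin 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) ASP.NET_SessionId=abc http://www.example.test/index.html www.example.test 302 310 655
2012-11-05 08:00:09 W3SVC1 WEBSRV01 10.0.0.5 GET /admin/ - 80 jdoe 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) ASP.NET_SessionId=abc - www.example.test 401 1408 380
"""


def parse_iis_log(text):
    """Return a list of dicts, one per request line.

    The #Fields directive defines the column order and may appear more than once
    (IIS rewrites it when the configured fields change), so it is re-read each
    time it is encountered. Empty fields ("-") become None. Each record also
    gets a 'timestamp' (aware UTC datetime) built from the date and time
    columns, which is the value a timeline view sorts on.
    """
    fields = None
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no per-request data
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            # A malformed line must not silently shift every following column.
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        rec = {name: (None if v == "-" else v) for name, v in zip(fields, values)}
        if rec.get("date") and rec.get("time"):
            rec["timestamp"] = datetime.strptime(
                f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"
            ).replace(tzinfo=timezone.utc)
        for name in ("sc-status", "sc-bytes", "cs-bytes", "s-port"):
            if rec.get(name) is not None:
                rec[name] = int(rec[name])
        records.append(rec)
    return records


def requests_by_client(records):
    """Group parsed records by c-ip, preserving time order within each client."""
    grouped = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        grouped.setdefault(rec["c-ip"], []).append(rec)
    return grouped


if __name__ == "__main__":
    for r in parse_iis_log(SAMPLE_IIS_LOG):
        print(r["timestamp"].isoformat(), r["c-ip"], r["cs-method"],
              r["cs-uri-stem"], r["sc-status"], r["cs-username"])
```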

    Registry Timeline Analysis

    You can now view additional registry data in HTML format in the Natural tab of the File Contents Pane to support timeline analysis.

    You can process Registry data files so that they are broken into individual records that are interspersed with other items to support timeline analysis. To process Registry data, there is a new Registry check box in Evidence Processing Options > Expansion Options. This option is not enabled by default.

    The following registry areas are supported:

    SAM:

    SAM\Domains\Account\Users

    NTUSER.DAT:

    Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

    Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

    Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

    Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count

    Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU

    Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder

    Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

    Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy

    Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
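    The per-record splitting of the UserAssist keys listed above, as an added example that is not part of these release notes or of FTK: a decoder for raw UserAssist values that yields one timeline record per launched program. It assumes the documented Windows layouts, not stated in the notes (ROT13-encoded value names; 16-byte values under the XP-era GUIDs {75048700-...} and {5E6AB780-...}, 72-byte values under the Windows 7 GUIDs {CEBFF5CD-...} and {F4E57C4B-...}), and reuses the Registry Action column names from the notes as record keys by the author's choice. All sample values are constructed.

```python
"""Decode UserAssist registry values into timeline records.

Added example for the Registry Timeline Analysis notes, not AccessData/FTK code.
Each UserAssist\\{GUID}\\Count key holds one value per program the user launched:
the value name is ROT13-encoded and the data holds a run count and a last-run
FILETIME. The layout differs between the XP-era GUIDs (16-byte values) and the
Windows 7 GUIDs (72-byte values), so both are handled. Samples are constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 = never run."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_userassist(value_name, data):
    """Return one timeline record from a raw UserAssist value.

    Raises ValueError for a data length that matches neither known layout rather
    than guessing, so a truncated or unknown value is never reported as a run.
    """
    name = codecs.decode(value_name, "rot_13")
    if len(data) == 16:
        # XP/2003 layout: session id, run count, FILETIME. The stored counter
        # starts at 5, so the real number of runs is the raw value minus 5.
        session, raw_count, ft = struct.unpack("<IIQ", data)
        run_count = max(raw_count - 5, 0)
        focus_count = focus_ms = None
    elif len(data) == 72:
        # Windows 7 layout: session, run count, focus count, focus time (ms),
        # ten floats plus 4 unused bytes, FILETIME at offset 60, 4 pad bytes.
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
    else:
        raise ValueError(f"unsupported UserAssist value length {len(data)}")
    return {
        "Registry Action Name": name,
        "Registry Action Type": "UserAssist",
        "Run Count": run_count,
        "Focus Count": focus_count,
        "Focus Time (ms)": focus_ms,
        "Last Run (UTC)": filetime_to_datetime(ft),
    }


def build_samples():
    """Constructed raw values for both layouts, as a hive would store them."""
    last_run = datetime(2012, 11, 5, 8, 0, 7, tzinfo=timezone.utc)
    ft = datetime_to_filetime(last_run)
    xp_name = codecs.encode("UEME_RUNPATH:C:\\Windows\\system32\\calc.exe", "rot_13")
    xp_data = struct.pack("<IIQ", 1, 5 + 3, ft)  # run three times
    win7_name = codecs.encode(
        "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\mspaint.exe", "rot_13")
    win7_data = (struct.pack("<IIII", 0, 7, 2, 15000)
                 + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)
    return [(xp_name, xp_data), (win7_name, win7_data)]


def timeline(values):
    """Decode many values and order them by last run, oldest first."""
    recs = [decode_userassist(n, d) for n, d in values]
    recs.sort(key=lambda r: r["Last Run (UTC)"] or EPOCH_1601)
    return recs


if __name__ == "__main__":
    for rec in timeline(build_samples()):
        print(rec["Last Run (UTC)"], rec["Run Count"], rec["Registry Action Name"])
```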

    You can also use the following new Registry-related columns in the File List:

    Registry Action Description

    Registry Action Type

    Registry Action Name

    Registry File

    Support for Additional File Types in the Natural tab of the File Contents Pane

    Fonts embedded in PDF input files are now supported.

    Support for the following document types has been added. The marks after each name show the supported operations in the order Viewing in the Natural Viewer, Categorizing, Extracting Text (X X X means all three):

    Hangul 2010 documents: X X X

    Table data in a Microsoft Jet 3.x- or 4.x-based file: X X X

    Microsoft OneNote 2007 and 2010 files: X X

    Office 2003 files: WordProcessingML (Word 2003) text only; and SpreadSheetML (Excel 2003) text only: X X X

    IBM SmartSuite 9.8 files: Lotus WordPro, Lotus 1-2-3, and Lotus Freelance: X X X

    Apple iWork 09 files for Mac OS X: Pages, Keynote, and Numbers: X X X

    WordPerfect X5 files: Word Processor, Quattro Pro, and Presentations: X X X

    Adobe Creative Suite 5 files: Photoshop CS5, Illustrator CS5, and InDesign CS5: X X X

    Microsoft Project Note field rich text: X X X

    Compressed PDF files: X X X

    PDF files that are encrypted using AES 256-bit encryption: X

    PDF files created by Acrobat 10 are now validated by the file signature engine: X X

    Cache File List

    When evidence is processed, data that is commonly viewed in the File List can now be cached. You can cache the following:

    All of the tab views and default columns associated with the respective view

    All of the pre-defined Filters

    This feature is not enabled by default. To enable this feature, select the Cache Common Filters option in either the Case Processing Options or Additional Analysis.

    For large cases, this caching will reduce the amount of time required to refresh the data in the File List and various views. Database caching effectively runs the common queries during processing time and stores the results in the database. When a user performs a query that is cached, the results come back quickly instead of the actual query being run against the database each time it is executed.

    Caching the queries will increase processing time because each of the queries is executed at processing time. The increase in time is dependent on the amount of data. In the evidence processing options, you can choose to disable the setting to cache files.

    From the file list, you can choose to add or remove views from the cache.

    Indexing Updates

    The default list of noise words that are ignored for indexing during a dtSearch has been reduced. Words such as another, because, each, indeed, many, and others are no longer in the default list. You can still add or remove noise words from the default list when configuring default evidence processing options for a new case. (13867)

    When you export data from a case as an image, and then add that image as evidence in either the same case or a different case, the image is renamed using a generic term. This prevents a user-generated image name from being indexed with evidence. (9495)

    Bitlocker Update

    Bitlocker now supports Windows 7 and Windows Vista.

    New Version of KFF

    KFF (Known File Filter) is now a separate application that runs on the same computer that runs Examiner.

    It no longer stores the KFF database in the shared evidence database but on the file system in EDB format. The install of KFF data now only includes the Hash Library from NIST NSRL (Feb 2012). The expanded library, including quarterly NSRL updates and Hashkeeper, is available on the AccessData download site. KFF now requires you to “close” a custom KFF group before using it. A closed group cannot be edited or deleted.

    If you are upgrading from FTK 4.1, you can export your existing KFF groups and import them into FTK 4.2. If you continue to use FTK 4.1, you will use the 4.1 version of KFF, not the new KFF version for 4.2.

    You will now install the KFF server service as a separate installation from the KFF library. When you install the KFF server, you specify the location for the KFF data. For information on installing KFF, see the Quick Install Guide.

    Processing Improvements

    Processing has been enhanced to provide faster performance.

    Add-on Module Enhancements

    This release includes enhancements to the FTK Cerberus and Visualization add-on modules. For information, see 4.2 Release Notes for Add-on Modules (page 18).

    4.2 Fixed Issues

    The following items are resolved issues in the 4.2 release.

    For resolved issues in the previous 4.x releases, see the following:

    4.1 Fixed Issues (page 24)

    4.0.2 Fixed Issues (page 30)

    4.0.1 Fixed Issues (page 35)

    4.0 Fixed Issues (page 40)

    Index Merge Data

    Fixed an issue that prevented the index merge from consolidating all data. (3734)

    Processing

    Fixed an issue that prevented 7zip files that contained EXE files from being expanded properly. (70071)

    Fixed an issue that sometimes caused large amounts of registry data to not be shown in Registry Viewer. (10149)

    Filters

    Renaming filters

    The user interface has been updated to reflect actual events when managing filters. In previous versions, it appeared that you could edit and then change the name of a custom filter. However, what really happened is that the original filter was copied using the new name. The result was that the original filter still existed with the original name, and a copied filter was created with the new name. Now, if you edit a custom filter, you cannot attempt to rename the filter. You can copy it and you can use a new name for the copy. If desired, you can delete the original custom filter. (9698)

    Fixed an issue that caused Cyrillic/Russian names in the “From” and “To” fields of email messages to not be displayed correctly. (14242)

    Graphics and Video

    Fixed an issue that sometimes caused a Runtime error when accessing the Graphics tab. (13754)

    Fixed an issue that caused 32-bit systems to convert fewer Flash Video files to common video files than 64-bit systems. (13216)

    Fixed an issue that prevented Windows 7 (64-bit) from creating thumbnails and common video files from .rb and .rmvb files. (10150)

    Bookmarks

    Fixed an issue that prevented files from being deleted from a bookmark. (68372)

    KFF

    Fixed an issue that prevented the KFF Manager from displaying the sets of only the highlighted group. (13082)

    Bitlocker

    Fixed an issue that caused Bitlocker to fail when validating credentials. (13493)

    Imager

    Image mounting now works in FTK or Imager when the agent is installed on that machine. (58791)

    Fixed an issue that caused Imager to crash while performing a string copy of the filename to display in the file list. (13011)

    Improved the detection of corrupt $I30 files. (12293)

    File List

    The “Key” icon that is displayed next to files for the category Other Encryption Files in the File List pane is no longer distorted. (18628)

    FTK now prevents you from creating two or more Column Settings profiles with the same name but with different character cases. (55732, 52510, 58961)

    Other

    Fixed an issue that prevented contents of an ISO, or data from a CD/DVD, from having the Actual File flag set. (10554)

    Improved performance on email export. (13098)

    Fixed an issue where an extra space at the end of the case name caused FTK to crash. (62386)

    4.2 Known Issues

    The following items are known issues found in the 4.2 release.

    For known issues found in previous 4.x releases, see the following:

    4.1 Known Issues (page 24)

    4.0.2 Known Issues (page 31)

    4.0.1 Known Issues (page 36)

    4.0 Known Issues (page 42)

    Search

    When doing an Index Search of a pagefile.sys file, it does not highlight the correct section of the file in the 'File Content' pane. (14614)

    When doing an Index Search of a pagefile.sys file, if there are a lot of hits, a “Limit Search Hits” pop-up window lets you limit the number of hits displayed. This is not working correctly for Index Search results. (14619)

    While doing a Live Search, on the Text tab, you can enter more than one Search Term, but if you click “Remove” for one of them and then click “Remove” again, it will clear the whole list without warning (unless you selected another individual item). (14896)

    Doing a live search on multiple Chinese characters may not yield any results. Performing a live search on a single character works properly. (9471)

    Video files

    When using the option to create common video files during processing, some Flash Video files are not converted correctly. This can be resolved by updating the ffmpeg file, which is located at ..\AccessData\EvidenceProcessing Engine\version\ffmpeg.exe. You can download an updated version from http://ffmpeg.zeranoe.com/builds/ and replace the original file. (13216)

    KFF

    In FTK 4.2, you cannot export KFF groups. You can still export groups out of 4.1 so that you can import them into 4.2.

    After uninstalling the KFF Server and trying to uninstall the KFF Data, an Error 1721 is returned and you cannot uninstall the data. Workaround: If you want to uninstall the KFF server, uninstall the data/hashes first. (13920)

    Bookmarks

    The bookmarks dialog normally only allows the inclusion of “Email Attachments” or “Parent Email” when bookmarking an email message or attachment. However, it is currently also applying these options when bookmarking email archives and folders, thus resulting in many more items being bookmarked than intended. (14992)

    Other

    If you are using a display with less than 768 pixels, when viewing the Additional Analysis page, you cannot see the OK button on the bottom of the page. (10210)

    If using OCR and selecting the B&W and Grayscale option, and then setting the Filter to OCR Graphics, the File List pane may display graphics with color. (13140)

    4.2 Release Notes for Add-on Modules

    4.2 Release Notes for the Cerberus Add-on

    There is an add-on module for malware analysis that is called Cerberus. Cerberus is integrated to let you detect and triage suspect binaries. You can determine the behavior, intent, and potential threat of suspect binaries without waiting for a malware team to perform weeks of analysis. Cerberus requires an additional license. For more information, see http://accessdata.com/.

    For Cerberus Release notes from previous 4.x releases, see the following:

    4.1 Release Notes for the Cerberus Add-on (page 25)

    4.0.2 Release Notes for the Cerberus Add-on (page 31)

    4.0.1 Release Notes for the Cerberus Add-on (page 36)

    4.0 Release Notes for the Cerberus Add-on (page 42)

    Please note the following enhancements:

    Additional data is reported for the following:

    Static Function Call Summary

    Static Function Call Details

    Column names in the report have been simplified

    Cerberus no longer gets flagged by AntiVirus software.

    4.2 Release Notes for the Visualization Add-on

    There is an add-on module called Visualization. The visualization module lets you view data in multiple display formats, including time lines, cluster graphs, pie charts and more. This functionality lets you quickly determine relationships in the data and find key pieces of information. Visualization requires an additional license. For more information, see http://accessdata.com/.

    For Visualization Release Notes for the previous 4.x releases, see the following:

    4.1 Release Notes for the Visualization Add-on (page 26)

    4.0.2 Release Notes for the Visualization Add-on (page 32)

    4.0.1 Release Notes for the Visualization Add-on (page 37)

    4.0 Release Notes for the Visualization Add-on (page 42)

    Please note the following enhancements:

    Visualization now supports browser history data.

    You can now view browser history files in the detailed visualization timeline. You can view browser history files from the following browsers:

    Internet Explorer

    Firefox

    Chrome

    Safari

    Opera

    To process browser history data, there is a new Process Internet Browser History for Visualization check box in Evidence Processing Options or Additional Analysis. This option is not enabled by default.

    Please note the following fixed issue:

    The visualization time line’s current date selection now matches the Current Selection information that is displayed on the time line’s status bar. It no longer adds an additional day. (66296)

    Where to get more information

    Use the following documentation resources to learn more about this product. Each document is available in PDF format in the download ISO file. The User Guide is also available through the Help menu in FTK.

    Quick Installation Guide: Information about how to install and upgrade this and related products.

    User Guide: Information about how to use this product, including detailed technical information and instructions for performing tasks.

    Upgrading, Migrating, and Moving Cases: Information about upgrading and migrating cases from 4.1 to 4.2, and moving cases from one database to another.

    Upgrading Cases: Information about upgrading cases from 4.1 to 4.2.

    Migrating Archived Cases: Information about upgrading or migrating cases that you have archived in a previous release.

    The latest version of each document is available in the Product Release pane on the FTK product download page:

    http://www.accessdata.com/support/product-downloads/ftk-download-page

    Comments?

    We value all feedback from our customers. Please contact us at [email protected], or send documentation issues to [email protected].

    AccessData Forensic Toolkit 4.1 Release Notes

    Document Date: October 3, 2012

    ©2012 AccessData Group, LLC All rights reserved.

    Introduction

    This document includes information about the AccessData® Forensic Toolkit® (FTK®) 4.1 release. Please be aware that all known issues that have been published under previous release notes still apply until they are listed under a “Fixed Issues” section.

    For your convenience, previous Release Notes versions are included at the end of this document.

    See the following:

    AccessData Forensic Toolkit 4.0.2 Release Notes (page 28)

    AccessData Forensic Toolkit 4.0.1 Release Notes (page 33)

    AccessData Forensic Toolkit 4.0 Release Notes (page 38)

    For information about additional previous releases, see the AccessData web site at http://accessdata.com/.

    Important Information

    The following are important considerations to be aware of:

    You can download the Oracle Critical Patch Update for this release from the AccessData Support Downloads web site. First back up the database, and then close all programs before you install the patch. (58583, 58248)

    AccessData recommends that, whenever possible, users not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML or web pages, there is a potential risk that is associated with specially crafted pages or binaries. These pages or binaries can trigger unintended consequences, such as running malicious code or scripts.

    When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a number. If the Oracle computer has a name that begins with a number, you must change the machine name before you install Oracle.

    Whenever possible, install the database software to a physical system. AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.

    If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)

    FTK does not support skipping versions when you upgrade cases. You must upgrade in the order of the released versions. For example, you cannot upgrade cases from FTK 3.1 to FTK 4.0. In this example, you would need to upgrade first from FTK 3.1 > FTK 3.2 > FTK 3.3 > FTK 3.4 > FTK 4.0. (63494) (57461)

    If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the “Process Manually Carved Items” option in the Evidence drop-down menu to process the manually carved item. (57812)

    It is strongly recommended to configure antivirus to exclude the database (PostgreSQL, Oracle database, MS SQL), AD Temp, source images/loose files, and case folders for performance and data integrity.

    Cerberus writes binaries to the AD Temp folder momentarily in order to perform the malware analysis. Upon completion it quickly deletes the binary. It is important to ensure that your antivirus is not scanning the AD Temp folder. If antivirus deletes or quarantines the binary from the AD Temp folder, Cerberus analysis will not be performed.

    4.1 New, Improved, and Enhanced Features

    The following items are new and improved features, or feature enhancements, for the 4.1 release.

    For enhancements in the previous 4.x releases, see the following:

    4.0.2 New, Improved, and Enhanced Features (page 29)

    4.0.1 New, Improved, and Enhanced Features (page 34)

    4.0 New, Improved, and Enhanced Features (page 39)

    Media Analysis Enhancements

    New Video Tab

    You can generate thumbnails from video files and display them in the Video Thumbnail pane. This functionality lets you quickly examine a portion of the contents within video files without having to watch the full content of each media file. You can define the thumbnail generation interval based on one of the following:

    Percent (1 thumbnail every “n”% of the video)

    Interval (1 thumbnail every “n” seconds)

    Generate Common Video File

    You can convert all supported video types into a format that Windows Media Player supports. All converted videos are stored in the case folder, and when a user selects a video, it is playable within FTK. You can define the lines of resolution and the bit rate.

    Exporting Enhancements

    Improved handling of Outlook 2010 email drafts when exporting. (67505)

    Exporting Emails to PST

    You can export email messages to a PST file, even if they didn't come from a PST file originally. This lets you accomplish the following:

    Export messages from RFC822, NSF, PST, Exchange, and so on to a PST.

    As the opposite of reduction, you can create a new PST file with responsive messages in it. This creates a new PST rather than exporting the whole source PST and running reduction to remove anything non-responsive.

    Convert email archives, such as NSF, to a PST with the same folder and message structure.

    Note: This export feature requires that you have Microsoft Outlook and the Microsoft Collaboration Data Objects (CDO) installed on the same computer as the processing engine. The Processing Engine installer will attempt to download and install CDO automatically. However, if the computer does not have an internet connection, you will need to install CDO manually. See http://www.microsoft.com/en-us/download/details.aspx?id=3671

    Header info has been added to the export manifest file. (69056)

    Processing Enhancements

    The handling of NSF Emails with compressed email bodies has been improved. (66674)

    The following new carvers have been added. These new carvers are not enabled by default:

    AIM Chat Logs
    Facebook Status Updates
    Facebook Chat
    Facebook Email Artifact
    Facebook Mail Snippets
    Facebook Fragment
    Gmail Email Message
    Gmail Parsed Email
    Google Talk Chats
    Hotmail Email Artifact
    Bebo Chat
    Firefox Form History
    Firefox Places
    Firefox Session Store
    Frostwire Props Files
    GigaTribe Chat
    IE8 Recovery URL
    Limewire Props
    Limewire/Frostwire Keyword Search
    mIRC Chat Log
    MySpace Chat
    Twitter Status
    Windows Messenger Plus w/chat logging
    MSN/WLM Chat
    Yahoo Diagnostic
    Yahoo Webmail Chat
    Yahoo Mail
    Yahoo Group Chat Recvd
    Yahoo Group Chat Sent
    Yahoo Chat
    Yahoo Chat UnAllocated
    Yahoo Unencrypted Active

    File Content Viewing Enhancements

    You can now easily view data about Windows prefetch (.pf) files. When you select a prefetch file in the file list, the following application data is displayed in HTML format in the Natural tab of the File Content pane:

    The file path of the application executable file

    The number of times the application has been run

    The last time the application was run

    Support for Windows EVTX log files

    You can now view data that is contained in Microsoft EVTX log files in HTML format in the Natural tab of the File Contents Pane. (T6636)

    There is a new option in Expand Compound Files for EVTX. When EVTX is selected, it will create a separate object for each event. This allows a user to view EVTX events interspersed with file data.

    You can also use the following new EVTX-related columns in the File List:

    EVTX Event Channel

    EVTX Event Computer

    EVTX Event Data

    EVTX Event ID

    EVTX Event Level

    EVTX Event Source

    EVTX Event Source Name

    EVTX Event User ID

    Decryption Enhancements

    Decrypting Microsoft Office and Outlook Digital Rights Management (DRM) Protected Files

    If your organization uses Windows Rights Management (RMS) to protect your Microsoft Office files and Outlook email files, you can use the Examiner to decrypt them. If you are investigating Microsoft Office files and Outlook email files from within your organization, this saves you time by decrypting and indexing DRM protected files in batch. By using this feature you no longer have to first export each document and then decrypt them individually with the RMS server.

    Important: This feature only applies to files that are DRM protected from within your Domain. You cannot use this feature to decrypt files that are protected by other organizations' RMS systems.

    To decrypt DRM protected files, the following prerequisites must exist:

    Your Examiner computer and the Microsoft RMS server must be in the same domain.

    The Examiner computer must be able to authenticate with the RMS server. Machine activation happens the first time you attempt to open or to protect a document.

    You must be logged into the Examiner computer with a Domain account that has Super User access to the Microsoft RMS server.

    You must have Microsoft Office installed on the Examiner computer. To decrypt DRM protected PST files, Outlook must be installed on the Examiner computer. It must be configured to work with your organization's Microsoft Exchange Server system.

    When you attempt to decrypt, the system prompts with a Security Alert; select View Certificate and then click Install Certificate.

    You can now configure Credant server settings in two separate ways:

    Globally, for all cases, in the Case Manager interface under the Tools menu.

    For a specific case on the Additional Analysis page. From the Additional Analysis page, you can select to decrypt Credant files. If you select to decrypt Credant files, the File Signature Analysis option will automatically be selected as well. (68848, 69165)

    You can now do a Live Search on Credant files on the fly after performing a drive preview. (70081)

    Database Optimization for Large Cases

    If you are using PostgreSQL, you can now select an option to optimize your database for large cases. (68733)

    Installation and Upgrade Enhancements

    You can now migrate users, shared roles, filters, columns, and so on from the previous version when the database is initialized. (68535)

    Other Enhancements

    RSR (Registry) reports that were available on the website to add to FTK have now been incorporated into the product. (67649)

    Add-on Module Enhancements

    This release includes enhancements to the FTK Cerberus and Visualization add-on modules. For information, see 4.1 Release Notes for Add-on Modules (page 25).

    4.1 Fixed Issues

    The following items are resolved issues in the 4.1 release.

    For resolved issues in the previous 4.x releases, see the following:

    4.0.2 Fixed Issues (page 30)

    4.0.1 Fixed Issues (page 35)

    4.0 Fixed Issues (page 40)

    Processing Fixes

    The handling of NSF Emails with compressed email bodies has been improved. (66674)

    Fixed an issue where, if processing was done with both 'KFF' and 'Optical Character Recognition' selected, two OCR files were generated for each file that had OCR performed on it. (67248)

    Fixed an issue where, in certain cases, FTK took a long time to render SQLite database files. (68246)

    Miscellaneous Fixes

    Fixed an issue where, in certain cases, FTK was showing address book GUIDs instead of email addresses in the “To” and “From” fields. (68228)

    Fixed an issue in the HTML file listing where Local and UTC times were backwards. (63082)

    The Auto Commit default value is now displayed in the case indexing options instead of 0. (58701)

    The visible area in the Social Analyzer when the radius is zoomed in has been improved. (66495)

    Fixed an issue where when using certain reporting options, case reviewers were able to export certain items that had been marked as privileged. (68202)

    Added support for index search hit highlighting for PDF files in the natural view. Previously, only the filtered text view supported index search hit highlighting for PDF files. (68336)

    PDF files are now identified through the PDF file system and will no longer be identified through Custom File Identification. (67866)

    Fixed an issue where certain IMG files were causing a crash. (69663)

    Fixed an issue where some SHA1 hashes were being truncated in the Export Manifest file. (69155)

    Fixed filter issue in UI when using file hashes (MD5, SHA1, etc.). (69273)

    Improved handling of EML files. (69910)

    Fixed an issue with duplicate email counts. (70078)

    Fixed an issue when importing user defined KFF groups. (70086)

    4.1 Known Issues

    The following items are known issues found in the 4.1 release.

    For known issues found in previous 4.x releases, see the following:

    4.0.2 Known Issues (page 31)

    4.0.1 Known Issues (page 36)

    4.0 Known Issues (page 42)

    Installation

    The KFF installation on PostgreSQL can take quite a bit of time to complete. (68237)

    The KFF install will not work on Postgres if the dbname has been changed from FTK2. (70629)

    Graphics and Video

    The Video tab has a tab filter set to only show media that has had a thumbnail or video file rendered from it during processing. If the video options were not selected for processing, the video tab will be blank. (67871)

    SWF video files are not supported. (67958)

    When using the option to create common video files on 32-bit computers, some Flash Video files are not converted correctly. This can be resolved by updating the ffmpeg file, which is located at ..\AccessData\EvidenceProcessing Engine\version\ffmpeg.exe. You can download an updated version from http://ffmpeg.zeranoe.com/builds/ and replace the original file. (13216)

    Other Known Issues

    When viewing files after performing a dtSearch, when you click through the search results, you may not see the results in the expected order. If the file contains headers and footers, such as PDF files, the results from the main body of the text in the page will be shown in order. It will then show any results in the header and then footer on that page. It will then proceed to the body of the next page, followed by the header and footer, and so on. (68556)

    When exporting from 7-Zip files, some EXE files may become corrupted. (70071)

    In the FTK product shortcut, the Target field includes the parameter -product=productname with a product name, such as FTK, Lab, and so on. If this parameter is not set, AccessData Enterprise will open by default.

    4.1 Release Notes for Add-on Modules

    4.1 Release Notes for the Cerberus Add-on

    There is an add-on module for malware analysis that is called Cerberus. Cerberus is integrated to let you detect and triage suspect binaries. You can determine the behavior, intent, and potential threat of suspect binaries without waiting for a malware team to perform weeks of analysis. Cerberus requires an additional license. For more information, see http://accessdata.com/.

    For Cerberus Release notes from previous 4.x releases, see the following:

    4.0.2 Release Notes for the Cerberus Add-on (page 31)

    4.0.1 Release Notes for the Cerberus Add-on (page 36)

    4.0 Release Notes for the Cerberus Add-on (page 42)

Please note the following enhancements:

Cerberus Add-on Enhancements

Stage 1 Cerberus Analysis now includes the following additional information:

Entropy Score: Displays a score of the binary's entropy, used to detect suspected packing or encrypting.

Modules Section: Displays the DLLs loaded with the binary.

Packer & Encryptor Identification: Attempts to display a list of identified packers and encryptors whose signature matches known malware packages.

Integrated Unpacker for certain families of packers: Cerberus Analysis attempts to unpack the binary, analyze the contents, and display the results of the unpacking effort.
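The entropy score in the Stage 1 enhancements above is the standard Shannon entropy of the file's bytes: a packed or encrypted body looks close to random (near 8 bits per byte), while code and text score well below that. The following is an added example of how such a score and a coarse packed/encrypted verdict can be computed; it is not Cerberus code, AccessData does not document the cutoff Cerberus uses, and the 7.0 bits-per-byte threshold, the 1024-byte window size, the function names and the sample inputs are all assumptions made here for illustration.

```python
import math
import random
from collections import Counter

# Assumed heuristic cutoff in bits per byte; the release notes do not state
# the threshold Cerberus itself applies, so this value is illustrative only.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = 1024) -> list:
    """Entropy of consecutive non-overlapping windows, so that a compressed or
    encrypted region inside an otherwise plain file is still visible even when
    the whole-file score stays low."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def entropy_triage(data: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Summarise a binary's entropy the way a stage-1 static triage would:
    overall score, count of high-entropy windows, and a packed/encrypted verdict."""
    overall = shannon_entropy(data)
    windows = window_entropies(data)
    high = sum(1 for e in windows if e >= threshold)
    # Flag when the whole file, or at least half of its windows, looks random.
    suspect = overall >= threshold or (len(windows) > 0 and high * 2 >= len(windows))
    return {
        "entropy": round(overall, 3),
        "windows": len(windows),
        "high_entropy_windows": high,
        "suspect_packed": suspect,
    }


# Constructed sample inputs (not real binaries): a "plain" body of printable
# ASCII and a "packed" body of seeded pseudo-random bytes.
PLAIN_SAMPLE = bytes(range(0x20, 0x7F)) * 40                      # 3800 bytes, about 6.57 bits/byte
_rng = random.Random(1)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))   # close to 8 bits/byte
MIXED_SAMPLE = PLAIN_SAMPLE + PACKED_SAMPLE                       # plain stub followed by a packed payload

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(name, entropy_triage(sample))
```

The per-window scores matter in practice: a small packed stub prepended to a large decompressed payload, or a single encrypted resource inside a normal executable, can keep the whole-file score under the threshold while several windows sit near 8 bits per byte, which is why the verdict also counts high-entropy windows.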

4.1 Release Notes for the Visualization Add-on

There is an add-on module called Visualization. The visualization module lets you view data in multiple display formats, including time lines, cluster graphs, pie charts and more. This functionality lets you quickly determine relationships in the data and find key pieces of information. Visualization requires an additional license. For more information, see http://accessdata.com/.

    For Visualization Release Notes for the previous 4.x releases, see the following:

    4.0.2 Release Notes for the Visualization Add-on (page 32)

    4.0.1 Release Notes for the Visualization Add-on (page 37)

    4.0 Release Notes for the Visualization Add-on (page 42)

Please note the following enhancements:

New Detailed View in Visualization

    You can use the Detailed view of the visualization time line to get a more granular view of the files and emails in your data set. This helps you use the time line to identify the files and emails that are important in your investigation. The detailed view provides the following time bands that you can turn on or off to get a more or less granular view of the files:

    Years

    Months

    Days

    Hours

    Minutes

    Seconds

Milliseconds

Different file types are represented by different colors to assist in identifying relevant files.

    Select All and Select None options have been added to the Basic Time line View in Email Visualization. (68170)

    The Visualization demo time remaining information has been removed from the message box that appeared when logging in and is now displayed in the Help >About dialog. (67738)

    Fixed an issue that caused the warning Info box to continue showing after clicking “No” to not continue with Visualization. (66792)

    Fixed an issue on the extensions bar where the selection was cleared after moving the scroll bar in the Extensions Distribution pane. (66843)

    Fixed an issue that when making a selection from the File Extensions Distribution pane, it did not refresh the Categories Distribution Chart pane. (66893)


Fixed an issue where legend names were not sorted alphabetically in the File Visualization window. (68304)

    Fixed an issue in visualization where 0 length files were sometimes showing a size of -1 bytes. (68992)

Please note the following issues:

When viewing the visualization Categories Distribution Chart, the percentages are rounded to the nearest one-hundredth percent. If a certain category has a percentage lower than one-hundredth of a percent, such as 0.008 %, it will display as 0%, even though there are a limited number of actual files. (68508)

    When viewing the detailed time line, and files are grouped by Selected Time, if you click a group, the total File Count for that group is displayed in the flag and next to the file list. If the files are grouped by Fixed Number, the File Count number is not shown next to the file list. (68530)

Comments?

We value all feedback from our customers. Please contact us at [email protected], or send documentation issues to [email protected].


AccessData Forensic Toolkit 4.0.2 Release Notes

    Document Date: June 13, 2012

    ©2012 AccessData Group, LLC All rights reserved.

Introduction

This document includes information about the AccessData® Forensic Toolkit® (FTK®) 4.0.2 release. Please be aware that all known issues that have been published under previous release notes still apply until they are listed under a “Fixed Issues” section.

    For your convenience, both the version 4.0.1 and the version 4.0 release notes are included at the end of this document. See the following:

    AccessData Forensic Toolkit 4.0.1 Release Notes (page 33)

    AccessData Forensic Toolkit 4.0 Release Notes (page 38)

    For information about additional previous releases, see the AccessData web site at http://accessdata.com/.

Important Information

The following are important considerations to be aware of:

    You can download the Oracle Critical Patch Update for this release from the AccessData Support Downloads web site. First back up the database, and then close all programs before you install the patch. (58583, 58248)

    AccessData recommends that, whenever possible, users not have an active internet connection when running Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML or web pages, there is a potential risk that is associated with specially crafted pages or binaries. These pages or binaries can trigger unintended consequences, such as running malicious code or scripts.

    When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a number. If the Oracle computer has a name that begins with a number, you must change the machine name before you install Oracle.

    Whenever possible, install the database software to a physical system. AccessData does not recommend configurations where the database or the Evidence Processing Engine is running on a virtual machine.

    If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)


FTK does not support skipping versions when you upgrade cases. You must upgrade in the order of the released versions. For example, you cannot upgrade cases from FTK 3.1 to FTK 4.0. In this example, you would need to upgrade first from FTK 3.1 > FTK 3.2 > FTK 3.3 > FTK 3.4 > FTK 4.0. (63494) (57461)

If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the "Process Manually Carved Items" option in the Evidence drop-down menu to process the manually carved item. (57812)

4.0.2 New, Improved, and Enhanced Features

The following items are new and improved features, or feature enhancements, for the 4.0.2 release.

    For enhancements in the previous 4.0.1 or 4.0 releases, see the following:

    4.0.1 New, Improved, and Enhanced Features (page 34)

    4.0 New, Improved, and Enhanced Features (page 39)

File System Enhancements

FTK now supports the EX01 Evidence Format. (66024) (66389)

    This release improves the handling of unallocated space for Android EXT4 partitions. (65613)

    This release improves the handling of unallocated space in YAFFS partitions. (65601)

Processing Enhancements

When you choose to index or expand in Additional Analysis, file slack and drive free space is included by default. (63473)

    A new option has been added to not process embedded graphics from email items. The default behavior has not changed. The option only applies if you select it in the processing options. (65912)

    You can now run an Entropy Test on files without performing indexing.

Backup Enhancements

You can now select multiple cases in the Case List pane and back up/detach them at the same time. (66503)

Bookmarking Enhancements

The user interface now lets you bookmark more than 9,999 items at a time. (65840)

Decryption Enhancements

This release adds new decryption support for YAFFS 1 and YAFFS 2.

This release adds new decryption support for iOS.

    Transparently decrypted files have the Decrypted flag set instead of the Encrypted flag. You can search for these files by sorting or filtering on the Decrypted column. If you need to view the original encrypted data, right-click on the file and select Find on Disk. (65314)

Filtering Enhancements

This release improves the user interface’s tab order in the Filter Definition dialog. (65805)


Optical Character Recognition (OCR) Enhancements

    FTK now has support for a new OCR engine. Existing Glyph Reader customers will be switched to the new OCR engine.

Registry File Enhancements

You can now send registry files to Registry Viewer from FTK even if the files have not yet been identified.

Searching Enhancements

When you do a Live Search with a filter selected, the Search Results tree now shows the type of filter option that you used for that particular search. (65961)

Known File Filter Enhancements

For user-defined KFF sets, the Source Vendor column is now populated. (57244)

Add-on Module Enhancements

This release includes enhancements to the FTK Cerberus and Visualization add-on modules.

    For information, see 4.0.2 Release Notes for Add-on Modules (page 31).

4.0.2 Fixed Issues

The following items are resolved issues in the 4.0.2 release.

For resolved issues in the previous 4.0.1 or 4.0 releases, see the following:

    4.0.1 Fixed Issues (page 35)

    4.0 Fixed Issues (page 40)

Installation and Configuration Fixes

Fixed an issue where, when a user installed the product to a Unicode folder, the indexing options in the New Case Wizard were not populated. (65582)

Backup and Restore Fixes

Fixed an issue where, if the case folder path contained the ampersand "&" character and the case was detached and then attached again, the attachment failed. (65385)

Decryption Fixes

Fixed an issue where FTK was showing "Document is encrypted" for certain protected XLS files instead of the contents of the file. (65839)

Exporting Fixes

This release fixes an issue where you could not open evidence from an Export to Image file action. (66122)


This release fixes an issue where, in certain instances, blank fields in the File List pane were filled in with duplicate data when they were exported to a CSV file. (66129)

Filtering Fixes

Fixed an issue where some filters displayed the operator “attribute does not exist” 3 times in the operators list. (65237)

Miscellaneous Fixes

Fixed an issue where, when you un-docked the File Content pane, it remained open in the other tabs. (57321) (65248)

    Fixed an issue where the product was sometimes not able to connect to the database. (65906)

    This release fixes an issue with the vertical scroll bar of the Properties window. It was previously covering the data in the view. (57582)

This release fixes an issue where the column sort indicator arrow did not update properly in the File List pane. (65997)

    Improved the handling of MSG items that are attached to emails, when exporting to MSG. (66216)

4.0.2 Known Issues

The following items are known issues found in the 4.0.2 release.

    For known issues found in the 4.0.1 or 4.0 releases, see the following:

    4.0.1 Known Issues (page 36)

    4.0 Known Issues (page 42)

Known Issues:

Viewing search hits in large files is a very resource intensive action. It can slow down the product’s performance. (65382)

    Distributed Processing, with PostgreSQL as the database, does not work with multiple network interface cards that are teamed together or that are using Link Aggregation Control Protocol (LACP). It does work with a single network interface card. (64286)

Certain PDF files that are processed as evidence from a network location can cause processing to slow down.

    4.0.2 Release Notes for Add-on Modules

4.0.2 Release Notes for the Cerberus Add-on

FTK supports an add-on module for malware analysis that is called Cerberus. Cerberus integrates with FTK to let you detect and triage suspect binaries. You can determine the behavior, intent, and potential threat of suspect binaries without waiting for a malware team to perform weeks of analysis. Cerberus requires an additional license. For more information, see http://accessdata.com/.

    For Cerberus Release notes from the previous 4.0.1 and 4.0 releases, see the following:

    4.0.1 Release Notes for the Cerberus Add-on (page 36)


4.0 Release Notes for the Cerberus Add-on (page 42)

Please note the following:

Cerberus stage 1 analysis has been enhanced to include several additional details. The report now includes details about a file’s size, the examined functions, any potentially threatening functions, detailed versioning information, and detailed signature information.

4.0.2 Release Notes for the Visualization Add-on

FTK supports an add-on module called Visualization. The visualization module lets you view data in multiple display formats, including time lines, cluster graphs, pie charts and more. This functionality lets you quickly determine relationships in the data and find key pieces of information. Visualization requires an additional license. For more information, see http://accessdata.com/.

For Visualization Release Notes for the previous 4.0.1 and 4.0 releases, see the following:

    4.0.2 Release Notes for the Visualization Add-on (page 32)

    4.0 Release Notes for the Visualization Add-on (page 42)

Please note the following enhancements:

Beginning with this version, the product now includes a free 30-day evaluation license for the Visualization add-on module. This functionality will be in effect until the promotion expires.

    You can now select objects to Label, Create Bookmarks, Clear a checked item, or add it to other checked items, directly from the Visualization window.

    This release improves the performance in Visualization when you change the time-span from the Created Date to the Modified Date. (65809)

    The communication volume graph in the Social Analyzer tool has been enhanced to more accurately represent the volume of communication. (65816)

Please note the following issues:

The time line’s current date selection does not match the Current Selection information that is displayed on the time line’s status bar. An additional day is added to the time line status bar. (66296)

Comments?

We value all feedback from our customers. Please contact us at [email protected], or send documentation issues to [email protected].


AccessData Forensic Toolkit 4.0.1 Release Notes

Introduction

This document includes information about the AccessData® Forensic Toolkit® (FTK®) 4.0.1 release. Please be aware that all known issues that have been published under previous release notes still apply until they are listed under a “Fixed Issues” section.

    For your convenience, the version 4.0 Release Notes are included at the end of this document.

    See AccessData Forensic Toolkit 4.0 Release Notes (page 38)

    For information about previous releases, see the AccessData web site at http://accessdata.com/.

Important Information

The following are important considerations to be aware of:

You can download the Oracle Critical Patch Update for this release from the AccessData Support Downloads web site. First back up the database, and then close all programs before you install the patch. (58583, 58248)

    AccessData recommends that, whenever possible, users not have an active internet connection when they run Imager or FTK. If the computer running Imager or FTK has an active internet connection and you are viewing certain types of HTML or Web pages, there is a potential risk that is associated with specially crafted pages or binaries. These pages or binaries can trigger unintended consequences, such as running malicious code or scripts.

    When using an Oracle database, it must be installed on a computer with a name that begins with a letter (a-z and A-Z). Due to a restriction on domain names in RFC 1035, applications cannot connect to Oracle if the computer’s name begins with a number. If the Oracle computer has a name that begins with a number, you must change the machine name before you install Oracle.

    Whenever possible, install the database software to a physical system drive. AccessData does not support configurations where the database or the Evidence Processing Engine is running on a virtual machine. Additionally, installing the CodeMeter software on a virtual machine is not recommended. (56262)

    If you choose to have a case’s database files placed in the case folder, do not move your case folder without first archiving and detaching the case. (64450)

    FTK does not support skipping versions when you upgrade cases. You must upgrade in the order of the released versions. For example, you cannot upgrade cases from FTK 3.1 to FTK 4.0. In this example, you would need to upgrade first from FTK 3.1 > FTK 3.2 > FTK 3.3 > FTK 3.4 > FTK 4.0. (63494) (57461)

If you bookmark a manually carved item that has not been processed, the file does not display in a bookmark or in a report until you process it. You can use the "Process Manually Carved Items" option in the Evidence drop-down menu to process the manually carved item. (57812)


4.0.1 New, Improved, and Enhanced Features

The following items are new and improved features, or feature enhancements, for the 4.0.1 release.

For enhancements in the 4.0 release, see 4.0 New, Improved, and Enhanced Features (page 39).

Processing Enhancements

You can now obtain metadata from PDFs, including “Title”, “Author”, “Subject”, “Keywords”, “Creator”, “Producer”, “Creation Date”, and “Modification Date”. This feature also lets you extract attachments (but not embedded graphics) from PDFs. To extract the attachments, you can choose to expand PDFs as compound files. PDF Attachments are the files in Adobe Reader’s bottom window that open with Adobe’s paperclip feature.

    There are new processing options for additional registry data that is gathered from a memory analysis. (64873)

There is a new index processing option called Do Not include document metadata in filtered text. This option lets you prevent the collection of internal metadata properties for indexed filtered text. The fields for these metadata properties are still populated for field-level review. However, if the option is selected, you do not see information such as “Author”, “Title”, “Keywords”, “Comments”, etc. in the Filtered text pane of the Examiner. The exclude office metadata option only excludes it from filtered text and not from attributes. If you export using another utility, such as ECA or eDiscovery, and include the filtered text of the file with the export, the metadata is filtered from the exported file. (64514) (65560)

    The identification and processing of PDF files is improved. (65101)

    The processing speed for the Optical Character Recognition (OCR) feature is improved. (64237)

    The processing speed is improved when you use KFF processing options and a PostgreSQL database. (62400)

    The reporting of processing times for the log file and the progress window is improved. (64522)

Bookmarking Enhancements

When you bookmark an index.dat entry, the Create Bookmark dialog provides an option to include the entry’s parent index.dat file in the bookmark. (58750)

Exporting Enhancements

The exporting of metadata from NSF emails into MSG format is improved. (64515)

When you export a manifest file, the manifest file is renamed from FTKExportSUmmary&Errors.TXT to FTKExportSummary.TXT. (60733)

Searching Enhancements

Live Search’s text information has been updated to be more clear about the options that you have selected. (61526)

Miscellaneous Enhancements

The option to Manage KFF is located under the Database menu in the Case Manager, as well as from the Examiner. (57441)

    Improved support for finding hidden processes, when the option is selected in the "Add Remote Data" feature. (65264)


Add-on Module Enhancements

This release includes several enhancements to the FTK Cerberus and Visualization add-on modules. For information, see 4.0.1 Release Notes for Add-on Modules (page 36).

4.0.1 Fixed Issues

The following items are resolved issues in the 4.0.1 release.

For resolved issues in the 4.0 release, see 4.0 Fixed Issues (page 40).

Installation and Configuration Fixes

When you create a trusted user, the Application Administrator’s account is validated if you select Trusted User. (64335)

    This release fixes an issue in the Copy Previous Case dialog where the user assignment window was blank if you used a PostgreSQL database. (64524)

    This release fixes an issue where FTK 3.4.1 could not open cases after you selected a time zone for processing in FTK 4.0. (64559)

Searching Fixes

This release fixes an issue where certain custom file carvers were causing Other Known Types, in the dtSearch window, to not expand. (64822)

    This release fixes a hang in the Index Search tab that occurred when searching through custom carved MPEG files. (57740)

Exporting Fixes

This release fixes an issue with exporting HTML views for carved files. (58520)

Email Fixes

This release fixes an issue where FTK was rendering some emails with white text on a white background. This previously made text not viewable in the window. (63384)

Reporting Fixes

This release fixes an issue in user-generated reports where non-English characters were displayed instead of the words "Time Zone for display." (65009)

Miscellaneous Fixes

This release fixes an issue that occurred when you viewed drivers in the Detailed Information pane. The pane did not update when switching between the entries in the list unless the selected item contained data. (64207)

    This release fixes an issue with a crash that sometimes happened when you moved the File List pane and then quickly closed the Examiner. (62976)

    The write cache field in the Drive Mounting dialog has been fixed to automatically populate with a valid path. (64821)


4.0.1 Known Issues

The following items are known issues found in the 4.0.1 release.

For known issues found in the 4.0 release, see 4.0 Known Issues (page 42).

Known Issues:

When exporting an email message that has an embedded message, the exported embedded message may have blank header information (To, From, CC, BCC, Subject). To work around this issue, export the embedded message separately from the embedding email. (65744)

    Image mounting does not work in FTK or Imager if the agent is installed on that machine. (58791)

    Distributed Processing, with PostgreSQL as the database, does not work with multiple network interface cards that are teamed together or that are using Link Aggregation Control Protocol (LACP). It does work with a single network interface card. (64286)

    The SafeGuard Enterprise decryption dialog displays an error message when you click the Cancel button. (19975)

    The “Key” icon that is displayed next to files for the category Other Encryption Files in the File List pane is distorted. (18628)

    Certain antivirus programs have been known to flag jam.dll as malware. This is a false positive and can be ignored.

    4.0.1 Release Notes for Add-on Modules

4.0.1 Release Notes for the Cerberus Add-on

FTK supports an add-on module for malware analysis that is called Cerberus. Cerberus integrates with FTK to let you detect and triage suspect binaries. You can determine the behavior, intent, and potential threat of suspect binaries without waiting for a malware team to perform weeks of analysis. Cerberus does require an additional license. For more information, see http://accessdata.com/.

    See also 4.0 Release Notes for the Cerberus Add-on (page 42)

Please note the following:

The HTML results of a Cerberus Malware analysis can now be indexed so that you can run a search for them.

    Cerberus malware triage includes a new filter called Cerberus Static Analysis. This filter limits the display of files in the File List Pane to only the files that have had Cerberus Stage 2 run against them.

    Cerberus malware triage includes a new column called Cerberus Static Analysis. This column displays the letter “Y” next to files that have had Cerberus Stage 2 analysis run on