Thursday, November 21, 2013

Daily Blog #151: Automating FTK Filter creation

Hello Reader,
Normally I would just include something like this in a Saturday Reading link, but since today was pretty busy and this is something pretty useful to those of you using FTK, I thought it was worth its own post.

If you use FTK then you know about the power of filters. Much like in other tools, you can use filters in FTK to lock down your views to particular dates, hashes, file types, paths, categories, etc. We use this feature a lot to take advantage of some of the harder-to-find FTK features like LNK metadata export. If you are using filters on a regular basis, and especially long filters such as "only show files with one of these hash values", you should check out this tool written by David Dym; read the blog post here: http://redrocktx.blogspot.com/2013/11/scripting-with-ftk-filters.html.

You might know David Dym as the author of shadowkit, but I know him as a fellow employee of G-C Partners, where we've been using this tool on a number of cases. In the example shown in his blog entry he is getting FTK to show only those itemids listed. We do this a lot with attorneys: we provide them a spreadsheet of files with the itemids included and tell them to mark which ones they are interested in. Then we can just export those itemids to FTK in filter form and easily export the data they want.

That's just one example, but you can generate and automate any number of large and long filters this way and then just import them into your case.

Tomorrow is the forensic lunch!