A little bit of a layoff on the blog due to some crazy class schedules, but hey, I am here again at 30,000 feet, so what the heck. Let's talk about AccessData's FTK.
I have been messing with AccessData's new FTK 3.2 since its release, and have you seen the supported cellphone features? I have been pretty impressed with items such as image mounting, ipd support, dates and times, and others. Let me tell you about my tests; I hope to hear from many others who have tried it.
First off, I took a disk image of a 3GS iPhone created by AccessData's MPE+ new (beta) full image support, and also a 3G iPhone disk image created by iXAM from FTS. I then added them to FTK 3.2 as evidence, selecting image. Once the data was processed I right clicked on the evidence and selected mount. HOLY smokes, what just happened? I then went into My Computer and there they were, like two new little devices, but with a sweet exception: the mounted device showed the unallocated portion as well! So technically I could create a full AD1, E01, etc. with Imager at that point and it would include the unallocated area as well. Hey, Imager: YES, the new FTK Imager 3 also allows you to mount them as devices! This is pretty sweet considering I used to have to have Mac Drive installed when I used FTS IXAMiner to parse the dmg and report on the data. Truly a nice new offering in FTK.
The second item I looked at was the addition of bringing ipd files in as evidence. An ipd is a proprietary file created by the Blackberry Desktop Manager software (which of course is free). I selected image file and pulled the drop-down to ipd file. I brought in the file and was amazed at what was now displayed: the files and folders fully parsed and showing in a cool filesystem view. Now, as I ran through some of the folders like address, messages, and SMS/MMS, the traditional cool HTML made it look even better. I even figured out that I can add an extension when making the report and the cool HTML displays beautifully in my report. The coolest thing that FTK does so beautifully is email. I just opened up the email tab and whammo, all the email was sitting there in full FTK style. Email done, CHECK! Of course images and any other item I can custom carve were easily located and reported on. I quickly saw a folder "blackberry messenger" and immediately clicked to expose the database file; there was data but alas not parsed... YET. There were other folders that contained data rows but have yet to be parsed. I was told soon, but for a start FTK gets all the common areas. Nice!
Next, I looked at the new and improved Hex Interpreter. From what I remember of doing computer exams, this feature contained a limited selection, and I was pleasantly surprised when cellphone dates and times showed up. So I tested it with an LG that I had extracted the filesystem from and brought in as a compound file.
I navigated to the nvm folder and then nvm/SMS to find an inbox.dat message. Once I selected the file I switched over to the Hex tab to show the file in hex. I then clicked the tab for the Hex Interpreter and held it down to dock it beside the hex view of the file. I located the four bytes in the file indicative of delivery time, swept them, and watched the Hex Interpreter display the date/time from the highlighted data. Sweet. I clicked on the interpreted data and copied it. This converted data was easily added to the bookmark for this SMS message. So AccessData has added a quasi-Decode, but for cellphones, in FTK 3.2. Cool feature, let me tell you... OUTSTANDING.
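The four-byte sweep described above, as an added example that is not code from this post or from AccessData: it decodes the same four bytes under a few candidate encodings the way a hex interpreter does, flags the ones that land in an assumed examination window, and then slides that same check across a whole file. The sample "inbox" bytes are constructed for the demo, and the two epochs tried (32-bit seconds since 1970-01-01, and since the GPS epoch of 1980-01-06 that many Qualcomm-based handsets use) are assumptions; nothing here describes the real layout of an LG inbox.dat.

```python
"""Interpret 4-byte cellphone timestamp fields, the way a hex interpreter does
when you sweep bytes in a file such as nvm/SMS/inbox.dat.

Added example, not code from the blog post or from AccessData. The sample
inbox bytes below are constructed, and the epochs tried are assumptions about
what a handset might use; the real LG inbox.dat layout is not described here.
"""
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # assumption: GPS-based counter

# name -> (struct format for the 4 bytes, epoch the count is measured from)
ENCODINGS = {
    "unix32_le": ("<I", UNIX_EPOCH),
    "unix32_be": (">I", UNIX_EPOCH),
    "gps_le": ("<I", GPS_EPOCH),
    "gps_be": (">I", GPS_EPOCH),
}

# Assumed examination window: anything outside it is treated as noise.
WINDOW_LO = datetime(2000, 1, 1, tzinfo=timezone.utc)
WINDOW_HI = datetime(2015, 1, 1, tzinfo=timezone.utc)


def interpret_timestamp(raw, lo=WINDOW_LO, hi=WINDOW_HI):
    """Decode the same 4 bytes under every encoding.

    Returns {name: (datetime, plausible)} so the examiner sees all candidates,
    not just the one that happens to land in the window.
    """
    if len(raw) != 4:
        raise ValueError("expected exactly 4 bytes, got %d" % len(raw))
    out = {}
    for name, (fmt, epoch) in ENCODINGS.items():
        (count,) = struct.unpack(fmt, raw)          # unsigned 32-bit second count
        when = epoch + timedelta(seconds=count)
        out[name] = (when, lo <= when <= hi)
    return out


def plausible(raw, lo=WINDOW_LO, hi=WINDOW_HI):
    """Only the candidates that fall inside the examination window."""
    return {n: when for n, (when, ok) in interpret_timestamp(raw, lo, hi).items() if ok}


def find_timestamps(blob, encoding, lo=WINDOW_LO, hi=WINDOW_HI):
    """Slide a 4-byte window over a whole file and report every offset whose
    bytes decode to a plausible date under one chosen encoding."""
    fmt, epoch = ENCODINGS[encoding]
    hits = []
    for off in range(len(blob) - 3):
        (count,) = struct.unpack(fmt, blob[off:off + 4])
        when = epoch + timedelta(seconds=count)
        if lo <= when <= hi:
            hits.append((off, when))
    return hits


# Constructed stand-in for an SMS record: two header bytes, a little-endian
# Unix delivery time (2010-06-15 14:30:00 UTC) at offset 2, then zero padding.
DELIVERY_TIME = datetime(2010, 6, 15, 14, 30, tzinfo=timezone.utc)
SAMPLE_INBOX = (
    b"\x07\x00"
    + struct.pack("<I", int((DELIVERY_TIME - UNIX_EPOCH).total_seconds()))
    + b"\x00" * 4
)

if __name__ == "__main__":
    # Sweep the four delivery-time bytes, as in the hex interpreter panel.
    for name, (when, ok) in interpret_timestamp(SAMPLE_INBOX[2:6]).items():
        print("%-9s %s %s" % (name, when.isoformat(), "<- plausible" if ok else ""))
    # Run the same check over the whole "file".
    for off, when in find_timestamps(SAMPLE_INBOX, "unix32_le"):
        print("offset %d: %s" % (off, when.isoformat()))
```

The point of returning every candidate is that the same four bytes read as a sensible 2010 date under one epoch and as a 2020 date under another; the window is only a filter, so keep the encoding you chose in the bookmark alongside the converted value.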
I have also heard a few rumblings about adding the ability to run an entire binary file OR filesystem for any PDU and then decode it as such, showing the converted text! Can't wait!
So, just a quick preview of the new cellphone offerings in FTK 3.2. I immediately recognize that AccessData has made a great leap from a company focused just on computer forensics to one covering digital data, including cellular phone data.
Let me know what you think if you try it. Also, I am going to try to get a demo on the MFI YouTube spot. Keep checking...
Alright, landing to speak in Wisconsin…until next time..
Lee
While I agree with some of your assessments of FTK 3.2 and the iPhone, I believe that the strongest part of FTK is the email aspect. The rest is still very much hit or miss. FTK still can't parse all the SQLite databases, and those have to be exported to a third-party tool for analysis. Access Data still has a lot of work to do with HFX. The new Imager, as impressive as it is, still has the HFX Achilles heel that all Windows tools have.
Thanks again for the comments, as always it is great to get another perspective. Great call on exporting databases to another application, I love that there are great FREE applications to view them after exporting from FTK or even imager.
This is truly awesome to hear! I love using FTK for my file system extractions and now it just got better. Any idea if putting in a .bin file from the Cellebrite Physical Dump option will work as an image file? Great to hear about the .ipd files as well. Looking forward to trying out MPE+ when we get our new license for it as well.
Nice article, keep the posts coming.