ACCESSDATA FTK 3.2 RELEASE NOTES

INTRODUCTION
This document provides important information relative to the use of FTK 3.2.

NEW AND IMPROVED FEATURES

ADD EVIDENCE/ADDITIONAL ANALYSIS
• You can now drag and drop the evidence file into the Evidence List on the Manage
Evidence dialog. (19065)
• More relevant information is now displayed relating to Logical and Physical drives
when selecting from available Source Drives. (14125)
• FTK now has a Merge Index capability. Merging the Index can dramatically improve
Index searching performance. The Manage Evidence dialog and the Additional
Analysis dialog both provide a Merge Index option, so the user can choose when this
action takes place. AccessData recommends running this process after all evidence
items have been added, rather than with each addition. (18407)
• The Additional Analysis dialog now has a new checkbox: Include OLE Streams. Mark
the box to include, unmark to exclude. (20075)

CASE UPGRADER
• The Case Copy feature can now use either a logical path or a traditional UNC path for the
case folder. (17727)

AccessData FTK 3.2 Release Notes


Note: When running a two-box install of FTK, and upgrading a case, the case folder
must be local to the FTK machine where the case was originally processed, or the
entire case folder must be copied to the FTK machine where the Case Copy is
being done so the paths will match and permissions will not interfere. If the case
Temporary File Path actually exists on a different machine, the case copy appears to
complete, but the new case folder will be empty. The original case data remains
intact and unchanged on the original drive, and in its original version format.

CUSTOM COLUMNS
• Users can now create as many custom columns (and populate those columns with
user-defined data) as they want by customizing and importing a .CSV file. (18089)

DECRYPTION
• Support has been added for decrypting Utimaco SafeGuard Enterprise Encrypted
drives. (19964)
• FTK 3.2 can now decrypt McAfee Endpoint Encryption 6.0. (18241)
• FTK now supports the decryption of RSA standard PKCS7 S/MIME email items. This
includes support for MBOX, DBX, RFC822, and some PST/EDB archives. (17824)
This support does not apply to PGP encrypted emails, Lotus Notes proprietary
encryption, and items with S/MIME signatures—only the S/MIME encryption.
• Separate sets of Credant Server Credentials are now stored in the database per FTK
user account. (16689)

EMAIL
• The Email Items tree view contains two new groups: Email By Date (organized by Year,
then by Month, then by date, for both Submitted and Delivered); and Email
Addresses (organized by Senders and Recipients, and subcategorized by Email
Domain, Display Name, and Email Addresses). (17418)
Note: Email data is categorized into the new containers in the Email Tree based on
common attributes. This view will only be populated in new cases. Converted cases
will not have this data. To make this data available in older cases, re-process the
case in the new version.
• In the Email Tab, the Email Items tree view contains an Email Addresses node
containing sub-nodes for Senders and Recipients. Both of these sub-nodes contain an
Email Domains sub-node. The Email Domains sub-node counts now reflect the
number of email domains [total domain count / filtered domain count] listed in
brackets. Each domain listed contains a count of email items found for that domain
(total item count / filtered item count) listed in parentheses. (21130)

EXPORT FILE/EXPORT FILE LIST INFO
• Users can now export INFO2 files in TSV/CSV format. (17118)
• Users can now export LNK files in TSV/CSV format. (17626)
• Export file list dialog now displays the size of selected files in bytes, so users can total
the size and estimate the size of the export. (19171)

FILE TYPE AND FILE SYSTEM IDENTIFICATION/ENUMERATION
• FTK has added functionality to recognize popular mobile phone formats (found in
many MPE images) such as .M4A, MP4, AMR, and 3GP. These file types will now play
inside the FTK Media tab as long as the proper codecs are installed that would also
allow those files to play outside FTK in Windows Media Player. (15743)
• FTK can now open, process, and view Advanced Forensic Format (AFF) images. FTK can
also create AFF encrypted images using the Export to Image feature. (18054)
• Support has been added for the VxFS (Veritas File System). (15593)
• Support has been added for the DMG (Mac OS 10) drive images. (19279)
• Support has been added for the Microsoft Hard Disk (MSVHD) drive images. (19850)
• Support has been added for the exFAT file system. (8013)
• Personal Address Book (.PAB) Files are now correctly expanded. However, if the .PAB
file has no contents, the folder will be empty. (18941)
• FTK supports the following data types for extraction from BlackBerry IDP archive files
(BlackBerry backup files found on a PC). (19278):

TABLE 1-1 BlackBerry IDP Image Supported Data Types
• Contacts
• SMS
• MMS
• Memos
• Tasks
• Emails
• Calendar
• Time Zones
• AutoText

FILTERS
• Improved implementation of “Unimportant OLE Streams” filter. (19679)

INSTALL/UNINSTALL
• The FTK Installer now automatically configures FTK to Run as Administrator by
default. If your organization’s policy prohibits applications from running as
administrator you should run the FTK installation executable from a command line
with a /V NOADMIN=true switch. (18132):

Issue the following command from the command prompt:

setup.exe /V "NOADMIN=true"

Note: If FTK was installed using the provided command line switch, an administrator
will need to manually run FTK as an administrator at least once in order for it to be
configured properly.

INDEX SEARCH
• Index search result nodes now show a relevancy ranking in the form of a percentage to
the left of each search result. (19377)
• Index Search has been improved to make results viewable as soon as they become
available. The results are updated periodically while the search continues so the user
can see that the search is still working. (18707)

LABELS
• The Labels feature has a more intuitive interface. Labels can be applied to All
Highlighted, All Checked, All Listed, or All, using two new buttons on the File List
Toolbar. (17804, 19440)
• Labels can now be applied to Email Attachments within the Email view. (20237)

MEMORY ANALYSIS
• 64-bit memory analysis is now supported. FTK is the first commercial product to have
64-bit volatile memory analysis. (15703)
• Identify and display kernel structures involved with network miniport and file system
filter drivers.
• Hook detection for use in identifying malware, including the following data types: (15892)
• SDT/SSDT Hooks
• IDT Hooks
• IRP Hooks

MISCELLANEOUS
• Restore Image to Disk (BitBlaster) is a new feature that allows a full physical image of
a drive to be restored to a different drive. (17083)
• The following features can now be Shared in the database and thus made available for
all new cases without requiring exporting and importing between cases:

• Labels (18085)
• Custom Carvers (17153)
• Filters (17154)
• Column Settings (17150)
• Custom Identifiers (17152)
Each of these can be managed for the database from Case Manager by the
Application Administrator, or within cases (locally only) by the Case Administrator.
Case Reviewers and Case Administrators cannot add or modify these Shared feature
settings.

PRE-PROCESSING
• The speed of the Processing Engine is improved, especially on archive files such as
PST, NSF, and EDB types. (18356)
• The Optical Character Recognition (OCR) processing option is now configured by
default to only OCR files larger than 5 kilobytes in size. This can be adjusted by the user
in the OCR options dialog. (17187)
• The Expand Compound Files processing option has been enhanced in order to shorten
evidence processing time. Users can now include or exclude compound files from
being expanded based on type. (18017)
Note: Only the selected types are expanded. For example, if only ZIP is selected and
FTK finds a RAR inside the ZIP, the RAR will not be expanded. This helps to eliminate
duplicate data.

USER INTERFACE
• The Process Manually Carved Items option now appears in the Evidence menu. (19665)
• Users now have the option to control when Database Optimization is performed.
(18389)
• The Properties tab now correctly shows the Group Status for KFF Set when using a
Custom KFF. (18210)
• The Data Processing Status window now displays which Processing Manager is
currently in use. (17077)
• FTK’s Hex Value Interpreter has been improved to display additional date/time stamp
values, such as BCD, BCD Hex, and BitDate. (19512)
• Additional improvements to the Hex Value Interpreter include the following (4093):
• The Start Sector and Start Cluster attributes are now set on carved files.
• The Start Sector and Start Cluster attributes are now viewable in the Hex Interpreter
for carved files.
• The Find on Disk feature now works for carved files.
• The Overview tab has new status items, including (17852):
• Evidence - two levels in this tree
The group, if it was created
The evidence assigned to the group
• Labels
Lists all Labels contained in the case, enumerates the number of items each Label is
assigned to, and clicking on a Label displays the associated items in the File List
view.
• Time (based on create/sent; the user can select the Time Zone for this tree)
Year
Month
Day
• Email Status
Email Reply (enumerated in Overview Tab)
Forwarded Email (enumerated in Overview Tab)
• Recover Processing Jobs now includes a check box next to each job so the user can
select all, none, or multiple jobs and apply one action to all selected. (21108)
• A new field has been added in the Status Bar that shows the total logical size of the
items in the current File List. (18083)

VIRTUAL DEVICE MOUNTING
• Safely mount a forensic Image (AFF/DD/RAW/001/E01/S01) as a physical device
or logically as a drive letter. Once mounted, the read-only media is available to any 3rd
party Windows application and exposes the same file system artifacts as FTK. For
example you can mount an HFS+ image, and it will show up as a volume on the
examiner's machine in the explorer view. (18593)

Virtual mounting options include the ability to:
• Mount physical images (AFF/DD/RAW/001/E01/S01) as only a physical block
device.
• Mount physical images (AFF/DD/RAW/001/E01/S01) images both at the
physical level and logical level.
• Mount physical images (AFF/DD/RAW/001/E01/S01), and logical image (AD1/
L01) custom content images virtually.
• Mount NTFS / FAT partitions contained within images as writable block devices.
This feature caches sections of a read-only image to a temporary location allowing
the user to “write” to the image without compromising the integrity of the original
image. Once mounted via the write cache mount method, the data can then be
leveraged by any 3rd party tools which require write access.

FIXED ISSUES

ADD EVIDENCE/ADDITIONAL ANALYSIS
• Some improvements have been made to the Add Remote Data dialog.

BACKUP/RESTORE
• Fixed a problem where the case could not be opened due to an evidence error after
restoring the case to a different location. (19742)

BOOKMARKS
• File comments added to Bookmarks are now holding when additional file comments
are added. (17087)

CASE REVIEWER RESTRICTIONS
• Case Reviewers can no longer change case information even if they are assigned to a
case as an Administrator, because they do not have authorization to modify cases in
the database. (16947)

COLUMN SETTINGS
• FTK no longer crashes after running “Exporting File List Info” or “Copy Special”
with the “Normal+Filters” column setting applied. However, the side effect of this fix
is that the “Included By” column will not be populated in either Export File List or
Copy Special results. (18974)

COOLHTML
• FTK is now correctly showing the same value in the Password Required field as that
showing in Registry Viewer for the SAM file. (19360)

DECRYPTION
• Fixed a problem where the SafeGuard Enterprise Decryption Image Partition Keys
dialog displays a different partition number from the one displayed in AccessData
FTK Examiner Evidence Tree. (20444)

EMAIL
• RFC822 emails, when found in a case, are only added and displayed if the content is
greater than 59 bytes. A database record is not created for preamble or epilogue text,
or for newline-only content. (18306)
• Fixed a problem where emails containing RTF body text were being truncated by INSO
when trying to generate a view of the file. (18955)
• Fixed a problem where some nodes in the Email Addresses tree did not filter and
display the correct files. (19436)
• When exporting NSF emails to MSG, FTK now includes the RFC822 attachments with
proper links. (19276)
• Improved handling of Lotus Notes items, including Calendar, Profile, and so forth.
These items are now categorized so they are easily recognized and they link properly
to the same item in other views. (17108)
• Improvements have been made to Exchange Database (EDB) files processing,
including more efficient optimization. (19422)
• Expanded support of Exchange Database (.EDB) files. (19132)
• MSG messages (exported from FTK) will now be displayed as an email record when
imported into Outlook, rather than being imported as an attachment. (20583)
• Emails exported to .MSG format and opened in Outlook now display the To:, From:,
CC:, and BCC: data correctly. (20045, 19745)
• A forward slash (/) in the name of an email from an Exchange database is now
correctly treated as an email. (18629)

EXPORT FILE/EXPORT FILE LIST INFO
• When exporting File List Information with greater than 500 items, a new “Export
Progress” bar now opens, providing visual feedback to the user. In addition, the UI no
longer appears frozen, and other activities can be performed during the export.
(17060)
• Files with 0 length are now exported properly. (17436)
• Fixed a problem in which Export File List Info failed when there were Chinese/
Japanese characters in title. (10564)

FILE TYPE IDENTIFICATION
• When exporting Office 2007 Excel or PowerPoint files with missing or bad extension,
and selecting Append Extension to Filename if Bad/Absent in Export File options, the
correct .XLSX or .PPTX extension is now added. (17603)

FILTERS
• Importing and exporting custom filters now maintains the filter criteria. (17984)

FUZZY HASH
• Manually entered fuzzy hash values now return results as expected. (18451)

GRAPHICS/MULTIMEDIA
• Opening one graphic file and then another in an external program now displays the
correct graphic each time. (18630)

INDEX SEARCH
• FTK no longer indexes the evidence file name in order to make index search results
more accurate. This change only affects the Index and does not change data stored in
the database. (20937)

KFF
• Columns for KFF hash group name and KFF status now display in the File List
pane. (15136)

LABELS
• Additional states have been added to keep track of users’ Label selections. For
example, if the user has already checked a label name it will turn red, and it remains
red as long as it remains different from the original status. Clicking it again will cycle it
back to its original status and its color will return to black. (18953)

MISCELLANEOUS
• Evidence Group dropdown is now sorted alphabetically, not in creation order. (18882)

PRE-PROCESSING
• Compound files are no longer indexed or carved. When compound files are expanded,
the Processing Engine will index and carve the children and descendants of the
parent, if Index and Data Carving options are selected. (18617)
This change was made to avoid unnecessary duplication of file records and index
search data.
Note: If compound files are expanded after performing functions such as labeling, the
expanded children/dependent files do not inherit the attributes applied to the
parent compound files.
• Improved the handling of HFS+ file systems or similar. (17251)
• The Lotus Notes StorageLink data type is now properly reported. The external URL is
displayed in the message body. (17637)
• Support has been added for the exFAT file system. (8013)
• Personal Address Book (.PAB) Files are now correctly expanded. However, if the .PAB
file has no contents, the folder will be empty. (18941)
• The Pause / Resume button on the Processing Status dialog has been improved to
work more consistently. (15069)

REPORTS
• The Next Page links are now working when viewing a Report in Firefox. (18271)
• When creating a report, the Autorun.inf file is being created to allow users to copy the
report folder contents to CD or DVDR and have it run when the disc is placed in the
drive. (14808)
• The Include email attachments option of the Bookmarks section of the report wizard will
now include all email child objects into the report, and not strictly email attachments.
(17499)
• Fixed a problem where saving a volatile data report in .ODT format failed. (11113)

SEARCHING
• Fixed a problem where a dtSearch multi-term search gave different results when in
quotes than the same multi-term search with no quotes. (19503)
• When performing a search where one search term is invalid, results will indicate 0 hits
in 0 files, instead of N/A, ??? marks, or rolling ellipses. The Results pane no longer
gives the impression that the search is on-going for an invalid term. (20102)
• The Save as Default button in Index Search Options now saves all the options on the
dialog. (17198)

USER INTERFACE
• The “Hash Group” column / field name has been more accurately renamed to “KFF Group.”
(18643)
• Fixed an issue where certain types of Zip files were being mis-categorized. (18102)

KNOWN ISSUES

ADD EVIDENCE/ADDITIONAL ANALYSIS
• When FTK is launched by a Windows user whose username contains a space or
special character, it causes session management conflicts within the database. In this
situation, the user is unable to add evidence or perform additional analysis, and an
error may appear stating that the case is already open by someone else or that a
session is open. (18270)
Solution: Log in to Windows with an account that does not have spaces or special
characters in the username, and then log into FTK.

BACKUP/RESTORE
• If you installed any version of FTK 3.2 Beta, you will need to manually update the 3.2
database schema from the command line using the dbcontrol utility.
Note: Failure to manually update the 3.2 Beta schema will result in errors during case
backup and/or restore. (20885)
To manually update the schema
1. Open a command prompt.
2. Change the current directory to:
C:\Program Files\AccessData\Forensic Toolkit\3.2\bin\
3. Type this command at the prompt:

dbcontrol.exe -update ftk_32

• When a user successfully and completely restores a case to FTK3, by design they will
receive an error when trying to add or restore the same case again. (10911)
However, if the user restores the case while the first attempt is still in the process of
restoring, no error is received and the same case can be restored as many times as
possible before the first attempt has time to complete.
The result is a list of cases with unique case IDs but the same file path. If one case is
then deleted, all of them have the file paths deleted that are in common.
This could happen to a user if the worker is behind another window when restoring a
case and they did not know that it was working correctly behind other apps.
Workaround: Wait for a Case Restore to complete before adding additional jobs of
any kind.

CASE UPGRADER
• Adding evidence to a case that did not fully complete processing before it was
upgraded to 3.2, may cause FTK to crash. (17725)

COLUMN SETTINGS
• When making changes to a shared column setting profile, users will not be prompted
to confirm whether or not they want to overwrite the old profile. The changes will
simply be overwritten. (20175)

DATA CARVING
• Duplicate files will be carved out of evidence if the File Category assigned to a custom
carver is modified and the carver is run again. (20617)
• Custom Carvers defined in the New Case Wizard with other pre-processing options
are Shared by default. A local copy will be available in the case, but a copy will also be
saved to the database to be managed by the Application Administrator. (20645)

DECRYPTION
• Some Excel (.XLS) files will be listed as encrypted even though the entire file itself is
not encrypted, but one or more cells contained in the file are protected. Such files will
not be indexed, and cannot be viewed in FTK until they are decrypted. However,
exporting these files does allow them to be opened in Excel. (18163)

EMAIL
• Email data parsed into the new nodes in the Email Tree view will only be populated in
new cases. Upgraded cases will not have this data. To make this data available in older
cases, re-process the case in the new version.
• The email fields for To, From, BCC, and CC are truncated at 1024 bytes at the time that
the processing engine is parsing email messages from the data stream. This means
that if an email has multiple names in the field and the names go past 1024 bytes, only
the first 1024 bytes can be used for filtering and viewing. (20943)
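As an added example (not part of these release notes and not AccessData code), the following Python script does two things the notes describe: it mirrors the Senders / Recipients → Email Domains counting of the Email Addresses node (item counts per domain), and, for the 1024-byte truncation known issue above, it reports which address fields of a message exceed the limit and how many addresses would still lie inside the first 1024 bytes and remain usable for filtering. The messages are constructed samples; the 1024-byte limit is the figure stated in the notes, and the comma-splitting of a header value is a simplification I chose.

```python
import email
from email.utils import getaddresses
from collections import defaultdict

# Byte limit the 3.2 processing engine keeps per address field (known issue 20943).
HEADER_LIMIT = 1024

# Constructed sample messages; not taken from any real case.
MANY_RECIPIENTS = ", ".join(f"user{i:02d}@example.com" for i in range(60))
SAMPLE_MESSAGES = [
    b"From: Alice <alice@example.com>\r\n"
    b"To: bob@example.org, Carol <carol@example.net>\r\n"
    b"Subject: status\r\n\r\nhi\r\n",
    b"From: dave@example.org\r\nTo: alice@example.com\r\n"
    b"Cc: bob@example.org\r\nSubject: re: status\r\n\r\nhello\r\n",
    b"From: sender@example.org\r\nTo: " + MANY_RECIPIENTS.encode("ascii")
    + b"\r\nSubject: all hands\r\n\r\nbody\r\n",
]

SENDER_FIELDS = ("From",)
RECIPIENT_FIELDS = ("To", "Cc", "Bcc")


def addresses(msg, fields):
    """(display_name, address) pairs taken from the named header fields."""
    values = []
    for field in fields:
        values.extend(msg.get_all(field, []))
    return [(name, addr) for name, addr in getaddresses(values) if addr]


def domain_tree(raw_messages):
    """Mirror the Email Addresses node: for Senders and Recipients, count how
    many email items mention each domain (an item counts once per domain)."""
    tree = {"Senders": defaultdict(int), "Recipients": defaultdict(int)}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw)
        for side, fields in (("Senders", SENDER_FIELDS), ("Recipients", RECIPIENT_FIELDS)):
            domains = {addr.rpartition("@")[2].lower() for _, addr in addresses(msg, fields)}
            for domain in domains:
                tree[side][domain] += 1
    return {side: dict(counts) for side, counts in tree.items()}


def truncated_fields(raw, limit=HEADER_LIMIT):
    """Names of From/To/Cc/Bcc headers whose value exceeds `limit` bytes, i.e.
    fields the engine would cut, so filters on them may miss later names."""
    msg = email.message_from_bytes(raw)
    hit = []
    for field in SENDER_FIELDS + RECIPIENT_FIELDS:
        for value in msg.get_all(field, []):
            if len(value.encode("utf-8")) > limit:
                hit.append(field)
    return hit


def retained_addresses(header_value, limit=HEADER_LIMIT):
    """Addresses that lie entirely within the first `limit` bytes of a header
    value: the ones still usable for filtering after truncation. Splits on
    commas, so quoted display names containing commas are not handled."""
    kept, pos = [], 0
    for part in header_value.split(","):
        end = pos + len(part.encode("utf-8"))
        pos = end + 1  # skip the comma separator
        if end > limit:
            break
        kept.extend(addr for _, addr in getaddresses([part]) if addr)
    return kept


if __name__ == "__main__":
    print(domain_tree(SAMPLE_MESSAGES))
    for i, raw in enumerate(SAMPLE_MESSAGES):
        msg = email.message_from_bytes(raw)
        for field in truncated_fields(raw):
            total = len(addresses(msg, (field,)))
            usable = len(retained_addresses(msg[field]))
            print(f"message {i}: {field} exceeds {HEADER_LIMIT} bytes; "
                  f"{usable} of {total} addresses remain usable for filtering")
```

Run stand-alone it prints the domain counts for the three sample messages and flags the third message, whose To: header of 60 addresses is longer than 1024 bytes; a practitioner can point `truncated_fields` at exported RFC822 items to learn which messages need manual review of their recipient lists rather than relying on the Email Addresses filters.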

MEMORY ANALYSIS
• Memory dumps larger than 8 GB in size will fail to analyze successfully when
imported into 32 bit versions of FTK. (21265)

MISCELLANEOUS
• Mounting a SafeGuard Enterprise encrypted image is not supported. Drive mounting
does not support any encrypted images. (20809)
• The “Restore Image to Disk” feature does not support images of encrypted drives.
(21181 and 21186)

PROCESSING ENGINE
• SQLite databases that use FTS2 (an obsolete FullTextIndex module) may not expand
completely. (19413)

REPORTS
• When creating a report that uses data from the email columns, names from the To:
field may be missing. (17197)
• When creating a Report that includes Registry files, a .DAT extension will be added to
the link. If the link does not open in the report, it can be exported and opened in
Notepad. (19368)
• When burning some reports to a CD, many Registry Viewer Auto Reports links are
broken, whereas they work when the report is opened from the hard disk. (19744)
Workaround: Make sure longer Joliet filenames are enabled when burning a report to a
CD.

SEARCH
• Adding too many search terms can cause dtSearch to return 0 results using the “OR”
operator. (18327)
• Natural View highlighting in FTK has a limit on how many instances of a term that can
be highlighted for the selected document. When it reaches the limit of highlighting in
that window, regardless of which term it is on (first, second, third, etc.) it stops
highlighting. Currently, there is no workaround to this issue. (20720)

USER INTERFACE
• Even when Database Optimization is unchecked in Case Manager > Tools > Preferences, it
still appears to run according to the processing status window. In fact, the
optimization is not being run, but the output is being displayed in error. (20280)
• The Max Files to List Index search option does not work with some images. (17994)
This is caused by dtSearch counting the chunks of files as individual files that are
coming from the breaking of large unallocated space files into 10MB chunks. Since
FTK combines those chunks back into single files, the resulting file count will be less.

VERIFY IMAGE INTEGRITY
• When a segmented AFF image is created using Imager 3.0, although you can mark to
include the Verify and Create Directory Listing operations, those operations do not
automatically take place. The .AFF files are created in a folder based on the name given
to the image to be created. After creation, add the [file_000].aff as evidence to
Imager, then click File > Verify Drive/Image, and/or File > Export Directory Listing to
accomplish these tasks. Again, this applies to segmented AFF images, and not to
single-file images. (19557)

VIRTUAL DEVICE MOUNTING
• "Floppy formatted" images will not be mounted logically. "Floppy formatted" refers
to media that has no partition table, as is the case for floppy disks and some
removable media cartridges and flash drives. (21483)
• Mounting an image with a write-cache uses about 100MB RAM per 1GB of disk space
used for the write cache. (21489)
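Added example (not part of the release notes and not AccessData's code): a Python check a practitioner can run on a raw/DD image before attempting a logical mount, to tell a "floppy formatted" image (a FAT volume boot record with no partition table, the case the known issue above describes) from an MBR-partitioned image. The sample sectors are constructed, and the heuristics are my own choice: a plausible jump opcode and BIOS Parameter Block mark a volume boot record, while at least one sane partition entry behind the 0x55AA signature marks an MBR. It reads only the first sector of a raw image; E01/AFF containers would need to be decompressed or mounted physically first.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def _plausible_bpb(sector):
    """True if the sector carries a BIOS Parameter Block typical of a FAT
    volume boot record, which is what a 'floppy formatted' medium starts with."""
    jmp = sector[0]
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    reserved = struct.unpack_from("<H", sector, 14)[0]
    fats = sector[16]
    return (jmp in (0xEB, 0xE9)
            and bytes_per_sector in (512, 1024, 2048, 4096)
            and sectors_per_cluster in (1, 2, 4, 8, 16, 32, 64, 128)
            and reserved >= 1 and 1 <= fats <= 2)


def _plausible_mbr(sector):
    """True if bytes 446..509 hold four well-formed partition entries, at
    least one of which is in use (non-zero type and non-zero length)."""
    found = False
    for off in range(446, 510, 16):
        boot, ptype = sector[off], sector[off + 4]
        _lba_start, lba_len = struct.unpack_from("<II", sector, off + 8)
        if boot not in (0x00, 0x80):
            return False
        if ptype != 0:
            if lba_len == 0:
                return False
            found = True
    return found


def classify_image(data):
    """Classify the first sector of a raw image as 'mbr', 'floppy_formatted'
    (volume boot record, no partition table) or 'unknown'."""
    if len(data) < SECTOR:
        return "unknown"
    sector = data[:SECTOR]
    if sector[510:512] != BOOT_SIG:
        return "unknown"
    if _plausible_bpb(sector):
        return "floppy_formatted"
    if _plausible_mbr(sector):
        return "mbr"
    return "unknown"


def constructed_floppy_image():
    """Constructed 1.44 MB FAT12 boot sector: no partition table at all."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x3c\x90"   # jmp short + nop, as in a FAT12 boot sector
    s[3:11] = b"MSWIN4.1"      # OEM name
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors,
    # media descriptor, sectors/FAT, sectors/track, heads, hidden, total32
    struct.pack_into("<HBHBHHBHHHII", s, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    s[510:512] = BOOT_SIG
    return bytes(s)


def constructed_mbr_image():
    """Constructed MBR with one bootable NTFS-type partition starting at LBA 2048."""
    s = bytearray(SECTOR)
    s[0:3] = b"\x33\xc0\x8e"   # typical boot-code prologue (xor ax,ax ...)
    # boot flag, CHS start, type, CHS end, LBA start, LBA length
    struct.pack_into("<B3sB3sII", s, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2048)
    s[510:512] = BOOT_SIG
    return bytes(s)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR)
    else:
        data = constructed_floppy_image()
    kind = classify_image(data)
    advice = {"floppy_formatted": "logical mount unsupported; mount as a physical device",
              "mbr": "partition table present; logical mount possible",
              "unknown": "no recognizable boot sector"}
    print(kind, "-", advice[kind])
```

Running it with a path argument classifies a real raw image; without one it classifies the constructed floppy sector. Because both a FAT boot sector and an MBR end in 0x55AA, the signature alone cannot tell them apart, which is why the check looks at the BPB fields before the partition entries.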
