Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

FTK 4 Added to SANS FOR408 Windows Forensics Training Course

We are pleased to report the successful introduction of Access Data's Forensic Toolkit (FTK) v4 into the SANS FOR408 Course (Computer Forensic Investigations - Windows In-Depth). While students have access to well over a hundred free and open source tools during the course, we also felt it important for them to gain an understanding of the capabilities of commercial tool suites. There is no one tool that can accomplish everything during a forensic examination, but in many cases a forensic suite can greatly speed up case processing and analysis. Hence, commercial tools like Guidance EnCase, Magnet Forensics Internet Evidence Finder, and Access Data FTK are all part of the curriculum.

FTK 4 and Virtual Machines


FTK4 and SIFT Workstation

Students in the class receive the SANS Windows SIFT Workstation -- a Windows 7 virtual machine pre-configured with a wide variety of Windows-based forensic tools. Previous FTK users know a historical limitation of running FTK on mobile workstations was the significant resources required by the back-end Oracle database. This limitation was mitigated with the introduction of the Postgres database in FTK v4. With multiple classes now having used FTK v4, we have witnessed it operating with as little as 1GB of memory and 1 processor core allocated to the Windows 7 virtual machine. Note: This is NOT our recommended configuration, and additional memory and processors significantly increase performance. In short, it is clear that the prevalence of quad-core systems and inexpensive RAM makes FTK 4 a very viable solution on modern mobile workstations.

While the purpose of the FOR408 course is to teach core forensic concepts, working with the latest tools ensures students can immediately apply what they learn when they return to their organizations. You can find more information on the course here.

2 Comments

Posted November 27, 2012 at 7:12 PM | Permalink | Reply

Duck

Microsoft is no longer selling Windows 7 so obtaining a license key from them is not possible (I tried). Is the Windows SIFT workstation able to be upgraded to Windows 8? Or will that ruin the forensic integrity of the VM?

Posted December 07, 2012 at 11:05 PM | Permalink | Reply

Stephen

Win 7 is still available from a variety of retailers including Amazon.com.

Post a Comment






Captcha

* Indicates a required field.