We are pleased to report the successful introduction of Access Data's Forensic Toolkit (FTK) v4 into the SANS FOR408 Course (Computer Forensic Investigations - Windows In-Depth). While students have access to well over a hundred free and open source tools during the course, we also felt it important for them to gain an understanding of the capabilities of commercial tool suites. There is no one tool that can accomplish everything during a forensic examination, but in many cases a forensic suite can greatly speed up case processing and analysis. Hence, commercial tools like Guidance EnCase, Magnet Forensics Internet Evidence Finder, and Access Data FTK are all part of the curriculum.
FTK 4 and Virtual Machines
Students in the class receive the SANS Windows SIFT Workstation -- a Windows 7 virtual machine pre-configured with a wide variety of Windows-based forensic tools. Previous FTK users know a historical limitation of running FTK on mobile workstations was the significant resources required by the back-end Oracle database. This limitation was mitigated with the introduction of the Postgres database in FTK v4. With multiple classes now having used FTK v4, we have witnessed it operating with as little as 1GB of memory and 1 processor core allocated to the Windows 7 virtual machine. Note: This is NOT our recommended configuration, and additional memory and processors significantly increase performance. In short, it is clear that the prevalence of quad-core systems and inexpensive RAM makes FTK 4 a very viable solution on modern mobile workstations.
While the purpose of the FOR408 course is to teach core forensic concepts, working with the latest tools ensures students can immediately apply what they learn when they return to their organizations. You can find more information on the course here.