Forensic Toolkit v2.0

The earlier 1.7 version's primary screen was a grey with many buttons for performing different parts of a forensic investigation. Version 2.0 has a sleeker interface with a tab-based design, but still felt a bit cluttered, thanks to the different windows on each of the tabs that were opened by default.

The FTK Imager utility was able to create a forensic image of the 1GB drive in less than three minutes. The import into the FTK interface took 30 minutes. A new feature allows the investigator to work with the data while it is being imported into the program.

FTK was able to discover the deleted executable, directory and file and could even reconstruct the deleted picture. It detected the password-protected zip file and showed the file contents, but could not open the zip without the password-recovery toolkit.

FTK also found the password-protected Microsoft Word file, but did not spot the steganographed files. The solution includes data-carving features that allow the drive's slack space to be searched for file fragments. The only problems were that the application would crash with large email investigations and only recognised VMWare disk files as flat files and not virtual file systems.

The installation was simple and complex at the same time. The software went in as part of an auto-run utility and the interface for installation was very well laid out. The tricky part was trying to get the licence dongle recognised.

It took several attempts to get the driver installed correctly as the XP OS would recognise the licence fob as a flash drive. Once the driver was set up it was necessary to contact the Access Data server to get the correct licences set up on the fob. This required a call to tech support.

The help file for FTK is the best we have ever seen. It walks you through using the utility with such detail you can learn the tool inside out from the manual.

The pricing for FTK is US$2,995, which is at the low end of the price spectrum, making this an excellent value