(For more resources related to this topic, see here.)
Changing the time zone
The correct use of the Time Zone feature is of the utmost importance for computer forensics because it might reflect the wrong MAC time of files contained in the evidence, making a professional use the wrong information in an investigation report.
Based on this, you must configure the time zone to reflect the location where the evidence was acquired. For example, if you conducted the acquisition of a computer that was located in Los Angeles, US, and bring the evidence to Sao Paulo, Brazil, where your lab is situated, you should adjust the time zone to Los Angeles so that the MAC time of files can reflect the actual moment of its modification, alteration, or creation.
The FTK allows you to make that time zone change at the same time that you add a new evidence to the case. Select the time zone of the evidence where it was seized from the drop-down list in the Time Zone field. This is required to add evidence in the case.
Take a look at the following screenshot:
You can also change the value of Time Zone after adding the evidence. In the menu toolbar, click on View and then click on Time Zone Display.
Mounting compound files
To locate important information during your investigation, you should expand individual compound file types. This lets you see the child files that are contained within a container, such as ZIP or RAR files. You can access this feature from the case manager’s new case wizard, or from the Add Evidence or Additional Analysis dialogs.
The following are some of the compound files that you can mount:
- E-mail files: PST, NSF, DBX, and MSG
- Compressed files: ZIP, RAR, GZIP, TAR, BZIP, and 7-ZIP
- System files: Windows thumbnails, registry, PKCS7, MS Office, and EVT
If you don’t mount compound files, the child files will not be located in keyword searches or filters.
To expand compound files, perform the following steps:
- Do one of the following:
- For new cases, click on the Custom button in the New Case Options dialog
- For existing cases, go to Evidence | Additional Analysis
- Select Expand Compound Files.
- Click on Expansion Options….
- In the Compound File Expansions Options dialog, select the types of files that you want to mount.
- Click on OK:
File and folder export
You may need to export part of the files or folders to help you perform some action outside of the FTK platform, or simply for the evidence presentation.
To export files or folders you need to perform the following steps:
- Select one or more files that you would like to export.
- Right-click on the selection and select Export.
- A new dialog will open. You can configure some settings before exporting as follows:
- File Options: This field has advanced options to export files and folders. You can use the default options for a simple export.
- Items to Include: This field has the selection of files and folders that you will export. The options can be checked, listed, highlighted, or selected all together.
- Destination base path: This field has the folder to save the files.
Take a look at the following screenshot:
Column settings
Columns are responsible for presenting the information property or metadata related to evidence data. By default, the FTK presents the most commonly used columns. However, you can add or remove columns to aid you in quickly finding relevant information. To manage columns in FTK, in the File List view, right-click on column bars and select Column Settings…. The number of columns available is huge. You can add or remove the columns that you need by just selecting the type and clicking on the Add button:
The FTK has some templates of columns settings. You can access them by clicking on Manage and navigating to Columns | Manage Columns:
You can use some ready-made templates, edit them, or create your own.
