Видео

@@ShashankM-k1f Software based response playbooks are typically built in orchestration tools like Splunk. These Security Orchestration, Automation and Response (SOAR) tools are connected within a network to various other resources and tools that can help in reaction during a breach. If you are talking about organizational playbooks, that is just documentation and procedures. So whatever you would want to use for that.

Say no more. go.exterro.com/FTKfreetrialsignup 30 day trial of FTK. Full feature.

You should download FTK 8.1 (It was released today) and yes, it will require you to uninstall 7.4. If you need cases from 7.4 you will actually need to take your cases from 7.4 to 7.6 and then to 8.1. Or just reprocess the case in 8.1... or just finish the cases in 7.4 if you can before you move to 8.1. 7.4 is old enough that a straight 7.4 to 8.1 isn't supported.

One of the requirements for using the Trial is to use a business email, tied to an organization. This was an operational decision made above my paygrade. hah. Sorry for any inconvenience.

Do you have other Forensic Software that is using Codemeter? Are you using a virtual license or a physical dongle? One thing to try is opening the ISO and installing Codemeter directly rather than part of the whole install process.

Not sure why it is failing. Can you try opening the ISO and installing code meter itself separate from the main install. Run as admin. If the error comes up take a screenshot and email me at Justin.tolman@exterro.com

That is a great question. Not sure what happened... I have just reuploaded it and added it to the playlist. Thanks for letting me know! ruclips.net/video/8oxlFZGWqxA/видео.html

I understand you were probably wanting a walk through of the actual buttons to press during installation. I can create a video showing that process. However, do you have a specific part of the installation that you are hung up on that I can address?

I created this today. Let me know if it answers your question: ruclips.net/video/ykuazx0o2bI/видео.html

My answer is a mix between "it depends" and "most likely not". Why? FTK does not do any mobile device extraction, so it can only work with what it is given. FTK parses the artifact data of what was extracted through solutions like Cellebrite's UFED or Grayshift's Graykey. So if it is an allocated file only extraction, there is very little to carve out (more on that later). Also, most phones use file based encryption. This means that when a file is deleted, so is the pointer, and the decryption key that is used to make the file visible. That creates a major hurdle in recovering files that require carving even on a physical extraction. It depends, because FTK's carving can recover embedded files. In the mobile space this could be something "deleted" or hidden in a database or other file. Rare... but that is the "it depends"

You can set up FTK Connect to collect from specific employees. You would need to specify which endpoints you would like to collect from and what you want to collect. Once that collection profile is created, you can automate the collection at any time.

Hmmm interesting. Reach out to support@exterro.com via email. They should be able to get you sorted out.

What is your question?

Yes. Give me a little bit to set up a machine I don't already have an agent on.

We moved around some of our parsers. I am not sure if Skype for windows is still directly supported. But, if you go to Expansion Options and choose Exterro Mobile Parsers, Skype for Android and iOS are supported. The export process once you parse it is the same as exporting Browser data from the file list pane. OR you can choose to export HTML version to get the chat view. I will make a video on that, but it may be a bit as my schedule right now is pretty stacked.

@@JustinTolmanForensics what do you mean with expansion options?

Yup. Here you go: ruclips.net/user/shortsvyA3au-9aPU

what about extracting chats belonging to skype or telegram? @@JustinTolmanForensics

Thanks again for chatting with us!

FTK requires a license to be activated and used. FTK is required to pass the exam. If you don't have access to FTK and cannot purchase a copy, you can purchase lab time to take the exam. This does not include study time or anything, just time to take the exam. This can be purchased through the website: training.accessdata.com.

@@JustinTolmanForensics can we access Forensic ToolKit if we take lab time

@@pravallikadarsi8268 If you have the ACE with Lab option, FTK is pre-installed on a remote machine you can log into and take the exam. If you have specific questions about that process you can email training@exterro.com. At the time of the recording I was over the training department, I took a promotion and am now no longer associated with the training department. They can get you sorted out for sure.

Two questions and I will follow up on this. What version of FTK are you on? Did you load the images at the same time or one at a time?

I don't have a video that shows the "click through" of the install process. But I did make this which explains the concepts and considerations when installing FTK: ruclips.net/video/cMakwd4rT_U/видео.html

@@JustinTolmanForensics thanks for this reference! I’ll check it out and update you 👍

exactly

Can you let me know what version you are on so I can check it out on my end? Thanks.

@@JustinTolmanForensics 7.5 - happy to reach out directly via my work email (we have paid for support with Exterro) - just PM me if that is appropriate

@@YORCC justin.tolman@exterro.com email me. I am traveling, but will respond asap.

Sounds like FTK can't see the USB license dongle, or if you are using a network license it can't see that. If using a physical USB dongle, check to make sure the USB port is working. If so, open License Manager to make sure your license is set up correct (typically this would say "no more licenses available" but you never know). If you are using a Network dongle, trouble shoot the network connection, and make sure the addressing and ports are set up correctly. If all that looks good, then you may need to contact support.

@@JustinTolmanForensics What is meant by the license? what does actually it needs?

@@muhammadyaqubsecurity Sorry for the delay in my response, I did not see the notification. FTK is a premium tool, so you need to purchase a license (or permission) to use the software.

Yeah, I will look at those topics and frame some videos around it. A video that might cover some of what you are looking for could be this one: ruclips.net/video/aGRQS-rrQkE/видео.html

@@JustinTolmanForensics Thankyou sir, It would be great if you include system information such as computername, installation date, OS version and build etc.

Looks like this is a known issue. Fortunately, it appears we have a patch for it coming in the next few weeks! FTK 7.5.2 will bring in support for this type of Bitlocker Encryption. Be on the lookout for that update. If that doesn't fix it, we will need to contact support and take a deeper look. Apologies for not having a quicker fix.

@@JustinTolmanForensics Thank you for the update. I overcame this issue by using other tools. But I am curious if I was to mount the image using FTK Imager (the files would be visible) and then make another image of the mounted disk, will this image be unencrypted?

@@cipster I haven't tested that workflow with our latest version of FTK Imager. However, the concept you are describing is technically correct. I will see if I can find some time to do some testing on that because it sounds interesting to me.

There could be a few things that could cause this. 1. It could be that the user was using a smart card. If they are then the password field would not be populated and you would get the grayed-out behavior, you are seeing. 2. It could be that they didn't set a password. BitLocker would simply be tied then to the Windows login. This of course would leave the password field blank, and thus grayed-out. If you don't think either of those are the issue you can contact our support channel and they can attempt to trouble shoot any potential FTK issues that could create this response.

@@JustinTolmanForensics Got it. Thanks again Justin, have a nice day!