Forensic Toolkit (FTK)

Additional features

Comprehensive Digital Evidence Collection

Facilitates defensible full-disk image collection and supports collecting data from various sources including computers, mobile devices, and cloud applications.

Powerful & Scalable Processing Engine

Features a reliable, multi-threaded processing engine that efficiently processes and indexes large volumes of digital evidence upfront, accelerating subsequent analysis and review.

Intuitive User Interface

Designed with an intuitive interface that reduces the learning curve, making the software accessible and efficient for both experienced forensic investigators and less technical users.

Advanced Artifact & Data Recovery

Capable of intelligently categorizing and displaying a vast array of data artifacts, performing data carving to recover deleted evidence, decrypting encrypted files, and cracking passwords from over 100 applications to uncover hidden information.

Fast & Efficient Evidence Searching

Enables rapid filtering and searching of evidence, as data is processed and indexed upfront, eliminating wait times during the review phase.

Integrated Mobile Data Processing

Supports parsing native unprocessed UFD extractions from various mobile devices (e.g., Cellebrite, Oxygen, XRY, GrayKey) and allows for the review of chat messages from popular apps (Twitter, WhatsApp) in a near-native view within a single database.

Mac Data Review & Analysis

Provides capabilities to process and analyze datasets containing Apple file systems (even if encrypted, compressed, or deleted), parsing various Mac artifacts like Apple Mail, iMessage, Safari browser data, and system summary data (Spotlight Search, KnowledgeC, Power Log data).

Multimedia Thumbnail Review

Offers an efficient way to pivot through image and video case evidence using interactive thumbnails, allowing for easy inspection, labeling, and categorization with context-providing mini timelines of user activity.

Image Identification & Categorization

Utilizes facial and object recognition to automatically locate similar images and integrates with collaborative hash databases like Project Vic and CAID UK to assist in identifying victims, particularly in CSAM investigations.

Registry File Parsing (System Summary)

Automatically parses Windows registry files to reconstruct user activity timelines, showing every application opened, internet activity, network connections, and associated timestamps.

Memory Analysis

Includes a module for analyzing dumped memory data, allowing investigators to identify hidden processes, enumerate running processes, associated DLLs, network sockets, and open handles.

Portable Case Export

Allows for exporting selected data into a portable case for offline review by non-FTK users (detectives, analysts, attorneys), with labels and bookmarks syncing back to the original case.

Defensible Reporting

Facilitates the generation of detailed and defensible reports in various formats (PDF, HTML, XML, RTF) suitable for legal proceedings, with the ability to bookmark key evidence.

Custom Scripting & Automation

Supports the creation and execution of custom Python scripts for tailored analysis and automation of forensic tasks.

Investigator Wellness Settings

Includes features designed to reduce repeated exposure to sensitive content in investigations, particularly in cases involving child sexual abuse material (CSAM).

Robust Database-Driven Architecture

Ensures that work is not lost due to crashes, as all data is stored in a resilient database, providing stability unlike memory-based tools.

Remote Endpoint Imaging

Can image a remote endpoint over a network (typically an FTK Enterprise feature) for collection from live systems.

Hash Function Support

Provides various hash functions for data integrity verification.