Tuesday, October 26, 2010

AccessData announces FTK 3.2 and Imager 3.0

Key additions include support for the EXT4 file system and RAM analysis of 64-bit systems.


AccessData, one of the world's leading vendors of forensic investigation software, has announced major updates to its product line: FTK 3.2 and Imager 3.0. AccessData had many problems with the 2.x versions of FTK, but redeemed itself with version 3.x and has been steadily improving its forensic suite since then. The main characteristic of FTK, and the one that sets it furthest apart from its competitors, is the indexing of evidence files in an Oracle database tuned specifically for use by FTK. Distributed evidence processing (already discussed in other posts on this blog) is another very important feature of the system.



Among the new features in FTK 3.2, the highlights are:


FILE SYSTEM, FORENSIC IMAGE AND FILE SUPPORT...
  • Create and process Advanced Forensic Format (AFF) images.
  • Process and analyze DMG (compressed and uncompressed), Ext4, exFAT, VxFS (Veritas File System), Microsoft VHD (Microsoft Virtual Hard Disk), and Blackberry IPD backup files.
  • Sophos Enterprise and S/MIME decryption support with proper credentials.
ENHANCED WINDOWS MEMORY ANALYSIS...
  • AccessData now offers the first and ONLY commercial computer and enterprise forensics products with 64-bit memory analysis!
  • Ability to identify/display kernel structures involved with network miniport and file system filter drivers.
  • SSDT/IDT/IRP hook detection.
GREATER PROCESSING SPEED AND FLEXIBILITY...
  • Processing speed for email archives, such as PSTs, EDBs and NSFs has been increased by 200%! (Times vary, depending on the hardware.)
  • New selective archive expansion allows a user to define "drill down" options and specify which files are expanded during processing (e.g. only ZIP and PST files).
ADVANCED EMAIL ANALYTICS...
  • Email Items tree view completely refreshed:
      • Email By Date -- organized by Year, then by Month, then by Date for both Sent and Received.
      • Email Addresses -- organized by Sender/Recipient, and subcategorized by Date, Email Domain, Display Name and Email Address.
PHYSICAL AND VIRTUAL DEVICE MOUNTING...
  • Safely mount a forensic image (AFF/DD/E01/S01) as a physical device. Any tool that enumerates devices can find it, such as FTK Imager. Also supports booting forensic images in VMware.
  • Mount a logical image (AD1/L01) or physical image (AFF/E01/DD/S01) as a virtual device or volume. Once mounted, the read-only media is available to any third-party Windows application and exposes the same file system artifacts as FTK. For example, you can mount an HFS+ image and it will show up as a volume in Explorer on the examiner's machine.
GLOBAL FILTERS, CARVERS, COLUMNS AND LABELS...
  • Users can now define global columns, carvers, filters and more, and have these available for use on all cases.
DEVICE RESTORATION...
  • Quickly restore your forensic image to media for distribution, processing with other tools, etc. This feature works with several types of forensic images.
And more!


As for Imager 3.0, the main new features are:


PHYSICAL AND VIRTUAL DEVICE MOUNTING...
  • Safely mount a forensic image (AFF/DD/E01/S01) as a physical device. Any tool that enumerates devices can find it, such as FTK Imager. Also supports booting forensic images in VMware.
  • Mount a logical image (AD1/L01) or physical image (AFF/E01/DD/S01) as a virtual device or volume. Once mounted, the read-only media is available to any third-party Windows application and exposes the same file system artifacts as FTK. For example, you can mount an HFS+ image and it will show up as a volume in Explorer on the examiner's machine.
NEW FILE SYSTEM and FORENSIC IMAGE SUPPORT...
  • Create and view Advanced Forensic Format (AFF) images.
  • New support for DMG (compressed and uncompressed), Ext4, exFAT, VxFS (Veritas File System), and Microsoft VHD (Microsoft Virtual Hard Disk).

More information and the software download (a license is required to use it) are available at: http://www.accessdata.com/products/ftk/ad_ftk32_ftp.aspx

2 comments:

Fellipe said...

I use EnCase, and now I'll have access to Forensic Toolkit 3, so it's good to know some of its features before using it.
What is Blackberry IPD? A backup of contacts or of files from Blackberry smartphones?

Luiz Rabelo said...

Hi Fellipe, IPD files are Blackberry backup files, containing not only the contacts but all of the smartphone's data files. Cheers!
