FTK
What is FTK?
Forensic Toolkit (FTK) is a commercial digital-forensics suite developed by AccessData and now owned by Exterro, used to acquire, index and analyse computer evidence.
FTK (Forensic Toolkit) is a long-established commercial digital-forensics platform first released by AccessData in the early 2000s. Since Exterro acquired AccessData in 2020 the product has been marketed as Exterro FTK, and it is widely used by law-enforcement, government and corporate examiners. The suite includes FTK itself (case processing and analysis), FTK Imager (a free acquisition tool that creates raw/dd, SMART, E01 and AFF images with MD5 and SHA-1 verification hashes, captures physical memory, and can preview and export files from live systems and existing images), and FTK Lab/Enterprise for multi-examiner work and remote collection at scale. Key capabilities include distributed processing and indexing for fast keyword search across terabytes of evidence, hash-based deduplication and Known File Filter (KFF) matching, registry and email analysis, mobile-device support, and exportable reports. FTK and EnCase are commonly regarded as the two flagship commercial DFIR tools.
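The acquisition-and-verification step described above, as an added example that is not part of the original page and not code from FTK or FTK Imager: an imager hashes the logical byte stream as it reads the source, writes the image (here a raw/dd image split into numbered segments, following the .001/.002 naming FTK Imager uses for segmented raw output), and verification re-reads the segments in order as one stream and compares the hashes. The sample "drive" is constructed deterministic bytes, and `make_sample_drive`, `acquire_raw` and `verify_raw` are names chosen for this example. Like FTK Imager's default, it reports MD5 and SHA-1; a practitioner would add a SHA-2 digest the same way.

```python
import hashlib
import os
import tempfile

SEGMENT_SUFFIX_WIDTH = 3  # numbered segments: suspect_drive.001, .002, ... (example convention)


def make_sample_drive(size=1024 * 1024, seed=b"ftk-example"):
    """Constructed stand-in for a suspect device: deterministic pseudo-random bytes, not real evidence."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:size])


def hash_stream(chunks):
    """MD5 and SHA-1 over a sequence of byte chunks, computed in a single pass as an imager does."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def acquire_raw(source, out_dir, base_name, segment_size, chunk_size=65536):
    """Write `source` as a segmented raw (dd-style) image and return (segment paths, acquisition hashes).

    The hashes cover the logical byte stream read from the source, not the individual
    segment files; that is the value an examiner later verifies the image against.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    paths = []
    offset = 0
    seg_index = 1
    while offset < len(source):
        path = os.path.join(out_dir, f"{base_name}.{seg_index:0{SEGMENT_SUFFIX_WIDTH}d}")
        with open(path, "wb") as seg:
            written = 0
            while written < segment_size and offset < len(source):
                chunk = source[offset: offset + min(chunk_size, segment_size - written)]
                seg.write(chunk)
                md5.update(chunk)
                sha1.update(chunk)
                offset += len(chunk)
                written += len(chunk)
        paths.append(path)
        seg_index += 1
    return paths, {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_raw(paths, expected, chunk_size=65536):
    """Re-read the segments in order as one stream and compare against the acquisition hashes."""
    def chunks():
        for path in paths:
            with open(path, "rb") as seg:
                while True:
                    block = seg.read(chunk_size)
                    if not block:
                        break
                    yield block

    computed = hash_stream(chunks())
    return {
        "md5_match": computed["md5"] == expected["md5"],
        "sha1_match": computed["sha1"] == expected["sha1"],
        "computed": computed,
    }


def demo(tamper=False):
    """Acquire a constructed 1 MiB device into 256 KiB segments, optionally flip one byte, then verify."""
    source = make_sample_drive()
    with tempfile.TemporaryDirectory() as work:
        paths, acquisition = acquire_raw(source, work, "suspect_drive", segment_size=256 * 1024)
        if tamper:
            # Single-bit change in the second segment: both verification hashes must now fail.
            with open(paths[1], "r+b") as seg:
                seg.seek(10)
                original = seg.read(1)
                seg.seek(10)
                seg.write(bytes([original[0] ^ 0x01]))
        result = verify_raw(paths, acquisition)
    # The acquisition hash must equal the hash of the original source taken as a whole.
    result["matches_source"] = acquisition == hash_stream([source])
    result["segments"] = len(paths)
    return result


if __name__ == "__main__":
    print("clean image:", demo())
    print("tampered image:", demo(tamper=True))
```

Two details matter in practice: the acquisition hash is computed during the read, so it attests what the imager saw at that moment, and verification hashes the reassembled stream, so a missing or reordered segment shows up as a mismatch just as a modified byte does.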
● Examples
- 01
Using FTK Imager to capture a forensic image of a suspect drive with MD5 and SHA-1 verification.
- 02
Performing a keyword search across a custodian's mailbox using FTK's distributed indexing during an internal investigation.
● Frequently asked questions
What is FTK?
Forensic Toolkit (FTK) is a commercial digital-forensics suite developed by AccessData and now owned by Exterro, used to acquire, index and analyse computer evidence. It belongs to the Forensics & IR category of cybersecurity.
What does FTK mean?
FTK stands for Forensic Toolkit, the name AccessData gave its digital-forensics suite; the product is now sold by Exterro as Exterro FTK.
How does FTK work?
An examiner first acquires the evidence, typically with FTK Imager, which reads the source device and produces a raw, SMART, E01 or AFF image together with MD5 and SHA-1 hashes that are used to verify the image. The image is then added to an FTK case and processed: file systems are parsed, deleted and carved files are recovered, every file is hashed and compared against known-file sets (KFF) to suppress or flag it, and the content is indexed by FTK's distributed processing engine so that keyword searches across terabytes return quickly. The examiner then searches, filters, and bookmarks artefacts such as registry hives, email and mobile-device data, and exports findings as reports. FTK Lab/Enterprise extend the same workflow to multiple examiners and to remote collection from endpoints.
How do you defend against FTK?
FTK is an investigative tool rather than a threat, so there is nothing to defend against. The relevant controls are the ones that keep its output trustworthy: hash verification of every image, write-blocked acquisition, and a documented chain of custody so that evidence analysed in FTK remains admissible.
What are other names for FTK?
Common alternative names include: Forensic Toolkit, Exterro FTK, AccessData FTK.
● Related terms
- Forensic Imaging: Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
- Chain of Custody: The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
- EnCase: A commercial digital-forensics product family from OpenText (originally Guidance Software) widely used by law-enforcement and corporate investigators since the late 1990s.
- Autopsy: Open-source digital-forensics platform developed by Brian Carrier and Basis Technology that provides a graphical front end to The Sleuth Kit and a rich set of analysis modules.
- The Sleuth Kit: An open-source library and collection of command-line tools for low-level analysis of disk images and file systems, maintained by Brian Carrier.
- Forensic Hash Verification: The practice of computing and comparing cryptographic hashes (typically MD5 and SHA-256) of forensic images and source media to prove evidence integrity.
● See also
- Forensic Toolkit