The next step in this process is largely case specific. After logging into FTK® and creating your new case, you must select the options with which you want FTK® to process the evidence. The options an examiner chooses depend on what the case investigator or client needs for their respective investigation. If you already have customized processing settings saved for a particular case, they may be selected at this point (consult the .pdf user’s guide, found under the HELP tab, to build a case processing profile). Decisions can also be derived from the scope of the legal authority, as well as the lab request submitted with the evidence at the front end of the case. Using the Evidence Processing options of FTK v4.1®, I have prepared a screenshot describing the various functions available to an examiner. In Figure 14 below, selections are briefly described in red text boxes adjacent to each of the options. Some of the notations are a matter of personal preference; you may choose the options depending on the needs of your case.
Figure 14. Briefly described selections in red text boxes adjacent to each of the options
In Figure 15 below, the data carving options are selected on a case-by-case basis. There is an option to select all types if you have unknown variables in your case. This may yield results in a homicide case when you have no witness statement because your victim is deceased. Always remember to stay within the scope of your legal authority when doing an in-depth examination. If you would like to exclude known files, it is a good idea to select the “Exclude KFF Ignorable” box in this dialog screen.
www.eForensicsMag.com 95
THE OTHER FTK!: FORENSICS THAT KONVICT!
Figure 16 shows the Evidence Refinement options. These can be accessed by clicking the “Evidence Refinement (Advanced)” option button along the left column of the Detailed Options screen.
Figure 16. Evidence Refinement options
In the Ludwig homicide case, David fled the area in one of his family’s vehicles. It was assumed that Kara was with him immediately following the murders; however, their whereabouts were unknown. Family and friends were not in communication with either of them for days following the murders. Several witnesses, close friends, and family members of the Bordens and the Ludwigs were questioned by police to obtain facts about this case. It was quickly determined that for months leading up to the murders, David and Kara communicated in various ways: cell phone calls, text messages, and the social media site Xanga.com. Investigators knew photos were sent to and from one another on their cell phones and as postings on social media sites. Both David and Kara left their cell phones behind inside their respective homes. The phones were collected as evidence with search warrants. Any and all computers, thumb drives, and media cards left behind by David and Kara were collected as well. When this incident occurred, FTK v1.x® was used. Many processing options that are now available could not be selected.
In the second case involving the rogue coroner, I assisted Agent Robert Drawbaugh of the PA Office of the Attorney General. Agent Drawbaugh and I interviewed many witnesses, suspects, and other people of interest. We collected volumes of information over the course of several months. Court orders and subpoenas were authorized and issued by the judge presiding over a sitting statewide investigating grand jury. Throughout the course of this investigation, we were able to pinpoint specific pieces of information we knew had to be stored on digital media. That data would be helpful in corroborating information gleaned from our investigation. The information included email communications to and from all parties involved in this case, internet history, web pages, documents, images, etc. Search warrants were executed in multiple locations. The coroner’s residence, office, and the newspaper office were served, and many additional items were collected.
Agent Steve Arter and other members of the PA Office of the Attorney General’s Computer Forensics Unit, as well as Detective Peter Savage of the Lancaster County District Attorney’s Office and Cpl. Jim Strosser of the PA State Police Computer Crimes Task Force, helped examine the digital evidence in this case. We worked cohesively to locate and recover data of evidentiary value. FTK v1.x® was one of the primary forensic tools used in this investigation. Many of the automated processes available in today’s products were not available then. In an effort to recover valuable data in both cases, time-consuming manual searching of data was the order of the day. Examiners created and entered search scripts in the “Live Search” utility and keywords in the “Index Search” utility built into the forensic software. Although it was very time consuming, this process proved to be incredibly effective.
Ultimately, the grand jury indicted the coroner on multiple charges. Agent Drawbaugh and I were co-affiants and criminally charged the elected official with a host of offenses. He eventually pleaded guilty in a plea agreement. The facts of each of these cases, and of the cases you are assigned to work on (whether they are in the criminal or civil arena), will determine what you are going to process and guide the pathway to analysis.
OK, back to the steps. Once all of your processing options are selected, click “OK.” After a brief refresh, as FTK® builds the case database behind the scenes, FTK® will reappear. Add the evidence to your case. A job-progress window will appear to inform you of the status of the processes being performed (see Figure 17 for an example).
Figure 17. Job-progress window
When processing begins, the image is loaded into FTK’s graphical user interface. Processed objects begin to populate designated containers. You are able to review data as the objects are populating; however, constant refreshing occurs. Each time a refresh occurs, the objects you are viewing are interrupted. Ideally, it is best to let the software run uninterrupted. This is where Registry Viewer comes into play.