April 3, 2011, 7:02 a.m.
posted by newmy
FTK is an excellent all-around tool for investigating e-mail files. Principal among its strongest features is the ability to create a full text index of large files. While this is time-consuming up front, the amount of time you will save in large investigations is enormous. A good rule of thumb is that if you are going to search a file only one time, you don't necessarily have to index the file. If you are going to search the file more than five times, you need to consider the value of indexing the files. If you are going to search the file more than ten times, we would hope that you have indexed it already.
An advantage to using FTK is its ability to read PST and OST archives directly by accessing internal structures. The result is that e-mails are automatically indexed during the import process, making them easy to search quickly, especially across multiple mail stores.
Keep in mind that FTK can also take EnCase images directly and create a full text index of the entire file. This illustration shows an example of the interface. Because there is no need to break down the PST, the e-mail is readily accessible right after you get the evidence imported.
FTK's operational look and feel is the same for .dbx files as it is for .pst files. The index and search features are helpful across multiple and large e-mail data containers. The following illustrates how FTK handles Outlook Express e-mail.
The next screen shows an example of the powerful searching capabilities of FTK. In this case we performed a few simple searches for evidence that the suspect might have been using tools to crack passwords. Notice that seven files had the word "rainbow", and 21 files had the word "crack". The quick cumulative operation reveals that there were three hits in only one file that contains both of these terms. A search for "password" and "crack" quickly found the file in the preview window discussing how a dictionary attack works.
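As an added illustration of the index-once, search-many workflow and the "cumulative" (both-terms) search described in the post, here is a small inverted index written for this page. It is not FTK code and does not reproduce how FTK stores its index; the mailbox contents are constructed for the example, and the term-to-file-to-hit-count map is a simplification of what any full-text indexer builds. Each message is tokenized exactly once, after which any number of per-term or combined searches are dictionary lookups rather than rescans of the mail store.

```python
"""Added example (not from the original post or from FTK): build a term index
over a constructed mail store once, then answer repeated searches from it,
including a combined search for files that contain all of several terms."""
import re
from collections import defaultdict

# Constructed sample mail store: file name -> message body. Made up for this example.
SAMPLE_MAILBOX = {
    "msg001.eml": "Got the rainbow tables downloaded, will try them on the NTLM hashes tonight.",
    "msg002.eml": "Can you crack this zip? Forgot the password again.",
    "msg003.eml": "A dictionary attack tries every word in a list as the password; "
                  "if that fails, a rainbow table lookup can crack LM hashes fast.",
    "msg004.eml": "Lunch tomorrow? The new place on Main Street.",
    "msg005.eml": "john the ripper finished, managed to crack 3 of 10 passwords.",
}

WORD_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case alphanumeric tokens; punctuation is a separator."""
    return WORD_RE.findall(text.lower())


def build_index(mailbox):
    """One pass over every message: term -> {file name: number of hits in that file}.

    This is the up-front cost the post talks about; every later search reads
    only this map and never touches the message bodies again.
    """
    index = defaultdict(lambda: defaultdict(int))
    for name, body in mailbox.items():
        for token in tokenize(body):
            index[token][name] += 1
    return index


def search(index, term):
    """Files containing `term`, with per-file hit counts (empty dict if none)."""
    return dict(index.get(term.lower(), {}))


def cumulative_search(index, *terms):
    """Files that contain ALL of `terms`; the value is the total hits of those terms in each file.

    This mirrors the post's cumulative operation: first each term on its own,
    then the intersection of the file sets.
    """
    per_term = [search(index, t) for t in terms]
    if not per_term:
        return {}
    common = set.intersection(*(set(hits) for hits in per_term))
    return {name: sum(hits[name] for hits in per_term) for name in common}


def files_for(results):
    """Sorted file names from a search result, for display."""
    return sorted(results)


if __name__ == "__main__":
    idx = build_index(SAMPLE_MAILBOX)
    for term in ("rainbow", "crack", "password"):
        hits = search(idx, term)
        print(f"{term!r}: {len(hits)} file(s) -> {files_for(hits)}")
    both = cumulative_search(idx, "rainbow", "crack")
    print(f"'rainbow' AND 'crack': {both}")
    print(f"'password' AND 'crack': {cumulative_search(idx, 'password', 'crack')}")
```

Note that the tokenizer does no stemming, so "passwords" in msg005.eml does not match a search for "password"; a real forensic indexer's behaviour on word forms, case and punctuation is something to confirm in its documentation before relying on a negative result.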