This guide will walk you through a basic, one-box installation of FTK, using PostgreSQL. For more detailed installation steps, such as using a different database, using a multi-box setup, or setting up distributed processing, please refer to the guides and documentation on the FTK Download Page.
Obtaining the Software
The newest FTK and KFF ISOs can be downloaded from http://accessdata.com/product-download/digital-forensics. The ISOs can be mounted with drive emulation software (e.g. WinCDEmu) or burned to DVD using a program capable of burning ISO images (e.g. ImgBurn). After downloading the ISO, you should verify the MD5 of the downloaded file to confirm the download completed successfully.
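One way to perform the MD5 check described above on the Windows workstation itself. This is an added example, not AccessData's own tooling; the ISO path and the expected hash are placeholders to replace with your file and the value published alongside the download.

```powershell
# Added example: verify a downloaded ISO against its published MD5.
# $IsoPath and $PublishedMd5 are placeholders; substitute your own values.
param(
    [string]$IsoPath      = 'C:\Downloads\FTK.iso',        # hypothetical path
    [string]$PublishedMd5 = '<MD5-FROM-DOWNLOAD-PAGE>'     # placeholder
)

function Get-Md5Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        # ComputeHash(Stream) reads in chunks, so a multi-GB ISO is not loaded into RAM.
        $bytes = $md5.ComputeHash($stream)
    }
    finally {
        $stream.Dispose()
        $md5.Clear()
    }
    ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Test-IsoMd5 {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Published hashes are often pasted with spaces, dashes or upper case; normalise first.
    $want = ($Expected -replace '[\s-]', '').ToLowerInvariant()
    if ($want -notmatch '^[0-9a-f]{32}$') {
        throw "Expected value is not a 32-hex-digit MD5: '$Expected'"
    }
    # .NET resolves relative paths against the process directory, not the
    # PowerShell location, so pass the fully resolved path.
    $got = Get-Md5Hex -Path (Resolve-Path -LiteralPath $Path).ProviderPath
    New-Object PSObject -Property @{ Path = $Path; Expected = $want; Actual = $got; Match = ($got -eq $want) }
}

$result = Test-IsoMd5 -Path $IsoPath -Expected $PublishedMd5
$result | Format-List Path, Expected, Actual, Match
if (-not $result.Match) { exit 1 }
```

A match shows the file arrived intact. MD5 is not collision-resistant, so a matching value is not evidence of who produced the file.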
The software requires a valid license to run, which can be obtained by contacting 800-574-5199 or [email protected].
In-depth hardware recommendations can be found in the AccessData System Spec Guide.
To maximize performance, AccessData recommends the following:
- At least 2 GB RAM per logical CPU core (e.g. an 8-core machine should have at least 16 GB of RAM). The minimum RAM must not be less than 1 GB per core.
- Keep the database storage, temp space, case folders, and evidence on separate disks to maximize I/O throughput.
- Avoid resource-intensive third-party applications that may compete for hardware resources.
Note: If disk space depletes while processing a job, the job and case data may become corrupted.
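The recommendations above can be checked before installing. The script below is an added example, not part of the FTK installer: it reports RAM per logical core against the 2 GB and 1 GB thresholds, and shows which planned folders share a volume and how much free space each has. The four folder paths are constructed sample values.

```powershell
# Added example: checks the RAM-per-core and separate-disk recommendations.
# The four paths are hypothetical; replace them with the folders you plan to use.
$Planned = @{
    Database = 'D:\PostgreSQL\data'
    Temp     = 'E:\FTK\temp'
    Cases    = 'F:\Cases'
    Evidence = 'F:\Evidence'     # shares F: with Cases to show the flag
}

function Test-RamPerCore {
    $cores = [Environment]::ProcessorCount            # logical cores
    $bytes = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
    # Windows reports slightly less than the installed RAM, so round to one
    # decimal before comparing; otherwise 16 GB on 8 cores reads as 1.99.
    $gbPerCore = [math]::Round(($bytes / 1GB) / $cores, 1)
    if ($gbPerCore -ge 2) {
        $status = 'Meets recommendation (2 GB per core)'
    } elseif ($gbPerCore -ge 1) {
        $status = 'Meets minimum only (1 GB per core)'
    } else {
        $status = 'Below minimum'
    }
    New-Object PSObject -Property @{ LogicalCores = $cores; GBPerCore = $gbPerCore; Status = $status } |
        Select-Object LogicalCores, GBPerCore, Status
}

function Test-DiskSeparation {
    param([hashtable]$Paths)
    $counts = @{}
    $rows = foreach ($role in $Paths.Keys) {
        $root = [System.IO.Path]::GetPathRoot($Paths[$role]).ToUpperInvariant()   # e.g. 'D:\'
        $free = $null
        if ($root -match '^[A-Z]:\\$') {     # skip UNC roots, which have no logical disk
            $disk = Get-WmiObject Win32_LogicalDisk -Filter ("DeviceID='{0}'" -f $root.Substring(0, 2))
            if ($disk) { $free = [math]::Round($disk.FreeSpace / 1GB, 1) }
        }
        $counts[$root] = 1 + $counts[$root]
        New-Object PSObject -Property @{ Role = $role; Volume = $root; FreeGB = $free }
    }
    # A drive letter identifies a volume; two letters can still be partitions
    # of one physical disk, which this check does not detect.
    $rows | Select-Object Role, Volume, FreeGB,
        @{ Name = 'SharesVolume'; Expression = { $counts[$_.Volume] -gt 1 } }
}

Test-RamPerCore | Format-List
Test-DiskSeparation -Paths $Planned | Format-Table -AutoSize
```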
Microsoft Windows XP (32- and 64-bit)
Microsoft Windows Vista (32- and 64-bit)
Microsoft Windows 7 (32- and 64-bit)
Microsoft Windows 8 (32- and 64-bit)
Microsoft Windows Server 2003 (32- and 64-bit)
Microsoft Windows Server 2008 R1 (32- and 64-bit)
Microsoft Windows Server 2008 R2 (64-bit)
Microsoft Windows Server 2012 (64-bit)
- Install all current Windows updates.
- Disable Windows User Account Control.
- Disable all Firewall profiles.
- Disable any antivirus/malware scanning software.
- Insert a license dongle with a valid FTK license.
- Insert or mount the FTK installation media and launch the autorun.
- At the autorun menu, click “FTK Install”.
- When prompted, select whether you would like to perform a “Default” or “Advanced” installation.
A “Default” installation will perform the entire installation, with little user input, using default values for everything (see this article).
- Place a checkmark next to each component you’d like to install: PostgreSQL, Evidence Processor, Forensic Tool Kit. Note that the Evidence Processor and Forensic Tool Kit are both necessary, but you may choose to use an existing installation of PostgreSQL or Microsoft SQL.
- If you chose to install PostgreSQL, do the following during the “AccessData PostgreSQL Setup”:
  - At the “Data Folder” dialog, choose the folder where you’d like PostgreSQL to store its data. If the machine has a dedicated drive you wish to use for database storage, you should choose that as the destination.
  - At the “PostgreSQL Port” dialog, choose the port that PostgreSQL should use. If you have any other services using the default port 5432, you will need to have PostgreSQL use a different port.
  - At the “Optimize for environment” dialog, indicate that you’re installing PostgreSQL for use with FTK.
  - At the “PostgreSQL User Create” dialog, create a password for the PostgreSQL database administrator account.
- If you chose to install the Evidence Processor, do the following during the “AccessData Evidence Processing Engine” setup:
  - At the “Destination Folder” dialog, do not check “Install as distributed processing engine”.
  - At the “Processing Temp Folder and State Folder” dialog, choose the folders where you’d like the temporary files stored. If the machine has a dedicated drive you wish to use for temp space, you should choose that as the destination.
- If you chose to install the Forensic Tool Kit, during the “AccessData Forensic Toolkit” setup, accept the defaults to complete the installation.
- Launch FTK.
- At the “Add Database” dialog, do the following:
  - Select “PostgreSQL” in the “RDBMS” drop-down.
  - If you chose a different port than 5432 during the database installation, uncheck “Use Default Port” and enter the correct port.
  - Click “OK”.
- Enter the database administrator password created earlier.
- Click “OK” and wait while the database is initialized.
- At the “Add New User” dialog, complete all the fields to create your first FTK Application Administrator user, and click “OK”.
- Insert or mount the KFF installation media and launch the autorun.
- At the autorun menu, select either “Install KFF 64 bit” or “Install KFF 32 bit” depending on your PC’s architecture.
- Click “Install Elastic Search ** bit” and do the following:
  - At the “Data Folder” dialog, choose the folder where you’d like Elastic Search to store its data. If the machine has a dedicated drive you wish to use for Elastic Search storage, you should choose that as the destination.
  - Accept all other default options to complete the installation.
- Click “Install KFF Import Utility ** bit” and accept all the defaults to complete the installation.
- Click “Install NSRL Data” and follow the instructions to import the NSRL hash library.
- Import any additional KFF Data sets you desire.
- In FTK, under the “Tools” menu, click “Preferences”.
- Click “Configure KFF”.
- Click “Test KFF” and confirm the connection is successful.