FTK Labs – Lab 1: Create New Case / Open Image File

(2019 Training Manual)

Access Data Forensics – Training Manual: lab on page 5-35 (2019 Version)

Associated Reading in Training Manual: pages 5-1 to 5-34 (2019 Version)

Special Instructions for lab:

 You must use VMWare View to access the FTK software

 Within VMWare View, Forensic Toolkit is found under Start/All Programs/AccessData/ Forensic
Toolkit
 In step#2, type Mantooth Case as the case name
 After step #2, type “M-1” in the Reference: field (Note: this is the Case Number)
 In the Description: field, type “Wes Mantooth Case”
 For the Case Folder Directory:, specify your Desktop
 SKIP step #4 regarding the BootCamp profile
 For the Database Directory: field, check the box entitled “In the case folder”
 In step #8 browse to Passouts (P:)\Davis\FTK Lab Data Files\Evidence Files (or retrieve from the
FTK Labs – Week 1 folder in Blackboard)
 Also for step #8, select the Mantooth.E01 image file (not “Mantooth.001”)
 SKIP Part 3: Assignment of Users

Questions to Answer from Lab (submit responses to these using the red submission link in Blackboard):

1. Who is “Wes Mantooth?” (Note: This information may not be in the case evidence. Be a
forensic investigator!)
2. What type of file is “Mantooth.E01” and what software was used to create it?
3. From what Time Zone was the digital evidence recovered? What is the significance of selecting
the Time Zone from which the evidence was recovered and specifying whether or not Daylight
Savings time applies?
4. Describe the organization of the evidence files under the Explore tab?
5. Describe the organization of the evidence files under the Overview tab?
6. In what window (not Tab) of FTK can you click on a file? When you click on a file, in what
window do you see a preview of the file contents?