Data Sources
Data Sources are the sources of data relevant to a case during electronic discovery or security investigation. The data can include electronically stored information on employees, system management computers, and can refer to people, Network shares, Domino or Exchange email accounts, or other public repositories associated with the person.
The Data Sources module allows you to add, define, delete and edit data sources. Once data sources have been configured, data can be collected remotely and then processed.
Managing Data Sources
FTK Central supports data management and collection from 11 different data sources and the details to manage the data sources are provided in the upcoming sections.
Elements of Managing Data Sources
- Network Share
- Computer
- Gmail
- Google Drive
- OneDrive
- Microsoft Teams
- Slack
- SharePoint
- Exchange
- Box
Tip: To filter the grid efficiently, you can simply enter a keyword into the search box located at the top of any grid and click the search button or press Enter.
Network Share
Shares are network folders on which the person may possess read and write access permissions. You can add or remove shares from this page, edit a share path, or add and edit a share’s locality and description.
Adding Network Share data sources
To add a Network Share data source:
1. From the home page, click Data Sources.
2. Navigate to Network Share.
3. Click Add Network Share.
- The Add Network Share Details pop-up is displayed.
4. Enter the Path of a network share.
5. Provide a Description.
6. Choose No Credentials if you don’t want any authentication to access it or New Credentials to set a username and password for it.
Note: The below steps are to be performed for configuring new credentials.
- Provide a Domain/Username for the network share.
- Provide a Password.
- Repeat the same password in Confirm Password field.
7. Click Save.
Importing Network Share from CSV
To add a Network Share data source from CSV:
1. From the home page, click Data Sources.
2. Navigate to Network Share.
3. Click Import Network Share(s) from CSV.
- The Import Network Share(s) from CSV pop-up is displayed.
4. Click Select files.
5. Select the required file or drag and drop the file to be uploaded.
6. Click Import.
Note: You can click Download Template, fill in the details of the network share, and upload it for the application to read the network shares to be imported.
Mapping Network Shares data sources to Custodians
To map a Network Share data source to custodians:
1. From the home page, click Data Sources.
2. Navigate to Network Share.
3. Click Map Custodian against the data source to be mapped.
- The Map Custodians pop-up is displayed.
4. Select the required custodians by enabling the checkbox against it.
5. Click Save.
Editing Network Share data sources
To edit a Network Share data source:
1. From the home page, click Data Sources.
2. Navigate to Network Share.
3. Click Edit against the data source to be edited.
- The Edit Network Share Details pop-up is displayed.
4. Make the necessary changes.
5. Click Save.
Deleting Network Share data sources
To delete a Network Share data source:
1. From the home page, click Data Sources.
2. Navigate to Network Share.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of the data source by enabling the checkbox against it and clicking on Delete.
Computer
One of the primary sources of evidence used in a case originates on workstations (or nodes) managed by a person. You can add or remove computers from this page, edit a share path, or add and edit a computer’s information and description.
Adding Computer data sources
To add a computer data source:
1. From the home page, click Data Sources.
2. Navigate to Computer.
3. Click Add Computer.
- The Add Computer pop-up is displayed.
4. Provide a name for the computer in Computer Name field.
5. Provide a description for the computer in Description field.
6. Click Save.
Importing Computer data sources from CSV
To import computer data sources from CSV:
1. From the home page, click Data Sources.
2. Navigate to Computer.
3. Click Import Computer(s) from CSV.
- The Import Computer(s) from CSV pop-up is displayed.
4. Click Select files.
5. Select the required file or drag and drop the file to be uploaded.
6. Enable the checkbox against Associate to Groups to associate groups to computers.
7. Enable the checkbox against Merge new groups to existing computers to associate new groups to computers that were previously added by CSV import.
8. Click Import.
Note: You can click Download Template, fill in the details of the network share, and upload it for the application to read the network shares to be imported.
Mapping Computer data sources to Custodians
To map a computer data source to custodians:
1. From the home page, click Data Sources.
2. Navigate to Computer.
3. Click Map Custodian against the data source to be mapped.
- The Map Custodians pop-up is displayed.
4. Select the required custodians by enabling the checkbox against it.
5. Click Save.
Editing Computer data sources
To edit a computer data source:
1. From the home page, click Data Sources.
2. Navigate to Computer.
3. Click Edit against the data source to be edited.
- The Edit Computer pop-up is displayed.
4. Make the necessary changes.
5. Click Save.
Deleting Computer data sources
To delete a computer data source:
1. From the home page, click Data Sources.
2. Navigate to Computer.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of the data source by enabling the checkbox against it and clicking on Delete.
Creating Endpoint Reports
To create an endpoint report from data sources:
1. From the homepage, click Data Sources.
2. Click Computer.
3. Click Export.
4. Select any of the following report types:
- HTML
- CSV
The report will be created, listing the computers and their associated columns.
Tip: To create a report of specific endpoints, ensure computers have been filtered using the columns available. If this is not followed, a report will feature all computers listed in Data Sources.
Gmail
You can configure the application to collect data from Gmail at a domain (administrative) level. Administrators can collect from individual accounts without needing individual credentials. The service account must be used for collections.
Tip: If you have updated your FTK Central environment with an existing Data Source, ensure they are removed and reconfigured.
Adding Gmail data sources
To add a Gmail data source:
1. From the home page, click Data Sources.
2. Navigate to Gmail.
3. Click Add Gmail.
- The Add Gmail Details pop-up is displayed.
4. Provide a Name for the Gmail.
5. Enter the Domain Name.
6. Enter the Service account API key.
7. Select the Associated to all custodians checkbox to associate all the custodians to the server.
8. Click Save.
Mapping Gmail data sources to Custodians
To map a Gmail data source to custodians:
1. From the home page, click Data Sources.
2. Navigate to Gmail.
3. Click Map Custodian against the data source to be mapped.
- The Map Custodians pop-up is displayed.
5. Click Save.
Editing Gmail data sources
To edit a Gmail data source:
1. From the home page, click Data Sources.
2. Navigate to Gmail.
3. Click Edit against the data source to be edited.
- The Edit Gmail Details pop-up is displayed.
4. Make the necessary changes.
5. Click Save.
Deleting Gmail data sources
To delete a Gmail data source:
1. From the home page, click Data Sources.
2. Navigate to Gmail.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of the data source by enabling the checkbox against it and clicking on Delete icon.
Google Drive
You can configure the application to collect files from a Google Drive. Once you have configured the application to collect from your Google Drive, you can choose to collect from this source with a collection job. The service account must be used for collections.
Tip: If you have updated your FTK Central environment with an existing Data Source, ensure they are removed and reconfigured.
Notes:
- When the user runs a Report only collection for Google Drive, native Google files (Docs, Spreadsheets, Slides, and Forms) do not count against a user’s storage quota and show as zero bytes.
- Google does not expose the size of the native files from Google Drive, and hence only the file size is downloaded when the file is downloaded (File Scan Collection/Non report only scenario).
Adding Google Drive data sources
To add a Google Drive data source:
1. From the home page, click Data Sources.
2. Navigate to Google Drive.
3. Click Add Google Drive.
- The Add Google Drive Details pop-up is displayed.
4. Provide a Name for the Google Drive.
5. Enter the Service account API key.
6. Select the Associated to all custodians checkbox to associate all the custodians to the server.
7. Click Save.
Mapping Google Drive data sources to Custodians
To map a Google Drive data source to custodians:
1. From the home page, click Data Sources.
2. Navigate to Google Drive.
3. Click Map Custodian against the data source to be mapped.
- The Map Custodians pop-up is displayed.
4. Select the required custodians by enabling the checkbox against it.
5. Click Save.
Editing Google Drive data sources
To edit a Google Drive data source:
1. From the home page, click Data Sources.
2. Navigate to Google Drive.
3. Click Edit against the data source to be edited.
- The Edit Google Drive Details pop-up is displayed.
4. Make the necessary changes.
5. Click Save.
Deleting Google Drive data sources
To delete a Google Drive data source:
1. From the home page, click Data Sources.
2. Navigate to Google Drive.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of the data source by enabling the checkbox against it and clicking on Delete icon.
OneDrive
You can configure the application to collect all files from a OneDrive. Once you have configured the application to collect from your OneDrive, you can choose to collect from this source with a collection job. If attempting to collect from GCC environments please refer to the Office 365 Credentials section.
Tip: If you have updated your FTK Central environment with an existing Data Source, ensure they are removed and reconfigured.
Adding OneDrive data sources
To add a OneDrive data source:
1. From the home page, click Data Sources.
2. Navigate to OneDrive.
3. Click Add OneDrive.
- The Add OneDrive Details pop-up is displayed.
4. Enter a OneDrive Name.
5. Choose the API Method.
a. Graph API:
- Enter the Tenant Active Directory Name.
- Enter the Application (client ID).
- Enter the Secret Value.
b. Export API:
- Choose the User Credentials.
- No Credentials – This will fetch the credentials configured in the System Management > Manage Credentials page.
- New Credentials – Select this to configure users with new credentials.
6. Click Save.
Mapping OneDrive data sources to Custodians
To map a OneDrive data source to custodians:
1. From the home page, click Data Sources.
2. Navigate to OneDrive.
3. Click Map Custodian against the data source to be mapped.
- The Map Custodians pop-up is displayed.
4. Select the required custodians by enabling the checkbox against it.
5. Click Save.
Editing OneDrive data sources
To edit a OneDrive data source:
1. From the home page, click Data Sources.
2. Navigate to OneDrive.
3. Click Edit against the data source to be edited.
- The Edit OneDrive Details pop-up is displayed.
4. Make the necessary changes.
5. Click Save.
Deleting OneDrive data sources
To delete a OneDrive data source:
1. From the home page, click Data Sources.
2. Navigate to OneDrive.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of the data source by enabling the checkbox against it and clicking on Delete.
Microsoft Teams
You can configure the application to collect files from Microsoft Teams business user accounts. You can add, edit, or delete multiple accounts from this page. If attempting to collect from GCC environments, please refer to the Office 365 Credentials section.
Adding Microsoft Teams data sources
To add a Microsoft Teams data source:
1. From the home page, click Data Sources.
2. Navigate to Microsoft Teams.
3. Click Add Microsoft Teams.
- The Add Microsoft Teams Details pop-up is displayed.
4. Enter a Microsoft Teams Name.
5. Select the API Method.
- Graph API:
- Enter the Application (client ID) of the Microsoft Teams.
- Enter the Secret Value of the Microsoft Teams.
- Enter the Redirect URL of the Microsoft Teams.
- Export API:
- Choose the User Credentials.
- No Credentials – This will fetch the credentials configured in the System Management > Manage Credentials page.
- New Credentials – Select this to configure users with new credentials.
6. Click Save.
Editing Microsoft Teams data sources
To edit a Microsoft Teams data source:
1. From the home page, click Data Sources.
2. Navigate to Microsoft Teams.
3. Click Edit against the data source to be edited.
- The Edit Microsoft Teams Details pop-up is displayed.
4. Make the necessary changes.
5. Click Save.
Deleting Microsoft Teams data sources
To delete a Microsoft Teams data source:
1. From the home page, click Data Sources.
2. Navigate to Microsoft Teams.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of the data source by enabling the checkbox against it and clicking on Delete icon.
Slack
You can configure the application to collect files from Slack business user accounts. You can add, edit, or delete multiple accounts from this page.
Adding Slack data sources
To add a Slack data source:
1. From the home page, click Data Sources.
2. Navigate to Slack.
3. Click Add Slack.
- The Add Slack Details pop-up is displayed.
4. Enter a Slack Name.
5. Enter the Client ID of the Slack.
6. Enter the Client Secret of the Slack.
7. Enter the Redirect Url of the Slack.
8. Click Save.
Editing Slack data sources
To edit a Slack data source:
1. From the home page, click Data Sources.
2. Navigate to Slack.
3. Click Edit against the data source to be edited.
- The Edit Slack Details pop-up is displayed.
4. Make the necessary changes.
5. Click Slack and authorize the account to establish a successful connection.
6. Click Save.
Deleting Slack data sources
To delete a Slack data source:
1. From the home page, click Data Sources.
2. Navigate to Slack.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of the data source by enabling the checkbox against it and clicking on Delete.
SharePoint
You can configure the application to collect from document libraries, wikis, blogs, calendars, contacts, announcements, surveys, and discussion boards on team and individual sites of SharePoint. The following are the versions supported:
- Microsoft SharePoint 2010
- Microsoft SharePoint 2013
- Microsoft SharePoint 2016
- Office 365
- OneDrive for Business (Collection of personal OneDrive accounts is not supported.)
If attempting to collect from GCC environments please refer to the Office 365 Credentials section.
Adding SharePoint data sources
To add a SharePoint data source:
1. From the home page, click Data Sources.
2. Navigate to SharePoint.
3. Click Add SharePoint.
- The Add SharePoint Details pop-up is displayed.
Note: You must configure the ‘Default Case Path’ in the Case Defaults section to display the SharePoint Subsite.
4. Enter the Web Application URL.
- The value of this field is typically formatted as follows: http://[Address]:[Port]
where [Address] is the host name or IP address of the system hosting the SharePoint Web Application. You can optionally use the [Port] address if you are connecting to a specific SharePoint web application. If you provide a URL that does not specify the port, port 80 is used.
If you specify a root path, such as http://server_name/, when you run the Collection, you can select SharePoint site URLs that may exist within sub sites off of the root path.
For example, you could include URLs of any blogs, discussion boards, document libraries, or wikis within the specified root path.
If you specify a SharePoint path to a particular organization’s department, you can include the blogs, discussion boards, document libraries, or wikis just within that department site. For example, the path may look like http://server_name/sites/marketing
5. Choose the API Method.
a. Graph API:
- Enter the Domain.
- (Optional) If the user account entered in the Username field is a domain user account, the domain must be specified; otherwise leave this field blank.
- Enter the Username.
- Lets you specify the username of an account that is granted Full Read access to SharePoint.
- Enter the Password.
- Repeat the same password in Confirm Password field.
b. Export API:
- Choose the User Credentials.
- No Credentials – This will fetch the credentials configured in the System Management > Manage Credentials page.
- New Credentials – Select this to configure users with new credentials.
6. Click Save.
Note: Update the RefreshSharepointDatasourceIntervalInDays field in the ADG.WeblabSelfHost.exe.config file to automatically synchronize the SharePoint sub sites.
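A pre-flight check for the Web Application URL format described in step 4, as an added example that is not part of FTK Central or its documentation: it computes the effective port and flags entries whose scope is already covered by a broader root or site path on the same server. The function names are hypothetical; the 443 default for https and the case-insensitive path comparison are assumptions not stated on this page.

```python
from urllib.parse import urlsplit

# Step 4 states that a URL without a port uses port 80. The 443 default for
# https is the standard scheme default and an assumption; the page shows http.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_web_app_url(url):
    """Return (host, effective_port, path_segments) for a Web Application URL."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"{url!r}: expected http://[Address]:[Port]")
    if not parts.hostname:
        raise ValueError(f"{url!r}: missing [Address]")
    if parts.username or parts.password:
        raise ValueError(f"{url!r}: use the Username and Password fields instead")
    port = parts.port  # raises ValueError if the port is not a valid number
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    # Assumption: site paths are compared case-insensitively.
    segments = tuple(s.casefold() for s in parts.path.split("/") if s)
    return parts.hostname, port, segments


def scope_of(url):
    """'root' if sub sites can be selected at collection time, else 'site'."""
    return "site" if parse_web_app_url(url)[2] else "root"


def find_overlaps(urls):
    """Return (narrow, broad) pairs where broad already covers narrow.

    Two entries overlap when host and effective port match and the broad
    path is a prefix of the narrow path. Exact duplicates after
    normalisation are reported once, as (later entry, earlier entry).
    """
    parsed = [(u, parse_web_app_url(u)) for u in urls]
    overlaps = []
    for i, (narrow, (n_host, n_port, n_seg)) in enumerate(parsed):
        for j, (broad, (b_host, b_port, b_seg)) in enumerate(parsed):
            if i == j or (n_host, n_port) != (b_host, b_port):
                continue
            covered = n_seg[:len(b_seg)] == b_seg
            if covered and (len(n_seg) > len(b_seg) or j < i):
                overlaps.append((narrow, broad))
    return overlaps


# Constructed sample list, using the placeholder host name from step 4.
SAMPLE_URLS = [
    "http://server_name/",
    "http://server_name/sites/marketing",
    "http://server_name:8080/sites/marketing",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        host, port, _ = parse_web_app_url(u)
        print(f"{u}: host={host} port={port} scope={scope_of(u)}")
    for narrow, broad in find_overlaps(SAMPLE_URLS):
        print(f"{narrow} is already covered by {broad}")
```
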
Editing SharePoint data sources
To edit a SharePoint data source:
1. From the home page, click Data Sources.
2. Navigate to SharePoint.
3. Click Edit against the data source to be edited.
- The Edit SharePoint Details pop-up is displayed.
4. Make the necessary changes.
5. Click Save.
Deleting SharePoint data sources
To delete a SharePoint data source:
1. From the home page, click Data Sources.
2. Navigate to SharePoint.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of the data source by enabling the checkbox against it and clicking on Delete icon.
Exchange
You can configure the application to collect data from your Microsoft Exchange server which includes email, calendars, contacts, faxes, and voice mail. The following are the versions supported:
- Exchange 2010 SP1
- Exchange 2013
- Exchange 2016
- Exchange EAC (2019)
- Office 365
Note: Exchange Online Basic Authentication deprecation is in progress (31st December 2022) and if already disabled will need to be enabled here: https://portal.office.com/adminportal/home/ to continue with any collections.
If attempting to collect from GCC environments please refer to the Office 365 Credentials section.
Adding Online/Office 365 data sources
EWS API Method
To add an Online/Office 365 data source (EWS API Method):
1. From the home page, click Data Sources.
2. Navigate to Exchange.
3. Click Add Exchange.
- The Add Exchange Mail Server Details pop-up is displayed.
4. Select Online/Office 365 as the Version from the drop-down.
5. Enter a Name for the Exchange Server.
6. Select the EWS option for API Method field.
7. Enter the IP address of the Exchange Server in Address.
8. Enter the Tenant ID in the Admin Tenant ID field.
Note: The Admin Tenant ID field corresponds to the Primary Domain value.
9. Enter the Microsoft Exchange Client ID.
10. Enter the Microsoft Exchange Client Secret.
11. Select the Associated to all custodian checkbox to associate all the custodians to the server.
Note: If you have previously associated an individual custodian to a server, this action will overwrite the associations of the individual custodian.
12. Click Save.
Graph API Method
To add an Online/Office 365 data source (Graph API Method):
1. From the home page, click Data Sources.
2. Navigate to Exchange.
3. Click Add Exchange.
- The Add Exchange Mail Server Details pop-up is displayed.
4. Select Online/Office 365 as the Version from the drop-down.
5. Enter a Name for the Exchange Server.
6. Select the Graph API option for the API Method field.
7. Enter the Tenant ID in the Admin Tenant field.
Note: The Admin Tenant ID field corresponds to the Primary Domain value.
8. Enter the Microsoft Exchange Client ID.
9. Enter the Microsoft Exchange Client Secret.
10. Select the Associated to all custodian checkbox to associate all the custodians to the server.
Note: If you have previously associated an individual custodian to a server, this action will overwrite the associations of the individual custodian.
11. Click Save.
Export API Method
To add an Online/Office 365 data source (Export API Method):
1. From the home page, click Data Sources.
2. Navigate to Exchange.
3. Click Add Exchange.
- The Add Exchange Mail Server Details pop-up is displayed.
4. Select Online/Office 365 as the Version from the drop-down.
5. Enter a Name for the Exchange Server.
6. Select the Export API option for the API Method field.
7. Select any one of the options below for the User Credentials field:
- No Credentials – Select this option to create the data source without specific account credentials.
- New Credentials – Select this option to create the data source for a specific user account. Upon enabling this option, the following fields will be displayed.
- Admin user account – Provide the admin user account’s email address.
- Refresh Token – Provide the corresponding account's Refresh Token.
8. Click Save.
Adding Exchange data sources
To add an Exchange data source:
1. From the home page, click Data Sources.
2. Navigate to Exchange.
3. Click Add Exchange.
- The Add Exchange Mail Server Details pop-up is displayed.
4. Select Exchange 2010 SP1, Exchange 2013, Exchange 2016, or Exchange 2019 as the Version from the drop-down.
5. Enter a Name of the Exchange Server.
6. Enter the Address.
7. Enter the Username.
8. Enter the Password.
9. Repeat the same password in Confirm Password field.
10. You can select the Exchange Server-side Mail Box Indexing Enabled? checkbox if you have indexing enabled on the server.
Warning: If you want to use filters on the data collected, you must have this action checked.
11. Enable the Use Custom AD Settings checkbox to use a custom active directory instead of the local active directory server.
Note: By default, the application uses the local Active Directory server. If you have an advanced scenario, such as a cross-domain scenario, you can select this option and specify the AD Server, AD Port, AD BaseDN settings.
12. Select the Associated to all custodians checkbox to associate all the custodians to the server.
Note: If you have previously associated an individual custodian to a server, this action will overwrite the associations of the individual custodian.
13. Click Save.
Adding On-Premise Exchange data sources (EAC)
Notes:
- FTK Central supports collection for the Exchange 2019 version.
- Refer to the Exterro Exchange Admin Center (EAC) - Configuration Guide.
To add an On-Premise Exchange data source (EAC):
1. From the home page, click Data Sources.
2. Navigate to Exchange.
3. Click Add Exchange.
- The Add Exchange Mail Server Details pop-up is displayed.
4. Select Exchange EAC as the Version from the drop-down.
5. Enter a Name of the Exchange Server.
6. Enter the Address.
7. Enter the Username.
8. Enter the Password.
9. Repeat the same password in Confirm Password field.
10. Select the Associated to all custodians checkbox to associate all the custodians to the server.
Note: If you have previously associated an individual custodian to a server, this action will overwrite the associations of the individual custodian.
11. Click Save.
Mapping Exchange data sources to Custodians
To map an Exchange data source to custodians:
1. From the home page, click Data Sources.
2. Navigate to Exchange.
3. Click Map Custodian against the data source to be mapped.
- The Map Custodians pop-up is displayed.
4. Select the required custodians by enabling the checkbox against it.
5. Click Save.
Editing Exchange data sources
To edit an Exchange data source:
1. From the home page, click Data Sources.
2. Navigate to Exchange.
3. Click Edit against the data source to be edited.
- The Edit Exchange Mail Server Details pop-up is displayed.
4. Make the necessary changes.
5. Click Save.
Deleting Exchange data sources
To delete an Exchange data source:
1. From the home page, click Data Sources.
2. Navigate to Exchange.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of data sources by clicking the checkbox against it and clicking on Delete.
Box
You can configure the application to collect structured and unstructured data from Box. You can add, edit, or delete multiple accounts from this page.
Adding Box data sources
To add a Box data source:
1. From the home page, click Data Sources.
2. Navigate to Box.
3. Click Add Box.
- The Add Box Details pop-up is displayed.
4. Provide a Name for Box.
5. Enter the User Name.
6. Enter the Client ID.
7. Enter the Client Secret.
8. Enter the Public Key ID.
9. Enter the Private Key.
10. Enter the Private Key Password.
11. Click Save.
Editing Box data sources
To edit a Box data source:
1. From the home page, click Data Sources.
2. Navigate to Box.
3. Click Edit against the data source to be edited.
- The Edit Box Details pop-up is displayed.
4. Make the necessary changes.
5. Click Save.
Deleting Box data sources
To delete a Box data source:
1. From the home page, click Data Sources.
2. Navigate to Box.
3. Click Delete against the data source to be deleted.
- The Please confirm pop-up is displayed.
4. Click Yes.
Note: You can also perform bulk deletion of the data source by enabling the checkbox against it and clicking on Delete.