TABLE OF CONTENTS




Live Preview

FTK Central users can now opt to view a Windows agent’s file system prior to any collection job being initiated; this allows users to cull any data before opting to collect any files using a typical collection job. You can view the hierarchical structure of the files and folders in the system and choose to preview the files via the viewer.  

 



UI Breakdown

General

 

UI Element

Description

Case Selection – A case must be selected when attempting to utilise live preview. This list will display all available cases on a global level.

Agent Selection – An agent must be selected when attempting to utilise live preview. This list will display all agents that have been added manually or via heartbeat.

Preview Agent – Clicking this will allow an agent’s file system to be shown as a live preview. 

 

  • If an agent has not been recently live previewed, the button will initiate the job to collect file system information. 
  • If an agent has been recently live previewed, the button will not initiate an additional live preview job and instead display the last file system information collected.

Rerun Live Preview Job – Clicking this will rerun the live preview job. This will bring back the latest file system information rather than previously attained information. It is only available after a user has successfully run a live preview job for an agent in the past.

Live Preview Job Selection – Toggling this option will allow users to select a Live Preview/Acquire Logical Drive job. Each option has varying workflows.

Agent Information – This pane will list basic network and hardware information.

 

  • Name – Hostname/IP of the agent selected.
  • IP Address – IP of the agent selected.
  • File Index – The currently toggled agent indexing status.
  • Number of Cores – Physical Cores of the agent selected.
  • Processor – Specifics about the processor.
  • Processor Count: Processor Threads of the agent selected.
  • RAM – Amount of volatile memory on the agent selected.

 


 

 

Search and Culling

 

UI Element

Description

Agent Indexing – Clicking this will allow Windows agent indexing to be toggled. By default, it is disabled. Additionally, users can provide specifics on what should/shouldn’t be indexed on the agent system using the Include/Exclude filter options. 

Live Preview Search

This field allows users to run quick searches against the Windows agents system index and accepts text strings connected by Boolean operators: AND and OR.

File System Tree – When a live preview job has been completed, the file system tree will be generated. Users must check the files and folders for collection.

File Preview Viewer

This pane allows users to view files natively within the FTK Central viewer. Users must click on a single file within a directory to preview the file. 

 

Exclusions:

  • DLL
  • EXE
  • Windows Folder 

 


 

Live Previewing an Agent

 


Warning:  Users must ensure that an agent has been added manually using the Data Sources tab or automatically added via an active heartbeat configuration. Additionally, users must have a case available prior to attempting a live preview.



 

To live preview and collect files/folders from an agent:

  1. From the home page, click Live Preview.
    • The Live Preview page is displayed.
  2. Select Live Preview in the top-right.
  3. Select a Case.
  4. Select an Agent from the agent list.
  5. Click the Indexing button  to configure indexing on the agent (Optional).


Notes:  


 

6. Click Preview Agent.

  • A Live Preview job will be initiated and will begin copying file streams to generate a live preview.


Notes:  
  • The time it takes to complete this process is entirely dependent on the network in use. 
  • If an agent is offline or the site server is failing to recognize the connection with the agent, users will be prompted with a message asking if they would like to be notified (in the bell icon ) when the agent regains connection with the site server. This status will be visible for 2 days or until the list of agents gets overwritten by the latest connection notifications (a list of 5 can be displayed at one time).


 

7. Once the job is completed, you can click Preview Agent again to refresh the file system tree and begin culling data.

8. Once the file system tree has been generated, locate any folders/files of importance and check them. Alternatively use the select all checkbox to select all files and folders for collection.

  • Clicking on a single file within sub directory/file list will fetch the file and display the file in its native view.

9. Click Review.

  • The Selection for Acquisition page is displayed.

10. Check the items to finalize the collection.

11. Click Acquire Files/Folders to proceed with the collection.

  • The collection job will begin.




Indexing Filters for Live Preview

The Windows agent can be configured to build a search index of the metadata and file contents of the system. The indexing is disabled by default, but for best results, you should configure the agent indexing settings to meet the requirements of your investigation.

 

Filter behaviors

The following are the fundamentals of using filters:

  • When writing queries for the Keyword(s) field, use the terms AND or OR to help refine your search. For example: “Apple AND Oranges” will return only the files with both terms “apple” and “oranges”.
  • In the extension field, you can use an asterisk (*) as a wildcard. For example, doc* which will include both .doc and .docx.
Note: You can specify multiple extensions by separating with a comma.


  • In the Path, you can include or exclude files based on folders/sub-folders in the share or on the computer. You can specify folders by doing the following:
    1. Include or exclude a complete folder name. Example: \\documents\my_Work_files\
    2. Include or exclude a folder name using wildcards. e.g. *work* 
    3. Spaces within a folder name are allowed. e.g. shared files
Note: You can specify multiple paths by separating with a comma.


  • Multiple properties are treated with AND: When you add a filter, you can configure one or more properties within the filter and the properties are combined as an AND function. For example, if you add an inclusion filter, and an extension of PDF and also a file size of greater than 2MB, the logic is “PDF” AND “>2MB”. The results will include only PDF files that have a file size greater than 2 MB.
  • Multiple values in the same property are treated with OR: When more than one values are provided for a same property, the values are treated with OR function. As another example, if you add an inclusion filter with two extensions “DOCX, XLSX” then the results will include both DOCX and XLSX files.
  • Path always takes precedence:   If you include a path as a property in a filter, any other properties specified in the same filter will only apply to the specified path. Suppose you target a network share \\documents and you create an inclusion filter and specify the folder my_Work_files. Additionally, in the same filter you specify a file extension as PDF. In this example, only the PDF files in the my_Work_files folder is included. 
  • Inclusion and Exclusion filters are treated with AND: You can add both Inclusion filter and Exclusion filter to get the required data. For example, specify an Inclusion filter with extension as PDF and an Exclusion filter, file size greater than 3MB. The result will include only PDF files that are less than 3MB. 




To configure the index filter for Live Preview:

1. From the Indexing button, click Include/Exclude.

  • The Apply Filter prompt is displayed.

2. Provide a name for the filter in Filter Name.

3. Select if you want to Include or Exclude the filtered files by enabling the required option in the top right corner of the prompt.

4. Configure the required filters as instructed in Filter Behaviors.

5. Click Apply.


 

Job Type

Description

  • Collection
  • Live Preview
  • Acquire Logical Drive
  • Indexing
  • Index Search

 

Selected files/folders/logical drive will be added to an .AD1 image maintaining the existing directory structure and will be located within the case folder associated to the selected case; the folder holding the .AD1 image is named AcquiredFiles.


Note:  This image will not be added to a case or processed. This must be done manually.

 

Acquired logical drives will be added to an .AD1 image maintaining the existing directory structure and will be located within the case folder associated to the selected case; the folder holding the .AD1 image is named AcquiredLogicalDrives. This image will be added to a case and processed using the default processing profile configure in the administration section.

Any files that may have been previewed in the viewer will be located within the case folder associated to the selected case; the folder holding the previewed files is named AgentLivePreview.

If indexing was enabled on an agent, the resulting log will be located within the case folder associated to the selected case; the folder holding the index log is named DTSIndexJob$.

When a search has been run again a live preview, the resulting index search report will be located within the case folder associated to the selected case; the folder holding the search report is named DTSIndexSearch$.



Acquiring a Logical Drive from an Agent

Logical drive acquisitions allow users to select specific partitions for collection. 

 

 


To acquire a logical drive from an agent:

  1. From the home page, click Live Preview.
    • The Live Preview page is displayed.
  2. Select Acquire Logical Drive in the top-right.
  3. Select a Case.
  4. Select an Agent from the agent list.
  5. Select a drive by checking it. 
  6. Click Acquire For Collection.
    • The collection job will begin. Once complete, the image will be added and processed in the selected case.