FTK Connect
FTK Connect is a robust automation add-on for FTK Central. Users can create workflows that include processes such as data ingestion, endpoint collections, exports, and searching and tagging documents. Although these operations can be carried out manually, FTK Connect lets an organization tailor the workflows to its needs while keeping them entirely automated, with manual, automated, scheduled and API Trigger execution methods.
Managing FTK Connect
Using FTK Connect, you can select and examine your data in multiple ways, using the panels described below.
Elements of Managing FTK Connect
Automations
Opening FTK Connect displays the Automations home page. This page lists every automation created so far, regardless of its current state (active or inactive), together with details such as name, description, created and modified dates, creator, active jobs and the number of times the automation has been run.
UI Breakdown
Left Pane
- Job Monitors - Takes you to the job monitor page where you can see automation-related job statuses.
- Automations - Takes you to the default home page where users can view the automations.
Click an automation to see an overview of the workflows it contains.
Right Pane
You can view the list of automations available along with the following details:

| Column | Description |
| --- | --- |
| Automation ID | The automation ID is assigned in incremental order. |
| Automation Name | The name provided for the automation. |
| Description | The description provided for the automation. |
| Created Date | The date when the automation was created. |
| Last Modified | The latest date when the automation was modified/edited. |
| Created By | The name of the user who created the automation. |
| Active Jobs | The jobs that are active and running at the moment. |
| Number of Times Run | The number of times the automation has been run to date. |
| Status | The status of the automation, Active or Inactive. |
Automation Options
You can also perform the following actions for the automations:
| Option | Description |
| --- | --- |
| Filter | Filters the columns to view automations accordingly. |
| Inactive/Active | Activates or deactivates the automation. |
| Pin | Pins and keeps the workflow at the top of the list. |
| Trigger Automation | Executes the automation. This icon is displayed only for Manual automations. |
| Edit | Edits an existing automation, allowing automation steps to be added or removed. |
| Duplicate | Makes a copy of an existing automation. |
| Delete | Deletes an automation. |
| Create | Starts creating a new automation. |
| Administration | Navigates to the Administration page within FTK Central. |
| Home page | Navigates to the FTK Central home page. |
| Job queue | Shows global job statuses. |
Automation Workflows
Warning: Before configuring Automation for new cases, a default path must be set within Case Defaults located in the Administration section.
There are six Workflows available out of the box in FTK Connect.
- Start
- Case Details
- Processing
- Search & Tag
- Export
- Collection
Start
The Start option is a mandatory workflow and is added by default, as it dictates how an automation is executed. Make sure the correct trigger type is selected so that the automation is executed as required.
The following are the options available:
| Option | Description |
| --- | --- |
| Watch Folder | Executes automations by listening to a watch folder location. When FTK Central is installed, it includes a listener that monitors a user-specified directory and waits until evidence (including loose files) has been fully transferred. |
| API Trigger | Executes workflows by calling the Automation ID from an API client. |
| Schedule | Schedules the execution of automations based on a date and time and, optionally, a recurrence. |
| Manual | Executes automations manually (by clicking Execute from the automations homepage). |
Watch Folder Rules
- A single Watch Folder must be associated with a workflow.
- UNC paths must be used when creating an automation workflow. The path must be accessible to the Service Account used during installation (e.g. \\ServerName\C$\WatchFolder).
- Any evidence (forensic images, loose files etc.) must be stored in a child directory within the Watch Folder. Files that are not transferred inside a folder are moved into an “Ignored” folder.
  - (e.g. \\ServerName\C$\WatchFolder\Case1_Evidence\)
- The case name is set from the name of the folder holding the evidence.
  - (e.g. \\ServerName\C$\WatchFolder\Case1_Evidence\ sets the case name to Case1_Evidence)
- When a folder holding evidence has been entirely transferred to the Watch Folder, it is moved to a folder named “Processed” within 3 minutes. This folder is used by FTK Central; processing begins within 5 minutes.
- If additional evidence needs to be added to an existing case, ensure the folder name is the same as the existing case name (e.g. adding evidence to the Case1_Evidence case requires a child directory named Case1_Evidence within the Watch Folder).
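The rules above decide whether a dropped file ever reaches a case, so it is worth checking a Watch Folder layout before evidence is transferred. The script below is an added example, not part of the FTK Connect documentation or product: it encodes the rules as stated here (UNC path required, evidence in a child directory whose name becomes the case name, loose root files moved to “Ignored”, keyword lists under a SearchAndTag sub-folder as described in the Search & Tag section, and evidence nested deeper than one sub-folder level not being processed, as noted under Limitations/Known Bugs). The function names, the report structure and the sample file list are this example's own.

```python
from collections import defaultdict


def is_unc_path(path):
    """True for a UNC path of the form \\\\Server\\Share[\\...], which FTK Connect requires."""
    if not path.startswith("\\\\"):
        return False
    parts = [p for p in path[2:].split("\\") if p]
    return len(parts) >= 2  # at least a server and a share


def check_watch_folder_layout(watch_folder, relative_files):
    """Classify files by where the Watch Folder listener would put them.

    relative_files: paths relative to the Watch Folder root, using backslashes,
    e.g. "Case1_Evidence\\disk.E01". Returns a report dict with "errors",
    "ignored" and, per case, the buckets "evidence", "wordlists" and
    "not_processed".
    """
    cases = defaultdict(lambda: {"evidence": [], "wordlists": [], "not_processed": []})
    report = {"errors": [], "ignored": []}
    if not is_unc_path(watch_folder):
        report["errors"].append(
            "%r is not a UNC path; use \\\\Server\\Share\\Folder" % watch_folder)
    for rel in relative_files:
        parts = [p for p in rel.split("\\") if p]
        if not parts:
            continue
        if len(parts) == 1:
            # Loose file at the root: it is not inside a child directory, so the
            # listener moves it to the "Ignored" folder instead of any case.
            report["ignored"].append(rel)
            continue
        case = cases[parts[0]]  # the child directory name becomes the case name
        if len(parts) == 2:
            case["evidence"].append(rel)
        elif len(parts) == 3 and parts[1].lower() == "searchandtag":
            # Keyword lists live in <Case>\SearchAndTag (folder name is case-insensitive)
            case["wordlists"].append(rel)
        else:
            # Nested deeper than one sub-folder level: per the Limitations
            # section this evidence is not processed.
            case["not_processed"].append(rel)
    report["cases"] = dict(cases)
    return report


def summarize(report):
    """Human-readable summary lines, one per finding."""
    lines = ["ERROR: " + e for e in report["errors"]]
    lines += ["IGNORED (loose at root): " + f for f in report["ignored"]]
    for name, buckets in sorted(report["cases"].items()):
        lines.append("case %s: %d evidence, %d wordlist(s), %d not processed" % (
            name, len(buckets["evidence"]), len(buckets["wordlists"]),
            len(buckets["not_processed"])))
        lines += ["  NOT PROCESSED (too deep): " + f for f in buckets["not_processed"]]
    return lines


if __name__ == "__main__":
    # Constructed sample layout, not real evidence.
    sample = [
        r"README.txt",
        r"Case1_Evidence\disk.E01",
        r"Case1_Evidence\SearchAndTag\terms.txt",
        r"Case1_Evidence\nested\deeper\memory.raw",
    ]
    for line in summarize(check_watch_folder_layout(r"\\ServerName\C$\WatchFolder", sample)):
        print(line)
```

Run it against a listing of the staging area before the transfer; anything reported as ignored or not processed will silently never appear in the case, which is the failure mode to catch before the 3-minute move to “Processed”.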
API Trigger Rules
- API inputs will supersede the inputs from other trigger types.
- Calling the workflow ID is sufficient to execute existing automations.
- A Watch Folder is not required when using the API trigger.
Note: Refer to the API Trigger Workflow section.
Schedule Rules
- In a manual workflow, if Processing and/or Search & Tag options are required, then a watch folder must be provided. Additional information is provided within the Start option.
- A Watch Folder is not required by default. A scenario where it may be useful to provide a watch folder path and scheduled execution is when a user may not want to ingest and process files until after hours. The scheduled date and time would be specified to execute the ingestion and processing of data using the specified parameters.
Manual Rules
- A Watch Folder is not required when using the Manual trigger.
- In a manual workflow, if Processing and/or Search & Tag options are required then a watch folder must be provided.
- Users must click “Execute” located on the automations homepage to start any manual workflows.
Case Details
The Case Details option can be added to an automation that requires data to be ingested/processed, or added by means of an agent collection, to a new or existing case.
Case Detail Rules
- By default, any automation created will be assigned to the user that created it.
- New cases will allow Users and/or Groups to be given access to a case.
- Multiple cases can be selected when using existing cases for an automation. Case access to existing cases will be dependent on the existing case access.
- New cases are named using the name of the Watch Folder path provided.
Processing
The Processing option allows users to select a defined Processing Profile from a list of default out-of-the-box options, or to select a custom profile created in any product of the FTK lineup. Additionally, users can select a specific Processing Manager to handle the processing jobs associated with an automation.
Note: Users can toggle the Stop on Error option to automatically stop any preceding automation options.
Processing Rules
- The Processing Profiles listed include default and custom profiles.
- A single Watch Folder must be associated with a processing workflow.
- A Watch Folder is not required when using the API trigger.
- The Processing option must be utilized if a new case is being created.
- The default Processing Profile will be dependent on the default configuration. These options can be found in Case Defaults within the Administration section.
- If the “Field Mode” processing profile is utilized, Search and Tag will not be functional.
Search & Tag
The Search & Tag option allows users to use wordlists (.txt) to automate the search and tagging of documents. Wordlists can contain specific terms followed by a label name.
Note: Users can toggle the Stop on Error option to automatically stop any preceding automation options.
Search & Tag Rules
- If the Watch Folder trigger is being utilized, keyword text files must be stored in a child directory within the Watch Folder holding the evidence. It must be named “SearchAndTag” (case insensitive).
  - (e.g. \\ServerName\C$\WatchFolder\Case1_Evidence\SearchAndTag)
- If the Browse option is selected within the Search & Tag options, the folder restriction above does not apply.
- If the API trigger is being utilized, a Watch Folder path is not required.
- Search terms should be provided one per line.
- Multiple search term lists can be provided.
- A search term can be followed by a label. If no label is provided, the search term itself is used as the label name.
  - (SearchTerm,Label1)
- A search term report is created upon successful execution. This report is stored within the case folder associated with the workflow.
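The wordlist format above is simple enough to validate before an automation runs, which avoids a Search & Tag step that tags nothing because of an empty line or a typo in a label. The following parser is an added example and is not FTK Connect's own code: it reads the one-term-per-line format with an optional “,Label” suffix, defaults the label to the term as the rules state, merges several lists, and reports duplicates. It assumes (its own reading of the format) that the first comma separates term from label, and the sample wordlist is constructed.

```python
def parse_wordlist(text):
    """Return [(term, label), ...] from one Search & Tag wordlist (.txt).

    One term per line; an optional ",Label" follows the term. When no label
    is given the term itself is used as the label. Blank lines are skipped;
    a line with an empty term is an error rather than a silent no-op.
    """
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        term, _, label = line.partition(",")  # assumption: first comma splits term/label
        term, label = term.strip(), label.strip()
        if not term:
            raise ValueError("line %d: empty search term" % lineno)
        pairs.append((term, label or term))
    return pairs


def merge_wordlists(texts):
    """Merge several wordlists into {label: [terms]}.

    Returns (by_label, duplicates) where duplicates lists (term, label)
    pairs that appeared more than once across all lists, so the same term
    is not queued twice for the same label.
    """
    by_label = {}
    seen = set()
    duplicates = []
    for text in texts:
        for term, label in parse_wordlist(text):
            if (term, label) in seen:
                duplicates.append((term, label))
                continue
            seen.add((term, label))
            by_label.setdefault(label, []).append(term)
    return by_label, duplicates


# Constructed sample wordlists, not real case material.
SAMPLE_WORDLIST_A = """\
invoice,Finance
wire transfer,Finance
confidential

passport
"""

SAMPLE_WORDLIST_B = """\
invoice,Finance
badge number,HR
"""


if __name__ == "__main__":
    merged, dupes = merge_wordlists([SAMPLE_WORDLIST_A, SAMPLE_WORDLIST_B])
    for label, terms in sorted(merged.items()):
        print("%-12s %s" % (label, ", ".join(terms)))
    print("duplicates:", dupes)
```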
Collection
The Collection option allows users to use templated (non-scheduled) collections within an automation. These collections can be put into an existing case and processed.
Note: Users can toggle the Stop on Error option to automatically stop any preceding automation options.
Collection Rules
- A Collection workflow can only be utilized when using new cases.
- The supported collection methods are listed below:
  - Filtered Acquisition
  - Full Disk Acquisition
  - Memory Acquisition
- Collection workflows can only be utilized with the use of collection templates. Collection templates can be created within the Collection tab.
- Target(s) must be added to a collection template.
- Auto approval must be set within a collection template.
- Scheduling must not be present within a collection template.
Export
The Export option allows data to be exported in the specified format, including natives, portable cases and AD1. The data to export can be selected in the following ways:
- By Extension
- By File Category
- By Custom Filter
- By Search & Tag (this option appears when a Search & Tag automation step is used)
- By Tag (applicable to existing cases only; either by Labels or by Bookmarks)
Note: Users can toggle the Stop on Error option to automatically stop any preceding automation options.
Export Rules
By Custom Filter
- The Custom Filter drop-down will list custom filters created in FTK Lab/Enterprise.
- Default filters will not be listed.
By Search & Tag
- Search and Tag must be selected within a workflow to enable this export type.
By Tag
- An existing case must be selected within Case Details to enable this export type.
- All Labels and/or Bookmarks can be exported.
By Extension
- Multiple file extensions must be comma (,) separated.
Export Formats
Natives and AD1
- Native exports do not require a template.
- Exports without templates will be exported using (application) default settings.
- Templates can be created within the export section of a case.
Export Format Portable Case
- Template is not required for a Portable Case.
Export Format Load File
- Load File exports must include a template.
- Templates can be created within the export section of a case.
Creating an automation
You can create automations using all of the available workflows or only the ones you need.
Note: Click the Rules Section icon to list the rules to consider when configuring each section of the automation.
1. From the Home Page of FTK Central, click FTK Connect.
- The Manage Page of Automation is displayed.
2. Click Create.
3. Enter an Automation Name.
4. Enter an Automation Description.
5. Click Actions.
- The Automation Workflows section is displayed.
6. Fill in the required details for the Automation Workflows.
Note: It is mandatory to configure the Start and Case Details Automation Workflows. Also, you can refer to the Automation Workflows section for detailed rules.
7. Once the Automation Workflows are configured, click Schedule.
8. Set the time intervals, (Date and Time) for the Schedule to be triggered.
Note: The time interval is requested only for the Schedule trigger type. This step can be skipped for the other trigger types (Watch Folder, API Trigger and Manual).
Note: You can also set the Recurring tasks for the Schedule.
9. Click Finish.
The Automation will be created successfully and listed on the Manage page of Automation.
Note: By default, once the automation is created, it will be in Active status.
Job Monitors
The Job Monitor displays all jobs related to the created automations. You can Delete jobs as well as access automation-specific job logs.
Tip: To filter the automation job list, enter a keyword into the search box at the top of the automations page and click the search button or press Enter.
The Job Monitors page displays the following information:
- A live count of active, completed, waiting, canceled and error jobs.
- A list of automation-related jobs that are active, waiting or completed.
The job log only retrieves logs related to a specific workflow; it does not list every job across the application.
To delete a job:
1. Click Delete against the job to be deleted.
- A confirmation pop-up is displayed.
2. Click Yes.
To download a job log:
1. Click Download against the job.
Limitations/Known Bugs
- Watch Folder - Evidence is processed only if it is within one sub-folder level. Evidence nested inside multiple sub-folders is not processed.
- Schedule - If an automation is created with the Schedule trigger and then set to 'Inactive', it is still triggered at the specified time unless the automation is deleted.
API Trigger Workflow
To create an API Trigger workflow:
- From the Create Automation page, choose API Trigger from the ‘Trigger’ drop-down in the Start step.
- Create the automation with the desired steps.
The following sections demonstrate how to trigger the automation with Postman API client tool.
Generating User ID
Send a POST request from the Postman API client to the following URL to generate the User ID:
https://<ftkcapp>/api/RequestLogin
The body of the POST request should contain the following key/value pairs:

| Key | Value |
| --- | --- |
| UserName | The FTK Central email address of the user for whom the User ID is to be generated. |
| Password | The FTK Central password of that user. |
| URL | Set the value of URL to “cookie”. |

The response body of the POST request contains the User ID for the provided FTK Central/Connect user.
Generating Enterprise API Key
The EnterpriseApiKey is generated using the following URL:
<ftkcapp>/api/security/<user_id>/getenterpriseapiguid
The value of “user_id” is the value generated in the Generating User ID section.
Sending API Trigger Request
Send a POST request from the Postman API client to the following URL to trigger the automation:
https://<ftkcapp>/api/workflow/triggerworkflow/<automation_id>
The headers of the request should contain the following key/value pairs:

| Key | Value |
| --- | --- |
| Content-Type | Set the value of Content-Type to “application/json”. |
| EnterpriseApiKey | The EnterpriseApiKey generated in the Generating Enterprise API Key section. |

Provide the body of the request in the following format:

```json
{
  "createCase": {"CaseName": "TestAPI-557"},
  "AddEvidence": {"EvidencePath": "\\\\agi-fresh7x.addev.accessdatagroup.net\\Data2\\TestData\\PRECIOUS.E01"},
  "Export": {"ExportPath": "\\\\agi-fresh7x.addev.accessdatagroup.net\\Projects_Data\\Exports"},
  "SearchAndTag": {"FolderLocation": ["\\\\172.31.9.113\\Data2\\TestData\\searchandtag"]},
  "Collection": {"TargetIps": ["172.31.89.120"]}
}
```

| Request | Description |
| --- | --- |
| createCase | Applicable to the new case creation step. |
| AddEvidence | Applicable to the Processing step; the evidence path must be provided. |
| Export | Applicable to the Export step; the export path must be provided. |
| SearchAndTag | Applicable to the Search & Tag step; the location of the search & tag files must be provided. |
| Collection | Applicable to the Collection step; the target IP for collection must be provided. |

A successful request returns true in its response body and the automation is triggered.
Sending API Trigger Request without Login Request
If the EnterpriseApiKey for the user is already available and the user is logged into the FTK Connect application, the POST request can be sent directly to the following URL from the Postman API client, with the headers and body described in the Sending API Trigger Request section:
https://<ftkcapp>/api/v2/enterpriseapi/workflow/triggerworkflow/<automation_id>
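The three requests above (RequestLogin, getenterpriseapiguid, triggerworkflow) are usually scripted rather than sent by hand from Postman. The client below is an added example using only the Python standard library; it is not AccessData/Exterro code and the page does not publish an official client. It follows the URLs, headers and body layout documented above and makes the following assumptions, which the page does not state: the login key/value pairs are sent as a JSON object, the API-key request is a GET, both the User ID and the EnterpriseApiKey come back as the raw response body, and the login session is carried as a cookie (hence the cookie jar). The `transport` argument, the `FtkConnectClient` and `build_trigger_body` names, and the FTKC_* environment variables are this example's own.

```python
import http.cookiejar
import json
import os
import urllib.request


class UrllibTransport:
    """HTTPS transport that keeps cookies between requests (assumption: the
    login response sets a session cookie, hence URL=cookie in the login body)."""

    def __init__(self):
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def __call__(self, method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with self.opener.open(req, timeout=60) as resp:
            return resp.read().decode("utf-8")


def build_trigger_body(case_name=None, evidence_path=None, export_path=None,
                       search_and_tag_folders=None, target_ips=None):
    """Build the triggerworkflow body, including only the steps the automation uses.

    Key names and nesting follow the body shown in the documentation above.
    """
    body = {}
    if case_name:
        body["createCase"] = {"CaseName": case_name}
    if evidence_path:
        body["AddEvidence"] = {"EvidencePath": evidence_path}
    if export_path:
        body["Export"] = {"ExportPath": export_path}
    if search_and_tag_folders:
        body["SearchAndTag"] = {"FolderLocation": list(search_and_tag_folders)}
    if target_ips:
        body["Collection"] = {"TargetIps": list(target_ips)}
    return body


class FtkConnectClient:
    """Thin client for the three API Trigger requests. `transport` is an
    injection point (this example's own design) so the requests can be
    inspected in a test without a live FTK Central server."""

    def __init__(self, host, transport=None):
        self.base = "https://" + host.rstrip("/")
        self.transport = transport or UrllibTransport()

    def request_login(self, username, password):
        """POST /api/RequestLogin; the response body carries the User ID."""
        payload = {"UserName": username, "Password": password, "URL": "cookie"}
        text = self.transport("POST", self.base + "/api/RequestLogin",
                              {"Content-Type": "application/json"},
                              json.dumps(payload).encode("utf-8"))
        return text.strip().strip('"')

    def get_enterprise_api_key(self, user_id):
        """Fetch the EnterpriseApiKey for a User ID (assumed to be a GET with no body)."""
        url = "%s/api/security/%s/getenterpriseapiguid" % (self.base, user_id)
        return self.transport("GET", url, {}, None).strip().strip('"')

    def trigger_workflow(self, automation_id, api_key, body, v2=False):
        """Trigger an automation; returns True when the service answers true.
        v2=True uses the enterpriseapi endpoint that needs no login request."""
        path = ("/api/v2/enterpriseapi/workflow/triggerworkflow/" if v2
                else "/api/workflow/triggerworkflow/")
        headers = {"Content-Type": "application/json", "EnterpriseApiKey": api_key}
        text = self.transport("POST", self.base + path + str(automation_id),
                              headers, json.dumps(body).encode("utf-8"))
        return text.strip().lower() == "true"


if __name__ == "__main__":
    # Host, credentials and automation id come from the environment (assumed
    # variable names) so that no password or API key is hard-coded in the script.
    client = FtkConnectClient(os.environ["FTKC_HOST"])
    user_id = client.request_login(os.environ["FTKC_USER"], os.environ["FTKC_PASSWORD"])
    api_key = client.get_enterprise_api_key(user_id)
    body = build_trigger_body(case_name="TestAPI-557",
                              evidence_path=r"\\ServerName\Data\Evidence\image.E01")
    print("triggered:", client.trigger_workflow(os.environ["FTKC_AUTOMATION_ID"], api_key, body))
```

The EnterpriseApiKey is the only thing the triggerworkflow endpoint checks, so treat it like the account password it was derived from: keep it out of source control and shared Postman collections, generate it for a dedicated least-privilege FTK Central account rather than an analyst's own login, and review the Job Monitors page for triggers you did not expect.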