Introduction

...

  • This page provides instructions on creating a case in Forensic Toolkit (FTK).

Prepare checklist of digital storage devices

...

  1. Log into SharePoint and export the register of digital storage devices to Excel.

    1. Option 1: Export entire register and use Excel filters to filter the list based on Collection ID and/or Accession number.

    2. Option 2: Use Collection ID and/or Accession number columns to filter the list and create a new list view before exporting the register.

  2. The exported list is a temporary file. Discard the file after all images have been added to the case in FTK.

Create case in FTK

...

  1. Launch FTK.

  2. Click the Case menu and select New...

  3. Review the New Case Options window.

  4. Use the Collection ID or accession number as the Case Name.

  5. Leave the Reference field blank.

  6. Provide a brief description of the case that includes the fonds/collection name, types of digital storage devices, and any other information that helps describe the case.

  7. Optional: Attach a separate description file to the case. For example, you can use this field to attach a deed of gift or processing plan to the case.

  8. Use the default options for the Case Folder directory (G:\) and Database Directory (leave blank).

  9. Select an evidence processing profile. Most cases should use Field mode.

  10. Click on each profile to review detailed options.

    1. Forensic processing: Standard processing options.

    2. eDiscovery processing: Default processing options of the eDiscovery application.

    3. Summation processing: Default processing options of the Summation application.

    4. Basic assessment: Processing options for quickly reviewing the case data.

    5. Field mode: Field mode disables the standard options when processing evidence. Field mode is the fastest way to add evidence items to a case.

    6. Customize: Customize the defaults for how evidence added to this case will be pre-processed.

  11. When the New Case Options window is complete, click the OK button to build and open the case.

Add evidence items to case

...

  1. Add evidence items to case.

  2. Give

  3. Add each item to the appropriate evidence group (e.g., 3.5 inch floppies, optical discs, computer hard drives).

  4. Use the inventory as a checklist and ensure that previous accessioning and registration work is accurate and complete.

  5. Correct errors or omissions as needed (e.g., edit the record in the register of digital storage devices, create forensic images).
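
The checklist comparison in the steps above can also be scripted. The following is an added example, not part of the original procedure or of FTK: it assumes the register export has been saved from Excel as CSV, that evidence items are named after a register Device ID, and that the columns are called as shown; all sample data is constructed.

```python
import csv
import io

# Constructed sample: a register export saved from Excel as CSV.
# Column names are assumptions; match them to the real register.
REGISTER_CSV = """Device ID,Collection ID,Accession number,Media type
D-0001,COLL-100,2019-012,3.5 inch floppy
D-0002,COLL-100,2019-012,3.5 inch floppy
D-0003,COLL-100,2019-012,Optical disc
D-0004,COLL-200,2020-003,Computer hard drive
"""

# Constructed sample: evidence item names as added to the case, assumed
# to be named after the register's Device ID.
CASE_ITEMS = ["D-0001", "d-0003 ", "D-0003", "D-0099"]


def norm(value):
    """Compare identifiers case-insensitively, ignoring stray spaces."""
    return value.strip().upper()


def reconcile(register_csv, case_items, collection_id):
    """Check the case's evidence items against the register checklist."""
    rows = csv.DictReader(io.StringIO(register_csv))
    expected = {
        norm(r["Device ID"]): r["Media type"]
        for r in rows
        if norm(r["Collection ID"]) == norm(collection_id)
    }
    seen, duplicates = set(), set()
    for item in map(norm, case_items):
        (duplicates if item in seen else seen).add(item)
    return {
        "missing": sorted(set(expected) - seen),       # registered, not in case
        "unregistered": sorted(seen - set(expected)),  # in case, not registered
        "duplicates": sorted(duplicates),              # added more than once
        "groups": {d: expected[d] for d in sorted(seen & set(expected))},
    }


if __name__ == "__main__":
    for key, value in reconcile(REGISTER_CSV, CASE_ITEMS, "COLL-100").items():
        print(f"{key}: {value}")
```

Entries under "missing" are devices that still need an image added to the case; entries under "unregistered" point to a register record that needs correcting.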

Additional learning resources

...

https://www.youtube.com/watch?v=UZRN9py5G00

Next steps - Run additional analysis processing

...

See the procedures for running additional analysis processing in FTK.