Introduction

• This page provides instructions on creating a case in Forensic Toolkit (FTK).

Prepare checklist of digital storage devices

1. Log into SharePoint and export register of digital storage devices to Excel. 
   
   
   1. Option 1: Export entire register and use Excel filters to filter the list based on Collection ID and/or Accession number.
      
      
   2. Option 2: Use Collection ID and/or Accession number columns to filter the list and create a new list view before exporting the register.
      
      
2. The exported list is a temporary file. Discard the file after all images have been added to the case in FTK.

Create case in FTK

1. Launch FTK.
   
   
2. Click on Case menu and select New...
   
   
   
   
3. Review the New Case Options window.
   
   
   
   
4. Use the Collection ID or accession number as the Case Name:
   
   
   
   
5. Leave the Reference field blank.
   
   
   
   
6. Provide a brief description of the case that includes the fonds/collection name, types of digital storage devices, and any other information that helps describe the case.
   
   
   
   
7. Optional: Attach a separate description file to the case. For example, you can use this field to attach a deed of gift or processing plan to the case.
   
   
   
   
8. Use the default options for the Case Folder directory (G:\) and Database Directory (leave blank).
   
   
   
   
9. Select evidence processing profile. Most cases should use Field mode. 
   
   
   
   
10. Click on each profile to review detailed options.
    
    
    1. Forensic processing: Standard processing options.
       
       
       
       
    2. eDiscovery processing: Default processing options of the eDiscovery application.
       
       
       
       
    3. Summation processing: Default processing options of the Summation application.
       
       
       
       
    4. Basic assessment: Processing options for quickly reviewing the case data.
       
       
    5. Field mode: Field mode disables the standard options when processing evidence. Field mode is the fastest way to add evidence items to a case.
       
       
       
       
    6. Customize: Customize the defaults for how evidence added to this case will be pre-processed.
       
       
11. When the New Case Options window is complete, click the OK button to build and open the case.

Add evidence items to case

1. Add evidence items to case.
   
   
2. Give
   
   
3. Add each item to appropriate evidence group (e.g., 3.5 inch floppies, optical discs, computer hard drives).
   
   
4. Use inventory as a checklist, ensure previous accessioning and registration work is accurate and complete.
   
   
5. Correct errors or omissions as needed (e.g., edit record in register of digital storage device, create forensic images).

Additional learning resources

Next steps - Run additional analysis processing

See the procedures for running additional analysis processing in FTK.