Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

CRAIG BALL BEATS ME TO IT: THE DISASTER THAT IS FTK 2.0

May 12, 2008

Here I had gone to the trouble of asking my partner John to stop grousing about FTK 2.0 and actually write about it and then he smugly points out that he doesn’t need to – our colleague and friend Craig Ball has beaten him to the punch. John further points out what is so often true, that no one could say it so well and . . . scathingly . . . as Craig did.

John and the other forensics technologists at Sensei were great fans of FTK 1.7x (the version we use) – loved the upfront indexing and the speed of indexed searching with the integrated dtSearch function. Now we get a higher-priced (and higher-maintenance) version which won’t install cleanly, doesn’t work on Vista, and places all data from various cases in a single database. We thought that we had purchased maintenance that entitled us to free upgrades. Apparently, AccessData has redefined the definition of free. Sure, you get FTK 2.0 itself for no additional charge, but be prepared to pony up $50 for the new (I’m not sure improved or special) dongle that is required for this new version. So what happened to the free upgrade? Even Guidance Software didn’t charge (unless you didn’t return the old ones) for the upgraded dongles.

We’ve tried to use FTK 2.0 on 4 of our smaller cases just to see how it works. Not well would be an understatement. The cases involved single drives of 40GB and 80GB in size. Only one of the four was able to index the evidence overnight and that was one of the 40GB drives. Forget about the 80GB drives. To make matters worse, you have to let the processing continue to completion since there is no option to stop and pick up where you left off. Be prepared to dedicate a computer to processing the electronic evidence for a very long, long time. Think in terms of Rip Van Winkle.

To continue the rant, AccessData must have redefined the word ‘save’ in addition to free. After processing the ONE 40GB drive for multiple hours during the night and saving the case, the case could not be reopened. So much for saving the case file. Geez, even Microsoft gets that right.

So what have we done to recover from our apparent participation in the FTK 2.0 beta test? We’ve moved our licenses back to the original dongle so we can run cases in version 1.71 on Windows 2000, Windows XP and Windows Vista analysis machines. It really pains us that AccessData had an excellent opportunity to grab a huge amount of market share from Guidance Software (which is working overtime to alienate the private sector) and totally blew it. We really wanted to love this product and now feel burned by a faulty product that was clearly prematurely released.

That’s the semi-short version – to get the full version of Craig’s wrath (as if you didn’t get enough here), just check out his review. If this were Broadway, this play would have had a one-night run.

Craig’s review of FTK 2.0 may be found at http://commonscold.typepad.com/eddupdate/2008/05/ftk-20-product.html

Phone: 703-359-0700