Tue 19 Jun 2007
Scenario: You perform a keyword search. FTK returns hits in emails with attachments for the keyword you searched for. Since you are a good forensic examiner, you validate the completeness of the results. Unfortunately you notice that several attachments reference emails which are not present. Reason: The keyword hit only on the attachment content, not on the email message itself.
Problem: How do you locate the parent email which contained the attachment with the keyword hit?
Answer 1: Manually review each item in your search result set using “View the item in a different list – Email tab”. Fine if you have only a few items.
Answer 2: Wait for a new version of FTK to come out and hope the feature to export parent emails is included. According to AccessData’s support form, it might be in a new release.
Answer 3: Use the attached Microsoft Excel spreadsheet. I recently worked a case where I was in the same situation and needed a somewhat automated tool. So I took it upon myself to write a VB macro that basically compares two columns from the FTK “Copy special…” feature.
Here is how you would use the tool.
Within FTK perform the following steps:
Step 1: Perform your search on emails with attachments within FTK
Step 2: Right-click in your search result pane and select “Copy Special …”
Step 3: Select “All Currently Listed Items”
Step 4: Only check the “File name” and “Attachment Info” column
Step 5: Select “Clipboard” within the Copy destination section.
Step 6: Click “Copy” button
Open the Excel spreadsheet (don’t delete any of the columns)
Step 1: Click on the “FTK Feed” worksheet tab
Step 2: Paste the results you have copied above into the “FTK Feed” worksheet.
Step 3: Within the “FTK Feed” worksheet, select column B2 and sort in “ascending” order
Step 4: Go to the “Locator” tab.
Step 5: Press the button…
The macro walks column A and compares each value to column B. Column A is the “base”, extracted from the “Attachment Info” column; column B contains all files and email messages in the result set. If a value from column A is also in column B, you are lucky. If not, the macro marks it in RED. You still have to find the message within FTK, but now you have a list to work with.
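The same column comparison as an added Python example, not the spreadsheet's own VBA macro: it parses a constructed sample of the “Copy Special…” clipboard output and lists every attachment whose parent email is absent from the result set. The tab-separated layout, the header names and the “Attachment of:” prefix in the Attachment Info column are assumptions; unlike the macro it compares names case-insensitively, as Excel does.

```python
import csv
import io

# Constructed sample of what FTK's "Copy Special..." is assumed to place on the
# clipboard: tab-separated, header row, "File name" and "Attachment Info" columns.
SAMPLE_CLIPBOARD = """File name\tAttachment Info
budget.xls\tAttachment of: Re: Q2 numbers.msg
Re: Q2 numbers.msg\t
contract.pdf\tAttachment of: Signed contract.msg
notes.txt\tAttachment of: Meeting follow-up.msg
Meeting follow-up.msg\t
"""

ATTACH_PREFIX = "Attachment of: "  # assumed prefix used in the Attachment Info column


def parse_copy_special(text):
    """Return (file_name, attachment_info) rows from the pasted FTK export."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    return [(row["File name"], row.get("Attachment Info") or "") for row in reader]


def parent_name(attachment_info):
    """Extract the parent email name referenced by an Attachment Info value."""
    info = attachment_info.strip()
    if info.startswith(ATTACH_PREFIX):
        return info[len(ATTACH_PREFIX):].strip()
    return info or None


def find_missing_parents(rows):
    """Column A (parents referenced by attachments) checked against column B
    (every item listed). Returns {attachment: parent} for parents not listed."""
    listed = {name.casefold() for name, _ in rows}
    missing = {}
    for name, info in rows:
        parent = parent_name(info)
        if parent and parent.casefold() not in listed:
            missing[name] = parent
    return missing


if __name__ == "__main__":
    for attachment, parent in find_missing_parents(parse_copy_special(SAMPLE_CLIPBOARD)).items():
        print(f"{attachment}: parent email '{parent}' is not in the search results")
```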
I know the tool doesn’t really solve the problem, yet it helps automate the process of locating the missing parent email.
I hope this helps.
Download: Find Parent Email (12.28 KB, 267 downloads), updated on 2009-02-16
NOTE: Use this tool at your own risk. Make sure you test the results.