Forensic Toolkit Description

The Forensic Toolkit LogoForensic Toolkit is recognized around the world as the standard in computer forensics software. This court-accepted digital investigations platform is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs.


  • Create images, process a wide range of data types from forensic images to email archives, analyze the registry, conduct an investigation, decrypt files, crack passwords, and build a report all with a single solution.
  • Recover passwords from 100+ applications.
  • KFF hash library with 45 million hashes.
  • Comprehensive analysis of volatile data
  • Static RAM analysis from an image or against a live system
  • Enumerate all running processes, including those hidden by rootkits, and display associated DLLs, network sockets and handles in context.
  • Automatically decrypt (with proper credentials) Credant, Safe Boot, Utimaco, SafeGuard Enterprise and Easy, EFS, PGP, GuardianEdge, Pointsec and S/MIME.
  • FTK is the only computer forensics solution that can identify encrypted PDFs.   



EDAS FOX Ultimate Investigator

A picture of the EDAS Fox Ultimate Investigator The EDAS FOX “Ultimate Investigator” was designed to bring the very best in processing power to today’s forensic investigators; Combining dual high-speed multi-core processors, high speed Error Checking Memory, and a high performance SSD RAID gives you the best performance available. All EDAS FOX Systems are user friendly, and support all Windows based forensic platforms. The addition of a Raid Array to the system gives you a perfect package to process and store data all on one machine. Included in each system is the HTCI LABS DART software for complete cell phone rip analysis capability without any additional equipment required.


  • Two High Speed Intel Xeon E5-2630 Six Core Processor Clocked at 2.3 Ghz (2.8 Ghz Turbo)
  • 64 GB of High Speed, Error Checking DDR3 1600 Quad Channel Memory
  • An NVidia GeForce GTX 650 with multi-monitor support to ensure a silky smooth experience whether you are processing cases, writing reports, or viewing evidence
  • SSD Raid Arrays 6 x 128 GB SATA 6 Gbp/s SSD Drives (Two in RAID 0 for OS, Two in RAID 0 for Oracle Database, and Two in RAID 0 for Oracle Temp)
  • A High Capacity, High Speed 2 TB 7200 RPM 6 Gbp/s Hard Disk Data Drive to store files.
  • A High Capacity, Raid 6 Array Connected to a Dedicated Raid Card. Raid 6 Gives you a high speed, failure resistant Raid Array.
  • Dual 10/100/100 Mbps Intel Server Class LAN Ports
  • High Speed USB 3.0 for up to 10X Faster data transfers than USB 2.0
  • An Integrated Top Mounted SATA Hard Drive Dock for easy access to Bare SATA Hard Drives.
  • *NEW* 3x Hot Plug SATA Tray-less Bays, giving you access to easy to use, high speed hard drive bays for extra storage.
  • An Integrated Write-Blocked Multi-Card Reader to ensure forensically sound access to all types of media cards.
  • An integrated Write-Blocked Forensic Bridge, With USB 3.0, SATA, IDE, SAS, and FireWire Connections.
  • H.T.C.I.  Data Analysis Reporting Tool kit (DART) and one year subscription to our Investigator Portal



EnCase Forensic v7 Description

A picture of the EnCase Forensic v7EnCase® Forensic, the industry-standard computer investigation solution, is for forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process. The proven, powerful, and trusted EnCase® Forensic solution, lets examiners acquire data from a wide variety of devices, unearth potential evidence with disk level forensic analysis, and craft comprehensive reports on their findings, all while maintaining the integrity of their evidence.


  • Acquire data from disk or RAM, documents, images, e-mail, webmail, Internet artifacts, Web history and cache, HTML page reconstruction, chat sessions, compressed files, backup files, encrypted files, RAIDs, workstations, servers, and with Version 7: smartphones and tablets.
  • EnCase® Forensic produces an exact binary duplicate of the original drive or media, then verifies it by generating MD5 hash values for related image files and assigning CRC values to the data. These checks and balances reveal when evidence has been tampered with or altered, helping to keep all digital evidence forensically sound for use in court proceedings or internal investigations.
  • Recover files and partitions, detect deleted files by parsing event logs, file signature analysis, and hash analysis, even within compounded files or unallocated disk space.
  • The National Software Reference Library (NSRL) is provided in the EnCase hash library format, allowing user to easily de-NIST their evidence, eliminating thousands of known files from their evidence set. This reduces the time and amount of data that needs to be analyzed significantly.
  • View hundreds of file formats in native form, built-in Registry viewer, integrated photo viewer, see results on a timeline/calendar.
  • Export reports with lists of all files and folders along with detailed list of URLs, with dates and time of visits. Provide hard drive information and details related to the acquisition, drive geometry, folder structure, etc.
  • Once investigators have identified relevant evidence, they can create a comprehensive report for presentation in court, to management or stakeholders in the outcome of the investigation.




The MacQuisition

The Logo for the MacQuisitionMacQuisition™ is a powerful 3-in-1 live data acquisition, targeted data collection, and forensic imaging solution. Tested and used by experienced Mac forensic examiners for over 7 years, MacQuisition™ acquires data from over 185 different Macintosh computer models. Avoid complicated and time consuming take-aparts. MacQuisition™ runs on the Mac OS X operating system and safely boots and collects data from Xserve, Mac, iMac, Mac Mini, MacBook, and MacBook Air computers in their own native Mac OS X environment.


  • Target and forensically acquire files, folders, and user directories while avoiding known system files and other unresponsive data.
  • Preserve valuable metadata by maintaining its association with the original file.
  • Authenticate collected data using any or all MD5, SHA-1, or SHA-256 hash functions.
  • Thoroughly log data acquisitions and source device attributes throughout the collection process.
  • Selectively acquire email, chat, address book, calendar, and stickies on a per user, per volume basis.
  • Capture important live data such as Internet, chat, and multimedia files in real time.
  • Soundly acquire and save volatile Random Access Memory (RAM) contents to a destination device.
  • Choose from 21 unique system data collection options including active system processes, current system state, and print queue status.
  • Extensively log live data acquisition information throughout the collection process.
  • Avoid time consuming take-aparts. Use the source machine’s own system to create a forensic image by booting from the MacQuisition USB swivel key.
  • Image over 185 different Mac laptop, desktop, and OS X server models.
  • Write-protect source devices while maintaining read-write access on destination devices.
  • Extensively log forensic image acquisition processes, disk and volume attributes, and corresponding hash values.



The Wireless StrongHold Box

A picture of the Wireless StrongHold BoxParaben’s StrongHold Box is a portable faraday cage that can be used in the lab or in the field to block unwanted signals from reaching your evidence. You can perform a forensic examination of wireless devices without fear of signals ruining your work. The StrongHold Box allows you to have shielded power, light, data connections, and access to the contents of the box through signal blocking gloves.


  • The StrongHold Box is constructed of .090 Aluminum, utilizing precision machined tolerances throughout to maintain an RF-Tight environment.
  • The special “double lip” technology gives you an RF isolation greater than 90dB down at 1GHz.
  • The heavy duty RF sealed cover hinges open and close with a precision air piston.
  • Hands-on, complete access to the contents of the box is accomplished by using specially designed, silver impregnated, ultra fine mesh gloves that offer excellent manual dexterity.
  • The entire interior is lined with RF absorbent foam that provides 24dB attenuation.
  • The work area has built-in lighting via low voltage incandescent lamps powered by the RF Filtered AC Supply.
  • The Stronghold Box includes a Filtered RS-232 interface, Filtered USB data port and 6 outlet power strip (US Outlets) for supplying power to the phones.



The UltraKit III Description

A picture of The UltraKit IIIThe UltraKit III is a portable kit which contains a complete family of UltraBlock hardware write blockers along with adapters and connectors for use in acquiring a forensically sound image of virtually any hard drive or storage device you may encounter. Simply select the appropriate Write Protected UltraBlock and attach it to the source drive and use your desktop or laptop to acquire a forensically protected disk image to an internal drive or externally connected drive enclosure.

TD2 Features:

  • Disk to Dual Disk Duplication
  • Disk to DD File Duplication (FAT32, with the ability to span multiple destination disks)
  • Source Hashing (without duplication)
  • Drive-speed/real-time MD-5 and SHA-1 Hashing (simultaneous) for duplication and hashing
  • Destination Wiping (ATA Security Erase, 1-pass wipe, and 3-pass wipe)
  • Destination Disk Formatting
  • Source and Destination Blank Check (both automatic and menu-driven)
  • HPA/DCO Support (ability to defeat/remove HPA and/or DCO)
  • Native SATA or IDE on the source and destination
  • 80 Character User Interface
  • 2 USB Ports for Printing and/or Saving Reports to Thumb Drives (Planned for Rev 2)
  • 1 FireWire Port for Fast Firmware Updates
  • Upgradeable Firmware Offers Expanded Features

Additional Write Block Modules Included in the kit:

  • IDE/SATA T35es
  • SAS T6es
  • USB T8-R2
  • FireWire T9
  • FCR W2510



The UFED Touch Ultimate

A picture of tCellebrite’s new generation mobile forensic solution, UFED Touch Ultimate, enables the most technologically advanced extraction, decoding, analysis and reporting of mobile data. It performs physical, logical, file system and password extraction of all data (even if deleted) from the widest range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.


  • Physical extraction from BlackBerry® devices running OS 4-7.
  • Exclusive decoding: BBM data, apps, emails, Bluetooth, etc.
  • Widest support for Apple devices running iOS3+
  • Physical extraction and decoding while bypassing pattern lock/ password / PIN from Android devices including HTC, Motorola, Samsung Galaxy SIII family and more
  • Physical extraction from Nokia BB5 devices – password extraction from selected devices
  • File system extraction from any device running Windows phone 7.5 and 8 including Nokia, HTC, Samsung, Huawei and ZTE
  • The most powerful solution for phones with Chinese chipsets
  • TomTom® trip-log decryption, and data extraction from other portable GPS devices
  • Obtain existing and deleted data: apps, passwords, emails, call history, SMS, contacts, calendar, media ¬les, geotags, location information, GPS – xes etc.
  • Proprietary technology and boot loaders ensure forensically sound extractions



The XRY Complete Description

A picture of the XRY CompleteXRY is a software application designed to run on the Windows operating system which allows you to perform a secure forensic extraction of data from a wide variety of mobile devices, such as smartphones, GPS navigation units, 3G modems, portable music players and the latest tablet processors such as the iPad. Extracting data from mobile / cell phones is a specialist skill and not the same as recovering information from computers. Most mobile devices don’t share the same operating systems and are proprietary embedded devices which have unique configurations and operating systems. XRY has been designed and developed to make that process a lot easier for you, with support for over 8,000 different mobile device profiles.


  • IM card reading
  • S IM card cloning
  • Mobile device Logical examinations
  • Mobile device Physical examinations
  • GPS devices Physical examinations
  • Memory card Logical examinations
  • Memory card Physical examinations
  • Hex viewer
  • Hash algorithms
  • File signature analysis
  • Selective extraction of data