FTK Setup and Case Management Guide

This document provides instructions for setting up and using AccessData's Forensic Toolkit (FTK). It discusses connecting to a virtual private network to obtain an FTK license, launching FTK, potential warning dialogs that may appear, setting up a new case file, and configuring processing options such as hashing functions and indexing. The goal is to guide students through initially processing a case in FTK to make evidence searchable and analyzable.


Authors:

Ovie Carroll – oviecarroll@gmail.com


Rob Lee – rlee@sans.org

http://twitter.com/robtlee
http://twitter.com/sansforensics

Special Thanks to Chad Tilbury, Ovie Carroll, and Jenny Delucia. Your thoughts, opinions, research, and
insight were invaluable to the creation of the course.

1-B
We have your SANS virtual machine set up so if you are connected to our Virtual Private Network (VPN),
you will obtain your FTK license from our server and everything should work just as if you had plugged in
your own FTK license.

2-B
After launching FTK, you should get the FTK splash screen. Hang on: depending on the speed of your
machine, it will go away 10-20 seconds after FTK initializes. The version we are using in class is
FTK 4.1.0.502, 32-bit. FTK ships in both 32-bit and 64-bit versions. Because the hard drives and data
sets digital investigative analysts see today have become so large, you want to use the most powerful
system you can, with as much RAM as possible. It is also recommended that all forensic workstations run a
64-bit operating system so they can take advantage of large amounts of RAM.

3-B
Now did anyone receive this warning dialog box?

If you did, one of five things happened:


1. You forgot to insert your license dongle.
2. You did not install the dongle drivers.
3. Something happened during the install of your dongle drivers that caused the driver installation
not to successfully complete.
4. You are not connected to the SANS VPN.
5. You are not connected to the instructor license server.

If your dongle is inserted into your machine, first try inserting it into a different USB port. If that does
not work, try uninstalling the dongle driver from the Control Panel “Add or Remove Programs” applet and
then reinstalling the dongle drivers, making sure you DO NOT have your dongle inserted during the
installation process.

If you are using the SANS VPN or connecting to the instructor's license server to obtain your license and
are seeing this, then raise your hand and let me or one of the class assistants know so we can try to help
get you connected.

4-B
Next we are going to go through the steps necessary to set up your own case file. In some organizations,
you may have lab technicians do this for the examiners so when the examiner gets ready to start an
analysis, the case file already has been created and indexed. We will be covering:

• How to enter basic case information.


• How to check what you want included in the case log.
• How to check the processes that you want run on the evidence.
• How to select the criteria for adding evidence to the case.
• How to select the criteria for creating the index.
• How to add the evidence.
• How to review your selections.
• And how to start the processing of evidence.

5-B
When you launch FTK, the first thing you should see is the AccessData FTK Case Manager interface and
an authentication dialog box. We will log in with the application administrator account. This account
allows you to administer the FTK application and create user accounts. The application administrator
account has full rights to access every case, can create new users, change passwords for users (it does not
need to know the user's old password to change it) and assign rights at the global level.

When setting up your FTK environment at your workplace you should strongly consider establishing
individual accounts for each examiner. Additionally, you can set up accounts with review only privileges
that will allow an individual the ability to review a case but not add additional evidence, manage KFF,
export items from the case, etc.

We will be using the application administrator account during class. Let’s go ahead and log into the FTK
case manager interface.

The application administrator username is “sansforensics408” and the password is “forensics”.

6-B
7-B
Starting with the stand-alone version of FTK 3, you can add three additional computers to be used as
distributed processing engines. This can significantly speed up the initial case processing.

To use additional computers as processing engines, those computers can NOT have the full version of
FTK installed; they can only have the processing engine installed. The processing engine can be found on
the FTK install disk. One way to set up your lab environment to take advantage of distributed processing
is to give each forensic workstation a dual-boot configuration: the primary partition is set up normally as
your forensic analysis machine and the second partition has only the processing engine installed.

On the menu bar, select Tools; Processing Engine Config…, and enter the IP Address of the remote
computer then add the computer to the list of available processing engines.

When you want to use distributed processing to process a case, simply reboot your additional machines
into the distributed processing partition then launch FTK from your primary machine. It will then be able
to see and use the processing power of the additional machines.

When initially processing a case, FTK will use as much RAM and processor power as possible. This can
leave your computer and your FTK user interface relatively sluggish or unresponsive. An interesting
option under this configuration utility is a check box that gives you the ability to maintain the user
interface performance while processing cases. This option does slow down the processing of your case
but makes your FTK user interface much more responsive while the case is being indexed.

8-B
To start a new case select “Case”, then “New…” from the menu bar of the Case Manager interface.

The New Case Options dialog box will open; type “dblake” in the “Case Name” field.

Next is the “Reference” field. You can add a reference such as a case number or work load tracking number.

The next field is “Description”, where you can type up to 512 characters describing the case. For cases where
the description requires an extensive explanation, the “Description File” field allows you to attach a file such as
a text or Word document describing the case.

Next is the “Case Folder Directory”. Select the “…” navigation button to navigate to the directory where your case
will be stored.

To optimize your forensic workstation, the case folder should be on a separate drive from the forensic images. The
next field is the “Database Directory” and it should also be on a separate drive from the case folder and the images.

Since this is a small case, we are going to leave it in the same directory as the case folder so select the check box
next to “In the case folder”. This will also make it easier to move your case from one machine to another if
needed.

At the bottom of the New Case Options dialog box there is a “Field Mode” checkbox. If you would like to
immediately start looking at your case and start conducting triage you can select this box and all processing and
indexing will be postponed. Field Mode does no processing of any kind, including file signature analysis. The case
evidence tree will be shown as soon as the case is open and files will be listed in the overview tab based on file
extension only.

The last item we need to look at before moving on is the “Detailed Options…” button. Select “Detailed
Options…” and we will take a look at processing options.

9-B
The Detailed Options Evidence Processing tab may be familiar to those who used previous versions of FTK, with
some improvements.

At the top of the Evidence Processing dialog box you will find all of your hashing functions. You have the
option to create MD5, SHA-1, SHA-256 and Fuzzy hashes. You can save some time by only using the MD5
hash. If you want to use the known file filters (KFF) feature of FTK, MD5 is the hash value that KFF signatures
use and must be enabled. Additionally, FTK automatically adds the SHA-1 hash when using the KFF feature.

The Fuzzy Hashing function is also known as contextual piecewise hashing. Fuzzy hashing looks for
homologous files, not exact matches. This feature is very helpful with intellectual property cases or other
situations where you need to find similar files. Warning, enabling fuzzy hashing adds considerably to the time it
takes to initially process the case.

“Flag Duplicate Files” identifies files with identical hashes and flags them as primary and secondary. The
primary flag has no significance other than that it was the first file found during case processing.

Expanding compound files can be time intensive but depending on the case type you are analyzing can be very
helpful. You can reduce the number of files to expand if you know some file types are not significant to your
analysis.

Entropy Test runs against unknown file types to test whether the file is encrypted or compressed. If an unknown
file is encrypted or compressed, it will not be indexed. Since the likelihood of getting anything useful from
indexing such files is remote, this can save you time in the initial processing of your case.

10 - B
FTK uses the dtSearch indexing engine to index your case. This makes all indexed search results
instantaneous. When you process a case you will almost always want to enable this feature. FTK requires free
space equal to 50% of the size of the evidence files to initially index the case. Once the case is created, the index
shrinks back to approximately 25% of the size of the case, but it needs that extra space for working room during
the initial indexing.

Data Carve - Data carving looks for data that was lost or deleted from the file system and is predominantly done
by identifying file headers and/or footers, and then “carving out” the blocks between these two boundaries. Data
carving is a time intensive process and generally it is best to do data carving as a secondary step after the case
has been indexed. This can easily be accomplished by selecting the “Evidence” then “Additional Analysis…”
options from the menu bar of FTK. By default data carving will look for AOL bag files, BMP, EMF, GIF,
HTML, JPEG, LNK, OLE (MS Office), PDF, and PNG files but you also have the option of creating your own
custom data carvers to meet your specific needs.

Meta Carve – Meta carve searches volume free space for deleted directories that have been orphaned. Orphaned
directories are directories whose parent directory has been deleted or overwritten.

OCR - converts text in graphic files to text. A new file containing the OCR’ed text will be created and is named
the same as the parent graphic, [graphic.ext], but with the .OCR extension, (e.g. IncomingFax.jpg.ocr)

FTK can use two OCR engines: Tesseract (the default, included with FTK) and GlyphReader (which requires
separate licensing).

Evidence refinement - if you exclude a file type they can never be brought back into this case, a new case would
have to be created.

Ref:
MD5 Hash - http://www.loc.gov/standards/premis/pif-presentations/rebecca-SKOS/cryptographicHashFunctions-MD5.html
SHA-1 & SHA-256 - http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
Fuzzy Hashing - http://accessdata.com/downloads/media/Fuzzy_Hashing_for_Investigators.pdf
Tesseract - http://code.google.com/p/tesseract-ocr/
GlyphReader OCR - http://www.atalasoft.com/products/dotimage/ocr/glyphreader/

11 - B
12 - B
By default, FTK’s indexing options interpret 35 special characters such as / : ; ? @ as a space. You can
specially configure the indexing options to allow any or all of these characters to be indexed as they are. As an
example, if you think it would be valuable to be able to search for full e-mail addresses you can select the @
symbol from the list of characters listed in the “Spaces:” box, then select “Remove”. The @ symbol will now be
indexed as itself and you can conduct indexed searches for full e-mail addresses such as “rob@sans”.
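As an added illustration of what the “Spaces:” list does (example code written for these notes, not FTK's indexer), the following Python script builds a small inverted index with a configurable separator set and runs the same query twice: once with @ treated as a space and once with @ removed from that set. The separator list is a stand-in for FTK's real 35-character list, and the two sample items are constructed, not taken from the case image.

```python
"""Added example: an index whose separator set can be tuned, showing what
removing "@" from the "Spaces:" list does to an indexed search.
Not FTK code; the separator list is a stand-in for FTK's real one."""
from collections import defaultdict

# Assumption: a stand-in for the characters the indexer treats as spaces.
DEFAULT_SPACE_CHARS = set("/:;?@.,!\"'()[]{}<>=+-*&%$#^~`|\\ \t\r\n")

# Constructed sample "evidence" (two short text items), not from the case image.
SAMPLE_DOCS = {
    "mail1": "From: rob@sans.org",
    "mail2": "Rob sent the SANS brief to bob@example.com",
}


def tokenize(text, space_chars=DEFAULT_SPACE_CHARS):
    """Split text into lower-cased index terms; every char in space_chars is a separator."""
    terms, current = [], []
    for ch in text:
        if ch in space_chars:
            if current:
                terms.append("".join(current).lower())
                current = []
        else:
            current.append(ch)
    if current:
        terms.append("".join(current).lower())
    return terms


def build_index(docs, space_chars=DEFAULT_SPACE_CHARS):
    """Inverted index: term -> set of item names containing that term."""
    index = defaultdict(set)
    for name, text in docs.items():
        for term in tokenize(text, space_chars):
            index[term].add(name)
    return index


def indexed_search(index, query, space_chars=DEFAULT_SPACE_CHARS):
    """Items containing every term of the query. The query is tokenized with the
    same separator set as the index, so "rob@sans" is either two terms or one."""
    terms = tokenize(query, space_chars)
    if not terms:
        return set()
    return set.intersection(*(index.get(t, set()) for t in terms))


if __name__ == "__main__":
    default_index = build_index(SAMPLE_DOCS)
    print("default:", sorted(indexed_search(default_index, "rob@sans")))
    keep_at = DEFAULT_SPACE_CHARS - {"@"}
    at_index = build_index(SAMPLE_DOCS, keep_at)
    print("@ kept: ", sorted(indexed_search(at_index, "rob@sans", keep_at)))
```

With the default separators the query “rob@sans” becomes the two terms “rob” and “sans”, so the second item (which merely mentions Rob and SANS) is a hit too. With @ kept, “rob@sans” is a single term and only the first item matches. The trade-off is that a search for just “sans” then no longer reaches the address, because the index term is the whole “rob@sans”.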

13 - B
Now it is time to Add Evidence to your case. To do this, simply click on the “Add” button at the bottom left of
the Manage Evidence dialog box.

Once you click the Add button you will have the option to choose what type of evidence you are adding to your
case. Typically it is going to be “Acquired Image(s)”, or in large cases where you have several images in a
directory, you have the option to select “All Images in Directory”. You could also add the “Contents of a
Directory”, “Individual File(s)”, or even a physical or logical drive (behind a write blocker, of course).

Select “Acquired Image(s)”, then click “OK” and navigate to the location where your image file is located.

14 - B
15 - B
C:\cases\blake_case\images\xp_dblake.dd
Once you have selected the evidence to be added and verified the path to the evidence in the “Path” field, you
should give each item of evidence an ID or name in the ID/Name field.
You can also add a description for each item of evidence that will be included in any FTK report generated.

With the Evidence Group feature, you can assign evidence items to different groups and share them between
cases. We will not be assigning an evidence group for our purposes here.

The next step is to identify the time zone for each evidence item. This must be done with all evidence items and
allows FTK to normalize all data in the index.

If you have multiple evidence items, you should consider selecting the Merge Index option. This will put all
indexed evidence items in the same database. The only disadvantage to doing this is if you later decide to
remove an evidence item from your case, the indexed database will still contain entries for items that were
removed. If you conduct an index search after removing an evidence item you will get hits on items that were in
the removed evidence item.

You also have the ability to configure KFF options for each item of evidence. By selecting “Case KFF
Options…” we will be able to select only the KFF sets to run against each evidence item.

16 - B
Get used to looking at this screen since it will be there for hours or even days depending on the size of
your case and what processing options you selected.

With previous versions of FTK if something bad happened while a case was indexing you would typically
have to start this whole indexing process over again. Current versions of FTK can pick back up where it
left off if you have a crash or power failure.

Author note: Although FTK has improved the way it handles system crashes, etc., I still recommend
reprocessing the entire case because there is just no assurance that a single file was not missed.

17 - B
18 - B
This page intentionally left blank.

19 - B
One of the great features of FTK is the way it presents information to the investigator/analyst.

The first thing you may notice is that across the top of FTK are (8) EIGHT tabs. We will be discussing
each of these tabs briefly because you will be navigating through your analysis using these tabs.

Here we are at the OVERVIEW tab, which is the first thing you see when you start FTK. At a glance,
the Overview tab tells you all the basic information about your case and provides you the ability
to immediately review specific groups of files.

The Overview Tab can be broken down into (8) eight basic areas:
• Evidence Groups
• File Items
• File Extension
• File Category
• File Status
• E-mail Status
• Labels
• Bookmarks

20 - B
21 - B
In the Overview Tab you will find your case organized in several different ways to help you quickly locate
certain file types. It also shows you some basic information about your case. To name a few, it shows you:

The File Items lists the number of evidence items and files by whether they have been checked.

The File Extension list itemizes files by their extensions. The total number of files in this list will not
equal the total number of items in the case, because items such as folders have no extension and are not
listed here.

The File Category list organizes files by type, such as graphics, e-mail, documents, etc. and lists them in a tree
view. You can create your own custom file categories and have them show up under this list by adding the file
header and selecting the file category you want it to be listed under. You can create your custom file carver by
selecting “Manage”, then “Carvers”, then “Manage Carvers…” from the menu bar of the FTK examiner
interface.

The E-mail Status list organizes e-mail items by status such as E-mail Attachments, E-mail Reply, Forwarded E-
mail and From E-mail (all items from an e-mail source, i.e., e-mail related)

The Labels list shows all labels that have been applied to the evidence. You can create your own custom labels.

The Bookmarks container lists bookmarks as they are nested in the shared and the user-defined folders.
Bookmarks are defined by the investigator as the case is being investigated and analyzed. Bookmarks are
viewed from the Bookmarks Tab.

22 - B
23 - B
Across the bottom of the Overview tab window you will find the File List area.

If you click on any of the file lists in the above Case Overview section, all files of that particular list will
be listed here. You can scroll through, review, bookmark, or export these items quickly and easily.

By clicking on the “File Category”, then “OS / File System Files”, then “Windows Shortcut”, all
Windows Link Files would be displayed in the File List section.

As you select any of the items in the File List area, the contents of that file will be displayed in the top
right window, which is called the View Window pane.

24 - B
25 - B
At the top right of your screen you will find the Viewer Window. FTK uses Stellent Outside In technology
(now owned by Oracle) or Internet Explorer as the viewing engines to display almost any file in the view
window. This gives the reviewer great ability to view a wide range of file types without having to launch all the
associated viewers. Imagine having to open each application for each associated file type. The file is displayed
almost as quickly as the reviewer can select each subsequent file.

Ref:
http://www.oracle.com/us/technologies/embedded/025613.htm

26 - B
Viewer

27 - B
Next, let's click on the Explorer Tab found across the top of FTK to the left of the Overview tab.

The Explorer tab provides a directory tree display of the evidence items that can be navigated much like in the
standard Windows Explorer.

Starting at the Top Left, you will find the “Tree View”.

You can see in this window the directory tree structure and can expand and contract the directory structures by
clicking on the “+” PLUS or “-” MINUS symbols, just like in your standard Windows programs.

You can view the file within each of the folders by clicking on each directory. As you click on each directory,
ONLY the files in that directory will be displayed. You can view ALL files in that directory and all subdirectories or
descendants by clicking on the arrow adjacent to the directory. This arrow is called the “quick picks” icon and is a
type of filter that allows the selection of multiple directories so you can focus your analysis of specific content.

You may find that many times while reviewing your case, you are not seeing all the files you think you should see.
The first thing you want to check is your quick picks settings.

28 - B
Tree View

29 - B
Directly below the Tree View window, you will find the File List window. As you click on any directory
in the Tree View window, the contents of that directory and if the “quick picks” arrow is selected its
subdirectories will be displayed here.

As you select any of the files in the File List Window, the contents of the file will be displayed in the Top
Right Viewer Window.

30 - B
31 - B
File List
At the top right of your screen you will find the Viewer window. Just like we saw from the overview tab,
this and all the viewer windows in FTK use the same “Quick View” technology to display almost any file
in the viewer window. This is a very convenient feature to quickly look at virtually any file on the drive.

32 - B
Viewer

33 - B
Almost no matter what kind of case you are working, you will be spending a lot of time in the Graphics Tab.
The Graphics Tab displays all graphic files in a photo album or contact sheet style display. Depending on the size
or number of monitors you have, this allows you to review 20, 40, 100 or more images at one time. This allows
you to quickly scan and triage graphics.

You can adjust the size of the Thumbnail View window by clicking and dragging the bar below the Thumbnail
View windows. You can even completely detach each viewer pane from FTK by clicking and dragging the area
above each window pane. If you are like me, when you have to review a lot of graphics, you spread the
thumbnail pane across multiple large monitors so you can quickly triage or review them. By detaching each
window pane you can arrange each tab in a way that best suits you. The window pane placement is specific to
each tab so when you move back to the explorer tab, it will look just like it did when it was last active. To reset
all your window panes back to their default location, from the menu bar select “View”, then “Tab Layout”, then
“Reset to Default”.

34 - B
35 - B
36 - B
Undocked Window Panes
In the middle of the screen on the left side you will find the “Tree View”. You can see in this window the
directory tree structure. You can expand and contract the directory structure by clicking on the “+” PLUS or “-”
MINUS symbols, just like in your standard Windows programs.

You can view the file within each of the folders by clicking on the directory. Like with the Explorer Tab, as you
click on each directory, ONLY the files in that directory will be displayed, however you can view ALL files in
that directory and all subdirectories by clicking on the quick picks icon on that directory.

So remember, if you want to review ALL graphic files on the system, you would go to the root directory in the
tree view window, then select the quick picks icon.

37 - B
38 - B
In the middle of the screen to the RIGHT of the Tree View windows, is the Viewer window. In this
window, the graphic will be displayed in its full size for a more detailed inspection. In many cases, you
will find you do not need to display each and every thumbnail image in the viewer windows.

39 - B
Viewer

40 - B
At the very bottom you will find the File List window.

As you click on any of the graphics in the Thumbnail View window, the file will also be highlighted in the
File List window. It is here that you will find where the file is located on the drive, what directory it is in,
etc. You will also be able to look here in the File List window to see the MAC times and other interesting
details about the selected file, such as if it is a match to one of the hash sets you have loaded, if it has a file
extension mismatch (if someone changed the extension of a picture file from a JPG to a word document
file such as DOC).

41 - B
42 - B
File List
Go to the top again and click on the E-MAIL tab.

When you talk to people who do a lot of computer forensics, almost everyone will agree that FTK processes and
displays e-mail better than most of the other forensic programs. The E-mail tab displays e-mail messages and
attachments in a coded HyperText Markup Language (HTML) format.

Starting at the top left, you will find the Tree View.

The E-mail tree lists message counts for AOL, PST, NSF, MBOX, and several other archive formats.

With FTK 4, the e-mail tree view contains two new groups: E-mail By Date (organized by year, month, then date,
for both submitted and delivered dates) and E-mail Addresses (organized by senders, recipients, e-mail domain,
display name, and e-mail address). This is a great way to quickly look for all e-mails from a particular domain
or specific e-mail address contained in an e-mail archive.

FTK will also attempt to recover deleted e-mail messages, even if the wastebasket has been deleted from Outlook,
Outlook Express and Thunderbird.

43 - B
44 - B
To the right of the Tree View is where you will find all the messages for the selected list in the tree view.

You will notice that the column headings are different in the e-mail tab. By default in the file list window
you will see the subject line of the e-mail; the name; To, From, CC, and BCC e-mail fields; submitted
date; delivered date; current status of the unread and unsent flags and if the message has an attachment.
Several additional fields are also available and can be configured to display in the file view pane in any
order the examiner desires.

When you click on any of the messages in the File List window, the message will be displayed in the
Viewer window directly below.

45 - B
File List

46 - B
At the bottom of the screen you will find the Viewer window for e-mail.

FTK displays all e-mail in HyperText Markup Language (HTML). You may recognize this as the language web
pages are made of. The reason FTK displays all e-mail in HTML is so when you export all this out for your
report, it will all be self-contained and displayed neatly.

Two additional things you should know about the e-mail tab ...

47 - B
When an e-mail is displayed in the Viewer window, any attachments will be displayed in a window to the
RIGHT of the displayed e-mail. This allows you to see what, if anything, was attached to any e-mail.

Additionally, FTK organizes the e-mail to display the contents of the e-mail at the top where you can see it
and places ALL e-mail headers at the bottom of the e-mail.

48 - B
49 - B
Attachments
So if you want to examine the mail headers, scroll down to the bottom of the e-mail and here are all the
mail headers. From here you can attempt to determine where the e-mail came from, the originating IP
address, if possibly it was spoofed, etc. If you print this file, you will get the HTML version of the e-mail
and below the e-mail it will print the full mail headers.

50 - B
51 - B
This is an example of utilizing the framework of FTK to view a deleted file. The deleted files are marked
with a red X on the file icon and the file details in the file viewer pane are slightly grayed out in your
version of FTK. It makes them easier to spot. In this case you can see the page that was viewed by
Donald Blake on January 14, 2009. It is an AOL home page with news on it.

Spend some time here looking for deleted files that have been carved out of the file system or that have
been categorized for you automatically. Pay special attention to files that have been marked confidential
or secret. Also pay special attention to any files that might have been created on the last day of work for
Donald Blake.

52 - B
53 - B
FTK also allows you to capture RAM from a remote computer on your network by pushing an agent to that
machine, then acquiring RAM across the network. You will need to have administrative privileges on the remote
machine to do this. FTK can also allow you to import images of RAM previously imaged for viewing.

You can import a memory dump file by selecting “Evidence”, then “Import Memory Dump…”, from the menu bar.

From the Import Memory Dump File dialog box, you will need to add a name to the “Agent” field. This name is
only used to title the memory dump file you are importing. Next, browse to and select the memory dump file in the
“Memory Dump File” field, then select “OK”. FTK will then begin the import process of the memory dump file.

54 - B
55 - B
FTK will sort all the running processes, DLLs, Sockets, Drivers, Open Handles, Processors, System Descriptor
Tables and Devices in the tree window pane of the Volatile Tab.

You can right click on any dump file in the Snapshot view and create custom filters for memory objects.

For each process in the Process List, further information can be found in the Detailed Information pane at the
bottom. Analyzing imported DLLs, network sockets and connections, process handles, and the virtual address
descriptor (VAD) tree can help identify suspicious processes. In this example, a svchost.exe process is
communicating with an external IP address over port 80. This is commonly seen in bots when they
communicate with their command and control server. A web search for the IP address 193.104.41.75 shows it
as a blacklisted IP associated with Zeus malware.

There is a lot of analysis that can be done to memory but that is another course.
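To make the reasoning in the svchost.exe example concrete, here is an added Python sketch (written for these notes; it is not FTK code and the Volatile tab does not run anything like it) that applies three checks to a constructed process list of the shape shown in the Volatile tab: a system-named process whose image is not under System32, a system process with the wrong parent, and a system process holding a socket to an external address. The snapshot, the expected-parent table and the paths are assumptions made for the example; the parent expectations are for Vista and later and would need adjusting for XP.

```python
"""Added example: triage heuristics of the kind an examiner applies to a
memory snapshot's process list. Not FTK code; the snapshot is constructed."""
import ipaddress

SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: expected parent for a few Windows system processes (Vista and
# later; on XP lsass.exe is started by winlogon.exe, so adjust per OS version).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}

# Constructed stand-in for the Volatile tab's process list: pid, name, parent pid,
# image path and (remote IP, remote port) sockets. Not real data from the course image.
SAMPLE_SNAPSHOT = [
    {"pid": 4, "name": "System", "parent": 0, "path": None, "connections": []},
    {"pid": 620, "name": "services.exe", "parent": 560,
     "path": r"C:\Windows\System32\services.exe", "connections": []},
    {"pid": 1012, "name": "svchost.exe", "parent": 620,
     "path": r"C:\Windows\System32\svchost.exe", "connections": [("10.0.0.5", 135)]},
    {"pid": 1800, "name": "explorer.exe", "parent": 1400,
     "path": r"C:\Windows\explorer.exe", "connections": []},
    {"pid": 2240, "name": "svchost.exe", "parent": 1800,
     "path": r"C:\Users\dblake\AppData\Local\Temp\svchost.exe",
     "connections": [("193.104.41.75", 80)]},
    {"pid": 3100, "name": "iexplore.exe", "parent": 1800,
     "path": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "connections": [("203.0.113.10", 80)]},
]


def is_external(ip):
    """True for routable (non-private, non-reserved) addresses."""
    return ipaddress.ip_address(ip).is_global


def triage(snapshot):
    """Return {pid: [reasons]} for system-named processes that look wrong:
    image outside System32, unexpected parent, or a socket to an external host."""
    names = {p["pid"]: p["name"] for p in snapshot}
    findings = {}
    for proc in snapshot:
        name = proc["name"].lower()
        if name not in EXPECTED_PARENT:
            continue  # a browser talking to the Internet is normal; these system processes doing so is not
        reasons = []
        path = (proc["path"] or "").lower()
        if not path.startswith(SYSTEM32):
            reasons.append("image path %s is outside System32" % proc["path"])
        parent = names.get(proc["parent"], "<exited>")
        if parent.lower() != EXPECTED_PARENT[name]:
            reasons.append("parent is %s, expected %s" % (parent, EXPECTED_PARENT[name]))
        for ip, port in proc["connections"]:
            if is_external(ip):
                reasons.append("socket to external host %s:%d" % (ip, port))
        if reasons:
            findings[proc["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_SNAPSHOT).items():
        print("pid %d:" % pid)
        for reason in reasons:
            print("   ", reason)
```

In the constructed snapshot only pid 2240 is flagged, on all three counts; the legitimate svchost.exe (pid 1012, under services.exe, talking to a private address) and the browser are left alone. Checks like these narrow the list; they do not prove anything on their own, which is why the blacklist lookup in the text is the next step rather than the first.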

56 - B
57 - B
One of the advanced features I love about FTK 4 is the additional data carving feature. How many times have
you found a file significant to the investigation and suspected there are more, only they have not automatically
been carved from unallocated space? Perhaps you suspect they have been deleted and partially overwritten.
You can set up custom data carvers for specific file types either at the start of your case or at any point
throughout your analysis. If your case has already been indexed and processed, simply select Evidence, then
Additional Analysis from the menu bar.

Under Carving, select “Data Carve”, then select the “Carving Options…” button.

58 - B
59 - B
Next, select the “Custom Carvers…” button then select the “New” button to create your new custom carver.

For adding more custom carvers you can download more AD carvers from
http://www.accessdata.com/support/technical-customer-support/custom-carvers.

60 - B
Now give your new custom carver a name, annotate the author’s name who created the carver and provide a
brief description of what the carver does. Over time, you can develop a library in your lab of custom carvers
that can be shared and imported into any case you or your colleagues are working.

In this example, we are using a prefetch file signature. We will examine and discuss Windows prefetch files in
section 4 of this course.

There are two dialog boxes in which you can add signatures. In the top dialog box you can enter one or multiple
signatures that occur in the file you are looking for. Click the plus “+” and add the file signature in hex and the
offset where the signature starts. If your file signature is not case sensitive, uncheck the “Signature is case
sensitive” box, then click “OK”. Files will be carved if they have ANY of the signatures in this top dialog box.

If you place any signatures into the second dialog box, only files with ALL of the signatures entered into the
second dialog box will be carved. Unless you are looking for a very specific file that must have both signatures,
you may want to leave this blank.

61 - B
62 - B
This page intentionally left blank.

63 - B
64 - B
At the bottom left of the Custom Data Carving screen, select a file category in which to place your carved files;
you can then add End of File information such as the hex for the End File Tag. This End of File information is
not necessary.

Once you have entered your new file carving information, select Save, then close the Manage Custom Carvers
dialog box. Make sure only the carvers you would like to search for are selected in the Carving Options
dialog box, then select OK in both the Carving Options and Additional Analysis dialog boxes.
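The custom carver procedure on pages 57-B through 64-B describes four rules: a file starts wherever ANY signature from the top box matches at its offset, ALL signatures from the second box must also match, an End File Tag is optional, and signatures may be case insensitive. The following Python sketch is an added example written for these notes (not FTK's carving engine) that implements exactly those rules and runs them over a constructed buffer. It uses the fact that Windows prefetch files carry the ASCII tag "SCCA" at offset 4; the record layout, the 64-byte maximum length and the decoy are assumptions made for the example.

```python
"""Added example: the matching rules of a custom carver (any-of signatures
at an offset, all-of signatures, optional end-of-file tag, maximum length),
run over a constructed buffer. Not FTK code."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Signature:
    pattern: bytes            # the bytes entered in hex in the carver dialog
    offset: int = 0           # where the pattern sits relative to the file start
    case_sensitive: bool = True


@dataclass
class CustomCarver:
    name: str
    any_of: List[Signature]                                # top box: ANY may match
    all_of: List[Signature] = field(default_factory=list)  # second box: ALL must match
    footer: Optional[bytes] = None                         # End File Tag, optional
    max_length: int = 4096
    category: str = "Other Known Types"


def _matches(data, start, sig):
    pos = start + sig.offset
    if pos < 0 or pos + len(sig.pattern) > len(data):
        return False
    chunk = data[pos:pos + len(sig.pattern)]
    if sig.case_sensitive:
        return chunk == sig.pattern
    return chunk.lower() == sig.pattern.lower()


def find_starts(data, carver):
    """File-start offsets: some any_of signature matches at its offset and
    every all_of signature matches at its offset."""
    starts = set()
    for sig in carver.any_of:
        hay = data if sig.case_sensitive else data.lower()
        needle = sig.pattern if sig.case_sensitive else sig.pattern.lower()
        i = hay.find(needle)
        while i != -1:
            start = i - sig.offset
            if start >= 0 and all(_matches(data, start, s) for s in carver.all_of):
                starts.add(start)
            i = hay.find(needle, i + 1)
    return sorted(starts)


def carve(data, carver):
    """Return (offset, bytes) for each carved file. With a footer, the file ends
    at the first footer within max_length; otherwise (or if no footer is found,
    since the End of File tag is optional) it is cut at max_length."""
    carved = []
    for start in find_starts(data, carver):
        end = min(start + carver.max_length, len(data))
        if carver.footer:
            f = data.find(carver.footer, start, end)
            if f != -1:
                end = f + len(carver.footer)
        carved.append((start, data[start:end]))
    return carved


# Windows prefetch files carry the ASCII tag "SCCA" at offset 4 (offset 0 holds
# the format version); that is the signature this example carver uses.
PREFETCH = CustomCarver(
    name="Windows Prefetch",
    any_of=[Signature(b"SCCA", offset=4)],
    max_length=64,                       # toy size; real prefetch files are larger
    category="OS / File System Files",
)


def build_sample_image():
    """Constructed 'unallocated space': two prefetch-like records, a lower-case
    decoy with a different version byte, and filler. Not from the case image."""
    def record(version, tag, name):
        return bytes([version, 0, 0, 0]) + tag + name.ljust(56, b"\x00")  # 64 bytes
    return (b"\x00" * 13
            + record(0x11, b"SCCA", b"NOTEPAD.EXE-D8414F97.pf")
            + b"\xff" * 7
            + record(0x17, b"scca", b"decoy")
            + record(0x11, b"SCCA", b"CMD.EXE-087B4001.pf")
            + b"\x00" * 5)


if __name__ == "__main__":
    for offset, blob in carve(build_sample_image(), PREFETCH):
        print(hex(offset), blob[8:].rstrip(b"\x00").decode())
```

With the case-sensitive carver the lower-case decoy is skipped; unchecking “Signature is case sensitive” picks it up, and adding the version bytes to the second (ALL) box excludes it again. Without a footer every hit is cut at max_length, which is why a sensible maximum matters when you leave the End File Tag blank.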

65 - B
66 - B
To find your newly carved files go to the Overview tab and select the file category you selected for your custom
carved file. We will discuss Prefetch files in-depth later in the course, but recovering deleted ones is very
important and will help your overall analysis.

67 - B
While an Indexed Search gives instantaneous results, a live search includes options such as text, pattern and
hexadecimal searching. You can view search results from the File List and File Contents views of the Search
tab. The Live Search is accomplished by a bit-by-bit comparison of the entire evidence set with the search term
or pattern.

68 - B
69 - B
The second way you can do searches in FTK is through the Live Search function. Live search can be used to
search for special characters, case sensitive words, Hexadecimal or Regular Expressions. Live Search should
be used judiciously since it is a time intensive process that involves an item-by-item comparison with the
search term. One big advantage of Live Search is that it can find patterns of non-alphanumeric characters.
The reason this is important is that as we said earlier, FTK only indexes discrete words or number strings
found in both allocated and unallocated space.

With the Text tab selected you can search for text strings in ANSI, Unicode UTF-16 Little Endian, UTF-16
Big Endian, and UTF-8. Select the black arrow under the text search entry field to quickly switch
between UTF-16 Little Endian, UTF-16 Big Endian, and UTF-8.

You can choose to make your searches case sensitive (except for UTF-16 Big Endian and UTF-8 which are
always case sensitive). You can also choose from a list of other code pages to apply to your search by
checking the “Other Code Pages” box then click on the “Select…” button.

References:
Forms of Unicode - http://www.icu-project.org/docs/papers/forms_of_unicode
http://www.utf8-chartable.de
http://unicode.org/faq/utf_bom.html

70 - B
Under the Pattern search tab you can search for precise character strings that describe a data pattern such as a
credit card or social security number.

Click on the white arrow to the right of the search term entry field and you will see a menu where you can
select several common patterns that have been preloaded.

You can edit this list and add your own that will show up here by scrolling to the bottom of this list and
selecting “edit expressions…”.

71 - B
You can also click on the black arrow to the right of the search term field and you will see a menu where
you can select from a number of common operators to help you build your own complex expressions.
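The Text and Pattern tabs above both do the same underlying thing: scan the raw bytes of the evidence for a byte sequence. The following Python sketch is an added example written for these notes (not FTK's live search) that shows why the encoding choice matters and why a pattern hit for a credit-card number should be validated. The evidence buffer is constructed, and the two regular expressions are simplified stand-ins for FTK's preloaded expressions, not copies of them.

```python
"""Added example: what a live search does that an indexed search cannot,
scanning raw bytes for a term in several encodings and for a data pattern.
Not FTK code; the evidence buffer is constructed."""
import re

ENCODINGS = {"ANSI": "cp1252", "UTF-16LE": "utf-16-le",
             "UTF-16BE": "utf-16-be", "UTF-8": "utf-8"}

# Assumption: simplified patterns, not FTK's preloaded expressions.
PATTERNS = {
    "credit card": rb"\b(?:\d{4}[ -]?){3}\d{4}\b",
    "ssn": rb"\b\d{3}-\d{2}-\d{4}\b",
}


def build_sample_evidence():
    """Constructed raw "evidence": one keyword stored as ANSI and again as
    UTF-16LE (the way Windows stores many strings), a Luhn-valid card number,
    a number that only looks like one, and an SSN-shaped string."""
    return b"".join([
        b"\x00" * 4,
        "Keyword".encode("cp1252"),
        b"\xff" * 3,
        "keyword".encode("utf-16-le"),
        b"\x00" * 2,
        b"card 4111 1111 1111 1111 ",
        b"bogus 4111 1111 1111 1112 ",
        b"ssn 078-05-1120",
    ])


def live_text_search(data, term, encoding, case_sensitive=True):
    """Encode the term as the evidence might store it and scan every byte.
    Returns the byte offsets of all hits. Case folding covers ASCII letters only."""
    needle = re.escape(term.encode(ENCODINGS[encoding]))
    flags = 0 if case_sensitive else re.IGNORECASE
    return [m.start() for m in re.finditer(needle, data, flags)]


def luhn_ok(digits):
    """Luhn check-digit test; filters random digit runs out of card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def live_pattern_search(data, pattern_name, validate=True):
    """Regex scan of the raw bytes; credit-card hits are Luhn-validated unless
    validate=False. Returns (offset, matched text) pairs."""
    hits = []
    for m in re.finditer(PATTERNS[pattern_name], data):
        text = m.group().decode("ascii")
        if validate and pattern_name == "credit card":
            if not luhn_ok(re.sub(r"\D", "", text)):
                continue
        hits.append((m.start(), text))
    return hits


if __name__ == "__main__":
    ev = build_sample_evidence()
    for enc in ENCODINGS:
        print(enc, live_text_search(ev, "keyword", enc, case_sensitive=False))
    print(live_pattern_search(ev, "credit card"), live_pattern_search(ev, "ssn"))
```

An ANSI search for “keyword” never sees the UTF-16LE copy of the same word, because the bytes in between differ; that is what the encoding selector is for. On the pattern side, the regular expression alone reports both 16-digit runs, and only the Luhn check separates the real card number from the look-alike.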

72 - B
This page intentionally left blank.

73 - B
