AccessData Ultimate Toolkit
The product has industrial-strength decryption software and good search facilities.
Although the software included our streamed data in its search and display features, it did not specifically indicate that these files existed.
The Ultimate Toolkit provides a good range of tools that address most of the areas of interest.
AccessData's Ultimate Toolkit has several independent components, which can be purchased separately. The software is also protected by USB dongles, providing an extra layer of security.
The two password recovery programs are good examples of the sort of tools that need protecting. The first program, the Password Recovery Toolkit, is able to recover Windows passwords from the SAM and the Registry, and the PWL files in Windows 9X systems. The toolkit can also recover data from files and directories protected by the Encrypted File System.
The other password recovery program, the Distributed Network Attack, uses several computers to crack passwords and recover information from encrypted files, useful when there are time constraints.
Another useful component is the Registry viewer. It can access data, such as hidden passwords from the Windows registry, and examine registry files from other systems.
The main component is the Forensic Tool Kit, which is designed to assist in gathering evidence for a variety of purposes. We used it to create an image of our "suspicious" hard drive, and to create a set of indices that could then be used for keyword searches.
The software was not fooled by our attempts to disguise various files, and correctly discovered and displayed details about the hidden executable and graphic files. It did not detect our streamed files, and there was nothing to indicate that these files were anything other than normal NTFS files.
However, the hidden data did appear in the explorer view if a streamed file was examined, and the search engine also found search strings in the hidden stream. String searching extended to the contents of free space and to the page file, as well as ordinary files. There are a number of search options, including the ability to make cumulative searches, and to use search broadening filters such as stemming, phonic equivalence and fuzzy logic.
Search strings can also include special wildcard characters that modify the matching process. The system could list the files stored in password-protected zip archives, but could not display the contents.