Missing parent email after FTK export

admin — Wed, 20 Jun 2007 06:25:03 +0000

Scenario: You perform a keyword search. FTK returns hits emails with attachments for the keyword you searched for. Since you are a good forensic examiner, you validate the completeness of the results. Unfortunately you notice that several attachments reference emails which are not present.Reason: The keywords hit only on the attachment content, yet not on the email message.

Problem: How do you locate the parent email which contained the attachment with the keyword hit?

Answer 1: Manually review each single item in your search result set. Using the “View the item in a different list – Email tab”. Ok, if you have only a few items.

Answer 2: Wait for a new version of FTK to come out and hope the feature to export parent emails is included. According to AccessData’s support form, it might be in a new release.

Answer 3: Use the attached Microsoft Excel spreadsheet. I recently worked a case where I was in the same situation and needed a somewhat automated tool. So I took it upon myself to write a VB macro that basically compares two columns from the FTK “Copy special…” feature.

Here is how you would use the tool.

Within FTK perform the following steps:

Step 1: Perform your search on emails with attachments within FTK

Step 2: Right-click in your search result pane and select “Copy Special …”

Step 3: Select “All Currently Listed Items”

Step 4: Only check the “File name” and “Attachment Info” column

Step 5: Select “Clipboard” within the Copy destination section.

Step 6: Click “Copy” button

Open the Excel spreadsheet (don’t delete any of the columns)

Step 1: Click on the “FTK Feed” worksheet tab

Step 2: Paste the results you have copied above into the “FTK Feed” worksheet.

Step 3: Within the “FTK Feed” worksheet, select column B2 and sort in “ascending” order

Step 4: Go to the “Locator” tab.

Step 5: Press the button…

The macro will crawl column A and compare it to column B. Column A is considered the “base”, which was extracted from the “Attachment Info” column. It is compared to Column B, which basically contains all files and email messages. If any value from column A is in B, you are lucky. If not, the macro will mark it in RED. This still means that you have to find the message within FTK, yet now you have a list to work with.
I know the tools doesn’t really solve the problem, yet it helps automate the process of locating the missing parent email.

I hope this helps.

Download: Find Parent Email (12.28 KB, 109 downloads), version:

NOTE: Use this tool at your own risk. Make sure you test the results.

Proactive Discovery » Code/Dev

Missing parent email after FTK export