My friend she told me last week that FTK could not "see" keywords in a plain text files when doing index search. That‘s very interesting. I used to trust the search results of FTK, and I think there must be something wrong .
I have to do a test to see what‘s going on. A plain text file named "password.txt" is as below, and its code page is Traditional Chinese Big5.
It makes sense that both FTK and EnCase could hit keyword "密碼" in that plain text file.
Now the test result is not the same as what she told me, could I just say that she is wrong??? No, of course not, the test environment is on the NTFS Volume and I have to do another test on a FAT32 Volume. Guess what??? EnCase could hit the keyword in that plain text file, but FTK failed.
What if the same keyword in a Doc/Docx file on the FAT32 Volume? Now FTK could hit the keyword in the Doc/Docx file.
I try to figure out what‘s going on here. Correct me if any:
1. FTK supports lots of code page including "Big5".
2. FTK could index and search lots kind of file types including "plain text file".
3. FTK supports so many kind of file systems including "FAT32".
Now my question is:
Why FTK could not hit the keyword in the plain text file whose code page is Big5 lying on FAT32 Volume?
So what the hell is going on??? FTK must "see" the keywords in a plain text file or forensic guys will miss some very important clues like accounts and passwords. It‘s a very serious problem!
Something wrong with FTK's index search results