Skip to content

Investigate Remote Endpoints with FTK Enterprise

Gain deep visibility into remote endpoint data to investigate cybersecurity incidents, data breaches, or employee wrongdoing.

Industry-leading companies trust Exterro FTK for digital forensics and incident response.

Estee Lauder Logo Wells Fargo Logo Cox Communications Logo

Quickly Identify and Understand Activity Putting Your Organization at Risk

Use FTK Enterprise to expose and investigate a variety of criminal and malicious activities, including data breaches, database tampering, inappropriate sharing of confidential company information, deletion of files, wiping of hard drives, or viewing of inappropriate content. 

  • Discreet Data Acquisition

    Discretion can be critical when conducting internal investigations, so FTK® Enterprise uses covert, agent-based technology to ensure that employees and teams aren’t alerted as you acquire remote data.

  • Pinpoint Evidence

    Eliminate the hours spent manually digging through endpoint registry data, internet history, and system summary files for the data you’re interested in. FTK Enterprise intelligently categorizes the most data artifacts to help you pinpoint key evidence faster.

  • Remediate Quickly

    Stop risks in their tracks with remediation capabilities that give you the ability to delete offending files, kill processes, and stop non-compliant activities across endpoints.

Investigate employee wrongdoing from anywhere with Remote Endpoint Collection. 

FTK Enterprise can deploy agents to each endpoint (including Macs), and then perform discreet agent-based remote collection to a secure, encrypted forensic container.  

No VPN? No problem!  FTK Enterprise is the leader in Off-Network Acquisition. Organizations can continue to perform data collections from traveling or ‘work from home’ employees who may not be connected to the VPN, as long the endpoint is simply online.

Assess endpoint data prior to collection with Live Preview.

Full-disk collection takes up time and storage space. With FTK Enterprise, you can perform a rapid risk assessment of a suspected compromised endpoint by previewing the contents to see the endpoint’s folder structure, filter for specific file and data types, and view files of interest before performing a collection. 

Instantly preserve endpoint evidence with cybersecurity automation.

Integrate FTK Enterprise with SOAR and SIEM solutions to instantly preserve and collect endpoint evidence upon detection of an intrusion, with optional FTK Connect automation. [link to page].  Exterro’s seamless integration with cybersecurity platforms like Cortex XSOAR reduces risk and speeds up internal breach investigations, with 24/7 real-time evidence collection and auditable preservation capabilities. 

Additional Capabilities

  • Zero Trust Compliant

    Conduct remote endpoint collection, preview, and remediation securely within a Zero Trust framework such as ZScaler, using encrypted public site server technology.

  • Memory Comparison

    Easily compare an endpoint's volatile data to the previous time you previewed it to locate differences in processes or applications that are running.

  • Targeted Collection

    Target specific locations on the endpoint, then apply filters to limit the size and scope of the collection and bypass irrelevant data.

  • Mac Data Review

    Collect, parse and render Apple Mail, iMessage, iWork files, Safari browser data, Outlook for Mac email, Mac Artifacts, and Mac system summary data like Spotlight Search, KnowledgeC, and Power Log data. 

Innovative partners for your entire DFIR workflow

Internal investigations begin at the moment a threat is detected, so Exterro integrates with the best innovators from cybersecurity platforms and zero trust technologies to post-incident analysis powerhouses.

Palo Alto Networks Logo
RWS Logo
Abbyy Logo
Estee Lauder Logo

“Incident response has been accelerated through the ability of FTK Enterprise to collect from remote endpoints, and in fact, the tool has quickly gained recognition within the company.”

Digital Forensics Program Manager

Ready to get started?

See our digital forensics and cybersecurity investigation solutions in action. 

Frequently asked questions

  • What kinds of devices or data sources can FTK Enterprise collect from?

    FTK Enterprise has the ability to perform full-disk data collection (Windows, Mac, Linux) from both on-network and off-network endpoints, as well as from network shares and cloud data sources like Gmail, Google Drive, One Drive, O365, Microsoft Teams, SharePoint, and Exchange, and more.

  • Does FTK Enterprise use a persistent agent, and how is it installed?

    Yes, FTK Enterprise uses a persistent agent that can be mass deployed to thousands of endpoints at once, including on Macs by using Jamf®.  Our Agent gains full access to the disk, including all volumes and files. The FTK Agent runs as a service, and ensures a secure connection by using your organization’s X.509 certificate to protect the endpoint from becoming vulnerable. The service running does not cause the endpoint to lag and should be undetectable to the user while they’re working. The agent collects into forensically-sound evidence file formats, such as AD1, E01, L01, DMG, etc.

  • Can I deploy the FTK Enterprise remote agent on an as-needed basis?

    Yes, the agent can be installed and remain inactive until called upon, or you can deploy an agent for a specific preview or collection activity, and then uninstall it.

  • How does the remote endpoint agent perform a collection?

    As described above, you will first deploy the remote agent to a Windows, Linux or Mac endpoint.  You will then configure a site server to manage collection activity initiated by these remote agents located outside the local network.  When you initiate a collection job from FTK Enterprise, the site server receives the request and communicates with the remote agent on the endpoint.  When the endpoint is online and a connection is established, the endpoint data is encrypted and collected into an AD1 file, and then retrieved through the firewall where it can then be reviewed and analyzed in FTK Enterprise.  NOTE: for off-network (i.e., off-VPN) acquisition, secure public site servers can be configured in place of private servers.

  • What kind of data types can FTK Enterprise investigate?

    FTK Enterprise remote agents can provide visibility into endpoint data including geolocation, internet, file, and program history including uploads, downloads, and deletions.  Here are some examples of what you can investigate:

    - Windows Registry + System Information 

    - Volatile Data / Memory Analysis

    - Browser history & activity 

    - File uploads and downloads

    - Files emailed within the company or to external recipients 

    - Recently accessed programs, files, and network shares 

    - External devices that were connected to a computer

    - Origination of “phishing scams” or malware

    - User location based on connected network

  • What happens if a remote endpoint goes offline during a collection?

    If the endpoint goes offline during a remote collection, the collection will be paused and will automatically resume once the endpoint comes back online.  If the disconnection happens during a Live Preview session, specifically, a ‘snapshot’ is created so the FTK Enterprise admin can continue to sift through file structure. The contents of the files might not be available, but the structure is there.  When they find what they are looking for, the admin can send another job to the site server asking it to perform a collection when the endpoint comes back online again.


of Healthcare Orgs experienced external ransomware threats


had Personal Data Compromised


had Medical Data Compromised

Major New York City Hospital System Chooses FTK Enterprise Over the Competition for Remote Endpoint Collection and Faster Hard Disk Acquisition

From multiple locations to massive employee pools and remote workers, this hospital system needed to access their entire network of endpoints to identify potential threats and eliminate them before they became full-blown incidents. 

Featured Remote Investigation Resources

Learn about the best practices and technology that can help your organization improve its internal investigation workflow

Product Briefs

Exterro FTK® Enterprise Product Brief

Learn how you can conduct internal investigations and facilitate legal and regulatory compliance in enterprise environments with FTK Enterprise.

White Papers

Jumpstarting Digital Forensic Investigations

Download this guide to learn about different types of investigations you might need to conduct in corporate environments--and tips and tricks to make them more efficient.

Ready to get started?

See our digital forensics and cybersecurity investigation solutions in action.

Get a Demo