Hi Fin,

For the record, I have attended the training course. You're right, once you're used to it the interface is fine, but IMO it is still fairly unintuitive. By that I mean it's difficult to "muddle" out what you want to do without referring to the manual. Of course, once you know it, you know it - but until then it can be slow going.

Let me put it a different way. I am convinced that within 5 minutes I could sit a semi-computer-literate person down and explain to them the different panes of EnCase, what they mean and how they work. I don't think I could do this with XWF.

That post was written before 16.4 - hence no mention of the APIs, which are awesome. Also, the VSS stuff in v16.4 made my heart beat in a very geeky way. And I want the acquisition to be free because it's so good! Does FTK4 allow for stuff like "copy sectors in reverse order"? I have no idea.

In conclusion; XWF is great. I hope we get some licenses this year!  

Guidance just don't seem to care.
People would complain about bug's and missing features for years without anything changing.


AD on the other hand does seem to listen and FTK does improve.

If FTK crashes I just open it up and I am back where i was in seconds. If encase crashes it's a long time to get back up. ( Encase 6 that is , their only useful version, the preview of Encase 7 looked horrible)

FTK is more open in that it can use open evidence formats like AFF. Guidance with Encase 7 comes up with another proprietary evidence format .Ex01 as well as no interest in supporting open standards.
Neither Encase or Xways support AFF.  

I am pretty sure I sat in a meeting for EnCase 7 where the Guidance rep told us Ex01 was an open standard.

I don't think it's open in the sense that anyone can make changes, but the technical details are published and libewf supports it.

White paper from Guidance on Ex01.

www.guidancesoftware.c...1000018246  

Hi guys,

one small question about FTK 4: If I was to buy a licence of FTK4, does it come with Oracle included or would I need to buy Oracle also in order for FTK to work?

Regards,

K.  

- kyrkos

Hi guys,

one small question about FTK 4: If I was to buy a licence of FTK4, does it come with Oracle included or would I need to buy Oracle also in order for FTK to work?

Regards,

K.

The custom Oracle or PostgressSQL (your choice) database is part of and included with FTK.  

- robdew

I don't think it's open in the sense that anyone can make changes, but the technical details are published and libewf supports it.

It's not very open if the Forensic community can't make changes.

http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315
At "Date: 2012-03-21 13:16:11 PDT" jbmetz the developer of LIBEWF makes the following comment.

Ex01/Lx01 is actually a completely different format, at the lower level.
Guidance has released part of the format specification.

For now I lack the time to do anything serious on Ex01.

Seems as :
a) Guidance have released only part of the specification
and
b) Libewf doesn't support Ex01

This is not evidence of openness. I would love to see signs that Guidance wants to engage with the community. The mess with encase7 doesn't to show engagement with the forensic community, it show's that they don't know or care what we need.
They could for one add support for AFF evidence files (AFFLIB) for a start to show that they support open formats.

The forensic community are blessed to have people like JB Metz who have written tools so that we can have access to proprietary formats like EWF (.E01)  

Ooops, looks like I didn't read the full comment on the libewf sourceforge page. And I need to browbeat the Guidance rep the next time he comes and gives a presentation.