Forensic Focus - Forensic Software - EnCase 7 vs FTK4

Forensic Focus

Go to page Previous 1, 2, 3, 4, 5, 6, 7 Next :| |:

Posted: Thu Mar 15, 2012 6:52 am
Author: PM_SQ Location: Montreal (Canada)
I don't want to hijack this thread, but I see a lot of people mentioning X-Ways.

I've never used it myself and I was wondering what features does X-Ways have that makes it so powerful?

From the screenshots on the website, it looks a bit like an older version of Encase.

Re: EnCase 7 vs FTK4

Posted: Thu Mar 15, 2012 5:24 pm
Author: pbeardmore Location: Surrey
X-Ways can only benefit from the 2 market leaders releasing products which are clearly not properly tested.
There is surely room for a third option (perhaps one that is simpler with less "bells and whistles" but just works).
We have just purchased our first x-ways dongle and I am sure we are not alone.

Re: EnCase 7 vs FTK4

Posted: Fri Mar 16, 2012 2:37 am
Author: Chris_Ed Location: Kent
Here's a very short and brief overview of some of X-Ways:

It is not a pretty tool, but it is very powerful. It natively does a large range of things which you look at and think "why doesn't <insert other forensic tool> do that?".

Off the top of my head, it will quickly parse:
LNK files
PF files
System Restore change.log

As well as this it has a very good indexing system, a superbly flexible approach to reviewing keywords, and it can deal with pretty much any filesystem you can name.

There are three downsides to XWF, as far as I see it;
1. Unintuitive interface.
2. Lack of customisation that (for example) EnScripts allow.
3. No free acquisition tool (unlike it's most popular competitors).

None of these are especially game-breaking.

I have personally been evangelising about it pretty hard in my office, but without much luck this financial year. Maybe the next one.. ? Smile

Re: EnCase 7 vs FTK4

Posted: Sun Mar 18, 2012 4:09 am
Author: RedEyes Location: Birmingham
We currently have FTK Pro, FTK, EnCase 6 with 7 upgrade

For some reason FTK Pro version releases are a couple of months behind the Basic FTK releases. We were only permitted (by AD) to purchase four Pro dongles. So only half the office can use Pro. I will not advocate renewing these licences.

I have used FTK 4, I have yet to understand why it isn't FTK 3.5. As I can't transfer cases between my Pro machine and FTK 4 machine either '4' or FTK Pro is useless, take your pick which.

My order of things:

FTK to process live file to our viewing team
REG ripper
bulk-extractor
FTK to process all its bits and pieces (except indexing)
EnCase 6 to run various scripts
SIFT/EnCase 6 for timeline logs
Then it's mix and match as by now i would expect the SIO to decide what they want.

I don't use EnCase 7 and I'd like our money back

Re: EnCase 7 vs FTK4

Posted: Fri Mar 30, 2012 7:53 am
Author: twjolson Location: Minnesota
Well, we know at least two Guidance employees roam the forums...

Re: EnCase 7 vs FTK4

Posted: Sat Mar 31, 2012 8:56 am
Author: jwells Location: Chattanooga Tn
Guidance has to know by now how big an egg they laid with Encase7 and for it to go on this long is just irresponsible they should stop selling it until its fit for duty. Guidance doesn't seem to want it to work and keep the same features as version 6 no matter how many times their customers tell them. Guidance knows best the rest of us don't have a clue what we need is the feeling I get. Guidance has released a few fixes but still its broken. FTK is a good product I have been with is since 1.8. FTK4 has had some bumps YES it has which is also unfortunate I thought they learned their lesson with FTK2 it seems no so much! What an opportunity FTK has with the program to win over Encase owners I stick with FTK3 and Encase6 for now.

Re: EnCase 7 vs FTK4

Posted: Thu Apr 05, 2012 6:46 am
Author: finbarr Location: London, UK

- Chris_Ed

There are three downsides to XWF, as far as I see it;
1. Unintuitive interface.
2. Lack of customisation that (for example) EnScripts allow.
3. No free acquisition tool (unlike it's most popular competitors).

Hi Chris,
Just a quick note about XWF - it's true the UI doesn't fit with what most EnCase trained examiners expect, however, once you've carried out the three day training course, the UI becomes second nature and actually very intuitive. The guys at X-Ways have spent a lot of time making the UI easy to use, but you need someone to explain it to you so you 'get' the design.

The latest version of XWF now ships with X-Tensions, which is a way of programming your own DLL in whatever language you like to extend XWF's capabilities. The API is solid and there are a lot of useful additions coming down the line.

With respect to acquisition tools, do they need to produce one? FTK Imager is probably the best and most widely used forensic tool available today, so stick with that!

A couple of other very compelling reasons to try XWF is that it is considerably cheaper than either FTK or EnCase. This is not because of reduced functionality - it's more like X-Ways are not gouging enterprise level customers as the other two are. Closely tied to this is the outrageous levels of hardware you have to throw at either FTK or E7 to get them to perform even adequately. XWF will run fast and remain stable on much lower spec hardware.

Finally, the X-Ways team release updates and optimisations very regularly, with beta versions of the next release available to all registered users if you're interested in having a play. They respond quickly and well to user feedback and provide the best value for money in the current market.

I use XWF as my primary tool followed by EnCase 6. As most others in this thread have described, EnCase 7 is not fit for purpose and doesn't get a look in.

I have no association with X-Ways other than as a very satisfied customer. Very Happy

Unlike my very dissatisfied association with Guidance as tester for their buggy software! Mad

Kind regards,
Fin.

All times are GMT - 6 Hours
Page 2 of 7 Go to page Previous 1, 2, 3, 4, 5, 6, 7 Next :| |:
http://www.forensicfocus.com/