There are three downsides to XWF, as far as I see it:
1. Unintuitive interface.
2. Lack of customisation that (for example) EnScripts allow.
3. No free acquisition tool (unlike its most popular competitors).
Just a quick note about XWF: it's true the UI doesn't fit with what most EnCase-trained examiners expect; however, once you've carried out the three-day training course, the UI becomes second nature and actually very intuitive. The guys at X-Ways have spent a lot of time making the UI easy to use, but you need someone to explain it to you so you 'get' the design.
The latest version of XWF now ships with X-Tensions, which is a way of programming your own DLL in whatever language you like to extend XWF's capabilities. The API is solid and there are a lot of useful additions coming down the line.
With respect to acquisition tools, do they need to produce one? FTK Imager is probably the best and most widely used forensic tool available today, so stick with that!
A couple of other very compelling reasons to try XWF are that it is considerably cheaper than either FTK or EnCase. This is not because of reduced functionality; it's more that X-Ways are not gouging enterprise-level customers as the other two are. Closely tied to this are the outrageous levels of hardware you have to throw at either FTK or E7 to get them to perform even adequately. XWF will run fast and remain stable on much lower-spec hardware.
Finally, the X-Ways team release updates and optimisations very regularly, with beta versions of the next release available to all registered users if you're interested in having a play. They respond quickly and well to user feedback and provide the best value for money in the current market.
I use XWF as my primary tool followed by EnCase 6. As most others in this thread have described, EnCase 7 is not fit for purpose and doesn't get a look in.
I have no association with X-Ways other than as a very satisfied customer.
Unlike my very dissatisfied association with Guidance as a tester for their buggy software!
The custom Oracle or PostgreSQL (your choice) database is part of and included with FTK.
One small question about FTK 4: if I were to buy a licence of FTK 4, does it come with Oracle included, or would I need to buy Oracle as well in order for FTK to work?
I don't think it's open in the sense that anyone can make changes, but the technical details are published and libewf supports it.
It's not very open if the forensic community can't make changes.
At "Date: 2012-03-21 13:16:11 PDT" jbmetz, the developer of libewf, makes the following comment:
Ex01/Lx01 is actually a completely different format, at the lower level.
Guidance has released part of the format specification.
For now I lack the time to do anything serious on Ex01.
It seems that:
a) Guidance have released only part of the specification
b) libewf doesn't support Ex01
This is not evidence of openness. I would love to see signs that Guidance wants to engage with the community. The mess with EnCase 7 doesn't show engagement with the forensic community; it shows that they don't know or care what we need.
They could, for one, add support for AFF evidence files (AFFLIB) for a start to show that they support open formats.
The forensic community is blessed to have people like JB Metz who have written tools so that we can have access to proprietary formats like EWF (.E01).
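Since the thread turns on whether EWF (.E01) is "open", it helps to see what the published part of the format actually looks like. The following is an added example, not code from any post in this thread and not libewf itself: it builds a constructed, minimal single-segment EWF file in memory and walks its section chain using the segment-file layout that the libewf project documents (13-byte file header with the "EVF\t\r\n\xff\x00" signature; 76-byte section descriptors carrying a type string, the absolute offset of the next section, the section size, and an Adler-32 over the first 72 bytes; a "done" descriptor that points at itself). The sample only contains a zlib-compressed "header" section and the terminating "done" section, so it is not a real EnCase image, which would also carry header2, volume, sectors and table sections.

```python
"""Walk the section chain of an EWF (.E01) segment file.

Layout per the EWF description published by the libewf project:
  file header : 8-byte signature "EVF\t\r\n\xff\x00", 0x01, uint16 segment number, uint16 0
  section desc: 16-byte type string, uint64 offset of next section, uint64 section size,
                40 bytes padding, uint32 Adler-32 of the preceding 72 bytes
The chain ends at a 'done' descriptor whose next-offset points at itself.
"""
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER = struct.Struct("<8sBHH")       # signature, fields start, segment no, fields end
SECTION_DESC = struct.Struct("<16sQQ40sI")  # type, next offset, size, padding, checksum


def _descriptor(stype: bytes, next_off: int, size: int) -> bytes:
    """Build one 76-byte section descriptor with a valid Adler-32 trailer."""
    body = struct.pack("<16sQQ40s", stype.ljust(16, b"\x00"), next_off, size, b"\x00" * 40)
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF)


def build_segment(header_text: str) -> bytes:
    """Constructed sample: file header, one zlib-compressed 'header' section, then 'done'.
    This is synthetic test data, not output of EnCase or any other imager."""
    payload = zlib.compress(header_text.encode("utf-8"))
    out = bytearray(FILE_HEADER.pack(EWF_SIGNATURE, 1, 1, 0))
    hdr_off = len(out)
    hdr_size = SECTION_DESC.size + len(payload)
    done_off = hdr_off + hdr_size
    out += _descriptor(b"header", done_off, hdr_size) + payload
    out += _descriptor(b"done", done_off, SECTION_DESC.size)
    return bytes(out)


def walk_sections(data: bytes) -> list:
    """Return [(type, offset, size, crc_ok), ...] for every section in the chain.
    Raises ValueError on a bad signature, a backwards link, or a descriptor past EOF."""
    sig, start, _segment, end = FILE_HEADER.unpack_from(data, 0)
    if sig != EWF_SIGNATURE or start != 1 or end != 0:
        raise ValueError("not an EWF-E01 segment file")
    sections = []
    off = FILE_HEADER.size
    while True:
        if off + SECTION_DESC.size > len(data):
            raise ValueError(f"section descriptor at {off} runs past end of file")
        raw = data[off:off + SECTION_DESC.size]
        stype, next_off, size, _pad, crc = SECTION_DESC.unpack(raw)
        crc_ok = (zlib.adler32(raw[:72]) & 0xFFFFFFFF) == crc
        name = stype.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, off, size, crc_ok))
        if name == "done" or next_off == off:   # 'done' links to itself: end of chain
            break
        if next_off <= off:                     # refuse to loop on a corrupt/malicious link
            raise ValueError(f"section '{name}' at {off} links backwards to {next_off}")
        off = next_off
    return sections


def read_header_text(data: bytes) -> str:
    """Decompress the payload of the first 'header' section, refusing a bad checksum."""
    for name, off, size, crc_ok in walk_sections(data):
        if name == "header":
            if not crc_ok:
                raise ValueError("header descriptor checksum mismatch")
            payload = data[off + SECTION_DESC.size:off + size]
            return zlib.decompress(payload).decode("utf-8")
    raise ValueError("no header section in segment")


if __name__ == "__main__":
    seg = build_segment("1\nmain\nc\tn\ta\te\tt\n")   # constructed header text
    for name, off, size, ok in walk_sections(seg):
        print(f"{name:8s} offset={off:6d} size={size:6d} crc_ok={ok}")
    print(repr(read_header_text(seg)))
```

The backwards-link check and the checksum verification are the parts worth keeping if you adapt this to real images: a section chain is exactly the kind of untrusted, attacker-supplied structure that evidence tooling parses, and a parser that follows offsets blindly will loop or read out of bounds on a crafted file.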
We're looking at purchasing either EnCase 7 or FTK4 for our agency. Since both are relatively new, I've not been able to find too many reviews of the products. Ideally, we would like to purchase both, but our budget will limit us to only purchasing one for now. Which piece of software would you recommend to an agency that currently has no commercial forensic software?
Thanks for your input.
I tried FTK 4 vs EnCase 7 for a month and we were processing the same evidence files (HDD images that vary from 50 GB to 200 GB).
Our conclusion was:
- FTK uses 100% of our workstation (see specs at the end) while processing; we need to stop using the workstation. When it finishes, the index searches are slow and we can't transfer the case to computers with less capacity. FTK takes a lot of time (it almost doesn't finish processing a case if you don't have a powerful computer).
- EnCase uses 40% of our workstation while processing; the workstation is totally responsive. It finishes between 30 minutes and 1.5 hours after FTK. When it finishes, the index searches are faster than FTK's and we can transfer the case to other computers with less capacity (EnCase lets you use a less powerful computer to process a case; it takes more time, but it finishes).
If you need a lot of speed and have the money to buy FTK-compatible computers, FTK could be your solution.
If you don't care about 1.5 hours of additional time while processing and you would like to be able to easily transfer the case to more than one investigator who has a less powerful computer (or process the case on a less powerful computer), EnCase could be your solution.
By the way, we used FTK 184.108.40.206 and EnCase 7.06.01.
Note: EnCase 7 lets you restore a case after EnCase crashes, and it takes no more than 5 minutes to open a 120 GB case. We worked on a case with 5 images of 150 GB in the same case and it takes 10 minutes to open the case after a crash. Before the crash the 5 images were completely processed with the following processing options enabled: Recover folders, File signature analysis, Protected files, Thumbnail creation, Hash analysis (only SHA), Find email and Indexing (only files that are not in the library).
Workstation specs:
- Two Intel Xeon CPU E5-2630 @ 2.30 GHz processors
- 32 GB of RAM
- 64-bit Windows 7 Professional
- Disk 0: for Windows [OS (C:)] and System. EnCase or FTK was installed on this HDD.
- Disk 1: 2 TB 10K; this drive is where evidence is stored.
- Disk 2: a RAID 0 composed of 3 HDDs at 15K; this RAID is used for the cache or the database.
I would give ILookIX by Perlustro a good look.
Might I ask you if you actually already gave it a good look?
And if you are - by any chance - connected with Perlustro?
No offence whatsoever intended, but every time someone on his/her first post recommends a tool it is logical to suspect some form of astroturfing, and this particularly happened with Perlustro in the past:
And with it exceeding NIST criteria:
I have used all three. Am I connected? I am a retired LEO, and I have been using ILook for 14 years and do know the developers at Perlustro very well. Check the records: I have been a member of this forum for a number of years (since 2007). My contributions have been limited, but when I have something to say, I say it.
Yes, you joined in 2007 BUT posted for the FIRST time today. (I would say that your previous post was your first and only contribution.)
I would be interested if you (or the Perlustro developers you know well) would care to comment on the linked to thread:
As well it would be nice if you could post/report your personal opinions on the tool/experiences with it, rather than citing "vague" anecdotal reference such as:
One LEO was able to image 52 computers having HD's of 250GB to over 1 TB, RAIDS included in 6 hrs by two special agents to a combination of external storage devices.
jaclaz, I see your orange Tucker and raise you a 24-point font, sir!
I am dealing with the marketing trolls from Perlustro in some LinkedIn discussions about X-Ways that have nothing at all to do with ILook.
Out of the blue someone named Ian Brownlie (http://goo.gl/O9ZrX) shows up and starts spouting off all the used-car-salesman type stuff about Perlustro and how it can find evidence from cases without even having the images related to that case, how it solved the Enron case in 27.1 minutes, and on and on.
This same distinguished gentleman then went on to send me messages like this:
PERLUSTRO no longer supply demos, as no other product can recover the files that their products can; what they offer is a 60-day money-back guarantee that you can't find another tool that can find more files than they can. (No other company offers this guarantee.)
There actually is a demo for the imager that was given to all that attended HTCIA in Hershey. The restriction is that the image files it makes are proprietary .asb which can only be read in ILookIX.
The data on the PERLUSTRO site is the results of the NIST images processed through ILookIX and are there for the benefit of registered ILookIX users to verify their results after they themselves have done a comparison of the NIST images first.
How can you refute IXImager claims if you don't even have access to the program? IXImager is not just an imager; it can boot/image/restore/clone etc. 99% of any computers ever made.
Try this scenario: 52 desktops imaged in 6 hours, some of those RAID (the imager boots the computer, loads into RAM and then ejects the disk, all under a minute). If the computer is found turned on, the imager can reboot the computer fast enough to capture volatile RAM.
PERLUSTRO are a small company and their products are always a constant work in progress; the product is built on average at least every 48 hours, or whenever something can be improved. As they don't spend money on marketing, it is all by results and word of mouth. Perlustro was only ever available to law enforcement and certain government agencies whilst the US government footed the bill. The product is nothing like the free version used to be; 2 years ago there were 7,000,000 files that no other product used to see. 12 months ago it took 24 hours to process the Enron case; now it takes just over an hour.
ILookIX costs US$2,200 for the first year, and it will be no more than $1,560 for the second and subsequent years. Perlustro don't charge any extra for upgrades and new versions whilst the licence is valid. For that you get the most advanced forensic solution available. This includes the ability to create a licenced copy of IXImager, and an enterprise-licenced SQL Server 2008 R2 (this alone costs more than the ILookIX licence if you were to buy it separately). This SQL Server is yours to do with as you wish (you can run other programs from it etc.; it is not locked down). You can also create IVault files that can be imported into the reviewing tool IVAULT. IVault is a separate reviewing tool with which you can access/share files or case data and print or export to other formats such as Concordance/Ringtail etc.
When you have done your testing with any tool of your choosing, please post your results for all to see. If you like, see how long it takes you to process the Enron case.
I am happy to discuss this further; however, I think if you wish to do it publicly we need to choose another forum.
I doubt ZORAN will allow this to be listed; it is still in the queue.
I still am not seeing the NIST DFR test reports of WinHex? Notwithstanding your protests about product costs and the fact that no one can do forensics but the FBI, I still don't understand how, if it is so simple and easy for WinHex to pass the DFR tests, you won't just publish the same tests Perlustro has.
Evidently WinHex can't pass the tests? Or WinHex will not publish the test results because they are waiting on your write-up to clear the air on the issue.
Or maybe there is something else going on preventing a 15-minute test from being performed because of more pressing tests of more importance.
It's just simple NIST tests about Deleted Files. You're not trying to buy time, are you? Perlustro published them 5 months ago now. Maybe when the terror events give you more of a time break you can get to them.
Stay classy Ian.
Right in Ian's response he says the Perlustro NIST tests are for the benefit of other ILook users rather than an objective test and comparison against other forensic suites.
My guess is twhip is this guy: Ted Wypych, with LinkedIn profile goo.gl/O1nGz.
He does the same kind of trolling there along with Ian and someone named Richard Boddington, with profile goo.gl/Vkyyh.
My guess is it's all the same person or persons with a few accounts. They contribute as much stuff to LinkedIn as they do here, namely astroturfing posts.
Search through LinkedIn for their names and the Perlustro/ILookIX group (that has 16 members) and see how they operate. I know Ian is a member of every vendor's group and posts the same kind of stuff about Perlustro in all of them.
Hey twhip, I can tell you that people are NOT getting asked about the NIST images in court (or at least state and federal court in the United States), or at least not in the dozens of hearings and trials I have gone to and been a part of in the past few years.
Testing against the VERY LIMITED NIST images as it relates to finding deleted files has little to do with the totality in accuracy or capabilities of a forensic tool.
If you think about it, a deleted file is, for a lot of the NIST images, just a filename and dates without content. In all but very limited circumstances, that will NOT be anything even close to your core evidence about what happened on a computer as it relates to proving a case.
In the few NIST images I have tested, X-Ways Forensics did just fine in finding the files that it should according to the NIST documentation.
They then drone on and on about the NIST images, but if you look on the Perlustro page, it reports NOTHING about the findings at all. Not a THING as to how Perlustro did. It just contains the number of files found before and after a bunch of stuff that only makes sense to ILook users.
Why don't they do something logical like:
Nist image 01:
Expected files: 3
Found by ILook: 2
Missing file was foobar.txt
Nist image 02:
Expected files: 4
Found by ILook: 4
and so on.
This allows direct comparison between forensic tools, but do they do that? No! It's the same drivel they post about all the other OneOfAKindWeDoItAllBESTTOOLINTHEWORLD statements on their site without any context at all.
They also have a bunch of file systems and stuff not even included in the NIST sets. Why?
As jaclaz also alluded to, Perlustro says they imaged 56 computers in 6 hours. Big deal! How many instances of ILook were used? 56? I would argue any imaging program can do the same. Where are the details? What OS? What size were the drives? Where were the images being written to? Did that include any setup time?
How many people were doing it?
On the IACIS list last year some salesman jumped in about how the ILook imager was so fast and threw out all these numbers. I showed better performance with X-Ways Forensics and Imager across the board with as close to the same kind of test as they did.
Another LinkedIn user put it best:
A lot has already been said about Perlustro's marketing techniques, so I won't elaborate on them. As far as I'm concerned, I tend to run away from professional tools that are marketed like washing powder.
I can only hope the owners of Perlustro are not aware of how their product is being marketed. I have heard good things about the developers from people I respect.
For anyone considering ILook, be aware that the licence expires the day you stop paying maintenance and the licence is tied to a single computer. Let's not forget the horsepower that is necessary to ensure SQL Server runs decently, as this is an additional expense. Finally, can ILook write DDs or E01s, or just their proprietary format? If it's just the proprietary format, that surely seems to be a means to lock you into sticking with ILook, as all your evidence will be in a format no other vendor supports (which again is an interesting question: why don't other vendors support ILook's imaging format?).
It's no secret I am pro X-Ways, and the reasons compared to ILook are obvious:
- I can get XWF with years of maintenance for the same price as ILook
- I can run XWF as many times as I want on any computer I want
- XWF spends their money on their product, not marketing shills
Sorry to possibly hijack the thread, but it had to be said!
A court doesn't "qualify" a software as valid, the user does. A competent forensic analyst can use a mediocre tool and have the results admitted as evidence in a case. An incompetent analyst (loosely named "analyst") can take the best tool and have all evidence excluded in a pre-trial hearing because they didn't know what they were doing. It is the analyst that makes the tool, not the other way around.
Brett, I just read this on the Perlustro website:
It empowers any end user, from novice to expert, to conduct an investigation quickly, with a reliability scale unmatched in any other tool.
You may be a prominent forensic expert, but can you honestly say that your "reliability scale" is as unmatched as a novice user of Perlustro's ILooKIX?
Didn't think so.
Wow! Lots of vindictiveness when ILook is mentioned. When other tools are mentioned, people just ask questions.
Debbie, here are a couple of comments made when one of the "other tools" was mentioned in this thread.
EnCase 7 is apocalyptically bad.
Encase 7 is the worst version of Encase I have ever seen.
You call those questions? What you call "vindictiveness," I call observational humor, and it's directed at nonsensical claims made by Perlustro and its devotees.
As for whose words we're criticizing, I remind you that one of the lengthy posts was purportedly an email from Jim Baker himself, and I personally took issue with the tone and language of the Perlustro website. Neither of those can be considered written by users, can they?
For the curious, here's a textbook example of the overuse of glowing superlatives: http://www.perlustro.com/solutions/e-forensics/ilookix
If, in fact, the posts here were all made by legitimate users (and not paid shills), it would appear that Perlustro attracts users with a mindset similar to its own. To reiterate, this isn't so much about vindictiveness as it is about appreciating the humor in everyday life. I, for one, am grateful that Perlustro possesses a comicality scale unmatched in any other tool. Smiles make the world a better place.
[Eric, I appreciated your contribution as well. Count me as a fan of the "52 computers in 6 hours" anecdote.]
I went to the Perlustro website and read what was at this post, and to me it was a dated introduction to the new commercial ILook once it was available. For old users, it told us what was new. ILook really does do what it says there (actually it does considerably more since that was written, as it is always being improved, although the website is nowhere near as up to date as the tool).
Sure there's a bunch of hyperbole about ILook being the greatest tool on earth, and to many, if not all, of the actual paying customers, it is the greatest tool on earth.
As I mentioned in another post, Perlustro could definitely use some professional public relations, website, marketing help, but instead choose to spend their resources on making ILook a fantastic tool.
Smiles make the world a better place.
I couldn't agree more. The developers at Perlustro often make me smile, especially when they come out with yet another new feature at no extra charge.
[Eric, I appreciated your contribution as well. Count me as a fan of the "52 computers in 6 hours" anecdote.]
I have taken part in operations like this, although not to this scale. The reason it is so simple to image so many computers at one time using IXImager is because it boots almost every computer that is currently in normal operation in a business, or used personally, and write-protects the internal drive by default (assuming a good boot, not booting to the internal drive, but instead to the floppy, CD or USB). My licence allows me to make as many of these CDs or USBs as I need to get the job done. The only hardware I need is some sort of carrier to hold the drive where the image will be written, and a hard drive to hold the image. So, it includes a solution that costs me a couple of hundred bucks per PC/laptop that needs to be imaged and allows me to complete all these images at essentially the same time. It's pretty slick.
Another wonderful reply from Ian:
Ian Brownlie has sent you a message.
Subject: RE: where can we get a demo or trial of ilook? i wait, i cant, not even of their imaging tool. why does it matter if some arbitrary test...
I emailed Perlustro and they said they would bet $10,000.00 to St. Jude that they would whip the ass off your tool. (This is of course a standing offer for you and your buddies.)
I told them I'd put up another 1k on top.
When are we going to get started?
Who do you want to elect to hold the money?
Oh, BTW, VSS is OFF the table as a method to recover data, as is registry hive deleted keys, but if you really want to lose faster, I'll add them in.
If you wish to discuss this further, pick another forum instead of defaming or making defamatory comments on other forums without checking first.
For your information, according to Perlustro, the FBI was one of the largest licence holders of ILook and ILookPI when the product was free......
Wonder why they want to limit the testing by excluding VSS and registry hive deleted keys detection, or are they the world leaderz in that too?
Also, every govt agency there is was using it, since the US govt was paying for its development, yes?
Use their specifications guide to configure your system properly; put your DB on a dedicated SSD.
And your ADTemp folder if you can. If in doubt, move the whole user directory in your Environment Variables for uberspeed.
Try to find an AccessData Oracle DB installer disc, because from my experience PostgreSQL tends to crash FTK when working with moderately large cases (2 million+ items).
Something's wrong with your Postgres implementation. Anyway, SQL is the future. Postgres and SQL will both outperform Oracle.