Autopsy 3: The Limitations

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Autopsy 3: The Limitations

Post Posted: Mon Jul 21, 2014 6:15 am

Hi there,

I'm currently doing some research into the limitations of open source and proprietary computer forensic tools and was advised to ask the Forensic Focus community for some of their experiences with Autopsy 3 and any limitations that have been found with it.

I'm currently in the process of stress testing Autopsy, so any information I find I will happily post here. So far I've looked at file size limitations (a 750GB compressed image), which was fine, and noticed that Autopsy does not show images that are in Microsoft Office documents - but I'm still trying to find a way around that.

So any help would be greatly appreciated. Thanks  

Last edited by twebster01 on Mon Jul 21, 2014 6:54 am; edited 1 time in total

twebster01
Newbie
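One way around the embedded-picture limitation noted in the post above, as an added example rather than code from this thread or from Autopsy: Office Open XML documents (.docx, .pptx, .xlsx) are ZIP containers, and pictures are stored as separate members under word/media/, ppt/media/ or xl/media/, so they can be listed, type-checked by magic bytes and hashed directly. The sample document below is constructed inline (a ZIP with the OOXML folder layout and two stub image members), not a real Word file. Legacy binary .doc/.xls/.ppt files are OLE2 compound files, not ZIPs; the code rejects those explicitly rather than reporting "no images".

```python
import hashlib
import io
import zipfile

# OOXML (.docx/.pptx/.xlsx) is a ZIP container; embedded pictures live under
# the per-application media folder.
MEDIA_PREFIXES = ("word/media/", "ppt/media/", "xl/media/")

# Magic bytes used to sanity-check that a media member really is an image.
IMAGE_MAGICS = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
)

# Signature of an OLE2 compound file (legacy .doc/.xls/.ppt), which is not a
# ZIP and is deliberately rejected rather than silently returning nothing.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def sniff_image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGICS:
        if data.startswith(magic):
            return kind
    return None


def extract_embedded_images(ooxml_bytes):
    """List every media member of an OOXML container as
    (member_name, sha256_hex, image_type, size_in_bytes).

    Raises ValueError for input that is not a ZIP, so a legacy OLE2 file
    is reported as unsupported instead of as 'no images found'."""
    if ooxml_bytes.startswith(OLE2_MAGIC):
        raise ValueError("OLE2 compound file (legacy Office format), not OOXML")
    if not zipfile.is_zipfile(io.BytesIO(ooxml_bytes)):
        raise ValueError("not a ZIP/OOXML container")
    results = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(MEDIA_PREFIXES):
                data = zf.read(info)
                results.append((
                    info.filename,
                    hashlib.sha256(data).hexdigest(),
                    sniff_image_type(data),
                    len(data),
                ))
    return results


def build_sample_docx():
    """Constructed sample: a ZIP with the OOXML folder layout and two stub
    media members (correct magic bytes, filler body). Not a real document."""
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # 24 bytes
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 8    # 12 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/media/image1.png", png_stub)
        zf.writestr("word/media/image2.jpg", jpeg_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for name, digest, kind, size in extract_embedded_images(build_sample_docx()):
        print(f"{name}\t{kind}\t{size} bytes\tsha256={digest}")
```

The hashes let the extracted pictures be matched against a hash set or against the same picture found elsewhere on the image, which is the usual reason one wants them surfaced in the first place.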
 
 
  

Re: Autopsy 3: The Limitations

Post Posted: Mon Jul 21, 2014 6:29 am

- twebster01

I'm currently doing some research into the limitations of open source and propitiatory computer forensic tools and was advised to ask the forensic focus community for some of their experiences with Autopsy 3 and any limitations that have been found with it.

Propitiatory? Shocked
www.merriam-webster.co...opitiatory

May I ask what is the scope of the research?

Is it a comparison review of some kind?

And if yes which tools are you going to analyze?

I mean, these three sentences may all be fine:
  1. Autopsy cannot plurdle gabbleblotchits
  2. Autopsy cannot plurdle gabbleblotchits but Commercial tool xy can
  3. Autopsy cannot plurdle gabbleblotchits and as well NO Commercial tool can
but they do carry with them some slightly different meaning. Wink

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Autopsy 3: The Limitations

Post Posted: Mon Jul 21, 2014 7:10 am

The scope is to determine the reason commercial tools are used over open source tools such as Autopsy. The tools that I'm reviewing are AccessData FTK, Encase, Autopsy. In a nutshell, I'm comparing open source and commercial tools and why commercial tools are used  

twebster01
Newbie
 
 
  

Re: Autopsy 3: The Limitations

Post Posted: Mon Jul 21, 2014 11:03 pm

- twebster01
The scope is to determine the reason commercial tools are used over open source tools such as Autopsy.


If you are after determining the *reason*, do you think comparing tools yourself will provide you with this answer? My guess is that the *reason* why they prefer one or the other will differ per organisation.

A couple of my *reasons* to use Open Source:

digital-forensics.sans...m_Metz.pdf  

joachimm
Senior Member
 
 
  

Re: Autopsy 3: The Limitations

Post Posted: Tue Jul 22, 2014 7:25 am

- twebster01
The scope is to determine the reason commercial tools are used over open source tools such as Autopsy. The tools that I'm reviewing are AccessData FTK, Encase, Autopsy. In a nutshell, I'm comparing open source and commercial tools and why commercial tools are used


And what if the 'limitations' have nothing to do with it? You'll find limitations, no doubt. Every tool has them. However, that may have nothing to do with why people use commercial solutions instead. For instance, what about marketing? How much does Guidance or AccessData spend on advertising? How much does Autopsy?

If you limit yourself strictly to how the program performs, you will never get the whole answer.  

twjolson
Senior Member
 
 
  

Re: Autopsy 3: The Limitations

Post Posted: Tue Jul 22, 2014 8:45 am

- twebster01
... their experiences with Autopsy 3 and any limitations that have been found with it.


Doesn't seem to handle large ISO-9660 images well. However, I used a synthetic image, so it might be argued that it is not a 'real-life' situation. (Not reported as a bug yet.)

There's also (issue #164 in the Autopsy issue tracker at github.com/sleuthkit/a...tate=open) some problems with NTFS time stamp interpretation.

However ... any closed-source products should be checked for similar issues. See articles.forensicfocus...imestamps/ for some details. It may give you ideas for additional tests.  

athulin
Senior Member
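The NTFS time stamp point raised in the post above suggests a concrete test. As an added example (not code from this thread, from Autopsy or from The Sleuth Kit), here is a Python decoder for the four FILETIME values at the start of an NTFS $STANDARD_INFORMATION attribute body (created, modified, MFT modified, accessed; 64-bit little-endian counts of 100 ns intervals since 1601-01-01 UTC). It flags the cases a tool can get wrong: the zero value, pre-1970 values (negative time_t), post-2038 values (32-bit time_t overflow), sub-microsecond ticks that second- or microsecond-granularity conversions drop, and values beyond what a year-9999 calendar type can hold. The 32-byte on-disk sample is constructed inline for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Seconds between 1601-01-01 and 1970-01-01 (UTC).
UNIX_EPOCH_OFFSET_SECONDS = 11_644_473_600
MAX_INT32 = 2**31 - 1

SI_FIELDS = ("created", "modified", "mft_modified", "accessed")


def describe_filetime(ft):
    """Decode one 64-bit FILETIME into a dict with the UTC ISO string, the
    Unix seconds value and a list of interpretation hazards."""
    if not 0 <= ft < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    seconds, rem = divmod(ft, TICKS_PER_SECOND)
    micros, ticks = divmod(rem, 10)      # datetime only holds microseconds
    unix_seconds = seconds - UNIX_EPOCH_OFFSET_SECONDS
    flags = []
    if ft == 0:
        flags.append("zero (commonly means 'not set')")
    if unix_seconds < 0:
        flags.append("pre-1970 (negative time_t)")
    elif unix_seconds > MAX_INT32:
        flags.append("post-2038 (overflows 32-bit time_t)")
    if ticks:
        flags.append("sub-microsecond ticks dropped by datetime conversion")
    try:
        dt = FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=micros)
        iso = dt.isoformat()
    except OverflowError:
        # e.g. 0xFFFFFFFFFFFFFFFF, far beyond year 9999
        iso = None
        flags.append("beyond year 9999 (not representable as datetime)")
    return {
        "filetime": ft,
        "unix_seconds": unix_seconds,
        "iso": iso,
        "ticks_100ns": ticks,
        "flags": flags,
    }


def parse_standard_information(attr_body):
    """Decode the four FILETIMEs at offsets 0x00-0x1F of an NTFS
    $STANDARD_INFORMATION attribute body (little-endian)."""
    if len(attr_body) < 32:
        raise ValueError("need at least 32 bytes of attribute body")
    values = struct.unpack("<4Q", attr_body[:32])
    return {name: describe_filetime(v) for name, v in zip(SI_FIELDS, values)}


# Constructed sample: four time stamps packed as they would sit on disk.
SAMPLE_SI = struct.pack(
    "<4Q",
    130503969000000000,   # 2014-07-21 06:15:00 UTC
    130503969001234567,   # same instant + 0.1234567 s
    138534624000000000,   # 2040-01-01 00:00:00 UTC
    0,                    # unset
)


if __name__ == "__main__":
    for name, info in parse_standard_information(SAMPLE_SI).items():
        print(f"{name:13s} {info['filetime']:>20d}  {info['iso']}  {info['flags']}")
```

To turn this into a test of a tool, write the same four values into a test image (or pick files on a real one whose raw $STANDARD_INFORMATION bytes you have hex-dumped) and compare the tool's displayed times against this decoder's output, paying particular attention to the pre-1970, post-2038 and sub-second cases.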
 
 
  

Re: Autopsy 3: The Limitations

Post Posted: Tue Jul 22, 2014 11:45 am

Allow me to add a couple of considerations.

#1. Implied differences
Encase or FTK are more or less what could be called forensic "suites"; most of the work the good guys making these products do is about integrating features into the "suite" and making these features "compatible", "user friendly" and "integrated" in a given workflow.
Autopsy aims more or less to do the same, but it should be clear that an Open Source project will have fewer resources to dedicate to the project and it is more about "core" features. On the other hand there is a zillion other Open Source (or otherwise free/freely available) smaller/simpler programs available that (in the hands of an expert digital forensicator) can often (if not always) replicate the features that either Encase or FTK offer and that Autopsy may miss.
I.e. IMHO "FTK vs. Autopsy" or "Encase vs. Autopsy" are "unfair" comparisons, whilst "FTK vs. Autopsy+ALL the other Open Source or free software available" or "Encase vs. Autopsy+ALL the other Open Source or free software available" would be much fairer (though extremely difficult to actually carry out).

#2. Responsibility (or faster procedures in Court)
Encase or FTK are long time known Commercial tools, already used in Courts all over the world and "accepted" (either explicitly or implicitly) by most Courts.
This *somehow* helps in the acceptance of the results coming from an investigation carried out with one or the other tool, making it easier for the digital investigator to have his/her "expert witness" status not be challenged, and also *somehow* taking part of the responsibility off his/her shoulders.
This could be a good reason (independent from the actual "quality" or completeness of the tool) to make someone choose one of these Commercial suites over Open Source solutions.

A good example of a case where in practice something is preferred, in this case why a disk is wiped before being used as a target for a forensic image, has been given by jhup, here:
www.forensicfocus.com/...1/#6559991
and following:
www.forensicfocus.com/.../start=14/
and it is a sound, logical reason, which has nothing to do with the "purely technical" part.

So, as twjolson just highlighted, the reason why *something* is preferred over *something else* may not necessarily be connected to how technically good the *something* or the *something else* is.

Think about VHS vs. BetaMax Wink

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member