Hi all,
I'm currently studying for an MSc in digital forensics. For some reason, the lecturers are pro open-source tools and seem very much against EnCase, going as far as to describe it as 'push button'. I'm greatly offended by this and I'm beginning to question the value of the course, as I studied EnCase for 3 years for my BSc and found it to be amongst the best, if not the best, forensics tool I've ever used. Needless to say, this is why it's used in both the private and public sector.
Don't get me wrong, I love open-source too, but anyone saying that EnCase does the investigation for you has clearly had little experience with the tool, or working in the industry.
What are your thoughts?
Open source is good for people who don't place much value on their time.
Having said that I do believe people need to understand how things work at the low level. People with the best low level knowledge understand the higher level better as well (especially when there are bugs in the higher level stuff).
e.g. a good assembly level programmer will write more efficient code in C# (as a broad generalisation)
I've found those who use the term "push button forensics" suffer from delusions of grandeur. It's like refusing to use a belt sander to sand a wooden table because "in the old days all they had was normal sand paper you used by hand".
As long as you understand the underlying process of what the tools are doing and can adequately explain them for court or other legal proceedings then it matters diddly squat what tool you use.
Universities tend to breed elitism in this field…
There are many good reasons for using Open Source tools on an MSc course.
Firstly commercial forensic tools change and the tools you would use in industry would very much depend on the area you work in. For example E-discovery jobs use NUIX and similar tools a lot more compared to a Police Hi-Tech Crime Unit which would likely use Encase 6/X-Ways/FTK.
This latter example also brings up another problem with commercial tools in relation to Encase: basically, do you teach with Encase 6, which is aging, or Encase 7, which isn't really fit for purpose IMHO.
Secondly, the point of MSc and BSc degrees is to teach the underlying principles and understanding of what a tool does. You learn a lot more from the Open Source tools as you have to do a lot more of the work yourself. Learning how to extract data from a Google Chrome history file using an SQLite browser teaches you far more than pressing a button in IEF.
Lastly, cost may force the issue. I know subscriptions for forensic tools are quite expensive and paying for a licence for each student for Encase/X-Ways/FTK + IEF and other tools may push the cost of the course up.
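As an added illustration of the Chrome history point above (this is example code written for this thread, not something posted by the author or shipped with any of the tools named): Chrome's History file is an SQLite database, and its urls table stores last_visit_time as microseconds since 1601-01-01 UTC (the WebKit epoch), which is why a raw SQLite browser shows it as a large opaque integer. The script builds a constructed sample History file with a subset of the real urls columns, opens it read-only, and decodes the timestamps the way a suite does behind the button. The sample rows are invented; the column names and the epoch are Chrome's real ones.

```python
"""Pull browsing history out of a Chrome 'History' SQLite file and decode its timestamps.

Chrome stores visit times as microseconds since 1601-01-01 00:00:00 UTC (the
WebKit epoch), not the Unix epoch. The conversion below is what the 'push button'
tools do behind the scenes.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime.
    A value of 0 in the urls table means 'never visited'; return None for it."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(dt):
    """Inverse conversion; used to build the sample data and to cross-check the decoder."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history(path):
    """Create a constructed 'History' file using a subset of the columns of Chrome's urls table.
    The rows are invented sample data, not taken from any real system."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, "
        "visit_count INTEGER DEFAULT 0 NOT NULL, typed_count INTEGER DEFAULT 0 NOT NULL, "
        "last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0 NOT NULL)"
    )
    rows = [
        (1, "http://example.com/", "Example Domain", 3, 1,
         utc_to_webkit(datetime(2013, 5, 1, 12, 0, 0, tzinfo=timezone.utc)), 0),
        (2, "http://example.org/login", "Login", 1, 0,
         utc_to_webkit(datetime(2013, 5, 1, 9, 30, 15, tzinfo=timezone.utc)), 0),
        (3, "http://example.net/never", "Never visited", 0, 0, 0, 1),
    ]
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def extract_history(path):
    """Return the urls table as a list of dicts ordered by last visit (oldest first),
    with the timestamp decoded to an ISO-8601 UTC string (None when never visited)."""
    # Open read-only so the working copy of the evidence cannot be modified by accident.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    try:
        cur = con.execute(
            "SELECT id, url, title, visit_count, typed_count, last_visit_time, hidden "
            "FROM urls ORDER BY last_visit_time"
        )
        result = []
        for row in cur:
            when = webkit_to_utc(row["last_visit_time"])
            result.append({
                "id": row["id"],
                "url": row["url"],
                "title": row["title"],
                "visit_count": row["visit_count"],
                "typed_count": row["typed_count"],
                "hidden": bool(row["hidden"]),
                "last_visit_raw": row["last_visit_time"],
                "last_visit_utc": when.isoformat() if when else None,
            })
        return result
    finally:
        con.close()


def demo():
    """Build the sample file in a temporary directory, parse it and return the rows."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "History")
        build_sample_history(path)
        return extract_history(path)


if __name__ == "__main__":
    for entry in demo():
        print(entry["last_visit_utc"], entry["visit_count"], entry["url"])
```

Two details worth noticing when doing this by hand: a last_visit_time of 0 is "never visited" rather than 1601-01-01, and the decoded times are UTC, so the examiner still has to apply the machine's time zone before comparing with other evidence. On a live system Chrome holds the file open, so the examination is done on a copy or an image, never the original.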
A forensic examiner should have knowledge of as many different forensic tools as possible. Relying on 1 tool for everything is pretty bad practise…
EnCase does tend to hide a lot of the underlying process. It is always important to understand exactly what the forensic tools you are using, and general forensic processes, do at a very low level. It is always good to broaden your knowledge!
Hmm. Are you doing your MSc in De Montfort? Heh.
I think the big takeaway here is that
I once had a course professor argue that you can't trust EnCase because it doesn't show you its workings. He put forward that his own methods, written in Pascal and C, were the best because he wrote the code and so he knows what happens. But in reality he doesn't know what is happening, because he is still using a "black box" - his compiler. He maintained that he could test and verify the output of his scripts as they were repeatable, and I tried to make the point that this could also be done with EnCase - but he didn't understand.
I haven't used EnCase in a long time…in part because it (and other tools) do not allow me to do the things I need to do in an investigation, particularly timeline analysis.
However, if someone wants to use EnCase, they are more than welcome to do so. My concern with commercial forensic applications is not that they're "push button", but more so the sheer number of analysts who use them as such. I've heard analysts state that if EnCase didn't locate, parse, and display the necessary data, then it's likely not important. That's not an indictment of the application, it's an indictment of the analyst.
That is not to say that I don't use commercial tools…I do, when necessary, and when I know what they're doing to collect or parse certain data. For the most part, I use open source tools, many of which I wrote myself, and achieve much more detailed results in less time than others take using other open source tools, or commercial ones.
I find it silly to discuss "Commercial" vs. "Open Source".
Besides the fact that something can be BOTH Commercial AND Open Source, the discussion starts making sense if it is about "good" tools and "bad" tools, and as well about "push button" vs. "hand driven" tools.
Judging from what has been reported on the forum for years, even "Encase 6" vs. "Encase 7" seems like a nice topic for discussion.
In any case since we are talking of a "learning path", and not of "practice", I dare to say that someone who knows how to use a zillion of little, specific or "narrow oriented" tools (not necessarily "Open Source") will learn how to use a "suite" easily while maintaining the "low level" knowledge he learned earlier, whilst the opposite is not true, as after having spent a few years using exclusively (or almost exclusively) a given "suite" (not necessarily "Encase" and not necessarily "Commercial") it is probable that the investigator will rely blindly on it or however he/she will have lost contact with the "low level" essentials.
All in all they are IMHO just and only "tools", it is the hand (and brain and experience) that drives them that might make a difference in the results.
jaclaz
Hmm. Are you doing your MSc in De Montfort? Heh.
Napier (Scotland).
Thanks for the input everyone. I agree that using lots of tools is a good thing and I enjoy learning about open-source tools as well as commercial. I do think that the examiner's brain is the most important thing regardless of whatever tool you use. In my books, EnCase is still one of the very best out there for what it does.
As a side note, is this MSc by any chance done in De Montfort?