
MSc Forensics Controversy

37 Posts
21 Users
0 Likes
3,623 Views
(@sphere)
Posts: 7
Active Member
Topic starter
 

Hi all,

I'm currently studying an MSc in digital forensics. For some reason, the lecturers are pro open-source tools and seem very much against EnCase, going as far as to describe it as 'push button'. I'm greatly offended by this and I'm beginning to question the value of the course, as I studied EnCase for 3 years for my BSc and found it to be amongst the best, if not the best forensics tool I've ever used. Needless to say, this is why it's used in both the private and public sector.

Don't get me wrong, I love open-source too, but anyone saying that EnCase does the investigation for you has clearly had little experience with the tool, or working in the industry.

What are your thoughts?

 
Posted : 04/11/2015 12:48 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

Open source is good for people who don't place much value on their time.

Having said that I do believe people need to understand how things work at the low level. People with the best low level knowledge understand the higher level better as well (especially when there are bugs in the higher level stuff).

e.g. a good assembly level programmer will write more efficient code in C# (as a broad generalisation)

 
Posted : 04/11/2015 5:28 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

I've found those who use the term "push button forensics" suffer from delusions of grandeur. It's like refusing to use a belt sander to sand a wooden table because "in the old days all they had was normal sand paper you used by hand".

As long as you understand the underlying process of what the tools are doing and can adequately explain them for court or other legal proceedings then it matters diddly squat what tool you use.

Universities tend to breed elitism in this field…

 
Posted : 04/11/2015 5:53 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

There are many good reasons for using Open Source tools on an MSc course.
Firstly commercial forensic tools change and the tools you would use in industry would very much depend on the area you work in. For example E-discovery jobs use NUIX and similar tools a lot more compared to a Police Hi-Tech Crime Unit which would likely use Encase 6/X-Ways/FTK.

This latter example also brings up another problem with commercial tools in relation to Encase, basically do you teach with Encase 6 which is aging or Encase 7 which isn't really fit for purpose IMHO.

Secondly the point of MSc and BSc degrees is to teach the underlying principles and understanding what a tool does. You learn a lot more from the Open Source tools as you have to do a lot more of the work yourself. Learning how to extract data from a Google Chrome history file using an SQLite browser teaches you far more than pressing a button in IEF.

Lastly cost may force the issue. I know subscriptions for forensic tools are quite expensive and paying for a licence for each student for Encase/X-Ways/FTK + IEF and other tools may push the cost of the course up.

 
Posted : 04/11/2015 12:21 pm
Logan
(@logan)
Posts: 66
Trusted Member
 

A forensic examiner should have knowledge of as many different forensic tools as possible. Relying on 1 tool for everything is pretty bad practice…

EnCase does tend to hide a lot of the underlying process. It is always important to understand exactly what the forensic tools you are using, and general forensic processes, do at a very low level. It is always good to broaden your knowledge!

 
Posted : 04/11/2015 1:48 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Hmm. Are you doing your MSc in DeMontfort? Heh.

I think the big takeaway here is that Open Source does not automagically mean "better". Commercial forensic tools can be very good and also save considerable time during analysis - and these days time is often at a premium. But above the choice of tool is, of course, the methodology - that you verify your results with different tools. This is also a big takeaway.

I once had a course professor argue that you can't trust EnCase because it doesn't show you its workings. He put forward that his own methods, written in Pascal and C, were the best because he wrote the code and so he knows what happens. But in reality he doesn't know what is happening, because he is still using a "black box" - his compiler. He maintained that he could test and verify the output of his scripts as they were repeatable, and I tried to make the point that this could also be done with EnCase - but he didn't understand.

 
Posted : 04/11/2015 4:00 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I haven't used EnCase in a long time…in part because it (and other tools) do not allow me to do the things I need to do in an investigation, particularly timeline analysis.

However, if someone wants to use EnCase, they are more than welcome to do so. My concern with commercial forensic applications is not that they're "push button", but more so the sheer number of analysts who use them as such. I've heard analysts state that if EnCase didn't locate, parse, and display the necessary data, then it's likely not important. That's not an indictment of the application, it's an indictment of the analyst.

That is not to say that I don't use commercial tools…I do, when necessary, and when I know what they're doing to collect or parse certain data. For the most part, I use open source tools, many of which I wrote myself, and achieve much more detailed results in less time than others take using other open source tools, or commercial ones.

 
Posted : 04/11/2015 4:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I find it silly to discuss "Commercial" vs. "Open Source".

Besides the fact that something can be BOTH Commercial AND Open Source, the discussion starts making sense if it is about "good" tools and "bad" tools, and as well about "push button" vs. "hand driven" tools.

Judging from what has been reported on the forum for years, even "Encase 6" vs. "Encase 7" seems like a nice topic for discussion.

In any case since we are talking of a "learning path", and not of "practice", I dare to say that someone who knows how to use a zillion of little, specific or "narrow oriented" tools (not necessarily "Open Source") will learn how to use a "suite" easily while maintaining the "low level" knowledge he learned earlier, whilst the opposite is not true, as after having spent a few years using exclusively (or almost exclusively) a given "suite" (not necessarily "Encase" and not necessarily "Commercial") it is probable that the investigator will rely blindly on it or however he/she will have lost contact with the "low level" essentials.

All in all they are IMHO just and only "tools", it is the hand (and brain and experience) that drives them that might make a difference in the results.

jaclaz

 
Posted : 04/11/2015 5:27 pm
(@sphere)
Posts: 7
Active Member
Topic starter
 

Hmm. Are you doing your MSc in DeMontfort? Heh.

Napier (Scotland).

Thanks for the input everyone. I agree that using lots of tools is a good thing and I enjoy learning about open-source tools as well as commercial. I do think that the examiner's brain is the most important thing regardless of whatever tool you use. In my books, EnCase is still one of the very best out there for what it does.

 
Posted : 04/11/2015 6:47 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

As a side note, is this MSc by any chance done in De Montfort?

 
Posted : 04/11/2015 7:04 pm