±Forensic Focus Partners
|New Today: 9||Overall: 29017|
|New Yesterday: 8||Visitors: 86|
· Linux Timestamps, Oh boy!
· Standard Processes in Windows 10
· NAS Forensics Explained
· Project Spartan Forensics
· FT Cyber Security Summit Europe – London 22nd September
· The Future of Mobile Forensics
· TSFIC 2015 – Recap
· Evidence Acquisition and Analysis from Live Exchange
· TDFCon 2015 – Recap
FTK vs. Encase vs. SMART
I'm currently working on a case that may end up costing an organization $500,000 in damages. As of right now, I'm working largely with open source utilities and winhex(forensics version). I've gotten word that given the potential cost, a few thousand dollars is money well spent if it helps in the investigation.
I'm interested in hearing from those of you that work with commercial software on a daily basis what your thoughts are on FTK vs. Encase vs. SMART.
I mainly deal in incident response and compromised hosts, attempting to determine the cause of compromise and generate a timeline of events and file activity. If anyone can recommend a version of any of the above that is well suited to incident response and post mortem analysis versus law enforcement use I'd appreciate it.
- Senior Member
All of the tools have imaging capabilities, but I like using SMART for this purpose. WinHex has a DOS based Replica tool which provides a true image of the target (as it sees it!!). FTK and EnCase create images which are not true copies as they embed the image files with error checking data (that is not to say that within that image file the true copy does not exist - it's just that there is also the additional data for checking purposes). These three work in a DOS/Windows environment and unless careful it may be possible to miss the fact that you are not aquiring the entire contents of the drive (ie in circumstances where a HPA has been created). SMART is a LINUX tool and creates a true bit image copy of the target and can create a separate file for the error checking purposes. If you try SMART you will be pleased with the available options and the fact that you can simultanously create multiple image files as well as clone the target.
It should be noted that these tools can all open image files created by the other tools... however, it makes sense that proprietary formats should only really be worked on using the software that created it. Using raw (true) images such as those created with SMART can be opened with any of the tools and there is no need to worry about proprietary formats.
The best tool of the four (in my experience) for keyword searching is FTK. FTK can create a keyword index of the entire image at the start of the process which makes futures searches easy. It is rare that you start a case with all the correct keywords... as a case develops, you often need to repeat searches with new keywords which can waste alot of time
examining complex structures
This is where EnCase is quite outstanding - it is cabable of breaking down complex file structures for examination, such as the registry files, dbx & pst files, thumbs db etc
For recovering files from unallocated space, I will commonly use EnCase, but will often try WinHex to do the same thing (basically because I really like WinHex & trust it more)
For incident response, all of the tools can be useful, but before I start, I would use a tool under the same OS as the system being examined. ie, I would definitely use SMART to examine a Linux machine and one of the others for a windows machine. For live incident response, we have been testing ProDiscover with some success
We work with alot of foreign language systems & the ability of the software to interpret the different unicode code pages successfully is important. The only tool which has come close so far is EnCase, but it still leaves alot to guesswork
If you are working with incident response and especially if you deal with alot of Linux systems I would strongly recommend SMART. It is a tool that we have only bought a few months ago, but I am liking it more and more. I am also a great fan of Winhex (X-Ways forensics), but that is because you have a great deal of control over what you are doing - for automated forensic work (and hence greater efficiency) stick with EnCase or FTK. Lastly, do not overlook Pro Discover - very useful for the type of work you seem to be involved in.
In addition, we use tools such as Gargoyle (from Wetstone) which is useful for quickly identifying hacking tools or other malware on a system under investigation. Paraben e-mail examiner (both local and server versions) is also very useful where e-mail is part of your investigations.
This was probably too much info, but in a nutshell, all tools have their uses but just one will not meet every requirement. In your case I would probably get SMART as well as Pro Discover. If you've got more money to burn get one of EnCase or FTK.
Hope that helps
Thanks for the info.
I typically respond to incidents with a Helix CD in hand to any incident to grab a DD image. It works over the network, and can do live analysis on a system. I'm also trying to determine a way to use Harlan's forensic server project in my environment.
Do any of these products require a hardware write blocker during investigation? Up until recently I've done all of my work on a linux box, and I am just now starting to use windows as a forensics workstation.
Do any of the tools create a timeline of file activity?
How well do they handle an ext3 volume with a DD image contained within?
Interestingly enough..Wetstone is about 20 minutes from my location.
- Senior Member
Why order a taco when you can ask it politely?
Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. "
- Senior Member
I agree with the comments that EnCase can make you a bit complacent. People tend to believe it more because it seems more professional(?)
The FTK Indexer is much better than most because you can add search terms after the fact. That is a huge time saver as the results are almost instantly displayed. I still don't think the FTK version of DTSearch is anywhere near as good as the standalone version though, at least regarding indexing speeds.
The EnCase Index needs work (a lot of work.)
The disadvantages for FTK include a lack of recursive export capabilities and a problem with the file naming convention in exported reports (1.70+.)
FTK doesn't carve files as well as EnCase.
Neither EnCase nor FTK does a very good job of reporting on problems or errors the products may encounter.
I have had issues with EnCase when mounting severely nested archives.
FTK Imager is great. I have used it live on a cd and on usb. I did have a couple of problems with FTK Imager on a live system recently but I worked around it.
I also use FTK Imager to verify images when working on-site.
EnCase's Linen is great too. You just can't beat Linen with Helix.
That is about my two cents on the comparison. I use both tools as well as others. These days I am using a lot more of XWays (WinHex Forensics) and I am getting to like it more and more. I also use Helix. For copying tasks I tend to use Evidence Mover or a new tool called File Analyst (www.litquest.com.) I have also bought Harlan's book and am working my way though his tools as well.