First Forensic Suite Advice Please

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

sgware
Member
 

First Forensic Suite Advice Please

Posted: Jul 31, 12 18:01

I am new in the field. I just completed a masters program in digital forensics at UCF and am planning to enter the CFCE certification process this Fall. Throughout my academic career and through mock investigations post graduation, I have put together a nice selection of forensic tools, both free and purchased, that includes TSK, fileXray, WinHex (specialist), imaging tools, registry analysis tools, the FAU suite, various file viewers. The free FTK and FTK Imager are also part of the tool box.

My workstation is a late 2011 MBP, i7 quad core, 8GB RAM. I run VMWare Fusion with XP SP3, 2 Ubuntu distributions (10.04 and 12.04). At present, I select the tools I need across all three platforms to acquire images and analyze them.

Now, I am ready to take the next step and purchase a forensic suite. Platform is a concern only from the standpoint that XP running in Unity doesn't allow access to the firewire ports on the MBP. So, the question of what to purchase is taking longer to answer than I thought. I have narrowed the decision to XWF and MacForensicslab. Both claim support for most filesystems, email formats/archives, and have impressive workflows/reporting capabilities.

For a personal forensic toolkit, I would really like feedback on the two.

Thanks all!

Scott  
 
  

twjolson
Senior Member
 

Re: First Forensic Suite Advice Please

Posted: Jul 31, 12 19:38

I thought about buying FTK with my student loans. Long story short, I didn't, and I'm quite glad that I didn't. If I had, I would have used it for the ACE and never touched it again.

The thing is, unless you are planning on starting your own little CF business, it's just not worth the money. This is doubly true if you still have connections at school (or get a position in CF) that allows you access.

The CFCE process does not require any particular program. Thus, if that is your only impetus, what tools you have already are more than enough. When I attended, we got a copy of WinHex, which should be adequate for the CFCE process.

My personal bias though is to stick with SIFT and other such tools. The market is flooded with tool monkeys that can do push button forensics on EnCase or FTK. But, if you go into an interview and say that you can do an exam only with SIFT and other open source tools, I think that is a big plus in your column. Assuming school did teach you EnCase and/or FTK, I think the ability to use SIFT and other open source tools in addition makes you an attractive hire.

But, to answer your original question, I don't think the difference in features between X-Ways Forensic and WinHex is enough to warrant the purchase (I could be wrong, as I am just now dipping my toe into WinHex/X-Ways Forensic). Unless you are flush with money to burn, I would think EnCase and FTK are too expensive to warrant purchase merely for personal studies. MacForensicslab, I have never used. It is quite pricey though, so I guess I would skip that one personally.

My two cents, but I guess unless you have money to burn, or are planning on using the tool to invest into a CF firm, I'd skip buying. Nothing, after all, says you have to. I doubt owning your own version of, say, FTK will be much to your credit at interview.
 
  

BitHead
Senior Member
 

Re: First Forensic Suite Advice Please

Posted: Jul 31, 12 19:54

Not to discount the points from twjolson, but since you just asked for a comparison of the two products here is my 2 cents: Since you have a Specialist license of WinHex, my recommendation would be to upgrade to XWF. Reasons: You are familiar with the interface, XWF has additional features not found in MFL, XWF has a more robust development/bug fix cycle, and there used to be a discount path from Specialist to XWF (this may or may not be the case anymore).  
 
  

keydet89
Senior Member
 

Re: First Forensic Suite Advice Please

Posted: Jul 31, 12 19:56

- sgware
Now, I am ready to take the next step and purchase a forensic suite.


Given your background, why do you see the need to purchase a commercial forensic suite?

Part of the reason I use (or write) open source tools isn't specifically because they're open source, but because I can see what they're doing. When I was on the IBM team performing PCI investigations, we had a good bit of difficulty in getting from GSI what, exactly, their IsValidCreditCard() built-in function was doing. When we finally did find out, and were able to validate this, we found that the function was missing several of the CCN formats that PCI considered "valid" and in-scope.

Another reason I use these tools is because they are capable of doing things that commercial suites aren't, such as full-on timeline creation using multiple data sources.

Again, given your background, I would think that with your experience in using these other tools, you would have reached a point where you were able to pick the tool for the job.  
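As an added illustration of keydet89's point about being able to see what a validator treats as "valid" (example code written for this page, not from the post or from any tool it mentions): a transparent PAN validator whose prefix/length table is visible in the source, beside a naive 16-digit-only rule that silently misses 15- and 14-digit formats. The issuer table is an assumption for this example rather than PCI's official list, and the sample text and card numbers are constructed from well-known public test numbers.

```python
import re
from typing import List, Optional, Tuple

# Illustrative prefix ranges and lengths per brand: an assumption for this example,
# not PCI's or any vendor's official list. Every accepted format is visible here.
ISSUER_RULES = [
    ("Visa", [(4, 4)], (13, 16, 19)),
    ("MasterCard", [(51, 55), (2221, 2720)], (16,)),
    ("American Express", [(34, 34), (37, 37)], (15,)),
    ("Diners Club", [(36, 36), (38, 38)], (14,)),
    ("Discover", [(6011, 6011), (65, 65)], (16,)),
]

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def naive_is_valid(digits: str) -> bool:
    """A hidden rule of the kind a closed tool might apply: 16-digit runs only."""
    return len(digits) == 16 and luhn_ok(digits)

def brand_of(digits: str) -> Optional[str]:
    """Transparent validator: returns the matching brand, or None if out of scope."""
    if not digits.isdigit() or not luhn_ok(digits):
        return None
    for brand, prefixes, lengths in ISSUER_RULES:
        if len(digits) in lengths:
            for lo, hi in prefixes:
                if lo <= int(digits[: len(str(lo))]) <= hi:
                    return brand
    return None

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> List[Tuple[str, str]]:
    """Scan free text and keep only candidates that pass the transparent validator."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = brand_of(digits)
        if brand:
            hits.append((digits, brand))
    return hits

# Constructed sample text using well-known public test card numbers.
SAMPLE = ("card 4111 1111 1111 1111 exp 12/14; amex 378282246310005; "
          "phone 555-123-4567; bad check digit 4111111111111112")
```

Running `find_pans(SAMPLE)` returns the Visa and American Express hits, while `naive_is_valid` rejects the 15-digit Amex number outright, which is the kind of gap a closed validator can hide.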
 
  

isth
Senior Member
 

Re: First Forensic Suite Advice Please

Posted: Jul 31, 12 19:57

We have FTK, Encase and X-ways - X-ways wins in my book 95% of the time. Encase and FTK are barely touched. It's also the cheapest of the 3.  
 
  

sgware
Member
 

Re: First Forensic Suite Advice Please

Posted: Jul 31, 12 20:00

Thanks for the quick response! Great advice as well. We didn't spend a lot of time on FTK or Encase. Most of the file system analysis was low level, accomplished using a hex editor. I thought XWF or Macforensiclabs might be an asset by combining several functions into one tool. However, I suppose it really doesn't matter until I am in a position where the caseload requires higher throughput.

Again, your feedback is very much appreciated.

Scott  
 
  

sgware
Member
 

Re: First Forensic Suite Advice Please

Posted: Jul 31, 12 20:09

- BitHead
Not to discount the points from twjolson, but since you just asked for a comparison of the two products here is my 2 cents: Since you have a Specialist license of WinHex, my recommendation would be to upgrade to XWF. Reasons: You are familiar with the interface, XWF has additional features not found in MFL, XWF has a more robust development/bug fix cycle, and there used to be a discount path from Specialist to XWF (this may or may not be the case anymore).


Yes, I am very comfortable with the WinHex GUI. In fact, looking at the MFL GUI, and reading the docs at their website, it felt a bit too abstracted from what was actually happening. I would have to test every function myself to feel comfortable with them. With WinHex, I trust it because through many experiments, I have verified that it is what it says it is.

So, if I do purchase a tool, it will most likely be XWF.

Thanks to all for the great, and valuable, feedback.

Scott  
 

Page 1 of 2