First Forensic Suite Advice Please

(@sgware)
Posts: 42
Eminent Member
Topic starter
 

I am new to the field. I just completed a master's program in digital forensics at UCF and am planning to enter the CFCE certification process this Fall. Throughout my academic career and through mock investigations post graduation, I have put together a nice selection of forensic tools, both free and purchased, that includes TSK, fileXray, WinHex (Specialist), imaging tools, registry analysis tools, the FAU suite, and various file viewers. The free FTK and FTK Imager are also part of the tool box.

My workstation is a late 2011 MBP, i7 quad core, 8GB RAM. I run VMWare Fusion with XP SP3, 2 Ubuntu distributions (10.04 and 12.04). At present, I select the tools I need across all three platforms to acquire images and analyze them.

Now, I am ready to take the next step and purchase a forensic suite. Platform is a concern only from the standpoint that XP running in Unity doesn't allow access to the FireWire ports on the MBP. So, the question of what to purchase is taking longer to answer than I thought. I have narrowed the decision to XWF and MacForensicsLab. Both claim support for most filesystems, email formats/archives, and have impressive workflows/reporting capabilities.

For a personal forensic toolkit, I would really like feedback on the two.

Thanks all!

Scott

 
Posted : 31/07/2012 6:01 pm
(@twjolson)
Posts: 417
Honorable Member
 

I thought about buying FTK with my student loans. Long story short, I didn't, and I'm quite glad that I didn't. If I had, I would have used it for the ACE and never touched it again.

The thing is, unless you are planning on starting your own little CF business, it's just not worth the money. This is doubly true if you still have connections at school (or get a position in CF) that allows you access.

The CFCE process does not require any particular program. Thus, if that is your only impetus, what tools you have already are more than enough. When I attended, we got a copy of WinHex, which should be adequate for the CFCE process.

My personal bias though is to stick with SIFT and other such tools. The market is flooded with tool monkeys that can do push button forensics on EnCase or FTK. But, if you go into an interview and say that you can do an exam only with SIFT and other open source tools, I think that is a big plus in your column. Assuming school did teach you EnCase and/or FTK, I think the ability to use SIFT and other open source tools in addition makes you an attractive hire.

But, to answer your original question, I don't think the difference in features between X-Ways Forensic and WinHex is enough to warrant the purchase (I could be wrong, as I am just now dipping my toe into WinHex/X-Ways Forensic). Unless you are flush with money to burn, I would think EnCase and FTK are too expensive to warrant purchase merely for personal studies. MacForensicslab, I have never used. It is quite pricey though, so I guess I would skip that one personally.

My two cents, but I guess unless you have money to burn, or are planning on using the tool to invest in a CF firm, I'd skip buying. Nothing, after all, says you have to. I doubt owning your own version of, say, FTK will be much to your credit at interview.

 
Posted : 31/07/2012 7:38 pm
(@bithead)
Posts: 1206
Noble Member
 

Not to discount the points from twjolson, but since you just asked for a comparison of the two products, here is my 2 cents. Since you have a Specialist license of WinHex, my recommendation would be to upgrade to XWF. Reasons: you are familiar with the interface, XWF has additional features not found in MFL, XWF has a more robust development/bug fix cycle, and there used to be a discount path from Specialist to XWF (this may or may not be the case anymore).

 
Posted : 31/07/2012 7:54 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Now, I am ready to take the next step and purchase a forensic suite.

Given your background, why do you see the need to purchase a commercial forensic suite?

Part of the reason I use (or write) open source tools isn't specifically because they're open source, but because I can see what they're doing. When I was on the IBM team performing PCI investigations, we had a good bit of difficulty in getting from GSI what, exactly, their IsValidCreditCard() built-in function was doing. When we finally did find out, and were able to validate this, we found that the function was missing several of the CCN formats that PCI considered "valid" and in-scope.

Another reason I use these tools is because they are capable of doing things that commercial suites aren't, such as full-on timeline creation using multiple data sources.

Again, given your background, I would think that with your experience in using these other tools, you would have reached a point where you were able to pick the tool for the job.

 
Posted : 31/07/2012 7:56 pm
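The point keydet89 makes about the IsValidCreditCard() function is easy to see in code. The following is an added example, not code from the thread or from any vendor: it places a narrow check (16 digits plus Luhn) next to a format-aware check that also admits 15-digit Amex and 13-digit Visa numbers. The issuer table is a constructed illustration and is not the authoritative list of what PCI considers in-scope; the sample numbers are publicly documented test numbers.

```python
import re

# Constructed issuer table for illustration only (not an authoritative PCI list).
# Each entry: issuer name, regex for the leading digits, accepted total lengths.
ISSUER_FORMATS = [
    ("Visa",       r"4",                                              (13, 16, 19)),
    ("MasterCard", r"5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)", (16,)),
    ("Amex",       r"3[47]",                                          (15,)),
    ("Discover",   r"6011|65|64[4-9]",                                (16, 19)),
    ("JCB",        r"35(2[89]|[3-8]\d)",                              (16,)),
    ("Diners",     r"36|38|30[0-5]",                                  (14,)),
]

def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def naive_is_valid(candidate: str) -> bool:
    """A narrow check of the kind keydet89 describes: exactly 16 digits plus Luhn."""
    digits = re.sub(r"[ -]", "", candidate)
    return len(digits) == 16 and digits.isdigit() and luhn_ok(digits)

def classify(candidate: str):
    """Return the issuer name when the digits match a known format and pass Luhn."""
    digits = re.sub(r"[ -]", "", candidate)
    if not digits.isdigit() or not luhn_ok(digits):
        return None
    for name, prefix, lengths in ISSUER_FORMATS:
        if len(digits) in lengths and re.match(rf"(?:{prefix})", digits):
            return name
    return None

def compare(candidates):
    """Map each candidate to (narrow verdict, format-aware issuer) to expose the gap."""
    return {c: (naive_is_valid(c), classify(c)) for c in candidates}

# Constructed sample: documented test numbers plus one string that fails Luhn.
SAMPLE = ["4111 1111 1111 1111", "378282246310005", "4222222222222",
          "5555555555554444", "6011111111111117", "4111111111111112"]

if __name__ == "__main__":
    for cand, verdict in compare(SAMPLE).items():
        print(f"{cand:>22}  narrow={verdict[0]!s:5}  format-aware={verdict[1]}")
```

Running it shows the Amex and 13-digit Visa test numbers rejected by the narrow check but accepted by the format-aware one, which is exactly the kind of discrepancy that only becomes visible once you can inspect what a tool actually does.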
isth
(@isth)
Posts: 65
Trusted Member
 

We have FTK, EnCase and X-Ways. X-Ways wins in my book 95% of the time. EnCase and FTK are barely touched. It's also the cheapest of the 3.

 
Posted : 31/07/2012 7:57 pm
(@sgware)
Posts: 42
Eminent Member
Topic starter
 

Thanks for the quick response! Great advice as well. We didn't spend a lot of time on FTK or EnCase. Most of the file system analysis was low level, accomplished using a hex editor. I thought XWF or MacForensicsLab might be an asset by combining several functions into one tool. However, I suppose it really doesn't matter until I am in a position where the caseload requires higher throughput.

Again, your feedback is very much appreciated.

Scott

 
Posted : 31/07/2012 8:00 pm
(@sgware)
Posts: 42
Eminent Member
Topic starter
 

Not to discount the points from twjolson, but since you just asked for a comparison of the two products, here is my 2 cents. Since you have a Specialist license of WinHex, my recommendation would be to upgrade to XWF. Reasons: you are familiar with the interface, XWF has additional features not found in MFL, XWF has a more robust development/bug fix cycle, and there used to be a discount path from Specialist to XWF (this may or may not be the case anymore).

Yes, I am very comfortable with the WinHex GUI. In fact, looking at the MFL GUI, and reading the docs at their website, it felt a bit too abstracted from what was actually happening. I would have to test every function myself to feel comfortable with them. With WinHex, I trust it because through many experiments, I have verified that it is what it says it is.

So, if I do purchase a tool, it will most likely be XWF.

Thanks to all for the great, and valuable, feedback.

Scott

 
Posted : 31/07/2012 8:09 pm
(@fraudit)
Posts: 72
Trusted Member
 

Well, I expanded from forensic accounting into the computer forensics area quite recently. I'm certainly not an expert but always was fond of digging into a system's guts, so I believe I have the necessary prerequisites.

Anyway, I second X-Ways - it's affordable and does its job. If you need some more sophisticated tools, I'm pretty sure you will find a GPL-licensed one!

 
Posted : 07/09/2012 1:32 pm
(@sgware)
Posts: 42
Eminent Member
Topic starter
 

Thanks for the feedback. I appreciate it. On the advice of the other respondents, I took another look at the freeware and open source tools that I have accumulated. I can't imagine needing more to do the job. That said, X-Ways is very attractive to me and at some point I will upgrade my WinHex Specialist license.

So, for now I think I have the tools needed for the CFCE. I will definitely follow up with the results and commentary.

Scott

 
Posted : 08/09/2012 12:50 am
KungFuAction
(@kungfuaction)
Posts: 109
Estimable Member
 

Scott,

I'm also a user of WinHex Specialist and it's one of the best tools in my arsenal. However, looking at the additional tools available with X-Ways Forensics, I don't believe it's worth the extra money for the upgrade. I would save my money for other software that you'll eventually need, such as RAID recovery, social media artifacts, password recovery, and cell phone acquisition.

 
Posted : 08/09/2012 2:45 am