What Forensic Software do you recommend if buying personally

forensicakb
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 17, 09 05:00

Harlan,

Not everyone needs event log information, prefetch analysis, Perl scripting, etc. You pop in frequently on issues having to do with your being able to do investigations with freeware or things you write yourself.

Not everyone can do this, and for those people (who are in the majority) FTK and EnCase offer what is needed.

You post about intrusions, pen testing, and related items, but don't post much about other, more frequent cases which the average examiner would encounter. I would assume that you don't post about legal-type issues because that is not your area of expertise, much the same as Perl scripting, freeware or shareware registry analysis, and such are not others' area of expertise.


- keydet89
- Patrick4n6

I could walk to the shops every time I need food and carry the bags back, but prefer to drive. Or perhaps I should have a farm in my back yard and grow my own food?


The analogy you're trying to use doesn't really apply here, per se, as it assumes a one-to-one correlation between commercial and open-source/freeware tools. This simply isn't the case...one set of tools gives you a capability that the other doesn't, and vice versa. Therefore, the analogy of just "food", in general, really doesn't apply here.

The point of me offering up freeware and open-source as an alternative is to allow for a thorough understanding of what's going on under the hood when an analyst clicks a button in a commercial application. How many analysts really understand what "file signature analysis" consists of, as well as the shortcomings of how this is achieved in commercial tools?

Take timeline creation and analysis for example. While EnCase has some modicum of this, I'm not aware of a commercial tool that incorporates Event Log records, file system metadata, Registry data, Recycle Bin and Prefetch artifacts, web browsing artifacts, etc., all into a single timeline for viewing and analysis.

Like you, I drive to the store to get food. However, if there's something particular that I can't get at the location I normally shop, or if the item I want is located only at one particular store, then I will drive there.

I'm not against commercial tools, and I'm not espousing the use of only open-source tools. I am suggesting that if monetary cost is an issue, then perhaps paying the price of time may be a way to save money.
 
 
  

ecophobia
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 17, 09 18:28

X-Ways Forensics would be my choice if I had to buy a tool from my own pocket. It is stable and versatile. If you can get on Stefan's training, you should be up and running in no time (provided you know what you're doing with the tool). You can always add freeware tools into your forensic arsenal later.
 
  

unknown
Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 17, 09 19:12

The good thing about individuals like Harlan is that they give the rest of us other options to consider. That does not mean everyone needs to roll their own tool kits and write custom code. However, to not be sensitive to the fact that there are other ways to understand the problem is counterproductive to whatever you do professionally.

Thanks.

 
 
  

paul206
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 17, 09 19:57

I do the same as Beetle, and Harlan is absolutely correct when he says the analyst is the one who has to build the timeline. It is pretty much equivalent to a "get evidence button", and I don't see it ever happening because each case is different. The timeline is specific to the case and the evidence you are looking for, and it is up to the analyst to assemble it. Think of it as job security! I love FTK, but I don't use it for everything and I always supplement it with other tools. For instance, I prefer to look at my internet history in a spreadsheet. I just find it easier to read when I am going through hundreds of entries.

One other thought which is, don't forget that if you wind up working civil or criminal cases your tools are going to get challenged in court. Open source tools are more vulnerable to attack by the opposition than commercial tools that are standardized. I don't know if the tools you seek are for learning or if you are building a lab to work for yourself.  
 
  

jot49
Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 17, 09 19:57

Reedsie,

some years ago I was in the same situation as you, and my choice was X-Ways. I paid for it from my own pocket.
I think it's a monetary question; you also have to consider the license renewals every year. Who wants to use a tool which is out of date?!
I agree with all the others that it is no problem to do analysis using free or open source tools, I use a lot of them, but it's more comfortable to use a commercial tool.
IMHO XWF is a great tool as it has its seeds in WinHex (a hex editor), and you stay a little closer to the bits and bytes than in other commercial tools.

jot49  
 
  

keydet89
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 17, 09 20:30

- forensicakb
Harlan,

Not everyone needs event log information, prefetch analysis, Perl scripting, etc. You pop in frequently on issues having to do with your being able to do investigations with freeware or things you write yourself.

Not everyone can do this, and for those people (who are in the majority) FTK and EnCase offer what is needed.


Oh, I understand...really, I do. I see that all the time..."I can't do this because I don't have EnCase...".

I post on this stuff, and I even post THE stuff itself, because there have to be options. Sure, you may not need the information or analysis for your exams, but at least you know what's there and what's possible, right?

- forensicakb

You post about intrusions, pen testing, and related items, but don't post much about other, more frequent cases which the average examiner would encounter. I would assume that you don't post about legal-type issues because that is not your area of expertise, much the same as Perl scripting, freeware or shareware registry analysis, and such are not others' area of expertise.


I don't post (to my knowledge) about pen testing, but I do post about the type of work I do and have done. I may not be posting about what you see as what the average examiner would encounter...because maybe I'm not seeing that sort of thing.

What sort of thing is the average examiner encountering? Not long ago, I had a conversation with an LE examiner about things to look for before the defense played the "Trojan Defense" card...is that not what you're encountering?

Can you share something about what you're encountering?

Also, just to be clear, a LOT of the stuff I release that's based on Perl is also shipped as a Windows PE file, so that the examiner does NOT need to install Perl to use it.

Anyway, if I've completely missed the point of your post, I apologize. If there's something I can present or discuss that's more along the lines of what you're looking for, please...share it. Thanks.  
 
  

keydet89
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 17, 09 20:50

- eyespy

One other thought which is, don't forget that if you wind up working civil or criminal cases your tools are going to get challenged in court. Open source tools are more vulnerable to attack by the opposition than commercial tools that are standardized. I don't know if the tools you seek are for learning or if you are building a lab to work for yourself.


Are they really? I would suggest that that really isn't the case at all, largely because it appears that what gets "attacked" isn't the tools but the analyst's abilities and processes.

Also, there is one important factor that is not mentioned or apparently considered when the subject of going to court is brought up; that is, as an analyst, you don't simply walk into court one day and get on the stand and testify. The fact of the matter is that you're a witness for one side or the other, and you will not be brought in to testify unless the attorney you're working for or with is completely comfortable with your knowledge, your skills, and your ability to testify in support of their case.

Therefore, if you're supporting the prosecution, and there's any question about what you found because you used open source tools instead of a commercial product, and that question cannot be addressed by the prosecution, you very likely won't be put on the stand.

There are a couple of other issues at hand here...one is that there are things you can do with open-source tools that you simply cannot do with commercial tools. The last PCI assessment I did while at IBM involved me using my timeline creation tools to build a more comprehensive picture of what happened on the system than was available with any commercial tool. And because I knew exactly what I was looking for, I didn't run into the problem you see on the EnCase user forums all the time..."I pushed the button and nothing happened...why?" I did a more complete and comprehensive analysis of the system than was available solely through the use of a commercial application, and was able to minimize the window of exposure for the customer.

Finally, what does it matter what tool was used? I've used open source tools to find things, completely documented my procedures and findings, and turned that over to someone else, that then validated my findings via their commercial toolset in order to present this information in a court of law. The information contained within an acquired image is nothing more than a stream of bits. If I can verify the integrity of the data through the use of a checksum, then what does it matter how I go about finding evidence? If the bits are there, and they are not changed, who cares if I use a backhoe, a shovel, or a toothbrush to extract that data?

The point should REALLY be that regardless of the tool used, the process should be completely and thoroughly documented.

Honestly, what I think this really comes down to is that for many of the more common tasks, it's much easier for the majority of analysts to use the commercial tools.

The last thing I'll say here is that yes, I've used many of the commercial tools mentioned...EnCase, FTK, XWF, even MacForensicsLab. Like any other tool, they have their uses. For example, when doing the PCI forensic assessments, our team used EnCase, and custom EnScripts...we HAD to go custom because at the time (as of June '09, to my knowledge), the built-in function that GSI used to determine whether or not a credit card number was "valid" did not cover all of the card brands that were considered valid by PCI. Therefore, certain card numbers would be found, even in track data, and the hit would be considered invalid by the built-in function...I got help from someone really knowledgeable in EnScripting to write the necessary code to replace the built-in function. My point is simply that if you're using a tool simply because it's easier...maybe that isn't the right answer.  
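The single multi-source timeline that Harlan describes (event log records, file system metadata, Registry LastWrite times and Prefetch data merged and sorted together), as an added example that is not part of the thread and not his tools' code. The five-field pipe-delimited layout (time|source|host|user|description) is modelled on his TLN format, and every record below is constructed sample data, not output from a real system.

```python
# Added example: normalize records from several Windows artifact sources into
# one sorted timeline (time|source|host|user|description), in the spirit of the
# TLN layout used by Harlan's timeline tools. All records are constructed.
from datetime import datetime, timezone

# Constructed samples, each in the shape a per-artifact parser would emit.
EVENT_LOG = [  # (ISO timestamp, event id, description)
    ("2009-12-16T22:41:07Z", 4624, "Logon Type 10 user=alice from 10.0.0.5"),
]
PREFETCH = [  # (last run time, executable name, run count)
    ("2009-12-16T22:42:30Z", "PSEXESVC.EXE", 3),
]
REGISTRY = [  # (key LastWrite time, key path)
    ("2009-12-16T22:42:29Z", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PSEXESVC"),
]
FILESYSTEM = [  # (modified time, path, size in bytes)
    ("2009-12-16T22:42:28Z", "C:\\Windows\\PSEXESVC.exe", 181760),
]


def _epoch(iso):
    """Parse an ISO-8601 UTC timestamp into integer seconds since the epoch."""
    dt = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_timeline(host="WKSTN01"):
    """Normalize every source to (epoch, source, host, user, description) and sort."""
    rows = []
    for ts, eid, desc in EVENT_LOG:
        rows.append((_epoch(ts), "EVT", host, "-", f"EventID {eid}: {desc}"))
    for ts, exe, count in PREFETCH:
        rows.append((_epoch(ts), "PREF", host, "-", f"{exe} last run (count={count})"))
    for ts, key in REGISTRY:
        rows.append((_epoch(ts), "REG", host, "-", f"LastWrite {key}"))
    for ts, path, size in FILESYSTEM:
        rows.append((_epoch(ts), "FILE", host, "-", f"M... {path} ({size} bytes)"))
    # Sorting the tuples orders by time first, then by source, so ties are stable.
    return sorted(rows)


def to_tln(rows):
    """Render rows as pipe-delimited lines: time|source|host|user|description."""
    return ["|".join(str(field) for field in row) for row in rows]


if __name__ == "__main__":
    for line in to_tln(build_timeline()):
        print(line)
```

Seen side by side, the file write, the service key LastWrite and the Prefetch last-run time line up within seconds of the remote logon, which is the kind of picture no single artifact shows on its own.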
 

Page 3 of 11