What Forensic Software do you recommend if buying personally


seanmcl
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 17, 09 21:09

- reedsie
I recently just passed my GCFA and was curious as to what software is good for analyzing data/memory, indexing files in allocated and unallocated space?

I realize everyone is going to say FTK or EnCase but keep in mind, I am buying this with my own proceeds not the company's, so what software program can you recommend?


Actually, I use neither for the uses that you mention. I have found that there are a number of open source and/or inexpensive tools that will assist in the tasks that you mention for far less money than any of the big name tools.

I believe that Harlan has a blog entry dealing with open source tools and you'll find many examples of code that can perform specific tasks as well as or better than commercial tools.

The main reasons that I use commercial tools are:

1. Familiarity. I have worked with EnCase and FTK long enough that I can perform focussed tasks very quickly. For example, FTK's use of the dtSearch engine makes ad hoc queries very fast (at the expense of a lot of up front processing). On the other hand, neither tool has the ability to do searches based upon Perl Compatible Regular Expressions which I find much more powerful than GREP and, carefully crafted, are much less likely to return false positives.

2. To confirm what I find using other tools.

But, with few exceptions, there is nothing that I can do with commercial tools that cannot be done with open source tools (and a bit of programming/scripting knowledge), if you are willing to get under the hood.  
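The PCRE-style search seanmcl describes (ad hoc patterns, carefully crafted to avoid false positives, run over allocated and unallocated space alike) is a few dozen lines of scripting. The following is an added example, not code from the thread, from Harlan's blog or from any of the tools named; the patterns, the sample image and the offsets are constructed for illustration. It streams a raw image in chunks, carries an overlap so a hit straddling a chunk boundary is still found exactly once, uses lookarounds (which Python's `re` shares with PCRE) so matches cannot start or end inside a longer run of text or digits, and bolts a Luhn check onto the card pattern so a random 16-digit run does not become a hit.

```python
import io
import re
from typing import Callable, Dict, Iterator, List, NamedTuple, Optional, Tuple

# Added example (not from the thread or any named tool): a PCRE-style pattern
# sweep over a raw image that treats allocated and unallocated space alike.

CHUNK_SIZE = 1 << 20   # bytes read per pass; the image never has to fit in memory
OVERLAP = 256          # must exceed the longest hit you expect, or boundary hits are cut
CONTEXT = 16           # extra bytes kept in front of the overlap so lookbehinds see real data


class Hit(NamedTuple):
    name: str     # pattern name
    offset: int   # absolute byte offset in the image
    value: bytes  # matched bytes


def luhn_ok(number: bytes) -> bool:
    """Luhn check on the digits in `number`; filters out random 16-digit runs."""
    digits = [int(ch) for ch in number.decode("ascii") if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Name -> (compiled byte regex, optional validator). The lookarounds stop a match
# from starting or ending inside a longer run, which is where GREP-style searches get noisy.
PATTERNS: Dict[str, Tuple[re.Pattern, Optional[Callable[[bytes], bool]]]] = {
    "email": (re.compile(rb"(?<![\w.+-])[\w.+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,24}(?![\w.-])"), None),
    "card16": (re.compile(rb"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)"), luhn_ok),
}


def scan_stream(stream, patterns=PATTERNS, chunk_size=CHUNK_SIZE,
                overlap=OVERLAP, context=CONTEXT) -> Iterator[Hit]:
    """Yield every hit exactly once, in offset order per pass, across chunk boundaries."""
    base = 0          # absolute offset of buf[0]
    reported_to = 0   # hits starting below this offset were reported by an earlier pass
    carry = b""
    while True:
        data = stream.read(chunk_size)
        final = not data
        buf = carry + data
        if not buf:
            return
        # Hits starting in the last `overlap` bytes are deferred: the next pass sees
        # them with their full extent and with `context` bytes of lookbehind.
        limit = len(buf) if final else max(len(buf) - overlap, 0)
        found: List[Hit] = []
        for name, (pattern, validate) in patterns.items():
            for m in pattern.finditer(buf):
                if m.start() >= limit or base + m.start() < reported_to:
                    continue
                if validate is not None and not validate(m.group(0)):
                    continue
                found.append(Hit(name, base + m.start(), m.group(0)))
        yield from sorted(found, key=lambda h: h.offset)
        if final:
            return
        reported_to = base + limit
        keep = min(len(buf), overlap + context)
        carry = buf[len(buf) - keep:]
        base += len(buf) - keep


def scan_image(image: bytes, **kwargs) -> List[Hit]:
    """Wrapper for an in-memory image; for a real image pass open(path, "rb") to scan_stream."""
    return list(scan_stream(io.BytesIO(image), **kwargs))


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw image: 512-byte sectors, one live file, a zeroed
    unallocated run, and a deleted-file remnant that a file-level search would never see."""
    live = b"Contact: alice@example.com\nInvoice 2009-12\n".ljust(512, b"\x00")
    unallocated = bytes(512)
    remnant = (b"card=4111 1111 1111 1111; not-a-card=1234567812345678; "
               b"reply-to bob.smith+lab@forensics.example.org\n").ljust(512, b"\x00")
    return live + unallocated + remnant


if __name__ == "__main__":
    # Small chunks force the second email across a boundary; swap build_sample_image()
    # for a real dd image and the defaults to sweep evidence.
    for hit in scan_image(build_sample_image(), chunk_size=100, overlap=48, context=8):
        print(f"{hit.name:7s} 0x{hit.offset:08x} {hit.value!r}")
```

The two things worth checking before trusting output from a script like this on a case: that `overlap` is larger than the longest hit your patterns can produce (otherwise a hit spanning two chunks is silently truncated), and that every pattern carries a lookbehind and lookahead, since a bare `\d{16}` over unallocated space will light up on every long digit run in a log or a binary.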
 
  

forensicakb
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 18, 09 01:46

One other thought which is, don't forget that if you wind up working civil or criminal cases your tools are going to get challenged in court. Open source tools are more vulnerable to attack by the opposition than commercial tools that are standardized. I don't know if the tools you seek are for learning or if you are building a lab to work for yourself.


Can you give us an example of how open source tools are more vulnerable? Just hearing it from someone doesn't count. An example from a case where you can show that open source tools are more vulnerable.
 
  

kovar
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 18, 09 02:06

Greetings,

Another thing to keep in mind is how few cases end up in court. One approach is to use open source tools and back them up with commercial tools. If you start approaching court, rework the case with the tools that are less likely to be challenged.

There is an enormous amount of corporate internal investigation forensics analysis work that never gets anywhere close to court. Tools that get the job done quickly and efficiently are far more valuable than ones that are "court approved" but require more time and effort to use.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

inspectaneck
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 18, 09 02:16

Here is the link seanmcl referred to on Harlan's blog:

windowsir.blogspot.com...tools.html  
 
  

seanmcl
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 18, 09 02:52

- forensicakb

Can you give us an example of how open source tools are more vulnerable? Just hearing it from someone doesn't count. An example from a case where you can show that open source tools are more vulnerable.


I doubt that such examples exist. In fact, if you use EnCase, you might be asked "What kind of training and certification do you have in the use of EnCase?" whereas if you use TSK, Autopsy, PhotoRec, etc., what can they ask that you can't answer with "There is no such thing as TSK certification."

My point being that the use of CF tools for which there are corresponding training and certification paths which you do not have may raise more questions.

In either case, what is required is that you used the tool correctly, and that you understand the tool's limitations and capabilities and how it helped you to arrive at your conclusion.
 
  

reedsie
Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 18, 09 02:55

Thanks again for all of your posts. I am looking into the software packages as well as open source. Based on what I have done so far, there isn't really one tool that does everything perfectly, so it will probably be a mix and match of different tools!
 
  

forensicakb
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 18, 09 05:11

Agreed :)


- seanmcl
- forensicakb

Can you give us an example of how open source tools are more vulnerable? Just hearing it from someone doesn't count. An example from a case where you can show that open source tools are more vulnerable.


I doubt that such examples exist. In fact, if you use EnCase, you might be asked "What kind of training and certification do you have in the use of EnCase?" whereas if you use TSK, Autopsy, PhotoRec, etc., what can they ask that you can't answer with "There is no such thing as TSK certification."

My point being that the use of CF tools for which there are corresponding training and certification paths which you do not have may raise more questions.

In either case, what is required is that you used the tool correctly, and that you understand the tool's limitations and capabilities and how it helped you to arrive at your conclusion.
 
 

Page 4 of 11