Forensic Focus
What Forensic Software do you recommend if buying personally


Patrick4n6
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 16, 09 08:40

- keydet89
there's no need to purchase any software. There are enough free/open source solutions that a knowledgeable analyst could do everything that could be done with the commercial tools, and even more, using just what's freely available.

It's not about the tool...an analyst who's a "tool" will make a mess of a case regardless of whether they're using FTK or EnCase or anything else. There are plenty of free and open source solutions out there that a knowledgeable analyst can use to great effect.

I'm putting together an internal training package, and part of it includes analyzing an image. I'm doing the analysis, as well...oddly enough, I don't have any commercial tools at my disposal, but I'm already mostly completed with analysis AND reporting.


I could walk to the shops every time I need food and carry the bags back, but prefer to drive. Or perhaps I should have a farm in my back yard and grow my own food?

Automation - once validated - can save a considerable amount of time for repetitive tasks and if you're looking for a tool set that automates some of those tasks, then that's your prerogative and frankly the smart option. Just make sure you understand what you are doing, and don't just rely on your tool because the maker tells you so. Like I said, validate.

I use FTK because I have a lot of experience with it and have training on it, and I use X-Ways because it's both inexpensive and really raw and powerful, which makes it fantastic for validating results. For imaging, there are plenty of free solutions like the two you indicated, so don't be fooled into paying unless you really want a hardware solution, although remember that FTK Imager requires a hardware write blocker to be forensically sound when imaging HDDs. All live boot disks have shortcomings insofar as compatibility is limited, so be prepared for them to fail in the field and plan for a backup solution.

If you're just doing what you said in your OP, then X-Ways will likely do the job for you for analysis of disks. Memory stuff is still evolving and there's multiple free solutions if you want to save money. I can't recommend any specific one yet.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 
  

douglasbrush
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 16, 09 10:58

- keydet89
there's no need to purchase any software. There are enough free/open source solutions that a knowledgeable analyst could do everything that could be done with the commercial tools, and even more, using just what's freely available.

It's not about the tool...an analyst who's a "tool" will make a mess of a case regardless of whether they're using FTK or EnCase or anything else. There are plenty of free and open source solutions out there that a knowledgeable analyst can use to great effect.

I'm putting together an internal training package, and part of it includes analyzing an image. I'm doing the analysis, as well...oddly enough, I don't have any commercial tools at my disposal, but I'm already mostly completed with analysis AND reporting.


Agreed with Harlan. The past year I have purchased both collection software and analysis software and find myself gravitating to the less expensive niche software packages more and more for both tasks. I am not trying to be anti-commercial, but the free or lower cost targeted solutions do such a fine job that I have a harder time justifying the cost of the larger "name brand software". Those are great pieces of software and I do train and use them all the time but the real winners for me are the narrow focus tools. It really depends on what type of clients you are serving and what the deliverables are.  
 
  

reedsie
Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 16, 09 19:07

Awesome, I would like to thank all of you for your responses.

I agree some of the open source tools are wonderful but that being said they are time consuming so some automated tools would be excellent for analyzing bigger images.

I am aiming towards WinHex, I have downloaded part of the version and used it and I honestly like it so far. I also agree depending on the situation what tool to use is critical. I honestly love the open source linux tools but they take forever and a day to complete. I understand you need to be able to explain exactly what the tools are doing and I can do that, it's just more about automating and speeding up the process!

In regards to the clients, I honestly don't know yet. I am looking to get into consulting in addition to my primary Systems Manager position. Unfortunately, I am in Michigan so I need to get a PI license, so it's a little longer process. I'm evaluating my options and honestly haven't looked out in the private sector to see what, if anything, is really available.

Thanks for all of your insight, and if any other suggestions come up, shoot them over to me!
 
  

kovar
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 16, 09 21:06

- douglasbrush
Agreed with Harlan. The past year I have purchased both collection software and analysis software and find myself gravitating to the less expensive niche software packages more and more for both tasks. I am not trying to be anti-commercial, but the free or lower cost targeted solutions do such a fine job that I have a harder time justifying the cost of the larger "name brand software". Those are great pieces of software and I do train and use them all the time but the real winners for me are the narrow focus tools. It really depends on what type of clients you are serving and what the deliverables are.


I recently took the Guidance Computer Forensics II and EnCE Prep classes. I'd estimate that 50% of the instruction covered using EnCase to do analysis where EnCase would be my last, not first, choice of the best tool for the job. Registry, internet, and email analysis were the major topics that come to mind at the moment.

These days I'm often working in a task specific tool while keeping EnCase open to verify results, extract files, and document findings.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

keydet89
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 16, 09 22:22

- Patrick4n6

I could walk to the shops every time I need food and carry the bags back, but prefer to drive. Or perhaps I should have a farm in my back yard and grow my own food?


The analogy you're trying to use doesn't really apply here, per se, as it assumes a one-to-one correlation between commercial and open-source/freeware tools. This simply isn't the case...one set of tools gives you a capability that the other doesn't, and vice versa. Therefore, the analogy of just "food", in general, really doesn't apply here.

The point of me offering up freeware and open-source as an alternative is to allow for a thorough understanding of what's going on under the hood when an analyst clicks a button in a commercial application. How many analysts really understand what "file signature analysis" consists of, as well as the shortcomings of how this is achieved in commercial tools?

Take timeline creation and analysis for example. While EnCase has some modicum of this, I'm not aware of a commercial tool that incorporates Event Log records, file system metadata, Registry data, Recycle Bin and Prefetch artifacts, web browsing artifacts, etc., all into a single timeline for viewing and analysis.

Like you, I drive to the store to get food. However, if there's something particular that I can't get at the location I normally shop, or if the item I want is located only at one particular store, then I will drive there.

I'm not against commercial tools, and I'm not espousing the use of only open-source tools. I am suggesting that if monetary cost is an issue, then perhaps paying the price of time may be a way to save money.  
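The single-timeline idea from the post above, as an added example in Python (this is not keydet89's code, nor code from any tool named in the thread). The point it makes in working form is that the hard part is not the sorting but the normalisation: NTFS timestamps, Registry LastWrite, Prefetch last-run and Recycle Bin $I deletion times are 64-bit FILETIME values, Chrome History uses WebKit time, and an Event Log export here carries ISO-8601 strings, and all of them have to be brought to one tz-aware UTC representation before they can be merged. The hostname, user, paths, Prefetch hash suffix and every timestamp below are constructed sample data; the $I layout parsed is the Vista/7-style record.

```python
"""Merge Windows artifacts from several sources into one UTC-normalised timeline.

Added example, not code from the thread. Each source keeps time differently, so
everything is converted to tz-aware UTC first:
  - NTFS timestamps, Registry key LastWrite, Prefetch last-run and the deletion
    time in Recycle Bin $I records are 64-bit FILETIME values
    (100-nanosecond ticks since 1601-01-01 UTC)
  - the Event Log export used here carries ISO-8601 strings
  - Chrome History uses WebKit time (microseconds since 1601-01-01 UTC)
All records below are constructed for illustration; the host, user, paths and
Prefetch hash suffix are made up.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HOST = "WKSTN01"   # assumed hostname


@dataclass
class Event:
    when: datetime      # tz-aware UTC
    source: str         # FILE, EVT, WEB, PREF, REG, RBIN
    host: str
    user: str
    description: str


def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def webkit_to_utc(us: int) -> datetime:
    """Chrome/WebKit time (microseconds since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=us)


def iso_to_utc(text: str) -> datetime:
    """ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' -> datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_recycle_bin_i(data: bytes) -> Tuple[int, int, datetime, str]:
    """Parse a Vista/7-style $I record: version, original size, deletion FILETIME,
    then the original path as NUL-terminated UTF-16LE."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    path = data[24:].decode("utf-16-le").split("\x00", 1)[0]
    return version, size, filetime_to_utc(ft), path


# --- constructed sample artifacts (not real case data) ----------------------
FS_RECORDS = [   # (path, created FILETIME, modified FILETIME)
    (r"C:\Users\bob\Downloads\invoice.exe", 132223105200000000, 132223105250000000),
]
EVT_RECORDS = [  # (ISO-8601 UTC, event id, user, message)
    ("2020-01-01T00:00:30Z", 4624, "bob", "Logon type 2 (interactive)"),
]
WEB_RECORDS = [  # (WebKit time, url)
    (13222310460000000, "http://example.invalid/invoice.exe"),
]
PREFETCH_RECORDS = [  # (pf name, last-run FILETIME, run count)
    ("INVOICE.EXE-1A2B3C4D.pf", 132223105500000000, 1),
]
REG_RECORDS = [  # (key, LastWrite FILETIME)
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", 132223106100000000),
]
RBIN_I = (struct.pack("<QQQ", 1, 73728, 132223109000000000)
          + r"C:\Users\bob\Downloads\invoice.exe".encode("utf-16-le") + b"\x00\x00")


def build_timeline() -> List[Event]:
    """Normalise every source to UTC and return the events sorted by time."""
    ev: List[Event] = []
    for path, created, modified in FS_RECORDS:
        ev.append(Event(filetime_to_utc(created), "FILE", HOST, "", f"created {path}"))
        ev.append(Event(filetime_to_utc(modified), "FILE", HOST, "", f"modified {path}"))
    for iso, eid, user, msg in EVT_RECORDS:
        ev.append(Event(iso_to_utc(iso), "EVT", HOST, user, f"EventID {eid}: {msg}"))
    for us, url in WEB_RECORDS:
        ev.append(Event(webkit_to_utc(us), "WEB", HOST, "bob", f"Chrome visit {url}"))
    for name, ft, count in PREFETCH_RECORDS:
        ev.append(Event(filetime_to_utc(ft), "PREF", HOST, "", f"{name} last run, count={count}"))
    for key, ft in REG_RECORDS:
        ev.append(Event(filetime_to_utc(ft), "REG", HOST, "bob", f"LastWrite {key}"))
    _, size, when, path = parse_recycle_bin_i(RBIN_I)
    ev.append(Event(when, "RBIN", HOST, "bob", f"deleted {path} ({size} bytes)"))
    return sorted(ev, key=lambda e: e.when)   # stable sort: equal times keep insertion order


def render(events: List[Event]) -> List[str]:
    """One pipe-delimited line per event: time|source|host|user|description."""
    return [f"{e.when:%Y-%m-%d %H:%M:%S}Z|{e.source}|{e.host}|{e.user}|{e.description}"
            for e in events]


if __name__ == "__main__":
    for line in render(build_timeline()):
        print(line)
```

Run as-is it prints seven rows in time order, from the interactive logon through the download, the Prefetch entry, the Run key change and finally the deletion from the Recycle Bin. Against real evidence the constructed lists would be replaced by parsers for each artifact, but the conversion functions and the one-row-per-event layout stay the same, and any source that cannot be normalised to UTC should be excluded rather than guessed at.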
 
  

Beetle
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 16, 09 23:02

- kovar
- douglasbrush
Agreed with Harlan. The past year I have purchased both collection software and analysis software and find myself gravitating to the less expensive niche software packages more and more for both tasks. I am not trying to be anti-commercial, but the free or lower cost targeted solutions do such a fine job that I have a harder time justifying the cost of the larger "name brand software". Those are great pieces of software and I do train and use them all the time but the real winners for me are the narrow focus tools. It really depends on what type of clients you are serving and what the deliverables are.


I recently took the Guidance Computer Forensics II and EnCE Prep classes. I'd estimate that 50% of the instruction covered using EnCase to do analysis where EnCase would be my last, not first, choice of the best tool for the job. Registry, internet, and email analysis were the major topics that come to mind at the moment.

These days I'm often working in a task specific tool while keeping EnCase open to verify results, extract files, and document findings.

-David


Ditto here on your points.

We have FTK but I (by personal choice) primarily use it to build those nice reports to burn to CD. I use EnCase as my weapon of choice but will default to command-line tools or task specific tools for verifying hashes, file headers etc. In the AccessData products I use their Registry tools to build annotated reports but also confirm specific items with other registry hive tools. I believe that a mix of tools is a good thing if you can afford it.

I think if it was my money I was spending I would likely buy X-Ways Forensics just to leverage the cost-benefit ratio over some of the more pervasive products. I am a Mac guy at home and if I was starting up a practice I would consider MacForensics Lab. Even though the name is "Mac..." the tool is cross-platform and works under Windows as well. I have had the opportunity to try it and it is very EnCase-like. The price is quite reasonable, so I would likely buy this kit in addition to X-Ways.

On the open-source/freeware side:

I have tried Autopsy and it seems quite capable but I am on the Sleuth Kit mailing list and you need to monitor the bugs that show up pretty closely.

Still haven't had the opportunity to try whatever tools Harlan has in his latest edition (plug intended) :) but I am sure that they are excellent.
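Three posts in this thread make the same practical point from different angles: Patrick4n6's "validate, don't rely on the tool because the maker says so", keydet89's question of how many analysts understand what "file signature analysis" actually does and where the commercial implementation falls short, and Beetle's habit of dropping to command-line tools to verify hashes and file headers. The following is an added example in Python of what that second-opinion check looks like; it is not code from the thread, nor from FTK, EnCase or X-Ways. It builds a handful of files in a temporary directory (contents and names constructed), re-hashes them against a manifest of the kind another tool would export, and identifies each file from its content rather than its extension. Two of the shortcomings keydet89 alludes to are handled explicitly: a signature that does not live at offset 0 (ISO 9660 at 0x8001), and the fact that docx, xlsx and jar all start with the same ZIP "PK" header so the signature alone cannot name them. Plain text has no signature at all, so it is reported as unknown rather than silently passed.

```python
"""Second-opinion checks on hashes and file signatures.

Added example, not code from the thread or from any commercial tool. Builds a
few files in a temporary directory (contents constructed, names made up), then
(1) re-hashes them and compares against a manifest such as another tool would
export and (2) identifies each file from content instead of extension.
"""
import hashlib
import os
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# (offset, magic, label). The ISO 9660 primary volume descriptor lives at
# 0x8001, so a table that only compares offset 0 never sees it.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"%PDF-", "pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"MZ", "pe"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.msg
    (0x8001, b"CD001", "iso9660"),
]
EXT_ALIASES = {"jpg": "jpeg", "exe": "pe", "dll": "pe", "iso": "iso9660",
               "doc": "ole2", "xls": "ole2"}


def refine_zip(path: str) -> str:
    """The PK header only says 'ZIP container'; member names say what it is."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip(damaged)"
    if "[Content_Types].xml" in names:
        if any(n.startswith("word/") for n in names):
            return "docx"
        if any(n.startswith("xl/") for n in names):
            return "xlsx"
        return "ooxml"
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    return "zip"


def identify(path: str) -> Optional[str]:
    """Type label from content, or None when nothing in SIGNATURES matches."""
    with open(path, "rb") as fh:
        head = fh.read(0x8001 + 5)
    for offset, magic, label in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return refine_zip(path) if label == "zip" else label
    return None


def hashes(path: str) -> Dict[str, str]:
    """MD5 and SHA-256 of a file, streamed so large files are not read into RAM."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_manifest(manifest: Dict[str, str], root: str) -> List[str]:
    """Names whose recomputed SHA-256 disagrees with the other tool's manifest."""
    return sorted(n for n, expected in manifest.items()
                  if hashes(os.path.join(root, n))["sha256"] != expected)


def mismatches(root: str) -> List[Tuple[str, str, Optional[str]]]:
    """(name, extension, detected) where extension and content disagree."""
    out = []
    for name in sorted(os.listdir(root)):
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        detected = identify(os.path.join(root, name))
        if EXT_ALIASES.get(ext, ext) != detected:
            out.append((name, ext, detected))
    return out


def build_samples(root: str) -> None:
    """Constructed files for the demo; none of this is real evidence."""
    def write(name: str, data: bytes) -> None:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    write("report.pdf", b"%PDF-1.4\n%constructed\n")
    write("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    write("notes.txt", b"plain text has no magic number\n")
    write("invoice.pdf", b"MZ" + b"\x00" * 62)            # executable renamed as PDF
    write("disc.iso", b"\x00" * 0x8001 + b"CD001" + b"\x00" * 10)
    with zipfile.ZipFile(os.path.join(root, "memo.docx"), "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(os.path.join(root, "archive.zip"), "w") as zf:   # really xlsx
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")


def run() -> Tuple[List[Tuple[str, str, Optional[str]]], List[str]]:
    """Return (extension/content mismatches, files failing the hash manifest)."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        manifest = {n: hashes(os.path.join(root, n))["sha256"] for n in os.listdir(root)}
        manifest["notes.txt"] = "0" * 64        # simulate a wrong figure in the other report
        return mismatches(root), verify_manifest(manifest, root)


if __name__ == "__main__":
    bad_types, bad_hashes = run()
    for name, ext, detected in bad_types:
        print(f"{name}: extension .{ext} but content looks like {detected or 'unknown'}")
    print("hash mismatches:", bad_hashes)
```

Run stand-alone it flags the executable renamed as a PDF, the spreadsheet renamed as a plain ZIP, the text file that no signature can vouch for, and the one manifest entry that does not match. The table is deliberately short; a real one has hundreds of entries, and the lesson from the ZIP case carries over to every container format: the header identifies the container, not the document inside it.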
 
  

forensicakb
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Dec 17, 09 03:56

X-Ways Forensics = 1,088.12 USD


I'm selling FTK 1.8 for 1200

and another person is selling 2 copies of 3.0 for 3500 or 3000 can't remember which.  
 

Page 2 of 11