Encase Portable Forensics

CFEx
(@cfex)
Posts: 69
Trusted Member
Topic starter
 

Our IT Security group is looking at deploying Encase Portable Forensics to collect data and image hard drives.

If anybody is using this product, any advantages/disadvantages with the product?

I'm thinking that a full drive image using Encase Portable may take much longer than other image acquisition alternatives. Is that the case?

 
Posted : 17/06/2010 2:33 am
(@adfsolutions)
Posts: 10
 

If you want to image hard drives, a data duplication solution (logicube, tableau) is a better option. For targeted data collection, ADF's Triage-Examiner is a faster tool.

 
Posted : 23/06/2010 6:38 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

So why is a data duplication solution a better option?

And why, for targeted data collection, is ADF's Triage Examiner faster? Have you tried it side by side, using similar criteria?

Disclosure: I work for Guidance so I'm obviously biased, but I'd suggest first better defining your selection criteria and then taking one out for a spin.

 
Posted : 24/06/2010 7:42 pm
CFEx
(@cfex)
Posts: 69
Trusted Member
Topic starter
 

but I'd suggest first better defining your selection criteria and then taking one out for a spin.

That was my feedback to the genius who decided to get Encase Portable

 
Posted : 24/06/2010 10:29 pm
(@adfsolutions)
Posts: 10
 

And why, for targeted data collection, is ADF's Triage Examiner faster? Have you tried it side by side, using similar criteria?

David,
The recent article in DFI news by John Barabara reviews the testing criteria used by USSOCOM to select a triage tool - www.dfinews.com/articl...iage-tool.

The results were overwhelmingly in ADF's favor compared to Encase Portable. BTW, Triage-G2 is based on triage-Examiner so the performance is the same.

I hope this answers your question.

Disclaimer: I do work for ADF Solutions.

 
Posted : 07/08/2010 3:49 am
Fab4
(@fab4)
Posts: 173
Estimable Member
 

but I'd suggest first better defining your selection criteria and then taking one out for a spin.

That was my feedback to the genius who decided to get Encase Portable

If I correctly interpret your response as sarcasm, surely you make a mockery of your own OP…..

By all means, get independent views but do your own testing, my friend. Or follow your own pre-conceived ideas and buy anything other than EnCase Portable.

I work for neither Guidance nor ADF lol

I use EnCase Portable, on occasions, for its ease, simplicity and the "nod and a wink" that accompanies the brand EnCase in the UK Court system. I use open source solutions on other occasions when I want to feel less Nintendo….

 
Posted : 07/08/2010 4:18 am
(@douglasbrush)
Posts: 812
Prominent Member
 

Why not F-Response Consultant or Enterprise? Does what you want. Then you can use whatever tool you want for the collection. It will simply allow you to do a forensically sound connection to suspect machines, then you can use FTK/FTK Imager, EnCase, PinPoint, Helix, SIFT - whatever - for your collections. Plus it can do memory as well.

They have a buy before you try option.

My disclosure is that as a consultant I use all the products and pick and choose based on the client environment.

CLEARLY define your needs. TEST your assumptions. TWEAK your process. THEN commit to purchases and vendor solutions.

 
Posted : 07/08/2010 9:37 pm
(@mjantal)
Posts: 49
Eminent Member
 

While I cannot speak for EnCase Portable (interested but haven't pulled the trigger), I can say that ADF's tool provides something for the examiner as well as the field officer/agent/soldier/neophyte that is not well-trained in DF. It takes a short lesson to get those with less experience off and running with little concern about the integrity of the evidence. IMHO, if the goal is forensic triage, this tool is one of the better ones out there.

F-response may get the neophyte better access to the evidence, but that does little good to someone without a solid knowledge base in DF. I am happy to expand on this, but don't want to completely derail this thread.

Yes, there is a disclosure…I worked for ADF as a contract instructor previously….which is why I feel like I can add to this discussion. lol

 
Posted : 10/08/2010 8:32 pm
(@armresl)
Posts: 1011
Noble Member
 

You have 4 posts and all are about your product.

David,
The recent article in DFI news by John Barabara reviews the testing criteria used by USSOCOM to select a triage tool - www.dfinews.com/articl...iage-tool.

The results were overwhelmingly in ADF's favor compared to Encase Portable. BTW, Triage-G2 is based on triage-Examiner so the performance is the same.

I hope this answers your question.

Disclaimer: I do work for ADF Solutions.

 
Posted : 10/08/2010 8:45 pm
(@cardrb)
Posts: 17
Eminent Member
 

I have used Encase Portable for some collection of data. However, I still believe that if I can acquire the entire drive I will, since pulling the hard drive and imaging only takes roughly 1 hour with the Tableau TD1.

Having said that, I have encountered a server which I used Encase Portable to do a live image of. I have to say that it was easy as pie, since Encase Portable used the drivers from the server. This server was unknown to me when I walked into the company to do the imaging, so I was not prepared to deal with it, but time was limited.

I took a while to image the server; however, I was glad I did have my Encase Portable unit with me.

Encase Portable can be a pain as you need to set up the jobs prior to attending the location, or bring a laptop that has Encase on it so that if surprises come while you're in a place you can change the job on the fly.

I really have not used Encase Portable to the fullest, because my 1st rule is to image the whole drive then bring it back to my lab. But in this one case I was glad to have it in the box.

It's been 2 months since I've touched Encase Portable, which was my last job I mentioned here.

As for creating a sound USB collection tool, I mostly use them for memory captures. I still prefer imaging the whole drive (did I mention that before?).

just my 2 pennies

 
Posted : 16/08/2010 2:47 am