1000GBP/1750USD - w...
 
Notifications
Clear all

1000GBP/1750USD - what do you buy?

12 Posts
5 Users
0 Likes
798 Views
Jamie
(@jamie)
Posts: 1288
Moderator
 

Here's a question I like to throw in every now and again…

Assuming an arbitrary figure of 1000GBP/1750USD and a need to source a hardware and software solution for forensic work (imaging, analysis, reporting, chain of evidence etc.) what do you buy, and why? For the sake of argument let's assume you already have a bare-bones PC system with enough processor power to provide the speed/power you need, what else do you buy (if, indeed, you take the commercial route)?

Jamie

 
Posted : 19/02/2006 9:03 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

bump

 
Posted : 20/02/2006 9:11 pm
(@walkabout_fr)
Posts: 67
Trusted Member
 

That's a problem !

As far as I'm concerned, 1000 GBP is too much or too little…

I usually work with Encase. as far as I know, 1000 GBP only gets you half of that software.

On the other hand, if you choose a free forensics software (Ilook or some Forensics Linux distrib) and already have a barebone system, 1000 GBP is a lot to spend on write blockers (mine costs 60 euros), USB HDD and additional software…

Hey, you could almost make me happy not to have 1000 GBP to spend !!! -)

Marc

 
Posted : 20/02/2006 9:30 pm
pooball
(@pooball)
Posts: 12
Active Member
 

Having the kit is one thing but what happens when the Prosecution / Defence Counsel asks what qualifies you to use the aforementioned forensic tool(s)!!

"Sorry your honour, I couldn't afford the training to use it properly, had to use the Force (ala Luke Skywalker) for the rest"..

I've found that the courses that go with the tools (along with Cranfield and all the rest of it) cost way more collectively than the kit we use. Being non Law enforcement bumps the bill up a few quid too!!

I'd stick the money in a high interest account and look again in 5 years for a second hand Encase 3 license!!

 
Posted : 20/02/2006 10:08 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

I usually work with Encase. as far as I know, 1000 GBP only gets you half of that software.

Yes, that's a good point (I'd forgotten how expensive it is these days!)

OK everyone, let's increase the budget to 2000GBP (or whatever we need to just afford EnCase)…what hardware/software combo offers the best bang for our buck, and why?

Clearly there's no right answer here, but I think this is a useful exercise to carry our every 6 months or so.

Jamie

 
Posted : 20/02/2006 10:11 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

I usually suggest to people starting out that they spend money on training, software, and hardware in that order. I like Encase as well, but if I only had just enough to buy it then I don't think I would. Under such a budget I'd look hard at Winhex, or perhaps a Linux tool kit and training. Hoping to save enough for an IDE write blocker, a SATA converter for said board, and one large storage drive.

 
Posted : 21/02/2006 12:36 am
(@gmarshall139)
Posts: 378
Reputable Member
 

Then again, when I started off in the private sector I was lucky and found Encase ver. 3 used for $1000 US. I already had the training, and the I spent just a couple hundred more on write blockers and adapters. You really have to look for these deals, but occasionally.

A word of caution though, specifically relevant to buying Encase second hand, make sure that the seller is a licensed owner. That they didn't just get the software from a lost parcel sale or something similar. You can only become a valid licensed user by virtue of buying from one. You wont be able to purchase updates, download them from the website, or have access to the Encase Forums (which may be the best part of Encase). Also, you will have to transfer the license with Guidance Software to get a customer number. If you buy version 4 or later you will have to pay a $150.00 fee.

 
Posted : 21/02/2006 1:09 am
Jamie
(@jamie)
Posts: 1288
Moderator
 

Good points as far as training is concerned. I think when I posed the question I was making the assumption that it wasn't necessary to figure training into this particular equation but the comments are well made.

No mention of FTK at the moment, any takers for that particular route?

Jamie

 
Posted : 21/02/2006 2:23 am
(@walkabout_fr)
Posts: 67
Trusted Member
 

Then again, when I started off in the private sector I was lucky and found Encase ver. 3 used for $1000 US.

By any chance, any idea where I could look for a Encase second hand licence ? Is there an "official" second hand market for this ?

I am part of the "computer_forensics_for_sale" yahoo group, but not much activity there…

 
Posted : 21/02/2006 12:44 pm
pooball
(@pooball)
Posts: 12
Active Member
 

I'd be interested in a second hand Encase licence meself if anyone comes up trumps!!

 
Posted : 21/02/2006 2:37 pm
Page 1 / 2
Share: