First Forensic Suite Advice Please
sgware
(@sgware)
Junior Member

I am new in the field. I just completed a masters program in digital forensics at UCF and am planning to enter the CFCE certification process this Fall. Throughout my academic career and through mock investigations post graduation, I have put together a nice selection of forensic tools, both free and purchased, that includes TSK, fileXray, WinHex (specialist), imaging tools, registry analysis tools, the FAU suite, various file viewers. The free FTK and FTK Imager are also part of the tool box.

My workstation is a late 2011 MBP, i7 quad core, 8GB RAM. I run VMWare Fusion with XP SP3, 2 Ubuntu distributions (10.04 and 12.04). At present, I select the tools I need across all three platforms to acquire images and analyze them.

Now, I am ready to take the next step and purchase a forensic suite. Platform is a concern only from the standpoint that XP running in Unity doesn't allow access to the firewire ports on the MBP. So, the question of what to purchase is taking longer to answer than I thought. I have narrowed the decision to XWF and MacForensicslab. Both claim support for most filesystems, email formats/archives, and have impressive workflows/reporting capabilities.

For a personal forensic toolkit, I would really like feedback on the two.

Thanks all!

Scott

Posted : 31/07/2012 7:01 pm
twjolson
(@twjolson)
Active Member

I thought about buying FTK with my student loans. Long story short, I didn't, and I'm quite glad that I didn't. If I had, I would have used it for the ACE and never touched it again.

The thing is, unless you are planning on starting your own little CF business, it's just not worth the money. This is doubly true if you still have connections at school (or get a position in CF) that allows you access.

The CFCE process does not require any particular program. Thus, if that is your only impetus, what tools you have already are more than enough. When I attended, we got a copy of WinHex, which should be adequate for the CFCE process.

My personal bias though is to stick with SIFT and other such tools. The market is flooded with tool monkeys that can do push button forensics on EnCase or FTK. But, if you go into an interview and say that you can do an exam only with SIFT and other open source tools, I think that is a big plus in your column. Assuming school did teach you EnCase and/or FTK, I think the ability to use SIFT and other open source tools in addition makes you an attractive hire.

But, to answer your original question, I don't think the difference in features between X-Ways Forensic and WinHex is enough to warrant the purchase (I could be wrong, as I am just now dipping my toe into WinHex/X-Ways Forensic). Unless you are flush with money to burn, I would think EnCase and FTK are too expensive to warrant purchase merely for personal studies. MacForensicslab, I have never used. It is quite pricey though, so I guess I would skip that one personally.

My two cents, but I guess unless you have money to burn, or are planning on using the tool to invest into a CF firm, I'd skip buying. Nothing, after all, says you have to. I doubt owning your own version of, say, FTK will be much to your credit at interview.

Posted : 31/07/2012 8:38 pm
BitHead
(@bithead)
Community Legend

Not to discount the points from twjolson, but since you just asked for a comparison of the two products, here is my 2 cents. Since you have a Specialist license of WinHex, my recommendation would be to upgrade to XWF. Reasons: You are familiar with the interface, XWF has additional features not found in MFL, XWF has a more robust development/bug fix cycle, and there used to be a discount path from Specialist to XWF (this may or may not be the case anymore).

Posted : 31/07/2012 8:54 pm
keydet89
(@keydet89)
Community Legend

Now, I am ready to take the next step and purchase a forensic suite.

Given your background, why do you see the need to purchase a commercial forensic suite?

Part of the reason I use (or write) open source tools isn't specifically because they're open source, but because I can see what they're doing. When I was on the IBM team performing PCI investigations, we had a good bit of difficulty in getting from GSI what, exactly, their IsValidCreditCard() built-in function was doing. When we finally did find out, and were able to validate this, we found that the function was missing several of the CCN formats that PCI considered "valid" and in-scope.

Another reason I use these tools is because they are capable of doing things that commercial suites aren't, such as full-on timeline creation using multiple data sources.

Again, given your background, I would think that with your experience in using these other tools, you would have reached a point where you were able to pick the tool for the job.

Posted : 31/07/2012 8:56 pm
isth
(@isth)
Member

We have FTK, Encase and X-ways - X-ways wins in my book 95% of the time. Encase and FTK are barely touched. It's also the cheapest of the 3.

Posted : 31/07/2012 8:57 pm
sgware
(@sgware)
Junior Member

Thanks for the quick response! Great advice as well. We didn't spend a lot of time on FTK or Encase. Most of the file system analysis was low level accomplished using a hex editor. I thought XWF or Macforensiclabs might be an asset by combining several functions into one tool. However, I suppose it really doesn't matter until I am in a position where the caseload requires higher throughput.

Again, your feedback is very much appreciated.

Scott

Posted : 31/07/2012 9:00 pm
sgware
(@sgware)
Junior Member

Not to discount the points from twjolson, but since you just asked for a comparison of the two products, here is my 2 cents. Since you have a Specialist license of WinHex, my recommendation would be to upgrade to XWF. Reasons: You are familiar with the interface, XWF has additional features not found in MFL, XWF has a more robust development/bug fix cycle, and there used to be a discount path from Specialist to XWF (this may or may not be the case anymore).

Yes, I am very comfortable with the WinHex GUI. In fact, looking at the MFL GUI, and reading the docs at their website, it felt a bit too abstracted from what was actually happening. I would have to test every function myself to feel comfortable with them. With WinHex, I trust it because through many experiments, I have verified that it is what it says it is.

So, if I do purchase a tool, it will most likely be XWF.

Thanks to all for the great, and valuable, feedback.

Scott

Posted : 31/07/2012 9:09 pm
fraudit
(@fraudit)
Member

Well, I expanded from forensic accounting into the computer forensics area quite recently. I'm certainly not an expert but always was fond of digging into a system's guts, so I believe I have the necessary prerequisites.

Anyway, I second X-Ways - it's affordable and does its job. If you need some more sophisticated tools, I'm pretty sure you will find a GPL-licensed one!

Posted : 07/09/2012 2:32 pm
sgware
(@sgware)
Junior Member

Thanks for the feedback. I appreciate it. On the advice of the other respondents, I took another look at the freeware and open source tools that I have accumulated. I can't imagine needing more to do that job. That said, X-Ways is very attractive to me and at some point I will upgrade my WinHex Specialist license.

So, for now I think I have the tools needed for the CFCE. I will definitely follow up with the results and commentary.

Scott

Posted : 08/09/2012 1:50 am
marcyu
(@marcyu)
Active Member

Scott,

I'm also a user of WinHex Specialist and it's one of the best tools in my arsenal. However, looking at the additional tools available with X-Ways Forensics, I don't believe it's worth the extra money for the upgrade. I would save my money for other software that you'll eventually need, such as RAID recovery, social media artifacts, password recovery, and cell phone acquisition.

Posted : 08/09/2012 3:45 am
LarryDaniel
(@larrydaniel)
Active Member

A couple of thoughts: MacForensics Lab i.m.h.o. is very pricey for what you get, as you can do everything with other tools. I know I can't justify the expense for that tool when we have others that work just fine for Mac forensics.

You might want to consider P2Commander suite as it handles email extremely well and does chat and some other parsing. I consider P2 commander to be a "semi-automatic" suite as it is closer to Xways than it is to FTK or EnCase. You can get a free demo copy of P2 Commander from Paraben. They have demos of most of their forensic software and their email tools are outstanding.

If you move into a commercial job, chances are you will need to use FTK or EnCase if that is the shop standard. You already have FTK in some form, so don't neglect it.

You can get a feel for EnCase by going through the EnCE Study Guide as I think it has a student version included with some sample evidence. At least it used to.

As you get down the road in your career, you will find that you will tend to use either the best tool for the job based on what you have available, or the only tools you are allowed to use based on where you work.

So keep your horizons broad and while you have the luxury of time, play with and learn all you can with a critical eye as to what gives you the best results and the most production.

Once you get into the workplace you will find the greatest limit on your ability to perform examinations is not tools but time and money. There is always a limit to how much you can spend on a case, either time, money or both, so what really matters is how efficient you can be, regardless of which tool you choose to employ. Whether you are in private practice, working for law enforcement or doing internal investigations, the idea is to turn cases as quickly and efficiently as possible without compromising quality.

Posted : 19/09/2012 7:43 am