comparitive study

I think EnCase has been the leader for a long time until FTK 3 came along.

I believe FTK 3 handles large datasets better than EnCase. It also does a great job of categorizing file types and the indexing is great if you need it. However, it needs to run on a PRETTY GOOD machine to use it efficiently. If you choose to use FTK 3, consider using an SSD drive to install your Oracle DB. It's the best way to make the GUI more responsive.

On the other side, EnCase can run on pretty much any hardware. It does a great job for file system forensics. It is not renown for it's email capabilities though…

Honestly, I don't use EnCase much so I hope you'll get more feedback from other users to help you choose. However, as you'll probably see on several forums/blogs, both tools are pretty much complementary now so recommanding one over the other will be a tough thing to do.

Check this blog entry, it might help you http//ericjhuber.blogspot.com/2010/05/dont-panic.html

This question, or a variation of it, has to be one of the most frequently asked questions on Forensic newsgroups and there is no right answer.

Each tool has strengths and weaknesses, most of which have already been discussed, here, so I'll try to be brief.

Because of its rigorous certification process, EnCase experience is probably more widely valued in terms of employment (in the absence of other credentials or documented experience). Many places will require EnCE or accept it in lieu of a vendor neutral certificate.

EnCase is also scriptable and there are many Guidance Software and third party Enscripts which extend the functionality of EnCase by automating many of the most commonly performed tasks of a forensic investigator.

As noted by Hitman, EnCase is resource intensive, a lot of functionality and performance is achieved by processing data in RAM. More recent versions of EnCase can take advantage of multi-core processors but processing large volumes of data can be resource intensive.

Until recently, EnCase did not have the ability to build inverted indexes of the evidence but newer versions do. Also, some EnCase functionality has the appearance of "afterthought" meaning that it can be counterintuitive.

Before FTK 3, FTK 1.8 was the most reliable version of FTK and, as noted, was particularly good at handling most mail formats as well as ad hoc queries using a pre-built inverted index. FTK was limited, in performance, by the underlying database but this changed with 2 and 3 and now FTK uses Oracle, which is good, but for the best performance, I would (as Hitman suggested), consider running your database on a separate platform.

Both platforms use Oracle's OutsideIn for native file viewing and processing. This has found to be an issue in the past due to the fact that buffer overrun exploits could be inserted in to Microsoft Office files which corrupted both EnCase and FTK.

Another issue with FTK is the way that it handles compound files by extracting their contents to temporary files can create problems if the files contain malware and you aren't running in a sandbox or with antimalware software.

Another package that I have found to be valuable is X-Ways forensics which can be more reasonably priced than either FTK or EnCase.

And, of course, The Sleuth Kit (TSK) is free and I have been invoved in cases where what was obscure in FTK or EnCase was made immediately obvious in TSK (especially if you are dealing with $MFT issues).

Anyway, my $0.02 worth.

Thanks Hitman and seammcl for your suggestions.

Dear seanmcl you suggested
"FTK was limited, in performance, by the underlying database but this changed with 2 and 3 and now FTK uses Oracle, which is good, but for the best performance, I would (as Hitman suggested), consider running your database on a separate platform."

I would like to ask you how can we run our database on separate machine. Thanks!!

I would like to ask you how can we run our database on separate machine. Thanks!!

Follow the Detailed Install Guide?