We're looking at purchasing either EnCase 7 or FTK4 for our agency. Since both are relatively new, I've not been able to find too many reviews of the products. Ideally, we would like to purchase both, but our budget will limit us to only purchasing one for now. Which piece of software would you recommend to an agency that currently has no commercial forensic software?
Thanks for your input.
I would strongly advise against buying EnCase 7 at the moment, because it is so buggy that it is practically unusable.
IMHO, I think that right now, between the two options, your best bet is to go with FTK. Use their specifications guide to configure your system properly, put your DB on a dedicated SSD. Try to find an AccessData Oracle DB installer disc because from my experience, PostgreSQL tends to crash FTK when working with moderately large cases (2 million + items).
Another possibility is to buy a used hand Encase 6 dongle (if you can still find one). We are still working with Encase 6 at the office (along with FTK) and it works very well.
But I really think you should stay as far away as possible from EnCase 7 at the moment. Browse through the Forensic Focus forums, you should see many threads about disappointed/angry users of Encase 7.
Hope this helps.
Pierre-Marc
No "X-Ways Forensics" option? )
Between those two choices, FTK4 is a clear winner in my book. As was said, Encase7 is very buggy and causing issues in lots of places. Our dept has FTK3 and EnCase6 - I've demo'd both of the newer ones and loved what I saw in FTK4. I've got some other all around recommendations, but that should be saved for the appropriate thread. =)
No "X-Ways Forensics" option? )
I'd also seriously suggest considering X-Ways. Of the two options presented, I'd go for FTK.
Like the others I would strongly suggest you stay away from Encase version 7. It is unusable.
Version 6, on the other hand, is a superb piece of software for investigation.
I am not a big fan of FTK but others in my office love it. I find it good for carving out files for review but limited for investigation - just my personal view.
As others have suggested, I'd take a look at XWays - it's a powerful tool but not too pretty.
My list would be
1. V6 Encase
2. XWays
3. FTK
V7 isn't on the list
While my list would be
1. X-Ways Forensics
2. SIFT/open source tools
3. EnCase 6 with a load of custom EnScripts, followed very closely by…
4. FTK 3
5. FTK 4
EnCase 7 doesn't deserve a place on the list at this moment.
I don't want to hijack this thread, but I see a lot of people mentioning X-Ways.
I've never used it myself and I was wondering what features does X-Ways have that makes it so powerful?
From the screenshots on the website, it looks a bit like an older version of Encase.
X-Ways can only benefit from the 2 market leaders releasing products which are clearly not properly tested.
There is surely room for a third option (perhaps one that is simpler with less "bells and whistles" but just works).
We have just purchased our first x-ways dongle and I am sure we are not alone.
Here's a very short and brief overview of some of X-Ways
It is not a pretty tool, but it is very powerful. It natively does a large range of things which you look at and think "why doesn't <insert other forensic tool> do that?".
Off the top of my head, it will quickly parse
LNK files
PF files
System Restore change.log
As well as this it has a very good indexing system, a superbly flexible approach to reviewing keywords, and it can deal with pretty much any filesystem you can name.
There are three downsides to XWF, as far as I see it;
1. Unintuitive interface.
2. Lack of customisation that (for example) EnScripts allow.
3. No free acquisition tool (unlike it's most popular competitors).
None of these are especially game-breaking.
I have personally been evangelising about it pretty hard in my office, but without much luck this financial year. Maybe the next one.. ? )