We currently have FTK Pro, FTK, EnCase 6 with 7 upgrade
For some reason FTK Pro version releases are a couple of months behind the Basic FTK releases. We were only permitted (by AD) to purchase four Pro dongles. So only half the office can use Pro. I will not advocate renewing these licences.
I have used FTK 4; I have yet to understand why it isn't FTK 3.5. As I can't transfer cases between my Pro machine and FTK 4 machine, either '4' or FTK Pro is useless, take your pick which.
My order of things
FTK to process live file to our viewing team
REG ripper
bulk-extractor
FTK to process all its bits and pieces (except indexing)
EnCase 6 to run various scripts
SIFT/EnCase 6 for timeline logs
Then it's mix and match, as by now I would expect the SIO to decide what they want.
I don't use EnCase 7 and I'd like our money back
Well, we know at least two Guidance employees roam the forums…
Guidance has to know by now how big an egg they laid with EnCase 7, and for it to go on this long is just irresponsible; they should stop selling it until it's fit for duty. Guidance doesn't seem to want it to work and keep the same features as version 6, no matter how many times their customers tell them. "Guidance knows best, the rest of us don't have a clue what we need" is the feeling I get. Guidance has released a few fixes but it's still broken. FTK is a good product; I have been with it since 1.8. FTK4 has had some bumps, YES it has, which is also unfortunate. I thought they learned their lesson with FTK2; it seems not so much! What an opportunity FTK has with the program to win over EnCase owners. I stick with FTK3 and EnCase 6 for now.
There are three downsides to XWF, as far as I see it;
1. Unintuitive interface.
2. Lack of customisation that (for example) EnScripts allow.
3. No free acquisition tool (unlike its most popular competitors).
Hi Chris,
Just a quick note about XWF - it's true the UI doesn't fit with what most EnCase trained examiners expect, however, once you've carried out the three day training course, the UI becomes second nature and actually very intuitive. The guys at X-Ways have spent a lot of time making the UI easy to use, but you need someone to explain it to you so you 'get' the design.
The latest version of XWF now ships with X-Tensions, which is a way of programming your own DLL in whatever language you like to extend XWF's capabilities. The API is solid and there are a lot of useful additions coming down the line.
With respect to acquisition tools, do they need to produce one? FTK Imager is probably the best and most widely used forensic tool available today, so stick with that!
A couple of other very compelling reasons to try XWF is that it is considerably cheaper than either FTK or EnCase. This is not because of reduced functionality - it's more like X-Ways are not gouging enterprise level customers as the other two are. Closely tied to this is the outrageous levels of hardware you have to throw at either FTK or E7 to get them to perform even adequately. XWF will run fast and remain stable on much lower spec hardware.
Finally, the X-Ways team release updates and optimisations very regularly, with beta versions of the next release available to all registered users if you're interested in having a play. They respond quickly and well to user feedback and provide the best value for money in the current market.
I use XWF as my primary tool followed by EnCase 6. As most others in this thread have described, EnCase 7 is not fit for purpose and doesn't get a look in.
I have no association with X-Ways other than as a very satisfied customer.
Unlike my very dissatisfied association with Guidance as tester for their buggy software!
Kind regards,
Fin.
Hi Fin,
For the record, I have attended the training course. You're right, once you're used to it the interface is fine, but IMO it is still fairly unintuitive. By that I mean it's difficult to "muddle" out what you want to do without referring to the manual. Of course, once you know it, you know it - but until then it can be slow going.
Let me put it a different way. I am convinced that within 5 minutes I could sit a semi-computer-literate person down and explain to them the different panes of EnCase, what they mean and how they work. I don't think I could do this with XWF.
That post was written before 16.4 - hence no mention of the APIs, which are awesome. Also, the VSS stuff in v16.4 made my heart beat in a very geeky way. And I want the acquisition to be free because it's so good! Does FTK4 allow for stuff like "copy sectors in reverse order"? I have no idea.
In conclusion; XWF is great. I hope we get some licenses this year!
Guidance just don't seem to care.
People would complain about bugs and missing features for years without anything changing.
AD on the other hand does seem to listen and FTK does improve.
If FTK crashes I just open it up and I am back where I was in seconds. If EnCase crashes it's a long time to get back up. (EnCase 6 that is, their only useful version; the preview of EnCase 7 looked horrible.)
FTK is more open in that it can use open evidence formats like AFF. Guidance with Encase 7 comes up with another proprietary evidence format .Ex01 as well as no interest in supporting open standards.
Neither EnCase nor X-Ways supports AFF.
I am pretty sure I sat in a meeting for EnCase 7 where the Guidance rep told us Ex01 was an open standard.
I don't think it's open in the sense that anyone can make changes, but the technical details are published and libewf supports it.
White paper from Guidance on Ex01.
http//
Hi guys,
One small question about FTK 4: if I was to buy a licence of FTK4, does it come with Oracle included, or would I need to buy Oracle also in order for FTK to work?
Regards,
K.
The custom Oracle or PostgreSQL (your choice) database is part of and included with FTK.
I don't think it's open in the sense that anyone can make changes, but the technical details are published and libewf supports it.
It's not very open if the Forensic community can't make changes.
At "Date 2012-03-21 13:16:11 PDT" jbmetz, the developer of LIBEWF, makes the following comment.
Ex01/Lx01 is actually a completely different format, at the lower level.
Guidance has released part of the format specification. For now I lack the time to do anything serious on Ex01.
Seems as
a) Guidance have released only part of the specification
and
b) Libewf doesn't support Ex01
This is not evidence of openness. I would love to see signs that Guidance wants to engage with the community. The mess with EnCase 7 doesn't show engagement with the forensic community; it shows that they don't know or care what we need.
They could for one add support for AFF evidence files (AFFLIB) for a start to show that they support open formats.
The forensic community are blessed to have people like JB Metz who have written tools so that we can have access to proprietary formats like EWF (.E01)