EnCase 7 vs FTK4

(@robdew)
New Member
Joined: 13 years ago
Posts: 2
 

Oops, looks like I didn't read the full comment on the libewf SourceForge page. And I need to browbeat the Guidance rep the next time he comes and gives a presentation.


   
ReplyQuote
(@binarychimp)
New Member
Joined: 14 years ago
Posts: 2
 

My preferences

X-Ways
EnCase 6
SIFT Windows and Ubuntu versions
FTK3 with Postgres (seems less inclined to eat the machine compared to the Oracle installation)

EnCase 7 is apocalyptically bad. I could not see where the En6 -> En7 EnScript converter is. IIRC it was promised during a podcast to 'smooth' the transition. The real question is: will it affect how managers view the certification when hiring staff if the product is getting this response from the community?


   
ReplyQuote
(@leenmie)
New Member
Joined: 13 years ago
Posts: 4
 

Have you ever used EnCase (version 6) to analyse a big case, waited for a day, and had it crash? Then you opened the case again and nothing was saved. I said NO to EnCase. I will never accept stupid behaviour like that.
FTK is better. Even if it freezes or crashes, you can open it again and everything is there.
Maybe I will replace EnCase with X-Ways.


   
ReplyQuote
(@yunus)
Estimable Member
Joined: 17 years ago
Posts: 178
 

It is definitely FTK 4. EnCase 7 is the worst version of EnCase I have ever seen. No one wants to use version 7 in my laboratory. Lots of good features in version 6 have been removed, and it is now very unfriendly in terms of design and operation.


   
ReplyQuote
 jm25
(@jm25)
Eminent Member
Joined: 13 years ago
Posts: 29
 

I've used XWF, but for pretty low-level stuff. If you have to start looking at FS data structures, the hex viewer beats any of them hands down. No doubt, though, the interface is not pretty and is hard to use.

Does XWF support searching of compound files, zips, docx files, etc.?

Thanks


   
ReplyQuote
(@ruben03mx)
New Member
Joined: 12 years ago
Posts: 1
 

We're looking at purchasing either EnCase 7 or FTK4 for our agency. Since both are relatively new, I've not been able to find too many reviews of the products. Ideally, we would like to purchase both, but our budget will limit us to only purchasing one for now. Which piece of software would you recommend to an agency that currently has no commercial forensic software?

Thanks for your input.

——————
I tried FTK 4 vs EnCase 7 for a month and was processing the same evidence files (HDD images that vary from 50 GB to 200 GB).

Our conclusion was:
- FTK uses 100% of our workstation (see specs at the end) while processing; we need to stop using the workstation. When it finishes, the index searches are slow and we can't transfer the case to computers with less capacity. FTK takes a lot of time (it almost doesn't finish processing a case if you don't have a powerful computer).
- EnCase uses 40% of our workstation while processing, the workstation is totally responsive, and it finishes between 30 minutes and 1.5 hours after FTK. When it finishes, the index searches are faster than FTK and we can transfer the case to other computers with less capacity (EnCase lets you use a less powerful computer to process a case; it takes more time, but it finishes).

If you need a lot of speed and have the money to buy FTK-compatible computers, FTK could be your solution.
If you don't care about 1.5 hours of additional processing time and you would like to be able to easily transfer the case to more than one investigator who has a less powerful computer (or process the case on a less powerful computer), EnCase could be your solution.

By the way, we used FTK 4.0.2.33 and EnCase 7.06.01.

Note: EnCase 7 lets you restore a case after EnCase crashes, and it takes no more than 5 minutes to open a 120 GB case. We worked on a case with 5 images of 150 GB in the same case, and it takes 10 minutes to open the case after a crash. Before the crash the 5 images were completely processed with the following processing options enabled: Recover folders, File signature analysis, Protected files, Thumbnail creation, Hash analysis (only SHA), Find email and Indexing (only files that are not in the library).

——————————————-
Workstation used

- Two Intel Xeon CPU E5-2630 @ 2.30 GHz processors
- 32 GB of RAM
- 64-bit Windows 7 Professional

3 HDDs
Disk 0 – For Windows [OS(C)] and System. EnCase or FTK was installed on this HDD.
Disk 1 – 2 TB 10K; this drive is where evidence is stored.
Disk 2 – A RAID 0 composed of 3 HDDs at 15K; this RAID is used for the cache or the database.
———————————————–


   
ReplyQuote
(@twhip)
New Member
Joined: 18 years ago
Posts: 3
 

I would give ILookIX by Perlustro a good look. Major cost savings in hardware requirements to image Macs and PCs alike without removing the hard drives from the box. One LEO agency was able to image 52 computers, with HDDs of 250 GB to over 1 TB, RAIDs included, in 6 hours using two special agents writing to a combination of external storage devices.

IxImager is the only forensic imaging tool in existence that exceeds NIST Test Criteria. https://www.ncjrs.gov/pdffiles1/nij/217678.pdf

The only terrorist to be convicted by the United States in relation to the 9-11 attacks had his computers examined by FBI SA Lawler using ILook.
(United States of America v. Zacarias Moussaoui) http://cryptome.org/usa-v-zm-email.htm paragraph 25.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I would give ILookIX by Perlustro a good look.

Might I ask you if you actually already gave it a good look?
And if you are - by any chance - connected with Perlustro? 😯

No offence whatever intended :), but every time someone on his/her first post recommends a tool, it is logical to suspect some form of astroturfing, and this particularly happened with Perlustro in the past:
http://www.forensicfocus.com/Forums/viewtopic/t=8679/postdays=0/postorder=asc/highlight=perlustro/start=7/

And with it exceeding NIST criteria:
http://www.forensicfocus.com/Forums/viewtopic/p=6562161/#6562161

jaclaz


   
ReplyQuote
(@twhip)
New Member
Joined: 18 years ago
Posts: 3
 

Hi Jaclaz

I have used all three. Am I connected? I am a retired LEO, and I have been using ILook for 14 years and do know the developers very well at Perlustro. Check the records: I have been a member of this forum for a number of years (2007). Contributions have been limited, but when I have something to say, I say it.

I made the suggestion to "give it a good look" to bring to the readers of this forum alternatives to the EnCase and FTK products.

Most examiners today have little experience or knowledge of ILook. Few people realize that ILook was supported and distributed by the U.S. Treasury to law enforcement and had over 20,000 domestic and international users when support was discontinued. Unfortunately, the commercial version was delayed for over a year, allowing EnCase and FTK to gain a foothold. Once the hook is in place with EnCase and FTK, your investment is multiplied by all the training and upgrades, making it financially difficult to migrate to something else.

I am passionate about ILook, just like EnCase and FTK users are about their tools.

Is one better than the other? That's up to the users. NIST recently posted a number of controlled images so examiners can validate their tools, knowing whether their tools were able to recover and find known evidence. I suggest forum readers test their tools. As the legal community gets wind of the NIST control images, I bet your bottom dollar or euro they will be asking the "examiner" whether they have tested their tool (EnCase, FTK, X-Ways, etc.) against them, and for the results. Whether they did or didn't, I would hate to be the one giving evidence, especially if the tool failed.


   
ReplyQuote
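Following up on the suggestion above to test tools against the NIST control images, here is an added example of the kind of check an examiner would script; it is not code from any post in this thread or from any vendor. It assumes a reference manifest of known file paths and SHA-1 hashes in a simple `path,sha1` CSV shape (an assumption; the real NIST material has its own documented format), and a tool export listing in the same shape. Both inputs are constructed inline so the script runs offline; the point is the comparison logic, which reports what the tool found with the right content, what it recovered with the wrong content, and what it never listed.

```python
import csv
import hashlib
import io

# Constructed ground truth standing in for a reference test image's published
# contents. A real manifest (for example one shipped with a NIST test image)
# would be read from disk; it is built inline here so the example runs offline.
KNOWN_FILES = {
    "/Documents/budget.xlsx": b"budget data v3",
    "/Documents/memo.docx": b"confidential memo",
    "/Users/bob/notes.txt": b"call the lawyer",
    "/$RECYCLE.BIN/deleted.pdf": b"%PDF-1.4 deleted invoice",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Serialise {path: content} as 'path,sha1' CSV text (the manifest shape assumed here)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["path", "sha1"])
    for path, data in sorted(files.items()):
        writer.writerow([path, sha1_hex(data)])
    return buf.getvalue()


def normalise_path(path: str) -> str:
    """Tools differ on separators and leading slashes; compare on one canonical form."""
    path = path.strip().replace("\\", "/")
    return path if path.startswith("/") else "/" + path


def parse_manifest(text: str) -> dict:
    """Read 'path,sha1' CSV text into {canonical_path: lowercase_sha1}."""
    reader = csv.DictReader(io.StringIO(text))
    return {normalise_path(row["path"]): row["sha1"].strip().lower() for row in reader}


def validate(reference_csv: str, tool_csv: str) -> dict:
    """Compare a tool's export listing against the reference manifest.

    found      - reference files the tool listed with the correct hash
    mismatched - listed, but the content hash differs (e.g. partial recovery)
    missing    - reference files the tool never listed
    extra      - paths the tool listed that the reference does not contain
    recall     - found / total reference files
    """
    ref = parse_manifest(reference_csv)
    got = parse_manifest(tool_csv)
    found = sorted(p for p in ref if p in got and got[p] == ref[p])
    mismatched = sorted(p for p in ref if p in got and got[p] != ref[p])
    missing = sorted(p for p in ref if p not in got)
    extra = sorted(p for p in got if p not in ref)
    recall = len(found) / len(ref) if ref else 0.0
    return {"found": found, "mismatched": mismatched, "missing": missing,
            "extra": extra, "recall": recall}


REFERENCE_MANIFEST = build_manifest(KNOWN_FILES)

# Constructed tool export: the tool listed three of the four files, recovered
# the memo only partially (so its hash differs), and never surfaced the deleted
# PDF. Paths use backslashes to exercise the normalisation above.
TOOL_EXPORT = build_manifest({
    "Documents\\budget.xlsx": b"budget data v3",
    "Documents\\memo.docx": b"confidential",
    "Users\\bob\\notes.txt": b"call the lawyer",
})


if __name__ == "__main__":
    result = validate(REFERENCE_MANIFEST, TOOL_EXPORT)
    print(f"recall {result['recall']:.0%}")
    for key in ("found", "mismatched", "missing", "extra"):
        for path in result[key]:
            print(f"{key:10s} {path}")
```

The hash comparison matters as much as the path listing: a tool that shows a file name but exports truncated or wrong content would pass a naive "did it find it" check and still fail in court. Keep the reference manifest separate from the tool output under test, and record the tool version alongside the result so the validation can be repeated after an upgrade.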
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I have used all three. Am I connected? I am a retired LEO, and I have been using ILook for 14 years and do know the developers very well at Perlustro. Check the records: I have been a member of this forum for a number of years (2007). Contributions have been limited, but when I have something to say, I say it.

Yes :), you joined in 2007 BUT posted for the FIRST time today. (I would say that your previous post was your first and only contribution.)

I would be interested if you (or the Perlustro developers you know well) would care to comment on the linked thread:
http://www.forensicfocus.com/Forums/viewtopic/p=6562161/#6562161

It would also be nice if you could post/report your personal opinions on the tool and your experiences with it, rather than citing "vague" anecdotal references such as:

One LEO agency was able to image 52 computers, with HDDs of 250 GB to over 1 TB, RAIDs included, in 6 hours using two special agents writing to a combination of external storage devices.

jaclaz


   
ReplyQuote
Page 3 / 5
Share: