
EnCase 7 vs FTK4

46 Posts
28 Users
0 Reactions
4,733 Views
TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

I don't know how I missed the previous Perlustro-turfing. Jaclaz, thanks for calling attention to it. The puffery of Perlustro and its surrogates is cut from the same cloth as social engineering scams, e.g., 419 emails. The ignorant may find that approach appealing, but to competent professionals, it's comically over the top.

A very entertaining read.

Edit: I couldn't resist putting the company name in orange, in true turfing style. lol


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

I see your orange Tucker and raise you a 24 point font sir!

<begin_rant>

i am dealing with the marketing trolls from perlustro on some linkedin discussions about x-ways that has nothing at all to do with ILook.

out of the blue someone named Ian Brownlie (http://goo.gl/O9ZrX) shows up and starts spouting off all the used car salesman type stuff about perlustro and how it can find evidence from cases without even having the images related to that case, how it solved the enron case in 27.1 minutes, and on and on.

This same distinguished gentleman then went on to send me messages like this:

Eric,

PERLUSTRO no longer supply demos as no other product can recover the files that their products can, what they offer is a 60 day money back guarantee that you can't find another tool that can find more files than they can. (No other company offers this guarantee).

There actually is a demo for the imager that was given to all that attended HTCIA in Hershey. The restriction is that the image files it makes are proprietary .asb which can only be read in ILookIX.

The data on the PERLUSTRO site is the results of the NIST images processed through ILookIX and are there for the benefit of registered ILookIX users to verify their results after they themselves have done a comparison of the NIST images first.

How can you refute IXimager claims if you don't even have access to the program? IXImager is not just an imager, it can boot/image/restore/clone etc 99% of any computers ever made.

Try this scenario, 52 desktops imaged in 6 hours some of those are RAID (the imager boots the computer loads into ram and then ejects the disk, all under a minute) if the computer is found turned on, the imager can reboot the computer fast enough to capture volatile ram.

PERLUSTRO are a small company and their products are always a constant work in progress, the product is built on average at least every 48 hours or whenever something can be improved as they don't spend money on marketing it is all by results and word of mouth. Perlustro was only ever available to Law Enforcement and certain government agencies, whilst the US government footed the bill. The product is nothing like the free version used to be, 2 years ago there were 7000000 files that no other product used to see. 12 months ago it took 24 hours to process the Enron case, now it takes just over an hour.

ILookIX costs $US 2200 for the first year, and it will be no more than $1560 for second and subsequent years. Perlustro don't charge any extra for upgrades and new versions whilst the license is valid. For that you get the most advanced Forensic solution available. This includes the ability to create a licenced copy of IXImager. An enterprise licenced SQL Server 2008R2 (This alone costs more than the ILooKIX license if you were to buy separate). This SQL server is yours to do as you wish (you can run other programs from it etc, it is not locked down). You can also create Ivault files that can be imported into the reviewing tool IVAULT. Ivault is a separate reviewing tool with which you can access/ share files or case data and print or export to other formats such as concordance / ringtail etc.

When you have done your testing with any tool of your choosing please post your results for all to see. If you like see how long it takes you to process the Enron case?

I am happy to discuss this further, however I think if you wish to do it publicly we need to choose another forum.

Regards,

Ian

and

Eric,

I doubt ZORAN will allow this to be listed, it is still in the queue.

I still am not seeing the NIST DFR test reports of Winhex?, notwithstanding your protests about product costs and the fact no one can do forensics but the FBI, I still don’t understand how, if it is so simple and easy for winhex to pass the DFR tests, you won’t just publish the same tests Perlustro has.

Evidently Winhex can’t pass the tests ? or Winhex will not publish the test results because they are waiting on your write up to clear the air on the issue.

Or maybe there is something else going on preventing a 15 minute test from being performed because of more pressing tests of more importance.

It's just simple NIST tests about Deleted Files – you're not trying to buy time are you? Perlustro published them 5 months ago now. Maybe when the terror events give you more of a time break you can get to them.

Regards,

Ian

Stay classy Ian.

Right in Ian's response he says the perlustro NIST tests are for the benefit of other ilook users rather than an objective test and comparison against other forensic suites.

my guess is twhip is this guy Ted Wypych with linkedin profile http://goo.gl/O1nGz

he does the same kind of trolling there along with Ian and someone named Richard Boddington with profile http://goo.gl/Vkyyh

My guess is it's all the same person or persons with a few accounts. They contribute as much stuff to linkedin as they do here, namely, astroturfing posts.

Search thru linkedin for their names and the perlustro/ILookX group (that has 16 members) and see how they operate. I know ian is a member of every vendors group and posts the same kind of stuff about perlustro in all of them.

Hey Twhip, i can tell you that people are NOT getting asked about the NIST images in court (or at least state and federal court in the united states), or at least not the dozens of hearings and trials i have gone to and been a part of in the past few years.

testing against the VERY LIMITED nist images as it relates to finding deleted files has little to do with the totality in accuracy or capabilities of a forensic tool.

if you think about it, a deleted file is, for a lot of the nist images, just a filename and dates without content. in all but very limited circumstances, that will NOT be anything even close to your core evidence about what happened on a computer as it relates to proving a case.

in the few nist images i have tested, X-Ways Forensics did just fine in finding the files that it should according to the NIST documentation.

they then drone on and on about the nist images but if you look on the perlustro page, it reports NOTHING about the findings at all. not a THING as to how perlustro did. it just contains the number of files found before and after a bunch of stuff that only makes sense to ilook users.

Why they do not choose to do something logical like

Nist image 01

Expected files 3
Found by ILook 2
Missing file was foobar.txt

Nist image 02

Expected files 4
Found by ILook 4

and so on.

this allows direct comparison between forensic tools, but do they do that? No! it's the same drivel they post about all the other OneOfAKindWeDoItAllBESTTOOLINTHEWORLD statements on their site without any context at all.

they also have a bunch of file systems and stuff not even included in the nist sets. Why?

As jaclaz also alluded to, perlustro says they imaged 56 computers in 6 hours. Big deal! How many instances of Ilook were used? 56? I would argue any imaging program can do the same. where are the details? What OS? what size were the drives? where were the images being written to? did that include any setup time? How many people were doing it?

in the IACIS list last year some salesman jumped in about how ilook imager was so fast and threw out all these numbers. i showed better performance with x-ways forensics and imager across the board with as close to the same kind of test that they did.

another linkedin user put it best

A lot has already been said about Perlustro's marketing techniques, so I won't elaborate on them. As far as I'm concerned, I tend to run away from professional tools that are marketed like washing powder.

i can only hope the owners of perlustro are not aware of how their product is being marketed. I have heard good things about the developers from people i respect.

for anyone considering ilook, be aware that the license expires the day you stop paying maintenance and the license is tied to a single computer. let's not forget the horsepower that is necessary to ensure SQL server runs decently as well as this is an additional expense. Finally, can ilook write DDs or e01s or just their proprietary format? if it's just the proprietary format, that surely seems to be a means to lock you into sticking with ilook as all your evidence will be in a format no other vendor supports (which again is an interesting question. why don't other vendors support ilook's imaging format?)

its no secret i am pro X-Ways and the reasons compared to ilook are obvious

- i can get xwf with years of maintenance for the same price as the ilook
- i can run xwf as many times as i want on any computer i want
- xwf spends their money on their product, not marketing shills

Sorry to possibly hijack the thread, but it had to be said!

</begin_rant>


   
dacton
(@dacton)
Eminent Member
Joined: 16 years ago
Posts: 22
 

Wow! Lots of vindictiveness when ILook is mentioned. When other tools are mentioned, people just ask questions.

I personally know TWhip and he really has used ILook for 14 years. So have I - we used to work together in the same agency, albeit at opposite ends of the country. I thought he had posted before but maybe that was in different forums. . .

There is no way I can go through all the posts referred to by Jaclaz, and try to respond. When I tried to follow them it was like a rabbit hole.

As I said, I've used ILook for 14 years, with a short break in 2007 or so, when it went offline and transitioned from being a Law Enforcement only tool, supported by the US government to a commercial tool, available to anyone. During that break you were still allowed to use ILook but you had to request frequent licence upgrades. This kept the users to the base that already knew how to use it well so there were not a lot of customer service issues while the new commercial release was being developed.

I, and my co-workers, kept up our licences during that interim but many others did not. We also tried to use FTK and EnCase as the future was uncertain as to when ILook would be back with a commercial release. That time span included FTK 1 and just a bit of FTK 2 and I'm not sure what version EnCase was issued at that time. We were able to purchase ILook commercially in August 2009 and have been using it ever since. We still have a licence for EnCase and FTK but do not have them installed and ready to use.

We also have a licence for X-Ways and my two co-workers have been on X-Ways training. I am going next month. I hope to use X-Ways as my second tool to cross validate ILook results. It is easy to install and although not easy to use, I will have the training under my belt, and the manual to help me remember the reportedly non-intuitive interface.

As TWhip said, there were many users back then, and because of the two year delay, many left and went with EnCase or FTK and now feel that they have paid so much money into the ecosystem of their current tool, that it is very difficult to leave. Why so many vindictive replies to the suggestion that someone consider another tool?

Perlustro is not a software house (as I read in one of the posts when trying to follow Jaclaz' link) but a small private company with two or three people at the core of this software. In that way it is very similar to X-Ways in that it changes quickly to meet need, developers are accessible and interested, etc. Some of them might be a bit eccentric :)

ILooKIX is fast, able to run on any machine that can run Windows 7 Business, Pro or Ultimate, has an intuitive interface, its deleted file recovery is fantastic, as is its ability to undelete files from within shadow copies.

Its downside is also how small the company is so there are not slick marketing tools, as you can see by the various complaints about their marketing technique. They don't have one. As far as I know, all the posts being complained about are from users.


   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

Although the original post to this thread was a year ago, a more accurate survey would have consisted of an open-ended question on which brand and version of a tool is preferred (along with those having an interest of a particular brand self-report that interest).

Having just an either-or option gives false data results unless those two choices are truly your only two choices. I can't see that being a practical option. Also, the results of this kind of survey are inaccurate because of us, the voters. I can say a lot about XWF (all versions) and nothing about Encase v7 (but I can on older versions). Unless you have used all versions, opinions on which is better are moot. Encase v7 is nothing like v5, as an example. How can anyone, including me, say that FTK v4 is better than Encase v7 if I have not used Encase v7?

AD just posted this survey to twitter, giving the percentage of votes but not giving the low number of 77 votes, as validation of FTK being more popular than Encase. That is a low hat stand to hang your hat on, in my opinion.

"AccessData ‏@AccessDataGroup 19 Apr
FTK 4 v EnCase 7 - Which would u recommend to an agency that has no commercial forensic software? 84% say FTK! http://bit.ly/XL4E4B …"

There are more forensic suites besides Encase and FTK (or XWF, or iLook, or Paraben, or TechPathWays, or ….). There are many to choose from, based on #1 budget, #2 needs, and #3 personal preference.

I would consider the results of this survey misleading to anyone facing purchasing their first commercial forensic suite, unless there really is no other choice besides FTK and Encase. I'd like to see a more accurate survey, where the users of a tool give their opinion based on their personal knowledge of other tools. Or perhaps a "Consumer Reports" of forensics tools is in order 😉

On the topic of bashing any software, that's not me. When I see anyone bashing someone or someone's product while at the same time trying to sell something, I stop listening and make a mental note of staying away from that product. If any product is better than any other product, there is no need in trashing competitors or embellishing on claims of performance. I can say that I will never try iLook solely for the sake of the manner it has been marketed on the Internet through forums, and this has nothing to do with whether or not it is a good tool.

Hitting the advertising snippets that sneak in about software…for validation, I don't remember the last time I checked a "NIST" or "whatever-validation-organization-you-can-name" for a tool I use or may use. It's nice some organization does these tests I guess, but for what reason? By the time a test is made public, the software has gone through several iterations of changes, which completely invalidates the "newly" released test as that software version is old. Try using v10 of a program and basing the validation of NIST's test of that program when it was v8 (and you did not test it yourself!). Unless I am supervising or conducting a software validation personally, it's all snake-oil and fancy brochures to me. I need a test-ride before I trust a salesperson telling me their car is better than the one across the street.

And to repeat what has been repeated more than enough times, validation is the responsibility of the user of the program. Not NIST, not the software company, not the court. A court doesn't "qualify" a software as valid, the user does. A competent forensic analyst can use a mediocre tool and have the results admitted as evidence in a case. An incompetent analyst (loosely named "analyst") can take the best tool and have all evidence excluded in a pre-trial hearing because they didn't know what they were doing. It is the analyst that makes the tool, not the other way around. (I'm sure Picasso could paint a masterpiece with watercolors). My opinion in the best tool is the tool you like, that you tested, that works as you need, at a price you are willing to pay.


   
TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

A court doesn't "qualify" a software as valid, the user does. A competent forensic analyst can use a mediocre tool and have the results admitted as evidence in a case. An incompetent analyst (loosely named "analyst") can take the best tool and have all evidence excluded in a pre-trial hearing because they didn't know what they were doing. It is the analyst that makes the tool, not the other way around.

Brett, I just read this on the Perlustro website

It empowers any end user, from novice to expert, to conduct an investigation quickly, with a reliability scale unmatched in any other tool.

You may be a prominent forensic expert, but can you honestly say that your "reliability scale" is as unmatched as a novice user of Perlustro's ILooKIX?

Didn't think so.

lol


   
TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

Wow! Lots of vindictiveness when ILook is mentioned. When other tools are mentioned, people just ask questions.

Debbie, here are a couple of comments made when one of the "other tools" was mentioned in this thread.

EnCase 7 is apocalyptically bad.

Encase 7 is the worst version of Encase I have ever seen.

You call those questions? What you call "vindictiveness," I call observational humor, and it's directed at nonsensical claims made by Perlustro and its devotees.

As for whose words we're criticizing, I remind you that one of the lengthy posts was purportedly an email from Jim Baker himself, and I personally took issue with the tone and language of the Perlustro website. Neither of those can be considered written by users, can they?

For the curious, here's a textbook example of the overuse of glowing superlatives: http://www.perlustro.com/solutions/e-forensics/ilookix

If, in fact, the posts here were all made by legitimate users (and not paid shills), it would appear that Perlustro attracts users with a mindset similar to its own. To reiterate, this isn't so much about vindictiveness as it is about appreciating the humor in everyday life. I, for one, am grateful that Perlustro possesses a comicality scale unmatched in any other tool. Smiles make the world a better place.

[Eric, I appreciated your contribution as well. Count me as a fan of the "52 computers in 6 hours" anecdote.]


   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

A court doesn't "qualify" a software as valid, the user does. A competent forensic analyst can use a mediocre tool and have the results admitted as evidence in a case. An incompetent analyst (loosely named "analyst") can take the best tool and have all evidence excluded in a pre-trial hearing because they didn't know what they were doing. It is the analyst that makes the tool, not the other way around.

Brett, I just read this on the Perlustro website

It empowers any end user, from novice to expert, to conduct an investigation quickly, with a reliability scale unmatched in any other tool.

You may be a prominent forensic expert, but can you honestly say that your "reliability scale" is as unmatched as a novice user of Perlustro's ILooKIX?

Didn't think so.

lol

I stand corrected lol


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

i think a lot of the vitriol and vindictiveness related to Perlustro has to do with the complete lack of details provided every time they are asked for by people who do not use the software. This, combined with the muddy presentation of information on the website (the NIST page is a perfect example) amplifies this effect.

look at the many threads here and elsewhere that are barren of details beyond the script that was provided to the "users" of ilookx for them to dump on people. every time i read posts about perlustro, i feel like someone is trying to convert me to a new religion via a script than a deep understanding of the topic.

i also find the lack of updates and no community forum interesting.

in the end, everyone can choose their own tool, but it seems in most cases the ilook "users" interject in the middle of topics that have nothing to do with their interjections…


   
dacton
(@dacton)
Eminent Member
Joined: 16 years ago
Posts: 22
 

It is funny that ILook users are generally very quiet, other than a few who are writing and quoting from stuff taken from the website. I think someone already pointed out that most vendors have their own hyperbole and that users should check things out for themselves. I don't think it is limited to perlustro. There is astroturfing all over the forums - great term, btw - maybe I live under a rock but I had never heard it before. . . .

I think that there is so little penetration into the market for ILook, other than to previous users (people like TWhip and I, and other long time ILook users I have met over the years) that there is no need for forums on how to use it. Current users are very happy with it, as far as I know and most have either been using it for a decade or so, or work with people who have been using it for a long time and have shown them how to use it. If you have ever had training in forensics, then you should be able to understand ILook, it is laid out in the same manner as most other forensic suites, displaying files, hex views, logs, file systems, categories of files, etc., etc. It is very easy and intuitive to use, and very customizable and powerful. There has also been training available from different entities over the years but the developers do not feel that training in the use of software is a sustainable model for a forensic software development company and that forensic training is better left to forensic training companies.

Perlustro would benefit greatly from a professional web designer, a marketing team and a professional technical writer to update the help manual and the online help system. But all they have is a small core of developers who really care about a product that gets right to the root of the file system and displays everything available for the user to make use of as extensively as they are capable of. And they have a core of users that really like the software and know how to use it.

I have a very small business connection to Perlustro as I recognized how badly they needed their help manual updated and I offered to do that for them in return for assistance purchasing a Windows based system to run ILook, and the software needed to work with it (ILook, Windows 7 Ultimate, Word, Acrobat, a few small utilities). I have an Apple ecosystem at home :)

I think the investment in equipment and software is split about 50/50 between Perlustro and I and is about $5000. I'm making about 10 cents an hour. :roll: But the main benefit to me is that I get to learn how to use ILook really, really, well while I am putting it through its paces so I can include screen shots and verify information that is in the manual. But I am working full time and the process is going to take a very long time. If the developers hit the big time with ILook, or any of their other projects, then they can replace me with a real technical writer, but in the meantime, they are just a small American company and I am essentially, a volunteer.

Anyways, like I said, the developers are a bit eccentric, but they write great software and have great customer service.

If anyone has any questions about the software and would like an answer from me, an actual user of ILook in real cases, I'd be happy to take this offline or move it to a forum more suited to the topic.

Debbie


   
dacton
(@dacton)
Eminent Member
Joined: 16 years ago
Posts: 22
 

For the curious, here's a textbook example of the overuse of glowing superlatives: http://www.perlustro.com/solutions/e-forensics/ilookix

I went to the Perlustro website and read what was at this post and to me it was a dated introduction to the new commercial ILook once it was available. For old users, it told us what was new. ILook really does do what it says there (actually it does considerably more since that was written as it is always being improved, although the website is not anywhere near as up to date as the tool).

Sure there's a bunch of hyperbole about ILook being the greatest tool on earth, and to many, if not all, of the actual paying customers, it is the greatest tool on earth.

As I mentioned in another post, Perlustro could definitely use some professional public relations, website, marketing help, but instead choose to spend their resources on making ILook a fantastic tool.

Smiles make the world a better place.

I couldn't agree more. The developers at Perlustro often make me smile, especially when they come out with yet another new feature at no extra charge.

[Eric, I appreciated your contribution as well. Count me as a fan of the "52 computers in 6 hours" anecdote.]

I have taken part in operations like this, although not to this scale. The reason it is so simple to image so many computers at one time using IXImager is because it boots almost every computer that is currently in normal operation in a business, or used personally, and write protects the internal drive by default (assuming a good boot, not booting to the internal drive, but instead to the floppy, CD or USB). My licence allows me to make as many of these CDs or USBs as I need to get the job done. The only hardware I need is some sort of carrier to hold the drive where the image will be written, and a hard drive to hold the image. So, it includes a solution that costs me a couple of hundred bucks per PC/laptop that needs to be imaged and allows me to complete all these images at essentially the same time. It's pretty slick.


   