
encase 8 complete disappointment

16 Posts
11 Users
0 Likes
2,242 Views
(@yunus)
Posts: 178
Estimable Member
Topic starter
 

Hello,

Immediately tried - or tried to try Encase 8 - with the hope we will have a completely new easy-to-use forensic software. But it turns out to be a disappointment.

We looked forward to having - so called new version 8 - and we thought we will return to Encase and be able to use Encase again, but it seems we won't.

Here are our first impressions:
- same platform as 7, not a new product, seems just like a slight update in version 7,
- still confusing with a lot of unclear and unrelated menus, tabs, buttons, shapes, arrows randomly scattered everywhere,
- still not user friendly, it gives you no idea where to start and how to proceed, and you get lost amongst tabs, buttons, menus, and can't seem to go anywhere,
- you don't feel comfortable with it. There are no systematic step-by-step stages like IEF or FTK and you can't make sure you are not skipping or omitting anything. It is like a draft, not a complete full final product.
- still no "volume shadow" option to include into the case, so we still cannot include volume shadows, which almost all hard drives have today.

- the only good side probably is "the conditions in version 6" are back.

So, based on our experience with Encase 8 so far, we have not got good impressions at all and it seems we will not be able to use it until a good version comes out.

 
Posted : 31/07/2016 8:52 pm
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

EnCase is a very flexible program but they have to study about stabilisation

but we still need it for more technical cases, for example VirusTotal API integration

 
Posted : 01/08/2016 1:08 pm
zhaan
(@zhaan)
Posts: 50
Trusted Member
 

GSI did admit recently that v8 wasn't a new product but simply an update to v7.

It does incorporate Project Vic compatibility (which it needed some time ago to keep up with X-Ways) and the project team are vowing to listen to the users this time so they have obviously had their fingers burnt, unsurprisingly.

As for IEF, although the idea of Next->Next->Finish is great for new users I'm afraid it continues to struggle getting the job done right and its carver is more miss than hit. I know our office have submitted many many bug reports over the years (as we have with Encase) since Jad first took his tentative steps into the forensic world.

Also IEF tech support is lacking so don't expect them in the witness box anytime soon.

Like most products, there isn't one that does everything so we end up using several tools, they all have their strengths and most certainly their weaknesses.

 
Posted : 01/08/2016 2:02 pm
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

EnCase 8 has a new feature called Pathways that will contain walk-thru options for less advanced users, if that's what you're looking for to compare against FTK or IEF.

 
Posted : 01/08/2016 7:38 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

never a better time than now to switch to X-Ways and see what you have been missing.

do more with less and faster too!

new versions on average every 40 days, lightning-fast support, exceptional carving and searching, and more.

if you want to see what Encase and FTK MAY do in 2-3 years, look at X-Ways now.

 
Posted : 02/08/2016 5:51 pm
zhaan
(@zhaan)
Posts: 50
Trusted Member
 

I tried X-Ways but within the first 4 hours of use found it crashed far too often and that's from an Encase user.

At the end of the day, if the evidence is there then it's down to the examiner to find it and whatever tool they choose to use.

They all have their faults but there is no clear leader.

 
Posted : 02/08/2016 6:30 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

i would be interested to hear more about your crashes. x-ways is far more stable than the other 2 in general. when the 64 bit version was new it was less stable than 32 bit but it's just fine now.

if you have spent any amount of time using x-ways and seen what it does compared to at least the other 2, there is a very clear leader for the vast majority of core functionality found in a suite

 
Posted : 02/08/2016 6:35 pm
(@mrmoo28)
Posts: 16
Active Member
 

My thoughts on EnCase v8 were that it was just a whitewash skin applied to v7, but with a refresh button at the top.

Don't like the way they call the button with three horizontal bars the hamburger menu either, sounds rather unprofessional.

I'm actually an X-Ways convert now, although still trying to get my colleague to use it more. I still utilise both, as X-Ways can actually do things with EXT3/4 and EnCase doesn't seem to be able to do anything with them automatically, but EnCase seems to handle much larger keyword lists better. My keyword lists typically contain code (e.g. PHP) and with the full list of several hundred keywords that could sometimes be run, X-Ways has reported several thousand hours where EnCase has completed it overnight. X-Ways really doesn't like compressed files either, which when you're dealing with web servers you get quite a few of (e.g. .tar.gz backups and .sql.gz database dumps etc). Try and view a keyword hit list in X-Ways without filtering out compressed files first and you'll get a never-ending please wait loop! EnCase v6 did have this problem too though…

Anyway, I've gone off topic a bit here. In short… EnCase 8? Doesn't seem like a new product at all, they may as well have just called it EnCase v7.13 with compulsory whitewash skin and a free hamburger.

 
Posted : 02/08/2016 8:50 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

for x-ways and searching, did you do an RVS first? that will unpack all the archives so it shouldn't be as painful. indexing would of course help here too but that is generally not necessary

i have never had any issues with searching as you describe. how many search hits come back? could it be x-ways is just searching MORE than encase? have you compared the results once things finish?

hit me up in a PM to discuss it further but that sounds like an anomaly for some reason

 
Posted : 02/08/2016 9:02 pm
(@mrmoo28)
Posts: 16
Active Member
 

Cheers Eric,

I try and run some of my cases consecutively in EnCase and XWF for ease and case sharing with other colleagues but I've never actually measured the stats of precisely how long each has taken.

Always do RVS before doing any logical search, but quite regularly get a slowdown as soon as a compressed file (attr c) comes into view in the window when scrolling down. If I filter these files out the keyword hit lists work a treat.

The server running XWF has Intel Xeon X5650 @ 2.67GHz - 12 core, 24 logical processors, with 96GB RAM. Neither ever seem to be maxed out by XWF so I'm never entirely sure why the slowdown occurs…

 
Posted : 02/08/2016 9:14 pm
Page 1 / 2