Encase disadvantages

(@the_alan), topic starter

I am studying computer forensics at university (UK) and I am currently doing a research paper on different forensics software and comparisons between programs which carry out similar tasks such as hard drive imaging. I was wondering if anyone among the many professionals who use this forum could provide information about the disadvantages of EnCase (versions 4/5 or 6), also in comparison to FTK as well maybe, in general or when carrying out specific tasks.

Any help/information would be greatly appreciated.

Borninfire (@borninfire)

EnCase as a comparison to FTK,

Really, as you know, EnCase can generally do most everything FTK can do, and in some cases EnCase is a little bit more full-featured, but these features often carry a price of complexity, and in general the EnCase GUI isn't nearly as intuitive as FTK's.

I'm sure many will disagree with me on this, but I think the biggest reason that I'd use FTK vs. EnCase for analysis would be the searching ability.

FTK uses DTSearch to build full text indices for searching (an option) whereas EnCase performs a "Live Search" every time you want to change your keywords. To explain this, EnCase will search through every document in your selected location every time you execute a search. The Live Search can take hours, depending on the size of your image / drive, even on superior hardware.

DTSearch, if you don't have any experience with it, is the brains behind most high end search engines available commercially. They have a nice API that is very affordable, which makes it an easy choice for developers who need to parse tons of text in Windows.

I have heard that a 3rd party company has developed a product that can allow EnCase to communicate with an external database via a script, but I don't think it's free. FTK has the feature included.

Both EnCase and FTK have free imaging (acquisition) products, which is appreciated.

I rarely analyze anything without doing a keyword search here or there. . .

My experience is with EnCase Forensic 505c.

(@the_alan), topic starter

Thanks Borninfire, some very useful information.

keydet89 (@keydet89)

There isn't a great deal to imaging, really…FTK, EnCase, ProDiscover, even good ol' dd works just fine.

It's interesting that the question was originally about imaging, and then the first (only) response went right into analysis. Taking that line further, EnCase is very complex, non-intuitive, EnScripts from one version may or may not work on another version, and there seem to be some issues with version 6.x.

One of the problems with EnCase, and to some degree GUI analysis tools in general, is the abstraction layer they provide…some folks don't look beyond what the tools show you. Most EnCase users use the EnScripts that come with the product, but few know how to write their own, or even modify the ones that are there. It is therefore not all that difficult, really, to blow an examiner out of the water on the stand, depending upon the case, of course.

When it comes to analysis of Windows systems, I prefer ProDiscover, as the interface is more intuitive, and the scripting language is Perl.

If you're looking at analysis tools don't forget TSK and PyFlag, as well.

Harlan

balzanto (@balzanto)

A disadvantage to EnCase is that their acquisition file format is proprietary, although very widely accepted. The problem is that Guidance can make changes to the format and other 3rd party tools may not be compatible. This has come up with v6 images not being able to be loaded into FTK. EnCase does not easily support imaging to other formats.

An advantage to EnCase is their DOS and Linux based acquisition tools. These are very useful. Network cable acquisitions are also very simple using these applications. I've been using the Helix disc with LinEn for some acquisitions of laptops or when I have to acquire multiple computers. It's much quicker to get each computer going simultaneously rather than consecutively.

I haven't used FTK much - hardly at all and won't try to comment on it. I know other people that are much more experienced with that tool. EnCase's interface can be cumbersome and there is a significant learning curve to many of the features. They have tried to lessen that through EnScripts but as Harlan pointed out, if the examiner doesn't know how to verify the output of the script and can't read the EnScript code, how do you know you're getting the correct info? EnScript is a proprietary language and the only training I know of is from Guidance. Their training, as good as it is, can be cost prohibitive for some.

EnCase v6 has greatly improved their handling of email and advertises Indexing. However, to date, I don't know anyone who has successfully indexed an actual case. Guidance keeps saying they're working on it. Mercury is a 3rd party add-on for indexing a case. I have a demo but haven't had time to test it. Anyone who reads the EnCase boards knows that V6 is quite buggy. Although anyone who has been around EnCase for some time pretty much expects it will take 3-5 releases of a version before it stabilizes (remember the V4 release - that was a lot of hours of my life I'll never get back).

I guess the biggest drawback to EnCase is that it is proprietary in its image format and script language. And, it is expensive. The advantages are that it can do a lot. It handles many file systems, some RAIDs, most popular email, has add-ons for physical disk emulation, mounting as a network drive, and decryption, and others.

You can build a house with any brand of tools. It's not the tools, but the carpenter that builds the house.

(@clownboy)

We use a number of products to image and process data. The most important thing I have learned in working with forensics is that one tool will just not do the job every single time. Each has its strengths and weaknesses. One day, or on one drive, FTK will be best, on another day EnCase will be better. You will need to have all the tools available to you.

On an on-site acquisition I will generally bring FTK, FTK Imager, EnCase (5.05e), Helix 1.8, WinHex (Specialist with Replica) and the Logicube Talon plus some other tools.

In order of choice I would generally start using the Logicube running dd 650mb with MD5+D+V. I can get a 40mb drive (1.8") in about 32 minutes and a 160gb SATA drive in about 1 hr. 20 min (3.67gb per min.). The great thing about the Logicube is that you have dd, dd with MD5, dd with SHA, and native cloning. (The native clone often saves the day when no other tool will work.)

Then I will set up Helix with LinEn to have a computer copy itself to an external drive. The 40g, 1.8" drive noted above copies to FireWire in about 39 minutes. This particular job was done without the power supply for the laptop. LinEn will now write to NTFS but it may be a bit slower than to FAT32.

Then I would use either FTK, EnCase, or Replica with a write block.

My last choice in the field would be EnCase with cable acquisition.

In the lab we use whatever tool is available to do the job. If we have dd files we generally convert them to E01's with Imager. We will then import the files into EnCase and probably FTK. If I want to recover a single file I will use WinHex. Each situation is different.

Comments above

I agree with the comment above about EnCase 6 not being ready quite yet. We have it but do not use it except for testing.

On the comment about FTK and DTSearch, the indexer doesn't work as well as DTSearch standalone.

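The acquisition workflow described above (dd-style copy with MD5/SHA hashing and a verification pass, which Harlan also notes plain dd covers) as an added Python example; it is not code from the thread or from any of the products named, the block size and the constructed sample "drive" are assumptions, and the tamper step only shows what a failed verification looks like:

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # assumed block size; dd itself defaults to 512 bytes


def image_device(src_path, dst_path, block_size=BLOCK_SIZE):
    """Bit-for-bit copy of src into dst, hashing the bytes as they are read
    (the 'dd with MD5 / dd with SHA' mode described in the post above)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            for h in (md5, sha1):
                h.update(block)
            dst.write(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_file(path, block_size=BLOCK_SIZE):
    """Re-read a finished image and hash it independently of the acquisition pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            for h in (md5, sha1):
                h.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(dst_path, acquisition_record):
    """Verification pass: the image on disk must hash to what was recorded during acquisition."""
    actual = hash_file(dst_path)
    return all(actual[k] == acquisition_record[k] for k in ("md5", "sha1"))


def demo():
    """Image a constructed 3 MiB 'drive', verify it, then corrupt one byte and verify again.
    Returns (clean_ok, tampered_ok); expected (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "source.dd"), os.path.join(tmp, "image.dd")
        with open(src, "wb") as f:  # constructed sample: random data plus an odd-sized tail
            f.write(os.urandom(3 * 1024 * 1024) + b"CONSTRUCTED-SAMPLE-TAIL")
        record = image_device(src, dst)
        clean_ok = verify_image(dst, record) and hash_file(src) == record
        with open(dst, "r+b") as f:  # flip one bit at offset 1000 of the image
            f.seek(1000)
            original = f.read(1)[0]
            f.seek(1000)
            f.write(bytes([original ^ 0x01]))
        return clean_ok, verify_image(dst, record)


if __name__ == "__main__":
    print("clean / tampered verification:", demo())
```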
Borninfire (@borninfire)

I agree that the DTSearch is faster and more effective stand alone, (not in FTK), but when you find your hits with DTSearch, then what?

There is unfortunately no way to move to the next step in analysis or collection in stand alone, once the keywords are found in the application that I know of. . ?

If you happen to find 1500 responsive documents in different directories around the filesystem, you'll have some labor to do, with a high chance of error.

Additionally, the DTIndexer doesn't index slack space and unallocated, right?

But then again, I'm a total amateur. Maybe enlighten me if there's more to know?

Thanks!

(@clownboy)

That is what I meant about no tool being right for every situation.

DTSearch does not search slack or unallocated but then not every job calls for that type of search to be made, at least not at first. Many times the request is just "search for all office docs" or "search for all pdf, xls, and msgs" and then export those. DTSearch can search through tons of data and export the results in a few minutes.

If I want to search unallocated space on the fly I might use FTK or EnCase but I would probably use WinHex as I feel it is faster.

FTK does search slack and unallocated space and many times it does quite well. I have also seen FTK, and EnCase, hang on a number of searches and never complete the process. The thing I do like about FTK vs EnCase is that once you run the index all you need to do is import new search terms and you get the results without running the searches again.

As for carving which is often the next step, the same generalization applies. Not one application is the best in every situation. In my opinion EnCase, off the shelf, sucks at carving, FTK is better but has its drawbacks. WinHex is good and I have heard scalpel and foremost are too.

Whatever it takes to get the job done, well, and in a reasonable amount of time is good with me.

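Borninfire's question about the indexer skipping slack and unallocated space, and the answer above on raw searching and header/footer carving, as one added Python example (not code from the thread, from dtSearch, FTK, EnCase, WinHex, foremost or scalpel): the toy image, its file names and the JPEG-like blob are all constructed, and the example shows why a file-level index misses a deleted fragment that a byte-level search and a signature carve still recover.

```python
import re

# Constructed toy image: two live files, a deleted memo surviving only in unallocated
# space, and a small JPEG-like blob (SOI ... EOI markers) also sitting in unallocated space.
ALLOCATED_FILES = {
    "report.txt": b"Quarterly report: revenue figures attached. Contact alice@example.com",
    "notes.txt": b"Meeting notes. Nothing of interest here.",
}
DELETED_FRAGMENT = b"Deleted memo: transfer the funds to account 4711 before the audit"
JPEG_BLOB = b"\xff\xd8\xff\xe0" + b"\x00JFIF-payload-constructed" * 3 + b"\xff\xd9"
BLOCK = 128  # assumed: each allocated file is padded to one 128-byte block


def build_image():
    """Lay the pieces out like a tiny filesystem: allocated blocks first, unallocated after."""
    allocated = b"".join(data.ljust(BLOCK, b"\x00") for data in ALLOCATED_FILES.values())
    unallocated = b"\x00" * 64 + DELETED_FRAGMENT + b"\x00" * 32 + JPEG_BLOB + b"\x00" * 64
    return ALLOCATED_FILES, allocated + unallocated


def index_search(files, keyword):
    """File-level (indexed) search: sees only content the filesystem still points at.
    Returns the names of matching files."""
    return sorted(name for name, data in files.items() if keyword.lower() in data.lower())


def raw_search(image, keyword):
    """Byte-level 'live' search over the whole image, slack and unallocated included.
    Returns every offset at which the keyword occurs."""
    return [m.start() for m in re.finditer(re.escape(keyword), image, flags=re.IGNORECASE)]


def carve_jpegs(image):
    """Header/footer carving in the style of foremost/scalpel: each JPEG SOI marker up to
    the next EOI marker. Returns (offset, bytes) pairs; real carvers also cap the size."""
    carved = []
    for m in re.finditer(rb"\xff\xd8\xff", image):
        end = image.find(b"\xff\xd9", m.end())
        if end != -1:
            carved.append((m.start(), image[m.start():end + 2]))
    return carved


if __name__ == "__main__":
    files, image = build_image()
    print("indexed search for 'audit':", index_search(files, b"audit"))  # nothing: file is deleted
    print("raw search for 'audit':", raw_search(image, b"audit"))        # hit in unallocated space
    print("carved JPEG-like objects at:", [off for off, _ in carve_jpegs(image)])
```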
Borninfire (@borninfire)

Thanks for your clarification, I'm not trying to discredit your opinion, you're obviously more experienced than me, and I'm genuinely trying to milk you for your knowledge =)

Thanks man!

(@jonathan)

My experience is mainly confined to EnCase, FTK and a little bit of WinHex.

As has been pointed out no tool is complete so you need to use the combination of tools that is right for each job.

EnCase is generally poor at carving files out from unallocated, but is very good at carving out picture files and providing their full provenance, so if your case involves CP for example then EnCase is good. WinHex is good at carving a wider variety of files out of unallocated. A more consumer orientated product such as Recover My Files is also great at carving out all sorts from unallocated space, but does not give you the provenance.

EnCase 6.x now has a native file viewer, meaning that fewer files need to be exported out into apps such as Quick View Plus, but then again FTK has had this ability for years.

For cases with an emphasis on emails, documents and spreadsheets FTK is invaluable due to its indexing ability. I think EnCase 6 came out in December but is already up to version 6.4 and its much-touted new indexing feature still doesn't work. Pretty poor for such an expensive product in my view!

For a detailed analysis of internet history from both allocated and unallocated space then NetAnalysis is the tool to be used, although I believe it is due for a new release soon.
