Encase FTK compared

 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

> One very powerful advantage of FTK is Full Text Indexing.
>
> Encase doesn't do that.
> 😉

Yes it does. FTK uses the dtSearch indexing engine while the newest Encase version (6) uses Stellent. Version 5 doesn't index but still has the ability to search using GREP.

From the Guidance Website. Google is your Friend!

> Case Indexer
> EnCase® V6 introduces our new patent-pending, powerful indexing engine which indexes text extracted from the Stellent™ Outside In Technology. You can now build a complete index of words from multiple languages based on your evidence file and then create fast and easy queries using EnCase® Conditions and Filters. These indices can be chained together to find possible keywords in common with other investigations. The Unicode-supported index is built from the contents of personal documents, deleted files, file system artifacts, file slack, swap files, unallocated space, emails and web pages.


   
ReplyQuote
(@jkozera)
Active Member
Joined: 18 years ago
Posts: 11
 

Well said. Have you actually tried to build an index using Encase 6?


   
ReplyQuote
(@todd24)
New Member
Joined: 18 years ago
Posts: 2
 

My $.02

FTK 2.0 includes a full version of Oracle to assist with indexing, as opposed to the flat file that EnCase uses. From what AccessData explained to me, due to the exponential growth of hard drive capacity a flat file isn't going to sustain the amount of indexing that is required or will be required in the future. The other nice thing about FTK 2.0 is that if FTK crashes during a search you haven't lost everything since your last save, because the results are stored in Oracle, unlike EnCase, where when it crashes you lose everything since your last save.

I have copies of both EnCase 6 and FTK 2.0 and am by no means an expert; however, from a CIS standpoint the Oracle integration seems logical. I'm waiting on AccessData's eDiscovery to compare against Guidance Software's; although it's a 1.0 product, I believe that there is a lot of potential.

BTW, I don't have an AccessData tattoo, and I agree that you should have more than one tool in your forensic tool bag. Both products have their +'s and -'s; I only posted because I think that the Oracle integration is something that is important, however it seemed as if it was overlooked. Then again, Oracle in itself is a beast.


   
ReplyQuote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

Whoever supports AFF first will win serious points with me, not that that'll convince anyone to do so more quickly.

-David


   
ReplyQuote
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

As far as LAN and Windows server analysis is concerned, I gather that EnCase does have an Active Directory module, while FTK does not have any capacity to perform Active Directory examination and analysis.

I haven't had a chance to try the EnCase module out however so I have no idea how good it is. (From the little documentation I was able to find it looks pretty basic.)

Another summer project…. D


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

The "if you could choose only one tool, what would it be" discussion has been around a long time, and I'm not sure that it is particularly relevant.

As noted, Encase (and ProDiscover) are scriptable, which can be really useful when you have a very large case. FTK builds an inverted index (using dtSearch), which makes ad hoc queries much faster, even when compared with Encase 6's indexing.

As for file carving, both tools are good, though each has its strengths and weaknesses. One of the most important things facing investigators in US courts is the ability to demonstrate that results are reproducible. Having two (or more) tools helps to address this, as well as giving the investigator more confidence in his/her conclusions.

AFAIK, neither tool makes particularly good use of multicore processors, something that I hope will be addressed in the future. Encase seems to be more dependent upon memory (especially versions prior to 6), which can be an issue if you are dealing with very large files (like Exchange databases > 100 GB).

Encase does not provide for detailed forensic auditing (except in the Enterprise edition), whereas FTK does. I am told that this was a conscious decision on the part of Guidance Software, and I have not found it to be an impediment (in fact, quite the contrary), but to X-Ways or FTK users this might seem strange. Instead, Encase provides for bookmarks, most of which are managed by the user. This helps with crafting reports, IMHO, though I tend to use the reporting capability of both products as the starting point rather than the finished product.

I would have to say that I use both (and X-Ways), in most cases because for specific tasks, one package is significantly better than the other. If you had the budget for only one tool, and there is any issue of what has the greatest volume of case law behind it, I would probably choose Encase to start. But I wouldn't stop there unless it was simply impossible to continue.

Finally, I might point out that Autopsy/The Sleuth Kit are freely available, as well as Scalpel and CarvFS. The use of these tools helps you to increase your understanding of the actual implementation of the file system, and I have found that for certain types of file carving, Scalpel is very efficient, reliable and easy to customize to specific carving tasks.


   
ReplyQuote
Page 2 / 2
Share:
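Two posts above contrast GREP-style keyword searching (EnCase 5 and earlier) with an inverted index built once over the evidence (dtSearch in FTK, the Case Indexer in EnCase 6). The following is an added example, not code from either product or from any poster, showing the difference on a constructed byte image: the indexer tokenizes raw bytes, so slack, unallocated space and deleted-file fragments are indexed exactly like live files, and it recognises both ASCII and UTF-16LE word runs (the "Unicode-supported index" of the Guidance text). A grep-style rescan is included for comparison; the sample image, the minimum token length of 3 and the token character class are all assumptions of the example.

```python
"""Toy full-text indexer over a raw evidence image (added example).

An inverted index is built in one pass; every later keyword query is a
dictionary lookup.  A GREP-style search must walk the whole image again
for every new keyword, which is the cost the thread is discussing.
"""
import re
from collections import defaultdict

# Constructed sample "image": an ASCII note, a UTF-16LE string of the kind
# found in NTFS and registry artefacts, filler bytes, and a fragment of a
# deleted file name.  Offsets below are byte offsets into this buffer.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"Meeting notes: transfer funds to account 4471 on Friday\n"
    + b"\x00" * 8
    + "Transfer approved by Alice".encode("utf-16-le")
    + b"\xff" * 8
    + b"deleted_report.doc funds\x00"
)

# Word runs of 3+ characters, in ASCII and as UTF-16LE (char, NUL) pairs.
# Assumption of the example: only [A-Za-z0-9_] counts as a word character.
TOKEN_ASCII = re.compile(rb"[A-Za-z0-9_]{3,}")
TOKEN_UTF16 = re.compile(rb"(?:[A-Za-z0-9_]\x00){3,}")


def tokenize(data: bytes):
    """Yield (lower-cased token, byte offset) for every word run in data."""
    for m in TOKEN_ASCII.finditer(data):
        yield m.group().decode("ascii").lower(), m.start()
    for m in TOKEN_UTF16.finditer(data):
        yield m.group().decode("utf-16-le").lower(), m.start()


def build_index(data: bytes) -> dict:
    """Single pass over the image: token -> sorted list of byte offsets."""
    postings = defaultdict(list)
    for token, offset in tokenize(data):
        postings[token].append(offset)
    return {t: sorted(o) for t, o in postings.items()}


def index_query(index: dict, *terms: str) -> dict:
    """Answer a multi-keyword query from the index alone, never touching
    the image.  Returns term -> offsets; an absent term maps to []."""
    return {t: index.get(t.lower(), []) for t in terms}


def grep_search(data: bytes, term: str) -> list:
    """GREP-style fallback: rescan the entire image for one keyword,
    matching the ASCII and UTF-16LE spellings case-insensitively."""
    ascii_pat = re.escape(term.encode("ascii"))
    utf16_pat = b"".join(re.escape(bytes([c])) + b"\x00" for c in term.encode("ascii"))
    pat = re.compile(b"(?:" + ascii_pat + b")|(?:" + utf16_pat + b")", re.IGNORECASE)
    return [m.start() for m in pat.finditer(data)]


if __name__ == "__main__":
    idx = build_index(SAMPLE_IMAGE)
    # "transfer" is found once as ASCII and once as UTF-16LE; "bob" is absent.
    print(index_query(idx, "transfer", "funds", "Alice", "bob"))
    # Same answer for one keyword, but this call reads every byte again.
    print(grep_search(SAMPLE_IMAGE, "transfer"))
```

The index answers the four-term query with no further I/O, while `grep_search` reads the image once per keyword; on a multi-terabyte image that per-keyword rescan is the whole argument for indexing. Note that the index only finds whole tokens, whereas the grep-style scan also hits substrings, which is why practitioners keep both approaches available.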