From reading the previous posts FTK and EnCase seem to be the most prevalent software packages in the computer forensics community. I realize that these products generally aren't used in complete isolation, but they will probably represent the biggest tool in one's tool box.
My questions are
1.) What are the main distinguishing points that separate FTK and EnCase?
They both seem to provide a lot of the same functionality, which makes it hard to choose.
2.) Whose training is better?
Better meaning comprehensive, technical and complete along with documentation.
Thanks in advance.
Don
What's that saying about 'one man's meat is another man's poison'!!
The main point between FTK and EnCase from an initial point of view is where you want to spend your time processing.
In FTK all your time is up front, indexing, data carving, so building your case takes a while initially, but then it's all there for you when you come to examination. In EnCase you do everything as you want it, and all keyword searches are live so will take time to complete.
Choosing between the two, hmmm, I'm in LE so I've got both anyway, but if budget is an issue then you've got some deciding to do.
As to which one I use when, if I've got a job involving images then I will probably use EnCase, because I feel it's easier for images, or maybe I'm just more used to it because I've been using it longer, someone who's been an FTK user for a while and only recently come to EnCase may well feel differently.
Anything involving emails, or something that's likely to involve word searching goes straight into FTK, and I've been known to copy out PST and DBX files from EnCase and put those into FTK too.
Actually, sitting at my desk now with a job in progress, I find that it's in both FTK and EnCase so I can look at what I want, when I want.
At the end of the day, yes, they do offer the same functionality, but in slightly different ways. Some stuff in FTK is just done for you, whereas in EnCase you have to decide to do it.
Training - sorry to be vague, but we've all been on courses we thought were poor, only to speak to someone who thought it was great. It's that 'one man's meat' thing again.
I've done EnCase Basic and Intermediate in the UK, and FTK Bootcamp and I've spoken to numerous other people who've done the same with different instructors and have differing opinions to me. The trainer on the FTK Bootcamp was Keith Lockhart, and if you get the opportunity to take one of his classes I'd highly recommend him. Any training you take in a product you use is going to be valuable.
Hope this helps
Jon
1) Distinguishing points - different look and feel between the two programs. Additionally, FTK can integrate very nicely with AD's other tools, the Ultimate Toolkit I think they call it. NOTHING in my opinion beats their Password Recovery Toolkit and DNA. So if you invest, invest in The Ultimate Toolkit as you'll have the capability to do your analysis and reporting as well as work on encrypted documents and containers using PRTK and DNA.
Also, price point. A price difference between both forensic programs.
I prefer FTK due to reporting feature, indexing, and PRTK/DNA as already mentioned if I played in a Win32 world and my only options were EnCase or FTK.
Also, FTK can interpret and write more image file formats than EnCase can.
AD's Registry Viewer integrates very nicely into FTK as well, and is useful in analysis.
2) There is no definite answer to this question. Training is training. The content is equally as important as the instructor. Bad content but a good instructor equals a good overall experience. Bad content and lame instructor equals bad overall. Good content but bad instructor equals a bad overall. Good content and good instructor is the best - what you hope to find in any training you take. Someone will love Class X while another student hated it. It's very personal and subjective. You can take a large selection group and go with the overall consensus. But for me, the deciding factor would be the instructor. Who's teaching this course on this date and location? Because there are a few folks who have good reviews as instructors.
regards,
farmerdude
I'll weigh in on this topic. I have attended every class AD offers and found all of the classes to be good except the boot camp. It is advertised as an intermediate and it was so basic it was sickening.
Here in Indiana we were the guinea pigs for their Internet Forensics class (we were the first class). Keith and Ken and one other gentleman did a great job and they said they only made it better since then.
I think you can resit any AD class for a year for free and after that for a small fee. With the ACE from AD now coming to light a lot of people have to go back and retake the boot camp class because they revised the syllabus since most of us took it.
FTK works very well with MOST things. If you have RAID, a MAC, or a case with over 2 million items, you will be sad.
Farmerdude was correct saying their DNA and PRTK are the best. If you use the suspect's computer against them by exporting the word list into the case you can make it even better on hard to crack cases. The engineers that they have working on their upgrades work really hard when new things come out i.e. AOL 9.0 and up.
On the subject of training…
I will revisit this post in a couple of weeks as I'm currently scheduled for my first training with Access Data. I will say now that I have been very impressed with training provided by Guidance Software. I've been to the Sterling facility 4 times now. I would also recommend it to those looking for non-vendor specific advanced training. Once you get past the intermediate level you are beyond the "how to use Encase" portion of it. You will use it for sure, but the majority of your time will be spent in the hex view learning how to find the data manually. I can say that this would be beneficial to anyone no matter what software they used.
Thanks a lot for all of the insight gentlemen. Your feedback helps a lot.
In terms of pricing, AD offers a 'one week bootcamp' plus the UTK for $2,595. Whereas one week of training only at EnCase is $2,750. I imagine the software is probably another $2,000 or so. I didn't feel like sending away for a quote, so I'm just guessing. I can't help but ask why there is such a disparity in pricing. Psychologically speaking it makes me think that there should be a huge difference in functionality, but according to the members there isn't.
On a technical note, do EnCase and AD check file signatures? (For example, a jpeg is renamed with a dll extension.) I know WinHex Foren. does.
Thanks again.
Encase is about $3700 now. From what I know, as an experienced Encase user, and as one having reviewed FTK's capabilities, is that Encase far exceeds FTK. FTK does excel in certain areas.
Encase does check file signatures. Encase allows third party scripts, so that you could write your own complex search strings, or perhaps download someone else's. The script functions are really quite good, and this feature allows for limitless functionality.
FTK currently cannot reconcile the Macintosh file system. Encase can interpret that plus some Unix file systems. FTK cannot acquire RAIDs. Encase provides multiple options for dealing with RAIDs. They are reporting that FTK version 2.0 will address these deficiencies, but expect the price to change.
Encase can be rather slow to work with, and there are occasionally annoying bugs. I don't know how FTK compares in that category. That said, if I could only have one, Encase wins hands down. I think it's worth the difference in price. Also consider that the one week boot camp isn't one week at all, but 3 days. The Encase training is generally 4 days.
Hi don_t
Some of your queries (like file name/signature mismatch) suggest that your checklist/standard for the product to buy is not set to the desired level.
I would suggest that you play with some open source forensic tools (like TSK and Autopsy) to have a fair idea of what capabilities or minimum requirements a tool should have. Then your checklist level will rise up to the required level where you will be touching on the buying factor rather than the obvious artifacts.
regards
youcef
Thanks again for the insight Greg.
Youcef, sorry, but I have no idea what idea you were trying to convey. "Required Level", "Obvious Artifacts"?
-don
What I meant by obvious artifacts is that the comparison between FTK and EnCase should not be based on something that every forensic tool (whether open source or commercial) should deliver, like:
- recovering deleted files
- detecting extension/signature mismatch
- recovering orphaned files and directories
- building file and directory listings
- generating md5 or sha1 hashes for every file
- supporting physical searches (sector based) or logical searches (file based)
- supporting ASCII and Unicode searches, regular expression searches, …etc.
and the list could go on.
What I meant by the required level is what some of the responders have touched upon like support for RAID, encrypted media, application level analysis (like Outlook and Outlook Express file analysis, Internet Explorer index file analysis, registry analysis, …etc). This list should allow you to decide what the real benefit of the product is.
hope this made it clear
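Two of the "obvious artifact" checks above (extension/signature mismatch, which is also Don's earlier "jpeg renamed with a dll extension" question, and per-file MD5/SHA1 hashing), shown as an added example that is not from any poster here nor from FTK, EnCase or TSK. The signature table and sample files are constructed for illustration; a real tool ships a far larger signature database.

```python
import hashlib
import os

# Constructed mini signature table: extension -> (offset, magic bytes).
SIGNATURES = {
    "jpg":  (0, b"\xff\xd8\xff"),
    "jpeg": (0, b"\xff\xd8\xff"),
    "png":  (0, b"\x89PNG\r\n\x1a\n"),
    "gif":  (0, b"GIF8"),
    "pdf":  (0, b"%PDF-"),
    "zip":  (0, b"PK\x03\x04"),
    "exe":  (0, b"MZ"),
    "dll":  (0, b"MZ"),
}

def identify(data):
    """Return the set of extensions whose magic bytes appear in the data."""
    return {ext for ext, (off, magic) in SIGNATURES.items()
            if data[off:off + len(magic)] == magic}

def check_mismatch(filename, data):
    """'match', 'mismatch', or 'unknown' when the extension is not in our table."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in SIGNATURES:
        return "unknown"          # cannot judge an extension we have no signature for
    hits = identify(data)
    if not hits:
        return "mismatch"         # the name claims a type the header does not show
    return "match" if ext in hits else "mismatch"

def hash_file(data):
    """MD5 and SHA1 of the file content, as most tools produce for every item."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

# Constructed sample files: the second one is a JPEG header renamed to .dll.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "photo.dll": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "tool.dll":  b"MZ\x90\x00" + b"\x00" * 8,
    "notes.txt": b"plain text",
}

def scan(files):
    """Map each file name to (mismatch status, md5) like a tool's file listing."""
    return {n: (check_mismatch(n, d), hash_file(d)["md5"]) for n, d in files.items()}

if __name__ == "__main__":
    for name, (status, md5) in scan(SAMPLE_FILES).items():
        print(f"{name:12s} {status:9s} {md5}")
```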