Has anyone used this software, or does anyone know anything about it? Being an FTK user, FBI looks to have additional functions that may be useful. How does it compare to EnCase?
Any thoughts would be appreciated. TIA.
Hi DCSO
FBI is a fantastic piece of software; our firm has been involved in the testing of this software and currently owns a few copies. NUIX is really responsive to feedback and will implement your suggestions (if it’s a reasonable one) usually by the next release.
FBI's niche is email, although it can be used like ISYS, dtSearch or FTK. It can index directly from an EDB, NSF or GroupWise, and has a unique feature which allows you to tag, say, an image and then backtrack to the original email, something no current forensic program can do on a large scale.
FBI indexes at roughly 1-3 GB an hour with full text indexing, but it depends on the features you select, e.g. de-duplication, skin tone detection, images only etc. The speed of the indexing will greatly increase if technologies such as striped RAID are used. The index can also be resumed if the computer crashes halfway through or you decide to kill the program to do something else. FBI is not overly resource hungry with RAM or CPU while indexing, but does give your hard drive(s) an absolute hammering.
FBI does have some weaknesses; they revolve around the viewing of video and audio formats. FBI takes forever to open these formats when dealing with EDB files. Another weakness is that the program crashes when trying to export a node map larger than around 100 nodes to PNG.
When comparing FBI to EnCase, most things you can do in EnCase you can do in FBI.
Similarities
• FBI can import hashes such as NIST, Hashkeeper and plain MD5s in a text file.
• It can quickly sort file types and formats like Encase.
• Has regular updates and feature releases like Encase.
• Similar price to Encase.
Encase Advantages (Things FBI can’t do as yet)
• Define your own file headers.
• Data carve.
• Scripting, like EnScripts.
• Acquire a Forensic image (Although not really needed).
FBI Advantages
• Skin tone detection (X-Ways is, from memory, one of the only other programs that does this, besides EnScripting something up).
• Email backtracking.
• Graphical node mapping of emails and files.
• Direct EDB indexing - this is great when dealing with large-scale backup tape restores. You can dump the entire contents of tape to a server including the EDB file and FBI will index the lot. No EDB extractions or conversions.
• Highly customizable column headings.
• Ringtail export – Great when dealing with law firms.
• Developed in Java
Features FBI should implement
• Distributed Indexing – Currently can only index one lot of data from one computer with one dongle.
• Better video and audio support – At least speed up the opening of these files
• Better support for viewing of files eg PPT and PPS files.
• Better file support for more file types
At the end of the day FBI is a must have if dealing with emails. It cuts out many conversion steps and allows backtracking to original emails. The team at NUIX know what they are doing and have implemented many features (in a few months) that we have asked other providers such as EnCase, FTK and Paraben to implement for years. Personally I think NUIX is doing a fantastic job and I look forward to what they have in the future.
Detecting new file formats probably isn't hard as long as there is some pattern to match in the file header, so perhaps if you throw an email at Nuix they can add some new patterns. If the format is common enough then it may benefit other users.
As for video and audio files, those are a problem for many apps (including my mail client…)
Flexible operating systems such as Linux+KDE allow for custom URL handlers, which would offer an elegant solution to the problem: defining a custom URL scheme so the application can stream the file directly to the player.
URL schemes under Windows, however, can only perform actions such as launching applications, which is fairly limiting. So unless the file is on disk already (which it is not in the above example) there are only two options for opening one of these files under Windows:
1. copy the file to disk – easy, but slow, especially if the file is large, which media files tend to be;
2. embed a media player into the application – more elegant, but difficult, and not particularly comprehensive in terms of codec support unless the application has access to DirectShow codecs.
Stuck between a rock and a hard place, pretty much, unless your application is blessed (cursed?) with being written in (or at least linking with a great deal of) native code. ;-)
I realize I'm late in responding, but….
Cost. Not even close to EnCase by my most recent quote. It is 4 times more expensive than EnCase!
Unless I'm misunderstanding my eval version, it also doesn't really handle "traditional forensics" functions like viewing the registry, viewing files in hex, analyzing web browsing behavior, data carving, etc.
It seems entirely focused on e-mail analysis. And that it does very well and with a few really novel features.
Feel free to correct me if I have mis-characterized FBI in any way. I like the product, but feel that the previous descriptions make it look like a direct competitor to FTK and EnCase.
Update as inspired by cfprof
cfprof - PM me if you would like to know anything extra about FBI.
Cost At the moment FBI Desktop is around AUD 10,000 to AUD 13,000+, depending on extra features, maintenance contract/fees, number of copies purchased, bargaining power, etc., but mostly on how much you can negotiate with the CEO of the company. Yes, it is four times the cost of EnCase, but it can handle email analysis like no other program I have currently come across.
Misrepresentation I apologise for the comment "When comparing FBI to EnCase most things you can do in EnCase you can do in FBI". I may have slightly misrepresented/oversold FBI's capabilities; my thoughts were more along the lines of FBI being able to view, filter and browse data similarly to EnCase. Cfprof is right: FBI cannot data carve, view files in hex, analyse web browser history (FBI can index and read browser history, but EnCase's interpretation of browser history is sketchy at the best of times) or view the registry, but remember FBI is only on version 2 of 10 versions in its current software development life cycle (remember what EnCase v2 and 3 were like); there is still room to add those capabilities. FBI's niche is email and indexing, something FTK has always done, kind of, and EnCase has just implemented in EnCase V6.
Current Gripe (Yes, this is a dig at NUIX, so feel free to skip ahead) FBI Desktop was originally sold to its customers with Ringtail support included; under their "new" scheme (read: grab for more money) NUIX have decided it is in their customers' "best interests" to withdraw this support and include it as an extra module you need to purchase, above the normal expensive price. On the flip side, if you purchase the law export module you can now export in Ringtail, Concordance and Summation DII.
Direct Competition Personally I would say FBI is a competitor with FTK and EnCase, although maybe more in the field of email, indexing and e-discovery, which is the way FTK and EnCase are heading in some regards, with FTK's implementation of distributed indexing with Oracle and EnCase's "implementation" of indexing. Although it does not have some of the traditional forensic functions like EnCase or FTK, have you tried doing one of the following with FTK or EnCase and not had the program crash or consume countless hours…
• Index and text search upwards of 3-4TB of miscellaneous files with a directory structure longer than 255 characters deep, followed by between 10-50 people conducting search and review simultaneously on the same case data in multiple states. Yes, there are programs out there which can do this besides FBI [gasp, horror].
• Index 4-5TB of EDB files producing 5 Million+ images for review and categorization, able to review those files and produce a report within 1 hour of finishing the review detailing who sent and received those images.
Yes, the above two examples are geared more toward larger jobs, but take one of the smaller jobs I conducted a few days ago. Testing was conducted only on the indexing phase of a job. The testing was only meant to be one of those quick "what the hell is going on" tests. The data used was the same case data for all programs and consisted of 3x60GB EnCase images consisting of normal office data. The reason for testing was that FTK v1.6 originally indexed the entire case with no errors for the investigation phase of the job. During the investigation phase the investigators could no longer view emails: they would get search hits in the file but could not view the contents of the file as they could 1 day earlier. The case was reindexed on the same machine using the same version of FTK. It failed; it was also tried with a fresh forensic lab ghost image, but failed, so began our "what the hell" testing…
• FTK v1.5, v1.6, v1.70, v1.70.1 (approx. 12 hours for each, all running simultaneously on fresh ghost images) - All versions kept falling over on two OST files and two Index.dat files, which had to be removed before FTK would index correctly and the case could index. The EnCase files still had the correct hashes as noted during the forensic imaging phase.
• FBI v2.9.3 (approx. 15 hours) - No problems encountered, but had to upgrade to Microsoft Office 2007 and Java 6.
• EnCase v6.3 (Left running for 2 days and was still quoting 6 days when it had to be stopped due to time constraints) – Need I say more.
Conclusion I do not work for NUIX, never have, never will; I am only trying to convey what I have learnt/picked up while working with FBI Desktop on cases and add some information on a product that is not widely known about at present. I regularly use FBI, FTK, EnCase and countless open source tools to complete my cases, and there is no one tool that is the smoking gun. I do not hate or like one tool over another; they are all hated or liked equally for their own quirks. My policy is to always recheck work with another program, and on more than one occasion FBI has screwed up, but on the other hand it has saved the day countless times and clients love the reports produced. The tests conducted were not meant to be biased towards FBI; they just happened to come to mind while writing this note (some would say very long essay). In conclusion, and in keeping with my conclusion theme: <insert very large incomprehensible legally worded disclaimer keeping me protected from all legal, demonic, future, historic, copyright, social and flaming implications brought about by this post, which by reading you have agreed to waive all rights surrounding implications brought about by this post…Man, I have got to get out more…>
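The post above notes that the EnCase image files "still had the correct hashes as noted during the forensic imaging phase", i.e. the indexing failures were not caused by a changed input. Re-checking acquired segments against the hashes recorded at imaging time is worth scripting rather than eyeballing, so here is an added example (not code from the thread, Nuix, FTK or EnCase) that verifies a directory of image segments against an md5sum-style manifest. The manifest format, the segment names and the sample data in `demo()` are constructed for illustration.

```python
"""Verify acquired image segments against the hashes recorded at imaging time.

Added example; the manifest layout assumed here is the md5sum/sha256sum style
'<hexdigest>  <filename>', one segment per line. Comments and blank lines are skipped.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB segments never have to fit in RAM


def hash_file(path, algo="md5"):
    """Return the hex digest of a file, streaming it in CHUNK-sized reads."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<hex>  <name>' lines into {name: hex}. Tolerates md5sum's ' *' binary marker."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.lstrip(" *")] = digest.lower()
    return expected


def verify(manifest_text, base_dir, algo="md5"):
    """Return {segment: 'ok' | 'mismatch' | 'missing'} for every entry in the manifest."""
    base = Path(base_dir)
    result = {}
    for name, want in parse_manifest(manifest_text).items():
        p = base / name
        if not p.is_file():
            result[name] = "missing"
            continue
        result[name] = "ok" if hash_file(p, algo) == want else "mismatch"
    return result


def demo():
    """Constructed scenario: one intact segment, one altered after hashing, one lost."""
    d = Path(tempfile.mkdtemp())
    (d / "case.E01").write_bytes(b"A" * 3000)
    (d / "case.E02").write_bytes(b"B" * 3000)
    manifest = "\n".join([
        "# recorded at acquisition (constructed sample)",
        f"{hash_file(d / 'case.E01')}  case.E01",
        f"{hash_file(d / 'case.E02')}  case.E02",
        "d41d8cd98f00b204e9800998ecf8427e  case.E03",  # listed, but the file is gone
    ])
    (d / "case.E02").write_bytes(b"B" * 2999 + b"C")  # simulate a post-acquisition change
    return verify(manifest, d)


if __name__ == "__main__":
    for segment, status in demo().items():
        print(f"{segment}: {status}")
```

Two caveats a practitioner would add: MD5 is fine for catching accidental corruption, which is what the poster was ruling out, but it should not be the only hash you rely on against a party who might want to substitute a segment, so record SHA-256 alongside it at acquisition; and the manifest itself needs to live somewhere the imaging workstation cannot silently rewrite, or the check proves nothing.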
Seelogic,
Thank you for your clarification.
You obviously have a great deal of experience with the software and I appreciate your observations and candid thoughts. I think you have made clear the similarities and differences between FBI and the usual products.
Again, I really like what I've seen of the software. The visual representation of e-mail communications is nothing short of spectacular for those of us who have never seen anything like it before.
I met the CEO, Eddie, at a conference and he was incredibly nice/helpful/generous. He is aggressively marketing in the States and seems willing to make deals with early users. He also seemed very attentive to user concerns/suggestions.
I think it could be a real contender in coming years (and is likely a true contender now for e-mail/e-discovery types of cases).
Does anyone know how to obtain a demo copy of FBI Desktop?
For demo copies of FBI Desktop you will need to talk to Eddie or one of the sales representatives at NUIX. Details below:
Nuix Pty. Ltd.
Suite 79
89 Jones St
Ultimo NSW 2007
Australia
Phone +61 2 9280 0699
Mobile +61 4 1890 0978
Fax +61 2 9212 6902
Or Email Via
They will usually send you out a time/feature limited trial dongle/USB key with a PBEwithMD5andDes encrypted license.dat file on it and a link to or copy of their latest version of FBI…
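The post above mentions that the trial dongle carries a license.dat protected with "PBEwithMD5andDes". That is the Java JCE name for PKCS #5 v1.5 PBES1: the key is derived with PBKDF1 using MD5, and the first 8 bytes of the derived block become the DES key while the next 8 become the CBC IV. The added example below (not code from the thread or from Nuix) reproduces that key schedule so a reader can see what such protection amounts to: a 56-bit DES key derived from whatever password the application holds. Nothing in the thread reveals Nuix's password, salt or iteration count; the values in `demo()` are constructed placeholders, and the DES decryption step itself is left out because the standard library has no DES.

```python
"""PKCS #5 v1.5 PBES1 key schedule, which Java's JCE exposes as PBEWithMD5AndDES.

Added example. Password, salt and iteration count used in demo() are constructed
placeholders; they are not values taken from any real license file.
"""
import hashlib


def pbkdf1_md5(password: bytes, salt: bytes, iterations: int, dk_len: int = 16) -> bytes:
    """PBKDF1 (RFC 8018 section 5.1) with MD5.

    T1 = MD5(P || S), Ti = MD5(T(i-1)), DK = first dk_len bytes of Tc.
    PBES1 fixes the salt at 8 bytes and never needs more than one digest of output.
    """
    if len(salt) != 8:
        raise ValueError("PBES1 salt must be exactly 8 bytes")
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    if dk_len > hashlib.md5().digest_size:
        raise ValueError("PBKDF1 cannot derive more than one digest (16 bytes for MD5)")
    t = hashlib.md5(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.md5(t).digest()
    return t[:dk_len]


def pbes1_key_iv(password: bytes, salt: bytes, iterations: int):
    """Split the 16-byte DK exactly as PBES1 does: DES key = DK[0:8], CBC IV = DK[8:16]."""
    dk = pbkdf1_md5(password, salt, iterations, 16)
    return dk[:8], dk[8:]


def same_des_key(a: bytes, b: bytes) -> bool:
    """DES ignores the low (parity) bit of every key byte, so only 56 of the 64 bits matter.

    Two derived keys that differ only in those bits select the same DES key.
    """
    return len(a) == len(b) == 8 and all((x & 0xFE) == (y & 0xFE) for x, y in zip(a, b))


def demo():
    """Constructed inputs only; returns (key, iv) for a placeholder password and salt."""
    password = b"example-password"          # placeholder, not a real application secret
    salt = bytes.fromhex("0102030405060708")  # placeholder 8-byte salt
    return pbes1_key_iv(password, salt, 1000)


if __name__ == "__main__":
    key, iv = demo()
    print("DES key:", key.hex())
    print("CBC IV :", iv.hex())
```

The design point for a security engineer is that PBES1's strength is capped by DES regardless of how good the password is: the derived key space is 2^56, and in a shipped application the password is usually a constant inside the program, so the license format should be treated as a tamper deterrent rather than as cryptographic protection. RFC 8018 itself recommends PBES2 (PBKDF2 with a modern cipher) for new designs.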
I have just received a dongle and now have FBI Desktop. Looks good, and I am now looking for a hefty .pst file to have a look at.
1. Can anyone send me one ?
2. Confidential Agreement / Disclosure will be signed
3. Expert Witness Statement will be produced F.O.C.
I am quite happy to submit feedback regarding this application. I'm in the U.K., so any U.K. company that would like an overview of this application, please contact me.
BTW I have no connections to NUIX or FBI in any way.
Regards
Simon
Here is what we found.
What we liked.
Nice tool for metadata
The graphic view of the mail
What we did not like
It took 40 mins to an hour per gig to index email (dual core, 2 gig RAM). When indexing a 30 gig EDB it took 114 hours and crashed twice - to be fair, it did restart.
We indexed the same file on 2 different computers and it reported two different index totals. So we were never sure what it missed, only that it did.
It did not recover lost or deleted data from an EnCase image.
The price
We looked at a few other software packages as part of our business plan.
Google Desktop – did 80% of what Nuix did, no nice pictures though.