I am a forensic student in NC and am learning the use of FTK 1.8 and FTK imager. I was wondering if there were any recommended alternates to this software and where I could download demo or full versions for testing.
Any suggestions are appreciated!
PatrickC
You can find a big list of tools (including our own) here,
http//
There are a number of alternative tools available, some depending upon the specific capabilities you're interested in replicating.
To help you pick out a few, rather than being overwhelmed with a list with everything, I would like to recommend a few
There's also a Linux distro called
Open source tools are your friend at this point because you can get the full version for free! I'd recommend you start with Winhex though, you really can learn a lot from using that program. EnCase is an industry standard so you should get a demo of that I suppose. Not sure if they offer it on their website, but if you buy the study guide there is a demo version in there.
You get that 1.8 is nowhere near the latest version of FTK, right?
You get that 1.8 is nowhere near the latest version of FTK, right?
The SANS408 course I was on last year used 1.8. I assumed because it was so old that it must be free or cheap. Not so, is same licence price as latest versions.
I can only assume that it's used for teaching purposes because it's pretty stable, doesn't need the same kind of hardware as you need nowadays, and is pretty quick compared to latest versions.
Or mebbe there's an el-cheapo version for educational purposes?
At to add to your point, are you going to use version 3 in the field on location? Most everyone I know uses 1.8 in the field and 3 at the office.
You get that 1.8 is nowhere near the latest version of FTK, right?
The SANS408 course I was on last year used 1.8. I assumed because it was so old that it must be free or cheap. Not so, is same licence price as latest versions.
I can only assume that it's used for teaching purposes because it's pretty stable, doesn't need the same kind of hardware as you need nowadays, and is pretty quick compared to latest versions.
Or mebbe there's an el-cheapo version for educational purposes?
I think you're going about it the wrong way. Learning "FTK" is no different than playing Xbox and considering yourself a game designer.
It's just not the right way to learn. I went around asking the same questions you are right now (some of them are online here in the forums) only to find out that it was the wrong way to go about it. If anything, learn the command line tools, and forget about FTK. I went so far as to purchasing a license of X-Ways Forensics out of my pocket. Again…..the wrong thing to do. Although, prob. better than buying FTK because you actually have to understand some things about forensics when using X-Ways.
Download yourself a copy of SIFT 2.12 (or the new version of DEFT (7).) and learn how to use some of the command line tools that come pre-installed on those operating systems. The command line tools sort of force you to learn what it's looking for. You have to specify options to get the information you want, etc.
For instance
Look at the Sleuth Kit
mmls image.dd
icat -i raw -t nfts image.dd 0 > image.mft
log2timeline -f mft image.mft -w timeline.csv
So with those simple commands you will learn how to calculate the offset, learn about inodes, create a timeline, etc.
FTK - Click, Click, Click, spits out the output, but you have no idea what happened.
I'm creating a series of videos about SIFT and using only command line tools when doing so. You can follow along here (my blog) http//
I'm no expert with forensics, but while learning about forensics/incident response I have found the "gui" stuff; although nice, IS NOT the place to start (for me at least).
Good luck!!