Hello, I am doing an assignment comparing FTK and Encase and wondered what everyone else thinks about these two products and which you think is best?
Thanks 😯
I don't know of anyone who thinks that FTK 2 is fit for purpose.
FTK 1.x and EnCase have many differences and it would not be assessing the merits of each one fairly by just asking 'what do you think is the best' with a yes/no response.
Sorry it's a bit of a general question, but the assignment I was given is quite general - it simply asks me to evaluate these tools and their use……
"to address the issues regarding all the different and distinct phases of a computer forensic investigation"
I was going to respond with a detailed message (although you could search this group and get many responses to similar threads), but aside from the "which is best question" (the answer is neither), is your assignment a "survey" type assignment or do you have access to the tools and are you being asked to make this determination for yourself?
Most investigators use more than one tool, the selection of which is based upon the needs of the investigation. Rather than which is best, I would think that the issue is what are the strengths and weaknesses of each.
I have to assess the tools and compare them. I just wondered what people who actually use them think in very general terms. Thanks for the information
In very general terms, I use them both for different things, and to cross-reference. It's a means to an end as seanmcl says, and often will be a combination of many tools, both for identifying data of note, or presentation reasons.
This is one of those matter of faith questions along with
vi or emacs
Perl or Python
Linux or Windows or MacOS
Bitter or Lager
Tea or Coffee
It comes down to what an individual prefers, so much, both have advantages and disadvantages compared to the other (be they technical or interface).
(Although I have to second Jonathan, I don't know _anyone_ who has found FTK2 fit for purpose. -P)
I personally prefer vi, Perl, MacOS, Bitter, Coffee and old FTK (of the two - otherwise, I like WinHex best - certainly on reliability count - not to mention cost!).
At the end of the day, remember that you have to verify your results anyway, so you may well loathe each of them equally by the end of any given piece of work ! -D
FTK's indexing engine is superior to Encase. It allows you to see results as you type; which can be helpful for discovering new search terms. FTK's interface is more intuitive.
Encase has incredibly powerful scripting capabilities and supports more file systems. Its proprietary image format is inconvenient.
I can't live without either of them, but because of the problems with FTK 2.0, the only thing I use in the 2.0 suite today is PRTK. But I still use 1.7.
For email-intense cases, I tend to go with FTK. For everything else, I tend to go with Encase.
I tend to use both as many people do, both have advantages over each other, so it's more down to personal pref (which has already been mentioned).
Now down to the important answers!
vi
Perl
Linux @ work / MacOS @ home
Bitter
Caramel Hot Choc (Starbucks)
and to continue
FTK 1.8
Apache
mysql
Not that anyone cares obviously.
I think giving a simple answer to a simple question would result in me choosing EnCase over FTK.
However…..! (forensics analysts never give a simple answer)
I use both simply because EnCase does some things that FTK does not do and FTK does some things that Encase does not do.
My reason for choosing EnCase over FTK is based on its development and progression over the last few years which has resulted in a much more reliable and integrated case tool. EnScript technology is a major advantage that EnCase has over FTK.
FTK is a great tool and I use it because it does some things very well. FTK is potentially on the verge of eclipsing EnCase. I suggest this because having recently attended the course for FTK2, I think the direction that FTK2 is taking - in principle - is the future for digital forensic examinations.