I'm currently attempting to acquire my minor degree in computer forensics. I just started the program and have had a program called EnCase recommended by my professor. I have yet to really look at it, and though it is required I was wondering if it is the best tool, or perhaps the easiest to start on for data recovery? If anyone with some experience could give me some feedback I would be most appreciative.
Thanks
Briefly, it's not the most intuitive application but is one of the most comprehensive with probably the best support available. It's expensive.
Cheaper but even less intuitive though really very good is X-Ways Forensics.
Any tool in the hands of someone who isn't knowledgeable in its use is at best useless, and at worst dangerous.
Are you interested in data recovery or forensics?
There is no one tool out there which is the best at everything. EnCase has its strong points, but you need to understand how to use it, what it does well, and what are its limits. The same is true for any other software package.
One advantage of EnCase is that it is widely recognized and EnCase certification can be a plus when looking for employment.
Think of it this way. Most computer forensic tools help you to organize and visualize complex data such as file systems, registries, file tables, etc. They are, in essence, time savers, especially for tasks that you perform frequently as part of your examination. Thus, the choice of tool should be dictated by your needs as a practitioner rather than the name recognition of the tool.
Even possession of a tool and certification on the use of the tool is no substitute for understanding what it is you are looking for and how best to look for it. If you understand that, the choice of tool boils down to whatever best supports your practice.
The benefit of the forensic tool suites like EnCase, FTK and X-Ways is that they both automate certain forensic processes, and organise and translate the data in a way that is easier to view.
Each tool suite has certain things that it does well, and they all have glaring deficiencies. For this reason, I would never suggest that one tool is the "best".
As an example, one of EnCase's best features is the EnScripts. You can write a script to automate some data processing for you. The downside of this feature is that you get inexperienced examiners who use someone else's EnScript and then treat the results as gospel having never independently verified the process and/or results. This is an example of why Harlan (keydet89) says that tools can be dangerous.
Remember that in the end, it's the examiner who is giving evidence, not the tool.
It's really more than that. Too many times in the EnCase User Forum, I've seen "...I ran the case processor on a Windows image and it didn't find any Registry information..." and the follow-on "...so it must not be there..." sort of attitude.
And to be fair, I see this with RegRipper as well: the thought that if RegRipper doesn't report something, then it must not be there, without ever verifying whether or not RR even looks for that key/value/data.
Many tools and their results can be easily verified if you understand what the tool is doing, or what it is you're looking for.
I do recall reading in a recent publication...
"The 'Age of Nintendo Forensics' is over."
I guess that is my fear of a thread such as this. There is a ton of information about the tools in methods publicly available online from demos, YouTube videos, blogs, forums, etc that can be easily researched.
This is a highly analytical and cognitive field. You don't have to be a genius; but a thinker. You have to constantly think on your own and persistently dig until you get what you need to know. Nothing can be simply handed over by just asking. Not that people are not willing to help, but because you will gain nothing from it unless you understand why you are asking a question.
To add to the previous, you also need to be willing to experiment. Data systems and data organizations are dynamic entities and while a great deal of information can be obtained through "literature" searches, reference books or looking at a piece of code, sometimes the only way to show how something could have happened is to demonstrate it through an experiment.
As a user of EnCase for almost 4 years now I find myself depending on non-commercial tools for much of my work now. Not only is EnCase expensive but it's becoming bloatware IMHO.
If you can get past all the crashes and nuances to finish a case without putting a giant hole in your monitor you are a saint.
Anyway, one example of non-commercial tools that I hold in high regard and have made a part of my forensic protocol is RegRipper. It is so efficient and so easy to use that it is a pleasure to use. If you really want to get a handle on things read Harlan Carvey's books; they are a MUST read for all examiners.
To get to the root of the original post, is EnCase the best tool? I've been using EnCase for 6 years, FTK for 4 and god knows how many one-off applications that come and go with new technologies. To the new student trying to earn his minor in computer forensics, I would say start learning EnCase immediately. It will be the tool you go to for 70% of your analysis, so understanding its features and MOST IMPORTANTLY how the product comes up with the results it does would go a long way in your program. In CF you'll hear often, "it's not about the tools, it's about the investigator," and I'll say it's about both. Without his/her tools a Forensic Examiner can oftentimes be unable to report the findings, but if the investigator doesn't know his stuff, all the tools in the world will just get him in trouble.
Good Luck!!