Minimal forensics equipment

12 Posts
4 Users
0 Reactions
1,605 Views
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

My natural inclination, being very experienced in Unix, is to use the Unix tools such as Vital Data's FoRK, Knoppix-STD, Autopsy, and SleuthKit. However, I suspect those tools are not as useful as EnCase or FTK. I also suspect using Unix tools instead of the #1 or #2 software suite would open me up to more intense scrutiny when it's time to testify in court as to my findings.

That is part of what I am trying to find out.

Don't get me wrong, if you know how to use a tool efficiently, use it. An example of why I like the automated utilities better is in dealing with compound files. EnCase can view registry, thumbs.db, zip, dbx, pst, etc. compound file types simply by using the "view file structure" command. You will need a lot more utilities to view the various file types once you recover them. That takes time. In fact, I can use a script to open all the zip files in a case at once and include them in keyword and graphic searches. I can decode embedded dates and times from within EnCase (as long as I know where they are), such as those found in Word metadata. If you're charging the kind of rates most of us do, your clients will appreciate you using the most efficient analysis tool possible. Also be careful with some of the utilities out there. If asked in court what tool I used to perform a particular operation, I don't want to have to say something like "chastity cracker". It just doesn't look professional. Then you're going to get asked who wrote the software, and that will probably look even worse.

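The post above describes two things an examiner wants from a compound-file-aware tool: opening every zip-style container in a case (including nested ones) so its contents join the keyword search, and pulling embedded dates out of Word metadata. The script below is an added example, not code from the original thread nor from EnCase or FTK; it recursively expands zip containers in memory, treats .docx files (which are themselves zips) as containers, reads the created/modified timestamps from their docProps/core.xml part, and runs a case-insensitive keyword search over the leaf files, reporting the full container path of every hit. The evidence archive it searches is constructed inline, so it runs offline.

```python
"""Added example: recursive compound-file triage for zip containers (including
Word .docx) with keyword search and Word metadata date extraction.
The sample evidence is constructed in memory; nothing here is EnCase's or FTK's code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by docProps/core.xml inside a .docx (Office Open XML)
_NS = {
    "dcterms": "http://purl.org/dc/terms/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
}


def word_metadata_dates(docx_bytes):
    """Return {'created': datetime, 'modified': datetime} read from a .docx's
    docProps/core.xml part, or {} if the part is missing."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    out = {}
    for key in ("created", "modified"):
        el = root.find(f"dcterms:{key}", _NS)
        if el is not None and el.text:
            # Office writes W3CDTF timestamps in UTC, e.g. 2006-01-02T15:04:05Z
            stamp = datetime.strptime(el.text.strip(), "%Y-%m-%dT%H:%M:%SZ")
            out[key] = stamp.replace(tzinfo=timezone.utc)
    return out


def walk_compound(name, data, keywords, max_depth=8, _path=()):
    """Recursively open zip containers and yield (path, kind, detail) findings.

    kind is 'keyword' (detail = the matched keyword) or 'word_dates'
    (detail = dict of datetimes). Nested containers are expanded in memory,
    so a hit inside a zip inside a zip still carries its full container path."""
    path = _path + (name,)
    if zipfile.is_zipfile(io.BytesIO(data)):
        if name.lower().endswith(".docx"):
            dates = word_metadata_dates(data)
            if dates:
                yield ("/".join(path), "word_dates", dates)
        if len(path) > max_depth:  # guard against zip bombs / pathological nesting
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                yield from walk_compound(info.filename, zf.read(info), keywords, max_depth, path)
        return
    # Leaf file: case-insensitive keyword search over the decoded text
    text = data.decode("utf-8", errors="ignore")
    for kw in keywords:
        if re.search(re.escape(kw), text, re.IGNORECASE):
            yield ("/".join(path), "keyword", kw)


def _build_docx(body_text, created, modified):
    """Constructed sample: a minimal .docx-shaped zip, not a real Office file."""
    cp_ns, dc_ns = _NS["cp"], _NS["dcterms"]
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{cp_ns}" xmlns:dcterms="{dc_ns}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    doc = f"<w:document><w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


def build_sample_case():
    """Constructed evidence: an outer zip holding a text file and a nested zip
    that holds a .docx, so the hits appear three containers deep."""
    docx = _build_docx("Invoice for project ACME-7 attached",
                       "2006-01-02T15:04:05Z", "2006-01-03T09:00:00Z")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report.docx", docx)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("notes.txt", "nothing relevant here")
        zf.writestr("archive/inner.zip", inner.getvalue())
    return outer.getvalue()


def triage(case_bytes, keywords):
    """Run the recursive walk over one container and collect all findings."""
    return list(walk_compound("case.zip", case_bytes, keywords))


if __name__ == "__main__":
    for hit in triage(build_sample_case(), ["acme-7", "invoice"]):
        print(hit)
```

The keyword hits come back with paths like case.zip/archive/inner.zip/report.docx/word/document.xml, which is the detail an examiner needs when asked in court exactly where a term was found; the depth guard is there because a recursively expanded container is the one place a crafted archive can exhaust the workstation.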
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

I would get some forensic training because you will find when UTG in court that if you don't have the forensic training then it will be a short day for you.

Figure out what software that you want and attend their training. You know where Greg stands on this issue.

EnCase has its EnCE cert program and FTK doesn't have a cert; rather, they have boot camp, intermediate, advanced, aol-yahoo-kaaza-hotmail etc., and a few other ones. I believe that FTK is around $1600 for just the class, but you can get a good deal if you buy the suite of software:

PRTK password recovery toolkit
FTK
Reg Viewer
DNA distributed network attack
etc

I found the intermediate to be basic but the other classes were very good.

The EnCase classes have several different choices, and the manuals for the classes are huge and provide lots of graphics and information. Also there are classes where you can go to a conference and attend several EnCase related items in one week, which is nice.

Then you have things like NetAnalysis, which has its own training, and although I haven't been, the people who teach it are top notch; the software is also top notch.

You can also find yourself getting WinHex or some variant of it and attending their training class, which will add that much more knowledge and also more CV items.

After you get all that done you could choose to join organizations like HTCIA or IACIS etc. I don't really like any organization who doesn't believe in the fact that you can do defense work.

In this field there tend to be a few categories of forensic people:

LE
Private sector (PWC or other accounting firms) larger server type stuff
Defense work (which could be for the govt, i.e. public defender, or private counsel).

Whew... ok, I'm done. Hope that helps you.

