Hi, I am a new forensics analyzer. I am wondering what is the software that most guys use? I know of EnCase, but I also know of FTK.
Which is more popular?
Not sure which you're asking…which software is used, or which is more popular.
I use ProDiscover much more than EnCase when it comes to Windows systems. In fact, I also use Perl much more than EnCase, using my own tools to parse particular files and get the data I need.
Popular - FTK and EnCase will probably be the most popular and any of them work well for most of the cases that you'll come across.
Don't let the tool dictate the case. Determine what you need to accomplish and use the tool(s) that best provide the information you seek. There are a lot of very good tools (Harlan's DVD with his latest book has some great stuff on it) out there that are task specific and do as good a job (or better) than the all-in-one suites.
We can't forget that every tool needs to be validated with other tools. The state of the art of tool building and our individual understanding of the workings of each tool is not perfect.
I've recently started using ProDiscover (IR version) and can tell you it's fairly easy to pick up and generally intuitive. One advantage of ProDiscover (IR version) is that it's MUCH cheaper than EnCase Enterprise, so much so that you could get a copy of ProDiscover IR and a copy of EnCase Forensic - that is a great combo. Of course FTK is also a great product.
I find that FTK is the most popular because it is easy to use, you can do a lot with it, and it has a great reporting feature.
Since you're new to forensics, try to keep in mind that you're going to need a number of tools to handle cases. You can get by with one or two tools for a while, but eventually you'll see that the more tools you have available, the more data you can get to.
-Dawson