Ok final decision time Xway or FTK

20 Posts
12 Users
0 Reactions
1,043 Views
(@reedsie)
Eminent Member
Joined: 16 years ago
Posts: 48
Topic starter  

Ok, thanks for everyone's insight on prior posts. I have narrowed it down to FTK or X-Ways.

For those that have used both, if you wouldn't mind, let me know your thoughts.

Also, keep in mind this application will be run on a laptop for the time being.


(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Let me throw the ball back in your court:
Why those two packages?
Criminal or civil investigations?
Are you doing collection, analysis, reporting or a combination?
Are you funding the purchase or is your company?
Have you demo'd either?
Doing any RAID reconstruction?
What types of hardware write blockers, if any, are you using?
Have you done training in either package?
Hardware does matter, as FTK 3.0 needs more juice than XW, to say the least.

Do this: given a typical case your business model will experience, with a challenge to answer a question or set of circumstances, and agnostic of branded software, how would you solve that challenge?

Challenge -> Design model to solve -> then pick tools.

Can you afford the best case? If not, how can you pick a set of tools that will still solve the problem but fit your budget?


(@reedsie)
Eminent Member
Joined: 16 years ago
Posts: 48
Topic starter  

FTK seems to have a very powerful database and indexing.
X-Ways is inexpensive, has good reporting, and takes fewer resources.
Not sure on criminal or civil, probably a bit of both.
Analysis, reporting.
I am funding the purchase.
I have worked a little bit with WinHex, that's it besides SIFT, open source etc.
RAID reconstruction is a possibility.
No write blockers.
No training in either, probably learn as you go…


(@curtiswong)
New Member
Joined: 19 years ago
Posts: 1
 

Hey reedsie,

I use FTK, X-Ways, and EnCase. Nobody beats FTK with email presentation. I like X-Ways. X-Ways is great for eliminating duplicate hashes and extracting metadata. Also it gives a great presentation if you're interested in registry information. EnCase suxs if you're doing an index search as you can only search one word. If you search for a combination of words, it's a live search, which can be slow. Every time we do a warrant, we usually get 1TB worth of data uncompressed. In the case of being user friendly, it would be FTK, X-Ways, then EnCase. FTK 3.0 works best if you put the Oracle database stuff on a server/separate drive and the software on another (your OS drive)…

That's my two bits

Curtis


Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

> Hey reedsie,
>
> I use FTK, X-Ways, and EnCase. Nobody beats FTK with email presentation. I like X-Ways. X-Ways is great for eliminating duplicate hashes and extracting metadata. Also it gives a great presentation if you're interested in registry information. EnCase suxs if you're doing an index search as you can only search one word. If you search for a combination of words, it's a live search, which can be slow. Every time we do a warrant, we usually get 1TB worth of data uncompressed. In the case of being user friendly, it would be FTK, X-Ways, then EnCase. FTK 3.0 works best if you put the Oracle database stuff on a server/separate drive and the software on another (your OS drive)…
>
> That's my two bits
>
> Curtis

There is an indexing EnScript in EnCase as I recall. You can also create a list of custom words as an index query condition.


binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

I lost faith in FTK when I discovered that the early V2 offerings were indexing their own file metadata. In addition, the offsets returned in indexed searches bore no relation to the offset in the real evidence. Nothing short of incompetent in my view.

This undocumented 'feature' has been quietly fixed in more recent versions. I just wonder what other 'features' I might have to rely on when I stand in the witness box putting my reputation on the line…

The whole FTK 2.0 issue caused a lot of bad feeling (at least with me). Why anyone would stick with a company that has treated the ordinary forensic examiner in the way that AccessData has over the past 18 months beats me…

I'm not saying the competition is perfect but in my experience they are a bit more open about flaws in their products.


(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

I went from FTK to EnCase during v2.x and am slowly drifting back to FTK. Here are some reasons:

1) AD hired a lot of Guidance's talent.
2) AD seems to have learned from v2.x; the 3.x release seems a lot more stable and they're rolling out fixes for it very quickly.
3) EnCase lacks stability. V6.14 basically fixed a bunch of bugs V6.13 introduced. (I could be off by .01.)
4) EnCase still has nothing like FTK's integration with dtSearch. EnCase can use Trident Mercury but that's additional money on top of the existing license.
5) Guidance seems to be heading more towards professional services and using EnCase to provide them. AD seems to be heading towards providing a tool that professionals can use.
6) There are a lot of things I cannot do in EnCase that I'm at least willing to try in FTK - Registry and email examinations are two examples.
7) EnCase's reporting capability is basically useless. FTK's works.
8) FTK's GUI is a lot easier to use than EnCase's.

Guidance really needs a v7.x release of EnCase, and soon, that provides better searching and some other "must have" features.

-David


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

> Greetings,
>
> I went from FTK to EnCase during v2.x and am slowly drifting back to FTK. Here are some reasons:
>
> 5) Guidance seems to be heading more towards professional services and using EnCase to provide them. AD seems to be heading towards providing a tool that professionals can use.

I agree with you, completely, on this one. When we were doing Oracle development as an Oracle Partner, they sent a representative to meet with us about boosting our sales. It was nothing more than a ploy to get us to sell Oracle consulting services rebranded as our own.

Personally, I think that it is bad business when a vendor begins to compete with its customers for their business.


(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

IMHO FTK customer service has tanked big time.

Version 1.8 is still very good and in a lot of people's opinion the most stable release.


(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Of course 1.8 is still the most stable. It's had the most time in development and in deployment.

As a former commercial programmer, I know that any time you add functionality, you also increase your potential for bugs. AD knows that 2.x was a mistake, and thankfully they aren't making you pay sticker price for 3.x if you have a maintenance contract, unlike Microsoft, who make you pay through the teeth to upgrade from their POS Vista to Windows 7.

As for that comment about FTK indexing its own data, I would hope that it does. Databases index their data in multiple ways, potentially to make it faster to search or faster to retrieve records. I think this was a simple user misunderstanding as to what FTK was doing here. The Oracle DB isn't just a repository for fragments of the image, it's much more than that, and adding in indexes of your case file doesn't contaminate anything since your image file is not altered. I've never heard of anyone getting FTK to report as source data anything from the case file.

Also, remember that FTK treats everything in your case as objects, not just as raw data, so it may address data by, for example, its MFT record offset if it's resident, which is different from the physical offset to the data from the start of the partition or the start of the physical drive. This doesn't invalidate the data since I can get X-Ways to show me the MFT records in raw to validate the result.

As for the OP's question: if you're running on a laptop, you're likely not going to be able to run FTK3 unless you have an awesome docking station setup. That means that you're limited to FTK 1.8, which is a great product, but not in further feature development. X-Ways however will run just fine on a laptop since its overhead is significantly lower, and it's still developing new features. For that reason, I'd suggest X-Ways. If your system was a high-end desktop, and money wasn't an issue, I'd probably have suggested FTK3 since you seem to be relatively new to forensics and FTK gives you a lower learning curve for its functionality.


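The offset disagreement in the posts above (a search hit reported relative to an object, such as a resident file inside an MFT record, versus the physical offset of the same bytes in the evidence) is exactly the kind of thing an examiner should be able to reproduce by hand before relying on it in court. The script below is an added example written for this thread; it is not code from the forum, from AccessData or from X-Ways. The partition start LBA, cluster size, $MFT location, record number and file content are all constructed for the demo, and the function names are my own. It builds a tiny zero-filled image with one hand-made MFT record, translates an "offset N inside file R" hit to a physical drive offset, and then confirms the raw bytes at that offset really are the keyword, the same check patrick4n6 describes doing with X-Ways' raw MFT view.

```python
# Added example (not from the thread): map an object-relative search hit back
# to a physical evidence offset and verify it against the raw bytes.
# All layout values are constructed for the demo, not taken from a real case.

SECTOR = 512
MFT_RECORD = 1024            # standard NTFS file record size

def partition_to_physical(start_lba, rel_offset, sector=SECTOR):
    """Partition-relative byte offset -> physical byte offset on the drive."""
    return start_lba * sector + rel_offset

def cluster_to_physical(start_lba, cluster, within, cluster_size, sector=SECTOR):
    """(cluster number, byte offset inside that cluster) -> physical offset."""
    return partition_to_physical(start_lba, cluster * cluster_size + within, sector)

def physical_to_partition(phys, start_lba=None, sector=SECTOR):
    """Physical offset -> offset relative to the partition start."""
    start_lba = START_LBA if start_lba is None else start_lba
    return phys - start_lba * sector

def resident_data_offset(record):
    """Walk the attributes of a 1024-byte MFT record; return (offset, length)
    of the resident $DATA content relative to the record, or None."""
    off = int.from_bytes(record[0x14:0x16], "little")   # first attribute offset
    while off + 0x18 <= len(record):
        atype = int.from_bytes(record[off:off + 4], "little")
        if atype == 0xFFFFFFFF:                            # end-of-attributes marker
            break
        alen = int.from_bytes(record[off + 4:off + 8], "little")
        if atype == 0x80 and record[off + 8] == 0:         # $DATA, resident form
            clen = int.from_bytes(record[off + 0x10:off + 0x14], "little")
            coff = int.from_bytes(record[off + 0x14:off + 0x16], "little")
            return off + coff, clen
        if alen == 0:
            break
        off += alen
    return None

def build_record(content):
    """Constructed MFT record containing only a resident $DATA attribute."""
    rec = bytearray(MFT_RECORD)
    rec[0:4] = b"FILE"
    first = 0x38
    rec[0x14:0x16] = first.to_bytes(2, "little")
    alen = (0x18 + len(content) + 7) & ~7                   # 8-byte aligned attribute
    attr = bytearray(alen)
    attr[0:4] = (0x80).to_bytes(4, "little")               # type: $DATA
    attr[4:8] = alen.to_bytes(4, "little")
    attr[8] = 0                                            # resident flag
    attr[0x10:0x14] = len(content).to_bytes(4, "little")   # content length
    attr[0x14:0x16] = (0x18).to_bytes(2, "little")         # content offset
    attr[0x18:0x18 + len(content)] = content
    rec[first:first + alen] = attr
    rec[first + alen:first + alen + 4] = (0xFFFFFFFF).to_bytes(4, "little")
    return bytes(rec)

# Constructed layout: partition at LBA 2048, 4 KiB clusters, $MFT at cluster 4,
# and the file of interest is MFT record 7 holding the keyword resident.
START_LBA, CLUSTER = 2048, 4096
MFT_CLUSTER, RECORD_NO = 4, 7
KEYWORD = b"invoice"
CONTENT = b"please pay the attached invoice by friday"

def build_image():
    image = bytearray((START_LBA + 64) * SECTOR)           # ~1 MiB of zeros
    mft_phys = cluster_to_physical(START_LBA, MFT_CLUSTER, 0, CLUSTER)
    rec_phys = mft_phys + RECORD_NO * MFT_RECORD
    image[rec_phys:rec_phys + MFT_RECORD] = build_record(CONTENT)
    return bytes(image)

def hit_to_physical(image, record_no, hit_in_file):
    """A tool reports 'keyword at offset N inside the file in record R'.
    Return (physical offset, True if the raw bytes there are the keyword)."""
    mft_phys = cluster_to_physical(START_LBA, MFT_CLUSTER, 0, CLUSTER)
    rec_phys = mft_phys + record_no * MFT_RECORD
    found = resident_data_offset(image[rec_phys:rec_phys + MFT_RECORD])
    if found is None:
        raise ValueError("record has no resident $DATA attribute")
    data_off, data_len = found
    if hit_in_file >= data_len:
        raise ValueError("hit lies outside the resident data")
    phys = rec_phys + data_off + hit_in_file
    return phys, image[phys:phys + len(KEYWORD)] == KEYWORD

def raw_search(image, needle):
    """Independent cross-check: a plain byte search over the whole image."""
    return image.find(needle)

if __name__ == "__main__":
    img = build_image()
    hit = CONTENT.index(KEYWORD)                           # what the tool would report
    phys, ok = hit_to_physical(img, RECORD_NO, hit)
    print(f"file offset {hit} -> physical {phys} "
          f"(partition-relative {physical_to_partition(phys)}), raw match: {ok}")
    print("raw search agrees:", raw_search(img, KEYWORD) == phys)
```

The point of the two final checks is that the object-relative offset (24 bytes into the file), the partition-relative offset and the physical offset are three different numbers for the same bytes; none of them is wrong, but a report that mixes them up cannot be verified. Running the translation and then a raw search over the image gives two independent routes to the same physical offset, which is the validation worth doing before an indexed-search result goes into a report.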