I have a laptop which runs 3.0 and is not a docking station laptop.
YMMV, but plenty of the laptops now a days are coming with great features.
I have a laptop which runs 3.0 and is not a docking station laptop.
YMMV, but plenty of the laptops now a days are coming with great features.
You can get 64 dual and quad core laptops with 8GB RAM for a "reasonable" price these days.
One question I have not been able to have answered from the software vendors is whether the code of any of these packages are compiled in a manner to take advantage of multi-core or multi-processor systems.
I have a laptop which runs 3.0 and is not a docking station laptop.
YMMV, but plenty of the laptops now a days are coming with great features.
Would you mind posting your setup? I'd be fascinated to see how you're set up and whether you have an attached/network RAID or whatnot.
Also, how responsive are you finding it?
As for that comment about FTK indexing it's own data, I would hope that it does. Databases index their data in multiple ways potentially to make it faster to search or faster to retrieve records. I think this was a simple user misunderstanding as to what FTK was doing here. The Oracle DB isn't just a repository for fragments of the image, it's much more than that, and adding in indexes of your case file doesn't contaminate anything since your image file is not altered. I've never heard of anyone getting FTK to report as source data anything from the case file.
I take your point. I don't want to get into a show of strength about how much we know, but you can safely assume that I know what I am talking about when it comes to databases. I know what should be indexed and what shouldn't. When I run a search on the information in my database I generally don't want to be returning the meta information from the internal database files which is what FTK was doing. If it was the right thing to do, then why have AccessData changed the behaviour?
The other important point I made is that the returned hit offsets were wrong. I fail to see how this can be at all helpful.
What type of specs does Xways require?
Those who have it and use it, is the Investigation Report add on necessary?
I'm assuming I could run this on a laptop with 4GB ram?
X-Ways Forensic will run happily 4GB. The machine I have it on only has 2GB running XP Pro. Any modern computer will run it easily.
X-Ways Investigator is a cut down version that you use if you want to have an investigator or attorney work on looking through the evidence. If you are conducting the whole exam yourself, you don't need it since you can produce your results on e.g. a CD and they can look at it that way.
Cyber Speak had a very good interview with Brian Karney the COO of AccessData. Brian talks with about FTK 3.0 and does explain some feature that are very intriguing.
http//
(note CyberSpeak is on iTunes so you can pull it from there as well)
Just found this thread.
One question I have not been able to have answered from the software vendors is whether the code of any of these packages are compiled in a manner to take advantage of multi-core or multi-processor systems.
In X-Ways Forensics, multiple processor cores or processors are utilized simultaneously in various situations
- when computing hashes (of disks, images, or individual files on disks/in images)
- when creating an image
- when cloning disks
- when restoring an image back to a disk
- when indexing and optimizing the index
- whenever working with compressed .e01 evidence files (e.g. running searches, refining the volume snapshot, …)
and more
X-Ways Forensic will run happily 4GB. The machine I have it on only has 2GB running XP Pro. Any modern computer will run it easily.
Even outdated computers that you may encounter on site (or in your own office) should run it. One of my computers is many years old and has only 512 MB RAM. X-Ways Forensics also runs on that computer, and if I close down all other programs I can even get it to load an image of a volume that contains 5 million files.
IMHO FTK customer service has tanked big time.
Version 1.8 is still very good and in a lot of people's opinion the most stable release.
No Doubt… 1.81..is my "Goto" of the AD Toys.. Along with the Registry tool. Other then that..it the case that determines the Tool. Tha majority of my cases are started with Encase 6.15 (well..imaged as E01 with FTK imager) then I spit out or export as needed..using FTK tools as a Viewer…
As for EnCase reporting.. Its consistent.. 😉 ..Export as RTF or make a fancy HTML report.. It's all good.. you just gotta do the work..
I would LOVE to use WinHex Forensic for a bit… It seems very powerful..
How are the reporting Features in Xways? Are they very presentable?