Open source tools vs commercial tools?

(@potatohead)
Active Member
Joined: 17 years ago
Posts: 6
Topic starter  

Good day folks,

Sorry if this has been discussed before, please point me in that direction if it has.

My background is in computer engineering, specializing in software engineering. I've been an avid Linux user for a while, but new to the forensics side of things.

I'm just curious what major advantages Encase, FTK, et al offer over open source tools? Do they actually have a wide range of capabilities that can't be found (or easily scripted) in an open source environment?

Thanks for your time,
David


   
(@jeffcaplan)
Trusted Member
Joined: 21 years ago
Posts: 97
 

The same advantages any other commercial application has over open-source software

1) Better documentation (and by better, I mean all in one place)
2) 'Commercial'-level support
3) A slicker, more intuitive GUI

Though #2 being an advantage here is arguable. To be fair, you could do a proper forensic analysis using only open-source software and I wager that every single decent forensic analyst has at least a few open-source utilities in their toolbox, even if they rely on EnCase or FTK or X-Ways, etc. as their platform of choice.

For me, the reason I prefer EnCase over Smart/TCT/TSK is because of its GUI, ability to manage case findings/reports via 'Bookmarks' and because of the great EnScript system built-in which lets me write my own scripts a-la Perl style.

I think, like any community, open-source forensic utilities arose simply from the sheer need for a particular tool to perform a particular function not previously existing - so someone decided just to create it themselves. Unlike the other IT fields, however, when it comes to forensics and its impact on law-enforcement activities and incidentally, its ability to send people to jail, agencies and companies are less likely to skimp on money and try to set up an all open-source shop. Instead they favor utilities which have been 'tried and tested', have ample case-law supporting their use and which also offer professional training courses and certifications related to the use of the software.

Another caveat - open-source almost always (I said almost) means Linux. When you are discussing a field like this which, for all intents and purposes, was begun and caters primarily to law enforcement, you are not going to attract the free-spirited, open-source loving, computer hacker types of people. You're going to get guys who were cops for 15 years, detectives for another 5 and then who stumbled into being the de facto computer forensics person for the department simply because they were proficient in MS Office. Most of these guys (Again, I said most and not all), weren't very comfortable with Linux. Though fortunately, this is changing. However, that being the case, there is a large market for the commercial apps with their point-and-click interface which these guys are more comfortable with.

I hope I didn't offend any LE types out there with that last paragraph.

To better sum up an answer to your question - for anything a commercial forensic application can do, there are open-source applications which can do the same thing. Commercial apps just do a better job packaging together multiple functions and providing support.

Jeff


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

For me, the reason I prefer EnCase over Smart/TCT/TSK is because of its GUI, ability to manage case findings/reports via 'Bookmarks' and because of the great EnScript system built-in which lets me write my own scripts a-la Perl style.

You're kidding, right? Enscripting is nothing at all "a-la Perl"…


   
(@potatohead)
Active Member
Joined: 17 years ago
Posts: 6
Topic starter  

To better sum up an answer to your question - for anything a commercial forensic application can do, there are open-source applications which can do the same thing. Commercial apps just do a better job packaging together multiple functions and providing support.

Jeff

Thanks for the in-depth response Jeff, that last paragraph was more or less what I figured.

David


   
(@jeffcaplan)
Trusted Member
Joined: 21 years ago
Posts: 97
 

For me, the reason I prefer EnCase over Smart/TCT/TSK is because of its GUI, ability to manage case findings/reports via 'Bookmarks' and because of the great EnScript system built-in which lets me write my own scripts a-la Perl style.

You're kidding, right? Enscripting is nothing at all "a-la Perl"…

Although not nearly as concise or eloquent, any data you want mined or interpreted on a FS using Perl can be done with an EnScript. The results of which can then be integrated into your final report.

Aside from the syntax or other features Perl provides which EnScripting lacks, can you name something specific you can do with Perl (for forensic purposes) which can't be done with an EnScript?


   
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

Isn't it odd that people pay handsomely for the ability to Enscript? I mean, if you're proficient in writing scripts, why pay thousands of dollars for Encase? Write your PERL, bash, etc., scripts and use Smart Mount, Mount Image Pro, etc. I remember when Guidance introduced the Enscript capability, I thought - wow, great idea, allow your customers to continue to develop your application _and_ they pay for it …

That being said, for any advantage a person points out a commercial application has over a non-commercial application someone else will indicate the opposite is true. Ultimately what should matter is your skills, experience, knowledge, and where you feel comfortable working. For example, Jeff stated "Better documentation". Hmmm, to which someone may reply "Really, is it documented how EnCase searches through the target file and records hits, or does the documentation simply state how to search using EnCase? Does Enterprise clearly state how RAM is acquired, or how to acquire RAM?" This points out that much commercial application documentation does document how to do something, but not how the application is doing it.

Another example, "A slicker, more intuitive GUI". Now, this is again personal. Because I look at EnCase 6.11 and say "Ugh - not intuitive!" and another person new to the application may sit there and say "Wow, this is very well thought out, laid out, and so easy for me to find my way about."

The key is to go your own way, where you feel comfy, and work from there.

Cheers!

farmerdude

www.forensicbootcd.com

www.onlineforensictraining.com


   
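Two points in the thread invite a concrete illustration: Jeff's challenge to name something a forensic script does that an EnScript could not, and farmerdude's suggestion to write your own Perl or bash scripts against a mounted image and his question of whether a tool documents how it searches a file and records hits. The following script is an added example written for this page, not code from the forum or from any of the tools named in it. It performs a byte-level keyword search over a directory tree (standing in for a mounted image), hashes each file in the same pass, and records every hit with its byte offset and surrounding bytes, so the search method itself is fully visible and reproducible. The directory tree, file names, contents and keywords are constructed sample data, and the function names are this example's own.

```python
"""Keyword search over a mounted image tree that records each hit verifiably.

Stand-in for the Perl/bash scripts the thread mentions; standard library only,
run against a constructed sample tree rather than real evidence.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 64 * 1024  # default read size; chunks overlap so a hit on a boundary is not lost


@dataclass
class Hit:
    path: str       # file path relative to the search root
    sha256: str     # hash of the whole file, tying the hit to a verifiable file
    keyword: bytes
    offset: int     # byte offset of the match within the file
    context: bytes  # bytes around the match, for the report


def search_file(path, keywords, rel_path=None, context=16, chunk_size=CHUNK):
    """Scan one file for byte-string keywords, hashing it in the same pass."""
    hits = []
    keep = max(len(k) for k in keywords) - 1  # tail bytes carried over between chunks
    digest = hashlib.sha256()
    carry = b""  # last `keep` bytes of the previous chunk
    base = 0     # file offset of buf[0] below
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)
            buf = carry + chunk
            for kw in keywords:
                i = buf.find(kw)
                while i >= 0:
                    # A match lying entirely inside the carry was already reported
                    # from the previous chunk; report only matches ending in new data.
                    if i + len(kw) > len(carry):
                        hits.append(Hit(rel_path or path, "", kw, base + i,
                                        buf[max(0, i - context): i + len(kw) + context]))
                    i = buf.find(kw, i + 1)  # keep going so overlapping matches are found
            carry = buf[max(0, len(buf) - keep):] if keep else b""
            base += len(buf) - len(carry)
    sha = digest.hexdigest()
    for h in hits:
        h.sha256 = sha
    return hits


def search_tree(root, keywords, **kw):
    """Walk the tree and search every regular file; symlinks are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            hits.extend(search_file(p, keywords, rel_path=rel, **kw))
    return sorted(hits, key=lambda h: (h.path, h.offset))


# Constructed sample content (not real evidence); "falcon" sits at offset 256 of BLOB.
NOTES = b"meeting at noon\nproject falcon is go\n"
BLOB = bytes(range(256)) + b"falcon" + b"\x00" * 10


def build_sample_tree(root):
    """Write a constructed directory tree standing in for a mounted image."""
    user = os.path.join(root, "home", "user")
    os.makedirs(user)
    with open(os.path.join(user, "notes.txt"), "wb") as f:
        f.write(NOTES)
    with open(os.path.join(user, "blob.bin"), "wb") as f:
        f.write(BLOB)


def run_demo(chunk_size=CHUNK):
    """Build the sample tree in a temp dir, search it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return search_tree(root, [b"falcon", b"noon"], chunk_size=chunk_size)


if __name__ == "__main__":
    for h in run_demo():
        print(f"{h.path}  sha256={h.sha256[:12]}..  {h.keyword!r} @ {h.offset}  {h.context!r}")
```

The chunked read with a carried-over tail is the part worth studying: a naive chunk loop silently misses any keyword that straddles a read boundary, which is exactly the kind of behaviour a closed tool's manual would not tell you about. Point `search_tree` at a read-only mount of an image to use it on real data.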