Seeking Advice on if FTK is a good purchase

(@luc_4246)
Active Member
Joined: 18 years ago
Posts: 15
Topic starter  

Hello,

I am in the process of learning computer forensics. I have been in the info security world for 10 years and very familiar with both windows and UNIX, networking and security in general. I have taken the SANS Forensics course and spent what time I can learning different free forensic tools, and forensic concepts. My goal is to get a new job at some point with a company doing full time forensics. My question is this. I have a budget that I have put forth to spend (invest in myself) for education. I am thinking of buying a copy of FTK (full version) and learning the tool inside and out hoping that knowing this tool, which is probably used more in shops rather than free tools such as TSK and autopsy etc. Is this a good investment? For those of you doing forensics for companies are you using FTK, if so how much compared to other tools. How do you think it would help if I showed that besides everything else that I have learned about forensics I also have in-depth knowledge of FTK. Again, is it worth the investment?

Any help would be appreciated.

Thanks,

Alan


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

You are going to get into an interesting debate about the better of FTK or EnCase. I use FTK personally, but I've seen more jobs with EnCase advertised …

I also use WinHex and the open source tools though …

As a starting point though, I would save my £1000 ( or $ or whatever ) and buy the EnCase EnCE book - it comes with a limited version on a CD in the back that will allow you to perform all of the exercises contained in it - this will teach you the tool almost as well as the *real* thing, and at a £40 outlay is considerably better value !

Knowledge of a tool is _not_ knowledge of forensics. I know how to use Microsoft Word - but I've still not written a best selling novel …

Often the most interesting and telling things are as well picked up with a free Hex Editor and skill rather than an overpriced restrictive tool … Read up on things - get books ( scan the forum for recommendations … But I will say - Harlan Carvey & Brian Carrier ) and practice with something simpler until you know where to find things, how to understand them and why they are there.

Good Luck - personally I think that an InfoSec background is a good place to come from - mine is too … ( Think about it carefully though - InfoSec pays better ! )

Azrael


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I would agree with everything azrael said and add my two cents…

There are strengths and weaknesses to each tool but all commercial tools take some of the drudgery out of computer forensic examination. That is both good and bad. Good if you understand what the tool is doing; bad if you rely on the tool to do your thinking for you.

EnCase, for example, provides some very powerful scripts for generating the kinds of reports that would be commonly used in an investigation but when you take the Encase courses you, first, learn how to do the task manually by delving into the data using a hex editor. Once you have completed a number of manual exercises you are shown a tool which can do the same thing, automatically.

Not only does this allow you to be able to explain how you did what you did, but I have also found that in some cases (and this is not limited to Encase), the automated tools actually obscure what is going on because you are no longer forced to look at the underlying data.

So, if your purpose is to use the tool to automate processes that you'd feel confident doing, manually, then which tool you choose depends, in part, upon your comfort level with the look and feel of the tool and, in part, on the type of task that you think that you'll be doing most often.

I use a number of tools both free and commercial in most investigations. Rarely is one sufficient.

TSK (The Sleuth Kit) is a very good tool and, combined with Brian Carrier's book, it will help you to acquire a solid understanding of the most common file systems found today. There are a couple of sites which have tests, including the disk image, that are vendor neutral so that you could use Encase, TSK, X-Ways, ProDiscover or other tools to help you perform the required tasks. As noted, the EnCE study guide and Harlan Carvey's books will help you to get a forensic appreciation of key data structures, and both list a number of inexpensive or free tools which can be used to examine these on your computer or a subject computer. The Linux-NTFS documentation contains a great deal of what is known about NTFS organization and structures. It, too, is free.

As noted, before I shelled out a lot of money for FTK or Encase, I'd spend some time with these books and the freeware tools and practice images either downloaded or based upon your own computer. Once you discover the methodology that fits your style, you'll better be able to determine which tool works best with your methodology.


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Thanks seanmcl -)

Further to my last post - if you download FTK from AccessData you get an evaluation license that ceases processing at 5000 items, so you need not fork out to get a feel for FTK either … ( This only applies to 1.71, I don't think/haven't found a download for evaluation of 2.0 yet … )


(@luc_4246)
Active Member
Joined: 18 years ago
Posts: 15
Topic starter  

All,

Thanks for the input. Just a few more facts that I might want to point out to better lay out the scenario. First of all, I understand what you are saying about knowing the fundamentals first, etc. I do, for the most part. For example, I can manually take an image, find the offset of what I am looking for, find the block number, extract it, or find the inode / MFT info to get more info, etc. etc. So I know how to do it by hand, but as you know it's time consuming and not practical. Okay, now that that is said, here is also the kicker. I can get FTK 2.0 at a very reasonable price (yes, legally), so that is why I am asking about FTK and not Encase and why I thought that it might be a good idea.

I have Harlan's books, and have read most of them and all of Brian Carrier's books. I have worked with the TSK tools, etc. If not mentioned, I have also taken the SANS course to learn how to use the tools by hand, not just push the big red button.

thanks,


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

If you can afford FTK 2.0 by all means go for it. Remember, though, that currently it won't install on a 64 bit OS (though I hope that will change, soon).

Personally, I like FTK's indexing/search better than Encase's (even in Encase 6.0, although if you add Mercury to Encase, it gives you the same functionality).

Although both tools have file carvers, I still prefer some of the open source tools.

If your goal, however, is employment, I would agree with azrael that, at least in the US, Encase certification is probably more commonly sought after than FTK experience, in part probably because of the good deal of case law supporting evidence acquired and analyzed using Encase.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Is this a good investment?

As opposed to…what? Are you trying to compare it to an alternative?

For those of you doing forensics for companies are you using FTK, if so how much compared to other tools.

We have FTK, EnCase, and I have been using ProDiscover for quite some time. I also have an evaluation version of X-Ways Forensics. Each tool is just that…a tool. It has its strengths and weaknesses.

For example, let's say you want to do hash comparisons to a known set of hashes. You could use Gargoyle, or you could use EnCase Forensic Edition to do that. I recently had an issue where I needed to do a quick extraction of credit card and social security numbers (if there were any) and process them…so I opened the image in EnCase for the CC numbers, and did SSNs side-by-side in FTK with the built-in regex.

Tools are just that…tools.

Good luck.

h
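
The two tasks keydet89 describes above, hash comparison against a known set and regex extraction of card and SSN numbers, as an added example of what the tools do under the hood (this is not code from the thread or from FTK/EnCase; the hash set, file contents and number values are constructed test data, and the MD5 set stands in for a vendor hash set):

```python
import hashlib
import re

# Constructed "known bad" hash set and carved files; none of this is real evidence.
KNOWN_HASHES = {hashlib.md5(b"contraband tool v1").hexdigest()}
SAMPLE_FILES = {
    "tool.exe": b"contraband tool v1",
    "notes.txt": b"card 4111 1111 1111 1111 expires 12/29; ssn 123-45-6789; ref 1234567812345678",
}

# 13-16 digits, optionally separated by space or dash, not embedded in a longer digit run.
CC_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# US SSN in the common NNN-NN-NNNN form.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:           # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def hash_matches(files: dict, known: set) -> list:
    """Names of files whose MD5 is in the known hash set (what a hash-set hit means)."""
    return sorted(name for name, data in files.items()
                  if hashlib.md5(data).hexdigest() in known)


def find_cards(data: bytes) -> list:
    """(offset, digits) for every Luhn-valid card-like number; regex alone over-matches."""
    hits = []
    for m in CC_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def find_ssns(data: bytes) -> list:
    """(offset, text) for every SSN-shaped string; no checksum exists, so expect false positives."""
    return [(m.start(), m.group(0).decode()) for m in SSN_RE.finditer(data)]
```

The 16-digit "ref" value in notes.txt matches the regex but fails Luhn, which is exactly the kind of noise a raw pattern search in any tool produces and an examiner has to be able to explain.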


griffy46
(@griffy46)
Active Member
Joined: 17 years ago
Posts: 11
 

Hi Luc

It's not just your choice of tools, but the actual training you receive. As has been mentioned earlier, Encase show you on their course where the data the tool recovers actually comes from. If you intend to work in the commercial sector there will come a time when you may be called to supply evidence for court purposes, and it can be quite embarrassing if they ask where a particular piece of data came from and what process was applied to acquire it; you need to know. Some of the commercially available courses are fairly reasonable in cost if you arrange your own accommodation. Self-teaching is very good and a necessary part of the process, but the accredited qualification is what will get you where you want to be.

Good luck

