Sleuthkit vs Encase

6 Posts
5 Users
0 Reactions
2,365 Views
(@dnraikes)
Eminent Member
Joined: 17 years ago
Posts: 29
Topic starter  

Hi,

Is an open-source tool like The Sleuth Kit as accepted in the industry as something like EnCase?

Also, which is more frequently used as a forensics platform, Linux or Windows? I am familiar with both platforms, but it seems like there are more tools in the Linux space (at least open-source tools), and as I try to get into the field, I like open source as opposed to spending big bucks for Windows-based tools.

minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

Any tool is only as good as the person using it; I can't see anyone having a problem with you using Sleuthkit, except maybe in a private-sector job where they may argue you can work faster with tool xxx or it's standard practice for their company.
From my understanding, Linux is better for investigating Linux machines and vice versa for Windows.
That said, I have done examinations of Linux machines on Windows, so I see no reason why you couldn't use Linux for a primary investigation machine.
That said, if you're looking not to spend as much, maybe something like WinHex/X-Ways for Windows would suit you better than EnCase.
There are a lot of free tools for Windows, and I think (don't quote me on this) that you can use TSK/Autopsy on Windows.

(@dnraikes)
Eminent Member
Joined: 17 years ago
Posts: 29
Topic starter  

> Any tool is only as good as the person using it; I can't see anyone having a problem with you using Sleuthkit, except maybe in a private-sector job where they may argue you can work faster with tool xxx or it's standard practice for their company.
> From my understanding, Linux is better for investigating Linux machines and vice versa for Windows.
> That said, I have done examinations of Linux machines on Windows, so I see no reason why you couldn't use Linux for a primary investigation machine.
> That said, if you're looking not to spend as much, maybe something like WinHex/X-Ways for Windows would suit you better than EnCase.
> There are a lot of free tools for Windows, and I think (don't quote me on this) that you can use TSK/Autopsy on Windows.

Thanks for the input. Yes, TSK and Autopsy are available on Windows, although I haven't tried them as yet.

My other big issue is how accessible some of the tools are, since I am totally blind. I know that TSK and Autopsy are accessible, and I have been working on some home-grown Perl tools to do some registry extraction for Windows, based on articles by Harlan Carvey and others. Haven't gotten too far on the home-grown stuff yet, though.

kiashi
(@kiashi)
Trusted Member
Joined: 19 years ago
Posts: 99
 

If you want to look into X-Ways Forensics then you can always go straight to the source: Stefan is the developer/owner of the business and he is always extremely helpful. He is also the primary deliverer of training courses (at least he was when I did it about 2 years ago). He would be able to tell you straight away about the structure of his software, and you may be able to figure out together its accessibility for sight impairment.

Hopefully you don't have to resort to re-writing all the tools yourself, although go for it if it's something you enjoy!

Good luck :)

lucpel
(@lucpel)
Trusted Member
Joined: 14 years ago
Posts: 55
 

In theory, technological neutrality is an international law principle. But in practice it depends where you are and what you do.

(@bitstorm)
Trusted Member
Joined: 14 years ago
Posts: 53
 

Using a tool like Sleuthkit/Autopsy you know what you do - or you should 😉
Comparing EnCase 6 and 7, this knowing what you do disappears. If you're using a so-called standard such as EnCase, X-Ways or FTK you shouldn't get many questions at court. But if you get them, can you answer?
You must be able to guarantee the chain of custody. Can you describe the way you get the data back? Can you explain the setup of MBR/GUID? Then it should be no problem what tool or tool suite you use. If a tool fits your demand, use it.
I'm just at the stage of finding the demands to be able to ask the question on a tool.

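The last reply makes the point that an examiner should be able to explain, independently of the tool, how the evidence was kept intact and how the on-disk structures (MBR/GPT) are laid out. The following added example (not code from the thread or from The Sleuth Kit) shows what that looks like in practice: it builds a constructed 512-byte MBR sector, hashes it before and after examination as a chain-of-custody check, decodes the four partition entries by hand, flags a GPT protective entry, and reports overlapping partitions as a sign of corruption or tampering. The sample sector and the small partition-type lookup table are assumptions made here for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
# One 16-byte entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA of first sector, number of sectors (both little-endian 32-bit).
ENTRY_FORMAT = "<B3sB3sII"
BOOT_SIGNATURE = b"\x55\xAA"

# Assumed lookup table of a few well-known partition type IDs (for labelling only).
PARTITION_TYPES = {
    0x05: "Extended",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not from any real disk): two primary partitions."""
    sector = bytearray(SECTOR_SIZE)
    zero_chs = b"\x00\x00\x00"  # CHS fields are ignored by modern tools; LBA is authoritative
    # Entry 1: bootable (0x80), type 0x07, starts at LBA 2048, 204800 sectors (100 MiB).
    sector[446:462] = struct.pack(ENTRY_FORMAT, 0x80, zero_chs, 0x07, zero_chs, 2048, 204800)
    # Entry 2: not bootable, type 0x83, starts right after entry 1, 409600 sectors (200 MiB).
    sector[462:478] = struct.pack(ENTRY_FORMAT, 0x00, zero_chs, 0x83, zero_chs, 206848, 409600)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def sha256_hex(data: bytes) -> str:
    """Digest recorded before and after examination to show the evidence was not altered."""
    return hashlib.sha256(data).hexdigest()


def parse_mbr(sector: bytes) -> list:
    """Decode the four MBR partition entries; raise on malformed input instead of guessing."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("sector too short for an MBR")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FORMAT, sector[offset:offset + 16])
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {index}: invalid status byte 0x{status:02x}")
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "lba_end": lba_start + sectors - 1,
            "sectors": sectors,
            "bytes": sectors * SECTOR_SIZE,
        })
    return entries


def is_gpt_protective(entries: list) -> bool:
    """A 0xEE entry means the real partition table is GPT; this MBR is only a placeholder."""
    return any(e["type"] == 0xEE for e in entries)


def find_overlaps(entries: list) -> list:
    """Return (index_a, index_b) pairs whose sector ranges overlap: corruption or tampering."""
    overlaps = []
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] <= a["lba_end"]:
            overlaps.append((a["index"], b["index"]))
    return overlaps


if __name__ == "__main__":
    image = build_sample_mbr()
    before = sha256_hex(image)
    entries = parse_mbr(image)
    for e in entries:
        print(f"entry {e['index']}: {e['type_name']} (0x{e['type']:02x}) "
              f"LBA {e['lba_start']}-{e['lba_end']} bootable={e['bootable']}")
    print("GPT protective MBR:", is_gpt_protective(entries))
    print("overlapping entries:", find_overlaps(entries))
    print("evidence unchanged:", sha256_hex(image) == before)
```

Run stand-alone it prints the decoded table in plain text, which keeps the output usable with a screen reader. The hash comparison is the minimal chain-of-custody step the reply asks about; on a real image the same digest would be recorded at acquisition and re-checked after every tool run.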