Hey everyone… recently I was in a bind with my new forensics company that I just got my first contract with… not a big job, but it came to me unannounced and without warning or preparation. I've been using EnCase for almost 2 years now with 2 Federal Government Departments and recently registered my own company to do forensics on the side. Word got around and I was approached to do some corporate bankruptcy work. Well, here was my dilemma… I have not used free Linux forensics tools much except in intro courses… most of my experience is with EnCase and FTK. WELL!!! Try to get either of those packages, even used ones cheap, and people think you're crazy.. LOL
Well, here is how I sorted out my problem. I downloaded Paraben's P2 Commander which has a 30 day trial, imaged the client hard drive with EnCase 6 in acquisition mode and now I'm going to see if I can load the EnCase image into P2 Commander to do my analysis. If this works, I will email Paraben to thank them for their 30 day trial, that it is a wonder for those new into the market and that I WILL purchase a package from them.
BTW, I talked with Guidance Software and they wouldn't even attempt to look at giving me a 30 day trial of EnCase.
Now, this allows me to earn some money in order to purchase new hardware and software.
Hope this works and that this tip helps others in the same situation.
Thanks
Rob
So, if I understand things correctly, you don't own full licenses for either of the tools you're using?
Jamie
Not wishing to dampen your clear enthusiasm, but I would never want to go to court with evidence that I had either obtained or analysed with software that was running during a trial period. It simply does not look solid IMHO
You can acquire using FTK Imager, which is free. The image can be acquired in raw, dd-style mode. Any of Jesse K's *deep tools can be used to generate hashes of the resulting image (FTK Imager does this, too) to ensure integrity.
Analysis can then be done using PyFlag, TSK, by mounting the image as a read-only file system, etc.
My point is that you can make money without relying on unlicensed or trial versions of commercial software; you'll simply need to fill in your gaps with documentation of your process.
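The integrity check described in the post above, as an added example that is not part of the original thread: it hashes a raw (dd-style) image, including one split into segments such as `evidence.001`, `evidence.002`, in a single read-only pass and compares the result with the hashes recorded at acquisition, returning a record that can go into the case documentation. The function names, file names and sample data are hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ALGOS = ("md5", "sha1", "sha256")

def hash_segments(paths, chunk=1024 * 1024):
    """Hash the concatenation of raw image segments, in order, in one pass."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    total = 0
    for path in paths:
        with open(path, "rb") as fh:          # evidence is only ever opened for reading
            while block := fh.read(chunk):
                total += len(block)
                for h in hashers.values():
                    h.update(block)
    return total, {a: h.hexdigest() for a, h in hashers.items()}

def verify_image(paths, acquisition_hashes):
    """Compare computed hashes with those logged at acquisition time."""
    total, computed = hash_segments(paths)
    mismatches = sorted(a for a, v in acquisition_hashes.items()
                        if computed.get(a) != v.lower())
    return {
        "verified_utc": datetime.now(timezone.utc).isoformat(),
        "segments": [os.path.basename(p) for p in paths],
        "bytes": total,
        "computed": computed,
        "mismatches": mismatches,
        "match": not mismatches,
    }

def demo():
    """Constructed sample: a 16 KiB 'image' split into three segments."""
    data = bytes(range(256)) * 64
    with tempfile.TemporaryDirectory() as d:
        segs = []
        for i, off in enumerate(range(0, len(data), 6000), start=1):
            path = os.path.join(d, f"evidence.{i:03d}")
            with open(path, "wb") as fh:
                fh.write(data[off:off + 6000])
            segs.append(path)
        acquired = {"md5": hashlib.md5(data).hexdigest(),
                    "sha1": hashlib.sha1(data).hexdigest()}
        good = verify_image(segs, acquired)
        with open(segs[1], "r+b") as fh:      # simulate one altered byte in a working copy
            fh.write(b"\xff")
        bad = verify_image(segs, acquired)
    return good, bad

if __name__ == "__main__":
    for record in demo():
        print(record["match"], record["mismatches"], record["bytes"])
```
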
Not wishing to dampen your clear enthusiasm, but I would never want to go to court with evidence that I had either obtained or analysed with software that was running during a trial period. It simply does not look solid IMHO
Trial license or full license or enterprise license or professional license the OP is licensed to use the product, so I see no problem. I actually applaud his inventive approach to his circumstances and willingness to share it.
I think we need to be careful as forensic analysts in not allowing courts too much leeway to dictate to us which tools we can use. After all we're meant to be the experts, not them!
Surely there are issues regarding product features (is it the full product? have some features been removed/crippled?) and product support (does it come with the latest patches? will the vendor back up a trial version in court?) in addition to the issue of "credibility" hinted at previously?
I certainly don't disagree with examiners using their own judgment regarding the best tool for the job but I don't think this is an approach without pitfalls.
Jamie
The OP refers only to it being a time-limited trial and in my experience of such trials you get the full product with access to updates and patches. Of course each product may differ! It's the examiner's call on whether they feel they are capable of justifying their choice of tool in the dock. One thing the OP doesn't touch on is his ability to carry out dual-tool verification.
Yeah, I do hear you, it just feels a bit like handing someone a stick to beat you with unless you're very careful.
Jamie
Practically any textbook, presentation, article on computer forensics makes it clear that using unlicensed software to perform an investigation is a no-no.
In any civil case where I have ever gone to court, one of the first things that opposing counsel requests is documentation that I am the licensed user of whatever tools/devices I used for my investigation.
Further, if it should come up in your case, your client could accuse you of malpractice or fraud for misrepresenting the capabilities of your practice.
Don't do it!
As Harlan pointed out, there is very little that any proprietary tool does that you cannot do with open source or free software, and whether you use EnCase, FTK, whatever or not you still need to understand what is under the hood if you are going to qualify as an expert. In addition to the tools already mentioned, Scalpel and PhotoRec/TestDisk are two file recovery/file carving tools which are free and can be very useful.
What you use should be determined by the work plan that you have created for the case.
Trial license or full license or enterprise license or professional license the OP is licensed to use the product, so I see no problem.
Check the terms of the "license". Paraben calls their downloads "Demo Versions". The implication is that you are not licensed to use it for commercial purposes.