Agreed with Harlan. The past year I have purchased both collection software and analysis software and find myself gravitating to the less expensive niche software packages more and more for both tasks. I am not trying to be anti-commercial, but the free or lower cost targeted solutions do such a fine job that I have a harder time justifying the cost of the larger "name brand software". Those are great pieces of software and I do train and use them all the time but the real winners for me are the narrow focus tools. It really depends on what type of clients you are serving and what the deliverables are.
I recently took the Guidance Computer Forensics II and EnCE Prep classes. I'd estimate that 50% of the instruction covered using EnCase to do analysis where EnCase would be my last, not first, choice of the best tool for the job. Registry, internet, and email analysis were the major topics that come to mind at the moment.
These days I'm often working in a task specific tool while keeping EnCase open to verify results, extract files, and document findings.
-David
I could walk to the shops every time I need food and carry the bags back, but prefer to drive. Or perhaps I should have a farm in my back yard and grow my own food?
The analogy you're trying to use doesn't really apply here, per se, as it assumes a one-to-one correlation between commercial and open-source/freeware tools. This simply isn't the case…one set of tools gives you a capability that the other doesn't, and vice versa. Therefore, the analogy of just "food", in general, really doesn't apply here.
The point of me offering up freeware and open-source as an alternative is to allow for a thorough understanding of what's going on under the hood when an analyst clicks a button in a commercial application. How many analysts really understand what "file signature analysis" consists of, as well as the shortcomings of how this is achieved in commercial tools?
Take timeline creation and analysis for example. While EnCase has some modicum of this, I'm not aware of a commercial tool that incorporates Event Log records, file system metadata, Registry data, Recycle Bin and Prefetch artifacts, web browsing artifacts, etc., all into a single timeline for viewing and analysis.
Like you, I drive to the store to get food. However, if there's something particular that I can't get at the location I normally shop, or if the item I want is located only at one particular store, then I will drive there.
I'm not against commercial tools, and I'm not espousing the use of only open-source tools. I am suggesting that if monetary cost is an issue, then perhaps paying the price of time may be a way to save money.
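To make the "under the hood" point concrete, here is an added illustration of what a file signature analysis pass actually does, written as example code for this thread and not taken from any of the tools discussed. The signature table, alias map and sample file headers are constructed for the example (a real table carries thousands of entries, with offsets and trailers); the samples are chosen to show the shortcomings the post alludes to: formats that share a header, files with no signature at all, and a valid signature that sits a few bytes past offset zero and is therefore missed by a header-only check.

```python
from typing import Dict, List, Set, Tuple

# Constructed subset of a signature table (assumption: header-only, offset 0 matching,
# which is exactly the simplification many point-and-click checks make).
SIGNATURES: Dict[str, List[bytes]] = {
    "jpg":  [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],   # OOXML documents are ZIP containers: same header as .zip
    "exe":  [b"MZ"],           # every PE file starts this way, whatever its extension
}
# Extensions that legitimately share a signature with another table entry.
ALIASES = {"jpeg": "jpg", "dll": "exe", "sys": "exe", "scr": "exe"}


def identify(data: bytes) -> Set[str]:
    """Return every table entry whose header bytes match the start of the data.
    More than one hit means the signature alone cannot decide the type."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(data.startswith(m) for m in magics)}


def signature_check(filename: str, data: bytes) -> str:
    """Classify a file the way a signature-analysis pass does: compare the extension
    the name claims against what the header bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = ALIASES.get(ext, ext)
    matches = identify(data)
    if not matches:
        return "unknown"      # no table entry: plain text, many raw formats, encrypted data
    if ext in matches:
        return "match"
    return "mismatch"         # header says one thing, the extension another


# Constructed sample files (first bytes only; the rest is irrelevant to the check).
SAMPLES: List[Tuple[str, bytes]] = [
    ("photo.jpg",    b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.pdf",   b"MZ\x90\x00\x03\x00\x00\x00"),    # a PE file carrying a .pdf name
    ("notes.txt",    b"meeting at 10\r\n"),             # plain text has no signature
    ("archive.zip",  b"PK\x03\x04\x14\x00\x00\x00"),
    ("invoice.docx", b"PK\x03\x04\x14\x00\x00\x00"),    # identical header to the .zip
    ("photo2.jpg",   b"\x00\x00\xff\xd8\xff\xe0JFIF"),  # JPEG after two bytes of padding
]


def run_samples() -> Dict[str, str]:
    """Map each sample name to its classification."""
    return {name: signature_check(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} {verdict:9} candidates={sorted(identify(dict(SAMPLES)[name]))}")
```

Three things the output shows that a green or red icon in a GUI does not: `invoice.docx` is reported as a match only because the table lists the ZIP header under both names, so the check never looked inside the container; `notes.txt` lands in "unknown", a bucket that silently absorbs every format without a fixed header; and `photo2.jpg` is also "unknown" because the check only looks at offset zero, so a file with a short leading pad passes as untyped rather than as an image. Knowing these limits is what lets an examiner decide when to follow up with a content-based check rather than trusting the column.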
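The single-timeline idea in the post above is easy to state and fiddly in practice, because every artifact source stores time differently. The following added example (written for this thread, not code from any tool or from the post's author) normalises a handful of constructed records into one UTC timeline: NTFS MACB timestamps, a Registry key LastWrite and a Prefetch last-run time are all Windows FILETIME values (100 ns ticks since 1601), an exported Event Log record is an ISO-8601 string, a Chrome history entry is in WebKit microseconds since 1601, and a Recycle Bin $I record carries another FILETIME. All paths, SIDs, hashes and times are invented for illustration; `to_filetime` exists only to construct the sample records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """Windows FILETIME (NTFS timestamps, Registry LastWrite, Prefetch last-run):
    100-nanosecond ticks since 1601-01-01 UTC. Python keeps microseconds, so // 10."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    """Inverse of from_filetime; used here only to build the constructed samples."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def from_webkit(us: int) -> datetime:
    """Chrome/WebKit history timestamps: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=us)


def from_iso(s: str) -> datetime:
    """Exported Event Log records: ISO-8601 with a trailing Z (UTC)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(order=True)
class Event:
    when: datetime      # first field, so sorted() orders by time
    source: str
    detail: str


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# ---- Constructed sample artifacts (illustrative values, not from any real case) ----
FILESYSTEM = [  # (path, {M, A, C, B} as FILETIME)
    ("C:\\Users\\alice\\Downloads\\setup.exe", {
        "M": to_filetime(utc(2020, 1, 15, 10, 2, 5)),
        "A": to_filetime(utc(2020, 1, 15, 10, 2, 30)),
        "C": to_filetime(utc(2020, 1, 15, 10, 2, 5)),
        "B": to_filetime(utc(2020, 1, 15, 10, 2, 5))}),
]
EVENTLOG = [("2020-01-15T10:02:31Z", 4688, "Process created: setup.exe")]
REGISTRY = [("HKU\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
             to_filetime(utc(2020, 1, 15, 10, 2, 40)))]
PREFETCH = [("SETUP.EXE-1A2B3C4D.pf", to_filetime(utc(2020, 1, 15, 10, 2, 32)), 1)]
BROWSER = [((utc(2020, 1, 15, 10, 1, 50) - EPOCH_1601) // timedelta(microseconds=1),
            "http://downloads.example/setup.exe")]
RECYCLE_BIN = [("$IABC123.exe", to_filetime(utc(2020, 1, 15, 10, 5, 0)),
                "C:\\Users\\alice\\Downloads\\setup.exe")]


def build_timeline() -> List[Event]:
    """Convert every source to UTC datetimes and merge into one ordered list."""
    events: List[Event] = []
    for path, macb in FILESYSTEM:
        for flag, ft in macb.items():
            events.append(Event(from_filetime(ft), "filesystem", f"{flag} {path}"))
    for ts, eid, msg in EVENTLOG:
        events.append(Event(from_iso(ts), "eventlog", f"EID {eid}: {msg}"))
    for key, ft in REGISTRY:
        events.append(Event(from_filetime(ft), "registry", f"LastWrite {key}"))
    for name, ft, count in PREFETCH:
        events.append(Event(from_filetime(ft), "prefetch", f"{name} last run (count={count})"))
    for us, url in BROWSER:
        events.append(Event(from_webkit(us), "browser", f"visit {url}"))
    for iname, ft, original in RECYCLE_BIN:
        events.append(Event(from_filetime(ft), "recyclebin", f"{iname} deleted {original}"))
    return sorted(events)


if __name__ == "__main__":
    for e in build_timeline():
        print(e.when.isoformat(), e.source.ljust(10), e.detail)
```

Run as-is it prints the nine events in order: the download visit, the file's creation (B, C and M agreeing), its first access, the process-creation event, the Prefetch run, the Run-key write, and finally the deletion. The merge itself is a sort; the work is in the three epoch conversions, and getting one of them wrong shifts a whole artifact class by years, which is why it pays to know which function produced each column before trusting what a tool displays.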
Ditto here on your points.
We have FTK but I (by personal choice) primarily use it to build those nice reports to burn to CD. I use Encase as my weapon of choice but will default to command-line tools or task specific tools for verifying hashes, file headers etc. In the AccessData products I use their Registry tools to build annotated reports but also confirm specific items with other registry hive tools. I believe that a mix of tools is a good thing if you can afford it.
I think if it was my money I was spending I would likely buy Xways forensics just to leverage the cost-benefit ratio over some of the more pervasive products. I am a Mac guy at home and if I was starting up a practice I would consider MacForensics Lab. Even though the name is "Mac…" the tool is cross-platform and works under Windows as well. I have had the opportunity to try it and it is very Encase-like. The price is quite reasonable, so I would likely buy this kit in addition to Xways.
On the open-source/freeware side:
I have tried Autopsy and it seems quite capable but I am on the Sleuth Kit mailing list and you need to monitor the bugs that show up pretty closely.
Still haven't had the opportunity to try whatever tools Harlan has in his latest edition (plug intended) but I am sure that they are excellent.
X Ways Forensic = 1,088.12 USD
I'm selling FTK 1.8 for 1200
and another person is selling 2 copies of 3.0 for 3500 or 3000 can't remember which.
Harlan,
Not everyone needs event log information, prefetch analysis, perl scripting, etc. You pop in frequently on issues having to do with you being able to do investigations with freeware or things you write yourself.
Not everyone can do this and for those people (which are in the majority) FTK and Encase offer what is needed.
You post about intrusions, pen testing, and related items, but don't post much about other more frequent cases which the average examiner would encounter. I would assume that you don't post about legal type issues because that is not your area of expertise, much the same as perl scripting, freeware or shareware registry analysis, and such are not others' area of expertise.
X-ways forensic would be my choice if I had to buy a tool from my own pocket. It is stable and versatile. If you can get on Stefan's training, you should be up and running in no time (provided you know what you're doing with the tool). You can always add freeware tools into your forensic arsenal later.
The good thing about individuals like Harlan is that they give the rest of us other options to consider. That does not mean everyone needs to roll their own tool kits and write custom code. However, to not be sensitive to the fact that there are other ways to understand the problem is counterproductive to whatever you do professionally.
Thanks.
I do the same as Beetle and Harlan is absolutely correct when he says the analyst is the one who has to build the timeline. It is pretty much equivalent to a "get evidence button" and I don't see it ever happening because each case is different. The timeline is specific to the case and the evidence you are looking for and it is up to the analyst to assemble it. Think of it as job security! I love FTK but I don't use it for everything and I always supplement it with other tools. For instance I prefer to look at my internet history in a spreadsheet. I just find it easier to read when I am going through hundreds of entries.
One other thought which is, don't forget that if you wind up working civil or criminal cases your tools are going to get challenged in court. Open source tools are more vulnerable to attack by the opposition than commercial tools that are standardized. I don't know if the tools you seek are for learning or if you are building a lab to work for yourself.
Reedsie,
Some years ago I was in the same situation as you and my choice was X-Ways. I paid for it from my own pocket.
I think it's a monetary question; you also have to consider the license renewals every year. Who wants to use a tool which is out of date?!
I agree with all the others that it is no problem to do analysis using free or open source tools, I use a lot of them, but it's more comfortable to use a commercial tool.
IMHO XWF is a great tool as it has its seeds in WinHex (a hex editor) and you stay a little closer to the bits and bytes than in other commercial tools.
jot49
Harlan,
Not everyone needs event log information, prefetch analysis, perl scripting, etc. You pop in frequently on issues having to do with you being able to do investigations with freeware or things you write yourself.
Not everyone can do this and for those people (which are in the majority) FTK and Encase offer what is needed.
Oh, I understand…really, I do. I see that all the time…"I can't do this because I don't have EnCase…".
I post on this stuff, and I even post THE stuff itself, because there have to be options. Sure, you may not need the information or analysis for your exams, but at least you know what's there and what's possible, right?
You post about intrusions, pen testing, and related items, but don't post much about other more frequent cases which the average examiner would encounter. I would assume that you don't post about legal type issues because that is not your area of expertise, much the same as perl scripting, freeware or shareware registry analysis, and such are not others' area of expertise.
I don't post (to my knowledge) about pen testing, but I do post about the type of work I do and have done. I may not be posting about what you see as what the average examiner would encounter…because maybe I'm not seeing that sort of thing.
What sort of thing is the average examiner encountering? Not long ago, I had a conversation with an LE examiner about things to look for before the defense played the "Trojan Defense" card…is that not what you're encountering?
Can you share something about what you're encountering?
Also, just to be clear, a LOT of the stuff I release that's based on Perl is also shipped as a Windows PE file, so that the examiner does NOT need to install Perl to use it.
Anyway, if I've completely missed the point of your post, I apologize. If there's something I can present or discuss that's more along the lines of what you're looking for, please…share it. Thanks.