 

What software do "you" use for Computer Forensics?

32 Posts
18 Users
0 Reactions
2,793 Views
(@matti)
New Member
Joined: 19 years ago
Posts: 2
 

Hi All

Just wondering whether anyone has found any discrepancies while verifying results with a second forensic software tool, e.g. FTK or X-Ways, after using EnCase as a primary tool? If so, what actions were taken?

Any feedback is very much appreciated.

Thanks!
Matt


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

What kind of discrepancies?


   
(@newblueblood)
New Member
Joined: 15 years ago
Posts: 4
 

Jason,

I spent 4 years as a broke college kid assembling a free forensic toolkit.

As mentioned above, FTK Imager is free, and the free demo version of FTK will do up to 5,000 items in a case. Harlan mentioned The Sleuth Kit, and I'd recommend Autopsy on top of that as a GUI with additional functionality.

There are also a ton of tools that focus on specific forensic ideas or file types. Volatility does a great job with memory analysis, Wireshark does packet capture/analysis, and RegRipper handles registry analysis. There are a ton out there; you just have to track them down. Harlan's blog is where I found most of the tools I used.


   
(@Anonymous 15228)
Guest
Joined: 15 years ago
Posts: 75
 

Purdue teaches FTK, EnCase, Filehound, Device Seizure, and a whole slew of other more specialized software packages (BitPim, MobilEdit, etc.).

I personally prefer FTK.


   
 96hz
(@96hz)
Estimable Member
Joined: 17 years ago
Posts: 143
 

Just wondering whether anyone has found any discrepancies while verifying results with a second forensic software tool, e.g. FTK or X-Ways, after using EnCase as a primary tool? If so, what actions were taken?

I have seen EnCase and FTK interpret a disk differently; in one case, EnCase added an NTFS partition at sector 63, which was in fact an old deleted partition.

I have also on odd occasions seen file status descriptions (e.g. deleted) differ between the 2 tools.


   
ehuber
(@ehuber)
Trusted Member
Joined: 17 years ago
Posts: 91
 

I have seen EnCase and FTK interpret a disk differently; in one case, EnCase added an NTFS partition at sector 63, which was in fact an old deleted partition.

I have also on odd occasions seen file status descriptions (e.g. deleted) differ between the 2 tools.

I've had a situation where Popular Forensic Tool A and Popular Forensic Tool B disagreed on the location of a group of files of interest located on a Windows\NTFS image I was examining. It was easy enough to just manually parse the MFT to determine which one got it right and which one got it wrong.

This is why you need to learn how to do these sorts of things by hand. It's fine to use multiple tools to validate your findings, but what happens when those tools disagree? How are you going to determine which tool is giving you the correct information… or that either tool is giving you the correct information?


   
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

As a part-timer...

RegRipper
Windows Forensic Analysis (the book plus the utilities which Harlan provides with the book) - my bible!
FTK Imager
NetAnalysis
LinkAlyzer
Tableau Write-Blocking Kit
Digital Camera (with Text function for getting good pics of serial numbers)
EasyRecovery Professional (Kroll)
USBDeviceForensics (WoanWare)
Windows File Analyzer (MiTeC)
Windows Registry Recovery (MiTeC)

Plus a couple of non-standard tools I use
Metadataminer Catalogue - extracts most fields from (esp) MS Office docs into Excel allowing for filtering and sorting
Discovery Attender for Exchange (Sherpa Software) - use this for searching Exchange mailboxes, file stores, and PSTs; dates, addresses, content, filenames as attachments - versatile but slow due to no indexing
Mail Attender for Exchange (Sherpa Software) - use this primarily to strip attachments out of Mailboxes and PSTs and then run Metadataminer Catalogue against the output.

Why the above? Because we know there are certain Company and Author entries which we don't want to have on our systems due to potential Intellectual Property infringements. If we find something (esp in stripped-out attachments) then we go looking further. Not strictly in forensic mode but we could if we wanted to.

Have recently got FTK (full version) but don't use it to nearly its maximum due to the part-time nature of forensic duties. Every case seems to be a re-learning exercise.

Oh, and did I mention regularly looking at this forum? Great resource with great experienced people willing to share their experience.


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

This is why you need to learn how to do these sorts of things by hand. It's fine to use multiple tools to validate your findings, but what happens when those tools disagree? How are you going to determine which tool is giving you the correct information… or that either tool is giving you the correct information?

Agreed. Forensic tools are THEIR view of the data structure. It is a bit like light refraction (remember 7th grade earth science, right?) and looking at the fish in the lake. As you view the 0s and 1s, that data has to pass through a medium. What you are seeing in a GUI might be slightly off from what is there. You have to know how to look at/for the data in its most basic root form. The goal is to be able to look at the Matrix code falling down the screen and see the girl in the red dress without 3rd party interpretation.


   
 96hz
(@96hz)
Estimable Member
Joined: 17 years ago
Posts: 143
 

This is why you need to learn how to do these sorts of things by hand. It's fine to use multiple tools to validate your findings, but what happens when those tools disagree? How are you going to determine which tool is giving you the correct information… or that either tool is giving you the correct information?

Absolutely. It is also nice to find these 'discrepancies' once in a while because it reduces complacency; "well, it says it's there so it must be" is, as we all know, not always the case.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I am aware of a situation where 2 major CF tools can report different hashes for files recovered from deleted space because they seem to have used a different method to determine EOF.


   
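Both disagreements raised in this thread, tools differing on where a file sits on an NTFS image (ehuber's post) and tools reporting different hashes for recovered files because of how they decide EOF (patrick4n6's post), come down to reading the same on-disk structures by hand. The following is an added Python example, not code from any poster or tool: it parses a constructed MFT FILE record's non-resident $DATA attribute for its data runs, allocated size and real (EOF) size, recovers the clusters from a constructed image, and shows that hashing to the real size versus the allocated size gives different results. The record, image, file content and 512-byte cluster size are all constructed for the example.

```python
import hashlib
import struct
CLUSTER = 512  # bytes per cluster in the constructed image (an assumption for this example)

def build_mft_record():
    # Constructed MFT FILE record holding one non-resident, unnamed $DATA attribute.
    rec = bytearray(b"FILE" + bytes(1020))
    struct.pack_into("<H", rec, 0x14, 0x38)  # offset of the first attribute
    # $DATA header: type, length, non-resident, name len, name off, flags, id, start VCN, last VCN,
    # data-run offset, compression unit, padding, allocated size, real size (EOF), initialized size
    struct.pack_into("<IIBBHHHQQHHIQQQ", rec, 0x38, 0x80, 72, 1, 0, 0x40, 0, 0,
                     0, 0, 0x40, 0, 0, 512, 300, 300)
    rec[0x78:0x7C] = b"\x11\x01\x05\x00"  # one run: 1 cluster starting at LCN 5, then terminator
    struct.pack_into("<I", rec, 0x38 + 72, 0xFFFFFFFF)  # end-of-attributes marker
    return bytes(rec)

def parse_data_attribute(rec):
    """Return (allocated_size, real_size, [(lcn, cluster_count), ...]) of the unnamed $DATA attribute."""
    assert rec[:4] == b"FILE", "not an MFT FILE record"
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:
            raise ValueError("no non-resident unnamed $DATA attribute")
        if atype == 0x80 and rec[off + 8] == 1 and rec[off + 9] == 0:
            runs_off = struct.unpack_from("<H", rec, off + 0x20)[0]
            alloc, real = struct.unpack_from("<QQ", rec, off + 0x28)
            runs, pos, lcn = [], off + runs_off, 0
            while rec[pos] != 0:  # run header nibbles: byte widths of the length and offset fields
                len_sz, off_sz = rec[pos] & 0x0F, rec[pos] >> 4
                run_len = int.from_bytes(rec[pos + 1:pos + 1 + len_sz], "little")
                lcn += int.from_bytes(rec[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
                runs.append((lcn, run_len))
                pos += 1 + len_sz + off_sz
            return alloc, real, runs
        off += alen

def recover(image, rec, to_eof=True):
    # Read the clusters named by the data runs, then cut at real size (EOF) or keep the allocated tail (slack).
    alloc, real, runs = parse_data_attribute(rec)
    data = b"".join(image[lcn * CLUSTER:(lcn + n) * CLUSTER] for lcn, n in runs)
    return data[:real] if to_eof else data[:alloc]

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed 8-cluster image: 300 bytes of file content in cluster 5, followed by 212 slack bytes from older data.
CONTENT = (b"meeting notes " * 30)[:300]
IMAGE = b"\x00" * (5 * CLUSTER) + CONTENT + b"\xAA" * 212 + b"\x00" * (2 * CLUSTER)
RECORD = build_mft_record()
```

With to_eof=True the hash covers only the 300 content bytes; with to_eof=False the 212 slack bytes are hashed as well, which is the kind of EOF-dependent difference between tools that patrick4n6 describes.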
Page 2 / 4