
Winhex or FTK?

TMD22
(@tmd22)
Eminent Member
Joined: 20 years ago
Posts: 41
Topic starter  

Hi all,

New to the forum and enjoying all the info. I am starting my own computer forensic service and have been trained using part FTK and other course-supplied software.

I have also checked out, and asked around about WinHex and found it is popular also. I am asking all professionals what their opinion is of FTK and Winhex and which one should I choose to use for examinations.

All input welcome and appreciated

Mark


   
Quote
arashiryu
(@arashiryu)
Estimable Member
Joined: 20 years ago
Posts: 122
 

Welcome to the forum.

I use them both and they are solid products. Both have pros and cons over each other. So it really depends on the case or the evidence you are up against. I recommend to have both of them handy.

Real life experience/scenario. In one case I was cross-examined / challenged with "how do you know that your forensic tool did not have an anomaly or false positive?"
I was able to respond by stating that I analyzed the evidence with two different forensic products and the results were identical and thus validated. It is a good practice to cross-check your findings with an additional forensic tool to demonstrate that your examination was thorough and your findings are solid.


   
ReplyQuote
TMD22
(@tmd22)
Eminent Member
Joined: 20 years ago
Posts: 41
Topic starter  

Thanks for your input.

Do you recommend training for either, or both, on how to use the software?

Thanks again


   
ReplyQuote
arashiryu
(@arashiryu)
Estimable Member
Joined: 20 years ago
Posts: 122
 

WinHex is pretty straightforward. It has a good built-in help feature. If you have a licensed version, they have extremely good support via e-mail and forums. A lot of updates, though, but mostly add-ons, not problem-related.

I hear FTK training is good as well. A little pricey. I learnt on my own by creating my own scenarios.

For example, I wanted to know more about Yahoo/AOL/Hotmail chat, web mail etc. behaviour and functionality. How it stores info, what it does with deleted info etc. So I created a Yahoo/AOL/Hotmail mail and chat account and started using it like an average user would. After a few weeks I created a forensic image and analyzed the results with FTK, WinHex, E-Mail Examiner by Paraben and other tools.
Interesting and consistent results with both programs. FTK has stronger email features. Paraben E-Mail Examiner worked well with MS Outlook pst files. Had fun doing it as well. Use the same for AOL, Hotmail etc. I even ask my friends to challenge me with stuff by creating scenarios for me.
So basically use the various tools on a dummy case and document the results, strengths and weaknesses etc. and file them. The more diverse experience you get, the better you get. Key is patience and diligence.

I am testing stuff in VPC and VM right now.

I am getting in CHAT mode. Time to fold for the evening ;~)


   
ReplyQuote
TMD22
(@tmd22)
Eminent Member
Joined: 20 years ago
Posts: 41
Topic starter  

Interesting stuff, thanks again. I too believe all methods should be "personally evaluated" as you are doing for credibility and training purposes.

Have you heard of the "Digital Detective" email examining program? I have tried it and found it to be very good; however, the WinHex email examiner seems to do the same job at a cheaper price.

Have you used Digital Detective, and what are your thoughts on it as opposed to WinHex?

Have a good one

Mark


   
ReplyQuote
 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
 

Digital Detective? Do you mean NetAnalysis? This is a forensic tool for examining Internet history records, written by Craig Wilson from the UK. IMHO it is the best program available for the task and a must for any FC practitioner's toolkit, and Craig is one of the UK's leading practitioners.

Digital Detective is the name of Craig's site www.digital-detective.co.uk .

Its use is not for email, although history records can show webmail activity.

I am aware that Craig is currently developing a tool to extract email artefacts, but it's not available at the moment.

Andy


   
ReplyQuote
TMD22
(@tmd22)
Eminent Member
Joined: 20 years ago
Posts: 41
Topic starter  

That's it, NetAnalysis. It was highly recommended at my forensic training. Does WinHex X-Trace do the same things that NetAnalysis performs?

Thanks again,

Mark


   
ReplyQuote
 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
 

I downloaded the demo version of X-Trace after reading your post. I had not heard of it prior to this. Yes indeed, the software does handle index.dat files and allows examination.

It does not really compare to NetAnalysis, and I've seen freeware products that do much of the same. NetAnalysis does much more, such as reconstruction of webpages and filtering for Internet search terms, paedophilia, website offline storage, logins and passwords. Importantly for me, NetAnalysis produces a comprehensive report. I use it with almost every case I deal with. A nice feature is the 'History Extractor' tool (that comes with NetAnalysis), which will find history records in the unallocated clusters. On a recent case I found about 5000 live Internet history records; the extractor tool revealed an extra 300,000.

X-Trace, I think, is a product that complements the X-Ways Forensics tool, which is another forensic program similar to EnCase and FTK. X-Ways Forensics is a very good forensic tool (I like it and also use it regularly) at a fraction of the cost of the other main players.

I think most examiners/practitioners will say that you need more than one main forensic tool, mainly in order to compare and validate results. So my advice to the question "WinHex or FTK?" would be: if you can, buy both.

Andy


   
ReplyQuote
TMD22
(@tmd22)
Eminent Member
Joined: 20 years ago
Posts: 41
Topic starter  

Thanks Andy

I had planned on doing just that. I appreciate your help and obvious forensic knowledge. This forum has some very dedicated professionals, and I like this.

Mark


   
ReplyQuote
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

arashiryu, what do you consider a little pricey? FTK is half the price of EnCase training and only a little more than WinHex. While testing and verifying the results yourself is really nice, you can't put that on your CV, and prospective clients won't give it that much weight at all.


   
ReplyQuote
Page 1 / 2