The Real World: Forensics - EnCase vs FTK
By Justin McAnn and Frank Enfinger
This is the true story of when EnCase and The Ultimate Tool Kit are used on the same cases. Find out what happens when they stop being friendly and start getting real.
The Real World: Forensics!
Starring…
- EnCase V4 FE, weighing in at $3600
- Enterprise Edition, heavyweight division, $130K
- Ultimate Forensic ToolKit V1.60, weighing in at $1695
FTK 1.60
- No progress bar
- No multi-tasking
- No scripting support
- HFS (Mac) not supported
- 2 million file limit
- Image mounting…
EnCase V4
- No Outlook 2003 PST/OST support
- No internal mail viewer
- Rough-looking reports
- No full indexing of the drive; live searches only
- Customer support ???
Kidnapping Case Scenario
- Victim's mother reports kidnapping
- Mother provides information about the minor in question
- Victim's mother provides consent to search computer
- Computer is brought to the lab
Forensic Methodology
- Keyword search
- Profiling
- Gallery view
- Email
- Internet history
- Instant messaging history
- Carving
- Report
Keyword Searching
FTK
- Full indexed search
- Surrounding text search
- Regular expression, GREP, hex…
- Plain-text keyword import
- Long pre-processing times!
EnCase
- Live search only
- Surrounding text search
- Regular expression, GREP, hex…
- Parallel text searching methods
- Plain-text (paste) keyword import
Full Index Searching - FTK
Gallery View
FTK
- Does not fit picture to window
- No PSD (Photoshop) support
- No AVI support (missing first frame)
EnCase
- Constantly crashes on corrupt pictures
- Gallery viewer not as efficient
Email – FTK 1.60
Email – EnCase V4
Carving
FTK
- Automated carving of 7 file types
- Manual carving for any others
- Adding additional automation is not permitted (yet)
EnCase
- All carving is automated
- Can be done manually as well
- Scripting allows easy carving for customized file types
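As an added illustration (not code from the presentation or from either product), this is the header/footer signature carving that both tools automate for a fixed set of types and that EnCase scripting extends to custom types; the signature table and the sample "image" bytes are constructed for the demo.

```python
"""Signature-based file carver (added example; constructed signatures and data)."""
import re
from dataclasses import dataclass

# Header/footer pairs for three common types. This is an assumed, minimal
# table; real carvers ship far larger ones and validate structure as well.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF8", b"\x00;"),
}
MAX_CARVE = 10 * 1024 * 1024  # cut here when no footer is found


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes


def carve(image: bytes) -> list[Carved]:
    """Scan raw/unallocated bytes for known headers and cut at the matching footer."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            start = m.start()
            end = image.find(foot, start + len(head))
            # No footer (truncated or fragmented file): carve a bounded chunk.
            end = min(start + MAX_CARVE, len(image)) if end == -1 else end + len(foot)
            found.append(Carved(kind, start, image[start:end]))
    return sorted(found, key=lambda c: c.offset)


# Constructed sample image: slack, a JPEG-like blob, slack, a PNG-like blob, slack.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"JFIFdata" + b"\xff\xd9"
    + b"\x00" * 8
    + b"\x89PNG\r\n\x1a\n" + b"IHDRchunk" + b"IEND\xaeB`\x82"
    + b"\xff" * 4
)

if __name__ == "__main__":
    for c in carve(SAMPLE_IMAGE):
        print(f"{c.kind} @ {c.offset}: {len(c.data)} bytes")
```

Adding a type is one more entry in SIGNATURES, which is the kind of customization the slides say needs scripting in one tool and is not yet exposed in the other.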
Report
FTK
- Dynamic HTML report
- Easily customizable
- Exportable gallery view
EnCase
- Difficult customization
- Static content makes BIG reports
- Exportable to RTF
Corporate Hacker
- System administrator reports root accounts being locked
- Logs provided from servers pointing to attacker system address
- System is tracked to location and confiscated
- Computer is brought to the lab
Forensic Methodology
- Time lines
- Registry review
- Mount and scan
- Hash sets
- Application logs
- EnScripts
Time Line
- EnCase: timeline
- FTK: no timeline except for sorting columns
Registry Review - EnCase
Registry Viewer - FTK
Image Mounting
- FTK: none. Pulls files out individually into temporary files (*see file limits!), which are then scanned by antivirus if it is turned on.
- EnCase can mount an image as a network drive or physical drive
- Read only: allows for virus scanning and exploring
Hash Sets
- FTK uses "Known File Filters"
- Can import NSRL hash sets
- Can create individual sets to check against the case
- EnCase has the same features
- EnCase does not have to "re-index" in order to apply a hash list. The case only needs to be hashed once.
Application Logs
EnCase
- Built-in support for application logs
- Internet history: RTF, spreadsheet, HTML (tables)
- Windows event logs
FTK
- Converts internet history to HTML only, without tables
- Windows event logs
Scripting
- EnCase has full scripting abilities. Allows automation of reports, decryption, carving… anything.
- FTK currently has NO support for scripting
- FTK handles some automation through other UTK components
War Stories
- EnCase new versions buggy
- Enterprise problems with Unix/Linux
- EnCase upgrades cause older case files to no longer work
- FTK hits 2,000,000 file limit
- FTK has known "Common Areas" issue in Registry Viewer
- FTK cannot open case if the drive letter changes where case data is located
Summary
- FTK: less expensive, integrates with Logicube, Yahoo encryption support, suite of tools integrated. Excellent email support, full text indexing.
- EnCase: Enterprise version, internet history support, user GUID support. All tools built in. Amazing scripting power.
Questions