The Real World Forensics
  • 1. The Real World: Forensics. EnCase vs FTK. By Justin McAnn and Frank Enfinger
  • 2. This is the true story of what happens when EnCase and The Ultimate Tool Kit are used on the same cases. Find out what happens when they stop being friendly and start getting real. The Real World: Forensics!
  • 3. Starring…
    - EnCase V4 FE, weighing in at $3600
    - EnCase Enterprise Edition, heavy weight division, $130K
    - Ultimate Forensic ToolKit V1.60, weighing in at $1695
  • 4. FTK 1.60
    - No progress bar
    - No multi-tasking
    - No scripting support
    - HFS (Mac) not supported
    - 2 million file limit
    - Image mounting…
  • 5. EnCase V4
    - No Outlook 2003 PST/OST support
    - No internal mail viewer
    - Rough-looking reports
    - No full indexing of the drive, live searches only
    - Customer support ???
  • 6. Kidnapping Case Scenario
    - Victim's mother reports kidnapping
    - Mother provides information about the minor in question
    - Victim's mother provides consent to search the computer
    - Computer is brought to the lab
  • 7. Forensic Methodology
    - Keyword search
    - Profiling
    - Gallery view
    - Email
    - Internet history
    - Instant messaging history
    - Carving
    - Report
  • 8. Keyword Searching
    FTK:
    - Full indexed search
    - Surrounding text search
    - Regular expression, GREP, hex…
    - Plain-text keyword import
    - Long pre-processing times!
    EnCase:
    - Live search only
    - Surrounding text search
    - Regular expression, GREP, hex…
    - Parallel text searching methods
    - Plain-text (paste) keyword import
  • 9. Full Index Searching - FTK
  • 10. Gallery View
    FTK:
    - Does not fit picture to window
    - No PSD (Photoshop) support
    - No AVI support (missing first frame)
    EnCase:
    - Constantly crashes on corrupt pictures
    - Gallery viewer not as efficient
  • 11. Email – FTK 1.60
  • 12. Email – EnCase V4
  • 13. Carving
    FTK:
    - Automated carving of 7 file types
    - Manual carving for any others
    - Adding additional automation not permitted (yet)
    EnCase:
    - All carving is automated
    - Can be done manually as well
    - Scripting allows easy carving for customized file types
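Slide 13 contrasts FTK's fixed set of seven automatically carved file types with EnCase's scripted carving of customized types. The following added example is not from the presentation or either vendor: it shows the core of header/footer signature carving over a constructed raw image, with a signature table that an examiner extends to add a custom type (JPEG and PNG signatures are the standard ones; the size bound and sample layout are assumptions).

```python
import hashlib
from typing import Dict, List, Tuple

# Signature table: file type -> (header, footer). Adding a custom type is one new entry.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

MAX_CARVE = 10 * 1024 * 1024  # assumed upper bound on one carved object, to stop runaway carves


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_CARVE) -> List[dict]:
    """Return carved objects (type, offset, size, sha1) found by header/footer matching."""
    results = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            # Look for the footer after the header, but only within the size bound.
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                # Orphan header (no footer in range): skip it and keep scanning.
                pos = start + 1
                continue
            end += len(footer)
            data = image[start:end]
            results.append({"type": ftype, "offset": start, "size": len(data),
                            "sha1": hashlib.sha1(data).hexdigest()})
            pos = end  # resume after this object so nested matches are not double-counted
    results.sort(key=lambda r: r["offset"])
    return results


def build_sample_image() -> bytes:
    """Constructed sample: a JPEG and a PNG separated by zeroed unallocated space, plus an orphan header."""
    jpeg = b"\xFF\xD8\xFF\xE0" + b"JFIF-PAYLOAD" + b"\xFF\xD9"          # 18 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-CHUNKS" + b"IEND\xaeB`\x82"     # 27 bytes
    filler = b"\x00" * 64
    return filler + jpeg + filler + png + filler + b"\xFF\xD8\xFF"


if __name__ == "__main__":
    for obj in carve(build_sample_image()):
        print(obj)
```

Footer bytes can legitimately occur inside valid data (embedded thumbnails are a common cause), so carved objects should be validated by parsing them rather than trusted on signature alone.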
  • 14. Report
    FTK:
    - Dynamic HTML report
    - Easily customizable
    - Exportable gallery view
    EnCase:
    - Difficult customization
    - Static content makes BIG reports
    - Exportable to RTF
  • 15. Corporate Hacker
    - System administrator reports root accounts being locked
    - Logs provided from servers pointing to attacker system address
    - System is tracked to location and confiscated
    - Computer is brought to the lab
  • 16. Forensic Methodology
    - Time lines
    - Registry review
    - Mount and scan
    - Hash sets
    - Application logs
    - EnScripts
  • 17. Time Line
    - EnCase: Timeline
    - FTK: No timeline except for sorting columns
  • 18. Registry Review - EnCase
  • 19. Registry Viewer - FTK
  • 20. Image Mounting
    - FTK: None. Pulls files out individually into temporary files (see file limits!), which are then scanned by antivirus if it is turned on.
    - EnCase: Can mount the image as a network drive or physical drive, read-only, which allows for virus scanning and exploring.
  • 21. Hash Sets
    FTK:
    - Uses "Known File Filters"
    - Can import NSRL hash sets
    - Can create individual sets to check against the case
    EnCase:
    - Has the same features
    - Does not have to "re-index" in order to apply a hash list; the case only needs to be hashed once
  • 22. Application Logs
    - Built-in support for application logs: Internet history (RTF, spreadsheet, HTML tables), Windows event logs
    - FTK: Converts Internet history to HTML only, without tables; Windows event logs
  • 23. Scripting
    - EnCase has full scripting abilities, allowing automation of reports, decryption, carving… anything
    - FTK currently has NO support for scripting
    - FTK handles some automation through other UTK components
  • 24. War Stories
    EnCase:
    - New versions buggy
    - Enterprise problems with Unix/Linux
    - EnCase upgrades cause older case files to no longer work
    FTK:
    - Hits the 2,000,000 file limit
    - Known "Common Areas" issue in Registry Viewer
    - Cannot open a case if the drive letter where the case data is located changes
  • 25. Summary
    - FTK: Less expensive, integrates with Logicube, Yahoo encryption support, suite of tools integrated, excellent email support, full text indexing.
    - EnCase: Enterprise version, Internet history support, user GUID support, all tools built in, amazing scripting power.
  • 26. Questions