The Real World Forensics


  1. The Real World: Forensics – EnCase vs FTK
     By Justin McAnn, Frank Enfinger
  2. This is the true story of when EnCase and The Ultimate Tool Kit are used on the same cases. Find out what happens when they stop being friendly and start getting real. – The Real World: Forensics!
  3. Starring…
     • EnCase V4 FE – weighing in at $3600
     • EnCase Enterprise Edition (heavyweight division) – $130K
     • Ultimate Forensic ToolKit V1.60 – weighing in at $1695
  4. FTK 1.60
     • No progress bar
     • No multi-tasking
     • No scripting support
     • HFS (Mac) not supported
     • 2 million file limit
     • Image mounting…
  5. EnCase V4
     • No Outlook 2003 PST/OST support
     • No internal mail viewer
     • Rough-looking reports
     • No full indexing of the drive – live searches only
     • Customer support ???
  6. Kidnapping Case Scenario
     • Victim’s mother reports kidnapping
     • Mother provides information about the minor in question
     • Victim’s mother provides consent to search computer
     • Computer is brought to the lab
  7. Forensic Methodology
     • Keyword search
     • Profiling
     • Gallery view
     • Email
     • Internet history
     • Instant messaging history
     • Carving
     • Report
  8. Keyword Searching
     FTK
     • Full indexed search
     • Surrounding text search
     • Regular expression, GREP, hex…
     • Plain-text keyword import
     • Long pre-processing times!
     EnCase
     • Live search only
     • Surrounding text search
     • Regular expression, GREP, hex…
     • Parallel text searching methods
     • Plain-text (paste) keyword import
  9. Full Index Searching – FTK
  10. Gallery View
     FTK
     • Does not fit picture to window
     • No PSD (Photoshop) support
     • No AVI support (missing first frame)
     EnCase
     • Constantly crashes on corrupt pictures
     • Gallery viewer not as efficient
  11. Email – FTK 1.60
  12. Email – EnCase V4
  13. Carving
     FTK
     • Automated carving of 7 file types
     • Manual carving for any others
     • Adding additional automation not permitted (yet)
     EnCase
     • All carving is automated
     • Can be done manually as well
     • Scripting allows easy carving for customized file types
  14. Report
     FTK
     • Dynamic HTML report
     • Easily customizable
     • Exportable gallery view
     EnCase
     • Difficult customization
     • Static content makes BIG reports
     • Exportable to RTF
  15. Corporate Hacker
     • System administrator reports root accounts being locked
     • Logs provided from servers pointing to attacker system address
     • System is tracked to location and confiscated
     • Computer is brought to the lab
  16. Forensic Methodology
     • Time lines
     • Registry review
     • Mount and scan
     • Hash sets
     • Application logs
     • EnScripts
  17. Time Line
     • EnCase – Timeline
     • FTK – No timeline except for sorting columns
  18. Registry Review – EnCase
  19. Registry Viewer – FTK
  20. Image Mounting
     • FTK – None. Pulls files out individually into temporary files (see file limits!), which are then scanned by antivirus if it is turned on.
     • EnCase – Can mount the image as a network drive or physical drive, read only. Allows for virus scanning and exploring.
  21. Hash Sets
     FTK
     • Uses “Known File Filters”
     • Can import NSRL hash sets
     • Can create individual sets to check against the case
     EnCase
     • Has the same features
     • Does not have to “re-index” in order to apply a hash list; the case only needs to be hashed once
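As an added illustration of the “hash once, apply hash lists separately” point on this slide (example code written for this page, not EnCase or FTK code): the evidence tree is hashed a single time, and a constructed NSRL-style known-file list plus a case-specific alert list are then applied to the stored hashes without reading the files again. The sample files and the NSRL column layout used here are assumptions.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

def hash_tree(root):
    """Hash every file under root exactly once; return {relative path: sha1}."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            # Evidence is read here and nowhere else in this script.
            manifest[path.relative_to(root).as_posix()] = hashlib.sha1(path.read_bytes()).hexdigest()
    return manifest

def load_nsrl_sha1(text):
    """Collect the SHA-1 column of an NSRL RDS-style CSV (header row first)."""
    return {row["SHA-1"].lower() for row in csv.DictReader(io.StringIO(text))}

def apply_hash_sets(manifest, ignore_sha1, alert_sha1):
    """Classify from the stored hashes only; no evidence file is re-read or re-indexed."""
    verdicts = {}
    for rel, sha1 in manifest.items():
        if sha1 in alert_sha1:
            verdicts[rel] = "alert"    # case-specific notable file
        elif sha1 in ignore_sha1:
            verdicts[rel] = "known"    # known-good, filtered out of review
        else:
            verdicts[rel] = "unknown"  # still needs examiner attention
    return verdicts

def demo():
    """Constructed evidence tree: hash once, then apply two independent hash sets."""
    files = {
        "Windows/notepad.exe": b"constructed stand-in for an OS binary",
        "Users/kid/chat.log": b"constructed chat transcript",
        "Users/kid/tool.exe": b"constructed stand-in for a notable file",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_bytes(data)
        manifest = hash_tree(root)
    # Constructed NSRL-style row for the OS binary; not a real RDS entry.
    os_sha1 = hashlib.sha1(files["Windows/notepad.exe"]).hexdigest().upper()
    nsrl_csv = ('"SHA-1","MD5","CRC32","FileName","FileSize"\n'
                f'"{os_sha1}","-","-","notepad.exe","0"\n')
    alert = {hashlib.sha1(files["Users/kid/tool.exe"]).hexdigest()}
    return apply_hash_sets(manifest, load_nsrl_sha1(nsrl_csv), alert)
```

Swapping in a different NSRL release or a new alert list only re-runs apply_hash_sets over the manifest; the evidence itself is never hashed a second time.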
  22. Application Logs
     • Built-in support for application logs
       – Internet history: RTF, spreadsheet, HTML (tables)
       – Windows event logs
     • FTK converts internet history to HTML only, without tables
       – Windows event logs
  23. Scripting
     • EnCase has full scripting abilities – allows automation of reports, decryption, carving… anything
     • FTK currently has NO support for scripting
     • FTK handles some automation through other UTK components
  24. War Stories
     EnCase
     • New versions buggy
     • Enterprise problems with Unix/Linux
     • EnCase upgrades cause older case files to no longer work
     FTK
     • Hits the 2,000,000 file limit
     • Has a known “Common Areas” issue in Registry Viewer
     • Cannot open a case if the drive letter changes where the case data is located
  25. Summary
     • FTK – Less expensive, integrates with Logicube, Yahoo encryption support, suite of tools integrated. Excellent email support, full text indexing.
     • EnCase – Enterprise version, internet history support, user GUID support. All tools built in. Amazing scripting power.
  26. Questions
