The Real World Forensics

Post on 22-Nov-2014


The Real World: Forensics
EnCase vs FTK

By Justin McAnn and Frank Enfinger

This is the true story of when EnCase and The Ultimate Tool Kit are used on the same cases. Find out what happens when they stop being friendly and start getting real.

- The Real World: Forensics!

Starring…

EnCase V4 FE, weighing in at $3600

Enterprise Edition, Heavy Weight Division, $130K

Ultimate Forensic ToolKit V1.60, weighing in at $1695

FTK 1.60

- No Progress Bar
- No Multi-Tasking
- No Scripting Support
- HFS (Mac) Not Supported
- 2 Million File Limit
- Image Mounting…

EnCase V4

- No Outlook 2003 PST/OST Support
- No Internal Mail Viewer
- Rough Looking Reports
- No Full Indexing of the drive, Live Searches only
- Customer Support ???

Kidnapping Case Scenario

- Victim’s mother reports kidnapping
- Mother provides information about the minor in question
- Victim’s mother provides consent to search computer
- Computer is brought to the lab

Forensic Methodology

- Keyword Search
- Profiling
- Gallery View
- Email
- Internet History
- Instant Messaging History
- Carving
- Report

Keyword Searching

FTK

- Full Indexed Search
- Surrounding Text Search
- Regular Expression, GREP, Hex…
- Plain-Text Keyword Import
- Long pre-processing times!

EnCase

- Live Search Only
- Surrounding Text Search
- Regular Expression, Grep, Hex…
- Parallel Text Searching Methods
- Plain-Text (Paste) Keyword Import

Full Index Searching - FTK

Gallery View

FTK

- Does not fit picture to window
- No PSD (Photoshop) Support
- No AVI Support (Missing First Frame)

EnCase

- Constantly crashes on corrupt pictures
- Gallery Viewer not as efficient

Email – FTK 1.60

Email – EnCase V4

Carving

FTK

- Automated Carving of 7 File Types
- Manual Carving for any others
- Adding additional automation not permitted (yet)

EnCase

- All Carving is Automated
- Can be done manually as well
- Scripting allows easy carving for customized file types
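To make the carving comparison concrete, here is an added example (not EnCase or FTK code) of header/footer signature carving over a constructed raw image: the built-in table stands in for a fixed set of automated types, a custom type is added as one more table entry (the hypothetical "ACME" format is invented for the example), and a header with no footer is carved but flagged incomplete.

```python
import hashlib
from dataclasses import dataclass
# Built-in header/footer table, the way a carver ships with a fixed set of types.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_len": 10 * 1024 * 1024},
    "pdf": {"header": b"%PDF-", "footer": b"%%EOF", "max_len": 50 * 1024 * 1024},
}
# Adding a custom type is one more table entry (hypothetical "ACME" container format).
CUSTOM_SIGNATURES = {**SIGNATURES,
                     "acme": {"header": b"ACME\x01", "footer": b"\x01EMCA", "max_len": 4096}}
@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    complete: bool  # False when no footer was found within max_len (partial/overwritten file)
    @property
    def md5(self) -> str:  # hash the carved object once so it can be matched against hash sets
        return hashlib.md5(self.data).hexdigest()

def carve(image: bytes, signatures: dict = SIGNATURES) -> list:
    """Find every header in image; slice up to and including its footer, or to max_len."""
    results = []
    for kind, sig in signatures.items():
        pos = image.find(sig["header"])
        while pos != -1:
            window = image[pos:pos + sig["max_len"]]
            end = window.find(sig["footer"], len(sig["header"]))
            if end == -1:  # header without footer: keep the window but flag it incomplete
                results.append(Carved(kind, pos, window, False))
                pos = image.find(sig["header"], pos + len(sig["header"]))
            else:
                end += len(sig["footer"])
                results.append(Carved(kind, pos, window[:end], True))
                pos = image.find(sig["header"], pos + end)
    return sorted(results, key=lambda c: c.offset)

# Constructed sample image: filler, a JPEG, a PDF, an ACME object, then a JPEG header
# whose footer is missing (as in slack space or a partially overwritten file).
JPEG_BLOB = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
PDF_BLOB = b"%PDF-1.4\n" + b"P" * 60 + b"\n%%EOF"
ACME_BLOB = b"ACME\x01" + b"A" * 16 + b"\x01EMCA"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"T" * 20
SAMPLE_IMAGE = (b"\x00" * 100 + JPEG_BLOB + b"\x00" * 50 + PDF_BLOB + b"\x00" * 30
                + ACME_BLOB + b"\x00" * 30 + TRUNCATED_JPEG + b"\x00" * 10)
if __name__ == "__main__":
    for c in carve(SAMPLE_IMAGE, CUSTOM_SIGNATURES):
        print(f"{c.kind:5} @0x{c.offset:06x} {len(c.data):3d} bytes complete={c.complete} md5={c.md5}")
```

Without the custom entry the ACME object is simply missed, which is the gap that manual carving or scripting has to close.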

Report

FTK

- Dynamic HTML report
- Easily customizable
- Exportable Gallery View

EnCase

- Difficult Customization
- Static Content makes BIG reports
- Exportable to RTF

Corporate Hacker

- System Administrator reports root accounts being locked
- Logs provided from servers pointing to attacker system address
- System is tracked to location and confiscated
- Computer is brought to the lab

Forensic Methodology

- Time Lines
- Registry Review
- Mount and Scan
- Hash Sets
- Application Logs
- EnScripts

Time Line

- EnCase Timeline
- FTK – No Timeline except for sorting columns

Registry Review - EnCase

Registry Viewer - FTK

Image Mounting

FTK – None. Pulls files out individually into temporary files (see file limits!), which are then scanned by antivirus if it is turned on.

EnCase can mount an image as a Network Drive or Physical Drive.

Read Only – allows for virus scanning and exploring.

Hash Sets

FTK

- Uses “Known File Filters”
- Can import NSRL Hash Sets
- Can create individual sets to check against case

EnCase

- Has the same features
- Does not have to “re-index” in order to apply a Hash List. The case only needs to be hashed once.

Application Logs

- Built-In Support for Application Logs
- Internet History: RTF, Spreadsheet, HTML (Tables)
- Windows Event Logs

FTK

- Converts Internet History to HTML only, without tables
- Windows Event Logs

Scripting

EnCase has full scripting abilities. Allows automation of reports, decryption, carving… anything.

FTK currently has NO support for scripting. FTK handles some automation through other UTK components.

War Stories

- EnCase New Versions Buggy
- Enterprise problems with Unix/Linux
- EnCase upgrades cause older case files to no longer work
- FTK hits 2,000,000 file limit
- FTK has known “Common Areas” issue in Registry Viewer
- FTK cannot open case if drive letter changes where case data is located

Summary

FTK: Less Expensive, Integrates with Logicube, Yahoo Encryption Support, suite of tools integrated. Excellent Email Support, Full Text Indexing.

EnCase: Enterprise version, Internet History Support, User GUID support. All tools built in. Amazing Scripting Power.

Questions