The Real World Forensics
Transcript of The Real World Forensics
![Page 1: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/1.jpg)
The Real World: Forensics
EnCase vs FTK
By Justin McAnn and Frank Enfinger
![Page 2: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/2.jpg)
This is the true story of when EnCase and The Ultimate Tool Kit are used on the same cases. Find out what happens when they stop being friendly and start getting real.
- The Real World: Forensics!
![Page 3: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/3.jpg)
Starring…
- EnCase V4 FE, weighing in at $3600
- Enterprise Edition, Heavy Weight Division: $130K
- Ultimate Forensic ToolKit V1.60, weighing in at $1695
![Page 4: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/4.jpg)
FTK 1.60
- No Progress Bar
- No Multi-Tasking
- No Scripting Support
- HFS (Mac) Not Supported
- 2 Million File Limit
- Image Mounting…
![Page 5: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/5.jpg)
EnCase V4
- No Outlook 2003 PST/OST Support
- No Internal Mail Viewer
- Rough Looking Reports
- No Full Indexing of the Drive
- Live Searches Only
- Customer Support ???
![Page 6: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/6.jpg)
Kidnapping Case Scenario
- Victim’s mother reports kidnapping
- Mother provides information about the minor in question
- Victim’s mother provides consent to search computer
- Computer is brought to the lab
![Page 7: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/7.jpg)
Forensic Methodology
- Keyword Search
- Profiling
- Gallery View
- Email
- Internet History
- Instant Messaging History
- Carving
- Report
![Page 8: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/8.jpg)
Keyword Searching
FTK
- Full Indexed Search
- Surrounding Text Search
- Regular Expression, GREP, Hex…
- Plain-Text Keyword Import
- Long pre-processing times!
EnCase
- Live Search Only
- Surrounding Text Search
- Regular Expression, Grep, Hex…
- Parallel Text Searching Methods
- Plain-Text (Paste) Keyword Import
![Page 9: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/9.jpg)
Full Index Searching - FTK
![Page 10: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/10.jpg)
Gallery View
FTK
- Does not fit picture to window
- No PSD (Photoshop) Support
- No AVI Support (Missing First Frame)
EnCase
- Constantly crashes on corrupt pictures
- Gallery Viewer not as efficient
![Page 11: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/11.jpg)
Email – FTK 1.60
![Page 12: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/12.jpg)
Email – EnCase V4
![Page 13: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/13.jpg)
Carving
FTK
- Automated Carving of 7 File Types
- Manual Carving for any others
- Adding additional automation not permitted (yet)
EnCase
- All Carving is Automated
- Can be done manually as well
- Scripting allows easy carving for customized file types
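The carving slide describes header/footer signature carving and the value of being able to add custom file types. The following is an added example (not code from the slides or from either product) of that technique: a signature table drives the carver, so a new type is one table entry. The sample "image" is a constructed byte buffer, not a real disk image.

```python
# Added example: minimal header/footer file carver over raw bytes.
# The SIGNATURES table is the extension point (compare: an EnScript for a custom type).
import re

# name -> (header bytes, footer bytes, maximum bytes to scan for the footer)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 10 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 10 * 1024 * 1024),
}

def carve(image: bytes, signatures=SIGNATURES):
    """Return (type, offset, carved_bytes) for every header whose footer lies
    within max_len bytes. The scan is byte-by-byte, so it does not depend on
    file system metadata and works on unallocated space too."""
    found = []
    for name, (header, footer, max_len) in signatures.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            window = image[start:start + max_len]
            end = window.find(footer, len(header))
            if end == -1:
                continue  # header without footer: a fragment, left for manual review
            end += len(footer)
            found.append((name, start, window[:end]))
    return sorted(found, key=lambda f: f[1])

# Constructed sample image: filler, a tiny fake JPEG, filler, a fake PNG,
# filler, and a JPEG header with no footer (should not be carved).
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"
    + b"\x11" * 8
    + b"\x89PNG\r\n\x1a\n" + b"IHDR...IDAT..." + b"IEND\xae\x42\x60\x82"
    + b"\x22" * 8
    + b"\xff\xd8\xff\xe1" + b"truncated"
)

if __name__ == "__main__":
    for kind, offset, data in carve(SAMPLE_IMAGE):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

Real images often contain embedded thumbnails and fragmented files, which is why a footer-within-window rule is a starting point rather than a complete carver.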
![Page 14: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/14.jpg)
Report
FTK
- Dynamic HTML report
- Easily customizable
- Exportable Gallery View
EnCase
- Difficult Customization
- Static Content makes BIG reports
- Exportable to RTF
![Page 15: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/15.jpg)
Corporate Hacker
- System Administrator reports root accounts being locked
- Logs provided from servers pointing to attacker system address
- System is tracked to location and confiscated
- Computer is brought to the lab
![Page 16: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/16.jpg)
Forensic Methodology
- Time Lines
- Registry Review
- Mount and Scan
- Hash Sets
- Application Logs
- EnScripts
![Page 17: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/17.jpg)
Time Line
- EnCase Timeline
- FTK – No Timeline except for sorting columns
![Page 18: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/18.jpg)
Registry Review - EnCase
![Page 19: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/19.jpg)
Registry Viewer - FTK
![Page 20: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/20.jpg)
Image Mounting
- FTK – None. Pulls files out individually into temporary files (*see file limits!), which are then scanned by antivirus if it is turned on.
- EnCase can mount the image as a Network Drive or Physical Drive
- Read Only – Allows for Virus Scanning and Exploring
![Page 21: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/21.jpg)
Hash Sets
FTK
- Uses “Known File Filters”
- Can import NSRL Hash Sets
- Can create individual sets to check against case
EnCase
- Has the same features
- Does not have to “re-index” in order to apply a Hash List. The case only needs to be hashed once.
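The hash-set slide's point is the workflow: hash the case once, then apply any number of hash sets (an imported NSRL-style "known" set, a case-specific "notable" set) as filters without rehashing. The following is an added example of that workflow (not code from the slides or from either product), using MD5 and SHA-1 as the tools of that era did; the case files and hash sets are constructed in-memory samples.

```python
# Added example: hash once, filter many times with different hash sets.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class HashedFile:
    path: str
    md5: str
    sha1: str

def hash_case(files: dict[str, bytes]) -> list[HashedFile]:
    """One pass over the data: compute MD5 and SHA-1 for every file exactly once."""
    return [
        HashedFile(path, hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())
        for path, data in sorted(files.items())
    ]

def apply_hash_set(hashed: list[HashedFile], hash_set: set[str], algo: str = "sha1"):
    """Split already-hashed files into (hits, misses) for one hash set. No rehashing:
    a new hash set is just another lookup over the stored digests."""
    hits = [f for f in hashed if getattr(f, algo) in hash_set]
    misses = [f for f in hashed if getattr(f, algo) not in hash_set]
    return hits, misses

# Constructed case files: stand-ins for an OS binary, a user document, and a tool.
CASE_FILES = {
    "C/Windows/notepad.exe": b"known OS binary",
    "C/Users/bob/notes.txt": b"user document",
    "C/Temp/scanner.exe": b"suspect tool",
}
# Constructed hash sets: a "known" set (what an NSRL import provides) and a
# case-specific "notable" set built by the examiner.
KNOWN_SET = {hashlib.sha1(b"known OS binary").hexdigest()}
NOTABLE_SET = {hashlib.sha1(b"suspect tool").hexdigest()}

def triage(files=CASE_FILES):
    """Hash once, then filter twice: drop known files, flag notable ones.
    Returns (notable_paths, remaining_paths_for_review)."""
    hashed = hash_case(files)
    _, unknown = apply_hash_set(hashed, KNOWN_SET)
    notable, remaining = apply_hash_set(unknown, NOTABLE_SET)
    return [f.path for f in notable], [f.path for f in remaining]

if __name__ == "__main__":
    print(triage())
```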
![Page 22: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/22.jpg)
Application Logs
- Built-In Support for Application Logs
  - Internet History: RTF, Spreadsheet, HTML (Tables)
  - Windows Event Logs
- FTK converts Internet History to HTML only, without tables
  - Windows Event Logs
![Page 23: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/23.jpg)
Scripting
- EnCase has full scripting abilities. Allows automation of reports, decryption, carving… anything
- FTK currently has NO support for scripting. FTK handles some automation through other UTK components
![Page 24: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/24.jpg)
War Stories
- EnCase: New Versions Buggy
- EnCase: Enterprise problems with Unix/Linux
- EnCase upgrades cause older case files to no longer work
- FTK hits the 2,000,000 file limit
- FTK has a known “Common Areas” issue in Registry Viewer
- FTK cannot open a case if the drive letter where the case data is located changes
![Page 25: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/25.jpg)
Summary
FTK
- Less Expensive, Integrates with Logicube, Yahoo Encryption Support, suite of tools integrated. Excellent Email Support, Full Text Indexing.
EnCase
- Enterprise version, Internet History Support, User GUID support. All tools built in. Amazing Scripting Power.
![Page 26: The Real World Forensics](https://reader033.fdocuments.us/reader033/viewer/2022051609/547092b3b4af9fb40a8b483d/html5/thumbnails/26.jpg)
Questions