smart VS encase

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
flytnx
Member
 

smart VS encase

Posted: Dec 07, 04 21:37

Anyone have any strong opinions? I personally would rather use SMART as I feel that I have more control over my searches and have more room to work within, if you know what I mean? The price of EnCase 5 is kinda painful too...

Andy
Senior Member
 

Re: smart VS encase

Posted: Dec 07, 04 23:08

Depends what you are more comfortable with, it's a personal choice thing. If you use Linux and are comfortable then SMART is the smart choice (sorry :D). I only wish I had time to learn and use SMART more (I have a demo, but can't justify spending time to learn it at the moment). I do like Linux, but I am nowhere near as competent in it as I am in Windows.

One thing to consider is: will the investigations you conduct be mainly on Linux machines or Windows? If it's the latter then it might be wise to get to grips with EnCase, and examine in Windows. If you extract files you might need to investigate them in the same environment as your suspect machine. For example, MS Word documents, Access and Excel files are all best viewed with the same software. Extracting them into Linux might not give you consistent results and/or the formatting may appear wrong.

Also consider your customer(s); they may be more familiar with Windows, and some of the concepts you need to explain may be a little alien to them or require translation.

I have mainly used a Windows OS, so I am more comfortable in this environment and use EnCase. However, I am at present on an FTK boot camp course, and can say I am very impressed with it. I will be using FTK more and trying to get to grips with it as much as I am with EnCase. It appears to have everything EnCase has and perhaps a little more, such as indexing for text searching, which is fantastic, and it has better support for email investigation.

Andy

flytnx
Member
 

Re: smart VS encase

Posted: Mar 30, 05 18:59

Hi,

Sorry for the late reply, it's been really busy lately. Well, the way I see it, if you were to go on-site with the SMART Linux CD, essentially all you do is boot the suspect system with the SMART Linux CD and mount the suspect drive as read-only, then mount your target drive (let's assume an external FireWire drive) as read-write and perform the acquisition. Even better, if your only purpose was to extract a few files from the suspect system, let's say .doc files, then you can do cool stuff like boot from the Linux CD, load SMART Linux into RAM if you have 512MB of RAM or more, and use the CD-RW on the suspect's system to burn the files off without having to carry any hardware with you other than your SMART CD and a blank CD or two. I do see where you are coming from with the fear of not being able to perform the same tasks as in Windows; however, you can boot back into Windows to use the tools you already know, or simply install VMware or Wine on Linux and run your Win32 applications natively. The bottom line is the boot CD itself is so simple that you can't really screw anything up. If it's for your lab machine then you could install a simple-to-maintain build such as SUSE or Fedora.

Anyhow, enough </rant> from me. I just personally think EnCase blows for so many reasons that it should be reason enough to want to learn the other side of the fence, in case you are ever called to the stand to defend yourself against someone who is aware of the many flaws of using EnCase for acquires.


RoboGeek
Member
 

Re: smart VS encase

Posted: Mar 31, 05 02:47

I've never had a successful EnCase argument as far as any problems acquiring evidence; in fact I've never had a challenge to the validity other than chain-of-custody arguments.

But I have never seen SMART until this post. I use other Linux tools for non-criminal cases, and if it's a civil case I use a lot of my own little goodies.

Unfortunately I won't pay $2000 to evaluate software and see how it holds up under scrutiny.

I'd like to hear from some people who have court tested experience using it.
_________________
I used to be a lifeguard, but some blue kid got me fired.

Business Network Solutions

Andy
Senior Member
 

Re: smart VS encase

Posted: Mar 31, 05 09:13

I just personally think EnCase blows for so many reasons that it should be reason enough to want to learn the other side of the fence, in case you are ever called to the stand to defend yourself against someone who is aware of the many flaws of using EnCase for acquires.


Perhaps you're not using it correctly?

EnCase is regularly accepted in courts worldwide.

Andy

Last edited by Andy on Apr 01, 05 10:52; edited 1 time in total

gmarshall139
Senior Member
 

Re: smart VS encase

Posted: Mar 31, 05 14:04

Nor have I ever heard of an issue, particularly with the acquisition function. If you have any details of an examination being struck down for any reason related to the use of EnCase, I'd like to hear about it.
_________________
Greg Marshall, EnCE

daveg
Newbie
 

Re: smart VS encase

Posted: Apr 02, 05 19:36

Greg,

There was a serious problem with EnCase when acquiring a disk.

If the disk you were acquiring had a bad sector, EnCase didn't deal with it correctly. So your acquisition hash was different EVERY time you acquired the disk.

So an independent expert verifying your work would have a different MD5 hash and would claim in court that YOU planted evidence. Or you mixed up disks with a different case, or whatever. Case dismissed.

Dave
_________________
If at first you don't succeed, try a bigger hammer
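The two technical points in this thread, flytnx's boot-CD acquisition procedure (mount the suspect drive read-only, image to a read-write target) and daveg's point that a bad sector must not change the acquisition hash from one pass to the next, can be shown together with plain dd. This is an added example, not SMART, EnCase or anything posted in the thread; the device name, the digest-file naming and the sample "disk" are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). SOURCE stands for the suspect device,
# e.g. /dev/sdb, left unmounted or mounted read-only first with:
#   mount -o ro,noatime,noexec /dev/sdb1 /mnt/suspect   (assumed device name)

# acquire_image SOURCE IMAGE LOG
# Reads SOURCE sector by sector. conv=noerror keeps going past a bad sector and
# conv=sync zero-fills the unreadable block, so the image has the same length and
# the same hash on every pass; dd's error report is kept in LOG for the notes.
acquire_image() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$log" || return 1
    # Record both digests of the image for an independent examiner to re-verify.
    md5sum "$img" | cut -d' ' -f1 > "$img.md5"
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
}

# verify_image IMAGE -> 0 when the image still matches its recorded digests.
verify_image() {
    img=$1
    [ "$(md5sum "$img" | cut -d' ' -f1)" = "$(cat "$img.md5")" ] || return 1
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$(cat "$img.sha256")" ] || return 1
}

# repeatable_acquisition SOURCE -> 0 when two separate passes hash identically,
# the property daveg describes losing when a bad sector is handled inconsistently.
repeatable_acquisition() {
    src=$1; work=$(mktemp -d) || return 1
    acquire_image "$src" "$work/pass1.dd" "$work/pass1.log" || return 1
    acquire_image "$src" "$work/pass2.dd" "$work/pass2.log" || return 1
    h1=$(cat "$work/pass1.dd.md5"); h2=$(cat "$work/pass2.dd.md5")
    rm -rf "$work"
    [ "$h1" = "$h2" ]
}

# Constructed stand-in for a suspect drive: 1 MiB of random bytes (2048 sectors),
# used only so the example runs offline without real hardware.
make_sample_disk() {
    f=$(mktemp) || return 1
    dd if=/dev/urandom of="$f" bs=512 count=2048 2>/dev/null || return 1
    echo "$f"
}
```

With a healthy source whose size is a whole number of sectors, the image digest equals the digest of the source itself; with a bad sector it will not, which is why the recorded digest of the image, together with the dd error log, is what gets re-verified rather than a fresh read of the failing drive.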