Thursday, April 28, 2011

What is the best computer forensic imaging tool and analysis tool available?

I get a lot of emails and general questions from students and blog readers about what tools I feel are the best to do imaging and analysis. It is no secret that I worked for Guidance Software in the past and have a personal preference for EnCase, but I also use many other tools during my various assignments depending on the type of case I am working and the client's needs.

Here is my simple opinion on the best tool for imaging and/or analysis.

The best tool is:
1. The one you have with you (AND)
2. Is mainstream/validated (AND)
3. You have experience using it

11 comments:

Keydet89 Thursday, 28 April, 2011  

Lance,

I don't see questions like that very often, and when I do, they often lead me to ask, "what do you mean by 'best'?" Is the asker's definition of "best imaging tool" one that handles HPA/DCO 'correctly'?

As far as analysis is concerned, the 'best' tool is that grey, goopy gunk between your ears.

Girl, Unallocated Thursday, 28 April, 2011  

Very good point. I would add that the "best" tool would actually be a combination of multiple tools. As has been pointed out before, no one product out there does everything. The best thing to do is come up with an arsenal that can be adapted to the situation you are working with.

Anonymous Thursday, 28 April, 2011  

I agree with two out of the three points: Who decides what is "mainstream"? Must it be a commercial tool?

I think Harlan is on the right track: the analyst/forensicator and their skills are the "best" tool for the job.

For a blast from the past: http://computer-forensics.sans.org/blog/2010/09/16/tool-digital-forensics-tool/

Anonymous Thursday, 28 April, 2011  

I would say any tool cannot make a perfect image. I use FTK Imager / Air for imaging.

Albee Thursday, 28 April, 2011  

I would agree, I love Imager for so many reasons... not the least of which is that it's the best tool for the money. For analysis, like everyone, I would say "It depends", but my mainstays are EnCase and FTK 3. For me it's a balance between the case goals and stability... and because of that, EnCase has been getting a lot more play time.

Anonymous Thursday, 28 April, 2011  

I do agree with the comments so far. I personally use EnCase and PTK Forensic. We are 3 people in my lab and PTK allows us to work on the same case at the same time.

Allyn Stott Friday, 29 April, 2011  

Best imager: dcfldd
Best analysis: grep + awk + strings

Ken Tuesday, 03 May, 2011  

Hi, I have an Excel file and I would like to determine if the time stamp has been altered. I saw you wrote a script for EnCase, but I do not have EnCase. The file is on a flash drive and I would like to know what I could use to determine if the stamp has been changed, or if there is a program that could do this.

Thank You,

Anonymous Thursday, 05 May, 2011  

I'm not sure -- I'd like to see a definition of 'tool' before I committed myself to a definite reply.

What *is* a tool? Something that makes it easier? faster? less error prone? to get something done?

And is it a tool in all circumstances, or only in some? Which?

I think that grep -F would certainly be a tool (in general), while grep -E is more doubtful -- regexps need a great deal of care and knowledge to use, so that is only a tool for those with that knowledge and willing and able to exercise that care.

I'm not sure that the three requirements you give are sufficient: if I have a hammer with me, would it be the best tool? Perhaps the best tool I had with me, but not the best tool to get whatever it is done.

A tool must produce some improvement -- or we wouldn't use it. If that improvement comes at the expense of something else (more false positives, less reliable data, more difficulty in interpreting output) -- and we cannot accept or adjust to that, is it still a tool? I'd say, no, it isn't.

I once visited a school for watch makers. They bought their first tool kit when they entered the school -- it was very expensive, but they would be able to go on using it for the rest of their active career.

In that case the tool and the education/training to use the tool came together. How often does that happen? Is a tool a tool if the knowledge to use it properly is lacking? Experience is not quite the same, although it is closely related.

Let me try:
A better tool allows me to produce a given result faster, easier, etc. with the same quality, but preferably higher, than before.

The best tool maximises that equation for a certain user, type of job, environment or period of time.

That's far too fuzzy for my taste, but it at least suggests that we can't talk seriously about better or best tools without having metrics to make the comparison: is it faster? Is it easier? Is quality higher?

Joanna Monday, 13 August, 2012  

Hm... I think that the combination of various tools would be a good way to explore and analyze something too.
Thanks for sharing your experience, Lance.
Bests

EON8 Wednesday, 10 July, 2013  

With imaging tools forever changing, it's hard to choose a single one.


Computer Forensics, Malware Analysis & Digital Investigations
