Comments on Computer Forensics, Malware Analysis & Digital Investigations: "What is the best computer forensic imaging tool and analysis tool available?"
Blog author: Lance Mueller (http://www.blogger.com/profile/15789264000499223230)
Comment feed last updated 2023-05-09; 11 comments, newest first.

EON8 (http://www.eon8.com), 2013-07-10 00:18:

With imaging tools forever changing, it's hard to choose a single one.

Joanna (http://www.eforensicsmag.com), 2012-08-13 03:19:

Hm... I think that the combination of various tools would be a good way to explore and analyze something too.
Thanks for sharing your experience, Lance.
Best

Anonymous, 2011-05-05 06:03:

I'm not sure -- I'd like to see a definition of 'tool' before I committed myself to a definite reply.

What *is* a tool? Something that makes it easier? faster? less error prone? to get something done?

And is it a tool in all circumstances, or only in some? Which?

I think that grep -F would certainly be a tool (in general), while grep -E is more doubtful -- regexps need a great deal of care and knowledge to use, so that is only a tool for those with that knowledge and willing and able to exercise that care.

I'm not sure that the three requirements you give are sufficient: if I have a hammer with me, would it be the best tool? Perhaps the best tool I had with me, but not the best tool to get whatever it is done.

A tool must produce some improvement -- or we wouldn't use it. If that improvement comes at the expense of something else (more false positives, less reliable data, more difficulty in interpreting output) -- and we cannot accept or adjust to that, is it still a tool? I'd say, no, it isn't.

I once visited a school for watch makers. They bought their first tool kit when they entered the school -- it was very expensive, but they would be able to go on using it for the rest of their active career.

In that case the tool and the education/training to use the tool came together. How often does that happen? Is a tool a tool if the knowledge to use it properly is lacking? Experience is not quite the same, although it is closely related.

Let me try:
A better tool allows me to produce a given result faster, easier, etc. with the same quality, but preferably higher, than before.

The best tool maximises that equation for a certain user, type of job, environment or period of time.

That's far too fuzzy for my taste, but it at least suggests that we can't talk seriously about better or best tools without having metrics to make the comparison: is it faster? is it easier? is quality higher?

Ken, 2011-05-03 09:25:

Hi, I have an Excel file and I would like to determine if the time stamp has been altered. I saw you wrote a script for EnCase, but I do not have EnCase. The file is on a flash drive and I would like to know what I could use to determine if the stamp has been changed, or if there is a program that could do this.

Thank you,

Allyn Stott (http://allynstott.blogspot.com/), 2011-04-29 19:59:

Best imager: dcfldd
Best analysis: grep + awk + strings

Anonymous, 2011-04-28 22:46:

I do agree with the comments so far. I personally use EnCase and PTK Forensic. We are 3 people in my lab and PTK allows us to work on the same case at the same time.

Albee, 2011-04-28 16:53:

I would agree, I love Imager for so many reasons... not the least of which is that it's the best tool for the money. For analysis, like everyone, I would say "It depends", but my mainstays are EnCase and FTK 3. For me it's a balance between the case goals and stability... and because of that, EnCase has been getting a lot more play time.

Anonymous, 2011-04-28 13:47:

I would say any tool cannot make a perfect image. I use FTK Imager / AIR for imaging.

Anonymous, 2011-04-28 09:14:

I agree with two out of the three points: Who decides what is "mainstream"? Must it be a commercial tool?

I think Harlan is on the right track: the analyst/forensicator and their skills are the "best" tool for the job.

For a blast from the past: http://computer-forensics.sans.org/blog/2010/09/16/tool-digital-forensics-tool/

Girl, Unallocated (https://www.blogger.com/profile/14531145168136293345), 2011-04-28 08:47:

Very good point. I would add that the "best" tool would actually be a combination of multiple tools. As has been pointed out before, no one product out there does everything. The best thing to do is come up with an arsenal that can be adapted to the situation you are working with.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2011-04-28 03:58:

Lance,

I don't see questions like that very often, and when I do, they often lead me to ask, "what do you mean by 'best'?" Is the asker's definition of "best imaging tool" one that handles HPA/DCO 'correctly'?

As far as analysis is concerned, the 'best' tool is that grey, goopy gunk between your ears.