Monday, 7 October 2013

Comparison of FORENSIC TOOLS: ENCASE vs FTK

EnCase
* GUI: Confusing for new users, but a very user-friendly GUI.
* Timeline: EnCase supports a timeline view.
* EnCase has its own image format (the EnCase image file format), used to store various types of digital evidence.
* EnCase supports more file systems than FTK.
* SEARCHING: EnCase uses its own search engine; live and indexed search are supported.
* HASHING: EnCase supports only MD5 (Message Digest 5).
* RAID: EnCase supports several dynamic disk configurations compared to FTK.
* DELETED FILES, bad SIGNATURE: EnCase does not highlight a file with a bad signature; it simply displays it.
* CARVING: EnCase supports recovery of deleted files and filenames on EXT 2/3 file systems.
* SCRIPTING: EnCase uses its own scripting language, known as EnScript.
* REPORTING: EnCase supports reports in RTF or HTML format.

FTK
* GUI: Rated the most user-friendly forensic tool.
* Timeline: FTK does not support a timeline view.
* FTK supports more image formats than EnCase.
* FTK cannot handle compressed drives such as DoubleSpace. (DoubleSpace is a technology that compresses data stored by the FAT file system in real time, meaning that data is compressed and decompressed as it is written and read.)
* SEARCHING: FTK search takes longer, but has good features such as live and indexed search.
* HASHING: FTK supports Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).
* DELETED FILES, bad SIGNATURE: FTK highlights a file that has a bad signature, and shows an (x) symbol next to a file that is deleted.
* CARVING: FTK doesn't support recovery of deleted files on EXT 2/3 file systems.
* SCRIPTING: FTK doesn't support scripting.
* REPORTING: FTK supports reports only in HTML format.


CONCLUSION:

Both tools are essential for a thorough and complete forensic investigation. Since they share some common features and each has some unique features that aid the investigation, it is suggested to use both tools.

If only one tool is to be chosen, EnCase leads FTK due to its advanced features.


3 comments:

  1. Thank you Pankaj !!!
    Really appreciate your neat and concise article presentation.

    Regards,
    Nancy

  2. Nice comparison. Appreciate the effort.
    Just a minor comment :-
    "Encase supports only MD5 (Message Digest 5)."
    This is no longer true for Encase 7 which supports MD5 and SHA1.

  3. Are there any updates to these products for their current versions?
