1. The Real World: Forensics
EnCase vs FTK
By Justin McAnn
Frank Enfinger

2. This is the true story of when EnCase
and The Ultimate Tool Kit are used on
the same cases. Find out what
happens when they stop being
friendly and start getting real.
- The Real World: Forensics!

3. Starring…
EnCase V4 FE
Weighing in at $3600
Enterprise Edition
Heavy Weight Division $130K
Ultimate Forensic ToolKit V1.60
Weighing in at $1695

4. FTK 1.60
No Progress Bar
No Multi-Tasking
No Scripting Support
HFS (Mac) Not Supported
2 Million File Limit
Image Mounting…

5. EnCase V4
No Outlook 2003 PST/OST Support
No Internal Mail Viewer
Rough Looking Reports
No Full Indexing of the drive
Live Searches only
Customer Support ???

6. Kidnapping Case Scenario
Victim’s mother reports kidnapping
Mother provides information about the
minor in question
Victim’s mother provides consent to
search computer
Computer is brought to the lab

7. Forensic Methodology
Keyword Search
Profiling
Gallery View
Email
Internet History
Instant Messaging History
Carving
Report

8. Keyword Searching
FTK
Full Indexed Search
Surrounding Text Search
Regular Expression, GREP, Hex…
Plain-Text Keyword Import
Long pre-processing times!
EnCase
Live Search Only
Surrounding Text Search
Regular Expression, Grep, Hex…
Parallel Text Searching Methods
Plain-Text (Paste) Keyword Import

9. Full Index Searching - FTK

10. Gallery View
FTK
Does not fit picture to window
No PSD (Photoshop) Support
No AVI Support (Missing First Frame)
EnCase
Constantly crashes on corrupt
pictures
Gallery Viewer not as efficient

11. Email – FTK 1.60

12. Email – EnCase V4

13. Carving
FTK
Automated Carving of 7 File Types
Manual Carving for any others
Adding addition automation not permitted
(yet)
EnCase
All Carving is Automated
Can be done manually as well
Scripting allows easy carving for
customized file types

14. Report
FTK
Dynamic HTML report
Easily customizable
Exportable Gallery View
EnCase
Difficult Customization
Static Content makes BIG reports
Exportable to RTF

15. Corporate Hacker
System Administrator reports root
accounts being locked
Logs provided from servers pointing to
attacker system address
System is tracked to location and
confiscated
Computer is brought to the lab

16. Forensic Methodology
Time Lines
Registry Review
Mount and Scan
Hash Sets
Application Logs
EnScripts

17. Time Line
EnCase Timeline
FTK – No Timeline except for sorting
columns

18. Registry Review - EnCase

19. Registry Viewer - FTK

20. Image Mounting
FTK – None.
Pulls files out individually in temporary
files (*see file limits!) which then is
scanned by AntiVirus if turned on.
EnCase can mount image as Network
Drive or Physical Drive
Read Only – Allows for Virus Scanning
and Exploring

21. Hash Sets
FTK uses “Known File Filters”
Can import NSRL Hash Sets
Can create individual sets to check
against case
EnCase has the same features
EnCase does not have to “re-index” in
order to apply Hash List. The case only
needs to be hashed once.

22. Application Logs
Built-In Support for Application Logs
Internet History
RTF, Spreadsheet, HTML (Tables)
Windows Event Logs
FTK converts Internet History to
HTML only without tables
Windows Event Logs

23. Scripting
EnCase has full scripting abilities.
Allows automation of reports,
decryption, carving… anything
FTK current has NO support for
scripting
FTK handles some automation
through other UTK components

24. War Stories
EnCase New Versions Buggy
Enterprise problems with Unix/Linux
EnCase upgrades cause older case
files to no longer work
FTK hits 2,000,000 file limit
FTK has known “Common Areas”
issue in Registry Viewer
FTK cannot open case if drive letter
changes where case data is located

25. Summary
FTK
Less Expensive, Integrates with
Logicube, Yahoo Encryption Support,
suite of tools integrated. Excellent
Email Support, Full Text Indexing.
EnCase
Enterprise version, Internet History
Support, User GUID support. All tools
built in. Amazing Scripting Power.

26. Questions