The Real World: Forensics
EnCase vs FTK
By Justin McAnn and Frank Enfinger
This is the true story of when EnCase and The Ultimate Tool Kit are used on the same cases. Find out what happens when they stop being friendly and start getting real.

- The Real World: Forensics!
Starring

- EnCase V4 FE
  - Weighing in at $3600
- Enterprise Edition
  - Heavy Weight Division $130K
- Ultimate Forensic ToolKit V1.60
  - Weighing in at $1695
FTK 1.60
- No Progress Bar
- No Multi-Tasking
- No Scripting Support
- HFS (Mac) Not Supported
- 2 Million File Limit
- Image Mounting

EnCase V4
- No Outlook 2003 PST/OST Support
- No Internal Mail Viewer
- Rough Looking Reports
- No Full Indexing of the drive
- Live Searches only
- Customer Support ???
Kidnapping Case Scenario
- Victim's mother reports kidnapping
- Mother provides information about the minor in question
- Victim's mother provides consent to search computer
- Computer is brought to the lab
Forensic Methodology
- Keyword Search
- Profiling
  - Gallery View
  - Email
  - Internet History
  - Instant Messaging History
- Carving
- Report
Keyword Searching
FTK
- Full Indexed Search
- Surrounding Text Search
- Regular Expression, GREP, Hex
- Plain-Text Keyword Import
- Long pre-processing times!
EnCase
- Live Search Only
- Surrounding Text Search
- Regular Expression, Grep, Hex
- Parallel Text Searching Methods
- Plain-Text (Paste) Keyword Import
Full Index Searching - FTK
Gallery View
FTK
- Does not fit picture to window
- No PSD (Photoshop) Support
- No AVI Support (Missing First Frame)
EnCase
- Constantly crashes on corrupt pictures
- Gallery Viewer not as efficient
Email – FTK 1.60
Email – EnCase V4
Carving
FTK
- Automated Carving of 7 File Types
- Manual Carving for any others
- Adding additional automation not permitted (yet)
EnCase
- All Carving is Automated
- Can be done manually as well
- Scripting allows easy carving for customized file types
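The scripted carving for custom file types mentioned above, as an added Python example that is not code from the deck, EnCase or FTK: a small header/footer carver run over a constructed raw image, with a truncated file to show the missing-footer case and a hypothetical register_signature() standing in for scripting a new file type. All signatures, sizes and sample bytes are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Signature table: type -> (header, footer, maximum carve length in bytes).
# The maximum bounds the carve when no footer is found, as with a truncated file.
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 2 * 1024 * 1024),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int     # byte offset of the header within the raw image
    length: int     # number of bytes carved
    complete: bool  # False when no footer was found inside the maximum length


def register_signature(kind: str, header: bytes, footer: bytes, max_len: int) -> None:
    """Add a custom file type (hypothetical helper: the scripted-carver equivalent)."""
    SIGNATURES[kind] = (header, footer, max_len)


def carve(image: bytes) -> List[CarvedFile]:
    """Scan a raw image for registered headers and carve each file up to its footer."""
    results: List[CarvedFile] = []
    pos = 0
    while pos < len(image):
        # Pick the earliest header of any registered type at or after pos.
        best = None
        for kind, (header, footer, max_len) in SIGNATURES.items():
            idx = image.find(header, pos)
            if idx != -1 and (best is None or idx < best[0]):
                best = (idx, kind, header, footer, max_len)
        if best is None:
            break
        start, kind, header, footer, max_len = best
        window_end = min(len(image), start + max_len)
        hit = image.find(footer, start + len(header), window_end)
        if hit == -1:
            end, complete = window_end, False   # truncated: carve the bounded window
        else:
            end, complete = hit + len(footer), True
        results.append(CarvedFile(kind, start, end - start, complete))
        # Resume after the carved file so headers embedded inside it (for example a
        # JPEG thumbnail) are not carved a second time.
        pos = end
    return results


def sample_image() -> bytes:
    """Constructed raw 'image' for the demo: filler, a JPEG, a PNG and a truncated GIF."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-DATA" * 3 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"IEND\xaeB`\x82")
    truncated_gif = b"GIF89a" + b"\x01" * 20          # header present, trailer missing
    return b"\x00" * 16 + jpg + b"\x00" * 8 + png + b"\x00" * 4 + truncated_gif


if __name__ == "__main__":
    for f in carve(sample_image()):
        print(f"{f.kind:4} offset={f.offset:4} length={f.length:4} complete={f.complete}")
```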
Report
FTK
- Dynamic HTML report
- Easily customizable
- Exportable Gallery View
EnCase
- Difficult Customization
- Static Content makes BIG reports
- Exportable to RTF
Corporate Hacker
- System Administrator reports root accounts being locked
- Logs provided from servers pointing to attacker system address
- System is tracked to location and confiscated
- Computer is brought to the lab
Forensic Methodology
- Time Lines
- Registry Review
- Mount and Scan
- Hash Sets
- Application Logs
- EnScripts
Time Line
- EnCase Timeline
- FTK – No Timeline except for sorting columns
Registry Review - EnCase
Registry Viewer - FTK
Image Mounting
- FTK – None.
  - Pulls files out individually into temporary files (*see file limits!), which are then scanned by AntiVirus if turned on.
- EnCase can mount image as Network Drive or Physical Drive
  - Read Only – Allows for Virus Scanning and Exploring
Hash Sets
- FTK uses "Known File Filters"
  - Can import NSRL Hash Sets
  - Can create individual sets to check against case
- EnCase has the same features
  - EnCase does not have to "re-index" in order to apply Hash List. The case only needs to be hashed once.
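The hash-once, apply-many-lists workflow described above, as an added Python example that is not code from the deck, FTK or EnCase: every file is hashed a single time, then classified against an NSRL-style known-good ("ignore") set and a case-specific "alert" set, and a set added later is applied to the same hash table without reading file data again. The evidence paths, contents and hash lists are constructed stand-ins.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed stand-ins for files pulled from an image (not real binaries).
EVIDENCE: Dict[str, bytes] = {
    "C:/Windows/System32/notepad.exe": b"MZ constructed notepad stand-in",
    "C:/Windows/System32/calc.exe": b"MZ constructed calc stand-in",
    "C:/Users/suspect/Documents/notes.txt": b"meet at the usual place",
    "C:/Users/suspect/AppData/tool.exe": b"MZ constructed tool stand-in",
}


def hash_once(files: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Read and hash every file exactly once (MD5 and SHA-1, the digests NSRL lists)."""
    return {path: (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())
            for path, data in files.items()}


class HashSet:
    """One hash set, e.g. an NSRL import ("ignore") or a case-specific list ("alert")."""

    def __init__(self, name: str, status: str, digests: Iterable[str]) -> None:
        self.name = name
        self.status = status
        # NSRL publishes uppercase hex; normalize so lookups against lowercase match.
        self.digests = {d.strip().lower() for d in digests}

    def contains(self, md5: str, sha1: str) -> bool:
        return md5 in self.digests or sha1 in self.digests


def load_hash_list(name: str, status: str, text: str) -> HashSet:
    """Build a set from a plain-text list, one digest per line; '#' starts a comment."""
    digests = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    return HashSet(name, status, [d for d in digests if d])


def apply_hash_sets(table: Dict[str, Tuple[str, str]],
                    hash_sets: List[HashSet]) -> Dict[str, str]:
    """Classify each already-hashed file; file contents are never read again."""
    verdicts: Dict[str, str] = {}
    for path, (md5, sha1) in table.items():
        verdict = "unknown"
        for hs in hash_sets:
            if hs.contains(md5, sha1):
                verdict = hs.status
                if verdict == "alert":
                    break  # a known-bad hit outranks a known-good hit
        verdicts[path] = verdict
    return verdicts


def review_queue(verdicts: Dict[str, str]) -> List[str]:
    """Files the examiner still has to look at: everything not filtered as known good."""
    return sorted(p for p, v in verdicts.items() if v != "ignore")


def build_demo_sets() -> List[HashSet]:
    """Constructed sets: an NSRL-like known-good list and a case-specific alert list."""
    known_good = [hashlib.sha1(EVIDENCE[p]).hexdigest().upper()
                  for p in ("C:/Windows/System32/notepad.exe", "C:/Windows/System32/calc.exe")]
    nsrl_like = HashSet("NSRL (constructed)", "ignore", known_good)
    alert_text = "# case list, constructed\n" + hashlib.md5(
        EVIDENCE["C:/Users/suspect/AppData/tool.exe"]).hexdigest().upper() + "\n"
    return [nsrl_like, load_hash_list("Case alert list", "alert", alert_text)]


def triage(files: Dict[str, bytes] = EVIDENCE) -> Dict[str, str]:
    """Hash once, then apply every set to the same table."""
    return apply_hash_sets(hash_once(files), build_demo_sets())


if __name__ == "__main__":
    verdicts = triage()
    for path, verdict in verdicts.items():
        print(f"{verdict:8} {path}")
    print("to review:", review_queue(verdicts))
```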
Application Logs
- Built-In Support for Application Logs
  - Internet History
  - RTF, Spreadsheet, HTML (Tables)
- Windows Event Logs

- FTK converts Internet History to HTML only without tables
- Windows Event Logs
Scripting
- EnCase has full scripting abilities.
- Allows automation of reports, decryption, carving, anything

- FTK currently has NO support for scripting
- FTK handles some automation through other UTK components
War Stories
- EnCase New Versions Buggy
- Enterprise problems with Unix/Linux
- EnCase upgrades cause older case files to no longer work
- FTK hits 2,000,000 file limit
- FTK has known "Common Areas" issue in Registry Viewer
- FTK cannot open case if drive letter changes where case data is located
Summary
FTK
  Less Expensive, Integrates with Logicube, Yahoo Encryption Support, suite of tools integrated. Excellent Email Support, Full Text Indexing.

EnCase
  Enterprise version, Internet History Support, User GUID support. All tools built in. Amazing Scripting Power.
Questions
