Encase vs FTK vs X-Ways Review

Forensic Labs
3 min read · Mar 21, 2018


Introduction

Encase is a forensic suite produced by Guidance Software (now part of OpenText) and is popular with commercial forensic service providers. A standard license comes in at around $3500.

We’ve built a platform to automate incident response and forensics in AWS — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

Forensic Toolkit (FTK) has been around for as long as Encase and is particularly popular with law enforcement. Its owner, AccessData, also makes the solid FTK Imager available for free, and has recently expanded into cloud forensic capabilities. FTK is priced similarly to Encase, at around $3000.

X-Ways is the third of the “big three” forensic suites. Its user interface suffers from some feature creep, but in my experience it is considerably more reliable, faster and cheaper than FTK or Encase. It costs around $1000.

Performance

A detailed performance review can be found here. It is hard to produce a benchmark of these tools that nobody will dispute, but this one is a reasonable attempt.

The time taken (lower is better) by each of the three products to complete the same keyword search was:

  • X-Ways: 1 minute 52 seconds
  • EnCase: 3 minutes 31 seconds
  • FTK: 3 hours 56 minutes 3 seconds

The FTK result is clearly an outlier and should be re-examined before it is relied on. One plausible cause, if the benchmark did not control for it, is that FTK keyword searches are normally run against the dtSearch index built during evidence processing, so a timing that includes indexing measures a different operation from the live searches in the other two tools.

Interface

For comparison, the original post embeds three videos showing how to execute a keyword search in each tool: Encase, FTK and X-Ways.

Encase Features

  • Acquisition Restart
  • Logical Evidence Files
  • Acquire Evidence via Bootdisk
  • Acquire volatile memory
  • EnScript Scripting
  • Filters and Conditions
  • Active Directory Information Extractor
  • Hardware Analysis
  • Recover partitions
  • Recover deleted files/folders
  • Windows event log parser
  • Link file parser
  • File Signature analysis
  • Hash analysis
  • File finder
  • Built-in Registry Viewer
  • External File Viewers
  • Gallery View
  • Calendar viewer
  • Unicode index search
  • Binary search
  • Proximity Search
  • Internet and email search
  • Case Sensitive
  • Listing of all files and folders
  • List all URLs
  • Acquisition and Hard Drive details
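Several of the search features listed above (Unicode search, binary search, proximity search, case sensitivity) and the keyword-search timings in the Performance section all come down to one operation: scanning every byte of the image for each term, in every encoding the term might appear in. The script below is an added example, not code from this post or from any of the three vendors. It runs a non-indexed (“live”) keyword search over a constructed in-memory image, matching each term in ASCII and UTF-16LE, carries the tail of each chunk forward so that a term straddling a chunk boundary is still found exactly once, and applies a simple byte-distance proximity filter. The search terms, the planted strings, the 128-byte chunk size and all function names are assumptions made for the example.

```python
"""
Added example: a minimal non-indexed keyword search over a raw disk image,
of the kind timed in the Performance section. Not vendor code.
"""
import io
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Hit:
    offset: int      # absolute byte offset of the match in the image
    term: str
    encoding: str    # "ascii" or "utf-16le"


ENCODINGS = ("ascii", "utf-16le")   # ASCII plus the encoding Windows uses for most strings


def compile_terms(terms, case_sensitive=False):
    """One literal byte-regex per (term, encoding). For bytes patterns,
    re.IGNORECASE folds ASCII letters only, which is exactly what we want here."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return [(term, enc, re.compile(re.escape(term.encode(enc)), flags))
            for term in terms for enc in ENCODINGS]


def search_stream(stream, terms, case_sensitive=False, chunk_size=4 * 1024 * 1024):
    """Scan the image chunk by chunk so an image larger than RAM can be searched.
    The last (longest_pattern - 1) bytes of the previous chunk are carried over so a
    term straddling a chunk boundary is still matched; matches that end inside the
    carried tail were already reported in the previous iteration and are skipped."""
    patterns = compile_terms(terms, case_sensitive)
    overlap = max(len(p.pattern) for _, _, p in patterns) - 1
    hits, tail, pos = [], b"", 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buffer_start = pos - len(tail)     # image offset of buffer[0]
        buffer = tail + chunk
        for term, enc, pat in patterns:
            for m in pat.finditer(buffer):
                if m.end() > len(tail):    # reaches into new data: not seen before
                    hits.append(Hit(buffer_start + m.start(), term, enc))
        pos += len(chunk)
        tail = buffer[-overlap:] if overlap else b""
    return sorted(hits)


def proximity_hits(hits, term_a, term_b, window):
    """Pairs of hits for term_a and term_b lying within `window` bytes of each other."""
    a = [h for h in hits if h.term == term_a]
    b = [h for h in hits if h.term == term_b]
    return [(x, y) for x in a for y in b if abs(x.offset - y.offset) <= window]


def build_sample_image():
    """Constructed 512-byte 'image' with a few planted strings (not real evidence)."""
    img = bytearray(512)

    def plant(offset, data):
        img[offset:offset + len(data)] = data

    plant(100, b"Secret Project budget")                # ASCII, mixed case
    plant(124, b"secret")                               # straddles the 128-byte chunk boundary
    plant(250, "hidden SECRET".encode("utf-16le"))      # UTF-16LE, straddles the 256 boundary
    plant(300, b"invoice")                              # near the UTF-16LE hit
    return bytes(img)


def run_demo():
    """Search the constructed image with a deliberately small chunk size so the
    boundary handling is exercised; returns (all hits, proximity pairs)."""
    image = build_sample_image()
    hits = search_stream(io.BytesIO(image), ["secret", "invoice"], chunk_size=128)
    near = proximity_hits(hits, "secret", "invoice", window=64)
    return hits, near


if __name__ == "__main__":
    found, pairs = run_demo()
    for h in found:
        print(f"{h.offset:8d}  {h.encoding:9s}  {h.term}")
    print("proximity pairs:", [(x.offset, y.offset) for x, y in pairs])
```

The chunked read is what lets the same code run over a multi-terabyte image without loading it; the tiny chunk size in the demo exists only to exercise the straddle logic. Note that the whole image is touched once per term set on every query, which is the cost an indexed search (build the index once at processing time, then answer many queries from it) pays up front instead, and why a timing comparison must state which of the two it measured.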

FTK Features

  • Apple DMG and DD_DMG disk image support
  • JSON file support
  • Support for 700 image, archive and file types
  • Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, etc.), Netscape, AOL and RFC 822 mail
  • Process and analyze DMG (compressed and uncompressed), Ext4, exFAT, VxFS (Veritas File System), Microsoft VHD (Microsoft Virtual Hard Disk), Blackberry IPD backup files, Android YAFFS / YAFFS 2
  • Decrypt Credant, SafeBoot, Utimaco, SafeGuard Enterprise and Easy, EFS, PGP, GuardianEdge, Pointsec and S/MIME
  • View e-mail details graphically
  • Explicit image detection
  • Generate reports in CSV, HTML, PDF, XML, RTF

X-Ways Features

  • Interpret Image File As Disk
  • Case Management
  • Multi-User Coordination For Large Cases
  • Evidence Objects
  • Case Log
  • Case Report
  • Report Tables
  • Viewer Functionality
  • Registry Report
  • Simultaneous Search
  • Logical Search
  • Search Hit List
  • Search Term List
  • Hit Count in Search Term Lists
  • Event Lists
  • Mount As Drive Letter
  • File Type Categories
  • Hash Database
  • PhotoDNA
  • Time Zone Concept
  • Evidence File Containers
  • Related Items
  • Generator Signatures
  • External Analysis Interface

We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.
