EnCase is a forensic suite produced by Guidance Software (now part of OpenText) that is popular with commercial providers. A standard license comes in at around $3500.
We’ve built a platform to automate incident response and forensics in AWS — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.
Forensic Toolkit (FTK) is a forensic suite that has been around for as long as EnCase and is particularly popular with law enforcement. The owner, AccessData, also makes the solid FTK Imager product available for free, and has recently expanded to offer cloud forensic capabilities. FTK is priced similarly to EnCase, at around $3000.
X-Ways is the third of the “big three” forensic suites. The user interface suffers from some feature creep, but in my experience it is considerably more reliable, faster and cheaper than FTK or EnCase. It costs around $1000.
A detailed review of performance can be found here. It’s extremely difficult to provide a non-controversial assessment without biases, but this one seems to do a reasonably good job.
The times taken (lower is better) by the three products to perform a keyword search were:
- X-Ways: 1 minute 52 seconds
- EnCase: 3 minutes 31 seconds
- FTK: 3 hours 56 minutes 3 seconds
Clearly the results for FTK are an outlier and may need to be re-examined.
For comparison, the videos below show how to execute a keyword search.
- Logical Evidence Files
- Acquire Evidence via Bootdisk
- Acquire volatile memory
- Filters and Conditions
- Active Directory Information Extractor
- Recover deleted files/folders
- Windows event log parser
- Link file parser
- File Signature analysis
- Built-in Registry Viewer
- External File Viewers
- Unicode index search
- Internet and email search
- Listing of all files and folders
- List all URLs
- Acquisition and Hard Drive details
- Apple DMG and DD_DMG disk image support
- JSON file support
- Support for 700 image, archive and file types
- Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, etc.), Netscape, AOL and RFC 833
- Process and analyze DMG (compressed and uncompressed), Ext4, exFAT, VxFS (Veritas File System), Microsoft VHD (Microsoft Virtual Hard Disk), Blackberry IPD backup files, Android YAFFS / YAFFS 2
- Decrypt Credant, SafeBoot, Utimaco, SafeGuard Enterprise and Easy, EFS, PGP, GuardianEdge, Pointsec and S/MIME
- View E-Mail Details Graphically
- Explicit Image detection
- Generate Reports in CSV, HTML, PDF, XML, RTF
- Interpret Image File As Disk
- Multi-User Coordination For Large Cases
- Search Hit List
- Search Term List
- Hit Count in Search Term Lists
- Mount As Drive Letter
- File Type Categories
- Time Zone Concept
- Evidence File Containers
- External Analysis Interface
We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.