Channel: Forensic Focus Forums - Recent Topics

Forensic Software: EnCase 7 vs FTK4

ner0 wrote:
We're looking at purchasing either EnCase 7 or FTK4 for our agency. Since both are relatively new, I've not been able to find too many reviews of the products. Ideally, we would like to purchase both, but our budget will limit us to only purchasing one for now. Which piece of software would you recommend to an agency that currently has no commercial forensic software? Thanks for your input.

------------------

I tried FTK 4 vs EnCase 7 for a month, and we were processing the same evidence files (HDD images that vary from 50 GB to 200 GB). Our conclusion was:

- FTK uses 100% of our workstation (see specs at the end) while processing; we need to stop using the workstation. When it finishes, the index searches are slow and we can't transfer the case to computers with less capacity. FTK takes a lot of time (it almost doesn't finish processing a case if you don't have a powerful computer).

- EnCase uses 40% of our workstation while processing; the workstation is totally responsive, and it finishes between 30 minutes and 1.5 hours after FTK. When it finishes, the index searches are faster than FTK and we can transfer the case to other computers with less capacity (EnCase lets you use a less powerful computer to process a case; it takes more time, but it finishes).

If you need a lot of speed and have the money to buy FTK-compatible computers, FTK could be your solution. If you don't care about 1.5 hours of additional time while processing and you would like to be able to easily transfer the case to more than one investigator who has a less powerful computer (or process the case on a less powerful computer), EnCase could be your solution.

By the way, we used FTK 4.0.2.33 and EnCase 7.06.01.

Note: EnCase 7 lets you restore a case after EnCase crashes, and it takes no more than 5 minutes to open a 120 GB case. We worked on a case with 5 images of 150 GB in the same case, and it takes 10 minutes to open the case after a crash. Before the crash the 5 images were completely processed with the following processing options enabled: Recover folders, File signature analysis, Protected files, Thumbnail creation, Hash analysis (only SHA), Find email and Indexing (only files that are not in the library).

-------------------------------------------

Workstation used:
- Two Intel Xeon CPU E5-2630 @ 2.30 GHz processors
- 32 GB of RAM
- 64-bit Windows 7 Professional

3 HDDs:
Disk 0 – For Windows [OS(C:)] and System. EnCase or FTK was installed on this HDD.
Disk 1 – 2 TB 10K; this drive is where evidence is stored.
Disk 2 – A RAID 0 composed of 3 HDDs at 15K; this RAID is used for the CACHE or the database.

-----------------------------------------------
