Forensic Tools - Tool Kits

[hunterfs]

All,

I am in the market for some forensic tools and/or tool kits that we would be using in our corporate environment. Would like to know if anyone is willing to make a suggestion or recommendation.

We have begun to look at Encase from Guidance Software and Forensic Toolkit from AccessData. These tools average 1500-2000 dollars, it that what we can expect to spend for a full suite?

Thanks in advance,
Frederick

 

[eyec]

save you time, money, and effort go with Encase.

i took an introductory course using it alongside FTK and others and there is a remarkable difference.

Encase is the standard when it comes to presenting evidence in court.

however, the software alone will not do the job by itself - attend their training! you get a key for each person/CD when you go that route instead of trying to learn it on your own and just buying the key.

i intend on going as soon as i can make it happen.

 

[hunterfs]

thanks for the input, not sure that we would be running to court just yet, but you never know.

 

[eyec]

can you say Sarbanes-Oxley, HIPPA, and a host of other new laws to go along with EEOC, copyright, antitrust, workplace harrasement, etc.?

if you are a medium to large size employer you better have in-house forensics or know of a good consultant to call.

just my opinion in today's litigious world.

 

[vanillapod]

We've been using EnCase for a few years now, just upgraded to vers 4 and am attending more training this tuesday.

EnCase is real good for looking at various devices inc. hard drives. Its real easy to use the basic stuff although the advanced stuff does require you attend the training courses. We come accross loads of deleted / hidden files inc images hidden in docs etc etc stuff users thought we couldn't find / get at.

I did a 10gb aquisition the other day, it took 20mins and then I was off looking for evidence etc... i'd def. recommend it to anyone after a forensics tool...

They have the forensics version and enterprise version, think the enterprise version can be used over a LAN...

 

[40below0]

EnCase seems to be the standard in the police realm. I have not worked with the enterprise version. The forensics version is not what you would call intuitive. Classroom training is important. The manuals leave out steps which causes confusion. Buy the product with support and attend the classes. Guidance Software tech support is very helpful.

Keep in mind that a hardware write blocker is a must if you are going to court with the evidence you find.

If you are having trouble selling the idea to IT management, remind them that this sofware can find deleted files and files on reformatted drives. There are many non-forensic uses for it.

 

[vanillapod]

Just got back off training for version 5 forensic version. Its really cool. Internet and email viewing is pretty much totally automated and real easy.

They're talking about releasing a software based version of their 'Fastbloc' which is a write blocker so that'll be cool when its out.

The training is worth it, recreating deleted partitions, viewing registry etc etc... good stuff. We use it in a corporate environment.