I get this every now and then - "what tools do I use"? Meh, of course I am more about the process and using the right tool for the job, BUT I recognize the familiar tool bias (you like what you know) and personal bias towards the way I like to approach problems. I like to check work from multiple tools and note that in my summary of findings. So I am answering this from the primary tool perspective. With that said, here I go on about the overall forensic tool kit.
Overall forensic tool kit - X-Ways Forensics, combined with the $199 version of DTSearch. I used to be almost 100% EnCase, then migrated to AccessData FTK, but now I am mostly on X-Ways. I feel it is as flexible as it can be: I don't have to do a monolithic import to get things going. I just mount the image read-only, start the DTSearch index, open the image in X-Ways, and start processing. I have been using AccessData FTK as the backup and when I have multiple cases that need processing at the same time, and I still check my work with Carrier's Sleuth Kit. I believe I use tools fairly agnostically, but I just have not needed to reach back to my older version of EnCase. Also, I never get into flame wars about how your choice rocks and everyone else's is bad - I just put things in categories of the good and bad parts of using whatever tool you are talking about.
SIFT workstation - I love version 2.0 and have been warming to the idea of VM forensic kits with shared folders that allow me to use a combination of win32 and *nix tools without large copy times or loading external drives.
Oh, running late - follow up later