
RE: Autopsy vs. FTK

Subject: RE: Autopsy vs. FTK
Date: Wed, 9 Mar 2005 07:59:09 -0500
Also take a look at:  http://swish-e.org

Both Swish-e and Glimpse have great on-line documentation, which talks about 
the switches and plugins.  It is as simple as changing a few files to customize 
your search.

-C...
-----Original Message-----
From: Greg Freemyer [mailto:greg.freemyer@gmail.com]
Sent: Tuesday, March 08, 2005 2:06 PM
To: subscribe@crazytrain.com
Cc: Forensics
Subject: Re: Autopsy vs. FTK


On Mon, 07 Mar 2005 07:30:04 -0500, subscribe wrote:
On Fri, 2005-03-04 at 17:48, Greg Freemyer wrote:
My company uses FTK as its normal analysis tool, but we image in Linux.

One of the main reasons we use FTK is the indexed search capability,
but we all know FTK has had stability issues in the past.

I went to a SMART lecture Wed. and was told that SMART does not have
an indexed search capability, but I see that Autopsy does.


Correct.  But 'glimpse' is available and hard to beat.  I'm not sure ASR
Data wants to reinvent the wheel with respect to indexing.


Is there a webpage that compares FTK and Autopsy?

Probably....somewhere....GOOGLE...  :)

(I haven't seen one, but I feel silly saying 'Nope' - because someone,
somewhere, probably has a listing for just this very question!)

FTK and Autopsy are very different animals.  Since you have FTK and you
are comfy within Linux it shouldn't be hard to grab The Sleuth Kit and
Autopsy and do a comparison for yourself.  Areas I'm sure you'll find
'different' include:
- Registry viewing
- Ability to import image formats of different types
- E-mail parse
- Encryption ID
- etc.

Of course, most of those are in a Win32 environment.  So target OS
analysis plays a key role in deciding which of these two programs to
use.

regards,

farmerdude

www.crazytrain.com


Okay, assuming Linux-based tools and ignoring imaging:

do you mind walking me through what I hope is a simple scenario.

We have a 300GB disk basically full of docs, zip files, jar files,
etc.  (no PSTs).

We need to produce all docs that have one of 20 search terms in them.
The search terms have simple boolean logic.  (i.e. word1 and not word2)

Using FTK, we would simply load the case with indexing set, perform
our searches, add the results to a bookmark, export the bookmark.

With Linux / Smart / Glimpse?  

And with Linux / Autopsy / new indexing patch, what would be the process?

Thanks
Greg
-- 
Greg Freemyer
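The scenario Greg describes above (index a tree of documents, including the contents of zip archives, run boolean term queries such as "word1 and not word2", and export the list of matching documents) is what tools like Glimpse or Swish-e do for you. As an added illustration that is not part of the original thread and not code from any of the tools mentioned, the following self-contained Python script builds a small inverted index over a constructed sample corpus, evaluates boolean queries with and/or/not and parentheses, and writes the hit list to a manifest file. The corpus contents, file names and function names are all invented for the example.

```python
"""Indexed boolean search over a document tree, including zip members.

Added example, not part of the original thread. The sample corpus
built by make_sample_corpus() is constructed for this demonstration.
"""
import os
import re
import tempfile
import zipfile
from collections import defaultdict

WORD_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case word tokens; a set, since we only need presence per document."""
    return set(WORD_RE.findall(text.lower()))


def build_index(root):
    """Walk root once and return (index, all_docs).

    index maps word -> set of document ids; ids are paths relative to root,
    and members of zip archives are identified as 'archive.zip!member'.
    """
    index = defaultdict(set)
    all_docs = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        doc_id = f"{rel}!{member}"
                        all_docs.add(doc_id)
                        text = zf.read(member).decode("utf-8", "replace")
                        for word in tokenize(text):
                            index[word].add(doc_id)
            else:
                all_docs.add(rel)
                with open(path, "rb") as fh:
                    for word in tokenize(fh.read().decode("utf-8", "replace")):
                        index[word].add(rel)
    return index, all_docs


class BooleanQuery:
    """Recursive-descent evaluator: 'not' binds tighter than 'and', 'and' than 'or'."""

    def __init__(self, index, all_docs):
        self.index, self.all_docs = index, all_docs

    def run(self, text):
        self.toks = re.findall(r"\(|\)|[a-z0-9]+", text.lower())
        self.pos = 0
        result = self._expr()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token: " + self.toks[self.pos])
        return sorted(result)

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _expr(self):                       # expr := term ('or' term)*
        result = self._term()
        while self._peek() == "or":
            self._next()
            result = result | self._term()
        return result

    def _term(self):                       # term := factor ('and' factor)*
        result = self._factor()
        while self._peek() == "and":
            self._next()
            result = result & self._factor()
        return result

    def _factor(self):                     # factor := 'not' factor | '(' expr ')' | WORD
        tok = self._next()
        if tok == "not":
            return self.all_docs - self._factor()   # complement over the whole corpus
        if tok == "(":
            result = self._expr()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return result
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError("malformed query")
        return set(self.index.get(tok, ()))


def export_manifest(hits, manifest_path):
    """Write one document id per line (the 'export the bookmark' step); return the count."""
    with open(manifest_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(hits) + ("\n" if hits else ""))
    return len(hits)


def make_sample_corpus():
    """Constructed sample data: three text files and a zip with one member."""
    root = tempfile.mkdtemp(prefix="corpus_")
    docs = {
        "memo1.txt": "Project Falcon budget approved by Alice",
        "memo2.txt": "Project Falcon cancelled; see legal",
        "notes.txt": "Lunch menu for Friday",
    }
    for name, text in docs.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    with zipfile.ZipFile(os.path.join(root, "archive.zip"), "w") as zf:
        zf.writestr("inner.txt", "Falcon invoice attached, approved")
    return root


if __name__ == "__main__":
    corpus = make_sample_corpus()
    idx, docs = build_index(corpus)
    query = BooleanQuery(idx, docs)
    hits = query.run("falcon and not cancelled")
    print(hits)  # ['archive.zip!inner.txt', 'memo1.txt']
    print(export_manifest(hits, os.path.join(corpus, "hits.txt")), "hits exported")
```

The index is built once and then queried as many times as there are search terms, which is the property that makes an indexed tool attractive on a 300 GB disk compared with rescanning the disk per term with grep. Note that `not` is evaluated as the complement over every indexed document, so a query like `falcon and not cancelled` correctly excludes only documents that mention the excluded term.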

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
