One of the advantages of running a computer forensic company is that I get to buy lots of tools to use. When I was working for other companies I would have to wait for budget cycles and submit justification for tool purchases, but for the last 7 years I've been able to buy them as I needed them. In those 7 years we've accumulated a lot of tools that we use for different specializations, along with a body of knowledge about them that I feel could be put to better use by sharing it with all of you.
With that in mind, I think it would be interesting to see how all these tools compare when working on the same forensic image. So I'm going to start making some test images to see how data from the same disk is interpreted when it is stored in different image formats. I am going to start with the identification, not the recovery, of deleted files and go from there.
My initial tool list to test includes:
EnCase v. 7.04
FTK v. 4.01
Smart 3-26-12
X-Ways Forensics v. 16.5
SIFT v. 2.13
Any other tool you want us to test? Let me know in the comments below.
I'll post my results as we finish each round of tests, and, as always, a large case could easily distract me!