Forensics
RE: Autopsy vs. FTK Mar 09 2005 12:59PM
Cooper, Christopher (Christopher Cooper ed gov)
Also take a look at: http://swish-e.org

Both Swish-e and Glimpse have great on-line documentation, which talks about the switches and plugins. It is as simple as changing a few files to customize your search.

-C...
-----Original Message-----
From: Greg Freemyer [mailto:greg.freemyer (at) gmail (dot) com [email concealed]]
Sent: Tuesday, March 08, 2005 2:06 PM
To: subscribe (at) crazytrain (dot) com [email concealed]
Cc: Forensics
Subject: Re: Autopsy vs. FTK

On Mon, 07 Mar 2005 07:30:04 -0500, subscribe wrote:
> On Fri, 2005-03-04 at 17:48, Greg Freemyer wrote:
> > My company uses FTK as its normal analysis tool, but we image in Linux.
> >
> > One of the main reasons we use FTK is the indexed search capability,
> > but we all know FTK has had stability issues in the past.
> >
> > I went to a SMART lecture Wed. and was told that SMART does not have
> > an indexed search capability, but I see that Autopsy does.
> >
>
> Correct. But 'glimpse' is available and hard to beat. I'm not sure ASR
> Data wants to reinvent the wheel with respect to indexing.
>
>
> > Is there a webpage that compares FTK and Autopsy.
>
> Probably....somewhere....GOOGLE... :)
>
> (I haven't seen one, but I feel silly saying 'Nope' - because someone,
> somewhere, probably has a listing for just this very question!)
>
> FTK and Autopsy are very different animals. Since you have FTK and you
> are comfy within Linux it shouldn't be hard to grab The Sleuth Kit and
> Autopsy and do a comparison for yourself. Areas I'm sure you'll find
> 'different' include:
> - Registry viewing
> - Ability to import image formats of different types
> - E-mail parse
> - Encryption ID
> - etc.
>
> Of course, most of those are in a Win32 environment. So target OS
> analysis plays a key role in deciding which of these two programs to
> use.
>
> regards,
>
> farmerdude
>
> www.crazytrain.com
>
>
Okay, assuming Linux-based tools and ignoring imaging:

do you mind walking me through what I hope is a simple scenario.

We have a 300GB disk basically full of docs, zip files, jar files,
etc. (no PSTs).

We need to produce all docs that have one of 20 search terms in them.
The search terms have simple boolean logic (i.e. word1 and not word2).

Using FTK, we would simply load the case with indexing set, perform
our searches, add the results to a bookmark, export the bookmark.

With Linux / Smart / Glimpse?

And with Linux / Autopsy / new indexing patch, what would be the process?

Thanks
Greg
--
Greg Freemyer
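The Linux-side process Greg asks about, as an added example that is not from the thread or from Glimpse, Swish-e or Autopsy: a POSIX shell script that runs a terms file of `word1 NOT word2` queries over a mounted, read-only evidence tree with grep, sort and comm, and prints a term-to-file list that can be exported the way an FTK bookmark would. The evidence path and terms file are hypothetical, archives (zip/jar) are assumed to be already expanded into the tree, and on a 300GB volume an indexer such as Glimpse would replace the grep pass while the set logic stays the same.

```shell
#!/bin/sh
# Added example (not from the thread): "which files contain word1 AND NOT word2"
# over a mounted, read-only evidence tree, using only grep, sort and comm.
# Assumption: zip/jar archives have already been expanded into the tree.

# Sorted, de-duplicated list of files under $1 containing fixed string $2
# (case-insensitive); permission errors on the evidence mount are ignored.
files_containing() {
    grep -rlFi -- "$2" "$1" 2>/dev/null | LC_ALL=C sort -u
}

# Files under $1 matching "$2 AND NOT $3" ($3 may be empty for a plain term).
# comm -23 keeps only lines present in the first sorted list.
files_and_not() {
    dir=$1; inc=$2; exc=$3
    if [ -z "$exc" ]; then
        files_containing "$dir" "$inc"
        return
    fi
    a=$(mktemp); b=$(mktemp)
    files_containing "$dir" "$inc" > "$a"
    files_containing "$dir" "$exc" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Run every line of a terms file ("inc" or "inc NOT exc") against $1 and
# print each hit as "term<TAB>file", the list a reviewer would export.
run_terms() {
    dir=$1; terms=$2
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case $line in
            *" NOT "*) inc=${line%% NOT *}; exc=${line#* NOT } ;;
            *)         inc=$line; exc= ;;
        esac
        files_and_not "$dir" "$inc" "$exc" |
            while IFS= read -r f; do printf '%s\t%s\n' "$line" "$f"; done
    done < "$terms"
}

# Constructed demo corpus (not real evidence) so the script runs stand-alone.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ev/docs" "$tmp/ev/mail"
    printf 'invoice for project ACME\n'  > "$tmp/ev/docs/a.txt"
    printf 'ACME draft - CONFIDENTIAL\n' > "$tmp/ev/docs/b.txt"
    printf 'lunch menu\n'                > "$tmp/ev/mail/c.txt"
    printf 'acme\nmenu NOT lunch\nacme NOT confidential\n' > "$tmp/terms.txt"
    run_terms "$tmp/ev" "$tmp/terms.txt" | sed "s|$tmp/ev/||"
    rm -rf "$tmp"
}
```

Documents that compress or re-encode their text (zipped XML, UTF-16) will not match a plain grep; extract their text first, or index them with a Glimpse or Swish-e filter, before running the term list.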

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Copyright 2010, SecurityFocus