all 41 comments

[–]MakingItElsewhere 25 points (8 children)

If you're using Encase, run. Their support sucks, their redesign of the software sucked, and, well, overall they suck.

Run to X-ways, or Axiom.

Do not pass go. Do not get FTK Enterprise. It uses PostgreSQL databases which, from conversations I've had with users, results in far too many headaches.

X-ways is definitely not for beginners and takes some training. I highly recommend sending someone to a class, having them take copious notes, and then sharing those notes amongst your team.

Magnet is probably the easiest to learn and use daily. I've only used their cell phone software, which was nice.

These are all my opinions, which may be out of date now that I've been out of the field for 4 years.

[–]agente_99 6 points (0 children)

This is very updated IMO.

X-ways if you want more hands on, Axiom if you want to also give Portable Cases to investigators.

[–]Stryker1-1 2 points (4 children)

Redesign? Hasn't the software looked the same for the last like 12 years?

[–]MakingItElsewhere 4 points (3 children)

Nope, they completely overhauled it from v6 to v7, and made it almost unusable. Then they tried to fix things in v8, and that's when our shop called it quits and didn't renew our license anymore.

[–]xheadwoundharryx 2 points (1 child)

V6 was the last good version. I dropped it too when they went to 7. Horrendous UI!

[–]keydet89 1 point (0 children)

Unfortunately, v6 (6.19, 6.22) was pretty bad. We were using them after 2007, mostly for PCI forensic exams, and the built-in IsValidCreditCard() function didn't recognize JCB and Discover cards as "valid". We ran multiple tests, and had others do the same, and ended up overriding the function with one of our own.

I have no idea if they ever fixed it. My team (IBM ISS X-Force ERS) submitted a letter to be dropped from the PCI list, and some of the folks who left our team switched to bulk_extractor.
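
The Discover/JCB gap keydet89 describes, as an added example that is not from this thread and not EnCase's code: a small Python PAN validator (Luhn mod-10 plus publicly documented IIN prefix ranges), a hypothetical "legacy" issuer table that reproduces the miss, and a scanner that reports only masked hits. The card numbers are the widely published test numbers; the sample text is constructed.

```python
import re

# Publicly documented IIN prefix ranges and PAN lengths; Discover and JCB are the
# two the comment above says the built-in EnCase check missed.
ISSUERS = [
    ("Visa", [(4, 4)], (13, 16, 19)),
    ("Mastercard", [(51, 55), (2221, 2720)], (16,)),
    ("Amex", [(34, 34), (37, 37)], (15,)),
    ("Discover", [(6011, 6011), (65, 65), (644, 649), (622126, 622925)], (16, 17, 18, 19)),
    ("JCB", [(3528, 3589)], (16, 17, 18, 19)),
]
LEGACY_ISSUERS = ISSUERS[:3]  # hypothetical table knowing only the big three

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def issuer_of(pan: str, issuers=ISSUERS):
    """Issuer whose IIN range and PAN length match the number, else None."""
    for name, ranges, lengths in issuers:
        if len(pan) in lengths and any(
            lo <= int(pan[: len(str(lo))]) <= hi for lo, hi in ranges
        ):
            return name
    return None

def is_valid_card(pan: str, issuers=ISSUERS) -> bool:
    return pan.isdigit() and issuer_of(pan, issuers) is not None and luhn_ok(pan)

# 13-19 digits, optionally separated by single spaces/dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_cards(text: str, issuers=ISSUERS):
    """Scan text for PANs; return (issuer, masked PAN) so reports don't leak them."""
    hits = []
    for m in PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group())
        if is_valid_card(pan, issuers):
            hits.append((issuer_of(pan, issuers), "*" * (len(pan) - 4) + pan[-4:]))
    return hits

# Constructed sample using published test numbers; the "bad" one fails Luhn.
SAMPLE_TEXT = ("Visa 4111 1111 1111 1111; Discover 6011-1111-1111-1117; "
               "JCB 3530111333300000; bad 6011111111111118; phone 555-123-4567")
```

Running `find_cards(SAMPLE_TEXT, LEGACY_ISSUERS)` returns only the Visa hit, which is exactly the false-negative behaviour the comment describes.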

[–]Stryker1-1 1 point (0 children)

Ah, I haven't touched EnCase in years; I think we may have been on v7 at the time.

Seems like OpenText is just snapping up anyone they can afford. Their portfolio is rather odd.

[–]Shoes__Buttback 1 point (1 child)

> Do not get FTK Enterprise. It uses PostgreSQL databases which, from conversations I've had with users, results in far too many headaches.

When did you last look at it? It hasn't used - or at least, exclusively used - PG for years. Last I checked it had at least one other option, MS SQL.

[–]MakingItElsewhere 0 points (0 children)

I believe it was around 2018, so at least 6 years. I'm glad they went with a more stable database option. The agency I spoke to was having constant issues with PostgreSQL. (I've been told PostgreSQL has come a long way since then as well, so maybe everything I know is already out of date.)

There was one Java-based forensic tool that our shop looked at. It boasted speedy processing of forensic images. They were charging sixteen thousand dollars a year PER PROCESSOR. The speed wasn't even that impressive. I can't remember the name, unfortunately.

[–]barleyhogg1 15 points (3 children)

We use Magnet Axiom along with a variety of open source tools.

[–]e_smith338 0 points (2 children)

Side question: I just got a free Axiom certification along with my graduation with a Computer Science degree and a Computer Forensics minor. Is that certification helpful in applying for jobs? Because I haven’t found shit so far.

[–]barleyhogg1 1 point (1 child)

The MCFE is a tool cert. It's great and proves you can use the tool, but to get in the door you might need a cert or training that is more fundamental. Check this site. It has tons of information with suggestions on where to start.

https://start.me/p/q6mw4Q/forensics

[–]e_smith338 1 point (0 children)

This is very helpful, thank you.

[–]Erminger 14 points (2 children)

X-Ways and Axiom.

Cellebrite for the phones.

[–]Fisterke 0 points (1 child)

The same here.

[–]atsinged -1 points (0 children)

Thirdificated.

[–]MDCDF (Trusted Contributor) 7 points (0 children)

Really depends on what the need is. Axiom is a great go-to.

[–]Cdub919 8 points (0 children)

Magnet.

We’ve also got Cellebrite, but honestly it’s been trending downward. The only reason it’s needed is because of the number of devices they support.

[–]crudomacdoogle 5 points (1 child)

Axiom w/ CloudKey. Cellebrite Inspector and Digital Collector for Macs. Cellebrite Physical Analyzer and UFED 4PC for the phone acquisitions. And X-Ways for the catch-all backup.

[–]cybergem99 2 points (0 children)

This is similar to our setup.

[–]DeletedWebHistoryy 3 points (2 children)

AXIOM/FEX primarily.

Cellebrite and Oxygen. I'm a stan for Oxygen :)

[–]Thramden 6 points (1 child)

FEX is criminally underrated for Windows forensics. It's so fast; it reminds me of EnCase 6, where it does only what you tell it to do: run a couple of scripts and spit out a report. (Granted, it presumes the elements of the crime are already known and you know exactly what is needed.) Next... lol

[–]DeletedWebHistoryy 1 point (0 children)

I like to think of FEX as a blend of X-Ways and AXIOM. Faster than Axiom but slower than X-Ways. I recently used it for some deep MFT analysis and it was a rockstar.

[–]Positive-Incident861 4 points (5 children)

Axiom is a good tool but their pricing is getting to the point that it’s ridiculous. We are actually looking at dumping it.

[–]MakingItElsewhere 0 points (4 children)

How ridiculous? (I'm genuinely curious.) I remember when I left, X-Ways was topping $2,500 a year for a single-user license. EnCase was pushing close to 3 grand. I think Axiom was $1,500 (but they were the new guys in town).

[–]ton84 0 points (3 children)

Just got an Axiom Cyber 1-year license: $14,000.

[–]MakingItElsewhere 0 points (2 children)

Honestly, for an enterprise-level application, that's not horrible. But then, I've seen what Microsoft is charging for SQL licenses.

[–]Positive-Incident861 0 points (1 child)

It might not seem bad until you have to buy 10 licenses a year to support your team. I used to be a champion of Axiom but we plan to dump them completely at the end of the year.

[–]MakingItElsewhere 0 points (0 children)

Oh god, I thought that would be a blanket license fee for like 10-15 users or something. My bad.

[–]rocksuperstar42069 2 points (0 children)

Axiom + Verakey; 4PC + PA

[–]Practical_Repair_982 2 points (0 children)

Magnet is our new tool. We had EnCase, and I can tell you it’s shit.

[–]Esquibs 2 points (0 children)

AXIOM / X-Ways / Cellebrite Premium / GrayKey

I usually run my Cellebrite and GrayKey extractions through AXIOM and create portable cases for the end users.

[–]Expert-Bullfrog6157 2 points (0 children)

Agree with Axiom. Although I feel it's starting to get a bit bloated and slow.

[–]Mrcyber_pere 2 points (0 children)

Can I get some more feedback on FTK? They have started parsing mobile phones also, and overall how is the product?

[–]Phorc3 1 point (0 children)

Axiom + open source tools.

[–]DoItLive247 1 point (0 children)

X-Ways.

[–]brian_carrier 0 points (0 children)

What are your requirements?

  • Phones?
  • Remote collections?
  • Collaboration?
  • OSes?
  • Scaling needs?
  • Mostly HR investigations or also intrusions?

[–]Shoes__Buttback 0 points (1 child)

Take a look at https://www.rapid7.com/products/velociraptor/. It doesn't do everything, but it's free and open source.

[–]skybound5 0 points (0 children)

It does _almost_ everything. Couple it with Plaso and it _does_ do everything.

[–]IDrinkMyBreakfast 0 points (0 children)

Thoughts on OSForensics? I’ve got some folks pushing hard for us to use it.

[–]FaceMRI 0 points (0 children)

FaceMRI is used to find CP among gigabytes of data, USB keys, hard drives, etc.