Open source and free EnCase-like tools?


fantr (#1)
I am new to forensics and would like to play around with some of the different tools available. I can not afford EnCase. What free tools are available that you would recommend which are similar to EnCase?

Are there demo versions of EnCase available that give you the ability to use the product for educational purposes?

Thanks in advance!
 

Prickaerts (#2)
Hi Fantr,

Have a look at Helix, it's a bootable Linux distribution with The Sleuth Kit/Autopsy included. It will take some time to get started if you are not familiar with Linux, but it is free and versatile.

FTK has a 5000-item demo mode. You cannot investigate a full installation of most any operating system, but a simple USB stick can be used to check out the program/functionality.

It might be that EnCase has an educational license fee, but I suspect that to still be fairly costly.

FTK Imager is a free download from AccessData. You can use it for both imaging and simple analysis tasks (exporting of files included).

Chris
 

RobertR (#3)
There is not much for free that is really EnCase- or FTK-like... probably the best free tool is The Sleuth Kit/Autopsy combination. You can run it in most environments, including Windows via Cygwin.
 
#4
fantr said:
I am new to forensics and would like to play around with some of the different tools available. I can not afford EnCase. What free tools are available that you would recommend which are similar to EnCase?

Are there demo versions of EnCase available that give you the ability to use the product for educational purposes?
Yes, there are. Stephen Bunting's EnCE Study Guide book has a DVD with a limited version of EnCase meant to be used with the files on the DVD.

However, there are other options, as well...on the commercial side, TechPathways offers a Basic version of ProDiscover for free.

If you want to learn what is going on "under the hood", as it were, there are a number of places you can go on the Internet to get "free" images; my favorite one is here:
cfreds.nist.gov/Hacking_Case.html

Now, FTK Imager Lite is free from AccessData...you can create your own images, even do live acquisitions. Using FTK Imager Lite, you can separate out the unallocated space, and use tools like foremost and scalpel to do data carving. Once you build up some skill and knowledge, you can do your own searching for particular artifacts...Event Log event records, Registry keys, etc.

To mount the image as a read-only, live file system, you can use VDKWin and the associated vdk.sys. This mounts the image on your system as a read-only drive letter. Be sure, for the sake of process and procedure, to also set file system permissions on the image files as well. You can verify that changes weren't made to the image files using Jesse Kornblum's hash tools.

Once you have access to the files in the image via FTK Imager Lite or VDKWin, you can do your own analysis...file parsing and analysis, etc. It's not that hard, really. There are a number of tools available, and the book "Windows Forensic Analysis" contains some excellent Perl scripts.

If you want to boot an image to see what the user saw, use ProDiscover Basic to create the .vmdk file, and then use LiveView to boot. You can also use VMware... VMware Player and Server are both free (Server requires some configuration, I believe, to make it do bridged networking...).

There is a lot more to forensic analysis than EnCase. Knowing what is going on under the hood, and understanding what you're looking for, can be more beneficial to the examiner than knowing what buttons to push in a GUI. That is not to say that knowing how to really use EnCase is not beneficial...but understanding what it is doing and how it is doing it is also important.

Tools like Autopsy/TSK and another free one called PyFlag are excellent tools, as well, and allow the examiner to access system images, providing a layer of abstraction. However, it is still up to the examiner to know what to look for, and how to extract and interpret the data. I use Perl mostly, and have had a great deal of success.

Thanks,

Harlan
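Harlan's post above describes the "under the hood" workflow: pull unallocated space out of an image, carve files from it by header/footer signature the way foremost and scalpel do, and hash the image before and after to prove the evidence was not altered. The following is an added example written for this thread, not code from any of the tools or posters mentioned. It implements that header/footer carving over a constructed byte string that stands in for a chunk of unallocated space, and wraps the carve in a SHA-256 check. The signature table entries for JPEG and PNG use the real file markers; the size caps are assumed values of the kind one would put in a scalpel.conf, and the sample image is constructed inline.

```python
"""Header/footer signature carving over raw bytes, with an integrity check.

Added example for the forum thread; not code from foremost, scalpel, FTK
Imager or any poster. Run it directly to see what is carved from the
constructed sample image.
"""
import hashlib
from typing import Dict, List, Tuple

# name -> (header, footer, max_size). Markers are the genuine JPEG SOI/EOI and
# PNG signature/IEND chunk bytes; the 64 KiB caps are assumed, like a
# scalpel.conf size column, and bound the footer search for each header hit.
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 64 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 64 * 1024),
}


def sha256_hex(data: bytes) -> str:
    """Hex digest of the image bytes; compare before and after any processing."""
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes, signatures=SIGNATURES) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, carved_bytes) for each header whose footer appears
    within max_size bytes. A header with no footer in range (a stray marker in
    slack, or a file whose tail was overwritten) is skipped rather than emitted
    as a truncated file, so the caller sees only complete header..footer runs."""
    found = []
    for name, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += len(footer)
                found.append((name, pos, image[pos:end]))
                pos = image.find(header, end)   # resume after the carved file
            else:
                pos = image.find(header, pos + 1)
    return sorted(found, key=lambda t: t[1])


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: zero filler, one small JPEG,
    one small PNG, and an orphan JPEG header with no footer. The JPEG and PNG
    bodies are padding, not real image data; only the markers matter here."""
    filler = b"\x00" * 512
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF" + b"A" * 100 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"B" * 50
           + b"IEND\xaeB`\x82")
    orphan = b"\xff\xd8\xff\xe1" + b"C" * 20
    return filler + jpg + filler + png + filler + orphan + filler


def run() -> dict:
    """Hash, carve, re-hash: the re-hash is the procedural check that analysis
    did not touch the evidence bytes."""
    image = build_sample_image()
    before = sha256_hex(image)
    carved = carve(image)
    after = sha256_hex(image)
    return {
        "hash_unchanged": before == after,
        "sha256": before,
        "carved": [(name, offset, len(data)) for name, offset, data in carved],
    }


if __name__ == "__main__":
    result = run()
    print("image sha256:", result["sha256"], "unchanged:", result["hash_unchanged"])
    for name, offset, size in result["carved"]:
        print(f"  {name} at offset {offset}, {size} bytes")
```

The orphan header in the sample is the case a carver has to tolerate: a signature byte sequence with no matching footer in range. Real tools differ in what they do there (foremost can emit the partial run up to the size cap); this example drops it so that every carved item is a complete header-to-footer run. Against a real image you would feed it the unallocated-space export rather than the whole disk, and keep the source file read-only as Harlan says.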
 

Sleepy (#5)
The textbook for an intro to forensics class I had has a "demo" of EnCase also.

It's called "Guide to Computer Forensics and Investigation" by Bill Nelson, Amelia Phillips, Frank Enfinger and Christopher Steuart.
 

ddow (#6)
Sleepy said:
It's called "Guide to Computer Forensics and Investigation" by Bill Nelson, Amelia Phillips, Frank Enfinger and Christopher Steuart.
The third edition of that book is quite good. It's new, so don't let anyone sell you the second edition.

Dennis
 
#7
fantr said:
I am new to forensics and would like to play around with some of the different tools available. I can not afford EnCase. What free tools are available that you would recommend which are similar to EnCase?
fantr,

www.asrdata2.com has an evaluation version of SMART for Linux, a GUI forensic program that you should demo. If nothing else, grab the eval and read the User Guide to see what the program is capable of.


cheers!

farmerdude
 
