At last the team working on the Forensic Tool Comparison is finally finished with their final report! Read below to introduce yourself to the project and follow this link to view and download the PDF of the report.
introduction
Recently, Access Data released new updates for their computer forensic program Forensic
Toolkit (FTK). Magnet also released its own imaging tool Magnet ACQUIRE. We took the
opportunity to record benchmarks and test these programs new features on computers that would
be similar to computers used by law enforcement officials and private companies alike. We hope to perform an effective forensic tool comparison.
background
Tool comparison research is a staple of LCDI operations. Each time a new version of a forensic
tool comes out we investigate the updates to the software and re-compare each tool’s
performance to discover each tool’s strengths and weaknesses of each to aid in forensic
investigations.
Purpose and scope
Since FTK has released a newer version of their software (version 6.0.1). We have decided to
update our findings from the previous projects by comparing Access Data’s Forensic Toolkit
(FTK) v.6.0.1, Guidance Software’s EnCase v7.10, and Magnet’s Internet Evidence Finder (IEF)
v6.7. We are also going to look at the differences between each tool’s corresponding imaging
software such as FTK Imager, EnCase’s imaging option, and Magnet’s new imaging software
Magnet ACQUIRE.
Research Questions:
- How long do specific keyword searches on a reasonable set up take to complete in FTK
v6.0.1, EnCase v7.10, and Magnet IEF v6.7? - How many “hits” do the tools receive for each keyword search? If the number of hits
differs, what does this tell us about the tools? - How accurate are the timeline features of FTK v6.0.1, EnCase v7.10, and Magnet IEF
v6.7 compared to the known data generation time? - How do the exporting features of FTK v6.0.1, EnCase v7.10, and Magnet IEF v6.7
compare to each other for exporting both files and folders?