Digital forensics

Comparison of popular computer forensics tools [updated 2019]

Ravi Das
July 6, 2019 by
Ravi Das

This article will be highlighting the pros and cons for computer forensic tools. The tools that are covered in the article are Encase, FTK, XWays, and Oxygen forensic Suite. This article has captured the pros, cons and comparison of the mentioned tools.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

EnCase

EnCase is a product which has been designed for forensics, digital security, security investigation, and e-discovery use. Encase is customarily utilized to recoup proof from seized hard drives. Encase enables the specialist to direct a top to bottom investigation of client records to gather digital evidence can be used in a court of law. 

Pros:

  • It is a very user friendly tool. Encase wins the race here as well by supporting the analyst with user friendly interface.
  • With the paid version of Encase which supports all utilities, it also has a free version which can be used for evidence acquisition which is very easy to use. This tool is known as the Encase Imager.
  • In terms of processing and analysis features, this tool also has good reporting functionalities built into it.
  • With the increase in cyber threats, encryption plays a significant role in securing data in any type or kind of system. Encase has built in support for almost all types of encryption including Bitlocker, MacAfee, Symantec, Sophos etc.
  • Good keyword searching capabilities and scripting features are available.

Cons:

  • This is a very expensive tool.
  • Encase processing can take a lot of time in case of very large compound files and mail boxes.
  • The latest versions of Encase sometimes are not compatible with other forensic based tools.
  • There is much usage of Encase for mobile forensics.

FTK

The Forensic Toolkit, or FTK, is a computer forensic investigation software package created by AccessData. It examines a hard drive by searching for different information. It can, for instance, find deleted emails and can also scan the disk for content strings. These can then be used as a secret key word reference to break any encryption. The toolbox incorporates an independent disk imaging program called the FTK Imager. It saves an image of a hard disk in one document or in different segments which can then be recreated later. It computes MD5 hash values and affirms the integrity of the information before closing of the documents. The outcome is an image file(s) that can be saved in a several formats.

Pros:

  • It has a simple user interface and advanced searching capabilities.
  • FTK supports EFS decryption.
  • It produces a case log file.
  • It has significant bookmarking and salient reporting features.
  • FTK Imager is free.

Cons:

  • FTK does not support scripting features.
  • It does not have multi-tasking capabilities.
  • There is no progress bar to estimate the time remaining.
  • FTK does not have a timeline view.

XWF (X-Ways)

X Ways Forensics is a powerful, commercial Computer Forensic Tool. It is a Windows based licensed software which offers many functionalities pertaining to computer forensics. One of the best advantages of this software is that it can be used in a portable mode.

Pros: 

  • Evidence processing options can be customized as per the requirements of the case.
  • It has a very flexible and granular filtering options as well as highly customizable search functions.
  • It is portable in nature and it checks for new features on a regular basis.

Cons:

  • The user interface is complex.
  • It is a dongle based software and does not work without it.
  • There is no support for Bitlocker.

Oxygen forensic suite

The Oxygen Forensics package is a mobile forensics software for logical examination of smartphones, cell phones and PDAs. The suite can extract device information, contacts, calendar events, SMS messages, occasion logs, and records. Likewise, it can also extract various types of metadata which is important in any digital forensic investigation. The suite gets to the device by utilizing proprietary protocols.

Pros:

  • Oxygen allows for physical extraction information and data from Android devices.
  • The user interface and options are very simple and clear to understand.
  • The final report can be saved in multiple readable formats such .xls, .xlsx, .pdf, etc.
  • It is an economically better option when compared to other mobile forensic tools.
  • It has a built in functionality that can be used to crack passwords for encrypted iTunes, locked iPhone or android backups.

Cons:

  • Its support for range of mobile devices is limited.
  • Since tool is computer based, there is a higher statistical probability of virus/malware entering inside the phone that is being examined.
  • It uses a brute force technique which incur a lot of time to complete the process.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Conclusion

In this article we have covered the difference between various forensic tools and listed down their pros and cons. It is important to note that there are many other forensic tools out there, it is not just limited to this list. Finding the right one to use is a direct function of the kind or type of case the forensics investigator is currently working on.

If you're in the market for a class in mobile computer forensics, InfoSec Institute is the place to be. We offer computer forensics classes that will cover many of the principles and tools discussed in this post. For more details and course pricing, just fill out the brief form above.

Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.