Educause Security Discussion mailing list archives
Re: Best Forensic Tools?
From: Guy Pace <gpace () SBCTC EDU>
Date: Tue, 30 Mar 2010 09:55:38 -0700
Encase and Forensic Toolkit (FTK) are the more common around here. None of them are simple to use, especially if you are using them for forensic analysis.

It isn't the software that has the reputation with the courts, it is the investigator/examiner that has earned the respect and reputation through hard experience. It doesn't matter what software you use, you can still make a hash of an investigation if you don't understand the procedures and process and know what you are doing.

I recommend getting some training, first. Then looking at the tools that seem to fit your needs best. A good, thoughtful investigator/examiner using simple, well-understood tools and knowing how to present the evidence can trump an Encase bootcamp grad police officer in court.

Harlan Carvey uses a lot of self-designed tools for forensics work. He is well known to the court systems where he works, and can speak plainly and authoritatively to the information he gathers in his investigations. He is the exception and exceptional. Could an untrained person grab a bunch of his tools and do the same? Not likely.

Also, never underestimate where an incident will end up. Always approach an incident as though it will end up in court, pay attention to process and chain of evidence and act accordingly. If you are not trained to gather forensic evidence with the tools you have and on the platform in question, stop and bring in a certified digital forensic investigator. It is that important.

Guy L. Pace, CISSP
Security Administrator
Information Technology Division
WA State Board for Community and Technical Colleges (SBCTC)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () sbctc edu

"Great art is a practice. Turn it into a process and the result is a paint-by-numbers system."
Bob Lewis

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne Samardzich
Sent: Tuesday, March 30, 2010 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Best Forensic Tools?

What forensic tools do you use? For copying HD's, looking for data, e-discovery? I've been looking at Encase and Safeback: not sure of the pricing structures.

We need some tools that will be relatively easy to use and have the reputation in the legal world for effectiveness and trustworthiness.

Best,
Wayne

Wayne Samardzich
Operations Supervisor
Information Services
Purdue Calumet
219 989 2307