Thursday, February 20, 2014

Encase vs Autopsy vs XWays


Over the past few months, I have had the chance to work more extensively with the following IT Forensic tools (at the same time):

1. Encase Examiner
2. XWF or X-Ways
3. Autopsy

Most IT forensic professionals would say that there is no single tool that fits everything. I couldn't agree more.

Here are my personal views of each tool's pros and cons:

1. Encase:

Pros:
- Easy to use user interface.
- Renowned tool, accepted in courts of law.
- Easy reporting features.
- Easy and free tool for acquisition (Encase Imager).
- Built-in support for Bitlocker.
- Nice and user friendly "Review Package" that can be sent to Requestor for reviewing the evidence.

Cons:
- Not cheap.
- Evidence processing can be slow, especially when processing large PST files.
- Not portable by default.

2. XWF (X-Ways):

Pros:
- Very customizable evidence processing options. Thus, you can select to process only certain things that you want to look at e.g. emails, registry.
- Very flexible and granular filtering options. Filter by column 1 + filter in column 2 etc...
- Highly customizable search functions. For example, search for "xyz" only in Word documents.
- Multiple instances e.g. one doing "processing", the other doing live preview.
- Portable by default.
- Very frequent updates for new features. 

Cons:
- Complex interface. Technical in nature - not easy to learn for a beginner.
- Too many options to choose from, which can be confusing. (However, the default options are good enough for most cases.)
- Dongle must be attached at all times to start the software.
- No option to create a nice "Review Package" that you can forward to someone.
- No support for Bitlocker (the company I work for uses this a lot).

3. Autopsy:

Pros:
- Free for commercial use.
- Very fast and easy tool for analysis of user's browsing history or internet activities.

Cons:
- Limited function (but it is free!).
- No support for Bitlocker.
- No nice "review package".

Thus, it really depends on what you want to do. For example, if I would like to quickly find out how a malware infected a machine, I would use Autopsy first. If I would like to process evidence for fraud cases, I would go for Encase first. X-Ways will be the tool if I need to do complex filtering and fast extraction of some evidence.

Have fun!