Jason,

I partially agree with your response, but it fails to address the
complexities of zip/compressed tar/jar files.

We ended up using dtSearch for Windows, but I must admit that I
expected there to be a Linux solution that could be competitive. I'm
a Linux bigot and would prefer to work in that environment.

Our Logic:

FTK can only handle 2,000,000 objects, and we hit that at the 50 GB
point because of zip, tar, and jar files. Just too many sub-objects.

We considered Encase, but we had thousands of the above collections
that needed to be searched. I think we could have written scripts to
handle them in an automated fashion, but Encase out of the box does
not automatically search compressed archives, so we moved on.

dtSearch is incorporated within FTK so we had confidence in the
product. And the standalone version does not have FTK's 2,000,000
object limit. Surprisingly, it seems to index slower than the FTK
version, but such is life. The good news is that it does expand zips
and search them. A pretty basic requirement for any "forensic"
analysis in my book.

Greg

Indeed, if your not interested in unallocated space, perhaps the best
forensic tools are those that provide data to the forensic technologist.
And if you use the forensic program Mount Image Pro or MIP you can mount the
drive image and use any windows programs.
Consider the best windows search tools by my standards are dtSearch or ISYS.
BTW the FTK search engine uses a version of dtSearch! Also a great
on-the-fly and budget minded windows search tool is Examine32. If you do
need unallocated space searched, and I can't remember them all, WinHex and
it's big forensic brother X-Ways Forensics right along with Parben's Text
Searcher do the job.

Regards,

Jack

Jack Seward
***@msn.com
New York City
917-450-9328
Fax: 212-656-1486



----- Original Message -----
From: "Jason Coombs" <***@science.org>
To: "Brian Carrier" <***@sleuthkit.org>
Cc: "Greg Freemyer" <***@gmail.com>; "Forensics"
<***@securityfocus.com>
Sent: Sunday, March 13, 2005 5:05 PM
Subject: Re: Autopsy vs. FTK
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Jason said:

<<
All tools are "forensic" when they are used by a "forensic technician"
in conjunction with a "forensic investigation".
Jason,

Perhaps you could elaborate on this definition of a "forensic" tool. Taken
at face value, I disagree with it.

In my mind, some tools have no "forensic" function whatsoever and should
never be called a "forensic" tool. As just one example, Windows Explorer
is not a "forensic" tool. If a "forensic technician", in conjunction with
a "forensic investigation", uses Windows Explorer to make copies of data
from an unprotected original hard drive, that is not forensically sound.
Putting the original hard drive on a hardware write blocker and then
copying the files from the drive using Windows Explorer may be a
"forensically sound process". But that process merely compensates for
forensically unsound Windows environment and Explorer. Explorer itself is
never a forensic tool.

That's how I look at it.

James

==============================================================
James O. Holley Cell: 914.320.4874
Ernst & Young Office: 212.773.2902
Investigative & Dispute Services Lab: 212.773.7784
5 Times Square Fax: 212.773.4280
New York, New York 10036 Mobile Fax: 866.436.2643
Pager: 888.620.5275
Pager Email: 6205275 at skytel dot com
==============================================================


________________________________________________________________________
The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

Notice required by law: This e-mail may constitute an advertisement or solicitation under U.S. law, if its primary purpose is to advertise or promote a commercial product or service. You may choose not to receive advertising and promotional messages from Ernst & Young LLP (except for Ernst & Young Online and the ey.com website, which track e-mail preferences through a separate process) at this e-mail address by forwarding this message to no-more-***@ey.com. If you do so, the sender of this message will be notified promptly. Our principal postal address is 5 Times Square, New York, NY 10036. Thank you. Ernst & Young LLP


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com