In Depth
Computer Forensics: Tools of Evidence
Computer forensic tools now make it possible to more easily search for, and find, evidence on hard drives
By Simson Garfinkel
Overall, I found FTK significantly easier to use than EnCase. FTK makes it fairly easy to navigate through the file system and quickly spy on the file contents. Whereas EnCase relies heavily on external file viewers, FTK has a wide variety of viewers built into it. You can click on a button labeled Spreadsheets, and FTK will display a list with every found spreadsheet, its file name, the application that created it, and its creation date. Click on the name, and the spreadsheet itself displays in a different file pane. There are also one-button searches for databases, graphics and e-mail messages. Click on an Outlook PST file, and FTK will decode all of its content as well, including sent e-mail, journal entries, tasks, the calendar and deleted items.
On the other hand, FTK's all-in-one design can cause problems. FTK does an excellent job rendering webpages, but that's because the program uses the built-in Windows Control for displaying HTML. This can cause problems with suspect data: At one point, Windows started hammering me with JavaScript error alerts because the JavaScript on a hard drive that I was analyzing was malformed.
Serious investigators, of course, will want both; sometimes one program will find information that the other will miss. Such is the nature of all forensic tools.
But with so many good tools for finding things on hard drives, you would think that people or companies throwing them out would do their best to clean them. As we'll see next month, that's rarely the case.



