Comparison of EnCase and FTK Digital Forensic Investigation Tools

Guidance software EnCase and AccessData FTK are the modern digital forensic investigation tools with robust features of investigating digital evidence involving encrypted files and compressed content in digital evidence. According to Guidance Software OpenText Company, who are the developers and owners of the EnCase digital forensic software, the latest release of the tool is equipped with features such as apple file system support, and updated encryption support which is aimed at providing an advanced user experience to conduct digital forensic investigation precisely and efficiently. On the other hand, AccessData FTK tool is described as having features such as mobile device interoperation and e-discovery technology (Jensen, 2015). The most beneficial functionality in AccessData FTK is the ability to generate the hash values for all each file in digital evidence including the encrypted files and their dates of creation and modification. This helps in validating the integrity of the digital evidence using specified hash values. EnCase beneficial function the ability to retrieve all the file names in digital evidence (Ahmed & Li, 2018).

Guidance Software EnCase and AccessData FTK Capabilities Outline

EnCase

AccessData FTK

Able to analyze images produced in evidence

Able to analyze images produced in evidence

Simple and easy to use user interface with powerful customizable processing hence saves time.

Faster to search and increase speed of analysis thus eliminates waster time

The reporting options are flexible to handle

Indexes and processes data upfront

Integrated with Mobile investigator tools hence applicable in mobile device investigations. Also has an automated External Review

Database driven with a central and secure environment

Volume shadow copy capabilities

Can recover passwords from more than 100 files

Hash Value comparison

John X Smith:  04ce35da82906c77f6ffa74b8a63d9b1

John X. Smith: e0978f948a14f980af30031de7b10437

MD5 Checksum Tool was used in verifying the integrity of both files. The results indicated a difference in the hash values thus showing that the two files are not identical. Therefore, any modification of a file generates a different hash value which interferes with forensic investigation results from the digital evidence.

References

Ahmed, A. A., & Li, C. X. (2018). Analyzing Data Remnant Remains on User Devices to         Determine Probative Artifacts in Cloud Environment. Journal of forensic             sciences, 63(1), 112-121.

Guidance Software EnCase Documentation. (2018). Retrieved from             https://www.guidancesoftware.com/document?types=User-Guide

Jensen, C. (2015). AccessData FTK User Guide. Retrieved from             https://support.accessdata.com/hc/en-us/articles/204056525-FTK-User-Guide