Cross-reference Functions EnCase VS FTK

Function	FTK	EnCase
1. Acquisition	1. In the Acquisition FTK can - Perform network-based, secure, single-system forensic acquisition of physical devices, logical volumes and RAM. § The agent is easy to deploy. § Doesn’t require a cumbersome installation and authentication process. Secure Remote Device Mounting 2. FTK can validates MD5 and SHA-1 hash for verification of the data-copying process 3. In the Acquisition function FTK can do the physical data copy , logical data copy ,data acquisition formats ,GUI process ,and verification	1. Encase can do the : § physical data copy § logical data copy § data acquisition formats § command –line process § GUI process § remote acquisition and do the verification 2. EnCase prompts to obtain MD5 hash value for verification of the data-copying process
2. Validation	FTK – can do the hashing ,filtering and analyzing the file headers	EnCase- can do the hashing ,filtering and analyzing the file headers
3. Extraction (Analysis)	1. Ability to read – FTK reads and indexes data from Microsoft PST and OST files, EnCase doesn’t – 2. FTK can analyze unallocated data areas of a drive/image file and locate fragments or entire file structures that can be carved and copied into a new file. 3. FTK can viewing the data ,do the Keyword searching decompressing , carving ,decrypting and bookmaking Example : Bookmaking function 4. FTK produces a list of possible passwords for an encrypted file from a suspect drive. FTK’s generated password list can be loaded into.	1. Ability to read - EnCase enable you to create script for extracting but FTK doesn’t 2. EnCase, can analyze unallocated data areas of a drive/image file and locate fragments or entire file structures that can be carved and copied into a new file. 3. EnCase: can viewing the data ,do the Keyword searching decompressing , carving , and bookmaking
4. Reconstruction	1. FTK can do the disk to disk copy , Image to disk copy	1. EnCase can do the disk to disk copy , Image to disk copy, do the partition-to-partition copy and Image-to-partition copy
5. Reporting	1.FTK –dynamic HTML report ,easily customizable ,exportable gallery view 2. FTK, can produce log reports that records activities the investigator performed You can create a section in the report that lists the bookmarks that were created during the case investigation. You can also choose to not create a bookmark section. · You can create a section in the report that displays thumbnail images of the case graphics. · You can create a section in the report that lists the file paths of files in selected categories. The List by File Path section simply displays the files and their file paths; it does not contain any additional information. However, you can export and link to the files in the File Path list by checking the Export to the Report box. · You can create a section in the report that lists file properties for different file types in selected categories.	1. Difficult customization, static content make big report