DFIR Training Blog



Something I see with forensic software preferences

We each have our own preferences in what we want to see in forensic tools. Some live and die by the CLI, where any GUI is blasphemy to the cause. Others demand that a button exist for everything and don’t even give a sideways glance at anything that requires typing a command or right-clicking to get to a function.

By the way, there’s nothing wrong with anyone’s preferences, as long as you can do the job with the tool you use. But there is something to keep in mind when you stand wholeheartedly fast in your software belief system, and it probably stems from your introduction to the tools. One thing that I have seen in introducing forensic tools is that the manner of introduction has a long-term effect on future users. If the introduction is poorly done, the odds are that unless the student makes an effort to correct the introduction, the use of that tool probably won’t happen.

Here’s one example.

While at FLETC during BCERT, we had a 3-day class from Accessdata on FTK. FLETC (at the time at least) gave Accessdata three days to teach FTK, gave four days to Guidance Software to teach EnCase, and so forth. X-Ways Forensics had been recently released and there was no training in X-Ways at FLETC/BCERT other than, “This is what X-Ways looks like. Next.”

But here’s the rub. The Accessdata instructor did such a terrible job that practically everyone in the class was bashing FTK the entire three days. It was that bad. It was the worst that I have ever seen in more ways than I can remember. Many in the course had never seen any forensic tool, let alone FTK, so the only impression was that Accessdata FTK must be terrible because the tool didn’t work and the instructor didn’t know how to use it. Luckily, I had Accessdata training prior, and had been using FTK for some time before my FLETC training. The end result is that this particular FLETC course pumped out a bunch of EnCase lovers and FTK haters. All because of three days of ineffective instruction. To Accessdata’s credit, they gave a training pass to everyone to repeat the course at any time, but I don’t know how many gave Accessdata a second chance.

The obvious intention of FLETC's BCERT was to introduce and give training in several tools so that we could choose the one that fits a case and fits our preferences, based on knowing the ins and outs of a box of software.

I don’t remember that instructor’s name who taught those three days at FLETC, but I can tell you that I used that credit to repeat the course after I left FLETC. For the repeat of this course, Dustin Hurlbut was the instructor. I remember Dustin’s name because his delivery of FTK was spot on. I subsequently had Dustin as an instructor with other Accessdata courses and every time, he did Accessdata very well. In every one of those courses, I am sure that he sent out motivated, new Accessdata users.

So, when I hear that someone doesn’t like a particular forensic tool, I ask specifically, ‘what is it that you don’t like about it?’. If I can’t get an answer that is specific, I assume that their initial exposure was negative, and they don’t really know why they don’t like it. I can work with that when I give training. Sometimes a proper re-introduction can do magic.

For me, I ‘prefer’ tools based on the situation at hand. At times, FTK can rock a specific scenario. EnCase is king in another. Magnet just kicks it in a different case. X-Ways fits the bill in another. Paraben covers a gap that no one can in a different situation. And so forth. When the results are virtually the same (output being only visually different), the tools generally do what you need to be done if you choose a tool that fits your needs. Preferences are valid when you can honestly compare tools against each other. It is much like complaining that a stick shift (meaning, you have to change gears manually...and use a clutch....) doesn't work because you don't know how to drive it; that isn't really a fair opinion of a stick shift when comparing it against an automatic transmission. However, if you can drive both, then not only can you give your personal preference of what fits your needs, but you can pick the transmission type that fits your needs.

My point

If someone else ‘loves’ a tool that you do not, take a step back and ask yourself ‘why?’. Why do they love it? Why do you not? You may discover that you have been missing out on a fantastic tool that could have saved you months of work and frustration as it actually fits your needs, and the only reason you didn't know is because your introduction to the tool was subpar. That’s not your fault way back then, but eventually it becomes your responsibility to find the tools that you need, regardless of any poor introductions made earlier.

Keep in mind, the more tools in your tool box, the more problems you can solve. Otherwise, when you only have a little tool bag, you are going to limit your effectiveness. As for me, I prefer to fill the toolbox, just in case.


Written by: Brett Shavers
