My Road to Digital Forensics Excellence

Automatic Feature Sets Dumb Down the Investigator?

Posted by Paul Bobby on November 4, 2008

Okay, so I freely admit to being partial to Encase; in fact, I use the tool almost exclusively. However, there are some industry peers hell-bent on painting the picture that individuals who rely on feature-rich tools such as Encase, instead of command-line kung fu with Perl, are nothing more than point-and-click investigators.

Well, I take serious issue with that, of course. Granted, EnScripts, Case Processors and other built-in filters (Encase and FTK have a bunch) can lead one down the road of investigative complacency, but why should that apply to everyone who uses such a tool?

I am a heavy Encase user, yes, but I have disciplined myself to be the type of investigator who conducts an examination and just happens to use Encase to do it, rather than the type who uses Encase hoping to press the right button to solve the case.

So stop trying to make a Microsoft vs Mac issue out of Encase versus Perl scripts.


2 Responses to “Automatic Feature Sets Dumb Down the Investigator?”

  1. H. Carvey said

    What’s wrong with command-line kung fu and Perl? Personally, as an examiner and incident responder, I find these much more feature-rich and expandable than any commercial product, regardless of whether it’s EnCase, ProDiscover, or FTK. Every tool has its place, as well as its strengths and weaknesses… the process and methodology is “the thing”, as Shakespeare would say.

  2. Paul Bobby said

    Nothing wrong at all – in fact my post does not denounce the use of command-line tools at all – I use RegRipper a lot 🙂 My point is the almost immediate dismissal of any examiner who claims to use a nice feature-rich GUI package to do his or her work, because when they do, they are a lesser examiner than someone who uses the keyboard at a command prompt.

    If you think about it, people using your RegRipper are essentially in the same boat as those people who rely on Encase and do not know how ‘things work’. Just as I can run a registry-parsing EnScript and not know where the values are or how Encase produces its results, I can do the same with RegRipper: just get my report and go to court.
