E-Discovery Processing Tools

Below is a sample of e-Discovery processing tools; some are better than others and the price will vary radically. This list does not recommend or comment on any of these tools.


Want to Break Passwords, using your Video Card?

If you need to crack a password, a fantastic company for breaking passwords is Elcomsoft.

They provide a variety of password cracking tools, including those with distributed capability.

If you need to break an MS Office, SQL, or EFS password, they have tools to do it.

However, their latest news is that they have managed to harness the processing power of NVIDIA graphics cards (GPUs) for their password cracking.

By doing this they have increased the speed at which they can crack WiFi (WPA and WPA2) passwords to 100 times faster than previously possible.

This means that Wireless Networks are 100 times less secure!


EnCase Forensic 6: Review

EnCase Forensic, produced by Guidance, is currently on version 6.11 (at the time of publishing). Version 6 was first released in late 2006.

Version 6 has attempted to gain market share in the areas EnCase 5.x could not handle previously – namely email handling and indexing.

Guidance have done this by adding Stellent at the back end, to try to handle compound files and indexing better. Stellent is used by many other tools, not least of which is FTK – the arch rival of Guidance.

The first versions of EnCase Forensic 6.x simply did not do what it said on the tin. Attempting to use the indexing feature was utterly futile: cases crashed, time was wasted, and anyone who paid for the upgrade to EnCase 6.0 no doubt felt cheated, again. To be fair, the launch of EnCase 6.0 was better than the appalling launch of FTK 2.0 (it could hardly be worse). But even EnCase 6.11 still does not have the simplicity of use that FTK 1.x has (in relation to indexing emails).

But Guidance are nothing if not consistent. Regular users of Guidance Software know that the first few versions of EnCase are never going to be stable; they will have bugs and flaws in them, for which we, the customers, are the beta testers.

By EnCase 6.10 the product had started to become far more stable; emails could be expanded and searched – though not through indexing (I would leave that to EnCase Version 7).

The scripts and case processor are effective and easy to work with, but the registry viewer is still poor compared to "Registry Viewer" by AccessData, which came as standard with FTK 1.0.

The disk view, transcript view, record view, search hit view, bookmarks view, entries view, etc. are all individually well presented; however, the huge array of views can be confusing.

Overall EnCase 6.x is better than EnCase 5.x, though it isn’t as good as the marketing says it is.


ED Tools: Wave

Trident, produced by Wave, is an excellent product and, unlike most electronic discovery and computer forensic tools, does exactly what it says on the label.

It takes emails (PST files), filters them by date, keyword searches them, and de-dupes them. It then outputs PST files in several different arrangements, e.g. you can produce a single PST file for all the users/custodians you loaded in, or you can produce separate PST files for each custodian. It can also handle horizontal/global and vertical/per-user de-duping procedures.

Trident can also output basic load files, though don't try using it to load data into Introspect or the like.

Wave will also handle standard e-files (DOC, XLS), and do the de-duping and all the good stuff listed above. It can also handle NSF files (outputting NSF files), but unfortunately it cannot keyword search attachments in NSF files – they need to be converted to PST files if that is required. But Trident admit this (though it's not widely advertised), so it's not a flaw, it's a documented feature!

In short, it's a great tool.

The primary flaw with it is that it can only handle PST files, i.e. it can't handle DBX, OST, or encrypted PST files – they need to be converted/decrypted if required. Tools like FTK can handle all those email formats – but can't do the de-duping that Trident can.
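The date filter, keyword search and horizontal/global versus vertical/per-custodian de-duping described above, as an added illustration that is not Trident's code or Wave's; the message records and the content-hash rule are constructed assumptions:

```python
import hashlib

# Constructed sample messages (not real data), one per item found in a
# custodian's PST. ISO dates compare correctly as plain strings.
MESSAGES = [
    {"custodian": "alice", "date": "2007-03-01", "subject": "Q1 budget",
     "body": "Please review the attached budget figures."},
    # Same email sitting in Bob's mailbox: a cross-custodian duplicate.
    {"custodian": "bob", "date": "2007-03-01", "subject": "Q1 Budget ",
     "body": "Please review the attached budget figures."},
    # Same email stored twice in Alice's own PST: an in-custodian duplicate.
    {"custodian": "alice", "date": "2007-03-01", "subject": "Q1 budget",
     "body": "Please review the attached budget figures."},
    {"custodian": "bob", "date": "2006-12-20", "subject": "Holiday party",
     "body": "Budget for drinks approved."},
    {"custodian": "carol", "date": "2007-05-09", "subject": "Lunch",
     "body": "Sandwiches at noon?"},
]


def message_hash(msg):
    """Fingerprint built from normalised content fields only (never the
    custodian), so one email found in two mailboxes hashes identically."""
    canonical = "\x1f".join([
        msg["date"],
        " ".join(msg["subject"].split()).lower(),
        " ".join(msg["body"].split()),
    ])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def process(messages, start, end, keywords, dedupe="global"):
    """Keep messages dated within [start, end] that match any keyword, then
    de-dupe either across all custodians ("global", horizontal) or only
    within each custodian ("custodian", vertical). First occurrence wins."""
    seen, kept = set(), []
    for msg in messages:
        if not start <= msg["date"] <= end:
            continue
        text = (msg["subject"] + " " + msg["body"]).lower()
        if keywords and not any(k.lower() in text for k in keywords):
            continue
        digest = message_hash(msg)
        key = digest if dedupe == "global" else (msg["custodian"], digest)
        if key in seen:
            continue
        seen.add(key)
        kept.append(msg)
    return kept
```

Grouping the returned list by `custodian` gives the per-custodian output sets; the global run gives the single combined set.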


Forensic Tools: EnCase Forensic

EnCase Forensic is owned and produced by Guidance Software Inc.

EnCase Videos:

Video: Locating the MFT from the Volume Boot Record
Video: Locating the First Partition from the MBR
Video: The MBR

EnCase Forensic

As Guidance have started to produce more and more tools, e.g. EnCase Enterprise, EnCase Data Audit & Policy Enforcement, and EnCase eDiscovery, they needed to identify the stand-alone forensics tool. However, as EnCase Forensic is Guidance's first tool, and still by far their biggest seller, with the vast majority of police forces and corporates around the world using it, it is more often than not simply referred to as "EnCase".

EnCase is often referred to as the "de facto" tool for forensic analysis; while good, it is only one tool, with as many failings as successes.

EnCase, which is now on version 6, has come a long way from its early roots, and there have been many problems with it. In EnCase 4.18 there was a flaw in the keyword searching, which didn't return all of the results. Other EnCase 4 versions had other bugs and problems, often found within half a day of release, causing versions such as 4.21b to be released within hours of 4.21. This can only be put down to a lack of testing and a poor development cycle – or, as many users commented, "the customers were the beta testers of EnCase 4".

EnCase 5 was launched and was a big improvement on EnCase 4: lots of new features, easier handling of multiple drives and cases, etc. – however, there were still bugs and problems. As Guidance became bigger and more "corporate" (but also less friendly) there was less of a feel that the customers were the beta testers.

All versions of EnCase, up to and including version 5, could not handle emails effectively (if at all), whereas tools such as dtSearch and FTK had been doing so for many years, and had the critical indexing capability that EnCase still lacked. How can anyone investigate a case without looking at emails?

In December 2006 EnCase 6 was launched without warning – unlike the build-up to EnCase 5.

When EnCase 6 arrived at your door it promised to be everything you ever wanted in a computer forensics tool: it could handle emails, index, and allow you to do the nitty gritty of detailed technical investigations.

This was, of course, not true. The indexing did not work, and its ability to handle emails was not much better, constantly crashing. Once again EnCase 6 was a beta tool.

If you were dealing with a single user's hard drive, with a single DBX or PST file, then it could probably (just) handle the investigation. However, if, like many professionals, you are handling multiple users/custodians and high volumes of email – tens or hundreds of PST files, and hundreds of thousands of messages – EnCase simply could not cope. So tools like FTK, Wave, and dtSearch remained, for many, the primary workhorses for handling emails and indexing files.

Now, in mid 2008, on version 6.10, EnCase is starting to do what it said it would. It's still too early to trust its indexing capability, but no doubt it will be great in 2009/2010, and it's starting to handle emails much better. Though it still can't de-dupe emails effectively – but then neither can dtSearch or FTK – that requires a more specialist tool such as Wave, or a full-on ED processing tool.

When EnCase 7 comes out, it should be very interesting to see what it does.
