EnCase Imager vs. FTK Imager

Back in early 2013 when Guidance Software first released EnCase Imager I conducted a comparison with AccessData's FTK Imager (version 3.1.1.8 at the time). There were a couple of points that, to me, made FTK Imager a clear winner as a choice of free forensic imaging software, particularly in relation to live imaging.

  • FTK Imager had a smaller footprint
  • EnCase Imager extracts to local machine when run
  • EnCase Imager wouldn't run the 32bit version on 64bit machines (gave an error)
  • FTK Imager can preview files
  • FTK Imager can mount images
  • FTK Imager has scaled-down command-line versions (Windows, OS X and Linux variants)

Now that 2015 is here I thought it would be a good time to revisit the issues from two years ago and see whether Guidance Software has made any improvements* to their free imaging tool.


*This review will not cover a speed test, only a features comparison, as there are many other blogs dedicated to the performance rating of various digital forensic imaging tools.


EnCase Imager

https://www.guidancesoftware.com/products/Pages…

This review is related to the current release, version 7.10.00.103 (32bit & 64bit).


Disappointingly, EnCase Imager is still extracted from the executable: each time it is run it unpacks its files from the executable into C:\Users\...\AppData\Local\Temp\Imager\.


To get it to behave as a live imaging tool, I then copied these extracted files to a USB thumb drive and ran "Imager.exe" from there. Unfortunately I received the following error message:

[Screenshot: error message shown when starting Imager.exe from the USB thumb drive]

However, the application did start and appeared to work as expected, although it gave me a similar error message when I exited it.

Even when run from a USB thumb drive, EnCase Imager still creates temporary files on the local machine when evidence is added, under C:\Users\...\AppData\Local\Temp\Imager\UserData\Cases\EvidenceCache\.


Dropping files onto the suspect machine like this makes EnCase Imager unsuitable for any live imaging: every file it writes alters the original exhibit, consuming unallocated clusters and updating file-system metadata that the acquisition is meant to preserve.

After adding the same physical disk to both FTK Imager and EnCase Imager I noted the size of the running process in memory. EnCase Imager 32bit used 103088KB and the 64bit version 115452KB, whereas FTK Imager used 47536KB of RAM. This matters because, if you use these tools to image RAM, every page the imaging tool itself occupies is a page of the suspect's memory that can no longer be captured intact, so the smaller the footprint the better.

[Screenshots: process memory usage of EnCase Imager and FTK Imager]

Below is a list of supported forensic image formats that EnCase Imager can handle:

[Screenshot: image formats supported by EnCase Imager]

Positives:

  • Supports LX01 & EX01 image formats
  • Can be used to rebuild RAID configurations and then image
  • Can restore forensic images to physical devices

Negatives:

  • Larger footprint in RAM than FTK Imager
  • Writes files to local machine (not suitable for live imaging)
  • Cannot mount images
  • Cannot preview files (not even in hex)
  • Cannot output RAW format images

It can also be used to wipe drives (I'm not sure whether this is a positive or a negative). I suppose it depends on your needs, but for me a "forensic" tool should not have the ability to modify data under any circumstances; that is why X-Ways Forensics also ships with WinHex, to provide modifying functionality when and if it is needed.


FTK Imager

http://accessdata.com/product-downlo…

This review is based on the current release, version 3.3.0.5.


Unlike EnCase Imager, FTK Imager can be run "live" on a suspect machine without impacting the exhibit too much (it will, of course, still be running in RAM). Once you have installed FTK Imager you can simply copy its program files to a USB thumb drive (or burn them to an optical disc) and run FTK Imager "live" from that location. It won't write any files to the AppData directory on the suspect machine, although it will obviously still leave traces such as prefetch entries, registry keys and shellbags.
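The footprint claims made above for both tools (files dropped under the user's Temp directory, prefetch entries left behind, and the working set of the running process) can be reproduced with a short script. The following PowerShell is an added example and is not part of the original post or of either vendor's software; the tool path E:\Imager\Imager.exe is an assumed location for a copy of the imager on a USB stick, and it should only be run against a test VM, never against a real exhibit, since the script itself (and PowerShell) leaves traces too.

```powershell
# Added example (not from the original post): snapshot the user's Temp
# directory and the Prefetch folder before and after running an imaging
# tool, and record the tool's working set, to document its local footprint.
# The tool path is a hypothetical location; run this on a test VM only.
param(
    [string]$ToolPath = 'E:\Imager\Imager.exe',        # assumed USB path
    [string]$WatchDir = $env:TEMP,                     # current user's Temp
    [string]$Prefetch = "$env:SystemRoot\Prefetch"     # needs admin to read
)

function Get-TreeSnapshot {
    param([string]$Root)
    # Map of relative path -> "size|lastWriteTicks" for every file in the tree
    $snap = @{}
    if (Test-Path -LiteralPath $Root) {
        Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
                $snap[$rel] = "$($_.Length)|$($_.LastWriteTimeUtc.Ticks)"
            }
    }
    return $snap
}

function Compare-TreeSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    # Files that appeared, and files present in both whose size/mtime changed
    $added   = @($After.Keys | Where-Object { -not $Before.ContainsKey($_) })
    $changed = @($After.Keys | Where-Object { $Before.ContainsKey($_) -and $Before[$_] -ne $After[$_] })
    [pscustomobject]@{ Added = $added; Changed = $changed }
}

$tempBefore = Get-TreeSnapshot -Root $WatchDir
$pfBefore   = Get-TreeSnapshot -Root $Prefetch

$proc = Start-Process -FilePath $ToolPath -PassThru

# Add the evidence item in the tool's GUI, then take the second snapshot while
# the tool is still running (the post measured RAM after adding a physical disk).
Read-Host 'Add evidence in the tool, then press Enter'

if (-not $proc.HasExited) {
    $proc.Refresh()
    $wsKB = [math]::Round($proc.WorkingSet64 / 1KB)
    "Working set of $($proc.ProcessName) (PID $($proc.Id)): $wsKB KB"
} else {
    'Tool process has already exited; no working set to report'
}

$tempAfter = Get-TreeSnapshot -Root $WatchDir
$pfAfter   = Get-TreeSnapshot -Root $Prefetch

$tempDiff = Compare-TreeSnapshot -Before $tempBefore -After $tempAfter
$pfDiff   = Compare-TreeSnapshot -Before $pfBefore   -After $pfAfter

"Files added under $WatchDir : $($tempDiff.Added.Count)"
$tempDiff.Added   | ForEach-Object { "  + $_" }
"Files changed under $WatchDir : $($tempDiff.Changed.Count)"
$tempDiff.Changed | ForEach-Object { "  ~ $_" }
"Prefetch entries added: $($pfDiff.Added.Count)"
$pfDiff.Added     | ForEach-Object { "  + $_" }
```

Run it from an elevated prompt so the Prefetch folder is readable; a tool that behaves like EnCase Imager above will show new files under Temp\Imager\, whereas one that behaves like FTK Imager should show no new Temp files but still a new .pf entry for its executable.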

Below is a list of supported forensic image formats that FTK Imager can handle:

[Screenshot: image formats supported by FTK Imager]

Positives:

  • Smaller footprint in RAM than EnCase Imager
  • Can mount images
  • Can preview some files (hex and limited preview mode)
  • Can detect EFS encryption
  • Can obtain protected files from running system (registry hives, locked files)
  • Supports more image formats (e.g. GHO, NRG)
  • Has scaled-down command-line versions (Windows, OS X and Linux variants)

Negatives:

  • Doesn't support LX01 & EX01 image formats
  • Cannot rebuild RAID configurations
  • Cannot restore forensic images to physical devices

Conclusion

It has been nearly two years since EnCase Imager was released, and although the error when running the 32bit version on a 64bit machine has been fixed, not much else has changed.


EnCase Imager is still unsuitable for any live imaging work, because of the extraction to the local disk, the creation of local evidence-cache files and, not least, the larger footprint in RAM.

I struggle to think of a use case for EnCase Imager. If you already have the full version of EnCase at your disposal, running it without a licence dongle puts it into acquisition mode, which is identical to "Imager" mode. If you don't have the full version of EnCase, this product is probably only going to be used to convert LX01/EX01 files into L01/E01 format when you receive them from a third party.


This is a shame, because EnCase Imager could easily be improved by:

  1. Including the ability to mount images (à la the Physical Disk Emulator Module and Virtual File System Module from EnCase version 6.x)
  2. Ceasing to store files on the local machine (and, while they're at it, removing the need to extract the tool on first run)
  3. Including the ability to preview files (even a hex view would be a plus)

I know that the next time I require a live imaging tool I will be turning to FTK Imager again, and that's something that I cannot say about EnCase Imager.




Don't forget to connect on LinkedIn & Twitter.
