Cyber ResilienceSecurityServices

Putting OpenText EnCase Forensic to the test

They’re faster – fact or fiction?

I was recently having a conversation with a customer at an industry forensics event. We were discussing what tools his team has in their investigation toolkits and why. I think it’s safe to say we all agree having multiple tools in your toolkit is a good thing. After all, when you build a house, you don’t just use a hammer for all the building activities. You use a nail gun, a saw, a screwdriver – each tool is optimized for a specific job. The same is true for a digital forensic investigation. So, the fact that this investigator had multiple digital forensic products in his toolkit was not a surprise.

In this particular case, the investigator’s toolkit includes OpenTextTM EnCaseTM Forensic and a competing digital forensics software product from another vendor. They use these two specific tools to investigate evidence contained on suspect computers. The conversation took an interesting turn when he mentioned that while he preferred the features of EnCase Forensic, he thought “the other guy” was faster. My immediate question was, “Why do you believe it’s faster? Have you compared the performance of the two products head-to-head? In the course of your investigative work, have you experienced the other product being faster?” His response was honest and straightforward. “No I haven’t. I’ve just heard they’re faster. Do you think this faster claim is fact or fiction?” 

From everything I knew about EnCase Forensic, I was skeptical that the other product would be inherently faster. But I also knew they were both great products, being used by really smart people, so I was going to need some data to answer the “fact or fiction” question. 

Searching for the truth in data 

Performance statistics are everywhere when you work at a $3B company with extensive development, quality and customer support resources. But in my quest for the truth, I came across a particular piece of data that was indicative of what a real-world investigator would experience, and the results provided interesting insight. 

Over 75,000 digital forensic investigators across the globe have taken courses in the OpenText Training Lab. This gives the lab well-rounded exposure to the types of tools that are being used in real-world digital investigations. As such, those user environments have been duplicated within the lab and provide experiences and results that are representative of what investigators would see in their own crime labs.  It is within this lab where a head-to-head comparison was done between EnCase Forensic and a competing digital forensic investigation software. 

The test platform used to process the evidence included two Silicon Forensics workstations, one running EnCase Forensic CE 21.2 and the other running a competitor’s version 4.11 software. Both computers contained Intel i7-7700 processors, had 32GB of RAM, used NVMe hard drives and were running Windows 10. The same evidence file, which contained 41GB of photos, emails, internet searches, documents and chats was processed on each test platform. 

While 41GB may not be representative of your particular evidence file size, since many evidence files range from 256GB – 500GB, it is useful in this analysis based on its content and the fact that the same evidence file was tested on the same computer configuration for both products, providing an accurate comparison of performance. 

The performance experiment: on your mark, get set – go! 

Given the development work that’s gone in to improving the efficiency of investigations, I wasn’t surprised EnCase processed the evidence faster, but I must admit I WAS surprised by how much faster. In a head-to-head comparison, using the same computer configuration and same evidence file, EnCase Forensic processed the evidence in just 4 hours and 14 minutes compared to 6 hours and 20 minutes from the other product. The test indicated that EnCase Forensic was 33% faster than the competition! 

Saving two hours of an investigator’s time on every case they investigate with EnCase Forensic has significant implications. It allows the investigator to work more efficiently, work faster, save frustration, get better results, and come to a conclusion faster.  It also has potential impacts to payroll budgets, especially if it reduces the need for overtime pay. 

Working smarter: saving time on digital investigations adds up  

Let’s assume your evidence file isn’t 41GB but is 256GB. Based on the results of the above testing, you’re going to be able to process that evidence with EnCase in 26 hours, but it’s going to take 39 hours to process that same case evidence with the other product. Put a different way, with EnCase it’s going to take just three standard workdays to process that evidence versus an entire week with the other product. 

Of course, performance is one of those data points that’s akin to “your mileage may vary.” But what more reliable way to provide true speed comparisons than to conduct the test on the same platform using the same evidence data? 

So, regarding the customer’s questions about whether it’s fact or fiction that that other product is faster than EnCase, the answer is …  

It’s FICTION. The facts in this case are that EnCase processes evidence 33% faster. 

Raj Munusamy

Raj Munusamy is the Senior Director of Product Marketing (Security) at OpenText.

Related Posts

Back to top button