Software

There are a number of software tools on the commercial and freeware market today. The digital forensics laboratory should have access to several tools to perform similar functions. At a minimum, the lab should have software that can perform imaging of evidence drives, examine images, analyze memory captures, and report findings.

There are several different types of forensic software that a digital forensics analyst can utilize. The first of these is the forensic application. These applications are purpose-designed to perform a variety of digital forensics tasks. They are often commercially available and are in wide use in the law enforcement and government communities, as well as in private industry. The following four forensic applications are the most common and widely deployed:

  • Autopsy: This open source software, developed by Brian Carrier, provides a feature-rich application that automates key digital forensics tasks. As an open source project, Autopsy also has open source modules that provide a great deal of additional functionality. Autopsy will be covered in greater depth in later chapters.
  • EnCase: Developed by OpenText, EnCase is a full-spectrum digital forensics application, performing the entire gamut of tasks in the examination of digital evidence, primarily from hard drives and other storage media. Besides analyzing digital evidence, EnCase has a reporting capability that allows examiners to output case data in an easy-to-digest format. EnCase is widely deployed in government and law enforcement agencies. One drawback is the cost associated with the application. Some CSIRTs and forensic examiners on a limited budget will have trouble justifying this cost.
  • Forensic Toolkit (FTK): This is another full-service forensic application that is in wide use by government and law enforcement agencies. With many of the same features as EnCase, this may be an alternative that digital forensics analysts will want to explore.
  • X-Ways Forensics: Another option is the X-Ways Forensics application. With similar functionality to FTK and EnCase, this is a great lower-cost option for CSIRTs that do not need functionality such as network access or remote capture.