Vijay, most expensive definitely doesn't make it the best.
You can modify anything in a hex editor, including wiping out the MBR, creating encrypted partitions within encrypted partitions, shredding files, etc. This is where EnCase makes it much easier to put together the correct story. We used to use Norton's Disk Editor for forensic investigations. With today's volumes of data and deadlines, that's no longer practical, but it is still possible. It is my opinion that the same logic extends to the open-source tools out there.
The number of data types supported alone makes the EnCase and FTK tools much more robust than anything else out there. For example, what other forensics tools can handle PST files, NSF files, Exchange EDB files (granted, not so well on the later), Registry files, etc., all natively within the same application? I understand that you can export an NSF file and open it in Lotus Notes, or export the registry file and open it in a Registry viewer. The problem is that you are involving yet another piece of software. In the case of Lotus Notes or Outlook, it likes to modify the file immediately. Outlook won't even open a write-protected PST file. The list just goes on. Guidance has spent years reversing various file formats and incorporating them into EnCase. I am much more comfortable saying that I am reasonably certain EnCase didn't modify the structure of my PST file than I am even mentioning that I analyzed a PST file in Microsoft Outlook.
In the open-source world, you have Autopsy/PTK/Sleuth Kit, and a set of tools like Scalpel, dcfldd, regviewer, etc. What you have is a combination of tools that do about 70% of what EnCase does in a single tool. Every time you export a file from your safe and verified image, you are introducing another element to your report. When you have to deal with the native software application because you couldn't find a forensics tool that supports the format, that's another nightmare.
Like I said, I would love to be proven wrong here and come away with a good set of tools that do everything EnCase and FTK do. I am a big supporter of open-source tools. I would love to be able to go open-source. Every time we have researched this, the conclusion is always the same: open-source tools will do about 70% of what we need. That's just not enough.
I guess my point is that the open-source community is lacking in the forensics industry when compared to others, especially pen testing. One of the problems is that software vendors like Microsoft will actually release some of their source code to companies like Guidance. They will never release anything to an open-source project. It's quite frustrating, actually.