EnCase Endpoint Investigator
Strengths: Unquestionably the most powerful and versatile computer forensic tool available. With its cleaned-up UI and significant functionality it is applicable to just about any computer forensics task. Adding the Mobile Investigator ups the power substantially, bringing mobile device analysis into the picture and allowing these devices to be included seamlessly in the case.
Weaknesses: Price, price, price. Not only is this tool expensive, the maintenance adds another $3,800 and if you want the Mobile Investigator add another $7,995.
Verdict: We wish that we could afford this tool for our lab but, as powerful as it is, it is far out of the range of any but large organizations with significant investment in forensics and DFIR.
The Endpoint Investigator, version 8, is the latest incarnation of the venerable EnCase tradition. When Guidance Software changed the GUI on its classic product it met with mixed reviews. Today, the GUI is clean and bears vestiges of the earlier EnCase look and feel. We decided to give this new version a bit of an exercise by testing its ability to process a file encrypted using Microsoft Bitlocker. The process was flawless.
We began by registering our product. Guidance has made this as painless as it can, though licensing these days is never painless. Since we do not have the Hasp dongle, we needed to update the codemeter files. That meant a long process of sending registration keys back and forth to Guidance. When we finally were finished, however, everything worked as it was supposed to. We did not license the SAFE since we were not using EnCase over the network. However, this tool can collect forensic data across the enterprise, a feature that Guidance introduced and that has been one of its mainstays for years. SAFE is the method used to ensure that data passing over the enterprise is secure and that authentication by the authorized user is not compromised.
Once we were licensed we started the process of opening a Bitlocker-protected image. We prepared the image earlier, although we could have let EnCase do it at the time we started the analysis. We did nothing special to prepare the image. We simply imaged the encrypted drive as it sat and then presented the e01 files to EnCase for analysis. We expected to find some special module that we had to invoke to let the tool see the encrypted data. There was none.
Not finding anything special that we needed to do, we simply told encase to add the evidence. We gave it the path for the e01 files and the path where we wanted to save the evidence and let it go, feeling certain that the tool would choke on the encryption. It didn't. A window popped up requiring the Bitlocker key or password. When we gave it the wrong thing it threw an error and waited patiently for us to figure out what we did wrong. Selecting the correct password from the records we had did the trick and the evidence was decrypted and added in under five minutes for a 500GB disk. Everything was as we would have expected and we continued our evaluation as if there had been no encryption. We were impressed.
The user desktop is very well-laid-out and the functionality is obvious. Learning to navigate the features took very little time and we easily invoked such features as the gallery (graphics files) and the timeline. The timeline is especially useful, if a bit confusing at first, for focusing in on events that may have occurred at a particular time. For example, we were aware of a possible compromise to this computer and we knew approximately when it was likely to have occurred. Using the timeline we were able to see everything that was created or modified during that time frame.
We view this new release with mixed feelings. In our view this is the best tool Guidance has produced to date. Guidance support is excellent, the web site is complete but the pricing is way out of whack. Some years back Guidance made, apparently, a decision to support big organizations and enterprises. That left the smaller shops, such as smaller law enforcement departments, looking for alternatives to EnCase. As good as it is, $19,000 is far too much for many departments and organizations to afford. The ability to analyze 2,000 nodes over the network is fine for big enterprises but not particularly useful for organizations that analyze computers singly. We were not given any other pricing and we hope that Guidance has alternatives for these smaller users.