Product Review: Computer forensics – EnCase Enterprise Edition v6

June 1, 2007

Supplier: Guidance Software

Price: £23 per node for up to 3,000 users, excluding VAT

Contact: www.guidancesoftware.com

This software provides the tools to carry out forensic analysis andinternal investigations on systems on the LAN and WAN. It allowsinvestigators to conduct in-depth examinations of workstations and thedata they contained, allowing them to determine not only whether amisdemeanor has been committed, but by whom. In fact, Guidance Softwareclaims this is the world's first computer investigative solution.

The software comprises three components: a SAFE (secure authenticationfor EnCase) module, the Examiner console and a client servlet or agent.The SAFE provides essential security for the EnCase system, so that datacannot be intercepted and can only be accessed by authorised personnel.Along with logging and device discovery, it provides AES 128-bitencrypted communications between the Examiner console and agent.

During installation you generate a unique key file that is used by theExaminer and agent to access the SAFE. Operations also rely on a USBdongle permanently loaded on the SAFE host system. The easily deployedagent runs at the hardware-abstraction layer for Windows systems and canalso interact at the kernel level, allowing it to see all processesrunning on the system. Platform support is particularly good as agentsare also available for Linux, Unix, Mac OS and NetWare.

Access to the Examiner console is locked down by creating multiple userswith different privileges. Roles also limit users to accessingparticular networks, nodes or files. An important role is viewinggraphics, as in some circumstances it may be required to restrict thisrole to trained investigators. Next up is network object creation, whichcan comprise individual IP addresses, address ranges or machinenames.

An investigation starts by creating a case that contains details aboutthe network objects to be examined. It's at this stage that we felt theconsole interface could be more intuitive. Initial training is includedin the price, but the Examiner could be better designed as it canquickly become cluttered and difficult to navigate.

We added a range of Windows client systems running Server 2003 and XP,and EnCase displayed all available partitions and hard disks along withhidden partitions. Their master file tables are then parsed and theinformation downloaded to the Examiner. The case opens with a preview ofeach included network object showing all remote volumes on each system.You can drill down into each volume and look at its entire contents.

The case file lists all included network objects, while a floating tableshows details of the selected object. A handy gallery option brings up athumbnail view of all images, including those in the web browser'scache. The timeline shows a history of file creations, modifications andlast access dates on the selected network object. You can see everymodification made to a file, allowing you to precisely track itsusage.

Clearly, EnCase can deliver a lot of information and the filter pane isused to sort out the wheat from the chaff. Filters are very flexible soyou could use conditions to search for Office, graphics, system orexecutable files. The selected file can be analysed in detail in theviewing pane, which can display in ASCII and Unicode text, hex, pictureor native document formats.

As EnCase has access to the master file table, it also shows deletedfiles, which may be recovered if not completely overwritten. On onesystem we had deleted an Outlook.PST file some weeks previously, butcould still run queries on the remaining fragments, message body andattachments.

The questions use a global list of keywords, while the EnScriptprogramming language allows you to create detailed custom queries. Thefilter pane also includes the Sweep Enterprise module, which can searchany number of systems for specific information. If, for example, yoususpect someone may be copying data onto a USB device you could query arange of machines and check for serial numbers to track its usage

Once your case has all the required information, you create an evidencefile to store it securely. These can only be accessed by the Examinerconsole, and you use their physical location to determine access.Evidence file integrity can be maintained with a lock option, as anyfurther modifications will cause EnCase to issue an alert to highlightthis.

By its nature, EnCase Enterprise Edition is not a simple product to useas it can serve up a huge amount of information about the systems onyour network. However, once you've learned to use the filters,conditions and queries, the software has the ability to provideessential information that can be invaluable to investigations intocomputer-related abuse or crime.

SC MAGAZINE RATING
Features: *****
Performance: ****
Ease of use: ***
Documentation: **
Support: ****
Value for money: ****
Overall Rating: ****

For: Sophisticated evidence gathering abilities, low-level access tosystems and storage devices, very flexible filter and query tools,investigations can be easily secured in evidence files

Against: Examiner console could be better designed and more intuitive,user documentation inadequate

Verdict: A sophisticated forensics solution that can provide crucial andextremely detailed evidence for private investigations.

prestitial ad