Supplier: Guidance Software
Price: £23 per node for up to 3,000 users, excluding VAT
This software provides the tools to carry out forensic analysis and internal investigations on systems on the LAN and WAN. It allows investigators to conduct in-depth examinations of workstations and the data they contain, allowing them to determine not only whether a misdemeanor has been committed, but by whom. In fact, Guidance Software claims this is the world's first computer investigative solution.
The software comprises three components: a SAFE (secure authentication for EnCase) module, the Examiner console and a client servlet or agent. The SAFE provides essential security for the EnCase system, so that data cannot be intercepted and can only be accessed by authorised personnel. Along with logging and device discovery, it provides AES 128-bit encrypted communications between the Examiner console and agent.
During installation you generate a unique key file that is used by the Examiner and agent to access the SAFE. Operations also rely on a USB dongle permanently loaded on the SAFE host system. The easily deployed agent runs at the hardware-abstraction layer for Windows systems and can also interact at the kernel level, allowing it to see all processes running on the system. Platform support is particularly good as agents are also available for Linux, Unix, Mac OS and NetWare.
Access to the Examiner console is locked down by creating multiple users with different privileges. Roles also limit users to accessing particular networks, nodes or files. An important role is viewing graphics, as in some circumstances it may be required to restrict this role to trained investigators. Next up is network object creation, which can comprise individual IP addresses, address ranges or machine names.
An investigation starts by creating a case that contains details about the network objects to be examined. It's at this stage that we felt the console interface could be more intuitive. Initial training is included in the price, but the Examiner could be better designed as it can quickly become cluttered and difficult to navigate.
We added a range of Windows client systems running Server 2003 and XP, and EnCase displayed all available partitions and hard disks along with hidden partitions. Their master file tables were then parsed and the information downloaded to the Examiner. The case opens with a preview of each included network object showing all remote volumes on each system. You can drill down into each volume and look at its entire contents.
The case file lists all included network objects, while a floating table shows details of the selected object. A handy gallery option brings up a thumbnail view of all images, including those in the web browser's cache. The timeline shows a history of file creations, modifications and last access dates on the selected network object. You can see every modification made to a file, allowing you to precisely track its usage.
Clearly, EnCase can deliver a lot of information and the filter pane is used to sort out the wheat from the chaff. Filters are very flexible so you could use conditions to search for Office, graphics, system or executable files. The selected file can be analysed in detail in the viewing pane, which can display in ASCII and Unicode text, hex, picture or native document formats.
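The timeline and filter features described above, as an added illustration that is not EnCase code: per-node file metadata records (constructed sample data, in the shape an agent might report after parsing a master file table) are expanded into created/modified/accessed events, sorted, and narrowed by node, file type or deleted status.

```python
from collections import namedtuple
from datetime import datetime, timezone

# One record per file as reported from a node. Hypothetical structure,
# not the EnCase agent's actual data format.
FileRecord = namedtuple("FileRecord", "node path created modified accessed deleted")

# Constructed sample data for three files on two workstations.
SAMPLE = [
    FileRecord("ws-01", r"C:\Users\alice\report.docx",
               "2006-03-01T09:00:00Z", "2006-03-03T17:45:00Z", "2006-03-04T08:10:00Z", False),
    FileRecord("ws-01", r"C:\Users\alice\Outlook.pst",
               "2006-01-10T12:00:00Z", "2006-02-20T18:00:00Z", "2006-02-21T07:30:00Z", True),
    FileRecord("ws-02", r"C:\Windows\System32\calc.exe",
               "2005-12-01T00:00:00Z", "2005-12-01T00:00:00Z", "2006-03-02T11:00:00Z", False),
]

def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_timeline(records, node=None, extensions=None, include_deleted=True):
    """Return (timestamp, node, event, path, deleted) tuples in time order.

    node        - restrict to one network object (None = all)
    extensions  - iterable of lowercase suffixes such as (".docx", ".xls")
    include_deleted - keep entries recovered from deleted MFT records
    """
    events = []
    for rec in records:
        if node is not None and rec.node != node:
            continue
        if not include_deleted and rec.deleted:
            continue
        if extensions and not rec.path.lower().endswith(tuple(extensions)):
            continue
        for event, ts in (("created", rec.created),
                          ("modified", rec.modified),
                          ("accessed", rec.accessed)):
            events.append((parse_ts(ts), rec.node, event, rec.path, rec.deleted))
    events.sort()  # chronological; ties broken by node then event name
    return events

if __name__ == "__main__":
    for ts, node, event, path, deleted in build_timeline(SAMPLE, node="ws-01"):
        flag = " (deleted)" if deleted else ""
        print(f"{ts:%Y-%m-%d %H:%M} {node} {event:<8} {path}{flag}")
```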
As EnCase has access to the master file table, it also shows deleted files, which may be recovered if not completely overwritten. On one system we had deleted an Outlook.PST file some weeks previously, but could still run queries on the remaining fragments, message body and attachments.
The queries use a global list of keywords, while the EnScript programming language allows you to create detailed custom queries. The filter pane also includes the Sweep Enterprise module, which can search any number of systems for specific information. If, for example, you suspect someone may be copying data onto a USB device, you could query a range of machines and check for serial numbers to track its usage.
Once your case has all the required information, you create an evidence file to store it securely. These can only be accessed by the Examiner console, and you use their physical location to determine access. Evidence file integrity can be maintained with a lock option, as any further modifications will cause EnCase to issue an alert to highlight this.
By its nature, EnCase Enterprise Edition is not a simple product to use as it can serve up a huge amount of information about the systems on your network. However, once you've learned to use the filters, conditions and queries, the software has the ability to provide essential information that can be invaluable to investigations into computer-related abuse or crime.
SC MAGAZINE RATING
Ease of use: ***
Value for money: ****
Overall Rating: ****
For: Sophisticated evidence gathering abilities, low-level access to systems and storage devices, very flexible filter and query tools, investigations can be easily secured in evidence files
Against: Examiner console could be better designed and more intuitive, user documentation inadequate
Verdict: A sophisticated forensics solution that can provide crucial and extremely detailed evidence for private investigations.