Feature rich is the first phrase that comes to mind when using the Gargoyle Investigator Enterprise Module (GEM). Gargoyle Investigator Enterprise provides functionality different from any other utility in either this Group Test review or any we have seen on the market. GEM scans a drive, an image, a network path or an images for many types of malware. This includes anti-forensics, exploit scanners, password crackers, steganography, botnets, file splitters, remote access, toolkits, credit card fraud, gaming, rootkits, trojans, denial-of-service, keyloggers, packet sniffers, wireless detection utilities, encryption, P2P tools and spyware. GEM allows the investigator to select the major categories (up to 30) for the utility to search for in the source media.

We were able to fool GEM in a few different ways. First, we deleted the steganography files to see if GEM would detect the deleted files. In this case, it did not. We were also able to create a false positive by sticking our thumb drive into a Mac machine, which created the .Trashes directory. GEM detected this as a wireless utility. Finally, we were able to get false negative by using utilities to embed a text file into a bitmap and a JPEG inside another JPEG, respectively. Both files were missed as having steganography. GEM, however, did detect the presence of the HXDEF100 rootkit sitting inside a ZIP file on the flash drive.

The help files included with the product are about as good as any we have seen. The initial help guide covers every option for how the utility works. The help file even includes information on how to use popular forensic software packages, like EnCase and AccessData, to create hash file sets, which can be used to search for new bad files (according to the hashes).

The pricing for Gargoyle Investigator Enterprise starts at $1,995, which is at the lower end of the price spectrum, making its value for the money high.