EnCase broadens the investigation

EnCase Enterprise Edition 5.0 taps forensics agents for evidence gathering

Forensic investigations of computer misuse have always been difficult, painstaking, and slow. They will probably remain difficult and painstaking, but Guidance Software’s EnCase Enterprise Edition 5.0 should help to speed them up. This first enterprise edition of EnCase can tap deployed agents, called servlets, to automate the gathering of evidence from any number of workstations or servers. No longer must an investigation proceed one machine at a time.

Enterprise’s passive agents feed information to the Enterprise Examiner, which is essentially the well-known EnCase Forensic Edition with enterprise-wide reach. I was impressed with Enterprise’s use of EnCase’s automated incident response technology to create a snapshot of a targeted machine’s volatile state. From that snapshot the agents can report which processes are talking on which ports, whether those processes are trusted or hidden, which files are open on a given machine, and who is logged in to a machine at any given time.
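The snapshot described above decides whether a process that owns a network socket is trusted or hidden. One way such a judgement is commonly made is a cross-view diff: a process that shows up in the kernel's socket table but is absent from the ordinary process listing is hiding from that listing, and a visible listener is trusted only if its executable is on an allowlist. The following Python is an added example of that logic, not EnCase code and not its data format; it assumes a Linux /proc/net/tcp-style socket table, an inode-to-PID map of the kind obtained by walking /proc/<pid>/fd, and a process list, all of which are constructed sample input embedded in the script.

```python
"""Cross-view socket-owner check (added example; not EnCase code).

Constructed sample inputs stand in for data a host agent would collect:
a /proc/net/tcp-style table, a socket-inode -> pid map (from /proc/<pid>/fd),
a user-visible process list, and an allowlist of trusted listeners.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: /proc/net/tcp-style table (hex ports, state 0A = LISTEN, 01 = ESTABLISHED).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0A000002:D8F2 0A000001:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1 0000000000000000 100 0 0 10 0
"""

# Constructed sample: socket inode -> owning pid, as found by walking /proc/<pid>/fd symlinks.
INODE_TO_PID = {11111: 812, 22222: 2301, 33333: 4099, 44444: 2301}

# Constructed sample: the user-visible process listing (pid -> executable path).
# pid 4099 is deliberately absent: it owns a listening socket but is hidden from the listing.
PROCESS_LIST = {
    812: "/usr/sbin/sshd",
    2301: "/opt/app/bin/webapp",
}

# Constructed allowlist (hypothetical): executables trusted to hold network sockets.
TRUSTED_LISTENERS = {"/usr/sbin/sshd"}

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}


@dataclass(frozen=True)
class SocketOwner:
    port: int
    state: str
    pid: Optional[int]    # None when no pid maps to the socket inode
    image: Optional[str]  # executable path from the process list, if visible
    verdict: str          # "trusted", "untrusted" or "hidden"


def parse_proc_net_tcp(text):
    """Return (local_port, state_name, inode) tuples from a /proc/net/tcp-style table."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_port = int(fields[1].split(":")[1], 16)  # port is hex in /proc/net/tcp
        state = TCP_STATES.get(fields[3], fields[3])
        inode = int(fields[9])
        rows.append((local_port, state, inode))
    return rows


def snapshot(tcp_text, inode_to_pid, process_list, trusted):
    """Cross-view check: classify the owner of each socket as trusted, untrusted or hidden."""
    result = []
    for port, state, inode in parse_proc_net_tcp(tcp_text):
        pid = inode_to_pid.get(inode)
        image = process_list.get(pid) if pid is not None else None
        if image is None:
            verdict = "hidden"      # owns a socket but is not in the visible process list
        elif image in trusted:
            verdict = "trusted"
        else:
            verdict = "untrusted"   # visible, but not an approved network-facing binary
        result.append(SocketOwner(port, state, pid, image, verdict))
    return result


def hidden_pids(snap):
    """PIDs that own sockets yet are missing from the process listing."""
    return sorted({s.pid for s in snap if s.verdict == "hidden" and s.pid is not None})


if __name__ == "__main__":
    for s in snapshot(PROC_NET_TCP, INODE_TO_PID, PROCESS_LIST, TRUSTED_LISTENERS):
        print(f"port {s.port:5d} {s.state:<11} pid={s.pid} image={s.image} -> {s.verdict}")
```

On a live host the two views would be collected by the agent at the same instant; a socket whose inode no longer maps to any process is usually a race against a process that just exited, so a real collector repeats the diff before calling anything hidden.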

Naturally, Enterprise also leverages EnCase’s well-known forensic capabilities to unearth malicious activity despite attempts to hide, cloak, or delete the evidence. It is also an excellent product to use alongside IDS, IPS, and log analysis tools, gathering host-level information from networks that run a mix of operating systems (Windows, Linux, and Solaris). Enterprise has remediation capabilities as well, allowing you to kill rogue processes on specific machines remotely.

The product has two drawbacks: you must deploy an agent on every machine to be monitored, and the GUI is complex and unintuitive. In return, it can draw data from across the enterprise in a form intended for subsequent use in a court of law, and it does so without alerting the people under investigation. It would be a valuable addition to any information security toolkit.

EnCase Enterprise Edition Version 5
Guidance Software
Cost: Starts at $45 per node for as many as 4,000 nodes. Large enterprise deployments run about $85,000.
Available: Now


Copyright © 2005 IDG Communications, Inc.