Guidance Software Encase Endpoint Investigator
Strengths: Solid, proven, over-the-network forensic technology with lots of nice little innovations, such as Pathways. Otherwise, it is the solid, detail-oriented tool that we expect from Guidance Software.
Weaknesses: None that we found.
Verdict: This is the 800-pound gorilla of over-the-network digital forensic tools. Today – and for the functionality required for the types of investigations for which it is intended – if it doesn’t have it, you probably don’t need it. It’s our Recommended product.
This is an "over-the-network" tool. Under the licence, you can connect up to 2,000 nodes. From a central point on the enterprise you then connect to agents on the nodes to perform forensic testing/analysis. There are two main components: the Examiner and the SAFE Server. The Examiner is very similar to the standalone version of EnCase Forensic: the look and feel is very close and the functionality also is very similar. Of course, the Endpoint Investigator assumes that there are a large number of devices spaced around the enterprise, each of which has an agent that can communicate with the Examiner.
The SAFE Server - misnamed, we think, given that it implies a locked vault in which something is stored securely - actually stands for Secure Authentication for EnCase. As such, it is a standalone server with which the Examiner communicates en route to the agents. It authenticates investigators, enforces role-based permissions and generates some logs.
We installed the Examiner on our forensic desktop and set up SAFE Server. We then placed an agent on a remote computer and began the analysis process. Over-the-network analysis has both good and bad news. First, there are some things you cannot do. For example, dead-box forensics, obviously, is a non-starter since the endpoint must be running to connect. That said, we can gather a lot of otherwise unavailable data such as running processes and open ports.
Agents can be pushed to nodes in a variety of ways that take the enterprise environment into account. Once the agent is on the endpoint, there is an authentication process that goes through the SAFE and, once all of that is complete, an operator can perform forensics on the endpoint device. There also is a NAS (Network Authentication Server) that actually behaves like a licence server. It is possible to put all three components (Examiner, SAFE and NAS) on the same machine. We did not. If you do, however, there is a wizard that will step you through the installation process.
For streamlining routine investigations, you can use the Pathways functionality to suggest a workflow. We went to the manual since this was new functionality for us and we walked through the full investigation Pathway. It suggested five steps: Create a case, add evidence, audit your drive space, determine the time zone of your evidence, and apply a hash library to your case. While this sounds a bit elementary and suited best to a novice, remember that even experienced airline pilots use checklists. We saw this as an excellent way to be able to say in court that we followed a universal tested procedure and then would be able to prove that we had.
Note, and this is important, that the Pathway deals exclusively with evidence preparation. This is the point at which most cases fail procedurally. Once you get into analysis you're on your own; every investigator has his or her own time-tested ways to analyse evidence. This is, as one would expect, a very complete tool for digital forensic analysis. The SAFE architecture has been around EnCase for a very long time and, while it improves with age and sophistication in its execution, is architecturally the same as it always has been. This gives the confidence that comes with a tried-and-proven methodology.
Documentation was extensive, the website is comprehensive and support, while a little pricey, is first rate. In short, in all of our years of reviewing this fine product this is the best release that we've seen.