Rollout: Guidance Software EnCase Enterprise 6

Do you have a Roger Duronio in your midst? In December the former systems admin was sentenced to eight years for planting malicious code that took down nearly 2,000 servers owned by UBS PaineWebber. If you don't, you're fortunate--four in 10 respondents to the latest CSI/FBI Computer Crime and Security survey attribute more than 20 percent of their organizations' financial losses to insider attacks. The trick is tracking the suckers down.

Enter forensics software like AccessData's Forensic Toolkit, Guidance Software's EnCase and Technology Pathways' ProDiscover. Once the purview of consultants and large enterprises with specialized staffs, these tools are now finding their way into more organizations so that these companies can respond effectively to security incidents, internal HR investigations and litigation requiring e-discovery.

We've always considered EnCase Enterprise a robust, all-in-one investigative platform, and new features--including an eagerly awaited full-text indexing engine, a native file viewer, expanded e-mail support and enhanced client-server features--only enhance its rep.

EnCase Enterprise also has a reputation as being expensive. Version 6 starts at $25,000 and goes up as features, such as additional Examiners, concurrent connections and modules for e-discovery and automated incident response, are added. To put that in perspective, forensic firm K&F Consulting charges $6,000 for an initial forensic audit, and for e-discovery, you'll pay $5,000 just to store a 40 GB to 80 GB hard drive.Our take: EnCase Enterprise will earn its keep thanks to stellar incident-response capabilities.

Dynamic Trio

EnCase Enterprise comprises three major components: the SAFE (Secure Authentication for Encase), Examiner and servlet. The SAFE handles authentication, logging and licensing. Users and roles are also stored on the SAFE. When a user logs in, she can perform only those actions that are defined for her role. Roles can be very granular--for example, we could let system admins launch a quick analysis of what processes are running, which ports are listening or have active connections, and what files are open, but bar them from performing actions such as file-system analysis or drive acquisition. Moreover, all actions are logged, enabling full auditing to comply with corporate policies or regulations such as Sarbanes-Oxley. The SAFE also acts as a license server so investigators don't need to use the standard USB dongle to run the software.

Examiner is a networked version of the EnCase Forensics product that can log into a SAFE for both licensing and access to hosts running the servlet. The servlet can be preinstalled on desktops, laptops and servers or installed during an incident. The former scenario has the least impact on the machine being investigated: Investigators simply connect to do analysis. If it must be installed after the incident, the investigator may have to log in, thereby creating a new service, modifying the registry and writing to the file system. Fortunately, Guidance does not charge per endpoint.Communications between the servlet, SAFE and Examiners are authenticated and encrypted using certificates that can be created using an existing corporate PKI or one supplied by Guidance. A quick dump of traffic with Wireshark during testing verified communications were indeed encrypted. Currently, ProDiscover is the only other forensic product with an agent for remote investigation, albeit a pretty limited one. Also, during previous testing, ProDiscover crashed several times during analysis and when restarted, couldn't connect without restarting the agent; it also won't scale comparably to EnCase Enterprise.

All Hail The Index

Guidance finally listened to customers and added full-text indexing. Previously, most investigators supplemented EnCase with AccessData's Forensic Toolkit, which boasts a powerful indexing feature. In version 6, simply click on the "Tools" menu, select "Index Case" and wait. Once indexes were created for each of our test machines, searching for keywords was fast and easy.

Taking another page from Forensic Toolkit's playbook, Guidance has included Stellent's Outside In Viewer Technology to provide enhanced native file-viewing capabilities. Previously, a limited number of files were natively viewable; thereafter investigators had to rely on third-party viewers installed on their analysis workstations. Now, approximately 400 file formats can be viewed, content copied to the clipboard or bookmarked for later investigation, keeping investigators sitting in front of one tool--and saving both time and money.

Recognizing the importance of e-mail to e-discovery and investigations, EnCase Enterprise expands support for Microsoft Exchange and Lotus Domino e-mail clients and enterprise messaging data stores. EnCase no longer requires that the Notes client be installed--it natively parses Notes versions 5, 6 and 7. Currently, no other forensic suite supports as many e-mail storage formats.Multiple Uses

EnCase Enterprise isn't just for forensics--it really shines during incident response. Using the Examiner, an investigator can connect to suspect machines and analyze local drives for new files, check for new processes and identify all listening ports. Comparing snapshots of system activity helps focus on the source of a problem. We infected several machines in our University of Florida Real-World Labs® with malware, including some recent adware and fully functional IRC bots. The malware is multistage, so once the machines were infected, additional nasties were downloaded and executed. Using the snapshot feature, we quickly identified new processes, listening ports and newly established network connections. Then, we created a timeline of file system activity to find all malware-related files and remove them, after killing their processes.

The speed with which we could conduct investigations over the network was gratifying, and our actions had minimal impact on the host being examined. We liked that the servlet can be configured to throttle system-resource usage to minimize impact on end users. And a new "call home" feature lets investigators analyze machines even when they aren't connected to the corporate network. The servlet connects at scheduled intervals to the SAFE, which lets the Examiner complete tasks defined by the investigator, including snapshots, file discovery and even storage-device acquisition.

John H. Sawyer is a senior it security engineer at the University Of Florida and a GIAC Certified Firewall Analyst, incident handler and forensic analyst. Write to him at [email protected].