Helix 3 Enterprise (H3E) is e-fense’s flagship investigation suite, pitched at a similar level to EnCase Enterprise or AccessData Enterprise. It’s aimed at organisations which need to be able to carry out incident response, forensics and e-discovery functions over networks. H3E facilitates centralised incident response and imaging of drives and volatile data, and also enables scans and searches of a user’s internet history and documents on any computer which has had the H3E Agent pre-installed on it. The integrity of data in transit and within the H3E database is ensured through 256-bit AES encryption.
H3E’s main differentiators from its competitors are price and ease of use. Whether this product is financially viable for your organisation is for your own assessment, as in my experience the prices of such enterprise-class products are seldom fixed, being based more upon the individual circumstances in which they are going to be used. So rather than examine value for money, this review focuses on the usability of the product and how well it achieves its stated goals. I was given a time-limited trial version of Release 1 of the 2009 version of H3E, which I tested on a Windows platform.
The Helix 3 Enterprise logo
Install
The main thing I liked about H3E was its relative simplicity in use, and this was certainly true of the installation process. H3E consists of three separate elements (the Agent, the CAT and the Server), each taking less than a minute to install. The Agents sit on the target computers and need to be installed pre-incident if you want to maximise the amount of data available for analysis and to minimise any contamination issues which may arise. The other two elements which make up H3E are the Server and the Console Administration Tool (or CAT for short). The H3E manual describes the Server as "the system's headquarters" and the CAT as "the command centre", which seem to me to be very similar functions. I wonder if e-fense could simplify things for the end user by combining the Server and the CAT into a single install process; additionally, I see no benefit in inventing names to describe old functions; just Agent and Server would seem to be perfectly simple and self-explanatory. The instruction manual reminds you that, to ensure you are running the latest version of H3E, you should visit h3e.e-fense.com to find up-to-date downloads, but unfortunately at the time of writing this review this resulted in a ‘404 Page Not Found’ error.
The Agents can be installed in a number of ways, including through the use of applications such as HP OpenView or PsExec. I installed the Agents manually, which obviously requires physical access to the target machine and an account with administrator-level privileges. Double-clicking on the Agent installer package quickly completes the install; I feel options here to rename the default service name (h3e-sma) and to change the ports to those of your choosing would be welcome. The CAT installer politely asks where you want the shortcuts to be placed, but the Server installer, once double-clicked, requires no input and finishes rather abruptly with no indication that it has finished or installed correctly.
I was impressed that the H3E Server and CAT can install on Windows, Mac and Linux boxes, which gives administrators a good choice of what they can run it from, but was less impressed that the Agent can only be run on Windows (post-Windows 2000) boxes. Organisations running desktop Macs or Unix derivatives will need additional solutions.
There is a very informative chart in the manual laying out the minimum and recommended specs for running the Agent, the CAT and the Server, but as the PDF manual is password encrypted and does not allow extraction of contents, unfortunately I’m unable to reproduce it here. However, I can say that the minimum requirements for Agents are a Windows 2000 operating system or later, a 400 MHz Celeron processor or equivalent, 256MB RAM and 10MB free disk space. The Server and CAT components would obviously benefit from being on more powerful boxes with a fast network interface.
Use
On starting the CAT, the first thing which struck me was the quality of design of the interface, how easy it was on the eye, its responsiveness and how well it was laid out. A real pleasure to use.
The pleasing interface to the H3E CAT
Once the Agents are installed (keep in mind that you must configure any firewall and the like on your target machines to let the Agents communicate with the CAT and the Server) they should automatically appear under the ‘Agents’ portion of the CAT GUI, on the left in the illustration above; I only knew this (and that I didn’t need to do anything to ‘make’ them appear) after a call to technical support. For me this is a fundamental part of the application which should really be covered in the manual.
Once the Agents were showing as available I was able to properly test the capability of H3E. Generating reports including such information as the contents of setupapi.log, screen captures, installed applications, clipboard contents and so on was very straightforward. The key logging capability could also be very useful, although I could not find any information as to how much could be stored and what happens when the key logging capacity is reached. Testing the key logger produced exactly the results I expected, but one drawback is that it cannot record Unicode characters; for example, a simple sentence in Japanese characters typed in on the target machine was recorded on the CAT as ASCII characters.