Accessing the file system of a target machine was very straightforward. The file system hierarchy is viewed via the right window pane within the CAT console (see illustration below) which is spilt into two, the left first section is the hierarchy itself (in a narrow window which you can’t expand, meaning a lot of left and right scrolling) and the other pane shows the contents of each folder. Right clicking on any file allows you to ‘download’ it to your machine where you can examine it using the built in hex viewer, or go to the file itself and analyse it using your tools of choice. H3E allows you to examine the file’s properties, however the MAC times given are those of the file once it arrived on your machine– the MAC times on the client machine are viewable but rather frustratingly it’s not clear how or indeed if these MAC times can be copied over to your report.
Viewing a remote file system
H3E allows for the imaging of RAM, volumes and physical disks, although the imaging of physical disks is not recommended over a network. Instead, H3E’s many tools can help the investigator pinpoint which machines on the network could be candidates for ‘traditional’ imaging techniques. I tried imaging a remote machine’s RAM contents over the network which worked well; the data stream is encrypted by default which I would imagine adds some overhead to the process. When imaging the investigator can select which port to image over, the image file segment size and the maximum speed you require. What isn’t immediately clear is whether the image file format is to be in EnCase E01 or dd format. During my testing I imaged 2048MB of RAM over a gigabit network where I found the average transfer speed to be approximately 355KB/second; you can see why imaging a whole physical disk using this technique is not recommended.
Another impressive feature of H3E is its search function; it allows for searches by keyword, MD5 hash or by regular expression, all of which can be filtered by date range and also de-duplicated. In my testing in this area the results were returned impressively quickly with corresponding target machine MAC times. The results can then be exported in pdf format, which is very clearly laid out.
Customer Support
My call to e-fense technical support, as touched on above, was prompted by the fact that I followed the available instructions and waited a long time for the available agents to appear in the CAT, and nothing appeared, despite ensuring the Windows Firewall was off and that there were no other security applications in use. Re-boots of the machines with the Agent and CAT on yielded no success either. The process of populating the Agents list came across as rather haphazard and wasn’t helped by the lack of documentation; indeed the ‘Help’ button within the program itself was not that useful as it only contains a link to the pdf manual. The manual itself contains the following ‘if you are unable to find the solution you need, please contact Customer Support at http://fogbugz.e-fense.com/ with a detailed explanation of the issue or request’. However this is another link which leads to a 404 ‘Page Not Found’ response.
The e-fense web site states that additional support is available for Helix3 Enterprise customers Monday – Friday 9:00 AM – 5:00 PM MST, which means that support won’t be available in London until 3pm and not until 4pm in mainland Europe. However I do know that there is support based in England, which at the time of writing is one person. On trying to get a solution to my problem this person happened to be on holiday in America, and although he did do his best for me despite the time differences, accessing help was a bit more of a struggle than I expected with an Enterprise-class product.
Conclusion
Helix 3 Enterprise is a very well designed product which gives the examiner easy access to a wealth of important data from remote machines pre-installed with the Agent. However I felt let down by the content of the manual and the availability of the support, which should be first class considering that it is mandatory to buy the support package. The lack of checking the erroneous content of the manual carried over to a lack of proof-reading in the application itself, such as under the Agent Configuration screen you are told 'This shows the list of machines that are going to configured'. I felt that this application came across as having something of a ‘beta’ feel about it as it’s evident that it has not been thoroughly and independently tested. H3E is almost there but it does require further refinement. I’ve been informed that support will improve with e-fense setting up an 0800 (toll-free) number for the UK, and equivalent numbers for other countries where they have H3E customers that will route the call to the most appropriate location for that time of day. Also e-fense apparently now have two additional support people in the UK who will receive calls during the day, ensuring that customers will be able to reach a person quickly, until early afternoon when e-fense’s American head office takes over until late evening UK time.
Pricing
Pricing is on application, but it is understood that H3E is priced very favourably in comparison to EnCase Enterprise or AccessData Enterprise.
If you are interested in purchasing H3E or have any questions about it please contact Bright Forensics:
Web: www.brightforensics.com
Tel: +44 (0)845 224 5538
This review can be discussed here.
MY ACCOUNT
COMMUNITY
RESOURCES
MISC
Membership:
Latest: 
New Today: 0
New Yesterday: 9
Overall: 15631
Members: 3
Visitors: 9
Staff: 0
Live Acquisition Project