Replacing EnCase Enterprise

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Re: Replacing EnCase Enterprise

Post Posted: Fri Aug 17, 2018 7:14 am

I personally never had to alter the VBR, and my experience is with an .e01 acquisition of a Windows 10 AES-XTS encrypted volume. I mounted with Arsenal in read only and Windows recognized the drive and prompted for the recovery key. It was fairly straightforward. The Elcomsoft tool would be nice considering it supports TPM as well: www.elcomsoft.com/news/699.html

Kenobyte
Member
 
 
  

Re: Replacing EnCase Enterprise

Post Posted: Fri Aug 17, 2018 8:54 pm

I just worked through a demo of F-Response Enterprise.

1. The Encase Remote LEF capability is not implemented, although F-Response did agree to put this on their development plan.

For those that don't know, a Remote LEF allows you to create logical evidence files on the target computer itself, and that target then copies the LEF to a network file share for you. The job auto-resumes if the machine goes offline. This has become an integral part of our enterprise data collection workflow and is working very well for us.


2. With Encase Enterprise we have pre-installed the endpoint connector (formerly servlet) on all managed computing environments, which allows for rapid response and connections without having to install.

The F-Response endpoint would need to be installed as needed. It could be pre-installed, but when firing up the F-Response console, all of the deployed clients start checking in, and at over 100,000 potential endpoints, that's a lot of traffic. Furthermore, the endpoints constantly try to phone home and reach a server. Therefore, for it to be of practical use for us, it would require admin creds each time we wish to connect, to either install the endpoint or start up a service. Not totally undesirable, and perhaps a good separation of duties approach, but still those were the two issues that stopped us going forward.

If #1 is addressed, we may reconsider, and then adjust our workflow to accommodate this product.

And of course the biggest differentiator is the cost.

With regards to encryption, we do not deal with encryption 'over the wire'; there is no need, just access the volume.

You can always still buy Encase -- standalone, to handle encryption for you (which is a much cheaper purchase option and one we would pursue if we went with F-Response). XWF is unlikely to ever support encryption.

Note: I use Encase, FEK, XWF, Intella, IEF, FTK, Netanalysis, Blacklight and Cellebrite. I am fortunate in that I can use the tool best suited for the job.
_________________
Blog: secureartisan.wordpress.com 

pbobby
Senior Member
 
 
  

Re: Replacing EnCase Enterprise

Post Posted: Sat Aug 18, 2018 4:06 am

- pbobby

The F-Response endpoint would need to be installed as needed - it could be pre-installed, but when firing up the F-Response console, all of the deployed clients start checking in, and at over 100,000 potential endpoints, that's a lot of traffic. Furthermore the endpoints constantly try to phone home and reach a server.


I am not sure I understand (actually I am pretty sure I don't understand) the 100,000 potential endpoints reference.

Can you explain/expand?

As well, the phone home sounds more like malware than anything else.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Replacing EnCase Enterprise

Post Posted: Sat Aug 18, 2018 10:36 am

My workplace has over 100,000 managed endpoints. We have the Encase servlet pre-installed on all of them, which makes connecting to them real easy when needed.

With F-Response, we can also pre-install, but unlike the Encase servlet that is idle and waits to be connected to, the F-Response endpoint attempts to find its home license server every few seconds. It would be a better design decision if the F-Response client sat idle and waited to be connected to. I passed on that feedback to the Shannons.

When launching the F-Response console to do an acquisition, all of those endpoints start checking in and populating the product; it's just a lot of 'busy' traffic that makes launching that console slow (almost have to leave it running).
_________________
Blog: secureartisan.wordpress.com 

pbobby
Senior Member
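An added example, not from this thread or from either vendor: from a network-monitoring stance, the every-few-seconds polling pbobby describes looks exactly like beaconing, so a defender can surface it by looking for flows with near-constant inter-arrival times. The log format, host names, port and the 5-second interval are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records (not real data).
# ws-01 polls a license server every 5 s (timer-driven agent check-in);
# ws-02 reaches a file share at irregular, human-driven intervals.
# The port number is a placeholder, not any product's real port.
SAMPLE_LOG = """\
1534500000 ws-01 -> lic-srv:9999
1534500005 ws-01 -> lic-srv:9999
1534500010 ws-01 -> lic-srv:9999
1534500015 ws-01 -> lic-srv:9999
1534500020 ws-01 -> lic-srv:9999
1534500003 ws-02 -> fileshare:445
1534500190 ws-02 -> fileshare:445
1534500201 ws-02 -> fileshare:445
1534501400 ws-02 -> fileshare:445
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from 'ts src -> dst:port' lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, _, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows

def detect_beacons(flows, min_events=4, max_cv=0.2):
    """Flag flows whose gaps between connections are nearly constant.
    cv = stdev/mean of the gaps; a low cv means a timer, not a person.
    Returns {(src, dst): mean_interval_seconds} for flagged flows."""
    beacons = {}
    for key, times in flows.items():
        times = sorted(times)
        if len(times) < min_events:
            continue                      # too few samples to judge
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons

def checkins_per_second(endpoints, interval_s):
    """Aggregate check-in rate if every endpoint polls every interval_s."""
    return endpoints / interval_s

if __name__ == "__main__":
    print(detect_beacons(parse_log(SAMPLE_LOG)))
    print(checkins_per_second(100_000, 5))   # the fleet size from this thread
```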
 
 
  

Re: Replacing EnCase Enterprise

Post Posted: Sun Aug 19, 2018 1:59 am

- pbobby
My workplace has over 100,000 managed endpoints. We have the Encase servlet pre-installed on all of them, makes connecting to them real easy when needed.

With F-Response, we can also pre-install, but unlike the Encase servlet that is idle and waits to be connected to, the F-Response endpoint attempts to find it's home license server every few seconds. It would be a better design decision if the f-response client sat idle and waited to be connected to. I passed on that feedback to the Shannons.

When launching the F_Response console to do an acquisition, all of those endpoints start checking in and populating the product; it's just a lot of 'busy' traffic that makes launching that console slow (almost have to leave it running).


I see, by endpoint you mean "monitored (remote) systems".

100,000 is a huge number.

If the effect of 100,000 endpoints connecting all together is only that of "slowing the console launch" you must have a heck of a network setup.

In any case, the attitude to phone home and/or auto-logging sounds like a (pointless) attempt to needlessly hog bandwidth; even if the programmers had in mind a handful, or tens, maybe hundreds of "endpoints" max, it seems like a "wrong" choice.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member