Replacing EnCase Enterprise

18 Posts
8 Users
0 Likes
3,018 Views
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

All,

I want to replace EnCase Enterprise (EnCase Basic) with something else. The primary functions that we use it for are investigations and remote viewing of workstations to determine if we need to acquire the device for any reason. The only tools that I'm aware of that allow remote acquisitions over the wire are EnCase and FTK Enterprise (renamed to AD Enterprise?).

Here's what is going on. Guidance is trying to force our hand to move to Endpoint Investigator. There's a long backstory to how this came about, but I'm ready to move on. Is there another product that you use in the Enterprise that helps you to do this that doesn't cost half a million dollars to purchase?

 
Posted : 14/08/2018 9:51 pm
(@kenobyte)
Posts: 36
Eminent Member
 

I have had good success with F-Response in conjunction with X-Ways; off the top of my head, it is a good solution. There are various versions depending on your needs, which change the pricing scheme, but it might be worth taking a look at.

 
Posted : 15/08/2018 1:20 pm
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

All,
Here's what is going on. Guidance is trying to force our hand to move to Endpoint Investigator.

Endpoint Investigator is the new EnCase Enterprise. Basic is mainly the standalone forensic tool with networking (it's a terrible name though, TBH). I'm not sure how forcing you to use EI is bad, unless they are changing your basic license model. So if it's cost, that makes sense, but EI's base function is not much different than the legacy EE.

 
Posted : 15/08/2018 1:52 pm
(@rich2005)
Posts: 535
Honorable Member
 

I have had good success with F-Response in conjunction with X-Ways; off the top of my head, it is a good solution. There are various versions depending on your needs, which change the pricing scheme, but it might be worth taking a look at.

Another vote for X-Ways.
Although frankly I never liked EnCase after they changed the user interface from a relatively easy-to-understand look in 4/5/6 to some horrible tabbed and nested mess!

 
Posted : 15/08/2018 3:42 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

All,
Here's what is going on. Guidance is trying to force our hand to move to Endpoint Investigator.

Endpoint Investigator is the new EnCase Enterprise. Basic is mainly the standalone forensic tool with networking (it's a terrible name though, TBH). I'm not sure how forcing you to use EI is bad, unless they are changing your basic license model. So if it's cost, that makes sense, but EI's base function is not much different than the legacy EE.

Oh, this is a looong story, but Guidance did some shady stuff. During our first purchase of EnCase Enterprise, they licensed us for the number of investigators we had. At the time, we only licensed for 1 investigator (logged in concurrently). We were told "You can push the servlet out to as many systems as you want at no cost." Okay, we purchased. Then, I wanted to get EnCase eDiscovery in the door. They wanted to license us for all of our nodes (in the 6 figure range), even though it used the existing servlet we already had pushed out. They backpedaled and said, "it's okay - we'll charge you for just the product."

Fast forward, they told us EnCase Enterprise was renamed to Basic, and now we can do everything from EnCase Basic. Okay, no issues there. We had a hell of a time getting eDisco to work with professional services, so we got professional services onsite to resolve the issues the first professional services person couldn't fix. They found that our SQL server version wasn't supported, so they upgraded eDisco to the latest to support the newer version of SQL. Well, that took away our ability to be able to remotely do certain things with EnCase Basic because it needed the new servlet that only came with Endpoint Investigator.

Okay, so here we are today with the issue I ran into a couple of weeks ago where we had a BitLockered drive from Windows 10. EnCase wouldn't prompt for the recovery key, but I could clearly see the signature on the disk. Since this was a malware analysis case, we decided to boot the system up and do a live acquisition to get the data that we needed. We contacted OpenText to see what we could do, and they said "Oh, you're at version 8.04, but you need to be at 8.07, so you'll need to move over to Endpoint Investigator to get that."

This is where I'm stuck, and unfortunately can't justify moving over to that for the amount of money they want. I've left a lot out, but my personal belief is they brought us in at a low rate because they a.) wanted us to get hooked on the product since Enterprise was the base system and they had other products that plugged on top of it, and b.) they knew their roadmap was leading down this road.

In all fairness, we have been told that Endpoint Investigator is their future, but I've not been impressed with them through the eDisco debacle. That's primarily the reason I want to switch out for something else.

 
Posted : 15/08/2018 6:32 pm
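An added check, not part of this thread or of any of the tools named in it, for the situation jblakley describes above (the tool would not prompt for a recovery key, yet the BitLocker signature was visible on disk): it walks a raw image sector by sector, flags every volume boot record whose OEM ID is "-FVE-FS-", and verifies that the three FVE metadata offsets stored at 0xB0 (Windows 7 and later layout) point to blocks carrying the same signature. The sample image is constructed inline; FAT-based BitLocker To Go volumes use a different OEM ID and are not covered.

```python
"""Locate BitLocker-protected volumes in a raw disk image by their on-disk
signature, so the examiner knows a volume needs the recovery key before
choosing an acquisition path. Constructed sample data, not a real image."""
import struct

FVE_SIG = b"-FVE-FS-"      # OEM ID in the VBR and header of each FVE metadata block
SECTOR = 512
FVE_OFFSETS_AT = 0xB0       # three little-endian uint64 offsets, relative to volume start


def parse_vbr(vbr: bytes) -> dict:
    """Classify one 512-byte volume boot record."""
    oem = vbr[3:11]
    if oem != FVE_SIG:
        return {"bitlocker": False, "oem": oem.decode("ascii", "replace"),
                "metadata_offsets": []}
    offsets = list(struct.unpack_from("<3Q", vbr, FVE_OFFSETS_AT))
    return {"bitlocker": True, "oem": "-FVE-FS-", "metadata_offsets": offsets}


def scan_image(image: bytes) -> list:
    """Report every BitLocker VBR in the image and whether its metadata
    offsets really land on FVE metadata blocks (a sanity check against
    stray "-FVE-FS-" strings in unrelated data)."""
    hits = []
    for pos in range(0, len(image) - SECTOR + 1, SECTOR):
        info = parse_vbr(image[pos:pos + SECTOR])
        if not info["bitlocker"]:
            continue
        valid = [image[pos + o:pos + o + 8] == FVE_SIG
                 for o in info["metadata_offsets"]]
        hits.append({"volume_offset": pos,
                     "metadata_offsets": info["metadata_offsets"],
                     "metadata_valid": all(valid)})
    return hits


def build_sample_image() -> bytes:
    """Constructed sample: a plain NTFS volume followed by a BitLocker volume
    whose three metadata blocks sit at sectors 2, 4 and 6 of that volume."""
    ntfs = bytearray(SECTOR)
    ntfs[0:3] = b"\xEB\x52\x90"
    ntfs[3:11] = b"NTFS    "
    vol = bytearray(8 * SECTOR)
    vol[0:3] = b"\xEB\x58\x90"
    vol[3:11] = FVE_SIG
    meta = [2 * SECTOR, 4 * SECTOR, 6 * SECTOR]
    struct.pack_into("<3Q", vol, FVE_OFFSETS_AT, *meta)
    for o in meta:
        vol[o:o + 8] = FVE_SIG
    return bytes(ntfs) + bytes(vol)
```

Run `scan_image` over a real image read in binary mode; a hit with `metadata_valid` false means the signature matched but the header does not describe a consistent volume and deserves a closer look.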
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

I have had good success with F-Response in conjunction with X-Ways; off the top of my head, it is a good solution. There are various versions depending on your needs, which change the pricing scheme, but it might be worth taking a look at.

This is exactly the combination I'm looking into now. I have a demo with F-Response tomorrow. How well does X-Ways handle Win 10 BitLocker?

 
Posted : 15/08/2018 6:34 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I have a demo with F-Response tomorrow.

Tell Matt Shannon I said "hi". 😉

 
Posted : 15/08/2018 7:34 pm
(@kenobyte)
Posts: 36
Eminent Member
 

So X-Ways puts out updates very frequently and I wouldn't be surprised if they have an in-X-Ways solution for decryption as an add-in at some point, but I don't believe it does now, and I have been using an up-to-date version. So you would have to mount the image (I use Arsenal) in RO; you will get the prompt for the recovery key from Windows, input the key and then image the encrypted volume. Or restore the image to a drive, connect it RO and follow the same process. That would be my method at least.

 
Posted : 15/08/2018 7:59 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

I have a demo with F-Response tomorrow.

Tell Matt Shannon I said "hi". 😉

Will do.

 
Posted : 15/08/2018 8:49 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

So X-Ways puts out updates very frequently and I wouldn't be surprised if they have an in-X-Ways solution for decryption as an add-in at some point, but I don't believe it does now, and I have been using an up-to-date version. So you would have to mount the image (I use Arsenal) in RO; you will get the prompt for the recovery key from Windows, input the key and then image the encrypted volume. Or restore the image to a drive, connect it RO and follow the same process. That would be my method at least.

Thanks Kenobyte. I contacted X-Ways, and they don't support it out of the box. I like your idea about Arsenal, so I'm going to look into that.

 
Posted : 16/08/2018 4:07 pm
Page 1 / 2