EnCase vs Magnet Axiom  

elchinmv
(@elchinmv)
New Member

Hello,

My company wants to buy a forensic tool. Also, we would like to have better incident response/malware analysis features. We are stuck between EnCase and Axiom. I know both EnCase and Axiom are great tools for forensics, but which one will do better job for Malware analysis/incident response ? Thank you! 

Posted : 04/08/2020 9:36 am
passcodeunlock
(@passcodeunlock)
Senior Member

Mostly none of these two; both will be able to get you partial results only. Get a tool specifically for incident response analysis and not one dedicated to forensics!

Posted : 17/08/2020 7:22 pm
dom_newman
(@dom_newman)
New Member

I think Magnet is a bit further with this topic these days and also more user friendly.

Posted : 18/08/2020 9:20 am
keydet89
(@keydet89)
Community Legend

Doesn't it really depend on what you consider "better" when it comes to malware analysis and incident response?  

I mean, it's hard to say if one tool is better than the other if you're not able to articulate your requirements. As they are right now, they're pretty vague. If I were to respond to your question right now, as it stands, I'd say, "neither".

Some things to think about: what are you trying to do when you say "malware analysis"? What are the steps involved with something like this, in your mind?

Now, do the same thing with "incident response".

Posted : 18/08/2020 8:50 pm
Northwind
(@northwind)
Junior Member
Posted by: @elchinmv

Hello,

My company wants to buy a forensic tool. Also, we would like to have better incident response/malware analysis features. We are stuck between EnCase and Axiom. I know both EnCase and Axiom are great tools for forensics, but which one will do better job for Malware analysis/incident response ? Thank you! 

MAGNET AXIOM

Posted : 19/08/2020 12:16 pm
sisyphus
(@sisyphus)
New Member

Personally, I wouldn't use either EnCase or Magnet Axiom for Incident Response. I would use a series of programs instead to acquire volatile data, and subsequently some non-volatile data, then proceed into other programs to hash files and go through the PIDs of processes and virus checks.

Nuix VDC2/3, Kape, Bulk Extractor, Bambi Raptor, Volatility, Redline, Wireshark, Network Miner, a good Linux VM..

Any of those would be more useful in Incident Response than your original two choices, IMO.

BUT, if your only choice is those two previously mentioned, then I would definitely go with Magnet Axiom.

Posted : 19/08/2020 2:04 pm
kastajamah
(@kastajamah)
Member

If you are going to narrow it down to these two, I would go with AXIOM. I have been using EnCase for 8 years and Magnet Forensics IEF/AXIOM for the last 7 years. I have seen a steady decline in the quality of EnCase Forensic over the last couple of years, and their customer service has followed the same route, unfortunately. EnCase does a lot of things well, but I would be concerned about the quality of the support you will get and performance down the road.

On the other hand, Magnet Forensics has good customer support who respond quickly and thoroughly. All of my tech support questions have been responded to in less than 24 hours. AXIOM is updated regularly and they continue to expand its capabilities. It might come across as push-button forensics, but it will get the artifacts to you, and then you as the analyst can review and verify what you find. Which is something we all should be doing anyway.

Posted : 19/08/2020 5:48 pm
twjolson
(@twjolson)
Active Member

The flaw with your question is that neither forensics nor incident response can be done competently with just one or two tools.

It's like a carpenter asking, "I'm building a house, which tool should I use - a hammer or a saw?"

The answer to your question, really, is both, plus more. Probably many more. Some free, some not.

Instead, break it up into tasks and ask which tools are best for that task. So, for incident response, which tool is best for imaging over the network? For on-scene, which tool is best for triaging a live system? Which tool is best for imaging memory? What tool is best for reviewing Windows event logs? Which tool is best for static malware analysis? Which tool is best for dynamic static analysis? On and on and on.

Posted : 19/08/2020 5:58 pm
Taweret
(@taweret)
New Member

No one uses EnCase after version 6 anymore; easy choice, though better alternatives exist.

Posted : 30/08/2020 5:50 pm
trewmte
(@trewmte)
Community Legend
Professor Bill Buchanan OBE, PhD, FBCS, a Professor of Cryptography at Edinburgh Napier University, recently highlighted that people should look more closely at small-to-medium size enterprises and the software products they produce. Bill gave a few suggestions to illustrate what he meant:

For every Cisco, there's a FarrPoint
For every Symantec, there's a 7 Elements
For every Secureworks, there's an Adarma Security
For every Guidance Software (EnCase), there's a Cyan Forensics
For every IBM, there's a Symphonic Software
For every Amazon, there's a CirrusHQ

https://www.cyanforensics.com/

Posted : 31/08/2020 1:54 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @trewmte
Professor Bill Buchanan OBE, PhD, FBCS, a Professor of Cryptography at Edinburgh Napier University, recently highlighted that people should look more closely at small-to-medium size enterprises and the software products they produce. Bill gave a few suggestions to illustrate what he meant:

For every Cisco, there's a FarrPoint
For every Symantec, there's a 7 Elements
For every Secureworks, there's an Adarma Security
For every Guidance Software (EnCase), there's a Cyan Forensics
For every IBM, there's a Symphonic Software
For every Amazon, there's a CirrusHQ

https://www.cyanforensics.com/

With all due respect (both to you and to the professor you cited), the good guys at Cyan Forensics make a (BTW nice) triage tool:

https://www.cyanforensics.com/technology/

Our tools provide a new “quick look” and prioritisation capability without changing well established processes, or interfering with the tools for a full forensic examination that provides detailed evidence for use in court.

jaclaz

Posted : 31/08/2020 2:55 pm
trewmte
(@trewmte)
Community Legend
Posted by: @jaclaz
Posted by: @trewmte
Professor Bill Buchanan OBE, PhD, FBCS, a Professor of Cryptography at Edinburgh Napier University, recently highlighted that people should look more closely at small-to-medium size enterprises and the software products they produce. Bill gave a few suggestions to illustrate what he meant:

For every Cisco, there's a FarrPoint
For every Symantec, there's a 7 Elements
For every Secureworks, there's an Adarma Security
For every Guidance Software (EnCase), there's a Cyan Forensics
For every IBM, there's a Symphonic Software
For every Amazon, there's a CirrusHQ

https://www.cyanforensics.com/

With all due respect (both to you and to the professor you cited), the good guys at Cyan Forensics make a (BTW nice) triage tool:

https://www.cyanforensics.com/technology/

Our tools provide a new “quick look” and prioritisation capability without changing well established processes, or interfering with the tools for a full forensic examination that provides detailed evidence for use in court.

jaclaz

Again, I show readers at this forum what someone else has said and it turns out to be my words, too, apparently. I guess all the weblinks you break, Jaclaz, for most posts you do must literally be your words...

You're wrong Jaclaz. Learn the lessons of life... don't shoot the messenger!

Posted : 31/08/2020 5:05 pm
jaclaz
(@jaclaz)
Community Legend

@trewmte

I am not at all shooting the messenger, and as you say I am (likely) wrong, but comparing EnCase with the tools by Cyan Forensics remains inappropriate; they have different scopes and different usage.

The first is a (good or bad) "complete" forensic suite, the second is "only" a triage tool (and neither are suited for the OP question which is related to incident response/malware analysis).

jaclaz

Posted : 31/08/2020 7:02 pm
trewmte
(@trewmte)
Community Legend
Posted by: @jaclaz

@trewmte

I am not at all shooting the messenger, and as you say I am (likely) wrong, but comparing EnCase with the tools by Cyan Forensics remains inappropriate; they have different scopes and different usage.

The first is a (good or bad) "complete" forensic suite, the second is "only" a triage tool (and neither are suited for the OP question which is related to incident response/malware analysis).

jaclaz

@jaclaz

Again, I am not involved in the claim or supporting the statement published. What I am drawing attention to is a statement that implies a like-for-like claim. I have already been to the Napier website https://www.napier.ac.uk/about-us/news/cyan-forensic-funding-2019 to know what they say in addition to the Cyan Forensics website, the link to which I posted. Moreover, I have written to Bill to ask what side-by-side tests have been conducted to qualify the remarks made.

The point of the post is to demonstrate how difficult it is for those just coming into this industry to understand the products to use.

At this stage, it may be inappropriate to make a statement of "inappropriate" unless you, personally, jaclaz, have done your own research, downloaded and run tests side by side with another product. Or, if you aren't going to do so, then wait to see what others say who may respond and who have run such tests.

Posted : 31/08/2020 8:50 pm
jaclaz
(@jaclaz)
Community Legend

@trewmte

And again, just like you only cited the professor, I only cited what the makers of those tools (Cyan Forensics) have to say about their own tools.

There is no need to run/test them, nor EnCase; they simply fit different use cases, both between themselves and from what the OP asked.

The good guys at Cyan Forensics explain the usage very clearly:
https://www.cyanforensics.com/technology/

1 Prepare (the database of what you expect to find)
2 Triage (very quickly look at device contents to find anything connected to the database above)
3 Investigate (once having chosen which devices are "suspect" in step 2 do a "normal" investigation using other forensics tools).

The above (nice) features seem to me not at all useful in incident response, nor in malware analysis (though keydet89 has a point about the OP requirement being a bit vague).

Anyway, how I read this thread (if it was on a carpenter forum):

Q: My company wants to buy a carpentry tool. We are stuck between a lathe and a milling machine. I know both lathes and milling machines are great tools for carpentry, but which one will do a better job for cabinet making/wood sculptures?

A1: (passcodeunlock) Mostly none of these two.
A2: (dom_newman) I think a milling machine is a bit further with this topic these days and also more user friendly.
A3: (keydet89) Define cabinet making/wood sculptures. If I were to respond to your question right now, as it stands, I'd say, "neither".
A4: (Northwind) Milling machine.
A5: (sisyphus) Personally, I wouldn't use either a lathe or a milling machine for cabinet making. I would use a series of tools instead (list follows), but in that case the milling machine is the better choice.
A6: (kastajamah) If you are going to narrow it down to these two, I would go with the milling machine.
A7: (twjolson) The flaw with your question is that neither cabinet making nor wood sculptures can be done competently with just one or two tools. The answer to your question, really, is both, plus more. Probably many more.
A8: (Taweret) No one uses lathes since ...

At this point it seems to me like the majority (almost everyone) deemed the lathe as not being suitable.

A9: (trewmte) Professor X says that for every lathe there is a power jigsaw. (link to a power jigsaw manufacturer)
A10: (jaclaz) Power jigsaws are not comparable to lathes.

jaclaz

Posted : 02/09/2020 6:04 pm
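The Prepare / Triage / Investigate workflow jaclaz summarises above, and the "hash files" step in sisyphus's own IR toolchain, both boil down to the same mechanism: build a set of known hashes first, then walk a device and surface only the files that match, leaving everything else for a full examination in another tool. The script below is an added example written for this thread; it is not code from the original posts and not Cyan Forensics' product or any of the named vendors' tools. The file names, contents and "known bad" set are constructed sample data so the block runs offline in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample data standing in for the contents of a seized device.
SAMPLE_FILES = {
    "docs/readme.txt": b"nothing to see here\n",
    "tools/dropper.exe": b"MZ\x90\x00constructed fake dropper payload",
    "tools/notes.txt": b"meeting notes\n",
}
# Which of those files the examiner already knows about (constructed, for the demo).
KNOWN_ITEMS = {"tools/dropper.exe"}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def prepare(reference_paths):
    """Step 1 (Prepare): build the database of what you expect to find.

    Here the database is simply a set of SHA-256 digests of known files.
    """
    return {sha256_file(p) for p in reference_paths}


def triage(root, database):
    """Step 2 (Triage): hash every regular file under root, return only the hits.

    Symlinks are skipped so a link pointing outside the device is never followed.
    Returns a sorted list of (relative_path, digest) tuples.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digest = sha256_file(p)
            if digest in database:
                hits.append((p.relative_to(root).as_posix(), digest))
    return sorted(hits)


def build_sample_tree(root):
    """Write the constructed sample files into a scratch directory."""
    for rel, data in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Run Prepare then Triage over the sample tree; Step 3 (Investigate) is left
    to a full forensic suite, exactly as the triage workflow intends."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        db = prepare([Path(tmp) / rel for rel in KNOWN_ITEMS])
        return triage(tmp, db)


if __name__ == "__main__":
    for rel, digest in demo():
        print(f"HIT {digest}  {rel}")
```

The point the example makes is the one jaclaz is making about scope: a hash-set triage pass only tells you which devices deserve a full examination. It matches exact bytes, so a file that differs by a single byte from the database entry is not a hit, and it says nothing about running processes, memory or network state, which is why it does not substitute for the incident response tooling the other replies list.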