Hello,
My company wants to buy a forensic tool. Also, we would like to have better incident response/malware analysis features. We are stuck between EnCase and Axiom. I know both EnCase and Axiom are great tools for forensics, but which one will do a better job for malware analysis/incident response? Thank you!
Mostly neither of the two; both will only be able to get you partial results. Get a tool specifically for incident response analysis and not one dedicated to forensics!
I think Magnet is a bit further along with this topic these days and also more user friendly.
Doesn't it really depend on what you consider "better" when it comes to malware analysis and incident response?
I mean, it's hard to say if one tool is better than the other if you're not able to articulate your requirements. As they are right now, they're pretty vague. If I were to respond to your question right now, as it stands, I'd say "neither".
Some things to think about... what are you trying to do when you say "malware analysis"? What are the steps involved with something like this, in your mind?
Now, do the same thing with "incident response".
MAGNET AXIOM
Personally, I wouldn't use either EnCase or Magnet Axiom for incident response. I would use a series of programs instead to acquire volatile data, and subsequently some non-volatile data, then proceed into other programs to hash files, go through the PIDs of processes, and run virus checks.
Nuix VDC2/3, Kape, Bulk Extractor, Bambi Raptor, Volatility, Redline, Wireshark, Network Miner, a good Linux VM.
Any of those would be more useful in incident response than your original two choices, IMO.
BUT, if your only choice is between those two previously mentioned, then I would definitely go with Magnet Axiom.
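The "hash files" step mentioned in the post above is the kind of task a responder usually scripts rather than buys a suite for. The following is an added example, not code from any poster or vendor tool: it walks an evidence tree, streams each file through SHA-256, and splits the results into blocklist hits and files needing manual review. The blocklist entries and the sample tree are constructed inside the script (they are not real indicators); in practice the hash set would come from your own intel feed.

```python
"""Added example: hash-based file triage over an evidence tree (not a vendor tool's code)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample blocklist: SHA-256 of two made-up byte strings.
# These are NOT real indicators; a real run would load hashes from a threat-intel source.
CONSTRUCTED_BAD_CONTENT = [b"constructed dropper sample\n", b"constructed loader sample\n"]
KNOWN_BAD = {
    hashlib.sha256(content).hexdigest(): f"constructed-indicator-{i}"
    for i, content in enumerate(CONSTRUCTED_BAD_CONTENT)
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root.

    Symlinks are skipped so that a link pointing outside the evidence tree is never followed.
    """
    root = Path(root)
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            hashes[str(p.relative_to(root))] = sha256_file(p)
    return hashes


def triage(root, known_bad=KNOWN_BAD):
    """Split the tree into blocklist hits and files that still need analyst review.

    Returns (hits, unmatched): hits is a list of (path, sha256, indicator_name),
    unmatched is a list of (path, sha256).
    """
    hits, unmatched = [], []
    for rel, digest in sorted(hash_tree(root).items()):
        if digest in known_bad:
            hits.append((rel, digest, known_bad[digest]))
        else:
            unmatched.append((rel, digest))
    return hits, unmatched


def build_demo_tree():
    """Create a constructed evidence tree: two benign files and one that matches the blocklist."""
    d = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (d / "docs").mkdir()
    (d / "docs" / "readme.txt").write_bytes(b"benign notes\n")
    (d / "bin").mkdir()
    (d / "bin" / "helper.exe").write_bytes(b"benign binary\n")
    (d / "bin" / "update.tmp").write_bytes(CONSTRUCTED_BAD_CONTENT[0])
    return d


if __name__ == "__main__":
    demo = build_demo_tree()
    hits, unmatched = triage(demo)
    for rel, digest, name in hits:
        print(f"HIT     {rel}  {digest[:16]}...  ({name})")
    for rel, digest in unmatched:
        print(f"REVIEW  {rel}  {digest[:16]}...")
```

Point it at a mounted image or a KAPE-style collection directory instead of the demo tree; the streaming hash keeps memory flat on multi-gigabyte files, and the "REVIEW" list is what you would hand to the allowlisting or sandboxing step that the other posters describe.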
If you are going to narrow it down to these two, I would go with AXIOM. I have been using EnCase for 8 years and Magnet Forensics IEF/AXIOM for the last 7 years. I have seen a steady decline in the quality of EnCase Forensic over the last couple of years, and their customer service has followed the same route unfortunately. EnCase does a lot of things well, but I would be concerned about the quality of the support you will get and performance down the road.
On the other hand, Magnet Forensics has good customer support who respond quickly and thoroughly. All of my tech support questions have been responded to in less than 24 hours. AXIOM is updated regularly and they continue to expand its capabilities. It might come across as push button forensics, but it will get the artifacts to you, and then you as the analyst can review and verify what you find. Which is something we all should be doing anyways.
The flaw with your question is that neither forensics nor incident response can be done competently with just one or two tools.
It's like a carpenter asking, "I'm building a house, which tool should I use - a hammer or a saw?"
The answer to your question, really, is both, plus more. Probably many more. Some free, some not.
Instead, break it up into tasks and ask which tools are best for that task. So, for incident response, which tool is best for imaging over the network? For on-scene, which tool is best for triaging a live system? Which tool is best for imaging memory? What tool is best for reviewing Windows event logs? Which tool is best for static malware analysis? Which tool is best for dynamic static analysis? On and on and on.
No one uses EnCase after version 6 anymore; easy choice, though better alternatives exist.
For every Cisco, there's a FarrPoint
For every Symantec, there's a 7 Elements
For every Secureworks, there's an Adarma Security
For every Guidance Software (EnCase), there's a Cyan Forensics
For every IBM, there's a Symphonic Software
For every Amazon, there's a CirrusHQ