Anyone with EnCase Enterprise?
What have you used it for? Other than "forensics", how about just eDiscovery? Legal holds? Other?
I'm curious about EnCase Enterprise as well. Can anyone comment about its speed and reliability for logical acquisitions for e-discovery?
I have used it pretty extensively. The key to any efficient collection is defining limiting criteria that are not too broad or narrow. That being said, it is efficient at gathering data from remote systems and putting the data into a logical evidence file. That automated capability is not really included with the lower end model, unless you script it yourself. You will have to buy additional modules to use the full features and automation.
Depending on what you're trying to accomplish, the network environment and how many machines you're talking about, F-Response can do the "connection" and "networking" part, then you can still use EnCase forensic version to automate the collection into LEF files or whatever.
Lance
I thought EnCase Enterprise removes the need for F-Response, or are you talking about EnCase Pro/standalone only?
EnCase Enterprise is EnCase Forensic with network capabilities. F-Response is just a tool that enables a network connection to a remote machine, there is no forensic tool included, so therefore you have to have some type of forensic tool to do the image or analysis across that network connection.
Also, the price differences are huge.
EnCase Enterprise = > 100k depending on how many nodes and concurrent connections.
EnCase Forensic ($3500) + F-Response ($5000).
I am not implying the two solutions are completely equal. It just depends on what your intended use is, what the future use will be and what you want to accomplish with it.
This is great info. Thanks, lance.
I am familiar with how F-Response functions. It will not work for us.
Hmmm… That is not what the EnCase reps are selling to the Legal department.
Indeed, they are saying that there are all these document and case management features built into the Enterprise version, besides the networking and the forensics.
So the big question is, are the extra features worth +$90K?
We may be hearing different things or interpreting different messages from various sales reps.
They made a visit to push EnCase Enterprise, with eDiscovery in mind; they didn't mention F-Response at all or any other 3rd party app.
What they did mention was that you can push a client applet/agent with your software distribution of choice (e.g., smss). Once that is installed and running on the client (laptop/desktop) you can collect/cull data - which is more in line with the understanding I had from reading their documentation.
The advantage over the Enterprise license is that you don't need someone to be physically with the laptop. You can remotely do live forensics or eDiscovery.
I'm not saying lancemueller got it wrong; obviously, he is using it. Just giving my $.02.
I believe the Enterprise version covers the need for the secure network tunnel, and provides the client at the remote device.
My problem is that it, or F-Response, will not work for us. It will not work because we have a huge heterogeneous network with potentially half a dozen firewalls in between the target and collecting machines.
It is highly unlikely and ill advised to punch holes through every firewall each time just to be able to image a machine.
It would also be a logistical nightmare…
Which is why I would like to hear about the case management side of it. Is it truly worth the huge investment?
If the sales rep is talking to your legal department then they would be selling the eDiscovery product, which is built on top of EnCase Enterprise. Its primary use is as a collection and processing tool with some case management aspect to it. There's also a Legal Hold Product that builds on it further.
My guess would be that's what they are talking to the legal department about.
Tom