I just want to know the merits and demerits of each product.
Harlan said ProDiscover is a very good product because of its Perl functionality and its price.
What are its demerits?
In SC Magazine, ProDiscover won the BEST BUY award, but EE did not. The only reason they gave was its price.
I just want more information about them.
If there is someone who is using both of them, please tell me the advantages and disadvantages of ProDiscover compared with EnCase Enterprise.
Thanks, P
Really, EnCase Enterprise and ProDiscover are two completely different things that accomplish the same primary goal.
First of all, Enterprise (EE) works on a P2P system, which requires a small Java servlet to be installed on each acquirable system; this is basically a backdoor for the EE application. This is generally done by the sysadmin team, typically pushed out in a logon script, etc.
Once the backdoor is installed, it has the ability to send the content of a system (including deleted files) to the EE server, which is usually on site or, in some (rare) cases, abroad.
The EE administrator then does either a live content search, or searches for filenames on remote systems, and decides what to acquire and what to leave alone.
The EE system can deduplicate on acquire, comparing hashes of acquired files from one machine to another, and deliver detailed logs of what was acquired, what was skipped, and why, on what workstations.
This is why Enterprise is so expensive: you can complete in hours what a physical system-by-system acquisition would take weeks (e.g. imaging 1000 workstations and analyzing the data).
To my knowledge, no vendors are using this app, because of the price. Many in-house counsel, such as Dell, are using EE in house, because it makes more sense than hiring a vendor to do a system-by-system physical acquisition 3 times a year, which is disruptive to the business physically and psychologically.
The only vendor I've seen use EE is Guidance Software themselves, in the professional services division. If you contact Kim Davis at Guidance PSD, she will explain more.
ProDiscover is more comparable to the EnCase Forensic product, because it is used for system-by-system analysis (generally one drive or array at a time is examined), and it is a fraction of the cost.
ProDiscover is still cheaper, and very capable compared to EnCase Forensic. I know a lot of our peers in this community prefer it over EnCase.
I personally haven't used it, but I look forward to a chance one day.
To conclude, ProDiscover is not comparable to EE, but it is, however, comparable to EnCase Forensic.
I believe another sound comparison for ProDiscover is the LiveWire product, which received the Lab Approved rating. Both tools work on the same premise, meaning there is no pre-installation; it is more of an "on the fly" acquisition.
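The post above describes EE's acquisition model in general terms: an agent exposes each workstation's files, the server hashes what it pulls, deduplicates across machines, and logs what was acquired, what was skipped and why, per workstation. The following is an added illustration of that dedupe-on-acquire logic in Python; it is not EnCase or ProDiscover code, and it assumes SHA-256 as the file hash, a constructed in-memory file listing standing in for the agent's view of each workstation, and a "baseline" set of hashes (for example, known operating-system binaries) that the collector is told to skip.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class FileEntry:
    """One file as reported by a (hypothetical) endpoint agent."""
    workstation: str
    path: str
    content: bytes  # in a real acquisition this would be streamed from the agent

@dataclass
class AcquisitionLog:
    acquired: list = field(default_factory=list)  # (workstation, path, sha256)
    skipped: list = field(default_factory=list)   # (workstation, path, reason)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire_with_dedup(entries, baseline_hashes=()):
    """Acquire each distinct file content once across all workstations.

    A file is skipped, with a logged reason, when its hash is in the
    baseline set (known, uninteresting content) or when identical content
    was already acquired from another path or workstation.
    Returns (evidence_store, log): store maps hash -> content.
    """
    baseline = set(baseline_hashes)
    first_seen = {}  # hash -> (workstation, path) of the copy we kept
    store = {}
    log = AcquisitionLog()
    for e in entries:
        h = sha256_hex(e.content)
        if h in baseline:
            log.skipped.append((e.workstation, e.path, f"baseline hash {h[:12]}"))
            continue
        if h in first_seen:
            ws, p = first_seen[h]
            log.skipped.append((e.workstation, e.path, f"duplicate of {ws}:{p}"))
            continue
        first_seen[h] = (e.workstation, e.path)
        store[h] = e.content
        log.acquired.append((e.workstation, e.path, h))
    return store, log

def summarize_by_workstation(log):
    """Per-workstation counts of acquired vs skipped files, for the report."""
    summary = {}
    for ws, _path, _h in log.acquired:
        summary.setdefault(ws, {"acquired": 0, "skipped": 0})["acquired"] += 1
    for ws, _path, _reason in log.skipped:
        summary.setdefault(ws, {"acquired": 0, "skipped": 0})["skipped"] += 1
    return summary

# Constructed sample listing: three workstations, one OS binary common to
# all of them, and one spreadsheet that was copied around. Paths and
# contents are made up for the example.
SAMPLE_LISTING = [
    FileEntry("WS-01", r"C:\Windows\notepad.exe", b"BASELINE-OS-BINARY"),
    FileEntry("WS-01", r"C:\Users\a\Documents\budget.xlsx", b"budget v1"),
    FileEntry("WS-02", r"C:\Windows\notepad.exe", b"BASELINE-OS-BINARY"),
    FileEntry("WS-02", r"C:\Users\b\Desktop\budget copy.xlsx", b"budget v1"),
    FileEntry("WS-02", r"C:\Users\b\Desktop\memo.docx", b"memo about Q3"),
    FileEntry("WS-03", r"C:\Windows\notepad.exe", b"BASELINE-OS-BINARY"),
    FileEntry("WS-03", r"C:\Temp\budget.xlsx", b"budget v1"),
]
SAMPLE_BASELINE = {sha256_hex(b"BASELINE-OS-BINARY")}

def run_sample():
    """Acquire the constructed listing; returns (store, log, per-workstation summary)."""
    store, log = acquire_with_dedup(SAMPLE_LISTING, SAMPLE_BASELINE)
    return store, log, summarize_by_workstation(log)

if __name__ == "__main__":
    store, log, summary = run_sample()
    for ws, path, h in log.acquired:
        print(f"ACQUIRED {ws} {path} {h[:12]}")
    for ws, path, reason in log.skipped:
        print(f"SKIPPED  {ws} {path} ({reason})")
    print(summary)
```

On the constructed listing only two distinct items are stored (the spreadsheet once and the memo), while the three baseline binaries and the two further copies of the spreadsheet are skipped with a reason naming the copy that was kept. That is the shape of the "what was acquired, what was skipped, and why, on what workstations" log the post refers to; the transport from agent to server is outside the example.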
Hey, has anyone used the ProDiscover Basic software? It looks like it's free?
What do you miss vs. the paid version?
To conclude, ProDiscover is not comparable to EE, but it is, however, comparable to EnCase Forensic.
Which do you mean ProDiscover, ProDiscover Forensic or ProDiscover IR?
I apologize for my unclear question, but I was comparing EE with ProDiscover IR.
When I saw Technology Pathways' HP, I thought ProDiscover IR worked like EE. So I want to know the difference.
Do you mean ProDiscover is NOT P2P software, and that it can't acquire an image over the network?
I think you explained just the EE "e-Discovery" version…
I believe another sound comparison for ProDiscover is the LiveWire product, which received the Lab Approved rating. Both tools work on the same premise, meaning there is no pre-installation; it is more of an "on the fly" acquisition.
I've never heard about "LiveWire".
Do you use it? And is it a good tool?
And I don't know about the "Lab Approved rating".
Is this an official…governmental rating?
I'm going to check WetStone's HP and the "Lab Approved rating", but if you have more information about them, please let me know.
Mikkie,
LiveWire is an interesting tool…I've seen folks use it, and it looks like it actually uses a lot of third-party tools (renamed) and collects information from remote systems via psexec-like tools, as well as WMI. It allows you to collect a lot of info and presents it in a nice HTML format, but it doesn't seem to really facilitate much analysis.
H
EE can surely capture a full image over the wire, though it takes time. It is an outstanding forensic tool for larger companies. Our laptops are encrypted, and it's quite some job to decrypt, image and then do forensic analyses on them. With EE you really control your environment. I have done investigations on computers offshore, also with a great deal of success. EE furthermore has the ability to do a snapshot of the system, so you can see running processes, open ports, etc. Excellent tool, but as you state, very expensive, so I guess it depends on your need. E-discovery uses the same agent, and depending on connections, it seems like a very powerful solution for document searches. We are in a phase right now considering the purchase of E-discovery.
We did some testing while acquiring a 30 GB drive, and it was hardly possible to notice it on the client machine while the imaging took place. Imaging took 4 hours.
I am in the financial sector.
30 GB in 4 hours is pretty quick; does anyone have any benchmarks for the speed of ProDiscover?
Mikkie,
LiveWire is an interesting tool…I've seen folks use it, and it looks like it actually uses a lot of third-party tools (renamed) and collects information from remote systems via psexec-like tools, as well as WMI. It allows you to collect a lot of info and presents it in a nice HTML format, but it doesn't seem to really facilitate much analysis.
H
Harlan,
There are many people who say LiveWire is not a good "forensic analysis tool"; is your opinion the same?
I just visited WetStone's HP, and I noticed that the company says they are a leading company in analyzing Malware and Steganography.
I'm interested in the company for its Malware investigation tool.
What is your view? Is it easy/useful for analyzing Malware?
Also, I think you commented about ProDiscover in another topic, I suppose; let me know more info about it.
Borninfire says ProDiscover is not comparable to EE… ?