
EnCase Enterprise vs ProDiscover

28 Posts
11 Users
0 Reactions
5,695 Views
(@forensicon)
Active Member
Joined: 19 years ago
Posts: 17
 

I feel that it is hard to compare EE to ProDiscover or LiveWire… simply put, it is way more expensive and allows a bit more back-end analysis than other live tools; it just depends on what you are looking for and what your budget is…

On their website, WetStone says that they offer online demos of the Gargoyle product, might be a good place to see how it works and to ask questions.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Mikkie,

"There are many people that say LiveWire is not good as a 'forensic analysis tool'; is your opinion the same?"

LiveWire is good for capturing volatile data, but I don't know of any tool out there yet that performs analysis. I've listed some analysis steps in my book, but no two infrastructures are the same, so what may be legit in one organization may not be in another.

"I just visited WetStone's HP, and I noticed the company says it is a leading company in analyzing malware and steganography.
I'm interested in the company for its malware investigation tool.
What is your view? Is it easy/useful for analyzing malware?"

I have no idea. I don't believe that any one tool can analyze malware for you. Instead, you have to have a toolbox and your own knowledge. From what I've seen of LiveWire, it appears to use some of the same volatile data collection tools I currently use (based on the output as it appears on the screen, formatting of the data, etc.). However, that's just data collection… it's up to you to actually analyze the data.

"Also, I think you commented out about ProDiscover in other topic I suppose, let me know more info about it."

Like what, specifically?

I use it all the time when analyzing Windows images. It's easier for me to use, and I've even gone so far as to convert EnCase evidence files to dd format so I could perform my analysis. I find the interface much cleaner than EnCase, and I find it much easier to move around in ProDiscover. Also, I do not rely on EnScripts, and instead will write my own ProScripts (or external tools… both are included on the DVD with my book, BTW) because it's easier for me to do so.

"Borninfire says ProDiscover is not comparable to EE…"

Yes, I see that, and I disagree. ProDiscover IR allows you to push out an agent (which is client-server, NOT P2P) to the remote system, or deploy the agent via CD. The agent allows you to collect volatile data as well as perform a live acquisition. I've done both. I've also automated both via ProScripts.

Also, remember… Borninfire himself states that he hasn't actually used ProDiscover. I'm not saying that I'm right… simply that I have my own opinion, based on using both EnCase and ProDiscover (in addition to other tools).

Hope that helps,

H


   
ReplyQuote
mikkie
(@mikkie)
Active Member
Joined: 18 years ago
Posts: 10
Topic starter  

"I feel that it is hard to compare EE to ProDiscover or LiveWire… simply put, it is way more expensive and allows a bit more back-end analysis than other live tools; it just depends on what you are looking for and what your budget is…

On their website, WetStone says that they offer online demos of the Gargoyle product, might be a good place to see how it works and to ask questions."

Forensicon,

Thanks for your comments. I think it will be better to ask them some questions…

thanks


   
ReplyQuote
mikkie
(@mikkie)
Active Member
Joined: 18 years ago
Posts: 10
Topic starter  

Harlan,

Thank you for your info, that was really helpful for me.
I think I should try to use ProDiscover, anyway…

Adding to that, I can see that malware analysis is very difficult, so it can't depend on specific tools…
I must have more knowledge about them to analyze malware?

mikkie


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

mikkie,

"I must have more knowledge about them to analyze malware"

Okay…buy my book.

H


   
ReplyQuote
(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

"Yes, I see that, and I disagree. ProDiscover IR allows you to push out an agent (which is client-server, NOT P2P) to the remote system, or deploy the agent via CD. The agent allows you to collect volatile data as well as perform a live acquisition."

Hmm, interesting thread. The EE servlet can be deployed like any other application, but it also allows you to push out servlets by using an EnScript. It can collect volatile data but is unable to acquire physical memory, which I believe ProDiscover IR can do.

I'm not sure that I would describe EE as P2P either; it uses SAFE (Safe Authentication For EnCase) to provide authentication and role-based permissions for examination capabilities. The servlet is not Java based; however, the EnScript language has a very C++/Java feel to it.

I'm an experienced EE user but have no ProDiscover IR experience.


   
ReplyQuote
(@jango)
Eminent Member
Joined: 19 years ago
Posts: 26
 

Hoping someone can assist me. Is there any way someone can detect if EnCase Enterprise (the servlet) has been deployed on their PC, or ideally any way to detect if an image has been taken of their machine remotely or viewed remotely?

Any help greatly appreciated


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Not exactly on topic, but the answer is yes. Everything runs as a process on a system… in order for any work to be done there needs to be a process and at least one thread. With a savvy enough user, this can be detected.


   
ReplyQuote
(@jango)
Eminent Member
Joined: 19 years ago
Posts: 26
 

Can you please tell me what artifacts/files will indicate if EnCase Enterprise has been deployed on a PC, and also what to look for to detect if an image has been taken of a machine remotely or viewed remotely?

Any help greatly appreciated


   
ReplyQuote
 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

No, I think that would be telling.

See, we don't know you. You've recently joined, and your only posts are about EnCase from a user's view. For all I know, you're trying to figure out if you're being monitored by someone who probably has a legitimate reason to monitor you. I'm not going to interfere with that.

I'm all for "knowledge wants to be free" and all that, but not in this case. We're self-policing here, and not answering is the control we exercise.


   
ReplyQuote
Page 2 / 3