EnCase vs Magnet Axiom

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 
Posted by: @trewmte
Professor Bill Buchanan OBE, PhD, FBCS, a Professor of Cryptography at Edinburgh Napier University recently highlighted that people should look more closely at small-to-medium size enterprises and the software products they produce. Bill gave a few suggestions to illustrate what he meant:
 

For every Cisco, there's a FarrPoint
For every Symantec, there's a 7 Elements
For every Secureworks, there's an Adarma Security
For every Guidance Software (EnCase), there's a Cyan Forensics
For every IBM, there's a Symphonic Software
For every Amazon, there's a CirrusHQ

https://www.cyanforensics.com/

With all due respect (both to you and to the professor you cited), the good guys at Cyanforensics make a (BTW nice) triage tool:

https://www.cyanforensics.com/technology/

Our tools provide a new “quick look” and prioritisation capability without changing well established processes, or interfering with the tools for a full forensic examination that provides detailed evidence for use in court.

jaclaz


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 
Posted by: @jaclaz
Posted by: @trewmte
Professor Bill Buchanan OBE, PhD, FBCS, a Professor of Cryptography at Edinburgh Napier University recently highlighted that people should look more closely at small-to-medium size enterprises and the software products they produce. Bill gave a few suggestions to illustrate what he meant:
 

For every Cisco, there's a FarrPoint
For every Symantec, there's a 7 Elements
For every Secureworks, there's an Adarma Security
For every Guidance Software (EnCase), there's a Cyan Forensics
For every IBM, there's a Symphonic Software
For every Amazon, there's a CirrusHQ

https://www.cyanforensics.com/

With all due respect (both to you and to the professor you cited), the good guys at Cyanforensics make a (BTW nice) triage tool:

https://www.cyanforensics.com/technology/

Our tools provide a new “quick look” and prioritisation capability without changing well established processes, or interfering with the tools for a full forensic examination that provides detailed evidence for use in court.

jaclaz

Again, I show readers at this forum what someone else has said, and it turns out to be my words too, apparently. I guess all the weblinks, Jaclaz, in most posts you do must literally be your words...

You're wrong Jaclaz. Learn the lessons of life... don't shoot the messenger!

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@trewmte

I am not at all shooting at the messenger, and as you say I am (likely) wrong, but comparing EnCase with the tools by Cyanforensics remains inappropriate; they have different scopes and different usage.

The first is a (good or bad) "complete" forensic suite, the second is "only" a triage tool (and neither are suited for the OP question which is related to incident response/malware analysis).

jaclaz

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 
Posted by: @jaclaz

@trewmte

I am not at all shooting at the messenger, and as you say I am (likely) wrong, but comparing EnCase with the tools by Cyanforensics remains inappropriate; they have different scopes and different usage.

The first is a (good or bad) "complete" forensic suite, the second is "only" a triage tool (and neither are suited for the OP question which is related to incident response/malware analysis).

jaclaz

@jaclaz

Again, I am not involved in the claim or supporting the statement published. What I am drawing attention to is a statement that implies a like-for-like claim. I have already been to the Napier website https://www.napier.ac.uk/about-us/news/cyan-forensic-funding-2019 to know what they say in addition to the Cyan Forensics website, to which I posted the link. Moreover, I have written to Bill to ask what side-by-side tests have been conducted to qualify the remarks made.

The point of the post is to demonstrate how difficult it is for those just coming into this industry to understand the products to use.

At this stage, it may be inappropriate to make a statement of "inappropriate" unless you, personally, jaclaz, have done your own research, downloaded and run tests side by side with another product. Or if you aren't going to do so, then wait to see what others say who may respond and who have run such tests.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@trewmte

And again, just like you only cited the professor, I only cited what the makers of those tools (Cyanforensics) have to say about their own tools.

There is no need to run/test them, nor EnCase; they simply fit different use cases, both between themselves and from what the OP asked.

The good guys @Cyanforensics explain very clearly the usage:
https://www.cyanforensics.com/technology/

1 Prepare (the database of what you expect to find)
2 Triage (very quickly look at device contents to find anything connected to the database above)
3 Investigate (once having chosen which devices are "suspect" in step 2 do a "normal" investigation using other forensics tools).

The above (nice) features seem to me not at all useful in incident response, nor in malware analysis (though keydet89 has a point about the OP requirement being a bit vague).

Anyway, how I read this thread (if it was on a carpenter forum):

Q: My company wants to buy a carpentry tool. We are stuck between a lathe and a milling machine. I know both lathes and milling machines are great tools for carpentry, but which one will do a better job for cabinet making/wood sculptures?

A1: (passcode unlock) Mostly none of these two
A2: (dom newman) I think a milling machine is a bit further with this topic in these days and also more user friendly.
A3: (keydet89) Define cabinet making/wood sculptures. If I were to respond to your question right now, as it stands, I'd say, "neither".
A4: (Northwind) Milling machine.
A5: (sisyphus) Personally, I wouldn't use either a lathe or a milling machine for cabinet making. I would use a series of tools instead (list follows), but in any case the milling machine is the better choice.
A6: (kastajamah) If you are going to narrow it down to these two, I would go with the milling machine.
A7: (twjolson) The flaw with your question is that neither cabinet making nor wood sculptures can be done competently with just one or two tools. The answer to your question, really, is both, plus more. Probably many more.
A8: (Taweret) No one uses lathes since ...

At this point it seems to me like the majority (almost everyone) deemed the lathe as not being suitable.

A9: (trewmte) Professor X says that for every lathe there is a power jigsaw. (link to a power jigsaw manufacturer)
A10: (jaclaz) Power jigsaws are not comparable to lathes.

jaclaz

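The Prepare/Triage/Investigate workflow described in the post above is, at its core, hash-set matching against a mounted volume. The following is an added illustration written for this page; it is not code from the thread, from Cyan Forensics or from Guidance Software, and it does not reproduce any vendor's actual matching scheme. The "known" content and the directory tree are constructed stand-ins, and SHA-256 is used simply as a concrete choice of digest.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for "content you expect to find". A real deployment
# would load a vetted hash set, not embed bytes in the script.
KNOWN_FILES = {
    "known_a.jpg": b"constructed stand-in for a known image file",
    "known_b.doc": b"constructed stand-in for a known document",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def prepare(known_files):
    """Step 1 (Prepare): map digest -> label for every item in the known set."""
    return {hashlib.sha256(data).hexdigest(): label for label, data in known_files.items()}


def triage(root, hash_db):
    """Step 2 (Triage): hash every regular file under root and report matches.

    Symlinks are skipped (following them would hash a target twice or escape
    the volume) and unreadable files are recorded rather than aborting, since
    a triage pass has to finish to be of any use.
    """
    hits, errors, scanned = [], [], 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError as exc:
                errors.append((str(p), str(exc)))
                continue
            scanned += 1
            if digest in hash_db:
                hits.append((str(p.relative_to(root)), hash_db[digest]))
    return {"scanned": scanned, "hits": sorted(hits), "errors": errors}


def demo():
    """Build a constructed volume and run Prepare and Triage over it."""
    hash_db = prepare(KNOWN_FILES)
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp)
        (vol / "DCIM").mkdir()
        (vol / "Documents").mkdir()
        # Renamed byte-for-byte copy of known_a.jpg: exact hashing catches this.
        (vol / "DCIM" / "IMG_0001.jpg").write_bytes(KNOWN_FILES["known_a.jpg"])
        # known_b.doc with a single byte appended: exact hashing misses this.
        (vol / "Documents" / "edited.doc").write_bytes(KNOWN_FILES["known_b.doc"] + b"\n")
        (vol / "Documents" / "notes.txt").write_bytes(b"unrelated constructed content")
        (vol / "Documents" / "empty.dat").write_bytes(b"")
        return triage(vol, hash_db)


if __name__ == "__main__":
    result = demo()
    print(f"scanned={result['scanned']} hits={result['hits']} errors={result['errors']}")
```

Step 3 (Investigate) is deliberately absent: a hit here only prioritises the device for a full examination with other tools, as the workflow describes. The constructed volume also shows the limit of exact matching that the rest of the thread circles around: a renamed copy is found, but the same document with one byte changed is not, so a clean triage result is not evidence that nothing relevant is present.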
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 
Posted by: @twjolson

The flaw with your question is that neither forensics nor incident response can be done competently with just one or two tools.

It's like a carpenter asking, "I'm building a house, which tool should I use - a hammer or a saw".

The answer to your question, really, is both, plus more.  Probably many more.  Some free, some not.

Instead, break it up into tasks and ask which tools are best for that task.  So, for incident response, which tool is best for imaging over the network?  For on-scene, which tool is best for triaging a live system?  Which tool is best for imaging memory?  What tool is best for reviewing Windows event logs?  Which tool is best for static malware analysis?  Which tool is best for dynamic static analysis?  On and on and on.

The response above from the FF member was the one for me that prompted my post about Cyan Forensics. I did get a response from Bill, and he kindly confirmed he was only making a comparison about companies, as in SMEs.

The 'triage and hashes' offered as core capabilities by both EnCase and Cyan are what interested me when considering @twjolson's comments above.

https://www.guidancesoftware.com/encase-portable

Digital forensic tools are on the increase, and anyone coming from, for example, a DFIR side or from digital security (Blue Team now has DF exams and certificates) can be overwhelmed and not appreciate the mix and match of tools that can assist investigations, extraction and harvesting, analysis and cross-comparison.

I am told there are further tests being carried out by Cyan so I hope that feedback can add to this discussion thread. 
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

@trewmte

I've tested Cyan's tool and it does what it says it does: it looks for party of files from a known database... but nothing else. No ability to see what files have been accessed, run keywords, etc.

It's pretty useless except for some police forces to use it to justify returning an item that they don't have the resources to examine and no actual intelligence to justify a 'proper' examination. So they will use it on a suspect's family member's (wife, daughter, etc.) device and then they will give it back when it finds nothing.

Mreza
(@mreza)
Trusted Member
Joined: 10 years ago
Posts: 85
 
Posted by: @elchinmv

Hello,

My company wants to buy a forensic tool. Also, we would like to have better incident response/malware analysis features. We are stuck between EnCase and Axiom. I know both EnCase and Axiom are great tools for forensics, but which one will do better job for Malware analysis/incident response ? Thank you! 

AccessData FTK has the ability to do malware analysis on executable binaries:

https://accessdata.com/products-services/cerberus

Em-Belkasoft
(@em-belkasoft)
Eminent Member
Joined: 5 years ago
Posts: 33
 
Posted by: @elchinmv

Hello,

My company wants to buy a forensic tool. Also, we would like to have better incident response/malware analysis features. We are stuck between EnCase and Axiom. I know both EnCase and Axiom are great tools for forensics, but which one will do better job for Malware analysis/incident response ? Thank you! 

Depending on the level of the granularity of details you are looking to get and your experience, you may want to consider Belkasoft Evidence Center (BEC) for incident response. To see BEC in action for IR, you can go through Belkasoft's new series of white papers on the topic. 

(@pachuco)
Eminent Member
Joined: 10 years ago
Posts: 22
 

@mreza - Having been certified in EnCase in 2009 and now having used AXIOM for years (we have an AXIOM-certified employee too), I can tell you there exists an ever-widening difference between the two. EnCase was always our 'go to' product for the first attack, but we always used others as well, such as IEF by Magnet, Autopsy, and others. It seemed to us that EnCase began to move towards eDiscovery more than digital forensics starting about 2010. Still, we stayed with EnCase through all of Versions 6 and 7. Eventually, though, we began using AXIOM more and more, and now it is our first choice. The training that Jamey Tubbs at EnCase gave us was second to none, but now he has also moved to Magnet. If it were me, starting over today, I would choose AXIOM. Remember, though, you will always need more than one tool, so consider that. We used Belkasoft for about 2 years and liked it as well. You may want to start with AXIOM and set your sights on bringing Belkasoft in a little later. Yuri is a real go-getter and you should see him skateboard too! Good luck!
