Hi - new to the forum here! 8)
I am looking for recommendations from the group on what to use to do forensics on Windows servers. Encase enterprise edition is a bit pricey - $250k? ❓
I am fairly new to this and currently own Encase Professional, and am downloading, as I type, the Penguin Sleuth Bootable CD.
My concern is to minimize server downtime and have the ability to move all that data off the server.
Thanks
You can acquire the data from the server with Encase Forensic Edition. There are methods to speed up the acquisition so as to minimize server downtime. One of the newer ones (that I have yet to try) is with the Linen utility (Encase for Linux). Examiners are reporting acquisitions of 500 GB in 6-8 hours when writing to an ext3 partitioned storage volume. If the server's RAID is hot-swappable you can acquire each drive in turn with a write blocker without taking the server down. Encase will allow you to rebuild the array, but you must know the details of the RAID (type, stripe size, etc.).
I'm not sure of the actual cost of the enterprise version. It is pricey to be sure, and based on the number of nodes on the network, but I have never heard a quote approaching 250k. If it's gone that high I would suspect it's because they really don't want anyone buying it. It may be more valuable to them as a proprietary tool for the professional services division.
As Greg says, EnCase EE is not $250K; more like $10K (in Euros I found a price of 4,800).
Here's a link that provides prices (I couldn't find the price of EE on the Guidance site?)
Perhaps someone from Guidance Software can provide a correct quote (I know they lurk in here, but never post).
On the subject of forensically examining a server, is there any sense in imaging a whole server with possibly terabytes of information? The length of time it will take will be ridiculous (I think we have discussed this before?).
Also, legally, where would you stand with all that collateral data intrusion? If you are specifically investigating a 'user' with an account/profile on a server, you can create an image of the user profile/folder using Access Data's FTK Imager (it's free too).
Yes, you will be accessing a live system, and there may well be an inference made at court that you could have altered the original data; however, if you keep a contemporaneous record of all you do, and a third party can follow this record, reaching the same conclusions, then all should be OK. Courts normally accept common sense decisions where it is justified (or at least UK courts do in my experience; well, most of the time).
I foresee problems in the near future with HDD capacities increasing to huge proportions (the magic pixie dust makers have strange new techniques), and requirements to image everything may prove extremely problematic and possibly cost prohibitive to most.
When it comes to live forensics there are many tools available and EnCase EE is but one. It all depends on what exactly you wish to achieve. If all you wish to do is keep an eye on user accounts then EE may be overkill. In any case EE is designed for forensically investigating an entire enterprise sized network.
Can you elaborate on what forensic work you need to do on the server, as I am quite interested in this topic.
Andy
teach,
Can you be more specific?
An image can be taken of the drive using dd (or, if you're using just Windows, dd.exe). The image can be analyzed using a variety of Linux-based tools (i.e., TCT, Autopsy, SleuthKit).
What specifically are you trying to do?
H. Carvey
"Windows Forensics and Incident Recovery"
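Added example, not from any of the posters: a small Python acquisition routine in the spirit of the dd approach above that hashes the source while copying, independently re-hashes the written image, and keeps the contemporaneous, timestamped record Andy describes so a third party can follow it; the paths, block size and sample "volume" are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
import time

def acquire(source, image, log_path, block_size=1024 * 1024, algorithm="sha256"):
    """Copy `source` (device node or file) to `image` block by block, like dd,
    hashing the bytes as they are read; then re-hash the written image and log
    every step with a UTC timestamp so a third party can repeat the record."""
    entries = []
    def note(event):
        entries.append({"utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                        "event": event})
    note(f"start: {source} -> {image}, block_size={block_size}, hash={algorithm}")
    h_src = hashlib.new(algorithm)
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            h_src.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    note(f"copied {copied} bytes, source {algorithm}={h_src.hexdigest()}")

    # Re-read the image from disk; a mismatch means it is not a faithful duplicate.
    h_img = hashlib.new(algorithm)
    with open(image, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h_img.update(block)
    verified = h_img.hexdigest() == h_src.hexdigest()
    note(f"image {algorithm}={h_img.hexdigest()}, verified={verified}")
    with open(log_path, "w") as f:
        json.dump(entries, f, indent=2)
    return {"bytes": copied, "source_hash": h_src.hexdigest(),
            "image_hash": h_img.hexdigest(), "verified": verified}

# Constructed 5147-byte sample "volume" standing in for a real drive or profile folder.
SAMPLE = b"constructed sample volume: " + bytes(range(256)) * 20

def demo():
    """Acquire the constructed sample with a small block size so several blocks are read."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.bin")
        with open(src, "wb") as f:
            f.write(SAMPLE)
        return acquire(src, os.path.join(d, "source.dd"),
                       os.path.join(d, "acquisition.json"), block_size=1024)
```

On a live server the source can change while it is being read, so the hash attests only to the bytes as they were acquired at that moment; the log is what lets a third party follow what was done and when.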
My understanding of EnCase EE is that it has a complex pricing structure. The details, as I remember them, were that the Servlets (the host-installed component) were free, but you then paid on a per-analysis-station basis, and then for the number of parallel threads (monitorings/captures) you wanted per analysis station.
I looked at it last year for a project and it can come out as very expensive, dependent on the number of hosts you predict you will need to monitor/capture.
Mark
I have been corrected. I have since found out that EnCase Enterprise Edition is approx $150K, whereas EnCase FIM (works on one target/remote machine) is priced at $10K. Both are impressive tools.
Andy
For imaging a live Windows server, you can always use: