Sunday, November 3, 2013

EnCase Enterprise v7 training and education

At the moment I'm involved in preparing training for the EnCase Enterprise product; the course is EnCase Enterprise Examinations for v7. The clients are not from an IT company but from the ministry of finance of one of the neighboring countries. It is a long, long project, delayed by budget problems, that is finally coming to a conclusion. The schedule was changed so many times that EnCase evolved from version 7.05 to 7.08.1, with all the new training changes, new software features and, of course, bugs. Key differences are the case processor on separate nodes and the non-safe servlet (FIM replacement). VMware products also have new versions, and sometimes there are compatibility issues.
Preparation is always a somewhat lengthy process, since I don't have a dedicated classroom or dedicated machines but multipurpose ones which have to be tailored for each training. EnCase v7 is very resource hungry; when we are talking about the Enterprise version, where the training includes a simulated network of several machines, the resource bill is extremely high. Since most trainings are on client premises, we use strong laptops with a lot of external disks to fulfill the role. Priorities are disks, RAM, CPU, network. For acceptable performance a quad-core i5 64-bit laptop with 16GB+ RAM and three SATA/eSATA disks is enough (an ExpressCard with two eSATA ports is extremely useful here, but on some machines, especially Dell, there can be problems). This configuration has enough power for the EnCase evidence processor and also gives you three or more disks to spread the load of the virtual machines. In theory training can be provided on customer machines, but in practice this fails because of configuration and system administration problems; the best way is to bring your own devices and configure them yourself.
As for the real EnCase Enterprise training, what is important to take into account is the versatility of EnCase Enterprise. Lance Mueller describes this in his paper, precisely defining the main areas of EnCase Enterprise usage. The current training is too condensed and gives you an intro into all capabilities, where actually the attendee should understand in advance how EE will be used in their work. In my experience this is too optimistic an approach, since attendees usually do not have much EnCase experience. Initially EE training was in two separate weeks, but later it was changed to one week with the idea of unifying the EE and Forensic products. Basically this proves to be a problem, since no one can force customers to take the Forensic courses as preparation for Enterprise (the problem is always the limitation of their budget), so we usually lack a good understanding of EnCase Forensic abilities. I always suggest to attendees without Forensic training that they at least look at the free v7 intro online training, but that is often not enough. The workaround is to extend the introduction and add tailored points in the aspects where they'll work. As we are here talking about a financial regulator, the stress should be on the e-discovery process, then on standard forensic investigation and at the end on incident response. Each of these tasks requires a different configuration and tools in EnCase, and also different user roles. Actually, very good material for discussion is on the International Competition Network site in the "Anti-Cartel Enforcement Manual". It puts all this into a defined process close to those the attendees have experience with. From that point we can discuss the ideas of e-discovery, which is an almost unknown idea in our part of Europe.
