Saturday, April 1, 2017

Incident response and forensic tools: my fears

Since 2008, when we mastered EnCase Enterprise and its derivatives, it was our tool of choice for enterprise / system level forensic data collection. It was reliable and easy to use for data collection, with the ability to script "specific" tasks, and it was easy to hand the collected data to other tools for further work. It had its quirks and a not very helpful user interface, but it was much better than anything else on the market. Unfortunately, with version 7 things started to get worse, and now, over the last few months with version 8, we have continuous problems. It is not so much the tool itself as the licensing: getting extension certificates, the reliability of the licence manager, documentation, support response times, etc. The last change, from the SAFE/NAS configuration in v7 to SAFE for the enterprise and LM for distributed licensing, caused a surge of problems with customers. At the moment it almost looks like the situation when Cellebrite was hacked and its support database was compromised. Whatever the cause is, the conclusion is that even though the tool is functional, these licensing issues make it not reliable enough to be used in any real incident situation.

In a sterile lab environment, without time pressure, it is fine for forensic analysis, but for incident response in a compromised network it is simply not reliable enough, especially in the sense of a targeted attack like the recent SWIFT affair. Anything of that type with strategic implications is a situation where we can expect a well organised and prepared attack aiming at the weak points of the response chain. For such an attacker it will be relatively easy to attack the licensing and authentication mechanisms of the EnCase Enterprise tool to disable it, and through this render IR useless, or at least very slow.
There is an even more cunning, and paranoid, scenario: an attack on Guidance Software itself to damage its ability to maintain licences and certificates for its products. The current SMS extension scheme, now in action, with customers being forced to move from the "bad" v7 to the new v8, is an almost perfect opportunity for such an idea.
Having all this in mind, some alternative should be found. I have been working with several tools to see their features in such conditions, and still there is no silver bullet. The conclusion is to have a set of tools, which complicates things a lot, with the stress on the ability to detect early. A combination of GRR, open source at one end of the spectrum, and Fidelis Cybersecurity at the other looks like a good but complicated solution.