Encase forensic software arrives in the local market

Vendor launches product for policy enforcement after it sees an opportunity for its forensics software in the Middle East region.

By Anna Karhammar, published January 29, 2004

[Photo: INCIDENT RESPONSE TEAM: Guidance's Hatzesberger and Culley hope to highlight the role computer forensics plays in the enforcement of local and regional policy and procedural guidelines.]

Dubai-based company ScanIT has three years' experience in penetration testing of company infrastructures and is the official distributor for EnCase software, services and training in the Middle East. ScanIT has been working with EnCase in Europe for some time and saw an opportunity for the forensics software in the region.

Guidance's EnCase software is a security and risk management solution encompassing enterprise-wide response, forensic analysis and discovery capabilities, and it is particularly suited to spanning networks for investigations ranging from a single server to enterprise-wide discovery. The software can thus be used as a risk management tool, gathering evidence to corroborate or support a particular allegation before action is taken. The solution could be particularly relevant for the enforcement of policy and procedural guidelines.

"Through EnCase you can see what is happening without having to remove the machine first, as is normally the case. This is good for mission critical servers, for example. If there's a law enforcement warrant, it usually means powering down and seizing the machine, but this way they can get an image of the machine without taking it offline, and can investigate it," explains Adrian Culley, regional manager, Guidance Software EMEA.

The financial industry could especially benefit from the software's properties, as regulation and control of its security policies is so important. While many companies have this control, they often have no clear path to implementing and enforcing policy. A practical example is where trading offices have identified instances of insider trading on the same day as the accusations; the evidence can thus be found in a matter of hours.

The software draws on Dr Locard's research into criminal forensics and on the 'Locard Exchange Principle': it recovers traces of information and is able to identify the cyber-scene of a crime remotely. Global companies are starting to use it more, as remote identification is possible in a discreet yet solid manner. The forensic contents of live RAM are viewable, a previously unattainable task. Called 'Snapshot', this feature enables a rapid response to a triggered alert by allowing the investigator to go directly to a machine via a timeline view.

"Hackers or cases of industrial espionage could be identified very quickly, or instances of inappropriate web surfing where an employee would have no knowledge that the machine was being checked," says Manfred Hatzesberger, enterprise business manager, Guidance.

The technology works at the level of bit streams of binary code, so it does not matter which format the data is in. It can recover data from IP and e-mail addresses, and even USB memory sticks, because it traces any copies that have been made to any media or file format. It can also recover the ports on the layer below IP addresses, or a remote user's port. Essentially, communication over any network can be traced, be it Ethernet, wireless or even Bluetooth.

"It is reading static data though, so it's not 'sniffing'. The speed comes from the programming algorithm, which is cryptographically secure. Once on the network, you can't subvert it, as the installation is unique," Culley explains. "Now the US and Europe are moving into the world of forensics more and more, it is really kicking off now. It is mostly coming from the government and police departments, where the EnCase software allows the cyber-scene of the crime to be identified, revealing what is, what was and what is hidden," he adds.
