07:44 01.11.2005 | Products and Tools

Review: Guidance merges incident response with forensics

The most recent release of EnCase Enterprise puts incident-response capabilities into the IT security manager's toolbox. In our Clear Choice Test we found that this combination of incident-response and forensic capabilities, not yet seen in competing products, lets EnCase Enterprise (for a pretty big price tag) help a network investigator establish relationships among open ports, open files, network connections, hidden files or processes, and malicious network activity.

Imagine that your network intrusion-detection system (IDS) generates an alert showing traffic to port 2222 on your Web server. Seconds later, the host-based IDS on that same machine generates an alert showing that the kernel has been modified. Now you have to get onto the box over a Secure Shell (SSH) connection (or traipse to the building where the box physically sits and use the console) and start nosing around to see what is going on.

With EnCase Enterprise, you receive the IDS alerts, swivel your chair to a different console and pull that same information, all transparent to a potential attacker who may be watching for a root logon at the console or over SSH. While there is a learning curve for complex forensic investigations, getting started with basic functions such as checking for open ports, running processes and suspicious files (plus any relationships among them) is quite easy.

There are three parts to the EnCase Enterprise system: the Secure Authentication for EnCase (SAFE), the Enterprise Examiner GUI front end and the Servlet agent software.

SAFE takes care of all authentication processes. Each user is assigned a profile in the SAFE that defines what resources he can access.

The Examiner GUI, EnCase Enterprise's bread and butter from a security analysis point of view, bears a striking resemblance to the interface of the more law enforcement-focused EnCase Forensic edition. Overall, the GUI lets you navigate easily between the parameters you've established and the detailed file, port and process information you'll need to investigate.

Lastly, Servlet agents run on the monitored boxes and communicate with the Examiner. The agent works at a low level in the operating system and gives the analyst access to detailed information about the host. The Servlet is completely reactive; it presents information to the Examiner only when queried. It has almost no effect on the host's performance unless an investigator is taking action.

A primary tenet of incident response built into EnCase Enterprise is the ability to remove from consideration, as fast as possible, the "known good," whether ports, files, processes, log entries or even registry entries. The faster an analyst can filter out what is known and focus on what is unknown, the shorter the investigation. In some enterprise environments, IDS alerts easily number in the tens of thousands each day, and in most cases at least a token investigation beyond the information the IDS itself provides is required to determine whether an event is a false positive or warrants further attention. The easier that decision is for the analyst, the more efficient the whole system becomes, and EnCase Enterprise provides the information an analyst needs to make it.
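To make the known-good filtering concrete, here is an added example that is not EnCase Enterprise code, not EnScript, and not part of the original review. It walks the article's own scenario: an IDS alert names TCP port 2222 on a Web server, a snapshot of the host's processes and sockets is pulled, everything that matches a known-good baseline is discarded, and what remains is reported together with its port-to-process relationships. The baseline, the process list and the socket table are all constructed for illustration, and the agent-style snapshot is modelled as plain Python data rather than pulled from a live host.

```python
"""Known-good filtering and port/process correlation for incident triage.

Added example for this review; it is not EnCase Enterprise code and does
not use the EnScript language. An IDS alert names a port on a host (2222
below, as in the article's scenario), a snapshot of the host's processes
and sockets is taken, everything matching a known-good baseline is
removed, and what is left is reported with its relationships
(port -> PID -> image). Every process, socket and baseline entry below is
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    image: str  # full path of the executable backing the process


@dataclass(frozen=True)
class Socket:
    proto: str
    local_port: int
    remote: str  # "host:port" for an established connection, "" for a listener
    pid: int     # owning process as reported by the host


# Constructed baseline for a Windows web server: images and listening
# ports the analyst has already vetted and wants filtered out.
KNOWN_GOOD_IMAGES: Set[str] = {
    "System",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\inetsrv\inetinfo.exe",
}
KNOWN_GOOD_LISTENERS: Set[Tuple[str, int]] = {
    ("tcp", 80), ("tcp", 443), ("tcp", 135), ("tcp", 445),
}

# Constructed snapshot taken at alert time. PID 2032 owns sockets but is
# absent from the process list, which is what a process-hiding rootkit
# would produce; svch0st.exe is a look-alike name in an odd directory.
PROCESSES: List[Process] = [
    Process(4, "System", "System"),
    Process(680, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Process(712, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    Process(1488, "inetinfo.exe", r"C:\WINDOWS\system32\inetsrv\inetinfo.exe"),
    Process(1960, "svch0st.exe", r"C:\WINDOWS\system32\drivers\svch0st.exe"),
]
SOCKETS: List[Socket] = [
    Socket("tcp", 80, "", 1488),
    Socket("tcp", 443, "", 1488),
    Socket("tcp", 135, "", 680),
    Socket("tcp", 445, "", 4),
    Socket("tcp", 2222, "", 2032),
    Socket("tcp", 2222, "203.0.113.7:51002", 2032),
]


def unknown_processes(procs: List[Process], good_images: Set[str]) -> List[Process]:
    """Processes whose backing image is not in the baseline."""
    return [p for p in procs if p.image not in good_images]


def unknown_listeners(socks: List[Socket], good_listeners: Set[Tuple[str, int]]) -> List[Socket]:
    """Listening sockets whose (protocol, port) is not in the baseline."""
    return [s for s in socks if s.remote == "" and (s.proto, s.local_port) not in good_listeners]


def orphan_pids(socks: List[Socket], procs: List[Process]) -> Set[int]:
    """PIDs that own sockets but do not appear in the process list.

    A socket cannot exist without a process, so any PID here means the
    process enumeration is missing an entry: a possible hidden process.
    """
    visible = {p.pid for p in procs}
    return {s.pid for s in socks} - visible


def triage(proto: str, port: int, procs: List[Process], socks: List[Socket],
           good_images: Set[str], good_listeners: Set[Tuple[str, int]]) -> Dict[str, object]:
    """Assemble what the analyst needs to call one alerted port a false positive or escalate it."""
    by_pid: Dict[int, Process] = {p.pid: p for p in procs}
    on_port = [s for s in socks if s.proto == proto and s.local_port == port]
    owner_pids = {s.pid for s in on_port}
    owners = [by_pid[pid] for pid in owner_pids if pid in by_pid]
    return {
        "port_in_use": bool(on_port),
        "owner_images": sorted(p.image for p in owners),
        "owner_known_good": bool(owners) and all(p.image in good_images for p in owners),
        "owner_hidden": bool(owner_pids - set(by_pid)),
        "remote_peers": sorted(s.remote for s in on_port if s.remote),
        "unknown_processes": [p.image for p in unknown_processes(procs, good_images)],
        "unknown_listeners": sorted((s.proto, s.local_port, s.pid)
                                    for s in unknown_listeners(socks, good_listeners)),
        "orphan_pids": sorted(orphan_pids(socks, procs)),
    }


if __name__ == "__main__":
    report = triage("tcp", 2222, PROCESSES, SOCKETS, KNOWN_GOOD_IMAGES, KNOWN_GOOD_LISTENERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed snapshot, the alerted port 2222 comes back as in use, with a live peer and with an owning PID that no visible process claims, while the only unknown image is the look-alike svch0st.exe; port 80, by contrast, resolves to a known-good owner and nothing hidden. The same two-step pattern (subtract the baseline, then correlate what is left) is what the review credits EnCase Enterprise with doing across ports, files, processes, log entries and registry entries.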

The three main mechanisms for sorting out the unknown information are Filters, EnScripts and Conditions. Guidance provides defaults for each, and the user can add more.

We found EnCase Enterprise's filters to be very basic, handling file permissions, deleted files and specific types of Web pages.

How we did it
The SAFE was installed on a dual-Xeon Dell Precision with 1GB of RAM running Windows Server 2003 Enterprise Edition. The Examiner was installed on a Pentium 4 Dell Dimension with 1GB of RAM running Windows XP Professional. The target machines examined were a mix of Windows 2000 Server, Windows XP Professional, Red Hat 9.0 and Fedora Core 3. All systems were connected via a Linksys 10/100Mbit/sec hub. Different aspects of EnCase Enterprise's incident-response functionality were exercised after installing rootkits (Hacker Defender and FU) and a command-and-control program (Optix) on the targets. Because EnCase Enterprise's functionality for detecting these types of tools is greatest on Windows, the majority of testing was done with Windows targets.

EnScript is a proprietary language that lets you build code for complex activities such as collecting data from the Servlet, initializing databases and setting up filter combinations. The EnScript that polls data from the Servlet is called Enterprise Sweep. By default it captures only port, file, process and physical system information, but the user can choose from approximately 25 optional data-collection modules. For example, in our tests we retrieved log files from Windows and Linux targets via the respective parser modules (the Linux SysLog Parser in the Linux case).

www.networkworld.com/