Wednesday, March 11, 2009

The F-bomb

I'm in one of those moods this evening and I recently saw something that just makes me laugh and cry all at once. This is to be considered not safe for work as I'll probably let loose the F-bomb a few times.

I'm pointing the finger directly at Guidance Software and their classy representatives who see fit to trash their competition. Quid pro quo, Guidance.

To begin... Guidance is feeling the pressure of a small company breathing down their backs. This product is being mentioned left and right in Guidance's own forums. At one point, Guidance saw fit to blacklist all use of the name of the product. Is that fear? Afraid someone will catch on to your fleecing of the industry?


First they begin by insulting the rest of the industry by saying that this "inferior tool" appeals to novice investigators. As someone with many years of investigative experience I heartily disagree. Maybe your internal investigators should take a few more classes, because the last time I checked, you use your own "superior" tools internally and when asked to produce documents you are magically unable to. I'm fairly certain that even a "novice" could find those files. I'm also fairly certain that a novice knows they're not supposed to store customer credit card information.

How about this "inferior product" appeals to the rest of the world because it costs a fraction of what FIM and EE cost. More on that later. How about it appeals to the rest of the world because it works? How about it appeals to the rest of the world because it's simple? How about it appeals to the rest of the world because it meets our needs? A wise man once said "buy the cheapest product that meets your needs". Guess what Guidance, your products are too expensive. In these trying economic times, people don't have millions to invest in EE or tens of thousands to invest in FIM when this "inferior product" does just fine.


There are claims that this "inferior product" is not court validated. Well Guidance, what does that mean? Court validation is not something whereby someone waves a magic wand and stamps a product as "court validated". Validation comes through the process of presenting a case in front of a judge and withstanding scrutiny from the opposition. "Court validation" is merely a forensic buzzword just as is "forensically sound". DNA is court validated, is it questioned? You betcha! As are blood evidence and fingerprints. Guidance says "our products have been vetted through court and industry peer review". Is that why I see your customers bitching and moaning about how Encase (all flavors) keeps crashing on them? Let's discuss error rates, hmmmm? I don't recall seeing anything in Digital Investigation or other scientific journals showing industry peer review.

Acquiring data using a new transfer method. Guidance claims this "inferior product" uses an untested acquisition and transfer method. Guidance, are you saying that Encase acquisition is untested? I thought you said it was court validated? After all, your tool is what's being used to do the acquisition. Are you also saying that an industry standard protocol is untested for data acquisition and transfer? My god, stop the presses and contact all of your SAN manufacturers that use iSCSI. Your data is not to be trusted when crossing the wire using that protocol! I guess I better comment on those RFCs. Why, in their message, they even mention AccessData Enterprise as being unproven. Let's not leave anyone out here. Did Guidance forget all the issues they had with their agent? Apparently so.

They go on to mention that there are no granular permissions used by this "inferior tool". Tell me something, if I have the dongle and the dongle needs to be plugged in to my machine, and I set a username and password of my choosing, what more do I need?

No auditing. My god, stop the presses again. Windows stopped auditing events. This "inferior tool" provides no auditing. 1) That's easily fixed. 2) It's not required. The process is documented by the investigator. Don't you teach that in your own classes? Let's see... I have a read-only connection to a target. Better audit that. Oh wait, that's already done either by the operating system or the tool itself. And besides, do you mean to tell us that Encase doesn't provide an audit log of actions taken? Tsk tsk.

No end node processing. Uhm... do I care about this when all I need to do is acquire an image? Do I care about this when I need to examine an intrusion? That your product does this client side... how about impact analysis?

Limited Volatile Data capabilities. Uh-oh... here it comes... what are you talking about on this point? Do you even know? Volatility can't identify hidden processes or injected DLLs or better yet NIC information (what do you mean here anyway, that I can't determine what NIC is in the machine?)? I better let AAron Walters know! Better yet I better let Mandiant know that their product can't do these things. Finally they get to the point. Ahh... Snapshot can do all this and better yet it makes it easy! Not to mention that EE can dump the memory space for a single process! I can't do that with other tools? Guess I better stop doing it with Volatility. That capability can be yours through Guidance for $$$$$$$$$$$$$$$$$$$$$$$. Guess we're all screwed in the memory analysis field. Let's not mention that they're attacking a beta product. Is that fear I smell again?

No Solaris, Mac, Linux, AIX, Novell. Hey I have an idea, why not throw in Plan 9 while you're at it? Newsflash! It supports Mac and Linux. I should know... I did an awful lot of testing on both. Guess that takes care of about 95% of the market. Time to check those sources before you start a smear campaign.

No encryption during transfer. This is true, but let me say right off that IPsec is built into Windows and works just fine.

No compression. I've acquired terabytes and never had an issue caused by lack of compression. Try again.

64-bit examiners. This entire section is based on supposition. Using terms such as (un)likely and "not yet developed" is something that should never be said. Are you on the development team? Are you in the private meetings? If you have no facts to back up your claim, keep your mouth shut.

Limited Stealth capabilities. Guidance can install a better trojan. There's a point in your favor. Hold on to that for dear life. Why not use that in your marketing?

Invasive compared to servlet. The "inferior tool" is not passive. That's right, it doesn't sit there disabled until I want to enable it. They say it requires copying it to the end node. Guess I better shred my CDs that I run it from, and better burn my USB keys that I run it from too. They say it disturbs the endpoint more than the servlet which uses about 1MB of space. Oh I get it, it overwrites disk space. Now we're talking bits and bytes consumed by agents. Here's a hint, check your facts. This "inferior tool" uses less space than your agent. In addition, if any agent is part of a standard build process then it doesn't alter anything. Deploying an agent in a triage situation is what's called "acceptable", just like inserting an IV is acceptable if the patient needs it.


Agent deployment is manual and doesn't scale. Newsflash! Check out the videos. Management of the agent is manual they say... but it's installed as a service on a remote system. Stop the presses! Microsoft has no way of managing services remotely. Better get Redmond on the phone!

A user can not ask the service to perform a task and receive feedback. Hmmm let's see. I tell a service to start and open a connection. Did it connect? I'd call that feedback.

No throttling of the service. No service management in Windows? Encase can set low, medium and high priorities for processes? I can't say I understand the point they're trying to make with this argument.

Ah yes... the enterprise sweep EnScript. Psst... let me clue you in... who says I need your script to search my own mapped drives? Guess a for loop stopped being useful. And another powerful utility is the database snapshot utility! Pssst... guess what... I can have a look at the database using native tools.


And now we get to my favorite part. Money. Encase FIM costs approximately what? $15k to start?

What can I get with $15k?
AccessData FTK or X-Ways
Two Cisco ASAs
The "inferior tool"

and I've still got $5k. I can ship an ASA to a client, preconfigured to create a tunnel back to my shop and voila, encryption solved. Not to mention I've got $5k in my pocket. With that extra $5k, I can even deploy a dedicated system in the remote location.

Now let's discuss Encase Enterprise. Average cost of an Encase Enterprise deployment? Well over the 6 figure mark just to start! A real deployment is in the millions. There are a few corporations that will spend this kind of money. If that's what they need, then so be it. They've got the budget for it. For the rest of the world, there's no way anyone is going to buy it. I refer to the wise man for this. "Buy the cheapest that meets your needs". So I think to myself, what can I buy for $250,000? I can buy myself an awful lot of hardware that provides all the infrastructure needed. I can even purchase dedicated lines to those "important clients". I can buy an entire development team to build me a product. Point is I can build a bigger, better, more robust forensic capability by NOT using your product for the same amount of money, or less. And that's a low end Encase Enterprise deployment.

A few litigious words come to mind after reading the message from Guidance but that's not for me to worry about. What concerns me most is that this message is from the "world leader in digital investigations". Time to change that slogan to "The biggest douche bags in the forensics industry"™. Honestly, is this who we want representing the industry? Is this the kind of stuff that should be tolerated? I don't mind and in fact I fully support an honest competition, but when you start this game, it's bad for everyone. This is an outright smear campaign by Guidance and there are too many false statements to count. Unfortunately, given the history of Guidance, I'm somehow not surprised. I am, like I said in the beginning, amused by this as well. Guidance is actually showing fear. Only those who are afraid lash out. Guidance has lashed out at a number of vendors in the industry with this message. It's truly sad when they have to resort to this.


Harlan has picked up on this story as well.

5 comments:

Jim said...

Great post. Very spot on, F-Response is a great product.

Anonymous said...

Yeah, I guess the sales of the EnCase Enterprise product have fallen dramatically after F-Response has come out :) But Matthew can continue to count on my support! F-Response is tremendous value for the money.

du212 said...

Are you a registered EnCase customer? I am, and have yet to see this "letter"... So as I posted to Harlan in jest but perhaps more seriously, maybe the letter is a targeted campaign which went out to known customers who have publicly extolled F-Response?

hogfly said...

du212,
We do maintain an Encase license. It may have been targeted at a subset of customers, though it's fair to say their message is irresponsible and makes Guidance Software liable for the contents.

hogfly said...

Anonymous,
EE sales have fallen because they can't move their product. Re-licensing fees alone are nearly 6 figures. That's a pretty hefty sum for anyone in this economic climate.