Author Archives: JSMATT

Hello world!

We’re excited to launch our own new blog format.  This gives us a chance to comment on new changes and developments we feel are important in the rapidly changing fields of computer forensics, discovery, and security.

EnCase Version 7 – OMG :( (a.k.a. WTH happened???)

Let me begin this post by saying that until V7, I have been a loyal user of EnCase, have enjoyed the excellent training supporting it, and built my business on their forensic product. You will not find anyone who has been a stronger proponent of the EnCase product than myself. Unfortunately, this is no longer the case.

EnCase Version 7 is the latest iteration of Guidance Software’s computer-forensic application. It features more new “things” than I will even attempt to inventory. It has so many new “things” that few, if any, of its legions of dedicated users are even using them or it. This is a result of a confluence of its new GUI, its drop-downs, modified/reduced mouse-clicking capabilities, and an overall failure to function/deliver. On almost every level, V7, as released, is the update no one wanted or could have anticipated when they bought their license. The pitch that it is new and improved managed to hit only one of those targets – it is new. That is “new” in not a good way, and the complaints against V7 are increasingly commonplace.

Perhaps one of the best analogies is the introduction of New Coke. Coke had millions of dedicated drinkers who loved their product. But, someone in their product-management area felt that Pepsi was making too many inroads. Likely, AccessData’s FTK is the Pepsi in the sights of Guidance. But, rather than introducing a new product that attacked Pepsi, while keeping their original Coke drinkers happy, they decided to replace the existing product. This is exactly what Guidance did with V7. In creating V7, they have managed to destroy most of the usability and functionality to which its users had become accustomed and around which they had designed their workflow.

We all know how this story ended with New Coke and there are many others, ones that may have more applicability to software (XP to Vista to Windows 7 comes to mind). Unless Guidance does something dramatic and quickly, they will be added to the product-launch stories taught in Business School of what not to do.

One element that Coke and EnCase have in common is that each decided to take a dedicated and loyal customer base and essentially put a stick in their collective eye. I do not have words to describe what I consider the colossal failure that each of these products represent.

That the dedicated user base is “hating” on EnCase V7 is an understatement. Short of reracking V7 to the look and usability of V6, I cannot imagine ever using it for a case. Worse still is the marketing hype that exists touting what a great new incarnation of EnCase that V7 is. The issues with what had been a great app in many regards are now so significant in V7 that the few neat things it can do are rendered of little to almost no value.

With Guidance Software now a publicly traded company, I cannot understand why they would risk alienating their existing customers with some marginal (at best) software that is to be their latest and greatest incarnation. Are the Wall Street analysts who track this company aware of how much risk exists with V7? I would love to have been on the earnings calls to hear what the EnCase folks were saying regarding V7. If they read and believe their own marketing, I can only imagine the rosy picture they are painting.

I believe someone is in for a very unpleasant surprise.

As a dedicated EnCase user, the state of V7 is a huge disappointment. When pitched, I had expected the incorporation of all the modules that had previously been sold separately, as well as various enhancements that were in the pipeline. I thought, “Wow, this is great; competition from FTK has brought some pricing pressure to the model used by Guidance in their EnCase product. V7 will provide some great enhanced functionality, while building on all the great things it already has.” Wrong.

Instead, the dev $ were spent redoing an application that the user community was very, very satisfied with until this latest version. And, instead of adding things like additional support for Mac OS etc., the dev $ were spent apparently rewriting the entire app. Features that thousands of users had used over the years and built their processes upon were suddenly gone. What, in God’s name, was the product manager thinking?

A collective “Are you kidding me?” was issued from the user community, stunned at the state of their beloved app. (truly – as I am one of them.)

Guidance has a BIG problem on their hands. They have dumped on their devoted user base in ways that, for a relatively small company in the grand scheme of things, are incomprehensible. I am guessing they understand this, though their communication with their user base fails to indicate this.

What Guidance seems to have lost sight of is that there are many companies in this market looking for openings against a wounded competitor. Word is spreading that EnCase V7 users are ripe for the conquest. V6 will continue to provide what I consider the robust capabilities it has earned. I will look to other products to replace EnCase going forward, once V6 is no longer supported, ones that contain the flexible, yet powerful, capabilities that had been present in the EnCase product until V7.

Time will tell how this story ends. EnCase is not the only game in town. I hope their C-Level folks understand the dire situation in which their V7 product stands. Also, (i) does the BOD have any idea how POed the EnCase user base is or (ii) do any of the analysts tracking Guidance know of this situation? This is a significant professional issue for the Guidance execs and now is the time to get your customers what they wanted, had expected, and ultimately deserved – or face the consequences of a very jilted (and most likely former) customer base.

I wish you all the best in resolving this.

The Cloud – Heaven or Hell? – Part 2

Yesterday’s blog opened my contrarian view on the Cloud. To be fair, there are instances where the Cloud makes sense. There are many different ways to participate in the computing continuum of the Cloud and many of them are heavenly. Perhaps you enjoy the freedom from Microsoft-Office via Google Apps or smile from the near effortless on-line backup services provided by the Cloud. But, once you look at the enterprise level and contemplate the full impact of the implications of a full embrace of what is being pitched, you may realize that Cloud nirvana is anything but.

Today, a company’s data is the king or queen of the corporate kingdom. The Cloud may “talk” a good story about corporate data, but the corresponding contractual “walk” is as ethereal as the wisps of a cirrus cloud. For all of its prospective luster, there are significant issues that buyers must be aware of to avoid an “eyes wide shut” disaster. These issues condense around two distinct risks. The first relates to litigation, specifically litigation-related preservation (a.k.a. the “litigation hold”), and the second to data-breach related issues.

The Litigation Hold

It is ultimately not surprising that the merits-of-the-Cloud discussions do not cover the “arcane” topic of a litigation-hold, i.e. the preservation of potentially case-relevant data. This topic is arcane because a litigation hold is on the mind of very few IT personnel, let alone those C-level folks who should care. Certainly any CIO or IT manager, one who has had a litigation-hold go badly, only wishes in retrospect that they had more foresight into the dangers of a poorly managed litigation hold.
To some, what a “litigation hold” means in a Cloud environment is anyone’s guess. In truth, there is no guessing – the entity providing the Cloud-based service will have no liability in a litigation hold. If you have any doubts, simply review the limits of liability in a Cloud-related contract. Do you think any 3rd party Cloud entity is going to accept the contractual responsibility of a litigation hold and its potential sanctions? You will be in a relative sea of flames in corporate purgatory should your contract reveal its shortcomings in a failed litigation-hold scenario.

The Data Breach

Just like the liability arising from a failed litigation hold, today’s Cloud providers are not in the position to represent or warrant against a data breach, let alone backstop the resulting liability. Let’s say you are a large health-care servicer, an entity handling hundreds of thousands of HIPAA records and these records are hosted by a Cloud provider. Who has ultimate responsibility if a breach occurs? More importantly, who backstops the full range of liabilities that arise from such a breach? I can more or less guarantee you that the Cloud provider will not be liable in such situations and your enterprise will be left holding the proverbial bag. Nothing says “career ending move” like being the signatory on a Cloud contract that costs the organization hundreds of thousands of dollars in data-breach penalties, turning the illusory heavenly Cloud experience into one from Dante’s inferno.
I am sure there will be some interesting case law on these various issues. I admire those who boldly venture into the Cloud, because it will be from their costly mistakes that the rest of us ultimately benefit.

The Cloud – Heaven or Hell? – Part 1

Cloud computing is the HOT topic in IT Webinars, articles, and especially marketing. Most of all that is written and pitched talks to the benefits of going to the Cloud, mostly in terms of reduced costs. These reduced costs take the form of less money for hardware, software and the arms and legs needed to support it. And, looking at it from many angles, these benefits do accrue from using the Cloud. From what is said about the Cloud, one would think that it holds the transcendent features of a heaven on earth, a place where all those using the Cloud are as free from IT-related burdens as some heavenly being, where computing is bliss and systems’ worry is for those mere mortals who have not yet been sufficiently enlightened to embrace the Cloud.

As you might gather, I hold a somewhat contrary view; seeing the collateral damage from a data breach or botched litigation hold instills a bit of paranoia into your professional perspective. Accordingly, the Cloud in some respects is truly HOT, but more in terms of the opposite of heaven. What is HOT, but clearly not marketed let alone discussed, is the liability that arises from embracing the Cloud. Put another way, the Cloud is HOT and you will be burned when your Cloud provider experiences a data breach or fails to start or maintain a litigation hold. Ultimately, you will get as much support from the Cloud in terms of backstopping this type of potentially costly liability as a PII or HIPAA-loaded hard drive gets from the vapor of a real cloud, as it falls through the sky and bursts to bits as it impacts the reality of terra firma.

The devil is always in the details, and with the Cloud this is no different. I will continue this topic in a follow-on blog tomorrow, delving more deeply into its flaws.

Spoliation, Hard-Drive Failure and Schrödinger’s Cat

As with any growing service, issues that were not even on one’s radar suddenly begin popping up in unpleasant ways.

Computer hardware, like any machine, is going to fail or otherwise become compromised in terms of functionality. Hard drives in storage, ones that worked perfectly well a year ago, decide to no longer even spin, even though stored in their laptop and it, in turn, stored in an antistatic bag with desiccants. On other occasions, laptops arrive, their drives imaged, and then fail to properly boot. Perhaps some memory went bad en route or some evil digital gremlin decided to ruin an otherwise normal acquisition.

In some ways, this is a bit like the paradox of Schrödinger’s Cat. Was the drive dead or alive; or was it both, in that it did successfully image, but then failed to boot once back in its resident computer? An amusing thought on one hand, but dreadfully serious when the non-booting PC belongs to the opposing party.

The bottom line is that you, the third-party provider, may be looking at a situation that implicates some form of spoliation at worst – the destruction of data. Less serious issues are the costs to bring a non-functioning device back on line (and seemingly always in a time-constrained fashion).
One change we are implementing, when the opportunity exists, to ensure we are starting to work on an uncompromised piece of hardware, is to have the user boot the PC first. Booting through to the login screen, not simply waiting for the splash screen, and then shutting down the machine is a needed confirmation. Obviously, this is neither appropriate nor needed in a criminal case where the “People” take the assets and have few if any worries about necessarily returning a functioning system. This is not the case with civil matters; if the “patient” dies in your lab, it is on your dime to bring that hardware back to a fully functioning state. And, this is only right; a client simply wants their machine back and working.

Other options could include adding contract language to keep the monkey off your back, should something “go south” during an otherwise proper acquisition. Or, perhaps receiving some type of affirmation from opposing counsel that the PC worked in their presence would add some comfort to the downside of receiving a DOA system. This will be an evolving issue and, hopefully, one that does not show an increasing frequency of occurrence.

Voom/Hard Copy II (2) and Hard Copy III (3) – Field Use Advisory

I have generally been a fan of Voom’s products for making computer forensic copies. We use them regularly in the office. I purchased a HC II when they first came out. I have used it successfully in the field and the lab and was always impressed by its speed.

This changed during an on-site acquisition a couple of years ago. I was imaging a tiny 10GB drive. About 3/4 of the way through, it hit some number of bad sectors. The HC II went into “Error Recovery” mode for about 10 minutes and it showed no sign of making progress. We waited over 30 minutes in total and still no progress appeared to have been made.

We had to stop the process and we relaunched the acquisition with a laptop-based, write-protect device.

I had queried Tech Support about having an expedited error mode for their product, but it was not something high on their priority list, given the soon to be released HC 3.

Reading great things about the HC 3 and understanding that it had a better (i.e. faster) error recovery process, we decided to pick one up.

This device has been great up until today. During a single drive acquisition, an 80GB Hitachi 2.5” SATA drive built in Nov. 2007, the HC 3 went into Error Correction la-la land, just like its predecessor, the HC II. Although it had started out at a speedy 3.5GB/min, this all changed when it apparently hit some bad sectors in the 11GB range.

The 20 or so minutes I waited for it to get beyond this bad patch was unacceptable, especially with the user waiting for their laptop to be returned to them.

So, I had to stop the process and I connected the drive to a laptop using a WiebeTech SATA write-block (which I highly recommend), using FTK Imager.

FTK Imager’s error handling is the way the HC should be set up. It sped through the rough patches that ground the HC 3 to an essential halt.

I will not buy another HC 3 and would not recommend it for field use until the folks at Voom include an error correction process that is the equivalent of that on the Logicube, FTK Imager, and the dd/dcfldd “conv=noerror,sync” methods. It is unacceptable today to be left waiting for what should be a very expeditious process due to some über-rigorous error correction.
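As an added illustration, not code from this blog, from Voom or from any of the imagers named above, the following Python simulates what the dd/dcfldd “conv=noerror,sync” behaviour means for the resulting image: a sector that still cannot be read after a small, bounded number of retries is zero-filled so every later byte keeps its original offset, the unreadable ranges are recorded for the acquisition notes, and the acquisition never stalls. The fake device, its bad sectors and the retry limit are constructed assumptions for the example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

SECTOR = 512  # bytes per sector; the unit dd/dcfldd pad with "sync"
ReadFn = Callable[[int, int], bytes]  # (offset, length) -> data, or raise OSError


def make_fake_device(payload: bytes, failures: Dict[int, int]) -> ReadFn:
    """Constructed stand-in for a drive. `failures` maps a sector index to how
    many reads of that sector raise OSError before one succeeds; use a huge
    count for a sector that is permanently unreadable."""
    remaining = dict(failures)

    def read(offset: int, length: int) -> bytes:
        sector = offset // SECTOR
        if remaining.get(sector, 0) > 0:
            remaining[sector] -= 1
            raise OSError(f"I/O error at sector {sector}")
        return payload[offset:offset + length]

    return read


def image_device(read: ReadFn, size: int,
                 max_retries: int = 2) -> Tuple[bytes, List[Tuple[int, int]], str]:
    """Image bytes [0, size) sector by sector with noerror,sync semantics.
    A sector still failing after `max_retries` extra attempts is zero-filled
    (sync) and the acquisition continues (noerror). Returns the image, the
    merged byte ranges that were padded, and the SHA-256 of the image."""
    image = bytearray()
    bad: List[Tuple[int, int]] = []
    offset = 0
    while offset < size:
        n = min(SECTOR, size - offset)
        data = None
        for _ in range(max_retries + 1):  # bounded retries: never spin forever
            try:
                data = read(offset, n)
                break
            except OSError:
                continue
        if data is None:  # retries exhausted: pad so later offsets stay intact
            data = b"\x00" * n
            if bad and bad[-1][1] == offset:  # extend a contiguous bad run
                bad[-1] = (bad[-1][0], offset + n)
            else:
                bad.append((offset, offset + n))
        image += data
        offset += n
    return bytes(image), bad, hashlib.sha256(image).hexdigest()
```

The recorded `bad` ranges are what belongs in the acquisition log alongside the hash, since a verifier re-imaging the same drive can only match the hash if the same sectors were padded the same way.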

I appreciate that the Voom folks have different types of clients to support. No doubt certain segments will want every last bit taken from a drive, regardless of the time it takes to do so. However, there is another segment who needs to get in and out from a client location in as little time as possible. If you add to this imaging in a “hostile” environment, this makes it even more imperative to not get bogged down, possibly to a very significant extent while your imaging efforts spin off into the ether as the HCs attempt to perform their error correction.

Until Voom addresses this issue, I do not believe they have a product that can be used with confidence to complete an acquisition in a timely manner.