Typically you think about using forensics software after a break-in occurs, to find out what damage was done and hopefully catch the culprit. While that's certainly useful, Guidance Software thinks forensics tools can also be used in a proactive mode, to catch surreptitious activity before it results in real damage.

Guidance next month will deliver EnCase Enterprise Edition (EEE), a new version of its EnCase forensics software that can now be used to examine remote computers over a network, including the Internet. That capability enables EEE to be used in a more proactive mode, to examine internal resources and detect the existence of software and documents that internal users shouldn't have, such as hacker tools and sensitive files.

EEE also allows for the performance of traditional forensic examinations following an attack or internal incident, to discover the extent of the damage, potential corrective actions and when it's safe to resume operations. But now users can perform such examinations remotely, instead of having to be at the physical computer under examination.


Guidance was founded in 1997 at a time when most companies thought of forensic tools as complicated beasts to be used only by specially trained consultants and other experts.

"We've got the totally opposite view," says Bob Sheldon, senior vice president and co-founder of the firm, based in Pasadena, Calif. "We're trying to show that it's not black magic. People really can do it in-house."

EEE, like its EnCase predecessor, is a Windows-based tool that is intended to be used not just in response to an event, but to audit internal systems on a routine basis. Users can create scripts that detect specified problems, such as the existence of unauthorized applications and prohibited files, including pornography and sensitive, digitally signed documents. In that fashion, users can detect when an employee who is leaving the company moves or copies sensitive documents and take pre-emptive action.

EEE consists of three components. The SAFE Server is a physically and logically secured server that authenticates all users and controls access, such that only authorized EEE users can view audit results. Node Servlet code runs on each network workstation and server while the EnCaseNET Enterprise Client is the administrative interface. Administrative functions can be distributed to users with varying levels of access, enabling one administrator to take an image of a system but not review the audit results, for example.

All communications between the three components are encrypted using the 128-bit Advanced Encryption Standard (AES).

EEE costs $35,000 to cover 100 workstations or servers.