- Evidence Processor Performance
- Support for Text Indexing in Slack and Unallocated Space
- Compressed review of Search hits
- Additional Artifacts including attached USB devices and mounted network shares
Although processing 2 – 3 times faster than v7.02 is certainly solid progress, we were also interested in how v7.03 compared to other products. Using a system identical to our recommended computer system, we ran several different data sets through EnCase v7.03 and through the new release of a competitor’s product. As you can see from the below table, in addition to being 2 – 3 times faster than Version 7.02, EnCase v7.03 also performed at least 2 times faster than the competitor’s product.
| Test Set | Entries | Device Size (GB) | EnCase Processing Time (hh:mm) | EnCase Items indexed | EnCase EvCache size (GB) | Competitor's Processing time (hh:mm) | Competitor's Items indexed | Competitor's EvCache size (GB) |
|---|---|---|---|---|---|---|---|---|
| Test Ev 1 | 10,731 | 232.83 | 01:41 | 31,189 | 3.82 | 4:22 | 28,121 | 6.85 |
| Test Ev 2 | 110,069 | 232.83 | 02:52 | 423,741 | 16.9 | 77:57 | 420,450 | 20.5 |
| Test Ev 3 | 761,775 | 298.09 | 15:12 | 1,005,015 | 27.2 | 29:17 | 909,448 | 53 |
In order to make the comparison as “apples-to-apples” as possible, we used the two products with the same settings (if available), as follows:
| Settings | EnCase | Competitor's Product |
|---|---|---|
| **Base Modules** | | |
| Recover Folders | Enabled | Enabled |
| File sig | Enabled | Enabled |
| Protected file analysis | Enabled | No option |
| Thumbnail creation | Enabled | Enabled |
| Hash analysis | MD5, SHA1 | MD5, SHA1 |
| Compound files processing | Enabled | Enabled |
| Find email | Enabled | Enabled |
| Find internet artifacts | Enabled (no Unallocated) | IE Only |
| Indexing | Slack\Unallocated Clusters enabled; Min word length: 3; Max word length: 64; East Asian support enabled | Unallocated Clusters on; Max word length of 64; No East Asian script support; "Index All" |
| **Additional Modules** | | |
| System Info Parser | Enabled; default settings | n/a |
| IM Parser | Enabled; default settings | Yahoo only (via data carver) |
| File Carver | Enabled; default settings | n/a |
| Win Event Logs | Enabled; default settings | evt, evtx only |
| Win Artifact Parser | Enabled; default settings | Link files only |
| Unix Login | Enabled; default settings | n/a |
| Linux Syslog parser | Enabled; default settings | n/a |
We always encourage and welcome testing. If you conduct your own tests and are able to share the results, we would love to hear from you. No two evidence files are exactly alike, and there may be additional enhancements we can make based on certain types of data that we may not have in our test sets.
Although we are encouraged by the improvements that we have made, we are continuing to look at ways to make the critical step of evidence processing faster, while giving examiners access to even more data. We know that with the new caching that was instituted in Version 7 (in order to alleviate memory constraints), I/O speeds are an important limiting factor, as a lot more data is written to disk and read in when needed. This new caching approach enables EnCase to scale almost infinitely, but we will continue to optimize file storage and hardware configuration so that EnCase maximizes the I/O and is not constrained by one or two data channels. This will enable EnCase to utilize system memory and processors more efficiently, instead of having the processors wait to read/write data. This will continue to be a priority for EnCase v7.04, as we continue to make improvements that are the most meaningful to our users.
As all of you know, in addition to the evidence processor, Version 7 also included significant changes to the user interface. The UI had not drastically changed since Version 1, and based on a lot of customer feedback, we knew it was time to overhaul it. We talked to many users about what they wanted in a new UI and how they used the program in their daily work. We then came up with a design that we believed met the majority of the requirements expressed by users, and did so in a manner that would allow both less experienced and longtime users to operate it efficiently.
Although we talked to many users and obtained feedback on prototypes, we realize that we did not account for certain common workflows used by investigators. We know that a few of the changes (especially how compound files are mounted, tagging vs. blue checks and reviewing search hits) have been difficult for longtime users to get used to, but these changes were necessary to allow for the speed, flexibility and scalability that you require. Even so, we realize that if you can’t get your work done, all the speed, flexibility and scalability in the world won’t make a difference. We have listened to your feedback and are adding features like these in the next few months that will enable more varied workflows:
- Hyperlinking to exported files in reports
- Adding more fields into reports, including options that were available in v6
- Ability to refresh search results during processing
- Allow users to do operations like copy/unerase, export and bookmark based on a tag
In conclusion, I want to let all of you know that we have been listening to your concerns and suggestions about the software and we have been working hard, making changes to give you the tool that you want and need. We will continue to listen, continue to make improvements, and continue to innovate, as we work to meet the needs of our user base that has worked with us for many years to improve the tools available to investigators.
Ken Basore
Vice President, Research & Development
Guidance Software, Inc.