Government agencies and enterprises alike invest heavily in network security by implementing the appropriate processes, hiring appropriately trained staff, and procuring the appropriate technology. Despite all this, they all quietly admit that they expect to suffer network breaches in the face of continued cyber attacks. So what else can they do to protect their organizations?

According to Joshua Knust, Cyber Threat Specialist, Office of The Director, National Institutes of Health, to really mount a successful network defense requires another step – placing the effort to understand your adversary.

Knust spoke at Guidance Software’s Federal Summit held in Arlington, VA earlier this month. The theme of the one-day thought-leadership event was “a focus on data visibility,” and it brought together top federal agency officials in charge of cyber security, e-discovery and digital investigations to discuss how they locate, manage and secure data in order to ensure compliance, reduce risk and secure organization assets.

Knust argued that the primary object of daily security operations should be to gather actionable information on attackers based on previous breaches and to use such information to help focus the security resources on the most valuable and highly targeted problem areas.

One way to attempt to understand the mind of the attacker is to identify, with the help of incident response technology, the types of files that were targeted or stolen, as such information may provide insights into the motives of the attacker.  Incident response and forensic investigations technology provide another way to learn more about the adversary’s motives through tracking the virtual path the attacker took across different network assets and correlating such information against previous breaches.

However, despite all the intelligence security staff can gather about the attackers’ motives, Knust offered one key warning: security starts with an organization’s employees, and as long they fall victims of phishing attacks, breaches will continue to be a major issue. Thus, empowering employees through frequent and rigorous education on how to detect such phishing attacks plays a very important role to that organization’s defense against cyber attackers.

Knust summarized by saying that creating a well thought out plan, implementing innovative security measures, and understanding how adversaries think provide a good combination of proactive defenses against network attacks. While not all intrusions can be prevented, cyber response and digital investigations technology provide critical insights into how the adversary works so that future attacks can be effectively repulsed.

While many pundits are demanding that VeriSign come forward with more information about their breach, few seem to consider that there’s maybe not much more the company can say with confidence.  

It’s tough to turn to a technology publication and not see an editorial condemning domain name registrar and IT security services firm VeriSign for not being as forthcoming and not releasing enough information about the breach that they endured in 2010.

In case you’re not yet familiar with the incident, Reuters has a thorough write-up available.

According to what has been published in news reports and government filings, the attacks became public in a U.S. Securities and Exchange Commission (SEC) filing in October 2011. VeriSign made the disclosure as is required by the (relatively) new SEC guidances on reporting potentially materially relevant cyber security breaches to investors. We covered the SEC guidelines in-depth in our post SEC Cybersecurity Guidelines -- What You Should Know:

According to the SEC in issuing the guidelines, "[w]e have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption." And while the guidelines do not make it a legal requirement for organizations to disclose data breach issues, the guidelines lay the groundwork for shareholders suits based on failure to disclose such attacks.

In Govinfosecurity.com’s post, Executive Editor Eric Chabrow (like many other bloggers, journalists, and columnists have since the disclosure) demands that VerSign reveal more information about their breach. To date, VeriSign has acknowledged that there had been potential breakdowns in communications on the nature of the breach from their IT team up to management. And VeriSign has made very public statements that the company does not believe that the Domain Name System (DNS) - the system that resolves actual internet addresses to the domain names we use - wasn’t comprised. Had it been comprised, the impact could had of been significant: criminals could potentially make a malicious web sites look like they are resolving to their legitimate location.

Also according to SEC filings, VeriSign’s IT security team quickly learned of the attack, and put new security defenses in place to stop potential future attacks. However, according to the SEC statement, those 2010 incidents were not reported to management until September 2011. Since then, the company says it has improved its reporting procedures to management.

In the Reuters story cited above, former VeriSign Chief Technology Officer Ken Silva’s speculation is most likely on mark and that VeriSign “probably can't draw an accurate assessment" of the extent of the breach. Welcome to the foggy reality of most breaches today and incident response plans in place today.

The fact is that most organizations - from the small and mid-sized business to the largest most complex enterprise - don’t have a detailed and accurate enough view of the state of their infrastructure to be able to access the true impact of a breach with confidence. Perhaps the breach was much broader than they fear, or perhaps the breach was contained and security defenses succeeded at thwarting an attack before it grew serious.

This is why EnCase® Cybersecurity offers enterprises a way to rapidly identify infected systems. It provides a way for IT teams to create “profiles” of approved and trusted configurations for various systems on the network. Then, against these trusted images the infrastructure can be scanned for endpoints that deviate from the baseline. Anything that deviates from the code can be investigated. If deemed safe, the configuration can be added to the list of trusted profiles.

Most important: if there is something malicious, it can be contained. Just as important: if nothing malicious happened, there’s no reason to report. And that decision will be based on factual evidence that the organization can confidently stand behind.

Today, organizations need to focus as much on response as they do prevention. Because, eventually, defensive strategies are bypassed and then it comes down to the speed of your response and your ability to identify exactly what data and systems may had of been breached.

And until more organizations get those capabilities in place, expect many more vague SEC filings to follow in the future.

There’s one time in an employee’s tenure at a government agency – or a company – when management knows exactly what’s on their company issued device(s).  That’s their first day of work.

After that, having visibility into these endpoints is difficult and this lack of knowledge can raise problems in an era when computer networks are facing unprecedented attacks by hackers looking for unprotected secrets.  Lack of data visibility can also cause business problems in the event that the employee is somehow party to a lawsuit or internal investigation and the agency needs digital evidence from that person’s endpoints.

That was the message from the morning keynote address at the Guidance Software Federal Summit, a one-day thought leadership event focused on e-discovery, internal investigation and cyber security held in Arlington, VA, on Feb. 10, 2012.

The theme of the event was “a focus on data visibility,” and leading the welcome address were Victor Limongelli, President and CEO of Guidance Software and Matthew L. McCormack, Chief, Office of Cyber Security, Defense Intelligence Agency (DIA).

Victor set the stage by introducing the problem and defining its scope.  Today the average worker may have nearly 20 GBs of data and is starting to use their personal smartphones, tablets and cloud storage services for company data, meaning there are more places where data might be stored.  The PC is not going away – 400 million of them will be sold in 2012 – so that means these new devices are adding to the problem.

“Lack of data visibility is a situation that everyone deals with.  There are different tools that help, but agencies need those tools to work together to solve the challenge.  The cloud is a good example, it makes the perimeter of your network security very fuzzy and means the tool you use on your premises must also extend to the cloud or integrate with those that do,” Limongelli said.

As an example, he noted the recent announcement of EnCase® eDiscovery’s product upgrade that included expanded support for collecting digital evidence from cloud data sources.

Limongelli then introduced Matthew McCormack of the DIA who said the job for federal cyber security teams is growing more difficult because the traditional need to keep out the bad guy and to keep an eye on the insiders is now complicated by the need to establish a secure network perimeter.

McCormack said the current budget situation makes bring your own device (BYOD) policies very appealing, which is making perimeter security more porous.  “How on earth do I as the security guy secure your personal iPhone?  The answer right now is ‘I don’t know.’”

The first challenge going forward is defining the endpoint – what is the hardware, operating system, and applications that can be accommodated – because without that agencies can’t set up a security infrastructure.  Even with a great definition, there are just some protection technologies that are just not there yet. And, of course, having budget to secure these devices is always a consideration.

McCormack predicts that the problem will continue to grow as college grads enter the workforce and bring the desire to collaborate remotely with colleagues. This pits the working style of a new generation against federal agencies that are used to working in a much more restrictive workstyle.  He predicts that many agencies will have to try new things and take some risks because even as this culture change is underway, the security risks are continuing to grow.

The process starts by first admitting that this is a problem and secondly by getting a handle on the end points in your agency.  Once, these are in place, agency security teams can start thinking creatively about the solutions.

With acquisition Guidance will extend market leadership with complete e-discovery solution 

PASADENA, California. – Feb 7, 2012 – Guidance Software, Inc. (NASDAQ: GUID) today announced it has signed a definitive agreement to acquire privately-held CaseCentral, Inc., a leader in the electronic discovery (e-discovery) market for Cloud-based review and production software.

Click to Tweet: @EnCase to acquire @CaseCentral - brings together leading #ediscovery, #cloud solutions http:/bit.ly/encasecentral.

“The acquisition of CaseCentral will bring together the industry leaders for both on-premise and Cloud-based e-discovery software. We will deliver the best of both worlds to customers by offering the most complete, integrated and innovative software in the e-discovery market,” said Victor Limongelli, president and chief executive officer of Guidance Software. “The combined organization will be the largest pure-play e-discovery software company, with nearly 500 total employees, and thousands of users.”

This acquisition will extend Guidance Software’s market leadership by delivering a complete e-discovery platform addressing the e-discovery needs of corporations and government agencies. The combined product portfolio will deliver to customers increased efficiency and automation, as well as lower risk for e-discovery activities. The integrated solution will span from legal hold to identification, collection, preservation, processing, first pass review, and, now with CaseCentral’s market leading software-as-a-service (SaaS) offering, best-in-class early case assessment (ECA), review and production capabilities.

The combined offering deploys software intelligently, with EnCase eDiscovery delivering the legal hold, identification, collection, preservation, and processing functions on-premise, at the customer site – close to the sources of data and the data custodians – and CaseCentral delivering the ECA, review and production functions as SaaS in the Cloud, so that geographically dispersed inside and outside counsel  can efficiently review collected documents without needing any special equipment or software other than a web browser and internet connectivity.

The integration of EnCase eDiscovery with CaseCentral will quickly provide additional value to customers, scaling from support for single-case requirements to multi-case, multi-party requirements. Further, the unique EnCase eDiscovery Collected Data Reuse capabilities, coupled with the unique CaseCentral centralized, multi-matter legal repository provide immediate benefit to customers by automating searches, reducing over-collection of ESI, lowering spoliation risk, re-using attorney work product where appropriate, and avoiding inadvertent production of confidential or privileged client data. See http://www.encase.com/only-with-encase.htm for more information on Collected Data Reuse and http://www.casecentral.com/enterprise.php for more information on multi-matter capabilities. These capabilities, among others, help customers to standardize e-discovery processes and drive down the risk, time and cost of e-discovery.

“CaseCentral has pioneered many significant e-discovery industry developments, including the delivery of e-discovery software via the Cloud and a centralized legal repository with multi-matter, multi-party and re-use capability,” said Chris Kruse, founder, president and chief executive officer of CaseCentral.  “We are excited about joining forces with Guidance Software, as we will be well positioned to capitalize on the market’s tremendous potential and define the next generation of e-discovery solutions, benefitting both Guidance and CaseCentral customers, partners and employees.”

Under the terms of the agreement, Guidance Software will acquire CaseCentral for upfront consideration of approximately $17.1 million, consisting of $8.3 million in cash, $8.3 million in Guidance Software common stock, and the assumption of $0.5 million of debt, net of cash. Depending on CaseCentral’s SaaS revenue growth, Guidance Software may pay up to an additional $33 million in cash over the next three years. The transaction is subject to customary closing conditions and is expected to close during the first quarter of 2012. Guidance Software expects the transaction to add approximately $10 million in SaaS revenue in 2012, and to be slightly dilutive to slightly accretive to 2012 non-GAAP EPS and accretive to 2013 non-GAAP EPS.

Atlas Technology Group acted as financial advisor to Guidance Software in this transaction.  

Conference Call Information: 

The company will host a conference call today at 2:00 p.m. pacific time, 5:00 p.m. eastern time to discuss its quarterly results and this acquisition.  Participants should call (877) 303-9850 (North America) or (408) 427-3732 (International) and should dial in at least 5 minutes prior to the conference call.

A webcast and replay of the call may also be found on the Internet through Guidance Software's Investor Relations website at http://investors.guidancesoftware.com/events.cfm. Registered users may access this content over the Internet, and there is no cost to register. If you have not already registered, please do so at least 15 minutes prior to the start of the conference call.

An audio-only replay of the call will be available by calling (404) 537-3406, passcode 41017140, available from 8:00 pm eastern time, February 7, 2012, through midnight eastern time, February 14, 2012.

About Guidance Software 

Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase® platform, with more than 40,000 licenses distributed worldwide, provides the foundation for government, corporate and law enforcement organizations to conduct thorough, network-enabled, and court-validated computer investigations of any kind, such as responding to e-discovery requests, conducting internal investigations, responding to regulatory inquiries or performing data and compliance auditing - all while maintaining the integrity of the data. The EnCase® Enterprise platform is used by numerous Federal Civilian and Defense agencies, more than half of the Fortune 100, and thousands attend Guidance Software's renowned training programs annually. For more information about Guidance Software, visit www.guidancesoftware.com.

EnCase®, EnScript®, FastBloc®, EnCE®, Guidance Software™ and Tableau™ are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission.

Your organization needs to be ready for a digital investigation to start at any moment. Maybe it’s a partner contacting you because they’ve noticed suspicious traffic coming from one of your servers, or your HR team has received a complaint about an employee. Maybe an investigation ticket has just been opened as the result of an internal whistleblower. Perhaps a watchdog complaint has been filed.

Regardless of the issue, time is of the essence. This is especially true when intentional wrongdoing is underway – it’s amazing how many computers are “lost” or “stolen” right around internal investigation time.

The longer it takes an organization to investigate any given incident - as evidence is overwritten and destroyed or damage escalates - the greater the chances for increased risk and repercussions to the organization. In response to this, digital regulations not only outline the trigger events of a digital investigation, but also specify that the investigation must be initiated soon. Consider Sarbanes Oxley 301(4) or PCI DSS section A.1.4, both of which specifically state an investigation must be carried out “promptly” in the case of SOX and “timely” according to PCI DSS.

Particularly in the case of an incident investigation, measured cost savings can be realized for an organization that can facilitate a rapid investigation in response to a suspected breach.

Ponemon’s 2011 Cost of Cyber Crime study found that a prompt response can minimize the cost of cyber attacks, which often result in data breaches or a disruption of operations. According to the report:

Results show a positive relationship between the time to contain an attack and organizational cost. The average time to resolve a cyber attack is 18 days, with an average cost to participating organizations of $415,748 over this 18 day period. This represents a 67 percent increase from last year’s estimated average cost of $247,744, which is compiled for a 14 day period. Results show that malicious insider attacks can take more than 45 days on average to contain.”

The investigation stage of incident response is critical to ensure the entire scope of a suspected breach is realized in order to confidently contain the threat. In order to cut costs and minimize risk, that initial investigation needs to be fast and comprehensive. Additionally, in the case of suspected insider involvement, investigators often don’t want to tip the subject off that an investigation is underway. Investigations must be clandestine as well.

EnCase Enterprise enables fast, remote, covert corporate investigations. With EnCase, a tiny, passive software agent can be placed on each system, either in advance or during the first stage of an investigation. Investigators can then access the agent and analyze the system over the network. This subtle exploration provides both speed and privacy. Time is saved because investigators don't need to be dispatched to a physical location. By enabling this over-the-network analysis, EnCase provides prompt and covert investigatory capability.

A percentage of accusations will always be completely baseless; some accusations will be vague, and in the case of a suspected breach, the initial information available will be limited. EnCase excels at helping investigators during the early, ambiguous phase of their cases.

The “First Look” option within EnCase enables IT investigators to preview a suspected system to see if there is any substance to an accusation or validity to a security alert, without revealing any visible indication that an investigation is underway. If - or when - an investigator determines that a deeper investigation is merited, the same infrastructure enables an analysis of the system software, memory, and data. The investigator, guided by internal policies, might choose to take additional actions depending on what is uncovered.

As the number of investigations increases - along with the number of industry and government regulations - swift, comprehensive, and accurate triage will help investigators to more wisely allocate expertise and personnel for maximum impact. This intelligent use of resources is your “force multiplier.” It makes it possible for centralized resources (both investigators and auditors) to perform more investigations, more quickly, without the expense and delay of travel. Local “hands- on” work can be restricted or avoided altogether, without compromising the quality of the investigation or the authenticity of the evidence.

So while the number and complexity of investigations may be on the rise, thankfully there is technology available that will not only enable investigators to keep up, but excel at doing so. If you are interested to learn more about what to consider when implementing an investigative framework for compliance, check out our recent webinar on the topic here.

Find this interesting? Follow me on Twitter @CyberResponder

At the LegalTech New York 2012 conference we announced a new version of its EnCase® eDiscovery software with the ability to collect electronically stored information (ESI) from more cloud-based data services and a new collected data re-use feature for searching evidence collected for previous cases.

EnCase® eDiscovery is the technology and market leader for legal hold, collection, processing and analysis, first-pass review and early case assessment. The new capabilities are available in EnCase® eDiscovery v4.4 and help corporate IT and legal teams to confidently assert that they have searched all of the potentially relevant ESI in their possession, custody or control.

The Collected Data Re-use (CDR) feature allows e-discovery teams to search already collected evidence residing in an EnCase Logical Evidence File (LEF) from a previous matter. This reduces legal risk, cuts e-discovery collection time and reduces the impact on custodians.

EnCase® eDiscovery also has a new connector framework that adds direct data collection from more than 30 leading e-mail archives and content repositories from vendors such as IBM. Also included is support for optical character recognition (OCR) to extract text from image files and PDFs and index them along with other collected data. This expands the company's near de-duplication feature to compare text extracted from image files via OCR with other text files.

The ability to collect from cloud sources means EnCase® eDiscovery can collect ESI from the widest range of desktops, laptops, servers, tablets, mobile phones, enterprise repositories, cloud services and other sources. New in v4.4 is support for all IMAP and POP3 Internet e-mail services such as Google Gmail, Yahoo! Mail, Windows Live Hotmail, in addition to existing support for Microsoft Office 365 online document service. The software also collects from Microsoft SharePoint servers.

"With the proliferation of end points and data storage locations, and increasingly, the cloud, enterprises today face a significant risk of not finding relevant ESI they are required to produce for a case," said Alex Andrianopoulos, Guidance Software vice president of marketing. "This release reinforces EnCase® eDiscovery's leadership position and demonstrates our commitment to reduce cost and mitigate legal risk for in-house teams."

EnCase® eDiscovery 4.4 will be generally available in March 2012 from Guidance Software sales force and its resellers worldwide.
 

EnCase® Portable was launched in 2009 to much fanfare by the media and by customers.  Part of the reason is that it was the first USB-based computer forensic triage and collection tool on the market.  Another reason is that the market could see that this product was an ideal way to extend the reach of the often-overworked forensic investigator. 

In all applications, from law enforcement investigations, to law firm data collection to corporate investigations, having a pre-set, thumb-drive-size forensic tool made it possible to secure information in a defensible way without the forensic specialist leaving the lab.  From parole agents to paralegals, there’s always someone onsite who could triage computers and collect data if only they had a foolproof way to do it.  EnCase® Portable filled that market.

Now, we want to make it easier to get EnCase® Portable into the hands of field personnel by changing the price of the product.  At the new price of $299 (plus software maintenance and support) organizations worldwide now have an affordable way to enable everyone to perform forensic activities in the field.  

EnCase® Portable works with EnCase® Forensic and EnCase® Enterprise to allow field personnel to quickly triage and review the contents of a computer in the field with no altering or compromising of data, and then to collect data needed for the investigation.  Back at the lab, the trained forensic specialist can then analyze the collected data.

This is a significant price change that can get proven Guidance Software collection capabilities into the hands of all of those on your team who need to perform forensic triage and data collections.  For more details on the pricing and to learn more about EnCase® Portable, go to:  http://www.guidancesoftware.com/encase-portable.htm.

Today we are excited to announce the Guidance Software Federal Summit 2012: A Focus on Data Visibility, a unique one-day thought leadership summit where data security and e-discovery experts from top government agencies and industry leaders will come together to discuss best practices in achieving end-point visibility for effective digital investigations.

The summit will be held on Friday, February 10, 2012, from 8:00 a.m. – 5:00 p.m. at the Crowne Plaza Washington National Airport Hotel in Washington, D.C. It provides a rare opportunity to hear from top government agencies such as the Defense Intelligence Agency (DIA), Internal Revenue Service, U.S. Commodity Futures Trading Commission (CFTC), U.S. Department of Agriculture (USDA), U.S. Department of Education, U.S. Department of Energy, U.S. Department of Justice, USDA Forest Service and many others, as well as Guidance Software executives and industry analysts.

Guidance Software President and CEO Victor Limongelli will deliver a welcome address with co-keynote speaker Matthew McCormack, Chief, Office of Cyber Security, DIA.  Key sessions include “I Can See Clearly: Achieving Data Visibility,” “E-Discovery in the Cloud,” “Hot Topics in Criminal E-Discovery,” “A Pro-Active Approach to eDiscovery Management:  An IT POV,” and “Zero Day Mitigation.” A full agenda is available on the event website.

“The dramatic proliferation in the type and location of new endpoints such as smartphones, tablets, and cloud servers, in conjunction with the ever increasing need for digital investigations introduces brand new challenges in how to manage and secure the resulting vast web of data,” said Limongelli. “The Guidance Software Federal Summit will arm attendees with invaluable insight into how eDiscovery and cyber security best practices and technology can be applied to gain visibility into and control of this vast web of data to ensure the security of confidential and proprietary information.”

Registration is now open and free for federal executives.

Company adds 98 New EnCase® Enterprise Customers, Compared to 32 in Q4 2010 

Recently, we announced that EnCase® Enterprise, the industry standard platform for network-enabled digital investigations, gained 98 new customers in Q4 2011. For all of 2011, the company added 285 new EnCase® Enterprise customers, which is more than three times as many as the 91 new EnCase® Enterprise customers added in 2010.

"Because EnCase® Enterprise is a powerful platform with a proven track record, enterprises in every industry are turning to it to provide cost effective, yet credible and defensible digital investigations," said Victor Limongelli, President and CEO of Guidance Software. "We are incredibly pleased with this quarter's growth as our rapidly growing install base of EnCase® Enterprise customers provides an enormous upsell opportunity for our eDiscovery and Cybersecurity products in the future."

A partial list of new customers in 2011 includes the following organizations:

Technology/Media/Telecom:

-- Facebook

-- Rackspace

-- Cadence Design Systems

-- TIM Brasil

-- Go Daddy

-- Ingram Micro

-- Dow Jones & Company

-- Demand Media

-- Plantronics

-- Home Shopping Network

-- The McGraw-Hill Companies

-- Charter Communications

Industrial/Manufacturing:

-- 3M

-- Huntsman

-- Chemtura

-- Gulfstream Aerospace

-- Rio Tinto

-- DuPont

-- Rockwell Automation

Energy/Utilities:

-- American Water Works Company

-- Northeast Utilities

-- Hydro One Networks

-- Los Angeles Department of Water and Power

-- Saudi Aramco

-- Tennessee Valley Authority

Retail/CPG:

-- The Gap

-- Tyson Foods

-- McKee Foods

-- Sears Holdings

-- Kellogg Company

-- Chipotle Mexican Grill

-- Tesco

Financial Services:

-- Grupo BBVA

-- Heartland Payment Systems

-- Erie Insurance Group

-- Dun & Bradstreet

-- Credit Suisse Group

-- Hudson City Bancorp

-- First Republic Bank

-- Commerce Bancshares

-- U.S. Bancorp

-- H&R Block

-- Nuveen Investments

-- Nara Bancorp

-- Ameriprise Financial

-- National Australia Bank

-- Bank of the West

-- Pacific Life Insurance Company

Pharmaceuticals/Healthcare:

-- Maxim Healthcare Services

-- Orlando Health

-- Horizon Blue Cross Blue Shield of New Jersey

-- Memorial Sloan-Kettering

-- New York-Presbyterian Hospital

-- DaVita

-- Cleveland Clinic

-- Oklahoma Heart Hospital

-- Thermo Fisher Scientific

-- McKesson

Local Governments:

-- Australian Capital Territory

-- Jeddah Municipality (Saudi Arabia)

-- City of Oakland

-- Dallas County

-- City of Fort Worth

-- Province of Manitoba (Canada)

-- City of Grand Junction

-- Durham County Council (UK)

-- City of Auckland (NZ)

Get more information about the EnCase® Enterprise.

Today Guidance Software announced the availability of the technical specifications for the 2^nd generation EnCase® evidence file format. The updated format, Ex01, has been optimized for fast data access and memory usage, while maintaining the proven, trusted, and secure technology that has made the EnCase® file format the standard for securing digital evidence.

With this specification, solution providers can now update their offerings to support the new file format.

The 2nd generation file format support the built in encryption capabilities included in EnCase® Forensic Version 7, making the process of transporting and securing evidence much safer.  

“We are happy to share the specifications for our new file format with the community”, said Steve Salinas, Sr. Product Marketing Manager for the Forensic Solutions at Guidance Software. “With the ever increasing backlogs forensic departments are faced with today, saving time during the investigation process is critical. By enabling others in the forensic community to incorporate this new format into their solutions, forensic examiners can spend more time completing casework and less time dealing with differing evidence file types.”

The specification document for this new format is available on the Guidance Software Customer Support Portal and in the Guidance Software Document Library. 

To reduce costs and mitigate the damage done by breaches, security teams need quick access to the right information.

It seems the torrent of data breach news never lets up. In 2010, according to the Open Security Foundation’s Data Loss Database, there were 555 breaches affecting nearly 27 million records. And while the number of incidents fell to 369 this year (so far, the year isn’t over as this is written), a staggering 126.7 million records have been affected.

The number of breached records isn’t the only statistic that is up. The most recent Ponemon Institute U.S. Cost of a Data Breach Study report, published in March of this year, found that the cost of breaches per record also is climbing. The report, which looked at 2010 data, found the cost per record to be $214, up $10 when compared to the previous year.

Why is the number of records compromised rising, along with the cost of breaches? There are no easy answers. Of course, more institutions are using electronic records today than ever before – and they’re also operating under stricter regulatory compliance mandates that require notification. Those are probably two very important reasons.

Another is the greater complexity of today’s networks. There are more servers, databases, and applications managing our data across more and more networks.

This makes it very challenging to quickly identify potential breaches as they’re just getting underway. 

As networks grow more complex, with more interactions with more network infrastructure and applications, the number of potential security events to monitor also rises. In order to better manage the associated risks – and quickly clamp down on breaches as they’re occurring – IT security teams need to deploy more security defenses and to monitor everything from network access to network and web traffic to application usage.

This heightened level of security monitoring means, of course, that security teams will receive tens of thousands – for large organizations perhaps hundreds of thousands – of security alerts from their Security Information and Event Management (SIEM) system every day. This makes it incredibly difficult to prioritize and respond to those events that matter. In fact, obtaining information about endpoints (where many breaches originate) that can be acted upon in a reasonable period of time is next to impossible.

This lack of visibility into real-time endpoint security activity significantly intensifies enterprise risk by both increasing the probability that successful attacks go unnoticed, and that security teams are hampered from doing their jobs effectively.

What IT security teams need is quick access to endpoint data to reduce risks. Because endpoint data tends to decay, or change very often, by the time security teams get to see the alerts that come from their SIEM, it’s often many hours or days too late to respond.

What’s needed for SIEMs to be more effective is the ability to integrate endpoint incident response into SIEM alerting. For example, our EnCase® Cybersecurity automates the incident response process by enabling the augmentation of rules into one of the most well established SIEMs, HP ArcSight. This integration makes it possible for EnCase® to capture the necessary data right on the endpoint as soon as possible. For example, if a user who is authorized to access the network attempts to access unauthorized applications or resources, EnCase® Cybersecurity can be configured to capture relevant system information at the very time that undesirable event occurs. This ensures an accurate view of exactly what activity was underway at the time the user attempted to access the unauthorized resources.

Additionally, as alerts from security defenses are generated and captured by the SIEM, EnCase® Cybersecurity can be configured to immediately take memory and system information snapshots of all hosts involved in the event. This ensures a real-time glimpse into the state of the computer at the time of the alert, revealing known, unknown, and hidden processes, as well as running DLLs and network socket information.

And with that kind of information in the hands of the IT security team, it then can prioritize and address the biggest risks before substantial damage occurs. If more organizations had these capabilities in place, the number of breaches, affected records, and the total cost of the breaches will likely go down.

Watch Trends in SIEM and Incident Response webinar featuring 451 Research and HP Enterprise Security to learn more about how the convergence of SIEM and incident response technologies can benefit you.

The only thing that was certain, in the initial days following the report of an alleged cyber-security breach at a Springfield, Ill. public utility water pump, was that no one seemed sure what exactly had happened. This Wired article, H(ackers)2O: Attack on City Water Station Destroys Pump asserted that cyberattackers managed to electronically access the utility’s SCADA (Supervisory Control and Data Acquisition) systems and then damage the pump by repeatedly turning it on and off.

Days following the report, however, the U.S. Department of Homeland Security (DHS)  said it was investigating the incident and that it didn’t have any evidence that an attack was actually the cause of the damage to the pump. About a week later, it became clear that, according to The Washington Post, the water-pump failure in Illinois wasn’t a cyberattack after all, but was caused by a plant contractor who remotely accessed the pump while traveling.

That conclusion didn’t come before hundreds of blog posts and news stories; some detailed in this Time Techland post, Hackers Blow Up Illinois Water Utility...or Not surfaced citing the attack as fact.

Within that time period, and completely separate from the Springfield incident, a hacker who goes by the name of “Pr0f” published what he called evidence of an attack on a “really insecure” SCADA system in South Houston. Pr0f said the catalyst for the attack he claimed to have conducted was the DHS’s downplaying the lowly state of national infrastructure security.

In a subsequent interview, Pr0f said his attack didn’t require much “hacking” to complete. He told the security Web site Threatpost that the password used to protect those systems was three characters and very easy to guess. 

Both incidents highlight the challenges surrounding industrial control system security and some steps that can help improve security and a quick and accurate response to events. The basic tenants of these systems are accessibility, availability and continuity of services – security can’t disrupt these systems. However as recent examples show, there is a need to quickly get an understanding of whether the event was simply an accident, or the act of a hacker. Forensic technology can help system administrators make a rapid determination without system disruption. Additionally, more rapid information sharing among state and federal agencies could help. Finally, and also very important, those running industrial control systems need to take a close look at the security of their infrastructure as a whole. 

When taking a look at their attack surface, critical infrastructure managers still need to start with the basics. They need to take an inventory of their connected systems, look at all traffic ingress and egress points, and disconnect systems that don’t need to be connected to the Internet. Those systems that are connected need to be managed with the proper security controls, such as firewalls, access controls, and authentication, but implemented in such a way as to not disrupt the accessibility, availability and continuity of those systems. Vendor-supplied passwords don’t cut it - and certainly neither do three letter passwords. Also, it’s always a good idea to look at SCADA systems periodically for vulnerabilities, in the same way a potential attacker might.

And with all of that, it’s important to always monitor those systems for unwanted, and potentially malicious changes that may come with the installation of Trojans, worms, botnets, remote monitoring and control software, and other common forms of malware.

Anthony Di Bello is product marketing manager at Guidance Software.

The legal department has undergone dramatic change since the beginning of the 21st century. No longer do in-house counsel litigate first and ask questions about the bill later. The litigation lifecycle is viewed as a business process, one that in-house counsel are expected to oversee. And a significant portion of this oversight is devoted to reigning in costs and increasing efficiencies in order to maximize the return on legal spend. This new responsibility has given way to certain innovations in the litigation process.

One such new innovation has the potential to drastically alter the legal landscape. Too often companies that find themselves involved in related lawsuits must reinvent the wheel when litigating each case. When one claim arises, in-house counsel must identify, preserve and collect potentially responsive electronically stored information (ESI). Then when similar claims arise, they must conduct this process all over again. Conducting this e-discovery cycle just once can be time-consuming and costly enough. But doing it repeatedly gives way to a myriad of inefficiencies. Instead, there is a new method known as collected data reuse.

Collected data reuse capitalizes on the work product generated from previous data collections that arise from similar claims that involve identical custodians. By preserving the work product of a previous e-discovery cycle and reusing it in another case, an organization can save thousands in collection costs. Additionally, legal and IT personnel can save themselves days in time-consuming labor, thus freeing them up to work on other aspects of the case. Additionally, the risk of spoliation and threat of sanctions goes way down, because you can confidently assert that you have searched all of the potentially relevant data in your possession, custody, or control. 

Recognizing this need, Guidance Software has rolled out a new feature within its EnCase eDiscovery solution that enables collected data reuse. Now, e-discovery practitioners can automate searches of previously collected evidence each time a new matter arises with the new Collected Data Re-Use feature.

For example, imagine your organization is involved in a patent infringement case regarding a product that you produce. Your legal department will go through the typical motions to identify relevant custodians and data stores and to preserve, collect and process potentially responsive ESI. Now, imagine that a few months later a separate patent infringement claim arises with a different company regarding the same product. The odds are you will be identifying and collecting much of the same information from many of the same custodians and data stores as you did in the initial patent infringement case. Rather than repeating the entire e-discovery process, you can simply collect information from new custodians and data stores as well as newly created information from old custodians and data stores. Therefore, a significant portion of your production can come from the previous matter, thus saving your organization a tremendous amount in time and money.   

With its ability to maximize efficiencies while reducing expenses and risk, Collected Data Re-Use is positioned to become the next e-discovery "must have." And no solution but EnCase offers this powerful functionality.   

Watch the Only with EnCase video to learn more about Collected Data Re-Use and other features available only with EnCase technology.

Russ Gould is director of product marketing at Guidance Software. 

Well, since no compressed air is involved, perhaps it is not technically a turbocharger, but EnCase Cybersecurity now makes SIEM tools much more effective, by automating the digital forensics capture and analysis activity required as part of incident response. 

As Martin Kuppinger has observed, the “art of SIEM is to – at best – identify exactly the critical situations which need to be handled. Not more, not less.”  The problem is, no organization can do that perfectly – no SIEM is ever tuned to such a fine degree of precision so that only the “critical situations which need to be handled” are immediately presented to the incident response team.  Often, there are too many “situations,” or, the critical nature of certain “situations” is not apparent until a later time, when perhaps more related data points are correlated by the SIEM.  Determining what happened, whether critical data was exfiltrated from the organization, or whether the attack spread to other computing assets, is crucial.  In order to do so, the data around the critical situations needs to be captured, either for immediate response, or for later analysis.  As NIST has noted in its Guide to Computer Security Log Management, “data regarding a particular event could be needed weeks or months after the event occurred.”  What’s more, when one of these critical situations occurs, you may want to assess a broader set of machines, even a subnet, as part of the analysis.

EnCase Cybersecurity now facilitates this data capture and analysis in three ways.  First, if an analyst sees a highly critical situation identified in the organization’s SIEM tool, he or she can now, right from the SIEM, perform an EnCase collection.  Second, an organization, in its tuning of its SIEM, can establish rules so that for critical events, forensic collection occurs automatically.  Third, an assessment can be automatically run on a broad set of endpoints to determine the extent of the problem – by way of example, assessing what binaries are running that are not part of the organization’s approved builds. 

The user can view the analysis results right from the SIEM console. The following video demonstrates how it works: 

The result is a turbocharged SIEM – more power, more effectiveness, and a better response to critical incidents when they occur.

Victor Limongelli is president and chief executive officer of Guidance Software. 

On October 13, the Division of Finance at the Securities and Exchange Commission (SEC) released “CF Disclosure Guidance: Topic No. 2 - Cybersecurity” representing the culmination of an effort on behalf of a group of Senators led by Senator Jay Rockefeller to establish a set of guidelines for publicly traded companies to consider when faced with data security breach disclosures.  The concern from the Senators was that investors were having difficulty evaluating risks faced by organizations where they were not disclosing such information in their public filings.  

According to the SEC in issuing the guidelines, "[w]e have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption."  And while the guidelines do not make it a legal requirement for organizations to disclose data breach issues, the guidelines lay the groundwork for shareholders suits based on failure to disclose such attacks.

The guidelines come on the heels of number of recent high-profile, large-scale data security breaches including those involving Citicorp, Sony, NBC and others – many of which have affected organizations around the world. A catalyst for the regulations is found in part in many organizations failure to timely report, or complete failure to report, their breaches.  To curb any future disclosure issues, the SEC released the guidelines ordering companies to reveal their data security breaches.

As stated in the guidance notes, “[c]yber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts.”

“Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.”

Consistent with other SEC forms and regulations, organizations are not being advised to report every cyber incident. To the contrary, registrants should disclose only the risk of cyber incidents “if these issues are among the most significant factors that make an investment in the company speculative or risky.” If an organization determines in their evaluation that the incident is material, they should “describe the nature of the material risks and specify how each risk affects the registrant,” avoiding generic disclosures.

The SEC indicated that in evaluating the risks associated with cyber incidents and determining whether those incidents should be reported, organizations should consider:

-- prior cyber incidents and the severity and frequency of those incidents;

-- the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and

-- the adequacy of preventative actions taken to reduce cyber security risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Rather than exposing new obligations for organizations, the SEC guidance highlights what company executives already knew about their obligations to report cyber incidents but may not have fully appreciated.   The true lynch pin for every organization will be the determination of materiality and making the decision on which breaches gets reported and which do not.  As such, public companies will also need to weigh real-world business risks specific to their particular market associated with incidents.  For example, “if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition," the statement says.

Given the sophistication and success of recent attacks, forensic response has taken center stage when it comes to exposing unknown threats, assessing potential risks to sensitive data and decreasing the overall time it takes to successfully determine the source and scope of any given incident and the risk it may present.

Cybersecurity threats will continue to proliferate for companies of all sizes around the world.  Failing to protect sensitive company data will pose an even greater risk going forward, so too will the legal implications for failing to disclose those material cyber incidents. A proactive, timely approach to prevention of cyber incidents represents the best case scenario for all organizations.  Guidance Software’s Professional Services team and partners can help. Our consultants can help expose unknown risks in your environment, remediation of those risks, as well as provide prevention techniques designed to give your organization an active defense and knowledge against possible attacks unique to your organization.

Chad McManamy is assistant general counsel for Guidance Software, and Anthony Di Bello is product marketing manager for Guidance Software. 

Journalist Kevin Townsend recently spoke with Guidance Software’s Frank Coggrave about preventing data theft from hacking attacks by reducing the time from security alert to remediation and Guidance Software’s recent announcement of EnCase Cybersecurity 4.3 that automates incident response through integration with SIEM tools like ArcSight.

The article discusses the value that SIEM solutions provide: they scan logs in real-time looking for anomalies, discover security events and can show where things are happening on the network. But they do have a shortcoming – they lack the next step which is response.  That’s where Guidance Software’s EnCase Cybersecurity comes in. EnCase Cybersecurity is able to identify the root cause of the event and help IT administrators respond quickly, closing the gap between alert and response.

Kevin writes, “Today’s hacker likes to get in and hide himself. He thinks he can go undetected (and often can and does) while he infiltrates deeper into the network looking for the most valuable data. Hacking comes with its own latency – and you need to use that latency between infiltration by the hacker and exfiltration of your data in order to stop him…SIEM plus forensics has the potential to improve the SIEM and, by reducing the time to remediation, to defeat the hacking latency.”

An additional problem is that IT security is a 24x7 job. When the SIEM solution triggers an alert in the middle of the night, response can’t wait. Frank provided Kevin with an example of how EnCase Cybersecurity can help:

“One of the filtering systems picks up that something is happening that shouldn’t. It reports it to the SIEM. Correlation with other alerts indicates that it’s potentially a serious incident. ‘But what do you do if it’s 2:00am. Or it’s just part of a whole series of other alerts happening at the same time? Well, the SIEM can now trigger EnCase Cybersecurity Solution to automatically and immediately dive in and do an investigation. We can capture who is on the machine in question, what applications are running at the time, what processes are in memory; we can kill the applications if we want to, and we can clear up the incident before it becomes too serious.’ Going back to our earlier metaphor, SIEM+EnCase can now close the stable door before the hacking latency expires, while the hacker is still in the stable and before too much damage is done.”

Read the full article on Kevin Townsend’s website.

 A complimentary issue of Real eDiscovery is available now. Real eDiscovery is a trusted information source for legal teams interested in bringing e-discovery in-house.

In this issue, Vivian Tero from industry analyst firm IDC answer questions about early case assessment in a Real eDiscovery exclusive Q&A. IDC recently published the “IDC MarketScape: Worldwide Standalone Early Case Assessment Applications 2011 Vendor Analysis,” and we were able to ask Tero about the study’s results, the benefits of ECA, common ECA misconceptions and more.

Other interesting topics in this issue: 

 -- the evolution and maturation of the e-discovery market in the wake of recent industry reports

 -- the role of outside counsel and the benefits of certification in a profile of e-discovery litigation attorney Richard Lutkus

 -- the six technological must haves for e-discovery software

 -- views on important legal technology issues, including early case assessment, EU data privacy, metadata, FOIA requests and insourcing e-discovery

 -- metadata production and FOIA requests in the wake of NDLON v. ICE 

 -- the benefits of bringing data processing in-house.

Download a complimentary copy of Real eDiscovery. 

New software and services from Guidance Software fill a critical gap in information security by helping organizations respond automatically to security attacks and breaches, giving businesses and government agencies the capacity to react to thousands of events daily and reduce the time between a breach and incident response.

Guidance Software has connected EnCase® Cybersecurity version 4.3 with security information and event management (SIEM) systems to facilitate security automation. For example, when an attack or breach event is suspected, the SIEM system can now automatically trigger an EnCase Cybersecurity forensic response, including exposing, collecting, triaging and remediating data related to threats — essentially taking action on or gathering data about a security event that might otherwise have been missed.

By automating incident response, organizations can collect actionable information about an attack, minimize data leakage and economic damage, and reduce the time needed to eliminate the threat and return an endpoint computer to a normal state.

According to a September 2011 Cost of Cyber Crime study by The Ponemon Institute, the average time to resolve a cyber attack in 2011 was 18 days. Shortening that duration could reduce the cost and impact of an attack, which the Ponemon study placed at $416,000 on average. Results of the study also showed that malicious insider attacks can take more than 45 days to contain.

"Time is of the essence when performing incident response, but today's security teams are constrained by the volume of attacks and the time it takes to initiate a response. Any delay in response means a potential for more damage and a loss of valuable data," said Victor Limongelli, president and chief executive officer, Guidance Software. "By automating forensic response EnCase Cybersecurity enables security teams to achieve a real-time view of what was occurring on endpoints during an attack, even if the incident occurred over a weekend or in the middle of the night."

Organizations have three ways they can automate incident response using new features in EnCase Cybersecurity:

-- Integration with ArcSight — The integration of EnCase Cybersecurity with HP ArcSight Enterprise Security Manager (ESM) offers four pre-programmed, automatic functions, including forensic auto-capture of system memory, scanning for Internet history and cache files, scanning for personally identifiable information, and conducting a targeted forensic data audit of a system. Security managers can run these EnCase functions and view results from a pull-down menu inside ArcSight ESM with a few mouse clicks, or they can set them to run automatically, without manual intervention, when an incident triggers a security alert. 

-- Response Automation Connector — EnCase Cybersecurity 4.3 includes the new response automation connector, which is an application-programming interface (API) that gives organizations the ability to integrate the software with other security alerting systems. Customers using the API can integrate all of EnCase Cybersecurity's incident response capabilities into their SIEM environment and automate those functions that are most important to their security processes.

-- Response Automation Services — Guidance Software has also launched new professional services offerings to help organizations with other security alerting tools or unique staffing needs to automate response to security incidents using EnCase Cybersecurity.

Learn more about automated incident response with Arcsight ESM and EnCase Cybersecurity. 

Read the news release. 

The use of encryption technology to protect computer data is growing—and that fact presents a challenge for forensic investigators.

Guidance Software’s Senior Director of Risk Management Andy Spruill spoke with Evidence Technology Magazine about digital forensics and encryption in a recent Q&A.

In the article, he answers common questions about trends in the use of encryption and what investigators can do to get as much evidence as possible from an encrypted file or drive.

Read the full article in Evidence Technology Magazine. 

The objective of malware has moved from weapons of mass disruption, to weapons of ultimate stealth for data theft. Today, attackers want to go unnoticed. And they’ll do anything they can to get past traditional defenses. They’ll try to compromise your users through tainted links on social networking sites, or specially crafted email attachments, and even through infected USB drives. They’ll employ any means they can, and if they’re determined, they won’t stop until they succeed.

The software tools they use today include attack exploit code, Trojans, keystroke loggers, network sniffers, bots – whatever works to infiltrate the network and then ex-filtrate the desired data.

Consider this quote from this CIO.com story, “Customized, stealthy malware growing pervasive”, from an experienced penetration tester:

“The advanced attack is getting more pervasive. In our engagements and my conversations with peers we are dealing with more organizations that are grappling with international infiltration. Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere. I imagine anybody in the global 2,500 has this problem.”

Consider that quote again for a second: “Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere.” 

Obviously, the goal of the malware is to slither past anti-malware defenses, and too often the attackers are successful.

This is why the ability to quickly detect and respond to infiltrations is more crucial than ever for an effective IT security program. And that makes digital forensics software central to those efforts. By being able to quickly determine the nature and cause of an incident, forensics software can be used to stop future incidents through the increased visibility into the network it provides.

This is where EnCase Cybersecurity shines. EnCase Cybersecurity offers enterprises a way to obtain actionable endpoint data related to an event before that data has a chance to decay or disappear from the affected endpoint altogether. EnCase Cybersecurity can easily be integrated with an alerting solution or SIEM of choice (such as ArcSight ESM) to enable real-time visibility into relevant endpoint data the moment an alert or event is generated. This ensures security teams have instant access to information such as hidden processes running at the time the alert was generated, ports that were open at the time and more.  The ability to see the entire picture in regards to what was occurring on an endpoint – at a specific moment in time – allows for a far more accurate incident impact analysis and a way to gain visibility into any given threat. Having a clear view into that moment in time leads to faster incident resolution rather than chasing cold trails.

This type of instant response capability that better addresses potential threats is simply mandatory today, considering the stealthy nature of malware and significant effort that goes into masking any traces of an attack.

Anthony Di Bello is product marketing manager at Guidance Software. 

In my last post, I wrote about the importance of data mapping and knowing where your electronically stored information (ESI) lives within your organization. Today, I want to touch upon document retention policies and the importance of purging unnecessary data.

If you've been following the conversation in e-discovery circles, then you undoubtedly know how imperative it is to implement a comprehensive data retention policy to ensure a defensible e-discovery process. Without uniformly and routinely enforcing your data retention policy, you risk getting slapped with the dreaded spoliation accusation. And as we've seen in many cases, the monetary cost of spoliation can surpass the entire claim being litigated.

But the preservation of ESI only addresses half of a retention policy's intended purpose. In addition to outlining what information should be held and for how long, a data retention policy should also speak to data purging. Specifically, the policy should address what information should be purged, when should this information be purged and what process should be undertaken to purge this information.

There are several reasons to include data purging procedures in a data retention policy.

First, amassing giga- and petabytes of old information unnecessarily complicates your IT infrastructure. Your organization must store this information somewhere. If it is to be retained indefinitely, your IT department will need to continually add storage devices to your organization's IT network. Although data storage is relatively inexpensive, the time you must devote to continually update your data map represents a significant cost.

Second, the more data you have within your organization, the more data you will have to search through, collect, process and review should a matter arise. Anything on the corporate network outside of privileged information is fair game for a requesting party. Therefore, the more information you retain, the higher your e-discovery costs. 

Third, the more varied and dispersed your data and your data stores, the more likely you are to inadvertently miss ESI that is potentially responsive to a matter. Think of your organization's network as a file cabinet. If your file cabinet is cluttered with outdated, unnecessary documents, it is going to be significantly more difficult to locate information than if you were to routinely clean out your file cabinet. By purging data uniformly and routinely, you can decrease the risk associated with failing to identify, collect and produce responsive ESI.

Finally, by destroying information uniformly and routinely according to a document retention policy, you are increasing your policy's defensibility. As long as the ESI is not subject to legal hold or other retention obligations, purging the information does not present an increased risk of spoliation. In fact, the opposite is true. In order for your data retention practices to hold up in court, you must uniformly and routinely retain and purge data according to your policy. This also gives reason to periodically auditing your retention and purging practices to ensure the policy is being adhered to routinely throughout the organization. Evidence of these audits can serve to embolden your position in court.

So, yes, data retention is an essential ingredient for a defensible e-discovery process. But compliantly preserving ESI should not overshadow the importance of purging unnecessary data. By cleaning house, so to speak, you can decrease your organization's risk and costs while strengthening your e-discovery efforts.

Russ Gould is director of product marketing at Guidance Software. 

Industry analyst firm IDC has named Guidance Software a leader in early case assessment (ECA) in a new report, the "IDC MarketScape: Worldwide Standalone Early Case Assessment Applications 2011 Vendor Analysis."

The report is IDC's first in-depth analysis of early case assessment applications, a fast-growing segment of the electronic discovery (e-discovery) market. IDC expects revenue for the standalone ECA applications market will total $400.8 million in 2011 and will reach $857.0 million in 2015.¹  

The need for early case assessment tools has grown in recent years as costs associated with e-discovery have escalated. ECA applications can help organizations achieve substantial cost and time-savings by enabling legal teams to have the metrics and insights needed to make informed decisions about case merits, risks and expected costs at the outset of a legal event.

"The value of early case assessment rests in its ability to enable better, faster case strategy decisions," said Victor Limongelli, president and chief executive officer, Guidance Software. "With EnCase, organizations can do case assessment truly early — including before and during collection and preservation. This unique capability gives our customers a clear advantage with assessment before collection, compared to other solutions that need to first have collection and processing complete, which could take weeks."

The IDC MarketScape evaluated early case assessment application vendors; reviewing their current capabilities and individual long-term strategies that impact their ability to meet evolving requirements, execute their go-to-market and product strategies, and gain market share going forward. The IDC MarketScape document scored and ranked vendors based on qualitative and quantitative criteria.

Read the news release. Download a complimentary excerpt of the report.    

Over the last 15 months, federal agencies have gotten on the electronic discovery bandwagon at an unprecedented pace.  And across departments and agencies, they have been standardizing on EnCase eDiscovery – in fact, in that short time, all of the following federal organizations have chosen EnCase eDiscovery for their in-house electronic discovery needs:  

-- The Internal Revenue Service (IRS)

-- The Federal Deposit Insurance Corporation (FDIC)

-- The Environmental Protection Agency (EPA)

-- The Commodity Futures Trading Commission (CFTC)

-- The Securities and Exchange Commission (SEC)

-- The Nuclear Regulatory Commission (NRC)

-- The Census Bureau

-- The Department of Agriculture (USDA)

-- The Department of Education (ED)

-- The Forest Service

-- The Executive Office of the President (White House)

-- The Defense Intelligence Agency (DIA)

When these are added to the previous federal users of EnCase eDiscovery, such as the National Nuclear Security Administration, and the Department of Veteran Affairs, it’s clear that nearly everybody’s regulator, no matter the industry or field, is using EnCase eDiscovery. 

Think about it, if you pay taxes (IRS), are a publicly traded company (SEC), use hazardous substances or emit pollution (EPA), are a bank (FDIC), trade commodity futures, options, or derivatives (CFTC), are a farmer or rancher (USDA), receive financial aid for education (ED), lease land from the Forest Service, or operate a nuclear power plant (NRC), your regulator has chosen EnCase eDiscovery for its electronic discovery needs.  Shouldn’t you?

Victor Limongelli is president and chief executive officer of Guidance Software. 

When Inside Counsel Magazine wanted to beef up its content on e-discovery it turned to Guidance Software’s Vice President and Deputy General Counsel Patrick Zeller who contributed his expertise to the publication’s “Counsel Commentary” column.

Patrick joined colleagues from across the legal community, sharing his tips on everything from building a response team to data mapping. 

A summary of his articles is listed below (click on the titles to read the full story on the Inside Counsel website):

Proactive ESI data mapping for e-discovery  

September 9, 2011 

In this article, Patrick discusses how data mapping can help organizations prepare for litigation and evaluate costs.

Is it finally time to bring e-discovery processing in-house? 

August 26, 2011 

In this article, Patrick discusses how in-house data processing can help companies realize cost savings and reduced risk.

Early case assessment – What you don’t know can (and likely will) hurt you 

August 12, 2011 

In this article, Patrick discusses the risks associated with not understanding your data.

Recent cases help evolve guidelines for producing metadata 

July 29, 2011
In this article, Patrick discusses the importance of keeping ESI load files in a forensically sound manner that preserves metadata.

Creating a discovery response team 

July 15, 2011 

In this article, Patrick discusses the universal roles that are important to in creating a successful discovery response team.

In a number of recent posts, including Malware: The Front Line Is Everywhere and As Malware Gets Even More Insidious, New Defenses Are Required, we – admittedly – are not painting a very rosy picture of the state of security.

Unfortunately, as software and vulnerabilities are everywhere, and attackers are highly motivated for both profit and activism, we don’t see that changing anytime soon. The number of infected and vulnerable web sites used to attack unsuspecting users isn’t going away, and neither is the ease at which attackers can use automated software exploits or maliciously crafted e-mails to gain entry to just about any endpoint and infrastructure.

There are, fortunately, some things we can change. Such as how we approach how we defend our networks. For years, as most of us are aware, we’ve spent our focus and effort on hardening the outside layers of the enterprise infrastructure: network firewalls, application firewalls, anti-malware defenses, intrusion detection systems, and so on. What we’ve left behind is a softer underbelly that constitutes the systems, databases, and endpoints on the other side of this digital Bastille wall.

This is why, to succeed, attackers need focus primarily on penetrating only the exterior walls. And, as we’ve seen from many successful attacks this year, a motivated attacker will exfiltrate the sensitive data they seek. In fact, it’s so difficult keeping networks, endpoints, and servers secure that even the most secure and secretive U.S. government agency operates as if it’s network has been compromised.

This Reuters’ story quotes Debora Plunkett of the National Security Agency as saying that "The most sophisticated adversaries are going to go unnoticed on our networks." She continued with the IT security strategy that the NSA operates:

"We have to build our systems on the assumption that adversaries will get in," she told a cyber security forum sponsored by the Atlantic and Government Executive media organizations.

That forward IT security execution strategy means that security managers need to be focused increasingly within the network where that which we are trying so diligently to protect, the data, actually resides. Enterprise networks, at a minimum, need to be segmented, with tight access controls in place, and heightened monitoring in place.

The idea of approaching network security with little trust of the network has also gained traction among traditional IT security analysts. Late last year Forrester research began talking about its “Zero trust Model of Information Security”. This vision feathers closely with that of the NSA’s.

Of course, not being able to trust the inner-sanctum means a higher level of monitoring and diligence on the activities. Guidance Software helps organizations to better achieve this with our Guidance Software EnCase Cybersecurity platform. EnCase Cybersecurity offers a signature-less approach to security by leveraging forensic level visibility to vet endpoints against trusted baselines. With that baseline in hand, the software can then quickly triage both live memory and disk storage for unknown or unauthorized data. If you know what a healthy system looks like, you have a much better chance at finding malware or computer misuse no matter how well obfuscated it may be.

Of course, once you find something malicious rummaging on your endpoints (and you will), you are going to have to have the people and technologies in place to respond. And respond quickly. Good incident response means the ability to mitigate risk as fast as possible, lower the costs of the incident, and efficiently manage regulatory compliance demands. Incident response is a big and important topic, and it’s something we’re going to cover in depth in our next post.

Consider for a moment all the locations you store electronic information in your personal life. Your mind likely jumps to your computer's hard drive. This hard drive can be further broken down into dozens of separate storage areas, called directories and subdirectories.  Now consider other storage devices where you keep your data. Perhaps you have a second computer or a laptop? Maybe you have a smartphone, an iPod or a tablet computer? What about a backup hard drive or backup CDs and DVDs? By considering all the locations you store personal data, you can begin to get a sense of just how dispersed electronic information can be. 

A thorough knowledge of your corporate IT infrastructure is a key component to a repeatable and defensible e-discovery process. By knowing what storage devices exist and what type of information is stored where, you can increase the effectiveness and efficiency of your e-discovery process. It is also a requirement under Rule 26 of the Federal Rules of Civil Procedure, which states that litigating parties are to disclose either a copy or a "description by category and location" of responsive electronically stored information.

A data map is a record that details this information. The data map is an integral part of any litigation-readiness plan. It serves to identify all the locations within the corporation where data may be stored. Further information, such as details about what information is stored where, should also be incorporated into the data map. For example, if data related to your company's accounting practices is located on a specific server, that should be noted within the data map. In-house counsel can reference this map when a matter arises to target collection.

But creating a data map on your own is no easy task. In fact, mapping your personal data is a breeze compared to mapping data on an enterprise-wide level. For one, a company is likely to have tremendously more storage devices. Not only do you have to think about computers, laptops and smart phones, but you also should consider servers, flash drives, legacy systems and a variety of backup devices. In addition, a company's IT infrastructure is often in a state of flux. Users create, delete and move information regularly, while IT personnel may add or alter storage devices. 

In order to effectively map your enterprise's data, you will need to invest in an e-discovery solution. However, not all e-discovery solutions are equipped with the functionality to facilitate data mapping. You need to look for a solution that has pre-collection analytical capabilities that are powerful enough to enable counsel and IT to collaborate and get critical insight into the company's diverse data stores early in the e-discovery process. Pre-collection analytics also remains a robust and effective tool even as the IT infrastructure evolves over time.

In addition to data mapping, another major concern among legal departments is the issue of data destruction. Much has been discussed about data preservation, but failing to purge unnecessary data presents significant costs and risks as well. But we'll save that for the next post.

Click here to learn about EnCase eDiscovery's pre-collection analytics capabilities.

Guidance Software’s Professional Services team also offers data mapping services.

Russ Gould is director of product marketing at Guidance Software. 

Now more than ever, it is critical for attorneys to prove they are hirable and indispensable. One way to do this is to acquire desirable, cutting-edge skills that will put them ahead of the competition. As e-discovery has become a common component of many matters, e-discovery skills have quickly become a hot commodity in the legal sector. Many large law firms have established special e-discovery practices. Some of these may be headed up by a single attorney, while other larger practices are composed of a small team of lawyers. Meanwhile, as corporate legal departments continue to in-source much of the e-discovery process, they are in search of technologically savvy corporate attorneys who can manage their internal e-discovery practices. In addition, an entire cottage industry of e-discovery consultancies, technology vendors and contract attorney agencies have arisen over the last five years, creating even more career avenues for knowledgeable attorneys.

So where does a lawyer acquire this knowledge? Conferences and one-off seminars that offer CLE credit can be helpful, but rarely do you get the kind of in-depth training that is required to qualify for one of these e-discovery positions. Instead, you will want to search for programs that provide you with more in-depth training and certification.

For instance, Guidance Software offers a range of training and certification programs that can help give you a boost along your career path. The certification courses train professionals on elements of computer forensics and e-discovery through the use of Guidance Software's EnCase solutions, which are widely employed across the legal industry. Course options include the EnCase eDiscovery v4, which educates individuals on how to efficiently gather and process electronic data using the latest version of EnCase eDiscovery. By completing a certain number of courses, professionals can acquire EnCase eDiscovery Practitioner certification (EnCEP). Learn how an e-discovery litigation attorney in Chicago bolstered his skills with EnCEP. 

There is also a separate training track that concentrates specifically on computer forensics called EnCase Certified Examiner certification (EnCE). The completion of this program acknowledges that professionals have mastered computer investigation methodology as well as the use of EnCase during complex computer examinations, which frequently play a role in corporate litigation and internal investigations. 

Learn more about EnCE and EnCEP. Learn more about the leaders in e-discovery software in a report from a leading industry analyst firm. 

Chuck Cobb is senior director of training at Guidance Software. 

Everything Channel's CRN has named Guidance Software’s Allison Ash and Kristi Houssiere as two of the top 100 Women in the Channel. The 2011 Women of the Channel were chosen by the editors of the magazine based on their achievements as executives and the amount of influence they wield over the technology channel.

Ash is vice president of worldwide channel sales at Guidance Software. She is responsible for building and directing channel strategy and programs for the leader in digital investigations. She has been instrumental in the implementation of the company’s Guidance Global Partner Program, which gives channel partners the ability to build new service practices or augment existing practices around EnCase Cybersecurity. In February, CRN also named Ash a 2011 Channel Chief. Houssiere is director of worldwide channel programs and operations.

In January 2011, at the company’s annual sales kickoff, Guidance Software announced that EnCase® Cybersecurity, the company’s incident response and data security software, would be sold exclusively through channel partners. Larry Gill, senior vice president of sales at Guidance Software, said “We believe this strong commitment, along with our new program, will greatly benefit both our channel partners and our company.”

Guidance Software is working with numerous channel partners with specializations in the security market, including Accuvant and FishNet.

See the full 2011 Women in the Channel list here.

Guidance Software will showcase cyberforensic security solutions at Black Hat USA 2011,

held July 30 to August 4 at Caesars Palace Hotel in Las Vegas.

At booth number 602, attendees can learn more about Guidance Software’s incident response and data auditing solution, EnCase Cybersecurity, which is gives enterprises and government agencies forensic-grade visibility into endpoint data to bolster security.

Specifically, attendees can learn how to:

-- reduce the costs and complexity associated with the incident response process

-- locate sensitive data and enforce data policy compliance on endpoints through targeted search

-- expose, investigate, triage and remediate threats that have escaped detection by layered security solutions.

Visit booth number 602 to see a live demonstration and learn more about Guidance Software, the company's professional services and security training.
 

To find out more about Guidance Software participation at Black Hat visit: http://www.guidancesoftware.com/BlackHat2011.htm.

About Black Hat 

Black Hat provides briefings and training to leading corporations and government agencies around the world. Black Hat differentiates itself by working at many levels within the corporate, government, and underground communities. This unmatched informational reach enables Black Hat attendees to be continuously aware of the newest vulnerabilities, defense mechanisms, and industry trends. Black Hat Briefings and Trainings are held annually in Abu Dhabi, Barcelona, Las Vegas, and Washington DC. Black Hat is produced by UBM TechWeb. More information is available at http://www.blackhat.com.

In a previous post we discussed how malware is becoming even more stealthy, especially when it comes to botnets and Web-borne threats. In the past few weeks we’ve seen evidence pointing to how vulnerabilities and threats are moving even deeper into the fabric of our infrastructure and business processes - and how difficult the fight against cyber attacks is becoming.

First up: evidence has emerged that shows how difficult it is to purge modern threats after an infection. Reports now indicate that Iran was not able to easily cleanse Stuxnet from its affected systems. This news report cities “intelligence sources” that say that Iran suffered havoc caused by Stuxnet for more than a year and wasn’t able to easily purge its systems from the infection as was previously believed:

Tehran never did overcome the disruptions caused by Stuxnet or restore its centrifuges to smooth and normal operation as was claimed. Indeed, Iran finally resorted to the only sure-fire cure, scrapping all the tainted machines and replacing them with new ones.

Stuxnet is widely thought to had been designed exclusively to set back Iran’s nuclear enrichment facilities, and many say that it’s just the beginning of a trend of attackers targeting physical control systems.

However, it’s not just sophisticated centrifuges and industrial control system hardware that security researchers and (presumably) attackers are looking at. Security researcher Charlie Miller, well known for his Apple security research, will demonstrate at the Black Hat security conference how the batteries on Apple notebooks are vulnerable to attack. That's right: the batteries. And, from there, the underlying operating system of the device could be placed in jeopardy. (Note: Guidance Software will be at booth # 602 at Black Hat.) 

Miller has found that after cracking two passwords (one password is hardwired and can't be changed) he can make changes to the notebook's firmware. "That lets you access it at the same level as the factory can," he said. "You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You'd need a vulnerability in the OS or something that the battery could then attack, though," Miller told ThreatPost.

Attacks against hardware may sound novel, and to a large degree they are – but maybe not as much as we'd all like to hope. According to this PC Magazine story, DHS: Imported Gadgets Possibly Include Malicious Software, Greg Schaffer, acting deputy undersecretary at DHS' National Protection and Programs Directorate, was quoted during a Congressional hearing, as saying that DHS is aware of electronics being purposefully infected with malware.

"Clearly, supply chain risk management is an issue that the administration is focused on," Schaffer said when asked how the U.S. was battling this problem. When pressed for details, Schaffer was reluctant to expand except to say, "I am aware that there have been instances where that has happened."

"The range of issues goes to the fact that there are foreign components in many U.S. manufactured devices," Schaffer continued. "There is a task force that DHS and DOD co-chair to look at these issues with goals to identify short-term mitigation strategies and to also make sure that we have capability for maintaining U.S. manufacturing capability over the long term."

While there's certainly no way to catch every potential threat – these types of attacks are something traditional anti-virus and other security defenses just won't catch.

Guidance Software EnCase® Cybersecurity provides an advanced level of security defense through its ability to vet endpoints against trusted baselines and triage both live memory and disk storage for suspicious activity. If you know what a healthy system looks like, you have a much better chance at finding malware no matter how well obfuscated it may be.

From Security Director News:

Most physical security professionals do not consider information security to be in the realm of their responsibilities, but Joseph Shaw, a senior threat investigator for MetaNet LLC, says there should be more synergy between the two disciplines.

Shaw is hired by companies to investigate threats and breaches to their networks. Many companies are concerned primarily with security breaches coming from outside the company, however, some of the biggest losses can be caused by inside actors, said Shaw. And, many companies don’t have incident response plans in place to deal with internal breaches.

Read the full article on the Security Director News website.

- The Security Director News website features top news stories, sdnTVnews, blogs, NewsPolls, events calendar and more.   

The battle against cyber-criminals and increasingly stealthy malware never seems to let-up. While we may not have thought so at the time, the era of mass e-mail viruses, worms, and simple Trojans was a much simpler time when it came to defending IT systems.  

Consider the success of recent crimeware botnets, such as the Zbot and Conficker. Today, these are two of the most prevalent botnets known. And such botnets are getting even stealthier as their creators are doing everything they can technologically to avoid detection by traditional security tools, like anti-virus and intrusion detection systems.  

Unfortunately, the criminals are enjoying too much success.  

Currently, there is the rise of the TDL-4 botnet. TDL-4 is designed to be about as stealthy as a botnet can get. In this most recent version (TDL was first discovered in 2008) the authors updated the malware's algorithms so that all communication with the command and control servers are encrypted, and includes a rather insidious root kit. Here's a recent CNET news story on the botnet: 

“To help safeguard itself from removal, TDL-4 infects a computer's master boot record, thus allowing it to run before the operating system starts up, and keep it away from the prying eyes of anti-malware programs.” 

"The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down," Kaspersky wrote on its SecureList blog earlier this week. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies." 

Also, Roger Grimes, InfoWorld blogger and security architect for Microsoft's InfoSec ACE Team, argues that while the security industry will figure out how to defeat TDL-4, it will probably take more time to do so than most organizations can care to wait:”I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to," Grimes writes. "It may take months or years to kill off something, but eventually the good guys get it right." 

Grimes continued that what troubles him is when malware authors try entirely new tactics, as they're prone to do, it takes much longer for the security industry and end users to successfully adapt. And Grimes is exactly right. 

However, while it can take longer for software operating system and anti-malware vendors to respond to new threats, it doesn't mean organizations have to wait to be effective at detecting and defeating these attacks. 

The security smart organization assumes that malware can, and will, successfully breach traditional security defenses. They assume that portions of their infrastructure have been breached, and they are constantly on the lookout for evidence of such breaches.  

The savvy approach is to assume that things can, and will, be hidden from traditional security defenses. That requires the ability to be able to successfully look for malware, find hidden and malicious code, and then isolate that code. Once an organization has an instance of the code isolated, it can then use that sample to find it anywhere it resides within their organization. 

This is an area where Guidance Software EnCase® Cybersecurity helps support a layered security defense with the ability to vet endpoints against trusted baselines as well as triage both live memory and disk storage for suspicious activity. If malware is exposed, the EnCase Cybersecurity near-match analyzer identifies similar files and binaries to expose advanced threats that are able to evade signature-based detection methods. EnCase Cybersecurity, provides complete visibility into all data on any endpoint regardless of how well hidden it may be.  

With these capabilities, not only can malware be exposed and killed on any affected machines, the exposed malware code can then also be used to successfully identify other infected systems.  

This means that there's absolutely no reason why any organization should have to wait the weeks or months for security vendors to devise the necessary signatures to keep their systems secured. EnCase Cybersecurity makes it possible to find infected systems - regardless of whether anti-malware vendors can – and keep them, along with the rest of the infrastructure clean. 

Visit here, to learn more about EnCase Cybersecurity. 

- Anthony Di Bello is product marketing manager at Guidance Software. 

Since the Federal Rules were amended in 2006 to incorporate electronically stored information into the list of discoverable materials, electronic discovery has become a booming market. Articles, white papers and webinars frequently warn lawyers about the consequences of improperly conducting e-discovery, including the possibility of sanctions. But how real is this threat?
 

Of course, everyone is familiar with the multi-billion dollar sanctions issued against Morgan Stanley in 2005. That case—which initially resulted in about $1.4 billion in sanctions but was later reversed on other grounds—is still frequently brought up as a warning to deter others from committing similar egregious e-discovery errors. Additionally, although sanctions in the billions are unlikely in most cases, the threat of sanctions against a party for improperly managing e-discovery is very real.
 

A 2010 report published in the Duke Law Journal highlights the reality of e-discovery sanctions over the last few years. The paper's authors undertook a comprehensive survey of written opinions from cases in federal courts prior to Jan. 1, 2010 involving motions for sanctions related to e-discovery. In total, the survey identified 401 sanction cases and 230 sanction awards. It also showed a startling trend—that sanction motions and awards have increased at a steeper rate over the last five years. This includes sanctions against counsel, which, although rare, are increasing in frequency.
 

Not surprisingly, the most common basis for e-discovery sanctions is a failure to produce electronic information. Sanction types range from monetary sanction to sanctions of dismissal, default judgment and adverse jury instructions. Additionally, the article authors have determined that Rule 37(e)—which states that a court may not impose sanctions on a party for failing to provide ESI lost as a result of the routine good-faith operation—has not provided consistent or comprehensive protection from sanctions.
 

What is somewhat surprising is the fact the highest frequency of sanctions occurred during 2009, three years after the Federal Rules were amended.  One takeaway from this factoid is that despite the education efforts of organizations such as the Sedona Conference, consultancies, publications and software providers, counsel are still struggling to create repeatable and defensible solutions to the e-discovery quandary. Part of this may be due to the burdens that e-discovery places on organizations, especially those that lack experience or resources to properly manage e-discovery.
 

It is important to take a proactive stance to tackling the e-discovery issue. In-house counsel need to work with knowledgeable experts to design an e-discovery repeatable and defensible plan that works for their organization. Also critical to effectively managing e-discovery is a robust and comprehensive software solution, specifically one that incorporates powerful analytical capabilities.
 

Read about the seven best practices of highly effective e-discovery practitioners.
 

Learn more about Guidance Software's EnCase® eDiscovery.

- Russ Gould is director of product marketing at Guidance Software.

After more than a year and a half of development we are pleased to announce that EnCase Forensic v7 is now available!
 

EnCase Forensic v7 is packed with innovative features all designed with the objective of enabling forensic examiners to complete fast, effective investigations. With v7, examiners are able to automate the processing of data, quickly search for critical evidence, complete in-depth email investigations, and create compelling reports faster than ever before.
 

Here are just a few of the new features and capabilities of v7:
 

• Intuitive, Streamlined Interface
• Powerful Processing Capabilities
• Unified Search
• Simple Email Review
• Integrated Smartphone Acquisition
• Lightning-Fast Case Access
• Flexible, Customizable Reporting
 

EnCase Forensic v7 is the most powerful, easiest to use EnCase Forensic we have ever developed, and truly a new approach to digital forensics.
 

Personally I have had a blast traveling around the country showing v7, but, the fun isn’t over yet. Through the summer we will be on the road with v7 so check our schedule to see if we are coming to your area: http://www.guidancesoftware.com/encase-forensic-v7-sneak-peek.htm
 

The release of EnCase Forensic v7 isn’t an ending, v7 is a new beginning.
 

Stay tuned.

- Steve Salinas is product marketing manager at Guidance Software, Inc. You can also find him on Twitter at www.twitter.com/Steve_at_EnCase.
 

According to IDC Energy Insights, the global smart meter market is growing. And it's doing so quickly. Roughly 5 million meters shipped in the first three months of this year, that's nearly a 23 percent increase over Q1 2010. IDC also expects the smart meter market to grow by more than 71 million units by 2015 – that's more than 25 percent annual compound growth globally.
 

Why such rapid growth? While emerging economies are building out their smart grids brand new, the U.S. is incentivizing the upgrade of its aging power grid. In 2009, the American Recovery and Reinvestment Act created $4.5 billion in smart grid and clean energy grants.
 

What does this mean for industry? It ideally (and probably will) mean cleaner and more reliable power. However, as this story in CSOonline magazine points out, Smart Grid (in)securities, it also means incrementally new risks to industry. With the smart grid, there's another rapidly growing, largely computational network coming to the scene, and it's going to be targeted by attackers. And, in the months and years ahead, as industrial systems and the smart grid get more tightly coupled (as they inevitably will)  it will become another avenue of attack corporations will have to be concerned about – and actively defend against.

How? Same as adversaries do today: as an entry point onto production networks (for any number of reasons from cyber snooping to financial theft) to conducting denial-of service attacks. The smart grid will be exploited by attackers to steal power (and large companies are an ideal target for this), and adversaries will have an easier way – from anywhere there's an Internet connection – to conduct denial-of-service attacks that don't knock web sites offline or make systems unavailable, but cut off an organizations power. Lights out.

 

This is one of the important reasons why it's imperative that large businesses – especially those in manufacturing – become adept at protecting industrial systems. As IT networks grow more interconnected with industrial systems and now the power grid – it's going to become increasingly more complex defending these systems.

 

Think this is stuff is imagination? Gerry Cauley, president and chief executive officer, North American Electric Reliability Corporation, certainly doesn’t. He recently testified before the House Energy & Commerce Committee that cyber attacks aimed at the grid could be used to deny power to specific targets, including business centers.
 

What makes smart grid different is that the meters and infrastructure at the business center itself could be hacked, and used to spoof false information back to the utility companies. Keeping these systems secured is going to require tight cooperation between utilities, government, and the private sector.

 

If you haven't already, take a look at Rickard Clarke's column in last week's Wall Street Journal. This former national security official to three presidents is not only convinced this threat is serious, but that adversaries have already infiltrated the power grid.

- Anthony Di Bello is product marketing manager at Guidance Software, Inc.
 

EnCase eDiscovery delivers all of the speed, scalability and ease of use that organizations expect from an e-discovery solution

EnCase eDiscovery version 4.2 software includes more than a dozen enhancements that give corporate e-discovery teams more control and automation over their enterprise deployments combined with a new user interface to make e-discovery collection and processing even easier.

The software made its debut at the Computer Enterprise Investigation Conference (CEIC) in Orlando, Florida last month.

New “check-the-box” wizard provides improved ease of use
In version 4.2, the company has a new “check-the-box” collection and processing “wizard” to help quickly specify what electronically stored information (ESI) should be collected and/or processed. These capabilities help e-discovery teams to set up repeatable processes that are the linchpin to defensible e-discovery efforts.

 

New easy-to-use collection and processing interface

 
Improved automation and workflow
New automation features include load balancing, and the ability to build workflows, which enables better prioritization and fast processing across global enterprise infrastructures. The new features are added to a platform that is well known in the industry as the gold-standard for collection and processing strength, and an architecture that offers unlimited scalability and usage, which means enterprises can take on large cases without having to upgrade the product or purchase additional licenses.

Support for Microsoft Office 365
Adding to its long time Microsoft Office Exchange and SharePoint collection capabilities, EnCase eDiscovery now supports Microsoft Office 365. Support enables the collection of electronically stored information (ESI) from Microsoft Office Exchange and SharePoint in the cloud.This new feature is important for those organizations that are transitioning to the cloud.

Guidance Software was also recently named a Leader in the first Gartner Magic Quadrant for E-Discovery which assesses 24 vendors on their ability to execute and completeness of vision in the e-discovery market. To download the full report click here: Gartner Magic Quadrant for E-Discovery.

“Enterprise e-discovery solutions increasingly must handle multiple digital investigation scenarios – not just legal cases – as well as supporting organizational goals without disrupting business, delivering collection and preservation strength that stands up in court, and providing scalable data capacity,” said Katey Wood, analyst for Enterprise Strategy Group.

EnCase eDiscovery is a comprehensive enterprise e-discovery solution that includes legal hold, pre-collection analytics, collection, preservation, processing, analysis and first pass review. It is based on the company’s judicially accepted forensic technology.

Take control of e-discovery with a single, unified solution
EnCase eDiscovery enables customers to take control of their e-discovery in a single unified solution that manages everything from legal hold through first-pass review, preserves metadata, only collects relevant files, and is scalable across large global networks with unique pre-collection analytics as well as analysis and first-pass review at any point in the process – all backed by Guidance Software’s expert services that provide industry standard best practices, training, and certifications (EnCE and EnCEP).

EnCase eDiscovery version 4.2 is available now.

- Russ Gould is director of product marketing at Guidance Software.

Last week at the SANS What Works in Forensics and Incident Response Summit in Austin, Texas, Guidance Software was awarded three Forensic 4cast awards in the categories of Best Forensic Hardware, Best Forensic Software and Outstanding Contribution to Digital Forensics for its Computer and Enterprise Investigations Conference (CEIC).

 

Selected as the Best Forensic Hardware, the Tableau TD1 Forensic Duplicator is compact and durable with functionality for both field and lab data acquisition. Selected as the Best Forensic Software, EnCase Forensic is the industry-standard computer investigation solution for forensic practitioners who need to conduct efficient, forensically sounds data collection and investigations using a repeatable and defensible process, Finally, selected as Outstanding Contribution in Digital Forensics, The Computer and Enterprise Investigations Conference (CEIC), is the industry’s premier digital investigations conference.

 

"The fact that Guidance won three awards is unprecedented; no single organization or individual has achieved that in previous years," said Lee Whitfield, Forensic 4cast founder. “Guidance has made some great progress in the last year. [EnCase Forensic] Version 7 looks great and has some serious potential. That may be why the community came out in their numbers to vote for Guidance.”

 

“To be selected for the Forensic 4cast Awards is truly an honor because it means our users and peers believe our solutions are the most innovative and the best choice for digital forensics,” said Steve Salinas, product marketing manager, Guidance Software. “With the upcoming general availability of EnCase Forensic V7 – we believe that it will transform the way people perform digital investigations.”

 

Now in its third year, the Forensic 4cast Awards provide the digital forensic industry a platform to nominate and vote for the best people, companies and products throughout the industry. Hosted by Whitfield, nominations opened in February and voting took place May 4 through June 5. A complete list of winners can be found at http://www.forensic4cast.com/forensic-4cast-awards/.



 

Those who attended the eleventh annual Computer and Enterprise Investigations Conference (CEIC), May 15–18, 2011, at the Loews Royal Pacific Resort at Universal Orlando, certainly had plenty to cultivate and much to think about to help them grow in their e-discovery and IT investigative work. And, the sun was out!

Record-breaking attendance, once again! 

More than 1,300 people were on hand this year. Attendees had a choice of more than 110 learning sessions led by computer forensics, e-discovery, cybersecurity, and enterprise investigations experts. Many also took the opportunity to take a track dedicated to EnCase® Forensic v7. As an added bonus, EnCase Certified Examiner (EnCE®) and EnCase Certified eDiscovery Practitioner (EnCEP®) exams were offered to qualified attendees at no additional cost.

A big week for e-discovery  

The legal and IT community charged with electronic discovery had a busy week during CEIC. The market saw two acquisitions, a leading analyst firm published new research about the e-discovery space, and last but not least, sessions at CEIC highlighted key e-discovery trends and best practices.

The Guidance Software e-discovery legal team covered some of the show’s most interesting e-discovery sessions and discussions on their e-discovery insights blog. Some of the highlights include: Craig Ball's “Nerdy Things Lawyers Need To Know About Computer Forensics and a Few Nerdy Things Forensics People Need to Know About the Law,” new critical e-discovery case law updates, common misconceptions of early case assessment, and perspectives from Dell, Best Buy and Nationwide on real-world e-discovery scenarios.

Additional e-discovery blog posts from CEIC:  

-- Judges Focus on E-Discovery Challenges 

-- Navigating International E-Discovery Challenges With Guidance From Multi-National Experts 

-- Testing, Sampling and Quality Control – Keys to Success in E-discovery 

-- E-Discovery and Cloud Computing: Still More Questions Than Answers 

-- eDiscovery Ethics Issues Apply to More Than Attorneys 

-- Hiding Your Head in the Sand is not the Right Way to Conduct an Internal Investigation 

The Keynote: Eric O’Neill 

Keynoting at the show was Eric O’Neill, subject of the 2007 film “Breach” for his undercover role in the capture of Robert Phillip Hanssen, one of the most notorious spies in U.S. history. IT security publication CSOonline covered the O'Neill CEIC keynote, where O”Neill noted the importance of forensics in the apprehension of Hanssen, especially mobile forensics:

"The forensic analysis of a Palm Pilot played a crucial role in the apprehension of Hanssen, as it detailed the location and time of his next drop to the Russians. And the explosion of electronic devices has become crucial to fighting both the spying of nations and of corporate espionage. "Spies previously had to first photocopy or photograph the material they wanted, then make arrangements for drops and payments," O'Neill said. "Today they just capture it on their phone and email it to anywhere in the world."  

The keynote theme certainly proved on-message for the conference, which included dozens of sessions and hands-on lab training about mobile forensics analysis and mobile malware threats. James Doyle, who presented his Hot Topics Lecture on Corporate Investigations in the Electronics Era said that the proliferation of mobile devices has made investigations much more difficult. "With so many different kinds of devices, and the average person using more devices than before, it certainly makes investigations more challenging that in the past," he said. "Mobile forensics is crucial because that's where more people are processing their data," he said.

Another big theme this year, as many might expect, was cloud computing. As more users turn to cloud-based storage and applications, there will be more cloud security and privacy concerns arise, said Joshua Gilliland, who presented his talk Oceania Rising: The Collision of Technology & Privacy. "The proliferation of cloud computing, social media, smart phones are all having a profound impact on e-discovery and personal privacy," Gilliland said. "These aren't things that are going to be easily resolved," he said.

That's for certain – and neither are the challenges in e-discovery, digital forensics, and cybersecurity. The ever increasing use of electronic devices and services are going to demand investigators and security professionals be smarter about how they investigate and protect for years to come.

Speaking of years to come: next year's CEIC will be at the Red Rock Resort in Summerlin, Nevada, May 21 to 24. See you there!

Follow CEIC on Twitter  and Facebook.

Most of e-discovery used to be outsourced to law firms and vendors. Over the past several years, surveys have shown consistent growth in the number of organizations that choose to bring parts of the e-discovery process in-house. By in-sourcing e-discovery, companies can manage the process like most business functions. The organization can hand-select skilled employees to assume ownership, and these employees, in turn, can hone a reliable, consistent and defensible e-discovery strategy that can be replicated for each matter. This kind of control and predictability mitigates risk and reduces costs.

However, to say that many companies have brought e-discovery in-house is somewhat of a misrepresentation of the facts. It's true that a large number of organizations—more than half, according to studies—have moved to in-source certain steps of the e-discovery process. Yet, there is still one area that in-house counsel continues to outsource more often than not—processing.

According to a recent survey of in-house counsel, more than 50 percent of companies have devised some sort process for collecting electronically stored information, issuing legal holds, and a significant number of businesses also have brought analysis and first-pass review in-house as well. However, only a small fraction have actually attempted to in-source processing.

Processing certainly is one of the more misunderstood components of e-discovery. You can easily surmise what collection and review entail even if you're an e-discovery rookie. Processing, on the other hand, is vague. Many see it as the magic black box of the e-discovery assembly line. Clumps of data go in one side and come out the other end neatly refined and repackaged.

But the truth is processing doesn't have to be a daunting and mysterious task. In fact, with the right set of tools, any e-discovery team can in-source data processing. The reduction of data and the cost reduction achieved at the review stage can benefit these organizations.

At its core, processing is when extraneous data is siphoned out of a collection. The remaining potentially responsive data can then be sorted and sent down the e-discovery workflow to be analyzed and reviewed. Extraneous information can mean a number of things. It may be e-mail duplicates, or it may mean data that falls outside a specific date range. What data is and is not relevant will depend on the specifics of the case and the discovery request.

A product like Guidance Software's EnCase eDiscovery demonstrates how in-sourcing processing can be a reality. The software provides users with the ability to sort data using a variety of criteria, including keywords, date ranges and file types. Plus its intuitive graphical interface makes it easily navigable for non-tech users. 

As e-discovery continues to become just another business function, more companies are going to realize the benefits of in-sourcing the process. Although bringing litigation hold requests, collection and preservation is a start, it certainly is not the end for many organizations. As in-house counsel become informed about the tools available to them, other e-discovery functions, including processing, will be moved in-house.

Learn how EnCase eDiscovery can help you with data processing. 

Learn more about EnCase eDiscovery.  

Russ Gould is director of product marketing at Guidance Software. 

I don’t know about you but I hate to be kept in suspense so here you go: the retail price of EnCase Forensic v7 will be $2,995.00 plus SMS. That’s right; the retail price of EnCase Forensic v7 will be the same as EnCase Forensic v6. But wait, there is much more.

EnCase Forensic v7 Packs More Forensic Punch 

For $2,995 you not only get EnCase Forensic but also the functionality of the v6 modules. Yes, you read correctly. There will no longer be any charge for these capabilities. EnCase Forensic v7 will include the capabilities of the following modules:

- EnCase Decryption Suite (EDS)

- Physical Disk Emulator (PDE)

- Virtual File System (VFS)

- Fastbloc SE

In addition, we added the ability to acquire from Smartphones and Tablets to EnCase Forensic v7 at no additional charge.

When you look at it, EnCase Forensic v7 will provide more capabilities than EnCase Forensic Deluxe -- with a price tag of only $2,995 plus SMS.

Already Own EnCase Forensic v6? 

For those of you who currently have SMS or PLSP, you will be able to upgrade to EnCase Forensic v7 at no cost. For those of you without current SMS or PLSP, the upgrade price from EnCase Forensic v6 will be $896, plus $599 for the next twelve months of SMS. (SMS on the upgrade will be based on the retail price of EnCase Forensic v7.) 

Special Discount Offer at CEIC 2011 

Also, I wanted to let you know about a special offer we will be running at this year’s CEIC in Orlando. Everyone that attends CEIC will have the chance to pre-order a new license of EnCase Forensic v7 or an upgrade to EnCase Forensic v7 at a special price. You can save a total of $400 on new licenses and $200 on upgrades. If you are going to the conference this is something you should definitely consider.

If you have questions for the sales team contact Guidance Software at (888) 999-9712 or on the Web. See you at CEIC!

Click here to Tweet “Guidance Software has announced EnCase Forensic v7 Pricing #EF7 #DFIR.” 

Learn more about EnCase Forensic v7. 

Steve Salinas is product marketing manager at Guidance Software. You can also find him on Twitter: @Steve_at_EnCase.  

Note: International pricing may vary. 

The insider threat is always a subject that grabs attention. Over the years debates have raged about whether the insider threat is a greater risk to organizations than attacks from the outside. However, such debates are largely academic: if you are an enterprise that has confidential information that requires protection, you need to protect yourself from both.

That's not to say that the insider threat isn't a special type of danger. It most certainly is. The “insider gone bad” – whether an employee, partner, consultant, or anyone with privileged access – knows the inner workings of your organization. They know who has access to what data. They know what's valuable. And they likely know something about where that data resides and something about how it is protected. This expertise on internal operations can be why the insider breach, when it does occur, can be more costly and difficult to solve than breaches from the outside.

According to the 2010 CyberSecurity Watch Survey, conducted by CSO Magazine, the United States Secret Service (USSS), CERT, and Deloitte, the mean value of losses from IT crime was $394,700. While that figure includes both inside and outside threats 67 percent of survey respondents said that insider breaches were more costly than those caused by outsiders.

Perhaps no one understands the complexity of the insider threat than Eric O'Neill (Who will be keynoting at the CEIC Conference this year). O'Neill is the young FBI operative who was brought in by the bureau to spy on his boss, FBI agent Robert Hanssen who was at the time suspected of selling national secrets to the Soviets. Anyone who has seen the movie Breach, which is based on O'Neill's first-hand experience in the takedown of the most notorious insider in U.S. history, knows how hard it can be to discover the insider gone criminal.

Difficult, but not impossible.

What makes insiders difficult is that they're given access to systems, and in many cases they are entitled to use the systems they're stealing data from. Nonetheless, insiders can be identified if organizations look – and know how to look. For instance, many insider trouble starts when morale is low, tension is high, or conditions change. For instance, if an employee is placed on probation, has been written up for violations, is close to being terminated (or actually submitted their resignation) – it could be time to monitor their activity more closely.

In this post, the CERT at the Carnegie Mellon Software Engineering Institute provides an overview of insider threat best practices that were discussed during a Peer2Peer session at the RSA Conference this year.

For starters, they recommend that you log what data insiders are accessing, and when. Of course, any such monitoring needs to be an approved part of a corporate policy and vetted by legal and human resources. In most cases employees will be told that their actions on the network will be monitored. And that, in itself, can act as a huge deterrent. When everyone knows that there is a record of network activity, employees will be less likely to conduct anything considered dishonest. 

Additionally, they recommend the monitoring for excessive files being accessed by employees, contractors and other insiders, within short periods of time – a sign that someone may be harvesting data. Also, watch for credentials being used during odd hours or from odd locations.

It's important to note that just because you see credentials being used for suspicious activity that it automatically means it's the rightful owner of those credentials. In outside attacks, it's common for the hacker to capture user credentials and then use those credentials to gain access to the data they seek, or drill deeper into the network. Only a thorough investigation will reveal the true nature of an incident.

Another point in mitigating the insider threat (as well of the risks of outsiders) is to limit the locations where sensitive and confidential data is held within your network. That makes it easier to protect and monitor those troves of information. It also requires continuous monitoring of the network and connected systems to identify locations where confidential data is being stored – and shouldn't.

As you've probably realized – none of this will stop the risk of the insider threat entirely. But these practices will certainly help to mitigate the insider threat – and increase the chances of spotting an insider attack before the damage is done.

From time to time an organization considering bringing electronic discovery in house will look at solutions that offer a fixed amount of data capacity for a fixed price --- say, 1 TB of capacity for a license fee of $200,000.  Very often part of the prospective customer’s analysis is “How much capacity do we need”?  The answer, unfortunately, is treated like a static arithmetic problem, with reasoning along the lines of “well, we average about 100 custodians per year, and our data per custodian averages about 8 GB, so if we buy 1 TB of capacity, we should be fine.  Sure, we might get a few more custodians or a case with a bit more data, but we’ve built in a buffer in terms of capacity.” 

Unfortunately, that type of analysis is fundamentally flawed because it vastly underestimates a key variable – the volume of data per custodian.

Looking at recent history, in the 2005 time frame it was common to see data volumes per custodian in the range of 1 GB.  Nowadays, 8GB or 10GB per custodian occurs frequently.  That is 8x or 10x the amount of data per custodian in a half-dozen years!  If data continues to grow at that rate – and there is no indication data growth is slowing down – in six years data per custodian will be 50 GB to 100 GB!  In other words, over the next half-dozen years, that 1 TB of capacity purchased for an in-house electronic discovery system will prove woefully inadequate, with 5 TB – 10 TB required – even if the number of cases and the number of custodians does not increase at all.   That $200,000 software license will need to be expanded at least 5x, resulting in an additional license fee of $1,000,000 or more, and a total cost of ownership far in excess of what was originally planned.  The situation, of course, will be much worse if the number of cases or number of custodians also increases.

That result is not surprising when one considers that, outside of the electronic discovery context, data volumes continue to grow, with no end in sight.  The Economistreported last year that “The amount of digital information increases tenfold every five years.”  Similarly, a graphical representation of the growth of data storage is available here.

Given the ongoing explosion of electronic data, and the uncertainty about future cases and custodian numbers, doesn’t it make more sense to implement a system that does not restrict the number of cases, the number of custodians, or the amount of data?  One of the goals of bringing the electronic discovery process in house is to achieve cost certainty, so that the legal budget is not bushwhacked by the growth of electronic discovery.  The way to do that is to insist on a solution that offers unlimited data capacity, unlimited numbers of cases, and unlimited numbers of custodians.

Victor Limongelli is president and chief executive officer of Guidance Software. 

A survey produced by the Center for Strategic and International Studies (CSIS) and released this week reveals what we've been discussing in the Guidance Software Newsroom for some time: the critical infrastructure that supports the power grid, oil, gas, and water industries are woefully insecure.

The survey consisted of 200 IT security executives from critical power infrastructure providers in 14 countries. The survey found that 40 percent of those surveyed believe that their industry has become more vulnerable than the prior year, about 30 percent also believe their company is not prepared for a cyber attack.

The report had a number of other key findings:

-- Eighty percent of respondents have faced a large-scale denial of service attack (DDoS), and a quarter reported daily or weekly DDoS attacks and/or were victims of extortion through network attacks

-- Organizations failing to adopt effective security: sophisticated security measures placed upon offsite users are in the minority, with only a quarter of those surveyed implementing tools to monitor network activity, and only about 36 percent use tools to detect role anomalies

-- Organizations fear government attacks: more than half of respondents say that they have already suffered from government attacks.

Last month we detailed how a security researcher posted nearly three dozen industrial control system vulnerabilities to a security mailing list and the resulting warnings from the DHS, as well as recent efforts by the International Society of Automation (ISA) and the North American Electric Reliability Corporation designed to help improve the security of SCADA systems.

And there is certainly much more room for improvement, the challenge is that the attackers seem to be moving much more quickly than those charged with defending critical infrastructure.

However, with threats such as Stuxnet now a reality, focusing on defense alone is enough.

With so many threats targeting critical systems, some are bound to get through. Interestingly, from the CSIS survey – 40 percent of respondents said that Stuxnet impacted their systems. If that's accurate – what other types of threats – Trojans, traffic loggers, bots, or exploits, have infiltrated these systems?

Without the ability to spot anomalies, there's really no easy way to tell. However, if critical control system security and operation managers understand what these systems should look like at any given moment – they'll find it easier to spot anomalies much more quickly than having to conduct a slow forensic investigation across dozens – if not hundreds – of potentially affected systems.

We've seen, in incident after incident, how defenses – intrusion detection/prevention systems, firewalls, anti-virus, and others let malware and attackers slide on through. While these technologies are essential, and do help to stop most attacks – they're not enough in themselves. So the ability to reliably identify systems that have been breached through anomaly detection needs to be part of the plan.

For more information about how Guidance Software helps protect critical infrastructure click here.

Learn more about EnCase Cybersecurity.

We saw a couple items this week that caught our eye, and that together underline an inescapable truth. First, Craig Ball wrote an excellent article on anti-forensics, in which he noted that “[the fact that] a party has intentionally destroyed or altered evidence [is] alleged and proven with disturbing frequency.” He details how he uncovered spoliation in a particular case, and concludes that “anti-forensics is counterproductive,” but is something that counsel should be on guard against. 

Second, we saw that Clearwell posted an explanation for its appearance in a published Order from U.S. Magistrate Judge Elizabeth Laporte in Datel Holdings Ltd. v. Microsoft Corp.  Coming fast on the heels of the negative reference to Clearwell  in the government’s brief asking for a stay of Judge Scheindlin’s Order in National Day Laborer Organizing Network v. U.S. Immigration and Customs Enforcement Agency, a case in which the Declaration of the Director of the Freedom of Information Office at ICE went into great detail about the problems the government had run into with Clearwell, it undoubtedly was important for Clearwell to clarify what had happened in the Datel case. In this instance, Microsoft unwittingly produced portions of an email thread that Microsoft’s lawyers had listed on their privilege log. Microsoft’s counsel argued that the disclosure of the material was inadvertent, and was due to, as Judge Laporte put it in the Order, a “glitch” in Clearwell. As it turns out, Clearwell explained that the problem was really Microsoft’s, in that the software Microsoft used to decrypt previously encrypted content had truncated certain documents before they were loaded into Clearwell.

What do these two items have in common with each other? They highlight the critical importance of forensics technology – which can handle all types of data and all types of cases – in an in-house electronic discovery system. Certain vendors who, unfortunately, are forced to rely on the computer’s operating system to search and collect data have tried to argue that “forensics is overkill,” but nothing could be further from the truth. An in-house electronic discovery system based on forensics can find hidden data (which can be critical in trade secrets, IP, or fraud cases, or in internal investigations), and can handle encrypted data, so that you are not forced to decrypt in a third-party tool before entering the data into your e-discovery application. Why deploy a partial solution?

Certainly, given the data volumes and number of devices, forensics technology that can be targeted at potentially relevant data is critically important. But there should be no confusion – “forensics” does not mean that “full-disk” images must be taken. Rather, it means that the technology does not rely on the computer’s operating system to identify, collect, and preserve potentially relevant data, so that all cases can be addressed by the system without disrupting custodians; it means that all metadata is protected throughout the process, so that you don’t find yourself in the situation of the government in NDLON; and it means that hidden, embedded or encrypted data can be addressed within the system, so that you do not have to rely on other tools to “massage” the data before using your electronic discovery system. On that last point, EnCase eDiscovery has built in integration with Microsoft’s RMS encryption tool – the encryption at issue in the Datel case – as well as built-in integration with other common encryption tools such as PGP, SafeBoot, Credant, Utimaco, Guardian Edge, etc.  All kinds of cases, all kinds of data – that’s the strength of a forensics backbone in an in-house electronic discovery system.

Patrick Zeller is vice president of e-discovery and deputy general counsel at Guidance Software.  

In September 2009, Guidance Software announced the EnCase Certified eDiscovery Practitioner (EnCEP) program, creating the first e-discovery certification testing program. The EnCEP® program certifies private and public sector professionals in the use of the EnCase® eDiscovery software, as well as their proficiency in e-discovery planning, project management and best practices.

On March 29, 2011, the U.S. Patent and Trademark Office registered, as a certification trademark, the Guidance Software EnCEP name and logo. 

The mark certifies that “the electronic discovery services are provided by a person who has been trained in EnCase eDiscovery software and has passed the examination and application standards which indicates the person has the skill and knowledge to provide the services.”

EnCase eDiscovery is the leading e-discovery solution for the search, collection, preservation, and processing of electronically stored information (ESI). Earning the EnCEP certification signifies that a practitioner is skilled in the application of the solution, to manage and successfully complete all sizes of e-discovery matters in accordance with the Federal Rules of Civil Procedure.

The EnCase Certified eDiscovery Practitioner program was created with the input of industry experts, to meet the needs of our EnCase eDiscovery users who are handling electronic evidence in both routine and some of the largest and most complex litigations of our day.   Candidates who complete the EnCEP program, and earn the designation, will have demonstrated their expertise in the leading edge EnCase technology and methodology for the collection and processing of electronically stored information.

Over the past decade, Guidance Software has certified more than 3,000 computer investigative professionals with the globally recognized EnCase(R) Certified Examiner (EnCE) designation. The EnCEP program similarly enables e-discovery practitioners to demonstrate their skills, training and experience in the proper handling of ESI for legal purposes.

Jessica Bair is senior director of curriculum development at Guidance Software. 

March has proven a hectic month for SCADA and industrial control security. Last week, according to this InformationWeek blog post, a security researcher posted nearly three dozen industrial control system vulnerabilities to a security mailing list. Following that move the US CERT issued several warnings.

Before the vulnerability disclosures, there have been a number of developments that aim to improve the U.S. power industry from cyber threats.

Most recently, the International Society of Automation (ISA) announced that the ISA99 standards committee on Industrial Automation and Control Systems Security formed a task group that would perform a gap analysis between the current ANSI (American National Standards Institute) ISA 99 security standards and modern cyber threats.

The ISA 99 standard is crucial to the security of SCADA system security as the standard provides a roadmap for control system operators on the current state of security technologies and how they can be employed to protect these systems from cyber attack. The intent of this analysis is to determine if organizations that follow ISA 99 would have been able to successfully defend against a Stuxnet-like attack, according to this statement. And, where weaknesses are found, related improvements will be recommended.

Separately from the ISA 99 standards gap analysis, the North American Electric Reliability Corporation (NERC) recently announced the formation of a Cyber Attack Task Force (see PDF). The task force will be charged with identifying the potential impact of a coordinated cyber attack on the reliability of the bulk power system.

The goal is to develop flexible options so that potential attacks can be spotted and rapidly mitigated. This task force is a continuation of the Department of Energy and NERC's "Coordinated Action Plan" announced last year. That report concluded that the best response would involve NERC efforts as well as those led by individual concerns of the bulk power industry. 

While NERC and others have been looking at the potential impact of cyber attacks on the bulk power system, this will be the most in-depth analysis of the disruption a sustained and targeted cyber attack on the power system could cause.

Learn more about the industry's first forensic-based critical infrastructure security solution. 

Guidance Software will host the eleventh annual Computer and Enterprise Investigations Conference (CEIC), the industry’s premier digital investigations conference, May 15 – 18 at the Loews Royal Pacific Resort at Universal Orlando.  

At the conference attendees can choose from more than 110 learning sessions, led by some of the world’s foremost experts in computer forensics, e-discovery, cybersecurity, and enterprise investigations. Attendees can create personalized schedules to focus on their unique interests. Every session earns Continuing Professional Education (CPE) credits and the e-discovery Lecture Track offers Continuing Legal Education (CLE) credits.

Other activities at CEIC 2011 include:

-- A track dedicated to EnCase® Forensic v7, an upcoming version of the popular digital forensics software, as well as tracks on e-discovery and cybersecurity

-- EnCase Certified Examiner (EnCE®) and EnCase Certified eDiscovery Practitioner (EnCEP®) exams offered to qualified attendees at no additional cost

-- Networking opportunities with peers and experts to preview the latest technology and services from leading providers in the exhibit hall.

Keynoting at the show is Eric O’Neill, subject of the 2007 film “Breach” for his undercover role in the capture of Robert Phillip Hanssen, one of the most notorious spies in U.S. history. Currently O’Neill is a founding partner of The Georgetown Group, where he specializes in counterintelligence and counterterrorism operations, security risk assessment, investigations into economic espionage, internal investigations, and background investigations.

Last year, a record 1,300 attendees joined the tenth anniversary of CEIC.  

Follow CEIC on Twitter at www.twitter.com/CEIC_Conf. The Twitter hash tag for the 2011 CEIC Conference is #CEIC2011.

Visit the CEIC 2011 website for the agenda and to register at http://www.ceicconference.com..

Kim Peterson is the CEIC event manager. 

On March 15, 2011, Justin Leri (pictured above) earned the prestigious EnCase Certified Examiner (EnCE) designation and became the 3,000 person to do so. The EnCE program provides a world-class certification designed to help examiners receive recognition in court, in the work place and with their peers, for their skills, knowledge, experience and training in EnCase technology and best practices. Celebrating a decade in November 2011, EnCE is the most-widely held certification in the world for computer forensics.

Guidance Software will honor Justin as the 3,000th EnCE at CEIC 2011, the leading conference for digital investigations! CEIC is May 15-18 at the Loews Royal Pacific Resort at Universal Orlando. Register for CEIC. 

Justin will represent all those who earned the EnCE designation, and those who are investing in themselves by working toward certification.

A co-creator of the EnCE program, I had the opportunity to interview Justin about this achievement.

Q: Can you tell us a little bit about you, your career and your agency? 

A: My name is Justin Leri. I am 26 years old and from the Scranton, Pa. area. I am currently a Detective/Computer Forensic Examiner for Lackawanna County District Attorney (DA) Andrew Jarbola’s Office in Scranton. The DA’s Office serves a population of approximately 215,000 with more than twenty Assistant District Attorneys and thirteen sworn detectives.

I am a member of the Pennsylvania State Police Northeast Computer Crime Task Force, with a territory of seventeen counties in the state, and the Pennsylvania Internet Crimes Against Children (ICAC) Task Force. As part of my Task Force duties, I also work with various local and federal agencies, including the Federal Bureau of Investigation.

I graduated from Pennsylvania’s East Stroudsburg University with a bachelor’s of science degree in computer security in 2007. Prior to joining the DA’s office, I was employed as a Computer Forensic Analyst with the New York State Police, Computer Crime Unit at the Forensic Investigation Center in Albany.

Q: How did you become a computer forensic examiner? 

A: While obtaining my degree in computer security I studied various topics in computer security, including forensics. Prior to graduation, I completed an internship with the Lackawanna County District Attorney’s Office. The internship was an opportunity to explore the area of computer crimes and forensics through the District Attorney’s Office and Pennsylvania State Police Task Force. After graduation, I was hired as Computer Forensic Analyst with the New York State Police Computer Crime Unit.

Q: What types of cases have you used EnCase software to conduct computer forensic examinations? 

A: I use EnCase software for a variety of cases. The majority of my caseload involves Internet crimes against children. However, I have also used EnCase software for various other cases including homicide investigations, narcotics, stalking and harassment, and even hacking investigations. EnCase has done a phenomenal job in meeting my forensic needs to properly conduct these examinations and investigations.

Q: Why did you decide to undertake the EnCE program and earn your certification? 

A: In law enforcement, and more specifically computer crime investigations, training and certifications are an important key to investigate and prosecute cases properly.  I decided to undertake the EnCE program so that I could test and validate my knowledge of EnCase software, and more importantly, proper computer forensic examinations.

Q: How did you prepare for the EnCE testing program? 

A: I prepared for the examination by reviewing material from my college courses, reviewing the EnCE study guide provided by Guidance Software, and by conducting forensic examinations using my previous knowledge of computer forensics. In early March 2011, I attended EnCase Computer Forensics II in Pittsburgh. I cannot speak highly enough about the information received from the class! After attending the class, I was able to use my new knowledge of EnCase to complete the EnCE practical examination in less than three working days.

Q: What do you expect you will gain from your new EnCE designation? 

A: I am pleased to have gained the designation an EnCase certified examiner. I believe this designation with help me in my current employment, with both examinations of evidence and testifying in court proceedings. I also believe that this certification will play an important role in any future computer forensic endeavors, both professionally and personally.

Q: Will you be joining us at CEIC to receive recognition on behalf of the previous 2,999 EnCE’s and those who came after you? 

A: Although I have an ICAC conference previously scheduled during a few days of CEIC, I will most certainly be attending CEIC for the first few days! I am ecstatic to have been the 3000^th person to receive EnCE certification and to attend the conference as Guidance Software honored guest!

Q: What advice shared by the current EnCE’s so far on Guidance Software’s Facebook page has helped you? 

A: Some of the best advice relating to computer forensic examinations, shared by previous EnCE individuals, is to “never give up, the answer is right in front of you.” I have learned from these individuals that in forensic examinations, sometimes taking a break and going back to your examination a few hours or days later, will help counter break any problems with narrow vision on cases.

Are you already an EnCase Certified Examiner?  

You can continue to help Justin and other new EnCEs. We’re offering a chance at a free Tableau Modular Storage System for providing some good advice to our 3,000th examiner (and others). The new Tableau Modular Storage System gives forensic investigators the storage capacity they need to handle large cases in the field.

All you need to do is “Like” the Guidance Software page on Facebook and leave your best advice in a sentence or two. Keep it professional and upbeat.  Sometime before CEIC (May 15) we’ll do a random drawing of all of the entries, and if you are picked (and are an EnCE examiner) you win!

Jessica Bair is senior director of curriculum development at Guidance Software. 

Legal Notice:
You alone are responsible for your content, and you recognize that you may expose yourself to liability if, for example, your content contains material that is false, intentionally misleading, or defamatory; violates any third-party right (including any copyright, trademark, patent, trade secret, moral right, privacy right, right of publicity, or any other intellectual property or proprietary right); or contains material that is unlawful. You represent that you own, or have the necessary permissions to use and authorize the use of your content. When you submit your content to Guidance Software, you are also irrevocably granting to Guidance Software world-wide, non-exclusive, royalty-free, sublicensable, transferable, perpetual rights to use, distribute, modify, and create derivative works of your content for any purpose. The opinions expressed herein are those of the individual poster and do not necessarily reflect the views or opinions of Guidance Software, Inc.  

Since EnCase has been used in hundreds of thousands of cases, and mentioned by name in over 70 reported decisions, we know a little something about the pride an organization feels when its software gets highlighted in a judicial opinion.  Now getting mentioned in a brief filed in a case, as opposed to a reported opinion, won’t usually set hearts aquiver in quite the same way, but something tells me that Clearwell’s mention in the government’s brief asking for a stay of Judge Scheindlin’s groundbreaking Order in National Day Laborer Organizing Network v. U.S. Immigration and Customs Enforcement Agency has nevertheless created some nervous excitement for them.  First, Immigration and Customs Enforcement (ICE) highlighted that using Clearwell for FOIA purposes had already cost it over $300,000, and that “[c]ontinued use of the software will require an additional expenditure of funds in an unknown amount, perhaps in the hundreds of thousands, if not millions, of dollars.”  Well, it may cost a large, growing, and ultimately unknown amount, but on the positive side at least “ICE was required to suspend many of the agency’s security protocols in order to allow Clearwell to run properly.”  Er, wait, uh . . . never mind ICE, what about  the other defendants?  The FBI noted that it would be able to use Clearwell to process 79 spreadsheets, but that “Clearwell will be unavailable for future productions because it has reached maximum capacity . . .” 

Let’s see . . . uncertain costs, suspended security protocols, and capacity limitations – not the typical trifecta looked for when e-discovery software is highlighted in a landmark case. 

UPDATE (March 29, 2011): Last week we blogged about Clearwell getting mentioned in the government brief asking for a stay of Judge Scheindlin’s Order in National Day Laborer Organizing Network v. U.S. Immigration and Customs Enforcement Agency.  Supporting the government’s brief was the Declaration of the Director of the Freedom of Information Act Office at ICE, available here. It contains a number of bold statements such as: “[The ICE Office of the Chief Information Officer] decided that given the tremendous technical difficulties and huge expenditure of manpower . . . associated with operating the Clearwell software . . . the agency should abandon the Clearwell application and discontinue its use.” (Declaration at ¶ 14)

Thinking about the situation more broadly, it seems that Judge Scheindlin has an uncanny knack for issuing landmark opinions in e-discovery cases, but each of them highlights situations that others can avoid by using commercially available software that is suited for the task at hand – to collect and preserve potentially relevant data, thereby avoiding the problems of the defendants in the Zubulake cases, to issue and track legal holds and conduct online surveys of custodians, thereby avoiding the problems in Pension Committee, and to properly preserve metadata, thereby mitigating the problems in NDLON v. ICE. (As Judge Scheindlin noted, “[b]y now it is well accepted, if not indisputable, that metadata is generally considered to be an integral part of an electronic record.”)  As we pointed out earlier, EnCase eDiscovery is an in-house e-discovery system that can handle all types of matters, without disrupting an organization’s business or impacting its security protocols.  Instead of capacity limitations, it has no constraints on usage.  Instead of unknown future charges, it delivers cost certainty. 

Patrick Zeller is vice president of e-discovery and deputy general counsel at Guidance Software.  
 

We saw Clearwell’s announcement of its new Legal Hold Module last week, and we have to say we are in wholehearted agreement that full-fledged Legal Hold capabilities (Hold Notices, Auto-Reminders and Auto-Escalations, Online Custodian Surveys, and Automated Tracking and Reporting) are part-and-parcel of any comprehensive electronic discovery system for in-house use.  Given the critical nature of legal holds in fulfilling preservation duties, this may seem obvious – and it’s why EnCase has offered integrated legal hold capabilities for over two years now, since March 2009.  Indeed, if a system claiming to provide in-house electronic discovery does not offer these capabilities, it should be summarily disregarded.

Of course, there is other – perhaps just as obvious – critical functionality for an in-house electronic discovery system.  It goes without saying that any system must provide the in-house team with the means, broadly speaking, to collect data, process it, and view it.  However, when looking at the specifics of available systems, it is clear that without full-featured capabilities in the following areas, an in-house electronic discovery system is a mere illusion, an abstraction, with the name “e-discovery” but without the means to actually accomplish the necessary tasks:

-- First, an in-house electronic discovery system should be able to handle all types of cases – there shouldn’t be a class of cases that it simply cannot act upon.  For example, there are a set of cases – such as IP theft, FCPA, fraud, or employee disputes involving allegations of discrimination or harassment – in which hidden data may be critically important.  Electronic discovery systems that rely on the computer operating system (such as Windows) can “see” only what the operating system presents to them, so this critical evidence can be missed entirely.  Because of this, for an entire set of sensitive cases, systems that rely entirely on the operating system simply cannot be used.  When choosing an electronic discovery system, why deploy a solution that can handle only some of your cases, when you can deploy a solution that can handle them all?

-- Second, an in-house electronic discovery system should disrupt the organization’s business as little as possible.  Litigation is always somewhat disruptive, but the legal department and IT team tasked with gathering data are used to and can handle that disruption.  What is crippling is when ordinary employees cannot focus on business because of litigation. Electronic discovery systems that rely on the operating system to find and collect potentially relevant data not only cannot find hidden data, but they cannot even collect files that are in use by the custodians – for instance, every custodian will have to exit from Outlook before you can search and collect their PSTs.  Imagine the scenario for frequent custodians . . . good luck calling the CEO repeatedly to tell him to get out of Outlook, or calling the CFO over and over again to tell him to close his spreadsheet so you can search it – why deploy a solution that requires you to harass your custodians, when you can deploy a solution that does not bother them at all?

-- Third, an in-house electronic discovery system should offer the ability to enhance your position by cleaning up data before litigation strikes.  There is a reason that the very first box in the EDRM is labeled “Information Management” – in order to reduce data volumes, cost, and risk, it is advantageous to get rid of outdated data, yet many systems claiming to offer in-house electronic discovery offer no capabilities whatsoever when it comes to cleaning up data from laptops, desktops, and servers.  With EnCase you can get rid of data that is no longer needed; why deploy a system that can focus only on the case at hand, when you can deploy a system that also offers the capability to identify and clean up problematic data?

-- Fourth, an in-house discovery system should be able to process your data without missing potential evidence.  For instance, suppose you want to run a compound search – say, “(dog or cat) w/5 (house or tree or yard)” – across your custodians’ data, and a key custodian sent an email that had as an attachment a zip file, in which there was a Word document, and in that Word document there was a spreadsheet, and in that spreadsheet there was a PowerPoint presentation . . . there are so-called electronic discovery systems being marketed today that would not search that PowerPoint presentation at all – with embedded documents, they only search two or at most three levels deep, and they don’t even tell you about that limitation, so you review your results thinking you’ve searched the data set, when in fact you’ve only searched some of it.  There are other systems that cannot even run the kind of compound search shown above – the kind of search lawyers have been running for years in Lexis and Westlaw.  Again, why deploy a partial system when you can deploy a full-featured system that gives you the confidence you need to make case decisions?

-- Fifth, when you use an in-house electronic discovery system, you shouldn’t have to worry about metadata – the system should automatically preserve all file and email metadata, so that you can avoid haggling with your opponent about which metadata fields are relevant, and, more importantly, avoid the problems that have befallen litigants who failed to properly preserve metadata.  When it comes to metadata, if you use an in-house electronic discovery system worth its salt, properly handling metadata is not difficult and is not something that should worry you; if you don’t use such a system, however . . .

-- Finally, an in-house electronic discovery system should not limit your capacity or number of cases.  The whole idea of bringing the electronic discovery process in house is to reduce risk and lower cost; the old approach of outsourcing led to operating expenses skyrocketing whenever a large case hit.  If you are bringing electronic discovery in house, why buy a solution that charges you by the volume of data, or, even worse, only provides you with a set amount of data capacity, when you can buy a comprehensive solution for a fixed price that lets you tackle an unlimited number of cases and an unlimited amount of data?

Victor Limongelli is Guidance Software's president and chief executive officer. 

With powerful automation capabilities, a streamlined user interface, and optimized case management, EnCase Forensic v7 will transform how you perform investigations. You told us what you wanted – and we listened. Guidance Software Senior Vice President of Forensic Solutions Robert Botchek answers questions about the much-anticipated launch of EnCase Forensic v7.  

Q: How significant is the launch of EnCase Forensic v7? 

A: I believe this version of EnCase Forensic marks an important evolution for digital investigations. Simply stated, this is the most powerful and easiest-to-use version of EnCase Forensic ever developed. New automation capabilities push the boundaries of what was once thought possible, allowing users to get into the meat of the investigation quickly. We’ve built a new user interface and built in features to guide investigators through the complex digital investigation workflow. With new email investigation capabilities, users can gain valuable insight into the context of a conversation allowing them to complete email investigations quickly and easily.

Q: What are the new features of EnCase Forensic v7? 

A: Just a few of the game-changing features we’ve added:
 

• A new intuitive, streamlined  user Interface
• Powerful automated processing Capabilities
• Unified search  for fast evidence identification
• E-mail review the Way You Want it
• Integrated Smartphone Acquisition
• Lightning-Fast Case Access
• Optimized hardware usage for increased Scalability

At the core of EnCase Forensic v7 is our commitment to robust file and operating system support. With version 7 you will be able to investigate more file systems and operating systems than ever before.

Q: Where can I learn more about these Features? 

A: There is a new page on the Guidance Software website dedicated to EnCase Forensic v7. Check back often as we will be adding new information frequently. Additionally, we will also be scheduling a v7 webinar in the near future.

Q: When is EnCase Forensic v7 being released? 

A: EnCase Forensic v7 is scheduled for release later this year and we plan to announce the actual release date in the near future.

Q: When v6 was released Guidance Software went on a road show to show off the new version, are you doing a road show for v7? 

A: Yes, we are doing an extensive EnCase Forensic v7 road show. We have selected a number of cities already and will be sending out invitations to our customers around those locations. 

Q: Are both EnCase Forensic v7 and EnCase Enterprise v7 being released at the same time? 

A: No. The initial release of v7 is EnCase Forensic only. EnCase Enterprise v7 will follow shortly thereafter.

Q: Can customers participate in a public preview of EnCase Forensic v7?  

A: Yes. Any EnCase Forensic v6 customer with a valid dongle can register to participate. I encourage anyone interested in test driving this new version of EnCase Forensic themselves to sign up.

Q: What if I want to buy EnCase Forensic now?  

A: No problem. If you buy EnCase Forensic plus SMS now, you will get v7 when it is released. Better yet, for a limited time, you can purchase EnCase Forensic Deluxe for the price of EnCase Forensic. Not only will you get all the deluxe modules, you will also receive the new EnCase Smartphone Examiner application at no additional charge. That’s more than $1,400 in savings, and you will be ready for v7. 

Q: Any final comments on EnCase Forensic v7?  

A: EnCase Forensic v7 is our opportunity to show forensic examiners, investigators, and the forensic community as a whole, that Guidance Software values the work they do and is committed to delivering solutions that make their jobs easier. This will be an exciting launch, stay tuned…

If you're on Twitter... the EnCase Forensic v7 hash tag is #EF7. Click here to Tweet “I just got introduced to @EnCase Forensic v7 #DFIR #EF7.”
  

Learn more about EnCase Forensic v7. 

Sign up for a EnCase Forensic v7 sneak peek in a city near you. 

There's a clear advantage in doing things early. For example, if you wake up early, you can beat rush-hour traffic. Starting a project early means you're less likely to be short on time to finish it. The same applies to electronic discovery. The earlier you can get your hands, and head, wrapped around your corpus of data, the better you can anticipate costs, allocate resources, prepare to negotiate with opposing counsel, make case-strategy decisions and minimize overall expenses.

But early case assessment (ECA), as this technique is called, wasn't always possible. In e-discovery's infancy, legal professionals were grateful just to have a roadmap that could describe the complex process needed to get from document collection to production. The EDRM provided a fairly linear path that discovery professionals could travel down to reliably and defensibly respond to discovery requests.

But as costs associated with e-discovery began to escalate, a new concern arose. No longer was the challenge merely to produce responsive, non-privileged documents from a collection of potentially millions of files; now the challenge was to produce responsive, non-privileged documents in the most cost-effective manner possible.

Because processing and reviewing documents equates to large increases in overall e-discovery costs, the obvious solution is to reduce the amount of information that needs to be processed and reviewed. However, this means that documents must be siphoned out during collection or, ideally, before collection. Just a couple years ago, such a notion would have seemed impossible. How could legal professionals derive usable insights without actually taking the time to collect, process and review the data?

Today, ECA presents a solution to this problem. ECA allows legal personnel and discovery professionals to reap insightful metrics from largely unsorted, unprocessed collections of data. With these insights, the legal team can identify key custodians and issue legal hold notices, develop keyword lists, test and perfect search criteria, identify relevant data sources and formulate a strong case strategy. Plus, by distinguishing percentages of potentially responsive data versus likely non-responsive data, professionals can surmise overall costs before embarking on a potentially expensive discovery process.

The most effective ECA solutions allow professionals to deploy pre-collection analytics to get data insights as early in the discovery process as possible, even before collection takes place. In addition, these solutions should allow analysis and first-past review to take place at any point in the EDRM, which helps to cull down data sets and reduce outside review costs. By combining these two functions—pre-collection analytics and flexible analysis and first-pass review—legal professionals can expedite the discovery process and greatly reduce overall e-discovery costs.

Learn more about how you can harness the power of ECA with EnCase eDiscovery (PDF).  

Learn more about EnCase eDiscovery. 

The EnCase Certified Examiner (EnCE) program provides a world-class certification to help examiners receive recognition in court, in the work place and with their peers; for their skills, knowledge, experience and training in EnCase technology and best practices. As it nears its 10th anniversary, the EnCE is the most widely held certification in the world for computer forensics; and continues to evolve, be sought after and respected.
 
Soon, the 3,000th examiner will earn the EnCE designation. Who will it be? In celebration of this milestone, we have a prize for both existing EnCE examiners and for our lucky 3,000th certified examiner.
 
Guidance Software is pleased to announce it will recognize this milestone in the history of EnCase technology and the profession of computer forensics by honoring the 3,000th EnCE at CEIC 2011, the leading conference for digital investigations! CEIC is May 15-18 at the Loews Royal Pacific Resort at Universal Orlando. Register for CEIC. 

 
The 3,000th EnCE will receive a complimentary pass to CEIC, hotel accommodations and a roundtrip ticket* to Orlando. He or she will also be honored at CEIC for this accomplishment, representing all those who earned the EnCE designation the past decade, and those who are investing in themselves by working toward certification.

Learn more about the EnCE and the EnCEP (EnCase Certified eDiscovery Practitioner) programs. 

Are you already an EnCase Certified Examiner?  

But we also want you to help the new examiner to get started, so we’re offering a chance at a free Tableau Modular Storage System for providing some good advice to our 3,000th examiner (and others). The new Tableau Modular Storage System gives forensic investigators the storage capacity they need to handle large cases in the field. (Note: It fits under the seat in front of you or in one of the overhead bins!)

All you need to do is “Like” the Guidance Software page on Facebook and leave your best advice in a sentence or two. Keep it professional and upbeat.  Sometime before CEIC (May 15) we’ll do a random drawing of all of the entries, and if you are picked (and are an EnCE examiner) you win!

Update (March 25, 2011): Justin Leri earned the prestigious EnCase Certified Examiner (EnCE) designation and became the 3,000 person to do so. Read more here.

Jessica Bair is senior director of curriculum development at Guidance Software. 

Legal Notice:
You alone are responsible for your content, and you recognize that you may expose yourself to liability if, for example, your content contains material that is false, intentionally misleading, or defamatory; violates any third-party right (including any copyright, trademark, patent, trade secret, moral right, privacy right, right of publicity, or any other intellectual property or proprietary right); or contains material that is unlawful. You represent that you own, or have the necessary permissions to use and authorize the use of your content. When you submit your content to Guidance Software, you are also irrevocably granting to Guidance Software world-wide, non-exclusive, royalty-free, sublicensable, transferable, perpetual rights to use, distribute, modify, and create derivative works of your content for any purpose. The opinions expressed herein are those of the individual poster and do not necessarily reflect the views or opinions of Guidance Software, Inc. 

*Guidance Software will cover up to three nights lodging in a standard room at the host hotel, the Loews Royal Pacific Resort (not including incidentals) and airfare up to US$500.00.  

Rarely are options a bad thing. We tend to favor restaurants with diverse menus. Cable television provides us with hundreds of channels. And the Internet is a vast patchwork of blogs, social networking sites and homepages.

But too many choices can be overwhelming. In a sea of options, how do you find what you're really looking for? And how do you know that what you choose is the best option? 

This dilemma is currently being played out in the e-discovery space. Over the last couple years, the e-discovery market has seen a boom in software offerings. Never before have legal and IT professionals had so many options when it comes to e-discovery technology. Although this empowers e-discovery professionals with more choices, it also makes the procurement process more difficult.

As in-house counsel and IT personnel shop around for the right solution for their company, they should keep in mind a list of criteria. Some of this criteria are universal, applying to virtually all companies regardless of industry or size. Other criteria are unique. After all, the needs of companies at the top echelons of the Fortune 1000 are not the same as those at the bottom.

So what criteria should you use when selecting an e-discovery solution?

One of the most basic criterion you should consider is the vendor's pedigree. This is a universal consideration, one that all companies should investigate prior to making a software purchase decision.

There are several reasons why vendor pedigree is important. First, there are extreme consequences for failing to conduct e-discovery in a reliable and defensible manner. You need to partner with an organization that has a proven track record of assisting in the execution of a defensible e-discovery process.

Additionally, a company's e-discovery needs will likely change over time. Changes to the industry, growth within the company and increases in litigation may all necessitate tweaks to e-discovery software. A vendor that can adapt to these changes is critical.

Also, switching e-discovery vendors can present an enormous cost. Yet, if your software provider bows out of the market, you will be left with little choice but to browse for a new solution. That is why a financially sound, veteran vendor is ideal.

When shopping for an e-discovery solution, you should take the following steps to assess the vendor's pedigree: 

- Obtain statistics on the vendor that address its financial health and longevity. Important figures include information related to its finances, number of clients and years in business. Additionally, your vendor should have extensive experience in e-discovery.

- Search for independent industry endorsements that ensure you're dealing with a "trusted vendor." Important resources include awards, certifications, judicial court references and customer references.

- Make sure the vendor possesses a wide range of service offerings. This will ensure it can meet your changing needs. Things like training, certifications, pre- and post-deployment services, and casework and staff augmentation services are traits of an adaptable vendor.

- Ensure the vendor has an internal team of e-discovery experts, not just one or one that does this part-time as part of their corporate legal duties. The e-discovery space is far from static. Court opinions continue to alter the rules of the game. A vendor with internal experts can address these changes with new, more robust service offerings and features.

- Understand the vendor's support model, including technical expertise, staff accessibility, hours of operation and escalation process.
 
Read more about how to choose the right in-house e-discovery solution. 

Subscribe to and download Real eDiscovery Magazine. 

Learn about EnCase eDiscovery. 

Russ Gould is director of product marketing at Guidance Software.
 

The biggest conference in the security industry, RSA Conference 2011, wrapped up last Friday in San Francisco. If attendees arrived feeling relatively confident that they could secure their systems from attack, they certainly didn’t leave that way.

After a week of keynote addresses and sessions that detailed the weaknesses within everything from smart phones to wireless networks, cloud computing architectures, to traditional LANs and endpoints, NSA and Cyber Command director Gen. Keith Alexander made it clear that today is a crucial moment in IT security. Attackers are growing more sophisticated and so is the malware they deploy. Not that anyone had any doubt after we continued to learn about the advanced capabilities of the Stuxnet worm.
 

Gen. Alexander believes that while many advanced digital attack tools have been created, we’ve yet to see them. "Most of the destructive tools being developed haven't been used; we need to use this window of opportunity to develop defenses," he said to a full audience.
 

That same message echoed the points make by Deputy Secretary of Defense William Lynn III, who issued similar warnings about the abilities of attack software to damage critical infrastructure such as water supplies and power plants.
 

That kind of capability means that nation states can target critical infrastructure and industrial systems. And the viability of such attacks, and what to call them, was the subject of debate at the Cyberwar Panel – Cyberwar, Cybersecurity, and the challenges ahead.
 

The panel was moderated by James Lewis, director and senior fellow at the Center for Strategic and International Studies. Panel members included Michael Chertoff, former secretary of Homeland Security; Bruce Schneier, chief technology security officer at BT; and McConnell, former director of national intelligence and former director of the NSA.

Not surprisingly, the panel had a tough time being able to define exactly what cyberwar is – and what triggers it. They did agree, generally, that there is a lot of danger out there that we need to defend against. CSIS’ Lewis put it this way: “We are not in a state of cyberwar, but we are in something that is dangerous.”
 

Dangerous our networks have indeed become.  

So dangerous, in fact, that we can’t focus all of our efforts on defense alone: the stakes of a successful infiltration are just too high. We need to also focus on being able to find and stop covert, stealth-like behavior on our networks. That’s because while persistent attackers using advanced malware techniques such as targeting zero-day vulnerabilities can be stopped some of the time, it’s unlikely they can be stopped 100 percent of the time. (Check out this video of the RSA Conference 2011 Cyberwar panel. It’s worth a watch.)

Cyberwar wasn't the only manifestation of advanced threats at the show. McAfee released a fascinating report that detailed the so-called Night Dragon attacks that targeted the energy sector. The attackers were, reportedly, after oil and gas reserve information. The Night Dragon attacks were widely discussed during the show.
 

IT security analyst Richard Stiennon recently provided an interesting timeline on attacks stemming from China, dating back to the 2004 Titan Rain incident. From the nearly one-dozen attacks, Stiennon gleaned the following from a trail of attacks that have all come from China, and target state departments, military, the IT industry, as well as critical natural resources: 

 

These industries should be on high alert and take extraordinary measures to first determine if they have already been compromised, and then lock down their environments. Tools such as Damballa, FireEye, Guidance Software, and Netwitness should be deployed immediately to detect “beaconing” connections from inside their networks to command and control servers. Web application firewalls from Application Security, F5, or Imperva should be deployed in front of exposed web resources.  Whitelisting products from Bit9, Coretrace, Lumension, or Savant Protection should be trialed immediately on executive laptops. (emphasis added)

 

We certainly agree that defeating advanced threats requires extreme diligence, a solid risk management program, and a layered set of defenses and advanced incident response capabilities. 

Learn more about EnCase Cybersecurity. 

Read the whitepaper, "How 3 Cyber Threats Transform the Role of Incident Response." 

Anthony di Bello is product marketing manager at Guidance Software.  

Richard Lutkus is an e-discovery litigation attorney at Seyfarth Shaw in Chicago. Prior to assuming his position at the firm, he entered the legal industry with a passion for both law and technology. However, even though Lutkus possessed advanced legal and technical knowledge, he didn't have a formal background in computer science. To bolster his skills in the area, Lutkus decided to enroll into Guidance Software's EnCase Certified Examiner (EnCE) program and the EnCase Certified eDiscovery Practitioner (EnCEP) program.

The EnCE certification program provides public and private sector professionals with formal training in the use of Guidance Software's EnCase computer forensic software. By becoming EnCE certified, professionals show that they have mastered computer investigation methodology as well as the use of EnCase during complex examinations.

Seeking additional experience, Lutkus became an EnCEP earlier this month. The EnCEP program certifies professionals in the use of Guidance Software's EnCase eDiscovery software, as well as their proficiency in e-discovery planning, project management and best practices spanning legal hold to load file creation.

We caught up with Lutkus and spoke with him about his EnCE and EnCEP certification experiences.

Q: Why did you decide to seek out certification to become a certified computer forensics examiner?

A: I decided to pursue a program mostly because I was kind of a self-taught expert in the area. I didn't have a degree in computer science that would lead people to believe I was really good at this. I went to law school and had an interest in technology, but I needed to prove to people that I knew what I was doing. So, I decided to gain some formal qualifications.

Q: Why did you choose the EnCase Certified Examiner program over other certification programs?

A: I went with Guidance's EnCase Certified Examiner certification program because they were more of a market leader in this area than other certification course providers. Also, they have a more recognizable name and are highly respected in the e-discovery/computer forensics space. Additionally, the principles I was learning would be applicable to any software, not just EnCase. It was kind of a no-brainer for me.

Q: How would you describe your experience in the certification program?

A: I found the program comprehensive. There's a lot of good introductory information and higher-level information. I especially liked the EnCase EnCE Prep Course. That really helps refresh your memory about all the information you learn, prior to taking the certification exam. I also had a lot of fun in EnCase Network Intrusion Investigations and the Certified Ethical Hacking classes. Overall, it was a really good experience.

Q: How do you use the knowledge you acquired through the EnCE certification program in your current position?

A: Within Seyfarth Shaw's e-discovery group, I do a lot of work related to information security and computer forensics. Many of the matters I work on are trade secret cases where you have employees leaving a company and taking customer lists and other business data. I've been doing that work pretty much since I got my certification, which was two-and-a-half years ago. Most of what I do day-to-day involves EnCase. In fact, there isn't a day that goes by where I don't use the software. I would not be able to do many of the job functions I currently perform, without having taken the training courses and becoming certified.

Q: Why did you choose to pursue EnCEP certification? How do you think this will help you with your current job functions?

A: I pursued it because getting certified was a challenge personally. I also use Guidance Software's e-discovery product regularly. Receiving this certification has set me apart. I was already in a small group of attorneys with my EnCE certification. I'm part of an even smaller group now with my EnCEP certification. This helps show clients that I'm at the forefront of the industry; and I have achieved a very difficult and respected certification that shows my proficiency in handling their electronically stored information (ESI).

Q: What would you say to other professionals who are interested in becoming certified examiners?

A: I think they need to make a conscious effort to be realistic about the time commitment. You really have to dedicate yourself to these classes and immerse yourself, if you want to get the full value of the education. You also should practice using the software to familiarize yourself with it. Even if you don't have EnCase, you can still practice on free forensic tools to get an understanding of terminology. Also, Guidance and its partners now offer on-demand training, which facilitates people with busy schedules.

Learn more about the EnCase EnCE and EnCEP certification programs. Review the comprehensive list of training course offerings.

Learn more about EnCase eDiscovery.   

Everything Channel's CRN has named Guidance Software’s Allison Ash, who is vice president of worldwide channel sales, a 2011 Channel Chief.

CRN defines Channel Chiefs are leaders in creating effective channel programs for solution providers. They consistently defend, promote and execute effective channel partner programs and strategies. 

“2010 was a year of significant growth for Guidance Software and its partner program, and I’m honored to see that our efforts have been recognized by Everything Channel’s CRN,” said Ash. “As we move forward in 2011, we will continue our dedication to the success of our channel partners.”

“Being named a Channel Chief is one of the most prestigious honors in the IT industry.  This year’s Channel Chiefs offer tremendous insight into the who’s who of the Channel,” said Kelley Damore, vice president, editorial director, Everything Channel. “Top channel executives consistently ensure that the Channel’s voice is heard when strategic decisions are being made and continually nurture mutually profitable relationships. We applaud this year’s Channel Chiefs for their successful partner programs and strategies.”

As vice president of worldwide channel sales, Ash is responsible for building and directing channel strategy and programs for the leader in digital investigations. She has been instrumental in the implementation of the company’s new Guidance Global Partner Program, which gives channel partners the ability to build new service practices or augment existing practices around EnCase Cybersecurity.

This year’s Channel Chiefs were chosen based by Everything Channel editorial on criteria including policy and program innovations made during the past year, the amount of revenue their company generates through partners, their willingness to speak out publicly on behalf of the channel, and the number of years they have dedicated to channel activities.

Click here for additional information on the CRN Channel Chief list. 

Read more information on becoming a Guidance Software channel partner.  

Last week, Guidance Software announced earnings results for 2010. We had a strong end to a record year. We experienced solid demand for EnCase eDiscovery version 4, which was released in late August, as well as our EnCase Cybersecurity offering. Looking to 2011, we expect continued improvement in the e-discovery and Cybersecurity markets, as well as our core forensics space.

Our strong results validate our belief that there is an increasing need among corporations and government agencies to get a handle on their unstructured, unmanaged data. We believe that this is a long-term, multi-year trend.

Devices are multiplying and unmanaged data is growing. 

Over the next three years, researchers estimate that more than 1.2 billion laptops and desktops will be sold, and an equal or higher number of smart phones will be sold, along with tens of millions of servers and tablets. This multiplication of devices brings with it the propagation of digital data – companies and government agencies find themselves with business data everywhere. This unstructured and unmanaged business data – and the lack of visibility into the data – causes meaningful business problems. First, it causes business problems when the company is sued and it needs to gather data for electronic discovery. Second, it causes business problems when the company needs to conduct an internal investigation, for HR, compliance, or other purposes. Third, it causes business problems, and creates risk, when sensitive data is stored in unauthorized locations, or when unapproved applications are running on devices. 

EnCase provides visibility.
Our EnCase software solves these problems, and it does so by attacking the underlying situation –  by providing visibility to the endpoint, so that the business problems can be addressed. We package our products around specific business problems, such as eDiscovery or Cybersecurity, but at a fundamental level we provide a platform that delivers visibility to the endpoint.  Visibility into the data stored, the applications running, and the activity occurring on the endpoint – laptops, desktops, and servers, but also content management systems, smartphones, and cloud applications.

Given the proliferation of endpoints that is underway, we believe our platform will become increasingly valuable. From a central location we can reach the computing environment that exists – we deal with the world as it is and the world that is emerging– with data everywhere, and easily accessible to employees – not the world as people wish it to be, wishing they had everything in a centralized repository of data that is protected and tightly controlled. We provide visibility into that computing environment, and enable accurate decision-making and the rapid actions necessary to meet compliance obligations, reduce risk, and secure an organization’s assets.

Learn more about EnCase Enterprise, EnCase eDiscovery, EnCase Cybersecurity, and EnCase Forensic.

Read our earnings release. 

Victor Limongelli is Guidance Software's president and chief executive officer. 

The world leader in digital forensics brings you the best training available on critical, real-world issues to provide end-to-end solutions from seizure and acquisition to full digital analysis.  We have added three new classes to our curriculum to ensure that you have the knowledge to use our powerful forensic tools to their utmost capabilities:

EnCase® First Responder Training -- Corporate and criminal investigators must be prepared to identify and to collect digital evidence as examiners alone cannot meet the overwhelming demand.   We will teach your personnel to act as first responders who can identify, seize, search and collect digital evidence. Participants will learn how to acquire this evidence using both software and hardware acquisition tools as well as how to search and to collect digital evidence using EnCase Portable and Tableau forensic bridges. Learn more about the EnCase First Responder Training.  

EnCase Portable Configuration and Examinations -- EnCase Portable is a pocket-sized USB device for digital evidence collection and triage. It is designed to allow any person with basic computer skills to search, collect, and review data. The class provides you with the skills necessary to properly configure, deploy and examine the results of the EnCase Portable. Once configured, a first responder can deploy this device for in-field acquisitions and e-discovery collections. Learn more about the EnCase Portable Configuration and Examinations.  

EnCase Macintosh/Linux Examinations -- This new course marks a departure from the world of Microsoft Windows.  It is dedicated to the examination of Apple Macintosh products, including the iPad.  Computer users are attracted by the design of the Macintosh, its UNIX-like stability, ease of use, and its ability to run Microsoft Windows. Apple products are increasingly popular in both corporate and private environments. According to Apple’s earnings release, 4.13 million Macs were sold in the quarter ended December 25, 2010, a 23 percent increase over the year ago quarter, as well as a record 7.33 million iPads, compared to 4.19 million iPads in the previous quarter. This class capitalizes on the similarity of Mac OS X and Linux and brings the examination of the two operating systems together.  Notwithstanding the dual nature of the course, its prime focus is on Macintosh examinations. Learn more about EnCase Macintosh/Linux Examinations.  

For a complete listing of our courses, including prerequisites, descriptions and pricing, please go to: http://www.guidancesoftware.com/computer-forensics-training-courses.htm. 

Tracy Simmons is director of training operations and business development at Guidance Software.  

SC Magazine named Guidance Software's EnCase Forensic Best Computer Forensics Tool at a ceremony held this week in San Francisco in conjunction with the RSA Conference, the world's largest information security event. This is the second consecutive win for EnCase Forensic.

With more than 650 entries submitted in 31 categories, the 2011 SC Awards honor the professionals, companies and products that help fight today’s most pressing IT security threats, and to showcase industry innovation. A panel of judges comprised of SC Magazine readers selected Guidance Software’s EnCase Forensic over competing solutions.

The computer is an infallible witness; it cannot lie. Digital evidence contains an unfiltered account of a suspect’s activities, recorded in his or her direct words and actions. This type of evidence can provide the pivotal data investigators need to turn an open investigation into an open and shut case. In order to obtain and analyze this information in a rapid, cost-effective manner, investigators need a solution to help them produce evidence for existing charges, identify accomplices, add to charges and/or counts and provide leads for other unsolved investigations. Guidance Software’s EnCase Forensic provides investigators with a powerful platform that collects digital data, performs analysis, reports on findings and preserves them in a court vetted, forensically sound format.

“The need for computer forensic tools for both corporate and law enforcement is rapidly growing with the proliferation of laptops and new corporate network-connected devices like iPads other tablets and smart phones,” said Robert Botchek, senior vice president, Forensic Solutions at Guidance Software, Inc.. "With more than 35,000 copies of EnCase Forensic sold worldwide, Guidance Software is dedicated to providing the leading forensic investigation tool as well as the industry’s best training and certification programs.  We're honored that IT professionals and readers of SC Magazine have selected EnCase Forensic as their top choice in the category of computer forensics."

Guidance Software offers EnCase and Tableau forensic products along with training to help digital investigators perform effective triage, collection, analysis, and archiving of electronic data.

Learn more about EnCase Forensic software, training and certification.

Federal District Court Judge, Shira A. Scheindlin of the Southern District of New York, author the Zubulake opinions as well as last year’s seminal Pension Committee case, has written another landmark opinion regarding e-discovery with National Day Laborer Organizing Network v. United States Immigration and Customs Enforcement Agency, 2011 WL 381625 (S.D.N.Y. Feb. 7, 2011).  The case is in the context of Freedom of Information Act (FOIA) requests.  In a matter of first impression, Judge Scheindlin holds that “metadata maintained by [an] agency as part of an electronic record is presumptively producible under FOIA, unless the agency demonstrates that such metadata is not ‘readily reproducible.’”  Slip op. at 18 (emphasis in original).   Judge Scheindlin makes further findings as to fields to be included in load files for FOIA productions.  The opinion underscores the importance of ESI preservation and production that preserves original metadata.

Read the full Court decision here.

The Plaintiffs had requested FOIA records from four government agencies --- Immigration and Customs Enforcement (“ICE”), Department of Homeland Security, the FBI, and Office of Legal Counsel.  The records related to a collaborative program called Secured Communities, where ICE and the Department of Justice enlist states and municipalities with the enforcement of federal immigration law.  The Defendants’ FOIA response included five .pdf files totaling less than three thousand pages.  The Plaintiffs objected that the data was (1) produced in an unsearchable format, (2) that the electronic records had been stripped of all metadata, and that (3) the paper and electronic records were merged together in the .pdf file.

Judge Scheindlin first notes that FOIA requires agencies to provide records “in any form or format requested by the person if the record is readily reproducible by the agency in that form or format.”  Slip op. at 7 (citing 5 U.S.C. § 552(a)(3)(B)).    While the Electronic Freedom of Information Act Amendments of 1996 (“E-FOIA”) recognize the need for government agencies to “use new technology to enhance public access to agency records and information,” the Court found little caselaw defining “readily reproducible.”  Id.   Judge Scheindlin further notes that caselaw has established that (1) “metadata is generally considered to be an integral part of an electronic record,” and (2) when a collection of static images (e.g., .tif files) are produced, load files must be produced to make the production searchable and reasonably usable.

Turning to the facts of the case, the Court found that the Defendants were on sufficient notice that Plaintiffs requested spreadsheets in native format and text records as separate, i.e., single files.  Defendants failed to respond to Plaintiffs’ offer to discuss the format of production.  Instead, Defendants produced all records non-searchable .pdf format., merging all records, and failing to produce e-mails with attachments.   The Court concluded that this production failed to satisfy FRCP 34 or FOIA. 

As for the remedy, the Court found that because Plaintiffs did not specifically request metadata, and because this was a case of first impression, it would not require the Defendants to reproduce all of the records with metadata.  The Court ordered the Defendants to re-produce all text records in static image single file format together with their attachments, and all spreadsheets in native format.  For future productions, the Court directed a protocol where the bulk of files would be produced in .tif image format with load files containing certain specified fields of metadata and spreadsheets would be produced in native format.   The Court carefully noted that this protocol was specific to this case, but that FRCP 34 requires that records be produced in a reasonably usable format, “which at a minimum requires searchability.”  Id. at 23 n. 44. 

The significance of the opinion is that the Court announces that metadata presumptively is producible under FOIA, and that the government has the burden to establish otherwise.   The Court’s particular concern was that the Defendants’ production of static images stripped of all metadata and lumped together without any indication of where a record begins and ends was unacceptable, regardless of whether or not metadata had been requested specifically.  Judge Scheindlin viewed the production as “an inappropriate downgrading of ESI.”  Slip op. at 24.  The Court concluded with an admonishment about  continued attorney failures to cooperate and communicate on these issues.

Clearly, the case law continues to point to the need to collect, preserve, process, and produce ESI load files in a forensically-sound manner that preserves metadata.  The best practice is to use EnCase eDiscovery to accomplish these goals by maintaining original native files throughout these processes. 

For e-discovery practitioners, it is critical that they select a solution that allows them to comply with the metadata requirements from these recent decisions.  Guidance Software’s EnCase eDiscovery preserves metadata at the point of collection in its original native format.  In fact, all of the metadata fields that Judge Scheindlin required in future productions by the federal government in National Day Laborer Organizing Network are preserved with EnCase eDiscovery.  Finally, EnCase eDiscovery produces its forensically-preserved collections in load file format, thereby, making it the only all-in-one solution that can comply with the standard set by this case, as well as similar state cases dealing with metadata productions.

Read the full Court decision here.

Learn more about EnCase eDiscovery. 

Daniel Lim is Senior Director and Associate General Counsel at Guidance Software. John Blumenschein is Senior Counsel at Guidance Software. Both are members of Guidance Software's e-discovery legal team. 

Gaining visibility into the endpoint has emerged critical for businesses and governments. Guidance Software Product Marketing Manager Anthony Di Bello discusses the role remote forensics plays and will play in the future.

Q: What are organizations using remote forensics for? 

 A: Organizations are using remote forensics to addresses regulatory requirements such as those imposed by Sarbanes-Oxley, respond to human resource policy violations, enforce computer usage policies, investigate IP theft, fraud and more.

Q: What five things should people know about remote forensics? 

 A:These five things are important:
- Traditional methods require a machine to be powered down, losing valuable information contained in RAM such as running processes, logged on user, open ports and more...things which can be critical to accurate closure of an investigation.

- Remote forensic capabilities allow for the covert investigation of computers to ensure that an employee is not tipped off that they may be the subject of an investigation.

- Remote forensic capabilities ensure immediate response, no need to ship hard drives or to travel to a remote location to perform investigations.

- Many regulations require the capability to perform internal investigations in certain cases, Sarbanes Oxley for example. Remote forensic technology facilitates this requirement and allows organizations to comply with the law in a swift, judicially-accepted manner.

- Remote forensic capabilities, once the domain of government agencies or large multi-national organizations have become far more affordable and easy to use for any organization that has a need to perform internal investigations. Learn more about Guidance Software’s EnCase Enterprise Starter Bundle.                                                                                                                                                

Q: How is gaining visibility into the endpoint critical for business and government organizations? 

A: Gaining visibility into the endpoint is critical for business and government organizations that place value on the data within their organization—pretty much everyone. The very nature of remote forensic capabilities allow for immediate disk level access to all the data stored on the device, regardless of how that data is stored on the system. This is valuable to understand things like what is running out in the environment, where and how sensitive data is stored on the endpoint and exactly what is running in the environment, whether it is visible or hidden to the operating system. The rapid proliferation of data has made this visibility difficult to achieve without a remote forensic capability in place.

Q: How has remote forensics changed over the years? 

A: Remote forensics really didn’t come into play until around 2004, when Guidance Software introduced EnCase Enterprise to the market. Previously computer forensics could only be performed on a “dead box” that is to say a machine that was disconnected from the network and powered down. There were many downsides to this approach for organizations, the least of which was accessibility to the device that was the subject of an investigation. Due to the complexity, many organizations did not have the bandwidth to perform digital investigations of any kind. In addition, over the past 5 years, more and more organizations have realized the pervasive need to perform remote investigations and we have seen remote forensics mature to the point where there are individuals and even entire departments within organizations designated to facilitate digital investigations.

Q: What role will remote forensics play in the future? 

A: As the field matures, remote forensics capabilities will be integrating more and more into existing systems and processes within organizations. As well there will be an increasing demand for professionals trained in the art of digital investigations to run these functions. Remote forensic needs will be an increasingly important component of every internal investigation whether they be initiated by human resources, legal, information security or IT as regulations mature to meet technology.

Learn more about Guidance Software’s EnCase Enterprise Starter Bundle. 

Learn more about EnCase Enterprise. 

"Targeted cyber attacks are increasingly pervasive, driven by criminal and state-sponsored activity, and are becoming increasingly advanced," writes Guidance Software Product Marketing Manager Anthony Di Bello in Government Security News.

Read the full story on the Government Security News website. 

Are you prepared? Guidance Software has put together a whitepaper on the subject. Understand the basics of Advanced Persistent Threats (APTs): what they are, how they work and how to mitigate them in this whitepaper.  

Learn more about EnCase Cybersecurity.  

Guidance Software’s new EnCase Academic Program helps institutions of higher education and professors train tomorrow’s digital investigator by providing essential tools to train students on computer forensics using the market-leading EnCase Forensic software.

"The need for digital forensic investigations is on the rise," said Andrew Hay, senior security analyst at The 451 Group. "As more and more public and private organizations, including law enforcement and corporate organizations, incorporate digital forensic tools into their internal and external investigation process, the need for trained professionals who understand the theory and practice of computer investigations is increasing."

To help academia handle the increased demand for new training and courses, Guidance Software's EnCase Academic Program includes everything an educational institution needs to incorporate EnCase effectively into their curriculum. In addition to classroom software, participants in the program can add a license of EnCase Forensic software and self-paced Internet-based on-demand training. This training mirrors the in-class instruction taken by more than 5,000 professionals annually at Guidance Software training facilities. Upon completion of their school's forensic program, students can opt to become an EnCase Certified Examiner (EnCE), giving them a competitive advantage as they enter the workforce.

"Guidance Software has a reputation for training in a range of computer forensic investigations and of course, for EnCase Forensic, their market-leading software for digital investigations," said Philip Anderson, senior lecturer and Programme Leader for the BSc (Hons) Computer Forensics degree at Northumbria University, located in Newcastle, United Kingdom. "Guidance Software successfully delivers training programs to thousands of industry professionals on a yearly basis and embedding this same professional training into our undergraduate degree ensures that our students are well prepared to enter the workforce upon completion of their studies."

"We've designed the new EnCase Academic Program with the students in mind," said Steve Salinas, product marketing manager, Guidance Software. "We've created a dynamic program that allows for flexible learning inside and outside of the classroom. It enables professors to provide their students with real-world simulated forensic investigations, using EnCase software, to give them the skills and hands-on experience they need to secure a job in the field computer investigations in both public and private organizations."

"As a student, one of my main concerns is finding a job after graduation," said David Caldwell, a student at Northumbria University. "EnCase Forensic is the tool of choice for many organizations, so having hands-on experience during our studies will help give us a competitive advantage over others in the market seeking employment in computer forensics."

The EnCase Academic Program is available today.

Learn more about the EnCase Academic Program. 

Learn More about EnCase Forensic. 

The IT security community can't get enough of Stuxnet. Speculation runs rampant on who and where Stuxnet was developed, why it was created in the first place. Security experts are now even debating the quality of the Stuxnet code itself.

We've started a new series on the Guidance Software Newsroom to highlight what's happening related to Stuxnet. Let's recap:

First, as we noted last week, the New York Times ran an interesting story that made the case that the development of Stuxnet was a joint U.S. and Israeli effort, and was successful in its mission:

 By the accounts of a number of computer scientists, nuclear enrichment experts and former officials, the covert race to create Stuxnet was a joint project between the Americans and the Israelis, with some help, knowing or unknowing, from the Germans and the British.  

Not everyone agrees. Forbes blogger Jeffrey Carr has built a case that there is a Chinese Stuxnet connection:  

As far as China goes, I’ve identified 5 distinct ties to Stuxnet that are unique to China as well as provided a rationale for the attack which fits China’s unique role as Iran’s ally and customer, while opposing Iran’s fuel enrichment plans. 

 Most experts believe Stuxnet targeted Iran's controversial nuclear program. However, in this USA Today column, experts think Stuxnet may actually have targeted North Korea's nuclear weapons program. It's also theorized in that column that Stuxnet was derived from the infamous Conficker worm. 

Conficker, you may recall, was noisy, focused randomly on home and corporate desktop PCs, and grabbed headlines in big media, including coverage by 60 Minutes. 

 

By contrast, Stuxnet is stealthy, aimed primarily at large factory systems, and has mostly been written about in trade media. Conficker, it seems, could possibly even have been the beta-version of Stuxnet. 

Meanwhile, while many experts have lauded Stuxnet as a well-crafted worm, others came out this week and said it was loaded with mistakes and sloppy.  In this post, cryptography expert Nate Lawson, cited a number of what he considers mistakes in how the worm was crafted: 

First, there appears to be no special obfuscation. Sure, there are your standard routines for hiding from AV tools, XOR masking, and installing a rootkit. But Stuxnet does no better at this than any other malware discovered last year. It does not use virtual machine-based obfuscation, novel techniques for anti-debugging, or anything else to make it different from the hundreds of malware samples found every day. 

Second, the Stuxnet developers seem to be unaware of more advanced techniques for hiding their target. They use simple “if/then” range checks to identify Step 7 systems and their peripheral controllers. If this was some high-level government operation, I would hope they would know to use things like hash-and-decrypt or homomorphic encryption to hide the controller configuration the code is targeting and its exact behavior once it did infect those systems. 

Interesting take.

Eventually we may know for sure who crafted Stuxnet, how they did it, and what it was targeting. For now, we're probably going to continue to get a steady stream of conjecture. And while it's important to stay informed about malware such as Stuxnet – it's important not to become too focused on it.

That's because the focus belongs on securing your own critical systems to ensure they're protected from such attacks – no matter who develops them or why.

Learn more about EnCase Cybersecurity.

Guidance Software today announced a new forensic tool for the Apple iPad, iPhone 4 and iPod touch, giving digital investigators the ability to perform forensic analysis and e-discovery on the tablet that one in five Americans plan to buy over the next six months as well as other popular Apple devices.

According to a November survey of 1,641 business information technology buyers, corporate use of tablet devices is set to double in just the next three months. Despite the flood of new tablets hitting the market, the Apple iPad remains the overwhelming choice of business buyers going forward – with nearly four-in-five (78 percent) respondents saying their company plans to purchase Apple iPads.

The iPad, iPhone 4 and iPod touch frenzy on both the consumer and corporate fronts accelerates the need for law enforcement, security analysts and e-discovery specialists to review and collect forensic data from these popular devices. As a result, Guidance Software has expanded the mobile device support in the latest version of EnCase Neutrino to help customers acquire critical data from these devices in a matter of minutes.

“As we do digital investigations, we’re encountering more Apple devices including iPads and iPhones,” said Detective Andy Kleinick, Officer-in-Charge, LAPD, Computer Crimes Unit. “EnCase has been our primary digital forensics software for more than ten years. By supporting these popular devices Guidance Software will greatly assist my Department in collecting and analyzing these new forms of evidence through a court-vetted and effective tool.”
 
“Few organizations allow the connection of personal computers to a corporate network but, for some reason, many are fine with allowing employees to bring personal smart phones into the office – some going so far as to allow Wi-Fi-capable devices to connect to the corporate wireless network,” said Andrew Hay, senior security analyst, Enterprise Security Program for The 451 Group.  “With this new support for iPhone and iPad, Guidance Software can help analysts using its products to overlay traditional forensic and incident response strategies to one of the most prolific mobile device architectures in use today.”

According to Apple’s earnings release, Apple sold a record 7.33 million iPads in the quarter ended December 25, 2010, compared to 4.19 million iPads in the previous quarter. Apple also sold 16.24 million iPhones in the quarter, representing 86 percent unit growth over the year-ago quarter.

In addition to selling the iPad in its stores and on its own website, Apple recently widened its retail distribution channel by making the iPad available at wireless carriers like Verizon and AT&T and large retailers including Walmart, Best Buy and Target.

Guidance Software’s EnCase Neutrino also supports acquisition on devices running Android 2.1 and 2.2. This includes popular Android models like the Motorola Droid series and the HTC Evo.

EnCase Neutrino with Apple iPad, iPhone 4 and iPod touch support is available now.

Guidance Software’s new channel partner program is designed to guarantee channel partner margins and increase partner profitability. The new Guidance Global Partner Program gives channel partners the ability to build new service practices or augment existing practices around security incident management, forensics and e-discovery.

“Last week at our annual sales kickoff, we informed our global sales force that EnCase® Cybersecurity, our enterprise security software, will be sold exclusively through channel partners,” said Larry Gill, senior vice president of sales, Guidance Software. “We believe this strong commitment, along with our new program, will greatly benefit both our channel partners and our company.”

Not only will Guidance Software work with channel partners on business plans that lock in solid margins, the company will also deliver hundreds of new and existing Web-based tools and resources to help channel partners work with Guidance Software to excel in data security and incident management.

"We will help our channel partners expand their existing relationships and drive new ones with our system deviation assessment, security, and incident response solutions,” said Allison Ash, vice president of worldwide channel sales at Guidance Software. “We are 100 percent committed to our security channel partners. This commitment to the security channel will not only help our partners increase profitability but also increase their product, services and training businesses. Most importantly, we believe that by combining our products with their service expertise, our channel partners can help their customers expose advanced malware threats and respond quickly to security incidents.”

For more information about the Guidance Global Partner Program, please visit: http://www.guidancesoftware.com/worldwide-channel-program.htm. 

For more information about EnCase Cybersecurity visit http://www.guidancesoftware.com/computer-forensics-cybersecurity-software-dcid-fisma.htm. 

E-discovery is an accepted component of practicing law. However, with that acceptance come demands to streamline related costs and timeframes while still accommodating increasing volumes of data, sometimes from multiple locations.

Document Solutions, Inc. (DSi), an e-discovery and digital forensics company based in Nashville, Tennessee, is constantly working to solve this problem and announced that it is now offering a new money-saving technology for its clients: remote data collection using Guidance Software’s EnCase Portable.

EnCase Portable is a pocket-sized USB data collection and triage solution that leverages the powerful capabilities of EnCase.  The solution automatically searches a targeted computer and collects data, including documents, Internet history and artifacts, images, other digital evidence, and even entire hard drives. During this search and collection, images, documents, Internet history and a variety of other data can be reviewed in real time on the target computer.

“We don’t jump on new technology simply because it’s new. However, if our tests show that something can save money and time for our clients, and help to ensure the highest quality product, then we include it in the mix of services we offer. Remote collection passed these tests with flying colors,” said Kevin Tyner, CFO and co-founder of Document Solutions, Inc.

Remote data collection allows DSi to send a small piece of hardware, similar to a thumb drive, to a location where it is used to gather data in a forensically sound and accepted manner. The recipient plugs the device into the target computer and the device, pre-programmed by DSi’s technicians, automatically finds the data that has been deemed relevant and saves it to an accompanying hard drive. The result is exact, quick and defensible.

“When we determined that this technology would be beneficial to us and to our clients we got a few options in to test,” said Gary Torgersen, DSi’s vice president of operations and technology “We determined that EnCase Portable, a pocket-sized USB device that can quickly search and collect documents, Internet history, images and other digital evidence, was the best solution available.”

DSi recently completed a project involving 65 individuals in 12 different locations, including Puerto Rico. They had 45 days to collect, process, review and produce. Traveling from place to place, coordinating with various people and companies to obtain access to each computer would be both time and cost-intensive. Instead, these “plug-and-play” devices were sent to each location, with the software programmed to filter and hash-verify as it collects.

The total universe of data was equivalent to approximately 45-50 million pages of information, which was obtained over a 25-day period. As data was received back, DSi was able to process it for their client to start the review, allowing them to meet the short deadline.

Not only did the EnCase Portable devices save time by allowing filtering at the point of collection, they saved money. These small devices allowed DSi to provide a flat rate per machine, including collection and filtering. They were able to lower their cost to one-third of what it would have been using traditional techniques – not including travel expenses. With 65 machines, that’s a substantial savings.

Learn more about EnCase Portable. 

CNN Money interviewed Guidance Software’s Brent Botta and Westchester County Police Sgt. James A. Welsh about digital forensics in today’s Internet world.

Watch the video.

You can also learn more about EnCase Forensic here.

Heading into 2011, the trend of organizations bringing in-house the data collection and preservation aspects of the EDRM, at least, is expected to continue.  As you evaluate collection and preservation systems, however, it is critically important to keep in mind the impact of the operating system (“OS”), such as Windows, OS X, Linux, etc., on the performance and usability of your collection system.  Many collection approaches try to use a “quick-and-dirty” approach of relying on the applicable OS to find and collect data.  This approach has two overwhelmingly negative consequences. 

First, there are a set of cases – such as IP theft, fraud, or employee disputes involving allegations of discrimination or harassment – in which hidden or “forensics” data is critically important.  Collection systems that rely on the OS can “see” only what the OS presents to it, so this critical evidence can be missed entirely.  Because of this, for an entire set of sensitive cases, collection systems that rely on the OS simply cannot be used.  When deploying a system to handle your data collection and preservation needs, why would you go with a system that handles only some of your cases? 

Second, and perhaps even more damning, collection systems that rely entirely on the OS (and File System) are much more disruptive to your business.  To see why, let’s walk through a simple example.  Let’s imagine a case with 50 custodians, all of whom have email (in the form of .PST files) stored locally on the laptops and desktops.  Of the 50 custodians, five are senior executives (CEO, CFO, et al), and another 25 are salespeople, who use email to communicate with potential customers, as well as internally.  The case is time sensitive, so collection needs to happen quickly.  The company determines that, given the nature of the dispute (including the time period involved), it should preserve all of the email of the custodians.  It kicks off its collection at 8:30 AM on a Tuesday morning.  Oh no!  It turns out all 50 custodians have Microsoft Outlook open on their laptops and desktops.  Collection systems that rely on the OS and File System cannot collect files – such as .PSTs – unless and until they are not being used by other applications; in other words, the OS has “locked” the file.  In order to collect these PSTs, the employees tasked with completing the collection would have to contact each and every custodian and have them log out of Outlook – taking the salespeople offline and disrupting the CEO’s and CFO’s day – so that the OS could be used to collect the email.  Do you want to make that phone call (or, if you wanted to be ironic, send that email)?  Perhaps you can imagine doing that once, for one case . . . but each and every time a collection needs to occur?  Isn’t the Legal department trying not to harm the business?

As you look to deploy a collection and preservation system in 2011, by all means look for a system that can reach multiple data sources and handle common data formats, and one that enables easy, check-the-box creation of the collection criteria.  And if you want a system that handles all of your cases, without disrupting your executives, your employees, or your business, beware the OS! 

Victor Limongelli is president and chief executive officer of Guidance Software. 

One positive result of the recent publication of secret U.S. documents by the now infamous WikiLeaks organization is that companies around the world are realizing they need to revisit the security of their electronic information and take steps to secure that information.
 

“First and foremost these recent events should be a wake-up call for organizations to make sure they understand where their data is, what is sensitive data, and who has access to it,” says Guidance Software’s Steve Salinas in a recent article in Security Director News entitled, “What Security Professionals Should learn from WikiLeaks.” “Organizations are very aware that they need to have solutions in place beyond typical antivirus or firewall software to help control and protect their intellectual property.” 

Once considered the responsibility of the IT department, electronic security today requires cooperation between multiple departments throughout a company. Read the full article at Security Director News.

To learn more about how Guidance Software can help protect critical electronic information visit: http://www.guidancesoftware.com/computer-forensics-cybersecurity-software-dcid-fisma.htm

 

The latest edition of Real eDiscovery Magazine is out! Download a complimentary copy and subscribe to future editions.

Written by the Guidance Software e-discovery team and other legal experts, Real eDiscovery is a trusted information source for legal teams interested in bringing e-discovery in-house. In this edition:

-- Liberty Mutual’s Sean McSweeney, deputy general counsel, and Glenn O’Brien, electronic discovery manager, discuss their process and approaches from the legal and technical perspectives.
-- Contributor Denise Backhouse offers resources to master European Union data privacy laws. Backhouse is an associate in the eData Practice of Morgan, Lewis & Bockius, LLP. She counsels and defends clients primarily in the areas of securities and financial industry litigation and business and corporate disputes.
-- Guidance Software Senior Counsel Chad McManamy opens up the e-discovery toolbox and describes what organizations should look for in a unified e-discovery solution.
-- Exploring the Victor Stanley decision focused on sanctions for spoliation of electronically stored information, Guidance Software Senior Counsel John Blumenschein also covers the role Guidance Software played in the case.
-- Guidance Software Vice President and Deputy General Counsel Patrick Zeller shares his tips on reducing e-discovery sanction risk by 80 percent.

Download a complimentary copy of Real eDiscovery and subscribe to future editions now. 

Cas Purdy is editor of Real eDiscovery Magazine and senior director of corporate communications at Guidance Software. 

German security firm, G Data Software AG, began warning users right before the Thanksgiving holiday that a new Trojan, dubbed Ares, may start spreading soon.

Ares is considered to be similar to the famous Zeus banking Trojan and is designed to disseminate malware through infected websites.

From G Data's analysis:

As Ares has so many potential variants, it can be used for almost any attack on any target. We believe one of the eventual uses will be to spread Trojans aimed at online banking users. Internet users need to protect themselves by making sure they have anti-malware solutions in place that monitor all HTTP traffic and can block dangerous websites before they are called up on work and personal computers. 

One of the interesting aspects of the Ares trojan is that it has a modular design that is meant to enable attackers to use the code in many different ways, which would make it more difficult for anti-virus software to spot and rectify.

SearchSecurity.com covered how the Ares developer plans to profit from the Trojan:

The reason for G Data's preemptive warning is that the Ares developer -- whose identity remains unknown -- has authored a free software development kit for the Trojan. The kit is intended for so-called "trustworthy developers," provided that they pay the Ares developer a license fee when subsequent modules are sold to third parties. 

 

Others can buy an Ares starter kit for $820, or the full development kit for up to $6,000. Payment is made via an anonymous online payment service -- in this case WebMoney -- so neither the purchaser nor the developer need to reveal his or her true identity. 

This is yet another escalation in the malware arms race. And, because every instance of the Ares platform and the malware it creates is "unique" it is designed to be able to bypass traditional anti-malware software. Ares and its predecessor, Zeus, make it clear that criminals are doing everything in their power to bypass the traditional layers of security enterprises have in place.

Despite the efforts of the Ares platform to generate malware that will be as stealth as possible, there will be significant swaths of code re-used in its variants. That's why the ability to perform baseline deviation assessments and similar file analysis is so crucial. As files are changed on systems and networks, those malware deviations can be detected and the malware stopped in ways signature defenses can't match.

Download “How 3 Cyber Threats Transform the Role of Incident Response” to learn about cyberforensics can help defending from threats like Ares and Zeus.

Learn more about EnCase Cybersecurity. 

Anthony di Bello is product marketing manager at Guidance Software.

We've known for some time that viruses, worms, and other forms of malware are in an ever-increasing arms race against defensive security technologies. Last year InformationWeek noted the number of unique malwares started going exponential with one anti-virus vendor finding 1.2 unique malware programs in the first half of 2009, compared with 500,000 in all of 2008.

With so much malware being so rapidly produced it's a wonder security software designed to be defensive: anti-virus, firewalls, content filtering, intrusion detection systems can be counted on to catch everything. And when it comes to malware, attackers are certainly getting more complex. These applications are increasingly centrally controlled; stealthily hidden within system processes; as well as encrypted, compressed, and designed to incapacitate antivirus software.

And it seems, according to recent anti-virus tests highlighted by this Computerworld news report, Tests show consumer antivirus programs falling behind, are having trouble keeping up with the threats:

The latest tests of consumer of antivirus software released on Tuesday show the products are declining in performance as the number of malicious software programs increases, a trend that does not bode well for consumers. 

 

NSS Labs tested 11 consumer security suites and found that the products are less effective than a year ago as far as blocking the download and execution of malicious software programs. The company also tested if those programs detected and blocked malicious Web sites. 

 

In its tests, the company used new malicious Web sites within minutes of discovery in addition to brand-new malware, which it contends is indicative of the conditions that users would find while browsing the Internet. 

Most organizations depend on their firewalls, as well as signature-based anti-malware and intrusion detection systems as their last line of defense. But it's clear that this line of defense isn't a perfect line of defense.

Learn more about how EnCase Cybersecurity can help organizations respond to security incidents. Also, learn about Guidance Software's professional incident response services.

Cas Purdy is senior director of corporate communications at Guidance Software. 

Many organizations have multiple locations and remote employees with offices around the world, making it an expensive and time-consuming task to send investigators on-site to collect data and evidence for digital investigations. Too many organizations don’t realize that there are “remote forensics” tools out there that can help save time, money – and make digital collection faster and easier.

Download the complimentary Remote Forensic report now. 

These tools are designed to help investigators collect legally admissible data for internal and external investigations including, illegal activity, security breaches, HR investigations and more, from servers, computers (both desktops and laptops), and workstations across a distributed enterprise. Further – these tools allow investigative staff to launch agents on workstations from remote locations, invisible to the subject, which helps prevent the disruption of evidence collection.

According to Jay Heiser, research vice president at Gartner, “Remote forensics is rapidly becoming a standard investigative process for both internal corporate security departments and external consultants. It provides both cost-efficiencies and unique capabilities, and should be considered when:
 

-- Your investigators (internal or external) are spending too much time (and money) traveling.
-- You are hiring outside investigators for purely logistical reasons (e.g., it's easier to pay someone from outside the organization than to use your own employee).

-- Your organization has multiple locations that could benefit from a central digital analysis service to provide forensics, e-discovery and incident response.

-- You need to conduct surveillance of employee activities over a period of time and collect legally admissible evidence.”

To learn more about Jay Heiser’s research on remote forensic investigations, please download the complementary Gartner report on Remote Forensic Software.

Learn more about Guidance Software’s remote forensics software EnCase Enterprise.

Anthony Di Bello is product marketing manager at Guidance Software. 

Guidance Software has new training courses designed to arm information technology and security professionals with the knowledge they need to meet today's security challenges. Guidance Software’s Senior Director of Curriculum Development Jessica Bair discusses the new EnCase® Cybersecurity training and a new course on ethical hacking.

Q: Guidance announced new Cybersecurity training. What can attendees expect to learn? 

A: The new EnCase Cybersecurity course is focused on how to use Guidance Software’s leading-edge incident response software to reduce data-security non-compliance, and the risk and cost of damage that advanced malware and advanced persistent threats cause to an organization. Additionally, it teaches students how to efficiently and successfully resolve security incidents. 

The course imparts knowledge in three key skill areas: 1) assessing system integrity; 2) network-enabled incident response; and 3) data audit and policy enforcement. These are pillars of a strong, forensic-centric approach to cybersecurity.

Q: How long does the training course take to complete?  

A: The training is four days in length, a total of 32 classroom hours, for which students can receive Continuing Professional Education (CPE) credits for renewing their certifications, such as CISSP, EnCase Certified Examiner (EnCE®), EnCase Certified eDiscovery Practitioner (EnCEP), CFE, CPA, etc. 

We have published a list of certifying organizations. A detailed syllabus of the four-day course is also available online.

Q: Guidance Software also introduced a new ethical hacking course. Why should someone attend? 

A: The Guidance Software Professional Development and Training Department is working with the EC-Council to offer the Certified Ethical Hacking (CEH) course at Guidance Software training facilities.  We continue to look for ways to serve the needs of our customers; and in this case, it made sense to work with the EC-Council to provide EnCase users with a course to help them think like a hacker.  Armed with this knowledge, EnCase users can more effectively use the network and forensic-based technology to find and to remediate security weaknesses hackers will exploit, and to document the evidence. The course conveys the principles of ethical hacking and IT security forensic best practices, taught by Guidance Software instructors who are experts in this industry.

Q: What sets Guidance Software training courses and certification programs apart from other programs? 

A: For more than a decade, Guidance Software as provided world-class instruction in the EnCase methodology: an approach to the collection, preservation, analysis and reporting of digital evidence that revolutionized the industry in its inception, and continues to help define and build upon best practices accepted worldwide.  Guidance Software instructors have dozens of years of experience in using EnCase in the real world (most began their career in law enforcement or the military); and they bring that expertise to the classroom. They have a passion for using technology to solve complex problems and even make the world a little safer.

When I co-created the EnCE in 2001, we had the goal of creating a world-class certification that would help examiners receive recognition in court, in the work place and with their peers; for their skills, knowledge, experience and training in EnCase and best practices.  Nine years later, to my knowledge, it is the most widely-held certification in the world for computer forensics; and continues to evolve, be sought after and respected. 

The EnCEP program was created in 2009 with a similar purpose, and leads the industry as the first true certification in e-discovery technology, methodology and best practices.  Several dozen practitioners have completed the challenging and rewarding certification program, and it is available online in both EnCase eDiscovery v3 and v4.

Q: Why should someone sign up for Guidance Software training courses? 

A: Our leadership team and instructors are dedicated to providing the best training possible.  We recognize the 30,000+ EnCase users worldwide have the requirement to be trained in core functionality, advanced techniques and features, best practices and the fundamental EnCase methodology.  We provide training to more than 6,000 students each year, and have expanded our course offerings to meet the growing and diverse needs of our customers.  We understand the need for flexibility, and offer courses at our facilities and those of authorized training partners around world; we take the courses to our students with our Mobile Classrooms; and provide our most popular courses online through EnCase OnDemand.

Regardless of the delivery method, our students will receive the highest quality training from our instructor team, on the latest technology, and using the best practices.

Sign up now for EnCase Cybersecurity training.  

Sign up now for the EC-Council's Certified Ethical Hacking class offered by Guidance Software. 

The parent company to Novelis Corporation, Novelis Inc., is the global leader in aluminum rolled products and aluminum can recycling. The company operates in 11 countries, has approximately 12,300 employees and reported revenue of $10.2 billion in fiscal year 2009. Novelis supplies premium aluminum sheet and foil products to automotive, transportation, packaging, construction, industrial, electronics and printing markets throughout North America, South America, Europe and Asia. Novelis is a subsidiary of Hindalco Industries Limited, one of Asia’s largest integrated producers of aluminum and a leading copper producer. Hindalco is a flagship company of the Aditya Birla Group, a multinational conglomerate based in Mumbai, India.

Background
In Qualcomm v. Broadcom (Southern District of California, 2007) outside counsel made costly e-discovery mistakes that ended up costing Qualcomm the lawsuit. Investigators discovered more than 230,000 pages of emails, company correspondence, and memoranda after trial began, which led to the inevitable lawsuit between the client and the outside law firm. Qualcomm suffered great embarrassment that could have been avoided had the e-discovery process been staffed in-house with qualified personnel who understood the business, its processes and its data rather than relying solely on outside resources who were unfamiliar with the business.