Saturday, May 15, 2010

Don’t Panic

This was a big week for digital forensic news. We learned that Guidance Software purchased Tableau and that Access Data would be releasing FTK Imager for the Mac and Linux. All of this great digital forensic news will make for great fodder if I were going to be on the next Forensic 4cast, but I won’t because I have a prior commitment. The forensic gods can be cruel. However, Lee and his band of merry forensic practitioners will have an excellent show for you soon where they discuss these issues. Fortunately, I have a blog that is read by many twos of examiners where I can comment on these sort of things.

The initial reactions about the Tableau purchase from my fellow digital forensic examiners ranged from concern to opposition. Not exactly a vote of confidence for the folks over at Guidance, but having been in this business for many years now, I understand their concern. We’ve all been burned by the major forensic software vendors like Guidance. How many disastrous EnCase version releases have you lived through? I’ve been through three so far where the digital forensic community essentially paid to be beta testers until the Guidance fixed their product to do what they said it would do when they sold it to us. Remember how well the indexing feature worked when V6 came out?

Access Data has evolved into Guidance’s mortal enemy and they haven’t been immune to playing Lucy to the community’s Charlie Brown trying to kick the forensic football. FTK ME FTK 2 was a situation where, once again, a major forensic vendor released a product that they should have known wasn’t ready for prime time and essentially expected their customers to pay to beta test their product.

Back when I first started in forensics, EnCase was in version 3 (Good Ol’ 3.22g was the classic V3 version) and most people used it as their primary forensic tool and used FTK 1 for things like email and to test their keywords. Sure, some people used FTK as their primary GUI toolset, but they weren’t the majority. The world was Guidance’s oyster and they acted (and charged) like it. This attitude created a lot of hard feelings in their customer base which linger to this day.

Not too long ago, Access Data made it’s great leap forward when it obtained a cash and talent injection (lots of that talent came from Guidance) which resulted in a flurry of product innovations including the wretched FTK Vista FTK 2. You could see what they wanted to do with FTK 2 and how cool it could be, but it just didn’t work. For whatever reason, they released it before it was done baking which might have been a tribute to Guidance because that’s what they had been doing to their customers for years. Eventually, they got it right and released FTK 3 (AKA FTK The Apology) which is a great tool. Access Data even made an offer to buy Guidance. I’m not sure if it was a serious offer or just a good PR stunt, but it illustrated how far Access Data had come from behind to get to where they are today.

Guidance is a publically traded company and as such we can review a lot of their financial data because they have to send so much of it to the SEC. Access Data isn’t a publically traded company so they don’t have to release much of anything. Thus, we can’t really compare financial information, but my opinion is that Access Data took the lead in the innovation competition with FTK 3. Guidance has been doing incremental innovation with their EnCase tool, but EnCase V6 doesn’t feel all that different to me than EnCase V3. Sure, the UI has evolved a bit and they’ve added incremental innovations over the years such email support, Internet history support and great encryption support. The rub is that a lot of their innovations have been done better by other people with other tools (both paid and free). There isn’t much reason to use, for example, their email or Internet history support options. If I’m going to parse an index.dat file, it’s not going to be with either EnCase or FTK. However, for email FTK still wins hands down and EnCase has never been a great email forensic tool. FTK 3 is a big change from FTK 1. While the UI borrows quite a bit from FTK 1, the move to Oracle allowed Access Data to do a lot more with the tool such as handle larger data sets in a more efficient manner. They have a long laundry list of innovations that they have put into FTK 3 such as fuzzy hashing, distributed processing and remote evidence mounting. You can have all of this cool technology for a pretty reasonable price. Gone are the days when FTK was a glorified email tool. You can now comfortably use FTK as your primary forensic GUI tool and not use EnCase if you like. This is a problem if you are Guidance Software especially since Access Data is working very hard at closing the gap at the enterprise level.

The last thing any one of us in the digital forensic community should want is for one of these companies to “win”. We don’t want to go back to the days where one was dominant and treated its customer base accordingly. I don’t know anyone who didn’t dread the idea of Access Data purchasing Guidance Software to return us back to the pre-competitive era in digital forensic GUI tools. Robert Botchek and Tableau have been doing a lot of innovation in the area of data acquisition and have rightly earned the good will of the community because of that. The TIM tool when coupled with a Tableau product is an amazing innovation in data acquisition, for example. I suspect that this purchase was a low cost way for Guidance to help close the innovation gap that has been opened by Access Data. If Guidance essentially allows Tableau to be Tableau and continue to innovate, it should be good for Guidance and the community. I wonder if the deal that Guidance made (and this is pure speculation on my part) was essentially to tell Botchek\Tableau that GSI would provide the funding and the day to day operational support (HR, payroll, marketing, etc) while the Tableau team would be free to just concentrate on innovation.

We all know what the worst case scenarios could be based on past behavior. For example, TIM becomes an EnCase only tool and you have to pay $500 more per dongle to use. That would be a Bad Thing(tm), but I suspect that Guidance knows it now lives in a world where it can’t act like it used to act and continue to be successful.

My bottom line is that I like and use products from Access Data and Guidance Software. EnCase V6 is my primary GUI forensic tool, but I’m increasingly using FTK for tasks that I used to do in EnCase. I have no desire at all to return to the bad old days where one of them was dominant over the other. We should want both organizations to win rather than having one of them lose. If this Tableau purchase helps maintain a rough balance of power between the two, I think it’s going to be good for the community.

3 comments:

  1. Competition in itself may not be the answer. It strikes me as an observer (not a practitioner, but someone in a position to hear about various companies and tools) that in certain tight markets *cough* mobile forensics *cough* all the companies are so busy looking sideways that no one breaks out of the pack.

    All the tools try to do the same things. If someone does break free of the pack, it's not well thought out or executed (hence the "not ready for prime time" product). And it's not long before everyone else copies.

    I can think of a couple of reasons for this, but the main one is that demand is simply too high. Backlogs exist, forensics is not well understood by decision-makers buying product, thus companies do what they can get away with -- figuring even if users are the wiser, they won't put up much of a fight because they still need the tools.

    It's really too bad that these firms don't recognize the significance and power of the forensic community overall. They could accomplish so much more if they became part of it rather than battling each other to reign over it.

    ReplyDelete
  2. Thanks for the comment, Christa. Mobile forensics is a relatively new area to me. I'll likely blog about it in the future, but this is one area where I'm just absorbing what is out there before forming any firm opinions. I'm really looking forward to taking Eoghan Casey's SEC563 (Mobile Device Forensics) class as SANSFIRE this year!

    ReplyDelete
  3. Eric, I was more using mobile as an example of what you were talking about. In any case, it seems to me that the innovation is coming out of the user community. My fear would then be that even if Guidance still allows Tableau to innovate the way it always has, it will nevertheless be a shortsighted effort to "compete" rather than a step towards engaging with the community -- not just customers but also other innovators.

    ReplyDelete