The initial reactions about the Tableau purchase from my fellow digital forensic examiners ranged from concern to opposition. Not exactly a vote of confidence for the folks over at Guidance, but having been in this business for many years now, I understand their concern. We’ve all been burned by the major forensic software vendors like Guidance. How many disastrous EnCase version releases have you lived through? I’ve been through three so far where the digital forensic community essentially paid to be beta testers until the Guidance fixed their product to do what they said it would do when they sold it to us. Remember how well the indexing feature worked when V6 came out?
Access Data has evolved into Guidance’s mortal enemy and they haven’t been immune to playing Lucy to the community’s Charlie Brown trying to kick the forensic football.
Back when I first started in forensics, EnCase was in version 3 (Good Ol’ 3.22g was the classic V3 version) and most people used it as their primary forensic tool and used FTK 1 for things like email and to test their keywords. Sure, some people used FTK as their primary GUI toolset, but they weren’t the majority. The world was Guidance’s oyster and they acted (and charged) like it. This attitude created a lot of hard feelings in their customer base which linger to this day.
Not too long ago, Access Data made it’s great leap forward when it obtained a cash and talent injection (lots of that talent came from Guidance) which resulted in a flurry of product innovations including the wretched
Guidance is a publically traded company and as such we can review a lot of their financial data because they have to send so much of it to the SEC. Access Data isn’t a publically traded company so they don’t have to release much of anything. Thus, we can’t really compare financial information, but my opinion is that Access Data took the lead in the innovation competition with FTK 3. Guidance has been doing incremental innovation with their EnCase tool, but EnCase V6 doesn’t feel all that different to me than EnCase V3. Sure, the UI has evolved a bit and they’ve added incremental innovations over the years such email support, Internet history support and great encryption support. The rub is that a lot of their innovations have been done better by other people with other tools (both paid and free). There isn’t much reason to use, for example, their email or Internet history support options. If I’m going to parse an index.dat file, it’s not going to be with either EnCase or FTK. However, for email FTK still wins hands down and EnCase has never been a great email forensic tool. FTK 3 is a big change from FTK 1. While the UI borrows quite a bit from FTK 1, the move to Oracle allowed Access Data to do a lot more with the tool such as handle larger data sets in a more efficient manner. They have a long laundry list of innovations that they have put into FTK 3 such as fuzzy hashing, distributed processing and remote evidence mounting. You can have all of this cool technology for a pretty reasonable price. Gone are the days when FTK was a glorified email tool. You can now comfortably use FTK as your primary forensic GUI tool and not use EnCase if you like. This is a problem if you are Guidance Software especially since Access Data is working very hard at closing the gap at the enterprise level.
The last thing any one of us in the digital forensic community should want is for one of these companies to “win”. We don’t want to go back to the days where one was dominant and treated its customer base accordingly. I don’t know anyone who didn’t dread the idea of Access Data purchasing Guidance Software to return us back to the pre-competitive era in digital forensic GUI tools. Robert Botchek and Tableau have been doing a lot of innovation in the area of data acquisition and have rightly earned the good will of the community because of that. The TIM tool when coupled with a Tableau product is an amazing innovation in data acquisition, for example. I suspect that this purchase was a low cost way for Guidance to help close the innovation gap that has been opened by Access Data. If Guidance essentially allows Tableau to be Tableau and continue to innovate, it should be good for Guidance and the community. I wonder if the deal that Guidance made (and this is pure speculation on my part) was essentially to tell Botchek\Tableau that GSI would provide the funding and the day to day operational support (HR, payroll, marketing, etc) while the Tableau team would be free to just concentrate on innovation.
We all know what the worst case scenarios could be based on past behavior. For example, TIM becomes an EnCase only tool and you have to pay $500 more per dongle to use. That would be a Bad Thing(tm), but I suspect that Guidance knows it now lives in a world where it can’t act like it used to act and continue to be successful.
My bottom line is that I like and use products from Access Data and Guidance Software. EnCase V6 is my primary GUI forensic tool, but I’m increasingly using FTK for tasks that I used to do in EnCase. I have no desire at all to return to the bad old days where one of them was dominant over the other. We should want both organizations to win rather than having one of them lose. If this Tableau purchase helps maintain a rough balance of power between the two, I think it’s going to be good for the community.