
Remote forensics in incident response

Posted on: 2015-05-08
Degree: M.S.
Type: Thesis
University: Utica College
Candidate: Coughanour, David A.
Full Text: PDF
GTID: 2475390020452690
Subject: Information Technology

Abstract/Summary:
The purpose of this research was to examine Guidance Software's EnCase Enterprise & Cybersecurity (EEC) platform in order to assess its capabilities as a remote forensic platform and to illustrate its use in incident response investigations. To accomplish this, four research questions were proposed concerning the platform's ability to provide responsive endpoint visibility, flexibility in acquisition options, scalability in reviewing large numbers of endpoint systems, and the ability to remediate a compromised endpoint system. The platform displayed strong capabilities in the first three areas and limited but effective capabilities in remediation. This Capstone Project also examined the use of remote forensic techniques in the execution of the Incident Response Lifecycle as conducted by an enterprise Cyber Security Incident Response Team (CSIRT). An overview of remote forensics platforms, including EEC, Bit9, and GRR, is provided along with suggestions for their usage and roles. Functional testing of the platform was conducted in order to support the broader discussion of remote forensic use cases in network defense. The practical application of the platform is demonstrated through two incident response engagement scenarios, selected to show the possibility of leveraging such capabilities against common incident categories that a forensic examiner supporting CSIRT operations is likely to encounter.
Keywords/Search Tags: Incident, Forensic, Platform, Capabilities