Legal Technology News - E-Discovery and Compliance Blog

« CTSummation's Discovery Cracker 5.1 Webinar | Main | Go deep for e-discovery answers »

May 08, 2008

FTK 2.0: Product Review

Cb027636 In the years I've been writing about forensic technology, I've shied away from reviews that dumped on products.  If I couldn't say something nice, I tried to talk about something else.  Heck, I generally steered clear of mentioning any product by name unless I liked it so much I could barely contain myself.  There are few perfect software products, and just about any application is a buggy mess in its point-O release.  Likewise, code bloat and ham-handed departure from the simple virtues that drew us to a product in the first place are common missteps.

But the problems seen in the latest 2.0 release of the venerable AccessData Corp. product, Forensic Tool Kit (FTK 2.0), just seem deeper and wider than I've run into elsewhere, and I'd be doing you a disservice, dear reader, if I glossed over them.  Read on to get a smattering of why I say "Wait! Spare yourself the pain!" when it comes to the FTK "upgrade."

1. To start, the program won't run under Windows Vista, an operating system that's been on the market for over a year.  Okay, I blame myself for overlooking the fact that this "Windows-only" product won't run on the version of Windows that comes installed on virtually every new PC sold today.  Granted that Vista hasn't seen the quick adoption of Windows XP or 95; but, no one should imagine that Microsoft will retreat from Vista and embrace XP.  That will not happen.  So, when you buy a new, powerful PC to feed resource hungry FTK, you must also purchase a copy of Windows XP, strip the new machine of its latest, greatest Vista content and replace it with an obsolete circa-2001 operating system that leaves the market forever just one month from today.  Instead of calling it FTK 2.0, perhaps they should have dubbed it "FTK 2001."

2. Though you can pull evidence data from anywhere, the fruits of analysis are stored within a monolithic Oracle data base that commingles the data from all investigations.  That's insane.  I don't mean that it contaminates one case with data from another.  Rather, it puts all the data eggs into one well-compartmentalized basket. 

Here's why that's a lousy approach.  My habit has been to confine drive images and case analysis to individual external hard drives that can be easily archived with each matter's pertinent data.  This affords me a discrete, portable data set facilitating use at counsel briefings, deposition and trial.  I can segregate case data, better guard against data loss and selectively and reliably purge data at the conclusion of a case.  Plus, I can tailor the storage medium to the needs of each case, i.e., cases with little data are stored on smaller, cheaper hard drives and large volume cases reside on higher capacity storage media (e.g., external RAID arrays or NAS devices). 

That's not feasible with FTK 2.0.  Instead, you've got to put it all on one logical volume physically--not just logically--connected to a Windows system.  That means you can't load the database on a NAS device, and you can't point the Oracle database to a mapped drive!  What were they thinking?  As a workaround, you can export a case, but that becomes a cumbersome, two-step process requiring you to create the case within the Oracle environment then export the data to archival media after processing and analysis is complete.  When you're talking terabytes, moving data takes hours even over a gigabit network and then you have a long wait while the backup restores to FTK 2.0.

3. Installation is plodding, fussy and frustrating.  Once I'd enlisted an XP box with enough oomph to run the program, I encountered a series of maddening hurdles that twice entailed manually stripping out aborted installation efforts from the system Registry and killing running services.  Each effort to install Oracle generated cryptic fatal errors (Did you know that FTK Oracle aptly assigns error messages negative numbers?).  To make matters worse, the installation crashed before it placed the uninstall batch file on the drive, with the result that I couldn't rid myself of the crippled installation now blocking further installation efforts until I undertook a painstaking and risky surgery on the system Registry.

Whether installing from the program disk or the gargantuan 258MB update file you download to patch the program out-of-the-box, the process was unduly time consuming and complex.  A program requiring half a dozen system reboots on installation doesn't value a customer's time.  Perhaps I just had a run of bad luck that required me to spend hours in the effort, but I suspect my experience isn't unique.

4.  As the pain of installation faded, I turned my attention to performance, hoping it would all be worth it.  FTK users have waited a long time for this update and the new release came paired with a big hike in the cost of ownership and maintenance.  Surely we would see significant new features and performance gains?  Think again.  FTK 2.0 has been redesigned to meet someone's needs, but not mine. 

FTK was always the slowest of the major computer forensic suites, but we made allowances for this because it indexed data at the start.  The payback for the time lost to processing was the speed with which FTK could perform indexed searches using its integrated DTSearch capabilities.  Those capabilities remain, but they're not the novelty they once were, and now they come at the price of unspeakably slower processing.  Not just s-l-o-w, but glacial--to the point where use of FTK will now be a luxury accorded only to those rare cases where time is of no consequence. 

Where the old version offered a lively, clear display of what FTK was doing during all that processing, the newest release offers incomprehensible data processing status bars.  Exactly what does it mean when, after 12 hours speant processing three drive images, two progress bars sit at 100% completion, (one stating 307/307, another 233/233) and a third shows no progress, reading 1033/3393329?  Will processing complete today, tomorrow or next week, and what accounts for the wait?  There's just no way to know, and the smart money is betting it'll crash first.

5. As life is short and FTK's delivery of useful data is not, I've had little opportunity to thoroughly vet new features.  Suffice to say, I'm underwhelmed.  One touted enhancement is, "instantaneous access to data while processing."   It's great...if your definition of "instantaneous" is not quite enough time to wash your car between request and response.  To me, it means that I shouldn't be able to slowly count to 57 between the time I click on a tab and the time the screen changes (and that's on a 3.4GHz machine with 3 GB of RAM).  I made it all the way to 82 when moving between tabs.

FTK has always been weak in the important area of data carving from unallocated clusters, and that remains the case.  Yes, if the lion's share of your work is investigating child porn cases, FTK may come closest to the one click solution many seek; but, if you need to carve for more than just bread-and-butter file types, FTK 2.0 remains the least capable of the major forensic tools.  Insofar as the new interface, it's a solution in search of a problem.  Some will like the new tabbed interface, particularly those with the ample spare time it takes to move between tabs.  Others will see it as lipstick on a pig.  I never found the old interface particularly limiting, and I don't find the new one especially enabling. 

6.  But it's not all grim for FTK fans.  AccessData still has about the best Registry Viewer application on the market, and the FTK Imager is, hands down, the best acquisition application for an unbeatable price.  The Password Recovery Toolkit is an able application, and AccessData's telephone product support is first rate.  Overall, FTK 2.0 and its software siblings seem geared to those who work in large groups where distributed resources can be marshalled to enhance productivity.  The government or the miltary may find value in the changes seen in FTK 2.0.  For the rest of us who toil in small departments or solo shops, FTK 2.0 is the little engine that can't.  Until it improves (or the pricing drops to reflect how it has devolved), wait to upgrade and devote your scarce software dollars to safer bets, like EnCase, X-Ways Forensics, Pro Discover or, if you can still buy it, good ol' FTK 1.71.

Just so you know, I buy my forensic software tools in the open market, and pay out thousands of dollars per seat to keep them up to date.  I buy the same products, receive the same level of support and grouse about the cost as loudly as anyone.  I don't seek or receive any favors from AccessData or any of its competing product vendors.  I do own a small amount of stock in Guidance Software, maker of EnCase and, if you think I'm disappointed in FTK 2.0, don't get me started on Guidance's flagging stock.


TrackBack URL for this entry:

Listed below are links to weblogs that reference FTK 2.0: Product Review:


Oh boy. I just started trying to install FTK 2.0 today. I ran into a number of problems, not least the failure of Oracle to install and the subsequent forced reboot. Now I'm wondering if I should even bother to download the iso that tech support promised me would work better than the CDs we got. :-(

What little credibility Access Data had in the past, is now gone. At least under their old management, they could focus on doing one thing, right. Now, management is so distracted by trying to play the enterprise and eDiscovery market that they have forgotten their core competency. All we get now are empty promises, buggy code, horrible customer service and promises of vaporware. I just can't risk my own career credibility by continuing to invest in such a product. I am going to stick with Guidance, which is the gold standard in this space.

When I wrote the above, FTK 2.0 had been processing three drive images (20GB, 49GB and 100GB) for 12 hours. Now, it's been churning away for 84 hours and it appears to be less than 10% of the way through the data. BTW, these images load, authenticate and process swiftly in other apps.

The main application is locked up, but the data processing goes on inscrutably. It's near time to pull the plug on this disastrous new release as I can't tie up a machine forever.

Is anyone using FTK 2.0 without severe heartburn and hairpulling? Anyone? Anyone? Bueller?

It is always dangerous for the CEO of any company to respond to a blog post because it almost invariably seems to get more people upset but in this case, I think Mr. Ball’s comments deserve a response. First off I would like to say that both Eric and I welcome feedback on any and all of our products even if that feedback is negative. We are dedicated to putting out the best forensics products on the market and believe that feedback, when it is well thought out like Mr. Ball’s helps us improve. So with that said, let us get to the heart of the issues identified by the review.

First, many of the technical issues have already been resolved in the v2.02 release. In particular, the overall installation process has been dramatically improved especially the database component, performance of the GUI (moving between tabs, filtering and file extension tree) has been improved, and opening of cases is much faster. In addition to those improvements, we will be issuing another release in June that will have additional GUI improvements, 64-bit support and Vista support. We will also be working on improving the processing speed of the solution and believe we will make dramatic strides during the summer.

Despite the improvements that we have made and the additional ones that will be made shortly, it is important to understand that FTK 2 takes a fundamentally different approach than FTK 1. As a database-driven tool it has many distinct advantages over traditional products, but there are also drawbacks. The database gives users a new level of stability, scalability and enables a number of capabilities that simply cannot be achieved with memory-based tools. Over the next several quarters, we will release a number of new products and capabilities that we believe will prove out the value of the approach we have taken.

That said there are drawbacks to the database that are fundamental and are not likely to go away. First the database requires processing power and machine resources that a memory-only forensics tool doesn’t, creating an increased minimum hardware requirement. The presence of the database also slows down processing on a single machine deployment. Regardless of the optimizations we make, when a database is utilized, the application has to move information back and forth between memory and the database, and the result is slower processing. Much of this drawback can be overcome by utilizing more powerful hardware or through distributed processing, which should be released in the summer. Finally, the database added a level of complexity that has created many misconceptions. For example, Mr. Ball’s view that the case files are commingled is an understandable but incorrect perception. As a point of fact, FTK 2 creates a new set of database tables that are stored as their own files each time a case is created. This means Mr. Ball can absolutely continue his practice of saving case files and their corresponding evidence on dedicated hard drives. Regardless of this reality though, it is important to note that confusion is not the fault of the users, it is the fault of the manufacturer, and so AccessData is committed to continuing to make FTK 2 easier to use and to provide customer support and educational resources for those who are interested in them.

So what are the alternatives for AccessData customers who are either not interested in moving to a database-driven solution, don’t have the hardware to take advantage of the solution, or simply don’t want to move to a dot 0 or even dot 2 product? The answer to that question is simple, stick with FTK 1. Every FTK 2 license ships with a working copy of FTK 1 that can be used at the same time as FTK 2. We are committed to continuing support and development of FTK 1 and will release v 1.8 shortly with many new features and improvements. Ultimately, we believe the power of FTK2 will win even the skeptics over, but we are not now, nor do we plan to in the future, forcing costumers to migrate to FTK 2. There are situations in which a database-driven solution is better and situations in which a memory-based solution is best, but we are not about to make that decision for our customers. We will continue to enable you with both solutions, and will allow you to decide when to use each.

Tim Leehealey
AccessData Corp
work 949-706-1347
cell 949-355-1513
(If you call me or email me I will respond and look forward to engaging you.)

Dear Mr. Leehealey:

Thank you for your comments. While I appreciate that a CEO can't be spending his days rebutting every blog post critical of his company's products, I'm sure the readers share my view that when a CEO steps forward and acknowledges responsibility, that goes a long way toward establishing credibility. I always tell my students and my children, "Everyone makes mistakes. It's the measure of a man (or a company) how he owns up to them and fixes things."

I'm pleased to hear that you anticipate getting a better product out to your customers sometime in the third quarter of 2008. I assume that AccessData will, as a gesture of good faith and customer support, extend the paid subscriptions for all of us now bereft of a functional 2.0.

I assure you that I WAS using your latest V.2.02 release, and so the issues I detail remain a factor despite the patch. I also dedicated a 500GB hard drive solely to the application and database. I ran no other applications on the machine when FTK 2.0 was processing. If the application requires two separate systems connected over a gigabit network to function reasonably, then it behooves AccessData to eliminate the single machine installation from its marketing and documentation until you can deliver a version that does function reasonably well in a single machine deployment.

You state, "As a point of fact, FTK 2 creates a new set of database tables that are stored as their own files each time a case is created. This means Mr. Ball can absolutely continue his practice of saving case files and their corresponding evidence on dedicated hard drives." I believe you may mistake my point, or you have access to a capability that the rest of us do not. What the product seems unable to do is allow the user to point the database to a discrete location apart from the drive on which the database resides to create those tables in the first instance, i.e., when the case is created. Consequently, I must locate and copy the tables when processing completes, then purge the data from the commingled location. I tried to make this point clearly in my post, and I confirmed the incapability with your support staff before I wrote about it.

But, all that said, I'm not seeking to win a debate. The most important message you've conveyed is that AccessData knows it has a lot of work to get this product ready for its customers and it's doing that work right now. The determination you express to fix the problems and show the marketplace that your new approach can work is what we all needed to hear, and I applaud your candor.

Thank you.

Craig Ball

I too applaud Mr. Leehealey both for his candor and for his willingness to engage his customers. My experience is a bit different from Mr. Ball's. I couldn't even install from the CDs. I was promised an ISO from support but have not yet gotten one. I was also unaware that I could install the latest version of 1.x from the same CDs, which I will attempt to do tomorrow.

It's clear that FTK has some issues to deal with and that they are, at least in part, aware of. Hopefully they will be successful, and we'll look back at the launch as a glitch in an otherwise good relationship.

Mr. Leehealey's post just made me feel even worse. I’ll do the following comparison. You have been driving a certain brand of car for a long time and is happy with its overall performance and cost benefit, then the car maker decides to release a new model. It comes with promises of better performance and handling, in a much improved package; however what you receive is a product that costs more, moves slower, needs a much bigger garage, and consumes much more gas.

The car maker answer to your complains is “We know that we released a product that is not ready, and that you now have to own the gas station to be able to make it run; but stick with us, in a few years all will be all right, maybe. In the mean time, keep using the old model that you liked so much, just buy the new one (for a higher price of course) and we will give you an old one for free (?!?!?!). But don’t forget to buy the bigger garage and the gas station just in case you, in the future, decide to use what you really bought.”

Really a consumer-focused business model…

PS: Mr. Ball, being an avid reader of your articles and an admirer of your knowledge in Computer Forensics / e-Discovery fields, I feel somewhat relieved that the problems and disappointment I’ve been experiencing with FTK 2.0 are not my problems, so it seems they also reach the top-dogs in the field…

I am glad that my problems with FTK are not isolated to my experience. I encouraged my company to invest in FTK and, with the release of 2.0, I now feel like a fool. While I appreciate the fact that the Access Data CEO responded to Mr. Ball's review, the question remains --- why doesn't Access Data run some quality assurance on its products before releasing them? Is Mr. Leehealey trying to provide the best products to his customers or, is he simply putting "lipstick on a pig" to try and sell Access Data to the first buyer and make a quick buck? I hope that is not the case. There are a whole bunch of AD customers who have staked our reputations on the AD products only to now feel betrayed by 2.0 and the lack of focus by AD. Now, Access Data has been promising us an enterprise product and some form of eDiscovery product but, if I can't even have basic competency confidence in their forensic product, why should I stake my career and reputation on their future products?

I'm with Felix. I too told the uppers that FTK 2.0 would be a good investment. I'm not going to tell them that it wasn't now that I'm using one of my 4 copy's as a drink coaster. It sounds like under the pressure of releasing a product we were told about two years ago they put out the closest thing QA would call complete and hoped that nobody would notice. At CEIC Guidance gave out great hats with Encase on the front and "NO CHEAP IMITATIONS" on the back. Boy do they have it right........

The only reason AccessData is being apoligetic is because they got caught. They tried to pass off a piece of cr** version of FTK to the customer and when they got caught there have been apoligies; but no tangible relief other than wait for the next version. That is horrible. Extend my maintenance, give me a refund, pay for my new copy of EnCase. AccessData has lost a customer and their credibility here.

I go to their website and see that the management at AccessData is mostly former EnCase employees. I bet that EnCase is glad about that as their product is rocking since I bought it and dumped FTK.

Shame on you AccessData for trying to fool your customers with cr**. Or maybe you just don't care about a single copy sale since you are now in the Enterprise world.

You think Guidance cares about single copy sales either? The marketplace is saturated for forensic sales, enterprise sales will also start dropping off soon. IR and ediscovery are the direction to go for a little while, so AccessData is just trying to catch up to the EnCase "enterprise" solution.

I have been having all the same problems as mentioned here. When FTK2 first came out I was very excited to install it. The install did not go through so I had to call AD support. To thier credit the support tech did stay 2 hours late to help me resolve the issues BUT they should not have released a product that is that difficult to install. I had a brand new system just for FTK2 and it still was problematic.

After getting it to run, things got much better until I had to search in the unallocated space for keywords. This feature, which is very much needed, crashes FTK over 50% of the time. I called support and they said they would get back with me. It has been over a month and I have heard nothing.

I loaded the 2.02 version thinking that it would correct my issues. I had a new case with a 250GB hard drive and I started processing 2 weeks ago and it still is not finished. I called support again to see if this was common and they told me that sometimes it takes up to 4 weeks to process. FOUR WEEKS!!!!???

My customers can not wait this long before I can even start looking at the case. (I know I can look while it processes but I don't want to crash it)

My plea to AccessData is to PLEASE fix this mess before you lose another customer and further damage your reputation.

Lots of doubts above as to whether AccessData can succeed in the enterprise space...check out the below security alert from Guidance.


Because the security of enterprise applications is critically important to organizations, users often examine such security, and the claims made regarding such security, closely. To that end, AccessData has stated that its Enterprise product enables users to “conduct secure investigations.” AccessData has also described in detail the purported mechanisms that frame its product’s security. We believe that straightforward, hands-on testing of AccessData Enterprise will likely demonstrate that the product’s security will not work as described, as summarized below.

I. Authentication / Authorization

Claim: AccessData states that “User authentication and authorization is controlled entirely by the Management Server. In order to perform any type of investigative operation users must successfully authenticate against the Management Server and obtain proper credentials.” In addition, AccessData asserts that the Management Server “enforces granular role-based security.”

How to Test:

1) Install the AccessData Enterprise product, add an Examiner account, and give the Examiner permission to view a target computer (“Computer A”).
2) Install the Agent software on Computer A.
3) Start the Examiner software and login to the Management Server.
4) Unplug the network cable of the Management Server computer (or stop the service).Use the Examiner software to view Computer A

Testing Will Likely Show: We believe that testing will show that Examiner authentication and authorization are not controlled entirely by the Management Server. Instead, the Examiner seems to obtain a list of approved computers and permissions from the Management Server at login, and the Management Server then apparently trusts that the Examiner will not view any other computers or take any unapproved actions. In other words, these permissions do not appear to be enforced by the Management Server. Most importantly, the Management Server apparently does not broker the communication between the Examiner and the Agent. Indeed, after getting the approved list, it seems that the Examiner can sever the connection with the Management Server and contact any Agent, and perform any permitted activity with respect to those machines on the list, without approval or logging from the Management Server. Finally, although beyond the scope of the testing described above, it is likely that the use of simple port-forwarding software would enable the Examiner to contact any Agent, without regard to whether it was on the approved list.

II. Logging & Auditing

Claim: AccessData asserts that “The Management Service maintains logs of all relevant activity. The Management Server . . . keeps detailed logging on a user basis of what investigative operation was performed at a given time. The AD Enterprise Examiner keeps track of nearly all investigative/processing operations giving organizations the ability to capture relevant events.”

How to Test: See above under “Authentication/Authorization.”

Testing Will Likely Show: As described above, we believe that testing will show that the Management Server logs account activity, but does not log investigative/forensic activity. In fact, as described above, once the Examiner logs on, it seems that the connection with the Management Server can be severed, and the Examiner will be allowed to continue viewing machines, and performing investigative activities, at will. Any logs of this activity are apparently kept on the Examiner machine and thus could be altered or cleansed at any time.

III. Agent Integrity and Access

Claim: AccessData asserts that the Management Server ensures “that only authorized resources can communicate with the Agents.”

How to Test: See above under “Authentication/Authorization.”

Testing Will Likely Show: Since it seems that the Management Server can be disconnected from the network and the Examiner will nevertheless be able to communicate with the Agent, it appears that the Management Server is not used in the authentication process for the communication between Examiner and Agent.

IV. Certificate Management and Controls

Claim: AccessData states that “The Management Server is responsible for certificate management.” AccessData also asserts that “to ensure that inter-component communication is secure, and only authorized entities can communicate with the Agents, industry-standard x509 certificates and a FIPS 140-2 certified SSL encryption engine are leveraged.”

How to Test: Use OpenSSL to convert the Examiner key to the P12 format (openssl.exe pkcs12 -export -in c:\incert.pem -out c:\outcert.p12). No password is required to open and convert the key certificate. The P12 certificate can then be imported into the Windows Certificate Manager, where you can examine the properties of the certificate.

Testing Will Likely Show: The certificates on the Management Server and Examiner appear to be stored without passwords or time limits. Rather than ensuring that only authorized entities can communicate with the Agents, it appears that anyone with network access to either the Management Server or the Examiner machines can obtain the files necessary to gain access to any computer with an Agent installed.

V. Conclusion

The security architecture of AccessData Enterprise does not appear to operate as described in AccessData’s documentation, and may create security vulnerabilities. Indeed, our understanding of the security implementation of AccessData Enterprise suggests that it would be not only possible, but relatively straightforward, to create a program that can communicate with any Agent, at any time, and execute any command without the involvement of the Examiner or Management Server software, using only a single file that rests unprotected on the Examiner machine. Certainly, thorough testing, either as outlined above or more extensive procedures, is warranted to determine if AccessData Enterprise meets the standards expected of secure enterprise software.

The team at AccessData takes security very seriously and aims to deliver solutions that are secure, intuitive and easy to use. As a result, we appreciate the folks at Guidance Software taking the time to try and identify what they perceive to be security issues with our AccessData Enterprise product. The issues they identify are, however, either incorrect or reveal their own limited understanding of well-accepted and commonly utilized security protocols. We would like to assure all of our customers that not only is our solution secure, it is currently in the process of receiving FIPS 140-2 certification and Common Criteria EAL4, which is a significantly higher certification than was achieved by EnCase Enterprise.

Guidance Software has made four assertions relative to the security of AccessData Enterprise. Since the those assertions are presented in the post above we will simply reference them by number here:

In regard to Guidance Software Assertion 1:
At the root of this assertion is Guidance Software’s misguided belief that in order to achieve security, the management server must broker every investigative transaction. This assumption is not only incorrect, but it results in one of the larger competitive advantages AccessData Enterprise has over EnCase Enterprise.

AccessData Enterprise utilizes an approach similar to Kerberos, in which a user obtains privileges from the management server at the beginning of each session, but does not need to continually re-authenticate itself throughout the course of every operation. This approach provides more than enough security and ensures that the management server does not become a bottleneck for large-scale operations and distributed teams.

In fact, it is for this very reason that many Guidance Software customers have thrown away significant investments in EnCase Enterprise to replace the EnCase product with AccessData Enterprise. Not only does Guidance Software’s implementation turn its management server (SAFE) into a bottleneck, but it also results in customers needing to purchase many management servers (SAFEs), in order to achieve adequate coverage, which dramatically increases the cost of the EnCase Enterprise solution.

In regard to Guidance Software Assertion 2:
This assertion simply could not be further from the truth. The application absolutely logs investigator/forensic activity (role/power usage), administrative activity and successful/ failed user login attempts. In fact, our logging is superior to that of EnCase technology, because AccessData Enterprise stores logs in a database that enables powerful reporting and archiving cabilities. EnCase Enterprise stores its event logs in an encrypted, proprietary, flat file format that has no archiving capability, does not provide an auditor role, and doesn’t even track purging activity. Therefore, anyone could erase EnCase logs with no resulting audit trail.

In regard to Guidance Software Assertion 3:
This issue is effectively a rehashing of the issue Guidance Software presented in its first assertion, and as we pointed out in our reply, our approach leverages commonly accepted techniques similar to Kerberos. While Guidance Software, either doesn’t understand or doesn’t agree with this approach, we believe it is in fact much more effective than the methodology utilized by EnCase Enterprise.

Guidance Software’s approach requires an excessive number of authentications between Examiner and SAFE. It also requires multiple connections to a node before an investigation can begin, and worst of all, it is proprietary in nature. By utilizing a proprietary approach, users of EnCase Enterprise cannot take advantage of their organizations’ existing security infrastructure. This results in significant management overhead, increased complexity and diminished security, because it does not allow for centralized password management, requires Guidance Software support in the event of a failure, and cannot leverage an existing PKI infrastructure.

In direct contrast, by utilizing widely accepted security principles, it is possible for AccessData customers to fully integrate our solutions into their existing corporate environment, allowing Active Directory, for example, to be utilized for authentication, ensuring that passwords remain centrally managed.

In regard to Guidance Software Assertion 4:
Guidance Software is making some wild assumptions and did not acknowledge that a rogue employee must possess all of the following, in order for this so-called weakness to exist:
1) Logical access to the management server
2) Administrative control over IIS
3) Access to the Examiners private keys
4) Administrative control over the target node to switch the Agent cert

Finally, Guidance Software ignores the fact that, in order for a rogue employee to “gain access to any computer with an Agent installed,” that person – in addition to meeting the above criteria – would also have to compromise the Management Server Database and modify user accounts.

The AccessData solution uses industry-standard x.509 certificates that enable an organization to leverage their existing PKI infrastructure and create a set of certificates for the Management Server and Examiners that is a subordinate of their existing PKI, if they choose. The customer is in ultimate control of how the certificates are created and what the specific criteria associated with them are, including passwords and time limits. Conversely, Guidance Software requires customers to go through a painful cert approval process where they must send a certificate to Guidance Software, which requires a proprietary key scheme that forces organizations to divorce the EnCase Enterprise application from their existing security controls

AccessData goes to great lengths to ensure our solutions are not only secure but intuitive and easy to use. Whenever possible we utilize accepted standards and technologies. Our approach results in a solution that is not only secure, but is superior to comparable solutions in the following ways:
1) the ease with which it can be implemented – saving customers a significant amount of money on professional services fees
2) how quickly customers can begin effectively utilizing the solution – again saving organizations significant amounts of money on professional services fees
3) its ability to integrate with other products
4) and its ability to integrate with an organization’s existing infrastructure.

If you are interested in validating any of these assertions, we stand ready at all times to provide supporting documentation, to speak with you directly, and to even visit your organization to allow you to see first-hand how AccessData technology will function in your environment. You may send all inquiries to

what a bozo this Leehealey guy is....he did not answer the fundamental question about the security flaw....I have tested it and everything that the previous poster said about the AccessData Enterprise software security flaws, is true. It is a house of cards....their architecture is severly flawed and and any CIO or IT professional who put this code on their company network will be committing professional suicide. I hope they got some coupons from whatever hack shop they paid to produce this (likely some sweatshop in Bangalore) because the AccessData Enterprise software is a POS!

No need to be mean, frankie. Why does everyone go around with name calling? Ok, it has a security flaw that wasn't need to toss in all the harsh stuff.

Hey Dan - check the dates of the comments!

This is really something quite revolutionary. I never heard about this anywhere. Though we all can have differing opinion, I must say I am amazed to see this post about with genuine information. Surprised the site is not frozen with comments! LOL

This is very nice one and gives indepth information. Thanks for this nice.I am looking for my own blog. I really get lot of guidance from your blog.

Your post about is pretty amazing! Its written nicely. I think that you have provided the essentials that are needed to understand the subject. There are enough information about here to read.

The comments to this entry are closed.

Sign Up for the E-Discovery and Compliance Newsletter

An Affiliate of the Network

From the Newswire

Sign up to receive Legal Blog Watch by email
View a Sample

Contact EDD Update

Subscribe to this blog's feed

RSS Feed: LTN Podcast

Monica Bay's Law Technology Now Podcasts are also available as an RSS feed.

Go to RSS Subscribe page

March 2013

Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

Blog Directory - Blogged