A letter went out recently from someone at Guidance Software that...well...misrepresented some facts about the F-Response product. I understand that this is how some folks believe that business is done, and that's...well...sad. I'm not going to bash Guidance or their products; instead, I think that as someone who greatly appreciates the work that Matt has done, it is important to clear up some of the misrepresentations put forth in that letter, as some are a bit off, while others are just blatantly wrong.
The letter starts off with: F-Response is a utility that simply allows users to acquire the contents of remote computers and devices, but without any type of security framework, data analysis or forensic preservation capabilities.
F-Response is a tool-agnostic means that facilitates acquisition of data...Matt never intended for it to provide acquisition, analysis or forensic preservation capabilities. There are already enough bloated applications out there, why add another one? Why not instead simply provide a sound framework that allows you to do what you need to do? And don't get hung up on the term "sound"...if you're not willing to look into it for yourself, please don't argue the point.
Going on this way throughout the rest of the letter, point for point, would be obnoxious and boring. Instead, I'll illustrate some of the other major points brought up in the letter that include (but are not limited to):
Acquisition validation issues: Acquiring data using a new transfer method introduces an unknown into the acquisition that needs to be vetted by the industry and in the courts - How is new a bad thing? Of course things need to be vetted...EnCase needed to be vetted at one point. I'm not entirely sure I see the point to this "issue".
No logging capabilities - Of course F-Response doesn't have logging capabilities...that's not what it was designed for. This is like complaining that the hammer you brought can't be used to tighten or loosen bolts.
No end node processing - Again, F-Response wasn't designed to be yet another version of available tools; rather it was designed to give greater capabilities to those already possessing a number of the available tools; just watch the videos that are freely available.
Limited Volatile Data Collection - F-Response provides full access to physical memory, exposing it as a physical drive on the analyst's system. Mandiant's Memoryze is capable of directly accessing that physical drive. The contents of physical memory can also be acquired in raw (i.e., "dd style") format and immediately imported into HBGary's Responder product with no conversion.
No Solaris, Mac, Linux, AIX, Novell: The solution is Windows only - F-Response currently supports Linux and Apple OSX 10.4, 10.5, with more coming. Characterizing F-Response as "Windows only" is blatantly incorrect.
Invasive compared to servlet - What is "invasive"? F-Response Enterprise is only 70k. You're kidding, right?
Agent deployment is manual - F-Response Enterprise Management Console. It's easier for me to deploy F-Response EE to a dozen systems than it is for me to answer an email on my Blackberry.
No Encryption - F-Response can support Microsoft IPSEC, and F-Response can be run over VPNs.
No compression - F-Response end points can be moved closer to the source machine, effectively reducing the need for compression. Also, compression is CPU-intensive, and wait a second, didn't the author of the letter just mention something about invasiveness??
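As an added example (code written for this post's discussion, not from the original post or the F-Response project) of what the "no logging" and raw "dd style" points above mean in practice: the exposed physical drive is just a device path, and the analyst's own acquisition script supplies the block-by-block copy, the in-flight hash, the acquisition log and the re-verification. The device path is stood in for by a constructed sample file, and the file names and sample data are assumptions.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads: large sequential reads suit a drive exposed over the network

def acquire_raw(source_path, dest_path, log_path, chunk=CHUNK):
    """Copy source to dest block by block ("dd style"), hash in flight, write a JSON log."""
    sha256 = hashlib.sha256()
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    total = 0
    with open(source_path, "rb") as src, open(dest_path, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            sha256.update(buf)
            dst.write(buf)
            total += len(buf)
    record = {
        "source": source_path, "image": dest_path, "bytes": total, "chunk_size": chunk,
        "sha256": sha256.hexdigest(), "started_utc": started,
        "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(log_path, "w", encoding="utf-8") as log:
        json.dump(record, log, indent=2)
    return record

def verify_image(image_path, expected_sha256, chunk=CHUNK):
    """Re-hash the written image; a mismatch means it is not a faithful copy."""
    h = hashlib.sha256()
    with open(image_path, "rb") as img:
        for buf in iter(lambda: img.read(chunk), b""):
            h.update(buf)
    return h.hexdigest() == expected_sha256

def demo():
    """Constructed stand-in for the exposed drive: 3 MiB + 4 bytes, so the final short read is exercised."""
    data = bytes(range(256)) * 12288 + b"tail"
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "physicaldrive.bin")  # assumption: stands in for the device path
    with open(source, "wb") as f:
        f.write(data)
    image = os.path.join(workdir, "memory.dd")
    record = acquire_raw(source, image, os.path.join(workdir, "acquisition.json"))
    verified = verify_image(image, record["sha256"])
    with open(image, "r+b") as f:  # flip one byte so re-verification must fail
        f.seek(1000)
        f.write(b"\xff")
    return {"record": record, "expected_sha256": hashlib.sha256(data).hexdigest(),
            "verified": verified, "tamper_detected": not verify_image(image, record["sha256"])}
```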
All in all, the letter really goes a long way toward misrepresenting F-Response. Don't get me wrong...neither Matt nor F-Response need defending from me. Both are fully capable of standing on their own without any help from me. But when I see a misrepresentation as blatant as this, I really feel that it would be a disservice for this to go on without at least saying something.
Regardless of my opinions in the matter, I'll leave it to anyone reading this to choose for themselves.
Addendum: Looks like this post got picked up here (in Poland) and by Moyix, as well. Moyix raises some excellent points about the FUD surrounding Volatility...
Perhaps Guidance Software could explain how they failed discovery requests for their own email stating that their own product doesn't work before attacking other products.
See links here: http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202428316866
http://www.google.com/hostednews/ap/article/ALeqM5h61TVoZxh3AZK5IGT3ArncyFT_LwD96BEHG80
Good point.
Another point brought up in the letter was that F-Response needs to be vetted by the industry and in the courts.
When do courts vet anything? Talking about this to Rob Lee, he mentioned that courts don't vet the cameras used to document crime scenes...Nikon vs. Canon.
Can anyone tell me exactly how EnCase was "vetted" by the courts???
Harlan,
Is this letter available to the public or something that could be made available? ;-)
-jamie
I'm sure it could be...but it is an email, and to forward it...well, you get the idea... ;-)
Yep, that did it....I've now officially sold all my GUID stock :)
Harlan, did this letter go out to all Encase customers? If so, as a user of Guidance software, I haven't yet seen it....Or was it targeted to those who have extolled f-response publicly???(insert conspiracy wink)
Not sure...recipient list was suppressed. I'm sure that based on how far off base and just simply wrong many of the points were, the email was targeted at specific individuals.
Well said, Harlan! This is sad on the part of Guidance.
For years I vetted EnCase Enterprise until I came across F-Response. Now I am happy to say that I am an F-Response customer and very pleased I might add. Keep up the good work Matt.
As previously stated, well said. Guidance has been pulling these stunts all too often. I am always glad to see someone speak up.
Before I make any decision one way or another, I'd like to read this email. I'm sure you'd agree that a truly informed decision requires full disclosure of ALL the data. Perhaps you can post the body here - and hopefully before any (more) professionals formulate uninformed opinions?
I'd be happy to send you a copy...
Please do, thank you!
bytechaser(a)ca(dot)rr(dot)com
SPAM-Bots need not apply :)
I think that F-response is a great tool, of course if you understand its purpose. BTW I knew that the PTK team is going to release a paper about the integration between PTK Forensics and F-Response..
What's interesting is after spending the last few months going through a lot of their classes (I got laid off), the trainers certainly don't bash the product in front of us. We talked about F-Response a bunch of times in different classes.
So I'm guessing this was the idea of someone in the marketing or sales department as opposed to the people who would actually USE the product.
Tom,
Good catch! You're right on with that guess!
To expand a little on that point, even the manufacturer of Brand X Forensic Software will also use their competitor's Brand A, Brand B, and Brand C software internally because everyone knows that one tool does not do it all.
Beware of the sales pitch of 'you only need our tool'. If anyone has a great tool, then why disparage anyone else's? The market eventually determines who has the best tool at the best price, no matter what the sales department advertises.
Clearly, yourself and others that are taking the same angle on this email know Matt personally and seem to be stepping up in a way that suggests the email was a personal attack on Matt and not so much on F-Response. Are you defending Matt, F-Response or both? I follow a VERY few number of blogs (yours being one) and do so because you've maintained a professional view towards just about all you've blogged on. I ask as your first paragraph explicitly states "greatly appreciates the work that Matt has done." If this is a personal issue, bleh...
To add to ByteChaser's post...I'd really like to see the letter published publicly before such a beating ensues. Yourself and the few others with access to this email seem surprisingly shocked at the context of the email. Did you (or anyone else for that matter) honestly expect Guidance to welcome F-Response with open arms (or any other tool/app)? Please. They're a company that exists to make money, right? And, last I checked, nothing from F-Response was free. ;) And (for Matt), I'd suggest reading 'What Would Google Do?' by Jeff Jarvis. Looks like you are pursuing the exact same business model as GS.
When you mention the vetting issue and that you discussed it with Rob, neither of you seem to suggest that maybe Guidance was referring to the validation of computer forensic tools with regard to court cases; specifically the Frye/Daubert standard/test. Download their legal journal for more info than you'll want regarding how EnCase and EE have been "vetted" in case law (been subjected to the Frye/Daubert test). If this was what the author was referring to, then absolutely the jury is still out on F-Response as this application has not been subjected to these tests.
Much of what you present above seems explainable. That said, I don't have access to email and am only getting one side of the story. I do hope you and the others attacking the email have at least given the author an opportunity to respond before initiating the mass blog campaign.
And with that, I would like to read the entire email. Any chance I can get a copy?
Jobel,
Are you defending Matt, F-Response or both?
I was pretty sure that I made it clear what I was doing...that I saw something that was blatantly wrong, and I appreciate Matt's work. Also, near the end, I stated:
Don't get me wrong...neither Matt nor F-Response need defending from me. Both are fully capable of standing on their own without any help from me.
Even without that, I thought that what I was doing was pretty clear. Some things were said about a product that I use and enjoy using, and those statements were blatantly incorrect. In the very first sentence of the post, I stated that the contents of the letter misrepresented facts about F-Response, and all I intended to do was address those misrepresentations.
...before such a beating ensues...
What "beating"? I purposely went out of my way to NOT "beat" anyone.
...attacking the email have at least given the author an opportunity to respond before initiating the mass blog campaign.
First off, no one's initiated a "mass" anything. Second, I'm not "attacking" anything. I simply saw some things that were technically incorrect, and chose to correct them. Moyix did the same thing. I have not attacked anyone.
Any chance I can get a copy?
Sure.
I take it back...I won't be able to send anyone a copy of the contents of the letter. In case Jobel is correct that I have been "beating" the author or EnCase over this, I have deleted the letter.
Thank you.
Hi all,
I don't usually post responses and do like blogs and other information sources that seek to enlighten. That said, I find this an interesting topic, knowing the world of software sales and marketing well.
I agree that misrepresentations need to be addressed as they are encountered, but having a look at this one I would bet that this is a very limited circulation based on customer requests, e.g. a customer contacts their sales rep at x company and says "I am considering buying your tool but also considering x tool; can you please let me know how your tool compares?".
As a sales person you have two choices here:
a) write a response focusing on your products strengths, or
b) attempt to prepare a response making comparisons.
Obviously it is very difficult to write the comparison response when you have never used the other tool, and it seems in this case the sales person chose option b) and the outcome speaks for itself.
The recipient of this letter was right to seek information from outside sources to verify any claims made and I take it that is how this post came into being.
Letters like this are commonplace, and so is talking a product up. I am not condoning it, just saying it happens, and not just with forensic software; the term "intrusion prevention" springs to mind when companies market security solutions.
In my ten years of using forensic software I have found there is no substitute for testing: get your hands on the product and make the comparison for yourself. Only then will you truly find out how many features are in the marketing and how many are in the actual product.
I am an advocate and a user of products from both companies. I don't think this was a beat up so much as a daily occurrence in software sales, I am afraid, and my observation is it is not limited to this company, so we can probably put the conspiracy theory to bed.
This is what happens when marketing weasels get involved. I'd be willing to bet no one in the technical side of Guidance would stand behind that letter.