Monday, May 25, 2026

Your EnCase Just Grew Up: From Investigating Breaches to Stopping Them


If your team already runs EnCase — now OpenText Endpoint Investigator — you know exactly what it’s good at: quietly reaching across endpoints, on or off VPN, to pull court-admissible evidence and uncover what really happened. For over two decades that engine has been the name attorneys and judges trust. What a lot of users don’t realise is that with the recent 25.3 release, the tool sitting on their network has become far more than an investigation tool. It’s now the launchpad for full incident response.

A new name, the same engine — and a bigger mission

First, the rebrand: EnCase Endpoint Investigator is now OpenText Endpoint Investigator. That’s not just a logo change. The EnCase engine you’ve relied on for years is still under the hood — but it now sits inside a broader, more modern platform built to do something the old generation of tools couldn’t: move from finding out what happened to doing something about it, fast.

The 25.3 release alone is a serious step up. It scales to over a million endpoints for large, distributed environments. It adds a clean web-based interface for remote collaboration, a single dashboard showing the status of every endpoint agent, faster forensic imaging through chunked collection, sharper timeline and snapshot analysis, and direct API hooks into your SIEM, SOAR and EDR tools. In short: faster, more scalable, and built for the hybrid, spread-out workforce that’s now normal.

But forensics is only half of “DFIR”

Here’s the honest limitation of any pure forensic tool: it tells you what happened after it happened. In today’s threat landscape — where attackers move laterally, abuse credentials, and slip past traditional defences before anyone notices — knowing the story isn’t enough. Your team also needs to act. That’s the gap OpenText set out to close.

Meet OpenText Endpoint Forensics & Response

Built on the same 25.3 platform, OpenText Endpoint Forensics & Response keeps all the forensic depth of EnCase and layers live response on top. In one environment, your investigators and responders can now:

  • Isolate a compromised machine in near real time — without pulling it out of the investigation.
  • Kill malicious processes or delete harmful files during a live case.
  • Interrogate and modify registry keys remotely.
  • Run on-demand IoC scans and YARA rule matching across the estate.

No more juggling one tool to collect evidence, a second to analyse it, and a third to contain the threat. The silos disappear, and so do the delays between insight and action — which means shorter attacker dwell time and better outcomes when minutes matter.

What it looks like in practice

Picture a ransomware hit on a hospital. The team uses Endpoint Investigator to pinpoint where the infection started — then, with Forensics & Response switched on, isolates the affected systems, kills the encryption process, and begins recovery, all without leaving the platform or calling in a third-party tool. Or an insider quietly stealing IP from a manufacturer: the timeline and artefact views expose the suspicious access, and the same platform lets the team confirm the malicious tools, then silently isolate the machine for deeper analysis. Or unusual logins at a bank: IoC scanning sweeps every endpoint for credential abuse, and the attack is stopped before data leaves the building.

The best part: if you already own it, you’re halfway there

This is the detail worth circling. If you already run OpenText Endpoint Investigator, you do not need to rip out and replace anything. Incident response — real-time isolation, process remediation, IoC scanning — switches on as a simple add-on licence, inside the same interface and architecture your team already knows. OpenText even offers a 45-day trial of Endpoint Forensics & Response on top of an existing deployment, so you can prove the value before you commit.

And if you’re currently on a different forensic tool, this is a clean moment to consolidate. One licence gives you forensics and incident response together, in a single platform, instead of stitching three tools into a fragile workflow.

Where SIAGA comes in

The line between digital forensics and incident response is disappearing — and that’s a good thing, because threats don’t wait for analysis. As OpenText’s partner in Malaysia, SIAGA helps you make that shift the right way. If you already run Endpoint Investigator, we’ll help you scope and activate the Forensics & Response add-on and get your SOC using it properly. If you’re on another tool and tired of the tool-sprawl, we’ll map out a consolidation that saves cost and closes the gap between knowing and acting. And if a live incident hits, our own DFIR team can stand alongside yours.

If you’re ready to go from investigating breaches to stopping them before the damage is done, contact SIAGA for a walkthrough or a trial of OpenText Endpoint Forensics & Response.
