Build New Skills while Rubbing Shoulders with the Industry’s Brightest at CEIC 2015

This year when the best minds in security and digital forensics converge at CEIC May 18-21, 2015, you have an unprecedented opportunity to gaining skills and knowledge on real solutions to your biggest data-related challenges, as well as to collaborate with like-minded professionals who bring to CEIC plenty of war stories not unlike your own.

We’re excited to feature this year’s “EnCase in Action” conference track in today’s blog. We worked hard to pack it with sessions that will put real-world context around some of the EnCase capabilities you've heard so much about.

AMP Threat Grid Empowers Law Enforcement to Fight Cybercrime

Jessica Bair, Cisco

Recognizing the critical need for state and local law enforcement agencies to have state-of-the art technologies to effectively fight digital crime, Cisco is creating the AMP Threat Grid for Law Enforcement Program. The program is designed to empower those working to protect our communities from cybercriminals with its dynamic malware analysis and threat intelligence platform.

Computers are central to modern criminal investigations, whether as instruments to commit the crime, as is the case for phishing, hacking, fraud or child exploitation; or as a storage repository for evidence of the crime, which is the case for virtually any crime. In addition, those using computers for criminal activity continue to become more sophisticated, and state and local law enforcement agencies struggle to keep up with their internal computer forensics/digital investigation capabilities. Malware analysis is also a critical part of digital investigation: to prove or disprove a "Trojan defense" for suspects, wherein the accused rightly or falsely claims a malicious software program conducted the criminal activity and not the user; and to investigate unknown software and suspicious files on the computers of the victims of cybercriminal activity for evidence of the crime.

EnScript and .NET: Debugging in Visual Studio

I have been working on a few projects lately using C# and integrating it with EnScript code, and of course I run into problems in my code. Sometimes the problem is in the EnScript code, but other times it is in the C# code. To be honest, it is more often in the C# code since I have spent less time in that language than EnScript. Especially in the context of making a DLL to interface with EnScript.

If you have been reading this so far while thinking any of the following “What? C# and EnScript? When did this happen?” Check out this one for a little intro. My goal in this post is to show you how to debug your C# code while EnScript is calling it. Yes! You can do that!

Debugging in EnScript

First, let’s have a quick review on debugging your EnScript code inside EnCase. The default operation when in the IDE is to debug. The start button and its assigned F5 shortcut.

EnScript Debugging Button in EnCase

If I have a problem to debug in the EnScript code, I just click a breakpoint next to where I want to stop. You can see my breakpoint on line 7, with the yellow arrow on top of it showing that this line is about to be executed.

Setting EnScript Breakpoint for Debugging in EnCase

Line 8 contains a function that I am bringing in from my C# DLL mentioned on the first line. If I use Step Into over my EnScript code, it will walk down the lines here without digging into the C# code. EnCase doesn’t have the source code, Visual Studio does.

Connecting Visual Studio Debugger

To get to the source code of the C# project, we need to connect EnCase and Visual Studio together. It is fairly simple, but it is not something I realized was possible until one of our developers showed me a couple years ago. I am finally getting to write this to share with all of you.

First thing is that you need to have a project written and built. Make sure the output type is Class Library.

C# Project Properties in Microsoft Visual Studio

Use the build menu to create the DLL file. This file needs to be placed beside the EnScript source code, so copy it over there.

Building C# Project in Microsoft Visual Studio

Put the assembly command in the EnScript code, and make sure it compiles. This is important to do, because the compile process is what reads into the DLL file to load all the symbols.

Assembly Command in EnScript Code using EnCase

You can confirm the DLL stuff was loaded by viewing the Class Browser. In there you should find a bunch of things mentioned about DotNet, but you should also find your project namespace, public classes, and public functions in there.

EnScript Class Browser Showing C# Classes Loaded in EnCase

Once you have compiled successfully, the symbols are loaded and ready to go. Go back into Visual Studio and use the Debug menu drop down to find the Attach to Process option.

Debug Menu Attach to Process in Microsoft Visual Studio with EnCase

In the window that pops up, find the EnCase.exe process and click the Attach button.

Microsoft Visual Studio Attach to Process Window Showing EnCase.exe Process

Visual Studio is now in a paused state waiting for control to come over. To get the debugger in Visual Studio to trip, you have to set a break point on code in C#. Otherwise the code will just execute without stopping.

Hit the start button in EnCase, and wait for your C# breakpoint.

Microsoft Visual Studio C# Code Showing Breakpoint


#1 File Lock

There is a complexity with the integration of EnCase and the .NET stuff. The bridge between managed and unmanaged code is not easy. Just ask anyone who has called into unmanaged/native DLLs from C#.

When you compile your EnScript project, EnCase places a lock on the DLL file. If you point your EnScript to the DLL location where Visual Studio builds to, then VS will fail to build while EnCase has that lock. If you are trying to copy the built DLL into the folder where your EnScript project is at, you will get an error message saying that it cannot overwrite the file.

The only way to release the lock is to exit EnCase entirely. Use the Save All option and it will be easier to open back up into your EnScript project.

#2 Project Type

Because of the file lock, I typically start my projects as a Windows or Console Application. I put some basic test code inside the ProgramClass and I add another class module to contain the code I intend to use in EnScript. This allows me to debug as much of the code natively inside Visual Studio as I can before bringing EnScript into the mix. Once I am comfortable with the code, I change the project type over to the Class Library and start testing my code with EnScript.

#3 Logging

You can get error messages logged from the .NET code (and other things), and direct them to the console in EnCase or to a file on your drive. You will find these options in the Tools dropdown in the Options… menu item. Then Debug Tab, and the Show Logging button.

EnCase Debug Logging Options


You can download my EnScript and C# code here to follow along in the screen shots. There is nothing amazing happening in that code, but you are welcome to use it in your forensic projects (with proper credit of course)…

I would love to see you attend the EnScriptProgramming course, and then we can talk face to face about the possibilities of this bridge.

Hit me up on Twitter or leave a comment below if you have any questions. Thanks for reading!

James Habben

Using EnCase with the Latest Release of Belkasoft Evidence Center

Yuri Gubanov, Belkasoft

Belkasoft has just updated its digital forensics suite, Belkasoft Evidence Center, making the tool a true, all-in-one forensic solution. When seamlessly integrated with EnCase, the two tools can cover nearly every digital forensic need. Belkasoft Evidence Center helps you jump-start investigations by automatically discovering evidence gathered from many different sources.

In its biggest update in two years, Belkasoft has done more than learn a few new tricks. It now extracts and analyzes evidence from pretty much any data source you can imagine. Hard drives and drive images with Windows, Linux, Ubuntu, and many other operating systems; smartphone backups in all popular formats; UFED images and chip-off dumps; live memory dumps; and many virtual machines can be scanned for available evidence. This major update turns Belkasoft Evidence Center into a true, all-in-one digital forensic tool.

We added several new modules to bring about these changes.

Firefox Cache2 Storage Breakdown

Mozilla introduced a new format of storage ** ** for the Firefox browser in version 27. It was defaulted off until recently in version 32, when it was turned on. Mozilla claims in its recent statements that cache2 is more efficient to speed up the browser.

Here is a good write-up about the previous version of cache in case you encounter it. Pretty much every forensic tool supports it—which brings me to my next point.