Feature Spotlight: Direct Network Preview

Guidance Software

EnCase Version 7.06 introduces a new built-in ability to perform remote forensics. If you are unfamiliar with the term “remote forensics”, take a moment to review the Gartner Remote Forensics Report for 2012. EnCase Forensic Version 7.06 brings remote forensics to the standard in digital investigations, and enables forensically sound investigation of live devices. In this post, we’ll walk through how to perform a network preview, and we’ll discuss some of the key differences between remote investigation in EnCase Forensic and EnCase Enterprise.
  1. First, if you have not done so already, generate an Encryption Key from the EnCase Forensic Home screen. A wizard will appear to walk you through the process.
  2. The next step is to generate a servlet. The EnCase Examiner will create a lightweight program, called a servlet, to be installed on the target machine to be investigated. The servlet will enable secure, encrypted communication between the target machine and the EnCase Examiner. In the Tools menu, select “Create Direct Servlet”.
  3. Servlets must be associated with a specific user/Encryption Key. A list of users will appear with the users/Encryption Keys that are available to the EnCase Examiner. Select the user/Encryption Key created in the first step.
  4. EnCase Forensic supports a wide variety of operating systems for remote investigation. In this example, we’ll choose the Macintosh OS X type, since we’ll be investigating a MacBook Pro. Click “Finish” and the servlet will be created in the specified directory.
  5. The Servlet installer should be copied to the target machine and executed. The servlet can also be executed from a command line for use in a single session. The screenshot below illustrates the Servlet being installed on the MacBook Pro.
  6. Once the Servlet is installed, collect the IP address from the machine. Back in EnCase, within the “Add Evidence” tab, click “Add Network Preview”.
  7. Click “Direct Network Preview” as noted below.
  8. EnCase will present a list of users. This time, EnCase will prompt you for a password since we are attempting to access the remote device.
  9. Once the password has been entered, EnCase asks for an IP address, port and whether or not you’d like to acquire physical and process memory.
  10. The remote device is accessed, and the Servlet enables selection of the specific device to be previewed. In this example, we’ve selected the logical volume running on this MacBook Pro. Mounting logical volumes on a running OS X device is a new feature of Version 7.06 that we’ll cover in a subsequent post.
  11. Once we’ve clicked through, we navigate to Evidence and we can begin our examination of the remote device, just as we would any other device in EnCase.
As you can see, remote forensics is a powerful addition to the investigator’s toolkit, and it is available today, out of the box in EnCase Version 7.06.

If you are considering remote forensics with EnCase Enterprise or EnCase Forensic, here are a few of the key differences between the two versions.

EnCase Forensic                              | EnCase Enterprise
---------------------------------------------|-----------------------------------------------------------------
Remote forensics: One connection at a time   | Remote forensics: Multiple concurrent connections
                                             | Quickly sweep ranges of devices
                                             | Centralized user account management
                                             | Comprehensive user event logging
                                             | Robust “check-in” connectivity support (VPN user, mobile user)

We hope you find the new remote forensics capability valuable and welcome your feedback in the comments below or on the Guidance Software Technical Support Forums.
