EnCase App Central - Destined To Be A Game Changer

Chet Hosmer

We are all painfully aware that criminals share their secrets, exploits and even technology. Those investigating cybercrime, attempting to pre-empt dangerous criminals, or finding new ways to rapidly clear cases must be on equal footing.

Whether on the desktop, server, smart mobile device, cloud or on a network, investigating cybercrime requires a combination of exceptional tools along with expert knowledge. One of the unique elements of investigating cybercrime efficiently is that you need expertise in both computer science and social science. Unfortunately, there has not been a solid methodology to bring this cross domain expertise to fruition. It is vital that we close this gap and create a greater overlap between these domains.

In May of 2012, I attended the CEIC trade show where Guidance Software introduced the concept of EnCase App Central. We are all familiar with Apps for iOS, Android, Windows 8 and others, but this was clearly a different, more uniquely focused App model. The concept was simple but also revolutionary; deliver an open SDK that allows developers, investigators, forensic specialist or individuals with domain knowledge or expertise to build plug-in enhancements for EnCase v7. In late 2012, the Software Development Kit (SDK) became available and a broad range of interested parties began experimenting with the kit.

Moving forward to the 2013 CEIC show, the impact of EnCase App Central was becoming clear. So far over 40 Apps are available at EnCase App Central. Many are free; others are available for a reasonable cost. As you might expect, to access the new capabilities, you browse to the EnCase App Central Store, http://store.encase.com/appcentral/, obtain the app of choice (either free or pay) and install the delivered EnPack. EnPacks protect 3rd party developer code using the EnPack licensing model.

The Apps provide an interesting cadre of capabilities that improve efficiency, apply advanced analytics, extract unique evidence and, most importantly, integrate specialized tools directly into the forensic platform. All Apps are directly integrated into EnCase and produce findings such as custom bookmarks, detailed reports and results that are directly incorporated into the case data.

Instead of running an external tool and incorporating the results into a convoluted case presentation, the results can be part of the generated EnCase evidence report. Another advantage is the elimination of redundant evidence scanning. Since EnCase v7 already performs the heavy lifting and integrates potential evidence from various sources such as the enterprise, various storage devices, mobile device and memory snapshot applications; investigators can now focus on developing deep dive algorithms, specialized visualization and distinctive analytics.

For developers this is a huge step forward, because they can finally separate the acquisition, collection, preservation and storage of digital evidence from the intelligent analytics that need to be applied. One example is C-TAK (see Figures 4 and 5) which performs cyber threat discovery by examining digital fingerprints left by infringing cyber threats. Key artifacts left behind by these threats could be spread across memory snapshots, ordinary files, unallocated space or network evidence (i.e. pcap files). By navigating through the already processed case infrastructure, connecting the dots related to cyber threats can be done more efficiently and accurately than ever before. This will open the door and expedite the experimentation of new techniques for deeper analysis of digital evidence.

An example of an automation EnCase App Central solution is Image Analyzer which employs heuristics to scan and identify pornographic content. For examiners, analyzing hundreds, even thousands, of images in a case can be a time consuming and arduous task. Image Analyzer flags images of high risk and bookmarks them for further analysis. (See Figures 6-7)

Hats off to Guidance Software for having the vision to open their platform and allow interested 3rd parties to add their own unique investigative solutions and analytics. This will allow developers, researchers and investigators from around the world to work together to advance cybercrime technologies and ultimately change the rules of the game in our favor.

For a video demonstration of C-TAK, one of the App Central Apps, you can visit:


No comments :

Post a Comment