Part 1 - So much evidence, so many artifacts, so little time…

Ken Mizota

I’ve recently taken to tweeting about some of the latest additions to EnCase App Central, and it’s been a reminder of the impressive ingenuity and dedication within the digital investigations community. Our humble app store has grown to house over 100 solutions, extending and increasing the efficiency and efficacy of digital investigations. At Guidance Software, we take pride in shipping software that helps investigators find more evidence faster, and we see EnCase App Central as a key component of EnCase.

There is truly no one tool or organization that can claim to address the diverse needs of today’s digital investigators. There are just too many artifacts, spread across too many devices, and more appear every day. As a product manager at Guidance Software, I can safely say: there are not enough engineers in any one company to put the best tools in front of investigators. However, through EnCase App Central, we think investigators have a fighting chance, and we think investigators should take this into account when investing their time in a toolset. We aim to provide two things:

Comprehensiveness: Extend the power of your EnCase investment with timely, sophisticated analysis.
Efficiency: Reduce the amount of effort it takes to perform common tasks throughout an investigation.
I know it’s challenging to keep abreast of what is available at any given point in time. EnCase App Central developers add apps all the time, and it can be hard to find the time to work out whether something already exists that can move your investigation forward. To that end, I’d like to offer a sampling of the free solutions that might help you in your case work.

Apps to help you search and explore your case

Keyword Search with Range Bookmarking: A common request in many an investigation: perform a raw keyword search and bookmark a specified number of bytes on either side of each hit.

Categorize File Extensions & Bookmark Them: Define criteria and then automatically bookmark resulting files into sub-folders by file type. This app does the heavy lifting of sorting and categorizing, allowing you to review and connect the dots in the case.

Export by Extension: Export all files that match a list of extensions entered. Simple. Time-saving.

Create Result Sets for Hash Categories: Create Result Sets containing items that match each of the hash categories in your case. Get to the review stage of your investigation faster.

Create Result Set Excluding Unwanted Items: Take a hash library with a “Known” category and quickly create a Result Set containing just what you want, and explicitly exclude items you do not by file path, file type, file extension and more.

Search and Bookmark Specific Data Types: Search for one or more keywords and bookmark with a specific data-type encoding (picture, ROT13, low ASCII, etc.).

CompoundFileMounter: Mounts compound files in bulk, so they may be searched more easily by the Evidence Processor.

Apps for malware investigations

Team Cymru Malware Hash Registry Search: Query the Team Cymru Malware Hash Registry directly from your case.

Md5MalwareDbCheck: Save your fingers from monotonous copy/paste operations between one tool and another. Check for malicious files on or, querying directly from your case in EnCase.

Low Hanging Fruit: Correlate unique hashes in EnCase against external hash libraries, to help efficiently identify potentially malicious files.

Hash Library: A repository of malware samples, built in the EnCase Hash Library format. The latest version includes 0 through 119 torrents.
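The hash-correlation workflow behind the Team Cymru Malware Hash Registry Search and Low Hanging Fruit entries above, as an added example that is not code from EnCase App Central or from any of the apps listed here: hash the files in a case, drop anything already in a "Known" hash library, collapse duplicate content to one unique hash, and build the DNS TXT lookup name that the Team Cymru Malware Hash Registry (MHR) answers for MD5 or SHA-1 digests. The MHR answer format parsed here ("<unix timestamp> <detection percentage>", NXDOMAIN when the hash is not listed) is the one Team Cymru documents; the sample files, the "Known" library and the resolver answers are constructed for the example, and the `triage` function takes a dictionary in place of a live resolver so the code runs offline.

```python
"""Hash triage: exclude Known hashes, de-duplicate, and look up unique hashes
against the Team Cymru Malware Hash Registry (MHR) over DNS.

Added example; not the code of any EnCase App Central app.  All inputs below
are constructed.  The DNS query itself is left to a resolver of your choice
(e.g. a TXT lookup of the name returned by mhr_query_name); this module only
builds the name and parses the answer.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MHR_ZONE = "malware.hash.cymru.com"  # MHR DNS zone: <md5|sha1>.malware.hash.cymru.com

# Constructed sample "evidence": path -> file content
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Windows/System32/notepad.exe": b"known good binary",
    "C:/Users/jdoe/AppData/Local/Temp/svchost.exe": b"MZ... suspicious dropper",
    "C:/Users/jdoe/Downloads/invoice.pdf.exe": b"MZ... suspicious dropper",  # same content, second copy
    "C:/Users/jdoe/Documents/notes.txt": b"meeting notes",
}

# Constructed "Known" hash library (MD5 hex -> category), standing in for a
# Known/NSRL-style library in the EnCase Hash Library format
KNOWN_LIBRARY: Dict[str, str] = {hashlib.md5(b"known good binary").hexdigest(): "Known"}


def hash_file(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha1) hex digests; these are the two algorithms MHR accepts."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def unique_unknown_hashes(files: Dict[str, bytes], known: Dict[str, str]) -> Dict[str, List[str]]:
    """Drop files whose MD5 is in the Known library and collapse duplicates.

    Returns md5 -> paths sharing that content, so each unique hash is looked
    up once no matter how many copies the case holds.
    """
    out: Dict[str, List[str]] = {}
    for path, data in files.items():
        md5, _ = hash_file(data)
        if md5 in known:
            continue
        out.setdefault(md5, []).append(path)
    return out


def mhr_query_name(hex_hash: str) -> str:
    """Build the DNS name for an MHR TXT lookup; rejects anything but MD5/SHA-1 hex."""
    h = hex_hash.lower()
    if len(h) not in (32, 40) or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("MHR accepts only MD5 (32 hex) or SHA-1 (40 hex) digests")
    return f"{h}.{MHR_ZONE}"


@dataclass
class MhrResult:
    md5: str
    last_seen: Optional[int]        # unix timestamp MHR last saw the sample; None if unlisted
    detection_pct: Optional[int]    # AV detection percentage reported by MHR; None if unlisted

    @property
    def listed(self) -> bool:
        return self.last_seen is not None


def parse_mhr_txt(md5: str, txt: Optional[str]) -> MhrResult:
    """Parse one MHR TXT answer.  txt is None when the lookup returned NXDOMAIN
    (hash not in the registry).  A listed hash answers "<timestamp> <pct>"."""
    if txt is None:
        return MhrResult(md5, None, None)
    parts = txt.strip().strip('"').split()
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MHR answer for {md5}: {txt!r}")
    return MhrResult(md5, int(parts[0]), int(parts[1]))


def triage(files: Dict[str, bytes], known: Dict[str, str],
           answers: Dict[str, Optional[str]]) -> List[MhrResult]:
    """Hash, exclude Known, and resolve each unique hash through `answers`,
    a dict (query name -> TXT string or None) standing in for a DNS resolver."""
    return [parse_mhr_txt(md5, answers.get(mhr_query_name(md5)))
            for md5 in unique_unknown_hashes(files, known)]


# Constructed resolver answers for the sample files (not real MHR data):
# the dropper is "listed", notes.txt has no record (NXDOMAIN -> None).
SUSPICIOUS_MD5 = hashlib.md5(b"MZ... suspicious dropper").hexdigest()
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {mhr_query_name(SUSPICIOUS_MD5): '"1284169008 27"'}

if __name__ == "__main__":
    for r in triage(SAMPLE_FILES, KNOWN_LIBRARY, SAMPLE_ANSWERS):
        print(r.md5, "LISTED" if r.listed else "not listed", r.detection_pct)
```

Two practical points the code makes explicit: de-duplicating before lookup keeps the query count at the number of unique hashes rather than the number of files, and a missing record (NXDOMAIN) is a normal "not listed" result, not an error, whereas a malformed answer is rejected rather than silently treated as clean.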

C-TAK (Cyber-Threat Analytics Knowledgebase): WetStone’s fully integrated threat identification app provides the know-how of WetStone, unleashed on your case to identify potentially malicious files.

Volatility Reporting Plugin: Memory analysis tools, launched from and integrated into EnCase. The latest update from John Lukach incorporates user feedback to deliver even more efficiency to malware investigations.

MemoryAnalysis: Automated memory analysis for Windows, OS X and Linux RAM images.

In my next post, I’ll focus on Apps to parse and analyze evidence as well as apps to help you manage your investigation.

If you have questions, would like to learn more, or have ideas for apps you’d like to see, feel free to start the discussion below.
