Feature Spotlight: Portable Triage

Ken Mizota

EnCase 7.10 now includes full EnCase Portable capabilities at no additional cost.

In this post, I’ll explain what this means to the investigator and show some practical tips on how to make use of your new-found ability. Acquire Live RAM? Detect encryption? Perform snapshot? Capture screenshots of running Windows? Learn more after the jump.

If you’re unfamiliar with EnCase Portable, it is a USB key-based tool designed for on-scene work, namely triage and collection. EnCase Portable offers two modes of use: the forensically trained investigator configures jobs on the EnCase Portable USB key, and the non-expert field technician runs Portable with a minimum of effort or training.

Jobs can be configured to consist of any combination of processing modules, depending on the type of on-scene work, for example:
  • Live RAM acquisition
  • Take a snapshot of running processes, ports, DNS cache, ARP, etc.
  • Detect full-disk encryption
  • Search for and preview pictures
  • Run bespoke EnScript
Once configured, EnCase Portable is built for situations where a non-expert technician is pressed into duty to perform on a tight timeframe. On-scene personnel don’t have time to wait for analysis or processing to occur; they need to know which action to take next. Think of these sorts of questions: “Is the drive encrypted?” “Can I shut it down?”

EnCase Portable is a standalone product that works independently of EnCase Forensic and EnCase Enterprise, but it is now also available as part of its older, more capable siblings.

Configuring a Portable Device

In the Tools menu, you’ll find a new option, Create Portable Device.

With this tool, you’ll be able to configure any removable storage device, including an EnCase Portable USB key, to run EnCase Portable. When we launch the tool, Portable Management appears. From this interface, we can create and manage jobs and prepare new devices. Select a locally attached external storage device (e.g. F:) and click Configure Device.

EnCase will begin to copy all required binaries and libraries to the selected USB device.

Once the copy is complete, we can select the type of job we want to add to the Portable device. In the example below, we’ll select the On-scene Intelligence Collection job (1) and add it to the device (2).

With a few clicks we have crafted a fully functional EnCase Portable device, complete with an EnCase installation and Portable jobs. All we need to do now is take our USB drive and our EnCase Forensic, Enterprise or Portable dongle and head on-scene, or mail it to on-scene personnel (half-way around the world).

Easy On-Scene Intelligence

We’ve configured a single job on the USB stick, so let’s see how the on-scene technician will interact with the tool. All the technician needs to do is plug the prepared Portable device and their Portable USB key into the target machine. If you have an old and crusty USB stick and an equally crusty EnCase Forensic dongle, it would look like this:

Of course, if you already own an EnCase Portable dongle, you can also configure that device with the same capability (and use a single dongle if you like).

From Windows Explorer, execute Run Portable.exe. EnCase launches and automatically loads the EnCase Portable UI. Since we prepared the USB stick with only one job, we have only one option:

With a click of the mouse the job executes. This pre-configured job collects live RAM, performs a snapshot to obtain running processes and other volatile artifacts, collects screen captures of open windows, and scans physical volumes to detect full-disk encryption. This job is designed to run within a short period of time, but of course jobs may be tailored to meet your needs (e.g. snapshot only, or live RAM only).

All of the data and resulting analysis is captured onto the Portable device for immediate review, or for later review back in the lab. For example, you could use the encryption report to determine whether it is safe to turn off a target machine and image it with a Tableau Forensic Duplicator. You might collect live RAM so that you can return to your lab and analyze it with the Volatility Reporting Plugin within EnCase.

Craft your diamond sword

(not an actual screenshot)

I don’t play Minecraft, but I think the “crafting” analogy works in this case. We think this new ability will provide great value to investigators, primarily because investigations require flexibility: you don’t know what you will encounter next, but you likely have the raw materials at your disposal to fashion the tool you need. Give this new-found ability a try in EnCase 7.10, and let us know how your on-scene investigations go in the comments below, or reach me on Twitter @kenm_encase.
