POSIX Regular Expressions in EnScript and .NET

James Habben

I am sure you have spent a little intimate time with EnCase doing keyword searches, so you know that EnCase has basic GREP capabilities. This is a powerful feature that allows for searches to be performed with patterns that can eliminate false positive hits. Recently, we hosted a webinar with guest Suzanne Widup, describing some techniques and benefits of using GREP in EnCase.

GREP is a term that comes from the Unix world long ago. It stands for Globally search for Regular Expressions and Print. This command line utility was used to search through data and print out results that matched the given pattern. Because of the popularity of the tool, the name has become synonymous with Regular Expressions (Regex). Though there is a defined standard, POSIX, the syntax of patterns used in Regex actually varies quite wildly depending on the platform engine and programming language that is being used. EnCase is no exception. In homage to our habit of prefixing our product names with “En”, I jokingly refer to our syntax of regex as “EnGrep.”

Feature Spotlight: Report Template Wizard

Ken Mizota

No forensic investigation is complete without a comprehensive report tailored to the intended audience. Whether the cases involve crime, civil litigation, or policy non-compliance, the end goal of an investigation is to share findings with others. EnCase Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a Report Template. While powerful, Report Templates can have a steep learning curve, and, particularly in time-sensitive investigations, simplicity may be more desirable than power.

EnCase Version 7.10 adds the Report Template Wizard. You can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting while maintaining the power of Report Templates. Read on beyond the jump to learn more.

Feature Spotlight: Portable Triage

Ken Mizota

EnCase 7.10 now includes full EnCase Portable capabilities at no additional cost.

In this post, I’ll explain what this means to the investigator and show some practical tips on how to make use of your new-found ability. Acquire Live RAM? Detect encryption? Perform snapshot? Capture screenshots of running Windows? Learn more after the jump.

Feature Spotlight: SED Unlock with EnCase & WinMagic SecureDoc

Ken Mizota

Self-encrypting drives represent a very specific problem for digital investigators. The direction of technology is clear: within the next few years, strong encryption will be baked into the silicon of every hard drive from every major manufacturer. Self-encrypting drives (SED) offer greater data security than traditional full-disk encryption in that the data stored is always encrypted at rest and the keys to decrypt the data never leave the device, which means they cannot be practically brute-forced through traditional means.

SEDs render “cold boot” and “evil maid” attacks useless and offer instant encryption and crypto-erase when a drive needs to be repurposed. SEDs are very attractive, but present significant obstacles to traditional disk-based forensics. In this post, we’ll walk through how EnCase 7.10 works with WinMagic SecureDoc to enable forensic investigation of self-encrypting drives.

Case Study: Chesterfield County Police Department

Cynthia Siemens


Many digital investigators in law enforcement work for multiple teams and agencies. Keith Vincent is no exception. In his current role in the Economic Crimes Unit of the Chesterfield County Police Department, his title is Detective. In his earlier work as a deputized U.S. Marshal for the Federal Bureau of Investigation’s Child Exploitation Task Force, he was the Task Force Officer, and in his work with Internet Crimes Against Children (ICAC), he served as ICAC representative for his agency.

Poweliks: Persistent Malware Living Only in the Registry? Impossible!

James Habben

The ultimate desire for malware authors is to be able to have their code run every time a computer starts, and leave no trace on the disk for us to find. Let me reassure you that it hasn’t happened just yet, at least not that I have seen. There have been plenty of examples over the years that have taken advantage of some clever techniques that disguise their disk-based homes, but that’s just it–disguise!

A couple of recent posts on “Poweliks” shed light on creative measures attackers use to store malware in the Windows Registry. In short, there is a registry value that executes an encoded script stored in another registry value, which then drops a file on disk for execution.