EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting

Part 2 of 3 – Jamey Tubbs' Time Zone Prior to Processing

Robert Batzloff

And we’re back with another post to walk you through one of the over 150 EnScripts® that can be found at EnCase® App Central. This three-part series will introduce and explore four EnScripts to help you make the most of EnCase App Central, manage and organize your evidence, and finally, show you a new option when it comes to creating your case report. In the previous post we discussed What’s New in App Central and Manfred’s Comprehensive Case Template. In this post we’ll walk through Jamey Tubbs’ incredibly helpful, time-saving EnScript: Time Zone Prior to Processing.

Time Zone Prior to Processing

Download Here

As an examiner it’s critical to determine the time zone settings of hard drives with the Windows OS installed before processing the evidence. Time stamps and other temporally related items usually provide the most damning evidence or the best alibis. Without the proper time zone setting, the former can easily become the latter and then the bad guy walks.

If regional time zone settings are not defined by the user, then by default EnCase implements the examination machine’s regional settings on the case during processing. It’s not a good idea to let EnCase determine the time zone based on the examination machine’s settings. Doing so runs the risk of invalidating evidence because multiple evidence files from multiple computers may have different regional settings, different from one another as well as the examiner’s machine.

What you should do is locate the time zone setting for each device, bookmark these settings, and then manually change each device’s time zone settings under the device menu. The steps involved in properly determining a device’s time zone setting are pedantic, time-consuming, and include navigating the SYSTEM registry hive, combing through ControlSet subfolders, interpreting hex with Little-endian, etc.

Enter the "Time Zone Prior to Processing" EnScript

Instead, you can use this EnScript, created by Guidance’s own Jamey Tubbs (@JameyTubbs), and automatically parse out the proper time zone information for each device. The EnScript then automatically creates a bookmark folder for every device in your case containing time zone information, making this info easy to find and reference.

The one thing the script does not do is make the change within the device settings; you need to complete this final step on each evidence file before processing. I’ll show you how to run the EnScript and then note when and where you must make these changes.

Like most EnScripts on EnCase App Central, this EnScript is simple to run. Select the EnScript option from the toolbar and run Time Zone Prior to Processing. Most EnScripts contain a unique UI or menu but this EnScript automatically runs and its progress can be seen at the bottom right of the screen.

Once complete, a bookmark folder titled Time Zone Information will be created in the tree pane. Within it will be subfolders for each device’s respective time zone information. Selecting the device in the table pane and selecting the ‘report’ tab in the view pane will show you the TimeZoneRegistry Data, here you’ll find the information you’re looking for.

Gotcha, Peterson.

This last step is arguably the most important and must be done manually. The EnScript only gives you the time zone information; it’s up to you to implement it. If you don’t and then process your evidence, you run the risk of reporting incorrect time zone information. And again, bad guy goes free.

To change the device’s time zone setting go to the Evidence, Viewing (Entry) tab. Right-click on the evidence file in the left pane; select Device, Modify Time Zone Settings. Select the proper time zone as noted in the newly created bookmark folder and then process your evidence.

There you have it. One free EnScript developed by one of our long-term trainers can save you time and make sure your evidence is in proper order before processing. 

Thanks again for reading. Our next post will highlight the fantastic EnScript, Quick Report, from Brett Liddicoet. If there is an EnScript category you'd like me to cover or maybe a single EnScript you think deserves some more coverage, or if you’d like a tutorial for any of the 150+ available EnScripts, please let me know in the comments.

You can connect with EnCase App Central on Twitter account, where you can find links to all the new or updated EnScripts the day they’re made available. 

If you have any questions regarding the EnScripts discussed in this blog post, drop us a line or visit the EnCase App Central support portal. Each EnScript developer has a discussion board dedicated to answering questions or posting more information about their EnScripts. 

No comments :

Post a Comment