At parts 1 and 2 of the webinar series, "Transitioning from EnCase Version 6 to Version 7," we ran out of time to answer all of your questions. In this blog post, I've attempted to answer them and hope it helps you continue a productive transition.
View the webinars: Part 1 and Part 2
Can you discuss how you’ve made reporting less complicated and what resources we could use to simplify reporting even further?
Once the hard work of painstaking analysis and review of an investigation is complete, determining what to share with an external audience is an important, but often time-consuming task. EnCase® Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a polished examination report with a minimum of effort. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power. When time is precious and working with Report Templates is more complex than desired, we built the Report Template Wizard to make it faster and easier to perform basic reporting modifications directly from Bookmarks.
You can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting while maintaining the power of Report Templates.
We have lots of OS X investigations. What have you done or are you doing to improve MAC support?
In comparison to even just a few years ago, OS X investigation volume continues to grow. In support of this growing need, EnCase 7 has incorporated several capabilities specific to Mac investigations.
EnCase 7 offers comprehensive support for the HFS+ file system, including parsing of extended attributes and double files. Native support is provided for visibility inside OS X disk images, like DMG, bundles, sparse bundles, and the ability to decrypt containers protected FileVault1.
An OS X Processor Module is included to automatically harvest common system information, plists (XML and Binary) as well as system event logs.
EnCase 7 maintains support for investigation of the latest OS X 10.10 Yosemite versions, including remote investigation of a single OS X machine over the network. When operating in this mode, EnCase 7 has full access to logical volumes, which contain data in an unencrypted state, even when protected by FileVault 2.
I could go on for an hour on this topic alone, but it’s worthwhile to mention a couple of resources:
Take a look at our Digital Forensics Today blog for articles on examining Time Machine Backups and the Quick Look Thumbnail cache.
Check out EnCase® App Central, where several EnCase integrated utilities for OS X investigations are available for free download.
You didn’t discuss decryption. Can you talk a bit about your decryption capabilities?
Dealing with full-disk, full-volume, and file-level encryption is increasingly a firm requirement of any investigation. If your tool can't read the data, it doesn't matter how many artifacts are parsed, or how faithfully the evidence is preserved. You won't find much, and it’s a really inconvenient problem.
Encryption vendors are not incentivized to make it easy to decrypt their protection. Yet, this is exactly the capability investigators need.
EnCase 7 addresses this problem by partnering with the industry leaders in encryption technologies and by delivering fully supported decryption capabilities. Some examples of the partners we integrate with include: Symantec Endpoint Encryption, PGP Whole Disk Encryption, Sophos SafeGuard, WinMagic SecureDoc, Dell Data Protection, McAfee Drive Encryption, and more.
I often hear from investigators: "This decryption capability saved my bacon." It's good in a tight situation.
If you want to triage a case but don’t want to process the case first, what is your recommendation?
I think is really important that investigators understand there is a lot of diversity problems and how they need to be solved. Investigators must not only overcome obstacles of understanding the data, but also doing so within time constraints. There's no single way to triage, so EnCase 7 enables several techniques:
a. At times, all you need is a quick look of the evidence to determine whether the evidence is worth processing. Opening an evidence file, or multiple evidence files and viewing them in a single view can be very efficient. Add a couple evidence files or network previews to your Case. In the evidence pane, blue check the files and click the Open button. All of the file system entries can be recursively displayed and sorted, for a quick read of the files and metadata present.
b. Going a bit deeper, you might want to perform some level of processing of the evidence, but want to review the data as it is being processed. The EnCase Evidence Processor provides Prioritized processing, which allows the investigator to review user created data first, as it is processed, independent of the contents of the rest of the evidence.
c. Finally, if you have a good sense of what you are looking for, but still want to perform some basic processing on the data itself, an investigator can perform a search to create a result set, and then just process the items in that result set.
I hope you'll take away the fact that the EnCase toolset gives you many options that can be adapted to your needs and workflow.
Can you provide insight into how to set up the processor settings so that EnCase processes the evidence quickly and effectively?
Entire papers have been written and training labs built on this topic, so I won't go into great detail here. Digital Intelligence, makers of the famed FRED workstations, have published a great article on hardware selection for EnCase 7, which I highly recommend.
If I have one bit of advice to share, it’s that disk I/O on the EnCase Evidence Cache is the first determining factor of performance in EnCase 7. We're dealing with large datasets with millions of items, so having the fastest I/O subsystem and devices is highly recommended. This is much different than the way EnCase 6 was architected, and having an understanding of this is central to a good experience.
How do you mount (View File Structure) multiple files at the same time?
You can try this EnScript®-based filter, available on EnCase App Central.
How could I add the SHA1 hash value to be showed below the MD5 value in the report?
This can be easily modified using the Report Template wizard. You can learn more about this feature in an earlier blog post on the topic.
Can you change reporting properties in Bookmarks?
How do you customize different attributes to show in your report, such as file extension, hash value, deleted etc..?
How could I add the SHA1 hash value to be showed below the MD5 value in the report?
We've made modifying and editing reports much simpler in recent releases. From the Bookmarks view, right click on the Bookmark Folder you want to add to your report. You'll be presented with a dialog that allows you to select the part of the report you'd like to add the folder to, and if you like, you can customize the metadata you would like displayed.
I've put together a brief blog post on this topic, which I recommend if you want to learn more at your convenience.
Can v7 analyze IE 11?
Yes, EnCase offers support for parsing and analyzing contents of IE10 and 11 data formats - specifically, the Extensible Storage Engine format, ESEDB.
Ashley apparently showed an inclusion hash list. How would you show excluded hashed items such as from the NSRL list?
Using Hash Libraries, is it possible to easily EXCLUDE hash values? I think the example used here was filtering looking for specific hashes
The Find Items by Hash Category filter includes the ability to invert the results, which finds items NOT in selected categories. In this way, you can control what you want to see by selecting hash categories and choosing to invert or not.
Can you talk about the difference between conditions and filters and when you should use one versus the other?
Filters and Conditions functionally perform similar tasks: subjecting data to criteria and presenting a result set to you for review.
Conditions are intended to be used to filter in on specific metadata about a file. A point-and-click user interface is provided to implement simple or complex, boolean logic operating on the metadata of files or emails.
Filters allow for more complex logic. Algorithms can be implemented in Filters to work with metadata or content of evidence. Filters are built by Guidance Software, or by investigators comfortable with the EnScript programming language. Several filters are included with EnCase, and you can find more on EnCase App Central.
Why can't I layer conditions and filters like I could in Version 6?
Earlier releases in v7 did not include this capability. More recently, you can create Result Sets from your conditions and filters. Result Sets can then be subsequently filtered to achieve layering of searches.
I’m confused about what is a record versus a bookmark versus something else in v7. It’s different in v6. Can you provide some clarity?
Records result from analysis of data residing within an evidence file. They represent derived data.
Bookmarks are a reference to data in your case. They represent an investigator’s commentary and notes.
EnCase Version 6 treated all data as if it resided in an evidence file, in a specific tree structure. When dealing with composite artifacts, such as system information, Internet artifacts, or even a complex i-nbox folder structure in a PST, a singular tree structure encompassing ALL data wasn’t sufficient for dealing with large volumes of items.
Version 7 adds the ability to differentiate between entries in a file system from records derived from the data, and keeps the ability to annotate, comment, and report on either in Bookmarks.
I haven’t seen a module for rebuilding webpages. Do you have one?
There is a webpage rebuilder EnScript available on EnCase App Central.
My favorite feature of v6 was being able to Timeline -- is there anything like that in v7 or is there a plan to include it in upcoming releases?
I recommend reviewing the MACE Timeline EnScript on EnCase App Central.
It seems that v7 is intended for complex cases, whereas v6 was intended to handle simple cases. How can I effectively use v7 for simple cases?
In the last webinar, I talked a bit about triaging a case using v7. In short, v7 can be used for simple triage and for viewing file systems quickly and efficiently. It also has the range to handle larger, more complex cases involving many types of data for review.
One of the triage features discussed is the ability to open multiple devices simultaneously, performing a recursive "green plate" search, and sorting all entries across devices simply.
EnCase should provide an accurate estimate of how much longer processing is going to take. My company uses it for incident response, and the client wants to know when they will be provided results. The fact that it can take between a day and a week is unacceptable.
Version 6 is no different in this regard. Depending on what you ask EnCase to do, performance will vary.
In v7, we introduced the Performance view within Evidence Processor Manager. This allows you to view the precise work that is being executed at the moment, including an estimate of progress.
The evidence cache takes up quite a bit of space. I can I manage it more efficiently on my system.
Whereas v6 could take minutes or hours to open a case with many evidence files and many bookmarks, v7 can open such cases within seconds. How does v7 do this? The answer is the evidence cache.
The size of the evidence cache can be quite large, and that is simply inevitable when processing and extracting data from large evidence files.
The most effective way of managing the size of the evidence cache is to perform only the processing and analysis that you need. For example, using the File Carver module to extract files from unallocated space can significantly increase storage requirements, because each individual file is being extracted for review. If your case doesn't require carving in unallocated, then this analysis may be eliminated, reducing the impact on the evidence cache.
In EnCase® Enterprise, to get a memory image I need to add host list (of IP addresses) as targets, Why can I not pick from a list of machines that EnCase knows have servlets installed!?
Neither v6 nor v7 has a method of determining where servlets are installed. The servlet is passive by nature, which means it does not reach out to communicate with the EnCase Examiner or SAFE. This avoids introducing unnecessary network traffic.
What should I expect when I use File Carver in v7? It doesn’t appear to work as well as the file carver in v6.
File Finder and File Carver offer different capabilities. We have a detailed knowledgebase article on how File Carver works and the differences between File Carver and File Finder on the Guidance Software Support Portal.
In v6 I could choose the option ‘Tag Selected Files’ in Bookmarks so that they’d show up in Entries already checked. Is there a similar function in v7?
Both Tag and Untag Selected Items, as well as the inverse, Select Tagged Items, are possible in EnCase 7.
Does the case files size grow as a result of the indexing process? Does this have any impact on the performance of the software?
The case file does not grow significantly, but the Evidence Cache, a component unique to EnCase 7, will grow with the size of the data indexed. In some ways, the performance of the software is enhanced by having more data indexed – index searches are faster, more convenient, and more versatile than raw keyword searches.
In v6 I could export a quick report based on items I had checked and any columns I wanted in the Entries pane. Is there a similar function in v7?
Yes, in the upper right corner of the table view, you can click “Save As”.
Does the IM Parser recover instant messenger conversations from Microsoft Lync 2010?
No, not at this time.
Can v7 parse out chats from smartphone extracted in EnCase?
The smartphone examiner can extract SMS messages, but due to the variety of chat applications and artifacts on smartphone operating systems, EnCase does not claim to support extraction of all chat applications or artifacts.
The ability to sweep bookmarks was not available in early versions of 7. Has this functionality been added in since?
Yes, after sweeping text in Text or Hex tabs, you can right-click, select Bookmark, and then Raw text.
No comments :
Post a Comment