tag:blogger.com,1999:blog-60121802555514543142024-03-04T20:47:03.023-08:00Digital Forensics Today BlogAnonymoushttp://www.blogger.com/profile/05219056359611084358noreply@blogger.comBlogger110125tag:blogger.com,1999:blog-6012180255551454314.post-37292638403715625242016-05-20T17:32:00.001-07:002016-05-20T17:32:38.395-07:00We've Moved! Visit Our New Blog<div class="p1">
<span class="s1">We’ve got a fresh new look! </span></div>
<div class="p1">
<br /></div>
<div class="p1">
Please visit us at our NEW blog: <span class="s2"><a href="https://www.guidancesoftware.com/resources/blogs">https://www.guidancesoftware.com/resources/blogs</a></span></div>
guidancesoftware101http://www.blogger.com/profile/13513583878393331499noreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-9028451558146737202016-03-24T13:40:00.002-07:002016-03-24T13:41:51.487-07:00Training the Next Generation of Cyber Investigators; Be Fearless Says Patrick Dennis<div class="MsoNormal">
High-profile breaches, like Target, are just the tip of the
iceberg.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Our CEO Patrick Dennis discussed the state of cybersecurity
with students at the National Technical Institute for the Deaf (NTID), who are
participating in their first-ever forensics boot camp.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“There are many more breaches that people never hear about,”
Patrick said. He believes the real number is far higher, likely at least
90 million breaches per year.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Attacks are becoming more sophisticated and cybercriminals are
customizing their attacks to the organization that they’re targeting. At least
60 percent of organizations will be successfully attacked or targeted this
year.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The cyber landscape is also constantly changing. For
example, the number of devices attached to the Internet is increasing.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“If it attaches to the Internet, it can be attacked and
everything is connected to the Internet,” Patrick added.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Companies are also shifting to doing more business
digitally. However, there’s an estimated $3 trillion in lost revenue because
companies can’t digitize fast enough due to security issues.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">Today’s Cyber Job
Market</b></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><br /></b></div>
<div class="MsoNormal">
There is a major labor shortage in the IT security industry,
Patrick told the students. Thousands of jobs are going unfilled. “There’s an
opportunity for you today,” he said.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
According to a project conducted by the Stanford University
Journalism Program, more than 209,000 cybersecurity jobs in the United States
are unfilled, and postings are up 74 percent over the past five years. The demand for
information security professionals is expected to grow by 53 percent through
2018.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“You’re picking up the industry’s hottest skill set,” he
said.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">The Road to CEO</b></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;"><br /></b></div>
<div class="MsoNormal">
“I didn’t have the most traditional path,” Patrick added.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
After his father had a heart attack when he was in
high school, he decided to go to college closer to home. He ended up working
full-time at Eastman Kodak while attending Rochester Institute of Technology (RIT)
at night.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“I believe things in life happen for a reason,” he suggested.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
He started out as a developer, eventually transitioning into
sales. He worked at Oracle, where he led the development of Oracle’s commercial
business in North America. Patrick went on to become senior vice president and
chief operating officer of EMC’s Cloud Management Division.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“The path to CEO is not so straight,” he told the students,
later adding, “I think it’s important to have goals but you never know what’s
going to happen.”</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
He also stressed the benefits of traveling and experiencing
different cultures. Patrick has visited at least 20 different countries.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“Traveling gives you a greater appreciation for
communications and dealing with diverse people,” he said.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Patrick also encouraged the students to embrace the ideas
they come up with while at NTID, noting that his most inventive years were when
he was younger.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
"Be fearless in acting on your great ideas."</div>
guidancesoftware101http://www.blogger.com/profile/13513583878393331499noreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-58856615341319277492016-03-23T10:47:00.000-07:002016-03-23T10:47:40.401-07:00NTID Forensic Boot Camp: Learning to be Your Own Advocate<div class="MsoNormal">
The inaugural National Technical Institute for the Deaf (NTID) forensics
boot camp kicked off this week with a day-long training session. Throughout the
week, students will have the opportunity to learn more about digital forensics,
including Guidance Software’s suite of EnCase products.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
On Monday, participants met with Scott Van Nice, an NTID
alumnus and computer forensics manager at Procter & Gamble (P&G). Scott
discussed his career path, offering advice to the students on navigating the
post-college world.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
When Scott interviewed at P&G, although he asked for an
interpreter, one was not available. Working together, they were able to find a
compromise – Scott and the interviewers used his computer to communicate.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“Sometimes things go wrong and you have to find a way to
make them work,” Scott told the students.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Although he had been planning to take a trip to Europe,
Scott decided to accept an internship at P&G. He told the students that
they will sometimes have to weigh short-term gains against long-term gains to
make decisions.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
After his internship, Scott accepted a full-time position at
P&G. While there, he worked hard to ensure that the company could accommodate
his and other people’s needs. He helped push towards a central fund for
workplace accommodations at P&G – as opposed to having each department pay
for it.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
“You need to become your own advocate,” Scott said.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Scott has discussed his experiences at P&G publicly – “<a href="http://www.cincinnati.com/story/money/2015/12/12/pg-exec-ve-learned-how-embrace-being-deaf/76962160/">P&G
exec: I've learned to embrace being deaf</a><span class="MsoHyperlink">,</span>”
helping to highlight issues around accommodation to pave the way for future
employees.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
During his career, Scott earned his law degree and began to
work in electronic discovery and computer forensics. However, he recognized
that communication in the workplace was a challenge. Working with P&G, which
helped him identify how to perform at his best, he was able to take a more
vocal role – addressing team meetings – and eventually was assigned a personal
interpreter. Currently, he is on track towards a Master’s in Informatics and is
interested in insider risk, which involves studying how to better protect
internal data from malicious employees, third parties, or business
partners.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
During an <a href="https://youtu.be/sx756Tgacaw">interview</a>
about his experiences at P&G, Scott noted: “P&G recognizes that
everyone is different, but what they bring to the table is exceptional.”</div>
<div class="MsoNormal">
<hr /></div>
<div class="MsoNormal">
Fast facts about NTID</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
NTID is the first and largest technological college in the
world for students who are deaf or hard of hearing.</div>
<div class="MsoNormal">
<br />
The college was established after President Lyndon B.
Johnson signed the National Technical Institute for the Deaf Act. The bill
provided for the establishment and operation of a co-educational,
post-secondary institute for technical education of persons who are deaf or
hard of hearing.</div>
<div class="MsoNormal">
<br />
A total of 1,413 students were enrolled as of fall 2015, including 1,167 deaf and
hard-of-hearing undergraduates and 151 students enrolled in the ASL-English
Interpretation program.</div>
guidancesoftware101http://www.blogger.com/profile/13513583878393331499noreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-47051000911335414682016-01-01T06:00:00.000-08:002016-01-01T06:00:15.768-08:00Wishing you a happy and prosperous 2016!<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAXYG20PgQUuVrQazpwyJ2fXZL_0wTt4JvX2uE_Go3eyJkFzMZq-x7RM6jnCbFqz3gO3nPfMSAENvPPD1e27ci0VbnmT2PgHpyOzT6_ySH2n3LnB8WZYv2aTl59VgsNnLN0lCZneRs3XA/s1600/happyNewYear2016.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAXYG20PgQUuVrQazpwyJ2fXZL_0wTt4JvX2uE_Go3eyJkFzMZq-x7RM6jnCbFqz3gO3nPfMSAENvPPD1e27ci0VbnmT2PgHpyOzT6_ySH2n3LnB8WZYv2aTl59VgsNnLN0lCZneRs3XA/s1600/happyNewYear2016.png" /></a>Anonymoushttp://www.blogger.com/profile/05219056359611084358noreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-14431171612798352782015-11-19T16:37:00.000-08:002015-11-19T16:51:11.787-08:00Now Available OnDemand: Advanced Internet Examinations CourseGood news: Now you can learn the latest browser artifacts and peer-to-peer sharing applications in our newly recorded <a href="http://bit.ly/1SEuxg5" target="_blank">EnCase OnDemand Advanced Internet Examinations course</a>. Examiners who take this updated class will leave equipped to understand user activity and recover evidence critical for your investigations.<br />
<br />
<a name='more'></a><h4>
What We'll Cover</h4>
We'll guide students through such topics as:<br />
<br />
<ul class="list">
<li>Internet activity: Google Chrome, Internet Explorer, and Firefox – all updated with the latest artifacts</li>
<li>Peer-to-peer file sharing applications: BitTorrent, Ares, and Gigatribe</li>
<li>How to rebuild webpages from the cache</li>
<li>Web search engines</li>
<li>Email fundamentals, including recovering deleted emails</li>
</ul>
<div>
<br />
Keep your skills up-to-date from the comfort of your home or office – no travel justification needed.<br />
<br />
<b>For more details, </b>check out the <a href="http://bit.ly/1SEuxg5" target="_blank">course syllabus here</a> or reach out to our <a href="mailto:training@guid.com" target="_blank">training staff via email</a>.</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-58442431957577644002015-11-03T17:13:00.000-08:002015-11-04T10:07:45.213-08:00Sneak Peek at One Piece of Our New LogoUPDATE: We have our three winners! Thanks for playing and helping us celebrate our new look and logo, everyone.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVFu7ZCUpJ8rPquIfingDu7yWH6nGApD6VnSKYike9x472fvM9wI1xYxSCGoEichXT5xg8zAHYb5tMhcKGhfthLdLj76I9voZ8nkznCuiMMlK6sw4K-EtYI-P5ptvv6gn46wEczi1p4Ow/s1600/game+over.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVFu7ZCUpJ8rPquIfingDu7yWH6nGApD6VnSKYike9x472fvM9wI1xYxSCGoEichXT5xg8zAHYb5tMhcKGhfthLdLj76I9voZ8nkznCuiMMlK6sw4K-EtYI-P5ptvv6gn46wEczi1p4Ow/s320/game+over.png" width="320" /></a></div>
<br />
<a name='more'></a><br />
<br />
<br />
<h4>
Original blog post</h4>
Since 1997, Guidance Software has had a look--was it a watch or a stack of discs?--but we decided it was time for a makeover. To give you a sneak peek at it prior to this week's official unveiling, we've decided to deploy the classic "Easter egg" hunt within our HTML code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnhyxczDZCqZ2QSoRJMg5UeX65aBC4bShVADnWTxoWHOU0VkNS1Jofxl5eua29rHJkg4iGlDGkYzF8nqUTOTGgj81l7fFPJq3tkd_I7KtkSpXw6l_atiOILTm3DPOQN_xcz0cXzGFEWB0/s1600/question+egg.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnhyxczDZCqZ2QSoRJMg5UeX65aBC4bShVADnWTxoWHOU0VkNS1Jofxl5eua29rHJkg4iGlDGkYzF8nqUTOTGgj81l7fFPJq3tkd_I7KtkSpXw6l_atiOILTm3DPOQN_xcz0cXzGFEWB0/s1600/question+egg.jpg" /></a></div>
<br />
We'll have an official press announcement revealing the new logo just after 1:00 on Wednesday, November 4, but those of you who are reading this can earn a special preview by finding the "Easter egg"--a link to one piece of our shiny new logo somewhere in this blog post. In fact, you'll soon find clues to the locations of the other three Easter eggs on our <a href="http://www.twitter.com/encase" target="_blank">@EnCase account on Twitter</a> (no Twitter account required to view our page) and on <a href="http://www.facebook.com/guidancesoftware" target="_blank">our Facebook page</a>. Just email all four parts AND the four URLs where the pieces were found to newsroom@guidancesoftware.com.<br />
<br />
The first three players to send the correct logo -- based on email timestamps -- will win a $250 American Express gift card, plus a t-shirt and coffee mug emblazoned with the new logo.<br />
<br />
<b><a href="https://www2.guidancesoftware.com/PublishingImages/social-easter-eggs-01.jpg" target="_blank">G</a>et to know our new look before the rest of the world -- we dare you!</b><br />
<h4>
And of course... there's some fine print</h4>
<div>
<div style="background: white;">
</div>
<ol>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">ENTRY: No purchase necessary to enter or win. Contestants will enter by submitting images and URLs via email to newsroom@guidancesoftware.com.</span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">ELIGIBILITY: This contest is open only to legal U.S. residents over the age of 18. Employees of Guidance Software, Inc. (“GSI”)(along with its contractors, affiliates and subsidiaries) and their families are not eligible. Void where prohibited by law. Contestants residing in those areas where the contest is void may participate in the contest, but may not win any prizes. </span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">WINNER SELECTION: Social media posts to Guidance Twitter and Facebook profiles/pages will give clues as to where to find a hidden link to one of four parts of our new logo. Participants must figure out where the posts are in our multiple blogs, find the links, click through, and email all four pieces along with the four URLs where the pieces were found to newsroom@guidancesoftware.com. First three players (based on time stamps in email) to submit the four logo pieces and URLs to newsroom@guidancesoftware.com win prizes named below. All decisions of the judges are final.</span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">PRIZES: Winners will receive a $250 American Express gift card and GSI-branded merchandise with a maximum value of less than $50, including a polo shirt and coffee mug.</span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">WINNER NOTIFICATION: Winners will be notified within 14 days after the determination date. Inability to contact a winner may result in disqualification and selection of an alternate winner. </span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">GENERAL CONDITIONS: Participants hereby grant GSI a non-exclusive, perpetual, worldwide license to broadcast, publish, store, reproduce, distribute, syndicate, and otherwise use and exhibit the Submission (along with their names, voices, performance and/or likenesses) in all media now known and later come into being for purposes of trade or advertising without further compensation. </span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">USE OF CONTEST INFORMATION: All entries become the property of GSI. GSI reserves the right to use any and all information related to the contest, including submissions provided by the contestants, for editorial, marketing and any other purpose, unless prohibited by law. </span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">NOT ENDORSED BY FACEBOOK OR TWITTER: By participating in this contest, you acknowledge that this contest is in no way sponsored, endorsed or administered by, or associated with, Facebook or Twitter and release Facebook and Twitter from any and all liability arising from or related to this contest. The information you are providing for this contest is being provided to GSI and not to Facebook nor Twitter, and will be used to notify you if you have won, and to inform you about special offers from GSI.</span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">CONDUCT: All contest participants agree to be bound by these Official Rules. GSI in its sole discretion, reserves the right to disqualify any person it finds to be tampering with the entry process, the operation of its web site or is otherwise in violation of these rules.</span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">LIMITATIONS OF LIABILITY: GSI is not responsible for late, lost or misdirected email or for any computer, online, telephone or technical malfunctions that may occur. If for any reason, the contest is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention or technical failures of any sort, GSI may cancel, terminate, modify or suspend the contest. Entrants further agree to release GSI from any liability resulting from, or related to participation in the contest.</span></li>
<li><span style="color: #222222; font-family: inherit; font-size: x-small; line-height: 22px;">WINNERS LIST: The names of the winner may be obtained by sending a self-addressed stamped envelope to: Social Media Contests, GSI, 1055 E. Colorado Blvd., Pasadena, CA 91106.</span></li>
</ol>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-61206737354830951082015-10-16T10:43:00.001-07:002015-10-16T10:43:39.740-07:00Best Practices in Recovering Data from Water-Damaged DevicesMobile devices are everywhere. The evidence they hold can be the key to a successful investigation outcome, if you are able to acquire it. Water-damaged phones add even more complexity. How successful have you and your agency been in responding to water-damaged devices?<br />
<br />
Steve Watson, a technologist focused in the areas of e-discovery, forensics, risk and compliance, posed this question to a full house at Enfuse (CEIC 2015) earlier this year. The popularity of his session, “Water-Damaged Devices – An Analysis of Evidence Locker Corrosion,” made a clear statement that EnCase® users are ready and eager to learn how best to tackle the data that resides on damaged devices.<br />
<br />
<a name='more'></a>If you missed this popular lecture, you can read a brief summary of it in this blog, and also download the complete slide presentation here: <a href="https://www.guidancesoftware.com/ceic/Documents/Water%20Damaged%20Devices%20-%20An%20Analysis%20of%20Evidence%20Locker%20Corrosion-Watson-5-21-2015.pdf" target="_blank">Water-Damaged Devices: An Analysis of Evidence Locker Corrosion</a>. We’d also like to remind you to register early for <a href="https://www.guidancesoftware.com/ceic/Pages/about-ceic.aspx" target="_blank">Enfuse 2016</a>, where you can hear similar topics that will showcase the latest and most innovative tools and techniques to make your job easier as a forensic investigator.<br />
<div>
<br />
<h4>
Survey Shows More Research Is Needed on Damaged Devices</h4>
<div>
<div>
Recently, Watson performed an industry survey of federal, state, and local agencies to gather trends in damaged devices. What he found was that most agencies receive water-damaged devices so infrequently that they can’t develop solid experience in this area:</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuo6rTw8kprn-0ehNU3DhXLYBMhpCZfcbP0l9S1O432BqDVtOudvfm_WN-p-HxdP4UyexV620QsjUKg901An0-gnJueybhfbjbdqIRAhNq2llAQrEU03jO7qIFmhvgbTHWlgiqlQZddmk/s1600/water+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuo6rTw8kprn-0ehNU3DhXLYBMhpCZfcbP0l9S1O432BqDVtOudvfm_WN-p-HxdP4UyexV620QsjUKg901An0-gnJueybhfbjbdqIRAhNq2llAQrEU03jO7qIFmhvgbTHWlgiqlQZddmk/s400/water+1.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<div>
Watson used the survey to launch <a href="http://www.waterdamageddevices.com/" target="_blank">The Damaged Devices Project</a>—a series of research projects in which devices are damaged with scientific precision, then remediated and documented, with the results published to the digital forensics community. The scope of his research covers liquid, thermal, impact, and ballistic damage. His session at CEIC (Enfuse), however, focused specifically on the damage that occurs to mobile phones that have been submerged in water.</div>
<div>
<br /></div>
<div>
Watson reported from his survey responses that most devices spend less than 30 days under water:</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5cs2FZEyoYDD3A5qYArnixtxUIpEoS6627eeS6lnEgHPNvQEIDCBPdw8hYvkeSdAwNi4UVOLUGtNFydkAz5HacFSkeygTsVtXHvkwX7OC-cvBblh3uOYQS6MnJGZuARU8K7hqT4LgTEk/s1600/water+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5cs2FZEyoYDD3A5qYArnixtxUIpEoS6627eeS6lnEgHPNvQEIDCBPdw8hYvkeSdAwNi4UVOLUGtNFydkAz5HacFSkeygTsVtXHvkwX7OC-cvBblh3uOYQS6MnJGZuARU8K7hqT4LgTEk/s320/water+2.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The majority of forensic examiners said a damaged device sits in an evidence locker for at least three days before it is retrieved for cleaning in preparation for data acquisition. The problem, according to Watson, is that the longer a water-damaged phone waits in evidence storage before it is prepared for acquisition, the more corrosion and sediment build up on it.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTk1LSuvJ6DVeuQojoRyxE0utMt7ixud78N7fu_7gNzJbFKpqeJhAjuWrsdfgeO4-V8DcR8YR74pnma-l6DaOAneai4QeT0sYu2rMcalayyX0Kc6y2xE4kpTM6ukN4ure6vefn_pI9gXU/s1600/water+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTk1LSuvJ6DVeuQojoRyxE0utMt7ixud78N7fu_7gNzJbFKpqeJhAjuWrsdfgeO4-V8DcR8YR74pnma-l6DaOAneai4QeT0sYu2rMcalayyX0Kc6y2xE4kpTM6ukN4ure6vefn_pI9gXU/s320/water+3.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
In addition to the risks of mold, biological hazards, battery damage, and electrical discharge, mobile devices that stay zipped up in an evidence bag in the locker will show greater liquid damage, including:</div>
<br />
<ul class="list">
<li>PCB layer damage</li>
<li>Rust</li>
<li>Pitting on the PCB traces</li>
<li>Corrosion (galvanic or electrolytic)</li>
<li>Damage to SMT leads</li>
</ul>
<div class="MsoNormal">
<br /></div>
<h4 style="clear: both;">
Top Five Recommendations to Remediate Water-Damaged Phones</h4>
<div class="separator" style="clear: both;">
The audience walked away with Watson’s top five recommendations for remediating water-damaged devices:</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
</div>
<ol>
<li>Remove the battery as soon as possible</li>
<li>Do not attempt a power-on or charge until dry</li>
<li>The device is more stable if transported in water to the lab for cleaning</li>
<li>If you can’t transport the device in liquid, disassemble and make a best effort to dry it before shipping or storing</li>
<li>Do not expect a successful acquisition from devices that have remained in evidence bags for nine months or more </li>
</ol>
<br />
<div class="separator" style="clear: both;">
Watson maintained an interactive session through a live demonstration of two phones that had been submerged for three days in water and then stored in an evidence bag for 221 days. The damaged phones were used to share best practices in phone disassembly, identification of damaged areas, and cleaning and drying of the device. To get the rest of these best practices and more, click here to download the complete presentation: <a href="https://www.guidancesoftware.com/ceic/Documents/Water%20Damaged%20Devices%20-%20An%20Analysis%20of%20Evidence%20Locker%20Corrosion-Watson-5-21-2015.pdf" target="_blank">Water-Damaged Devices: An Analysis of Evidence Locker Corrosion</a>. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
You can also track or participate in this ongoing research on damaged devices by visiting Watson’s website: <a href="http://www.waterdamageddevices.com/" target="_blank">The Damaged Devices Project</a>.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Don’t forget that you can attend other top-notch sessions like this one at <a href="https://www.guidancesoftware.com/ceic/Pages/about-ceic.aspx" target="_blank">Enfuse 2016 in Las Vegas, May 23-26, 2016</a>. Enfuse brings the power of hands-on labs, learning sessions, and networking events together in a way that will take your work—and your career—to a whole new level. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<a href="https://www.guidancesoftware.com/ceic/Pages/about-ceic.aspx" target="_blank">Click here to learn more about Enfuse</a> and how you can save over 40% off the regular conference registration fee if you act by November 30, 2015.</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-43216865216617727172015-10-06T14:50:00.000-07:002015-10-13T13:15:15.036-07:00EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting <h4>
Part 3 of 3 – Reporting with Quick Report</h4>
Robert Batzloff<br />
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
This series of blog posts has focused on keeping your
investigation organized and presenting your evidence in a clear, correct and
readable format. Clarity, as well as brevity, is key when delivering digital
forensic evidence to those who don’t work in the field. This evidence can be
dense and hard to understand. Your job is to make the relevant information
apparent and easy to digest. You want the information you present to be easy to
explain and defend because opposing counsel will leap at the chance to capitalize
on any potential ignorance regarding digital forensics.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
As reporting is the final step in an investigation, we’ll
close this blog series by looking at my favorite reporting EnScript: Quick
Report Lite.</div>
<a name='more'></a><br />
<h4>
Quick Report Lite</h4>
<a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010154WS&k" target="_blank">Download Here </a><br />
<div class="MsoNoSpacing">
Brett Liddicoet’s Quick Report EnScript creates a fully
linked HTML report from the examiner’s selected bookmark folders. Bookmarks
are the gift that keeps on giving: as mentioned before, the bookmarks
form the outline of the report, so a well-organized bookmark structure will
result in a clear, readable report. </div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Brett’s script makes it incredibly easy to
customize the report’s logo, with no HTML required, and it also lets you link in
reports from other forensic tools and other external files. Quick Report makes
it easy to create and submit reports from the field, or to quickly share
up-to-the-minute updates on a case’s status. The report can also be distributed
on CD or USB, and it’s compatible with Internet Explorer, Firefox and Safari.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Launch Quick Report from the EnScript menu bar when your investigation
is complete and you’re ready to create a report. Once launched, Quick Report’s
menu opens in its own window. From here you can select which bookmark folders you’d
like to include in the report. You can choose the format in which the contained
data is displayed, as well as which logo and case information you want attached
to the report. Selecting a new logo is easy and only requires a destination
folder. You can add external links from this menu in the same way.</div>
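<div class="MsoNoSpacing">
The report structure described above (bookmark folders as the outline, external files linked in, a custom logo) as an added example in plain Python rather than EnScript. This is not Brett’s script or any Guidance Software code; the bookmark tree, logo path and external report path are constructed sample values. The detail worth noticing is that every bookmarked evidence string is HTML-escaped before it lands in the report, since evidence such as file names or e-mail subjects is untrusted data and the report is opened in a browser.</div>

```python
import html
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Bookmark:
    """One bookmarked item: the examiner's comment and the evidence text."""
    comment: str
    evidence: str


@dataclass
class Folder:
    """A bookmark folder. Folders nest, so the tree is also the report outline."""
    name: str
    bookmarks: List[Bookmark] = field(default_factory=list)
    subfolders: List["Folder"] = field(default_factory=list)


def anchor_id(path: List[str]) -> str:
    """Stable in-page anchor for a folder path: ['Case 1', 'E-mail'] -> 'case_1-e_mail'."""
    return "-".join("".join(c if c.isalnum() else "_" for c in p).lower() for p in path)


def render_outline(folder: Folder, path: List[str]) -> str:
    """Nested <ul> of links, one entry per folder, in bookmark order."""
    path = path + [folder.name]
    parts = [f'<li><a href="#{anchor_id(path)}">{html.escape(folder.name)}</a>']
    if folder.subfolders:
        parts.append("<ul>")
        parts.extend(render_outline(sub, path) for sub in folder.subfolders)
        parts.append("</ul>")
    parts.append("</li>")
    return "\n".join(parts)


def render_sections(folder: Folder, path: List[str], level: int = 2) -> str:
    """One section per folder (heading depth follows nesting); bookmarks become rows."""
    path = path + [folder.name]
    h = f"h{min(level, 6)}"
    parts = [f'<{h} id="{anchor_id(path)}">{html.escape(folder.name)}</{h}>']
    if folder.bookmarks:
        parts.append("<table><tr><th>Comment</th><th>Evidence</th></tr>")
        for bm in folder.bookmarks:
            # Evidence text (file names, subjects, strings) is untrusted data;
            # escaping it keeps the browser from rendering it as markup.
            parts.append(
                f"<tr><td>{html.escape(bm.comment)}</td>"
                f"<td><code>{html.escape(bm.evidence)}</code></td></tr>"
            )
        parts.append("</table>")
    parts.extend(render_sections(sub, path, level + 1) for sub in folder.subfolders)
    return "\n".join(parts)


def build_report(case_name: str, root: Folder, logo: str,
                 external: List[Tuple[str, str]]) -> str:
    """Assemble the report: logo header, clickable outline, sections, external links."""
    ext = "\n".join(
        f'<li><a href="{html.escape(href, quote=True)}">{html.escape(label)}</a></li>'
        for label, href in external
    )
    return "\n".join([
        "<!DOCTYPE html>",
        f'<html><head><meta charset="utf-8"><title>{html.escape(case_name)}</title></head><body>',
        f'<img src="{html.escape(logo, quote=True)}" alt="logo">',
        f"<h1>{html.escape(case_name)}</h1>",
        "<h2>Contents</h2><ul>", render_outline(root, []), "</ul>",
        render_sections(root, []),
        "<h2>External reports</h2><ul>", ext, "</ul>",
        "</body></html>",
    ])


# Constructed sample bookmark tree (not from a real case); the e-mail subject
# deliberately contains markup to show that it is rendered as text.
SAMPLE = Folder("Case 2016-01", subfolders=[
    Folder("E-mail", bookmarks=[Bookmark("Suspect message", "Subject: <b>Invoice</b> attached")]),
    Folder("Registry", bookmarks=[Bookmark("Persistence entry", "...\\CurrentVersion\\Run\\updater")]),
])

if __name__ == "__main__":
    # Writes a self-contained report next to the script; logo and external path are placeholders.
    with open("report.html", "w", encoding="utf-8") as fh:
        fh.write(build_report("Case 2016-01", SAMPLE, "logo.png", [("Other tool report", "ext/other.html")]))
```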
<div class="MsoNoSpacing">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxK8geods06BwlMmm6L5pTEB_TgpSoQzm-fix1mjMKruTIg-YiBWCuOeLpxqIuHBi9hKOtqZCVkXwrQLUsrb0Gz2XE49jJEDkft-BVju7kdAMYL2DfvlNf60xuUm-F-rbS4-hgeC1pscrF/s1600/Quick+Report+Image+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="533" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxK8geods06BwlMmm6L5pTEB_TgpSoQzm-fix1mjMKruTIg-YiBWCuOeLpxqIuHBi9hKOtqZCVkXwrQLUsrb0Gz2XE49jJEDkft-BVju7kdAMYL2DfvlNf60xuUm-F-rbS4-hgeC1pscrF/s640/Quick+Report+Image+1.png" width="640" /></a></div>
<div class="MsoNoSpacing">
<br /></div>
<br />
<div class="MsoNoSpacing">
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
</div>
<div class="MsoNoSpacing">
Once you have chosen all your settings, select OK and the
fully linked report will open in your default browser. You can see that the
custom logo is displayed at the top left, the case info and linked bookmark
folders just below it, and the selected bookmark folder’s contents to the
right. </div>
<br />
<div class="MsoNoSpacing">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-5xQtoFMhJmowqzSI3QmSkEzu5lcSO55oOx3Ca6GnzXIpdO8VNg3LvwZWNdMgeuUGLVHeyCfW3BGcISKJWAeSk7Gb4JhLGIhuSC5_z4K0iTfOq4_4_4OozxwFnO5Sk1aPqMcKjrO-0lEd/s1600/Quick+Report+Image+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-5xQtoFMhJmowqzSI3QmSkEzu5lcSO55oOx3Ca6GnzXIpdO8VNg3LvwZWNdMgeuUGLVHeyCfW3BGcISKJWAeSk7Gb4JhLGIhuSC5_z4K0iTfOq4_4_4OozxwFnO5Sk1aPqMcKjrO-0lEd/s640/Quick+Report+Image+2.png" width="444" /></a></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
All relevant files displayed on the right also feature an
icon in their top right corner. This is a hyperlink that reveals further data
regarding the bookmarked item. </div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Brett’s EnScript is available in the free Lite version
discussed here, as well as a pro version for $39.00 that includes customizable
templates, print options and more. </div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
Thank you once more for reading. The four EnScripts I've written about in this showcase, as well as over 100 more, can be found at <a href="https://www.guidancesoftware.com/appcentral/Pages/default.aspx" target="_blank">EnCase App Central</a> for absolutely free.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuZPspt49EVSgQqrF3UGYSvDTdwj420m12oDAOAoUGA-v6JzT3LXA2syZbgW-C4I1ZUijT_vlFYW2-TLDtcUXqQOXS20urriIvIMe0BQddxgHHXq0tZMmOF4YcFWHH8XcPhmwhBp_1nRYM/s1600/take+my+money.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuZPspt49EVSgQqrF3UGYSvDTdwj420m12oDAOAoUGA-v6JzT3LXA2syZbgW-C4I1ZUijT_vlFYW2-TLDtcUXqQOXS20urriIvIMe0BQddxgHHXq0tZMmOF4YcFWHH8XcPhmwhBp_1nRYM/s320/take+my+money.png" width="320" /></a></div>
<div class="MsoNoSpacing" style="text-align: center;">
<span style="font-size: xx-small;"><span style="font-size: x-small;">Oh, wait.</span></span></div>
<div class="MsoNoSpacing">
I plan to post several more blogs showcasing
the EnScripts available at EnCase App Central. If there is an EnScript category
you would like me to cover, a single EnScript you think deserves more
coverage, or a tutorial you’d like for any of the 150+ available
EnScripts, please let me know in the comments.</div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
You can also connect with EnCase App Central via their
Twitter account (<a href="https://twitter.com/EnCase_Apps">@EnCase_Apps</a>),
where you can find links to all the new or updated EnScripts the day they’re
made available. </div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
If you have any questions regarding the EnScripts
discussed in this blog post, you can email EnCase App Central directly at <a href="mailto:encaseappcentral@guidancesoftware.com">encaseappcentral@guidancesoftware.com</a>
or use the EnCase App Central support portal, where each EnScript developer has a
discussion board dedicated to answering questions or posting more information
about their EnScripts. </div>
<br />
Robert Batzloff (http://www.blogger.com/profile/00799441756978164438)<br />
Published 2015-09-10T11:40:00-07:00, updated 2015-10-06T14:42:26-07:00<br />
EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting <h4>
Part 2 of 3 – Jamey Tubbs' Time Zone Prior to Processing</h4>
<author>Robert Batzloff</author><br />
<br />
<div class="MsoNormal">
And we’re back with another post to walk you through one of the over 150 EnScripts® that can be found at <a href="https://www.guidancesoftware.com/appcentral/Pages/default.aspx" target="_blank">EnCase® App Central</a>. This three-part series will introduce and explore four EnScripts to help you make the most of EnCase App Central, manage and organize your evidence, and finally, show you a new option when it comes to creating your case report. In the previous post we discussed <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010178WS&k%20-" target="_blank">What’s New in App Central</a> and <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010178WS&k" target="_blank">Manfred’s Comprehensive Case Template</a>. In this post we’ll walk through Jamey Tubbs’ incredibly helpful, time-saving EnScript: Time Zone Prior to Processing.<br />
<h4>
Time Zone Prior to Processing</h4>
<a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010044WS&k" target="_blank">Download Here</a><br />
<br />
As an examiner it’s critical to determine the time zone settings of hard drives with the Windows OS installed before processing the evidence. Time stamps and other temporally related items usually provide the most damning evidence or the best alibis. Without the proper time zone setting, the former can easily become the latter and then the bad guy walks.<br />
<br />
If regional time zone settings are not defined by the user, then by default EnCase applies the examination machine’s regional settings to the case during processing. It’s not a good idea to let EnCase determine the time zone from the examination machine’s settings: doing so risks invalidating evidence, because evidence files from multiple computers may each carry different regional settings, different from one another and from the examiner’s machine.<br />
<br />
What you should do is locate the time zone setting for each device, bookmark these settings, and then manually change each device’s time zone settings under the Device menu. The steps involved in properly determining a device’s time zone setting are tedious and time-consuming: navigating the SYSTEM registry hive, combing through the ControlSet subkeys, interpreting little-endian hex values, and so on.<br />
<br />
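As an added example that is not part of the post and not Jamey Tubbs’ EnScript, the Python below carries out the manual steps just listed on constructed hive bytes: it resolves the live ControlSet from Select\Current, decodes the signed little-endian bias values under TimeZoneInformation, and renders one UTC timestamp under the device’s zone and the examiner’s to show the shift the post warns about. The registry value names and their semantics are the standard Windows ones, assumed here rather than taken from the post.

```python
"""Decode the Windows time zone settings an examiner reads from a SYSTEM hive.

Added example; not Jamey Tubbs' EnScript and not EnCase code. The registry
layout assumed here is the standard Windows one, not taken from the post:
  SYSTEM\\Select\\Current                        REG_DWORD -> which ControlSet00N is live
  SYSTEM\\ControlSet00N\\Control\\TimeZoneInformation
      Bias, StandardBias, DaylightBias, ActiveTimeBias  REG_DWORD, signed minutes
      StandardName, DaylightName, TimeZoneKeyName       REG_SZ, UTF-16LE, NUL-terminated
Windows defines UTC = local time + Bias, so a positive Bias lies WEST of UTC.
"""
import struct
from datetime import datetime, timedelta, timezone


def read_dword_signed(raw: bytes) -> int:
    """REG_DWORD is 4 little-endian bytes; bias values are signed (negative east of UTC)."""
    if len(raw) != 4:
        raise ValueError(f"REG_DWORD must be 4 bytes, got {len(raw)}")
    return struct.unpack("<i", raw)[0]


def read_sz(raw: bytes) -> str:
    """REG_SZ is UTF-16LE text with a trailing NUL pair; strip the terminator."""
    return raw.decode("utf-16-le").rstrip("\x00")


def select_control_set(select_current_raw: bytes) -> str:
    """Resolve Select\\Current to the ControlSet00N key that holds the live settings."""
    n = read_dword_signed(select_current_raw)
    if n < 1:
        raise ValueError(f"Select\\Current out of range: {n}")
    return f"ControlSet{n:03d}"


def format_utc_offset(bias_minutes: int) -> str:
    """Bias 300 -> 'UTC-05:00'; Bias -60 -> 'UTC+01:00'."""
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def parse_time_zone_information(values: dict) -> dict:
    """values maps TimeZoneInformation value names to their raw registry bytes."""
    zero = b"\x00\x00\x00\x00"
    bias = read_dword_signed(values["Bias"])
    std_bias = read_dword_signed(values.get("StandardBias", zero))
    dl_bias = read_dword_signed(values.get("DaylightBias", zero))
    # ActiveTimeBias is the offset in force when the hive was last written; if it
    # is absent, fall back to standard time rather than guessing from the examiner's box.
    if "ActiveTimeBias" in values:
        active = read_dword_signed(values["ActiveTimeBias"])
    else:
        active = bias + std_bias
    return {
        "key_name": read_sz(values.get("TimeZoneKeyName", b"")),
        "standard_name": read_sz(values.get("StandardName", b"")),
        "bias_minutes": bias,
        "standard_offset": format_utc_offset(bias + std_bias),
        "daylight_offset": format_utc_offset(bias + dl_bias),
        "active_offset": format_utc_offset(active),
        "dst_in_effect": dl_bias != 0 and active == bias + dl_bias,
    }


def render_utc_timestamp(iso_utc: str, bias_minutes: int) -> str:
    """Render a UTC timestamp such as '2015-07-04T12:00:00Z' in a zone with the given bias.
    Rendering with the device's bias versus the examiner's shows the shift the post warns about."""
    utc = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    local = utc.astimezone(timezone(timedelta(minutes=-bias_minutes)))
    return local.strftime("%Y-%m-%d %H:%M:%S %z")


# Constructed sample bytes in hive encoding (not from any real case).
SAMPLE_SELECT_CURRENT = b"\x01\x00\x00\x00"  # ControlSet001 is live
SAMPLE_EASTERN = {
    "Bias": b"\x2c\x01\x00\x00",            # 0x0000012C = 300  -> UTC-05:00
    "StandardBias": b"\x00\x00\x00\x00",
    "DaylightBias": b"\xc4\xff\xff\xff",    # 0xFFFFFFC4 = -60  -> DST adds an hour
    "ActiveTimeBias": b"\xf0\x00\x00\x00",  # 0x000000F0 = 240  -> DST was in effect
    "TimeZoneKeyName": "Eastern Standard Time".encode("utf-16-le") + b"\x00\x00",
    "StandardName": "Eastern Standard Time".encode("utf-16-le") + b"\x00\x00",
}
SAMPLE_CET = {
    "Bias": b"\xc4\xff\xff\xff",            # -60 -> UTC+01:00 (east of UTC is negative)
    "StandardBias": b"\x00\x00\x00\x00",
    "DaylightBias": b"\xc4\xff\xff\xff",
    "ActiveTimeBias": b"\xc4\xff\xff\xff",  # standard time was in force
    "TimeZoneKeyName": "W. Europe Standard Time".encode("utf-16-le") + b"\x00\x00",
}

if __name__ == "__main__":
    print("live control set:", select_control_set(SAMPLE_SELECT_CURRENT))
    for label, sample in (("device A", SAMPLE_EASTERN), ("device B", SAMPLE_CET)):
        info = parse_time_zone_information(sample)
        print(label, info["key_name"], info["active_offset"],
              "DST" if info["dst_in_effect"] else "STD")
    # One UTC timestamp, three renderings: device A, device B, and an examiner at UTC-8.
    for bias in (240, -60, 480):
        print(format_utc_offset(bias), render_utc_timestamp("2015-07-04T12:00:00Z", bias))
```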
<h4>
Enter the "Time Zone Prior to Processing" EnScript</h4>
Instead, you can use this EnScript, created by Guidance’s own <a href="https://www.guidancesoftware.com/training/Pages/Instructor.aspx#/p/12" target="_blank">Jamey Tubbs</a> (<a href="http://www.twitter.com/jameytubbs" target="_blank">@JameyTubbs</a>), and automatically parse out the proper time zone information for each device. The EnScript then automatically creates a bookmark folder for every device in your case containing time zone information, making this info easy to find and reference.<br />
<br />
The one thing the script does not do is make the change within the device settings; you need to complete this final step on each evidence file before processing. I’ll show you how to run the EnScript and then note when and where you must make these changes.<br />
<br />
Like most EnScripts on EnCase App Central, this EnScript is simple to run. Select the EnScript option from the toolbar and run Time Zone Prior to Processing. Most EnScripts contain a unique UI or menu but this EnScript automatically runs and its progress can be seen at the bottom right of the screen.<br />
<br />
Once complete, a bookmark folder titled Time Zone Information will be created in the tree pane. Within it will be subfolders for each device’s respective time zone information. Select the device in the table pane and then the ‘report’ tab in the view pane to see the TimeZoneRegistry Data; this is where you’ll find the information you’re looking for.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA6LBLJ9VXpYZ6VcjY0x6q-bgRYcorgCo6yMM7zENOcJKlaDf_CWEuG-j_uH2Y8QZczm9AzAP8neE6II4hj-gv7ZGtB5bapXtT_DEoKGowsz0MfUwwfRZO5uo4Mkjm91c2Pq9AuYfWdWo/s1600/Time+Zone+Image+1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA6LBLJ9VXpYZ6VcjY0x6q-bgRYcorgCo6yMM7zENOcJKlaDf_CWEuG-j_uH2Y8QZczm9AzAP8neE6II4hj-gv7ZGtB5bapXtT_DEoKGowsz0MfUwwfRZO5uo4Mkjm91c2Pq9AuYfWdWo/s640/Time+Zone+Image+1.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Gotcha, Peterson.</td></tr>
</tbody></table>
<br />
This last step is arguably the most important and must be done manually. The EnScript only gives you the time zone information; it’s up to you to implement it. If you don’t and then process your evidence, you run the risk of reporting incorrect time zone information. And again, bad guy goes free.<br />
<br />
To change the device’s time zone setting go to the Evidence, Viewing (Entry) tab. Right-click on the evidence file in the left pane; select Device, Modify Time Zone Settings. Select the proper time zone as noted in the newly created bookmark folder and then process your evidence.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivgWYslVF0NIcOjOxduhOFQn8tRVzNwaL4hihEmnICodVU0Qh7UpBsnIC5w5pb7TdwgLQTD-QxAde1UVtM2KjokM_qVV4MoSr_i27Mc1xo6ZP1U9VdLl3YiN4OMZa4lUbMqHQbxvcEXgM/s1600/Time+Zone+Image+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivgWYslVF0NIcOjOxduhOFQn8tRVzNwaL4hihEmnICodVU0Qh7UpBsnIC5w5pb7TdwgLQTD-QxAde1UVtM2KjokM_qVV4MoSr_i27Mc1xo6ZP1U9VdLl3YiN4OMZa4lUbMqHQbxvcEXgM/s640/Time+Zone+Image+2.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
There you have it. One free EnScript developed by one of our long-term trainers can save you time and make sure your evidence is in proper order before processing. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<b>Thanks again for reading.</b> Our next post will highlight the fantastic EnScript, Quick Report, from Brett Liddicoet. If there is an EnScript category you'd like me to cover or maybe a single EnScript you think deserves some more coverage, or if you’d like a tutorial for any of the 150+ available EnScripts, please let me know in the comments.</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
You can follow EnCase App Central on its <a href="http://www.twitter.com/encase_apps" target="_blank">Twitter</a> account, where you can find links to all the new or updated EnScripts the day they’re made available. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
If you have any questions regarding the EnScripts discussed in this blog post, <a href="mailto:encaseappcentral@guidancesoftware.com" target="_blank">drop us a line</a> or visit the <a href="https://support.guidancesoftware.com/forum/forumdisplay.php?f=65" target="_blank">EnCase App Central support portal</a>. Each EnScript developer has a discussion board dedicated to answering questions or posting more information about their EnScripts. </div>
</div>
<h3>
Q&amp;A: Transitioning from EnCase Version 6 to Version 7 Webinars</h3>
<author>Ken Mizota</author> (published 2015-09-01)<br />
<div class="MsoNormal">
<br />
In parts 1 and 2 of the webinar series, "Transitioning from EnCase Version 6 to Version 7," we ran out of time to answer all of your questions. In this blog post, I've attempted to answer them and hope it helps you continue a productive transition.<br />
<br />
View the webinars: <a href="https://www.guidancesoftware.com/Resources/Pages/webinars/Transitioning-from-EnCase-Forensic-Version-6-to-Version-7.aspx">Part 1</a> and <a href="https://www.guidancesoftware.com/Resources/Pages/webinars/Transitioning-from-EnCase-Forensic-Version-6-to-Version-7-part-2.aspx">Part 2</a><br />
<br />
<b>Can you discuss how you’ve made reporting less complicated and what resources we could use to simplify reporting even further?</b><br />
<br />
Once the hard work of painstaking analysis and review of an investigation is complete, determining what to share with an external audience is an important, but often time-consuming, task. EnCase® Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a polished examination report with a minimum of effort. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power. For the times when working with Report Templates is more complex than the task demands, we built the Report Template Wizard to make it faster and easier to perform basic reporting modifications directly from Bookmarks.<br />
<a name='more'></a><br />
You can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting while maintaining the power of Report Templates.<br />
<br />
<b>We have lots of OS X investigations. What have you done or are you doing to improve Mac support?</b><br />
<br />
In comparison to even just a few years ago, OS X investigation volume continues to grow. In support of this growing need, EnCase 7 has incorporated several capabilities specific to Mac investigations.<br />
<br />
EnCase 7 offers comprehensive support for the HFS+ file system, including parsing of extended attributes and AppleDouble files. Native support is provided for visibility inside OS X disk images such as DMG, bundles and sparse bundles, and for decrypting containers protected by FileVault 1. <br />
<br />
An OS X Processor Module is included to automatically harvest common system information, plists (XML and Binary) as well as system event logs.<br />
<br />
EnCase 7 maintains support for investigation of the latest OS X 10.10 Yosemite versions, including remote investigation of a single OS X machine over the network. When operating in this mode, EnCase 7 has full access to logical volumes, which contain data in an unencrypted state, even when protected by FileVault 2.<br />
<br />
I could go on for an hour on this topic alone, but it’s worthwhile to mention a couple of resources:<br />
<br />
Take a look at our Digital Forensics Today blog for articles on examining Time Machine Backups and the <b><a href="http://encase-forensic-blog.guidancesoftware.com/2014/05/examination-of-mac-os-x-quick-look.html" target="_blank">Quick Look Thumbnail cache</a></b>.<br />
<br />
Check out <a href="https://www.guidancesoftware.com/appcentral/Pages/default.aspx" target="_blank"><b>EnCase® App Central</b></a>, where several EnCase integrated utilities for OS X investigations are available for free download.<br />
<br />
<b>You didn’t discuss decryption. Can you talk a bit about your decryption capabilities?</b><br />
<br />
Dealing with full-disk, full-volume, and file-level encryption is increasingly a firm requirement of any investigation. If your tool can't read the data, it doesn't matter how many artifacts are parsed, or how faithfully the evidence is preserved. You won't find much, and it’s a really inconvenient problem.<br />
<br />
Encryption vendors are not incentivized to make it easy to decrypt their protection. Yet, this is exactly the capability investigators need. <br />
<br />
EnCase 7 addresses this problem by partnering with the industry leaders in encryption technologies and by delivering fully supported decryption capabilities. Some examples of the partners we integrate with include: Symantec Endpoint Encryption, PGP Whole Disk Encryption, Sophos SafeGuard, WinMagic SecureDoc, Dell Data Protection, McAfee Drive Encryption, and more.<br />
<br />
I often hear from investigators: "This decryption capability saved my bacon." It's good in a tight situation.<br />
<br />
<b>If you want to triage a case but don’t want to process the case first, what is your recommendation?</b><br />
<br />
I think it is really important that investigators understand there is a lot of diversity in the problems they face and in how those problems need to be solved. Investigators must not only overcome the obstacles of understanding the data, but also do so within time constraints. There's no single way to triage, so EnCase 7 enables several techniques:<br />
<br />
a. At times, all you need is a quick look at the evidence to determine whether it is worth processing. Opening one or more evidence files and viewing them in a single view can be very efficient. Add a couple of evidence files or network previews to your Case. In the evidence pane, blue-check the files and click the Open button. All of the file system entries can be recursively displayed and sorted, for a quick read of the files and metadata present.<br />
<br />
b. Going a bit deeper, you might want to perform some level of processing of the evidence, but want to review the data as it is being processed. The EnCase Evidence Processor provides Prioritized processing, which allows the investigator to review user created data first, as it is processed, independent of the contents of the rest of the evidence.<br />
<br />
c. Finally, if you have a good sense of what you are looking for, but still want to perform some basic processing on the data itself, an investigator can perform a search to create a result set, and then just process the items in that result set.<br />
<br />
I hope you'll take away the fact that the EnCase toolset gives you many options that can be adapted to your needs and workflow.<br />
<br />
<b>Can you provide insight into how to set up the processor settings so that EnCase processes the evidence quickly and effectively?</b><br />
<br />
Entire papers have been written and training labs built on this topic, so I won't go into great detail here. <a href="https://www.digitalintelligence.com/" target="_blank"><b>Digital Intelligence</b></a>, makers of the famed FRED workstations, have published a great article on <a href="https://www.digitalintelligence.com/support/kb/article/software/quantifying-hardware-selection-in-an-encase-7-environment" target="_blank"><b>hardware selection for EnCase 7</b></a>, which I highly recommend.<br />
<br />
If I have one bit of advice to share, it’s that disk I/O on the EnCase Evidence Cache is the first determining factor of performance in EnCase 7. We're dealing with large datasets with millions of items, so having the fastest I/O subsystem and devices is highly recommended. This is much different from the way EnCase 6 was architected, and understanding this is central to a good experience.<br />
<br />
<b>How do you mount (View File Structure) multiple files at the same time?</b><br />
<br />
You can try <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010061WS" target="_blank"><b>this EnScript®-based filter, available on EnCase App Central</b></a>.<br />
<br />
<b>How could I add the SHA1 hash value so that it is shown below the MD5 value in the report? </b><br />
<br />
This can be easily modified using the Report Template wizard. You can learn more about this feature in an <a href="http://encase-forensic-blog.guidancesoftware.com/2014/08/feature-spotlight-report-template-wizard.html" target="_blank"><b>earlier blog post on the topic</b></a>.<br />
<br />
<b>Can you change reporting properties in Bookmarks?</b><br />
<b>How do you customize different attributes to show in your report, such as file extension, hash value, deleted etc..?</b><br />
<br />
We've made modifying and editing reports much simpler in recent releases. From the Bookmarks view, right click on the Bookmark Folder you want to add to your report. You'll be presented with a dialog that allows you to select the part of the report you'd like to add the folder to, and if you like, you can customize the metadata you would like displayed.<br />
<br />
I've put together a <a href="http://encase-forensic-blog.guidancesoftware.com/2014/08/feature-spotlight-report-template-wizard.html" target="_blank"><b>brief blog post on this topic</b></a>, which I recommend if you want to learn more at your convenience.<br />
<br />
<b>Can v7 analyze IE 11?</b><br />
<br />
Yes, EnCase offers support for parsing and analyzing contents of IE10 and 11 data formats - specifically, the Extensible Storage Engine format, ESEDB.<br />
<br />
<b>Ashley apparently showed an inclusion hash list. How would you show excluded hashed items such as from the NSRL list? </b><br />
<b>Using Hash Libraries, is it possible to easily EXCLUDE hash values? I think the example used here was filtering to look for specific hashes.</b><br />
<br />
The Find Items by Hash Category filter includes the ability to invert the results, which finds items NOT in selected categories. In this way, you can control what you want to see by selecting hash categories and choosing to invert or not.<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnPBB7lhe5Zb4oKKqymttZUWfipL8DA6GXLtE2Taa5ZjtM3Bxp6HnBM-jsN6PWbk92eDcNTv-RBCiPG3DKirNYKiPS0H3oV14UJ1j1b__6J2eIretHRPKH18OhAekny99z70-X7ai2CK4/s1600/blog+pic+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Check to invert - find items not in selected categories" border="0" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnPBB7lhe5Zb4oKKqymttZUWfipL8DA6GXLtE2Taa5ZjtM3Bxp6HnBM-jsN6PWbk92eDcNTv-RBCiPG3DKirNYKiPS0H3oV14UJ1j1b__6J2eIretHRPKH18OhAekny99z70-X7ai2CK4/s320/blog+pic+1.png" title="Find Items by Hash Category" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<b>Can you talk about the difference between conditions and filters and when you should use one versus the other?</b></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Filters and Conditions functionally perform similar tasks: subjecting data to criteria and presenting a result set to you for review. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Conditions are intended to be used to filter on specific metadata about a file. A point-and-click user interface is provided to implement simple or complex Boolean logic operating on the metadata of files or emails. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR2qimuYJ8sqcxAyGQQKwDIJjRiqeOcyNMYG6ti1oXG4E277VOVCUlgXuQcIEQGvqrW8hqJtVAY-4wlbzwG6phjHK8ylpni_0lWRpIKxiYhz7aVmwU5XzJD_tmrDQDRBdCLug6fRxVWo8/s1600/blog+pic+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Adding simple or complex logic to metadata operations on files or emails" border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR2qimuYJ8sqcxAyGQQKwDIJjRiqeOcyNMYG6ti1oXG4E277VOVCUlgXuQcIEQGvqrW8hqJtVAY-4wlbzwG6phjHK8ylpni_0lWRpIKxiYhz7aVmwU5XzJD_tmrDQDRBdCLug6fRxVWo8/s400/blog+pic+2.png" title="Adding simple or complex logic to metadata operations on files or emails" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
Filters allow for more complex logic. Algorithms can be implemented in Filters to work with metadata or content of evidence. Filters are built by Guidance Software, or by investigators comfortable with the EnScript programming language. Several filters are included with EnCase, and you can find more on <a href="https://www.guidancesoftware.com/appcentral/Pages/default.aspx" target="_blank"><b>EnCase App Central</b></a>. </div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<b>Why can't I layer conditions and filters like I could in Version 6?</b></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Earlier releases in v7 did not include this capability. More recently, you can create Result Sets from your conditions and filters. Result Sets can then be subsequently filtered to achieve layering of searches. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRShb2CWBwSOX5QB5umVXUfDZzK6UcEft94SNRcxL-Yx2PGFI4f6jbuRzhUKhz8Nh8eOwDEZ_EhMk3K0jNvCD7tTwEQJJXaY9i0p3HazF5g1qnQZ8gM1qc82v8fck9tkkFRPZRzcNpOWk/s1600/blog+pic+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Run Find Items by Hash Category" border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRShb2CWBwSOX5QB5umVXUfDZzK6UcEft94SNRcxL-Yx2PGFI4f6jbuRzhUKhz8Nh8eOwDEZ_EhMk3K0jNvCD7tTwEQJJXaY9i0p3HazF5g1qnQZ8gM1qc82v8fck9tkkFRPZRzcNpOWk/s400/blog+pic+3.png" title="Run Find Items by Hash Category" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<br /></div>
<div>
<div>
<b>I’m confused about what is a record versus a bookmark versus something else in v7. It’s different in v6. Can you provide some clarity?</b></div>
<div>
<br /></div>
<div>
Records result from analysis of data residing within an evidence file. They represent derived data. </div>
<div>
Bookmarks are a reference to data in your case. They represent an investigator’s commentary and notes. </div>
<div>
<br /></div>
<div>
EnCase Version 6 treated all data as if it resided in an evidence file, in a specific tree structure. When dealing with composite artifacts, such as system information, Internet artifacts, or even a complex inbox folder structure in a PST, a single tree structure encompassing ALL data wasn’t sufficient for dealing with large volumes of items. </div>
<div>
<br /></div>
<div>
Version 7 adds the ability to differentiate entries in a file system from records derived from the data, and keeps the ability to annotate, comment on, and report on either in Bookmarks. </div>
<div>
<br /></div>
<div>
<b>I haven’t seen a module for rebuilding webpages. Do you have one?</b></div>
<div>
<b><br /></b></div>
<div>
There is a <b><a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010031WS" target="_blank">webpage rebuilder EnScript </a></b>available on EnCase App Central.</div>
<div>
<br /></div>
<div>
<b>My favorite feature of v6 was being able to Timeline -- is there anything like that in v7 or is there a plan to include it in upcoming releases?</b> </div>
<div>
<br /></div>
<div>
I recommend reviewing the <b><a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010033WS" target="_blank">MACE Timeline EnScript</a></b> on EnCase App Central. </div>
<div>
<b><br /></b></div>
</div>
<div>
<div>
<b>It seems that v7 is intended for complex cases, whereas v6 was intended to handle simple cases. How can I effectively use v7 for simple cases?</b></div>
<div>
<br /></div>
<div>
In the last webinar, I talked a bit about triaging a case using v7. In short, v7 can be used for simple triage and for viewing file systems quickly and efficiently. It also has the range to handle larger, more complex cases involving many types of data for review. </div>
<div>
<br /></div>
<div>
One of the triage features discussed is the ability to open multiple devices simultaneously, performing a recursive "green plate" search, and sorting all entries across devices simply. </div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWJ0mMgKxKNUcef314zL7FThS6QbPcab1c7xztlYKmv6m0Y22aj55wB6D4u025g1r98HNnTiSpxjUAv5ZZhw2qShB0ihE1E1FOR5uCEhKXm0whGGZ2jCvER51IoK5aWBaWGAKxf1IZ7LY/s1600/blog+pic+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Open multiple devices simultaneously" border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWJ0mMgKxKNUcef314zL7FThS6QbPcab1c7xztlYKmv6m0Y22aj55wB6D4u025g1r98HNnTiSpxjUAv5ZZhw2qShB0ihE1E1FOR5uCEhKXm0whGGZ2jCvER51IoK5aWBaWGAKxf1IZ7LY/s400/blog+pic+4.png" title="Open multiple devices simultaneously" width="400" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div>
<b>EnCase should provide an accurate estimate of how much longer processing is going to take. My company uses it for incident response, and the client wants to know when they will be provided results. The fact that it can take between a day and a week is unacceptable.</b></div>
<div>
<br /></div>
<div>
Version 6 is no different in this regard. Depending on what you ask EnCase to do, performance will vary. </div>
<div>
<br /></div>
<div>
In v7, we introduced the <a href="http://encase-forensic-blog.guidancesoftware.com/2013/09/evidence-processor-performance_6.html" target="_blank"><b>Performance view</b></a> within <a href="http://encase-forensic-blog.guidancesoftware.com/2013/09/encase-evidence-processor-manager.html" target="_blank"><b>Evidence Processor Manager</b></a>. This allows you to view the precise work that is being executed at the moment, including an estimate of progress. </div>
<div>
<br /></div>
<div>
<b>The evidence cache takes up quite a bit of space. How can I manage it more efficiently on my system?</b></div>
<div>
<br /></div>
<div>
Whereas v6 could take minutes or hours to open a case with many evidence files and many bookmarks, v7 can open such cases within seconds. How does v7 do this? The answer is the evidence cache. </div>
<div>
<br /></div>
<div>
The size of the evidence cache can be quite large, and that is simply inevitable when processing and extracting data from large evidence files. </div>
<div>
<br /></div>
<div>
The most effective way of managing the size of the evidence cache is to perform only the processing and analysis that you need. For example, using the File Carver module to extract files from unallocated space can significantly increase storage requirements, because each individual file is being extracted for review. If your case doesn't require carving in unallocated, then this analysis may be eliminated, reducing the impact on the evidence cache. </div>
<div>
<br /></div>
<div>
<b>In EnCase® Enterprise, to get a memory image I need to add a host list (of IP addresses) as targets. Why can I not pick from a list of machines that EnCase knows have servlets installed?</b></div>
<div>
<br /></div>
<div>
Neither v6 nor v7 has a method of determining where servlets are installed. The servlet is passive by nature, which means it does not reach out to communicate with the EnCase Examiner or SAFE. This avoids introducing unnecessary network traffic. </div>
<div>
<br /></div>
<div>
<b>What should I expect when I use File Carver in v7? It doesn’t appear to work as well as the file carver in v6.</b></div>
<div>
<br /></div>
<div>
File Finder and File Carver offer different capabilities. We have a <b><a href="https://support.guidancesoftware.com/node/3799" target="_blank">detailed knowledgebase article </a></b>on how File Carver works and the differences between File Carver and File Finder on the Guidance Software Support Portal.</div>
<div>
<br /></div>
</div>
<div>
<div>
<b>In v6 I could choose the option ‘Tag Selected Files’ in Bookmarks so that they’d show up in Entries already checked. Is there a similar function in v7?</b></div>
<div>
<br /></div>
<div>
Both Tag and Untag Selected Items, as well as the inverse, Select Tagged Items, are possible in EnCase 7. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7z4DU26WjzaeE1JkjfGQrnEPshW5u_VsNknRImbAoVcO0Jyzdp6OK59TmR73Tx04rC-CSfeK-3Fs-6R97MBqei6wAcsxSakD5qbvCttRcp0vi45xT5r7tPaqorTkhToSeKocvf1-wZzU/s1600/blog+pic+5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7z4DU26WjzaeE1JkjfGQrnEPshW5u_VsNknRImbAoVcO0Jyzdp6OK59TmR73Tx04rC-CSfeK-3Fs-6R97MBqei6wAcsxSakD5qbvCttRcp0vi45xT5r7tPaqorTkhToSeKocvf1-wZzU/s1600/blog+pic+5.png" /></a></div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div>
<b>Does the case file size grow as a result of the indexing process? Does this have any impact on the performance of the software?</b></div>
<div>
<br /></div>
<div>
The case file does not grow significantly, but the Evidence Cache, a component unique to EnCase 7, will grow with the size of the data indexed. In some ways, the performance of the software is enhanced by having more data indexed – index searches are faster, more convenient, and more versatile than raw keyword searches. </div>
<div>
<br /></div>
<div>
<b>In v6 I could export a quick report based on items I had checked and any columns I wanted in the Entries pane. Is there a similar function in v7? </b></div>
<div>
<br /></div>
<div>
Yes, in the upper right corner of the table view, you can click “Save As”. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj66yEs7Wjy_AutEwgfbUXe2qLhpS0Mw5SpkZMVrqm9sQlEspc37v-c4nS2IU76yJFPONgjC1yt_P0BMJOgQ-2AsIFq865RpP6fATyB1aPbTKrU602XZq5McrwiueLYzj4-lqLSfJPg2yI/s1600/blog+pic+6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj66yEs7Wjy_AutEwgfbUXe2qLhpS0Mw5SpkZMVrqm9sQlEspc37v-c4nS2IU76yJFPONgjC1yt_P0BMJOgQ-2AsIFq865RpP6fATyB1aPbTKrU602XZq5McrwiueLYzj4-lqLSfJPg2yI/s320/blog+pic+6.png" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>Does the IM Parser recover instant messenger conversations from Microsoft Lync 2010?</b></div>
<div>
<br /></div>
<div>
No, not at this time. </div>
<div>
<b><br /></b></div>
<div>
<b>Can v7 parse out chats from a smartphone extracted in EnCase?</b></div>
<div>
<br /></div>
<div>
The smartphone examiner can extract SMS messages, but due to the variety of chat applications and artifacts on smartphone operating systems, EnCase does not claim to support extraction of all chat applications or artifacts. </div>
<div>
<br /></div>
<div>
<b>The ability to sweep bookmarks was not available in early versions of 7. Has this functionality been added in since?</b></div>
<div>
<br /></div>
<div>
Yes, after sweeping text in Text or Hex tabs, you can right-click, select Bookmark, and then Raw text. </div>
<div>
<br /></div>
</div>
<b>Questions</b>? Have v7 tips of your own? I welcome discussion in the comments section below.</div>
<h3>
EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting (published 2015-08-26)</h3>
<h4>
Part 1 of 3 – EnCase App Central & Manfred's Comprehensive Case Template</h4>
<span style="font-size: small; font-weight: normal;">Robert Batzloff </span><br />
<br />
Now that the Enfuse Call for Papers has just gone out, I'm reminded of all the hard work that went into CEIC earlier this year. While there was record attendance, I know not everyone was able to make it to Vegas, so I wanted to re-examine a few EnScripts that were showcased in May; specifically, EnScripts designed to save time, manage evidence and help create quick, professional reports. In this three-part blog series I'll show you how to access and navigate EnCase App Central, how to join the EnCase Developer Network, and I'll walk you through these EnScripts:<br />
<br />
<ul class="list">
<li>What's New in App Central</li>
<li>Manfred's Comprehensive Case Template</li>
<li>Time Zone Prior to Processing</li>
<li>Quick Report </li>
</ul>
<a name='more'></a>EnCase App Central is an aggregator for EnScripts, filters, templates and almost any other mod you can think of for use with Guidance Software products. It's designed similarly to your typical e-commerce site, except that 90% of its catalog is free. It is populated with over 150 EnScripts: small executables designed to work with or within EnCase, adding or automating features and giving users the opportunity to customize their EnCase experience. Most of these EnScripts are written by hands-on users and experts, including members of the Guidance Software training team and many experts in our EnCase community. The catalog is also home to several integrations designed by third-party developers such as Image Analyzer, Cisco AMP Threat Grid, and Magnet Forensics. <br />
<br />
You can find EnCase App Central at the Guidance website (<a href="https://www.guidancesoftware.com/">www.guidancesoftware.com</a>) under the 'hamburger' menu button in the top right corner, or by jumping directly to <a href="https://www.guidancesoftware.com/appcentral/Pages/default.aspx" target="_blank">EnCase App Central</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheHv3yFkOVYdJgEcsbRhrnryGyneQnJACxlVp_-CLvu_MqMXTq8wBUFrjCMkE47Lo_k6hdu2XUG-_vCFwmNTPHxyoa66U8HG5wQ6UV4m60uJYSunVupvtvUjDUB5GEXKlRJkLuOGDJfsJd/s1600/App+Central+Location+on+Site.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheHv3yFkOVYdJgEcsbRhrnryGyneQnJACxlVp_-CLvu_MqMXTq8wBUFrjCMkE47Lo_k6hdu2XUG-_vCFwmNTPHxyoa66U8HG5wQ6UV4m60uJYSunVupvtvUjDUB5GEXKlRJkLuOGDJfsJd/s640/App+Central+Location+on+Site.png" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
From the EnCase App Central home page you can <a href="https://www.guidancesoftware.com/appcentral/pages/searchresults.aspx?k=*">view all EnScripts</a>, search for a specific EnScript, or <a href="https://www.guidancesoftware.com/appcentral/Pages/EnCaseDeveloperApp.aspx">apply for the EnCase Developer Network</a>, where you'll be given the tools and support to create and submit your own EnScripts. Acceptance into the program grants you these benefits:<br />
<br />
<ul class="list">
<li>An EnCase Developer license (Dongle) </li>
<li>Exclusive access to the v7 SDK </li>
<li>Access to up-to-date information on programming EnCase EnScripts </li>
<li>Receive pre-release builds of EnCase </li>
<li>Receive code samples</li>
<li>Receive sample evidence files for testing </li>
<li>Access to Guidance technical support </li>
<li>Guidance will QC your work </li>
<li>Exclusive rights to publish your EnScripts on EnCase App Central </li>
<li>Worldwide visibility for your EnScript </li>
<li>Guidance will manage the purchase of your work </li>
<li>Customer feedback on your EnScript </li>
<li>Ability to offer your EnScripts for free or for a fee</li>
</ul>
<h3>
What's New in App Central</h3>
<h3>
<span style="font-size: x-small;"><a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010108WS&k" target="_blank">Download Here</a></span>
</h3>
The first EnScript I want to talk about is called, What's New in App Central. It can be run from the home menu and does not require a case to be open. This EnScript checks EnCase App Central to see if any new EnScripts have been recently added. Its simple UI shows the last time you used the EnScript to check EnCase App Central's inventory and all the previous EnScripts available. Clicking 'check' provides you with a list of all the new EnScripts that have been added to the site or updated since your last visit.<br />
<br />
It's one of my favorite EnScripts because it's a creative use of the EnScript language and really shows the variety of things you can create with EnScript. It's a quick, easy way to see what new or updated EnScripts are available without having to leave EnCase.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2R5v5y7D1I1Q2XlLMvdJ0fNxeIJF0pb5KFrgLMju2EutKuVm4iLlBJIzoW2FZszoAIT5RFiqyF72JKOg-ifXBv0P9TTskEFWE2Ct4rdESgmFTR-9n6bSOegdJzFkPFWzmYnceQSwAlV4C/s1600/Whats+New+in+App+Central+Image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2R5v5y7D1I1Q2XlLMvdJ0fNxeIJF0pb5KFrgLMju2EutKuVm4iLlBJIzoW2FZszoAIT5RFiqyF72JKOg-ifXBv0P9TTskEFWE2Ct4rdESgmFTR-9n6bSOegdJzFkPFWzmYnceQSwAlV4C/s640/Whats+New+in+App+Central+Image.png" width="640" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>Clicking any of the EnScript titles will take the user directly to their product page where the EnScript can be downloaded.</i></span></div>
<h3>
Manfred's Comprehensive Case Template</h3>
<h3>
<b><span style="font-size: x-small;"><a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010178WS&k" target="_blank">Download Here</a></span></b></h3>
<a href="https://www.guidancesoftware.com/training/Pages/Instructor.aspx#/p/1" target="_blank">Manfred Hatzesberger</a> (<a href="https://twitter.com/manfred_encase" target="_blank">@manfred_encase</a>) joined Guidance Software as an instructor in January of 2006, and is the Training Manager at the Pasadena office. Originally from Germany, Manfred conducts numerous courses in Europe in his native language, in addition to our US based facilities. He knows EnCase. He knows investigations and he knows investigators.<br />
<br />
When investigating, you're going to come across a laundry list of artifacts that either require further investigation or provide the evidence needed to close a case. To capture these items within EnCase you'll use bookmarks.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8L7U0rZOFPwrZYr4i6GJ44hxyfM_ZC0QWsv2vk2Flb4IL_rQHhVYOxyUHYaM1noh2N23tg_v7ShWM2xHOz4GagbS6C1n5QMXKdQGY_CMw_H1qo7b7d8qSPIlV8m6yP2O6o43IiRgnyV0G/s1600/Bookmarking+in+Encase.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8L7U0rZOFPwrZYr4i6GJ44hxyfM_ZC0QWsv2vk2Flb4IL_rQHhVYOxyUHYaM1noh2N23tg_v7ShWM2xHOz4GagbS6C1n5QMXKdQGY_CMw_H1qo7b7d8qSPIlV8m6yP2O6o43IiRgnyV0G/s400/Bookmarking+in+Encase.png" width="400" /></a></div>
<div style="text-align: center;">
<span style="font-size: x-small;"><i>To use bookmarks, select an item or blue-check multiple items then right click. From the menu select 'Bookmark'.</i></span></div>
<br />
All bookmarked items are viewed in the Bookmarks tab. The folder structure shown there is determined by the template selected when the case was created. The structure can be added to or edited during your investigation as you encounter artifacts, and it is also what forms the outline of your final report.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5aXTpjwx2aBk6iR2bPmBhadkW9rERzJqXnyouL-kehlNOpZRM-4HTFY_gTbyX9yjht9vax_Q3-rtQ10TWasJ6w-njNMXRCS9mv3iDim_NP4zYQhaxMp_J4fp8fTgpftfLMibqdZ3QYDPu/s1600/Manfred+Template+Final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5aXTpjwx2aBk6iR2bPmBhadkW9rERzJqXnyouL-kehlNOpZRM-4HTFY_gTbyX9yjht9vax_Q3-rtQ10TWasJ6w-njNMXRCS9mv3iDim_NP4zYQhaxMp_J4fp8fTgpftfLMibqdZ3QYDPu/s640/Manfred+Template+Final.png" width="227" /></a></div>
<br />
Manfred's case template is populated with 80+ bookmark folders that account for a majority of the artifacts encountered by a digital forensic investigator. This comprehensive folder structure is helpful when organizing evidence during your investigations. Before your investigation even begins, Manfred's template has created a home for anything you'll want to revisit, investigate further or include in your report. My favorite part of the template is how well it translates into a final report, its structure and helpful folders make sure your evidence will already be prepared in an order best suited for presentation.<br />
<br />
Once you've downloaded the template from EnCase App Central, drop it into the Templates folder wherever your copy of EnCase 7 is installed (Program Files > EnCase > Templates) and it will be available the next time you launch EnCase.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnaNLiI9Xhm_INUCWilOt_2kygkz2dGELwBid_NlGOSt1AXQ9n-0jl5seljgw3nPZ6vkcS-qvumB2Crt4biyx1Be0miqNyqHh9s8X6jhNF9NKDOiM2GQsPwDqbBkdlAMxIsf0kflCP-wck/s1600/Case+Settings+for+EnCase+7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnaNLiI9Xhm_INUCWilOt_2kygkz2dGELwBid_NlGOSt1AXQ9n-0jl5seljgw3nPZ6vkcS-qvumB2Crt4biyx1Be0miqNyqHh9s8X6jhNF9NKDOiM2GQsPwDqbBkdlAMxIsf0kflCP-wck/s640/Case+Settings+for+EnCase+7.png" width="600" /></a></div>
<br />
Thanks for reading. Stay tuned for part two of this series where I'll walk you through Jamey Tubb's excellent EnScript, Time Zone Info Prior to Processing. If there is an EnScript category you would like me to cover or maybe a single EnScript you think deserves some more coverage or if you'd like a tutorial for any of the 150+ available EnScripts, please let me know in the comments.<br />
<br />
You can also connect with EnCase App Central via their Twitter account (<a href="https://mobile.twitter.com/EnCase_Apps">@EnCase_Apps</a>), where you can find links to all the new or updated EnScripts the day they're made available.<br />
<br />
If you have any questions regarding the EnScripts discussed in this blog post you can email EnCase App Central directly at <a href="mailto:encaseappcentral@guidancesoftware.com">encaseappcentral@guidancesoftware.com</a> or use the <a href="https://support.guidancesoftware.com/forum/forumdisplay.php?f=65" target="_blank">EnCase App Central support portal</a>; each EnScript developer has a discussion board dedicated to answering questions and posting more information about their EnScripts.<br />
<br />
<i>Posted by guidancesoftware101</i><br />
<br />
<h2>
Password Recovery Can be Practical</h2>
<i>Ken Mizota, 2015-07-01</i><br />
<br />
Guidance Software’s Tableau Unit recently released <a href="https://www.guidancesoftware.com/products/Pages/tableau/products/tableau-password-recovery.aspx" target="_blank">Tableau™ Password Recovery</a>, a hardware + software solution to accelerate password attacks on protected files, disks, and other containers.<br />
<br />
It’s always fun to play with new toys, and when the new hotness is a purpose-built, linearly scalable, password-cracking behemoth, how can one not share? I did a bit of digging while running a two-server Tableau Password Recovery setup through its paces in our labs here in Pasadena, California, and while I found many good tools and tutorials for password cracking, I found it difficult to differentiate the theoretically possible from the actually practical. Here are some thoughts from that process.<br />
<br />
<a name='more'></a><h3>
Data protection is ancient</h3>
<div>
Each step forward in communication technology has been accompanied by a corresponding technology to protect the idea itself. Ancient Greeks used a <a href="https://en.wikipedia.org/wiki/Scytale" target="_blank">scytale</a>, a rod wrapped with a strip of parchment, to protect messages on the battlefield. Presumably, cryptanalysts of the day had to be moderately talented at woodwork. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguZvJI5uSXoZTJIP3CboRmIsz2I8jmNyQpzQewXsb059uFcnLZon4qgVG8LYS0l0bu741gFgl9tYe-NPZGsNZX4J4wfh3dOSV0wSM073HfE2svYkhbRuddFvMOJTy3vS7_qjsKfmM3dzu0/s1600/scytale.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguZvJI5uSXoZTJIP3CboRmIsz2I8jmNyQpzQewXsb059uFcnLZon4qgVG8LYS0l0bu741gFgl9tYe-NPZGsNZX4J4wfh3dOSV0wSM073HfE2svYkhbRuddFvMOJTy3vS7_qjsKfmM3dzu0/s320/scytale.jpg" width="320" /></a></div>
<div>
While data protection is ancient, our tools don’t have to be. Modern cryptography and cryptanalysis are not the stuff of whittlers, but of mathematicians and statisticians. One can’t throw a scytale these days without hitting protected data, increasingly protected by strong cryptography: more math than most computers can work through in useful time. The keyspace is massive, which makes the problem costly to solve both in compute and in wall-clock time. The good news is we know the math, and there are established <a href="http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/" target="_blank">techniques </a>we can use. </div>
<div>
<br /></div>
<div>
The problem in practice decomposes into a few pieces:</div>
<div>
<ol>
<li>How to detect protected data?</li>
<li>How to expose protected contents for human review?</li>
<li>How to scale and manage effectively?</li>
</ol>
<h3>
Disk and file encryption</h3>
</div>
<div>
Full-disk encryption is commonplace and, in most enterprises, arguably the norm. We know detecting full disk encryption is useful to investigators, because one of the most consistently popular blog posts here is Graham Jenkins’ <a href="http://encase-forensic-blog.guidancesoftware.com/2014/04/version-7-tech-tip-spotting-full-disk.html" target="_blank">Spotting Full Disk Encryption</a>. Graham points out how EnCase® provides visibility to the encrypted data itself, which can inform the investigator of appropriate next steps. EnCase also determines the encryption provider and prompts for credentials. The screenshot below appears when I attempt to preview my own encrypted OS drive:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSk-LZnGTmTRwpzJ8RIz4bege4MQDP6tOWRgZoKZBwq5JI9YIjpm-alUDvyR33HprRumUWL2t6u-nduGEGUgXbt2jdhm2lg0rZlY55wR_DcX3P2y1SqiJSrkdPCxMMEAg7dD0xw4fYOSeV/s1600/mydisk.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSk-LZnGTmTRwpzJ8RIz4bege4MQDP6tOWRgZoKZBwq5JI9YIjpm-alUDvyR33HprRumUWL2t6u-nduGEGUgXbt2jdhm2lg0rZlY55wR_DcX3P2y1SqiJSrkdPCxMMEAg7dD0xw4fYOSeV/s320/mydisk.png" width="260" /></a></div>
<div>
Our team works with major disk encryption solutions such as: Check Point Full Disk Encryption, Credant Mobile Guardian and Dell Data Protection, GuardianEdge, McAfee Endpoint Encryption, Microsoft BitLocker, Sophos SafeGuard, Symantec PGP, Symantec Endpoint Encryption, and WinMagic SecureDoc. This is made possible through direct collaboration with the individual encryption vendors, and it's well worth the effort. </div>
<div>
<br /></div>
<h3>
What are we dealing with? Detecting protected files</h3>
<div>
Getting access to the volume itself is just one step. In EnCase, we use file signature analysis to examine the file extensions, headers and footers of files to determine if their appearance in the file system is consistent with the data they truly represent. </div>
<div>
<br /></div>
<div>
Let’s say we have a password-protected Excel 2010 workbook. Signature analysis still recognizes it as an Excel workbook (an encrypted Office 2007+ document is written out as an OLE2 compound file that wraps the real package, so the header is a legitimate Office signature even though the payload is ciphertext), but if you tried to open the file, you’d be asked for a password. If you examine the contents of the workbook in the Hex or Text views, you’d see seemingly meaningless data. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMYSWQ2CjHOEvKMgWu3-vCNnXbwRQlKcBvRZF6h_z8cKGOooQavPyNAVGiAJKyWj3taLa8yPlHnqkdF4lRWT7vYhpkJmd6YXrtAjlpXHRlP1ifndCh9HSPTnRY7ElHGFU076iYWdfXv5m5/s1600/encryptedxls.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="355" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMYSWQ2CjHOEvKMgWu3-vCNnXbwRQlKcBvRZF6h_z8cKGOooQavPyNAVGiAJKyWj3taLa8yPlHnqkdF4lRWT7vYhpkJmd6YXrtAjlpXHRlP1ifndCh9HSPTnRY7ElHGFU076iYWdfXv5m5/s640/encryptedxls.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
But is this file actually protected? If so, how is it protected? We can answer this by running Protected File Analysis in the EnCase Processor. EnCase uses the Passware Encryption Analyzer to identify encrypted and password-protected files. Protected file analysis is available in all EnCase editions, including EnCase® eDiscovery, where protected files are automatically identified as exceptions during processing.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT6Uh4bk7x5Kbz1aa-_Ff12IjE2uEtZksPcjd8MefrdQkpst22K3AeovdJBcshR-b7wB6L5Ygw535aTg3UxeGBQJ6cOzZVEWryjpkxV_uafXUMfM4hIrBAvDAvlbEX1RBzaSY9dXsw0l0M/s1600/protectedfiles.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT6Uh4bk7x5Kbz1aa-_Ff12IjE2uEtZksPcjd8MefrdQkpst22K3AeovdJBcshR-b7wB6L5Ygw535aTg3UxeGBQJ6cOzZVEWryjpkxV_uafXUMfM4hIrBAvDAvlbEX1RBzaSY9dXsw0l0M/s400/protectedfiles.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After Protected File Analysis, we can see which files are protected, and also what type of password recovery method is required to unlock the contents. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FLni0gAAVsUJfghm-cMpzcUOIV9dlk3YOgmfgXTocBBur8JhJmcvrhTS6fhc5aV1ruP0jg2ZEbP43j6n3PP4O_yTaTdGdFMQvKs0koIKd92g6pU5CiF8VhS3tU_LayqRr3zdLxOtcIIW/s1600/pfaresults.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6FLni0gAAVsUJfghm-cMpzcUOIV9dlk3YOgmfgXTocBBur8JhJmcvrhTS6fhc5aV1ruP0jg2ZEbP43j6n3PP4O_yTaTdGdFMQvKs0koIKd92g6pU5CiF8VhS3tU_LayqRr3zdLxOtcIIW/s640/pfaresults.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
Even just these two pieces of data inform the next steps of our case.</div>
<div>
<br /></div>
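<div>
The two checks above, signature analysis and protected file analysis, can be illustrated with a small triage script. The Python below is an added example written for this post, not EnCase’s signature table or the Passware Encryption Analyzer, and every input it examines is a constructed stand-in built inside the block. It identifies the container from its magic bytes and then looks for the marker each format uses for protection: an encrypted Office 2007+ document is an OLE2 compound file carrying EncryptionInfo and EncryptedPackage streams, an encrypted ZIP entry sets bit 0 of the general purpose flags in its local header, and an encrypted PDF has an /Encrypt entry in its trailer. Shannon entropy is reported as a supporting signal only, because compressed data scores about as high as ciphertext.</div>
<div>
<br /></div>
```python
"""Triage for password-protected containers: magic bytes, protection markers, entropy.

Example code written for this post, not EnCase's signature analysis or the
Passware Encryption Analyzer. All sample inputs below are constructed stand-ins.
"""
import io
import math
import random
import struct
import zipfile
from collections import Counter

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local file header
PDF_MAGIC = b"%PDF-"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, but also for compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk local file headers; bit 0 of the general purpose flags marks encryption."""
    off = 0
    while off + 30 <= len(data) and data[off:off + 4] == ZIP_MAGIC:
        (_ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, nlen, elen) = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        if flags & 0x0001:
            return True
        if flags & 0x0008:      # sizes live in a trailing data descriptor; stop walking
            break
        off += 30 + nlen + elen + csize
    return False


def classify(data: bytes) -> dict:
    """Identify the container and whether it carries a protection marker."""
    result = {"container": "unknown", "protected": False, "reason": "",
              "entropy": round(shannon_entropy(data), 2)}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        # Office 2007+ encryption stores the OOXML package inside an OLE2 compound
        # file whose directory names (UTF-16LE) include EncryptionInfo/EncryptedPackage.
        if "EncryptionInfo".encode("utf-16-le") in data:
            result["protected"] = True
            result["reason"] = "EncryptionInfo stream (Office 2007+ encryption)"
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "zip"
        if zip_has_encrypted_entry(data):
            result["protected"] = True
            result["reason"] = "encrypted ZIP entry (general purpose flag bit 0)"
    elif data.startswith(PDF_MAGIC):
        result["container"] = "pdf"
        if b"/Encrypt" in data:
            result["protected"] = True
            result["reason"] = "/Encrypt entry in trailer"
    elif len(data) >= 4096 and result["entropy"] > 7.5:
        # No known header and near-random bytes: possibly a headerless container,
        # possibly just compressed data. Worth a closer look, not a verdict.
        result["reason"] = "no signature, high entropy"
    return result


def build_samples() -> dict:
    """Constructed stand-ins for the file types above (not real evidence)."""
    rng = random.Random(1)
    encrypted_office = (OLE_MAGIC + b"\x00" * 504
                        + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:            # unprotected OOXML-style package
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    plain_docx = buf.getvalue()
    encrypted_zip = (ZIP_MAGIC
                     + struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, 0, 0, 5, 5, 5, 0)
                     + b"a.txt" + b"\x9c\x2f\x11\xe4\x07")
    plain_pdf = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n"
                 b"<< /Root 1 0 R >>\n%%EOF")
    encrypted_pdf = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n"
                     b"<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF")
    random_blob = bytes(rng.getrandbits(8) for _ in range(8192))
    return {"office_encrypted": encrypted_office, "docx_plain": plain_docx,
            "zip_encrypted": encrypted_zip, "pdf_plain": plain_pdf,
            "pdf_encrypted": encrypted_pdf, "random_blob": random_blob}


SAMPLES = build_samples()

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = classify(blob)
        print(f"{name:18} {r['container']:8} protected={str(r['protected']):5} "
              f"entropy={r['entropy']:.2f} {r['reason']}")
```
<div>
<br /></div>
<div>
Run it as a script to get one line per sample. The ZIP walker stops at the first entry that defers its sizes to a data descriptor (flag bit 3), which is the realistic failure mode for streamed archives; a production tool would read the central directory instead. The entropy rule is deliberately last and only fires when no signature matched.</div>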
<h3>
Peering inside: Using Passware and EnCase</h3>
<div>
Now that we’ve identified the file as protected, and we know specifically how it is protected, all we have to do is to open it! Unfortunately, this is where the “more math than computers can handle efficiently” issue appears. Fortunately, we have a few options within arm’s reach. </div>
<div>
<br /></div>
<div>
We can decrypt the file with Passware Kit Forensic directly. <a href="http://encase-forensic-blog.guidancesoftware.com/2012/03/passware-kit-forensic-now-available-for.html" target="_blank">Passware Kit Forensic</a> is one of the most comprehensive, well-maintained, and supported password recovery tools commercially available. If you have Passware Kit Forensic installed on your workstation, you can export the file from EnCase or add Passware as a file viewer for right-click efficiency.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBpjaD39Xn8vxU4xSLuCiLzdy262GqOJBtBc9iMetk3ZkrSloI7_mP_393_qfgtLycfivDPMtE18XPXrbWOPRaYJhjPdZdWUZuo4fr34YX-Dh3vh42S2vvk0hZsFm46ipNfLubMl1q-b9s/s1600/openwith.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBpjaD39Xn8vxU4xSLuCiLzdy262GqOJBtBc9iMetk3ZkrSloI7_mP_393_qfgtLycfivDPMtE18XPXrbWOPRaYJhjPdZdWUZuo4fr34YX-Dh3vh42S2vvk0hZsFm46ipNfLubMl1q-b9s/s640/openwith.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Passware Kit Forensic provides decryption capabilities for over 200 file types and implements a full spectrum of attacks, from instantaneous decryption to brute force. I won’t provide a full treatment of Passware Kit Forensic here, so take a look at the <a href="http://www.lostpassword.com/passware-kit-forensic/index.html" target="_blank">Passware site</a> for more resources. </div>
<div>
<br /></div>
<div>
One approach worth mentioning is the dictionary attack. Dictionary attacks are a relatively intelligent answer to a vast problem: if we are going to try candidate passwords, where shall we begin? Conveniently, humans think and communicate in words, so words are a reasonable place to start when the password was chosen by a human. A dictionary attack takes a word list as input, derives the key from each candidate exactly as the file format does, and checks the result against the file’s verifier, so that only the candidates on the list cost any compute. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi_BUWRaBH_2lG45KtAPT8R8hea4_MWI5us8fjvtiW_gSswzkjHa2KUpH3yYTcRuyCB0KBpCNjTkyybuLS7nXIHuSzQsfKOe83GXaizTGV7XCYkfyLVVeaZDtPf5u8v5XMeAeBjOw925X0/s1600/passwareexport.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi_BUWRaBH_2lG45KtAPT8R8hea4_MWI5us8fjvtiW_gSswzkjHa2KUpH3yYTcRuyCB0KBpCNjTkyybuLS7nXIHuSzQsfKOe83GXaizTGV7XCYkfyLVVeaZDtPf5u8v5XMeAeBjOw925X0/s200/passwareexport.png" width="200" /></a></div>
<div>
If a general set of words are a reasonable place to start, then wouldn’t words found within a specific data set be that much better? Wouldn’t including passwords found within a case, extracted from Windows or from <a href="http://encase-forensic-blog.guidancesoftware.com/2013/07/examining-mac-os-x-user-system-keychains.html" target="_blank">OS X keychains</a> also be a good starting point? </div>
<div>
<br /></div>
<div>
After processing and indexing evidence in a case, EnCase enables export of words discovered in the case for use by Passware Kit Forensic dictionary attacks. It’s always wise to start with a good dictionary whenever possible, and Passware Kit Forensic makes sure the dictionary informs the attack execution plan.</div>
<div>
<br /></div>
<div>
<br /></div>
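<div>
To make the dictionary step concrete, here is an added example, written for this post rather than taken from Passware Kit Forensic or EnCase’s word export, that builds a word list from case text, applies a few mangling rules, and runs it against a constructed stand-in for a protected file. The stand-in verifies a password with PBKDF2-HMAC-SHA256 over a fixed salt, a deliberate simplification of the format-specific key derivation a real container would use, and its iteration count is kept low so the example finishes in seconds. The case text and the password are invented for the example.</div>
<div>
<br /></div>
```python
"""Dictionary attack seeded from case text, with simple mangling rules.

Example code written for this post; it is not Passware Kit Forensic or the
EnCase word export. The 'protected file' is a constructed stand-in whose
verifier is PBKDF2-HMAC-SHA256 (real formats use their own KDFs and iteration
counts). The iteration count is kept low so the example runs in seconds.
"""
import hashlib
import hmac
import re
from collections import Counter

# Constructed "case text": a few snippets as an index of the evidence might surface them.
CASE_TEXT = [
    "Subject: Falcon launch review\nThe Falcon deck is on the share, password goes out separately.",
    "Reminder: Falcon numbers are due Friday. Ping Dana about the Falcon budget.",
    r"C:\Users\dana\Documents\Falcon\forecast.xlsx",
]

SUFFIXES = ("", "1", "123", "!", "2015")     # common human append patterns
LEET = str.maketrans("aeios", "43105")       # a->4, e->3, i->1, o->0, s->5


def words_from_case(blobs, min_len=4):
    """Alphanumeric tokens from the case, most frequent first: the case dictionary."""
    counts = Counter()
    for blob in blobs:
        counts.update(re.findall(r"[A-Za-z0-9]{%d,}" % min_len, blob))
    return [word for word, _ in counts.most_common()]


def mangle(word):
    """Yield case/leet variants of a word, each with the common suffixes, without repeats."""
    bases = []
    for base in (word, word.lower(), word.capitalize(), word.upper(),
                 word.lower().translate(LEET)):
        if base not in bases:
            bases.append(base)
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


class ToyProtectedFile:
    """Stand-in for a protected container: it keeps a salt, iteration count and verifier."""

    def __init__(self, password, salt=b"\x13\x37\xca\xfe\xba\xbe\x00\x01", iterations=2000):
        self.salt = salt
        self.iterations = iterations
        self.verifier = self._derive(password)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, self.iterations, 32)

    def check(self, password):
        # Constant-time compare; a real format would compare a decrypted verifier block.
        return hmac.compare_digest(self._derive(password), self.verifier)


def dictionary_attack(target, wordlist, rules=True):
    """Try each word (and its mangled forms); return (password or None, attempts made)."""
    tried = 0
    for word in wordlist:
        for candidate in (mangle(word) if rules else (word,)):
            tried += 1
            if target.check(candidate):
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    target = ToyProtectedFile("Falcon2015")        # the examiner does not know this
    generic = ["password", "letmein", "welcome", "qwerty"]
    print("generic list:", dictionary_attack(target, generic))
    case_words = words_from_case(CASE_TEXT)
    print("case words:", case_words[:6])
    print("case list:", dictionary_attack(target, case_words))
```
<div>
<br /></div>
<div>
The generic list never finds the password, while the case-derived list finds it on the fifth candidate, because the project name shows up repeatedly in the evidence and the rules append a year. The attempt counter is what the word list really buys you: with a real KDF at tens of thousands of iterations per guess, every candidate skipped is compute saved.</div>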
<h3>
Adding it all up: Efficient, Manageable, Scalable</h3>
<div>
Of course, the principal problem of password recovery is neither determining what you can recover nor choosing the right technique. Inevitably, any standing password recovery capability needs to make computationally expensive tasks efficient and manageable. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPWBipUYtfLVd0vvnlsp4BSDzyWe7n4pofFY16THe-4DjOqwDBidqovqYwYIGR_qmPpbHspxPM2j9gn-L2_pGRsjMQZe7ZR0w7bZYl4ZLTHlB9DIdjnq82Kh9Gkhr57bQpPHxiTF5F_m5z/s1600/tpr.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPWBipUYtfLVd0vvnlsp4BSDzyWe7n4pofFY16THe-4DjOqwDBidqovqYwYIGR_qmPpbHspxPM2j9gn-L2_pGRsjMQZe7ZR0w7bZYl4ZLTHlB9DIdjnq82Kh9Gkhr57bQpPHxiTF5F_m5z/s400/tpr.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I have two Tableau Password Recovery servers in the lab. Working together, they accelerate password recovery attacks by orders of magnitude relative to a CPU alone. Each server comes outfitted with four Tableau Accelerator Gen2 PCI boards (TACC2). Protected files, like PGP self-decrypting archives, can be attacked at rates exceeding 1.5 million passwords/second. Multiple Tableau Password Recovery servers can operate in parallel with linear performance scaling: if you need more acceleration, add another server. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Tableau Password Recovery has been directly integrated into EnCase, making recovering password protected files a few clicks away. Select files to recover, submit them to the Tableau Password Recovery server, and monitor the status.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0bCir9tCcN04fUGiHbHXR6qaTpCy8zQ3mF78OVVI0oXQ5u0B1Tm7Fh-sR8YP63kpbuOKn1CmmLTTt_L3ggbaOoppHuatfWZYHi7QHaE8EhG8bp6ROsTvejGRoXonm5kMaY8IpHVV4w-o5/s1600/displaystatus.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0bCir9tCcN04fUGiHbHXR6qaTpCy8zQ3mF78OVVI0oXQ5u0B1Tm7Fh-sR8YP63kpbuOKn1CmmLTTt_L3ggbaOoppHuatfWZYHi7QHaE8EhG8bp6ROsTvejGRoXonm5kMaY8IpHVV4w-o5/s640/displaystatus.png" width="640" /></a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
When password recovery has completed a job, the recovered file can be retrieved and automatically added to the case, including the recovered password and execution log for further review. The decrypted file is automatically linked to the original protected file. It’s a minor thing, but we know it makes for one less thing to track. </div>
<div>
<br /></div>
<div>
Any treatment of practical password recovery would be incomplete without mentioning GPU-based acceleration. GPUs effectively accelerate many password-recovery algorithms, but that performance comes at a cost. A single-card system draws on the order of <a href="http://www.anandtech.com/show/8526/nvidia-geforce-gtx-980-review/21" target="_blank">300W at the wall under load</a>, and multi-GPU configurations require power supplies in excess of 1000W. Greater power consumption increases operational costs in the form of cooling and component failure. Reliably sourcing compatible replacement parts can be challenging, creating ongoing maintenance, testing and other hidden costs. GPUs excel at high-end throughput, but top-end speed can’t be the only factor in practical password recovery. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQbELMeT6wsKF1-JFWhjKwKjhRGFrTOsdrzOCXX9PWxy5Mpru6O0NsypV3_CyH3pbyxEtypNfyAbxf1K80cIKH10AyyuOr41QTL62y1tyEaL9KDNG12dktkjazXCC0l3rzIZGbNNX3h34p/s1600/tprcomp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQbELMeT6wsKF1-JFWhjKwKjhRGFrTOsdrzOCXX9PWxy5Mpru6O0NsypV3_CyH3pbyxEtypNfyAbxf1K80cIKH10AyyuOr41QTL62y1tyEaL9KDNG12dktkjazXCC0l3rzIZGbNNX3h34p/s640/tprcomp.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
The table above compares passwords-per-second versus passwords-per-second-per-watt for three different password-recovery solutions. Passwords-per-watt turns out to be a good way to describe not only top-end speed, but also the inherent reliability and manageability of the system. Tableau Password Recovery achieves acceleration on par with multi-GPU solutions, while sipping watts.</div>
<div>
<br /></div>
<div>
Finally, Tableau Password Recovery is a Tableau forensic product to the core. The FPGA-based accelerator technology not only allows the system to run cooler, but also enables future flexibility. As with all Tableau products, Tableau Password Recovery will receive no-cost software updates without requiring hardware changes. These updates will add new algorithms for acceleration as well as improve efficiency of existing accelerators. </div>
<div>
<br /></div>
<div>
If you find this information useful, or would simply like to learn more, I’m happy to chat via comments below or reach me on <a href="https://twitter.com/kenmizota" target="_blank">Twitter @kenmizota</a>.</div>
<div>
<br /></div>
<i>Posted by Ken Mizota</i><br />
<br />
<h2>
Why Now is the Time to Make the Move to EnCase® Version 7</h2>
<i>Robert Bond, 2015-06-25</i><br />
<br />
<div class="MsoNormal">
I’ve been fortunate enough to meet a number of forensic investigators—both in law enforcement and inside corporations—and to hear a little about how they do their work. All of us in every line of work have preferred tools, checkpoints, and workflows, so it can be very easy to procrastinate on making the change to a new version of a favorite tool. However, I’m genuinely excited to tell you that, if you’ve been waiting for the right time to upgrade to EnCase Forensic version 7, that time is now.<br />
<a name='more'></a><br />
Making the switch has been a productive choice for a number of our community of users. Take Dave Papargiris of Evidox, for instance. At the welcome reception at last year’s CEIC® he told me, “I’ve started transitioning over to v7 and there are definite advantages.” He “grew up” on v6, but took the plunge, and is seeing his work get done faster and with less effort in Version 7.<br />
<br />
We believe you can work with more power and speed at Version 7, and to help you do that, we’re offering the EnCase Forensic v7 upgrade package – both product and training – at 80 percent off. Yes—80 percent.<br />
<br />
<h4>
What’s in it For You?</h4>
Plenty:<br />
<ul class="list">
<li>A faster, more powerful processor</li>
<li>Support for more OSes and applications you work with</li>
<li>Remote forensic capability</li>
<li>Integrated smartphone and tablet module</li>
<li>Over 100 metadata-based reports in Case Analyzer</li>
<li>More than 130 task-focused apps and EnScripts® on EnCase® App Central</li>
</ul>
<br />
<b>It’s a great time to make the move.</b> I hope you’ll take advantage of this unprecedented offer today, because it ends on August 31. Call us at 1 (888) 999-9712 today, and look for more blog posts in the coming weeks that focus on how to do things in v7 that you do multiple times a day in v6.
</div>
<h2>
EnScript and Python: Exporting Many Files for Heuristic Processing - Part 1</h2>
<i>James Habben with Chet Hosmer, 2015-06-03</i><br />
<br />
<div class="MsoNormal">
I discovered something very cool this year at CEIC: people actually read my blog posts! The realization came when I found out there were two sessions focusing on Python, and both of them talked about my #en2py techniques that I presented in this blog last year.<br />
<br />
One of the sessions, Heuristic Reasoning with Python and EnCase, was presented by <i><b>the </b></i>Python forensics guy, Chet Hosmer of <a href="http://python-forensics.org/">python-forensics.org</a>. I got a chance to chat with him after his session, and the discussion led to what you are about to read. Chet has a number of Python scripts that can make a difference in forensic cases, and we decided a joint blog post would be a fun way to touch on the integration between EnCase and Python with another technique. This will be a two-part post, with the first part focusing on getting the files out. The second will get fancier by putting a GUI on the front to accept processing options. I will now let Chet explain the benefits of his work.<br />
<br />
<h4>
Function and Benefits of Heuristic Reasoning</h4>
<i>Applying heuristics during deep-dive investigation allows us to apply rules of thumb during the process. In order to bring this to light, we chose to integrate a Python script that performs “what I call” heuristic indexing of binary files. Binary files like memory snapshots, executable files and photographic images have ASCII text embedded with the binary data. Extracting these “text sequences or remnants” and then making sense of them can be a challenge. </i><br />
<i><br /></i>
<i>The issue with traditional approaches like dictionary comparisons or keyword lists is the occurrence of misspelled words, slang, technical jargon, malware strings, filenames, and function names. These can all be missed because they are not in the dictionary or keyword list; an example is shown in the <a href="http://www.usatoday.com/story/news/nation/2012/11/25/casey-anthony-suffocation-google/1725253/" target="_blank">Casey Anthony</a> investigation. Another traditional approach would be to report on all “text sequences or remnants”; this can result in a voluminous number of nonsensical, meaningless text strings that can overwhelm investigators.</i><br />
<i><br /></i>
<i>My approach (originally outlined in my text, <a href="http://www.amazon.com/Python-Forensics-workbench-inventing-technology/dp/0124186769" target="_blank">Python Forensics</a>) uses a set of 400,000 common English words (loosely a mini corpus of words) to generate a weighted heuristic model. I have since created additional models for medical and pharmaceutical domains and I’m working on common words used within text messages. </i><br />
<i><br /></i>
<i>Using Python, I load the specific weighted heuristics into a Set. Then during the process of extracting “text sequences or remnants” from the binary file(s), the same algorithm is applied to each extracted sequence as was used to build the weighted heuristics. The calculated heuristic is then used as a lookup value. If the value is found in the loaded weighted set, then the word is considered probable and reported. One other final step I should mention: most languages have what are referred to as “stop words”, such as whenever, always, another, elsewhere, etc. English is no exception. These stop words are filtered from the final list as they typically have little probative value. Each identified word that passes these filters is stored in a dictionary, one of the great built-in data structures within Python. Dictionaries are key/value pairs; in this case the key is the probable word string and the value is the number of times the word is discovered. This allows me to then produce a resulting list of probable words either sorted alphabetically or by frequency of occurrence.</i><br />
<i><br /></i>
<i>Therefore, the bottom line benefits of heuristic indexing include:</i><br />
<ol>
<li><i>Accurate identification of a broad set of probable words from binary data</i></li>
<li><i>Slang, technical jargon, filenames, misspelled words are also identified</i></li>
<li><i>Strings that represent nonsense strings are filtered out</i></li>
<li><i>Common stop words are ignored</i></li>
<li><i>The frequency of words found or alphabetical results are possible</i></li>
<li><i>New weighted heuristic models can be created</i></li>
</ol>
<i>In order to apply this method more broadly to a case instead of a single file, we needed a method to allow EnCase (via an EnScript), to export multiple selected files to be processed by the Python script. I turned to James, the EnScript Guru for help.</i><br />
<br />
<h4>
Method of Choosing Files</h4>
In my <a href="http://encase-forensic-blog.guidancesoftware.com/2014/09/encase-and-python-part-1.html" target="_blank">previous posts</a>, I used a simple technique in EnScript to send the highlighted file out from EnCase to the local disk to allow for a Python script to access the data. This works great for Python scripts that are designed to process one file at a time, but it is not very efficient for the examiner when that one file has not been pinpointed yet. There are many Python scripts out there that are designed to process a whole set of files in a designated folder.<br />
<br />
In <a href="http://encase-forensic-blog.guidancesoftware.com/2014/10/encase-and-python-automating-windows.html" target="_blank">another post</a>, I looped through files in the case, but I was targeting certain filenames known to contain evidence from Windows 8 Phone apps. The structure there is similar to what I have here, but the interaction with Python is the difference.<br />
<br />
Chet and I talked at CEIC about how to do exactly this in EnScript, and came to the conclusion that the rest of the world should know about this as well! OK, maybe not the world, but I’m sure you appreciate that we didn’t keep this buried in some dark closet somewhere.<br />
<br />
I have talked about <b>ItemIteratorClass </b>before, but it was in a simple post about the <a href="http://encase-forensic-blog.guidancesoftware.com/2014/04/enscript-changes-from-encase-version-6.html" target="_blank">changes in EnScript from EnCase v6 to v7</a>. This is the class that gives us access to all of the files in the case. There are a lot of options explained in that post, so I won’t drag it out here. The mode we will focus on is <b>CURRENTVIEW_SELECTED</b>, which will give us a collection of the files that the examiner has blue-checked in the EnCase interface before running the EnScript.<br />
<br />
Because we are processing multiple files, the execution of the Python script needs to happen once the loop is complete. The loop will be doing the work of identifying selected files and exporting them to the disk.<br />
<br />
<h4>
EnScript Walkthrough</h4>
The usage of ItemIteratorClass starts off with setting some values in variables. I defined these as global variables for reasons you will see in part 2. The mode I chose here allows an examiner to blue-check any number of files in EnCase, and send this collection to the EnScript for export.<br />
<br />
NOPROXY is used because I am not looking to have any hashes calculated, and it speeds up the loop. The NORECURSE option is also used to speed up the loop; with a mode that uses the current view, recursing into compound files isn't possible anyway.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDn4Nhtaq9nzdMQ4xSieo1Px2dYtx1PlANVfDAZrXZsCcxXQjArzPk320sPaeqIps7WjtEW7Q3iQ9tW7bqg_S0Q7xtwRFLCs1JqNZO05qDJi3dkTYV1ECmXHrRmDQYI93KyJI5cO3Zfl4/s1600/python+image+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDn4Nhtaq9nzdMQ4xSieo1Px2dYtx1PlANVfDAZrXZsCcxXQjArzPk320sPaeqIps7WjtEW7Q3iQ9tW7bqg_S0Q7xtwRFLCs1JqNZO05qDJi3dkTYV1ECmXHrRmDQYI93KyJI5cO3Zfl4/s640/python+image+1.png" width="640" /></a></div>
<br />
Then we enter the loop to find all of the files. There's a fairly bulky chunk of code here, but it has a purpose. When you are dealing with files from evidence, you are potentially pulling files from folders all over the drive, so chances are good you will find a couple of files with the same name. On line 22, I am using a GUID that is generated by EnCase and is unique inside the evidence file. Lines 20-23 together modify the filename to include this GUID while retaining the original extension for identity.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilCa4uhfBEFJ3NgCoRvx7zlPGHYc4TWGfHtpzRmYFdXcCSI8cJGz0iex5fx3X0f2Xz_r2DdzUDj7FB-rRrz6RzPzGeOM_NXWvE2gaPyMk15JTnvcYlUt8jKyjW9Lf_yPToS91Pd_ZAAY8/s1600/python+image+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilCa4uhfBEFJ3NgCoRvx7zlPGHYc4TWGfHtpzRmYFdXcCSI8cJGz0iex5fx3X0f2Xz_r2DdzUDj7FB-rRrz6RzPzGeOM_NXWvE2gaPyMk15JTnvcYlUt8jKyjW9Lf_yPToS91Pd_ZAAY8/s640/python+image+3.png" width="640" /></a></div>
<br />
<br />
There is a little irritation that pops up when you use any of the modes focusing on the current view. It locks that view in EnCase for the examiner running the EnScript while the iterator is active. Line 31 happens immediately after the looping export code, and this clears the iterator to release the view for the examiner while Python does its thing. Little things matter!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYf3p4bD92RBh2d-TaTdp4LVLK7D2sLJGlP7QryR2hxzMrJ8Qc1-2BfBx9Ww4bsnSDTVdl5UYSzQjmerzGosa4LZrAA6PAGxgQyjldtINAuskyqoR7M13VChiQ-Spu5gPcW8pqtLSY79Q/s1600/python+image+4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="20" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYf3p4bD92RBh2d-TaTdp4LVLK7D2sLJGlP7QryR2hxzMrJ8Qc1-2BfBx9Ww4bsnSDTVdl5UYSzQjmerzGosa4LZrAA6PAGxgQyjldtINAuskyqoR7M13VChiQ-Spu5gPcW8pqtLSY79Q/s200/python+image+4.png" width="200" /></a></div>
<br />
<br />
<br />
Depending on the Python script you are using and the amount of data you are processing, you may have to adjust the timeout value on line 41. If this value is not large enough, the output from Python will be either missing or cut short.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIsVZJ5moAR4Ij01BObOTRh9kMF2yLgZZnhJUCxsOBNqGQOBOgDIzP1jOBj8P5WFeQlpfCLX6x2QvE8C8W6FxvRVdlibAPPzUqNHGQyjk5fAMWk8_h2bg9_c6darVeexxurbM0vsuoikM/s1600/python+image+5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="26" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIsVZJ5moAR4Ij01BObOTRh9kMF2yLgZZnhJUCxsOBNqGQOBOgDIzP1jOBj8P5WFeQlpfCLX6x2QvE8C8W6FxvRVdlibAPPzUqNHGQyjk5fAMWk8_h2bg9_c6darVeexxurbM0vsuoikM/s640/python+image+5.png" width="640" /></a></div>
<br />
<br />
You're getting a two-for-one deal in this joint blog post, because now Chet is going to explain some of the Python code. (I don’t want to read any complaints about the length of this post!)<br />
<br />
<h4>
Python Walkthrough</h4>
The overview of the Python script is shown in the figure below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja6kRnjQS76tBMBYH2FVrChcYJhGXeHwHLYFvyDS7pRZTmOKCecUII-E7L21E4TjqTPYkb0tJt6bO7ezrC18dgT4LhGf8NbIOI6YJpQ8KP30W-t-hVoNzhkz5hKvEVZkpm80ja0ojvzMQ/s1600/PythonGraphic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja6kRnjQS76tBMBYH2FVrChcYJhGXeHwHLYFvyDS7pRZTmOKCecUII-E7L21E4TjqTPYkb0tJt6bO7ezrC18dgT4LhGf8NbIOI6YJpQ8KP30W-t-hVoNzhkz5hKvEVZkpm80ja0ojvzMQ/s400/PythonGraphic.jpg" width="400" /></a></div>
<br />
<br />
The script employs a heuristic model created from one or more word dictionaries. Dictionaries and vernaculars can be expanded by training the model. The Heuristic Indexer receives the selected file(s) from EnCase and extracts possible word strings from each file. Heuristics are calculated for each extracted string and compared against the heuristic model. The result is a report that is delivered back to EnCase.<br />
<br />
For Part I of the blog I want to focus on the primary integration between James’ EnScript and the Python Heuristic Indexer.<br />
<br />
The main entry point of the Python script prints some information messages and then parses the command line arguments to obtain the path where the EnScript exported the selected files, listing the individual filenames in that path. Then, for each file found, the IndexAllWords() function is called to perform the string extraction and subsequent heuristic analysis. I have highlighted the key lines of the Python script.<br />
<br />
<h4>
Python Main Entry Point</h4>
<pre>
# Main program for pyIndex
# (Python 2 syntax, as in the original script; the two imports below are
#  the ones this main block needs and were not shown in the original excerpt)
import os
from datetime import datetime

# ParseCommandLine(), classWordHeuristics and IndexAllWords() are defined
# elsewhere in pyIndex and are not reproduced in this post

if __name__ == "__main__":

    # Print Script Basics
    print "\nHeuristic Indexer v 1.1 CEIC 2015"
    print "Python Forensics, Inc. \n"

    print "Script Started", str(datetime.now())
    print

    # Obtain the arguments passed in by the EnScript
    # In Phase I the only argument passed is the
    # path where the EnScript copied the selected files

    targetPath = ParseCommandLine()

    print "Processing EnCase Target Path: ", targetPath
    print

    # Using the targetPath, obtain a list of filenames
    # using the Python os module

    targetList = os.listdir(targetPath)

    # Create an object to process probable words;
    # the matrix.txt file contains the heuristic model

    wordCheck = classWordHeuristics("matrix.txt")

    # Now we can iterate through the list of files,
    # calling the IndexAllWords() function for each
    # file. IndexAllWords() performs the word
    # extraction, heuristic processing and reports
    # results back to EnCase via standard out

    for eachFile in targetList:

        fullPath = os.path.join(targetPath, eachFile)
        print "####################################"
        print "## Processing File: ", eachFile
        print "####################################\n"

        IndexAllWords(fullPath, wordCheck)

    print "Script Ended", str(datetime.now())
    print

# Script End
</pre>
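The bodies of IndexAllWords() and classWordHeuristics are not included in the post, so here is an added, self-contained Python 3 illustration (my own code, not Chet's pyIndex) of the pipeline described above: candidate strings are carved from a binary blob, each is scored against a model built from a word list, stop words are dropped, and the survivors are counted and sorted by frequency or alphabetically. The letter-bigram scoring, the training word list, the stop-word list and the sample blob are all constructed assumptions for this example; the real matrix.txt model format is not shown on the page.

```python
import re
from collections import Counter

# Constructed word list standing in for the dictionary the model is trained from
TRAINING_WORDS = ["invoice", "transfer", "payment", "account", "wire",
                  "bank", "money", "report", "file", "list", "send"]

# Constructed stop-word list (the post names whenever/always/another/elsewhere)
STOP_WORDS = {"whenever", "always", "another", "elsewhere", "the", "and",
              "that", "with", "this", "from"}


def bigrams(word):
    """Letter bigrams of a word with start (^) and end ($) markers."""
    marked = "^" + word.lower() + "$"
    return [marked[i:i + 2] for i in range(len(marked) - 1)]


def build_model(words):
    """Assumed heuristic model: weighted (counted) bigrams seen in the word list.
    This stands in for the matrix.txt model, whose format the post does not show."""
    return Counter(bg for w in words for bg in bigrams(w))


def word_score(word, model):
    """Fraction of the word's bigrams that the model has seen (0.0 .. 1.0)."""
    bgs = bigrams(word)
    hits = sum(1 for bg in bgs if model[bg] > 0)
    return hits / len(bgs)


def extract_sequences(data, min_len=4):
    """Carve candidate text sequences from binary data: runs of ASCII letters
    and runs of UTF-16LE letters, each at least min_len characters long."""
    ascii_runs = re.findall(rb"[A-Za-z]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[A-Za-z]\x00){%d,}" % min_len, data)
    return ([r.decode("ascii") for r in ascii_runs] +
            [r.decode("utf-16-le") for r in utf16_runs])


def index_words(data, model, threshold=0.8, min_len=4):
    """Return (accepted, rejected) Counters keyed by lower-cased word.
    A sequence is accepted when it is not a stop word and its score reaches
    the threshold, so misspellings and filename stems can pass while
    random-looking runs do not."""
    accepted, rejected = Counter(), Counter()
    for seq in extract_sequences(data, min_len):
        word = seq.lower()
        if word in STOP_WORDS or word_score(word, model) < threshold:
            rejected[word] += 1
        else:
            accepted[word] += 1
    return accepted, rejected


def report(counts, by_frequency=True):
    """Sorted (word, count) pairs: most frequent first, or alphabetical."""
    if by_frequency:
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return sorted(counts.items())


# Constructed sample "binary file": text remnants between non-text bytes,
# including a misspelling (invoise), a filename-like stem (bankfile),
# a UTF-16LE string (payment), a stop word (another) and a nonsense run.
SAMPLE_BLOB = (b"\x00\x01\x02invoice\xff\xfeInvoice\x00transfer\x00Xqzvkj"
               b"\x00\x00another\x00bankfile\x00\x00"
               + "payment".encode("utf-16-le") + b"\x00\x00invoise\x10")


if __name__ == "__main__":
    model = build_model(TRAINING_WORDS)
    accepted, rejected = index_words(SAMPLE_BLOB, model)
    print("Probable words by frequency:")
    for word, count in report(accepted):
        print("  %-10s %d" % (word, count))
    print("Filtered out:", sorted(rejected))
```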
<br />
<h4>
Results: So What Do I Get From All of This?</h4>
Here is a screenshot and an abbreviated excerpt from an actual EnCase / Python marriage.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFYBL8BBw5hvBU6Z6QcZc4qVPw-Z704RIRekO8KryyQNdBqoi3MKpQoV-STq9iGdxVqqC-lTGJHG3Z7pPYwuIucU0CeDWCDSbOJMk23cXhCwHJ_Vk6yPjVdElOzhnklhux7GifFQtOhSY/s1600/python+image+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="536" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFYBL8BBw5hvBU6Z6QcZc4qVPw-Z704RIRekO8KryyQNdBqoi3MKpQoV-STq9iGdxVqqC-lTGJHG3Z7pPYwuIucU0CeDWCDSbOJMk23cXhCwHJ_Vk6yPjVdElOzhnklhux7GifFQtOhSY/s640/python+image+2.png" width="640" /></a></div>
<br />
<h4>
Closing Thoughts</h4>
<b>James</b>: This was a new (and exciting) opportunity for me to have a guest author in a joint post. I am so happy to hear that my #en2py techniques have helped others. EnCase is a powerful platform on its own, but enhancing it with the libraries available in other languages and tools just makes everything that much better for examiners. I hope you find this useful and thanks for taking the time to read through this!<br />
<br />
<b>Chet</b>: <i>The catalyst behind Python Forensics, Inc. is to create a collaborative environment for the rapid development of new investigative scripts that can directly benefit investigators. I hope this blog will get you interested in developing and/or using EnScripts and Python in your next endeavor. I would like to thank James for his enthusiasm for the project and I look forward to Part II.</i><br />
<br />
<b>The Final Details</b><br />
<br />
<a href="https://www.guidancesoftware.com/EnScript-and-Python-Exporting-Many-Files-for-Heuristic-Processing.zip">Download the EnScript here</a>.<br />
<a href="http://www.python-forensics.org/" target="_blank">Download Chet's Python script here</a>.<br />
Look for an email invitation and announcements on Twitter about an upcoming webinar we're planning with Chet called, "EnCase and Python: Extending Your Investigative Capabilities."<br />
<br />
<a href="http://www.twitter.com/chethosmer" target="_blank">Chet Hosmer</a><br />
<a href="http://www.twitter.com/pythonforensics" target="_blank">@PythonForensics</a><br />
Founder of python-forensics.org<br />
<br />
James Habben<br />
<a href="http://www.twitter.com/jameshabben" target="_blank">@JamesHabben</a><br />
Master Instructor at Guidance Software<br />
<div>
<br /></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-60754214699461488222015-05-28T16:40:00.001-07:002015-12-18T06:45:33.920-08:00My Thoughts on CEIC 2015
<br />
<h3 class="MsoNormal">
CEIC 2015 is Over </h3>
<div class="MsoNormal">
This year’s CEIC is over. After a long and relaxing holiday
weekend, it feels almost like it was months ago. I really enjoy being involved
with CEIC every year because it gives me a chance to catch up with old friends
and meet new ones. The real reason (at least the one we tell our bosses) we all
go to CEIC is for the great sessions. There were so many of them this year that
I wish I could have cloned myself to see them all. To make it a bit more
difficult, CEIC is not just a training conference for me since I am part of the
team putting it on. I wanted to put down some of my experiences from this year.
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The most rewarding thing to me during the entire conference
is to hear from past students about their success in completing the EnCE
certification. The only way to achieve that cert is by dedication and
perseverance. I get thanks from them for teaching classes they attended, but I
didn’t take the test. Their excitement and enthusiasm is infectious and I love
it! Congratulations to everyone who passed the 1<sup>st</sup> phase during
CEIC, and good luck on the 2<sup>nd</sup>.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
If you didn’t get to attend CEIC this year, you missed a
good one. Try again for next year, and I think you will be well rewarded.</div>
<h3 class="MsoNormal">
Some Sessions</h3>
<div class="MsoNormal">
Because I am part of the setup and operations of CEIC, I am
not usually able to attend full sessions, but there are a few that I really
enjoyed and wanted to give a mention to.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Monday started off great hearing about new features in IEF
from <a href="https://twitter.com/reccetech" rel="nofollow" target="_blank">Jamie McQuaid</a> and Rob Maddox
of Magnet Forensics in <b>Investigating a User’s Internet Activity across
Computers, Smartphones and Tablets</b>. This team knows how to stay on top of
industry trends and to enhance their tools with a quick response. It is great
to know that Guidance has a partner dedicated to examiners like we are.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
A must-see for me is <b>Tracking the Use of USB Storage on
Windows 8 </b><span style="mso-bidi-font-weight: bold;">by <a href="https://twitter.com/ColinCree" rel="nofollow" target="_blank">Colin Cree</a>. He has been researching
USB artifacts on Windows for many years, and somehow seems to find new
intricacies every year. No disappointment this year!</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">It’s a safe bet on
the SANS crew. I enjoyed <b>APT Attacks Exposed: Network, Host, Memory and
Malware Analysis</b> since you can never learn too much about how others
operate and think. It helps us all grow, and I am glad that <a href="https://twitter.com/robtlee" rel="nofollow" target="_blank">Rob Lee</a>, <a href="https://twitter.com/asoni" rel="nofollow" target="_blank">Anuj Soni</a>, <a href="https://twitter.com/chadtilbury" rel="nofollow" target="_blank">Chad Tilbury</a>, and <a href="https://twitter.com/MalwareJake" rel="nofollow" target="_blank">Jake Williams</a> are sharing their
experiences.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">I am a firm believer
in everyone learning to code as a skill. <a href="https://twitter.com/maridegrazia" rel="nofollow" target="_blank">Mari DeGrazia</a> and <a href="https://twitter.com/rdormi" rel="nofollow" target="_blank">Ron Dormido</a> laid out a great foundation
in <b>Practical Python Forensics</b> for those wanting to learn Python as their
language. Extra points since they showed how to integrate EnCase and Python!</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">Memory forensics has
become a huge source of information in all types of investigations, and <a href="https://twitter.com/gleeda" rel="nofollow" target="_blank">Jamie Levy</a> knows this better than most.
As a part of the Volatility team, she is an immense resource and shared it in <b>Rootkits,
Exfil and APT: RAM Conquers All</b> to help us all. I learned a lot about using
Volatility from this session. I also learned about her Twitter handle outside
of the session, but I'll leave it to her to spread that.</span></div>
<h3 class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">My Sessions</span></h3>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">I had a lot of fun
this year talking in my sessions. I talked about how you can expand EnScript
with .NET and Python code. It was exciting to me since everyone seemed to also
be excited about the possibilities. I also got a chance to speak with <a href="https://twitter.com/cybr4n6" rel="nofollow" target="_blank">Matt McFadden</a>
about EnCase Portable and the huge potential it has for examiners. I got to share
how I used Portable on a case to handle a location with 4 examiners and 60+
computers, and we were done before dinner! I talked to many after the session
who were excited about using it at home.</span></div>
<h3 class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">Deserved Recognition</span></h3>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">Lastly, I wanted to
give some recognition for a couple people from the Guidance Software team that
really make CEIC the conference that it is. The entire Guidance team works really
hard for this event, but these two really make it shine.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">There is a technical
team that I am part of every year, and it is managed by <a href="https://twitter.com/jameytubbs" rel="nofollow" target="_blank">Jamey Tubbs</a> from the training
division. He puts in a ton of hours, before many of you even register for CEIC,
in working with the event team, hotel technical staff, and our computer rental
vendor. Our conference is unique from many others because of the large scale
labs with supplied computers, and it would not be the same without him.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">Until you read from me again!</span></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;">James Habben</span></div>
<div class="MsoNormal">
<span style="mso-bidi-font-weight: bold;"><a href="https://twitter.com/jameshabben" rel="nofollow" target="_blank">@JamesHabben</a> </span></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-26888196615209666902015-05-12T13:05:00.000-07:002015-05-12T13:05:37.141-07:00Digital Forensic Notables and Top-flight Instructors On Tap at CEIC 2015 (This is Part 3 of a 3-part series on the all-new and enhanced digital forensics labs and lectures at CEIC 2015.)<br />
<br />
The <a href="http://encase-forensic-blog.guidancesoftware.com/2015/04/ceic-sessions-on-digital-forensics.html" target="_blank">first post </a>in this series talked about how we're expanding on the core competency of the EnCase community who converge on CEIC each year. The <a href="http://encase-forensic-blog.guidancesoftware.com/2015/04/the-good-bad-and-diverse-gain-more.html" target="_blank">second post</a> drilled down into the plethora and diversity of digital artifacts and showcased sessions designed to address these exploding challenges. In this final post, we present the marquee of acclaimed industry experts who will be on hand to teach new technologies and tools and share hard-earned insight from decades of experience in digital investigations.<br />
<h4>
Diverse Expertise Brings Extra Value to CEIC 2015</h4>
A key benefit of CEIC is the diversity in topics that cover a wide range of technologies and tools that are critical to investigations. The tracks on digital forensics do not espouse a particular agenda, but acknowledge that all technologies and investigative techniques must ultimately be woven together.<br />
<br />
Our speaker portfolio is also diverse and plays out as the “who’s who” in the digital forensics industry. Here’s a snippet of the best and brightest who have been secured as presenters, trainers, and panelists at CEIC 2015:<br />
<br />
<b><a href="http://www.twitter.com/suzannewidup" target="_blank">Suzanne Widup</a></b>, president and founder of the <a href="http://www.digitalforensicsassociation.org/" target="_blank">Digital Forensics Association</a> and a senior analyst on the <a href="http://www.verizonenterprise.com/products/security/incident-management-ediscovery/risk-labs.xml" target="_blank">Verizon RISK Team</a>, is also the author of <a href="http://www.encasebook.com/" target="_blank">Computer Forensics and Digital Investigation with EnCase Forensic v7</a>. She will lead an interactive panel with fellow forensic practitioners who will share potential pitfalls and strategies for success.<br />
<br />
<b>Shawn McCreight</b>, founder, Chairman, and Chief Technical Officer of Guidance Software, will give a preview of the new and advanced features that are part of the future of EnCase. Be sure to mark these sessions on your calendar:<br />
<ul class="list">
<li>The Future of EnCase: Tuesday, May 19, 11:00 a.m.</li>
<li>Searching in EnCase 8 with EQL: Wednesday, May 20, 11:00 a.m.</li>
</ul>
<div class="MsoNormal">
<b>Amber Schroader</b>, CTO of Paraben Corporation, is back by popular demand to share what you need to survive the apocalypse of BYOD and personal mobility devices. You can also learn more from Amber at the recent Guidance Software webinar, Six Keys to Conducting Effective Mobile Forensic Investigations.<br />
<br />
<b>Jad Saliba</b>, Founder and CTO of <a href="http://www.magnetforensics.com/" target="_blank">Magnet Forensics</a>, will be featured in two sessions this year on overcoming anti-forensics efforts and more about Dropbox encryption and tactics for decrypting Dropbox databases.<br />
<br />
<b>Sarah Edwards</b> from <a href="https://www.sans.org/" target="_blank">SANS Institute</a> is on board to help you interpret iCloud artifacts.<br />
<br />
<b>David Cowen</b> and <b>Matthew Seyer</b> from <a href="http://www.g-cpartners.com/default.aspx" target="_blank">G-C Partners</a> will share what you need to know on sophisticated file system journaling.<br />
<br />
<b>Ben Le Mere</b> of <a href="http://www.berla.co/" target="_blank">Berla Corporation</a> will help you analyze data from different infotainment and telematics systems.<br />
<br />
<b>Dmitry Sumin</b> of <a href="http://www.passware.com/" target="_blank">Passware</a> will help you accelerate password cracking.<br />
<br />
We don’t have enough room in this post to share every notable speaker with you, but hope you’ll click over to the <a href="http://www.ceicconference.com/" target="_blank">CEIC 2015 agenda</a> to peruse the list yourself. After viewing the bios of the 54 speakers who make up the four tracks for digital forensics, you’ll have 54 solid reasons why you need to be at CEIC. We hope to see you there!</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6012180255551454314.post-4062957341828881442015-05-07T13:11:00.000-07:002015-08-26T11:14:24.867-07:00Learn to Expand on the Value of EnCase at CEIC 2015 with EnScripts and Third-Party Apps<author>Robert Batzloff</author><br />
<br />
<div class="MsoNormal">
This year at CEIC®, we’re committing more training and trainer resources than ever before to help you boost the benefits of EnCase® in your company’s deployment.<br />
<br />
Our goal is to show you the brawn behind power EnCase users and apps, and by learning more about the EnScript® language, help you get to that same level.<br />
<br />
With an expanded conference track called EnCase Apps and Integrations, we’ve added 12 sessions that will showcase some of the most dynamic apps developed by EnCase forensic investigators that are easy for you to integrate. We’re also boosting the App World booth hosted by EnScript gurus from Guidance Software and developers from the EnCase community, so you’ve got more experts close at hand during all hours of the conference day.<br />
<br />
<br />
<h4>
Learn to Unleash the Power of EnScript--and Write Your Own</h4>
The new EnCase Apps and Integrations track this year will help you build and then flex your own EnScript muscles so you can easily use the unique language for automating, customizing, and expanding the value of EnCase. <br />
<br />
<b>For the advanced developer:</b> We’ve designated James Habben, a popular Guidance Software instructor and experienced EnScript programmer, to share techniques for using EnScript to perform advanced customizations, such as modifying the EnCase UI to automate common tasks and integrating EnScript with existing .NET applications.<br />
<br />
<b>For the beginning developer: </b>Lance Mueller, a widely recognized senior forensic analyst with IBM’s Emergency Response Services, will join us to teach the basic skills of writing and using EnScripts. And we're offering other labs that will walk you through basic tasks like using EnCase App Central, running an EnScript, installing an EnScript plug-in, and more.<br />
<br />
<h4>
Learn New Efficiencies from Specialty App Developers</h4>
We’re excited to feature Jessica Bair, who worked with Guidance Software for 13 years and is now with Advanced Threat Solutions at <b>Cisco Security</b>, in a lab on “AMP ThreatGRID for Law Enforcement.” You'll learn about and then get your hands on Cisco’s new program for dynamic malware analysis and threat intelligence.<br />
<br />
You can also sit down with the technical team from <b>Magnet Forensics</b> in a hands-on lab using Internet Evidence Finder (IEF) to recover and analyze a wide variety of Internet-related artifacts.<br />
<br />
Don’t miss the opportunity in the EnCase Apps and Integration track to hear from <b>Belkasoft's </b>Yuri Gubanov, a renowned computer forensics expert and frequent speaker at industry events around the world. He’ll help you extend EnCase functionality with third-party tools and show you how to jump-start an investigation and receive a result in a matter of minutes, not hours, with the help of Belkasoft Evidence Center.<br />
<br />
Because of the rapidly growing interest in the high-level programming language Python, we are offering two sessions to address what you need to know: Chet Hosmer with <b>WetStone Technologies </b>will demonstrate how to apply natural language understanding and heuristic reasoning using Python. Mari DeGrazia with <b>Verizon RISK Team</b> will help you step up your game with practical applications for Python to automate repetitive DFIR tasks and quickly parse digital forensics artifacts.<br />
<br />
And finally, to save you time in learning to use the most popular apps, we’ve got three sessions titled “EnCase App Central Showcase” that will highlight a variety of apps related specifically to malware investigations, forensics, and general utilities. <a href="https://www.guidancesoftware.com/ceic/Pages/ceic-agenda-table.aspx" target="_blank">Click here to see the full agenda</a> with speaker bios for the EnCase Apps and Integrations track.<br />
<br />
<h4>
App World Provides Interaction with EnScript Developers and EnCase Trainers</h4>
So much of CEIC booth traffic hovers around the EnCase App Central booth every year, so this year we’re making it more accessible. It will be located in the expo hall next to the Guidance Software main booth and will feature three stations each hosted by a rotating group of training staff, product managers, and third-party developers and EnScript professionals. It will also include several demonstrations and tutorials, including how to use the EnScript language, download EnScripts from EnCase App Central, or expand the power of your own EnCase deployment.<br />
<br />
<h4>
Isn’t it Time You Became an EnScript Developer, Too?</h4>
And finally, we want you to know that the App World team has the time to meet with you at CEIC, as well as the resources and reasons to help you take that step to become an EnScript developer yourself. We’d like to encourage you to join the EnCase forensic investigators from around the world who are part of a thriving community that creates case-cracking EnScripts and specialty apps.<br />
<br />
To meet with us at CEIC and discuss our program for developers, <a href="mailto:Robert.batzloff@guidance.com" target="_blank">email me</a>, or <a href="https://www.guidancesoftware.com/appcentral/Pages/EnCaseDeveloperApp.aspx" target="_blank">click here to apply</a> for the program today.<br />
<br />
Here’s a sampling of the benefits you’ll receive when you become part of our EnCase Developer Network:<br />
<ul class="list">
<li>EnCase developer license (dongle)</li>
<li>Exclusive access to the v7 SDK</li>
<li>Up-to-date information on programming EnCase EnScripts</li>
<li>Pre-release builds of EnCase</li>
<li>Code samples</li>
<li>Sample evidence files for testing</li>
<li>Access to Guidance technical support</li>
<li>QC of your work by Guidance professionals</li>
<li>Exclusive rights to publish your EnScripts on EnCase App Central</li>
<li>Worldwide visibility for your EnScript</li>
<li>Management of the purchase of your work by Guidance</li>
<li>Valuable customer feedback on your EnScript</li>
<li>Choice to offer your EnScripts for free or for a fee</li>
</ul>
<div class="MsoNormal">
Be sure to visit the <a href="http://www.ceicconference.com/" target="_blank">CEIC website</a> for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and to register now.
</div>
<div>
<i>Robert Batzloff is the Associate Product Manager for EnCase App Central at Guidance Software.</i></div>
</div>
<h3>The Good, the Bad, and the Diverse: Gain More Visibility into the Growing Diversity of Devices, OS’s and Artifacts</h3>
<i>Posted 2015-04-29</i><br />
<i>(This is Part 2 of a 3-part series on the all-new and enhanced digital forensics labs and lectures at CEIC® 2015. <a href="http://encase-forensic-blog.guidancesoftware.com/2015/04/ceic-sessions-on-digital-forensics.html" target="_blank">Read Part 1 here</a>.)</i><br />
<br />
One of the biggest challenges for investigators today is not only the number of devices or the amount of data (the average hard drive has just crossed the 1TB threshold), but the number and diversity of applications and artifacts that are on a system.<br />
<br />
Frankly, we feel your pain. We know there’s no single tool that investigators can rely on to support all applications, browsers, and file systems. We get it when practitioners tell us they require a larger toolbox and deeper skill set to support the overwhelming challenges in digital investigations.<br />
<br />
Guidance Software uses CEIC to bring together all of the speakers with their tools and apps that integrate with EnCase and provide you with better visibility into systems, applications and artifacts.<br />
<br />
There are four tracks that focus on digital investigations:<br />
<ul class="list">
<li>Digital Forensics Labs</li>
<li>Advanced Digital Forensics Labs</li>
<li>Topics in Digital Forensics</li>
<li>Mobile Devices and Cloud Investigations</li>
</ul>
<div class="MsoNormal">
We want to remind you that the hands-on labs fill up fast, as 70 percent of attendees say that labs are the number one reason they attend CEIC. So, <a href="https://www.cvent.com/events/ceic-2015/registration-afef0e26f2aa4c6387b05ed1fc8867fa.aspx" target="_blank">click here to register</a> now.<br />
<br />
You can <a href="https://www.guidancesoftware.com/ceic/Pages/ceic-agenda-table.aspx" target="_blank">view the agenda</a> here to read session descriptions and speaker bios on the 44 lab, lecture, and panel sessions that focus on digital forensics. You can also get a sneak preview of a few of the hands-on lab topics that are sure to warrant a packed room, such as the ones we've highlighted below.<br />
</div>
<br />
<h4>
Digital Forensics Session Highlight: File System Journaling Forensics</h4>
David Cowen and Matthew Seyer of G-C Partners, LLC, will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. You will learn:<br />
<ul class="list">
<li>What data is stored by your file systems?</li>
<li>How to gather the data using EnCase.</li>
<li>How to use a free parser to understand the data.</li>
</ul>
<div class="MsoNormal">
<h4>
Digital Forensics Session Highlight: Vehicle Systems Forensics</h4>
Ben LeMere, CEO of Berla Corporation, is back by popular demand this year. We know students of vehicle forensics will be glad to hear that you'll be able to get your hands on the data stored in several different infotainment and telematics systems in his practical, hands-on lab session. Vehicle Infotainment and Telematics systems store a vast amount of data such as recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been. This information is not easily retrievable and is typically stored in several different systems within a vehicle not traditionally associated with event data. This is cutting-edge technology that is quickly becoming more pervasive in the field of investigations.<br />
<br />
<h4>
Digital Forensics Session Highlight: Windows ShellBag Forensics in Depth</h4>
Vincent Lo, Digital Forensics and Incident Response Investigator, knows that interpreting ShellBag behavior is a challenging task for “forensicators.” The problem of identifying when and which folders a user accessed arises often, and investigators search the ShellBag information because it may contain registry keys indicating which folders the user previously accessed. Their timestamps may show when those folders were accessed. Nevertheless, many different activities can create or update those timestamps. That’s why you won’t want to miss this hands-on lab, where you’ll learn the details of ShellBag information, review various activities across Windows operating systems, and learn how to interpret it correctly.<br />
<br />
If it wasn’t obvious before this blog, now it should be loud and clear: this year’s sessions on digital forensics pull no punches when it comes to providing more visibility to the good, the bad, and the sometimes very ugly and diverse applications and artifacts you face every day.<br />
<br />
Stay tuned for Part 3 of this blog topic on digital forensics, where we’ll shed light on the caliber of speakers we’re bringing in to teach these sessions mentioned here. We're confident that these are experts whom you know and trust.<br />
<br />
In the meantime, be sure to visit the <a href="http://www.ceicconference.com/" target="_blank">CEIC website</a> for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and to register now. Also, be sure to follow us on <a href="https://www.facebook.com/guidancesoftware" target="_blank">Facebook</a>, <a href="http://www.twitter.com/encase" target="_blank">Twitter</a>, and <a href="https://www.linkedin.com/company/guidance-software" target="_blank">LinkedIn </a>for the latest CEIC buzz and conversation.</div>
<h3>Ask the Expert: Yuri Gubanov, CEO of Belkasoft</h3>
<i>Posted 2015-04-21</i><br />
In our recent webinar with Yuri and Oleg from Belkasoft, we had quite a few interesting questions and even more interesting answers. They presented three case studies that leveraged EnCase Forensic and Belkasoft digital forensics tools to uncover critical evidence. You can <a href="http://goo.gl/ZqpXGv" target="_blank">watch the on-demand webinar here</a>.<br />
<br />
<b>Q: Guys, you mentioned analysis of a live RAM dump created by a Belkasoft tool. We use the winen.exe tool by Guidance Software. Will you work with dumps created by this tool?</b><br />
<br />
A: Sure! As a Guidance Software partner, we support all images created by their tools, particularly physical images such as E01 and Ex01, logical images such as L01 and Lx01, and of course, memory dumps.<br />
<br />
<b>Q: In one of your stories, your tool found some Skype data inside something you call “SQLite freelist.” When SQLite deletes data, does it always go to a freelist?</b><br />
<br />
A: It's only true for databases configured without the option called “AutoVacuum.” If this option is present, no freelist is used, unfortunately. However, quite a few forensically important applications store their data inside SQLite databases configured without this option, in particular Skype, WhatsApp, Chrome, Firefox, and many more.<br />
<br />
<b>Q: Are there any chances to find SQLite data if it is not present in regular SQLite areas (I mean tables) and freelist?</b><br />
<br />
A: SQLite forensic analysis is a tricky thing because SQLite itself is tricky. Besides regular tables and the freelist area, which we already explained, it has some more peculiarities. For example, older versions of SQLite had a so-called “journal” file, which was used to coordinate database transactions. Newer versions of SQLite have so-called Write Ahead Log files, or WAL files, which contain uncommitted transaction data. Both journal and WAL files sit in the same folder as the main database and may contain up to 20-30% of the data inside the main database file.<br />
<br />
For example, my Skype database is around 100 megabytes (yes, I've used Skype for a long time and never delete my history). In my setup, the journal file for my Skype account is 20 megabytes, which is 20%. So if you don’t investigate these files, you are going to lose 20% of the information, which you absolutely cannot afford in the course of a criminal investigation. That’s why you need a tool like Evidence Center to automate such routine things. At the moment, there are not many forensic tools capable of doing automatic processing of freelist, journal and WAL files, so this is one reason to have Evidence Center to complement your EnCase installation.<br />
<br />
I should also mention that a SQLite database can have so-called unallocated space. It resembles a regular hard drive, which can also have unallocated space. This space does not belong to any table and is not a freelist. Inside this space you may find some remnants of deleted data, not necessarily completely valid, because it may have already been overwritten or corrupted. However, in our experience, we were able to find meaningful conversations there. Technically, you can carve unallocated space inside a SQLite database and find data, as we discussed with Skype chats or WhatsApp messages. This is what Evidence Center can do automatically for you. This info, if found, is then merged with existing data (I mean, non-deleted data from regular tables) and can be imported back to EnCase Forensic.<br />
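As an added example for the two SQLite answers above (it is not Belkasoft's or Guidance Software's code), the script below builds constructed chat-style databases with and without auto_vacuum, deletes most rows, and then reads the freelist straight out of the file header to show how much of the deleted text a raw scan can still recover; SQLite's own secure_delete pragma, which the answers do not mention, is included as the setting that zeroes freed cells and pages.

```python
"""Deleted SQLite rows, the freelist, and what a raw-file scan still sees.

Added example, not part of the original post. All data is constructed here.
Header offsets follow the published SQLite database file format.
"""
import os
import sqlite3
import struct
import tempfile

PAGE_SIZE = 4096
MARKER = "CONSTRUCTED-DELETED-CHAT-"  # body prefix of every constructed row
ROWS = 400
KEEP_FROM = 380                        # rows with id >= KEEP_FROM stay live


def build_db(path, auto_vacuum, secure_delete=False):
    """Create chat rows, then delete most of them so whole pages are freed."""
    conn = sqlite3.connect(path)
    conn.isolation_level = None        # run PRAGMAs outside a transaction
    conn.execute("PRAGMA page_size = %d" % PAGE_SIZE)
    # auto_vacuum must be chosen before the first table exists
    conn.execute("PRAGMA auto_vacuum = %s" % ("FULL" if auto_vacuum else "NONE"))
    # secure_delete=ON makes SQLite overwrite freed cells and pages with zeros
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("PRAGMA journal_mode = DELETE")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("BEGIN")
    for i in range(ROWS):
        # ~500 bytes per row: about 7 rows per page, so ~57 leaf pages in all
        body = "%s%04d %s" % (MARKER, i, "x" * 480)
        conn.execute("INSERT INTO messages VALUES (?, ?)", (i, body))
    conn.execute("COMMIT")
    conn.execute("DELETE FROM messages WHERE id < ?", (KEEP_FROM,))
    conn.close()


def parse_header(data):
    """Header fields used here: page size, freelist trunk/count, auto_vacuum."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                 # the format's encoding for 65536
        page_size = 65536
    first_trunk, free_count = struct.unpack(">II", data[32:40])
    largest_root = struct.unpack(">I", data[52:56])[0]  # non-zero => auto_vacuum
    return page_size, first_trunk, free_count, largest_root != 0


def freelist_pages(data):
    """Walk the freelist trunk chain; return every trunk and leaf page number."""
    page_size, trunk, _, _ = parse_header(data)
    pages = []
    while trunk:
        off = (trunk - 1) * page_size
        next_trunk, n_leaf = struct.unpack(">II", data[off:off + 8])
        pages.append(trunk)
        pages.extend(struct.unpack(">%dI" % n_leaf,
                                   data[off + 8:off + 8 + 4 * n_leaf]))
        trunk = next_trunk
    return pages


def recoverable_deleted_ids(data):
    """Ids of deleted rows whose text still sits somewhere in the file bytes."""
    marker = MARKER.encode()
    ids = set()
    pos = data.find(marker)
    while pos != -1:
        digits = data[pos + len(marker):pos + len(marker) + 4]
        if digits.isdigit() and int(digits) < KEEP_FROM:
            ids.add(int(digits))
        pos = data.find(marker, pos + 1)
    return ids


def analyze(auto_vacuum, secure_delete=False):
    """Build one database and report what a raw-file scan can still see."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        build_db(path, auto_vacuum, secure_delete)
        with open(path, "rb") as fh:
            data = fh.read()
    _, _, free_count, is_auto_vacuum = parse_header(data)
    return {
        "auto_vacuum": is_auto_vacuum,
        "free_count": free_count,                      # header offset 36
        "freelist_len": len(freelist_pages(data)),     # pages actually chained
        "file_pages": len(data) // PAGE_SIZE,
        "deleted_recoverable": len(recoverable_deleted_ids(data)),
    }


if __name__ == "__main__":
    for label, kwargs in (("auto_vacuum=NONE", {"auto_vacuum": False}),
                          ("auto_vacuum=FULL", {"auto_vacuum": True}),
                          ("NONE + secure_delete", {"auto_vacuum": False,
                                                    "secure_delete": True})):
        print(label, analyze(**kwargs))
```

Without auto_vacuum the freed pages stay in the file and nearly all 380 deleted bodies are still readable; with auto_vacuum the freelist is empty and the file shrinks, and only the cells left on a partially emptied page remain, which is the in-page "unallocated space" the second answer describes.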
<br />
<b>Q: What can a criminal do to hide data stored once inside an SQLite database and what can Belkasoft together with EnCase do against such attempts?</b><br />
<br />
A: Well, to hide SQLite data they can do pretty much the same as with other files. They can move a file, delete it, or rename it, or delete data by using the regular means of the application which uses a particular SQLite database. We have already discussed what happens when data is deleted from an app itself: it goes to a freelist and can be partially recovered. When a file is renamed or deleted, Evidence Center can carve such a file. There are also some chances to find remnants of data inside special system areas such as the hibernation file or pagefile, shadow volume copies, a live RAM dump, if any, and so on. Evidence Center supports all these scenarios.<br />
<br />
<b>Q: In the drug story, you were looking for Facebook chats. Will you download Facebook chats from online? Do you need a password for that?</b><br />
<br />
A: No, the tool never goes online. Instead, the investigator was trying to locate chats inside a RAM dump he had. When someone chats via Facebook or any other app, this data is kept inside RAM, where it can be then found. To find such data we use a signature approach. We know signatures for data layout in RAM for hundreds of types of applications and do data extraction for you out of the box. Therefore, no internet is required and no Facebook password is required. Note, however, that you can hardly hope to extract all chats, just a small fraction of an entire history.<br />
<br />
<b>Q: If only remnants of Facebook chats could be found on a switched off machine, how long is the history you are able to recover? Can a whole history be recovered, theoretically and practically?</b><br />
<br />
A: Theoretically, if the history is small, it is possible to recover the entire history. Practically speaking, you can generally only recover some very recent chats. This is because portions of RAM are overwritten every fraction of a second and older messages are gone quickly. If not gone, they can be corrupted. That’s life, but this is better than having nothing. Facebook and other browser applications do not store anything on a hard drive (if we are not talking about the mobile Facebook app), so the only chance to find anything is to search inside RAM.<br />
<br />
<b>Q: How quick is the data processing?</b><br />
<br />
A: It depends on the size of your EnCase image file and your hardware. In our lab, a 500 GB hard drive with all the types of analysis we have selected takes about 8 hours to complete. A 2 TB drive with around half a million photos takes about 18 hours, but this is because of the huge amount of picture processing. We recommend you have at least 16 GB of memory for a comfortable processing time, but this is not a hard requirement. During conferences (by the way, we will be at Guidance Software’s CEIC conference as a sponsor and presenter this year), well, during conferences we use a laptop with just 4 GB of memory and the product works perfectly fast.<br />
<br />
<b>Q: You say you can recover deleted SQLite data. What about other types of deleted data? Can you restore them?</b><br />
<br />
A: Almost all types of data that we can analyze when non-deleted, we can also carve. To name a few: documents, emails, pictures, system files such as registries, event logs, thumbnails, jumplists, chats and browser histories, SQLite databases, and many more types of data.<br />
<br />
<b>Q: You say you work with multiple platforms and multiple devices. Which platforms/devices do you support?</b><br />
<br />
A: We work on Windows only, but support a wide variety of Windows versions from Windows XP to the newest and fanciest Windows 10. However, we can also analyze all major operating systems such as Mac OS X, iOS, Linux/Unix, Android, Windows Phone, and BlackBerry. Concerning devices, we support both computers and laptops as well as all modern smartphone platforms. By the way, we can also work on special “forensic” portable builds of Windows.<br />
<br />
<b>Q: In the story with the lost girl, the investigator was lucky to find the girl’s laptop in a sleep mode without a password, so there were no problems capturing a RAM dump. However, if a computer is switched off, how do you do live RAM analysis?</b><br />
<br />
A: Windows and other systems usually use two types of files that we can roughly call “RAM dumps made by the operating system itself.” These are the pagefile (where your virtual memory is kept) and the hibernation file (used to quickly turn the computer on after hibernation). Both files contain memory artifacts because they are indeed memory. Unlike RAM, they survive a reboot, so you can investigate them. Interestingly, inside them you can find quite old data. For example, we've seen a few cases with Facebook chats as old as a few months inside a pagefile.<br />
<br />
<b>Have other questions? Tips or ideas? </b>Talk to us in the comments section below.
<h3>CEIC Sessions on Digital Forensics Deliver on the EnCase Community's Core Competency</h3>
<i>Posted 2015-04-17</i><br />
<i>(This is part 1 of a three-part series on the all-new, enhanced digital forensics labs and lectures at CEIC 2015.)</i>
<br />
<br />
Our conversations at CEIC usually dwell on how best to uncover data that will provide evidence to prove a wrongdoing. Today that data and those artifacts are found amongst hundreds of thousands of files on a target system. Only through tens of thousands of investigations by the EnCase community over 18 years and through the application of your hard-won expertise are we able to design a curriculum that serves your most vital needs.<br />
<br />
<h4>
The DNA of CEIC: 18 Years of Digital Forensics Leadership at One Event</h4>
Best-in-class digital forensics technology and best-in-class investigators come together at CEIC. Together, we've built a proud heritage, and we're pleased that thousands of you will travel from many parts of the world to attend CEIC 2015 with us.<br />
<div class="MsoNormal">
When we planned this year's CEIC, we wanted to continue to expand on the best part of our legacy together. To take an example from other industries, cattle breeders use DNA forensic investigations to prove which stock will yield the highest quality steak. Winemakers employ DNA fingerprinting to authenticate the heritage of high-quality grapes and demarcate them from lesser varietals.<br />
<br />
We set out to do just the same: identify the genetics of our EnCase technology and you, our community, and to use that core competency to differentiate this year's CEIC as the most valuable educational event produced to date.<br />
<br />
Our mission this year was to renew our focus on powerful digital forensics techniques--our DNA. To continue the heritage that we share with you, our community, we've enriched and expanded our agenda to provide the highest possible quality of education for forensic professionals.</div>
<br />
<h4>
Focus on the Diversity of Data that Drives Your Investigations</h4>
What’s on the top of your “need to know” list this year? It might be one of our 18 interactive and practical lab workshops, including:<br />
<ul class="list">
<li>The Ubiquity of iCloud Artifacts</li>
<li>Sophisticated File System Journaling Forensics</li>
<li>Vehicle Forensics</li>
<li>P2P Investigations</li>
</ul>
<div class="MsoNormal">
Or it might be one of the 26 lectures in digital forensics, including mobile and cloud investigations:
<br />
<ul class="list">
<li>Cloud Forensics: Bringing Evidence Back to Earth</li>
<li>Investigating Exchange, Microsoft Cloud Services, and Office 365</li>
<li>Mobile Forensics: Challenges in Obtaining, Analyzing, and Applying Evidence</li>
<li>Forensic Analysis Mistakes and How to Avoid Them</li>
</ul>
<div>
We'll take a deeper dive in Parts 2 and 3 of this blog post series, sharing more details about all these topics being presented by the best and brightest in our industry.</div>
<div>
<br /></div>
<div>
In the meantime, visit our <a href="http://www.ceicconference.com/" target="_blank">CEIC event website t</a>o see the agenda in detail, register, and more. </div>
</div>
<h3>Ask the Expert: Amber Schroader of Paraben Corporation</h3>
<i>Posted 2015-04-10</i><br />
Recently, Amber Schroader, the CTO of Paraben Corporation, joined us for a well-attended webinar, <a href="https://www.guidancesoftware.com/resources/Pages/webinars/6-Keys-to-Conducting-Effective-Mobile-Forensic-Investigations.aspx" target="_blank">Six Keys to Conducting Effective Mobile Forensic Investigations</a>. A number of our attendees had questions that we wanted to capture here along with Amber's answers.<br />
<br />
<h3>
What do you recommend when dealing with the drivers on pay-as-you-go devices?</h3>
When doing smart devices with pay-as-you-go providers, you typically do have to work with different drivers that come from that provider. For example, a TracFone pay-as-you-go Android will have different drivers than the standard Android device that was released to Verizon. I work a lot in virtual machines, which is nice because I can roll back drivers through the VM. However, when I work on standalone systems for my examinations, I have a separate system that I don’t work with a full driver pack on and I only install drivers as needed, which is where I do my pay-as-you-go devices. I will blow a fresh image to this machine after each device to ensure all conflicts are removed. Those conflicts in drivers are what will stop most of the pay-as-you-go devices from processing.<br />
<br />
<h3>
What do you do with feature phones like Nokia, Samsung, LG, and Motorola?</h3>
I follow the same process with all the devices--smartphones or feature phones--which means physical, logical, and then accessories in processing. I'm still receiving a good percentage of feature phones with the cases that I work, as they are trending up in popularity.<br />
<h3>
What kind of information can you get from cell tower records?</h3>
Typically you can get the longitude and latitude of the call details from the device, as well as date and time stamps. It's a great way to get reference points to where calls would have been geographically made. I'll take this data as well as data from a device if the location services were turned on, which will allow you to pinpoint geographic location for the calls, etc.<br />
<br />
<h3>
What is the value of IP Box? Does it work?</h3>
An IP Box is a brute-force attack for iOS devices, and there are devices, as well, that work with Android. We have tested a few of the options out there and have had mixed results; 3 out of the 5 devices we tested were bricked upon using the IP Box, which was a really high risk, as if the device had been evidence, it would have been destroyed. The other problem is that the flaw the IP Box typically exploits in iOS versions was patched, so it will not work with updated devices. The problem with encryption will plague us forever, as it always has. I guess the examiner needs to keep that in mind before they get caught up in a trend that might be able to help with one case but not be able to help them long term. I think the IP Box approach as it stands is a short-term patch, not a long-term solution. The FoneFunShop in the UK will preview and make available a lot of these types of tools, and examiners can look there for details.<br />
<br />
<h3>
What is the process you recommend for working with a device, what steps for logical to physical, etc.?</h3>
With most of my examinations, I typically try to work with the device physically, then logically. The reason I do this process is because if the device is encrypted, a lot of times you can get around the encryption with the physical methods and even in some cases do a simple text search for “password” and then find the password for the device that is needed for the logical image. After I have both of those images, I then will process the media card and SIM card separately so I can review that data as well. If I have CDR records, I will add that into the processing, too.<br />
<br />
<h3>
Many investigators uncover data that is encoded, but confuse it as encrypted. Can you discuss the difference?</h3>
Encoded data is data that needs an interpreter for us to understand what it is saying, while encrypted data is data that has been converted to cipher text. Think of it like a puzzle: with encoded data we have the box, and we can reference the box to make sense of the pieces. With cipher text we have a variety of puzzle pieces from a variety of puzzles mixed together, and we have no box for reference.<br />
<h3>
Which devices do you see are emerging as the most difficult to deal with for digital forensics?</h3>
Smartphones are still the hardest, with the encryption changes and the cloud storage capabilities. The other area that is always difficult with them, and where we are seeing such a strong push, is the burn phone or pay-as-you-go market with smartphones; they are all flashed differently than what we see from the standard telecom versions.<br />
<h3>
You talked about manufacturers like Apple and their position on encryption and law enforcement – how do you see these affecting investigations?</h3>
I think as the manufacturers pull more to privacy instead of investigations, it's going to get harder and harder for us to gain access to the device. We will start doing a lot more monitoring and even live capture in investigations or have to work more and more with backup records and gain access to records in the cloud.<br />
<h3>
Is there any rooting kit that is recommended over another? I'm thinking in terms of forensic soundness and reliability.</h3>
Each rooting option is typically custom based on your tool selection for acquisition. With all acquisition tool methods, you should validate and check how they are processing the device.<br />
<h3>
Does a device in DFU mode still require a user pin/password for acquisition?</h3>
No, it's no longer needed. However, please note the restrictions on what devices support DFU mode.<br />
<br />
<h3>
Is there any particular rooting kit, for example Kingo for Android, that is recommended over another?</h3>
For rooting a device, it will depend on the method used by your acquisition tool. Most of them choose to design their own root method. Rooting a device will not change access unless that is the technique used by your acquisition tool.<br />
<br />
<h3>
Any solutions for Chromebooks?</h3>
Chromebooks are an odd hybrid in devices and for us are currently being researched for support addition. We've had difficulties with some of the encryption that is found by default on the device and are working to get around those barriers.<br />
<br />
<h3>
Are Blackberrys still the most difficult devices to crack?</h3>
BlackBerry devices are still very difficult to work with. The reason is they still are a very clean device. Even when working with the new 10 devices in Device Seizure, we have to work with them through doing a backup record and then parsing that record. However, the one part that has improved is that the newer BB devices do use Android Apps so the parsing of that data is easier than when they worked 100% proprietary.<br />
<br />
<h3>
Is there any way to analyze BlackBerry RAW data for analysis (malware for example)?</h3>
BlackBerry devices are not as easy to physically image to get a RAW image. We have very limited capabilities in this area, as most companies do. This does prohibit you from being able to do some of the file system analysis you need to do for malware detection. With all BlackBerry devices, the support changes by model, so it is something to check to make sure the file system acquisition is supported to be able to do that type of scan.<br />
<br />
<h3>
How effective are factory resets in truly wiping all data?</h3>
Most of the data is cleared in a factory reset, but it's always good to go back and check. I do an image before and after and compare the data to make sure all user-oriented data has been removed from the device.<br />
<br />
<h3>
I noticed that since Apple Devices like to power up upon plugging in, I guess if you're going to put it into DFU mode you should do it in a box. After it goes into DFU mode, is it active with a network?</h3>
It is no longer active on the network when it is in DFU mode. You do have to power it off completely to get it to go into DFU.<br />
<br />
<h3>
Can a VM assist in minimizing driver conflicts between pay-as-you-go and contract phones?</h3>
Yes, virtual machines can be a good tool to work with all the changing drivers with mobile devices. I use the rollback functionality with my virtual machine to be able to adjust for the different drivers.<br />
<br />
<h3>
How about encrypted iTunes backup?</h3>
iTunes backups can have encryption that is separate from the device encryption. Depending on the version of the device that you are dealing with, you can get around this encryption through a physical image done through DFU mode. There are also third-party tools that can break this encryption, such as Elcomsoft and Passware.<br />
<br />
<h3>
I know there are many tools available on the market, do you know of or would any of you have plans to integrate tools such as Oxygen, or the way they parse data and some of their viewers into EnCase Forensic?</h3>
I know that we do not have plans to integrate with Oxygen. Integrating with a tool like EnCase Forensic makes a lot more sense. For our approach, as it stands, we read other tools' image formats into Device Seizure so that you can cross-validate, etc.<br />
<br />
<h3>
Also, is putting a device into airplane mode a viable option instead of using a Faraday device or 30 sheets of foil?</h3>
Airplane mode is a viable option in a lot of cases, but if I know I'm working with evidence that is set to go to court, I still prefer to use the Faraday cage option to ensure I have the best protection. Since I did not design airplane mode on the device, I cannot testify to what it is doing and whether it's 100 percent blocked from activating any signals on the device. I like to have the strength of the physics behind me by using a Faraday cage.<br />
<br />
<h3>
Taking off your vendor hat, can you compare the offerings from the leading mobile hardware acquisition device providers?</h3>
There are a lot of advantages and disadvantages to every tool. It's like looking for the perfect car. You'll always find something you wish you had. What I do to really break down the tools is I run them through my test plans and then rank my tools based on how they did in the test plan. I then will process through devices based on the tools capabilities for that type of device. I will always process the device with both my tier 1 and tier 2 tool and then check the results as you never know if one tool will see something the other does not. I think it is a mistake for a lab to just have one tool with any type of examination but especially when it comes to mobile devices because they are so diverse and difficult to deal with. If a tool does not pass my test/validation plan I do not use it.<br />
<br />
<h3>
What signals can the mobile device receive that need to be protected against when there is no internet or cell service connection, or those services have been turned off?</h3>
I believe in covering yourself with the device signals, because it's something you literally cannot see that will destroy the evidence. I always use a Faraday device when processing if I know that the device needs to be maintained as pristine evidence. Some of the civil cases I deal with just want the data and have already not maintained it properly, so for those devices my SOP is to put them in airplane mode. Bluetooth and possibly IrDA for older phones are the most common signals outside of internet and cell service.<br />
<br />
<h3>
Is there any listing anywhere that has a continuously updated list of devices and whether they can be physically imaged / logically imaged. Or just any particular quirks with a model?</h3>
There is no general listing for that data as it is about the capabilities of the tool you're using on what it will support with each device. Guidance Software and my company, Paraben, maintain a current list of all the supported models and device profiles we support and what is supported with each, but this list becomes outdated as soon as new phones are released, so we often support more devices than are on our own list. I am guessing many of the other tool companies maintain a similar list and you just have to request it.<br />
<br />
<h3>
What are your views about time constraints in an investigation since every device may be different and you advise to keep trying to get to the data?</h3>
With time constraints, I would recommend you work with a logical image in most cases. The advantage with the logical image is that with smart devices they contain a lot of deleted data in the logical structure because the data is in a database. It is the fastest acquisition option that will yield you the highest results if you do not have the time to do all the available processing on the device or are experiencing problems with full physical imaging.<br />
<br />
<h3>
Can you discuss best practices in working with iOS 7 and 8 passwords and how to work around them?</h3>
With a lot of the later iOS devices there are just not a lot of options out there. I discussed both password recovery with software and with hardware in a few of the other questions; both have risks. In the end this is a problem we will be facing for a long time with us as investigators simply being locked out of the device by the manufacturer.<br />
<br />
<h3>
Do you have any advice for by-passing PINs?</h3>
For bypassing PINs there are a few options out there. I look at FunFoneShop in the UK for a lot of the flasher style attacks. I have answered another question about IP boxes as they are the latest trend. With all the bypass hardware options, be very careful as I have had them brick the phone before. It requires testing and you need to weigh the risk to reward. For software options I have used both Elcomsoft and Passware tools with good results with both. The software has less of a risk but still should be tested.<br />
<br />
<h3>
Do you have any suggestions for approaching mobile malware with a similar methodology as your app rule? </h3>
Malware/spyware is a little bit harder, but the principle is still the same as far as finding the app data. You need to make sure your mobile forensic tool will acquire the file system on the device. As long as it does that, you will be able to find the malware/spyware as that is where it is stored.<br />
<br />
<h3>
Is it true that if you do not have the pin for an iPhone 5 and above, it is impossible to analyze it?</h3>
That is correct; you do need to be able to have the lock to gain access. They changed chips on the device so you cannot get around it by doing a physical image. However, I still get devices of all ages in that I use the physical bypass on.<br />
<br />
<h3>
What is the investigation like with a locked device?</h3>
Depends on the device and what has locked it. With feature phones, a lot of times you can get around locked devices by doing a physical image first and then searching for “password”. It will show in the physical image. For smart devices, it depends on the device. With a lot of them, it will be firmware dependent as well as hardware dependent, as we can get around a lot of locks software-wise, but because they tie them to the chips, that has caused a greater barrier. It is much easier to work around Android protection than iOS. I also use 3rd party decryption tools such as Passware and Elcomsoft for password breaking.<br />
<br />
<h3>
What about password-protected iOS 8 devices and how to work with them – IP boxes?</h3>
I had another question about IP boxes. They're a risky option when it comes to password-protected devices and they also don’t work past 8.1. Right now you're stuck with only risky options that do risk the entire integrity of the device. You have to decide if the risk is worth it as those types of brute force attacks like IP boxes can destroy the device.<br />
<br />
<h3>
We use Good technology for our MDM, which is containerized. Would this data be available for investigations?</h3>
It depends on how they're storing the data. I have not reviewed that particular tool, but my guess is they're storing it in a database. If that database is encrypted, it should be fine, but you'll want to check that as the raw databases used in mobile devices can be parsed.<br />
<br />
<h3>
Can forensics be conducted remotely or do you have to have the actual device?</h3>
As it stands now with mobile forensics, you do have to have physical access to the device to be able to do an acquisition. I do not believe that will always be the case, but for now it is.<br />
<br />
<h3>
How did you get involved in digital forensics at the beginning of your career and what would you say the process is now for someone interested in breaking into the market?</h3>
I found this a great field for the dyslexic, which I am. We do things backwards naturally and it really has helped in my problem-solving and investigative skills. I was involved early because I was willing to give something that was not popular a try. For those getting into the field I recommend that they specialize and really get strong skills in one area but still be able to do other types of examinations. A good example is mobile forensics. A lot of investigators who work in this area do not do hard-drive examinations.<br />
<br />
<h3>
You mentioned that there was a Supreme Court Ruling concerning seizure and shielding. Do we have a case that we can research?</h3>
Here's a <a href="http://www.natlawreview.com/article/landmark-supreme-court-ruling-protects-cell-phones-warrantless-searches" target="_blank">link to an article</a>. There are many other references as well. I am not a lawyer, so I don't want to offer an unqualified opinion.<br />
<br />
<h3>
What about airplane mode?</h3>
Airplane mode can be useful to be able to take the device off the network. It is not a method I use frequently, but it is a viable option. In most scenarios I don’t recommend it as it requires the first responder to place the device in airplane mode and I don’t advise that someone who has not been trained fully start rummaging through the device.<br />
<br />
<b>Comments? More questions? What works for you?</b> We welcome your thoughts in the Comments section below.<br />
<br />
CEIC 2015: New EnCase Basics Track Shortens Your Learning Curve (2015-03-31)<br />
<br />
Let's talk a little bit about basic training. Nothing is more critical to the success of your EnCase<span style="font-family: Calibri, sans-serif; font-size: 12pt;">®</span> implementation than the buy-in and performance of the people who use it. After all, if your IT, security, or litigation support specialists fail to successfully learn the software, you can't truly maximize your organization's investment.<br />
<br />
If you're one of our newer customers, our new EnCase Basics track at <a href="http://www.ceicconference.com/" target="_blank">CEIC 2015</a> makes perfect sense. With four days of focused training and over 1,400 professional peers and experts, CEIC can help you or other new EnCase users in your organization gear up to address new challenges head-on.<br />
<br />
<h4>
<a name='more'></a>Digital and Security Investigations are Converging</h4>
<br />
More and more digital investigators are becoming incident response and cyber forensics specialists, too. At Guidance Software, we don't just sell you security, legal, and forensics products--we invest in your ability to prevent, detect, and respond to the ever-changing threat landscape.<br />
<br />
According to <a href="https://www.guidancesoftware.com/resources/Pages/doclib/Document-Library/SANS-2014-Survey-of-Endpoint-Intelligence.aspx" target="_blank">SANS 2014 Survey of Endpoint Intelligence</a>, 60 percent of organizations plan to automate incident response within 24 months. To help you do that, we've dedicated 50 percent of the EnCase Basics track to helping you unleash the power of your EnCase<span style="font-family: Calibri, sans-serif; font-size: 16px;">®</span> Cybersecurity and EnCase<span style="font-family: Calibri, sans-serif; font-size: 16px;">®</span> Analytics products.<br />
<br />
Register today and request these six powerful labs to accelerate your incident response and threat-hunting capabilities with EnCase:<br />
<ul class="list">
<li>Getting Started with EnCase Cybersecurity (Parts 1 and 2)</li>
<li>Getting Started with EnCase Analytics (Parts 1 and 2)</li>
<li>Incident Response with EnCase Cybersecurity and EnCase Analytics (Parts 1 and 2)</li>
</ul>
<div class="MsoNormal">
We're pleased to announce that our popular, EnCE-certified instructor Ashley Hernandez will lead these highly rated labs again this year. As a sought-after security speaker, she's been featured at numerous industry conferences, including HTCIA and ICAC, and she enthusiastically interacts with a large Twitter following at <a href="http://www.twitter.com/ashleyatencase" target="_blank">@AshleyatEnCase</a>.<br />
<br />
<h4>
Faster Time-to-value for New EnCase Users</h4>
We know your time is valuable and respect the way you invest it, so we guarantee that these EnCase Basics sessions will shorten your learning curve. In addition to the security sessions mentioned above, the new track also offers courses on maximizing your use of EnCase<span style="font-family: Calibri, sans-serif; font-size: 12pt;">®</span> Enterprise and EnCase<span style="font-family: Calibri, sans-serif; font-size: 12pt;">®</span> eDiscovery that will be taught by <a href="https://twitter.com/btshzr" target="_blank">Daniel Smyth</a>, a field-tested expert in forensics, e-discovery, and cybersecurity as well as a training course developer, instructor, on-site services practitioner, and consultant.<br />
<br />
Not only are Guidance Software trainers like Ashley and Daniel targeting their course material for you to put to use immediately, but we're also offering a new "Ask the Trainers" booth at CEIC 2015 to boost your training and give you access to even more expert knowledge. We'll staff the information center during all hours of the conference, so stop by any time to ask an instructor your burning questions.<br />
<br />
<h4>
"Open" EnCE<span style="font-family: Calibri, sans-serif; font-size: 12pt;">®</span> and EnCEP<span style="font-family: Calibri, sans-serif; font-size: 12pt;">®</span> Testing at CEIC</h4>
We've made it easier than ever this year to complete your EnCE and EnCEP exams and quickly drop your Padawan apprentice cloak for that of a Jedi master.<br />
<br />
"Open Testing" is a new benefit of this year's CEIC, and it means "no appointment necessary." Exams will be offered on Monday, May 18 through Wednesday, May 20 from 8:00 a.m. to 3:00 p.m. each day. The only caveat is that you must be pre-approved for the testing by April 24. <a href="https://www.guidancesoftware.com/ceic/Pages/ceic-certifications.aspx?cmpid=nav#ence" target="_blank">Click here for detailed instructions</a> on gearing up to take your EnCE and EnCEP exams.<br />
<br />
And finally, don't forget to sign up for and attend the EnCE Prep session in the EnCase Basic track prior to testing. No doubt you'll learn a great deal from veteran Guidance Software instructor and retired U.S. Army special agent Jamey Tubbs in this brief, high-level review. You can also connect with <a href="http://www.twitter.com/jameytubbs" target="_blank">Jamey on Twitter</a>.<br />
<br />
Visit the CEIC website for information on the current event agenda, registration and travel information, sponsor and exhibitor opportunities, and to register today. We hope you'll also interact with us on <a href="http://www.facebook.com/guidancesoftware" target="_blank">Facebook</a>, <a href="http://www.twitter.com/encase" target="_blank">Twitter</a>, and <a href="http://www.linkedin.com/company/guidance-software" target="_blank">LinkedIn </a>for the latest news and conversation. </div>
Parsing Windows ShellBags Using the ShellBags Parser EnScript (2015-03-30)<br />
<author>Simon Key</author><br />
<div class="MsoNormal">
<h3>
<strong>Introduction</strong></h3>
ShellBags are used to store settings for shell-folders that have been browsed by the user in the Windows GUI. Each shell-folder is seen by the operating system as an item in the Windows shell namespace, the path to which starts with the user's desktop.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2n0YHLIo2WA07my2-2ecKpx3YCU6WjOKX2YMXrtH2NvRgGLtVNyxSH428y6Tmw1bFmrWBeVOGI12ppsdGKcPMCVkMruNPxeEHEwKrJ4dkVZjM28nfpyjqDVcn41DlKkONFUx9-mNAuNg/s1600/image001.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2n0YHLIo2WA07my2-2ecKpx3YCU6WjOKX2YMXrtH2NvRgGLtVNyxSH428y6Tmw1bFmrWBeVOGI12ppsdGKcPMCVkMruNPxeEHEwKrJ4dkVZjM28nfpyjqDVcn41DlKkONFUx9-mNAuNg/s1600/image001.png" height="640" width="376" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 1 - Viewing the Windows shell namespace in Windows Explorer</span></td></tr>
</tbody></table>
<br />
Shell-folders won't always be represented as a physical folder on disk. A good example of this might be a shell-folder representing a control-panel category or the results of a search.<br />
<br />
ShellBag analysis can be useful from a forensic point of view because it can give a strong indication as to what shell-folders were accessed and when. This can be particularly useful when it comes to shell-folders that have since been deleted or those that were located on a removable disk.<br />
<a name='more'></a><br />
<h3>
ShellBag Data-Location & Manual Examination</h3>
In versions of Microsoft Windows from Vista onwards, ShellBag data is stored in the following Registry keys (the hive file holding each key is shown in parentheses) -<br />
<br />
<ul class="list">
<li>HKCU\Software\Microsoft\Windows\Shell (NTUSER.DAT)</li>
<li>HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell (USRCLASS.DAT)</li>
</ul>
Both of the above keys will contain two sub-keys: <strong>Bags</strong> and <strong>BagMRU</strong>.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4V7pRFlXzYyuklZfd_rofVdlyIJzwx84qwVXSLILbAvA26xv7t_IUiFaWvPZWrGeC0oeMCDaUqIt3ASYQFU5Bd4-W3N_Wl0GWh9D6v9WWGab8EWNcE24su1dTgJL8XpVBupf7FZbGzFU/s1600/image002.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4V7pRFlXzYyuklZfd_rofVdlyIJzwx84qwVXSLILbAvA26xv7t_IUiFaWvPZWrGeC0oeMCDaUqIt3ASYQFU5Bd4-W3N_Wl0GWh9D6v9WWGab8EWNcE24su1dTgJL8XpVBupf7FZbGzFU/s1600/image002.png" height="344" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 2 - Viewing ShellBag Registry keys in the Windows Regedit application on the author’s computer</span></td></tr>
</tbody></table>
<br />The settings for each shell folder are stored in a sub-key of the <strong>Bags</strong> key. These sub-keys are called 'slots' and organized in a flat list. Each slot is identified by an index number and will contain a number of settings such as the mode in which the contents of a folder were viewed (tiles, icons, details, etc.), and the icon size (where relevant).<br />
<br />
Slots are referenced by keys and associated values in the <strong>BagMRU</strong> hierarchy. These keys reflect the user's shell-namespace. Each key represents the contents of a shell-folder. It will contain a <strong>NodeSlot</strong> value, <strong>MRUListEx</strong> value, and a binary-value and sub-key for each child shell-folder. The <strong>NodeSlot</strong> value specifies the slot in which the associated shell-folder's settings are stored. The <strong>MRUListEx</strong> value is an array of 4-byte integer-values terminated by 0xffff. This array represents the order in which the child shell-folders were last accessed, most-recent first.<br />
<br />
The structure of the binary-value representing each shell-item will depend on the nature of that item. In some cases it might be a physical folder on disk; in others it might be a network location, control-panel item, search folder, user library or known folder identified by a GUID.<br />
<br />
The following screenshot shows a ShellBags binary-value for a folder named <strong>48</strong>, which exists in the <strong>Pictures</strong> folder for a computer-user called Rebecca Howe. The ShellBag path to this value is <strong>Desktop\4\1\1</strong>.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgPSiXivHnH9pxXdGhhjjU0IPoJ2kojJgABHSZhETVZnh2H_gEbP8RbWF8jgjeqbpOW5fgrKuUQGwjTzjtA7jQZb-Anmexl5NEK5ke9dmnLbYtonS4CYt5wfalr1aF04PD4IHzm-YFRtk/s1600/image003.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgPSiXivHnH9pxXdGhhjjU0IPoJ2kojJgABHSZhETVZnh2H_gEbP8RbWF8jgjeqbpOW5fgrKuUQGwjTzjtA7jQZb-Anmexl5NEK5ke9dmnLbYtonS4CYt5wfalr1aF04PD4IHzm-YFRtk/s1600/image003.png" height="411" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 3 - Viewing a ShellBag Registry value relating to a folder named 48</span></td></tr>
</tbody></table>
<br />
If we look in the folder that has the same name as the binary-value, we can see that it contains a <strong>NodeSlot</strong> value of 70 –<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij8Qo2DyeeWmcBhlrsLiaciQthkS8-q6crk_0V8fLuSzpefGN2yrdgh9jd56CmPmO-xit58TFf-VgUkr6wV_EgZ-RNA_1pQOw_FfE6nT5siBs8DfxStDYANWIfuF0mc9E_-U6zW4W-ByQ/s1600/image004.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij8Qo2DyeeWmcBhlrsLiaciQthkS8-q6crk_0V8fLuSzpefGN2yrdgh9jd56CmPmO-xit58TFf-VgUkr6wV_EgZ-RNA_1pQOw_FfE6nT5siBs8DfxStDYANWIfuF0mc9E_-U6zW4W-ByQ/s1600/image004.png" height="320" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 4 – Viewing the NodeSlot value for the folder ‘48’</span></td></tr>
</tbody></table>
<br />
If we take a look at slot 70 we can see that it contains a <strong>Shell</strong> sub-folder, which in turn contains a sub-folder named using a GUID. The latter contains Registry values representing the logical view mode (3, which represents icon view) and icon size (96) –<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnKZ_N1v-UweE5RBVwxF_wCnJKdskl64vNrXTo1f-E72wqqBsueUgbWkw5n5ctiWPjvN3mDaKoh6-yFORdrVV6k6PvpkDPOXeBUU05HS5t3F269KLbB4iywf7Qb1XLB73VNidyzQyAGrs/s1600/image005.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnKZ_N1v-UweE5RBVwxF_wCnJKdskl64vNrXTo1f-E72wqqBsueUgbWkw5n5ctiWPjvN3mDaKoh6-yFORdrVV6k6PvpkDPOXeBUU05HS5t3F269KLbB4iywf7Qb1XLB73VNidyzQyAGrs/s1600/image005.png" height="352" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 5 – Viewing the LogicalViewMode and IconSize settings</span></td></tr>
</tbody></table>
<br />
<h3>
<strong>ShellBag Analysis Using the ShellBag Parser EnScript</strong></h3>
The ShellBag Parser EnScript was designed to make it easy in EnCase® to parse ShellBag Registry data from NTUSER.DAT and USRCLASS.DAT Registry hive-files. The script has been tested with data from Windows Vista, Windows 7 and Windows 8.1. Please note that the script does not support Windows XP.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimFgLeSJz4cyFAEEm3yzYIGSl5_bndNXH1XMPF5WuWAlbONElMnXTslRaOiZafp1urwZVQUIj40R4WTnKyTmaSIdiUraimIiGX5f-Y-3xR3aD52wawInVm_Fn51VZZLigxkuFTLzq1pUY/s1600/image006.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimFgLeSJz4cyFAEEm3yzYIGSl5_bndNXH1XMPF5WuWAlbONElMnXTslRaOiZafp1urwZVQUIj40R4WTnKyTmaSIdiUraimIiGX5f-Y-3xR3aD52wawInVm_Fn51VZZLigxkuFTLzq1pUY/s1600/image006.png" height="401" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 6 – Running the ShellBags Parser EnScript</span></td></tr>
</tbody></table>
<br />
The script produces two types of output: a data bookmark for each Registry hive, and a tab-delimited spreadsheet containing the ShellBag entries from all hives.<br />
<br />
The contents of the data bookmark for the UsrClass.dat hive that we parsed manually appear as follows. Note the entry for the <strong>48</strong> folder that we parsed earlier -<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKEYxpLkSbkkC6O37c_tN29GhAtge63QQtGDlDbIysxf9Hoc4dOsqvSfFn0VtQ6bAoS29tugakfvkcc7NImbrFq7-TEDn7kk7VAGo2SOpBr_FlUpJY2RQUWTcrWQuzvmXb7GFfF6Qxc2k/s1600/image007.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKEYxpLkSbkkC6O37c_tN29GhAtge63QQtGDlDbIysxf9Hoc4dOsqvSfFn0VtQ6bAoS29tugakfvkcc7NImbrFq7-TEDn7kk7VAGo2SOpBr_FlUpJY2RQUWTcrWQuzvmXb7GFfF6Qxc2k/s1600/image007.png" height="401" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 7 – Viewing the data bookmark produced for the UsrClass.dat hive</span></td></tr>
</tbody></table>
<br />
The <strong>LogicalViewMode</strong> and <strong>IconSize</strong> values match those we observed earlier albeit in a more readable way. The <strong>MRU Index</strong> column indicates the order in which the shell-folders were accessed with a value of zero representing the folder that was most recently accessed. EnCase® will display the folders in order (most recent first) provided that the columns haven’t been sorted.<br />
<br />
The script will produce up to five timestamps for each shell-folder, the first being the <strong>Registry Created</strong> timestamp. This originates from the <strong>BagMRU</strong> Registry key associated with the folder and typically represents the time the folder was first accessed (browsed).<br />
<br />
The second timestamp is the <strong>Registry Last-Accessed</strong> timestamp. This originates from the last-written date of the parent <strong>BagMRU</strong> Registry key and is only available for the child shell-folder that was most recently accessed. The logic behind this is that the <strong>MRUListEx</strong> value would have been updated when that folder was last-accessed, which would have in-turn updated the parent Registry key's last-written timestamp (Registry values do not have timestamps – those shown in EnCase® belong to the parent Registry key). In this case the <strong>48</strong> folder does not have a <strong>Registry Last-Accessed</strong> timestamp because the sibling <strong>2010-08-18 Antigua</strong> folder was the last folder to be accessed.<br />
<br />
The <strong>Target Created</strong>, <strong>Target Last-Accessed</strong> and <strong>Target Last-Modified</strong> timestamps are self-explanatory. They originate from a block of data to be found in certain shell-item Registry streams that refer to physical folders. This block will also contain the MFT record and sequence numbers of folders located on NTFS volumes. <br />
<br />
It’s worth noting that the timestamps for the target folder are stored in DOS GMT format, which has a two-second granularity. The timestamps themselves may not always be up-to-date; we can see an example of this if we take a look at the <strong>48</strong> folder itself.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF6AzgwUrND5zyFoSMlIzy62D24RHY9YF3QGDvVNdZMicKjgZ7nWmhuaU7X8bgBgs-UZMpksD7HOQcoeuYylwKigsgRfBPOUxkx8r-gYQ4RCOl1-Y2kXaDsepnbQNZ7RSrE_K59JnhXUg/s1600/image008.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF6AzgwUrND5zyFoSMlIzy62D24RHY9YF3QGDvVNdZMicKjgZ7nWmhuaU7X8bgBgs-UZMpksD7HOQcoeuYylwKigsgRfBPOUxkx8r-gYQ4RCOl1-Y2kXaDsepnbQNZ7RSrE_K59JnhXUg/s1600/image008.png" height="401" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 8 – Viewing metadata for the 48 folder</span></td></tr>
</tbody></table>
<br />
The above screenshot confirms that the target folder’s MFT record and sequence number match those decoded from the ShellBags entry. The created timestamp is out by two seconds because of the DOS-timestamp granularity issue. The last-accessed and last-written/modified timestamps are not up-to-date, which is not always a bad thing - outdated timestamps can corroborate the time that other significant events took place on the system.<br />
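The following Python is an added example, not the ShellBags Parser EnScript or any code from the post. It models how the timestamps described above fit together: it reads the MRUListEx ordering (treating the terminator as the all-ones 4-byte entry, 0xFFFFFFFF when read as a DWORD), gives the Registry Last-Accessed time only to the child at MRU index 0, and decodes the DOS GMT target timestamps, reproducing the two-second truncation seen for the 48 folder. Every key name, folder name and timestamp value in it is constructed sample data.

```python
"""Model of the five ShellBag timestamps described in the post.

Added example; not the ShellBags Parser EnScript. All key names, folder
names and timestamp values below are constructed sample data.
"""
from __future__ import annotations
import struct
from datetime import datetime, timezone

# MRUListEx ends with a 4-byte entry of all ones (0xFFFFFFFF read as a DWORD).
MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(raw: bytes) -> list[int]:
    """Child-key indices, most recently accessed first.

    Stops at the terminator; a missing terminator or trailing partial entry is
    tolerated because only whole little-endian 4-byte values are read.
    """
    order: list[int] = []
    for offset in range(0, len(raw) - len(raw) % 4, 4):
        (value,) = struct.unpack_from("<I", raw, offset)
        if value == MRU_TERMINATOR:
            break
        order.append(value)
    return order


def decode_dos_datetime(date_word: int, time_word: int) -> datetime | None:
    """Decode a DOS (FAT) date/time pair as UTC (ShellBags store them as GMT).

    The seconds field holds 2-second units, so a decoded value can be up to
    two seconds behind the real filesystem timestamp. A zero pair means
    'no timestamp'; an out-of-range field is reported as None, not guessed.
    """
    if date_word == 0 and time_word == 0:
        return None
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:
        return None


def encode_dos_datetime(ts: datetime) -> tuple[int, int]:
    """Inverse of decode_dos_datetime; odd seconds are truncated to the 2-second unit."""
    date_word = ((ts.year - 1980) << 9) | (ts.month << 5) | ts.day
    time_word = (ts.hour << 11) | (ts.minute << 5) | (ts.second // 2)
    return date_word, time_word


def shellbag_timestamps(parent_last_written: datetime, mrulistex: bytes,
                        children: dict[str, dict]) -> dict[str, dict]:
    """Five timestamps for each child shell-folder of one BagMRU key.

    children maps a child key name to {'created': key created time, and
    'target_created' / 'target_accessed' / 'target_modified': (DOS date word,
    DOS time word) taken from the shell-item stream}. Only the child at MRU
    index 0 gets a Registry Last-Accessed timestamp, since the MRUListEx
    update for that child is what rewrote the parent key.
    """
    mru_index = {str(i): pos for pos, i in enumerate(parse_mrulistex(mrulistex))}
    result = {}
    for name, child in children.items():
        idx = mru_index.get(name)  # None if the key is not listed in MRUListEx
        result[name] = {
            "mru_index": idx,
            "registry_created": child["created"],
            "registry_last_accessed": parent_last_written if idx == 0 else None,
            "target_created": decode_dos_datetime(*child["target_created"]),
            "target_last_accessed": decode_dos_datetime(*child["target_accessed"]),
            "target_last_modified": decode_dos_datetime(*child["target_modified"]),
        }
    return result


# --- constructed sample mirroring the post's scenario -------------------------
UTC = timezone.utc
PARENT_LAST_WRITTEN = datetime(2014, 6, 2, 9, 20, 0, tzinfo=UTC)  # parent BagMRU key
SAMPLE_MRULISTEX = b"\x00\x00\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff"  # 0 newest, then 1
REAL_CREATED = datetime(2014, 6, 1, 8, 30, 17, tzinfo=UTC)  # '48' folder, odd seconds
SAMPLE_CHILDREN = {
    "0": {  # the sibling folder browsed most recently
        "created": datetime(2014, 6, 2, 9, 20, 0, tzinfo=UTC),
        "target_created": (0, 0), "target_accessed": (0, 0), "target_modified": (0, 0),
    },
    "1": {  # the '48' folder from the post
        "created": datetime(2014, 6, 1, 9, 15, 0, tzinfo=UTC),
        "target_created": encode_dos_datetime(REAL_CREATED),
        "target_accessed": encode_dos_datetime(REAL_CREATED),
        "target_modified": encode_dos_datetime(REAL_CREATED),
    },
}


def sample_timestamps() -> dict[str, dict]:
    """Run the model over the constructed sample."""
    return shellbag_timestamps(PARENT_LAST_WRITTEN, SAMPLE_MRULISTEX, SAMPLE_CHILDREN)
```

Running `sample_timestamps()` shows child 1 (the 48 folder) with no Registry Last-Accessed value and a Target Created time of 08:30:16, one second behind the real 08:30:17 because of the DOS granularity.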
<br />
Having examined the bookmarks created by the script, the contents of the spreadsheet are straightforward and don’t really require any further elaboration.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDv6CcNvcWOygHKZlH1Ac2fma8iYUjzjjIEGWs0nhRggQhTyMT-b95XQtNncCsADGD7MmFxN_DJMZwgLXSoB68nH4nXiDqqr83f9f-JZE8Cd8deXwymcVarE4stPaITP5ymwwUjkLcW38/s1600/image009.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDv6CcNvcWOygHKZlH1Ac2fma8iYUjzjjIEGWs0nhRggQhTyMT-b95XQtNncCsADGD7MmFxN_DJMZwgLXSoB68nH4nXiDqqr83f9f-JZE8Cd8deXwymcVarE4stPaITP5ymwwUjkLcW38/s1600/image009.png" height="302" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 9 – Viewing the output spreadsheet (additional formatting has been applied)</span></td></tr>
</tbody></table>
<br />
<h3>
<strong>Resolving Known Folder GUIDs</strong></h3>
When it comes to resolving the names of known folders (<strong>Documents, Pictures, Videos,</strong> etc.) the ShellBags Parser EnScript uses an internal list, which it writes to a tab-delimited file called <strong>GUIDs.csv</strong> in the same folder as the script. <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyA1nBsWVxHequRBJmluGMaa3rWIUkP9rA6ANAm4IlJlpFqdszajLZ5kZfxNW9WcuzQj_dhPn4DWLTwIPDzabrelUKoQ1dr911OKqcOi9Wg57Iq8SVWZopQfJlY2pXc7bgAJgn251Rzps/s1600/image010.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyA1nBsWVxHequRBJmluGMaa3rWIUkP9rA6ANAm4IlJlpFqdszajLZ5kZfxNW9WcuzQj_dhPn4DWLTwIPDzabrelUKoQ1dr911OKqcOi9Wg57Iq8SVWZopQfJlY2pXc7bgAJgn251Rzps/s1600/image010.png" height="332" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: 15px; text-align: start;">Figure 10 – Viewing the GUIDs.csv file as text</span></td></tr>
</tbody></table>
<br />
Once extracted, the script will read the contents of this file the next time it runs. The examiner can edit the file to add new GUIDs as and when they are encountered.<br />
<br />
<h3>
<strong>Caveats</strong></h3>
There are a number of caveats that the examiner should be aware of when using the ShellBags Parser EnScript.<br />
<br />
First and most importantly, not everything is known about the shell-item structures stored in BagMRU entries or about the operation of ShellBags in general. The script will do its best to parse these structures accurately but may encounter some that it can't parse at all and others that it won't interpret correctly. The examiner should never treat the findings of the script as the 'be all and end all' and should seek further corroboration whenever necessary. The author would appreciate being informed should the script be found to produce erroneous, incomplete or inaccurate data.<br />
<br />
Secondly, the script does not currently support the recovery of deleted ShellBag data. Other tools are available that support this functionality.<br />
<br />
<h3>
<strong>Acknowledgements</strong></h3>
The author wishes to acknowledge the excellent work and information made available by Joachim Metz, Chad Tilbury, Dan Pullega, Eric Zimmerman, and Nicole Ibrahim. Eric Zimmerman's <strong>ShellBags Explorer</strong> utility was a particularly valuable resource when it came to writing this EnScript.<br />
<br />
<strong>Simon Key <a href="mailto:simon.key@encase.com">simon.key@encase.com</a> <br />
Course Developer III<br />
GSI</strong><br />
<br />
Build New Skills while Rubbing Shoulders with the Industry’s Brightest at CEIC 2015 (2015-03-27)<br />
This year when the best minds in security and digital forensics converge at CEIC May 18-21, 2015, you have an unprecedented opportunity to gain skills and knowledge on real solutions to your biggest data-related challenges, as well as to collaborate with like-minded professionals who bring to CEIC plenty of war stories not unlike your own.<br />
<br />
We’re excited to feature this year’s “EnCase in Action” conference track in today’s blog. We worked hard to pack it with sessions that will put real-world context around some of the EnCase capabilities you've heard so much about.<br />
<a name='more'></a><br />
<b>EnCase in Action Panels: Lessons Learned, Problems Solved, Moments of Sheer Genius</b><br />
<br />
Seven of the 11 EnCase in Action sessions are panels promising a wealth of new best practices, processes, and unique solutions to your everyday challenges. The panel topics are:<br />
<ul class="list">
<li>Investigating Employee Misconduct with EnCase</li>
<li>Driving a Defensible E-Discovery Practice with EnCase</li>
<li>Digital Investigations in International Jurisdictions</li>
<li>CISOs and the Art Of Defining And Driving Enterprise Security</li>
<li>Law Enforcement and EnCase</li>
<li>The Government and EnCase</li>
<li>Incident Response Best Practices and True Stories</li>
</ul>
<div class="MsoNormal">
When you read the biographies in our online CEIC conference agenda, you'll discover that this year’s panelists are deeply experienced and represent powerhouse companies that are bold, proactive and deliberate in their approach to security, legal, and digital investigations. Here are just a few of the companies where our “EnCase in Action” track panelists are pushing the envelope:<br />
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpqyyEnb_yxLdTkgVCPNyIMft4jub7ayRK6tScrf2lWl-USOCAQSBFTm8VTcPOb_Wjh16M2LUSVQ5YA58ecHZKuMcxc8pcnqPU22Q5W_CWrHgLNFycFpg4KOMtg_VjE8o47z74l1KWJ6c/s1600/ceic+speaker+logos.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpqyyEnb_yxLdTkgVCPNyIMft4jub7ayRK6tScrf2lWl-USOCAQSBFTm8VTcPOb_Wjh16M2LUSVQ5YA58ecHZKuMcxc8pcnqPU22Q5W_CWrHgLNFycFpg4KOMtg_VjE8o47z74l1KWJ6c/s1600/ceic+speaker+logos.png" height="225" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b>EnCase in Action Case Studies: Peer Stories will Resonate and Motivate</b></div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
Our attendee-driven EnCase in Action agenda also features comprehensive lectures that drill down into real-life case studies. These will surely resonate with attendees who are responsible for e-discovery, digital forensics, and security in business or government. The case study topics are:<br />
<ul class="list">
<li>Transforming E-Discovery through Use of Scorecards (Procter & Gamble)</li>
<li>Forensic Investigations in Corporate Internal Audits (SAP America)</li>
<li>ATOS Case Study: Implementing a Cyber Defense and Response Framework with EnCase Technology</li>
</ul>
<div class="MsoNormal">
When all is said and done, you can expect to leave CEIC empowered with a global plan of attack to turn your legal and security challenges into an actionable, efficient and results-oriented process moving forward.<br />
<br />
Visit the <a href="http://www.ceicconference.com/" target="_blank">CEIC event website</a> for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and register now. Also, be sure to follow us on <a href="https://www.facebook.com/CEIC.Conf" target="_blank">Facebook</a>, <a href="http://www.twitter.com/ceic_conf" target="_blank">Twitter</a>, and <a href="https://www.linkedin.com/company/guidance-software" target="_blank">LinkedIn</a> for the latest CEIC buzz and conversation. </div>
</div>
</div>
<h3>
<strong>AMP Threat Grid Empowers Law Enforcement to Fight Cybercrime</strong></h3>
Posted 2015-03-09<br />
<author>Jessica Bair, Cisco</author><br />
<br />
<div class="MsoNormal">
Recognizing the critical need for state and local law enforcement agencies to have state-of-the-art technologies to effectively fight digital crime, Cisco is creating the AMP Threat Grid for Law Enforcement Program. The program is designed to empower those working to protect our communities from cybercriminals with its dynamic malware analysis and threat intelligence platform.<br />
<br />
Computers are central to modern criminal investigations, whether as instruments to commit the crime, as is the case for phishing, hacking, fraud or child exploitation; or as a storage repository for evidence of the crime, which is the case for virtually any crime. In addition, those using computers for criminal activity continue to become more sophisticated, and state and local law enforcement agencies struggle to keep up with their internal computer forensics/digital investigation capabilities. Malware analysis is also a critical part of digital investigation: to prove or disprove a "Trojan defense" for suspects, wherein the accused rightly or falsely claims a malicious software program conducted the criminal activity and not the user; and to investigate unknown software and suspicious files on the computers of the victims of cybercriminal activity for evidence of the crime.<br />
<br />
The AMP Threat Grid for Law Enforcement program is designed for state and local agencies with fewer than 1,000 sworn officers. In the United States, this encompasses more than 99.5 percent of <a href="http://www.bjs.gov/content/pub/pdf/csllea08.pdf" target="_blank">law-enforcement agencies</a>. Once empowered with AMP Threat Grid, within seconds of a threat-intelligence query or within a few minutes of submitting a suspicious file or URL for analysis, an investigator will have the ability to view and download an easy-to-read and comprehensive report detailing the actual behavior of the submitted file, including changes to the file system, registry, command-and-control communication, downloads, code injection, and other malicious activity.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In addition, AMP Threat Grid will correlate the file with the millions of samples and billions of artifacts in the threat intelligence database, providing instant global and historical context. The program also includes seamless integration with EnCase® Forensic to reduce investigators' time and effort to identify and analyze suspected malware.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The AMP Threat Grid for Law Enforcement program includes:<br />
<ul class="list">
<li>Two portal user accounts per agency</li>
<li>Up to five samples (of suspicious files or computer programs) or URLs submitted per day, per user, for analysis through the portal or via the API integration with EnCase Forensic</li>
<li>Unlimited sample queries through the portal or via the API integration with EnCase Forensic, including file hash values, IP addresses, domains, registry keys, and file paths</li>
<li>The AMP Threat Grid Malware Analysis and Intelligence for EnCase EnScript and installation guide, training manual and video, and EnCase Forensic case template</li>
<li>Access to regularly scheduled law enforcement-only WebEx sessions for training and peer discussion</li>
</ul>
<div class="MsoNormal">
Cisco will host a hands-on lab for threat intelligence and dynamic malware analysis at the <a href="http://www.ceicconference.com/" target="_blank">Computer and Enterprise Investigations Conference</a> (CEIC) to be held at Caesars Palace in Las Vegas, May 18-21, 2015.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Law-enforcement investigators can register for the program on the <a href="http://www.threatgrid.com/le/" target="_blank">Threat Grid Law Enforcement Program</a> page. The <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010126WS&k=threatgrid" target="_blank">AMP Threat Grid Malware Analysis and Intelligence for EnCase EnScript</a> is available for download at no cost to Guidance Software customers from the EnCase App Central store; it includes a 30-day pilot of the full solution for non-law enforcement incident responders, with free malware sample submissions and contextual searches of the Threat Grid threat intelligence repository. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<i>Jessica Bair, EnCE, EnCEP</i></div>
<div class="MsoNormal">
<i>jbair@cisco.com</i></div>
<div class="MsoNormal">
<i>Sr. Manager, Business Development</i></div>
<div class="MsoNormal">
<i>Advanced Threat Solutions, Cisco Security Group</i></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Comments</b>? <b>Questions</b>? We welcome discussion in the section below.</div>
<div class="MsoNormal">
<br /></div>
</div>