Showing posts with label EnCase App Central.

EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting

Part 3 of 3 – Reporting with Quick Report

Robert Batzloff


This series of blog posts has focused on keeping your investigation organized and presenting your evidence in a clear, correct and readable format. Clarity, as well as brevity, is key when delivering digital forensic evidence to those who don’t work in the field. This evidence can be dense and hard to understand. Your job is to make the relevant information apparent and easy to digest. You want the information you present to be easy to explain and defend because opposing council will leap at the chance to capitalize on any potential ignorance regarding digital forensics.

As reporting is the final step in an investigation, we’ll close this blog series by looking at my favorite reporting EnScript: Quick Report Lite.

EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting

Part 2 of 3 – Jamey Tubbs' Time Zone Prior to Processing

Robert Batzloff

And we’re back with another post to walk you through one of the over 150 EnScripts® that can be found at EnCase® App Central. This three-part series will introduce and explore four EnScripts to help you make the most of EnCase App Central, manage and organize your evidence, and finally, show you a new option when it comes to creating your case report. In the previous post we discussed What’s New in App Central and Manfred’s Comprehensive Case Template. In this post we’ll walk through Jamey Tubbs’ incredibly helpful, time-saving EnScript: Time Zone Prior to Processing.

EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting

Part 1 of 3 – EnCase App Central & Manfred's Comprehensive Case Template

Robert Batzloff 

Now that the Enfuse Call for Papers has just gone out, I'm reminded of all the hard work that went into CEIC earlier this year. While there was record attendance, I know not everyone was able to make it to Vegas, and so I wanted to re-examine a few EnScripts that were showcased in May; specifically, EnScripts designed to save time, manage evidence and help create quick, professional reports. In this three-part blog series I'll show you how to access and navigate EnCase App Central, how to join the EnCase Developer Network, and I'll walk you through these EnScripts:

  • What's New in App Central
  • Manfred's Comprehensive Case Template
  • Time Zone Prior to Processing
  • Quick Report 

Learn to Expand on the Value of EnCase at CEIC 2015 with EnScripts and Third-Party Apps

Robert Batzloff

This year at CEIC®, we’re committing more training and trainer resources than ever before to help you boost the benefits of EnCase® in your company’s deployment.

Our goal is to show you the brawn behind power EnCase users and apps, and by learning more about the EnScript® language, help you get to that same level.

With an expanded conference track called EnCase Apps and Integrations, we’ve added 12 sessions that will showcase some of the most dynamic apps developed by EnCase forensic investigators that are easy for you to integrate. We’re also boosting the App World booth hosted by EnScript gurus from Guidance Software and developers from the EnCase community, so you’ve got more experts close at hand during all hours of the conference day.

EnScript and .NET: Debugging in Visual Studio

I have been working on a few projects lately using C# and integrating it with EnScript code, and of course I run into problems in my code. Sometimes the problem is in the EnScript code, but other times it is in the C# code. To be honest, it is more often in the C# code, since I have spent less time in that language than EnScript, especially in the context of making a DLL to interface with EnScript.

If you have been reading this so far while thinking any of the following, “What? C# and EnScript? When did this happen?”, check out this one for a little intro. My goal in this post is to show you how to debug your C# code while EnScript is calling it. Yes! You can do that!

Fear and Loathing in Internet History

James Habben

As a DFIR examiner, poring over internet history records is a well-loathed daily activity. We spend hours looking at these lists trying to find an interesting URL that moves our case one direction or another. Sometimes we can use a filtering mechanism to remove URLs that we know for certain are uninteresting, but keeping a list like this up to date is a manual task. I used Websense to assist with this type of work at my previous job, but I have also had brief experiences with Blue Coat as well.

So many artifacts, so little time… Summer edition

Ken Mizota

EnCase is an extensible digital investigation platform. Simply put, extensibility reduces time and effort for the investigator. One way to validate this claim for yourself is to take a look at the depth and breadth of the ways EnCase can work with existing tools in your kit. For example: Do you already own Magnet Forensics' IEF? IEF and EnCase work together to reduce work for investigators. Have you considered how to integrate threat intelligence into your DFIR regimen? EnCase and Cisco Security (formerly ThreatGRID) collaborate to reduce IR time and effort. Let’s walk through a few ways extensibility works in your favor.

Working with EnScript and .NET/C#

Ken Mizota

The ability to manipulate and interpret data structures within evidence has long been a strength of EnCase. EnScript—a core EnCase technology—has enabled investigators and incident responders to be efficient, automating the most sophisticated or mind-numbingly rote techniques. For instance, take Simon Key's (@SimonDCKey) recent post on the OS X Quick Look Thumbnail Cache: the ability to mine, extract and work with critical data for your case is available now. This app, courtesy of Guidance Software Training, just happens to be free, enabling the DFIR community to take advantage. If you need to keep pace with the perpetually accelerating gap between data and the investigator’s ability to understand that data, having extensible, flexible tools in your kit is not optional.

Examination of the Mac OS X Quick Look Thumbnail Cache

Simon Key

Thumbnail images can be extracted from a variety of sources in a given piece of evidence under investigation (e.g., cached browser images, thumbs.db files, embedded JPEGs, etc.). In OS X, there is a relatively under-exploited source of thumbnails generated from Quick Look technology. In this post, we’ll explore how this particular artifact can be exposed and understood in your next OS X investigation.

To preface this post, many artifacts created in OS X are most easily reviewed and understood on a Mac natively. However, many investigators lack access to a Mac for forensic investigation. If you haven’t used EnCase for OS X investigations, you may not be aware that EnCase has been continuously adding support for investigation of OS X systems, including comprehensive support for HFS+ extended attributes, Plist parsing, an automated OS X artifact processing module, and, most recently, native support for decryption of OS X keychains. With each release of EnCase, there are fewer techniques that remain best-suited or unique to a native OS X toolset. That being said… let’s get on with it!

3 Ways to Make IEF and EnCase Work Better Together

Jamie McQuaid, EnCE, Magnet Forensics

As forensic examiners we all use a variety of tools to conduct our investigations. Because the types and needs of every case vary, so must the tools that support them. We all have our favorites, but typically an investigator’s toolbox will be filled with a variety of tools to assist with every scenario we encounter.

Investigators are always taught to use the best tool for the job and to work through cases thoroughly and efficiently. Internet Evidence Finder (IEF) has become a valuable tool for those of us working on cases requiring the analysis of Internet evidence and large volumes of data. IEF is specifically developed to intelligently recover Internet-related artifacts from Windows, Mac, Linux, iOS, and Android devices, enabling investigators to analyze large amounts of case data quickly and efficiently.

SysTools Outlook Exporter for EnCase – No Outlook Installation Required

Debasish Pramanik, SysTools Software Private Limited

SysTools Outlook Exporter is a plug-in that lets you export mail records found in EnCase Forensic into a Microsoft Outlook PST format file, with no need to install Microsoft Outlook on the machine.

The plug-in package includes SysTools Outlook Viewer, which lets you view the exported PSTs in an Outlook-friendly manner, again without the requirement of having Outlook installed on your local machine. It supports Microsoft Outlook versions 2013, 2010, 2007, 2003 and 2000. With this plug-in, digital forensic investigation teams can enhance the power of EnCase in making their investigations faster.

Part 2 - So much evidence, so many artifacts, so little time…

Ken Mizota

In my last post, I summarized a handful of apps that are useful to search and explore your case, and apps that help with malware investigations. For the latest updates on apps, go to EnCase App Central directly, or follow us on Twitter @EnCase.

Without further ado, here are some more apps that we hope can help you make your case:

Part 1 - So much evidence, so many artifacts, so little time…

Ken Mizota

I’ve recently taken to tweeting about some of the latest additions to EnCase App Central, and it’s been a reminder of the impressive ingenuity and dedication within the digital investigations community. Our humble app store has grown to house over 100 solutions, extending and increasing the efficiency and efficacy of digital investigations. At Guidance Software, we take pride in shipping software that helps investigators find more evidence, faster, and we see EnCase App Central as a key component of EnCase.

Brand New & Improved Volatility Reporting Plugin

Guidance Software

Over the past couple of years the Guidance Software EnCase consultants and trainers have provided advice and assistance concerning how to manage the digital artifacts from RAM or memory analysis when using Volatility as their tool of choice. The two blog posts below provide insight into the progress.

SEEB USB - Mounted Devices Report App

Brian Jones

Recovering evidence that has been removed from a target machine is tough enough, but then you have to figure out how that evidence was removed and when. Suspects are increasingly removing hard drives from machines or simply dragging and dropping incriminating evidence to thumb drives, cameras, mp3 players or other USB gadgets. The good news is that digital footprints are often left behind when they plug these devices into the system, and the artifacts that can be recovered often lead to insights about the suspect’s behavior or recovery of the removed data itself.

One of the most popular EnScripts/apps on EnCase App Central addresses this challenge by automating the Windows Registry examination, locating and reporting on the artifacts that are created when an entry is made in different hives in the registry. For example, when a USB storage device is inserted into a machine, a key is created in the Windows Registry, and everything the operating system needs to know about that storage device is contained in that key. The Registry was first introduced with Windows 95 and has been incorporated into many Microsoft operating systems since. Within the Windows operating system is a list of all the USB devices that have been connected to the system in the past. Information includes the device description, its type (printer, camera, disk drive, etc.), whether it was connected via a USB hub, its drive letter, and the device's serial number. All of these information types can be identified under the right conditions.

Using Belkasoft Evidence Center in EnCase Forensic Version 7

Robert Bond

I’d like to introduce you to a new tool that expands the data-extraction capabilities of EnCase® Forensic. Belkasoft Evidence Center makes it easy for investigators to search computer hard drives, disk images, and snapshots of a computer's volatile memory for many types of digital evidence.

This volatile evidence includes conversations made on social networks, and the tool can quickly locate chats carried over a variety of instant messengers. Analysis of the suspect’s online behavior can be done by investigating the browsing histories of all major Web browsers, the mailboxes of popular email clients, peer-to-peer data, and multi-player game chats.

Memory Analysis is Most Downloaded as EnCase App Central Tops 15,000 Downloads

Robert Bond

It wasn’t that long ago that we celebrated the 10,000th download at EnCase® App Central. As a source of excellent and fully tested apps that solve real problems for digital investigators, we are extremely pleased that it has become a regular stop for our EnCase community of developers and investigative pros.

Now we’ve passed the 15,000th download mark, with a few key apps topping the charts as most popular:

Image Analyzer – A Case Simulation in EnCase Forensic

Robert Bond

A new release of Image Analyzer is now available on App Central that supports the scanning of images for pornographic content in both entries and records. This means investigators can analyze images in the records tab that have been extracted from email archives and compound files.

Let’s take a look at how an investigator might use Image Analyzer as part of an investigation involving email misuse in a large corporate environment.

Image Analyzer – Categorizer App for Pictures

Robert Bond

The task of correctly identifying pornographic images in either criminal or civil investigations can be very time consuming and is often like looking for a ‘needle in a haystack’. A single case can contain thousands or even millions of images, most of which are not relevant to the investigation. Even when reviewing images in a convenient thumbnail gallery, a human can only moderate about 5000 images per hour when fatigue is taken into consideration. Therefore cases requiring image review are typically labour intensive and are often postponed, creating a backlog of cases which further compounds the issue.

EnCase App Central Delivers its 10,000th App

Guidance Software

EnCase App Central opened its virtual doors in early spring this year with the goal of providing functionality and efficiency to EnCase users by offering EnScripts, templates, and 3rd-party apps. After just a few months, driven by the power of the EnCase community and our 3rd-party partners, App Central has become the primary source of efficiency-driving solutions for the tens of thousands of EnCase users worldwide.