Showing posts with label EnCase Forensic.

EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting

Part 3 of 3 – Reporting with Quick Report

Robert Batzloff


This series of blog posts has focused on keeping your investigation organized and presenting your evidence in a clear, correct and readable format. Clarity, as well as brevity, is key when delivering digital forensic evidence to those who don’t work in the field. This evidence can be dense and hard to understand. Your job is to make the relevant information apparent and easy to digest. You want the information you present to be easy to explain and defend, because opposing counsel will leap at the chance to capitalize on any potential ignorance regarding digital forensics.

As reporting is the final step in an investigation, we’ll close this blog series by looking at my favorite reporting EnScript: Quick Report Lite.

EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting

Part 1 of 3 – EnCase App Central & Manfred's Comprehensive Case Template

Robert Batzloff 

Now that the Enfuse Call for Papers has just gone out, I'm reminded of all the hard work that went into CEIC earlier this year. While there was record attendance, I know not everyone was able to make it to Vegas, so I wanted to re-examine a few EnScripts that were showcased in May; specifically, EnScripts designed to save time, manage evidence and help create quick, professional reports. In this three-part blog series I'll show you how to access and navigate EnCase App Central and how to join the EnCase Developer Network, and I'll walk you through these EnScripts:

  • What's New in App Central
  • Manfred's Comprehensive Case Template
  • Time Zone Prior to Processing
  • Quick Report 

    Password Recovery Can be Practical

    Guidance Software’s Tableau Unit recently released Tableau™ Password Recovery, a hardware + software solution to accelerate password attacks on protected files, disks, and other containers.

    It’s always fun to play with new toys, and when the new hotness is a purpose-built, linearly scalable, password-cracking behemoth, how can one not share? I did a bit of digging while running a two-server Tableau Password Recovery setup through its paces in our labs here in Pasadena, California, and while I found many good tools and tutorials for password cracking, I found it difficult to differentiate the theoretically possible from the actually practical. Here are some thoughts from that process.
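The "theoretically possible versus actually practical" question above comes down to keyspace divided by guess rate, measured against the time the case allows. The following is an added example, not code from the original post or from Tableau Password Recovery: it computes the keyspace of a hashcat-style mask (the `?l ?u ?d ?s ?a` placeholder syntax is an assumption for illustration), converts it to wall-clock time at a per-node rate with linear scaling across nodes, and classifies the attack against a deadline. The rates and deadline in the sample call are constructed, not measurements of any product.

```python
"""Added example: keyspace and wall-clock time for a mask attack.

Assumptions (not from the page): hashcat-style mask placeholders, a per-node
guess rate in guesses per second, and linear scaling across nodes.
"""
import string

# Placeholder sizes follow hashcat: ?s is the 32 ASCII punctuation characters plus space.
CHARSETS = {
    "l": len(string.ascii_lowercase),   # 26
    "u": len(string.ascii_uppercase),   # 26
    "d": len(string.digits),            # 10
    "s": len(string.punctuation) + 1,   # 33
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]  # 95


def mask_keyspace(mask):
    """Number of candidates produced by a mask such as '?u?l?l?l?d?d'.
    Literal characters (no leading '?') contribute exactly one possibility."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask) or mask[i + 1] not in CHARSETS:
                raise ValueError(f"bad placeholder at offset {i} in {mask!r}")
            total *= CHARSETS[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total


def exhaust_seconds(keyspace, rate_per_node, nodes=1):
    """Worst-case seconds to try every candidate, assuming linear scaling over nodes."""
    if rate_per_node <= 0 or nodes <= 0:
        raise ValueError("rate and node count must be positive")
    return keyspace / (rate_per_node * nodes)


def classify(seconds, deadline_seconds):
    """'practical' if the whole keyspace fits inside the deadline. On average the
    password is found after half the keyspace, so 'marginal' marks the band where
    only the expected case fits; anything beyond that is 'impractical'."""
    if seconds <= deadline_seconds:
        return "practical"
    if seconds / 2 <= deadline_seconds:
        return "marginal"
    return "impractical"


def assess(mask, rate_per_node, nodes, deadline_days):
    """Combine the three steps into one verdict for a mask."""
    ks = mask_keyspace(mask)
    secs = exhaust_seconds(ks, rate_per_node, nodes)
    return {"mask": mask, "keyspace": ks, "hours": secs / 3600,
            "verdict": classify(secs, deadline_days * 86400)}


if __name__ == "__main__":
    # Constructed scenario: a slow key-derivation target at 10,000 guesses/s per node,
    # two nodes, and a 30-day case deadline.
    for mask in ["?d?d?d?d?d?d", "?u?l?l?l?l?l?d?d", "?a?a?a?a?a?a?a?a"]:
        r = assess(mask, rate_per_node=10_000, nodes=2, deadline_days=30)
        print(f"{r['mask']:<18} {r['keyspace']:>22,d} {r['hours']:>14,.1f} h  {r['verdict']}")
```

The point the numbers make is that adding nodes moves the line linearly while each extra `?a` position multiplies the work by 95, so hardware alone rarely turns a full-charset eight-character attack practical; the gains come from narrowing the mask with what is known about the user.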

    Fear and Loathing in Internet History

    James Habben

    As a DFIR examiner, poring over internet history records is a well-loathed daily activity. We spend hours looking at these lists trying to find an interesting URL that moves our case one direction or another. Sometimes we can use a filtering mechanism to remove URLs that we know for certain are uninteresting, but keeping a list like this up to date is a manual task. I used Websense to assist with this type of work at my previous job, but I have also had brief experiences with Blue Coat as well.
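The filtering the post describes, suppressing URLs whose hosts are known to be uninteresting, is shown below as an added example; it is not code from the original post or from EnCase. The noise list and the history records are constructed for the example, and the record format (timestamp, URL) is an assumption. The matching is done on domain-label boundaries so that `notdoubleclick.net` does not match an entry for `doubleclick.net`, and records whose URL cannot be parsed are kept rather than silently dropped.

```python
"""Added example: filter browser-history records against a list of
known-uninteresting domains. Sample data and record layout are constructed."""
from urllib.parse import urlsplit

# Constructed noise list: registrable domains the examiner has decided are never relevant.
NOISE_DOMAINS = {
    "update.microsoft.com",
    "windowsupdate.com",
    "google-analytics.com",
    "doubleclick.net",
}

# Constructed sample history records as (timestamp, URL) pairs.
SAMPLE_HISTORY = [
    ("2014-05-01 09:00:01", "http://www.google-analytics.com/ga.js"),
    ("2014-05-01 09:00:05", "https://ad.doubleclick.net/pixel?id=1"),
    ("2014-05-01 09:01:10", "https://mail.example.net/inbox"),
    ("2014-05-01 09:02:44", "HTTP://Download.WindowsUpdate.com/msdownload/update.cab"),
    ("2014-05-01 09:03:00", "ftp://files.example.org/pub/"),
    ("2014-05-01 09:03:30", "not a url"),
]


def host_of(url):
    """Lowercase host of a URL without a trailing dot, or None if it has no host."""
    try:
        host = urlsplit(url).hostname  # .hostname already lowercases the host
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip(".")


def is_noise(url, noise_domains=NOISE_DOMAINS):
    """True if the URL's host equals, or is a subdomain of, a listed domain.
    Comparing whole label suffixes avoids substring false positives."""
    host = host_of(url)
    if host is None:
        return False  # unparsable records stay in the review set
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in noise_domains:
            return True
    return False


def filter_history(records, noise_domains=NOISE_DOMAINS):
    """Split records into (interesting, suppressed) lists, preserving order."""
    interesting, suppressed = [], []
    for rec in records:
        (suppressed if is_noise(rec[1], noise_domains) else interesting).append(rec)
    return interesting, suppressed


if __name__ == "__main__":
    keep, drop = filter_history(SAMPLE_HISTORY)
    print(f"kept {len(keep)} of {len(SAMPLE_HISTORY)} records; suppressed {len(drop)}")
    for ts, url in keep:
        print(ts, url)
```

Keeping the suppressed records (rather than deleting them) matters for defensibility: the examiner can show exactly what was filtered and by which list entry, and the list itself can be versioned alongside the case.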

    Feature Spotlight: Report Template Wizard

    Ken Mizota

    No forensic investigation is complete without a comprehensive report tailored to the intended audience. Whether the cases involve crime, civil litigation, or policy non-compliance, the end goal of an investigation is to share findings with others. EnCase Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a Report Template. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power.

    EnCase Version 7.10 adds the Report Template Wizard. You can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting while maintaining the power of Report Templates. Read on beyond the jump to learn more.

    Feature Spotlight: Portable Triage

    Ken Mizota

    EnCase 7.10 now includes full EnCase Portable capabilities at no additional cost.

    In this post, I’ll explain what this means to the investigator and show some practical tips on how to make use of your new-found ability. Acquire live RAM? Detect encryption? Perform a snapshot? Capture screenshots of running Windows systems? Learn more after the jump.

    Feature Spotlight: SED Unlock with EnCase & WinMagic SecureDoc

    Ken Mizota

    Self-encrypting drives represent a very specific problem for digital investigators. The direction of technology is clear: within the next few years, strong encryption will be baked into the silicon of every hard drive from every major manufacturer. Self-encrypting drives (SEDs) offer stronger protection than software full-disk encryption in that the stored data is always encrypted at rest and the media encryption key is generated and held inside the drive’s controller. There is no key material on the host to recover, so an attacker is limited to guessing the unlock credential through the drive’s own authentication path rather than brute-forcing the key with traditional means.

    SEDs defeat “cold boot” attacks, since the key never sits in host RAM, make “evil maid” attacks considerably harder, and offer instant encryption and crypto-erase when a drive needs to be repurposed. SEDs are very attractive, but present significant obstacles to traditional disk-based forensics. In this post, we’ll walk through how EnCase 7.10 works with WinMagic SecureDoc to enable forensic investigation of self-encrypting drives.

    Case Study: Chesterfield County Police Department

    Cynthia Siemens

    Profile


    Many digital investigators in law enforcement work for multiple teams and agencies. Keith Vincent is no exception. In his current role in the Economic Crimes Unit of the Chesterfield County Police Department, his title is Detective. In his earlier work as a deputized U.S. Marshal for the Federal Bureau of Investigation’s Child Exploitation Task Force, he was the Task Force Officer, and in his work with Internet Crimes Against Children (ICAC), he served as ICAC representative for his agency.

    So many artifacts, so little time… Summer edition

    Ken Mizota

    EnCase is an extensible digital investigation platform. Simply put, extensibility reduces time and effort for the investigator. One way to validate this claim for yourself is to take a look at the depth and breadth of the ways EnCase can work with existing tools in your kit. For example: Do you already own Magnet Forensics’ IEF? IEF and EnCase work together to reduce work for investigators. Have you considered how to integrate threat intelligence into your DFIR regimen? EnCase and Cisco Security (formerly ThreatGRID) collaborate to reduce IR time and effort. Let’s walk through a few ways extensibility works in your favor.

    Examination of the Mac OS X Quick Look Thumbnail Cache

    Simon Key

    Thumbnail images can be extracted from a variety of sources in a given piece of evidence under investigation (e.g., cached browser images, thumbs.db files, embedded JPEGs, etc.). In OS X, there is a relatively under-exploited source of thumbnails generated from Quick Look technology. In this post, we’ll explore how this particular artifact can be exposed and understood in your next OS X investigation.

    To preface this post, many artifacts created in OS X are most easily reviewed and understood on a Mac natively. However, many investigators lack access to a Mac for forensic investigation. If you haven’t used EnCase for OS X investigations, you may not be aware EnCase has been continuously adding support for investigation of OS X systems, including the comprehensive support for HFS+ extended attributes, Plist parsing, an automated OS X artifact processing module, as well as most recently, native support for decryption of OS X keychains. With each release of EnCase, there are fewer techniques that remain best-suited or unique to a native OS X toolset. That being said… let’s get on with it!

    EnCase 7.09.04: Extracting Passwords from OS X Keychains

    Ken Mizota

    EnCase 7.09.04 is now available and contains several enhancements to make your investigations more efficient and comprehensive. Today’s digital investigators face a constant struggle to maintain comprehensive investigative skill sets while continuously improving efficiency in the face of overwhelming growth of evidence and diversity of malfeasance. EnCase 7.09.04 makes reporting more efficient with the Flexible Reporting Template and reduces investigator effort by enabling decryption of McAfee Endpoint Encryption devices with the 64-bit EnCase Examiner. It also extends EnCase’s Windows-based capabilities for investigating OS X machines, adding the ability to decrypt OS X keychains and extract the passwords they hold.

    To gain access to this release register your dongle and you’ll receive a MyAccount email with download links.

    In this article, I'll walk through the information that can be extracted from keychains and also provide sample EnScript-based techniques to expose this data in EnCase.

    Digital Forensic Investigators’ Skills are Critical as Investigations Grow More Complex

    Robert Bond

    Digital forensic evidence is playing a larger role in determining the guilt or innocence of defendants in both civil and criminal matters. As technology captures movement, messages, photos, and the vast majority of what is done on laptops, smartphones, and tablets, it’s increasingly difficult for criminals to cover their digital tracks.

    Working more efficiently with Internet Evidence Finder and EnCase Forensic

    Jamie McQuaid
    Forensics Consultant, Magnet Forensics

    Forensic investigators understand that one of the biggest challenges to their cases is time management. As examiners, we would love to spend three months or more on a single case without any other distractions, to ensure that no stone is left unturned and every detail is met with precision, but this is not the reality. Caseloads continually grow far beyond what one person or team can handle, and we require the proper processes and tools to manage these cases quickly and efficiently without compromising quality.

    EnCase Forensic 7.09: iOS Investigations Out of the Box

    Ken Mizota

    Most investigators are familiar with the capabilities of EnCase® Forensic as a tool for investigation of desktops, servers, and hard drives, but did you know that ever since EnCase Forensic v7 was introduced, it has provided support for smartphone operating systems out-of-the-box? In Version 7.09, the latest release, EnCase improves smartphone acquisition, analysis and reporting capabilities by adding support for iOS 7 devices.

    As you likely know, the mobile device market is dominated by iOS and Android devices. Over 90 percent of the world's smartphone users have an Apple- or Google-powered device. However, even within the majority, there are multiple factors that investigators like you must consider and ultimately deal with, including:

    A Treasure Trove of EnCase Version 7 Resources to Help You Make the Transition

    Ken Mizota

    Not long ago I was at the annual HTCIA conference in Summerlin, Nevada, where I enjoyed having the chance to meet with a number of customers—everyone from recently trained to highly expert investigators. Many of them were proficient in EnCase® Version 6 and wanted to build their EnCase Version 7 skills, but didn’t know where to begin.

    If you’ve been wanting to make the transition to EnCase Version 7, but can’t take a trip to an official training center right now, I want you to know about some invaluable resources that can help get you up to speed. Most are free, with a handful of paid online courses at the end.

    Version 7 Tech Tip #2: Processing Multiple Cases Serially from a Single Workstation

    Jasper Rowe

    Did you know you can use a single instance of EnCase® to queue jobs from different cases? 

    In previous versions, it was possible to process multiple cases simultaneously using multiple sessions of EnCase. Even though the licensing allowed for this, the processing itself would have had to rely on shared resources. 

    Version 7 Tech Tip #1: Matching Parent E-Mails with Attachments in Searches

    James Gagen

    This is the first in a series of brief, but frequently asked questions and answers about working with EnCase® Forensic Version 7. We hope they save you time and help you close cases faster.

    One of the questions we are often asked in Technical Services about working with e-mail searches is, "When I find a relevant e-mail attachment, how can I find the e-mail that the attachment belongs to?" Searching in e-mail may result in keywords being found in both e-mails and attachments. This is how to locate the e-mail to which the attachment belongs:

    Using Belkasoft Evidence Center in EnCase Forensic Version 7

    Robert Bond

    I’d like to introduce you to a new tool that expands the data-extraction capabilities of EnCase® Forensic. Belkasoft Evidence Center makes it easy for investigators to search computer hard drives, disk images, and snapshots of a computer's volatile memory for many types of digital evidence.
    The evidence it recovers includes social-network conversations and chats carried over a variety of instant messengers. A suspect’s online behavior can be analyzed through the browsing histories of all major Web browsers, the mailboxes of popular email clients, peer-to-peer data, and multi-player game chats.

    New Speed and Power Part of EnCase® Forensic Version 7.08 Session at HTCIA Asia Pacific

    Robert Bond

    Agenda for HTCIA Asia Pacific
    Frank Butler, the Director of ATP Training at Guidance Software, will be presenting a session on EnCase® Forensic v7.08 at the HTCIA Asia Pacific Conference in Hong Kong on December 3, 2013. Now in its third year, EnCase Forensic v7 has evolved into a highly functional and customizable tool. In fact, independent testing shows it to be the fastest, most comprehensive digital forensic solution available to examiners today.

    Frank will present some of the most outstanding new features in Version 7.08, including:

    The Shortest Path from EnCase Forensic v6 to v7: Two-part "Transitions" Webinar

    Robert Bond
    Make the leap from EnCase Forensic v6 to v7

    Every month we see more digital forensics pros making the leap from EnCase® Forensic v6 to v7. We know that many in our EnCase community gained cutting-edge skills with v6, yet more and more of you are attracted to v7 by our continuing focus on software maturity, stability, and a natural workflow that can be customized to work exactly the way you do, day by day. With each release, new features like distributed processing, remote forensic capability, and the rich and fully tested treasure trove of EnScripts® and apps in EnCase® App Central mean additional investigative power for you and your caseload.

    Ease the Transition with a Two-Part Webinar
    Join us on December 10th and later on January 14th for a walk-through of the steps involved in moving from v6 to v7 as presented by one of our master Guidance Software EnCase trainers.