Showing posts with label EnCase Forensic.

Belkasoft Evidence Center Offers Tighter Integration with EnCase

Robert Bond

Belkasoft has announced tighter integration of its flagship forensic tool, Belkasoft Evidence Center, with Guidance Software EnCase, the industry-standard all-in-one computer investigation solution. The integration supports the latest version of EnCase 7, so EnCase users can easily access and analyze data obtained or carved by Belkasoft Evidence Center.

In addition, the new release adds support for *nix and MacOS file systems, enabling Belkasoft users to analyze disks and disk images from a wider range of PCs than ever. Support for the file systems used in Windows, *nix and MacOS computers in a single tool is unique to Belkasoft Evidence Center, making it stand out as the single most comprehensive forensic analysis tool.

EnCase Evidence Processor Manager: Working the Backlog

Ken Mizota

I am often asked the question: "When is EnCase going to be able to distribute processing?" EnCase customers have a naturally voracious appetite for processing, and case backlogs grow over time and with each new technology. I’ll define a backlog as a set of evidence awaiting review by an Investigator. While EnCase Evidence Processor introduced powerful automation capabilities, the task of centrally distributing, prioritizing and managing evidence processing has been largely left to the best effort of the Investigator.

IEF Evidence Processor Module for EnCase v7

Lance Mueller

Magnet Forensics has released the Internet Evidence Finder (IEF) Evidence Processor Module for EnCase v7. The module is designed to assist digital investigators with their workflow by allowing them to run IEF from within EnCase, without the need to start IEF separately and point it at the same evidence files you already have loaded in EnCase.

Evidence Processor Performance Monitoring - Part II

Guidance Software

Feature Spotlight: Performance Test

In the last feature spotlight, I described the new Performance tab in EnCase Version 7.07. Once you have visibility into the performance of Evidence Processor within EnCase, the following questions quickly arise:
  1. What can I do to speed up Evidence Processor from a hardware perspective?
  2. When Evidence Processor is taking longer than expected, what kind of information can I share with Guidance?

How Does Integration Help You as an Investigator?

Lance Mueller

A new IEF/EnCase Processor Module will be available September 12th.

The IEF/EnCase Connector referenced in the blog post is available here.

Let’s imagine I have been assigned to investigate a case involving an employee who is suspected of posting threatening comments on a co-worker’s Facebook account (this could be either an internal employee-misconduct investigation or a criminal investigation). The messages were sent yesterday.

Windows Resilient File System Forensics

Ken Mizota

In the fall of 2012, Microsoft made Windows Server 2012 generally available with a quietly announced feature: Resilient File System (ReFS). Of course, Microsoft does not roll out new file systems casually, and when they do, the ripple effects are generally felt slowly. NTFS has been generally available since Windows NT 3.1, released in 1993. If one runs a data center of any size, swapping out the underlying file system of critical or precious data is not a decision taken lightly. In large part, this justifies a general complacence in our field of digital forensics tools when considering how to deal with this new file system. Today, ReFS is a rare bird: investigators just don’t see it very often. We think that is going to begin to change later this year.

Volatility Reporting Plugin for EnCase Forensic v7

Guidance Software

As most investigators know, volatile memory contains valuable information about the runtime state of the system, registry keys, network connections in memory and much more. One of the most popular tools to handle memory analysis is Volatility, an open source tool created by Volatile Systems.
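As an added example that is not from the original post and not code from the Volatility project or the EnCase plugin it describes: the Python below parses the plain-text output of a Volatility 2.x `pslist` run (a constructed sample is embedded; it is not real case data), flags processes whose parent is missing or unexpected and singleton system processes that appear more than once, and writes the table out as CSV so it can be kept with the case alongside the memory image. The expected-parent and singleton tables are assumptions modelled on a single-session Windows XP layout and should be adjusted for the image under examination.

```python
import csv
import io
import re

# Constructed sample of Volatility 2.x `pslist` text output (not real case data).
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.3
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     58      573 ------      0
0x820df020 smss.exe                544      4      3       21 ------      0 2012-07-22 02:42:31 UTC+0000
0x821a2da0 csrss.exe               608    544     12      423      0      0 2012-07-22 02:42:32 UTC+0000
0x8218a6b8 winlogon.exe            632    544     23      519      0      0 2012-07-22 02:42:32 UTC+0000
0x8215b020 services.exe            676    632     16      261      0      0 2012-07-22 02:42:33 UTC+0000
0x8214d020 lsass.exe               688    632     24      330      0      0 2012-07-22 02:42:33 UTC+0000
0x81e3d020 svchost.exe            1024    676     14      212      0      0 2012-07-22 02:42:35 UTC+0000
0x81d9f020 svchost.exe            1900   3311      5       40      0      0 2012-07-22 02:51:02 UTC+0000
0x81cc1020 lsass.exe              4096   1024      2       13      0      0 2012-07-22 02:55:17 UTC+0000
"""

# One pslist row: hex offset, image name, six numeric/placeholder columns, then optional
# start and exit timestamps, each of which is three space-separated tokens.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\S+)\s+(?P<wow64>\d+)"
    r"(?:\s+(?P<start>\S+ \S+ \S+))?(?:\s+(?P<exit>\S+ \S+ \S+))?\s*$"
)

# Assumptions for a single-session Windows XP image; adjust for the OS in the memory image.
SINGLETONS = {"lsass.exe", "services.exe", "winlogon.exe"}
EXPECTED_PARENT = {
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe", "wininit.exe"},
    "lsass.exe": {"winlogon.exe", "wininit.exe"},
    "svchost.exe": {"services.exe"},
}
COLUMNS = ("offset", "name", "pid", "ppid", "thds", "hnds", "sess", "wow64", "start", "exit")


def parse_pslist(text):
    """Parse pslist text output into dict rows; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("pid", "ppid", "thds", "hnds", "wow64"):
                row[key] = int(row[key])
            row["sess"] = None if row["sess"].startswith("-") else int(row["sess"])
            rows.append(row)
    return rows


def find_anomalies(rows):
    """Cheap triage: missing parents, unexpected parents, duplicated singleton processes."""
    by_pid = {r["pid"]: r for r in rows}
    by_name, findings = {}, []
    for r in rows:
        name = r["name"].lower()
        by_name.setdefault(name, []).append(r["pid"])
        parent = by_pid.get(r["ppid"])
        if r["ppid"] != 0 and parent is None:
            findings.append((r["pid"], r["name"], f"parent PID {r['ppid']} is not in the listing"))
        elif parent is not None and name in EXPECTED_PARENT \
                and parent["name"].lower() not in EXPECTED_PARENT[name]:
            findings.append((r["pid"], r["name"],
                             f"parent is {parent['name']} (PID {parent['pid']}), "
                             f"expected one of {sorted(EXPECTED_PARENT[name])}"))
    for name, pids in by_name.items():
        if name in SINGLETONS and len(pids) > 1:
            for pid in pids:
                findings.append((pid, name, f"{len(pids)} instances of {name}, expected exactly one"))
    return findings


def to_csv(rows):
    """Flatten the parsed table to CSV: one header line plus one line per process."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for r in rows:
        writer.writerow(["" if r[c] is None else r[c] for c in COLUMNS])
    return buf.getvalue()


if __name__ == "__main__":
    table = parse_pslist(SAMPLE_PSLIST)
    for pid, name, reason in find_anomalies(table):
        print(f"PID {pid:>5} {name:<14} {reason}")
    print(to_csv(table))
```

On the constructed sample the triage reports svchost.exe PID 1900 (its parent 3311 is gone), the second lsass.exe PID 4096 twice (started by svchost.exe, and lsass.exe should exist once), and the legitimate lsass.exe PID 688 once for the duplicate. Treat every finding as a lead to verify in the image, not a verdict: on Vista and later, for example, csrss.exe is started by a per-session smss.exe that exits immediately, and this check would report it as an orphan.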

Examining Mac OS X User & System Keychains

Simon Key

Introduction

To forensic examiners with little or no knowledge of Mac OS X, the concept of a Mac OS X keychain may be an alien one. This article aims to provide an overview of the following with regard to Mac OS X keychains:

Safari Form Values Decryptor

James Habben

As a forensic investigator, you are likely already familiar with the artifacts left in storage on a disk from the use of a web browser. The mainstream browsers all provide, for the most part, the same functionality of things like tabbed browsing, remembering history and exposing it in date ranges, storing bookmarks for later viewing, etc.

One of those features is the topic of this blog post: remembering data that a user typed into a form field so that the same value doesn’t have to be typed into the same form next time. This is generally referred to as an autofill form values feature. Firefox, Chrome, Internet Explorer and Safari all offer this feature, but each of them stores these values in a different way.

Unbiased Testing Confirms: EnCase® Forensic is Fastest

Ken Mizota, Product Manager, Forensic Solutions

Well, that didn’t take long.

A genuine, independent third party, Digital Intelligence, a company recognized and respected in the forensic community and a reseller of forensic-specific solutions, including EnCase® Forensic and AccessData’s Forensic Toolkit (FTK) software, recently published the results of its testing of both FTK and EnCase Forensic.

Feature Spotlight: Direct Network Preview

Guidance Software

EnCase Version 7.06 introduces a new built-in ability to perform remote forensics. If you are unfamiliar with the term “remote forensics”, take a moment to review the Gartner Remote Forensics Report for 2012. EnCase Forensic Version 7.06 brings remote forensics to the standard in digital investigations, and enables forensically sound investigation of live devices. In this post, we’ll walk through how to perform a network preview, and we’ll discuss some of the key differences between remote investigation in EnCase Forensic and EnCase Enterprise.

Feature Spotlight: Embedding Hyperlinks in Exported Reports

Guidance Software

EnCase version 7.05 provides the ability to include hyperlinks to original documents and images in reports and offers updated report templates that display more metadata than ever before. View important metadata such as dates, times, physical sector information for unallocated items and hash values. Continue reading to learn how to include hyperlinks in your exported reports.

EnCase v6 to v7 CEIC Session Recap

Guidance Software

It is hard to believe CEIC 2012 was almost two months ago. Since CEIC we have been hard at work on EnCase, in fact recently we released an update to v7, v7.04.1. If you did not receive the email notification about this release you can request the software download links by registering your dongle. Look for another great update to v7 coming in the fall, v7.05.

Examining Volume Shadow Copies – The Easy Way!

Simon Key

INTRODUCTION

The Volume Shadow Copy Service (VSS) is a framework that allows volume backups to be created while file system writes continue to take place.

Originally implemented in Windows XP and Windows Server 2003, VSS was expanded with Windows Vista, resulting in an additional Previous Versions properties sheet in Windows Explorer.

Using Volatility with EnCase

Mark Morgan

INTRODUCTION

Memory analysis has come a long way, and it is imperative that a good incident responder realize the valuable information that can be obtained by analyzing memory.

I have been conducting incident response investigations for a few years now and have always used Volatility as my tool of choice. I like it because, first off, it is open source, and I have found it to be very user-friendly for identifying possible malware and for understanding the results that are retrieved from memory.

CEIC and EnCase Essentials v7 Training

Guidance Software

Last week at CEIC we ran four “Upgrading EnCase v6 to v7: Who Moved My Cheese?” sessions. The sessions were packed with EnCase v6 users who were looking to get past the obstacles that were preventing their full transition to v7. In total we presented to close to 200 attendees and had some really great discussion. By the end of the sessions I could see many of the attendees were ready to get going with v7.

During the process of walking the users through v7 I learned that quite a few of the folks in each session had yet to view the free EnCase Essentials Training. One of the reasons many had not taken advantage of this free training was that they did not have ready access to the internet at work. Even those who knew about the training were forced to view it during their off hours, when they were able to connect to the internet.

The first thing I did when I got to the office this week was ask our training department to create an offline version of the essentials training and they did. Now anyone that wants to get the basics of v7 can download this offline format of the EnCase Essentials Training and view the lessons anytime, anywhere. In addition, we also updated the companion EnCase Essentials Training Guide, incorporating the changes made in the latest release of EnCase, v7.04. Be sure to download these two files when you get a chance and keep them handy.

On a related note I am planning a v6 to v7 webinar series where we will cover many of the topics that were presented during the CEIC session. Look for more information about this webinar series soon.

Passware Kit Forensic - Now Available for Purchase

Guidance Software

During the v7 roadshow last year, one of the most talked-about new features was our Passware integration. The question I heard over and over was "Can I buy Passware from Guidance Software?" At the time, unfortunately, you could not, but I am glad to say that now you can. Before getting into how you can purchase the product, let's talk a little about our integration and what exactly you can do with Passware Kit Forensic.

With EnCase® Forensic v7 you can perform protected file analysis in the evidence processor. Using Passware's Encryption Analyzer, EnCase will identify encrypted and password-protected files. Once protected file analysis is complete, you will be able to see which files are protected as well as the complexity of the protection, pretty cool stuff.

To do what I have briefly described you do not need a license for Passware; this capability is part of v7, no strings attached. However, if you want to take the next step and actually decrypt the files, you do need the Passware Kit Forensic product, which you can now purchase directly from Guidance.
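An added example, not part of the original post and unrelated to how Passware's Encryption Analyzer is actually implemented: a minimal protected-file triage in Python that checks the indicators an examiner would otherwise look at by hand (the ZIP encryption flag and AES compression method, the PDF /Encrypt entry, the EncryptedPackage stream in an Office 2007+ container) and falls back to an entropy measurement for anything without a recognised header. The test vectors are constructed inline; the 7.9 bits/byte threshold and the UTF-16LE stream-name search are assumptions, and the "encrypted" ZIP only has its flag set, so it is a detector test case rather than a real archive.

```python
import io
import math
import struct
import zipfile
from random import Random

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File Binary (OLE2) header
ENTROPY_THRESHOLD = 7.9   # bits per byte; assumption, tune against known-good samples


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zip_entries(data: bytes):
    """Yield (name, flags, method) for each local file header in a ZIP container."""
    pos = 0
    while (pos := data.find(b"PK\x03\x04", pos)) >= 0 and pos + 30 <= len(data):
        (_ver, flags, method, _mtime, _mdate, _crc, csize, _usize,
         nlen, elen) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        yield data[pos + 30:pos + 30 + nlen].decode("cp437", "replace"), flags, method
        pos += 30 + nlen + elen + csize   # skip header, name, extra field and stored data


def analyze(data: bytes) -> dict:
    """Classify a file as protected (encrypted / password-protected) or not, with the evidence."""
    if data.startswith(b"PK\x03\x04"):
        entries = list(zip_entries(data))
        # General-purpose flag bit 0 = traditional ZipCrypto; method 99 = WinZip AES.
        enc = [name for name, flags, method in entries if flags & 0x0001 or method == 99]
        return {"format": "zip", "protected": bool(enc),
                "detail": f"{len(enc)} of {len(entries)} entries flagged encrypted: {enc}"}
    if data.startswith(b"%PDF-"):
        has_encrypt = b"/Encrypt" in data
        return {"format": "pdf", "protected": has_encrypt,
                "detail": "/Encrypt dictionary present" if has_encrypt else "no /Encrypt dictionary"}
    if data.startswith(OLE_MAGIC):
        # Office 2007+ encrypted documents are OLE containers with an EncryptedPackage stream;
        # directory entry names are UTF-16LE. Legacy .doc/.xls RC4 encryption is not covered here.
        has_pkg = "EncryptedPackage".encode("utf-16-le") in data
        return {"format": "ole", "protected": has_pkg,
                "detail": "EncryptedPackage stream present" if has_pkg else "no EncryptedPackage stream"}
    h = shannon_entropy(data)
    return {"format": "unknown", "protected": h >= ENTROPY_THRESHOLD,
            "detail": f"no recognised header; entropy {h:.2f} bits/byte"}


def make_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Build a small ZIP in memory; optionally set the encryption flag in both headers.
    The payload stays plaintext, which exercises the detector but is not a valid encrypted archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):   # local / central header flags
            at = data.find(sig) + off
            struct.pack_into("<H", data, at, struct.unpack_from("<H", data, at)[0] | 0x0001)
    return bytes(data)


# Constructed test vectors (not real evidence).
SAMPLES = {
    "plain.zip": make_zip("notes.txt", b"nothing to hide here", False),
    "locked.zip": make_zip("secret.txt", b"\x8f\x02\xa1 ciphertext placeholder", True),
    "open.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n",
    "locked.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n",
    "locked.docx": OLE_MAGIC + b"\x00" * 504 + "EncryptedPackage".encode("utf-16-le") + b"\x00" * 480,
    "blob.bin": Random(7).randbytes(16384),   # deterministic stand-in for a container fragment
    "readme.txt": b"The quick brown fox jumps over the lazy dog. " * 200,
}

if __name__ == "__main__":
    for filename, data in SAMPLES.items():
        result = analyze(data)
        print(f"{filename:<12} {result['format']:<8} protected={result['protected']!s:<5} {result['detail']}")
```

Two caveats worth keeping in mind when reading such a report. A PDF whose /Encrypt dictionary was written with an empty user password opens without any prompt, so "protected" is not the same as "needs a password". And the entropy fallback cannot tell encryption from compression or from media that is already compressed, so a high-entropy hit on an unrecognised file is a reason to look closer, not a finding in itself.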

For those of you not familiar with this product, Passware Kit Forensic is a complete encrypted-evidence discovery and decryption solution for computer forensics. It recovers or resets passwords for more than 200 different types of files, decrypts hard drives and PGP archives, and unlocks Windows and Mac accounts. Complete with FireWire Memory Imager, Passware Kit Forensic is the first and only commercial software that decrypts BitLocker, TrueCrypt and FileVault hard disks, and instantly recovers or bypasses Mac and Windows login passwords of seized computers.

The latest version of Passware Kit Forensic, v11.3 includes the following capabilities, to name a few:

• Decrypts 200+ file types
• Decrypts FDE: TrueCrypt, BitLocker, FileVault and PGP
• Recovers Mac user passwords
• Acquires and analyzes live memory images
• Distributed and Cloud Computing acceleration
• Hardware acceleration: NVIDIA & ATI GPU, TACC, multi-cores

As Dmitry Sumin, President of Passware, Inc. said, “Encryption is becoming a major obstacle for digital investigations. We are excited to provide EnCase customers with an efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis.” By the way, if you don't already follow Passware on Twitter, you should.

Dmitry and his team have been great to work with over this past year, and we look forward to providing further integration in the future.

What's the EnCase Processor?

Guidance Software

Last week I sat in on an EnCase® Computer Forensics I class held here in our Pasadena Training Center.

It was a great class, with a nice mix of students from law enforcement, corporate, and consulting organizations. As the class began the lessons on the Evidence Processor, the instructor asked the students if they had ordered their free EnCase Processor yet, and to my surprise more than one student asked, "What's the EnCase Processor?"

Seeing this firsthand, I thought I'd better take a couple of minutes to explain the new EnCase Processor product and let you know how you can order yours today. All EnCase Forensic v7 licenses now include an EnCase Processor dongle, so if you purchased v7 after v7.03 was released you probably already have your EnCase Processor dongle. If you purchased EnCase Forensic v7 before v7.03 was released, you just need to fill out a short form to get your free dongle, but I am getting ahead of myself. Back to the task at hand: explaining the new EnCase Processor product.

The EnCase Processor is a standalone evidence processor designed to allow forensic examiners to offload the acquisition and processing of evidence to another computer, freeing up their forensic workstation for casework. Since EnCase Forensic v7 already includes an evidence processor, you are essentially doubling your processing capacity. The capabilities of the EnCase Processor are the same as those of the evidence processor in v7, with one additional capability: smartphone acquisition and reporting.

To read about what you can do with the EnCase Processor, download the EnCase Forensic v7 Essentials Manual. The manual is full of great information, including details about the different tasks you can automate with the EnCase Processor. As I mentioned, to order your free EnCase Processor, take a couple of minutes and fill out the EnCase Processor order form. All you need to have is the physical address you want the dongle shipped to and your EnCase Forensic dongle ID. To make it easier, if you have several EnCase Forensic dongles you can fill out the form once and enter all the dongle IDs together, provided you want the Processor dongles shipped to the same address.

Be sure to keep your eye out on this blog for more information about the processor as well as the other new features of EnCase Forensic v7. As always, any questions or comments please let me know.

EnCase Forensic – A Development Perspective

Ken Basore

With the release of EnCase v7.03, I wanted to highlight for you a few things that we have been working on over the past several months. Since the release of Version 7, we have heard from many of you that the processing speeds were not acceptable. In addition, we have heard from some of you that there were elements of the new user interface that did not make it easy for you to work your cases the way you prefer. Well, we have listened carefully to all of this feedback, and our Development team has worked hard to make Version 7 easier to use and more robust than any other product, including our own Version 6. With EnCase v7.03, we concentrated on several key areas that were either of concern to our users or could advance the product in important ways.
  • Evidence Processor Performance
  • Support for Text Indexing in Slack and Unallocated Space
  • Compressed review of Search hits
  • Additional Artifacts including attached USB devices and mounted network shares
With respect to the first item, we looked at many different types of evidence and found certain areas where we could optimize how EnCase handles the vast amount of data that can be generated during processing. We changed how some data was stored, as well as how often EnCase reads from certain data files, and when we were done v7.03 processed the same evidence 2 – 3 times faster than v7.02. When you add in that EnCase now also indexes slack and unallocated space, the improvement is even more substantial, and users can now expect processing to complete much faster.
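As an added illustration of what indexing slack and unallocated space buys an examiner (this is not EnCase code and not from the original post): the Python below builds a tiny constructed volume with three allocated files, then searches for a keyword separately in each file's logical content, in each file's slack (the bytes between the recorded file size and the end of its last cluster) and in contiguous runs of unallocated clusters. The cluster size, the file table and the planted keyword are all constructed for the example. Searching only allocated content finds one of the three hits.

```python
from dataclasses import dataclass
from typing import List, Tuple

CLUSTER = 512       # bytes per cluster on the constructed volume (assumption)
N_CLUSTERS = 8


@dataclass(frozen=True)
class Entry:
    """An allocated file: its name, first cluster, cluster count and recorded logical size."""
    name: str
    first_cluster: int
    clusters: int
    size: int


# Constructed file table: clusters 0, 1-2 and 4 are allocated; 3 and 5-7 are unallocated.
ENTRIES = [Entry("$boot", 0, 1, 512), Entry("report.docx", 1, 2, 700), Entry("notes.txt", 4, 1, 300)]
KEYWORD = b"wiretransfer"


def build_volume() -> bytes:
    """Constructed 4 KiB volume with the keyword planted in three different kinds of space."""
    vol = bytearray(CLUSTER * N_CLUSTERS)
    vol[0:512] = b"B" * 512                    # $boot
    vol[512:1212] = b"R" * 700                 # report.docx logical content (clusters 1-2)
    vol[2048:2348] = b"N" * 300                # notes.txt logical content (cluster 4)
    vol[2098:2098 + len(KEYWORD)] = KEYWORD    # inside the live content of notes.txt (offset 50)
    vol[1424:1424 + len(KEYWORD)] = KEYWORD    # report.docx slack: past byte 700, still in cluster 2
    vol[3082:3082 + len(KEYWORD)] = KEYWORD    # unallocated cluster 6, referenced by no file
    return bytes(vol)


def file_content(vol: bytes, e: Entry) -> bytes:
    start = e.first_cluster * CLUSTER
    return vol[start:start + e.size]


def file_slack(vol: bytes, e: Entry) -> bytes:
    """Bytes between the recorded end of the file and the end of its last cluster."""
    start = e.first_cluster * CLUSTER
    return vol[start + e.size:start + e.clusters * CLUSTER]


def unallocated_runs(entries: List[Entry]) -> List[Tuple[int, int]]:
    """Contiguous runs of unallocated clusters as (first_cluster, count)."""
    allocated = {c for e in entries for c in range(e.first_cluster, e.first_cluster + e.clusters)}
    runs, c = [], 0
    while c < N_CLUSTERS:
        if c in allocated:
            c += 1
            continue
        start = c
        while c < N_CLUSTERS and c not in allocated:
            c += 1
        runs.append((start, c - start))
    return runs


def find_all(buf: bytes, needle: bytes) -> List[int]:
    hits, pos = [], buf.find(needle)
    while pos >= 0:
        hits.append(pos)
        pos = buf.find(needle, pos + 1)
    return hits


def search_volume(vol: bytes, entries: List[Entry], needle: bytes) -> List[Tuple[str, str, int]]:
    """Every hit as (region, label, offset within that region)."""
    hits = []
    for e in entries:
        hits += [("allocated", e.name, o) for o in find_all(file_content(vol, e), needle)]
        hits += [("slack", e.name, o) for o in find_all(file_slack(vol, e), needle)]
    for first, count in unallocated_runs(entries):
        # One buffer per run, so a hit that straddles a cluster boundary is still found.
        run = vol[first * CLUSTER:(first + count) * CLUSTER]
        label = f"clusters {first}-{first + count - 1}"
        hits += [("unallocated", label, o) for o in find_all(run, needle)]
    return hits


if __name__ == "__main__":
    for hit in search_volume(build_volume(), ENTRIES, KEYWORD):
        print(hit)
```

The slack hit in report.docx is the interesting one: the file's recorded size is 700 bytes, but it owns two 512-byte clusters, and the trailing 324 bytes hold whatever occupied that cluster before. A file-level keyword search never reads those bytes; an indexer that covers slack and unallocated space does.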

Welcome to the EnCase Forensic Blog

Guidance Software

Today we are launching the EnCase Forensic blog.

You might say, “Why have another blog?” Well, I am glad you asked. First, while the EnCase Forensic product page has lots of great information about the product, it’s really not conducive to carrying on a conversation with the forensic community. On top of that, we wanted a place where we could talk about EnCase in a much more flexible environment. So this is how the EnCase Forensic blog was born. There will be a number of different topics discussed in this blog, from product release announcements and future development plans to detailed “How-to” posts highlighting how best to use a feature in version 7.

If you have suggestions for topics, please feel free to drop me a line. Enough about the blog, let's get on with the show. Enjoy!