Showing posts with label Integration.
EnScript and .NET: Debugging in Visual Studio
I have been working on a few projects lately using C# and integrating it with EnScript code, and of course I run into problems in my code. Sometimes the problem is in the EnScript code, but other times it is in the C# code. To be honest, it is more often in the C# code, since I have spent less time in that language than in EnScript, especially in the context of making a DLL to interface with EnScript.
If you have been reading this so far while thinking something like “What? C# and EnScript? When did this happen?”, check out this one for a little intro. My goal in this post is to show you how to debug your C# code while EnScript is calling it. Yes! You can do that!
- Posted by: James Habben
- On: 3/04/2015
- No comments
- Categories: .NET , Automation , EnCase App Central , EnScript , Integration
EnCase and Python – Automating Windows Phone 8 Analysis
Roll Call
You may have read my introductory post about using Python scripts with EnCase. You may have also read my part 2 follow-up, which put a GUI on top of Didier Stevens’ pdf-parser. Did you also read Kevin Breen’s post? He wrote about using EnScript to call out to David Kovar’s analyzemft script. Then Chip wrote a post about sending data out to get parsed by parser-usnjrnl.
- Posted by: Miller
- On: 10/13/2014
- No comments
- Categories: Automation , EnScript , Integration , Python , Windows Phone
EnCase and Python – Part 2
In Part 1 of this post, I shared a method that lets you use Python scripts by configuring a file viewer in EnCase. We used Didier Stevens’ pdf-parser as an example. I also showed how EnScript could be used to greater effect by allowing us to capture the output of pdf-parser directly in a bookmark without having to manually copy and paste. Both of these techniques reduce effort by leveraging capabilities of both EnCase and the Python language.
In this post, I’ll take the same principles and apply them into an EnScript that provides a little more flexibility and functionality. Our goal is to have a GUI that gives you control over the exact functionality you want from the pdf-parser tool.
EnCase and Python - Part 1
As a co-author and instructor for Guidance Software’s EnScript Programming course, I spend a lot of time teaching investigators in person around the globe. Investigators are faced with a dizzying variety of challenges. We work together in class, coming up with solutions that send EnCase off to do our bidding. EnCase and EnScript allow us to “bottle” the result of our efforts to share with other investigators (e.g. categorizing internet history, detecting files hidden by rootkits).
Python is used similarly. The interweb hosts great tools written in Python to accomplish all manner of tasks facing DFIR examiners. The community benefits from the hours of work that go into each and every .py that gets baked. It seemed to me that there should be a way for EnCase and Python to work together, so I put together a brief tutorial.
Fear and Loathing in Internet History
As a DFIR examiner, poring over internet history records is a well-loathed daily activity. We spend hours looking at these lists trying to find an interesting URL that moves our case one direction or another. Sometimes we can use a filtering mechanism to remove URLs that we know for certain are uninteresting, but keeping a list like this up to date is a manual task. I used Websense to assist with this type of work at my previous job, but I have also had brief experience with Blue Coat.
- Posted by: Miller
- On: 9/02/2014
- No comments
- Categories: EnCase App Central , EnCase Forensic , Integration , Internet Artifacts , Training
Working with EnScript and .NET/C#
The ability to manipulate and interpret data structures within evidence has long been a strength of EnCase. EnScript—a core EnCase technology—has enabled investigators and incident responders to be efficient, automating the most sophisticated or mind-numbingly rote techniques. For instance, take Simon Key's (@SimonDCKey) recent post on the OS X Quick Look Thumbnail Cache: the ability to mine, extract and work with critical data for your case is available now. This app, courtesy of Guidance Software Training, just happens to be free, enabling the DFIR community to take advantage. If you need to keep pace with the perpetually accelerating gap between data and the investigator’s ability to understand that data, having extensible, flexible tools in your kit is not optional.
- Posted by: Miller
- On: 6/13/2014
- No comments
- Categories: .NET , EnCase App Central , EnScript , Integration , Training
3 Ways to Make IEF and EnCase Work Better Together
As forensic examiners we all use a variety of tools to conduct our investigations. Because the types and needs of every case vary, so must the tools that support them. We all have our favorites but typically an investigator’s toolbox will be filled with a variety of tools to assist with every scenario we encounter.
Investigators are always taught to use the best tool for the job and to work through cases thoroughly and efficiently. Internet Evidence Finder (IEF) has become a valuable tool for those of us working on cases requiring the analysis of Internet evidence and large volumes of data. IEF is specifically developed to intelligently recover Internet related artifacts from Windows, Mac, Linux, iOS, and Android devices enabling investigators to analyze large amounts of case data quickly and efficiently.
- Posted by: Miller
- On: 4/22/2014
- No comments
- Categories: EnCase App Central , Integration , Internet Evidence Finder
Version 7 Tech Tip: Spotting Full Disk Encryption
With data breaches and data security pushed into the news on a seemingly daily basis, we expect today’s digital investigators to be faced with encryption technology more frequently. For those with something to hide, the use of strong encryption has been widely promoted. For those with data they would like to protect, the use of strong encryption is becoming more commonplace by the day. Most enterprises know full disk and file-level encryption is a necessity if you have something worth protecting. Underlining the trend, Windows 8.1 has designs in place to enable BitLocker encryption by default when appropriate hardware is present. One of the strengths of EnCase over the years has been the ability to identify encryption and decrypt evidence in place, exposing data for investigation without altering its contents.
Part 2 - So much evidence, so many artifacts, so little time…
In my last post, I summarized a handful of apps that are useful to search and explore your case, and apps that help with malware investigations. For the latest updates on apps, go to EnCase App Central directly, or follow us on Twitter @EnCase.
Without further ado, here are some more apps that we hope can help you make your case:
- Posted by: Miller
- On: 4/09/2014
- No comments
- Categories: EnCase App Central , Integration , iOS , Mac OS X , RegRipper , SysTools
Part 1 - So much evidence, so many artifacts, so little time…
I’ve recently taken to tweeting about some of the latest additions to EnCase App Central, and it’s been a reminder of the impressive ingenuity and dedication within the digital investigations community. Our humble app store has grown to house over 100 solutions, extending and increasing the efficiency and efficacy of digital investigations. At Guidance Software, we take pride in shipping software that helps investigators find more evidence, faster, and we see EnCase App Central as a key component of EnCase.
- Posted by: Miller
- On: 4/07/2014
- No comments
Brand New & Improved Volatility Reporting Plugin
Over the past couple of years the Guidance Software EnCase consultants and trainers have provided advice and assistance concerning how to manage the digital artifacts from RAM or memory analysis when using Volatility as their tool of choice. The two blog posts below provide insight into the progress.
- Posted by: Miller
- On: 3/26/2014
- No comments
- Categories: EnCase App Central , Integration , Memory Analysis , Volatility
Working more efficiently with Internet Evidence Finder and EnCase Forensic
Forensics Consultant, Magnet Forensics
Forensic investigators understand that one of the biggest challenges to their cases is time management. As examiners, we would love to spend three months or more on a single case without any other distractions to ensure that every stone is overturned and every detail met with precision, but this is not the reality. Caseloads continually grow far beyond what one person or team can handle and we require the proper processes and tools to manage these cases quickly and efficiently without compromising quality.
- Posted by: Miller
- On: 3/20/2014
- No comments
- Categories: EnCase Forensic , Integration , Internet Evidence Finder
Using Belkasoft Evidence Center in EnCase Forensic Version 7
I’d like to introduce you to a new tool that expands the data-extraction capabilities of EnCase® Forensic. Belkasoft Evidence Center makes it easy for investigators to search computer hard drives, disk images, and snapshots of a computer's volatile memory for many types of digital evidence.
This volatile evidence includes conversations held on social networks, and the tool can quickly locate chats carried over a variety of instant messengers. Analysis of the suspect’s online behavior can be done by investigating the browsing histories of all major Web browsers, the mailboxes of popular email clients, peer-to-peer data, and multi-player game chats.
- Posted by: Miller
- On: 12/18/2013
- No comments
- Categories: Belkasoft Evidence Center , EnCase App Central , EnCase Forensic , Integration
Open for Business: Proactive Discovery Joins Technology Alliance Program
This week we celebrate bringing Proactive Discovery, a leader in the high-tech crime investigations and e-discovery services markets, into our Guidance Software Technology Alliance Program. I’m delighted to have Martin Siefert and his team as part of the alliance. They are sharp developers with deep expertise developing apps that extend our core EnCase® technology–and that make a difference to investigators and information security professionals every day.
Proactive Discovery has a proven record of developing custom EnCase solutions to solve specific challenges faced by their customers, ranging from forensic tools to custom data carvers to enterprise incident-response tools and more. Integrating their work with EnCase is a great example of how we’re proving what our CEO, Victor Limongelli, said in his welcome keynote at CEIC 2013 last May: Guidance Software and EnCase are “open for business.”
- Posted by: Siemens
- On: 10/22/2013
- No comments
- Categories: Development , Integration , Technology Alliance Program
Image Analyzer – A Case Simulation in EnCase Forensic
A new release of Image Analyzer is now available on App Central that supports the scanning of images for pornographic content in both entries and records. This means investigators can analyze images in the Records tab that have been extracted from email archives and compound files.
Let’s take a look at how an investigator might use Image Analyzer as part of an investigation involving email misuse in a large corporate environment.
- Posted by: Miller
- On: 10/14/2013
- No comments
- Categories: EnCase App Central , Explicit Image Detection , Image Analyzer , Integration
Image Analyzer – Categorizer App for Pictures
The task of correctly identifying pornographic images in either criminal or civil investigations can be very time consuming and is often like looking for a ‘needle in a haystack’. A single case can contain thousands or even millions of images, most of which are not relevant to the investigation. Even when reviewing images in a convenient thumbnail gallery, a human can only moderate about 5000 images per hour when fatigue is taken into consideration. Therefore, cases requiring image review are typically labour intensive and are often postponed, creating a backlog of cases which further compounds the issue.
- Posted by: Miller
- On: 10/03/2013
- No comments
- Categories: EnCase App Central , Explicit Image Detection , Image Analyzer , Integration
IEF Evidence Processor Module for EnCase v7
Magnet Forensics has released the Internet Evidence Finder™ (IEF) Evidence Processor Module for EnCase v7. The IEF Evidence Processor Module for EnCase v7 is designed to assist digital investigators with their workflow by allowing them to run Internet Evidence Finder (IEF) from within EnCase, without the need to start IEF separately and point it to the same evidence files you already have loaded in EnCase.
- Posted by: Miller
- On: 9/10/2013
- No comments
- Categories: EnCase Forensic , Evidence Processor , Integration , Internet Evidence Finder
How Does Integration Help You as an Investigator?
A new IEF/EnCase Processor Module will be available September 12th.
The IEF/EnCase Connector referenced in the Blog is available here.
Let’s imagine I have been assigned to investigate a case involving an employee who is suspected of posting threatening comments on a co-worker’s Facebook account (this could be either an internal employee misconduct investigation or a criminal investigation). The messages were sent yesterday.
- Posted by: Miller
- On: 8/26/2013
- No comments
- Categories: EnCase App Central , EnCase Forensic , Integration , Internet Evidence Finder