Showing posts with label Mac OS X. Show all posts
Showing posts with label Mac OS X. Show all posts

Q&A: Transitioning from EnCase Version 6 to Version 7 Webinars

Ken Mizota

At parts 1 and 2 of the webinar series, "Transitioning from EnCase Version 6 to Version 7," we ran out of time to answer all of your questions. In this blog post, I've attempted to answer them and hope it helps you continue a productive transition.

View the webinars: Part 1 and Part 2

Can you discuss how you’ve made reporting less complicated and what resources we could use to simplify reporting even further?

Once the hard work of painstaking analysis and review of an investigation is complete, determining what to share with an external audience is an important, but often time-consuming task. EnCase® Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a polished examination report with a minimum of effort. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power. When time is precious and working with Report Templates is more complex than desired, we built the Report Template Wizard to make it faster and easier to perform basic reporting modifications directly from Bookmarks.

Examination of the Mac OS X Quick Look Thumbnail Cache

Simon Key

Thumbnail images can be extracted from a variety of sources in a given piece of evidence under investigation (e.g., cached browser images, thumbs.db files, embedded JPEGs, etc.). In OS X, there is a relatively under-exploited source of thumbnails generated from Quick Look technology. In this post, we’ll explore how this particular artifact can be exposed and understood in your next OS X investigation.

To preface this post, many artifacts created in OS X are most easily reviewed and understood on a Mac natively. However, many investigators lack access to a Mac for forensic investigation. If you haven’t used EnCase for OS X investigations, you may not be aware EnCase has been continuously adding support for investigation of OS X systems, including the comprehensive support for HFS+ extended attributes, Plist parsing, an automated OS X artifact processing module, as well as most recently, native support for decryption of OS X keychains. With each release of EnCase, there are fewer techniques that remain best-suited or unique to a native OS X toolset. That being said… let’s get on with it!

EnCase 7.09.04: Extracting Passwords from OS X Keychains

Ken Mizota

EnCase 7.09.04 is now available and contains several enhancements to make your investigations more efficient and comprehensive. Today’s digital investigators face a constant struggle to maintain comprehensive investigative skill sets, while continuously improving efficiency in the face of overwhelming growth of evidence and diversity of malfeasance. EnCase 7.09.04 makes reporting more efficient with the Flexible Reporting Template and reduces investigator effort by enabling decryption of McAfee Endpoint Encryption devices with the 64-bit EnCase Examiner. EnCase 7.09.04 expands on the strongest Windows-based investigation capabilities of OS X machines, adding the ability to decrypt and extract passwords from OS X keychains.

To gain access to this release register your dongle and you’ll receive a MyAccount email with download links.

In this article, I'll walk through the information that can be extracted from keychains and also provide sample EnScript-based techniques to expose this data in EnCase.

Part 2 - So much evidence, so many artifacts, so little time…

Ken Mizota

In my last post, I summarized a handful of apps that are useful to search and explore your case, and apps that help with malware investigations. For latest updates on apps go to EnCase App central directly, or follow us on twitter @EnCase.

Without further ado, here are some more apps that we hope can help you make your case:

Examining Mac OS X User & System Keychains

Simon Key


To forensic examiners with little or no knowledge of Mac OS X, the concept of a Mac OS X keychain may be an alien one. This article aims to provide an overview of the following with regards to Mac OS X keychains –

Safari Form Values Decryptor

James Habben

As a forensic investigator, you are likely already familiar with the artifacts left in storage on a disk from the use of a web browser. The mainstream browsers all provide, for the most part, the same functionality of things like tabbed browsing, remembering history and exposing it in date ranges, storing bookmarks for later viewing, etc.

One of those features is the topic of this blog post: remembering data that a user typed into a form field so that same value doesn’t have to be typed into that same form next time. This is generally referred to as an autofill form values feature. Firefox, Chrome, Internet Explorer, Safari, they all offer this feature, but each of them store these values in a different way.