Showing posts with label Reporting. Show all posts

EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting

Part 3 of 3 – Reporting with Quick Report

Robert Batzloff


This series of blog posts has focused on keeping your investigation organized and presenting your evidence in a clear, correct and readable format. Clarity, as well as brevity, is key when delivering digital forensic evidence to those who don’t work in the field. This evidence can be dense and hard to understand. Your job is to make the relevant information apparent and easy to digest. You want the information you present to be easy to explain and defend because opposing counsel will leap at the chance to capitalize on any potential ignorance regarding digital forensics.

As reporting is the final step in an investigation, we’ll close this blog series by looking at my favorite reporting EnScript: Quick Report Lite.

Q&A: Transitioning from EnCase Version 6 to Version 7 Webinars

Ken Mizota

At parts 1 and 2 of the webinar series, "Transitioning from EnCase Version 6 to Version 7," we ran out of time to answer all of your questions. In this blog post, I've attempted to answer them and hope it helps you continue a productive transition.

View the webinars: Part 1 and Part 2

Can you discuss how you’ve made reporting less complicated and what resources we could use to simplify reporting even further?

Once the hard work of painstaking analysis and review of an investigation is complete, determining what to share with an external audience is an important, but often time-consuming task. EnCase® Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a polished examination report with a minimum of effort. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power. When time is precious and working with Report Templates is more complex than desired, we built the Report Template Wizard to make it faster and easier to perform basic reporting modifications directly from Bookmarks.

Feature Spotlight: Report Template Wizard

Ken Mizota

No forensic investigation is complete without a comprehensive report tailored to the intended audience. Whether the cases involve crime, civil litigation, or policy non-compliance, the end goal of an investigation is to share findings with others. EnCase Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a Report Template. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power.

EnCase Version 7.10 adds the Report Template Wizard. You can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting while maintaining the power of Report Templates. Read on beyond the jump to learn more.

SEEB USB - Mounted Devices Report App

Brian Jones

Recovering evidence that has been removed from a target machine is tough enough, but then you have to figure out how that evidence was removed and when. Suspects are increasingly removing hard drives from machines or simply dragging and dropping incriminating evidence to thumb drives, cameras, mp3 players or other USB gadgets. The good news is that digital footprints are often left behind when they plug these devices into the system, and the artifacts that can be recovered often lead to insights about the suspect’s behavior or recovery of the removed data itself.

One of the most popular EnScripts/apps on EnCase App Central addresses this challenge by automating the Windows Registry examination, locating and reporting on the artifacts that are created when an entry is made in different hives in the registry. For example, when a USB storage device is inserted into a machine, a key is created in the Windows Registry, and everything the operating system needs to know about that storage device is contained in that key. The Registry was first introduced with Windows 95 and has been incorporated into many Microsoft operating systems since. Within the Windows operating system is a list of all the USB devices that have been connected to the system in the past. Information includes the device description, its type (printer, camera, disk drive, etc.), whether it was connected via a USB hub, its drive letter, and the device's serial number. All of these information types can be identified under the right conditions.

New Flexible Reporting Template in EnCase App Central

Ken Mizota

Recently, a new type of app was added to the EnCase App Central store: the Flexible Examination Report Template. We’re excited to offer this new Case Template to the EnCase community. If you haven’t done so already, check out EnCase App Central to download the template for free.

Report Templates are used to store the configurations and customizations an investigator makes for a given case, to be reused and reapplied for other similar cases. This template provides a simple Bookmark structure that is designed to be easy to work with and modify. In this post, I’ll walk you through how this new tool can help make your investigations more efficient.