Showing posts with label Tips. Show all posts

POSIX Regular Expressions in EnScript and .NET

James Habben

I am sure you have spent a little intimate time with EnCase doing keyword searches, so you know that EnCase has basic GREP capabilities. This is a powerful feature that allows for searches to be performed with patterns that can eliminate false positive hits. Recently, we hosted a webinar with guest Suzanne Widup, describing some techniques and benefits of using GREP in EnCase.

GREP is a term that comes from the Unix world long ago. It stands for Globally search for Regular Expressions and Print. This command line utility was used to search through data and print out results that matched the given pattern. Because of the popularity of the tool, the name has become synonymous with Regular Expressions (Regex). Though there is a defined standard, POSIX, the syntax of patterns used in Regex actually varies quite wildly depending on the platform engine and programming language that is being used. EnCase is no exception. In homage to our habit of prefixing our product names with “En”, I jokingly refer to our syntax of regex as “EnGrep.”

Feature Spotlight: Report Template Wizard

Ken Mizota

No forensic investigation is complete without a comprehensive report tailored to the intended audience. Whether the cases involve crime, civil litigation, or policy non-compliance, the end goal of an investigation is to share findings with others. EnCase Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a Report Template. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power.

EnCase Version 7.10 adds the Report Template Wizard. You can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting while maintaining the power of Report Templates. Read on beyond the jump to learn more.

Poweliks: Persistent Malware Living Only in the Registry? Impossible!

James Habben

The ultimate desire for malware authors is to be able to have their code run every time a computer starts, and leave no trace on the disk for us to find. Let me reassure you that it hasn’t happened just yet, at least not that I have seen. There have been plenty of examples over the years that have taken advantage of some clever techniques that disguise their disk-based homes, but that’s just it–disguise!

A couple of recent posts on “Poweliks” here and here shed light on creative measures attackers use to store malware in the Windows Registry. In short, there is a registry value that executes an encoded script stored in another registry value, which then drops a file on disk for execution.

Version 7 Tech Tip: Spotting Full Disk Encryption

Graham Jenkins, Guidance Software, Technical Services Engineer

With data breaches and data security pushed into the news on a seemingly daily basis, we expect today’s digital investigators to be faced with encryption technology more frequently. For those with something to hide, the use of strong encryption has been widely promoted. For those with data they would like to protect, the use of strong encryption is becoming more commonplace by the day. Most enterprises know full disk and file-level encryption is a necessity if you have something worth protecting. Underlining the trend, Windows 8.1 has designs in place to enable BitLocker encryption by default when appropriate hardware is present. One of the strengths of EnCase over the years has been the ability to identify encryption and decrypt evidence in place, exposing data for investigation without altering its contents.

Version 7 Tech Tip #2: Processing Multiple Cases Serially from a Single Workstation

Jasper Rowe

Did you know you can use a single instance of EnCase® to queue jobs from different cases?

In previous versions, it was possible to process multiple cases simultaneously using multiple sessions of EnCase. Even though the licensing allowed for this, the processing itself would have had to rely on shared resources.

Version 7 Tech Tip #1: Matching Parent E-Mails with Attachments in Searches

James Gagen

This is the first in a series of brief, but frequently asked questions and answers about working with EnCase® Forensic Version 7. We hope they save you time and help you close cases faster.

One of the questions we are often asked in Technical Services about working with e-mail searches is, "When I find a relevant e-mail attachment, how can I find the e-mail that the attachment belongs to?" Searching in e-mail may result in keywords being found in both e-mails and attachments. This is how to locate the e-mail to which the attachment belongs:

EnCase v6 to v7 CEIC Session Recap

Guidance Software

It is hard to believe CEIC 2012 was almost two months ago. Since CEIC we have been hard at work on EnCase; in fact, we recently released an update to v7, v7.04.1. If you did not receive the email notification about this release, you can request the software download links by registering your dongle. Look for another great update to v7, v7.05, coming in the fall.

Parsing Internet Information from a USB Thumb Drive

James Habben

The EnCase® Evidence Processor has some great features, but did you know that it can also parse Internet history and bookmarks from a USB thumb drive? Today we will look at forensic artifacts from the use of Mozilla Firefox and Google Chrome web browsers used from the PortableApps.com framework.

First, let’s have a quick intro on the framework. The project was originally created to make a version of Firefox that was able to run solely from a USB thumb drive. It required a computer that was running Windows®, but it did not need Firefox. The thumb drive carried the application and stored all the history, bookmarks, and settings back onto the thumb drive. This setup allows privacy, secrecy, and convenience. Today, the PortableApps.com framework allows for a ton more applications to be run in a portable configuration.

To use the framework, you simply download the installer from the PortableApps.com website. Run the installer and point it to your thumb drive. This installs the framework, but no applications. Here is what the application launcher looks like.