Good news: you can now learn the latest browser artifacts and peer-to-peer sharing applications in our newly recorded EnCase OnDemand Advanced Internet Examinations course. Examiners who take this updated class will leave equipped to understand user activity and recover the evidence critical to their investigations.
Forensic Focus Review: Guidance Software EnCase Training Computer Forensics I Course in Slough, U.K.
Background
The course was developed by Guidance Software with a view to introducing new digital forensics practitioners to the field. The students are usually new IT security professionals, law enforcement agents and forensic investigators, and many have minimal training in computing. Computer Forensics I is available either in person at one of Guidance Software's training centres or online via their OnDemand solution, which provides live remote classes for students around the world.
Fear and Loathing in Internet History
As a DFIR examiner, poring over internet history records is a well-loathed daily activity. We spend hours looking at these lists trying to find an interesting URL that moves our case one direction or another. Sometimes we can use a filtering mechanism to remove URLs that we know for certain are uninteresting, but keeping a list like this up to date is a manual task. I used Websense to assist with this type of work at my previous job, but I have also had brief experiences with Blue Coat as well.
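As an added illustration of the filtering idea above (example code written for this page, not an EnCase feature and not the author's own tooling), the Python below drops history entries whose host falls under a maintained noise list. It matches by DNS suffix so that one entry covers every subdomain, which keeps the hand-maintained list short, and it shows the one edge case that naive suffix matching gets wrong. The history records and the noise domains are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed noise list: hosts an examiner has decided are never relevant to
# this case. Matching is by DNS suffix, so "example-ads.net" also covers
# "a.cdn.example-ads.net" and the list stays short enough to maintain by hand.
NOISE_DOMAINS = {"example-ads.net", "telemetry.example.com", "update.example.org"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL without port or trailing dot; '' if none."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_noise(url: str, noise=NOISE_DOMAINS) -> bool:
    """True when the URL's host is a listed domain or a subdomain of one.

    The '.' in the suffix test matters: "notexample-ads.net" must not be
    swallowed by the "example-ads.net" entry, which a bare endswith() would do.
    """
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in noise)


def filter_history(entries, noise=NOISE_DOMAINS):
    """Split history records into (kept, dropped) using the noise list."""
    kept, dropped = [], []
    for entry in entries:
        (dropped if is_noise(entry["url"], noise) else kept).append(entry)
    return kept, dropped


# Constructed records in the shape of an exported browser history table.
SAMPLE_HISTORY = [
    {"ts": "2014-09-02T10:01:03Z", "url": "https://www.example-ads.net/pixel.gif?id=1"},
    {"ts": "2014-09-02T10:01:04Z", "url": "http://a.cdn.example-ads.net/loader.js"},
    {"ts": "2014-09-02T10:01:09Z", "url": "https://telemetry.example.com/beacon"},
    {"ts": "2014-09-02T10:02:41Z", "url": "https://mail.example.com/inbox"},
    {"ts": "2014-09-02T10:03:15Z", "url": "https://notexample-ads.net/landing"},
    {"ts": "2014-09-02T10:04:00Z", "url": "https://files.example.net:8443/download?id=42"},
]

if __name__ == "__main__":
    kept, dropped = filter_history(SAMPLE_HISTORY)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for e in kept:
        print(e["ts"], e["url"])
```

Note that a parent domain on the list silences every child, but a child on the list (telemetry.example.com) says nothing about its parent, so mail.example.com survives; URLs with no host at all (javascript:, data:) are never treated as noise and stay in the review queue.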
- Posted by: Miller
- On: 9/02/2014
- No comments
- Categories: EnCase App Central, EnCase Forensic, Integration, Internet Artifacts, Training
POSIX Regular Expressions in EnScript and .NET
I am sure you have spent a little intimate time with EnCase doing keyword searches, so you know that EnCase has basic GREP capabilities. This is a powerful feature that allows for searches to be performed with patterns that can eliminate false positive hits. Recently, we hosted a webinar with guest Suzanne Widup, describing some techniques and benefits of using GREP in EnCase.
GREP comes from the Unix world of long ago: the name is the ed editor command g/re/p, globally search for a regular expression and print the matching lines, which became the stand-alone command line utility used to search through data and print out the lines that matched a given pattern. Because of the tool's popularity, the name has become synonymous with regular expressions (regex). Although there is a defined standard, POSIX, the syntax of regex patterns actually varies quite wildly depending on the engine and programming language being used, and EnCase is no exception. In homage to our habit of prefixing our product names with “En”, I jokingly refer to our syntax of regex as “EnGrep.”
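To make the false-positive point concrete, here is an added example, written for this page in Python (whose regex dialect is its own, not EnCase's GREP syntax, and which is not material from the webinar). It does what a payment-card keyword search needs: a pattern finds candidate digit runs in a raw byte buffer, in both ASCII and UTF-16LE as a forensic search over unallocated space would, and a Luhn check throws out the candidates that cannot be card numbers. The buffer is constructed for the example and uses publicly known test card numbers.

```python
import re

# Candidate card numbers: 13-19 digits, optionally with single space/dash
# separators, not butting up against further digits. Python regex dialect;
# EnCase's GREP syntax differs, so this is not a drop-in EnCase keyword.
ASCII_CANDIDATE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Same thing for UTF-16LE text, where each character is followed by a NUL byte;
# an ASCII-only pattern never hits these strings.
UTF16_CANDIDATE = re.compile(rb"(?:[0-9]\x00(?:[ -]\x00)?){12,18}[0-9]\x00")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_candidates(buf: bytes):
    """Regex hits as (offset, encoding, digits, luhn_valid) tuples."""
    hits = []
    for m in ASCII_CANDIDATE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        hits.append((m.start(), "ascii", digits, luhn_ok(digits)))
    for m in UTF16_CANDIDATE.finditer(buf):
        digits = m.group().decode("utf-16-le").replace(" ", "").replace("-", "")
        hits.append((m.start(), "utf-16le", digits, luhn_ok(digits)))
    return hits


def valid_card_numbers(buf: bytes):
    """Only the candidates that survive the Luhn check."""
    return [digits for _, _, digits, ok in find_card_candidates(buf) if ok]


# Constructed buffer: two well-known test card numbers (4111..., 3782...), a
# timestamp, a one-digit-off number and a 1234... run that the regex alone
# reports as hits, plus one valid number stored as UTF-16LE.
SAMPLE = (
    b"order=20140902123456 card=4111-1111-1111-1111 alt=4111111111111112 "
    b"amex=378282246310005 junk=1234567890123456 "
    + "uni=4111111111111111".encode("utf-16-le")
)

if __name__ == "__main__":
    for off, enc, digits, ok in find_card_candidates(SAMPLE):
        print(f"{off:5d} {enc:8s} {digits:20s} {'valid' if ok else 'false positive'}")
```

The pattern alone reports six hits on this buffer; the checksum pass keeps three. The same two-stage approach (cheap pattern, then a validator on each hit) carries over to other structured identifiers such as IBANs or national ID numbers.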
Poweliks: Persistent Malware Living Only in the Registry? Impossible!
The ultimate desire for malware authors is to be able to have their code run every time a computer starts, and leave no trace on the disk for us to find. Let me reassure you that it hasn’t happened just yet, at least not that I have seen. There have been plenty of examples over the years that have taken advantage of some clever techniques that disguise their disk-based homes, but that’s just it–disguise!
A couple of recent posts on “Poweliks” here and here shed light on creative measures attackers use to store malware in the Windows Registry. In short, there is a registry value that executes an encoded script stored in another registry value, which then drops a file on disk for execution.
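As an added example of how an examiner can triage an exported Run key for the shape the post describes (a launcher value that runs a script host, and a second value holding an encoded body), the Python below parses a .reg-style text export and flags values that start a script host, have an empty or non-ASCII name, or carry a large base64-looking blob, decoding the blob when it is well formed. It is written for this page, not an EnScript and not a published Poweliks signature; the registry export, the value names and the placeholder blob are constructed.

```python
import base64
import binascii
import re

# Launchers that run script rather than a conventional program (Python regex).
SCRIPT_HOST = re.compile(
    r"(?i)(?:\brundll32(?:\.exe)?\s+javascript:"  # rundll32 abusing the javascript: protocol
    r"|\bmshta(?:\.exe)?\b"                        # HTML Application host
    r"|\b[wc]script(?:\.exe)?\b"                   # Windows Script Host
    r"|\bpowershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\b)"  # encoded PowerShell
)
# A run of base64 alphabet long enough to be a script body rather than a word.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_reg_export(text: str):
    """Yield (key, value_name, data) from a REGEDIT-style text export.

    Only quoted string values are unescaped; hex:/dword: data is kept raw.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # \" -> " and \\ -> \
            yield key, name, data


def assess(key: str, name: str, data: str):
    """Reasons a value looks like script-in-registry persistence (empty if none)."""
    reasons = []
    if key.lower().endswith(RUN_KEYS) and SCRIPT_HOST.search(data):
        reasons.append("Run value starts a script host instead of a program")
    if name == "" or not name.isascii() or not name.isprintable():
        reasons.append("value name is empty or not plain ASCII")
    m = B64_BLOB.search(data)
    if m:
        try:
            decoded = base64.b64decode(m.group(), validate=True)
            reasons.append(f"{len(m.group())}-char base64 blob decoding to {len(decoded)} bytes")
        except binascii.Error:
            reasons.append(f"{len(m.group())}-char base64-like blob (not cleanly decodable)")
    return reasons


def triage(text: str):
    """Map 'key\\name' -> reasons for every value that earned at least one."""
    findings = {}
    for key, name, data in parse_reg_export(text):
        reasons = assess(key, name, data)
        if reasons:
            findings[f"{key}\\{name}"] = reasons
    return findings


# Constructed stand-in for an encoded script body (harmless text, base64-encoded).
PLACEHOLDER_BLOB = base64.b64encode(b"constructed stand-in for an encoded script body; " * 6).decode()

# Constructed export of a user's Run key: one ordinary autostart entry plus a
# launcher value and a body value in the arrangement the post describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"a"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval(bodyReadFromValueB)"
"b"="@@BLOB@@"
'''.replace("@@BLOB@@", PLACEHOLDER_BLOB)

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_REG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Two caveats for real use: the heuristics are deliberately noisy (some legitimate software does start wscript or PowerShell from Run), so treat a hit as a lead, not a verdict; and "lives only in the registry" still means the user's NTUSER.DAT hive on disk, which is exactly where an examiner with an image will find these values.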
- Posted by: Miller
- On: 8/04/2014
- No comments
- Categories: Digital Investigations, EnScript, Malware Analysis, Registry, Tips, Training
Working with EnScript and .NET/C#
The ability to manipulate and interpret data structures within evidence has long been a strength of EnCase. EnScript, a core EnCase technology, has enabled investigators and incident responders to be efficient, automating the most sophisticated or mind-numbingly rote techniques. For instance, take Simon Key's (@SimonDCKey) recent post on the OS X Quick Look Thumbnail Cache: the ability to mine, extract and work with that critical data for your case is available now. This app, courtesy of Guidance Software Training, just happens to be free, so the whole DFIR community can take advantage of it. If you need to keep pace with the ever-widening gap between the volume of data and the investigator's ability to understand it, having extensible, flexible tools in your kit is not optional.
- Posted by: Miller
- On: 6/13/2014
- No comments
- Categories: .NET, EnCase App Central, EnScript, Integration, Training
Suzanne Widup: The 2014 Verizon DBIR, a New EnCase v7 Book, and a Two-Part Webinar Series
How do you define an EnCase expert? Having worked on over 400 forensic, e-discovery, and information security cases, Suzanne Widup fits our definition. President and founder of the Digital Forensic Association and a senior analyst on the Verizon RISK Team, she will be joining us at CEIC this month to present a session on “2014 Verizon Data Breach Investigations Report (DBIR) Lessons Learned”, covering the seventh annual Verizon DBIR, a report that many incident response and information security professionals look forward to reviewing each year.
The 2014 DBIR revealed, among many insights, that although cybercriminals can bypass an organization's security within days, it takes months before malware is detected. Guidance Software contributed to the DBIR and invited Verizon to present highlights of the report at CEIC.
A Treasure Trove of EnCase Version 7 Resources to Help You Make the Transition
Not long ago I was at the annual HTCIA conference in Summerlin, Nevada, where I enjoyed having the chance to meet with a number of customers: everyone from recently trained to highly expert investigators. Many of them were proficient in EnCase® Version 6 and wanted to build their EnCase Version 7 skills, but didn’t know where to begin.

If you’ve been wanting to make the transition to EnCase Version 7, but can’t take a trip to an official training center right now, I want you to know about some invaluable resources that can help get you up to speed. Most are free, with a handful of paid online courses at the end.
The Shortest Path from EnCase Forensic v6 to v7: Two-part "Transitions" Webinar
Every month we see more digital forensics pros making the leap from EnCase® Forensic v6 to v7. We know that many in our EnCase community gained cutting-edge skills with v6, yet more and more of you are attracted to v7 by our continuing focus on software maturity, stability, and a natural workflow that can be customized to work exactly the way you do, day by day. With each release, new features like distributed processing, remote forensic capability, and the rich and fully tested treasure trove of EnScripts® and apps in EnCase® App Central mean additional investigative power for you and your caseload.
Ease the Transition with a Two-Part Webinar
Join us on December 10th and later on January 14th for a walk-through of the steps involved in moving from v6 to v7, presented by one of our master Guidance Software EnCase trainers.
CEIC and EnCase Essentials v7 Training
Last week at CEIC we ran four Upgrading EnCase v6 to v7: Who Moved My Cheese? sessions. The sessions were packed with EnCase v6 users who were looking to get past the obstacles that were preventing their full transition to v7. In total we presented to nearly 200 attendees and had some really great discussion. By the end of the sessions I could see many of the attendees were ready to get going with v7.
During the process of walking the users through v7 I learned that quite a few of the folks in each session had yet to view the free EnCase Essentials Training. One of the reasons many had not taken advantage of this free training was that they did not have ready access to the internet at work. Even those who knew about the training were forced to view it during their off hours, when they were able to connect to the internet.
The first thing I did when I got to the office this week was ask our training department to create an offline version of the essentials training and they did. Now anyone that wants to get the basics of v7 can download this offline format of the EnCase Essentials Training and view the lessons anytime, anywhere. In addition, we also updated the companion EnCase Essentials Training Guide, incorporating the changes made in the latest release of EnCase, v7.04. Be sure to download these two files when you get a chance and keep them handy.
On a related note I am planning a v6 to v7 webinar series where we will cover many of the topics that were presented during the CEIC session. Look for more information about this webinar series soon.
v7 Training Update - New Classes Available
As you probably know, we have been conducting an EnCase Forensic v7 Survey for a few weeks now. To date nearly 600 surveys have been submitted. If you haven't submitted yours yet, please take a few minutes and complete the survey. This is a great opportunity for you to let us know how v7 is working for you and how we can make the product better meet your needs. Reviewing the survey responses made it clear that, in addition to product enhancements, many customers were looking for more v7 training options. Today I want to introduce you to two new v7 training options, both developed to help v7 users get the most out of EnCase.