I’ve recently taken to tweeting about some of the latest additions to EnCase App Central and it’s been a reminder of the impressive ingenuity and dedication within the digital investigations community. Our humble app store has grown to house over 100 solutions, extending and increasing the efficiency and efficacy of digital investigations. At Guidance Software, we take pride in shipping software that helps investigators find more evidence, faster and we see EnCase App Central as a key component of EnCase.
Part 1 - So much evidence, so many artifacts, so little time…
I’ve recently taken to tweeting about some of the latest additions to EnCase App Central and it’s been a reminder of the impressive ingenuity and dedication within the digital investigations community. Our humble app store has grown to house over 100 solutions, extending and increasing the efficiency and efficacy of digital investigations. At Guidance Software, we take pride in shipping software that helps investigators find more evidence, faster and we see EnCase App Central as a key component of EnCase.
- Posted by: Miller
- On: 4/07/2014
- No comments
EnScript Changes From EnCase Version 6 to Version 7
You may know that Version 6 of EnCase keeps the majority of data in memory, which gives you fast access to the evidence items in a case, but is not conducive to handling large data sets. In addition, keeping most data in memory requires that records and entries be handled separately.
EnCase Version 7 behaves in a similar way to a database in that working through multiple evidence items is accomplished using an iterator. This makes for more stable processing and allows the EnScript programmer to handle both entries and records in a more streamlined way. It is possible, for instance, to iterate through all of the evidence items in a case (entries and e-mail attachments, for instance), quickly identifying those items that are pictures or documents.
EnCase Version 7 behaves in a similar way to a database in that working through multiple evidence items is accomplished using an iterator. This makes for more stable processing and allows the EnScript programmer to handle both entries and records in a more streamlined way. It is possible, for instance, to iterate through all of the evidence items in a case (entries and e-mail attachments, for instance), quickly identifying those items that are pictures or documents.
Brand New & Improved Volatility Reporting Plugin
Over the past couple of years the Guidance Software EnCase consultants and trainers have provided advice and assistance concerning how to manage the digital artifacts from RAM or memory analysis when using Volatility as their tool of choice. The two blog posts below provide insight into the progress.
- Posted by: Miller
- On: 3/26/2014
- No comments
- Categories: EnCase App Central , Integration , Memory Analysis , Volatility
Working more efficiently with Internet Evidence Finder and EnCase Forensic
Forensics Consultant, Magnet Forensics
Forensic investigators understand that one of the biggest challenges to their cases is time management. As examiners, we would love to spend three months or more on a single case without any other distractions to ensure that every stone is overturned and every detail met with precision, but this is not the reality. Caseloads continually grow far beyond what one person or team can handle and we require the proper processes and tools to manage these cases quickly and efficiently without compromising quality.
- Posted by: Miller
- On: 3/20/2014
- No comments
- Categories: EnCase Forensic , Integration , Internet Evidence Finder
SEEB USB - Mounted Devices Report App
Recovering evidence that has been removed from a target machine is tough enough, but then you have to figure out how that evidence was removed and when. Suspects are increasingly removing hard drives from machines or simply dragging and dropping incriminating evidence to thumb drives, cameras, mp3 players or other USB gadgets. The good news is that they digital footprints are often left behind when they plug these devices into the system, and the artifacts that can be recovered often lead to insights about the suspect’s behavior or recovery of the removed data itself.
One of the most popular EnScripts/apps on EnCase App Central addresses this challenge by automating the Window’s Registry examination by locating and reporting on the artifacts that are created when an entry is made in different hives in the registry. For example, when a USB storage device is inserted into a machine, a key is created in the Windows Registry, and everything the operating system needs to know about that storage device is contained in that key. The Registry was first introduced with Windows 95 and has been incorporated into many Microsoft operating systems since. Within the Windows operating system is a list of all the USB devices that have been connected to the system in the past. Information includes the device description, its type (printer, camera, disk drive, etc), whether it was connected via a USB hub, its drive letter, and the device's serial number. All of these information types can be identified under the right conditions.
- Posted by: Miller
- On: 3/12/2014
- No comments
- Categories: EnCase App Central , Registry , Reporting , USB