How do you define an EnCase expert? Having worked on over 400 forensic, e-discovery, and information security cases, Suzanne Widup fits our definition. President and founder of the Digital Forensic Association and a senior analyst on the Verizon RISK Team, she will be joining us at CEIC this month to present a session on “2014 Verizon Data Breach Investigations Report (DBIR) Lessons Learned”, the seventh Verizon DBIR and the latest in a series released annually that many incident response and information security professionals look forward to reviewing each year.
The 2014 DBIR revealed, among many insights, that although cybercriminals can bypass an organization's security within days, it takes months before malware is detected. Guidance Software contributed to the DBIR and invited Verizon to present highlights of the report at CEIC.
Examination of the Mac OS X Quick Look Thumbnail Cache
Thumbnail images can be extracted from a variety of sources in a given piece of evidence under investigation (e.g., cached browser images, thumbs.db files, embedded JPEGs, etc.). In OS X, there is a relatively under-exploited source of thumbnails generated from Quick Look technology. In this post, we’ll explore how this particular artifact can be exposed and understood in your next OS X investigation.
To preface this post, many artifacts created in OS X are most easily reviewed and understood natively on a Mac. However, many investigators lack access to a Mac for forensic investigation. If you haven’t used EnCase for OS X investigations, you may not be aware that EnCase has been continuously adding support for investigation of OS X systems, including comprehensive support for HFS+ extended attributes, Plist parsing, an automated OS X artifact processing module, and, most recently, native support for decryption of OS X keychains. With each release of EnCase, there are fewer techniques that remain best suited or unique to a native OS X toolset. That being said… let’s get on with it!
- Posted by: Miller
- On: 5/07/2014
- No comments
- Categories: EnCase App Central, EnCase Forensic, Mac OS X
EnCase 7.09.04: Extracting Passwords from OS X Keychains
EnCase 7.09.04 is now available and contains several enhancements to make your investigations more efficient and comprehensive. Today’s digital investigators face a constant struggle to maintain comprehensive investigative skill sets while continuously improving efficiency in the face of overwhelming growth in evidence and diversity of malfeasance. EnCase 7.09.04 makes reporting more efficient with the Flexible Reporting Template and reduces investigator effort by enabling decryption of McAfee Endpoint Encryption devices with the 64-bit EnCase Examiner. EnCase 7.09.04 also expands on the strongest Windows-based investigation capabilities for OS X machines, adding the ability to decrypt and extract passwords from OS X keychains.
To gain access to this release, register your dongle and you’ll receive a MyAccount email with download links.
In this article, I'll walk through the information that can be extracted from keychains and also provide sample EnScript-based techniques to expose this data in EnCase.
3 Ways to Make IEF and EnCase Work Better Together
As forensic examiners we all use a variety of tools to conduct our investigations. Because the types and needs of every case vary, so must the tools that support them. We all have our favorites but typically an investigator’s toolbox will be filled with a variety of tools to assist with every scenario we encounter.
Investigators are always taught to use the best tool for the job and to work through cases thoroughly and efficiently. Internet Evidence Finder (IEF) has become a valuable tool for those of us working on cases requiring the analysis of Internet evidence and large volumes of data. IEF is specifically developed to intelligently recover Internet related artifacts from Windows, Mac, Linux, iOS, and Android devices enabling investigators to analyze large amounts of case data quickly and efficiently.
- Posted by: Miller
- On: 4/22/2014
- No comments
- Categories: EnCase App Central, Integration, Internet Evidence Finder
Version 7 Tech Tip: Spotting Full Disk Encryption
With data breaches and data security pushed into the news on a seemingly daily basis, we expect today’s digital investigators to be faced with encryption technology more frequently. For those with something to hide, the use of strong encryption has been widely promoted. For those with data they would like to protect, the use of strong encryption is becoming more commonplace by the day. Most enterprises know that full disk and file-level encryption is a necessity if you have something worth protecting. Underlining the trend, Windows 8.1 has designs in place to enable BitLocker encryption by default when appropriate hardware is present. One of the strengths of EnCase over the years has been the ability to identify encryption and decrypt evidence in place, exposing data for investigation without altering its contents.