CEIC and EnCase Essentials v7 Training

Guidance Software

Last week at CEIC we ran four "Upgrading EnCase v6 to v7: Who Moved My Cheese?" sessions. The sessions were packed with EnCase v6 users who were looking to get past the obstacles that were preventing their full transition to v7. In total we presented to close to 200 attendees and had some really great discussion. By the end of the sessions I could see many of the attendees were ready to get going with v7.

During the process of walking the users through v7, I learned that quite a few of the folks in each session had yet to view the free EnCase Essentials Training. One of the reasons many had not taken advantage of this free training was that they did not have ready access to the internet at work. Even those who knew about the training were forced to view it during their off hours, when they were able to connect to the internet.

The first thing I did when I got to the office this week was ask our training department to create an offline version of the essentials training and they did. Now anyone that wants to get the basics of v7 can download this offline format of the EnCase Essentials Training and view the lessons anytime, anywhere. In addition, we also updated the companion EnCase Essentials Training Guide, incorporating the changes made in the latest release of EnCase, v7.04. Be sure to download these two files when you get a chance and keep them handy.

On a related note I am planning a v6 to v7 webinar series where we will cover many of the topics that were presented during the CEIC session. Look for more information about this webinar series soon.

v7 Training Update - New Classes Available

Guidance Software

As you probably know, we have been conducting an EnCase Forensic v7 Survey for a few weeks now. To date, nearly 600 surveys have been submitted. If you haven't submitted yours yet, please take a few minutes and complete the survey. This is a great opportunity for you to let us know how v7 is working for you and how we can make the product better meet your needs. Reviewing the survey responses, it became clear to us that, in addition to making enhancements to the product, many customers were looking for more v7 training options. Today I want to introduce you to two new v7 training options, both developed to help v7 users get the most out of EnCase.

Parsing Internet Information from a USB Thumb Drive

James Habben

The EnCase® Evidence Processor has some great features, but did you know that it can also parse Internet history and bookmarks from a USB thumb drive? Today we will look at forensic artifacts from the use of Mozilla Firefox and Google Chrome web browsers used from the PortableApps.com framework.

First, let’s have a quick intro on the framework. The project was originally created to make a version of Firefox that was able to run solely from a USB thumb drive. It required a computer that was running Windows®, but it did not need Firefox. The thumb drive carried the application and stored all the history, bookmarks, and settings back onto the thumb drive. This setup allows privacy, secrecy, and convenience. Today, the PortableApps.com framework allows for a ton more applications to be run in a portable configuration.

To use the framework, you simply download the installer from the PortableApps.com website. Run the installer and point it to your thumb drive. This installs the framework, but no applications. Here is what the application launcher looks like.

Passware Kit Forensic - Now Available for Purchase

Guidance Software

During the v7 roadshow last year, one of the most talked about new features was our Passware integration. The question I heard over and over was "Can I buy Passware from Guidance Software?" At the time, unfortunately, you could not, but I am glad to say that now you can. Before getting into how you can purchase the product, let's talk a little about our integration and what exactly you can do with Passware Kit Forensic.

With EnCase® Forensic v7 you can perform protected file analysis in the evidence processor. Using Passware's Encryption Analyzer, EnCase will identify encrypted and password-protected files. Once protected file analysis is complete, you will be able to see what files are protected as well as the complexity of the protection. Pretty cool stuff.

To do what I have briefly described, you do not need a license for Passware; this capability is part of v7, no strings attached. However, if you want to take the next step and actually decrypt the files, you do need the Passware Kit Forensic product, which you can now purchase directly from Guidance.

For those of you not familiar with this product, Passware Kit Forensic is a complete encrypted evidence discovery & decryption solution for computer forensics. It recovers or resets passwords for more than 200 different types of files, as well as decrypts hard drives, PGP archives, and unlocks Windows and Mac accounts. Complete with FireWire Memory Imager, Passware Kit Forensic is the first and only commercial software that decrypts BitLocker, TrueCrypt and FileVault hard disks, and instantly recovers or bypasses Mac and Windows login passwords of seized computers.

The latest version of Passware Kit Forensic, v11.3, includes the following capabilities, to name a few:

• Decrypts 200+ file types
• Decrypts FDE: TrueCrypt, BitLocker, FileVault and PGP
• Recovers Mac user passwords
• Acquires and analyzes live memory images
• Distributed and Cloud Computing acceleration
• Hardware acceleration: NVIDIA & ATI GPU, TACC, multi-cores

As Dmitry Sumin, President of Passware, Inc. said, “Encryption is becoming a major obstacle for digital investigations. We are excited to provide EnCase customers with an efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis.” By the way, if you don't already follow Passware on Twitter, you should.

Dmitry and his team have been great to work with over this past year and we look forward to providing further integration in the future.

What's the EnCase Processor?

Guidance Software

Last week I sat in on an EnCase® Computer Forensics I class held here in our Pasadena Training Center.

It was a great class, with a nice mix of students from law enforcement, corporate, and consulting organizations. As the class began the lessons on the Evidence Processor, the instructor asked the students if they had ordered their free EnCase Processor yet, and to my surprise more than one student asked, "What's the EnCase Processor?"

Seeing this firsthand, I thought I'd better take a couple of minutes and explain the new EnCase Processor product and let you know how you can order yours today. All EnCase Forensic v7 licenses now include an EnCase Processor dongle, so if you purchased v7 after v7.03 was released you probably already have your EnCase Processor dongle. If you purchased EnCase Forensic v7 before v7.03 was released, you just need to fill out a short form to get your free dongle, but I am getting ahead of myself. Back to the task at hand, explaining the new EnCase Processor product.

The EnCase Processor is a standalone evidence processor designed to allow forensic examiners to offload the acquisition and processing of evidence to another computer, freeing up their forensic workstation for casework. Since EnCase Forensic v7 includes an evidence processor already, you are now essentially doubling your processing capacity. The capabilities of the EnCase Processor are the same as the evidence processor in v7, with one additional capability: smartphone acquisition and reporting.

To read about what you can do with the EnCase Processor, download the EnCase Forensic v7 Essentials Manual. The manual is full of great information, including details about the different tasks you can automate with the EnCase Processor. As I mentioned, to order your free EnCase Processor, take a couple of minutes and fill out the EnCase Processor order form. All you need to have is the physical address you want the dongle shipped to and your EnCase Forensic dongle ID. To make it easier, if you have several EnCase Forensic dongles you can fill out the form once and enter all the dongle IDs together, provided you want the Processor dongles shipped to the same address.

Be sure to keep your eye out on this blog for more information about the processor as well as the other new features of EnCase Forensic v7. As always, any questions or comments please let me know.