Feature Spotlight: Portable Triage

Ken Mizota

EnCase 7.10 now includes full EnCase Portable capabilities at no additional cost.

In this post, I’ll explain what this means to the investigator and show some practical tips on how to make use of your new-found ability. Acquire Live RAM? Detect encryption? Perform snapshot? Capture screenshots of running Windows? Learn more after the jump.

Feature Spotlight: SED Unlock with EnCase & WinMagic SecureDoc

Ken Mizota

Self-encrypting drives represent a very specific problem for digital investigators. The direction of technology is clear: within the next few years, strong encryption will be baked into the silicon of every hard drive from every major manufacturer. Self-encrypting drives (SEDs) offer greater data security than traditional full-disk encryption because the stored data is always encrypted at rest and the keys needed to decrypt it never leave the device, which means the keys cannot practically be brute-forced by traditional means.

SEDs render “cold boot” and “evil maid” attacks useless and offer instant encryption and crypto-erase when a drive needs to be repurposed. SEDs are very attractive, but present significant obstacles to traditional disk-based forensics. In this post, we’ll walk through how EnCase 7.10 works with WinMagic SecureDoc to enable forensic investigation of self-encrypting drives.

Case Study: Chesterfield County Police Department

Cynthia Siemens

Profile

Many digital investigators in law enforcement work for multiple teams and agencies. Keith Vincent is no exception. In his current role in the Economic Crimes Unit of the Chesterfield County Police Department, his title is Detective. In his earlier work as a deputized U.S. Marshal for the Federal Bureau of Investigation’s Child Exploitation Task Force, he was the Task Force Officer, and in his work with Internet Crimes Against Children (ICAC), he served as ICAC representative for his agency.

Poweliks: Persistent Malware Living Only in the Registry? Impossible!

James Habben

The ultimate desire of malware authors is to have their code run every time a computer starts while leaving no trace on the disk for us to find. Let me reassure you that it hasn’t happened just yet, at least not that I have seen. There have been plenty of examples over the years that have used clever techniques to disguise their disk-based homes, but that’s just it: disguise!

A couple of recent posts on “Poweliks” here and here shed light on creative measures attackers use to store malware in the Windows Registry. In short, there is a registry value that executes an encoded script stored in another registry value, which then drops a file on disk for execution.

Tableau TD3 Forensic Imaging System: Raising the Bar Since 2012

Robert Bond

When Guidance Software originally released the Tableau TD3 forensic imaging system back in 2012, it was revolutionary. Forensic investigators had asked for and eagerly awaited innovations like the color touchscreen user interface, modular architecture, network imaging, and remote triage capabilities. The TD3 also supported write-blocked imaging of SATA, IDE, SAS, FireWire, USB 3.0, and iSCSI (network) storage devices. In 2013, Forensic 4Cast voters named it the Forensic Hardware Tool of the Year. Since its launch, the TD3 development team has relentlessly focused on adding new features, capabilities and options that help investigators get more work done faster. So if the last time you looked at the TD3 was back in 2012, it may be time to take another look.