Encase V7 Presented by Guidance Software august 2011

Steve Salinas The Next Evolution in
Product Marketing Manager Digital Forensics
Forensic Business Unit
June 2011

EnCase© Forensic v7
Agenda
EnCase© Portable v3

• EnCase Forensic
– v6 Review
– v7’s New Approach to Forensics
– v7 Demonstration
– v7 Housekeeping
• EnCase Portable
– Product Review
– Demonstration
7/26/2011 Guidance Software, Inc. 2011, All Rights Reserved

The Evolution of v6


EnCase® Forensic v6: A user-driven EnCase© Forensic v7

workflow
Locate item of Expand search Browse results
interest

• EnCase Forensic v6
– Examiner must know which functions to run from several locations
– Associations must be manually identified by the investigator
– The deeper the analysis, the more data to review

EnCase® Forensic v7: Let EnCase do the work EnCase© Forensic v7

EnCase Processor
Find item of interest EnCase automatically
finds related items

• Complete common processing and indexing before the examiner looks at the
case
– Template-driven, user-configured
– Not required… Examiner can jump directly into evidence and choose to run later


v7 is about a New Approach
• A New Approach to
– Navigation
– Processing
– Searching
– Email
– Smartphones and Tablets
– Reporting
– EnScripts
– Evidence Management

EnCase Processor
• Recover Folders
– FAT Volumes
• Searches through the unallocated clusters of a specific FAT partition for the signature of a
deleted folder
• Rebuilds files and folders that were within that deleted folder
– NTFS Folders
• Recovers files and folders from Unallocated Clusters and continues to parse through the
current Master File Table (MFT) records for files without parent folders.
– UFS and EXT2/3 Partitions
• Parses the MFT to find files listed but that have no parent directory. All of these files are
recovered and placed into the gray Lost Files folder
– Formatted Drives
• Searches through the drive and recovers folders, subfolders and files from within those
folders if the information is still available


EnCase Processor
• File Signature Analysis
– Performs file signature analysis and notes any
mismatches, unknown file signatures
• Protected File Analysis
– Devices searched recursively
– As compound files found, sent through processor
functions
– Passware integration

EnCase Processor
• Hash Analysis
– Both MD5 and SHA-1 supported
– Libraries
• Primary and Secondary
• Metadata can be added to the hash records
• useful for matching file size
– Hash collisions
• In v6, only the first hash math would be shown
• In v7 all matching hashes are shown
– Tagging
• Add tag to hash value, such as conviction for a CP image that was used to
try, prosecute, and convicted

EnCase Processor
• Expand Compound Files
– Archives
• Up to 15 levels
– Registry
• Find Email
– PST (Microsoft Outlook)
– NSF (Lotus Notes)
– DBX (Microsoft Outlook Express)
– EDB (Microsoft Exchange)
– AOL
– MBOX

EnCase Processor
• Find Internet Artifacts
– Comprehensive Option
– What’s Identified
• History: user's browsing history
• Cache: locally stored internet information
• Cookies: stored website cookie data
• Bookmarks: user's bookmarks and favorites
• Downloads: collects the downloaded data
• Search for Keywords
– Enter keywords
– Processor will search for keyword and store hits

EnCase Processor
• Index Text
– Index engine optimized for forensic tasks
– Language specific noise file
– Min word length limits what will be index
– Unicode indexing
– Word breaking
• Integrated Microsoft word-breaking
• Not whitespace delimited
• Most conservative word-breaking
• Allows you to break URLs, for example

EnCase Processor
• EnScript Modules
– System info parser (Windows, Linux, Mac)
• Will run proper script to recover artifacts from the device
– IM Parser
• Updated to support AOL, MSN, Yahoo latest versions
• Output gets put back into the processor tasks
– File Carving
• Uses same table as signature analysis table
• Describe header and footer in same table.
• Everything gets indexed, can search carved files
– Windows Event Log Parser
– Windows Artifact Parser
• MFT transaction log, recycle bin, link file parsing all in one
– Unix Login
– Linux Syslog Parser
– Personally Identifiable Information
• Credit Cards, phone numbers, email addresses, and SSNs


EnCase Processor

• Custom Modules
– Custom EnScript modules can be added to the
processor
– Output can be indexed


EnCase Processor

• Other Capabilities
– Command Line
– Process devices individually
• Separate cases integrated back into a new case
• Output can be copied to network share or used as local
evidence
– Templates


Processor Workflow
If not mounted, continue Hash, Signature, and
Recover Folders Acquire
processing Mount Protected file
(Each volume) (Device)
Analysis

Internet Artifacts
Device
Email Threading Thread DB Archive LEF

Send to
Create Thumbnail Thumbnail LEF processing
queue when Processing Queue
Internet LEF device is
Index Device Index
finished

EnScript Modules
(Transcript) Transcript LEF
Module LEF

EnScript Modules
Device Index
(Device)


Processor – Output Details
Archive LEF
One Archive LEF generated Evidence Cache - Storage details
per Mounted Entry Primary Device Folder
EmailThreads.sqlite Email Threading DB
One Device Cache
Device Cache DeviceIndex.L01 Index
generated per Primary
Device and Archive I_<GUID>.L01 Internet Artifacts
Transcript.L01 Transcript Cache
One Internet/Thumbs/
Internet/Thumbs/ Transcript/Module LEF P_<GUID>.L01 Thumbnail Cache
Transcript/ generated per Primary
Module LEF
Device M_<GUID>.L01 Module Results
DC_<GUID>.dch Device Cache
One Thread DB generated
Thread DB per Primary Device
E_<GUID>.L01 Email LEFs
A_<GUID>.L01 Archive LEFs
One Index generated per
Device Index
SearchHits.bin Search Hits
Primary Device
Evidence.bin Device Information


EnCase Processor

• Automation for
– Ease-of-Use
– Efficiency
– Accuracy
– Effectiveness


Index – Syntax Examples
Syntax Example
Keyword Search x pirate
Phrase Search "x y z" "shiver me timbers"
Find any word in a pirate OR parrot OR ninja OR ship
document, either word
must appear in the or
document
All words must appear in pirate AND parrot AND ninja AND
document and ship
Exclude the second search pirate NOT ninja
not
term
Operators as Keywords "And", "Or", "Not" pirates "and" ninjas


Index – Syntax Examples
Proximity Syntax Example
First word must occur within specified number of words of the w/n pirate w/5 treasure
second
First word must precede second within specified number of pre/n pirate pre/5 treasure
words
First word must not occur within specified number of words of nw/n pirate nw/5 ninja
the second
First word must not precede second within specified number of npre/n pirate npre/5 ninja
words
Find word within a specified number of words from the beginning w/n firstword pirate w/10 firstword
of the document
Find word within a specified number of words from the end of the w/n lastword pirate w/10 lastword
document
Find word more than a specified number of words from the nw/n firstword pirate nw/10 firstword
beginning of the document
Find word within a specified number of words at the end of the w/n lastword pirate nw/10 lastword
document
Find items containing less than specified number of words firstword w/n lastword firstword w/5 lastword
Find items containing more than a specified number of words firstword nw/n lastword firstword nw/5 lastword


Index Syntax Examples
Fields Syntax Example
Message Size [Message Size] [Message Size]#1024#
Logical Size [Logical Size] [Logical Size]#1024#
Modified
[Modified] *See Dates
Created [Created] *See Dates
BCC
[BCC] [BCC]pirate@piratecompany.com
Subject [Subject] [Subject]Landlubbers
Message Size [Message Size] [Message Size]#1024#


Dates
(within a date field) Syntax Example
Year [Modified]#2010#
[Field]#YYYY#
Day [Modified]#2010-01-01#
[Field]#YYYY-MM-DD#
Day, Hour, Minute [Modified]#2010-01-01T012:00#
[Field]#YYYY-MM-DDTHH:MM#

Day, Hour, Minute, Second [Modified]#2010-01-01T012:00:01#
[Field]#YYYY-MM-DDTHH:MM:SS#
Date Range
[Field]#YYYY-MM-DD…YYYY-MM- [Modified]#2010-01-01...2010-03-
DD# 01#

[Field]#YYYY…# [Created]#2010…#
Date Range (Hour Offset) [Modified](#2010-01-01T12:00:01-
[Field](#YYYY-MM-DDTHH:MM:SS-
07:08...2010-03-01#)
HH:SS…YYYY-MM-DD#)

Wildcards Syntax Example
single character
? pi?ate
multiple character
* pirate or nin*
Stemming
~ <s:variable x y z> Sail~ <s:sail sail sails sailing sailed>

Additional Syntax Example
Case Sensitive <c> <c>"Davey Jones"
Case Insensitive <-c> <c>"Davey Jones" <-c>pirate
Numeric Range
#x…y# #123…456#
#...y# #...123#
#x…# #456…#
Grouping x OR (y NOT z) pirate OR (ship NOT ninja)


Searching Processed Data

• Index query
– General search
• gossip
– Field
• [Extension]docx
– Date Search
• [Written]#...2008#


Searching Processed Data

• Index query
– Proximity search
• ("Formula Three" w/3 Trucking)
– Internet
• *hulu.com
– Modules
• “North Korea”


Additional Enhancements

Continue to do what EnCase has
historically done best
– Broad OS and File system support
– Increase support for standard encryption products
• File-based, enterprise, and whole disk
– Deep analysis of user activity artifacts
• Registry, logs, system records, etc.


Raising the Bar

• Focus on the user
– Processor to automate indexing and common tasks
– Efficient searching for “items of interest”
– Automated ability to find “related items”


Raising the Bar

• New indexing engine
– Leverages the powerful new indexing engine used in
EnCase® eDiscovery
– Sophisticated searching across data & metadata
– Versatile query syntax to support basic and
advanced users


Raising the Bar

• Template driven pre-processing and report
generation
– Automate repetitive tasks
– Facilitate consistent, organizationally-approved best
practices


Training
• Perfect Time to Learn or Update Skills
– V7 is a shift in the workflow V6 users are accustomed to
– All GSI facilities teaching classes in V7 beginning July
2011
– Training Partners have access to V7 materials
– The Training Passport is a cost effective way to learn V7
– V6 training still available via OnDemand


Training

• EnCase Essential
– Included with all purchases and upgrades
– An OnDemand course designed to familiarize a new
user with the basic use of V7
– A guide for V6 users to get a feel for the new
interface.


v7 Pricing at a Glance
SMS
Product License Price (Software, Maintenance, & Support)
EnCase® Forensic v7 $2995.00* 1 yr @ 20% license price*
2 yr @ 18% license price*
EnCase® Forensic v6 $896.00* 1 yr SMS: $599.00* (20% retail price)
Upgrade to EnCase® Forensic v7 2 yr SMS: $1078.20*(18% retail price x2)
3 yr SMS: $1437.60*(16% retail price x 3)

EnCase® Forensic Deluxe No Longer Offered
PLSP No Longer Offered
EnCase® ProSuite No Longer Offered
Individual Modules No Longer Offered
EnCase® Neutrino Product has been End of Lifed
Customers current on SMS or PLSP received EnCase Forensic v7 at no cost
* International pricing may vary, SMS is required on all upgrades and new licenses


EnCase Portable:
Forensic Triage & Data Collection
in the Field

Business Issues - Problems EnCase© Portable v3

• Corporate IT
– One organization, many networks
– Remote employees infrequently on the network
– Limited resources
• Law Firms
– Delay between request for collection and data being collected
– Rely on outside resources or client self collection
– Expensive to use these outside resources and risky to rely on self-collection
• Law Enforcement
– Vast amounts of data to collect
– Limited resources
– Trade-offs between casework and collection


Business Issues – Impacts EnCase© Portable v3

• Corporate IT
– Specialists may need travel to remote location to collect data
– Employees may be forced to send their machine to corporate
– Downtime for both employees
• Law Firms
– Time to case resolution
– Risk
– High consulting costs (Airfare, meals, hotels, etc.)
• Law Enforcement
– Case backlog grows
– Longer time to case resolution
– Potentially vital data missed

Business Issue – Solutions EnCase© Portable v3

• Corporate IT
– Non-expert collect using trusted & proven technology
– No training needed to collect (basic computer skills only)
– Allowing employees to retain their machines
– Keeping expert resources focused on core competency (analysis)
• Law Firms
– Immediate data collection & preservation
– Reduce cost
– Collect with internal personnel with little training required
• Law Enforcement
– Collect data without requiring forensic expert
– Data not altered during search and collection
– Option to have immediate access to data


EnCase Portable EnCase© Portable v3

• Automated forensic triage and collection from a
USB device, designed for use when
– Immediate access to evidence is required
– Field personnel, the users of EnCase Portable, have
no forensic training and/or experience
– Large number of computers in the field to triage
– Ability to review data immediately can provide
actionable results

Core Capabilities EnCase© Portable v3

• Customizable job creation
– Use keywords and hash values to perform targeted
collections
– Memory acquisition
– Full disk imaging


Core Capabilities EnCase© Portable v3

• Multiple operating modes
– Live mode
– Boot mode
• Live triage
– Instantly view images on the target machine
– Review documents in real-time
• Forensically sound
– Search and collect while preserving metadata

Product Overview - Benefits EnCase© Portable v3

• Benefits
– Triage suspect computers instantly
– Preserve digital evidence in the court-vetted EnCase
evidence file format
– Triage computers in remote locations without sending
forensic experts
– Seamlessly integrate collected data into EnCase®
Forensic or EnCase® Enterprise for analysis
– Create a repeatable and defensible triage and collection
process using non-technical personnel

Triage Case Studies EnCase© Portable v3

• Parolee Home Visit
– During visit, triage solution used to review images,
internet history on parolee’s computer
– Real-time feedback signals probation officer if
parolee has violated terms of parole



• Border Crossing
– Person of interest attempts to enter/leave territory
– Agent uses Triage solution to search computer,
looking for known terrorist websites, watch list
names, etc.
– In minutes agent can detect if person should be
detained for further questioning



• Cyber-bullying at a University
– Security Team uses triage solution to search
computer for Twitter, Facebook logs for evidence of
cyber-bullying
– Discovering evidence, action against student is taken


What’s the Takeaway EnCase© Portable v3

• Effective Triage can
– Provide real-time feedback for first responders
– Help target activities of on-site investigations
– Assist in identifying suspects and victims
– Uncover related misdoings
– Provide forensic specialists with direction and focus
for investigation

How EnCase Portable Works EnCase© Portable v3

1. Configured device given to field
agents
2. Field agents triage target
computers
3. Collected evidence sent back to
experts for analysis in EnCase


EnCase Portable EnCase© Portable v3

• With EnCase Portable
– Enable first responders to perform triage in a matter
of minutes
– Review evidence immediately
– Utilize proven capabilities of EnCase
– Store data in forensically sounds Logical Evidence
File or E01 Formats
– Fully integrated with EnCase

Advancing the art of Field
Triage and Acquisition

Portable v3 – New Capabilities EnCase© Portable v3

• New Portable
Management App
– Create/Edit Jobs
– Device Management
– Prepare Storage
– Manage Evidence



• In-Field Job
Creation
– Right from EnCase
Portable
– No installation of
EnCase required
– Jobs can be shared
after created


• New module support
– System Info Parser
– Windows Artifact Parser
– IM Parser
– Log Parsers (Windows,
Unix, Linux)


v3 Pricing at a Glance EnCase© Portable v3

Offering License Price SMS Price
(Software, Maintenance, and Support)
EnCase® Portable - Single $1,175.00*
EnCase® Portable 3-Pack $3,299.00*
EnCase® Portable 5-Pack $5,245.00* 1 yr @ 20% license price*
EnCase® Portable 10-Pack $9,990.00*
EnCase® Portable 1-year Term $695.00*
EnCase® Portable 2-year Term $1,195.00*
EnCase® Portable 3-year Term $2,085.00*

Customers with current EnCase Portable SMS will receive v3 at no cost
* International pricing may vary, SMS is required on all EnCase Portable licenses


Learn More
EnCase© Portable v3
• EnCase Forensic v7
http://www.guidancesoftware.com/encase-forensic-v7-whats-new.htm
• EnCase Portable v3
http://www.guidancesoftware.com/encase-portable.htm
• Follow Us
– Facebook: facebook.com/guidancesoftware
– Twitter: twitter.com/encase
– My Twitter: @Steve_at_EnCase
– v7 Twitter HashTag: #EF7
• Get the news from Guidance Software
http://www.guidancesoftware.com/newsroom.htm

Encase V7 Presented by Guidance Software august 2011

Encase V7 Presented by Guidance Software august 2011

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Encase V7 Presented by Guidance Software august 2011

Similaire à Encase V7 Presented by Guidance Software august 2011 (20)

Plus de CTIN

Plus de CTIN (20)

Dernier

Dernier (20)

Encase V7 Presented by Guidance Software august 2011