SecureArtisan

My Road to Digital Forensics Excellence

Archive for May, 2011

Tagging in Encase v7

Posted by Paul Bobby on May 3, 2011

Now this feature is quite the treat. Previously you had to bookmark groups of files that shared common criteria, such as “C4P categories, malware, to-be-reviewed” etc., which was serial in nature, and often duplicative. So along comes tagging – and it’s sort of fun to use!

First a screen shot:

image

These are the four tags that come by default with the Encase v7 preview. Behind the Tag Manager pane you will see that I have tagged the RECYCLER entry with all four tags. I expanded the column for you to see the content of the tag, but by default the tag column is small, you wont see the text, but the colors should mean something to you. Furthermore, where you click within the tag cell will determine which tag is applied.

image

Where you click is defined by the order of the tags in the tag manager. The tags/ordering is saved with the case, and Case Templates (another cool feature) can be created that incorporate your own custom tagging. The new Conditions (which appear to run against the entire case) work well here: search for Tag contains “Review” and get a listing of all files that need to be Reviewed by your reviewer.

I believe this is a great step forward in providing ways to include junior level forensic analysts with senior level analysts all working on the same case. Remember “Evidence Caches” can be copied so that analysts can have their own working copies. I am not sure if a single copy can simply be shared; at this time Encase v7 is constantly reading/writing from the HDD of your examiner, so while theoretically the cache files should remain static, I don’t know enough about the inner workings to be sure. And with only a single dongle for testing, that will have to wait until later.

Posted in EnCase | Leave a Comment »

Encase v7 Conditions

Posted by Paul Bobby on May 3, 2011

Remember, I’m working with the restricted v7 preview of Encase; so things are bound to change.

The v7 preview that we have comes with zero conditions and filters; so I decided to create one. The following screen shows the test:

image

I then created a quick condition to display only those files with an extension of .JPG:

image

In Encase v6, executing this condition on the above Table Pane (i.e. those 11 files) would reduce the Table Pane down to five entries. In Encase v7, things are a little different:

image

We get a whole new tab displayed called “Results”, and in this tab is listed all files across all evidence sources that meet the condition. This is very FTK-like. I like the functionality, it will certainly come in handy, but I also want the old functionality to allow me to slice-and-dice the Table Pane. So far I haven’t discovered if that is possible.

Posted in EnCase | 1 Comment »

Encase v7 Preview

Posted by Paul Bobby on May 2, 2011

I, like many others, are now playing with the Encase v7 preview (set to expire May 30th). This preview package contains a locked down v7 Forensic client (32bit or 64bit, no enterprise) and comes with a custom-generated evidence file.

Look and Feel
The evidence navigation (tree pane, table pane, detail pane) is still there, but can be viewed in four different modes by using the “Split Mode” option on the interface:

The option we are used to is “Tree-Table” – I wont show that. But Table, Tree, and a new funky “Treable” I will show.

Table removes the tree navigation pane from the display. This frees up real-estate of course, but other than that I’m not sure of the purpose. Perhaps reading email or other large data groups in which the tree content doesn’t change very often.

Tree removes the detail pane completely, leaving you with a Windows Explorer look and feel. Or so it seems. Actually what it has done is remove the Table Pane and moved the Detail Pane from the bottom to the right hand side. This is definitely new. Here’s another screenshot:

Here you will notice that both files and folders are now included in the tree pane on the left. Unlikely I will be using this view mode all that much; I spend a lot of time analyzing my evidence in groups, looking at timestamps etc in large chunks in the Table Pane. This view mode displays one file at a time.

And finally:

Traeble! Good lord, so not to be outdone by OMG, LOL and Muffin Top, I think Guidance Software is looking to add their own word to the Oxford English Dictionary. Thing is though, I sort of like this view mode. Sort of. As you can see in this screenshot it smushes the tree pane navigation in to the NAME column.

It will be interesting to see if Enscripts/Conditions can manipulate that column based on Split Mode type. For example, regular Tree-Table mode (the original view), the files under sub-folders are not visible unless you click the Select-All icon for the folder. Whereas the files really are there in Treable mode, just not made visible by the navigation marks unless you expand them.

Pick any one of the screenshots with a Detail Pane and you’ll notice a new default sub-pane called “Fields”. This lists, in key-value pair mode, the contents of the Details Pane’s various columns (such as Logical Size, File Created etc). One feature request I can already here is this: In the Details Pane you can drag columns left and right to customize the Detail Pane anyway you want – unfortunately the Fields Sub-pane does not update with the ordering of those columns.

More to come.

Update: Treable prevents you from sorting by column – which makes sense since it preserves a tree structure in the NAME field.

Posted in EnCase | 5 Comments »