My Road to Digital Forensics Excellence

Encase v7 Preview

Posted by Paul Bobby on May 2, 2011

I, like many others, am now playing with the Encase v7 preview (set to expire May 30th). This preview package contains a locked-down v7 Forensic client (32-bit or 64-bit, no Enterprise) and comes with a custom-generated evidence file.

Look and Feel
The evidence navigation (tree pane, table pane, detail pane) is still there, but can be viewed in four different modes by using the “Split Mode” option on the interface:

The option we are used to is “Tree-Table” – I won't show that. But Table, Tree, and a new funky “Treable” I will show.

Table removes the tree navigation pane from the display. This frees up real estate of course, but other than that I’m not sure of the purpose. Perhaps reading email or other large data groups in which the tree content doesn’t change very often.

Tree removes the detail pane completely, leaving you with a Windows Explorer look and feel. Or so it seems. Actually what it has done is remove the Table Pane and move the Detail Pane from the bottom to the right-hand side. This is definitely new. Here’s another screenshot:

Here you will notice that both files and folders are now included in the tree pane on the left. It is unlikely I will be using this view mode all that much; I spend a lot of time analyzing my evidence in groups, looking at timestamps, etc., in large chunks in the Table Pane. This view mode displays one file at a time.

And finally:

Treable! Good lord, so as not to be outdone by OMG, LOL and Muffin Top, I think Guidance Software is looking to add their own word to the Oxford English Dictionary. Thing is though, I sort of like this view mode. Sort of. As you can see in this screenshot, it smushes the tree pane navigation into the NAME column.

It will be interesting to see if EnScripts/Conditions can manipulate that column based on Split Mode type. For example, in regular Tree-Table mode (the original view), the files under sub-folders are not visible unless you click the Select-All icon for the folder. Whereas in Treable mode the files really are there, just not made visible by the navigation marks unless you expand them.

Pick any one of the screenshots with a Detail Pane and you’ll notice a new default sub-pane called “Fields”. This lists, as key-value pairs, the contents of the Detail Pane’s various columns (such as Logical Size, File Created, etc.). One feature request I can already hear is this: in the Detail Pane you can drag columns left and right to customize the Detail Pane any way you want – unfortunately the Fields sub-pane does not update with the ordering of those columns.

More to come.

Update: Treable prevents you from sorting by column – which makes sense since it preserves a tree structure in the NAME field.


5 Responses to “Encase v7 Preview”

  1. Joseph W Shaw II said

    Not to be a party pooper, but do you remember the NDA clause of the beta signup? We’re not supposed to be publicly talking about the beta build(s).

  2. Paul Bobby said

    Thanks Joseph for your comment. Fortunately I had asked this question and the Encase v7 preview is public and not under the same Beta agreement we had signed.

  3. Joseph W Shaw II said

    Excellent! I just wanted to make sure no one got in trouble. I’ve been playing with it since Saturday, and it’s been an adjustment getting used to it after so many years with v6. I was really hoping for multi-monitor support in the beta build, but that doesn’t look like it will happen. I also keep getting crashes when processing evidence with all options selected, though it doesn’t crash when I leave at least one option out. I can’t wait to throw some real evidence into the actual release to get a better idea of how well it really works.

  4. Troy said

    How is it on NTFS?

    I ask because I have seen some recent malware that can be completely live in the NTFS file system, but not shown by Encase when you review the disk. As best I can tell, the current version 6.XX seems to not see some NTFS attributes or to rely on the NTFS bitmap, which causes certain file attributes not to show up in the file and directory listings. The clusters of the missed file attributes are unallocated clusters according to Encase. Other forensics tools do see the attributes that Encase missed.

    Contact me if you would like to discuss.
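Troy's comment above describes a mismatch between the clusters an MFT attribute actually references and what $Bitmap says about them. As an added example (not from this post, and not EnCase code), here is a small Python cross-check: it decodes an NTFS data-run list and flags any referenced cluster that $Bitmap marks as free, which is the kind of independent check an examiner can run with a second tool. The data runs and bitmap below are constructed samples, not taken from real evidence.

```python
"""Cross-check NTFS data runs against $Bitmap (constructed example)."""


def decode_data_runs(runs):
    """Decode an NTFS data-run list into (start_lcn, length) pairs.

    Each run begins with a header byte: the low nibble is the size of the
    length field, the high nibble the size of the offset field. Offsets are
    signed and relative to the previous run's start LCN. A header byte of
    zero ends the list. An offset size of zero marks a sparse run, which
    occupies no clusters on disk and is returned with start_lcn None.
    """
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        hdr = runs[pos]
        pos += 1
        len_sz, off_sz = hdr & 0x0F, hdr >> 4
        length = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            out.append((None, length))
            continue
        delta = int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        lcn += delta
        out.append((lcn, length))
    return out


def allocated(bitmap, cluster):
    """$Bitmap stores one bit per cluster, least-significant bit first."""
    return bool((bitmap[cluster // 8] >> (cluster % 8)) & 1)


def clusters_marked_free(bitmap, runs):
    """Return every on-disk cluster referenced by the runs but free in $Bitmap.

    A non-empty result is the inconsistency the comment describes: the
    attribute's data is live on disk, yet a tool trusting $Bitmap alone
    would treat those clusters as unallocated.
    """
    return [c for lcn, length in runs if lcn is not None
            for c in range(lcn, lcn + length) if not allocated(bitmap, c)]


# Constructed sample: run of 4 clusters at LCN 16, then 2 clusters at LCN 8
# (offset -8 from the previous run), then the 0x00 terminator.
SAMPLE_RUNS = bytes.fromhex("21041000" "1102f8" "00")
# Constructed 32-cluster bitmap: only clusters 16..19 are marked allocated.
SAMPLE_BITMAP = bytes([0x00, 0x00, 0x0F, 0x00])

if __name__ == "__main__":
    runs = decode_data_runs(SAMPLE_RUNS)
    print("runs:", runs)
    print("referenced but free in $Bitmap:", clusters_marked_free(SAMPLE_BITMAP, runs))
```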

  5. Joseph W Shaw II said

    Troy, I’d love to get more info on this. I’m going to the Guidance NTFS class at the end of the month and would like to be able to ask them some intelligent questions on it, but this is the first I’ve heard of the type of hiding malware you describe, if I’m understanding this correctly.
