My Road to Digital Forensics Excellence

Encase v7 Preview #2

Posted by Paul Bobby on June 4, 2011

The new features for testing in this preview:

  1. The ability to utilize your own evidence and expanded device functionality.
  2. New Email formatting.
  3. New Bookmark functionality.
  4. New Report Templates.
  5. New Modules under Evidence Processor.

I’m going to take a look at #5 first. I believe the Evidence Processor will be one of the key features in forensic analysis for those shops that have large amounts of data to analyze and would welcome a lot of preprocessing to be accomplished prior to actual analysis.

Recall that with Encase v6, you can run a keyword search, hash analysis and signature analysis after you finish the acquisition, even without a dongle attached. The Evidence Processor in Encase v7 appears to be just that, but a lot more. It might be considered generous of Guidance to allow so much ‘stuff’ to be accomplished right up front, but I believe it falls in line with the 21st century approach to large data sets: pre-process as much as you can before the ‘human’ has to sit down and start analyzing.

Here’s a screenshot of the Evidence Processor:


For each evidence item added to your case you can acquire and/or process that evidence. If you want to process, the options in the lower window become available.

Each option is either enabled or disabled, and some of the options come with sub-dialogues. These range from the simple (Find Internet Artifacts lets you choose whether or not to search Unallocated) to the more complicated sub-dialogues of the three newly added modules.

All of this pre-processing is stored in the custom database format that makes Encase v7 so different from previous versions. Once the processing is complete, the case folder structure can be copied to your analysis machine, or given to your level-3 forensic analyst, for actual analysis. It’s a neat method of operation, and remember, when you load the case, there is little lag for case open: you do not have to parse all of this pre-processed data prior to commencing actual analysis. It is all stored in database files.

If adding to the ‘Modules’ section becomes a future feature available to Enscript writers, then we have a real winner. Just imagine the numerous custom modules you would like to run against a target evidence set. Triage comes to mind as a great example of where adding modules to this Evidence Processor will deliver great benefits. Encase Enterprise? Even better. But EE is at least a year away.





Here are the sub-dialogues of the IM Parser and System Info Parser. They should be familiar to you.


The File Carver module makes use of the File Types global folder (which actually combines File Types and File Signatures in v7). Most of the ‘file types’ are listed solely by file extension, but those that have headers, and the few that have footers, become available in the new File Carver module dialogue to be carved during Evidence Processing.

I haven’t found any details on how HTML or Webmail files are carved. I will be testing that.

After clicking Next, you are presented with the Export File dialogue screen where you can specify file sizes for when the headers are found.
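A minimal header/footer carver illustrating the behaviour described above: carve to the footer when the file type defines one, otherwise export a configured size from the header. This is an added example in Python, not EnCase or EnScript code; the signature table, the size limits and the sample buffer are constructed assumptions.

```python
# Added illustration; not EnCase code. Signature table and sizes are assumptions.
from typing import NamedTuple, Optional

class Signature(NamedTuple):
    name: str
    header: bytes
    footer: Optional[bytes]  # None = type is identified by header only
    max_size: int            # bytes to export when no footer ends the carve

SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 64),
    Signature("sqlite", b"SQLite format 3\x00", None, 32),
]

def carve(data: bytes, signatures=SIGNATURES):
    """Return (name, offset, carved_bytes, ended_by) for every header hit."""
    hits = []
    for sig in signatures:
        pos = data.find(sig.header)
        while pos != -1:
            # Never read past the configured export size or the end of the data.
            limit = min(pos + sig.max_size, len(data))
            end, ended_by = limit, "size"
            if sig.footer is not None:
                f = data.find(sig.footer, pos + len(sig.header), limit)
                if f != -1:
                    end, ended_by = f + len(sig.footer), "footer"
            hits.append((sig.name, pos, data[pos:end], ended_by))
            pos = data.find(sig.header, pos + 1)
    return sorted(hits, key=lambda h: h[1])

def build_sample() -> bytes:
    """Constructed buffer: complete JPEG-like blob, SQLite-like blob, truncated JPEG."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 10 + b"\xff\xd9"
    sqlite = b"SQLite format 3\x00" + b"S" * 40
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 6  # header present, footer lost
    return b"\x00" * 7 + jpeg + b"\x00" * 5 + sqlite + b"\x00" * 3 + truncated

if __name__ == "__main__":
    for name, off, blob, ended_by in carve(build_sample()):
        print(f"{name:7} offset={off:3} length={len(blob):3} ended-by={ended_by}")
```

The truncated JPEG at the end of the sample shows why a size setting matters: with no footer to stop on, the export size is the only thing bounding the carve.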

And finally, in case you were wondering: you can add Raw Images with this preview. This is what a lot of you have been waiting for. I will be testing this out for sure.



2 Responses to “Encase v7 Preview #2”

  1. troy said

    I would really like to know if it accurately parses NTFS file systems. The current version 6.* does not, unfortunately.

  2. Nik said

    What is V6.* not parsing correctly? I am very curious about that!
