My Road to Digital Forensics Excellence

Archive for the ‘EnCase’ Category

Encase v7 First Month

Posted by Paul Bobby on August 2, 2011

We have multi-day Evidence Processing times, Date format issues, HD encryption issues, reporting issues and a bunch of other smaller but still irritating gotchas to deal with. Just check the forum if you don’t believe me. Are they all end-user errors? Hah, not likely.

I have not yet worked with an operational v7 public release – Guidance is having difficulties licensing the forensic version to those of us with EE only dongles. *sigh*. But I do believe that the underlying capability of file system parsing is still intact. I tested out EXT/4 for example and found it to parse properly. So Encase, used as a file system browsing tool appears to behave as v6 currently does, and that is to present an accurate representation of the file system for manual review. What concerns  me however is that this core functionality has now been wrapped by a large number of new interface features, requiring a major relearn of the product, but more importantly, requiring considerable new testing on the part of the buyer before they feel that both v6 and v7 generate the same results.

I strongly recommend that no one use this for current production case load without submitting v7 to a rigorous internal testing plan. I only hope that we do not find something that is ‘not a bug’ but in fact a correct interpretation of filesystem/artifact data, and renders all previous v6 case work invalid because v6 did ‘it wrong all along’.

I have become aware that v6 owners, who wish to buy ‘modules’ for their v6 product (for example VFS) can no longer do so and must buy v7 instead. This is bad form Guidance considering the current state of v7.


Posted in EnCase | 1 Comment »

Encase v7 Preview #2

Posted by Paul Bobby on June 4, 2011

The new features for testing in this preview:

  1. The ability to utilize your own evidence and expanded device functionality.
  2. New Email formatting.
  3. New Bookmark functionality.
  4. New Report Templates.
  5. New Modules under Evidence Processor.

I’m going to take a look at #5 first. I believe the Evidence Processor will be one of the key features in forensic analysis for those shops that have large amounts of data to analyze and would welcome a lot of preprocessing to be accomplished prior to actual analysis.

Recall that with Encase v6, you can do a Keyword Search, Hash and signature analysis after you finish the acquisition; even without a dongle attached. The Evidence Processor in Encase v7 appears to be just that, but a lot more. It might be considered generous of Guidance to allow so much ‘stuff’ to be accomplished right up front, but I believe it falls in line with the 21st century approach to large data sets: pre-process as much as you can before the ‘human’ has to sit down and start analyzing.

Here’s a screenshot of the Evidence Processor:


For each evidence item added to your case you can acquire and/or process that evidence. If you want to process, the options in the lower window become available.

Each option is either enabled/disabled, and some of the options come with sub-dialogues. For example, Find Internet Artifacts allows you to search Unallocated or not to the more complicated sub-dialogues of the three newly added modules.

All of this pre-processing is stored in the custom database format that makes Encase v7 so different from previous versions. Once the processing is complete, the case folder structure can be copied to your analysis machine, or given to your level-3 forensic analyst, for actual analysis. It’s a neat method of operation, and remember, when you load the case, there is little lag for case open: you do not have to parse all of this pre-processed data prior to commencing actual analysis. It is all stored in database files.

If adding to the ‘Modules’ section becomes a future feature available to Enscript writers, then we have a real winner. Just imagine the numerous custom modules you would like to run against a target evidence set. Triage comes to mind as a great example of where adding modules to this Evidence Processor will deliver great benefits. Encase Enterprise? Even better. But EE is at least a year away.





Here are the sub-dialogues of the IM Parser and System Info Parser. They should be familiar to you.

image  image

The File Carver module makes use of the File Types global folder (which actually combines File Types and File Signatures in v7). Most of the ‘file types’ are listed solely by file extension, but for those that have headers, and the few that have footers, they become available in the new File Carver module dialogue to be carved during Evidence Processing.

I haven’t found any details on how HTML or Webmail files are carved. I will be testing that.

After clicking Next, you are presented with the Export File dialogue screen where you can specify file sizes for when the headers are found.image

And finally – in case you were wondering. You can add Raw Images with this preview. And here’s what a lot of you have been waiting for. I will testing this out for sure.


Posted in EnCase | 2 Comments »

Tagging in Encase v7

Posted by Paul Bobby on May 3, 2011

Now this feature is quite the treat. Previously you had to bookmark groups of files that shared common criteria, such as “C4P categories, malware, to-be-reviewed” etc., which was serial in nature, and often duplicative. So along comes tagging – and it’s sort of fun to use!

First a screen shot:


These are the four tags that come by default with the Encase v7 preview. Behind the Tag Manager pane you will see that I have tagged the RECYCLER entry with all four tags. I expanded the column for you to see the content of the tag, but by default the tag column is small, you wont see the text, but the colors should mean something to you. Furthermore, where you click within the tag cell will determine which tag is applied.


Where you click is defined by the order of the tags in the tag manager. The tags/ordering is saved with the case, and Case Templates (another cool feature) can be created that incorporate your own custom tagging. The new Conditions (which appear to run against the entire case) work well here: search for Tag contains “Review” and get a listing of all files that need to be Reviewed by your reviewer.

I believe this is a great step forward in providing ways to include junior level forensic analysts with senior level analysts all working on the same case. Remember “Evidence Caches” can be copied so that analysts can have their own working copies. I am not sure if a single copy can simply be shared; at this time Encase v7 is constantly reading/writing from the HDD of your examiner, so while theoretically the cache files should remain static, I don’t know enough about the inner workings to be sure. And with only a single dongle for testing, that will have to wait until later.

Posted in EnCase | Leave a Comment »

Encase v7 Conditions

Posted by Paul Bobby on May 3, 2011

Remember, I’m working with the restricted v7 preview of Encase; so things are bound to change.

The v7 preview that we have comes with zero conditions and filters; so I decided to create one. The following screen shows the test:


I then created a quick condition to display only those files with an extension of .JPG:


In Encase v6, executing this condition on the above Table Pane (i.e. those 11 files) would reduce the Table Pane down to five entries. In Encase v7, things are a little different:


We get a whole new tab displayed called “Results”, and in this tab is listed all files across all evidence sources that meet the condition. This is very FTK-like. I like the functionality, it will certainly come in handy, but I also want the old functionality to allow me to slice-and-dice the Table Pane. So far I haven’t discovered if that is possible.

Posted in EnCase | 1 Comment »