Q&A: Transitioning from EnCase Version 6 to Version 7 Webinars
Digital Forensics | Sep 1, 2015
View the webinars: Part 1 and Part 2
Can you discuss how you’ve made reporting less complicated and what resources we could use to simplify reporting even further?
Once the hard work of painstaking analysis and review of an investigation is complete, determining what to share with an external audience is an important, but often time-consuming task. EnCase® Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a polished examination report with a minimum of effort. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power. For those situations, when time is precious and working directly with Report Templates is more complex than desired, we built the Report Template Wizard to make it faster and easier to perform basic reporting modifications directly from Bookmarks.
You can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting while maintaining the power of Report Templates.
We have lots of OS X investigations. What have you done or are you doing to improve Mac support?
In comparison to even just a few years ago, OS X investigation volume continues to grow. In support of this growing need, EnCase 7 has incorporated several capabilities specific to Mac investigations.
EnCase 7 offers comprehensive support for the HFS+ file system, including parsing of extended attributes and AppleDouble files. Native support is provided for visibility inside OS X disk images such as DMG, bundles, and sparse bundles, along with the ability to decrypt containers protected by FileVault 1.
An OS X Processor Module is included to automatically harvest common system information, plists (XML and Binary) as well as system event logs.
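Plists come in both XML and binary form, and an examiner's first job is usually to tell which one is in front of them and pull out a few key values. The following is an added example in Python using the standard library's plistlib, not code from EnCase or from Guidance Software; the sample dictionary, its key names (ProductName, LastLogin and so on) and its values are constructed for the example and do not describe any real system.

```python
import plistlib
from datetime import datetime

# Constructed sample: a dict shaped like an OS X system plist. The keys and
# values are made up for this example and do not come from any real system.
SAMPLE = {
    "ProductName": "Mac OS X",
    "ProductVersion": "10.10.5",
    "LastLogin": {"user": "analyst", "when": datetime(2015, 8, 31, 12, 0, 0)},
}

# The same dictionary serialised both ways; a binary plist starts with "bplist".
XML_PLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
BINARY_PLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)


def detect_format(data: bytes) -> str:
    """Classify raw bytes as a binary plist, an XML plist or something else."""
    if data.startswith(b"bplist"):
        return "binary"
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return "unknown"


def parse_plist(data: bytes) -> dict:
    """Decode either plist format into a dict; reject input that is not a plist."""
    if detect_format(data) == "unknown":
        raise ValueError("input does not look like a property list")
    obj = plistlib.loads(data)  # plistlib detects XML vs. binary itself
    if not isinstance(obj, dict):
        raise ValueError("top-level plist object is not a dictionary")
    return obj


def flatten(obj, prefix=""):
    """Turn nested dicts/lists into dotted key paths so values are easy to scan."""
    flat = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            flat.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            flat.update(flatten(value, f"{prefix}{index}."))
    else:
        flat[prefix.rstrip(".")] = obj
    return flat


def system_summary(data: bytes) -> dict:
    """Pull the handful of keys an examiner wants first from a system plist."""
    flat = flatten(parse_plist(data))
    return {
        "product": flat.get("ProductName"),
        "version": flat.get("ProductVersion"),
        "last_user": flat.get("LastLogin.user"),
        "last_login": flat.get("LastLogin.when"),
    }


if __name__ == "__main__":
    for label, blob in (("xml", XML_PLIST), ("binary", BINARY_PLIST)):
        print(label, detect_format(blob), system_summary(blob))
```

The point of flatten is that the same dotted path ("LastLogin.user") works whether the file was written as XML or binary, so a keyword list built against one format carries over to the other.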
EnCase 7 maintains support for investigation of the latest OS X 10.10 Yosemite versions, including remote investigation of a single OS X machine over the network. When operating in this mode, EnCase 7 has full access to logical volumes, which contain data in an unencrypted state, even when protected by FileVault 2.
I could go on for an hour on this topic alone, but it’s worthwhile to mention a couple of resources:
Take a look at our Digital Forensics Today blog for articles on examining Time Machine Backups and the Quick Look Thumbnail cache.
Check out EnCase® App Central, where several EnCase integrated utilities for OS X investigations are available for free download.
You didn’t discuss decryption. Can you talk a bit about your decryption capabilities?
Dealing with full-disk, full-volume, and file-level encryption is increasingly a firm requirement of any investigation. If your tool can't read the data, it doesn't matter how many artifacts are parsed, or how faithfully the evidence is preserved. You won't find much, and it’s a really inconvenient problem.
Encryption vendors are not incentivized to make it easy to decrypt their protection. Yet, this is exactly the capability investigators need.
EnCase 7 addresses this problem by partnering with the industry leaders in encryption technologies and by delivering fully supported decryption capabilities. Some examples of the partners we integrate with include: Symantec Endpoint Encryption, PGP Whole Disk Encryption, Sophos SafeGuard, WinMagic SecureDoc, Dell Data Protection, McAfee Drive Encryption, and more.
I often hear from investigators: "This decryption capability saved my bacon." It's good in a tight situation.
If you want to triage a case but don’t want to process the case first, what is your recommendation?
I think it's really important that investigators understand there is a lot of diversity in the problems they face and in how those problems need to be solved. Investigators must not only overcome the obstacles of understanding the data, but also do so within time constraints. There's no single way to triage, so EnCase 7 enables several techniques:
a. At times, all you need is a quick look at the evidence to determine whether it is worth processing. Opening one or more evidence files and viewing them in a single view can be very efficient. Add a couple of evidence files or network previews to your Case. In the evidence pane, blue check the files and click the Open button. All of the file system entries can be recursively displayed and sorted, for a quick read of the files and metadata present.
b. Going a bit deeper, you might want to perform some level of processing on the evidence, but review the data as it is being processed. The EnCase Evidence Processor provides Prioritized processing, which allows the investigator to review user-created data first, as it is processed, independent of the contents of the rest of the evidence.
c. Finally, if you have a good sense of what you are looking for, but still want to perform some basic processing on the data itself, an investigator can perform a search to create a result set, and then just process the items in that result set.
I hope you'll take away the fact that the EnCase toolset gives you many options that can be adapted to your needs and workflow.
Can you provide insight into how to set up the processor settings so that EnCase processes the evidence quickly and effectively?
Entire papers have been written and training labs built on this topic, so I won't go into great detail here. Digital Intelligence, makers of the famed FRED workstations, have published a great article on hardware selection for EnCase 7, which I highly recommend.
If I have one bit of advice to share, it's that disk I/O on the EnCase Evidence Cache is the first determining factor of performance in EnCase 7. We're dealing with large datasets with millions of items, so having the fastest I/O subsystem and devices is highly recommended. This is very different from the way EnCase 6 was architected, and understanding that difference is central to a good experience.
How do you mount (View File Structure) multiple files at the same time?
You can try this EnScript®-based filter, available on EnCase App Central.
How could I add the SHA1 hash value to be shown below the MD5 value in the report?
This can be easily modified using the Report Template wizard. You can learn more about this feature in an earlier blog post on the topic.
Can you change reporting properties in Bookmarks?
How do you customize different attributes to show in your report, such as file extension, hash value, deleted, etc.?
We've made modifying and editing reports much simpler in recent releases. From the Bookmarks view, right click on the Bookmark Folder you want to add to your report. You'll be presented with a dialog that allows you to select the part of the report you'd like to add the folder to, and if you like, you can customize the metadata you would like displayed.
I've put together a brief blog post on this topic, which I recommend if you want to learn more at your convenience.
Can v7 analyze IE 11?
Yes, EnCase offers support for parsing and analyzing the contents of IE 10 and IE 11 data formats, specifically the Extensible Storage Engine format, ESEDB.
Ashley apparently showed an inclusion hash list. How would you show excluded hashed items such as from the NSRL list?
Using Hash Libraries, is it possible to easily EXCLUDE hash values? I think the example used here was filtering by looking for specific hashes.
The Find Items by Hash Category filter includes the ability to invert the results, which finds items NOT in the selected categories. In this way, you control what you see by selecting hash categories and choosing whether or not to invert: select a known-good category such as an NSRL import and invert to hide everything it matches, or leave it un-inverted to see only the matches.
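To make the two hash questions above concrete (showing MD5 and SHA1 together in the report, and selecting by hash category with or without inversion), here is an added example in Python. It is not EnCase code and does not use EnCase's hash library format; it sketches the same logic over a small in-memory "library". The item paths, their contents and the category names (known_good, notable) are constructed for the example, and the category sets are filled by hashing those constructed contents rather than from a real NSRL import.

```python
import hashlib

# Constructed sample evidence items (path -> content). In a real case these
# are file entries in the evidence; the paths and contents here are made up.
ITEMS = {
    "/Applications/Calculator.app/Contents/MacOS/Calculator": b"known good binary bytes",
    "/Users/analyst/Documents/plan.docx": b"user document, not in any library",
    "/Users/analyst/Downloads/tool.bin": b"file flagged by an internal hash set",
}


def hashes(data: bytes) -> dict:
    """MD5 and SHA1 of an item's content, the two values the report shows."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


# Hash library: category name -> set of known hash values. Populated here by
# hashing the constructed contents above; in practice a category is imported
# from a set such as NSRL (known good) or an organisation's own list.
LIBRARY = {
    "known_good": {hashes(ITEMS["/Applications/Calculator.app/Contents/MacOS/Calculator"])["md5"]},
    "notable": {hashes(ITEMS["/Users/analyst/Downloads/tool.bin"])["sha1"]},
}


def categories_for(data: bytes, library=LIBRARY) -> set:
    """Every library category whose set contains the item's MD5 or SHA1."""
    h = hashes(data)
    return {
        cat for cat, values in library.items()
        if h["md5"] in values or h["sha1"] in values
    }


def find_by_hash_category(items, selected, invert=False, library=LIBRARY):
    """Paths whose hash falls in any selected category. With invert=True,
    return instead the items in NONE of the selected categories, which is
    the 'hide everything known good' use of the filter."""
    wanted = set(selected)
    result = []
    for path, data in items.items():
        hit = bool(categories_for(data, library) & wanted)
        if hit != invert:
            result.append(path)
    return sorted(result)


def report_rows(items, paths):
    """Rows for the report: path, MD5, then SHA1 on the line below."""
    return [dict(path=p, **hashes(items[p])) for p in paths]


if __name__ == "__main__":
    # Typical triage pass: drop the known-good items, report what is left.
    to_review = find_by_hash_category(ITEMS, ["known_good"], invert=True)
    for row in report_rows(ITEMS, to_review):
        print(row["path"])
        print("  MD5:  " + row["md5"])
        print("  SHA1: " + row["sha1"])
```

Because a category is matched on either hash, an item appears in the result when its MD5 or its SHA1 is in the set, so a library that only carries SHA1 values still works alongside an MD5-only import.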
Can you talk about the difference between conditions and filters and when you should use one versus the other?
Filters allow for more complex logic. Algorithms can be implemented in Filters to work with metadata or content of evidence. Filters are built by Guidance Software, or by investigators comfortable with the EnScript programming language. Several filters are included with EnCase, and you can find more on EnCase App Central.
I’m confused about what is a record versus a bookmark versus something else in v7. It’s different in v6. Can you provide some clarity?
EnCase should provide an accurate estimate of how much longer processing is going to take. My company uses it for incident response, and the client wants to know when they will be provided results. The fact that it can take between a day and a week is unacceptable.
Does the case files size grow as a result of the indexing process? Does this have any impact on the performance of the software?
Does the IM Parser recover instant messenger conversations from Microsoft Lync 2010?