27
Just EnCase Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

Just EnCase

  • Upload
    others

  • View
    18

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Just EnCase

Just EnCase Presented By Larry Russell

CalCPA State Technology Committee

May 18, 2012

Page 2: Just EnCase

What is e-Discovery •  Electronically Stored

Information (ESI) • Discover or Monitor for

Fraudulent Activity •  Tools used by Law

Enforcement, Fraud Investigators, and Internal Audit

•  Performed by Trained Investigator

Page 3: Just EnCase

Where is ESI FoundObvious Locations

•  Key custodians •  File servers, workstations,

laptops •  Registry, memory,

metadata, log files, and cache

• Accounting systems and databases

•  Spreadsheet and other Office Documents

•  E-Mails

Page 4: Just EnCase

Where is ESI FoundNot So Obvious Locations

• Backups and archives • Cloud based storage • External storage devices • Smart phones & cameras • Automobile navigation systems

Page 5: Just EnCase

Guidance Software • EnCase Forensic v7

• https://www.guidancesoftware.com/

Page 6: Just EnCase

What EnCase Does •  Image local & server hard

drives, Smartphones, and other data sources

• Detailed listing of collected evidence

•  Evidence processing •  Keyword searches •  Extract e-mails, meta data,

registry entries, and more • Data analysis and reporting

Page 7: Just EnCase

Hard Drive Imaging • Broad OS and File system support • Capture either physical or logical

volumes

Page 8: Just EnCase

Recover Drive Folders • FAT Volumes

– Search unallocated clusters • NTFS Folders

– Recovers files and folders • UFS and EXT2/3 Partitions

– Parses MFT for missing files & folders • Formatted Drives

– Searches for recoverable files and folders

Page 9: Just EnCase

Support for Standard Encryption Products

•  Disk and volume encryption –  Microsoft BitLocker –  GuardianEdge –  Utimaco SafeGuard Easy –  McAfee SafeBoot –  WinMagic SecureDoc –  PGP Whole Disk

Encryption –  Checkpoint FDE

•  File based encryption –  Microsoft Encrypting File

System (EFS) –  CREDANT Mobile

Guardian –  RMS

•  Mounted files –  PST –  S/MIME encrypted email –  NSF (Lotus Notes) –  Protected storage

(ntuser.dat) –  Security hive –  Active Directory 2003 –  EnCase Logical Evidence

File Version 2 Encryption •  Integrates With

–  Passware Password Recovery Forensics Edition

Page 10: Just EnCase

Passware Password Recovery

• Extracting OST File Password

Page 11: Just EnCase

Deep Analysis of User Activity

• Registry • Logs • System records • System Recovery • Prefetch files • Volatile RAM •  Internet activity

Page 12: Just EnCase

Evidence Processing

Page 13: Just EnCase

Smartphone Acquisition • Apple iOS • RIM Blackberry • Google Android • HP Palm OS • Nokia Symbian • Windows Mobile

Page 14: Just EnCase

File Signature Analysis • Performs file signature analysis and

notes any mismatches, unknown file signatures

Page 15: Just EnCase

Hash Analysis • Libraries

– Primary and Secondary – Metadata can be added to the hash

records – useful for matching file size

• Hash collisions –  In v7 all matching hashes are shown

Page 16: Just EnCase

Create Image Thumbnails • Enables fast previewing of images

Page 17: Just EnCase

Expand Compound Files • Archives

– Up to 15 levels

• Registry • Email storage • And more...

Page 18: Just EnCase

Find Email • PST (Microsoft Outlook) • NSF (Lotus Notes) • DBX (Microsoft Outlook Express) • EDB (Microsoft Exchange) • AOL • MBOX

Page 19: Just EnCase

View Emails

Page 20: Just EnCase

Thread Emails • Prepares email conversations for

reviewing

Page 21: Just EnCase

Find Internet Artifacts • Comprehensive Option • What’s Identified

– History: user's browsing history – Cache: locally stored internet information – Cookies: stored website cookie data – Bookmarks: user's bookmarks and

favorites – Downloads: collects the downloaded data

Page 22: Just EnCase

Find Internet Artifacts

Page 23: Just EnCase

Index Text •  Index engine optimized for forensic

tasks •  Language specific noise file • Min word length limits what will be index • Unicode indexing • Word breaking

–  Integrated Microsoft word-breaking –  Not whitespace delimited – Most conservative word-breaking –  Allows you to break URLs, for example

Page 24: Just EnCase

Keyword Grouping

Page 25: Just EnCase

Keyword Searches

Page 26: Just EnCase

EnScript Modules •  System info parser (Windows, Linux, Mac)

–  Will run proper script to recover artifacts from the device •  IM Parser

–  Updated to support AOL, MSN, Yahoo latest versions –  Output gets put back into the processor tasks

•  File Carving –  Uses same table as signature analysis table –  Describe header and footer in same table. –  Everything gets indexed, can search carved files

•  Windows Artifact Parser –  MFT transaction log, recycle bin, link file parsing all in one

•  EnCase Portable Modules –  All included and searchable

Page 27: Just EnCase

Just EnCase

Any More Questions?


Welcome to EnCase Seminar - FORENSIC-PROOF

Welcome to EnCase Seminar - FORENSIC-PROOF

Documents
EnCase Forensic Technology for Decrypting Stenography ...icact.org/upload/2016/0077/20160077_finalpaper.pdf · EnCase Forensic Technology for Decrypting Stenography Algorithm applied

EnCase Forensic Technology for Decrypting Stenography ...icact.org/upload/2016/0077/20160077_finalpaper.pdf · EnCase Forensic Technology for Decrypting Stenography Algorithm applied

Documents
Encase V7 Presented by Guidance Software august 2011

Encase V7 Presented by Guidance Software august 2011

Technology
td2 quickstart guide website - EnCase€¦ · EnCase and Guidance Software are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions

td2 quickstart guide website - EnCase€¦ · EnCase and Guidance Software are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions

Documents
Global Cyber Protection Training for Public Sector€¦ · EnCase V7 Computer Forensics II • Recovering encrypted and deleted file partitions and folders • EnCase Evidence Processor

Global Cyber Protection Training for Public Sector€¦ · EnCase V7 Computer Forensics II • Recovering encrypted and deleted file partitions and folders • EnCase Evidence Processor

Documents
EnCase eDiscoverystorage.googleapis.com/.../EnCase_eDiscovery.pdf · 2015. 4. 9. · EnCase eDiscovery, they know they’ve made a winning choice for their internal, legal, ... that

EnCase eDiscoverystorage.googleapis.com/.../EnCase_eDiscovery.pdf · 2015. 4. 9. · EnCase eDiscovery, they know they’ve made a winning choice for their internal, legal, ... that

Documents
LTEC 2013 - EnCase v7.08.01 presentation

LTEC 2013 - EnCase v7.08.01 presentation

Education
EnCase Forensic Features and Functionality · EnCase Forensic also features a case indexer. This powerful tool builds a complete index in multiple languages, allowing for fast and

EnCase Forensic Features and Functionality · EnCase Forensic also features a case indexer. This powerful tool builds a complete index in multiple languages, allowing for fast and

Documents
Encase Guide

Encase Guide

Documents
ENCASE CYBER-SECURITY FORENSICS Email Investigation Recovering

ENCASE CYBER-SECURITY FORENSICS Email Investigation Recovering

Documents
EnCase v6.15 Release Notes

EnCase v6.15 Release Notes

Documents
EnCase Enterprise Basic File Collection

EnCase Enterprise Basic File Collection

Education
Forensics: EnCase, Vista and the Recycle Bin · PDF fileForensics: EnCase, Vista and the Recycle Bin This article covers the examination of the recycle bin in Vista Contents Forensics:

Forensics: EnCase, Vista and the Recycle Bin · PDF fileForensics: EnCase, Vista and the Recycle Bin This article covers the examination of the recycle bin in Vista Contents Forensics:

Documents
Encase Anti-transpirant...The film providedwith ENCASE mechanically limits plant transpiration and moisture loss, providing a range of plant benefits including improvements in heat,

Encase Anti-transpirant...The film providedwith ENCASE mechanically limits plant transpiration and moisture loss, providing a range of plant benefits including improvements in heat,

Documents
encase enterprise

encase enterprise

Documents
EnCase Forensic — Transform Your Investigations · EnCase Forensic v7’s New Approach to Digital Forensics: 1) Acquire Evidence - The key to acquiring forensically sound evidence

EnCase Forensic — Transform Your Investigations · EnCase Forensic v7’s New Approach to Digital Forensics: 1) Acquire Evidence - The key to acquiring forensically sound evidence

Documents
EnCase Forensic & Tableau v20.2 Release · OpenText Confidential. ©2020 All Rights Reserved. 1 EnCase Forensic & Tableau v20.2 Release OpenText commitment to Digital Forensics May

EnCase Forensic & Tableau v20.2 Release · OpenText Confidential. ©2020 All Rights Reserved. 1 EnCase Forensic & Tableau v20.2 Release OpenText commitment to Digital Forensics May

Documents
Hi-Point Firearms Forums - Mouseguns.Com Firearms Forums ... Just encase anyone has difficulties reassembling their Carbine please post your problem on the forum "FIRST" before you

Hi-Point Firearms Forums - Mouseguns.Com Firearms Forums ... Just encase anyone has difficulties reassembling their Carbine please post your problem on the forum "FIRST" before you

Documents
Excerpts from EnCase® Introduction to Computer Forensicsgalaxy.cs.lamar.edu/~bsun/forensics/QuickStart_Training.pdf · 4 EnCase® Concepts Disk and Volume Hash Values EnCase calculates

Excerpts from EnCase® Introduction to Computer Forensicsgalaxy.cs.lamar.edu/~bsun/forensics/QuickStart_Training.pdf · 4 EnCase® Concepts Disk and Volume Hash Values EnCase calculates

Documents
EnCase Version 7.05 Release Notes - EMTemt.com.tr/encaseexaminerv705releasenotes.pdf · EnCase ® Version 7.05 ... Depending on the modules you chose to run and what they found, you

EnCase Version 7.05 Release Notes - EMTemt.com.tr/encaseexaminerv705releasenotes.pdf · EnCase ® Version 7.05 ... Depending on the modules you chose to run and what they found, you

Documents
EnCase Forensic Imager v7.09 User's Guide

EnCase Forensic Imager v7.09 User's Guide

Documents
Encryption Trucrypt Encase

Encryption Trucrypt Encase

Documents
Know Your Adversary: An Adversary Model for Mastering ...3.4 Endpoint Forensics Collection RSA ECAT, Carbon Black, Guidant, EnCase 3.5 Malware Analysis Invincea, EnCase, Cisco ThreatGrid,

Know Your Adversary: An Adversary Model for Mastering ...3.4 Endpoint Forensics Collection RSA ECAT, Carbon Black, Guidant, EnCase 3.5 Malware Analysis Invincea, EnCase, Cisco ThreatGrid,

Documents
Forensic Reporting with EnCase - Georgia State University

Forensic Reporting with EnCase - Georgia State University

Documents
Guidance Software EnCase Enterprise Security Target

Guidance Software EnCase Enterprise Security Target

Documents
EnCase Version 6.12 Modules Manual

EnCase Version 6.12 Modules Manual

Documents
Windows Memory Forensic Analysis using EnCase

Windows Memory Forensic Analysis using EnCase

Technology
Encase Module

Encase Module

Documents
EnCase Forensic Imager v7.06 User's Guide

EnCase Forensic Imager v7.06 User's Guide

Documents
GUIDANCE SOFTWARE EnCase Forensic v7forensicsguru.com/pdf/EnCase_CF1_v7_Syllabus.pdf · GUIDANCE SOFTWARE | EnCase Forensic v7 EnCase® Computer Forensics I Syllabus Day 1 Day one

GUIDANCE SOFTWARE EnCase Forensic v7forensicsguru.com/pdf/EnCase_CF1_v7_Syllabus.pdf · GUIDANCE SOFTWARE | EnCase Forensic v7 EnCase® Computer Forensics I Syllabus Day 1 Day one

Documents