Encase V7 Presented by Guidance Software august 2011

The Next Evolution in Digital Forensics

Steve Salinas Product Marketing Manager Forensic Business Unit June 2011

EnCase© Portable v3

EnCase© Forensic v7 Agenda

• EnCase Forensic – v6 Review

– v7’s New Approach to Forensics

– v7 Demonstration

– v7 Housekeeping

• EnCase Portable – Product Review

– Demonstration 7/26/2011 Guidance Software, Inc. 2011, All Rights Reserved

EnCase© Forensic v7 The Evolution of v6

7/26/2011 Guidance Software, Inc. 2011, All Rights Reserved

EnCase© Forensic v7 EnCase® Forensic v6: A user-driven workflow

• EnCase Forensic v6 – Examiner must know which functions to run from several locations – Associations must be manually identified by the investigator – The deeper the analysis, the more data to review


Locate item of interest

Expand search Browse results

EnCase© Forensic v7 EnCase® Forensic v7: Let EnCase do the work

• Complete common processing and indexing before the examiner looks at the case – Template-driven, user-configured – Not required… Examiner can jump directly into evidence and choose to run later


Find item of interest EnCase automatically finds related items

EnCase Processor

Demonstration

EnCase© Forensic v7 v7 is about a New Approach

• A New Approach to – Navigation – Processing – Searching – Email – Smartphones and Tablets – Reporting – EnScripts – Evidence Management


EnCase© Forensic v7 EnCase Processor

• Recover Folders – FAT Volumes

• Searches through the unallocated clusters of a specific FAT partition for the signature of a deleted folder

• Rebuilds files and folders that were within that deleted folder

– NTFS Folders • Recovers files and folders from Unallocated Clusters and continues to parse through the

current Master File Table (MFT) records for files without parent folders.

– UFS and EXT2/3 Partitions • Parses the MFT to find files listed but that have no parent directory. All of these files are

recovered and placed into the gray Lost Files folder

– Formatted Drives • Searches through the drive and recovers folders, subfolders and files from within those

folders if the information is still available



• File Signature Analysis – Performs file signature analysis and notes any

mismatches, unknown file signatures

• Protected File Analysis – Devices searched recursively

– As compound files found, sent through processor functions

– Passware integration



• Hash Analysis – Both MD5 and SHA-1 supported – Libraries

• Primary and Secondary • Metadata can be added to the hash records • useful for matching file size

– Hash collisions • In v6, only the first hash math would be shown • In v7 all matching hashes are shown

– Tagging • Add tag to hash value, such as conviction for a CP image that was used to

try, prosecute, and convicted



• Expand Compound Files – Archives

• Up to 15 levels

– Registry

• Find Email – PST (Microsoft Outlook) – NSF (Lotus Notes) – DBX (Microsoft Outlook Express) – EDB (Microsoft Exchange) – AOL – MBOX



• Find Internet Artifacts – Comprehensive Option – What’s Identified

• History: user's browsing history • Cache: locally stored internet information • Cookies: stored website cookie data • Bookmarks: user's bookmarks and favorites • Downloads: collects the downloaded data

• Search for Keywords – Enter keywords – Processor will search for keyword and store hits



• Index Text – Index engine optimized for forensic tasks – Language specific noise file – Min word length limits what will be index – Unicode indexing – Word breaking

• Integrated Microsoft word-breaking • Not whitespace delimited • Most conservative word-breaking • Allows you to break URLs, for example



• EnScript Modules – System info parser (Windows, Linux, Mac)

• Will run proper script to recover artifacts from the device

– IM Parser • Updated to support AOL, MSN, Yahoo latest versions • Output gets put back into the processor tasks

– File Carving • Uses same table as signature analysis table • Describe header and footer in same table. • Everything gets indexed, can search carved files

– Windows Event Log Parser – Windows Artifact Parser

• MFT transaction log, recycle bin, link file parsing all in one

– Unix Login – Linux Syslog Parser – Personally Identifiable Information

• Credit Cards, phone numbers, email addresses, and SSNs



• Custom Modules

– Custom EnScript modules can be added to the processor

– Output can be indexed



• Other Capabilities

– Command Line

– Process devices individually

• Separate cases integrated back into a new case

• Output can be copied to network share or used as local evidence

– Templates


EnCase© Forensic v7 Processor Workflow


Recover Folders (Each volume)

Hash, Signature, and Protected file

Analysis

Acquire (Device)

Device

If not mounted, continue processing Mount

Archive LEF

Processing Queue

Thread DB

Thumbnail LEF

Transcript LEF

Device Index

EnScript Modules (Device)

Device Index

Internet LEF

Module LEF

Send to processing

queue when device is finished

EnScript Modules (Transcript)

Index

Create Thumbnail

Email Threading

Internet Artifacts

EnCase© Forensic v7 Processor – Output Details


Archive LEF One Archive LEF generated

per Mounted Entry

Internet/Thumbs/

Transcript/

Module LEF

One Internet/Thumbs/

Transcript/Module LEF

generated per Primary

Device

Thread DB One Thread DB generated

per Primary Device

Device Index One Index generated per

Primary Device

Device Cache One Device Cache

generated per Primary

Device and Archive

Primary Device Folder

EmailThreads.sqlite Email Threading DB

DeviceIndex.L01 Index

I_<GUID>.L01 Internet Artifacts

Transcript.L01 Transcript Cache

P_<GUID>.L01 Thumbnail Cache

M_<GUID>.L01 Module Results

DC_<GUID>.dch Device Cache

E_<GUID>.L01 Email LEFs

A_<GUID>.L01 Archive LEFs

SearchHits.bin Search Hits

Evidence.bin Device Information

Evidence Cache - Storage details


• Automation for

– Ease-of-Use

– Efficiency

– Accuracy

– Effectiveness


Query Snytax

EnCase© Forensic v7 Index – Syntax Examples

Syntax Example Keyword Search x pirate

Phrase Search "x y z" "shiver me timbers"

Find any word in a document, either word must appear in the document

or

pirate OR parrot OR ninja OR ship

All words must appear in document and

pirate AND parrot AND ninja AND ship

Exclude the second search term

not pirate NOT ninja

Operators as Keywords "And", "Or", "Not" pirates "and" ninjas


EnCase© Forensic v7 Index – Syntax Examples Proximity Syntax Example First word must occur within specified number of words of the second

w/n pirate w/5 treasure

First word must precede second within specified number of words

pre/n pirate pre/5 treasure

First word must not occur within specified number of words of the second

nw/n pirate nw/5 ninja

First word must not precede second within specified number of words

npre/n pirate npre/5 ninja

Find word within a specified number of words from the beginning of the document

w/n firstword pirate w/10 firstword

Find word within a specified number of words from the end of the document

w/n lastword pirate w/10 lastword

Find word more than a specified number of words from the beginning of the document

nw/n firstword pirate nw/10 firstword

Find word within a specified number of words at the end of the document

w/n lastword pirate nw/10 lastword

Find items containing less than specified number of words firstword w/n lastword firstword w/5 lastword

Find items containing more than a specified number of words firstword nw/n lastword firstword nw/5 lastword


EnCase© Forensic v7 Index Syntax Examples

Fields Syntax Example Message Size [Message Size] [Message Size]#1024# Logical Size [Logical Size] [Logical Size]#1024# Modified

[Modified] *See Dates Created [Created] *See Dates BCC

[BCC] [BCC][email protected] Subject [Subject] [Subject]Landlubbers Message Size [Message Size] [Message Size]#1024#



Dates (within a date field) Syntax Example Year

[Field]#YYYY# [Modified]#2010#

Day [Field]#YYYY-MM-DD# [Modified]#2010-01-01#

Day, Hour, Minute

[Field]#YYYY-MM-DDTHH:MM# [Modified]#2010-01-01T012:00#

Day, Hour, Minute, Second [Field]#YYYY-MM-DDTHH:MM:SS#

[Modified]#2010-01-01T012:00:01#

Date Range [Field]#YYYY-MM-DD…YYYY-MM-

DD#

[Modified]#2010-01-01...2010-03-01#

[Field]#YYYY…# [Created]#2010…#

Date Range (Hour Offset) [Field](#YYYY-MM-DDTHH:MM:SS-

HH:SS…YYYY-MM-DD#)

[Modified](#2010-01-01T12:00:01-07:08...2010-03-01#)



Wildcards Syntax Example single character

? pi?ate multiple character

* pirate or nin* Stemming

~ <s:variable x y z> Sail~ <s:sail sail sails sailing sailed>

Additional Syntax Example Case Sensitive <c> <c>"Davey Jones" Case Insensitive <-c> <c>"Davey Jones" <-c>pirate Numeric Range

#x…y# #123…456#

#...y# #...123#

#x…# #456…#

Grouping x OR (y NOT z) pirate OR (ship NOT ninja)


EnCase© Forensic v7 Searching Processed Data

• Index query

– General search • gossip

– Field • [Extension]docx

– Date Search • [Written]#...2008#


EnCase© Forensic v7 Searching Processed Data

• Index query

– Proximity search • ("Formula Three" w/3 Trucking)

– Internet • *hulu.com

– Modules • “North Korea”


EnCase© Forensic v7 Additional Enhancements

Continue to do what EnCase has

historically done best

– Broad OS and File system support

– Increase support for standard encryption products • File-based, enterprise, and whole disk

– Deep analysis of user activity artifacts • Registry, logs, system records, etc.


EnCase© Forensic v7 Raising the Bar

• Focus on the user

– Processor to automate indexing and common tasks

– Efficient searching for “items of interest”

– Automated ability to find “related items”



• New indexing engine

– Leverages the powerful new indexing engine used in EnCase® eDiscovery

– Sophisticated searching across data & metadata

– Versatile query syntax to support basic and advanced users



• Template driven pre-processing and report generation

– Automate repetitive tasks

– Facilitate consistent, organizationally-approved best practices


EnCase© Forensic v7 Training

• Perfect Time to Learn or Update Skills – V7 is a shift in the workflow V6 users are accustomed to

– All GSI facilities teaching classes in V7 beginning July 2011

– Training Partners have access to V7 materials

– The Training Passport is a cost effective way to learn V7

– V6 training still available via OnDemand


EnCase© Forensic v7 Training

• EnCase Essential

– Included with all purchases and upgrades

– An OnDemand course designed to familiarize a new user with the basic use of V7

– A guide for V6 users to get a feel for the new interface.


Pricing Information

EnCase© Forensic v7 v7 Pricing at a Glance


Product License Price SMS (Software, Maintenance, & Support)

EnCase® Forensic v7 $2995.00* 1 yr @ 20% license price* 2 yr @ 18% license price* 3 yr @ 16% license price*

EnCase® Forensic v6 Upgrade to EnCase® Forensic v7

$896.00* 1 yr SMS: $599.00* (20% retail price) 2 yr SMS: $1078.20*(18% retail price x2) 3 yr SMS: $1437.60*(16% retail price x 3)

EnCase® Forensic Deluxe No Longer Offered

PLSP No Longer Offered

EnCase® ProSuite No Longer Offered

Individual Modules No Longer Offered

EnCase® Neutrino Product has been End of Lifed

Customers current on SMS or PLSP received EnCase Forensic v7 at no cost * International pricing may vary, SMS is required on all upgrades and new licenses

EnCase Portable: Forensic Triage & Data Collection in the Field

EnCase© Portable v3 Business Issues - Problems

• Corporate IT – One organization, many networks – Remote employees infrequently on the network – Limited resources

• Law Firms – Delay between request for collection and data being collected – Rely on outside resources or client self collection – Expensive to use these outside resources and risky to rely on self-collection

• Law Enforcement – Vast amounts of data to collect – Limited resources – Trade-offs between casework and collection


EnCase© Portable v3 Business Issues – Impacts

• Corporate IT – Specialists may need travel to remote location to collect data – Employees may be forced to send their machine to corporate – Downtime for both employees

• Law Firms – Time to case resolution – Risk – High consulting costs (Airfare, meals, hotels, etc.)

• Law Enforcement – Case backlog grows – Longer time to case resolution – Potentially vital data missed


EnCase© Portable v3 Business Issue – Solutions

• Corporate IT – Non-expert collect using trusted & proven technology – No training needed to collect (basic computer skills only) – Allowing employees to retain their machines – Keeping expert resources focused on core competency (analysis)

• Law Firms – Immediate data collection & preservation – Reduce cost – Collect with internal personnel with little training required

• Law Enforcement – Collect data without requiring forensic expert – Data not altered during search and collection – Option to have immediate access to data


EnCase© Portable v3 EnCase Portable

• Automated forensic triage and collection from a USB device, designed for use when – Immediate access to evidence is required

– Field personnel, the users of EnCase Portable, have no forensic training and/or experience

– Large number of computers in the field to triage

– Ability to review data immediately can provide actionable results


EnCase© Portable v3 Core Capabilities

• Customizable job creation

– Use keywords and hash values to perform targeted collections

– Memory acquisition

– Full disk imaging


EnCase© Portable v3 Core Capabilities

• Multiple operating modes – Live mode

– Boot mode

• Live triage – Instantly view images on the target machine

– Review documents in real-time

• Forensically sound – Search and collect while preserving metadata


EnCase© Portable v3 Product Overview - Benefits

• Benefits – Triage suspect computers instantly – Preserve digital evidence in the court-vetted EnCase

evidence file format – Triage computers in remote locations without sending

forensic experts – Seamlessly integrate collected data into EnCase®

Forensic or EnCase® Enterprise for analysis – Create a repeatable and defensible triage and collection

process using non-technical personnel


EnCase© Portable v3 Triage Case Studies

• Parolee Home Visit

– During visit, triage solution used to review images, internet history on parolee’s computer

– Real-time feedback signals probation officer if parolee has violated terms of parole



• Border Crossing

– Person of interest attempts to enter/leave territory

– Agent uses Triage solution to search computer, looking for known terrorist websites, watch list names, etc.

– In minutes agent can detect if person should be detained for further questioning



• Cyber-bullying at a University

– Security Team uses triage solution to search computer for Twitter, Facebook logs for evidence of cyber-bullying

– Discovering evidence, action against student is taken


EnCase© Portable v3 What’s the Takeaway

• Effective Triage can

– Provide real-time feedback for first responders

– Help target activities of on-site investigations

– Assist in identifying suspects and victims

– Uncover related misdoings

– Provide forensic specialists with direction and focus for investigation


EnCase© Portable v3 How EnCase Portable Works


1. Configured device given to field

agents

2. Field agents triage target

computers

3. Collected evidence sent back to

experts for analysis in EnCase

EnCase© Portable v3 EnCase Portable

• With EnCase Portable – Enable first responders to perform triage in a matter

of minutes

– Review evidence immediately

– Utilize proven capabilities of EnCase

– Store data in forensically sounds Logical Evidence File or E01 Formats

– Fully integrated with EnCase


Advancing the art of Field Triage and Acquisition

EnCase© Portable v3 Portable v3 – New Capabilities

• New Portable Management App

– Create/Edit Jobs

– Device Management

– Prepare Storage

– Manage Evidence



• In-Field Job Creation

– Right from EnCase Portable

– No installation of EnCase required

– Jobs can be shared after created



• New module support

– System Info Parser

– Windows Artifact Parser

– IM Parser

– Log Parsers (Windows, Unix, Linux)


Pricing Information

EnCase© Portable v3 v3 Pricing at a Glance

Offering License Price SMS Price (Software, Maintenance, and Support)

EnCase® Portable - Single $1,175.00*

1 yr @ 20% license price* 2 yr @ 18% license price* 3 yr @ 16% license price*

EnCase® Portable 3-Pack $3,299.00*



EnCase® Portable 1-year Term $695.00*

EnCase® Portable 2-year Term $1,195.00*

EnCase® Portable 3-year Term $2,085.00*

Customers with current EnCase Portable SMS will receive v3 at no cost * International pricing may vary, SMS is required on all EnCase Portable licenses


EnCase© Portable v3

EnCase© Forensic v7 Learn More

• EnCase Forensic v7 http://www.guidancesoftware.com/encase-forensic-v7-whats-new.htm

• EnCase Portable v3 http://www.guidancesoftware.com/encase-portable.htm

• Follow Us – Facebook: facebook.com/guidancesoftware

– Twitter: twitter.com/encase

– My Twitter: @Steve_at_EnCase

– v7 Twitter HashTag: #EF7

• Get the news from Guidance Software http://www.guidancesoftware.com/newsroom.htm


Technology

Encase V7 Presented by Guidance Software august 2011