Encase V7 Presented by Guidance Software, August 2011
Transcript

  • 1. The Next Evolution in Digital Forensics
     Steve Salinas, Product Marketing Manager, Forensic Business Unit
     June 2011
  • 2. Agenda (EnCase® Forensic v7 and EnCase® Portable v3)
     • EnCase Forensic
        – v6 Review
        – v7's New Approach to Forensics
        – v7 Demonstration
        – v7 Housekeeping
     • EnCase Portable
        – Product Review
        – Demonstration
     7/26/2011 Guidance Software, Inc. 2011, All Rights Reserved
  • 3. EnCase® Forensic v7: The Evolution of v6
  • 4. EnCase® Forensic v6: A user-driven workflow
     Locate item of interest → Expand search → Browse results
     • EnCase Forensic v6
        – Examiner must know which functions to run from several locations
        – Associations must be manually identified by the investigator
        – The deeper the analysis, the more data to review
  • 5. EnCase® Forensic v7: Let EnCase do the work
     EnCase Processor → Find item of interest → EnCase automatically finds related items
     • Complete common processing and indexing before the examiner looks at the case
        – Template-driven, user-configured
        – Not required: the examiner can jump directly into evidence and choose to run processing later
  • 6. Demonstration
  • 7. v7 is about a New Approach
     • A New Approach to
        – Navigation
        – Processing
        – Searching
        – Email
        – Smartphones and Tablets
        – Reporting
        – EnScripts
        – Evidence Management
  • 8. EnCase Processor
     • Recover Folders
        – FAT Volumes
           • Searches the unallocated clusters of a specific FAT partition for the signature of a deleted folder
           • Rebuilds the files and folders that were within that deleted folder
        – NTFS Folders
           • Recovers files and folders from unallocated clusters, then continues to parse the current Master File Table (MFT) records for files without parent folders
        – UFS and EXT2/3 Partitions
           • Parses the inode table (these file systems have no MFT) to find files that are listed but have no parent directory; all such files are recovered and placed into the gray Lost Files folder
        – Formatted Drives
           • Searches the drive and recovers folders, subfolders and the files within those folders if the information is still available
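The FAT branch of Recover Folders, worked through as an added example (Python, not Guidance Software code and not EnScript). Every FAT subdirectory cluster begins with a "." entry followed by a ".." entry, and deleting the folder only overwrites the first byte of its entry in the *parent* directory with 0xE5, so the cluster itself keeps that signature until it is reused. The scanner below looks for the pair in a constructed "unallocated" buffer and rebuilds the 8.3 listing behind it; the buffer, file names and cluster numbers are constructed for the example, and recovering file content would additionally require following the FAT chain from each entry's first cluster.

```python
"""Scan a raw FAT region for the '.'/'..' signature of a (deleted) folder and rebuild its listing.
Added example for the 'Recover Folders - FAT Volumes' step; only 8.3 names are handled and
long-file-name entries are skipped. SAMPLE_UNALLOCATED is constructed, not taken from an image."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ENTRY_SIZE = 32
ENTRY_FMT = "<11sBBBHHHHHHHI"   # name+ext, attr, NT reserved, create tenths, create time/date, access date,
                                 # first-cluster high, write time/date, first-cluster low, file size
ATTR_DIRECTORY = 0x10
ATTR_LFN = 0x0F                  # long-file-name piece (skipped)
DELETED_MARKER = 0xE5
END_OF_DIR = 0x00
DOT_NAME = b".".ljust(11)
DOTDOT_NAME = b"..".ljust(11)


@dataclass
class DirEntry:
    name: str
    is_dir: bool
    deleted: bool
    first_cluster: int
    size: int


def make_entry(name: str, ext: str, attr: int, cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build one 32-byte directory entry for the constructed sample (timestamps left zero)."""
    raw_name = name.encode("ascii").ljust(8) + ext.encode("ascii").ljust(3)
    if deleted:
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    return struct.pack(ENTRY_FMT, raw_name, attr, 0, 0, 0, 0, 0,
                       (cluster >> 16) & 0xFFFF, 0, 0, cluster & 0xFFFF, size)


def parse_entry(raw: bytes) -> Optional[DirEntry]:
    """Decode one entry; None for LFN pieces and never-used slots."""
    raw_name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, raw)
    if attr == ATTR_LFN or raw_name[0] == END_OF_DIR:
        return None
    deleted = raw_name[0] == DELETED_MARKER
    base = raw_name[:8].decode("ascii", "replace").rstrip()
    ext = raw_name[8:].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]        # the first character was overwritten by 0xE5 and is lost
    name = f"{base}.{ext}" if ext else base
    return DirEntry(name, bool(attr & ATTR_DIRECTORY), deleted, (hi << 16) | lo, size)


def is_directory_signature(buf: bytes, off: int) -> bool:
    """True when a '.' entry followed by a '..' entry, both with the directory attribute, starts at off."""
    dot, dotdot = buf[off:off + ENTRY_SIZE], buf[off + ENTRY_SIZE:off + 2 * ENTRY_SIZE]
    return (len(dotdot) == ENTRY_SIZE
            and dot[:11] == DOT_NAME and bool(dot[11] & ATTR_DIRECTORY)
            and dotdot[:11] == DOTDOT_NAME and bool(dotdot[11] & ATTR_DIRECTORY))


def recover_folders(unallocated: bytes, step: int = ENTRY_SIZE) -> List[List[DirEntry]]:
    """Walk the buffer; at each '.'/'..' signature rebuild that folder's entries.
    A real scanner steps by cluster size (directories start on cluster boundaries); stepping by one
    entry is the conservative choice when the cluster size is unknown."""
    folders: List[List[DirEntry]] = []
    off = 0
    while off + 2 * ENTRY_SIZE <= len(unallocated):
        if not is_directory_signature(unallocated, off):
            off += step
            continue
        entries: List[DirEntry] = []
        pos = off + 2 * ENTRY_SIZE           # skip '.' and '..'
        while pos + ENTRY_SIZE <= len(unallocated):
            raw = unallocated[pos:pos + ENTRY_SIZE]
            if raw[0] == END_OF_DIR:         # end-of-directory marker
                break
            entry = parse_entry(raw)
            if entry is not None:
                entries.append(entry)
            pos += ENTRY_SIZE
        folders.append(entries)
        off = pos
    return folders


# Constructed "unallocated" region: zero padding, then the cluster of a folder whose entry in its
# parent was deleted. The cluster still holds '.', '..', one live file and one deleted file.
SAMPLE_UNALLOCATED = (
    b"\x00" * 96
    + make_entry(".", "", ATTR_DIRECTORY, 7, 0)
    + make_entry("..", "", ATTR_DIRECTORY, 0, 0)
    + make_entry("REPORT", "DOC", 0x20, 9, 4096)
    + make_entry("SECRET", "XLS", 0x20, 12, 20480, deleted=True)
    + b"\x00" * 64
)

if __name__ == "__main__":
    for folder in recover_folders(SAMPLE_UNALLOCATED):
        for e in folder:
            print(f"{'deleted' if e.deleted else 'live':8} {e.name:14} cluster={e.first_cluster} size={e.size}")
```

Deleted entries come back with "?" in place of the lost first character, which is what an examiner sees in a recovered FAT listing; the live REPORT.DOC is found alongside it because the whole folder, not just the deleted file, had dropped out of the directory tree.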
  • 9. EnCase Processor
     • File Signature Analysis
        – Performs file signature analysis and notes any mismatches and unknown file signatures
     • Protected File Analysis
        – Devices searched recursively
        – As compound files are found, they are sent through the processor functions
        – Passware integration
  • 10. EnCase Processor
     • Hash Analysis
        – Both MD5 and SHA-1 supported
        – Libraries
           • Primary and Secondary
           • Metadata can be added to the hash records (useful for matching file size)
        – Hash collisions
           • In v6, only the first hash match was shown
           • In v7, all matching hashes are shown
        – Tagging
           • Add a tag to a hash value, e.g. a conviction tag for a CP image that was used to try, prosecute and convict
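The File Signature Analysis step (slide 9) and the Hash Analysis step (slide 10) as one added example pass in Python (not EnCase code). The signature table holds a handful of well-known magic values, and the sample files and hash library are constructed; the library deliberately carries the same hash three times (primary, secondary, and a secondary record with a wrong stored size) to show every match being reported rather than only the first, with the record's stored size and SHA-1 used as the confirmation metadata the slide mentions.

```python
"""File signature analysis plus MD5/SHA-1 hash-library matching over constructed files.
Added example, not EnCase code. 'mismatch' means a known magic under the wrong extension,
'unknown' means no known magic; a hash lookup returns *all* records sharing the MD5."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (extension the magic implies, magic bytes, byte offset). Real tables hold thousands of rows.
SIGNATURES: List[Tuple[str, bytes, int]] = [
    ("jpg", b"\xFF\xD8\xFF", 0),
    ("png", b"\x89PNG\r\n\x1a\n", 0),
    ("pdf", b"%PDF-", 0),
    ("zip", b"PK\x03\x04", 0),
    ("exe", b"MZ", 0),
]
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe"}


def signature_analysis(name: str, data: bytes) -> str:
    """'match', 'mismatch' or 'unknown' for a file name and its content."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    implied = [sig_ext for sig_ext, magic, off in SIGNATURES if data[off:off + len(magic)] == magic]
    if not implied:
        return "unknown"
    return "match" if ext in implied else "mismatch"


@dataclass(frozen=True)
class HashRecord:
    library: str      # "primary" or "secondary"
    md5: str
    sha1: str
    size: int         # metadata stored with the hash, used to sanity-check a hit
    tag: str          # e.g. "known-good" or a case-specific tag


class HashLibrary:
    def __init__(self, records: List[HashRecord]):
        self._by_md5: Dict[str, List[HashRecord]] = {}
        for r in records:
            self._by_md5.setdefault(r.md5, []).append(r)

    def lookup(self, data: bytes) -> List[Tuple[HashRecord, bool]]:
        """Every record sharing the file's MD5 (all of them, not just the first), each with a flag
        saying whether its SHA-1 and stored size also agree with the file."""
        md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
        return [(r, r.sha1 == sha1 and r.size == len(data)) for r in self._by_md5.get(md5, [])]


def process(files: Dict[str, bytes], library: HashLibrary) -> Dict[str, dict]:
    """Run both checks over a name -> content mapping."""
    report = {}
    for name, data in files.items():
        report[name] = {
            "signature": signature_analysis(name, data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "hash_hits": [(r.library, r.tag, confirmed) for r, confirmed in library.lookup(data)],
        }
    return report


# Constructed inputs: a JPEG header, a PDF renamed to .txt, an Office file (ZIP container),
# an unrecognisable blob, and a fake PE header that appears in the library three times.
SAMPLE_FILES: Dict[str, bytes] = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 8,
    "notes.txt": b"%PDF-1.4\n%constructed\n",
    "report.docx": b"PK\x03\x04" + b"\x00" * 12,
    "blob.bin": b"\x00\x01\x02\x03",
    "tool.exe": b"MZ\x90\x00constructed-pe",
}


def _record(library: str, data: bytes, tag: str, size: int = -1) -> HashRecord:
    return HashRecord(library, hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
                      len(data) if size < 0 else size, tag)


SAMPLE_LIBRARY = HashLibrary([
    _record("primary", SAMPLE_FILES["tool.exe"], "known-good"),
    _record("secondary", SAMPLE_FILES["tool.exe"], "case-notable"),
    _record("secondary", SAMPLE_FILES["tool.exe"], "stale-size", size=999),   # same hash, wrong stored size
])

if __name__ == "__main__":
    for name, row in process(SAMPLE_FILES, SAMPLE_LIBRARY).items():
        print(f"{name:12} {row['signature']:9} {row['md5']} hits={row['hash_hits']}")
```

The renamed PDF is the case signature analysis exists for: the extension says text, the bytes say PDF. On the hash side, reporting all three library records (and flagging the one whose stored size disagrees) is the v7 behaviour described above; a tool that stopped at the first record would show only the "known-good" tag and hide the case-specific one.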
  • 11. EnCase Processor
     • Expand Compound Files
        – Archives
           • Up to 15 levels
        – Registry
     • Find Email
        – PST (Microsoft Outlook)
        – NSF (Lotus Notes)
        – DBX (Microsoft Outlook Express)
        – EDB (Microsoft Exchange)
        – AOL
        – MBOX
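Archive expansion "up to 15 levels", as an added Python example (not EnCase code) of the two guards a processor needs when it descends into nested archives: a depth cap, and a budget on the bytes actually inflated so a decompression bomb (a few kilobytes that expand to gigabytes) cannot exhaust the examiner's machine. The nested ZIPs and the bomb are constructed in memory by the helpers at the bottom; the depth limit of 15 is taken from the slide, the 10 MB default budget is an assumption for the example.

```python
"""Expand nested ZIP archives to a bounded depth with a byte budget. Added example, not EnCase code.
The budget counts inflated output as it is streamed, not the size the member header claims,
so a bomb that lies about its size is still stopped."""
import io
import zipfile
from typing import List, Tuple

MAX_DEPTH = 15          # from the slide: archives are expanded up to 15 levels
CHUNK = 64 * 1024


class BudgetExceeded(Exception):
    pass


def is_zip(data: bytes) -> bool:
    return data[:4] == b"PK\x03\x04"


def expand(data: bytes, root: str = "<root>", max_depth: int = MAX_DEPTH,
           byte_budget: int = 10_000_000) -> List[Tuple[str, int, int]]:
    """Return (virtual path, depth, inflated size) for every member, recursing into nested ZIPs."""
    entries: List[Tuple[str, int, int]] = []
    spent = [0]                                   # inflated bytes so far, shared across the recursion

    def walk(blob: bytes, vpath: str, depth: int) -> None:
        if depth > max_depth or not is_zip(blob):
            return                                # level 15 is listed but not opened
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                chunks: List[bytes] = []
                with zf.open(info) as fh:
                    while True:
                        chunk = fh.read(CHUNK)
                        if not chunk:
                            break
                        spent[0] += len(chunk)
                        if spent[0] > byte_budget:
                            raise BudgetExceeded(f"{vpath}/{info.filename}: {byte_budget} byte budget exceeded")
                        chunks.append(chunk)
                member = b"".join(chunks)
                child = f"{vpath}/{info.filename}"
                entries.append((child, depth, len(member)))
                walk(member, child, depth + 1)

    walk(data, root, 1)
    return entries


def exceeds_budget(data: bytes, byte_budget: int) -> bool:
    """True if expanding `data` would inflate more than `byte_budget` bytes."""
    try:
        expand(data, byte_budget=byte_budget)
        return False
    except BudgetExceeded:
        return True


def nest(levels: int, payload: bytes = b"constructed payload\n") -> bytes:
    """Constructed sample: a ZIP nested `levels` deep whose innermost member is payload.txt."""
    blob, name = payload, "payload.txt"
    for level in range(levels, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"level{level}.zip"
    return blob


def bomb(inflated_size: int = 5_000_000) -> bytes:
    """Constructed sample: a few kilobytes that inflate to `inflated_size` zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * inflated_size)
    return buf.getvalue()


if __name__ == "__main__":
    for path, depth, size in expand(nest(3)):
        print(f"{'  ' * depth}{path}  ({size} bytes)")
    print("bomb stopped:", exceeds_budget(bomb(), 1_000_000))
```

A 20-level sample yields exactly 15 entries and never reaches payload.txt, which is the slide's "up to 15 levels" made concrete; the same expander applied to other container types (the processor also opens registry hives and mail stores) needs the same two guards.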
  • 12. EnCase Processor
     • Find Internet Artifacts
        – Comprehensive Option
        – What's Identified
           • History: user's browsing history
           • Cache: locally stored internet information
           • Cookies: stored website cookie data
           • Bookmarks: user's bookmarks and favorites
           • Downloads: collects the downloaded data
     • Search for Keywords
        – Enter keywords
        – Processor will search for each keyword and store the hits
  • 13. EnCase Processor
     • Index Text
        – Index engine optimized for forensic tasks
        – Language-specific noise file
        – Minimum word length limits what will be indexed
        – Unicode indexing
        – Word breaking
           • Integrated Microsoft word-breaking
           • Not whitespace delimited
           • Most conservative word-breaking
           • Allows you to break URLs, for example
  • 14. EnCase Processor
     • EnScript Modules
        – System Info Parser (Windows, Linux, Mac)
           • Runs the proper script to recover artifacts from the device
        – IM Parser
           • Updated to support the latest AOL, MSN and Yahoo versions
           • Output is put back into the processor tasks
        – File Carving
           • Uses the same table as signature analysis
           • Header and footer are described in the same table
           • Everything gets indexed, so carved files can be searched
        – Windows Event Log Parser
        – Windows Artifact Parser
           • MFT transaction log, recycle bin and link file parsing all in one
        – Unix Login
        – Linux Syslog Parser
        – Personally Identifiable Information
           • Credit cards, phone numbers, email addresses and SSNs
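What a Personally Identifiable Information module has to do beyond pattern matching, as an added Python example (not the EnCase module): regular expressions find candidate credit-card numbers, US SSNs, e-mail addresses and North American phone numbers, and each candidate is then validated (Luhn check for cards, SSA allocation rules for SSNs) so that digit runs which merely look like a card or SSN go to a "rejected" list instead of the hit list. Each category is masked out of the text after matching so one digit run cannot be reported twice. The input text is constructed; 4111 1111 1111 1111 is the usual Luhn-valid test number.

```python
"""PII scan with validation: cards (Luhn), SSNs (allocation rules), e-mail and phone numbers.
Added example, not the EnCase PII module. SAMPLE_TEXT is constructed."""
import re
from typing import Dict, List

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")          # 13-19 digits, optional space/hyphen groups
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")   # North American numbers


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def _mask(pattern, text: str) -> str:
    """Blank out every match with spaces of the same length so offsets are preserved."""
    return pattern.sub(lambda m: " " * len(m.group()), text)


def scan_pii(text: str) -> Dict[str, List[str]]:
    hits: Dict[str, List[str]] = {"credit_card": [], "ssn": [], "email": [], "phone": [], "rejected": []}
    work = text
    for m in CARD_RE.finditer(work):
        target = "credit_card" if luhn_ok(re.sub(r"\D", "", m.group())) else "rejected"
        hits[target].append(m.group())
    work = _mask(CARD_RE, work)              # so a card number cannot also read as a phone number
    for m in SSN_RE.finditer(work):
        hits["ssn" if ssn_ok(*m.groups()) else "rejected"].append(m.group())
    work = _mask(SSN_RE, work)
    hits["email"] = EMAIL_RE.findall(work)
    hits["phone"] = PHONE_RE.findall(work)
    return hits


# Constructed sample: one valid card, one that fails Luhn, one valid SSN, two SSNs that violate
# allocation rules, an e-mail address, a phone number and a 14-digit serial that is not a card.
SAMPLE_TEXT = """Invoice paid with card 4111 1111 1111 1111 (test number) and 4111-1111-1111-1112 (bad checksum).
Employee SSN 219-09-9999 on file; 000-12-3456 and 666-01-0001 are not valid allocations.
Contact jane.doe@example.com or +1 (555) 010-2030; serial 12345678901234 is not a card.
"""

if __name__ == "__main__":
    for category, values in scan_pii(SAMPLE_TEXT).items():
        print(f"{category:12} {values}")
```

The rejected list is kept rather than discarded: on a real case it is the quickest way to see whether the patterns are too loose or too strict for the data at hand before trusting the counts.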
  • 15. EnCase Processor
     • Custom Modules
        – Custom EnScript modules can be added to the processor
        – Output can be indexed
  • 16. EnCase Processor
     • Other Capabilities
        – Command Line
        – Process devices individually
           • Separate cases are integrated back into a new case
           • Output can be copied to a network share or used as local evidence
        – Templates
  • 17. Processor Workflow
     [Flow diagram; stages as labelled on the slide]
     Acquire (Device) → Mount (Device); if not mounted, continue processing
     Per volume: Hash, Signature and Protected File Analysis; Recover Folders; Internet Artifacts; Email Threading → Thread DB
     Archive → Archive LEF; send to the processing queue when the device is finished
     Processing Queue: Create Thumbnail → Thumbnail LEF; Internet → Internet LEF; Index Device → Device Index; EnScript Modules (Transcript) → Transcript LEF; EnScript Modules → Module LEF; Device Index (Device)
  • 18. Processor – Output Details
     Evidence Cache: storage details per Mounted Entry (Primary Device Folder)
        EmailThreads.sqlite   Email Threading DB   (one Thread DB generated per Primary Device)
        DeviceIndex.L01       Device Index         (one Index generated per Primary Device)
        I_<GUID>.L01          Internet Artifacts   (one Internet/Thumbs/Transcript/Module LEF generated per Primary Device)
        P_<GUID>.L01          Thumbnail Cache
        Transcript.L01        Transcript Cache
        M_<GUID>.L01          Module Results
        DC_<GUID>.dch         Device Cache         (one Device Cache generated per Primary Device and Archive)
        E_<GUID>.L01          Email LEFs
        A_<GUID>.L01          Archive LEFs         (one Archive LEF generated per Mounted Entry)
        SearchHits.bin        Search Hits
        Evidence.bin          Device Information
  • 19. EnCase Processor
     • Automation for
        – Ease-of-Use
        – Efficiency
        – Accuracy
        – Effectiveness
  • 20. Query Syntax
  • 21. Index – Syntax Examples
     Operation                                        Syntax                 Example
     Keyword search                                   x                      pirate
     Phrase search                                    "x y z"                "shiver me timbers"
     Find any word in a document (either must appear) or                     pirate OR parrot OR ninja OR ship
     All words must appear in the document            and                    pirate AND parrot AND ninja AND ship
     Exclude the second search term                   not                    pirate NOT ninja
     Operators as keywords                            "And", "Or", "Not"     pirates "and" ninjas
  • 22. Index – Syntax Examples: Proximity
     Meaning                                                        Syntax                    Example
     First word must occur within n words of the second             w/n                       pirate w/5 treasure
     First word must precede the second within n words              pre/n                     pirate pre/5 treasure
     First word must not occur within n words of the second         nw/n                      pirate nw/5 ninja
     First word must not precede the second within n words          npre/n                    pirate npre/5 ninja
     Word within n words of the beginning of the document           w/n firstword             pirate w/10 firstword
     Word within n words of the end of the document                 w/n lastword              pirate w/10 lastword
     Word more than n words from the beginning of the document      nw/n firstword            pirate nw/10 firstword
     Word more than n words from the end of the document            nw/n lastword             pirate nw/10 lastword
     Items containing fewer than n words                            firstword w/n lastword    firstword w/5 lastword
     Items containing more than n words                             firstword nw/n lastword   firstword nw/5 lastword
  • 23. Index Syntax Examples: Fields
     Field          Syntax           Example
     Message Size   [Message Size]   [Message Size]#1024#
     Logical Size   [Logical Size]   [Logical Size]#1024#
     Modified       [Modified]       see Dates
     Created        [Created]        see Dates
     BCC            [BCC]            [BCC]pirate@piratecompany.com
     Subject        [Subject]        [Subject]Landlubbers
  • 24. Index Syntax Examples: Dates (within a date field)
     Granularity                 Syntax                                            Example
     Year                        [Field]#YYYY#                                     [Modified]#2010#
     Day                         [Field]#YYYY-MM-DD#                               [Modified]#2010-01-01#
     Day, Hour, Minute           [Field]#YYYY-MM-DDTHH:MM#                         [Modified]#2010-01-01T12:00#
     Day, Hour, Minute, Second   [Field]#YYYY-MM-DDTHH:MM:SS#                      [Modified]#2010-01-01T12:00:01#
     Date Range                  [Field]#YYYY-MM-DD…YYYY-MM-DD#                    [Modified]#2010-01-01...2010-03-01#
                                 [Field]#YYYY…#                                    [Created]#2010…#
     Date Range (Hour Offset)    [Field](#YYYY-MM-DDTHH:MM:SS-HH:MM…YYYY-MM-DD#)   [Modified](#2010-01-01T12:00:01-07:08...2010-03-01#)
  • 25. Index Syntax Examples: Wildcards and Additional Syntax
     Wildcards             Syntax                       Example
     Single character      ?                            pi?ate
     Multiple characters   *                            pirate or nin*
     Stemming              x~ (expands to <s:x variants>)   sail~ (expands to <s:sail sail sails sailing sailed>)

     Additional            Syntax                       Example
     Case sensitive        <c>                          <c>"Davey Jones"
     Case insensitive      <-c>                         <-c>pirate
     Numeric range         #x…y#                        #123…456#
                           #...y#                       #...123#
                           #x…#                         #456…#
     Grouping              x OR (y NOT z)               pirate OR (ship NOT ninja)
  • 26. Searching Processed Data
     • Index query
        – General search
           • gossip
        – Field
           • [Extension]docx
        – Date Search
           • [Written]#...2008#
  • 27. Searching Processed Data
     • Index query
        – Proximity search
           • ("Formula Three" w/3 Trucking)
        – Internet
           • *hulu.com
        – Modules
           • "North Korea"
  • 28. Additional Enhancements
     Continue to do what EnCase has historically done best
        – Broad OS and file system support
        – Increased support for standard encryption products
           • File-based, enterprise and whole disk
        – Deep analysis of user activity artifacts
           • Registry, logs, system records, etc.
  • 29. Raising the Bar
     • Focus on the user
        – Processor to automate indexing and common tasks
        – Efficient searching for "items of interest"
        – Automated ability to find "related items"
  • 30. Raising the Bar
     • New indexing engine
        – Leverages the powerful new indexing engine used in EnCase® eDiscovery
        – Sophisticated searching across data and metadata
        – Versatile query syntax to support basic and advanced users
  • 31. Raising the Bar
     • Template-driven pre-processing and report generation
        – Automate repetitive tasks
        – Facilitate consistent, organizationally approved best practices
  • 32. Training
     • Perfect time to learn or update skills
        – v7 is a shift from the workflow v6 users are accustomed to
        – All GSI facilities teach classes in v7 beginning July 2011
        – Training Partners have access to v7 materials
        – The Training Passport is a cost-effective way to learn v7
        – v6 training still available via OnDemand
  • 33. Training
     • EnCase Essential
        – Included with all purchases and upgrades
        – An OnDemand course designed to familiarize a new user with the basic use of v7
        – A guide for v6 users to get a feel for the new interface
  • 34. Pricing Information
  • 35. v7 Pricing at a Glance
     Product                                     License Price   SMS (Software, Maintenance & Support)
     EnCase® Forensic v7                         $2995.00*       1 yr @ 20% of license price*; 2 yr @ 18%*; 3 yr @ 16%*
     Upgrade from EnCase® Forensic v6 to v7      $896.00*        1 yr SMS $599.00* (20% of retail price); 2 yr SMS $1078.20* (18% of retail price × 2); 3 yr SMS $1437.60* (16% of retail price × 3)
     EnCase® Forensic Deluxe                     No longer offered
     PLSP                                        No longer offered
     EnCase® ProSuite                            No longer offered
     Individual Modules                          No longer offered
     EnCase® Neutrino                            Product has been end-of-lifed
     Customers current on SMS or PLSP received EnCase Forensic v7 at no cost.
     * International pricing may vary; SMS is required on all upgrades and new licenses.
  • 36. EnCase Portable: Forensic Triage & Data Collection in the Field
  • 37. Business Issues – Problems
     • Corporate IT
        – One organization, many networks
        – Remote employees infrequently on the network
        – Limited resources
     • Law Firms
        – Delay between the request for collection and the data being collected
        – Rely on outside resources or client self-collection
        – Expensive to use these outside resources, and risky to rely on self-collection
     • Law Enforcement
        – Vast amounts of data to collect
        – Limited resources
        – Trade-offs between casework and collection
  • 38. Business Issues – Impacts
     • Corporate IT
        – Specialists may need to travel to a remote location to collect data
        – Employees may be forced to send their machine to corporate
        – Downtime for both employees
     • Law Firms
        – Time to case resolution
        – Risk
        – High consulting costs (airfare, meals, hotels, etc.)
     • Law Enforcement
        – Case backlog grows
        – Longer time to case resolution
        – Potentially vital data missed
  • 39. Business Issues – Solutions
     • Corporate IT
        – Non-experts collect using trusted and proven technology
        – No training needed to collect (basic computer skills only)
        – Employees retain their machines
        – Expert resources stay focused on their core competency (analysis)
     • Law Firms
        – Immediate data collection and preservation
        – Reduced cost
        – Collect with internal personnel, with little training required
     • Law Enforcement
        – Collect data without requiring a forensic expert
        – Data not altered during search and collection
        – Option to have immediate access to data
  • 40. EnCase Portable
     • Automated forensic triage and collection from a USB device, designed for use when
        – Immediate access to evidence is required
        – Field personnel, the users of EnCase Portable, have no forensic training and/or experience
        – There are a large number of computers in the field to triage
        – The ability to review data immediately can provide actionable results
  • 41. Core Capabilities
     • Customizable job creation
        – Use keywords and hash values to perform targeted collections
        – Memory acquisition
        – Full disk imaging
  • 42. Core Capabilities
     • Multiple operating modes
        – Live mode
        – Boot mode
     • Live triage
        – Instantly view images on the target machine
        – Review documents in real time
     • Forensically sound
        – Search and collect while preserving metadata
  • 43. Product Overview – Benefits
     • Benefits
        – Triage suspect computers instantly
        – Preserve digital evidence in the court-vetted EnCase evidence file format
        – Triage computers in remote locations without sending forensic experts
        – Seamlessly integrate collected data into EnCase® Forensic or EnCase® Enterprise for analysis
        – Create a repeatable and defensible triage and collection process using non-technical personnel
  • 44. Triage Case Studies
     • Parolee Home Visit
        – During the visit, the triage solution is used to review images and internet history on the parolee's computer
        – Real-time feedback signals to the probation officer whether the parolee has violated the terms of parole
  • 45. Triage Case Studies
     • Border Crossing
        – Person of interest attempts to enter or leave the territory
        – Agent uses the triage solution to search the computer, looking for known terrorist websites, watch-list names, etc.
        – In minutes the agent can decide whether the person should be detained for further questioning
  • 46. Triage Case Studies
     • Cyber-bullying at a University
        – Security team uses the triage solution to search the computer for Twitter and Facebook logs as evidence of cyber-bullying
        – On discovering evidence, action against the student is taken
  • 47. What's the Takeaway
     • Effective triage can
        – Provide real-time feedback for first responders
        – Help target the activities of on-site investigations
        – Assist in identifying suspects and victims
        – Uncover related misdoings
        – Provide forensic specialists with direction and focus for the investigation
  • 48. How EnCase Portable Works
     1. Configured device given to field agents
     2. Field agents triage target computers
     3. Collected evidence sent back to experts for analysis in EnCase
  • 49. EnCase Portable
     • With EnCase Portable
        – Enable first responders to perform triage in a matter of minutes
        – Review evidence immediately
        – Utilize the proven capabilities of EnCase
        – Store data in forensically sound Logical Evidence File or E01 formats
        – Fully integrated with EnCase
  • 50. Advancing the Art of Field Triage and Acquisition
  • 51. Portable v3 – New Capabilities
     • New Portable Management App
        – Create/Edit Jobs
        – Device Management
        – Prepare Storage
        – Manage Evidence
  • 52. Portable v3 – New Capabilities
     • In-Field Job Creation
        – Right from EnCase Portable
        – No installation of EnCase required
        – Jobs can be shared after creation
  • 53. Portable v3 – New Capabilities
     • New module support
        – System Info Parser
        – Windows Artifact Parser
        – IM Parser
        – Log Parsers (Windows, Unix, Linux)
  • 54. Pricing Information
  • 55. v3 Pricing at a Glance
     Offering                          License Price
     EnCase® Portable – Single         $1,175.00*
     EnCase® Portable 3-Pack           $3,299.00*
     EnCase® Portable 5-Pack           $5,245.00*
     EnCase® Portable 10-Pack          $9,990.00*
     EnCase® Portable 1-year Term      $695.00*
     EnCase® Portable 2-year Term      $1,195.00*
     EnCase® Portable 3-year Term      $2,085.00*
     SMS Price (Software, Maintenance and Support): 1 yr @ 20% of license price*; 2 yr @ 18% of license price*; 3 yr @ 16% of license price*
     Customers with current EnCase Portable SMS will receive v3 at no cost.
     * International pricing may vary; SMS is required on all EnCase Portable licenses.
  • 56. Learn More
     • EnCase Forensic v7: http://www.guidancesoftware.com/encase-forensic-v7-whats-new.htm
     • EnCase Portable v3: http://www.guidancesoftware.com/encase-portable.htm
     • Follow Us
        – Facebook: facebook.com/guidancesoftware
        – Twitter: twitter.com/encase
        – My Twitter: @Steve_at_EnCase
        – v7 Twitter hashtag: #EF7
     • Get the news from Guidance Software: http://www.guidancesoftware.com/newsroom.htm
