EnCase Enterprise Basic File Collection



  1. Basic eDiscovery Steps in EnCase Enterprise v7. Damir Delija, 2014
  2. Introduction
     • Data collection can be done automatically in EnCase Enterprise
     • It still requires a lot of manual work and good planning
     • This presentation puts together information from various sources and manuals: the Lance Muller blog, EnCase presentations and manuals, other blogs
  3. EnCase Enterprise Components that Enable Forensically Sound and Secure Network Investigations
     The SAFE (Secure Authentication For EnCase)
     • Authenticates users, administers access rights, retains logs of EnCase transactions, brokers communications and provides for secure data transmission
     • The SAFE communicates with Examiners and Target Nodes over encrypted data streams, so traffic intercepted on the network cannot be read
     The Examiner
     • Installed on the computer where authorized investigators perform examinations and audits
     • Leverages the functionality of Guidance Software's EnCase Forensic product, with network-enabled capability for security and administration
     The Servlet
     • A small, passive software agent installed on network workstations and servers
     • Connectivity is established between the SAFE, the Servlet and the EnCase Enterprise Examiner to identify, preview and acquire local and networked devices
     Enterprise Concurrent Connections
     • Secure parallel connections established between the Examiner and the servers, desktops or laptops being searched or investigated
     Snapshot
     • The Snapshot technology lets the user scan thousands of computers to detect, collect, preserve and remediate a network intrusion on an enterprise-wide scale
  4. How the EnCase Enterprise Components Fit Together (diagram: Servlets installed on computers)
  5. Sample Deployment Topology (diagram: Examiners, SAFEs, an Aggregation Database and Target Nodes across Company Headquarters, Main Office A, Main Office B and a Branch Office, connected over a WAN)
  6. How EnCase Enterprise and EnCase eDiscovery Integrate With the Target Network: a rich man's solution
  7. What We Need
     • EnCase Enterprise v7: SAFE and Examiner (both on the same machine in the basic setup)
     • A lot of manual work and good planning: task definition, plans, etc.
     • As always in EnCase Enterprise we need an open case and a user logged into the SAFE with the appropriate rights (role)
  8. Entry Level EnCase Enterprise System (diagram: a combined SAFE/Examiner with additional storage at Company Headquarters, Target Nodes in Main Office A and a Branch Office over a WAN)
     • SAFE/Examiner on the same machine
     • Servlet on each end node
     • Enterprise Concurrent Connections control the number of parallel accesses
  9. Task
     • Collect all pdf, doc and docx files from two machines defined by IP address
     • Scope: a set of IP addresses
     • Collection rule: if the file extension is pdf, doc or docx, collect the file and its metadata
     • Procedure: if a node fails, try again; create a report with the list of responsive files
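     The task on this slide, modelled as an added Python example (this is not EnCase or EnScript code, and not the author's). It stands in for the three pieces the sweep wizard asks for: the scope (a dictionary of node name to collection root; the 10.0.0.x addresses are placeholders and the "nodes" are local directories built from constructed sample data), the collection rule as a condition on the final extension, and the procedure (one retry for a failed node, then a tab-delimited report). A SHA-256 of each collected file is recorded alongside the metadata as an addition the slide does not mention. It goes slightly beyond the slide in two ways: it shows that a file such as `trap.pdf.txt` is not responsive under an extension rule, and it returns the nodes that still fail after the retry instead of dropping them from the result.

```python
# Added example (not EnCase code): the slide's task modelled in Python.
# End nodes are simulated as local directories under a temp folder.
import csv, hashlib, io, os, tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Tuple

RESPONSIVE_EXT = {".pdf", ".doc", ".docx"}

def is_responsive(path: str) -> bool:
    """Collection rule: case-insensitive match on the final extension only."""
    return Path(path).suffix.lower() in RESPONSIVE_EXT

@dataclass
class Entry:
    node: str     # node identifier (an IP address in the task)
    path: str     # path relative to the node's collection root
    size: int
    mtime: int
    sha256: str   # content hash, so duplicates or tampering can be spotted later

def collect_from_node(node: str, root: str) -> List[Entry]:
    """One File Processor pass: walk the node, keep responsive files with metadata and hash."""
    if not os.path.isdir(root):
        # os.walk would silently yield nothing for a missing root; fail loudly instead
        raise FileNotFoundError(f"{node}: collection root {root!r} not reachable")
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not is_responsive(full):
                continue
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = Path(full).relative_to(root).as_posix()
            found.append(Entry(node, rel, st.st_size, int(st.st_mtime), digest))
    return sorted(found, key=lambda e: e.path)

def sweep(scope: Dict[str, str], collector=collect_from_node,
          attempts: int = 2) -> Tuple[Dict[str, List[Entry]], List[str]]:
    """Run the collector over every node in scope; a node whose collector raises
    is retried up to `attempts` times (the slide's "if node fails do another try").
    Nodes that still fail are returned separately so the status is reported."""
    results: Dict[str, List[Entry]] = {}
    failed: List[str] = []
    for node, root in scope.items():
        for attempt in range(1, attempts + 1):
            try:
                results[node] = collector(node, root)
                break
            except OSError:
                if attempt == attempts:
                    failed.append(node)
    return results, failed

def write_report(results: Dict[str, List[Entry]]) -> str:
    """Tab-delimited report of responsive files, one row per file, header first."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    w.writerow(["node", "path", "size", "mtime", "sha256"])
    for node in sorted(results):
        for e in results[node]:
            w.writerow([e.node, e.path, e.size, e.mtime, e.sha256])
    return buf.getvalue()

def build_sample_scope() -> Dict[str, str]:
    """Constructed sample data: two fake end nodes as directories (placeholder IPs)."""
    base = Path(tempfile.mkdtemp(prefix="sweep-"))
    layout = {
        "10.0.0.11": {"docs/a.pdf": b"%PDF-1.4 sample", "docs/b.DOCX": b"PK\x03\x04",
                      "notes.txt": b"not responsive"},
        "10.0.0.12": {"c.doc": b"\xd0\xcf\x11\xe0", "img/d.png": b"\x89PNG",
                      "trap.pdf.txt": b"final extension is txt, so not responsive"},
    }
    scope = {}
    for node, files in layout.items():
        for rel, data in files.items():
            p = base / node / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        scope[node] = str(base / node)
    return scope

def run_demo() -> Tuple[Dict[str, List[Entry]], List[str], str]:
    """Sweep the sample scope with a collector that fails once for the second
    node, which exercises the retry path of the procedure."""
    scope, calls = build_sample_scope(), {}
    def flaky(node: str, root: str) -> List[Entry]:
        calls[node] = calls.get(node, 0) + 1
        if node == "10.0.0.12" and calls[node] == 1:
            raise OSError("simulated: servlet not reachable on first contact")
        return collect_from_node(node, root)
    results, failed = sweep(scope, collector=flaky)
    return results, failed, write_report(results)

if __name__ == "__main__":
    results, failed, report = run_demo()
    print(report, "failed nodes:", failed or "none")
```

     The design point is the separation the wizard itself enforces: the rule (`is_responsive`) says what is responsive, the collector says how a single node is read, and `sweep` owns the retry and failure bookkeeping. Keeping the failed-node list as a return value rather than a log line is what lets the later "repeat sweep if it fails" step be driven from data instead of from watching the console.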
  10. Login Into EnCase Enterprise: 1) choose user, 2) choose SAFE, 3) choose role
  11. Creating a New Case. The case name is important; this one gives a hint about the task. The case information guides us.
  12. Case Folder Structure. Additional folders: Reports, Conditions, Evidence
  13. Doing an Enterprise Sweep: General Input
     • We need a list of targets, in EnCase terms a list of IP addresses where we have to install servlets and do the sweep
     • We need rules that define responsive data: conditions, keywords, hashes
     • We need general rules and guidelines: what to do in case of failure or errors, where to store data and reports, tests, case name, etc.
  14. Sweep Enterprise: Snapshot for Data Collecting. From the EnScripts tab choose Sweep Enterprise
  15. Definition of End Nodes for the Collection Sweep. In the sweep wizard define the nodes for the sweep
  16. Adding IP Addresses Directly. The list of end nodes can be typed directly into the wizard; it is sometimes a useful shortcut
  17. Running the Sweep on the End Nodes. End nodes defined and approved
  18. Define the Type of the Sweep
     • Snapshot is mandatory: collects processes, users, etc.
     • File Processor is our data collector: collects files
     • System Info is optional: a slow process; collects machine info, mostly from the registry
  19. What Snapshot Gets From the End Node
     • The System Info parser is optional
     • It collects data about the node from the end node's registry
     • To speed things up this can be unchecked, but it is useful to have that data
  20. What Process and OS Data Will Get Collected. Snapshot is mandatory; some options that are more incident response than data collection can be disabled to speed up the sweep
  21. Definition of File Collection Criteria. File metadata is collected by default and file attributes are the collection criteria; if content collection is unchecked, only file metadata is collected
  22. Entry Condition Defines File Attributes. File attributes are used as the criteria for collection
  23. Entry Condition Wizard. Conditions can only be typed in or imported
  24. Import an Already Existing and Tested Condition. How to import an existing condition
  25. Conditions Folder in the Case: where conditions are kept. Conditions should be named in a meaningful way
  26. Collection Criteria. The collection entry condition is imported from previously existing conditions. Be lazy and efficient: automate, and reuse already tested and proven code
  27. Additional Element: How to Handle Archives on the End Nodes. Default: do not descend into archives. With the default, responsive files inside archives on the end nodes are not collected
  28. Final List of End Nodes and Tasks to be Done in the Sweep. Can be saved as part of the documentation
  29. Store Collection Parameters as One of the Intermediate Reports. Useful later for documentation; goes to the case Reports folder
  30. Sweep is Running
     • It can take a lot of time
     • Monitor status, keep logs
     • Check the impact on the network and systems
     • Some automated tools help: the Case Analyzer
     • Keep an eye on the console
     • Keep an eye on disk usage and free space
  31. Sweep Status. Refresh can be done automatically
  32. Sweep Live Status: end node status, modules, success or failure
  33. Sweep Completed. One node has failed
  34. Sweep Results in the Analysis Browser. The Analysis Browser EnScript shows all collected data from the sweep (no file content)
  35. Sweep Results: Responsive Files in the Analysis Browser. All responsive files
  36. Create a Status Report. There are alternative methods to create intermediate status reports; I prefer "Save as" in tab-delimited format. The report goes into the case Reports folder
  37. In Our Procedure, Repeat the Sweep if it Fails. Repeated sweep; now all end nodes are successful
  38. Sweep Data Location. Stored in the folder: case / enscript / sweep Enterprise / scan timestamp (one folder per scan)
  39. L01 Collection Files: Sweep Result
     • Stored in the case enscript/sweep folder
     • Named by the responsive end node
     • Contain the responsive files and the snapshot data
     • Add them to the case manually
  40. L01 Files: Data in the Case. The default view is the snapshot view, records about end nodes
  41. Getting to Responsive Files in the L01. To get to the File Collector results go to "View Entries"
  42. L01 File for an End Node: Responsive Files View. All responsive files from one end node
  43. How to Create a Cumulative L01 File
     • All data are in the case in node-name.L01 files, one for each end node; we want to put all of that into one file without the snapshot data
     • A condition will create the result view; the condition already used for collection can be applied again
     • From the cumulative L01 all necessary reports can be created: same data, but easier to handle
  44. In Entry View Use the Condition. The condition already used as the collection entry condition
  45. Run the Condition. Use it on "all evidence", i.e. on all end node L01 files in our case
  46. Results. All responsive files as the condition result
  47. Bookmark if Necessary. Bookmark if needed, for reports etc.
  48. Good Practice: Name the Bookmark Folder After the Sweep. Sweep name = bookmark folder name
  49. Creating the Cumulative L01 File From the Condition Results. Create an L01 file from all responsive files
  50. Create the Cumulative L01 File: Name It After the Sweep. Name based on the sweep, fill in the notes; it goes to the Evidence folder
  51. Create the Cumulative L01 File: Include All That Is Needed. Include file data and metadata; "close on finish" is important
  52. Create the Cumulative L01 File: L01 Format. Choose L01 if other forensic tools are used too
  53. Good Practice: Remove All End Node L01 Files From the Case. To avoid duplication etc., remove all end node L01 files and use only the cumulative L01
  54. Good Practice: Use Only the Cumulative L01 File. In all further work use only the cumulative L01 file, or even open a new case
  55. Structure of the Cumulative L01 File. The whole logical structure is contained, together with the responsive file content
  56. Just to Prove It. Test with the condition to show that all responsive files are there
  57. Finishing
     • Document everything: reports, logs, backup
     • Store on encrypted media
     • Forensically remove and wipe all temporary and unwanted data and media
     • Don't forget to uninstall the servlets from the end nodes