EnCase v7 live access and data collection

1. Damir Delija, Davorka Foit
Consultant
DataFocus, Zagreb 2014.
On-line Digital Forensic
Investigations
in EnCase Enterprise v7

2. Introduction
On-line digital forensic investigations
live acess to remote machines - preview
Data collection is part of the live
machine investigation
• process data
• disk data
• files
Automated data collection can be done
with EnCase Enterprise
Requires a lot of hand work and good
planning

3. Servlets Installed
on Computers
How the EnCase Enterprise
Components Fit Together

4. EnCase Enterprise Components that
Enable Forensically sound and
Secure Network Investigations
The SAFE (Secure Authentication For EnCase®)
Authenticates users, administers access rights, retain logs of EnCase transactions,
brokers communications and provides for secure data transmission
The SAFE communicates with Examiners and Target Nodes using encrypted data
streams, ensuring no information can be intercepted and interpreted
The Examiner
Installed on a computer where authorized investigators perform examinations and
audits
Leverages the robust functionality of Guidance Software's flagship EnCase Forensic
Edition product, with network enhanced capability for security and administration
The Servlet
A small, passive software agent that gets installed on network workstations and servers
Connectivity is established between the SAFE, the Servlet, and the EnCase Enterprise
Examiner to identify, preview, and acquire local and networked devices.
Enterprise Concurrent Connections
Enterprise Concurrent Connections are secure parallel connections established
between the Examiner & servers, desktops or laptops that are being searched or
investigated
Snapshot
The “Snapshot” technology enables the user to scan thousands of computers to
detect, collect, preserve and remediate any network intrusion on an enterprise-wide
scale

5. Entry Level EnCase Entreprise
System
SAFE /Examiner
• on the same machine
Servlet
• on the each end node
Enterprise Concurrent
Connections
• control number of
parallel acceses
Main Office A
SAFE /Examiner
Additional storage
Company Headquarters
Target Node
Target Node
Target Node
Branch Office
Target Node
Target Node
Target Node
Target Node
Target Node
Target Node
Target NodeWAN

6. What we need
EnCase Enterprise v7
• safe, examiner (both on the same machine in basic
setup),
• instalation of servlets
• configuration of system
Requires a lot of hand work and good
planning
• task definition, plans etc
As it is in EnCase Enterprise we need
• open case
• user logged into safe with appropriate rights (role)

7. 1) choose user
2) choose safe
3) choose role
Login Into EnCase Enterprise

8. Creating a New Case
Case name is
important, this
one gives us hint
on task
Case information
leads us to what
was all about

9. Live Endnode Preview and
Analyses – Manual Access
How to interactive access endnode for
further analyses if nesecarry
Simple, it is almost same as for
automated sweep and local device
analyses
• have to be logged into EnCase and with open case
• add list of endnodes to access
• choose devices (disks, RAM, process memory) from
endnodes
• do analyses you need
Always remember to be fast
• it is live and it can change
9

10. For live interactive network preview add end nodes manually
Live Endnode Preview and
Access

11. One end node, collect disks, RAM and process memory
List of Endnodes to Access

12. Devices on the end node
What Examiner Station Can
Access

13. Disks and RAM chosen for live acess
Examiner Table View

14. Remote disk looks like any other disk
Remote Disk Analyses

15. Conditions can be used, case processor, enscripts, etc ..
Full Forensic Analyses

16. Automated Access
Enterprise Sweep
General input
we need a list of
targets
we need rules to
define responsive
data
we need general
rules and guidelines
In the EnCase term
list of IP addressee
where we have to
install servlets and do
sweep
conditions, keywords,
hashes
what to do in the case of
failure, errors, location
to store data, reports,
tests, case name, etc

17. Task
Collect all pdf, doc and docx files from two
machines defined by IP address
Scope
• set of IP addresses
Collection rule
• if file extension is pdf or doc or docx collect file and its metadata
Procedure
• if node fails - do another try
• create report with list of responsive files

18. Sweep Enterprise
Snapshot For Data Collecting
From Enscripts tab choose : Sweep Enterprise

19. Definition of End Nodes for the
Collection Sweep
In the sweep wizzard define nodes for the sweep

20. Running Sweep on the End
Nodes
End nodes defined and approwed

21. Define the Type of the Sweep
Snapshot is mandatory
•collects processes, users, etc
File Processor is our data collector
•collect files
System info is optional
•slow process
•collects machine info, mostly
registry

22. What Snapshot Gets From End
Node
•System info parser is optional
•it will collect data about node from
end nodes registry
•to speed up this can be uncheked,
but it is usefull to have that data

23. What Process and OS Data Get
Collected
Snapshot – mandatory
•some things which are more
incident response than data
collecting can be disabled to
speed up

24. Definition of File Collection
Criteria
Metadata on files is default
file atributes are collection
criteria
if uncheked only file metadata
is collected

25. Collection Criteria
Collection entry condition is
imported from previoulsy
existing conditions
be lasy and efficient
•automate
•use already tested and proofed
code

26. Sweep is Running
it can take a lot
of time
monitor status
keep logs
check the
impact on the
network and
systems
some automated
tools
case analyzer
keep eye on
console
keep eye on disk
sage and free
space

27. Sweep Live Status
Live sweep status: end nodes status, modules, success or failure

28. Sweep Completed
One node has failed

29. Sweep Results Responsive Files
in the Analysis Browser
All responsive files

30. Sweep Data Location
Stored in folder:
case/
enscript/
sweep Enterpise/
Scan timestamp

31. L01 Files
Data in the Case
Default view is snapshot view - records about end nodes

32. Getting to Responsive Files
in L01
To get to file collector results go to “View Entries”

33. L01 File for End Node
Responsive Files View
All responsive files from one end node

34. In Entry View Use Condition
Already used condition (as collection entry condition)

35. Run Condition
Use it on “all evidence” on all L01 end nodes files in our case

36. Results
All resposive files as condition result

37. Finishing
Document everything
Reports, logical evidence file, exports,
hash sets
logs
backup
Store on encrypted media
Remove forensically and wipe
forensically all temporary and unwanted
data and media
Don’t forget to unistall servlets

38. Q&A
forenzika@insig2.eu
damir.delija@insig2.eu
davorka.foit@insig2.eu
38