DataFocus 2014, On-line digital forensic investigations, Damir Delija (2)
1. On-line Digital Forensic Investigations in EnCase Enterprise v7
Damir Delija, Davorka Foit
Consultants
DataFocus, Zagreb 2014.
2. Introduction
On-line digital forensic investigations
• live access to remote machines (preview)
Data collection is part of the live machine investigation
• process data
• disk data
• files
Automated data collection can be done with EnCase Enterprise.
It still requires a lot of hand work and good planning.
4. EnCase Enterprise Components that Enable Forensically Sound and Secure Network Investigations
The SAFE (Secure Authentication For EnCase®)
Authenticates users, administers access rights, retains logs of EnCase transactions, brokers communications and provides for secure data transmission.
The SAFE communicates with Examiners and Target Nodes over encrypted data streams, so that traffic between them cannot be read if it is intercepted.
The Examiner
Installed on a computer where authorized investigators perform examinations and audits.
Leverages the functionality of Guidance Software's flagship EnCase Forensic Edition product, with network-enabled capabilities for security and administration.
The Servlet
A small, passive software agent installed on network workstations and servers.
Connectivity is established between the SAFE, the Servlet and the EnCase Enterprise Examiner to identify, preview and acquire local and networked devices.
Enterprise Concurrent Connections
Secure parallel connections established between the Examiner and the servers, desktops or laptops that are being searched or investigated; their number limits how many nodes can be handled at the same time.
Snapshot
The "Snapshot" technology lets the user scan thousands of computers to detect, collect, preserve and remediate network intrusions on an enterprise-wide scale.
5. Entry Level EnCase Enterprise System
SAFE / Examiner
• on the same machine
Servlet
• on each end node
Enterprise Concurrent Connections
• control the number of parallel accesses
[Diagram: Company Headquarters with Main Office A hosting the SAFE/Examiner and additional storage plus three Target Nodes; a Branch Office with seven Target Nodes, connected over the WAN]
6. What we need
EnCase Enterprise v7
• SAFE and Examiner (both on the same machine in the basic setup)
• installation of servlets
• configuration of the system
Requires a lot of hand work and good planning
• task definition, plans etc.
As always in EnCase Enterprise we need
• an open case
• a user logged into the SAFE with appropriate rights (role)
7. Login Into EnCase Enterprise
1) choose user
2) choose SAFE
3) choose role
8. Creating a New Case
The case name is important; this one gives us a hint about the task.
The case information tells us what it was all about.
9. Live Endnode Preview and Analyses – Manual Access
How to interactively access an end node for further analysis if necessary
Simple: it is almost the same as for an automated sweep or local device analysis
• you have to be logged into EnCase with an open case
• add the list of end nodes to access
• choose devices (disks, RAM, process memory) from the end nodes
• do the analysis you need
Always remember to be fast
• it is live and it can change
10. Live Endnode Preview and Access
For live interactive network preview, add end nodes manually.
11. List of Endnodes to Access
One end node; collect disks, RAM and process memory.
12. What the Examiner Station Can Access
Devices on the end node.
13. Examiner Table View
Disks and RAM chosen for live access.
15. Full Forensic Analyses
Conditions can be used, the case processor, EnScripts, etc.
16. Automated Access – Enterprise Sweep
General input, and what it means in EnCase terms:
• we need a list of targets: a list of IP addresses where we have to install servlets and run the sweep
• we need rules that define responsive data: conditions, keywords, hashes
• we need general rules and guidelines: what to do in case of failure or errors, where to store data, reports, tests, case name, etc.
17. Task
Collect all pdf, doc and docx files from two machines defined by IP address
Scope
• a set of IP addresses
Collection rule
• if the file extension is pdf, doc or docx, collect the file and its metadata
Procedure
• if a node fails, do another try
• create a report with the list of responsive files
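The sweep defined above (scope, collection rule, retry procedure, report) can be written down as plain logic so the plan is testable before it is run against live nodes. The following is an added Python model of that plan, not EnCase code, not EnScript and not the EnCase API: the two target nodes are constructed temporary directories standing in for servlet sessions, a third node that never answers is added to show the failure path, and the node IPs (10.0.0.11 to 10.0.0.13), file names and contents are all made up for the example. The hash column in the report is what later lets the collected set be verified against a hash set, as the Finishing slide requires.

```python
"""Model of an enterprise sweep: scope, collection rule, retry on node failure, report."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List

# Collection rule from the task: a file is responsive if its extension is pdf, doc or docx.
RESPONSIVE_EXTENSIONS = {".pdf", ".doc", ".docx"}


class NodeUnreachable(Exception):
    """Raised when a target node cannot be reached (servlet down, WAN outage, ...)."""


@dataclass
class Finding:
    node: str      # target node (IP address from the sweep scope)
    path: str      # path of the responsive file on that node
    size: int      # metadata collected with the file
    mtime: float
    sha256: str    # content hash, so the collected set can be verified later


def is_responsive(path: str) -> bool:
    return os.path.splitext(path)[1].lower() in RESPONSIVE_EXTENSIONS


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_from_node(node: str, root: str, rule: Callable[[str], bool]) -> List[Finding]:
    """Walk one node's file system and keep every file the rule marks as responsive."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if rule(full):
                st = os.stat(full)
                found.append(Finding(node, full, st.st_size, st.st_mtime, sha256_of(full)))
    return found


def sweep(targets: Dict[str, Callable[[], str]], rule: Callable[[str], bool],
          max_attempts: int = 2) -> dict:
    """Run the sweep over the scope; retry a failed node once, record what stayed unreachable."""
    report = {"responsive": [], "failed": [], "attempts": {}}
    for node, connect in targets.items():
        for attempt in range(1, max_attempts + 1):
            report["attempts"][node] = attempt
            try:
                root = connect()          # hypothetical stand-in for opening the servlet session
            except NodeUnreachable:
                continue                  # procedure: if a node fails, do another try
            report["responsive"].extend(collect_from_node(node, root, rule))
            break
        else:
            report["failed"].append(node)  # documented in the report, not silently dropped
    return report


def responsive_names(report: dict) -> List[str]:
    return sorted(os.path.basename(f.path) for f in report["responsive"])


def verify_report(report: dict) -> bool:
    """Finishing step: recompute every hash and confirm the collected set is intact."""
    return all(sha256_of(f.path) == f.sha256 for f in report["responsive"])


def run_demo() -> dict:
    """Constructed scenario: one healthy node, one flaky node, one node that never answers."""
    base = tempfile.mkdtemp(prefix="sweep_demo_")
    node_a = os.path.join(base, "10.0.0.11")
    node_b = os.path.join(base, "10.0.0.12")
    os.makedirs(os.path.join(node_a, "Users", "alice"))
    os.makedirs(node_b)
    for rel, data in [("Users/alice/contract.pdf", b"%PDF-1.4 demo"),
                      ("Users/alice/notes.docx", b"PK\x03\x04 demo"),
                      ("Users/alice/readme.txt", b"not responsive")]:
        with open(os.path.join(node_a, rel), "wb") as fh:
            fh.write(data)
    with open(os.path.join(node_b, "plan.doc"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0 demo")

    calls = {"n": 0}

    def flaky_b() -> str:             # fails on the first attempt, answers on the retry
        calls["n"] += 1
        if calls["n"] == 1:
            raise NodeUnreachable("first attempt timed out")
        return node_b

    def dead_c() -> str:              # never answers: ends up in report["failed"]
        raise NodeUnreachable("servlet never answers")

    targets = {"10.0.0.11": lambda: node_a, "10.0.0.12": flaky_b, "10.0.0.13": dead_c}
    return sweep(targets, is_responsive)


if __name__ == "__main__":
    rep = run_demo()
    for f in rep["responsive"]:
        print(f.node, os.path.basename(f.path), f.size, f.sha256[:16])
    print("failed nodes:", rep["failed"], "attempts:", rep["attempts"])
    print("hashes verified:", verify_report(rep))
```

The report keeps the unreachable node and the attempt count per node on purpose: in a real sweep those entries are the evidence that the procedure was followed, and they belong in the final documentation together with the hashes of what was collected.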
21. Define the Type of the Sweep
Snapshot is mandatory
• collects processes, users, etc.
File Processor is our data collector
• collects files
System Info is optional
• slow process
• collects machine info, mostly from the registry
22. What Snapshot Gets From the End Node
• the System Info parser is optional
• it collects data about the node from the end node's registry
• to speed things up it can be unchecked, but it is useful to have that data
23. What Process and OS Data Get Collected
Snapshot – mandatory
• some items that are more incident response than data collection can be disabled to speed things up
24. Definition of File Collection Criteria
File metadata is collected by default.
File attributes are the collection criteria.
If unchecked, only file metadata is collected.
25. Collection Criteria
The collection entry condition is imported from previously existing conditions.
Be lazy and efficient
• automate
• use already tested and proven code
26. Sweep is Running
It can take a lot of time
• monitor the status
• keep logs
• check the impact on the network and the systems
Some automated tools help
• case analyzer
• keep an eye on the console
• keep an eye on disk usage and free space
37. Finishing
Document everything
• reports, logical evidence file, exports, hash sets
• logs
• backup
Store on encrypted media.
Forensically remove and wipe all temporary and unwanted data and media.
Don't forget to uninstall the servlets.