EnCase is an extensible digital investigation platform. Simply put, extensibility reduces time and effort for the investigator. One way to validate this claim for yourself is to take a look at the depth and breadth of the ways EnCase can work with existing tools in your kit. For example: Do you already own Magnet Forensic's IEF? IEF and EnCase work together to reduce work for investigators. Have you considered how to integrate threat intelligence into your DFIR regimen? EnCase and Cisco Security (formerly ThreatGRID) collaborate to reduce IR time and effort. Let’s walk through a few ways extensibility works in your favor.
Another way, is to look at adaptability. Your kit is tailored to you, your skillset and your routine. Can you bend your tools to serve your will when needed? EnScript technology plays well with COM and, more recently, .NET/C# to reduce the effort to make your bespoke tools work together. It’s been used in casework for more than a decade and is constantly evolving. Guidance Software offers the de facto course on EnScript, and through the EnCase App Central Developer Network, provides no-cost developer licenses and support.
This brings us to the raison d'être for this post. One of the best ways to realize the benefits of an extensible digital investigation platform is to try out some of the library of apps available. In previous posts, part 1 and part 2, I highlighted some apps that can help search your case, perform volatile memory analysis, and even detect steganography and anti-forensics.
Here are the latest additions, courtesy of ever-vigilant EnCase App Central Developers:
ThreatGRID Malware Analysis and Intelligence for EnCase: Right-click to lookup suspicious hashes within ThreatGRID or submit samples for sandboxing and analysis. Check out this webinar to learn how to use this app, and for more about ThreatGRID.
ShimCache Parser: Isaac Lee exposes this handy Windows artifact to help identify if an executable has actually been run.
C-TAK Trial: Our friends at WetStone Technologies now offer a free 30-day, fully functional trial of C-TAK, for detection of trojans, steganography, anti-forensics tools and more. C-TAK is built on the same technology as WetStone's Gargoyle Investigator trusted in the field for years.
VirusShare.com Hash Library: John Lukach brings an EnCase hash library containing 129 torrents from the VirusShare.com repository of malicious code samples to use as you will in your next case.
Binary Plist Finder: A new addition from Simon Key, this app is intended to search for OS X binary property lists in unallocated space.
E-mail Address Finder: Ryan Jay Ollerenshaw's latest app bookmarks email addresses and counts their occurrences. Simple and on point.
FileProperties: Annette Franchi's latest solution helps reduces effort to copy/paste file properties. This simple operation is built to make getting information into a externally built report more efficient.
Image Analyzer 1-year and 3-year licenses: Image Analyzer now offers sophisticated pornographic image detection in multiple, reasonably priced options. In addition to the free trial, Image Analyzer now offers 1 year and 3 year licenses.
Thanks to all the EnCase App Central Developers who bring these solutions to light. What apps are you looking for? Would you like to learn how to tailor your use of EnCase? Please let us know in the comments, or reach out on Twitter @kenm_encase.