EnCase Enterprise Blog
<h2>We've Moved! Visit Our New Blog</h2>
Published 2016-05-20.<br />
<div class="p1">
<span class="s1">We’ve got a fresh new look! </span></div>
<div class="p1">
<br /></div>
<div class="p1">
Please visit us at our NEW blog: <span class="s2"><a href="https://www.guidancesoftware.com/resources/blogs">https://www.guidancesoftware.com/resources/blogs</a></span></div>
<h2>Wishing you a happy and prosperous 2016!</h2>
Published 2016-01-01.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYPlnpYK5wFsBLiQbg5geH4uPfoZBGvIdxB6BXq4jonAYc6EgdfMoEw7dhIuvVdTIIAN8fi6-G-wSzMcV9GcZsu8O7ShS0IAnlPQswTk6UiRMAH8ye4GtzKh3qoJm76i9_2O5vir8Ob6Y/s1600/happyNewYear2016.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYPlnpYK5wFsBLiQbg5geH4uPfoZBGvIdxB6BXq4jonAYc6EgdfMoEw7dhIuvVdTIIAN8fi6-G-wSzMcV9GcZsu8O7ShS0IAnlPQswTk6UiRMAH8ye4GtzKh3qoJm76i9_2O5vir8Ob6Y/s1600/happyNewYear2016.png" /></a></div>
<br />
<h2>Easter Egg Hunt - The Final Leg</h2>
Published 2015-11-03, updated 2015-11-04.<br />
UPDATE: We have our three winners! Thanks for playing and helping us celebrate our new look and logo, everyone.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieyNDlHE_gjR-i9-1sLlzfHZedihMAL-N4guNMxAcogyCgzAQkFDmWJaY7E4WZOeq3wBLrKi4wAHnViBUZUvY_9QOP3eR_-2GSMr9mUH1RHAZjrMIy113ZV5ZxszffH2v1o4hH14-29nk/s1600/game+over.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieyNDlHE_gjR-i9-1sLlzfHZedihMAL-N4guNMxAcogyCgzAQkFDmWJaY7E4WZOeq3wBLrKi4wAHnViBUZUvY_9QOP3eR_-2GSMr9mUH1RHAZjrMIy113ZV5ZxszffH2v1o4hH14-29nk/s320/game+over.png" width="320" /></a></div>
<br />
<h4>
Original blog post</h4>
Woo-hoo! You've found the fourth and final location of the "Easter egg" hunt for the fourth and final part of our new logo. Somewhere in this blog post is a link to that piece. And if you're new to the <a href="https://www2.guidancesoftware.com/PublishingImages/you-cant-see-me.jpg" target="_blank">g</a>ame and are starting here instead of at the beginning, may we recommend that you check out our Twitter feed (no account required) or Facebook page for clues on the other three parts.<br />
<br />
<b>Hurry</b>! Send the four logo pieces and the four URLs where you found them to newsroom@guidancesoftware.com.
<h2>Ask the Expert: Yuri Gubanov, CEO of Belkasoft</h2>
Published 2015-04-21.<br />
In our recent webinar with Yuri and Oleg from Belkasoft, we had quite a few interesting questions and even more interesting answers. They presented three case studies that leveraged EnCase Forensic and Belkasoft digital forensics tools to uncover critical evidence. You can <a href="http://goo.gl/ZqpXGv" target="_blank">watch the on-demand webinar here</a>.<br />
<br />
<b>Q: Guys, you mentioned analysis of a Live RAM dump created by the Belkasoft tool. We use the winen.exe tool by Guidance Software. Will you work with dumps created by this tool?</b><br />
<br />
A: Sure! As a Guidance Software partner, we support all images created by their tools, particularly physical images such as E01 and Ex01, logical images such as L01 and Lx01, and of course, memory dumps.<br />
<br /><b>Q: In one of your stories, your tool found some Skype data inside something you call “SQLite freelist.” When SQLite deletes data, does it always go to a freelist?</b><br />
<br />
A: This is only true for databases configured without the option called “AutoVacuum.” If this option is present, no freelist is used, unfortunately. However, quite a few forensically important applications store their data inside SQLite databases configured without this option, in particular Skype, WhatsApp, Chrome, Firefox, and many more.<br />
<br />
<b>Q: Are there any chances to find SQLite data if it is not present in regular SQLite areas (I mean tables) and freelist?</b><br />
<br />
A: SQLite forensic analysis is a tricky thing because SQLite itself is tricky. Besides the regular tables and the freelist area, which we already explained, it has some more peculiarities. For example, older versions of SQLite had a so-called “journal” file, which was used to coordinate database transactions. Newer versions of SQLite have so-called Write Ahead Log files, or WAL files, which contain uncommitted transaction data. Both journal and WAL files sit in the same folder as the main database and may contain up to 20-30% of the data inside the main database file.<br />
<br />
For example, my Skype database is around 100 megabytes (yes, I've used Skype for a long time and never delete my history). In my setup, the journal file for my Skype account is 20 megabytes, which is 20%. So if you don’t investigate these files, you are going to lose 20% of the information, which you absolutely cannot afford in the course of a criminal investigation. That’s why you need a tool like Evidence Center to automate such routine things. At the moment, there are not many forensic tools capable of automatically processing freelist, journal and WAL files, so this is one reason to have Evidence Center complement your EnCase installation.<br />
<br />
I should also mention that a SQLite database can have so-called unallocated space. It resembles a regular hard drive, which can also have unallocated space. This space does not belong to any table and is not a freelist. Inside this space you may find some remnants of deleted data, not necessarily completely valid, because it may have already been overwritten or corrupted. However, in our experience, we were able to find meaningful conversations there. Technically, you can carve unallocated space inside a SQLite database and find data, as we discussed with Skype chats or WhatsApp messages. This is what Evidence Center can do automatically for you. This info, if found, is then merged with existing data (I mean, non-deleted data from regular tables) and can be imported back to EnCase Forensic.<br />
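The freelist and AutoVacuum behaviour described in the answers above, as an added example that is not part of the interview and not Belkasoft's or EnCase's code: a Python script that reads the SQLite file header, walks the freelist trunk chain, carves printable remnants from freed pages of a constructed chat-like database, and reports any -journal/-wal sidecar files. It assumes only the public SQLite file-format layout; the sample data and all function names are my own.

```python
"""Walk a SQLite file's freelist and carve readable remnants from freed pages,
as a forensic tool does for rows an application deleted through its own UI.
Added example, not Belkasoft's or EnCase's code; it assumes only the public
SQLite file-format layout (100-byte header, freelist trunk pages)."""
import os
import re
import sqlite3
import struct
import tempfile

HEADER_MAGIC = b"SQLite format 3\x00"


def parse_header(data: bytes) -> dict:
    """Decode the header fields that decide whether a freelist exists at all."""
    if data[:16] != HEADER_MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    first_trunk, free_count = struct.unpack(">II", data[32:40])
    # Offset 52 is non-zero only when auto_vacuum is on; in that mode freed
    # pages are moved to the end of the file and truncated, not queued.
    largest_root = struct.unpack(">I", data[52:56])[0]
    return {"page_size": page_size, "first_freelist_trunk": first_trunk,
            "freelist_page_count": free_count, "auto_vacuum": largest_root != 0}


def freelist_leaf_pages(data: bytes, hdr: dict) -> list:
    """Follow the trunk chain: [next trunk][leaf count][leaf page numbers...]."""
    ps = hdr["page_size"]
    leaves, trunk, seen = [], hdr["first_freelist_trunk"], set()
    while trunk and trunk not in seen:  # 'seen' stops a corrupted cycle
        seen.add(trunk)
        off = (trunk - 1) * ps
        nxt, n = struct.unpack(">II", data[off:off + 8])
        n = min(n, (ps - 8) // 4)  # never trust the count past the page
        leaves.extend(struct.unpack(">%dI" % n, data[off + 8:off + 8 + 4 * n]))
        trunk = nxt
    return leaves


def carve_strings(data: bytes, hdr: dict, pages, min_len: int = 8) -> list:
    """Printable ASCII runs in the given pages: freed leaf pages keep their old
    record bytes unless the database was used with secure_delete on."""
    ps = hdr["page_size"]
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = []
    for p in pages:
        chunk = data[(p - 1) * ps:p * ps]
        found.extend(m.group().decode("ascii") for m in pat.finditer(chunk))
    return found


def sidecar_files(db_path: str) -> dict:
    """Sizes of the -journal / -wal files next to the database, if present."""
    out = {}
    for suffix in ("-journal", "-wal"):
        if os.path.exists(db_path + suffix):
            out[suffix] = os.path.getsize(db_path + suffix)
    return out


def analyze(db_path: str) -> dict:
    """Header facts, freed pages, carved remnants and sidecar files for one DB."""
    with open(db_path, "rb") as f:
        data = f.read()
    hdr = parse_header(data)
    leaves = freelist_leaf_pages(data, hdr)
    return {"header": hdr, "freelist_leaves": leaves,
            "remnants": carve_strings(data, hdr, leaves),
            "sidecars": sidecar_files(db_path)}


def build_sample_db(path: str, auto_vacuum: bool = False, rows: int = 300) -> None:
    """Constructed sample: a chat-like table whose rows are deleted the way an
    app would, so whole pages drop onto the freelist (when auto_vacuum is off)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum = %s" % ("FULL" if auto_vacuum else "NONE"))
    con.execute("PRAGMA secure_delete = OFF")  # some builds zero freed pages by default
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages(body) VALUES (?)",
                    [("CONSTRUCTED-CHAT-%04d " % i + "x" * 200,) for i in range(rows)])
    con.commit()
    con.execute("DELETE FROM messages WHERE id > 1")  # application-level delete
    con.commit()
    con.close()


def demo(auto_vacuum: bool = False) -> dict:
    """Build the sample in a temp dir and analyze it; returns analyze()'s dict."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        build_sample_db(path, auto_vacuum)
        return analyze(path)


if __name__ == "__main__":
    for av in (False, True):
        r = demo(av)
        print(av, r["header"]["freelist_page_count"], len(r["remnants"]), r["sidecars"])
```

With auto_vacuum off the deleted chat rows come back from the freelist pages; with auto_vacuum FULL the same deletion leaves no freelist at all, which is the case the interview flags.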
<br />
<b>Q: What can a criminal do to hide data stored once inside an SQLite database and what can Belkasoft together with EnCase do against such attempts?</b><br />
<br />
A: Well, to hide SQLite data they can do pretty much the same as with other files. They can move a file, delete it, or rename it, or delete data by using the regular means of the application which uses a particular SQLite database. We have already discussed what happens when data is deleted from an app itself: it goes to a freelist and can be partially recovered. When a file is renamed or deleted, Evidence Center can carve such a file. There are also some chances to find remnants of data inside special system areas such as the hibernation file or pagefile, shadow volume copies, a live RAM dump, if any, and so on. Evidence Center supports all these scenarios.<br />
<br />
<b>Q: In the drug story, you were looking for Facebook chats. Will you download Facebook chats from online? Do you need a password for that?</b><br />
<br />
A: No, the tool never goes online. Instead, the investigator was trying to locate chats inside a RAM dump he had. When someone chats via Facebook or any other app, this data is kept inside RAM, where it can be then found. To find such data we use a signature approach. We know signatures for data layout in RAM for hundreds of types of applications and do data extraction for you out of the box. Therefore, no internet is required and no Facebook password is required. Note, however, that you can hardly hope to extract all chats, just a small fraction of an entire history.<br />
<br />
<b>Q: If only remnants of Facebook chats could be found on a switched off machine, how long is the history you are able to recover? Can a whole history be recovered, theoretically and practically?</b><br />
<br />
A: Theoretically, if the history is small, it is possible to recover the entire history. Practically speaking, you can generally only recover some very recent chats. This is because portions of RAM are overwritten every fraction of a second and older messages are gone quickly. If not gone, they can be corrupted. That’s life, but this is better than having nothing. Facebook and other browser applications do not store anything on a hard drive (if we are not talking about the mobile Facebook app), so the only chance to find anything is to search inside RAM.<br />
<br />
<b>Q: How quick is the data processing?</b><br />
<br />
A: It depends on the size of your EnCase image file and your hardware. In our lab, a 500 GB hard drive with all the types of analysis we have selected takes about 8 hours to complete. A 2 TB drive with around half a million photos takes about 18 hours, but this is because of the huge amount of picture processing. We recommend having at least 16 GB of memory for a comfortable processing time, but this is not a hard requirement. During conferences (by the way, we will be at Guidance Software’s CEIC conference as a sponsor and presenter this year), well, during conferences we use a laptop with just 4 GB of memory and the product works perfectly fast.<br />
<br />
<b>Q: You say you can recover deleted SQLite data. What about other types of deleted data? Can you restore them?</b><br />
<br />
A: Almost all types of data which we can analyze when not deleted, we can also carve. To name a few: documents, emails, pictures, system files such as registries, event logs, thumbnails, jumplists, chats and browser histories, SQLite databases, and many more types of data.<br />
<br />
<b>Q: You say you work with multiple platforms and multiple devices. Which platforms/devices do you support?</b><br />
<br />
A: We run on Windows only, but support a wide variety of Windows versions from Windows XP to the newest and fanciest Windows 10. However, we can analyze all major operating systems such as Mac OS X, iOS, Linux/Unix, Android, Windows Phone, and BlackBerry. Concerning devices, we support both computers and laptops as well as all modern smartphone platforms. By the way, we can also run on special “forensic” portable builds of Windows.<br />
<br />
<b>Q: In the story with the lost girl, the investigator was lucky to find the girl’s laptop in a sleep mode without a password, so there were no problems to capture a RAM dump. However, if a computer is switched off, how do you do live RAM analysis?</b><br />
<br />
A: Windows and other systems usually use two types of files that we can roughly call “RAM dumps made by the operating system itself.” These are the pagefile (where your virtual memory is kept) and the hibernation file (used to quickly turn the computer on after hibernation). Both files contain memory artifacts because they are indeed memory. Unlike RAM, they survive a reboot, so you can investigate them. Interestingly, inside them you can find quite old data. For example, we've seen a few cases with Facebook chats as old as a few months inside a pagefile.<br />
<br /><b>Have other questions? Tips or ideas? </b>Talk to us in the comments section below.
<h2>Ask the Expert: Amber Schroader of Paraben Corporation</h2>
Published 2015-04-10.<br />
Recently, Amber Schroader, the CTO of Paraben Corporation, joined us for a well-attended webinar, <a href="https://www.guidancesoftware.com/resources/Pages/webinars/6-Keys-to-Conducting-Effective-Mobile-Forensic-Investigations.aspx" target="_blank">Six Keys to Conducting Effective Mobile Forensic Investigations</a>. A number of our attendees had questions that we wanted to capture here along with Amber's answers.<br />
<br />
<h3>
What do you recommend when dealing with the drivers on pay-as-you-go devices?</h3>
When doing smart devices with pay-as-you-go providers, you typically do have to work with different drivers that come from that provider. For example, a Tracphone pay-as-you-go Android will have different drivers than the standard Android device that was released to Verizon. I work a lot in virtual machines, which is nice because I can roll back drivers through the VM. However, when I work on standalone systems for my examinations, I have a separate system that I don’t work with a full driver pack on and I only install drivers as needed, which is where I do my pay-as-you-go devices. I will blow a fresh image onto this machine after each device to ensure all conflicts are removed. Those conflicts in drivers are what will stop most of the pay-as-you-go devices from processing.<br />
<br />
<h3>
What do you do with feature phones like Nokia, Samsung, LG, and Motorola?</h3>
I follow the same process with all the devices, smartphones or feature phones, which means physical, logical, and then accessories in processing. I'm still receiving a good percentage of feature phones with the cases that I work, as they are trending up in popularity.<br />
<br />
<h3>
What kind of information can you get from cell tower records?</h3>
Typically you can get the longitude and latitude of the call details from the device, as well as date and time stamps. It's a great way to get reference points to where calls would have been geographically made. I'll take this data as well as data from a device if the location services were turned on, which will allow you to pinpoint geographic location for the calls, etc.<br />
<br />
<h3>
What is the value of IP Box? Does it work?</h3>
An IP Box is a brute-force attack for iOS devices, and there are devices, as well, that work with Android. We have tested a few of the options out there and have had mixed results; 3 out of the 5 devices we tested were bricked upon using the IP Box, which was a really high risk, as if the device were evidence it would have been destroyed. The other problem is that the flaw the IP Box typically exploits in the iOS versions was patched, so it will not work with updated devices. The problem with encryption will plague us forever as it always has. I guess the examiner needs to keep that in mind before they get caught up in a trend that might be able to help with one case but not be able to help them long term. I think the IP Box approach as it stands is a short-term patch, not a long-term solution. The FoneFunShop in the UK will preview and make available a lot of these types of tools and examiners can look there for details.<br />
<br />
<h3>
What is the process you recommend for working with a device, what steps for logical to physical, etc.?</h3>
With most of my examinations, I typically try to work with the device physically, then logically. The reason I do this process is because if the device is encrypted, a lot of times you can get around the encryption with the physical methods and even in some cases do a simple text search for “password” and then find the password for the device that is needed for the logical image. After I have both of those images, I then will process the media card and SIM card separately so I can review that data as well. If I have CDR records, I will add that into the processing, too.<br />
<br />
<h3>
Many investigators uncover data that is encoded, but confuse it as encrypted. Can you discuss the difference?</h3>
Encoded data is data that needs an interpreter for us to be able to understand what it is saying, while encrypted data is data that has been converted to cipher text. Think of it like a puzzle: with encoded data we have the box and we can reference the box to be able to make sense of the pieces. With cipher text we have a variety of puzzle pieces from a variety of puzzles mixed together and we have no box for reference.<br />
<br />
<h3>
Which devices do you see emerging as the most difficult to deal with for digital forensics?</h3>
Smartphones are still the hardest with the encryption changes and the cloud storage capabilities. The other area that is always difficult with them, and that we are seeing such a strong push in, is the burner phone or pay-as-you-go market with smartphones; they are all flashed differently than what we see from the standard telecom versions.<br />
<br />
<h3>
You talked about manufacturers like Apple and their position on encryption and law enforcement – how do you see these affecting investigations?</h3>
I think as the manufacturers pull more to privacy instead of investigations, it's going to get harder and harder for us to gain access to the device. We will start doing a lot more monitoring and even live capture in investigations or have to work more and more with backup records and gain access to records in the cloud.<br />
<br />
<h3>
Is there any rooting kit that is recommended over another? I'm thinking in terms of forensic soundness and reliability.</h3>
Each rooting option is typically custom based on your tool selection for acquisition. With all acquisition tool methods, you should validate and check how they are processing the device.<br />
<br />
<h3>
Does a device in DFU mode still require a user pin/password for acquisition?</h3>
No, it's no longer needed. However, please note the restrictions on what devices support DFU mode.<br />
<br />
<h3>
Is there any particular rooting kit, for example Kingo for Android, that is recommended over another?</h3>
For rooting a device, it will depend on the method used by your acquisition tool. Most of them choose to design their own root method. Rooting a device will not change access unless that is the technique used by your acquisition tool.<br />
<br />
<h3>
Any solutions for Chromebooks?</h3>
Chromebooks are an odd hybrid in devices and for us are currently being researched for support addition. We've had difficulties with some of the encryption that is found by default on the device and are working to get around those barriers.<br />
<br />
<h3>
Are Blackberrys still the most difficult devices to crack?</h3>
BlackBerry devices are still very difficult to work with. The reason is they still are a very clean device. Even when working with the new 10 devices in Device Seizure, we have to work with them through doing a backup record and then parsing that record. However, the one part that has improved is that the newer BB devices do use Android Apps so the parsing of that data is easier than when they worked 100% proprietary.<br />
<br />
<h3>
Is there any way to analyze BlackBerry RAW data for analysis (malware for example)?</h3>
It is not as easy to do a physical image of BlackBerry devices to get a RAW image. We have very limited capabilities in this area, as most companies do. This does prohibit you from being able to do some of the file system analysis you need to be able to do for malware detection. With all BlackBerry devices, the support changes by model, so it is something to check to make sure the file system acquisition is supported to be able to do that type of scan.<br />
<br />
<h3>
How effective are factory resets in truly wiping all data?</h3>
Most of the data is cleared in a factory reset, but it's always good to go back and check. I do an image before and after and compare the data to make sure all user-oriented data has been removed from the device.<br />
<br />
<h3>
I noticed that since Apple Devices like to power up upon plugging in, I guess if you're going to put it into DFU mode you should do it in a box. After it goes into DFU mode, is it active with a network?</h3>
It is no longer active on the network when it is in DFU mode. You do have to power it off completely to get it to go into DFU.<br />
<br />
<h3>
Can a VM assist in minimizing driver conflicts between pay-as-you-go and contract phones?</h3>
Yes, virtual machines can be a good tool to work with all the changing drivers with mobile devices. I use the rollback functionality with my virtual machine to be able to adjust for the different drivers.<br />
<br />
<h3>
How about encrypted iTunes backup?</h3>
iTunes backups can have encryption that is separate from the device encryption. Depending on the version of the device that you are dealing with, you can get around this encryption through a physical image done through DFU mode. There are also third-party tools that can break this encryption, such as Elcomsoft and Passware.<br />
<br />
<h3>
I know there are many tools available on the market, do you know of or would any of you have plans to integrate tools such as Oxygen, or the way they parse data and some of their viewers into EnCase Forensic?</h3>
<br />
I know that we do not have plans to integrate with Oxygen. Integrating with a tool like EnCase Forensic makes a lot more sense. For our approach, as it stands, we read other tools' image formats into Device Seizure so that you can cross validate, etc.<br />
<br />
<h3>
Also, is putting a device into airplane mode a viable option instead of using a Faraday device or 30 sheets of foil?</h3>
Airplane mode is a viable option in a lot of cases, but if I know I'm working with evidence that is set to go to court, I still prefer to use the Faraday cage option to ensure I have the best protection. Since I did not design airplane mode on the device, I cannot testify to what it is doing and whether it's 100 percent blocked from activating any signals on the device. I like to have the strength of the physics behind me by using a Faraday cage.<br />
<br />
<h3>
Taking off your vendor hat, can you compare the offerings from the leading mobile hardware acquisition device providers?</h3>
There are a lot of advantages and disadvantages to every tool. It's like looking for the perfect car. You'll always find something you wish you had. What I do to really break down the tools is I run them through my test plans and then rank my tools based on how they did in the test plan. I then will process through devices based on the tools capabilities for that type of device. I will always process the device with both my tier 1 and tier 2 tool and then check the results as you never know if one tool will see something the other does not. I think it is a mistake for a lab to just have one tool with any type of examination but especially when it comes to mobile devices because they are so diverse and difficult to deal with. If a tool does not pass my test/validation plan I do not use it.<br />
<br />
<h3>
What signals can the mobile device receive that need to be protected against when there is no internet or cell service connection, or those services have been turned off?</h3>
I believe in covering yourself with the device signals, because it's something you literally cannot see that will destroy the evidence. I always use a Faraday device when processing if I know that the device needs to be maintained as pristine evidence. Some of the civil cases I deal with just want the data and have already not maintained it properly, so for those devices my SOP is to put them in airplane mode. Bluetooth and possibly IrDA for older phones are the most common signals outside of internet and cell service.<br />
<br />
<h3>
Is there any listing anywhere that has a continuously updated list of devices and whether they can be physically imaged / logically imaged, or just any particular quirks with a model?</h3>
There is no general listing for that data as it is about the capabilities of the tool you're using on what it will support with each device. Guidance Software and my company, Paraben, maintain a current list of all the supported models and device profiles we support and what is supported with each, but this list becomes outdated as soon as new phones are released, so we often support more devices than are on our own list. I am guessing many of the other tool companies maintain a similar list and you just have to request it.<br />
<br />
<h3>
What are your views about time constraints in an investigation since every device may be different and you advise to keep trying to get to the data?</h3>
With time constraints, I would recommend you work with a logical image in most cases. The advantage with the logical image is that with smart devices they contain a lot of deleted data in the logical structure, because the data is in a database. It is the fastest acquisition option that will yield you the highest results if you do not have the time to do all the available processing on the device or are experiencing problems with full physical imaging.<br />
<br />
<h3>
Can you discuss best practices in working with iOS 7 and 8 passwords and how to work around them?</h3>
With a lot of the later iOS devices there are just not a lot of options out there. I discussed both password recovery with software and with hardware in a few of the other questions; both have risks. In the end this is a problem we will be facing for a long time with us as investigators simply being locked out of the device by the manufacturer.<br />
<br />
<h3>
Do you have any advice for bypassing PINs?</h3>
For bypassing PINs there are a few options out there. I look at FoneFunShop in the UK for a lot of the flasher-style attacks. I have answered another question about IP boxes, as they are the latest trend. With all the bypass hardware options, be very careful, as I have had them brick the phone before. It requires testing and you need to weigh the risk to reward. For software options I have used both Elcomsoft and Passware tools with good results with both. The software has less of a risk but still should be tested.<br />
<br />
<h3>
Do you have any suggestions for approaching mobile malware with a similar methodology as your app rule? </h3>
Malware/spyware is a little bit harder, but the principle is still the same as far as finding the app data. You need to make sure your mobile forensic tool will acquire the file system on the device. As long as it does that, you will be able to find the malware/spyware as that is where it is stored.<br />
<br />
<h3>
Is it true that if you do not have the pin for an iPhone 5 and above, it is impossible to analyze it?</h3>
That is correct; you do need to be able to have the lock to gain access. They changed chips on the device so you cannot get around it by doing a physical image. However, I still get devices of all ages in that I use the physical bypass on.<br />
<br />
<h3>
What is the investigation like with a locked device?</h3>
It depends on the device and what has locked it. With feature phones, a lot of times you can get around locked devices by doing a physical image first and then searching for “password”. It will show in the physical image. For smart devices, it depends on the device. With a lot of them, it will be firmware dependent as well as hardware dependent, as we can get around a lot of locks software-wise, but because they tie them to the chips, that has caused a greater barrier. It is much easier to work around Android protection than iOS. I also use 3rd-party decryption tools such as Passware and Elcomsoft for password breaking.<br />
<br />
<h3>
What about password-protected iOS 8 devices and how to work with them – IP boxes?</h3>
I had another question about IP boxes. They're a risky option when it comes to password-protected devices and they also don’t work past 8.1. Right now you're stuck with only risky options that do risk the entire integrity of the device. You have to decide if the risk is worth it as those types of brute force attacks like IP boxes can destroy the device.<br />
<br />
<h3>
We use Good Technology for our MDM, which is containerized. Would this data be available for investigations?</h3>
It depends on how they're storing the data. I have not reviewed that particular tool, but my guess is they're storing it in a database. If that database is encrypted, it should be fine, but you'll want to check that as the raw databases used in mobile devices can be parsed.<br />
<br />
<h3>
Can forensics be conducted remotely or do you have to have the actual device?</h3>
As it stands now with mobile forensics, you do have to have physical access to the device to be able to do an acquisition. I do not believe that will always be the case, but for now it is.<br />
<br />
<h3>
How did you get involved in digital forensics at the beginning of your career, and what would you say the process is now for someone interested in breaking into the market?</h3>
I found this a great field for the dyslexic, which I am. We do things backwards naturally and it really has helped in my problem-solving and investigative skills. I was involved early because I was willing to give something that was not popular a try. For those getting into the field I recommend that they specialize and really get strong skills in one area but still be able to do other types of examinations. A good example is mobile forensics. A lot of investigators who work in this area do not do hard-drive examinations.<br />
<br />
<h3>
You mentioned that there was a Supreme Court ruling concerning seizure and shielding. Do we have a case that we can research?</h3>
Here's a <a href="http://www.natlawreview.com/article/landmark-supreme-court-ruling-protects-cell-phones-warrantless-searches" target="_blank">link to an article</a>. There are many other references as well. I am not a lawyer, so I don't want to offer an unqualified opinion.<br />
<br />
<h3>
What about airplane mode?</h3>
Airplane mode can be useful to be able to take the device off the network. It is not a method I use frequently, but it is a viable option. In most scenarios I don’t recommend it as it requires the first responder to place the device in airplane mode and I don’t advise that someone who has not been trained fully start rummaging through the device.<br />
<br />
<div>
<b>Comments? More questions? What works for you?</b> We welcome your thoughts in the Comments section below.</div>
<h2>Using EnCase with the Latest Release of Belkasoft Evidence Center</h2>
Published 2015-01-27, updated 2015-02-24.<br />
<author>Yuri Gubanov, Belkasoft</author>
<br />
<br />
Belkasoft has just updated its digital forensics suite, Belkasoft Evidence Center, making the tool a true, all-in-one forensic solution. When seamlessly integrated with EnCase, the two tools can cover nearly every digital forensic need. Belkasoft Evidence Center helps you jump-start investigations by automatically discovering evidence gathered from many different sources.<br />
<br />
In its biggest update in two years, Belkasoft has done more than learn a few new tricks. It now extracts and analyzes evidence from pretty much any data source you can imagine. Hard drives and drive images with Windows, Linux, Ubuntu, and many other operating systems; smartphone backups in all popular formats; UFED images and chip-off dumps; live memory dumps; and many virtual machines can be scanned for available evidence. This major update turns Belkasoft Evidence Center into a true, all-in-one digital forensic tool.<br />
<br />
We added several new modules to bring about these changes.<br />
<br />
<a name='more'></a><img src="http://www.dfinews.com/sites/dfinews.com/files/FileSystem.png" /><br />
<h4>
Evidence Discovery Module</h4>
The newly added File System module allows reading the complete file system of a device, dump, drive or memory image, mobile phone or tablet. This new module displays data stored in all volumes and partitions, files and folders, including special files and folders such as $OrphanFiles, $Log, $BadClus etc.<br />
<br />
The File System module supports a wide range of file systems used in Windows, Linux (including Linux forks such as Android and Ubuntu), Mac OS X and iOS.<br />
<br />
<h4>
Custom Scripting Engine</h4>
Small things can create a great usage experience – or totally ruin it. A simple, routine operation repeated a hundred times every day can quickly make using even the best tool a nightmare.<br />
<br />
In this release, Belkasoft Evidence Center addresses this issue by allowing its users to automate routine operations, or just about any other task. The newly introduced custom scripting engine uses a C#-like programming language, making the tool extensible with Belkasoft and third-party modules.<br />
<br />
The new scripting engine makes creating add-on modules easy. Users can write their own modules to add product features and extend its functionality. These modules are seamlessly integrated into the user interface and enjoy access to raw data and extracted evidence. By assigning a dedicated hot key or toolbar button to a new module, users can automate repeat operations.<br />
<br />
Belkasoft offers a set of ready-made scripts along with their full source code in simplified C#. To give an example, one of the sample scripts implements custom carving using a pre-defined signature. The new scripting mechanism makes it easy to share and exchange custom scripts.<br />
<br />
<h4>
More Enhancements</h4>
What else is new in Belkasoft Evidence Center 7.0? Major improvements to Live RAM analysis enable convenient extraction and analysis of running processes. The newly added Hex Viewer enables binary analysis of any file on the disk, disk image, process or a memory dump.<br />
<br />
Belkasoft Evidence Center continues delivering extensive acquisition and analytic support out of the box, discovering evidence in many popular formats such as email, documents, mobile apps, SQLite databases, registry and system files, Internet chats and social networks, pictures, videos and many more. The number of supported evidence types in Belkasoft Evidence Center 7.0 exceeded 500.<br />
<br />
<h4>
Improved EnCase Integration</h4>
Leveraging the scripting capability, Belkasoft Evidence Center is seamlessly integrated with Guidance Software EnCase. Working together, the two products can cover every digital forensic need. With Belkasoft Evidence Center, users can jump-start their investigations by automatically discovering evidence gathered from the many different sources. Analyzing collected data in EnCase Forensic delivers powerful and comprehensive crime-solving abilities.<br />
<br />
<h4>
EnCase App Central Partner of the Month</h4>
The improvements in Belkasoft Evidence Center have earned the company the EnCase<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 16.8666667938232px;">®</span> App Central Partner of the Month honor for the second time since the store opened nearly two years ago. With investigations involving social media exploding in volume, a tool like Belkasoft Evidence Center is critical to finding potential evidence not only for law enforcement, but also for corporate IT for security, e-discovery collections, and cases involving human resources policy violations.<br />
<br />
For a free 30-day trial of Belkasoft Evidence Center, please visit <a href="http://belkasoft.com/get">http://belkasoft.com/get</a>. And for a demonstration of the tool, don't miss our upcoming webinar featuring Belkasoft's own Yuri Gubanov and Oleg Afonin on March 18th, 2015.<br />
<br />
<i>Yuri Gubanov is the founder and CEO of Belkasoft.</i><br />
<a href="http://www.forensicmag.com/product-releases/2014/12/belkasoft-evidence-center?et_cid=4318393&et_rid=573579796&location=top" target="_blank">Originally published in <i>Forensic </i>magazine</a>.<br />
<h2>Top 6 Reasons to Use EnCase and IEF Together</h2>
Posted 2015-01-20. <author>Jamie McQuaid, Magnet Forensics</author>
<br />
<br />
As a forensic examiner, you rely on a variety of tools to conduct your investigations. The types and needs of every case vary, often making it necessary to use more than one tool to find what you’re looking for. Depending on the scenario, investigators need to use the tools that will enable them to work through cases thoroughly and efficiently.<br />
<br />
A lot of investigators are using EnCase®, by Guidance Software, as their primary forensic suite. EnCase is a great tool because it’s versatile and can recover data in almost any type of investigation you are working with. Whether it’s a network intrusion, malware outbreak, missing persons, child exploitation, or IP theft case, EnCase enables investigators to examine many types of computers and media.<br />
<a name='more'></a><br />
Internet Evidence Finder (IEF) has become a valuable tool for cases involving the analysis of Internet evidence and/or large volumes of data. IEF is specifically developed to intelligently recover Internet related artifacts from Windows, Mac, Linux, iOS, and Android devices, allowing investigators to analyze large amounts of case data quickly and efficiently.<br />
<br />
EnCase and IEF are both excellent tools to have in your toolkit. One of the major challenges faced by forensic investigators is knowing where to begin an investigation. Using EnCase and IEF together allows you to maximize the benefits of both tools: the versatility of EnCase and the simplicity, speed and comprehensiveness of IEF.<br />
<br />
Here are the top six reasons to use EnCase and IEF together to get the best results for your investigations:<br />
<br />
<h4>
1) Start Your Digital Forensics Investigation with a Comprehensive Set of Evidence</h4>
IEF automates the recovery of data from hundreds of the most commonly used and evidence-rich applications, quickly providing you with a bird’s-eye view of a suspect’s activity on a system. With EnCase, investigators can target their searches and zero in on specific areas of interest. Combining your IEF search with the processing tasks of EnCase will provide you with the most comprehensive set of evidence to start your analysis.<br />
<br />
Here’s a popular workflow used by many EnCase and IEF users:<br />
<ul class="list">
<li>Obtain your image</li>
<li>Run an IEF search to uncover commonly used artifacts and evidence</li>
<li>Load that data into EnCase to conduct a more granular search while validating IEF’s results</li>
<li>Export or report results in different formats from either tool.</li>
</ul>
<h4>
2) Analyze Results from Both Tools Together</h4>
EnCase allows investigators to search and sort many different types of data using multiple views (i.e. Hex, text, files and folders, or native viewers). We have created several EnScripts® that allow investigators to seamlessly run IEF from within EnCase, or load the results from an IEF search directly into EnCase. In doing so, you can take advantage of the strengths of both tools to maximize the collection of your evidence.<br />
<br />
<h4>
3) Recover Evidence from New and Updated Applications</h4>
Applications are constantly emerging and changing. Each new system or app update has the potential to completely change an investigator’s workflow and his or her ability to recover the right evidence. Support from your forensic tools for the most recent updates is crucial to staying on top of these changes.<br />
<br />
IEF stays on top of these changes with frequent software updates so that you aren’t missing out on valuable evidence. Having a dedicated team to seek out the most popular apps and maintain support for them is essential to many investigations, especially those involving mobile devices and applications. With EnCase, there is a ton of support that comes from their community of users. Since EnScripts can be created by anyone, EnCase users are often able to develop new scripts to support changes in applications and share them with other users.<br />
<br />
With the help of both IEF and EnCase, investigators can make sure they stay on top of new and updated applications.<br />
<br />
<h4>
4) Share Evidence Easily and Collaborate with Case Stakeholders</h4>
Both IEF and EnCase provide investigators with reporting flexibility, offering various exporting formats to accommodate different reporting requirements and processes defined by your organization. Whether you’re looking for a full HTML report, or a simple CSV file for additional analysis, both tools allow you to export in various formats, meaning you can easily integrate your data sets.<br />
<br />
Since IEF and EnCase are well integrated with various EnScript options, you can choose to export your data from whichever tool or format you prefer. They both also support collaborative work using portable cases that can be shared among investigators, analysts or other stakeholders. This allows others to add their own bookmarks, tags, or comments to a case and then pass that information back and forth throughout an investigation.<br />
<br />
<h4>
5) Visualize Evidence to See the Whole Story</h4>
Visual representations of evidence often tell the most compelling story. EnCase has many viewing options, while IEF allows you to visualize much of the data it finds by using timelines, geolocation mapping, and even chat message threading.<br />
<br />
With EnCase, investigators can view search results in Hex, text, files and folders, or native viewer formats to identify potential evidence quickly. The various viewing options make it easy for investigators to review results in the format that makes the most sense for them and their case.<br />
<br />
IEF offers a number of visualization tools that allow investigators to analyze and present their evidence in a visually compelling format. Timelines enable investigators to map out a suspect’s activity over a period of time. By showing the activities of a user before and after an incident, investigators can often demonstrate a suspect’s state of mind or intent. Other IEF visualization tools include World Map, which plots recovered GPS or geolocation data on a map, and Chat Threading, which allows investigators to view chat conversations in a format similar to how the suspect or victim would have viewed them on their mobile device.<br />
<br />
IEF and EnCase both have excellent viewing and visualization tools available to assist investigators. In using these tools together, investigators will get the best of both worlds when it comes to reviewing recovered data.<br />
<br />
<h4>
6) Understand a Suspect’s Activity across Multiple Devices</h4>
Modern forensic investigations will often include multiple PCs and mobile devices. The traditional process of analyzing a PC and mobile device separately no longer works. Analyzing evidence separately breaks up the user’s activity, which can be very difficult when trying to piece together a timeline of events. For example, when analyzing a suspect’s browser activity, it shouldn’t matter whether they browsed using their PC or mobile device. Combining IEF’s mobile analysis capabilities with your traditional PC analysis in EnCase will allow you to see the best of both worlds.<br />
<br />
If the evidence is analyzed together, investigators will save time and have a more holistic view into a suspect’s activity. The primary goal of your investigation should focus on the suspect’s actions, not their devices.<br />
<br />
Caseloads for examiners are growing far beyond anything manageable with manual tools and traditional forensic processes. Investigators must find a way to maximize their time and energy by accelerating their investigations without compromising on quality. Finding ways to work smarter, not harder, is essential to keep up with the increasing workload. Tools like IEF and EnCase allow investigators to maximize their analysis time and minimize time spent on repetitive tasks.<br />
<br />
Please comment below or let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.<br />
<h2>Forensic Focus Review: Guidance Software EnCase Training Computer Forensics I Course in Slough, U.K.</h2>
Posted 2015-01-02. <author>Scar de Courcier</author><br />
<br />
During the first week of December 2014, Guidance Software ran a computer forensics training course at its Slough offices in the UK, with the aim of helping forensic practitioners to understand and use EnCase as part of their investigations.<br />
<br />
<b>Background</b><br />
<br />
The course was developed by Guidance Software with a view to introducing new digital forensics practitioners to the field. The students are usually new IT security professionals, law enforcement agents and forensic investigators, and many have minimal training in computing. Computer Forensics I is available either in person at one of Guidance Software's training centres, or online via their OnDemand solution, which provides live remote classes for students around the world.<br />
<br />
<a name='more'></a><b>Course Structure</b><br />
<br />
Upon arriving at the venue, I received a course manual which covered the subjects we would be studying. This proved useful throughout the week as it contained all of the slides the instructors were using in their presentations, as well as some extra information about each element of the course. The manual made it easy to keep up with the pace of the lessons and was particularly helpful during some of the practical exercises. There were step-by-step instructions on how to use EnCase throughout an investigation, which proved useful during the course itself but would also be valuable to anyone who is using EnCase in their day-to-day work.<br />
<br />
The training began quite early every day, with students in the building by 8am. Two trainers, Bill Thompson and Carl Purser, split the delivery between themselves with Bill training for the majority of the first couple of days and Carl taking more lessons towards the end of the week. Everyone in the class was introduced to each other and there was time in between lessons to speak to other students and learn about their professions. This, coupled with the anecdotes and laid-back training style of both the instructors, made the course particularly enjoyable.<br />
<br />
Our first few lessons covered the basics of forensic methodology and case creation, including how to store case files in an accurate and useful manner, how to provide continuity in order to demonstrate where evidence has been located at all times, and what to do when things go wrong. The course also covered some of the legalities surrounding forensic examination, including how to ensure that you are legally allowed to perform a search &amp; seizure, and how to document a crime scene upon arrival.<br />
<br />
There was a strong focus on safety, with a section dedicated to ensuring the security of the forensic examiner, something that is not always touched upon during training and talks about digital forensics. This was particularly helpful to new practitioners in the field as it gave an idea of the kinds of things investigators should be looking out for, and how to avoid ending up in compromising situations. The instructors included some examples from their own cases and those of their colleagues, which helped to bring their lectures to life and demonstrate how the things we were learning could be applied in the real world.<br />
<br />
Once the basics of forensic investigation had been covered, we moved on to navigating EnCase itself. An especially useful part of this lesson was the explanations given by the instructors about why certain features had been added. They took care to explain not only the function of each option but its background; when it had been added, and how some features differed from previous versions of EnCase. This allowed the students to see how EnCase is constantly being improved and updated, and made it easier to remember to perform certain tasks which might otherwise have been overlooked.<br />
<br />
Certain parts of EnCase were revisited again and again, which solidified them in our memories and meant that by the end of the week some things, such as checking the 'Dixon box' to ensure that no extra elements had been selected, or 'set including' within a particular folder to show all entries, files and subfolders, became almost second nature before continuing with our investigations.<br />
<br />
Some time was set aside to discuss the manifold places from which digital evidence can nowadays be gleaned, with examples including a video camera housed inside a child's doll. This served to underline the importance of checking a scene thoroughly, and of knowing how to use several different tools to examine evidence from a wide variety of sources.<br />
<br />
We delved into creating digital evidence files from thumb drives, including how to use different methods of encryption and how these are incorporated into EnCase itself. After this we spent some time discussing binary and hexadecimal, going over the ways in which data are stored and doing some translation exercises to get us used to working with binary and hex.<br />
<br />
The course then included some information on how computers are put together in terms of hardware, which was an interesting element and one that is not always included when discussing digital forensics. This was helpful as it gave students an idea of what is physically going on behind the scenes while an investigator is collecting evidence and analysing data.<br />
<br />
A description of file structures followed, along with examples of how the same evidence is stored on different systems, and how all of these can be examined using EnCase. Throughout the course we worked on two main example cases, which was helpful as it meant we could cross-check evidence easily and compare how the same file looked when using different methods to examine it.<br />
<br />
The bookmarking options in EnCase were explained at length, which helped us to understand how these feed into the reports which are automatically generated at the end of an examination.<br />
<br />
We then spent the majority of a day discussing keyword analysis and search queries, including how to ensure that the correct search terms are being used and how to cross-reference keywords from different evidence sources. Again, the textbook proved to be very helpful here, as its step-by-step instructions demonstrated exactly how to create the necessary searches and included screenshots of EnCase itself with arrows illustrating which items to include and in which order. We spent some time going over how to write search terms effectively to bring back the most relevant results, and the specific syntax of EnCase's own searching structure.<br />
<br />
Hash analysis, which is of course one of the backbones of digital forensic investigations, was covered towards the end of the week, once all the basics had been explained. This meant that by the time we started looking at creating hash sets and managing hash libraries, we already had a solid understanding of both EnCase and the evidence sources being examined.<br />
<br />
The final part of the course involved a more thorough look at EnCase's reporting capabilities, followed by a lesson on backing up and restoring cases where necessary. The course concluded with a final practical exercise using the cases we had been introduced to earlier in the week. This allowed the students to apply the knowledge gained during the course to a simulated scenario and helped to solidify our knowledge of how to use EnCase in a digital investigation.<br />
<br />
<b>Evaluation</b><br />
<br />
The course moved at a good pace, with the instructors taking time to explain things where necessary but not dwelling for too long on individual elements of EnCase. Both Bill and Carl were very patient with all the students, taking the time to ensure that everyone was keeping up, and helping those who fell behind from time to time.<br />
<br />
At the end of each section there was time for questions, and both of the instructors made themselves available during lunchtimes and at the end of the day for anyone who wanted to ask extra questions or go over what they had learned.<br />
<br />
Whilst the course itself was focused on using EnCase, the instructors also described how to include certain other tools as part of an investigation, and there were several free resources provided for students to take away with them once the course had ended. These included a LinEn disk, which contained the Linux version of the EnCase acquisition tool; some instructional documents concerning EnCase itself and digital forensics investigations in general; and some research papers in the digital forensics and computer security fields.<br />
<br />
Overall, my experience with the EnCase Computer Forensics I training was very positive. I left at the end of the week feeling confident that I could use EnCase effectively during my own investigations, and also with a renewed interest in and understanding of digital systems and their use in criminal investigations.<br />
<br />
<i>Learn more about training courses available from Guidance Software <a href="https://www.guidancesoftware.com/training/Pages/Training-Overview.aspx" target="_blank" title="https://www.guidancesoftware.com/training/Pages/Training-Overview.aspx">here</a>.</i>
<h2>Help for the Help Desk: Announcing EnCase® Remote Recovery + for Fast, Remote File Recovery</h2>
Posted 2014-10-14.<br />
When a sales director on another continent needs a contract file un-deleted—stat!—who’s she gonna call? IT help desk. Problem is, that usually means she needs to ship her laptop to headquarters or someone from IT has to get on a plane, train, or automobile. And both of those options require taking her offline when every moment of downtime could lose her a deal.<br />
<br />
Enter <a href="http://goo.gl/kRlnOC" target="_blank">EnCase<span style="font-family: Calibri, sans-serif; font-size: 12pt; line-height: 115%;">®</span> Remote Recovery +.</a><br />
<a name='more'></a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1sW4uBnLMAg3UEf0QmoMUmLvcn3giR4pDySlxyTUC4uGxLzACwz67EcgZzWO8kQE1fVTbcMWhcpVw8_MxGhyphenhyphenzreKmIZyIyDcFjfWSkyWx_aJpBXedMx2I2wd3oQ3sd0Lzd9sh0NzYkpg/s1600/EnCase-Remote-Recovery-Plus-Logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="EnCase Remote Recovery + " border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1sW4uBnLMAg3UEf0QmoMUmLvcn3giR4pDySlxyTUC4uGxLzACwz67EcgZzWO8kQE1fVTbcMWhcpVw8_MxGhyphenhyphenzreKmIZyIyDcFjfWSkyWx_aJpBXedMx2I2wd3oQ3sd0Lzd9sh0NzYkpg/s1600/EnCase-Remote-Recovery-Plus-Logo.png" title="Announcing EnCase Remote Recovery +" /></a></div>
<br />
We listened to our customers and then took a long, hard look at the kinds of tools available on the market today for key IT help desk challenges, such as:<br />
<ul class="list">
<li>The frequent--and often urgent--request to recover files from remote devices</li>
<li>Having to take users offline to recover files</li>
<li>Needing to either travel or have the system in question shipped to help desk staff</li>
<li>Having no way to remotely troubleshoot system configuration and network connectivity problems</li>
<li>The need to support an unlimited number of endpoint devices on a limited tools budget</li>
</ul>
<div class="MsoNormal">
Turns out there were no tools on the market that could solve all of these problems--not all the problems at once, and not without buying a copy for each end user being supported. We knew that our EnCase products have these key capabilities built into their supporting technology. So we created <a href="http://goo.gl/kRlnOC">EnCase Remote Recovery +</a> to enable IT help desk staff and system administrators to do all of these things securely, remotely, and affordably--at one, low price:<br />
<ul class="list">
<li>Remotely restore or undelete files, folders, and directories</li>
<li>Easily copy files from remote systems regardless of operating system (we cover Windows, Linux, HP-UX, Macintosh OS X, Unix, AIX, Solaris, and NetWare out of the box)</li>
<li>Remotely create live diagnostic snapshots of system information</li>
<li>Keep users online while you work</li>
</ul>
<div class="MsoNormal">
<div class="MsoNormal" style="margin-bottom: .0001pt; margin: 0in;">
Although it's based on the industry-standard product for internal investigations, EnCase<span style="font-family: Calibri, sans-serif; font-size: 12pt; line-height: 115%;">®</span> Enterprise, EnCase Remote Recovery + is designed to be easy to use, with no formal training or forensic expertise required. </div>
<br />
Why not share this blog post with a colleague at your IT help desk? We have a great free trial offer, and he or she can download <a href="http://goo.gl/kRlnOC">EnCase Remote Recovery<b> </b>+</a> today.<br />
<br />
<b>Comments? Stories from the Help Desk Trenches? </b>We welcome discussion in the Comments section below.<br />
<br /></div>
</div>
<h2>EnCase and Python – Automating Windows Phone 8 Analysis</h2>
Posted 2014-10-13. <author>James Habben</author>
<br />
<br />
<h3><b>Roll Call</b></h3>
<br />
You may have read my <a href="http://encase-forensic-blog.guidancesoftware.com/2014/09/encase-and-python-part-1.html">introductory post</a> about using Python scripts with EnCase. You may have also read my <a href="http://encase-forensic-blog.guidancesoftware.com/2014/09/encase-and-python-part-2.html">part 2 follow-up</a>, which put a GUI on top of <a href="https://twitter.com/DidierStevens">Didier Stevens’</a> pdf-parser. Did you also read <a href="https://twitter.com/kevthehermit">Kevin Breen’s</a> <a href="http://techanarchy.net/2014/09/encase-and-analyzemft/">post</a>? He wrote about using EnScript to call out to <a href="https://twitter.com/dckovar">David Kovar’s</a> analyzemft script. Then <a href="https://twitter.com/ChipRAFP">Chip</a> wrote a <a href="http://chip-dfir.techanarchy.net/?p=138">post</a> about sending data out to get parsed by <a href="https://code.google.com/p/parser-usnjrnl/">parser-usnjrnl</a>.
<br />
<a name='more'></a>
<br />
Here comes another one to add to the list of #en2py projects. This time the scripts are parsing data from Windows Phone 8 evidence. <a href="https://twitter.com/Cheeky4n6Monkey">Adrian Leong</a> wrote a few Python scripts to get SMS, Call History, and Contacts and <a href="http://cheeky4n6monkey.blogspot.com.au/2014/10/windows-phone-80-sms-call-history-and.html">blogged</a> them to the world a few days ago.
<br />
<br />
<h3><b>Scenario</b></h3>
<br />
These caught my attention because of a case (weirdly, several cases lately) at my task force that involved a Windows 8 phone. There aren’t a lot of options for acquiring Windows phones, so our resident JTAG expert worked his magic and coerced the device into giving it up. With this dd image, we could now see the partitions and file systems from the inside out. The problem now was in getting readable data out.
<br />
<br />
If you haven’t done any research for Windows phone tools on your own, let me save you some effort – there aren’t many. EnCase was able to see all the files, but has no data parsing tools. Several other tool companies have recently released some Windows phone tools, but they couldn’t parse the data from this phone, either. We found a Python script that was able to do some work on it, but ran into errors part way through the data and choked. We patched up the Python script and got it limping along enough to get the SMS needed.
<br />
<br />
Fast-forward a couple weeks and I stumble on Adrian’s post with the tools mentioned. Wow! What a great tool to rip this data out! I thought, “Why don’t I put an EnScript in front of these to automate the work?” So, here we are. This is a bonus since it will run three Python scripts for one EnScript. Can’t beat that deal!
<br />
<br />
<h3><b>EnScript Breakdown</b></h3>
<br />
I went straight for the GUI version since I already covered the basics earlier. I started off with the same structure as the EnScript I used to put a GUI over the pdf-parser. There is not much to the GUI on this one since there aren’t any options in the Python scripts behind it. I am making bookmarks of the files being parsed as the EnScript moseys along its way. A checkbox at the bottom has EnCase open Windows Explorer at the output folder location when everything is done. Opening Explorer makes it easier to review the data instead of having to dig into the folders manually.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpm4p_oYhxooWhIzxqNF8LVptQCR0teoNpqSdV5tgrtk2AOqKXzMCf_LIj-GllH8rJq209tbJ3MPesuUdpDedKwj08Yc91juAhuOUdB_YM7XuSwPKcUG2fPWHiN25fuoSArMuVa96We6Q/s1600/python-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpm4p_oYhxooWhIzxqNF8LVptQCR0teoNpqSdV5tgrtk2AOqKXzMCf_LIj-GllH8rJq209tbJ3MPesuUdpDedKwj08Yc91juAhuOUdB_YM7XuSwPKcUG2fPWHiN25fuoSArMuVa96We6Q/s1600/python-1.png" /></a></div>
<br />
<br />
I am assuming that you have your Python installed at the default of c:\python27, but you can change that location on line 36 if it’s different. I have also assumed that you copied these three Python scripts into that same folder. Again, the location can be changed, if yours is different, on line 37, as follows:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU_PCcohBQO7KoD_tRPpCWwWDvMPRkb7shbrkohxCqeVyxBVEdG-7PfXoi-768d38dPCrTYUFmUNCL4PqG89RrhGH4TyBFLPeA209a3V-uvcDwy4ywHsT-0_3ihqWGE2QkXI4utDV-tyk/s1600/python-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU_PCcohBQO7KoD_tRPpCWwWDvMPRkb7shbrkohxCqeVyxBVEdG-7PfXoi-768d38dPCrTYUFmUNCL4PqG89RrhGH4TyBFLPeA209a3V-uvcDwy4ywHsT-0_3ihqWGE2QkXI4utDV-tyk/s1600/python-2.png" /></a></div>
<br />
<br />
Another little tidbit I started putting into my EnScripts is to have EnCase open the folder of the output files in Windows Explorer so I don’t have to dig in to find them. The GUI has a checkbox to allow user preference, and that value gets stored into a variable. Line 68 checks that variable and uses the API to open the window.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBBwfrwY05zVaVvbBnz-V0ajx8ClS8iMfYS1kQq3eKqB7yBvW2nONcI3BNuKomWmlS3KeLDCktGONtIkEDp06don4d0L8q1cdUJC8zC94X8JkCuB9XIvjeU6Fo_vrM2jyfmTsWLxB0ofY/s1600/python-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBBwfrwY05zVaVvbBnz-V0ajx8ClS8iMfYS1kQq3eKqB7yBvW2nONcI3BNuKomWmlS3KeLDCktGONtIkEDp06don4d0L8q1cdUJC8zC94X8JkCuB9XIvjeU6Fo_vrM2jyfmTsWLxB0ofY/s1600/python-3.png" /></a></div>
<br />
<br />
There are two files of concern here: store.vol and phone. I’m using ItemIteratorClass to loop through all of the files in the case (lines 55 and 56). Then I check first to make sure that I don’t end up processing some folder named like one of the target files (line 58). As long as it’s a file, then I check the name to see if it matches our targets (lines 59 and 60).
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgujRJWdjXUF9LuXcgGqBoi4fVnt01Fowh_arbf3y834-VghPYZjuT_wuay7AgtiQPP7zt6iLheG88NVJ90Y1UqHyKqGicovXrOwu1C60vGPMvgs2wYkXT7_Gtmm0k0l8g0RwDWGktC740/s1600/python-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgujRJWdjXUF9LuXcgGqBoi4fVnt01Fowh_arbf3y834-VghPYZjuT_wuay7AgtiQPP7zt6iLheG88NVJ90Y1UqHyKqGicovXrOwu1C60vGPMvgs2wYkXT7_Gtmm0k0l8g0RwDWGktC740/s1600/python-4.png" /></a></div>
<br />
<br />
I took a little bit of a lazy approach on the RunParser function and copy/pasted some of the code inside. Bad form for a programmer, but then again I never claimed to be one! Lines 88, 97, and 106 each check the filename to make sure each of the Python scripts is run against the file it expects to parse. Other than running the different Python scripts, the code is identical.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8AC5XmWl9r36CSF1APRk_Gi8Vg_g1vG5DpnkP7coRQMyeKsJB-Q-ClquiuH4l50h9tiO0XIlHz5xgWgLmyLfg4q38-fVX6Fh1BBWmysaow2F-yE1e9ab9myyJBxTA7g-OYT2s7MSSkwY/s1600/python-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8AC5XmWl9r36CSF1APRk_Gi8Vg_g1vG5DpnkP7coRQMyeKsJB-Q-ClquiuH4l50h9tiO0XIlHz5xgWgLmyLfg4q38-fVX6Fh1BBWmysaow2F-yE1e9ab9myyJBxTA7g-OYT2s7MSSkwY/s1600/python-5.png" /></a></div>
<br />
<br />
<h3><b>The Results</b></h3>
<br />
The bookmarks that result from running this EnScript aren’t very detailed. The Python scripts used here all generate their output in the form of tab-separated value (TSV) formatted files. This type of data ends up looking pretty ugly in the comments section of a bookmark. The bookmarks are really just for the purpose of documenting the files that got parsed.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBIsaUDjp0gFGDghQtb8Gsz4Ta4edhTZfN9iXpT4ibtkMJvxVqk_y7o2GGU0-68RxK2PmpS8571FRiZtKhcHGfm2OUjl9k0AO0xlFfNRPtfoB318jEEv54_lhO05u8YmXiLvohe2tinsQ/s1600/python-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBIsaUDjp0gFGDghQtb8Gsz4Ta4edhTZfN9iXpT4ibtkMJvxVqk_y7o2GGU0-68RxK2PmpS8571FRiZtKhcHGfm2OUjl9k0AO0xlFfNRPtfoB318jEEv54_lhO05u8YmXiLvohe2tinsQ/s1600/python-6.png" /></a></div>
<br />
<br />
You may notice in the output folder that there is a big ugly number tagged onto the name. If you did, then I applaud your observation skills! If not, work on those…
<br />
<br />
This is the MD5 hash of the file that was parsed. The idea with this EnScript is that you can just point and shoot. You can load up 20 Windows phones (have they sold this many?) into the same case and let the EnScript do the work to locate, export, and kick off the parsing for every one of them. The MD5 ensures a unique filename so they don’t overwrite each other, and it allows you to track it back to the source file.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4tz4M9lMbJy0k0S6CgFE2rE83mWqtTaVdrHh0PhIrKqbhreK9CTqawB3AaXfFSFklEkazRkSyhaWuzLpW7aVHCiRupBzQFO1Xu8Y7uDsx_sj4c1aOtPvIBeQaU_X8BTNXxcBj8nG23kQ/s1600/python-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4tz4M9lMbJy0k0S6CgFE2rE83mWqtTaVdrHh0PhIrKqbhreK9CTqawB3AaXfFSFklEkazRkSyhaWuzLpW7aVHCiRupBzQFO1Xu8Y7uDsx_sj4c1aOtPvIBeQaU_X8BTNXxcBj8nG23kQ/s1600/python-7.png" /></a></div>
<br />
<br />
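The locate, hash, export and dispatch logic described above, written out as an added example in plain Python rather than the post's EnScript, so it can be run and checked against an already exported file tree. It assumes the post's paths (Python and the three scripts under c:\python27); the parser script names are not given in the post, so they appear as placeholders, and the sample tree the block builds is constructed, not phone data.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile
from typing import Dict, List, NamedTuple, Optional

# Assumed, as in the post: Python and the three parser scripts under c:\python27.
PYTHON_EXE = r"c:\python27\python.exe"
SCRIPT_DIR = r"c:\python27"

# Target file name (lower case) -> parser scripts to run on it. The post names
# neither the scripts nor which one parses which file, so these are PLACEHOLDERS.
PARSERS: Dict[str, List[str]] = {
    "store.vol": ["PLACEHOLDER_parser_1.py", "PLACEHOLDER_parser_2.py"],
    "phone": ["PLACEHOLDER_parser_3.py"],
}


class Job(NamedTuple):
    source: str         # file found in the export tree
    md5: str            # MD5 of its content
    exported: str       # copy in the output folder, named <name>_<md5>
    command: List[str]  # argv that runs one parser against the copy


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_targets(root: str) -> List[str]:
    """Files (never folders) whose name matches a target, case-insensitively;
    the same file-not-folder guard the EnScript applies before comparing names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if n.lower() in PARSERS)
    return sorted(hits)


def plan_jobs(root: str, out_dir: str) -> List[Job]:
    """Export each target as <name>_<md5> and build one command per parser. The
    MD5 suffix stops files from many phones overwriting each other in one output
    folder and lets every output be traced back to its source by hash."""
    os.makedirs(out_dir, exist_ok=True)
    jobs = []
    for src in find_targets(root):
        name = os.path.basename(src).lower()
        digest = md5_of_file(src)
        exported = os.path.join(out_dir, "%s_%s" % (name, digest))
        shutil.copyfile(src, exported)
        for script in PARSERS[name]:
            jobs.append(Job(src, digest, exported,
                            [PYTHON_EXE, os.path.join(SCRIPT_DIR, script), exported]))
    return jobs


def verify_exports(jobs: List[Job]) -> bool:
    """Re-hash every exported copy; True only if all still match their source."""
    return all(os.path.isfile(j.exported) and md5_of_file(j.exported) == j.md5 for j in jobs)


def run_jobs(jobs: List[Job], timeout: int = 600) -> Dict[str, Optional[int]]:
    """Run the planned commands (needs the real scripts). Exit code per job; None
    when a parser hangs past the timeout, so one bad file cannot stall the batch."""
    codes: Dict[str, Optional[int]] = {}
    for job in jobs:
        key = "%s|%s" % (job.exported, os.path.basename(job.command[1]))
        try:
            codes[key] = subprocess.run(job.command, capture_output=True,
                                        timeout=timeout).returncode
        except subprocess.TimeoutExpired:
            codes[key] = None
    return codes


# Constructed sample tree (NOT real Windows Phone data): two matching files with
# different name casing, plus a *folder* named "phone" that must be skipped.
SAMPLE_FILES = {
    os.path.join("Phone1", "store.vol"): b"abc",
    os.path.join("Phone2", "Phone"): b"",
    os.path.join("Phone3", "phone", "notes.txt"): b"x",
}


def demo(base: Optional[str] = None) -> List[Job]:
    """Write the sample tree to a temp folder and plan (not run) the jobs."""
    base = base or tempfile.mkdtemp(prefix="wp8_demo_")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return plan_jobs(base, os.path.join(base, "output"))


if __name__ == "__main__":
    for job in demo():
        print(job.md5, job.source, "->", " ".join(job.command))
```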
<h3><b>Now it’s Time to Say Goodbye…</b></h3>
<br />
I hope that these Python scripts help you in your DFIR travels, should you run across a Windows 8 phone. I know they helped us (Thanks Adrian!). Perhaps this EnScript will help save you some time in not having to dig into the evidence file to find these data files. Work smart and let your tools do some of the work for you. This is what EnScript is designed to do.
<br />
<br />
Sorry I don’t have a sample evidence file for you, but perhaps someone out there has one to share? I welcome discussion in the Comments section below.
<br />
<br />
I teach techniques like this and more in our <a href="https://www.guidancesoftware.com/training/Pages/courses/classroom/EnCase%C2%AE-EnScript%C2%AE-Programming.aspx">EnScript course</a>. Come join me in one of our facilities, or bring me to your location. The more exotic the location, the better the price!*
<br />
<br />
Get the Python scripts <a href="http://cheeky4n6monkey.blogspot.com.au/2014/10/windows-phone-80-sms-call-history-and.html">here</a>.<br />
Get the EnScript <a href="http://download.guidancesoftware.com/OOy4jvznqkOQd1EL1jKkbHMQGMe9Sj0mBRVpg9n9Bf3dqd3mFCOq8gEFsCVe7DAS233NwelblK8%3D">here</a>.
<br />
<br />
James Habben<br />
<a href="https://twitter.com/JamesHabben">@JamesHabben</a>
<br />
<br />
* Sadly, I actually have no control over price
<br />
<br />
EnCase and NetClean Collaborate to Increase Investigator Efficiency (published 2014-10-07)<author>Johann Hofmann</author>
<br />
<br />
We started working with Guidance Software in the USA and spoke to the company’s Product Manager Ken Mizota about how this made customers much more efficient.
<br />
<br />
“After looking at the capability of NetClean Analyze, we became very interested in working closely with NetClean. By allowing our tools to work together, we will be giving our customers valuable assistance,” says Mizota.
<br />
<br />
Guidance Software’s EnCase® tool is used for collecting, processing and analyzing forensic data. Because it’s an open platform, the company works with multiple suppliers of complementary products that use data from EnCase. But a software application that analyzes and categorizes images in as sophisticated a way as NetClean Analyze does is extremely valuable, he says.
<br />
<br />
“We’re seeing that it really solves problems for criminal investigators. They gain in efficiency and save time, which they really appreciate.”
<br />
<br />
Guidance Software’s customers typically use a large number of tools in their investigations, so it’s important that they are interoperable.
<br />
<br />
“Our aim is to make our customers’ lives easier, and without tools like NetClean Analyze and EnCase, investigators are not able to efficiently analyze and categorize the large volumes involved. They need the right tools for the job.”
<br />
<br />
Ken Mizota envisages several other applications for Analyze in the future.
<br />
<br />
“The great thing about NetClean Analyze is that it can also be used in other types of investigations involving images, which represent an increasingly important component.”
<br />
<br />
As examples, he mentions harassment cases or employee misuse of corporate resources for collecting pornographic images.
<br />
<br />
According to NetClean Analyze Product Manager Johann Hofmann, the main benefit of the alliance is that the forensic community now stands to gain a more seamless workflow between IT forensics and investigations of still and video images.
<br />
<br />
“We have a whole lot to learn from Guidance Software, which has been regarded as the gold standard in IT forensics for years. And with NetClean Analyze now emergent as the leader in technology for processing still and video images, we will be building a standard together.”
<br />
<br />
Guidance Software’s EnCase solution is used for digital investigations conducted by corporations and law-enforcement organizations worldwide. A total of 40,000 licenses are in use by corporate customers such as Symantec, General Electric, Coca-Cola and Pfizer, and the EnCase servlet is estimated to be deployed on over 20 million endpoints worldwide.
<br />
<br />
The “Shellshock” BASH Vulnerability and EnCase Products (published 2014-09-30)<author>Ken Basore</author><br />
<br />
<div class="MsoNormal">
We know that our customers are concerned about the “<a href="http://en.wikipedia.org/wiki/Shellshock_(software_bug)" target="_blank">Shellshock” BASH vulnerability</a> and whether it affects our EnCase software, our Tableau hardware products, or any of our corporate systems. This is a legitimate concern, and because we have the utmost concern for your organizational and data security, we want to give you all the information you need regarding it. Below we address one by one the key areas that you may be wondering about.<br />
<b>EnCase-based Applications</b> (EnCase Forensic, EnCase Enterprise, EnCase eDiscovery, EnCase Cybersecurity, EnCase Analytics, and EnCase Portable) and all of the applications that run on them are NOT affected by the Shellshock vulnerability, as they do not run on Linux and do not use BASH. This is true for all versions of the applications.<br />
<br />
<b>EnCase Servlets</b> run on a wide range of operating systems, including Linux, Unix, HP-UX, and various other *nix-based systems. All of our Unix-based servlets are self-contained applications that can be launched via BASH, but do not interact with the BASH shell while they are running. As a result, the servlets are NOT affected by the vulnerability. However, users should check the operating system on which they are running for risks associated with other applications.<br />
<br />
<b>EnCase LinEn:</b> Guidance Software provides a free imaging tool that runs on Linux. LinEn is a self-contained application that can be launched via BASH, but which does not interact with the BASH shell while it is running. As a result, LinEn is NOT affected by the vulnerability, but users should check the operating system on which it is running for risks associated with other applications.<br />
<br />
<b>EnCase eDiscovery Review</b>: The EnCase eDiscovery Review SaaS application does use certain Linux systems that utilize the BASH shell. Once we learned of the original vulnerability, we immediately patched our systems or applied other well-established techniques to mitigate any risk to our systems. This includes additional attack vectors that have come to light since the original news was released. At this time, EnCase eDiscovery Review is NOT vulnerable to the known Shellshock/BASH vulnerabilities.<br />
<br />
<b>Tableau Products:</b> One of our Tableau products, TD3, runs a Linux operating system with a vulnerable version of BASH. Although the primary use case for the Tableau TD3 does not include attaching it to a network and exposing it to potential attack from an outside attacker, we are testing a patch that will fix the vulnerability and we will be releasing it in the next few days to our customers.
<br />
<br />
<b>Guidance Software, Inc. Web-based Systems: </b> As with most companies with any type of a web presence, Guidance Software did have internet-facing systems that were affected by this vulnerability. Upon learning of the issue, we immediately started working with our vendors and suppliers to obtain patches for those systems. As of this date, we have patched all our systems or applied other well-established techniques to mitigate any risk. At this time, we are confident that there is NO risk to any GSI web-facing system and all of our data, including confidential customer data, is secure.<br />
<br />
Rest assured that we maintain a relentless commitment to the security of all of our software and systems and will continue our diligent efforts to validate that security. If you have any questions, <a href="https://www.guidancesoftware.com/about/pages/contactus.aspx?cmpid=nav#CustomerService" target="_blank">please contact us here</a>.<br />
<br />
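A patch-verification check for the point the advisory makes about which hosts are exposed (a program merely launched through BASH is not affected; a BASH that still runs commands appended to a function definition passed in through the environment is). This is an added example, not part of Guidance Software's advisory; it covers only the original Shellshock bug, so a pass here says nothing about the later variants the advisory mentions, which should be confirmed against your vendor's patch level.

```shell
#!/bin/sh
# Local check: does the bash on this host still execute commands that trail an
# exported function definition? That is the behaviour the original Shellshock
# patch removed. Exit status of check_shellshock:
#   0 = patched (or function import disabled), 1 = vulnerable,
#   2 = no bash on this host, so there is nothing to check.

check_shellshock() {
    bash_bin=$(command -v bash 2>/dev/null) || return 2
    # Probe: a function definition with a harmless marker command appended. A
    # patched bash ignores or safely imports the function and never prints the
    # marker; stderr is discarded because patched versions warn about the attempt.
    out=$(env probe='() { :; }; echo SHELLSHOCK_TRAILING_EXEC' "$bash_bin" -c 'echo bash-ok' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_TRAILING_EXEC*) return 1 ;;
        *) return 0 ;;
    esac
}

# Human-readable report for an inventory script; returns check_shellshock's status.
report_shellshock() {
    rc=0
    check_shellshock || rc=$?
    case "$rc" in
        0) echo "bash: patched against the original Shellshock bug" ;;
        1) echo "bash: VULNERABLE - apply your vendor's bash update" ;;
        *) echo "bash not found; nothing to check on this host" ;;
    esac
    return "$rc"
}

# Run the report; the status is deliberately not propagated here so that a
# finding does not abort a larger audit script that sources this file.
report_shellshock || :
```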
<i>Ken Basore is the Senior Vice President of Research and Development at Guidance Software, Inc.</i></div>
SEC Whistleblower Awards Sound a Clarion Call to Action (published 2014-09-26)<div style="margin-bottom: .0001pt; margin: 0in;">
<author>Robert Bond</author>
<br />
<br />
Boardroom failures, financial regulatory lapses, auditor and
security analyst conflict of interest, unsatisfactory banking practices, and
fraud compelled the passage of Sarbanes-Oxley in 2002 and Dodd-Frank in 2010, placing
organizations under greater government scrutiny. The higher standards set by
the legislation place enormous responsibility on organizations to be prepared
to conduct their own internal investigations and to police themselves more
effectively or face penalties and fines.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
When the Dodd-Frank Act first passed, Peter Zeidenberg, a
DLA Piper partner who worked as a federal prosecutor at the Department of
Justice and the U.S. Attorney’s Office, <a href="http://www.insidecounsel.com/2011/08/01/conducting-internal-investigations-8-important-ste">remarked</a>,
“Most companies will have to deal with an internal investigation at some point.
You’re very lucky if you don’t. In any large company, it’s hard to imagine that
at some point in time there’s not going to be some suggestion or allegation of
internal misconduct.”</div>
<div class="MsoNormal">
<b>SEC Whistleblower
Program is Gaining Traction</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Three years later, Zeidenberg has been proven correct and one
of the most visible elements to come out of the Dodd-Frank legislation has been
the Securities and Exchange Commission’s (SEC’s) Whistleblower program. Over
6,500 people have offered confidential information to the SEC in hopes of
earning the 10%-30% of the settlement amount that the legislation promises,
according to the <i>Wall Street Journal</i>. In fact, the awards are increasing in both
size and frequency over the past year and appear to be gaining awareness
overseas. The SEC’s most recent annual report noted that 11 percent of the tips
received had come from overseas and that they expect that percentage to
increase. Adding fuel to the fire, last week in a speech in New York, <a href="http://www.nytimes.com/2014/09/26/us/politics/eric-holder-resigning-as-attorney-general.html?_r=0">soon-to-be-former</a>
U.S. Attorney General Eric Holder encouraged more potential whistleblowers to
step up to help prevent the next financial collapse.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
This week, the <a href="http://link.law.com/5163360e34b9b0a8048c87581uj2h.11u0/VCHjkMPomBYgW9xgA93d3">SEC
announced the award of a record $30 million</a> to an overseas employee who reported
fraud at an American company with global operations. Interestingly, had the
employee reported the fraud earlier, the bounty might have been even larger, according
to the SEC.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Eric Holder and the SEC are sending a clear message to
corporations and their employees in the US and around the world. Companies are
expected not only to change the practices that contributed to the financial
crises in 2002 and 2008, but also to monitor those changes and ensure that their
organizations are complying with the numerous regulations that are part of
Sarbanes-Oxley and Dodd-Frank, or face consequences.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Essential Compliance
Step One: An Investigative Infrastructure</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
Publicly traded companies—and especially multinational
corporations—can take an essential step toward compliance by establishing a
comprehensive investigative infrastructure that enables visibility and
searchability of all network endpoints.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Simply installing <a href="http://www.guidancesoftware.com/enterprise">EnCase® Enterprise</a> puts
you solidly on the path to compliance with key sections of Sarbanes-Oxley (SOX)
and in a state of readiness to respond to demands for information from the SEC.
It's working for legal, HR, and risk/compliance teams inside 70 percent of the
Fortune 100, it’s discreet and nondisruptive to business operations, and it’s
the foundation for <a href="https://www.guidancesoftware.com/solutions/Pages/enterprise/by-job-role/compliance-risk-professional.aspx?cmpid=nav">other
EnCase products</a> that support compliance, information security, and
e-discovery readiness, as well.</div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
<b>Comments? Stories
from the Risk/Compliance Trenches? </b>I welcome discussion in the section
below, whether on this topic or on one you would like to see us write about here
in the blog.</div>
EnCase and Python – Part 2 (published 2014-09-22)<author>James Habben</author>
<br />
<br />
In <a href="http://encase-forensic-blog.guidancesoftware.com/2014/09/encase-and-python-part-1.html#more">Part 1 of this post</a>, I shared a method that lets you use Python scripts by configuring a file viewer in EnCase. We used <a href="http://blog.didierstevens.com/programs/pdf-tools/">Didier Stevens’ pdf-parser</a> as an example. I also showed how EnScript could be used to greater effect by allowing us to capture the output of pdf-parser directly in a bookmark without having to manually copy and paste. Both of these techniques reduce effort by leveraging capabilities of both EnCase and the Python language.
<br />
<br />
In this post, I’ll take the same principles and apply them into an EnScript that provides a little more flexibility and functionality. Our goal is to have a GUI that gives you control over the exact functionality you want from the pdf-parser tool.
<br />
<br />
<h3><b>EnScript Method: Hard Mode</b></h3>
<br />
Here are the options displayed from pdf-parser:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoqrutKmmFynCyIphwRUc0lZXnprusINyQVHtmcRB_RWFgSNTbdQ9gFl9TUP-9VD-SAvFUVPfJryFPMXfr045_butpMPMNxkhn58l5Xad5cQIERLchpGGhrhKru_LkU4cP0K7XZVrWcbMc/s1600/part-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoqrutKmmFynCyIphwRUc0lZXnprusINyQVHtmcRB_RWFgSNTbdQ9gFl9TUP-9VD-SAvFUVPfJryFPMXfr045_butpMPMNxkhn58l5Xad5cQIERLchpGGhrhKru_LkU4cP0K7XZVrWcbMc/s1600/part-1.png" /></a></div>
<br />
<br />
Not only will we have a simple GUI to trigger pdf-parser, <a href="http://download.guidancesoftware.com/1H+vBXhWvGfk3BEmIOloNKEqV/X1Bn+KYEJo/uUHXGRh05KFfQCvSik9H/OP5jWmPOqqZAOSeRvLpSRnfOoS1g%3D%3D">but this EnScript</a> (sample code, no registration required) will also process all PDF files in the case instead of being limited to a single highlighted PDF file. Here is the GUI displayed at the start of this EnScript.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmYpUvMQIzfLRdIsuygjMFu5AwK7PaEIJvA0RVmWX_WEQJszDV0bAf3SkcZMOtv5VoLHn043kyXN8Q_BBXSdOQJ3WUo27XdMwm1GDFcrL9iM8RYqwU0P-HUvYFMEs9MVNy5IbOA3NLyJNA/s1600/part-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmYpUvMQIzfLRdIsuygjMFu5AwK7PaEIJvA0RVmWX_WEQJszDV0bAf3SkcZMOtv5VoLHn043kyXN8Q_BBXSdOQJ3WUo27XdMwm1GDFcrL9iM8RYqwU0P-HUvYFMEs9MVNy5IbOA3NLyJNA/s1600/part-2.png" /></a></div>
<br />
<br />
The part that makes this EnScript so much harder than the last post is the introduction of a dialog box to collect input. Unlike IDEs like Visual Studio, EnCase does not provide WYSIWYG capability to drag and drop UI controls. With EnScript, it’s all about typing the objects out, and laying them out by hand. Dialogs have to be coded as a custom class, and this brings a lot of scary demons out of the closets for many programmers. OOP! Object Oriented Programming. This one is pretty simple, though. Take a look:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHnukxOajc4NWbyhyphenhyphen4j1Xlo8JGR5Ztps73v6ZDAhk4VbVFXEPW8GClTraVw-1puUBZEx5-OT4O0IWbijB0enKdx96EGMuAFZMZfmMl8kMsF0PyJPlFmgDgQvCPdlpI-XF_k1d0vbG53ZjC/s1600/part-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHnukxOajc4NWbyhyphenhyphen4j1Xlo8JGR5Ztps73v6ZDAhk4VbVFXEPW8GClTraVw-1puUBZEx5-OT4O0IWbijB0enKdx96EGMuAFZMZfmMl8kMsF0PyJPlFmgDgQvCPdlpI-XF_k1d0vbG53ZjC/s1600/part-3.png" /></a></div>
<br />
<br />
I have a bunch of checkboxes that turn on options for pdf-parser. I created a global String variable named PyArgs to collect all of the options that are selected. So here’s a little code block that puts the selected options in. You’ll notice that the variables inside the if conditions match those referenced by the dialog in lines 18-23.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKvFj4Zq6vzpIIqyf_qhhzJ6NPCepY5gRHExZIcvbKDfy-7rI54Xe_7ZqV-EiueLTtM7WKDxWmIMO3Y5riDSX3U94M_HPOuJwgZ2AjNaHhB9E6-kX4Pd3tdZ1fgbyWxz7POmOp88D4gqp6/s1600/part-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKvFj4Zq6vzpIIqyf_qhhzJ6NPCepY5gRHExZIcvbKDfy-7rI54Xe_7ZqV-EiueLTtM7WKDxWmIMO3Y5riDSX3U94M_HPOuJwgZ2AjNaHhB9E6-kX4Pd3tdZ1fgbyWxz7POmOp88D4gqp6/s1600/part-5.png" /></a></div>
<br />
<br />
I mentioned that this EnScript is going to parse multiple PDF files, not just the highlighted one as we did in the last post. Here is where I use the ItemIteratorClass to obtain access to the files in the evidence file. Of course, I only want to process PDF files, so I filter the iterator down to those.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJY6MzRFQ7aCElQo7bq5g-63Jd5GCd2o937Vce_b287ZmpxqEcGis8wpIXEDD7KkApUEjaF1J9wbSEsxvkzUA3Vb9PqQnzYLY5ZN4VAoA6g65UGPKLX5D34usvGSvmayL7TJH59qRDtMo6/s1600/part-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJY6MzRFQ7aCElQo7bq5g-63Jd5GCd2o937Vce_b287ZmpxqEcGis8wpIXEDD7KkApUEjaF1J9wbSEsxvkzUA3Vb9PqQnzYLY5ZN4VAoA6g65UGPKLX5D34usvGSvmayL7TJH59qRDtMo6/s1600/part-6.png" /></a></div>
<br />
<br />
Now, the function that runs the Python code. You should find it pretty familiar, that is, if you read the last post. It opens the file internally, and then copies the data out to a temporary external file for Python to access. I bumped the wait time up on line 105 since some of my larger PDFs were taking longer than the one-second time I used previously. I added the CopyItemData() on line 107 because that will actually tie the metadata of each PDF file in with the bookmark that is created.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL7rm0JVaF4neQMpXja8Pm50B8cnFwoO8IjB46ih5FY8u5eLf0W0x2LQGwaVwMDIYb6WkL9hGiqbzzsGsVdyZcpqN1e0dYe2SJ_mQ24OKtESB_i5KlQ_sRSPySmzfY3Gc2B8c7fYISk3zZ/s1600/part-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL7rm0JVaF4neQMpXja8Pm50B8cnFwoO8IjB46ih5FY8u5eLf0W0x2LQGwaVwMDIYb6WkL9hGiqbzzsGsVdyZcpqN1e0dYe2SJ_mQ24OKtESB_i5KlQ_sRSPySmzfY3Gc2B8c7fYISk3zZ/s1600/part-7.png" /></a></div>
<br />
<br />
Give this one some time to run since it is going against all files in the case. The results should look like this, more or less depending on the options that you checked in the dialog.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhibgcepGMdedVG4k4y7ew0RNaPQrlXCZLtXnS-7Q5V5yp2dKyHbv0S1a_WmSZdVsw-Ok34GsVZSt8bxp_0R3-lHZ96H9uxB8QEWB8O4VUFExLFm0FqSuMsZQD__mwnQ77LMdK7bGjhqMKO/s1600/part-8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhibgcepGMdedVG4k4y7ew0RNaPQrlXCZLtXnS-7Q5V5yp2dKyHbv0S1a_WmSZdVsw-Ok34GsVZSt8bxp_0R3-lHZ96H9uxB8QEWB8O4VUFExLFm0FqSuMsZQD__mwnQ77LMdK7bGjhqMKO/s1600/part-8.png" /></a></div>
<br />
<br />
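The same flow as this EnScript (dialog options turned into the pdf-parser argument string, each PDF copied out to a temporary file, the parser run and its output captured for a bookmark), as an added example in plain Python; it is not the post's code. It assumes Python and pdf-parser.py under c:\Python27 as in Part 1, treats the switch letters it maps (-a, -f, -w, -s, -o) as an assumption to be checked against the pdf-parser version you downloaded, and uses a constructed sample PDF plus a stand-in echo script so the round trip can be exercised without pdf-parser installed.

```python
import os
import shutil
import subprocess
import sys
import tempfile
from typing import Any, Dict, List

# Assumed, as in Part 1: Python and pdf-parser.py under c:\Python27.
PYTHON_EXE = r"c:\Python27\python.exe"
PDF_PARSER = r"c:\Python27\pdf-parser.py"

# Dialog option -> pdf-parser switch. The letters are my reading of pdf-parser's
# help (-a stats, -f filter, -w raw, -s search, -o object): check them against
# the version you downloaded. True/False options are bare flags; strings take a value.
OPTION_SWITCHES = [
    ("stats", "-a"), ("filter", "-f"), ("raw", "-w"), ("search", "-s"), ("object", "-o"),
]


def build_args(options: Dict[str, Any]) -> List[str]:
    """The EnScript's PyArgs string, built as an argv list (no shell quoting
    problems) and in a fixed order, so two runs with the same boxes ticked
    record the same command line in the bookmark."""
    args: List[str] = []
    for key, switch in OPTION_SWITCHES:
        value = options.get(key)
        if value is True:
            args.append(switch)
        elif isinstance(value, str) and value:
            args.extend([switch, value])
    return args


def is_pdf(path: str) -> bool:
    """Select by signature, not extension: the EnScript only wants PDF files."""
    try:
        with open(path, "rb") as fh:
            return fh.read(5) == b"%PDF-"
    except OSError:
        return False


def find_pdfs(root: str) -> List[str]:
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(p for p in (os.path.join(dirpath, f) for f in files) if is_pdf(p))
    return sorted(hits)


def parse_pdf(path: str, options: Dict[str, Any], timeout: int = 60,
              python_exe: str = PYTHON_EXE, parser: str = PDF_PARSER) -> Dict[str, Any]:
    """Copy the PDF to a temp file (the EnScript exports the item the same way),
    run the parser on the copy, and return a bookmark-like record. The temp copy
    is removed afterwards and a hung parser is cut off by the timeout."""
    if not os.path.isfile(parser):
        raise FileNotFoundError("parser script not found: %s" % parser)
    tmp_dir = tempfile.mkdtemp(prefix="en2py_")
    tmp_path = os.path.join(tmp_dir, os.path.basename(path))
    shutil.copyfile(path, tmp_path)
    cmd = [python_exe, parser] + build_args(options) + [tmp_path]
    record: Dict[str, Any] = {"source": path, "command": cmd}
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        record.update(returncode=proc.returncode,
                      output=proc.stdout.decode("utf-8", "replace"),
                      error=proc.stderr.decode("utf-8", "replace"))
    except subprocess.TimeoutExpired:
        record.update(returncode=None, output="", error="timed out after %ss" % timeout)
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)
    return record


def demo() -> Dict[str, Any]:
    """Constructed inputs: a minimal PDF, a non-PDF, and a stand-in 'parser' that
    only echoes its arguments, so the round trip runs without pdf-parser installed."""
    base = tempfile.mkdtemp(prefix="en2py_demo_")
    with open(os.path.join(base, "sample.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")
    with open(os.path.join(base, "notes.txt"), "wb") as fh:
        fh.write(b"not a pdf")
    stand_in = os.path.join(base, "echo_parser.py")   # NOT pdf-parser
    with open(stand_in, "w") as fh:
        fh.write("import sys\nprint(' '.join(sys.argv[1:]))\n")
    pdfs = find_pdfs(base)
    record = parse_pdf(pdfs[0], {"stats": True, "search": "JavaScript"},
                       python_exe=sys.executable, parser=stand_in)
    return {"pdf_count": len(pdfs), "record": record}


if __name__ == "__main__":
    result = demo()
    print(result["pdf_count"], "PDF(s) found")
    print(result["record"]["output"].strip())
```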
Whether as an examiner downloading this as an EnScript to use in cases, or as an EnScripter looking to integrate more Python scripts with EnCase, I hope you found this useful. Let me know in the comments or on <a href="https://twitter.com/hashtag/en2py?src=hash">Twitter #en2py</a> if there are topics you would like to see here.
<br />
<br />
James Habben<br />
@JamesHabben
<br />
<br />
EnCase and Python - Part 1 (published 2014-09-10)<author>James Habben</author>
<br />
<br />
As a co-author and instructor for Guidance Software’s <a href="https://www.guidancesoftware.com/training/Pages/courses/classroom/EnCase%C2%AE-EnScript%C2%AE-Programming.aspx">EnScript Programming</a> course, I spend a lot of time teaching investigators in person around the globe. Investigators are faced with a dizzying variety of challenges. We work together in class, coming up with solutions that send EnCase off to do our bidding. EnCase and EnScript allow us to “bottle” the result of our efforts to share with other investigators (e.g. <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010123WS">categorizing internet history</a>, <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010132WS">detecting files hidden by rootkits</a>).
<br />
<br />
Python is used similarly. The interweb hosts great tools written in Python to accomplish all manner of tasks facing DFIR examiners. The community benefits from the hours of work that go into each and every .py that gets baked. It seemed to me that there should be a way for EnCase and Python to work together, so I put together a brief tutorial.
<br />
<br />
I’m writing this post primarily as a tutorial for EnScripters, but I thought I would drop in a little something for the EnCase Examiners that are reading through this, as well. To do this, I’m going to use a favorite Python script called pdf-parser.py written by Didier Stevens throughout this tutorial. You can download pdf-parser.py directly from <a href="http://blog.didierstevens.com/programs/pdf-tools/">Didier Stevens’ blog</a>. I’m making an assumption that you have Python already, and it is located at c:\Python27\Python.exe. And to make things simpler, let’s place the pdf-parser.py file in the same folder. If your paths are different, just make note for the rest of the tutorial.
<br />
<br />
This tutorial is broken out into several sections that range from easy to expert. First will be a method of using a Python module that anyone can put together in EnCase. Then I work through EnScript methods that most of you with a little programming experience can follow. The final section covers an EnScript that takes input from the examiner through the use of a GUI and passes those options on through to Python for execution.
<br />
<br />
<h3><b>Examiner Method: External File Viewers</b></h3>
<br />
Open your File Viewers window (right click ‘open with’) and create a new view with these settings:
<ul class="list"><li>Name: PDF-Parser (Python)</li>
<li>Application Path: c:\windows\system32\cmd.exe</li>
<li>Command Line: /k c:\Python27\Python.exe "c:\Python27\pdf-parser.py" [file]</li></ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkZy6M_BcdSuZw-VVgZfed4nIx6-n9SDh3rsojIIKx_h5kcT5K9fs0GEF08-JSGsXV-dfNI7w8AwVmeRmBaZpkqHTjhibHiTAxG8Qz9E4u5pA3TlkE85V5j1X0dlB45bRSjrDpAdpUrBpA/s1600/python-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkZy6M_BcdSuZw-VVgZfed4nIx6-n9SDh3rsojIIKx_h5kcT5K9fs0GEF08-JSGsXV-dfNI7w8AwVmeRmBaZpkqHTjhibHiTAxG8Qz9E4u5pA3TlkE85V5j1X0dlB45bRSjrDpAdpUrBpA/s1600/python-1.png" /></a></div>
<br />
<br />
We’re not going directly to the Python executable because it’s designed to run its tasks and quit. This will result in the command shell showing and disappearing very quickly. Instead, we use cmd.exe with the /k parameter to get the window open, execute the task, and stay open for us to review the output.
<br />
<br />
Click OK twice, and you will find the data from pdf-parser in a window. You’ll likely have to adjust your screen buffers in order to get the complete data, especially for the larger PDF files.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtSCONlbq9C-x8YAD7ONSTjAFCXnEz0fW48wLSvA-vPYBOB93quhAFlBBxfiK_OGlHMHCbO1wphbBd7F2vezxuwypJ4OdpQXOW3G-FKS1xi6VpvskuUxZVw4PdYsX_Y3Re2Jvkve1Ykj30/s1600/python-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtSCONlbq9C-x8YAD7ONSTjAFCXnEz0fW48wLSvA-vPYBOB93quhAFlBBxfiK_OGlHMHCbO1wphbBd7F2vezxuwypJ4OdpQXOW3G-FKS1xi6VpvskuUxZVw4PdYsX_Y3Re2Jvkve1Ykj30/s1600/python-2.png" /></a></div>
<br />
<br />
You can now run this on any PDF file in EnCase with a right click. To keep them around you’ll have to copy/paste the results into a text file or bookmark.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDQNtOElXqvdeSLGOsmwM0TUcJxV101S0Evm6EbCm9RJUSHLwF5WWK9M3NPP2vuUOQOnVbhS_nd9OmFkONwdLHK4x9Ws_d7UBV66XqQV8fiCSOnfVMtaBNe_ZBB0ivt88qC2O6iVgRuRLk/s1600/python-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDQNtOElXqvdeSLGOsmwM0TUcJxV101S0Evm6EbCm9RJUSHLwF5WWK9M3NPP2vuUOQOnVbhS_nd9OmFkONwdLHK4x9Ws_d7UBV66XqQV8fiCSOnfVMtaBNe_ZBB0ivt88qC2O6iVgRuRLk/s1600/python-3.png" /></a></div>
<br />
<h3><b>EnScript Method: Easy Mode</b></h3>
<br />
Sample code is available for download <a href="http://download.guidancesoftware.com/kJEm1ejre/gDwIkzH5vNoq+AW2I6o6teamdvw/3F4yBUfmA7DDuMh9jqkLkTfhiB">here</a>.
<br />
<br />
EnCase provides functionality in EnScript to run external tools utilizing ExecuteClass. This is essentially the same as running a tool at the command shell. The nice thing here is that we can capture the output from these tools, and bring it back into EnCase. Here’s what the help page shows:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGEgMQaEhfo1jNlh43Ll_Ade5hS_mbj3b0ip0QNka7lTwkG5gqs0WPHySblaPAyj_9nQz4q32h8LyCTSDIcPGGa4f3EURnFvTNqi1TavzJIvKKPtdmu_0jfbbp8xvwt2kJBG2CBWYYUOKw/s1600/python-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGEgMQaEhfo1jNlh43Ll_Ade5hS_mbj3b0ip0QNka7lTwkG5gqs0WPHySblaPAyj_9nQz4q32h8LyCTSDIcPGGa4f3EURnFvTNqi1TavzJIvKKPtdmu_0jfbbp8xvwt2kJBG2CBWYYUOKw/s1600/python-4.png" /></a></div>
<br />
<br />
And here’s a very simple example Python script to show the interaction. It outputs “hello world” to the command shell, and then loops through the arguments provided and writes them to the command shell, as well.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEa-rzPEetlYcWe6c7IRRI1P4khHoHhjzUHxWObRIYavIH0edCxY1XkAveZTxVeFkWijPRQvspDUwnNeVpCSVQp5vHI6JJiB-vie-DPGi5vZ7nm7Itu8HB4RYfijguBk_MSKnyXRkY2HIF/s1600/python-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEa-rzPEetlYcWe6c7IRRI1P4khHoHhjzUHxWObRIYavIH0edCxY1XkAveZTxVeFkWijPRQvspDUwnNeVpCSVQp5vHI6JJiB-vie-DPGi5vZ7nm7Itu8HB4RYfijguBk_MSKnyXRkY2HIF/s1600/python-5.png" /></a></div>
<br />
<br />
Here are the basics of getting an EnScript to run a Python script and collect the output. For simplicity, I’ve hard coded several values. The location of these two scripts doesn’t matter much, but they do need to be located next to each other in the same folder.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGXC11kC8vQv_0bMHczHSJQsGIsQuuqMX4YnqAoOApaxCpR_wGpO5qnI5e8PoiCfbkzPgEtT3PE99RbMKebz_Tfr1vjJ9HnomshEhjXpKm5rpS-bhN2IfY_hP2lQ-TLmxrTerSLjfFW_BK/s1600/python-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGXC11kC8vQv_0bMHczHSJQsGIsQuuqMX4YnqAoOApaxCpR_wGpO5qnI5e8PoiCfbkzPgEtT3PE99RbMKebz_Tfr1vjJ9HnomshEhjXpKm5rpS-bhN2IfY_hP2lQ-TLmxrTerSLjfFW_BK/s1600/python-6.png" /></a></div>
<br />
<br />
ExecuteClass uses a ConnectionClass as a tunnel to send and receive program data through. This allows us to execute on a remote machine, but here we use LocalMachine on line 18 to designate the examiner’s computer.
<br />
<br />
Some notes:
<ul class="list"><li>Backslashes in EnScript code need to be escaped “\\”</li>
<li>Note the uppercase L and M in LocalMachine</li>
<li>SetApplication() needs to be given a full and valid path to an executable</li>
<li>SetFolder() only sets the working directory and is not required</li>
<li>SetCommandLine() takes all parameters going to the set application</li>
<li>Make sure to quote any paths that might contain spaces</li></ul>
The output looks like this:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYhw-UYNmJAXFEPsq2_1IHNCznWDr6t3I4w-LjFM1_S0kCs9sh0m4ztTTMBO97sWZHO6W4vFNKFW02rmFtXvg0bAZ9cdeEkD3R8xg4KWOi5FwdAv6kMqiIBvQYRX_gwhBe2s90RAdoFWLp/s1600/python-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYhw-UYNmJAXFEPsq2_1IHNCznWDr6t3I4w-LjFM1_S0kCs9sh0m4ztTTMBO97sWZHO6W4vFNKFW02rmFtXvg0bAZ9cdeEkD3R8xg4KWOi5FwdAv6kMqiIBvQYRX_gwhBe2s90RAdoFWLp/s1600/python-7.png" /></a></div>
<br />
<br />
<h3><b>EnScript Method: Intermediate Mode</b></h3>
<br />
The example above provides input to the Python script and collects the output, but it has no file data to act upon. Here I’ll demonstrate how to send the currently highlighted entry in EnCase out to where Python can work with it, but the code will remain as simple as possible to show just what is needed to apply this to other Python scripts.
<br />
<br />
I’ve switched over to using the pdf-parser since the previous Python script doesn’t have any code for working with files. Take a look:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-CGz55aZShB8dcTn7Wzmr_3Q2iQ6UhwVWd4kfaoUNwdUuuoS60_4Id6MhdpXzH2n3r6KEEXKRcbgPNRAL3v9vLLwoGikJuA4yL7A6zDrAjg4AmpNSzhoUtVK2O29JnemcGkNdix1NeVMC/s1600/python-8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-CGz55aZShB8dcTn7Wzmr_3Q2iQ6UhwVWd4kfaoUNwdUuuoS60_4Id6MhdpXzH2n3r6KEEXKRcbgPNRAL3v9vLLwoGikJuA4yL7A6zDrAjg4AmpNSzhoUtVK2O29JnemcGkNdix1NeVMC/s1600/python-8.png" /></a></div>
<br />
<br />
Line 6 does the work of telling us which file the examiner has highlighted. The GetCurrentItem function returns an ItemClass object that can be a file from any of these views: Evidence (EntryClass), Records (RecordClass), Results (ResultClass), or Bookmarks (BookmarkClass).
<br />
<br />
Because the pdf-parser doesn’t understand e01 evidence files, the PDF files have to be taken out and placed on the file system where they can be accessed individually. Lines 9 and 10 open the file internally and an empty one externally, while line 11 fills the external with the contents of the internal.
<br />
<br />
Once Python has finished its work, we create a bookmark folder (Line 24) and a note (line 25) inside that holds the output (line 26) of the pdf-parser.
<br />
<br />
The Bookmarks tab then displays the results:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJKV2KcVOF8aiRKsQm63HGxHIw4zIPzltj62QczgDJugLRyeauPapf6YUPAeqKngiDRB6nlQaI0RSqQeRuSxalqE1rhAMx0rr9sDmSU5uF4BtHkr3TAxxmcJGDj6hC7WC-YgKTLRIh52-l/s1600/python-9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJKV2KcVOF8aiRKsQm63HGxHIw4zIPzltj62QczgDJugLRyeauPapf6YUPAeqKngiDRB6nlQaI0RSqQeRuSxalqE1rhAMx0rr9sDmSU5uF4BtHkr3TAxxmcJGDj6hC7WC-YgKTLRIh52-l/s1600/python-9.png" /></a></div>
<br />
<h3><b>Make it Work for You</b></h3>
<br />
The EnScript just above has been kept simple enough that it can easily be modified to use any other Python module that targets individual files of any type. Line 13 is what needs to be changed.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik0gSMdUs9ybHwuUZYO2zoXP5mm2V1lNE7GIJkxZhgkmKp2IppyxgvXp_ppxAgS3BV9DudU73dC5-B8JRIX9z-oyg_a0RZXVWoHStINww3HWXbtP5929NYMfBm0l_MaydGKS-elBG2E0XA/s1600/python-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik0gSMdUs9ybHwuUZYO2zoXP5mm2V1lNE7GIJkxZhgkmKp2IppyxgvXp_ppxAgS3BV9DudU73dC5-B8JRIX9z-oyg_a0RZXVWoHStINww3HWXbtP5929NYMfBm0l_MaydGKS-elBG2E0XA/s1600/python-10.png" /></a></div>
<br />
<br />
Now you can take advantage of the great work from our community and apply the Python tools to files inside your EnCase evidence files. I did a search and found a few Python based projects to consider:
<ul class="list"><li>analyzeMFT - <a href="http://www.integriography.com/">http://www.integriography.com</a></li>
<li>$USNJRNL•$J Parser - <a href="http://code.google.com/p/parser-usnjrnl">http://code.google.com/p/parser-usnjrnl</a></li>
<li>libpff - <a href="https://code.google.com/p/libpff">https://code.google.com/p/libpff</a></li>
<li>peepdf - <a href="https://code.google.com/p/peepdf">https://code.google.com/p/peepdf</a></li>
<li>registrydecoder - <a href="https://code.google.com/p/registrydecoder">https://code.google.com/p/registrydecoder</a></li>
<li>ntdsxtract - <a href="https://code.google.com/p/ntdsxtract">https://code.google.com/p/ntdsxtract</a></li>
<li><a href="http://techanarchy.net/2014/09/encase-and-analyzemft/">techanarchy.net/2014/09/encase-and-analyzemft</a> </li></ul>
<br />
<br />
Tell me your favorite Python based file parser in the comments below or on Twitter with hashtag #en2py. In the next post, I’ll be showing you an EnScript that is more advanced and utilizes a GUI to accept input from the examiner when running the pdf-parser Python script.
<br />
<br />
James Habben<br />
<a href="https://twitter.com/JamesHabben">@JamesHabben</a>
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-41622666634730003602014-09-02T08:38:00.000-07:002014-09-02T08:38:05.240-07:00Fear and Loathing in Internet History<author>James Habben</author>
<br />
<br />
As a DFIR examiner, poring over internet history records is a well-loathed daily activity. We spend hours looking at these lists trying to find an interesting URL that moves our case one direction or another. Sometimes we can use a filtering mechanism to remove URLs that we know for certain are uninteresting, but keeping a list like this up to date is a manual task. I used Websense to assist with this type of work at my previous job, but I have also had brief experiences with Blue Coat as well.
<br />
<a name='more'></a>
<br />
What I would like to present to you here is a proof-of-concept (PoC) to automate the task of maintaining and filtering internet history. The companies that provide this type of service do so for a fee, and they provide their data in a proprietary closed system to protect their intellectual property. I was able to locate a service that provides downloadable category lists that I could easily work with to prove (or disprove) this concept. The lists are not free, but the costs seem very reasonable. For instance, a business downloading updated tables once a month only needs to pony up $6 a month.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0QstbRgLx2OZiWY1PCZv_BjvTmDV83Cu1VKnNwFn9bAERBw4Wk-4qGkPcFkr7h3wJRlvCGZLAbnjJoXFQ4Zw8kbcOwHLm9XpzWI2CISOikUIG9fVJFKRNYACRiY6fJSYwiEUbMjOFV_A/s1600/url-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0QstbRgLx2OZiWY1PCZv_BjvTmDV83Cu1VKnNwFn9bAERBw4Wk-4qGkPcFkr7h3wJRlvCGZLAbnjJoXFQ4Zw8kbcOwHLm9XpzWI2CISOikUIG9fVJFKRNYACRiY6fJSYwiEUbMjOFV_A/s1600/url-1.png" /></a></div>
<br />
<a href="http://urlblacklist.com/">http://urlblacklist.com/</a>
<br />
<br />
<h3><b>The EnScript Alternative</b></h3>
<br />
I created an EnScript that can ingest this information and place it into a SQLite db for fast and easy lookups. I created a second EnScript that uses this generated SQLite db file to run through the internet history records parsed by EnCase and display them in a categorized view. This should allow you to save time and dig directly into the category that is most pertinent to your case. If a URL is not found in the db, then you revert back to the old mode of poring through the unknown list, only this time it has been significantly reduced by the known URLs.
<br />
<br />
You can <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010123WS">get both EnScripts here</a>. I also included a database that I downloaded in 2012 and converted to the SQLite db for you to play/test with.
<br />
<br />
I am using the TDurden evidence file here, which Guidance Software provides, for the following screenshots. The only things you need to do are load the evidence into a case and run the evidence processor to parse the internet history.
<br />
<br />
When you’re ready, run the “Categorize Internet History” EnScript. In my screenshot you may notice that I have 300 records showing for the IE history. When the EnScript window shows up, point it to the SQLite file that you downloaded along with the EnScripts (or a more recent db that you converted).
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUE-5TmYEzl48Q5GQK8FEfIt_dqGAfXPzRfGZNh1rsLQJduqOH5Kfi7RXitZkhU4L2lAGkIvf_eYtgMTU8z4bIwNK5DlS5sz88EvDxFNo0bt2choBhV8az2tgJ68UYQD9dzzKnjM7t1fc/s1600/url-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUE-5TmYEzl48Q5GQK8FEfIt_dqGAfXPzRfGZNh1rsLQJduqOH5Kfi7RXitZkhU4L2lAGkIvf_eYtgMTU8z4bIwNK5DlS5sz88EvDxFNo0bt2choBhV8az2tgJ68UYQD9dzzKnjM7t1fc/s1600/url-2.png" /></a></div>
<br />
<br />
The process will take a few minutes to sort through all of the records, but when it’s done, you’ll see a window looking something like this:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUgRDVNXGvFtw_5CZT-Vvpino0nUjjwCho4FeS6elb3Hudyqz9xGPA-UGEE0PlOK-PZdTRqflpXRPHW15uqeUUU5_NSsyalCaUULyFkGSsh2fzXc0C_26jA93QC3Xzrok6FtpSmq5-RSk/s1600/url-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUgRDVNXGvFtw_5CZT-Vvpino0nUjjwCho4FeS6elb3Hudyqz9xGPA-UGEE0PlOK-PZdTRqflpXRPHW15uqeUUU5_NSsyalCaUULyFkGSsh2fzXc0C_26jA93QC3Xzrok6FtpSmq5-RSk/s1600/url-3.png" /></a></div>
<br />
<br />
This EnScript will only show you categories that have records from your evidence file. There were <a href="http://urlblacklist.com/?sec=download#categories">73 categories</a> at last count.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4lLBV9D4UG9rWeoSiEL9qcT93O1j5VbvnOxvJ8FFCc5u7u5OdDUaNDJSWWDCibmW_VLpmFQJXiHQZzm8XU-P_rOKGgJiB2ljcP8ndBv-hZ1_6gkx5YE2hk91PieHguIzfP_5P1Ys_B54/s1600/url-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4lLBV9D4UG9rWeoSiEL9qcT93O1j5VbvnOxvJ8FFCc5u7u5OdDUaNDJSWWDCibmW_VLpmFQJXiHQZzm8XU-P_rOKGgJiB2ljcP8ndBv-hZ1_6gkx5YE2hk91PieHguIzfP_5P1Ys_B54/s1600/url-4.png" /></a></div>
<br />
<br />
The history records that can’t be found in the db will be listed in the bottom “category” that I make up called Unknown. In the TDurden case, it is showing 163 records, which is almost half of the original uncategorized list. I don’t know about you, but I think a reduction of 50% is a gift from the DFIR gods!
<br />
<br />
Please download this and try it against your cases. If this helps to reduce your workload at all, please let me know here in the comments or on <a href="http://www.twitter.com/jameshabben">Twitter</a>. I’m looking to expand the data sources, but I want to prove the concept before spending more time on it. One source I’ll soon look at is the malwaredomainlist.com lists. If this proves useful to enough examiners, it will give me some weight to approach the big guys in this industry to see about exposing some sort of API.
<br />
<br />
<h3><b>Deeper Tech for Those Who Care</b></h3>
<br />
The db design is pretty simple at the moment. There are three tables:
<ul class="list"><li>Categories: List of categories ingested from the lists</li>
<li>Domains: Domains (and subdomains)</li>
<li>URLs: Complete URLs for specific pages that are categorized differently from their domain.</li></ul>
The Categorize Internet History EnScript goes through the internet history records parsed by EnCase, but only looks at those typed as history records as indicated by the “internet artifact type” column of the records view. This type is independent of the browser that generated the artifact.
<br />
<br />
When checking for a given URL in the db, the EnScript does some normalization, such as https vs. http, trailing slashes, etc. Then it searches the URLs table to see if there is a very specific categorization record for this URL. If one is not found, it then searches the normalized domain of the URL in the domains table.
<br />
<br />
Both of the tables have indexes on the text fields to provide much faster searching.
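To make the lookup order concrete, here is an added Python re-implementation of the db design and lookup described above; it is not the EnScript from the post. It assumes the three-table layout, strips the query string and fragment during normalization, and, going one step beyond the post, walks up parent domains when the exact domain is not listed; the category data and history records are constructed samples.

```python
"""Categorize internet-history URLs against a three-table SQLite db.

Added example, not the EnScript from the post: it re-implements the design
described above (Categories, Domains, URLs tables with indexes, URL
normalization, URL-table lookup first, then Domains). The category data is
constructed for illustration, not taken from urlblacklist.com.
"""
import sqlite3
from urllib.parse import urlsplit

SCHEMA = """
CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE domains (domain TEXT NOT NULL,
                      category_id INTEGER NOT NULL REFERENCES categories(id));
CREATE TABLE urls    (url TEXT NOT NULL,
                      category_id INTEGER NOT NULL REFERENCES categories(id));
-- indexes on the text fields are what make the per-record lookups fast
CREATE INDEX idx_domains_domain ON domains(domain);
CREATE INDEX idx_urls_url ON urls(url);
"""

# Constructed sample data in the shape of a downloaded category list:
# category name -> (domain entries, page-level url entries)
SAMPLE_LISTS = {
    "searchengines": (["duckduckgo.com", "google.com"], []),
    "news": (["bbc.co.uk"], []),
    "adult": ([], ["example.org/pages/nsfw"]),  # page-level entry only
}


def normalize_url(raw):
    """Collapse variants that should hit the same db row.

    Drops the scheme (https vs. http), lower-cases the host, strips a
    leading "www.", and (assumption) drops the query string, fragment and a
    trailing slash.  Returns (domain, url_without_scheme).
    """
    parts = urlsplit(raw.strip())
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path.rstrip("/")
    return host, host + path


def build_db(path=":memory:"):
    """Create the three tables and ingest SAMPLE_LISTS into them."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    for name, (domains, urls) in SAMPLE_LISTS.items():
        cur = db.execute("INSERT INTO categories(name) VALUES (?)", (name,))
        cat_id = cur.lastrowid
        db.executemany("INSERT INTO domains VALUES (?, ?)",
                       [(d.lower(), cat_id) for d in domains])
        db.executemany("INSERT INTO urls VALUES (?, ?)",
                       [(u.lower().rstrip("/"), cat_id) for u in urls])
    db.commit()
    return db


def categorize(db, raw_url):
    """Return the category name for one history record, or "Unknown"."""
    domain, url = normalize_url(raw_url)
    # 1. a page-specific record beats anything at the domain level
    row = db.execute(
        "SELECT c.name FROM urls u JOIN categories c ON c.id = u.category_id "
        "WHERE u.url = ?", (url,)).fetchone()
    if row:
        return row[0]
    # 2. otherwise the domain, walking up through parent domains so that an
    #    entry for "bbc.co.uk" also covers "news.bbc.co.uk" (assumption: the
    #    post only describes the exact-domain lookup); the bare TLD is skipped
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        row = db.execute(
            "SELECT c.name FROM domains d JOIN categories c "
            "ON c.id = d.category_id WHERE d.domain = ?", (candidate,)).fetchone()
        if row:
            return row[0]
    return "Unknown"


def categorize_history(db, records):
    """Group parsed history URLs by category, like the EnScript's tree view."""
    grouped = {}
    for url in records:
        grouped.setdefault(categorize(db, url), []).append(url)
    return grouped


# Constructed history records standing in for EnCase's parsed IE history.
SAMPLE_HISTORY = [
    "https://duckduckgo.com/?q=encase",
    "http://www.google.com/search?q=enscript",
    "http://news.bbc.co.uk/",
    "https://example.org/pages/nsfw/",
    "http://example.org/",
    "http://intranet.local/timesheet",
]

if __name__ == "__main__":
    conn = build_db()
    for category, urls in sorted(categorize_history(conn, SAMPLE_HISTORY).items()):
        print(f"{category} ({len(urls)})")
        for u in urls:
            print("   ", u)
```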
<br />
<br />
I intend to expand this db design a bit more. For one, I would like to be able to show which source is providing the categorization data when the time comes to include multiple sources.
<br />
<br />
James Habben<br />
<a href="https://twitter.com/jameshabben">@JamesHabben</a>
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-65232577476776359542014-08-13T16:40:00.000-07:002014-08-13T16:42:21.597-07:00POSIX Regular Expressions in EnScript and .NET<author>James Habben</author>
<br />
<br />
I am sure you have spent a little intimate time with EnCase doing keyword searches, so you know that EnCase has basic GREP capabilities. This is a powerful feature that allows for searches to be performed with patterns that can eliminate false positive hits. Recently, we hosted a webinar with guest Suzanne Widup, describing some techniques and <a href="https://www.guidancesoftware.com/resources/Pages/webinars/Using-GREP-Searches-to-Speed-Investigations.aspx">benefits of using GREP in EnCase</a>.
<br />
<br />
GREP is a term that comes from the <a href="https://en.wikipedia.org/wiki/Grep">Unix world</a> long ago. It stands for Globally search for Regular Expressions and Print. This command line utility was used to search through data and print out results that matched the given pattern. Because of the popularity of the tool, the name has become synonymous with Regular Expressions (Regex). Though there is a defined standard, POSIX, the syntax of patterns used in Regex actually varies quite wildly depending on the platform engine and programming language that is being used. EnCase is no exception. In homage to our habit of prefixing our product names with “En”, I jokingly refer to our syntax of regex as “EnGrep.”
<br />
<a name='more'></a>
<br />
EnGrep has some limitations and differences in function. Before I show you why there is something so noteworthy as to call for a whole blog post about POSIX Regex, I would like to walk through a few of these differences. This is by no means an exhaustive list:
<br />
<br />
<ul class="list"><li><a href="http://www.regular-expressions.info/brackets.html"><b>Subgroups:</b></a> In Regex, a set of parentheses exposes the ability to retrieve matches that are restricted to the pattern inside those parentheses. This allows you to define a complex pattern that uses more criteria to locate and validate data, but only retrieve the parts that are relevant for results. EnGrep supports grouping characters with parentheses, but there is no mechanism for retrieving matches from within those groups.</li>
<li><a href="http://www.regular-expressions.info/lookaround.html"><b>Look-Arounds:</b></a> This is a powerful feature that allows for matches to validate data that prepends or appends the relevant hit without affecting the size of the data of the actual result. This can sometimes be interchangeable with subgroups for ultimate functionality, but these are usually more efficient. EnGrep does not support these.</li>
<li><b>Pipe Grouping:</b> This is not a feature, but a behavior difference. Using a pattern in EnGrep such as “Habben|Key|Lukach|Mizota” would find a result of “HabbeKeyukacMizota”. If you were trying for complete names, you would have to modify the pattern like this “(Habben)|(Key)|(Lukach)|(Mizota)” to get the intended result. With a POSIX-compatible engine, the first pattern takes on the behavior of the second automatically without having to place the groups around each of the names.</li></ul>
EnGrep has done a great job for examiners over the years, but it can be a bit frustrating to programmers looking for more exact results. This is especially true if you have come from using a language that has the full capabilities of Regex available.
<br />
<br />
<h3><b>.NET to the rescue</b></h3>
<br />
If you haven’t read through the previous blog post about .NET integration, why not take a few minutes now to understand <a href="http://encase-forensic-blog.guidancesoftware.com/2014/06/working-with-enscript-and-netc.html">how this works</a>.
<br />
<br />
The power we are taking advantage of here comes from the .NET library at System.Text.RegularExpressions (http://msdn.microsoft.com/en-us/library/system.text.regularexpressions.regex.aspx). We just have to put together a small c# project that essentially translates the .NET API functions over to EnScript land. Here are the API functions I have gone after:
<br />
<br />
<ul class="list"><li><a href="http://msdn.microsoft.com/en-us/library/b49yw9s8.aspx"><b>Matches:</b></a></li>
<ul class="list"><li>Parameters: Input text, Regex pattern, RegexOptions</li>
<li>Returns: MatchCollection object</li></ul>
<li><a href="http://msdn.microsoft.com/en-us/library/taz3ak2f.aspx"><b>Replace:</b></a></li>
<ul class="list"><li>Parameters: Input text, Regex pattern, Replacement text, RegexOptions</li>
<li>Returns: string</li></ul></ul>
While creating this project, I discovered a bit of a limitation in the integration of .NET and EnScript. Enumerated types do not like to transfer from .NET into EnScript. I tried working with the types directly in EnScript, and I tried defining my own custom types in my project namespace. <a href="http://msdn.microsoft.com/en-us/library/system.text.regularexpressions.regexoptions.aspx">Here is the full list of options</a>.
<br />
<br />
My C# code then had to do a bit more work than simply exposing the Regex API. I created two functions that accept a couple of bool parameters instead of the RegexOptions type that I couldn’t pass directly from EnScript. I chose two options that I felt would be useful. Here they are:
<br />
<pre>
using System.Text.RegularExpressions;

namespace RegexLib {
    public class RegexClass {
        // Both wrappers take two bools in place of the RegexOptions enum,
        // which does not cross the .NET/EnScript boundary.
        public static MatchCollection Matches(string input, string pattern,
                bool ignoreCase = true, bool multiLine = false) {
            RegexOptions regexOptions = RegexOptions.None;
            if (ignoreCase) regexOptions |= RegexOptions.IgnoreCase;
            if (multiLine) regexOptions |= RegexOptions.Multiline;
            return Regex.Matches(input, pattern, regexOptions);
        }

        public static string Replace(string input, string pattern, string replacement,
                bool ignoreCase = true, bool multiLine = false) {
            RegexOptions regexOptions = RegexOptions.None;
            if (ignoreCase) regexOptions |= RegexOptions.IgnoreCase;
            if (multiLine) regexOptions |= RegexOptions.Multiline;
            return Regex.Replace(input, pattern, replacement, regexOptions);
        }
    }
}
</pre>
If you like my implementation, you don’t need to create a c# project, since I’m providing the DLL to reference in your EnScripts down below.
<br />
<br />
<h3><b>Here comes the fun part</b></h3>
<br />
You need to place the DLL file somewhere (I place it beside the EnScript for ease) and then put a line at the top of your EnScript.
<br />
<pre>
assembly "RegexLib.dll"
</pre>
Now compile the EnScript and you’ll find the new Regex functions in the class browser.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhluq3GpICu3VLslrcDf5YHyfLxUwIqtDmoTFzrLoi_OzpY046MP9WOOYPmzM9o4n8diwEQO2wXleMjjQJHbLVQd5AQFg8hvHZ-S3bM1BDu-aYzU38ZGy26TItaOR2g1_uvz0XPgHjAu4eH/s1600/posix-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhluq3GpICu3VLslrcDf5YHyfLxUwIqtDmoTFzrLoi_OzpY046MP9WOOYPmzM9o4n8diwEQO2wXleMjjQJHbLVQd5AQFg8hvHZ-S3bM1BDu-aYzU38ZGy26TItaOR2g1_uvz0XPgHjAu4eH/s1600/posix-1.png" /></a></div>
<br />
<br />
Define an object to collect the matches:
<pre>
System::Text::RegularExpressions::MatchCollection matches;
</pre>
Because I defined the functions as static, you call them like this:
<pre>
matches = RegexLib::RegexClass::Matches(...);
</pre>
Then you can list the matches in the collection like this:
<pre>
foreach (System::Text::RegularExpressions::Match ma in matches) {
Console.WriteLine("match[{0}]: {1}", ma.Index(), ma.Value());
}
</pre>
Let’s put this all together and create a scenario so we have something to search for. You have parsed internet history from a suspect drive. He is accused of being a weirdo that actually enjoys Windows 8. He is also a privacy nut, so he uses duckduckgo.com as his primary search engine. Our task is to give a quick report of the searches performed on this computer.
<br />
<br />
We could build an EnGrep pattern to find the appropriate URL matches, but we’re going to highlight the power of sub matches to display data that is easier to read. Here’s what the target URL format looks like:
<pre>
https://duckduckgo.com/?q=encase
</pre>
Like most search engines, they use the q= parameter for the queries typed by the visitor. Query string values are delimited with & signs, and URLs are terminated with whitespace. Now that we are using POSIX Regex, we have some additional symbols like \S that represent non-whitespace characters and \s for whitespace characters. I have colored the grouping parentheses in red. This should do the trick:
<pre>
https?://duckduckgo.com\S+q=([^&\s]+)\S*
</pre>
In the attached demonstration EnScript, I’ve defined a list of URL values using NameListClass objects so they would be similar to iterating through URL history records that have been parsed out by the Evidence Processor. Remember that when you want to put a backslash into EnScript source code, you have to escape it.
<pre>
System::Text::RegularExpressions::MatchCollection matches;
matches = RegexLib::RegexClass::Matches(url.Name(),
"https?://duckduckgo.com\\S+q=([^&\\s]+)\\S*", true, false);
</pre>
Since I have used the sub groups, we have to get a bit fancier in the code to access the value of the query and pull it out from the rest of the URL. There is a property of the MatchCollection that exposes the groups called Groups(). The Item() method allows us to address a single group from the collection. Group #0 is always going to be the whole match. I have only one group defined inside the pattern, so I know that group #1 will be the query text that we are looking for.
<pre>
foreach (System::Text::RegularExpressions::Match ma in matches) {
Console.WriteLine("Search Phrase: {0}", ma.Groups().Item(1).Value());
Console.WriteLine(" Full URL: {0}", ma.Value());
}
</pre>
The last bit before we finish up is to remove those + signs that make the queries a bit more difficult to read. This will take care of that:
<pre>
String CleanTerms (String input) {
input.Replace("+", " ");
return input;
}
</pre>
So the final result in the console looks like this:
<pre>
Search Phrase: man eating cockroaches
Full URL: https://duckduckgo.com/?q=man+eating+cockroaches
Search Phrase: what seasoning to cook monkey brains
Full URL: https://duckduckgo.com/?q=what+seasoning+to+cook+monkey+brains
</pre>
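As an added example (not the post’s EnScript or DLL), here is the same extraction done with Python’s re module, which supports the sub-group, non-whitespace class and alternation constructs discussed above; it also shows the pipe-grouping behaviour from the list earlier in the post and, going a step beyond CleanTerms, decodes %xx escapes. The URL list is constructed sample data.

```python
"""Pull DuckDuckGo search phrases out of URL history with a regex sub-group.

Added example, not the post's EnScript or .NET DLL.  Python's re engine
handles the constructs the post relies on (capture groups, the S/s
whitespace classes, alternation), so it stands in for
System.Text.RegularExpressions here.  All URLs below are constructed.
"""
import re
from urllib.parse import unquote_plus

# The post's pattern, verbatim: group 1 captures the q= value up to the
# next & or whitespace; IgnoreCase mirrors the ignoreCase=true default.
DDG_SEARCH = re.compile(r"https?://duckduckgo.com\S+q=([^&\s]+)\S*",
                        re.IGNORECASE)


def clean_terms(query):
    """Turn the q= value back into what the user typed.

    The post's CleanTerms only swaps "+" for a space; unquote_plus does that
    and also decodes %20-style escapes (a step beyond the post).
    """
    return unquote_plus(query)


def extract_searches(urls):
    """Return (search phrase, full URL) pairs for every matching record."""
    results = []
    for url in urls:
        for m in DDG_SEARCH.finditer(url):
            # group(0) is the whole match, group(1) the captured query text
            results.append((clean_terms(m.group(1)), m.group(0)))
    return results


def alternation_matches(text, names=("Habben", "Key", "Lukach", "Mizota")):
    """The pipe-grouping difference from the post: with a POSIX-style engine
    the bare alternation "Habben|Key|Lukach|Mizota" matches whole names only,
    so partial names inside the text are not reported."""
    return re.findall("|".join(names), text)


def report(urls):
    """Render the console report shown in the post."""
    lines = []
    for phrase, full in extract_searches(urls):
        lines.append(f"Search Phrase: {phrase}")
        lines.append(f"     Full URL: {full}")
    return "\n".join(lines)


# Constructed history records; the second carries extra query parameters and
# the third a percent-encoded space, the fourth is a non-DuckDuckGo search.
SAMPLE_URLS = [
    "https://duckduckgo.com/?q=man+eating+cockroaches",
    "https://duckduckgo.com/?q=what+seasoning+to+cook+monkey+brains&t=h_&ia=web",
    "http://duckduckgo.com/?q=encase%20enscript",
    "https://www.bing.com/search?q=not+ddg",
]

if __name__ == "__main__":
    print(report(SAMPLE_URLS))
    print(alternation_matches("HabbeKeyukacMizota"))
```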
<a href="http://download.guidancesoftware.com/eEPGNdAeYg5a8r1jcj8Mp653l5jEwF60WH0gGfZhV5ZyFSyPjXnhbKLZKeiF/i5SB9RT7Ckg1vc%3D">Download the example EnScript and .NET DLL file here</a>.
<br />
<br />
There is a downside to the Regex available through the .NET libraries: the functions only accept string input. That means we can use Regex when looking for text-based patterns, but EnGrep still reigns king when searching for patterns like file headers.
<br />
<br />
Do you have an idea for using POSIX Regex in EnScript? Let me know in the comments or on Twitter.
<br />
<br />
James Habben<br />
@JamesHabben
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-65856389346417122772014-08-07T15:24:00.001-07:002014-08-07T15:24:59.538-07:00Feature Spotlight: Report Template Wizard<author>Ken Mizota</author>
<br />
<br />
No forensic investigation is complete without a comprehensive report tailored to the intended audience. Whether the cases involve crime, civil litigation, or policy non-compliance, the end goal of an investigation is to share findings with others. EnCase Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a Report Template. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power.
<br />
<br />
EnCase Version 7.10 adds the Report Template Wizard. You can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting while maintaining the power of Report Templates. Read on beyond the jump to learn more.
<br />
<a name='more'></a>
<br />
EnCase Report Templates enable a great deal of sophistication in how a report is tailored. Moreover, the templates are designed for re-use: Once you have a set of formats, sections and metadata of interest for a given case type, they’re intended to be used over and over again. However, there are times, especially in the heat of an investigation, where time is precious and Report Template modification can be more complex than desired. The Report Template Wizard has been built to make it faster and easier to perform basic reporting modifications directly from Bookmarks.
<br />
<br />
<h3><b>Simpler, Less Effort</b></h3>
<br />
Over the lifetime of EnCase 7, customers have consistently told me, “It’s too hard to add Bookmarks to my report.” EnCase v7.10 adds navigation directly from Bookmarks to Report Templates, and gives us access to “Add folder to report,” i.e., the Report Template Wizard.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN-JxduBUxgip6DxgKHKKjGoEKEyGRz534kys4s2gDy2we-D6xZoryE1czwim9WDdC2uxloqqXBKMd6Wtn4gWD1eZjDaUKZ1GqYCdQ-2S6DIPImZHVMK44D_9dWuT8HRzD8qn4Jd-Jc-s/s1600/template-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN-JxduBUxgip6DxgKHKKjGoEKEyGRz534kys4s2gDy2we-D6xZoryE1czwim9WDdC2uxloqqXBKMd6Wtn4gWD1eZjDaUKZ1GqYCdQ-2S6DIPImZHVMK44D_9dWuT8HRzD8qn4Jd-Jc-s/s1600/template-1.png" /></a></div>
<br />
<br />
You can also right-click on the Bookmark Folder you’d like to add to your report:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdXPpuZZB1DhV-xaMlF5bf7ns_0a0GFQVdBFnzqDTu2x011VsUYaoUrPbzv_BxqgekrhhIvKNOQxp_sUREgOLVuaY4cdEQrlEOuhezC8psSbMT9O5rRNAMDUjWtyWA8DPN_tfLN3Gv7JY/s1600/template-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdXPpuZZB1DhV-xaMlF5bf7ns_0a0GFQVdBFnzqDTu2x011VsUYaoUrPbzv_BxqgekrhhIvKNOQxp_sUREgOLVuaY4cdEQrlEOuhezC8psSbMT9O5rRNAMDUjWtyWA8DPN_tfLN3Gv7JY/s1600/template-2.png" /></a></div>
<br />
<br />
If you already have a Report Section ready for the Bookmark, you can quickly add it to an existing section (1). Or, you can add a new section (2).
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRvnLTtrq2pp499GV1R9cDnaDgHF7CEb3o0Sb_0_I9s8_xtmSg3LT0kvA0yBGwnG1BXd3iG-0ah6zTpr3qPeNuU5el-cnuzMEXQhiksVcIae_lzib4O0zhncUZKrOJ7RRxKczkHNbgGds/s1600/template-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRvnLTtrq2pp499GV1R9cDnaDgHF7CEb3o0Sb_0_I9s8_xtmSg3LT0kvA0yBGwnG1BXd3iG-0ah6zTpr3qPeNuU5el-cnuzMEXQhiksVcIae_lzib4O0zhncUZKrOJ7RRxKczkHNbgGds/s1600/template-3.png" /></a></div>
<br />
<br />
Next, pick some basic formatting, like whether you want the numbering of each item to restart at 1, or whether you want to hyperlink from the report to a location with exported evidence. You can preview your report here, but why not first customize the metadata that you’d like to see for this Bookmark Folder.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCW8ZvlSN2KUVmDoX8FvpaT2bDqFXaN4uWssEmGR43THoHn1lvVrFjCsBErAdK6byJIgUSb-bhhEnY3Vf2RkN7VFyLTfPBLe-aAosV1XgJb_4VQwXRkSR0YljN3bou6w78bVDIc0CY-vU/s1600/template-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCW8ZvlSN2KUVmDoX8FvpaT2bDqFXaN4uWssEmGR43THoHn1lvVrFjCsBErAdK6byJIgUSb-bhhEnY3Vf2RkN7VFyLTfPBLe-aAosV1XgJb_4VQwXRkSR0YljN3bou6w78bVDIc0CY-vU/s1600/template-4.png" /></a></div>
<br />
<br />
The Customize metadata button launches a selection window with an integrated preview. In this view you can select fields from all of the available metadata fields in EnCase (1), set the display order (2) and see a live preview of how the Bookmark Folder will be displayed in your Report Section (3).
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieoO17oVBopFvZoYNqZSuEM1bDCOrNNz7fOrgzwTNKYfH2z1fA_nNqd97XOCQPNzI7jojts3gYo9NyiitJjKUzd_4Rbei0Jw29reAY7VIEhlSEHqbyCD7qctocwkDaTXPSsx6y7pI5p0I/s1600/template-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieoO17oVBopFvZoYNqZSuEM1bDCOrNNz7fOrgzwTNKYfH2z1fA_nNqd97XOCQPNzI7jojts3gYo9NyiitJjKUzd_4Rbei0Jw29reAY7VIEhlSEHqbyCD7qctocwkDaTXPSsx6y7pI5p0I/s1600/template-5.png" /></a></div>
<br />
<br />
Once the selections have been made and the Report Section looks the way you want, the Report Template is updated automatically:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMFX9IkmX6Rm_QagzDS6a3CshKekCMMVktPP2JeZQy6vWRg55W1_Q8ovc6LPmzhV4uQRavu7293dn5hGidS-PRdoBESsOmeZsvuauQ_Nnqn3csWebKGNpvE5Xa8jeW0-s4Ug0ukkp2xUY/s1600/template-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMFX9IkmX6Rm_QagzDS6a3CshKekCMMVktPP2JeZQy6vWRg55W1_Q8ovc6LPmzhV4uQRavu7293dn5hGidS-PRdoBESsOmeZsvuauQ_Nnqn3csWebKGNpvE5Xa8jeW0-s4Ug0ukkp2xUY/s1600/template-6.png" /></a></div>
<br />
<br />
To make things even simpler, if you have a somewhat sparsely populated report, you can now hide empty sections, i.e., those sections containing no Bookmarks or Notes.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAMbIikQa3tSq1GY8YMAejppF3Ywyp1pO6DOTIVa22fUv3axbLR49_fTarRmHbV76PHA__ojBgbEpnxUFTY50c2wz5SMF6Kk2E7b-jbgjkMFlVZm7XH_T0-7IK0Ghfojp5ye11RX2L_C0/s1600/template-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAMbIikQa3tSq1GY8YMAejppF3Ywyp1pO6DOTIVa22fUv3axbLR49_fTarRmHbV76PHA__ojBgbEpnxUFTY50c2wz5SMF6Kk2E7b-jbgjkMFlVZm7XH_T0-7IK0Ghfojp5ye11RX2L_C0/s1600/template-7.png" /></a></div>
<br />
<br />
I hope you find these new tools helpful in your next investigation. Whether your case workload is measured in hours or weeks, the EnCase 7.10 Report Template Wizard gives you greater efficiency. Let us know what you think in the comments, or reach me on <a href="https://twitter.com/kenm_encase">Twitter @kenm_encase</a>.
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-27739831508748668662014-08-06T12:49:00.000-07:002014-08-06T12:49:03.209-07:00Feature Spotlight: Portable Triage<author>Ken Mizota</author>
<br />
<br />
EnCase 7.10 now includes full EnCase Portable capabilities at no additional cost.
<br />
<br />
In this post, I’ll explain what this means to the investigator and show some practical tips on how to make use of your new-found ability. Acquire Live RAM? Detect encryption? Perform snapshot? Capture screenshots of running Windows? Learn more after the jump.
<br />
<a name='more'></a>
<br />
If you’re unfamiliar with <a href="https://www.guidancesoftware.com/products/Pages/encase-portable/overview.aspx">EnCase Portable</a>, it is a USB key-based tool, designed for on-scene work, namely <a href="https://www.guidancesoftware.com/products/Pages/EnCase-Portable/Triage.aspx">triage</a> and <a href="https://www.guidancesoftware.com/products/Pages/EnCase-Portable/Collect.aspx">collection</a>. EnCase Portable offers two modes of use: The forensically trained investigator can configure jobs on the EnCase Portable USB key and the non-expert field technician can use Portable with a minimum of effort or training.
<br />
<br />
Jobs can be configured to consist of any combination of processing modules, depending on the type of on-scene work, e.g.:
<ul class="list"><li>Live RAM acquisition</li>
<li>Take a snapshot of running processes, ports, DNS cache, ARP, etc.</li>
<li>Detect full-disk encryption</li>
<li>Search for and preview pictures</li>
<li>Run bespoke EnScript</li></ul>
Once configured, EnCase Portable is built for situations where a non-expert technician is pressed into duty to perform on a tight timeframe. On-scene personnel don’t have time to wait for analysis or processing to occur; they need to know which action to take next. Think of these sorts of questions: “Is the drive encrypted?” “Can I shut it down?”
<br />
<br />
EnCase Portable is a standalone product that works independently of EnCase Forensic and EnCase Enterprise, but it is now also available as part of its older, more capable siblings.
<br />
<br />
<h3><b>Configuring a Portable Device</b></h3>
<br />
In the Tools menu, you’ll find a new option, Create Portable Device.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSwYyxTgV2vbCb5L1rubksjZtSbv8f81CVApOczKvdwtHrKaii-5tPkSC1kgFx4HaJ1uRhYXwDdowPepSBL0TNG2hammHWaArMHVqSZm3xaSykWOHd0eoZD4G4-Cjw_cAnY8Sn2XEXXWn8/s1600/portable-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSwYyxTgV2vbCb5L1rubksjZtSbv8f81CVApOczKvdwtHrKaii-5tPkSC1kgFx4HaJ1uRhYXwDdowPepSBL0TNG2hammHWaArMHVqSZm3xaSykWOHd0eoZD4G4-Cjw_cAnY8Sn2XEXXWn8/s1600/portable-1.png" /></a></div>
<br />
<br />
With this tool, you’ll be able to configure any removable storage device, including an EnCase Portable USB key, to run EnCase Portable. When we launch the tool, Portable Management appears. From this interface, we can create and manage jobs and prepare new devices. Select a locally attached external storage device (e.g. F:) and click Configure Device.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTAaFjA_JjJYS_UiCiV2U6_xasLx9YtFZRJ0CwfM6y3580GmED7EhiQSfj-VhN6HhyfGc53BcS2HBmN49KVMd-5oCkX7JiEuckAkaxCVuyATQ70V0KMEARRvm4RAipkRtG3YkArK-sj-5S/s1600/portable-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTAaFjA_JjJYS_UiCiV2U6_xasLx9YtFZRJ0CwfM6y3580GmED7EhiQSfj-VhN6HhyfGc53BcS2HBmN49KVMd-5oCkX7JiEuckAkaxCVuyATQ70V0KMEARRvm4RAipkRtG3YkArK-sj-5S/s1600/portable-2.png" /></a></div>
<br />
<br />
EnCase will begin to copy all required binaries and libraries to the selected USB device.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdN480-obxy4YcWNvlGjlrpQ8kUi8o5tqjRnw1MYRGYT44aLHsm-HafFTmBt0tW64Fip07XB5kf8-nGD_ctrahDO35jCNVFzjlfYEthvTcqg3JY2mZ_c8-EzPR9O3M8FpHmws7nXmskone/s1600/portable-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdN480-obxy4YcWNvlGjlrpQ8kUi8o5tqjRnw1MYRGYT44aLHsm-HafFTmBt0tW64Fip07XB5kf8-nGD_ctrahDO35jCNVFzjlfYEthvTcqg3JY2mZ_c8-EzPR9O3M8FpHmws7nXmskone/s1600/portable-3.png" /></a></div>
<br />
<br />
Once that completes, we can select the type of job we want to add to the Portable device. In the example below, we’ll select the On-scene Intelligence Collection job (1) and add it to the device (2).
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdwl4iIk4iqirAIl0qTZUlbQ4zw935rAlovEQUy7oSIzukuNshoKGjsDT_cYbyun_XcNQ93ZHYdC_DmMOCXxFhH1nIm-PN84s1yr86wC8JMXh9MUI1-QkiL63v3-Jf_CRJjbBMHAZj3eJi/s1600/portable-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdwl4iIk4iqirAIl0qTZUlbQ4zw935rAlovEQUy7oSIzukuNshoKGjsDT_cYbyun_XcNQ93ZHYdC_DmMOCXxFhH1nIm-PN84s1yr86wC8JMXh9MUI1-QkiL63v3-Jf_CRJjbBMHAZj3eJi/s1600/portable-4.png" /></a></div>
<br />
<br />
With a few clicks we have just crafted a fully functional EnCase Portable device, complete with an EnCase installation and Portable jobs. All we need to do now is take our USB drive and our EnCase Forensic, Enterprise or Portable dongle and head on-scene, or mail it to on-scene personnel (half-way around the world).
<br />
<br />
<h3><b>Easy On-Scene Intelligence</b></h3>
<br />
We’ve configured a single job on the USB stick, so let’s see how the on-scene technician will interact with the tool. All the technician needs to do is plug in the prepared Portable device and their Portable USB key into the target machine. If you have an old and crusty USB stick, and an equally crusty EnCase Forensic dongle, it would look like this:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYslZxpSNR8XymLywCNgtCzwpQnS6Y5Bq7Mhheud-qEie1tMsb9pXY-p9WbSpHMvnIWvsT3llwxnKABMiy_jCFom1DDoof7q0xfcK-qbFG9R5DygseMzl9g9KaZBCALyndgrtx2imVSZ9p/s1600/portable-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYslZxpSNR8XymLywCNgtCzwpQnS6Y5Bq7Mhheud-qEie1tMsb9pXY-p9WbSpHMvnIWvsT3llwxnKABMiy_jCFom1DDoof7q0xfcK-qbFG9R5DygseMzl9g9KaZBCALyndgrtx2imVSZ9p/s1600/portable-5.png" /></a></div>
<br />
<br />
Of course, if you already own an EnCase Portable dongle, you can also configure that device with the same capability (and use a single dongle if you like).
<br />
<br />
From Windows Explorer, execute Run Portable.exe. EnCase launches and automatically loads the EnCase Portable UI. Since we prepared the USB stick with only one job, we have only one option:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIIcdyCr2qXEhZXRCsbnwwcvOd0G5gWrFprENwRMRm0Tj5HOooPovX18E4D3EVWhNEyHxZTqG49cFsIQOTz_CZpqDONu7KtdY-RryrxflrsYp7cnVi9YiWFsZqhS-_QVx_xq0JmuKb956P/s1600/portable-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIIcdyCr2qXEhZXRCsbnwwcvOd0G5gWrFprENwRMRm0Tj5HOooPovX18E4D3EVWhNEyHxZTqG49cFsIQOTz_CZpqDONu7KtdY-RryrxflrsYp7cnVi9YiWFsZqhS-_QVx_xq0JmuKb956P/s1600/portable-6.png" /></a></div>
<br />
<br />
With a click of the mouse the job executes. This pre-configured job collects live RAM, performs a snapshot to obtain running processes and other volatile artifacts, collects screen captures of open windows, and scans physical volumes to detect full-disk encryption. This job is designed to run within a short period of time, but of course jobs may be tailored to meet your needs (e.g. snapshot only, or live RAM only).
<br />
<br />
All of the data and resulting analysis is captured onto the Portable device for immediate or later review back in the lab. For example, you could use the encryption report to determine if it is safe to turn off a target machine and image it with a <a href="https://www.guidancesoftware.com/products/Pages/tableau/products/duplicators.aspx">Tableau Forensic Duplicator</a>. You might collect live RAM so that you can return to your lab and use the <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010069WS">Volatility Reporting Plugin</a> within EnCase.
<br />
<br />
<h3><b>Craft your diamond sword</b></h3>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeQD92H3S61-GO9qRFMOqShRibBzZBObEikmFbfCd7NZ7EUD4YwUMvfdQnS0O0ap8GsZh0iYg3EWOvaemmCH6dYNWd8r40pBdsLRcGi_oqGL2EpFLqhegXOb53xcY-xBvE7IwHJ-S0Lxqb/s1600/portable-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeQD92H3S61-GO9qRFMOqShRibBzZBObEikmFbfCd7NZ7EUD4YwUMvfdQnS0O0ap8GsZh0iYg3EWOvaemmCH6dYNWd8r40pBdsLRcGi_oqGL2EpFLqhegXOb53xcY-xBvE7IwHJ-S0Lxqb/s1600/portable-7.png" /></a></div>
<br />
<br />
<center><i>(not an actual screenshot)</i></center>
<br />
<br />
I don’t play <a href="https://minecraft.net/">Minecraft</a>, but I think the “crafting” analogy in this case works. We think this new ability will provide a great value to investigators, primarily because investigations require flexibility: You don’t know what you will encounter next, but you likely have the raw materials at your disposal to fashion the tool you need. Give this new-found ability a try in EnCase 7.10, and let us know how your on-scene investigations go in the comments below, or reach me on Twitter <a href="https://twitter.com/kenm_encase">@kenm_encase</a>.
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-39346231266642015892014-08-06T08:51:00.000-07:002014-08-06T08:51:09.534-07:00Feature Spotlight: SED Unlock with EnCase & WinMagic SecureDoc<author>Ken Mizota</author>
<br />
<br />
Self-encrypting drives represent a very specific problem for digital investigators. The direction of technology is clear: within the next few years, strong encryption will be baked into the silicon of every hard drive from every major manufacturer. Self-encrypting drives (SED) offer greater data security than traditional full-disk encryption in that the data stored is always encrypted at rest and the keys to decrypt the data never leave the device, which means they cannot be practically brute-forced through traditional means.
<br />
<br />
SEDs render <a href="http://en.wikipedia.org/wiki/Cold_boot_attack">“cold boot”</a> and <a href="https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html">“evil maid”</a> attacks useless and offer instant encryption and <a href="http://kb.sandisk.com/app/answers/detail/a_id/14851/~/what-is-crypto-erase%3F">crypto-erase</a> when a drive needs to be repurposed. SEDs are very attractive, but present significant obstacles to traditional disk-based forensics. In this post, we’ll walk through how EnCase 7.10 works with WinMagic SecureDoc to enable forensic investigation of self-encrypting drives.
<br />
<a name='more'></a>
<br />
<h3><b>Always Encrypted, Not Always Locked</b></h3>
<br />
In a locked state, the data at rest on a SED is not usable to an investigator. SED security measures prevent a full disk image of the actual data stored. Even if a full image could be taken, since the data encryption key never leaves the SED, there is no way to decrypt the data without the original hardware. The SED must be unlocked to extract the actual data. Unlocking requires authentication, which is performed independent of an operating system.
<br />
<br />
Since the encryption is hardware-based, to an investigator, unlocking is functionally equivalent to decryption. While SED manufacturers adopt the Trusted Computing Group’s OPAL specification, the way a SED is unlocked is specific to each encryption management vendor.
<br />
<br />
<h3><b>WinMagic SecureDoc and EnCase</b></h3>
<br />
Products like WinMagic SecureDoc manage software-based encryption and SEDs. Working in close partnership with WinMagic, Guidance Software has delivered an ability to unlock SED drives managed by WinMagic SecureDoc. One of the major obstacles to deploying encryption across an enterprise is to maintain the ability to investigate the resulting protected data. EnCase 7.10 and SecureDoc together provide first-of-a-kind visibility into the data within a SED.
<br />
<br />
Earlier this year, Guidance and WinMagic jointly presented a proof-of-concept of this technology at <a href="https://www.guidancesoftware.com/ceic/Pages/ceic-archives.aspx">CEIC 2014</a>. Subsequently, Garry McCracken on the <a href="http://www.winmagic.com/blog/2014/06/19/computer-forensics-and-self-encrypting-drives/">SecureSpeak blog</a> shared more info on how SEDs work in addition to helpful info on <a href="http://www.winmagic.com/blog/2013/12/19/does-software-full-disk-encryption-fde-thwart-computer-forensics/">full disk encryption</a>. Now that EnCase 7.10 has been released, investigators can see how EnCase may be used to unlock a SecureDoc managed SED.
<br />
<br />
<h3><b>Decrypted and Write-Blocked</b></h3>
<br />
When a SED is configured with pre-boot authentication, only the 128MB OPAL “MBR Shadow” volume is visible to the OS. In Windows Disk Manager, this volume is presented as a smallish volume labeled “WINMAGIC.”
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkBIrH5NpjzikfE1eOZJB94THF-gyJBy7ottrCa706hDd9YVwT-EAsuKiGf9DupWqWlj9kViOipuQy8PR4NPMjQWwcwdp9oQ6_wISk0-8THkYbUQBoYu-AwLpVCelqVU5lXEg9O1keU6zV/s1600/boot-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkBIrH5NpjzikfE1eOZJB94THF-gyJBy7ottrCa706hDd9YVwT-EAsuKiGf9DupWqWlj9kViOipuQy8PR4NPMjQWwcwdp9oQ6_wISk0-8THkYbUQBoYu-AwLpVCelqVU5lXEg9O1keU6zV/s1600/boot-1.png" /></a></div>
<br />
<br />
Naturally, Windows Explorer doesn’t yield any more info.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt5t0ebHP5iA3VjC-sqlBV4Eefa9tX_v4I16I3l6mVB-yKqICOHtC1XNziMGjXmjY1OxRXHFs-W1enM6JrtzlUfg8F8YamGLWHaXXW1FiI-cKNhQuOaM8S8xYIEkG4bTQP99pjBUbhozEt/s1600/boot-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt5t0ebHP5iA3VjC-sqlBV4Eefa9tX_v4I16I3l6mVB-yKqICOHtC1XNziMGjXmjY1OxRXHFs-W1enM6JrtzlUfg8F8YamGLWHaXXW1FiI-cKNhQuOaM8S8xYIEkG4bTQP99pjBUbhozEt/s1600/boot-2.png" /></a></div>
<br />
<br />
Next, let’s take a look in EnCase 7.10. We’ll add a physical device to our case:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisEFymIz9SQre5tadVVWG98BnORez6zWunNifI6CVdoX-9cWn3qP1y9p39guVMMDoIT_xXuvLbx2amIks2VoqA6hNbcL6C3KP-vQfRU-ZFaIk8zWOlsJSFlUubArkSwnXc7osuHYKtPhUf/s1600/boot-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisEFymIz9SQre5tadVVWG98BnORez6zWunNifI6CVdoX-9cWn3qP1y9p39guVMMDoIT_xXuvLbx2amIks2VoqA6hNbcL6C3KP-vQfRU-ZFaIk8zWOlsJSFlUubArkSwnXc7osuHYKtPhUf/s1600/boot-3.png" /></a></div>
<br />
<br />
When we open the device from the Evidence tab, SecureDoc’s MBR Shadow volume is recognized by EnCase, and we are prompted to provide a SecureDoc Recovery Key and Password.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9OvhIk_jnE5kqbTesH6cTWrTKBONkFq2dOlJnYRwcHANOQLL641kxxJcx0SbZYz774OWvrss5y-0O6CN9xGBhn5LCEPr-2ECCXYPCmettVmoEEGnOwFcpEIftKh9KfvRNkHDs7VxbSECP/s1600/boot-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9OvhIk_jnE5kqbTesH6cTWrTKBONkFq2dOlJnYRwcHANOQLL641kxxJcx0SbZYz774OWvrss5y-0O6CN9xGBhn5LCEPr-2ECCXYPCmettVmoEEGnOwFcpEIftKh9KfvRNkHDs7VxbSECP/s1600/boot-4.png" /></a></div>
<br />
<br />
Once we enter the path to the recovery key and the password, the SED is unlocked by EnCase and the contents of the encrypted volume are presented to the investigator.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggOZrVgOdRT5Hl5xUKUgGHC7FIHcYEmvA9NsRpI0bNasThl8mI79yuS3rwnhB5UHLwLtPQpplxrYrus0om5lRCGwSDQgBR6rBpCNExfuUO8zjECoNjv04JK9J947LxbeHWhQmFauMTXtUt/s1600/boot-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggOZrVgOdRT5Hl5xUKUgGHC7FIHcYEmvA9NsRpI0bNasThl8mI79yuS3rwnhB5UHLwLtPQpplxrYrus0om5lRCGwSDQgBR6rBpCNExfuUO8zjECoNjv04JK9J947LxbeHWhQmFauMTXtUt/s1600/boot-5.png" /></a></div>
<br />
<br />
The volume’s file system is parsed just like any unencrypted volume and can be investigated just like any other drive. Decryption is taken care of transparently by the SED hardware. This unlocked state persists until the device is physically disconnected from the Examiner machine.
<br />
<br />
There is one more wrinkle to this technology: while the drive is unlocked in EnCase, the Windows OS still sees only the Shadow MBR!
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtmTouAX9qkorpCOMq2VnmDCxmXI1eond8Sx-HLQqrvCSF10ditoSyVb-trOdMW6wb9-QewJ3GDB07JvJnZ6ORwBm_35BL8TJ1ejzAbwDMETW5a99Bq7le-BxN9YVvVN4e8C73AO-jjhA9/s1600/boot-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtmTouAX9qkorpCOMq2VnmDCxmXI1eond8Sx-HLQqrvCSF10ditoSyVb-trOdMW6wb9-QewJ3GDB07JvJnZ6ORwBm_35BL8TJ1ejzAbwDMETW5a99Bq7le-BxN9YVvVN4e8C73AO-jjhA9/s1600/boot-6.png" /></a></div>
<br />
<br />
Since the OS can’t see the contents of the unlocked volume, it can’t touch or tamper with the contents of the actual data of interest. While not explicitly enabled via hardware bridge (i.e. <a href="https://www.guidancesoftware.com/products/Pages/tableau/products/forensic-bridges.aspx">Tableau Forensic Bridges</a>), the contents are effectively—and I will add, serendipitously—write-blocked.
<br />
<br />
While SEDs have been around for some time, they have only recently begun to attract more attention. It may be argued that the need for data privacy has never been greater, and the demand for SEDs across enterprises and individuals is strong. Guidance Software and WinMagic understand that a major part of data protection is not just preventing access, but also allowing authorized use. I’d love to hear your experiences working with SEDs, or your thoughts on where you see this technology headed for investigations. Please feel free to comment below, or reach me on <a href="https://twitter.com/kenm_encase">Twitter @kenm_encase</a>.
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-27831502891655492662014-08-04T09:25:00.002-07:002014-08-04T09:28:21.260-07:00Case Study: Chesterfield County Police Department<author>Cynthia Siemens</author>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu2mu4zvb387iDc8FMdx2FPpZnAGwNQPCpzJ4xM-yP7XCZQ9yCn_iL-QtkKtNW0rGY2ClvCtcvUCodFx_q-6WF4HXGmLrYnfog3kZm8D2wURkWrqbl9-7nHnAuWIXNsy9xRVnbux_zIWs0/s1600/chesterfield.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu2mu4zvb387iDc8FMdx2FPpZnAGwNQPCpzJ4xM-yP7XCZQ9yCn_iL-QtkKtNW0rGY2ClvCtcvUCodFx_q-6WF4HXGmLrYnfog3kZm8D2wURkWrqbl9-7nHnAuWIXNsy9xRVnbux_zIWs0/s320/chesterfield.jpg" /></a></div>
<h3><b>Profile</b></h3>
<br />
Many digital investigators in law enforcement work for multiple teams and agencies. Keith Vincent is no exception. In his current role in the Economic Crimes Unit of the Chesterfield County Police Department, his title is Detective. In his earlier work as a deputized U.S. Marshal for the Federal Bureau of Investigation’s Child Exploitation Task Force, he was the Task Force Officer, and in his work with Internet Crimes Against Children (ICAC), he served as ICAC representative for his agency.
<br />
<a name='more'></a>
<br />
Not long ago ICAC completed Operation “Spring Clean” in the Richmond, Virginia area, which involved 17 search warrants and resulted in six arrests for the sexual exploitation of children committed via the internet and facilitated through the use of technology. “Most of the cases went federal,” Vincent said, “and the smaller ones were prosecuted at the state level by the attorney general’s office.” To support these operations as well as to investigate other criminal acts in Chesterfield, Virginia, Vincent has always needed to use state-of-the-art digital investigations tools.
<br />
<br />
<h3><b>Background</b></h3>
<br />
Until recently, Vincent was a member of the Chesterfield County Police Department’s Special Victims Unit (SVU), which was historically tasked with the investigation of child sexual abuse, physical abuse, and neglect cases. “Now the SVU’s scope has expanded and they investigate all sex offenses, regardless of the age of the victim, as well as physical abuse and neglect,” Vincent said. In his current role with the Economic Crimes Unit, he primarily concentrates on computer forensics investigations, as well as proactive online investigations.
<br />
<br />
<h3><b>Challenges</b></h3>
<br />
As with many law-enforcement investigative teams, caseloads are constantly rising, yet budgets do not inflate at the same rate, if at all. The Chesterfield County Police Department had been using a free forensics tool prior to the time that Vincent joined the team. “We were looking for something to replace it and had some grant money through another division. I ran across EnCase by talking with some FBI guys and others, asking what they use.” Vincent’s team bought EnCase Forensic as well as an Annual Training Passport, “and they sent me up to Washington DC for training.”
<br />
<br />
<h3><b>Solution and Results</b></h3>
<br />
One of the features that helps keep Vincent productive is the gallery view. He said, “I call the gallery view in EnCase Forensic ‘the home plate,’ and it helps me work a lot faster. I like the fact that I can green-check or home-plate a particular part of the file tree and then go over to the gallery view and see all the images at once. One of the first things I do regardless of the case is jump right into the gallery view in the user’s profile to see which JPEGs happen to be there.”
<br />
<br />
While working with the SVU, Vincent was given an arson case—a rare type of case for him—to investigate. “The fire marshal and one of the arson investigators handed me the laptop and gave me some background on what they were looking for. The suspect was allegedly setting fire to abandoned properties. He set fire to several abandoned homes, some with homeless people living in them, but fortunately they weren’t harmed. After setting a fire, the suspect hid out of sight and took photographs of the firefighters fighting the fire.” Vincent asked the fire marshal and arson investigator what type of potential evidence they needed, and they asked for anything that could tie the suspect to the scene of the fire. He reported, “We’re looking for any documents, we’re looking for e-mails, internet history, etc. So I found his profile and looked into his user data. I home-plated everything and started looking at his temporary internet files. I did several keyword searches, including using the name of the city, ‘Chesterfield,’ as one of the keyword searches, and I got 30,000 hits.”
<br />
<br />
In the text strings where “Chesterfield” appeared, Vincent found that the vast majority involved the Chesterfield Fire Department. When he searched on “fire department,” he found 3,500 instances that led to online stories of arson investigations across the country. “He looked at wildfires out west, and had a keen interest in arson investigations in Chicago,” he said. “And I found 900 instances of the word ‘arson.’ Some of the text strings I found were Google searches on ways to avoid being caught for arson. He actually searched in the Virginia code book on the laws about and punishment for arson. He even logged into and was a member of some prison chat forums that seem to be run by former prison inmates. He was Googling defense attorneys, what the uniforms were like in certain jails. He was very detailed in his research.”
<br />
<br />
Vincent took the potential evidence to the investigator and the fire marshal and said, “I think you’ve got to sit down with his attorney.” The suspect’s attorney then met with the prosecuting attorney, and, Vincent said, “the defense attorney looked at the evidence and said, ‘We’re pleading guilty to everything.’”
<br />
<br />
Armed with thorough and useful results from his use of EnCase Forensic and leveraging his “very good experiences with training” covered by his Annual Training Passport, Vincent considers the Chesterfield County Police Department well-equipped to efficiently investigate every case their agency and partner agencies hand over to them, and to help those agencies uncover criminal activity and bring the perpetrators to justice.
<br />
<br /> Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-42544534453319938302014-08-04T09:08:00.000-07:002014-08-04T09:08:35.246-07:00Poweliks: Persistent Malware Living Only in the Registry? Impossible!<author>James Habben</author>
<br />
<br />
The ultimate desire for malware authors is to be able to have their code run every time a computer starts, and leave no trace on the disk for us to find. Let me reassure you that it hasn’t happened just yet, at least not that I have seen. There have been plenty of examples over the years that have taken advantage of some clever techniques that disguise their disk-based homes, but that’s just it–disguise!
<br />
<br />
A couple of recent posts on “Poweliks” <a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3377">here</a> and <a href="https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html">here</a> shed light on creative measures attackers use to store malware in the Windows Registry. In short, there is a registry value that executes an encoded script stored in another registry value, which then drops a file on disk for execution.
<br />
<a name='more'></a>
<br />
Now the reason for this post: What to do? This persistence mechanism provides us with a practical challenge to sharpen our tools and skills. I’ll show how to use EnCase and EnScript to scour a machine for artifacts such as those left by our friend above. The implementation details will differ from tool to tool, but the basic investigative method should hold.
<br />
<br />
You may be thinking about RegistryClass from the EnScript API, and in that case you would be on the right track. This class is a generally underutilized part of the EnScript API: I know this because our customers on <a href="http://www.forensicfocus.com/Forums/viewtopic/p=6573233/">ForensicFocus forums</a> were asking about RegistryClass fairly recently.
<br />
<br />
<h3><b>Diving Deep with MountVolume</b></h3>
<br />
Catch your breath, let’s dive deep. The RegistryClass is designed as a precision tool to carve out keys and values from specific locations. In this case, we’re taking a broader sweep because there have been several variants already that have used different locations for autostart functions. We’ll access the raw internal entries of the Registry through the EntryClass::MountVolume() method. This is the EnScript equivalent to the EnCase right-click > Entries > View File Structure tool.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhipJjiQy67FMGiFppGjqNtJkLMZJzSwoCR8A5cFzThLE6-8nw-H6MQs12hflW7YqgIfG5dMvNrTDMz3m1BIusmaxAnAYPdL_D61HvakSP3LpNfVo3tj5XEo-nlDOFjaR4R1BpNWJCJW0c/s1600/image-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhipJjiQy67FMGiFppGjqNtJkLMZJzSwoCR8A5cFzThLE6-8nw-H6MQs12hflW7YqgIfG5dMvNrTDMz3m1BIusmaxAnAYPdL_D61HvakSP3LpNfVo3tj5XEo-nlDOFjaR4R1BpNWJCJW0c/s1600/image-1.png" /></a></div>
<br />
<br />
The options listed also have further documentation provided at the top of that EntryClass page:
<br />
<br />
<i>These flags determine how entries are created from mounted volumes.<br />
PERSIST - entries from the mounted volume will not be destroyed when the variables go out of scope. The entries will stay in memory until the case they are linked to is destroyed.<br />
CALCUNALLOC - calculate unallocated space inside the mounted volume.<br />
SCANDELETED - When mounting compound volumes, this flag will tell EnCase to search for deleted entries inside the compound volume.<br />
MOUNTNOPOPUP - prevents popups when a volume or file type is parsed which would cause a password dialog or other dialog to come up.<br />
RESOLVEPATHS - This option is only relevant for the Vista thumbs.db file. This file does not contain paths or names of any sort, just a hash that relates back to the path. Using this option will get the path back.<br />
FORCEKNOWN - When mounting, only known compound or encrypted files will be parsed. If EnCase encounters part of a compound file it isn't sure how to parse, it will exit and not mount the whole volume.</i>
<br />
<br />
The return value coming from MountVolume() is a VolumeClass object which inherits from EntryClass. That allows us to treat a volume like an entry and loop through its children. The two relevant lines of code are inside the blue squares here:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtEW7YUZ5SnH_KLNcwpya4-H2Dq9zw7hwmKn2JUq5warm6zViLxV6mOKwaMC6n4hErdY95PEDWKToQdlDPjn6lxK5PcW2kzBSiSExxXH0ykAN3dWy1asdRJZ9cY4mc_f3l0wdUlV669BM/s1600/image-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtEW7YUZ5SnH_KLNcwpya4-H2Dq9zw7hwmKn2JUq5warm6zViLxV6mOKwaMC6n4hErdY95PEDWKToQdlDPjn6lxK5PcW2kzBSiSExxXH0ykAN3dWy1asdRJZ9cY4mc_f3l0wdUlV669BM/s1600/image-2.png" /></a></div>
<br />
<br />
<h3><b>Artifact Check</b></h3>
<br />
Let’s go for a quick review of the artifacts discovered so far.
<br />
<br />
<b>EP_X0FF</b> discovered a key name with a null character in it:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwDIGoqEt32LIG5UZhk9891n5LtTgJ3FCuZ89dRr6Uk8LKivuk6pk4wsHMl9J52B3EycMlX50ngRQnb2_pfI4nZkP9BD2mIV1VpU3VHsGwnNHrKXq7HFx-10Ooum4BAGvYCIHWzA1d_pI/s1600/image-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwDIGoqEt32LIG5UZhk9891n5LtTgJ3FCuZ89dRr6Uk8LKivuk6pk4wsHMl9J52B3EycMlX50ngRQnb2_pfI4nZkP9BD2mIV1VpU3VHsGwnNHrKXq7HFx-10Ooum4BAGvYCIHWzA1d_pI/s1600/image-3.png" /></a></div>
<br />
<br />
Paul Rascagnères of <a href="https://blog.gdatasoftware.com/blog.html">GData</a> observed a key name with an invalid character in it:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjggB1lIpZ7yjZMzGu7Xqni8NpQqYzR3xQ15UhnOekTdKnWw5Ywy8AdWtOfXzOA2y8Bw-QFGWe9jaCHeYO0nqTpg2jPTfSlYwfk4IHUKoJ_TAf28uDyJCagOnAVwgwywfoY-cuiso6sga0/s1600/image-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjggB1lIpZ7yjZMzGu7Xqni8NpQqYzR3xQ15UhnOekTdKnWw5Ywy8AdWtOfXzOA2y8Bw-QFGWe9jaCHeYO0nqTpg2jPTfSlYwfk4IHUKoJ_TAf28uDyJCagOnAVwgwywfoY-cuiso6sga0/s1600/image-4.png" /></a></div>
<br />
<br />
and found that the code inside that key’s default value was a little different:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtuHsysWxaoI4TwSFJL_dHZlcGfwPqXqsaI94PVV0rOapp-lcC1IkfJ7WbI2H8r4C6ZlbHo2wGxJZi3rkqgQBMPJpJNnaicvSjoI8eeAKQj_19irIxMTF1-qQisqIZnzhAEvJdaExQmWg/s1600/image-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtuHsysWxaoI4TwSFJL_dHZlcGfwPqXqsaI94PVV0rOapp-lcC1IkfJ7WbI2H8r4C6ZlbHo2wGxJZi3rkqgQBMPJpJNnaicvSjoI8eeAKQj_19irIxMTF1-qQisqIZnzhAEvJdaExQmWg/s1600/image-5.png" /></a></div>
<br />
<br />
Then, <b>B-boy/StyLe/</b>, <b>aharonov</b>, and <b>Picasso</b> found a new variant that moved locations and has different code again:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCrmw6AsIIoRO8DWqeXWnAC5Wco3136VnhcRdJAoHAKP3ZDDUvl7EpD95eM4MbHXNA2CzOnnGiNxPk5hQxTljuAxyvFx1iV_My7Fnd0qSYBRvi9SsxbAMG8qcBJwhb1BIxGIUNYY8w4jo/s1600/image-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;">
<img style="width: 90% !important; height: auto !important;" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCrmw6AsIIoRO8DWqeXWnAC5Wco3136VnhcRdJAoHAKP3ZDDUvl7EpD95eM4MbHXNA2CzOnnGiNxPk5hQxTljuAxyvFx1iV_My7Fnd0qSYBRvi9SsxbAMG8qcBJwhb1BIxGIUNYY8w4jo/s1600/image-6.png" /></a></div>
<br />
<br />
My first reaction was to look for key names containing non-ASCII characters, but the later variant didn’t use any of those characters, so a name-based check alone would miss it. Instead, our EnScript will focus on keywords inside the code that have been consistent across the samples so far. Those are:
<br />
<ul class="list"><li>Rundll32.exe</li>
<li>Javascript:</li>
<li>RunHTMLApplication</li></ul>
It started off in the HKCU area, which would be easy enough to handle and be fairly speedy as well. Then they decided to go into the seemingly bottomless pit known as the SOFTWARE hive (hive… hive… hive…). No problem for the EnScript code, but it means that we’ll stare at it a bit longer while it works through.
<br />
<br />
Here’s the rundown of the procedure in EnScript:
<ol><li>Iterate through the files in evidence and determine which are reg hives</li>
<li>Use the MountVolume() to have EnCase parse the internals</li>
<li>Iterate through all the values of each hive and filter out values that are too small</li>
<li>Do a keyword search in the data of values</li>
<li>Verify that all three keywords have hits in the data</li>
<li>Note the find in the console</li></ol>
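<br />
The same procedure carried through in Python, as an added example (it is not the EnScript in the downloadable sample, nor the author’s code). It does not parse REGF hives itself: it takes values already enumerated by a hive parser (MountVolume() in EnCase, or any other) and applies steps 3 to 6, plus a check for the NUL or otherwise non-printable characters in key names that EP_X0FF and Paul Rascagnères observed. The loader text, the 64-byte size threshold, the placeholder CLSID and every sample value below are constructed for the example, not taken from a real Poweliks infection.

```python
"""Offline triage of registry values for Poweliks-style autostart artifacts.

Added example (not the EnScript from this post): a Python counterpart of the
six-step procedure above. It does not parse REGF hives itself; it expects
values already enumerated by a hive parser (EnCase's MountVolume(), or any
other) in the shape of RegValue below. The sample values at the bottom are
constructed stand-ins for the real Poweliks entries.
"""
from dataclasses import dataclass

# Keywords this post identifies as consistent across the Poweliks samples,
# compared case-insensitively.
KEYWORDS = ("rundll32.exe", "javascript:", "runhtmlapplication")

# Step 3: values shorter than this are skipped before any search. The
# threshold is an assumption; a value that holds all three keywords plus
# separators is necessarily longer than this.
MIN_DATA_SIZE = 64


@dataclass
class RegValue:
    hive: str       # hive file the value came from, e.g. "NTUSER.DAT"
    key_path: str   # key path inside the hive, backslash separated
    name: str       # value name; "" stands for the (Default) value
    data: bytes     # raw value data as stored in the hive


def text_renderings(data):
    """Lowercase renderings of raw data: Latin-1 (never fails, keeps every
    byte) and, when the bytes form valid UTF-16LE, the REG_SZ reading too.
    NULs are kept, which is why the UTF-16LE reading is tried as well: in
    the Latin-1 reading, REG_SZ text is NUL-interleaved and does not match."""
    renderings = [data.decode("latin-1").lower()]
    try:
        renderings.append(data.decode("utf-16-le").lower())
    except UnicodeDecodeError:
        pass
    return renderings


def all_keywords_present(text):
    """Step 5: every keyword must appear, not just one of them."""
    return all(kw in text for kw in KEYWORDS)


def suspicious_name(name):
    """Names holding a NUL or other non-printable character, the regedit-
    hiding trick EP_X0FF and Paul Rascagnères observed in the key names."""
    return any(not ch.isprintable() for ch in name)


def scan_values(values):
    """Steps 3 to 6 over an iterable of RegValue; returns one finding per
    flagged value, each listing the reasons it was flagged."""
    findings = []
    for v in values:
        reasons = []
        key_name = v.key_path.rsplit("\\", 1)[-1]
        if suspicious_name(key_name) or suspicious_name(v.name):
            reasons.append("non-printable character in key or value name")
        if len(v.data) >= MIN_DATA_SIZE and any(
                all_keywords_present(t) for t in text_renderings(v.data)):
            reasons.append("rundll32/javascript:/RunHTMLApplication loader")
        if reasons:
            findings.append({"hive": v.hive, "key": v.key_path,
                             "value": v.name, "reasons": reasons})
    return findings


# Constructed loader text modelled on the public descriptions of Poweliks;
# the registry path it reads from is a placeholder, not the real one.
LOADER = ('rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
          'eval(new ActiveXObject("WScript.Shell")'
          '.RegRead("HKCU\\\\Software\\\\Example\\\\payload"))')

SAMPLE_VALUES = [
    # Run value whose name starts with a NUL, data stored as REG_SZ (UTF-16LE)
    RegValue("NTUSER.DAT", "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
             "\x00a", LOADER.encode("utf-16-le")),
    # Later-variant style: default value of a CLSID key in SOFTWARE, stored
    # as a raw ASCII blob (placeholder GUID, not a real CLSID)
    RegValue("SOFTWARE", "Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}"
             "\\LocalServer32", "", LOADER.encode("latin-1")),
    # Benign autostart entry (constructed)
    RegValue("NTUSER.DAT", "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
             "ExampleUpdater",
             '"C:\\Program Files\\Example\\updater.exe" /background'
             .encode("utf-16-le")),
    # Legitimate rundll32 use: one keyword only, must not be flagged
    RegValue("SOFTWARE", "Microsoft\\Windows\\CurrentVersion\\Run", "Control",
             "rundll32.exe shell32.dll,Control_RunDLL".encode("utf-16-le")),
]

if __name__ == "__main__":
    for f in scan_values(SAMPLE_VALUES):
        print(f["hive"], f["key"], repr(f["value"]), "; ".join(f["reasons"]))
```

Run it as a script and the two constructed malicious values are reported, the benign Run entry and the lone rundll32.exe control-panel command are not. Requiring all three keywords is what keeps the ordinary rundll32.exe usage out of the results; the name check is kept as a separate reason so a variant that drops the NUL trick is still caught by its code.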
<h3><b>Downloadable Code Sample</b></h3>
<br />
I’ve written sample code to illustrate one way of going about searching for this type of artifact on a disk. The sample code may be executed against an evidence file, a live preview of a local disk, or a remote disk via servlet.
<br />
<br />
In an effort to keep your EnCase machines clean of malware, I’ve created a .REG import file that has the characteristics of the malware discussed above, but none of the harmful effects. This way you can merge this file on a machine and run the EnScript to test. I would still suggest deleting the key when you are done testing, anyway.
<br />
<br />
You can download a ZIP archive containing the EnScript source code and the sample .REG file <a href="http://download.guidancesoftware.com/2PFYKK+zabzTHJZg9+UmYCXbXk7LTyLp9v/jFqOvrMwdxp1IiPkmQn2QzbN3QBZ5wJk79cEYNQmhfjJERuVL0w%3D%3D">here</a>.
<br />
<br />
As an aside, if you uncomment line 21 and comment line 20, the EnScript will run faster, but it will require you to find the registry hives manually and blue-check them.
<br />
<br />
If you’re interested, I’ve considered extending this into an EnCase Enterprise-enabled based EnScript that would allow the examiner to punch in a range of IP addresses to do this same scan. Let me know if you’d find this valuable in the comments below. Or, maybe I can show you how to do it at the next <a href="https://www.guidancesoftware.com/training/Pages/courses/classroom/EnCase%C2%AE-EnScript%C2%AE-Programming.aspx">EnScript course</a>.
<br />
<br />
Hashes of related malware for reference courtesy of GData (if you are feeling adventurous):
<br />
<br />
74e0d21fe9edf7baf489e29697fff8bc4a6af811e6fe3027842fe96f6a00a2d9<br />
88bc64e5717a856b01a04684c7e69114d309d52a885de9fc759e5a99ac20afd5<br />
4727b7ea70d0fc00f96a28de7fa3d97fa9d0b253bd63ae54fbbf0bd0c8b766bb<br />
e8d6943742663401e5c44a5fa9cfdd8fad6a9a0dc0f886dc77c065a86c0e10aa<br />
<br />
Happy hunting!
<br />
<br />
James Habben
@JamesHabben
<br />
<br />
James is a Master Instructor with Guidance Software, Inc. and instructs digital investigators, incident responders and malware researchers alike as part of the <a href="https://www.guidancesoftware.com/training/Pages/Training-Overview.aspx?cmpid=nav">Guidance Software Training team</a>. James applies knowledge from his background in corporate investigations to his instruction and while he is not teaching <a href="https://www.guidancesoftware.com/training/Pages/courses/classroom/EnCase%C2%AE-EnScript%C2%AE-Programming.aspx">EnScript Programming</a>, <a href="https://www.guidancesoftware.com/training/Pages/courses/classroom/EnCase-V7-Computer-Forensics-I.aspx">Computer Forensics</a>, or <a href="https://www.guidancesoftware.com/training/Pages/courses/classroom/Host-Intrusion-Methodology-and-Investigation.aspx">Host Intrusion Investigation Methodology</a>, he enjoys his current duties as a Reserve Probation Officer.
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-5183054460497638362014-07-17T16:55:00.003-07:002014-07-17T16:55:53.040-07:00Tableau TD3 Forensic Imaging System: Raising the Bar Since 2012<author>Robert Bond</author>
<br />
<br />
When Guidance Software originally released the <a href="https://www.guidancesoftware.com/products/Pages/tableau/products/forensic-duplicators/td3.aspx">Tableau TD3 forensic imaging system</a> back in 2012, it was revolutionary. Forensic investigators had asked for and eagerly awaited innovations like the color touchscreen user interface, modular architecture, network imaging, and remote triage capabilities. The TD3 also supported write-blocked imaging of SATA, IDE, SAS, FireWire, USB 3.0, and iSCSI (network) storage devices. In 2013, Forensic 4Cast voters named it the Forensic Hardware Tool of the Year. Since its launch, the TD3 development team has relentlessly focused on adding new features, capabilities and options that help investigators get more work done faster, with more options. So if the last time you looked at TD3 was back in 2012, it may be time to take another look.
<br />
<a name='more'></a>
<br />
<b>Add New Features Easily with the Tableau Firmware Update (TFU)</b>
<br />
<br />
Adding new features to TD3 using the Tableau Firmware Update (TFU) utility is fast and easy. Even better: it’s free. Investigators receive all Tableau feature enhancements through firmware updates at no cost.
<br />
<br />
<b>TD3 Speaks Your Language, Supports exFAT, and Offers 1:2 “Twinning”</b>
<br />
<br />
Since launch we’ve added support for exFAT-formatted evidence drives, a cross-platform disk format supported by Windows, MacOS and Linux that also handles drives larger than 2TB. At the request of our Japanese customers, we added disk-to-disk ‘clipping’ support, which sets a DCO on the destination drive so that the evidence drive exactly matches the sector count of the suspect system’s drive; this makes imaging game box drives easy. Support for imaging to or from iSCSI network shares enhanced TD3’s network forensics capabilities, and using a workstation connected to TD3 over the network, you can preview as well as collect files and folders from suspect drives. We also added support for the new EnCase v7 .ex01 evidence file format.
<br />
<br />
Earlier in 2014, we added support for 1:2 duplication (“twinning”) using two TDS2 SATA drive enclosures. We’ve also added the ability to restore a DCO on a source (suspect) drive, after the TD3 completes its imaging process.
<br />
<br />
For our international customers, probably the best new trick we’ve taught TD3 is the ability to speak in their language. As of Q2 2014, TD3’s UI supports Spanish, Portuguese, German, Russian and simplified Chinese languages. Since launch, TD3 has been continuously improved with new drive information, S.M.A.R.T. drive data, new media support, and many, many other new features too numerous to mention. (We even added sound effects, so you can tell when TD3 has finished an operation, from across the room.)
<br />
<br />
<b>New Expansion Modules and Storage Options Make TD3 an Even Better Choice</b>
<br />
<br />
Earlier this year, two new expansion modules were released for TD3. The TDPX8-RW USB 3.0 Output Module gives the user a new way to output TD3 evidence files: SuperSpeed USB 3.0. This module is now included with every new TD3 kit at no additional charge. Where evidence must be stored encrypted, the TDPX8-RW lets you write to keypad-authenticated, AES-encrypted USB 3.0 storage devices from TD3. The TDPX8-RW can also be used with the new TDS2 drive enclosure, also now bundled with TD3. The locking handle on TDS2 enables easy drive replacement while also securing the 3.5” SATA hard drive within the enclosure. No cables are needed, as the SATA power and signal connections are made directly between the TD3 and TDS2, as part of TD3’s modular architecture.
<br />
<br />
Also introduced this year for TD3 is the new TDPXE Dual-port Gigabit Ethernet expansion module. TDPXE offers the flexibility and increased performance afforded by two additional network connections. TDPXE also supports the use of “jumbo frames,” potentially doubling the network performance of TD3.
<br />
<br />
<b>Operate TD3 Remotely with New Web Interface</b>
<br />
<br />
Showcased at CEIC 2014, the new TD3 web UI lets you connect to, manage, and operate a TD3 remotely. Just connect your browser to a networked TD3 and go! Scheduled for public release in August 2014, the new WebUI will allow remote operation and management of one or many TD3s deployed at remote locations, from a headquarters lab located anywhere in the world.
<br />
<br />
Want to know more about TD3, and what it can do for your digital investigations? Take a look at <a href="https://www.guidancesoftware.com/products/Pages/tableau/products/forensic-duplicators/td3.aspx">https://www.guidancesoftware.com/products/Pages/tableau/products/forensic-duplicators/td3.aspx</a>
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-41270301935941623952014-06-27T16:42:00.000-07:002014-06-27T16:48:12.172-07:00So many artifacts, so little time… Summer edition<author>Ken Mizota</author>
<br />
<br />
EnCase is an extensible digital investigation platform. Simply put, <a href="http://encase-forensic-blog.guidancesoftware.com/2013/08/how-does-integration-help-you-as.html">extensibility reduces time and effort</a> for the investigator. One way to validate this claim for yourself is to take a look at the depth and breadth of the ways EnCase can work with existing tools in your kit. For example: Do you already own Magnet Forensic's IEF? IEF and EnCase <a href="http://encase-forensic-blog.guidancesoftware.com/2014/04/3-ways-to-make-ief-and-encase-work.html">work together</a> to reduce work for investigators. Have you considered how to integrate threat intelligence into your DFIR regimen? EnCase and Cisco Security (formerly ThreatGRID) <a href="https://www.guidancesoftware.com/resources/Pages/webinars/Threat-Intelligence-for-EnCase.aspx">collaborate to reduce IR time and effort</a>. Let’s walk through a few ways extensibility works in your favor.
<br />
<a name='more'></a>
<br />
Another way is to look at adaptability. Your kit is tailored to you, your skillset and your routine. Can you bend your tools to serve your will when needed? EnScript technology plays well with COM and, more recently, <a href="http://encase-forensic-blog.guidancesoftware.com/2014/06/working-with-enscript-and-netc.html">.NET/C#</a> to reduce the effort to make your bespoke tools work together. It has been used in casework for more than a decade and is constantly evolving. Guidance Software offers the de facto course on <a href="https://www.guidancesoftware.com/training/Pages/courses/classroom/EnCase%C2%AE-EnScript%C2%AE-Programming.aspx">EnScript</a>, and through the <a href="https://www1.guidancesoftware.com/enCaseDeveloperApp.aspx?id=1000019663">EnCase App Central Developer Network</a>, provides no-cost developer licenses and support.
<br />
<br />
This brings us to the raison d'être for this post. One of the best ways to realize the benefits of an extensible digital investigation platform is to try out some of the library of apps available. In previous posts, <a href="http://encase-forensic-blog.guidancesoftware.com/2014/04/so-much-evidence-so-many-artifacts-so.html">part 1</a> and <a href="http://encase-forensic-blog.guidancesoftware.com/2014/04/so-much-evidence-so-many-artifacts-so_9.html">part 2</a>, I highlighted some apps that can help <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010112WS">search your case</a>, perform <a href="http://encase-forensic-blog.guidancesoftware.com/2014/03/brand-new-improved-volatility-reporting.html">volatile memory analysis</a>, and even <a href="http://encase-forensic-blog.guidancesoftware.com/2013/07/c-tak-by-wetstone.html">detect steganography and anti-forensics</a>.
<br />
<br />
Here are the latest additions, courtesy of ever-vigilant EnCase App Central Developers:
<br />
<br />
<a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010126WS">ThreatGRID Malware Analysis and Intelligence for EnCase</a>: Right-click to lookup suspicious hashes within ThreatGRID or submit samples for sandboxing and analysis. Check out this <a href="https://www.guidancesoftware.com/resources/Pages/webinars/Threat-Intelligence-for-EnCase.aspx">webinar</a> to learn how to use this app, and for more about ThreatGRID.
<br />
<br />
ShimCache Parser: Isaac Lee exposes this handy Windows artifact to help identify whether an executable has actually been run (bearing in mind that, depending on the Windows version, a ShimCache entry may only show that the file was present at that path, not that it executed).
<br />
<br />
<a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010131WS">C-TAK Trial</a>: Our friends at WetStone Technologies now offer a free 30-day, fully functional trial of C-TAK, for detection of trojans, steganography, anti-forensics tools and more. C-TAK is built on the same technology as WetStone's <a href="https://www.wetstonetech.com/product/gargoyle-investigator/">Gargoyle Investigator</a> trusted in the field for years.
<br />
<br />
<a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010081WS">VirusShare.com Hash Library</a>: John Lukach brings an EnCase hash library containing 129 torrents from the VirusShare.com repository of malicious code samples to use as you will in your next case.
<br />
<br />
<a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010125WS">Binary Plist Finder</a>: A new addition from Simon Key, this app is intended to search for OS X binary property lists in unallocated space.
<br />
<br />
<a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010130WS">E-mail Address Finder</a>: Ryan Jay Ollerenshaw's latest app bookmarks email addresses and counts their occurrences. Simple and on point.
<br />
<br />
<a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010124WS">FileProperties</a>: Annette Franchi's latest solution helps reduce the effort of copying and pasting file properties. This simple operation is built to make getting information into an externally built report more efficient.
<br />
<br />
<a href="https://www.guidancesoftware.com/appcentral/pages/searchresults.aspx?k=image%20analyzer">Image Analyzer 1-year and 3-year licenses</a>: Image Analyzer now offers sophisticated pornographic image detection in multiple, reasonably priced options. In addition to the <a href="https://www.guidancesoftware.com/appcentral/pages/searchresults.aspx?k=image%20analyzer">free trial</a>, Image Analyzer now offers <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010128WS">1 year</a> and <a href="https://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010129WS">3 year</a> licenses.
<br />
<br />
Thanks to all the EnCase App Central Developers who bring these solutions to light. What apps are you looking for? Would you like to learn how to tailor your use of EnCase? Please let us know in the comments, or reach out on Twitter <a href="https://twitter.com/kenm_encase">@kenm_encase</a>.
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2168991119686460578.post-31155649201044773852014-06-13T10:16:00.002-07:002014-06-13T11:45:02.110-07:00Working with EnScript and .NET/C#<authro>Ken Mizota</authro>
<br />
<br />
The ability to manipulate and interpret data structures within evidence has long been a strength of EnCase. EnScript—a core EnCase technology—has enabled investigators and incident responders to be efficient, automating the most sophisticated or mind-numbingly rote techniques. For instance, take Simon Key's (<a href="https://twitter.com/SimonDCKey">@SimonDCKey</a>) recent <a href="http://encase-forensic-blog.guidancesoftware.com/2014/05/examination-of-mac-os-x-quick-look.html">post on the OS X Quick Look Thumbnail Cache</a>: the ability to mine, extract and work with critical data for your case is available now. This app, courtesy of <a href="https://www.guidancesoftware.com/training/Pages/training-overview.aspx">Guidance Software Training</a>, just happens to be free, enabling the DFIR community to take advantage. If you need to keep pace with the perpetually accelerating gap between data and the investigator’s ability to understand that data, having extensible, flexible tools in your kit is not optional.
<br />
<a name='more'></a><br />
In this post, we'll talk about some of the benefits of using EnScript in your investigations while leveraging your expertise and existing code in C#/.NET. If you missed Hector Carmona's <a href="https://www.guidancesoftware.com/ceic/Pages/ceic-agenda-table.aspx#agenda_73">CEIC 2014</a> lab session "Extending EnCase: Beyond EnScript," please read on!
<br />
<br />
<b>Why go beyond?</b>
<br />
<br />
First, let's talk about some of the reasons why EnScript is an excellent addition to the kit for many investigators:
<br />
<br />
<ul class="list">
<li>EnScript is built for investigations. EnScript automates and simplifies many activities in forensics, like iterating through entries, and filtering and searching through data. One would be hard pressed to build a set of libraries as robust as the EnScript API.</li>
<li>EnScript enables unparalleled direct access to forensic data and all of the derived facts and data within your case (e.g. tags, bookmarks, artifacts, records, etc.). There's no other API that allows comprehensive, yet structured access to raw forensic data and associated facts.</li>
</ul>
Of course, we can also point out some circumstances that present obstacles to the use of EnScript:
<br />
<br />
<ul class="list">
<li>You would like to leverage the logic and implementation of an existing library/source code that is not written in EnScript.</li>
<li>You are unfamiliar with EnScript and don't have time to invest in understanding the API. The EnCase IDE is no substitute for Visual Studio.</li>
</ul>
We get it. Talented investigators are a popular bunch. They're usually busy doing investigations. So, let's get on with it and show how we can address these cons with the latest updates to EnCase.
<br />
<br />
<b>EnCase and C#</b>
<br />
<br />
In EnCase 7.09, the EnScript API was enhanced so that C# developers can embed .NET assemblies in EnScript code, instantiate any .NET data type from EnScript, and stream binary data in both directions: from EnScript to C# and from C# back to EnScript.
<br />
<br />
That last paragraph is a mouthful, so I'll pause for a moment to let that marinate…
<br />
<br />
You can implement logic in C# and leverage that technology in EnScript. This is likely best explained with a set of basic examples. Here is a link to download <a href="http://download.guidancesoftware.com/bHe+HjkXBy4MPeX0c/VViTYSBgbhr5a4LhtO6D0m1LaRlArGJzjdL6pJa0j1e/aYJgT/QGOfZO8%3D">code samples</a> referenced below.
<br />
<br />
<b>SampleClass</b>
<br />
<br />
For illustration, SampleClass.cs is provided to define a class in C#. We're going to use SampleClass as the basis for a .NET assembly, which we will embed and interact with via EnScript. SampleClass does a few simple things:
<br />
<br />
It exposes a few members of type integer, string, date/time and GUID:
<br />
<pre> public int IntProperty { get; set; }
public string StringProperty { get; set; }
public DateTime DateTimeProperty { get; set; }
public Guid GUIDProperty { get; set; }
</pre>
It implements a method that writes the values of those members to a stream:
<br />
<pre>// Requires: using System.IO;
public void Print(Stream outStream)
{
    if (outStream.CanWrite)
    {
        // The StreamWriter is deliberately not disposed: disposing it would
        // close outStream, which belongs to the caller (the EnScript side).
        var outWriter = new StreamWriter(outStream);
        outWriter.WriteLine("Sample Class");
        outWriter.WriteLine(" IntProperty: {0}", IntProperty);
        outWriter.WriteLine(" StringProperty: {0}", StringProperty);
        outWriter.WriteLine(" DateTimeProperty: {0}", DateTimeProperty);
        outWriter.WriteLine(" GUIDProperty: {0}", GUIDProperty);
        outWriter.Flush();
    }
}
</pre>
<br />
...and it takes an input stream and returns a new stream containing only the even-numbered lines:
<br />
<pre>    // Returns a new stream holding only the even-numbered lines of the input.
    // The input stream is owned by the caller, so it is not disposed here.
    public Stream GetEvenLines(Stream input)
    {
        var output = new MemoryStream();
        var reader = new StreamReader(input);
        var writer = new StreamWriter(output);
        int count = 0;
        while (!reader.EndOfStream)
        {
            var line = reader.ReadLine();
            if (++count % 2 == 0)
            {
                writer.WriteLine(line);
            }
        }
        writer.Flush();
        // Rewind, or the caller starts reading at end-of-stream and gets nothing back.
        output.Position = 0;
        return output;
    }
}
</pre>
<br />
<b>C# in EnScript - Working with Files</b>
<br />
<br />
Once SampleClass has been compiled into a .NET assembly (e.g. CEIC.dll), it can be used from EnScript. The first step is to embed the assembly in the EnScript:
<br />
<pre>assembly embed "Include\CEIC.dll"
</pre>
The "embed" keyword places the DLL inside the EnPack itself, so the assembly doesn't have to be distributed separately from the EnPack code. The flip side is that an EnPack now carries arbitrary .NET code: treat an EnPack from an outside source with the same care you would give any other executable.
<br />
<br />
A file in EnScript can be wrapped in a DotNetStreamClass and passed to the embedded assembly, where C# works with it natively as a System.IO.Stream. Here a local file (the running script itself, located via SystemClass::ScriptPath()) is opened in EnScript and wrapped as a DotNetStreamClass:
<br />
<pre>  LocalFileClass file();
  // Open the running script itself as a convenient local text file.
  if (file.Open(SystemClass::ScriptPath(), FileClass::TEXTCRLF)) {
    CEIC::SampleClass sample();
    // Wrap the EnScript FileClass so .NET sees a System.IO.Stream.
    System::IO::Stream inputStream = new DotNetStreamClass(file);
</pre>
This stream may be passed into .NET… here we pass a file to our SampleClass to retrieve the even numbered lines.
<br />
<pre>    System::IO::Stream outputStream = sample.GetEvenLines(inputStream);
</pre>
<br />
The returned .NET stream must be wrapped in the other direction, as a DotNetFileClass, before EnScript can treat it as a FileClass:
<br />
<pre>FileClass outputFile = new DotNetFileClass(outputStream);
</pre>
<br />
The helper function PrintFile (part of the sample script, not shown here) simply outputs the contents of a file to the Console:
<br />
<pre>
PrintFile("Original", file);
PrintFile("Even Lines", outputFile);
</pre>
Note that a .NET stream should be explicitly disposed once it is no longer needed. If you don't, the memory it holds may not be released and the script can leak.
<br />
<pre>
inputStream.Dispose();
outputStream.Dispose();
</pre>
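<br />
The GetEvenLines example above is deliberately minimal: it buffers its whole result in memory and says nothing about who owns the streams. The class below is an added example, not code from the original post or from the downloadable samples, written the way I would for evidence-sized input: the input is read in fixed-size chunks and never disposed (the EnScript FileClass on the other side owns it), the returned stream is rewound before it is handed back, and the writer is flushed rather than disposed so the result stream stays open. It hashes a stream with SHA-256 and extracts printable-ASCII strings from it, two things investigators routinely want and that .NET already provides. The class name, method names and the CEIC namespace are my assumptions; I also assume EnScript surfaces public methods of an embedded class by name, exactly as it does for SampleClass above. The Main method exists only so the file compiles and runs stand-alone with csc; it is not needed inside EnCase.
<br />
<br />
```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace CEIC
{
    // Added example, not part of the original post. Names are illustrative.
    public class EvidenceStreamTools
    {
        // SHA-256 of the stream from its current position to the end.
        // ComputeHash(Stream) reads in fixed-size blocks, so memory use stays
        // flat however large the evidence is. The caller (EnScript) owns the
        // stream: it is neither rewound nor disposed here.
        public string ComputeSha256(Stream input)
        {
            if (input == null || !input.CanRead)
                throw new ArgumentException("A readable stream is required.", "input");
            using (var sha = SHA256.Create())
            {
                byte[] digest = sha.ComputeHash(input);
                return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
            }
        }

        // Emits every run of at least minLength printable-ASCII bytes as one line
        // of a new stream that the EnScript side can wrap in DotNetFileClass.
        public Stream ExtractStrings(Stream input, int minLength)
        {
            if (input == null || !input.CanRead)
                throw new ArgumentException("A readable stream is required.", "input");
            if (minLength < 1)
                throw new ArgumentOutOfRangeException("minLength");

            var output = new MemoryStream();
            var writer = new StreamWriter(output, new UTF8Encoding(false));
            var run = new StringBuilder();
            var buffer = new byte[64 * 1024];
            int read;
            while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
            {
                for (int i = 0; i < read; i++)
                {
                    byte b = buffer[i];
                    if (b >= 0x20 && b <= 0x7E)
                        run.Append((char)b);
                    else
                        EmitRun(run, minLength, writer);
                }
            }
            EmitRun(run, minLength, writer);   // a run may end exactly at EOF
            writer.Flush();                    // Flush, not Dispose: Dispose would close output
            output.Position = 0;               // rewind so the consumer reads from the start
            return output;
        }

        private static void EmitRun(StringBuilder run, int minLength, TextWriter writer)
        {
            if (run.Length >= minLength)
                writer.WriteLine(run.ToString());
            run.Length = 0;
        }
    }

    // Stand-alone check with constructed input; not needed inside EnCase.
    public static class Program
    {
        public static void Main()
        {
            // Constructed sample: three printable runs ("MZ", "evidence.txt", "ok")
            // separated by non-printable bytes. Only the middle run is 4+ bytes long.
            byte[] sample = Encoding.ASCII.GetBytes("MZ\u0000\u0001evidence.txt\u0002ok\u0000");
            var tools = new EvidenceStreamTools();
            using (var s = new MemoryStream(sample))
            {
                Console.WriteLine("sha256: " + tools.ComputeSha256(s));
                s.Position = 0;   // ComputeSha256 consumed the stream; rewind before reuse
                using (var reader = new StreamReader(tools.ExtractStrings(s, 4)))
                    Console.Write(reader.ReadToEnd());   // prints only "evidence.txt"
            }
        }
    }
}
```
<br />
From EnScript the call pattern is the one already shown for SampleClass: wrap the FileClass in a DotNetStreamClass, call ComputeSha256 or ExtractStrings on a CEIC::EvidenceStreamTools instance, wrap the returned stream in a DotNetFileClass, and Dispose both streams when finished. ExtractStrings still buffers its output in a MemoryStream; that output is bounded by the printable bytes in the input, but for very large evidence files you would write to a temporary FileStream instead and return that.
<br />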
<br />
<b>C# in EnScript - Working with Plain Old Data Types</b>
<br />
<br />
Now, let's say I don't want to pass files between EnScript and C#. Perhaps I'd like to access plain old data types, a.k.a. <a href="http://en.wikipedia.org/wiki/Plain_Old_Data_Structures">PODs</a>, directly within EnScript.
<br />
<br />
After instantiating SampleClass, I can set and read properties of the .NET class. Note how EnScript exposes a .NET property such as IntProperty: the setter becomes SetIntProperty() and the getter becomes IntProperty(). In this example, we simply set a few values and output them to the console:
<br />
<pre>  CEIC::SampleClass sample();
  // POD types: a .NET property Foo is exposed to EnScript as Foo() / SetFoo().
  sample.SetIntProperty(42);
  sample.SetStringProperty("This is a string that is being sent to .NET");
  int intVal = sample.IntProperty();
  String stringVal = sample.StringProperty();
  Console.WriteLine("POD Values");
  Console.WriteLine(" IntVal = {0}", intVal);
  Console.WriteLine(" StringVal = {0}", stringVal);
</pre>
<br />
We can also use standard .NET classes (like DateTime and GUID) within EnScript. The sample below shows the assignment operation for two members, and retrieval of the stored data, written to the console:
<br />
<pre>  // Standard .NET types can be created directly from EnScript.
  System::DateTime dateTime = System::DateTime::Now();
  System::Guid guid = System::Guid::NewGuid();
  sample.SetDateTimeProperty(dateTime);
  sample.SetGUIDProperty(guid);
  Console.WriteLine("SampleClass");
  Console.WriteLine(" IntProperty = {0}", sample.IntProperty());
  Console.WriteLine(" StringProperty = {0}", sample.StringProperty());
  Console.WriteLine(" DateTimeProperty = {0}", sample.DateTimeProperty().ToString());
  Console.WriteLine(" GUIDProperty = {0}", sample.GUIDProperty().ToString());
</pre>
<br />
<b>Maximum Benefits, Minimum Investment</b>
<br />
<br />
With this capability, you can spend your time on the logic itself, in the language you already know, and less time re-implementing it in EnScript. Armed with the concepts illustrated above, once forensic data is accessible to C# as a Stream, you can leverage not only your own algorithms and libraries built in C#, but also everything .NET provides out of the box (cryptography, compression, parsing, regular expressions and so on). More code is re-used and, perhaps most importantly, less has to be written and maintained by you.
<br />
<br />
<b>Want to be a Developer?</b>
<br />
<br />
Before closing, I’d like to point out some resources available if you would like to learn more:
<br />
<br />
<a href="https://www1.guidancesoftware.com/enCaseDeveloperApp.aspx?id=1000019663">Join the EnCase App Central Developer Network</a>: Get a free 1-year EnCase Forensic SDK and developer support.
<br />
<br />
Take an <a href="https://www.guidancesoftware.com/training/Pages/courses/classroom/EnCase%C2%AE-EnScript%C2%AE-Programming.aspx">EnScript course</a>. There's literally nothing that compares to the hands-on Guidance Software Training course, and I urge you to attend if at all possible. Better yet, sign up for an <a href="https://www.guidancesoftware.com/training/Pages/annual-training-passport.aspx?cmpid=nav">Annual Training Passport</a> and take a few other classes too. You'll be glad you did.
<br />
<br />
<b>Have ideas for C# and EnScript projects?</b> Would you have a use for other API level integrations to better leverage your existing code? Post your comments below or tweet us @EnCase or @kenm_encase.
<br />
<br />Unknownnoreply@blogger.com0