Showing posts with label Digital Investigations.

Feature Spotlight: Portable Triage

Ken Mizota

EnCase 7.10 now includes full EnCase Portable capabilities at no additional cost.

In this post, I’ll explain what this means to the investigator and show some practical tips on how to make use of your new-found ability. Acquire Live RAM? Detect encryption? Perform snapshot? Capture screenshots of running Windows? Learn more after the jump.

Poweliks: Persistent Malware Living Only in the Registry? Impossible!

James Habben

The ultimate desire for malware authors is to be able to have their code run every time a computer starts, and leave no trace on the disk for us to find. Let me reassure you that it hasn’t happened just yet, at least not that I have seen. There have been plenty of examples over the years that have taken advantage of some clever techniques that disguise their disk-based homes, but that’s just it–disguise!

A couple of recent posts on “Poweliks” here and here shed light on creative measures attackers use to store malware in the Windows Registry. In short, there is a registry value that executes an encoded script stored in another registry value, which then drops a file on disk for execution.

International Law Enforcement and the Importance of Forensics

Anthony Di Bello

Have you noticed? International law enforcement seems to be working together much more cohesively now than in years past. For instance, last week 25 alleged members of the hacker collective “Anonymous” were arrested within countries throughout Europe and South America, including Argentina, Chile, Colombia, and Spain.

SC Magazine Finalist Blog Entry - Forensic Incident Response to the Fore

Anthony Di Bello

I wrote a blog recently that was nominated as a finalist for the SC Magazine Awards. You can check out the original post here, or read below.

EnCase Enterprise 7: Smartphone Support

Anthony Di Bello

Guidance Software has provided support for mobile devices in a number of ways over the years. Our first incarnation of mobile support materialized in a big way in 2007 with EnCase Neutrino, a hardware and software product designed to enable the forensic acquisition of hundreds of then-current flip phones and smartphones in a manner compatible for correlation with EnCase case data. This product came in a jumbo-sized carry case and included a hardware mobile device write blocker, a patented signal-blocking Faraday bag, and dozens upon dozens of adapter cables for countless mobile devices.

As time marched on, the demand for flip phone capabilities diminished, and the use of smartphones became more and more pervasive both “on the street” and in use by corporate and government employees. As such, at the beginning of 2011 we began to focus exclusively on enhancing smartphone support to include things like iTunes and BlackBerry backup files, and deleted file recovery for Android, Windows Mobile and HP Palm OS. By the end of 2011, the number of smartphones in use in the United States overtook the use of traditional flip phones, validating our approach to the market.

Smartphones to overtake traditional cell phones, become the new 'standard'

Early in 2011 we announced our replacement product focused on smartphones, EnCase Smartphone Examiner. We’ve taken our leadership in the forensic market one step further by enhancing mobile device support to include tablets, as well as integrating the entire capability into the EnCase Enterprise remote investigation solution.

With EnCase Enterprise 7, smartphone and tablet support is included out of the box, supporting our commitment to enable our customers to acquire and analyze data from the broadest range of devices possible. To learn more about integrated smartphone and tablet support with EnCase Enterprise 7, check out this video:

2nd Generation EnCase Evidence File Technical Specification now Available

Guidance Software

Today Guidance Software announced the availability of the technical specifications for the 2nd generation EnCase® evidence file format. The updated format, Ex01, has been optimized for fast data access and memory usage, while maintaining the proven, trusted, and secure technology that has made the EnCase® file format the standard for securing digital evidence.

With this specification, solution providers can now update their offerings to support the new file format.

The 2nd generation file format supports the built-in encryption capabilities included in EnCase® Forensic Version 7, making the process of transporting and securing evidence much safer.

“We are happy to share the specifications for our new file format with the community”, said Steve Salinas, Sr. Product Marketing Manager for the Forensic Solutions at Guidance Software. “With the ever increasing backlogs forensic departments are faced with today, saving time during the investigation process is critical. By enabling others in the forensic community to incorporate this new format into their solutions, forensic examiners can spend more time completing casework and less time dealing with differing evidence file types.”

The specification document for this new format is available on the Guidance Software Customer Support Portal and in the Guidance Software Document Library.