Showing posts with label Integration. Show all posts
Showing posts with label Integration. Show all posts

EnCase and Python – Automating Windows Phone 8 Analysis

James Habben

Roll Call


You may have read my introductory post about using Python scripts with encase. You may have also read my part 2 follow-up, which put a GUI on top of Didier Stevens’ pdf-parser. Did you also read Kevin Breen’s post? He wrote about using EnScript to call out to David Kovar’s analyzemft script using EnScript. Then Chip wrote a post about sending data out to get parsed by parser-usnjrnl.

EnCase and Python – Part 2

James Habben

In Part 1 of this post, I shared a method that lets you use Python scripts by configuring a file viewer in EnCase. We used Didier Stevens’ pdf-parser as an example. I also showed how EnScript could be used to greater effect by allowing us to capture the output of pdf-parser directly in a bookmark without having to manually copy and paste. Both of these techniques reduce effort by leveraging capabilities of both EnCase and the Python language.

In this post, I’ll take the same principles and apply them into an EnScript that provides a little more flexibility and functionality. Our goal is to have a GUI that gives you control over the exact functionality you want from the pdf-parser tool.

EnCase and Python - Part 1

James Habben

As a co-author and instructor for Guidance Software’s EnScript Programming course, I spend a lot of time teaching investigators in person around the globe. Investigators are faced with a dizzying variety of challenges. We work together in class, coming up with solutions that send EnCase off to do our bidding. EnCase and EnScript allow us to “bottle” the result of our efforts to share with other investigators (e.g. categorizing internet history, detecting files hidden by rootkits).

Python is used similarly. The interweb hosts great tools written in Python to accomplish all measures of tasks facing DFIR examiners. The community benefits from the hours of work that go into each and every .py that gets baked. It seemed to me that there should be a way for EnCase and Python to work together, so I put together a brief tutorial.

Fear and Loathing in Internet History

James Habben

As a DFIR examiner, poring over internet history records is a well-loathed daily activity. We spend hours looking at these lists trying to find an interesting URL that moves our case one direction or another. Sometimes we can use a filtering mechanism to remove URLs that we know for certain are uninteresting, but keeping a list like this up to date is a manual task. I used Websense to assist with this type of work at my previous job, but I have also had brief experiences with Blue Coat. as well.

Working with EnScript and .NET/C#

Ken Mizota

The ability to manipulate and interpret data structures within evidence has long been a strength of EnCase. EnScript—a core EnCase technology—has enabled investigators and incident responders to be efficient, automating the most sophisticated or mind-numbingly rote techniques. For instance, take Simon Key's (@SimonDCKey) recent post on the OS X Quick Look Thumbnail Cache: the ability to mine, extract and work with critical data for your case is available now. This app, courtesy of Guidance Software Training, just happens to be free, enabling the DFIR community to take advantage. If you need to keep pace with the perpetually accelerating gap between data and the investigator’s ability to understand that data, having extensible, flexible tools in your kit is not optional.

So much evidence, so many artifacts, so little time…

Ken Mizota

I’ve recently taken to tweeting about some of the latest additions to EnCase App Central and it’s been a reminder of the impressive ingenuity and dedication within the digital investigations community. Our humble app store has grown to house over 100 solutions, extending and increasing the efficiency and efficacy of digital investigations. At Guidance Software, we take pride in shipping software that helps investigators find more evidence, faster and we see EnCase App Central as a key component of EnCase.

Brand New & Improved Volatility Reporting Plugin

Guidance Software

Over the past couple of years the Guidance Software EnCase consultants and trainers have provided advice and assistance concerning how to manage the digital artifacts from RAM or memory analysis when using Volatility as their tool of choice. The two blog posts below provide insight into the progress.

Working more efficiently with Internet Evidence Finder and EnCase Forensic

Jamie McQuaid
Forensics Consultant, Magnet Forensics

Forensic investigators understand that one of the biggest challenges to their cases is time management. As examiners, we would love to spend three months or more on a single case without any other distractions to ensure that every stone is overturned and every detail met with precision, but this is not the reality. Caseloads continually grow far beyond what one person or team can handle and we require the proper processes and tools to manage these cases quickly and efficiently without compromising quality.

Using Belkasoft Evidence Center in EnCase Forensic Version 7

Robert Bond

I’d like to introduce you to a new tool that expands the data-extraction capabilities of EnCase® Forensic. Belkasoft Evidence Center makes it easy for investigators to search computer hard drives, disk images, and snapshots of a computer's volatile memory for many types of digital evidence.

This volatile evidence includes conversations made in social networks and can quickly locate chats carried over a variety of instant messengers. Analysis of the suspect’s online behavior can be done by investigating the browsing histories of all major Web browsers, the mailboxes of popular email clients, peer-to-peer data, and multi-player game chats.

Belkasoft Evidence Center automates the analysis of office documents by extracting plain text, metadata and embedded objects, allowing you to run searches and use the many powerful analytic features available in EnCase® Version 7.

Finally, Evidence Center helps automatically identify pictures and videos with scanned text, human faces and pornographic content. In addition, the tool can identify forged pictures (images that have been edited after leaving the camera), locate encrypted files, and analyze mobile backups, system, and registry files.

How Belkasoft Evidence Center Integrates with EnCase Forensic

Evidence Center is tightly integrated with EnCase Version 7, allowing investigators to acquire the many types of evidence supported by Evidence Center via the familiar EnCase user interface. After performing the acquisition, collected data can be processed and investigated inside of EnCase Version 7 with the many powerful analysis features.

The integration is implemented via the free “BelkasoftDataImport” plugin, allowing EnCase users to seamlessly access information collected by Belkasoft Evidence Center.

Integration Benefits

With the integration of the two powerful forensic products, EnCase users gain access to powerful data search and carving abilities provided by the Belkasoft technology. Belkasoft Evidence Center is designed specifically to collect information about suspects’ communications and online activities such as chats, postings and comments they make over a wide range of carriers. Its ability to carve data from allocated, unallocated or entire disk space sets it apart from similar tools, while its ability to capture and carve raw memory dumps makes it possible to discover many types of ephemeral evidence (see below).

Belkasoft Evidence Center can extract the following types of evidence:

  • Conversations carried over in a wide range of 80+ popular instant messengers (Skype, MSN, AIM, ICQ, Miranda, Trillian, the Chinese QQ Messenger, and many others)
  • Facebook, Twitter, Google+ posts and other social network communications (via Live RAM analysis)
  • Chats occurred in popular online computer games (e.g. World of Warcraft or Lineage) and peer-to-peer applications
  • Messages sent and received in Gmail, Hotmail and other webmail systems (via Live RAM analysis)
  • Regular emails (Outlook, Windows Live Mail and a wide range of other email clients)
  • Web browsing histories in all popular Web browsers (including Privacy/Incognito modes via Live RAM analysis)

Analyzes Windows, Linux and Mac OS X apps and file systems

Evidence Center supports Windows, *nix and Mac OS X file systems, and recognizes applications specific to these operating systems. This allows investigators analyze hard drives and memory sets collected from computers running almost any operating system in existence.

Automates document analysis

In addition to chats, emails and browsing histories, Belkasoft Evidence Center can discover and analyze documents, extracting plain text, metadata and embedded objects from many different types of files. Extracting plain text from a range of document formats allows running automated keyword searches through all of the suspect’s documents discovered on the computer.

Detects scanned text, human faces, pornography and forged images

The Ultimate edition of Belkasoft Evidence Center comes with the ability to analyze still images and videos for signs of scanned documents, human faces and pornographic content. The automated detection of illicit content saves investigators countless hours of manually searching through a system’s images. Discovers files that have been edited, launched or otherwise accessed

The latest editions of Belkasoft tools gained the ability to locate and analyze Windows artifacts such as jumplists. Jumplists contain information about files accessed by the user over the history of the machine. Jumplist history has not gained much recognition, and is often not affected by various “cleaners” and privacy tools. Analyzing jumplist items allows investigators to learn which files were created, edited, launched or otherwise accessed months or even years ago. Jumplists contain information about access to files that have been deleted, allowing investigators to obtain evidence that a certain file existed in a certain location.

Integrating Evidence Center with Guidance Software EnCase

To start using Evidence Center, you will need to install the tool. Obtain the product and EnCase integration script from the App Central and install it by placing the BelkasoftDataImport.EnPack file into your EnCase script folder (normally, that would be "C:\Program Files\EnCase7\EnScript\EvidenceProcessor\").

You will also need to place the script license file BelkasoftIntegration.EnLicense to your EnCase license folder (normally, "C:\Program Files\EnCase7\License\").

In a final integration step, open the "ModuleList.EnScript" in "C:\EnScript\EvidenceProcessor\". If this file does not exist, create it. Add the following string: include "BelkasoftDataImport.EnPack"

Congratulations! You have just completed the integration, and can start using Evidence Center.

Start Using Evidence Center

To start using Evidence Center, first add some evidence files to your case. Open "Evidence Processor" and select an evidence file you would like to analyze. You should see the "Belkasoft Data Import" module available in the module list. Tick the box and click OK.

Belkasoft Evidence Center will be launched. You will be prompted whether you’d like to carve data or analyze existing files. You can skip either option by clicking the Cancel button in the corresponding dialog.

Wait until all tasks are finished. During the analysis you can cancel any task in the Task Manager window. When all tasks are finished, close Evidence Center. Once you've done that, the data will be imported into EnCase automatically. It’s that easy!

Using EnCase to Analyze Evidence Collected with Belkasoft Evidence Center

Now you’re ready to begin analyzing the data collected by Evidence Center. In EnCase, navigate to the Records tab, select drive image you’ve just analyzed, and open "Belkasoft Data Import – Records".

Under "Belkasoft Data Import – Records," you will find the results extracted by Belkasoft Evidence Center.

Exclusive to EnCase Customers

Belkasoft Chat Analyzer and Chat and Social Analyzer offer many more valuable features at a much lower price point compared to what is available on the Belkasoft Web site. The following Belkasoft products are available at special pricing to EnCase® Forensic and EnCase® Enterprise Version 7 users, and can be purchased exclusively through EnCase® App Central:

  • Belkasoft Chat Analyzer
    Exclusive pricing for EnCase customers! Identical, feature-wise, to Belkasoft IM Analyzer, which sells for a regular price of $499.
  • Chat and Social Analyzer
    Chat & Social Analyzer includes many more essential features compared to the Belkasoft IM Analyzer. Basically, it adds the abilities to carve volatile memory dumps for remnants of social networking communications.
  • Evidence Center Pro
    This edition is similar in most respects to Evidence Center Pro available from Belkasoft’s Web site, the App Central edition adds the ability to carve disk space for destroyed evidence, and introduces email and browsing history analysis.
  • Evidence Center Ultimate
    This edition is similar in most respects to Evidence Center Pro available from Belkasoft’s Web site, the App Central edition adds the ability to extract text from office documents and identify pictures and videos with content of interest (scanned text, human faces, pornography).