We've Moved! Visit Our New Blog

We’ve got a fresh new look! 

Please visit us at our NEW blog: https://www.guidancesoftware.com/resources/blogs

Wishing you a happy and prosperous 2016!

Easter Egg Hunt - The Final Leg

UPDATE: We have our three winners! Thanks for playing and helping us celebrate our new look and logo, everyone.

Ask the Expert: Yuri Gubanov, CEO of Belkasoft

In our recent webinar with Yuri and Oleg from Belkasoft, we had quite a few interesting questions and even more interesting answers. They presented three case studies that leveraged EnCase Forensic and Belkasoft digital forensics tools to uncover critical evidence. You can watch the on-demand webinar here.

Q: Guys, you mentioned analysis of Live RAM dump created by Belkasoft tool. We use winen.exe tool by Guidance Software. Will you work with dumps created by this tool?

Ask the Expert: Amber Schroader of Paraben Corporation

Recently, Amber Schroader, the CTO of Paraben Corporation, joined us for a well-attended webinar, Six Keys to Conducting Effective Mobile Forensic Investigations. A number of our attendees had questions that we wanted to capture here along with Amber's answers.

What do you recommend when dealing with the drivers on pay-as-you-go devices?

Using EnCase with the Latest Release of Belkasoft Evidence Center

Yuri Gubanov, Belkasoft

Belkasoft has just updated its digital forensics suite, Belkasoft Evidence Center, making the tool a true, all-in-one forensic solution. When seamlessly integrated with EnCase, the two tools can cover nearly every digital forensic need. Belkasoft Evidence Center helps you jump-start investigations by automatically discovering evidence gathered from many different sources.

In its biggest update in two years, Belkasoft has done more than learn a few new tricks. It now extracts and analyzes evidence from pretty much any data source you can imagine. Hard drives and drive images with Windows, Linux, Ubuntu, and many other operating systems; smartphone backups in all popular formats; UFED images and chip-off dumps; live memory dumps; and many virtual machines can be scanned for available evidence. This major update turns Belkasoft Evidence Center into a true, all-in-one digital forensic tool.

We added several new modules to bring about these changes.

Top 6 Reasons to Use EnCase and IEF Together

Jamie McQuaid, Magnet Forensics

As a forensic examiner, you rely on a variety of tools to conduct your investigations. The types and needs of every case vary, often making it necessary to use more than one tool to find what you’re looking for. Depending on the scenario, investigators need to use the tools that will enable them to work through cases thoroughly and efficiently.

A lot of investigators are using EnCase®, by Guidance Software, as their primary forensic suite. EnCase is a great tool because it’s versatile and can recover data in almost any type of investigation you are working with. Whether it’s a network intrusion, malware outbreak, missing persons, child exploitation, or IP theft case, EnCase enables investigators to examine many types of computers and media.

Forensic Focus Review: Guidance Software EnCase Training Computer Forensics I Course in Slough, U.K.

Scar de Courcier

During the first week of December 2014, Guidance Software ran a computer forensics training course at its Slough offices in the UK, with the aim of helping forensic practitioners to understand and use EnCase as part of their investigations. 

Background

The course was developed by Guidance Software with a view to introducing new digital forensics practitioners to the field. The students are usually new IT security professionals, law enforcement agents and forensic investigators, and many have minimal training in computing.  Computer Forensics I is available both in person at one of Guidance Software's training centres, or online via their OnDemand solution, which provides live remote classes for students around the world.

Help for the Help Desk: Announcing EnCase® Remote Recovery + for Fast, Remote File Recovery

When a sales director on another continent needs a contract file un-deleted—stat!—who’s she gonna call? IT help desk. Problem is, that usually means she needs to ship her laptop to headquarters or someone from IT has to get on a plane, train, or automobile. And both of those options require taking her offline when every moment of downtime could lose her a deal.

Enter EnCase® Remote Recovery +.

EnCase and Python – Automating Windows Phone 8 Analysis

James Habben

Roll Call

You may have read my introductory post about using Python scripts with encase. You may have also read my part 2 follow-up, which put a GUI on top of Didier Stevens’ pdf-parser. Did you also read Kevin Breen’s post? He wrote about using EnScript to call out to David Kovar’s analyzemft script using EnScript. Then Chip wrote a post about sending data out to get parsed by parser-usnjrnl.

EnCase and NetClean Collaborate to Increase Investigator Efficiency

Johann Hofmann

We started working with Guidance Software in the USA and spoke to the company’s Product Manager Ken Mizota about how this made customers much more efficient.

”After looking at the capability of NetClean Analyze, we became very interested in working closely with NetClean. By allowing our tools to work together, we will be giving our customers valuable assistance,” says Mizota.

Guidance Software’s EnCase® tool is used for collecting, processing and analyzing forensic data. Because it’s an open platform, the company works with multiple suppliers of complementary products that use data from EnCase. But a software application that analyzes and categorizes images in as sophisticated a way as NetClean Analyze does is extremely valuable, he says.

”We’re seeing that it really solves problems for criminal investigators. They gain in efficiency and save time, which they really appreciate.”

Guidance Software’s customers typically use a large number of tools in their investigations, so it’s important that they are interoperable.

”Our aim is to make our customers’ lives easier, and without tools like NetClean Analyze and EnCase, investigators are not able to efficiently analyze and categorize the large volumes involved. They need the right tools for the job.”

Ken Mizota envisages several other applications for Analyze in the future.

”The great thing about NetClean Analyze is that it can also be used in other types of investigations involving images, which represent an increasingly important component.”

As examples, he mentions harassment cases or employee misuse of corporate resources for collecting pornographic images.

to NetClean Analyze Product Manager Johann Hofmann, the main benefit of the alliance is that the forensic community now stands to gain a more seamless workflow between IT forensics and investigations of still and video images.

”We have a whole lot to learn from Guidance Software, which has been regarded as the gold standard in IT forensics for years. And with NetClean Analyze now emergent as the leader in technology for processing still and video images, we will be building a standard together.”

Guidance Software’s EnCase solution is used for digital investigations conducted by corporations and law-enforcement organizations worldwide. A total of 40,000 licenses are in use by corporate customers such as Symantec, General Electric, Coca-Cola and Pfizer, and the EnCase servlet is estimated to be deployed on over 20 million endpoints worldwide.

The “Shellshock” BASH Vulnerability and EnCase Products

Ken Basore

We know that our customers are concerned about the “Shellshock” BASH vulnerability and whether it affects our EnCase software, our Tableau hardware products, or any of our corporate systems. This is a legitimate concern, and because we have the utmost concern for your organizational and data security, we want to give you all the information you need regarding it. Below we address one by one the key areas that you may be wondering about.

SEC Whistleblower Awards Sound a Clarion Call to Action

Robert Bond

Boardroom failures, financial regulatory lapses, auditor and security analyst conflict of interest, unsatisfactory banking practices, and fraud compelled the passage of Sarbanes-Oxley in 2002 and Dodd-Frank in 2010, placing organizations under greater government scrutiny. The higher standards set by the legislation place enormous responsibility on organizations to be prepared to conduct their own internal investigations and to police themselves more effectively or face penalties and fines.

When the Dodd-Frank Act first passed, Peter Zeidenberg, a DLA Piper partner who worked as a federal prosecutor at the Department of Justice and the U.S. Attorney’s Office, remarked, “Most companies will have to deal with an internal investigation at some point. You’re very lucky if you don’t. In any large company, it’s hard to imagine that at some point in time there’s not going to be some suggestion or allegation of internal misconduct.”

EnCase and Python – Part 2

James Habben

In Part 1 of this post, I shared a method that lets you use Python scripts by configuring a file viewer in EnCase. We used Didier Stevens’ pdf-parser as an example. I also showed how EnScript could be used to greater effect by allowing us to capture the output of pdf-parser directly in a bookmark without having to manually copy and paste. Both of these techniques reduce effort by leveraging capabilities of both EnCase and the Python language.

In this post, I’ll take the same principles and apply them into an EnScript that provides a little more flexibility and functionality. Our goal is to have a GUI that gives you control over the exact functionality you want from the pdf-parser tool.

EnCase and Python - Part 1

James Habben

As a co-author and instructor for Guidance Software’s EnScript Programming course, I spend a lot of time teaching investigators in person around the globe. Investigators are faced with a dizzying variety of challenges. We work together in class, coming up with solutions that send EnCase off to do our bidding. EnCase and EnScript allow us to “bottle” the result of our efforts to share with other investigators (e.g. categorizing internet history, detecting files hidden by rootkits).

Python is used similarly. The interweb hosts great tools written in Python to accomplish all measures of tasks facing DFIR examiners. The community benefits from the hours of work that go into each and every .py that gets baked. It seemed to me that there should be a way for EnCase and Python to work together, so I put together a brief tutorial.

Fear and Loathing in Internet History

James Habben

As a DFIR examiner, poring over internet history records is a well-loathed daily activity. We spend hours looking at these lists trying to find an interesting URL that moves our case one direction or another. Sometimes we can use a filtering mechanism to remove URLs that we know for certain are uninteresting, but keeping a list like this up to date is a manual task. I used Websense to assist with this type of work at my previous job, but I have also had brief experiences with Blue Coat. as well.

POSIX Regular Expressions in EnScript and .NET

James Habben

I am sure you have spent a little intimate time with EnCase doing keyword searches, so you know that EnCase has basic GREP capabilities. This is a powerful feature that allows for searches to be performed with patterns that can eliminate false positive hits. Recently, we hosted a webinar with guest Suzanne Widup, describing some techniques and benefits of using GREP in EnCase.

GREP is a term that comes from the Unix world long ago. It stands for Globally search for Regular Expressions and Print. This command line utility was used to search through data and print out results that matched the given pattern. Because of the popularity of the tool, the name has become synonymous with Regular Expressions (Regex). Though there is a defined standard, POSIX, the syntax of patterns used in Regex actually varies quite wildly depending on the platform engine and programming language that is being used. EnCase is no exception. In homage to our habit of prefixing our product names with “En”, I jokingly refer to our syntax of regex as “EnGrep.”

Feature Spotlight: Report Template Wizard

Ken Mizota

No forensic investigation is complete without a comprehensive report tailored to the intended audience. Whether the cases involve crime, civil litigation, or policy non-compliance, the end goal of an investigation is to share findings with others. EnCase Version 7 provides powerful tools to efficiently incorporate the findings of the investigation into a Report Template. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power.

EnCase Version 7.10 adds the Report Template Wizard. You can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting while maintaining the power of Report Templates. Read on beyond the jump to learn more.

Feature Spotlight: Portable Triage

Ken Mizota

EnCase 7.10 now includes full EnCase Portable capabilities at no additional cost.

In this post, I’ll explain what this means to the investigator and show some practical tips on how to make use of your new-found ability. Acquire Live RAM? Detect encryption? Perform snapshot? Capture screenshots of running Windows? Learn more after the jump.

Feature Spotlight: SED Unlock with EnCase & WinMagic SecureDoc

Ken Mizota

Self-encrypting drives represent a very specific problem for digital investigators. The direction of technology is clear: within the next few years, strong encryption will be baked into the silicon of every hard drive from every major manufacturer. Self-encrypting drives (SED) offer greater data security than traditional full-disk encryption in that the data stored is always encrypted at rest and the keys to decrypt the data never leave the device, which means they cannot be practically brute-forced through traditional means.

SEDs render “cold boot” and “evil maid” attacks useless and offer instant encryption and crypto-erase when a drive needs to be repurposed. SEDs are very attractive, but present significant obstacles to traditional disk-based forensics. In this post, we’ll walk through how EnCase 7.10 works with WinMagic SecureDoc to enable forensic investigation of self-encrypting drives.