Digital forensics

EnCase Product Suite Overview

Ravi Das
November 16, 2017 by
Ravi Das

Introduction

This guide is designed for several audiences. First and foremost, it is designed for anyone seeking the preliminary knowledge of EnCase and guidance software. Encase has rapidly grown in popularity and demand in all areas of the computer forensics industry. Nowadays employers have started recognizing the importance of this certification and are seeking this credential. Encase meets or exceeds the needs of the computer forensics industry. Moreover, EnCase has become the global gold standard in computer forensics.

This guide was also designed for computer forensics students working either in an educational setting or in a self-study program.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Guidance Software, Inc.

All EnCase product line is developed and maintained by Guidance Software Inc. Guidance Software has been a leader in the forensics industry by providing robust tools and solutions for digital investigations which matches individuals and industries requirements. Guidance Software, Inc. was founded in 1997. Other than industrial purposes Guidance Software is used by legal as well as law enforcement personnel.

Guidance Software provides all Forensics Products, Services & Training. Further information is about the company can be found here.

Guidance Software products are comprehensive and each product provides a unique purpose. Let’s discuss briefly each of them.

EnForce Risk Manager

EnForce Risk Manager is a tool that provides solution for automatically identifying, categorizing, and remediating confidential data across the enterprise. Enforce risk manager gives in-depth insight and control to electronic data across all storage solution and devices like file shares, servers, and cloud repositories. This enables organizations to improve focus onto business intelligence, compliance and strengthen their security solution.

Features:

  • Patented Graf technology: sensitive data can be categorized on vast storage solutions with the depth of ‘paragraph-level’ using EnForce Risk Manager
  • Automated remediation: Users are able to view the file’s matter and remove sensitive content from one storage or every storage where that information resides.
  • Complete relational data intelligence: Co-relation ability of sensitive data on basis of machines, users, geo-locations, and other data points provide additional context for greater insight

On the total number of end user workstations; as well as the geographic location.

  • Customized dashboards: custom dashboards allow the user to clear review and reporting on risk distribution and reduction as sensitive data manifests throughout an organization and create statistical based risk reports.

Scenario of usage

Every organization has valuable data, that’s most often the driving force of their business. However, with storing valuable or sensitive data comes inherent external risk.

Risk of loss or theft

Through Enforce Risk Manager you can automatically pin point, classify and control sensitive data anywhere it is stored on premises or in the cloud, this is achieved with its 360 degree visibility feature augmented with powerful data analytics and meaningful visualizations, hence reducing the surface area of inherent risk and indeed protecting data from internal and external threats.

EnCase Endpoint Security

Encase Endpoint Security is created to merge the two separate industry processes, Incident Detection and Incident Prevention, to help security teams proactively address the gaps in their security process framework. 

An enterprise may have multiple data points. Due to a lack of visibility. some of these data points converts into security gaps.

Features

  • On-demand data search & collection from enterprise-wide endpoints
  • Representable view of endpoint data and activities, no data expertise required
  • Integration with third-party data sources to receive and share intelligence
  • Customizable Report-sharing & exporting as images, PDFs, or spreadsheet files
  • Checking false positive and validate alerts detected by other security technologies
  • Automatically run scans to find sensitive and classified or sensitive data, exposing systems that present a risk and classified information on systems which pose the greatest Security risk
  • Web-based reporting offers a convenient way to swiftly review, act on, and present findings for small and large security teams

Web-based reports offer a quick way to act on Security threats and risks.

  • Kill running malware, morphed instances and related processes
  • Terminating any suspicious processes running from within your IT infrastructure
  • Remotely delete sensitive data files from unauthorized locations

Scenario of usage

This Encase product is actually a combination of three products:

  • Alert triage, where you can discover and prioritize handling of security events and make sure you are tackling the biggest issues first
  • Incident response, where you can bring the full collection of tools to prevent an infection from spreading or continuing to confound your network
  • Threat detection and remediation, where you can visualize what is happening to your network. This is still a work in progress

This Encase product is actually a combination of three products:

  • Alert triage
  • Incident response
  • Threat detection and remediation

EnCase eDiscovery

The EnCase eDiscovery provides with continuous case assessment, an optimized process with the help of which, legal teams can quickly check necessary facts. Encase eDiscovery is designed for enterprise professionals, and provides the following:

Features:

  • Reliable, protected, and non-disruptive collection and preservation
  • Reliable, protected, and non-disruptive collection and preservation
  • Customizable e-discovery support for any combination of cases, users, and data volumes
  • Collaborated secure Central Legal Repository• Strong oversight and management of the entire e-discovery process

Scenario of usage

Source- http://www.coupers.co.kr/default/img/vdata/images/coupers/ediscovery_pic1.jpg

The above diagram represents the workflow of eDiscovery. EnCase eDiscovery enables your organization to hold all the essential capabilities you need from legal hold, identification, collection and preservation to processing, early case assessment (ECA), analytics, review and production. Encase eDiscovery is used either for a single case or multiple matters; it delivers exceptional value that result into faster, cost-effective and consistent discovery while reducing legal risk.

The above diagram represents the workflow of eDiscovery, taking into account on legal aspects which are needed, for all kinds and types of legal cases.

EnCase Forensic 8

Features:

  • Triage reporting: There is an implementation of new triage reporting features so you can quickly share a report with field investigators, attorneys, controllers, or any other involved party. With the help of few clicks you can extract the exact information for your report and generate an HTML report.
  • Investigation Workflows: With a click an examiner can take a case from adding and processing evidence section to creating a report of findings. One of the important parts of an investigation depends on the ability of examiners to uncover evidences. Examiners can be rest assured that navigating EnCase Forensic would never slow down their progress.
  • Persistent blue-checks: In EnCase Forensic 8, you can now “blue-check” important files and those selections will appear no matter what screen you navigate.
  • Tree-view refresh: In EnCase Forensic 8, you would never need to navigate away from the entry view after analyzing the hash, adding a new partition, or processing the evidences to see the results. With just one click of the refresh button your view will get refresh.
  • Multi-colored sweeping bookmarks: This gives the to highlight any given string. You can now easily hone in on a definite portion of a bookmarked string, noting its relevance to the case.

Scenario of usage

Home tab of EnCase forensic 8

EnCase Forensic home tab and creation of new case.

After case creation “Case1” this becomes the home tab of “Case1”

Adding the evidence to the “Case1”

Here in the below screenshot, we have added the evidence file by clicking the “Add Evidence File”, now the examiner can investigate the file as per his knowledge:

If the investigator needs help for further investigation he/she can refer to the “pathways” tab in the encase tool.

How Does EnCase V8 work?

Encase forensics 8 is very rich in forensics functionality. Encase v8 provides functionality to execute powerful analytic methods against evidence in a single automated session. While running this multi-threaded process, the Encase v8 optimizes the order and combinations of processing operations, ensuring the most efficient execution path is taken. The output of the Encase v8 is stored, per device, on disk, instead of memory, so that multiple devices can be processed simultaneously across several computers, and compiled into a case.

Encase forensics 8 is very rich in forensics functionality. Encase v8 provides functionality to execute powerful analytic methods against evidence in a single automated session.

The Encase v8 contains numerous useful features:

  • Acquiring the given devices directly from the Evidence Processor
  • On-screen instructions that guides you through the use of each setting
  • Expose OS specific artifacts through use of the Linux, Windows and OS X artifact parsers
  • Saving sets of Encase v8 options as templates to be run with little or no modification later
  • Automatic processing of the results from any current EnScript modules

The Encase v8 contains numerous useful features:

  • Acquiring the given devices directly from the Evidence Processor
  • On-screen instructions that guides you through the use of each setting
  • informaton and data on any OS based platform.
  • Saving sets of Encase v8 options as templates to be run with little or no modification later
  • Automatic processing of the results from any current EnScript modules

 EnCase forensic 8 OPTIONS

Recovering Folders

Recover Folders attempts to recover files from FAT and NTFS volumes. This action is mainly useful when a drive has been reformatted or the MFT is corrupted.

File Signature Analysis

A commonly used technique for data masking is to rename a file and change the extension. Image files can be renamed so that they look like Windows DLL files. Signature analysis component verifies file type by comparing the file headers, or signature, with the file extension.

The signature analysis process flags all files with signature-extension mismatches according to its File Types tables. Signature analysis is always enabled so that it can support other Encase v8 operations.

A commonly used technique for data masking is to rename a file and change the extension. Image files can be renamed so that they look like Windows DLL files.

Thumbnail Creation

When you select the Thumbnail creation option, the Encase v8 creates thumbnail records for all image files in the selected evidence. This facilitates image browsing.

Hash Analysis

A hash is basically a digital fingerprint of a file, commonly represented as a string data written in a hexadecimal format. The most common use for hashes are to:

  • Verify that data has not changed, in which case the hash should be the same both before and after the verification

The Encase v8 supports the calculation of MD5 and SHA1 hashes.

Expand Compound Files

For archive files, Expand Compound Files extracts compressed or archived files, and processes them according to the selected Encase v8 settings. This includes nested archive files or zip files or .rar files.

Find Email

Select this setting to extract individual messages and attachments from email archives. Find Email supports the following email types:

  • PST (Microsoft Outlook)
  • NSF (Lotus Notes)
  • DBX (Microsoft Outlook Express)
  • EDB (Microsoft Exchange)
  • AOL
  • MBOX
  • EMLX (Apple Mail)

Find Internet Artifacts

This can Identify the internet related artifacts, such as browser histories, cookie and cached Web pages. You can examine the unallocated space for artifacts.

Index Text and Metadata

Encase v8 creates an index which allows you to quickly search for the string. Since the Encase v8 is recursive, all files, emails, and module output are indexed, including such EnScript modules as the IM Parser and System Info Parser. The advantage of having these items indexed is that you will later be able to search across all types of information and the view results in email, files, smartphones, and any other processed data in a one search results view.

With the Encase v8, you can quickly and easily search for all kinds of information and data, any kind of wireless or mobile device.

Index Personal Information

When creating an index of case data, select Personal Information to additionally identify and include the following personal information types.

  • Credit cards
  • Phone  numbers
  • Email  addresses
  • Social security numbers You can quickly and easily categorize any kind of personal information which is deemed to be confidential in nature.

Index Text in Slack and Unallocated Space

As you select options for indexing evidence such as files and emails, you can choose to include text identified in the RAM slack, file slack, disk slack, and the unallocated space.

Run EnScript Modules

The EnCase Encase v8 has the ability to run add-in modules during evidence processing. Some modules ship as part of EnCase, and you can also add your own EnScript packages. The Encase v8 supports the following EnScript Modules.

System Info Parser

The System Information Parser module identifies hardware, software, and user information from Windows and Linux computers. This module detects the operating of devices.

IM Parser

The IM Parser module searches for Instant Messenger artifacts from MSN, Yahoo, and AOL Instant Messenger clients. These artifacts include messages and buddy list contents.

File Carver

The File Carver module of Encase searches evidence for file fragments based on a specific set of parameters, such as known file size and file signature. File Carver examines unallocated space, and searches for file fragments on the disk. It generates a report of carved files on disk by default and can optionally be configured to export carved artifacts to the disk for external review or production.

The File Carver module of Encase find any kind of legal evidence based upon the permutations and constraints that you establish.

OS X Artifact Parse

The OS X Artifact Parser performs the task of searching for common OS X operating system artifacts of potential forensic value. Artifacts of interest include XML and Binary Property Lists, Apple System Log files.

EnCase Forensic Investigation Lifecycle

 

Triage: On investigation site or off site in lab

In case of any incident, the first priority of any investigator or forensics expert is to quickly determine whether the whole case is about so he/she can direct a team in particular direction. The EnCase Forensic has a built in database of potential evidences.

Collect: Image and secure your evidence

An investigator’s first step is to collect evidence using the EnCase Forensic Imager. The EnCase Forensic imager supports almost each variety of disk format e.g. FAT, NTFS, exFAT, ext4 etc. in different disk configurations e.g. RAID, LPM etc. The EnCase Forensic helps you to acquire more evidence than any product on the market. For example, you can collect from a wide variety of operating and file systems, including over 25 types of mobile devices with EnCase Forensic.

Decrypt: Unlock Encrypted Evidence

The EnCase Forensic is unmatched in its decryption capabilities from any other tool provided in the market place, ths offering the broadest support of any forensic solution. Encryption support includes products such as Dell Data Protection, Symantec, McAfee, and many more. It expands the decryption power of EnCase Forensic with

Process: Automate the Routine, Focus on the Investigation

The EnCase Forensic Encase v8 provides industry-leading processing capabilities that can automate the preparation of evidence using EnScript, making it easier to complete the investigation. You can automate complex queries across your varied evidence sources. Also, It can automatically index important links in any database.

Report: custom reports as per requirement

The EnCase Forensic presents a flexible reporting framework that authorizes the investigator to tailor case reports to meet specific needs. It has a comprehensive and triage reporting options built in, which helps to create reports for a wide range of entity.

EnCase Training & Acquisition

Acquisition

Encase is closed source and not a freeware. To start working with EnCase you need to acquire it from Guidance software. Anyone can ask for quotation from here.

Training

The best and popular training source for EnCase is Guidance Software itself. They are equipped with Training Centres, Virtual Class rooms, On-Demand & On-site training. Anyone can customize their training as per their requirement.

Guidance Software also provides the EnCase Certification EnCE (EnCase Certified Examiner). and is also well valued throughout industry.

 

References:

https://www.aperformerltd.com/

http://ondatashop.com/encase-forensic-8/

http://studylib.net/doc/8132627/encase®-processor

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

http://docplayer.net/32987785-Whitepaper-encase-processor-hardware-and-configuration-recommendations.html

Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.