EnCase 7.1 and FTK 5.5 Tool Evaluation Part 2


EnCase v7.10 Updates

EnCase Portable Capabilities

EnCase 7.10 comes with full EnCase Portable capabilities. EnCase Portable was previously a standalone product that worked separately from EnCase Forensic and EnCase Enterprise; with this update it is included.

EnCase Portable is a USB key based tool designed for non-expert and on-scene use. The goal of this tool is to allow forensically trained investigators to configure jobs on a USB key that can be sent out on-site with any non-expert who has minimal training. EnCase Portable is built for scenarios where non-technicians are forced to work within tight timeframes, such as a situation where the non-technician needs to determine whether a drive is encrypted or whether a computer can be shut down.

EnCase Portable requires a dedicated dongle to run job-based triage and collection. The Portable dongle can be configured to do a multitude of things: live RAM acquisition, taking a snapshot of running processes, open ports, the DNS cache and the ARP table, detection of full-disk encryption, searching for and previewing pictures, and running bespoke EnScripts.

EnCase 7.10 has many core capabilities for job-based collection and triage: triaging a running system, collecting and viewing images quickly and easily, running pre-configured and custom collection jobs in a forensically sound manner, and using keywords, metadata, hash values and other information to run targeted searches. 7.10 also allows a technician to collect volatile data, such as live RAM and snapshots of processes, identify encrypted volumes, and take screen captures of a suspect machine and its open windows.


Report Template Wizard

EnCase version 7.10 also adds the Report Template Wizard. This wizard allows the user to quickly add a bookmark folder to the report template, specify metadata, perform basic formatting and preview the report. The interface allows navigation directly from Bookmarks to report templates, and its Add Folder option opens the Report Template Wizard. The goal of this wizard is to create a comprehensive report tailored to its intended audience. Regardless of the nature of the case (a criminal or civil investigation, or a company’s internal affairs), the end result is to share the findings. The Report Template Wizard is designed to efficiently incorporate the findings of an investigation into a formalized report.

Report templates are intended to be used multiple times. Once a report template is established with the correct formatting and sections for a specific case type, it can be reused for all similar cases. In certain instances time is precious, and modifying a report template can be complex. The Report Template Wizard’s goal is to make basic reporting modifications quicker and easier to perform directly from Bookmarks.


SED Unlock with EnCase & WinMagic SecureDoc

Self-encrypting drives (SEDs) offer greater security than traditional full-disk encryption. The data is always encrypted at rest and the keys that decrypt it never leave the device, so they cannot be brute-forced through traditional means. This creates a problem for digital investigators attempting disk-based forensics.

In a locked state, none of the data on an SED is usable to an investigator: the drive’s security prevents a full disk image of the actual stored data. Since the data encryption key never leaves the drive, there is no way to decrypt the data without the original hardware, so the SED has to be unlocked before any of the actual data can be extracted. Unlocking the SED requires authentication, which happens independently of the operating system.

EnCase 7.10 works with WinMagic SecureDoc to enable forensic investigation of self-encrypting drives. Products like WinMagic SecureDoc are used to manage both software-based encryption and SEDs. A major obstacle is maintaining the ability to investigate the resulting data once a drive is decrypted. EnCase 7.10 and SecureDoc work together to provide “first-of-a-kind” visibility into data within an SED.

Better Visibility: OS X and HFS+

With 7.10, EnCase greatly expanded its support for investigations of the OS X operating system. It can now perform forensics on OS X Core Storage logical volumes and includes a dedicated OS X Artifact Parser. EnCase now parses “double” files, which OS X uses to store HFS+ extended file system attributes such as the date and time a file was moved to the trash. OS X’s Cover Flow images are now viewable as thumbnails in EnCase, so investigators see files as a user would in the Finder. 7.10 natively parses OS X Keychain (Apple’s password management system) files, and automates the decryption of encrypted DMGs (Macintosh OS X disk images) whose secrets are saved in the Keychain.
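As an added example (not from the original post and not EnCase’s own code), this Python parser walks an AppleDouble “._” file the way OS X writes it: the entry table, the Real Name entry, and the “ATTR” block that macOS stores inside the Finder Info entry to hold extended attributes. The sample file is constructed inline; the quarantine value in it is made up.

```python
import struct

AD_MAGIC, AD_VERSION = 0x00051607, 0x00020000
ENTRY_NAMES = {1: "Data Fork", 2: "Resource Fork", 3: "Real Name", 4: "Comment",
               8: "File Dates Info", 9: "Finder Info", 10: "Macintosh File Info"}

def parse_xattrs(buf, hdr_off):
    """Decode the 36-byte 'ATTR' header and its entries (Apple's xattr extension)."""
    # magic, debug_tag, total_size, data_start, data_length, reserved[3], flags, num_attrs
    num_attrs = struct.unpack_from(">4sIIII12xHH", buf, hdr_off)[-1]
    xattrs, pos = {}, hdr_off + 36
    for _ in range(num_attrs):
        off, length, _flags, namelen = struct.unpack_from(">IIHB", buf, pos)
        if off + length > len(buf):
            raise ValueError("xattr value runs past end of file")
        name = buf[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode()
        xattrs[name] = buf[off:off + length]
        elen = 11 + namelen
        pos += elen + (-elen % 4)           # each entry is padded to a 4-byte boundary
    return xattrs

def parse_appledouble(buf):
    """Return the entry table, the original file name and any extended attributes."""
    magic, version, count = struct.unpack_from(">II16xH", buf, 0)
    if magic != AD_MAGIC or version != AD_VERSION:
        raise ValueError("not an AppleDouble v2 file")
    result = {"entries": [], "real_name": None, "xattrs": {}}
    for i in range(count):
        eid, off, length = struct.unpack_from(">III", buf, 26 + 12 * i)
        if off + length > len(buf):
            raise ValueError(f"entry {eid} runs past end of file")
        result["entries"].append((eid, ENTRY_NAMES.get(eid, "Unknown"), off, length))
        if eid == 3:
            result["real_name"] = buf[off:off + length].decode()
        elif eid == 9 and length >= 38 and buf[off + 34:off + 38] == b"ATTR":
            result["xattrs"] = parse_xattrs(buf, off + 34)   # 32 bytes FinderInfo + 2 pad
    return result

def build_sample():
    """Constructed '._report.txt' carrying one quarantine xattr (values are made up)."""
    name, xname, xval = b"report.txt", b"com.apple.quarantine\0", b"0081;5a2b3c4d;Safari;"
    elen = 11 + len(xname); elen += -elen % 4
    finfo_off = 26 + 2 * 12 + len(name)          # header + two table entries + real name
    data_start = finfo_off + 34 + 36 + elen
    finfo_len = 34 + 36 + elen + len(xval)
    hdr = struct.pack(">II16xH", AD_MAGIC, AD_VERSION, 2)
    hdr += struct.pack(">III", 3, 50, len(name)) + struct.pack(">III", 9, finfo_off, finfo_len)
    attr = struct.pack(">4sIIII12xHH", b"ATTR", 0, finfo_len, data_start, len(xval), 0, 1)
    entry = (struct.pack(">IIHB", data_start, len(xval), 0, len(xname)) + xname).ljust(elen, b"\0")
    return hdr + name + bytes(34) + attr + entry + xval
```

On a real image, point `parse_appledouble` at the bytes of any `._name` file sitting next to `name` on a non-HFS+ volume to recover the attributes EnCase’s double-file parsing exposes.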
