EnCase 7.1 and FTK 5.5 Tool Evaluation Part 3


EnCase v7.10 Updates

Windows 8.1 and Server 2012 R2 Support

EnCase 7.10, EnCase Examiner, SAFE, and the servlet all support Windows 8.1 and Windows Server 2012 R2. The Evidence Processor (specifically the Windows Artifact parser) now handles systems running Windows 8.1, BitLocker encryption on those systems is supported, and the EnCase system requirements and recommended configurations have been updated for Windows 8.1 as well. However, Windows 7 (64-bit) remains the optimal platform for running EnCase.

Select Tagged Items

In EnCase, item tags remain constant across the various views. However, selected items (items marked with the blue check) do not carry over between views, and some EnCase tasks apply only to selected items. When the user needs, for example, to acquire a logical evidence file, a group of items can be selected efficiently based on the tags assigned to them by right-clicking, choosing the “Select tagged items” option, and then picking the desired tags.

EnCase Starter Installer

This new update also comes with a new installation wizard to streamline the installation of EnCase Examiner and SAFE (Secure Authentication for EnCase) into a single workflow. This will reduce the time between the download and first installation of the software. This wizard will install Examiner and SAFE on a single machine, and it will also help to simplify basic configuration by generating electronic licenses and SAFE activation files in a single step, as well as configuring SAFE for the examiner. The wizard will also create a network tree with default roles and permissions and allow for machine creation; it will also create key master and investigator user encryption keys.

Internet Explorer 10 and 11 Artifacts Support

With Internet Explorer 10 and later, Microsoft changed the format in which internet history is stored. The index.dat file that previously held the history has been replaced with WebCacheV[01].dat, which EnCase now supports.

Internet Explorer 10 and 11 use an ESE (Extensible Storage Engine) database to commit transactions. This means the database is often left in what is called a “dirty” state, even when Internet Explorer was shut down properly. A dirty state is any time a database has not been cleanly shut down or is running during acquisition. This type of database typically commits transactions when Internet Explorer is closed. EnCase can parse dirty databases, but it will not commit dirty transactions. Transactions can be anything from inserts to deletes, such as clearing the cache or deleting bookmarks. If any of the destructive transactions are committed (clearing the cache, deleting bookmarks), the data is lost and EnCase does not parse it.

The file can be processed with ESENTUTL, a utility that ships with Windows, which repairs the ESE database and commits the pending transactions. The repaired file can then be brought back into EnCase and analyzed with the Internet Artifacts Parser.
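Before handing a WebCacheV01.dat to ESENTUTL, an examiner usually wants to confirm from the file header whether it is actually dirty. The following added example (not EnCase, FTK, or Microsoft code) reads the ESE database header, checks the 0x89ABCDEF signature at offset 4 and the 4-byte database state at offset 52 (per the public ESE header layout), and decides whether recovery is needed; the sample headers are constructed inline rather than taken from a real browser database.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF   # magic value at header offset 4
STATE_OFFSET = 52            # 4-byte little-endian database state field
STATE_NAMES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
               4: "BeingConverted", 5: "ForceDetach"}
CLEAN_SHUTDOWN = 3


def ese_header_state(header: bytes) -> dict:
    """Return signature validity plus the raw state code and its name."""
    if len(header) < STATE_OFFSET + 4:
        raise ValueError("header too short to be an ESE database header")
    sig = struct.unpack_from("<I", header, 4)[0]
    state = struct.unpack_from("<I", header, STATE_OFFSET)[0]
    return {"signature_ok": sig == ESE_SIGNATURE,
            "state": state,
            "state_name": STATE_NAMES.get(state, "Unknown")}


def needs_recovery(header: bytes) -> bool:
    """True when the file is an ESE database that was not cleanly shut down,
    i.e. the case where ESENTUTL must replay/repair it before parsing."""
    info = ese_header_state(header)
    return info["signature_ok"] and info["state"] != CLEAN_SHUTDOWN


def build_sample_header(state: int) -> bytes:
    """Constructed minimal header (NOT a real WebCacheV01.dat): only the
    signature and state fields are populated, everything else is zero."""
    buf = bytearray(256)
    struct.pack_into("<I", buf, 4, ESE_SIGNATURE)
    struct.pack_into("<I", buf, STATE_OFFSET, state)
    return bytes(buf)


def check_file(path: str) -> dict:
    """Triage a database on disk by reading just the start of its header page."""
    with open(path, "rb") as fh:
        return ese_header_state(fh.read(256))


if __name__ == "__main__":
    for code in (2, 3):
        sample = build_sample_header(code)
        print(STATE_NAMES[code], "-> needs recovery:", needs_recovery(sample))
```

The same state field is what `esentutl /mh <file>` prints as the database State, so this check is a quick way to decide whether the ESENTUTL step described above is required for a given copy of WebCacheV01.dat.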

FTK 5.5 Updates

Bookmarks

In the newest version of FTK, bookmarks have become even more practical and productive assets. One new feature is the ability to easily set a bookmark for a video thumbnail. Upon setting the bookmark, the user can adjust the beginning and end of the video selection, and even generate a report that contains the bookmarked video clip. Bookmarked comments can also now be created, edited, and displayed in HTML format. Another feature offers the ability to create empty bookmarks. These empty bookmarks can act as placeholders and can have information put into them later on.

Mozilla Firefox

There are a few new features for analyzing Firefox, as well. New processing options allow for the expansion of the cache and SQLite files into individual records. Internet artifacts from Firefox are also organized in the Overview and Internet/Chat tabs, and this includes bookmarks, browser history, cookies, downloads, form history, login data, keywords, and favorites. In addition, web pages can be reconstructed from Firefox’s cache and history. If a page cannot be reconstructed, information about the history is displayed as an alternative.

KFF (Known File Filter)

The KFF is used for eliminating or highlighting known files using MD5 hashes generated by the user or other sources. You can now use the right click menu to close groups that were imported into KFF.

Document Content Analysis

Document Content Analysis enables the efficient organization of documents, such as Word documents, text files, and PDFs, in order to be reviewed by the user in a timely manner. These organized groups of documents are known as “clusters” and are displayed in groups (named “Cluster Topic Containers”) in the Evidence Explorer. Each group contains documents with similar keywords and subjects.

Added Languages

In an effort to make FTK more widely accessible, the program is now available in more languages, including Chinese, Spanish, Korean, and Portuguese.

Other

FTK 5.5 also includes support for Windows 8 and 8.1 thumbcache file extraction, along with the creation of video thumbnails when viewing videos in the File Content Viewer.
