Channel: Digital Forensics Today Blog

The “Shellshock” BASH Vulnerability and EnCase Products

Ken Basore

We know that our customers are concerned about the “Shellshock” BASH vulnerability and whether it affects our EnCase software, our Tableau hardware products, or any of our corporate systems. This is a legitimate concern, and because we take your organizational and data security seriously, we want to give you all the information you need. Below we address, one by one, the key areas you may be wondering about.

EnCase-based Applications (EnCase Forensic, EnCase Enterprise, EnCase eDiscovery, EnCase Cybersecurity, EnCase Analytics, and EnCase Portable) and all of the applications that run on them are NOT affected by the Shellshock vulnerability, as they do not run on Linux and do not use BASH. This is true for all versions of the applications.

EnCase Servlets run on a wide range of operating systems, including Linux, HP-UX, and various other Unix-based systems. All of our Unix-based servlets are self-contained applications that can be launched via BASH, but they do not invoke or otherwise interact with the BASH shell while they are running, so the servlets themselves give an attacker no way to reach a vulnerable BASH. As a result, the servlets are NOT affected by the vulnerability. However, users should still check the operating system on which they run for risks associated with other applications: Shellshock is exploited through any service that starts BASH with attacker-controlled environment variables, and that is a property of the host, not of the servlet.

EnCase LinEn: Guidance Software provides LinEn, a free imaging tool that runs on Linux. LinEn is a self-contained application that can be launched via BASH but does not interact with the BASH shell while it is running. As a result, LinEn is NOT affected by the vulnerability, but users should check the operating system on which it runs for risks associated with other applications.

EnCase eDiscovery Review: The EnCase eDiscovery Review SaaS application does use certain Linux systems that utilize the BASH shell. Once we learned of the original vulnerability, we immediately patched our systems or applied other well-established techniques to mitigate any risk to our systems. This includes additional attack vectors that have come to light since the original news was released. At this time, EnCase eDiscovery Review is NOT vulnerable to the known Shellshock/BASH vulnerabilities.

Tableau Products: One of our Tableau products, the TD3, runs a Linux operating system with a vulnerable version of BASH. Although the primary use case for the Tableau TD3 does not involve attaching it to a network where an outside attacker could reach it, we are testing a patch that fixes the vulnerability and will release it to our customers in the next few days.

Guidance Software, Inc. Web-based Systems: As with most companies with any type of web presence, Guidance Software did have internet-facing systems affected by this vulnerability. Upon learning of the issue, we immediately began working with our vendors and suppliers to obtain patches for those systems. As of this date, we have patched all of our systems or applied other well-established techniques to mitigate the risk. At this time, we are confident that there is NO risk to any GSI web-facing system and that all of our data, including confidential customer data, is secure.

Rest assured that we maintain a relentless commitment to the security of all of our software and systems and will continue our diligent efforts to validate that security. If you have any questions, please contact us here.

Ken Basore is the Senior Vice President of Research and Development at Guidance Software, Inc.

EnCase and NetClean Collaborate to Increase Investigator Efficiency

Johann Hofmann

We started working with Guidance Software in the USA and spoke to the company’s Product Manager Ken Mizota about how this made customers much more efficient.

”After looking at the capability of NetClean Analyze, we became very interested in working closely with NetClean. By allowing our tools to work together, we will be giving our customers valuable assistance,” says Mizota.

Guidance Software’s EnCase® tool is used for collecting, processing and analyzing forensic data. Because it’s an open platform, the company works with multiple suppliers of complementary products that use data from EnCase. But a software application that analyzes and categorizes images in as sophisticated a way as NetClean Analyze does is extremely valuable, he says.

”We’re seeing that it really solves problems for criminal investigators. They gain in efficiency and save time, which they really appreciate.”

Guidance Software’s customers typically use a large number of tools in their investigations, so it’s important that they are interoperable.

”Our aim is to make our customers’ lives easier, and without tools like NetClean Analyze and EnCase, investigators are not able to efficiently analyze and categorize the large volumes involved. They need the right tools for the job.”

Ken Mizota envisages several other applications for Analyze in the future.

”The great thing about NetClean Analyze is that it can also be used in other types of investigations involving images, which represent an increasingly important component.”

As examples, he mentions harassment cases or employee misuse of corporate resources for collecting pornographic images.

According to NetClean Analyze Product Manager Johann Hofmann, the main benefit of the alliance is that the forensic community now stands to gain a more seamless workflow between IT forensics and investigations of still and video images.

”We have a whole lot to learn from Guidance Software, which has been regarded as the gold standard in IT forensics for years. And with NetClean Analyze now emergent as the leader in technology for processing still and video images, we will be building a standard together.”

Guidance Software’s EnCase solution is used for digital investigations conducted by corporations and law-enforcement organizations worldwide. A total of 40,000 licenses are in use by corporate customers such as Symantec, General Electric, Coca-Cola and Pfizer, and the EnCase servlet is estimated to be deployed on over 20 million endpoints worldwide.

EnCase and Python – Automating Windows Phone 8 Analysis

James Habben

Roll Call


You may have read my introductory post about using Python scripts with EnCase. You may have also read my part 2 follow-up, which put a GUI on top of Didier Stevens’ pdf-parser. Did you also read Kevin Breen’s post? He wrote about using EnScript to call out to David Kovar’s analyzemft script. Then Chip wrote a post about sending data out to get parsed by parser-usnjrnl.

Here comes another one to add to the list of #en2py projects. This time the scripts are parsing data from Windows Phone 8 evidence. Adrian Leong wrote a few Python scripts to get SMS, Call History, and Contacts and blogged them to the world a few days ago.

Scenario


These caught my attention because of a case (weirdly, several cases lately) at my task force that involved a Windows 8 phone. There aren’t a lot of options for acquiring Windows phones, so our resident JTAG expert worked his magic and coerced the device into giving it up. With this dd image, we could now see the partitions and file systems from the inside out. The problem now was in getting readable data out.

If you haven’t done any research for Windows phone tools on your own, let me save you some effort – there aren’t many. EnCase was able to see all the files, but has no data parsing tools. Several other tool companies have recently released some Windows phone tools, but they couldn’t parse the data from this phone, either. We found a Python script that was able to do some work on it, but ran into errors part way through the data and choked. We patched up the Python script and got it limping along enough to get the SMS needed.

Fast-forward a couple weeks and I stumble on Adrian’s post with the tools mentioned. Wow! What a great tool to rip this data out! I thought, “Why don’t I put an EnScript in front of these to automate the work?” So, here we are. This is a bonus since it will run three Python scripts for one EnScript. Can’t beat that deal!

EnScript Breakdown


I went straight for the GUI version since I already covered the basics earlier. I started off with the same structure as the EnScript I used to put a GUI over the pdf-parser. There isn’t much to the GUI on this one since the Python scripts behind it take no options. I am making bookmarks of the files being parsed as the EnScript moseys along its way. A checkbox at the bottom has EnCase open Windows Explorer at the output folder location when everything is done, which makes it easier to review the data than digging into the folders manually.



I am assuming that you have your Python installed at the default of c:\python27, but you can change that location on line 36 if it’s different. I have also assumed that you copied these three Python scripts into that same folder. Again, the location can be changed, if yours is different, on line 37, as follows:



Another little tidbit I started putting into my EnScripts is to have EnCase open the folder of the output files in Windows Explorer so I don’t have to dig in to find them. The GUI has a checkbox to allow user preference, and that value gets stored into a variable. Line 68 checks that variable and uses the API to open the window.



There are two files of concern here: store.vol and phone. I’m using ItemIteratorClass to loop through all of the files in the case (lines 55 and 56). Then I check first to make sure that I don’t end up processing some folder named like one of the target files (line 58). As long as it’s a file, then I check the name to see if it matches our targets (lines 59 and 60).



I took a bit of a lazy approach on the RunParser function and copy/pasted some of the code inside. Bad form for a programmer, but then again I never claimed to be one! Lines 88, 97, and 106 each check the filename to make sure each Python script is run against the file it expects to parse. Other than running the different Python scripts, the code is identical.



The Results


The bookmarks that result from running this EnScript aren’t very detailed. The Python scripts used here all generate their output in the form of tab-separated value (TSV) formatted files. This type of data ends up looking pretty ugly in the comments section of a bookmark. The bookmarks are really just for the purpose of documenting the files that got parsed.



You may notice in the output folder that there is a big ugly number tagged onto the name. If you did, then I applaud your observation skills! If not, work on those…

This is the MD5 hash of the file that was parsed. The idea with this EnScript is that you can just point and shoot. You can load up 20 Windows phones (have they sold this many?) into the same case and let the EnScript do the work to locate, export, and kick off the parsing for every one of them. The MD5 ensures a unique filename so they don’t overwrite each other, and it allows you to track it back to the source file.
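The locate, export, hash-name and dispatch flow described above can be written down outside EnCase as well. The block below is an added example in Python, not the EnScript from the post: it walks every entry, skips folders even when their name matches (the check the post describes on line 58), matches the two target names, derives the output name from the source file's MD5 so that twenty phones in one case never collide and every output can be traced back to its source, and builds the parser command for each file. The evidence tree is constructed for the example, and the parser script names and the store.vol/phone mapping in PARSERS are assumptions, not Adrian Leong's actual file names.

```python
"""Point-and-shoot export of Windows Phone 8 artifact files with hash-derived names.

Added example, not the EnScript from the post (EnScript only runs inside EnCase).
Case entries are modelled as a mapping of path -> bytes (None for a folder); the
tree below is constructed, and the script names in PARSERS are assumptions.
"""
import hashlib
import ntpath
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Optional

# Artifact file -> parser scripts that expect it (assumed names and mapping).
PARSERS: Dict[str, List[str]] = {
    "store.vol": ["wp8_sms.py", "wp8_contacts.py"],
    "phone": ["wp8_callhistory.py"],
}

# Constructed stand-in for the case: two phones, one of which has a *folder*
# named phone that must be skipped, exactly as the EnScript does on line 58.
EVIDENCE: Dict[str, Optional[bytes]] = {
    r"Phone1\Data\Unistore\store.vol": b"abc",
    r"Phone1\Data\UserData\phone": b"hello",
    r"Phone2\Data\Unistore\store.vol": b"",
    r"Phone2\Data\UserData\phone": None,
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def basename(path: str) -> str:
    """Last component of an EnCase-style path, whichever separator it uses."""
    return re.split(r"[\\/]", path.rstrip("\\/"))[-1]


def output_name(name: str, data: bytes) -> str:
    """<name>_<md5>: unique across phones and traceable back to the source bytes."""
    return f"{name}_{md5_hex(data)}"


def plan_exports(entries: Dict[str, Optional[bytes]], out_dir: str,
                 python_exe: str = r"C:\Python27\python.exe",
                 script_dir: str = r"C:\Python27") -> List[dict]:
    """One plan per target file: where it came from, where it goes, what to run."""
    plans = []
    for path, data in entries.items():
        if data is None:                     # folder entry, even if its name matches
            continue
        name = basename(path)
        scripts = PARSERS.get(name.lower())
        if scripts is None:                  # not one of the files we parse
            continue
        dest = os.path.join(out_dir, output_name(name, data))
        plans.append({
            "source": path,
            "md5": md5_hex(data),
            "dest": dest,
            "commands": [[python_exe, ntpath.join(script_dir, s), dest] for s in scripts],
        })
    return plans


def export_and_run(entries: Dict[str, Optional[bytes]], out_dir: str,
                   run_parsers: bool = False, **kw) -> List[dict]:
    """Write the exports; optionally run the parsers (off by default, so it works offline)."""
    plans = plan_exports(entries, out_dir, **kw)
    for plan in plans:
        with open(plan["dest"], "wb") as fh:
            fh.write(entries[plan["source"]])
        if run_parsers:
            for cmd in plan["commands"]:
                subprocess.run(cmd, check=True)
    return plans


if __name__ == "__main__":
    out = tempfile.mkdtemp(prefix="wp8_")
    for p in export_and_run(EVIDENCE, out):
        print(p["source"], "->", p["dest"])
        for cmd in p["commands"]:
            print("   ", " ".join(cmd))
```

Keeping the MD5 in the filename rather than in a side table is deliberate: the exported file and its name are the only things that travel to the parser, so the provenance survives even if the bookmarks or the case file do not.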



Now it’s Time to Say Goodbye…


I hope that these Python scripts help you in your DFIR travels, should you run across a Windows 8 phone. I know they helped us (Thanks Adrian!). Perhaps this EnScript will help save you some time in not having to dig into the evidence file to find these data files. Work smart and let your tools do some of the work for you. This is what EnScript is designed to do.

Sorry I don’t have a sample evidence file for you, but perhaps someone out there has one to share? I welcome discussion in the Comments section below.

I teach techniques like this and more in our EnScript course. Come join me in one of our facilities, or bring me to your location. The more exotic the location, the better the price!*

Get the Python scripts here.
Get the EnScript here.

James Habben
@JamesHabben

* Sadly, I actually have no control over price

Underestimate the Power of EnCase® and Volatile Data You Must Not

Jamey Tubbs

BOTs, BOTs, BOTs

While investigating a recent Java BOT I found some items that you might also find helpful in your battle against the dark side. (Yes, I will continue to make Star Wars quotes and puns throughout this blog). I enjoyed the investigation so much that I added it to one of our class lessons in the Host Intrusion Methodology and Investigations course at Guidance Software.

I could not have completed this task without the help of James Habben, a great friend of mine and fellow instructor at Guidance Software. When I use the word “I” in this blog, sometimes it is the royal “I,” meaning “we.” Thanks, James.

The first thing I did was take a snapshot of the volatile data using EnCase Version 7, and I saw that port 1000 was being held open by javaw.exe.

A little Google search turned up the following: “javaw.exe belongs to Java from Sun Microsystems, Inc. The javaw.exe command is identical to java.exe, except that with javaw.exe there is no associated console window.” This would be perfect for malware attempting to spawn a Java process without displaying a console window while doing so.


Prior to examining the RAM, a quick “wookie” (Wiki) search tells us a little more about the way Java works. Java executable files come in the form of .jar files (http://en.wikipedia.org/wiki/JAR_%28file_format%29): “An executable Java program can be packaged in a JAR file, along with any libraries the program uses. JAR files are fundamental archive files, built on the ZIP file format and have the .jar file extension.”

So we ask ourselves, “What is the next step?” {Yoda voice} Truly wonderful, the mind of the RAM is…

A look at the process memory is warranted. I decided a simple search of the javaw.exe process memory for the .jar filename was a long shot, but who knows? As seen in the image below, you can view the name of the .jar file along with the path to the file (Server_1392852684035.jar).



This is all fine and good, but it does not help me track down the command-and-control server in charge of my little bot. Where then do we start to find that little nugget of information? Let’s look in the Server_1392852684035.jar file.

If you remember from my earlier quote of the “Wookie”-pedia, .jar files use the .zip file format, so we can use WinRAR or WinZip to unzip it, as seen in the image below.


As you can also see, there is a config.txt file inside, which is where we would expect to find our configuration information for the Death Star inside R2-D2… Sorry, I mean the configuration information for the BOT inside the .jar file. (I made a pun about a robot when talking about a BOT, get it?)

I went back to the process memory and searched for the Server_1392852684035.jar file and found something else very interesting. As you can see in the image below, just above the Server_1392852684035.jar file name there is a string of Unicode characters that looked a little strange to me.


Sure enough, it was 960 bytes long, and that also struck a chord. Let’s take a look at the contents of the config.txt file. As you can see, the 960 bytes of UTF-16 text in RAM (Java keeps String contents as two bytes per character) are the same as the 480 bytes of the config.txt file represented in ASCII.



What would you do at this point? Just before the contents of the config file in RAM is the text “AES/ECB/PKCS5Padding,” highlighted in yellow. I knew AES was the acronym for Advanced Encryption Standard and that this might help in some small way, so I asked my friend Google what AES/ECB/PKCS5Padding was.

I found the following in the very first hit, entitled Cipher (Java Platform SE 7) - Oracle Documentation: Every implementation of the Java platform is required to support the following standard Cipher transformations with the key sizes in parentheses:
  • AES/CBC/NoPadding (128)
  • AES/CBC/PKCS5Padding (128)
  • AES/ECB/NoPadding (128)
  • AES/ECB/PKCS5Padding (128)
  • DES/CBC/NoPadding (56)
  • DES/CBC/PKCS5Padding (56)
  • DES/ECB/NoPadding (56)
  • DES/ECB/PKCS5Padding (56)
  • DESede/CBC/NoPadding (168)
  • DESede/CBC/PKCS5Padding (168)
  • DESede/ECB/NoPadding (168)
  • DESede/ECB/PKCS5Padding (168)
  • RSA/ECB/PKCS1Padding (1024, 2048)
  • RSA/ECB/OAEPWithSHA-1AndMGF1Padding (1024, 2048)
  • RSA/ECB/OAEPWithSHA-256AndMGF1Padding (1024, 2048)
I highlighted the text above in yellow—that was really helpful to me. I was dealing with 128-bit AES encryption. I now knew I was looking for a 16-byte string of characters to use as the key. 1 byte = 8 bits, so 128 bits divided by 8 = 16 bytes. (I bet Darth Vader wished he had encrypted the Death Star plans much better.)

So, going back to look one more time at the image showing the contents of the config.txt file in RAM, you will see a 16-byte key just in front of the 960 UTF-16 bytes that were loaded into the process memory from the config.txt file. What would the chances be that those 16 bytes (highlighted in orange in the image), “15af8sd4s1c5s511”, would be the key to unlocking the config.txt?

As it turned out, when I decrypted the file with the key the contents were still unreadable and I lost a little hope. Did I do something wrong? Was it the correct key? What was going on? (If you’re thinking I’m going to make a Star Wars pun quoting General Tarkin, “Evacuate in our moment of triumph? I think you overestimate their chances,” then you would be wrong and, as Darth Vader would say, “I find your lack of faith disturbing.”)

As it happens, I discovered that it was doubly encrypted with a second 16-byte key, which I also found in RAM and simply put into the decryption engine I built in Cryptool 2.0. I found that the IP address of the command-and-control server was 172.21.12.121 with a password of 1234, and that it used ports 1000 and 1001 to send and receive data.
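The memory work above can be scripted. The block below is an added example with a constructed memory buffer, not code from the post or from the bot: it carves the three clues the post found in javaw.exe memory (the Java cipher transformation string, the 16-byte ASCII key sitting next to it, and the UTF-16 copy of config.txt, twice the size of the file because Java stores String contents two bytes per character) and handles PKCS5 padding. The buffer's layout follows the screenshots, the key is the one quoted in the post, and the config text is made up. One caveat the post glosses over: the transformation string names algorithm, mode and padding but not the key length, because Java takes the key size from the SecretKeySpec it is handed, so the 128-bit conclusion is confirmed only once a 16-byte key is actually found. The decryption step needs an AES implementation; `aes_ecb_decrypt` uses the `cryptography` package when it is installed (CrypTool did that job in the post), and `peel_layers` applies the keys in the order given, since the post does not say which key is the outer layer: a padding error from one order means you try the other.

```python
"""Carve cipher clues from a javaw.exe memory dump and unwrap the layers.

Added example with a constructed memory buffer; not code from the post or the bot.
"""
import re
from typing import List, Tuple

try:                                    # optional: only needed for the decryption step
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
except ImportError:                     # pragma: no cover
    Cipher = None

TRANSFORMATION = b"AES/ECB/PKCS5Padding"
BLOCK = 16                              # AES block size; also the AES-128 key length

# --- constructed memory image (layout as in the post's screenshots) ---------
KEY = b"15af8sd4s1c5s511"               # the 16 printable bytes the post found
CONFIG_TEXT = "0123456789abcdef" * 3    # made-up stand-in for config.txt contents
MEM = (
    b"\x00" * 16
    + b"java/lang/String\x00"
    + TRANSFORMATION + b"\x00" * 6
    + KEY + b"\x00" * 4                                # byte[] key: stored as ASCII
    + CONFIG_TEXT.encode("utf-16-le") + b"\x00" * 8    # String: two bytes per char
    + b"Server_1392852684035.jar\x00"
)


def find_transformations(mem: bytes) -> List[Tuple[int, int]]:
    """(offset, byte width) of each ASCII or UTF-16LE copy of the transformation."""
    hits = [(m.start(), len(TRANSFORMATION))
            for m in re.finditer(re.escape(TRANSFORMATION), mem)]
    wide = TRANSFORMATION.decode().encode("utf-16-le")
    hits += [(m.start(), len(wide)) for m in re.finditer(re.escape(wide), mem)]
    return sorted(hits)


def printable_runs(mem: bytes, min_len: int) -> List[Tuple[int, bytes]]:
    """ASCII runs of at least min_len printable bytes, like strings(1)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pat, mem)]


def utf16le_runs(mem: bytes, min_chars: int) -> List[Tuple[int, str]]:
    """UTF-16LE runs of printable ASCII, which is how Java String contents sit in RAM."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [(m.start(), m.group().decode("utf-16-le")) for m in re.finditer(pat, mem)]


def key_candidates(mem: bytes, window: int = 256) -> List[bytes]:
    """Exactly-16-byte printable runs shortly after a transformation string."""
    found = []
    for off, width in find_transformations(mem):
        region = mem[off + width: off + width + window]
        found += [run for _, run in printable_runs(region, BLOCK) if len(run) == BLOCK]
    return found


def pkcs5_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK       # always 1..16, so padding is never empty
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS5 padding (wrong key, wrong order or not the last layer)")
    return data[:-n]


def is_pkcs5_padded(data: bytes) -> bool:
    try:
        pkcs5_unpad(data)
        return True
    except ValueError:
        return False


def aes_ecb_decrypt(ct: bytes, key: bytes) -> bytes:
    """Inverse of Java's AES/ECB/PKCS5Padding for one layer."""
    if Cipher is None:
        raise RuntimeError("install the 'cryptography' package for this step")
    if len(key) != BLOCK or len(ct) == 0 or len(ct) % BLOCK:
        raise ValueError("AES-128-ECB needs a 16-byte key and block-aligned input")
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    return pkcs5_unpad(dec.update(ct) + dec.finalize())


def peel_layers(ct: bytes, keys: List[bytes]) -> bytes:
    """Apply the keys outermost first; a padding error means the order or a key is wrong."""
    for key in keys:
        ct = aes_ecb_decrypt(ct, key)
    return ct


if __name__ == "__main__":
    print("transformations:", find_transformations(MEM))
    print("key candidates :", key_candidates(MEM))
    for off, text in utf16le_runs(MEM, 20):
        print(f"UTF-16 string at 0x{off:x}: {len(text)} chars = {2 * len(text)} bytes in RAM")
```

On a real dump, run `key_candidates` and `utf16le_runs` over the javaw.exe process memory you exported from EnCase; the candidate list is short enough to try every key and order by hand, and `peel_layers` raises on the padding check rather than returning garbage, which is how you tell a wrong key from a second layer.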

We go into more detail in our class called Host Intrusion Methodology and Investigation on this exact bot and the decryption methodology used in this blog post.


My decryption engine built in Cryptool 2.0 is shown in the image below. In one of the best quotes of Star Wars Episode IV - A New Hope, coming from an intercom in the Death Star control room: “Stand by…… stand by….” Here is the decryption model in Cryptool 2.0:


To sum up, I’d like to say that when dealing with malware, volatile data is an absolute must. Imagine that we had not obtained the volatile data… Where would we have started? Of course, when someone lays it out like this--play by the numbers--everything seems just a bit easier.

Comments? Ideas? I welcome your input in the comments section below.

Jamey Tubbs is a Director of Professional Development and Training at Guidance Software. He previously served as a CID Special Agent in the U.S. Army Criminal Investigation Command.

Forensic Focus Review: Guidance Software EnCase Training Computer Forensics I Course in Slough, U.K.

Scar de Courcier

During the first week of December 2014, Guidance Software ran a computer forensics training course at its Slough offices in the UK, with the aim of helping forensic practitioners to understand and use EnCase as part of their investigations. 

Background

The course was developed by Guidance Software with a view to introducing new digital forensics practitioners to the field. The students are usually new IT security professionals, law enforcement agents and forensic investigators, and many have minimal training in computing. Computer Forensics I is available both in person at one of Guidance Software's training centres, or online via their OnDemand solution, which provides live remote classes for students around the world.

Course Structure

Upon arriving at the venue, I received a course manual which covered the subjects we would be studying. This proved useful throughout the week as it contained all of the slides the instructors were using in their presentations, as well as some extra information about each element of the course. The manual made it easy to keep up with the pace of the lessons and was particularly helpful during some of the practical exercises. There were step-by-step instructions on how to use EnCase throughout an investigation, which proved useful during the course itself but would also be valuable to anyone who is using EnCase in their day-to-day work. 

The training began quite early every day, with students in the building by 8am. Two trainers, Bill Thompson and Carl Purser, split the delivery between themselves with Bill training for the majority of the first couple of days and Carl taking more lessons towards the end of the week. Everyone in the class was introduced to each other and there was time in between lessons to speak to other students and learn about their professions. This, coupled with the anecdotes and laid-back training style of both the instructors, made the course particularly enjoyable. 

Our first few lessons covered the basics of forensic methodology and case creation, including how to store case files in an accurate and useful manner, how to provide continuity in order to demonstrate where evidence has been located at all times, and what to do when things go wrong. The course also covered some of the legalities surrounding forensic examination, including how to ensure that you are legally allowed to perform a search & seizure, and how to document a crime scene upon arrival. 

There was a strong focus on safety, with a section dedicated to ensuring the security of the forensic examiner, something that is not always touched upon during training and talks about digital forensics. This was particularly helpful to new practitioners in the field as it gave an idea of the kinds of things investigators should be looking out for, and how to avoid ending up in compromising situations. The instructors included some examples from their own cases and those of their colleagues, which helped to bring their lectures to life and demonstrate how the things we were learning could be applied in the real world. 

Once the basics of forensic investigation had been covered, we moved on to navigating EnCase itself. An especially useful part of this lesson was the explanations given by the instructors about why certain features had been added. They took care to explain not only the function of each option but its background; when it had been added, and how some features differed from previous versions of EnCase. This allowed the students to see how EnCase is constantly being improved and updated, and made it easier to remember to perform certain tasks which might otherwise have been overlooked. 

Certain parts of EnCase were revisited again and again, which solidified them in our memories and meant that by the end of the week some things, such as checking the 'Dixon box' to ensure that no extra elements had been selected, or 'set including' within a particular folder to show all entries, files and subfolders, became almost second nature before continuing with our investigations. 

Some time was set aside to discuss the manifold places from which digital evidence can nowadays be gleaned, with examples including a video camera housed inside a child's doll. This served to underline the importance of checking a scene thoroughly, and of knowing how to use several different tools to examine evidence from a wide variety of sources. 

We delved into creating digital evidence files from thumb drives, including how to use different methods of encryption and how these are incorporated into EnCase itself. After this we spent some time discussing binary and hexadecimal, going over the ways in which data are stored and doing some translation exercises to get us used to working with binary and hex. 

The course then included some information on how computers are put together in terms of hardware, which was an interesting element and one that is not always included when discussing digital forensics. This was helpful as it gave students an idea of what is physically going on behind the scenes while an investigator is collecting evidence and analysing data. 

A description of file structures followed, along with examples of how the same evidence is stored on different systems, and how all of these can be examined using EnCase. Throughout the course we worked on two main example cases, which was helpful as it meant we could cross-check evidence easily and compare how the same file looked when using different methods to examine it. 

The bookmarking options in EnCase were explained at length, which helped us to understand how these feed into the reports which are automatically generated at the end of an examination. 

We then spent the majority of a day discussing keyword analysis and search queries, including how to ensure that the correct search terms are being used and how to cross-reference keywords from different evidence sources. Again, the textbook proved to be very helpful here, as its step-by-step instructions demonstrated exactly how to create the necessary searches and included screenshots of EnCase itself with arrows illustrating which items to include and in which order. We spent some time going over how to write search terms effectively to bring back the most relevant results, and the specific syntax of EnCase's own searching structure. 

Hash analysis, which is of course one of the backbones of digital forensic investigations, was covered towards the end of the week, once all the basics had been explained. This meant that by the time we started looking at creating hash sets and managing hash libraries, we already had a solid understanding of both EnCase and the evidence sources being examined. 

The final part of the course involved a more thorough look at EnCase's reporting capabilities, followed by a lesson on backing up and restoring cases where necessary. The course concluded with a final practical exercise using the cases we had been introduced to earlier in the week. This allowed the students to apply the knowledge gained during the course to a simulated scenario and helped to solidify our knowledge of how to use EnCase in a digital investigation. 

Evaluation

The course moved at a good pace, with the instructors taking time to explain things where necessary but not dwelling for too long on individual elements of EnCase. Both Bill and Carl were very patient with all the students, taking the time to ensure that everyone was keeping up, and helping those who fell behind from time to time. 

At the end of each section there was time for questions, and both of the instructors made themselves available during lunchtimes and at the end of the day for anyone who wanted to ask extra questions or go over what they had learned. 

Whilst the course itself was focused on using EnCase, the instructors also described how to include certain other tools as part of an investigation, and there were several free resources provided for students to take away with them once the course had ended. These included a LinEn disk, which contained the Linux version of the EnCase acquisition tool; some instructional documents concerning EnCase itself and digital forensics investigations in general; and some research papers in the digital forensics and computer security fields. 

Overall, my experience with the EnCase Computer Forensics I training was very positive. I left at the end of the week feeling confident that I could use EnCase effectively during my own investigations, and also with a renewed interest in and understanding of digital systems and their use in criminal investigations.

Learn more about training courses available from Guidance Software here.

Top 6 Reasons to Use EnCase and IEF Together

Jamie McQuaid, Magnet Forensics

As a forensic examiner, you rely on a variety of tools to conduct your investigations. The types and needs of every case vary, often making it necessary to use more than one tool to find what you’re looking for. Depending on the scenario, investigators need to use the tools that will enable them to work through cases thoroughly and efficiently.

A lot of investigators are using EnCase®, by Guidance Software, as their primary forensic suite. EnCase is a great tool because it’s versatile and can recover data in almost any type of investigation you are working with. Whether it’s a network intrusion, malware outbreak, missing persons, child exploitation, or IP theft case, EnCase enables investigators to examine many types of computers and media.

Internet Evidence Finder (IEF) has become a valuable tool for cases involving the analysis of Internet evidence and/or large volumes of data. IEF is specifically developed to intelligently recover Internet related artifacts from Windows, Mac, Linux, iOS, and Android devices, allowing investigators to analyze large amounts of case data quickly and efficiently.

EnCase and IEF are both excellent tools to have in your toolkit. One of the major challenges faced by forensic investigators is knowing where to begin an investigation. Using EnCase and IEF together allows you to maximize the benefits of both tools: the versatility of EnCase and the simplicity, speed and comprehensiveness of IEF.

Here are the top six reasons to use EnCase and IEF together to get the best results for your investigations:

1) Start Your Digital Forensics Investigation with a Comprehensive Set of Evidence

IEF automates the recovery of data from hundreds of the most commonly used and evidence-rich applications, quickly providing you with a bird’s-eye view of a suspect’s activity on a system. With EnCase, investigators can target their searches and zero-in on specific areas of interest. Combining your IEF search with the processing tasks of EnCase will provide you with the most comprehensive data set of evidence to start your analysis.

Here’s a popular workflow used by many EnCase and IEF users:
  • Obtain your image
  • Run an IEF search to uncover commonly used artifacts and evidence
  • Load that data into EnCase to conduct a more granular search while validating IEF’s results
  • Export or report results in different formats from either tool.

2) Analyze Results from Both Tools Together

EnCase allows investigators to search and sort many different types of data using multiple views (i.e. Hex, text, files and folders, or native viewers). We have created several EnScripts® that allow investigators to seamlessly run IEF from within EnCase, or load the results from an IEF search directly into EnCase. In doing so, you can take advantage of the strengths of both tools to maximize the collection of your evidence.

3) Recover Evidence from New and Updated Applications

Applications are constantly emerging and changing. Each new system or app update has the potential to completely change an investigator’s workflow and his or her ability to recover the right evidence. Support for favorite forensic tools is crucial in being able to stay on top of the most recent updates.

IEF stays on top of these changes with frequent software updates so that you aren’t missing out on valuable evidence. Having a dedicated team to seek out the most popular apps and maintain support for them is essential to many investigations, especially those involving mobile devices and applications. With EnCase, there is a ton of support that comes from their community of users. Since EnScripts can be created by anyone, EnCase users are often able to develop new scripts to support changes in applications and share them with other users.

With the help of both IEF and EnCase, investigators can make sure they stay on top of new and updated applications.

4) Share Evidence Easily and Collaborate with Case Stakeholders

Both IEF and EnCase provide investigators with reporting flexibility, offering various exporting formats to accommodate different reporting requirements and processes defined by your organization. Whether you’re looking for a full HTML report, or a simple CSV file for additional analysis, both tools allow you to export in various formats, meaning you can easily integrate your data sets.

Since IEF and EnCase are well integrated with various EnScript options, you can choose to export your data from whichever tool or format you prefer. They both also support collaborative work using portable cases that can be shared among investigators, analysts or other stakeholders. This allows others to add their own bookmarks, tags, or comments to a case and then pass that information back and forth throughout an investigation.

5) Visualize Evidence to See the Whole Story

Visual representations of evidence often tell the most compelling story. EnCase has many viewing options, while IEF allows you to visualize much of the data it finds by using timelines, geolocation mapping, and even chat message threading.

With EnCase, investigators can view search results in Hex, text, files and folders, or native viewer formats to identify potential evidence quickly. The various viewing options make it easy for investigators to review results in the format that makes the most sense for them and their case.

IEF offers a number of visualization tools that allow investigators to analyze and present their evidence in a visually compelling format. Timelines enable investigators to map out a suspect’s activity over a period of time. Showing the activities of a user before and after an incident, investigators can often demonstrate a suspect’s state of mind or intent. Other IEF visualization tools include World Map, which plots recovered GPS or geolocation data on a map, and Chat Threading, which allows investigators to view chat conversation in a format similar to how the suspect or victim would have viewed the conversation on their mobile device.

IEF and EnCase both have excellent viewing and visualization tools available to assist investigators. In using these tools together, investigators will get the best of both worlds when it comes to reviewing recovered data.

6) Understand a Suspect’s Activity across Multiple Devices

Modern forensic investigations will often include multiple PCs and mobile devices. The traditional process of analyzing a PC and mobile device separately no longer works. Analyzing evidence separately breaks up the user’s activity, which can be very difficult when trying to piece together a timeline of events. For example, when analyzing a suspect’s browser activity, it shouldn’t matter whether they browsed using their PC or mobile device. Combining IEF’s mobile analysis capabilities with your traditional PC analysis in EnCase will allow you to see the best of both worlds.

If the evidence is analyzed together, investigators will save time and have a more holistic view into a suspect’s activity. The primary goal of your investigation should focus on the suspect’s actions, not their devices.

Caseloads for examiners are growing far beyond anything manageable with manual tools and traditional forensic processes. Investigators must find a way to maximize their time and energy by accelerating their investigations without compromising on quality. Finding ways to work smarter, not harder, is essential to keep up with the increasing workload. Tools like IEF and EnCase allow investigators to maximize their analysis time and minimize time spent on repetitive tasks.

Please comment below or let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Firefox Cache2 Storage Breakdown

Mozilla introduced a new storage format, cache2, for the Firefox browser in version 27. It was off by default until version 32, when it was enabled. Mozilla states that cache2 is more efficient and speeds up the browser.

Here is a good write-up about the previous version of cache in case you encounter it. Pretty much every forensic tool supports it—which brings me to my next point.

Discovery

My colleague Carl Purser is the one who told me about this new version. He showed me the new files and such, and then we wondered together about what tools support the new version. I sent out a tweet, but only got crickets in response.


This got me curious about the structure, so I grabbed a copy of the latest Firefox source code and got to gettin’.

 

There are two types of files in the cache. A file called "index" is exactly that: it holds a record for each of the files tracked in the cache2 folder. The other type is the cached file itself, which is named with the SHA-1 hash of the file's URL. The meat is in the cache files, but let's get the index file out of the way first.

Index File

The index file starts off with a 12-byte header.



Currently the version is 1. If this value changes, it will be time to research again. You will likely find the dirty flag on since DFIR best practices still say to ‘pull the plug.’ It’s OK. I haven’t noticed anything significant from it. The Last modified can be interpreted easily by DCode.


The records are fairly simple and start immediately after the header.


Forensically, there isn’t a whole lot to see here, but the work is done and it makes sense to share. Perhaps someone else can spot something important.

Cache Files

The cache files start as the files that come over the wire. After the end of the original content, Firefox stores a bunch of metadata from the web server. To locate the metadata you have to read the last four bytes of the file as a Big Endian integer; that value is the offset at which the metadata starts.


At this location, we have more math to do. It starts with a 4 byte hash of the file content. Then there are hashes applied to the cache file content in chunks of 262,144 bytes. For each chunk of the file, there’s a two-byte portion of a hash value. The file I’m using here is 193,903 bytes.

193,903 / 262,144 = 0.739681243896484375

The last chunk will always be a value less than 262,144. If there is any remainder from the division, then round up. This file is under the chunk size, so we just round up to having one chunk. This means we skip 6 bytes (4 hash, 2 chunk hash).


Now we’re at the meat of the metadata. If you haven’t caught on yet, these numbers are all stored in Big Endian. It is referred to as network byte order in the code.



At the end of the URI is a NULL byte 0x00. Following the NULL byte are attributes in NULL terminated name value pairs. Here is an attribute named ‘security-info’ followed by a NULL byte. The value of this attribute is Base64-encoded and contains information about the HTTPS stream that was used to fetch this file.


There is no length property so you just go until you find the NULL byte. The next attribute is named ‘request-method’ with GET as the value.


Then there is a 'response-head' name, followed by the HTTP response data sent from the server as its value.



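The walk through the trailer above, turned into a parser, as an added example (this is not the code from the GitHub project mentioned below, nor Firefox's own). It assumes, beyond what the post states, that the fixed metadata header preceding the URI is the version-1 layout of seven big-endian uint32 fields (version, fetch count, last fetched, last modified, frecency, expiration time, key size), and that a 'response-head' carrying "Content-Encoding: gzip" means the stored body is gzip-compressed, as the decompression step in the Automated Tools section describes. The sample file is constructed inline with zeroed hash bytes; the parser only skips over the hashes, so that does not affect the result.

```python
"""Minimal parser for a Firefox cache2 entry file (added example).

Assumptions beyond the post: the 28-byte version-1 metadata header layout
(seven big-endian uint32 fields), and that a 'response-head' containing
'Content-Encoding: gzip' means the stored body is gzip-compressed."""
import gzip
import struct
import zlib
from typing import Dict

CHUNK_SIZE = 262_144      # cached content is hashed in chunks of this size
CONTENT_HASH_LEN = 4      # a 4-byte hash of the whole content comes first
CHUNK_HASH_LEN = 2        # followed by a 2-byte hash per chunk

# Assumed version-1 header (the page's figure is missing): big-endian uint32s.
HEADER_FIELDS = ("version", "fetch_count", "last_fetched", "last_modified",
                 "frecency", "expiration_time", "key_size")
HEADER = struct.Struct(">7I")


def chunk_count(content_len: int) -> int:
    """Chunks covering the content; a partial last chunk still counts as one."""
    return (content_len + CHUNK_SIZE - 1) // CHUNK_SIZE


def read_cstring(data: bytes, pos: int, limit: int):
    """Return (text, position after the NUL); the NUL must lie before limit."""
    end = data.index(b"\x00", pos, limit)     # ValueError if unterminated
    return data[pos:end].decode("utf-8", "replace"), end + 1


def parse_cache2_file(data: bytes) -> Dict[str, object]:
    # The last four bytes (big-endian) give the offset of the metadata,
    # which is also the length of the content that came over the wire.
    meta_offset = struct.unpack(">I", data[-4:])[0]
    limit = len(data) - 4
    if meta_offset > limit:
        raise ValueError("metadata offset points past the end of the file")
    content = data[:meta_offset]

    # Skip the content hash and the per-chunk hashes (chunk count rounded up).
    pos = meta_offset + CONTENT_HASH_LEN + CHUNK_HASH_LEN * chunk_count(len(content))

    header = dict(zip(HEADER_FIELDS, HEADER.unpack_from(data, pos)))
    pos += HEADER.size

    # The key (URI) is NUL-terminated; NUL-terminated name/value pairs then
    # run up to the trailing offset field.
    key, pos = read_cstring(data, pos, limit)
    attributes = {}
    while pos < limit:
        name, pos = read_cstring(data, pos, limit)
        value, pos = read_cstring(data, pos, limit)
        attributes[name] = value

    # Bodies transferred with gzip are stored compressed; undo that here.
    body = content
    if "content-encoding: gzip" in attributes.get("response-head", "").lower():
        body = zlib.decompress(content, 16 + zlib.MAX_WBITS)

    return {"key": key, "header": header, "attributes": attributes,
            "content": content, "body": body}


def build_sample(body: bytes, key: bytes, attrs) -> bytes:
    """Construct a cache2-shaped file for testing. Hash bytes are zero
    placeholders; a real file holds computed hashes, which the parser skips."""
    parts = [body,
             b"\x00" * CONTENT_HASH_LEN,
             b"\x00" * (CHUNK_HASH_LEN * chunk_count(len(body))),
             HEADER.pack(1, 1, 1410000000, 1410000000, 100, 0, len(key)),
             key + b"\x00"]
    for name, value in attrs:
        parts += [name, b"\x00", value, b"\x00"]
    parts.append(struct.pack(">I", len(body)))    # trailer: metadata offset
    return b"".join(parts)


# Constructed sample: a small gzip-compressed HTML body fetched with GET.
SAMPLE = build_sample(
    gzip.compress(b"<html>hello cache2</html>"),
    b"https://example.com/index.html",
    [(b"request-method", b"GET"),
     (b"response-head", b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n")])

if __name__ == "__main__":
    entry = parse_cache2_file(SAMPLE)
    print(entry["key"], entry["attributes"]["request-method"], entry["body"])
```

On a real cache2 entry, replace SAMPLE with the bytes of a file from the cache2/entries folder; the key string then includes the short prefix Firefox places before the URL, and the hash bytes are real values rather than zeros. A file whose header version is not 1 should be treated as unparsed rather than trusted, since the header layout is the assumption this example rests on.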
Automated Tools
Finally, to follow the EnCase forensic training methodology, here is the customary "easy way" after digging into the details of the data. It's a personal goal of mine to start learning Python, so this worked out to be a nice, simple project to get a start. I posted the code on GitHub to share with the community. (https://github.com/JamesHabben/FirefoxCache2)

Simon Key (https://twitter.com/simondckey) wrote an EnCase Evidence Processor plugin in EnScript. This will create a LEF to contain parsed data from the cache files. It doesn’t go after the index file because it doesn’t contain enough data on its own and doesn’t really add much beyond the metadata inside the cache files.



The results of the Module are added in the Records tab. There you will find the files stripped of the added cache2 metadata, and also decompressed if they were transferred in gzip compression.


 All of this will be added to our Advanced Internet Examinations course shortly, along with a grip of other new material. Check back soon to see the updated syllabus, or follow me on Twitter for updates as they come out.

You can find the Evidence Processor Module in the EnCase App Central store here.

Commercial Tools

So far, there are three commercial tools that I know of that support this cache2 structure. I have listed them on my GitHub page and I will keep that list up to date as I am told about more tools supporting the format. Here is the list as of now:

Company / Tool
Digital Detective
Foxton Software
NirSoft
If you know of other tools, please reach out to me and I am happy to update the list, and drop a comment below if you have any thoughts about what I’ve covered here.
James Habben

Using EnCase with the Latest Release of Belkasoft Evidence Center

Yuri Gubanov, Belkasoft

Belkasoft has just updated its digital forensics suite, Belkasoft Evidence Center, making the tool a true, all-in-one forensic solution. When seamlessly integrated with EnCase, the two tools can cover nearly every digital forensic need. Belkasoft Evidence Center helps you jump-start investigations by automatically discovering evidence gathered from many different sources.

In its biggest update in two years, Belkasoft has done more than learn a few new tricks. It now extracts and analyzes evidence from pretty much any data source you can imagine. Hard drives and drive images with Windows, Linux, Ubuntu, and many other operating systems; smartphone backups in all popular formats; UFED images and chip-off dumps; live memory dumps; and many virtual machines can be scanned for available evidence. This major update turns Belkasoft Evidence Center into a true, all-in-one digital forensic tool.

We added several new modules to bring about these changes.


Evidence Discovery Module

The newly added File System module allows reading the complete file system of a device, dump, drive or memory image, mobile phone or tablet. This new module displays data stored in all volumes and partitions, files and folders, including special files and folders such as $OrphanFiles, $Log, $BadClus etc.

The File System module supports a wide range of file systems used in Windows, Linux (including Linux forks such as Android and Ubuntu), Mac OS X and iOS.

Custom Scripting Engine

Small things can create a great usage experience – or totally ruin it. A simple, routine operation repeated a hundred times every day can quickly make using even the best tool a nightmare.

In this release, Belkasoft Evidence Center addresses this issue by allowing its users to automate routine operations, or just about any other task. The newly introduced custom scripting engine uses a C#-like programming language, making the tool extensible with Belkasoft and third-party modules.

The new scripting engine makes creating add-on modules easy. Users can write their own modules to add product features and extend its functionality. These modules are seamlessly integrated into the user interface and enjoy access to raw data and extracted evidence. By assigning a dedicated hot key or toolbar button to a new module, users can automate repeat operations.

Belkasoft offers a bunch of ready-made scripts along with their full source codes in simplified C#. To give an example, one of the sample scripts implements custom carving using a pre-defined signature. The new scripting mechanism makes it easy to share and exchange custom scripts.

More Enhancements

What else is new in Belkasoft Evidence Center 7.0? Major improvements to Live RAM analysis enable convenient extraction and analysis of running processes. The newly added Hex Viewer enables binary analysis of any file on the disk, disk image, process or a memory dump.

Belkasoft Evidence Center continues delivering extensive acquisition and analytic support out of the box, discovering evidence in many popular formats such as email, documents, mobile apps, SQLite databases, registry and system files, Internet chats and social networks, pictures, videos and many more. The number of supported evidence types in Belkasoft Evidence Center 7.0 exceeded 500.

Improved EnCase Integration

Leveraging the scripting capability, Belkasoft Evidence Center is seamlessly integrated with Guidance Software EnCase. Working together, the two products can cover every digital forensic need. With Belkasoft Evidence Center, users can jump-start their investigations by automatically discovering evidence gathered from the many different sources. Analyzing collected data in EnCase Forensic delivers powerful and comprehensive crime-solving abilities.


EnCase App Central Partner of the Month

The improvements in Belkasoft Evidence Center have earned the company the EnCase® App Central Partner of the Month honor for the second time since the store opened nearly two years ago. With investigations involving social media exploding in volume, a tool like Belkasoft Evidence Center is critical to finding potential evidence not only for law enforcement, but also for corporate IT for security, e-discovery collections, and cases involving human resources policy violations.

For a free 30-day trial of Belkasoft Evidence Center, please visit http://belkasoft.com/get. And for a demonstration of the tool, don't miss our upcoming webinar featuring Belkasoft's own Yuri Gubanov and Oleg Afonin on March 18th, 2015.


Yuri Gubanov is the founder and CEO of Belkasoft. 

Originally published in Forensic magazine.

EnScript and .NET: Debugging in Visual Studio

I have been working on a few projects lately using C# and integrating it with EnScript code, and of course I run into problems in my code. Sometimes the problem is in the EnScript code, but other times it is in the C# code. To be honest, it is more often in the C# code, since I have spent less time in that language than in EnScript, especially in the context of making a DLL to interface with EnScript.

If you have been reading this so far thinking “What? C# and EnScript? When did this happen?”, check out this one for a little intro. My goal in this post is to show you how to debug your C# code while EnScript is calling it. Yes! You can do that!


Debugging in EnScript


First, let’s have a quick review on debugging your EnScript code inside EnCase. The default operation of the start button (and its assigned F5 shortcut) when in the IDE is to debug.

EnScript Debugging Button in EnCase

If I have a problem to debug in the EnScript code, I just click a breakpoint next to where I want to stop. You can see my breakpoint on line 7, with the yellow arrow on top of it showing that this line is about to be executed.

Setting EnScript Breakpoint for Debugging in EnCase

Line 8 contains a function that I am bringing in from my C# DLL mentioned on the first line. If I use Step Into over my EnScript code, it will walk down the lines here without digging into the C# code. EnCase doesn’t have the source code, Visual Studio does.


Connecting Visual Studio Debugger


To get to the source code of the C# project, we need to connect EnCase and Visual Studio together. It is fairly simple, but it is not something I realized was possible until one of our developers showed me a couple years ago. I am finally getting to write this to share with all of you.

First thing is that you need to have a project written and built. Make sure the output type is Class Library.

C# Project Properties in Microsoft Visual Studio


Use the build menu to create the DLL file. This file needs to be placed beside the EnScript source code, so copy it over there.

Building C# Project in Microsoft Visual Studio


Put the assembly command in the EnScript code, and make sure it compiles. This is important to do, because the compile process is what reads into the DLL file to load all the symbols.

Assembly Command in EnScript Code using EnCase

You can confirm the DLL stuff was loaded by viewing the Class Browser. In there you should find a bunch of things mentioned about DotNet, but you should also find your project namespace, public classes, and public functions in there.

EnScript Class Browser Showing C# Classes Loaded in EnCase


Once you have compiled successfully, the symbols are loaded and ready to go. Go back into Visual Studio and use the Debug menu drop down to find the Attach to Process option.

Debug Menu Attach to Process in Microsoft Visual Studio with EnCase


In the window that pops up, find the EnCase.exe process and click the Attach button.

Microsoft Visual Studio Attach to Process Window Showing EnCase.exe Process


Visual Studio is now in a paused state waiting for control to come over. To get the debugger in Visual Studio to trip, you have to set a break point on code in C#. Otherwise the code will just execute without stopping.

Hit the start button in EnCase, and wait for your C# breakpoint.

Microsoft Visual Studio C# Code Showing Breakpoint


Tips


#1 File Lock

There is a complexity with the integration of EnCase and the .NET stuff. The bridge between managed and unmanaged code is not easy. Just ask anyone who has called into unmanaged/native DLLs from C#.

When you compile your EnScript project, EnCase places a lock on the DLL file. If you point your EnScript to the DLL location where Visual Studio builds to, then VS will fail to build while EnCase has that lock. If you are trying to copy the built DLL into the folder where your EnScript project is at, you will get an error message saying that it cannot overwrite the file.

The only way to release the lock is to exit EnCase entirely. Use the Save All option and it will be easier to open back up into your EnScript project.

#2 Project Type

Because of the file lock, I typically start my projects as a Windows or Console Application. I put some basic test code inside the ProgramClass and I add another class module to contain the code I intend to use in EnScript. This allows me to debug as much of the code natively inside Visual Studio as I can before bringing EnScript into the mix. Once I am comfortable with the code, I change the project type over to the Class Library and start testing my code with EnScript.

#3 Logging

You can get error messages logged from the .NET code (and other things), and direct them to the console in EnCase or to a file on your drive. You will find these options in the Tools dropdown in the Options… menu item. Then Debug Tab, and the Show Logging button.

EnCase Debug Logging Options

Closing


You can download my EnScript and C# code here to follow along in the screen shots. There is nothing amazing happening in that code, but you are welcome to use it in your forensic projects (with proper credit of course)…

I would love to see you attend the EnScriptProgramming course, and then we can talk face to face about the possibilities of this bridge.

Hit me up on Twitter or leave a comment below if you have any questions. Thanks for reading!

James Habben

AMP Threat Grid Empowers Law Enforcement to Fight Cybercrime

Jessica Bair, Cisco

Recognizing the critical need for state and local law enforcement agencies to have state-of-the art technologies to effectively fight digital crime, Cisco is creating the AMP Threat Grid for Law Enforcement Program. The program is designed to empower those working to protect our communities from cybercriminals with its dynamic malware analysis and threat intelligence platform.

Computers are central to modern criminal investigations, whether as instruments to commit the crime, as is the case for phishing, hacking, fraud or child exploitation; or as a storage repository for evidence of the crime, which is the case for virtually any crime. In addition, those using computers for criminal activity continue to become more sophisticated, and state and local law enforcement agencies struggle to keep up with their internal computer forensics/digital investigation capabilities. Malware analysis is also a critical part of digital investigation: to prove or disprove a "Trojan defense" for suspects, wherein the accused rightly or falsely claims a malicious software program conducted the criminal activity and not the user; and to investigate unknown software and suspicious files on the computers of the victims of cybercriminal activity for evidence of the crime.

The AMP Threat Grid for Law Enforcement program is designed for state and local agencies with fewer than 1,000 sworn officers. In the United States, this encompasses more than 99.5 percent of law-enforcement agencies. Once empowered with AMP Threat Grid, within seconds of a threat-intelligence query or within a few minutes of submitting a suspicious file or URL for analysis, an investigator will have the ability to view and download an easy-to-read and comprehensive report detailing the actual behavior of the submitted file, including changes to the file system, registry, command-and-control communication, downloads, code injection, and other malicious activity.

In addition, AMP Threat Grid will correlate the file with the millions of samples and billions of artifacts in the threat intelligence database, providing instant global and historical context. The program also includes seamless integration with EnCase® Forensic to reduce investigators' time and effort to identify and analyze suspected malware.

The AMP Threat Grid for Law Enforcement program includes:
  • Two portal user accounts per agency
  • Up to five samples (of suspicious files or computer programs) or URLs submitted per day, per user, for analysis through the portal or via the API integration with EnCase Forensic
  • Unlimited sample queries through the portal or via the API integration with EnCase Forensic, including file hash values, IP addresses, domains, registry keys, and file paths
  • The AMP Threat Grid Malware Analysis and Intelligence for EnCase EnScript and installation guide, training manual and video, and EnCase Forensic case template
  • Access to regularly scheduled law enforcement-only WebEx sessions for training and peer discussion
Cisco will host a hands-on lab for threat intelligence and dynamic malware analysis at the Microsoft Digital Crime Consortium (DTCC), March 9-13, 2015; and at the Computer and Enterprise Investigations Conference (CEIC) to be held at Caesars Palace in Las Vegas, May 18-21, 2015.

Law-enforcement investigators can register for the program on the Threat Grid Law Enforcement Program page. The AMP Threat Grid Malware Analysis and Intelligence for EnCase EnScript is available for download at no cost to Guidance Software customers from the EnCase App Central store; it includes a 30-day pilot of the full solution for non-law enforcement incident responders, with free malware sample submissions and contextual searches of the Threat Grid threat intelligence repository. 

Jessica Bair, EnCE, EnCEP
jbair@cisco.com
Sr. Manager, Business Development
Advanced Threat Solutions, Cisco Security Group

Comments? Questions? We welcome discussion in the section below.

Build New Skills while Rubbing Shoulders with the Industry’s Brightest at CEIC 2015

This year, when the best minds in security and digital forensics converge at CEIC May 18-21, 2015, you have an unprecedented opportunity to gain skills and knowledge on real solutions to your biggest data-related challenges, as well as to collaborate with like-minded professionals who bring to CEIC plenty of war stories not unlike your own.

We’re excited to feature this year’s “EnCase in Action” conference track in today’s blog. We worked hard to pack it with sessions that will put real-world context around some of the EnCase capabilities you've heard so much about.

EnCase in Action Panels: Lessons Learned, Problems Solved, Moments of Sheer Genius

Seven of the 11 Encase in Action sessions are panels promising a wealth of new best practices, processes, and unique solutions to your everyday challenges. The panel topics are:
  • Investigating Employee Misconduct with EnCase
  • Driving a Defensible E-Discovery Practice with EnCase
  • Digital Investigations in International Jurisdictions
  • CISOs and the Art Of Defining And Driving Enterprise Security
  • Law Enforcement and EnCase
  • The Government and EnCase
  • Incident Response Best Practices and True Stories
When you read the biographies in our online CEIC conference agenda, you'll discover that this year’s panelists are deeply experienced and represent powerhouse companies who are bold, proactive and deliberate in their approach to security, legal, and digital investigations. Here are just a few of the companies where our “Encase in Action” track panelists are pushing the envelope:

Encase in Action Case Studies: Peer Stories will Resonate and Motivate

Our attendee-driven Encase in Action agenda also features comprehensive lectures that drill down into real-life case studies. These will surely resonate with attendees who are responsible for e-discovery, digital forensics, and security in business or government. The case study topics are:
  • Transforming E-Discovery through Use of Scorecards (Procter & Gamble)
  • Forensic Investigations in Corporate Internal Audits (SAP America)
  • ATOS Case Study: Implementing a Cyber Defense and Response Framework with EnCase Technology
When all is said and done, you can expect to leave CEIC empowered with a global plan of attack to turn your legal and security challenges into an actionable, efficient and results-oriented process moving forward.

Visit the CEIC event website for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and register now. Also, be sure to follow us on Facebook, Twitter, and LinkedIn for the latest CEIC buzz and conversation.

Parsing Windows ShellBags Using the ShellBags Parser EnScript

Simon Key


Introduction

ShellBags are used to store settings for shell-folders that have been browsed by the user in the Windows GUI. Each shell-folder is seen by the operating system as an item in the Windows shell namespace, the path to which starts with the user's desktop.

Figure 1 - Viewing the Windows shell namespace in Windows Explorer

Shell-folders won't always be represented as a physical folder on disk. A good example of this might be a shell-folder representing a control-panel category or the results of a search.

ShellBag analysis can be useful from a forensic point of view because it can give a strong indication as to what shell-folders were accessed and when. This can be particularly useful when it comes to shell-folders that have since been deleted or those that were located on a removable disk.

ShellBag Data-Location & Manual Examination

Under versions of Microsoft Windows operating systems starting with Vista, ShellBag data is stored in the following Registry keys -

  • HKCU\Software\Microsoft\Windows\Shell (NTUSER.DAT)
  • HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell (USRCLASS.DAT)
Both of the above keys will contain two sub-keys: Bags and BagMRU.

Figure 2 - Viewing ShellBag Registry keys in the Windows Regedit application on the author’s computer

The settings for each shell folder are stored in a sub-key of the Bags key. These sub-keys are called 'slots' and organized in a flat list. Each slot is identified by an index number and will contain a number of settings such as the mode in which the contents of a folder were viewed (tiles, icons, details, etc.), and the icon size (where relevant).

Slots are referenced by keys and associated values in the BagMRU hierarchy. These keys reflect the user's shell-namespace. Each key represents the contents of a shell-folder. It will contain a NodeSlot value, MRUListEx value, and a binary-value and sub-key for each child shell-folder. The NodeSlot value specifies the slot in which the associated shell-folder's settings are stored. The MRUListEx value is an array of 4-byte integer-values terminated by 0xffff. This array represents the order in which the child shell-folders were last accessed, most-recent first.

The structure of the binary-value representing each shell-item will depend on the nature of that item. In some cases it might be a physical folder on disk; in others it might be a network location, control-panel item, search folder, user library or known folder identified by a GUID.

The following screenshot shows a ShellBags binary-value for a folder named 48, which exists in the Pictures folder for a computer-user called Rebecca Howe. The ShellBag path to this value is Desktop\4\1\1.


Figure 3 - Viewing a ShellBag Registry value relating to a folder named 48

If we look in the folder that has the same name as the binary-value, we can see that it contains a NodeSlot value of 70 –

Figure 4 – Viewing the NodeSlot value for the folder ‘48’

If we take a look at slot 70 we can see that it contains a Shell sub-folder, which in turn contains a sub-folder named using a GUID. The latter contains Registry values representing the logical view mode (3, which represents icon view) and icon size (96) –


Figure 5 – Viewing the LogicalViewMode and IconSize settings

ShellBag Analysis Using the ShellBag Parser EnScript

The ShellBag Parser EnScript was designed to make it easy in EnCase® to parse ShellBag Registry data from NTUSER.DAT and USRCLASS.DAT Registry hive-files. The script has been tested with data from Windows Vista, Windows 7 and Windows 8.1. Please note that the script does not support Windows XP.

Figure 6 – Running the ShellBags Parser EnScript

The script produces two types of output: a data bookmark for each Registry hive, and a tab-delimited spreadsheet containing the ShellBag entries from all hives.

The contents of the data bookmark for the UsrClass.dat hive that we parsed manually appear as follows. Note the entry for the 48 folder that we parsed earlier -

Figure 7 – Running the ShellBags Parser EnScript

The LogicalViewMode and IconSize values match those we observed earlier albeit in a more readable way. The MRU Index column indicates the order in which the shell-folders were accessed with a value of zero representing the folder that was most recently accessed. EnCase® will display the folders in order (most recent first) provided that the columns haven’t been sorted.

The script will produce up to five timestamps for each shell-folder, the first being the Registry Created timestamp. This originates from the BagMRU Registry key associated with the folder and typically represents the time the folder was first accessed (browsed).

The second timestamp is the Registry Last-Accessed timestamp. This originates from the last-written date of the parent BagMRU Registry key and is only available for the child shell-folder that was most recently accessed. The logic behind this is that the MRUListEx value would have been updated when that folder was last-accessed, which would have in-turn updated the parent Registry key's last-written timestamp (Registry values do not have timestamps – those shown in EnCase® belong to the parent Registry key). In this case the 48 folder does not have a Registry Last-Accessed timestamp because the sibling 2010-08-18 Antigua folder was the last folder to be accessed.

The Target Created, Target Last-Accessed and Target Last-Modified timestamps are self-explanatory. They originate from a block of data to be found in certain shell-item Registry streams that refer to physical folders. This block will also contain the MFT record and sequence numbers of folders located on NTFS volumes.

It’s worth noting that the timestamps for the target folder are stored in DOS GMT format, which has a two-second granularity. The timestamps themselves may not always be up-to-date; we can see an example of this if we take a look at the 48 folder itself.


Figure 8 – Viewing metadata for the 48 folder

The above screenshot confirms that the target folder’s MFT record and sequence number match those decoded from the ShellBags entry. The created timestamp is out by two seconds because of the DOS-timestamp granularity issue. The last-accessed and last-written/modified timestamps are not up-to-date, which is not always a bad thing - outdated timestamps can corroborate the time that other significant events took place on the system.
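Three of the building blocks described in this post, as an added example in Python rather than the ShellBags Parser EnScript itself: decoding the MRUListEx array (the terminator is the 4-byte all-ones value), decoding the DOS GMT timestamps that shell items carry for the target folder, and splitting the packed NTFS file reference into the MFT record and sequence numbers. The encoder is included so the two-second truncation discussed above can be seen directly: an odd seconds value is lost on the way in. All sample values are constructed for this example, not taken from the hive shown in the figures.

```python
"""Decoders for ShellBag building blocks (added example, not the EnScript):
MRUListEx ordering, DOS date/time stamps, and NTFS file references."""
import struct
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MRU_TERMINATOR = 0xFFFFFFFF   # 4-byte all-ones value that ends MRUListEx


def parse_mrulistex(value: bytes) -> List[int]:
    """Child sub-key indexes from an MRUListEx value, most recent first."""
    order = []
    usable = value[: len(value) - len(value) % 4]   # ignore a ragged tail
    for (index,) in struct.iter_unpack("<I", usable):
        if index == MRU_TERMINATOR:
            break
        order.append(index)
    return order


def decode_dos_timestamp(raw: bytes) -> Optional[datetime]:
    """4-byte DOS stamp as stored in shell items: date word then time word,
    both little-endian, interpreted as GMT. Seconds are stored in 2-second
    units, so the decoded value is always even. An all-zero stamp is 'unset'.
    Raises ValueError for an impossible date (e.g. month 0), which usually
    means the bytes were not a timestamp at all."""
    dos_date, dos_time = struct.unpack("<HH", raw)
    if dos_date == 0 and dos_time == 0:
        return None
    return datetime(
        1980 + (dos_date >> 9), (dos_date >> 5) & 0x0F, dos_date & 0x1F,
        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
        tzinfo=timezone.utc)


def encode_dos_timestamp(dt: datetime) -> bytes:
    """Inverse of decode_dos_timestamp. Odd seconds are truncated, which is
    why a ShellBag stamp can be 'out by two seconds' against the file system."""
    dos_date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    dos_time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", dos_date, dos_time)


def split_mft_reference(ref: int) -> Tuple[int, int]:
    """NTFS file reference: low 48 bits = MFT record number,
    high 16 bits = sequence number."""
    return ref & 0xFFFF_FFFF_FFFF, ref >> 48


# Constructed sample values (not from the hive in the figures).
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR)  # child 2 newest
SAMPLE_DOS_STAMP = b"\x30\x45\xc3\x73"        # 2014-09-16 14:30:06 GMT
SAMPLE_MFT_REF = (5 << 48) | 48               # record 48, sequence 5

if __name__ == "__main__":
    print(parse_mrulistex(SAMPLE_MRULISTEX))
    print(decode_dos_timestamp(SAMPLE_DOS_STAMP))
    print(split_mft_reference(SAMPLE_MFT_REF))
```

To apply this to a real hive, feed parse_mrulistex the raw MRUListEx value of a BagMRU key, and feed decode_dos_timestamp the 4-byte stamps pulled from a shell item's target-folder block; corroborate the decoded record and sequence numbers against the MFT as in Figure 8.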

Having examined the bookmarks created by the script, the contents of the spreadsheet are straightforward and don’t really require any further elaboration.


Figure 9 – Viewing the output spreadsheet (additional formatting has been applied)

Resolving Known Folder GUIDs

When it comes to resolving the names of known folders (Documents, Pictures, Videos, etc.) the ShellBags Parser EnScript uses an internal list, which it writes to a tab-delimited file called GUIDs.csv in the same folder as the script.

Figure 10 – Viewing the GUIDs.csv file as text

Once extracted, the script will read the contents of this file the next time it runs. The examiner can modify the contents of this file to add new GUIDs as and when they are encountered.

Caveats

There are a number of caveats that the examiner should be aware of when using the ShellBags Parser EnScript.

First and most importantly, not everything is known about the shell-item structures stored in BagMRU entries or about the operation of ShellBags in general. The script will do its best to parse these structures accurately but may encounter some that it can't parse at all and others that it won't interpret correctly. The examiner should never treat the findings of the script as definitive and should seek further corroboration whenever necessary. The author would appreciate being informed should the script be found to produce erroneous, incomplete or inaccurate data.

Secondly, the script does not currently support the recovery of deleted ShellBag data. Other tools are available that support this functionality.

Acknowledgements

The author wishes to acknowledge the excellent work and information made available by Joachim Metz, Chad Tilbury, Dan Pullega, Eric Zimmerman, and Nicole Ibrahim. Eric Zimmerman's ShellBags Explorer utility was a particularly valuable resource when it came to writing this EnScript.

Simon Key simon.key@encase.com
Course Developer III
GSI

CEIC 2015: New EnCase Basics Track Shortens Your Learning Curve

Let's talk a little bit about basic training. Nothing is more critical to the success of your EnCase® implementation than the buy-in and performance of the people who use it. After all, if your IT, security, or litigation support specialists fail to successfully learn the software, you can't truly maximize your organization's investment.

If you're one of our newer customers, our new EnCase Basics track at CEIC 2015 makes perfect sense. With four days of focused training and over 1,400 professional peers and experts, CEIC can help you or other new EnCase users in your organization gear up to address new challenges head-on.

Digital and Security Investigations are Converging


More and more digital investigators are becoming incident response and cyber forensics specialists, too. At Guidance Software, we don't just sell you security, legal, and forensics products; we invest in your ability to prevent, detect, and respond to the ever-changing threat landscape.

According to the SANS 2014 Survey of Endpoint Intelligence, 60 percent of organizations plan to automate incident response within 24 months. To help you do that, we've dedicated 50 percent of the EnCase Basics track to helping you unleash the power of your EnCase® Cybersecurity and EnCase® Analytics products.

Register today and request these six powerful labs to accelerate your incident response and threat-hunting capabilities with EnCase:

  • Getting Started with EnCase Cybersecurity (Parts 1 and 2)
  • Getting Started with EnCase Analytics (Parts 1 and 2)
  • Incident Response with EnCase Cybersecurity and EnCase Analytics (Parts 1 and 2)
We're pleased to announce that our popular EnCE-certified instructor Ashley Hernandez will lead these highly rated labs again this year. As a sought-after security speaker, she's been featured at numerous industry conferences, including HTCIA and ICAC, and she enthusiastically interacts with a large Twitter following at @AshleyatEnCase.

Faster Time-to-value for New EnCase Users

We know your time is valuable and respect the way you invest it, so we guarantee that these EnCase Basics sessions will shorten your learning curve. In addition to the security sessions mentioned above, the new track also offers courses on maximizing your use of EnCase® Enterprise and EnCase® eDiscovery that will be taught by Daniel Smyth, a field-tested expert in forensics, e-discovery, and cybersecurity as well as a training course developer, instructor, on-site services practitioner, and consultant.

Not only are Guidance Software trainers like Ashley and Daniel targeting their course material for you to put to use immediately, but we're also offering a new "Ask the Trainers" booth at CEIC 2015 to boost your training and give you access to even more expert knowledge. We'll staff the information center during all hours of the conference, so stop by any time to ask an instructor your burning questions.

"Open" EnCE® and EnCEP® Testing at CEIC

We've made it easier than ever this year to complete your EnCE and EnCEP exams and quickly drop your Padawan apprentice cloak for that of a Jedi master.

"Open Testing" is a new benefit of this year's CEIC, and it means "no appointment necessary." Exams will be offered on Monday, May 18 through Wednesday, May 20 from 8:00 a.m. to 3:00 p.m. each day. The only caveat is that you must be pre-approved for the testing by April 24. Click here for detailed instructions on gearing up to take your EnCE and EnCEP exams.

And finally, don't forget to sign up for and attend the EnCE Prep session in the EnCase Basic track prior to testing. No doubt you'll learn a great deal from veteran Guidance Software instructor and retired U.S. Army special agent Jamey Tubbs in this brief, high-level review. You can also connect with Jamey on Twitter.

Visit the CEIC website for information on the current event agenda, registration and travel information, sponsor and exhibitor opportunities, and to register today. We hope you'll also interact with us on Facebook, Twitter, and LinkedIn for the latest news and conversation.  

Ask the Expert: Amber Schroader of Paraben Corporation

Recently, Amber Schroader, the CTO of Paraben Corporation, joined us for a well-attended webinar, Six Keys to Conducting Effective Mobile Forensic Investigations. A number of our attendees had questions that we wanted to capture here along with Amber's answers.

What do you recommend when dealing with the drivers on pay-as-you-go devices?

When doing smart devices with pay-as-you-go providers, you typically do have to work with different drivers that come from that provider. For example, a Tracphone pay-as-you-go Android will have different drivers than the standard Android device that was released to Verizon. I work a lot in virtual machines, which is nice because I can roll back drivers through the VM. However, when I work on standalone systems for my examinations, I have a separate system that I don't work with a full driver pack on, and I only install drivers as needed, which is where I do my pay-as-you-go devices. I will blow a fresh image to this machine after each device to ensure all conflicts are removed. Those conflicts in drivers are what will stop most of the pay-as-you-go devices from processing.

What do you do with feature phones like Nokia, Samsung, LG, and Motorola?

I follow the same process with all the devices, smartphones or feature phones, which means physical, logical, and then accessories in processing. I'm still receiving a good percentage of feature phones with the cases that I work, as they are trending up in popularity.


What kind of information can you get from cell tower records? 

Typically you can get the longitude and latitude of the call details from the device, as well as date and time stamps. It's a great way to get reference points to where calls would have been geographically made. I'll take this data as well as data from a device if the location services were turned on, which will allow you to pinpoint geographic location for the calls, etc.

What is the value of IP Box? Does it work?

An IP Box is a brute-force attack for iOS devices, and there are devices, as well, that work with Android. We have tested a few of the options out there and have had mixed results; 3 out of the 5 devices we tested were bricked upon using the IP Box, which was a really high risk, as if the device had been evidence it would have been destroyed. The other problem is that the flaw the IP Box typically exploits in the iOS versions was patched, so it will not work with updated devices. The problem with encryption will plague us forever, as it always has. I guess the examiner needs to keep that in mind before they get caught up in a trend that might be able to help with one case but not be able to help them long term. I think the IP Box approach as it stands is a short-term patch, not a long-term solution. The FoneFunShop in the UK will preview and make available a lot of these types of tools, and examiners can look there for details.

What is the process you recommend for working with a device, what steps for logical to physical, etc.?

With most of my examinations, I typically try to work with the device physically, then logically. The reason I do this process is because if the device is encrypted, a lot of times you can get around the encryption with the physical methods and even in some cases do a simple text search for “password” and then find the password for the device that is needed for the logical image. After I have both of those images, I then will process the media card and SIM card separately so I can review that data as well. If I have CDR records, I will add that into the processing, too.

Many investigators uncover data that is encoded, but confuse it as encrypted. Can you discuss the difference?

Encoded data is data that needs an interpreter for us to be able to understand what it is saying, while encrypted data is data that has been converted to cypher text. Think of it like a puzzle: with the encoded data we have the box, and we have to reference the box to be able to make sense of the pieces. With cypher text we have a variety of puzzle pieces from a variety of puzzles mixed together, and we have no box for reference.


Which devices do you see are emerging as the most difficult to deal with for digital forensics?

Smartphones are still the hardest with the encryption changes and the cloud storage capabilities. The other area that is always difficult with them, and where we are seeing such a strong push, is the burn-phone or pay-as-you-go market with smartphones; they are all flashed differently than what we see from the standard telecom versions.


You talked about manufacturers like Apple and their position on encryption and law enforcement – how do you see these affecting investigations?

I think as the manufacturers pull more to privacy instead of investigations, it's going to get harder and harder for us to gain access to the device. We will start doing a lot more monitoring and even live capture in investigations or have to work more and more with backup records and gain access to records in the cloud.


Is there any rooting kit that is recommended over another? I'm thinking in terms of forensic soundness and reliability.

Each rooting option is typically custom based on your tool selection for acquisition. With all acquisition tool methods, you should validate and check how they are processing the device.


Does a device in DFU mode still require a user pin/password for acquisition?

No, it's no longer needed. However, please note the restrictions on what devices support DFU mode.

Is there any particular rooting kit, for example Kingo for Android, that is recommended over another?

For rooting a device, it will depend on the method used by your acquisition tool. Most of them choose to design their own root method. Rooting a device will not change access unless that is the technique used by your acquisition tool.

Any solutions for Chromebooks?

Chromebooks are an odd hybrid in devices and for us are currently being researched for support addition. We've had difficulties with some of the encryption that is found by default on the device and are working to get around those barriers.

Are Blackberrys still the most difficult devices to crack?

BlackBerry devices are still very difficult to work with. The reason is they still are a very clean device. Even when working with the new 10 devices in Device Seizure, we have to work with them through doing a backup record and then parsing that record. However, the one part that has improved is that the newer BB devices do use Android Apps so the parsing of that data is easier than when they worked 100% proprietary.

Is there any way to analyze BlackBerry RAW data for analysis (malware for example)?

BlackBerry devices are not as easy to physically image to get a RAW image. We have very limited capabilities in this area, as most companies do. This does prohibit you from being able to do some of the file system analysis you need to be able to do for malware detection. With all BlackBerry devices, the support changes by model, so it is something to check to make sure the file system acquisition is supported to be able to do that type of scan.

How effective are factory resets in truly wiping all data?

Most of the data is cleared in a factory reset, but it's always good to go back and check. I do an image before and after and compare the data to make sure all user-oriented data has been removed from the device.

I noticed that since Apple Devices like to power up upon plugging in, I guess if you're going to put it into DFU mode you should do it in a box. After it goes into DFU mode, is it active with a network?

It is no longer active on the network when it is in DFU mode. You do have to power it off completely to get it to go into DFU.

Can a VM assist in minimizing driver conflicts between pay-as-you-go and contract phones?

Yes, virtual machines can be a good tool to work with all the changing drivers with mobile devices. I use the rollback functionality with my virtual machine to be able to adjust for the different drivers.

How about encrypted iTunes backup?

iTunes backups can have encryption that is separate from the device encryption. Depending on the version of the device that you are dealing with, you can get around this encryption through a physical image done through DFU mode. There are also third-party tools that can break this encryption, such as Elcomsoft and Passware.

I know there are many tools available on the market, do you know of or would any of you have plans to integrate tools such as Oxygen, or the way they parse data and some of their viewers into EnCase Forensic?

I know that we do not have plans to integrate with Oxygen. Integrating with a tool like EnCase Forensic makes a lot more sense. For our approach, as it stands, we read other tools image formats into Device Seizure so that you can cross validate, etc.

Also, is putting a device into airplane mode a viable option instead of using a Faraday device or 30 sheets of foil?

Airplane mode is a viable option in a lot of cases, but if I know I'm working with evidence that is set to go to court, I still prefer to use the Faraday cage option to ensure I have the best protection. Since I did not design airplane mode on the device, I cannot testify to what it is doing and whether it's 100 percent blocked from activating any signals on the device. I like to have the strength of the physics behind me by using a Faraday cage.

Taking off your vendor hat, can you compare the offerings from the leading mobile hardware acquisition device providers?

There are a lot of advantages and disadvantages to every tool. It's like looking for the perfect car. You'll always find something you wish you had. What I do to really break down the tools is I run them through my test plans and then rank my tools based on how they did in the test plan. I then will process through devices based on the tools capabilities for that type of device. I will always process the device with both my tier 1 and tier 2 tool and then check the results as you never know if one tool will see something the other does not. I think it is a mistake for a lab to just have one tool with any type of examination but especially when it comes to mobile devices because they are so diverse and difficult to deal with. If a tool does not pass my test/validation plan I do not use it.

What signals can the mobile device receive that need to be protected against when there is no internet or cell service connection, or those services have been turned off?

I believe in covering yourself with the device signals, because it's something you literally cannot see that will destroy the evidence.  I always use a Faraday device when processing if I know that the device needs to be maintained as pristine evidence. Some of the civil cases I deal with just want the data and have already not maintained it properly so for those devices my SOP I put in airplane mode. Bluetooth and possibly IrDA for older phones are the most common signals outside of internet and cell service.

Is there any listing anywhere that has a continuously updated list of devices and whether they can be physically imaged / logically imaged.  Or just any particular quirks with a model?

There is no general listing for that data as it is about the capabilities of the tool you're using on what it will support with each device. Guidance Software and my company, Paraben, maintain a current list of all the supported models and device profiles we support and what is supported with each, but this list becomes outdated as soon as new phones are released, so we often support more devices than are on our own list. I am guessing many of the other tool companies maintain a similar list and you just have to request it.

What are your views about time constraints in an investigation since every device may be different and you advise to keep trying to get to the data?

With time constraints, I would recommend you work with a logical image in most cases. The advantage with the logical image is that with smart devices they contain a lot of deleted data in the logical structure because the data is in a database. It is the fastest acquisition option that will yield you the highest results if you do not have the time to do all the available processing on the device or are experiencing problems with full physical imaging.

Can you discuss best practices in working with iOS 7 and 8 passwords and how to work around them?

With a lot of the later iOS devices there are just not a lot of options out there. I discussed both password recovery with software and with hardware in a few of the other questions; both have risks. In the end this is a problem we will be facing for a long time with us as investigators simply being locked out of the device by the manufacturer.


Do you have any advice for by-passing PINs?

For bypassing PINs there are a few options out there. I look at FunFoneShop in the UK for a lot of the flasher-style attacks. I have answered another question about IP boxes, as they are the latest trend. With all the bypass hardware options, be very careful, as I have had them brick the phone before. It requires testing, and you need to weigh the risk to reward. For software options I have used both Elcomsoft and Passware tools, with good results with both. The software has less of a risk but still should be tested.

Do you have any suggestions for approaching mobile malware with a similar methodology as your app rule? 

Malware/spyware is a little bit harder, but the principle is still the same as far as finding the app data. You need to make sure your mobile forensic tool will acquire the file system on the device. As long as it does that, you will be able to find the malware/spyware as that is where it is stored.

Is it true that if you do not have the pin for an iPhone 5 and above, it is impossible to analyze it?

That is correct; you do need to be able to have the lock to gain access. They changed chips on the device so you cannot get around it by doing a physical image. However, I still get devices of all ages in that I use the physical bypass on.


What is the investigation like with a locked device?

Depends on the device and what has locked it. With feature phones, a lot of times you can get around locked devices by doing a physical image first and then searching for "password". It will show in the physical image. For smart devices, it depends on the device. With a lot of them, it will be firmware dependent as well as hardware dependent, as we can get around a lot of locks software-wise, but because they tie them to the chips, that has caused a greater barrier. It is much easier to work around Android protection than iOS. I also use 3rd-party decryption tools such as Passware and Elcomsoft for password breaking.

What about password-protected iOS 8 devices and how to work with them – IP boxes?

I had another question about IP boxes. They're a risky option when it comes to password-protected devices and they also don’t work past 8.1. Right now you're stuck with only risky options that do risk the entire integrity of the device. You have to decide if the risk is worth it as those types of brute force attacks like IP boxes can destroy the device.


We use Good technology for our MDM, which is containerized. Would this data be available for investigations?

It depends on how they're storing the data. I have not reviewed that particular tool, but my guess is they're storing it in a database. If that database is encrypted, it should be fine, but you'll want to check that as the raw databases used in mobile devices can be parsed.


Can forensics be conducted remotely or do you have to have the actual device?

As it stands now with mobile forensics, you do have to have physical access to the device to be able to do an acquisition. I do not believe that will always be the case, but for now it is.


How did you get involved in digital forensics at the beginning of your career and what would you say the process is now for someone interested in breaking in to the market?

I found this a great field for the dyslexic, which I am. We do things backwards naturally and it really has helped in my problem-solving and investigative skills. I was involved early because I was willing to give something that was not popular a try. For those getting into the field I recommend that they specialize and really get strong skills in one area but still be able to do other types of examinations. A good example is mobile forensics. A lot of investigators who work in this area do not do hard-drive examinations.


You mentioned that there was a Supreme Court Ruling concerning seizure and shielding. Do we have a case that we can research?

Here's a link to an article. There are many other references as well. I am not a lawyer, so I don't want to offer an unqualified opinion.

What about airplane mode?

Airplane mode can be useful to be able to take the device off the network. It is not a method I use frequently, but it is a viable option. In most scenarios I don’t recommend it as it requires the first responder to place the device in airplane mode and I don’t advise that someone who has not been trained fully start rummaging through the device.

Comments? More questions? What works for you? We welcome your thoughts in the Comments section below.

CEIC Sessions on Digital Forensics Deliver on the EnCase Community's Core Competency

(This is part 1 of a three-part series on the all-new, enhanced digital forensics labs and lectures at CEIC 2015.)

Our conversations at CEIC usually dwell on how best to uncover data that will provide evidence to prove a wrongdoing. Today that data and those artifacts are found amongst hundreds of thousands of files on a target system. Only through tens of thousands of investigations by the EnCase community over 18 years and through the application of your hard-won expertise are we able to design a curriculum that serves your most vital needs.

The DNA of CEIC: 18 Years of Digital Forensics Leadership at One Event

Best-in-class digital forensics technology and best-in-class investigators come together at CEIC. Together, we've built a proud heritage, and we're pleased that thousands of you will travel from many parts of the world to attend CEIC 2015 with us.


When we planned this year's CEIC, we wanted to continue to expand on the best part of our legacy together. To take an example from other industries, cattle breeders use DNA forensic investigations to prove which stock will yield the highest quality steak. Winemakers employ DNA fingerprinting to authenticate the heritage of high-quality grapes and demarcate them from lesser varietals.


We set out to do just the same: identify the genetics of our EnCase technology and you, our community, and to use that core competency to differentiate this year's CEIC as the most valuable educational event produced to date.


Our mission this year was to renew our focus on powerful digital forensics techniques--our DNA. To continue the heritage that we share with you, our community, we've enriched and expanded our agenda to provide the highest possible quality of education for forensic professionals.

Focus on the Diversity of Data that Drives Your Investigations

What’s on the top of your “need to know” list this year? It might be one of our 18 interactive and practical lab workshops, including:

  • The Ubiquity of iCloud Artifacts
  • Sophisticated File System Journaling Forensics
  • Vehicle Forensics
  • P2P Investigations
Or it might be one of the 26 lectures in digital forensics, including mobile and cloud investigations:

  • Cloud Forensics: Bringing Evidence Back to Earth
  • Investigating Exchange, Microsoft Cloud Services, and Office 365
  • Mobile Forensics: Challenges in Obtaining, Analyzing, and Applying Evidence
  • Forensic Analysis Mistakes and How to Avoid Them
We'll take a deeper dive in Parts 2 and 3 of this blog post series, sharing more details about all these topics being presented by the best and brightest in our industry.

In the meantime, visit our CEIC event website to see the agenda in detail, register, and more. 

Ask the Expert: Yuri Gubanov, CEO of Belkasoft

In our recent webinar with Yuri and Oleg from Belkasoft, we had quite a few interesting questions and even more interesting answers. They presented three case studies that leveraged EnCase Forensic and Belkasoft digital forensics tools to uncover critical evidence. You can watch the on-demand webinar here.

Q: Guys, you mentioned analysis of Live RAM dump created by Belkasoft tool. We use winen.exe tool by Guidance Software. Will you work with dumps created by this tool?

A: Sure! As a Guidance Software partner, we support all images created by their tools, particularly physical images such as E01 and Ex01, logical images such as L01 and Lx01, and of course, memory dumps.

Q: In one of your stories, your tool found some Skype data inside something you call “SQLite freelist.” When SQLite deletes data, does it always go to a freelist?

A: It's only true for databases configured without the option called "AutoVacuum." If this option is present, no freelist is used, unfortunately. However, quite a few forensically important applications store their data inside SQLite databases configured without this option, in particular Skype, WhatsApp, Chrome, Firefox, and many more.

Q: Are there any chances to find SQLite data if it is not present in regular SQLite areas (I mean tables) and freelist?

A: SQLite forensic analysis is a tricky thing because SQLite itself is tricky. Besides regular tables and freelist area, which we already explained, it has some more peculiarities. For example, older versions of SQLite had a so-called “journal” file, which was used to coordinate database transactions. Newer versions of SQLite have so-called Write Ahead Log files, or WAL-files, which contain uncommitted transaction data. Both journal and WAL files sit in the same folder as the main database and may contain up to 20-30% of data inside the main database file.

For example, my Skype database is around 100 megabytes (yes, I've used Skype for a long time and never delete my history). In my setup the journal file for my Skype account is 20 megabytes, which is 20%. So if you don't investigate these files, you are going to lose 20% of the information, which you absolutely cannot afford in the course of a criminal investigation. That's why you need a tool like Evidence Center to automate such routine things. At the moment, there are not many forensic tools capable of automatic processing of freelist, journal and WAL files, so this is one reason to have Evidence Center to complement your EnCase installation.

I should also mention that a SQLite database can have so-called unallocated space. It resembles a regular hard drive, which can also have unallocated space. This space does not belong to any table and is not a freelist. Inside this space you may find some remnants of deleted data, not necessarily completely valid, because it may have already been overwritten or corrupted. However, in our experience, we were able to find meaningful conversations there. Technically, you can carve unallocated space inside a SQLite database and find data, as we discussed with Skype chats or WhatsApp messages. This is what Evidence Center can do automatically for you. This info, if found, is then merged with existing data (I mean, non-deleted data from regular tables) and can be imported back to EnCase Forensic.
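The freelist and journal/WAL behaviour discussed in the preceding answers, as an added Python example that is not part of the webinar, Belkasoft Evidence Center or EnCase. The "AutoVacuum" option referred to above is SQLite's `PRAGMA auto_vacuum`, which must be set before the first table is created. The script builds a constructed chat-style database, deletes every row with and without auto_vacuum and reports whether the freed pages still carry the old text in the raw file; it then writes rows in WAL mode and shows that they sit in the `-wal` file rather than the main database until a checkpoint. It forces `secure_delete` off because some distributions build SQLite with it enabled, which zeroes freed pages. The table, row padding and marker string are constructed for the demonstration.

```python
"""Where deleted and recent SQLite rows linger: freelist pages and the WAL.

Added example; not code from the webinar, Belkasoft or Guidance Software.
The database, table and marker string are constructed for the demonstration.
"""
import os
import sqlite3
import tempfile

ROW_PAD = "x" * 900                      # pad rows so the table spans many pages
ROW_COUNT = 300
MARKER = b"meet-at-pier-9-deleted-line"  # constructed text searched for in raw file bytes


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def _populate(conn: sqlite3.Connection) -> None:
    """Create a chat-like table and fill it. The marker row goes in last so it
    lands in a leaf page rather than the root page of the b-tree."""
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (body) VALUES (?)",
        ((f"row-{i:05d}-{ROW_PAD}",) for i in range(ROW_COUNT)),
    )
    conn.execute("INSERT INTO messages (body) VALUES (?)", (MARKER.decode(),))
    conn.commit()


def freelist_after_delete(auto_vacuum: str) -> dict:
    """Delete every row and report whether freed pages still hold the old text.

    auto_vacuum is "NONE" (the SQLite default) or "FULL". The pragma only takes
    effect on a fresh database, so it is issued before the first table exists.
    secure_delete is forced off because some distributions build SQLite with it
    on, which zeroes freed pages and would mask the difference.
    """
    if auto_vacuum not in ("NONE", "FULL"):
        raise ValueError("auto_vacuum must be NONE or FULL")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        conn = sqlite3.connect(path)
        conn.execute(f"PRAGMA auto_vacuum={auto_vacuum}")
        conn.execute("PRAGMA secure_delete=OFF")
        _populate(conn)
        conn.execute("DELETE FROM messages")
        conn.commit()
        freelist_count = conn.execute("PRAGMA freelist_count").fetchone()[0]
        conn.close()
        raw = _read(path)
    return {
        "auto_vacuum": auto_vacuum,
        "freelist_count": freelist_count,   # freed pages kept in the file (NONE) or truncated away (FULL)
        "marker_in_file": MARKER in raw,    # deleted row text still present in the main file?
        "file_size": len(raw),
    }


def wal_holds_recent_rows() -> dict:
    """Write rows in WAL mode and show they sit in the -wal file, not the main
    database, until a checkpoint copies them across."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        conn = sqlite3.connect(path)
        mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
        _populate(conn)
        main_before = _read(path)
        wal_before = _read(path + "-wal")
        conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")
        main_after = _read(path)
        conn.close()
    return {
        "journal_mode": mode,
        "marker_in_wal_before_checkpoint": MARKER in wal_before,
        "marker_in_main_before_checkpoint": MARKER in main_before,
        "marker_in_main_after_checkpoint": MARKER in main_after,
    }


if __name__ == "__main__":
    for mode in ("NONE", "FULL"):
        print(freelist_after_delete(mode))
    print(wal_holds_recent_rows())
```

The practical consequence for an examiner is the one given in the answers above: a `-wal` (or `-journal`) file sitting next to the database must be collected and parsed with it, and a database whose header shows auto_vacuum enabled will not give up deleted rows from its freelist, because those pages were truncated from the file at commit.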

Q: What can a criminal do to hide data stored once inside an SQLite database and what can Belkasoft together with EnCase do against such attempts?

A: Well, to hide SQLite data they can do pretty much the same as with other files. They can move a file, delete it, or rename it, or delete data by using the regular means of the application which uses a particular SQLite database. We have already discussed what happens when data is deleted from an app itself: it goes to a freelist and can be partially recovered. When a file is renamed or deleted, Evidence Center can carve such a file. There are also some chances to find remnants of data inside special system areas such as the hibernation or page file, shadow volume copies, a live RAM dump, if any, and so on. Evidence Center supports all these scenarios.

Q: In the drug story, you were looking for Facebook chats. Will you download Facebook chats from online? Do you need a password for that?

A: No, the tool never goes online. Instead, the investigator was trying to locate chats inside a RAM dump he had. When someone chats via Facebook or any other app, this data is kept inside RAM, where it can be then found. To find such data we use a signature approach. We know signatures for data layout in RAM for hundreds of types of applications and do data extraction for you out of the box. Therefore, no internet is required and no Facebook password is required. Note, however, that you can hardly hope to extract all chats, just a small fraction of an entire history.

Q: If only remnants of Facebook chats could be found on a switched off machine, how long is the history you are able to recover? Can a whole history be recovered, theoretically and practically?

A: Theoretically, if the history is small, it is possible to recover the entire history. Practically speaking, you can generally only recover some very recent chats. This is because portions of RAM are overwritten every fraction of a second and older messages are gone quickly. If not gone, they can be corrupted. That’s life, but this is better than having nothing. Facebook and other browser applications do not store anything on a hard drive (if we are not talking about the mobile Facebook app), so the only chance to find anything is to search inside RAM.

Q: How quick is the data processing?

A: It depends on the size of your EnCase image file and your hardware. In our lab, a 500 GB hard drive with all types of analysis we have selected takes about 8 hours to complete. A 2 TB drive with around half a million photos takes about 18 hours, but this is because of the huge amount of picture processing. We recommend you have at least 16 GB of memory for a comfortable processing time, but this is not a hard requirement. During conferences (by the way, we will be at Guidance Software's CEIC conference as a sponsor and presenter this year), well, during conferences we use a laptop with just 4 GB of memory and the product works perfectly fast.

Q: You say you can recover deleted SQLite data. What about other types of deleted data? Can you restore them?

A: Almost all types of data that we can analyze when non-deleted, we can also carve. To name a few: documents, emails, pictures, system files such as registries, event logs, thumbnails, jumplists, chats and browser histories, SQLite databases, and many more types of data.

Q: You say you work with multiple platforms and multiple devices. Which platforms/devices do you support?

A: We work on Windows only, but support a wide variety of Windows versions, from Windows XP to the newest and fanciest Windows 10. However, we can also analyze all major operating systems such as Mac OS X, iOS, Linux/Unix, Android, Windows Phone, and BlackBerry. Concerning devices, we support both computers and laptops as well as all modern smartphone platforms. By the way, we can also work on special “forensic” portable builds of Windows.

Q: In the story with the lost girl, the investigator was lucky to find the girl’s laptop in a sleep mode without a password, so there were no problems to capture a RAM dump. However, if a computer is switched off, how do you do live RAM analysis?

A: Windows and other systems usually use two types of files that we can roughly call “RAM dumps made by the operating system itself.” These are the pagefile (where your virtual memory is kept) and the hibernation file (used to quickly turn the computer on after hibernation). Both files contain memory artifacts because they are indeed memory. Unlike RAM, they survive a reboot, so you can investigate them. Interestingly, inside them you can find quite old data. For example, we've seen a few cases with Facebook chats as old as a few months inside a pagefile.
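The signature-based search described in the answers above, worked through on a constructed image. This is an added example, not Belkasoft's code, and the record layout it scans for (the `CHATREC` magic, the length field, the JSON payload and the trailer) is a hypothetical format invented for the demonstration, not the in-memory layout of Facebook or any real messenger. The image itself is constructed: pseudo-random filler standing in for unrelated memory pages, with three records embedded, one of which has had its tail zeroed to reproduce the partial overwrite the answers warn about.

```python
import json
import random
import struct

# Hypothetical record layout used only for this demonstration (it is NOT the
# in-memory format of Facebook or any real messenger): 8-byte magic, 4-byte
# little-endian payload length, UTF-8 JSON payload, 4-byte trailer. A real
# carver carries one such layout per supported application.
MAGIC = b"CHATREC\x00"
TRAILER = b"\xde\xad\xbe\xef"
LENGTH = struct.Struct("<I")
MAX_PAYLOAD = 64 * 1024      # reject absurd length fields read from garbage


def build_record(message: dict) -> bytes:
    """Serialise one chat message in the hypothetical layout."""
    body = json.dumps(message, separators=(",", ":")).encode("utf-8")
    return MAGIC + LENGTH.pack(len(body)) + body + TRAILER


def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM dump or pagefile: pseudo-random filler
    with three records embedded at arbitrary offsets, one of them damaged."""
    rng = random.Random(2015)

    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    intact_1 = build_record({"from": "alice", "to": "bob",
                             "ts": 1431000000, "text": "are you coming tonight?"})
    intact_2 = build_record({"from": "bob", "to": "alice",
                             "ts": 1431000042, "text": "yes, around nine"})
    # Simulate the overwrite the text warns about: the page holding the tail
    # of this record was reclaimed and zeroed, so only the header and the
    # first 60 payload bytes survive.
    damaged = build_record({"from": "carol", "to": "dave",
                            "ts": 1431000100, "text": "meet at the usual place"})
    keep = len(MAGIC) + LENGTH.size + 60
    damaged = damaged[:keep] + b"\x00" * (len(damaged) - keep)

    return (filler(300) + intact_1 + filler(128) + damaged
            + filler(64) + intact_2 + filler(200))


def _readable_prefix(data: bytes) -> str:
    """Printable-ASCII run at the start of data; it stops at the first byte
    that is not printable, which is where the overwrite begins."""
    end = 0
    while end < len(data) and 0x20 <= data[end] < 0x7F:
        end += 1
    return data[:end].decode("ascii")


def carve_records(image: bytes) -> list:
    """Scan image for MAGIC, validate each hit against the layout, and return
    intact messages plus salvaged fragments of damaged ones."""
    found = []
    pos = image.find(MAGIC)
    while pos != -1:
        len_off = pos + len(MAGIC)
        body_off = len_off + LENGTH.size
        if body_off > len(image):
            break                      # magic sits in the last few bytes; no header
        (length,) = LENGTH.unpack_from(image, len_off)
        body = image[body_off:body_off + length]
        trailer = image[body_off + length:body_off + length + len(TRAILER)]
        if 0 < length <= MAX_PAYLOAD and trailer == TRAILER:
            try:
                found.append({"offset": pos, "status": "intact",
                              "message": json.loads(body.decode("utf-8"))})
                pos = image.find(MAGIC, body_off + length + len(TRAILER))
                continue
            except (UnicodeDecodeError, ValueError):
                pass                   # structure looked right, payload is corrupt
        # Validation failed: part of the record was overwritten. Keep the
        # readable text that follows the header rather than discarding it.
        found.append({"offset": pos, "status": "partial",
                      "fragment": _readable_prefix(image[body_off:body_off + MAX_PAYLOAD])})
        pos = image.find(MAGIC, len_off)
    return found


if __name__ == "__main__":
    for rec in carve_records(build_sample_image()):
        print(rec)
```

Because a pagefile is raw memory pages, the same scan runs unchanged over it; a hibernation file, by contrast, stores most pages compressed, so it has to be decompressed before a signature scan sees anything. The point of validating the trailer and the length field before trusting a hit is the one the answers make: a magic value alone also matches records whose tail has already been overwritten, and reporting those as intact would put corrupted text in a report.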

Have other questions? Tips or ideas? Talk to us in the comments section below.

The Good, the Bad, and the Diverse: Gain More Visibility into the Growing Diversity of Devices, OS’s and Artifacts

(This is Part 2 of a 3-part series on the all-new and enhanced digital forensics labs and lectures at CEIC® 2015. Read Part 1 here.)

One of the biggest challenges for investigators today is not only the number of devices or the amount of data (the average hard drive has just crossed the 1TB threshold), but the number and diversity of applications and artifacts that are on a system.

Frankly, we feel your pain. We know there’s no single tool that investigators can rely on to support all applications, browsers, and file systems. We get it when practitioners tell us they require a larger toolbox and deeper skill set to support the overwhelming challenges in digital investigations.

Guidance Software uses CEIC to bring together all of the speakers with their tools and apps that integrate with EnCase and provide you with better visibility into systems, applications and artifacts.

There are four tracks that focus on digital investigations:

  • Digital Forensics Labs
  • Advanced Digital Forensics Labs
  • Topics in Digital Forensics
  • Mobile Devices and Cloud Investigations

We want to remind you that the hands-on labs fill up fast, as 70 percent of attendees say that labs are the number one reason they attend CEIC. So, click here to register now.

You can view the agenda here to read session descriptions and speaker bios on the 44 lab, lecture, and panel sessions that focus on digital forensics. You can also get a sneak preview on a few of the hands-on lab topics that are sure to warrant a packed room, such as the ones we've highlighted here below.

Digital Forensics Session Highlight: File System Journaling Forensics

David Cowen and Matthew Seyer of G-C Partners, LLC, will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. You will learn:

  • What data is stored by your file systems?
  • How to gather the data using EnCase.
  • How to use a free parser to understand the data.

Digital Forensics Session Highlight: Vehicle Systems Forensics

Ben LeMere, CEO of Berla Corporation, is back by popular demand this year. We know students of vehicle forensics will be glad to hear that you'll be able to get your hands on the data stored in several different infotainment and telematics systems in his practical, hands-on lab session. Vehicle Infotainment and Telematics systems store a vast amount of data such as recent destinations, favorite locations, call logs, contact lists, SMS messages, emails, pictures, videos, social media feeds, and the navigation history of everywhere the vehicle has been. This information is not easily retrievable and is typically stored in several different systems within a vehicle not traditionally associated with event data. This is cutting-edge technology that is quickly becoming more pervasive in the field of investigations.

Digital Forensics Session Highlight: Windows ShellBag Forensics in Depth

Vincent Lo, Digital Forensics and Incident Response Investigator, knows that ShellBag behavior is a challenging topic for “forensicators.” The problem of identifying when and which folders a user accessed arises often, and investigators search the ShellBag information because it may contain registry keys indicating which folders the user accessed previously. The timestamps on those keys may show when the folders were accessed. Nevertheless, many different activities can create or update those timestamps. That’s why you won’t want to miss this hands-on lab, where you’ll learn the details of ShellBag information, review the activities that affect it across Windows operating systems, and learn how to interpret it correctly.

If it wasn’t obvious before this blog, now it should be loud and clear: this year’s sessions on digital forensics pull no punches when it comes to providing more visibility to the good, the bad, and the sometimes very ugly and diverse applications and artifacts you face every day.

Stay tuned for Part 3 of this blog topic on digital forensics, where we’ll shed light on the caliber of speakers we’re bringing in to teach these sessions mentioned here. We're confident that these are experts whom you know and trust.

In the meantime, be sure to visit the CEIC website for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and to register now. Also, be sure to follow us on Facebook, Twitter, and LinkedIn for the latest CEIC buzz and conversation.

Learn to Expand on the Value of EnCase at CEIC 2015 with EnScripts and Third-Party Apps

Robert Batzloff

This year at CEIC®, we’re committing more training and trainer resources than ever before to help you boost the benefits of EnCase® in your company’s deployment.

Our goal is to show you the brawn behind power EnCase users and apps, and by learning more about the EnScript® language, help you get to that same level.

With an expanded conference track called EnCase Apps and Integrations, we’ve added 12 sessions that will showcase some of the most dynamic apps developed by EnCase forensic investigators that are easy for you to integrate. We’re also boosting the App World booth hosted by EnScript gurus from Guidance Software and developers from the EnCase community, so you’ve got more experts close at hand during all hours of the conference day.

Learn to Unleash the Power of EnScript--and Write Your Own

The new EnCase Apps and Integrations track this year will help you build and then flex your own EnScript muscles so you can easily use the unique language for automating, customizing, and expanding the value of EnCase.

For the advanced developer: We’ve designated James Habben, a popular Guidance Software instructor and experienced EnScript programmer, to share techniques for using EnScript to perform advanced customizations, such as modifying the EnCase UI to automate common tasks and integrating EnScript with existing .NET applications.

For the beginning developer: Lance Mueller, a widely recognized senior forensic analyst with IBM’s Emergency Response Services, will join us to teach the basic skills of writing and using EnScripts. And we're offering other labs that will walk you through basic tasks like using EnCase App Central, running an EnScript, installing an EnScript plug-in, and more.

Learn New Efficiencies from Specialty App Developers

We’re excited to feature Jessica Bair, who worked with Guidance Software for 13 years and is now with Advanced Threat Solutions at Cisco Security, in a lab on “AMP ThreatGRID for Law Enforcement.” You'll learn about and then get your hands on Cisco’s new program for dynamic malware analysis and threat intelligence.

You can also sit down with the technical team from Magnet Forensics in a hands-on lab using Internet Evidence Finder (IEF) to recover and analyze a wide variety of Internet-related artifacts.

Don’t miss the opportunity in the EnCase Apps and Integration track to hear from Belkasoft's Yuri Gubanov, a renowned computer forensics expert and frequent speaker at industry events around the world. He’ll help you extend EnCase functionality with third-party tools and show you how to jump-start an investigation and receive a result in a matter of minutes, not hours, with the help of Belkasoft Evidence Center.

Because of the rapidly growing interest in the high-level programming language Python, we are offering two sessions to address what you need to know: Chet Hosmer with WetStone Technologies will demonstrate how to apply natural language understanding and heuristic reasoning using Python. Mari DeGrazia with Verizon RISK Team will help you step up your game with practical applications for Python to automate repetitive DFIR tasks and quickly parse digital forensics artifacts.

And finally, to save you time in learning to use the most popular apps, we’ve got three sessions titled “EnCase App Central Showcase” that will highlight a variety of apps related specifically to malware investigations, forensics, and general utilities. Click here to see the full agenda with speaker bios for the EnCase Apps and Integrations track.

App World Provides Interaction with EnScript Developers and EnCase Trainers

So much of CEIC booth traffic hovers around the EnCase App Central booth every year, so this year we’re making it more accessible. It will be located in the expo hall next to the Guidance Software main booth and will feature three stations, each hosted by a rotating group of training staff, product managers, third-party developers, and EnScript professionals. It will also include several demonstrations and tutorials, including how to use the EnScript language, download EnScripts from EnCase App Central, or expand the power of your own EnCase deployment.

Isn’t it Time You Became an EnScript Developer, Too?

And finally, we want you to know that the App World team has the time to meet with you at CEIC, as well as the resources and reasons to help you take that step to become an EnScript developer yourself. We’d like to encourage you to join the EnCase forensic investigators from around the world who are part of a thriving community that create case-cracking EnScripts and specialty apps.

You can meet with us at CEIC to discuss our program for developers, email me, or click here to apply for the program today.

Here’s a sampling of the benefits you’ll receive when you become part of our EnCase Developer Network:

  • EnCase developer license (dongle)
  • Exclusive access to the v7 SDK
  • Up-to-date information on programming EnCase EnScripts
  • Pre-release builds of EnCase
  • Code samples
  • Sample evidence files for testing
  • Access to Guidance technical support
  • QC of your work by Guidance professionals
  • Exclusive rights to publish your EnScripts on EnCase App Central
  • Worldwide visibility for your EnScript
  • Management of the purchase of your work by Guidance
  • Valuable customer feedback on your EnScript
  • Choice to offer your EnScripts for free or for a fee

Be sure to visit the CEIC website for information on the current event agenda, registration information, sponsor and exhibitor opportunities, and to register now.

Robert Batzloff is the Associate Product Manager for EnCase App Central at Guidance Software.

Digital Forensic Notables and Top-flight Instructors On Tap at CEIC 2015

(This is Part 3 of a 3-part series on the all-new and enhanced digital forensics labs and lectures at CEIC 2015.)

The first post in this series talked about how we're expanding on the core competency of the EnCase community who converge on CEIC each year. The second post drilled down into the plethora and diversity of digital artifacts and showcased sessions designed to address these exploding challenges. In this final post, we present the marquee of acclaimed industry experts who will be on hand to teach new technologies and tools and share hard-earned insight from decades of experience in digital investigations.

Diverse Expertise Brings Extra Value to CEIC 2015

A key benefit of CEIC is the diversity in topics that cover a wide range of technologies and tools that are critical to investigations. The tracks on digital forensics do not espouse a particular agenda, but acknowledge that all technologies and investigative techniques must ultimately be woven together.

Our speaker portfolio is also diverse and plays out as the “who’s who” in the digital forensics industry. Here’s a snippet of the best and brightest who have been secured as presenters, trainers, and panelists at CEIC 2015:

Suzanne Widup, president and founder of the Digital Forensics Association and a senior analyst on the Verizon RISK Team, is also the author of Computer Forensics and Digital Investigation with EnCase Forensic v7. She will lead an interactive panel with fellow forensic practitioners who will share potential pitfalls and strategies for success.

Shawn McCreight, founder, Chairman, and Chief Technical Officer of Guidance Software, will give a preview of the new and advanced features that are part of the future of EnCase. Be sure to mark these sessions on your calendar:

  • The Future of EnCase: Tuesday, May 19, 11:00 a.m.
  • Searching in EnCase 8 with EQL: Wednesday, May 20, 11:00 a.m.

Amber Schroader, CTO of Paraben Corporation, is back by popular demand to share what you need to survive the apocalypse of BYOD and personal mobility devices. You can also learn more from Amber at the recent Guidance Software webinar, Six Keys to Conducting Effective Mobile Forensic Investigations.

Jad Saliba, Founder and CTO of Magnet Forensics, will be featured in two sessions this year on overcoming anti-forensics efforts and more about Dropbox encryption and tactics for decrypting Dropbox databases.

Sarah Edwards from SANS Institute is on board to help you interpret iCloud artifacts.

David Cowen and Matthew Seyer from G-C Partners will share what you need to know on sophisticated file system journaling.

Ben Le Mere of Berla Corporation will help you analyze data from different infotainment and telematics systems.

Dmitry Sumin of Passware will help you accelerate password cracking.

We don’t have enough room in this post to share every notable speaker with you, but hope you’ll click over to the CEIC 2015 agenda to peruse the list yourself. After viewing the bios of the 54 speakers who make up the four tracks for digital forensics, you’ll have 54 solid reasons why you need to be at CEIC. We hope to see you there!

My Thoughts on CEIC 2015


CEIC 2015 is Over

This year’s CEIC is over. After a long and relaxing holiday weekend, it feels almost like it was months ago. I really enjoy being involved with CEIC every year because it gives me a chance to catch up with old friends and meet new ones. The real reason (at least the one we tell our bosses) we all go to CEIC is for the great sessions. There were so many of them this year that I wish I could have cloned myself to see them all. To make it a bit more difficult, CEIC is not just a training conference for me since I am part of the team putting it on. I wanted to put down some of my experiences from this year.

The most rewarding thing to me during the entire conference is to hear from past students about their success in completing the EnCE certification. The only way to achieve that cert is by dedication and perseverance. I get thanks from them for teaching classes they attended, but I didn’t take the test. Their excitement and enthusiasm is infectious and I love it! Congratulations to everyone who passed the 1st phase during CEIC, and good luck on the 2nd.

If you didn’t get to attend CEIC this year, you missed a good one. Try again for next year, and I think you will be well rewarded.

Some Sessions

Because I am part of the setup and operations of CEIC, I am not usually able to attend full sessions, but there are a few that I really enjoyed that I wanted to give mention to.

Monday started off great hearing about new features in IEF from Jamie McQuaid and Rob Maddox of Magnet Forensics in Investigating a User’s Internet Activity across Computers, Smartphones and Tablets. This team knows how to stay on top of industry trends and to enhance their tools with a quick response. It is great to know that Guidance has a partner dedicated to examiners like we are.

A must-see for me is Tracking the Use of USB Storage on Windows 8 by Colin Cree. He has been researching USB artifacts on Windows for many years, and somehow seems to find new intricacies every year. No disappointment this year!

It’s a safe bet on the SANS crew. I enjoyed APT Attacks Exposed: Network, Host, Memory and Malware Analysis since you can never learn too much about how others operate and think. It helps us all grow, and I am glad that Rob Lee, Anuj Soni, Chad Tilbury, and Jake Williams are sharing their experiences.

I am a firm believer in everyone learning to code as a skill. Mari DeGrazia and Ron Dormido laid out a great foundation in Practical Python Forensics for those wanting to learn Python as their language. Extra points since they showed how to integrate EnCase and Python!

Memory forensics has become a huge source of information in all types of investigations, and Jamie Levy knows this better than most. As a part of the Volatility team, she is an immense resource and shared it in Rootkits, Exfil and APT: RAM Conquers All to help us all. I learned a lot about using Volatility from this session. I also learned about her Twitter handle outside of the session, but leave it to her to spread that.

My Sessions

I had a lot of fun this year talking in my sessions. I talked about how you can expand EnScript with .NET and Python code. It was exciting to me since everyone seemed to also be excited about the possibilities. I also got a chance to speak with Matt McFadden about EnCase Portable and the huge potential it has for examiners. Got to share how I used Portable on a case to handle a location with 4 examiners and 60+ computers, and we were done before dinner! Talked to many after the session who were excited about using it at home.

Deserved Recognition

Lastly, I wanted to give some recognition for a couple people from the Guidance Software team that really make CEIC the conference that it is. The entire Guidance team works really hard for this event, but these two really make it shine.

There is a technical team that I am part of every year, and it is managed by Jamey Tubbs from the training division. He puts in a ton of hours, before many of you even register for CEIC, in working with the event team, hotel technical staff, and our computer rental vendor. Our conference is unique from many others because of the large scale labs with supplied computers, and it would not be the same without him.

On the event team, we are lucky to have Jennifer Iwatatake on CEIC this year. She has been involved for a couple years, but she was the boss this year and knocked it out of the park. I think this was the smoothest CEIC yet for the operational staff and I heard the same from many others as well. I am sure that she is already on top of planning an even better CEIC for next year!

Until you read from me again!
James Habben