Transitioning from EnCase Forensic v6 to v7 – Part 2

Presenter: Ashley Hernandez, Master Trainer, Guidance Software


Transcript

Welcome everyone and thank you for attending Guidance Software’s webinar, Transitioning from EnCase version 6 to EnCase version 7 – part two of this two-part series.

So this week just like last week we have the same great speakers: Ashley Hernandez who’s one of our Master Trainers here at Guidance Software, and also Ken Mizota who’s our Product Manager for both EnCase Forensic and EnCase Enterprise. And also just like last week, my name is Robert Bond and I’m going to be your host and moderator for this session. If you have any questions during the session itself please submit them electronically through the Q&A dialogue box on the bottom right portion of your screen. We’re going to answer your questions in the Q&A session with Ken Mizota at the very end of Ashley’s presentation. And as always, if you don’t have a chance to submit a question during the presentation or you’re watching an archived version of the webinar, you can submit your questions to me at robert.bond@guidancesoftware.com.

So again we have two goals for this webinar: number one is to get our v6 users over to v7, we really want them to see the new features, get comfortable with the software and offer them a package, and we’ll talk about that in just a second. Number two is for our v7 users to get more comfortable with the software, learn more about it, and we want to try and do that today and also point you to several other resources that may help you.

So again for the v6 folks we’ve got a great offer. So since v7 has been launched, and that was June 2011, it’s always cost $3290 to get an upgrade, SMS and then the three-day Transitions training. Transitions training is now free. The upgrade price is half off, and then of course you still have SMS. So it’s a great price, we encourage you to call us at 1-888-999-9712 to learn more.

So on to the v7 resources. So last week we talked about App Central and on-demand training that you can get from our website. This week we’re going to talk about YouTube. So when v7 was first launched, first couple of years, we came out with seven reasons to upgrade in a four-part webinar mini-series that’s now on our Guidance Software YouTube channel. I encourage you to check them out, they’re great in terms of introducing you to the interface and the new features. Also if you search on Simon Key you can get videos on his latest EnScripts, he’s got a few of them out there, including the one you see up on the screen, Exif GPS Reader EnScript. There are also two great study guides by two great people, Suzanne Widup has a Computer Forensics and Digital Investigations With EnCase Forensic v7 which we featured in this webinar series, and also Steve Bunting’s official guide, EnCE Study Guide. Both of those are available on Amazon, or wherever you shop for books. And then I also encourage everybody to join the support portal: simply go to Guidance Software, choose Support, you have to register there but then you have a ton of information, a lot of great examiners that are contributing to that support portal and that knowledge base.

Here are our training classes, just like last week I put the two cornerstone training classes for forensic examinations up there: CF1 and CF2, you can have access to these classes and any other classes for one year in unlimited amounts including our V class, which is our simulcast class, for $5995. You can call us if you have any questions about that as well.

So there are two features that I want to spotlight today in this second of the two-part series. The first is our case analyser feature – great set of reports, about 106 reports. It’s a snapshot of user activity including cached images, browser history, user searches and far, far more than that. Here’s a little quick glimpse of the report, so again 106 different reports and it just allows you to focus more on the investigation and less on digging through folders to find artefacts that might disturb you in your investigation. Here you get them all in one place. Of course you can bookmark these and send them right off to your examiner report.

The second feature came out with 7.09 a few months back and allows you to create a portable device from either EnCase Forensic or EnCase Enterprise. All you do is you get an empty USB drive, simply copy the binaries from EnCase Forensic or EnCase Enterprise to that empty USB drive, and then you can put that along with your licence – you do need a Forensic licence, Portable licence or Enterprise licence – to go into the target machine with the empty USB drive with the binaries, and then you can do your triage or collection on that machine. So just another way to get a portable when you need it from Forensic or Enterprise.

So now we’re going to start with Ashley, Ashley’s going to get us started with using the new result set processing feature, and then she’s going to wind up with the external review package, a lot of good information in this session. Ashley, please, take it away.

Ashley Hernandez: Alright, so when we left off last time we had done some of the manual preview work that we typically do in a case, and in version 6 you were used to working on a case without having to process. So what we’re going to show in today’s demonstration is once you’ve kind of triaged and decided if you want to investigate further, how do we leverage our new functionality in 7: the ability to process your case, and how we can do that in a very targeted way, as well as taking advantage of processing your whole case. That’s kind of where we’re going to be going.

So I’m going to open up the case that we worked last time, which is listed under my recent cases, and we’re going to go ahead and look at our evidence that was added before. So if I browse to my evidence I can see my two evidence files, I have my local preview and my evidence file here, my sample evidence. And we can see that the process is static in both of these, it’s unprocessed. So I’m going to open up my sample evidence, and in this case I don’t actually want to process my whole case. I want to be able to target my investigation to just email at this point. We did some triage and looked for keywords, and now I’m ready to focus just on those emails.

So just like you would in 6, if I wanted to find PSTs I’m going to home plate, or I’m going to use a set include on the root of my drive, and then I’m going to sort by file extension and using the autotype it’s going to find my PSTs. So I can see that I had already mounted two PSTs, I can tell that because they have the green plus sign next to them, but I want to actually process, meaning index and mount, all of these PSTs that I’ve found in my case.

So in this instance I can see that I have five items selected in my Dixon box, and those are the ones that I’m going to process. So I don’t want to index my whole case, I don’t want to process my whole case, I really just want to focus on these particular email archives. So I’m going to make a results set of those. This is something new to 7. From these entries I’m going to say “create results”, and that’s basically a container of items that I want to do some specific functions with, maybe I want to review them, or in this instance I’m going to process them. So I’m going to say these are email archives of interest. I’ve selected the ones that are interesting to me – you know, if you only wanted to process some of your PSTs, or a few PSTs and OSTs, you would select which ones you wanted to find. And you click OK. So that’s going to save them so we can access that in our processor.

I’m doing this example with email but you could do the same thing with docx files, you could do it with spreadsheets, anything that you would normally filter on you could go ahead and set those files using your blue checks, and then choose to just process the blue checked files once you’ve put them into a results set.

Alright, so we have our emails that we want to process, and now we’re going to go ahead and go to our process option. So here on the evidence tab we have the button to process, and that’s going to bring up our evidence processor. So when we look at the evidence processor this is really the new screen that we deal with in version 7. And we get a couple of choices of what we’re going to process, outlined in the top left corner. Both of my evidence files that I have right now are unprocessed evidence files, so I could choose to do my evidence files, that would not include my preview since it’s not an evidence file. But if you had multiple evidence files in your case – maybe you had six evidence files, four of them were processed and two were not processed – this would allow you to choose to just process the ones that weren’t previously processed.

If I’d used the blue check – anywhere in version 7 that you see the word ‘selected’, if I’d just blue checked specific unprocessed files – then that would work on the selected or highlighted items. The current item is the actual highlighted item in my evidence tab, that’s the set of sample evidence, but we’re going to focus on the result set, meaning those items that I just selected.

So if I click on ‘result set’, I can see that all of the different results that I’ve previously done are available, so if I wanted to just process the example keyword result that I’ve had before, I could choose to do that, but I’m going to focus on the email archive of interest. So anything that you’ve done through search or through conditions, or through filters: anything that creates those results sets, which are the containers of things we want to look at in more detail, you can choose to process just those items, I don’t have to process my whole case.

So I’m going to do the email archives and click OK. And then I’m going to choose to run specific options. Now I actually already have the option sets, but we’re going to go over what all the different options in the processor are, and why you might choose to use them.

So I’m going to go ahead and use the defaults, just so you can see what by default is checked when you go ahead and run 7 for the first time in the processor. You’ll notice that we check ‘running recover folders’, and recover folders is the ability to have your FAT and NTFS volumes try and recover deleted or corrupted items. And so if you want to do that operation you can go ahead and check to have that run either the first time you run the processor, or you could run it later, you don’t have to run all these options at once.

Signature analysis is one that you would want to run before running the index, and that’s why we have that little exclamation point in front of it. You’ll notice signature analysis, protected file analysis and hash analysis all have that exclamation point saying that if you’re going to index, you’re going to want to go ahead and have that information available to us when we do the index.

The reason we want to run things like signature analysis and hash analysis at the time of indexing is so we can actually index those values, the results of signature and hash analysis, so we can quickly go ahead and search for those values in our search engine. Instead of having to load all those files up into memory we can search just the database of information of the signature and hash that’s stored in our index.

So signature analysis, same as it worked in 6, if you want to run signature analysis, go ahead and have that checked. Protected file analysis is something new in 7, and that’s the ability to run the built-in – in other words you don’t have to pay extra for it – capability of Passware to identify items that are protected. So this will tell you if files are encrypted or password-protected, and that’s important for us to know because it’ll help us determine if that file has actually been indexed. If a file was encrypted and the data is just – to the human readable eye – junk, we want to make sure that we decrypt that file before we index it. And so you really want to have a good sense of which items are protected or not. And so you can choose to run this now or you can also choose to run it later, to identify which files you may want to handle outside of the processor.

A great thing about Passware as well is that when we generate the results of the protection level, it’ll tell you how strong or weak that protection is, so we’ll kind of get a sense of how hard it would be to break that file open.

When we locate images we’ll create a thumbnail of those and then you’ll have one place that you can go look at all the thumbnails of all the images across your device, or whichever items you had actually chosen to process. So in this case it would be the thumbnails of just the emails that had pictures. Hash analysis we have two choices: we have MD5 and SHA1, both of those are built in to our version 7 view, so you’ll be able to see both of those hash values for you in the table.

Expanding compound files: now we had selected individual email archives and by using ‘find email’, those will be opened up, but if we had selected files and wanted to process those and mount them, and then look through those particular archives you could choose to expand compound files. You can see the list on the right-hand side of what we’re going to be expanding; in this instance it would be zip, gzip, tar, rar, thumbs.db, cpio, bzip2 and jumplist files. For email we support all of the email types listed on the right-hand side; PST does include OST files, so it’s OK if it’s in OST or PST, both of those would be able to be mounted, so that’s going to be important for the items that we’ve selected.

Internet artefacts is another type of operation we can look for, you can see the browsers we support listed on the right-hand side. The only option you have to set here is whether or not you want to search in unallocated for internet artefacts. We assume that you’re not going to care which browser internet artefacts come from, we’re going to search for all of them, but one choice is whether or not you really want to carve out of unallocated for internet artefacts.

With any of these options that are in blue, and in pretty much anything in 7 that’s in blue, it acts as a hyperlink. If you click on the hyperlink you’ll notice that you are then prompted with the options that you may want to change for that particular item. Now we saw raw keyword searching outside of the evidence processor, we could also choose to raw keyword search inside of the evidence processor. And that option is here, which would give you the same keyword dialogue that we’re used to.

Next we have our index, which is probably the most important part of processing, because this is where we get to pull out the text from both the body of the [indecipherable] items that we’re searching as well as the metadata, and store them in the index. This is what really allows us to make our searches efficient, and we’re going to show how we can search that index when it’s done.

The other value of the index is we talked about Passware a little bit earlier in our protected file analysis, and index is basically all the words that have been found on the drive. And those words could potentially contain passwords that you would want to use to try and decrypt protected files. So if you owned Passware this would be something that you had outside of EnCase, you could take your index and export that as a word list that you could then import as a dictionary into Passware to try and decrypt particular files.

In addition to our standard words that we look for you can also choose to look for specific patterns, so this is similar to grep, the grep terms we had in version 6 as your keywords. We can look for credit cards, government IDs, phone numbers, email addresses… and most of these patterns are user-centric.

Now I know several of you have asked where the EnScripts went from version 6, and so if we look in the Modules folder here, some of them have been renamed but the functionality is still there. So our Windows Initialise Case is now part of our System Information Parser, as well as our Linux Initialise Case. So if you run System Information Parser, whether it’s a Windows or a Linux box, we’re going to go ahead and pull up these particular artefacts: the startup, the OS, the user activity. New to 7 though we also show which USB devices – if we can determine – have been plugged in to the machine, what networks they may have had, what autoruns they may have had. All of those things that used to be in Windows Initialise Case are now found in System Information Parser, plus we get many, many more artefacts. It’s meant to support Windows 7 and later versions of our systems.

We still have the instant messaging parser that we had in 6, and the old Files Finder script is now called File Carver, and if we open that up by clicking the options, we can see that we can now carve for any of the types of data that have file type information. We used to be limited to only specific types, now we can search for all of them. If you want to focus on the optimised types, meaning the types where when you’re carving for the file we can get the size of the file out of the header, you can narrow down to just those optimised types, which is going to look more like the list we’ve got in 6 for those specific types of files.

You also have the option of whether you want to look in unallocated, file slack, and then HTML and webmail just like we did in version 6.

Our event log parsers are still available for Windows, Linux and Unix, and then we have in our Windows artefact parser, we used to have three separate scripts for parsing artefacts out of Windows: we had the link file parser script, and the recycle bin script, and then we had the $LogFile, which was the MFT transactions. You can now access all three of those through this one module. And those run fairly quickly: system information is probably one I would always choose to run because it’s quick and it gives you a lot of valuable information about the system.

Alright, so those are the general options that we have in the evidence processor, but what we want to see is which ones we’re going to do for the email. So I’m going to load up my saved settings for email, so if I make changes here and I want to save them for later use I could choose to save my settings to my desktop. But what I’m going to choose to do is load ones that I previously set for emails. I’m going to go into my documents – EnCase – and I’m going to locate my email processing options.

So here it’s saved my settings for me, I don’t have to remember what they were. I’m going to go ahead and expand any compound files that I find inside of the emails because I know my PST files are going to mount using the ‘find email’ option, and even though I have only PSTs, I’m going to leave them all checked, it won’t take any extra time to do these multiple options, and then I’m going to choose to index the contents of those emails so we’ll be able to search them. And then modules you can always run even if you’re not selecting those particular files, they’re going to run across the whole device. So I’m going to choose to run the system information parser. So I’m going to process my email, it gives me an option to do a label for that so I can see it when I look later at how it’s been processed, and then new in 7 is our ability to manage multiple evidence processors. And in this case I’m just going to queue this evidence right away so that it will start running right away on my local system. If I’d set up multiple processors this would go into the queue and any of the available processors would pick it up. If you don’t check this box, if you leave it unchecked, it’s going to look like your processor didn’t start, because you didn’t tell it to immediately queue it. You have to say basically “go ahead and hit go” and set it to run, before it’s done. So that’s probably one of the most common trip-ups I see with the latest version is that if you don’t have it immediately queued it won’t start running as soon as I click ‘OK’.

So I do want this to run right away, and we’re going to click ‘OK’ and let this particular processing job run. So that’s going to run in this case, and I can tell it’s running because it was listed and is showing here in the bottom right with a green status bar that it’s going ahead and is active.

So if we were to view our processor manager, that’s going to be the list of all the evidence files that have been processed on this machine. And I can see that my status is currently running, and now it’s complete.

So I’m going to go ahead and close out my processor manager, and now that it’s complete I am ready to start looking at these emails.

So it did a bunch of stuff all together, the main advantage, or one of the main advantages, of the processor is that it optimises the order and makes sure all of the emails are extracted, any compound files inside of those are extracted, and it manages that process very quickly so that it can then index most completely all of the data that it finds.

So now that we have it indexed, the power of 7 is going to be on that search tab. So we’re going to use ‘view – search’ to look at our search tab. This is the same tab we were on earlier to look at our keywords, remember we looked for some specific keywords as well as additional examples, but now I’m going to use the index to find some items of interest very quickly in those emails that I just indexed. The index works against the items that have been processed, so the only way you can generate an index is through that processor.

So the first thing that I’m going to look for in this case has to do with a distribution dispute, so I want to start looking for the word ‘distribution’. This top left kind of box is where you’re going to type in your search, so as I start typing the word ‘distribution’ I can see listed down below the possible items in my index that match what I’m typing. So if I wanted to say ‘distribution’ I can see it’s listed here, but maybe I also want ‘distribute’ and this one looks like it’s misspelled which I wouldn’t have found with a keyword, and so one of the things that we have in the index is the ability to use some operators to generalise, just like you would in a keyword with grep. So I’m going to use the star to say “starts with ‘distribution’ and then can have any number of characters after it”. So I can go ahead and run that search by just clicking ‘enter’. And here are my emails, I can see the email icon, and that locates the hits for distribution. So down below in the report I can see the hits for those particular items. And I can see that there’s probably quite a few listed in here. And for this instance we’re going to say that we want to see emails in our list that have to do with distribution, but we’ve been told – we want to know if Franklin is involved in those emails. So one of the great things about email in version 7 is we can actually search across the address fields and be specific in saying “hey, I don’t want to find Franklin anywhere, I want to find Franklin on the To, From, CC, BCC sort of field.” So the way we narrow down by field, we still want it to say ‘distribution’, but we also want it to include information about Franklin. So I’m going to say ‘and’ and use my field drop-down.

From the field drop-down we can see that there are some items here like our CC, BCC and we’ve got From and To, and maybe we wanted to go To Franklin or From Franklin or CC Franklin or BCC Franklin. We’ve actually built in the ability to look across all of those address fields using ‘address’. So using the address field you’re going to be able to search across all of those different To, CC, BCC. And I can just type in his name, Franklin, and I can see that there are several hits. So this is going to narrow down the number of items I have to look at to the things that have to do with distribution, but also the emails shown to contain Franklin in the address in one of the fields.

So it didn’t remove a lot, I can see it went from 59 to 41, but now I have fewer emails that I need to look through, and they’re more relevant to what I’ve been asked to look for in my case. So we’re going to find one of these emails here, and maybe we find that it says address, it looks like there’s a bunch in this particular list, so I’m going to go ahead and use ‘go to file’. Because once you’ve found the item you thought was interesting, you’re going to want to see it in the email archive it was generated from. So we’re going to do that by selecting the item and then on the toolbar here we’re going to use ‘go to file’. You can use the toolbar or, if you’re used to it, you can also use the right click, ‘go to file’.

Alright, so here we have the email, and it talks about the distribution contract dispute that we were told to look into. And this email looks interesting to us, and we can see that Franklin Brown is listed in one of the recipient fields.

But now we don’t want to just look at this email, we want to look at the whole conversation around the email. And to do that, we want to choose to find related and show conversation. This is our ability to rebuild the message using the message ID, thread ID or conversation ID built into the email archive format itself.

Alright, so we’re going to take this ‘show conversation’ and here we can see the replies and messages back from the different emails in the chain. And so we can see that there are some emails that talk about gossip, and “I apologise for the gossip that I did”, and so if we look through these emails, there are some that say “this is inappropriate”, “do not gossip”, maybe those are things that we all want to have reviewed by our HR department, for instance.

So I’m going to mark these ones, all of the emails in the chain, by tagging them. So I’m blue checking and I’m choosing to tag them because I’m going to want to at some point hand these over to HR but maybe I want to look at them a bit first.

So I’m going to choose to tag selected items. From the ‘tag selected items’ I can choose which tag I want to use, and I’m going to choose to review the items that I’ve tagged. And I’m going to click ‘OK’.

So all of those items have now been tagged, so I know I can go look at them at a later point. From our tag menu you can also go to ‘manage tags’ and you’ll see that we have – or even just down below – we now also have hot keys for each of these tags, so if I wanted to just do Alt+1, that would also have tagged those items.

Now I’ve drilled in from my search window to look at a particular email, and then from that email in the archive I did a conversation, and now I’ve tagged that conversation. But I want to go back to my original search, and just like if you had done that navigation through web pages, I have gone from one web page to the other, but I’m still in the same browser tab, I can choose to go back to see all of the emails in the archive that were relevant, and I can go back one more time to see the list of files that were responsive, and I can see that I have indeed in the table here, anything that’s tagged, the tag will show up in any view. We can see the emails that were part of that particular conversation, and in the conversation view they’re [indecipherable] so it’s just going to tag one of those for each.

And now I want to go ahead and just find the ones that I tagged and send them to HR for them to review.

So we were doing the search before, now I’m going to choose to look at the tags. And here I can see, of the tags in my case, how many items have been tagged with that particular tag. The review tag is the one we used for the emails that were of interest, so I’m going to click on view, and here are my items that were tagged for review.

So I want to send these in a review package to my HR team. So from the toolbar I’m going to choose the review package, and export. And I’m going to do all of the items here, and I’m going to give them the name of the email because that’s the name column, and that’s probably about all they’re going to need out of these fields. We’re just going to give them the name of the email, and we’re going to give them the tags they can use. If they were documents, or pictures, we could also choose to export a copy of those items using the export items checkbox here. So I’m going to export these to my desktop.

And here is what I could send to HR. So the review package is available to anyone, and they can choose to look at the items – you’ll notice that the emails here, even though they don’t have an email browser, like they didn’t have to bring this into their own version of Outlook – they’re able to see the name of the email as well as the metadata at the top of the email, and then the emails themselves. So HR could review these items and say hey, you know, maybe they want to put this one in the report, that one is something that they’re concerned about, and they also want to put [in] the reporting that she was not supposed to gossip in the report. So they mark two items in the review package. Now you can make as many review packages as you want, and the review package is an HTML application, there’s no licensing on it, so anyone can look at or be sent and review the review package themselves as long as they have a browser installed on their actual computer.

So they’ve tagged two items and they’re going to send that information back to you, so I’m going to export their markup. And I’m just going to save the path [indecipherable], click OK. And then inside of my window here, I can take their tags from the review package and import them in.

Now the file that they’re sending back to me, it doesn’t actually contain any case data, it just has identifiers for each of the files, and which tag to mark. So they could actually email this file back to you – if you sent them say a disc with all the documents that you wanted them to review, they could still just email you back this file by itself.

And here’s the tag they used, ‘add to report’. And as I click ‘finish’ I can see that those two items are now tagged in my case. So in this case we triaged using some raw keywords in our first demonstration, and we did some reporting there, and now we’ve gone through and just chosen to process email, I wasn’t processing the whole case, and I went ahead and did an index search for email items that had my subject matter as well as the address information being for a particular user.

So that’s what we did in this case, we were able to send emails out without them having to have any sort of viewer, and they could provide feedback to us that was automatically applied to our case.

Alright, so that’s case one, I’m going to go ahead and close this case. Save it, close it. And now we’re going to move into another case that I have, that has to do with an iOS 7 device. So I’m going to open that up. And I have two evidence files in here, I have this one called “iOS 7 video” but it’s actually just a regular hard drive with an operating system, and then this is my smartphone device. So this is a smartphone that maybe was acquired through our ‘add evidence – acquire smartphone’ option, you can see we do acquire Apple iOS devices. We can also look at Apple iTunes backup as well.

So assuming we’ve acquired those and we have them in our case, in this instance I actually did processing of the whole drive. So instead of trying to focus on emails or internet artefacts, I processed basically with the default options, and I’m ready to now come and look at my results.

So if you had, say, a couple of hours of machine time you wanted to just dedicate, maybe you go home for the night and you want to just do the full processing instead of triaging, this would allow you to come back in the next day and do some review of a particular matter.

Again, once it’s processed, I’m going to view the search tab, because that’s really where I’m going to drive my investigation from.

So in this case we know that we’re trying to determine if this person has any information about the Harlequins game against the London Irish. So this is a UK evidence file set that we have here. And so we’re going to first start looking for some of the terms that we know are related to this case.

So if I start typing Harlequins, we can see that there’s a couple here. I actually, as an examiner, happen to know that they might also be called Quins. So instead of doing Harlequins and then putting an asterisk at the end, I’m going to put it at the beginning and say it should end with Quins.

Now the only thing I couldn’t do here is *quin*. You can’t have wildcards on both sides. So if I wanted Quins or Quin, then I would have to actually write both of those out. So Harlequins or Quins, we want to find items with that, and we want to have a reference to London Irish. We can group items together using the parentheses, so if you guys remember back to math class in elementary or maybe junior high, the Please Excuse My Dear Aunt Sally or whatever acronym you used for that, parentheses kind of act as top-level groupers, and we’re going to have the word ‘London’ within a couple of words, specifically within two words, of the word Irish. Now I’m kind of mixing cases here, upper case and lower case, and I’m doing that on purpose, because even though you’re typing it in either upper or lower case, while our index is case sensitive, our query is not case sensitive unless you’d like it to be. If you wanted it to be specifically London with a capital ‘L’ and Irish with a capital ‘I’, you could go ahead and say, hey, make that case sensitive, using this upper and lower case option at the top, or you could just type in “[C]”. That would mean both London and Irish needed to match capitalisation exactly.

But I just want to find any reference to the Harlequins and London Irish, meaning London needs to be within two words of Irish. This would also find Irish before London; if you wanted it to be in a specific order you could say “London preceding” using the “PRE – Irish” by two words. Now I went through a lot of different options here really quickly, and if you ever need kind of a quick look of hey, how were those operations done again? I’d like to point out there’s a little question mark button right here next to the help window, and if you click on that and you choose to go to the search operations, we give you an example of all the different search operations you can do in our index. So we’ll give you how to escape things out, how to do proximity, how to search things together using parentheses, how to use the fields; even though we’ve given an example of those in this webinar, that’s available to you to quickly access, and it’s always there using the question mark help specific to the index search.

Alright, so we have our search how we want it. We can either use the play button, which is what I usually call this green triangle at the top right, or you can always click ‘enter’ just at the end of the search box. And now we’re going to find a bunch of items; we can tell which device they’re on based on the primary device, so here are some items that are referring to the actual hard drive – even though it says video, it’s just kind of a poor name for that device, but it’s the hard drive – that referred to the big game, Harlequins versus London Irish. And then we also have event information inside of the phone itself that indicates Harlequins 51 versus 17 London Irish. So we can see some information on both their hard drive and the mobile device in one view that shows that maybe they know something about the London Irish – Harlequins game.

We’d have to do more investigation, these are just kind of top-level items that we might want to look into. But this would give us a good place to start, and we can see both are mentioned on the device itself.

So the next thing we want to do is say hey, was this device ever connected or related to this particular hard drive? And we’re going to do that also using a search – and actually, we’re going to do a search that’s going to look for items, and we’re going to end up finding out they were probably connected. But if you wanted to show how to establish whether an iPhone was actually connected to a hard drive itself, in our advanced training course we go over smartphones in detail and we show you how to find the unique identifier for that cellphone located in the hard drive’s backup area. So we’re going to do a search that’s basically for pictures, and that maybe indicates that they were connected, but if you wanted to have some more hard-based evidence for those being connected, we do cover that in the advanced class. Unfortunately we don’t have enough time to go through too much detail on iOS forensics in this particular webinar.

So we saw that there are the fields, and we used ‘address’ for our email investigation. The one that you’re going to want to use in version 7 probably the most, just to kind of get you started, is the category. This one acts a lot like the conditions used to act in version 6, but it’s a lot faster and it does it across all your different types. So whether the picture is in results from an EnScript or it’s an email or it’s in a regular device, when you choose ‘category – picture’ you’re looking across your whole evidence set.

So if we choose ‘category – picture’ we can locate all the pictures on these particular devices. But we want to go ahead and narrow it down to say, you know what, I only want pictures that were created in December of 2013. That’s when I think the interesting pictures occur. So I’m going to say ‘category – picture’, and another set of fields we have available to us are the date fields. So anything with this calendar icon – accessed, created, modified, viewed, sent – is a date field. And notice we also have kind of a magic field, like we did with the address, for dates. Date will look across any of the fields with the calendar icon in front of them. But I want to specifically narrow it down to created, and the format we have for searching for dates is to go from the least specific, meaning the year, down to the most specific, meaning the day or even hour, minute, second; you can get really granular here. But we’re going to focus on it being in 2013, and then we want it to be a particular month, so I’m going to say it’s in December. So I’m going to put in 12. That’s going to look for any files that are category picture, that were created – whether they’re on the video device or the regular device – in December of 2013.

So that’s going to narrow the number of files that I need to review down to just 298. But I want to narrow it down even further to say, you know what, show me the big files, right? I don’t need to see all the files, I want to focus on files that are larger. So I’m going to say it needs to be a picture, created in my date range, and the logical size, we want it to be, let’s say, a million bytes or more. So in the new search engine we use the ellipses kind of like a greater than or less than symbol. So it needs to be 1000 bytes or more, and I’m not going to set an upper limit, I’m not going to put like 2 million bytes here, because we’re just going to say one million bytes or anything higher than that. We could also have done the same thing with our dates; we could have said hey, we want December 2013 through, maybe, January of 2014. So this ellipsis works as a duration. So I’m going to go ahead and say, for this particular search, I want it December 2013, and I want it to be over 1 million bytes.

Alright. And now I have just 11 items to look at. I’ve got some pictures here that I can look at in the pictures view. I can also see in my GPS here that they look like they’re on the camera roll of my iPhone device that’s listed. And if I look through the ones on my hard drive, I’m going to notice that they look a lot like the ones that were in my phone. And specifically, if we look over here in my MD5 column, I’ll search and be able to match up some of the hash values. There we go. And I can see that for each of these pictures I see a copy not just on my phone but also in the users/ios/app/data/roaming mobile sync backup location.

So we go into more detail on how those backup files are created, but you can see that these files that exist on the phone are also present on the backup that’s located on the hard drive that we have. And we can see those are right next to each other in this search window. So if you need to triage, you can always just select the files you want to focus in on, but if you’re able to process the whole device, and maybe process the whole cell phone, you’ll maybe start to build these connections between the two pieces of evidence all through the search, we have a lot of stuff built in our search and the more you get familiar with just the little nomenclature here – again, that question mark is a great help in case you’re not doing searches every day, you can refresh your memory on how to really narrow down, how to work with the searches.

So that pretty much covers what I was going to go over in this particular webinar.

End of Transcript
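The filtering and hash correlation the presenter walks through in the second case (category picture, created in December 2013, logical size of one million bytes or more, then matching MD5 values between the phone’s camera roll and the backup copy on the hard drive) as an added Python example. This is not EnCase code and not part of the webinar: the evidence records, device names, paths and byte contents are constructed for illustration, and the `created` / `logical_size` field names and the `A...B` range spelling are modelled on the syntax described in the talk rather than taken from EnCase’s documentation.

```python
"""Added example: index-style filtering plus MD5 correlation across two
devices. Constructed data only; nothing here is EnCase's own code."""
import hashlib
from datetime import datetime


def _blob(seed: int, size: int) -> bytes:
    """Deterministic filler so two 'copies' of a file hash identically."""
    chunk = seed.to_bytes(4, "big")
    return (chunk * (size // 4 + 1))[:size]


def make_item(device, path, category, created, content):
    return {
        "device": device,
        "path": path,
        "category": category,
        "created": created,
        "logical_size": len(content),
        "md5": hashlib.md5(content).hexdigest(),
    }


# Constructed evidence set (assumed, not real case data): a hard drive
# named "iOS 7 video" and a smartphone. Backup paths are illustrative.
PHONE, DRIVE = "smartphone", "iOS 7 video"
BACKUP = "Users/ios/AppData/Roaming/Apple Computer/MobileSync/Backup/"
EVIDENCE = [
    make_item(PHONE, "DCIM/100APPLE/IMG_0012.JPG", "picture", datetime(2013, 12, 14, 15, 2), _blob(12, 1_500_000)),
    make_item(PHONE, "DCIM/100APPLE/IMG_0013.JPG", "picture", datetime(2013, 12, 20, 9, 30), _blob(13, 2_100_000)),
    make_item(PHONE, "DCIM/100APPLE/IMG_0014.JPG", "picture", datetime(2013, 12, 22, 11, 0), _blob(14, 400_000)),
    make_item(PHONE, "DCIM/100APPLE/IMG_0009.JPG", "picture", datetime(2013, 11, 30, 8, 0), _blob(9, 1_800_000)),
    make_item(DRIVE, BACKUP + "0012", "picture", datetime(2013, 12, 28, 19, 5), _blob(12, 1_500_000)),
    make_item(DRIVE, BACKUP + "0013", "picture", datetime(2013, 12, 28, 19, 5), _blob(13, 2_100_000)),
    make_item(DRIVE, BACKUP + "0009", "picture", datetime(2014, 1, 3, 8, 40), _blob(9, 1_800_000)),
    make_item(DRIVE, "Users/ios/Pictures/wallpaper.jpg", "picture", datetime(2013, 12, 2, 7, 0), _blob(77, 3_000_000)),
    make_item(DRIVE, "Users/ios/Documents/match_report.docx", "document", datetime(2013, 12, 10, 13, 0), _blob(5, 1_200_000)),
]


def created_matches(created: datetime, spec: str) -> bool:
    """spec is written least specific to most specific ('2013', '2013-12',
    '2013-12-14'); 'A...B' is an inclusive range and either side may be empty,
    mirroring the year-month-day and ellipsis forms described in the talk."""
    stamp = created.strftime("%Y-%m-%d %H:%M:%S")
    if "..." not in spec:
        return stamp.startswith(spec)
    lo, hi = spec.split("...", 1)
    if lo and stamp[: len(lo)] < lo:
        return False
    if hi and stamp[: len(hi)] > hi:
        return False
    return True


def size_matches(size: int, spec: str) -> bool:
    """'1000000...' means at least one million bytes; '...N' means at most N."""
    if "..." not in spec:
        return size == int(spec)
    lo, hi = spec.split("...", 1)
    if lo and size < int(lo):
        return False
    if hi and size > int(hi):
        return False
    return True


def run_query(items, category=None, created=None, logical_size=None):
    """AND the supplied field filters across every device in the evidence set."""
    hits = []
    for it in items:
        if category and it["category"] != category:
            continue
        if created and not created_matches(it["created"], created):
            continue
        if logical_size and not size_matches(it["logical_size"], logical_size):
            continue
        hits.append(it)
    return hits


def correlate_by_md5(items):
    """Group hits by MD5 and keep only hashes present on more than one device:
    the phone-to-backup link the presenter reads off the MD5 column."""
    groups = {}
    for it in items:
        groups.setdefault(it["md5"], []).append(it)
    return {h: g for h, g in groups.items() if len({i["device"] for i in g}) > 1}


if __name__ == "__main__":
    hits = run_query(EVIDENCE, category="picture", created="2013-12", logical_size="1000000...")
    print(f"{len(hits)} pictures >= 1 MB created in December 2013")
    for md5, group in correlate_by_md5(hits).items():
        print(md5, [(i["device"], i["path"]) for i in group])
```

Widening the date filter to the range form (`created="2013-11...2014-01"`) pulls in the November picture and its January backup copy as a third hash match, which is the kind of check worth running before concluding that a narrow query has found every copy.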
