Guideline for EnCase workflow


kovar
Senior Member
 

Guideline for EnCase workflow

Post Posted: Nov 30, 09 20:38

Good morning,

I was asked to come up with a guideline for a normal EnCase workflow. This isn't a "do this every single time" list, more of a "here are some things you should think about doing and the order to do them in." Comments on this would be welcome.

1. Create case - Ensure that you have all relevant information - custodians, clients, case name, etc.
2. Add evidence - E01, LEFs, loose files, etc.
3. Confirm disk geometry, sector count, partitions.
4. Run Partition Finder if indicated
5. Run Recover Deleted Folders
6. Search case - hash and signature analysis
7. Run File Mounter - recursive, not persistent, create LEF, add LEF to case
8. Run Case Processor -> File Finder. Export results, add back in as LEF.
9. Search case - hash and signature analysis
10. Search for encrypted or protected files. Address as appropriate.
11. Extract registry hives
12. Index case.


Other tasks outside of EnCase:

1. Mount image and scan for viruses
2. Mount image and run triage tool(s) against it
3. Run image in LiveView or VFC to see system as user experienced it
4. Run RegRipper and RPRipper against registry hives
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
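Step 3 (confirm disk geometry, sector count, partitions) and step 4 (Partition Finder) of the list above are the kind of checks an examiner can reproduce outside EnCase. The following is an added example, not code from the original post or from Guidance Software: it parses a classic MBR partition table, checks that the entries fit inside the image and do not overlap, lists the unallocated gaps, and sweeps an image sector by sector for NTFS boot-sector signatures the way a partition-finder tool does. The MBR and the 64-sector image are constructed in memory for the demonstration; sector counts, partition types and the LBA 40 orphaned volume are made-up sample values.

```python
import struct

SECTOR_SIZE = 512


def build_sample_mbr():
    """Constructed test MBR (not from a real disk): two NTFS (0x07) primary
    partitions, the first bootable at LBA 2048 for 204800 sectors, the second
    immediately after it for 102400 sectors."""
    mbr = bytearray(SECTOR_SIZE)
    entries = [
        # (boot flag, type, start LBA, sector count)
        (0x80, 0x07, 2048, 204800),
        (0x00, 0x07, 206848, 102400),
    ]
    for i, (boot, ptype, start, count) in enumerate(entries):
        off = 446 + 16 * i
        # CHS fields are left zeroed; modern tooling relies on the LBA fields.
        mbr[off:off + 16] = struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(sector):
    """Return the non-empty entries of the 4-slot partition table at offset 446."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR, or damaged")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, start, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count, "end_lba": start + count - 1})
    return parts


def check_geometry(parts, total_sectors):
    """Sanity checks behind 'confirm disk geometry': every partition must lie
    inside the image, and no two partitions may overlap."""
    problems = []
    for p in parts:
        if p["end_lba"] >= total_sectors:
            problems.append(f"partition {p['index']} ends at LBA {p['end_lba']} "
                            f"beyond image end {total_sectors - 1}")
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start_lba"] <= a["end_lba"]:
            problems.append(f"partitions {a['index']} and {b['index']} overlap")
    return problems


def unallocated_ranges(parts, total_sectors):
    """Gaps between partitions, as (first_lba, last_lba) pairs. Deleted
    partitions or hidden data, the things Partition Finder looks for, live here."""
    gaps = []
    cursor = 1  # LBA 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["end_lba"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def find_ntfs_boot_sectors(image):
    """Partition-finder style sweep: report every sector that carries the NTFS
    OEM ID and a 0x55AA signature, regardless of what the partition table says."""
    hits = []
    for lba in range(len(image) // SECTOR_SIZE):
        s = image[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
        if s[3:11] == b"NTFS    " and s[510:512] == b"\x55\xaa":
            hits.append(lba)
    return hits


def build_sample_image():
    """Constructed 64-sector image: the sample MBR at LBA 0 plus an NTFS volume
    boot record at LBA 40 that no partition entry points to (an orphaned
    volume). Only the signature sweep is meant to be run against it."""
    img = bytearray(64 * SECTOR_SIZE)
    img[0:SECTOR_SIZE] = build_sample_mbr()
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xeb\x52\x90"   # jump instruction that starts an NTFS VBR
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = b"\x55\xaa"
    img[40 * SECTOR_SIZE:41 * SECTOR_SIZE] = vbr
    return bytes(img)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    print(parts, check_geometry(parts, 400000), unallocated_ranges(parts, 400000))
    print("NTFS VBRs found at LBA:", find_ntfs_boot_sectors(build_sample_image()))
```

Compare the sector count from the partition table with the sector count the imaging tool recorded for the E01: the two "beyond image end" and "overlap" checks are exactly where a truncated acquisition or a tampered table shows up first, and any gap that is larger than the usual alignment padding is worth a Partition Finder pass.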
 
  

keydet89
Senior Member
 

Re: Guideline for EnCase workflow

Post Posted: Nov 30, 09 21:23

- kovar
1. Mount image and scan for viruses

I would recommend using more than one AV scanner, as well as more than one technique.

- kovar
2. Mount image and run triage tool(s) against it

Triage tools...such as?

- kovar
3. Run image in LiveView or VFC to see system as user experienced it

Okay.

- kovar
4. Run RegRipper and RPRipper against registry hives

What is RPRipper? I can't find this described anywhere...
 
  

kovar
Senior Member
 

Re: Guideline for EnCase workflow

Post Posted: Nov 30, 09 22:07

- keydet89
- kovar
1. Mount image and scan for viruses

I would recommend using more than one AV scanner, as well as more than one technique.

I was considering recommending the following AV scanners:

1. VIPRE
2. Clam
3. F-Secure
4. Malwarebytes

I left Gargoyle off as it doesn't seem to be holding its own any more.

- keydet89
- kovar
2. Mount image and run triage tool(s) against it

Triage tools...such as?

To be determined, this is more of a placeholder at the moment. One client often asks "What chat programs are they running and what browsers?" so a tool that can handle answering those questions quickly and accurately. One client really liked the DriveProphet coverage and reports. I'm going to take a look at ADF though that seems more oriented to LE and possibly CP issues.

- keydet89
- kovar
3. Run image in LiveView or VFC to see system as user experienced it

Okay.

- keydet89
- kovar
4. Run RegRipper and RPRipper against registry hives

What is RPRipper? I can't find this described anywhere...

Whups. Thank you. I meant RipXP.
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

Nicci
Member
 

Re: Guideline for EnCase workflow

Post Posted: Dec 01, 09 16:30

- kovar
1. Create case - Ensure that you have all relevant information - custodians, clients, case name, etc.

Really nice step – it will certainly be of great help a year later, when the trial begins; it will help you recall the interesting information faster and more accurately.

- kovar
2. Add evidence - E01, LEFs, loose files, etc.

Of course you need all the data in the case, so you can search and confirm findings as the examination goes on.

- kovar
3. Confirm disk geometry, sector count, partitions.

True enough.

- kovar
4. Run Partition Finder if indicated

That's rarely needed, at least from my perspective (it depends on the date on which the current partition was made and how old the data we are looking for is, but of course in some cases it will be a good idea).

- kovar
5. Run Recover Deleted Folders

I do it every time, but so far I haven't had any luck finding anything that would help with the tasks I have.

- kovar
6. Search case - hash and signature analysis

As for the hashing, it depends heavily on what you are looking for. The signature analysis is practical.

- kovar
7. Run File Mounter - recursive, not persistent, create LEF, add LEF to case

Why would I have to add files that are in the mounted image, which is already in the case? Anyway, I like to be able to see the drive outside EnCase every now and then, so I mount the image for the sole purpose of seeing it through Explorer.

- kovar
8. Run Case Processor -> File Finder. Export results, add back in as LEF.

Again, it heavily depends on what you are looking for, but sometimes it's a good idea.

- kovar
9. Search case - hash and signature analysis

If the previous step added something to the case, it's a good idea to search again, but I'd do it only for the new files.

- kovar
10. Search for encrypted or protected files. Address as appropriate.

I'd do this before I run the search, hash and signature analysis.

- kovar
11. Extract registry hives

Yep – really good info there, but I'd do that even before I start the first search; it may give me an idea of what to search for.

- kovar
12. Index case.

I'll do that if I need to search the case again.

- kovar
1. Mount image and scan for viruses

As far as I know, only about 40% of viruses are found by the existing antivirus programs, and that's if I can scan the files with all the existing AVs; it won't do me almost any good, and if the case isn't about viruses I probably won't do it.

- kovar
2. Mount image and run triage tool(s) against it

Something more than DriveProphet and ADF. I'll have to check those two though.

- kovar
3. Run image in LiveView or VFC to see system as user experienced it

In a lot of cases I believe it's not necessary to view the system as the user experienced it, or at least I'll do that after I'm done examining the data with EnCase/FTK or whatever I'm using for the particular case. It can sometimes mislead me and I can miss something important.

- kovar
4. Run RegRipper and RPRipper against registry hives

I'll add RegReport to that list.

Cheers

Nicci  
 
  

keydet89
Senior Member
 

Re: Guideline for EnCase workflow

Post Posted: Dec 01, 09 16:43

Dave,

With respect to AV, that's all you're recommending...run AV scanners?

Thanks,

h  
 
  

Jonathan
Senior Member
 

Re: Guideline for EnCase workflow

Post Posted: Dec 01, 09 17:11

- kovar
6. Search case - hash and signature analysis
7. Run File Mounter - recursive, not persistent, create LEF, add LEF to case
8. Run Case Processor -> File Finder. Export results, add back in as LEF.
9. Search case - hash and signature analysis
10. Search for encrypted or protected files. Address as appropriate.


As EnCase cannot run these stages iteratively (unlike for example X-Ways Forensics) you would need to run the above in a loop until you are reasonably sure that you have access to every file available.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
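Jonathan's point that steps 6 to 10 have to be run in a loop until nothing new turns up, and Nicci's earlier remark that the repeat pass should only look at the new files, describe a fixed-point iteration. The code below is an added illustration, not part of anyone's post and not EnCase's File Mounter or signature table: it stands in zip archives for mounted containers, a magic-byte check for signature analysis, and SHA-1 hashes for the "already examined" set, and keeps mounting and re-examining until a pass adds no file to the case. The evidence set (a loose file plus a zip nested two levels deep) is constructed in memory so the example runs offline.

```python
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"


def make_zip(members):
    """Build a zip archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_evidence():
    """Constructed evidence set: a loose document plus a zip inside a zip inside
    a zip, which a single mount pass would only partly open."""
    deep = make_zip({"secret.txt": b"deepest"})
    inner = make_zip({"notes.txt": b"inner text", "deep.zip": deep})
    outer = make_zip({"readme.txt": b"outer text", "archive.zip": inner})
    return {"docs/report.txt": b"plain file", "docs/bundle.zip": outer}


def sha1(data):
    return hashlib.sha1(data).hexdigest()


def is_container(data):
    """Signature analysis stand-in: only the zip magic is recognised here."""
    return data[:4] == ZIP_MAGIC


def mount(path, data):
    """File Mounter stand-in: yield (child_path, child_bytes) for a zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield f"{path}/{info.filename}", zf.read(info)


def process_case(evidence, max_passes=None):
    """Run signature analysis plus mounting repeatedly until a pass adds nothing.

    Returns (files by path, number of passes run). Entries are tracked by hash,
    so a repeat pass only examines content not seen in an earlier pass; files
    whose hash is already known (hash analysis) are skipped as well.
    max_passes limits the loop so the effect of a single pass can be compared."""
    case = dict(evidence)
    seen_hashes = set()
    passes = 0
    while True:
        passes += 1
        new_items = {}
        for path, data in case.items():
            h = sha1(data)
            if h in seen_hashes:
                continue  # already analysed in an earlier pass
            seen_hashes.add(h)
            if is_container(data):
                for child_path, child_data in mount(path, data):
                    if child_path not in case:
                        new_items[child_path] = child_data
        case.update(new_items)
        if not new_items or passes == max_passes:
            return case, passes


if __name__ == "__main__":
    once, _ = process_case(build_sample_evidence(), max_passes=1)
    full, n = process_case(build_sample_evidence())
    print(f"single pass: {len(once)} files; fixed point after {n} passes: {len(full)} files")
    for p in sorted(full):
        print(" ", p)
```

The single-pass run stops at four files while the loop reaches seven, which is the gap Jonathan describes; in a real case the "new file" set after each pass is also the natural scope for the repeated hash and signature analysis of step 9 and for the encrypted-file check of step 10.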
 
  

rjpear
Senior Member
 

Re: Guideline for EnCase workflow

Post Posted: Dec 01, 09 18:11

I think you should keep in mind that this is just a guideline and is flexible depending on the needs of the investigator and the case at hand. All steps DO NOT have to be completed on every investigation. Now if you want to create an SOP that requires certain steps then so be it, but prepare for a bigger backlog. The forensic examiner has to have some leeway or flexibility to be able to get his job done.

As for running AV... great, as well as malware programs (Spybot and Adaware, etc.), but why do you think that Gargoyle is DOA or not as effective? Is it the support costs?

I think a great topic would be what AV and malware programs you run and what report or possible report outputs you get to document the results...
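Two threads of this discussion, keydet89's advice to use more than one AV scanner and rjpear's question about what report output documents the results, come together in a small consolidation step: run the scanners over the read-only mount, parse each scanner's per-file verdicts, and produce one table that shows, per flagged file, how many of the scanners agreed and under which names. The code below is an added example and is not from any poster or vendor. It parses the per-file line format clamscan prints (`<path>: <signature> FOUND` / `<path>: OK`) and a second, purely hypothetical CSV-style scanner output; the mount point `/mnt/evidence`, the file paths and the signature names are all constructed sample data, not real detections.

```python
import csv
import io
import re
from collections import defaultdict

MOUNT_POINT = "/mnt/evidence"  # assumed read-only mount of the image; adjust to the lab setup

# Constructed sample of clamscan's per-file output. Signature names are made up.
CLAMAV_OUTPUT = """\
/mnt/evidence/Users/alice/Downloads/setup.exe: Win.Trojan.Agent-12345 FOUND
/mnt/evidence/Users/alice/Downloads/invoice.pdf: OK
/mnt/evidence/Windows/Temp/svc.dll: Win.Malware.Generic-6789 FOUND
/mnt/evidence/Users/alice/Documents/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 2
"""

# Hypothetical second scanner that exports path,result,name as CSV (constructed).
SCANNER_B_CSV = """\
path,result,name
/mnt/evidence/Users/alice/Downloads/setup.exe,infected,Trojan.Downloader.X
/mnt/evidence/Users/alice/Downloads/invoice.pdf,infected,Exploit.PDF.Y
/mnt/evidence/Windows/Temp/svc.dll,clean,
"""

CLAM_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def relpath(path):
    """Strip the mount point so the report refers to paths inside the image."""
    return path[len(MOUNT_POINT):] if path.startswith(MOUNT_POINT) else path


def parse_clamav(text):
    """Return {image-relative path: signature or None} from clamscan output;
    summary and blank lines do not match the per-file pattern and are skipped."""
    verdicts = {}
    for line in text.splitlines():
        m = CLAM_LINE.match(line)
        if m:
            verdicts[relpath(m["path"])] = m["sig"]
    return verdicts


def parse_csv_scanner(text):
    """Same shape of result for the hypothetical CSV-exporting scanner."""
    verdicts = {}
    for row in csv.DictReader(io.StringIO(text)):
        verdicts[relpath(row["path"])] = row["name"] if row["result"] == "infected" else None
    return verdicts


def consolidate(results):
    """results: {scanner: {path: signature or None}} ->
    {path: {scanner: signature}} for every file at least one scanner flagged."""
    flagged = defaultdict(dict)
    for scanner, verdicts in results.items():
        for path, sig in verdicts.items():
            if sig is not None:
                flagged[path][scanner] = sig
    return dict(flagged)


def report_rows(flagged, scanners):
    """One row per flagged file: how many of the scanners agreed, and the names."""
    rows = []
    for path in sorted(flagged):
        hits = flagged[path]
        rows.append({"path": path, "detections": len(hits), "of": len(scanners),
                     "consensus": len(hits) == len(scanners),
                     "names": "; ".join(f"{s}={hits[s]}" for s in scanners if s in hits)})
    return rows


def report_csv(rows):
    """CSV text of the rows, suitable for attaching to the case notes."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["path", "detections", "of", "consensus", "names"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    scanners = ["clamav", "scannerB"]
    flagged = consolidate({"clamav": parse_clamav(CLAMAV_OUTPUT),
                           "scannerB": parse_csv_scanner(SCANNER_B_CSV)})
    print(report_csv(report_rows(flagged, scanners)))
```

Files every scanner flags are the easy calls; the single-scanner rows are the ones to look at by hand, since a lone detection is as likely to be a heuristic false positive as a sample the other engines miss, and recording which engine and which signature version produced each verdict is what makes the result defensible later.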
 
