Guideline for EnCase workflow

44 Posts
13 Users
0 Likes
3,508 Views
(@kovar)
Posts: 805
Prominent Member
Topic starter
 

Good morning,

I was asked to come up with a guideline for a normal EnCase work flow. This isn't a "do this every single time" list, more of a "here are some things you should think about doing and the order to do them in." Comments on this would be welcome.

1. Create case - Ensure that you have all relevant information - custodians, clients, case name, etc.
2. Add evidence - E01, LEFs, loose files, etc.
3. Confirm disk geometry, sector count, partitions.
4. Run Partition Finder if indicated
5. Run Recover Deleted Folders
6. Search case - hash and signature analysis
7. Run File Mounter - recursive, not persistent, create LEF, add LEF to case
8. Run Case Processor -> File Finder. Export results, add back in as LEF.
9. Search case - hash and signature analysis
10. Search for encrypted or protected files. Address as appropriate.
11. Extract registry hives
12. Index case.

Other tasks outside of EnCase

1. Mount image and scan for viruses
2. Mount image and run triage tool(s) against it
3. Run image in LiveView or VFC to see system as user experienced it
4. Run RegRipper and RPRipper against registry hives

 
Posted : 30/11/2009 8:38 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

1. Mount image and scan for viruses

I would recommend using more than one AV scanner, as well as more than one technique.

2. Mount image and run triage tool(s) against it

Triage tools…such as?

3. Run image in LiveView or VFC to see system as user experienced it

Okay.

4. Run RegRipper and RPRipper against registry hives

What is RPRipper? I can't find this described anywhere…

 
Posted : 30/11/2009 9:23 pm
(@kovar)
Posts: 805
Prominent Member
Topic starter
 

1. Mount image and scan for viruses

I would recommend using more than one AV scanner, as well as more than one technique.

I was considering recommending the following AV Scanners

1. VIPRE
2. Clam
3. F-Secure
4. Malwarebytes

I left Gargoyle off as it doesn't seem to be holding its own any more.

2. Mount image and run triage tool(s) against it

Triage tools…such as?

To be determined, this is more of a placeholder at the moment. One client often asks "What chat programs are they running and what browsers?" so a tool that can handle answering those questions quickly and accurately. One client really liked the DriveProphet coverage and reports. I'm going to take a look at ADF though that seems more oriented to LE and possibly CP issues.

3. Run image in LiveView or VFC to see system as user experienced it

Okay.

4. Run RegRipper and RPRipper against registry hives

What is RPRipper? I can't find this described anywhere…

Whups. Thank you. I meant RipXP.

 
Posted : 30/11/2009 10:07 pm
(@nicci)
Posts: 15
Active Member
 

1. Create case - Ensure that you have all relevant information - custodians, clients, case name, etc.

Really nice step – it will certainly be of great help a year later, when the trial begins; this will help you recall the interesting information faster and more accurately.

2. Add evidence - E01, LEFs, loose files, etc.

Of course you need all the data in the case, so you can search and confirm findings as the examination goes on.

3. Confirm disk geometry, sector count, partitions.

True enough.

4. Run Partition Finder if indicated

That’s rarely needed, at least from my perspective (it depends on the dates on which the current partition was made and how old the data we are looking for is, but of course in some cases it will be a good idea).

5. Run Recover Deleted Folders

I do it every time, but so far I haven’t had any luck finding anything that will be of help for the tasks I have.

6. Search case - hash and signature analysis

About the hash, it depends heavily on what you are looking for. About the signature analysis, it’s practical.

7. Run File Mounter - recursive, not persistent, create LEF, add LEF to case

Why would I have to add files that are in the mounted image, which is already in the case? Anyway, I like to be able to see the drive outside EnCase every now and then, so I mount the image for the sole purpose of seeing it through Explorer.

8. Run Case Processor -> File Finder. Export results, add back in as LEF.

Again heavily depends on what you are looking for, but sometimes it’s a good idea.

9. Search case - hash and signature analysis

If the previous step included something in the case – it’s a good idea to search again, but I’d do it only for the new files.

10. Search for encrypted or protected files. Address as appropriate.

I’ll add this before I make the search, hash and signature analysis.

11. Extract registry hives

Yep – really good info there, but I’ll do that even before I start the first search – it may give me an idea what to search for.

12. Index case.

I’ll do that if I need to search the case again.

1. Mount image and scan for viruses

As far as I know, only about 40% of the viruses are found with the existing antivirus programs, and that’s if I can scan the files with all the existing AVs; it will do me almost no good, and if the case isn’t about viruses I probably won’t do it.

2. Mount image and run triage tool(s) against it

Something more than DriveProphet and ADF. I’ll have to check these two though.

3. Run image in LiveView or VFC to see system as user experienced it

In a lot of cases I believe it’s not necessary to view the system as the user experienced it, or at least I’ll do that after I’m done examining the data with EnCase/FTK or whatever I’m using for the particular case. It can sometimes mislead me and I can miss something important.

4. Run RegRipper and RPRipper against registry hives

I’ll add RegReport to that list.

Cheers

Nicci

 
Posted : 01/12/2009 4:30 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Dave,

With respect to AV, that's all you're recommending…run AV scanners?

Thanks,

h

 
Posted : 01/12/2009 4:43 pm
(@jonathan)
Posts: 878
Prominent Member
 

6. Search case - hash and signature analysis
7. Run File Mounter - recursive, not persistent, create LEF, add LEF to case
8. Run Case Processor -> File Finder. Export results, add back in as LEF.
9. Search case - hash and signature analysis
10. Search for encrypted or protected files. Address as appropriate.

As EnCase cannot run these stages iteratively (unlike for example X-Ways Forensics) you would need to run the above in a loop until you are reasonably sure that you have access to every file available.

 
Posted : 01/12/2009 5:11 pm
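The loop Jonathan describes (mount containers, search, repeat until nothing new turns up) and the "hash and signature analysis" steps from the original list can be shown in a few dozen lines. The following is an added example, not code from this thread or from EnCase: it unpacks zip containers until a pass finds no new files, then hashes every file, categorises it against constructed notable/known-good hash sets, and flags extension/signature mismatches. The container type (zip only), SHA-1 as the hash, the small signature table, and all sample data are assumptions constructed for the example.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass

# Minimal signature table (assumption): leading magic bytes -> extensions
# that legitimately carry them. A real tool would use a far larger table.
SIGNATURES = [
    (b"%PDF", {"pdf"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"MZ", {"exe", "dll", "sys", "scr"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "jar"}),
]
ZIP_MAGIC = b"PK\x03\x04"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample evidence set (not real case data): a zip nested inside a
# zip, with a PE-looking stub renamed to .txt two levels deep.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
INNER_ZIP = make_zip({"notes.txt": PE_STUB})
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n% constructed placeholder body\n",
    "evidence.zip": make_zip({"inner.zip": INNER_ZIP,
                              "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16}),
    "readme.txt": b"plain text, nothing of interest",
}
# Constructed hash sets standing in for a case's notable and known-good libraries.
NOTABLE_HASHES = {sha1_hex(PE_STUB)}
IGNORABLE_HASHES = {sha1_hex(SAMPLE_FILES["readme.txt"])}


def expand_containers(files: dict) -> tuple:
    """Repeatedly unpack zip containers until a pass discovers nothing new.
    Returns (all files including extracted members, number of passes run)."""
    files = dict(files)
    passes = 0
    while True:
        passes += 1
        new_members = {}
        for name, data in files.items():
            if not data.startswith(ZIP_MAGIC):
                continue
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    path = f"{name}/{info.filename}"  # member path namespaced by its container
                    if path not in files:
                        new_members[path] = zf.read(info)
        if not new_members:  # fixpoint reached: every container has been opened
            return files, passes
        files.update(new_members)


@dataclass
class Finding:
    path: str
    sha1: str
    hash_category: str   # "notable", "ignorable" or "unknown"
    signature: str       # "match", "mismatch" or "unknown"


def analyse(files: dict, notable=NOTABLE_HASHES, ignorable=IGNORABLE_HASHES) -> list:
    """Hash analysis against the two sets, plus extension-vs-magic signature analysis."""
    findings = []
    for path, data in files.items():
        digest = sha1_hex(data)
        category = ("notable" if digest in notable
                    else "ignorable" if digest in ignorable else "unknown")
        basename = path.rsplit("/", 1)[-1]
        ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
        expected = next((exts for magic, exts in SIGNATURES if data.startswith(magic)), None)
        signature = ("unknown" if expected is None
                     else "match" if ext in expected else "mismatch")
        findings.append(Finding(path, digest, category, signature))
    return findings


def review_queue(findings: list) -> list:
    """What the examiner should look at: notable hashes and signature mismatches,
    with known-good (ignorable) files filtered out first."""
    return sorted(f.path for f in findings
                  if f.hash_category != "ignorable"
                  and (f.hash_category == "notable" or f.signature == "mismatch"))


def run_workflow(files: dict) -> dict:
    expanded, passes = expand_containers(files)
    findings = analyse(expanded)
    return {"passes": passes, "files_seen": len(expanded), "review": review_queue(findings)}


if __name__ == "__main__":
    print(run_workflow(SAMPLE_FILES))
```

On the sample set the loop needs three passes (the outer zip, then the inner zip it exposed, then a pass that finds nothing), and the only item left in the review queue is the renamed PE stub, which is caught twice over: by its notable hash and by the MZ header sitting under a .txt extension.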
rjpear
(@rjpear)
Posts: 97
Trusted Member
 

I think you should keep in mind that this is just a guideline and is flexible depending on the needs of the investigator and the case in hand. All steps DO NOT have to be completed on every investigation. Now if you want to create an SOP that requires certain steps then so be it… but prepare for a bigger backlog. The Forensic Examiner has to have some leeway or flexibility to be able to get his job done.

As for running AV… great, as well as malware programs (Spybot and Adaware, etc.)… but why do you think that Gargoyle is DOA or not as effective? Is it the support costs?

I think a great topic would be what AV and Malware programs do you run and what report or possible report outputs you get to document the results…

 
Posted : 01/12/2009 6:11 pm
(@kovar)
Posts: 805
Prominent Member
Topic starter
 

Dave,

With respect to AV, that's all you're recommending…run AV scanners?

Thanks,

h

Harlan,

I could rewrite that step as "Look for malware, viruses, trojans, rootkits, …." Exactly what is run will depend on the nature of the investigation, the type of media (I'm not sure you could install a rootkit on a digital audio recorder), and the tools available.

-David

 
Posted : 01/12/2009 10:57 pm
(@kovar)
Posts: 805
Prominent Member
Topic starter
 

I think you should keep in mind that this is just a guideline and is flexible depending on the needs of the investigator and the case in hand. All steps DO NOT have to be completed on every investigation. Now if you want to create an SOP that requires certain steps then so be it… but prepare for a bigger backlog. The Forensic Examiner has to have some leeway or flexibility to be able to get his job done.

Do note that my first sentence started with "I was asked to come up with a guideline …". Guidelines are flexible, protocols are fixed. You can deviate from a guideline (within reason). Deviating from a protocol, at least in emergency services, will put you at risk of legal actions.

As for running AV… great, as well as malware programs (Spybot and Adaware, etc.)… but why do you think that Gargoyle is DOA or not as effective? Is it the support costs?

Support costs and many reports of it failing to live up to expectations. I'd include it along with other tools, but I would not use it as my only tool for this function.

I think a great topic would be what AV and Malware programs do you run and what report or possible report outputs you get to document the results…

I agree….

-David

 
Posted : 01/12/2009 11:00 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

David,

Sorry, perhaps I should have been more clear…

I could rewrite that step as "Look for malware, viruses, trojans, rootkits, …." Exactly what is run will depend on the nature of the investigation, the type of media

IMHO, looking for malware on a system includes more than running AV scanners. We're all aware, via statistics and professional experience alike, that AV hit rates can range as low as 40%…using multiple AV scanners, particularly NOT one already installed on the system, may increase that percentage, but the question remains…by how much.

Over the past three years, I've responded to or managed a number of engagements where the customer had AV installed and up-to-date, but they were hit by a new, undetected variant. I've scanned systems where a2 found things missed by AVG, Clam, and others.

I guess what I'm saying is that, if an analyst is going to run 3 AV scanners, and deem the image "clean"…there's much more that could be done and I wouldn't bank my reputation on 3 AV scanners.

(I'm not sure you could install a rootkit on a digital audio recorder), and the tools available.

I guess that would depend on what OS the recorder is running, and what functionality it provides.

 
Posted : 01/12/2009 11:38 pm