
EnCase missed some usb activities in the evidence files

9 Posts
5 Users
0 Likes
1,755 Views
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

My friend is a developer and her colleague May was suspected of stealing the source code of an important project "X". The Police searched her apartment and seized her brand new laptop, whose OS is Win10 Pro. Forensic guy Terry used EnCase to do evidence processing. To his surprise, only one USB thumb drive, "SanDisk", was found in "USB Records".

You guys could take a look at my blog to see what's going on.
http://www.cnblogs.com/pieces0310/p/7631696.html

 
Posted : 06/10/2017 8:20 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Very likely Encase didn't "miss" anything, simply part of the "USB" related data was cleared or overwritten, as the USB disk was connected to the computer before the USB stick.

Very clever on the part of May to call the important source code files of project "X" as "docu", "painting" and "example", however.

jaclaz

 
Posted : 06/10/2017 9:20 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

> You guys could take a look at my blog to see what's going on.
> http://www.cnblogs.com/pieces0310/p/7631696.html

Nice blog article! It describes exactly why I would never ever buy or use such "one-click-evidence-button" software. There are five or six locations in the registry where to find evidence of USB activity, plus Eventlog and setupapi.dev.log. I check them all by hand and with several different tools and never with only one tool. The mentioned "another forensic tool" is X-Ways Forensic with its "Device" Registry Report, isn't it?

best regards,
Robin

 
Posted : 06/10/2017 11:07 am
(@mansiu)
Posts: 83
Trusted Member
 

> You guys could take a look at my blog to see what's going on.
> http://www.cnblogs.com/pieces0310/p/7631696.html
>
> Nice blog article! It describes exactly why I would never ever buy or use such "one-click-evidence-button" software. There are five or six locations in the registry where to find evidence of USB activity, plus Eventlog and setupapi.dev.log. I check them all by hand and with several different tools and never with only one tool. The mentioned "another forensic tool" is X-Ways Forensic with its "Device" Registry Report, isn't it?
>
> best regards,
> Robin

Can you suggest what's inside your toolkit?

I myself use open-source tools such as log2timeline, regripper, mft2sv, logparser, etc. and free tools like nirsoft, eventlogexplorer, and I won't deny I use EnCase.

Forensic tools are like knives; you are not going to use a Victorinox to cut a tree. I just pull out the right tool from my toolkit.

Tools like EnCase are not evil; there are still quite some tasks I found myself can't do without EnCase, for example manual partition recovery, sector view of disk, keyword search (definitely possible with dtsearch and ftk).

 
Posted : 06/10/2017 12:09 pm
(@mansiu)
Posts: 83
Trusted Member
 

> My friend is a developer and her colleague May was suspected of stealing the source code of an important project "X". The Police searched her apartment and seized her brand new laptop, whose OS is Win10 Pro. Forensic guy Terry used EnCase to do evidence processing. To his surprise, only one USB thumb drive, "SanDisk", was found in "USB Records".
>
> You guys could take a look at my blog to see what's going on.
> http://www.cnblogs.com/pieces0310/p/7631696.html

I think you can consider shooting a bug report to GuidanceSoftware. Putting it on the forum is just like "Yeah!! I found a bug!". That's definitely not good for the community.

 
Posted : 06/10/2017 12:11 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

> Can you suggest what's inside your toolkit?

Regarding USB activity?
Here we go, in random order:

- USBDevView from nirsoft.net
- USB Forensic Tracker from http://www.orionforensics.com
- USB Historian from www.4discovery.com
- the already mentioned "usbdeviceforensics" python script
- USBDeviceForensics from woanware.co.uk

and X-Ways Forensic (Registry Report + Registry Viewer). Some of the tools only work on Windows versions below Windows 8!

I can really recommend the "USB Forensic Tracker" from http://www.orionforensics.com/w_en_page/USB_forensic_tracker.php for examining USB activity. It is a free tool and has everything I need, including customized time zones and Excel export.

best regards,
Robin

 
Posted : 06/10/2017 1:16 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

First- thank you to gorvq7222 for your contribution to our profession.

For USB investigations, in addition to previously mentioned tools, I use the following methodology:

Step #1 Index all files, folders and unallocated space using Forensic Explorer and OSForensics

Step #2 Run searches for "E\", "F\", "G\", "H\", "I\", "J\"

The reason I search for drive letters is that, if a person accesses files and folders copied to external USB media, then recoverable evidence can be found such as "G\Folder of stolen documents".

My understanding is that only files and folders accessed from external USB media will leave a trace; if an individual, for example, copies files and folders to an external USB drive on a Windows system, but never accesses those files and folders after copying them to the external USB drive, then there is no recoverable evidence available to determine which specific files and folders were copied to the external USB drive. Correct?

This is why, in my opinion, a search for drive letters such as "E\" is an important analysis step.

 
Posted : 06/10/2017 1:59 pm
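The drive-letter search in Step #2 can be scripted over a raw image or an exported chunk of unallocated space rather than run through an indexer. What follows is an added example, not UnallocatedClusters' own tooling and not Forensic Explorer or OSForensics output; it assumes the "E\", "F\" etc. patterns in the post stand for drive roots of the form "E:\", and it searches for both the plain ASCII form and the UTF-16LE form, because LNK files, registry values and NTFS metadata store paths in UTF-16LE and an ASCII-only search misses them. The sample buffer is constructed for the example.

```python
import re
from collections import defaultdict

# Volumes with letters D: and up are the candidates for removable media; C: is left out on purpose.
# A path is a letter, colon, backslash and then characters that are legal in Windows paths.
ASCII_PATH = re.compile(rb'[D-Z]:\\[^\x00-\x1f<>"|?*]{1,200}')
# Same shape in UTF-16LE, which is how LNK files, registry values and NTFS metadata store paths.
UTF16_PATH = re.compile(rb'[D-Z]\x00:\x00\\\x00(?:[^\x00-\x1f<>"|?*]\x00){1,200}')


def carve_drive_paths(data):
    """Return (offset, encoding, path) for every drive-letter path found in a raw byte buffer."""
    hits = []
    for m in ASCII_PATH.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("latin-1")))
    for m in UTF16_PATH.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    hits.sort()  # by offset, so hits can be reviewed in image order
    return hits


def paths_by_drive(data):
    """Group carved paths by drive letter, de-duplicated, so each letter's folder tree can be reviewed."""
    groups = defaultdict(set)
    for _, _, path in carve_drive_paths(data):
        groups[path[0]].add(path)
    return {letter: sorted(paths) for letter, paths in groups.items()}


# Constructed stand-in for a chunk of unallocated space: filler bytes around a few path strings.
SAMPLE_IMAGE = (
    b"\xff" * 32
    + b"C:\\Windows\\System32\\cmd.exe\x00"                  # local path, deliberately not reported
    + b"G:\\Project_X\\docu\\main.c\x00"                     # ASCII hit
    + b"\x00" * 8
    + "G:\\Project_X\\painting".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE hit
    + b"\x00" * 8
    + b"E:\\example\x00"
    + b"\xff" * 32
)

if __name__ == "__main__":
    for offset, enc, path in carve_drive_paths(SAMPLE_IMAGE):
        print(f"{offset:#010x} {enc:8} {path}")
```

Two-character patterns like "E:\" also occur in help text, installers and random data, so every hit still needs to be looked at in context; the offset is kept in the result for exactly that reason, and grouping by letter makes it quick to see which letters carry a folder tree that looks like user data rather than noise.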
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Is Dave Tomczak (of TZWorks) a member here? If not I will try to get him to join and sponsor.

Sure he is ) , though not a frequent poster cry
https://www.forensicfocus.com/Your_Account/profile=tzworks/

> I think you can consider shooting a bug report to GuidanceSoftware. Putting it on the forum is just like "Yeah!! I found a bug!". That's definitely not good for the community.

Well, gorvq7222 is not Terry (the forensic guy that actually used EnCase to do evidence processing); he only happens to be a friend of a colleague of the "bad girl" May, and somehow the Police (and/or Terry) shared with him Terry's finding on EnCase (providing also a couple of screenshots of a still open case, BTW).

So, more properly is just like "Yeah! A friend of mine has a colleague that was investigated by the Police and the forensic guy Terry found a bug and told me about it!" 😯 .

And now, for no apparent reason, a semi-random Wikipedia page:
https://en.wikipedia.org/wiki/Tall_tale

jaclaz

 
Posted : 06/10/2017 6:12 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

> Step #2 Run searches for "E\", "F\", "G\", "H\", "I\", "J\"

Nice idea. But I do not expect to find any other result than in

System\MountedDevices
or
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Your approach is really good if you are expecting any kind of anti-forensics and someone deletes those registry keys.

> My understanding is that only files and folders accessed from external USB media will leave a trace; if an individual, for example, copies files and folders to an external USB drive on a Windows system, but never accesses those files and folders after copying them to the external USB drive, then there is no recoverable evidence available to determine which specific files and folders were copied to the external USB drive. Correct?

It depends -)
There are no lnk files left and no Shellbags…but there is some hope -)
Depending on the configuration of the Indexing Service on Windows, files and folders might have been indexed. It is a simple ESE database which is a very valuable source for evidence. And you can have a view on the antivirus protocol if some malware was found, you might have a file name or a folder hierarchy.

With some luck some files may have been overwritten and you find the name in %SystemRoot%\System32\Winevt\Logs\OAlerts.evtx ("Microsoft Office Alerts") with Event ID 300.

And one more thing: a memory dump could be useful. There you could find the history of commands on the CMD shell, perhaps a "copy" or "move" command.

best regards,
Robin

 
Posted : 06/10/2017 9:07 pm
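Robin's two registry locations work together: SYSTEM\MountedDevices maps both drive letters (\DosDevices\G:) and volume GUIDs (\??\Volume{...}) to the device that was mounted there, and a user's NTUSER.DAT MountPoints2 lists the volume GUIDs that user's Explorer session saw. Joining the two gives "which device, which letter, which user", and it still works when a letter has since been reused, because the volume GUID entry survives. The code below is an added illustration, not Robin's or any named tool's; the registry values are constructed in-line (made-up serials and GUIDs; the device interface class GUID is the real GUID_DEVINTERFACE_DISK value), since in a case they would come from an offline hive parser rather than a live system.

```python
import re
from collections import defaultdict

DISK_CLASS_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # GUID_DEVINTERFACE_DISK (real value)


def u16(s):
    return s.encode("utf-16-le")  # REG_BINARY data for USB volumes is a UTF-16LE device path


# Constructed SYSTEM\MountedDevices values (value name -> raw REG_BINARY data).
SANDISK = u16(r"_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001234567890123&0#" + DISK_CLASS_GUID)
WD = u16(r"_??_USBSTOR#Disk&Ven_WD&Prod_Elements&Rev_1042#57583131&0#" + DISK_CLASS_GUID)
MOUNTED_DEVICES = {
    # fixed disk: 4-byte MBR disk signature + 8-byte partition offset, not a device-path string
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (0x100000).to_bytes(8, "little"),
    "\\DosDevices\\G:": SANDISK,
    "\\??\\Volume{0a1b2c3d-0001-4aaa-8bbb-000000000001}": SANDISK,
    # the WD drive's letter has since been taken by something else; only its volume GUID survives
    "\\??\\Volume{0a1b2c3d-0002-4aaa-8bbb-000000000002}": WD,
}
# Constructed NTUSER.DAT ...\Explorer\MountPoints2 subkey names, one list per user profile.
MOUNTPOINTS2 = {
    "may": ["{0a1b2c3d-0001-4aaa-8bbb-000000000001}", "{0a1b2c3d-0002-4aaa-8bbb-000000000002}"],
    "admin": ["{0a1b2c3d-0001-4aaa-8bbb-000000000001}"],
}

USBSTOR_RE = re.compile(r"_\?\?_USBSTOR#Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_[^#]*#(?P<inst>[^#]+)#")


def parse_usbstor(data):
    """Decode a MountedDevices value; return vendor/product/serial for USB mass storage, else None."""
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None  # binary signature data that does not happen to decode as UTF-16
    m = USBSTOR_RE.match(text)
    if not m:
        return None  # fixed disk, GPT partition ("DMIO:ID:...") or a non-USBSTOR device
    return {"vendor": m.group("ven"), "product": m.group("prod"),
            "serial": m.group("inst").rsplit("&", 1)[0]}  # drop the '&0' instance suffix


def usb_volumes(mounted):
    """Collapse MountedDevices into one record per USB device with its letters and volume GUIDs."""
    by_device = {}
    for name, data in mounted.items():
        info = parse_usbstor(data)
        if info is None:
            continue
        rec = by_device.setdefault(data, {**info, "drive_letters": [], "volume_guids": []})
        if name.startswith("\\DosDevices\\"):
            rec["drive_letters"].append(name.rsplit("\\", 1)[1])
        elif name.startswith("\\??\\Volume{"):
            rec["volume_guids"].append(name[len("\\??\\Volume"):])
    return list(by_device.values())


def attribute_to_users(volumes, mountpoints2):
    """Map each device serial to the users whose MountPoints2 lists one of its volume GUIDs."""
    result = defaultdict(list)
    for vol in volumes:
        for user, guids in mountpoints2.items():
            if set(guids) & set(vol["volume_guids"]):
                result[vol["serial"]].append(user)
    return {serial: sorted(users) for serial, users in result.items()}


if __name__ == "__main__":
    vols = usb_volumes(MOUNTED_DEVICES)
    users = attribute_to_users(vols, MOUNTPOINTS2)
    for v in vols:
        print(v["vendor"], v["product"], v["serial"], v["drive_letters"], users.get(v["serial"], []))
```

In the constructed data the WD drive no longer has a drive-letter entry at all, which is exactly the case where a tool that only lists current \DosDevices\ letters reports one device when two were used; the volume GUID still ties it to the user profile that mounted it.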