Transitioning from EnCase Forensic v6 to v7 – Part 1

Presenter: Ashley Hernandez, Master Trainer, Guidance Software

Transcript

Welcome everyone and thank you for attending Guidance Software’s webinar, Transitioning from EnCase v6 to EnCase v7. This is part one of a two-part series.


Today we’re going to be featuring two great speakers. The first is Ashley Hernandez; she’s our former Product Manager for EnCase Forensic and EnCase Enterprise, and now she is a Master Trainer for Guidance Software. The second is our current Product Manager, Ken Mizota.

Before we get started with our featured guests, my name is Robert Bond, I’m going to be your host and moderator for this session. If you have any questions during the session itself, please submit them electronically through the Q&A dial-up box on the bottom left of your screen. We’re going to answer your questions in the Q&A session at the very end of the presentation. As always, if you don’t have a chance to submit a question during the presentation, or you’re watching an archived version of the webinar, you can submit your questions to me at robert.bond@guidancesoftware.com.

Now there are really two goals for us in doing this webinar. The first is to get our v6 users to start enjoying the benefits of v7, and the second is to further train our v7 users so that they can better understand the software, get more comfortable using it. So for the v6 folks we’ve got a great offer, a limited time offer. Normally moving to v7 is around $3290. We’ve actually cut the upgrade price in half from $895 to $450 and then thrown in the three-day transitions training for free, and that had a retail of $1795. We’ve never done this since the product was released back in June 2011, so I encourage you to take advantage of that. With that little promotional offer, let’s get started with the resources.

So for those who attend the webinars regularly, we walk through this and so I’ll do this fairly quickly. We have free start-up training, so if you go to our brand new website and look at the little three lines on the right, click on those three lines, you’re going to see training. Click on training and you’re going to see the full training web page. On the bottom right corner of your training web page in really small font, you’re going to see ‘free start-up training’. Now I encourage you to go to the EnCase forensic piece, or just start-up training, and you’ll have a 10-part 4-hour training where you can really get introduced to the software. The second resource is of course EnCase App Central, and I’m going to show you the top ten most downloaded apps in just a second, but we now have 146 free apps or Enscripts, I encourage you to check it out. The third is our Digital Forensics Today blog, which we write about three different things: one, what’s going on in the digital forensic industry; two, what’s going on with v7 in new releases or maybe highlights, product spotlights on new features; and we also allow the folks that create our apps to write about their certain apps or Enscripts, or our third-party partners like IEF and Belkasoft and folks like that to write about their innovations. And then of course we have collateral.

So here are our top ten most downloaded Enscripts over the past three months. As you can see we have a brand new entry: the Shellbags Parser by Simon Key has been downloaded more than any other Enscript in the past three months, which is really saying something because VSS Examiner and Seeb USB Mounted Devices Report have always led App Central, at least for the past two years. We also have Link File & Jump List Parser and Prefetch Parser which are brand new to App Central as well, I encourage you to check those out. These are our training classes and since this is a forensics webinar I’ve put CF1 and CF2 up top; they’re the most popular with our forensics crowd and in terms of going out and getting your EnCE like the 4500 other EnCE certified folks out there, these are the cornerstone classes. So we’re going to have a quick spotlight feature and we’re going to have a look at two features today. The first is the new features, or the free modules, you get with EnCase Forensic 7 that you didn’t get with 6, and you can see them all listed there: the smartphone examiner, the virtual file system module, which a lot of investigators love just to use to see what the target was seeing prior to the investigation, the physical disk emulator, the decryption suite, which is now updated with every dot release of EnCase, and the FastBloc Software Edition which is integrated within EnCase. The smartphone module is an excellent module, it works seamlessly with EnCase, it’s not going to replace your Cellebrite UFED for example, or Paraben tool, but it certainly works well when you have a phone, Apple 6 or something like that that it recognises, and you can pull all that information into an easy to read report just like the one that you see on the screen right there.

Also with 7.06 the second feature is the remote forensic capability, this was released in 7.06; it allows an investigator to use EnCase Forensic to deploy a servlet to a target machine to do triage and collecting on that particular machine. So for version 6 users, this was just like Fin but works a lot better. This is really done in three easy steps: you create an encryption key, then deploy the servlet, then connect to the target machine, and just like you would see an evidence file inside of EnCase you’re going to see that machine come up inside of EnCase so you can start your triage.

You could do this all within the acquire evidence window in EnCase; you create a servlet for each different operating system, and each different servlet is encrypted, so you create your own encryption for that particular servlet, save that in your EnCase folder so you have it and you don’t have to recreate it next time and then you can collect the evidence or information that you want from that particular device, including physical and process memory.

So hopefully that helps, those two features, now we’ll get started with Ashley. Here’s her agenda today, so she’s going to start with just how to create a new case in EnCase v7 all the way through reporting for today. With that Ashley, I encourage you to take it over. Thank you.

Ashley Hernandez: Hi, this is Ashley Hernandez, I am going to be showing you today a little taste of what we go over in our transitions class. So in our transitions class what we cover is in two parts. The first part is for those of you who are familiar with version 6, we want to show you where to find in version 7 the functionality you’re familiar with. So we know you have a large caseload and we want to help you to at least get started with the workflow you’re familiar with in version 6, in version 7.

The second part of this webinar that we’re going to go over [is] how to actually utilise the evidence processor to speed up the examination process. So that’s going to be the place where we’re going to focus on the new functionality in version 7 with the processor and how to set that up to take best advantage of it once you’re ready to move into processing.

So in this session I’m really going to focus on where functionality is that you’re used to using in version 6, in version 7. We know your muscle memory is very strong in 6, you’ve probably had it for up to five or six years that you’ve been using [version] 6, so we want to show you how easy it is to find those pieces and start to work with 7 in the same way you were familiar with working in 6.

There are some new things we’re going to look at, and we’re going to start as if we’re working a new case, so I can take you step by step from the beginning of creating the new case all the way through to reporting in the way that you would not be processing your case. You’ll have to decide whether the case is one you’ll process or not; we’re going to take this as an example of a case maybe where you’re just trying to decide whether a machine is one you want to spend full time processing on, or you’re trying to exclude it from your investigation as not relevant. So we’re not going to do any processing today, hopefully this will get you started on the path to taking 6 for your investigations.

So on my desktop I have EnCase 7 open, I actually have EnCase 7.09 open for us, that is the latest version that’s been released so if you don’t have that go ahead and register your dongle through my account, you can get the latest code through the email, that’ll allow you to get the update right away.

When I’m dropped onto the home screen in EnCase 7 I can see a list of my recent cases here on the top. Any of these are hyperlinked so I can open them and start working with one of those cases. I can also have multiple cases open at the same time: my active case would have a green arrow next to it on the home screen.

But for this example we’re going to make a new case, so from the home screen web pages I’m going to choose ‘new case’.

When we open up the new case dialogue you’ll see that it’s different from the standard dialogue in 6, but in general we’re doing the same type of setup when we open up a new case. We’re going to choose to create a case name, I’m going to call it case 123ab7. Best practice is always to have a naming convention for your case; we don’t have one in this instance so I’m just giving you an example. What you’ll notice as I create a case name, is that down below I have a base case folder. In version 7 we work off of the base case folder to have one case folder for all of your cases to live underneath. If I have my cases folder here, my c\sample\cases folder, underneath that I’m going to have a folder for each one of the cases that I create, and my case file is going to live within that folder. So I have my case folder for each case, keeping everything separate, and my case file will be automatically created underneath it.

Now in 6 you’re familiar with having ‘export in a temp’ and choosing where to place those; we actually place those automatically for you directly inside of the case folder, so you don’t have to create those temp and export directories separately.

We’re not going to be processing this case so we’re not necessarily going to be using our primary evidence cache for indexing, but we’re still going to place the evidence cache folder, we’re going to need to specify a place to put any of our working files while we work with this evidence. So whether it’s a preview or whether it’s something you’re going to need to process, you’re going to need to have an evidence cache location. And since we’re just going to be previewing and working with [this] temporarily, I’m just going to put this evidence cache right in the same folder as my case file. So it’s going to create a folder underneath my case folder for this evidence cache. So that’s what this option does; if you wanted to place it somewhere else, you could uncheck it and place it in a different location. We’ll talk a little bit more about that when we talk about processing in the next webinar.

We can also choose to back up our case – that’s that here, there’s no way to change the increments on the backup but if you wanted to set that you can choose to. I’m going to change my case values though, my case information. I’m going to use the ‘f’ key to set these fields. We’re going to make this an example case number – 123456. My name is going to be placed here and the description of the case.

This case information could be saved as part of your template, you probably wouldn’t want to save your case number or the description over and over in your template, but these templates up above, if we were to switch between the templates, could have more or less information associated with your case. If you don’t call your examiner an examiner, you call them an investigator, you can change the name of this field so that it matches what you use in your organisation.

So we’ve set up our basic cases. I’m going to use the basic template that ships with EnCase, and I’m going to go ahead and click OK. I’m not choosing to back up, and it’s just warning me that I’m not choosing to back up, and I’m going to click ‘yes’.

Alright, so once we’re dropped in to a case we’re still left on these navigational pages that are helping us find what the next step would be. In this case we’re going to be adding evidence to our case, and so I’m going to use the ‘add evidence’ button. In version 6 we had one button that allowed you to preview cases or add evidence files or do a network preview. Instead of having all those mixed into one dialogue, we’ve now separated them out into separate options.

So the option I’m going to show you first is how we can preview a local device. This would be anything connected to my local machine here. So on ‘add local device’ we see that first we get to choose some options about what we’re previewing. So I could choose to mark write blocked any device connected through Tableau or a legacy block. New to version 7 is the ability to only show devices connected to your machines that are write blocked. This could prevent you from previewing a drive that hasn’t yet been write blocked because it wouldn’t show up in our next preview screen. You also can choose to show physical or process memory. It doesn’t make much sense to show on your local machine, since you most likely don’t want your local machine’s physical or process memory, but this would work with our direct preview servlet that we have: the ability to do that across the wire. We’re going to cover direct preview in another webinar.

So we’ve got just our default options here and click ‘next’. It’s going to read the devices connected to my machine, and now you’ll see that for every volume connected to a physical drive we actually show it as a child or an item underneath that physical drive. This helps in version 7 so that you don’t get confused which volume is associated with the physical drives: physical drives always show up as numbers and our volumes are going to show up as letters.

I’m going to choose to preview the physical drive 2: this is a thumb drive connected to my computer that’s just 3.7 gigs, and choose ‘finish’.

So when we choose to add a piece of evidence, we’re going to notice that a new tab, called the ‘evidence’ tab, is opened at the top. And when we’re viewing evidence at the top level, this is like our devices view in version 6. We can see information about the device, whether it’s an evidence file or a preview. In this case it’s actually reading the serial number information and model information of my thumb drive. It’s also going to give me, if this is an evidence file, things like if there were any read errors, all of the information you used to have on your device tab is integrated into this evidence tab.

Instead of just a preview we’re also going to add an evidence file to the case. And in this case, instead of going back to the home screen where I could choose to add an evidence file, for those of you familiar with version 6, we’re going to use the ‘add evidence – add evidence’ file drop-down from the top menu. We use the ‘add evidence’ file drop-down just from the top, like you did in 6.

Here it’s going to let me navigate on my computer using just a regular Windows browser type window to find an evidence file, or multiple evidence files, to add to my case. So I’m going to open that up. Alright, so we have two evidence files in our case and we’re ready to go ahead and start viewing the contents of the evidence. On the evidence tab we get a choice when we want to view the entries, or the equivalent of the entries. We could either click on the name of the file and that will open just that one file, or we could blue check both the preview and the acquired evidence and choose to open them together. So if you want to view multiple pieces of evidence in the same view, on the evidence tab you’re going to blue check them both, and then you’re going to choose ‘open’.

So these are going to open up, and we’re going to parse these file systems and then display them for you. So now you’ll notice we’re on the evidence tab but it says viewing entries, so we’ve actually drilled in equivalently, like if you were on a web page, clicked to a sub page. And that’s going to be our entries. So here’s our preview of our local drive and here’s our evidence file that’s been acquired. So I’m going to kind of collapse our local drive preview, and we’re going to focus most of our time showing where the options were that you’re familiar with in 6 in 7, on our acquired evidence here.

So we’ve opened that together, and as you guys are familiar, most of the options for EnCase are available on the right click, and that is no different in our 7. It wasn’t always the same in earlier versions, so if you tried it back two years ago, two or more years ago actually, you may have seen that not all the options were there on the right click. But for the most part everything you’re familiar with is on the right click now and they’re just grouped into logical categories.

So I’m going to blue check a couple of files – I’m actually going to do it at the folder level and it’ll just propagate down like you’re used to. And I’m going to right click and most of the entry options that you’re familiar with are now going to be on the entries menu here.

So if I have blue checked items, I could choose to do copy files. This is the equivalent of copy/unerase, so in other words anything that’s blue checked that I choose to do copy files on is going to copy to a single location, all of the files in just a flat folder. It’s not going to save any of the folder structure, it’s just going to give me the actual file entry data that I have blue checked. So I can do that from the entries tab. If I did want to preserve that folder structure I could choose to do copy folders, and again it’s going to work off of the blue checks.

New to version 7 is the concept of a results set. And we’re going to talk about more about this when we talk about processing, because we can actually choose to do other operations on a subset of files, and we can create a results set from blue checked files, we can create a results set from the results of searching, we could create a results set from filtering… basically any time you have a set of items that you want to do further operations on, you’ve narrowed down what you’re looking at and you want to then either process them or search them, you can create a results set and then just do those operations on the items that are in that results set. So we can create a results set from just blue checked files here on the entries menu.

We also have the ability to do view file structure, so if I want to go and find a PST file, we still have home plate, and we can still double click on the file extension column to sort by file extension. I’m just going to type ‘PST’ to jump me down to any PSTs. And I can see that I have a few here in my case, to enable the view file structure again I’m going to right click, and from the entries sub-menu choose to view file structure, and I’m going to go ahead and parse the PST. And as always in the bottom right you’re going to see the status of the action you just did – it’ll be green and processing as it just goes and parses the PST, and as soon as it’s finished that status bar will disappear.

What I noticed though is now I have a PST that’s available here for me to go ahead and open, so if I wanted to view the contents of this particular PST I can see there’s a plus sign on it and I can click the PST and now I have the ability to view the emails inside of this particular archive. So if I found this email here, ‘food ingredients’, and I found that the attachment was relevant to my investigation, I could go ahead and without processing an item, just by clicking around, I can right click and choose to bookmark that single item. So this is an email that’s interesting to me. I am going to give it a comment and on my destination folder choose where I’d like to place it.

These folders that are created here in the bookmarks tab that I have access to when I bookmark are part of my template. So if you wanted different folders you could add them underneath an existing folder, I could take email here and make a subfolder, write in a new folder, or I could change my template so I had different folders to start with. Right now I’m just going to go ahead and place them in the email folder and click OK.

So I have drilled into my emails and I’m still in the evidence tab but now I am viewing email. If I want to go back to the entries view, I go ahead and just use the back button. And that’s going to have me saying viewing entries. So I didn’t have to navigate to another tab, I was able to drill into that directly from the entries tab.

So that’s the ability to still go ahead and view emails.

So we had our items blue checked – this is our sample evidence – and we found on the entries we could do copy files, copy folders, create a sublist of items that was relevant, view file structure… the next thing that we’re going to look at is the ability to do hash and signature analysis outside of the processor. So if you have entries blue checked, you can choose to do hash and sig selected. We conduct both an MD5 and a SHA1, so you can see both of those in the table, as well as we can view entropy, which I’m not going to do right now but you can choose to, and verifying file signatures. So those are the options I’m going to go ahead and run on this particular case. And since I only have this evidence file blue checked, it’s running on just the evidence file because I’m working on the selected items. If I wanted to I could also blue check the preview and do hash and signature on a preview. Anything I can do on an evidence file I can go ahead and do on a preview. So I’m going to go ahead and click OK. We’re going to note though that it says these entries must be reloaded in the evidence tab to see changes, so we’re going to talk about that when we come to work with these hash values in a little bit, but just note that it does remind you that you’re going to have to reload your evidence to be able to see the hash values. That’s probably one of the biggest gotchas that we see in our transition classes.

So I’m going to click OK, and that’s going to go ahead and start off my hashing and signature analysis. So we’re working our way through these options on the right click and we saw for entries we have the standard ones available. We also have the standard bookmark options available for either the single item, meaning the highlighted item that I have on the table; selected items would work off the blue checked; folders would work off the current folder. Table view is new for version 7 and we’ll probably show that in the webinar in January, raw text would be our equivalent of sweeping data, we’re going to show that in a little bit… and data structure and transfer text a little bit later as well. So we can still do bookmarking off the right click, we can also off of the right click choose to blue check items and create our logical evidence files. And then one area that I wanted to show you is on the device, we have the option to show the disc view. So we used to have a whole separate tab for the disc view; now if you want to see the disc view for a particular evidence file or device, you select the device and choose disc view. And that’s going to pop it up as its own separate tab. The only thing about the disc view is when you highlight a sector, you’re going to see the actual file entry information for the files for that particular area of the drive. So you can leave the disc view up once you have it up from the evidence and go ahead and navigate through, and as you click on different areas if you flip to the disc view you’ll end up being on that file. So you can flip back and forth and that’s how you access it from version 7. You also can do all your partitions user to find partition additions and deletions from the disc view.

Alright, so those are our general browsing options, we can browse, we can copy files out, we can do signature analysis, hash analysis and we can mount specific PSTs, we can also mount zip files, all of that can be done on this preview or evidence file. But the next area that I want to show is our actual keyword searching.

Now we can choose to keyword search either specific selected items – for instance I’m going to blue check – let’s do unused disc area and unallocated space, and we’ll do the users folder. So I’ve blue checked a good portion of this actual evidence file, this is a sample evidence file that we had made available to you guys to work with. And I’m going to choose to keyword search those particular areas of the drive. If I wanted to keyword search the whole evidence file I could choose to go back up to this top level and search all of my evidence in my case, but I’m going to choose to search just the selected items in this field. So if I want to do just selected items I’m going to select them with blue checks and I’m going to go to raw search selected on the evidence toolbar.

So we used to have global and local keywords, and instead of storing those and displaying them in the case we now store them in files that you can share with other users. So if I want to make a new local search, I’m going to choose to go to new – raw search selected. And instead of having to worry if there’s any other global words selected at the time, I just go ahead and create the keywords I want to do. So if I want to make a new keyword I can type in the expression like you would before – if you don’t give it a name it’s going to refer to it by its search expression. And I can go ahead and click OK to create that keyword, and I’ll see it listed in the table below. I can also create multiple keywords, remember we’re going to do EnCase, and we’ll do webinar, I’m going to do those in Unicode, and click OK. Now maybe I’ve created these keywords and then decided I want to make a couple of them case sensitive – I want to make Ashley and EnCase case sensitive – instead of having to edit each of them I can actually modify them using the check boxes in the table. It allows us to modify things without having to go in and edit – that’s a new control to version 7.

So I have these created, I’m going to give them a name. If they were specific to my case I would choose to store them with my case, so I would navigate to my cases folder – I’ll just actually put them on my desktop – and I could say “example keywords”. And that would allow me to save these in case I wanted to refer to them later: which keywords did I use in this particular case? And it’s going to store them in a file with those keywords. So I’m going to tick those off, same search options as we had in 6, and as they’re searching you’re going to see them start to show in the bottom here that it’s doing its search. But maybe I wanted to see keywords that I had already created, the equivalent of global keywords. I could go ahead and from my raw search selected, I have this list called ‘soda’, we’re going to consider these global keywords. And I’m going to select soda from my recently used list of keywords, and here it’s got my keywords already populated with the options, so I don’t have to save these each time, it’s going to save these as a file, so I’m just going to go ahead and save Soda. And we’ll make this example Soda. And I could save this again with my case so I have a record of all the searches that I could redo or revisit before going to trial or something, I’ll have a list of which ones I ran, and I’ll click OK on these ones. Notice we have some that have grep in here, I used a grep term down below, and then I’ve got some l33t speak words, I’ve got soda and b0mb with a zero, because that’s relevant to our data that we have.

Great, so I’m going to go ahead and kick these off. I can see that my other search has actually finished, but I’m going to kick these ones off and we’re going to look at the searches as they come in. So one of the things you’re familiar with doing in version 6 is previewing keywords as they come in. So we’re going to view our search using the view – search, get to that tab. When the tab comes up, the subtab for keywords becomes available, and here were the keywords I previously searched for, the example keywords, but here I have the refresh button and when I choose to refresh, I’m going to be able to pull in the new keywords for what I’m currently searching. Let’s see if it gets more hits.

So we’re going to let those ones start to work. We can see on our results that our previous keywords are shown under results as a group; so this if you look at the results is the results of all the words I have EnCase, Ashley, or webinar, so if I scroll through them you’ll notice they can have EnCase, more, and this one has webinar, so in one place I can actually see all of the files that were responsive to any one of the keywords, it doesn’t have to have all of them, it doesn’t have to have just one of them, it’s going to combine those together.

So let’s go back to our search just here, we’ve got the refresh – sorry, didn’t do it fast enough. The refresh would have shown me, I could have clicked on these as they were running, so if I click on 7up for instance I can see just the hits for 7up. Now I have this set to use the review tab, which is my preferred view when I’m reviewing search hits for version 7. It’s going to show me just the hits with the context around it and the line number that that hit is on. If I want to see the whole file I can actually use the line number as a hyperlink to the whole file, and then I’m going to see the whole file as a hit highlighted within the file, if I want to go from item to item or hit to hit. There’s only one in this one, it’s going to take me to the next file if I say ‘next hit’ and I can scroll through the hits. The other option I can choose to do is I can use ‘compressed view’. And in compressed view we’re going to centre the hits so you can really compare if it’s the same hit in the file but just in multiple locations, and you can actually go from next item to next item. So here I can see all the hits from next item and I can decide, OK this item is relevant, or I can do next hit and it’ll go to the next file with hits. So compressed view can be toggled off and on and when we’re looking at raw search hits it is searching against the text and hex view, so that’s where you’re going to see the hits.

When we process a case, which we’re going to show in the next webinar, you’re going to see your hits in the transcript and the docked view, because that’s where we extract the text for index. So we’re going to be in text and hex where we do our keyword searches, and we can see there are actually 10,000 hits for 7up but they’re in only 64 files. So if I’d reviewed all 64 files to see if any of them are relevant I may not have to view all 10,000 hits, which would make my review time a bit shorter. You may have to review all 10,000 because that’s what you’re required to do, you can absolutely do that in 7. But if you find that one file has 1500 hits and you know that that file’s not relevant to your case – maybe it’s something that has a known hash value – then we can go ahead and skip over that one and you won’t have to go over and review each other one of those individual hits.

Alright, so that’s how we view our keyword searching and do keyword hits outside of our evidence processing.

So let’s bookmark one of these hits, I’m just going to pick one of these. It may or may not have been relevant, but I’m just going to go ahead and right click and again choose to bookmark our single item. Actually this time I’ll do raw text so we can see in the report at the end that you can actually show the swept text. So, interesting swept text. I’m going to put a comment and we’ll go ahead and put this one in internet artefacts – it’s probably not there but I’m just going to randomly pick one so we can see data in different folders there.

I mentioned that you may want to find items by their hash, or ignore items by their hash. So let’s go back to our evidence, and previously we chose to hash and conduct signature analysis on these evidence files. And so if we look over, I’ll see though that the MD5 and SHA1 hashes are blank, and this is why I pointed out this option when we were doing our hash: you need to refresh your view to be able to see the MD5 and SHA1. So we were viewing entries; to refresh, you’re going to use the back button, and then I’m going to just refresh the view on the sample evidence, because I’m only really focusing on that one for this case. And when I go and look at it, now I see my MD5 and SHA1. So you just need to do a refresh, only once, once MD5 and SHA1 are finished, to get that data to populate for you.

Alright, so we have our MD5 and SHA1, and now I want to connect my hash library so I can actually view any of the notable items. So I’ve previously created a hash library. We don’t have enough time, unfortunately, in this webinar to cover everything that’s in the transition class, including creating and modifying hash libraries, but I can show you how to connect your library to your case. So we’re going to go into our case and we’re going to choose hash libraries, and where it says you get the option of two hash libraries: you can have as many hash sets as you want in each hash library, we’re just giving you the opportunity to have two in case you have multiple, in case you have a hash library specific to this case, to this matter, that you’ve created, and then you have another global hash library that everyone in your department shares that has a white and black list of hash sets.

So we’re going to go ahead and take one hash library. To add it I’m just going to double click on the hash library path, and on my desktop I actually have a hash library folder, and I’m going to click OK. Now our hash library format has changed in version 7, we’re actually using more of a database structure so it scales to millions of hash sets and hash values, so you can’t just share files, you’re going to build that database in a folder and you’ll just point to that folder. So it could be a network location, I just happen to have mine on my desktop. And I only just have one hash set because we’re trying to do a fast example, but this could have as many hash sets as you like.

So I’m going to go ahead and click OK and now my hash library is associated with my case. So now I can do some filtering based on my hash library. So I’ve hashed my files – I can do that either as an individual process off the right click or in processing – and now I’m going to run a filter to find entries by their hash category. Now our filters give us the options when you open them up: do you want to run them on the current view, meaning anything that’s in this tab right now – if you had multiple devices like we showed before, where you have a preview and you also have an evidence file, you could say just do it on the current device – or you could say to run it on all the evidence files in your whole case. We’re just going to do it on our current view and click OK.

And we’re going to do notable files. Now you can run this on your whole view, or you could run it on selected entries only – I’m going to actually show you how you can run it on selected entries only, so I’m going to click cancel this second, and let’s say we run it on these first three or four folders. So I’m going to search for anything that’s notable in this first area of the drive. So I’m going to filter, find entries by hash category, click OK, the selected entries, I’m looking for notable. If I had more hash sets, any of the categories available on those hash sets would be options on my filter here, so they automatically show up, and I’ll click OK. And now it’s going to show me that there were three files that actually had matching hash sets. So those are the items that are matching that notable hash category.

Now you’ll notice that we ended up showing a table view, and for those of you familiar with how it worked in version 6, this is a table view – we could change it back to the way it was in version 6 by switching your split mode to tree table. In general I caution you not to change your split modes most of the time, because the way that we have the panes set up, this pane being the tree, this pane being the table, you don’t need to change. So if you’re ever trying to figure out where something went, I would not try and change your split mode as a general practice. The only time that I change my split mode is for filtering; you only have to change it once to tree table, and that will allow you to narrow in and say OK, was there anything in this folder? Nope. Anything in this folder? Nope. Oh, there’s the three – by using your home plate. So if you’re familiar with that functionality in 6, it will work by you changing your split mode to tree table, and you can always tell you have an active filter now by this orange bar being active. If you’re not familiar with doing it that way, I highly recommend leaving it on the table view, because that’ll basically show you anything responsive to the filter on your whole set of evidence that you have visible or selected. So that’s the only time I ever switch my mode, and I typically only ever use tree table just to get the equivalent functionality of what I had in 6.

Alright, so that is how we can get a couple of files that way. We’re going to go ahead and take these three blue text files and we’re going to call them our documents. So I’m going to bookmark the selected items and I’m going to put them in our documents folder and click OK, and then I’m going to turn off my filter by just checking the ‘x’ for that filter. And notice your Dixon box is up at the top here – you can use your Dixon box to blue check or uncheck the whole set, just like you could in 6. And also when you’re on a file, notice your GPS is at the very bottom, so we get the actual whole bottom of the screen to be able to use as our GPS, meaning ‘give me the location of the file, what’s its full path’, as well as the physical location of the logical sector, cluster, sector offset, file offset, and links. All of that information is available for you in the bottom.

Alright, so we have our items. Let’s also show a couple of our other filters, we can bookmark a few more things for our reports, and then I’m going to go ahead and move over to questions. So as far as our filters, we have filters that’ll go ahead and show us all the pictures in our case, so we’re going to say pictures, run that on everything here, on our evidence file. I have it in tree table mode, so I have to home plate to show the responsive items. I could flip it over into gallery – and we’ll pick a picture of a car, picture of Bloglines. I make sure with my Dixon that there are only two selected there. Actually let’s do a couple more. So we’ll do four. I’ll tick that. And then we’re going to bookmark the selected items and I’m going to put that in my pictures folder. There’s nothing special about the pictures folder that means you can only bookmark pictures into it – I could bookmark pictures into any of these folders and it’s still going to show me the picture in the report.

So I’m going to go ahead and click OK, I’ve bookmarked some pictures, I’m going to turn that filter off. And we bookmarked an email, a document… let’s go ahead and look at what we have in our report.

So I’m going to go to the view menu and choose to look at the report that’s associated with this template. So when I created the template at the beginning of the case it actually had the report formatting all built into it for me. So here we’ve got the reports, it’s filled in my case information on the title page, it also put my case information in the header on the subsequent pages. It gives me a list of the evidence in the case, and if I wanted to make notes on my bookmarks folder, they would show up here.

Actually let me real quickly show you how that works. So if I go to ‘view – bookmarks’, here are my folders, and I can choose to make a note just as I could in version 6, so I’m going to say install software, EnCase 7.09 for this case. Just some notes there so when I come to the report it’ll regenerate it. And now under my notes I’ll see that there’s a note of which software was installed. Then for the notes I’ve bookmarked I’m going to get the general information including dates and times and their MD5. If I entered a comment that would show – there’s a bunch of stuff that I bookmarked there.

I also bookmarked some pictures, so here’s the picture information including the path, dates and times, MD5 and then an embedded image of the picture. For the email I see the full email including the header information at the top and my comments, and then I show the attachment, which, if we were to export this report, I could actually access – the attached item – if I choose to export items.

And then for my swept text I can see here is that item where I bookmarked it as an internet artefact and underneath it I have the swept text displayed right under my comments. If I don’t want to use any of these folders I can always hide them. We cover how to customise a report template in the transition course.

So I have my report, I can choose to right click on the report anywhere, save as, and then I can choose which format I want to save it in. So if I choose HTML on ‘export items’, all those items that showed as blue hyperlinks will actually hyperlink when you export them. So now that’s a very quick overview of all the things you need to find when you’re moving from 6 to 7 if you’re keeping the same workflow. What I didn’t highlight in here and what I’m looking forward to showing you in our next webinar is going to be, OK here’s what was in 6, but here’s what’s brand new to 7 that really can speed up your investigation. We’re going to focus on the index and how keyword searching is different than indexing and why you might prefer indexing once you get more familiar with it for at least getting started, and then we’re also going to talk about all the different ways you can process your case, whether you want to focus in on a limited area first and then expand out, or whether you’re going to work to have them all prepared for you in advance by processing in bulk and then focusing on individual files.

Alright so I’ve talked a lot, I’m going to hand over to Robert for a minute and then he’s going to come back and we’re going to talk over some questions.

End of Transcript
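The two triage steps Ashley walks through above, connecting a hash library and filtering entries by hash category (including on selected entries only), and reviewing raw keyword hits by line number and context while counting hits against distinct files, can be expressed compactly in code. The block below is an added example written for this page; it is not EnCase code or Guidance Software's API. The evidence entries, the hash sets and their category names are constructed inline for the example, and the hash library is a plain lookup table standing in for EnCase 7's folder-based database.

```python
"""Hash-category filtering and raw keyword-hit triage (added example, not EnCase code)."""
import hashlib
import re
from collections import Counter

# Constructed sample evidence: entry path -> raw bytes. In EnCase these would be
# the entries inside an evidence file; here they are embedded so the example runs offline.
SAMPLE_EVIDENCE = {
    "C/Documents/memo.txt": b"Order: 7up, 7up and 7UP again.\nSecond line mentions 7up.\n",
    "C/Documents/readme.txt": b"nothing to see here\n",
    "C/Program Files/known.dll": b"MZ\x90\x00known good binary\n",
    "C/Users/bob/notable.bin": b"contraband sample\n",
    "C/Users/bob/empty.txt": b"",
}


def hash_entry(data: bytes):
    """Return (md5, sha1) hex digests for one entry, the values the hash step populates."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


# Constructed hash sets: set name -> (category, MD5 values). The values are computed
# from the sample data above so the example is self-contained; a real set would be
# imported from a known-file source or built from a prior case.
HASH_SETS = {
    "Case-Contraband": ("Notable", [hash_entry(SAMPLE_EVIDENCE["C/Users/bob/notable.bin"])[0]]),
    "Vendor-OS-Files": ("Known", [hash_entry(SAMPLE_EVIDENCE["C/Program Files/known.dll"])[0]]),
}


def build_hash_library(hash_sets):
    """Flatten hash sets into an MD5 -> (set name, category) lookup table.

    The filter matches on category ("Notable", "Known"), not on set name, so
    several sets sharing a category are found by one filter run.
    """
    library = {}
    for set_name, (category, md5s) in hash_sets.items():
        for md5 in md5s:
            library[md5.lower()] = (set_name, category)
    return library


LIBRARY = build_hash_library(HASH_SETS)


def filter_by_hash_category(evidence, library, category, selected=None):
    """Return sorted entry paths whose MD5 belongs to a hash set of `category`.

    `selected` restricts the filter to the selected entries only; None means
    the whole current view, mirroring the two options the filter dialog offers.
    """
    matches = []
    for path, data in evidence.items():
        if selected is not None and path not in selected:
            continue
        md5, _ = hash_entry(data)
        hit = library.get(md5)
        if hit is not None and hit[1] == category:
            matches.append(path)
    return sorted(matches)


def keyword_hits(evidence, keyword, case_sensitive=False, context=10):
    """Raw keyword search over entry text: one record per hit with line number and context.

    Bytes are decoded as latin-1 so binary content never raises; this is a
    text-view search, not an index lookup.
    """
    pattern = re.compile(re.escape(keyword), 0 if case_sensitive else re.IGNORECASE)
    hits = []
    for path, data in evidence.items():
        text = data.decode("latin-1")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in pattern.finditer(line):
                snippet = line[max(0, m.start() - context):m.end() + context]
                hits.append({"path": path, "line": line_no, "context": snippet})
    return hits


def hit_summary(hits):
    """Total hits, number of distinct files, and per-file counts.

    Reviewing per file rather than per hit is what lets an examiner skip a
    known-hash file carrying hundreds of hits instead of viewing each one.
    """
    per_file = Counter(h["path"] for h in hits)
    return len(hits), len(per_file), dict(per_file)


if __name__ == "__main__":
    print("Notable:", filter_by_hash_category(SAMPLE_EVIDENCE, LIBRARY, "Notable"))
    print("Known:", filter_by_hash_category(SAMPLE_EVIDENCE, LIBRARY, "Known"))
    total, files, per_file = hit_summary(keyword_hits(SAMPLE_EVIDENCE, "7up"))
    print(f"{total} hits in {files} file(s): {per_file}")
```

Running the block lists the one notable and one known entry, then reports four case-insensitive hits for 7up concentrated in a single file, which is the per-file view that makes skipping irrelevant files practical.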
