time analysis NTFS and registry using Encase Enterprise

keith
 

Hi

Following scenario: I have a system of interest that I can remotely analyze using EnCase Enterprise. In the context of, e.g., a malware case I would like to perform a time analysis.
More specifically, I would like to create a timeline for registry hive keys and a timeline for the NTFS file system.

What is the best methodology to do this using EnCase Enterprise? It might be that EnCase Enterprise is only used as the collection tool and after that scripts are used to do the time analysis.

Thanks in advance for your feedback,
Keith

 
Posted : 30/07/2010 6:20 pm
keydet89
 

Keith,

Why are you restricting yourself to EE?

 
Posted : 30/07/2010 6:28 pm
athulin
 

What is the best methodology to do this using EnCase Enterprise.

What do you mean by 'time analysis'?

In EnCase (I'm more familiar with Forensic, but I expect the principles apply to Enterprise), you can sort, filter, and select entries on time stamp fields more or less as you want. Getting registry contents into that list is just a question of mounting the hives you are interested in (active or RP hives).

This is not 'methodology'. It's 'tool functionality'. Methodology is (or should be) largely tool agnostic, as long as the necessary functionality is there. But methodology also depends on what you are trying to do, and 'time analysis' doesn't tell me very much. (Added 'time line' is a bit more specific – I missed that the first time through. But I seem to have answered it already.)

But perhaps all you want is to find files/registry entries that were created or written between two well-defined points in time, and are still present in the file system/registry – well, then you've got it.

Of course, the next question is how do you want to use the information? Get into Excel? Access? Some charting tool? That may change things.

An even more effective way to find an EE solution is to ask in the appropriate forum at support.guidancesoftware.com, where all the EnCase experts are, as well as EnCase tech support. There may be EE-specific solutions, which I know nothing about.

 
Posted : 30/07/2010 8:20 pm
jonstewart
 

Do you only have a single system to investigate, or multiple systems?

If only a single system, then I'd preview the machine manually, select the hives you're interested in, and then choose "View File Structure". At this point you can export all the metadata or use Geoff Black's Timeline Analysis EnScript.

It's a good idea to grab the registry hives, into an L01 or copied out, for subsequent analysis with RegRipper.

If you have a lot of machines to investigate, then I believe there's an EnScript module called "Custodian Search" that you can use to grab particular types of files and put them into an L01. IIRC, you can specify the option to preserve only metadata of the files, so it runs reasonably quickly. This lets you gather some data, then analyze it later.

Jon

 
Posted : 02/08/2010 10:36 pm
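The "collect with EnCase, analyze with scripts" approach above, as an added example that is not part of this thread and is not EnCase, an EnScript, RegRipper or log2timeline code: it assumes the file-entry timestamps and the registry key LastWrite times have already been exported to two CSV files (both column layouts are assumptions, not a real EnCase export format), converts the raw 64-bit FILETIME LastWrite values the hive stores, and merges everything into one sorted timeline with mactime-style "macb" flags so a file's creation, the Run key's last write, and a Prefetch file's appearance can be read in one pass. The sample rows are constructed. One caveat a practitioner would keep in mind: the NTFS timestamps EnCase shows by default are the $STANDARD_INFORMATION set, which malware can rewrite, so confirm anything suspicious against the $FILE_NAME timestamps before relying on the order.

```python
"""Unified NTFS + registry timeline from exported metadata.

Example code added to this thread; not EnCase, an EnScript, RegRipper or
log2timeline. It assumes the collection tool has already exported file-entry
timestamps and registry key LastWrite times to CSV. Both column layouts are
assumed for illustration, not a real EnCase export format.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample NTFS export (assumed columns, ISO-8601 UTC).
NTFS_CSV = r"""path,created,modified,accessed,entry_modified
C:\Windows\System32\svchost.exe,2009-07-14T01:14:27Z,2009-07-14T01:14:27Z,2010-07-28T09:12:01Z,2009-07-14T01:14:27Z
C:\Users\alice\AppData\Local\Temp\update.exe,2010-07-28T09:11:52Z,2010-07-28T09:11:53Z,2010-07-28T09:12:00Z,2010-07-28T09:11:53Z
C:\Windows\Prefetch\UPDATE.EXE-1A2B3C4D.pf,2010-07-28T09:12:03Z,2010-07-28T09:12:03Z,2010-07-28T09:12:03Z,2010-07-28T09:12:03Z
"""

# Constructed sample registry export (assumed columns). LastWrite is kept as
# the raw 64-bit FILETIME the hive stores: 100 ns ticks since 1601-01-01 UTC.
REG_CSV = r"""key,lastwrite_filetime
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,129247819180000000
HKLM\SYSTEM\ControlSet001\Services\Tcpip,128920076670000000
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME to an aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_iso(s: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the constructed export."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ntfs_events(csv_text: str) -> list:
    """One event per distinct timestamp per file, flagged mactime-style:
    m = modified, a = accessed, c = MFT entry modified, b = born (created)."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = {}
        for col, flag in (("modified", "m"), ("accessed", "a"),
                          ("entry_modified", "c"), ("created", "b")):
            flags.setdefault(parse_iso(row[col]), set()).add(flag)
        for ts, present in flags.items():
            macb = "".join(f if f in present else "." for f in "macb")
            events.append({"ts": ts, "source": "NTFS", "macb": macb, "name": row["path"]})
    return events


def registry_events(csv_text: str) -> list:
    """A key's LastWrite is its only timestamp; record it as a modification."""
    return [{"ts": filetime_to_datetime(int(row["lastwrite_filetime"])),
             "source": "REG", "macb": "m...", "name": row["key"]}
            for row in csv.DictReader(io.StringIO(csv_text))]


def build_timeline(ntfs_csv: str = NTFS_CSV, reg_csv: str = REG_CSV) -> list:
    """Merge both sources into one list ordered by time, then source, then name."""
    events = ntfs_events(ntfs_csv) + registry_events(reg_csv)
    return sorted(events, key=lambda e: (e["ts"], e["source"], e["name"]))


def in_window(events: list, start: datetime, end: datetime) -> list:
    """Keep events with start <= ts <= end (aware UTC datetimes)."""
    return [e for e in events if start <= e["ts"] <= end]


def format_line(e: dict) -> str:
    return f'{e["ts"]:%Y-%m-%d %H:%M:%S} {e["macb"]} {e["source"]:<4} {e["name"]}'


if __name__ == "__main__":
    # Narrow the merged timeline to the minutes around the suspicious activity.
    start = parse_iso("2010-07-28T09:11:00Z")
    end = parse_iso("2010-07-28T09:13:00Z")
    for event in in_window(build_timeline(), start, end):
        print(format_line(event))
```

Run as-is it prints the six events that fall in the two-minute window: update.exe is born, then modified, the Run key is written, update.exe and svchost.exe are accessed, and the Prefetch file appears. Replacing the two constructed strings with real exports (and adjusting the column names) is the only change needed; FILETIME conversion stays the same whichever tool produced the registry export.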
mark.morgan47
 

Keith, I am also a big Encase Enterprise user and have done quite a few timelines on intrusion cases. Even though Encase has some enscripts that do a decent job, I find that using the Super Timeline Analysis as explained in the following URL is a better way to go. After the first time you will see how easy it is with only some basic knowledge of Linux commands.

http://blogs.sans.org/computer-forensics/2010/03/19/digital-forensic-sifting-super-timeline-analysis-and-creation/

 
Posted : 03/08/2010 1:48 am