EnCase 7.10: Better Visibility, Simpler Reporting, More Flexible

For more than 15 years, EnCase has empowered investigators by exposing data invisible to most tools and putting this data at the investigator’s fingertips with flexible, accessible analysis and reporting. EnCase 7.10 is built to continue this tradition.

EnCase 7.10 expands on best-in-class visibility by unlocking self-encrypting drives and supporting OS X investigations with HFS+ Double Files, Quick Look Thumbnail Caches and Keychain parsing. EnCase 7.10 simplifies analysis and reporting through a new Report Template Wizard. Not every investigation is a “dead box” investigation, and EnCase 7.10 has adapted to include EnCase Portable volatile data collection and triage capabilities at no additional cost.Better Visibility: Self-Encrypting Drives

Self-encrypting drives represent a very specific problem for digital investigators. The direction of technology is clear: within the next few years, strong encryption will be baked into the silicon of every hard drive from every major manufacturer. Self-encrypting drives (SED) offer greater data security than traditional full-disk encryption in that the data stored is always encrypted at rest and the keys to decrypt the data never leave the device, which means they cannot be practically brute-forced through traditional means.

In a locked state, the data at rest on a SED is not usable to an investigator. SED security measures prevent a full disk image of the actual data stored. Even if a full image could be taken, since the data encryption key never leaves the SED, there is no way to decrypt the data without the original hardware. The SED must be unlocked to extract the actual data. To an investigator, unlocking is functionally equivalent to decryption. While SED manufacturers adopt the Trusted Computing Group’s OPAL specification, the way a SED is unlocked is specific to each encryption management vendor.

Encryption management vendors, like WinMagic SecureDoc, manages software-based encryption and SEDs. Working in close partnership with WinMagic, Guidance Software has delivered an ability to unlock SED drives managed by WinMagic SecureDoc. One of the major obstacles to deploying encryption across an enterprise is to maintain the ability to investigate the resulting protected data. EnCase 7.10 and WinMagic SecureDoc together provides first-of-a-kind visibility into the data within a SED.

Better Visibility: OS X and HFS+

EnCase has dramatically expanded tools for OS X investigations. With a dedicated OS X Artifact Parser, HFS+ extended file attributes, and the ability to perform remote forensics on OS X Core Storage logical volumes, no single forensic tool can claim equivalent depth and breadth. EnCase 7.10 extends the value for OS X investigations even further.

EnCase 7.10 includes native parsing of “double” files. OS X uses “double” files or “dot” files to store HFS+ extended file system attributes on non-HFS+ volumes (e.g. FAT, exFAT). Investigators can find information within extended file attributes, like the date/time a file was added to the Trash. OS X Cover Flow images are parsed and viewable as thumbnails in EnCase 7.10, letting investigators see files a user has actually viewed in the Finder. EnCase 7.10 also natively parses OS X Keychain files, and automates the decryption of encryption DMGs with secrets saved in the Keychain.

Simpler Reporting

No forensic investigation is complete without a comprehensive report tailored to the intended audience. EnCase 7 provides a powerful tools to efficiently incorporate the findings of the investigation into a Report Template. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power.

EnCase 7.10 adds the Report Template Wizard. Investigators can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting, while maintaining the power of Report Templates.

More Flexible: Triage and Volatile Data Collection

EnCase 7.10 includes EnCase Portable capabilities at no additional cost. EnCase Portable is built for on-scene investigations and provides a simple, job-based interface to perform volatile data collection and triage while outside the forensic lab. An expert investigator is not required to operate EnCase Portable.

Commonly when on-scene, there is little time to perform investigation: time is of the essence. EnCase Portable simplifies collection of volatile data: live RAM, running processes, open ports, DNS cache, as well as screen captures of open windows on the desktop. Pictures, documents and internet artifacts may be searched in real-time and encryption is detected, giving the investigator actionable intelligence for what to do next within the time available.

Want to learn more about EnCase 7.10 and what it can do for your digital investigations? Take a look at: https://www.guidancesoftware.com/products/Pages/encase-forensic/overview.aspx?cmpid=nav

Leave a Comment