EnCase 7.10: Better Visibility, Simpler Reporting, More Flexible

For more than 15 years, EnCase has empowered investigators by exposing data invisible to most tools and putting this data at the investigator’s fingertips with flexible, accessible analysis and reporting. EnCase 7.10 is built to continue this tradition.

EnCase 7.10 expands on best-in-class visibility by unlocking self-encrypting drives and supporting OS X investigations with HFS+ Double Files, Quick Look Thumbnail Caches and Keychain parsing. EnCase 7.10 simplifies analysis and reporting through a new Report Template Wizard. Not every investigation is a “dead box” investigation, and EnCase 7.10 has adapted to include EnCase Portable volatile data collection and triage capabilities at no additional cost.

Better Visibility: Self-Encrypting Drives

Self-encrypting drives represent a very specific problem for digital investigators. The direction of technology is clear: within the next few years, strong encryption will be baked into the silicon of every hard drive from every major manufacturer. Self-encrypting drives (SED) offer greater data security than traditional full-disk encryption in that the data stored is always encrypted at rest and the keys to decrypt the data never leave the device, which means they cannot be practically brute-forced through traditional means.

In a locked state, the data at rest on a SED is not usable to an investigator. SED security measures prevent a full disk image of the actual data stored. Even if a full image could be taken, since the data encryption key never leaves the SED, there is no way to decrypt the data without the original hardware. The SED must be unlocked to extract the actual data; to an investigator, unlocking is functionally equivalent to decryption. While SED manufacturers have adopted the Trusted Computing Group’s OPAL specification, the way a SED is unlocked is specific to each encryption management vendor.


Encryption management products, like WinMagic SecureDoc, manage both software-based encryption and SEDs. Working in close partnership with WinMagic, Guidance Software has delivered the ability to unlock SED drives managed by WinMagic SecureDoc. One of the major obstacles to deploying encryption across an enterprise is maintaining the ability to investigate the resulting protected data. EnCase 7.10 and WinMagic SecureDoc together provide first-of-a-kind visibility into the data within a SED.

Better Visibility: OS X and HFS+

EnCase has dramatically expanded tools for OS X investigations. With a dedicated OS X Artifact Parser, HFS+ extended file attributes, and the ability to perform remote forensics on OS X Core Storage logical volumes, no single forensic tool can claim equivalent depth and breadth. EnCase 7.10 extends the value for OS X investigations even further.

EnCase 7.10 includes native parsing of “double” files. OS X uses “double” files or “dot” files to store HFS+ extended file system attributes on non-HFS+ volumes (e.g. FAT, exFAT). Investigators can find information within extended file attributes, like the date/time a file was added to the Trash. OS X Cover Flow images are parsed and viewable as thumbnails in EnCase 7.10, letting investigators see files a user has actually viewed in the Finder. EnCase 7.10 also natively parses OS X Keychain files, and automates the decryption of encrypted DMGs whose secrets are saved in the Keychain.
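The “double” files described above are AppleDouble containers (the “._name” companions OS X writes on FAT/exFAT media). As an added example, not EnCase’s or Guidance Software’s code, the parser below reads the AppleDouble header and entry table from a constructed sample, extracts the Finder info and resource fork entries, and bounds-checks every entry offset and length, since these files arrive from untrusted media. The extended-attribute block that OS X can place after the 32-byte Finder info inside entry 9 is not decoded here.

```python
import struct

# AppleDouble header: magic, version, 16-byte filler, entry count (all big-endian).
APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000
HEADER = struct.Struct(">II16sH")
ENTRY = struct.Struct(">III")  # entry id, offset, length
ENTRY_NAMES = {1: "data fork", 2: "resource fork", 3: "real name", 4: "comment",
               8: "file dates", 9: "Finder info", 10: "Macintosh file info",
               13: "AFP short name", 14: "AFP file info", 15: "AFP directory id"}
# Finder flags (fdFlags) from the first 16 bytes of a file's Finder info entry.
FINDER_FLAGS = {0x8000: "alias", 0x4000: "invisible", 0x2000: "bundle",
                0x1000: "name locked", 0x0400: "custom icon", 0x0100: "inited"}


def parse_appledouble(blob):
    """Return {entry name: bytes} for a '._' file; ValueError on malformed input."""
    if len(blob) < HEADER.size:
        raise ValueError("too short for an AppleDouble header")
    magic, version, _filler, count = HEADER.unpack_from(blob, 0)
    if magic != APPLEDOUBLE_MAGIC or version != APPLEDOUBLE_VERSION:
        raise ValueError("bad magic/version 0x%08x/0x%08x" % (magic, version))
    entries, pos = {}, HEADER.size
    for _ in range(count):
        if pos + ENTRY.size > len(blob):
            raise ValueError("entry table truncated")
        eid, off, length = ENTRY.unpack_from(blob, pos)
        pos += ENTRY.size
        # Bounds-check before slicing: offsets and lengths come from the file, not from us.
        if off < HEADER.size or off + length > len(blob):
            raise ValueError("entry %d (offset %d, length %d) out of bounds" % (eid, off, length))
        entries[ENTRY_NAMES.get(eid, "unknown(%d)" % eid)] = blob[off:off + length]
    return entries


def finder_info(info):
    """Decode type, creator and flag names from a file's Finder info entry."""
    ftype, creator, flags = struct.unpack_from(">4s4sH", info, 0)
    names = [n for bit, n in sorted(FINDER_FLAGS.items()) if flags & bit]
    return ftype.decode("mac_roman"), creator.decode("mac_roman"), names


def build_sample():
    """Constructed sample (not from a real disk): Finder info (TEXT/ttxt, invisible) plus a resource fork."""
    finder = b"TEXTttxt" + struct.pack(">H", 0x4000) + bytes(22)  # 32-byte Finder info
    rsrc = b"constructed resource fork bytes"
    fi_off = HEADER.size + 2 * ENTRY.size
    rs_off = fi_off + len(finder)
    return (HEADER.pack(APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, b"Mac OS X".ljust(16), 2)
            + ENTRY.pack(9, fi_off, len(finder)) + ENTRY.pack(2, rs_off, len(rsrc))
            + finder + rsrc)
```

Running `parse_appledouble` on a real “._” file carved from a FAT volume yields the same entry map; an out-of-range entry raises rather than reading past the buffer.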

Simpler Reporting

No forensic investigation is complete without a comprehensive report tailored to the intended audience. EnCase 7 provides powerful tools to efficiently incorporate the findings of the investigation into a Report Template. While powerful, Report Templates can have a steep learning curve, and particularly in time-sensitive investigations, simplicity may be more desirable than power.

EnCase 7.10 adds the Report Template Wizard. Investigators can quickly add a Bookmark Folder to the Report Template, specify metadata, perform basic formatting, and preview the report. The Report Template Wizard simplifies reporting, while maintaining the power of Report Templates.

More Flexible: Triage and Volatile Data Collection

EnCase 7.10 includes EnCase Portable capabilities at no additional cost. EnCase Portable is built for on-scene investigations and provides a simple, job-based interface to perform volatile data collection and triage while outside the forensic lab. An expert investigator is not required to operate EnCase Portable.

On-scene, there is commonly little time to investigate: time is of the essence. EnCase Portable simplifies collection of volatile data: live RAM, running processes, open ports, DNS cache, as well as screen captures of open windows on the desktop. Pictures, documents and internet artifacts may be searched in real time and encryption is detected, giving the investigator actionable intelligence on what to do next within the time available.

Want to learn more about EnCase 7.10 and what it can do for your digital investigations? Take a look at: https://www.guidancesoftware.com/products/Pages/encase-forensic/overview.aspx?cmpid=nav
