EnCase Enterprise Basic File Collection

Basic Ediscovery Steps in EnCase Enterprise v7

Damir Delija

2014

Introduction

• Data collection can be done automatically in the EnCase Enterprise

• Requires a lot of hand work and good planning

• This presentation is a putting together information from various sources and manuals

– Lance Muller blog,

– EnCase presentations and manuals,

– blogs

EnCase Enterprise Components that Enable Forensically sound and Secure Network Investigations

The SAFE (Secure Authentication For EnCase®) • Authenticates users, administers access rights, retain logs of EnCase transactions, brokers

communications and provides for secure data transmission

• The SAFE communicates with Examiners and Target Nodes using encrypted data streams, ensuring no information can be intercepted and interpreted

The Examiner • Installed on a computer where authorized investigators perform examinations and audits

• Leverages the robust functionality of Guidance Software's flagship EnCase Forensic Edition product, with network enhanced capability for security and administration

The Servlet • A small, passive software agent that gets installed on network workstations and servers

• Connectivity is established between the SAFE, the Servlet, and the EnCase Enterprise Examiner to identify, preview, and acquire local and networked devices.

Enterprise Concurrent Connections • Enterprise Concurrent Connections are secure parallel connections established between the

Examiner & servers, desktops or laptops that are being searched or investigated

Snapshot • The “Snapshot” technology enables the user to scan thousands of computers to detect, collect,

preserve and remediate any network intrusion on an enterprise-wide scale

Servlets Installed on Computers

How the EnCase Enterprise Components Fit Together

Sample Deployment Topology Main Office A

Examiner

Aggregation Database

Company Headquarters

Branch Office

Target Node

Target Node

Target Node

Main Office B

SAFE

Target Node Target Node Target Node

Examiner

Target Node

Target Node

Target Node

SAFE

Target Node

Examiner

Target Node

Target Node

Target Node

WAN

How EnCase® Enterprise and EnCase eDiscovery Integrate With the Target Network

A Rich Man Solution

What we Need

• EnCase Enterprise v7

– safe, examiner (both on the same machine in basic setup)

• Requires a lot of hand work and good planning

– task definition, plans etc

• As it is in EnCase Enterprise we need

– open case

– user logged into safe with appropriate rights (role)

Entry Level EnCase Entreprise System

SAFE /Examiner

• on the same machine

Servlet

• on the each end node

Enterprise Concurrent Connections

• control number of parallel acceses

Main Office A

SAFE /Examiner

Additional storage

Company Headquarters

Target Node

Target Node

Target Node

Branch Office

Target Node

Target Node

Target Node

Target Node

Target Node

Target Node

Target Node WAN

Task • Collect all pdf, doc and docx files from two machines

defined by IP address • Scope

– set of IP addresses

• Collection rule – if file extension is pdf or doc or docx collect file and its metadata

• Procedure – if node fails do another try – create report with list of responsive files

1) choose user

2) choose safe

3) choose role

Login Into EnCase Enterprise

Creating a New Case

Case name is important, this one gives us hint on task Case information leads us

Case Folder Structure

Additional folders: Reports, Conditions, Evidence

Doing Enterprise Sweep

General input • we need a list of targets

• we need rules to define responsive data

• we need general rules and guidelines

In the EnCase term list of IP addressee where

we have to install servlets and do sweep

conditions, keywords,

hashes what to do in the case of

failure, errors, location to store data, reports, tests, case name, etc

Sweep Enterprise Snapshot For Data Collecting

From Enscripts tab choose Sweep Enterprise

Definition of End Nodes for the Collection Sweep

In the sweep wizzard define nodes for the sweep

Adding IP Addresses Directly

List of end nodes can be added directly into wizzard, it is sometimes usefull shortcut

Running Sweep on the End Nodes

End nodes defined and approwed

Define the Type of the Sweep

Snapshot is mandatory •collects processes, users, etc

File Processor is our data collector

•collect files System info is optional

•slow process •collects machine info, mostly registry

What Snapshot Gets From End Node

•System info parser is optional •it will collect data about node from end nodes registry •to speed up this can be uncheked, but it is usefull to have that data

What Process and OS Data Will Get Collected

Snapshot – mandatory •some things which are more incident response than data collecting can be disalbled to speed up

Definition of File Collection Criteria

Metadata on files is default file atributes are collection criteria if uncheked only file metadata is collected

Entry Condition Defines File Attributes

File atributes as criteria for collection

Entry Condition Wizard

Conditions can be only typed or imported

Import Already Existed and Tested Condition

How to import already existing condition

Condition Folder in Case Place Where Conditions are Kept

Conditions sholud be named in meaningfull way

Collection Criteria

Collection entry condition is imported from previoulsy existing conditions be lasy and efficient •automate •use alredy tested and proofed code

Additional Element How to Handle Archives on the End Nodes

Default is : no going in into archives

Final List of End Nodes and Tasks to be Done in Sweep

Can be saved as part of documentation

Store Collection Parameters as One of Intermediate Reports

Usefull later for documentation, goes to case / report folder

Sweep is Running

• It can take a lot of time

• monitor status

• keep logs

• check the impact on the network and systems

• some automated tools

• case analyzer

• keep eye on console

• keep eye on disk sage and free space

Sweep Status

Refresh can be done automatically

Sweep Live Status

Live sweep status: end nodes status, modules, success or failure

Sweep Completed

One node has failed

Sweep Results in the Analysis Browser

Analysis Browser Enscript – all collected data from sweep (no file content)

Sweep Results Responsive Files in the Analysis Browser

All responsive files

Create an Status Report

There are alternative methods to create intermediate status reports

I prefer “Save as” in tab delimieted format Report goes into case report folder

In Our Procedure Repeat Sweep if Fails

Repeated sweep, now all endnodes are succesfull

Sweep Data Location

Stored in folder: case/ enscript/ sweep Enterpise/ Scan timestamp

L01 Collection Files – Sweep Result

Stored in the case enscript/sweep folder Named by reposnive end node Contains: •responsive files •snapshot data •add to case manually

L01 files –Data in the Case

Default view is snapshot view - records about end nodes

Getting to Responsive Files in L01

To get to file collector results go to “View Entries”

L01 File for End Node Responsive Files View

All responsive files from one end node

How to Create Cumulative L01 File

• All data are in case in node-name.L01 files – one for each end node

– to put all that into one file without snapshot data

• Condition will create result view – again already used condition can be applied

• From cumulative L01 and all necessary reports can be created – same data but easier to handle

In Entry View Use Condition

Already used condition (as collection entry condition)

Run Condition

Use it on “all evidence” on all L01 end nodes files in our case

Results

All resposive files as condition result

Bookmark if Necesary

Bookmark if needed, for reports etc

Good Practice: Name of Bookmark Folder on Sweep Name

Sweep name – bookmark folder name

Creating Cummulative L01 File From Condition Results

From all responsive files create L01 file

Create Cummulative L01 File Name it by Sweep Name

Name based on sweep, fill notes, goes to evidence folder

Create Cummulative L01 File Include all Needed

Include file data and metadata, close on finish is important

Create Cummulative L01 File L01 Format

Choose L01 if other forensic tools are used too

Good Practice: Remove all End Node L01 Files From Case

To avoid any duplications etc, remove all endnodes L01 and use only cummulative L01

Good Practice: Use Only Cummulative L01 File

In all further work use only cumulative L01 file, or even open new case

Structure of the Cummulative L01 File

whole logical structure contained also reposive file content

Just to Proof

Test with conditon to show all responsive files are here

Finishing

• Document everything

• Reports

• logs

• backup

• Store on encrypted media

• Remove forensically and wipe forensically all temporary and unwanted data and media

• Don’t forget to unistall servlets