Basic Ediscovery Steps in EnCase Enterprise v7 Damir Delija 2014
May 26, 2015
Basic Ediscovery Steps in EnCase Enterprise v7
Damir Delija
2014
Introduction
• Data collection can be done automatically in the EnCase Enterprise
• Requires a lot of hand work and good planning
• This presentation is a putting together information from various sources and manuals
– Lance Muller blog,
– EnCase presentations and manuals,
– blogs
EnCase Enterprise Components that Enable Forensically sound and Secure Network Investigations
The SAFE (Secure Authentication For EnCase®) • Authenticates users, administers access rights, retain logs of EnCase transactions, brokers
communications and provides for secure data transmission
• The SAFE communicates with Examiners and Target Nodes using encrypted data streams, ensuring no information can be intercepted and interpreted
The Examiner • Installed on a computer where authorized investigators perform examinations and audits
• Leverages the robust functionality of Guidance Software's flagship EnCase Forensic Edition product, with network enhanced capability for security and administration
The Servlet • A small, passive software agent that gets installed on network workstations and servers
• Connectivity is established between the SAFE, the Servlet, and the EnCase Enterprise Examiner to identify, preview, and acquire local and networked devices.
Enterprise Concurrent Connections • Enterprise Concurrent Connections are secure parallel connections established between the
Examiner & servers, desktops or laptops that are being searched or investigated
Snapshot • The “Snapshot” technology enables the user to scan thousands of computers to detect, collect,
preserve and remediate any network intrusion on an enterprise-wide scale
Servlets Installed on Computers
How the EnCase Enterprise Components Fit Together
Sample Deployment Topology Main Office A
Examiner
Aggregation Database
Company Headquarters
Branch Office
Target Node
Target Node
Target Node
Main Office B
SAFE
Target Node Target Node Target Node
Examiner
Target Node
Target Node
Target Node
SAFE
Target Node
Examiner
Target Node
Target Node
Target Node
WAN
How EnCase® Enterprise and EnCase eDiscovery Integrate With the Target Network
A Rich Man Solution
What we Need
• EnCase Enterprise v7
– safe, examiner (both on the same machine in basic setup)
• Requires a lot of hand work and good planning
– task definition, plans etc
• As it is in EnCase Enterprise we need
– open case
– user logged into safe with appropriate rights (role)
Entry Level EnCase Entreprise System
SAFE /Examiner
• on the same machine
Servlet
• on the each end node
Enterprise Concurrent Connections
• control number of parallel acceses
Main Office A
SAFE /Examiner
Additional storage
Company Headquarters
Target Node
Target Node
Target Node
Branch Office
Target Node
Target Node
Target Node
Target Node
Target Node
Target Node
Target Node WAN
Task • Collect all pdf, doc and docx files from two machines
defined by IP address • Scope
– set of IP addresses
• Collection rule – if file extension is pdf or doc or docx collect file and its metadata
• Procedure – if node fails do another try – create report with list of responsive files
1) choose user
2) choose safe
3) choose role
Login Into EnCase Enterprise
Creating a New Case
Case name is important, this one gives us hint on task Case information leads us
Case Folder Structure
Additional folders: Reports, Conditions, Evidence
Doing Enterprise Sweep
General input • we need a list of targets
• we need rules to define responsive data
• we need general rules and guidelines
In the EnCase term list of IP addressee where
we have to install servlets and do sweep
conditions, keywords,
hashes what to do in the case of
failure, errors, location to store data, reports, tests, case name, etc
Sweep Enterprise Snapshot For Data Collecting
From Enscripts tab choose Sweep Enterprise
Definition of End Nodes for the Collection Sweep
In the sweep wizzard define nodes for the sweep
Adding IP Addresses Directly
List of end nodes can be added directly into wizzard, it is sometimes usefull shortcut
Running Sweep on the End Nodes
End nodes defined and approwed
Define the Type of the Sweep
Snapshot is mandatory •collects processes, users, etc
File Processor is our data collector
•collect files System info is optional
•slow process •collects machine info, mostly registry
What Snapshot Gets From End Node
•System info parser is optional •it will collect data about node from end nodes registry •to speed up this can be uncheked, but it is usefull to have that data
What Process and OS Data Will Get Collected
Snapshot – mandatory •some things which are more incident response than data collecting can be disalbled to speed up
Definition of File Collection Criteria
Metadata on files is default file atributes are collection criteria if uncheked only file metadata is collected
Entry Condition Defines File Attributes
File atributes as criteria for collection
Entry Condition Wizard
Conditions can be only typed or imported
Import Already Existed and Tested Condition
How to import already existing condition
Condition Folder in Case Place Where Conditions are Kept
Conditions sholud be named in meaningfull way
Collection Criteria
Collection entry condition is imported from previoulsy existing conditions be lasy and efficient •automate •use alredy tested and proofed code
Additional Element How to Handle Archives on the End Nodes
Default is : no going in into archives
Final List of End Nodes and Tasks to be Done in Sweep
Can be saved as part of documentation
Store Collection Parameters as One of Intermediate Reports
Usefull later for documentation, goes to case / report folder
Sweep is Running
• It can take a lot of time
• monitor status
• keep logs
• check the impact on the network and systems
• some automated tools
• case analyzer
• keep eye on console
• keep eye on disk sage and free space
Sweep Status
Refresh can be done automatically
Sweep Live Status
Live sweep status: end nodes status, modules, success or failure
Sweep Completed
One node has failed
Sweep Results in the Analysis Browser
Analysis Browser Enscript – all collected data from sweep (no file content)
Sweep Results Responsive Files in the Analysis Browser
All responsive files
Create an Status Report
There are alternative methods to create intermediate status reports
I prefer “Save as” in tab delimieted format Report goes into case report folder
In Our Procedure Repeat Sweep if Fails
Repeated sweep, now all endnodes are succesfull
Sweep Data Location
Stored in folder: case/ enscript/ sweep Enterpise/ Scan timestamp
L01 Collection Files – Sweep Result
Stored in the case enscript/sweep folder Named by reposnive end node Contains: •responsive files •snapshot data •add to case manually
L01 files –Data in the Case
Default view is snapshot view - records about end nodes
Getting to Responsive Files in L01
To get to file collector results go to “View Entries”
L01 File for End Node Responsive Files View
All responsive files from one end node
How to Create Cumulative L01 File
• All data are in case in node-name.L01 files – one for each end node
– to put all that into one file without snapshot data
• Condition will create result view – again already used condition can be applied
• From cumulative L01 and all necessary reports can be created – same data but easier to handle
In Entry View Use Condition
Already used condition (as collection entry condition)
Run Condition
Use it on “all evidence” on all L01 end nodes files in our case
Results
All resposive files as condition result
Bookmark if Necesary
Bookmark if needed, for reports etc
Good Practice: Name of Bookmark Folder on Sweep Name
Sweep name – bookmark folder name
Creating Cummulative L01 File From Condition Results
From all responsive files create L01 file
Create Cummulative L01 File Name it by Sweep Name
Name based on sweep, fill notes, goes to evidence folder
Create Cummulative L01 File Include all Needed
Include file data and metadata, close on finish is important
Create Cummulative L01 File L01 Format
Choose L01 if other forensic tools are used too
Good Practice: Remove all End Node L01 Files From Case
To avoid any duplications etc, remove all endnodes L01 and use only cummulative L01
Good Practice: Use Only Cummulative L01 File
In all further work use only cumulative L01 file, or even open new case
Structure of the Cummulative L01 File
whole logical structure contained also reposive file content
Just to Proof
Test with conditon to show all responsive files are here
Finishing
• Document everything
• Reports
• logs
• backup
• Store on encrypted media
• Remove forensically and wipe forensically all temporary and unwanted data and media
• Don’t forget to unistall servlets