View RSS Feed

JDMurray's Blog at www.TechExams.Net

Notes on the Preview of EnCase Version 7

Rate this Entry
by , 03-27-2011 at 07:41 PM (12118 Views)
I just attended a preview presentation of EnCase version 7, which is due to be released by CEIC 2011 in May 2011. Although v7 is still about two months away from launch, and not 100% finalized, the preview I saw gave an excellent working demonstration of what EnCase v7 is capable of and how it improves over EnCase v6.

People who are not familiar with EnCase will not find this write-up very interesting, and are probably better off to have a look at EnCase v7 a few months after the product launch (say, around release v7.02). People who are EnCase v6 users, however, will be very interested in the improvements found in EnCase v7 and how it removes several of the v6 features that have pained you for so long.

Oh—for those of you wondering when the EnCase Certified Examiner (EnCE) certification will switch to EnCase v7, that will probably happen about six months after the release of EnCase Forensic v7. In a related note, the 3000th EnCE certification was just awarded.

Here’s a few things I picked up from the preview:

EnCase v7 will be available in only two product releases: Forensic and Enterprise. Both share the same code-base. The only difference is that Enterprise can work across a network while Forensic is for local workstation-use only.

It will be possible to run multiple instances of v7, and run both v6 and v7 simultaneously.
Encase v7 includes built-in support for Smart Phones. In fact, v7 is meant to support any device with an operating system.

The new EnCase v7 GUI is very different from the v6 GUI. The v7 GUI is designed for both users experienced with investigations and users new to investigations that need guiding through the steps of evidence processing.

The v7 GUI workflow is modeled after process-driven forensics. The processing of cases is expedited using standardized procedures for performing as much as 80% of the processing work that is repeated in every case. Procedure-driven processing takes the place of wasting time by “poking around in the evidence.”

EnCase v7 opens to the Home window with Evidence, Search, Browse, and Report sections.
Start by creating a new case or open an existing case.

No more manually creating the case folder hierarchy. The folders for storing .E01 files, exported data, etc. are created automatically.

The only folder locations the user specifies is for the case folder and local evidence folder (these are typically the same folder).

A global evidence folder can point to a single piece of evidence in a network share and be worked on by multiple examiners.

Derivative evidence can be pulled from the global evidence folder into the local evidence folder for a case.

The Evidence tab is very reminiscent of the EnCase v6 GUI. Old timers will use this tab to poke around with evidence as they did with EnCase v6. Tree view in left pane, column pane to the right, etc.

The automated Process Evidence feature performs common evidence preparation based on the case type (fraud, child pornography, etc.)

Acquiring images is under Processing Evidence.

Acquiring to multiple devices simultaneously is now possible by specifying an alternate path.
Exports and reports are stored in a B-trieve database.

The v6 multi-level toolbars are gone. They have been flattened to a single line and combined into top-later menus. (I don’t think anyone will miss those.)

Home plates and blue checks are still there; blue checks will now work outside of bookmarks.
Mounted compound files (ZIP, RAR, registry archives) in v6 would loose bookmarks when unmounted. Compound files are automatically expanded in v7 and bookmarks are preserved.
Breadcrumb navigation will (eventually) be supported, allowing users to backtrack through their use of the EnCase v7 GUI.

Process bars are still in the lower right corner, but no time-to-completion is estimated is present (it was determined estimates were too inaccurate on Windows).

Right-click context menus are still present and have been expanded using information “hover boxes” found in Office 2010.

File hashing is faster and more efficient. The Manage Hash Library interface can import a variety of hash set formats. Hashing can use tags to hash only files with a specific tag, or to automatically tag files that match a specific hash.

Indexing and searching are greatly improved:
  • Improved indexing algorithm (indexing requires only 25% of the time it does in v6)
  • Control searching using logical operations (AND, OR, NOT), stemming, and fields.
  • GREP has been replaced with LexisNexis searching (e.g., Find every occurrence of “Bob” OR “Carol” within five words of “Ted” AND “Alice”).
  • All indices and search results are stored in a (B-trieve) database for fast query and retrieval.
Processing modules are used to provide specialized, built-in evidence processing functionality, such as recover folders, file signature analysis, thread email, find Internet artifacts, read ext4 or hpfs volumes, etc.

Processing modules are run in the order specified by the user.

Modules are written in EnScript.

Just as writing EnScripts has become a cottage industry, so will creating EnCase v7 processing modules.

Results and Records tabs are where most results are displayed (v7 is heavily reliant upon records).

The operation of EnCase v7 will be multi-threaded, which allows several operation to occur (seemingly) concurrently. This should eliminate the “white title bar” and “white window” effects that occur when an operation stalls the single-threaded GUI of EnCase v6.

The maximum number of creatable threads is user selectable, with five being the default.

Tagging is used to logically label case information, such as files and specific search terms.
EnCase 7 can (almost) write your reports for you:
  • Reporting is considered right from the start of the case.
  • Reporting template are used to specify the case information that are included in a standardized report for the case.
  • Custom tags are used to embed information into generated reports.
  • Custom tags allow agency-specific information to be created. No longer are forced to use “examiner” when you are an “analyst.
  • Working with multiple pieces of evidence within a single case is much easier.
The document creation tool is compatible with the OpenDocument standard used by OpenOffice, KOffice, StarOffice, IBM Workplace, and Microsoft Office (2007 SP2 and later).

Evidence file have changed in EnCase v7 such that:
  • the file extensions add an “x” (.Ex01, .Ex02, etc.); reading and writing the .E01 format is still supported.
  • they support hashing using MD5, SHA1, or both.
  • they may be compressed or uncompressed; there are no levels of compress to select.
  • they are always encrypted using AES-128 (which was determined to be much faster than AES-256).
  • the encryption key must be specified when evidence file is created, and exported with the evidence files.
  • they can be password-protected; this password is not used to encrypt the contents of the file.
EnCase v7 will be Microsoft-certified, while EnCase v6 never has been.

FastBloc SE is still supported in v7 (whether you trust using it or not).

EnCase will use the CmStick USB dongles from CodeMeter. These dongles are more robust (resistant to breaking) than the dongles used with EnCase v6. CmSticks also remain un-cracked (for the time being).

All of the features described will be in EnCase Forensics release 7.01. Within three months of the 7.01 release, 7.02 will be released with more features. EnCase Enterprise will be the 7.03 release. A new release is planned for every six months thereafter.

There should not be a significant price increase of EnCase v7 over v6.

If you are current on your SMS, EnCase v7 will be just another update.

And did I mention that those multi-layer toolbars are gone?

**UPDATE (04/02/2011):**
EnCase 6 EnScripts are not directly portable to EnCase 7. Changes were made to EnScript 7 that are not backward-compatible to EnScript 6. There will be an EnScript to analyze an EnScript 6 script and flag any parts of the code that require changing to run in EnCase 7.
The EnCase 6 .ini files used for storing settings, keyword lists, etc. have been replaced by (btrieve? sqlite?) database files.



Total Trackbacks 0
Trackback URL: