Whitepaper ENCASE PROCESSOR HARDWARE AND CONFIGURATION RECOMMENDATIONS

Transcription

1 Whitepaper ENCASE PROCESSOR HARDWARE AND CONFIGURATION RECOMMENDATIONS

2 ABOUT THE EVIDENCE PROCESSOR With the EnCase Evidence Processor, digital investigators may execute powerful analytic methods against evidence in a single automated session. While running this multi-threaded process, the Evidence Processor optimizes the order and combinations of processing operations, ensuring the most efficient execution path is taken. Examiners can work on other aspects of their case while the Evidence Processor, running unattended, processes data. The output of the Evidence Processor is stored, per device, on disk, instead of memory, so that multiple devices can be processed simultaneously across several computers, and compiled into a case, without the data commingling. The Evidence Processor contains numerous useful features: Acquiring devices directly from the Evidence Processor Processing, with limited options, local and network previews without acquiring the devices Saving sets of Evidence Processor options as templates to be run with little or no modification later On-screen instructions that guides you through the use of each setting Automatic processing of the results from any current EnScript modules, according to the current processor settings (Index, Keyword search, etc.) Prioritized processing for timely review of documents, pictures or evidence within specific time range Expose OS specific artifacts through use of the Linux, Windows and OS X artifact parsers The Evidence Processor may be used within a single installation of EnCase, and multiple EnCase Processors may be easily assembled into a processing grid, using EnCase Processor Manager to distribute, prioritize and coordinate processing across any number of Processor Nodes. Guidance Software recommends running the Evidence Processor after performing an initial triage of your evidence, validating the data for browsing, and setting the time zones. EVIDENCE PROCESSOR OPTIONS Recovering Folders Recover Folders attempts to recover files from FAT and NTFS volumes. This operation is particularly useful when a drive has been reformatted or the MFT is corrupted. Prioritization When artifacts like Documents, Pictures or entries falling within a specific date range are of critical importance, Prioritization may be used to implement multiple stages of processing. When specified, prioritized artifacts are processed in a first stage, and are made available for examination once all prioritized artifacts are processed. When all artifacts in the first stage have been processed, all other artifacts are processed in a second stage. File Signature Analysis A common technique for masking data is to rename a file and change its extension. For example, image files might be renamed so that they look like dynamic-link library files. Signature analysis verifies file type by comparing the file headers, or signature, with the file extension. The signature analysis process flags all files with signature-extension mismatches according to its File Types tables. Signature analysis is always enabled so that it can support other Evidence Processor operations. 2

3 Protected File Analysis Protected file analysis uses Passware Forensic technology to identify and classify protected files. The strength of the protection is stored so that you can try to decrypt weaker passwords with Passware Forensic before addressing files with more complex protection. Thumbnail Creation When you select the Thumbnail creation option, the Evidence Processor creates thumbnail records for all image files in the selected evidence. This facilitates image browsing. Hash Analysis A hash is a digital fingerprint of a file or collection of data, commonly represented as a string of binary data written in hexadecimal notation. In EnCase, it is the result of a hash function run against any mounted drive, partition, file, or chunk of data. The most common uses for hashes are to: Identify when a chunk of data changes, which frequently indicates evidence tampering Verify that data has not changed, in which case the hash should be the same both before and after the verification Compare a hash value against a library of known good and bad hashes, seeking a match. The Evidence Processor supports calculation of MD5 and SHA1 hashes. Recommendation Guidance Software recommends that you calculate hash values. This enables exclusion of known hashes from Indexing and Keyword search, speeding up overall processing time. Expand Compound Files For archive files, Expand Compound Files extracts compressed or archived files, and processes them according to the selected Evidence Processor settings. This includes nested archive files or zip files within a zip file. For example, if the Thumbnail Creation module is selected with Expand Compound files, any Thumbnails residing within expanded archives will also have thumbnails created. Find Select this setting to extract individual messages and attachments from archives. Find supports the following types: PST (Microsoft Outlook) NSF (Lotus Notes) DBX (Microsoft Outlook Express) EDB (Microsoft Exchange) AOL MBOX EMLX (Apple Mail) This setting prepares archives for the use of threading and related EnCase functionality during case analysis. After extraction is completed, EnCase analyzes the messages and component files extracted from the archives according to the other Evidence Processor settings you selected. 3

4 Find Internet Artifacts This setting identifies internet artifacts, such as browser histories and cached Web pages. You can optionally examine unallocated space for artifacts, as well. Search for Keywords Keywords are text strings or search expressions created to find matching text within entries in a body of evidence. A search expression can be a GREP expression, containing variables, and it can be flagged to be case sensitive, a whole word search, or other options. You can also associate a particular codepage to use with a keyword. Keyword searches created and conducted from within the Evidence Processor are stored with the device s evidence cache files, and can be used with any number of cases. Keyword searches that are not initiated from the Evidence Processor are stored with the case and are case-specific. Index Text and Metadata Creating an index allows you to quickly search for terms in a variety of ways. Since the Evidence Processor is recursive, all files, s, and module output are indexed, including such EnScript modules as the IM Parser and System Info Parser. The advantage of having these items indexed is that you will later be able to search across all types of information and view results in , files, smartphones, and any other processed data in one search results view. Compared to keyword searches, which search raw text as it exists on disk, index searches search the content and metadata for file system entries, records, and other artifacts on the device. Index Personal Information When creating an index of case data, select Personal Information to additionally identify and include the following personal information types. Credit cards Phone numbers addresses Social security numbers Index Text in Slack and Unallocated Space As you select options for indexing evidence such as files and s, you can choose to include text identified in RAM slack, file slack, disk slack, and unallocated space. Run EnScript Modules The EnCase Evidence Processor has the ability to run add-in modules during evidence processing. Some modules ship as part of EnCase, and you can also add your own EnScript packages. The Evidence Processor supports the following EnScript Modules. System Info Parser The System Information Parser module identifies hardware, software, and user information from Windows and Linux computers. This module automatically detects the operating system present on the device, and collects specified artifacts describing the machine. IM Parser The IM Parser module searches for Instant Messenger artifacts from MSN, Yahoo, and AOL Instant Messenger clients. These artifacts include messages and buddy list contents. It also allows you to select where to search from several general location categories. 4

5 File Carver The File Carver module searches evidence for file fragments based on a specific set of parameters, such as known file size and file signature. File Carver may examine unallocated space, as well as search for file fragments anywhere on the disk. The File Carver generates a report of carved files on disk by default and can optionally be configured to export carved artifacts to disk for external review or production. Windows Event Log Parser This module parses.evt and.evtx files for Windows Event Logs, and also allows for processing by condition. Windows Artifact Parser The Windows Artifact Parser searches for common Windows operating system artifacts of potential forensic value, and parses them through a single module. Artifacts of interest include Link files, Recycle Bin artifacts, and MFT transaction logs. With these artifacts, you can elect to search unallocated, all files, or selected files. OS X Artifact Parse The OS X Artifact Parser searches for common OS X operating system artifacts of potential forensic value, and parses them through a single module. Artifacts of interest include XML and Binary Property Lists, Apple System Log files. The OS X Artifact parser collects and parses artifacts on user accounts, recently opened files, as well as operating system installation and configuration information. UNIX Login This module parses files with the names wtmp and utmp, but also allows for processing by condition. Linux Syslog Parser This module parses the Linux system log files, which have different names and locations, depending upon the type of Linux used. 5

6 HARDWARE AND CONFIGURATION RECOMMENDATIONS Following are the recommended specifications for a computer that will be performing processing with the Evidence Processor or the standalone EnCase Processor. If you have the ability to exceed these specifications, the recommendation is to increase the speed of the Primary Evidence Cache. Component Memory Storage Drives CPU Operating System Specifications 16GB Drive 1: Operating System and page file Drive 2: Evidence Drive 3: Primary Evidence Cache. Intel i7 Quad-core Windows 7 (64-bit) or Windows Server 2008 R2 (64-bit) GET GUIDANCE As regulators increase their expectations about each enterprise s abilities to investigate events, you must ensure you are prepared when an investigation is required. A common investigation infrastructure built on EnCase Enterprise will stand up to the scrutiny of your regulators, auditors, and legal system while reducing the cost and risks of compliance investigations. Enabling the three capabilities required by the major compliance regulations and frameworks policies, tools, and response tactics EnCase Enterprise makes it easier to perform consistent and reliable investigations. You can deploy it overtly, to show due care and encourage compliance, or covertly, to perform silent analysis on demand. As it enhances, structures, and documents the procedures in each investigation, it frees your limited resources to handle the analysis and interviews that require the human touch. 6

7 ABOUT GUIDANCE Guidance exists to turn chaos and the unknown into order and the known-so that companies and their customers can go about their daily lives as usual without worry or disruption, knowing their most valuable information is safe and secure. The makers of EnCase, the gold standard in forensic security, Guidance provides a mission-critical foundation of market-leading applications that offer deep 360-degree visibility across all endpoints, devices and networks, allowing proactive identification and remediation of threats. From retail to financial institutions, our field-tested and court-proven solutions are deployed on an estimated 33 million endpoints at more than 70 of the Fortune 100 and hundreds of agencies worldwide, from beginning to endpoint. Guidance Software, EnCase, EnForce and Tableau are trademarks owned by Guidance Software and may not be used without prior written permission. All other trademarks and copyrights are the property of their respective owners.