Sunday, March 21, 2010

EnCase Portable device - Review

This blog post is a review of the EnCase portable device. I have had the chance to use the EnCase portable device for several months now, starting with the initial version that was released, but I finally got a chance to sit down and write a review. The current EnCase Portable version that is publicly available is v1.2.1, which was released November 2009.

The EnCase Portable kit consists of a small carrying kit, a HASP security key, the EnCase portable USB device (black) and a 16gb flash device that is used for the collected data (blue) and a IOGear USB hub:

The EnCase Portable device was released about a year ago and is designed to be deployed on a subject's computer to collect a predetermined set or types of files. The device works in one of two ways:

1. You can use the source processor EnScript to chose a predefined collection job (i.e. collect all documents) and then load the USB with this job. When the USB device is run on the target computer, the job is executed and the predetermined type of files are collected.

2. The second method is to insert the USB device on the target computer and choose the pre-determined job at the time of triage.

Method one would be for giving the device to someone who does not know much about EnCase or does not need to interact with the collection process whatsoever. Method two would be for someone with average knowledge of EnCase and could decide what types of files need to be collected at the time of collection in the field.

In addition to the two collection methods described above, the USB device can be used in one of three ways to perform the collection:

1. For computers that support booting from a USB device, you can insert the black USB EnCase portable device and boot directly to an operating system installed on the USB (BartPE-ish).

2. For computers that don't support booting to USB devices (older computers or BIOS is locked down), then you can boot from an included CD-ROM that contains a stand alone operating system and the necessary EnCase program.

3. You can insert the USB on a running device and execute the EnCase portable process directly from the USB while the computer is running.

The EnCase security key must also be connected to the target machine during the time of the collection. There are also three choices for storing the collected data:

1. You can store the collected data on the actual EnCase portable device itself. It is a 4GB flash device, so space is somewhat limited if your collection may contain a large number of files or large amounts of data.

2. You can use the included Kingston 16GB flash device (these devices are horribly slow).

3. You can use your own external USB device such as an external USB hard drive.

If you chose option #3, there is aVB script that is included on the Encase portable device that is intended to be used to prepare your own external USB storage device. There is nothing special about the preperation process, other than a certain folder path must be present. If it is not present. The EnCase portable program will ignore the external storage device and attempt to store the collected data on the EnCase portable device itself.  There is no limitation to the file system of the external storage device and it can be anything Windows can read & write to.

I highly recommend using option #3. If you have this device and are going to be doing collections, get yourself a high-quality large external USB storage device that is USB bus powered, i.e. 7200rpm Tri-Interface (USB/1394a/194b) hard drive (The EnCase portable kit does come with a power supply for the USB hub, which is not pictured above).

When you run the portable EnScript (EnPack), the following menu is displayed:

The lower portion of the window lists the pre-defined collection jobs. The only job not shown is "Create PII Report" which is available if you scroll down. Highlighting a job and clicking "Run Job" starts the collection of those types of files.

Unfortunately, there is no way to see what "Collect Documents Files" entails from here. You either have to know what kind of files that collection job includes from some type of external documentation or have run the job before to know what kinds of files it will collect. The same is true ofr all these jobs types. There is no way to see what "Picture files" entails. I can assure you, all the jobs are comprehensive in the types of files it collects, but there is no way to focus only on certain types of files, such as only .JPG or only .DOCX extensions. These jobs are statically defined and cannot be edited or changed.

Having experience in writing EnScripts, I see many ways to write some custom EnScripts that can be used on this device to collect or filter on any type of criteria. In other words, it would be simple to create a condition type interface that would let you select the types of files to be collected based on metadata, i.e. name, path, size, dates, etc. You could also include the ability to perform keyword searches to define which files to collect, which is not available in this version. The above described functionality is supposed to be available in the next release (v2.0), but I have not yet seen it.

I will mention that the EnCase security key is somewhat limited in that it is designed to only be used with the EnCase portable process. You cannot use this dongle to perform analysis of the collected data. Using EnCase with this security key will report "EnCase Forensic" on the Window title, but it will not display the structure of a loaded local devices and will report "None of the selected devices are available" if you try to load a standard evidence file. It is designed to be for collection only. I assume you could buy this product and get a cert file that is associated with your current EnCase dongle, but I don't really see an advantage.

If you have one of these devices, please feel free to comment below with your experience in using EnCase portable .

If you have one of these devices and want to try a custom built EnScript to collect data, please feel free to email me.

Monday, March 15, 2010

EnScript to export selected files & files based on condition criteria

Several months ago I created an EnScript that exports all the files based on a list of file extensions. The user can enter a list of extensions and any files that match the list of extensions, will  be exported to their original path. You can see the original post here.

I recently had a request for an EnScript to export all the selected files in the case and to maintain their original file paths and original timestamps. Below is the requested EnScript, which will export all the selected files to the case default export folder and maintain their original path and timestamps.

I then went ahead and modified it into another EnScript that will export files based on condition criteria. In cases where an investigator wants to export files based on metatdata, you can use this EnScript to filter and export only the files that match the condition criteria you define. In the example below, I defined two conditions to export files that have a file extension of "jpg" AND was accessed on or after 03/15/2010. You can define as many different conditions as you wish and use Boolean AND/OR/NOT logic to define your conditions.

The above condition will export all the files that have a JPG extension and we accessed on or after March 15, 2010. The files will be exported in their original file paths under the case's default export folder and the timestamps will be maintained.

Download "Export files based on Condition and maintain original path and timestamps"
Download "Export Selected Files and maintain path and timestamp"

Thursday, March 11, 2010

EnCase + F-Response + EnScript = very affordable network forensics & eDiscovery

Most of you are familiar with and have seen the numerous posts on various blogs & websites about the capabilities of F-Response. If you don't already own F-Response, you should go here first!

I don't work for F-Response or Guidance Software, nor do I have any financial interest in either of their successes. I have been using EnCase for many years and have "cut my teeth" using EnCase, so it's one of the primary tools I use. But I cannot personally afford EnCase Enterprise, so I am always looking for alternative ways to perform "Enterprise-wide" forensics. Enter F-Response.

F-Response really helps bridge the gap of available affordable tools that enable an examiner to do network based forensics or remote collections. The only limitation with F-Response was that you really could not automate F-Response in an unattended fashion and have it work together with EnCase, until now :))

Matthew Shannon at F-Response has released a version of F-Response Enterprise that now contains a scriptable object. That object can be controlled by any program that supports COM. So basically, using the standard off-the-shelf version of EnCase Forensic, you can automate the remote connection, analysis and collection of whatever data you want, based on whatever criteria you wish via EnScript.

Below is a fully functional proof-of-concept EnScript that works with the new version of F-Response Enterprise Edition. Requirements:

You need EnCase Forensic version or Law Enforcement version (not Enterprise)
You need the most recent version of F-Response Enterprise version (download page of and the new F-Response scriptable COM object.

To make this POC EnScript work, you need to have the latest version of F-Response Enterprise installed and the basic configuration information completed in the FEMC. Below is an example of the required information that needs to be set in the FEMC:

Once you have this information configured, you do not need the FEMC running, but you do need the F-Response License Manager running and your F-Response dongle connected.

Once you have the above completed, you can open EnCase and run the EnScript below. It will ask for the credentials for the remote machine. The credentials are used to install, start, stop and uninstall the F-Response client on the remote machine, just like if you were doing this manually in the FEMC. The F-Response client does not neet to be installed and/or running already. Specify a remote IP address (or several) then click "OK":

This POC EnScript is specifically designed to search all the remote IP addresses (or machine names) and find a specific file named "F-Response_text.txt" (case sensitive) on the remote machine. If the file is found, EnCase will print out the full path, logical size and created date in the console. This is just a basic POC to demonstrate the capabilities, but the possibilities are endless. You can do *anything* you could normally do while looking at a local disk or evidence file in EnCase. Want to connect to a list of remote machines and collect certain files that match certain criteria? i.e. size, extension, location, whatever? No problem, it can now be done programmatically.

If you were starting from scratch and didn't have either of these tools, the total price to get the tools would be about $8,500. The great thing is both of these are already widely used and owned by many people. You may not have the Enterprise version of F-Response, but you can upgrade to that and have this capability for just a few thousand dollars.

If you are interested in beta testing a full version of the EnScript that collects files based on user-definable criteria, send me an email at beta(at) with "beta test" in the subject line.

Download Here

Tuesday, March 9, 2010

How do you extract information from 45+ cellphones quickly? --> Cellebrite UFED

Scenario: You have a limited amount of time and need to extract information from 45+ cell phones.

Solution: Cellebrite UFED.

First, let me say that I have no relationship or financial interest in Cellebrite, I am merely a user of various cell phone and forensic tools. But after using many of the different tools, Paraben, BitPim, XRY, XACT, Neutrino, DataPilot, Wolf, CellDek, I cannot imaging doing multiple cell phones in a rapid fashion without the CellBrite UFED. This does not mean I would not use other tools in other scenarios, but in this scenario, I needed to do it quickly and with minimal external power. Therefore the Cellebrite UFED worked perfect for this scenario.

All of the above mentioned tools are good, and some of them even extract more information or work with phones that Cellebrite does not work with, but 9 times out of 10, the Cellebrite not only handles the phone, but I can do it in a fairly rapid manner. This review is specifically about the Cellebrite UFED ruggedized model.

The cost of the ruggedized version is a few thousand dollars more than the standard UFED.

Internally, the device is identical to the standard UFED, but externally it has a rubberized protector around the device. It makes the device a little bigger and heavier, but still fairly small and usable. The device has all the same external connectors and ports as the standard UFED. The power supply provided with the UFED device is a a 100-240v power supply designed to work in various countries and power sources.

Software updates:
The Cellebrite company has done an excellent job is keeping the UFED and UME devices as capable as possible by releasing frequent updates. Getting the updates is very simple, you can download the base images from their website. The application update of the UFED device requires a free account be created on their website. All that is needed is the device serial number and device ID, both of which can be obtained from the device's display.

The Ruggedized UFED comes with an integrated battery pack. This allows the UFED to be used in the field with no external power. The battery lasts a fairly long time. In the scenario above, it took a few hours to process all the phones and SIM cards, all of which were done on a single battery pack. An extra battery pack is provided and can be quickly switched out to provide extended operational time.

The Ruggedized UFED also comes with a battery pack for use with phones. The pack is a rechargeable battery pack that comes with numerous phone tips in order to fit a wide range of phones. This allows a user to not only power the UFED device (attached battery pack), but also power the phone that needs to be examined when the phone is dead.

All the UFED devices come with a large collection of cables that fit most of the most common phones types. They are all clearly marked with a unique cable number.

Examination Process:
There are essentially three areas of information to collect when doing a cell phone examination:

1. Phone
2. SIM
3. Media Card (if applicable)

Collecting information from the phone itself requires knowing the phone model and that the Cellebrite device supports that specific model and firmware. I have encountered several phones that are "knock-offs" of the original, specifically Nokia & Apple models, that have normal markings and model numbers, but are Chinese made counterfeits and do not have the same internal firmware as the originals, therefore the UFED device (or any other forensic device) does not work.

In cases where the phone model can be determined or known, the UFED device will tell you exactly what cable number to use and then extract whatever information it can from the phone. Depending on the phone model, the UFED device can typically get at the minimum, contacts, SMS messages & call logs (incoming, outgoing & missed). In other cases, it can typically extract multimedia (videos, photos, ringtones) files from phones that support multimedia.

In a limited number of models, if a SIM card is in the phone, The UFED will also extract information from the SIM card at the same time. In most models though, you need to remove the SIM card and process it separately in the SIM card reader at the bottom of the UFED device. This also depends on whether you want the phone to be able to connect to the network while you process it or if you have a Faraday bag or jammer. If not, then you will want to remove the SIM card and process it separately to avoid the phone from connecting to the cell network.

On some phones, the UFED device will need to install a client application. The UFED device will "push" the application to the phone when it is connected and then you will need to manipulate the phone (install) to get the client installed. Don't forget to delete the client after extraction, as the UFED does nt do this automatically.

Lastly, you may want to process the media card separately. The UFED device can pull multimedia files from the media card of most phones, but if the media card contains other non-multimedia filetypes (doc, exe, zips, etc.), then you will not see those files. I typically image the entire media card separately using a write-blocking device/software and imaging software on a laptop.

PIN locked SIM cards are still not able to be processed unless you can unlock it prior to processing.

One of the best features of the Cellebrite device is the ability to write the extracted data to a USB device (FAT). This allows quick collection and then the USB device can be given to another investigator for review or processing.

Photos of the UFED Ruggedized Model:

The front view
SIM reader at the bottom of the device
SOURCE (left) side of the device
TARGET (right) side of the device
Top view of the device, for connection to the Cellebrite manager program and network
Right side view of battery pack, switch if for charging or battery use, the LEDS are for battery level display
External phone power supply kit
External phone supply kit
Complete kit with cables, device and external phone power supply

Complete kit with cables, device and external phone power supply

Sunday, March 7, 2010

Updated Office 2007 Metadata EnScript

Awhile back I wrote an EnScript to bookmark and log all the metadata from Office documents and Excel spreadhseets. The EnScript is using the EnCase internal function to view compound OLE files and just recurses all the evidence and collects all the metadata for quick reporting. You can see the original post here.

I have updated the EnScritpt to now report the metadata in Office 2007 file (docs and xls). The data is now stored in XML and is parsed and reported the same way as the classic Office documents.

This version prints the results to the console, a local text file and a bookmark, if that option is selected.

Download Here

Saturday, March 6, 2010

EnScript to export all files based on condition criteria

I frequently have a need to export various file types for review or to pass on to a third party.

This EnScript was designed to quickly define what files will be exported based on entryclass criteria, i.e. name, path, extension, etc. When you run the EnScript, a familiar condition window will appear that will allow you to define whatever criteria you want to use to select the files to be exported.

The image below is a simple example to export JPG, JPEG files that only have a signature match:

The files will be exported into a subfolder of the case export folder grouped into subfolders based on the device it came from in case you have multiple devices loaded. Each file type, based on extension, will then be placed into a respective subfolder named after the extention.

 Download Here

Triage Media

Recently, I had a need to quickly collect some files of interest from a hard drive. I had limited time and I was really not concerned with deleted data, only logical files that existed. I manually created a LEF with the areas that interested me, but I then began to think about those areas where people are most likely going to collect artifacts from in a quick triage process.

I came up with (5) five distinct areas on a volume:

User profiles (\Documents & Settings or \Users)
Recycle Bin
System Volume Information
Registry (\Windows\System32\Config)
Program Files

So I built a triage EnScript that contains options to collect data from each of these areas in an automated way.

On the left, there are the five options I mentioned above, then on the right, there is a sixth option, which is a kind of "catch-all" for other areas. The first five options on the left collect *ALL* files, regardless of extension from each respective area. The sixth and final option can be limited by extension and includes those paths that are not already collected in the previous five options.

My purpose of writing this was to have a relatively quick automated way to collect user data from any attached/previewed media and then have that data placed into a logical evidence file in a logical manner that made sense later if I collected data from several pieces of media.

The help button explains each of the options:

Running the EnScript with each of the options will result in up to (6) six LEF files being created for each volume, one for each option, depending on whether that path is present. You can then examine those LEF files as time permits. Obviously the time to process each option is dependant on the amount of data that may or may not be in a specific area.

Download Here

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles