Saturday, July 31, 2010

EnScript Programming Course in Melbourne, Australia

I just finished a second week of EnScript training in Melbourne, Australia with an Australian training partner named Invest-e-gate (website down for remodel at the moment). The founder of the company and I used to work together at Guidance a lifetime ago, but it was great to see him again and to find that he is staying on the cutting edge of things, just like usual.

It was a great group of students, very committed and interested in taking the use of EnCase to the next level through automation and getting some results and configurability that you can't get through the canned version of EnCase. It was amazing to spend two weeks in Australia in two separate cities but to have back-to-back classes with such committed and smart students. All of the students were able to get through the formal lessons quickly, so we spent a lot of extra time developing personal projects and ideas.

Many students had several great ideas on how to use the EnScript features, including sending lots of data from inside EnCase to a database and collecting the data from several different examiners. Another idea put to use by the students was to use EnScript to help categorize bookmarks (images) for quick triage.

If you rely on hashing a lot, an idea for thought is using the power of EnScript to *quickly* hash a small portion of each file (say 20 bytes) and then create a sub-set of "possible" matches. Then you can invest the time and effort in hashing the entire file programmatically. This can dramatically reduce the amount of time you spend doing hash comparisons, since generating the hash is the time-consuming part. Generating a hash of a small area of the file is way quicker and lets you reduce the pool of possible entries that may match your full-sized hash values, and therefore lets you spend a lot less time generating hashes on all the files.

If you do hash analysis a lot, you can also speed up your hash comparisons if you start collecting hash values and file sizes for each file you want to identify (NIST hash sets include file size). You can then use an EnScript to first look for files that are the same size as the ones in your list, then only hash those, since if the file size is different, the hash has to be different and there is no need to invest the time or computing power to hash it.
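The two-stage triage described in the previous two paragraphs (size filter, then a 20-byte prefix hash, and a full hash only for what survives), written out in Python as an added illustration rather than EnScript or any code from the course. The reference set, the sample files and the counters are all constructed here; note that a size or prefix match can only rule files *out*, so a hit is never reported until the full hash agrees, and that a prefix hash only helps when your own reference set carries one (the NIST sets carry size but no prefix hash, so for those only the size stage applies).

```python
"""Two-stage hash triage: size filter -> prefix hash -> full hash.

Added example; not EnScript and not from the post. Reference entries and
sample files are constructed inline so the script runs offline.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

PREFIX_LEN = 20  # bytes hashed in the cheap first pass, as suggested in the post


@dataclass(frozen=True)
class RefEntry:
    name: str
    size: int
    prefix_md5: str
    full_md5: str


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_reference(known: dict[str, bytes]) -> dict[int, list[RefEntry]]:
    """Index known files by size so the size check is a dictionary lookup."""
    index: dict[int, list[RefEntry]] = {}
    for name, data in known.items():
        entry = RefEntry(name, len(data), md5_hex(data[:PREFIX_LEN]), md5_hex(data))
        index.setdefault(entry.size, []).append(entry)
    return index


def triage(files: dict[str, bytes], ref: dict[int, list[RefEntry]]):
    """Return (matches, stats): matches maps a file name to the reference name
    it is confirmed against; stats counts how many files reached each stage."""
    matches: dict[str, str] = {}
    stats = {"files": 0, "size_pass": 0, "prefix_pass": 0, "full_hashed": 0}
    for name, data in files.items():
        stats["files"] += 1
        candidates = ref.get(len(data))
        if not candidates:            # stage 1: no known file of this size
            continue
        stats["size_pass"] += 1
        prefix = md5_hex(data[:PREFIX_LEN])
        candidates = [e for e in candidates if e.prefix_md5 == prefix]
        if not candidates:            # stage 2: prefix rules it out
            continue
        stats["prefix_pass"] += 1
        stats["full_hashed"] += 1     # stage 3: the expensive hash, only now
        full = md5_hex(data)
        for entry in candidates:
            if entry.full_md5 == full:
                matches[name] = entry.name
    return matches, stats


# Constructed sample data: two "known" files and four files to examine.
KNOWN = {
    "tool.exe": b"MZ" + b"\x90" * 198,          # 200 bytes
    "note.txt": b"hello world\n" * 10,          # 120 bytes
}
UNKNOWN = {
    "copy.exe": b"MZ" + b"\x90" * 198,                 # exact copy -> confirmed match
    "other.bin": b"PK" + b"\x00" * 198,                # same size, different prefix
    "patched.exe": b"MZ" + b"\x90" * 197 + b"\x01",    # same size and prefix, different tail
    "big.dat": b"\xff" * 1000,                         # no known file of this size
}


def run_demo():
    return triage(UNKNOWN, build_reference(KNOWN))


if __name__ == "__main__":
    found, counts = run_demo()
    print("matches:", found)
    print("stage counts:", counts)
```

On the constructed data only two of the four files are fully hashed, and only one is reported, because `patched.exe` shares size and prefix with `tool.exe` but not its full hash. The same structure scales to a real hash set: keep the size index in memory, and let the full-hash stage be the only part that reads whole files.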

We also spent some time discussing entropy and how to use that programmatically to identify files with different hash values, but with similar content, as well as using it to help find malware. Great stuff!
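To make the entropy discussion concrete, here is an added Python illustration (not course material and not EnScript) of byte-level Shannon entropy: a per-file score, a per-block profile, and a heuristic comparison that treats two files with different hashes as "similar" when their sizes and entropies agree. The thresholds for labelling a file as high or low entropy are assumptions chosen for the demo, and the sample files are constructed inline.

```python
"""Byte-level Shannon entropy for file triage. Added example, not from the post."""
from __future__ import annotations

import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = 256) -> list[float]:
    """Entropy of each fixed-size block, so a packed section inside an
    otherwise plain file still stands out."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def classify(entropy: float) -> str:
    """Assumed demo thresholds; tune them against your own corpus."""
    if entropy >= 7.5:
        return "high (compressed, encrypted or packed)"
    if entropy <= 1.0:
        return "low (padding or constant data)"
    return "medium (text or typical binary)"


def similar_by_entropy(a: bytes, b: bytes, tol: float = 0.1) -> bool:
    """Heuristic: same size and whole-file entropy within tol, even though the
    cryptographic hashes differ. A coarse pre-filter, not a proof of similarity."""
    if len(a) != len(b):
        return False
    return abs(shannon_entropy(a) - shannon_entropy(b)) <= tol


# Constructed samples.
TEXT = b"the quick brown fox jumps over the lazy dog\n" * 8
TEXT_EDITED = TEXT[:100] + b"X" + TEXT[101:]        # one byte changed: new hash, same entropy
UNIFORM = bytes(range(256)) * 4                     # every byte value equally often
PADDING = b"\x00" * 1024


def summarize(name: bytes, data: bytes) -> tuple[str, str, float, str]:
    e = shannon_entropy(data)
    return name.decode(), hashlib.md5(data).hexdigest(), round(e, 3), classify(e)


if __name__ == "__main__":
    for label, blob in [(b"text", TEXT), (b"text-edited", TEXT_EDITED),
                        (b"uniform", UNIFORM), (b"padding", PADDING)]:
        print(summarize(label, blob))
    print("text vs edited similar:", similar_by_entropy(TEXT, TEXT_EDITED))
    print("text block profile:", [round(x, 2) for x in entropy_profile(TEXT)])
```

Whole-file entropy is deliberately crude: a file that is mostly plain text with a small packed blob inside it averages out to "medium", which is why the block profile is kept alongside the single score.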

Here are a few cheesy shots from class in Melbourne.

Anyway, I am now back in Bangkok and I am planning on doing another EnScript course at the beginning of the year, hopefully in the Netherlands. If anyone else is interested in hosting a class, please let me know and we will see if we can pull off a course in your area. Meanwhile, back to work and hopefully some new upcoming blog posts & practicals!

If you are in and around Australia and need forensic training, I highly recommend invest-e-gate. State of the art training facilities and like I mentioned, they are doing some cutting-edge stuff in all areas of security & forensics.

Invest-e-gate Pty Ltd
+61 3 9016 4451

Friday, July 23, 2010

EnScript Programming Course in Sydney

It has been several weeks since my last post and I have been fairly busy, but I thought I would post a quick update.

I just finished an EnScript Programming course in Sydney, Australia. I have to say, the students who attended the course were very sharp. All of them immediately began to come up with ideas and ways to use EnScripts in their workloads.

A couple of ideas that came from the students were using an EnScript to parse through all the archive files and extract all the user-defined file types, such as JPGs, GIFs & PNGs, from inside the archives and then create a new LEF with just those files. The thought process was that sometimes the image you are examining has a lot of archive files and mounting them all at once is a memory/resource issue. By putting them all in a LEF, EnCase does not need to virtually reconstruct the archive in memory, so it's less of a resource problem.

Another idea was using an EnScript to access the Document view in EnCase and extract embedded graphics in office docs and other document types and then be able to export or collect those images separately to be able to quickly see the images that are embedded within files, without having to read the docs.

Brian Jones has come up with several EnScripts that have been posted to the Guidance support portal; you should check them out.

It was a great class and great students, very inspiring to see people coming up with new ideas to leverage the power of EnScripts. I am now off to Melbourne to teach another EnScript class there.

Here are a few pictures from class:

Computer Forensics, Malware Analysis & Digital Investigations
