Friday, May 17, 2013

EnCase EnScript to automate Internet Evidence Finder (IEF) for EnCase v6 & v7


In an effort to try and make the workflow easier for examiners, I have developed an Internet Evidence Finder EnScript for use with EnCase® v6 & v7. The goal of this EnScript is to make it easier for the examiner to launch an artifact search from within EnCase while they may be analyzing their case. IEF will run in the background and provide a familiar search status screen while it is searching and the examiner can continue working on their case in EnCase.
Once completed, the artifacts will be held in an IEF case file, just like if you had launched IEF the traditional way. In addition, once IEF has completed the search for artifacts, the EnScript provides the ability to copy the found artifact information back into EnCase as record data or into an Excel spreadsheet for additional review.
To install, simply copy the “Internet Evidence Finder.EnPack” to the appropriate folder, depending on the version of EnCase you are using. For EnCase v6 the typical location is:
C:\Program Files\EnCase6\EnScript\
or
C:\Program Files (x86)\EnCase6\EnScript\
For EnCase v7, the location typically is:
C:\Program Files\EnCase7\EnScript\
or
C:\Program Files (x86)\EnCase7\EnScript\
To run in EnCase v7, Choose “EnScript->Run” from to top menu bar, then select the EnScript (EnPack) you just copied into that folder.
For EnCase v6, double-click on the “Internet Evidence Finder” EnScript listed in the filter pane (lower-right).
Once the EnScript is run, you will be presented with the following dialog:
Enscript Main Dialog
The first option equates to the “Search Type” option in IEF and defaults to “Full”. In the EnCase v7 EnScript, you are presented with three export options; None, EnCase Records or Excel Spreadsheet. These options do not exist in the EnCase v6 EnScript. “None” means the data found by IEF will be stored inside an IEF case file and can always be viewed by using IEF. The “EnCase Records” option means a copy of the found data will be exported from IEF and placed inside the EnCase Records tab for the current case. The last option of “Excel Spreadsheet” means a copy of the found data will be exported from IEF and placed inside an Excel Spreadsheet with each artifact type getting its own worksheet. The IEF case file and data are created and stored in the case’s default export folder.
The next option determines if you want the EnScript to automatically launch the IEF viewer and load the found artifacts so you can immediately review them in IEF.
The fourth option determines the types of artifacts you want IEF to search for.
Any text in the case notes is automatically transferred to IEF and entered into the IEF Case file. In addition, the examiner name and evidence number (EnCase v7) are automatically pulled from the EnCase case information when the case was initially created.
The final two options specify where the IEF.EXE and IEFRV.EXE files are. These two files are needed in order to launch IEF in the background and later load the case data, if selected. Once initially entered, this information remains each time you run the EnScript.
Once you click “OK”, you are presented with an evidence list where you can select which pieces of evidence you would like to process.
Evidence to process
Once run, IEF will launch in the background and process all the evidence files you selected. An IEF status screen will be displayed:
Search Status
If you selected the option to have IEF Report Viewer launch, the case will be automatically loaded and displayed in the report viewed once complete.
Report Viewer
If you chose the export option to have the data exported into EnCase Records, you will see this from the Evidence pane in EnCase v7:
Report Viewer
Clicking on that LEF will load the records in the records tab of EnCase:
Records Loaded
You can then view the found IEF artifact data the same way as you view other data stored in the EnCase Records structure and build custom filters/conditions to identify specific artifacts. You can always view the IEF data natively in IEF Report Viewer by double-clicking the IEFv6 case file stored in the default export folder of the case.
If you chose the “Excel Spreadsheet” export option, Excel (required) will automatically start and display the artifacts with each category of artifact on a separate worksheet. By default the XLS file is automatically saved in the default export folder of the case along with the IEF case file and other associated data.
Excel Spreadsheet

As always, if you have any comments, suggestions or questions,
you can contact me directly at: lance (at) magnetforensics.com


Computer Forensics, Malware Analysis & Digital Investigations

Random Articles