2. Introduction
• Data collection can be done automatically in EnCase Enterprise
• Requires a lot of hand work and good planning
• This presentation puts together information from various sources and manuals
– Lance Mueller's blog,
– EnCase presentations and manuals,
– blogs
3. EnCase Enterprise Components that Enable Forensically Sound and Secure Network Investigations
The SAFE (Secure Authentication For EnCase®)
• Authenticates users, administers access rights, retains logs of EnCase transactions, brokers communications and provides for secure data transmission
• The SAFE communicates with Examiners and Target Nodes using encrypted data streams, ensuring no information can be intercepted and interpreted
The Examiner
• Installed on a computer where authorized investigators perform examinations and audits
• Leverages the robust functionality of Guidance Software's flagship EnCase Forensic Edition product, with network-enhanced capability for security and administration
The Servlet
• A small, passive software agent that is installed on network workstations and servers
• Connectivity is established between the SAFE, the Servlet, and the EnCase Enterprise Examiner to identify, preview, and acquire local and networked devices
Enterprise Concurrent Connections
• Enterprise Concurrent Connections are secure parallel connections established between the Examiner and the servers, desktops or laptops that are being searched or investigated
Snapshot
• The “Snapshot” technology enables the user to scan thousands of computers to detect, collect, preserve and remediate any network intrusion on an enterprise-wide scale
4. How the EnCase Enterprise Components Fit Together
[Diagram: Servlets installed on computers, connected to the SAFE and the Examiner]
5. Sample Deployment Topology
[Topology diagram: Main Office A, Main Office B, Company Headquarters and Branch Office connected over a WAN; elements shown at the sites are Target Nodes, Examiners, SAFEs and an Aggregation Database]
6. How EnCase® Enterprise and EnCase eDiscovery Integrate With the Target Network
A Rich Man's Solution
7. What We Need
• EnCase Enterprise v7
– SAFE and Examiner (both on the same machine in the basic setup)
• Requires a lot of hand work and good planning
– task definition, plans, etc
• As usual in EnCase Enterprise, we need
– an open case
– a user logged into the SAFE with appropriate rights (role)
8. Entry Level EnCase Enterprise System
[Topology diagram: Main Office A, Company Headquarters and Branch Office connected over a WAN; Target Nodes at each site; one combined SAFE/Examiner host with additional storage]
SAFE / Examiner
• on the same machine
Servlet
• on each end node
Enterprise Concurrent Connections
• control the number of parallel accesses
9. Task
• Collect all pdf, doc and docx files from two machines defined by IP address
• Scope
– a set of IP addresses
• Collection rule
– if the file extension is pdf, doc or docx, collect the file and its metadata
• Procedure
– if a node fails, do another try
– create a report with the list of responsive files
10. Login Into EnCase Enterprise
1) choose user
2) choose SAFE
3) choose role
11. Creating a New Case
The case name is important; this one gives us a hint about the task
Case information leads us
13. Doing Enterprise Sweep
General input
• we need a list of targets
– in EnCase terms, a list of IP addresses where we have to install servlets and do the sweep
• we need rules to define responsive data
– conditions, keywords, hashes
• we need general rules and guidelines
– what to do in the case of failure or errors; the location to store data, reports, tests, case name, etc
18. Define the Type of the Sweep
Snapshot is mandatory
• collects processes, users, etc
File Processor is our data collector
• collects files
System Info is optional
• slow process
• collects machine info, mostly registry
19. What Snapshot Gets From End Node
• System Info parser is optional
• it will collect data about the node from the end node's registry
• to speed up, this can be unchecked, but it is useful to have that data
20. What Process and OS Data Will Get Collected
Snapshot – mandatory
• some things which are more incident response than data collection can be disabled to speed up
21. Definition of File Collection Criteria
Metadata on files is the default
File attributes are the collection criteria
If unchecked, only file metadata is collected
25. Condition Folder in Case
Place where conditions are kept
Conditions should be named in a meaningful way
26. Collection Criteria
The collection entry condition is imported from previously existing conditions
Be lazy and efficient
• automate
• use already tested and proven code
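The task on slide 9 (collect pdf, doc and docx files from nodes given by IP, retry a failed node, report the responsive files) and the collection criteria on slides 21 and 26, carried through in Python as an added example. This is not part of the original presentation and not EnCase's own EnScript: the IP addresses, the two temp directories standing in for end nodes, and the "flaky servlet" that fails once are all constructed. The point a practitioner should take from it is that the rule is an exact extension match (case-insensitive), every collected file keeps its metadata plus a hash for later integrity checks, an unreachable node is reported as a failure rather than as zero files, and the report is written as tab-delimited rows.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import Path

# Collection rule from the task slide: responsive when the extension is pdf, doc
# or docx. Compared case-insensitively, so SCAN.PDF is responsive as well.
RESPONSIVE_EXTENSIONS = {".pdf", ".doc", ".docx"}


@dataclass
class CollectedFile:
    """Metadata kept per responsive file; the hash lets a reviewer verify later that the preserved content is unchanged."""
    node: str
    path: str
    size: int
    modified_utc: str
    sha256: str


def is_responsive(path):
    return Path(path).suffix.lower() in RESPONSIVE_EXTENSIONS


def collect_node(node_ip, root):
    """Walk one end node (a local directory stands in for the servlet's view of the node)
    and return metadata for every responsive file. An unreachable root raises instead of
    silently reporting zero files."""
    root = Path(root)
    if not root.is_dir():
        raise OSError(f"{root} is not reachable")
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if not is_responsive(full):
                continue
            st = full.stat()
            found.append(CollectedFile(
                node=node_ip,
                path=full.relative_to(root).as_posix(),
                size=st.st_size,
                modified_utc=datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                sha256=hashlib.sha256(full.read_bytes()).hexdigest(),
            ))
    return sorted(found, key=lambda f: f.path)


def sweep(targets, collector, max_attempts=2):
    """Run the collector against every target IP; a node that raises is retried
    (the 'if node fails do another try' rule). Returns (rows, status per node)."""
    report, status = [], {}
    for ip, root in targets.items():
        for attempt in range(1, max_attempts + 1):
            try:
                report.extend(collector(ip, root))
                status[ip] = f"ok (attempt {attempt})"
                break
            except OSError as exc:
                status[ip] = f"failed after {attempt} attempt(s): {exc}"
    return report, status


def report_tsv(report):
    """Tab-delimited list of responsive files (the format the status-report slide prefers)."""
    header = "node\tpath\tsize\tmodified_utc\tsha256"
    rows = ["\t".join(str(v) for v in asdict(f).values()) for f in report]
    return "\n".join([header, *rows]) + "\n"


def make_flaky_collector(fail_once_for):
    """Wrap collect_node so one node raises on its first attempt: a constructed stand-in
    for a servlet that does not answer, used to exercise the retry path."""
    tried = set()

    def collector(ip, root):
        if ip == fail_once_for and ip not in tried:
            tried.add(ip)
            raise OSError("servlet did not respond")
        return collect_node(ip, root)

    return collector


def build_sample_nodes():
    """Constructed sample data: two 'end nodes' as temp directories holding a mix of
    responsive and non-responsive files. The IP addresses are placeholders."""
    base = Path(tempfile.mkdtemp(prefix="sweep_"))
    nodes = {"10.0.0.11": base / "node_a", "10.0.0.12": base / "node_b"}
    (nodes["10.0.0.11"] / "docs").mkdir(parents=True)
    nodes["10.0.0.12"].mkdir(parents=True)
    samples = {
        nodes["10.0.0.11"] / "report.pdf": b"%PDF-1.4 constructed sample",
        nodes["10.0.0.11"] / "notes.txt": b"not responsive",
        nodes["10.0.0.11"] / "docs" / "memo.docx": b"PK constructed docx sample",
        nodes["10.0.0.12"] / "old.doc": b"constructed doc sample",
        nodes["10.0.0.12"] / "SCAN.PDF": b"%PDF-1.4 upper-case extension",
    }
    for path, data in samples.items():
        path.write_bytes(data)
    return nodes


def run_demo():
    """Sweep the constructed nodes with 10.0.0.12 failing once; returns (rows, status)."""
    return sweep(build_sample_nodes(), make_flaky_collector("10.0.0.12"))


if __name__ == "__main__":
    files, node_status = run_demo()
    print(report_tsv(files))
    print(node_status)
```

Running it prints four responsive rows (notes.txt is skipped, SCAN.PDF is included despite the upper-case extension) and a status of "ok (attempt 1)" for the first node and "ok (attempt 2)" for the node that failed once. The per-node status is the piece worth keeping next to the report: a sweep that quietly returns no files for a node the servlet never reached looks identical to a node that genuinely had nothing, which is why collect_node raises on an unreachable root.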
28. Final List of End Nodes and Tasks to be Done in Sweep
Can be saved as part of the documentation
29. Store Collection Parameters as One of the Intermediate Reports
Useful later for documentation; goes to the case / report folder
30. Sweep is Running
• It can take a lot of time
• monitor status
• keep logs
• check the impact on the network and systems
• some automated tools
• case analyzer
• keep an eye on the console
• keep an eye on disk usage and free space
36. Create a Status Report
There are alternative methods to create intermediate status reports
I prefer “Save as” in tab-delimited format
The report goes into the case report folder
37. In Our Procedure Repeat Sweep if it Fails
Repeated sweep, now all end nodes are successful
39. L01 Collection Files – Sweep Result
Stored in the case enscript/sweep folder
Named by responsive end node
Contains:
• responsive files
• snapshot data
• add to case manually
40. L01 Files – Data in the Case
Default view is the snapshot view – records about end nodes
41. Getting to Responsive Files in L01
To get to file collector results go to “View Entries”
42. L01 File for End Node
Responsive Files View
All responsive files from one end node
43. How to Create Cumulative L01 File
• All data is in the case in node-name.L01 files
– one for each end node
– to put all of that into one file without snapshot data
• A condition will create the result view
– again, the already used condition can be applied
• From the cumulative L01 all necessary reports can be created
– same data but easier to handle
44. In Entry View Use Condition
Already used condition (as collection entry condition)