Basic Ediscovery Steps in
EnCase Enterprise v7
Damir Delija
2014
Introduction
• Data collection can be done automatically in EnCase Enterprise
• It still requires a lot of hand work and good planning
• This presentation puts together information from various sources and manuals
– Lance Mueller's blog,
– EnCase presentations and manuals,
– blogs
EnCase Enterprise Components that Enable
Forensically Sound and Secure Network Investigations
The SAFE (Secure Authentication For EnCase®)
• Authenticates users, administers access rights, retains logs of EnCase transactions, brokers communications and provides for secure data transmission
• The SAFE communicates with Examiners and Target Nodes using encrypted data streams, ensuring no information can be intercepted and interpreted
The Examiner
• Installed on a computer where authorized investigators perform examinations and audits
• Leverages the robust functionality of Guidance Software's flagship EnCase Forensic Edition product, with network enhanced capability for security and administration
The Servlet
• A small, passive software agent that gets installed on network workstations and servers
• Connectivity is established between the SAFE, the Servlet, and the EnCase Enterprise Examiner to identify, preview, and acquire local and networked devices
Enterprise Concurrent Connections
• Enterprise Concurrent Connections are secure parallel connections established between the Examiner and the servers, desktops or laptops that are being searched or investigated
Snapshot
• The "Snapshot" technology enables the user to scan thousands of computers to detect, collect, preserve and remediate any network intrusion on an enterprise-wide scale
How the EnCase Enterprise Components Fit Together
Sample Deployment Topology (diagram): Examiners, the SAFE and an Aggregation Database, with servlets installed on Target Nodes at Company Headquarters, Main Office A, Main Office B and a Branch Office, all connected over the WAN
How EnCase® Enterprise and EnCase eDiscovery
Integrate With the Target Network
A Rich Man's Solution
What We Need
• EnCase Enterprise v7
– SAFE and Examiner (both on the same machine in the basic setup)
• A lot of hand work and good planning
– task definition, plans etc.
• As always in EnCase Enterprise we need
– an open case
– a user logged into the SAFE with the appropriate rights (role)
Entry Level EnCase Enterprise System
Topology (diagram): one SAFE/Examiner machine plus additional storage, with Target Nodes at Company Headquarters, Main Office A and a Branch Office, connected over the WAN
SAFE / Examiner
• on the same machine
Servlet
• on each end node
Enterprise Concurrent Connections
• control the number of parallel accesses
Task
• Collect all pdf, doc and docx files from two machines defined by IP address
• Scope
– a set of IP addresses
• Collection rule
– if the file extension is pdf, doc or docx, collect the file and its metadata
• Procedure
– if a node fails, do another try
– create a report with the list of responsive files
Login Into EnCase Enterprise
1) choose user
2) choose SAFE
3) choose role
Creating a New Case
The case name is important; this one gives us a hint about the task
Case information guides us
Case Folder Structure
Additional folders: Reports, Conditions, Evidence
Doing Enterprise Sweep
General input
• we need a list of targets
– in EnCase terms, a list of IP addresses where we have to install servlets and do the sweep
• we need rules to define responsive data
– conditions, keywords, hashes
• we need general rules and guidelines
– what to do in the case of failure, errors, location to store data, reports, tests, case name, etc.
Sweep Enterprise
Snapshot For Data Collecting
From the EnScripts tab choose Sweep Enterprise
Definition of End Nodes for the Collection Sweep
In the sweep wizard define the nodes for the sweep
Adding IP Addresses Directly
The list of end nodes can be added directly into the wizard; it is sometimes a useful shortcut
Running Sweep on the End Nodes
End nodes defined and approved
Define the Type of the Sweep
Snapshot is mandatory
• collects processes, users, etc.
File Processor is our data collector
• collects files
System Info is optional
• slow process
• collects machine info, mostly registry
What Snapshot Gets From End Node
• System Info parser is optional
• it will collect data about the node from the end node's registry
• to speed up, this can be unchecked, but it is useful to have that data
What Process and OS Data Will Get Collected
Snapshot – mandatory
• some things which are more incident response than data collecting can be disabled to speed up
Definition of File Collection Criteria
Metadata on files is the default; file attributes are the collection criteria
If unchecked, only file metadata is collected
Entry Condition Defines File Attributes
File attributes as criteria for collection
Entry Condition Wizard
Conditions can only be typed or imported
Import an Already Existing and Tested Condition
How to import an already existing condition
Condition Folder in Case
Place Where Conditions are Kept
Conditions should be named in a meaningful way
Collection Criteria
The collection entry condition is imported from previously existing conditions
Be lazy and efficient
• automate
• use already tested and proven code
Additional Element
How to Handle Archives on the End Nodes
Default is: do not go into archives
Final List of End Nodes and Tasks to be Done in Sweep
Can be saved as part of the documentation
Store Collection Parameters as One of the Intermediate Reports
Useful later for documentation; goes to the case / report folder
Sweep is Running
• It can take a lot of time
• monitor status
• keep logs
• check the impact on the network and systems
• some automated tools
• Case Analyzer
• keep an eye on the console
• keep an eye on disk usage and free space
Sweep Status
Refresh can be done automatically
Sweep Live Status
Live sweep status: end node status, modules, success or failure
Sweep Completed
One node has failed
Sweep Results in the Analysis Browser
Analysis Browser EnScript – all collected data from the sweep (no file content)
Sweep Results: Responsive Files in the Analysis Browser
All responsive files
Create a Status Report
There are alternative methods to create intermediate status reports
I prefer "Save as" in tab delimited format
Report goes into the case report folder
In Our Procedure Repeat Sweep if It Fails
Repeated sweep, now all end nodes are successful
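The task defined at the start of the deck (collect pdf, doc and docx files with their metadata from IP-addressed end nodes, retry a node that fails, and write a tab-delimited report of responsive files), modelled as an added Python example; this is not EnCase code or an EnScript, and the sample node contents, the FlakyFetcher stand-in for servlet connectivity and the MD5 field are constructed assumptions.

```python
"""Simulated collection sweep: entry condition, retry on node failure, report.

Added example (not EnCase code): the end-node file lists, the fetch function
and the hash field are constructed stand-ins for what the servlet would return.
"""
import csv
import hashlib
import io
from dataclasses import dataclass, field

# The collection rule from the task definition.
RESPONSIVE_EXTENSIONS = {"pdf", "doc", "docx"}


@dataclass
class Entry:
    path: str
    content: bytes
    modified: str          # ISO timestamp, as a string for simplicity


@dataclass
class NodeResult:
    node: str
    status: str            # "success" or "failed"
    attempts: int
    responsive: list = field(default_factory=list)


def entry_condition(path: str) -> bool:
    """Entry condition: file extension is pdf, doc or docx (case-insensitive)."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return name.rsplit(".", 1)[-1].lower() in RESPONSIVE_EXTENSIONS


def collect_from_node(entries):
    """File processor: keep responsive entries with their metadata and a content hash."""
    out = []
    for e in entries:
        if entry_condition(e.path):
            out.append({"path": e.path, "size": len(e.content), "modified": e.modified,
                        "md5": hashlib.md5(e.content).hexdigest()})
    return out


def sweep(nodes, fetch, max_attempts=2):
    """Run the sweep over all nodes; a node whose fetch raises is retried."""
    results = []
    for node in nodes:
        attempts = 0
        while True:
            attempts += 1
            try:
                entries = fetch(node)
                results.append(NodeResult(node, "success", attempts, collect_from_node(entries)))
                break
            except ConnectionError:
                if attempts >= max_attempts:
                    results.append(NodeResult(node, "failed", attempts))
                    break


    return results


def status_report(results) -> str:
    """Tab-delimited status report: one row per responsive file, one row for empty/failed nodes."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    w.writerow(["node", "status", "attempts", "path", "size", "modified", "md5"])
    for r in results:
        if not r.responsive:
            w.writerow([r.node, r.status, r.attempts, "", "", "", ""])
        for f in r.responsive:
            w.writerow([r.node, r.status, r.attempts, f["path"], f["size"], f["modified"], f["md5"]])
    return buf.getvalue()


# Constructed sample data: two end nodes identified by IP address.
SAMPLE_NODES = {
    "10.0.0.11": [
        Entry("C:/Users/a/contract.PDF", b"%PDF-1.4 sample", "2014-03-01T10:00:00"),
        Entry("C:/Users/a/notes.txt", b"not responsive", "2014-03-01T10:01:00"),
        Entry("C:/Users/a/report.docx", b"PK docx sample", "2014-03-02T09:00:00"),
    ],
    "10.0.0.12": [
        Entry("D:/share/memo.doc", b"doc sample", "2014-02-20T08:30:00"),
        Entry("D:/share/archive.zip", b"PK zip", "2014-02-21T08:30:00"),
    ],
}


class FlakyFetcher:
    """Hypothetical servlet stand-in that fails to connect on the first try for given nodes."""
    def __init__(self, data, fail_once):
        self.data = data
        self.fail_once = set(fail_once)
        self.calls = {}

    def __call__(self, node):
        self.calls[node] = self.calls.get(node, 0) + 1
        if node in self.fail_once and self.calls[node] == 1:
            raise ConnectionError(f"servlet on {node} did not respond")
        return self.data[node]


def run_sample():
    """Sweep both sample nodes; 10.0.0.12 fails once and succeeds on the retry."""
    return sweep(sorted(SAMPLE_NODES), FlakyFetcher(SAMPLE_NODES, fail_once=["10.0.0.12"]))


if __name__ == "__main__":
    print(status_report(run_sample()))
```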
Sweep Data Location
Stored in folder:
case/
enscript/
sweep Enterprise/
scan timestamp
L01 Collection Files – Sweep Result
Stored in the case enscript/sweep folder
Named by responsive end node
Contains:
• responsive files
• snapshot data
• add to case manually
L01 Files – Data in the Case
Default view is the snapshot view – records about end nodes
Getting to Responsive Files in L01
To get to the file collector results go to "View Entries"
L01 File for End Node
Responsive Files View
All responsive files from one end node
How to Create a Cumulative L01 File
• All data are in the case in node-name.L01 files
– one for each end node
– to put all that into one file without snapshot data
• A condition will create the result view
– again, the already used condition can be applied
• From the cumulative L01 all necessary reports can be created
– same data but easier to handle
In Entry View Use Condition
Already used condition (as collection entry condition)
Run Condition
Use it on "all evidence", on all L01 end node files in our case
Results
All responsive files as condition result
Bookmark if Necessary
Bookmark if needed, for reports etc.
Good Practice: Name the Bookmark Folder after the Sweep Name
Sweep name – bookmark folder name
Creating Cumulative L01 File From Condition Results
From all responsive files create an L01 file
Create Cumulative L01 File
Name it by Sweep Name
Name based on the sweep, fill in notes, goes to the evidence folder
Create Cumulative L01 File
Include all Needed
Include file data and metadata; "close on finish" is important
Create Cumulative L01 File
L01 Format
Choose L01 if other forensic tools are used too
Good Practice: Remove all End Node L01 Files From Case
To avoid any duplications etc., remove all end node L01 files and use only the cumulative L01
Good Practice: Use Only the Cumulative L01 File
In all further work use only the cumulative L01 file, or even open a new case
Structure of the Cumulative L01 File
The whole logical structure, containing also the responsive file content
Just to Prove It
Test with the condition to show that all responsive files are here
Finishing
• Document everything
• Reports
• logs
• backup
• Store on encrypted media
• Remove forensically and wipe forensically all temporary and unwanted data and media
• Don't forget to uninstall servlets

Unit-V; Pricing (Pharma Marketing Management).pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 

EnCase Enterprise Basic File Collection

  • 5. Sample Deployment Topology
    – (diagram) Sites: Main Office A, Main Office B, Company Headquarters and a Branch Office, linked over a WAN; each site holds Target Nodes; Examiner and SAFE instances appear at several sites; an Aggregation Database is shown as well
  • 6. How EnCase® Enterprise and EnCase eDiscovery Integrate With the Target Network
    – (diagram) A rich man's solution
  • 7. What We Need
    – EnCase Enterprise v7: SAFE and Examiner (both on the same machine in the basic setup)
    – A lot of hand work and good planning: task definition, plans, etc.
    – As always in EnCase Enterprise: an open case and a user logged into the SAFE with appropriate rights (role)
  • 8. Entry Level EnCase Enterprise System
    – (diagram) Main Office A, Company Headquarters and a Branch Office over a WAN; Target Nodes at each site; SAFE/Examiner with additional storage
    – SAFE/Examiner: on the same machine
    – Servlet: on each end node
    – Enterprise Concurrent Connections: control the number of parallel accesses
  • 9. Task
    – Collect all pdf, doc and docx files from two machines defined by IP address
    – Scope: a set of IP addresses
    – Collection rule: if the file extension is pdf, doc or docx, collect the file and its metadata
    – Procedure: if a node fails, do another try; create a report with the list of responsive files
  • 10. Login Into EnCase Enterprise
    – 1) choose user, 2) choose SAFE, 3) choose role
  • 11. Creating a New Case
    – The case name is important; this one gives a hint about the task. The case information guides us later.
  • 12. Case Folder Structure
    – Additional folders: Reports, Conditions, Evidence
  • 13. Doing an Enterprise Sweep: General Input
    – We need a list of targets: in EnCase terms, a list of IP addresses where we have to install servlets and run the sweep
    – We need rules that define responsive data: conditions, keywords, hashes
    – We need general rules and guidelines: what to do in case of failure or errors, where to store data, reports, tests, the case name, etc.
  • 14. Sweep Enterprise Snapshot for Data Collection
    – From the EnScripts tab choose Sweep Enterprise
  • 15. Definition of End Nodes for the Collection Sweep
    – In the sweep wizard define the nodes for the sweep
  • 16. Adding IP Addresses Directly
    – The list of end nodes can be added directly into the wizard; it is sometimes a useful shortcut
  • 17. Running the Sweep on the End Nodes
    – End nodes defined and approved
  • 18. Define the Type of the Sweep
    – Snapshot is mandatory: collects processes, users, etc.
    – File Processor is our data collector: collects files
    – System Info is optional: a slow process; collects machine info, mostly from the registry
  • 19. What Snapshot Gets From an End Node
    – The System Info parser is optional; it collects data about the node from the end node's registry
    – To speed things up it can be unchecked, but it is useful to have that data
  • 20. What Process and OS Data Will Get Collected
    – Snapshot is mandatory
    – Some items that are more incident response than data collection can be disabled to speed up the sweep
  • 21. Definition of File Collection Criteria
    – Metadata on files is the default; file attributes are the collection criteria
    – If unchecked, only file metadata is collected
  • 22. Entry Condition Defines File Attributes
    – File attributes as the criteria for collection
  • 23. Entry Condition Wizard
    – Conditions can only be typed in or imported
  • 24. Import an Already Existing and Tested Condition
    – How to import an already existing condition
  • 25. Condition Folder in the Case: Where Conditions Are Kept
    – Conditions should be named in a meaningful way
  • 26. Collection Criteria
    – The collection entry condition is imported from previously existing conditions
    – Be lazy and efficient: automate, and use already tested and proven code
  • 27. Additional Element: How to Handle Archives on the End Nodes
    – Default is: no going into archives
  • 28. Final List of End Nodes and Tasks to Be Done in the Sweep
    – Can be saved as part of the documentation
  • 29. Store Collection Parameters as One of the Intermediate Reports
    – Useful later for documentation; goes to the case/report folder
  • 30. Sweep Is Running
    – It can take a lot of time: monitor the status, keep logs, check the impact on the network and systems
    – Some automated tools help: Case Analyzer; keep an eye on the console; keep an eye on disk usage and free space
  • 31. Sweep Status
    – Refresh can be done automatically
  • 32. Sweep Live Status
    – Live sweep status: end node status, modules, success or failure
  • 34. Sweep Results in the Analysis Browser
    – Analysis Browser EnScript: all collected data from the sweep (no file content)
  • 35. Sweep Results: Responsive Files in the Analysis Browser
    – All responsive files
  • 36. Create a Status Report
    – There are alternative methods to create intermediate status reports; I prefer "Save as" in tab-delimited format
    – The report goes into the case report folder
  • 37. In Our Procedure, Repeat the Sweep if It Fails
    – Repeated sweep; now all end nodes are successful
  • 38. Sweep Data Location
    – Stored in folder: case/ enscript/ sweep Enterprise/ Scan timestamp
  • 39. L01 Collection Files: Sweep Result
    – Stored in the case enscript/sweep folder, named by responsive end node
    – Contains: responsive files, snapshot data
    – Add to the case manually
  • 40. L01 Files: Data in the Case
    – Default view is the snapshot view: records about end nodes
  • 41. Getting to Responsive Files in L01
    – To get to the file collector results go to "View Entries"
  • 42. L01 File for an End Node: Responsive Files View
    – All responsive files from one end node
  • 43. How to Create a Cumulative L01 File
    – All data are in the case in node-name.L01 files, one for each end node; the goal is to put all of that into one file without the snapshot data
    – A condition will create the result view; again, the already used condition can be applied
    – From the cumulative L01 all necessary reports can be created: same data, but easier to handle
  • 44. In Entry View Use the Condition
    – The already used condition (the collection entry condition)
  • 45. Run the Condition
    – Use it on "all evidence", i.e. on all L01 end node files in our case
  • 46. Results
    – All responsive files as the condition result
  • 47. Bookmark if Necessary
    – Bookmark if needed, for reports etc.
  • 48. Good Practice: Name the Bookmark Folder After the Sweep Name
    – Sweep name = bookmark folder name
  • 49. Creating a Cumulative L01 File From Condition Results
    – From all responsive files create an L01 file
  • 50. Create Cumulative L01 File: Name It by Sweep Name
    – Name based on the sweep, fill in the notes; it goes to the evidence folder
  • 51. Create Cumulative L01 File: Include All That Is Needed
    – Include file data and metadata; "close on finish" is important
  • 52. Create Cumulative L01 File: L01 Format
    – Choose L01 if other forensic tools are used too
  • 53. Good Practice: Remove All End Node L01 Files From the Case
    – To avoid duplication etc., remove all end node L01 files and use only the cumulative L01
  • 54. Good Practice: Use Only the Cumulative L01 File
    – In all further work use only the cumulative L01 file, or even open a new case
  • 55. Structure of the Cumulative L01 File
    – The whole logical structure is contained, and also the responsive file content
  • 56. Just to Prove It
    – Test with the condition to show that all responsive files are there
  • 57. Finishing
    – Document everything: reports, logs, backup
    – Store on encrypted media
    – Remove forensically and wipe forensically all temporary and unwanted data and media
    – Don't forget to uninstall the servlets
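The task of slide 9 and the procedure of the following slides, emulated as an added Python example (not EnCase or EnScript code): a local directory tree stands in for a servlet-equipped end node, and `sweep_node`, `write_report` and `run_demo` are hypothetical names chosen here. The condition (extension pdf/doc/docx), the metadata kept per responsive file, the retry on node failure and the tab-delimited status report follow the slides.

```python
# Added example, not EnCase code: the page's collection task emulated locally.
# Condition = extension in {pdf, doc, docx}; each hit keeps metadata and a hash;
# a failed node is retried once; a tab-delimited status report is written.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

RESPONSIVE_EXTENSIONS = {".pdf", ".doc", ".docx"}  # collection rule from slide 9

def is_responsive(path: Path) -> bool:
    """Entry condition: collect when the extension is pdf, doc or docx."""
    return path.suffix.lower() in RESPONSIVE_EXTENSIONS

def describe(path: Path) -> dict:
    """File metadata plus a content hash so the collection can be verified later."""
    st = path.stat()
    return {"path": str(path), "size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def sweep_node(root: Path, attempts: int = 2) -> Tuple[str, List[dict]]:
    """One end node = one directory tree (hypothetical stand-in for a servlet).
    An unreachable tree raises; the loop retries, as slide 9's procedure says."""
    for _ in range(attempts):
        try:
            if not root.is_dir():
                raise FileNotFoundError(str(root))
            return "success", [describe(p) for p in sorted(root.rglob("*"))
                               if p.is_file() and is_responsive(p)]
        except OSError:
            continue
    return "failed", []

def write_report(results: Dict[str, Tuple[str, List[dict]]], out: Path) -> int:
    """One row per responsive file; a failed node gets a blank row. Returns rows."""
    blank = {"path": "", "size": "", "mtime": "", "sha256": ""}
    rows = 0
    with out.open("w", encoding="utf-8") as fh:
        fh.write("node\tstatus\tpath\tsize\tmtime\tsha256\n")
        for node, (status, hits) in results.items():
            for h in hits or [blank]:
                fh.write(f"{node}\t{status}\t{h['path']}\t{h['size']}\t"
                         f"{h['mtime']}\t{h['sha256']}\n")
                rows += 1
    return rows

def run_demo() -> dict:
    """Constructed sample: node1 has 3 responsive + 2 other files, node2 is missing."""
    base = Path(tempfile.mkdtemp())
    (base / "node1" / "docs").mkdir(parents=True)
    for name, body in [("a.pdf", b"%PDF-1.4 sample"), ("docs/b.DOCX", b"PK docx"),
                       ("docs/c.doc", b"doc body"), ("notes.txt", b"skip"), ("image.png", b"\x89PNG")]:
        (base / "node1" / name).write_bytes(body)
    results = {"node1": sweep_node(base / "node1"), "node2": sweep_node(base / "node2")}
    return {"results": results, "rows": write_report(results, base / "report.tsv"),
            "report": (base / "report.tsv").read_text(encoding="utf-8")}
```

The report row for the failed node is what the repeat-sweep step of slide 37 keys on; the hashes let the later cumulative L01 check (slide 56) be compared against what was originally collected.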