Usage aspects techniques for enterprise forensics data analytics tools
1. Usage Aspects Techniques For Enterprise Forensics Data Analytics Tools
Damir Delija
damir.delija@insig2.eu
"Nove sigurnosne ugroze i kritična nacionalna infrastruktura"
Zagreb, 12-13.09.2013
2. Idea
• How to analyze data in the internal database and data repositories of a forensic tool through external data analytics tools
• Or, more generally: access to hidden data in forensic tools, especially enterprise-class forensic tools
– (this is not a new problem; something very similar happened in network management ages ago)
3. To explore situation
• To try what can be collected from commercial forensic tools
– EnCase v7, FTK as forensic tools
– InfoZoom as data presentation and analysis tool
• also some open source add-ons
4. Evolution Of Enterprise Forensics
Capabilities
capability | description
disk images | Forensic image of remote physical or logical disks, acquired and preserved on the forensics workstation
memory images | Forensic image of the whole RAM of a remote node and memory images of processes, acquired and preserved on the forensics workstation
snapshot data | Presenting the current structure of users, processes, DLLs, open files, network information (ARP table, DNS table, routing table)
• Each step brings a huge amount of data and metadata into the forensic tool
• this data is not worthless even if it is not directly related to the first line of examination
5. Forensic tools example: EnCase v7
• EnCase v7
– stores data in cache files and evidence files
• cache: processed data, usually SQLite
• evidence: original data
– Other forensic tools store data in a db or in various files (FTK, X-Ways, UFED ...)
– the data is there, but what you can see is what the forensic tool allows you to see
• or a huge effort to do a workaround to access the data
6. Forensics Components
[Diagram: EnCase Enterprise approach – Examiner workstations at Company Headquarters, WAN, SAFE servers, and Target Nodes at Main Office A, Main Office B and the Branch Office]
7. EnCase Enterprise sweep
• collect live snapshot data from all machines in the enterprise
– on each machine a forensic agent (servlet) is installed
• data goes into an SQLite db file on the examiner machine
• the GUI and interface in EnCase are harsh and unhelpful for data extraction / analysis
• access to data from EnCase: use the data browser or write an EnScript program
8. Simple Network Incident Scenario
step | tasks
1 Snapshot | Forensics snapshot of suspected machines involved in the incident
2 Analyses internal | Snapshot analysis in the forensic tool; export data to other related tools for fine analysis
3 External analyses | Analysis based on data properties (not intrinsically forensic values) with external tools; data is available to non-forensic tools (export, database connection etc.)
4 Action or redoing snapshot | Results from step 3 go back into the forensic tool as a list of suspicious processes; further forensic analysis is carried out (hash analysis, entropy etc.)
• for any data consolidation it helps if there is an additional view into the data available
• this view is problem dependent and very often fuzzy; it requires data export into something else (very often Excel) or an SQL database
9. Example
• set of sweeps and the related SQLite db file
• Sweep.sqlite: all sweep data in one file
10. Explanation of data
• for each sweep (set of machine snapshots)
– some data are undocumented
– the set of machine snapshots is contained in various tables
• machine data
• users, groups
• network data (IP, route, ARP, MAC ...)
• DLLs and their attributes
– instances of DLL, ownership, size, hash, loads
• processes and their attributes
– instances of process, ownership, size, hash ...
– no disk info (another method of access)
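Steps 3 and 4 of the incident scenario above (external analysis of sweep data on properties that are not intrinsically forensic, then a list of suspicious processes fed back into the tool), as an added example that is not part of the original deck. Because the sweep tables are undocumented, the `process(machine, name, hash)` table and its rows are a constructed stand-in, not the real Sweep.sqlite schema; the same queries apply to a real sweep once the table and column names are mapped.

```python
import sqlite3

# Constructed sample rows (machine, process name, process hash).
# This is an assumed minimal layout, not the real EnCase sweep schema.
SAMPLE_ROWS = [
    ("host-a", "svchost.exe", "aaa111"),
    ("host-a", "explorer.exe", "bbb222"),
    ("host-b", "svchost.exe", "aaa111"),
    ("host-b", "explorer.exe", "bbb222"),
    ("host-c", "svchost.exe", "aaa111"),
    ("host-c", "explorer.exe", "bbb222"),
    ("host-c", "svchost.exe", "ccc333"),   # same name, different hash
    ("host-b", "updater.exe", "ddd444"),   # seen on one machine only
]


def load_sweep(rows, path=":memory:"):
    """Build the stand-in sweep database; pass a file path for a real sweep."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE process (machine TEXT, name TEXT, hash TEXT)")
    con.executemany("INSERT INTO process VALUES (?, ?, ?)", rows)
    con.commit()
    return con


def rare_hashes(con, max_machines=1):
    """Process hashes present on at most max_machines distinct machines."""
    sql = """SELECT name, hash, COUNT(DISTINCT machine) AS n
             FROM process GROUP BY name, hash HAVING n <= ?
             ORDER BY name, hash"""
    return con.execute(sql, (max_machines,)).fetchall()


def name_hash_conflicts(con):
    """Process names that appear with more than one hash across the sweep."""
    sql = """SELECT name, COUNT(DISTINCT hash) AS variants
             FROM process GROUP BY name HAVING variants > 1 ORDER BY name"""
    return con.execute(sql).fetchall()


def suspicious_list(con):
    """Step 4: flat (machine, name, hash) rows to feed back into the forensic tool."""
    rare = {(name, h) for name, h, _ in rare_hashes(con)}
    rows = con.execute(
        "SELECT DISTINCT machine, name, hash FROM process ORDER BY 1, 2, 3"
    ).fetchall()
    return [r for r in rows if (r[1], r[2]) in rare]


if __name__ == "__main__":
    db = load_sweep(SAMPLE_ROWS)
    for row in suspicious_list(db):
        print(row)
```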
22. INsig2 – Integrated security
Example of integration
Other enterprise security tools
Automated Incident Response Suite automates the task of manually filtering through alert data via the IDS/SIM/CMS interface
• selects alerts of interest
• performs an investigation through a snapshot
• same idea for data analysis as for plain EnCase Enterprise
• additional sources: log collector, SIEM, other forensic tools
23. Conclusion
• useful, but it needs a lot of expertise in all the tools used to get the data out and compare the really important data
• lack of standardization
• XML useful
• for real-time incidents, too much work on the tool instead of on the task
• mobile devices put a whole new dimension into this problem
24. Related tools & ideas
• Nuix http://www.nuix.com/
• other data mining / data analysis tools
• In the last year a lot of vendor-specific tools, as part of packages, are coming to market, mostly for timeline analysis and connection analysis, but again they lack flexibility