Damir Delija, Davorka Foit Consultant DataFocus, Zagreb 2014. On-line Digital Forensic Investigations in EnCase Enterprise v7



Introduction

On-line digital forensic investigations: live access to remote machines (preview).

Data collection is part of the live machine investigation:
• process data
• disk data
• files

Automated data collection can be done with EnCase Enterprise.

Requires a lot of hand work and good planning.

Servlets Installed on Computers

How the EnCase Enterprise Components Fit Together

EnCase Enterprise Components that Enable Forensically Sound and Secure Network Investigations

The SAFE (Secure Authentication For EnCase®) authenticates users, administers access rights, retains logs of EnCase transactions, brokers communications and provides for secure data transmission.

The SAFE communicates with Examiners and Target Nodes using encrypted data streams, ensuring no information can be intercepted and interpreted.

The Examiner is installed on a computer where authorized investigators perform examinations and audits. It leverages the robust functionality of Guidance Software's flagship EnCase Forensic Edition product, with network-enhanced capability for security and administration.

The Servlet is a small, passive software agent that gets installed on network workstations and servers. Connectivity is established between the SAFE, the Servlet, and the EnCase Enterprise Examiner to identify, preview, and acquire local and networked devices.

Enterprise Concurrent Connections are secure parallel connections established between the Examiner and the servers, desktops or laptops that are being searched or investigated.

Snapshot: the “Snapshot” technology enables the user to scan thousands of computers to detect, collect, preserve and remediate any network intrusion on an enterprise-wide scale.

Entry Level EnCase Enterprise System

SAFE / Examiner
• on the same machine

Servlet
• on each end node

Enterprise Concurrent Connections
• control the number of parallel accesses

[Diagram: Main Office A runs the SAFE / Examiner with additional storage; target nodes at Company Headquarters and at the Branch Office are reached over the WAN]

What we need

EnCase Enterprise v7
• SAFE, Examiner (both on the same machine in the basic setup)
• installation of servlets
• configuration of the system

Requires a lot of hand work and good planning
• task definition, plans etc.

As it is in EnCase Enterprise we need
• an open case
• a user logged into the SAFE with appropriate rights (role)

1) choose user
2) choose SAFE
3) choose role

Login Into EnCase Enterprise

Creating a New Case

Case name is important: this one gives us a hint about the task. Case information tells us what it was all about.

Live Endnode Preview and Analysis – Manual Access

How to interactively access an end node for further analysis if necessary.

Simple, it is almost the same as for the automated sweep and local device analysis:
• have to be logged into EnCase with an open case
• add the list of end nodes to access
• choose devices (disks, RAM, process memory) from the end nodes
• do the analysis you need

Always remember to be fast:
• it is live and it can change

For live interactive network preview, add end nodes manually.

Live Endnode Preview and Access

One end node, collect disks, RAM and process memory.

List of Endnodes to Access

Devices on the end node.

What Examiner Station Can Access

Disks and RAM chosen for live access.

Examiner Table View

Remote disk looks like any other disk.

Remote Disk Analysis

Conditions can be used, case processor, EnScripts, etc.

Full Forensic Analysis

Automated Access

Enterprise Sweep

General input:
• we need a list of targets
• we need rules to define responsive data
• we need general rules and guidelines

In EnCase terms:
• list of IP addresses where we have to install servlets and do the sweep
• conditions, keywords, hashes
• what to do in the case of failure, errors, location to store data, reports, tests, case name, etc.

Task

Collect all pdf, doc and docx files from two machines defined by IP address.

Scope
• set of IP addresses

Collection rule
• if the file extension is pdf or doc or docx, collect the file and its metadata

Procedure
• if a node fails - do another try
• create a report with the list of responsive files
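The collection task above (scope of IP addresses, extension rule, one retry on node failure, report of responsive files) as an added Python model; this is not code from the DataFocus slides or from EnCase. The Node class, its servlet connection and the file contents are constructed stand-ins, and the size and md5 per file are an assumed substitute for the metadata the File Processor collects.

```python
import hashlib
from dataclasses import dataclass

RESPONSIVE_EXT = (".pdf", ".doc", ".docx")   # collection rule from the task

@dataclass
class Node:
    """Constructed stand-in for an end node reached through a servlet."""
    ip: str
    files: dict                 # path -> content bytes (constructed sample data)
    fail_first: bool = False    # simulate a node whose first connection fails
    attempts: int = 0

    def list_files(self):
        self.attempts += 1
        if self.fail_first and self.attempts == 1:
            raise ConnectionError(f"servlet on {self.ip} did not answer")
        return self.files

def is_responsive(path):
    """Collection entry condition: match on the lower-cased file extension."""
    return path.lower().endswith(RESPONSIVE_EXT)

def collect(node, retries=1):
    """Sweep one node; on failure do another try (up to `retries` extra attempts)."""
    for attempt in range(retries + 1):
        try:
            files = node.list_files()
            break
        except ConnectionError as err:
            if attempt == retries:
                return {"ip": node.ip, "status": "failed", "error": str(err), "files": []}
    # Keep responsive files together with their metadata (size and md5 here).
    hits = [{"path": p, "size": len(b), "md5": hashlib.md5(b).hexdigest()}
            for p, b in files.items() if is_responsive(p)]
    return {"ip": node.ip, "status": "ok", "error": None, "files": hits}

def sweep(nodes, retries=1):
    return [collect(n, retries) for n in nodes]   # whole scope, node by node

def report(results):
    """Report lines: one per responsive file, plus one per failed node."""
    lines = []
    for r in results:
        if r["status"] != "ok":
            lines.append(f"{r['ip']}\tFAILED\t{r['error']}")
        for f in r["files"]:
            lines.append(f"{r['ip']}\t{f['path']}\t{f['size']}\t{f['md5']}")
    return lines
```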

Sweep Enterprise

Snapshot For Data Collecting

From the EnScripts tab choose: Sweep Enterprise.

Definition of End Nodes for the Collection Sweep

In the sweep wizard define the nodes for the sweep.

Running Sweep on the End Nodes

End nodes defined and approved.

Define the Type of the Sweep

Snapshot is mandatory
• collects processes, users, etc.

File Processor is our data collector
• collects files

System info is optional
• slow process
• collects machine info, mostly registry

What Snapshot Gets From End Node

• System info parser is optional
• it will collect data about the node from the end node's registry
• to speed up, this can be unchecked, but it is useful to have that data

What Process and OS Data Get Collected

Snapshot – mandatory
• some things which are more incident response than data collecting can be disabled to speed up

Definition of File Collection Criteria

Metadata on files is the default; file attributes are the collection criteria. If unchecked, only file metadata is collected.

Collection Criteria

Collection entry condition is imported from previously existing conditions. Be lazy and efficient:
• automate
• use already tested and proven code

Sweep is Running

• it can take a lot of time
• monitor status
• keep logs
• check the impact on the network and systems
• some automated tools: case analyzer
• keep an eye on the console
• keep an eye on disk usage and free space

Sweep Live Status

Live sweep status: end node status, modules, success or failure.

Sweep Completed

One node has failed.

Sweep Results: Responsive Files in the Analysis Browser

All responsive files.

Sweep Data Location

Stored in folder: case/ enscript/ sweep Enterprise/ Scan timestamp

L01 Files

Data in the Case

Default view is the snapshot view - records about end nodes.

Getting to Responsive Files in L01

To get to the file collector results go to “View Entries”.

L01 File for End Node

Responsive Files View

All responsive files from one end node.

In Entry View Use Condition

Already used condition (as collection entry condition).

Run Condition

Use it on “all evidence” - on all L01 end node files in our case.

Results

All responsive files as condition result.

Finishing

Document everything:
• reports, logical evidence file, exports, hash sets
• logs
• backup

Store on encrypted media.

Remove forensically and wipe forensically all temporary and unwanted data and media.

Don’t forget to uninstall servlets.