EnCase Enterprise Basic File Collection
DESCRIPTION
How to use the file collection tool in EnCase Enterprise
TRANSCRIPT
![Page 1: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/1.jpg)
Basic eDiscovery Steps in EnCase Enterprise v7
Damir Delija
2014
![Page 2: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/2.jpg)
Introduction
• Data collection can be done automatically in EnCase Enterprise
• It still requires a lot of hand work and good planning
• This presentation puts together information from various sources and manuals
– Lance Mueller's blog
– EnCase presentations and manuals
– other blogs
![Page 3: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/3.jpg)
EnCase Enterprise Components that Enable Forensically Sound and Secure Network Investigations
The SAFE (Secure Authentication For EnCase®)
• Authenticates users, administers access rights, retains logs of EnCase transactions, brokers communications and provides for secure data transmission
• The SAFE communicates with Examiners and Target Nodes using encrypted data streams, so that traffic cannot be read even if it is intercepted
The Examiner
• Installed on a computer where authorized investigators perform examinations and audits
• Leverages the functionality of Guidance Software's flagship EnCase Forensic Edition product, with network-enabled capability for security and administration
The Servlet
• A small, passive software agent that is installed on network workstations and servers
• Connectivity is established between the SAFE, the Servlet and the EnCase Enterprise Examiner to identify, preview and acquire local and networked devices
Enterprise Concurrent Connections
• Secure parallel connections established between the Examiner and the servers, desktops or laptops that are being searched or investigated
Snapshot
• The "Snapshot" technology enables the user to scan thousands of computers to detect, collect, preserve and remediate a network intrusion on an enterprise-wide scale
![Page 4: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/4.jpg)
How the EnCase Enterprise Components Fit Together
(figure; label: Servlets Installed on Computers)
![Page 5: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/5.jpg)
Sample Deployment Topology
(figure: the sites Company Headquarters, Main Office A, Main Office B and Branch Office are connected over a WAN; the components shown are SAFE, Examiner, Aggregation Database and Target Nodes)
![Page 6: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/6.jpg)
How EnCase® Enterprise and EnCase eDiscovery Integrate With the Target Network
A rich man's solution
![Page 7: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/7.jpg)
What We Need
• EnCase Enterprise v7
– SAFE and Examiner (both on the same machine in the basic setup)
• A lot of hand work and good planning
– task definition, plans etc.
• As always in EnCase Enterprise, we need
– an open case
– a user logged into the SAFE with the appropriate rights (role)
![Page 8: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/8.jpg)
Entry Level EnCase Enterprise System
SAFE / Examiner
• on the same machine
Servlet
• on each end node
Enterprise Concurrent Connections
• control the number of parallel accesses
(figure: SAFE / Examiner with additional storage at Company Headquarters; Target Nodes at Main Office A and the Branch Office, connected over the WAN)
![Page 9: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/9.jpg)
Task
• Collect all pdf, doc and docx files from two machines defined by IP address
• Scope
– a set of IP addresses
• Collection rule
– if the file extension is pdf, doc or docx, collect the file and its metadata
• Procedure
– if a node fails, do another try
– create a report with the list of responsive files
![Page 10: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/10.jpg)
Login Into EnCase Enterprise
1) choose user
2) choose SAFE
3) choose role
![Page 11: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/11.jpg)
Creating a New Case
The case name is important; this one hints at the task. The case information guides us later.
![Page 12: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/12.jpg)
Case Folder Structure
Additional folders: Reports, Conditions, Evidence
![Page 13: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/13.jpg)
Doing an Enterprise Sweep
General input – in EnCase terms
• we need a list of targets – a list of IP addresses where we have to install servlets and run the sweep
• we need rules to define responsive data – conditions, keywords, hashes
• we need general rules and guidelines – what to do in case of failure or errors, where to store data, reports, tests, case name, etc.
![Page 14: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/14.jpg)
Sweep Enterprise Snapshot for Data Collection
From the EnScripts tab choose Sweep Enterprise
![Page 15: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/15.jpg)
Definition of End Nodes for the Collection Sweep
In the sweep wizard, define the nodes for the sweep
![Page 16: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/16.jpg)
Adding IP Addresses Directly
The list of end nodes can be typed directly into the wizard; this is sometimes a useful shortcut
![Page 17: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/17.jpg)
Running the Sweep on the End Nodes
End nodes defined and approved
![Page 18: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/18.jpg)
Define the Type of the Sweep
Snapshot is mandatory
• collects processes, users, etc.
File Processor is our data collector
• collects files
System Info is optional
• slow process
• collects machine info, mostly from the registry
![Page 19: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/19.jpg)
What Snapshot Gets From the End Node
• the System Info parser is optional
• it collects data about the node from the end node's registry
• to speed up the sweep this can be unchecked, but it is useful to have that data
![Page 20: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/20.jpg)
What Process and OS Data Will Be Collected
Snapshot – mandatory
• some items that are more incident response than data collection can be disabled to speed things up
![Page 21: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/21.jpg)
Definition of File Collection Criteria
• collecting file metadata is the default
• file attributes are the collection criteria
• if file collection is unchecked, only file metadata is collected
![Page 22: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/22.jpg)
Entry Condition Defines File Attributes
File attributes as the criteria for collection
![Page 23: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/23.jpg)
Entry Condition Wizard
Conditions can only be typed in or imported
![Page 24: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/24.jpg)
Import an Existing, Tested Condition
How to import an already existing condition
![Page 25: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/25.jpg)
Conditions Folder in the Case: Where Conditions Are Kept
Conditions should be named in a meaningful way
![Page 26: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/26.jpg)
Collection Criteria
The collection entry condition is imported from previously existing conditions. Be lazy and efficient:
• automate
• use already tested and proven code
![Page 27: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/27.jpg)
Additional Element: How to Handle Archives on the End Nodes
Default: do not go into archives
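The collection rule from the task slide (extension pdf, doc or docx; collect the file and its metadata) and the archive setting above, as a stand-alone script rather than an EnCase entry condition. This is an added example, not code from the deck or from EnCase: it walks a directory tree, keeps files whose extension matches (case-insensitively, so `report.PDF` is responsive), records size, last-written time and MD5/SHA-1, and writes a tab-delimited manifest like the intermediate reports the deck saves. Expanding archives is off by default, mirroring the sweep default; only zip is handled when it is turned on. The sample tree is constructed inline; the field names are an assumption, not EnCase's own.

```python
"""Collection rule (pdf/doc/docx) as a stand-alone collector. Added example; not EnCase code."""
import csv
import hashlib
import io
import os
import tempfile
import zipfile
from datetime import datetime, timezone

RESPONSIVE_EXT = {"pdf", "doc", "docx"}           # the collection rule from the task slide
FIELDS = ["path", "container", "size", "written", "md5", "sha1"]   # assumed manifest columns


def is_responsive(name: str) -> bool:
    """Extension match, case-insensitive, like an entry condition on the Extension field."""
    _stem, dot, ext = name.rpartition(".")
    return bool(dot) and ext.lower() in RESPONSIVE_EXT


def file_record(path: str, data: bytes, mtime: float, container: str = "") -> dict:
    """Metadata plus content hashes; 'container' names the archive a member came from."""
    return {
        "path": path,
        "container": container,
        "size": len(data),
        "written": datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def collect(root: str, expand_archives: bool = False) -> list:
    """Return a record for every responsive file under root.

    expand_archives=False is the sweep default (archives are not opened).
    A responsive file is collected as-is and never expanded, even though a
    .docx is itself a zip container."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            if is_responsive(name):
                with open(full, "rb") as fh:
                    records.append(file_record(full, fh.read(), st.st_mtime))
            elif expand_archives and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    for info in zf.infolist():
                        if info.is_dir() or not is_responsive(info.filename):
                            continue
                        member_mtime = datetime(*info.date_time, tzinfo=timezone.utc).timestamp()
                        records.append(file_record(info.filename, zf.read(info),
                                                   member_mtime, container=full))
    return records


def manifest_text(records: list) -> str:
    """Tab-delimited manifest, the format the deck uses for intermediate reports."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, delimiter="\t", lineterminator="\n")
    w.writeheader()
    w.writerows(records)
    return buf.getvalue()


def demo_tree() -> str:
    """Constructed sample tree: two responsive files (one with upper-case extension),
    one non-responsive text file, and a zip that hides a .doc inside."""
    root = tempfile.mkdtemp(prefix="sweep_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.PDF"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    with open(os.path.join(root, "docs", "memo.docx"), "wb") as fh:
        fh.write(b"PK constructed sample docx\n")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"not responsive\n")
    with zipfile.ZipFile(os.path.join(root, "old.zip"), "w") as zf:
        zf.writestr("archive/letter.doc", b"constructed sample doc inside an archive")
    return root


if __name__ == "__main__":
    root = demo_tree()
    recs = collect(root)                           # default: archives not expanded
    with open(os.path.join(root, "manifest.tsv"), "w") as out:
        out.write(manifest_text(recs))
    print(len(recs), "responsive files; with archives expanded:",
          len(collect(root, expand_archives=True)))
```

The difference between the two counts printed at the end is exactly what the archive setting decides: with the default, the `.doc` inside `old.zip` is never seen, so if the task requires archive contents the option has to be turned on before the sweep, not after.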
![Page 28: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/28.jpg)
Final List of End Nodes and Tasks to be Done in Sweep
Can be saved as part of documentation
![Page 29: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/29.jpg)
Store the Collection Parameters as One of the Intermediate Reports
Useful later for documentation; goes into the case report folder
![Page 30: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/30.jpg)
Sweep is Running
• it can take a lot of time
• monitor the status
• keep logs
• check the impact on the network and the systems
• some automated tools help
– Case Analyzer
• keep an eye on the console
• keep an eye on disk usage and free space
![Page 31: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/31.jpg)
Sweep Status
Refresh can be done automatically
![Page 32: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/32.jpg)
Sweep Live Status
Live sweep status: end nodes status, modules, success or failure
![Page 33: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/33.jpg)
Sweep Completed
One node has failed
![Page 34: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/34.jpg)
Sweep Results in the Analysis Browser
Analysis Browser EnScript – all collected data from the sweep (no file content)
![Page 35: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/35.jpg)
Sweep Results Responsive Files in the Analysis Browser
All responsive files
![Page 36: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/36.jpg)
Create a Status Report
There are alternative methods to create intermediate status reports
I prefer "Save as" in tab-delimited format; the report goes into the case report folder
![Page 37: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/37.jpg)
In Our Procedure, Repeat the Sweep if It Fails
Repeated sweep; now all end nodes are successful
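The retry step of the procedure ("if a node fails, do another try") worked through on saved status reports. This is an added example, not part of the deck or of EnCase: it reads two constructed tab-delimited status reports of the kind saved with "Save as" (the column names `node`, `module`, `status`, `responsive`, `message` are an assumption), treats a node as failed if any module on it failed, builds the target list for the repeated sweep with a cap on attempts so a dead host does not loop forever, and merges the runs so that the final record keeps each node's last successful result. The IP addresses are from the documentation range and are constructed.

```python
"""Retry and merge logic over sweep status reports. Added example; columns are assumed."""
import csv
import io

# Constructed sample: first sweep, one node failed (cf. the "Sweep Completed" slide).
SWEEP_1 = (
    "node\tmodule\tstatus\tresponsive\tmessage\n"
    "192.0.2.11\tSnapshot\tSuccess\t\t\n"
    "192.0.2.11\tFile Processor\tSuccess\t37\t\n"
    "192.0.2.12\tSnapshot\tFailed\t\tConnection refused\n"
    "192.0.2.12\tFile Processor\tFailed\t\tConnection refused\n"
)

# Constructed sample: the repeated sweep, run only against the failed node, now successful.
SWEEP_2 = (
    "node\tmodule\tstatus\tresponsive\tmessage\n"
    "192.0.2.12\tSnapshot\tSuccess\t\t\n"
    "192.0.2.12\tFile Processor\tSuccess\t12\t\n"
)


def parse_status(text: str) -> list:
    """One dict per (node, module) row of a tab-delimited status report."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def node_status(rows: list) -> dict:
    """node -> True only if every module on that node reported Success."""
    status = {}
    for r in rows:
        status[r["node"]] = status.get(r["node"], True) and r["status"] == "Success"
    return status


def failed_nodes(rows: list) -> list:
    return sorted(n for n, ok in node_status(rows).items() if not ok)


def retry_targets(rows: list, attempts: dict, max_attempts: int = 3) -> tuple:
    """Split failed nodes into (retry, give_up).

    attempts counts sweeps already run per node and is updated in place; a node is
    retried until it has been swept max_attempts times, then it is reported instead
    of being retried again (the documentation step, not an endless loop)."""
    retry, give_up = [], []
    for n in failed_nodes(rows):
        attempts[n] = attempts.get(n, 0) + 1
        (retry if attempts[n] < max_attempts else give_up).append(n)
    return retry, give_up


def merge_runs(*runs: list) -> dict:
    """node -> rows from the latest run in which that node succeeded.

    A failed result is kept only until a later run replaces it with a success,
    so the merged view never shows a stale failure for a node that was retried."""
    merged = {}
    for rows in runs:
        by_node = {}
        for r in rows:
            by_node.setdefault(r["node"], []).append(r)
        for n, node_rows in by_node.items():
            if n not in merged or all(r["status"] == "Success" for r in node_rows):
                merged[n] = node_rows
    return merged


def responsive_total(merged: dict) -> int:
    """Responsive-file count across the merged runs, for the final report."""
    return sum(int(r["responsive"]) for rows in merged.values() for r in rows if r["responsive"])


if __name__ == "__main__":
    first = parse_status(SWEEP_1)
    attempts = {}
    retry, give_up = retry_targets(first, attempts)
    print("retry:", retry, "give up:", give_up)
    final = merge_runs(first, parse_status(SWEEP_2))
    print("still failed:", failed_nodes([r for rows in final.values() for r in rows]),
          "responsive files:", responsive_total(final))
```

Keeping the per-run reports and the merged view side by side is what makes the later documentation step easy: the reports show that node `192.0.2.12` failed once and why, and the merged view shows the result that went into the case.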
![Page 38: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/38.jpg)
Sweep Data Location
Stored in the folder: case / EnScript / Sweep Enterprise / Scan <timestamp>
![Page 39: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/39.jpg)
L01 Collection Files – Sweep Result
Stored in the case EnScript/sweep folder, one file named after each responsive end node. Contains:
• responsive files
• snapshot data
• add them to the case manually
![Page 40: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/40.jpg)
L01 Files – Data in the Case
The default view is the snapshot view – records about the end nodes
![Page 41: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/41.jpg)
Getting to the Responsive Files in the L01
To get to the File Processor results go to "View Entries"
![Page 42: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/42.jpg)
L01 File for End Node Responsive Files View
All responsive files from one end node
![Page 43: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/43.jpg)
How to Create a Cumulative L01 File
• All data are in the case in node-name.L01 files – one for each end node
– put all of that into one file, without the snapshot data
• A condition creates the result view – again, the already used condition can be applied
• From the cumulative L01 all necessary reports can be created – the same data, but easier to handle
![Page 44: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/44.jpg)
In the Entry View, Use a Condition
The already used condition (the collection entry condition)
![Page 45: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/45.jpg)
Run the Condition
Run it on "all evidence", i.e. on all end-node L01 files in our case
![Page 46: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/46.jpg)
Results
All responsive files as the condition result
![Page 47: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/47.jpg)
Bookmark if Necessary
Bookmark if needed, for reports etc.
![Page 48: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/48.jpg)
Good Practice: Name the Bookmark Folder After the Sweep
Sweep name = bookmark folder name
![Page 49: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/49.jpg)
Creating the Cumulative L01 File From the Condition Results
From all responsive files create one L01 file
![Page 50: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/50.jpg)
Create Cummulative L01 File Name it by Sweep Name
Name based on sweep, fill notes, goes to evidence folder
![Page 51: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/51.jpg)
Create Cummulative L01 File Include all Needed
Include file data and metadata, close on finish is important
![Page 52: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/52.jpg)
Create Cummulative L01 File L01 Format
Choose L01 if other forensic tools are used too
![Page 53: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/53.jpg)
Good Practice: Remove All End-Node L01 Files From the Case
To avoid duplicates etc., remove all end-node L01 files and use only the cumulative L01
![Page 54: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/54.jpg)
Good Practice: Use Only the Cumulative L01 File
In all further work use only the cumulative L01 file, or even open a new case for it
![Page 55: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/55.jpg)
Structure of the Cumulative L01 File
The whole logical structure is contained, including the content of the responsive files
![Page 56: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/56.jpg)
Just to Prove It
Test with the condition to show that all responsive files are there
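The proof step above, together with the reason for removing the end-node L01 files: a check that the cumulative collection holds every responsive file from every per-node collection exactly once, and that leaving the per-node L01s in the case would make the condition return each file twice. This is an added example, not EnCase's own logic or the deck's: it works on constructed per-node manifests of (path, MD5) tuples, keyed on node, path and hash so that the same document collected from two nodes stays as two items (two custodians), while a double-counted item on one node collapses to one. The node addresses, paths and hashes are constructed.

```python
"""Completeness and duplicate check for the cumulative collection. Added example."""
from collections import Counter

# Constructed per-node manifests, i.e. what the per-node L01 files would hold: (path, md5).
# report.pdf has the same content on both nodes; it must stay as two items.
PER_NODE = {
    "192.0.2.11": [
        ("C:\\Users\\a\\report.pdf", "0cc175b9c0f1b6a831c399e269772661"),
        ("C:\\Users\\a\\memo.docx", "92eb5ffee6ae2fec3ad71c777531578f"),
    ],
    "192.0.2.12": [
        ("C:\\Data\\plan.doc", "4a8a08f09d37b73795649038408b5f33"),
        ("C:\\Data\\report.pdf", "0cc175b9c0f1b6a831c399e269772661"),
    ],
}


def per_node_items(per_node: dict) -> list:
    """Flatten the per-node manifests into (node, path, md5) items."""
    return [(n, p, h) for n, files in per_node.items() for p, h in files]


def build_cumulative(per_node: dict) -> list:
    """Union of the per-node collections with exact duplicates (same node, path
    and hash) collapsed; insertion order is kept for stable reports."""
    return list(dict.fromkeys(per_node_items(per_node)))


def prove_complete(per_node: dict, cumulative: list) -> tuple:
    """Return (missing, extra, duplicates); the proof passes when all three are empty."""
    expected = Counter(per_node_items(per_node))
    got = Counter(cumulative)
    missing = sorted(set(expected) - set(got))
    extra = sorted(set(got) - set(expected))
    duplicates = sorted(k for k, c in got.items() if c > 1)
    return missing, extra, duplicates


def unique_content(items: list) -> int:
    """Distinct content hashes: a document present on two nodes counts once here,
    which is the number that matters for review volume."""
    return len({h for _node, _path, h in items})


def condition_view(evidence_files: list) -> list:
    """What running the condition on 'all evidence' returns: every responsive item
    from every evidence file still in the case, so leftovers are counted again."""
    return [item for ev in evidence_files for item in ev]


if __name__ == "__main__":
    cumulative = build_cumulative(PER_NODE)
    print("cumulative items:", len(cumulative), "distinct content:", unique_content(cumulative))
    print("proof (cumulative only):", prove_complete(PER_NODE, cumulative))
    # Failure mode: per-node L01s left in the case next to the cumulative one.
    leftovers = [[(n, p, h) for p, h in files] for n, files in PER_NODE.items()]
    print("proof (with leftover L01s):", prove_complete(PER_NODE, condition_view([cumulative] + leftovers)))
```

The second proof line is why the deck insists on removing the end-node L01 files: nothing is missing and nothing is extra, but every item appears twice, and any count or report built from that view is wrong by a factor of two.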
![Page 57: EnCase Enterprise Basic File Collection](https://reader034.vdocuments.net/reader034/viewer/2022042513/55635ee0d8b42ae6088b468d/html5/thumbnails/57.jpg)
Finishing
• Document everything
• reports
• logs
• backup
• Store on encrypted media
• Forensically remove and wipe all temporary and unwanted data and media
• Don't forget to uninstall the servlets