Whitepaper
ENCASE PROCESSOR HARDWARE AND CONFIGURATION RECOMMENDATIONS
EnCase Processor Hardware and Configuration Recommendations
ABOUT THE EVIDENCE PROCESSOR
With the EnCase® Evidence Processor, digital investigators may execute powerful analytic methods against evidence in a
single automated session. While running this multi-threaded process, the Evidence Processor optimizes the order and
combinations of processing operations, ensuring the most efficient execution path is taken.
Examiners can work on other aspects of their case while the Evidence Processor, running unattended,
processes data. The output of the Evidence Processor is stored, per device, on disk, instead of memory, so that multiple
devices can be processed simultaneously across several computers, and compiled into a case, without
the data commingling.
The Evidence Processor contains numerous useful features:
• Acquiring devices directly from the Evidence Processor
• Processing, with limited options, local and network previews without acquiring the devices
• Saving sets of Evidence Processor options as templates to be run with little or no modification later
• On-screen instructions that guide you through the use of each setting
• Automatic processing of the results from any current EnScript modules, according to the current processor settings (Index, Keyword search, etc.)
• Prioritized processing for timely review of documents, pictures or evidence within a specific time range
• Expose OS specific artifacts through use of the Linux, Windows and OS X artifact parsers
The Evidence Processor may be used within a single installation of EnCase, and multiple EnCase Processors may be easily
assembled into a processing grid, using EnCase Processor Manager to distribute, prioritize and coordinate processing across
any number of Processor Nodes.
Guidance Software recommends running the Evidence Processor after performing an initial triage of your evidence, validating
the data for browsing, and setting the time zones.
EVIDENCE PROCESSOR OPTIONS
Recovering Folders
Recover Folders attempts to recover files from FAT and NTFS volumes. This operation is particularly useful when a drive
has been reformatted or the MFT is corrupted.
Prioritization
When artifacts like Documents, Pictures or entries falling within a specific date range are of critical importance,
Prioritization may be used to implement multiple stages of processing. When specified, prioritized artifacts are processed
in a first stage, and are made available for examination once all prioritized artifacts are processed. When all artifacts in the
first stage have been processed, all other artifacts are processed in a second stage.
File Signature Analysis
A common technique for masking data is to rename a file and change its extension. For example, image files might be
renamed so that they look like dynamic-link library files. Signature analysis verifies file type by comparing the file headers,
or signature, with the file extension.
The signature analysis process flags all files with signature-extension mismatches according to its File Types tables.
Signature analysis is always enabled so that it can support other Evidence Processor operations.
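The check described above, as an added example that is not EnCase code: a small, constructed "File Types" table maps extensions to magic-byte prefixes, and each entry is classified by comparing its header against the table. The status names ("match", "mismatch", "unknown signature", "unknown") are this example's own, as are the sample entries.

```python
# Added example (not EnCase code): flag signature/extension mismatches the way a
# File Types table drives signature analysis. The table is constructed and tiny;
# a real tool ships thousands of entries.
import os

# Constructed table: extension -> accepted magic-byte prefixes.
FILE_TYPES = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".pdf":  [b"%PDF-"],
    ".zip":  [b"PK\x03\x04"],
    ".dll":  [b"MZ"],
    ".exe":  [b"MZ"],
}


def types_for_header(header: bytes) -> set:
    """All extensions whose signature matches the start of the file content."""
    return {ext for ext, magics in FILE_TYPES.items()
            if any(header.startswith(m) for m in magics)}


def signature_status(name: str, header: bytes) -> str:
    """Classify one entry. Status names are this example's own, not EnCase's."""
    ext = os.path.splitext(name)[1].lower()
    matched = types_for_header(header)
    if ext in matched:
        return "match"               # header agrees with the extension
    if matched:
        # header is a known type but the name claims another: e.g. a JPEG named .dll
        return "mismatch"
    if ext in FILE_TYPES:
        return "unknown signature"   # extension is known, header is not
    return "unknown"                 # neither side is in the table


def flag_mismatches(entries):
    """entries: iterable of (name, first_bytes). Returns only the suspicious ones."""
    flagged = []
    for name, head in entries:
        status = signature_status(name, head)
        if status == "mismatch":
            flagged.append((name, status))
    return flagged


# Constructed sample entries: (name, first bytes of content).
SAMPLE_ENTRIES = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("photo.dll", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # JPEG renamed to look like a DLL
    ("setup.exe", b"MZ\x90\x00\x03\x00"),
    ("notes.txt", b"meeting notes"),
    ("backup.zip", b"\x89PNG\r\n\x1a\n"),              # PNG renamed to look like an archive
]

if __name__ == "__main__":
    for name, head in SAMPLE_ENTRIES:
        print(f"{name:12s} {signature_status(name, head)}")
```

Only the first few bytes of each entry are read, so the check costs one small read per file regardless of size; that is why it can run unconditionally ahead of the other operations.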
Protected File Analysis
Protected file analysis uses Passware Forensic technology to identify and classify protected files. The strength of the
protection is stored so that you can try to decrypt weaker passwords with Passware Forensic before addressing files with
more complex protection.
Thumbnail Creation
When you select the Thumbnail creation option, the Evidence Processor creates thumbnail records for all image files in the
selected evidence. This facilitates image browsing.
Hash Analysis
A hash is a digital fingerprint of a file or collection of data, commonly represented as a string of binary data written in
hexadecimal notation. In EnCase, it is the result of a hash function run against any mounted drive, partition, file, or chunk
of data. The most common uses for hashes are to:
• Identify when a chunk of data changes, which frequently indicates evidence tampering
• Verify that data has not changed, in which case the hash should be the same both before and after the verification
• Compare a hash value against a library of known good and bad hashes, seeking a match.
The Evidence Processor supports calculation of MD5 and SHA1 hashes.
Recommendation
Guidance Software recommends that you calculate hash values. This enables exclusion of known hashes from Indexing
and Keyword search, speeding up overall processing time.
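The hash-then-exclude workflow of the Hash Analysis section and the recommendation above, as an added example that is not EnCase code: MD5 and SHA1 are computed in one chunked pass over each entry, and each entry is then routed to a known-bad alert, a known-good exclusion, or the indexing queue. The hash libraries and in-memory "files" are constructed; the one digest placed in the known-bad set is simply SHA1 of the empty input, used as a stand-in.

```python
# Added example (not EnCase code): MD5/SHA1 hashing in fixed-size chunks, then
# triage against constructed known-good and known-bad hash sets so that known
# files can be excluded from later indexing and keyword search.
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB chunks, so a large entry is never held in memory whole


def hash_entry(stream) -> dict:
    """Compute MD5 and SHA1 in a single pass over a binary file-like object."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data."""
    return hash_entry(io.BytesIO(data))


def triage(entries, known_good, known_bad) -> dict:
    """
    entries: iterable of (name, binary file-like). known_good / known_bad: sets of
    hex digests in either algorithm. Known-bad is checked first so that a hash
    present in both libraries is alerted on rather than silently excluded.
    """
    out = {"alert": [], "exclude": [], "index": []}
    for name, stream in entries:
        h = hash_entry(stream)
        digests = {h["md5"], h["sha1"]}
        if digests & known_bad:
            out["alert"].append((name, h))
        elif digests & known_good:
            out["exclude"].append((name, h))
        else:
            out["index"].append((name, h))
    return out


# Constructed sample data: in-memory "files" and two tiny hash libraries.
SAMPLE_ENTRIES = [
    ("abc.txt", io.BytesIO(b"abc")),
    ("empty.bin", io.BytesIO(b"")),
    ("memo.txt", io.BytesIO(b"quarterly numbers")),
]
KNOWN_GOOD = {"900150983cd24fb0d6963f7d28e17f72"}           # MD5("abc")
KNOWN_BAD = {"da39a3ee5e6b4b0d3255bfef95601890afd80709"}    # SHA1(""), a constructed stand-in

if __name__ == "__main__":
    result = triage(SAMPLE_ENTRIES, KNOWN_GOOD, KNOWN_BAD)
    for bucket, items in result.items():
        for name, h in items:
            print(f"{bucket:8s} {name:10s} md5={h['md5']} sha1={h['sha1']}")
```

Only the "index" bucket needs to go on to indexing and keyword search, which is where the time saving the recommendation describes comes from; the known-good exclusions are still recorded with their digests so the exclusion itself is auditable.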
Expand Compound Files
For archive files, Expand Compound Files extracts compressed or archived files, and processes them according to the
selected Evidence Processor settings. This includes nested archive files or zip files within a zip file. For example, if the
Thumbnail Creation module is selected with Expand Compound files, any Thumbnails residing within expanded archives
will also have thumbnails created.
Find Email
Select this setting to extract individual messages and attachments from email archives. Find Email supports the following
email types:
• PST (Microsoft Outlook)
• NSF (Lotus Notes)
• DBX (Microsoft Outlook Express)
• EDB (Microsoft Exchange)
• AOL
• MBOX
• EMLX (Apple Mail)
This setting prepares email archives for the use of email threading and related EnCase email functionality during case
analysis. After extraction is completed, EnCase analyzes the messages and component files extracted from the email
archives according to the other Evidence Processor settings you selected.
Find Internet Artifacts
This setting identifies internet artifacts, such as browser histories and cached Web pages. You can optionally examine
unallocated space for artifacts, as well.
Search for Keywords
Keywords are text strings or search expressions created to find matching text within entries in a body of evidence. A
search expression can be a GREP expression, containing variables, and it can be flagged to be case sensitive, a whole word
search, or other options. You can also associate a particular codepage to use with a keyword. Keyword searches created
and conducted from within the Evidence Processor are stored with the device’s evidence cache files, and can be used with
any number of cases. Keyword searches that are not initiated from the Evidence Processor are stored with the case and
are case-specific.
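The keyword options described above (case sensitivity, whole word, GREP expressions and a per-keyword codepage) applied to raw bytes, as an added example that is not EnCase code. It assumes two fixed-width codepages, latin-1 (one byte per character) and utf-16-le (two bytes per code unit), so that a hit in the decoded text maps straight back to a byte offset; a UTF-16 string sitting at an odd offset is handled by decoding at every alignment. The sample buffer is constructed.

```python
# Added example (not EnCase code): keyword search over raw bytes with
# case-sensitive, whole-word, GREP and codepage options.
import re

CODEPAGE_WIDTH = {"latin-1": 1, "utf-16-le": 2}   # assumed fixed-width codepages


def build_pattern(keyword, grep=False, case_sensitive=False, whole_word=False):
    """A plain keyword is escaped; a GREP keyword is used as a regular expression."""
    body = keyword if grep else re.escape(keyword)
    if whole_word:
        body = r"(?<!\w)(?:" + body + r")(?!\w)"
    return re.compile(body, 0 if case_sensitive else re.IGNORECASE)


def decode_fixed_width(buf: bytes, codepage: str) -> str:
    """Decode so that character index * width is always the byte offset."""
    if codepage == "utf-16-le":
        # One character per 16-bit code unit (lone surrogates kept as-is), so a
        # surrogate pair never collapses four bytes into one character.
        n = len(buf) - len(buf) % 2
        return "".join(chr(int.from_bytes(buf[i:i + 2], "little")) for i in range(0, n, 2))
    return buf.decode("latin-1")   # latin-1 maps every byte to exactly one character


def search_raw(buf: bytes, keyword: str, codepages=("latin-1", "utf-16-le"), **opts):
    """Return sorted (byte_offset, codepage, matched_text) hits."""
    pat = build_pattern(keyword, **opts)
    hits = []
    for cp in codepages:
        width = CODEPAGE_WIDTH[cp]
        for shift in range(width):            # every alignment for multi-byte codepages
            text = decode_fixed_width(buf[shift:], cp)
            for m in pat.finditer(text):
                hits.append((shift + m.start() * width, cp, m.group(0)))
    return sorted(hits)


# Constructed sample: 8-bit text, then UTF-16 text starting at an odd offset (15),
# then a word that should fail a whole-word search.
SAMPLE = (b"xxx invoice yyy"
          + "Some INVOICE text".encode("utf-16-le")
          + b" invoices")

if __name__ == "__main__":
    for hit in search_raw(SAMPLE, "invoice", whole_word=True):
        print(hit)
    for hit in search_raw(SAMPLE, r"inv[o0]ice", grep=True):
        print(hit)
```

With whole_word set, the search reports exactly two hits, at byte 4 (latin-1) and byte 25 (utf-16-le); dropping whole_word with the GREP pattern adds the "invoices" hit at byte 50.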
Index Text and Metadata
Creating an index allows you to quickly search for terms in a variety of ways. Since the Evidence Processor is recursive, all
files, emails, and module output are indexed, including such EnScript modules as the IM Parser and System Info Parser. The
advantage of having these items indexed is that you will later be able to search across all types of information and view results
in email, files, smartphones, and any other processed data in one search results view.
Compared to keyword searches, which search raw text as it exists on disk, index searches search the content and
metadata for file system entries, records, and other artifacts on the device.
Index Personal Information
When creating an index of case data, select Personal Information to additionally identify and include the following
personal information types.
• Credit cards
• Phone numbers
• Email addresses
• Social security numbers
Index Text in Slack and Unallocated Space
As you select options for indexing evidence such as files and emails, you can choose to include text identified in RAM slack,
file slack, disk slack, and unallocated space.
Run EnScript Modules
The EnCase Evidence Processor has the ability to run add-in modules during evidence processing. Some modules ship as
part of EnCase, and you can also add your own EnScript packages. The Evidence Processor supports the following EnScript
Modules.
System Info Parser
The System Information Parser module identifies hardware, software, and user information from Windows and Linux
computers. This module automatically detects the operating system present on the device, and collects specified artifacts
describing the machine.
IM Parser
The IM Parser module searches for Instant Messenger artifacts from MSN, Yahoo, and AOL Instant Messenger clients.
These artifacts include messages and buddy list contents. It also allows you to select where to search from several general
location categories.
File Carver
The File Carver module searches evidence for file fragments based on a specific set of parameters, such as known file size
and file signature. File Carver may examine unallocated space, as well as search for file fragments anywhere on the disk.
The File Carver generates a report of carved files on disk by default and can optionally be configured to export carved
artifacts to disk for external review or production.
Windows Event Log Parser
This module parses .evt and .evtx files for Windows Event Logs, and also allows for processing by condition.
Windows Artifact Parser
The Windows Artifact Parser searches for common Windows operating system artifacts of potential forensic value, and
parses them through a single module. Artifacts of interest include Link files, Recycle Bin artifacts, and MFT transaction logs.
With these artifacts, you can elect to search unallocated, all files, or selected files.
OS X Artifact Parser
The OS X Artifact Parser searches for common OS X operating system artifacts of potential forensic value, and parses
them through a single module. Artifacts of interest include XML and binary property lists and Apple System Log files. The OS X
Artifact Parser collects and parses artifacts on user accounts, recently opened files, as well as operating system installation
and configuration information.
UNIX Login
This module parses files with the names “wtmp” and “utmp,” but also allows for processing by condition.
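A parser for the wtmp/utmp records the module above handles, with a simple "process by condition" filter, as an added example that is not EnCase code. It assumes the 384-byte glibc struct utmp layout used on 64-bit Linux (other UNIX variants lay the record out differently), and the sample file content is constructed with the same packing routine; a truncated trailing record is dropped rather than guessed at.

```python
# Added example (not EnCase code): parse wtmp/utmp records and select them by
# condition. The record layout is an assumption: glibc's struct utmp on 64-bit
# Linux, 384 bytes, little-endian.
import struct
from datetime import datetime, timezone

# ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# ut_exit(h,h) ut_session(i) ut_tv(i,i) ut_addr_v6[4](4i) __unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(field: bytes) -> str:
    """NUL-terminated fixed-width field to text."""
    return field.split(b"\x00", 1)[0].decode("latin-1")


def parse_utmp(data: bytes) -> list:
    """Parse whole records only; a partial record at the end is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _ut_id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "offset": off,
            "type": UT_TYPES.get(ut_type, f"UNKNOWN({ut_type})"),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def select(records, **cond):
    """Keep records whose fields equal every condition, e.g. select(r, user="alice", type="USER_PROCESS")."""
    return [r for r in records if all(r.get(k) == v for k, v in cond.items())]


def pack_record(ut_type, pid, line, user, host, tv_sec) -> bytes:
    """Build one record with the assumed layout (used here to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp: a boot, two logins, one logout, plus 10 stray trailing bytes.
SAMPLE_WTMP = (pack_record(2, 0, "~", "reboot", "5.15.0", 1700000000)
               + pack_record(7, 1201, "pts/0", "alice", "10.0.0.5", 1700000100)
               + pack_record(7, 1340, "pts/1", "bob", "10.0.0.9", 1700000200)
               + pack_record(8, 1201, "pts/0", "", "", 1700000300)
               + b"\x00" * 10)

if __name__ == "__main__":
    for r in select(parse_utmp(SAMPLE_WTMP), type="USER_PROCESS"):
        print(r["time"].isoformat(), r["user"], r["line"], r["host"])
```

Pairing each USER_PROCESS record with the later DEAD_PROCESS record on the same line (pts/0 above) gives session duration; the example leaves that join to the caller, since the module's job is to expose the records for conditions to run over.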
Linux Syslog Parser
This module parses the Linux system log files, which have different names and locations, depending upon the type of Linux
used.
HARDWARE AND CONFIGURATION RECOMMENDATIONS
Following are the recommended specifications for a computer that will be performing processing with the Evidence
Processor or the standalone EnCase Processor. If you have the ability to exceed these specifications, the recommendation
is to increase the speed of the Primary Evidence Cache.
Component           Specifications
Memory              16GB
Storage Drives      Drive 1: Operating System and page file
                    Drive 2: Evidence
                    Drive 3: Primary Evidence Cache
CPU                 Intel i7 Quad-core
Operating System    Windows 7 (64-bit) or Windows Server 2008 R2 (64-bit)
GET GUIDANCE
As regulators increase their expectations about each enterprise’s abilities to investigate events, you must ensure you are
prepared when an investigation is required. A common investigation infrastructure built on EnCase Enterprise will stand up
to the scrutiny of your regulators, auditors, and legal system while reducing the cost and risks of compliance investigations.
Enabling the three capabilities required by the major compliance regulations and frameworks—policies, tools, and response
tactics—EnCase Enterprise makes it easier to perform consistent and reliable investigations. You can deploy it overtly, to
show due care and encourage compliance, or covertly, to perform silent analysis on demand. As it enhances, structures,
and documents the procedures in each investigation, it frees your limited resources to handle the analysis and interviews
that require the human touch.
ABOUT GUIDANCE
Guidance exists to turn chaos and the unknown into order and the known, so that companies and their
customers can go about their daily lives as usual without worry or disruption, knowing their most valuable
information is safe and secure. The makers of EnCase®, the gold standard in forensic security, Guidance
provides a mission-critical foundation of market-leading applications that offer deep 360-degree visibility
across all endpoints, devices and networks, allowing proactive identification and remediation of threats. From
retail to financial institutions, our field-tested and court-proven solutions are deployed on an estimated 33
million endpoints at more than 70 of the Fortune 100 and hundreds of agencies worldwide, from beginning to
endpoint.
Guidance Software®, EnCase®, EnForce™ and Tableau™ are trademarks owned by Guidance Software and may not be used
without prior written permission. All other trademarks and copyrights are the property of their respective owners.