Guidance Software | Whitepaper
EnCase® Processor
Hardware and Configuration Recommendations
Guidance Software | WP | EnCase® Processor | 2-2012
EnCase® Processor | Hardware and Configuration Recommendations
With the EnCase® Evidence Processor, forensic examiners can run a collection of powerful analytic tools
against evidence in a single automated session. While running this multi-threaded process, the Evidence
Processor optimizes the order and combinations of processing operations.
Examiners can work on other aspects of their case while the Evidence Processor, running unattended,
processes data. The output of the Evidence Processor is stored, per device, on disk instead of memory, so that
multiple devices can be processed simultaneously across several computers, and brought together later for a
case, without the data commingling.
The Evidence Processor contains numerous useful features:
• Acquiring devices directly from the Evidence Processor
• Processing, with limited options, local and network previews without acquiring the devices
• Saving sets of Evidence Processor options as templates to be run with little or no
modification later
• On-screen instructions that guide you through the use of each setting
• Automatic processing of the results from any current EnScript modules, according to the
current processor settings (Index, Keyword search, etc.)
Guidance Software recommends running the Evidence Processor after performing an initial triage of your
evidence, validating the data for browsing, and setting the time zones.
Evidence Processor Options
Recovering Folders
Recover Folders attempts to recover files from FAT and NTFS volumes. This operation is particularly
useful when a drive has been reformatted or the MFT is corrupted.
File Signature Analysis
A common technique for masking data is to rename a file and change its extension. For example, image
files might be renamed so that they look like dynamic-link library files. Signature analysis verifies file
type by comparing the file headers, or signature, with the file extension.
The signature analysis process flags all files with signature-extension mismatches according to its File Types
tables. Signature analysis is always enabled so that it can support other Evidence Processor operations.
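As an added illustration, not code from the whitepaper or from EnCase, the following Python script performs the same header-versus-extension comparison against a small constructed File Types table; the table entries and the sample files (including the image renamed to look like a DLL) are constructed for the example.

```python
# Constructed File Types table: leading signature bytes, a type name, and the
# extensions that type legitimately uses. EnCase's own table is far larger.
FILE_TYPES = [
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (b"GIF87a", "GIF image", {"gif"}),
    (b"GIF89a", "GIF image", {"gif"}),
    (b"MZ", "Windows PE executable", {"exe", "dll", "sys"}),
    (b"%PDF-", "PDF document", {"pdf"}),
    (b"PK\x03\x04", "ZIP archive", {"zip", "docx", "xlsx", "jar"}),
]

def identify(header: bytes):
    """Return (type name, allowed extensions) for the longest matching signature, or None."""
    best = None
    for magic, name, exts in FILE_TYPES:
        if header.startswith(magic) and (best is None or len(magic) > len(best[0])):
            best = (magic, name, exts)
    return None if best is None else (best[1], best[2])

def analyse(filename: str, header: bytes) -> dict:
    """Classify one entry as match, mismatch (signature disagrees with extension) or unknown."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = identify(header)
    if found is None:
        return {"name": filename, "extension": ext, "signature": None, "status": "unknown"}
    type_name, allowed = found
    status = "match" if ext in allowed else "mismatch"
    return {"name": filename, "extension": ext, "signature": type_name, "status": status}

def flagged(entries):
    """Names of entries whose signature does not agree with their extension."""
    results = (analyse(name, header) for name, header in entries)
    return [r["name"] for r in results if r["status"] == "mismatch"]

# Constructed sample entries: only the first bytes of each file are needed.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("kernel32.dll", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),   # image renamed to look like a DLL
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("notes.txt", b"plain text, no signature"),
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        print(analyse(name, header))
    print("flagged:", flagged(SAMPLES))
```

A file with no table entry is reported as unknown rather than as a mismatch, so an incomplete table produces misses, not false flags.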
Protected File Analysis
Protected file analysis uses Passware’s toolkit to identify protected files. The strength of the protection
is stored so that you can try to decrypt weaker passwords before addressing files with more complex
protection.
Thumbnail Creation
When you select the Thumbnail creation option, the Evidence Processor creates thumbnail records for
all image files in the selected evidence. This facilitates image browsing.
Hash Analysis
A hash is a digital fingerprint of a file or collection of data, commonly represented as a string of binary
data written in hexadecimal notation. In EnCase, it is the result of a hash function run against any
mounted drive, partition, file, or chunk of data. The most common uses for hashes are to:
• Identify when a chunk of data changes, which frequently indicates evidence tampering
• Verify that data has not changed, in which case the hash should be the same both before
and after the verification
• Compare a hash value against a library of known good and bad hashes, seeking a match.
The Evidence Processor supports calculation of MD5 and SHA1 hashes.
Recommendation
Guidance Software recommends that you calculate hash values. This enables exclusion of known hashes
from Indexing and Keyword search, speeding up overall processing time.
Expand Compound Files
For archive files, Expand Compound Files extracts the compressed or archived files, and processes them
according to the other chosen Evidence Processor settings. This includes nested archive files or zip files
within a zip file.
Find E-mail
Select this setting to extract individual messages and attachments from e-mail archives. Find E-mail
supports the following e-mail types:
• PST (Microsoft Outlook)
• NSF (Lotus Notes)
• DBX (Microsoft Outlook Express)
• EDB (Microsoft Exchange)
• AOL
• MBOX
This setting prepares e-mail archives for the use of e-mail threading and related EnCase e-mail
functionality during case analysis. After extraction is completed, EnCase analyzes the messages and
component files extracted from the e-mail archives according to the other Evidence Processor settings
you selected.
Find Internet Artifacts
This setting identifies internet artifacts, such as browser histories and cached Web pages. You can
optionally examine unallocated space for artifacts, as well.
Search for Keywords
Keywords are text strings or search expressions created to find matching text within entries in a body
of evidence. A search expression can be a GREP expression, containing variables, and it can be flagged
to be case sensitive, a whole word search, or other options. You can also associate a particular codepage
to use with a keyword. Keyword searches created and conducted from within the Evidence Processor
are stored with the device’s evidence cache files, and can be used with any number of cases. Keyword
searches that are not initiated from the Evidence Processor are stored with the case and are case-specific.
Index Text and Metadata
Choose this selection to create a searchable index of the data in the evidence. Creating an index allows you to
quickly search for terms in a variety of ways. Since the Evidence Processor is recursive, all files, e-mails, and
module output are indexed, including such EnScript modules as the IM Parser and System Info Parser. The
advantage of having these items indexed is that you will later be able to search across all types of information
and view results in e-mail, files, smartphones, and any other processed data in one search results view.
You can adjust parameters for index creation, such as the minimum word length to index, or whether to
use a noise file (a file containing specific words to ignore). Compared to keyword searches, which search
on the raw text, index searches search the content and metadata for files on the device.
Index Personal Information
When creating an index of case data, select Personal Information to identify and include the following
personal information types:
• Credit cards
• Phone numbers
• E-mail addresses
• Social security numbers
Index Text in Slack and Unallocated Space
As you select options for indexing evidence such as files and e-mails, you can choose to include text
identified in RAM slack, file slack, disk slack, and unallocated space.
Recommendation
Guidance Software recommends that you enable “Index using East Asian script support.” This eliminates useless
Unicode strings comprised of characters from various Asian character sets that cannot be in the same word. This
processing takes some additional time, but it keeps the index smaller, which shortens overall processing time.
Additionally, use hash sets to exclude known files (such as operating system files) from being indexed.
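An added Python example, not part of the whitepaper or of EnCase, that ties together the indexing settings described above (minimum and maximum word length, a noise file, MD5/SHA1 hashing) with the recommendation to skip files whose hashes appear in a known-file hash library. The hash library, noise list and sample evidence items are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Index settings constructed to mirror the whitepaper's test configuration.
MIN_WORD_LEN = 3
MAX_WORD_LEN = 64
NOISE_WORDS = {"the", "and", "for", "with", "this", "that"}   # stands in for the noise file

def md5_sha1(data: bytes):
    """MD5 and SHA1 hex digests, the two algorithms the Evidence Processor calculates."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def tokenize(text: str):
    """Yield indexable words: inside the length limits and not in the noise file."""
    for word in re.findall(r"\w+", text.lower()):
        if MIN_WORD_LEN <= len(word) <= MAX_WORD_LEN and word not in NOISE_WORDS:
            yield word

def build_index(items, known_md5):
    """items: (name, bytes) pairs. Returns (inverted index, skipped names, total words, unique words)."""
    index = defaultdict(set)
    skipped, total = [], 0
    for name, data in items:
        md5, _sha1 = md5_sha1(data)
        if md5 in known_md5:              # "Skip known items in hash library"
            skipped.append(name)
            continue
        for word in tokenize(data.decode("utf-8", "replace")):
            index[word].add(name)
            total += 1
    return dict(index), skipped, total, len(index)

def search(index, term: str):
    """Names of items containing the term, answered from the index rather than the raw text."""
    return sorted(index.get(term.lower(), ()))

# Constructed sample evidence: one operating-system file and two user documents.
OS_FILE = b"Microsoft Windows system library, identical on every machine"
ITEMS = [
    ("kernel32.dll", OS_FILE),
    ("memo.txt", b"The meeting with the vendor is at noon and the contract is signed"),
    ("notes.txt", b"Vendor contract review"),
]
# Constructed known-file library; in practice this comes from a hash set such as the NIST NSRL.
KNOWN_MD5 = {md5_sha1(OS_FILE)[0]}

if __name__ == "__main__":
    index, skipped, total, unique = build_index(ITEMS, KNOWN_MD5)
    print(f"skipped={skipped} total_words={total} unique_words={unique}")
    print("vendor ->", search(index, "vendor"))
```

The total and unique word counts returned are the same two figures the performance table below reports per evidence file, so the example also shows why excluding known files and noise words keeps both numbers, and therefore the index, smaller.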
Run EnScript Modules
The EnCase Evidence Processor has the ability to run add-in modules during evidence processing.
Some modules ship as part of EnCase, and you can also add your own EnScript packages. The Evidence
Processor supports the following EnScript Modules.
System Info Parser
The System Information Parser module identifies hardware, software, and user information from
Windows and Linux computers. This module automatically detects the operating system present on the
device, and then collects the specified artifacts.
IM Parser
The IM Parser module searches for Instant Messenger artifacts from MSN, Yahoo, and AOL Instant
Messenger clients. These artifacts include messages and buddy list contents. It also allows you to select
where to search from several general location categories.
File Carver
The File Carver module searches evidence for file fragments based on a specific set of parameters, such
as known file size and file signature. It can also examine unallocated space, as well as search for file
fragments anywhere on the disk. The File Carver generates a report of carved files on disk by default.
Windows Event Log Parser
This module parses .evt and .evtx files for Windows Event Logs, and also allows for processing by condition.
Windows Artifact Parser
The Windows Artifact Parser searches for common Windows operating system artifacts of potential
forensic value, and parses them through a single module. Artifacts of interest include Link files, Recycle
Bin artifacts, and MFT transaction logs. With these artifacts, you can elect to search unallocated, all
files, or selected files.
UNIX Login
This module parses files with the names “wtmp” and “utmp,” but also allows for processing by condition.
Linux Syslog Parser
This module parses the Linux system log files, which have different names and locations, depending
upon the type of Linux used.
EnCase Processor Hardware Recommendations
Following are the recommended specifications for a computer that will be performing processing with
the Evidence Processor or the standalone EnCase Processor. If you have the ability to exceed these
specifications, the recommendation is to increase memory.
Component          Specifications
Memory             16GB
Storage Drives     Drive 1: Operating System and page file
                   Drive 2: Evidence
                   Drive 3: Primary Evidence Cache. This drive should be as fast as possible
CPU                Quad-core i7
Operating System   Windows 7 (64-bit) or Windows Server 2k8 R2 (64-bit)
Evidence Processor Performance Samples
Following are several processing results in which different evidence files were processed using a computer
that met the recommended specifications. The following Evidence Processor configuration was used for
each sample.
Evidence Processor settings for tests
Processor Task            Status     Other Settings (If Any)
Recover Folders           Enabled
File signature analysis   Enabled
Protected file analysis   Enabled
Hash analysis             Enabled    MD5 and SHA1 enabled
Expand compound files     Enabled    Archived enabled
Find e-mail               Enabled    All e-mail types enabled
Find internet artifacts   Enabled    Search unallocated space for internet artifacts disabled
Search for keywords       Disabled
Index Text and Metadata   Enabled    Default noise file used
                                     Minimum word length: 3
                                     Maximum word length: 64
                                     Skip known items in hash library disabled
                                     Skip all items in hash library disabled
                                     Index using East Asian script support enabled
Modules                   Enabled    All modules with default settings enabled
Test Results
Evidence   Entries    Device     Artifacts   Evidence    Items       Unique Words   Total Words   Processing
Filename              Size (GB)  generated   File Size   Indexed     Indexed        Indexed       Time
                                             (GB)                    (Millions)     (Millions)    (hh:mm)
Ev 1        10,731    233           209       3.82        31,189      3.85           63.78         1:38
Ev 2       110,069    233         2,016      16.9        423,741     14.23          374.03         3:20
Ev 3       761,775    298        15,624      27.2      1,005,015     21.25          729.96        15:12
Test Results Observations
Device size is not the primary factor that affects the time it takes to process an evidence file; the main
factor is the number and type of entries. If Expand Compound Files or Find Email Archives are
selected, more files will be generated and processed.
In the table above, Artifacts generated specifies the number of email and archive files that were identified
and expanded for further processing. The Items indexed column shows the total number of items
indexed. This includes entries in the base evidence file, files in expanded archives, email messages and
attachments, internet history artifacts, and module results.
Tests showed that running the modules in their default configurations did not have a large impact on
the overall processing time. However, modifying these settings can have a large effect on performance.
For example, the File Carver module can take a much longer amount of time if all file types are selected.
If you are concerned about the effect of your module settings on overall processing time, you can run
modules with modified settings in subsequent processing jobs.
Get Guidance
As regulators increase their expectations about each enterprise’s abilities to investigate events, you must
ensure you are prepared when an investigation is required. A common investigation infrastructure
built on EnCase Enterprise will stand up to the scrutiny of your regulators, auditors, and legal system
while reducing the cost and risks of compliance investigations. Enabling the three capabilities required
by the major compliance regulations and frameworks—policies, tools, and response tactics—EnCase
Enterprise makes it easier to perform consistent and reliable investigations. You can deploy it overtly,
to show due care and encourage compliance, or covertly, to perform silent analysis on demand. As it
enhances, structures, and documents the procedures in each investigation, it frees your limited resources
to handle the analysis and interviews that require the human touch.
About Guidance Software (NASDAQ: GUID)
Guidance Software is recognized worldwide as the industry leader in digital investigative solutions.
Its EnCase® platform provides the foundation for government, corporate and law enforcement
organizations to conduct thorough, network-enabled, and court-validated computer investigations of
any kind, such as responding to e-discovery requests, conducting internal investigations, responding to
regulatory inquiries or performing data and compliance auditing - all while maintaining the integrity of
the data. There are more than 40,000 licensed users of the EnCase technology worldwide, the EnCase®
Enterprise platform is used by more than sixty percent of the Fortune 100, and thousands attend
Guidance Software’s renowned training programs annually. Validated by numerous courts, corporate
legal departments, government agencies and law enforcement organizations worldwide, EnCase
has been honored with industry awards and recognition from Law Technology News, KMWorld,
Government Security News, and Law Enforcement Technology.
For more information about Guidance Software, visit www.guidancesoftware.com.
This paper is provided as an informational resource only. The information contained in this document should not be
considered or relied upon as legal counsel or advice.
©2012 Guidance Software, Inc. All Rights Reserved. EnCase and Guidance Software are registered
trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and
may not be used without prior written permission. All other marks and brands may be claimed as the
property of their respective owners.