Guidance Software | Whitepaper
EnCase® Processor Hardware and Configuration Recommendations
Guidance Software | WP | EnCase® Processor | 2-2012

With the EnCase® Evidence Processor, forensic examiners can run a collection of powerful analytic tools against evidence in a single automated session. While running this multi-threaded process, the Evidence Processor optimizes the order and combinations of processing operations. Examiners can work on other aspects of their case while the Evidence Processor, running unattended, processes data. The output of the Evidence Processor is stored, per device, on disk rather than in memory, so that multiple devices can be processed simultaneously across several computers and brought together later for a case without the data commingling.

The Evidence Processor contains numerous useful features:
• Acquiring devices directly from the Evidence Processor
• Processing, with limited options, local and network previews without acquiring the devices
• Saving sets of Evidence Processor options as templates to be run with little or no modification later
• On-screen instructions that guide you through the use of each setting
• Automatic processing of the results from any current EnScript modules, according to the current processor settings (Index, Keyword search, etc.)

Guidance Software recommends running the Evidence Processor after performing an initial triage of your evidence, validating the data for browsing, and setting the time zones.

Evidence Processor Options

Recovering Folders
Recover Folders attempts to recover files from FAT and NTFS volumes. This operation is particularly useful when a drive has been reformatted or the MFT is corrupted.

File Signature Analysis
A common technique for masking data is to rename a file and change its extension. For example, image files might be renamed so that they look like dynamic-link library files.
Signature analysis verifies the file type by comparing the file header, or signature, with the file extension. The signature analysis process flags all files with signature-extension mismatches according to its File Types tables. Signature analysis is always enabled so that it can support other Evidence Processor operations.

Protected File Analysis
Protected file analysis uses Passware's toolkit to identify protected files. The strength of the protection is recorded so that you can attack weakly protected files first, before addressing files with more complex protection.

Thumbnail Creation
When you select the Thumbnail creation option, the Evidence Processor creates thumbnail records for all image files in the selected evidence. This facilitates image browsing.

Hash Analysis
A hash is a digital fingerprint of a file or collection of data, commonly represented as a string of binary data written in hexadecimal notation. In EnCase, it is the result of a hash function run against any mounted drive, partition, file, or chunk of data. The most common uses for hashes are to:
• Identify when a chunk of data changes, which frequently indicates evidence tampering
• Verify that data has not changed, in which case the hash should be the same both before and after the verification
• Compare a hash value against a library of known good and bad hashes, seeking a match
The Evidence Processor supports calculation of MD5 and SHA1 hashes. Both algorithms are collision-prone (an attacker who prepares a file in advance can produce a second file with the same hash), so treat a match against a hash library as an identification of a known file, and record both values when you later verify that acquired evidence is unchanged.

Recommendation
Guidance Software recommends that you calculate hash values. This enables exclusion of known hashes from Indexing and Keyword search, speeding up overall processing time.

Expand Compound Files
For archive files, Expand Compound Files extracts the compressed or archived files and processes them according to the other chosen Evidence Processor settings. This includes nested archives, such as zip files within a zip file.
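The File Signature Analysis and Hash Analysis sections above describe two checks that are easy to reproduce outside EnCase for a quick triage pass. The following Python script is an added example, not code from the whitepaper or from EnCase: its signature table is a small constructed subset (EnCase's File Types table is much larger), the sample files and the "known hash" library are constructed inline, and the function names are this example's own. It flags signature-extension mismatches, computes MD5 and SHA1 in a single pass, and drops items whose MD5 is in the known-file set from the list that would go on to indexing and keyword search, which is exactly the exclusion the Recommendation above relies on.

```python
# Added example (not part of the Guidance Software whitepaper and not EnCase
# code): signature-vs-extension check plus MD5/SHA1 known-hash exclusion.
# SIGNATURES is a constructed subset, not EnCase's File Types table; the
# sample files and KNOWN_MD5 set are constructed for this example.
import hashlib
import os

# (extension set, magic bytes) pairs for a handful of common types (assumed).
SIGNATURES = [
    ({"jpg", "jpeg"}, b"\xff\xd8\xff"),
    ({"png"}, b"\x89PNG\r\n\x1a\n"),
    ({"gif"}, b"GIF87a"),
    ({"gif"}, b"GIF89a"),
    ({"zip", "docx", "xlsx", "pptx", "jar"}, b"PK\x03\x04"),
    ({"exe", "dll", "sys"}, b"MZ"),
    ({"pdf"}, b"%PDF-"),
]

def signature_type(header: bytes):
    """Return the extension set whose magic bytes match the header, else None."""
    for exts, magic in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None

def signature_status(name: str, header: bytes) -> str:
    """Classify a file the way a signature analysis does:
    'match'    - extension agrees with the header signature
    'mismatch' - header is a known type but the extension says otherwise
    'unknown'  - header matches nothing in the table"""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    exts = signature_type(header)
    if exts is None:
        return "unknown"
    return "match" if ext in exts else "mismatch"

def hash_data(data: bytes, chunk_size: int = 1 << 20):
    """MD5 and SHA1 computed in one pass, chunked so a large item is read once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for off in range(0, len(data), chunk_size):
        block = data[off:off + chunk_size]
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def triage(files: dict, known_md5: set):
    """files: name -> content; known_md5: MD5 values of known (e.g. OS) files.
    Returns (to_index, findings): the items still needing indexing/keyword
    search after known-hash exclusion, and per-item hash/signature findings."""
    to_index, findings = [], {}
    for name, data in files.items():
        md5, sha1 = hash_data(data)
        findings[name] = {
            "md5": md5, "sha1": sha1,
            "signature": signature_status(name, data[:16]),
            "known": md5 in known_md5,
        }
        if md5 not in known_md5:
            to_index.append(name)
    return to_index, findings

# Constructed sample evidence: a JPEG renamed to look like a DLL, a PE stub,
# a PNG, and a text file the table does not recognise.
SAMPLE_FILES = {
    "system32/helper.dll": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    "system32/kernel32.dll": b"MZ\x90\x00" + b"\x00" * 60,
    "pictures/cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "notes.txt": b"meeting at 9\n",
}
# Constructed known-file library: pretend the PE stub is a known OS file.
KNOWN_MD5 = {hash_data(SAMPLE_FILES["system32/kernel32.dll"])[0]}

if __name__ == "__main__":
    to_index, findings = triage(SAMPLE_FILES, KNOWN_MD5)
    for name, f in findings.items():
        print(f"{name}: signature={f['signature']} known={f['known']} md5={f['md5']}")
    print("items to index:", to_index)
```

The renamed JPEG is reported as a mismatch because its header is checked, not its name; the known PE file is hashed but left out of the items to index. Only the first 16 bytes are passed to the signature check, which is enough for the table above but would need widening for formats whose signature sits at an offset.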
Find E-mail
Select this setting to extract individual messages and attachments from e-mail archives. Find E-mail supports the following e-mail types:
• PST (Microsoft Outlook)
• NSF (Lotus Notes)
• DBX (Microsoft Outlook Express)
• EDB (Microsoft Exchange)
• AOL
• MBOX
This setting prepares e-mail archives for the use of e-mail threading and related EnCase e-mail functionality during case analysis. After extraction is completed, EnCase analyzes the messages and component files extracted from the e-mail archives according to the other Evidence Processor settings you selected.

Find Internet Artifacts
This setting identifies internet artifacts, such as browser histories and cached Web pages. You can optionally examine unallocated space for artifacts as well.

Search for Keywords
Keywords are text strings or search expressions created to find matching text within entries in a body of evidence. A search expression can be a GREP expression, containing variables, and it can be flagged to be case sensitive, a whole-word search, or other options. You can also associate a particular codepage to use with a keyword. Keyword searches created and conducted from within the Evidence Processor are stored with the device's evidence cache files, and can be used with any number of cases. Keyword searches that are not initiated from the Evidence Processor are stored with the case and are case-specific.

Index Text and Metadata
Choose this selection to create a searchable index of the data in the evidence. Creating an index allows you to quickly search for terms in a variety of ways. Since the Evidence Processor is recursive, all files, e-mails, and module output are indexed, including the output of such EnScript modules as the IM Parser and System Info Parser.
The advantage of having these items indexed is that you will later be able to search across all types of information and view results from e-mail, files, smartphones, and any other processed data in one search results view. You can adjust parameters for index creation, such as the minimum word length to index, or whether to use a noise file (a file containing specific words to ignore). Compared to keyword searches, which search the raw text, index searches search the content and metadata of the files on the device.

Index Personal Information
When creating an index of case data, select Personal Information to identify and include the following personal information types:
• Credit cards
• Phone numbers
• E-mail addresses
• Social security numbers

Index Text in Slack and Unallocated Space
As you select options for indexing evidence such as files and e-mails, you can choose to include text identified in RAM slack, file slack, disk slack, and unallocated space.

Recommendation
Guidance Software recommends that you enable "Index using East Asian script support." This eliminates useless Unicode strings composed of characters from different Asian scripts that cannot occur in the same word. This processing takes some additional time, but it keeps the index smaller, which shortens overall processing time. Additionally, use hash sets to exclude known files (such as operating system files) from being indexed.

Run EnScript Modules
The EnCase Evidence Processor has the ability to run add-in modules during evidence processing. Some modules ship as part of EnCase, and you can also add your own EnScript packages. The Evidence Processor supports the following EnScript modules.

System Info Parser
The System Information Parser module identifies hardware, software, and user information from Windows and Linux computers. This module automatically detects the operating system present on the device, and then collects the specified artifacts.
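Two of the settings described above, Search for Keywords and Index Personal Information, both come down to running patterns over evidence text, and the details that matter in practice are the ones the paper only names: the codepage a keyword is searched in, the case-sensitivity and whole-word flags, and how to keep a personal-information scan from reporting every long digit run as a card number. The script below is an added example, not code from the whitepaper and not EnCase's search or index engine. The codepage names, the keyword option names, the pattern set and all sample data are assumptions made for this example. It decodes the evidence at every byte alignment of each codepage so that a UTF-16LE string stored at an odd offset is still found, and it applies the Luhn checksum to candidate card numbers.

```python
# Added example (not from the whitepaper and not EnCase's search engine): a
# GREP-style keyword search over raw evidence bytes honouring the options the
# Search for Keywords section lists (case sensitivity, whole word, codepage),
# and the four Index Personal Information types with a Luhn check so that
# random digit runs are not reported as card numbers. Codepage names, keyword
# option names and all sample data are assumptions made for this example.
import re

# Assumed: only fixed-width codepages, so (decoded character index * width)
# maps straight back to a byte offset (no surrogate pairs expected).
CODEPAGE_WIDTH = {"latin-1": 1, "cp1252": 1, "utf-16-le": 2}

def compile_keyword(kw: dict):
    """kw keys (assumed names): expr, grep, case_sensitive, whole_word."""
    pattern = kw["expr"] if kw.get("grep") else re.escape(kw["expr"])
    if kw.get("whole_word"):
        pattern = r"\b(?:%s)\b" % pattern
    return re.compile(pattern, 0 if kw.get("case_sensitive") else re.IGNORECASE)

def search_keywords(data: bytes, keywords, codepages=("latin-1", "utf-16-le")):
    """Return sorted (expr, codepage, byte_offset, matched_text) hits.
    Every codepage is decoded at each byte alignment of its code-unit width,
    so a UTF-16LE string that starts at an odd offset is still found."""
    hits = set()
    for kw in keywords:
        rx = compile_keyword(kw)
        for cp in codepages:
            width = CODEPAGE_WIDTH[cp]
            for align in range(width):
                text = data[align:].decode(cp, errors="replace")
                for m in rx.finditer(text):
                    hits.add((kw["expr"], cp, align + width * m.start(), m.group()))
    return sorted(hits)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # North American phone shapes only (assumption).
    "phone": re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    # SSA structural rules: area not 000/666/9xx, group not 00, serial not 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits with optional space/dash separators; Luhn applied below.
    "credit_card": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
}

def find_personal_info(text: str):
    """Return (type, value) pairs for the four personal-information types."""
    found = []
    for kind, rx in PII_PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group()
            if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # right length, but not a card number
            found.append((kind, value))
    return found

# Constructed sample evidence: ASCII log text, a UTF-16LE string at an odd
# byte offset (as Windows often stores strings), then more ASCII.
SAMPLE_DATA = (
    b"2012-02-01 09:14:03 login for user admin Password=Hunter2 ok\n"
    + "Copy to SECRET-share".encode("utf-16-le")
    + b"\n see passwords.txt and ask the secretary\n"
)
KEYWORDS = [
    {"expr": "password", "case_sensitive": False, "whole_word": True},  # not "passwords"
    {"expr": "SECRET", "case_sensitive": True, "whole_word": False},    # not "secretary"
    {"expr": r"hunter\d", "grep": True, "case_sensitive": False},
]
SAMPLE_TEXT = (
    "Contact: jane.doe@example.com or (555) 123-4567.\n"
    "Card on file: 4111 1111 1111 1111 (expires 12/25). Fake card: 1234 5678 9012 3456.\n"
    "SSN 123-45-6789; not an SSN: 000-12-3456. Order id 9876543210123.\n"
)

if __name__ == "__main__":
    for hit in search_keywords(SAMPLE_DATA, KEYWORDS):
        print("keyword hit:", hit)
    for kind, value in find_personal_info(SAMPLE_TEXT):
        print("personal info:", kind, value)
```

On the sample data the whole-word flag keeps "passwords.txt" out of the hits, the case-sensitive keyword ignores "secretary", and the UTF-16LE string is reported with the byte offset at which it actually sits. On the personal-information side the two digit runs that are not valid card numbers are dropped by the Luhn check, and the structurally impossible SSN is rejected by the pattern itself. The index-based search the paper contrasts with keyword search would run the same patterns over the already-extracted text and metadata rather than over raw bytes.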
IM Parser
The IM Parser module searches for Instant Messenger artifacts from MSN, Yahoo, and AOL Instant Messenger clients. These artifacts include messages and buddy list contents. It also allows you to select where to search from several general location categories.

File Carver
The File Carver module searches evidence for file fragments based on a specific set of parameters, such as known file size and file signature. It can examine unallocated space as well as search for file fragments anywhere on the disk. The File Carver generates a report of carved files on disk by default.

Windows Event Log Parser
This module parses .evt and .evtx Windows Event Log files, and also allows for processing by condition.

Windows Artifact Parser
The Windows Artifact Parser searches for common Windows operating system artifacts of potential forensic value, and parses them through a single module. Artifacts of interest include Link files, Recycle Bin artifacts, and MFT transaction logs. For these artifacts, you can elect to search unallocated space, all files, or selected files.

UNIX Login
This module parses files named "wtmp" and "utmp", and also allows for processing by condition.

Linux Syslog Parser
This module parses the Linux system log files, whose names and locations differ depending on the Linux distribution in use.

EnCase Processor Hardware Recommendations
Following are the recommended specifications for a computer that will be performing processing with the Evidence Processor or the standalone EnCase Processor. If you have the ability to exceed these specifications, the recommendation is to increase memory.

Component | Specification
Memory | 16 GB
Storage Drives | Drive 1: Operating System and page file; Drive 2: Evidence; Drive 3: Primary Evidence Cache (this drive should be as fast as possible)
CPU | Quad-core i7
Operating System | Windows 7 (64-bit) or Windows Server 2008 R2 (64-bit)

Evidence Processor Performance Samples
Following are several processing results in which different evidence files were processed using a computer that met the recommended specifications. The following Evidence Processor configuration was used for each sample.

Evidence Processor settings for tests
Processor Task | Status | Other Settings (If Any)
Recover Folders | Enabled |
File signature analysis | Enabled |
Protected file analysis | Enabled |
Hash analysis | Enabled | MD5 and SHA1 enabled
Expand compound files | Enabled | Archived enabled
Find e-mail | Enabled | All e-mail types enabled
Find internet artifacts | Enabled | Search unallocated space for internet artifacts disabled
Search for keywords | Disabled |
Index Text and Metadata | Enabled | Default noise file used; minimum word length: 3; maximum word length: 64; Skip known items in hash library disabled; Skip all items in hash library disabled; Index using East Asian script support enabled
Modules | Enabled | All modules enabled with default settings

Test Results
Evidence Filename | Entries | Device Size (GB) | Artifacts Generated | Evidence File (GB) | Items Indexed | Unique Words Indexed (Millions) | Total Words Indexed (Millions) | Processing Time (hh:mm)
Ev 1 | 10,731 | 233 | 209 | 3.82 | 31,189 | 3.85 | 63.78 | 1:38
Ev 2 | 110,069 | 233 | 2,016 | 16.9 | 423,741 | 14.23 | 374.03 | 3:20
Ev 3 | 761,775 | 298 | 15,624 | 27.2 | 1,005,015 | 21.25 | 729.96 | 15:12

Test Results Observations
Device size is not the primary factor that affects the time it takes to process an evidence file; the main factor is the number and type of entries. If Expand Compound Files or Find E-mail is selected, more files will be generated and processed.
In the table above, the Artifacts Generated column gives the number of e-mail and archive files that were identified and expanded for further processing. The Items Indexed column shows the total number of items indexed. This includes entries in the base evidence file, files in expanded archives, e-mail messages and attachments, internet history artifacts, and module results. Tests showed that running the modules in their default configurations did not have a large impact on the overall processing time. However, modifying these settings can have a large effect on performance. For example, the File Carver module can take much longer if all file types are selected. If you are concerned about the effect of your module settings on overall processing time, you can run modules with modified settings in subsequent processing jobs.

Get Guidance
As regulators increase their expectations about each enterprise's ability to investigate events, you must ensure you are prepared when an investigation is required. A common investigation infrastructure built on EnCase Enterprise will stand up to the scrutiny of your regulators, auditors, and legal system while reducing the cost and risks of compliance investigations. Enabling the three capabilities required by the major compliance regulations and frameworks (policies, tools, and response tactics), EnCase Enterprise makes it easier to perform consistent and reliable investigations. You can deploy it overtly, to show due care and encourage compliance, or covertly, to perform silent analysis on demand. As it enhances, structures, and documents the procedures in each investigation, it frees your limited resources to handle the analysis and interviews that require the human touch.
About Guidance Software (NASDAQ: GUID)
Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase® platform provides the foundation for government, corporate and law enforcement organizations to conduct thorough, network-enabled, and court-validated computer investigations of any kind, such as responding to e-discovery requests, conducting internal investigations, responding to regulatory inquiries or performing data and compliance auditing, all while maintaining the integrity of the data. There are more than 40,000 licensed users of the EnCase technology worldwide, the EnCase® Enterprise platform is used by more than sixty percent of the Fortune 100, and thousands attend Guidance Software's renowned training programs annually. Validated by numerous courts, corporate legal departments, government agencies and law enforcement organizations worldwide, EnCase has been honored with industry awards and recognition from Law Technology News, KMWorld, Government Security News, and Law Enforcement Technology. For more information about Guidance Software, visit www.guidancesoftware.com.

This paper is provided as an informational resource only. The information contained in this document should not be considered or relied upon as legal counsel or advice. ©2012 Guidance Software, Inc. All Rights Reserved. EnCase and Guidance Software are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners.