As a forensic examiner, you rely on a variety of tools to conduct your investigations. The types and needs of every case vary, often making it necessary to use more than one tool to find what you’re looking for. Depending on the scenario, investigators need to use the tools that will enable them to work through cases thoroughly and efficiently.
A lot of investigators are using EnCase®, by Guidance Software, as their primary forensic suite. EnCase is a great tool because it’s versatile and can recover data in almost any type of investigation you are working with. Whether it’s a network intrusion, malware outbreak, missing persons, child exploitation, or IP theft case, EnCase enables investigators to examine many types of computers and media.
Internet Evidence Finder (IEF) has become a valuable tool for cases involving the analysis of Internet evidence and/or large volumes of data. IEF is specifically developed to intelligently recover Internet related artifacts from Windows, Mac, Linux, iOS, and Android devices, allowing investigators to analyze large amounts of case data quickly and efficiently.
EnCase and IEF are both excellent tools to have in your toolkit. One of the major challenges faced by forensic investigators is knowing where to begin an investigation. Using EnCase and IEF together allows you to maximize the benefits of both tools: the versatility of EnCase and the simplicity, speed and comprehensiveness of IEF.
Here are the top six reasons to use EnCase and IEF together to get the best results for your investigations:
1) Start Your Digital Forensics Investigation with a Comprehensive Set of Evidence
IEF automates the recovery of data from hundreds of the most commonly used and evidence-rich applications, quickly providing you with a bird’s-eye view of a suspect’s activity on a system. With EnCase, investigators can target their searches and zero-in on specific areas of interest. Combining your IEF search with the processing tasks of EnCase will provide you with the most comprehensive data set of evidence to start your analysis.Here’s a popular workflow used by many EnCase and IEF users:
- Obtain your image
- Run an IEF search to uncover commonly used artifacts and evidence
- Load that data into EnCase to conduct a more granular search while validating IEF’s results
- Export or report results in different formats from either tool.
2) Analyze Results from Both Tools Together
EnCase allows investigators to search and sort many different types of data using multiple views (i.e. Hex, text, files and folders, or native viewers). We have created several EnScripts® that allow investigators to seamlessly run IEF from within EnCase, or load the results from an IEF search directly into EnCase. In doing so, you can take advantage of the strengths of both tools to maximize the collection of your evidence.3) Recover Evidence from New and Updated Applications
Applications are constantly emerging and changing. Each new system or app update has the potential to completely change an investigator’s workflow and his or her ability to recover the right evidence. Support for favorite forensic tools is crucial in being able to stay on top of the most recent updates.IEF stays on top of these changes with frequent software updates so that you aren’t missing out on valuable evidence. Having a dedicated team to seek out the most popular apps and maintain support for them is essential to many investigations, especially those involving mobile devices and applications. With EnCase, there is a ton of support that comes from their community of users. Since EnScripts can be created by anyone, EnCase users are often able to develop new scripts to support changes in applications and share them with other users.
With the help of both IEF and EnCase, investigators can make sure they stay on top of new and updated applications.
4) Share Evidence Easily and Collaborate with Case Stakeholders
Both IEF and EnCase provide investigators with reporting flexibility, offering various exporting formats to accommodate different reporting requirements and processes defined by your organization. Whether you’re looking for a full HTML report, or a simple CSV file for additional analysis, both tools allow you to export in various formats, meaning you can easily integrate your data sets.Since IEF and EnCase are well integrated with various EnScript options, you can choose to export your data from whichever tool or format you prefer. They both also support collaborative work using portable cases that can be shared among investigators, analysts or other stakeholders. This allows others to add their own bookmarks, tags, or comments to a case and then pass that information back and forth throughout an investigation.
5) Visualize Evidence to See the Whole Story
Visual representations of evidence often tell the most compelling story. EnCase has many viewing options, while IEF allows you to visualize much of the data it finds by using timelines, geolocation mapping, and even chat message threading.With EnCase, investigators can view search results in Hex, text, files and folders, or native viewer formats to identify potential evidence quickly. The various viewing options make it easy for investigators to review results in the format that makes the most sense for them and their case.
IEF offers a number of visualization tools that allow investigators to analyze and present their evidence in a visually compelling format. Timelines enable investigators to map out a suspect’s activity over a period of time. Showing the activities of a user before and after an incident, investigators can often demonstrate a suspect’s state of mind or intent. Other IEF visualization tools include World Map, which plots recovered GPS or geolocation data on a map, and Chat Threading, which allows investigators to view chat conversation in a format similar to how the suspect or victim would have viewed the conversation on their mobile device.
IEF and EnCase both have excellent viewing and visualization tools available to assist investigators. In using these tools together, investigators will get the best of both worlds when it comes to reviewing recovered data.
6) Understand a Suspect’s Activity across Multiple Devices
Modern forensic investigations will often include multiple PCs and mobile devices. The traditional process of analyzing a PC and mobile device separately no longer works. Analyzing evidence separately breaks up the user’s activity, which can be very difficult when trying to piece together a timeline of events. For example, when analyzing a suspect’s browser activity, it shouldn’t matter whether they browsed using their PC or mobile device. Combining IEF’s mobile analysis capabilities with your traditional PC analysis in EnCase will allow you to see the best of both worlds.If the evidence is analyzed together, investigators will save time and have a more holistic view into a suspect’s activity. The primary goal of your investigation should focus on the suspect’s actions, not their devices.
Caseloads for examiners are growing far beyond anything manageable with manual tools and traditional forensic processes. Investigators must find a way to maximize their time and energy by accelerating their investigations without compromising on quality. Finding ways to work smarter, not harder, is essential to keep up with the increasing workload. Tools like IEF and EnCase allow investigators to maximize their analysis time and minimize time spent on repetitive tasks.
Please comment below or let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.
No comments :
Post a Comment