EnCase and NetClean Collaborate to Increase Investigator Efficiency

Johann Hofmann

We started working with Guidance Software in the USA and spoke to the company’s Product Manager Ken Mizota about how this made customers much more efficient.

“After looking at the capability of NetClean Analyze, we became very interested in working closely with NetClean. By allowing our tools to work together, we will be giving our customers valuable assistance,” says Mizota.

Guidance Software’s EnCase® tool is used for collecting, processing and analyzing forensic data. Because it’s an open platform, the company works with multiple suppliers of complementary products that use data from EnCase. But a software application that analyzes and categorizes images in as sophisticated a way as NetClean Analyze does is extremely valuable, he says.

“We’re seeing that it really solves problems for criminal investigators. They gain in efficiency and save time, which they really appreciate.”

Guidance Software’s customers typically use a large number of tools in their investigations, so it’s important that they are interoperable.

“Our aim is to make our customers’ lives easier, and without tools like NetClean Analyze and EnCase, investigators are not able to efficiently analyze and categorize the large volumes involved. They need the right tools for the job.”

Ken Mizota envisages several other applications for Analyze in the future.

“The great thing about NetClean Analyze is that it can also be used in other types of investigations involving images, which represent an increasingly important component.”

As examples, he mentions harassment cases or employee misuse of corporate resources for collecting pornographic images.

According to NetClean Analyze Product Manager Johann Hofmann, the main benefit of the alliance is that the forensic community now stands to gain a more seamless workflow between IT forensics and investigations of still and video images.

“We have a whole lot to learn from Guidance Software, which has been regarded as the gold standard in IT forensics for years. And with NetClean Analyze now emergent as the leader in technology for processing still and video images, we will be building a standard together.”

Guidance Software’s EnCase solution is used for digital investigations conducted by corporations and law-enforcement organizations worldwide. A total of 40,000 licenses are in use by corporate customers such as Symantec, General Electric, Coca-Cola and Pfizer, and the EnCase servlet is estimated to be deployed on over 20 million endpoints worldwide.

The “Shellshock” BASH Vulnerability and EnCase Products

Ken Basore

We know that our customers are concerned about the “Shellshock” BASH vulnerability and whether it affects our EnCase software, our Tableau hardware products, or any of our corporate systems. This is a legitimate concern, and because we have the utmost concern for your organizational and data security, we want to give you all the information you need regarding it. Below we address one by one the key areas that you may be wondering about.

SEC Whistleblower Awards Sound a Clarion Call to Action

Robert Bond

Boardroom failures, financial regulatory lapses, auditor and security analyst conflict of interest, unsatisfactory banking practices, and fraud compelled the passage of Sarbanes-Oxley in 2002 and Dodd-Frank in 2010, placing organizations under greater government scrutiny. The higher standards set by the legislation place enormous responsibility on organizations to be prepared to conduct their own internal investigations and to police themselves more effectively or face penalties and fines.

When the Dodd-Frank Act first passed, Peter Zeidenberg, a DLA Piper partner who worked as a federal prosecutor at the Department of Justice and the U.S. Attorney’s Office, remarked, “Most companies will have to deal with an internal investigation at some point. You’re very lucky if you don’t. In any large company, it’s hard to imagine that at some point in time there’s not going to be some suggestion or allegation of internal misconduct.”

EnCase and Python – Part 2

James Habben

In Part 1 of this post, I shared a method that lets you use Python scripts by configuring a file viewer in EnCase. We used Didier Stevens’ pdf-parser as an example. I also showed how EnScript could be used to greater effect by allowing us to capture the output of pdf-parser directly in a bookmark without having to manually copy and paste. Both of these techniques reduce effort by leveraging capabilities of both EnCase and the Python language.

In this post, I’ll take the same principles and apply them to an EnScript that provides a little more flexibility and functionality. Our goal is to have a GUI that gives you control over the exact functionality you want from the pdf-parser tool.

EnCase and Python - Part 1

James Habben

As a co-author and instructor for Guidance Software’s EnScript Programming course, I spend a lot of time teaching investigators in person around the globe. Investigators are faced with a dizzying variety of challenges. We work together in class, coming up with solutions that send EnCase off to do our bidding. EnCase and EnScript allow us to “bottle” the result of our efforts to share with other investigators (e.g. categorizing internet history, detecting files hidden by rootkits).

Python is used similarly. The interweb hosts great tools written in Python to accomplish all measures of tasks facing DFIR examiners. The community benefits from the hours of work that go into each and every .py that gets baked. It seemed to me that there should be a way for EnCase and Python to work together, so I put together a brief tutorial.