Transforming EnCase Endpoint Investigator to an Artifact-First Model
Lab
Session SC37
October 6, 2022 | Jeremy Fryd, Sr. Solutions Consultant, OpenText
Walker Johnson, Lead Solutions Consultant, OpenText
OpenText ©2022 All rights reserved 1
Artifact first
Today's EnCase stores and presents artifacts using an "evidence/folder/container/artifacts" model.
But in an "artifacts first", or artifact-centric, model, all artifacts across all evidence in the case are presented within a single, adaptive and customizable view.
This single view makes activities such as spatial analysis more seamless.
This session shows you how to improve the efficiency of your digital forensic investigations.
Agenda
• Artifact User Guide
• Snapshot
• System Info Parser
• Snapshot
• File Processor
• Analysis Browser
• Forensic Artifact Condition
• Processor
• Processor Node
• Parallel Processing
• Case Analyser
Resources
OpenText EnCase
EnCase Artifacts User Guide
Link > My Support
Artifacts First
Sweep Enterprise
Sweep Enterprise: 3 modules
System Info Parser
Recovers information from the Windows Registry, with the option to recover data from the live Registry in RAM:
• User accounts
• Hardware configuration
• System services
• Removable media
• Mapped drives
• Visited UNC paths
• Installed applications
Snapshot
Recovers basic operating system information and the volatile data:
• Open ports
• Open processes
• Open files
• Network users (and logged in user)
• Network interfaces
• Program instances
• ARP and DNS tables
File Processor
Automated file collection based on metadata, hash-analysis or raw keyword searching
Analysis Browser or Case Analyser
Analysis Browser will show the results.
Information is displayed in folders.
The Analysis Browser view may be accessed through another menu item: Tools->Case Analyzer
Sweep for artifacts first
Log in to EnCase
Password: Enfuse2022!
Choose EnScript->Sweep Enterprise
Select Create scan
Import Targets
Add target - choose either your own machine or xxxxxxxxx
Run Scan
Select System Info Parser and Snapshot
Select File Processor – Collect contents
Create a condition to collect prefetch
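The File Processor module described above collects files that satisfy a condition built from metadata, hash-analysis or raw keyword searching, and the last lab step creates such a condition for prefetch files. The following Python is an added illustration of how a collection condition of that kind is evaluated; it is not EnCase or EnScript code, and the sample file tree, hash set and keyword are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class FileEntry:
    path: str   # full path as seen on the target
    data: bytes # file content


# Constructed sample of what a Sweep target might expose (not real files).
SAMPLE_FILES = [
    FileEntry(r"C:\Windows\Prefetch\CMD.EXE-0BD30981.pf", b"MAM\x04" + b"\x00" * 16),
    FileEntry(r"C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf", b"SCCA" + b"\x00" * 16),
    FileEntry(r"C:\Windows\System32\notepad.exe", b"MZ" + b"\x90" * 32),
    FileEntry(r"C:\Users\lab\Documents\notes.txt", b"meeting notes, invoice attached"),
]

# Constructed hash set for the hash-analysis criterion (SHA-256 of files of interest).
KNOWN_HASHES = {hashlib.sha256(b"MZ" + b"\x90" * 32).hexdigest()}


def matches_condition(entry, path_globs=(), hash_set=frozenset(), keywords=()):
    """Return which criterion the file satisfies ("metadata", "hash" or "keyword"),
    or None when the file should not be collected."""
    if any(fnmatch(entry.path.lower(), g.lower()) for g in path_globs):
        return "metadata"
    if hashlib.sha256(entry.data).hexdigest() in hash_set:
        return "hash"
    if any(k.lower() in entry.data.lower() for k in keywords):
        return "keyword"
    return None


def collect(files, **condition):
    """Apply the condition to every file and build a collection manifest
    (path, SHA-256 and the criterion that matched) for the files to collect."""
    manifest = []
    for f in files:
        reason = matches_condition(f, **condition)
        if reason:
            manifest.append({"path": f.path, "sha256": hashlib.sha256(f.data).hexdigest(), "reason": reason})
    return manifest


# Metadata-only condition equivalent to "collect prefetch": everything under the Prefetch folder ending in .pf.
PREFETCH_CONDITION = dict(path_globs=(r"C:\Windows\Prefetch\*.pf",))

if __name__ == "__main__":
    for row in collect(SAMPLE_FILES, **PREFETCH_CONDITION):
        print(row)
```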
Collecting Artifacts with File Processor
Path example
C:\Users\jfryd\Documents\EnCase\Cases\Probe-01\EnScript\Sweep Enterprise\Scan 2022_03_04 11_07_29_AM
Forensic Artifact Condition
Artifact Condition for import
Artifacts First
As soon as an Evidence file is acquired, the Case Overview is displayed.
This view will automatically update as you process evidence.
Create a Case – EnFuse2022
Bring in the Peterson evidence file
Check the results
Automate your processing
Drop in the Peterson Evidence file
Process immediately for Artifacts
Process with consistency
Create and implement custom processing options
• (select Internet artifacts)
Be prompted every time or choose to be left alone
Once processing is complete -> Run Case Analyser
Optimising: getting to Artifacts quicker
Just because EnCase allows you to switch on a multitude of processing settings doesn't mean you should. The principle is to use the correct options for the job you're trying to perform, and no more.
Processing Options
Processing Profile
OCR: great, but as a pre-process option it scans all attachments; maybe target these better and fire off an OCR job later
Light processing initially on the front end, then do additional processing later.
This makes EnCase faster and more versatile
evidence first
Don't over-select processing options
Case Analyser – for Artifacts first approach
Thank you
[Link]/opentext
[Link]/company/opentext
[Link]