Wednesday, November 13, 2013

LNK file and conditions in EnCase v7

Windows .lnk (shortcut) files are a very useful source of forensic data, but it is not easy to get them analysed and ordered by their attributes. Traditionally we look for volume serial numbers to correlate evidence: the serial number stored in a shortcut identifies the file system the target lived on, so shortcuts carrying the same serial point into the same volume even when that volume is no longer available. So how can we do that in EnCase v7? Here is an example based on the Forensic II training evidence files, which I often use in Forensic II training sessions to extend the idea of conditions and filters. I often find that people are not thinking in terms of conditions when they are using EnCase.


The picture shows the link file "Final Cawin Weapons Purchase Order 2-7-2011.ppdf.LNK" with its attribute tree expanded to the "Link Data" folder. Two columns, "Name" and "Value", are populated automatically by EnCase with the attribute pairs parsed out of the file content. Since this view is available under the Attributes tab, we can build a condition on these values and find which link files share a given attribute, for example all shortcuts pointing to the file system with the same serial number. Basically we have to ask two things: the attribute name is "Serial Number" and the attribute value is "6A97-109C". This should return the list of .lnk files that point to the same file system. For that we create a new condition, but there is a catch: the attributes are not listed as column names in the Table view, only in the View pane, so we have to go through Filters inside Conditions to get a new function that can address the attribute name.


This is the result of our action: under Filters for AttributeValueRoot we created a new filter called ValueFS.


If we edit the ValueFS filter we see it has exactly the logic noted above: (Attribute name is "Serial Number") and (Attribute value is "6A97-109C"). These values can be copied from EnCase directly, but I suggest saving the attribute view to a text file and copying from there.


Here the filter is applied in the condition wizard. As always, a filter is called through an "equal to" construct, which selects the entries for which the filter returns a hit.
This condition works like any other condition and is called from the Conditions tab. It is a good idea to give the results a meaningful name such as "Volume Serial XX" so the output is easy to follow.


If you keep your conditions for future use, it is a good idea to check the "Ask for value" and "Value required" boxes, so you can reuse the condition with a different combination of attribute names and values.

Here we actually enter both values, the attribute name and its value, into the condition box.
The result is what we expected: a list of .lnk files that point to the file system with the same serial number.
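The "Serial Number" attribute that EnCase parses out of a link file can also be read straight from the raw bytes, which is handy for cross-checking the value EnCase shows or for triaging a folder of shortcuts outside a case. The Python below is an added example, not part of the original post and not EnCase code: it follows the MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList, then LinkInfo with its VolumeID and DriveSerialNumber) and groups shortcuts by serial exactly as the condition above does. The sample shortcuts are constructed inline by make_lnk, a helper written for this example, not real evidence.

```python
import struct
from collections import defaultdict

# MS-SHLLINK constants
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags: an IDList follows the header
HAS_LINK_INFO = 0x02                  # LinkFlags: a LinkInfo structure is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags: VolumeID and LocalBasePath are present


def format_serial(serial):
    """Render a 32-bit volume serial the way Windows and EnCase show it, e.g. 6A97-109C."""
    return f"{(serial >> 16) & 0xFFFF:04X}-{serial & 0xFFFF:04X}"


def lnk_volume_serial(data):
    """Return DriveSerialNumber of a shell link as 'XXXX-XXXX'.

    Returns None when the link has no VolumeID (no LinkInfo, or a network-only target).
    Raises ValueError for data that is not a well-formed shell link.
    """
    try:
        if len(data) < HEADER_SIZE or data[4:20] != LNK_CLSID:
            raise ValueError("not a shell link (bad size or CLSID)")
        header_size, = struct.unpack_from("<I", data, 0)
        if header_size != HEADER_SIZE:
            raise ValueError("unexpected HeaderSize")
        link_flags, = struct.unpack_from("<I", data, 0x14)
        pos = HEADER_SIZE
        if link_flags & HAS_LINK_TARGET_ID_LIST:
            # IDListSize (2 bytes) is followed by the IDList itself; skip both.
            id_list_size, = struct.unpack_from("<H", data, pos)
            pos += 2 + id_list_size
        if not link_flags & HAS_LINK_INFO:
            return None
        link_info = pos
        link_info_size, link_info_header_size, link_info_flags, volume_id_offset = \
            struct.unpack_from("<IIII", data, link_info)
        if link_info_header_size < 0x1C or link_info + link_info_size > len(data):
            raise ValueError("bad LinkInfo header")
        if not link_info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            return None
        vol = link_info + volume_id_offset
        vol_size, _drive_type, serial = struct.unpack_from("<III", data, vol)
        if vol_size < 0x10 or vol + vol_size > link_info + link_info_size:
            raise ValueError("VolumeID runs past LinkInfo")
        return format_serial(serial)
    except struct.error as exc:
        raise ValueError(f"truncated shell link: {exc}") from None


def make_lnk(serial, local_path, volume_label=b"DATA", id_list=None):
    """Build a minimal shell link carrying a VolumeID. Constructed test data, not a real artifact."""
    label_z = volume_label + b"\x00"
    # VolumeID: size, DriveType (3 = fixed), DriveSerialNumber, VolumeLabelOffset, label
    volume_id = struct.pack("<IIII", 0x10 + len(label_z), 3, serial, 0x10) + label_z
    path_z = local_path.encode("ascii") + b"\x00"
    suffix_z = b"\x00"                                   # empty CommonPathSuffix
    header_len = 0x1C
    vol_off = header_len
    path_off = vol_off + len(volume_id)
    suffix_off = path_off + len(path_z)
    link_info_size = suffix_off + len(suffix_z)
    link_info = struct.pack("<IIIIIII", link_info_size, header_len, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, path_off, 0, suffix_off) + volume_id + path_z + suffix_z
    flags = HAS_LINK_INFO | (HAS_LINK_TARGET_ID_LIST if id_list is not None else 0)
    body = (struct.pack("<H", len(id_list)) + id_list) if id_list is not None else b""
    # HeaderSize, CLSID, LinkFlags, then the remaining header fields zeroed
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags) + bytes(HEADER_SIZE - 0x18)
    return header + body + link_info


def group_by_volume_serial(lnks):
    """Map 'XXXX-XXXX' -> names of links into that volume; None collects links without a usable VolumeID."""
    groups = defaultdict(list)
    for name, data in lnks:
        try:
            key = lnk_volume_serial(data)
        except ValueError:
            key = None
        groups[key].append(name)
    return dict(groups)


# Constructed samples: two shortcuts into the same volume, one into another, one junk file.
SAMPLES = [
    ("order.pdf.LNK", make_lnk(0x6A97109C, r"E:\orders\order.pdf", id_list=b"\x03\x00\x41\x00\x00")),
    ("notes.txt.LNK", make_lnk(0x6A97109C, r"E:\notes.txt")),
    ("budget.xls.LNK", make_lnk(0x1234ABCD, r"C:\Users\analyst\budget.xls")),
    ("broken.LNK", b"not a shortcut"),
]

if __name__ == "__main__":
    for serial, names in group_by_volume_serial(SAMPLES).items():
        print(serial, names)
```

To run this over a real folder, replace SAMPLES with `(p.name, p.read_bytes())` for each `*.lnk` path; the None bucket is the one to look at by hand, since a shortcut without a VolumeID is usually a network target and has nothing to correlate by serial.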


This method can be applied to any other object that has attributes. In the EnCase manual and on Lance Mueller's excellent site you can learn a lot more about conditions, filters and EnScript programming: http://www.forensickb.com/

Here is the condition source code as generated by EnCase (EnScript). The original listing breaks off after the MainClass constructor; the tail below that point is reconstructed and marked as such.
class MainClass {
  class ValueFSClass {
    typedef String[] Array1;
    // Dialog shown when the condition runs: lets the examiner change the
    // attribute value(s) and the attribute name before the filter executes.
    class FilterDialogClass: DialogClass {
      ArrayEditClass  Variable1;
      StringEditClass Variable2;
      FilterDialogClass(DialogClass parent, ValueFSClass v):
        DialogClass(parent, "Edit Conditions"),
        Variable1(this, "Value matches", START, NEXT, 200, 102, 0, v.Variable1, REQUIRED),
        Variable2(this, "Name equal to", START, NEXT, 200, DEFAULT, 0, v.Variable2, 512, REQUIRED)
      {
      }
    }
    Array1     Variable1;   // attribute values to match, e.g. "6A97-109C"
    String     Variable2;   // attribute name to match, e.g. "Serial Number"
    ValueFSClass():
      Variable1{"6A97-109C"},
      Variable2 = "Serial Number"
    {
      FilterDialogClass dialog(null, this);
      if (dialog.Execute() != SystemClass::OK)
        SystemClass::Exit();
    }
    // One attribute is a hit when its value is in the list AND its name matches.
    bool Main(AttributeValueClass e) {
      return Variable1.Find(e.Value()) >= 0 && e.Name().Compare(Variable2) == 0;
    }
  }
  ValueFSClass ValueFSData;
  // The filter: walk the whole attribute tree of an entry and report a hit
  // if any attribute satisfies ValueFSClass::Main.
  bool ValueFS(AttributeValueClass root) {
    forall (AttributeValueClass e in root)
      if (ValueFSData.Main(e))
        return true;
    return false;
  }
  MainClass():
    ValueFSData()
  {
  }
  // The post's listing ends above. A generated condition finishes with an
  // entry-level Main that applies the filter to the entry's attribute root;
  // the accessor name here is assumed from the "AttributeValueRoot" filter group.
  bool Main(EntryClass entry) {
    return ValueFS(entry.AttributeValueRoot());
  }
}

Sunday, November 3, 2013

EnCase Enterprise v7 training and education

At the moment I'm involved in preparing training for the EnCase Enterprise product; the course is EnCase Enterprise Examinations for v7. The clients are not from an IT company but from the ministry of finance of one of the neighbouring countries. It is a long, long project, delayed by budget problems, that is finally coming to a conclusion. The schedule changed so many times that EnCase evolved from version 7.05 to 7.08.1 in the meantime, with all the accompanying training changes, new software features and, of course, bugs. Key differences are the case processor on separate nodes and the non-SAFE servlet (the FIM replacement). VMware products have also moved to new versions, and sometimes there are compatibility issues.
Preparation is always a bit of a lengthy process, since I don't have a dedicated classroom or dedicated machines but multipurpose ones which have to be tailored for each training. EnCase v7 is very resource hungry, and when we are talking about the Enterprise version, where the training includes a simulated network of several machines, the resource bill is extremely high. Since most trainings are on client premises, we use powerful laptops with a lot of external disks to fill the role. Priorities are disks, RAM, CPU, network. For acceptable performance a quad-core 64-bit i5 laptop with 16 GB+ RAM and three SATA/eSATA disks is enough (an ExpressCard with two eSATA ports is extremely useful here, but on some machines, especially Dell, there can be problems). This configuration has enough power for the EnCase evidence processor and also gives you three or more disks to spread the load of the virtual machines. In theory training can be provided on customer machines, but in practice this fails because of configuration and system administration problems; the best way is to bring your own devices and configure them yourself.
As for real EnCase Enterprise training, what is important to take into account is the versatility of EnCase Enterprise. Lance Mueller describes this in his paper, precisely defining the main areas of EnCase Enterprise usage. The current training is too condensed: it gives you an intro into all capabilities, where actually the attendee should understand in advance how EE will be used in their work. In my experience this is too optimistic an approach, since attendees usually do not have much EnCase experience. Initially EE training was two separate weeks, but later it was changed to one week with the idea of unifying the EE and Forensic products. Basically this proves to be a problem, since no one can force customers to take Forensic courses as preparation for Enterprise (the problem is always the limitation of their budget), so we usually lack a good understanding of EnCase Forensic abilities. I always suggest to attendees without Forensic training that they at least look at the free v7 intro online training, but that is often not enough. The workaround is to extend the introduction and add tailored points in the aspects where they will work. As we are talking here about a financial regulator, the stress should be on the e-discovery process, then on standard forensic investigation and at the end on incident response. For each of these tasks different configuration and tools in EnCase, and also different user roles, are required. Very good material for discussion is the "Anti-Cartel Enforcement Manual" of the International Competition Network; it puts all this into a defined process close to the ones attendees have experience with. From that point we can discuss ideas of e-discovery, which is an almost unknown idea in our part of Europe.