Thursday, June 11, 2015

EnCase v7 and some indexing woes

EnCase v7 is built around indexing as a fundamental step in investigation and data analysis, but it looks like the bad luck EnCase had with indexing in v6 continues in v7. It turns out that in the first few sub-versions of v7 indexing was not implemented correctly and in real-life use was of little benefit, more a source of horror.

Things have improved in the latest versions, 7.9 and 7.10: indexing now works more or less OK, but still with some peculiarities and features that are not easy to digest. In this article I'll compile some notes and tips which may help.

One quite useful thing to get from indexed data is a list of keywords; it can be very useful for password cracking and many other purposes. In version 6 it was possible to dump this data through an EnScript, but in version 7 this is now in the Passware tool interface. Even if you don't have the Passware kit, the dump can still be done: it generates an index.words.txt file which contains the data from the index file. Documentation is missing and there is no explanation of what is what. Still, from there it is possible to feed dictionary attack tools etc.; you'll need some regular expression tooling to further extract the useful data from it.
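As an added illustration (this is not part of the original post, nor EnCase or Passware code), here is a small Python script that does that regular-expression post-processing and turns the dump into a cracking wordlist. Since the index.words.txt format is undocumented, the layout used below (one token per line, followed by an extra numeric field of unknown meaning) is an assumption, and the sample dump is constructed:

```python
import re
from collections import OrderedDict

# Constructed sample of what an index.words.txt dump might look like.
# ASSUMPTION: one token per line, optionally followed by whitespace-separated
# extra fields whose meaning is undocumented; only the first field is used.
SAMPLE_DUMP = """\
the 1024
Password123 3
john.doe@example.com 2
0x7fff8a3c 9
C:\\Users\\jdoe\\Documents 5
Summer2015! 1
a
ffffffffffffffff 4
invoice 7
Password123 1
"""

WORD_RE = re.compile(r"^\S+")                 # first whitespace-free field
HEX_RE = re.compile(r"^(0x)?[0-9a-fA-F]{8,}$")  # hex blobs (hashes, addresses)
PATH_RE = re.compile(r"^[A-Za-z]:\\|^/|\\")     # file-system paths


def extract_candidates(dump_text, min_len=6, max_len=32):
    """Pull plausible password candidates out of an index.words.txt-style dump.

    Keeps the first field of each line, drops tokens that are too short or
    too long, hex blobs, paths and e-mail addresses (which are better handled
    as their own artefact), and de-duplicates while preserving order.
    """
    seen = OrderedDict()
    for line in dump_text.splitlines():
        m = WORD_RE.match(line)
        if not m:
            continue
        tok = m.group(0)
        if not (min_len <= len(tok) <= max_len) or not tok.isprintable():
            continue
        if HEX_RE.match(tok) or PATH_RE.search(tok) or "@" in tok:
            continue
        seen[tok] = seen.get(tok, 0) + 1
    return list(seen)


def mangle(word):
    """Cheap case and suffix variations, like a cracker's rule set would do."""
    variants = [word, word.lower(), word.upper(), word.capitalize()]
    variants += [word + s for s in ("1", "!", "2015")]
    return list(OrderedDict.fromkeys(variants))


def build_wordlist(dump_text):
    """Candidate words from the dump, each expanded with mangle(), de-duplicated."""
    out = []
    for w in extract_candidates(dump_text):
        out.extend(mangle(w))
    return list(OrderedDict.fromkeys(out))


if __name__ == "__main__":
    for w in build_wordlist(SAMPLE_DUMP):
        print(w)
```

Feed the output to hashcat or John as a plain wordlist; keeping non-ASCII tokens (only non-printable ones are dropped) matters when the evidence is in a localised language.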

Another huge issue is the lack of examples: for instance, there are predefined patterns in indexing for finding email addresses, credit card numbers etc., but no examples of how to use them.

There is no clue whatsoever as to how it works. Trying combinations, you'll get either no result or some confusing errors; there is only one small passage about it in the support forum, with no details, and results are erratic even in the latest version, v7.10.5.
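Since the product ships no example, here is an added one (my own Python, not EnCase's pattern syntax or its predefined patterns) of what such email and credit-card patterns do when run over text from an index, including the Luhn check that separates a real card number from a random 16-digit run. The input text is constructed; the 4111... number is the well-known test card number:

```python
import re

# Loose e-mail pattern: local part, '@', domain with at least one dot.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digit runs, digits optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample text standing in for indexed document content.
SAMPLE_TEXT = """\
Contact: john.doe@example.com or support@example.org
Invoice ref 1234567890123456 paid with card 4111 1111 1111 1111
Call 00385 1 234 5678 for details
"""


def luhn_ok(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_emails(text):
    return EMAIL_RE.findall(text)


def find_cards(text):
    """Return (digits, luhn_valid) for every digit run that looks like a card.

    The regex alone fires on invoice numbers and phone numbers too; the Luhn
    flag is what lets you discard most of those false positives.
    """
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        hits.append((digits, luhn_ok(digits)))
    return hits


if __name__ == "__main__":
    print(find_emails(SAMPLE_TEXT))
    for digits, ok in find_cards(SAMPLE_TEXT):
        print(digits, "LUHN OK" if ok else "luhn fail")
```

Whatever the tool's own pattern language looks like, the two-stage approach (broad regex, then a checksum or format validator) is what keeps a credit-card sweep over a whole index from drowning in noise.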

In ordinary index search it is possible to use wildcard characters and patterns, but again it can be quite erratic. I was positive there were some issues with our local language localisation, but I have never been able to reproduce it in a satisfactory way. A very confusing issue is that index search uses globbing while raw search uses regular expressions. Since it is possible to combine both in the same search, using two different query syntaxes is often misleading.
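To make that syntax clash concrete, here is an added Python example (mine, not EnCase code) that runs the same query string once as a glob and once as a regular expression over a constructed list of indexed terms. The glob semantics assumed here are the usual ones, `*` for any run of characters and `?` for exactly one, anchored to the whole term; EnCase may differ in details, so treat that as an assumption:

```python
import re

# Constructed list of terms as they might sit in an index.
TERMS = ["pas", "pass", "pass1", "passwd", "password", "passport", "p4ss", "compass"]


def glob_to_regex(glob):
    """Translate a glob (ASSUMED: '*' = any run, '?' = one char, rest literal)
    into a regex anchored to the whole term, case-insensitive."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_glob(query, terms):
    """Index-search style: the glob must cover the whole term."""
    rx = glob_to_regex(query)
    return [t for t in terms if rx.match(t)]


def match_regex(query, terms):
    """Raw-search style: the query is a regex and may match anywhere in the term."""
    rx = re.compile(query, re.IGNORECASE)
    return [t for t in terms if rx.search(t)]


def compare(query, terms=TERMS):
    """Show which terms only one of the two interpretations hits."""
    g, r = match_glob(query, terms), match_regex(query, terms)
    return {
        "glob": g,
        "regex": r,
        "regex_only": [t for t in r if t not in g],
        "glob_only": [t for t in g if t not in r],
    }


if __name__ == "__main__":
    for q in ("pass*", "pass?"):
        print(q, compare(q))
```

Note how `pass*` as a glob means "terms starting with pass", but as a regex means "pas followed by zero or more s, anywhere", so it also returns `pas` and `compass`; `pass?` as a glob wants exactly five characters, as a regex the final `s` is merely optional. The same string typed into the two halves of a combined search is two different queries.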







