Getting to know your tools
EnCase Tips and Tricks
OpenText™ EnCase™ Forensic software is one of the longest-established digital forensic platforms on the market. It has been the primary tool of choice for many investigations and has withstood cross-examination in courts of law and tribunals. The EnCase platform has evolved to include many new features, notably the ‘evidence processor’, which gives an examiner options to process the artifacts of a case, including internet and email artifacts, finding protected files, mounting compound files and indexing.
In terms of conducting a digital examination of a seized device, digital forensic examiners have always had granular control over what they do and when they choose to do it. The EnCase tools at an examiner’s disposal include raw and indexed keyword searching, and file signature analysis, which compares a file’s header bytes with its extension to validate that files are what they purport to be. Compound file structures such as registry hives and compressed archives are mounted to expose their internal structure and contents. Such identification and interpretation are performed using core functionality and also with the support of numerous custom EnScripts, which are available from EnCase App Central, and the various EnCase Conditions and Filters, which form part of a standard installation of EnCase.
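Two of the techniques named above, file signature analysis and hash library matching, are easy to misunderstand until you see them done by hand. The following is an added illustration written for this page in plain Python; it is not EnCase or EnScript code and does not reproduce EnCase’s exact result labels. The magic-byte table covers a handful of well-known formats, and the sample files and hash sets are constructed inline so it runs offline.

```python
"""Generic file signature analysis and hash-library lookup.

Added example for this page (not EnCase/EnScript code). The signature
table is a small subset of well-known magic bytes; the sample files and
known-good/known-bad hash sets below are constructed for the demonstration.
"""
import hashlib

# extension -> list of acceptable leading byte sequences (magic numbers)
SIGNATURES = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".pdf":  [b"%PDF-"],
    ".zip":  [b"PK\x03\x04", b"PK\x05\x06"],   # PK\x05\x06 = empty archive
    ".docx": [b"PK\x03\x04"],                   # OOXML is a zip container
}


def extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def header_types(data: bytes) -> set:
    """All extensions whose signature matches the leading bytes of data."""
    return {ext for ext, heads in SIGNATURES.items()
            if any(data.startswith(h) for h in heads)}


def signature_status(name: str, data: bytes) -> str:
    """Classify a file by comparing what its extension claims with what
    its header actually says.

    match          - extension and header agree (aliases such as .jpg/.jpeg
                     count as a match because they share a signature)
    mismatch       - header identifies a known type, extension claims another
                     (a renamed file, the classic thing signature analysis finds)
    bad signature  - extension is a known type but the header is not
    unknown        - neither the extension nor the header is in the table
    """
    ext = extension(name)
    types = header_types(data)
    if ext in types:
        return "match"
    if types:
        return "mismatch (header says " + "/".join(sorted(types)) + ")"
    if ext in SIGNATURES:
        return "bad signature"
    return "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_status(data: bytes, known_good: set, known_bad: set) -> str:
    """Look the file's hash up in a hash library. Known-bad is checked first
    so that a hash present in both sets is never silently excluded."""
    digest = sha256_hex(data)
    if digest in known_bad:
        return "known bad"
    if digest in known_good:
        return "known good"
    return "not in library"


def triage(files: dict, known_good: set, known_bad: set) -> dict:
    """Run both checks over a {name: content} mapping."""
    return {name: (signature_status(name, data),
                   hash_status(data, known_good, known_bad))
            for name, data in files.items()}


# Constructed sample evidence: a genuine JPEG, a PNG renamed to .txt,
# a text file pretending to be a PDF, a real OOXML container and plain text.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "notes.txt":   b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16,
    "report.pdf":  b"This is not really a PDF",
    "q3.docx":     b"PK\x03\x04\x14\x00" + b"\x00" * 16,
    "readme.txt":  b"plain text, nothing to see",
}
# Constructed hash library: the renamed PNG is "known bad", the readme "known good".
KNOWN_BAD = {sha256_hex(SAMPLE_FILES["notes.txt"])}
KNOWN_GOOD = {sha256_hex(SAMPLE_FILES["readme.txt"])}

if __name__ == "__main__":
    for name, (sig, hsh) in triage(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD).items():
        print(f"{name:12s} signature={sig:28s} hash={hsh}")
```

The point of the exercise is the second line of output: notes.txt is flagged twice, once because its header says it is a PNG and once because its hash is in the known-bad set. In a real examination the hash library is what lets known-good operating-system files be excluded from review, and the signature mismatch is what surfaces files an uninformed user has renamed to hide them.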
To assist examiners, particularly those who are new to digital forensic examinations with EnCase but equally experienced ones, EnCase provides an alternative way to reach the tools and functionality they commonly use or consider important in case preparation and examination. This feature is called ‘Pathways’.
So, what are Pathways? A Pathway is a collection of individual evidence processor options, Conditions, Filters or custom EnScripts, arranged in an order that represents a workflow for an examiner to set up, prepare and examine a case. Beyond the value of an established workflow, it also gathers a set of EnCase tools that can be called from a drop-down menu without having to switch tabs. Let us explore what is available by default and look at how to create your own custom pathway.
A Pathway can be opened from the EnCase home screen or from the top-level Pathway menu item, which is always visible whichever tab you are working in.
By choosing either the Full Investigation or the Preview/Triage option, the examiner is presented with the steps to create and prepare a case for examination or triage, followed by the option to add evidence. The examiner will notice that the options to audit drive space, determine the time zone and apply a hash library are not yet accessible. This is intentional: until evidence is added to the case, these options have nothing to operate on.
Once the preliminary steps of creating a case, adding evidence, auditing the drive space, determining the time zone and optionally associating a hash library with the case are complete, the examiner is presented with a list of options to assist in finding the data they are looking for. Clicking the question mark provides additional information about each listed item.
To create a custom pathway representing a workflow or a collection of frequently used Evidence Processor options, EnScripts, Conditions and Filters, the examiner chooses ‘Create New’ from the Pathways menu. Pathways can be built for the types of examination the examiner regularly conducts, or simply as a collection of commonly used resources. Either way, using Pathways saves the time otherwise spent remembering where particular resources are located, which is especially helpful for new examiners.
Pathways does not introduce new functionality as such; it provides a way of accessing preferred options. Many of the ‘what do I do next?’ or ‘where can I find the option to do this?’ questions are answered by the default Full Investigation and Preview/Triage pathways, which form part of a standard EnCase installation. Additionally, an examiner can create their own tailored pathway for specific options and a streamlined workflow.
The qualified Learning Services EnCase training team has years of experience with EnCase Forensic and Security products, services and delivering training. See the full list of EnCase courses. For more information, please contact EnCasetraining@opentext.com
Author: Bill Thompson is the Director of Training Consulting in OpenText Learning Services, UK Security division. He is a strong advocate of ensuring that customers get the most from their investment in EnCase products.