Anyone engaged in DFIR (Digital Forensics & Incident Response) will recognize that the field moves and evolves at a rapid rate. There is always something new to learn and understand, with an increasing number of artifacts to parse and examine during a forensic investigation.
Forensic software tools have great feature sets for automating the parsing of many artifacts that might be of relevance to an investigation. However, there will be circumstances when there is something new and interesting to parse that has not yet been automated within the core functionality of the software tool, or simply an update to something traditional. The automated parsing functionality of your forensic tool may even require validation.
This series of blogs will explore the use of EnScript with OpenText™ EnCase™ Forensic (OpenText™ EndPoint™ Investigator) to illustrate how the parsing of artifacts can be extended, allowing for custom parsing and support for what has not yet been automated. The series will center on the examination of mobile devices, demonstrating parsing of SQLite databases and the Apple property list, both common data structures.
A typical mobile device contains a vast amount of information that may be of benefit to a criminal, corporate, or civil DFIR investigation. OpenText EnCase Forensic and OpenText™ EnCase™ Mobile Investigator support a number of artifacts from both the mobile operating system and installed applications, as well as analytics and reporting.
For Android and Apple, the sheer quantity of applications and potential artifacts from the mobile OS means there will be circumstances where automated parsing is not supported by EnCase. The use of EnScript can extend your reach and artifact support, allowing you to automate the parsing of the unsupported.
For example, EnCase supports and parses some iOS internet artifacts for Safari and Firefox; however, with EnScript and examiner knowledge it is possible to discover and expose internet activity relating to an open tab, including its history, even if that tab was being used to browse privately.
There are several EnScripts freely available for download from EnCase App Central, authored by Simon Key of the Learning Services EnCase training team, that can be used in the forensic examination of a mobile device. The EnScripts mentioned below are in my view extremely valuable and are used frequently during research of artifacts and forensic examination.
Given that content in mobile apps and the mobile OS itself can be stored in SQLite databases, there will be a need to provide additional SQLite examination functionality from within EnCase to:
- Allow for the execution of custom SQLite queries and have the results automatically bookmarked in the EnCase case;
- Allow viewing the SQLite database together with its Write-Ahead Log (WAL) to see the most current version of the database; and
- Extract binary data for additional examination.
The EnScripts that provide this level of SQLite examination functionality, available via EnCase App Central, are:
- SQLite queries to be run against one or more databases
- Extraction of Binary Large Objects (BLOBs) for further examination in EnCase
- Viewing the database in a third-party application using the write-ahead log (WAL)
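As an added illustration of the two SQLite points above (the WAL holding the newest committed rows, and BLOB extraction), the following Python 3 standard-library script is example code written for this post, not one of the App Central EnScripts or EnCase functionality; its table layout, rows, file names and the MAGIC prefix table are constructed for the demo, and it works on scratch copies so the evidence files are never opened in place.

```python
import os, shutil, sqlite3, tempfile

MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"bplist00": "plist"}  # constructed, partial list

def build_sample_db(workdir):
    """Create a WAL-mode DB whose newest row exists only in the WAL; returns (path, open writer)."""
    src = os.path.join(workdir, "messages.db")
    con = sqlite3.connect(src)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT, attachment BLOB)")
    con.execute("INSERT INTO messages VALUES (1, 'old', ?)", (b"\x89PNG\r\n\x1a\n" + bytes(16),))
    con.commit()
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # row 1 is now written into messages.db itself
    con.execute("INSERT INTO messages VALUES (2, 'newest', ?)", (b"bplist00" + bytes(8),))
    con.commit()  # row 2 is committed but exists only in messages.db-wal
    return src, con  # keep the writer open: the app is still running on the device
def open_working_copy(db_path, with_wal):
    """Copy the evidence files to scratch space so the originals stay untouched."""
    view = tempfile.mkdtemp()
    shutil.copy(db_path, view)
    if with_wal:
        shutil.copy(db_path + "-wal", view)
    return sqlite3.connect(os.path.join(view, os.path.basename(db_path)))
def count_rows(db_path, with_wal):
    """Without the WAL only checkpointed rows show; with it, the current state."""
    con = open_working_copy(db_path, with_wal)
    n = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    con.close()
    return n
def extract_blobs(db_path, out_dir):
    """Write each non-NULL attachment to out_dir, named by row id and magic-detected type."""
    os.makedirs(out_dir, exist_ok=True)
    con = open_working_copy(db_path, with_wal=True)
    names = []
    for rowid, blob in con.execute("SELECT id, attachment FROM messages WHERE attachment IS NOT NULL ORDER BY id"):
        ext = next((e for m, e in MAGIC.items() if blob.startswith(m)), "bin")
        names.append(f"messages_{rowid}.{ext}")
        with open(os.path.join(out_dir, names[-1]), "wb") as fh:
            fh.write(blob)
    con.close()
    return names
def demo():
    """Returns (rows seen without WAL, rows seen with WAL, extracted BLOB file names)."""
    wd = tempfile.mkdtemp()
    db, writer = build_sample_db(wd)
    result = count_rows(db, False), count_rows(db, True), extract_blobs(db, os.path.join(wd, "blobs"))
    writer.close()  # closing the last connection checkpoints and deletes the live WAL
    return result
```

Running `demo()` shows one row when only messages.db is copied and two when messages.db-wal is copied beside it, which is why an acquisition that misses the WAL (or a tool that ignores it) can silently drop the most recent activity.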
In addition, Apple utilizes the property list in both XML and binary form. The following are a must when examining an iPhone or iPad:
- Parse relevant tagged plists, or maintain a list of favorites
- Quick view of highlighted plist
The next blogs in this series will illustrate and discuss the examination of SQLite databases and Apple property lists using the EnScripts mentioned above, and relate them to the field of mobile device examination.
The use of the EnScripts discussed in automating the parsing and examination of additional mobile artifacts is demonstrated in the DF125 Mobile Device Examinations training class, which can be registered for and purchased individually using the above link, or taken as part of the OpenText Learning Subscription, Security Edition Premium. This offers one discounted, flat rate, allowing a qualifying investigator to take an unlimited number of EnCase training courses for one or two years.
The qualified Learning Services EnCase training team has years of experience with EnCase Security products, services and delivering training. Classes can be taken live and instructor-led via our vClass platform, or in person at one of our training facilities in Pasadena – CA USA, Gaithersburg – MD USA, Reading – UK or our newly established facility in Munich – Germany.
Subscribe to a one-year Security Edition – Premium Subscription, or contact us for more information, a quote for a two-year subscription, or an upgrade.