EnCase missed some usb activities in the evidence files

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
gorvq7222
Senior Member
 

EnCase missed some usb activities in the evidence files

Posted: Oct 06, 17 08:20

My friend is a developer and her colleague May was suspected of stealing the source code of an important project "X". The Police searched her apartment and seized her brand new laptop, whose OS is Win10 Pro. Forensic guy Terry used EnCase to do evidence processing. To his surprise, only one USB thumb drive, "SanDisk", was found in "USB Records".

You guys could take a look at my blog to see what's going on.
www.cnblogs.com/pieces...31696.html  
 
  

jaclaz
Senior Member
 

Re: EnCase missed some usb activities in the evidence files

Posted: Oct 06, 17 09:20

Very likely Encase didn't "miss" anything, simply part of the "USB" related data was cleared or overwritten, as the USB disk was connected to the computer before the USB stick.

Very clever on the part of May to call the important source code files of project "X" as "docu", "painting" and "example", however.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Bunnysniper
Senior Member
 

Re: EnCase missed some usb activities in the evidence files

Posted: Oct 06, 17 11:07

- gorvq7222

You guys could take a look at my blog to see what's going on.
www.cnblogs.com/pieces...31696.html


Nice blog article! It describes exactly why I would never ever buy or use such a "one-click-evidence-button" software. There are five or six locations in the registry where to find evidence of USB activity, plus Eventlog and setupapi.dev.log. I check them all by hand and with several different tools and never with only one tool. The mentioned "another forensic tool" is X-Ways Forensics with its "Device" Registry Report, isn't it?

best regards,
Robin  
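An added example, not code from the thread or from any of the tools named in it: a small Python parser for the setupapi.dev.log that Robin lists among the USB artifacts, run over a constructed excerpt. It collects every USBSTOR device-install section, keeps the earliest install time per serial, and flags serials that Windows generated itself (second character '&'), which means the device reported no unique serial and cannot be matched to a specific stick by that value alone.

```python
import re
from datetime import datetime

# Constructed setupapi.dev.log excerpt (not from the thread's case); the real file is C:\Windows\INF\setupapi.dev.log
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230806122355]
>>>  Section start 2017/10/02 14:22:31.123
<<<  Section end 2017/10/02 14:22:33.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230806122355&0]
>>>  Section start 2017/10/02 14:22:34.001
<<<  Section end 2017/10/02 14:22:35.777
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1019\575845314131323334&0]
>>>  Section start 2017/09/28 09:05:12.500
<<<  Section end 2017/09/28 09:05:14.250
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1f0a2b3c&0]
>>>  Section start 2017/10/03 18:40:02.000
<<<  Section end 2017/10/03 18:40:03.900
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<id>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
END_RE = re.compile(r"^<<<\s+Section end ")
# USBSTOR instance id layout: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>\<serial>&<instance>
USBSTOR_RE = re.compile(r"^USBSTOR\\Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^\\]*)\\(?P<inst>.+)$", re.I)
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"


def parse_usbstor_installs(text):
    """One record per USB mass-storage device (keyed on serial) with its earliest install time."""
    devices, dev_id, start = {}, None, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            dev_id, start = m.group("id"), None
        elif (m := START_RE.match(line)) and dev_id:
            start = datetime.strptime(m.group("ts"), TS_FMT)
        elif END_RE.match(line) and dev_id and start:
            if u := USBSTOR_RE.match(dev_id):
                serial = re.sub(r"&\d+$", "", u.group("inst"))
                # A serial whose second character is '&' was generated by Windows: the device reported no unique serial.
                rec = devices.setdefault(serial, {
                    "vendor": u.group("ven"), "product": u.group("prod"), "revision": u.group("rev"),
                    "serial": serial, "serial_is_unique": serial[1:2] != "&", "first_install": start})
                rec["first_install"] = min(rec["first_install"], start)
            dev_id, start = None, None
    return sorted(devices.values(), key=lambda d: d["first_install"])
```

The install time here is when Windows first set the device up, not when files were copied; pair it with the registry keys and event logs Robin mentions before drawing conclusions.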
 
  

mansiu
Senior Member
 

Re: EnCase missed some usb activities in the evidence files

Posted: Oct 06, 17 12:09

- Bunnysniper
- gorvq7222

You guys could take a look at my blog to see what's going on.
www.cnblogs.com/pieces...31696.html


Nice blog article! It describes exactly why I would never ever buy or use such a "one-click-evidence-button" software. There are five or six locations in the registry where to find evidence of USB activity, plus Eventlog and setupapi.dev.log. I check them all by hand and with several different tools and never with only one tool. The mentioned "another forensic tool" is X-Ways Forensics with its "Device" Registry Report, isn't it?

best regards,
Robin


Can you suggest what's inside your toolkit?

I myself use open source such as log2timeline, regripper, mft2csv, logparser, etc. and free tools like nirsoft, eventlogexplorer, and I won't deny I use EnCase.

Forensic tools are like knives; you are not going to use a Victorinox to cut a tree. I just pull out the right tool from my toolkit.

Tools like EnCase are not evil; there are still quite some tasks I found myself unable to do without EnCase, for example, manual partition recovery, sector view of disk, keyword search (definitely possible with dtsearch and ftk).
 
  

mansiu
Senior Member
 

Re: EnCase missed some usb activities in the evidence files

Posted: Oct 06, 17 12:11

- gorvq7222
My friend is a developer and her colleague May was suspected of stealing the source code of an important project "X". The Police searched her apartment and seized her brand new laptop, whose OS is Win10 Pro. Forensic guy Terry used EnCase to do evidence processing. To his surprise, only one USB thumb drive, "SanDisk", was found in "USB Records".

You guys could take a look at my blog to see what's going on.
www.cnblogs.com/pieces...31696.html


I think you can consider shooting a bug report to GuidanceSoftware. Putting it on the forum is just like "Yeah!! I found a bug!". That's definitely not good for the community.
 
  

Bunnysniper
Senior Member
 

Re: EnCase missed some usb activities in the evidence files

Posted: Oct 06, 17 13:16

- mansiu

Can you suggest whats inside your toolkit?


Regarding USB activity?
Here we go in random order:

- USBDevView from nirsoft.net
- USB Forensic Tracker from www.orionforensics.com
- USB Historian from www.4discovery.com
- the already mentioned "usbdeviceforensics" python script
- USBDeviceForensics from woanware.co.uk

and X-Ways Forensics (Registry Report + Registry Viewer). Some of the tools only work on Windows versions below Windows 8!

I can really recommend the "USB Forensic Tracker" from http://www.orionforensics.com/w_en_page/USB_forensic_tracker.php for examining USB activity. It is a free tool and has everything I need, including customized time zones and Excel export.

best regards,
Robin  
 
  

UnallocatedClusters
Senior Member
 

Re: EnCase missed some usb activities in the evidence files

Posted: Oct 06, 17 13:59

First- thank you to gorvq7222 for your contribution to our profession.

For USB investigations, in addition to previously mentioned tools, I use the following methodology:

Step #1: Index all files, folders and unallocated space using Forensic Explorer and OSForensics

Step #2: Run searches for "E:\", "F:\", "G:\", "H:\", "I:\", "J:\"

The reason I search for drive letters is that, if a person accesses files and folders copied to external USB media, then recoverable evidence can be found such as "G:\Folder of stolen documents".

My understanding is that only files and folders accessed from external USB media will leave a trace; if an individual, for example, copies files and folders to an external USB drive on a Windows system, but never accesses those files and folders after copying them to the external USB drive, then there is no recoverable evidence available to determine which specific files and folders were copied to the external USB drive. Correct????

This is why, in my opinion, a search for drive letters such as "E:\" is an important analysis step.  

Last edited by UnallocatedClusters on Oct 07, 17 16:20; edited 1 time in total
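The drive-letter search described in the post above, as an added example that is not part of the thread or of Forensic Explorer or OSForensics: it scans a raw byte buffer for E:\ through J:\ paths and goes one step further than a plain text search by also decoding the buffer as UTF-16LE at both byte alignments, since the registry, LNK files and jump lists store paths in that encoding and an ASCII-only search misses them. The buffer and the path names in it are constructed.

```python
import re

# Drive letters from the methodology above; widen the range if the system had more volumes.
DRIVE_LETTERS = "E-Je-j"
# Paths stored as plain ASCII (text logs, ASCII strings carved from unallocated space).
ASCII_RE = re.compile(rb'(?<![A-Za-z0-9])[' + DRIVE_LETTERS.encode() + rb']:\\[^\x00-\x1f<>:"|?*\x80-\xff]{1,200}')
# The same pattern applied after decoding as UTF-16LE (registry values, LNK files, jump lists).
WIDE_RE = re.compile(r'(?<![A-Za-z0-9])[' + DRIVE_LETTERS + r']:\\[^\x00-\x1f<>:"|?*\ufffd]{1,200}')


def find_drive_paths(data: bytes):
    """Return sorted (byte offset, encoding, path) tuples for every E:\\ .. J:\\ path in the buffer."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    # A UTF-16LE string may begin on an odd byte offset, so decode at both alignments.
    for align in (0, 1):
        text = data[align:].decode("utf-16-le", errors="replace")
        hits += [(align + 2 * m.start(), "utf-16le", m.group()) for m in WIDE_RE.finditer(text)]
    return sorted(hits)


# Constructed buffer standing in for a chunk of unallocated space: one ASCII path, one UTF-16LE
# path starting at an odd offset, and a C:\ path that must not be reported.
SAMPLE = (
    b"\x00" * 8
    + b"G:\\Project_X\\src\\main.c\x00"
    + b"\x00\x00\x00"
    + "F:\\docu\\painting\\example.zip".encode("utf-16-le") + b"\x00\x00"
    + b"C:\\Windows\\system32\\cmd.exe\x00"
)

if __name__ == "__main__":
    for offset, enc, path in find_drive_paths(SAMPLE):
        print(f"{offset:8d} {enc:9s} {path}")
```

A hit gives the path string and where it sits; which artifact it came from (registry, LNK, jump list, carved slack) still has to be established from the surrounding data.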
 

Page 1 of 2