공장장과 함께하는 디지털 포렌식 이야기

현재 EnCase 6의 Case Process EnScript 중 Windows Initialize Case(WIC)가 Windows 7을 제대로 지원하지 않고 있습니다.

곧 나올 EnCase7에서는 해결될지 어떨지 모르지만 암튼 불편하죠.

해당 EnScript를 약간 수정하면 Windows7에서도 WIC가 돌아갑니다.

아직 EnCase 내부에서 Windows 7을 처리하는 루틴이 제대로 되어 있지 않아서 일단 Vista인 것처럼 속이는 방법을 쓰는 우회방법입니다.

일단

\EnCase 6\Enscript\Include 폴더에 있는

GSI_Reg_InitializeCaseUtilityLib 을 수정해야 합니다.
SnapshotClass::OperatingSystems GetOSVersion() { return OsVersion; }
요렇게 되어 있는 내용을
SnapshotClass::OperatingSystems GetOSVersion() { SnapshotClass::OperatingSystems os = OsVersion; if(OsVersion == SnapshotClass::WINDOWS7) { os = SnapshotClass::WINDOWSVISTA; } return os; }
요렇게 바꾸어 주시면 됩니다.

그다음, 같은 폴더에 있는

GSI_SweepCaseLib 파일의 내용 중에서
if (buffer.Contains("6.0")) { return SnapshotClass::WINDOWSVISTA; }
요렇게 되어 있는 내용을 찾은 후 그 아래에
if (buffer.Contains("6.1")) { return SnapshotClass::WINDOWS7; }
요 내용을 추가해 주시면 됩니다.

Thanks Adam ;-)

EnCase 6.14 버전이 출시되었습니다.

설치시 어떤 작업이 이루어지는지 보여줍니다. 보통 HASP Driver 설치에 시간이 많이 걸리곤 했죠.

Options 항목에 Code Page가 추가되었습니다.

어떤 역할을 할까요?

이제 EnCase 내부에서 RAR 파일도 Mount 해서 내용을 확인할 수 있습니다.

HPUX의 파일 시스템인 VxFS와 UFS를 지원합니다.

exFAT를 지원합니다.

그 밖에

Linen이 Multithread를 지원해서 Imaging 속도를 향상시켰다고 합니다. 해봐야 알듯합니다.

Vista 64에서 Prosuite(PDE,VFS,EDS)가 제대로 동작합니다.

출처 : NetworkWorld

First Estonia. Then Georgia. Increasingly, the theoretical potential for cyberwar is becoming hard reality. One new report argues that the unchecked proliferation of cyber warfare weapons is comparable to that of nuclear warheads. At least one branch of the US military, United States Navy takes the threat seriously and monitors cyber threats on a daily basis.

To combat this growing threat Guidance Software announced on Monday a new proactive version of its classic digital forensic software, EnCase, already in use by government and law enforcement worldwide for conducting incident response investigations. By partnering with Bit9 and HBGary, Guidance Software believes EnCase CyberSecurity fills a future need for computer network defense, counterintelligence, and incident response-tasked government agencies. In adding threat and memory analytics, the Pasadena, California-based contractor says government agencies will now be able to completely recover computers from malicious code attacks, proactively identify enterprise wide at-risk computers, combat evolving malware, and also conduct deep code analysis of suspicious binaries or processes.

Bit9 is a leader in white list technology, and owns a database of several thousand "good" and "bad" files. It has already partnered with Guidance Software for its Encase Bit9 Analyzer. Within the new EnCase CyberSecurity product, the EnCase Bit9 Analyzer reputation service will be integrated to provide multiple types of digital investigations, including forensics and eDiscovery. Say for example a typical enterprise-wide incident response investigation includes 100,000 files; finding the one foreign file that's germane to the investigation can be daunting. Doug Cahill, Vice President, Business Development at Bit9, said "the use of the EnCase Bit9 Analyzer by federal agencies, financial services companies, retailers, manufacturing firms, and others allows investigators and forensics teams to quickly eliminate 'known good' files expediting the investigation saving time, and lowering the cost of the investigation."

But physical drives aren't the only hiding places for malware today.

"Cyberattackers increasingly are injecting malware into memory," said Greg Hoglund, CEO and founder of HBGary. "Most malware is just a variant, repackaging itself so that virus scanners cannot detect them. Memory analytics is a better way to detect malware." As a result, Guidance Software will also integrate HBGary Responder Pro's memory analytic capabilities and malware detection into Encase CyberSecurity.

Guidance Software says EnCase Cybersecurity will be available in the third quarter of 2009.

Robert Vamosi is a risk, fraud, and security analyst for Javelin Strategy & Research and an independent computer security writer covering criminal hackers and malware threats.

출처 : NetworkWorld