DIGITAL FORENSIC PROCEDURE
Category: EnCase Procedure
Sub Category: Sweep Enterprise
Procedure Number: DFP-003-001

Procedure Development
Development Owner: Mr. Orinoco
Organization: DFIR Team

Procedure Document
Document Owner(s): Mr. Orinoco
Organization Role: DFIR Team

Version Control
Version | Date | Author | Change Description
1.0 | 3/2/14 | Mr. Orinoco | Document creation.
[Version #] | [mm/dd/yy] | [Change owner] | [Change 1]; [Change 2]; [Change n]


Table of Contents
1.0 - Purpose
2.0 - Why
3.0 - Document Conventions
4.0 - Prerequisites & Environment
5.0 - Procedure
6.0 - Analyze the Results
  6.1 – Open TCP/IP Connections
  6.2 – Running Processes – Applications
  6.3 – User Activity – Open files
  6.4 – Logged on users
  6.5 – Mapped Drives
7.0 - Use Cases
8.0 - Additional Notes


1.0 - Purpose
The purpose of this document is to detail the steps required to successfully execute EnCase Sweep Enterprise (v7.09) against a target host.

2.0 - Why
Executing EnCase Sweep Enterprise against a target host that is suspected of being compromised provides a point-in-time snapshot of machine-specific activity that supports the Rapid Response and Assessment of the device. This activity includes items such as open TCP/IP connections, running processes and open files.

3.0 - Document Conventions
The following table describes the conventions used in this procedure.

Convention | Description
Figure | A screen shot for illustrative purposes.
Table | Refers to a table of data being referenced.
Section | A numeric value referring to a location in the procedure, e.g. 1.5.
Box | A box containing data being referenced.
Red Text | Provides important details during the procedure.
Bold Text | Emphasis on commands/menu selections.

4.0 - Prerequisites & Environment
Examiner Machine: Windows 7 with EnCase Enterprise Examiner v7.09
Target Host: EnCase agent installed


5.0 - Procedure
5.1 – Logon to EnCase Enterprise and create a new case
5.2 – Define the target host on the “SAFE” (the EnCase authentication server)

Figure 1

5.3 – Open EnCase Sweep Enterprise

Figure 2

5.4 – Create a new scan

Figure 3

5.5 – Select target machine from Network Preview

Figure 4

5.6 – Select “Run Scan”

Figure 5


5.7 – Customize Scan and Run

Figure 6

6.0 - Analyze the Results
Note: Many different machine-specific activities can be reviewed in the returned results. Shown below are the ones I find most useful for an immediate assessment; the analyst can review additional activities in the returned results as the investigation dictates. When the sweep is complete, click Analysis Browser to view the results.

6.1 – Open TCP/IP Connections
Here we can see the open connections: the local IP address of the target machine, the remote IP address the target is communicating with, and the process name associated with each connection. Because the sweep is a point-in-time snapshot, short-lived connections may not appear; re-run the scan if the first pass shows nothing of interest.

Figure 7 - Open connections


6.2 – Running Processes – Applications
In this screen shot we can see the running processes along with their PID and PPID. The PPID lets you reconstruct which process launched which, so an unexpected parent is a lead in its own right.

Figure 8 - Running processes and applications

6.3 – User Activity – Open files
In this screen shot we can see the open files for their associated processes. For example, we can see that WordPad is open on this particular machine.

Figure 9 - Open files


6.4 – Logged on users
In this screen shot we can see the most recent logons to the system.

Figure 10 - Logged on users

6.5 – Mapped Drives
In this screen shot we can see a mapped drive letter.

Figure 11 - Mapped drives

7.0 - Use Cases
A use case for this procedure is the investigation of a machine that is suspected of being infected with malware. Using this approach the analyst can review the target host for specific activity and note items of interest. For example, if the analyst notices a suspicious process running on the machine that is communicating with an external endpoint, the analyst can follow up on that lead to determine the legitimacy of both the process and the endpoint.
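To show the kind of follow-up Sections 6.1, 6.2 and 7.0 describe, here is an added Python example (not part of this procedure, and not EnCase code) that runs the same triage over a constructed, CSV-shaped copy of the connection and process tables: it joins each connection to its process, flags processes talking to endpoints outside assumed internal ranges, and reconstructs the PPID chain and binary path for each flagged process. The CSV column names, the sample rows, the internal address ranges and the expected system directories are all assumptions; the Analysis Browser's own export format may differ.

```python
import csv
import io
import ipaddress

# Constructed sample snapshot (not real data). Field names follow what the
# Sweep Enterprise Analysis Browser displays; the CSV layout is an assumption.
CONNECTIONS_CSV = """\
local_address,remote_address,state,pid,process
10.1.5.23:49712,10.1.5.10:445,ESTABLISHED,4,System
10.1.5.23:49801,203.0.113.77:443,ESTABLISHED,3120,svch0st.exe
10.1.5.23:49822,172.16.20.5:3389,ESTABLISHED,1188,svchost.exe
127.0.0.1:49833,127.0.0.1:49834,ESTABLISHED,2440,wordpad.exe
10.1.5.23:49870,198.51.100.9:8080,ESTABLISHED,3120,svch0st.exe
"""

PROCESSES_CSV = """\
pid,ppid,process,path
4,0,System,
720,4,services.exe,C:\\Windows\\System32\\services.exe
1188,720,svchost.exe,C:\\Windows\\System32\\svchost.exe
1960,1200,explorer.exe,C:\\Windows\\explorer.exe
2440,1960,wordpad.exe,C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe
3120,1960,svch0st.exe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe
"""

# Address ranges treated as "internal" for triage. Assumption: adjust to the
# enterprise address plan (VPN or DMZ ranges may belong here as well).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Directories from which OS binaries are normally loaded (assumption); a process
# with a system-like name running from elsewhere deserves a second look.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_table(text):
    """Parse one exported table into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def split_endpoint(endpoint):
    """'10.1.5.23:49712' -> (ip_address, port); also accepts '[::1]:443'."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def is_external(endpoint):
    """True when the remote side lies outside every configured internal range."""
    ip, _ = split_endpoint(endpoint)
    return not any(ip in net for net in INTERNAL_NETS)


def parent_chain(pid, procs_by_pid, limit=32):
    """Walk PPID links upward, e.g. ['svch0st.exe (3120)', 'explorer.exe (1960)'].
    Stops at an unknown parent or after `limit` hops (guards against PID-reuse loops)."""
    chain, seen = [], set()
    while pid in procs_by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        row = procs_by_pid[pid]
        chain.append(f"{row['process']} ({pid})")
        pid = int(row["ppid"])
    return chain


def find_external_connections(connections_csv, processes_csv):
    """Return one finding per process that talks to an external endpoint,
    with its binary path, whether that path is in an expected root, and its parent chain."""
    procs_by_pid = {int(r["pid"]): r for r in parse_table(processes_csv)}
    findings = {}
    for conn in parse_table(connections_csv):
        if not is_external(conn["remote_address"]):
            continue
        pid = int(conn["pid"])
        proc = procs_by_pid.get(pid, {"process": conn["process"], "path": ""})
        path = proc["path"]
        finding = findings.setdefault(pid, {
            "pid": pid,
            "process": proc["process"],
            "path": path,
            "path_in_expected_root": path.lower().startswith(EXPECTED_ROOTS),
            "remotes": [],
            "parent_chain": parent_chain(pid, procs_by_pid),
        })
        finding["remotes"].append(conn["remote_address"])
    return sorted(findings.values(), key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in find_external_connections(CONNECTIONS_CSV, PROCESSES_CSV):
        print(f"[{f['pid']}] {f['process']} -> {', '.join(f['remotes'])}")
        flag = "" if f["path_in_expected_root"] else "  <-- outside expected system directories"
        print(f"    path:  {f['path'] or '(none)'}{flag}")
        print("    chain: " + " <- ".join(f["parent_chain"]))
```

On the constructed data only PID 3120 is reported: it reaches two external endpoints, runs from a user's Temp directory rather than a system directory, and was launched by explorer.exe, which is the combination of signals the use case above tells the analyst to chase. The connection to 172.16.20.5 is not reported because that range is configured as internal; tune INTERNAL_NETS before trusting the output on a real sweep.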

8.0 - Additional Notes
EnCase Sweep Enterprise is one tool that can be used in the rapid assessment of hosts that, for one reason or another, have been brought to your attention. Should you identify suspicious behavior, continue with your Rapid Response and Assessment procedures to complete the assessment.

