Continental Store

EnCase, IEF & FTK results on the forensic workstation - FR96

Here is a real case study showing the results that can be achieved when the usual forensic tools are run on our FR96 workstation, several of them at the same time.

Equipment:      Continental FR96, dual Xeon E5-2680 2.7 GHz (16 cores / 32 threads), 96 GB RAM

Case:           Handling stolen goods

Analyst:        One of our clients

Evidence:       3 machines and associated devices seized from one house

                HDD1  Windows 8        (640 GB)
                HDD2  Windows 7 Pro    (160 GB)
                HDD3  Windows Vista    (120 GB)

Applications:   Several forensic packages open at the same time

EnCase 6 (version 6.19.7.2)  Total files/folders: 760,420

Internet Evidence Finder (version 6.4.2.0070)

Application utilises all cores/threads: Yes (32), once allowed to do so in Options

Quick search (common areas)

    Total time:                  4 minutes 25 seconds
    RAM (at peak):               52 GB
    Internet artefacts found:    147,321

Full search (including unallocated space, volume shadow copies, uninitialised areas, etc.)

    Total time:                  4 hours 48 minutes
    RAM (at peak):               72 GB
    Internet artefacts found:    342,736

Main advantages of the full search in this case

The full search recovered 195,415 more artefacts than the quick search, including web mail, Windows Live Messenger, InPrivate Browsing and Facebook content. Much of that material survives only as deleted or never-indexed data (InPrivate Browsing, for example, is designed not to keep history or cache once the session ends), so it is only reached by the passes over unallocated space and volume shadow copies.

AccessData Forensic Toolkit (version 5.5.0.44 with PostgreSQL DB)

Application utilises all cores/threads: Yes (32)

    Total time:                  3 hours 58 minutes
    RAM (at peak):               24 GB
    Total files/folders:         1,076,778

File structures viewed: encrypted and password-protected files identified, 132 Thumbs.db files viewed, 1,890 emails, etc.

FTK word list created (1.97 GB) and imported into PRTK.

SAM registry file: the Admin user's login cracked in 2 minutes 19 seconds (a 10-character alphanumeric passphrase!). A passphrase of that length is far beyond exhaustive search in two minutes, so a hit this fast points to a dictionary match, most likely from the word list just harvested from the evidence itself, which is why the word list is built and imported before the attack is run.

NTUSER registry file to PRTK (with the passphrase above and the URLs from IEF) to obtain AutoComplete data: 13 usernames and passwords obtained instantly. Both inputs are needed: Internet Explorer protects saved credentials with the user's logon secret (hence the cracked passphrase), and it files each entry under a hash of the URL it belongs to rather than the URL itself, so the URL list recovered by IEF is what lets PRTK locate and decrypt the matching entries.
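The AutoComplete step above depends on a URL list as much as on the cracked passphrase, and the reason is worth seeing in code. The Python below is an added example, not code from this page, the client, Magnet or AccessData: Internet Explorer 7 to 9 keep each saved credential in NTUSER.DAT under IntelliForms\Storage2, with a value name derived from the URL and a DPAPI blob that uses the same URL as entropy, so a tool can only find and decrypt an entry if it can reproduce the exact URL. The code derives Storage2 value names for URLs recovered by a history tool and matches them against names enumerated from a hive. The hashing scheme follows the commonly documented one and should be checked against a hive you control before relying on it; the URLs, value names and the variant heuristic are constructed for the example; the DPAPI decryption itself is left to the forensic tool. IE10 and later (the default on Windows 8) move saved logins to the Windows Vault, so this applies to the Vista and Windows 7 hives in a case like this one, not the Windows 8 hive.

```python
import hashlib

# Key in NTUSER.DAT where IE7-IE9 keep saved form/login credentials.
STORAGE2_KEY = r"Software\Microsoft\Internet Explorer\IntelliForms\Storage2"


def storage2_value_name(url: str) -> str:
    """Derive the Storage2 value name IE7-IE9 use for a URL.

    Scheme as commonly documented for the IntelliForms store (verify against a
    hive you control): the URL is encoded as UTF-16LE including the terminating
    NUL, hashed with SHA-1, written as 40 upper-case hex digits, and a two-digit
    checksum (sum of the 20 digest bytes mod 256) is appended. The value data is
    a DPAPI blob whose optional entropy is the same UTF-16LE URL, so without the
    URL the blob cannot be decrypted even with the user's logon password.
    """
    data = (url + "\x00").encode("utf-16-le")
    digest = hashlib.sha1(data).digest()
    checksum = sum(digest) & 0xFF
    return digest.hex().upper() + f"{checksum:02X}"


def checksum_ok(value_name: str) -> bool:
    """Sanity-check a candidate value name: 42 hex chars, trailing byte = digest sum."""
    if len(value_name) != 42:
        return False
    try:
        digest = bytes.fromhex(value_name[:40])
        return int(value_name[40:], 16) == (sum(digest) & 0xFF)
    except ValueError:
        return False


def url_variants(url: str):
    """Candidate spellings to hash for one recovered URL (heuristic, not IE's algorithm).

    IE hashes the address of the page as it was loaded; a URL recovered from a
    history database or carved fragment may differ in case or trailing slash, so
    trying a few variants is a cheap way to raise the hit rate.
    """
    seen = []
    for candidate in (url, url.lower(), url.rstrip("/"), url.rstrip("/") + "/"):
        if candidate not in seen:
            seen.append(candidate)
    return seen


def resolve_storage2_names(value_names, recovered_urls):
    """Match Storage2 value names from a hive against URLs recovered elsewhere.

    Returns (resolved, unresolved): resolved maps value name -> the URL that
    produced it (which is also the DPAPI entropy needed for decryption);
    unresolved lists names no candidate URL hashed to, i.e. credentials that
    are present in the hive but cannot be decrypted yet.
    """
    lookup = {}
    for url in recovered_urls:
        for variant in url_variants(url):
            lookup.setdefault(storage2_value_name(variant), variant)
    resolved, unresolved = {}, []
    for name in value_names:
        if name in lookup:
            resolved[name] = lookup[name]
        else:
            unresolved.append(name)
    return resolved, unresolved


# Constructed sample data (not from the case): URLs as a history tool might
# return them (the second one differs in case from what IE hashed), and value
# names as they might be enumerated from Storage2. The third name stands for a
# site whose URL was never recovered, so its credential stays locked.
RECOVERED_URLS = [
    "https://login.live.com/",
    "HTTPS://WWW.FACEBOOK.COM/login.php",
    "https://mail.example.net/",
]

HIVE_VALUE_NAMES = [
    storage2_value_name("https://login.live.com/"),
    storage2_value_name("https://www.facebook.com/login.php"),
    storage2_value_name("https://shop.example.org/account"),  # URL not in RECOVERED_URLS
]


def demo():
    """Run the matching over the constructed data and return (resolved, unresolved)."""
    return resolve_storage2_names(HIVE_VALUE_NAMES, RECOVERED_URLS)


if __name__ == "__main__":
    resolved, unresolved = demo()
    for name, url in resolved.items():
        print(f"{name}  <-  {url}")
    for name in unresolved:
        print(f"{name}  <-  (no URL recovered; cannot decrypt yet)")
```

The unresolved entry is the practical point: a credential can be sitting in the hive, with the user's passphrase already cracked, and still be unrecoverable until the matching URL turns up, which is one more reason the full IEF search (and its larger URL set) pays for itself in a case like this.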

 

EnCase (version 7.10.00.103)

Application utilises all cores/threads: No

    Total time:                  Stopped after several hours (still on the first image)
    RAM (at peak):               All available (96 GB)
    Total files/folders:         Unknown (processing did not complete)