EnCase Integrated Threat Toolkit (EITT)
EITT was created to assist DFIR investigators with open-source tools (OSTs). The toolkit comes with more than 15 integrated modules that allow an investigator to quickly locate and eliminate cyber threats against their enterprise. EITT was developed by the Professional Services team at Guidance Software to be a must-have addition to any DFIR workflow.
This free download includes the EITT installer and user guide. An unlimited release version that allows simultaneous endpoint connections is available with EnCase EndPoint Security.
Note: The EnCase Integrated Threat Toolkit is designed for use with EnCase v7.
Cyber Analysis Modules:
- PDF Tool Analysis
- Volatility for Windows, Linux and Mac
- Plaso - Log2Timeline
- Plaso - Psort
- Reverse Shell Module
Investigative Script Modules:
- Registry Parser
- Find Temp Executable Search
MFT Parser: Parses the $MFT on any Windows OS.
UsnJrnl Parser: Parses the $UsnJrnl on any Windows OS.
PreFetch Parser: Parses the Prefetch folder on a Windows OS, looking for any file with the “.pf” extension.
MWD Registry Parser: Looks for any type of binary value stored in the Windows Registry hives. It will use a “Blacklist Path” file if provided and will ignore any paths listed in a “Whitelist Path” file.
Find Temp Executable Search: Searches an operating system for any executables located in any temp directory on the system.
Malware Entropy Date Range Search: Searches a target system for any file whose entropy value is above the value provided in the Entropy field.
Known Malware Paths: Searches a target system for any file path/extension contained in a provided “Blacklist” and/or any file whose entropy value is above the value provided in the Entropy field.
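The two modules above combine the same two tests: a per-file Shannon entropy threshold (packed or encrypted payloads tend to sit near the 8-bit maximum) and a blacklist of path/extension patterns. The following is an added illustration of that triage logic, not EITT's own code; the file contents, paths, the 7.0 threshold and the blacklist patterns are all constructed for the example.

```python
import math
from collections import Counter
from fnmatch import fnmatchcase


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def matches_blacklist(path: str, patterns) -> bool:
    """Case-insensitive glob match of a path against blacklist patterns (constructed format)."""
    lowered = path.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def triage_files(files, entropy_threshold=7.0, blacklist=()):
    """files: mapping of path -> content bytes.

    Returns a list of (path, entropy rounded to 3 places, reasons) for every
    file that exceeds the entropy threshold and/or matches the blacklist.
    """
    hits = []
    for path, data in files.items():
        reasons = []
        ent = shannon_entropy(data)
        if ent > entropy_threshold:
            reasons.append("entropy")
        if matches_blacklist(path, blacklist):
            reasons.append("blacklist")
        if reasons:
            hits.append((path, round(ent, 3), reasons))
    return hits


# Constructed sample "disk": a benign text file, a mostly-zero PE stub dropped in
# Temp, a uniformly distributed blob with a double extension, and a high-entropy blob.
SAMPLE_FILES = {
    r"C:\Windows\System32\drivers\etc\hosts":
        b"# localhost name resolution\n127.0.0.1 localhost\n",
    r"C:\Users\alice\AppData\Local\Temp\update.exe":
        b"MZ" + b"\x00" * 200 + b"This program cannot be run in DOS mode",
    r"C:\Users\alice\Downloads\invoice.pdf.scr":
        bytes(range(256)) * 4,                    # every byte value 4 times -> 8.0 bits
    r"C:\ProgramData\cache.bin":
        bytes((i * 7) % 256 for i in range(1024)),  # also uniform -> 8.0 bits
}

# Constructed blacklist in the spirit of a "Blacklist Path" file: executables in
# any Temp directory, and screensaver extensions.
DEFAULT_BLACKLIST = (r"*\temp\*.exe", "*.scr")


if __name__ == "__main__":
    for path, ent, reasons in triage_files(SAMPLE_FILES, 7.0, DEFAULT_BLACKLIST):
        print(f"{ent:5.3f}  {','.join(reasons):18} {path}")
```

The entropy test alone is noisy (compressed archives, images and legitimate crypto material all score near 8.0), which is why the toolkit pairs it with a date range and a path blacklist; on a real system the blacklist file is the reviewer's prior knowledge and the entropy score is a prioritisation hint, not a verdict.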
RAM Dump: The acquisition of memory from a target machine. This module will launch EnCase Enterprise in the background and acquire the image, placing it in a Logical Evidence File (LEF) for future use.
Strings: Uses the Sysinternals (owned by Microsoft®) strings.exe utility, which parses any file and produces a text file listing the ASCII strings found in the target file.
MD5 Module: Searches for any MD5 value provided, individually or in a text file.
RegRipper Module: Allows the user to process multiple Registry Hive files across an endpoint. The Registry hives will be copied into the output folder as native files as well as contained in a LEF for future use. Each “plugin” or “Profile” will be processed against the required hive file, and an output result will be placed in the ToolLogs subfolder for review.
PDF Parser: Uses PDFID to run the Triage, Name Obfuscation and Embedded File plugins, identifying the fundamental elements of PDF files.
Volatility for Windows, Linux and Mac: Uses the Open Source Volatility Framework to parse and analyze memory dumps from the respective systems.
Plaso (Log2Timeline and Psort): Incorporates the Super Timeline analysis functionality into a GUI interface.
Reverse Shell Module: Provides the ability to open an embedded command shell on EITT from a target machine.
PST Timeline: Provides the ability to build a timeline from a provided PST file.