
EnCase Forensic Version 6.11 User`s Guide


Contents

1. Selecting Tree Entries for Operations. Selection is the way to choose multiple items in the Tree pane to manage them. While highlighting and including in the Tree pane drive the content of the Table pane, selecting does not. Selecting determines which entries are processed by analytic operations such as bookmarking, searching, filtering, and hashing. When you select an item by clicking a check box, the selection propagates upwards in the hierarchy to include related structure. Figure 24: Selecting items, where 1 is the item that you checked with a mouse click; 2 is a selected ancestor that was propagated from the initial selection, whose entire contents are included in a future operation, as indicated by the white background of the checkbox; and 3 is a selected ancestor that was propagated from the initial selection whose contents are not included, and as a result its checkbox has a gray background. The arrow shows the direction of the propagation. [Figure 24 screenshot: the Entries tree with the checked item and its selected ancestors.]
2. file location: Eseutil /mh <file path>\pub1.edb. If the EDB file is in an inconsistent state, first try to recover it as follows: C:\Exchange\BIN\Eseutil.exe /r E00. Click Yes to run the repair. Note that the three-character log file base name represents the first log file; files are sequentially named, with E00.log being the first log file. Run a check (step 5) on the resulting EDB file. If the file is still in an inconsistent state, attempt to repair the EDB file. This may result in the loss of some data currently in the log files. Run the repair as follows: C:\Exchange\BIN\Eseutil.exe /p. For additional information on the Eseutil program, read the Microsoft article at http://support.microsoft.com/kb/272570/en-us. Cleaning an EDB Database. The MS Exchange Server stores email messages in an EDB file on a server, with a corresponding log file named E00.log. The log file is where Exchange stores data to be committed to the EDB file. In older Server versions there is also a corresponding .stm file. When the log file contains data that has not been committed to the EDB file, the EDB file is in an inconsistent, or dirty, state. EnCase is unable to parse inconsistent EDB files. When an EDB file is dirty, there are several tests that can be run on it to determine whether the files are merely out of sync or are in fac
3. [Figure residue: Entries tree of a user profile folder, with the Name filter bar.] Highlighting differs from selecting. Selecting (clicking one or more check boxes) constructs a collection for processing by an analytic operation such as bookmarking or hashing. Highlighting also differs from including. Including (clicking to display the green polygon) displays all the items found in the included branch of the tree, from the top level down to the item you clicked. Displaying Expanded Tree Entry Information. You can include all the lower levels of the hierarchy of an item for display in the Table tab with a single mouse click; you do not have to explicitly expand the tree folders. When you click the Set Include polygon in the Tree pane, or right-click and choose Set Include from the menu, this occurs: the Set Include icon of the highlighted item turns green; items on the lower levels of the hierarchy are also included, as indicated by the green icons; the content of all the entries or object
4. Contents entries:
   Parsing a Locally Encrypted Mailbox 322
   Encrypted Block 323
   Decrypted Block 324
   Locally Encrypted NSF Parsing Results 325
   CHAPTER 9 Analyzing and Searching Files 327
   Signature Analysis 328
   File Signatures 328
   File Signatures with Suffixes 329
   Viewing the File Signature Directory 329
   Adding a New File Signature 331
   Editing a Signature 332
   Performing a Signature Analysis 333
   Viewing Signature Analysis Results Part 1 334
   Viewing Signature Analysis Results Part 2 335
   Signature Analysis Legend 336
   EnScript Programming Language 337
   Included EnScript Components 337
   EnScript Types 338
   Hash Analysis 338
   File Hashing
5. [Figure residue: the File Viewers tree, the View menu, and the New File Viewer dialog with its Name, Application Path, and Command Line fields.] 1. Display the File Viewers tree in the Tree pane: on the main window, click View > File Viewers, or on the Tree pane, click File Viewers. The File Viewer tree appears. 2. Right-click the root of the File Viewers tree and select New. The New File Viewer dialog appears. 3. Browse to the file viewer's executable, make any other changes to the settings on the dialog, and click OK. The file viewer appears in the file viewer table. Associating the File Viewer's File Types with the Viewer. When you add a new file viewer to your EnCase application, yo
6. [Figure residue: an EnCase Enterprise Training case with files listed in the Table pane.] The next figure shows the same files as they appear encrypted. [Figure residue: the same files in hex view, showing encrypted content.]
7. [Figure residue: Entries tree of a user profile folder, showing Application Data, Identities, Microsoft Credentials, Crypto, Protect, and SystemCertificates subfolders.]
8. [Figure residue: Table pane listing AOL ART .gif files with their Signature, File Ext, and File Type columns.] Viewing Signature Analysis Results, Part 2. 1. Click Set Include in the Entries selection in the Tree pane. A list of case files and their associated file signature and other data appears in the Table pane. 2. Sort the data if desired. In this case, the red triangle in the Name column indicates the display is sorted alphabetically by name. Signature Analysis Legend
9. [Figure residue: the Entries tree and the Device right-click menu, with commands including Acquire, Hash, Scan Disk Configuration, Analyze EFS, Verify File Integrity, Mount as Network Share, and Mount as Emulated Disk.] To open the Acquisition wizard: 1. To reach the Entries tree in the Tree pane, click Cases > Entries > Home. The Entries tree displays in the Tree pane. 2. In the Entries tree, highlight the desired device. 3. Right-click the highlighted device object. The Device right-click menu appears. 4. Click Acquire. The Acquisition wizard appears. Continue creating an EnCase evidence file by completing the acquisition specification us
10. [Figure residue: the Guidance Software Support Portal home page, with its news sidebar.] The Guidance Software Support Portal includes the EnCase User, Hardware, and EnScript forums, our new bug tracking system, a knowledge base, and other important tools and links. This site brings valuable resources and message boards into one convenient location, allowing law enforcement and corporate security professionals to exchange ideas, ask questions, and provide solutions. Thousands of skilled and experienced users are registered on the boards, reviewing posts every day, and can offer their expertise on the functionality of EnCase software, forensic hardware issues, and EnScript writing. The Guidance Software Support Portal is an important resource for the forensic analyst.
11. [Figure residue.] To create a logical evidence file: 1. In the Tree pane, click Cases > Entries > Home. The Entries tree appears in the Tree pane. 2. Select the files and folders to be associated with the logical evidence file. 3. Right-click the parent object on the Entry tree and click Create Logical Evidence File. The Sources page of the Create Logical Evidence File wizard appears. 4. Accept the default settings or enter desired values, and then click Next. The Outputs page of the Create Logical Evidence File wizard appears. 5. Enter the appropriate values and enter or browse to the path and filename of the logical evidence file to be created. 6. Click Next. The results dialog appears with a status of complete. Recovering Folders. The following types of folders can be recovered: folders on FAT volumes, as described in Recovering Folders on FAT Volumes; NTFS folders, as described in Recovering NTFS Folders; UFS and EXT2/3 partitions, as described in Recovering UFS and EXT2/3 Volumes. Recover Folders on FAT Volumes. After adding an evidence file to a case, run Recover Folders on all FAT partitions by right-clicking on each device and selecting it. This command searches through the unallocated clusters of a specific FAT partition for the dot, double-dot
12. Contents entries:
   Creating Bookmarks 414
   Creating a Highlighted Data Bookmark 415
   Creating a Notes Bookmark 416
   Creating a Folder Information Structure Bookmark 417
   Creating a Notable File Bookmark 418
   Creating a File Group Bookmark 419
   Creating a Log Record Bookmark 420
   Creating a Snapshot Bookmark 421
   Creating a Datamark as a Bookmark 422
   Using Bookmarks 422
   Editing a Bookmark 423
   Bookmark Editing Dialogs 424
   Edit Highlighted Data Bookmarks Dialog 425
   Edit Note Bookmarks Dialog 426
   Edit Folder Information Structure Bookmarks Dialog 426
   Edit Notable File Bookmarks Dialog 427
   Edit Snapshot Bookmarks Dialog 427
   Edit Log Record Bookmarks Dialog 428
   Edit Datamarks Dialog 428
   Edit Bookmark Folder Dialogs 429
   Edit Folder Dialog
13. Step 2: Copy the files shown here from the server to the appropriate location. The table assumes the server installation is C:\Program Files\SBAdmin.
   Additional SafeBoot installation files (Copy from | Copy to):
   C:\Program Files\SBAdmin\SDMCFG.INI | C:\Program Files\EnCase6\Lib\SafeBoot
   C:\Program Files\SBAdmin\Technology\… | C:\Program Files\EnCase6\Lib\SafeBoot
   Exporting a Machine Profile from the SafeBoot Server. Before you can perform an offline decryption of a SafeBoot-encrypted drive, you first need to export the target machine profile from the SafeBoot server. Here are the steps to accomplish an offline machine profile export. Be sure that you have obtained the SDMCFG.INI and SbAlg.dll files from the SafeBoot Server, as described in SafeBoot Setup on page 385. 1. Log on to the SafeBoot server with an administrator account. 2. Launch SafeBoot Administration Tools from Start Menu > Programs > SafeBoot Administrator Tools > SafeBoot Administration. 3. Log in with the SafeBoot administrator account. 4. Click the Device tab. 5. Expand the SafeBoot Machine Group tree. 6. Double-click on the SafeBoot Machine child in the SafeBoot Machine Group tree. A list of all computers registered to this particular SafeBoot database appears on the right side of the SafeBoot Administrator screen. 7. Right-click the computer name you wish to decrypt, then select Export Configuration from the m
14. Step 6: Right-click the Palm Pilot object in the Entry tree and click Acquire. The After Acquisition page of the Acquisition wizard appears. [Figure residue: the Entry right-click menu and the After Acquisition page, with options such as Acquire another disk, New Image File, Do not add, Add to Case, Replace source device, Restart Acquisition, and Existing Evidence File.] 7. Continue the acquisition from Step 1 of Specifying and Running an Acquisition. When the Acquisition Results dialog closes, the acquisition is complete. Leaving Console Mode. To leave console mode, you must do a soft reset on the Palm Pilot. Turning the Palm Pilot off and back on does not take it out of console mode, and leaving it in console mode causes the battery to drain faster than usual. To leave console mode: 1. Locate the small hole on the back of the Palm Pilot labeled RESET. 2. Press the tip of a pen into the hole. Acquisition Times. Initially previewing a serial Palm Pilot PDA may be slow, because standard serial ports transfer data at a maximum speed of 115 kbps. The preview and acquisition of a Palm Pilot Vx, for example, takes between 30 and 40 minutes. USB Palm Pilots
15. 1. Start EnCase. 2. Vista displays a prompt with the heading "An unidentified program wants access to your computer". [Figure: the User Account Control prompt, reading "Don't run the program unless you know where it's from or you've used it before. EnCase.exe, Unidentified Publisher. Cancel: I don't know where this program is from or what it's for. Allow: I trust this program. I know where it's from or I've used it before. User Account Control helps stop unauthorized changes to your computer."] 3. Click Allow. Vista does not allow drag and drop between applications with different security levels. You must disable the User Account Control (UAC) to drag files to EnCase from the Windows shell. For details, see Disabling Microsoft Windows Vista User Account Control on page 41. Disabling Microsoft Windows Vista User Account Control. You can use the User Account Control (UAC) security feature in Microsoft Windows Vista to perform common tasks as a non-administrator (called a standard user) and as an administrator without having to switch users, log off, or use Run As. In prior versions of Windows, the majority of user accounts were configured as members of the local administrators group, because administrator privileges are required to install, update, and run many software applications without conflicts and to perform typical system-level tasks. With UAC enabled, you can run most app
16. [Figure residue: the right-click menu on a .zip entry, with Show Columns, Column, Sort, Select Item, and Go to Parent.] To view or mount compressed files: 1. Navigate to the compressed file you want to view or mount. 2. Continue with step 2 of Viewing File Structure. The file structure of the compressed file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Viewing Lotus Notes Files. Lotus Notes versions 5, 6, 6.5, and 7 provide NSF support, which allows you to view email, appointments, and journal entries. 1. Navigate to the NSF file you want to view or mount. 2. As needed, select Calculate unallocated space, then select Find deleted content. 3. Continue with step 2 of Viewing File Structure. The file structure of the email (.nsf) file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice that the icon for the compound email file looks like a disk drive, and no compound volume indicator is added to the icon after it is parsed. Viewing MS Exchange Files. MS Exchange 2000/2003 (.edb) support provides the ability to view mailboxes and emails. 1. Navigate to the .edb file you want to view or mount. 2. As needed, select Calculate unallocated space, then select Find deleted content. 3. Continue with step 2
17. [Figure residue: the Table pane right-click menu, with Show Columns, Column, Sort, Set Lock, Select Item, Go to Parent, Fit to Data, and Auto Fit All.] You can change the order in which the columns appear by grabbing the column header and dragging the column to the desired location. Note: Change column order by left-clicking the column header and dragging it to another location. Setting a Lock on Columns. Use Set Lock to scroll right and left in a table while continuing to show certain columns. Columns are locked on the left side of the Table pane. To lock a column: 1. Place the cursor in a column to be locked. 2. Right-click and select Set Lock in the sub-menu. [Figure residue: the same right-click menu, showing Copy, Show Excluded, Show Deleted, Delete, Exclude, Export, Tag File, View Search Hits, Bookmark Selected Items, and Reset.] The lock is set on the position of the column. If other columns are moved into that position, they too are locked. To release the lock: 1. Right-click the locked column. 2. Select Columns. 3. Select Unlock. Excluding Search Hits. The Exclude option hides one or more search hits fr
18. [Figure residue: hex view of an encrypted S/MIME message, with the Tree pane showing Keywords and EnScript folders.] When parsing is complete and successful, a directory list displays. In the illustration, the folder is entitled smime.p7m. The text of the email is shown in the Text pane, while the email's attachments appear in the Table pane. You should view and work with content in the Records tab. [Figure residue: the Records tab showing the parsed smime.p7m folder, with entries such as Alternate Body, Picture, and Encrypted Signed with Att.]
19. Contents entries:
   Case Options Tab
   Global Tab
   Fonts Tab of the Options Dialog
   EnScript Tab
   Storage Paths Tab
   Sharing Configuration Files
   Vista Examiner Support
   Disabling Microsoft Windows Vista User Account Control
   Running a 32-bit Application on a 64-bit Platform
   CHAPTER 4 Using LinEn
   Introduction
   Viewing the License for LinEn
   Creating a LinEn Boot Disc
   Configuring Your Linux Distribution
   Obtaining a Linux Distribution
   LinEn Set Up Under SUSE 49
   LinEn Set Up Under Red Hat 49
   Performing Acquisitions with LinEn 50
   Setup for a Drive to Drive Acquisition 50
   Doing a Drive to Drive Acquisit
20. [Figure residue: the File menu, ending with Add Device, Add Raw Image, and Exit.] You may see different options on the File menu depending on your context. The File menu provides the following commands. New displays the Case Options dialog, where you define the case you want to add. Open displays the Open dialog, where you select a previously saved case. Save saves the previously saved case file, or displays the Save dialog, where you enter the filename, path, and file type for the case file you want to save. Save As displays the Save As dialog, where you enter the filename, path, and file type for the case file under a different name. Save All displays the Save All dialog, where you enter the filename, path, and file type for both the case file and EnCase global settings. Print displays a Print dialog, where you define the print settings for the content (Table, Report, or Code) depending on what is displayed in the Table pane. Printer Setup displays the Print Setup dialog, where you select a printer and choose printer settings. Add Device displays the Add Device wizard, where you define the preview and acquire parameters for a device. This command appears in the menu only when a case is open. Add Raw Image displays the Add Raw Image dialog, where you select image files to be added to the open case. This command appears in the menu only when a case is open. Exit closes the program. If content has changed, you are prompted to save it.
21. The Table Pane menu corresponds to the tabs appearing in the table pane. The tabs in the table pane depend on the tab currently selected in the tree pane. [Figure residue: the View menu with its Tree pane tabs (App Descriptors, Archive Files, Cases, Encryption Keys, EnScript, EnScript Types, File Signatures, File Types, File Viewers, Keywords, Machine Profiles, Packages, Projects, SAFEs, Text Styles) and the Table Pane submenu.] Table Pane Menu. The Table Pane command on the View menu displays the Table Pane menu. The table pane contains a collection of context-sensitive tabs; the context is driven by the tab displayed in the tree pane. The table pane menu is context-sensitive as well. Each of the tabs in the Table pane has a corresponding tab in the Table pane tab bar and a corresponding command on the Table Pane menu (Table, Report, Gallery, Timeline, Disk, Code). Table displays the Table tab in the table pane. It displays by default. Report displays the Report tab in the table pane. It displays by default. Galler
22. [Figure residue: Table pane listing BMP entries 538 through 547 with their In Report, File Ext, Signature, and Category columns.] 2. Place the cursor anywhere in the In Report column and right-click for a dropdown menu. [Figure residue: the right-click menu, with In Report (Ctrl+R) and In Report Invert Selected Items (Ctrl+Shift+R) at the top.] 3. Select In Report. On the Table pane, the In Report column entry changes to a true value. 4. Click the Report panel to see its contents. Report Multiple Files. Open a case and display its contents in the Table pane. 1. Check the boxes next to the record numbers to include in the report (538, 539, 541, 544, and 545 in the figure). [Figure residue: the Table pane with those records checked.]
23. A coordinated set of glyphs designed with stylistic unity. A font usually comprises an alphabet of letters, numerals, and punctuation marks. G. Globally Unique Identifier (GUID): A GUID is a pseudo-random number used in software applications. While each generated GUID is not guaranteed to be unique, the total number of unique keys (2^128, or 3.4 x 10^38) is so large that the probability of the same number being generated twice is exceptionally small. GREP: An acronym for "search Globally for lines matching the Regular Expression and Print them". GREP is a command-line utility originally written for use with the Unix operating system. The default behavior of GREP takes a regular expression on the command line, reads standard input or a list of files, and outputs the lines containing matches for the regular expression. The GREP implementation in EnCase has a smaller subset of operators than the GREP used in Unix. GUID: See Globally Unique Identifier. H. Hash: A method used to generate a unique identifier for the data the hash value represents. There are several standardized hashing algorithms. EnCase uses the 128-bit MD5 hashing algorithm, which has 2^128 unique values. This ensures that the chance of finding an identical hash value using a different data set is exceptionally small. Hash Sets: Collections of hash values for groups of files. Hexadecimal: A numeral system with a radix, or base, of 16, usual
24. Overview of Case Structure. An evidence case has a tripartite structure consisting of an evidence file, a case file, and EnCase program configuration files. The case file contains information specific to one case. It contains: pointers to one or more evidence files or previewed devices; bookmarks; search results; sorts; hash analysis results; signature analysis reports. Note: A case file must be created before any media can be previewed or evidence files analyzed. Indeed, one of the most powerful features of the program is its ability to organize different media so they can be searched as a unit rather than individually. Case Management. Before starting an investigation, give consideration to how the case is accessed once it is created. For example, more than one investigator may need to view the information. To accomplish this, evidence files can reside on a central server. Creating temporary, export, and evidence folders allows file segregation and control. A temporary folder holds any transient files created during an investigation. The export folder provides a destination for data copied from the evidence file. Create an evidence folder to store evidence. Temp and Export folders are built when a case is created. Concurrent Case Management. The program can open more than one case at a time. Each case appears in the Table pane and
25. [Figure residue: the parsed structure of an OLE file, showing Root Entry, DocumentSummaryInformation, and SummaryInformation.] To view or mount OLE files: 1. Navigate to the OLE file you want to view or mount. 2. Continue with step 2 of Viewing File Structures. The file structure of the OLE file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Viewing Compressed Files. EnCase applications can mount compressed files, including WinZip (.zip), GZip (.gz), and Unix tape archive (.tar) files. The contents are displayed as long as the container is not password protected. Only the modified date and times are shown on .gz and .tar files, as the compression processes do not store any other dates or times. GZip files are not labeled by name, only by their content file type and a .gz extension. For example, decompressing the file document.doc.gz displays the uncompressed .doc file. [Figure residue: the right-click menu on npds.zip with View File Structure, and the dialog "This file has a GZ signature. Continue parsing?"]
27. The Guidance Software Support Portal includes the EnCase User, Hardware, and EnScript Forums, our new bug tracking system, a knowledge base, and other important tools and links. This site brings valuable resources and message boards into one convenient location, allowing law enforcement and corporate security professionals to exchange ideas, ask questions, and provide solutions. Thousands of skilled and experienced users are registered on the boards, reviewing posts every day, and can offer their expertise on the functionality of EnCase software, forensic hardware issues, and EnScript writing. The Guidance Software Support Portal is an important resource for the forensic analyst.
28. The index conditions offered are Files Containing Index Terms (Stemming), Files Containing Index Terms (Diacritic Match), Files Containing Index Terms (Umlaut), Files Containing Index Terms (Exact Match), and Files Containing Index Terms (Any distance).
2. Double click on the condition you would like to use. All of the Index Conditions use the same dialog.
3. Enter the term you want to search for and click OK. When complete, the Table pane lists files that meet the condition requirements. The Filter column shows the condition that was run.

Generating an Index

1. Open a case containing evidence files.
2. If you know the files you want to specifically index, select them in the Table pane.
3. Select Tools > Index Case.
29. Emails and their attachments can be accessed and used for investigative purposes.

Export to .msg

The Export to .msg option for mail files and mail file attachments lets you preserve the folder structure from the parsed volume down to the entry or entries selected. This option is available
30. Add the evidence files to one case. Click View > Cases > Subtabs > Devices, right click any evidence file row, and select Edit Disk Configuration. The Disk Configuration dialog appears.
5. In Disk Configuration, right click on the appropriate disk configuration, then click New.
6. Enter the start sector and size of the selected disk configuration, and then click OK.

Validating Parity on a RAID 5

The Validate Parity command checks the parity of the physical disks used to assemble the RAID 5. Thus, if the RAID 5 was rebuilt with a missing disk, this feature will not work.

To check the parity:
1. From the Cases tab, right click the RAID 5 volume icon and then click Validate Parity.
2. The validation process status displays in the Thread Status line at the bottom right of the EnCase main window.

RAID 10

RAID 10 arrays require at least 4 drives, implemented as a striped array of RAID 1 arrays.

Acquiring Virtual PC Images

With Microsoft Virtual PC 2004 you can run multiple PC based operating systems simultaneously on one workstation. Users save images of these virtual PCs in a fashion similar to VMware. EnCase applications treat Microsoft Virtual PC 2004 images as devices to be submitted to the same investigation as physical devices. Virtual PC can create flat and sparse files, both of which are supported transparently by EnCase applications. Add Virtual PC files via the Add
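The parity check described above, as an added example that is not from the manual or from Guidance Software: constructed data is laid out as a small RAID 5 in Python, each stripe is checked to XOR to zero, and the last step shows why the check says nothing about an array rebuilt from a missing disk (the regenerated member is consistent with the survivors by construction, even when a survivor holds corrupt data). The stripe size, the layout, and all function names are assumptions.

```python
from typing import List

STRIPE = 4  # bytes per stripe unit; constructed small value so the layout stays readable


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte strings together (the operation behind RAID 5 parity)."""
    acc = bytearray(len(blocks[0]))
    for block in blocks:
        for j, byte in enumerate(block):
            acc[j] ^= byte
    return bytes(acc)


def build_raid5(data: bytes, ndisks: int, stripe: int = STRIPE) -> List[bytearray]:
    """Lay data out across ndisks members with one parity unit per stripe, the parity
    moving one member to the left each stripe (an assumed left-asymmetric layout)."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three members")
    per_stripe = stripe * (ndisks - 1)                    # user data carried by one stripe
    data = data + b"\x00" * ((-len(data)) % per_stripe)   # pad to whole stripes
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        units = [chunk[k * stripe:(k + 1) * stripe] for k in range(ndisks - 1)]
        parity_member = (ndisks - 1 - s) % ndisks
        parity = xor_blocks(units)
        pending = iter(units)
        for d in range(ndisks):
            disks[d] += parity if d == parity_member else next(pending)
    return disks


def validate_parity(disks: List[bytearray], stripe: int = STRIPE) -> List[int]:
    """Return the stripe numbers whose members do not XOR to all zeros.

    XOR is commutative, so the check does not need to know which member holds the
    parity unit of a given stripe; any single corrupt unit makes the result non-zero."""
    mismatches = []
    for s in range(len(disks[0]) // stripe):
        units = [bytes(d[s * stripe:(s + 1) * stripe]) for d in disks]
        if any(xor_blocks(units)):
            mismatches.append(s)
    return mismatches


def rebuild_member(disks: List[bytearray], missing: int) -> List[bytearray]:
    """Regenerate member `missing` from the survivors, as a controller does after a disk
    failure. The result is consistent with the survivors whatever they contain."""
    rebuilt = [bytearray(d) for d in disks]
    survivors = [bytes(d) for i, d in enumerate(disks) if i != missing]
    rebuilt[missing] = bytearray(xor_blocks(survivors))
    return rebuilt


if __name__ == "__main__":
    SAMPLE = b"The quick brown fox jumps over the lazy dog"   # constructed user data
    array = build_raid5(SAMPLE, 3)
    print("intact array, mismatching stripes:", validate_parity(array))   # []
    array[1][5] ^= 0xFF                     # corrupt one byte of member 1 (stripe 1)
    print("after corruption:", validate_parity(array))                    # [1]
    regenerated = rebuild_member(array, 0)  # member 0 lost, rebuilt from members 1 and 2
    print("after rebuild:", validate_parity(regenerated))                 # []
    # Parity validates again, yet member 1 still carries the corrupt byte and the
    # rebuilt member 0 inherited the error: Validate Parity cannot tell you anything
    # about an array that was rebuilt with a missing disk.
```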
31. The Picture Tab

The Picture tab of the View pane displays the contents of an image file.

The Report Tab

The Report tab displays a detailed list of file attributes in the View pane. The attributes shown in the figure include Name, File Ext, File Type, File Category, Description, Is Deleted, Last Accessed, File Created, Last Written, Entry Modified, File Acquired, Logical Size, Initialized Size, Physical Size, Starting Extent, File Extents, Permissions, References, Physical Location, Physical Sector, Code Page, Full Path, Is Duplicate, and Is Overwritten, followed by the Permissions entries (Name, ID, Property).
32. - Other enables you to specify your own time format.
- Current Time contains the current time in the time format selected.
- Show True contains the symbol indicating a value of true in table columns displayed in the Table tab of the Table pane.
- Show False contains the symbol used to indicate a value of false in table columns displayed in the Table tab of the Table pane.
- Backup Files contains the maximum number of files stored as backup files when a case is saved.
- Debug Logging contains the various settings that determine where debugging is logged.

Color Tab

This tab enables you to associate colors with various case elements.

Figure 2: Default Colors (the listed elements are Bookmark, Search Hit, Index Query Hit, Code Comments, Style Logical, Style Slack, Style Report Logical, Style Report Slack, Filter Frame, and Filter Text).

Default Colors contains a list of case elements that can be associated with a color. Double clicking on a listed element opens the Color Palette dialog so you can choose and associate a color with the listed case element.

Fonts Tab of the Options Dialog

This tab enables you to associate fonts with various case elements. Default Fonts contains a list of case elements that you can associate with a font. Double clicking on a listed element opens the Font dialog so you can choose and associa
33. Status Line

The status line provides details on the physical and logical drive location of a selection. The status line displays at the bottom of the main window.

Figure 17: The Status Line, where 1 is the status line and 2 is the cursor in the View pane driving the content of the status line (the status line in the figure reads PS 70, LS 70, CL 70, SO 000, FO 0, LE 1).

The file being examined in your EnCase application drives some of the status line content. The location of the cursor in the content of the file being examined, and the content selected by the cursor, also drive some of the status line content.

The status line content for the file being examined includes:
- Name of the case
- Name of the device
- Name of the volume
- Path to the file
- Filename

The status line content relative to the beginning of the file being examined includes:
- Physical sector (PS) displays the sector number of the physical sector relative to the beginning of the physical disk.
- Logical s
34. To view your search hits:
- Click the Search Hits tab in the menu bar, or
- Click View > Cases > Sub Tabs > Search Hits.

Exclude Files

Sometimes a keyword search returns more files than are useful to report. Hide these files from view by excluding them. Run, then view, a keyword search.
1. Select files to exclude, then right click the view.
2. Select either Exclude (Ctrl+E) or Exclude All Selected (Ctrl+Shift+E). Selecting Exclude All Selected displays a second option dialog, where Start From offers Root Folder or Current Folder.
3. Select the appropriate option and click OK. The selected files disappear from view.

Show Excluded Files

Excluded files are not deleted. They are merely hidden from view. To see them again, select the Show Excluded function.

To show excluded files:
1. Select Sho
35. The Wipe Drive log record in the figure reports Total Sectors 32,256, Read errors 0, Write errors 0, and Verify errors 0. You must reformat this drive in order to use it again.

Verifying Evidence Files

Verify Evidence Files checks the CRC values of selected files. It is a way to ensure that evidence is not tampered with. Verified CRC information is written out to a log file. If a CRC verification fails, a notification appears and you can log the error to the console, bookmark tab, or log file.

Acquire the evidence files.
1. Click Tools > Verify Evidence Files. The Verify Evidence Files file browser appears.
2. Select one or more evidence files and click Open. When files are verified, a status report appears.

Creating a LinEn Boot Disc

You have a copy of a Linux distribution. See Creating a LinEn Boot Disc on page 47 for more information.

Using EnCase To
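A simplified model of what the CRC verification above does, added here as an example and not the evidence file format or Guidance Software's code: a constructed image is split into chunks that each carry a CRC32, the whole image carries an MD5, and verification produces log lines that name any chunk whose CRC no longer matches. The chunk size (64 sectors), the field layout, and the function names are assumptions.

```python
import hashlib
import zlib
from typing import List, Tuple

SECTOR = 512
CHUNK_SECTORS = 64            # assumed chunk size: one CRC per 64 sectors of image data
CHUNK = SECTOR * CHUNK_SECTORS


def write_container(image: bytes) -> Tuple[List[bytes], List[int], str]:
    """Split a raw image into chunks, storing a CRC32 per chunk and an MD5 of the whole.
    A stand-in for the integrity fields an evidence file carries, not its real layout."""
    chunks = [image[i:i + CHUNK] for i in range(0, len(image), CHUNK)]
    crcs = [zlib.crc32(c) & 0xFFFFFFFF for c in chunks]
    return chunks, crcs, hashlib.md5(image).hexdigest()


def verify_container(chunks: List[bytes], crcs: List[int], md5: str) -> List[str]:
    """Recompute every chunk CRC and the image hash. Returns log lines in the spirit of
    the verification log: one per chunk, plus a final line for the whole-image hash."""
    log = []
    for i, (chunk, expected) in enumerate(zip(chunks, crcs)):
        actual = zlib.crc32(chunk) & 0xFFFFFFFF
        status = "OK" if actual == expected else "FAIL"
        log.append(f"chunk {i}: crc {actual:08X} expected {expected:08X} {status}")
    whole = hashlib.md5(b"".join(chunks)).hexdigest()
    log.append("md5 " + ("OK" if whole == md5 else "FAIL"))
    return log


def failed_chunks(log: List[str]) -> List[int]:
    """Chunk numbers whose CRC line reports FAIL (what a failure notification points at)."""
    return [int(line.split()[1].rstrip(":"))
            for line in log if line.startswith("chunk ") and line.endswith("FAIL")]


if __name__ == "__main__":
    # Constructed 96 KiB image: three chunks of repeating byte values 0x00..0xFF.
    image = bytes(range(256)) * (3 * CHUNK // 256)
    chunks, crcs, md5 = write_container(image)
    print(*verify_container(chunks, crcs, md5), sep="\n")          # every line OK
    tampered = list(chunks)
    tampered[1] = bytes([tampered[1][0] ^ 0x01]) + tampered[1][1:]  # flip one bit in chunk 1
    log = verify_container(tampered, crcs, md5)
    print("failed chunks:", failed_chunks(log), "|", log[-1])       # [1] | md5 FAIL
```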
37. Edit Condition: Make the modifications you want, then click OK. The modifications are saved to the database.

Export Selected to File: Click Export Selected To File to export a report definition from the database. The Export To File dialog opens. Click the Browse button to specify where to save the report definition, then click OK.

Import from File: Click Import from File to import a report definition to the database. The Import From File dialog opens. Click the Browse button to locate the file to import, then click OK.

Time between Queries (Minutes): Enter or select the number of minutes you want to pause between queries.

WinEn

WinEn is a standalone command line utility that captures the physical memory on a live computer running a Windows operating system (Win2k or higher). The physical memory image captured by WinEn is placed in a standard evidence file, along with the user supplied options and information. WinEn runs from a command prompt on the computer where you want to capture the memory. WinEn has a very small footprint in memory, and it is typically run from a removable device such as a thumb drive. Although this method makes minor changes to the computer running WinEn, this is the most effective way to capture physica
38. The Support Portal's landing page contains a section of useful links, including:
- Guidance Software Home Page
- Download Center: download software, hardware manuals, boot disks, support articles, etc.
- My Account: register your dongle ID to receive up to date software by email
- NVD (National Vulnerability Database) Information and Responses
- Guidance Product Version Matrix: check compatibility of different product versions
- Hardware Recommendations: hardware recommendations for EnCase Forensic and EnCase Enterprise
- Subscribe to Public Bugs

Customer Service

The Guidance Software Customer Services Department is staffed by highly trained, friendly staff capable of resolving any problem regarding your order. Hours and contact information are listed below.
Phone: 626 229 9191
Fax: 626 229 9199
Email: customerservice@guidancesoftware.com
Internet: http://www.guidancesoftware.com/support/cs_requestform.aspx
Hours: Monday through Friday, 6:00 a.m. to 5:00 p.m. Pacific Time

Training

Guidance Software offers a variety of professional courses for the beginner, intermediate, and advanced user of all its applications. In addition to providing a solid grounding in our software, we also provide our students with accepted best practices for investigation, report generation, and eviden
39. - Hex displays the text as hexadecimal digits rather than characters.
- Unicode displays the text in Unicode encoding.
- ROT 13 Encoding decodes ROT 13 encoded text to ASCII text.
- HTML renders HTML code as it appears in a browser.
- HTML Unicode renders the HTML code as it appears in a browser, using Unicode encoding.

Picture

Picture is a parent object that contains child objects representing various file formats that can be used when displaying bookmarked content as a picture or graphic. Picture displays the bookmarked content of the following file formats:
- JPG
- GIF
- EMF
- TIFF
- BMP
- AOL
- ART
- PSD
This is based on the file extension or the file signature of the file that contained the bookmarked content.
- Base64 Encoded Picture displays the bookmarked content in Base64 Unicode format.
- UUE Encoded Picture displays the bookmarked content in UUE format.

Integers

Integers is a parent object that contains child objects representing integer encodings that can be used when displaying bookmarked content.
- 8 bit displays the bookmarked content as 8 bit integers.
- 16 bit displays the bookmarked content as 16 bit Little Endian integers.
- 16 bit Big Endian displays the bookmarked content as 16 bit Big Endian integers.
- 32 bit displays the bookmarked content as 32 bit Little Endian integers.
- 32 bit Big Endian displays the bookmarked content as 32 bit Big Endian integers.
- 64 bit displays the bookmarked
40. The GREP symbols available in a search expression are:
- \wFFFF: Unicode character
- \xFF: Hex character
- . : Any character
- # : Any number 0-9
- ? : Repeat zero or one time
- + : Repeat at least once
- * : Repeat zero or more times
- [XYZ]: Either X, Y, or Z
- [^XYZ]: Neither X nor Y nor Z
- \ : Literal character
- (ab): Group ab together
- {m,n}: Repeat m to n times
- a|b: Either a or b
The Edit dialog (shown in the figure for the Phone Numbers keyword) also offers the Case Sensitive, GREP, Unicode, Unicode Big Endian, and Active Code Page options, and a Unicode View of the expression.
3. Select the desired options, for example Case Sensitive or GREP.
4. Select the Keyword Tester tab.
5. Locate a test file that contains the search string, enter the address into the Test Data field, and click Load. The test file is searched and displays in the lower tab of the Keyword Tester form.
Note: Hits are highlighted in both text view and hex view.
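The GREP symbols above, as an added example that is not from the manual or from Guidance Software: a Python translator turns an EnCase keyword expression into an equivalent re pattern (the # and \wFFFF forms have no direct re counterpart, and characters such as $ are literal in EnCase but not in re), then runs a constructed Phone Numbers keyword over constructed text the way the Keyword Tester does. The sample keyword, the sample text, and the function names are assumptions.

```python
import re
from typing import List

# Symbols that mean the same thing in EnCase GREP and in Python's re module.
_SHARED_META = set(".?+*()[]{}|^")
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
_HEX4 = re.compile(r"[0-9A-Fa-f]{4}")


def encase_grep_to_python(pattern: str) -> str:
    r"""Translate an EnCase keyword GREP expression into an equivalent Python regex.

    Covers the manual's symbol table: \wFFFF (Unicode character), \xFF (hex byte),
    . # ? + * [XYZ] [^XYZ] \ (literal) (ab) {m,n} a|b. Anything that is literal in
    EnCase but special to re (for example $) is escaped so the meaning is preserved."""
    out: List[str] = []
    in_class = False          # inside [...] ranges such as A-Z must pass through untouched
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("pattern ends with a bare backslash")
            nxt = pattern[i + 1]
            if nxt == "x" and _HEX2.fullmatch(pattern[i + 2:i + 4]):
                out.append("\\x" + pattern[i + 2:i + 4])      # \xFF -> byte value
                i += 4
            elif nxt == "w" and _HEX4.fullmatch(pattern[i + 2:i + 6]):
                out.append("\\u" + pattern[i + 2:i + 6])      # \wFFFF -> Unicode code point
                i += 6
            else:
                out.append(re.escape(nxt))                   # \c -> the literal character c
                i += 2
            continue
        if ch == "#":
            out.append("0-9" if in_class else "[0-9]")       # # -> any single digit
        elif ch == "[":
            in_class = True
            out.append(ch)
        elif ch == "]":
            in_class = False
            out.append(ch)
        elif in_class or ch in _SHARED_META:
            out.append(ch)
        else:
            out.append(re.escape(ch))                        # literal in EnCase, keep it literal
        i += 1
    return "".join(out)


def keyword_hits(grep: str, text: str) -> List[str]:
    """Run a translated GREP keyword over text and return every hit, as the Keyword Tester does."""
    return [m.group(0) for m in re.finditer(encase_grep_to_python(grep), text)]


def keyword_matches(grep: str, text: str) -> bool:
    """True when the whole of text is one hit for the keyword."""
    return re.fullmatch(encase_grep_to_python(grep), text) is not None


# Constructed sample: a North American phone number keyword in the style of the
# manual's Phone Numbers entry, and a constructed piece of test data.
PHONE_GREP = r"[^0-9]\(?###\)?[ \-]?###[ \-]####"
SAMPLE_TEXT = "Call (626) 229-9191 or 626-229-9199; ticket 12345678901 is not a number."

if __name__ == "__main__":
    print("re pattern:", encase_grep_to_python(PHONE_GREP))
    for hit in keyword_hits(PHONE_GREP, SAMPLE_TEXT):
        print("hit:", hit.strip())      # (626) 229-9191 and 626-229-9199; the ticket is not a hit
```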
41. The shortcut hot key is Alt+S.
- Search opens the Search dialog, where you determine which files are searched, define keyword searches, perform email searches, hash computing, and other search options.
- Logon opens the Logon wizard, where you can log on to the enterprise LAN.
- Logoff logs you off the enterprise LAN.
- Wipe Drive opens the Wipe Drive wizard, where you select media you want to completely erase. After using Wipe Drive, you must format the media.
- Verify Evidence Files opens the Verify Evidence Files browser, where you select files to be verified. Verifying checks the Cyclical Redundancy Check (CRC) values to ensure evidence was not altered.
- Create Boot Disk opens the Create Boot Disk wizard to create a LinEn boot disk.
- Mount as Network Share Client opens the Mount as Network Share dialog, where you specify the IP address of the server to be mounted.
- Options opens the Options dialog, where you define global settings for EnCase, such as default file locations for a new case, fonts to use, highlighting colors seen in the Table pane, and date and time formats.
- Refresh updates the EnCase views based on the content of the folder displayed in the lists or trees. Use this command when you use Windows to add files to the folders of an open case; EnCase is not aware of these changes until you refresh the lists and trees.

Help Menu

The Help menu provides co
42. The changes made in the Device Attributes dialog appear in the Table pane.
4. If the list of devices to be added is correct and complete, click Next; otherwise, click Back as necessary to revise values. The devices defined in the Add Device wizard are added to the case.

Acquiring

Once a device is added, its contents can be acquired. Beyond an acquisition, you can add EnCase evidence files and raw evidence files to the case. Raw evidence files can be reacquired so that they are translated into EnCase evidence files, complete with metadata and hash values. Palm Pilots can also be acquired. The LinEn utility also lets you do network crossover in collaboration with EnCase Field Intelligence Model, and you can use LinEn to perform disk to disk acquisitions. EnCase evidence files originating in other cases can be added as well. All of these acquisitions are discussed in this section.

Types of Acquisitions

There are several types of acquisitions that comprise EnCase evidence files (E01) and associate these files with the currently opened case. There are several additional digital evidence file types that are associated with the currently opened case but do not involve acquisitions, except when reacquired. There are also logical evidence files (LEF), usually constructed during a preview. The local sources for acquisitions create E01s. Local sources include:
- Local drives (using a write blocker)
- Palm Pilot
- Netwo
43. The installer places a startup icon on the desktop. In addition, a number of folders and files are installed in the target folder during installation.
Certs Folder
- EnCase.pcert
Config Folder
- AppDescriptors.ini
- FileSignatures.ini
- FileTypes.ini
- Filters.ini
- Keywords.ini
- Profiles.ini
- TextStyles.ini
Storage Folder
- CaseReport.ini
- Compromise Assessment Module.ini
- DifferentialReport.ini
- SweepEnterpriseWEbReport.ini
Forensic EnScript Component Folder
- Case Processor.EnScript
- File Mounter.EnScript
- Index Case.EnScript
- Scan Local Machine.EnScript
- Webmail Parser.EnScript

Uninstalling the Examiner

The uninstaller works only on identical software versions.
- Have backups of evidence and case files prior to making any modifications to any software on an examination machine. An update of the program is also required.
- Close any running versions of the EnCase program, insert the software's installation media, and wait for the installer to come online.
1. Open Windows Control Panel and double click Change or Remove Programs.
2. Select the EnCase version being removed and click Change/Remove. The EnCase uninstall wizard runs and the first screen displays.
3. Enter or navigate to the software's location in the Install Path field. The default is C:\Program Files\Encase6.
4. Click Next. The EnCase uninstall wizard runs.
44. The Copy Folders dialog in the figure (reached from the Copy/UnErase context menu entry) offers a Source and Destination Folder, the options Replace first character of FAT deleted files with, Split files above (MB), Copy only selected files inside each folder, and Show Errors, and reports Status, Start, Stop, and Note in the console when complete.
1. In the Tree pane, select the folder or folders to copy and unerase.
2. If desired, in the Table pane, clear any individual files that should not be copied and unerased.
3. Right click in the Table pane
45. ...when complying with discovery issues, one must perform a physical restore, not a logical one. Logical restores are less desirable, as they cannot be verified as an exact copy of the subject media. When a drive is restored for the purposes of booting the subject machine, a physical restore is the correct choice.

Whether restoring a drive physically or logically, restore the evidence files to a drive slightly larger in capacity than the original subject hard drive. For example, if restoring a 2 gig hard drive image, restore the image to a 2 to 4 gig hard drive. Restoring media to a drive that is substantially bigger than the subject media can prevent the restored clone from booting at all, possibly defeating the purpose of the restore.

Preparing the Target Media

Preparation of the target media where the image is going to be restored is essential for a forensically sound restore.
- The target media must be wiped.
- For logical restores, the target media must be FDISKed.
- For logical restores, the target media must be partitioned and formatted with the same file system type as the volume to be restored (e.g., FAT32 to FAT32, NTFS to NTFS, etc.).
- For physical restores, do not FDISK, partition, or format the hard drive. Instead, start your EnCase application and restore the image physically to the target media.

Physical Restore

Restoring a physical drive means that the application will copy everything sector by s
46. To use folders to organize bookmarks:
1. Do one of the following:
- To move a bookmark and remove it from the source bookmark object, drag the bookmark to the report in the destination folder.
- To copy a bookmark from the source bookmark object, right click and drag the bookmark to the destination folder and select Copy Here.
The bookmark is now in the destination folder, so its entry now appears in the Bookmarks table associated with the destination folder.
2. Select the destination folder in the Bookmarks tree. The bookmarks in the folder appear in the Bookmarks table.
3. In the Table pane, click Report. The bookmarks in the folder appear in the report.

Organizing Bookmarks

You can organize bookmarks into folders in the Tree pane. These folders appear in the Table pane, but a table entry cannot be dragged into other table entries. Instead, drag the table entry into a folder on the Bookmarks tree (see Using a Folder to Organize a Bookmarks Report on page 431). Organizing bookmarks involves the following tasks:
- Copying a table entry into a folder (page 433)
- Moving a table entry into a folder (see Moving a Ta
47. Common columns in the Report pane are:
- Name is the file name and extension.
- Filter shows if a filter was applied.
- In Report is a True or False indicator of files present in a report. To change the selection, enter Ctrl+R.
- Search Hits indicates whether the file contains a keyword search word.
- Additional Fields, when True, indicates that additional fields were found in the record. Data contained in the Additional Fields varies depending on the type of data in the record.
- Message Size is the message size in bytes.
- Creation Time is the date and time the message was created, in mm dd yy hh mm ss fo
48. Note that the entry in the Is Deleted column is marked True.

This second figure shows the display that results when two filters, Deleted Files and Files Before n, are run. The names of both filters appear in the Filter column of the Table pane. (The figure lists the filtered files, each marked Yes in the Deleted column alongside its Last Written date.)
49. Supported SafeBoot Encryption Algorithms

EnCase's SafeBoot decryption feature supports these encryption algorithms:
- AES256 FIPS
- AES256
- DES
- RC5 12 Rounds
- RC5 18 Rounds

CREDANT Encryption Support (File Based Encryption)

EnCase provides a way for you to access CREDANT encrypted data on Windows devices. You can obtain the CREDANT API installer from CREDANT Technical Support (http://www.credant.com). EnCase
Check the Verify file signatures box in the Additional Options area in the lower right, then click Start. The signature analysis routine runs in the background. On completion a search complete dialog appears. The dialog presents search status, times and file data sear

Figure: Search complete dialog (Status: Completed; Start 06/27/2007 12:35:19 PM; Stop 06/27/2007 12:35:36 PM; Time 0:00:17; Files 13,685).

You can view these same data in the console.

Figure: Console view of the search results (Status: Completed; Files 65; Records 2; Files scanned 53; Signature mismatches 0; Search Hits 469; Added Search Hits 0).

Viewing Signature Analysis Results (Part 1)

Click Set Include in the Tree pane to display all files in the case. At this level, Set Include selects everything in the evidence file.

1. Organize the columns in the Table pane so that the Name, File Ext and Signature columns are next to each other.
2. Sort columns with Signature at first level, File Ext at second level and Name at third level.

Scroll up or down to see all the signatures.
Figure: Table pane continuing the list of deleted entries (cendmgr.dll through HOTSYNC.EXE) that match the active filters.

A similar result would occur if you were to combine a filter and a condition.

AND/OR Filter Logic

You can toggle between displaying only entries that match all the active filters (AND logic) or entries matching any of the active filters (OR logic). When you run multiple filters, a Matches Any option displays in the toolbar. This option employs OR logic to display files. To employ AND logic, click the Matches Any toolbar option; the option changes to Matches All.

Changing Filter Order

Filters run in the order in which you selected them. To change this order:
1. Click Display to show the active filters.
2. Left click the filter you want to move.
3. While holding the left mouse button down, move the selected filter to a new position.

A three filter list with all items selected is shown below. The next example shows the same three filters
2b. until all the interface elements are configured.
3. Click OK.

The interface is now configured to display non English content.

Configuring the Keyboard for a Specific Non English Language

Windows lets you configure a keyboard for a specific non English language. Once the keyboard is configured, you need a keyboard map or familiarity with the keyboard layout of the language. These instructions are for Windows XP; configuring Windows 2000, NT and 2008 is similar.

Figure: Windows XP Start menu and Control Panel (Date, Time, Language, and Regional Options category) and the Regional and Language Options dialog, Regional Options tab, Standards and formats section: "This option affects how some programs format numbers, currencies, dates and time. Select an item to match its preferences, or click Customize to choos
Figure: Acquisition options (Quick reacquisition, Read ahead).

- Name contains the name of the EnCase Evidence File that contains the image resulting from the acquisition of the underlying device.
- Evidence Number contains the investigator assigned number for the EnCase evidence file produced by the acquisition in progress.
- Notes contains the investigator's notes regarding this EnCase evidence file.
- File Segment Size specifies the file segment size of the evidence files. It is useful for controlling the size of evidence files.
- Start Sector specifies the first sector of the content you want to acquire.
- Stop Sector specifies the last sector of the content you want to acquire.
- Password determines if the EnCase evidence file is password protected and what password is used. Entering a password enables Confirm Password. This password cannot be reset.
- Block size determines the block size of the contents over which CRC values are computed.
- Error granularity determines the portion of the block that is zeroed out if an error is encountered. The error granularity will be at most the same value as Block size, or an even fraction of Block size.
- Quick reacquisition allows you to quickly reacquire in order to change the file segment size or to apply or remove a password.
- Read Ahead reads the acquired content so that errors can be detected before the block is acquired or CRCs are calculated and hashed.
- Output Path determines the path
Figure: Keywords view showing hits for the keyword "Dates with 4 digit year" in the Unallocated Clusters of the Little Thumb evidence (Text, Hex, Doc, Transcript, Picture, Report and EnScript tabs).

2. Select a keyword in the Table pane.
3. Click Report.

Results of the selected Table pane keyword appear in the Report pane.

Figure: Report pane listing the hits for "Dates with 4 digit year" (Little Thumb, Unallocated Clusters).

4. Select an item in the Table pane. A report containing the file name, address and the contents of the Tree pane keyword displays.
5. Right click in the Table pane.
6. Complete the dialog and click OK.

Check the fields to display in the repor
Figure: Tree pane with a propagated selection (SystemCertificates, My, Windows, Themes, Cookies).

Using the Dixon Box

The Dixon Box is located in the tab above the Report pane and shows how many files are selected and how many files exist in the case. If no files are selected in the open case, the box looks like this: 0/191. In this picture three of the same 191 files are selected.

Note: To quickly select or deselect all files in a case, click the Dixon Box.

Modifying the Table Pane

The Table pane displays the contents of selected files and folders.

Figure: Table pane listing entries (desktop.ini, index.dat) with the Name, File Ext, File Created, Last Written and Last Accessed columns, and the Filter pane tabs (EnScript, Filters, Conditions, Queries, Text Styles).
- On the main window click View > File Types, or
- On the Tree pane click File Types.

The File Types tree appears. Right click on the root of the File Types tree and select New. The Viewer File Type dialog appears. In the Viewer box click Installed Viewer and select the file viewer to associate with the file type from the File Viewers tree. Enter a description and the file extensions of the file types. If the file viewer displays pictures, check Picture. Click OK. The files entered are now associated with the selected file viewer.

View Pane

The View pane provides several ways to view file content:
- The Text tab allows you to view files in ASCII or Unicode text.
- The Hex tab allows you to view files as straight hexadecimal.
- The Doc tab provides native views of formats supported by Oracle Outside In technology.
- The Transcript tab displays the same formats as the Doc tab but filters out formatting and noise, allowing you to view files that cannot display effectively in the Text tab.
- The Picture tab allows you to view graphic files.

Viewing Compound Files

You can view the individual components of compound files within an evidence file. Compound files are typically comprised of multiple layers containing other files. You can view these types of compound files in the EnCase application:
- Registry Files
- OLE Files
- Compressed Files
- Lotus Notes
- MS E
Locally Encrypted NSF Parsing Results

A successfully parsed locally encrypted NSF looks like this in Entry view:

Figure: Entry view of a parsed locally encrypted NSF (Backup of newly registered ID file for Circus Teodorovich, CN=Circus Teodorovich/O=domino7, domino7.local).
Accessories > System Tools > Character Map. The Character Map utility appears.
2. Click the desired character, then click Select. The character is added to the Characters to Copy box.
3. Repeat step 2 to add more characters.
4. Click Copy.
5. Paste the characters where you want to use them.

Creating and Defining a New Text Style

Text styles determine how file contents appear in the Text and Hex tabs of the View pane.

Figure: View menu (App Descriptors, Archive Files, EnScript Types, File Signatures, File Types, File Viewers, Hash Sets, Keywords, Machine Profiles, Packages, Projects, Table Pane, View Pane, Filter Pane) and the New Text Style dialog (Attributes: Code Page, Unicode, Unicode Big Endian, Other; Code Page list including Central European Mac).

To create and define a text style:
1. Click View > Text Styles. The New Text Style dialog appears.
2. Enter a Name for the new style.
3. Enter the desired character in Default Character.
4. Click RTL if
Figure: Permissions view listing the ACL entries (Allow permissions for Bob Hunter; Property Group).

The Console Tab

Use the Console tab to view output status messages when running EnScript programs.

Figure: Console tab output of the File Mounter script (timestamped Info and Warn messages beginning with "File Mounter Script started").

The Details Tab
Figure: Table pane listing BMP and BBS entries with their File Ext, Signature and Category columns.

2. Place the cursor anywhere in the In Report column and right click for a drop down menu.

Figure: Right click menu (In Report Ctrl+R; In Report Invert Selected Items Ctrl+Shift+R; Copy Ctrl+C; Export; Copy/UnErase; Bookmark Data Ctrl+B; Activate Single Files; Create Hash Set; View File Structure; Analyze EFS; Show Columns; Column; Sort; Select Item Space; Go to Parent BkSp).

3. Select In Report > Invert Selected Items. In the Table view In Report column, the selected files change to True.
4. Click the Report tab to see its contents.

Note: This menu selection is an XOR switch. It changes the status of the In Report column to the opposite of what it was.

Changing Report Size

To change the presentation size, right click anywhere in the report display and select Zoom In or Zoom Out.

Viewing a Bookmark Report

Open a case in the Table pane.
1. Click the Bookmarks panel. The report appears.
Bug Tracker tab (https://support.guidancesoftware.com/forum/project.php) in the Support Portal.

Figure: Support Portal Bug Tracker page (Public Bugs, EnCase Forensic).

Knowledge Base

You can find answers to Frequently Asked Questions (FAQs) and other useful product documentation in the Knowledge Base. You can also submit your own articles to help other EnCase users. To access the Knowledge Base, click on the Knowledge Base tab (https://support.guidancesoftware.com/directory) in the Support Portal. From here you can browse, search and write Knowledge Base articles.

Online Technical Support Request Form

Please use the Technical Support Request Form to request assistance from a Technical Services engineer. To access the form, click on the Technical Support Request Form (https://support.guidancesoftware.com/node/381) in the Support Portal.

Other useful links
Figure: Cases toolbar with the Index Case button.

The Index Case dialog appears.

Figure: Index Case dialog, Options tab (Selected entries only; Exclude Name; Exclude Extension; Include Known Files; Include Internal Files).

3. If you want only to index selected files, select Selected Entries Only.
4. If you want to include files with a known file signature, select Include Known Files.
5. If you want to include internal files that are part of the NTFS file system, select Internal Files.
6. If you want to exclude any file names:
   a. Right click in the Exclude Name list and select New.
   b. Enter the name of the file and click OK.
7. If you want to exclude files by a particular file extension:
   a. Right click in the Exclude Extension list and select New.
   b. Enter the name of the file extension and click OK.
8. To set the noise file, click the Noise File tab.

Figure: Index Case dialog, Noise file tab, listing the Language files (Dutch, English UK, English US, French, German, Italian, Neutral, Spanish Modern, Swedish Default) and the Path field.

9. Select the Language File and, if necessary, modify the Path.
10. Click OK. The Evidence file starts indexing. The thread bar indicates the estimated remaining time in the op
DLLs and MAC file to the target device as well.

2. Supply the parameters as follows:

CEGetBundle L XURL aAdminName AAdminPwd DAdminDomain dDuid sScid uUsername oOutputFile IOutputPwd

- L: Legacy mode for working with pre-5.4 server installs.
- X URL: Device Server URL, e.g. https://xserver.credant.com:8081/xapi
- a AdminName: Administrator user name.
- A AdminPwd: Administrator password.
- D AdminDomain: Administrator domain (optional; required only if the CMG Server is configured to support multiple domains).
- d MUID: Machine ID for the target device, also known as the Unique ID or hostname.
- s SCID: Shield CREDANT ID, also known as DCID or Device ID.
- u Username: Name of the forensic administrator.
- o OutputFile: File to save the key material in.
- I OutputPwd: Password to encrypt the output file.

Here is a command example:

cegetbundle L X https CredantServer 8081 xapi a Administrator Achangeit d CredantWorkstation Credant local sCI7M22CU u Administrator o C V CredantUserKeys bin iChangelt

3. Place the .bin file downloaded from the CREDANT server in a path accessible from the Examiner machine.

Open EnCase and create a new case or open an existing one. You must have EnCase Decryption Suite installed on the Examiner machine that decrypts the CREDANT encrypted data.

Note: In legacy mode you must execute this utility for each user targeted for investigation on the target device while speci
Figure: Search expression dialog for the "Rencode Software Data File" keyword (Search expression 57 4F 48 00 52 43 2D; Case Sensitive and GREP checked) beside the GREP Symbols legend: Unicode character (wFFFF), hex character (xFF), any character, any number 0-9, repeat zero or one time, repeat at least once, A through Z, repeat zero times, either X, Y or Z, neither X nor Y nor Z, literal character, group ab together, repeat m to n times, either a or b.

3. Change the Search Expression and other fields as desired and click OK.

Performing a Signature Analysis

To begin a signature analysis, click Search.

Figure: Search dialog (Selected entries only / Selected records only; Keyword Search Options: Search each entry for keywords, Search each record for keywords, Selected keywords only, Search file slack, Use initialized size, Undelete files before searching, Search only slack area of files in Hash Library; Email Search Options: Search for email, Recovered deleted, Outlook PST, Outlook Express DBX, Exchange EDB, Lotus NSF, MBOX; Hash Options: Compute hash value, Recompute hash values; Additional Options: Verify file signatures, Identify codepages, Search for internet history).
Device Wizard. In the Wizard, navigate to the folder containing Virtual PC files (.vhd) and add them as an EnCase evidence file.

CD/DVD Inspector File Support

EnCase applications support viewing files created using CD/DVD Inspector, a third party product. Treat these files as single files when adding them as zip files, or as composite files when using the file viewer. Drag single files into the application.

Acquiring SlySoft CloneCD Images

You can add raw CD-ROM images created using SlySoft CloneCD to a case. When adding these images, you can specify the pre sector bytes, post sector bytes and start byte of the image.

Acquiring a DriveSpace Volume

DriveSpace volumes are only recognized as such after they are acquired and mounted into a case. On the storage computer, mount the DriveSpace file as a volume and then acquire it again to see the directory structure and files.

To acquire a DriveSpace volume:
1. A FAT16 partition must exist on the forensic PC where you will Copy/Unerase the DriveSpace volume. A FAT16 partition can only be created with a FAT16 OS such as Windows 95.
2. Run FDISK to create a partition, then exit, reboot, and format the FAT16 partition using format.exe.
3. Image the DriveSpace volume.
4. Add the evidence file to a new case and search for a file named DBLSPACE.000 or DRVSPACE.000.
5. Right click the file and copy/unerase it to the FAT16 partition on
- Rijndael 256
- Blowfish

CREDANT Encryption Support (Offline Scenario)

If the machine to be investigated is not on the network with the CREDANT server, you must obtain the CREDANT keys and store them in a location accessible to the Examiner machine.

Before you begin:
- You must install the CREDANT Library Installer to run the utility with the appropriate DLLs. You can obtain the installer from CREDANT technical support.
- You must have EnCase Decryption Suite installed on the Examiner dongle that will decrypt the CREDANT encrypted data.
- You must obtain the URL for the CREDANT Mobile Guardian (CMG) Device Server.
- You must obtain the Administrator username and password. The CREDANT administrator must have Forensic Administrator privileges, as specified in the CMG Server Web Interface, for CMG v5.4 and later servers. The administrator must have Security Administrator privileges for the v5.3 server.
- You must obtain the Administrator's login domain (for CMG 6.0 and later servers only), the Machine ID for the target device (MUID), the Shield CREDANT ID (SCID), the Username that the key material is being downloaded for, and the Password to use to encrypt the output .bin file.

1. At a computer that has communication to the CREDANT Server, run the utility CEGetBundle.exe from the Windows command prompt. CEGetBundle.exe is supplied by CREDANT in the CREDANT Library Installer, which also installs the DLLs necessary for the decryption. Copy the
App Descriptors

At a very basic level, app descriptors are the hash files of a computer's EXE and SYS files. They work in conjunction with machine profiles and are used to identify forbidden or undesirable software on a computer's hard drive. They are particularly useful in detecting viruses and other malware, and for ensuring a specified disk image is not changed.

The EnCase program can identify malicious programs via a hash analysis. It compares an application's unique digital identification (its calculated, known and stored hash value) with that captured in a snapshot. When the hash values match, the program returns the process name, its hash value, and the machine profile to which it belongs.

An app descriptor categorizes executables by hash value to enable positive identification of executables running on a system. App descriptors work in concert with machine profiles. Profiles are inventories of what should be running on a specific machine. Together, the machine profile and app descriptor let an examiner know what should be running and what is running on a specific computer.

Manually Create App Descriptor

To run this feature you must have created a machine profile, and you must know the hash value of the file you intend to process.

1. Click View > App Descriptors to see a list of app descriptors.

Figure: App Descriptors view (File, Edit, View, Tools, Help menus; New, Open, Save, Print, Add Device, Search toolbar buttons).
Hiding Columns

You can hide individual columns. Right click the column you want to hide and click Hide.

Figure: Column context menu (View Search Hits; Bookmark Selected Items; Show Columns; Column > Hide Ctrl+H; Sort; Set Lock; Select Item Space; Reset; Go to Parent BkSp; Fit to Data; Auto Fit All).

The column in which the cursor was located is hidden.

Auto Fit All Columns

The Auto Fit All feature expands the width of each column so no data are hidden.

Note: The difference between Auto Fit All and Fit to Data is that with Auto Fit All each displayed column is expanded to show its entire contents.

Fitting Columns to Data

At times you may want to adjust the width of only one column. To view the entire column, select Fit to Data.

Note: If a column contains too much data, widen the column by clicking Fit to Data in the Column submenu.

Resetting Columns

Restore columns to their default order and width by using Reset. Manually resize a column by dragging the column separator
Figure: Copy/UnErase dialog, final page (Path ending in EnCase Temp\RUNSYSP.BAT; Split files above 640 MB; Use initialized Size; Back, Finish, Cancel buttons).

- Copy displays the number of files to be copied and unerased and the total number of bytes that comprise the file or files being created.
- Path contains the path and filename, within the file system of the investigator's machine, of the file or files created.
- Split files above contains the maximum length (not exceeding 2000 MB) of any file created by the Copy/Unerase operation. When the total number of bytes comprising an output file exceeds this value, the additional output is continued in a new file.
- Use Initialized Size determines if only the initialized size of an entry will be searched, as opposed to the logical size (which is the default) or the physical size. This setting is only enabled for NTFS file systems. When an NTFS file is written, the initialized size can be smaller than the logical size, in which case the space after the initialized size is zeroed out.

Copy Folders Dialog

Use this dialog when copying entire folders selected in the Tree pane while preserving the folder structure.

Figure: Copy Folders dialog (Source; Copy only selected files inside each Folder).

- Source displays the Entities folder being copied and unerased.
- Copy displays the number of files to be copied and unerased and the to
Internet browser, depending on the output options you chose.

Sweep Enterprise

The Sweep Enterprise EnScript program:
- Collects data from some named subset of the network tree
- Saves the bookmarked data
- Optionally creates snapshots
- Runs modules to extract data as bookmarks or exported files

If you plan to run modules, you must log on and open a case. If you choose to deploy a servlet, both the Windows servlet and Linux servlets must be available on your machine. The Linux servlet must be available even if you do not have any Linux machines. See the EnCase Enterprise Administrator Manual for the paths to the servlets on your SAFE machine.

To run the Sweep Enterprise EnScript program:
1. Double click on the Sweep Enterprise object in the EnScript tree on the Filters Pane. The Case Options page of the Sweep Enterprise wizard appears.
2. If you need to change your user or SAFE:
   a. Click Change Safe. The User page of the Logon wizard appears.
   b. Select the user, enter a password if required, then click Next. The SAFEs page of the Logon wizard appears.
   c. Select the SAFE, then click Finish.
3. If you need to change your Role:
   a. Click Change Role. The Role dialog appears.
   b. Select the desired role and click OK. The Node to Sweep page of the Sweep Enterprise wizard appears.
4. If you need to change the machines swept (those that appear in Machines), click Network Tree, navigate to the ap
75. LinEn Main Screen appears.
5. Select Server and press Enter. The message "Waiting to connect" appears:
   1. Connect this computer to the client
   2. Run EnCase on the client, click Add Devices
   Waiting to connect
6. On the forensic machine, specify an IP address of 10.0.0.1 for the subject machine.
7. Launch the EnCase application on the forensic machine.
8. Create a new case or open an existing case.
9. Right-click the Devices object and click Add Device.
10. Select Network Crossover and click Next.
11. Select the physical disk or logical partition to acquire or preview, and click Next.
12. Click Finish. The contents of the selected device, reached through the network crossover connection, are previewed. To acquire the content, perform an acquisition; see Specifying and Running an Acquisition.

Acquiring Disk Configurations

Guidance Software uses the term disk configuration instead of RAID. A software disk configuration is controlled by the operating system, whereas a controller card controls a hardware disk configuration. In a software disk configuration, the information describing the layout of the partitions across the disks is located in the registry or at the end of the disk, depending on the operating system; in a hardware disk configuration it is stored in the BIOS of the controller card. With each of these methods, 6 disk co
76. LinEn Utility: The Linux EnCase client used for disk-to-disk or cable acquisitions.

Logical Evidence File: A specialized form of evidence file filled with user-selectable files, as opposed to a traditional evidence file, which contains the entire contents of the device. Logical Evidence Files have the extension .L01.

M

Malware: Software designed to infiltrate or damage a computer system without the owner's informed consent.

Mount, Mounting: The process of making a file system ready for use by the operating system, typically by reading certain index data structures from storage into memory ahead of time. The term recalls a period in the history of computing when an operator had to mount a magnetic tape or hard disk on a spindle before using it.

N

Network Tree: The network tree represents the hierarchical organization of the underlying network and file structure.

New Technology File System (NTFS): The standard file system of Windows NT and its descendants:
- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista

Node: A node is the machine where the servlet is installed.

Notable File Bookmarks: Bookmarks used to identify individual files containing information important to a case.

NTFS: See New Technology File System.

P

Pane: Panes comprise the four quadrants of the interface:
- Tree pane
- Table pane
- View pane
- Filter pane
Panes contain tabs, which alter the display of the data in
77. New Folder; Expand/Contract (Space); Set Included Folders (Num); Include Sub Folders (Shift+Num); Include Single Folder (Ctrl+Num).

Note: In addition to the menu, there is a toolbar button labeled Show Excluded that toggles the hidden view.

2. Select Show Excluded. Previously excluded files appear in the Table view, while excluded folders appear in the Tree view. Excluded data are marked with a red X.

[Screenshot: EnCase Enterprise Training case with Show Excluded enabled; the Bookmarks tab lists File Group and Highlighted Data entries under Jay's Bookmarks (Pipe Bomb Data, Graphics, Additional Graphics), the excluded ones marked with a red X.]
78. Non-English Characters

The EnCase application supports non-English language use in the interface as well as for non-English language content.

[Screenshots: the Options dialog (tabs Case Options, Global, NAS, Colors, Fonts, EnScript, Storage Paths, Enterprise) with the Case Options tab showing Name, Examiner Name, Default Export Folder (C:\Program Files\EnCase6\Export) and Temporary Folder (C:\Program Files\EnCase6\Temp), and the Fonts tab listing Default Fonts for Status Bar and Tabs, Dialog Boxes, Trees, Tables, Report Title, Report Fixed, File Viewers and Script Editor, with the Font dialog open on a font list.]

1. Click Tools > Options > Fonts. The Fonts tab of the Options dialog appears.
2. For each interface element listed in Default Fonts where you want to display non-English characters:
   a. Double-click the interface element. The Font dialog opens.
   b. Change the font to Arial Unicode MS and click OK.
   c. Repeat step
79. Non-English Language Support  465

Working with Non-English Languages

This chapter covers a specialized area of investigations: working with languages other than English. The Unicode standard attempts to provide a unique encoding number for every character, regardless of platform, computer program, or language. Unicode encompasses a number of encodings; in this document, Unicode refers to UTF-16 (Unicode 16-bit Transformation Format). Currently more than 100 code pages are available. Because EnCase applications support Unicode, investigators can search for and display Unicode characters and thus support more languages. Other character encodings besides 16-bit Unicode are supported for working with non-Unicode, non-English language text.

Working with non-English languages typically involves these tasks:
- Configuring non-English language support
- Creating and applying a new text style
- Creating non-English language search terms
- Bookmarking non-English language text
- Viewing Unicode files
- Viewing non-Unicode files
- Using code pages in the Text and Hex tabs

Non-English Language Features

EnCase Enterprise applications provide non-English language support through various features, including:
- The Options dialog Fonts tab
- Text styles (use text styles to modify the display of content)
- The text pane
- The transcrip
80. [Windows Explorer screenshot residue: Share this folder, Other Places, Details.]

Hashing

You can perform hashing before or after an acquisition so that an investigator can determine whether the device should be acquired, or whether its contents have changed. You must run a preview if working within the Windows version of EnCase; this is not necessary when hashing a drive using the LinEn utility.

Note: If you are hashing the device locally using Windows, a write-blocking device such as the FastBloc write blocker prevents the subject device from changing. Hashing via a crossover network cable, or locally using the LinEn utility, is useful if a write-blocking device is not available.

There are two ways to hash a drive:
- Hashing the subject drive using LinEn
- Hashing the subject drive once it is previewed or acquired

Hashing the Subject Drive Using LinEn

This allows the investigator to know the hash value of the drive.

Before you begin:
- LinEn is configured as described in the setup topics
- autofs is disabled
- The investigator has identified the subject drive to be hashed

To perform a hash using LinEn:
1. Navigate to the folder where LinEn resides and type linen in the console to run LinEn. The LinEn Main Screen appears.
2. Select Hash. The Hash dialog appears.
3. Select a drive, then click OK. The Start Sector dialog appears.
4. Accept the default or enter the desired Start Sector, and then click OK. The S
81. (entry title unreadable)  198
After Acquisition Page  199
Search Page  201
Options Page  204
Acquisition Results Dialog  206
Opening the Acquisition Wizard  207
Specifying and Running an Acquisition  208
Completing the After Acquisition Page of the Acquisition Wizard  209
Completing the Search Page of the Acquisition Wizard  210
Completing the Options Page of the Acquisition Wizard  212
Canceling an Acquisition  213
Acquiring a Local Drive  214
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)  214
Using a Write Blocker  215
Windows-based Acquisitions with FastBloc Write Blockers  215
Acquiring in Windows Without a FastBloc Write Blocker  217
Windows-based Acquisitions with a non-FastBloc Write Blocker  217
Performing a Drive-to-Drive Acquisition Using LinEn  218
Acquiring a Disk Running in Direct ATA Mod
82. Signature analysis identifies and organizes file signatures with reference to what it finds in:
- the signature table,
- the file header, and
- the extension,
as they appear in the evidence file.

Match in the Legend column indicates that the data in the file header, the extension, and the File Signature table all match.

Alias means the header is in the File Signature table but the file extension is incorrect for that header (for example, a JPG file with a .ttf extension). This indicates a file with a renamed extension. The name in the Legend column next to the asterisk shows the type of file identified by the file signature. Note: An alias is preceded by an asterisk, such as *AOL ART.

Unknown means neither the header nor the file extension is in the File Signature table.

Bad Signature means the file's extension has a header signature listed in the File Signature table, but the file header found in the case does not match the File Signature table entry for that extension.

The table shows possible results of a signature analysis.

Signature Analysis Table

File Name     | Signature Table | Header Entry | Legend
ball.jpg      | FF D8 FF E1     | ÿØÿá         | Match
leftshop.gif  | 4A 47 04 0E     | JG           | *AOL ART
flagfileph    | 5B 77 6D 71     | [wmq         | Unknown
userinfo.bag  | 41 4F 4C 20     | AOL          | Bad Signature

EnScript Programming Language

The EnScript language is a programming language and Application Program Interface (API) designed to operate within the EnCase softwar
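The four Legend outcomes above follow from two questions: is the header in the signature table, and is the extension in the table for that header. The following is an added example written for this edit, not EnCase code, that applies that decision over a constructed signature table and sample files mirroring the rows of the Signature Analysis Table (the .bag header in the table is invented so that the .bag row comes out as Bad Signature, and real EnCase tables also support signatures at offsets other than 0; both are assumptions of the example).

```python
"""Signature analysis: header bytes and extension against a File Signature
table, producing Match, *alias, Bad Signature or Unknown. Added example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str              # name shown in the Legend column for an alias
    header: bytes          # bytes expected at offset 0 of the file
    extensions: frozenset  # extensions (lower case, no dot) that fit this header


# Constructed signature table. Longer headers are tried first so that a short
# prefix cannot shadow a longer, more specific signature.
SIGNATURE_TABLE = sorted(
    [
        Signature("JPEG Image", b"\xff\xd8\xff", frozenset({"jpg", "jpeg"})),
        Signature("GIF Image", b"GIF8", frozenset({"gif"})),
        Signature("AOL ART", b"JG\x04\x0e", frozenset({"art"})),
        Signature("AOL Bag", b"BAG\x01", frozenset({"bag"})),  # invented header
    ],
    key=lambda s: len(s.header),
    reverse=True,
)


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def classify(filename: str, data: bytes, table=SIGNATURE_TABLE) -> str:
    """Return the Legend value for one file."""
    ext = extension_of(filename)
    by_header = next((s for s in table if data.startswith(s.header)), None)
    ext_in_table = any(ext in s.extensions for s in table) if ext else False
    if by_header is not None:
        # The header identifies the type; the extension either agrees or was renamed.
        return "Match" if ext in by_header.extensions else f"*{by_header.name}"
    if ext_in_table:
        # The extension claims a type whose header is absent: renamed, damaged or faked.
        return "Bad Signature"
    return "Unknown"


# Constructed sample files mirroring the table above, plus the manual's
# "JPG file with a .ttf extension" case.
SAMPLE_FILES = {
    "ball.jpg": b"\xff\xd8\xff\xe1\x12\x34Exif\x00\x00",
    "leftshop.gif": b"JG\x04\x0e" + bytes(12),
    "flagfileph": b"[wmq" + bytes(12),
    "userinfo.bag": b"AOL " + bytes(12),
    "font.ttf": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}


def run_signature_analysis(files=SAMPLE_FILES) -> dict:
    """Legend value per file name, as the Table pane would show it."""
    return {name: classify(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, legend in run_signature_analysis().items():
        print(f"{name:14s} {legend}")
```

Note the tie-break when header and extension are both in the table but disagree (a GIF header under a .jpg name): the header wins and the file is reported as an alias of the header's type, which is the renamed-extension case the text describes and the one worth reviewing first, since an examiner cannot trust a name the subject chose.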
83. [Screenshot: device context menu with View File Structure, Activate Single Files, Create Hash Set, Recover Folders, Create Logical Evidence File, Restore, Hash, Scan Disk Configuration, Scan for LVM, Verify File Integrity, Acquire, Modify time zone settings, Mount as Network Share, Rename (F2), Expand/Contract (Space), Expand All, Contract All, Set Included Folders (Num), Include Sub Folders (Shift+Num), Include Single Folder (Ctrl+Num).]

6. Click Next until you reach the Options dialog.

[Screenshot: Options page showing Name and Case Number (SEVEN_OF_NINE 10.0.36.39:0), Notes, File Segment Size (MB) 640, Compression (None; Good, Slower, Smaller; Best, Slowest, Smallest), Burn Disc, Start Sector 63, Stop Sector 488375999, Password and Confirm Password, Block size (Sectors) 64, Error granularity (Sectors) 64, Generate image hash, Quick reacquisition, Read ahead, and Output Path praxis\Acquisition\SEVEN_OF_NINE 10.0.36.39.0.E01.]

7. Enter the remote acquisition information, including a valid Output Path.
8. Click the Remote acquisition check box.
9. Click Next.
10. Enter a Username and Password for the remote share (Remote Acquisition Credentials dialog).
12. Click OK.

Remote Acquisition Monitor

Use the Remote Acquisition Monitor to check the progress of the acquisition.
1. Double-click Remote Acquisition Monitor and enter th
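The Options page above sets Block size and Error granularity (both 64 sectors in the screenshot) and Generate image hash, and the Hashing section earlier explains why a hash is taken before and after acquisition. The following is an added example written for this edit, not EnCase code, showing how those settings shape an acquisition read loop: the device is read in block-size runs, a failed block is re-read in granularity-size pieces, and only the pieces that still fail are zero-filled, while the image hash is accumulated as data is written. The SimulatedDevice, its bad-sector set, the 512-byte sector size and the 200-sector image are constructed for the demonstration; the granularity semantics are the usual reading of those options and are stated here as an assumption rather than quoted from the manual, as is the choice of MD5 for the image hash.

```python
"""Acquisition read loop with block size, error granularity and image hash.
Added example; the device and image are constructed."""
import hashlib

SECTOR = 512  # bytes per sector (assumption)


class SimulatedDevice:
    """Constructed subject device: an image plus a set of unreadable sectors."""

    def __init__(self, image: bytes, bad_sectors=()):
        if len(image) % SECTOR:
            raise ValueError("image must be a whole number of sectors")
        self.image = image
        self.bad = set(bad_sectors)
        self.reads = 0  # number of read requests issued against the device

    @property
    def sectors(self) -> int:
        return len(self.image) // SECTOR

    def read(self, start: int, count: int) -> bytes:
        """Read `count` sectors from `start`; the whole request fails if any
        sector in it is bad, as a multi-sector read on real hardware does."""
        self.reads += 1
        if any(s in self.bad for s in range(start, start + count)):
            raise IOError(f"read error in sectors {start}-{start + count - 1}")
        return self.image[start * SECTOR:(start + count) * SECTOR]


def acquire(dev, start_sector=0, stop_sector=None,
            block_size=64, error_granularity=64):
    """Image sectors start..stop inclusive.
    Returns (image_bytes, md5_hex, number_of_sectors_zero_filled)."""
    if stop_sector is None:
        stop_sector = dev.sectors - 1
    out = bytearray()
    md5 = hashlib.md5()  # "Generate image hash" (MD5 assumed)
    zeroed = 0
    pos = start_sector
    while pos <= stop_sector:
        count = min(block_size, stop_sector - pos + 1)
        try:
            chunk = dev.read(pos, count)
        except IOError:
            # The block failed: re-read it in granularity-sized pieces so that
            # only the pieces that still fail are replaced with zeros.
            chunk = bytearray()
            sub = pos
            while sub < pos + count:
                n = min(error_granularity, pos + count - sub)
                try:
                    chunk += dev.read(sub, n)
                except IOError:
                    chunk += bytes(n * SECTOR)
                    zeroed += n
                sub += n
            chunk = bytes(chunk)
        md5.update(chunk)
        out += chunk
        pos += count
    return bytes(out), md5.hexdigest(), zeroed


def reference_md5(data: bytes) -> str:
    """Hash of a byte string, for comparison with an image hash."""
    return hashlib.md5(data).hexdigest()


# Constructed 200-sector image with a recognisable, non-zero byte pattern.
SAMPLE_IMAGE = bytes(range(256)) * (SECTOR // 256) * 200


def demo(bad_sector=70):
    """Same device and bad sector, two granularity settings.
    Returns (sectors zeroed at granularity 64, at granularity 1, hashes equal?)."""
    dev = SimulatedDevice(SAMPLE_IMAGE, bad_sectors={bad_sector})
    coarse = acquire(dev, block_size=64, error_granularity=64)
    fine = acquire(dev, block_size=64, error_granularity=1)
    return coarse[2], fine[2], coarse[1] == fine[1]


if __name__ == "__main__":
    print(demo())
```

With one bad sector, the default granularity of 64 discards a whole 64-sector piece, granularity 1 discards one sector, and the two images hash differently. That is also why a pre-acquisition hash can only be compared with the image hash when it covers the same Start and Stop Sector range and the same error handling.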
84. Styles. Content displayed in these tabs is determined by selections made in the tree of the tab displayed in the Tree pane. When the Text Styles tab displays in the Tree pane and you select the root of the Text Styles tree, the Table tab of the Table pane displays a table containing the same folders displayed in the tree. When a particular folder is selected in the tree, the contents of that folder appear in the Table tab of the Table pane.

Figure 20: Table pane context, where (1) the object selected in the tree on the Text Styles tab of the Tree pane determines (2) the content displayed in the table on the Table tab of the Table pane. [Screenshot: Text Styles tree with folders ISO Latin, Low Bit ASCII, RTL Unicode and Unicode; the Table tab lists styles such as ISO Latin, ISO Latin 120, ISO Latin 100, ISO Latin 80, ISO Latin 60 and ISO Latin 40.]

Table Tab Columns

Table tab columns are activated or deactivated by right-clicking the Table tab, selecting Show Columns, and selecting the desired columns. By default, all columns are se
85. Support  465
Configuring Interface Elements to Display Non-English Characters  466
Configuring the Keyboard for a Specific Non-English Language  467
Entering Non-English Content without Using Non-English Keyboard Mapping  468
Creating and Defining a New Text Style  469
Creating Non-English Keywords  471
Testing a Non-English Keyword  473
Querying the Index for Non-English Content  474
Bookmarking Non-English Language Text  475
Viewing Unicode Files  476
Viewing Non-Unicode Files  477
Associating Code Pages  477
CHAPTER 13  EnScript Analysis  479
EnScript Analysis  480
Enterprise EnScript Programs  481
Document Incident  482
Machine Survey Servlet Deploy  484
Quick Snapshot  488
86. The case name is used as the default filename when the case is saved; the filename can be changed when the file is saved. Examiner Name contains the name of the user acting as the investigator. Default Export Folder contains the path and name of the folder where files are exported. Temporary Folder contains the path and name of the folder where temporary files are created. Index Folder contains the index file for any indexed file or collection of files.

Global Tab

The Global tab of the Options dialog contains settings that apply to all cases.

[Screenshot: Global tab with Auto Save Minutes (0=None) 10, Use Recycle Bin for Cases, Enable Picture Viewer, Enable ART and PNG image display, Flag Lost Files, Enable Pictures in Doc View, Invalid picture timeout (seconds) 12, Show True and Show False, Backup files 9, Debug Logging (Off, Stack, Heap), Date Format (MM/DD/YY, DD/MM/YY, Other) with Current Day 04/10/07, and Time Format (12:00:00PM, 24:00:00, Other hh:mm:sstt) with Current Time 01:55:21PM.]

Auto Save Minutes (0=None) contains the number of minutes between automatic saves of case files. The automatically saved data is written to CBAK files. Use Recycle Bin for Cases determines whether backup files are moved to the Recycle Bin rather than overwritten when a
87. To do a crossover cable acquisition:
1. Boot the subject machine from the LinEn boot disk.
2. Connect the forensic machine to the subject machine using a crossover cable.
3. In Linux, ensure that the subject machine has an IP address assigned and a NIC driver loaded by typing ifconfig eth0. If no IP address is assigned, assign one by typing ifconfig eth0 10.0.0.1 netmask 255.0.0.0, and check the IP address assignment again by typing ifconfig eth0.
4. Navigate to the folder where LinEn resides and type linen in the console to run LinEn. The LinEn Main Screen displays.
5. Select Server and press Enter. The message "Waiting to connect" should display:
   1. Connect this computer to the client
   2. Run EnCase on the client, click Add Devices
   Waiting to connect
6. Specify an IP address of 10.0.0.1 on the forensic machine for the subject machine (the forensic machine's own interface must have an address in the same 10.0.0.0/8 network).
7. Launch the EnCase application on the forensic machine.
8. Create a new case or open an existing case.
9. Right-click the Devices object and click Add Device.
10. Select Network Crossover and click Next.
11. Select the physical disk or logical partition to acquire or preview, and click Next.
12. Click Finish. The contents of the selected device, reached through the network crossover connection, are previewed. To acquire the content, perform an acquisition as described in Specifying and Running an Acquisition.
88. [Screenshot: Bookmark Data dialog with the Types tree (Bookmarks > Text: Do not Show, High ASCII, Low ASCII, Hex, Unicode, ROT 13 Encoding, HTML, HTML Unicode; Picture) and the Destination Folder tree (Case 3 > D05 > DRIVER).]

Comment contains text that describes the bookmarked content. Data Type pane determines the data type of the bookmarked content. Types tree contains objects representing the various formatting that can be used when displaying bookmarked content. Note: Details of the content of the tree are described in Bookmark Content Data Types. Destination Folder determines the path to the folder where the bookmark is saved. Contents displays the content of the bookmark in the selected format.

Bookmark Content Data Types

The Types tree in the Bookmark Data dialog provides a list of supported data types. The data types are organized by parent objects representing each class of supported data types; each specific data type is represented by a child object. The formats interpret the underlying content: they change how the bookmarked data is displayed, not the underlying bytes.

Text

Text is a parent object that contains child objects representing the formatting that can be used when displaying bookmarked content as text. Do not Show hides the content of the bookmark; this works for all underlying data types. High ASCII displays the text as 8-bit (256-character) ASCII. Low ASCII displays the text as 7-bit (128-character) ASCII
89. United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation, to the owners' benefit, without intent to infringe. Any use and duplication of this material is subject to the terms of the license agreement between you and Guidance Software. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, scanning or otherwise). Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated manuals or product release information, contact Guidance Software at http://www.guidancesoftware.com. Specifications and information contained in this manual are furnished for informational use only and are subject to change at any time without notice. Protected by U.S. Patent Nos. 7,168,000 and 6,792,545. Patents pending in the U.S. and other countries.

Support

Guidance Software develops solutions that sea
90. [Screenshot: installer page showing EnCase Version 6.4, www.guidancesoftware.com, Install Path C:\Program Files\EnCase6.]

5. Click Next. Page 2 of the uninstall wizard displays: "Select ReInstall to reinstall EnCase to the selected location, or select Uninstall to remove EnCase from the selected location" (options Reinstall and Uninstall). Reminder: Write blocking done through FastBloc SE will be removed, if present, during the uninstall process, so any subject media still attached is no longer write-protected once the uninstall runs.
6. Select Uninstall and click Next. Progress shows on the dialog.
7. When the completion notification displays, click Finish. The software is removed and page 3 of the uninstall wizard displays: "To replace some files that are in use, the system will need to be rebooted" (options Reboot Later and Reboot Now).
8. Select Reboot Later or Reboot Now and click Finish.

Reinstalling the Examiner

Note: Reinstall does not overwrite existing user files. Reinstall refreshes certain files and settings and is a variation of the install program. Reinstall creates a new log file and reinstalls the following items:
- Application files
- Registry keys
- User files that do not exist

Installing Security Keys

NAS provides licensing to the cli
91. a true value in the Additional Fields column in the Table pane.

[Screenshot: Table pane of an email record showing the Arrival Time, Log and Additional Fields columns, with fields such as To, Subject, Client Submit Time, Transport Message, Body Type (Plain), Code Page (1252) and Creation Time.]

4. If the In Report column is not shown, enable it:
   a. Right-click in the Table pane and select Show Columns.
   b. Select In Report and click OK. The In Report column appears in the Table pane.
5. Select the fields you want to include in the report. See Enabling or Disabling Entries in the Report on page 445.
6. Click the Report tab in the View pane. The report is generated containing the enabled fields.

Exporting a Report

Once a report is generated, you can save it to a file.
1. Place the cursor in the report, right-click, and click Export. The Export Report dialog appears, asking for output information.
2. Select the appropriate output format.
3. Enter or navigate to the desired output path. The newly created report document is saved to a file.

Here's a web page generated from th
92. [Screenshot: Gallery tab showing thumbnails 1.bmp, 2.bmp, 3.bmp, 4 Blue hills.jpg, 5 Sunset.jpg, 6 Water lilies.jpg and 7 Winter.jpg, with the right-click menu: Copy/UnErase, Bookmark Data (Ctrl+B), Export, Activate Single Files, Create Hash Set, View File Structure, Analyze EFS, Go to Parent (BkSp), Fewer Columns (Ctrl+Num), More Columns (Ctrl+Num), Fewer Rows (Shift+Num), More Rows (Shift+Num), Select Item (Space).]

To reduce the number of images displayed in a row in the Gallery tab:
- Right-click any image on the Gallery tab and click Fewer Columns.

Increasing the Number of Images Per Row

You can increase the number of images displayed per row in the Gallery tab.

[Screenshot: the same Gallery tab with the right-click menu open, More Columns highlighted.]
93. [Screenshot: Entries tree showing an Arabic-named Word document (.doc) on the thumb drive in the Jones Case, with the Text tab of the View pane displaying the document's Arabic text and the Filters pane listing Email Examinations, General Filters, Filter by Date, Filter by Size and Hash Filters.]

7. Results appear as in a usual keyword search.

Keyword Tester

To test a search string against a known file, click the Keyword Tester tab. Enter an expression in the Search Expression field and be sure to select the proper keyword options.
1. Add a new keyword; see Adding Keywords on page 344.
2. Add an expression and name the keyword. In this case, a GREP keyword designed to capture telephone numbers is entered.

[Screenshot: Edit dialog for the keyword "Phone Numbers" with the Search expression field and the Code Page and Keyword Tester tabs.]
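The Keyword Tester runs an expression over a known file with the keyword options you set, and the Unicode chapter earlier explains why the same characters must be searched as UTF-16 as well as in a code page. The following is an added example written for this edit, not EnCase code, that does the same over a raw byte buffer: once as single-byte text in a code page, and once as UTF-16LE at both byte alignments, reporting byte offsets the way search hits are shown. The phone-number pattern, the cp1252 default and the sample buffer are constructed for the demonstration; the pattern is Python re syntax, not EnCase GREP syntax, and it is not the manual's own "Phone Numbers" expression, which the page does not reproduce.

```python
"""Keyword test over raw bytes in a code page and in UTF-16LE. Added example."""
import re

# Constructed pattern (assumption): North American numbers written as
# 555-867-5309, (555) 123-4567 or 555.222.3333.
PHONE_EXPRESSION = r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"


def search_keyword(buffer: bytes, expression: str,
                   unicode: bool = True, code_page: str = "cp1252"):
    """Run `expression` over `buffer` the way the keyword options select:
    as single-byte text in `code_page`, and (if `unicode`) as UTF-16LE.
    Returns [(byte_offset, encoding, matched_text)] sorted by offset."""
    pat = re.compile(expression)
    hits = []

    # Single-byte code page: one character per byte, so the index of a match
    # in the decoded text is its byte offset in the buffer.
    text = buffer.decode(code_page, errors="replace")
    for m in pat.finditer(text):
        hits.append((m.start(), code_page, m.group()))

    if unicode:
        # UTF-16LE: two bytes per code unit. Text in slack or unallocated
        # space may start at an odd offset, so both alignments are tried.
        # Limitation: characters outside the BMP use surrogate pairs, which
        # would shift the offset arithmetic; the sample stays within the BMP.
        for align in (0, 1):
            chunk = buffer[align:]
            chunk = chunk[:len(chunk) - len(chunk) % 2]
            text16 = chunk.decode("utf-16-le", errors="replace")
            for m in pat.finditer(text16):
                hits.append((align + 2 * m.start(), "utf-16le", m.group()))

    return sorted(hits)


# Constructed "known file": an ASCII string, eight bytes of slack, an aligned
# UTF-16LE string, one byte of padding, then a misaligned UTF-16LE string.
SAMPLE_BUFFER = (
    b"Call me at 555-867-5309 tonight\x00"
    + bytes(8)
    + "Office (555) 123-4567 ext 9".encode("utf-16-le")
    + b"\x00"
    + "mobile 555.222.3333".encode("utf-16-le")
)


def keyword_tester(expression: str = PHONE_EXPRESSION, unicode: bool = True):
    """Equivalent of pressing Keyword Tester against SAMPLE_BUFFER."""
    return search_keyword(SAMPLE_BUFFER, expression, unicode=unicode)


if __name__ == "__main__":
    for offset, encoding, matched in keyword_tester():
        print(f"{offset:6d}  {encoding:8s}  {matched}")
```

With the Unicode option off, only the ASCII number is found; the two UTF-16 numbers, one of them at an odd byte offset, surface only when the UTF-16 pass runs, which is the situation the non-English chapters warn about when a keyword is entered without the matching options.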
94. by others. Encryption is used to protect information in many kinds of systems, including computers, networks, the Internet, mobile telephones and so forth. EnCase has the ability to decrypt a variety of encrypted documents, including those using symmetric and asymmetric keys. The commercial encryption products that EnCase currently supports include Lotus NSF, PC Guardian Encryption Plus, Utimaco SafeGuard Easy, Credant and SafeBoot.

NSF Encryption Support

The Lotus Notes email client has security built into the product. Notes was the first widely adopted software product to use public key cryptography for client-server and server-server authentication and for encryption of data, and it remains the product with the largest installed base of PKI users. The EnCase suite can decrypt encrypted NSF documents and send them to recipients within the same Domino server. Each server user has an ID file that contains the user's:
- encrypted private key
- public key
- password information
- password recovery information
The user also has an NSF file that represents the user's mailbox, in 8.3 format, in the default path <domino installation folder>\data\mail\<user>.nsf.

Recovering NSF Passwords

To retrieve the recovery password, you must have proper administrative rights on the Domino server.
1. Open the Domino Server
95. check to open the file viewer in a maximized new window. Application Path contains the filename and path to the viewer's executable. Command Line contains a reference to the executable and any parameters used to customize the execution of the viewer.

Viewer File Type Dialog

The Viewer File Type dialog associates file types with viewers.

[Screenshot: Viewer File Type dialog with Description and Extensions fields, a Picture check box, and Viewer options EnCase, Windows and Installed Viewer with an Installed Viewers tree.]

Description is the file type to be associated with the file viewer. Extensions is a list of file extensions to be associated with the file viewer. Picture: check to display the file as a picture in the Gallery tab. Viewer contains options selecting the type of viewer and, in the case of Installed Viewers, a specific viewer associated with the file type you define. Click EnCase to associate the built-in EnCase viewer with the file type you define. Click Windows to associate the Windows default application with the file type you define. Click Installed Viewer to associate an installed viewer with a file type; use the Installed Viewers tree to select the specific viewer. Installed Viewers Tree lists the file viewers currently known to your EnCase application. Note that an external viewer parses evidence content, which the examiner does not control, with the examiner's privileges; a malformed file can crash it or exploit it, so associate only viewers you trust with untrusted data.

Adding a File Viewer to Your EnCase Application

Figure 30: [Screenshot: EnCase menu bar with File, Edit, View, Tools and Help.]
96. content as 64-bit Little Endian integers. 64-bit Big Endian displays the bookmarked content as 64-bit Big Endian integers.

Dates

Dates is a parent object that contains the objects representing the various date formats that can be used when displaying bookmarked content. DOS Date displays a packed 16-bit date value, with its accompanying 16-bit time value, that specifies the month, day, year and time of day an MS-DOS file was last written to. DOS Date GMT displays a packed 16-bit value that specifies the time portion of the DOS Date as GMT. UNIX Date displays a Unix timestamp in seconds from the standard Unix epoch of 01/01/1970 at 00:00:00 GMT. UNIX Text Date displays a Unix timestamp in seconds, as text, from the standard Unix epoch of 01/01/1970 at 00:00:00 GMT. HFS Plus Date displays a numeric value from a Macintosh HFS+ volume that specifies the month, day, year and time when the file was last written to. Windows Date/Time displays a numeric value from a Windows system that specifies the month, day, year and time when the file was last written to. Lotus Date displays a date from a Lotus Notes database file.

Windows

Windows is a parent object that contains objects representing the various file interpretations that can be used when displaying bookmarked content. Partition Entry displays the content of the bookmark as characters that conform to the header format of a Windows partition entry. DOS Directory Entry display
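The integer and date types above (and the Text types listed earlier) are different readings of the same bookmarked bytes. The following is an added example written for this edit, not EnCase code, that decodes a constructed set of samples, all encoding the one instant 2008-06-21 14:30:00 UTC, as a bookmark view would. It assumes each type uses its standard on-disk form: a 16-bit DOS time word followed by a 16-bit date word as in a FAT directory entry, a 32-bit little-endian Unix count of seconds, a 64-bit little-endian Windows FILETIME in 100-nanosecond units from 1601-01-01, and a 32-bit big-endian HFS+ count of seconds from 1904-01-01; the word order for DOS Date in particular is an assumption, since the page does not state it.

```python
"""Decoders for the 64-bit integer, DOS, UNIX, Windows and HFS+ bookmark
data types. Added example; samples are constructed."""
import struct
from datetime import datetime, timedelta, timezone


def int64_le(b: bytes) -> int:
    return struct.unpack("<q", b[:8])[0]


def int64_be(b: bytes) -> int:
    return struct.unpack(">q", b[:8])[0]


def dos_datetime(b: bytes) -> datetime:
    """FAT write timestamp: 16-bit time word then 16-bit date word, little-
    endian (assumed order). DOS times are local with 2-second resolution,
    so no time zone is attached."""
    t, d = struct.unpack("<HH", b[:4])
    return datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)


UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HFS_PLUS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)


def unix_date(b: bytes) -> datetime:
    """32-bit little-endian seconds since 1970-01-01 00:00:00 UTC."""
    return UNIX_EPOCH + timedelta(seconds=struct.unpack("<I", b[:4])[0])


def windows_datetime(b: bytes) -> datetime:
    """64-bit little-endian FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    ticks = struct.unpack("<Q", b[:8])[0]
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def hfs_plus_date(b: bytes) -> datetime:
    """32-bit big-endian seconds since 1904-01-01 00:00:00 UTC (HFS+ is
    big-endian on disk; the 32-bit counter wraps in 2040)."""
    return HFS_PLUS_EPOCH + timedelta(seconds=struct.unpack(">I", b[:4])[0])


# Constructed samples: the same instant, 2008-06-21 14:30:00 UTC, packed the
# way it would sit in the bookmarked bytes for each type.
SAMPLES = {
    "UNIX Date": struct.pack("<I", 1214058600),
    "Windows Date/Time": struct.pack("<Q", 128585322000000000),
    "HFS Plus Date": struct.pack(">I", 3296903400),
    "DOS Date": struct.pack("<HH", (14 << 11) | (30 << 5),
                            (28 << 9) | (6 << 5) | 21),
    "64-bit integer": struct.pack("<q", 1214058600),
}

DECODERS = {
    "UNIX Date": unix_date,
    "Windows Date/Time": windows_datetime,
    "HFS Plus Date": hfs_plus_date,
    "DOS Date": dos_datetime,
}


def decode_all(samples=SAMPLES) -> dict:
    """Render each sample as its bookmark type would: ISO text for the dates,
    both byte orders for the integer."""
    out = {name: DECODERS[name](samples[name]).isoformat() for name in DECODERS}
    out["64-bit Little Endian"] = int64_le(samples["64-bit integer"])
    out["64-bit Big Endian"] = int64_be(samples["64-bit integer"])
    return out


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:22s} {value}")
```

The integer sample decodes to the Unix timestamp under Little Endian and to an unrelated value under Big Endian, which is the practical reason the two byte orders are separate types: the bytes are the same, only the interpretation chosen in the Types tree differs.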
97. device or to acquire it to an evidence file, you need the target's user name, password and domain to parse the disk in EnCase. A message box displays asking for the user ID, password and domain. If this information is unavailable, you can still view the volumes in the Tree pane, but the contents remain encrypted.

[Screenshot: credentials dialog with Username, Password and Domain fields.]

The Domain can be a DNS name. Once a Logical Evidence File or a new physical disk is added to a new case, the master boot record is checked against known signatures to determine whether the disk is encrypted. If the disk is encrypted, you are asked for user credentials, consisting of username, password and domain; when these are entered, the disk is decrypted. Note: Utimaco and PC Guardian need only a user ID and a password; the domain name is unnecessary.

After successful parsing of encrypted evidence, the symmetric encryption key is stored in the case once the case is saved. When this case is reopened, the user is not asked to provide credentials, and decryption is done using the stored key. Treat the saved case file accordingly: it now holds the key that unlocks the subject's disk and needs the same protection as the decrypted evidence.

SafeBoot Setup

EnCase provides a way for you to view SafeBoot-encrypted hard drives during an investigation. Prior to any decryption, however, the SafeBoot installer, available from Guidance Software Technical Support (Support Portal, https://support.guidancesoftware.com), must be installed. This section describes that process. The following files and folders
98. disk is added to the case, and the New Image File value is set to reflect this.
2. If the content being acquired is to be searched, hashed or analyzed for signatures, select Search, Hash and Signature Analysis.
3. Click Next. The Search page of the Acquisition Wizard appears.
4. In New Image File, click the appropriate disposition of the file containing the acquired image.
5. If you want to restart a cancelled acquisition:
   a. Select Restart Acquisition.
   b. Browse to or enter the filename and path of the EnCase evidence file containing the partial acquisition to be restarted.
6. Click Next. If you selected Search, Hash and Signature Analysis, the Search page of the Acquisition Wizard appears; otherwise the Options page appears.

Completing the Search Page of the Acquisition Wizard

This page defines the searches, hashing and additional analysis performed as part of the acquisition, after the content is acquired.

Before you begin: open the Acquisition Wizard to the Search page.

[Screenshot: Search page with Search entire case; Keyword Search Options: Search each entry for keywords, Search each record for keywords, Selected keywords only, Search file slack, Use initialized size, Undelete files before searching, Search only slack area of files in Hash Library; 6 keywords; Hash Options: Compute hash value, Recompute hash values; Email S
99. [Hex view screenshot residue: a raw sector dump in which only the string "Firmware Version" and the timestamps 2002-04-25 01:52:46 are legible; the bytes are not reproducible as text.]
100. file is automatically saved.
Enable Picture Viewer determines whether the picture viewer is used for graphics of the appropriate formats.
Enable ART and PNG Image Display determines whether ART and PNG image files are displayed. When these files are corrupted they can cause the program to crash, so this setting enables you to limit the impact of corrupted ART and PNG files.
Flag Lost Files determines whether lost clusters are treated as unallocated space. Doing so decreases the amount of time required to access the evidence file. When selected, all lost clusters appear in the Disk tab as unallocated clusters.
Enable Pictures in Doc View determines whether pictures that are natively displayed by EnCase display using Oracle Outside In technology in the Doc tab of the View pane.
Invalid Picture Timeout (seconds) contains the amount of time the program attempts to read a corrupt image file before timing out. When the read times out, the corrupt file is sent to the cache and no attempt is made to read it again.
Date Format includes these options:
- MM/DD/YY, for example 06/21/08
- DD/MM/YY, for example 21/06/08
- Other enables you to specify your own date format.
Current Day contains the current date in the specified date format.
Time Format includes these options:
- 12:00:00PM determines whether a twelve-hour clock is the basis of the time format.
- 24:00:00 determines whether a twenty-four-hour clock is the basis of the time format.
101. filename of the evidence file to be added.
   c. Click OK.
3. If more devices need to be added, clear Sessions. If all the devices have been added, click Next. If Sessions was cleared, the Choose Devices page appears; otherwise the Sources page appears.

Completing the Choose Devices Page
This page displays the devices defined that can be added to the case by the Add Device wizard. At this point in the acquisition, the source devices were added to the Add Device wizard. To select the subset of devices to add:
1. With an entity object selected in the Tree pane, in the Table pane select the sources to be added to the case by selecting or clearing the Device Selection column checkbox for each source.
2. Click Next. The Preview Devices page of the Add Device wizard appears.

Completing the Preview Devices Page
This page displays only the selected devices from those initially defined. Select a subset of the defined devices and evidence files so they can be added to the case. To verify that the list of devices to be added is correct:
1. Review each row in the Table pane. If the device attributes need to be changed, do the following:
   a. Right-click on the row containing the device whose attributes need to be changed and click Edit. The Device Attributes dialog appears.
   b. Enter the desired changes.
2. If the device should be acquired as a flat file, clear Read File System.
3. Click OK.
102. folder. Drop the entry or folder on the new parent folder. The entry is moved to the folder on the tree and removed from the table.

Bookmark Reports and Reporting
Bookmark report content can be defined:
- In the Table pane, as described in the Viewing a Bookmark on the Table Report Tab section (page 436).
- In the folder editor, as described in the Customizing a Report section (page 437).

Viewing a Bookmark on the Table Report Tab
After you save a bookmark, it appears on the Report panel of the Table pane.
Before you begin: Make sure the currently opened case has at least one bookmark associated with it. Click the Bookmarks tab and expand the view in the Table pane to display them.
To view a bookmark report on the Report panel of the Table pane:
1. Select the bookmark folders you want to include in the report.
(Screenshot: the Bookmarks tree with a user's bookmark folders checked.) The folder contents appear checked in the Table pane. The first two data items are selected to be in the report; the third is not.
(Screenshot: Table pane with Bookmark Type, Excluded and In Report columns: 1 Highlighted Data, False, True; 2 Highlighted Data, False, True; 3 Note, False, False.)
2. To include a bookmark, make sure that the In Report column v
103. for the highlighted entry or selected items.

Exporting to msg
Perform an email search prior to executing Export to msg.
1. Select an msg file and display its mail contents.
(Screenshot: the Records tab showing a mounted PST, its folder tree and a list of messages.)
2. Select email files to export.
3. In the Report pane, select a file and right-click it.
(Screenshot: context menu with Copy (Ctrl+C), Bookmark Data (Ctrl+B), Export, Tag Selected Files (Ctrl+Shift+T), Tag File (Ctrl+T), Show Columns, Export To msg, Column, Sort, Select Item (Space) and Go to Parent.)
4. Click Export to msg. The Export Email dialog appears.
(Screenshot: Export Email dialog with Export Single, Export All Checked, Preserve Folder Structure and an Output Path of C:\Program Files\EnCase6\Export.)
5. Select dialog options as needed:
- Export Single exports only the selected message.
- Export All Checked exports all files checked.
- Preserve Fol
104. (Screenshot: Table pane listing files such as _PPDES_3.PNG and app descriptor entries before hashing.)
Open a case that needs hashing and display its contents.
1. Click the Search tab. The Search dialog appears.
2. Make any search choices and then select the required values in the Hash Options area of the dialog.
3. Click Start.
(Screenshot: Hash Options group with Compute hash value and Recompute hash values checked.)
The Table pane contents change and show the newly created hash values for the files.
(Screenshot: Table pane with a Hash Value column of 32-character hash values beside each file name, e.g. FurBall.BMP, Table View.BMP, HashSearchScreen, buttonSearch.bmp, HashFinished Search.)

Hash Sets
Hash sets are collections of hash values representing unique files that belong to the same group. For example, a hash set of all Windows operating system files could be created and named Windows System Files. When a hash analysis is run on an evidence file, the software identifies all files included in that hash set. Those logical files can then be excluded from later searches and examinations. This speeds up keyword searches and other analysis function
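The hash set workflow just described, as an added example that is not part of the EnCase guide or its code: a set of content hashes for one group of known files is built, every evidence file is hashed and matched against it, and only the unmatched files remain for keyword searching. The file contents and the set name are constructed; MD5 is used because the hash values shown in this section are 32 hex characters.

```python
"""Added example (not EnCase code): build a hash set and run a hash analysis
that excludes known files from further searching.  All file contents below
are constructed for the demonstration."""
import hashlib


def md5_hex(data: bytes) -> str:
    """32-hex-character MD5, matching the hash values shown in the guide."""
    return hashlib.md5(data).hexdigest()


def build_hash_set(name, known_files):
    """A hash set keeps only content hashes (not names), so a renamed copy of a
    known file still matches."""
    return {"name": name, "hashes": {md5_hex(c) for c in known_files.values()}}


def hash_analysis(evidence, hash_sets):
    """Hash each evidence file and record the hash set it belongs to, if any."""
    report = {}
    for fname, content in evidence.items():
        h = md5_hex(content)
        matched = [s["name"] for s in hash_sets if h in s["hashes"]]
        report[fname] = {"hash": h, "set": matched[0] if matched else None}
    return report


def files_to_search(report):
    """Files no hash set accounts for: these still need keyword searching."""
    return sorted(f for f, r in report.items() if r["set"] is None)


# Constructed 'known good' operating system files (name -> content).
KNOWN_OS = {"notepad.exe": b"known notepad binary", "calc.exe": b"known calc binary"}

# Constructed evidence files.  The modified system binary is deliberately NOT in
# the set: a one-byte change produces a different hash, so it stays in scope.
EVIDENCE = {
    "WINDOWS/notepad.exe": b"known notepad binary",      # identical content: excluded
    "temp/np_copy.bin": b"known notepad binary",         # renamed copy: still excluded
    "WINDOWS/calc.exe": b"known calc binary" + b"\x90",  # altered binary: not excluded
    "Documents/notes.txt": b"meeting at noon",           # user data: must be searched
}


def run_demo():
    """Return the hash analysis report and the reduced list of files to search."""
    sets = [build_hash_set("Windows System Files", KNOWN_OS)]
    report = hash_analysis(EVIDENCE, sets)
    return report, files_to_search(report)
```

The altered copy of calc.exe surfaces in the search list precisely because exclusion is by content hash, which is the property that makes hash-set exclusion safe to rely on.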
105. in the folder specified as the new root path.

Browse for Folder Dialog
Use this dialog to change the root path in the Users tree and the SAFE tree to specify the path to folders containing keys for users or SAFEs. The default path is C:\Program Files\EnCase6\Keys. The Users tree is based on the private keys contained in the folder defined by the root path. The SAFE tree is based on SAFE files contained in the folder defined by the root path. Both types of files are in the C:\Program Files\EnCase6\Keys folder. Moving these key files while the trees are displayed requires a refresh to update the trees.
(Screenshot: Change Root Path dialog showing the EnCase6 folder tree (Cache, Certs, Config, EnScript, EnScripts, Export, Hash Sets, Help, Index, Keys, License) with the Keys folder selected, and Make New Folder, OK and Cancel buttons.)
Path displays a tree to navigate to the folder containing the keys.

SAFE Page of the Logon Wizard
The SAFE page of the Logon wizard determines if a SAFE is associated with and used by the current user.
(Screenshot: SAFE page listing the installed SAFEs in a tree.)
SAFE contains the SAFEs tree that organizes all the SAFEs that are installed. The user selects a SAFE to complete the logon.
SAFEs Root Object provides additional functionality through a right-click menu, such as:
- editing the settings of the SAFE
- changing the root d
106. in the Picture or Gallery view as any other image file. Occasionally, corrupt ART files can cause EnCase to stop responding. If this occurs, try lowering the Invalid Picture Timeout setting in Global Options, or simply disable Enable ART and PNG Image Display, also in Global Options.

Viewing Office 2007 Documents
Microsoft's Office 2007 documents are stored in the Office Open XML file format. This is a zip file of various XML documents describing the entire document. The EnCase suite supports viewing Office 2007 Word, Excel and PowerPoint document files. EnCase extracts text from Word, Excel and PowerPoint documents. It parses Excel worksheet values as well.
Right-click the desired file, then click View File Structure.
1. Navigate to an XML file containing child nodes.
2. The viewer displays text from the document.

Viewing Base64 and UUE Encoded Files
EnCase applications automatically display Base64 and UUE encoded attachments when the mail file is mounted. For these encoded files, you either perform a keyword search for Base64 or UUE, or you notice that a file is encoded as such.
(Screenshot: View pane, Text tab, showing a MIME part header: Content-Type: text/plain; charset=iso-8859-1; Content-Transfer-Encoding: quoted-printable.)
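What "a zip file of various XML documents" means in practice, as an added example that is not part of the EnCase guide: a minimal Word document is constructed in memory as an Office Open XML container, its parts are listed the way View File Structure exposes them, and the visible text is pulled out of word/document.xml. The sample document, its paragraphs and the size cap are all constructed here; the WordprocessingML namespace is the real one.

```python
"""Added example (not EnCase code): walk an Office Open XML .docx container and
extract paragraph text from word/document.xml.  The document is built in memory
so the script runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
MAX_PART_BYTES = 50 * 1024 * 1024  # refuse to inflate one part past this (defensive cap)


def build_sample_docx(paragraphs):
    """Constructed minimal .docx: only the parts this demonstration needs."""
    body = "".join(
        f'<w:p><w:r><w:t xml:space="preserve">{escape(p)}</w:t></w:r></w:p>'
        for p in paragraphs)
    document_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                    f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def list_parts(docx_bytes):
    """(part name, uncompressed size) for every part in the container."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return [(i.filename, i.file_size) for i in z.infolist()]


def extract_docx_text(docx_bytes):
    """One string per w:p paragraph, concatenating the w:t runs inside it."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        info = z.getinfo("word/document.xml")
        if info.file_size > MAX_PART_BYTES:          # declared size before inflating
            raise ValueError("word/document.xml exceeds the size cap")
        root = ET.fromstring(z.read(info))
    paragraphs = []
    for p in root.iter(f"{{{W_NS}}}p"):
        paragraphs.append("".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t")))
    return paragraphs
```

The size check reads the declared uncompressed size from the zip directory before inflating, which is the cheap guard against a container whose XML part expands far beyond its stored size.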
107. information about a directory in selected formats.
- AOL IM Information provides data from AOL Instant Messenger data.
- App Descriptor Utility creates app descriptor sets stored globally in the appdescriptors.ini file.
- Compromise Assessment Module examines machines for a compromise such as a hack or virus.
- Consecutive Sectors searches consecutive sectors filled with the same character, which characterizes attempts to wipe a drive.
- Credit Card Finder searches an entire case for credit card numbers.
- E-Mail Address Finder locates email addresses via a GREP search and bookmarks them.
- EDS Registry Parser parses EDS Registry entries.
- EXIF Viewer searches selected files for the EXIF tag and bookmarks them.
- File Finder searches for and bookmarks selected file types.
- File Report gathers file information on all or selected folders.
- Find Protected Files searches a file system for files that are encrypted or require a password to open them.
- HTML Carver searches all or selected files for keywords in HTML documents and bookmarks them.
- IM Archive Parser searches Instant Messenger log files.
- Kazaa Log Parser searches a case for Kazaa DBB and DAT files.
- Link File Parser parses all or selected LNK files and retrieves selected information.
- Linux Initialize Case locates Linux artifacts and bookmarks them.
- Linux Syslog Parser parses Linux syslog entries and exports the data to a local drive as Excel or HTML.
- Mac Initialize Case loc
108. instead apply a single DST offset to the entire device. Use this option when the subject machine did not have the proper 2007 DST patch described above.
Year Selection List is disabled until Use Single DST Offset is checked. You can select which DST rules to base the DST adjustment on:
- Use 2006 for machines using pre-2007 DST rules.
- Use 2007 only on computers using the new 2007 DST rules.

Setting Time Zone Settings for Case Files
1. Open a case.
2. Click View > Cases Sub-Tabs > Home. The open cases appear in the Table pane.
3. Right-click the case for which you want to set the time zone, and then select Modify Time Settings. The Case Time Settings dialog displays.
4. If you want to account for seasonal daylight saving time rules, select Account for Seasonal Daylight Saving Time.
5. If you want to convert all dates to a particular time zone:
   a. Select Convert All Dates to Correspond to One Time Zone.
   b. Select a Daylight Setting.
   c. Select a Time Zone.
6. When you are finished, click OK.

Setting Time Zone Options for Evidence Files
1. Open a case to display its contents.
2. Select a Device from the Tree pane, right-click it, and choose Modify time zone settings. The Time Properties dialog appears.
3. Select a Time Zone from the Time Zone list. The details of the time zone appear in the Details text box.
4. If you want to use a single DST offset, select Use Single DST Offset and select the ye
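Why the guide distinguishes "Use 2006" from "Use 2007" rules, as an added example that is not part of the EnCase guide: both US daylight saving rule sets are implemented and the same UTC instant is rendered under each, showing the one-hour disagreement window that opens when a timestamp falls between the old and new transition dates. The standard offset (US Eastern, UTC-5) and the sample timestamps are assumptions made for the demonstration.

```python
"""Added example (not EnCase code): US DST rules before and after the 2007
change, and the windows in which they yield different local times."""
import calendar
from datetime import datetime, timedelta, timezone


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month; n = -1 gives the last Sunday."""
    sundays = [d for d in calendar.Calendar(firstweekday=0).itermonthdates(year, month)
               if d.month == month and d.weekday() == 6]
    return sundays[n if n < 0 else n - 1]


def dst_window_utc(year, rules, std_offset_hours):
    """(start, end) of DST as UTC instants.  US DST begins at 02:00 local standard
    time and ends at 02:00 local daylight time."""
    if rules == 2006:    # pre-2007: first Sunday in April to last Sunday in October
        start_day, end_day = nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)
    elif rules == 2007:  # 2007 onward: second Sunday in March to first Sunday in November
        start_day, end_day = nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    else:
        raise ValueError("rules must be 2006 or 2007")
    std = timedelta(hours=std_offset_hours)
    start = datetime(start_day.year, start_day.month, start_day.day, 2) - std
    end = datetime(end_day.year, end_day.month, end_day.day, 2) - std - timedelta(hours=1)
    return start.replace(tzinfo=timezone.utc), end.replace(tzinfo=timezone.utc)


def to_local(utc_dt, rules, std_offset_hours=-5):
    """Apply the chosen rule set to an aware UTC datetime (assumed US Eastern)."""
    start, end = dst_window_utc(utc_dt.year, rules, std_offset_hours)
    offset = std_offset_hours + (1 if start <= utc_dt < end else 0)
    return utc_dt.astimezone(timezone(timedelta(hours=offset)))


def display(iso_utc, rules, std_offset_hours=-5):
    """Render a UTC timestamp (ISO 8601, no zone) as local time under one rule set."""
    utc_dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return to_local(utc_dt, rules, std_offset_hours).strftime("%Y-%m-%d %H:%M %z")


def rules_disagree(iso_utc, std_offset_hours=-5):
    """True when an unpatched (2006) and a patched (2007) machine would show
    different local times for this instant."""
    return display(iso_utc, 2006, std_offset_hours) != display(iso_utc, 2007, std_offset_hours)


def disagreement_windows(year, std_offset_hours=-5):
    """The two UTC ranges per year in which the rule sets differ, as ISO strings."""
    s06, e06 = dst_window_utc(year, 2006, std_offset_hours)
    s07, e07 = dst_window_utc(year, 2007, std_offset_hours)
    return [(s07.isoformat(), s06.isoformat()), (e06.isoformat(), e07.isoformat())]
```

A file time recorded inside either window will read an hour off if the examiner picks the rule set the subject machine was not actually using, which is exactly the ambiguity the single-DST-offset option exists to resolve.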
109. is analyzed independent of the other.
(Screenshot: Cases tab, Home sub-tab, with the Table pane listing Case 1 and Case 2 and their Devices and Path columns.)
To switch case analysis from one case to another:
1. Click View > Cases Sub-Tabs > Home.
2. Select a case for analysis from the Table tab. The Devices column of the table indicates how many devices are associated with the case in the Name column.
Note: To look at the devices associated with a particular case, highlight the case in the Table pane, then click on the Entries sub-tab below Cases.

Indexing a Case
Managing the index files associated with evidence files in a case is an important part of case management. For detailed information, see Indexing on page 365.

Case File Format
Version 6 has a new case file format. As a result, case files created in version 6 do not open in previous versions. Version 6, however, does support cases created with version 5. If a version 5 case file is opened in version 6, it can be saved as either a version 5 or a version 6 case file. You have this option in the File > Save As menu. For example, a case is created in version 5, then opened and worked on in version 6. To select the version in which to save the file:
1. Se
110. items of information are required:
- the stripe size
- start sector
- length per physical disk
- whether the striping is right-handed or not
You can collect this data from the BIOS of the controller card for a hardware set, or from the registry for software sets.
(Screenshots: the disk configuration dialog with its Stripe Sectors and Right Handed Striping settings, and the reconstructed disk set shown in the Entries tree.)
When a RAID 5 consists of three or more disks and one disk is missing or bad, the application can still rebuild the virtual disk using parity information from the other disks in the configuration. This is detected automatically during the reconstruction of hardware disk configurations using the Scan Disk Configuration command. When rebuilding a RAID from the first two disks, results from validating parity are meaningless, because you create the parity to build the missing disk.
To acquire a disk configuration set as one disk
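The rebuild the paragraph describes, as an added example that is not part of the EnCase guide or its code: a three-disk RAID 5 set is constructed, one member is dropped and recreated as the XOR of the survivors, and the demo then shows why validating parity on a set you just rebuilt proves nothing, since the rebuilt disk is by construction whatever makes the parity come out right. The stripe size, the member contents and the parity rotation (one disk to the right per stripe) are assumptions made for the demonstration.

```python
"""Added example (not EnCase code): RAID 5 parity rebuild and the limits of
parity validation.  Member disks, stripe size and the missing disk are all
constructed here.  Layout assumption: parity rotates one disk to the right each
stripe (disk 0 holds parity for stripe 0, disk 1 for stripe 1, and so on)."""

STRIPE = 4  # bytes per stripe unit in this toy set; real sets use sectors


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, v in enumerate(b):
            out[i] ^= v
    return bytes(out)


def make_raid5(data, ndisks=3, stripe=STRIPE):
    """Constructed RAID 5 set: spread data over ndisks with one parity unit per stripe."""
    per_stripe = ndisks - 1
    units = [data[i:i + stripe].ljust(stripe, b"\0") for i in range(0, len(data), stripe)]
    while len(units) % per_stripe:
        units.append(b"\0" * stripe)
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(units) // per_stripe):
        row = units[s * per_stripe:(s + 1) * per_stripe]
        parity_disk = s % ndisks        # right-handed rotation (assumption)
        data_iter = iter(row)
        for d in range(ndisks):
            disks[d] += xor_blocks(row) if d == parity_disk else next(data_iter)
    return [bytes(d) for d in disks]


def validate_parity(disks, stripe=STRIPE):
    """Number of stripes whose members do not XOR to zero."""
    bad = 0
    for s in range(len(disks[0]) // stripe):
        members = [d[s * stripe:(s + 1) * stripe] for d in disks]
        if any(xor_blocks(members)):
            bad += 1
    return bad


def rebuild_missing(disks, missing):
    """Recreate disk `missing` (given as None in `disks`) as the XOR of all
    survivors.  XOR is positionwise, so the whole image rebuilds in one pass."""
    survivors = [d for i, d in enumerate(disks) if i != missing]
    rebuilt = list(disks)
    rebuilt[missing] = xor_blocks(survivors)
    return rebuilt


def read_volume(disks, stripe=STRIPE):
    """Reassemble the logical volume by skipping each stripe's parity unit."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // stripe):
        for d in range(ndisks):
            if d != s % ndisks:
                out += disks[d][s * stripe:(s + 1) * stripe]
    return bytes(out)


def demo():
    """Lose disk 1 and rebuild it; then corrupt one survivor byte and rebuild
    again to show that the damaged set still 'validates' while its data is wrong."""
    data = b"forensic image of a small volume"             # constructed volume content
    disks = make_raid5(data)
    rebuilt = rebuild_missing([disks[0], None, disks[2]], 1)
    corrupt0 = bytearray(disks[0])
    corrupt0[0] ^= 0xFF                                    # damage one surviving byte
    rebuilt_bad = rebuild_missing([bytes(corrupt0), None, disks[2]], 1)
    return {
        "rebuild_exact": rebuilt == disks,
        "volume_ok": read_volume(rebuilt) == data,
        "bad_set_parity_errors": validate_parity(rebuilt_bad),  # 0: check is meaningless
        "bad_volume_ok": read_volume(rebuilt_bad) == data,      # False: data is wrong
    }
```

Parity validation is only informative when every member, including the one that carries parity for a stripe, was read from physical media; once a member has been synthesised, the acquisition hash of the reassembled volume is the check that still means something.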
111. lets you provide a more meaningful name.
Comment contains text describing the bookmarked content. No text was supplied when the bookmark was originally created.

Edit Datamarks Dialog
Use this dialog to edit datamarks as they appear as table entries. Datamarks can be used as bookmarks when they are created in the Bookmark folder.
(Screenshot: Edit Datamarks dialog with Name and Comment fields and OK and Cancel buttons.)
Name is the name of the snapshot bookmark. The EnScript program that created the datamark supplied this name when the datamark was originally created. Editing lets you provide a more meaningful name.
Comment contains text describing the bookmarked content. The EnScript program that created the datamark supplied this value when the datamark was originally created. Editing lets you provide more meaningful comments.

Edit Bookmark Folder Dialogs
Folders appear in the Bookmarks tree and the Bookmarks table. These folders contain metadata and formatting for the Report panels that appear in both the Table pane and the View pane.
Note: The root of the Bookmarks tree is a folder. The same dialog (see Edit Folder Dialog) is used to edit the root bookmark folder and other folders in the Bookmarks tree and Bookmarks table. The root bookmark folder contains default report formatting, while the other folders do not.

Edit Folder Dialog
Use this dialog to modify:
- folder metadata
- report conten
112. no directory structure, the hard drive has probably been formatted. If this is a FAT-based system, EnCase applications can recover the original directory structure. Right-click on each logical volume and choose Recover Folders. This searches through the drive and recovers folders, subfolders and files from within those folders, if the information is still available.
You may occasionally encounter a device containing a file system unsupported by EnCase. When this occurs, the Entries tree displays the device icon, but the Entries table only lists Unallocated Clusters. Although there is no way to view file structure, it may be possible to run text searches through the Unallocated Clusters.

Recovering Partitions
Occasionally a device is formatted, or even FDISKed, in an attempt to destroy evidence. Formatting and FDISKing a hard drive does not actually delete data. Formatting deletes the structure indicating where the folders and files are on the disk. FDISKing a drive deletes a drive's partition information. EnCase applications can rebuild both partition information and directory and folder structure.

Adding Partitions
A formatted hard drive or FDISKed hard drive should be acquired using normal procedures. When these evidence files are added to a case:
- A formatted drive displays logical volumes within EnCase, but each volume has only an Unallocated Clusters entry in the table.
- An FDISKed hard drive will not show logical
113. of Viewing File Structure. The file structure of the email EDB file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice that the icon for the compound email file looks like a disk drive, and no compound volume indicator is added to the icon after it is parsed.

Exchange Server Synchronization
The MS Exchange Server stores email messages in an EDB file on a server, with a corresponding log file named E log. The log file is where Exchange stores data to be committed to the EDB file. In older Server versions there is also a corresponding .stm file. When the log file contains data that has not been committed to the EDB file, the EDB file is in an inconsistent or dirty state. EnCase is unable to parse inconsistent EDB files. To synchronize the structure, do the following:
1. Stop the Exchange Server service, if running.
2. Turn Exchange Server file shadowing on.
3. Copy the following folders from the Exchange Server to an EnCase working folder:
   - The bin directory, to get the eseutil.exe program
   - The mdbdata directory, which contains both the private and public EDB files
4. Start eseutil.exe using the Windows Start > Run command: [location]\eseutil
5. Use the eseutil.exe command line tool to check the consistency of the state field as follows: [file location]\eseutil /mh [filepath]\priv1.edb
114. of these tabs:
- The Attributes tab
- The Code Page tab

New Text Styles Dialog, Attributes Tab
The Attributes tab captures the text style definition.
(Screenshot: New Text Style dialog with Name, Line Wrap (Logical, Screen), Wrap Length and other controls.)
Name is the name of the text style.
Line Wrap contains controls that determine how content appears in the Text and Hex tabs of the View pane:
- Fit to page eliminates line breaks in displayed content and displays all text in the window.
- Line Breaks displays line breaks in the content.
- Max Size ignores line breaks in the content and wraps lines at the value set in Wrap Length.
Wrap Length specifies the length where a line break occurs. When you select Max Size, line breaks occur only at the value of this setting.
Default Char contains the character to use to indicate the encoding or code page could not interpret the underlying value.
RTL Reading sets the text display to read right to left (RTL).
Color Element contains a list of text elements that can have a color assigned to them. Double-click a list element to edit color attributes.

New Text Styles Dialog, Code Page Tab
The Code Page tab lets you select the code page for the text style you define.
(Screenshot: Code Page tab listing code pages by Name and Code, e.g. Arabic and Unicode Big Endian.)
115. package.
Business Phone is the phone number of the company associated with the package.
Web Page is the URL of the company Web page associated with the package.

Create License Dialog
Use the Create License dialog to create a license associated with a package. The association is made by entering the filename contained in License File without its extension.
(Screenshot: Create License dialog with License File set to C:\Program Files\EnCase6\License\License.EnLicense, Dongle List, Major Version, Expires (01/01/20) and #define fields, and OK and Cancel buttons.)
License File contains the path to and the filename of the license file.
Dongle List contains the dongle numbers that enable the license. If the license is not restricted, leave this setting blank.
Major Version contains the major version number of the software release.
Expires contains the date when the license will expire.
#define contains names used in the code, defined using the #define directive, which associate the license with specific functionality. A subset of functionality is associated with a given license.

Using a Package
A package is:
- Created
- Edited
- Built
- Run
In addition, one or more licenses are created and associated with a package.

Creating a Package
To create a package:
1. Do one of the following:
   - Click the Packages tab adjacent to the Cases tab on the root toolbar of the Tree pane.
   - Click View > Packages.
2. Right-click on the Packages tree in the Tree pane
116. panel to view the report in the Table pane.

Machine Survey Servlet Deploy
Use Machine Survey Servlet Deploy to deploy servlets to machines on the network. To use this method of deployment, you will need the following:
- IP addresses, or a range, of all nodes where you want to deploy
- A common username and password for all nodes where you want to deploy
To deploy servlets using Machine Survey Servlet Deploy:
1. Open the EnCase program.
2. Click the EnScript tab in the Filter pane.
3. Expand the Enterprise folder by clicking the + next to it.
4. Double-click Machine Survey Servlet Deploy.
(Screenshot: Machines Management settings with IPs (enter one IP/range per line), Add New Machine, Select Machine, Machine, Username, Password, Exclude IPs (enter one IP per line) and Exclude Machine controls.)
5. There are different ways to add to the list of machines that will receive the new servlet. Choose one or both of them below:
   - Click Select Machine, then log on to your SAFE, select a role, and select machines using the Network Tree.
   - Enter an IP address or IP range, username and password, and click Add. If you prefer to specify an IP range using Classless Inter-Domain Routing (CIDR), you can enter it.
Note: If you enter an IP range, all machines must use the same username and password.
6. If you entered an IP range and want to exclude specific addresses
117. program, read the Microsoft article at http://support.microsoft.com/kb/272570/en-us.

Recovering a Database
These instructions describe how to recover from a dirty EDB database. Enter these commands:
C:\Exchange\BIN\Eseutil.exe /r E44 [options]
Options include:
- /l <path>: location of log files
- /s <path>: location of system files
- /i: ignore mismatched/missing database attachments
- /d <path>: location of database files
- /o: suppress logo

Repairing a Database
These instructions describe how to repair an EDB database. Enter these commands:
C:\Exchange\BIN\Eseutil.exe /p <database name> [options]
Options include:
- /s <file>: set streaming file name
- /i: bypass the database and streaming file mismatch error
- /o: suppress logo
- /createstm: create empty streaming file if missing
- /g: run integrity check before repairing
- /t <database>: set temporary database name
- /f <name>: set prefix to use for name of report files

Viewing Outlook Express Email
EnCase applications can read Outlook Express .dbx files. After the file structure is parsed, the Entries and Records tables in the Table pane list individual emails by their subject line. The Records table pane lists the attachments. The
118. records for keywords; Selected items only.
(Screenshot: Keyword Search Options with Search entries and records for keywords (9 keywords), Search entry slack, Use initialized size, Undelete entries before searching, and Search only slack area of entries in Hash Library.)
3. Click Start.

Viewing Attachments
An email attachment is a file that is sent along with an email message. An attachment can be encoded or not. Complete a successful email search (see Searching Email on page 371). Email attachments clearly can have important evidentiary value. This section covers viewing attachments in their native format.
1. Click Records. Discovered email appears in the Tree pane.
(Screenshot: Records tree under Internet and Email listing mounted mail stores such as Inbox.dbx, Outbox.dbx, Sent Items.dbx, several numbered .dbx files and an encrypted .pst.)
2. Expand the high-level item to view its contents. A list of attachments appears in the Table pane, and the contents of the attachment appear in the Report pane.
(Screenshot: Records tree expanded under One.dbx, with messages such as "RE: Searching For Multiple Keywords at One Time using V4.12a", "Message", "Testing" and "A nightly report" listed in the Table pane.)
119. restore to the designated drive, type Yes in Continue and then click Yes to start the physical restore.
When the restore is finished, a verification message displays information such as any read or write errors and the hash values for both the evidence file and the restored drive. The hash values should match. If the hash values from the restore do not match, restore the evidence file again. It might be necessary to swap the target media for correct results.
When the drive is restored, physically pull the power cord from the computer. Attach the restored drive as near to the original configuration as possible; e.g., if the drive was originally on IDE channel 0 on the original computer, install it there. This will help the computer to allocate the original drive letters, providing the proper mapping for .lnk files, etc.
On older drives (less than 8.4 GB) you may need to reboot using an EnCase Barebones Boot Diskette and, during the boot sequence, set the CHS settings of the restoration drive in the CMOS to the physical drive geometry of the original drive, which you noted earlier. Setting the physical drive geometry will probably require overriding the auto-detected drive geometry.
Use LinEn to calculate the hash value of the restored drive and compare it to the acquisition hash value to ensure its integrity.
If you want to boot the drive, use an EnCase Barebones Boot Disk with FDISK copied to it. Run FDISK /MBR. The restored disk should now be
120. right-click the restored drive and select Make Active. Shut down the computer and attach the restored drive as near to the original configuration as possible. This helps the computer to allocate the original drive letters, making .lnk files etc. work better. Reboot and set the CHS settings of the restoration drive in the CMOS to the physical geometry of the original drive, overriding the auto-detected geometry if necessary. The restored disk should now be bootable.

If the Restored Disk Does Not Boot
The Cylinders/Heads/Sectors (CHS) information in the Master Boot Record (MBR) from the image may not match the CHS information of the actual hard drive. Reset the CHS information for the MBR: boot with a DOS boot disk and, at the A:\> prompt, type FDISK /MBR to reset the Master Boot Record. Verify that the MBR has the correct io.sys file. Re-SYS the boot drive with the correct SYS version. For example, if the subject had Windows 95B, then the hard drive should have a SYS command performed on it from a Windows 95B-created boot disk. At the A:\> prompt, type SYS C:.

Snapshot to DB Module Set
This script takes snapshots of nodes across a network and stores the snapshots in a SQL database. It also reads from the database to create reports on the snapshots taken. It allows for minimal maintenance on the database, so you can control the amount of data stored as well. Three EnScripts wo
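The CHS mismatch the section describes, made concrete as an added example that is not part of the EnCase guide: the partition entries of an MBR carry packed CHS start and end fields next to LBA values, and the function below decodes them and checks whether each CHS start agrees with the LBA start under the geometry of the drive the image now sits on. The MBR and both geometries are constructed for the demonstration; the entry layout and CHS packing are the standard MBR format.

```python
"""Added example (not EnCase code): decode MBR partition-table CHS fields and
check them against LBA values for a given drive geometry.  The MBR below is
constructed; the geometries are assumptions."""
import struct


def decode_chs(b):
    """Unpack the 3-byte CHS field: head, 6-bit sector, 10-bit cylinder
    (cylinder high bits live in the top two bits of the sector byte)."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; cylinders above 1023 cannot be represented."""
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def lba_to_chs(lba, heads, sectors_per_track):
    """CHS address of an LBA sector under a given geometry (sectors are 1-based)."""
    cylinder, rem = divmod(lba, heads * sectors_per_track)
    head, sector = divmod(rem, sectors_per_track)
    return cylinder, head, sector + 1


def parse_partition_table(mbr):
    """The four 16-byte entries at offset 446, skipping empty (type 0) slots."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba_start, lba_size = struct.unpack("<II", e[8:16])
        if ptype == 0:
            continue
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "chs_start": decode_chs(e[1:4]), "chs_end": decode_chs(e[5:8]),
                        "lba_start": lba_start, "lba_size": lba_size})
    return entries


def chs_mismatches(mbr, heads, sectors_per_track):
    """(lba_start, recorded CHS, CHS expected under this geometry) for every
    partition whose recorded CHS start disagrees with its LBA start."""
    bad = []
    for p in parse_partition_table(mbr):
        expected = lba_to_chs(p["lba_start"], heads, sectors_per_track)
        if p["chs_start"] != expected:
            bad.append((p["lba_start"], p["chs_start"], expected))
    return bad


def build_mbr(entries):
    """Constructed MBR from (bootable, type, chs_start, chs_end, lba_start, lba_size)."""
    mbr = bytearray(512)
    for i, (boot, ptype, cs, ce, ls, sz) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off] = 0x80 if boot else 0
        mbr[off + 1:off + 4] = encode_chs(*cs)
        mbr[off + 4] = ptype
        mbr[off + 5:off + 8] = encode_chs(*ce)
        mbr[off + 8:off + 16] = struct.pack("<II", ls, sz)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)
```

In the test the image was written with a 255-head, 63-sector geometry; the same MBR restored onto a drive the BIOS sees as 16 heads yields a CHS start that no longer matches the second partition's LBA start, which is the condition that setting the CMOS geometry to the original drive's values removes.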
121. software. They are stored by default in C:\Program Files\EnCase\EnCase\EnScript\Include. They can, however, be stored in another folder within EnScript. An EnScript developer creating new include files to work with a new EnScript component can create a new folder and place the new include programs there. Once the new folder is created, EnCase applications must know of its location.
1. Click Tools > Options > EnScript to see the Options dialog.
(Screenshot: Options dialog with Case Options, Global, NAS, Colors, Fonts, EnScript, Storage Paths and Enterprise tabs; the EnScript tab shows an Include Path field set to Include.)
2. Change the Include Path field entry to reflect the new include folder location.
Note: Add only the folder name, not the complete path.

EnScript Help
There are currently two sources of information about EnScript programs:
- Help > EnScript Help
- View > EnScript Types

EnScript Types
EnScript types reference resources containing the EnScript language classes. Perusing these types provides information about EnCase classes and functions. Click View > EnScript Types. The Tree pane contains a list of the classes. Selecting the Report panel of the Table pane displays a read-only description of the selected class.

Packages
Packages are a way to distribute EnScript programs without allowing others to view or modify the code. This allows for centralized source control and avoids unwanted code sharing. Packages are built
122. [unreadable contents entry] 395
EFS Files and Logical Evidence (L01) Files 399
CHAPTER 10 Bookmarking Items 401
Bookmarks Overview 402
Highlighted Data Bookmarks 403
Notes Bookmarks 403
Folder Information/Structure Bookmarks 404
Notable File Bookmarks 404
File Group Bookmarks 404
Snapshot Bookmarks 405
Log Record Bookmarks 405
[unreadable contents entry] 406
Bookmark Features 406
Bookmark Data Dialog for Highlighted Data Bookmarks 407
Bookmark Content Data Types 407
[unreadable contents entry] 408
[unreadable contents entry] 408
[unreadable contents entry] 409
Dates 409
Windows 410
[unreadable contents entry] 410
Add Note Bookmark Dialog 411
Bookmark Folder Information Structure Dialog 412
Bookmark Data Dialog for Files
123. the Copy/UnErase wizard appears.
4. Complete the File Selection page of the Copy/UnErase wizard. For detailed instructions, see Completing the File Selection Page.
5. Click Next. The Options page of the Copy/UnErase wizard appears.
6. Complete the Options page of the Copy/UnErase wizard. For detailed instructions, see Completing the Options Page.
7. Click Next. The Destination page of the Copy/UnErase wizard appears.
8. Complete the Destination page of the Copy/UnErase wizard. For detailed instructions, see Completing the Destination Page.
9. Click Finish. The copy and unerase operation executes. The resulting files are saved in the directory specified on the Destination page.

Completing the File Selection Page
The File Selection page is the first page of the Copy/UnErase wizard.
1. If several files were selected on the Table pane before you opened the wizard:
   a. Determine if the highlighted file or the selected files should be copied and unerased.
   b. Click either Highlighted File or All selected files, as appropriate.
2. If several files were selected on the Table pane before you opened the wizard:
   a. Determine if you want a collection of files or a single file as the result of the copy and unerase operation.
   b. Click either Separate Files or Merge into one file, as appropriate.
3. If you want to use a character other than the underline character as the replacement for the FAT file system deleted file indicator, typ
the same capacity. If possible, drives from the same batch should be used so that both will be read with the same capacity (check the date on the drive's label). Older hard drives may have two platters while the newer version may have only one, and the single-platter drive has a few fewer bytes available.
258 EnCase Forensic Version 6.11 User's Guide

Logical Restore
Media have different types depending on the CHS (cylinders, heads, sectors) information. The same type might have different cylinder settings, but the heads and sectors information (the HS in CHS) will be the same. If the heads and sectors information is different, the media type differs and you should use another target restore hard drive.
A logical volume must be restored to a volume of the same size or larger and of the same type. To prepare for a logical restore, the target media should be:
- wiped
- FDISKed
- partitioned
- formatted
prior to the restore. Format the target drive with the same file system type as the volume to be restored (e.g. FAT32 to FAT32, NTFS to NTFS).
The procedure for restoring a logical volume is identical to that of restoring a physical device. For a logical volume:
1. In Case view, right click the volume.
2. Select Restore.
When you finish the logical restore, a confirmation message displays. You must restart the computer to allow the restored volume to be recognized. Note that the restored volume contains only the information
[Restore confirmation dialog: type the word Yes to continue; the acquisition hash of the source is displayed for later comparison]

To restore a physical hard drive:
1. Install a sterile (unpartitioned, unformatted) restoration drive in your forensic machine, using a connection other than IDE 0. EnCase applications cannot restore a physical drive to IDE 0.
2. Ensure that the intended restoration drive is at least as large as, but preferably larger than, the original from which the image was taken, so that the restored data never overwrites all sectors on the target hard drive. EnCase applications can wipe the remaining sectors of the target hard drive after the data from the evidence file is restored; wiping the remaining sectors is recommended.
3. Look at the acquired drive in the Report pane and note the precise physical drive geometry of the forensic image you are restoring from, including cylinders, heads and sectors.
4. Note the acquisition hash for later comparison with the restored drive.
5. In the Entries tree of the Tree pane, right click the physical disk you wish to use as the source and select Restore.
6. Select the destination drive from the list of possible destination devices and click Next.
7. Select the drive to restore the image to and click Next.
8. If it is displayed, select Convert Drive Geometry and then click Finish.
To confirm the
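The hash comparison in steps 2 and 4 above is what proves the restore, and it only works if it covers exactly the original device's sector count: the target is larger, and its trailing sectors (wiped or not) were never part of the evidence. The following Python script is an added example, not part of this guide and not EnCase code, that performs that comparison against a constructed image file standing in for the restored drive; the device paths mentioned in comments are assumptions, and the 64- and 100-sector sizes are constructed for the example.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


def hash_sectors(path, sector_count, algo="md5", sector_size=SECTOR_SIZE, sectors_per_read=2048):
    """Hash exactly sector_count sectors from the start of a device or image file.

    A restored drive is normally larger than the original, and the sectors past the
    original extent are wiped (or left untouched) by the restore, so hashing the whole
    target can never reproduce the acquisition hash.  Only the first sector_count
    sectors, the geometry noted from the evidence file, are hashed.
    """
    h = hashlib.new(algo)
    remaining = sector_count * sector_size
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(remaining, sectors_per_read * sector_size))
            if not chunk:
                raise EOFError("device ends before sector %d" % sector_count)
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def verify_restore(path, sector_count, acquisition_hash, algo="md5"):
    """Return (matches, computed_hash): compare the restored extent with the hash recorded
    at acquisition (MD5 by default in EnCase 6; pass algo="sha1" if SHA1 was selected)."""
    computed = hash_sectors(path, sector_count, algo)
    return computed == acquisition_hash.strip().lower(), computed


def demo():
    """Constructed scenario, no real hardware: a 64-sector 'evidence drive' restored onto a
    100-sector target whose trailing 36 sectors were wiped.  Returns the comparison results."""
    original = bytes((i * 7 + 3) & 0xFF for i in range(64 * SECTOR_SIZE))  # constructed evidence data
    acquisition_hash = hashlib.md5(original).hexdigest()  # the value the acquisition report shows
    workdir = tempfile.mkdtemp()
    # On a real examiner box this would be the restored device itself, e.g. \\.\PhysicalDrive1
    # or /dev/sdb (assumed paths), opened read-only behind a write blocker.
    target = os.path.join(workdir, "restored_target.img")
    try:
        with open(target, "wb") as f:
            f.write(original)
            f.write(b"\x00" * (36 * SECTOR_SIZE))  # wiped remainder of the larger target
        matches, restored_hash = verify_restore(target, 64, acquisition_hash)
        whole_target_hash = hash_sectors(target, 100)  # wrong extent: includes the wiped sectors
    finally:
        os.remove(target)
        os.rmdir(workdir)
    return {
        "match": matches,
        "acquisition_hash": acquisition_hash,
        "restored_hash": restored_hash,
        "whole_target_hash": whole_target_hash,
    }


if __name__ == "__main__":
    result = demo()
    print("restored extent verified:", result["match"])
    print("whole-target hash differs from acquisition hash:",
          result["whole_target_hash"] != result["acquisition_hash"])
```

Use the cylinders, heads and sectors noted in step 3 to derive the sector count (cylinders x heads x sectors per track), or take the sector count directly from the evidence file's report; a mismatch usually means the wrong extent was hashed, not a bad restore.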
used to define an email search performed while acquiring the content of the device.
Search for email performs an email search. This option also enables controls that determine the type of email sought.
Recovered deleted determines whether deleted email that remains in the PST file since the last compact operation is recovered.
- Outlook (PST) includes .pst files in the search.
- Outlook Express (DBX) includes .dbx files in the search.
- Exchange (EDB) includes .edb files in the search.
- Lotus (NSF) includes .nsf files in the search.
- AOL includes AOL email files in the search.
- MBOX includes MBOX email files in the search.
Additional Options contains controls that determine additional analysis to perform on the content being acquired.
- Verify file signatures checks each file's header signature against its extension during the acquisition.
- Identify codepage: if you check this option, the software attempts to determine the code page of each file, then saves those code pages for later use in the View pane when the file contents are displayed.
- Search for internet history finds Internet history files during the acquisition.

Options Page
The Options page of the Acquisition wizard defines the metadata and various aspects of the image generated by the acquisition, which constitutes the EnCase evidence file.
[Options page dialog with Confirm Password field]
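The Verify file signatures option is worth understanding in terms of what it actually compares: the first bytes of the file against what the extension claims. The following Python script is an added illustration, not EnCase's implementation (which the guide does not show), of that comparison; it classifies files into the four outcomes a signature analysis distinguishes (Match, Alias, Bad signature, Unknown). The signature table covers only a few of the mail and picture formats named above, the sample headers are constructed for the example, and the ESE (EDB) signature is checked at byte offset 4 because the first four bytes of that header are a checksum.

```python
# Known header signatures: (offset, magic bytes, description, extensions that legitimately carry it).
SIGNATURES = [
    (0, b"\xFF\xD8\xFF", "JPEG image", {"jpg", "jpeg"}),
    (0, b"GIF87a", "GIF image", {"gif"}),
    (0, b"GIF89a", "GIF image", {"gif"}),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (0, b"%PDF", "PDF document", {"pdf"}),
    (0, b"PK\x03\x04", "ZIP archive (also Office 2007 documents)", {"zip", "docx", "xlsx", "pptx"}),
    (0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE compound file (Office 97-2003, thumbs.db)",
     {"doc", "xls", "ppt", "msg", "db"}),
    (0, b"!BDN", "Outlook PST/OST", {"pst", "ost"}),
    (0, b"\xCF\xAD\x12\xFE", "Outlook Express DBX", {"dbx"}),
    (4, b"\xEF\xCD\xAB\x89", "Exchange/ESE database", {"edb"}),
    (0, b"From ", "MBOX mailbox", {"mbox"}),
]

KNOWN_EXTENSIONS = set().union(*(exts for _, _, _, exts in SIGNATURES))


def matching_signatures(data):
    """Every signature whose magic bytes appear at its expected offset."""
    return [s for s in SIGNATURES if data[s[0]:s[0] + len(s[1])] == s[1]]


def signature_analysis(filename, data):
    """Classify a file by comparing its header bytes with its extension:
      Match          header and extension agree
      Alias          header is a known type but the extension says something else (renamed file)
      Bad signature  extension claims a known type but the header matches no signature
      Unknown        neither header nor extension is in the signature table
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    hits = matching_signatures(data)
    if any(ext in exts for _, _, _, exts in hits):
        return "Match"
    if hits:
        return "Alias"
    if ext in KNOWN_EXTENSIONS:
        return "Bad signature"
    return "Unknown"


def analyze_files(files):
    """files: iterable of (name, first_bytes) -> list of (name, status, detected description)."""
    report = []
    for name, data in files:
        hits = matching_signatures(data)
        report.append((name, signature_analysis(name, data), hits[0][2] if hits else ""))
    return report


# Constructed sample headers (first bytes only; a real run reads the first few KiB of each file).
SAMPLE_FILES = [
    ("photo.jpg", b"\xFF\xD8\xFF\xE1\x10\x00Exif\x00\x00II*\x00"),  # JPEG with EXIF, extension agrees
    ("notes.txt", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),             # JPEG renamed to .txt: Alias
    ("report.pdf", b"hello, not a pdf at all"),                     # claims PDF, header says otherwise
    ("mail.pst", b"!BDN" + b"\x00" * 12),                            # Outlook PST
    ("priv1.edb", b"\x12\x34\x56\x78\xEF\xCD\xAB\x89"),              # ESE database, signature at offset 4
    ("blob.bin", b"\x00\x01\x02\x03\x04\x05\x06\x07"),               # nothing known
]

if __name__ == "__main__":
    for name, status, kind in analyze_files(SAMPLE_FILES):
        print("%-12s %-14s %s" % (name, status, kind))
```

The Alias and Bad signature rows are the ones an examiner chases: a JPEG named .txt is the classic way to hide pictures from an extension-based search, and a .pdf that does not start with %PDF is either damaged or not a PDF at all.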
volume information. The entire drive is displayed as Unused Disk Area in the table.
[Disk view of the device: no partitions, the whole drive shown as Unused Disk Area]

To restructure these portions of the disk:
1. In the Filter pane, expand EnScripts > Examples.
2. Double click Case Processor.
3. Check the case you are working on and click Next.
4. Enter a Bookmark Folder name and, optionally, a Folder Comment.
5. Check the Partition Finder module in the Modules list.
6. Click Finish. The EnScript program runs.
7. When the EnScript program finishes, click Bookmarks in the Tree pane.
8. In the tree, click Set Included to show all the bookmarks the EnScript program has found.
9. Note the partition type and size in the comment.
10. Highlight the entry in the Table pane and then select Disk.
11. In the Disk tab the cursor appears on the bookmarked sector. Right click and select Add Partition.
12. The Add Partition screen detects the sectors and partition type, automatically populating the fields. Click OK to restore the partition.
13. To see the contents of the partition you just added, click Entries in the Tree pane. The new partition appears below the device the Case Processor (Sweep Case) EnScript program was run against.
If the drive had multiple partitions, click Bookmarks in the Tree pane, then repeat the process from step 9.

Deleting Partitions
If a partition was created at the wrong sector, you must delete th
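The Partition Finder module works because a volume's boot sector survives even when the partition table entry that pointed at it is gone. The following Python script is an added example, not the EnScript itself (whose source the guide does not show), of the same idea: it scans a raw image sector by sector for FAT32 and NTFS boot sectors, reads the volume size from the BIOS parameter block, skips each volume's backup copy of its boot sector so a volume is reported once, and prints the start sector, size and MBR type code you would confirm in Add Partition. The disk image, with its partition table already zeroed, is constructed inside the script.

```python
import struct

SECTOR = 512


def parse_boot_sector(buf):
    """Return a dict describing buf if it is a FAT or NTFS volume boot sector, else None."""
    if len(buf) < SECTOR or buf[510:512] != b"\x55\xAA" or buf[0] not in (0xEB, 0xE9):
        return None  # no boot signature or no x86 jump instruction: not a volume boot record
    total16, = struct.unpack_from("<H", buf, 0x13)   # BPB_TotSec16 (0 when the volume needs 32 bits)
    total32, = struct.unpack_from("<I", buf, 0x20)   # BPB_TotSec32
    if buf[3:11] == b"NTFS    ":
        ntfs_total, = struct.unpack_from("<Q", buf, 0x28)
        # NTFS TotalSectors excludes the final sector, which holds the backup boot sector
        return {"fs": "NTFS", "sectors": ntfs_total + 1, "type_code": 0x07, "backup_at": ntfs_total}
    if buf[0x52:0x57] == b"FAT32":
        backup, = struct.unpack_from("<H", buf, 0x32)  # BPB_BkBootSec, normally 6
        return {"fs": "FAT32", "sectors": total16 or total32, "type_code": 0x0C, "backup_at": backup}
    if buf[0x36:0x39] == b"FAT":
        return {"fs": "FAT12/FAT16", "sectors": total16 or total32, "type_code": 0x06, "backup_at": None}
    return None


def find_partitions(image):
    """Scan every sector of a raw image for volume boot sectors that no partition-table
    entry points at; returns [{"start", "fs", "sectors", "type_code"}, ...] in LBA order."""
    found = []
    for lba in range(len(image) // SECTOR):
        info = parse_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
        if info is None:
            continue
        # A FAT32 volume keeps a copy of its boot sector at start+BkBootSec and NTFS keeps one in
        # its last sector; report the volume once, at the primary copy, not once per copy.
        if any(p["fs"] == info["fs"] and p["backup_at"] is not None
               and lba == p["start"] + p["backup_at"] for p in found):
            continue
        found.append(dict(info, start=lba))
    return [{k: p[k] for k in ("start", "fs", "sectors", "type_code")} for p in found]


def make_fat32_boot(total_sectors, backup=6):
    """Constructed FAT32 boot sector with only the fields the scanner reads."""
    b = bytearray(SECTOR)
    b[0:3] = b"\xEB\x58\x90"
    b[3:11] = b"MSWIN4.1"
    struct.pack_into("<HB", b, 0x0B, 512, 8)         # bytes per sector, sectors per cluster
    struct.pack_into("<I", b, 0x20, total_sectors)    # BPB_TotSec32
    struct.pack_into("<H", b, 0x32, backup)           # BPB_BkBootSec
    b[0x52:0x5A] = b"FAT32   "
    b[510:512] = b"\x55\xAA"
    return bytes(b)


def make_ntfs_boot(total_sectors):
    """Constructed NTFS boot sector with only the fields the scanner reads."""
    b = bytearray(SECTOR)
    b[0:3] = b"\xEB\x52\x90"
    b[3:11] = b"NTFS    "
    struct.pack_into("<HB", b, 0x0B, 512, 8)
    struct.pack_into("<Q", b, 0x28, total_sectors - 1)  # field excludes the backup boot sector
    b[510:512] = b"\x55\xAA"
    return bytes(b)


def demo_image():
    """Constructed 4096-sector disk whose MBR partition table was zeroed: a 1000-sector FAT32
    volume at LBA 63 (backup boot sector at 69) and a 2000-sector NTFS volume at LBA 1100
    (backup boot sector in its last sector, LBA 3099)."""
    img = bytearray(4096 * SECTOR)
    fat = make_fat32_boot(1000)
    img[63 * SECTOR:64 * SECTOR] = fat
    img[69 * SECTOR:70 * SECTOR] = fat
    ntfs = make_ntfs_boot(2000)
    img[1100 * SECTOR:1101 * SECTOR] = ntfs
    img[3099 * SECTOR:3100 * SECTOR] = ntfs
    return bytes(img)


if __name__ == "__main__":
    for p in find_partitions(demo_image()):
        print("LBA %6d  %-12s %6d sectors  MBR type 0x%02X"
              % (p["start"], p["fs"], p["sectors"], p["type_code"]))
```

When a scan like this reports two FAT32 boot sectors six sectors apart, the second is the backup copy, not a second volume; adding a partition at the backup's sector is exactly the "created at the wrong sector" case the Deleting Partitions section deals with.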
were selected to be copied and unerased.
Separate Files outputs each file being copied and unerased to its own file.
Merge into one file merges the output of all the selected files into one file.
Replace first character of FAT deleted files with determines which character is used to replace the first character in the filename of deleted files in the FAT file system (FAT overwrites that byte with the 0xE5 deleted marker, so the original character cannot be read back from the directory entry).
Status indicates whether one file or several files will be copied and unerased.

Options Page of the Copy/UnErase Wizard
The Options page of the Copy/UnErase wizard determines:
- the extent of the evidence file copied
- whether non-ASCII characters encountered will appear in the output file or files
- whether dots will replace non-ASCII characters in the output file or files
- whether errors in the files will pause the operation and wait for user input
Settings on this page involve RAM slack, which is the buffer between the end of the logical file and the end of the last sector it occupies, that is, the bytes before the file (disk) slack begins. RAM slack is sometimes referred to as sector slack.
[Options page: Copy (Logical File Only, Entire Physical File, RAM and Disk Slack, RAM Slack Only); Character Mask (None, Do not Write Non-ASCII Characters, Replace Non-ASCII Characters With DOT); Show Errors]
284 EnCase Forensic Version 6.11 User's Guide
Copy contains the settings that determine the extent of the content of the evidence file to be copied.
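Two of the settings described here (and on the File Selection page earlier) are clearer once the on-disk structures are in view: the replacement character exists because FAT overwrites the first byte of a deleted entry's 8.3 name with 0xE5, and the Copy choices differ only in how far past the logical end of the file they read. The following Python script is an added example, not EnCase code, that parses a constructed FAT directory cluster with the deleted marker replaced (underline by default, as in the wizard) and computes the byte ranges that Logical File Only, RAM Slack Only, RAM and Disk Slack and Entire Physical File correspond to for a given file size. The 512-byte sector and 4096-byte cluster sizes are assumptions for the example; real values come from the volume's BIOS parameter block.

```python
import struct

DELETED_MARKER = 0xE5   # first byte of a deleted 8.3 entry
KANJI_ESCAPE = 0x05     # 0x05 in a live entry stands for a real 0xE5 first character
ATTR_LONG_NAME = 0x0F
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10


def parse_dir_entry(entry, replacement="_"):
    """Decode one 32-byte FAT directory entry.  For a deleted entry the first name byte was
    overwritten with 0xE5 by the file system, so it is replaced with `replacement` rather
    than guessed."""
    first = entry[0]
    raw_name = bytearray(entry[0:8])
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    deleted = first == DELETED_MARKER
    if deleted:
        raw_name[0] = ord(replacement)
    elif first == KANJI_ESCAPE:
        raw_name[0] = DELETED_MARKER
    base = raw_name.decode("latin-1").rstrip()
    name = base + ("." + ext if ext else "")
    attr = entry[11]
    first_cluster = (struct.unpack_from("<H", entry, 20)[0] << 16) | struct.unpack_from("<H", entry, 26)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    return {"name": name, "deleted": deleted, "directory": bool(attr & ATTR_DIRECTORY),
            "first_cluster": first_cluster, "size": size}


def parse_directory(buf, replacement="_"):
    """Walk a directory cluster: skip long-name and volume-label entries, stop at the end marker."""
    entries = []
    for off in range(0, len(buf) - 31, 32):
        entry = buf[off:off + 32]
        if entry[0] == 0x00:
            break  # no entries follow
        attr = entry[11]
        if attr == ATTR_LONG_NAME or attr & ATTR_VOLUME_ID:
            continue
        entries.append(parse_dir_entry(entry, replacement))
    return entries


def copy_extents(size, sector_size=512, cluster_size=4096):
    """Byte ranges the Copy options write for a file of `size` logical bytes: the logical file,
    the RAM (sector) slack up to the end of its last sector, and the disk slack from there to
    the end of its last cluster."""
    sector_end = -(-size // sector_size) * sector_size
    cluster_end = -(-size // cluster_size) * cluster_size
    return {
        "logical_file_only": (0, size),
        "ram_slack": (size, sector_end),
        "disk_slack": (sector_end, cluster_end),
        "entire_physical_file": (0, cluster_end),
    }


def make_entry(name, ext, attr, cluster, size, first_byte=None):
    """Build a constructed 8.3 directory entry for the sample below."""
    e = bytearray(32)
    e[0:8] = name.ljust(8).encode("ascii")
    e[8:11] = ext.ljust(3).encode("ascii")
    e[11] = attr
    struct.pack_into("<H", e, 20, cluster >> 16)
    struct.pack_into("<H", e, 26, cluster & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    if first_byte is not None:
        e[0] = first_byte
    return bytes(e)


# Constructed directory cluster: a live file, a deleted BORDER.JPG, a long-name fragment,
# a deleted directory, then the end-of-directory marker.
SAMPLE_DIR = b"".join([
    make_entry("README", "TXT", 0x20, 3, 700),
    make_entry("BORDER", "JPG", 0x20, 9, 1234, first_byte=DELETED_MARKER),
    bytes([0x41]) + b"\x00" * 10 + bytes([ATTR_LONG_NAME]) + b"\x00" * 20,
    make_entry("OLDSTUFF", "", ATTR_DIRECTORY, 12, 0, first_byte=DELETED_MARKER),
    b"\x00" * 32,
])

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        print(e)
    print(copy_extents(1234))
```

The deleted BORDER.JPG comes back as _ORDER.JPG, which is why the deleted pictures in the screenshots elsewhere in this guide carry names such as _EAL.JPG and _ORTRAIT.JPG; and for a 1234-byte file on 512-byte sectors and 4 KiB clusters, RAM Slack Only adds bytes 1234 to 1536 while Entire Physical File runs to byte 4096.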
will hold the acquired evidence file.
1. If the FAT32 storage partition that will receive the evidence file has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type linen in the console to run LinEn. The LinEn Main Screen appears.
[LinEn Main Screen: each local disk and partition is listed with device path, partition type code, file system, sector count and size, for example /dev/hda (78165360 sectors, 37.3 GB) with /dev/hda1 Linux swap (82), /dev/hda2 and /dev/hda3 Linux EXT2 (83) and /dev/hda4 FAT32X (0C); /dev/hdd (234375120 sectors, 111.8 GB) with three FAT32X partitions; /dev/sda (64000 sectors) with a FAT16 partition]
3. Choose Acquire. The Acquire screen appears.
4. Choose the physical drive or logical partition you wish to acquire. The Acquire Device <drive> dialog appears.
[Acquire Device dialog: Path and file name, e.g. /Folder/Name]
For the data elements requested by the Acquire dialog, either accept the default when one is provided, enter a value, or choose one of the alternatives (see the Specifying and Running an Acquisition section), and then press Enter. The Acquire Device dialog requests additional data values until all data elements are entered or selected. Then the Creating File dialog appears. When the acquisition is complete, click OK. The LinEn main window appears. The sub
[Table view listing JPEG pictures, with the View pane tab bar: Text, Hex, Doc, Transcript, Report, Console, Details, Output, Lock, Codepage]

To view or mount a Windows thumbs.db file:
1. Navigate to the desired thumbs.db file.
2. Right click the file, then click View File Structure.
3. As needed, select Calculate unallocated space.
4. Continue with step 2 of Viewing File Structure.
The file structure of the thumbs.db file displays, and the component files or layers in the compound volume folder can be opened and displayed in the view of your choice. The compound volume indicator is added to the thumbs.db folder after it is parsed.

America Online .art Files
EnCase applications support America Online .art format images in the Picture and Gallery tabs. .art support requires installation of the Internet Explorer AOL Support module on the examiner machine. The installer is available to download from http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/aolsupp.mspx
This installs the files:
- Jgaw400.dll
- Jgdw400.dll
- Jgmd4.dll
- Jgpl400.dll
- Jgsd400.dll
- Jgsh400.dll
This update is only required for Windows 2000. Newer operating systems do not need this patch.
View the file
with the .enpack file extension, and function for end users exactly as EnScript programs do. In addition to hiding the code from end users, you can also create license files specific to license keys, protecting you from unwanted duplication. The license file's extension is .EnLicense.

Package Features
Features that support packages include:
- the New Package dialog
- the Create License dialog
Use the New Package dialog to create, build and edit packages. When building or editing packages the name of this dialog changes, but the panels and settings remain the same.
Use the Create License dialog to create licenses for a package. The license is assigned the License Name value on:
- the Package panel of the New Package dialog
- the Edit <package name> dialog
- the Build dialog

New Package Dialog
The New Package dialog contains:
- a Package panel
- a Properties panel
Use the New Package dialog to create, build, edit and run packages.

Package Panel
The Package panel of the New Package dialog captures attributes related to the package. Use this panel to create, build and edit the package.
[New Package dialog: Name Package1; Source Path and Output Path under C:\Program Files\EnCase6\EnScript, output to the EnPack folder; type EnScript Analysis]
Name is the file name of the package as seen in the interface.
Source Path contains the path to and filename of the EnScript source cod
your collection.
1. Right click in the Conditions pane.
2. Select Export.
3. Select Export Tree. Note: selecting XML Formatted exports the file in XML format.
4. Navigate to or enter the path where the filter is located and click OK. Note: by default the Output File text field contains a file named export.txt. You can change this name. You can also enter or browse to a complete export path.

Queries
Queries allow changing what is visible by combining filters and conditions into one item. There are two parts to a query: the display portion and the logic portion. The display portion affects the text and its color and is used to denote matches using user-selected filters and conditions. The logic portion controls which rows are hidden from the Table pane. Construct a query using the same filters and conditions for the display and logic sections, or use different filters and conditions. One caveat: the logic portion takes precedence, so if a row does not match the filters and conditions used in the logic section it is hidden, even if it matched in the display section.
To create a query:
1. Enter a name in the field.
2. In the Display settings for shown items pane, right click in the right pane and select New.
   - Choose Filter or Condition.
   - Select the filter or condition from the list.
   - Enter text into t
[Table view of a filtered list: rows 9 to 18 (Fedreserveandtrea..., _ORDER.JPG, serialnumbers.jpg, raisednoteten.jpg, Counterfeit_finepri..., Mellon.GIF, _EAL 1.GIF, _EAL 2.GIF, TRONG.GIF, RANK2.JPG), all with Deleted = Yes, created 01/06/01 to 01/07/01 and last accessed 01/28/05]
The Query icon in the top menu bar appears with the filter results. When the icon shows a green sign, filtered lists appear. If more than one filter has been run, each name appears, with ORed logic, in the table's Filter column. When clicked, the Query icon changes its appearance and its associated list contents. As you can see below, the icon now has a different sign on it. In this state the list shows selected evidence files and filtered files.
Here is a table display with the query in that state:
[Table view of all entries: rows 1 to 3 (LAB WINK.GIF, OLDBACK.JPG, NEW...) with Deleted = No, created 04/30/00 and last accessed 01/28/05]
[Keyword test dialog: expression Доброе утро tested against the file C:\AR45667.txt; the Text pane rendered with code page French Canadian (DOS 863); the Hex pane shows FF FE 14 04 3E 04 31 04 40 04 3E 04 35 04 20 00 43 04 42 04 40 04 3E 04 20 00 0A 00; the code page list includes Arabic (864), Arabic (ASMO 708), Arabic (DOS 720), Arabic (ISO 28596), Arabic (Mac 10004) and Arabic (Windows 1256); the Expression field reads "Wrong codepage for this expression"; Test data: Hits 0]

To test a non-English language keyword, do the following:
1. Enter the search expression in Keyword.
2. Enter or browse to the file containing the non-English language content used to test the keyword.
3. Click Load. Text appears in the Text pane.
4. If the text is incorrectly rendered, select other code pages until the text is rendered correctly. When a selected encoding is not one that was selected when the keyword was defined, the Expression field contains this message: Wrong codepage for this expression.
5. Click Hex to view the content in hexadecimal. The hex representation of the underlying text appears. The values FF FE at the start of the file indicate that the file is Unicode (UTF-16, little-endian); you may want to redefine the encoding used for this keyword.
6. Test the keyword and click OK.
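The test above shows why a keyword has to be defined with every code page the evidence might use: the same word is a different byte sequence in UTF-16, Windows-1251 and KOI8-R, and some code pages cannot represent it at all, which is the "Wrong codepage for this expression" case. The following Python script is an added example, not EnCase's search engine, that sniffs a byte-order mark and then searches a constructed file for a keyword in several code pages, reporting where each encoding matches and which code pages cannot encode the expression. The test file, built from the Russian phrase in the screenshot, is constructed inside the script.

```python
import codecs

# Byte-order marks, longest first so UTF-32 LE (FF FE 00 00) is not mistaken for UTF-16 LE (FF FE).
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]


def sniff_bom(data):
    """Encoding implied by a leading byte-order mark, or None.  FF FE means UTF-16 little-endian,
    the form Windows writes for 'Unicode' text."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name
    return None


def keyword_hits(data, keyword, codepages):
    """Search raw bytes for `keyword` in every requested code page.

    Returns (hits, unencodable): hits is a sorted list of (offset, codepage) for each place the
    keyword's bytes in that code page occur; unencodable lists the code pages that cannot
    represent the keyword at all, where a hit is impossible whatever the file contains."""
    hits, unencodable = [], []
    for cp in codepages:
        try:
            needle = keyword.encode(cp)
        except UnicodeEncodeError:
            unencodable.append(cp)
            continue
        start = 0
        while True:
            off = data.find(needle, start)
            if off < 0:
                break
            start = off + 1
            # UTF-16 text is 2-byte aligned; an odd offset would be a false positive straddling
            # two code units, so it is dropped.
            if cp.startswith("utf-16") and off % 2:
                continue
            hits.append((off, cp))
    return sorted(hits), unencodable


PHRASE = "Доброе утро\r\n"  # 'good morning', the phrase shown in the Hex pane above
# Constructed test file: the phrase as BOM-prefixed UTF-16 LE, then in Windows-1251, then in KOI8-R.
SAMPLE_FILE = (codecs.BOM_UTF16_LE + PHRASE.encode("utf-16-le")
               + PHRASE.encode("cp1251") + PHRASE.encode("koi8-r"))

if __name__ == "__main__":
    print("BOM says:", sniff_bom(SAMPLE_FILE))
    found, bad = keyword_hits(SAMPLE_FILE, "утро", ["utf-16-le", "cp1251", "koi8-r", "cp1256", "utf-8"])
    print("hits:", found)
    print("cannot encode keyword:", bad)
```

A keyword defined only for Windows-1251 finds one of the three copies of the word in this file; the UTF-16 copy, the one a Windows user is most likely to have produced, is missed unless that encoding is also selected.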
Querying the Index for Non-English Content
After you create an index, files that might contain non-English content can be queried using conditions.
[Conditions tree: EnScript, Filters, Conditions, Queries, Text Styles; under Conditions: Files, File Extents, Index Conditions, Email Examinations, Filter by Date, Filter by Size, General Conditions. Index Conditions contains:
- Files Containing Index Terms (Recommended)
- Files Containing Index Terms Case Sensitive
- Files Containing Index Terms GREP (slower)
- Files Containing Index Terms Within 5 Words
- Files Containing Index Terms Ordered within 5 Words
- Files Containing Index Terms Stemming
- Files Containing Index Terms Diacritic Match
- Files Containing Index Terms Umlaut
- Files Containing Index Terms Exact Match
- Files Containing Index Terms Any distance]
To query for non-English language content:
1. In the Entries tree and Entries table, select the files to search.
2. Click Tools > Index Case.
3. In the Filters pane, click the Conditions tab.
4. Open the Index Conditions folder in the Conditions tree.
5. Select the non-English condition, for example Index Terms Umlaut.

Working with Non-English Languages
Bookmarking Non-English Language Text
Once you find search results, bookmark them. Bookmarks associate text styles with bookmarked content.
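The Diacritic Match and Umlaut conditions differ from Exact Match only in how an indexed term is compared with the query term. The following Python script is an added example, not EnCase's index (whose internals the guide does not describe), of one way to implement those three rules over a small constructed index. The folding rules are assumptions about the semantics, not the product's documented behaviour: Diacritic Match strips combining marks (résumé matches resume), and Umlaut expands ä, ö, ü and ß to ae, oe, ue and ss before stripping marks (München matches Muenchen).

```python
import re
import unicodedata

UMLAUT_EXPANSIONS = {"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"}


def fold_diacritics(term):
    """'résumé' -> 'resume': lowercase, decompose, drop combining marks, recompose."""
    decomposed = unicodedata.normalize("NFD", term.lower())
    return unicodedata.normalize("NFC", "".join(c for c in decomposed if not unicodedata.combining(c)))


def fold_umlauts(term):
    """'München' -> 'muenchen', 'Straße' -> 'strasse', then strip any remaining diacritics."""
    expanded = "".join(UMLAUT_EXPANSIONS.get(c, c) for c in term.lower())
    return fold_diacritics(expanded)


# Assumed rule names mirroring the conditions above (exact / diacritic / umlaut).
FOLDERS = {
    "exact": lambda t: t,
    "case_insensitive": str.lower,
    "diacritic": fold_diacritics,
    "umlaut": fold_umlauts,
}


def tokenize(text):
    return re.findall(r"\w+", text)


def build_index(documents):
    """documents: {doc_id: text} -> {term: {doc_ids}} keeping terms exactly as written; the
    matching rule is applied at query time, so one index serves every condition."""
    index = {}
    for doc_id, text in documents.items():
        for term in tokenize(text):
            index.setdefault(term, set()).add(doc_id)
    return index


def query_index(index, term, rule="exact"):
    """Documents whose indexed terms equal `term` under the chosen rule."""
    fold = FOLDERS[rule]
    wanted = fold(term)
    result = set()
    for indexed_term, doc_ids in index.items():
        if fold(indexed_term) == wanted:
            result |= doc_ids
    return result


# Constructed documents mixing original spellings with their folded equivalents.
DOCUMENTS = {
    "d1": "Die Straße nach München",
    "d2": "Strasse nach Muenchen",
    "d3": "Ein Café in Zürich, résumé beigefügt",
    "d4": "cafe in Zurich, resume attached",
}
INDEX = build_index(DOCUMENTS)

if __name__ == "__main__":
    for rule in ("exact", "diacritic", "umlaut"):
        print(rule, sorted(query_index(INDEX, "Muenchen", rule)), sorted(query_index(INDEX, "cafe", rule)))
```

Under these rules the Umlaut condition is not simply a looser Diacritic Match: Zürich folds to zuerich, so a query for Zurich finds d3 under the diacritic rule but not under the umlaut rule. Which condition to use depends on how the author of the evidence was likely to have typed the word.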
2003 and Vista operating systems. If not installed as a service, you must Run as Administrator.

Send to HBGary Responder EnScript
This EnScript passes a memory object gathered by EnCase to HBGary's Responder software. The EnScript drops the physical evidence device information byte for byte into a flat file and sends it to Responder.

CHAPTER 3 Installing EnCase Forensic
The EnCase Installer  21
Installing Security Keys  29
Troubleshooting Security Keys  29
Obtaining Updates  30
Configuring Your EnCase Application  30
Sharing Configuration Files  40
Vista Examiner Support  40
Running a 32-bit Application on a 64-bit Platform  43

The EnCase Installer
The EnCase installer copies the program and its drivers to the end user's computer (or client) and initializes drivers and services with the operating system. The investigator can select where to install the EnCase Examiner; the default is the Program Files folder. If a selected directory exists, the installer overwrites any existing program files, logs and drivers.

Minimum Requirements
For best performance, examination computers should be configured with at least the following hardware and software:
- an EnCase security key, also known as a dongle
- certificates for all purchased modules, known as certs
- a current version of EnCase Examiner
- a Pentium IV 1.4 GHz or faster process
[Table view with the Deleted Files filter applied: rows 8 to 18 (portraits.jpg, Fedreserveandtrea..., _ORDER.JPG, serialnumbers.jpg, raisednoteten.jpg, Counterfeit_finepri..., Mellon.GIF, _EAL 1.GIF, _EAL 2.GIF, TRONG.GIF, RANK2.JPG), each shown with Filter = Deleted Files and Deleted = Yes, created 01/06/01 to 01/07/01 and last accessed 01/28/05]
3. Notice that a Query icon appears in the top menu bar. This icon appears when a filtered list is displayed. Clicking the icon changes the display from showing the filtered list to showing all file entries.
The Query icon changes when clicked: it has a red sign on it to show that the filter is off.
Creating a Logical Evidence File  242
Creating a Notable File Bookmark  411
Creating a Notes Bookmark  409, 415
Creating a Package  502
Creating a Report Using Case Processor  449
Creating a Report Using the Report Tab  437
Creating a Snapshot Bookmark  414
Creating a Webmail Report  442
Creating an Additional Fields Report  447
Creating and Defining a New Text Style  463
Creating Conditions  139
Creating Global Keywords  339
Creating International Keywords  342
Creating Non-English Keywords  465
CREDANT Encryption Support, File-Based Encryption  384
CREDANT Encryption Support, Offline Scenario  387
Customer Service  534
Customizing a Report  415, 428, 430
Cyclical Redundancy Check (CRC)  520
D
Datamarks  399
Dates  402
Decrypted Block  320
Deleting a Filter  137
Deleting Items  128, 357
Deleting Partitions  249
Destination Page of the Copy/UnErase Wizard  281
Determining Local Mailbox Encryption  318
Device Configuration Overlay (DCO)  520
Disabling Microsoft Windows Vista User Account Control  41
Disk Configuration Set Acquired as One Drive  224
Disk Configurations Acquired as Separate Drives  225
Disk Encryption Support  378
Disk Slack  520
Displaying Expanded Tree Entry Information  119
Displaying Tree Entry Information for One Branch  118
Document Incident  476
Doing a Crossover Cable Preview or Acquisition  55
Doing a Drive to Dr
Open a Case  173
Opening and Closing Folders with Expand/Contract  116
Opening the Acquisition Wizard  203
Options  514
Options Page  200
Options Page of the Copy/UnErase Wizard  279
Organizing Bookmarks  425
Overview  177
Overview of Case Structure  151
P
Package Features  498
Package Panel  499
Packages  498
Pane  523
Pane Features  86
Pane Tab Bar and Pane Tab Bar Menu  87
Panes  82
Panes and their Specific Tabs  98
Panes as Separate Windows  84
Panes in the Analysis Cycle  83
Guidance Software
Parsing a Locally Encrypted Mailbox  318
Performing a Crossover Cable Preview or Acquisition  219
Performing a Drive to Drive Acquisition Using LinEn  213
Performing a Search  352, 366
Performing a Signature Analysis  329
Performing Acquisitions with LinEn  49
Physical Disk Emulator (PDE)  523
Physical Restore  251
Physical vs Logical Restoration  250
Picture  401
Port  523
Preparing the Target Media  250
Preview Devices Page of the Add Device Wizard  189
Previewing  181
Previewing the Content of a Device  182
Professional Services  535
Prompt for Value  270
Properties Panel  500
Q
Queries  145
Querying an Index Using a Condition  361
Querying the Index for Non-English Content  468
Quick Entry Report  446
Quick Snapshot  481
R
RAID 10  226
Raw Image Files  179
Reacquiring an Evidence File  229
Reacquiring Evidence
Using a Write Blocker  210
Using Bookmarks  415
Using EnCase Tools  507
Using LinEn  45
Using Snapshots  180
Using the Dixon Box  121
Using the Snapshot DB Reports Dialog  264
V
Validating Parity on a RAID 5  226
Verifying Evidence Files  513
View Menu  66
View Pane  96, 292, 525
View Pane Menu  74
View Pane Tabs  106
Viewer File Type Dialog  289
Viewing a Bookmark on the Table Report Tab  415, 428, 429
Viewing a Bookmark Report  440
Viewing Attachments  367, 368
Viewing Base64 and UUE Encoded Files  312
Viewing Compound Files  293
Viewing Compressed Files  298
Viewing Fewer Columns  146
Viewing Fewer Rows  147
Viewing File Content  273
Viewing File Structure  293
Viewing Files  274
Viewing Hash Search Results  338
Viewing Lotus Notes Files  299
Viewing Macintosh pax Files  307
Viewing More Columns  146
Viewing More Rows  147
Viewing MS Exchange Files  299
Viewing MS Outlook Email  306
Viewing Non-Unicode Files  471
Viewing Office 2007 Documents  310
Viewing OLE Files  297
Viewing Outlook Express Email  303
Viewing Record Search Hits  354
Viewing Registry Files  295
Viewing Search Hits  355
Viewing Signature Analysis Results Part 1  330
Viewing Signature Analysis Results Part 2  331
Viewing the File Signature Directory  325
Viewing the License for LinEn  46
Viewing Unicode
[Hex view of a JPEG file header: APP1 "Exif" segment, little-endian TIFF header "II*", IFD entries with Make "Canon", Model "Canon PowerShot G2", DateTime "2002:04:25 01:52:46", then the EXIF sub-IFD beginning with ExifVersion "0210"]
[Hash results dialog]
5. Select one of the following output formats:
   - Console writes the results in the Console tab.
   - Note writes the results as a note bookmark.
   - Log Record writes the results as a log record bookmark.
6. Click OK.

Logical Evidence Files
A Logical Evidence File (LEF) contains a collection of individual files, typically copied from a subject computer when previewing. As you examine digital evidence, some of the evidence is more significant to the intent of the investigation. During the analysis of the EnCase evidence file, various searches are performed to find these significant files. By copying these significant files into a logical evidence file, you can access them without dealing with the large volume contained in an EnCase evidence file. Dragging and dropping a LEF anywhere on the EnCase interface adds the LEF to the currently opened case.

Create Logical Evidence File Wizard
Use the Create Logical Evidence File wizard to create logical evidence files associated with the currently opened case. Before a logical evidence file can be created, open the case associated with it and select the files you want to acquire. The Create Logical Evidence File wizard contains the following pages:
- Sources page
- Outputs page
[Create Logical Evidence File dialog]
[Text view of a Base64-encoded file: the encoded content decodes to a JFIF/JPEG image carrying a Photoshop "8BIM" block and the string "File written by Adobe Photoshop"; the right-click menu offers Select All and Find]
[Users page: Users tree listing users such as John Doe and keymaster, a Password field, and Cancel]
Password captures the user password.
User contains the Users tree, listing users' private keys and any subfolders in the current root path. A valid user has a matching public key in the SAFE they log on to.
Root User Object provides additional functionality through a right-click menu, including:
- updating the list of users displayed
- changing the root path
- commands that expand or collapse the Users tree
User Objects provide additional functionality through a right-click menu, including updating the list of users displayed and changing the root path.

Users Right-Click Menu
The Users right-click menu provides additional functionality. The menu displays from the Users tree on the Users page:
- Update (Ctrl+U)
- Change Root Path
- Expand/Contract (Space)
- Expand All
- Contract All
The Update command updates the Users tree display. When a user's private key is added to the default C:\Program Files\EnCase6\Keys folder, or to any other folder specified by the current root path, the tree does not immediately display the new user. The new user appears when the wizard is opened again or when the Users tree is updated.
Use the Change Root Path command to specify a folder, other than the default folder, that contains the private keys of users. Specify the root path in the Browse for Folder dialog. The Users tree contains only those users
[Hex view continued: EXIF sub-IFD entries including FlashPixVersion "0100", DateTimeOriginal and DateTimeDigitized both "2002:04:25 01:52:46", followed by zero padding]
148. Acquisition in LinEn
1. To acquire or preview a local drive: a. Select the Local object in the Sources tree. b. Click the checkbox for Local Drives in the Table pane.
2. To acquire or preview a Palm Pilot: a. Select the Local object in the Sources tree. b. Connect the Palm Pilot and set it to console mode. c. Click the Palm Pilot checkbox in the Table pane.
3. To acquire or preview a network crossover: a. Select the Local object in the Sources tree. b. Start the LinEn crossover connection acquisition. c. If appropriate, connect the crossover connection. d. Click the Network Crossover checkbox in the Table pane.
4. To add evidence files to the case file, select Sessions. The Sessions Sources page appears after clicking Next.
5. Click Next. If Sessions was selected, the Sessions Sources page appears; otherwise the Choose Devices page appears.
Completing the Sessions Sources Page: After the Sources page of the Add Device wizard is complete, the Sessions Sources page appears. Before you begin: open the case; complete the Sources page in the Add Device wizard; select Sessions. You can drag and drop an evidence file from Windows File Explorer to this page.
1. To add a list of evidence files: a. Click Add Text List. b. Enter the path and filename for each evidence file to be added using the list. c. Click OK.
2. To add a single evidence file using a file browser: a. Click Add Evidence File. b. Browse to or enter the path and
149. [Screenshot of the Entries table listing image files (among the readable names: BACK.JPG, KSHIFT.JPG, microprinting.jpg, linesmoire.jpg, new100back.JPG, bogusbill.jpg, bogusbill1.jpg, bogusbillstamped.jpg, BINION.GIF, Fedreserveandtrea..., portrait1.jpg, ORDER.JPG, serialnumbers.jpg) with Deleted Files, Is Deleted, file date and entry date columns; not recoverable as a table.]
150. Contents (viii)
Exchange Server Synchronization 303
Cleaning an EDB Database 304
Testing an EDB File 305
Recovering a Database 306
Repairing a Database 306
Viewing Outlook Express Emails 307
Viewing MS Outlook Email 310
Viewing Macintosh .pax Files 311
Viewing Windows Thumbs.db 313
America Online .art Files 314
Viewing Office 2007 Documents 315
Viewing Base64 and UUE Encoded Files 316
NTFS Compressed Files 318
[illegible entry] 318
Bookmarking an Image 319
Reducing the Number of Images Per Row 320
Increasing the Number of Images Per Row 320
Clearing the Invalid Image Caches 321
Lotus Notes Local Encryption Support 321
Determining Local Mailbox Encryption
151. [IBM Domino Administrator screenshot: Server tab, Tools menu (Messaging, Replication, Directory, Policies, Web, Monitoring Configuration, Health Monitoring, Cluster, Offline Services, Certificates, Miscellaneous, Extract Recovery Password, Registration, Policies, Hosted Org, Server, DB2 Server).] 3. Click OK. The password ID list appears. [Choose ID File to Recover dialog, listing .id files in the people folder, e.g. cstrong.id, ctheodore.id, gwashing.id; selected file dated 04/18/2007 05:08:14 PM, 5594 bytes.] 4. Click OK. The recovery password appears: "Recovery information created on 02/08/2006 10:29:09 AM. Recovery information accepted on 04/18/2007 05:08:14 PM. Your recovery password is 0f42d127d0aa2e4c." 5. Click OK and define users authorized to generate recovery passwords. Disk Encryption Support: This feature provides the ability to view and parse encrypted disks and files protected by PC Guardian Edge Encryption Anywhere, PC Guardian Edge Encryption Plus, or Utimaco SafeGuard Easy, on both 32- and 64-bit systems. After previewing the encrypted
152. DriveSpace Volume 227
Acquiring a Local Drive 209
Acquiring a Palm Pilot 215
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) 53, 210
Acquiring Disk Configurations 221
Acquiring Firefox Cache in Records 228
Acquiring in Windows Without a FastBloc Write Blocker 213
Acquiring Non-local Drives 219
Acquiring SlySoft CloneCD Images 226
Acquiring Virtual PC Images 226
Acquisition Results Dialog 202
Acquisition Times 219
Acquisition Wizard 194, 366
Add Device 166
Add Device Wizard 182
Add Note Bookmark Dialog 404
Adding a Device 188, 189
Adding a File Viewer to Your EnCase Application 288, 290
Adding a New File Signature 327
Adding Keywords 340, 343
Adding Partitions 247
Adding Raw Evidence Files 230
Additional WinEn Information 270
After Acquisition Page 195
Alternative Report Method 443
America Online .art Files 310
Analyzing and Searching Files 323, 490
AND/OR Filter Logic 135
App Descriptors 372
ASCII 519
Associating Code Pages 471
Associating the File Viewer's File Types with the Viewer 288, 291
Authentication 381
Auto Fit 76
Auto Fit All Columns 125
B
Bookmark 519
Bookmark Content Data Types 400
Bookmark Data Dialog for Files 406
Bookmark Data Dialog for Highlighted Data Bookmarks 400
Bookmark Editing Dialogs 417
Bookmark Features 399
Bookmark Folder Information Structure Dial
153. [truncated entry] 290
Completing the Destination Page 290
Copying and Unerasing Bookmarks 290
Copying Folders 291
[illegible entry] 292
File Viewer Features 292
New File Viewer Dialog 293
Viewer File Type Dialog 293
Adding a File Viewer to Your EnCase Application 294
Associating the File Viewer's File Types with the Viewer 295
[illegible entry] 296
Viewing Compound Files 297
Viewing File Structure 297
Viewing Registry Files 299
Viewing OLE Files 301
Viewing Compressed Files 302
Viewing Lotus Notes Files 303
Viewing MS Exchange Files 303
En
154. that includes the contents of all mounted files; creating a keyword search of the targeted files. All files having at least one keyword hit will be mounted persistently, and their corresponding search hits display in the Search Hits tab. Certain Microsoft Office documents are considered compound files. You can parse their metadata and search it; for example, you can locate and bookmark Microsoft Word document metadata (edit times, page numbers, word counts, etc.). File Mounter bookmarks Authors as text and Edit Times as dates. [File Mounter dialog, Keyword Search on Mounted Files: Search files using keywords; Keyword Options: Run over selected files only, Mount Persistent; File Types: Gzip, pst, TAR, Thumbs.db, zip, 2K/XP Reg, 9x/ME Reg; Keywords: credit cards, Internet, IP Addresses; Search: ANSI Latin 1, Both; Case Sensitive, GREP; Find Files By: Signature, Extension; Output Options: Create LEF, Make LEF, LEF Path, Bookmark Folder Name, Log Folder name.] Include EnScript: The Include folder contains common program code shared by other, higher-level EnScript components. These scripts are not executed independently; they are meant to be used (included) in other scripts. Right now there are nearly 100 include files in this
155. EnCase Forensic Version 6.11 User's Guide. Guidance Software. Copyright 2008 Guidance Software, Inc. All rights reserved. EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. No part of this document may be copied or reproduced without the written permission of Guidance Software, Inc. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation, to the owners' benefit, without intent to infringe. Any use and duplication of this material is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, scanning, or otherwise). Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated manuals and product release information, contact Guidance Software, Inc. at http www guidance
156. To remove the association, clear the check box. [Screenshot of the Entries table (entries 37 through 48) with Code Page, File Ext, File Type, File Category and Signature columns, shown twice above the Console/Details/Output/Lock/Codepage tabs; not recoverable as a table.]
157. [Tree pane tabs: Encryption Keys, EnScript, File Signatures, Keywords; Home, Entries, Bookmarks, Search Hits, Devices, Secure Storage, Keywords, Additional Fields.] There are two ways to implement Auto Fit: click View > Auto Fit, or right-click in the pane and select Auto Fit. Tools Menu: The Tools menu provides commands to perform analytical operations. [Tools menu items: Index Case (Ctrl+I), Webmail Parser, Search, Logon, Wipe Drive, Verify Evidence Files, Create Boot Disk, Mount as Network Share Client, Write block IDE channel, Write block USB/Firewire/SCSI drive, Options, Next Location (Ctrl+Down), Prev Location (Ctrl+Up), Refresh (F5).] Index Case opens the Index Case dialog, where you include or exclude files in the indexing process. You can select a noise file, which is a list of stop words (words that will not be indexed). Webmail Parser opens the Webmail Parser dialog, where you select the webmail vendors whose account files are to be parsed. Case Processor starts the EnScript Case Processor script. You can also start it by opening the Forensic and Enterprise trees in the Filter pane and double-clicking it. The shortcut hot key to start it is Alt+P. Sweep Enterprise starts the Sweep Enterprise EnScript script. You can also start it by opening the Forensic and Enterprise trees in the Filter pane and double-clicking
158. File Path contains the path and filename of the logical evidence file where the selected files will be added. The Outputs Page of the Create Logical Evidence File Wizard: Use the Outputs page of the Create Logical Evidence File wizard to specify the metadata and output attributes of the logical evidence file to be created. Name contains the name of the logical evidence file to be created. Evidence Number contains the investigator's evidence number for the logical evidence file to be created. File Segment Size contains the file segment size of the logical evidence file to be created. Compression contains controls that determine the compression used when creating the logical evidence file: None means no compression is used; Good means good compression is used, producing a logical evidence file that is smaller than with no compression but larger than with best compression; Best means best compression is used, producing a logical evidence file that is smaller than one created with good compression. Output Path contains the path and filename of the logical evidence file to be created. Creating a Logical Evidence File. Before you begin: open the case associated with the logical evidence file to be created in EnCase.
159. [Search dialog options: File signatures, Identify codepages, Search for internet history, Comprehensive Search.] These fields are added to the Browser Cache Type field: Audio, Video, XML, Text. Internet Searching: The search engine can search evidence files for various Web artifact types. The Internet search feature can search Internet Explorer, Mozilla Firefox, Opera, and Safari. Use the search dialog for Internet searching; results are viewed on the Records tab. For information on that procedure, see Searching Entries for Email and Internet Artifacts and Viewing Record Search Hits. Performing a Search: You can search an entire case, an entire device, or an individual file or folder. For example, when searching for information in unallocated space (such as a file header), select Unallocated Clusters to avoid having to search the entire case. 1. Click the Search button on the tool bar. The Search form appears. 2. Complete the dialog and click Start. See Search Options on page 357 for help completing the search dialog. Search Options: You can use a number of options to customize a search. [Search dialog: Search Selected items only (829 Entries, 0 Records); Keyword Search Options: Search entries and records for keywords (10 keywords); Email Search Options: Search for email; Hash Options: Compute hash value; Additional Options: Verify file signatures, Identify codepages, Search for internet
160. Files 470
Viewing Windows Thumbs.db 309
Virtual File System (VFS) 525
Virtual Machine 526
Vista Examiner Support 40
VMWare 526
W
Web Mail Parser 365
Webmail Parser 491
When to use a Crossover Cable 219
Windows 403
Windows NT Software Disk Configurations 222
Windows-based Acquisitions with a non-FastBloc Write Blocker 213
Windows-based Acquisitions with FastBloc Write Blockers 211
WinEn 18, 266
Wipe Drive 510
Working with Evidence 177
Working with Non-English Languages 403, 451, 452
Write Blocker 526
161. [Search Expression tab of the New File Signature dialog, with the GREP legend (the symbols themselves were lost in extraction): any number 0-9; repeat zero or one time; repeat at least once; A through Z; repeat zero times; either x or z; neither x nor y nor z; literal character; group ab together; repeat m to n times; either a or b. Case Sensitive; GREP; View. Example search expression: 4D 50 33.] 3. Select the Search Expression tab (the default display) and enter the search expression in the Search Expression field. 4. Give the file signature a descriptive name. 5. Select Case Sensitive if appropriate. 6. Click the Extensions tab and enter the file's three-letter extension. You can enter more than one file extension by separating them with a semicolon. [New File Signature dialog, Extensions tab: delimiter field; extension mp3.] Add the suffix _ to the file extension to include it in Vista Shadow Directories. It looks like this: extension_ 7. Click OK. The file signature is added to the table. Editing a Signature: Use this procedure to edit an existing file signature. 1. Click View > File Signatures. The file signature category list appears in the Tree pane. When you select a category, its signature contents appear in the Table pane. 2. Right-click a signature in the Table pane and select Edit. An Edit [selected signature name] dialog appears. [Edit Rencode Software
162. [Screenshot of the Records table (Name, Subject, To, date and sender columns) listing email records such as "RE: search results", "RE: Tony Balzanto", "fyi physical location", "RE: Guidance Softw...", "RE: Nicolas Fausett", "Builds" and "nightly report", dated May 2003, from senders including Sharren Redmond, Dave Morris, QA Team and Brian Kettering; not recoverable as a table.]
163. http://knoppix.com website. LinEn Set Up Under SUSE: You must already have SUSE installed on your Linux machine.
1. Copy the LinEn executable from C:\Program Files\EnCase6 on your Windows machine to the desired directory (/usr/local/encase) on your Linux machine.
2. Open a command shell on your Linux machine.
3. Enter chmod 777 /usr/local/encase/linen. This changes the permissions on the LinEn executable so that it can be executed by everyone. Note that mode 777 also makes the file writable by every user; mode 755 is enough for it to be executable by everyone.
4. Close the command shell.
5. Click Main Menu > System > Configuration > YaST. YaST (Yet Another Setup Tool) is used to configure various settings for your Linux operating system.
6. Open the Runlevel Editor.
7. Ensure that autofs is disabled.
LinEn Set Up Under Red Hat: You must have Red Hat installed on your Linux machine.
1. Copy the LinEn executable from C:\Program Files\EnCase6 on your Windows machine to the desired directory (/usr/local/encase) on your Linux machine.
2. Open a command shell on your Linux machine.
3. Enter chmod 777 /usr/local/encase/linen. This changes the permissions on the LinEn executable so that it can be executed by anyone.
4. Close the command shell.
5. Click Main Menu > System Settings > Server Settings.
6. Ensure that autofs is disabled.
Performing Acquisitions with LinEn: The EnCase LinEn utility provides the following methods of acquiring evidence from a subject
164. Index Case Management 167. Role Page of the New Case Wizard: The Roles page of the Login wizard associates the case being created with a role. Roles are established by the administrator. Note: Care should be taken here, because once a role is selected for a case it cannot be changed. [Roles tree: All Access, No search, Access Subnet.] Roles contains the Roles tree, which organizes the roles available to the user. Select the role associated with the case being created from the Roles tree. Case Options Page of the New Case Wizard: The Case Options page of the New Case Wizard is where you enter the name of the case, the examiner's name, and paths to folders associated with the case. [Case Options dialog: Name, Examiner Name, Default Export Folder (C:\Program Files\EnCase6\Export), Temporary Folder (C:\Program Files\EnCase6\Temp), Index Folder (C:\Program Files\EnCase6\Index); Back, Cancel.] Name contains the name of the case associated with the case options set on this tab. The case name is used as the default filename when the case is saved; you can change this filename when you save the case. Examiner Name is the name of the investigator. Default Export Folder contains the path to and name of the folder where files are exported. Temporary Folder contains the path to a
165. Logical File Only: Copy/UnErase is performed on the logical file only, which does not include the file slack. Entire Physical File: Copy/UnErase is performed on the entire physical file, which includes the logical file and file slack. RAM and Disk Slack: Copy/UnErase is performed on both the RAM and disk slack. RAM Slack Only: Copy/UnErase is performed on the RAM slack only. Character Mask contains settings that determine what characters are written into the file or files created by the Copy/UnErase operation. None: No characters are masked or omitted from the filenames of the resulting files. Do not Write Non-ASCII Characters: Non-ASCII characters are masked or omitted from the filenames of the resulting files; all characters except non-ASCII characters are used. Replace NON-ASCII Characters with DOT: Non-ASCII characters are replaced with periods in the filenames of the resulting files. Show Errors: The application queries the user when errors occur. This prevents unattended execution of the copy and unerase operation. Destination Page of the Copy/UnErase Wizard: The Destination page of the Copy/UnErase wizard determines where the output of the copy and unerase operation is saved, how many files will be created when a file to be output grows too large, whether the initialized size is used, and the destination folder containing the output of the copy and unerase operation. [Destination page dialog: Copy 1 Files, 76 bytes.]
166. [App Descriptors view: Tree pane with machine profiles (AIX, Mac OS X, NetWare, Solaris, Windows) and ELF Files; Table pane listing descriptors such as aixmibd, biod and cron.] 2. Right-click a folder in the Tree pane or a file in the Table pane and click New. A New App Descriptor dialog appears. [New App Descriptor dialog: Name iTunes; Comment "Shipping with OS X 10.4.8"; Hash Value k435jk45j64h56g4567gjkh56g7jk567; Machine Profiles: aix 5.3, MacOSX 10.4.8, Netware 5.1 SP8, NetWare 6 SP5, Netware 6.5 SP5, RedHat ws 3.0; OK, Cancel.] 3. Complete these fields: Name is mandatory and is typically the name of the working file. Comment is an optional field for investigator comments. Hash Value is mandatory and must be entered manually; it contains the hash value of the selected file. 4. Select the machine profile in which to place the new app descriptor and click OK. This method requires manual entry of the hash value for each and every new app descriptor. A far better and more efficient method is to use an EnScript progra
167. VMware File (VMDK); Logical Evidence File (L01); Virtual PC File (VHD). Sources Tree organizes the folders used to contain the evidence files, added either as batch file lists or as individual files. You can organize the folders in this tree hierarchically as desired. Sources Root Object contains the default folders, and folders added by the user, that organize the evidence files added (or to be added) to the Sources tree. Right-click menu commands for this object let you: add a new folder as a child; expand or collapse the subordinate tree. Any child objects of this object on the tree appear as entries on the Table pane. The children of this object can be organized hierarchically by dragging and dropping folders into each other. Current Selection is a default child of the Sources root object. It contains any evidence files added to the Sources tree during the current session (invocation) of the Add Device Wizard. The next time the Add Device Wizard is opened, the evidence files listed here are moved to the Last Selection folder and this folder is emptied. The right-click menu on this object lets you: delete this object; rename this object; add a new folder as a child; expand or collapse the subordinate tree. Any child objects of this object appear as entries on the Table pane. You can organize the children of this object hierarchically by dragging and dropping folders into each other. Last S
168. Name. 3. Right-click, or press Ctrl+E, then select Exclude from the menu. The display reappears, but the selected file is not displayed. Exclude Folder: In Bookmarks view, the Tree pane displays the bookmark folders you have created for an open case. You can prevent bookmarked folders from being displayed in the Table pane using the Exclude Bookmarks feature. Before running this option, bookmarks must have been created in the open case. Exclude an entire folder of bookmarks as follows: 1. Select (blue check) or highlight a folder. Contents of the folder (scal.local 01/07/08 in the illustration) appear checked in the Table pane. [Bookmarks tree: Jay's Bookmarks, Currency Documents, Pipe Bomb Data, scal.local 01/07/08.] If you blue-check the folder as shown in the illustration above, then open that folder, you'll see that the entire contents are selected, as below. [Table pane columns: Bookmark Type, Excluded, In Report, Notable, Comment; entries: File Report; HTML Carver (HTML Files with Keywords); Snapshots (Snapshot).] 2. Right-click the folder you selected in the Tree pane. A menu appears. [Menu: Copy (Ctrl+C), Show Excluded, Show Deleted, Del
169. [Screenshot of a test case's Entries tree (EnScript test folders including Decoding Test, Indexing, Internet search and Keywords) beside an email view whose body reads "This is an email with attachments. Regards, Richard"; the rest is not recoverable as text.] EFS Files and Logical Evidence (L01) Files: To decrypt an encrypted EFS file you need the following: The EnCase EDS module. The EFS stream; this is essential, since it contains the decryption key. A matching unencrypted private key; this can be the recovery agent's key or a user's key. File slack might be needed if the file size is not a multiple of 16, because files are decrypted in 16-byte chunks. For example, a 17-byte file needs 15 bytes of slack in order to decrypt the last chunk; otherwise only multiples of 16 are decrypted. In EnCase version 6.11 there are different scenarios from prior versio
170. [EnScript folders: Examples, Forensic, Include, Information Assurance.] You can separate each pane from the main window and display them as individual windows. Panes in the Analysis Cycle: Panes drive and organize the evidence analysis cycle. The evidence cycle is where you define your investigation of acquired evidence. Analysis of evidence is cyclical because
171. a. Open C:\Program Files\CREDANT\CMG Enterprise Edition\Server\Web Interface\5.4\conf\context.properties. b. Enable the Forensic Administrator type (admin type forensic true). c. From the Start menu, stop and restart the server Web interface. The new role shows in the place where you configure administrator accounts. S/MIME Encryption Support: The EnCase S/MIME Encryption Support provides the ability to decrypt S/MIME encrypted emails found in PST files. Email sent or received with the file extensions .pst, .mbox and .edb supports the S/MIME PKCS #7 standard. The mail attachment must meet the PKCS #12 standard, and you must have PFX certificates installed. PST, EDB and MBOX mail containers are supported. To decrypt S/MIME data: 1. Open or create a case and enter Secure Storage. 2. Right-click on a folder in the left pane. A drop-down menu displays. [Secure Storage right-click menu: Dictionary Attack, Analyze EFS, User List, Enter Items, Set Included Folders (Num), Include Sub Folders (Shift+Num), Include Single Folder (Ctrl+Num).] 3. Select Enter Items. The Enter Items dialog displays. [Enter Items dialog fields: User password, Syskey, Password Recovery Disk, Pr
172. Or you can select the file in the Entries table, then select View > Cases Sub-Tabs > Entries Sub-Tabs > Permissions to display the Permissions in the Table pane. References is the number of times the file has been referenced in the case; for example, if you bookmark a file three times, the references column shows that. Physical Location is the number of bytes into the device at which that unallocated cluster begins. The program organizes device unallocated clusters into one virtual file; it reads the file system's File Allocation Table (FAT) or the NTFS Bitmap to create this virtual file. This allows the examiner to efficiently examine unallocated clusters. Physical Sector lists the starting sector where the item resides in unallocated space. Evidence File is the name of the root evidence file where the entry in the table resides. File Identifier is a file table index number stored in the master file table; it is a unique number allocated to files and folders in an NTFS file system. Code Page is the character encoding table upon which the file is based. Hash Value displays the hash value of every file in the case; you must run the Compute Hash Value command to generate this information. Hash Set displays the hash set to which a file belongs; if no hash sets are created or imported, the column is unpopulated. Hash Category displays the hash category to which a file belongs. If no hash sets are created or import
The decryption algorithm uses a seed that is based on the basic seed from the header and the block offset.

Decrypted Block

Here is an example of a decrypted object map at offset 0x22000.

[Figure: hex dump of the decrypted block at address 0x02C8CB44, 16 columns]
1. Select the filter.
2. Right-click it and select Edit. The edit wizard opens in the Table pane.
3. Right-click the property and select Edit to see the Edit Term wizard.
4. Make the selected changes and click OK.

Running Conditions

To run conditions, double-click them, select an item and run the script against it, or right-click and select Run. The example below shows the Table pane before a filter is run.

[Figure: Table pane before a filter is run]

Three rows are selected: 7, 10 and 17. Note the blank Filter column. Running a condition changes the display in several ways. First, the top tab menu displays the condition name and display tabs. Notice the sign on both icons in the figure below.

[Figure: tab menu showing the mySelectedFiles condition and Display tabs]

The second change is that files to which the filt
Sector
A subdivision of a track of a magnetic hard disk or optical disc. A sector stores a fixed amount of data; a typical sector contains 512 bytes.

Secure Authentication For EnCase (SAFE)
The SAFE (Secure Authentication For EnCase) is a physically and logically secured server that authenticates all users and controls all access to the network devices.

Security Key
A uniquely programmed hardware key, sometimes referred to as a dongle, that identifies a user to EnCase software and enables access to its features.

Servlet
Servlets are EnCase services running on network workstations and servers that provide bit-level access to the machine where they reside.

Signature
See File Signature.

Slack
See Disk Slack and File Slack.

Snapshot
A representation of a live, running machine, including volatile computer data such as currently logged-on users, registry settings and open files.

Spyware
Refers to a broad category of malicious software designed to intercept or take partial control of a computer without the informed consent of that machine's owner or legitimate user. While the term, taken literally, suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

Steganography
The art and science of writing hidden messages in a way that no one except the intended recipient knows of the existence
[Figure: Storage Paths tab showing the default paths for App Descriptors, Projects and Machine Profiles]

The picture shows storage path default settings. You can change the index cache and backup folders by entering a new path or by navigating to and selecting the desired folder. In the ini files box, you can change an ini folder's location and select whether it is writable.

Sharing Configuration Files

Customization can be shared among investigators assigned to an investigation. Each of these INI files is populated by customizations the investigator makes while searching for evidence. The keyword and file signature files may be of particular interest. These case elements are distributed by sharing INI files. The application must be installed on the recipient machines.

To share startup files:
1. Click Tools > Options > Storage Path. The Storage Path tab of the Options dialog displays.
2. Double-click the row containing the desired INI file. The Edit ini file name dialog opens, containing the path to the ini file.
3. To navigate to the INI file, copy the path to the INI file and paste it into Windows Explorer.
4. Copy the file and distribute it as desired.

Vista Examiner Support

EnCase must run as an administrator in order to access the local Vista computer
[Figure: Case Time Settings report showing the Daylight Saving Time and "Convert all dates to correspond to one time zone" options and three sample entries]

The report displays in the Report panel of the Table pane.

Creating an Additional Fields Report

The Additional Fields panel is available when you select the Records panel. Data in the additional fields varies depending on the type of data contained in the record. Your EnCase application is open and you have a case created with evidence in it.

Open a case containing evidence.
1. Click the Records panel to make the Additional Fields panel available.
2. In the Table pane, select the entry where you want to view additional fields.
3. Click the Additional Fields panel in the Tree pane.

Note: Additional fields are only available on entries showing
[Figure: View menu showing the Cases Sub Tabs, Table Pane, View Pane and Filter Pane submenus, Close Tab (Ctrl+F4), Show Name, Previous Tab (Ctrl+Shift+Tab), Next Tab (Ctrl+Tab) and Auto Fit]

Pane Features

Use pane features while working with panes and their tabs. Each pane can display these features:
- Tabs and tab bar
- Scrollbar in the tab bar for a resized pane
- Controls in the tab bar
- Grab handle

Figure 10: Pane Features, where 1 is a View pane, 2 is the current tab, 3 is the tab bar, 4 is the scroll icon for navigating the tab bar so that the tab you want to use can be displayed, 5 is the drag handle used to drag the pane out of the main window so it appears in a secondary window, and 6 are commands controlling the tab bar.

Each pane contains one or more tabs. As the main window is resized, the tab toolbar resizes correspondingly. When a pane is resized to a size not as wide as its toolbar, the tabs are hidden and a scroll icon appears. The scroll icon lets you scroll to the right or left so you can view the hidden tabs. You can wrap the tabs rather than having them hidden by using AutoFit on the right-click menu of the tab toolbar. The tab toolbar may c
[Figure: Sources tree showing Local, Local Drives, Evidence Files, Palm Pilot and Network Crossover sources]

- Floppy drive
- Palm Pilot
- Removable media
- Hard drive
- Another computer

The device types appear as entries in the Table pane when the object is selected. Right-click menu commands for this object determine how to:
- Expand or collapse objects in the Sources tree
- Select various objects in the Sources tree

Evidence Files Folder Object contains folders added as source folders containing evidence files. The Table pane displays the same folders as the tree. The right-click menu commands for this object let you:
- Add folders
- Determine which objects appear in the Sources tree
- Determine which entries are shown in the Table pane when the object is selected

Evidence Folder Objects represent each folder added as a container of evidence files. As leaf nodes of the tree, the evidence files do not show in the tree, but they do appear in the Table pane. The right-click menu commands for this object let you:
- Delete the folder where you opened the right-click menu
- Delete folders selected in the Sources tree
- Determine which objects appear in the Sources tree
- Determine which entries are shown in the Table pane when the object is selected

Table Pane displays the children of the curr
The Windows registry contains valuable data that provides a great deal of information about the setup of the subject computer. Registry files of Windows 95, 98, ME, NT 4.0, 2000 and XP computers can be mounted.

Windows 95, 98 and ME computers have two registry files. They are located in the system root folder, which is normally C:\Windows. The filenames are system.dat and user.dat.

Windows NT 4.0, 2000 and XP divide the registry into four separate files. They are:
- Security
- Software
- SAM
- System

These files are stored in %SYSTEMROOT%\system32\config.

[Figure: right-click menu on NTUSER.DAT in the Entries tree showing View File Structure; the prompt reads "This file has a NTRegistry signature. Continue parsing?"]
This does not delete the filter; it only turns its display effects off.

Combining Filters

You can run multiple filters and combine filters with conditions and queries. To do this, run more than one filter. Running multiple filters uses OR logic to select files, so the table shows both deleted and selected files. Any entry that responds to any active filter, condition or query appears. The first figure shows a filtered list with one filter run against it.

[Figure: filtered list with columns Name, Filter, Is Deleted, Last Written and File Created; rows matched by the Deleted Files filter are marked in the Filter column]
[Figure: Bookmarks tab right-click menu showing Edit, Add Note, Delete, Delete All Selected (Ctrl+Delete), Tag File (Ctrl+T), Rename (F2) and Show Columns]

To edit a bookmark:
1. In the Bookmark panel in the Table pane, right-click the desired bookmark and click Edit. The appropriate edit dialog appears.
2. Edit the content in the edit dialog.
3. Click OK.

Bookmark Editing Dialogs

These dialogs let you edit existing information entered when the bookmarks were created. However, for bookmarks that were created automatically, you can only enter or modify information once.

Note: File group bookmarks cannot be edited.

These editors are not necessarily the ones used to modify the data in the columns of the Bookmarks table on the Bookmarks panel of the Table pane. The bookmark edit dialogs include:
- Edit Highlighted Data
- Edit Note
- Edit Folder Information Structure
- Edit Notable File
- Edit Snapshot
- Edit Log Record
- Edit Datamark

Folders contain
View pane displays the contents of the selected email or attachment. Deleted emails and attachments can be retrieved from unallocated clusters.

[Figure: Records tab showing the parsed contents of a .dbx file, the right-click menu, and the Attachments view]

1. Navigate to the dbx file you want to view or mount.
2. As needed, select Calculate unallocated space, then select Find deleted content.
3. Continue with step 2 of Viewing File Structure.

The file structure of t
WinEn driver to be renamed similarly.

CHAPTER 8 Viewing File Content

Viewing Files 278
File Viewers 292
View Pane 296
Viewing Compound Files 297
Viewing Base64 and UUE Encoded Files 316
NTFS Compressed Files 318
Gallery Tab 318
Lotus Notes Local Encryption Support 321

Viewing Files

Files parsed from device previews and acquisitions can be viewed in various formats. EnCase Enterprise supports viewing the following files:
- Text (ASCII and Unicode)
- Hexadecimal
- Doc (native formats supported by Oracle Outside In technology)
- Transcript (extracted content with formatting and noise suppressed)
- Various image file formats

The Doc pane and the Transcript pane use Oracle Outside In technology to display hundreds of different documents. This allows investigators to view documents without owning a copy of the application needed to view the contents. It also allows the investigator to bookmark an image of the contents inside a particular application, such as a database, or to bookmark exact text inside the document using a sweeping bookmark.

Beyond those formats supported by the EnCase applications, investigators can use third-party viewers to extend the range of files they can view. Once the investigator adds the viewer to their environment and associates file extensions with the viewer, the files of that type can be viewed.

Compound files contain o
Window

Begin using the EnCase application in the main window. The main window organizes the application's features. Features accessible from the main window are run from the system menu, the toolbar and various right-click menus. As the application runs, a status message displays in the status line at the bottom of the window.

The main window consists of a:
- System menu
- Toolbar
- Window containing panes
- Status line

Panes divide and organize the window and contain trees, tables and data in various representations.

Figure 4: The Main Window as it appears in EnCase Enterprise with an open case, where 1 indicates the system menu, 2 the toolbar, 3 a window pane and 4 the status line.

The menus, commands and icons displayed in the toolbar change depending on the context configuration of the application. The Logon and Logoff icons, for example, appear in enterprise-capable applications only. The Edit menu does not appear when the application is opened in acquisition
A license can be created independently of its associated package. The association with a package is made when you define the package.

To create a license for a package:
1. In the Package table in the Table pane, right-click the package and click Create License. The Create License dialog appears.
2. In License File, enter or browse to the path and filename.
3. In the Dongle List, enter the license keys.
4. In Major Version, select the appropriate version number.
5. In Expires, enter the expiration date of the package.
6. If you want to control the feature set used via this license, in the define field enter the defined names associated with the feature set.
7. Click OK, and then click OK again in the status message box.

Running a Package

Create and build a package. A license may be associated with the package as well.

To run a package:
1. Copy the created license file to C:\Program Files\EnCase6\Licenses.
2. Do one of the following:
   - Change the root folder of your EnScript folder to reflect the location of the package created.
   - Copy the created package to a folder in your current EnScript root folder, normally C:\Program Files\EnCase6\EnScript.
3. If a license is associated with the package, ensure that the installed security key matches the key(s) entered when creating the license. The EnScript program is now ready to run.
4. In the EnScript tree in the EnScript panel of the Filter pan
Keywords associated with the currently opened cases appear in the Cases > Keywords tab. The elements found in these trees have unique right-click menus. The Edit menu matches the right-click menu of the currently selected element or object.

Tree pane tabs and their sub tabs:
- App Descriptors: Home, Hash Properties
- Archive Files
- Cases: Home
- Cases > Entries: Home, File Extents, Permissions, References, Hash Properties
- Cases > Bookmarks: Home
- Cases > Search Hits: Home, Hash Properties
- Cases > Records: Home, Additional Fields
- Cases > Devices: Home, Acquisition Info, Sources, Subjects, Read Errors, Missing Sectors, Disk Elements, CRC Errors
- Cases > Secure Storage
- Cases > Keywords
- Encryption Keys
- EnScript
- EnScript Types
- File Signatures
- File Types
- File Viewers
- Hash Sets: Home, Hash Items
- Keywords
- Machine Profiles: Home, Allowed
- Packages
- Projects
- SAFEs: Home, Network, Roles, Users, Events
- Text Styles

Table Pane Tabs

The Table pane displays tabs that provide different views of the entries selected in the Tree pane. The context established by the entries in the Tree pane determines w
To create a folder structure bookmark:
1. Right-click the device or folder to bookmark and click Bookmark Data. The Bookmark Folder Structure dialog appears.
2. Accept the default settings or enter appropriate values.
3. Click OK.

You can now view the folder structure bookmarks in the Bookmarks table of the Table pane.

Creating a Notable File Bookmark

When you bookmark a single file, a notable file bookmark is created. Before you can create a notable file bookmark, one of the following is required:
- The Entries tree must display in the Entries panel of the Tree pane
- The Records tree must display in the Records panel of the Tree pane

To create a notable file bookmark:
1. For the file to be bookmarked, select the device containing the file.
2. In either the Entries table on the Entries panel of the Table pane or the Records table on the Records panel of the Table pane, select the row describing the file.
3. Right-click the row describing the file.
4. Click Bookmark Data. The Bookmark Data dialog for files appears.
5. Accept the defaults or modify the values displayed on the Bookmark Data dialog.
6. Click OK. The notable file bookmark is placed in the Bookmarks table of the Table pane.

Creating a File Group Bookmark

A file group bookmark is created if more than one file is selected in the Entries table
International Standards Organization (ISO) and the International Telecommunications Union Telecommunication Standardization Sector (ITU-T) are working to standardize different types of electronic data. Typical graphic file formats such as JPEG (Joint Photographic Experts Group) have been standardized by both organizations. When a file type is standardized, a signature or recognizable header usually precedes the data. File headers are associated with specific file extensions. Signature analysis compares file headers with file extensions.

File Signatures

File extensions are the characters, usually three, following the dot in a filename (e.g., signature.doc). They reveal the file's data type. For example, a .txt extension denotes a text file, while .doc connotes a document file. The file headers of each unique file type contain identifying information called a signature. All matching file types have the same header. For example, BMP graphic files have BM8 as a signature.

A technique often used to hide data is to attempt to disguise the true nature of the file by renaming it and changing its extension. Because a .jpg image file assigned a .dll extension is not usually recognized as a picture, comparing a file's signature, which doesn't change, with its extension identifies files that were deliberately changed. For example, a file with a .dll extension and a .jpg signature should pique an investigator's interest.

Note: The software performs the signature analysi
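The header-versus-extension comparison described above, as an added Python example (not EnCase's own code or its File Signatures table): a small constructed signature table, a header lookup, and a classifier that reports a match, an alias (the header belongs to a different type, the renamed .jpg-as-.dll case), a bad signature, or unknown. The table entries, the result names and the sample headers are all constructed for this example.

```python
"""Signature analysis: compare a file's header bytes with its extension.

Added example, not EnCase code. SIGNATURES is a constructed subset of
common magic numbers; a real examiner tool ships a much larger table.
"""

# Constructed table: extension -> acceptable header byte sequences.
SIGNATURES: dict[str, list[bytes]] = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],
    "dll": [b"MZ"],
}

# Alternate spellings of the same file type (constructed).
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg", "dib": "bmp"}


def extension_of(name: str) -> str:
    """Return the lower-cased extension after the last dot, or '' if none."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    ext = base.rsplit(".", 1)[-1].lower()
    return EXTENSION_ALIASES.get(ext, ext)


def types_matching(header: bytes) -> set[str]:
    """Return every extension whose registered signature starts the header."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(header.startswith(sig) for sig in sigs)}


def analyze(name: str, header: bytes) -> str:
    """Classify a file by comparing its header with its extension.

    match          header matches the signature registered for the extension
    alias          header matches a signature registered for another extension
                   (a renamed file, e.g. a JPEG saved as .dll)
    bad signature  the extension has a registered signature, but the header
                   matches none of the known signatures
    unknown        neither the extension nor the header is in the table
    """
    ext = extension_of(name)
    matched = types_matching(header)
    if ext in matched:
        return "match"
    if matched:
        return "alias"
    if ext in SIGNATURES:
        return "bad signature"
    return "unknown"


def run_demo() -> dict[str, str]:
    """Run the analysis over constructed sample headers (not real evidence)."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "holiday.JPEG": b"\xff\xd8\xff\xe1\x00\x18Exif\x00\x00",
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
        "kernel32.dll": b"MZ\x90\x00\x03\x00\x00\x00",
        "system.dll": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",  # JPEG renamed to .dll
        "logo.bmp": b"\x00\x01\x02\x03\x04\x05\x06\x07",    # not a BMP header
        "notes.txt": b"meeting at noon\n",                  # type not in table
    }
    return {name: analyze(name, header) for name, header in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16s} {verdict}")
```

Only the leading bytes of each file are needed, so on a real image the same check reads a short prefix of every entry rather than whole files.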
value for that bookmark is TRUE.

3. On the Table pane toolbar, click Report. The report appears in the Report panel of the Table pane.

[Figure: Report panel showing the bookmarks of the sample case, with each bookmark's file path, comment and highlighted text]
name and use the default path in My Documents, click Save.
3. You can also navigate to or enter a different filename and path and click Save.

Saving a Case and the Global Application Files

You can save the global application files containing preferences, conditions and filters in the locations specified in the Storage Paths tab of the Options dialog.
1. Click File > Save All. The Save dialog appears.
2. If you want to use the current file name and the default path in My Documents, click Save.
3. You can also navigate to or enter the desired filename and path and click Save.

Close Case

Protect the integrity of cases by closing them when they are not being worked on.
1. Save the open case.
2. In Tree view, place the cursor on an open case.
3. Click Close. Click Yes to close the case.

Note: Close is also available from the right-click menu.

CHAPTER 7 Working with Evidence

Overview 179
Supported File Systems and Operating Systems 182
Using Snapshots 182
Getting Ready to Acquire the Content of a Device 183
Acquiring 196
Remote Acquisition 235
Hashing 240
Logical Evidence Files 242
Recovering Folders 247
Recovering Partitions 250
Restoring Evidence 254
Snapshot to DB Module Set 260
WinEn 270

Overview

The EnCase application organizes digital evidence into an associated case. Digital evidence is previewed, then possibly acq
...and filename where the EnCase evidence file resulting from the acquisition is written.

Alternate Path contains the path and filename of an alternative destination volume where the EnCase evidence file is stored if the first location runs out of disk space.

Acquisition Results Dialog

This dialog displays while an acquisition is performed.

[Figure: Acquisition Results dialog, showing Status, Start and Stop times, elapsed Time, Name, Path, GUID and Acquisition Hash, with Console, Note and Log Record check boxes and a Cancel button]

Console sends the status messages displayed in the dialog to the Console tab of the view.

Note writes the contents of the status message into a bookmark note containing the device and EnCase evidence file being acquired.

Log Record adds the status messages displayed to a bookmark log record.

Opening the Acquisition Wizard

Before you begin:
- Open the case associated with the EnCase evidence file before you acquire an EnCase evidence file.
- The device from which the content is acquired must already be added to the case.

[Figure: main window tab bar showing Home, Entries, Bookmarks, Search Hits, Records, Devices, Secure Storage and Keywords, with the Table, Report, Gallery, Timeline, Disk and Code tabs]
...and the entries and objects it contains appear in the Table pane, where the entries can be selected for further analysis or exploration.

Checkbox enables you to select the entry or object without selecting the entries or objects it contains.

Category indicates the type of entry.

Name contains and displays the name of the entry or object. The name can be highlighted, which indicates that the entries or objects contained in the entry or object associated with the name appear in the Table pane. Clicking on any part of an entry or object highlights it.

Table Pane

The Table pane contains tabs that show you different aspects of the objects selected in the Tree pane. Selecting a tab determines the representation used. The Table tab of the Table pane displays information about these entries in a numbered table. Except for the Gallery tab, this information is descriptive rather than the actual content of the entries. You can view and further explore the content you select in the Table pane.

Figure 14. The Table pane lists the data from the object selected in the Tree pane, where (1) the tab toolbar contains tabs appropriate for the type of data you selected in the Tree pane, (2) the column headers show you the values you can use in the analysis (for example, a column header for files is File Type), (3) the numbered selection column is where you select the table entries to use in operations, and (4) a highlighted entr
...and then click New. The New Package dialog appears, displaying the Package panel.
3. On the Package panel, complete the settings and then click Properties. The Properties panel appears.
4. On the Properties panel, complete the settings and then click OK.

Once created, the package appears in the Packages table in the Table pane. The columns in this table contain the details entered in the New Package dialog.

[Figure: Packages table with the columns Name, Major Version, Minor Version, Sub Version, Source Path, Output Path, License Name, Secret Key and Code In Report]

Note: Creating a package does not produce the package file. To produce the package file, see Building a Package.

Editing a Package

1. In the Package table on the Table pane, double-click on the desired package. The Edit <package name> dialog appears.
2. Modify the settings as desired and click OK.

Note: If you want to change the code, you will need to first modify the EnScript code source file and then generate a new package file. You may want to alter the version numbers to reflect this.

Building a Package

1. In the Package table on the Table pane, double-click on the desired package. The Edit <package name> dialog appears.
2. Modify the settings as desired and then click OK. The package is now created in the output path specified.

Creating
...ane.
1. In the View pane, select the desired content.
2. On the highlighted content, right-click Bookmark Data. The Bookmark Data dialog for highlighted data appears.
3. Select the appropriate data type in the Types tree.
4. Enter the desired comment.
5. Click OK. The comment appears in the Comment column of the Bookmarks table.

Creating a Notes Bookmark

A note can contain up to 1000 characters. You can use a note to annotate a bookmark.

Before you begin:
- Create the desired bookmark.
- Verify the bookmark: it appears in the Bookmarks table in the Table pane.

[Figure: Bookmarks table with Add Note chosen from the right-click menu, which also offers Delete, Delete All Selected (Ctrl+Delete), Exclude (Ctrl+E), Exclude All Selected (Ctrl+Shift+E), Adjust Rows, Export, Tag File (Ctrl+T), Summary, Bookmark, Rename (F2), Show Columns, Column, Sort and Select Item (Space); a second view shows the resulting Note row in the table]

To create a notes bookmark: Add Not
...anel.

[Figure: User Account Control prompt from Microsoft Windows, with Details and Continue buttons: "User Account Control helps stop unauthorized changes to your computer"]

5. Click Continue.
6. In the Turn User Account Control On or Off window, clear the option for Use User Account Control (UAC) to help protect your computer, then click OK.

[Figure: User Accounts, Turn User Account Control On or Off window, with the check box "Use User Account Control (UAC) to help protect your computer"]

7. A message displays prompting you to restart your computer to apply these changes. Click Restart Now or Restart Later to close the User Accounts Task window.

[Figure: Microsoft Windows message: "You must restart your computer to apply these changes. Before restarting, save any open files and close all programs."]

Running a 32-bit Application on a 64-bit Platform

There are limitations in running a 32-bit application (for example, EnCase SAFE or Servlet) on a 64-bit platform. You will only get basic snapshot information, such as ports or processes. For full results, you must run the application on the correct platform.

Introduction 45
Viewing the License for LinEn 46
Creating a LinEn Boot Disc 47
Configu
...anize a Bookmarks Report

When several bookmarks are created, they appear in the bookmark report as selected by In Report in the Bookmarks table. Using folders is a way of selecting subsets of bookmarks to appear in the bookmarks report.

Before you begin:
- The Bookmarks tree displays in the Tree pane.
- The destination folder is in the Bookmarks tree.

[Figure: Bookmarks table with the columns Bookmark Type, Preview, Comment, Page Break, Show Entry, Picture, Selected, File Offset, Length, Name, Filter and In Report; entries are dragged from the table into a folder in the Bookmarks tree]
...ar of the DST rules you want applied. When you are finished, click OK.

General Time Zone Notes

- FAT, HFS and CDFS times are not associated with any time zone when stored on a target machine. The investigator assigns a time zone to the evidence at the device level. This assignment does not change displayed dates unless a case time is set and it is different from the device time.
- NTFS and HFS times are associated to Greenwich Mean Time (GMT) when stored on a target machine.
- Set device time zones associates a time zone with the stored FAT times and, for NTFS, displays the correct offset from GMT.

Note: By default, all time zones are set to the examiner machine time zone.

- Modifying the case time zone to convert all times to one time zone changes the FAT, HFS and CDFS times if the device time zone is different from that of the case time zone. All NTFS and HFS times are adjusted to the case GMT offset if convert all times is applied.
- At the case level, the daylight settings respond this way:
  - If standard is selected, no change is made to any times.
  - If daylight is selected, one hour is added to all display times regardless of the time of year.
  - The investigator's system clock date, in standard or daylight time, should have no effect on displayed times.

FAT, HFS and CDFS Time Zone Specifics

FAT, HFS, CDFS: All times are stored initially as the system time of the acquired mac
...ardless of whether the set consists of two or more drives. Therefore, if the investigator acquires the set in its native environment, the disk configuration can be acquired as one drive, which is the easiest option. The best method for performing such an acquisition is to conduct a crossover network cable acquisition.

Note: The LinEn boot disc for the subject computer needs to have Linux drivers for that particular RAID controller card.

To acquire the set:
1. Keep the disk configuration intact in its native environment.
2. Boot the subject computer with an EnCase Network Boot Disk.
3. Launch the LinEn utility.
   Note: The BIOS interprets the disk configuration as one drive, so EnCase applications will as well. The investigator sees the disk configuration as one drive.
4. Acquire the disk configuration as you would normally acquire a single hard drive, depending on the means of acquisition. Parallel port, crossover network cable or drive-to-drive acquisition is straightforward as long as the set is acquired as one drive.

If the physical drives were acquired separately or could not be acquired in the native environment, EnCase applications can edit the hardware set manually.

Disk Configurations Acquired as Separate Drives

Sometimes acquiring the hardware disk configuration as one drive is not possible, or the method of assembling a software disk configuration seems incorrect. To edit a disk configuration, several
...are included in the SafeBoot installer file.
1. Unzip the file's contents to the C:\Program Files\EnCase6\Lib\SafeBoot Technology\SafeBoot directory of the EnCase install directory. This is the default path and directory; you may change it if necessary.

[Table: file and folder names with their SHA-1 hashes, omitted]
[Figure: Support Portal home page with news items, including an announcement of a new collaborative forensic solution for government users, the Guidance Product Version Matrix, Lab Edition, Hardware Recommendations, a new forensic lab opened at the University of Teesside, UK, and Subscribe to public bugs]

Registration

Registration requires you to choose a unique username and password. Please provide all requested information, including dongle ID, phone, e-mail address, organization, etc. This helps us identify you as a registered owner of EnCase. You will receive an email within 24 hours. You must follow the link in that email before you can post on the forums; until you do that, you will not have permission to post. Once you have verified your email address, you will be added to the Registration List. Please allow 24 business hours for your account to be approved.

Once your registration is approved, you can access the Support Portal (https://support.guidancesoftware.com). You can use the Support Portal Tutorial for a brief overview of the site.

[Figure: Support Portal navigation bar: Home, Forum, Knowledge Base, Bug Tracker, My Profile, Request Form, Support Portal Tutorial, Log Out, Administer]

User, product and foreign language forums

To access the forums, click on the Forum tab (https://support.guidancesoftware.com/forum) in the Support Portal.

[Figure: Support Portal navigation bar with the Forum tab selected]
...arks, search results, sorts, hash analysis results and signature analysis.

Checksum: A form of redundancy check for protecting the integrity of data by detecting errors. It works by adding the basic components of a message, typically the asserted bits, and storing the resulting value. Later, anyone can perform the same operation on the data, compare the result to the authentic checksum and, if the sums match, conclude that the data was not corrupted. A major drawback to checksum is that 1234 generates the same check as 4321.

Cluster: A cluster is the smallest amount of disk space that can be allocated to hold a file.

Code Page: A code page interprets a series of bits as a character.

Compound File: A file containing other file types within it. For example, a Microsoft Word file can contain text, graphics and spreadsheet files.

Computer Forensics: The application of scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they were used for illegal or unauthorized activities.

Connection: The communications between the servlet and the client occur across a connection. This connection may involve communicating through the SAFE.

Cyclical Redundancy Check (CRC): The CRC is a variation of the checksum. Its advantage is that it is order sensitive. The stri
...ash set to be created.

Create Logical Evidence File displays, for a selected file or collection of selected files, the Create Logical Evidence wizard, so you can create a new logical evidence file to contain those files.

Mount as Network Share displays the Mount as Network Share dialog, so you can mount an acquired device as a network share. This command appears only if the Virtual File System module is installed.

Expand/Contract, for a selected object anywhere along the branch of the tree, expands the branch of the tree or, for a fully expanded branch of the tree, contracts the branch.

Expand All expands all branches of the tree.

Contract All contracts all branches of the tree.

Set Included Folders is a toggle switch. It initially sets Select All for the selected object in a tree and its branches. Choosing it again clears the selected nodes.

Include Sub Folders toggles Select All for the selected object in a tree and its branches.

Include Single Folder toggles Select All for the selected object in a tree, ignoring its branches.

Copy/UnErase

The Copy/UnErase command recovers and unerases files with byte-per-byte precision.

To initiate Copy/UnErase:
1. Click Edit > Copy/UnErase.
2. Select the file or files to copy.
3. Select whether to have each recovered file appear in a new file or to merge them to a single file.
4. Enter a replacement character for erased FAT table entries. The def
[Figure: HTML source of an exported bookmark report, with a header table showing the case name and report time, and a folder table with the columns FileName, Description, Bookmarks, Size, Created, Last Accessed and Last Written]

Local Keywords

A local keyword is associated with a unique case and can be searched for only when that case is open. If a local keyword is created in one case and another is opened, the local keyword is unavailable.

Open a case and prepare a list of keywords specific to this case only.
1. Select View > Cases Sub Tabs > Keywords. The Tree pane appears with a display something like this. This specific display shows the local keywords folder with a new folder added.

[Figure: Keywords tree showing Keywords, Log and Folder1]

Import Keywords

You can import keywords and keyword lists from other users.

To import a keyword list:
1. Right-click a keyword folder in the Tree pane.
2. Select Import.
3. Enter or browse to the path of the desired file and click OK. The imported list appears in the Tree pane.

Export Keywords

Keywords are expo
New Package Dialog 506
Package Panel 506
Properties Panel 507
Create License Dialog 508
Using a Package 509
Creating a Package 509
Editing a Package 510
Building a Package 510
Creating a License 510
Running a Package 511
Send To HBGary Responder EnScript 511

CHAPTER 14 Using EnCase Tools 515
Tools Menu 517
EnScript Programs Shortcut Submenu 518
Wipe Drive 518
Verifying Evidence Files 521
Creating a LinEn Boot Disc 522

CHAPTER 15 Glossary of Terms 525

CHAPTER 16 Guidance Softwa
...ates OS X artifacts and bookmarks them.
Partition Finder searches unused space to find deleted volume partitions.
Recycle Bin Info Record Finder finds and parses FAT INFO and NTFS INFO2 files.
Scan Registry scans the Windows registry and bookmarks artifacts.
Time Window Analysis Module analyses selected events between specified dates.
Windows Event Log Parser parses selected Windows event logs.
Windows Initialize Case locates Windows artifacts and bookmarks them.
WTMP/UTMP Log File Parser parses WTMP, UTMP, WTMPX and UTMPX files on Unix systems.

File Mounter

File Mounter is an EnScript used to search for and mount compound files, including:
- DBX
- GZip
- PST
- TAR
- Thumbs.db
- Zip

Searches can be by extension or signature, or both.

Note: Mounting a number of large files simultaneously can cause your system to run out of memory.

Note: Password-protected files are not mounted.

1. Double-click File Mounter.
2. Select the method to find the files.

[Figure: File Mounter dialog: "This script will search through the case for compound files and mount them", with the options Run over selected files only, Find Files By (Extension, Signature, Both), Bookmark Folder Name (File Mounter) and File Types check boxes for dbx, gzip, pst, tar, NT reg, 95 reg, Thumbs.db, zip, cab, pfc, nsf and stf]

3. Select the desired file types and click OK. To view progress, clic
...ault is an underscore.
5. Click Next.
6. To determine what is to be Copy/UnErased, do one of the following:
   a. If only the logical files are to be Copy/UnErased, click Logical Files Only.
   b. If the entire physical file is to be Copy/UnErased, click Entire Physical File.
   c. If RAM and disk slack are to be Copy/UnErased, click RAM and Disk Slack.
   d. If only RAM slack is to be Copy/UnErased, click RAM Slack Only.
7. To determine which mask will be applied to the filenames of Copy/UnErased content, do one of the following:
   a. For no masking, click None.
   b. If non-ASCII characters are to be masked, click Do not write non-ASCII character.
   c. If a dot is to be substituted for non-ASCII characters, click Replace non-ASCII characters with DOT.
8. If errors are to be included, click Select Show Errors and then click Next.
9. If a destination folder other than Export is to be used, select a destination folder.
10. Click Finish.

View Menu

The View menu provides commands that determine the contents of the EnCase window panes.

View menu commands:
- Display specific tabs in the tree pane.
- Display tabs that otherwise are not displayed or that otherwise do not appear in the tree pane.
- Toggle controls that appear in tab bars and the wrapping of the tool bar.
- Navigate between tabs, hide tabs, and control the display of tabs with or without their names.
- Move any tab containing windows back to their us
[Figure: Console output while mounting a case, showing a series of "Mounting Case" lines and "Could Not Mount" messages for the volumes that could not be mounted]

The Details tab provides file extent information.

To view file extents:
1. Open a case and display its contents.
2. Scroll to the File Extents column in the Table pane and click File Extents in some row.
3. Click the Details tab in the Reports pane to view the file extents.

The figure below shows the first eight file extents from a piece of evidence.

[Figure: Details tab listing eight file extents, shown beneath the View pane tabs Text, Hex, Doc, Transcript, Picture, Report, Console, Details, Output, Lock and Codepage]

Navigating t
[Figure: File Signatures table listing Adobe Photoshop entries with their extensions (psd, pdd, atn, aco), search expressions, and the GREP, Case Sensitive and Set Include columns]

If Set Include is checked, all file signatures are listed.

The columns in the File Signature display are:
Name displays the file name associated with the signature.
Search Expression displays the string or GREP expression used to locate the file signature.
GREP is true if the search term is defined as a GREP expression.
Case Sensitive indicates whether the search term is case sensitive.
Extensions lists the three-letter file extensions.

You can add new or edit existing signatures.

Adding a New File Signature

A file signature may not be in the table. Use this procedure to add a new one. You need to know the file signature search expression. This is not necessarily the same as the three-letter file extension.

To add a file signature to the table:
1. Click View > File Signatures. The file signature display appears.
2. Right-click a file topic folder and select New. The New File Signature dialog appears.

[Figure: New File Signature dialog with a Search expression tab (Search expression, GREP, Name) and an Extensions tab, plus a GREP Symbols legend (\wFFFF Unicode character, \xFF Hex character, . Any character); the example entry is MP3 Music]
...ble Entry into a Folder Using the Right-Click Drag Method on page 434.

Copying a Table Entry into a Folder

You can copy an entry in the Table pane to a folder in the Tree pane. Copying the entry leaves the entry in the table and creates a copy in the tree.

[Figure: dragging a bookmark entry from the Table pane onto a folder in the Tree pane; on drop, a menu offers Copy Here, Move Here and Cancel]

To copy a table entry into a folder:
1. Right-click and drag the desired entry into the desired folder.
2. Drop the entry on the folder and select Copy Here.

Moving a Table Entry into a Folder Using the Right-Click Drag Method

You can move a table entry into a folder using the right-click drag. The table entry is moved from the table to the tree.

[Figure: Tree pane with the Bookmarks tab selected and a drop menu offering Copy Here and Cancel]
...bootable. Be aware that as soon as you boot it, the underlying data will be altered.

Note that differences may occur depending on whether you are restoring an NTFS or FAT32 file system and whether the restored drive is being booted on the original hardware platform the drive was acquired from.

EnCase applications restore using one of the following methods:
- Without FastBloc SE
- With FastBloc SE

Restoring without FastBloc SE, because the disk drivers for Windows 2000, XP and 2003 do not allow direct disk access, can be performed through the ASPI layer. ASPI has a problem with rounding off the last few sectors that do not fit on the last cylinder of a drive. This is the reason why all sectors are visible when the drive is read, yet when writes are attempted a small number of sectors may be missing. This is a Windows ASPI limitation, not EnCase. Because of this limitation, you may need to use a slightly larger drive when performing the restore.

If you purchased the FastBloc SE module, you can restore to a drive that is controlled through FastBloc SE. When you restore with FastBloc SE, FastBloc SE replaces the Windows drivers and allows direct disk access, thereby circumventing the ASPI layer and its associated problems. Because FastBloc SE can write directly to the disk, you can restore to the same size drive. Drive manufacturers also state that even though drives may appear identical, once partitioned they may not have
...box.dbx

[Figure: Records tree showing a mailbox folder named "Bonnie and Clyde"]

2. Select a record from the Tree pane, then click the Report panel of the Report pane. Selecting an entry from the Table pane displays an individual report like this:

[Figure: Report tab showing an individual email record with the fields Name, Subject, Client Submit Time, Creation Time, To, From, the message body, the quoted original message and Attachments, taken from a Hotmail Sent Items dbx file]

Internet Report

Records for an Internet history report are created when you execute an Internet search. Perform an email search as described in the Creating a Report Using the Report Tab chapter.

1. Select View > Case Sub Tabs > Records. The Tree and Table panes appear. The Tree pane data show the records, and the Table pane displays the record's contents. Note the subfolders Cache and History.

[Figure: Records tree showing Internet Explorer with the subfolders Cache and History]

2. Select either Cache or History to display their contents in the Table pane.
3. Select a record from the Tree pane, then click the Report panel
...button displays on the main window tab bar.
1. Click Add Device. The Sources page of the Add Device wizard appears. In the Sources tree, the Local object is selected and the local device types are listed in the Table pane.
2. Complete the Sources page of the Add Device wizard as needed and click Next. If you checked Sessions on the Sources page of the Add Device wizard, the Sessions Sources page of the Add Device wizard appears. Otherwise, the Choose Device page appears.
3. If Sessions was selected on the Sources page, complete the Sessions Sources page and click Next. The Choose Device page appears.
4. Complete the Choose Device page as needed and click Next. The Preview Devices page appears.
5. Complete the Preview Devices page as needed and click Next. The devices defined and selected on the Add Device wizard are added to the currently opened case. The devices that were added to the case can now be previewed and acquired.

Completing the Sources Page

The Sources page of the Add Device wizard enables you to determine:
- The device types of the devices added to the case
- The evidence files added to the case

Before you begin:
- Open the case.
- Open the Add Device wizard to the Sources page.

Note: For a local acquisition, see Acquiring a Local Drive.
Note: For a Palm Pilot acquisition, see Acquiring a Palm Drive.
Note: For a network crossover acquisition, see Doing a Drive to Drive
...button are enabled. The file containing the data from the cancelled acquisition is available to speed up the current acquisition. The incomplete set containing the cancelled file can be replaced with a set containing all the data.

Existing Evidence File contains the path and filename of the evidence file whose acquisition was cancelled earlier. The existing evidence file is replaced by the acquisition in progress.

Existing Evidence File Browse opens the Windows file system browser to capture the path and filename of the existing evidence file.

Search Page

Use the Search page of the Acquisition wizard to:
- Search the entire case
- Define a keyword search
- Define an email search
- Verify file signatures
- Compute hash values
- Identify codepages
- Search for internet history

Ultimately, these searches and analyses lengthen the acquisition time. For long acquisitions, these searches can be performed independently from the acquisition once the acquisition is complete.

[Figure: Search page with Selected items only (829 Entries, 0 Records), Keyword Search Options (Search entries and records for keywords), Email Search Options (Search for email), Hash Options (Compute hash value), Additional Options (Verify file signatures, Identify codepages, Search for internet history) and Comprehensive Search]

Selected Items only acquires only thos
222. ce preservation. Guidance Software offers courses for law enforcement agencies, organizations concerned with forensics and incident response, and advanced topics for all users.

Professional Services

The Guidance Software Professional Services Division (PSD) combines world-leading computer investigations experts with world-leading forensic technology to deliver turnkey solutions to forensic investigations. Guidance Software has combined its industry-leading computer investigation technology with a team of the most highly trained and capable investigators in the world to bring you complete turnkey solutions for your business. When you face investigative issues that go beyond your internal capabilities, our professional services group is able to respond either remotely or by coming on site to provide the right technology and computer investigations personnel for the job.

Internal Investigations
- Theft of intellectual property
- Intrusion reconstruction
- Wrongful termination suit

Compliance
- Sarbanes-Oxley
- PII risk assessment
- California SB 1386

eDiscovery
- Pending litigation
- Responsive production
- Forensic preservation

Information Security
- Compromise of system integrity
- Policy review
- Unauthorized use
- Forensic lab implementation

Index

6
64-Bit EnCase Servlet, 19

A
Acquiring, 193
Acquiring a Disk Running in Direct ATA Mode, 53, 215
Acquiring a
223. ce ... 102

Contents

Filters Pane Menu ... 105
View Pane Tabs ... 106
The Text Tab ... 109
The Hex Tab ... 110
The Doc Tab ... 111
The Transcript Tab ... 112
The Picture Tab ... 112
The Report Tab ... 113
The Console Tab ... 114
The Details Tab ... 114
The Output Tab ... 115
Navigating the Tree Pane ... 115
Opening and Closing Folders with Expand/Contract ... 116
Expand All ... 116
Contract All ... 117
Displaying Tree Entry Information for One Branch ... 118
Displaying Expanded Tree Entry Information ... 119
Selecting Tree Entries for Operations ... 120
Using the Dixon Box ... 121
Modifying t
224. ch and set back one hour the first Sunday in November. The resulting extra four weeks is called the extended daylight saving time period.

EnCase software uses time zone definitions stored in the examiner's Windows registry to adjust for daylight saving time and time zone differences. Microsoft released a patch altering how these adjustments are stored. The Windows registry contains a subdirectory of dynamic daylight saving time entries for different years. This allows the operating system to apply the current daylight saving time settings to new files and the corresponding year's daylight saving time settings to older files. On patched machines, the root entry for daylight saving time settings is updated to the 2007 time zone settings, and that is currently the entry EnCase software uses. Therefore, if the examiner machine is patched, EnCase software uses the new 2007 rules for entries whose dates lie in the new four-week extended daylight saving time period. Consequently, all file dates, even those for previous years, have the new daylight saving time settings applied.

Time zone settings can be set in two different ways. If you have an entire case where you want to use one time zone, you can set the time zone for the entire case. If you have several pieces of media that use different time zones, set the time zones individually for each device in your case.

Case File Time Zones

Set the time zone for the entire ca
225. ck Snapshot Folder under the Bookmarks tab. The Snapshot is created and placed in the Quick Snapshot folder in your bookmarks.

Remote Acquisition Monitor

Use the Remote Acquisition Monitor EnScript program to monitor remote acquisitions.

Snapshot Differential Report

Use the Snapshot Differential Report to compare differences in several snapshots of a particular machine. It quickly detects trends in live data.

Before you begin:
- Snapshots were created and stored in a Logical Evidence File (LEF)
- Microsoft Excel must be installed
- Add the LEF containing the snapshots into a new case

1. Double-click the Document Incident EnScript program.

[Figure: the Snapshot Differential Report dialog, with Target Machine, Retrieve Snapshots, Choose Snapshots For Report, Items to Report (Processes, Open Ports, DLLs), Output Options (Excel, HTML, Bookmark Snapshots) and Output Folder Path.]

2. Enter the name of the target machine and click Retrieve Snapshots.
3. In the Choose Snapshots For Report list, select the snapshots you want to compare.
4. Choose the types of items to report.
5. Choose Output Options and provide an output path.
6. Click OK.

You can view results in the EnCase program, Microsoft Excel, or an
226. closed a tab, 2 indicates a tab displaying only the icon with the name hidden, 3 the Previous tab, and 4 the Next tab.

[Figure: the tab bar shortcut menu: Close Tab (Ctrl+F4), Show Name, Previous Tab (Ctrl+Shift+Tab), Next Tab (Ctrl+Tab), Auto Fit.]

Close Tab hides a tab and its associated data. To display the data after closing a tab, use the View menu command associated with the tab; for example, View > Cases Sub Tabs > Secure Storage reopens the Secure Storage sub tab.

Show Name toggles the text displaying the name of the tab. When the text is hidden, the icon is still displayed. You can shorten the contents of the tab bar by hiding the name text.

Previous Tab displays the tab to the left of the current tab on the tab bar.

Next Tab displays the tab to the right of the current tab on the tab bar.

Auto Fit toggles whether the tab bar is displayed as a single row with a scrollbar or wrapped to multiple rows when the pane is resized.

Individual Panes

The individual panes that comprise the main window are:
- Tree pane
- Table pane
- View pane
- Filters pane

Tree Pane

The Tree pane establishes the context for all case data analysis. The Tree pane organizes a collection of tabs, each containing a tree specific to that tab. A tree represents the hierarchical structur
227. conditions for showing items pane, then the row will not be shown.
11. The default logic for the conditions is AND. To change this logic to OR, right-click and select Combinations > Change Logic.
12. Click OK.

Note: Other operations, including exporting and importing, are the same as for filters and conditions.

Gallery Tab

The Gallery tab is a quick, easy way to view images stored on subject media. The extent of files shown in the Gallery tab of the Table view is determined by the selection made in the Tree pane. For example, to view images of the entire case, set include at the root of the Case tree. In Gallery you can bookmark images just as in the Table tab.

If signature analysis has not yet been run, Gallery view displays files based on the published file extension. For example, if a JPG file is renamed to DLL, it does not appear in the Gallery until a signature analysis is run.

Note: Running a signature analysis is suggested before performing analysis in the Gallery tab. See the Signature Analysis section on page 327 of this manual for more information.

Viewing More Columns

View more pictures in Gallery by increasing the number of displayed columns.
1. Right-click anywhere in Gallery.
2. Select More Columns.

Viewing Fewer Columns

View fewer pictures in Gallery by reducing the number of displayed columns.
1. Right-click anywhere in Gallery.
2. Select the Fewer Columns menu option.
The r
228. cradle cable to a USB or serial port on the examination machine.
2. Turn on the PDA, then put the PDA in console mode:
   a. On the left side of the graffiti area, use the stylus to write a lowercase cursive L followed by two dots.
   b. On the right side of the graffiti area, write a 2.
   The PDA is in console mode.

On the Sources page of the Add Device wizard:
1. In the Tree pane, click Local.
2. In the Table pane, click the checkbox for Palm Pilot.
3. If other devices are to be acquired in this acquisition, continue defining devices (see Completing the Sources Page) or click Next. The Choose Devices page of the Add Device wizard displays.

[Figure: the Add Device wizard Sources page, with Local, Evidence Files and Network Crossover sources and Palm Pilot checked.]

4. On the Choose Devices page, in the Table pane, select the entry for the Palm Pilot device and any other devices to be acquired during this acquisition and click Next. The Preview Devices page of the Add Device wizard appears.
5. On the Preview Devices page, in the Table pane, select the entry for the Palm Pilot device and any other devices to be acquired during this acquisition and click Finish.

In the Cases Entry Home tab of the main window, the Palm Pilot to be acquired appears in the Entry tree.
229. cripts listed in the Table pane.

[Figure: the EnScript tree with the Enterprise Examples folder (Document Incident, Machine Survey, Servlet Deploy, Quick Snapshot, Remote Acquisition Monitor, Snapshot Differential Report, Sweep Enterprise) and the Examples, Forensic, Include and Main folders.]

3. To run a script, double-click it in the table.

Document Incident

Use Document Incident to generate a report containing details of an incident that required investigation.

Open a case.
1. Double-click the Document Incident EnScript program.
2. Enter the following details in the General Info tab:
   - Incident Reference Number
   - Primary Contact
   - Alternate Contact
   - Incident Timing
3. Click the Incident Details tab and enter information in the following fields:
   - Incident Type
   - Other Type
   - Status
   - Intent
   - Incident Cause
   - Incident Impact
   - Affected Systems

[Figure: the Incident Details tab, with the checkboxes Other, Hacking via public network, Hacking from internal private network and Theft.]

4. Click the Conclusion tab and enter the recommended course of action and comments.

[Figure: the Document Incident dialog with the General Info, Incident Details and Conclusion tabs, showing the Recommended Course of Action and Comments fields.]

5. Click OK. The program generates a report. Click the name of the incident in the bookmarks
230. d preview or acquire the content of a device, first open the case associated with the device.

To acquire the content of a device:
1. Using the Add Device wizard, add the device.
2. Using the EnCase main window, preview the content of the device.

You are ready to acquire the contents of the device as an EnCase evidence file in the currently opened case.

Previewing

Previewing is done before an acquisition so an investigator can determine if the device should be acquired. A preview is not optional, although the investigator determines the extent of the preview. During a preview the content of the device can be analyzed just as if the content had been acquired.

Note: A write blocking device such as the FastBloc write blocker prevents the subject device from changing. Previewing via a crossover network cable is useful if a write blocking device is not available.

By previewing, the investigator does not have to wait for an acquisition to finish before doing a preliminary examination. While previewing, you can run keyword searches, create bookmarks, and perform Copy/UnErase and other analysis functions. These search results and bookmarks can be saved into a case file; however, each time the case is opened the subject media must be physically connected to the investigator's machine.

Live Device and FastBloc Indicators

In the Entries Table pane and the Preview Devices page of the Add Device wiza
231. d to run straight from the CD or DVD and do not install themselves on the subject machine. You must have an ISO image of the live Linux distribution you want to use, such as Knoppix. Knoppix is one of the popular live distributions.

Note: As it is not practical to modify the settings of a live Linux distribution, ensure that the live distribution does not automatically mount detected devices.

To create a LinEn boot disc:
1. Using your EnCase application on the investigator's machine, click Tools > Create Boot Disc. The Choose Destination page of the Create Boot Disk wizard displays.
2. Click ISO Image and click Next. The Formatting Options page of the Create Boot Disk wizard displays.
3. Provide a path and filename to the ISO image you downloaded earlier, optionally click Alter Boot Table, and click Next. The Copy Files page of the Create Boot Disk wizard displays.
4. Right-click in the right pane of the Copy Files page and click New. The file browser opens.
5. Enter or select the path to the LinEn executable (normally c:\program files\encase6\linen), click OK, then click Finish. The Creating ISO progress bar displays on the Copy Files page. Once the modified ISO file is created, the wizard closes.
6. Burn the ISO file onto a blank CD/DVD using the burning software of your choice. For help with this, refer to the instructions that came with your software.

You now have a boot disc to run Linux and LinEn while you acquire the subject Linux
232. der Structure saves selected email folder structure information.

Output Path captures the location of the export data file. The default is EnCase6\Export.

Click OK. A message appears when the export function completes.

[Figure: the Email Export status dialog, showing Status: Completed, the Start and Stop times, a successful export email count of 1 and a failed export email count of 0.]

View the entire structure, down to the individual message, in the Export folder. View a message by double-clicking it. The message text appears in read-only form. The figure shows a typical text message presentation.

[Figure: an exported text message (a Guidance Software junk mail notification) displayed in read-only form.]
233. ders. The Tree pane that appears is similar to this illustration.

[Figure: the Tree pane showing the Home, Entries, Bookmarks and Search Hits tabs and the Entries tree of a sample case.]

2. Double-click a filter, or right-click it and select Run from the drop-down menu that appears. Complete any dialogs that appear. When the filter finishes, the Table pane displays entries that meet the filter's criteria. The figure below shows the filter name and other data on those files that meet the requirements (Deleted Files in this case).

[Figure: the Table pane after running the Deleted Files filter, with the Name, Filter, Is Deleted, Last Written and File Created columns populated for the matching JPG files.]
234. device.

Configuring Your Linux Distribution

Before LinEn can run on Linux, you must configure your Linux distribution. Due to the nature of Linux and its distributions, only the following standard distributions are discussed:
- SUSE 9.1
- Red Hat
- Knoppix

Note: Because of the dynamic nature of Linux distributions, it is recommended that you validate your Linux environment before using it in the field.

The process describes an ideal setup that runs the LinEn application in a forensically sound manner. Many distributions provide autofs as the means of auto-mounting anything attached to the Linux system. It is essential that autofs is disabled to prevent auto-mounting.

Obtaining a Linux Distribution

A Linux distribution can be obtained from any Linux vendor. If you intend to use a LinEn boot disc, you will need a live distribution such as Knoppix in order to create a boot disc. If you intend to run LinEn on an installed version of Linux on your forensic machine, we recommend using SUSE or Red Hat. For the Linux distributions discussed in relation to LinEn, obtain a distribution from one of the following:
- For the latest SUSE distribution, go to the http://www.novell.com/linux website
- For the latest Red Hat distribution, go to the http://www.redhat.com website
- For the latest Knoppix distribution, go to the
235. dit Menu

The Edit menu commands work with the objects and content in the currently selected tab. Edit menu commands are context specific, changing as you move from one tab to another or select objects or content in a tab. Specific Edit menus are discussed in the sections describing the features that have an Edit menu associated with them.

[Figure: the Edit menu: Export, Copy/UnErase, Copy Folders, Bookmark Data (Ctrl+B), Create Hash Set, Create Logical Evidence File, Mount as Network Share, Expand/Contract (Space), Expand All, Contract All, Set Included Folders (Num), Include Sub Folders (Shift Num), Include Single Folder (Ctrl Num).]

The Edit menu shown here provides the following commands:

Export displays the Export dialog, where you select fields in a file to copy data to a text file and specify the path for the file containing the data.

Copy/UnErase starts the Copy/UnErase wizard for copying evidence files and folder entries to one or more destination files. This command does not change the evidence file.

Copy Folders displays the Copy Folders dialog, where you can process the content of a selected folder or folders in a variety of ways.

Bookmark Data displays the Bookmark Data dialog, where you can create and define a new data bookmark.

Create Hash Set displays the Create Hash Set dialog for selected files already hashed. You can name and categorize the h
236. drive
- Drive-to-drive acquisitions
- Crossover cable acquisitions

Drive-to-drive acquisitions provide the means to safely preview and acquire devices without using a hardware write blocker. Drive-to-drive acquisitions use either the subject machine or the forensic machine to perform the acquisition. Drive-to-drive acquisition speed can be significantly faster than EN.EXE and MS-DOS from previous versions simply because Linux is a 32-bit operating system.

Crossover cable acquisitions require both a subject and a forensic machine. This type of acquisition also negates the need for a hardware write blocker; it lends itself to situations where access to the subject machine's drive is difficult or not practical. This is the recommended method for acquiring laptops and exotic RAID arrays. This method is slower than a drive-to-drive acquisition because data is transferred over a network cable, and it is thus especially sensitive to the speed of the network cards in both machines.

Setup for a Drive-to-Drive Acquisition

When a subject drive from the subject machine cannot be acquired via a crossover cable acquisition, the subject drive can be acquired via a drive-to-drive acquisition. Drive-to-drive acquisitions can be done in the following ways:
- Running a LinEn boot disc on the forensic machine
- Running the LinEn utility from Linux already installed on the forensic machine
- Running a LinEn boot disc on the subject machine
An
237. ... 172
Setting Time Zone Settings for Case Files ... 172
Setting Time Zone Options for Evidence Files ... 173
General Time Zone Notes ... 174
FAT, HFS and CDFS Time Zone Specifics ... 174
Time Zone Example ... 175
Open Case ... 175
Saving a Case ... 176
Saving a Case ... 176
Saving a Case With a New Name or New Location ... 176
Saving a Case and the Global Application Files ... 177
Close Case ... 177

Contents

CHAPTER 7 Working with Evidence ... 179
Overview ... 180
Types of Entries ... 180
EnCase Evidence Files ... 180
Logical Evidence Files ... 181
Raw Image Files ... 181
Single Files ... 181
Supported File Systems and Operating Systems ... 182
Using Snapshots ...
238. dy generated. If you create or add a report, that report and the options you select for it are stored in the database, enabling you to regenerate it as needed. Double-click an item in the list to modify it. Right-click an item to delete it. If you delete an item without selecting its check box, you must click OK and then click Yes on the resulting warning message.

Add: Click Add to create a new report definition. The Report Setup dialog opens.

[Figure: the Report Setup dialog, with Report Name, Report Output Path, Report Type (Process Data, Process And Port Data, User Data), Excel File, HTML Format and Edit Condition.]

In the Report Name field, specify the name of the report. In the Report Output Path field, specify the location to save the report. In Report Type, select the type of report you want to generate:
- Process Data
- Process and Port Data
- User Data

Excel File: Select to output the report as a Microsoft Excel file.

HTML Format: Select to output the report as an HTML file.

Edit Condition: Select to add a set of conditions to report on.

Modify: Select an item in the list, making sure the check box is cleared, then click Modify. The Edit Report dialog opens.

[Figure: the Edit Report dialog, with the same Report Setup fields and a Report Output Path under C:\Program Files\EnCase6\Export.]
239. ... 219
Acquiring a PalmPilot ... 220
Leaving Console Mode ... 222
Acquisition Times ... 223
Acquiring Non-local Devices ... 223
When to Use a Crossover Cable ... 223
Performing a Crossover Cable Preview or Acquisition ... 223
Acquiring Disk Configurations ... 225
Software RAID ... 225
Windows NT Software Disk Configurations ... 226
Dynamic Disk ... 227
Hardware Disk Configuration ... 228
Disk Configuration Set Acquired as One Drive ... 228
Disk Configurations Acquired as Separate Drives ... 229
Validating Parity on a RAID 5 ... 230
RAID 10 ... 230
Acquiring Virtual PC Images ... 230
CD/DVD Inspector File Support ... 230
Acquiring SlySoft CloneCD Images ...
240. e This setting appears on the shortcut menu only if a corrupt image is encountered. The timeout defaults to 12 seconds for the thread trying to read a corrupt image file. You can modify the timeout on the Global tab of the Options dialog.

Bookmarking an Image

You can bookmark images on the Gallery tab of the Table pane.

[Figure 31: the Gallery tab shortcut menu (Copy, Export, Copy/UnErase, Activate Single Files, Create Hash Set, View File Structure, Analyze EFS, Go to Parent, Fewer Columns, More Columns, Fewer Rows, More Rows, Select Item) and the Bookmark Files dialog (Bookmark Selected Items, Create new bookmark folder, Folder Name, Folder Comment, Comment, Destination Folder).]

1. Select the desired image or images.
2. Right-click the highlighted image and click Bookmark File. The Bookmark Files dialog appears.
3. Modify the settings as needed and click OK.

The image or images are bookmarked. They are in the Table pane when the Bookmark tree displays.

Reducing the Number of Images Per Row

You can reduce the number of images displayed in a row in the Gallery tab.
241. e double-click the package to run it.

Send To HBGary Responder EnScript

This EnScript passes a memory object gathered by EnCase to HBGary's Responder software.

1. Select the physical memory to send.

[Figure: the EnCase Enterprise main window with a RAM device selected in the Entries tree.]

2. Click Tools > Send To Responder.

[Figure: the Tools menu, with Send To Responder (Alt+R) highlighted.]

3. The EnScript drops the physical evidence device information byte for byte into a flat file and sends it to Responder. Here is an example of the file viewed in Windows Explorer.

[Figure: Windows Explorer showing the exported RAM image as a 523,760 KB MEMDUMP file.]

If you specify a device or file other than a physical memory drive, an error messa
242. e your own formats.

[Figure: the Regional and Language Options dialog, listing languages such as Russian, the Sami variants, Sanskrit, Serbian (Cyrillic and Latin), Slovak, Slovenian and the Spanish variants.]

[Figure: the Advanced tab. Language for non-Unicode programs: this system setting enables non-Unicode programs to display menus and dialogs in their native language; it does not affect Unicode programs, but it does apply to all users of this computer. Russian is selected, a list of code page conversion tables (IBM EBCDIC Cyrillic Russian, IBM EBCDIC Turkish, IBM EBCDIC Latin 1 Open System 1047 Euro, JIS X 0208-1990 & 0212-1990, Simplified Chinese GB2312, IBM EBCDIC Cyrillic Serbian Bulgarian) is shown, and under Default user account settings the option Apply all settings to the current user account and to the default user profile appears.]

To configure the keyboard for a specific language:
1. Cl
243. e Bookmark Notes

[Figure: the Add Note Bookmark dialog, with Show in report and the Formatting options Bold, Italic, Increase font size (points) and Increase text indent (1/4 inch).]

1. In the Bookmarks table in the Table pane, right-click the desired bookmark and click Add Note. The Add Note Bookmark dialog appears.
2. Enter the text of the note, format the text as desired, and then change the Appear in report setting as desired.
3. Click OK.

The note is added to the Bookmarks table on the Bookmarks panel in the Table pane.

Creating a Folder Information Structure Bookmark

Use a folder structure bookmark to bookmark a folder or device.

Before you begin: The Entries tree must display in the Entries panel of the Tree pane.

[Figure: the Entries shortcut menu with Bookmark Folder Structure selected, and the Bookmark Folder Structure dialog with Include Device Information and Destination Folder.]
244. e

[Figure: the Entries tree (Temporary Internet Files, My Documents, NetHood, PrintHood) with the View pane tabs Text, Hex, Doc, Transcript, Picture, Report, Console and Details, and the Details tab for index.dat showing Name, File Ext, Description, Last Accessed, File Created, Last Written, Entry Modified, File Acquired, Logical Size, Initialized Size, Physical Size, Starting Extent, File Extents, Permissions, References and Physical Location.]

Note: Contents of the Table pane change as different items are selected in the Tree pane and when files are clicked in the Table pane.

Showing Columns

Individual columns or groups of columns can be shown and hidden from view. To show or hide columns using Show Columns, place the cursor in the Table pane and right-click. The menu option appears below. To activate or deactivate the Table columns dialog, right-click the Table pane, select Show Columns, and select the desired columns.

[Figure: the Table pane shortcut menu, beginning with View Search Hits and Bookmark Selected Items.]
245. e Export routine.

[Figure: Demo_Report.html opened in Microsoft Internet Explorer, showing entry attributes such as Name, Description, Volume, File Acquired, Logical Size, Initialized Size, Physical Size, Starting Extent, File Extents, References, Physical Location, Physical Sector, Evidence File, File Identifier, Code Page, Full Path and Original Path.]

Creating a Report Using Case Processor

You can create reports using the Case Processor EnScript program. The Case Processor Report Generator contains these features:
- Entry attributes such as File Group, Notable Files, Highlighted Data, Folder Info, Email information and Records
- Ability to report on only items tagged In Report
- Ability to report on only selected items in the Records tab
- The report captures the investigator's name, organization name and creation date
- The report is generated as HTML, viewable outside of EnCase

The data is organized like the Table tab and breaks down each set of information by its evidence file.

CHAPTER 12 Working with Non-English Languages
Working with Non-English Languages ... 458
Non-English Language Features ... 459
The Options Dialog Font Tab ... 460
Configuring
246. e [Screenshot: a bookmark report, "Jay's Bookmarks", page 1, from the Bonnie and Clyde sample case; the bookmarked entry is the text file PIPEBOMB.TXT and the bookmark comment reads "This is Jay's bookmark from Bonnie and Clyde case".]
247. e Windows Disk Manager and select Backup from the Partition option. This creates a backup disk of the disk configuration information, placing the backup on a floppy disk. You can then copy the file into your EnCase application using the Single Files option, or acquire the floppy disk and add it to the case. The case must have the disk configuration set drives added to it as well. This situation only works if working with a restored clone of a subject computer. It is also possible a registry backup disk is at the location. Right-click the evidence file that contains the key and select Scan Disk Configuration. At this point the application attempts to build the virtual devices using information from the registry key. [Screenshot: the Entries tree showing the NT4 Disk Key and NT4 SoftRaid d1, d2 and d3 entries, with the right-click menu offering Copy/UnErase, Copy Folders, Bookmark Data (Ctrl+B), Bookmark Folder Structure, Activate Single Files, Create Hash Set, Recover Folders, Create Logical Evidence File, Acquire, Restore, Hash and Scan Disk Configuration.] Dynamic Disk. Dynamic Disk is a disk configurat
248. e appropriate information. Remote Acquisition Monitor. 2. Click OK. 3. The monitor connects to the machine and displays the acquisition's progress. [Screenshot: List Acquisitions dialog.] Setting Up the Storage Machine. This is basic Windows share setup. 1. In the Acquisition Properties dialog, select the Sharing tab. [Screenshot: Acquisition Properties dialog.] 2. Click the Share this folder radio button and enter a Share name. 3. Click Permissions. 4. The Permissions for Acquisition dialog displays. These settings vary depending on your environment. [Screenshot: Permissions for Acquisition dialog, Share Permissions tab, with Authenticated Users listed under Group or user names.] 5. Set up the permissions you want, then click OK. 6. The shared folder looks like this: [Screenshot: Windows Explorer view of C:\Documents and Settings\Joshua\Desktop\Acquisition listing the evidence file segments SEVEN OF NINE (10.0.36.39).E01 through .E04, each about 655,350 KB, dated 12/26/2007.]
249. e entry for that partition at the sector at which it was created on the evidence file image of the hard drive. To delete a partition: 1. On the Disk tab of the Table pane, navigate to the volume boot record entry, as indicated by a pink block. 2. Right-click and select Delete Partition. 3. Click Yes to confirm the removal of the partition. The row in the Table view now contains an entry for Unused Disk Space instead of the now-deleted partition. Restoring Evidence. EnCase applications allow an investigator to restore evidence files to prepared media. Restoring evidence files to media theoretically permits the investigator to boot the restored media and view the subject's computing environment without altering the original evidence. Restoring media, however, can be challenging. Read this chapter carefully before attempting a restore. DO NOT boot up the subject's drive. Do not boot up your forensic hard drive with the subject drive attached. There is no need to touch the original media at all. Remember, it is still evidence. Physical vs. Logical Restoration. EnCase allows the investigator to restore either a logical volume or a physical drive. A logical volume is a volume that does not contain a Master Boot Record (MBR) or the Unused Disk Space. A physical volume contains the Master Boot Record and Unused Disk Space. Unused Disk Space, however, is typically not accessible to the user. Most often
250. e environment. Although similar in many ways to C and Java, not all their functions are available in the EnScript language. Classes and their included functions and variables are found in the EnScript Types tab in the Tree pane. Note: The EnScript language uses the same operators and general syntax as C, though classes and functions are different. Our message board at https://messageboards.guidancesoftware.com/forumdisplay.php?f=11 provides additional information about the EnScript language. Included EnScript Components. EnCase software comes bundled with a number of EnScript programs. The EnCase installer puts these programs in the default EnCase folder. Its address is typically C:\Program Files\EnCase\EnScript. This folder in turn contains four subfolders, visible by clicking EnScript in the Filters pane. They are: Examples, Forensic, Include, Main. Enterprise users have an additional Enterprise folder. Each folder contains the include directory and libraries. EnScript Types. EnScript types reference resources in EnScript language classes. Perusing these provides information about EnCase classes and functions. To view EnScript Types, click View > EnScript Types. [Screenshot: EnScript Types tab with Table, Report and Code views.]
251. e files you checked. Keyword Search Options contains controls used to define a keyword search while the content of the device is acquired. Search entries and records for keywords executes a keyword search when checked. When unchecked, other checked functions are performed but the keyword search is not. This allows you to run a signature analysis or a hash analysis without running a keyword search. This option also enables: Selected keywords only; Search entry slack; Use initialized size; Undelete entries before searching; Search only slack area of entries in Hash Library. Selected keywords only restricts the number of keywords used during the keyword search to the number of keywords specified, shown in Number of Keywords. Search entry slack includes file slack in the keyword search. Use initialized size uses the initialized size of the device during the keyword search. Undelete entries before searching undeletes deleted files before they are searched for keywords. Search only slack area of files in Hash Library determines whether the slack areas of the files included in the hash library are searched. Hash Options contains controls used to compute hash values. Compute hash value determines whether a hash value is computed. Recompute hash value determines whether a hash value is recomputed. When you recompute the hash values, they are recomputed even if hash values are already present. Email Search Options contains controls
252. e formatting controls for all characters that comprise the content of the note. Bold makes all content of the note appear in bold. Italic makes all content of the note appear in italics. Increase font size sets the font size of all the content of the note. Increase text indent sets the text indent of all of the text blocks in the note. Bookmark Folder Information Structure Dialog. Use the Bookmark Folder Structure dialog to determine whether and how much device information to include in the folder structure bookmark you are creating. [Screenshot: Bookmark Folder Structure dialog with Include Device Information, Destination Folder (Bookmarks), Columns (3) and Cancel.] Include Device Information includes folder structure information. Columns specifies the number of columns of folder structure information. Destination Folder displays the Bookmarks tree so you can navigate to the destination folder. Bookmark Data Dialog for Files. Use the Bookmark Data dialog for files when creating notable files and file group bookmarks. The dialog lets you: add a short comment to the bookmark; create a folder; add a folder comment. [Screenshot: Bookmark Data dialog with Comment, Folder Name and Folder Comment fields.] Bookmark Selected Items appears when multiple files are selected on the Table pane. When checked, selected files are bo
253. e name and password when in online mode. [Screenshot: the online Enter Credentials dialog for the SafeBoot Security System, with Username, Password, Server, Machine Name, Transfer Database and Algorithm (AES256 FIPS, AES256, DES) fields.] The SafeBoot encrypted drive will be parsed. The offline dialog is similar. The Online check box is blank and only the Machine Name, Transfer Database field and Algorithm are available. [Screenshot: the offline Enter Credentials dialog with Username, Password and Server unavailable and Machine Name, Transfer Database and Algorithm available.] 3. Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again. This illustration shows results of a successful decryption. The Tree pane shows a SafeBoot folder, the Table pane contains a list of decrypted files, while the Text pane shows contents of a decrypted file. [Screenshot: EnCase main window after SafeBoot decryption.]
254. e of a related collection of entries or objects. The very first object in a tree is the root. Folder objects contain other folder objects. Non-folder (terminal, leaf) objects do not appear in the tree. They appear in the Table pane when their containing folder object is highlighted. Figure 13: A Tree Pane as a window along with its (1) tab bars and its (2) tree, where Entries is the root of the tree, Hunter XP is a device, C is a volume, and the rest of the tree consists of folders. In the tree, (4) Application Data is highlighted. Each object in the tree can consist of (5) an Expand/Collapse icon, as seen when expanded, (6) a Set All icon, (7) a Checkbox, (8) a Category icon, and (9) a Name. [Screenshot: Tree pane with the Home, Bookmarks, Search Hits, File Extents and Permissions tab bars and a tree showing Entries, Hunter XP, C, Extend, AOL Instant Messenger, Documents and Settings, All Users, Bob Hunter, Application Data, Cookies and Desktop.] A single entry or object in the tree consists of the following. Expand/Collapse determines if the contained entries or objects are displayed or are hidden. Where a folder object appears that does not have an Expand/Collapse icon, the entries or objects it contains appear in the table in the Table pane instead of the tree. Set Include determines whether the entry or object
255. e presents facsimiles of selected data. It varies depending on selections. Filter pane shows filter lists. Figure 7: Panes as they appear in the main window, showing (1) Tree pane, (2) Table pane, (3) View pane, (4) Filter pane. [Screenshot: EnCase main window with the Cases, Encryption Keys, EnScript, EnScript Types, File Signatures, File Types and File Viewers tabs in the Filter pane; the Tree pane showing the Home, Bookmarks, Search Hits, Records, Devices, Secure Storage and Keywords tabs and the Entries tree of evidence file GSI DOC (10.0.36.21); the Table pane listing entries such as ENSCRIPTPATH, Reports, STORAGEPATH, System32, Tools, 0x0409.ini, Autorun, Config.cac, Setup.exe, Setup.ini and Release Notes.doc; and the View pane showing text of an installer message file.]
256. e sent to a log record. Acquiring a device is one process that optionally sends its outputs to a log record, which results in a log record bookmark. Datamarks. EnScript programs or EnScript modules that execute the Add Datamark method create a datamark. When a datamark is created in a bookmark folder, that datamark can be used as a bookmark. Each datamark has a tab associated with it. The tab displays when you select the datamark in the Bookmarks table on the Bookmarks tab of the Tree pane. [Screenshot: an EnScript code sample in which MainClass::Main(CaseClass c) creates a RegValueClass value, calls SetValue on it with a DWORD type, obtains a BookmarkFolderClass folder under the case's BookmarkRoot, and if the folder exists calls AddDatamark with the value; beside it the resulting Datamark tab is shown next to the Table and Report tabs.] Bookmark Features. Features that you use while working with bookmarks include: Bookmark Data dialog for highlighted data bookmarks; Add Note Bookmark dialog; Edit Folder Information Structure Bookmarks dialog; Bookmark Data dialog for files. Bookmark Data Dialog for Highlighted Data Bookmarks. The Bookmark Data dialog is used when manually creating a bookmark. The dialog provides the means to add comments to the bookmark, determine the data type of the bookmark, and to select a destination folder where the bookmark is to be stored. [Screenshot: Bookmark Data dialog with Comment, Data Type and Destination Folder fields and a Cancel button.]
257. e software give an investigator the ability to search: Email addresses; Web addresses; IP addresses; Credit card numbers; Phone numbers; Dates with a four-digit year. Creating Global Keywords. Global keyword lists should be analyzed and targeted, then assigned to discrete folders. These folders are accessible by any case. 1. Click Keywords from the Tree pane. This menu appears: [Screenshot: Keywords context menu with New, Insert, Bookmark Data (Ctrl+B), Export, Import, Add Keyword List, Copy Tree (Ctrl+C), New Folder, Expand/Contract (Space), Expand All, Contract All, Set Included Folders (Num), Include Sub Folders (Shift+Num), Include Single Folder (Ctrl+Num).] 2. Right-click the Keywords icon in the Tree pane and click New Folder. The Tree pane of the Keywords tab changes, showing an additional folder. [Screenshot: Keywords tree with a new Folder1 entry.] 3. Rename the folder as desired. Adding Keywords. Add keywords directly to a new folder, an existing folder, or the root folder. Open the Tree pane from the Keywords tab. 1. Right-click a keyword entry in the Tree pane. This menu appears if the main Keywords icon is selected. If a sub-folder is selected, the menu is slightly different in appearance but functions the same. [Screenshot: keyword context menu with New Keyword, Bookmark Data (Ctrl+B), Export, Import, Add Keyword List and Copy Tree.]
258. e tabs displayed in the View pane. Clicking one of these commands displays the corresponding tab in the View pane. [Screenshot: View pane tab bar showing Text, Hex, Doc, Transcript, Picture, Report, Console, Details, Output, Lock and Codepage, with the selection indicator reading 0/26233.] Text displays the ASCII text tab in the View pane. Hex displays the Hexadecimal value tab in the View pane. Doc displays a Windows document representation, if possible, in the View pane. Transcript displays the Transcript tab in the View pane. Picture displays the Picture tab in the View pane. Report displays the Report tab in the View pane. Console displays the Console tab in the View pane. Details displays the Details tab in the View pane. Output displays the Output tab in the View pane. Lock prevents the View tab from changing the tab based on the entry selected in the Table pane. Codepage toggles the ability for the View pane to display the file information using the detected Code Page. If not selected, the default Code Page is used. Selection Indicator indicates the number of selected items as well as the number of total possible items. The Filter Pane and its Tab Bar and View Menu. The Filter Pane menus display a command for each of the tabs that appear on the Filter pane tab bar. The Filter Pane menu and the tab bar for the Filter pane display commands corresponding to the tabs appearing in the View pane. [Screenshot: View, Tools, Help menu residue.]
259. e the character into the Replace first character of FAT deleted files with field. 4. Click Next. The Options page of the Copy/UnErase wizard appears. Completing the Options Page. The Options page is the second page of the Copy/UnErase wizard. 1. Determine the scope of what is to be copied and unerased, and click on the control that captures the appropriate scope. 2. Determine the type of mask you want to employ during the copy and unerase operation, and click on the control that uses the mask. 3. Decide if you want the copy and unerase operation to stop when it encounters an error or continue execution even if errors are found. This is the same as asking if you want the copy and unerase operation to run unattended. For unattended execution, select Show Errors; otherwise clear Show Errors. 4. Click Next. The Destination page of the Copy/UnErase wizard appears. Completing the Destination Page. The Destination page is the last page of the Copy/UnErase wizard. 1. If desired, provide a path to and filename where the results of the Copy/UnErase operation will be saved. 2. If desired, change the Split files above value. 3. If Use Initialized Size is enabled and you want to use it, select Use Initialized Size. 4. Click Finish. The copy and unerase operation begins. As it runs, the thread status line provides an indication of progress. When the thread completes, a results dialog is display
260. e to be packaged. Output Path contains the path to and filename of the package or packages to be created. Use License determines whether other license-related controls appear on the dialog. Use this setting if you want to license the package. License Name contains the filename of the license without its file extension. This setting only displays when Use License is selected. Secret Key is a key used in conjunction with the license file to secure the code within the package. This text is not exposed to end users and should not be given to end users. Properties Panel. The Properties panel of the New Package dialog captures attributes related to the product being packaged. This panel is used to create, build and edit the package. [Screenshot: Package Properties panel with Product Name, Major Version (7), Minor Version (7), Sub Version (7), Description ("This finds all forms of digital media"), Company (Guidance Software Inc.), Business Phone and Web Page (www.guidancesoftware.com).] Product Name is the name of the EnScript source code. Major Version is the major version number of the EnScript source code. Minor Version is the minor version number of the EnScript source code. Sub Version contains identifiers for bug fix versions, patches or build numbers of the EnScript source code. Description is self-explanatory. Company is the name of the company associated with the
261. e viewed any time by selecting the Bookmarks tab. You can mark any existing data or folder. Note: When a file is initially written to a multi-session CD, it is assigned an address offset. When the file is changed, it is written again to the CD as a new file but with the same offset. Any revisions to this initial file are all assigned the same offset. The file and all its revisions can be viewed. EnCase provides the following bookmark types: Highlighted data (annotates selected data; also referred to as sweeping bookmarks); Notes (allows the user to write additional comments into the report; provides some text formatting capabilities; not bookmarks of evidence); Folder information and structure (annotates the tree structure of a folder or the device information of specific media; no comment feature; options include showing device information such as drive geometry and the number of columns to use for the tree structure); Notable File (annotates individual files; fully customizable); File group (annotates groups of selected files; no ability to comment); Snapshot (contains the results of a System Snapshot of dynamic data for Incident Response and Security Auditing); Log record (contains results from log parsing EnScript programs); Datamark (contains the results of Windows registry parsing EnScript programs); Case time setting (shows whether Daylight Savings Time is being used on the ev
262. [Screenshot: a Records table of parsed email messages with Name, Subject, Created, Sent, From and message-preview columns, listing messages dated May 2003 with subjects such as RE: readwindate, RE: Bug Report, RE: another bug, RE: Guidance Softw..., RE: Searching for M..., RE: why does Enca..., RE: Issues 983 and RE: EnScript bug.]
263. earch Options. [Screenshot: Email Search Options with Search for email (Recovered deleted, Outlook PST, Outlook Express, Exchange EDB, Lotus, MBOX and other formats) and Additional Options (Verify file signatures, Identify codepages, Search for internet history), with Back and Cancel buttons.] To define the analysis processing as part of the acquisition: 1. Do the following as required: To search all the content of devices associated with the case, not just the content of the device being acquired, click Search entire case. To perform a keyword search, click the appropriate controls in the Keyword Search Options. To perform an email search, click the appropriate controls in Email Search Options. To compute or recompute hash values, click the appropriate controls in Hash Options. To verify file signatures, in Additional Options click Verify file signatures. To identify codepages, in Additional Options click Identify codepages. To search for internet history files, in Additional Options click Search for internet history. 2. Click Next. The Options page of the Acquisition wizard appears. Completing the Options Page of the Acquisition Wizard. This page of the Acquisition Wizard specifies how the EnCase evidence file is built during the acquisition and the disposition of that file after the acquisition is complete. [Screenshot: Options page residue beginning Name, Ev
264. eck this box to produce comments on what is happening behind the scenes. Database Name: Since a database management system can house many databases, you must specify the one you want to use. 4. Click Next. If the database connection is successful, a confirmation message displays. [Screenshot: Test Database confirmation message.] Specifying Database Content. Use the Process Options dialog to specify what information to insert into the database. [Screenshot: Process Options dialog.] 1. Select the appropriate Snapshot Write Options button. Save All Processes takes a snapshot of each node and inserts these items into the database: Process; Net users; Net interfaces; Open ports. Save Not Approved Or Hidden Processes inserts not approved or hidden processes into the database. 2. Click Finish to begin the scanning process. Generating Reports on the Database. Once you gather data into the database, you can generate reports. 1. Run the Snapshot DB Reports EnScript. The Snapshot Database Source Options dialog opens. [Screenshot: Snapshot Database Source Options dialog with Data Source Name, Enter User Name (Not Needed If Using NT Authentication), Enter Password (Not Needed If Using NT Authentication), DB Timeout Interval (minutes, 5) and Show Queries in Console.] Data Source Name: This is the name you gave the ODBC connection when you created it. Enter Us
265. ector (LS) displays the sector number of the logical sector relative to the beginning of the logical disk. Cluster number (CL) displays the cluster number. The status line content relative to the location of the cursor within the file being examined includes: Sector offset (SO) displays the number of sectors in bytes between the start of the cluster and the current cursor location; File offset (FO) displays the number of bytes between the start of the file and the current cursor location; Length (LE) displays the length in bytes of the content currently selected by the cursor. Figure 18: Status line elements from drive geometry, where (1) is the content of a file from start to end of file (EOF), (2) sectors, (3) clusters, (4) width of the cursor. Notice that the physical sector (PS) value and the logical sector (LS) sector value are different but address the same location. Panes and their Specific Tabs. The panes that comprise the main window organize collections of tabs. They include: Tree pane tabs; Table pane tabs; View pane tabs; Filters pane tabs. Tree Pane Tabs. The Tree pane contains tabs with trees displaying many of the elements or objects used in your EnCase application. Each tab contains a tree displaying a collection of elements in a hierarchy. For example, keywords you define appear in the Keywords t
266. ector to the prepared target drive, thereby creating an exact copy of the subject drive. The target drive should be larger than the subject hard drive. When the restore completes, it provides hash values verifying that the lab drive is an exact copy of the subject drive. If a separate, independent MD5 hash of the lab drive is run, be certain to choose to compute the hash over only the exact number of sectors included on the suspect's drive so that the MD5 hash will be accurate. Drive 0 cannot be restored to. If the prepared target media is Drive 0, another drive must be added to the system as a master to store the restored image. Restored sectors can also be verified to confirm that there is indeed a sector-by-sector copy of the original subject media. Sometimes the Convert Drive Geometry setting is available. This is entirely dependent on the drive geometry of the original drive in comparison to the restore drive. Every drive is defined by specific Cylinders/Heads/Sectors (CHS) drive geometry information. If the Heads and Sectors of the original drive imaged are identical to the target restore drive, then the drives are of the same type and the Convert Drive Geometry setting is not available. If the source and target drives are of different types, for example the heads/sectors settings are different, then Convert Drive Geometry is available. [Screenshot: Restore dialog residue, including a warning that the restore will destroy all information on the target device, and Label fields.]
267. ed. When the EnScript tab appears in the Filter pane, the EnScript programs are organized into a tree extending to the programs themselves. When the EnScript tab appears in the Tree pane, only folders populate the tree and the programs themselves appear in a table in the Table pane. The table representation contains information beyond what is visible in the tree representation in the Filter pane. EnScript Types displays the EnScript Types tab in the Tree pane. It does not display by default. File Signatures displays the File Signatures tab in the Tree pane. It does not display by default. File Types displays the File Types tab in the Tree pane. It does not display by default. File Viewers displays the File Viewers tab in the Tree pane. It does not display by default. Hash Sets displays the Hash Set tabs in the Tree pane, which include the Hash Sets Home and Hash Sets Hash Items tabs. They do not display by default. Keywords displays the Keywords tab in the Tree pane. It does not display by default. Machine Profiles displays the Machine Profiles tabs in the Tree pane, which include the Machine Profiles Home and Machine Profiles Allowed tabs. They do not display by default. Packages displays the Packages tab in the Tree pane. It does not display by default. Projects displays the Projects tab in the Tree pane. It does not display by default. SAFEs displays the SAFEs tabs in the Tree pane, which i
268. ed. The results are saved in the appropriate folder in the file system and, if requested, the results files are burned onto the disc in the default or specified directory. Note: The thread status line provides an indication of progress. Copying and Unerasing Bookmarks. You can Copy/UnErase bookmarked files as well. The process is the same whether copying single or multiple bookmarks. If the file was deleted and resides in unallocated space, the Copy/UnErase wizard tries to copy the entire unallocated space, since the data pertaining to the file resides there. 1. On the Bookmark Tree tab, select the desired bookmark folder. 2. In the Table pane, select the desired bookmarks. Right-click in the Table pane and select Tag Selected Files. The files associated with the deleted bookmarks are selected and consolidated on the Entries Table pane. Move to the Entries pane and in the Table pane right-click one of the selected files. Click Copy/Unerase. The File Selection page of the Copy/UnErase wizard appears. Continue the copy and unerase process at step 4 of Copying and Unerasing Files. The files associated with the selected bookmarks are copied and unerased. Copying Folders. [Screenshot: Tree pane tab bar (Bookmarks, Search Hits, Records, Devices, Secure Storage, Keywords) and Table pane tab bar (Table, Report, Gallery, Timeline, Code).]
269. ed, it is important to ensure the installed program is up to date. See the Downloads topic in the EnCase Enterprise Administration Guide for more information on obtaining software updates. Configuring Your EnCase Application. You can configure various aspects of the EnCase application according to your needs or preferences. These settings are used each time you start EnCase. You are not required to open a case. When a case is open, a Case Options tab displays in the Options dialog. To configure EnCase: 1. Click Tools > Options. The Options dialog appears. 2. Click the desired tab and change the settings as needed, then click OK. Note: Some changes made to the options settings take effect when you restart EnCase. Some take effect immediately. The Options dialog contains the following tabs: Case Options, Global, Colors, Fonts, EnScript, Programs, Storage Paths. The Case Options tab displays only when a case is open. Case Options Tab. The Case Options tab contains settings that apply to the open case. [Screenshot: Case Options tab with Name (Bonnie and Clyde), Examiner Name, Default Export Folder (C:\Program Files\EnCase6\Export), Temporary Folder (C:\Program Files\EnCase6\Temp) and Index Folder (C:\Program Files\EnCase6\Index).] Name contains the name of the case associated with the case options set on this tab
270. ...ed in the folder defined by the root path. The SAFE tree is based on SAFE files contained in the folder defined by the root path. Both types of files are found in the C:\Program Files\EnCase6\Keys folder. Moving these key files while the trees are displayed requires a refresh to update the trees. The Browse For Folder (Change Root Path) dialog lists the EnCase6 subfolders (Cache, Certs, Config, EnScript, EnScripts, Export, Hash Sets, Help, Index, Keys, License) with Keys selected. Path displays a tree to navigate to the folder containing the keys. Edit SAFE Dialog. The Edit SAFE dialog contains settings that define connections to the SAFE and enable remote login. Machine Name contains the IP address of the machine or subnet that constitutes the SAFE or SAFEs accessed using the named SAFE. Remote SAFE determines if communications with the node will be routed through the SAFE, so the SAFE stands between the client and the node. Enabling this setting allows you to provide a value for Inbound Port and to use its value when communicating with the remote SAFE. Inbound Port determines which port is used when communicating with the remote SAFE at the IP address specified in Machine Name. Attempt Direct Connection contains settin...
271. ...ed, this column is unpopulated. Full Path displays the file location within the evidence file; the evidence file name is included in the path. Short Name is the name Windows assigns using the DOS 8.3 naming convention. Original Path displays information derived from the INFO2 file for deleted files that are in the Recycle Bin. The path is where the deleted file was originally stored: the column is blank for undeleted files; the original location is shown for files in the Recycle Bin; for deleted and overwritten files it shows which file has overwritten the original file. Symbolic Link can provide links to directories or files on remote devices. Is Duplicate displays TRUE if the displayed file is a duplicate of another. Is Internal references hidden files the OS uses internally that are hidden from the user. Is Overwritten displays TRUE if the original file is deleted and its space is occupied by another file. Filters Pane Menu. Selecting a Filters pane menu tab displays filter features. The View menu lists App Descriptors, Archive Files, Cases, Encryption Keys, EnScript, EnScript Types, File Signatures, File Types, File Viewers, Hash Sets, Keywords, Machine Profiles, Packages, Projects, SAFEs, Text Styles, Cases Sub Tabs, Table Pane, View Pane and Filter Pane; the EnScript Filters table shows Name and Conditions columns.
272. ...efore you can create a file group bookmark, one of the following is required: the Entries tree must display in the Entries panel of the Tree pane, or the Records tree must display in the Records panel of the Tree pane. The Table pane right-click menu shown offers Copy/UnErase, Copy Folders, Bookmark Folder Structure, Bookmark Selected Items, Activate Single Files, Create Hash Set, Create Logical Evidence File, Mount as Network Share, Show Columns, Column, Sort, Select Item (Space) and Go to Parent (BkSp); the Bookmark Data dialog offers Bookmark Type (Search Summary, Case Time Settings, File Group) with Destination Folder, Comment and Create new bookmark folder. To create group file bookmarks: 1. For the files to be bookmarked, highlight the device or parent folder containing the files. 2. In either the Entries table on the Table pane or the Records table on the Table pane, select the files to be bookmarked. 3. Click Bookmark Data. The Bookmark Data dialog for files appears. 4. Accept the defaults or modify the values displayed on the Bookmark Data dialog. 5. Click OK. The file group bookmarks are placed...
273. ...eing previewed to see if it is live or write-blocked. 2. Perform any evidence analysis required to determine if a device should be acquired. 3. Once you have determined the device should be acquired, acquire it. Add Device Wizard. Use the Add Device wizard to add a device for later acquisition. The Add Device wizard includes the Sources page, the Sessions Sources page (optional), the Choose Devices page and the Preview Devices page. You must open a case before the Add Device wizard can be opened. Sources Page of the Add Device Wizard. You can select one or more types of sources on the Sources page of the Add Device Wizard. Local drives, a Palm Pilot or a network crossover connection can be used as a source device for subsequent previews or acquisitions. In addition to local devices, you can add folders intended to contain evidence files. Sessions opens the Sessions Sources page of the Add Device Wizard when Next is clicked. Sources Tree Pane organizes the device sources from which content is later previewed or acquired. Sources Root Object contains the child objects. The right-click menu displays commands for this object: you can expand or collapse objects in the Sources tree, and select various objects in the Sources tree. Local Object refers to local devices physically connected to the machine, which could include...
274. ...election is a default child of the Sources root object. It contains any evidence files added to the Sources tree during the prior session or invocation of the Add Device wizard. The next time the Add Device wizard is opened, the evidence files listed in the Current Selection folder are moved to this folder, and any evidence files listed before the move are removed from the folder. Once added, the evidence files continue to be used as sources until they are individually removed, regardless of whether they show in the selection folders. The right-click menu on this object lets you delete this object, rename this object, add a new folder as a child, and expand or collapse the subordinate tree. Any child objects of this object on the tree appear as entries on the Table pane. You can organize the children of this object hierarchically by dragging and dropping folders into each other. Table Pane displays the children of the currently selected object in the Sources tree as entries in the table. Right-click menu commands for this object let you copy an entry for use elsewhere (the copied entry cannot be pasted into the table), delete an entry, rename or edit an entry, and navigate to the parent object of the object containing the entry. Choose Devices Page of the Add Device Wizard. Once local devices are defined, a subset of those are selected here so they can be added to a case. Choose Device...
275. ...eme care. Note: Execute the Wipe Drive utility to remove all traces of any evidence files from a storage drive. To wipe a drive: 1. Click the Wipe Drive option on the Tools menu. The drive selector displays (Wipe Drive dialog with Sessions and Local Drives options). 2. Make initial selections and click Next. The Choose Devices screen displays. 3. Choose the device targeted for erasure and click Next. An options dialog displays. The Verify wiped sectors box is checked by default and the Wipe character is hex 00. If the box is checked, the Wipe Drive program reads each sector and verifies that the wipe character is written throughout. You can enter any hex value in the Wipe character field. 4. Click Finish. The Drives dialog opens with the warning "This will destroy all information on Device H, Label NO NAME" and a Continue box that asks you to type the word Yes. 5. Enter Yes in the Continue box and click OK. The drive is completely erased and overwritten with the specified hex string. Wipe Drive displays information about the disk and the operation (in the example: Status Completed; Start 10/12/06 11:51:32AM; Stop 10/12/06 11:52:10AM; Time 0:00:38).
276. ...en. To create a snapshot bookmark: 1. On the EnScript tree, expand the Forensic folder and double-click Scan Local Machine. The Options page of the EnScript wizard appears. 2. Enter a Bookmark Folder Name, select the desired modules and click Finish. A dialog specific to the selected EnScript program appears. 3. Complete the EnScript program-specific dialog and click OK. The Status Line shows the progress of the executing EnScript program. When the program finishes, the results appear in the Bookmarks display in the Tree pane and the Table pane. 4. See the resulting bookmarks by expanding the bookmark folder specified in step 2. Creating a Datamark as a Bookmark. EnScript programs can create datamarks and place them in any folder. When datamarks are placed in the Bookmark folder, they can be used to create a datamark and its associated tab panel containing data from the execution of the EnScript program. To create a datamark as a bookmark, do one of the following: in the Code panel on the Table pane, right-click on the code and click Run; or in the EnScript panel of the Filters pane, expand the tree a...
277. ...enc nsf (LOTUS Volume, Root Folder, Top of Information Store, Inbox). If the corresponding ID file cannot be parsed successfully, the Secure Storage is not populated with the data needed to parse the locally encrypted NSF; thus the Lotus volume is empty (the example shows the Entries tree with Single Files, the NSF file and an empty LOTUS Volume, and the Table pane reporting Empty File). CHAPTER 9: Analyzing and Searching Files. Signature Analysis 327; EnScript Programming Language 337; Hash Analysis 338; File Hashing 339; Hash Sets 340; Keyword Searches 343; Encode Preview 363; Indexing 365; Generating an Index 367; Searching for Email 369; App Descriptors 378; Encryption Support 381; EFS Files and Logical Evidence (L01) Files 399. Signature Analysis. There are thousands of file types; some of them are standardized. The Internation...
278. ...enter the address in the Machine field of the Exclude Machine group and click Exclude. 7. Click the Management tab and select Install servlet process. Note: You can also use this program to check for or stop servlet and SAFE processes. For information on how to use these features, see the EnCase Enterprise Administrator Manual. 8. Click Install Settings. The Install Options dialog contains Install if servlet process not found, Always Install, Windows Servlet Path (for example C:\Setup.exe), Linux Servlet Path, Command Line parameters, Verify installation and Retry failed deploys every N hours. 9. Complete the dialog as appropriate using the following functions: Install if servlet process not found only installs a servlet if one is not found; Always Install installs a servlet on all machines; Windows Servlet Path: enter or browse to the servlet location on your machine; Linux Servlet Path: enter or browse to the Linux servlet on your machine; Command Line parameters: enter any command line parameters you want to use in conjunction with the servlet; Verify installation verifies that the install completes successfully; Retry failed deploys controls how often the program tries to redeploy a servlet on a machine that failed. 10. Click OK. 11. Click on the Settings tab to set the output options. Machine Survey a...
279. ...ently selected folder object in the Sources tree. The right-click menu commands for this object let you delete the folder where you opened the right-click menu, delete folders selected in the tree, copy the entry where you opened the right-click menu, select the object on the tree that corresponds to the entry where you opened the right-click menu in the Table pane, and navigate to the parent of the object containing the entry where you opened the right-click menu in the Table pane. Sessions Sources Page of the Add Device Wizard. When Sessions is enabled, you can add evidence files to the Sources tree using the Add Text List dialog or the Add Evidence Files browser (the Sources tree shows Last Selection, Local Drives and Current Selection). Sessions opens the Sessions Sources page of the Add Device Wizard when you click Next. Add Text List opens the Add Text List dialog, which contains a list of paths to and filenames of evidence files to be added in batch to the Sources tree. Add Evidence Files opens the Add Evidence Files file browser, where you can enter the path to and the filename of an evidence file so the evidence file is added individually to the Sources tree. The following types of files can be added using this file browser: Evidence File (E01); SafeBack File (001); V...
280. ...ents, eliminating the need for security keys on client machines; however, you must still install the security key drivers for your SAFE machine. Before you begin, ensure your EnCase application is closed. To install your security keys: 1. Insert the installation CD-ROM. If autorun is enabled, the splash screen appears. Click the security key drivers link. Click Next when the HASP installation wizard displays. Click Finish when the installation is complete. Click Next when the summary displays. Insert the security key, and Windows will find the security key. Open the EnCase application. Note: If the security key is inserted before clicking Finish, the drivers will not be installed properly. Remedy this condition by reinstalling the driver with the security key removed. Troubleshooting Security Keys. Installation is usually trouble-free, but if there are problems with installation, go to the troubleshooting page at http://www.guidancesoftware.com/support/articles/articles.asp on our Web site. Navigate to the message board to research your problem. Obtaining Updates. Version 6 is the latest and most current version of the software suite. Updates containing new and upgraded features, however, are published on a regular basis. To protect your chain of custody and to ensure you have the latest updates, install...
281. ...enu. The Export Configuration screen displays. 8. Click Browse to specify the SDB file's storage location. 9. We recommend using the computer name as the SDB file name. 10. On the Export Configuration screen, select Include all users in the configuration, then click OK. An Export Configuration dialog displays. 11. Repeat steps 7 to 10 for all other computers you want to decrypt. Authentication: Modify the SDMCFG.INI File. Before performing an online authentication, modify the file from the SafeBoot server. 1. Open the SDMCFG.INI file with a text editor and, if the line exists, change the value of AuthType=1 to AuthType=0. If AuthType is set to 1, communication between the SafeBoot server and EnCase is encrypted and the online authentication process is hindered. 2. If the line does not exist in the file, enter AuthType=0 at the end of the file. SafeBoot Encryption Support (Disk Encryption). EnCase provides a way for you to view SafeBoot-encrypted hard drives during an investigation. This feature is only available to a user with an EDS cert enabled. Note: If no EDS cert is found, the physical device will mount, but the encrypted file structure cannot be parsed. Use EnCase to perform SafeBoot decryption as follows: 1. Use the Add Device Wizard to add the device or volume. 2. When prompted, select the appropriate encryption algorithm from the list, then enter a user name, server name, machin...
282. ...ep Enterprise 483; System Menu 61; T: Tab Right Click Menu 88; Table Pane 91, 525; Table Pane Menu 72; Table Pane Tabs 99; Table Tab Columns 102, 123; Technical Support 529; Temp Folder 525; Testing a Non-English Keyword 467, 550; Testing an EDB File 301; Text 401; Text Styles 455; The Console Tab 114; The Details Tab 114; The Doc Tab 111; The EnCase Installer 21; The Filter Pane and its Tab Bar and View Menu 75; The Hex Tab 110; The Main Window 60; The Options Dialog 154, 514; The Options Dialog Font Tab 454; The Output Tab 115; The Outputs Page of the Create Logical Evidence File 241; The Picture Tab 112; The Report Tab 113; The Table Pane and its Tab Bar and View Menu 7; The Text Tab 109; The Transcript Tab 112; The Tree Pane and its Tab and Sub Tab Menus 70; The View Pane and its Tab Bar and View Menu 73; Time Zone Example 173; Time Zone Settings 168; Timeline Tab 147; Toolbar 80, 508; Tools Menu 77, 509; Training 534; Tree Pane 89, 525; Tree Pane Tabs 99; Troubleshooting Security Keys 29; Turning Filters Off 136; Turning On Encode Preview 358; Types of Acquisitions 193; Types of Entries 178; U: Unicode 525; Unicode Fonts 455; Uninstalling the Examiner 26; Updating the Database 258; Users Right Click Menu 158; Using a Case 167; Using a Folder to Organize a Bookmarks Report 415, 424, 425; Using a Package...
283. ...er Name (Not Needed If Using NT Authentication): Specify a user name. If you set up the ODBC connection to use NT Authentication, it remembers your user name so you do not need to enter it manually. Enter Password (Not Needed If Using NT Authentication): Like your user name, you must specify a password to gain access to the database. If you set up the ODBC connection to use NT Authentication, it remembers your password so you do not need to enter it manually. DB Timeout Interval (minutes): Specify how long you want to wait before a DB timeout occurs. This indicates how long the program waits before assuming the connection is bad; the default is 5 minutes. Show Queries in Console: Check this box to produce comments on what is happening behind the scenes. Database Name: Since a database management system can house many databases, you must specify the one you want to use. 2. Click OK. The Snapshot DB Reports dialog opens (with a Time Between Queries (Minutes) field, default 0). 3. Select the check box for the reports you want to generate. 4. Click OK to begin generating the report. Using the Snapshot DB Reports Dialog. This dialog lists reports generated from the database snapshot. You can add or modify reports, as well as export reports to a file or import them from a file. Items: This list box contains information on reports alrea...
284. ...er applies appear in the Condition column. In this case we ran a filter looking for files that had any date before 21 September 2006. You can change the date and time in these files. After the filter is run, the Table view shows only the matching entries (in the example: MachineKeys, user.dmp and Pbk) under the MySelectedFiles filter. Column numbers are changed, but the selected file names and the condition name appear as in the picture above. To return to the original display, click the MySelectedFiles tab to change the sign shown on it. All original files reappear, with the filter in the field displayed on only those files which meet the parameters. To hide the filter name, select the Display tab and change its sign. Importing Conditions. You can import conditions created by others. To import a condition filter someone else has written: 1. Right-click in the Condition pane. 2. Select Import. 3. Navigate to or enter the path where the filter is located and click OK. Exporting Conditions. Export filters to share them with other users. The Export dialog offers Tree For Import, Fields (Name, Filter), Only Checked Rows, Start, XML Formatted and Output File (export.xml). To export a filter from...
285. ...eration. The Console tab indicates diagnostic information as the index progresses, for example: Info Index: Script started; Info Index: Indexing device Bonnie and Clyde; Info Index: Indexed 12 files (115,560 bytes); Info Index: All files were indexed successfully; Info Index: Script completed in 0 seconds. Searching for Email. The program's search engine can search various types of email artifacts. This includes mail from Outlook (.pst, Outlook 2000 and 2003), Outlook Express (.dbx), Exchange (.edb, 2000 and 2003), Lotus Notes (.nsf, 5, 6, 6.5 and 7), AOL, MBOX and Thunderbird. 1. In the Search dialog, select the desired Email Search Options (the dialog offers Search for email, Outlook PST (use initialized size), Outlook Express DBX, Exchange EDB, Lotus NSF, AOL, MBOX, alongside the Keyword Search Options, Hash Options and Additional Options groups). 2. Click Start. Note: In addition, click...
286. ...es for the folder structure; the progress bar indicates which pass is currently running. The recovered folder structure is placed under the virtual Recovered Files folder. Recovering UFS and EXT2/3 Partitions. EnCase applications use a different method for recovering deleted files and folders that have no parent in UFS and EXT2/3 partitions. When you preview a computer or add an evidence file containing one of these partitions to your case, a gray folder called Lost Files is automatically added to the tree in the Entries tab as a child of each partition. In the Master File Table (MFT) in NTFS, all files and folders are marked as a folder or file and as belonging to a parent. The files within a folder are that folder's children. If you first delete the files, then delete the folder, and then create a new folder, the originally deleted files can be lost: the new folder's entry in the MFT overwrites the deleted folder's entry. The original parent folder and its entry in the MFT are overwritten and gone. Its children, however, were not overwritten, and their entries are still in the MFT. As with NTFS, with UFS and EXT2/3 partitions the application parses the MFT and finds those files that are still listed but have no parent directory. All of these files are recovered and placed into the gray Lost Files folder. Recovering Folders from a Formatted Drive. If the evidence file shows a logical volume but has...
287. ...estigation. If not, the analysis can be redefined and performed again. Panes as Separate Windows. The individual panes that appear in the main window can be displayed in separate windows. In the main window, each pane has a drag handle. You can drag the pane outside the main window, and the pane will appear in a secondary window. Once three panes are dragged from the main window, the remaining pane does not display a drag handle and remains associated with the main window. The panes cannot be dragged back into the main window. Refreshing the view displayed in the main window places all the panes back in the main window in their usual location. Figure 9: Panes appearing as secondary windows, showing the Tree pane, Table pane and Filter pane as separate windows. The View pane appears in the main window, where the Reset view command is selected from the View menu. The Reset view command puts the panes appearing in separate windows back into the main window.
288. ...et up the ODBC connection to use NT Authentication, it remembers your password so you do not need to enter it manually. DB Timeout Interval (minutes): Specify how long you want to wait before a DB timeout occurs. This indicates how long the program waits before assuming the connection is bad; the default is 5 minutes. Show Queries in Console: Check this box to produce comments on what is happening behind the scenes. Database Name: Since a database management system can house many databases, you must specify the one you want to use. Maintaining the Database. 1. Run the Initialize Database EnScript. The Initialize Database dialog opens (with Database Source Options and Maintenance Options tabs; the latter offers No Maintenance, Delete All Records and Delete Records Older Than). 2. Select the Maintenance Options tab to run basic cleaning maintenance on the database itself, including deleting database records, and fill in the various fields or check the appropriate box. No Maintenance: Use this option if you want to initialize the database (selected by default). Delete All Records: Once a database is created, select this option to delete the entire contents of the database, but not the database itself. Delete Records Older Than: You can automatically schedule cleaning the database by selecting this option. With this option selected, the followin...
289. ...etails. The Bookmark Data dialog lists Data Type entries (ISO Latin, RTL Unicode, ISO Latin Colors, Low Bit ASCII, Unicode, Unicode Text, Non-Unicode, and the RTL 40, 60, 80, 100, 120 and RTL FTP text styles) beside a Destination Folder tree rooted at Bookmarks; the sample View pane shows right-to-left Arabic text. To bookmark non-English language text: 1. Display the text in the View pane. 2. Sweep or select the desired text, then right-click and click Bookmark Data. The Bookmark Data dialog appears. 3. Enter a Comment. 4. Select the desired text style in Data Type. The content appears w...
290. ...ete. The right-click menu shown offers Delete, Delete All Selected (Ctrl+Delete), Export, Tag Selected Files (Ctrl+Shift+T), Tag File (Ctrl+T), View Search Hits, Bookmark Selected Items, Show Excluded, Show Deleted, Exclude (Ctrl+E), Exclude All Selected (Ctrl+Shift+E), Show Columns, Column, Sort, Select Item (Space) and Go to Parent (BkSp). Selecting the latter displays the Exclude All Selected dialog, with Start From set to either Root Folder (2 items) or Current Folder (2 items). 2. Select the appropriate option and click OK. The selected files are temporarily deleted. Note: Viewing the report shows the concatenated results. Filters. Filters are EnScripts that modify what data are displayed. Note: There are different types of filters available depending on the tab chosen on the Tree pane. For example, the filters available for search hits are different from those available for entries. Several filters exist for filtering out objects of little or no interest to an investigation. Filters do not remove these objects from the case; they simply hide them from the Table pane. The Filter pane allows investigators to run, create, edit or delete filters, conditions and queries. The Conditions tab allows the user to build filters by simply specifying parameters (the Filters tree in the example includes Search File Permissions (Windows) entries).
291. ...ete. The right-click menu shown offers Delete, Delete All Selected (Ctrl+Delete), Exclude (Ctrl+E), Exclude All Selected (Ctrl+Shift+E), Export, Tag File (Ctrl+T), View Search Hits, Bookmark Selected Items, Show Columns, Column, Sort, Select Item (Space) and Go to Parent. 3. Select Exclude. The Tree display reappears, but the excluded folder is marked with a red X (in the example, the Graphics folder under Jay's Bookmarks > Pipe Bomb Data). The associated Table view is also marked as deleted (Bookmark entries File Report, HTML Carver, Snapshots and Highlighted Data). Show Excluded. Excluded bookmarks are not deleted; they are merely hidden from view. It is possible to display them again if necessary. You can show excluded files from the Tree pane, the Table pane, or from the Show Excluded tool on the top toolbar. Regardless of the method you select, the steps are similar. 1. In the Tree pane, select and right-click a folder. This dropdown menu displays: Edit (Enter), Add Note (Insert), Delete (Delete), Delete All Selected (Ctrl+Delete), Adjust Rows, Export, Tag File (Ctrl+T), Encode Preview, Summary, Bookmark, Exclude (Ctrl+E), Exclude All Selected (Ctrl+Shift+E), Show Excluded, Rename (F2)...
292. ...ets. This allows an investigator to enter, search and locate words written in Japanese, Arabic or Russian, for example. Keyword hits and the document display in the original language. 1. Select the Code Page tab on the New Keyword dialog. A list of supported language sets appears, with Code Page Name, Valid and Code columns and a Code Page Preview; here the Arabic Code Page is checked. The first entries are: Arabic (Windows) 1256; Baltic (DOS) 775; Baltic (ISO) 28594; Baltic (Windows) 1257; Central European (DOS) 852; Central European (ISO) 28592; Central European (Mac) 10029; Central European (Windows) 1250; Croatian (Mac) 10082; Cyrillic (DOS) 866; Cyrillic (ISO) 28595; Cyrillic (KOI8-R) 20866. 2. Return to the Search Expression tab of the dialog and enter the keyword. Perform a search as usual.
293. ...evious Tab (Ctrl+Shift+Tab), Next Tab (Ctrl+Tab), Auto Fit and Reset view. The menu that appears above the Filter pane shows the same tab options (EnScript, Hits, Filters, Conditions, Queries, Text Styles). These are described here. Clicking a tab changes the contents of the Filters pane as follows: EnScript displays an EnScript tree menu; Filters displays all available filters; Conditions displays all available conditions; Display shows filters, conditions and queries that are running; Queries displays a tree menu of available conditions; Text Styles provides access to available text styles. View Pane Tabs. The View pane tabs display different representations of the entries selected in the Table pane. When the type of view is appropriate for the selected entry in the Table pane, the View pane tab is enabled. The View pane accesses the following tabs: Text, Hex, Doc, Transcript, Picture, Report, Console, Details, Output. The tabs on the View pane cannot be closed. The tab bar for the View pane also contains controls specific to the View pane. These controls include Lock, which prevents the tab from changing...
294. ex tab contains a representation consisting of an address, the numeric byte values, and the text representation of those numeric byte values. (Figure: the Hex tab, with the Tree pane listing the volume's top-level folders and the View pane showing a hex dump in address, byte value and text columns.)
The Text Tab
The Text tab shows the highlighted file as ASCII text. (Figure: the Text tab showing a file whose text includes Canon PowerShot G2 camera metadata.)
295. (Figure: a webmail message rendered in the View pane, with its From, To, Subject and Date header fields visible.)
Search Hits Report
Keyword searches require good reports. Sometimes found keywords are a significant part of a case. There are several permutations of keyword search reports. Run a standard keyword search.
1 Click Search Hits. The four pane display shows results of the search. (Figure: the Search Hits view, with the Tree pane listing keyword folders such as Email Addresses, Web Addresses, IP Addresses, Credit Cards, Phone Numbers and Dates with 4 digit years, and the Table pane listing the hits.)
296. fter (Figure: the Bookmarks tree and table, showing entries such as Search Summary, Case Time Settings and Logs and the File Finder and Local Machine folders; a table entry is right-clicked and dragged into a folder.)
To move a table entry into a folder using the right-click drag method:
1 Right-click and drag the desired entry into the desired folder.
2 Drop the entry on the folder and click Move Here. The entry is moved to the folder on the tree and removed from the table.
Moving a Table Entry or Folder into a Folder Using the Drag Method
(Figure: the Bookmarks tree and table before and after dragging an entry into a folder.)
1 Drag the desired entry or folder into the new parent
297. fying the same output file. The keys for each user are appended to this output file.
Acquire a device with CREDANT encrypted files, or load an evidence file into the Case. The Enter Credentials dialog displays, prompting you for only the Username, Password, Server/Offline Server File, Machine ID, and Shield CREDANT ID (SCID) information.
Note: In Offline mode, the only information you must provide is the Password and Server/Offline Server File (the full path and filename of the .bin file downloaded using the CEGetBundle.exe utility).
When EnCase decrypts CREDANT encrypted files, the key information is placed in Secure Storage in EnCase and saved with the case. You do not have to re-enter this information.
Enabling the Forensic Administrator Role on the CREDANT Server
To enable the Forensic Administrator role on the server, you must change settings as described below. These instructions assume that the CREDANT installation folder is C:\Program Files\CREDANT.
1 Enable the Web interface for EnCase to download the encryption keys.
a Open C:\Program Files\CREDANT\CMG Enterprise Edition\Device Server 1.2\conf\context.properties.
b Make sure the forensic method is enabled: service.forensic.enable=true. Stop and restart the device server from the Start menu: click Start > CMG EE Device Server > Stop Device Server Service, then Start Device Server Service.
2 Add the Forensic Administrator role.
a
298. g 270
Evidence File 520
Evidence File Time Zones 170
Examiner 520
Exchange Server Synchronization 299
Exclude File Bookmarks 431
Exclude Files 128, 355, 357
Exclude Folder 432
Excluding Bookmarks 431
Excluding Search Hits 127
Expand All 116
Export Folder 520
Export Keywords 345
Export to .msg 370
Exporting a Machine Profile from the SafeBoot Server 380
Exporting a Report 448
Exporting Conditions 144
Exporting Filters 137
Exporting to .msg 370
Extracting Email 366
F
FastBloc 521
FAT, HFS and CDFS Time Zone Specifics 172
File Allocation Table (FAT) 521
File Group Bookmarks 397
File Hashing 335
File Menu 62
File Mounter 488
File Selection Page of the Copy/UnErase Wizard 27
File Signature 521
File Signatures 324
File Signatures with Suffixes 325
File Slack 521
File Viewer Features 288
File Viewers 288
Filter Pane 521
Filter Pane Menu 76
Filtering Effects in Table Pane 94
Filters 129
Filters Pane 93
Filters Pane Menu 105
Find 148
Fitting Columns to Data 125
Folder Information Structure Bookmarks 397
Font 521
Fonts Tab of the Options Dialog 36
Forensic EnScript Code 484
G
Gallery Tab 146, 314
General Time Zone Notes 172
Generating an Index 362
Generating Reports on the Database 262
Getting Ready to Acquire the Co
299. (Figure: the Code Page settings of the Text Style dialog: the Unicode, Unicode Big Endian and Other options and the Code Page list of supported code pages with their Name and Code, beginning with the Arabic, Baltic and Central European entries.)
Code Page contains settings that determine the code page type used in the text style.
Unicode specifies Little Endian Unicode. If UTF-7 or UTF-8 is used, select Other, not Unicode.
Unicode Big Endian specifies Big Endian Unicode.
Other lets you select from the Code Page list.
Code Page List contains a list of supported code pages.
Configuring Non-English Language Support
Non-English language support involves:
- Configuring individual interface elements
- Creating and applying text styles used on the Text and Hex tabs
- Creating non-English keywords
- Creating non-English search terms
- Bookmarking non-English text
- Viewing Unicode files
- Using code pages
Configuring Interface Elements to Display
300. g options become active and configurable.
Days specifies the age of a record you want to delete. For example, selecting 1 means you want to delete records at least one day old.
Run Maintenance Daily: this check box runs the cleaner every day at the specified hours and minutes.
Updating the Database
1 Run the Snapshot To DB EnScript. You will be required to log into a SAFE. When you successfully log in, this dialog opens. (Figure: the "Select the Role and Machine Name or IP" dialog. Under "Choose The Role You Want To Assume", the SAFE tree lists the roles with their Total Connections, Active Connections, Connections To Use, Remediation Allowed, Snapshot Allowed and SAFE Version values. Below it are the Network Tree button and a text box with the instruction "Enter IP addresses or machine names on separate lines. Enter ranges on separate lines and delimit the start and stop address with a dash", followed by examples such as localhost, 192.168.5.5, 192.168.0.16-192.168.0.64 and 192.168.1.1-192.168.3.255.)
This is where you:
- specify the nodes you want to scan
- take a snapshot
Choose the Role You Want to Assume: in the tree, select the specific role you want to use when connecting to the nodes. Be sure to select a valid Role to enable the Next button.
Click Network Tree to open a dialog where you can select nodes added to the role via SAFE.
Lower text box under Network Tree: manually enter IP addresses, hostnames and ranges here.
Valid ranges
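The node-list syntax of the text box described above (one IP address or machine name per line, ranges written as a dash-delimited start and stop address) is easy to get wrong by hand, so here, as an added example that is not EnCase's or Guidance Software's own code, is a Python parser that validates such a list and expands the ranges before they are submitted. Skipping blank lines, the machine-name check and the cap on range size are this example's own assumptions, not documented behaviour of the SAFE dialog.

```python
import ipaddress
import re
from typing import List, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Node = Union[Address, str]  # an expanded address, or a machine name kept as a string

# Upper bound on how many addresses a single range may expand to. This is an
# assumption of this example, not a documented limit of the SAFE dialog.
MAX_RANGE_SIZE = 65_536

# Machine names: dot-separated labels of letters, digits and hyphens that do not
# start or end with a hyphen (RFC 1123 style), so "localhost" and "dc-01" pass.
_HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def _parse_range(line: str) -> Optional[Tuple[Address, Address]]:
    """Return (start, stop) when the line is 'START-STOP' with two addresses.

    Returns None when the line is not a range at all (a machine name such as
    "dc-01" also contains a dash); raises ValueError for a malformed range.
    """
    if "-" not in line:
        return None
    start_text, _, stop_text = line.partition("-")
    try:
        start = ipaddress.ip_address(start_text.strip())
        stop = ipaddress.ip_address(stop_text.strip())
    except ValueError:
        return None
    if start.version != stop.version:
        raise ValueError(f"mixed IPv4/IPv6 range: {line!r}")
    if int(stop) < int(start):
        raise ValueError(f"range stop precedes start: {line!r}")
    if int(stop) - int(start) + 1 > MAX_RANGE_SIZE:
        raise ValueError(f"range expands to more than {MAX_RANGE_SIZE} addresses: {line!r}")
    return start, stop


def parse_node_list(text: str) -> List[Node]:
    """Parse the text box contents: one address, machine name or range per line.

    Ranges are expanded to every address between start and stop inclusive, so
    192.168.1.1-192.168.3.255 yields addresses across three /24 blocks.
    """
    nodes: List[Node] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are skipped (assumption)
        bounds = _parse_range(line)
        if bounds is not None:
            start, stop = bounds
            family = type(start)  # keep IPv6 ranges IPv6 even for small integers
            nodes.extend(family(n) for n in range(int(start), int(stop) + 1))
            continue
        try:
            nodes.append(ipaddress.ip_address(line))
            continue
        except ValueError:
            pass
        if _HOST_RE.match(line):
            nodes.append(line)
        else:
            raise ValueError(f"line {lineno}: not an address, range or machine name: {line!r}")
    return nodes


def count_nodes(text: str) -> int:
    """Number of individual nodes the list resolves to after range expansion."""
    return len(parse_node_list(text))


# Constructed sample input, built from the example entries shown in the dialog.
SAMPLE_NODE_LIST = """localhost
192.168.5.5
192.168.0.16-192.168.0.64
192.168.1.1-192.168.3.255
"""

if __name__ == "__main__":
    nodes = parse_node_list(SAMPLE_NODE_LIST)
    print(f"{len(nodes)} nodes, from {nodes[0]} to {nodes[-1]}")  # 818 nodes
```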
301. ge displays. (Figure: a dialog listing drive letters, with the message "Invalid Drive type".)
HBGary Responder does not support analyzing Windows Vista memory dumps.
CHAPTER 14 Using EnCase Tools
- Toolbar 516
- Tools Menu 517
Toolbar
The toolbar contains icons for the most frequently used EnCase functions. When you open EnCase in acquisition mode, only the New, Open, Print and Refresh icons display in the toolbar. When you open a case, the Add Device icon displays. There is a corresponding menu command for each toolbar icon. When the toolbar is wider than the main window, the toolbar wraps to another line. Some of the icons are enabled only when they are useful, such as Print and Refresh. The panes and the tabs in the toolbars also display context-dependent icons accessed from right-click menus.
New opens the Case Options wizard for defining a new case.
Open displays a dialog for opening an existing case.
Print opens the Print dialog.
Refresh updates a list or table to reflect changes in the file system.
Save opens the Save dialog.
Add Device opens the Add Device wizard.
Search opens the Search dialog so you can search evidence associated with the case.
Othe
302. gs that determine what kind of connection is made to the specified SAFE.
None should be enabled when the target system cannot establish a connection with an EE client. Then all traffic is redirected through the SAFE server. This can increase communication times; however, it provides the investigator with the ability to obtain data that is otherwise not available.
Client to Node (Local) should be enabled when the client (Examiner) and the node (servlet) reside on the same network and the SAFE resides on a different network. This allows data to transfer directly from the node to the client after the client successfully authenticates through the SAFE. Also, the client will use the IP address that the node believes it has rather than the IP address the SAFE has for the node. In this configuration the network should be designed so that all the company's employees are located on the Corporate Desktop Network and should employ routing (NATing).
Client to Node (SAFE) enables NAT, where a private IP address is mapped to a public IP address. Typically the SAFE and node reside on the same subnet and the client on another. This allows data to transfer directly from the node to the client after the client successfully authenticates through the SAFE. The client also uses the IP address that the SAFE believes the node has rather than the IP address the node reports it has, to allow a direct connection between the client and node machine. This option is enabled b
303. h. A comprehensive Internet history search differs from a regular Internet search. Specially tagged keywords are added internally and the software takes a different code path than a regular search. In this comprehensive search, EnCase examines the entire device, including file slack and unallocated space, for specific markers that indicate Internet artifacts. The basic Internet history search parses known file types for Internet artifacts. The latest version of EnCase software and either Windows XP or 2000 must be installed.
Begin an unallocated space search the same way you begin a regular search.
1 Select Comprehensive Search in the Search dialog. Selecting Search for Internet History at the same time, as shown in the figure, performs a regular Internet history search in addition to the exhaustive search. (Figure: the Search dialog with its Keyword Search Options, Email Search Options, Hash Options and Additional Options sections.)
304. hat tabs appear in the Table pane. The Table, Report and Code tabs appear in almost all contexts. Entries that involve time can appear in a Timeline tab. Where image content is involved, the Gallery tab is among the tabs that display.
Figure 19: Tabs that display in the Table pane, as determined by the Tree tab displayed in the Tree pane. Gray values mean that tab is available for use; white values mean that the tab is not available for use. (The figure is a table whose columns are the Table pane panels Table, Report, Gallery, Timeline and Code, and whose rows are the selected Tree pane panels: App Descriptor (Home, Properties), Archive Files, Cases (Home; Entries; Bookmarks; Search Hits; Records; Devices; Secure Storage; Keywords), Encryption Keys, EnScript, EnScript Types, File Signatures, File Types, File Viewers, Hash Sets, Keywords, Machine Profiles, Projects, SAFEs (Home, Network, Roles, Users, Events) and Text.)
305. he Domino administrator. Encryption of the local mailbox is not mandatory, but it is advisable because without encryption a person familiar with the NSF file structure could read email without needing Lotus Notes. Encryption occurs at block level.
Determining Local Mailbox Encryption
Look in the header (the first 0x400 bytes) at offset 0x282. If the byte is 0x1, the mailbox is locally encrypted. (Figure: a hex view of the NSF header around offsets 0x240 to 0x2D0.)
Parsing a Locally Encrypted Mailbox
1 Obtain the corresponding ID file from the Domino server. All user ID files are backed up on the server, either on disk as a file or in the Domino directory as an attachment to email.
2 Parse it using View File Structure so that the private key is inserted in Secure Storage. (Figure: the Entries right-click menu: Export, Copy/UnErase, Bookmark Data (Ctrl+B), Activate Single Files, Create Hash Set, View File Structure, Go To Overwriting File, Copy (Ctrl+C), Show Columns, Column, Sort, Select Item (Space), Go to Parent (BkSp).)
Encrypted Block
The example below shows an encrypted block at offset 0x22000. (Figure: a hex dump of the encrypted block, starting at address 0x02C8CB44.)
306. The Output Tab
Use the Output tab to obtain output from various EnScript programs. (Figure: the Output tab showing an EnScript message reporting that a MainClass could not be found.)
Navigating the Tree Pane
The Tree pane presents a structured view of all gathered evidence in a Windows-like folder hierarchy. Use the structured view when exploring Entries, Bookmarks, Search Hits, Keywords and other views of evidence. You can add folders to the structure to suit your working requirements. Note that some folders have a plus sign next to them. Clicking the plus sign opens the folder and displays its contents. (Figure: the Entries tree for the Hunter XP evidence, with the Documents and Settings folder expanded to show All Users, Bob Hunter, Default User, LocalService and NetworkService.)
In the figure above, the Documents and Settings folder is expanded to show the five folders it contains. Note that the symbol next to the open folder is a minus sign, indicating the folder is expanded.
Opening and Closing Folders with Expand/Contract
Use the Edit menu or right-click in the Tree pane to use Expand/Contract to o
307. he Table Pane 122
Showing Columns 123
Hiding Columns 125
Auto Fitting Columns 125
Fitting Columns to Data 125
Resetting Columns 126
Setting a Lock on Columns 126
Excluding Search Hits 127
Exclude Files 128
Filters 129
Creating a Filter 130
Editing a Filter 131
Running a Filter 132
Combining Filters 134
AND/OR Filter Logic 135
Changing Filter Order 135
Turning Filters Off 136
Deleting a Filter 137
Importing Filters 137
Exporting Filters 137
Conditions 138
Creating Co
308. he email .dbx file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice that the icon for the compound email file looks like a disk drive and no compound volume indicator is added to the icon after it is parsed.
Viewing MS Outlook Email
The process of mounting Outlook .pst files is identical to that of Outlook Express, as previously described. When EnCase applications mount an Outlook .pst file, messages are viewable by clicking on the PR_Body file and selecting the Text tab in the View pane. Because the text is likely Unicode, apply a Unicode text style to make it easier to read.
When expanded, the top level (or top root) of the .pst file directory contains multiple folders, including:
- Inbox props (properties)
- Message store (storage containing the PR_PST_PASSWORD file and other IDs)
- Name to id map
- Root folder
The Root folder contains:
- Search Root (reserved for future use)
- Top of Personal Folders (containing the Inbox, Sent Items and Deleted Items)
Each .pst email message file appears as a folder, with all message properties within the folder as well as any attachments. Many of the fields within the .pst mail folder are duplicated, which is part of the .pst format. If a keyword is a match within a certain field, it is duplicated in the secondary field as well. Created, written and modified date
309. he text field. This text will appear in the filter column of the Table pane when a file meets this criteria.
- Change the color element by clicking Text Color or Frame Color, then double-click the Background and Foreground colors, then click OK.
3 Choose Filter or Condition.
4 Select the filter or condition from the list.
5 Enter text into the text field. This text will appear in the filter column of the Table pane when a file meets this criteria.
6 Change the Color element by clicking Text color or Frame color, then double-click the Background and Foreground colors, then click OK.
7 In the New Display dialog, repeat Step 4 as often as required.
Note: The filters and conditions shown here will not hide rows that do not match the requirements of the selected filters. These selections simply adjust how the matches are indicated in the interface.
8 In the Conditions for showing items pane, right-click Combinations and select New.
9 In the New Combination dialog, select filter or condition, then select the filter or condition from the list and click OK.
Note: You do not need to enter the same filters or conditions here as entered in the Display settings for shown items pane.
10 Repeat Step 7 as many times as needed.
Note: This is the logic for hiding rows. If, for example, an item matches a filter from the Display settings for shown items pane but it does not match the logic in the
310. hen LEFs are verified, the stored hash value of the file is compared to the entry's current hash value.
- If the hash of the current content does not match the stored hash value, the hash is followed by an asterisk. If no content for the entry was stored when creating the LEF but a hash was stored, the hash is not compared to the empty file hash.
- If no hash value was stored for the entry when creating the LEF, no comparison is done and a new hash value is not populated.
Raw Image Files
Raw image files contain a collection of files but lack the integration of metadata and compression hash values that the EnCase evidence file provides. Before raw image files can be acquired, they must be added to a case. The Linux dd command is typically used to produce raw image files. Raw image files can be acquired and added to a case. During acquisition, the raw image file can be hashed and compressed. Once acquired, raw image files are incorporated into an EnCase evidence file.
Single Files
Individual files can be added to the case once Activate Single Files is selected. Any file type supported by an EnCase application can be added to a case. You can do this through the interface or through drag and drop. When files are added, they appear in the view pane. You can add a folder containing files to a case. This can only be done using drag and drop. When you add folders, the folders appear in the entries tree and the entries table. The individua
311. hine. For instance, if a file is saved at 3 p.m., the time stored is 3 p.m. There is no time zone associated with 3 p.m. when the time is stored. Setting the time zone at the device or volume level identifies the time zone in which the recorded times occurred. When the evidence is added to the program, it is assumed to be in the investigator's local time. Modifying the device level does not change times, because the device time zone associates a time zone only to the times stored.
Time Zone Example
- The target computer has an HFS in New York (-5 GMT).
- The file is created at 3 p.m. The stored time in the computer is 3 p.m.
- The drive is imaged and the investigator writes that the computer displayed the correct local time.
- An investigator in California opens the evidence file. The EnCase program initially assigns a time zone to the device level of -8 GMT, since that is the time zone setting of the West Coast investigator's machine. The time still displays 3 p.m., because EnCase software knows the stored time is 3 p.m. and the local time zone of the examiner is -8 GMT.
Open a Case
Open a case to continue analysis or to review a case.
1 Select File > Open. (Figure: the File menu: New, Open (Ctrl+O), Save (Ctrl+S), Save As, Save All (Ctrl+Shift+S), Print, Printer Setup, Add Device, Add Raw Image, Exit (Alt+F4), followed by a recently opened case file entry.)
312. (Figure: the EnScript debugger variable view, listing objects such as MainClass, CaseClass, NameListClass, the dialog, StreamClass, DateClass and EntryClass with their sizes and values.)
Help for EnScript Modules
The Case Processor, Sweep Enterprise and Scan Local Machine screens contain a Help button or Help section for each available module. (Figure: the help for the EnCase File Report module.)
EnScript File Mounter
The File Mounter program catalogs the contents of selected compound files, for example zip files. This produces a listing of the items in the compound file, not the actual file contents. The program duplicates the structure of compound files into Log Record bookmarks. You define the types of files to process and the criteria. You can select file types by file extension or signature. You can choose to mount them persistently, leaving them mounted after the conclusion of the EnScript program, or non-persistently. The non-persistent option returns them to their unmounted state when the EnScript File Mounter program completes. Other options include:
- The ability to create a Logical Evidence File (L
313. his is used correctly, it can be as powerful as a hand grenade. Also light this in the correct place or else it could make your life miserable. The report is retained.
Email Report
Email records are created when you perform an email search. Perform an email search as described in the Creating a Report Using the Report Tab chapter.
1 Select View > Case Sub-Tabs > Records. A display of the Tree and Table panes appears. The Tree pane data shows the records and the Table pane displays the records' contents. The figure shows the contents of Hunter XP. (Figure: the Records tree and table for Hunter XP, listing .dbx mailboxes such as Folders.dbx, Billy.dbx, Hotmail Sent Items.dbx, Outbox.dbx, Hotmail Deleted Items.dbx, Deleted Items.dbx, 3do software tools.dbx, Hotmail Bank Information.dbx, Bank Information.dbx and Hotmail Inbox.dbx under the chaser1191 account folders.)
314. history (Comprehensive Search).
Selected items only runs a search for items limited to the files, folders, records or devices that you checked.
Search entries and records for keywords executes a keyword search when checked. When unchecked, other checked functions are performed but the keyword search is not. This allows you to run a signature analysis or a hash analysis without running a keyword search. This option also enables:
- Selected keywords only
- Search entry slack
- Use initialized size
- Undelete entries before searching
- Search only slack area of entries in Hash Library
Selected keywords only restricts the number of keywords used during the keyword search to the number of keywords specified (shown in Number of Keywords).
Search entry slack searches the slack area between the end of logical files and the end of their respective physical files.
Use initialized size searches only the initialized size of an entry, as opposed to the logical or physical size.
Note: Initialized size is only pertinent to NTFS file systems. When a file is opened, if the initialized size is smaller than the logical size, the space after the initialized size is zeroed out. Thus, searching the initialized size searches only data a user would see in a file.
Undelete entries before searching undeletes deleted files prior to searching.
Search only slack area of entries in Hash Library is used in c
315. hows the concatenated results.
Show Deleted Files
Excluded files are not deleted. They are merely hidden from view. To see them again, select the Show Excluded function.
Note: Deleted files are stored in a temporary buffer until the file is closed, at which time the buffer and deleted files are erased.
Exclude a number of files. To review excluded files:
1 Click Show Excluded. Deleted files reappear in both the Table pane and in the Report pane.
Encode Preview
Encode Preview lets you apply text encoding to the Preview column on the Bookmarks and Search Hits tabs. This feature allows non-English alphabet bookmarks and search hits to display properly in the Preview column.
Turning On Encode Preview
The Preview column displays certain non-English languages as plain text by default. When this happens, the text appears as a string of symbols that have no bearing on the actual text representation. Turning on Encode Preview displays the actual text using the proper characters. Change the Fonts > Tables option to a Unicode font that supports the characters you intend to display. Arial Unicode MS is recommended because of the breadth of the characters included.
1 Open an evidence file and click Text or Hex in the View pane. The document appears. (Figure: the Text tab displaying non-English text.)
316. ick Start > Control Panel > Regional and Language Options. The Regional Options tab of the Regional and Language Options dialog appears.
2 In Standards and formats, select the desired language.
3 Select the Advanced tab. The Advanced dialog appears.
4 In Code page conversion tables, check the desired code page.
5 Click OK. The keyboard is mapped to the selected non-English language.
Entering Non-English Content without Using Non-English Keyboard Mapping
Windows provides a character map so you can enter non-English character strings without remapping the keyboard. (Figure: the Windows XP Start menu with the All Programs and Accessories submenus open, alongside the installed EnCase versions.)
317. ide.
2 Click Edit Source. The filter source appears in the Table pane. (Figure: the Table pane with the Code tab selected, listing the filters Deleted Files, Differing Initialized Size, Find files between any dates and NewFilter, and showing the EnScript source of the selected filter: a MainClass with DateClass, NameListClass and DialogClass members whose dialog prompts "Show files with any date on or after", "Show files with any date on or before" and "Dates to filter on", and sets UserCancel when the dialog is cancelled.)
Note: The Table pane menu shows the Code icon selected, the text editor's menu highlights the filter you are editing, and the scroll bars allow you to maneuver in the display.
3 Edit commands as needed. Filter behavior changes.
Running a Filter
Running a filter against a set of evidence files produces data that conform to the filter's parameters. Open a case file and select folders to search.
1 Run a filter by clicking Select All (the home plate) on the evidence fol
318. Figure: Options page of the Acquisition wizard, showing Evidence Number, Notes, File Segment Size (MB) 640, Compression (None; Good: slower, smaller; Best: slowest, smallest), Burn Disc, Start Sector and Stop Sector, Password and Confirm Password, Block size (sectors) 64, Error granularity (sectors) 64, Generate image hash (checked), Quick reacquisition, Read ahead, Output Path (a .E01 file) and Alternate Path.

To define how the EnCase evidence file is built and output:
1. Accept the default values, or enter or select alternative values. Block size is the number of sectors read per request; when a read error occurs, the unreadable data is zero-filled in units of Error granularity sectors, so a smaller granularity preserves more of the readable data around a bad sector at the cost of slower acquisition of damaged media.
2. Enter an Evidence Number and Notes.
3. If a hash has not been requested yet and one is desired, check Generate image hash. The hash is computed over the data as acquired (including any zero-filled sectors), which is what later verification of the evidence file compares against.
4. If you might run out of storage space where you are storing the acquired device, specify additional storage by browsing to or entering a path and filename in Alternate Path.
5. Click Finish. The acquisition starts and the Thread Status Line appears at the bottom right corner of the main window, displaying the status of the thread performing the acquisition. You can cancel the acquisition during processing (see Cancelling an Acquisition).
6. When the Acquisition Results dialog displays a status of Finished, select Console, Note or Log Record.
7. Click OK. The Acquisition Results dialog closes and the acquisition is complete.

Canceling an Acquisition
You can cancel an acquisition while it is running. After canceling, the acquisition can be restarted. If, however, the acqu...
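The following Python model, added here as an example and not taken from EnCase or its documentation, shows what the Options-page settings do to the data that ends up in the evidence file: reads in blocks of Block size sectors, fallback to Error granularity sized reads with zero-fill on error, splitting into File Segment Size pieces, and the acquisition hash over exactly the bytes written. The device is a constructed in-memory image with one unreadable sector; the E01 container itself is not produced, only its payload behaviour.

```python
"""Added example: a model of the Options-page settings (block size, error
granularity, segment size and the acquisition hash).  Illustrative code for
this page, not EnCase's acquisition engine; the device is constructed."""
import hashlib
import io

SECTOR = 512  # bytes per sector; block size and granularity are in sectors


def acquire(read_sector, total_sectors, block_size=64, error_granularity=64,
            segment_bytes=None):
    """Read a device through read_sector(n) -> SECTOR bytes (raises OSError on
    a bad sector).  Returns (segments, md5_hex, zeroed_ranges).

    A block of block_size sectors is read in one call.  If that fails, the
    block is re-read in groups of error_granularity sectors and every group
    containing an unreadable sector is replaced by zeros, so the image keeps
    its size and the hash covers exactly the bytes written."""
    if error_granularity > block_size or block_size % error_granularity:
        raise ValueError("error granularity must divide the block size")

    def read_group(start, count):
        end = min(start + count, total_sectors)
        try:
            return b"".join(read_sector(s) for s in range(start, end))
        except OSError:
            return None

    md5 = hashlib.md5()
    image = io.BytesIO()
    zeroed = []
    for block in range(0, total_sectors, block_size):
        data = read_group(block, block_size)
        if data is None:                       # fall back to finer reads
            pieces = []
            block_end = min(block + block_size, total_sectors)
            for group in range(block, block_end, error_granularity):
                n = min(error_granularity, block_end - group)
                chunk = read_group(group, n)
                if chunk is None:
                    chunk = bytes(n * SECTOR)  # unreadable: zero-filled
                    zeroed.append((group, group + n))
                pieces.append(chunk)
            data = b"".join(pieces)
        md5.update(data)
        image.write(data)

    payload = image.getvalue()
    if segment_bytes is None:
        segments = [payload]
    else:                                      # the File Segment Size split
        segments = [payload[i:i + segment_bytes]
                    for i in range(0, len(payload), segment_bytes)]
    return segments, md5.hexdigest(), zeroed


def verify(segments, expected_md5):
    """Re-hash the reassembled segments, as a later verification would."""
    return hashlib.md5(b"".join(segments)).hexdigest() == expected_md5


def make_device(total_sectors, bad=frozenset()):
    """Constructed sample device: sector n is filled with byte n % 256 and
    the sectors listed in `bad` raise an I/O error."""
    def read_sector(n):
        if n in bad:
            raise OSError(f"I/O error at sector {n}")
        return bytes([n % 256]) * SECTOR
    return read_sector


if __name__ == "__main__":
    dev = make_device(256, bad={70})
    segs, h, zeroed = acquire(dev, 256, block_size=64, error_granularity=8,
                              segment_bytes=32 * 1024)
    print(len(segs), "segments, hash", h, "zeroed sector ranges", zeroed)
    print("verified:", verify(segs, h))
```

With granularity 8 only sectors 64 to 71 are lost around the bad sector 70; with granularity 64 the whole 64-sector block is zeroed, and the two images hash differently even though the same device was read.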
319. ...idence file and whether dates should be converted to a single time zone.
Search summary: contains search results, times and keywords for a particular case.
Note: Case time settings bookmarks and Search summary bookmarks are created automatically.

Highlighted Data Bookmarks
The highlighted data bookmark, also known as a sweeping bookmark or a text fragment bookmark, can be used to show a larger expanse of text. This bookmark type is created by clicking and dragging across text, hex, doc or transcript content in the View pane.

Notes Bookmarks
The notes bookmark gives the investigator a great deal of flexibility when adding comments to a report. This bookmark has a field reserved only for comment text and can hold up to 1000 characters. It also offers formatting options: italics, bold, changing the font size, and changing the indent of the text.

Folder Information/Structure Bookmarks
Use folder information bookmarks to bookmark folder structures or devices. By bookmarking a folder structure, the entire directory structure of that folder and its children can be shown within the report or bookmarked for later analysis. Individual devices, volumes and physical disks can be bookmarked as well; this shows important device-specific information in the final report.
Note: This type of bookmark is useful for marking directories that contain unauthorized documents, pictures and applicati...
320. ...if the file type of the file selected in the Table pane changes. By default, the View pane displays the appropriate tab for the type of file selected in the Table pane. This behavior is overridden when Lock is selected: the currently displayed tab type is retained even if the type of the selected file changes. For example, if you lock the View pane with the Picture tab in view and then select entries in the Table pane that do not contain images, the Picture tab may show nothing.
Codepage determines whether the detected code page, rather than the default code page, is used in tabs that display text.
Selected/Total displays the number of entries selected as a fraction of the total number of entries available in the current case.

The context established by selecting an entry in the Table pane determines what content is displayed in the View pane. The View pane displays the content of one entry from the table: while several entries can be blue-checked in the Table pane, only one entry can be highlighted at a time.

Figure 21: View pane context, where (1) the Table pane contains a table in which only one entry can be (2) highlighted for further exploration in (3) a tab of the View pane; (4) checking table entries does not drive the content displayed in the View pane tab; the representation of the highlighted content is chosen when you (5) select the desired View pane tab; (6) the H...
321. ...ightmost column is hidden.

Viewing More Rows
View more pictures in the Gallery by increasing the number of displayed rows:
1. Right-click in the Gallery tab.
2. Select More Rows.

Viewing Fewer Rows
View fewer pictures in the Gallery by decreasing the number of displayed rows:
1. Right-click anywhere in the Gallery.
2. Select Fewer Rows.

Timeline Tab
The Timeline is a great resource for looking at patterns of file creation, editing and last-accessed times. You can zoom in to a second-by-second timeline and zoom out to a year-by-year timeline by right-clicking and selecting the appropriate option.
Figure: Timeline tab showing a calendar grid; above it are the check boxes Written, Accessed, Modified, Deleted and File Acquired that select which type of time stamp is displayed.
Clearing one or more of these boxes changes the timeline presentation. Bear in mind that the value of each stamp depends on the source system: for instance, Windows Vista and later do not update NTFS last-accessed times by default, so an absence of Accessed activity is not evidence that files were not opened.

Modifying the View Pane
The View pane provides display-specific functionality for items selected in the Table pane.
Copy
You can copy data in the Text and Hex tabs. You can also copy RTF from a report so it can be pasted into an external program that accepts RTF input. In e...
322. Figure: Bookmarks table listing File Group, Highlighted Data and Note bookmarks (with their sizes) under a bookmark folder, together with the Excluded column.
Note: The Excluded column of the display shows which files are excluded and which are not.

CHAPTER 11 Reporting
Reporting 443
Creating a Report Using the Report Tab 444
Creating a Report Using Case Processor 456

Reporting
The final phase of a forensic examination is reporting findings. Organize and present reports in a way the target audience understands. Formatting and presentation considerations should be made when the evidence is first received. EnCase software is designed to help mark and export findings so the final report is generated quickly. The software provides several methods for generating a report. Some investigators prefer to break up the final report into several sub-reports in a word processing program, with a summary report directing the reader to the contents. Others create paperless reports on a compact disc, using a hyperlinked summary of the sub-reports and supporting documentation and files.

Creating a Report Using the Report Tab
Creating reports is usually one of the last tasks performed when investigating a case. With the EnCase application you can create re...
323. ...ime of analysis.
Examiner
Export Folder: A general destination folder in which to place data copied from the evidence file.
FastBloc: A collection of hardware write blockers and one software write blocker.
File Allocation Table (FAT): A file system used primarily in DOS and Windows operating systems. There are several variants designed to cope with larger devices: FAT12 is usually used for removable media, whereas FAT16 was initially used on hard drives. FAT16 has a 2 GB volume size limit, so FAT32 was introduced for larger hard drives. FAT32 has in turn been superseded by the New Technology File System (see NTFS), which is the recommended file system for Windows 2000 and later.
File Signature: Identifying byte sequences (headers), published by bodies such as the International Organization for Standardization (ISO) and the ITU Telecommunication Standardization Sector (ITU-T) among others, that identify specific file types. Unlike the extension, the signature does not change when a file is renamed, so comparing the two (signature analysis) exposes files whose extension has been altered to disguise them.
File Slack: The area between the end of a file and the end of the last cluster or sector used by that file. The file system cannot allocate this area to another file, so file systems using smaller clusters utilize disk space more efficiently. Forensically, slack matters because it may still contain fragments of whatever was stored in those sectors before.
Filter Pane: The Filter pane is typically located in the lower-right quadrant of the four-pane display. It provides access to EnScript programs, filters, conditions and queries. See also Tree Pane, View Pane and Table Pane.
Font
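The two glossary entries File Signature and File Slack describe checks an examiner performs constantly, so here is an added Python example (not EnCase code) that computes slack from a file's logical size and the volume's cluster size, and compares a file's header signature with its extension. The signature table is a small constructed subset; EnCase's own File Types table is far larger, and the alias list is an assumption for this example.

```python
"""Added example (not from the EnCase guide): file-slack arithmetic and a
signature-versus-extension check over a small constructed signature table."""

SIGNATURES = {          # header bytes -> file type (constructed subset)
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
# extensions that legitimately share a signature with the canonical type
EXT_ALIASES = {"jpg": "jpeg", "jpe": "jpeg", "dll": "exe", "sys": "exe",
               "docx": "zip", "xlsx": "zip", "jar": "zip"}


def file_slack(file_size, cluster_size, sector_size=512):
    """Return (ram_slack, drive_slack, total_slack) in bytes.

    ram slack   - from the end of the data to the end of the last sector
                  (Windows NT-family systems zero-fill it on write);
    drive slack - the remaining whole sectors up to the end of the last
                  cluster, never written for this file and therefore the
                  part that may hold earlier data."""
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a multiple of the sector size")
    used = file_size % cluster_size
    if file_size == 0 or used == 0:          # no partially used cluster
        return 0, 0, 0
    ram = (-file_size) % sector_size
    total = cluster_size - used
    return ram, total - ram, total


def detect_type(data):
    """Return the type whose header bytes start `data`, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def signature_check(data, filename):
    """Compare the header signature with the extension.  Returns
    (detected_type, verdict) with verdict 'match', 'mismatch' or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    kind = detect_type(data)
    if kind is None:
        return None, "unknown"
    return kind, ("match" if kind == ext else "mismatch")


if __name__ == "__main__":
    print(file_slack(1000, 4096))                          # (24, 3072, 3096)
    print(signature_check(b"MZ\x90\x00\x03", "notes.txt"))  # ('exe', 'mismatch')
```

A 1000-byte file on a 4 KiB-cluster volume leaves 24 bytes of RAM slack and six untouched sectors of drive slack; an executable renamed to .txt is reported as a mismatch because its MZ header survives the rename.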
324. ...in a new order. Because all filters are selected, and thus active, all will be run; the order in which they run, however, is changed. In the first example below, Selected Files Only runs first, while in the second example it runs second.
Figure: Display tab of the Filter pane listing (1) Selected Files Only, (2) Deleted Files and (3) Yahoo Mail Pages, each checked, with default text and frame colors; and the same list reordered as (1) Deleted Files, (2) Selected Files Only, (3) Yahoo Mail Pages.

Turning Filters Off
There are several ways to turn off or disable filters. You can toggle the Query icon to alternate between the filtered list and the unfiltered one; this is an all-or-none toggle. When you have more than one filter or condition in the Display tab of the Filter pane, deselecting a filter modifies the Table view to show only files that result from the still-checked items. For example, the list in the next example shows three active filters, Selected Files Only, File Extension and Deleted Files, but File Extension is unchecked.
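The filter editing and running steps earlier on this page and the stacking, reordering and unchecking described here can be modelled in a few lines. The Python below is an added example, not EnCase's own code or EnScript: each filter is a predicate over an entry (as an EnScript filter's Main() effectively is), the Display-tab check box is an `enabled` flag, and the "Find files between any dates" filter is reimplemented over the Created, Written, Accessed and Modified fields. The entries and dates are constructed sample data.

```python
"""Added example, not EnCase code: stacked filters as applied from the
Display tab, including a reimplementation of 'Find files between any dates'."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional


@dataclass
class Entry:
    name: str
    selected: bool = False       # blue-checked in the Table pane
    deleted: bool = False
    created: Optional[datetime] = None
    written: Optional[datetime] = None
    accessed: Optional[datetime] = None
    modified: Optional[datetime] = None


@dataclass
class Filter:
    name: str
    include: Callable[[Entry], bool]   # True keeps the entry
    enabled: bool = True               # the check box in the Display tab


DATE_FIELDS = ("created", "written", "accessed", "modified")


def files_between(after, before, fields=DATE_FIELDS):
    """Predicate equivalent to 'Find files between any dates': keep an entry
    if any of the chosen date fields falls within [after, before]."""
    def include(e):
        return any(getattr(e, f) is not None and after <= getattr(e, f) <= before
                   for f in fields)
    return include


def run_filters(entries, filters):
    """Apply every enabled filter in list order; an entry must pass all of
    them.  Since each filter only removes entries, reordering changes which
    filter does the bulk of the pruning (and the order any filter dialogs
    appear in), not the final set."""
    result = list(entries)
    for f in filters:
        if f.enabled:
            result = [e for e in result if f.include(e)]
    return result


SAMPLE = [  # constructed entries
    Entry("report.doc", selected=True, created=datetime(2006, 3, 1),
          written=datetime(2006, 9, 20)),
    Entry("old.bak", selected=True, deleted=True, created=datetime(2004, 1, 5)),
    Entry("photo.jpg", selected=False, created=datetime(2006, 9, 1)),
    Entry("tmp.dat", selected=True, deleted=True, accessed=datetime(2006, 2, 14)),
]

YEAR_2006 = files_between(datetime(2006, 1, 1), datetime(2006, 12, 31, 23, 59, 59))


def names(entries):
    return [e.name for e in entries]


def demo():
    """Returns the Table view with Deleted Files unchecked, then checked,
    then with the same three filters run in reverse order."""
    filters = [
        Filter("Selected Files Only", lambda e: e.selected),
        Filter("Deleted Files", lambda e: e.deleted, enabled=False),
        Filter("Find files between any dates", YEAR_2006),
    ]
    deleted_off = names(run_filters(SAMPLE, filters))
    filters[1].enabled = True
    deleted_on = names(run_filters(SAMPLE, filters))
    reordered = names(run_filters(SAMPLE, list(reversed(filters))))
    return deleted_off, deleted_on, reordered


if __name__ == "__main__":
    print(demo())
```

Unchecking Deleted Files widens the view to every selected 2006 entry; checking it again narrows the view to the selected, deleted 2006 entry, and reversing the filter order leaves that result unchanged.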
325. ...in the Bookmarks table of the Table pane.

Creating a Log Record Bookmark
Log record bookmarks are created by a process status dialog (for example, the Acquisition or Search Results dialog) that allows its content to be saved in a log record. Before you can create a log record bookmark, a process results dialog must be open.
Figure: Acquisition Results dialog with Status: Completed, Start and Stop times, elapsed Time, Name (Disk Image), Path (an .E01 file under C:\Program Files\EnCase6), GUID, Acquisition Hash and the Console, Note and Log Record options; beneath it the Bookmarks table lists the Search Summary and Case Time Settings bookmarks.
To create a log record bookmark:
1. On the process results dialog, select Log Record.
2. Click OK. A Logs entry appears in the Bookmarks table in the Table pane.

Creating a Snapshot Bookmark
Snapshot bookmarks are created by various EnScript programs.
Note: Before you can create a snapshot bookmark, display the EnScript panel in the Filter pane.
326. ...inated outside an EnCase application, reacquiring it results in the creation of an EnCase evidence file containing the content of the raw evidence file. You can move EnCase evidence files into a case even if they were acquired elsewhere; this does not require a reacquisition. Just drag the files from Windows Explorer and drop them on the Sessions Sources page of the Add Device wizard. You may also want to reacquire an existing EnCase evidence file to change the compression settings or the file segment size.

Reacquiring an Evidence File
Before you begin:
- Your EnCase application is open.
- The file to be reacquired is included in the case.
- The case has been opened.
Figure: After Acquisition page of the Acquisition wizard.
To reacquire an evidence file:
1. In the Tree pane, click Cases > Entries > Home. The Entries tree appears in the Tree pane.
2. Right-click the device to be reacquired and click Acquire. The After Acquisition page of the Acquisition wizard appears.
3. Perform the acquisition (see Specifying and Running an Acquis...
327. ...inekeys
Contract All
You can close an entire tree with one menu click. If one or more folders are expanded beneath the highlighted item, the entire tree is contracted. Contract the entire tree by opening the Edit menu, then click Contract All. The hierarchical tree contracts and displays the highlighted item only.
Edit menu entries and keys: Expand/Contract (Space), Expand All, Set Included Folders (Num), Include Sub Folders (Shift+Num), Include Single Folder (Ctrl+Num).

Displaying Tree Entry Information for One Branch
Highlighting is one of three ways to choose items in the Tree pane. Highlighting an item in the tree displays its contents in the Table pane.
Figure 22: Highlighting a tree entry, where (1) is the highlighted item, (2) are folder objects contained in the highlighted item in the Tree pane, and (3) are items contained in the highlighted item enumerated in the Table pane. The example shows the Entries tree of a Windows volume with Documents and Settings expanded: the Administrator profile (Application Data, Cookies, Desktop, Favorites, Local Settings, My Documents, NetHood, PrintHood, Recent, SendTo, Start Menu, Templates), the All Users, Default User, LocalService and NetworkService profiles and several named user profiles.
328. ...ing Tools > GSI > Webmail Parser specifically searches for Netscape, Hotmail and Yahoo web mail.

Web Mail Parser
Web mail, including Netscape, Hotmail and Yahoo web mail, can be searched. Open a case that is thought to contain webmail.
1. Select Tools > GSI > Webmail Parser. The Webmail Parser options dialog appears, listing the Webmail Types (Netscape Web Mail, Hotmail Web Mail, Yahoo Web Mail) and a Run on selected Files Only option.
2. Select the webmail types for collection. Optionally, the search can be run only on selected files. The search status ("Parsing webmail", with elapsed time) displays on the status bar.
3. Click the Records tab. The Tree pane displays a list of discovered files, grouped into Netscape, Hotmail and Yahoo folders.
4. Open a folder to view its contents in the Table pane. Each row shows the name of the recovered cached HTML page and, where present, its Subject (in the example, compose and main-entrance pages alongside messages about fake IDs).
5. To view the data in the Report pane, select a file and click Report.
329. ...ing XML Formatted exports filters in XML format.
3. Check the Export Tree field as in the figure.
4. Navigate to or enter the path where the filter is to be written and click OK.
Note: By default, the Output File text field contains a file named export.txt. This can be changed, and a complete export path can be entered or navigated to.

Conditions
Conditions are similar to filters: they limit Table pane content. Several conditions already exist and, like filters, they vary depending on the chosen Tree tab. The first figure below shows the display when the Conditions tab is selected: condition folders for Files, Email, Examinations, References, File Extents, General Conditions (Filter by Date, Filter by Size), Hash Conditions, Print Spool Files, Signature Conditions and Permissions Conditions.

Creating Conditions
To create a new condition, right-click a folder in the Conditions tab of the Filter pane and select New. The new-condition dialog has Conditions, Filters and Source Code tabs.
Note: To use a filter inside a condition, create the filter first by clicking the Filters tab and creating it. Once created, click the Conditions tab and the filter appears in the properties list.
To create a condition:
1. Enter a name in the Name field.
2. Right-click Main on the co...
330. ...ing bookmarks are edited with the Edit Folder dialog.

Edit Highlighted Data Bookmarks Dialog
Use this dialog to edit highlighted data bookmarks. It contains a Comment field, a Data Type tree (Text: Do not Show, High ASCII, Low ASCII, Hex, Unicode, ROT 13 Encoding, HTML, HTML Unicode; Picture; ...) and the bookmarked content, with the path of the source entry shown beneath.
Comment contains text describing the bookmarked content.
Data Type contains the data type of the bookmarked content. Selecting a different data type does not alter the content of the bookmark, only how it is displayed.
Content contains the highlighted data that was bookmarked. Note: You cannot edit this field.

Edit Note Bookmarks Dialog
Use this dialog to edit notes bookmarks. It contains the Notes text, a Show in report check box and Formatting controls (Bold, Italic, Increase font size in points, Increase text indent in quarter inches).
Notes contains text describing the bookmarked content. A note can contain up to 1000 characters.
Show in report: when checked, the content of the note bookmark appears in the Report tab of the Table pane.
Formatting contains controls for formatting all characters in the note. Bold makes all content bold; Italic makes all content italic; Increase font size sets the font size of al...
331. ...ing the Acquisition wizard.

Specifying and Running an Acquisition
This completes creation of an EnCase evidence file.
Before you begin: open the After Acquisition page of the Acquisition wizard.
Figure: After Acquisition page of the Acquisition wizard.
To specify and run the acquisition:
1. As needed, change the default settings on the After Acquisition page, as described in Completing the After Acquisition Page of the Acquisition Wizard.
2. Click Next. If you selected Search, Hash and Signature Analysis, the Search page of the Acquisition wizard appears. Otherwise, the Options page of the Acquisition wizard appears.
3. If the Search page appeared, as needed:
   - Change the default settings on the Search page, as described in Completing the Search Page of the Acquisition Wizard.
   - Click Next. The Options page of the Acquisition wizard appears.
4. As needed:
   - Change the default settings on the Options page, as described in Com...
332. ...ing the EnCase Interface 111

The Doc Tab
The Doc tab of the View pane uses Oracle Outside In technology to display text in its native format. This viewer technology provides application software developers with high-fidelity document viewing, without having to use the native applications, for more than 390 file formats on Windows platforms. Because these viewers parse untrusted content from the evidence, keep the examiner workstation patched and isolated from the network, as you would for any tool that opens suspect files.
Figure: View pane tab bar (Text, Hex, Doc, Transcript, Picture, Report, Console, Details) with the Doc tab rendering a spreadsheet of account entries (account type and name, entry date, quantity, order, balance, debit and credit amounts).

The Transcript Tab
The Transcript tab uses Oracle Outside In technology to extract text from a file that contains more than text. The Transcript tab displays plain text content pulled from its non-plain-text native format. This makes it especially attractive for creating sweeping bookmarks inside files that are not normally stored as plain text, such as Excel spreadsheets.
Figure: The same spreadsheet in the Transcript tab, reduced to its text: the Microsoft Excel application name, column headings (ACCT TYPE, ACCT NAME, ENTRY DATE, QTY, ORDER, REG BALANCE, DEBIT AMOUNT, CREDIT AMOUNT, ..., COMMENTS, BEG MONTH BAL, MONTH END BAL, BEG YEAR BAL, YEAR END BAL) and rows of values.
333. ...ion Using LinEn 51
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) 54
Acquiring a Disk Running in Direct ATA Mode 54
Mode Selection 55
Doing a Crossover Cable Preview or Acquisition 56
Hashing the Subject Drive Using LinEn 58
CHAPTER 5 Navigating the EnCase Interface 59
The Main Window 60
System Menu 61
File Menu 62
(title illegible in source) 63
(title illegible in source) 64
View Menu 66
The Tree Pane and its Tab and Sub-Tab Menus 70
The Table Pane and its Tab Bar and View Menu 71
Table Pane Menu 72
The View Pane and its Tab Bar and View Menu 73
View Pane Menu 74
The Filter Pane and its Tab Bar and View Menu 75
Filter Pane Menu 76
(title illegible in source) 76
Tools Menu ...
334. ...ion available in Windows 2000, Windows XP and Windows 2003 Server. The information needed to rebuild the configuration resides at the end of the disk rather than in a registry key; therefore each physical disk in this configuration contains the information necessary to reconstruct the original setup. EnCase applications read the Dynamic Disk partition structure and resolve the configurations based on the information extracted. To rebuild a Dynamic Disk configuration, add the physical devices involved in the set to the case and, from the Cases tab, right-click any one of the devices and choose Scan Disk Configuration. If the resulting disk configurations seem incorrect, you can edit them manually via the Edit command in the Devices tab.

Hardware Disk Configuration
Hardware disk configurations can be acquired:
- as one drive
- as separate drives
Both RAID 5 and RAID 10 can be acquired.

Disk Configuration Set Acquired as One Drive
Unlike software disk configurations, those controlled by hardware keep the necessary configuration information in the controller card's BIOS. Because the disk configuration is controlled by hardware, EnCase cannot reconstruct the configuration from the physical disks alone. However, since the information needed to rebuild the set is held by the controller, the computer with the controller card sees a hardware disk configuration as one virtual drive reg...
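What "reconstructing the configuration from the physical disks" amounts to, once the set's parameters are known, is shown by the added Python example below. It is not EnCase code and the layout it assumes (RAID 5, left-asymmetric parity rotation, a fixed stripe size, member order as given) is an assumption for the example: real controllers vary in stripe size, rotation, disk order and on-disk metadata, which is exactly why a hardware set cannot be rebuilt from member images without the controller's parameters. The logical volume and member images are constructed; `raid5_split` exists only to build that test data, an examiner only ever holds the member images.

```python
"""Added example (not EnCase code): rebuilding a RAID 5 set from separate
member-disk images, with one member missing, under an assumed layout."""
from functools import reduce
from operator import xor


def xor_bytes(*bufs):
    """XOR equal-length byte strings (the RAID 5 parity operation)."""
    return bytes(reduce(xor, column) for column in zip(*bufs))


def parity_disk(row, ndisks):
    """Assumed left-asymmetric rotation: parity on the last disk for row 0,
    moving one disk to the left on each following row."""
    return (ndisks - 1) - (row % ndisks)


def raid5_split(volume, ndisks, stripe):
    """Lay a logical volume out across ndisks member images (used here only
    to construct sample member images)."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three members")
    row_bytes = stripe * (ndisks - 1)
    volume += bytes((-len(volume)) % row_bytes)        # pad the last row
    members = [bytearray() for _ in range(ndisks)]
    for row, off in enumerate(range(0, len(volume), row_bytes)):
        chunks = [volume[off + i * stripe: off + (i + 1) * stripe]
                  for i in range(ndisks - 1)]
        p = parity_disk(row, ndisks)
        data = iter(chunks)
        for d in range(ndisks):
            members[d] += xor_bytes(*chunks) if d == p else next(data)
    return [bytes(m) for m in members]


def raid5_rebuild(members, stripe):
    """Reassemble the logical volume from member images.  At most one entry
    of `members` may be None (a missing or unreadable disk); its contents are
    regenerated row by row from the parity of the others."""
    ndisks = len(members)
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 tolerates only one missing member")
    present = [m for m in members if m is not None]
    size = len(present[0])
    if any(len(m) != size for m in present) or size % stripe:
        raise ValueError("member images must be equal in size and stripe-aligned")
    out = bytearray()
    for row, off in enumerate(range(0, size, stripe)):
        chunks = [None if m is None else m[off:off + stripe] for m in members]
        if missing:
            chunks[missing[0]] = xor_bytes(*(c for c in chunks if c is not None))
        p = parity_disk(row, ndisks)
        for d in range(ndisks):
            if d != p:                   # parity chunks are not volume data
                out += chunks[d]
    return bytes(out)


if __name__ == "__main__":
    sample = bytes(range(256)) * 8              # constructed 2 KiB volume
    disks = raid5_split(sample, 3, 128)
    disks[1] = None                             # simulate a failed member
    print(raid5_rebuild(disks, 128) == sample)  # True
```

If the rebuilt volume does not show a recognisable partition table or file system, the stripe size, rotation or member order is wrong; try the alternatives before concluding the data is damaged.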
335. ...irectory
- logging on to a remote SAFE
- additional commands that expand or collapse the SAFEs tree
SAFE Objects provides additional functionality through a right-click menu, such as:
- editing the settings of the SAFE
- changing the root directory
- logging on to a remote SAFE

SAFE Right-Click Menu
The SAFE right-click menu provides additional functionality: Edit (Enter), Update (Ctrl+U) and Change Root Path.
Edit opens the Edit SAFE dialog, where SAFE settings are defined and remote logons are enabled.
Update refreshes the Users tree display. When a user's private key is added to the default C:\Program Files\EnCase6\Keys folder (or any other folder specified by the current root path), the tree does not immediately display the new user. The new user appears when the wizard is opened again or when the Users tree is updated.
Use the Change Root Path command to specify a folder other than the default that contains users' private keys. Specify the root path in the Browse for Folder dialog. The Users tree then contains only those users whose keys are in the folder specified as the new root path. Because this folder holds private keys, restrict its file system permissions to the examiner accounts that need them.

Browse for Folder Dialog
Use this dialog to change the root path used in the Users tree and the SAFE tree, that is, the path to the folders containing keys for users or SAFEs. The default path is C:\Program Files\EnCase6\Keys. The Users tree is based on the private keys contain...
336. ...is and it sent debris 20 feet in every direction. Place on the engine block of car to destroy it. Try electric detonation with an electric match. Put iron bits in the black powder to make it lethal. Remember: If this is used correctly it can be as powerful as a hand grenade. Also light this in the correct place or else it could make your life miserable.
Note: To set the In Report value for multiple items, select several in the Table pane and then follow the sub-step in step 2. The report containing the bookmarked content and the metadata about the bookmarks can now be viewed.

Customizing a Report
You can customize a report using the Edit Bookmark Folder dialog.
Note: Any bookmarks that will appear in the report must be in the same folder in the Bookmarks tree.
To customize a report:
1. Right-click the folder containing entries for the report.
2. Select Edit. The Edit Folder dialog appears.
3. Using the Fields list, double-click each field in the order you want it to appear in the report. Each field is moved to the Format list.
4. Enter any label text needed. The text appears in the Format list.
5. Cut and paste the text and fields as needed. Once the content of the Format list is correct, click OK.
6. On the Table pane, click Report. The report appears with its customized contents.

Excluding Bookmarks
Hiding all or parts of the listing is cal...
337. ...is checked. This captures the time zone you want to use with your case.

Evidence File Time Zones
Use the Time Properties dialog to set the time zone for each evidence file.
Figure: Time Properties dialog. The Time Zone list runs from (GMT-06:00) Saskatchewan through (GMT-07:00) Arizona, Chihuahua/La Paz/Mazatlan (New and Old) and Mountain Time (US & Canada), (GMT-08:00) Pacific Time (US & Canada) and Tijuana/Baja California, (GMT-09:00) Alaska, (GMT-10:00) Hawaii and (GMT-11:00) Midway Island/Samoa to (GMT-12:00) International Date Line West. With Pacific Time selected, Details shows for 2006: Time Zone Bias 480, Daylight Bias -60, Standard Bias 0, Daylight start Sunday, week 1 of month 4, hour 2, Standard start Sunday, week 5 of month 10, hour 2; and for 2007: Time Zone Bias 480, Daylight Bias -60, Standard Bias 0. Below is the Use single DST offset (2006, 2007) check box.
The features of the Time Properties dialog are:
Time Zone List captures the time zone the subject device was set to.
Details provide the rules used for the time zone selected in the Time Zone list. Biases are in minutes and are added to local time to obtain UTC: a bias of 480 is UTC-8, and the daylight bias of -60 is applied on top of it while daylight saving time is in effect. The rules listed here are populated using Dynamic Daylight Saving Time, which requires that your computer is properly patched in order to use the new DST rules described above.
Use Single DST Offset specifies not to use Dynamic DST and...
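The values in the Details box are Windows time zone rules (bias, daylight bias and "week N of month" transition dates), and applying them is what turns an evidence file's timestamps into the local times the Table pane displays. The Python below is an added example, not EnCase's conversion code: it implements those rules with Windows' own semantics (the daylight transition is compared in local standard time, the standard transition in local daylight time, so the repeated hour in autumn resolves to standard time), and models the Use single DST offset option by applying one year's rules to every year. The 2006 Pacific rules are the ones the dialog shows; the 2007 rules are the US rules in force from 2007. All timestamps are constructed.

```python
"""Added example, not from the guide: Windows-style time zone rules applied
to UTC timestamps.  UTC = local + bias (minutes); the daylight bias is added
while daylight saving time is in effect."""
import calendar
from datetime import datetime, timedelta

# (month, week, weekday, hour): week 5 means "last", weekday 6 is Sunday
PACIFIC_RULES = {
    2006: ((4, 1, 6, 2), (10, 5, 6, 2)),   # first Sun Apr 02:00 -> last Sun Oct 02:00
    2007: ((3, 2, 6, 2), (11, 1, 6, 2)),   # second Sun Mar 02:00 -> first Sun Nov 02:00
}


def nth_weekday(year, month, week, weekday, hour):
    """Resolve a 'week N of month' rule to a datetime (week 5 = last)."""
    days = calendar.monthrange(year, month)[1]
    matches = [d for d in range(1, days + 1)
               if datetime(year, month, d).weekday() == weekday]
    return datetime(year, month, matches[min(week, len(matches)) - 1], hour)


class WindowsTimeZone:
    def __init__(self, bias, daylight_bias, rules_by_year, single_dst_offset=False):
        self.bias = bias                    # minutes, e.g. 480 for Pacific
        self.daylight_bias = daylight_bias  # minutes, e.g. -60
        self.rules = rules_by_year
        self.single = single_dst_offset     # "Use single DST offset"

    def rules_for(self, year):
        years = sorted(self.rules)
        if self.single:                      # one rule set for every year
            return self.rules[years[0]]
        applicable = [y for y in years if y <= year] or years[:1]
        return self.rules[applicable[-1]]    # latest rules not after `year`

    def to_local(self, utc):
        """Convert a naive UTC datetime to local time under these rules."""
        standard = utc - timedelta(minutes=self.bias)
        daylight = standard - timedelta(minutes=self.daylight_bias)
        start_rule, end_rule = self.rules_for(standard.year)
        # Windows semantics: DaylightDate is compared in local standard time,
        # StandardDate in local daylight time.
        start = nth_weekday(standard.year, *start_rule)
        end = nth_weekday(daylight.year, *end_rule)
        in_dst = start <= standard and daylight < end
        return daylight if in_dst else standard


PACIFIC = WindowsTimeZone(480, -60, PACIFIC_RULES)
PACIFIC_SINGLE = WindowsTimeZone(480, -60, PACIFIC_RULES, single_dst_offset=True)


def local_timestamp(utc, zone):
    """Render a converted timestamp in the MM/DD/YY style the dialogs use."""
    return zone.to_local(utc).strftime("%m/%d/%y %I:%M:%S%p")


if __name__ == "__main__":
    stamp = datetime(2007, 3, 20, 12)       # constructed UTC timestamp
    print(local_timestamp(stamp, PACIFIC))         # 03/20/07 05:00:00AM
    print(local_timestamp(stamp, PACIFIC_SINGLE))  # 03/20/07 04:00:00AM
```

The last two lines show why the option matters: for a March 2007 timestamp, the dynamic 2007 rules place the device in daylight time while the single 2006 offset does not, a one-hour difference that would otherwise be attributed to the evidence.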
338. ...isition ends without being cancelled, you cannot restart it.
Figure: An acquisition in progress: the Options page values (File Segment Size 640, Compression, Start and Stop Sector, Block size, Error granularity, Generate image hash, Output Path, Alternate Path), the Thread Status Line reading "Acquiring", with elapsed and remaining time, and, after double-clicking it, the Acquisition Results dialog with Status: Cancelled, Start and Stop times, Name, Path and the Console, Note and Log Record options.
To cancel an acquisition while it is running:
1. At the bottom right corner of the main window, double-click the Thread Status Line. The Thread Status message box appears.
2. Click Yes. The Acquisition Results dialog appears, displaying Cancelled status.
3. Click OK. The acquisition is cancelled. You can restart it at a later time.

Acquiring a Local Drive
Before you begin: the local drive to be acquired was added to the case.
1. To protect the local machine from changing while its content is being acquired, use a write blocker (see Using a Write Blocker), then verify that the device being acquired is shown in the Tree pane or the Table pane as write protected (see Live Device and FastBloc Indicators).
2. Perform the acquisition (see S...
339. Figure: Display tab of the Filter pane (beside the EnScript, Filters, Conditions, Queries and Text tabs) listing (1) Selected Files Only, (2) File Extension and (3) Deleted Files with default text and frame colors; File Extension is unchecked.

Deleting a Filter
You can remove a filter from the Display list by selecting it, right-clicking it, and then clicking Delete in the drop-down menu. As a safeguard, a dialog displays; click Yes to complete the deletion. The Table pane display automatically updates to reflect the change. The filter, condition or query is not deleted from the Filters, Conditions or Queries tab from which it was executed.

Importing Filters
Filters that others create can be imported into your collection and used. Remember that a filter is EnScript code that runs inside EnCase with your privileges, so import only filters from sources you trust and review the source in the Code view before running them. To import a filter someone else has written:
1. Right-click in the Filter pane.
2. Select Import.
3. Navigate to or enter the path where the filter is located and click OK.

Exporting Filters
Send your filters in a text file to others.
Figure: Export dialog with Export Tree (checked), Import fields, Name, XML Formatted (checked), Filter (Only Checked Rows, In Report), Start 1, Stop 17, Active Rows 17 and Output File export.xml.
To export a filter from your collection:
1. Right-click in the Filter pane.
2. Select Export.
Note: Select...
340. ...ith the selected text style applied.
5. Click OK. The text is bookmarked and the dialog closes.

Viewing Unicode Files
By default, EnCase displays characters in ANSI 8-bit format on the Text and Hex tabs, in the Courier New font. Viewing Unicode files properly requires modifications to both the formatting and the font. First, the file or document must be identified as Unicode. This is not always straightforward. Text files (.txt) containing UTF-16 little-endian Unicode typically begin with the byte order mark FF FE. Word processor documents written in Unicode, however, are not so easy to identify: word processor applications have their own file signatures, so the signature identifies the application format, not whether the text inside is Unicode.
Figure 32: The same document ("This is a unicode document written using notepad in plain text") shown in the Text tab before and after a Unicode text style is applied; in the default view a placeholder appears between each pair of characters. The Text Styles tab lists styles such as Unicode, Unicode 40, Unicode 60, Unicode 80, Unicode 100, Unicode 120, Unicode Text and Non-Unicode.
To view Unicode files:
1. Click Text Styles. The Text Styles tab appears in the Filter pane. In the default ANSI view, notice the extra character between the ASCII characters: in 16-bit Unicode each character occupies two bytes, and the second byte (zero for ASCII text) is shown as a placeholder rather than translated.
2. Click the desired Unicode-based text style. The text displayed in the Text...
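The identification step above, recognising Unicode by its byte order mark or, failing that, by the zero byte in every other position that produces the dots in the default view, can be automated. The Python below is an added example and not part of EnCase: `render_as_ansi` reproduces what the default Text tab shows for a byte string, and `detect_text_encoding` picks a codec from the BOM or from the null-byte pattern, falling back to UTF-8 and then to the Windows ANSI code page (cp1252, an assumption for the default code page). The sample text is constructed.

```python
"""Added example (not from the guide): identifying Unicode text the way an
examiner reasons about it in the Text tab, with constructed inputs."""


def render_as_ansi(data, placeholder="."):
    """The default Text-tab rendering: one character per byte, with
    non-printable bytes shown as a placeholder."""
    return "".join(chr(b) if 32 <= b < 127 else placeholder for b in data)


def detect_text_encoding(data, sample_bytes=4096):
    """Return a codec name for raw bytes.  A byte order mark is decisive;
    without one, UTF-16 text that is mostly ASCII has a zero byte in every
    other position, which is the pattern behind the dots in the default view."""
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return "utf-16"               # the codec consumes the BOM and picks the byte order
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8-sig"
    sample = data[:sample_bytes]
    if len(sample) >= 4:
        odd = sample[1::2]            # high byte of each UTF-16-LE code unit
        even = sample[0::2]           # high byte of each UTF-16-BE code unit
        if odd.count(0) / len(odd) > 0.7 and even.count(0) / len(even) < 0.1:
            return "utf-16-le"
        if even.count(0) / len(even) > 0.7 and odd.count(0) / len(odd) < 0.1:
            return "utf-16-be"
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "cp1252"               # assumed ANSI code page of the examiner's Windows


def decode_text(data):
    """Decode raw bytes with the detected codec."""
    return data.decode(detect_text_encoding(data))


if __name__ == "__main__":
    text = "This is a unicode document written using notepad in plain text"
    raw = text.encode("utf-16-le")                 # what Notepad writes, minus the BOM
    print(render_as_ansi(raw[:16]))                # T.h.i.s. .i.s. .
    print(detect_text_encoding(raw), decode_text(b"\xff\xfe" + raw) == text)
```

The heuristic is deliberately conservative: a file of mostly non-ASCII UTF-16 text (no zero high bytes) will not match it, and such files must still be recognised by their BOM or by context.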
341. ...ither tab, select the text, right-click and select Copy.
Goto
Use Goto to specify where to move the cursor in the View pane. To skip to a location:
1. Right-click in the View pane.
2. Select Goto.
3. Enter the file offset in the offset field and click OK.
Goto can also interpret selected bytes as a little-endian or big-endian integer. To interpret selected bytes:
1. Highlight the bytes in the View pane.
2. Right-click the View pane and choose Goto.
3. Click Little Endian to see the value read as little-endian.
4. Click Big Endian to see the value read as big-endian.
Find
Find works in most tabs of the View pane. Use it to locate strings within data. To find a string:
1. Display the Text view.
2. Right-click the View pane.
3. Click Find. The Find dialog appears, with an Expression field, GREP and Case Sensitive options, the Whole Document, From Cursor and Current Selection scopes, and a Results in Output window option.
4. Enter a string in the Expression field. To use a GREP expression, check the GREP option.
5. Select either Whole Document, From Cursor or Current Selection.
6. Select Case Sensitive if desired.
7. Choose whether to have results appear in the Output window.
8. Click OK. The system finds the expression you entered.

CHAPTER 6 Case Management
Overview of Case Structure 151
Case-Related Features 157
New Case Wizard 166
Using a Case 169
Open a Case 175
Saving a Case 176
342. ition.
4. Pay particular attention to the disposition of the file:
   a. Use the New Image File controls on the After Acquisition page.
   EnCase Forensic Version 6.11 User's Guide
   b. Click Quick Reacquisition on the Options page of the Wizard. The evidence file is reacquired.

Adding Raw Evidence Files

Reacquiring a raw evidence file embeds the file containing the image of the contents of a device with case metadata and, optionally, the hash value of that image.

Before you begin:
• You have a raw image file that can be accessed by the forensic machine.
• A case is open.

[screenshot: File menu showing New, Open, Save, Save As, Printer Setup, Add Device, Add Raw Image, and a list of recently opened case files under C:\Documents and Settings\david.locke\My Documents]

To acquire a raw evidence file:
1. In the Tree pane, click Cases > Entries > Home. The Entries tree appears in the Tree pane.
2. Click File > Add Raw Image. The Add Raw Image dialog appears.
3. Drag and drop the raw images to be acquired. The raw images to be added are listed in the Component Files list.
4. Accep
343. its tab display.

Mounting Compound Files
1. Select the compound files to be mounted.
2. Select any desired additional options, such as Make LEF, Mount Persistent, Search, and Find Files.
3. Click OK.

Index Case

File indexing is part of the improved search engine. The index is a list of words in the evidence file with pointers to their occurrences in the evidence. Because the index is smaller than the original evidence file, it is optimized for quick searching. To learn more about case indexing, see Analyzing and Searching Files on page 327.

Scan Local Machine

Scan Local Machine is an EnScript program used to run modules against a local machine. It uses many of the same modules available in Case Processor.
1. Double-click Scan Local Machine.
2. Complete the options as desired and click Finish. Depending on the modules chosen, additional dialogs may open. Complete them as necessary.

[screenshot: Scan Local Machine options page with Bookmark Folder Name (ScanLocalMachine), Folder Comment (Test the File Finder Module), Snapshot Data options (Detect Spoofed MAC, Hash Processes, Get Hidden Processes, Mark Logged On Users, Get DLLs, Search File Slack), Export Path (C:\Program Files\EnCase6\Export), Compound File Mount options (Don't Mount (Fast), Mount Detect Extension (Slow), Mount Detect Signature (Slowest)), and a Modules list (Double-C
344. ivate Key File

[screenshot: Enter Mail Certificate tab with Path and Password fields]

4. Select the Enter Mail Certificate tab. The only allowed certificate format is PFX.
5. Enter the path to the PFX certificate and the password, then click OK. The PFX certificate is decrypted and stored in Secure Storage.

S/MIME decryption and signature verification happen in the background. Given the proper password, the certificate is stored in Secure Storage under the E-Mail Certificates folder. After you import the required certificates into Secure Storage, you can parse the email container files using the View File Structure feature in the Entry view. S/MIME contents are displayed like this prior to decryption:

[screenshot: EnCase Enterprise Training window, Secure Storage tab, showing the E-Mail Certificates folder containing S/MIME Certificates entries]
345. ive Acquisition Using LinEn, 51
Doing a Typical Acquisition, 194
Dynamic Disk, 223

E
Edit Bookmark Folder Dialogs, 422
Edit Datamarks Dialog, 421
Edit Folder Dialog, 423
Edit Folder Information Structure Bookmarks Dialog, 419
Edit Highlighted Data Bookmarks Dialog, 418
Edit Log Record Bookmarks Dialog, 421
Edit Menu, 63
Edit Notable File Bookmarks Dialog, 420
Edit Note Bookmarks Dialog, 419
Edit SAFE Dialog, 162
Edit Snapshot Bookmarks Dialog, 420
Editing a Bookmark, 415, 416
Editing a Filter, 131
Editing a Package, 503
Editing a Signature, 328
Editing Conditions, 141
EFS Files and Logical Evidence (L01) Files, 393
Email Report, 441
Enabling or Disabling Entries in the Report, 438, 448
Enabling the Forensic Administrator Role on the CREDANT Server, 389
EnCase Evidence Files, 178
EnCase Examiner Support for Microsoft Vista, 19
EnCase Forensic, 520
Encode Preview, 358
Encrypted Block, 319
Encryption, 520
Encryption Support, 375
EnScript Analysis, 473, 474
EnScript Debugger, 493
EnScript Example Code, 492
EnScript File Mounter, 496
EnScript Help, 498
EnScript Programming Language, 333
EnScript Programs Shortcut Submenu, 510
EnScript Tab, 38
EnScript Types, 334, 498
EnScript & Language, 520
Entering Non-English Content without Using Non-English Keyboard Mapping, 462
Enterprise EnScript Programs, 180, 475
Error Handlin
346. ject was acquired and is stored on the storage drive. Connect the storage drive to the investigator's machine. Add the EnCase evidence file using the Sessions Sources page of the Add Device Wizard (see Completing the Sessions Sources Page).

Acquiring a Disk Running in Direct ATA Mode

If the Linux distribution supports the ATA mode, you will see a Mode option. The mode must be set before the disk is acquired. An ATA disk can be acquired via the drive-to-drive method. The ATA mode is useful when the evidence drive has a Host Protected Area (HPA) or Drive Configuration Overlay (DCO): only Direct ATA Mode can review and acquire these areas.

• LinEn has been configured as described in LinEn Setup, and autofs is disabled (cleared).
• Linux is running in Direct ATA Mode.

1. If the FAT32 storage partition to be acquired has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type linen in the console. The LinEn Main Screen appears.
3. Select Mode, then select Direct ATA Mode. You can now acquire the disk running in ATA mode.
4. Continue the drive-to-drive acquisition with Step 3 of Doing a Drive-to-Drive Acquisition Using LinEn.

Acquiring a Palm Pilot

Before you begin:
• The Palm Pilot is not yet added to the case.
• The examination machine is booted into Windows.
• Your EnCase application is running.

1. Put the Palm Pilot or Handspring PDA in its cradle and attach the
347. k OK when the search complete dialog appears.

[screenshot: search status dialog: Status Completed; Start 06/27/2007 12:35:19 PM; Stop 06/27/2007 12:35:36 PM; Time 0:00:17; Files 13,685; Log Record count; Cancel button]

A closed tree view of all located mailboxes appears. Selecting a file displays one mail file's contents in the Text, Hex, Transcript, and Report tabs of the Report tab. In addition, the email file and its attachments are listed in the Table pane. Open the high-level tree to see the mailbox's contents. Email contained in the mailbox is visible in the Tree pane, and both email and attachments are visible in the Report pane. An envelope-and-paperclip icon indicates mail containing attachments.

After you finish, you can view and interact with attachment files (see Viewing Attachments on page 374).

Searching Selected Items

If you choose to search selected items, the items must be selected in both the Records and Entries tabs.

1. Blue-check the selected items in the Entries and Records tabs.

[screenshot: Entries tab (Single Files, a 2007 .hwp file, Compound Volume) and Records tab (Single Files) with items blue-checked]

2. In the Search dialog, under Keyword Search Options, click Search entries and
348. k Windows File Archive

Sorting a Table

You can sort up to five columns of a table in the Table pane. You can do this in two ways:
• Double-clicking on the column header
• Using the Sort command on the table's right-click menu

A single red triangle appears in the column header when sorting a single column, and indicates the primary sort when you sort by more than one column. To sort by multiple columns after the primary sort, press the Shift key while double-clicking the desired additional column headers. Two red triangles appear in the header of the second column sorted, three red triangles appear for the third column sorted, four in the fourth, and five in the fifth.

Figure 15 A table with five sorted columns, where the columns are sorted in the following order: File Type, File Category, Signature, Description, and Last Accessed [screenshot rows: an .rnd File Archive entry, an L01 File Archive entry, and a Folder entry with their Last Accessed and Created timestamps]

These methods work for all tables regardless of where they appear in the interface, not just tables in the Table pane.

Filters Pane

The Filters pane contains the following tabs:
• EnScript
• Filters
• Conditions
• Queries
• Text Styles

These tabs organi
349. k the Console tab in the View pane.

[screenshot: View pane tab bar (Text, Hex, Transcript, Picture, Report, Details, Output, Lock, Codepage) with the Console output below]

10/10/06 03:07:16PM Info File Mounter Lib Mounting V6 Hunter XP Forensic Hunter XP C RECYCLER
10/10/06 03:07:16PM Warn File Mounter Lib Could Not Mount Df935.zip Probably Corrupted File
10/10/06 03:07:16PM Info File Mounter Lib Mounting V6 Hunter XP Forensic Hunter XP C WINDOWS
10/10/06 03:07:16PM Warn File Mounter Lib Could Not Mount wuv3is ll tgz Probably Corrupted
10/10/06 03:07:17PM Info File Mounter 5 file(s) mounted
10/10/06 03:07:17PM Info File Mounter Script completed in 1 seconds

Compound Files

The File Mounter EnScript program lets you mount all selected compound file types, leaving them mounted at the conclusion of the EnScript program investigation. Its main purpose is to let you catalog the contents of targeted compound files. This is a listing of the items within the compound file, not the actual contents themselves.

The EnScript program finds targeted files based on the Find Files By and Selected Files options. It then catalogs the file contents into a LogRecordClass bookmark and adds them to the LEF if you select that option. The program then performs a preliminary keyword search that stops after a single hit. After a hit, the file is placed into a list of files that are then mounted and completely searched. Results appear in the Search H
350. l Write-block USB/Firewire/SCSI drive

A tabbed dialog appears. The tabs are:
• Case Options (when a case is open)
• Global
• NAS
• Colors
• Fonts
• EnScript
• Storage Paths
• Enterprise

Note: All fields on the Case Options tab are mandatory. The Case Options fields in the illustration show the default values.
• Name holds the case name.
• Examiner Name is the investigator's name.
• Default Export Folder is the location to which exported data are sent.
• Temporary Folder is the location to which temporary data are sent.
• Index Folder is the location of case indices.

Case Related Features

Cases use these processes:
• Logon wizard
• New Case wizard
• Options dialog
• Case Time Setting dialog

Logon Wizard

The Logon wizard captures the user name, password, and SAFE to use for the current session. The user and password are established by the administrator or by those granted administrator-level permissions. The Logon wizard displays the following pages:
• Users page
• SAFE page

[screenshot: Logon wizard listing the users Jane Doe, John Doe, and keymaster, and the SAFEs Doc SAFE, RD SAFE, and RD1 SAFE]

Logon Wizard Users Page

The Users page of the Logon wizard captures the current user's password and user name.

[screenshot: Logon dialog with Password and User fields and a Users list showing Jane Doe]
351. l content in the note. Increase text indent sets the text indent of all of the text blocks.

Edit Folder Information Structure Bookmarks Dialog

Use this dialog to edit folder information structure bookmarks.

[screenshot: Edit Folder Information dialog with an Include Device Information checkbox, a Columns field (3), and OK/Cancel buttons]

Check Include Device Information to show folder structure in the bookmark. Columns determines the number of columns of folder structure to show in the bookmark.

Edit Notable File Bookmarks Dialog

Use this dialog to edit notable file bookmarks.

[screenshot: Edit Notable File dialog with a Comment field and OK/Cancel buttons]

Comment can contain up to 1000 characters.

Edit Snapshot Bookmarks Dialog

Use this dialog to edit snapshot bookmarks.

[screenshot: Edit Snapshots dialog with Name (Snapshot) and Comment fields and OK/Cancel buttons]

Name is the name of the snapshot bookmark. An EnScript program supplied this name value when the bookmark was originally created; editing lets you provide a more meaningful name.

Comment contains text describing the bookmarked content. An EnScript program supplied this text when the bookmark was originally created; editing lets you provide more meaningful comments.

Edit Log Record Bookmarks Dialog

Use this dialog to edit log record bookmarks.

[screenshot: Edit Log Record dialog with Name and Comment fields]

Name is the name of the log record bookmark. The EnCase application supplied this name when the bookmark was originally created. Editing
352. l files within the folder appear only on the entries table.

Supported File Systems and Operating Systems

What's new in this release:
• Support for the Novell File System
• UFS2 File System
• Mac DMG image files
• Updated NTFS Parser

GUID partition tables, as implemented according to the Intel Extensible Firmware Interface (EFI), are also supported.

Support for the DOS EN.EXE utility was dropped, so you should now do drive-to-drive and crossover-cable acquisitions using the LinEn utility.

Using Snapshots

Snapshots collect a variety of information to create snapshot bookmarks. Snapshots are the output of EnScript programs. In EnCase Forensic, only the Scan Local Machine EnScript program creates snapshots. In EnCase Enterprise, the following EnScript programs create snapshots:
• Sweep Enterprise
• Quick Snapshot

The Sweep Enterprise EnScript program captures live information from a selected network tree; no case or Enterprise logon is needed before running it. The Quick Snapshot EnScript program captures live information from a selected machine associated with a device in an open case. For more information on these EnScript programs, see Enterprise EnScript Programs on page 481.

Getting Ready to Acquire the Content of a Device

Before you can acquire the contents of a device, you must add the device and preview the device's content. To ad
353. l memory before shutting down a computer. As always, it is recommended that examiners document and explain their procedures for later reference.

Running WinEn

To run WinEn, open a command prompt on the target computer. The user logged on must have local administrator privileges on the computer, and you must start the command prompt with that privilege level. Once you open a command prompt, run WinEn using the syntax below. It is recommended that you compress the evidence file that is created and save it to removable media, so that no additional changes are made to the target computer.

There are three ways to supply the necessary information to WinEn when running from the command line:
• Command line options
• Configuration file
• Prompt for value

Command Line Options

Syntax: winen [option] [option] ...

-p <EvidencePath>     Path and file name of the evidence file to be created (maximum 32768 characters)
-d <Compress>         Level of compression: 0 = none, 1 = fast, 2 = best
-e <Examiner>         Examiner's name (maximum 64 characters)
-m <EvidenceName>     Name of the evidence within the evidence file (maximum 50 characters)
-c <CaseNumber>       Case number related to the evidence (maximum 64 characters)
-r <EvidenceNumber>   Evidence number (maximum 64 characters)
-s <MaxFileSize>      Maximum file size
354. ld Not Compile

[screenshot: a table of encrypted package entries named TempData, Complete Diagnostic, CredantEncryption, Decoding Test, DiskEncryption, Email, and FileTest; the remaining content is unreadable encrypted data and cannot be recovered from the extraction]
355. le pane.

Gallery Tab

The Gallery tab provides a quick and easy way to view images stored on the subject media. This includes all images purposely stored as well as those inadvertently downloaded from the Web. You can access all images within a highlighted folder, a highlighted volume, or the entire case. If a folder is highlighted in the Tree pane, all files in the folder are displayed in the Table pane. Clicking a folder's Set Include selects all files in that folder and files in any of its subfolders. Once selected in the Table pane, any images among the selected files display in the Gallery tab. You can bookmark images in the Gallery tab and display them in the report.

The Gallery tab displays files based on their file extension by default. For example, if a .jpg file has been renamed to .dll, it WILL NOT be displayed in the Gallery tab until you run a Signature Analysis (page 327). Once the signature analysis recognizes that the file was renamed and that the file is actually an image, it is displayed in the Gallery tab.

EnCase applications include built-in crash protection, which prevents corrupted graphic images from appearing in the Gallery or Picture tab. The corrupt images are stored in a cache so that they are recognized the next time they are accessed, and no attempt is made to display them. These images are cached at the case level, so they do not attempt to display in that case file again until you run a signature analysis. You can clear the cach
356. lect File > Save As.

[screenshot: Save As dialog open on the Evidence folder, listing case files such as Big Case, Bonnie and Clyde, Class1, Fiske Case, V5 Test Case, and V6 Hunter XP Forensic; the Save as type list offers Case File (.Case), Version 5 Case File (.Case), and Backup Case File (.cbak)]

Expand the Save as type field and make a selection:
• Case File saves the file as version 6.
• Version 5 Case File saves the file as version 5.
• Backup Case File saves the file as a version 6 backup file.

Case Backup

By default, a backup copy of the case file is saved every 10 minutes. By default, backup files (.cbak) are saved to C:\Program Files\EnCase\Backup. With the exception of the extension, this file has the same name as the parent file.

To change the default save time:
1. Select Tools > Options > Global.
2. Change the number in the Auto Save text field. Selecting 0 disables the auto-save function. This is not recommended.

The Options Dialog

The Options menu allows you to customize the software. To access the menu, select Cases > Options from the toolbar.

[screenshot: Tools menu listing Search, Logon, Wipe Drive, Verify Evidence Files, Create Boot Disk, Mount as Network Share Client, and Write-block IDE channe
357. lected. The figure below shows each column header. In order to fit them into the document, they are stacked; in the EnCase Table pane, you scroll horizontally across the pane to see them. You can drag and drop columns to arrange them according to your needs. Each is described below.

• Name is the name of the entry. Icons to the left of the filename indicate the type of entry, such as device, folder, or document.
• Filter displays the name of the saved filter options if the files meet the criteria set.
• In Report indicates whether or not the item appears in the report. To include the file in a report, right-click the In Report column and select In Report, or select the entry and press Ctrl+R. To include more than one entry in the report, select each one in the first-column checkbox, then right-click the In Report header and select In Report.
• File Ext displays a file's extension, such as .exe, .jpg, or .doc.
• File Type names the file type. The software generates this information from the File Types table using the file's extension. When you run a Signature Analysis, this information is generated from the file's identifying header information inside the file.
• File Category classifies the entry as Windows, database, picture, etc.
• Signature identifies the file by header, not file extension. See Analyzing and Searching Files for more information on using file signatures.
• Description gi
358. led.

Excluding

You can exclude any number of bookmarks from the Tree and Table pane display using the Exclude Bookmarks feature.

Exclude File Bookmarks

In Bookmarks view, the Tree pane displays the bookmark folders you have created for an open case. You can prevent individual bookmark files from being displayed in the Table pane using the Exclude Bookmarks feature. Before running this option, bookmarks must have been created in the open case.

Exclude an entire folder of bookmarks as follows:
1. Open the bookmarks folder to view its contents.
2. Select (blue-check) or highlight a file. The illustration below shows a graphic file checked.

[screenshot: Table pane (Table, Report, Gallery, Timeline, Disk, Code tabs) listing File Group and Highlighted Data bookmarks in the folder Jay's Bookmarks, with one row checked]
359. les before searching

[screenshot: search options page with Lotus NSF, Search only slack area of files in Hash Library, Compute hash value, Recompute hash values, Verify file signatures, Identify codepages, and Search for internet history checkboxes]

2. In the Hash Options area, check Compute Hash Values.
3. Select the files to be included in the hash set.
4. Right-click the Table pane and select Create Hash Set from the menu. The Create Hash Set dialog appears.

[screenshot: Create Hash Set dialog with Name (10 BMBs) and Category (Selected Graphics) fields and OK/Cancel buttons]

5. Enter a set Name and Category and click OK. A hash set is created.

Note: While the Category entry can be anything, the two industry standards are Known and Notable, the latter being assigned to hash values that are of interest to the investigator.

Rebuild a Hash Library

To select a hash set to be used in a case, rebuild the library.

Note: Only items selected on the Hash Sets tab are included in the library.

1. Select View > Hash Sets. A list of hash sets appears.

[screenshot: Hash Sets table with Name, Filter, and Category columns, listing Experimental (Known) and BMP Files I know about (Pictures)]

2. Select the desired hash set.
3. Right-click and select Rebuild Library from the menu. When Rebuild completes, a message indicating the number of rebuilt libraries appears.

[screenshot: Rebuild Library message reporting 1/2 hash se
360. lications, components, and processes with a limited privilege, but have elevation potential for specific administrative tasks and application functions.

To disable UAC, you must be logged on with a credential that is a member of the local administrator group.

1. From the Start menu, select Control Panel.

[screenshot: Windows Vista Start menu listing Internet Explorer, Windows Mail, Welcome Center, Backup Status and Configuration, Windows Media Player, Small Business Resources, Windows Fax and Scan, Windows Meeting Space, Windows Photo Gallery, Windows Live Messenger Download, Windows Update, with Documents, Pictures, Music, Search, Recent Items, Computer, Network, Connect To, Control Panel, Default Programs, and Help and Support on the right]

2. In the Control Panel Home window, enter UAC in the search field. The User Accounts option automatically displays under the search field.

[screenshot: Control Panel search results showing User Accounts > Turn User Account Control (UAC) on or off, and a Search Windows Help and Support for UAC link]

4. The User Account Control message displays, prompting you to continue or cancel. If you started this action, continue.

[screenshot: User Accounts Control P
361. lick For options)

[screenshot: Modules list: LogFile Parser, Active Directory Information Parser, AOL IM Information, App Descriptor Utility, Compromise Assessment Module, Consecutive Sectors, EXIF Viewer, File Finder, File Report, Find Protected Files, HTML Carver, IM Archive Parser, Kazaa Log Parser, Link File Parser, Linux Initialize Case, Linux SysLog Parser; Selected Modules: 1]

Note: Scan Local Machine searches the local examiner machine and does not search the evidence within the case. If you want to search the evidence in the case, use Case Processor.

Webmail Parser

Use the Webmail Parser to search the case for remnants of Web-based email.

EnScript Example Code

In the EnScript tree in the Filter pane, the Examples folder contains example code. These programs can serve as a base for additional programming. The COM folder contains sample EnScript programs that use COM to provide integration with MS Windows and MS Office applications. See the EnScript Program User Manual for more information.

The EnScript example programs include:
• Compound File Viewer
• Create Index Directory
• Enterprise Using Entry Data
• Enterprise Registry Operations
• Enterprise Using Snapshot Data
• Find Valid IPs
• Index Buffer Reader

Compound File Viewer parses compound files into their constituent parts for viewing. Create Index Directory ge
362. lity, 522
Live Device and FastBloc Indicators, 181
Local Keywords, 345
Locally Encrypted NSF Parsing Results, 321
Log Record Bookmarks, 398
Logical Evidence File, 523
Logical Evidence Files, 178, 238
Logical Restore, 254
Logon Wizard, 157
Logon Wizard Users Page, 158
Lotus Notes Local Database Encryption, 18
Lotus Notes Local Encryption Support, 317

M
Machine Survey Servlet Deploy, 478
Maintaining the Database, 257
Malware, 523
Manually Create App Descriptor, 373
Minimum Requirements, 22
Mode Selection, 54
Modifying Case Related Settings, 167
Modifying the Table Pane, 122
Modifying the View Pane, 148
Mount / Mounting, 523
Mounting Compound Files, 490, 548
Moving a Table Entry into a Folder Using the Right-Click Drag Method, 425, 427
Moving a Table Entry or Folder into a Folder Using the Drag Method, 428

N
Navigating the EnCase Interface, 59
Navigating the Tree Pane, 115
Network Tree, 523
New Case Wizard, 164
New Features, 17
New File Viewer Dialog, 289
New Package Dialog, 499
New Technology File System (NTFS), 523
New Text Styles Dialog, 456
New Text Styles Dialog Attributes Tab, 456
New Text Styles Dialog Code Page Tab, 458
Node, 523
Non-English Language Features, 453
Notable File Bookmarks, 397, 523
Notes Bookmarks, 397
NSF Encryption Support, 376
NTFS, 523
NTFS Compressed Files, 314

O
Obtaining a Linux Distribution, 48
Obtaining Updates
363. located Clusters. In the bottom right-hand corner, a progress bar indicates the number of MFT records found and the approximate time required to complete the search.

5. After the application locates the MFT records in the Unallocated Clusters, a prompt appears showing the number of entries found. Duplicate or false hits are parsed out, so the number of entries that appears in the prompt may be lower than the number reported during the recovery.
6. Click OK.
7. The application resolves the recovered MFT records to data on the volume and attempts to rebuild the folder structure, with child files and folders under their parent folders. This process can take a long time; however, the results greatly benefit examinations of NTFS volumes.

Since rebuilding the folder structure can take a long time, you can opt to have faster access to the recovered files. If the recovered MFT entries in the unallocated space are NTFS4, you can choose to:
• process the entries for parent-child relationships, or
• place all recovered entries into the Recovered Files folder immediately, with no folder structure.

This dialog box shows the number of passes required to sort the entries. This number may be large, but most passes process instantly. The length of time required to process a given group depends only on the number of records within that group. This change does not affect NTFS5 recovered entries; these entries are processed quickly, as before.

If you choose to process the entri
364. lp

[screenshot: View menu listing App Descriptors, Archive Files, Cases, Encryption Keys, EnScript, EnScript Types, File Signatures, File Types, File Viewers, Hash Sets, Keywords, Machine Profiles, Packages, Projects, SAFEs, Text Styles, Cases Sub Tabs, Table Pane, View Pane, Filter Pane (EnScript, Filters, Conditions, Display, Queries, Text Styles), Show Name, Previous Tab (Ctrl+Shift+Tab), Next Tab (Ctrl+Tab), Auto Fit, and Reset View]

Filter Pane Menu

The Filter Pane command on the View menu displays the Filter Pane menu. The Filter Pane menu contains commands corresponding to the tabs displayed in the Filter pane. Clicking one of these commands displays the corresponding tab in the Filter pane.
• EnScript displays the EnScript tab in the Filter pane.
• Filters displays the Filters tab in the Filter pane.
• Conditions displays the Conditions tab in the Filter pane.
• Display shows active filters.
• Queries displays the Queries tab in the Filter pane.
• Text Styles displays the Text Styles tab in the Filter pane.

Auto Fit

When you resize a window pane, some tabs may not be viewable. Instead of scrolling to them, you may want to use Auto Fit.

[screenshot: a tab bar with Encryption Keys, EnScript, Bookmarks, Search Hits, Records, Additional Fields, App Descriptors, and Archive Files tabs, some of which are cut off at the pane edge]
365. ly written using the symbols 0-9 and A-F (or a-f). For example, the decimal numeral 79, whose binary representation is 01001111, can be written as 4F in hexadecimal (4 = 0100, F = 1111).

Host Protected Area (HPA)
An area of a disk designed to allow vendors to store data safe from user access, diagnostics, or backup tools. If present, data stored in this area is inaccessible by the operating system, BIOS, or the disk itself.

Index
An EnCase index is a feature that allows quick access to the data in an evidence file.

Internet Protocol Address (IP)
A unique number that devices use to identify and communicate with each other on a computer network utilizing the Internet Protocol standard. Any participating network device, including
• routers
• computers
• time servers
• printers
• Internet fax machines
• some telephones
must have its own unique address. An IP address can also be thought of as the equivalent of a street address or a phone number. IPv4 specifies addresses as four eight-bit decimal numbers separated by a dot. IPv4 specifies a port number with a colon. IPv6 addresses the limitations that IPv4 has with the total number of addresses. IPv6 is typically written as eight 16-bit hexadecimal numbers separated by a colon. IPv6 specifies a port number with a space.

K

Keyword
A keyword is a string or expression used in searching your evidence.

L
• For information on automatically creating an app descriptor, see Create an App Descriptor with an EnScript Program on page 379.

Create an App Descriptor with an EnScript Program

The scripts for creating app descriptors are Scan Local Machine and Case Processor.

1. Run an EnScript program such as Scan Local Machine. An options wizard appears.

[Figure: the Scan Local Machine options wizard with the fields Bookmark Folder Name and Folder Comment; the Snapshot Data options Detect Spoofed MAC, Hash Processes, Get Hidden Processes, Mark Logged On Users, Get DLLs and Search File Slack; Export Path (C:\Program Files\EnCase6\Export); the Compound File Mount options Don't Mount (Fast), Mount Detect Extension (Slow) and Mount Detect Signature (Slowest); and a Modules list (double-click for options) including LogFile Parser, Active Directory Information Parser, AOL IM Information, App Descriptor Utility, Compromise Assessment Module, Consecutive Sectors, EXIF Viewer, File Finder, File Report, Find Protected Files, HTML Carver, IM Archive Parser, Kazaa Log Parser, Link File Parser, Linux Initialize Case and Linux SysLog Parser, with Selected Modules: 1]

2. Complete the fields.
• Bookmark Folder Name is the name of the folder in the bookmark area.
• Folder Comment is an optional field for entering you
menus display commands for tabs contained by parent tabs. When a tab contains other tabs, it has a View command that displays a sub tab menu. The sub tab menu contains commands that display each of the contained tabs.

[Figure: the View menu with the Cases Sub Tabs submenu (Home, Entries, Bookmarks, Search Hits, Records, Devices, Secure Storage, Keywords), the pane commands Table Pane, View Pane and Filter Pane, and Close Tab (Ctrl+F4), Show Name, Previous Tab (Ctrl+Shift+Tab), Next Tab (Ctrl+Tab), Auto Fit and Reset View]

When a tab contains only one other tab, selecting the containing tab is equivalent to selecting the contained tab. For example, selecting Cases Sub Tabs > Bookmarks is equivalent to selecting Cases Sub Tabs > Bookmarks Sub Tabs > Home. The commands in the Sub Tab menus open their corresponding tab or display a corresponding Sub Tab menu.

The Table Pane and its Tab Bar and View Menu
minister

The forums allow registered users to post questions, exchange information, and hold discussions with Guidance Software and other users in the EnCase community. Different discussion groups are available, as follows.

Foreign Language Groups
• French
• Arabic
• German
• Spanish
• Japanese
• Chinese
• Korean

Forum Groups
• User Group
• Consultant and Practitioners
• Computer Forensic Hardware Issues
• EnScript Forum

Product Specific Groups (only available to customers who have purchased the respective products)
• Neutrino
• Enterprise
• FIM
• eDiscovery

Enter a Group by clicking on the Group name.

[Figure: the EnCase User's Group entry: "Exchange information and tips with other EnCase users"]

Posting to a Group

To create a new post, click the New Thread icon. Click the Post Reply icon to reply to a post, or use the Quick Reply icon at the bottom of each post.

Searching

The forums contain an accumulation of over ten years of information. Use the Search button to search for keywords, or click Advanced Search for more specific search options.

[Figure: the forum search box with the Show Threads, Show Posts and Advanced Search options]

Bug Tracker

Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement requests. It is broken down by product, showing the current number of bugs, enhancements, and public bugs for each product. To access the Bug Tracker, click on the
mmands that access information and perform tasks associated with using your EnCase application. Using the Help menu, you can
• display the readme help file
• register your application
• find out about your application
• get information about your license
• learn what modules are installed, and other information

[Figure: the Help menu: Help (F1), EnScript Help, What's New, Register EnCase, About EnCase]

What's New displays the EnCase Release Notes as a help file.

Register EnCase displays the application registration page, where you can
• find your dongle serial number
• if connected to the Internet, register your application
• if not connected to the Internet, find instructions on how to register your application

About EnCase tells you which version of EnCase and which modules you have installed.

Toolbar

The toolbar provides icons for the most frequently used EnCase program functionality. The toolbar displays on the main window. It contains icons for performing the most frequent tasks in the current application mode or context. When EnCase opens in acquisition mode, only the New, Open, Print, and Refresh icons appear in the toolbar. Once a case is opened, the Add Device icon appears. When the application is an enterprise application, the Logon icon appears, and once logged on, the Logoff icon displays.

Figure 5: The Main Window To
mp Servlet Management

12. Select an output option.
• Bookmarks outputs results to bookmarks in the current case.
• Excel outputs results in an Excel file. If you select this option, browse to or enter an output folder.

13. Click OK.

The program will optionally create a bookmark folder called Machine Survey Run, with an incrementing integer. The program will also optionally create an Excel spreadsheet called MachineSurvey.xls in the folder specified above.

Quick Snapshot

Use Quick Snapshot to quickly take a snapshot of a machine currently being investigated. Quick Snapshot does not offer a deep options set, so if you want scheduling options or the ability to run EnScript program modules while taking a snapshot, use the Sweep Enterprise program.

Before you run Quick Snapshot:
• Open EnCase and log on
• Create a case
• Add a device to the case

To create a quick snapshot:
1. Double-click the Quick Snapshot EnScript program.
2. Note the machine in the IP List and select an Available SAFE and Role.
3. Click OK.

Note: the IP List displays the machine to be investigated using Quick Snapshot. This list is for information purposes only, and you cannot add additional nodes.

[Figure: the Quick Snapshot dialog with an IP List (10.0.36.21), Available SAFEs (Doc SAFE) and Roles (All Access, No search, Access Subnet)]

4. Snapshots will be placed in Qui
mus .... 430
Using a Folder to Organize a Bookmarks Report .... 431
Organizing Bookmarks .... 432
Copying a Table Entry into a Folder .... 433
Moving a Table Entry into a Folder Using the Right Click Drag Method .... 434
Moving a Table Entry or Folder into a Folder Using the Drag Method .... 435
Bookmark Reports and Reporting .... 435
Viewing a Bookmark on the Table Report Tab .... 436
Customizing a Report .... 437
Excluding Bookmarks .... 438
Exclude File Bookmarks .... 438
Exclude Folder .... 439
Show Excluded .... 441
CHAPTER 11 Reporting .... 443
Reporting .... 444
Creating a Report Using the Report Tab .... 444
Enabling or Disabling Entries in the Report .... 445
Report Single Files .... 445
Report Multiple Files ....
must be defined as such: IPAddress1-IPAddress2. IPAddress2 must be greater than IPAddress1; that is, IPAddress1 is the lowest IP address in the range and IPAddress2 is the highest IP address.

2. Once you specify which nodes to scan for snapshots, you must specify which database to use.

3. Click Next. The Snapshot Data Source Options dialog opens.

[Figure: the Snapshot Data Source Options dialog with the fields Data Source Name (SnapshotToDB), Enter User Name (Not Needed If Using NT Authentication) (sa), Enter Password (Not Needed If Using NT Authentication), DB Timeout Interval (minutes) (5), and the Show Queries in Console check box]

• Data Source Name: this is the name you gave the ODBC connection when you created it.
• Enter User Name (Not Needed If Using NT Authentication): specify a user name. If you set up the ODBC connection to use NT Authentication, it remembers your user name, so you do not need to enter it manually.
• Enter Password (Not Needed If Using NT Authentication): like your user name, you must specify a password to gain access to the database. If you set up the ODBC connection to use NT Authentication, it remembers your password, so you do not need to enter it manually.
• DB Timeout Interval (minutes): specify how long you want to wait before a DB timeout occurs. This indicates how long the program waits before assuming the connection is bad; the default is 5 minutes.
• Show Queries in Console: Ch
n Linux or the FastBloc SE module. EnCase applications running in Windows with a hardware write blocker will not detect DCOs or HPAs. The application now shows if a DCO area exists in addition to the HPA area on a target drive. FastBloc SE is a separately purchased component.

HPA is a special area located at the end of a disk. It is usually configured so the casual observer cannot see it, and it can only be accessed by reconfiguring the disk. HPA and DCO are extremely similar; the difference is the SET MAX ADDRESS bit setting that allows recovery of a removed HPA at reboot. When supported, EnCase applications see both areas if they coexist on a hard drive. For more information, see the EnCase Modules Manual.

Acquiring a Disk Running in Direct ATA Mode

If the Linux distribution supports ATA mode, you will see a Mode option. The mode must be set before the disk is acquired. An ATA disk can be acquired via the drive to drive method. The ATA mode is useful for cases when the evidence drive has a host protected area (HPA) or drive control overlay (DCO). Only Direct ATA Mode can review and acquire these areas.

LinEn is configured as described in LinEn Setup, and autofs is disabled (unchecked). Linux is running in Direct ATA Mode.

To acquire a disk running in Direct ATA Mode:
1. If the FAT32 storage partition to be acquired has not been mounted, mount the FAT32 storage partition.
2. Navigate to the folder where LinEn resides and type linen in the con
• Unicode: select if you are searching a Unicode-encoded file. Unicode uses 16 bits to represent each character. Unicode on Intel-based PCs is referred to as Little Endian. The Unicode option searches for the keywords that appear in Unicode format only. For more details on Unicode, see http://www.unicode.org.

Note: The Unicode standard attempts to provide a unique encoding number for every character, regardless of platform, computer program, or language.

• Big Endian Unicode: select if you are investigating a Big Endian Unicode operating system, such as a Motorola-based Macintosh. Big Endian Unicode uses the non-Intel data formatting scheme. Big Endian operating systems address data by the most significant numbers first.

• UTF-8 meets the requirements of byte-oriented and ASCII-based systems. UTF-8 is defined by the Unicode Standard. Each character is represented in UTF-8 as a sequence of up to four bytes, where the first byte indicates the number of bytes to follow in a multi-byte sequence.

Note: UTF-8 is commonly used in Internet and Web transmission.

• UTF-7 encodes the full BMP repertoire using only octets with the high-order bit clear (7-bit US-ASCII values). It is deemed a mail-safe encoding.

Note: UTF-7 is mostly obsolete and is used when searching older Internet content.

Creating International Keywords

You can search international keywords of non-English character s
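The encoding options above matter because a keyword search compares bytes, not characters: the same word produces a different byte pattern under each option, and a keyword entered in a single encoding finds only data stored that way. The following is an added example (not code from the EnCase guide or from Guidance Software) that encodes a keyword under each option and searches a constructed buffer; the labels, the sample bytes and the Cyrillic keyword (spelled from the code points visible in the Unicode View elsewhere in this guide) are all assumptions made for the demonstration.

```python
# Added example, not code from the EnCase guide: it shows which byte patterns a
# keyword search has to look for under each encoding option described above,
# and where each pattern lands in a constructed sample buffer.
from typing import Dict, List

# Labels follow the option names in the text; codec names are Python's.
ENCODINGS: Dict[str, str] = {
    "ANSI/code page (Latin-1)": "latin-1",
    "Unicode (UTF-16 Little Endian)": "utf-16-le",
    "Big Endian Unicode (UTF-16 BE)": "utf-16-be",
    "UTF-8": "utf-8",
    "UTF-7": "utf-7",
}


def keyword_encodings(keyword: str) -> Dict[str, bytes]:
    """Encode one keyword under every option. Options that cannot represent the
    keyword (e.g. Cyrillic text in Latin-1) are left out: they can never hit."""
    patterns: Dict[str, bytes] = {}
    for label, codec in ENCODINGS.items():
        try:
            patterns[label] = keyword.encode(codec)
        except UnicodeEncodeError:
            pass
    return patterns


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every byte offset at which needle occurs in haystack, overlaps included."""
    hits: List[int] = []
    start = 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def search_keyword(data: bytes, keyword: str) -> Dict[str, List[int]]:
    """Offsets of the keyword in data, reported per encoding option."""
    return {label: find_all(data, pattern)
            for label, pattern in keyword_encodings(keyword).items()}


# Constructed sample data (not evidence from the guide): the ASCII keyword
# "password" stored three times, once per Unicode form, with filler between.
KEYWORD = "password"
SAMPLE = (b"\xaa" * 8                     # offsets 0-7: filler
          + KEYWORD.encode("utf-16-le")   # offsets 8-23
          + b"\xff" * 4                   # offsets 24-27: filler
          + KEYWORD.encode("utf-8")       # offsets 28-35
          + b"\xff" * 4                   # offsets 36-39: filler
          + KEYWORD.encode("utf-16-be")   # offsets 40-55
          + b"\xaa" * 4)                  # offsets 56-59: filler

# Constructed Cyrillic keyword built from the code points shown in the guide's
# Unicode View (U+0414 U+041E U+0411 U+0420 U+041E U+0415 space U+0423 U+0422
# U+0420 U+041E). It has no Latin-1 form, so only the Unicode options can hit.
CYRILLIC_KEYWORD = "\u0414\u041e\u0411\u0420\u041e\u0415 \u0423\u0422\u0420\u041e"
CYRILLIC_SAMPLE = (b"\xaa" * 4
                   + CYRILLIC_KEYWORD.encode("utf-8")       # offset 4, 21 bytes
                   + b"\xaa" * 4                            # offsets 25-28
                   + CYRILLIC_KEYWORD.encode("utf-16-le"))  # offset 29, 22 bytes


if __name__ == "__main__":
    for label, hits in search_keyword(SAMPLE, KEYWORD).items():
        print(f"{label:32} {hits}")
    for label, hits in search_keyword(CYRILLIC_SAMPLE, CYRILLIC_KEYWORD).items():
        print(f"{label:32} {hits}")
```

For an ASCII keyword the code-page, UTF-8 and UTF-7 patterns are identical, so those three options report the same offset and only the two UTF-16 options differ; for the Cyrillic keyword the code-page option drops out entirely and UTF-8 and UTF-16 produce unrelated byte patterns, which is why an international keyword has to be entered with the encodings the evidence actually uses.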
n as a flat file from sector 0 to the last sector. Files, folders, and any other file system architectural structure is lost.

Preview Devices Page of the Add Device Wizard

This page displays a list of the devices eligible to add.

[Figure: the Preview Devices page, a table with the columns Name, Label, Access, Sectors, Size, Write Blocked and Read File System, one row showing an ASPI device of 854 sectors (1.7 MB), and Back and Cancel buttons]

Table Pane lists the devices that are added by clicking Next.

Table Entry Rows display the details of the device defined in that row. The right-click menu for each row provides commands that
• toggle the Read File System setting for the entry where you opened the right-click menu
• copy the entry
• edit the entry, including the Read File System value. The best means to select or enable the Read File System is via this edit command.

Read File System Column: when deselected, the file system is read in as a flat file from sector 0 to the last sector. Files, folders, and any other file system architectural structure is lost.

Adding a Device

The devices added using the Add Device wizard determine the type of acquisition to be performed. The primary determiner is the device type set on the Sources Page of the Add Device wizard. The process for adding a device varies once the device type is selected.

Open a case where you want to add devices. When a case is open, the Add Device
n understanding of object-oriented programming are helpful for coding in EnScript.

Note: For more detailed information on the EnScript programs included with the EnCase application, refer to the EnCase Programs User Manual.

Note: For additional help in programming with the EnScript language, you can attend a training class or visit the EnScript message board.

Enterprise EnScript Programs

Enterprise EnScript programs contain programs typically used with enterprise cases. Many of these programs require a SAFE to be set up to properly use them. The available Enterprise EnScript programs are:
• Document Incident: used to generate a report containing the details of an incident that required investigation.
• Machine Survey
• Servlet Deploy: used to manage, deploy, remove, and install SAFEs and servlets to machines on the network.
• Quick Snapshot: used to quickly take a snapshot of a machine that is currently being investigated.
• Remote Acquisition Monitor: used to monitor remote acquisitions between the servlets and a network storage device.
• Snapshot Differential Report: used to report on differences between snapshots taken over a period of time.
• Sweep Enterprise: used to conduct thorough examinations on computers specified from the network tree.

To view Enterprise EnScript programs:
1. In the Filter pane, click EnScript to display the EnScript panel.
2. Open the Enterprise folder from the EnScript tree to see available s
Sources Page

Use the Sources Page of the Create Logical Evidence File wizard to specify the source files that will comprise the logical evidence file being created.

[Figure: the Create Logical Evidence File dialog with the fields Source, Files and Target folder within Evidence File; the check boxes Include contents of files, Hash Files, Include contents of folder files, Add to existing evidence file and Lock file when completed; and the Evidence File Path field]

• Source is the name of the parent device containing the file or files to include in the logical evidence file.
• Files contains the number of files and the total size of the file or files to include in the logical evidence file.
• Target folder within Evidence File is the name of the folder containing the files that comprise the logical evidence file.
• Include contents of files: if disabled, only the filename is known to the logical evidence file, and when the logical evidence file is opened, no data displays in the View pane.
• Hash Files determines whether the files comprising the logical evidence file are hashed as they are put into the logical evidence file.
• Add to existing evidence file determines whether the files comprising the logical evidence file are added to an existing evidence file. When this control is enabled, Evidence File Path appears.
• Lock file when completed determines whether the logical evidence file is locked after creation.

Evidence
ncludes the SAFEs Home, SAFEs Network, SAFEs Roles, SAFEs Users and SAFEs Events tabs. They do not display by default.

• SAFEs or Cases Sub Tabs displays a sub menu associated with the tab currently displayed (SAFEs or Cases). In the figure above, the SAFEs Sub Tabs command displays because the SAFEs tab is displayed in the Tree view (not shown). If Cases were displayed, then the command would be Cases Sub Tabs.
• Table Pane displays the Table Pane menu.
• View Pane displays the View Pane menu.
• Filter Pane displays the Filter Pane menu.
• Close Tab hides the tab currently in use. Once hidden, a tab can only reappear if it is opened using the tab commands on the View menu.
• Show Name toggles the display of the name of the tab currently in use.
• Previous Tab selects the tab to the left of the tab currently in use. When the tab currently in use is the leftmost tab, the rightmost tab is selected.
• Next Tab selects the tab to the right of the tab currently in use. When the tab currently in use is the rightmost tab, the leftmost tab is selected.
• Autofit toggles the wrapping of the toolbar. The toolbar extends to the right beyond the tab when Autofit is not selected. When Autofit is selected, the toolbar wraps so that the entire toolbar displays.
• Reset View puts any tabs appearing in windows back into the main window in their usual locations.

The Tree Pane and its Tab and Sub Tab Menus

Sub Tab
nd double-click the desired EnScript program object. The EnScript program creates the datagram as a bookmark and creates a sub tab named to match the name of the program that created it. In addition, an entry is output to the Output panel of the View pane.

Using Bookmarks

You can create bookmarks on entries and records. These operations are available:
• Creating: see Creating a Bookmark on page 414
• Editing: see Editing a Bookmark on page 423
• Extending by adding a note bookmark: see Creating a Notes Bookmark on page 416
• Organizing into folders: see Using a Folder to Organize a Bookmarks Report on page 431

Reports can contain bookmarks and fields containing bookmark attributes.
• To determine which table entries should appear in a report, see Viewing a Bookmark on the Table Report Tab on page 436.
• To determine which entry fields should appear in a report, see Customizing a Report on page 437.

Editing a Bookmark

You can edit most bookmarks. The particular editor displayed is determined by the type of bookmark you are editing. See the individual edit dialogs for bookmark-specific information. The instructions in this topic apply to editing any bookmark except file group bookmarks, which cannot be edited.

Note: The contents of the Bookmarks table are driven by the object selected in the
nd name of the folder where temporary files are created.
• Index Folder contains the index file for any indexed file or collection of files.

Add Device

Once a case is open, add evidence in accordance with the information in the Working with Evidence section.

Using a Case

A case is central to an investigation. Before you can add a device, preview content, or acquire content, you must open a case. This may be a new case or an existing case. Once you create a file, you can add a device, proceed with the device preview and acquisition, and continue with subsequent analysis.

Use the Case Options page to define a case. The settings on this page are the same as those on the Case Options tab of the Options dialog. Once a case is open, you can establish its time zone settings.

Modifying Case Related Settings

Use the New Case wizard Case Options dialog to modify case-related settings after the case is created.
1. Open the case.
2. Click Tools > Options. The Case Options tab displays.
3. Change the settings through the various tabs in the Options dialog.
4. Click OK.

For more information, see the Installation of EnCase Enterprise chapter.

Time Zone Settings

The Energy Policy Act of 2005 (Public Law 109-058) amends the Uniform Time Act of 1966 by changing the start and end dates of daylight saving time beginning in 2007. Clocks are set ahead one hour on the second Sunday of Mar
nditions .... 139
Editing Conditions .... 141
Running Conditions .... 142
Importing Conditions .... 143
Exporting Conditions .... 144
Ou .... 145
Gallery Tab .... 146
Viewing More Columns .... 146
Viewing Fewer Columns .... 146
Viewing More Rows .... 147
Viewing Fewer Rows .... 147
Timeline Tab .... 147
Modifying the View Pane .... 148
Copy .... 148
Cu .... 148
.... 149
CHAPTER 6 Case Management .... 151
Overview of Case Structure .... 152
Case Management .... 152
Concurrent Case Management ....
nditions tree and select New to see the New Term dialog.

[Figure: the New Term dialog with a Name field; a Properties list (Name, FullPath, IsFolder, IsSelected, Path, Examiner, ExportFolder, TemporaryFolder, IndexFolder, GUID, InReport); an Operator list (has a value, has no value, equal to, not equal to, greater than, greater than or equal to, less than, less than or equal to, Contains, Matches, Find, Compare); a Value field; the check boxes Prompt for value, Case Sensitive and GREP; and an Edit Source Code button]

3. Select a property, an operator, and, if prompted, a value and choice. Depending on the property and operator chosen, you can also select
• Prompt for Value
• Case Sensitive
• GREP
4. To edit the source code, click Edit Source Code.
5. Repeat the steps above to create as many terms as you want, to make the condition as detailed as possible.
6. Click OK to save the condition.
7. To nest terms, create a folder by right-clicking the desired location in the Tree pane and choosing New Folder. Place the nested terms inside this folder.
8. If you want to change the logic, right-click the term and select Change Logic. This changes the AND operator to an OR, and vice versa.
9. If you want to negate the logic, right-click the term and select Not.
10. When satisfied with the logic, click OK.

Editing Conditions

Conditions can be opened and edited when there are no open cases b
ned and portable for easy field acquisitions, with on-site verification immediately following the acquisition. FastBloc SE is a software version of this product.

Acquiring in Windows Without a FastBloc Write Blocker

Never acquire hard drives in Windows without FastBloc, because Windows writes to any local hard drive visible to it. Windows will, for example, put a Recycle Bin file on every hard drive that it detects, and will also change Last Accessed date and time stamps for those drives. Media that Windows cannot write to is safe to acquire from within Windows, such as CD-ROMs, write-protected floppy diskettes, and write-protected USB thumb drives.

Windows-based Acquisitions with a non-FastBloc Write Blocker

EnCase applications cannot recognize the presence of any hard drive write blocker other than FastBloc. For that reason, EnCase will report that the subject hard drive is not protected when it might be. Users of non-FastBloc write blockers are encouraged to test their equipment and become familiar with their capabilities.

Performing a Drive to Drive Acquisition Using LinEn

Once LinEn is set up, run LinEn, choose Acquire, then select the drive to be acquired and the storage path. Optionally, provide additional metadata.

LinEn was configured as described in LinEn Setup, and autofs is disabled (cleared). The investigator identifies the subject drive to be acquired and the storage drive that
.... 230
Acquiring a DriveSpace Volume .... 231
Acquiring Firefox Cache in Records .... 232
Reacquiring Evidence .... 233
Reacquiring an Evidence File .... 233
Adding Raw Evidence Files .... 234
Remote Acquisition .... 235
Remote Acquisition Monitor .... 237
Setting Up the Storage Machine .... 238
.... 240
Hashing the Subject Drive Using LinEn .... 240
Hashing the Subject Drive Once Previewed or Acquired .... 241
Logical Evidence Files .... 242
Create Logical Evidence File Wizard .... 243
Sources Page .... 244
The Outputs Page of the Create Logical Evidence File .... 245
Creating a Logical Evidence File .... 246
Recovering Folders .... 247
Recover Folders on FAT Volumes .... 248
Recovering NTFS Folders .... 248
Recovering UFS and EXT2/3 Partitions ....
nerates a plain text file containing all words in an INDX file.
• FindValidIPs finds IP addresses.
• Index Buffer Reader parses information from an index buffer (INDX) file.

COM Folder EnScript Code

The COM folder contains sample EnScript code that uses the COM API as an integration point into various other applications, like MS Office or the Windows file system. Programmers use these includes to create new EnScript programs. The COM folder contains these programs:
• Create Word Document
• File System
• Read Word Document
• Excel Create Workbook
• Outlook Read

EnScript Debugger

The EnScript debugger allows EnScript programmers to conduct runtime debugging of their programs. After you create a project for the target EnScript program, the Start Debugging functionality is enabled.

[Figure: two toolbars. With debugging disabled (no project for the currently selected EnScript program), the toolbar shows New, Open, Save, Print, Compile, Run, Add Device, Search and Logon. With debugging enabled (there is a project for the currently selected EnScript program), the toolbar shows Start Debugging]

When you click Start Debugging, the debugger starts and opens four new tabs in the View Pane: Locals, Breakpoints, Dependencies, Ou
nfiguration types can be created:
• Spanned
• Mirrored
• Striped
• RAID 5
• RAID 10
• Basic

Software RAID

EnCase applications support these software RAIDs:
• Windows NT: see Windows NT Software Disk Configuration
• Windows 2000: see Dynamic Disks
• Windows XP: see Dynamic Disks
• Windows 2003 Servers: see Dynamic Disks

Windows NT Software Disk Configurations

In a Windows NT file system, you can use the operating system to create different types of disk configurations across multiple drives. The possible disk configurations are
• Spanned
• Mirrored
• Striped
• RAID 5
• Basic

The information detailing the types of partitions and the specific layout across multiple disks is contained in the registry of the operating system. EnCase applications can read this registry information and resolve the configuration based on the key. The application can then virtually mount the software disk configuration within the EnCase case.

There are two ways to obtain the registry key:
• Acquiring the drive
• Backing up the drive

Acquire the drive containing the operating system. It is likely that this drive is part of the disk configuration set, but in the event it is not (such as the disk configuration being used for storage purposes only), acquire the OS drive and add it to the case along with the disk configuration set drives.

To make a backup disk on the subject machine, us
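What "resolving the configuration" and "virtually mounting" a software disk configuration amounts to is reassembling one logical volume from the member images according to the layout the registry describes. The following is an added example (not EnCase code, and not the format of the registry key) that performs that reassembly for spanned, mirrored, striped and RAID 5 sets from constructed member images. The stripe size, the RAID 5 parity rotation (parity starting on the last member and moving one member left per row, data filling the remaining members in order) and the assumption that all members are the same size and start at offset 0 are choices made for this example; a real set's layout comes from the acquired configuration data.

```python
# Added example, not EnCase code. EnCase reads the layout of a Windows NT
# software disk configuration from the registry and virtually mounts it; this
# shows what that reassembly means for the configuration types listed above,
# using constructed member images. Every member is assumed to be the same size
# and to start at offset 0, and the RAID 5 parity layout is an assumption.
from typing import List, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length buffers (RAID 5 parity)."""
    return bytes(x ^ y for x, y in zip(a, b))


def assemble_spanned(members: List[bytes]) -> bytes:
    """Spanned set: members are simply concatenated in order."""
    return b"".join(members)


def mirror_consistent(members: List[bytes]) -> bool:
    """Mirrored set: every member should hold identical data. A mismatch means
    the mirror was out of sync and the examiner must decide which copy to use."""
    return all(m == members[0] for m in members[1:])


def assemble_striped(members: List[bytes], stripe: int) -> bytes:
    """Striped set (RAID 0): stripe-sized chunks are taken round-robin."""
    rows = len(members[0]) // stripe
    out = bytearray()
    for r in range(rows):
        for m in members:
            out += m[r * stripe:(r + 1) * stripe]
    return bytes(out)


def assemble_raid5(members: List[Optional[bytes]], stripe: int) -> bytes:
    """RAID 5 with one parity chunk per row. Assumed layout: parity starts on
    the last member and moves one member to the left each row; data chunks fill
    the remaining members in order. One missing member (None) is rebuilt as the
    XOR of the others, which is what makes a one-disk-short set recoverable."""
    n = len(members)
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 can rebuild at most one missing member")
    present = next(m for m in members if m is not None)
    rows = len(present) // stripe
    out = bytearray()
    for r in range(rows):
        parity_disk = (n - 1 - r) % n
        chunks: List[Optional[bytes]] = [
            None if m is None else m[r * stripe:(r + 1) * stripe] for m in members
        ]
        if missing:
            rebuilt = bytes(stripe)
            for j, c in enumerate(chunks):
                if j != missing[0]:
                    rebuilt = xor_bytes(rebuilt, c)
            chunks[missing[0]] = rebuilt
        for j, c in enumerate(chunks):
            if j != parity_disk:
                out += c
    return bytes(out)


# Constructed member images for a 3-disk RAID 5 with a 4-byte stripe holding
# the logical data b"AAAABBBBCCCCDDDD" under the layout described above.
RAID5_MEMBERS: List[Optional[bytes]] = [
    b"AAAACCCC",                # row 0 data, row 1 data
    b"BBBB" + b"\x07" * 4,      # row 0 data, row 1 parity (CCCC xor DDDD)
    b"\x03" * 4 + b"DDDD",      # row 0 parity (AAAA xor BBBB), row 1 data
]


if __name__ == "__main__":
    print(assemble_striped([b"AAAACCCC", b"BBBBDDDD"], 4))
    print(assemble_raid5(RAID5_MEMBERS, 4))
    print(assemble_raid5([RAID5_MEMBERS[0], None, RAID5_MEMBERS[2]], 4))
```

Two points are worth noticing: a striped or RAID 5 set cannot be read as "a flat file from sector 0" on any single member, because consecutive logical data is spread across all of them, and a RAID 5 set with one member absent from the case can still be reconstructed from parity, whereas a mirror whose members disagree needs an explicit decision about which copy is authoritative.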
ng 1234 and 4321 produces the same checksum but not the same CRC.

D

Device Configuration Overlay (DCO)
The Device Configuration Overlay, sometimes called Disk Configuration Overlay, is similar to the Host Protected Area. It is an optional feature within the ATA-6 standard and is supported by most hard disks. Like the HPA, it can also be used to segment a portion of the hard disk drive capacity from view by the OS or file system, usually for diagnostic or restoration purposes.

Disk Slack
This is the area between the end of the volume and the end of the device.

E

EnCase Forensic
EnCase Forensic is recognized as the standard computer forensic software, used by more than 15,000 investigators and 40 of the Fortune top 50 companies. EnCase Forensic provides law enforcement, government, and corporate investigators reliable, court-validated technology, trusted by leading agencies worldwide since 1997.

Encryption
The process of encoding information to make it unreadable without a key to decode it.

EnScript Language
A programming language and Application Program Interface (API) that has been designed to operate within the EnCase environment.

Evidence File
The central component of the EnCase methodology is the evidence file. This file contains three basic components (header, checksum, and data blocks) that work together to provide a secure and self-checking description of the state of a computer disk at the t
ns

[Figure: the Keywords right-click menu: New (Insert), Bookmark Data (Ctrl+B), Export, Import, Add Keyword List, Copy Tree (Ctrl+C), New Folder, Expand/Contract (Space), Expand All, Contract All, Set Included Folders (Num +), Include Sub Folders (Shift+Num +), Include Single Folder (Ctrl+Num +)]

[Figure: the Windows System Tools menu: Disk Cleanup, Disk Defragmenter, Files and Settings Transfer Wizard, Scheduled Tasks, Security Center, System Information, System Restore, Character Map]

[Figure: the Character Map utility in Advanced view, showing U+0021 Exclamation Mark in "Characters to copy", beside the New Keyword dialog (Search expression, Name, Case Sensitive, GREP, Active Code Page, Unicode, Unicode Big Endian, UTF8, UTF7, Code Page, Keyword tester, Unicode View) and its GREP Symbols reference: \wFFFF Unicode character, \xFF hex character, any character, any number 0-9, repeat zero or one time, repeat at least once, A through Z, repeat zero times, either X, Y or Z, neither X nor Y nor Z, literal character, group ab together. The Unicode View lists the code points 0414 0434 041E 043E 0411 0431 0420 0440 041E 043E 0415 0435 0020 0423 0443 0422 0442 0420 0440 041E 043E]

Working with Non-English Languages

To enter non-English content using the Character Map utility:
1. Click Start > All Programs >
ns (UNIX or Windows)
• Unique Files by Hash
• Yahoo Mail Pages
• Yahoo Web Mail Pages

2. Click New from the drop-down menu. The New Filter dialog appears.

[Figure: the Filters tab in the Filter pane with its right-click menu (New, Export, Import, New Folder, Expand/Contract (Space), Expand All, Contract All) and the filter list: Hotmail Web Mail Pages, Netscape Web Mail Pages, OLK Folders Containing Attachments, Search File Permissions (UNIX or Windows), Unique Files by Hash, Yahoo Mail Pages, Yahoo Web Mail Pages]

3. Enter a descriptive name in the Filter Name field and click OK. A source editor appears in the Table pane, containing the filter skeleton:

    class MainClass {
      bool Main(EntryClass entry) {
        return true;
      }
    }

4. Enter EnScript code as required to accomplish your task. The newly created filter name appears at the bottom of the Filter pane list.
5. Execute the new filter as required by double-clicking it.

Editing a Filter

Change a filter's behavior by editing it. Display the Filter list in the Filter pane, then edit it. Edit a filter as follows:
1. Right-click the filter you want to edit. A drop-down menu appears.

[Figure: the filter right-click menu: Run, Edit (Enter), New (Insert), Delete (Delete), Export, Import, Rename (F2), New Folder]
390. when adding EFS files to a logical evidence (L01) case:
1. The file is encrypted and the EFS stream is missing from the same folder within the L01: the file cannot be decrypted.
2. The file is encrypted and the EFS stream is in the same folder: the file can be decrypted, except for the remainder of the file, if any.
3. The file is decrypted and the EFS stream is missing: the file remains decrypted.
4. The file is decrypted and the EFS stream is in the same folder: the file is decrypted twice. The workaround in this case was to disable EFS or delete the private key from the secure storage.
From version 6.11 on, all the scenarios above are handled gracefully because the EFS stream is added internally:
- If the file is encrypted, the EFS stream is automatically stored with the file as metadata.
- If the file is decrypted, the EFS stream is not automatically stored, as it is not needed. This does not prevent you from storing the stream by specifically saving it to the LEF.
- If an encrypted file is decrypted and added, this is noted and displayed in the report.

CHAPTER 10 Bookmarking Items: Bookmarks Overview 401; Bookmark Features 406; Creating a Bookmark 414; Using Bookmarks 422.

Bookmarks Overview
EnCase allows files, folders or sections of a file to be marked and saved for reference. These are called bookmarks. Bookmarks are stored in their associated case file and can b
391. Hashing the Subject Drive Using LinEn
This lets the investigator record the hash value of the drive. Prerequisites: LinEn is configured as described in the setup topics, autofs is disabled (so that the subject drive is not mounted automatically), and the investigator has identified the subject drive to be hashed.
To perform a hash using LinEn:
1. Navigate to the folder where LinEn resides and type linen in the console. The LinEn Main Screen displays.
2. Select Hash. The Hash dialog displays.
3. Select a drive and click OK. The Start Sector dialog displays.
4. Accept the default or enter the desired Start Sector and click OK. The Stop Sector dialog displays.
5. Accept the default or enter the desired Stop Sector and click OK. The Hash Results dialog displays.
6. If you want the hash result to be written to a file, click Yes. The Save Hash Value to a File dialog displays; otherwise the LinEn Main Screen displays.
7. Enter the path and filename of the file that will contain the hash value and click OK. The hash value is saved and the LinEn Main Screen displays.
A hash value is calculated for the selected sectors of the selected drive. You can save this hash value to a file, and comparing it with the value computed after acquisition shows whether the drive was altered in between.

CHAPTER 5 Navigating the EnCase Interface: The Main Window 60; Panes and their Specific Tabs 98; Navigating the Tree Pane 115; Modifying the Table Pane 122; Modifying the View Pane 148.

The Main
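As an added example, not part of LinEn or of this guide, the Python below computes what the procedure above produces: a digest over an inclusive Start..Stop sector range of a raw device or image, appended to a results file. It assumes 512-byte sectors and an inclusive stop sector, defaults to MD5 (the digest EnCase hash values of this era are expressed in) but accepts any hashlib algorithm name, and the eight-sector image built in demo() is a constructed stand-in for the subject drive.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed sector size for the Start/Stop sector arithmetic


def hash_sectors(path, start_sector=0, stop_sector=None, algorithm="md5",
                 chunk_sectors=4096):
    """Hash sectors start_sector..stop_sector (inclusive) of a device or image."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as dev:
        dev.seek(0, os.SEEK_END)          # works for block devices, where getsize() may report 0
        total_sectors = dev.tell() // SECTOR_SIZE
        if stop_sector is None:
            stop_sector = total_sectors - 1
        if not 0 <= start_sector <= stop_sector < total_sectors:
            raise ValueError(f"sector range {start_sector}..{stop_sector} "
                             f"outside 0..{total_sectors - 1}")
        dev.seek(start_sector * SECTOR_SIZE)
        remaining = (stop_sector - start_sector + 1) * SECTOR_SIZE
        while remaining:
            chunk = dev.read(min(remaining, chunk_sectors * SECTOR_SIZE))
            if not chunk:
                raise IOError("short read: device ended before the stop sector")
            digest.update(chunk)
            remaining -= len(chunk)
    return {
        "device": path,
        "algorithm": algorithm,
        "start_sector": start_sector,
        "stop_sector": stop_sector,
        "sectors": stop_sector - start_sector + 1,
        "digest": digest.hexdigest(),
    }


def save_hash_value(result, out_path):
    """Append one line per hash to the results file, like LinEn's Save Hash Value."""
    line = (f"{result['algorithm']} {result['device']} sectors "
            f"{result['start_sector']}-{result['stop_sector']}: {result['digest']}\n")
    with open(out_path, "a", encoding="ascii") as fh:
        fh.write(line)
    return line


def demo():
    """Constructed 8-sector image where sector i is filled with byte value i."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "subject.dd")
        with open(image, "wb") as fh:
            for i in range(8):
                fh.write(bytes([i]) * SECTOR_SIZE)
        whole = hash_sectors(image)                 # default range: every sector
        part = hash_sectors(image, 2, 3)            # Start Sector 2, Stop Sector 3
        expected = hashlib.md5(bytes([2]) * SECTOR_SIZE
                               + bytes([3]) * SECTOR_SIZE).hexdigest()
        saved = save_hash_value(part, os.path.join(tmp, "hash.txt"))
        return {"whole": whole, "part": part, "expected": expected, "saved": saved}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real drive the path would be the block device (for example /dev/sdb) opened read-only, and the partial-range form is what you use to hash a partition or a suspected HPA separately from the whole disk.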
392. ntent of a Device 180; Global Tab 33; Globally Unique Identifier (GUID) 521; Glossary of Terms 517; Goto 148; GREP 521; GUID 521; Guidance Software 527
H: Hardware Disk Configuration 224; Hash 522; Hash a New Case 335; Hash Analysis 334; Hash Sets 336, 522; Hashing 236; Hashing the Subject Drive Once Previewed or Acquired 237; Hashing the Subject Drive Using LinEn 57, 236; Help for EnScript Modules 495; Help Menu 78; Hexadecimal 522; Hiding Columns 124; Highlighted Data Bookmarks 396; Host Protected Area (HPA) 522
I: If the Restored Disk Does Not Boot 255; Import Keywords 345; Importing Conditions 143; Importing Filters 137; Include EnScript 497; Included EnScript Components 333; Increasing the Number of Images Per Row 316; Index 522; Index Case 490; Indexing 152, 360; Indexing a Case 152; Individual Panes 88; Initializing the Database 256; Installed Files 25; Installing EnCase Forensic 21; Installing Security Keys 29; Installing the Examiner 23; Integers 402; Internet History Searching 350; Internet Protocol Address (IP) 522; Internet Report 442; Internet Searching 351; Introduction 15, 45
K: Keyword 522; Keyword Searches 339; Keyword Tester 343
L: Leaving Console Mode 218; LEF EFS Encryption Enhancement 17; Legal Notification 527; LinEn Set Up Under Red Hat 48; LinEn Set Up Under SUSE 48; LinEn Uti
393. nterface 81
The toolbar icons are New, Open, Save, Print, Add Device, Search, Logon, Logoff, Refresh and Find; the accompanying menu also shows Bookmark Data (Ctrl+B), Export, Copy (Ctrl+C), Go To (Ctrl+G), Select All (Ctrl+A) and Find (Ctrl+F).
- New displays the Case Options wizard, where a new case is defined.
- Open displays the Open dialog, where you can open an existing case.
- Print displays the Print dialog.
- Refresh updates a list or table to reflect changes made in the file system to files that drive the EnCase application.
- Save displays, once a case is opened, the Save dialog.
- Add Device displays, once a case is opened, the Add Device wizard so that a device can be previewed or acquired.
- Search displays the Search dialog so that evidence associated with the case can be searched.
- Logon displays the Logon dialog so that you can log on to the SAFE. This icon only appears in enterprise applications.
- Logoff logs you off the SAFE. This icon only appears after you have logged on to the SAFE.
Other icons are described in the context where they appear.

Panes
Most EnCase work is done from one of the panes in the main display. The current display contains four panes containing different data and displays:
- Tree pane: shows case-associated data in a tree format.
- Table pane: presents a tabular data list that varies depending on various selections.
- View pan
394. [Figure: the Text tab rendering a JPEG file that carries Exif data; the binary content shown in the figure is not reproducible.]

The Hex Tab
The Hex tab shows a split view of a file with hexadecimal values on the left and ASCII on the right. For the same JPEG the view begins 00000  FF D8 FF E1 15 FE 45 ..., that is, the JPEG start-of-image marker FF D8, the APP1 marker FF E1, the two-byte segment length and the start of the ASCII string Exif.
395. ocated in the lower left quadrant of the four-pane display.
Virtual File System (VFS): The EnCase Virtual File System lets examiners mount computer evidence as a read-only offline network drive for examination in Windows Explorer. The value of this feature is that it gives examiners multiple examination options, including the use of third-party tools, with evidence served by EnCase.
Virtual Machine: Software that creates a virtual environment on a computer platform so the user can run software. Several discrete execution environments reside on a single computer, each running an operating system. This allows applications written for one OS to run on a machine with a different OS.
VMware: A wholly owned subsidiary of EMC Corporation; it supplies much of the virtualization software available for x86-compatible computers. VMware software runs on Windows and Linux.
W
Write Blocker: A tool, software or hardware, that prevents writes to a subject device while allowing investigators to safely read from the device.

CHAPTER 16 Guidance Software: Legal Notification 535; Support 537.

Legal Notification
CEIC, EnCase eDiscovery Suite, EnCase Enterprise, EnCase Enterprise AIRS, EnCase Forensic, EnCE, EnScript, FastBloc, Guidance Software, Neutrino, Snapshot and WaveShield are registered trademarks or trademarks owned by Guidance Software in the
396. of the message; this is in contrast to cryptography, which does not disguise the existence of the message but obscures its content.
Subject: The computer or media that the investigator actually examines.
Swap File: A file on secondary storage used by the operating system's virtual memory. Memory pages held in primary storage are written to it, freeing the faster primary storage for other processes in use, so that non-contiguous memory can be presented to a software process as contiguous memory. A swap file is also called a page file; it is of forensic interest because it can hold remnants of process memory.
T
Table Pane: Part of the program user interface located in the upper right quadrant of the four-pane display.
Temp Folder: A folder that allows segregation and control of temporary files created in the course of an investigation. See also Export Folder.
Tree Pane: A part of the program user interface located in the upper left quadrant of the four-pane display.
U
Unicode: An industry standard that enables text and symbols from all the world's writing systems to be consistently represented and manipulated by computers. Unicode consists of:
- A character repertoire
- An encoding methodology and a set of standard character encodings
- A set of code charts for visual reference
- An enumeration of character properties such as upper and lower case
- A set of reference data computer files
- Rules for normalization, decomposition, collation and rendering
V
View Pane: A part of the program user interface l
397. of each evidence file segment in MB (default 640, minimum 1, maximum 10737418240)
-g <Granularity>  Error granularity in sectors (default 1, minimum 1, maximum 1024)
-b <BlockSize>  Sectors per block for the evidence file (default 64, minimum 1, maximum 1024)
Compute hash while acquiring the evidence (default TRUE; values TRUE or FALSE)
-a <AlternatePath>  A semicolon-delimited list of alternate paths (maximum 32768 characters)
-n <Notes>  Notes (maximum 32768 characters)
-f <Configuration File>  Path to a configuration file holding variables for the program (maximum 32768 characters)
-h  Help message
* Required field

Configuration File
You can create a configuration file to fill in some or all of the variables. The configuration file must be in the format OptionName=Value and can be used in conjunction with command-line options. All of these options have the same restrictions as their command-line counterparts. Options entered on the command line override the same option in the configuration file, so you can override a specific setting in the configuration file by entering the appropriate information on the command line. Options for the configuration file are as follows:
EvidencePath  Path and file name of the evidence file to be created (maxim
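The precedence and range rules above (config file supplies values, command line overrides them, every value checked against the same limits) are easy to get wrong in a wrapper script. The Python below is an added example, not WinEn's own parser, that implements them. The config-file option names other than EvidencePath (SegmentSize, Granularity, BlockSize, Hash, AlternatePath, Notes), the treatment of blank and '#' lines, and the sample configuration are assumptions for the demonstration; the numeric limits and defaults are the ones listed above, and the single-letter switches are only those the list shows.

```python
# Numeric options and the limits given in the option list above.
INT_RANGES = {
    "SegmentSize": (1, 10737418240),  # MB per evidence-file segment
    "Granularity": (1, 1024),         # error granularity in sectors
    "BlockSize": (1, 1024),           # sectors per block
}
TEXT_OPTIONS = {"EvidencePath", "AlternatePath", "Notes"}   # 32768-character limit
MAX_TEXT = 32768
DEFAULTS = {"SegmentSize": 640, "Granularity": 1, "BlockSize": 64, "Hash": True}
REQUIRED = {"EvidencePath"}

# Switch letters shown in the option list; SegmentSize and Hash have no letter
# in the text above, so they are reachable here only through the config file.
CLI_LETTERS = {"g": "Granularity", "b": "BlockSize", "a": "AlternatePath", "n": "Notes"}


def parse_config_text(text):
    """Parse OptionName=Value lines. Blank lines and '#' comments are skipped
    (an assumption; the guide only specifies the OptionName=Value form)."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"config line {lineno}: expected OptionName=Value, got {raw!r}")
        options[name.strip()] = value.strip()
    return options


def parse_cli(argv):
    """Turn ['-g', '8', '-n', 'text'] into {'Granularity': '8', 'Notes': 'text'}."""
    options = {}
    i = 0
    while i < len(argv):
        flag = argv[i]
        if not (flag.startswith("-") and flag[1:] in CLI_LETTERS):
            raise ValueError(f"unknown switch {flag!r}")
        if i + 1 >= len(argv):
            raise ValueError(f"switch {flag!r} needs a value")
        options[CLI_LETTERS[flag[1:]]] = argv[i + 1]
        i += 2
    return options


def validate(options):
    """Apply defaults and the range/length checks; raise ValueError on any deviation."""
    resolved = dict(DEFAULTS)
    for name, value in options.items():
        if name in INT_RANGES:
            low, high = INT_RANGES[name]
            try:
                number = int(value)
            except ValueError:
                raise ValueError(f"{name}: {value!r} is not an integer")
            if not low <= number <= high:
                raise ValueError(f"{name}: {number} outside {low}..{high}")
            resolved[name] = number
        elif name == "Hash":
            if str(value).upper() not in ("TRUE", "FALSE"):
                raise ValueError(f"Hash: {value!r} must be TRUE or FALSE")
            resolved[name] = str(value).upper() == "TRUE"
        elif name in TEXT_OPTIONS:
            if len(value) > MAX_TEXT:
                raise ValueError(f"{name}: longer than {MAX_TEXT} characters")
            resolved[name] = value
        else:
            raise ValueError(f"unknown option {name!r}")
    missing = REQUIRED - set(resolved)
    if missing:
        raise ValueError(f"missing required option(s): {sorted(missing)}")
    return resolved


def resolve_options(argv, config_text):
    """Merge config file and command line; command-line values win."""
    merged = {**parse_config_text(config_text), **parse_cli(argv)}
    return validate(merged)


def option_error(argv, config_text):
    """Return the validation message for a rejected invocation, or None if accepted."""
    try:
        resolve_options(argv, config_text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed configuration file (not one shipped with WinEn).
SAMPLE_CONFIG = """\
# winen.cfg - constructed example
EvidencePath=E:\\cases\\host01\\memory.E01
SegmentSize=2000
Granularity=8
Hash=TRUE
"""
```

With this config file, `-g 1` on the command line yields Granularity 1 while SegmentSize stays at 2000 and BlockSize falls back to its default of 64; `-g 4096` is rejected before anything is acquired, which is the behaviour the Error Handling section below describes.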
398. of the Report pane. The report displays in the Report pane.

Creating a Webmail Report
Complete the Webmail Parser.
1. Select the folder to see its contents in the Table pane.
2. Select a file to report on, then select the Report tab of the Report pane. The report displays.
[Figure: a Hotmail compose page (compose1.htm) rendered as a report; the sample message carries the subject "Fwd: Bank Name" and an attachment named Account and Routing Numbers.txt. The page's HTML and JavaScript are not reproduced here.]

Alternative Report Method
You can generate a report in the Table pane as well.
1. Select the file in the Table pane.
2. Click the In Report column to include the item in the report.
3. Click the Report panel of the Table pane to view the report.
399. og 405; Bookmark Reports and Reporting 428; Bookmarking an Image 315; Bookmarking Items 358, 395; Bookmarking Non-English Language Text 469; Bookmarks Overview 395; Booting the Restored Hard Drive 254; Browse for Folder Dialog 159, 161; Building a Package 503; Burn 519
C: Canceling an Acquisition 209; Case Backup 154; Case File 519; Case File Format 153; Case File Time Zones 169; Case Management 151, 152; Case Options Page of the New Case Wizard 166; Case Options Tab 32; Case Processor 485; Case Processor Modules 487; Case Related Features 156; CD/DVD Inspector File Support 226; Changing Filter Order 135; Changing Report Size 440; Checksum 519; Choose Devices Page of the Add Device Wizard 187; Choosing Database Sources 257; Cleaning an EDB Database 300; Clearing the Invalid Image Cache 317; Close Case 175; Cluster 519; Code Page 519; Color Tab 35; COM Folder EnScript Code 492; Combining Filters 134; Command Line Options 267; Completing the After Acquisition Page of the Acquisition Wizard 205; Completing the Choose Devices Page 192; Completing the Destination Page 286; Completing the File Selection Page 285; Completing the Options Page 286; Completing the Options Page of the Acquisition Wizard 208; Completing the Preview Devices Page 192; Completing the Search Page of the Acquisition Wi
400. okmarked as one or more file group bookmarks, and the Folder Comment field is disabled. When Bookmark Selected Items is cleared, only the single file highlighted in the Table pane is bookmarked, as a notable file; any other selected files are not bookmarked.
- Create new bookmark folder determines whether a new folder is created and whether Folder Name and Folder Comment are displayed.
- Folder Name contains the name for the new bookmark folder.
- Folder Comment contains the comment describing the bookmarked files that the new folder contains.
- Comment contains a short comment when using this dialog to create a notable file bookmark.
- Destination Folder displays the Bookmarks tree so the destination folder can be selected.

Creating a Bookmark
You can create these types of bookmarks: Highlighted Data, Notes, Folder Structure, Notable File, File Group and Log Record. EnScript programs create Snapshot and Datamark bookmarks. EnCase applications create Case Time Settings and Search Summary bookmarks as a result of acquiring a device.

Creating a Highlighted Data Bookmark
You can select any content displayed in the View pane and bookmark it. Content must display in a tab of the View pane.
To bookmark highlighted content displayed in the View p
401. olbar in Different Modes and Contexts, showing (1) Acquisition mode, and the rest in EnCase Enterprise: (2) before logging in and opening a case, (3) after logging in and opening a case, (4) with an acquired device selected from the Entries tree and (5) with an entry selected from the Entries table. The five toolbars read: New, Open, Print, Refresh; New, Open, Print, Logon, Refresh; New, Open, Save, Print, Add Device, Search, Logon, Logoff, Refresh; New, Open, Save, Print, Add Device, Search, Logon, Logoff, Refresh, Close, Acquire; New, Open, Save, Print, Add Device, Search, Logon, Logoff, Refresh, Acquire.
There is a corresponding menu command for each toolbar icon. When the toolbar is wider than the main window, the toolbar wraps to another line. Some icons are enabled only when they are useful, such as Print and Refresh. The panes and the tabs in the toolbars also provide context-dependent icons for functionality accessed through the context-dependent right-click menus provided in those features.
Figure 6: A Context-dependent Icon and Its Associated Right-Click Menu Command, where 1 is the context for the right-click menu and 2 is the corresponding menu command and toolbar icon. The Find command opens the Find dialog, where a search string can be defined that searches within the content highlighted in the View pane.
Navigating the EnCase I
402. ols 523
Options
Use the Options dialog to customize the software. See the chapter The Options Dialog on page 155 for complete information on this topic.
1. Click Tools > Options. The Options dialog opens; its default folders are C:\Program Files\EnCase6\Export, C:\Program Files\EnCase6\Temp and C:\Program Files\EnCase6\Index.
2. Click on a tab to make changes to settings.
3. When you are finished making the changes to tabs, click OK.

CHAPTER 15 Glossary of Terms
A
ASCII: ASCII (American Standard Code for Information Interchange) is a character encoding based on the English alphabet. ASCII codes represent text in computers, communications equipment and other devices that work with text. Most modern character codes have a historical basis in ASCII. ASCII was first published as a standard in 1967 and was last updated in 1986. It currently defines codes for 33 non-printing, mostly obsolete, control characters that affect how text is processed, plus 95 printable characters.
B
Bookmark: Bookmarks let you annotate evidence and analytical artifacts. Files, folders, address ranges within files, collections of files or data, and even bookmarks themselves can be bookmarked.
Burn: The process of recording data to an optical disc such as a CD or DVD.
C
Case File: A text file containing information specific to one case. The file includes pointers to one or more evidence files, devices, bookm
403. olumn, Sort, Select Item (Space), Go to Parent.
The Show Columns dialog lists the available fields with check boxes (Name, Preview, Hit Text, Entry Selected, File Offset, Length, Filter, In Report, File Ext, File Type, and so on) with OK and Cancel buttons.
Note: See Table Tab Columns on page 102 for information on all columns.
To hide columns, clear the appropriate check boxes, then click OK.

Showing Columns in the Records Tab
1. Select the Records tab (the Table pane tabs are Entries, Bookmarks, Search Hits, Records and Additional Fields).
2. Right-click in the blank area of the Table pane and select Show Columns. The same menu offers Bookmark Data (Ctrl+B), Export, Tag Selected Files (Ctrl+Shift+T), Tag File (Ctrl+T), Copy (Ctrl+C), Column, Sort and Select Item (Space).
3. The columns display in a tree structure. The Show Columns tree has the nodes Name, Filter, In Report, Search Hits, Additional Fields, Common email fields, Common phone fields, Common internet fields, Common SIM fields, Local fields, Entry fields and Other.
Navigating the
404. om view. It does not delete them from the case.
The right-click menu offers Copy (Ctrl+C), Show Excluded, Show Deleted, Delete (Delete), Delete All Selected (Ctrl+Delete), Exclude (Ctrl+E), Exclude All Selected (Ctrl+Shift+E), Export, Tag File (Ctrl+T), View Search Hits, Bookmark Selected Items, Show Columns, Column, Sort, Select Item (Space) and Go to Parent (BkSp).
Note: Excluded search hits are indicated by the international Not symbol. In the figure below, the file setuplog.txt in row 14 is included, while setupact.log, setupact.log and LAYOUT.PNF in rows 15, 16 and 17 are excluded.

Deleting Items
When using Search Hits, delete is considered a soft delete, which you can undelete until the case is closed. If a search hit remains deleted when the case is closed, the hit is permanently deleted. In other tabs, however, undelete works only with the last selection deleted. Once a case is closed, deleted items are permanently removed and cannot be recovered.
Run, then view a keyword search. This process is similar to the Exclude Files feature on page 360. View the search hits report in the Table pane before excluding them from the report.
1. Select files to exclude, then right-click the view, selecting either Delete or Delete All Selected.
405. onClass  Acquisition details
AllowedClass
AppDescriptorClass  Application descriptor
ApplicationClass  Application plug-in
ArrayClass  Use as the return type of a fu
ArrayEditClass  Edit an array of values
BatchClass  This object creates connectio
BookmarkClass  A bookmark
BookmarkFolderClass  A bookmark folder
BookmarkReferenceClass  Bookmark reference
bool  8-bit boolean; can hold the v
ButtonClass  A push button
byte  8-bit unsigned int
CaseClass  Contains global case data
CDCacheItemClass
char  16-bit unsigned character
CheckBoxClass  Checkbox
The Tree pane contains a list of classes. Double-clicking an entry provides additional detail for the class.

Hash Analysis
A hash function is a way of creating a digital fingerprint from data. The function substitutes or transposes data to create a hash value. Hash analysis compares case file hash values with known, stored hash values. The hash value is commonly represented as a string of random-looking binary data written in hexadecimal notation. If a hash value is calculated for a piece of data and one bit of that data changes, a hash function with a strong mixing property usually produces a completely different hash value. A fundamental property of all hash functions is that if two hashe
406. one of the formats above.
Error Handling
The program checks all values entered to make sure they conform to expectations. Any deviation causes the program to exit or prompt for a correct value.
Additional WinEn Information
- Progress Bar: While the process is running, it uses hash marks across the screen as a status indicator, using the full width of the screen as the 100% mark.
- Cancel: To stop the process while it is running, use the Ctrl+Break or Ctrl+C key combination.
- WinEn Driver: At run time WinEn drops its driver file in the same directory where WinEn is running. This driver is named WinEn.sys or WinEn64.sys.
- Changes to target system: When WinEn runs on a system, the following changes can be expected:
  - When executed, WinEn loads into memory on the target system. This is unavoidable and takes up approximately 2.8 MB of RAM.
  - The Windows Service Control Manager creates registry keys when it loads the WinEn driver. These keys are typically stored in HKEY_LOCAL_MACHINE\SYSTEM\<ControlSet>\Enum\Root\LEGACY_WINEN and HKEY_LOCAL_MACHINE\SYSTEM\<ControlSet>\Services\winen_.
  - Data is written to the page file based on operating system memory use.
  Record these changes in your acquisition notes; they are the footprint the acquisition itself leaves in the evidence and will otherwise look like unexplained activity.

Renaming WinEn
As noted above, WinEn leaves remnants on the system where it is run. If desired, you can rename the WinEn executable so that the remnants are obfuscated. Renaming the executable also causes the
407. onjunction with a hash analysis.
- Verify file signatures performs a signature analysis during a search.
- Compute hash value performs a hash analysis during a search.
- Recompute hash value regenerates previously computed hash values.
- Search for Email turns on the dialog's email search options.
- Recover Deleted accesses deleted email.
- Email Type List provides options for the email types that can be recovered.
- Verify Signatures performs a signature analysis during a search. It determines whether the file extension matches the signature assigned to that file type.
- Identify Codepages tries to detect the code page for a file.
- Search for Internet History recovers web data cached in the web history file.
- Comprehensive Search searches for Internet history in unallocated space.

Viewing Record Search Hits
Records are virtual files created when email or Internet history searches are performed. Searching records is straightforward:
1. Click Records when the search finishes.
2. Select Set Include.
3. Select a record that shows a search hit.
4. Select Hits on the Filter pane.
5. Click keyword folders one by one to see search hits. The newly created records are now visible.

Viewing Search Hits
Search hits are organized by each keyword appearing in the Tree pane. Search hits within each keyword appear in the Table pane.
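Signature analysis, the Verify Signatures option above, is the check that catches a file whose extension lies about its content. The Python below is an added example, not EnCase's signature table or its classifier: it uses a small constructed table of file signatures (magic bytes, offset, and the extensions that legitimately carry them) and classifies each entry with four statuses modelled on those a signature-analysis column reports (Match, Bad signature, Alias, Unknown) under simplified rules. The sample entries are constructed headers, not real files.

```python
# Constructed signature table (not the EnCase FileSignatures table):
# (description, magic bytes, offset in file, extensions that legitimately carry it)
SIGNATURES = [
    ("JPEG image",       b"\xff\xd8\xff",       0, {"jpg", "jpeg"}),
    ("PNG image",        b"\x89PNG\r\n\x1a\n",   0, {"png"}),
    ("GIF image",        b"GIF8",                0, {"gif"}),
    ("PDF document",     b"%PDF-",               0, {"pdf"}),
    ("ZIP archive",      b"PK\x03\x04",          0, {"zip", "docx", "xlsx", "pptx"}),
    ("Windows PE image", b"MZ",                  0, {"exe", "dll", "sys", "scr"}),
]


def identify_header(header):
    """Return the first signature whose magic appears at its offset, else None."""
    for sig in SIGNATURES:
        _, magic, offset, _ = sig
        if header[offset:offset + len(magic)] == magic:
            return sig
    return None


def extension_of(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def verify_signature(name, header):
    """Classify one file from its name and leading bytes.

    Match          extension agrees with the header's signature
    Bad signature  extension belongs to a known type but the header does not
                   carry that type's signature (renamed file, or damaged header)
    Alias          header identified, but the extension is not in the table
    Unknown        neither the header nor the extension is recognised
    """
    ext = extension_of(name)
    sig = identify_header(header)
    ext_known = any(ext in s[3] for s in SIGNATURES)
    if sig and ext in sig[3]:
        return "Match", sig[0]
    if sig and not ext_known:
        return "Alias", sig[0]
    if ext_known:
        return "Bad signature", sig[0] if sig else None
    return "Unknown", None


def signature_analysis(entries):
    """entries: {name: leading bytes}. Returns {name: (status, identified type)}."""
    return {name: verify_signature(name, header) for name, header in entries.items()}


# Constructed sample entries (only the first bytes of each file are needed).
SAMPLE_ENTRIES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",   # a PE renamed to .pdf
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "backup.bin":  b"PK\x03\x04\x14\x00\x06\x00",
    "notes.txt":   b"meeting at 10\n",
    "photo.png":   b"<html><body>not a picture",            # known extension, wrong content
}


if __name__ == "__main__":
    for name, (status, kind) in signature_analysis(SAMPLE_ENTRIES).items():
        print(f"{name:14} {status:14} {kind or ''}")
```

The entries flagged Bad signature are the ones worth opening in the Hex tab first: invoice.pdf is an executable wearing a document extension, and photo.png is not an image at all.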
408. only mode, which occurs when the application is opened on a machine that does not have a dongle or appropriate licenses. Additional functionality modules add commands and icons.

System Menu
The system menu organizes commands provided by the EnCase application. The system menu appears in the main window. The system menu, along with the right-click context-specific menus, provides commands to execute application functionality. The system menu contains the following commands: File, Edit, View, Tools and Help. When clicked, the commands in the system menu display the corresponding menu. The Edit menu does not display in acquisition mode, although the Edit command always displays in the system menu. Some of the commands in the menus displayed by the system menu commands are context-dependent. Context-dependent commands appear in the menus but are disabled unless the current application context makes them available.

File Menu
The File menu provides commands that manipulate application files and global application settings. You can:
- create new case files
- open existing case files
- save case files and global settings
- add devices to cases
- print the contents of files
- add raw images to cases
- exit the application
File menu commands: New, Open (Ctrl+O), Save (Ctrl+S), Save As, Save All (Ctrl+Shift+S), Print, Printer Setup
409. ons. It is also a great way to show specific information about the type of media in the case.
Notable File Bookmarks: Use notable file bookmarks to bookmark individual files. These bookmarks provide a means of focusing the investigator's attention on specific files.
File Group Bookmarks: File group bookmarks annotate a collection of individual files selected as a group. Bookmarking a collection of files helps the investigator organize evidence.
Snapshot Bookmarks: Snapshot bookmarks include a wide variety of volatile data resulting from running the various EnScript programs. In EnCase Forensic, the Scan Local Machine program creates snapshot bookmarks. The output of the program is always bookmarked. After Scan Local Machine is run, a bookmark toolbar displays that contains the Home tab and the Snapshot tab. The Snapshot tab has a toolbar associated with it; this toolbar displays a tab command for each type of snapshot bookmark created by one of the EnScript programs. Each type of snapshot bookmark has a Tree pane and Table pane associated with it. Each table displays data specific to the class of system component shown in the Table pane. Snapshot bookmarks include: Machines (the snapshot on the Home tab), Open ports, Processes, Open files, Network interfaces, Network users and DLLs.
Log Record Bookmarks: These bookmarks are created whenever console and status dialog messages ar
410. onse and comprehensive forensic-level analysis of information found anywhere on a computer. These products are scalable platforms that integrate with existing systems to create an investigative infrastructure.
New in this version: LEF EFS Encryption Enhancement 17; WinEn 18; Snapshot to DB Module Set 19; Lotus Notes Local Database Encryption 19; EnCase Examiner Support for Microsoft Vista 19; 64-Bit EnCase Servlet 19; Send to HBGary Responder EnScript 20.

LEF EFS Encryption Enhancement
Previous EnCase versions handled the following scenarios differently when adding EFS files to a logical evidence (L01) case:
1. The file is encrypted and the EFS stream is missing from the same folder within the L01: the file cannot be decrypted.
2. The file is encrypted and the EFS stream is in the same folder: the file can be decrypted, except for the remainder of the file, if any.
3. The file is decrypted and the EFS stream is missing: the file remains decrypted.
4. The file is decrypted and the EFS stream is in the same folder: the file is decrypted twice.
All of the above scenarios are now handled gracefully because the EFS stream is added internally.

WinEn
WinEn is a standalone command-line utility that captures the physical memory on a live computer running a Windows operating system (Windows 2000 or highe
411. ontain controls in addition to tabs. The scrollbar exposes these controls as well as tabs when either is hidden.
Each tab also has a grab handle used to move the tab outside the main window, where it appears in a secondary window. Once three tabs are removed from the main window, the last tab in the main window no longer displays a grab handle, because it cannot be removed from the main window.

Pane Tab Bar and Pane Tab Bar Menu
Each pane contains one or more tabs. Clicking a tab displays different content in the pane. Tabs are organized into a tab bar. Tabs may contain sub-tabs, and these are organized by separate tab toolbars. Each tab bar has its own menu. The menu displays when you right-click the tab bar.
Figure 11: Pane Tab Bars and their Tab Bar Menus. The tab bars have been darkened where the menu can be displayed. The tabs have their own menus. Tabs were closed on the second tab bar to shorten it.
Auto Fit toggles whether the tab bar displays as a single row with a scrollbar or wraps to multiple rows when the pane is resized.

Tab Right-Click Menu
Each tab or sub-tab displays the same right-click menu. This menu manages tabs and provides another way of moving from one tab to another. The tab toolbar menu command Auto Fit is also available here.
Figure 12: The right-click menu, where 1 indicates that you
412. ontents appear.
3. The View pane (tabs Text, Hex, Doc, Transcript, Picture and Report) shows the record; its columns include Name (compose), Search Hits (No) and Additional Fields (Yes). [Figure: a recovered Yahoo webmail page; its HTML and JavaScript are not reproduced here.]
You can save or export the report as desired.

Extracting Email
The program's search engine can search various types of email artifacts, including attachments. See Acquisition Wizard on page 198, Performing a Search on page 357 and Searching for Email on page 369 for additional information. The procedures outlined in these sections discuss how to extract and view both email and attachments.

Searching Email
This program feature displays all emails and any associated attachments in tree view. Once recovered, these can be viewed in the Report, Doc or Transcript tabs of the Report pane.
1. Click Search. The Search page of the search wizard appears.
2. Select the desired email types and click Start. The Email Search Options are: Search for email, Recover deleted, Outlook (PST), Outlook Express (DBX), Exchange (EDB), Lotus (NSF), AOL and MBOX.
3. View search progress in the status bar.
Clic
413. or
- One GB of RAM
- Windows 2000, XP Professional or 2003 Server
- 55 MB of free hard drive space
The program also supports the 64-bit version of Windows.
Note: Intel Itanium processors are not supported.
Note: FastBloc SE supports only the USB interface with the 64-bit version.

Installing the Examiner
If you are using Local Processing, install the program by inserting the CD into a drive and waiting for autostart. Do this for each client. If you are using Terminal Services, install the program using the Add/Remove Programs wizard on the application server. Once installation begins, a wizard displays (the screenshots show an EnCase v6.4 installer; the default install path is C:\Program Files\EnCase6).
1. Enter an installation path or accept the default and click Next.
2. Read and agree with the EnCase License Agreement and click Next.
3. Click Next.
4. The Installation Folder page notes that to replace some files that are in use, the system will need to be rebooted. Select Reboot Later or Reboot Now and click Finish.

Installed Files
During installation the program copies itself and a collection of associated files to the target directory.
414. ...or Hex tab is updated to reflect the new encoding.

Working with Non-English Languages 477

Viewing Non-Unicode Files
Display a file in any encoding or code page after you define it. To view non-Unicode files:
1. Click Text Styles with the text displayed in the Text or Hex tab of the View pane. The Text Styles pane appears in the Filter pane.
2. Click the desired non-Unicode text style. The displayed text in the Text or Hex tab updates to reflect the new encoding.

Associating Code Pages
Non-English language files can be associated with a particular code page. A code page list is checked to prevent use of an unavailable code page, for instance when a file is opened on one system and then reopened on another that does not have the complete set. If the original code page is unavailable when a file is opened, the code page association is removed. This process is transparent, but if you open a case or mount a volume with a missing code page, a message listing the missing code pages appears.
You can associate code pages manually, or automatically through Windows identification.
To manually set the code page:
1. Apply a Text Style with the desired code page to the entry.
2. Check the code page check box on the EnCase main window.
To have Windows automatically associate code pages to entries:
1. Select the Search button and check the Identify code page option.
2. After the search completes, the code page column populates.
415. ...Specifying and Running an Acquisition. The drive is acquired.

Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCase applications can detect and image DCO and/or HPA areas on any ATA-6 or higher disk drive. These areas are detected using LinEn (Linux) or the FastBloc SE module. EnCase applications running in Windows with a hardware write blocker will not detect DCOs or HPAs. EnCase applications detect these areas when using:
- FastBloc SE
- LinEn, when the Linux distribution used supports Direct ATA mode
The application now shows whether a DCO area exists in addition to the HPA area on a target drive. FastBloc SE is a separately purchased component.
An HPA is a special area located at the end of a disk. It is usually configured so that a casual observer cannot see it, and it can only be accessed by reconfiguring the disk. HPA and DCO are extremely similar; the difference is the SET MAX ADDRESS bit setting, which allows a removed HPA to be recovered at reboot. When supported, EnCase applications see both areas if they coexist on a hard drive. For more information, see the EnCase Modules Manual.

Working with Evidence 215

Using a Write Blocker
Write blockers prevent inadvertent or intentional writes to an evidence disk. Their use is described in these sections:
- Windows-based Acquisitions with FastBloc Write Blockers
- Acquiring in Windows Without FastBloc
- Windows-based Acquisitions with a non-FastBloc Write Blocker
FastBloc sup
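Worked example, added here and not part of the EnCase or LinEn documentation: how the three maximum-address values an ATA drive reports relate to the HPA and DCO described above. It parses a constructed IDENTIFY DEVICE block (the feature bits in words 82 and 83 and the sector counts in words 60-61 and 100-103 are the ATA layout; the sample buffer is built by the example itself) and computes the hidden sector counts from the IDENTIFY count, the READ NATIVE MAX ADDRESS value and the DEVICE CONFIGURATION IDENTIFY value. Function names, the 2048/4096-sector hidden areas and the 312,500,000-sector disk size are the example's own choices.

```python
"""Relating ATA IDENTIFY, READ NATIVE MAX ADDRESS and DCO IDENTIFY values to HPA/DCO sizes.

Added example; not EnCase/LinEn code. Sample data is constructed inline.
"""
import struct

SECTOR_BYTES = 512


def parse_identify(buf: bytes) -> dict:
    """Parse the fields of a 512-byte IDENTIFY DEVICE block that matter for hidden areas."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    w = struct.unpack("<256H", buf)          # 256 little-endian 16-bit words
    lba48 = bool(w[83] & (1 << 10))          # word 83 bit 10: 48-bit addressing supported
    sectors28 = w[60] | (w[61] << 16)        # words 60-61: user-addressable sectors (28-bit)
    sectors48 = w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48)  # words 100-103
    return {
        "hpa_supported": bool(w[82] & (1 << 10)),   # word 82 bit 10: Host Protected Area feature set
        "dco_supported": bool(w[83] & (1 << 11)),   # word 83 bit 11: Device Configuration Overlay
        "lba48": lba48,
        "user_sectors": sectors48 if lba48 else sectors28,
    }


def hidden_areas(user_sectors: int, native_max_lba: int, dco_max_lba: int) -> dict:
    """Sector counts hidden by an HPA and a DCO.

    user_sectors   comes from IDENTIFY DEVICE (a count);
    native_max_lba comes from READ NATIVE MAX ADDRESS (EXT) (last LBA, so add 1 for a count);
    dco_max_lba    comes from DEVICE CONFIGURATION IDENTIFY (last LBA).
    """
    native_sectors = native_max_lba + 1
    dco_sectors = dco_max_lba + 1
    if not user_sectors <= native_sectors <= dco_sectors:
        raise ValueError("expected IDENTIFY <= native max <= DCO max")
    hpa = native_sectors - user_sectors       # HPA: above the user area, below the native max
    dco = dco_sectors - native_sectors        # DCO: above the native max, below the factory max
    return {
        "hpa_sectors": hpa, "hpa_bytes": hpa * SECTOR_BYTES,
        "dco_sectors": dco, "dco_bytes": dco * SECTOR_BYTES,
        "true_sectors": dco_sectors,
    }


def build_identify(user_sectors: int, hpa: bool = True, dco: bool = True) -> bytes:
    """Construct a sample IDENTIFY DEVICE block (test data only, not read from a drive)."""
    words = [0] * 256
    capped = min(user_sectors, 0x0FFFFFFF)   # 28-bit count saturates at the 28-bit limit
    words[60] = capped & 0xFFFF
    words[61] = (capped >> 16) & 0xFFFF
    words[82] = (1 << 10) if hpa else 0
    words[83] = (1 << 10) | ((1 << 11) if dco else 0)   # 48-bit always on in this sample
    for i in range(4):
        words[100 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *words)


if __name__ == "__main__":
    USER = 312_500_000                       # a 149 GB disk, as in the device table on this page
    ident = parse_identify(build_identify(USER))
    print(ident)
    # Constructed drive: a 2048-sector HPA and a 4096-sector DCO above the user area.
    print(hidden_areas(ident["user_sectors"], USER + 2048 - 1, USER + 2048 + 4096 - 1))
```

The check a practitioner wants is the inequality in hidden_areas: if IDENTIFY, native max and DCO max are all equal, nothing is hidden; if the tool you are imaging with only ever shows you the IDENTIFY value (as a Windows write blocker does), you cannot tell the difference.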
416. ...open or close the hierarchy at the point of the highlighted item. To open and close all folders displayed in the Tree pane, do one of the following:
- Right-click the folder and choose Expand/Contract from the right-click menu.
- Click the Expand/Contract icon.
- With the folder highlighted, press the space bar.
[Right-click menu: Export, Copy/UnErase, Copy Folders, Bookmark Data (Ctrl+B), Bookmark Folder Structure, Create Hash Set, Create Logical Evidence File, Analyze EFS, Mount as Network Share, Expand All, Contract All, Set Included Folders (Num +), Include Sub Folders (Shift+Num +), Include Single Folder (Ctrl+Num +), Expand/Contract (Space).]

Expand All
You can expand all nested folders beneath the highlighted folder with one menu click. Whether the entire Tree pane hierarchy is closed or one or more folders are open, the entire tree can be expanded to display all of its contents.

Navigating the EnCase Interface 117

Use the right-click Expand All command to show the whole hierarchy. Start at the Entries root to open all available folders. [Screenshot: the expanded Entries tree for the case Hunter XP, showing C:\$Extend, AOL Instant Messenger, Documents and Settings\All Users\Application Data\Microsoft\Crypto (DSS, Log, MachineKeys, RSA) ...]
417. ...Completing the Options Page of the Acquisition Wizard.
- Click Finish. The acquisition begins. If the file is to be saved in the case, the CRCs are verified and any after-acquisition processing is performed.
The thread statuses for the acquisition, verification and post-processing are displayed as the processes execute. Once the processes are complete, the results dialog appears. While the acquisition is running it can be cancelled; see Cancelling an Acquisition.
Note: The evidence file, containing both the content of the device and its associated metadata, is saved as determined by the New Evidence File setting on the After Acquisition page of the Acquisition Wizard.

Completing the After Acquisition Page of the Acquisition Wizard
This page of the Acquisition wizard specifies the actions taken once the content has been acquired but before the acquisition is completed.
Before you begin: open the Acquisition wizard to the After Acquisition page.
[After Acquisition dialog: Acquire another disk; Search, Hash and Signature Analysis; New Image File: Do not add / Add to Case / Replace source device / Restart Acquisition; Existing Evidence File; Back, Cancel.]
To define actions after the acquisition:
1. If additional disks are to be acquired after this acquisition, select Acquire another disk. When Acquire another disk is selected, the image associated with that
418. ...supports the AMD 64-bit architecture. By replacing the existing IDE and SCSI controller driver with the Guidance driver, only read-only requests are sent to the attached hard drives. The FastBloc SE Module can be used with devices equipped with these Promise SATA cards:
- 300 TX4302
- 300 TX4
- 300 DOPLUS
There is also support for the AMD Athlon 64 processor and for systems running Microsoft Windows XP 64-bit edition and Microsoft Windows Server 2003 64-bit edition.

Windows-based Acquisitions with FastBloc Write Blockers
The following write blockers are supported in EnCase Enterprise v6.0:
Figure 25 FastBloc FE
Figure 26 FastBloc 2 FE v1
Figure 29 FastBloc 2 LE
Computer investigations require a fast, reliable means to acquire digital evidence. FastBloc Lab Edition (LE) and FastBloc Field Edition (FE), hereafter referred to as FastBloc, are hardware write-blocking devices that enable the safe acquisition of subject media in Windows to an EnCase evidence file. Before FastBloc was developed, non-invasive acquisitions were conducted exclusively in cumbersome command-line environments. The hardware versions of FastBloc are not standalone products. When attached to a computer and a subject hard drive, FastBloc provides investigators with the ability to quickly and safely preview or acquire data in a Windows environment. The unit is lightweight, self-contai
419. ...reports based on data in any tab in the Tree pane. Some of the most commonly created reports contain bookmarks or search hits. Creating a report typically involves these steps:
1. Select the items to report on, whether files, bookmarks, search hits or other data.
2. Select the type of report you want using the tabs in the Tree pane.
3. From the Table tab in the View pane, enable the items to show in the report.
4. From the Table tab, switch to the Report tab.
5. Modify the report as needed.
6. Export the report to a format viewable outside your EnCase application.
Examples of different types of reports are discussed in detail in later sections of this chapter.

Reporting 445

Enabling or Disabling Entries in the Report
Before entry data can be inserted in a formal report, the entries must be marked for inclusion.
[Table pane screenshot: Report, Gallery, Timeline, Disk and Code tabs; columns Name, File Ext, In Report, Description, File Type. Rows 13 and 14: bookmarks.htm, htm, No, "File, Invalid Cluster", Web Page. Row 15: bookmarks.html, html, Yes, "File, Deleted, Overwritten", Web Page.]

Report Single Files
Open a case and display its contents in the Table pane.
1. Highlight the file to include in the report, or check the box next to the record number (542 in the figure).
[Table pane screenshot: row 539 and following.]
420. ...Enterprise; Examples; Forensic (Case Processor, File Mounter, Index Case, Scan Local Machine, Webmail Parser); Include. [EnScript panel tree.] To run a script, double-click it in the table.

Case Processor
Use Case Processor to run one or more EnScript modules against an open case. To run Case Processor, double-click the program name. A Case Processor wizard appears with the name of the open case.
[Case Processor dialog: case v6 Hunter XP Forensic; Export Path C:\Program Files\EnCase6\Export; Enter a Bookmark Folder Name; Enter a Folder Comment (optional).]
Export Path populates with the default export path. Click Next to display the module selection wizard.

EnScript Analysis 493

5. Make the desired selections and click Finish.
[Case Processor module list: Logfile Parser, Active Directory Information, AOL IM Information, App Descriptor Utility, Compromise Assessment Module, Consecutive Sectors, Credit Card Finder, E-Mail Address Finder, EDS Registry Parser, EXIF Viewer, File Finder, File Report, Find Protected Files, HTML Carver.]

Case Processor Modules
Each module available in Case Processor provides different information.
Logfile Parser parses specific information from the Logfile.
Active Directory Information Parser provides
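Added example (not the Credit Card Finder or E-Mail Address Finder module's own code): the two modules listed above are, at their core, pattern scans over text, and the detail that keeps a card-number scan useful is a Luhn check on every candidate so that invoice and ticket numbers are not reported as PANs. The regular expressions, the handling of a greedy match that glues two adjacent numbers together, and the sample text are this example's own; the test card numbers are the widely published 4111... and 5500... values.

```python
"""Credit-card and e-mail address finder with Luhn filtering.

Added example; not the Case Processor's own code. The sample text is constructed.
"""
import re

CARD_CANDIDATE = re.compile(r"(?:\d[ -]?){12,18}\d")    # 13-19 digits, optional space/dash separators
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs of plausible length that pass Luhn, separators removed."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # A greedy match can glue two adjacent numbers together; keep the longest
        # Luhn-valid prefix of 13-19 digits, if any, and drop runs that never validate.
        for n in range(min(19, len(digits)), 12, -1):
            if luhn_ok(digits[:n]):
                found.append(digits[:n])
                break
    return found


def find_email_addresses(text: str) -> list:
    return sorted(set(EMAIL.findall(text)))


# Constructed sample text: two valid test PANs, one non-card digit run, a phone number.
SAMPLE_TEXT = """\
Order confirmation for alice@example.com (cc: bob.smith@mail.example.org)
Card on file: 4111-1111-1111-1111
Backup card 5500 0000 0000 0004 exp 12/09
Ticket 1234567812345678 is not a card number; phone 213 555 1234.
"""

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_TEXT))      # the two Luhn-valid numbers only
    print(find_email_addresses(SAMPLE_TEXT))
```

Run it over unallocated clusters as decoded text (for example the latin-1 view of a sector range) and the Luhn filter does most of the noise reduction; a BIN-range check per issuer would tighten it further but is not included here.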
421. ...appropriate subtree or machine and click OK. The appropriate IP addresses appear in Machines.
5. Review the available modules listed in Case Processor Modules in Forensic EnScript Programs, then select the desired modules to run, if any, from the Modules List.
The Sweep Options page of the Sweep Enterprise wizard appears.
6. If servlets need to be deployed on the machines to be swept:
a. Click Servlet Options. The Servlet Options dialog appears.
b. Click Deploy Servlet. You can now change the settings.
c. If the username and password must be updated, enter this information in Update Machine's Username/Password and click Update.
d. If machines in the subtree to be swept already have servlets deployed, should not have servlets deployed, or should not be swept, enter the IP address of the machine in Machine and click Exclude.
7. If the paths to the servlets on your machine must be changed, enter or browse to the appropriate paths.
8. Click OK. Sweep Enterprise runs and the results appear in the Bookmark table on the Bookmark Home panel.

Forensic EnScript Code
To view EnScript programs in the EnScript panel of the Tree pane, click View > EnScript. To view EnScript components in the Filter pane, click EnScripts to display the EnScript panel. Open a folder from the EnScript object to see the available scripts listed in the Table pane.
[Filter pane tabs: EnScript, Hits, Filters, Conditions; tree: EnScript > Enter...]
422. [Text tab of a recovered email message, shown with byte offsets in the left column (048825133 onward); the Forensic EnScript tree (Case Processor, File Mounter, Index Case, Scan Local Machine) is visible beside it.] The recoverable content of the message is:

    Heres one
    ------=_NextPart_001_0006_01BF33AC.44D403C0
    Content-Type: text/html; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">
    <HTML><HEAD><META content=3D"text/html; charset=3Diso-8859-1" http-equiv=3DContent-Type>
    <META content=3D'"MSHTML 4.72.3110.7"' name=3DGENERATOR></HEAD>
    <BODY bgColor=3D#ffffff><DIV><FONT color=3D#000000 size=3D2>Heres one</FONT></DIV></BODY></HTML>

    ------=_NextPart_001_0006_01BF33AC.44D403C0--

    ------=_NextPart_000_0005_01BF33AC.44D403C0
    Content-Type: image/jpeg; name="vll.jpg"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="vll.jpg"

    ...AQSkZJRgABAgEASABIAAD/7Q4MUGhvdG9zaG9wIDMuMAA4QklNA... (base64 body continues)
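Added example, not EnCase code, serving both the Searching Email procedure earlier on this page and the MIME message shown above: what "recovering an email with its attachments" amounts to once the container (here a single message, and an MBOX file built from it) has been parsed. It decodes the quoted-printable HTML body, extracts the base64 JPEG attachment with its name, size and MD5, and checks the attachment's first bytes against its declared type. The message, its boundary string (modelled on the one above) and the tiny JPEG stub are constructed for the example; the function names are its own.

```python
"""Extract attachments and bodies from MIME email, single message or MBOX (added example).

Not EnCase code: it shows what the Searching Email feature recovers, using Python's
standard email and mailbox modules. The message below is constructed to mirror the
MIME structure shown on this page (an HTML part plus a base64 JPEG attachment).
"""
import base64
import email
import email.message
import hashlib
import mailbox
import os
import tempfile

# Constructed minimal JPEG (SOI, APP0/JFIF header, EOI): enough for a header check, not an image.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00\xff\xd9"
BOUNDARY = "----=_NextPart_000_0005_01BF33AC.44D403C0"   # modelled on the boundary on this page


def _build_sample() -> bytes:
    b = BOUNDARY.encode()
    return b"".join([
        b"From: sender@example.com\n",
        b"To: recipient@example.com\n",
        b"Subject: Heres one\n",
        b"MIME-Version: 1.0\n",
        b'Content-Type: multipart/mixed; boundary="' + b + b'"\n\n',
        b"--" + b + b"\n",
        b'Content-Type: text/html; charset="iso-8859-1"\n',
        b"Content-Transfer-Encoding: quoted-printable\n\n",
        b"<HTML><BODY bgColor=3D#ffffff><DIV>Heres one</DIV></BODY></HTML>\n",
        b"--" + b + b"\n",
        b'Content-Type: image/jpeg; name="vll.jpg"\n',
        b"Content-Transfer-Encoding: base64\n",
        b'Content-Disposition: attachment; filename="vll.jpg"\n\n',
        base64.encodebytes(JPEG_STUB),
        b"--" + b + b"--\n",
    ])


SAMPLE_EML = _build_sample()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _as_message(msg_or_bytes) -> email.message.Message:
    if isinstance(msg_or_bytes, email.message.Message):
        return msg_or_bytes
    return email.message_from_bytes(msg_or_bytes)


def extract_attachments(msg_or_bytes) -> list:
    """One record per attachment: name, declared type, size, MD5 and a JPEG header check."""
    records = []
    for part in _as_message(msg_or_bytes).walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() != "attachment" and part.get_filename() is None:
            continue
        data = part.get_payload(decode=True)    # undoes base64 / quoted-printable
        records.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "md5": md5_hex(data),
            # Declared type vs. header bytes: a mismatch is worth a second look.
            "header_matches_type": part.get_content_type() == "image/jpeg"
                                   and data[:3] == b"\xff\xd8\xff",
        })
    return records


def body_html(msg_or_bytes) -> str:
    """Decoded text of the first text/html part (quoted-printable removed, charset applied)."""
    for part in _as_message(msg_or_bytes).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "iso-8859-1"
            return part.get_payload(decode=True).decode(charset, errors="replace")
    return ""


def scan_mbox(path: str) -> list:
    """(subject, attachment count) for each message in an MBOX file."""
    return [(msg["Subject"], len(extract_attachments(msg))) for msg in mailbox.mbox(path)]


def demo_mbox() -> list:
    """Write the sample message into a temporary MBOX file and scan it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.mbox")
        box = mailbox.mbox(path)
        box.add(SAMPLE_EML)
        box.flush()
        box.close()
        return scan_mbox(path)


if __name__ == "__main__":
    print(extract_attachments(SAMPLE_EML))
    print(body_html(SAMPLE_EML))
    print(demo_mbox())
```

The MD5 of each decoded attachment is what you would hash-match against a known-file set; hashing the base64 text instead would never match.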
423. ... The physical memory image captured by WinEn is placed in a standard evidence file along with the user-supplied options and information. WinEn runs from a command prompt on the computer where you want to capture the memory. WinEn has a very small memory footprint and is typically run from a removable device such as a thumb drive. Although this method makes minor changes to the computer running WinEn, it is the most effective way to capture physical memory before shutting down a computer.

New Features 19

Snapshot to DB Module Set
This script takes snapshots of nodes across a network and stores the snapshots in a SQL database. It also reads from the database to create reports on the snapshots taken. It allows for minimal maintenance of the database so that you can control the amount of data stored. Three EnScripts work with the database to perform their tasks:
- Initialize Database EnScript
- Snapshot to DB EnScript
- Snapshot DB Reports EnScript

Lotus Notes Local Database Encryption
EnCase can now decrypt a local Lotus Notes user mailbox (NSF file suffix). The local mailbox is a replica of the corresponding encrypted mailbox on the Domino server.

EnCase Examiner Support for Microsoft Vista
EnCase Examiner now supports the Windows Vista operating system. EnCase must run as an administrator to access the local Vista computer.

64-Bit EnCase Servlet
EnCase now includes a servlet for the 64-bit versions of Windows XP
424. ...r icons display depending on their context. There is always a corresponding menu command.

Tools Menu
The Tools menu at the top of the display contains commands for various utility programs.
[Tools menu: Index Case (Ctrl+I), Webmail Parser, Search, Logon, Wipe Drive, Verify Evidence Files, Create Boot Disk, Mount as Network Share Client, Write block IDE channel, Write block USB/Firewire/SCSI drive, Options, Next Location (Ctrl+Down), Prev Location (Ctrl+Up), Refresh (F5).]

Using EnCase Tools 517

EnScript Programs Shortcut Submenu
The shortcut submenu contains shortcuts to EnScript programs that are designated in the Tools Menu Plugin. The Tools Menu program is in the EnScript panel of the Filter pane. You can modify it to include additional shortcuts in the Tools menu.
[Figure: the EnScript program shortcuts and the EnScript program that provides the related command functionality. EnScript tree: Enterprise, Examples, Include, Forensic > Tools Menu Plugin. Tools: Index Case (Ctrl+I), Webmail Parser, Search, Logon, Wipe Drive, Verify Evidence Files, Create Boot Disk, Options, Refresh.]

Wipe Drive
Warning: This procedure completely erases media and overwrites its contents with a hexadecimal character. Invoke Wipe Drive with extr
425. ...r own notes.
- Snapshot Data is a mandatory checkbox.
- Hash Processes is checked by default.
3. Click Finish.
4. Select, then double-click the App Descriptor Module to select an output file. If there are no folders displayed, create a new one.

Analyzing and Searching Files 381

[App Descriptor Utility dialog: Select Output App Descriptor Folder (App Descriptors > Common, My App Descriptors, EXE Files, SYS Files); Select Process State (NOPROFILE, NOTFOUND, NOTAPPROVED, APPROVED); Create App descriptors for every EXE and SYS file; Create App descriptors for every ELF binary; Group Common app descriptors.]
Selecting a process state is optional. If either the Create App Descriptors for every EXE and SYS file option or the Create App Descriptors for every ELF Binary option is selected, the Select Process State options are disabled.
5. Execute the selected EnScript program. When the script is complete, the newly created app descriptors are available.
6. Change the display as follows:
a. Click Bookmarks.
b. Double-click the new bookmark in the Tree pane.
c. Select Snapshots in the Table pane.
d. Select the Snapshots tab. Select the Processes tab and the Home tab to view the information.
7. Select Include All in the Table pane to view the name, hash value and app descriptor data for the files.

Encryption Support
Encryption is the process of converting data into a format that cannot be read
426. [Table pane screenshot, rows 21-28: deleted picture files raisednoteten.jpg, Counterfeit finepri..., Mellon.GIF, EAL-1.GIF, EAL-2.GIF, _TRONG.GIF and RANK2.JPG, each described as "Deleted Files" with Is Deleted = Yes and two timestamps (dated 01/07/01 and 01/28/05); row 28 is the folder "Bits", not deleted.]

View Pane
The View pane contains tabs that display the content of the entry highlighted in the Table pane in different ways. Some of the tabs are more appropriate than others for certain kinds of data.
Figure 16 Two View panes showing two ways to view the content: top, the Hex tab; bottom, the Text tab, where 1 marks the tab toolbars, 2 is the hexadecimal view in the Hex tab, 3 is the text view of the same object and 4 is the text in the Text tab. Notice that the text representations in 3 and 4 are the same.
[View pane tabs: Text, Doc, Transcript, Picture, Report, Console, Details, Output.]
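Added example, not EnCase code, illustrating both the Hex tab / Text tab relationship in Figure 16 and the Text Styles and code page handling described earlier on this page: the same bytes rendered as a hex view with a text column and as a decoded text view under a chosen code page, plus the "which code pages are missing on this system" check that the case-loading message reports. The Windows-1251 and UTF-16LE sample bytes are constructed; function names are the example's own.

```python
"""Hex and Text views of the same bytes under a chosen code page (added example).

Not EnCase code. It mirrors the Hex tab / Text tab behaviour described above: the bytes
do not change, only the Text Style (code page) used to render them. Sample bytes are constructed.
"""
import codecs


def missing_codepages(names) -> list:
    """Entries of a case's code page list that this system cannot decode."""
    missing = []
    for name in names:
        try:
            codecs.lookup(name)
        except LookupError:
            missing.append(name)
    return missing


def text_view(data: bytes, codepage: str = "latin-1") -> str:
    """The Text tab: decode the whole buffer; non-printable characters become '.'."""
    text = data.decode(codepage, errors="replace")
    return "".join(ch if ch.isprintable() else "." for ch in text)


def hex_view(data: bytes, codepage: str = "latin-1", width: int = 16, base: int = 0) -> list:
    """The Hex tab: offset, hex bytes and a per-byte text column decoded under the code page.

    The text column decodes one byte at a time so it stays aligned with the hex column.
    That is right for single-byte code pages and deliberately shows multi-byte text as
    '.' fragments, which is why the Text tab is the better view for Unicode content.
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        chars = []
        for b in chunk:
            try:
                ch = bytes([b]).decode(codepage)
            except UnicodeDecodeError:          # undefined byte, or a multi-byte page
                ch = "."
            chars.append(ch if ch.isprintable() else ".")
        lines.append(f"{base + off:08X}  {hexpart}  {''.join(chars)}")
    return lines


# Constructed samples: the same bytes mean different things under different code pages.
CYRILLIC = b"\xcf\xf0\xe8\xe2\xe5\xf2"        # "Привет" in Windows-1251
UNICODE_LE = "Hi".encode("utf-16-le")        # 48 00 69 00
MIXED = b"caf\xe9 " + CYRILLIC + b" " + UNICODE_LE

if __name__ == "__main__":
    for cp in ("latin-1", "cp1251", "utf-16-le"):
        print(f"{cp:10} -> {text_view(MIXED, cp)}")
    print("\n".join(hex_view(MIXED, "cp1251")))
    print(missing_codepages(["cp1252", "cp1251", "cp99999"]))
```

The point of the Text Style mechanism is visible in the output: under Latin-1 the Cyrillic bytes read as "Ïðèâåò", under cp1251 as "Привет"; a keyword typed in the wrong code page will not hit either.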
427. ...search, identify, recover and deliver digital information in a forensically sound and cost-effective manner. Since our founding in 1997, we have moved into network-enabled investigations and enterprise-wide integration with other security technologies. This section provides information on our support for you through:
- Reference manuals and release notes
- Support portal on the Web, including access to downloads
- Technical Support Department
- Customer Service Department
- Message Boards
- Training
- Professional Services

Reference Manuals and Release Notes
Guidance Software provides printed manuals for all of our product line, as well as PDF versions of interim updates and Release Notes describing new features and fixed problems. Read this manual to understand the product and its use. Before acquiring live evidence, run several test acquisitions and try different processes for examining files.

Technical Support
Guidance Software provides a variety of support options, including phone, e-mail, online submission forms, an up-to-date knowledge base and a message-board technical forum. Support is available from Sunday 7:00 PM through Friday 6:00 PM Pacific Time (Monday 3:00 AM to Saturday 1:00 PM GMT). This excludes public holidays in the United States and the United Kingdom during the respective business hours.
Phone/mail support, US contact info: 215 North Marengo Avenue, Sui
428. ...graphical indicators mark the devices that are previewed or blocked via FastBloc or another write-blocking device. A blue triangle in the lower right corner of the device icon indicates a previewed device. A blue square around the device icon indicates the device is write-blocked by FastBloc.
[Table pane screenshot: Physical Disk 0, 312,500,000 sectors (149 GB); Volume, sector 0, 853.1 MB; description "FastBloc Previewed Device".]

Previewing the Content of a Device
Once devices and evidence files are added to the case file, the devices can be previewed before they are acquired.
Note: When a file is initially written to a multi-session CD it is assigned an offset. When the same file is changed, it is written again to the CD as a new file in the new session, but with the same offset. Any number of revisions of the initial file are assigned the same offset. The file and all of its revisions can be viewed. Because the offset is used to associate bookmarks with the bookmarked entity, a bookmark of content on a multi-session CD will remount the first file encountered with that offset when the case is reopened.
Verify that the device containing the content to be previewed was added to the case. To preview the content of a device that was added to the currently opened case:
1. On the Tree pane or Table pane of the main window, look at the icon of the device b
429. [Table pane screenshot, rows 42-48: Word documents with code page 1252 (Der optimistische A..., FERAE.doc, an Arabic-titled document), the $UpCase and $Boot entries, and Dg82.txt with code page 20127 (Text Document).]

CHAPTER 13 EnScript Analysis
EnScript Analysis 479
Enterprise EnScript Programs 481
EnScript Example Code 499
Packages 505
Send To HBGary Responder EnScript 511

EnScript Analysis
The EnScript language is a scripting language and Application Program Interface (API). It is designed to operate within the EnCase software environment. Although similar to ANSI C++ and Java, not all the functions available in these languages are available. The EnScript language uses the same operators and general syntax as C++, though classes and functions are different. Classes and their included functions and variables are found in the EnScript Types panel in the Tree pane.
Note: For general information on a particular element, highlight it in the Code panel and press F1 to find the element in the EnScript Types panel.
EnScript programs allow investigators and programmers to develop utilities to automate and facilitate forensic investigations. The programs can be compiled and shared with other investigators. A programming background and a
430. ...re 535
Legal Notification 536
Support 537
Reference Manuals and Release Notes 537
Technical Support 538
Customer Service 543
Training 543
Professional Services 544
Index 545

CHAPTER 1 Introduction
Introduction 15

Introduction
Thank you for purchasing your Guidance Software application. You now own the world's leading technology for computer and enterprise investigation. This application is one of the many court-validated Guidance Software solutions used by government agencies, corporate organizations and law enforcement investigators around the world.
Guidance Software solutions provide an enterprise investigative infrastructure that enables corporations, government and law enforcement agencies to conduct effective digital investigations, respond promptly to large-scale data collection needs, and take decisive action in response to external attacks. Guidance Software products have changed the landscape by providing complete, immediate resp
431. ...reviews your mounted files and looks for CREDANT-encrypted data. If it finds such data, a logon dialog displays.
1. The dialog populates with a known user name and password, Server, Machine ID and the Shield CREDANT ID (SCID). CREDANT files are processed and decrypted with no further interaction.
[Credant Mobile Guardian credentials dialog (CredantV5 2.1.163 BlowFish HD): Online checked; Username; Password; Server https://10.0.40.68:8081/xapi; Offline Server File Path; Machine ID; Shield CREDANT ID.]
The offline dialog is similar: the Online check box is blank, and the Machine ID and SCID fields are unavailable.
2. Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to re-enter them.
The illustration below shows the results of a successful decryption:
- The Tree pane shows a CREDANT folder.
- The Table pane contains a list of decrypted files.
- The Text pane shows the contents of a decrypted file.
[Screenshot of the EnCase main window after decryption.]
432. ...Configuring Your Linux Distribution 48
Performing Acquisitions with LinEn 50
Hashing the Subject Drive Using LinEn 58

Introduction
The LinEn utility runs on the Linux operating system and facilitates the following functions:
- Performing drive-to-drive acquisitions
- Performing crossover acquisitions
LinEn runs independently of the Linux operating system, thus improving acquisition speeds, and runs in 32-bit mode rather than 16-bit mode. Because Linux provides greater device support, LinEn can acquire data from a larger set of devices.
As with other operating systems, modifications to the operating system need to be made to prevent inadvertent disk writes. Linux typically has a feature called autofs installed by default. This feature automatically mounts, and thus writes to, any medium attached to the computer. Instructions in this chapter describe how to disable this feature to protect the integrity of your evidence.

Viewing the License for LinEn
LinEn must be running and you must be on the LinEn main screen. To view the license for LinEn:
1. Press L. The license displays.
2. Press Enter. The LinEn main screen displays.

Using LinEn 47

Creating a LinEn Boot Disc
If you want to run LinEn on the subject machine, you need to create a LinEn boot disc. When you create a LinEn boot disc, it is important to choose a Live Linux distribution, as these types of distributions are designe
433. ...Network crossover (LinEn)
- Local devices (LinEn disk-to-disk)
Evidence files are added through the interface. The evidence files involved include those created by a LinEn disk-to-disk acquisition. You can also add evidence files initially created for other cases to the currently opened case. A network crossover acquisition involves both LinEn and the EnCase application. LinEn disk-to-disk acquisitions create evidence files safely in the Linux environment without using a write blocker. Dragging and dropping a file results in the file being added as a single file rather than an evidence file; when an evidence file is dragged and dropped, it is added to the case as an evidence file.

Doing a Typical Acquisition
A typical acquisition consists of a local device acquisition using Windows and a FastBloc write blocker.

Acquisition Wizard
Use the Acquisition wizard to perform acquisitions. Before acquiring a device's content, the device must be added to the case using the Add Device wizard. The Acquisition wizard captures the specifications for the acquisition. The wizard contains the following pages:
- After Acquisition page
- Optional Search page
- Options page
Each is explained in detail below.

After Acquisition Page
Use the After Acquisition page of the Acquisition wizard:
- to ease the acqui
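Added example, not EnCase code and not a description of the evidence file format, for the acquisition procedure above and the "CRCs are verified" step mentioned with the Options page earlier on this page: it models an acquisition as storing the device data in checksum-protected blocks plus one hash of the whole image, then verifies by re-checking every block and re-hashing, and shows which block a single flipped byte is reported in. The 64-sector block size, CRC-32 as the block checksum and MD5 as the acquisition hash are assumptions of the example; the in-memory "device" is constructed.

```python
"""Acquire-then-verify with per-block CRCs and a whole-image hash (added example).

Not EnCase code and not the evidence file format: it models the verification step the
wizard text describes (block CRCs checked, then the acquisition hash compared). Block size
(64 sectors) and checksum (CRC-32) are assumptions; MD5 is used as the acquisition hash.
The "device" is constructed in memory.
"""
import hashlib
import zlib

SECTOR = 512
SECTORS_PER_BLOCK = 64          # assumption for this example
BLOCK = SECTOR * SECTORS_PER_BLOCK


def acquire(device: bytes) -> dict:
    """Image a device: store data in CRC-protected blocks and record the acquisition hash."""
    blocks = []
    for off in range(0, len(device), BLOCK):
        chunk = device[off:off + BLOCK]
        blocks.append({"data": chunk, "crc": zlib.crc32(chunk) & 0xFFFFFFFF})
    return {"blocks": blocks, "sectors": len(device) // SECTOR,
            "acquisition_md5": hashlib.md5(device).hexdigest()}


def verify(evidence: dict) -> dict:
    """Re-check every block CRC, then re-hash the reassembled image (the verification hash)."""
    bad_blocks = [i for i, blk in enumerate(evidence["blocks"])
                  if zlib.crc32(blk["data"]) & 0xFFFFFFFF != blk["crc"]]
    image = b"".join(blk["data"] for blk in evidence["blocks"])
    verification_md5 = hashlib.md5(image).hexdigest()
    return {"bad_blocks": bad_blocks,
            "hash_ok": verification_md5 == evidence["acquisition_md5"],
            "verification_md5": verification_md5}


def corrupt(evidence: dict, block_index: int, byte_offset: int) -> dict:
    """Simulate a storage error: flip one byte inside one block (returns a modified copy)."""
    blocks = [dict(b) for b in evidence["blocks"]]
    data = bytearray(blocks[block_index]["data"])
    data[byte_offset] ^= 0xFF
    blocks[block_index]["data"] = bytes(data)
    return {**evidence, "blocks": blocks}


def sample_device(sectors: int = 256) -> bytes:
    """Constructed device content: a repeating byte pattern plus a boot-sector style tail."""
    body = bytes(range(256)) * (sectors * SECTOR // 256)
    return body[:510] + b"\x55\xaa" + body[512:]


if __name__ == "__main__":
    ev = acquire(sample_device())
    print("clean:", verify(ev))
    print("damaged:", verify(corrupt(ev, 2, 123)))
```

The two checks answer different questions: a failing block CRC localises where the stored image is damaged, while the hash comparison tells you whether the image as a whole still matches what was read from the device at acquisition time.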
434. ...work with the database to perform their tasks:
- Initialize Database EnScript
- Snapshot to DB EnScript
- Snapshot DB Reports EnScript
Each is discussed in detail below.

Initializing the Database
The Initialize Database EnScript:
- initializes the database
- maintains the database
You must run this script first.
1. Make sure you set up an ODBC connection properly, and note the information used for that connection.
2. Run the Initialize Database EnScript. The Initialize Database dialog opens.
[Initialize Database dialog: tabs Database Source Options and Maintenance Options; Data Source Name (SnapshotToDB); Enter User Name (Not Needed If Using NT Authentication): sa; Enter Password (Not Needed If Using NT Authentication); DB Timeout Interval (minutes); Show Queries in Console; Database Name: Snap v6.]

Choosing Database Sources
Select the Database Source Options tab to specify connection information for the database.
Data Source Name is the name you gave the ODBC connection when you created it.
Enter User Name (Not Needed If Using NT Authentication): specify a user name. If you set up the ODBC connection to use NT Authentication, it remembers your user name, so you do not need to enter it manually.
Enter Password (Not Needed If Using NT Authentication): like your user name, you must specify a password to gain access to the database. If you s
435. ...[Recent files list in the File menu: Ctrl+1 C:\Documents and Settings\jay.reidy.TS\Desktop\Hunter XP; Ctrl+2 C:\Evidence\V6 Hunter XP Forensic; Ctrl+3 C:\DOCUME~1\JAYREI~1.TS\Desktop\HUNTER~1; Ctrl+4 C:\Documents and Settings\jay.reidy.TS\My Documents\Hunter XP; Ctrl+5.]
2. Browse to the case, or select it from the recent files list at the bottom of the menu, and click Open.
Note: You can also open a case by double-clicking the case file in Windows Explorer.

Saving a Case
You can save a case:
- to its current filename and location (see Saving a Case on page 176 in this document)
- with a new filename or a new location (see Saving a Case with a New Name or New Location on page 176 in this document)
- to its current filename and location along with the application's current references, conditions and filters (see Saving a Case and the Global Application Files on page 176 in this document)

Saving a Case
To save a case:
1. Click File > Save, or click Save on the toolbar. The Save dialog appears.
2. If you want to use the case name as the file name and the default path in My Documents, click Save.
3. You can also navigate to, or enter, a different filename and path, and click Save.

Saving a Case With a New Name or New Location
You can save any case with a new name, or save it in a new location.
1. Click File > Save As. The Save dialog appears.
2. If you want to use the case name or current file n
436. ...[Keyword right-click menu: New, New Folder, Set Included Folders (Num +), Include Sub Folders (Shift+Num +), Include Single Folder (Ctrl+Num +).]
2. Click New. The New Keyword dialog appears.
[New Keyword dialog: Search expression (e.g. bomb); Name (e.g. Bomb); Case Sensitive; GREP; Unicode; Unicode Big-Endian; ANSI Latin-1; Code Page tab; Keyword tester; Unicode View (0042 0062 004F 006F 004D 006D 0042 0062); GREP Symbols reference.]
GREP symbols, as listed in the dialog:
\xFF     Hex character
\wFFFF   Unicode character
.        Any character
#        Any number 0-9
?        Repeat zero or one time
+        Repeat at least once
*        Repeat zero or more times
[a-z]    a through z
[XYZ]    Either X, Y or Z
[^XYZ]   Neither X nor Y nor Z
\X       Literal character
(ab)     Group ab together
{m,n}    Repeat m to n times
a|b      Either a or b
3. Complete the dialog as described here.
Search Expression is the actual text being searched for.
Name is the search expression name listed in the folder.
Case Sensitive searches for the keyword only in the exact case specified.
GREP uses GREP syntax for the search.
Note: Previously the ANSI Latin-1 option was called Active Code Page. Because the active code page varied according to the code page running on the Examiner machine at the time, it was replaced by ANSI Latin-1 to ensure consistent search results. ANSI Latin-1 is the default code page; it searches documents using the ANSI Latin-1 code page.
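Added example, not EnCase code: a translator from the GREP syntax listed in the dialog above into a Python regular expression, and a keyword search that runs the same expression under ANSI Latin-1, Unicode (UTF-16LE) and Unicode Big-Endian and returns byte offsets, which is what a search over raw device data has to produce. The symbol set implemented is exactly the one in the dialog; treating every other character as literal text (including ^ and $ outside a class) is an assumption about the syntax, and the sample data is constructed.

```python
"""EnCase-style GREP keyword to Python regex, searched under several code pages (added example).

Not EnCase code. It implements the symbols listed in the New Keyword dialog
(\xFF, \wFFFF, ., #, ?, +, *, [a-z], [XYZ], [^XYZ], \X, (ab), {m,n}, a|b); anything else
is treated as literal text, which is an assumption about the syntax. Sample data is constructed.
"""
import re

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
HEX4 = re.compile(r"[0-9A-Fa-f]{4}")


def grep_to_regex(pattern: str) -> str:
    out, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "x" and HEX2.fullmatch(pattern[i + 2:i + 4]):     # \xFF  hex byte
                out.append("\\x" + pattern[i + 2:i + 4]); i += 4; continue
            if nxt == "w" and HEX4.fullmatch(pattern[i + 2:i + 6]):     # \wFFFF  Unicode char
                out.append("\\u" + pattern[i + 2:i + 6]); i += 6; continue
            out.append(re.escape(nxt)); i += 2; continue               # \X  literal character
        if in_class:
            if c == "]":
                in_class = False
            out.append(c); i += 1; continue                             # ranges and negation pass through
        if c == "[":
            in_class = True; out.append(c); i += 1
            if i < len(pattern) and pattern[i] == "^":
                out.append("^"); i += 1
            continue
        if c == "#":
            out.append("\\d")                                            # any number 0-9
        elif c in ".?+*(){}|,":
            out.append(c)                                                # same meaning in Python re
        else:
            out.append(re.escape(c))                                     # literal text (assumption)
        i += 1
    return "".join(out)


def search_keyword(data: bytes, grep: str, case_sensitive: bool = True,
                   code_pages=("latin-1", "utf-16-le", "utf-16-be")) -> list:
    """Sorted (byte_offset, code_page, matched_text) over all code pages and alignments."""
    rx = re.compile(grep_to_regex(grep), 0 if case_sensitive else re.IGNORECASE)
    hits = []
    for enc in code_pages:
        width = 2 if enc.startswith("utf-16") else 1
        for phase in range(width):                      # UTF-16 text may start on an odd byte
            view = data[phase:]
            view = view[:len(view) - len(view) % width]
            text = view.decode(enc, errors="replace")
            for m in rx.finditer(text):
                # map the character index back to a byte offset by re-encoding the prefix
                byte_off = phase + len(text[:m.start()].encode(enc, errors="replace"))
                hits.append((byte_off, enc, m.group()))
    return sorted(hits)


# Constructed sample: ASCII text, a UTF-16LE string starting at an odd offset, a digit pattern.
SAMPLE = (b"Subject: the bomb is ready\n"
          + "Bomb squad".encode("utf-16-le")
          + b"\ncall 555-1234 now")

if __name__ == "__main__":
    print(grep_to_regex(r"\x25PDF-#\.#"))
    print(search_keyword(SAMPLE, "bomb", case_sensitive=False))
    print(search_keyword(SAMPLE, "555-####"))
```

The odd-offset handling is the caveat worth remembering: a UTF-16 keyword that begins on an odd byte is missed entirely by a search that only decodes from even offsets.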
437. ...format, with AM or PM attached as appropriate.
Profile Name is the owner of the message.
URL Name is the name of the URL where the message originated.
URL Host is the name of the URL host where the message originated.
Browser Cache Type shows the format in which cached data are stored. Options include image, code, HTML and XML.
Browser Type is the browser in which the artifact was viewed, such as Internet Explorer or Firefox.
Last Modification Time is the last time the cache entry was updated.
Message Codepage is the code page used for reading this cache entry.
Last Access Time shows the last time the cache entry was retrieved or loaded.
Expiration is the time when this cache entry becomes stale and is deleted from the cache.
Visit Count is the number of times this cache entry was accessed by the browser.
Server Modified is the last time the cached item was modified on the server from which it was cached.

Internet History Searching
Currently five browsers and two types of Internet history are supported:
- Internet Explorer history and cache
- Macintosh Internet Explorer history and cache
- Safari history and cache
- Firefox history and cache
- Opera history and cache
Note: The difference between a regular search and a search of unallocated space is that keywords are added internally and marked with a special tag indicating they are for Internet history searching only.
Comprehensive Internet History Searc
[Figure: the File Signatures tree with the categories Application, Application Data, Archive, Code, Database, Document, Email, Font, Internet, Multimedia, Picture and Windows.]
2. Select a folder from the Tree pane. The figure shows Document types selected. A list of the file signatures in the case appears in the Table pane.
[Figure: the File Signatures table with Name, Extensions, Search expression, In Report, GREP and Case sensitive columns, listing entries such as 3D Meta File (3dmf), 64LAN Image File (l64), 64NET Image File (n64), Adobe Encapsulated PostScript (eps), Adobe FilmStrip File (filmstrip), Adobe Font (afm), Adobe Illustrator (ai) and Adobe PDF (pdf).]
exported in txt file format. You can export all keywords at one time or create a list of selected keywords for transfer.
1. Right click a keyword in the Table pane.
2. Select Export and complete the Export dialog. Its options are Export Tree For Import, XML Formatted, Only Checked Rows, Start and Stop row numbers, the Fields to include (Name, Filter, In Report, File Ext, File Type, File Category, Signature, Description, Is Deleted) and Output File (export.txt by default).
3. Check Export Tree for Import and click OK.
Note: To export a txt file into Excel, do not select Export Tree. Check XML Formatted to export table rows or the tree structure to an XML formatted file.
Searching Entries for Email and Internet Artifacts
Records are created when email or Internet history searches are performed. EnCase searching can parse areas outside of logical file content (unallocated clusters and volume slack) for Internet history and add this data to the Records tab for further investigation. The Search dialog box features a new checkbox, Comprehensive search, to support this feature. When you select Search for Internet history, the Comprehensive Search box is enabled.
[Figure: the Search dialog showing Selected items only (829 Entries, 0 Records), Keyword Search Options (Search entries and records for keywords), Email Search Options (Search for email) and Hash Option...]
Create a Hash Set
Analyzing files by identifying and matching the unique MD5 hash value of each file is an important part of the computer forensics process. The hash library feature allows the investigator to import or custom build a library of hash sets, enabling the expedient identification of any file matches in the examined evidence. Computer forensics analysts often create different hash sets of known illegal or unapproved images, hacker tools, or non-compliant software to quickly isolate any files in an investigation that are included in that set. Hash sets, once created, are kept indefinitely and added to on a case by case basis. Adding new files as time goes by saves time and effort in subsequent investigations.
Note: When creating hash sets to identify suspect software such as non-licensed software, steganography, or counterfeiting utilities, it is important that the investigator carefully construct sets to prevent false positives.
1. Open the case and click Search. The search dialog appears.
[Figure: the Search dialog with Selected entries only, Selected records only, Keyword Search Options (Search each entry for keywords, Search each record for keywords, Selected keywords only, Search file slack, Use initialized size) and Email Search Options (Search for email, Recovered deleted, Outlook PST, Outlook Express DBX, Exchange EDB, Undelete...).]
[Figure: the Text tab showing a CREDANT encrypted Notepad file before and after decryption; the decrypted text reads "Decrypted file successfully. Good Job!".]
Supported Encryption Algorithms
EnCase's CREDANT decryption feature supports these encryption algorithms:
- AES128
- AES256
- 3DES
- Rijndael 128
[Figure: the Add Device dialog listing local drives by sector count and size, for example Windows 312,399,989 sectors (149GB), ASPI 854 sectors (1.7MB), Windows 4,005,856 sectors (1.9GB), ASPI 312,500,000 sectors (149GB) and ASPI 4,005,888 sectors (1.9GB).]
Devices Tree organizes the device definitions to be added to a case.
Devices Root Object contains the default folders that reflect the types of devices defined at this point in the Add Device process (see Adding a Device on page 192). Right click menu commands for this object determine:
- Which objects appear in the Sources tree
- Which entries display in the Table pane when the object is selected
Local Drives Object contains the current collection of child instances of the Local Drives device type (entries on the Table pane). Right click menu commands for this object determine:
- Which objects appear in the Sources tree
- Which entries display in the Table pane when the object is selected
Table Pane displays the children of the currently selected object in the Sources tree as entries in the table. Right click menu commands for this object let you:
- Toggle the Read File System Column value
- Copy an entry for use elsewhere (the copied entry cannot be pasted into the table)
- Select an entry
- Edit an entry
- Navigate to the parent object of the object containing the entry
Device Selection Column contains a check box for each row. To add a device, click its checkbox, then click Next.
Read File System Column: If this setting is not selected, the file system is read i
[Figure: the Search dialog's Additional Options: Compute hash value, Verify file signatures, Identify codepages, Search for Internet history, Comprehensive Search.]
Note: Selecting Comprehensive Search increases the time it takes to complete the search.
To create a record:
1. Click Search. A search dialog appears.
2. Select options and click Start.
3. Select Search for Internet History and Comprehensive Search to search for Internet history, including searching file slack and unallocated space.
4. When the search finishes, click View > Cases > Sub Tabs > Records. Finding history and cache results may require moving down the tree several levels.
Newly created records display in the Table pane. The Tree pane shows the type of record, and the Table pane shows the files within that record. If there are additional details regarding a file selected in the Table pane, click Additional Fields in the Tree pane to see that information.
[Figure: the Records tab, with the record tree in the Tree pane, its files in the Table pane, and an Additional Fields entry.]
was acquired. Logical Size displays the byte size of the file. Initialized Size is the size of the file when it is opened; this applies only to NTFS file systems. Physical Size is the cluster size occupied by the file, that is, the physical disk space used by the file. Given a cluster size of 4096 bytes, any file with a logical size less than 4096 bytes has a physical size of 4096 bytes. A file with just one more byte (4097 bytes, for example) requires two clusters, or 8,192 bytes of physical disk space. The 4095 byte difference in the second cluster is called slack space. Starting Extent shows the starting cluster of every file in the case. The format displayed is evidence file number, logical drive letter, cluster number. For example, a starting extent of 1D224803 means that the file is on the second evidence file (counting begins at zero), on the logical D drive, at cluster 224803. File Extents lists the number of extents a fragmented file occupies on a drive. To view extents, click the column value of the file being examined and select the Details tab of the Report pane. You can also select the file in the Table pane, then select the File Extents sub tab above the Tree pane. Permissions displays security settings of a file or folder. TRUE indicates a security setting is applied. To view security settings, select the entry and click the Details tab in the lower pane.
[Figure: the Tree pane with a registry file (NTUSER.DAT, alongside ntuser.dat.LOG and ntuser.ini) mounted as a compound volume, showing Console, Control Panel, Accessibility, Appearance, Colors, Current and Cursors keys.]
To view or mount registry files:
1. Navigate to the registry file you want to view or mount.
2. Continue with step 2 of Viewing File Structure.
The file structure of the registry file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice.
Viewing OLE Files
OLE is Microsoft's Object Linking and Embedding technology, used in the Microsoft Office suite of products. For example, OLE allows an Excel spreadsheet to be seamlessly embedded into a Word document. Microsoft Office documents that use this technology are layered compound files.
[Figure: the right-click menu with View File Structure selected, and the prompt "This file has an Exchange Database signature. Continue parsing?" with the Calculate unallocated space option; the parsed result appears as a Compound Volume.]
according to the same function are different, then the two inputs are different in some way. On the other hand, matching hash values strongly suggest the equality of the two inputs.
File Hashing
Hashing creates a digital fingerprint of a file. This fingerprint is used to identify files whose contents are known to be of no interest, such as operating system files and the more common applications. EnCase uses the MD5 hashing algorithm, and that value is stored in the evidence files. The MD5 algorithm uses a 128 bit value. This raises the possibility of two files having the same value to one in 3.40282 x 10^38. Any mounted drive, partition or file can be hashed. The hash value produced can be validated and used in the program. By building a library of hash values, the application checks for the presence of data with a hash value contained in the hash library. The hash value is determined by the file's contents. It is independent of the file's name, so the file's hash value is calculated by the program and identified as matching a value in the hash library even if the file's name has changed.
Hash a New Case
When a case is initially created it is not hashed. Before comparing the case's data with a library of known or notable files, hash the case. The Table pane display may look like this:
[Figure: the Table pane with Hash Value and Name columns, listing entries such as HashSearchscreen, buttonsearch.bmp and HashFinished Searc...]
16 bit words. When Unicode fonts are selected, 8 bit character sets and 7 bit ASCII characters do not display correctly. Use an 8 bit font such as Courier New for English text. To properly display the characters in certain code pages, you should only select a Unicode display font. Characters that are not supported by the font or code page display as a default character, typically either a dot or a square. Modify this character when using text styles in the Text and Hex tabs of the View pane.
Text Styles
The display of non English language content is controlled by both the type face of the content and the text style applied to the content. A text style applies various attributes to fonts, including:
- Line wrapping
- Line length
- Replacement character
- Reading direction
- Font color
- Class of encoding
- Specific encoding
Text styles are applied in the Text, Hex and Transcript panes. See Viewing Non Unicode Files and Viewing Unicode Files for more information. You can create and edit text styles; see Creating and Defining a New Text Style for more information. Text styles are global; therefore they are not associated with a specific case but rather can be applied to any case after they are defined.
New Text Styles Dialog
This dialog is used to define text styles that can be applied to text displayed in the Text, Transcript or Hex tabs of the View pane. This dialog consists
are set by the email messages. Outlook calendar entries' created, written and modified dates are set by the calendar applications.
[Figure: the right-click menu on a PST file with View File Structure selected, the prompt "This file has a PST signature. Continue parsing?" with the Calculate unallocated space and Find deleted content options, and the mounted PST tree showing the message store, name-to-id map, Root Folder, Search Root, SPAM Search Folder, Top of Personal Folders and Deleted Items.]
To view or mount an MS Outlook email:
1. Navigate to the pst file you want to view or mount.
2. As needed, select Calculate unallocated space, then select Find deleted content.
3. Contin
function in the background.
File Signatures with Suffixes
A shadow directory is a directory type containing symbolic links that point to real files in a directory tree. This is useful for maintaining source code for different machine architectures: you create a shadow directory containing links to the real source, which you usually mount from a remote machine. The Vista operating environment uses shadow directories, and EnCase software's ability to suffix a file signature takes these directories into account. Extension suffixes are created by adding an underscore and asterisk to the end of the extension. The figure shows such a TrueType extension and suffix, ttf_*.
[Figure: the Edit True Type Font dialog with Search expression, Extensions (ttf, ttf_*) and Extensions delimiter fields.]
Viewing the File Signature Directory
A File Signature table lists signatures the EnCase software recognizes. The table is organized into data types such as:
- database
- email
- Internet
To view the table:
1. Select View > File Signatures from the menu bar. A directory of file categories appears.
[Figure: the File Signatures table with Name, Extensions, Search expression, In Report, GREP, Case sensitive and Filter columns, starting with the Application category.]
included appear in the Table pane. If the Include All icon is not green, the data associated with that item does not appear in the Table pane. Including All is distinct from highlighting in that Including All displays all the items in the branch from the selected entry to the leaf entries, while highlighting displays only items contained in the highlighted item. In the Tree pane, including all is distinct from selecting because including all affects the contents of the Table pane while selecting does not. Initially, Set Include displays the entries and objects in the Table pane in a hierarchical order. Sorting columns in the table destroys this order, which cannot be recovered except by cycling the Set Include. Use the status line to see the parent for a particular entry in the table.
Figure 23: Comparing Highlighting and Set Include, where the contents of (1) the highlighted entry in the Tree pane appear as (2) in the Table pane, and where the content of (3) the Set Include entry, which enables the rest of the Set Include entries in the subtree, displays as (4) in the Table pane. Include propagates down the tree from (3), the entry initially included, to the parallel entries
the content of the bookmark as characters that conform to the format of a DOS directory entry. Win95 Info File Record displays the content of the bookmark as characters that conform to the INFO data structure definition. Win2000 Info File Record displays the content of the bookmark as characters that conform to the INFO2 data structure definition. GUID displays the content of the bookmark as strings that conform to the Windows Globally Unique Identifier (GUID) format. SID displays the content of the bookmark in the Security Identifier (SID) format. Styles: use these text styles when working with non English languages. For more information, see Working with Non English Languages on page 457 elsewhere in this document.
Add Note Bookmark Dialog
Use the Add Note Bookmark dialog to enter the note or text contained in a note bookmark. A note bookmark can contain up to 1000 characters. You can format the bookmark content as a whole. A note bookmark can annotate another existing bookmark or add descriptions of events you want to include in a report.
[Figure: the Add Note Bookmark dialog with a Notes field, a Show in report checkbox, and Formatting controls for Increase font size (points), Bold, Italic and Increase text indent (1/4 inch).]
Notes contains up to 1000 characters. Show in report: when checked, the content of the note bookmark appears in the Report tab of the Table pane. Formatting contains th
The New Keyword dialog appears.
2. Do the following on the New Keyword dialog:
a. Click GREP and enter the GREP expression into Search Expression to create a GREP search.
b. Use the Character Map to create the search string if your keyboard is not mapped to the appropriate non English key mapping. If the mapping is correct, enter the desired Search Expression.
c. Make any other selections as desired.
d. Do one of the following to test the keywords: if you use a code page other than the currently selected one, click Code Page and proceed to Step 3; otherwise click Keyword Tester, then execute Step 4 to test a keyword.
3. Click OK. The dialog closes.
4. Do the following:
a. Select the desired code pages from the Code Page list.
b. Click Keyword Tester to test the keyword; otherwise click OK.
5. Test the keyword using the instructions in the Testing a Non English Language Keyword section and click OK. The dialog closes.
Testing a Non English Keyword
Open the New Keyword dialog and define the tested keyword.
[Figure: the Keyword tester tab of the New Keyword dialog, showing a Cyrillic keyword, the Code Page list (for example Cyrillic KOI8-U, Cyrillic Mac, Cyrillic Windows 1251, Estonian ISO 28603, Ext Alpha Lowercase) with the keyword's hex encoding for each code page, and a Test data field.]
with the Case Time Settings dialog.
[Figure: the Case Time Settings dialog with Account for seasonal Daylight Saving Time, Convert all dates to correspond to one time zone, a Time Zone list (GMT Casablanca/Monrovia/Reykjavik, GMT Greenwich Mean Time Dublin/Edinburgh/Lisbon/London, the GMT+01:00 and GMT+02:00 zones, and so on) and Daylight Setting option buttons for Standard and Daylight.]
The features of the Case Time Settings dialog are:
Account for Seasonal Daylight Savings Time applies DST rules as defined by the registry settings. If you want to use the new 2007 DST rules, ensure your machine is patched.
Convert All Dates to Correspond to One Time Zone enables the Daylight Setting and the Time Zone list. This allows you to convert all times to match one time zone.
Daylight Setting is disabled unless Convert All Dates to Correspond to One Time Zone is checked. Use the option buttons to select Standard or Daylight Savings time adjustments.
Time Zone List is also disabled unless Convert All Dates to Correspond to One Time Zone
[illegible entry] 153
[illegible entry] 153
Case File Format 154
[illegible entry] 155
The Options Dialog 155
Case Related Features 157
Logon Wizard 158
Logon Wizard Users Page 159
Users Right Click Menu 159
Browse for Folder Dialog 160
SAFE Page of the Logon Wizard 161
SAFE Right Click Menu 161
Browse for Folder Dialog 162
Edit SAFE Dialog 163
New Case Wizard 166
Role Page of the New Case Wizard 167
Case Options Page of the New Case Wizard 168
[illegible entry] 168
[illegible entry] 169
Modifying Case Related Settings 169
Time Zone Settings 170
Case File Time Zones 171
Evidence File Time Zones
[illegible entry] 250
Recovering Folders from a Formatted Drive 250
Recovering Partitions 250
Adding Partitions 251
Deleting Partitions 253
Restoring Evidence 254
Physical vs Logical Restoration 254
Preparing the Target Media 254
Physical Restore 255
Logical Restore 258
Booting the Restored Hard Drive 258
If the Restored Disk Does Not Boot 259
Snapshot to DB Module 260
Initializing the Database 260
Choosing Database Sources 261
Maintaining the Database 262
Updating the Database 263
Specifying Database Content 265
Generating Reports on the Database
[Figure: the LinEn device list, showing for example Disk5 /dev/hdd (Linux, 234375120 sectors, 111.8GB) with its hdd2 and hdd3 partitions, /dev/sda1 FAT32X partitions of 19.5GB, 29.3GB and 31.2GB, and Disk9 /dev/sda (Linux, 64000 sectors, 31.2MB) with a FAT16 partition of 31.5MB.]
3. Select Acquire. The Acquire screen displays.
4. Choose the physical drive or logical partition you wish to acquire. The Acquire Device (drive) dialog displays Path and file name (e.g. Folder/Name). For the data elements requested by the Acquire dialog, either accept the default or enter a value, or choose one of the alternatives as described in Specifying and Running an Acquisition. Press Enter. The Acquire Device dialog requests additional data values until all data elements have been entered or selected. Then the Creating File dialog displays. When the acquisition is complete, click OK. The LinEn main window displays. The subject has been acquired and is stored on the storage drive. Connect the storage drive to the investigator's machine. Add the EnCase evidence file using the Sessions Sources page of the Add Device Wizard, as described in Completing the Sessions Sources Page.
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCase applications can detect and image DCO and/or HPA areas on any ATA 6 or higher level disk drive. These areas are detected using LinE
side the pane. Panes are resizable.
Physical Disk Emulator (PDE)
The EnCase Physical Disk Emulator lets examiners mount computer evidence as a local drive for examination in Windows Explorer. This feature allows examiners many options in their examinations, including the use of third party tools with evidence served by EnCase.
Port
A virtual data connection that can be used by programs to exchange data directly instead of going through a file or other temporary storage location. The most common of these are TCP and UDP ports, used to exchange data between computers on the Internet.
R
Redundant Array of Independent Disks (RAID)
A data storage scheme using multiple hard drives to share or replicate data among the drives. Depending on the configuration of the RAID, typically referred to as the RAID level, the benefits of RAID are:
- increased data integrity
- fault tolerance
- throughput or capacity compared to single drives
Regular Expression
A string that describes or matches a set of strings according to certain syntax rules. Many text editors and utilities use regular expressions to search and manipulate bodies of text based on certain patterns. Many programming languages support regular expressions for string manipulation. Also see GREP.
Root
The base of a file system's directory structure, or the parent directory of a given directory.
signature of a deleted folder. When the signature matches, EnCase applications can rebuild files and folders that were within that deleted folder.
[Figure: the right-click menu on a volume, with commands including Copy Folders, Bookmark Data, Bookmark Folder Structure, Copy/UnErase, Activate Single Files, Create Hash Set, Create Logical Evidence File, Acquire, Restore, Hash and Analyze EFS.]
Note that in the figure the C drive device is selected in the background display.
Recovering NTFS Folders
EnCase applications can recover NTFS files and folders from Unallocated Clusters and continue to parse through the current Master File Table (MFT) records for files without parent folders. This is particularly useful when a drive has been reformatted or the MFT is corrupted. Recovered files are placed in the gray Recovered Folders virtual folder in the root of the NTFS partition.
To recover folders on an NTFS partition:
1. Right click on the volume and select Recover Folders.
2. The Recover Folders message box opens to confirm that you want to scan the volume for folders.
3. Click OK to begin the search for NTFS folders, or Cancel to cancel the request.
4. The application begins searching for MFT records in the Unal
acquisition of subsequent disks
- to enable search, hash and signature analysis to launch automatically after the acquisition is completed
- to determine what happens to the new image
- to restart a cancelled acquisition
[Figure: the After Acquisition page of the Acquisition wizard, with the Existing Evidence File field.]
Acquire another disk enables the investigator to work through a series of acquisitions, typically floppy disk content, without adding a new device for each acquisition. When Acquire another disk is checked:
- Replace source device is disabled
- Search, Hash and Signature Analysis is enabled
Search, Hash and Signature Analysis opens the Search page of the Acquisition wizard, where search, hash and signature analysis are defined, after clicking Next.
New Image File Group: controls in this group determine how the newly acquired image is saved. The default is Replace source drive.
Do not add excludes the newly acquired image from the currently opened case.
Add to Case adds the newly acquired image in the case file associated with the device where the image was taken.
Replace a source device adds the newly acquired image to the case and removes the previewed device where the acquisition was made.
Restart Acquisition restarts a cancelled acquisition. If the acquisition was interrupted but not cancelled, that acquisition cannot be restarted. When you check Restart Acquisition, Existing Evidence File and its associated browse
[Figure: Base64 encoded data highlighted in Unallocated Clusters in the Text tab, and the Bookmark Data dialog with Data Type entries Picture, Base64 Encoded Picture, UUE Encoded Picture, Integers, Dates, Windows and Styles.]
To view Base64 and UUE encoded files:
1. Highlight the file in the Table pane so that the content of the file appears in the Text tab of the View pane.
2. Highlight the first character, right click and click Bookmark Data. The Bookmark Data dialog appears.
3. In Data Type, select either Base64 Encoded Picture or UUE Encoded Picture. The picture displays in the Contents pane.
NTFS Compressed Files
EnCase decompresses, views and searches NTFS compressed files in real time, or in an on the fly manner, by detecting a compressed file, then automatically preparing it for analysis. The investigator can view uncompressed file data in the Disk tab of the Tab
software.com. Specifications and information contained in this manual are furnished for informational use only and are subject to change at any time without notice.
Contents
CHAPTER 1 Introduction
Introduction
CHAPTER 2 New Features
Snapshot to DB Module
Lotus Notes Local Database Encryption
EnCase Examiner Support for Microsoft Vista
64 Bit EnCase Servlet
Send to HBGary Responder EnScript
CHAPTER 3 Installing EnCase Forensic
The EnCase Installer
Minimum Requirements
Installing the Examiner
Installed Files
Uninstalling the Examiner
Reinstalling the Examiner
Installing Security Keys
Troubleshooting Security Keys
Obtaining Updates
Configuring Your EnCase Application
462. sole. The LinEn Main Screen displays.
3 Select Mode, then select Direct ATA Mode. The disk running in ATA mode can now be acquired.
4 Continue the drive-to-drive acquisition with Step 3 of Doing a Drive-to-Drive Acquisition Using LinEn.

Mode Selection

LinEn starts up in BIOS mode. A disk acquired in this mode reports only the disk size seen by the BIOS; as a result, no data contained in a DCO is seen or reported. The Mode selection in LinEn provides a solution. Notice Disk1 in the figure: it shows a disk size of 26.8 GB. If this disk is acquired now, only that quantity of data is identified. The Linux distribution in use must support Direct ATA mode for this function to work.

To test for the presence of a DCO:
1 Start LinEn in the normal manner on a computer that supports Direct ATA. The main screen shows a Mode button.
2 Enter M to select Mode. A second screen displays, offering three acquisition selections: BIOS, ATA and Cancel.
3 Enter A to select ATA Mode.

If a DCO is present on the disk, the original LinEn screen reports the correct disk size and the correct number of sectors. Disk1 in the following illustration shows the true disk size, 75.5 GB.

Acquire the disk according to protocol.

Doing a Crossover Cable Preview or Acquisition

You have a LinEn boot disk. The investigator has identified the subject drive to be acquired
463. 266
Using the Snapshot DB Reports Dialog 268
WinEn 270
Running WinEn 271
Command Line Options 272
Configuration File 273
Configuration File Notes 274
Prompt for D H PM 274
Error Handling 274
Additional WinEn Information 274

CHAPTER 8 Viewing File Content 277
Viewing Files 278
Copying and Unerasing Files and Folders 279
Copy and Unerase Features 279
Copy UnErase Wizard 280
File Selection Page of the Copy UnErase Wizard 281
Options Page of the Copy UnErase Wizard 283
Destination Page of the Copy UnErase Wizard 285
Copy Folders Dialog 286
Copying and Unerasing Files 288
Completing the File Selection Page 289
Completing the Options Page
464. (Screenshot: the Filters list, including filters such as UNIX permissions, OLK Folders Containing Attachments, Yahoo Web Mail Pages, Hotmail Web Mail Pages, Netscape Web Mail Pages, Hotmail Pages, Yahoo Mail Pages, Deleted Files, Files after n date, Files before n date, Filter ANY after n date, Filter ANY before n date, Find Mixed Types, Find files between any dates and Unique Files by Hash.)

Right-click on a filter to open a sub-menu with Edit Source, Run, Edit (Enter), New (Insert), Delete (Delete), Export, Import, Rename (F2) and New Folder.

Use New to create filters based on set conditions that are menu selectable. Created filters reside in an initialization file, C:\Program Files\EnCase6\Config\filters.ini. Filters are saved globally within the EnCase program.

Creating a Filter

New filters of your own creation can be added to the list. Display the Filter list in the Filter pane, then create a new filter.
1 Right-click the topmost Filter icon. A sub-menu appears.

(Screenshot: the Filter pane tabs (EnScript, Filters, Conditions, Queries, Text Styles) and the sub-menu with New, Export, Import, New Folder, Expand/Contract, Expand All and Contract All, above the filter list.)
466. t and designate an output location and file name in the Output File field.

(Screenshot: the Export dialog with the Fields list (Name, Hit Text, Entry Selected, File Offset, Length, Filter, In Report), the Only Checked Rows and Active Rows options, and the Output File path.)

A delimited text file is created. Save the reports in accordance with local policy.

Quick Entry Report

Often a quick report containing information regarding one particular file in a case is needed. Start by opening a case that has bookmarked files, then locate the file you want to report on.
1 Select the file to use to generate a report.
(Screenshot: the Table tab listing bookmarks.htm and bookmarks.html entries with their Description and Category columns.)
2 In the View pane, click Report. A short report displays.
(Screenshot: the Report tab showing a Search Summary with Hits, First Searched, Last Searched and Search Text columns, followed by the Case Time Settings section.)
Account for seasonal Daylight
467. t corrupt and unusable. The next section discusses these tests.

Testing an EDB File

This section describes how to determine whether the EDB database is in a usable state. Acquire the EDB database, including the entire bin and mdbdata folders, prior to running these checks. Make sure all codepages are installed on your computer. The mdbdata folder contains the public and private databases and the transactional logs, which are most important when cleaning a database. The BIN folder contains eseutil.exe.
1 Run eseutil.exe from Windows Start > Run.
2 Use the eseutil.exe command line tool to check the consistency of the state field as follows:
<file location>\eseutil /mh <filepath>\priv1.edb
<file location>\eseutil /mh <filepath>\pub1.edb
If the EDB file is in an inconsistent state, first try to recover as follows:
c:\Exchange\BIN\Eseutil.exe /r E
Click Yes to run the repair. Note that the three-character log file base name represents the first log file. Files are sequentially named, with E.log being the first log file.
Run a check (step 2) on the resulting EDB file. If the file is still in an inconsistent state, attempt to repair the EDB file. This may result in the loss of some data currently in the log files. Run the repair as follows:
c:\Exchange\BIN\Eseutil.exe /p
For additional information on the Eseutil
468. t pane. Text styles are defined globally on the Text Styles tab. When defined, these text styles are not associated with a case. In the Filter pane you can:
- Create text styles
- Edit text styles
- Apply text styles to content in the View pane

The Options Dialog Font Tab

This Options tab contains a list of EnCase interface elements that you configure to support non-English languages. Each of the listed elements has font settings associated with it. Double-clicking an element opens the Font dialog, where you select the associated settings.

(Screenshot: the Options dialog, Fonts tab. Default Fonts lists Status Bar and Tabs, Dialog Boxes, Trees, Tables, Report Title, Report Fixed, File viewers and Script Editor.)

Default Fonts contains the list of interface elements to be configured. Double-clicking one of these interface elements opens the Font dialog. Selecting a Unicode font enables non-English language text to display in these interface elements.

Unicode Fonts

The specific fonts listed in the Fonts dialog are those installed in Windows. If no Unicode fonts are installed on your computer, see Install the Universal Font for Unicode at http://office.microsoft.com/en-us/help/HP052558401033.aspx. Unicode interprets fonts a
469. t the defaults in the Add Raw Image dialog, or change them as desired, then click OK. A Disk Image object appears in the Entries tree, which is on the Cases > Entries > Home tree pane.

Remote Acquisition

Setting up the remote acquisition (Examiner side)
1 Start by adding the machine you want to acquire, just as you would any other Enterprise node.
(Screenshot: the Add Device dialog listing Enterprise nodes by name, operating system and location.)
2 Click Next.
3 After you choose the machine, select the devices you want to acquire.
(Screenshot: the Choose Devices dialog listing the physical devices of the SEVEN_OF_NINE node, each 465.8 GB.)
4 Click Next.
5 Right-click the device you want to acquire, then click Acquire.
(Screenshot: the device context menu with Export, Close, Delete, Copy/UnErase, Copy Folders, Bookmark Data (Ctrl+B) and Bookmark Folder.)
470. tal number of bytes that comprise the file or files being created.
Path contains the path and filename, within the file system of the investigator's machine, of the file or files created.
Replace first character of FAT deleted files with determines which character is used to replace the first character in the filename of deleted files in the FAT file system.
Split files above contains the maximum length, not exceeding 2000 MB, of any file created by the copy and unerase operation. When the total number of bytes comprising an output file exceeds this value, the additional output is directed to, and continued in, a new file.
Copy only selected files inside each folder: if individual files were selected within a folder or folders, this setting determines whether only those files or all the files in the folder will be copied and unerased.
Show Errors: when selected, the application does not query the user when errors occur. This allows unattended execution of the copy and unerase operation.

Copying and Unerasing Files

To copy and unerase a file:
1 In the Tree pane, highlight the folder containing the file or files to be unerased. The Table pane displays the contents of the folder.
2 In the Table pane, highlight the file or select the files you want to unerase.
3 Right-click the highlighted file and click Copy/UnErase. The File Selection page of
471. te 250, Pasadena, CA 91101. Phone: +1 626 229 9191, Option 4. Fax: 626 229 9199.

UK Contact Info: Thames Central, 5th Floor, Hatfield Road, Slough, Berkshire, UK SL1 1QE. Phone: +44 (0) 1753 552252, Option 4. Fax: +44 (0) 1753 552232.

Toll Free Numbers: Germany 0 800 181 4625; China 10 800 130 0976; Australia 1 800 750 639; Hong Kong 800 96 4635; New Zealand 0 800 45 0523; Japan 00 531 13 0890.

Online support

Guidance Software offers a Support Portal to our registered users, providing technical forums, a knowledge base, a bug tracking database and an Online Request form. The Portal gives you access to all support-related issues in one site. This includes:
- User, product, Beta Testing and foreign language forums (message boards)
- Knowledge Base
- Bug Tracker
- Technical Services Request Form
- Downloads of previous software versions, drivers, etc.
- Other Useful Links

Although technical support is available by e-mail, you will receive more thorough, quicker service when you use the online Technical Support Request Form (https://support.guidancesoftware.com/node/381). Note that all fields are mandatory, and filling them out completely reduces the amount of time it takes to resolve an issue. If you do not have access to the Support Portal, please use the Support Portal registration form (https://support.guidancesoftware.com/forum/register.php?do=signup).
472. te a font with the listed case element. The font can be defined in terms of:
- Font
- Font style
- Size
- Script
The script attribute enables you to select the character set used.

EnScript Tab

This tab enables you to specify the location of the include files library used by EnScript programs.
(Screenshot: the Options dialog, EnScript tab, with the Include Path field.)
Include Path displays the path and name of the folder that contains the include files library.

Storage Paths Tab

The Storage Paths tab captures paths used for several files used by the EnCase application.
(Screenshot: the Storage Paths tab with the Index Folder, Record Cache Folder and Case Backup paths, and the INI Files list (Keyword, Text Style, File Signature, File Type, File Viewer, Security ID, Package) with Name and Writable columns, each pointing into the user's Desktop folder.)
474. that was inside the selected partition.

Booting the Restored Hard Drive

After the restore operation has finished with no errors, remove the target hard drive from the storage system and place it into a test system. Switch the power on. Depending on what operating system the subject ran, the test system should boot up exactly as the subject computer did.

There are quite a few difficulties that can occur at this stage of the investigation. The most common is that the clone of the subject drive will not boot. Before trying anything else, check the restored disk using FDISK and verify it is set as an Active drive. If not, set the drive as Active using the FDISK utility and it should boot.

To boot the restored hard drive:
1 Ensure the intended restoration drive is at least as large as the original from which the image was taken.
2 Install a sterile restoration drive to your forensic machine using a connection other than IDE 0. Note: EnCase cannot restore a physical drive to IDE 0.
3 Create, but do not format, a single partition on the restoration drive.
4 Using the Report pane, note the disk geometry of the forensic image of the drive you are restoring from, so that the physical geometry used is correct.
5 Restore the forensic image of the physical drive to the restoration drive using the Restore Drive setting.
6 To make the restored drive active in Windows, right-click My Computer and select Manage > Disk Management, and then
475. the language is read right to left.
(Screenshot: the New Text Style dialog.)
Click OK if you are using a code other than Unicode Big Endian encoding. Otherwise, select the Code Page tab.
6 Click Unicode Big Endian, then click OK. A new text style is created and defined.

If you are going to use a non-Unicode encoding:
1 Click Other.
2 Select an encoding from the Code Page list.
3 Click OK.

Creating Non-English Keywords

Creating non-English keywords is the first step to take before searching non-English language content.

(Screenshot: the Keywords tree context menu (New, Bookmark Data, Export, Import, Add Keyword List, Copy Tree, New Folder, Expand/Contract, Expand All, Contract All, Set Included Folders, Include Sub Folders, Include Single Folder) and the New Keyword dialog with the Search expression field, the Code Page list (for example Croatian Mac, Cyrillic DOS, Cyrillic ISO, Cyrillic KOI8-R, Cyrillic KOI8-U, Cyrillic Mac, Cyrillic Windows, Estonian ISO, Ext Alpha Lowercase, French Canadian DOS, German) and the Keyword tester.)

To create a non-English language keyword:
1 Right-click and select New from the root of the Keywords tree.
476. the storage computer.
In Windows 98, click Start and select All Programs > Accessories > System Tools > DriveSpace.
Launch DriveSpace.
Select the FAT16 partition containing the compressed .000 file.
Select Advanced > Mount.
Select DRVSPACE.000 and then click OK, noting the drive letter assigned to it.
The Compressed Volume File (.000) from the previous drive is now seen as folders and files in a new logical volume.
Acquire this new volume. Create the evidence file and add it to your case. You can now view the compressed drive.

Acquiring Firefox Cache in Records

This feature parses Mozilla Firefox cache data. The parser correctly extracts all available information by reading map files that contain information about a cache entry and where it is located. When you select Search for Internet History from the Search dialog, the EnCase program searches for specific files and attempts to parse them as Mozilla Firefox cache files. When the search is complete, these columns are shown in the Table pane:
Name, Filter, In Report, Search Hits, Additional Fields, Message Size, Creation Time, Profile Name, URL Name, URL Host, Browser Cache Type, Browser Type, Last Modification Time, Message Code Page, Last Access Time, Expiration, Visit Count, Server Modified.

Reacquiring Evidence

When you have a raw evidence file which orig
477. then select Copy Folders. The Copy Folders dialog appears.
4 Modify the settings on this dialog as desired. For more information, see Copy Folders Dialog on page 286.
The copy operation begins. As it runs, the thread status line provides an indication of progress. When the thread completes, a results dialog appears. The results are saved in the appropriate folder in the file system.
Note: The thread status line provides an indication of progress. You can terminate processing at the thread status line.

File Viewers

Occasionally an investigator finds file types that EnCase applications do not have the built-in capabilities to view, or you might want to view a file type using a third-party tool or program. In either situation you must:
- Add a file viewer to your EnCase application. See Adding a File Viewer to your EnCase Application on page 294.
- Associate the file viewer's file types with the viewer. See Associating the File Viewer's File Types with the Viewer on page 295.

File Viewer Features

EnCase applications provide the following file viewer features:
- New File Viewer Dialog
- View File Type Dialog

New File Viewer Dialog

Use the New File Viewer dialog to add file viewers to your EnCase application.
(Screenshot: the New File Viewer dialog with the Name (File Viewer1), Maximize View Window, Application Path and Command Line fields.)
Name is the name of the file viewer.
Maximize View Dialog
478. ther files. Examples of compound files include email messages and their attachments, or zip files and the files they contain. Viewing compound files exposes their file structure. EnCase Enterprise can view the structure of these types of compound files:
- Outlook Express DBX
- Outlook PST
- Exchange 2000/2003 EDB
- Lotus Notes NSF for versions 4, 5 and 6
- Mac DMG format
- Mac PAX format
- JungUm Korean Office documents
- Zip files, such as ZIP, GZIP and TAR files
- Thumbs.db files
- Others not specified

Some audio files, video files and certain graphic file formats are not immediately viewable; however, investigators can associate third-party viewers to examine these files properly.

Copying and Unerasing Files and Folders

EnCase software recovers and unerases files on a byte-per-byte basis. This feature is called Copy/UnErase. Use the unerase function to view deleted files within Windows. Deleted files on a FAT volume have a hex \xE5 character at the beginning; EnCase applications allow you to replace this character with one of your choice. The underscore (_) character is used by default. The Copy/UnErase wizard provides settings for unerasing the file and the character used to replace the deleted-file character.

Copy and Unerase Features

EnCase applications provide the following Copy and Unerase features:
- Copy/UnErase Wizard
- Copy Folders Dialog

Note: The Copy/UnErase functionalit
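As an added example, not from the EnCase guide, the following parses raw 32-byte FAT short-name directory entries, flags those whose first byte is \xE5, and rebuilds the 8.3 name with a replacement character, which is what the Copy/UnErase option "Replace first character of FAT deleted files with" does. It also handles the two cases a naive scan gets wrong: long-name (VFAT) entries, which share the directory but carry no 8.3 name, and live names that really start with \xE5, which FAT stores as \x05. The directory bytes are constructed inside the block.

```python
import struct

DELETED_MARKER = 0xE5   # first byte of a deleted FAT short-name entry
KANJI_ESCAPE = 0x05     # a live name whose first byte is really 0xE5 is stored as 0x05
ATTR_LONG_NAME = 0x0F   # VFAT long-name entry: skip, it has no 8.3 name or cluster
ATTR_DIRECTORY = 0x10
ENTRY_FORMAT = "<11sBBBHHHHHHHI"  # name, attr, ntres, crt_tenth, crt_time, crt_date,
                                  # last_access, clus_hi, wrt_time, wrt_date, clus_lo, size


def make_entry(name11: bytes, attr: int, first_cluster: int, size: int) -> bytes:
    """Build a constructed 32-byte FAT directory entry (timestamps zeroed)."""
    if len(name11) != 11:
        raise ValueError("8.3 name field must be exactly 11 bytes")
    return struct.pack(ENTRY_FORMAT, name11, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_entry(entry: bytes, replacement: str = "_"):
    """Parse one short-name entry; None for free, end-of-directory or long-name entries."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are 32 bytes")
    if entry[0] == 0x00:
        return None
    attr = entry[11]
    if attr == ATTR_LONG_NAME:
        return None
    deleted = entry[0] == DELETED_MARKER
    raw = bytearray(entry[:11])
    if deleted:
        raw[0] = ord(replacement)        # the original first character is gone
    elif raw[0] == KANJI_ESCAPE:
        raw[0] = DELETED_MARKER          # restore a live name that starts with 0xE5
    base = raw[:8].decode("latin-1").rstrip(" ")
    ext = raw[8:].decode("latin-1").rstrip(" ")
    clus_hi = struct.unpack_from("<H", entry, 20)[0]
    clus_lo = struct.unpack_from("<H", entry, 26)[0]
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "directory": bool(attr & ATTR_DIRECTORY),
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": struct.unpack_from("<I", entry, 28)[0],
    }


def walk_directory(blob: bytes, replacement: str = "_"):
    """Parse every short-name entry in a directory region, stopping at the 0x00 end marker."""
    entries = []
    for off in range(0, len(blob) - len(blob) % 32, 32):
        entry = blob[off:off + 32]
        if entry[0] == 0x00:
            break
        parsed = parse_entry(entry, replacement)
        if parsed is not None:
            entries.append(parsed)
    return entries


def deleted_entries(blob: bytes, replacement: str = "_"):
    """Only the entries Copy/UnErase would recover, with the marker byte replaced."""
    return [e for e in walk_directory(blob, replacement) if e["deleted"]]


# Constructed sample directory: one live file, one long-name entry, two deleted entries
# (originally SECRET.DOC and the PHOTOS directory), one live name starting with 0xE5,
# and the end-of-directory marker.
SAMPLE_DIRECTORY = b"".join([
    make_entry(b"README  TXT", 0x20, 3, 1200),
    make_entry(b"\x41s\x00e\x00c\x00r\x00e\x00", ATTR_LONG_NAME, 0, 0),
    make_entry(b"\xE5ECRET  DOC", 0x20, 7, 40960),
    make_entry(b"\xE5HOTOS     ", ATTR_DIRECTORY, 9, 0),
    make_entry(b"\x05ABC    TXT", 0x20, 11, 10),
    b"\x00" * 32,
])

if __name__ == "__main__":
    for e in walk_directory(SAMPLE_DIRECTORY):
        flag = "deleted" if e["deleted"] else "live"
        print(f"{e['name']:<14} {flag:<8} cluster={e['first_cluster']} size={e['size']}")
```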
479. top Sector dialog appears.
5 Accept the default or enter the desired Stop Sector, and then click OK. The Hash Results dialog appears.
6 If you want the hash result to be written to a file, click Yes. If the hash value is to be saved to a file, the Save Hash Value to a File dialog appears; otherwise, the LinEn Main Screen appears.
7 Enter the path and filename of the file that will contain the hash value, and then click OK. The hash value is saved and the LinEn Main Screen appears.
A hash value is calculated for the selected sectors of the selected file. If desired, this hash value is saved to a file.

Hashing the Subject Drive Once Previewed or Acquired

If you want to hash a device without leaving the Windows operating system, you can hash directly from EnCase. The device must be previewed or acquired.
1 On the Entries tab of the Tree pane, right-click the device you want to hash.
2 Select Hash.
(Screenshot: the Hash dialog with the Start Sector and Stop Sector fields.)
3 Enter the following:
a Supply a Start Sector, or accept the default, which is the first sector of the device.
b Supply a Stop Sector, or accept the default value, which is the last sector of the device.
4 Click OK.
(Screenshot: the Console output of a completed hash, showing Status, Start and Stop times, elapsed Time, the device Name, Start Sector 0, Stop Sector 2,503,871 and the resulting Hash Value.)
480. tput, Lock and Codepage.
These tabs keep track of:
- currently running threads
- local variables (Locals) at the current breakpoint
- library dependencies
- breakpoint locations associated with the EnScript program

You can set breakpoints within your code. EnScript stops when it reaches a breakpoint during runtime. Use the right-click menu to set a breakpoint.
(Screenshot: the editor context menu with Toggle Breakpoint, Toggle Bookmark (Ctrl+Shift+X), Next Bookmark (Ctrl+Shift+N) and EnScript Analysis.)
If you prefer, you can set breakpoints by left-clicking on the line number of the code.
(Screenshot: the Table pane showing EnScript source for Main(CaseClass c), which logs a fatal error if no case is open, with a breakpoint set on a line of the function.)
Once you set a breakpoint, the Start Debugging button runs the EnScript program, which stops at the breakpoint. While stopped, you can analyze the runtime information in the new tabs in the View pane.
(Screenshot: the View pane with Console, Details, Threads, Locals, Breakpoints, Dependencies, Output, Lock and Codepage tabs, and a Name/Value listing of local variables.)
481. 378
Manually Create App Descriptor 378
Create an App Descriptor with an EnScript Program 380
Encryption Support 381
NSF Encryption Support 382
Recovering NSF Passwords 383
Disk Encryption Support 384
SafeBoot Setup 385
Exporting a Machine Profile from the SafeBoot Server 386
Authentication 387
SafeBoot Encryption Support (Disk Encryption) 387
Supported SafeBoot Encryption Algorithms 390
CREDANT Encryption Support (File Based Encryption) 390
Supported Encryption Algorithms 393
CREDANT Encryption Support (Offline Scenario) 393
Enabling the Forensic Administrator Role on the CREDANT Server 395
S/MIME Encryption Support
482. ts are now in the hash library.

Viewing Hash Search Results

When files in a case are hashed, they are compared to the library, and then the hash set and hash category columns populate. After rebuilding your library and hashing the case files, view the results in the Table pane.
1 Select View > Hash Sets from the main menu. A list of all hash sets appears in the Table pane.
(Screenshot: the Hash Sets table with In Report, Name, Category and Filter columns, listing the Experimental and BMP Files I know about hash sets.)
If a file with the same hash value is contained in the hash library, its columns are populated.

Keyword Searches

EnCase applications provide a powerful search engine to locate information anywhere on physical and logical media in the currently open case. Global keywords can be used in any case, or they can be made case specific and used only within the existing case. A keyword in a search is an expression used to find words within a case that match the keyword entries. The EnCase search engine accepts a number of options and is particularly powerful when searching regular expressions with a GREP formatted keyword.
Note: In addition to GREP, the search can be limited by making it case sensitive and by selecting particular codepages. Codepages are alphabet sets for a variety of Latin and non-Latin character sets, such as Arabic, Cyrillic and Thai.
The keywords included in th
483. ts generated from the entries in the folder. This dialog works with any folder in any Tree or Table pane. When the folder is the root folder of a tree, default formatting is provided in the Format field. You can also use this dialog to customize the report generated for the folder content. Each folder in a tree has its own report; each folder defines its own report.
(Screenshot: the Edit Bookmark Folder dialog with Name, Show in report, Show Pictures, Comment, Format, the Fields list (Comment, Bookmark Index, File Extents Index, Full Path, Permissions, References, Bookmark Type, Preview Comment, Page Break, Show Picture, Entry Selected, File Offset, Length, Name, Filter) and Tables.)
Show in report: check this box to display folder content in the report.
Show Pictures: check this box to display pictures in the folder in the report.
Comment contains text describing the bookmarked content.
Format contains labels provided by the application or entered manually, and the fields selected in the Fields list. The label Comment appears in the report. Square brackets contain a field. The is a literal, as in another label. Everything other than fields is a label.
Fields contains the list of fields you can include in the report. This list varies from entry to entry.
Tables determines whether the listed detail tables display individually in the report.

Using a Folder to Org
484. u must associate that viewer's file types.
(Screenshot: the View menu and the File Viewers tree context menu, the New File Viewer dialog for a user-added viewer, and the File Viewers table listing the Mail, Code, Archive, Communication, Database, Document, Internet, Misc, Multimedia, Picture and Windows file types, each with EnCase as the viewer, followed by the user-added viewer.)
1 Display the File Viewers tree in the Tree pane.
485. ual position in the main window.
(Screenshot: the View menu listing App Descriptors, Archive Files, Cases, Encryption Keys, EnScript, EnScript Types, File Signatures, File Types, File Viewers, Hash Sets, Keywords, Machine Profiles, Packages, Projects, SAFEs and Text Styles, followed by SAFEs Sub Tabs, Table Pane, View Pane, Filter Pane, Close Tab (Ctrl+F4), Show Name, Previous Tab (Ctrl+Shift+Tab), Next Tab (Ctrl+Tab), Auto Fit and Reset view.)

App Descriptors displays the App Descriptor tabs in the Tree pane, which include the App Descriptor Home and App Descriptors Hash Properties tabs. By default these tabs are not displayed.
Archive Files displays the Archive File tab in the Tree pane. This tab does not display by default.
Cases displays the Cases tabs in the Tree pane, which include the Cases Home, Cases Entries, Cases Bookmarks, Cases Search Hits, Cases Records, Cases Devices, Cases Secure Storage and Cases Keywords tabs. These tabs display by default. Use this command if you previously closed the Cases tab.
Encryption Keys displays the Encryption Keys tab in the Tree pane. This tab displays by default. Use this command if you previously closed the Encryption Keys tab.
EnScript displays the EnScript tab in the Tree pane. This tab does not display by default. When this tab displays, the EnScript tab in the Filters pane is clos
486. ue with step 2 of Viewing File Structure. The file structure of the email file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice that the icon for the compound email file looks like a volume after it is mounted.

Viewing Macintosh pax Files

Macintosh pax files formatted with the cpio file format can be parsed using View File Structure.
1 Navigate to the pax file you want to view or mount.
2 As needed, select Calculate unallocated space, then select Find deleted content.
Continue with step 2 of Viewing File Structure. The file structure of the PAX file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice that the icon for the compound file looks like a disk drive, and no compound volume indicator is added to the icon after it is parsed.

Viewing Windows Thumbs.db

EnCase applications support parsing the Windows thumbs.db cache for images. Once mounted, the thumbnail cache volume and its version appear. V2 thumbnails are in bitmap format, whereas later versions are modified PNGs. The Root Entry folder contains:
- the catalog file of cached thumbnail names
- their full path
- the cached images themselves
Thumbs.db also contains a record of the image's Last Writ
487. uired. Once evidence is acquired or added to a case, it can be analyzed. In this section we focus on previewing, acquiring, and adding digital evidence to the case.
Types of Entries
Entries include evidence and other file types containing digital evidence that are added to a case. There are four classes of evidence-containing files that EnCase applications support:
- EnCase Evidence Files (E01)
- Logical Evidence Files (LEF, L01)
- Raw images
- Single files, including directories
These files are acquired or added to a case. Before digital evidence can be added to a case, it is previewed.
EnCase Evidence Files
EnCase evidence files (E01) contain the contents of an acquired device and provide the basis for later analysis. EnCase evidence files integrate investigative metadata, the device-level hash value, and the content of an acquired device. This integration simplifies evidence handling and investigative efforts by keeping the device-level hash value and content together, and by simplifying the effort required to verify that the evidence has not changed since it was collected from a subject device. Dragging and dropping an E01 file anywhere on the EnCase interface adds it to the currently opened case.
Logical Evidence Files
Logical Evidence Files (LEF, L01) are created from files seen in a preview or existing evidence file. They are typically created after an analysis finds some noteworthy evidence. W
488. ulish 266
2. Bookmark the desired passages (see Bookmarking Items on page 401).
Click Bookmarks on the Table tab of the Table Pane. A preview of the bookmark appears.
[Figure: the Table tab listing bookmarks Search Summary, Case Time Settings, Logs, and a Highlighted Data bookmark of an Arabic Unicode file, shown before encoding]
Right-click the desired bookmark and select Encode Preview.
[Figure: the bookmark context menu with Encode Preview, Summary, Bookmark, Rename (F2), Show Columns, Column, Sort, and Select Item (Space)]
The Table tab displays the Unicode in its proper form.
[Figure: the Table tab with the Arabic text of the Highlighted Data bookmark rendered correctly]
Indexing
Text indexing allows you to quickly query the transcript of entries. Creating an index builds a list of words from the contents of an evidence file. These entries contain pointers to their occurrence in the file. There are two steps:
- Generating an Index
- Searching an Index
Generating an Index creates index files associated
489. um
[Figure: the Gallery context menu with More Rows (Shift+Num) and Select Item (Space)]
To increase the number of images displayed per row in the Gallery tab:
- Right-click on any image in the Gallery tab, then click More Columns.
Clearing the Invalid Image Cache
The program includes built-in crash protection, which prevents corrupted graphic images from appearing in Gallery or Picture view. The corrupt images are stored in a cache so that EnCase recognizes them the next time they are accessed and does not attempt to display them. These images are cached at the case level, so that the images do not attempt to display in that case file again. Before you can clear the cache, the Cases tree must be displayed in the Cases tab of the Tree pane. You can clear the cache only if a corrupt image has been encountered.
1. Right-click on the Cases root object in the Cases Tree.
2. Click Clear invalid image cache.
Lotus Notes Local Encryption Support
EnCase can decrypt a local Lotus Notes user mailbox (NSF file suffix). The local mailbox is a replica of the corresponding encrypted mailbox on the Domino server. Each Domino server user has a corresponding NSF file representing that user's mailbox in 8.3 format. The default path is <Domino Installation Folder>\Data\Mail\<user>.nsf. The Lotus Notes client is set up to use the local mailbox. Synchronization between the local and server mailboxes occurs according to a replication schedule determined by t
490. um 32768 characters.
Compress: Level of compression (0 = none, 1 = fast, 2 = best).
Examiner: Examiner's name (maximum 64 characters).
EvidenceName: Name of the evidence within the evidence file (maximum 50 characters).
CaseNumber: Case number related to the evidence (maximum 64 characters).
EvidenceNumber: Evidence number (maximum 64 characters).
MaxFileSize: Maximum file size of each evidence file segment, in MB (minimum 1, maximum 10737418240).
Granularity: Error granularity in sectors (minimum 1, maximum 1024).
BlockSize: Sectors per block for the evidence file (minimum 1, maximum 1024).
Hash: Compute HASH while acquiring the evidence (TRUE or FALSE).
AlternatePath: A semicolon-delimited list of alternate paths (maximum 32768 characters).
Notes: Notes (maximum 32768 characters).
Required field
Configuration File Notes
- You can use the pound sign (#) as a comment delimiter. Anything after a pound sign on a line is ignored.
- Empty lines in the configuration file are ignored.
- Options in the configuration file are not case sensitive.
- White space before or after the option, and before or after the value, is ignored. White space in the middle of an option is retained, such as a space between an examiner's first and last name.
Prompt for Value
The console asks for any required values ("Please enter a value for the option <option>") if they are not provided in
491. v ue kd e EE uid 446
Changing Report Size 447
Viewing a Bookmark Report 447
Email Report 448
Internet Report 449
Creating a Webmail Report 449
Alternative Report Method 450
Search Hits Reports 451
Quick Entry Reports 453
Creating an Additional Fields Report 454
(title unrecoverable) 455
Creating a Report Using Case Processor 456
CHAPTER 12 Working with Non-English Languages 457
Working with Non-English Languages 458
Non-English Language Features 459
The Options Dialog Font Tab 460
Unicode Fonts 461
Text Styles 461
New Text Styles Dialog 462
New Text Styles Dialog Attributes Tab 462
New Text Styles Dialog Code Page Tab 464
Configuring Non-English Language
492. ves a short explanation of the entry, also indicated by the icon to the left of the file name.
Is Deleted displays TRUE if the file is deleted but not emptied from the Recycle Bin.
Last Accessed displays the date of the last activity of the file. A file does not have to be altered for the Last Accessed date to change, only accessed. Any activity, such as viewing, dragging, or even right-clicking, may change the Last Accessed date. The Last Accessed date may also change if the file is accessed by a program such as a virus checker.
File Created is a record of when a particular file was created at that location. If a file is edited and changed on January 3, then copied to a floppy diskette on January 15, and that floppy diskette is acquired on January 28, the entry shows that the file on the floppy disk was created after it was last written to or accessed.
Last Written displays the last date and time a file was opened, edited, and then saved. If a file is opened, then closed but not altered, the Last Written date does not change.
Entry Modified refers to the file entry pointer and its information, such as file size. If a file was changed but its size not altered, the Entry Modified date does not change.
File Deleted shows the deletion time and date. If an entry in an INFO2 file on an NTFS volume has a deleted date, TRUE appears in the Is Deleted column.
File Acquired displays the date and time the evidence file in which the selected file reside
493. w Excluded
[Figure: the Show Excluded menu item]
Excluded files reappear in Table and Report view.
Deleting Items
When using Search Hits, delete is considered a soft delete, which you can undelete until the case is closed. If a search hit remains deleted when the case is closed, the hit is permanently deleted. In other tabs, however, undelete works only with the last selection deleted. Once a file is closed, deleted items are permanently removed and cannot be recovered.
Run, then view, a keyword search. This process is similar to Exclude Files on page 360. View the search hits report in the Table pane before excluding them from the report.
1. Select files to exclude, then right-click the view.
2. Select either Delete or Delete All Selected.
[Figure: the context menu with Copy (Ctrl+C), Delete (Delete), Delete All Selected (Ctrl+Delete), Export, Tag Selected Files (Ctrl+Shift+T), Tag File (Ctrl+T), View Search Hits, Bookmark Selected Items, Show Excluded, Show Deleted, Exclude (Ctrl+E), Exclude All Selected (Ctrl+Shift+E), Show Columns, Column, Sort, Select Item (Space), and Go to Parent (BkSp)]
Selecting the latter displays the Exclude All Selected dialog.
[Figure: the Exclude All Selected dialog, with Start From options Root Folder (2 items) and Current Folder (2 items), and OK and Cancel buttons]
3. Select the appropriate option and click OK. The selected files are temporarily deleted.
Note: Viewing the report s
494. (title unrecoverable) 357
Viewing Record Search Hits 359
Viewing Search Hits 360
Exclude Files 360
Show Excluded Files 361
Deleting Items 362
Show Deleted Files 363
Encode Preview 363
Turning On Encode Preview 363
Indexing 365
Querying an Index Using a Condition 366
Generating an Index 367
Searching for Email 369
Web Mail Parser 370
Extracting Email 371
Searching Email 372
Searching Selected Items 373
Viewing Attachments 374
Exporting to (unrecoverable) 375
Exporting to msg 376
App Descripto
495. will be faster. In acquisition tests, a 12MB m500 took four minutes to preview and 16 minutes to acquire. However, after the first keyword search on a previewed device, all other processes accessing the evidence file will be fast, as the entire evidence file is cached in memory.
Acquiring Non-local Drives
The acquisition of non-local drives involves LinEn, which acquires these drives by performing a network crossover acquisition. When you use the LinEn utility to acquire a disk through a disk-to-disk acquisition, the resulting EnCase evidence file must be added to the case using the Add Device Wizard.
When to Use a Crossover Cable
Use a crossover cable when acquiring from a laptop, RAIDs, or drives not recognized by the host machine. You can also use the crossover cable to preview.
Performing a Crossover Cable Preview or Acquisition
You have a LinEn boot disk. The investigator identifies the subject drive to be acquired.
1. Boot the subject machine from the LinEn boot disk.
2. Connect the forensic machine to the subject machine using a crossover cable.
3. In Linux, ensure that the subject machine has an IP address assigned and a NIC card loaded appropriately.
   a. Type ifconfig eth0.
   b. If no IP address is assigned, assign one by typing ifconfig eth0 10.0.0.1 netmask 255.0.0.0.
   c. Check the IP address assignment again by typing ifconfig eth0.
4. Navigate to the folder where LinEn resides and type linen in the console. The
496. with evidence files. Index creation can be time-consuming, depending on the amount of evidence you are indexing and the capabilities of your computer hardware. Evidence file size, and thus the resultant index size, is an important consideration when building an index. Attempts to index extremely large evidence files can have a serious impact on a computer's resources.
Note: For quicker index files, select a limited number of files for indexing.
Querying an Index provides the means to search for terms in the generated index. Querying an evidence file's index for terms locates terms more quickly than keyword searching. The index is queried using several conditions accessed in the Conditions tab.
Querying an Index Using a Condition
You can query the index using a condition.
- A case must be created with evidence files added.
- The evidence file must already have an index generated.
1. Display the Conditions tab of your interface and expand the Index Conditions folder by clicking the + next to the folder.
[Figure: the Conditions tab (beside EnScript, Filters, Queries and Text Styles), with Files, Email Examinations and Index Conditions folders; Index Conditions contains Files Containing Index Terms (Recommended), Files Containing Index Terms (Case Sensitive), Files Containing Index Terms (GREP, slower), Files Containing Index Terms Within 5 Words, and Files Containing Index Terms Ordered within 5 Words]
497. xchange
- Outlook Express email
- MS Outlook email
- Windows Thumbs.db
- America Online ART files
- Hangul Korean Office documents
- Macintosh PAX files
Note: In addition, the File Mounter EnScript program allows the examiner to select a file type (DBX, GZip, PST, Tar, Thumbs.db, or Zip), provided they have a valid signature, and mount them automatically.
Viewing File Structure
Once files are part of the case, they can be viewed in various output formats. Viewing the structure of a compound file reveals which files comprise it.
Before you begin:
1. Open a case.
2. Enable single files.
3. The Entries tree on the Entries tab and the Entries table are displayed.
4. Drag and drop the files to be viewed into the Entries table in the Table pane.
[Figure: the Entries table in the Table pane; screenshot content not recoverable]
To view a compound file:
1. Navigate to the compound file to be viewed as it appears in the Table pane.
2. Right-click the compound file to be viewed and click View File Structure. The View File Structure message box appears.
3. Click Yes. The compound file is replaced in the Tree pane and Table pane with a folder and a compound volume icon. The file structure of the compound file displays, and component files display in the view of your choice.
Viewing Registry Files
498. y Table Pane
[Figure: the Table pane (Table, Report, Gallery, Timeline, Disk and Code tabs) listing entries with Name, Filter and Description columns, mostly .lnk shortcut files such as Hunter Pics.lnk, session.log.lnk, download.lnk, X Drive.txt.lnk and WINDOWS.lnk described as Link, Windows File, Archive, with a few JPG images and a Desktop.ini described as Initialization, Windows File, Hidden, System, Ar]
499. y default. Node to Client operates similarly to the Client to Node SAFE mode, except that the node attempts the direct connection to the client. It is used when you desire direct data transfer between the node and the client and there is NATing or a firewall prohibiting the node from sending data directly to the local IP (default port) of the client. Once you check this option, the Client return address configuration box becomes available to enter the NATed IP address and custom port, e.g., 192.168.4.1:1545. The Client return address box is disabled unless this option is selected.
Priority determines the priority of connection for this SAFE:
- Low means the connection to this SAFE will be reconnected after all other connections of normal or high priority.
- Normal means the connection to this SAFE will be reconnected after all other connections of high priority and before those connections of low priority.
- High means the connection to this SAFE will be reconnected before all other connections of medium or low priority.
New Case Wizard
The New Case wizard captures role and case settings. A case is associated with a specific role. Roles are established by the administrator. The New Case wizard consists of two pages:
- Role page
- Case Options page
[Figure: the New Case wizard, showing the Access Subnet role and the Case Options page with default folders under C:\Program Files\EnCase6, including C:\Program Files\EnCase6\Export]
500. y displays the Gallery tab in the table pane. It displays by default.
Timeline displays the Timeline tab in the table pane. It displays by default.
Disk displays the Disk tab in the table pane. It displays by default.
Code displays the Code tab in the table pane. It displays by default.
The View Pane and its Tab Bar and View Menu
The View Pane menus display a command for each of the tabs on the table pane tab bar. The View pane contains several tabs, depending on the tab currently selected in the table pane. The tab bar also includes controls that appear in the View pane menu.
[Figure: the View menu and the View pane tab bar (Text, Hex, Transcript, Picture, Report, Console, Details, Output, Lock, Codepage), with the View Pane submenu listing Close Tab (Ctrl+F4), Show Name, Previous Tab (Ctrl+Shift+Tab), Next Tab (Ctrl+Tab), Auto Fit and Reset view]
View Pane Menu
The View Pane command on the View menu displays the View Pane menu. The View Pane menu contains commands corresponding to th
501. y does not preserve folder structure, while Copy Folders functionality does.
Copy UnErase Wizard
Use the Copy UnErase wizard to specify what files are unerased, how they are unerased, and where the files are saved after they are unerased. The Copy UnErase wizard consists of:
- File Selection page
- Options page
- Destination page
File Selection Page of the Copy UnErase Wizard
The File Selection page of the Copy UnErase wizard indicates whether a single file or a set of selected files are being copied and unerased. In addition, the character that will be used to replace the character that FAT volumes use to indicate deleted files is set here.
[Figure: the File Selection page of the Copy UnErase wizard, with From options Highlighted File and All selected files, and a To option Merge into one file]
From contains the settings that determine if one file or several files will be copied and unerased.
Highlighted File: If no files are selected in the Table pane, choose this setting, because at least one file is always highlighted on the Table pane. The highlighted file will be copied and unerased.
All selected files: When several files are selected in the Table pane, use this setting. When you choose this setting, you have the option to copy and unerase the highlighted file or the selected files.
To contains settings to determine how many files will be output, which is only relevant when several files
502. y of these cables can be used as a hard disk cable:
- IDE cable
- USB cable
- Firewire
- SATA
- SCSI
Figure 3: Setups for drive-to-drive acquisitions, where (1) is the forensic machine running LinEn from the LinEn Boot Disk, connected to the subject hard drive; (2) is the forensic machine booted to Linux and running LinEn, connected to the subject hard drive; and (3) is the subject machine running LinEn from the LinEn Boot Disk, connected to the target hard drive.
Doing a Drive-to-Drive Acquisition Using LinEn
Once LinEn is set up, run LinEn, choose Acquire, then select the drive to be acquired and the storage path. Optionally, provide additional metadata. Configure LinEn as described in LinEn Setup and verify that autofs is disabled (unchecked). The investigator has identified the subject drive to be acquired and the storage drive that will hold the acquired evidence file.
1. If the FAT32 storage partition to be acquired has not been mounted, mount the FAT32 storage partition.
2. Navigate to the folder where LinEn resides and type linen in the console to run LinEn. The LinEn Main Screen displays.
[Figure: the LinEn Main Screen listing devices with Code, Type, Sectors and Size columns: Disk0 /dev/hda Linux 78165360 sectors 37.3GB; /dev/hda1 Linux 82 Linux Swap 1020096 498.1MB; /dev/hda2 Linux 83 Linux EXT2 20972448 10.0GB; /dev/hda3 Linux 83 Linux EXT2 9766512 4.7GB; a further partition Linux 0C FAT32X 46406304 22.1GB; /dev/hdd]
503. you will redefine selection and processing as your analysis requirements evolve during the investigation.
Figure 8: Panes in the Analysis Cycle, where (1) container entries selected in the Tree pane determine the contained entries that appear in the Table pane; (2) contained entries selected in the Table pane determine the contents that appear in the View pane; (3) optionally, filters, searches, and processing defined in the Filters pane narrow the contents or results of the analysis that appear in the View pane; (4) results of the current analysis cycle; and (5) subsequent refinements of the analysis.
The Tree pane provides you with the starting point of the analysis. This is where you select the container entries, such as devices and folders, that contain the evidence you want to examine.
The Table pane presents the contents of the entries selected in the Tree pane. You can refine entries to be examined here.
The Filters pane gives you the means to search, filter, and automate the examination of the entries selected for examination in the Tree and Table panes. This narrows and focuses your analysis effort. The Filter pane provides tabs that enable you to view analytical results in places other than the View pane.
The View pane provides various tools that help you explore and see the results of the analysis. If the results of the analysis are sufficient for your purposes, the analysis can move on to other aspects of the inv
504. zard 206
Completing the Sessions Sources Page 191
Completing the Sources Page 190
Compound File 519
Compound Files 489
Comprehensive Internet History Search 350
Computer Forensics 520
Concurrent Case Management 152
Conditions 138
Configuration File 269
Configuration File Notes 270
Configuring Interface Elements to Display Non-English Characters 460
Configuring Non-English Language Support 459
Configuring the Keyboard for a Specific Non-English Language 461
Configuring Your EnCase Application 30
Configuring Your Linux Distribution 47
Connection 520
Contract All 117
Copy 148
Copy and Unerase Features 275
Copy Folders Dialog 282, 288
Copy UnErase 64
Copy UnErase Wizard 276
Copying a Table Entry into a Folder 425, 426
Copying and Unerasing Bookmarks 286
Copying and Unerasing Files 284
Copying and Unerasing Files and Folders 275
Copying Folders 287
Create a Hash Set 336
Create an App Descriptor with an EnScript Program 374
Create License Dialog 501
Create Logical Evidence File Wizard 239
Creating a Bookmark 407, 415
Creating a Datamark as a Bookmark 415
Creating a File Group Bookmark 412
Creating a Filter 130
Creating a Folder Information Structure Bookmark 410
Creating a Highlighted Data Bookmark 408
Creating a License 503
Creating a LinEn Boot Disc 46, 514
Creating a Log Record Bookmark 41
Guidance Software
505. ze analytic processes applied to the entries shown in the Table tab.
[Figure: the Filters tab (beside Conditions and Queries), listing Search File Permissions Windows, Search File Permissions UNIX, OLK Folders Containing Attachments, Yahoo Web Mail Pages, Hotmail Web Mail Pages, Netscape Web Mail Pages, Hotmail Pages, Yahoo Mail Pages, Deleted Files, Files after n date, Files before n date, Filter ANY after n date, Filter ANY before n date, Find Mixed Types, Find files between any dates, and Unique Files by Hash]
Filtering Effects in Table Pane
When a filter is run, a query icon appears on the main menu bar, and the filter results show in the Table pane.
[Figure: the Table pane after a filter has run, with a Query icon on the menu bar and a list of JPG image entries (Name column, a Yes column, and two date columns)]
