
EnCase Forensic

Version 6.15

User's Guide

Copyright 1997-2009 Guidance Software, Inc. All rights reserved. EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information contained in this work is furnished for informational use only, and is subject to change at any time without notice.

Contents

CHAPTER 1 Overview .... 7
  EnCase Forensic .... 8

CHAPTER 2 New Features in Version 6.15 .... 11
  Windows 7 Support .... 12
  Windows Server 2008 Support .... 12
  Enhanced FAT Parsing .... 12
  Fast File Transfer .... 14
  GuardianEdge 9.2 Support .... 14
  WinMagic SecureDoc 4.6 Support .... 14
  Outside In 8.3 Support .... 14
  CREDANT Mobile Guardian 5.4.2 Support .... 14
  Refresh Bookmarks in EnScript .... 15
  HASP SRM 5.75 Security Key Driver .... 15

CHAPTER 3 Installing EnCase Forensic .... 17
  EnCase Installer .... 18
  Installing Security Key Drivers .... 23
  Troubleshooting Security Keys .... 23
  Obtaining Updates .... 23
  Configuring EnCase .... 23
  Sharing Configuration Files .... 31
  Vista Examiner Support .... 32
  Running a 32-bit Application on a 64-bit Platform .... 32

CHAPTER 4 Navigating the EnCase Interface .... 33
  Main Window .... 34
  System Cache Settings Control .... 64
  Panes and their Specific Tabs .... 66
  Navigating the Tree Pane .... 80
  Modifying the Table Pane .... 87
  Modifying the View Pane .... 112

CHAPTER 5 Case Management .... 115
  Overview of Case Structure .... 116
  Case Related Features .... 121
  New Case Wizard .... 127
  Using a Case .... 129
  Opening a Case .... 133
  Saving a Case .... 134
  Closing a Case .... 134

CHAPTER 6 Working with Evidence .... 137
  Overview .... 138
  Supported File Systems and Operating Systems .... 140
  Using Snapshots .... 144
  Getting Ready to Acquire the Content of a Device .... 144
  Acquiring .... 154
  Delayed Loading of Internet Artifacts .... 191
  Remote Acquisition .... 195
  Hashing .... 202
  Logical Evidence Files .... 204
  Recovering Folders .... 209
  Recovering Partitions .... 212
  Restoring Evidence .... 214
  Snapshot to DB Module Set .... 219
  WinEn .... 229
  Wipe Drive .... 232

CHAPTER 7 Source Processor .... 237
  Overview .... 238
  Collection Jobs .... 241
  Modules .... 251
  Analysis Jobs .... 256
  Reports .... 260
  Managing EnCase Portable .... 267

CHAPTER 8 Analyzing and Searching Files .... 275
  Signature Analysis .... 276
  EnScript Programming Language .... 283
  Hash Analysis .... 284
  File Hashing .... 285
  Hash Sets .... 286
  Keyword Searches .... 288
  Encode Preview .... 309
  Indexing .... 310
  Searching for Email .... 314
  Tag Records .... 327
  App Descriptors .... 328

CHAPTER 9 Viewing File Content .... 333
  Viewing Files .... 334
  File Viewers .... 343
  View Pane .... 347
  Viewing Compound Files .... 350
  Viewing Base64 and UUE Encoded Files .... 366
  NTFS Compressed Files .... 367
  Gallery Tab .... 367

CHAPTER 10 Bookmarking Items .... 371
  Bookmarks Overview .... 372
  Bookmark Features .... 375
  Creating a Bookmark .... 382
  Using Bookmarks .... 391

CHAPTER 11 Reporting .... 411
  Reporting .... 412
  Report User Interface .... 412
  Creating a Report Using the Report Tab .... 414
  Creating a Report Using Case Processor .... 427

CHAPTER 12 EnScript Analysis .... 429
  EnScript Analysis .... 430
  Enterprise EnScript Programs .... 430
  Forensic EnScript Code .... 440
  EnScript Example Code .... 456
  Packages .... 462

CHAPTER 13 Working with Non-English Languages .... 469
  Working with Non-English Languages .... 470
  Non-English Language Features .... 470
  Options Dialog Font Tab .... 471
  Configuring Non-English Language Support .... 474

CHAPTER 14 Using LinEn .... 485
  Introduction .... 486
  Viewing the License for LinEn .... 486
  Creating a LinEn Boot Disk .... 486
  Configuring Your Linux Distribution .... 487
  Performing Acquisitions with LinEn .... 488
  Hashing the Subject Drive Using LinEn .... 506

CHAPTER 15 EnCase Decryption Suite .... 509
  Overview .... 510
  EDS Features .... 510
  Product Matrix .... 512
  Using EDS .... 513
  Secure Storage Tab .... 516
  Secure Storage Items .... 521
  SafeBoot Encryption Support (Disk Encryption) .... 522
  Utimaco SafeGuard Easy Encryption Support .... 526
  BitLocker Encryption Support (Volume Encryption) .... 533
  WinMagic SecureDoc Encryption Support .... 540
  GuardianEdge Encryption Support .... 543
  PGP Whole Disk Encryption (WDE) Support .... 544
  CREDANT Encryption Support (File Based Encryption) .... 548
  S/MIME Encryption Support .... 555
  NSF Encryption Support .... 559
  Lotus Notes Local Encryption Support .... 561
  Windows Key Architecture .... 566
  Dictionary Attack .... 566

CHAPTER 16 Physical Disk Emulator .... 571
  Physical Disk Emulator .... 572
  Using Physical Disk Emulator .... 572
  Third Party Tools .... 577
  Boot Evidence Files and Live Systems with VMware .... 578
  VMware/EnCase PDE FAQs .... 582
  PDE Troubleshooting .... 584

CHAPTER 17 Virtual File System .... 585
  Virtual File System .... 586
  Mounting Evidence with VFS .... 586
  Dismount the Network Share .... 594
  Accessing the Share .... 595
  Third Party Tools .... 597
  VFS Server .... 600
  Troubleshooting .... 604

CHAPTER 18 FastBloc SE Module .... 605
  FastBloc SE Module .... 606
  Background Information .... 606
  ProSuite FastBloc SE/SATA/IDE Support for Vista 64-bit .... 607
  Installing the FastBloc SE Module .... 608
  Using the FastBloc SE Module .... 608
  Disk Caching .... 614
  Troubleshooting .... 615

CHAPTER 19 CD/DVD Module .... 617
  CD/DVD Module .... 618
  Burning Evidence Files During Acquisition .... 618
  Burning Logical Evidence Files During Acquisition .... 621
  Burning Files and Reports .... 621
  Burning Existing Evidence and Logical Evidence Files .... 626

Glossary of Terms .... 627
  Overview .... 627

Support .... 633
  Technical Manuals and Release Notes .... 633
  Technical Support .... 633
  Customer Service .... 638
  Message Boards .... 638
  Downloads .... 639
  Training .... 639
  Professional Services .... 639

Index .... 641

CHAPTER 1

Overview

In This Chapter
EnCase Forensic

EnCase Forensic Version 6.15

EnCase Forensic
EnCase Forensic provides investigators with a single tool capable of conducting large-scale and complex investigations from beginning to end. It features an intuitive GUI, superior analytics, enhanced email/Internet support and a powerful scripting engine.

EnCase Forensic enables you to:
- Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide
- Investigate and analyze multiple platforms (Windows, Linux, AIX, OS X, Solaris and more) using a single tool
- Save analysis time by automating complex and routine tasks with prebuilt EnScript modules, such as Initialized Case and Event Log analysis
- Find information despite efforts to hide, cloak or delete
- Easily manage large volumes of computer evidence, viewing all relevant files, including deleted files, file slack and unallocated space
- Transfer evidence files directly to law enforcement or legal representatives as necessary
- Review options that allow non-investigators, such as attorneys, to review evidence with ease
- Use reporting options for quick report preparation

Forensically Sound Acquisitions
EnCase Forensic produces an exact binary duplicate of the original drive or media, then verifies it by generating MD5 hash values for related image files and assigning Cyclic Redundancy Check (CRC) values to the data. These checks and balances reveal when evidence has been tampered with or altered, helping to keep all digital evidence forensically sound for use in court proceedings.
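The two-level check described above (one hash over the whole image, plus a CRC per fixed-size block) can be reproduced with standard library code. The following is an added example written for this guide, not EnCase's own verification code: the block size of 64 sectors, the sample image and the "tampered" copy are all constructed here, and the page does not state which block size EnCase uses. The whole-image MD5 tells you that something changed; the per-block CRCs tell you where.

```python
import hashlib
import zlib

# Constructed parameters for this example: 64 sectors of 512 bytes per CRC
# block. The page does not state EnCase's own block size; this is an assumption.
SECTOR_SIZE = 512
BLOCK_SIZE = 64 * SECTOR_SIZE


def checksum_image(image: bytes, block_size: int = BLOCK_SIZE):
    """Return (md5_hex, [crc32 per block]) for a raw evidence image.

    The MD5 covers the whole image; the CRCs cover fixed-size blocks so a
    later mismatch can be localised to the block that changed.
    """
    md5_hex = hashlib.md5(image).hexdigest()
    crcs = [zlib.crc32(image[off:off + block_size])
            for off in range(0, len(image), block_size)]
    return md5_hex, crcs


def verify_image(image: bytes, expected_md5: str, expected_crcs,
                 block_size: int = BLOCK_SIZE):
    """Re-hash the image and compare it with the stored values.

    Returns (md5_matches, [indices of blocks whose CRC no longer matches]).
    A block-count mismatch (image truncated or extended) is reported by
    flagging every index that exists on one side only.
    """
    md5_hex, crcs = checksum_image(image, block_size)
    bad_blocks = [i for i, (got, want) in enumerate(zip(crcs, expected_crcs))
                  if got != want]
    shorter, longer = sorted((len(crcs), len(expected_crcs)))
    bad_blocks.extend(range(shorter, longer))
    return md5_hex == expected_md5, bad_blocks


# Constructed sample image: 100 KiB of repeating byte values (four CRC blocks).
SAMPLE_IMAGE = bytes(range(256)) * 400

# Constructed tampered copy: one bit flipped at offset 70000, which lies in block 2.
_tampered = bytearray(SAMPLE_IMAGE)
_tampered[70000] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)


if __name__ == "__main__":
    md5_hex, crcs = checksum_image(SAMPLE_IMAGE)
    print("image MD5:", md5_hex, "blocks:", len(crcs))
    print("pristine copy :", verify_image(SAMPLE_IMAGE, md5_hex, crcs))
    print("tampered copy :", verify_image(TAMPERED_IMAGE, md5_hex, crcs))
    print("truncated copy:", verify_image(SAMPLE_IMAGE[:-4096], md5_hex, crcs))
```

Running it shows the pristine copy verifying cleanly, the single flipped bit being pinned to block 2, and a truncated copy being reported as missing its last block even though every surviving block still matches.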

Advanced Productivity Features
Examiners can preview data while drives or other media are being acquired. Once the image files are created, examiners can search and analyze multiple drives or other media simultaneously. EnCase Forensic also features a case indexer. This powerful tool builds a complete index in multiple languages, allowing for fast and easy queries. Indices can also be chained together to find keywords common to other investigations. This Unicode-supported index contains personal documents, deleted files, file system artifacts, file slack, swap files, unallocated space, email and Web pages. In addition, EnCase has extensive file system support for analyzing all types of data.

EnScript Programming
EnCase Forensic features EnScript programming capabilities. EnScript, an object-oriented programming language similar to Java or C++, allows you to create custom programs to help automate time-consuming investigative tasks, such as searching and analyzing specific document types or other labor-intensive processes and procedures. Any level of investigator can harness these capabilities by using one of Forensic's tools, such as the Case Developer or one of numerous built-in filters and conditions.

Actionable Data and Reports
Once you have bookmarked relevant data, you can create a report suitable for:
- Presentation in court
- Management
- Another legal authority

You can also export data in multiple file formats for review.

CHAPTER 2

New Features in Version 6.15

In This Chapter
- Windows 7 Support
- Windows Server 2008 Support
- Enhanced FAT Parsing
- Fast File Transfer
- GuardianEdge 9.2 Support
- WinMagic SecureDoc 4.6 Support
- Outside In 8.3 Support
- CREDANT Mobile Guardian 5.4.2 Support
- Refresh Bookmarks in EnScript
- HASP SRM 5.75 Security Key Driver


Windows 7 Support
EnCase supports running on Windows 7 32-bit and 64-bit. This includes:
- Examiner 32-bit and 64-bit
- ProSuite (EnCase Decryption Suite, Virtual File System, Physical Disk Emulator, and FastBloc SE) 32-bit and 64-bit
- 32-bit and 64-bit servlets

on these versions of Windows 7:
- Professional
- Ultimate
- OEM
- Enterprise

Note: EnCase does not support analysis of Windows 7 artifacts via EnScript. Also, EnCase does not support Windows 7 BitLocker in terms of encryption support.

Windows Server 2008 Support
EnCase supports running on Windows Server 2008 32-bit and 64-bit. This includes:
- Examiner 32-bit and 64-bit
- ProSuite (EnCase Decryption Suite, Virtual File System, Physical Disk Emulator, and FastBloc SE) 32-bit and 64-bit
- 32-bit and 64-bit servlets

Enhanced FAT Parsing
Not all implementations of the FAT file system can be automatically detected. For example, some FAT16 volumes in certain removable media may be detected as FAT12. To address this issue, EnCase provides an option to specify the FAT type (FAT12, FAT16, or FAT32) to parse. This option is included in the Add Raw Image and Add Partition dialogs.
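Why automatic detection can disagree with how a volume was actually formatted: the FAT type is not stored authoritatively anywhere in the boot sector. The Microsoft FAT specification derives it from the count of data clusters (fewer than 4085 means FAT12, fewer than 65525 means FAT16, otherwise FAT32), and the "FAT16" string at offset 54 is only a hint that formatters are free to ignore. A small removable medium whose vendor wrote 16-bit FAT entries but left the cluster count under 4085 is therefore classified as FAT12 by the rule, which is the situation the paragraph above describes. The following is an added example for this guide, not EnCase's own detection code: it builds two constructed boot sectors, applies the specification's cluster-count rule, reports the formatter's label alongside the computed type, and lets an explicit type override the automatic result in the way the Partition Type option does.

```python
import struct

SECTOR_SIZE = 512

# Cluster-count thresholds from the Microsoft FAT specification.
FAT12_MAX_CLUSTERS = 4085
FAT16_MAX_CLUSTERS = 65525


def make_boot_sector(bytes_per_sec, sec_per_clus, rsvd_secs, num_fats, root_entries,
                     tot_secs, fat_secs, fs_label):
    """Build a constructed FAT12/FAT16 boot sector (BPB) for testing."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xEB\x3C\x90"          # jump instruction
    bs[3:11] = b"MSWIN4.1"             # OEM name
    # BPB fields at offsets 11..35, little-endian, no padding:
    # BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs, RootEntCnt, TotSec16,
    # Media, FATSz16, SecPerTrk, NumHeads, HiddSec, TotSec32
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     bytes_per_sec, sec_per_clus, rsvd_secs, num_fats, root_entries,
                     tot_secs, 0xF8, fat_secs, 63, 255, 0, 0)
    bs[38] = 0x29                      # extended boot signature
    bs[43:54] = b"NO NAME    "         # volume label
    bs[54:62] = fs_label.ljust(8).encode("ascii")  # FilSysType string (a hint only)
    bs[510:512] = b"\x55\xAA"          # boot sector signature
    return bytes(bs)


def detect_fat_type(bs):
    """Classify a FAT boot sector by cluster count, as the FAT specification prescribes.

    Returns (type_from_cluster_count, cluster_count, label_written_by_formatter).
    """
    if len(bs) < SECTOR_SIZE or bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (bytes_per_sec, sec_per_clus, rsvd_secs, num_fats, root_entries, tot_secs16,
     _media, fat_secs16, _spt, _heads, _hidden, tot_secs32) = struct.unpack_from(
        "<HBHBHHBHHHII", bs, 11)
    if (bytes_per_sec not in (512, 1024, 2048, 4096) or sec_per_clus == 0
            or sec_per_clus & (sec_per_clus - 1)):
        raise ValueError("BPB geometry fields are not valid for a FAT volume")
    fat_secs = fat_secs16 or struct.unpack_from("<I", bs, 36)[0]  # FATSz32 if FATSz16 == 0
    tot_secs = tot_secs16 or tot_secs32
    root_dir_secs = (root_entries * 32 + bytes_per_sec - 1) // bytes_per_sec
    data_secs = tot_secs - (rsvd_secs + num_fats * fat_secs + root_dir_secs)
    clusters = data_secs // sec_per_clus
    if clusters < FAT12_MAX_CLUSTERS:
        fat_type = "FAT12"
    elif clusters < FAT16_MAX_CLUSTERS:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    label_off = 54 if fat_secs16 else 82   # FAT32 keeps its FilSysType string at offset 82
    label = bs[label_off:label_off + 8].decode("ascii", "replace").strip()
    return fat_type, clusters, label


def resolve_fat_type(bs, override=None):
    """Use the automatic classification unless the examiner supplies an explicit type."""
    if override is not None:
        if override not in ("FAT12", "FAT16", "FAT32"):
            raise ValueError("override must be FAT12, FAT16 or FAT32")
        return override
    return detect_fat_type(bs)[0]


# Constructed volume A: 10 MiB, 4 sectors per cluster -> 5101 clusters -> unambiguously FAT16.
VOLUME_A = make_boot_sector(512, 4, 1, 2, 512, 20480, 20, "FAT16")
# Constructed volume B: 2 MiB removable medium formatted by its vendor as FAT16 with
# 1 sector per cluster -> 4031 clusters, below the FAT12 threshold. Both a FAT12 and a
# FAT16 table fit in its 16 FAT sectors, so the count rule says FAT12 while the label says FAT16.
VOLUME_B = make_boot_sector(512, 1, 1, 2, 512, 4096, 16, "FAT16")

if __name__ == "__main__":
    for name, vol in (("A", VOLUME_A), ("B", VOLUME_B)):
        print(name, detect_fat_type(vol))
    print("B with examiner override:", resolve_fat_type(VOLUME_B, override="FAT16"))
```

Volume B is the interesting case: the computed type and the formatter's label disagree, and neither can be proved wrong from the boot sector alone, which is exactly when an examiner needs the explicit Partition Type option rather than trusting automatic detection.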


Add Raw Image Dialog
1. Click File > Add Raw Image. The Add Raw Image dialog opens.
2. Click the Volume option button, then select the Partition Type for the FAT volume you are parsing.
3. Click OK.

Add Partition Dialog
1. Select the Disk tab in Table view, then right-click for a drop-down menu.
2. In the drop-down menu, click Add Partition. The Add Partition dialog opens.
3. Select the Partition Type for the FAT volume you are parsing.
4. Click OK.

Fast File Transfer
EnCase provides improved performance when the servlet transfers files to EnCase. Before, EnCase sent requests to obtain one chunk of data (32 KB) at a time, and transferring a large file involved sending many read commands from the examiner. Although extremely robust, combined with network latency, this protocol could cause significant delays on certain networks.

In the new approach, the examiner sends just one read command, and error handling is done by the TCP/IP layer.

This functionality is built into the EnCase UI, and you can also access this function from EnScript, where a new option, CopyFile, has been added to the file class. It contains two parameters:
- Output file
- Size (optional)

If size is not specified, the data from the current position to the end of the file is transferred.

Note: This is EnScript-specific and is not the default file transfer method for EnCase.

GuardianEdge 9.2 Support
EnCase supports decryption of encrypted disks using GuardianEdge Hard Disk Encryption version 9.2.

WinMagic SecureDoc 4.6 Support
EnCase supports decryption of encrypted disks using WinMagic SecureDoc Full Disk Encryption version 4.6.

Outside In 8.3 Support
EnCase now supports Oracle Outside In version 8.3 technology for viewing various file formats.

CREDANT Mobile Guardian 5.4.2 Support
EnCase supports decryption of encrypted files using CREDANT Mobile Guardian 5.4.2.


Refresh Bookmarks in EnScript
EnCase now includes the ability to save bookmarks in the background while an EnScript is still running. This feature is especially useful with EnScripts such as Sweep Enterprise when used in conjunction with the Check-in servlet feature. While the EnScript is still running, the user can refresh the bookmark view, and data collected up to that point is populated and available for review.

HASP SRM 5.75 Security Key Driver
EnCase supports the use of the HASP SRM 5.75 security key driver. This allows the HASP security key to be used with Windows 7.

Note: Under Windows 7, install the security key driver using the HASP SRM 5.75 run-time command-line installation.

CHAPTER 3

Installing EnCase Forensic

In This Chapter
- EnCase Installer
- Installing Security Key Drivers
- Troubleshooting Security Keys
- Obtaining Updates
- Configuring EnCase
- Sharing Configuration Files
- Vista Examiner Support
- Running a 32-bit Application on a 64-bit Platform


EnCase Installer
The EnCase installer copies the program and its drivers to the end user's computer or client and initializes drivers and services with the operating system. The investigator can select where to install the EnCase Examiner. The default is the Program Files folder. If a selected directory exists, the installer overwrites any existing program files, logs, and drivers.

Minimum Requirements
For best performance, you should configure examination computers with at least the following hardware and software:
- An EnCase security key (also known as a dongle)
- Certificates for all purchased modules (known as certs)
- A current version of EnCase Examiner
- Pentium IV 1.4 GHz or faster processor
- One GB of RAM
- Windows 2000, XP Professional, or 2003 Server
- 55 MB of free hard drive space

EnCase also supports these 64-bit versions of Windows:
- XP
- Server 2003
- Server 2008
- Vista
- Windows 7

Note: Intel Itanium processors are not supported. FastBloc SE supports only the USB interface with the 64-bit version.

Installing the Examiner
If you are using Local Processing, insert the CD and wait for autostart. Do this for each client. If you are using Terminal Services, install the program using the Add/Remove Programs wizard on the application server.

The installation wizard opens:

Note: C:\Program Files\EnCase6 is the default install path.

1. Enter an installation path or accept the default, then click Next.
2. Read the EnCase Forensic License Agreement, click the I Agree checkbox, then click Next.

3. To install Help and file viewers, click their checkboxes (they are selected by default).
   Install Help installs the current Help file. After installing EnCase, to view this file click Help in the toolbar, then click Help in the context menu.
   Install File Viewers installs the current version of Outside In viewer. If an earlier version of Outside In was installed previously, the EnCase installer overwrites it.

4. Click Next. A progress bar displays during installation.
5. When installation finishes, a setup complete screen displays.
6. Click Finish.

Installed Files
During installation, the program copies itself and a collection of associated files to the target directory. The installer places a startup icon on the desktop. In addition, a number of folders and files are installed in the target folder during installation.

Certs Folder
EnCase.pcert

Config Folder
AppDescriptors.ini
FileSignatures.ini
FileTypes.ini
Filters.ini
Keywords.ini
Profiles.ini
TextStyles.ini

Storage Folder
CaseReport.ini
CompromiseAssessmentModule.ini
DifferentialReport.ini
SweepEnterpriseWEbReport.ini

Forensic EnScript Component Folder
CaseProcessor.EnScript
FileMounter.EnScript
IndexCase.EnScript
ScanLocalMachine.EnScript
WebmailParser.EnScript

Uninstalling the Examiner
The uninstaller works only on identical software versions.
1. Have backups of evidence and case files prior to making any modifications to any software on an examination machine.
2. Close any running versions of EnCase.
3. Open Windows Control Panel, then double-click Change or Remove Programs.
4. Select the EnCase version to remove, then click Change/Remove.
5. The EnCase uninstall wizard runs and the first screen displays.
6. Enter or navigate to the software's location in the Install Path field. The default is C:\Program Files\Encase6.
7. Click Next. The uninstall wizard opens.

8. Click Next.
9. Select Uninstall, then click Next. A progress bar displays during the uninstall process.
10. The last page of the uninstall wizard displays.
11. Select Reboot Later or Reboot Now, then click Finish.

Reinstalling the Examiner
Reinstall refreshes certain files and settings and is a variation of the install program.
Reinstall creates a new log file and reinstalls the following items:
Application files
Registry keys
Needed user files
All EnScripts
Note: If you previously modified EnScripts without placing the modified EnScripts in another folder, they are lost during reinstallation.

Reinstall retains and does not change these items:
Licenses
Certificates
User settings

Installing Security Key Drivers
Before you begin, make sure EnCase is closed. Do not insert the security key (dongle) until after you click Finish in step 6.
1. Insert the installation CD-ROM.
2. If Autorun is enabled, the splash screen displays.
3. Click the security key drivers link.
4. When the HASP installation wizard displays, click Next.
5. When the summary screen displays, click Next.
6. When the installation completes, click Finish.
7. Insert the security key.
8. Windows finds the security key.
9. Start EnCase.

Note: If you insert the security key before you click Finish, the drivers do not install properly. Reinstall the driver with the security key removed.

Troubleshooting Security Keys
Installation is usually trouble free, but if there are problems, go to the troubleshooting page http://www.guidancesoftware.com/support/articles/articles.asp on our Web site. Navigate to the message board to research your problem.

Obtaining Updates
When you receive your product, register with Guidance Software to receive updates. Registration is located at the https://www.guidancesoftware.com/myaccount/registration.aspx site.
If you have any trouble registering your product, contact Customer Service (see page 638). If you have any trouble downloading the updates once registered, contact Technical Support (see page 633).

Configuring EnCase
You can configure various aspects of EnCase according to your needs or preferences. These settings are used each time you start EnCase. You are not required to open a case.
1. Click Tools > Options.

2. Click the desired tab and change the settings as needed, then click OK.
Note: Some changes made to the options settings take effect only after you restart EnCase, while others take effect immediately.

The Options dialog contains these tabs:
Case Options (available only if a case is open)
Global
Debug
NAS
Colors
Fonts
EnScript
Storage Paths

Case Options Tab
The Case Options tab contains settings that apply to the open case.

Name contains the name of the case associated with the case options set on this tab. The case name is used as the default file name when the case is saved. The file name can be changed when the file is saved.
Examiner Name contains the name of the user acting as the forensic examiner.
Default Export Folder contains the path and name of the folder where files are exported.

Temporary Folder contains the path and name of the folder where temporary files are created.
Index Folder contains the index file for any indexed file or collection of files.

Global Tab
The Global tab of the Options dialog contains settings that apply to all cases.

Auto Save Minutes (0=None) indicates the number of minutes between automatic saves of case files. The automatically saved data is written to *.CBAK files in the EnCase6 backup directory.
Backup Files shows the maximum number of files stored as backup files when a case is saved. The default is 9.
Use Recycle Bin for Cases determines whether backup files are moved to the recycle bin and not overwritten when a file is automatically saved.
Enable Picture Viewer determines whether the picture viewer is used for graphics of the appropriate formats.
Enable ART and PNG Image Display determines whether ART and PNG image files are displayed. When corrupt files of these types are encountered, they can cause the program to crash. This setting enables you to limit the impact of corrupted ART and PNG files.

Flag Lost Files determines whether lost clusters are treated as unallocated space. Doing so decreases the amount of time required to access the evidence file. When selected, all lost clusters appear in the Disk tab as unallocated clusters.
Enable Pictures in Doc View determines whether graphics or image files that are natively displayed by EnCase display using Oracle Outside In technology in the Doc tab of the View pane.
Invalid Picture Timeout (seconds) contains the amount of time the program attempts to read a corrupt graphics file before timing out. When the read times out, the corrupt file is sent to the cache and no attempt is made to read it again.
Date Format includes these options:
MM/DD/YY (for example, 06/21/08)
DD/MM/YY (for example, 21/06/08)
Other enables you to specify your own date format.
Current Day contains the current date in the specified date format.

Time Format includes these options:
12:00:00 PM determines whether a 12-hour clock is the basis of the time format.
24:00:00 determines whether a 24-hour clock is the basis of the time format.
Other enables you to specify your own time format.
Current Time contains the current time in the time format selected.

Show True contains the symbol indicating a value of true in table columns displayed in the Table tab of the Table pane.
Show False contains the symbol used to indicate a value of false in table columns displayed in the Table tab of the Table pane.

Debug Tab
This tab enables you to specify debugging information and options.

The Startup window displays information about the system and the particular instance of EnCase. This information can be useful when you are troubleshooting issues.
Debug Logging determines what action will be taken if EnCase crashes. There are three options for debug logging:
Off: This is the default setting. No debug logging is performed.
Stack: This option saves a stack dump if EnCase crashes. This file contains data that the crashing subsystem used, the system .dlls that were loaded at the time, and the version of EnCase used. The information captured in a Stack dump log generally does not contain case-specific data, but it can.
Heap: This option saves a heap dump if EnCase crashes. This is the recommended option for most EnCase crash issues. The heap is a superset of the stack, and also contains data from the process memory that the program uses while running. This results in a considerably larger dump file (potentially in the gigabyte range). Note that a heap dump will frequently contain case-specific data, including data from the evidence.

Note: In order to debug the crash in the fastest manner, select the Heap option.

Detect FastBloc checkbox (checked by default): Clear this checkbox if a device is hanging during FastBloc detection.

Colors Tab
This tab enables you to associate colors with various case elements.

Default Colors contains a list of case elements that can be associated with a color. Double-clicking on a listed element opens the Color Palette dialog so you can choose and associate a color with the listed case element.

Fonts Tab
This tab enables you to associate fonts with various case elements.

Default Fonts contains a list of case elements that you can associate with a font. Double-clicking on a listed element opens the Font dialog so you can choose and associate a font with the listed case element. The font can be defined in terms of:
Font
Font style
Size
Script

The script attribute enables you to select the character set used.

EnScript Tab
This tab enables you to specify the location of the include files library used by EnScript programs.

Click the Show line numbers checkbox to display line numbers in the script.
Click the Debug runtime errors checkbox if you want to debug runtime errors.
Include Path displays the path and name of the folder that contains the include files library.
In the Warning group box, click the checkboxes for any warnings you want to display while running a script.

Storage Paths Tab
The Storage Paths tab captures paths used for several files used by the EnCase application.

The picture shows storage path default settings. You can change the index, cache, and backup folders by entering a new path or by navigating to and selecting the desired folder.
In the .ini files box, you can change an .ini folder's location and select whether it is writable.

Sharing Configuration Files
Customization can be shared among investigators assigned to an investigation. Each of these INI files is populated by customizations the investigator makes while searching for evidence. The keyword and file signature files may be of particular interest. These case elements are distributed by sharing .INI files.

The application must be installed on the recipient machines.
To share startup files:
1. Click Tools > Options > Storage Paths. The Storage Paths tab of the Options dialog displays.
2. Double-click on the row containing the desired INI file. The Edit <.ini file name> dialog opens containing the path to the .ini file.
3. To navigate to the .INI file, copy the path to the .INI file and paste it into Windows Explorer.
4. Copy the file and distribute it as desired.
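Because shared keyword and file signature .INI files steer what every recipient examiner searches for, it is worth being able to show that each copy arrived unmodified. The following Python script is an added example, not part of EnCase or its documentation: it packages the Config folder files listed under Installed Files together with a SHA-256 manifest and lets the recipient re-verify them; the Config and destination paths, the manifest file name, and the sample file contents are all assumptions constructed for the demonstration.

```python
"""Package EnCase configuration (.ini) files for sharing, with a hash manifest.

Added example, not part of the EnCase product or documentation. It assumes the
Config folder layout listed under "Installed Files" (AppDescriptors.ini through
TextStyles.ini beneath the install path) and a destination folder of the
packager's choosing; every path is an assumption, and the sample files written
by demo() are constructed placeholders, not real EnCase INI content.
"""
import hashlib
import os
import shutil
import tempfile

# Config-folder INI files named in the manual's "Installed Files" section.
CONFIG_FILES = (
    "AppDescriptors.ini", "FileSignatures.ini", "FileTypes.ini",
    "Filters.ini", "Keywords.ini", "Profiles.ini", "TextStyles.ini",
)
MANIFEST_NAME = "MANIFEST.sha256"   # assumed name; not an EnCase artifact


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large INI files are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def package_config(config_dir, dest_dir, names=CONFIG_FILES):
    """Copy the chosen INI files into dest_dir and write a hash manifest.

    Returns {file name: sha256}. Files absent from config_dir are skipped so
    the manifest lists exactly what was shared.
    """
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {}
    for name in names:
        src = os.path.join(config_dir, name)
        if not os.path.isfile(src):
            continue
        shutil.copy2(src, os.path.join(dest_dir, name))
        manifest[name] = sha256_of(src)
    with open(os.path.join(dest_dir, MANIFEST_NAME), "w", encoding="ascii") as fh:
        for name in sorted(manifest):
            fh.write(f"{manifest[name]}  {name}\n")   # sha256sum-style lines
    return manifest


def verify_package(dest_dir):
    """Re-hash every file the manifest lists; return names missing or altered."""
    problems = []
    with open(os.path.join(dest_dir, MANIFEST_NAME), encoding="ascii") as fh:
        for line in fh:
            expected, name = line.rstrip("\n").split("  ", 1)
            path = os.path.join(dest_dir, name)
            if not os.path.isfile(path) or sha256_of(path) != expected:
                problems.append(name)
    return problems


def demo():
    """Constructed end-to-end run: package, verify, then detect an edited Keywords.ini."""
    root = tempfile.mkdtemp(prefix="encase_ini_demo_")
    config_dir = os.path.join(root, "Config")
    share_dir = os.path.join(root, "share")
    os.makedirs(config_dir)
    # Constructed placeholder contents; real EnCase INI files are not this simple.
    for name in CONFIG_FILES:
        with open(os.path.join(config_dir, name), "w") as fh:
            fh.write(f"; constructed sample for {name}\n")
    manifest = package_config(config_dir, share_dir)
    clean = verify_package(share_dir)             # expected: []
    with open(os.path.join(share_dir, "Keywords.ini"), "a") as fh:
        fh.write("; edited after distribution\n")  # simulated post-copy change
    tampered = verify_package(share_dir)          # expected: ["Keywords.ini"]
    shutil.rmtree(root)
    return len(manifest), clean, tampered


if __name__ == "__main__":
    print(demo())
```

On a real examination machine, point package_config at the Config folder path shown on the Storage Paths tab and have recipients run verify_package on the distributed folder before they start EnCase.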

Vista Examiner Support
EnCase must run as an administrator in order to access the local Vista computer.
1. Start EnCase.
2. Vista displays a prompt with the heading "An unidentified program wants access to your computer":

3. Click Allow.

Running a 32-bit Application on a 64-bit Platform
There are limitations in running a 32-bit application (for example, EnCase, SAFE, or Servlet) on a 64-bit platform. You will only get basic snapshot information such as ports or processes. For full results, you must run the application on the correct platform.

CHAPTER 4

Navigating the EnCase Interface


In This Chapter
Main Window
System Cache Settings
Control Panes and their Specific Tabs
Navigating the Tree Pane
Modifying the Table Pane
Modifying the View Pane

Main Window
Begin using the EnCase application in the main window.
The main window organizes the application's features. Features accessible from the main window are run from the system menu, the toolbar, and various context-sensitive menus accessed by right-clicking a feature. As the application runs, a status message displays in the status line at the bottom of the window.
The main window consists of a
System menu
Toolbar
Window containing panes
Status line

Panes divide and organize the window and contain trees, tables, and various representations of the media EnCase is examining.

The Main Window as it appears in EnCase Forensic with an open case. 1) indicates the system menu, 2) the toolbar, 3) a window pane, and 4) the status line:

The menus, commands, and icons displayed in the toolbar change depending on the context mode of the application. For example, the Logon and Logoff icons appear in enterprise-capable applications only. The Edit menu does not appear when the application is opened in Acquisition mode, which occurs when the application is opened and cannot properly see a valid dongle or appropriate licenses. Additional modules add functionality, commands, and icons.

System Menu
The system menu organizes commands provided by the EnCase application.
The system menu appears in the main window. The system menu, along with the right-click, context-specific menus, provides commands to execute EnCase functions.
The system menu contains the following commands:
File
Edit
View
Tools
Help

Clicking a command in the system menu displays the corresponding dropdown menu. The Edit dropdown menu does not display in Acquisition mode, although the Edit command is always present in the system menu.
Some of the commands in the dropdown menus available from the system menu commands are context-specific. These commands display in the dropdown menus only if they are available within the current context of EnCase.

File Menu
The File menu provides commands that manipulate application files and global application settings. You can:
Create new case files
Open existing case files
Save case files and global settings
Print the contents of files
Add devices to cases
Add raw images to cases
Exit the application

You may see different options on the File menu, depending on your context within EnCase.

The File menu provides the following commands:

New displays the Case Options dialog, where you specify details of the case you want to add.
Open displays the Open dialog, where you select a previously saved case file.
Save saves the previously saved case file, or displays the Save dialog, where you enter the file name, path, and file type for the case file you want to save.
Save As displays the Save As dialog, where you enter the file name, path, and file type for the case file under a different name.
Save All displays the Save All dialog, where you enter the file name, path, and file type for both the case file and EnCase global settings.
Print displays a Print dialog, where you define the print settings for the content (Table, Report, Code), depending on what displays in the Table pane. The dialog also provides the option to send output to a printer or PDF file.
Note: To display Asian language characters correctly, go to the Fonts tab of the Options dialog and select Arial Unicode MS.

Printer Setup displays the Print Setup dialog, where you select a printer and choose printer settings. The printer must be connected and functioning when you specify these values.
Add Device displays the Add Device dialog, where you define the preview and acquire parameters for a device. This command appears in the menu only when a case is open.
Add Raw Image displays the Add Raw Image dialog, where you select image files to be added to the open case. This command appears in the menu only when a case is open.
Exit closes the program. If display settings or case configurations have changed, you are prompted to save them before exiting.

Edit Menu
The Edit menu commands work with the objects and content in the currently selected tab.

Edit menu commands are context-specific. The commands change as you move from one tab to another or select objects or content in a tab. Specific Edit menus are discussed in sections describing the features that have an Edit menu associated with them.

The Edit menu shown here provides the following commands:
Export displays the Export dialog, where you select fields in a table to copy file data and attributes to a text file, and specify the path for the file containing the data. The exported data can be imported into another application, such as a database or spreadsheet, and further sorted, formatted, or edited.
Copy/UnErase opens the Copy/UnErase dialog for copying evidence files and folder entries to one or more destination files. Use of this command creates exact duplicates of the source data and does not change the evidence file.
Copy Folders displays the Copy Folders dialog, where you can copy the contents of a selected folder or folders, as well as all or selected files within folders in a variety of ways. Copying data in this way retains the original folder structure of the source media on the destination media.
Bookmark Data displays the Bookmark Data dialog, where you can create and define a new data bookmark.
Create a Hash Set displays the Create Hash Set dialog for selected files already hashed. You can name and categorize the hash set to be created.
Create Logical Evidence File displays, for a selected file or collection of selected files, the Create Logical Evidence dialog, so you can create a new logical evidence file to contain those selected files.
Mount as Network Share displays the Mount as Network Share dialog, so you can mount an acquired device as a network share. This command appears only if the Virtual File System module is installed.
Expand/Contract, for a selected object anywhere along the branch of the tree, expands the branch of the tree, or for a fully expanded branch of the tree, contracts the selected branch.

Expand All expands all branches of the tree.
Contract All contracts all branches of the tree.

Set Included Folders is a toggle switch. It initially sets Select All for the selected object in a tree and its branches. Choosing it again clears the selected nodes.
Include Sub Folders toggles Select All for the selected object in a tree and its branches.
Include Single Folder toggles Select All for the selected object in a tree, ignoring its branches.

View Menu
The View menu provides commands that determine the contents of the EnCase window panes.
View menu commands:
Display specific tabs in the tree pane
Display tabs that otherwise are not displayed, or that otherwise do not normally appear in the tree pane
Toggle controls that display in tab bars and the wrapping of the toolbar
Navigate between tabs, hide tabs, and control the display of tabs with or without their names
Move any tab-containing window back to its usual position in the main window

App Descriptors displays the App Descriptor tabs in the tree pane, including the App Descriptor Home and App Descriptors Hash Properties tabs. By default, these tabs do not normally display.
Archive Files displays the Archive File tab in the tree pane. By default, this tab does not display.
Cases displays the Cases tabs in the tree pane, including the Cases Home, Cases Entries, Cases Bookmarks, Cases Search Hits, Cases Records, Cases Devices, Cases Secure Storage, and Cases Keywords tabs. These tabs display by default. Use this command if you previously closed the Cases tab.
Encryption Keys displays the Encryption Keys tab in the tree pane. This tab displays by default. Use this command if you previously closed the Encryption Key tab.
EnScript displays the EnScript tab in the tree pane. By default, this tab does not normally display. When this tab displays, the EnScript tab in the Filters pane is closed.
When the EnScript tab displays in the Filter pane, the EnScript programs are organized into a tree extending to the programs themselves.

When the EnScript tab displays in the Tree pane, only folders populate the tree, and the programs themselves display in a table within the Table pane.
The table representation contains information beyond what is visible in the tree representation in the Filter pane.
EnScript Types displays the EnScript Types tab in the tree pane. It does not display by default.
File Signatures displays the File Signatures tab in the tree pane. It does not display by default.
File Types displays the File Types tab in the Tree pane. It does not display by default.
File Viewers displays the File Viewers tab in the tree pane. It does not display by default.
Hash Sets displays the Hash Set tabs in the tree pane, including the Hash Sets Home and Hash Sets Hash Items tabs. They do not display by default.
Keywords displays the Keywords tab in the tree pane. It does not display by default.
Machine Profiles displays the Machine Profiles tabs in the tree pane, including the Machine Profiles Home and Machine Profiles Allowed tabs. They do not display by default.
Packages displays the Packages tab in the tree pane. It does not display by default.
Projects displays the Projects tab in the tree pane. It does not display by default.
SAFEs displays the SAFEs tabs in the Tree pane, including:
the SAFEs Home
SAFEs Network
SAFEs Roles
SAFEs Users
SAFEs Events
They do not display by default.
SAFEs or Cases Sub Tabs displays a submenu associated with the tab currently displayed (SAFEs or Cases). In the figure above, the SAFEs Sub Tabs command displays because the SAFEs tab is displayed in the Tree view (not shown). If Cases were displayed, then the command would be Cases Sub Tabs.
Table Pane displays the Table Pane menu.
View Pane displays the View Pane menu.
Filter Pane displays the Filter pane menu.
Close Tab hides the tab currently in use. Once hidden, a tab can only reappear if it is opened using the tab commands on the View menu.
Show Name toggles the display of the name of the tab currently in use.
Previous Tab selects the tab to the left of the tab currently in use. When the tab currently in use is the leftmost tab, the rightmost tab is selected.
Next Tab selects the tab to the right of the tab currently in use. When the tab currently in use is the rightmost tab, the leftmost tab is selected.
Autofit toggles the wrapping of the toolbar. The toolbar extends to the right beyond the tab when Autofit is not selected. When Autofit is selected, the toolbar wraps, so that the entire toolbar displays.
Reset View puts any tabs appearing in windows back into the main window in their default locations.

Tree Pane and Tab and Subtab Menus
Subtab menus display commands for tabs contained by parent tabs.
When a tab contains other tabs, it has a View command that displays a subtab menu. The subtab menu contains commands that display each of the contained tabs.

When a tab contains only one other tab, selecting the containing tab is equivalent to selecting the contained tab. For example, selecting Cases > Sub Tabs > Bookmarks is equivalent to selecting Cases > Sub Tabs > Bookmarks > Sub Tabs > Home.
The commands in the subtab menus open their corresponding tab or display a corresponding subtab menu.

Table Pane and Tab Bar and View Menu
The Table Pane menu corresponds to the tabs appearing in the table pane.

The tabs in the table pane depend on the tab currently selected in the tree pane.

Table Pane Menu
The Table Pane command on the View menu displays the Table Pane menu.
The table pane contains a collection of context-sensitive tabs. The context is driven by the tab displayed in the tree pane. The table pane menu is context-sensitive as well.
Each of the tabs in the Table pane has a corresponding tab in the Table pane tab bar, and a corresponding command on the Table Pane menu.

Table displays the Table tab in the table pane. It displays by default.
Report displays the Report tab in the table pane. It displays by default.
Gallery displays the Gallery tab in the table pane. It displays by default.
Timeline displays the Timeline tab in the table pane. It displays by default.
Disk displays the Disk tab in the table pane. It displays by default.
Code displays the Code tab in the table pane. It displays by default.

View Pane and Tab Bar and View Menu
The View Pane menus display a command for each of the tabs on the table pane tab bar.
The View pane contains several tabs, depending on the tab currently selected in the table pane. The tab bar also includes controls that appear in the View pane menu.

View Pane Menu
The View Pane command on the View menu displays the View Pane menu.

The View Pane menu contains commands corresponding to the tabs displayed in the View pane. Clicking one of these commands displays the corresponding tab in the View pane.

Text displays the ASCII text tab in the View pane.
Hex displays the Hexadecimal value tab in the View pane.
Doc displays a Windows document representation (if possible) in the View pane.
Transcript displays the Transcript tab in the View pane.
Picture displays the Picture tab in the View pane.
Report displays the Report tab in the View pane.
Console displays the Console tab in the View pane.
Details displays the Details tab in the View pane.
Output displays the Output tab in the View pane.
Lock prevents the View tab from changing the tab, based on the entry selected in the Table pane.
Codepage toggles the ability for the view pane to display the file information using the detected Code Page. If not selected, the default Code Page is used.
Selection Indicator indicates the number of selected items as well as the number of total possible items.

Filter Pane and Tab Bar and View Menu
The Filter Pane menu and the tab bar for the Filter pane display commands corresponding to the tabs appearing in the View pane.

Filter Pane Menu
The Filter Pane command on the View menu displays the Filter Pane menu.
The Filter Pane menu contains commands corresponding to the tabs displayed in the Filter pane. Clicking one of these commands displays the corresponding tab in the Filter pane.

EnScript displays the EnScript tab in the Filter pane.
Filters displays the Filters tab in the Filter pane.
Conditions displays the Conditions tab in the Filter pane.
Display shows active filters.
Queries displays the Queries tab in the Filter pane.
Text Styles displays the Text Styles tab in the Filter pane.

AutoFit
When you resize a window pane, some tabs may not be viewable.

Instead of scrolling to them, you may want to use AutoFit.

There are two ways to implement AutoFit:
Click View > AutoFit.
Right-click in the pane and select AutoFit.

Tools Menu
The Tools menu provides commands to perform analytical operations.

Index Case opens the Index Case dialog, where you include (or exclude) files in the indexing process. You can select a noise file, which is a list of stop words (words that will not be indexed).
Webmail Parser opens the Webmail Parser dialog, where you select the webmail vendors whose account files are to be parsed.
Case Processor starts the EnScript Case Processor script. You can also start it by opening the Forensic and Enterprise trees in the Filter pane and double-clicking. The shortcut hotkey to start it is Alt+P.
Sweep Enterprise starts the Sweep Enterprise EnScript. You can also start it by opening the Forensic and Enterprise trees in the Filter pane and double-clicking. The shortcut hotkey is Alt+S.
Search opens the Search dialog, where you specify:
Which files are searched (all files or selected files only)
Criteria for keyword searches
To perform email searches
Criteria for hashing (all files or selected files only)
Other search options
Logon opens the Logon dialog, where you can log on to the enterprise LAN.
Logoff logs you off the enterprise LAN.

Wipe Drive opens the Wipe Drive dialog, where you select media you want to completely erase. After using Wipe Drive, you must format the media.
Verify Evidence Files opens the Verify Evidence Files browser, where you select evidence files to be verified. Verifying checks the Cyclic Redundancy Check (CRC) values to ensure evidence was not altered.
Create Boot Disk opens the Create Boot Disk wizard to create a LinEn boot disk.
Mount as Network Share Client opens the Mount as Network Share dialog, where you specify the IP address of the server to be mounted.
Options opens the Options dialog, where you define global settings for EnCase, such as
Default file locations for a new case
Fonts displayed
Highlighting colors displayed in the table pane
Date and time formats
Refresh updates the EnCase views based on the content of the folder displayed in the lists or trees. Use this command when you use Windows to add files to the folders of an open case. EnCase is not aware of these changes until you refresh the lists and trees.

Help Menu
The Help menu provides commands that access information and perform tasks associated with using your EnCase application.
Using the Help menu you can:
Display the readme help file
Register your copy of EnCase
Find out details about your copy of EnCase
Obtain information about your license
Learn what modules are installed, and other information

What's New displays the EnCase Release Notes as a help file.
Register EnCase displays the application registration page, where you can:
Find your dongle serial number
If connected to the Internet, register your application
If not connected to the Internet, find instructions on how to register your copy of EnCase

About EnCase tells you which version of EnCase and which modules you have installed.

Toolbar
The toolbar provides icons for the most frequently used EnCase program functionality.
The toolbar displays on the main window. It contains icons for performing the most frequent tasks in the current application mode or context. When EnCase opens in Acquisition mode, only the New, Open, Print, and Refresh icons appear in the toolbar. Once a case is opened, the Add Device icon appears. When the application is an enterprise application, the Logon icon appears and once logged on, the Logoff icon displays.

The Main window toolbar in different modes and contexts, including 1) Acquisition mode, and, in EnCase Forensic 2) before logging in and opening a case, 3) after logging in and opening a case, 4) with an acquired device selected from the Entries tree, and 5) with an entry selected from the Entries table:

There is a corresponding menu command for each toolbar icon.
When the toolbar is wider than the main window, the toolbar wraps to another line.
Some icons are enabled only when they are useful, such as Print and Refresh.
The panes and the tabs in the toolbars also provide context-dependent icons for functionality. To access them, right-click the menus provided in those features.
A context-dependent icon and its associated right-click menu command, where 1) is the context for the right-click menu, and 2) is the corresponding menu command and toolbar icon. The Find command opens the Find dialog where a search string can be defined that searches within the content highlighted in the View pane.

New opens the Case Options dialog, where you can define a new case.
Open opens the Open dialog, where you can open an existing case.
Print opens the Print dialog.
Refresh updates a list or table to reflect changes made in the file system to files that drive the EnCase application. An updated EnScript or hash library are examples of such files.
Save displays once a case is opened and opens the Save dialog, enabling all or selected portions of the evidence associated with the case to be searched.
Add Device displays once a case is opened and opens the Add Device dialog, enabling a device to be previewed or acquired.

Search displays the Search dialog, so that evidence associated with the case can be searched.
Logon displays only in Enterprise applications and opens the Logon dialog, so that you can log on to the SAFE.
Logoff displays only in Enterprise applications after a successful logon to the SAFE and logs you off the SAFE.
Other icons are described in the context where they appear.

Panes
Most EnCase work is done from one of the panes in the main display. The current display contains four panes containing different data and displays.
These include the following:
Tree pane (1) shows case-associated data in a tree or Explorer view format.
Table pane (2) presents a tabular data list that varies depending on the active or selected function.
View pane (3) displays the selected data in various formats, depending on the data type and how the Examiner elects to view it.
Filter pane (4) shows filter lists, EnScript lists, and other display options.

Each pane can be separated or undocked from the main window and displayed as individual windows, if desired.

Panes in the Analysis Cycle
Panes drive and organize the evidence analysis cycle.
The evidence cycle is where you define your examination of acquired evidence. Analysis of evidence is often cyclical, because you may refine selection and processing as your analysis requirements evolve during the examination.
Panes in the analysis cycle, where 1) container entries selected in the Tree pane determine the contained entries that appear in the Table pane, 2) contained entries selected in the Table pane determine the contents that appear in the View pane, 3) optionally, filters, searches, and processing defined in the Filters pane narrow the contents or results of the analysis that appear in the View pane, 4) results of the current analysis cycle, and 5) subsequent refinements of the analysis:

The Tree pane provides you with the starting point of the analysis. This is where you select the container entries, such as devices and folders that contain the evidence you want to examine.
The Table pane presents the contents of the entries selected in the Tree pane. You can refine entries to be examined here.
The Filters pane gives you the means to search, filter, and automate the examination of the entries selected for examination in the Tree and Table panes. This narrows and focuses your analysis effort.
The Filter pane provides tabs that enable you to view analytical results in places other than the View pane.
The View pane provides various tools that help you explore and see the results of the analysis. If the results of the analysis are sufficient for your purposes, the analysis can move on to other aspects of the investigation. If not, the analysis can be refined and performed again.

Panes as Separate Windows
The individual panes that appear in the main window can be displayed in separate windows.
In the main window, each pane has a drag handle. You can drag the pane outside the main window and the pane will appear in a secondary window. Once three panes are dragged from the main window, the remaining pane does not display a drag handle and remains associated with the main window. The panes cannot be dragged back into the main window.

Refreshing the view displayed in the main window places all the panes back in the main window in their default location.
This picture shows panes displaying as secondary windows, with the Tree pane, Table pane, and Filter pane as separate windows. The View pane appears in the main window where the Reset view command is selected from the View menu. The Reset view command puts the panes appearing in separate windows back into the main window:

PaneFeatures
Usepanefeatureswhileworkingwithpanesandtheirtabs. Eachpanecandisplaythesefeatures: Tabsandtabbar Scrollbarinthetabbarforaresizedpane Controlsinthetabbar Grabhandle

Navigating the EnCaseInterface

55

PaneFeatures,where1)isaViewpane,2)isthecurrenttab,3)isthetabbar,4)isthescrollicon fornavigatingthetabbar,sothatthetabyouwanttousecanbedisplayed,5)isthedraghandle usedtodragthepaneoutofthemainwindow,soitappearsinasecondarywindow,and6)care commandscontrollingthetabbar:

Each pane contains one or more tabs.

As the main window is resized, the tab toolbar resizes correspondingly. When a pane is resized to a size not as wide as its toolbar, the tabs are hidden and a scroll icon appears. The scroll icon lets you scroll to the right or left so you can view the hidden tabs. You can wrap the tabs, rather than having them hidden, by using Auto Fit on the dropdown menu of the tab toolbar.

The tab toolbar may contain controls in addition to tabs. The scroll bar exposes these controls and the tabs when either is hidden.

Each tab also has a grab handle used to move the tab outside the main window, where it appears in a secondary window. Once three tabs are removed from the main window, the last tab in the main window no longer displays a grab handle, because it cannot be removed from the main window.

Pane Tab Bar and Pane Tab Bar Menu
Each pane contains one or more tabs. Clicking a tab displays different content in the pane. Tabs are organized into a tab bar. Tabs may contain subtabs, and these are organized by separate tab toolbars. Each tab bar has its own menu. The menu displays when you right click the tab bar.

Pane tab bars and their tab bar menus:

Auto Fit toggles whether the tab bar displays as a single row with a scroll bar, or is wrapped to multiple rows when the pane is resized.

Tab Dropdown Menu
Each tab or subtab displays the same dropdown menu. This menu manages tabs and provides another way of moving from one tab to another. The tab toolbar menu command Auto Fit is also available here.

Dropdown menu, where 1) indicates that you closed a tab, 2) indicates a tab displaying only the icon, with the name hidden, 3) the Previous tab, and 4) the Next tab:

Close Tab hides a tab and its associated data. To display the data after closing a tab, use the View menu command associated with the tab. For example, View > Cases SubTabs > Secure Storage reopens the Secure Storage subtab.
Show Name toggles the text displaying the name of the tab. When the text is hidden, the icon is still displayed. You can shorten the contents of the tab bar by hiding the name text.
Previous Tab displays the tab to the left of the current tab on the tab bar.
Next Tab displays the tab to the right of the current tab on the tab bar.
Auto Fit toggles whether the tab bar is displayed as a single row with a scroll bar, or wrapped to multiple rows when the pane is resized.

Individual Panes
The individual panes that comprise the main window are:
Tree pane
Table pane
View pane
Filters pane

Tree Pane
The Tree pane establishes the context for all case data analysis. The Tree pane organizes a collection of tabs that contain a tree specific to that tab. A tree represents the hierarchical structure of a related collection of entries or objects. The very first object in a tree is the root. Folder objects contain other folder objects. Non-folder, terminal, leaf objects do not appear in the tree. They appear in the Table pane when their containing folder object is highlighted.

A Tree Pane, as a window, along with its 1) tab bars and its 2) tree, where Entries is the root of the tree, HunterXP is a device, C is a volume, and the rest of the tree consists of folders. Within the tree, 4) Application Data is highlighted. Each object in the tree can consist of 5) an expand/collapse icon, as seen when expanded, 6) a Set All icon, 7) a checkbox, 8) a category icon, and 9) a name:

A single entry or object in the tree consists of the following:
Expand/Collapse determines if the contained entries or objects are displayed or are hidden. Where a folder object appears that does not have an Expand/Collapse icon, the entries or objects it contains appear in the table in the Table pane, instead of the tree.
Set Include determines whether the entry or object and the entries and objects it contains appear in the Table pane, where the entries can be selected for further analysis or exploration.
Checkbox enables you to select the entry or object without selecting the entries or objects it contains.
Category indicates the type of entry.
Name contains and displays the name of the entry or object. The name can be highlighted, which indicates that the entries or objects contained in the entry or object associated with the name appear in the Table pane.
Clicking on any part of an entry or object highlights it.

Table Pane
The Table pane contains tabs that show you different aspects of the objects selected in the Tree pane. Selecting a tab determines the representation used. The Table tab of the Table pane displays information about these entries in a numbered table. Except for the Gallery tab, this information is descriptive, rather than the actual content of the entries. You can view and further explore the content you select in the Table pane.

The Table pane lists the data from the object selected in the Tree pane, where 1) the tab toolbar contains tabs appropriate for the type of data you selected in the Tree pane, 2) the column headers show you the values you can use in the analysis (for example, a column header for files is File Type), 3) the numbered selection column where you select the table entries to use in operations, and 4) a highlighted entry:

Sorting a Table
You can sort up to five columns of a table in the Table pane. You can do this in two ways:
Double clicking the column header
Using the Sort command on the table's dropdown menu

A single red triangle appears in the column header when sorting a single column, and to indicate the primary sort when you sort by more than one column.

To sort by multiple columns, after the primary sort is created, press the Shift key while double clicking the headers of the desired additional columns. Two red triangles display in the header of the second column sorted. Three red triangles appear for the third column sorted, with four in the fourth, and five in the fifth.

A table with five sorted columns, where the columns are sorted in the following order: File Type, File Category, Signature, Description, and Last Accessed.

These methods work for all tables regardless of where they appear in the interface, not just tables in the Table pane.


Filters Pane
The Filters pane contains the following tabs:
EnScript
Filters
Conditions
Queries
Text Styles

These tabs organize analytic processes applied to the entries shown in the Table tab.


Filtering Effects in the Table Pane
When a filter is run, a query icon appears on the main menu bar, and the filter results show in the Table pane.

The Query icon in the top menu bar appears with the filter results. When the icon shows a green +, filtered lists display. If more than one filter has been run, its name appears, with OR logic, in the table's Filter column.

When clicked, the Query icon changes its appearance and its associated list contents. As you can see below, the icon now has a - (minus) sign. In this state, the list shows selected evidence files and filtered files.

Here is a table display with the query in the - (minus) state.

View Pane
The View pane contains tabs that display different views of the entry highlighted in the Table pane. The View pane tabs display the content of the entry highlighted in the Table pane in different ways. Some of the tabs are more appropriate than others for certain kinds of data.

Two View panes showing two ways to view the content: (top) the Hex tab and (bottom) the Text tab, where 1) is the tab toolbars, 2) is the hexadecimal view in the Hex tab, 3) is the text view of the same object, and 4) is the text in the Text tab. Notice that the text representations in 3) and 4) are the same.

Status Line
The status line provides details on the physical and logical drive location of a selection.

The status line displays at the bottom of the main window.

The Status Line, where 1) is the status line, and 2) is the cursor in the View pane, driving the content of the status line:

The file being examined in your EnCase application drives some of the status line content. The location of the cursor in the content of the file being examined, and content selected by the cursor, also drive some of the status line content.

The status line content of the file being examined includes:
Name of the case
Name of the device
Name of the volume
Path to the file
File name

The status line content relative to the beginning of the file being examined includes:
Physical sector (PS) displays the sector number of the physical sector relative to the beginning of the physical disk
Logical sector (LS) displays the sector number of the logical sector relative to the beginning of the logical disk
Cluster number (CL) displays the cluster number

The status line content relative to the location of the cursor within the file being examined includes:
Sector offset (SO) displays the number of sectors, in bytes, between the start of the cluster and the current cursor location
File offset (FO) displays the number of bytes between the start of the file and the current cursor location

Length (LE) displays the length, in bytes, of the content currently selected by the cursor

Status line elements from drive geometry, where 1) is the content of a file from start to end of file (EOF), 2) sectors, 3) clusters, 4) width of the cursor. Notice that the physical sector (PS) value and the logical sector (LS) sector value are different, but address the same location.
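The relationship between the PS, LS, CL, SO and FO values above can be reproduced for a given file offset if the volume geometry and the file's cluster runs are known. The following Python model is an added example, not code from EnCase or Guidance Software: the volume (partition starting at physical sector 63, 8 sectors per cluster) and the fragmented file's run list are constructed values, and SO is modelled here as the byte offset of the cursor within its sector (an assumption about the status line's meaning). PS and LS differ by exactly the partition start and address the same location, as the figure notes.

```python
from __future__ import annotations
from dataclasses import dataclass

BYTES_PER_SECTOR = 512  # constructed: the usual sector size


@dataclass(frozen=True)
class Volume:
    """Geometry of one logical volume inside a physical disk (constructed values)."""
    partition_start: int      # physical sector where the volume (logical sector 0) begins
    sectors_per_cluster: int
    cluster_base: int         # logical sector at which cluster 0 would start (0 on NTFS)


@dataclass(frozen=True)
class StatusLine:
    PS: int   # physical sector, relative to the start of the physical disk
    LS: int   # logical sector, relative to the start of the volume
    CL: int   # cluster that holds the cursor
    SO: int   # byte offset of the cursor within that sector (assumed meaning)
    FO: int   # byte offset of the cursor from the start of the file


def locate(vol: Volume, extents: list[tuple[int, int]], file_offset: int) -> StatusLine:
    """Map a byte offset inside a (possibly fragmented) file to status line values.

    extents is the file's run list as (starting cluster, number of clusters);
    the runs are walked in order so fragmented files resolve correctly.
    """
    if file_offset < 0:
        raise ValueError("file offset must be non-negative")
    cluster_bytes = vol.sectors_per_cluster * BYTES_PER_SECTOR
    remaining = file_offset
    for start_cluster, count in extents:
        run_bytes = count * cluster_bytes
        if remaining < run_bytes:
            cl = start_cluster + remaining // cluster_bytes
            in_cluster = remaining % cluster_bytes
            ls = vol.cluster_base + cl * vol.sectors_per_cluster + in_cluster // BYTES_PER_SECTOR
            return StatusLine(PS=vol.partition_start + ls, LS=ls, CL=cl,
                              SO=in_cluster % BYTES_PER_SECTOR, FO=file_offset)
        remaining -= run_bytes
    raise ValueError("file offset lies beyond the end of the file's extents")


if __name__ == "__main__":
    vol = Volume(partition_start=63, sectors_per_cluster=8, cluster_base=0)
    runs = [(100, 2), (500, 3)]  # constructed fragmented file: two runs, five clusters
    for off in (0, 5000, 9000):
        print(off, locate(vol, runs, off))
```

Offset 9000 falls in the second run, so CL jumps from the 100s to 500 while FO keeps counting from the start of the file; that is the difference between file offset and on-disk location that the status line exposes.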


System Cache Settings Control
The Windows kernel contains a system cache, managed by the System Cache Manager (SCM), that caches file input/output in order to improve performance. The kernel also contains a Balance Set Manager (BSM) that balances the use of RAM between all running processes. The BSM heavily favors SCM, siphoning away memory from EnCase to the extent that it can appear that the operating system is frozen. This issue occurs on the following operating systems:
Windows XP 64-bit edition
Windows 2003 (all)
Windows Vista (all)
Windows 2008 (all)

To deal with this, EnCase contains a dialog giving you the option to change the Windows system cache default settings.
Note: If you are running Windows XP 32-bit edition, you will not see the System Cache dialog.

System Cache Settings at First Usage
When you first run EnCase, this dialog displays:

1. Click Yes to allow EnCase to correct the system cache settings.
Note: The default maximum is 80% of total physical memory.

2. To prevent this dialog from displaying each time you start EnCase, click the Don't show me this again checkbox. Upon rebooting your system or whenever EnCase launches, the Windows cache default settings are overridden with yours.


Specifying System Cache Settings Manually
1. Click Tools > Options.

2. In the Options dialog, click the Debug tab. The following screen displays.

3. In the System Cache group box, specify the settings you want, below, then click OK:
   a. Enter a Minimum size for the cache. The default is 1.
   b. Enter a Maximum size for the cache. The default is 80% of total physical memory.

   c. Click the Controlled by EnCase checkbox for EnCase to use the specified settings.
   d. If you do not want to see the reminder about system cache settings each time you start EnCase, click the Don't warn at startup checkbox. EnCase automatically sets your specified settings every time it launches.
   e. Click Set Defaults.
4. Click OK.

Panes and their Specific Tabs
The panes that comprise the main window organize collections of tabs. They include:
Tree pane tabs
Table pane tabs
View pane tabs
Filters pane tabs

Tree Pane Tabs
The Tree pane contains tabs with trees displaying many of the elements or objects used in your EnCase application. Each tab contains a tree displaying a collection of elements in a hierarchy. For example, keywords you define appear in the Keywords tab. Keywords associated with the currently opened cases appear in the Cases > Keywords tab.


The elements found in these trees have unique dropdown menus. The Edit menu matches the dropdown menu of the currently selected element or object.

Table Pane Tabs
The Table pane displays tabs that provide different views of the entries selected in the Tree pane. The context established by the entries in the Tree pane determines what tabs appear in the Table pane. The Table, Report, and Code tabs appear in almost all contexts. Entries that involve time can appear in a Timeline tab. Where image content is involved, the Gallery tab is among the tabs that display.

Tabs that display in the Table pane, as determined by the Tree tab displayed in the Tree pane. Gray values mean that tab is available. White values mean that the tab is not available:

Content displayed in these tabs is determined by selections made in the tree of the tab displayed in the Tree pane. When the Text Styles tab displays in the Tree pane, and you select the root of the Text Styles tree, the Table tab of the Table pane displays a table containing the same folders displayed in the tree. When a particular folder is selected in the tree, the contents of that folder appear in the Table tab of the Table pane.


Table Pane context, where 1) the object selected in the tree on the Text Styles tab of the Tree pane determines 2) the content displayed in the table in the Table tab of the Table pane:

Table Tab Columns
To display or hide table tab columns:
1. Right click the table tab.
2. Click Show Columns.
3. Click the checkboxes for the columns you want to display. By default, all the boxes are checked.
4. Clear the checkboxes for the columns you want to hide.
5. Click OK.

The picture below shows each column header. In order to fit them into this document, they are stacked. In the EnCase Table pane, scroll horizontally across the pane to see them. You can drag and drop columns to arrange them according to your needs. Each is described below.

Name is the name of the entry. Icons to the left of the file name indicate the type of entry, such as device, folder, or document.
Filter displays the name of the saved filter options if the files meet the criteria set.
In Report indicates whether or not the item appears in the report. To include the file in a report, right click the In Report column and select In Report, or select the entry and press Ctrl+R. To include more than one entry in the report, select each one in the first column checkbox, then right click the In Report header and select In Report.
File Ext displays a file's extension, such as .exe, .jpg, or .doc.
File Type names the file type. The software generates this information from the File Types table using the file's extension. When you run a Signature Analysis, this information is generated from the file's identifying (header) information inside the file.
File Category classifies the entry as Windows, database, picture, etc.
Signature identifies the file by header, not file extension. See Analyzing and Searching Files on page 275 for more information on using file signatures.
Description gives a short explanation of the entry (also indicated by the icon to the left of the file name).
Is Deleted displays TRUE if the file is deleted but not emptied from the Recycle Bin.
Last Accessed displays the date of the last activity of the file. A file does not have to be altered for the Last Accessed date to change, only accessed. Any activity (such as viewing, dragging, or even right clicking) may change the Last Accessed date. The last accessed date may also change if the file is accessed by a program such as a virus checker.
File Created is a record of when a particular file was created at that location. If a file is edited and changed on January 3, then copied to a floppy diskette on January 15, and that floppy diskette is acquired on January 28, the entry shows that the file on the floppy disk was created after it was last written to or accessed.
Last Written displays the last date and time a file was opened, edited, and then saved. If a file is opened then closed, but not altered, the Last Written date does not change.
Entry Modified refers to the file entry pointer and its information, such as file size. If a file was changed but its size not altered, the Entry Modified date does not change.
File Deleted shows the deletion time and date. If an entry in an INFO2 file on an NTFS volume has a deleted date, TRUE appears in the Is Deleted column.
File Acquired displays the date and time the evidence file, in which the selected file resides, was acquired.

Logical Size displays the byte size of the file.


Initialized Size is the size of the file when it is opened. This applies only to NTFS file systems.
Physical Size is the cluster size occupied by the file, that is, the physical disk space used by the file. Given a cluster size of 4096 bytes, the physical size of any file with a logical size less than 4096 bytes has a physical size of 4096 bytes. A file with just one more byte, 4097 bytes, for example, requires two clusters, or 8,192 bytes of physical disk space. The 4095 byte difference in the second cluster is called slack space.
Starting Extent shows the starting cluster of every file in the case. The format displayed is evidence file number, logical drive letter, cluster number. For example, a starting extent of 1D224803 means that the file is on the second evidence file (counting begins at zero), on the logical D:\ drive, at cluster 224803.
File Extents lists the number of extents a fragmented file occupies on a drive. To view extents, click the column value of the file being examined, and select the Details tab of the Report pane. You can also select the file in the Table pane, then select the File Extents subtab, above the Tree pane.
Permissions displays security settings of a file or folder. TRUE indicates a security setting is applied. To view security settings, select the entry and click on the Details tab in the lower pane. Or you can select the file in the Entries table, then select the View > Cases SubTabs > Entries SubTabs > Permissions menu to display the Permissions in the Table pane.
References is the number of times the file has been referenced in the case. For example, if you bookmark a file three times, the references column shows that.
Physical Location is the number of bytes into the device at which that unallocated cluster begins. The program organizes device unallocated clusters into one virtual file. It reads the file system's File Allocation Table (FAT), or the NTFS Bitmap, to create this virtual file. This allows the examiner to efficiently examine unallocated clusters.
Physical Sector lists the starting sector where the item resides in unallocated space.
Evidence File is the name of the root evidence file where the entry in the table resides.
File Identifier is a file table index number stored in the master file table. It is a unique number allocated to files and folders in an NTFS file system.
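The Physical Size and Starting Extent columns above both follow simple rules that are worth having as code when checking values by hand. This Python block is an added example and not EnCase code: it rounds a logical size up to whole clusters, derives the slack, and parses a Starting Extent string in the evidence-number, drive-letter, cluster-number format the column description gives. Treating a zero-length file as occupying no cluster is an assumption of this model, not a statement from the manual.

```python
import re
from dataclasses import dataclass

# Starting Extent format: evidence file number, logical drive letter, cluster number.
_EXTENT_RE = re.compile(r"^(\d+)([A-Za-z])(\d+)$")


@dataclass(frozen=True)
class StartingExtent:
    evidence_index: int   # zero-based position of the evidence file in the case
    drive_letter: str
    cluster: int

    @property
    def evidence_position(self) -> int:
        """One-based position, so index 1 is the second evidence file."""
        return self.evidence_index + 1


def parse_starting_extent(text: str) -> StartingExtent:
    """Split a value such as '1D224803' into its three components."""
    m = _EXTENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a starting extent value: {text!r}")
    return StartingExtent(int(m.group(1)), m.group(2).upper(), int(m.group(3)))


def physical_size(logical_size: int, cluster_size: int) -> int:
    """Disk space occupied by a file: whole clusters, rounded up.

    Assumption: a zero-length file occupies no cluster at all.
    """
    if logical_size < 0 or cluster_size <= 0:
        raise ValueError("logical size must be non-negative and cluster size positive")
    clusters = (logical_size + cluster_size - 1) // cluster_size
    return clusters * cluster_size


def slack_space(logical_size: int, cluster_size: int) -> int:
    """Bytes in the last cluster that the file does not use."""
    return physical_size(logical_size, cluster_size) - logical_size


if __name__ == "__main__":
    for size in (4095, 4096, 4097):
        print(size, physical_size(size, 4096), slack_space(size, 4096))
    print(parse_starting_extent("1D224803"))
```

The three sizes printed reproduce the worked figures in the column description: 4095 and 4096 bytes both occupy one cluster, while 4097 bytes spills into a second cluster that is almost entirely slack.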
Code Page is the character encoding table upon which the file is based.
Hash Value displays the hash value of every file in the case. You must run the Compute Hash Value command to generate this information.
Hash Set displays the hash set to which a file belongs. If no hash sets are created or imported, the column is unpopulated.
Hash Category displays the hash category to which a file belongs. If no hash sets are created or imported, this column is unpopulated.
Full Path displays the file location within the evidence file. The evidence file name is included in the path.
Short Name is the name Windows assigns using the DOS 8.3 naming convention.
Original Path displays information derived from the INFO2 file for deleted files that are in the Recycle Bin. The path is where the deleted file was originally stored. The column is blank for undeleted files. The original location is shown for files in the Recycle Bin. For deleted and overwritten files, it shows what file has overwritten the original file.
Symbolic Link can provide links to directories or files on remote devices.
Is Duplicate displays TRUE if the displayed file is a duplicate of another.

Is Internal references hidden files the OS uses internally but that are hidden from the user.
Is Overwritten displays TRUE if the original file is deleted and its space is occupied by another file.

Filters Pane Menu
Selecting a Filters pane menu tab displays filters features.

The menu that appears above the Filter pane shows the same tab options.

Clicking a tab changes the contents of the Filters pane as follows:
EnScript displays an EnScript tree menu.
Filters displays all available filters.
Conditions displays all available conditions.
Display shows filters, conditions and queries that are running.
Queries displays a tree menu of available conditions.
Text Styles provides access to available text styles.

View Pane Tabs
The View pane tabs display different representations of the entries selected in the Table pane. When the type of view is appropriate for the selected entry in the Table pane, the View pane tab is enabled. The View pane accesses the following tabs:
Text
Hex
Doc
Transcript
Picture
Report
Console
Details
Output

The tabs on the View pane cannot be closed.

The tab bar for the View pane also contains controls specific to the View pane. These controls include:
Lock prevents the tab from changing if the file type of the file selected in the Table pane changes. By default, the View pane displays the appropriate tab for the type of file selected in the Table pane. This behavior is overridden when Lock is selected. When you select Lock, the currently displayed tab type is retained, even if the selected file type in the Table pane changes. For example, if you Lock the View pane with the Picture tab in view and then select entries in the Table pane that do not contain images, the Picture tab may show nothing.
Codepage determines whether the detected, rather than the default, code page is used in tabs that display text.
Selected/Total displays the number of entries selected as a fraction of the total number of entries available in the current case.

The context established by selecting an entry in the Table pane determines what content is displayed in the View pane. The View pane displays the content of one entry from the table. While several entries can be blue checked in the Table pane, only one entry can be highlighted at a time.

View pane context, where 1) the Table pane contains a table where only one entry can be 2) highlighted for further exploration in 3) a tab in the View pane. 4) Checking table entries does not drive the content displayed in the tab displayed in the View pane. The representation of the highlighted content is made when you 5) select the desired View pane tab. 6) The Hex tab contains a representation consisting of an address, the numeric byte values, and the text representation of those numeric byte values:


Text Tab
The Text tab shows the highlighted file as ASCII text.

Hex Tab
The Hex tab shows a split view of a file with hexadecimal values on the left and ASCII on the right.
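The three columns the Hex tab presents (address, numeric byte values, and the text rendering of those same bytes, as described for the View pane figure above) can be produced from any byte string. The following Python function is an added example, not EnCase code; the sample input is a constructed byte string and the 16-byte row width is an assumption. Bytes outside the printable ASCII range are shown as a dot in the text column, which is why the Text and Hex tabs agree on the same content.

```python
from __future__ import annotations


def hex_view(data: bytes, width: int = 16, base_address: int = 0) -> list[str]:
    """Render bytes as a split hex/text view: address, byte values, text.

    Each returned string is one row; non-printable bytes appear as '.' in the
    text column so the row stays aligned whatever the content.
    """
    if width <= 0:
        raise ValueError("width must be positive")
    rows = []
    for start in range(0, len(data), width):
        chunk = data[start:start + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{base_address + start:08X}  {hex_part}  {text}")
    return rows


def text_view(data: bytes) -> str:
    """The Text tab's rendering: the same bytes, printable ASCII only."""
    return "".join(chr(b) if 0x20 <= b < 0x7F or b in (0x0A, 0x0D) else "." for b in data)


if __name__ == "__main__":
    # Constructed sample: a DOS-style header fragment followed by ASCII text.
    sample = b"MZ\x90\x00\x03\x00\x00\x00Hello, examiner!\r\n"
    for row in hex_view(sample):
        print(row)
    print(text_view(sample))
```

The address column restarts from `base_address`, so passing the file's physical location there makes the rows match the status line's byte offsets rather than offsets within the extracted buffer.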

Doc Tab
The Doc tab of the View pane uses Oracle Outside In technology to display text in its native format.

This viewer technology provides application software developers with high fidelity document viewing, without having to use native applications, for more than 390 file formats on Windows platforms.

Transcript Tab
The Transcript tab uses Oracle Outside In technology to extract text from a file containing more than text. The Transcript tab displays plain text content pulled from its non-plain-text native format. This makes it especially attractive for creating sweeping bookmarks inside files that are not normally stored as plain text, such as Excel spreadsheets.


Picture Tab
The Picture tab of the View pane displays the contents of an image file.


Report Tab
The Report tab displays a detailed list of file attributes in the View pane.


Console Tab
Use the Console tab to view output status messages when running EnScript programs.

Details Tab
The Details tab provides file extent information. To view file extents:
1. Open a case and display its contents.
2. Scroll to the file extents column in the Table pane and click File Extents in some row.
3. Click the Details tab in the Reports pane to view the file extents.

The picture below shows the first eight file extents from a piece of evidence.


Output Tab
Use the Output tab to obtain output from various EnScript programs.

Navigating the Tree Pane
The Tree pane presents a structured view of all gathered evidence in a Windows-like folder hierarchy.


Use the structured view when exploring Entries, Bookmarks, Search Hits, Keywords, and other views of evidence. You can add folders to the structure to suit your working requirements. Note that some folders have a plus sign (+) next to them. Clicking the plus sign opens the folder and displays its contents.

In the picture above, the Documents and Settings folder is expanded to show the five folders it contains. Note that the symbol next to the open folder is a - sign, indicating the folder is expanded.

Opening and Closing Folders with Expand/Contract
Use the Edit menu or right click in the Tree pane to use Expand/Contract to open or close the hierarchy at the point of the highlighted item.

To open and close all folders displayed in the Tree pane, do one of the following:
Right click the folder and choose Expand/Contract from the dropdown menu.
Click the Expand/Contract icon (+ or -).
With the folder highlighted, press the spacebar.

Expand All
You can expand all nested folders beneath the highlighted folder with one menu click. If the entire Tree pane hierarchy is closed, or if one or more folders are open, the entire tree can be expanded to display all of the contents.


Use the right click Expand All command to show all of the hierarchy. Start at the Entries root to open all available folders.

Contract All
You can close an entire tree with one menu click. If one or more folders is expanded beneath the highlighted item, the entire tree is contracted. Contract the entire table by opening the Edit Menu, then click Contract All.

The hierarchical tree contracts and displays the highlighted item only.


Displaying Tree Entry Information for One Branch
Highlighting is one of three ways to choose items in the Tree pane. Highlighting an item in the tree displays its contents in the Table pane.

Highlighting a tree entry, where 1) is the highlighted item, 2) are folder objects contained in the highlighted item in the Tree pane, and 3) are items contained in the highlighted item, enumerated in the Table pane.

Highlighting differs from selecting. Selecting (clicking one or more checkboxes) constructs a collection for processing by an analytic operation such as bookmarking or hashing. Highlighting also differs from including. Including (clicking to display the green polygon) displays all the items found in the included branch of the tree from the top level, down to the item you clicked.

Displaying Expanded Tree Entry Information
You can include all the lower levels of the hierarchy of an item for display in the Table tab with a single mouse click.


You do not have to explicitly expand the tree folders. When you click the Set Include polygon in the Tree pane, or right click and choose Set Include from the menu:
The Set Include icon of the highlighted item turns green.
Items on the lower levels of the hierarchy are also included, as indicated by the green icons.
The content of all the entries or objects included appears in the Table pane.

If the Include All icon is not green, the data associated with that item does not appear in the Table pane.

Including all is distinct from highlighting in that including all displays all the items in the branch from the selected entry to the leaf entries, while highlighting displays only items contained in the highlighted item.

In the Tree pane, including all is distinct from selecting because including all affects the contents of the Table pane, while selecting does not.

Initially, Set Include displays the entries and objects in the Table pane in a hierarchical order. Sorting columns in the table destroys this order, which cannot be recovered except by cycling the Set Include. Use the status line to see the parent for a particular entry in the table.

Comparing Highlighting and Set Include, where 1) is the highlighted entry in the Tree pane, 2) as it appears in the Table pane, 3) the Set Include entry enabling the rest of the Set Include entries in the subtree, and 4) as it displays in the Table pane. Include propagates down the tree from 3), the entry initially included, to the parallel entries:


Selecting Tree Entries for Operations
Selection is the way to choose multiple items in the Tree pane to manage them. While highlighting and including in the Tree pane drive the content of the Table pane, selecting does not. Selecting determines which entries are processed by analytic operations such as bookmarking, searching, filtering, and hashing. When you select an item by clicking a checkbox, the selection propagates upwards in the hierarchy to include related structure.

Selecting items, where 1) is the item that you checked with a mouse click, 2) is a selected ancestor that was propagated from the initial selection (whose entire contents are included in a future operation), as indicated by the white background of the checkbox, and 3) is a selected ancestor that was propagated from the initial selection, whose contents are not included; as a result, its checkbox has a gray background. The arrow shows the direction of the propagation:
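The three ways of choosing items described in the preceding sections (highlighting, Set Include, and selecting) differ in what they enumerate and in which direction they propagate. The Python model below is an added example, not EnCase code; the tree it builds is constructed to mirror the Tree pane figure (Entries, the HunterXP device, the C volume, and a few folders and files), and the "white" and "gray" states stand for the checkbox backgrounds the figure describes. Highlighting lists only the direct contents, Set Include walks the whole subtree downward in hierarchical order, and selecting marks the subtree fully and propagates upward to ancestors as partial selections.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterator


@dataclass
class Node:
    name: str
    is_folder: bool = False
    children: list[Node] = field(default_factory=list)
    parent: Node | None = None

    def add(self, child: Node) -> Node:
        child.parent = self
        self.children.append(child)
        return child

    def descendants(self) -> Iterator[Node]:
        """Depth-first, parent before children: the Set Include order."""
        for c in self.children:
            yield c
            yield from c.descendants()


def highlight(node: Node) -> list[str]:
    """Highlighting shows only the items directly contained in the node."""
    return [c.name for c in node.children]


def set_include(node: Node) -> list[str]:
    """Set Include shows the whole subtree beneath the node, in hierarchical order."""
    return [d.name for d in node.descendants()]


def select(node: Node) -> dict[str, str]:
    """Checking a checkbox selects the node and everything under it ('white')
    and propagates upwards so each ancestor becomes partially selected ('gray').
    Siblings of the path are untouched, which is why they are absent from the result."""
    state = {node.name: "white"}
    for d in node.descendants():
        state[d.name] = "white"
    p = node.parent
    while p is not None:
        state[p.name] = "gray"
        p = p.parent
    return state


def build_sample_tree() -> dict[str, Node]:
    """Constructed tree mirroring the Tree pane figure; returns nodes by name."""
    root = Node("Entries", True)
    dev = root.add(Node("HunterXP", True))
    vol = dev.add(Node("C", True))
    dns = vol.add(Node("Documents and Settings", True))
    admin = dns.add(Node("Administrator", True))
    admin.add(Node("NTUSER.DAT"))
    appdata = admin.add(Node("Application Data", True))
    appdata.add(Node("desktop.ini"))
    dns.add(Node("All Users", True))
    pf = vol.add(Node("Program Files", True))
    pf.add(Node("notes.txt"))
    return {n.name: n for n in [root, *root.descendants()]}


if __name__ == "__main__":
    tree = build_sample_tree()
    print("highlight C:", highlight(tree["C"]))
    print("set include C:", set_include(tree["C"]))
    print("select Administrator:", select(tree["Administrator"]))
```

Note that `select` returns checkbox state rather than a table listing: as the text says, selecting drives which entries an operation processes, not what the Table pane shows.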


Using the Dixon Box
The Dixon Box is located in the tab above the Report pane and shows how many files are selected and how many files exist in the case. If no files are selected in the open case, the box looks like this:

In this picture, three of the same 191 files are selected:

Note: To quickly select or deselect all files in a case, click the Dixon Box.

Modifying the Table Pane
The Table pane displays the contents of selected files and folders.

Note: Contents of the Table pane change as you select different items in the Tree pane and when you click files in the Table pane.

Showing Columns
Individual columns or groups of columns can be shown and hidden from view.

To show or hide columns using Show Columns, place the cursor in the Table pane and right click. To activate or deactivate the Table columns dialog, right click the Table pane, select Show Columns and select the desired columns.

The Show Columns dialog:

Note: See Table Tab Columns (on page 69) for information on all columns.

To hide columns, clear the appropriate checkboxes, then click OK.

Showing Columns in the Records Tab
1. Select the Records Tab.

2. Right click in the blank area of the Table pane and select Show Columns.

3. The columns display in a tree structure:

Hiding Columns
You can hide individual columns. Right click the column you want to hide and click Hide.

The column where the cursor was located is hidden.

Auto Fit All Columns
The Auto Fit All feature expands the width of each column so no data are hidden.

Note: The difference between Auto Fit All and Fit to Data is that with Auto Fit All, each displayed column is expanded to show its entire contents.

Fitting Columns to Data
At times, you may want to adjust the width of only one column. To view the entire column, select Fit to Data.

Resetting Columns
To restore columns to their default order, click Reset.

Manually resize a column by dragging the column separator.


To change the order in which columns display, select the column header and drag the column to the desired location.

Setting a Lock on Columns
Use Set Lock to scroll right and left in a table while continuing to show certain columns. Columns are locked on the left side of the Table pane. To lock a column:
1. Place the cursor in a column to be locked.
2. Right click and select Set Lock in the submenu.

The lock is set on the position of the column. If other columns are moved into that position, they too are locked. To release the lock:
1. Right click the locked column.
2. Select Columns.
3. Select Unlock.

Excluding Search Hits
The Exclude option hides one or more search hits from view. It does not delete them from the case.

Note: Excluded search hits are indicated by the international Not symbol.

In the picture below, the file setuplog.txt is included, while those in rows 15, 16, and 17 are excluded.


Deleting Items
When using Search Hits, delete is considered a soft delete which you can undelete until the case is closed. If a search hit remains deleted when the case is closed, the hit is permanently deleted. In other tabs, however, undelete works only with the last selection deleted. Once a file is closed, deleted items are permanently removed and cannot be recovered.

Run, then view a keyword search. This process is similar to Excluding Files (see page 306). View the search hits report in the Table pane before excluding them from the report.
1. Select files to exclude, then right click the view, selecting either Delete or Delete All Selected.

Selecting the latter displays the Exclude All Selected dialog.

2. Select the appropriate option and click OK. The selected files are temporarily deleted.

Note: Viewing the report shows the concatenated results.

Filters
Filters are EnScripts that modify what data are displayed.

Note: There are different types of filters available depending on the tab you choose in the Tree pane. For example, the filters available for search hits are different from those available for entries.

Several filters exist for filtering out objects of little or no interest to an investigation. Filters do not remove these objects from the case; they simply hide them from the Table pane. The Filter pane allows investigators to run, create, edit, or delete filters, conditions, and queries. The Conditions tab allows the user to build filters by simply specifying parameters.

Right click on a filter to open a submenu.

Use New to create filters based on set conditions that are menu selectable.


Created filters reside in an initialization file (C:\Program Files\EnCase6\Config\filters.ini). Filters are saved globally within the EnCase program.

Creating a Filter
New filters of your own creation can be added to the list. Display the Filter list in the Filter pane, then create a new filter.
1. Right click the topmost Filter icon. A submenu displays.

2. Click New from the dropdown menu.


The New Filter dialog displays.

3. Enter a descriptive name in the Filter Name field and click OK. A source editor displays in the Table pane.

4. Enter EnScript code as required to accomplish your task. The newly created filter name displays at the bottom of the Filter pane list. Execute the new filter as required by double clicking it.


Note: You must save or compile a new or modified filter before using it.

Editing a Filter
Change a filter's behavior by editing it.

Display the Filter list in the Filter pane, then edit it.
1. Right click the filter you want to edit. A dropdown menu displays.


2. Click Edit Source. The filter source displays in the Table pane.

Note: The Table pane menu shows the Code icon selected, the text editor's menu highlights the filter you are editing, and the scrollbars allow you to maneuver in the display.

3. Edit commands as needed.

Running a Filter
Running a filter against a set of evidence files produces data that conform to the filter's parameters. Open a case file and select folders to search.

1. To run a filter, click Select All (home plate) on evidence folders. The Tree pane that displays is similar to this picture:

2. Double click a filter, or right click it and select Run from the dropdown menu that displays. Complete any dialogs that display. When the filter finishes, the Table pane displays entries that meet the filter's criteria. The figure below shows the filter name and other data on those files that meet the requirements (Deleted Files in this case).

3. Notice that a Query icon (below) displays in the top menu bar. This icon displays when viewing a filtered list. Clicking the icon changes the display from showing the filtered list to showing all file entries.


The Query icon changes when clicked. It has a red minus (-) sign on it to show the filter is off. This does not delete the filter; it only turns its display effects off.

Combining Filters
You can run multiple filters, and combine filters with conditions and queries. To do this, run more than one filter. Running multiple filters uses OR logic to select files, thus the display shows both deleted and selected files. Any entry that responds to any active filter, condition or query appears. This picture shows a filtered list with one filter run against it.

Note that the entry in the Is Deleted column is marked True. This picture shows the display that results when two filters, Deleted Files and Files Before n, are run. The names of both filters appear in the Filter column of the Table pane.

A similar result occurs if you combine a filter and a condition.


AND/OR Filter Logic
You can toggle between displaying only entries that match all the active filters (AND functional logic) or entries matching any of the active filters (OR functional logic). When you run multiple filters, a Matches Any option displays in the toolbar:

This option employs OR logic to display files. To employ AND logic, click the Matches Any toolbar option. The option changes to Matches All:

Changing Filter Order
Filters run in the order in which you selected them. To change this order:
1. Click Display to show the active filters.
2. Left click the filter you want to move.
3. While holding the left mouse button down, move the selected filter to a new position.


A three filter list with all items selected is shown below. The next example shows the same three filters in a new order. Because all filters are selected, and thus active, all will be run. The order in which they run, however, is changed. In the first example below, Selected Files Only runs first, while in the second example, it runs second.

Turning Filters Off
There are several ways to turn off or disable filters. You can toggle the Query icon to alternate between the filtered list and the unfiltered one. This is an all or none toggle. When you have more than one filter or condition in the Filters pane Display tab, deselecting a filter modifies the Table view to show only files that result from the still checked items. For example, the list in the next example shows three active filters, Selected Files Only, File Extension and Deleted Files, but File Extension is cleared.


Deleting a Filter
Remove a filter from the Display list by selecting it, right clicking it, then clicking Delete from the dropdown menu. As a safeguard, a dialog displays. Click Yes to complete the deletion. The Table pane display automatically updates to reflect the change. The filter, condition, or query is not deleted from the Filters, Conditions, or Queries tab from which it was executed.

Importing Filters
You can import filters created by others into your collection.
1. Right click in the Filter pane.
2. Select Import.
3. Navigate to or enter the path where the filter is located and click OK.

Exporting Filters
Send your filters in a text file to others.

To export a filter from your collection:
1. Right click in the Filter pane.

2. Select Export.
Note: Selecting XML Formatted exports filters in XML format.
3. Check the Export Tree field as in the figure.
4. Navigate to or enter the path where the filter is located, then click OK.
Note: By default, the Output File text field contains a file named export.txt. You can change the path and name.

Conditions
Conditions are similar to filters. They limit Table pane content. Several created conditions exist, and like filters, they vary depending on the Tree tab you select. The picture below shows the display with the Conditions tab selected.


Creating Conditions
To create a new condition, right click a folder in the Conditions tab in the Filter pane, then select New.

Note: To use a filter inside a condition, click the filter tab and create a filter. Once created, click the Conditions tab and the filter displays in the properties list.

To create a condition:
1. Enter a name in the Name field.
2. Right click Main on the conditions tree and select New to see the New Term dialog.
3. Select a property, an operator, and, if prompted, a value and choice. Depending on the property and operator chosen, you can also select Prompt for Value, Case Sensitive, or GREP.
4. To edit the source code, click Edit Source Code.
5. Repeat the steps above to create as many terms as you want to make the condition as detailed as possible.
6. Click OK to save the condition.
7. To nest terms, create a folder by right clicking the desired location in the Tree pane and choosing New Folder. Place the nested terms inside this folder.
8. If you want to change the logic, right click the term and select Change Logic. This changes the AND operator to an OR, and vice versa.
9. If you want to negate the logic, right click the term and select Not.
10. When satisfied with the logic, click OK.
Note: Check to make sure there are no spaces (/x20) at the end of any condition using a literal comparison such as "matches". For example, if the condition is Extension matches: "txt,rtf,doc<space>,xls", the space at the end of the doc string is not visible, and the condition will not return DOC files.

Editing Conditions
You can edit conditions when there are no open cases.

1. Select the filter.
2. Right click it and select Edit.


The edit wizard opens in the Table pane.

3. Right click the property and select Edit to see the Edit Term wizard.
4. Make the selected changes, then click OK.

Running Conditions
To run conditions, double click them, select an item and run the script against it, or right click and select Run.


The example below shows the Table pane before a filter is run.

Three rows are selected: 7, 10, and 17. Note the blank Filter column. When a condition is run, the Query button on the top tab menu shows a plus (+) sign. The plus sign indicates that only items that meet the filter criteria are shown. If you are running multiple conditions, a Matches Any button displays. This shows results for all filters being run.

If you are running multiple conditions, clicking the Matches Any button changes it to Matches All. Only items that meet all the criteria for the filters being run are shown.


To return to the original display and see all items, click the Query button to change the plus (+) sign to a minus (-) sign.

Importing Conditions
You can import conditions created by others. To import a condition filter someone else has written:
1. Right click in the Condition pane.
2. Select Import.
3. Navigate to or enter the path where the filter is located, then click OK.


Exporting Conditions
Export filters to share them with other users.

To export a filter from your collection:
1. Right click in the Conditions pane.
2. Select Export.
3. Select Export Tree.
Note: Selecting XML Formatted exports the file in XML format.
4. Navigate to or enter the path where the filter is located and click OK.
Note: By default, the Output File text field contains a file named export.txt. You can change this name. You can also enter or browse to a complete export path.

Queries
Queries allow changing what is visible by combining filters and conditions into one item. There are two parts to a query, the display portion and the logic portion. The display portion affects the text and its color, and is used to denote matches using user selected filters and conditions. The logic portion actually controls which rows are hidden from the Table pane.


Construct a query using the same filters and conditions for the display and logic sections, or use different filters and conditions. One caveat: the logic portion takes precedence, so if a row does not match the filters and conditions used in the logic section, it is hidden even if it matched in the display section.
To create a query:
1. Enter a name in the field.
2. In the Display settings for shown items pane, right click in the right pane and select New.
3. Choose Filter or Condition.
4. Select the filter or condition from the list.
5. Enter text into the text field. This text will appear in the Filter column of the Table pane when a file meets this criteria.
6. Change the color element by clicking Text Color or Frame Color, then double click the Background and Foreground colors, then click OK.
7. In the New Display dialog, repeat Step 4 as often as required.
Note: The filters and conditions shown here will not hide rows that do not match the requirements of the selected filters. These selections simply adjust how the matches are indicated in the interface.

8. In the Conditions for showing items pane, right click Combinations, then select New.
9. In the New Combination dialog, select Filter or Condition, then select the filter or condition from the list and click OK.


Note: You do not need to enter the same filters or conditions here as entered in the display setting for shown items pane.

10. Repeat Step 7 as many times as needed.
Note: This is the logic for hiding rows. If, for example, an item matches a filter from the display settings for shown items pane, but it does not match the logic in the conditions for showing items pane, then the row will not be shown.

11. The default logic for the conditions is AND. To change this logic to OR, right click Combinations and select Change Logic.
12. Click OK.


Note: Other operations, including exporting and importing are the same as filters and conditions.
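The combination rules described in the Combining Filters, AND/OR Filter Logic, Creating Conditions and Queries sections, modelled in Python as an added example for this guide (this is not EnCase code and does not use the EnScript API): multiple filters combine with OR under Matches Any and AND under Matches All, a literal "Extension matches" term is defeated by a trailing space, and a query's logic portion hides rows while its display portion only labels them. All entries, filter names and label text are constructed samples.

```python
"""Model of how EnCase 6 combines filters, conditions and queries.

Added example for this guide, not EnCase code and not the EnScript API.
It reproduces the behaviour the text describes: active filters combine with
OR (Matches Any) or AND (Matches All); a condition term such as
'Extension matches' compares literals exactly, so a stray trailing space
silently breaks a match; a query's display part only labels rows while its
logic part hides them, and the logic part takes precedence.
All entries, filter names and labels below are constructed samples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    """One row of the Table pane (constructed sample fields only)."""
    name: str
    extension: str
    is_deleted: bool
    selected: bool


Predicate = Callable[[Entry], bool]

# Constructed stand-ins for the built-in filters the text mentions.
FILTERS: Dict[str, Predicate] = {
    "Deleted Files": lambda e: e.is_deleted,
    "Selected Files Only": lambda e: e.selected,
}


def run_filters(entries: List[Entry], active: List[str],
                matches_all: bool = False) -> List[Tuple[str, str]]:
    """Rows left in the Table pane after running the named filters.

    Returns (entry name, Filter column text). Matches Any (the default)
    keeps a row if any active filter hits; Matches All keeps it only if
    every active filter hits.
    """
    combine = all if matches_all else any
    rows = []
    for e in entries:
        hits = [name for name in active if FILTERS[name](e)]
        if combine(FILTERS[name](e) for name in active):
            rows.append((e.name, ", ".join(hits)))
    return rows


def extension_matches(literal: str, trim: bool = False) -> Predicate:
    """Condition term 'Extension matches: <literal>' over a comma separated
    list. With trim=False the comparison is literal, so 'doc ' (trailing
    space) never equals 'doc'; trim=True is the hardened comparison."""
    parts = literal.split(",")
    wanted = {p.strip().lower() for p in parts} if trim else set(parts)
    return lambda e: (e.extension.lower() if trim else e.extension) in wanted


def run_condition(entries: List[Entry], term: Predicate) -> List[str]:
    """Names of entries that satisfy a single condition term."""
    return [e.name for e in entries if term(e)]


@dataclass(frozen=True)
class Query:
    display: List[Tuple[str, str]]  # (filter name, text for the Filter column)
    logic: List[str]                # filter names under Combinations
    logic_and: bool = True          # Combinations default to AND


def run_query(entries: List[Entry], q: Query) -> List[Tuple[str, str]]:
    """Apply a query: the logic part decides visibility and takes precedence;
    the display part only decorates rows that survived."""
    combine = all if q.logic_and else any
    rows = []
    for e in entries:
        if q.logic and not combine(FILTERS[n](e) for n in q.logic):
            continue  # hidden even if a display filter would have matched
        labels = [text for n, text in q.display if FILTERS[n](e)]
        rows.append((e.name, ", ".join(labels)))
    return rows


# Constructed sample rows standing in for a small evidence listing.
SAMPLE = [
    Entry("report.doc", "doc", is_deleted=False, selected=True),
    Entry("old.txt", "txt", is_deleted=True, selected=False),
    Entry("notes.xls", "xls", is_deleted=True, selected=True),
    Entry("setup.dll", "dll", is_deleted=False, selected=False),
]

if __name__ == "__main__":
    both = ["Deleted Files", "Selected Files Only"]
    print(run_filters(SAMPLE, both))                  # Matches Any
    print(run_filters(SAMPLE, both, matches_all=True))  # Matches All
    print(run_condition(SAMPLE, extension_matches("txt,rtf,doc ,xls")))
    print(run_condition(SAMPLE, extension_matches("txt,rtf,doc ,xls", trim=True)))
    print(run_query(SAMPLE, Query([("Deleted Files", "Deleted")],
                                  ["Selected Files Only"])))
```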

Gallery Tab
The Gallery tab is a quick, easy way to view images stored on subject media. The extent of files shown in the Gallery tab of the Table view is determined by the selection you make in the Tree pane. For example, to view images of the entire case, click set include at the root of the Case tree. In Gallery, you can bookmark images just like bookmarking them in the Table tab.


If signature analysis is not yet run, Gallery view displays files based on published file extension. For example, if a JPG file is changed to DLL, it does not appear in the Gallery until you run a signature analysis.


Note: Guidance Software suggests running a signature analysis before performing analysis in the gallery tab. See Signature Analysis (see page 276) for more information.

Viewing More Columns
View more pictures in Gallery by increasing the number of displayed columns:
1. Right click anywhere in the Gallery.
2. Select More Columns.

Viewing Fewer Columns
View fewer pictures in Gallery by reducing the number of displayed columns:
1. Right click anywhere in the Gallery.
2. Select the Fewer Columns menu option.

The rightmost column is hidden.

Viewing More Rows
View more pictures in Gallery by increasing the number of displayed rows:
1. Right click in the Gallery tab.
2. Select More Rows.

Viewing Fewer Rows
View fewer pictures in Gallery by decreasing the number of displayed rows:
1. Right click anywhere in Gallery.
2. Select Fewer Rows.

Timeline Tab
The Timeline is a great resource for looking at patterns of file creation, editing, and last accessed times.


You can zoom in to a second by second timeline and zoom out to a year by year timeline by right clicking and selecting the appropriate option.

Above the calendar are selection boxes to quickly and easily filter which type of timestamp to display: Written, Accessed, Modified, Deleted, and File Acquired.

Clearing one or more of these boxes changes the timeline presentation.

Modifying the View Pane
The View pane provides display specific functionality of items selected in the Table pane.

Copy
You can copy data in the Text and Hex tabs. You can also copy RTF from a report so it can be pasted into an external program that accepts RTF input. In either tab, select the text, right click and select Copy.

Goto
Use Goto to specify where to move the cursor in the View pane. To skip to a location:
1. Right click in the View pane.
2. Select Goto.
3. Enter the file offset in the other field and click OK.


Goto can also interpret selected text using Little Endian or Big Endian. To interpret selected text:
1. Highlight text in the View pane.
2. Right click the View pane and choose Goto.
3. Click Little Endian to see the representation in Little Endian.
4. Click Big Endian to see the representation in Big Endian.

Find
Find works in most tabs of the View pane. Use it to locate strings within data.
1. Display Text view.
2. Right click the View pane.
3. Click Find.
4. Enter a string in the Expression field. To use a GREP expression, click the GREP checkbox.
5. Select either Whole Document, From Cursor, or Current Selection.
6. Select Case Sensitive if desired.
7. Choose whether to have results appear in the output window.
8. Click OK.
9. The system finds the expression you entered.

CHAPTER 5

Case Management
In This Chapter
Overview of Case Structure
Case Related Features
New Case Wizard
Using a Case
Opening a Case
Saving a Case
Closing a Case


Overview of Case Structure
An evidence case has a tripartite structure consisting of an evidence file, a case file, and EnCase program configuration files. The case file contains information specific to one case. It contains:
Pointers to one or more evidence files or previewed devices
Bookmarks
Search results
Sorts
Hash analysis results
Signature analysis reports

Note: You must create a case file before you can preview any media or analyze evidence files.

One of the most powerful features of the program is its ability to organize different media so they can be searched as a unit rather than individually.

Administrator Credentials
Some features of EnCase (for example, physical disk access) are available only if you are logged on as an administrator. For this reason, Guidance Software recommends that EnCase users are local users with Windows administrator credentials. Examples of the types of activities requiring administrative access are:
Setup: The setup program needs administrator privileges to configure devices and services during install and uninstall. On Vista, the setup program needs these privileges to write files to the \Program Files directory.
Reading Local Devices: To add a local drive to EnCase (the Add Device command) and read it at the sector level, Windows requires that EnCase runs as an administrator.
Configuring PDE: PDE is dependent on a virtual device driver that needs to be installed at the time of running. This installation process requires administrator privileges.
Neutrino: Neutrino configures devices to use its device drivers. The configuration of devices on the operating system requires administrator access.
EnCase Options Files: (Vista and later only) The EnCase options files are currently saved in the Program Files folder. On Vista and later operating systems, administrator access is required to modify files in these folders.
Wipe and Restore: The wipe and restore functionality requires sector level access to disk drives, for which Windows requires administrator privileges.
Write Blocking: To set a device as write blocked you must configure the EnFilter driver to write block devices. Windows requires administrator privileges to communicate with the device driver.


Case Management
Before starting an investigation, give consideration to how the case is accessed once it is created. For example, more than one investigator may need to view the information. To accomplish this, evidence files can reside on a central server. Creating temporary, export and evidence folders allows file segregation and control. A temporary folder holds any transient files created during an investigation. The export folder provides a destination for data copied from the evidence file. Create an evidence folder to store evidence. Temp and Export folders are built when a case is created.

Concurrent Case Management
The program can open more than one case at a time. Each case appears in the Table pane, and is analyzed independent of the other.

To switch case analysis from one case to another:
1. Click View > Cases > Sub Tabs > Home.
2. Select a case for analysis from the Table tab.

The Devices column of the table indicates how many devices are associated with the case in the Name column.
Note: To look at the devices associated with a particular case, highlight the case in the Table pane, then click on the Entries sub-tab below Cases.

Indexing a Case
Managing the index files associated with evidence files in a case is an important part of case management. For detailed information, see Indexing (on page 310).

Case File Format
Version 6 has a new case file format. As a result, case files created in version 6 do not open in previous versions. Version 6, however, does support cases created with version 5.


If a version 5 case file is opened in version 6, it can be saved as either a version 5 or a version 6 case file. You have this option in the File > Save As menu. For example, a case is created in version 5, then opened and worked on in version 6. To select the version in which to save the file:
1. Select File > Save As.

2. Expand the Save as type field and make a selection.
Case File saves the file as version 6.
Version 5 Case File saves the file as version 5.
Backup Case File saves the file as a version 6 backup file.

Case Backup
By default, a backup copy of the case file is saved every 10 minutes. By default, backup files (.cbak) are saved to C:\Program Files\EnCase\Backup. With the exception of the extension, this file has the same name as the parent file. To change the default save time:
1. Select Tools > Options > Global.
2. Change the number in the Auto Save text field.

Selecting 0 disables the auto save function. This is not recommended.

Options Dialog
The Options menu allows you to customize the software.

To access the menu, select Cases > Options from the toolbar.


A tabbed dialog opens. The tabs are: Case Options (when a case is open), Global, NAS, Colors, Fonts, EnScript, Storage Paths, and Enterprise.

Note: All fields on the Case Options tab are mandatory.

The Case Options fields in the illustration show the default values.
Name holds the case name.
Examiner Name is the investigator's name.
Default Export Folder is the location to which exported data are sent.
Temporary Folder is the location to which temporary data are sent.
Index Folder is the location of case indices.


Case Related Features
Cases use these processes: the Logon wizard, the New Case wizard, the Options dialog, and the Case Time Setting dialog.

Logon Wizard
The Logon wizard captures the user name, password, and SAFE to use for the current session. The user and password are established by the administrator, or those granted administrator level permissions. The Logon wizard displays the following pages: the Users page and the SAFE page.

Logon Wizard Users Page
The Users page of the Login wizard captures the current user's password and user name.

Password captures the user password.
User contains the User tree listing users' private keys and any subfolders in the current root path. A valid user has a matching public key in the SAFE they log on to.


Root User Object provides additional functionality through a dropdown menu, including updating the list of users displayed, changing the root path, and commands that expand or collapse the User tree.
User Objects provides additional functionality through a dropdown menu, including updating the list of users displayed and changing the root path.

Users Dropdown Menu
The Users dropdown menu provides additional functionality. The menu displays from the Users tree in the Users Page.

The Update command updates the Users tree display. When a user's private key is added to the default C:/Program Files/EnCase6/Keys folder or any other folder specified by the current root path, the tree does not immediately display the new user. The new user appears when the wizard is opened again, or when the User tree is updated.
Use the Change Root Path command to specify a folder that contains the private keys of users other than the default folder. Specify the root path in the Browse for Folder dialog. The Users tree contains only those users in the folder specified as the new root path.

Browse for Folder Dialog
Use this dialog to change the root path in the Users tree and the SAFE tree to specify the path to folders containing keys for users or SAFEs. The default path is C:/Program Files/EnCase6/Keys. The Users tree is based on the private keys contained in the folder defined by the root path. The SAFE tree is based on .SAFE files contained in the folder defined by the root path. Both types of files are in the C:/Program Files/EnCase6/Keys folder.


Moving these key files while the trees are displayed requires a refresh to update the trees.

Path displays a tree to navigate to the folder containing the keys.


SAFE Page of the Logon Wizard
The SAFE page of the Logon wizard determines if SAFE is associated with and used by the current user.

SAFE contains the SAFEs tree that organizes all the SAFEs that are installed. The user selects a SAFE to complete the logon.
SAFEs Root Object provides additional functionality through a dropdown menu, such as editing the settings of the SAFE, changing the root directory, logging on to a remote SAFE, and additional commands that expand or collapse the SAFEs tree.
SAFE Objects provides additional functionality through a dropdown menu, such as editing the settings of the SAFE, changing the root directory, and logging on to a remote SAFE.


SAFE Dropdown Menu
The SAFE dropdown menu provides additional functionality.

Edit opens the Edit SAFE Dialog where SAFE settings are defined and remote logons are enabled.
Update updates the Users tree display. When a user's private key is added to the default C:/Program Files/EnCase6/Keys folder or any other folder specified by the current root path, the tree does not immediately display the new user. The new user appears when the wizard is opened again, or when the User tree is updated.
Use the Change Root Path command to specify a folder that contains the private keys of users other than the default folder. Specify the root path in the Browse for Folder dialog. The Users tree contains only those users in the folder specified as the new root path.

Browse for Folder Dialog
Use this dialog to change the root path used in the Users tree and the SAFE tree to specify the path to folders containing keys for users or SAFEs. The default path is C:/Program Files/EnCase6/Keys. The Users tree is based on the private keys contained in the folder defined by the root path. The SAFE tree is based on .SAFE files contained in the folder defined by the root path. Both types of files are found in the C:/Program Files/EnCase6/Keys folder. Moving these key files while the trees are displayed requires a refresh to update the trees.


Path displays a tree to navigate to the folder containing the keys.

Edit SAFE Dialog
The Edit SAFE dialog contains settings that define connections to the SAFE and enable remote login.

Machine Name contains the IP address to the machine or subnet that constitutes the SAFE or SAFEs accessed using the named SAFE.
Remote SAFE determines if communications with the node will be routed through the SAFE, so the SAFE stands between the client and the node. Enabling this setting allows you to provide a value for Inbound Port and to use its value communicating with the remote SAFE.
Inbound Port determines which port is used when communicating with the remote SAFE at the IP address specified in Machine Name.
Attempt Direct Connection contains settings that determine what kind of connection is made to the specified SAFE.
None should be enabled when the target system cannot establish a connection with an EE client. Then all traffic is redirected through the SAFE server. This can increase communication times; however, it provides the investigator with the ability to obtain data that is otherwise not available.
Client to Node (Local) should be enabled when the client (Examiner) and the node (servlet) reside on the same network, and the SAFE resides on a different network. This allows data to transfer directly from the node to the client, after the client successfully authenticates through the SAFE. Also, the client will use the IP address that the node believes it has, rather than the IP address the SAFE has for the node. In this configuration, the network should be designed so that all the company's employees are located on the Corporate Desktop Network, and should employ routing/NATing.


Client to Node (SAFE) enables NAT, where a private IP address is mapped to a public IP address. Typically, the SAFE and node reside on the same subnet, and the client on another. This allows data to transfer directly from the node to the client, after the client successfully authenticates through the SAFE. The client also uses the IP address that the SAFE believes the node has, rather than the IP address the node reports it has, to allow a direct connection between the client and node machine. This option is enabled by default.
Node to Client operates similarly to the Client to Node (SAFE) mode, except that the node attempts the direct connection to the client. It is used when you desire direct data transfer between the node and the client, and there is NATing or a firewall prohibiting the node from sending data directly to the local IP/default port of the client. Once you check this option, the Client return address configuration box becomes available to enter the NATed IP address and custom port (for example, 192.168.4.1:1545). The Client return address box is disabled unless this option is selected.
Priority determines the priority of connection for this SAFE.
Low means the connection to this SAFE will be reconnected after all other connections of normal or high priority.
Normal means the connection to this SAFE will be reconnected after all other connections of high priority and before those connections of low priority.
High means the connection to this SAFE will be reconnected before all other connections of medium or low priority.

New Case Wizard
The New Case wizard captures role and case settings. A case is associated with a specific role. Roles are established by the administrator. The New Case wizard consists of two pages: the Role page and the Case Options page.


Role Page of the New Case Wizard
The Roles page of the Login wizard associates the case being created with a role. Roles are established by the administrator.
Note: Once you select a role for a case, you cannot change it.

Roles contains the Roles tree, which organizes the roles available to the user. Select the role associated with the case being created from the Roles tree.

Case Options Page of the New Case Wizard
The Case Options page of the New Case Wizard is where you enter the name of the case, the examiner's name and paths to folders associated with the case.

Name contains the name of the case associated with the case options set on this tab. The case name is used as the default file name when the case is saved. You can change this file name when you save the case.
Examiner Name is the name of the investigator.
Default Export Folder contains the path to and name of the folder where files are exported.
Temporary Folder contains the path to and name of the folder where temporary files are created.
Index Folder contains the index file for any indexed file or collection of files.

Add Device
Once a case is open, add evidence in accordance with the information in the Working with Evidence section.

Using a Case
A case is central to an investigation. Before you can add a device, preview content, or acquire content, you must open a case. This may be a new case or an existing case. Once you create a file, you can add a device, proceed with the device preview and acquisition, and subsequent analysis. Use the Case Options page to define a case. The settings on this page are the same as those on the Case Options tab of the Options dialog. Once a case is open, you can establish its time zone settings.

Modifying Case Related Settings
Use the New Case wizard, Case Options dialog to modify case related settings after the case is created.
1. Open the case.
2. Click Tools > Options. The Case Options tab displays.
3. Change the settings through the various tabs in the Options dialog.
4. Click OK.

For more information, see the Installing EnCase Forensic chapter.

Time Zone Settings
The Energy Policy Act of 2005 (Public Law 109-058) amends the Uniform Time Act of 1966 by changing the start and end dates of daylight saving time beginning in 2007. Clocks are set ahead one hour on the second Sunday of March, and set back one hour the first Sunday in November. This resulting extra four weeks is called the extended daylight saving time period. EnCase software uses time zone definitions stored in the examiner's Windows registry to adjust for daylight saving time and time zone adjustments. Microsoft released a patch altering how these adjustments are stored. The Windows registry contains a subdirectory of dynamic daylight savings time entries for different years. This allows the operating system to apply current daylight savings time settings to new files, and the corresponding year's daylight savings time for older files.


On patched machines, the root entry for daylight saving time settings is updated to the 2007 time zone settings, and that is currently the entry EnCase software uses. Therefore, if the examiner machine is patched, EnCase software uses the new 2007 rules for entries whose dates lie in the new four week extended daylight saving time period. Consequently all file dates, even those for previous years, apply the new daylight savings time settings.
Setting the time zone settings is accomplished two different ways. If you have an entire case where you want to use one time zone, you can set the time zone for the entire case. If you have several pieces of media that use different time zones, you want to set the time zones individually for each device in your case.

Case File Time Zones
Set the time zone for the entire case with the Case Time Settings dialog.

The features of the Case Time Settings dialog are:
Account for Seasonal Daylight Savings Time applies DST rules as defined by the registry settings. If you want to use the new 2007 DST rules, ensure your machine is patched.
Convert All Dates to Correspond to One Time Zone enables the Daylight Setting and the Time Zone list. This allows you to convert all times to match one time zone.
Daylight Setting is disabled unless Convert All Dates to Correspond to One Time Zone is checked. Use the option buttons to select Standard or Daylight Savings time adjustments.


Time Zone List is also disabled unless Convert All Dates to Correspond to One Time Zone is checked. This captures the time zone you want to use with your case.

Evidence File Time Zones
Use the Time Properties dialog to set the time zone for each evidence file.

The features of the Time Properties dialog are:
Time Zone List captures the time zone the subject device was set to.
Details provide rules used for the time zone selected in the Time Zone list. The rules listed here populate using Dynamic Daylight Savings Time, which requires that your computer is properly patched in order to use the new DST rules described above.
Use Single DST Offset specifies not to use Dynamic DST and instead apply a single DST offset to the entire device. Use this option when the subject machine did not have the proper 2007 DST patch described above.
Year Selection List is disabled until Use Single DST Offset is checked. You can select which DST rules to base the DST adjustment on: Use 2006 for machines using pre-2007 DST rules; Use 2007 only on computers using the new 2007 DST rules.

Setting Time Zone Settings for Case Files
1. Open a case.
2. Click View > Cases > Sub Tabs > Home. The open cases appear in the Table pane.
3. Right click the case for which you want to set the time zone and then select Modify Time Settings. The Case Time Settings dialog displays.
4. If you want to account for seasonal daylight savings time rules, select Account for Seasonal Daylight Saving Time.
5. If you want to convert all dates to a particular time zone:
a. Select Convert All Dates to Correspond to One Time Zone.
b. Select a Daylight Setting.
c. Select a Time Zone.
6. When you are finished, click OK.

Setting Time Zone Options for Evidence Files
1. Open a case to display its contents.
2. Select a Device from the Tree pane, right click it and choose Modify time zone settings. The Time Properties dialog appears.
3. Select a Time Zone from the Time Zone list. The details of the time zone appear in the Details text box.
4. If you want to use a single DST offset, select Use Single DST Offset and select the year of the DST rules you want to apply.
5. When you are finished, click OK.

General Time Zone Notes
FAT, HFS, and CDFS times are not associated with any time zone when stored on a target machine. The investigator assigns a time zone to the evidence at the device level. This assignment does not change displayed dates unless a case time is set and it is different from the device time.
NTFS and HFS+ times are associated to Greenwich Mean Time (GMT) when stored on a target machine.
Set device time zones associates a time zone with the stored FAT times, and for NTFS displays the correct offset from GMT.
Note: By default, all time zones are set to the examiner machine time zone.
Modifying the case time zone to convert all times to one time zone changes the FAT, HFS, and CDFS times if the device time zone is different from that of the case time zone. All NTFS and HFS+ times are adjusted to the case GMT offset if convert all times is applied.
At the case level, the daylight settings respond this way:
If standard is selected, no change is made to any times.
If daylight is selected, one hour is added to all display times regardless of the time of year.
The investigator's system clock date in standard or daylight time should have no effect on displayed times.

FAT, HFS and CDFS Time Zone Specifics
FAT, HFS, CDFS: All times are stored initially as the system time of the acquired machine. For instance, if a file is saved at 3 p.m., the time stored is 3 p.m. There is no time zone associated to 3 p.m. when the time is stored.


Setting the time zone at the device or volume level identifies the time zone in which the recorded times occurred. When the evidence is added to the program it is assumed to be in the investigator's local time. Modifying the device level does not change times because the device time zone associates a time zone only to the times stored.

Time Zone Example
The target computer has an HFS in New York (-5 GMT). The file is created at 3 p.m. The stored time in the computer is 3 p.m. The drive is imaged and the investigator writes that the computer displayed the correct local time. An investigator in California opens the evidence file. The EnCase program initially assigns a time zone to the device level of -8 GMT since that is the time zone setting of the West coast investigator's machine. The time still displays 3 p.m. because EnCase software knows the stored time is 3 p.m. and the local time zone of the examiner is -8 GMT.
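The timestamp rules from the General Time Zone Notes and the example above, worked through in Python as an added example for this guide (not EnCase code): zone-less FAT/HFS/CDFS times versus GMT-based NTFS/HFS+ times, the effect of the device zone, the case level Convert All Dates and Daylight settings, and the DST boundaries for the Year Selection List. The 2006 rules (first Sunday in April to last Sunday in October) and the sample dates are supplied by the example, not by the guide.

```python
"""How stored timestamps are displayed under device and case time zone
settings, following the General Time Zone Notes and Time Zone Example.

Added example written for this guide; it is not EnCase code. Rules modelled:
  * FAT, HFS and CDFS store the acquired machine's local time with no zone.
    The device zone only labels it, so the display does not change until a
    case zone is set that differs from the device zone.
  * NTFS and HFS+ store times relative to GMT; the device zone supplies the
    display offset, and a case zone replaces that offset.
  * The case level Daylight setting adds one hour to every displayed time,
    regardless of the time of year.
dst_period() goes one step beyond the text: it computes the 2007 rules the
guide states and, for the Use 2006 option, the pre-2007 US rules
(first Sunday in April to last Sunday in October).
"""
from datetime import date, datetime, timedelta
from typing import Optional, Tuple

LOCAL_TIME_FS = {"FAT", "HFS", "CDFS"}  # zone-less, stored as local time
GMT_FS = {"NTFS", "HFS+"}               # stored relative to GMT


def display_time(stored_iso: str, fs: str, device_offset_h: int,
                 case_offset_h: Optional[int] = None,
                 daylight: bool = False) -> datetime:
    """Time EnCase would show for one stored timestamp.

    stored_iso      raw value in the evidence as ISO text (local time for
                    FAT-style file systems, GMT for NTFS-style ones)
    device_offset_h hours from GMT assigned at the device level
    case_offset_h   hours from GMT when Convert All Dates is checked, else None
    daylight        case level Daylight setting (only applies with a case zone)
    """
    stored = datetime.fromisoformat(stored_iso)
    fs = fs.upper()
    if fs in LOCAL_TIME_FS:
        shown = stored
        if case_offset_h is not None and case_offset_h != device_offset_h:
            # Re-express the device's local time in the case zone.
            shown = stored + timedelta(hours=case_offset_h - device_offset_h)
    elif fs in GMT_FS:
        offset = device_offset_h if case_offset_h is None else case_offset_h
        shown = stored + timedelta(hours=offset)
    else:
        raise ValueError(f"unsupported file system: {fs}")
    if case_offset_h is not None and daylight:
        shown += timedelta(hours=1)  # applied unconditionally, per the notes
    return shown


def _nth_sunday(year: int, month: int, n: int) -> date:
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def _last_sunday(year: int, month: int) -> date:
    nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = nxt - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)


def dst_period(year: int, rules: str) -> Tuple[date, date]:
    """Start and end of US daylight saving time for the Year Selection List
    options: '2007' (second Sunday in March to first Sunday in November) or
    '2006' (first Sunday in April to last Sunday in October)."""
    if rules == "2007":
        return _nth_sunday(year, 3, 2), _nth_sunday(year, 11, 1)
    if rules == "2006":
        return _nth_sunday(year, 4, 1), _last_sunday(year, 10)
    raise ValueError("rules must be '2006' or '2007'")


if __name__ == "__main__":
    # The guide's example: HFS volume from New York (-5 GMT), file saved at
    # 3 p.m., examined in California (-8 GMT) with the default device zone.
    stored = "2009-03-20T15:00"   # constructed date; only the hour matters
    print(display_time(stored, "HFS", device_offset_h=-8))        # 15:00
    # Device zone corrected to -5 and the case converted to -8.
    print(display_time(stored, "HFS", -5, case_offset_h=-8))      # 12:00
    # Same instant recorded by NTFS (20:00 GMT) on a -5 device.
    print(display_time("2009-03-20T20:00", "NTFS", -5))           # 15:00
    print(dst_period(2007, "2007"), dst_period(2006, "2006"))
```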

Opening a Case
Open a case to continue analysis or to review a case.
1. Select File > Open.

2. Browse to or select the case from the recent files list at the bottom of the menu, then click Open.

Note: You can also open a case by double clicking the case file in Windows Explorer.


Saving a Case
You can save a case:
To its current file name and location: see Saving a Case on page 134.
With a new file name or a new location: see Saving a Case with a New Name or New Location on page 134.
To its current file name and location along with the application's current references, conditions, and filters: see Saving a Case and the Global Application Files on page 134.

Saving a Case
To save a case:
1. Click File > Save or click Save on the toolbar. The Save dialog appears.
2. If you want to use the case name as the file name and use the default path in My Documents, click Save.
3. You can also navigate to or enter a different file name and path, then click Save.

Saving a Case with a New Name or New Location
You can save any case with a new name or save it in a new location.
1. Click File > Save As. The Save dialog appears.
2. If you want to use the case name or current file name and use the default path in My Documents, click Save.
3. You can also navigate to or enter a different file name and path, then click Save.

Saving a Case and the Global Application Files
You can save the global application files containing preferences, conditions, and filters in the locations specified in the Storage Paths tab of the Options dialog.
1. Click File > Save All. The Save dialog appears.
2. If you want to use the current file name and the default path in My Documents, click Save.
3. You can also navigate to or enter the desired file name and path, then click Save.

Closing a Case
Protect the integrity of cases by closing them when they are not being worked on.

1. Save the open case.
2. In Tree view, place the cursor on an open case.
3. Click Close.


4. Click Yes to close the case.
Note: Close is also available from the dropdown menu.

CHAPTER 6

Working with Evidence


In This Chapter
Overview
Supported File Systems and Operating Systems
Using Snapshots
Getting Ready to Acquire the Content of a Device
Acquiring
Delayed Loading of Internet Artifacts
Remote Acquisition
Hashing
Logical Evidence Files
Recovering Folders
Recovering Partitions
Restoring Evidence
Snapshot to DB Module Set
WinEn
Wipe Drive


Overview
EnCase organizes digital evidence into an associated case. Digital evidence is previewed, then possibly acquired. Once evidence is acquired or added to a case, it can be analyzed. This section focuses on previewing, acquiring, and adding digital evidence to the case.

Administrator Credentials
Some features of EnCase (for example, physical disk access) are available only if you are logged on as an administrator. For this reason, Guidance Software recommends that EnCase users are local users with Windows administrator credentials.

Examples of the types of activities requiring administrative access are:
- Setup: The setup program needs administrator privileges to configure devices and services during install and uninstall. On Vista, the setup program needs these privileges to write files to the \Program Files directory.
- Reading Local Devices: To add a local drive to EnCase (the Add Device command) and read it at the sector level, Windows requires that EnCase runs as an administrator.
- Configuring PDE: PDE is dependent on a virtual device driver that needs to be installed at the time of running. This installation process requires administrator privileges.
- Neutrino: Neutrino configures devices to use its device drivers. The configuration of devices on the operating system requires administrator access.
- EnCase Options Files: (Vista and later only) The EnCase options files are currently saved in the Program Files folder. On Vista and later operating systems, administrator access is required to modify files in these folders.
- Wipe and Restore: The wipe and restore functionality requires sector level access to disk drives, for which Windows requires administrator privileges.
- Write Blocking: To set a device as write blocked you must configure the EnFilter driver to write block devices. Windows requires administrator privileges to communicate with the device driver.

Types of Entries
Entries include evidence and other file types containing digital evidence that are added to a case. There are four classes of evidence-containing files that EnCase applications support:
- EnCase Evidence Files (E01)
- Logical Evidence Files (LEF/L01)
- Raw images
- Single files, including directories

These files are acquired or added to a case. Before digital evidence can be added to a case, it is previewed.


EnCase Evidence Files
EnCase evidence files (E01) contain the contents of an acquired device and provide the basis for later analysis.

EnCase evidence files integrate investigative metadata, the device level hash value, and the content of an acquired device. This integration simplifies evidence handling and investigative efforts by keeping the device level hash value and content together, and by simplifying the effort required to verify that the evidence has not changed since it was collected from a subject device.

Dragging and dropping an E01 file anywhere on the EnCase interface adds it to the currently opened case.

Logical Evidence Files
Logical Evidence Files (LEF/L01) are created from files seen in a preview or existing evidence file. They are typically created after an analysis finds some noteworthy evidence.

When LEFs are verified, the stored hash value of the file is compared to the entry's current hash value.
- If the hash of the current content does not match the stored hash value, the hash is followed by an asterisk (*).
- If no content for the entry was stored when creating the LEF, but a hash was stored, the hash is not compared to the empty file hash.
- If no hash value was stored for the entry when creating the LEF, no comparison is done, and a new hash value is not populated.
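The three verification rules above, applied to a small set of entries as an added Python example (not EnCase's implementation): MD5 as the entry hash and the constructed sample entries are assumptions for illustration.

```python
import hashlib
from typing import Optional, Tuple


def verify_lef_entry(stored_hash: Optional[str], content_stored: bool,
                     current_content: Optional[bytes]) -> Tuple[Optional[str], bool]:
    """Apply the LEF verification rules to one entry.

    Returns (hash_shown, compared). hash_shown is what the hash column carries after
    verification: the stored hash, the stored hash followed by '*' on a mismatch, or
    None when no hash was stored (nothing is populated in that case).
    """
    # Rule 3: no stored hash, so no comparison is done and no new hash is populated.
    if stored_hash is None:
        return None, False
    # Rule 2: a hash was stored but the content was not; the stored hash is kept
    # and is not compared against the hash of an empty file.
    if not content_stored:
        return stored_hash, False
    # Rule 1: hash the current content and compare it with the stored value.
    current_hash = hashlib.md5(current_content or b"").hexdigest()
    if current_hash != stored_hash:
        return stored_hash + "*", True
    return stored_hash, True


def verify_lef(entries):
    """Verify (name, stored_hash, content_stored, current_content) tuples; returns a dict by name."""
    return {name: verify_lef_entry(h, stored, data) for name, h, stored, data in entries}


def sample_lef():
    """Constructed sample LEF: one intact entry, one whose content changed after the hash
    was stored, one with a hash but no stored content, and one with no hash at all."""
    intact = b"original report text"
    stored = hashlib.md5(intact).hexdigest()
    return [
        ("report.txt", stored, True, intact),
        ("notes.txt", stored, True, b"tampered text"),
        ("hash-only.bin", hashlib.md5(b"never stored").hexdigest(), False, b""),
        ("no-hash.bin", None, True, b"whatever is there now"),
    ]
```

Only the entry whose content no longer matches its stored hash ends up flagged with the asterisk.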

Raw Image Files
Raw image files contain a collection of files but lack the integration of metadata, compression, and hash values that the EnCase evidence file provides.

Before raw image files can be acquired they must be added to a case. The Linux dd command is typically used to produce raw image files. Raw image files can be acquired and added to a case. During acquisition, the raw image file can be hashed and compressed. Once acquired, raw image files are incorporated into an EnCase evidence file.

Single Files
Individual files can be added to the case once Activate Single Files is selected.

Any file type supported by an EnCase application can be added to a case. You can do this through the interface, or through drag and drop. When files are added, they appear in the view pane.

You can add a folder containing files to a case. This can only be done using drag and drop. When you add folders, the folders appear in the entries tree and the entries table. The individual files within the folder appear only on the entries table.


Supported File Systems and Operating Systems
For a matrix showing supported file systems, see the Snapshot File Systems Knowledge Base topic of the Guidance Support Portal (https://support.guidancesoftware.com/).

For a matrix showing supported operating systems, see the Snapshot Information for Supported OSs Knowledge Base topic of the Guidance Support Portal (https://support.guidancesoftware.com/).

Support for the DOS EN.EXE utility was dropped. You should do drive-to-drive and crossover cable acquisitions using the LinEn utility.

HFS+ Permissions Support
EnCase supports HFS+ (Mac OS Extended Volume Hard Drive Format) permissions.

Unix/Linux Environment

EnCase uses these abbreviations for file and directory permissions:

Lst Fldr = List Folder
Rd Data = Read File Data
Crt Fl = Create Folder
W Data = Write File Data
Trav Fldr = Traverse Folder
X FL = Execute File

- Characters to the left of a slash within brackets indicate folder permissions.
- Characters to the right of a slash within brackets indicate file permissions.

For example, [Lst Fldr/Rd Data][Crt Fl/W Data][Trav Fldr/X Fl] = Full Permissions.

Windows Environment

The Windows environment abbreviations for HFS+ permissions are:


FC = Full Control
M = Modify
R&X = Read Execute
R = Read
W = Write
Sync = Contact an EnCase developer

Extended File Allocation Table (exFAT) Support
EnCase can acquire devices using the exFAT file system.

exFAT contains these files by default:
- Primary FAT: identical to other FAT file systems.
- $Boot0: VBR and associated sectors (for the boot loader).
- $Boot1: backup of $Boot0 (right after $Boot0).
- $UpCase: a map to apply uppercase to Unicode file names (identical to NTFS).
- $Bitmap: cluster allocation map (indicates which cluster is in use).

exFAT also supports initialized file size.

EnCase detects exFAT volumes automatically. You can also add an exFAT volume manually: select the exFAT option from the Add Partition dialog.

Enhanced FAT Parsing
Not all implementations of the FAT file system can be automatically detected. For example, some FAT16 volumes in certain removable media may be detected as FAT12.

To address this issue, EnCase provides an option to specify the FAT type (FAT12, FAT16, or FAT32) to parse. This option is included in the Add Raw Image and Add Partition dialogs.


Add Raw Image Dialog
1. Click File > Add Raw Image. The Add Raw Image dialog opens.

2. Click the Volume option button, then select the Partition Type for the FAT volume you are parsing.
3. Click OK.

Add Partition Dialog
1. Select the Disk tab in Table view, then right-click for a dropdown menu.

2. In the dropdown menu, click Add Partition. The Add Partition dialog opens.


3. Select the Partition Type for the FAT volume you are parsing.
4. Click OK.

Fast File Transfer
EnCase provides improved performance when the servlet transfers files to EnCase. Before, EnCase sent requests to obtain one chunk of data (32 kb) at a time, and transferring a large file involved sending many read commands from the examiner. Although extremely robust, combined with network latency, this protocol could cause significant delays on certain networks.

In the new approach, the examiner sends just one read command, and error handling is done by the TCP/IP layer.

This functionality is built into the EnCase UI, and you can also access this function from EnScript, where a new option, CopyFile, has been added to the file class. It contains two parameters:
- Output file
- Size (optional)

If size is not specified, the data from the current position to the end of the file is transferred.
Note: This is EnScript-specific and is not the default file transfer method for EnCase.


Using Snapshots
Snapshots collect a variety of information to create snapshot bookmarks. Snapshots are the output of EnScript programs. In EnCase Forensic, only the Scan Local Machine EnScript program creates snapshots. In EnCase Enterprise, the following EnScript programs create snapshots:
- Sweep Enterprise
- Quick Snapshot

The Sweep Enterprise EnScript program captures live information from a selected network tree without a case or Enterprise logon needed before running.

The Quick Snapshot EnScript program captures live information from a selected machine associated with a device in an open case.

For more information on these EnScript programs, see Enterprise EnScript Programs (on page 430).

Getting Ready to Acquire the Content of a Device
Before you can acquire the contents of a device, you must add the device, and preview the device's content.

To add, preview, or acquire the content of a device, first open the case associated with the device.

To acquire the content of a device:
1. Using the Add Device wizard, add the device.
2. Using the EnCase main window, preview the contents of the device.

You are ready to acquire the contents of the device as an EnCase evidence file in the currently opened case.

Previewing
Previewing is done before an acquisition, so an investigator can determine if the device should be acquired. A preview is not optional, although the investigator determines the extent of the preview. During a preview, the content of the device can be analyzed just as if the content had been acquired.
Note: A write blocking device, such as the FastBloc write blocker, prevents the subject device from changing. Previewing via a crossover network cable is useful if a write blocking device is not available.

By previewing, the investigator does not have to wait to finish an acquisition before doing a preliminary examination. While previewing, you can run keyword searches, create bookmarks, perform Copy/UnErase, and other analysis functions. These search results and bookmarks can be saved into a case file; however, each time the case is opened, the subject media must be physically connected to the investigator's machine.


Physical Memory Preview
There are ranges of memory not touched by EnCase's physical memory preview. This is because these areas are in use by hardware devices and even reading them can cause a system crash. This typically occurs near the 4 Gigabyte area of memory.

Evidence files created from RAM contain bad sector read errors in these areas.

Live Device and FastBloc Indicators
In the Entries Table pane and the Preview Devices page of the Add Device wizard, graphical indicators mark the devices that are previewed or blocked via FastBloc or another write blocking device.
- A blue triangle in the lower right corner of the device icon indicates a previewed device.
- A blue square around the device icon indicates the device is write blocked by FastBloc.

Previewing the Content of a Device
Once devices and evidence files are added to the case file, the devices can be previewed before they are acquired.
Note: When a file is initially written to a multi-session CD it is assigned an offset. When the same file is changed, it is written again to the CD, as a new file in the new session, but with the same offset. Any number of revisions of the initial file are assigned the same offset. The file and all of its revisions can be viewed. Because the offset is used to associate bookmarks to the bookmarked entity, bookmarks of content on multi-session CDs will remount the first file it encounters with this offset when reopening the case.

Verify the device containing the content to be previewed was added to the case.

To preview the content of a device that was added to the currently opened case:
1. On the Tree pane or Table pane of the main window, look at the icon of the device being previewed to see if it is live or write blocked.
2. Perform any evidence analysis required to determine if a device should be acquired.
3. Once you have determined the device should be acquired, acquire it.


Add Device Wizard
Use the Add Device wizard to add a device for later acquisition.

The Add Device wizard includes:
- Sources page
- Sessions Sources page (optional)
- Choose Devices page
- Preview Devices page

You must open a case before opening the Add Device wizard.

Sources Page of the Add Device Wizard
You can select one or more types of sources on the Sources page of the Add Device Wizard. You can use local drives, a Palm Pilot, or a network crossover connection as a source device for subsequent previews or acquisitions. In addition to local devices, you can add folders intended to contain evidence files.

Sessions opens the Sessions Sources page of the Add Device Wizard when you click Next.

Sources Tree Pane organizes the device sources from which content is later previewed or acquired.

Sources Root Object contains the child objects. The dropdown menu displays commands for this object. You can:
- Expand or collapse objects in the Sources tree.
- Select various objects in the Sources tree.


Local Object refers to local devices physically connected to the machine, which could include:
- Floppy drive
- Palm Pilot
- Removable media
- Hard drive
- Another computer

The device types display as entries in the Table pane when the object is selected. Dropdown menu commands for this object determine how to:
- Expand or collapse objects in the Sources tree
- Select various objects in the Sources tree

Evidence Files Folder Object contains folders added as source folders containing evidence files. The Table pane displays the same folders as the tree. Dropdown menu commands for this object let you:
- Add folders
- Determine which objects appear in the Sources Tree
- Determine which entries are shown in the Table pane when the object is selected

Evidence Folder Objects represent each folder added as a container of evidence files. As leaf nodes of the tree, the evidence files do not show in the tree, but they do appear in the Table pane. Dropdown menu commands for this object let you:
- Delete the folder where you opened the dropdown menu
- Delete folders selected in the Sources tree
- Determine which objects appear in the Sources tree
- Determine which entries are shown in the Table pane when the object is selected

Table Pane displays the children of the currently selected folder object in the Sources tree. Dropdown menu commands for this object let you:
- Delete the folder where you opened the dropdown menu
- Delete folders selected in the tree
- Copy the entry where you opened the dropdown menu
- Select the object on the tree that corresponds to the entry where you opened the dropdown menu in the Table pane
- Navigate to the parent of the object containing the entry where you opened the dropdown menu in the Table pane


Sessions Sources Page of the Add Device Wizard
When Sessions is enabled, you can add evidence files to the Sources tree using the Add Text List dialog or the Add Evidence Files browser.

Sessions opens the Sessions Sources page of the Add Device Wizard when you click Next.

Add Text List opens the Add Text List dialog, which contains a list of paths to and file names of evidence files to be added in batch to the Sources tree. You can use IP addresses when the servlet on the machine is not running on the servlet's default port (the same default port number as the SAFE, which is 4445). When using an IP address that does not share the same port number as the SAFE, you must append a colon and the port number to the IP string.

Add Evidence Files opens the Add Evidence Files file browser where you can enter the path to and the file name of an evidence file, so the evidence file is added individually to the Sources tree. The following types of files can be added using this file browser:
- Evidence File (.E01)
- SafeBack File (.001)
- VMware File (.VMDK)
- Logical Evidence File (.L01)
- Virtual PC File (.VHD)


Sources Tree organizes the folders used to contain the evidence files added either as batch file lists or individual files. You can organize the folders in this tree hierarchically as desired.

Sources Root Object contains the default folders and folders added by the user that organize the evidence files either added or to be added to the Sources tree. Dropdown menu commands for this object let you:
- Add a new folder as a child
- Expand or collapse the subordinate tree

Any child objects of this object on the tree appear as entries on the Table pane. The children of this object can be organized hierarchically by dragging and dropping folders into each other.

Current Selection is a default child of the Sources root object. It contains any evidence files added to the Sources tree during the current session or invocation of the Add Device Wizard. The next time the Add Device Wizard is opened, the evidence files listed here are moved to the Last Selection folder, and this folder is emptied. The dropdown menu on this object lets you:
- Delete this object
- Rename this object
- Add a new folder as a child
- Expand or collapse the subordinate tree

Any child objects of this object appear as entries on the Table pane. You can organize the children of this object hierarchically by dragging and dropping folders into each other.

Last Selection is a default child of the Sources root object. It contains any evidence files added to the Sources tree during the prior session or invocation of the Add Device wizard. The next time the Add Device wizard is opened, the evidence files listed in the Current Selection folder are moved to this folder, and any evidence files listed before the move are removed from the folder. Once added, the evidence files continue to be used as sources until they are individually removed, regardless of whether they show in the selection folders.

The dropdown menu on this object lets you:
- Delete this object
- Rename this object
- Add a new folder as a child
- Expand or collapse the subordinate tree

Any child objects of this object on the tree appear as entries on the Table pane. You can organize the children of this object hierarchically by dragging and dropping folders into each other.

Table Pane displays the children of the currently selected object in the Sources tree as entries in the table. Dropdown menu commands for this object let you:
- Copy an entry for use elsewhere; the copied entry cannot be pasted into the table
- Delete an entry
- Rename or edit an entry
- Navigate to the parent object of the object containing the entry


Choose Devices Page of the Add Device Wizard
Once local devices are defined, a subset of those is selected here so they can be added to a case.

Devices Tree organizes the device definitions to be added to a case.

Devices Root Object contains the default folders that reflect the types of devices defined at this point. See Adding a Device (on page 151).

Right-click menu commands for this object determine:
- Which objects appear in the Sources tree
- Which entries display in the Table pane when the object is selected

Local Drives Object contains the current collection of child instances of the Local Drives device type entries on the Table pane. Right-click menu commands for this object determine:
- Which objects appear in the Sources tree
- Which entries display in the Table pane when the object is selected

Table Pane displays the children of the currently selected object in the Sources tree as entries in the table. Right-click menu commands for this object let you:
- Toggle the Read File System Column value
- Copy an entry for use elsewhere, as the copied entry cannot be pasted into the table
- Select an entry
- Edit an entry
- Navigate to the parent object of the object containing the entry

Device Selection Column contains a checkbox for each row. To add a device, click its checkbox, then click Next.

Read File System Column: If this setting is not selected, the file system is read in as a flat file from sector 0 to the last sector. Files, folders, and any other file system architectural structure is lost.


Preview Devices Page of the Add Device Wizard
This page displays a list of the devices eligible to add.

The Table pane lists the devices that are added by clicking Next.

Table Entry Rows display the details of the device defined in that row. The dropdown menu for each row provides commands that:
- Toggle the Read File System setting for the entry where you opened the dropdown menu
- Copy the entry
- Edit the entry, including the Read File System value. The best means to select or enable the Read File System is via this edit command.

Read File System Column: when this is cleared, the file system is read in as a flat file from sector 0 to the last sector. Files, folders, and any other file system architectural structure is lost.

Adding a Device
The devices added using the Add Device wizard determine the type of acquisition to be performed. The primary determiner is the device type set on the Sources Page of the Add Device wizard. The process for adding a device varies once the device type is selected.

Open a case where you want to add devices. When a case is open, the Add Device button displays on the main window tab bar.


1. Click Add Device. The Sources page of the Add Device wizard displays. In the Sources tree the Local object is selected, and the local device types are listed in the Table pane.
2. Complete the Sources page of the Add Device wizard as needed, and click Next. If you checked Sessions on the Sources page of the Add Device wizard, the Sessions Sources page of the Add Device wizard displays; otherwise, the Choose Device page displays.
3. If Sessions was selected on the Sources page, complete the Sessions Sources page and click Next. The Choose Device page displays.
4. Complete the Choose Device page as needed, and click Next. The Preview Devices page displays.
5. Complete the Preview Devices page as needed, and click Next.
6. The devices defined and selected on the Add Device wizard are added to the currently opened case.

The devices that were added to the case can now be previewed and acquired.

Completing the Sources Page
The Sources page of the Add Device wizard enables you to determine:
- The device types of the devices added to the case
- The evidence files added to the case

Before you begin:
- Open the case
- Open the Add Device wizard to the Sources page.

Note: For a local acquisition, see Acquiring a Local Drive (on page 168). For a Palm Pilot acquisition, see Acquiring a Palm Pilot (on page 178). For a network crossover acquisition, see Drive-to-Drive Acquisition Using LinEn (on page 490).

1. To acquire or preview a local drive:
   a. Select the Local object in the Sources tree
   b. Click the checkbox for Local Drives in the Table pane.

2. To acquire or preview a Palm Pilot:
   a. Select the Local object in the Sources tree
   b. Connect the Palm Pilot and set it to console mode
   c. Click the Palm Pilot checkbox in the Table pane.

3. To acquire or preview a network crossover:
   a. Select the Local object in the Sources tree
   b. Start the LinEn crossover connection acquisition
   c. If appropriate, connect the crossover connection
   d. Click the Network Crossover checkbox in the Table pane.

4. To add evidence files to the case file, select Sessions.

   The Sessions Sources page appears after clicking Next.
5. Click Next.


   If Sessions was selected, the Sessions Sources page appears; otherwise, the Choose Devices page displays.

Completing the Sessions Sources Page
After the Sources page of the Add Device wizard is complete, the Sessions Sources page appears.

Before you begin:
- Open the case
- Complete the Sources page in the Add Device wizard
- Select Sessions

Drag and drop an evidence file from Windows File Explorer to this page.
1. To add a list of evidence files:
   a. Click Add Text List.
   b. Enter the path and file name for each evidence file to be added using the list.
   c. Click OK.
2. To add a single evidence file using a file browser:
   a. Click Add Evidence File.
   b. Browse to or enter the path and file name of the evidence file to be added.
   c. Click OK.
3. If more devices need to be added, clear Sessions. If all the devices have been added, click Next.
   If Sessions was cleared, the Choose Devices Page appears; otherwise, the Sources page displays.

Completing the Choose Devices Page
This page displays the devices defined that can be added to the case by the Add Device wizard.

At this point in the acquisition, the source devices were added to the Add Device wizard.

To select the subset of devices to add:
1. With an entity object selected in the Tree pane, in the Table pane select the sources to be added to the case by selecting or clearing the Device Selection Column checkbox for each source.
2. Click Next.

The Preview Devices page of the Add Device wizard displays.


Completing the Preview Devices Page
This page displays only the selected devices from those initially defined.

Select a subset of the defined devices and evidence files so they can be added to the case.

To verify that the list of devices to be added is correct:
1. Review each row in the Table pane, and if the device attributes need to be changed, do the following:
   a. Right-click on the row containing the device whose attributes need to be changed, and click Edit. The Device Attributes dialog appears.
   b. Enter the desired changes.
2. If the device should be acquired as a flat file, clear Read File System.
3. Click OK. The changes made in the Device Attributes dialog appear in the Table pane.
4. If the list of devices to be added is correct and complete, click Next; otherwise click Back as necessary to revise values.

The devices defined in the Add Device wizard are added to the case.

Acquiring
Once a device is added, its contents can be acquired. Beyond an acquisition, you can add EnCase evidence files and raw evidence files to the case. Raw evidence files can be reacquired, so that they are translated into EnCase evidence files complete with metadata and hash values. Palm Pilots can also be acquired. The LinEn utility also lets you do network crossover acquisitions in collaboration with EnCase Forensic, and you can use LinEn to perform disk-to-disk acquisitions. EnCase evidence files originating in other cases can be added as well.

All of these acquisitions are discussed in this section.

Types of Acquisitions
There are several types of acquisitions that comprise EnCase evidence files (E01) and associate these files with the currently opened case.

There are several additional digital evidence file types that are associated with the currently opened case but do not involve acquisitions, except when reacquired.

There are also logical evidence files (LEF), usually constructed during a preview.

The local sources for acquisitions create E01s.

Local sources include:
- Local drives (using a write blocker)
- Palm Pilot
- Network crossover (LinEn)
- Local devices (LinEn disk-to-disk)


Evidence files are added through the interface. The evidence files involved include those created by a LinEn disk-to-disk acquisition. You can add evidence files initially created for other cases to the currently opened case as well.

A network crossover acquisition involves both LinEn and the EnCase application.

LinEn disk-to-disk acquisitions create evidence files safely in the Linux environment without using a write blocker.

Dragging and dropping a file results in the file being added as a single file, rather than an evidence file. When an evidence file is dragged and dropped, it is added to the case as an evidence file.

Performing a Typical Acquisition
A typical acquisition consists of a local device acquisition using Windows and a FastBloc write blocker.

Acquisition Wizard
Use the Acquisition wizard to perform acquisitions.

Before acquiring a device's content, the device must be added to the case using the Add Device wizard.

The Acquisition wizard captures the specifications for the acquisition. The wizard contains the following pages:
- After Acquisition page
- (Optional) Search page
- Options page

Each is explained in detail below.


After Acquisition Page
Use the After Acquisition page of the Acquisition wizard:
- To ease the acquisition of subsequent disks
- To enable search, hash, and signature analysis to launch automatically after the acquisition is completed
- To determine what happens to the new image
- To restart a cancelled acquisition

Acquire another disk enables the investigator to work through a series of acquisitions (typically floppy disk content) without adding a new device for each acquisition. When Acquire another disk is checked:
- Replace source device is disabled
- Search, Hash and Signature Analysis is enabled.

Search, Hash and Signature Analysis opens the Search page of the Acquisition wizard, where search, hash and signature analysis are defined, after clicking Next.

New Image File Group controls in this group determine how the newly acquired image is saved. The default is Replace source drive.

Do not add excludes the newly acquired image from the currently opened case.

Add to Case adds the newly acquired image in the case file associated with the device where the image was taken.

Replace a source device adds the newly acquired image to the case and removes the previewed device where the acquisition was made.


Restart Acquisition restarts a cancelled acquisition. If the acquisition was interrupted, but not cancelled, that acquisition cannot be restarted. When you check Restart Acquisition, Existing Evidence File and its associated browse button are enabled. The file containing the data from the cancelled acquisition is available to speed up the current acquisition. The incomplete set containing the cancelled file can be replaced with a set containing all the data.

Existing Evidence File contains the path and file name of the evidence file whose acquisition was cancelled earlier. The existing evidence file is replaced by the acquisition in progress.

Existing Evidence File Browse opens the Windows file system browser to capture the path and file name of the existing evidence file.

Search Page
Use the Search page of the Acquisition wizard to:
- Search the entire case
- Define a keyword search
- Define an email search
- Compute hash values
- Verify file signatures
- Identify code pages
- Search for Internet history

Ultimately, these searches and analyses lengthen the acquisition time. For long acquisitions, these searches can be performed independently from the acquisition once the acquisition is complete.

Selected Items only acquires only those files you checked.

Keyword Search Options contains controls used to define a keyword search while the content of the device is acquired.


Search entries and records for keywords: executes a keyword search when checked. When unchecked, other checked functions are performed, but the keyword search is not. This allows you to run a signature analysis or a hash analysis without running a keyword search. This option also enables:
- Selected keywords only
- Search entry slack
- Use initialized size
- Undelete entries before searching
- Search only slack area of entries in Hash Library

Selected keywords only restricts the number of keywords used during the keyword search to the number of keywords specified (shown in Number of Keywords).

Search entry slack includes file slack in the keyword search.

Use initialized size uses the initialized size of the device during the keyword search.

Undelete entries before searching undeletes deleted files before they are searched for keywords.

Search only slack area of files in Hash Library determines whether the slack areas of the files included in the hash library are searched.

Hash Options contains controls used to compute hash values.

Compute hash value determines whether a hash value is computed.

Recompute hash value determines whether a hash value is recomputed. When you recompute the hash values, they are recomputed even if hash values are already present.

Email Search Options contains controls used to define an email search performed while acquiring the content of the device.

Search for email performs an email search. This option also enables controls that determine the type of email sought.

Recovered deleted determines whether deleted email that remains in the PST file since the last compact operation is recovered.

Outlook (PST) includes .pst files in the search.

Outlook Express (DBX) includes .dbx files in the search.

Exchange (EDB) includes .edb files in the search.

Lotus (NSF) includes .nsf files in the search.

AOL includes AOL email files in the search.

MBOX includes MBOX email files in the search.

Additional Options contains controls that determine additional analysis to perform on the content being acquired.


Verify file signatures authenticates file signatures during the acquisition.

Identify code page: If you check this option, the software attempts to determine the code page of each file, then saves those code pages for later use in the view pane when the file contents are displayed.

Search for internet history finds Internet history files during the acquisition.

Options Page
The Options page of the Acquisition wizard defines the metadata and various aspects of the image generated by the acquisition, which constitutes the EnCase evidence.

Name contains the name of the EnCase Evidence File that contains the image resulting from the acquisition of the underlying device.

Evidence Number contains the investigator-assigned number for the EnCase evidence file produced by the acquisition in progress.

Notes contains the investigator's notes regarding this EnCase evidence file.

File Segment Size specifies the file segment size of the evidence files. It is useful for controlling the size of evidence files.

Start Sector specifies the first sector of the content you want to acquire.

Stop Sector specifies the last sector of the content you want to acquire.

Password determines if the EnCase evidence file is password protected, and what password is used. Entering a password enables Confirm Password. This password cannot be reset.

Block size determines the block size of the contents where CRC values are computed.


Error granularity determines the portion of the block that is zeroed out if an error is encountered. The error granularity will be at the most the same value as Block size, or an even fraction of Block size.

Acquisition MD5 generates an MD5 file hash.

Acquisition SHA1 generates an SHA1 file hash.

Quick reacquisition allows you to quickly reacquire in order to change the file segment size, or to apply or remove a password.

Read Ahead reads the acquired content, so that errors can be detected before the block is acquired, or CRCs are calculated and hashed.

Output Path determines the path and file name where the EnCase evidence file resulting from the acquisition is written.

Alternate Path contains the path and file name of an alternative destination volume where the EnCase evidence file is stored if the first location runs out of disk space.
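How Block size, Error granularity, Start/Stop Sector and the acquisition hashes interact, modelled as an added Python example (not EnCase code and not the E01 file format): sectors are read in blocks, each block gets a CRC, a read error zeroes out only the granule containing the bad sector, and MD5/SHA1 run over the acquired stream. The 512-byte sector, CRC32 as the block checksum and the sample device are assumptions for illustration.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import Callable, List, Tuple

SECTOR_SIZE = 512   # assumed sector size


@dataclass
class AcquiredBlock:
    first_sector: int
    data: bytes
    crc32: int
    zeroed: List[Tuple[int, int]]   # (first sector, sector count) of each zeroed granule


def acquire(read_sector: Callable[[int], bytes], start_sector: int, stop_sector: int,
            block_sectors: int = 64, granularity_sectors: int = 64):
    """Read sectors start..stop inclusive in blocks of block_sectors, storing a CRC per
    block and running MD5 and SHA1 over the whole acquired stream.

    A read error zeroes out the granule (granularity_sectors) that contains the bad
    sector, so a smaller granularity preserves more of a damaged block. Granularity
    must equal the block size or be an even fraction of it.
    """
    if granularity_sectors > block_sectors or block_sectors % granularity_sectors:
        raise ValueError("Error granularity must equal Block size or be an even fraction of it")
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    blocks = []
    for first in range(start_sector, stop_sector + 1, block_sectors):
        last = min(first + block_sectors, stop_sector + 1)   # exclusive
        buf = bytearray()
        zeroed = []
        for g in range(first, last, granularity_sectors):
            g_end = min(g + granularity_sectors, last)
            granule = bytearray()
            try:
                for s in range(g, g_end):
                    granule += read_sector(s)
            except IOError:
                # Whatever was read of this granule is discarded; the granule is zero-filled.
                granule = bytearray(SECTOR_SIZE * (g_end - g))
                zeroed.append((g, g_end - g))
            buf += granule
        data = bytes(buf)
        md5.update(data)
        sha1.update(data)
        blocks.append(AcquiredBlock(first, data, zlib.crc32(data) & 0xFFFFFFFF, zeroed))
    return blocks, md5.hexdigest(), sha1.hexdigest()


def verify_blocks(blocks) -> bool:
    """Re-check every stored block CRC, as done when the file is verified after acquisition."""
    return all(zlib.crc32(b.data) & 0xFFFFFFFF == b.crc32 for b in blocks)


def hash_blocks(blocks) -> str:
    """Recompute the device-level MD5 over the stored blocks; it must match the acquisition MD5."""
    md5 = hashlib.md5()
    for b in blocks:
        md5.update(b.data)
    return md5.hexdigest()


def sample_device(bad_sectors):
    """Constructed sample device: sector n is filled with byte n % 256; listed sectors fail to read."""
    def read_sector(n):
        if n in bad_sectors:
            raise IOError(f"read error at sector {n}")
        return bytes([n % 256]) * SECTOR_SIZE
    return read_sector
```

With a 64-sector block and an 8-sector granularity, one bad sector costs 8 sectors of the block; with the granularity equal to the block size the whole block is zeroed.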

Acquisition Results Dialog
This dialog displays while an acquisition is performed.

- Console sends the status messages displayed in the dialog to the Console tab of the view.
- Note writes the contents of the status message into a bookmark note containing the device and EnCase evidence file being acquired.
- Log Record adds the status messages displayed to a bookmark log record.

Opening the Acquisition Wizard
Open the case associated with the EnCase evidence file before you acquire an EnCase evidence file. The device from which the content is acquired must already be added to the case.


1. To reach the Entries tree, in the Tree pane, click Cases > Entries > Home. The Entries tree displays in the Tree pane.
2. In the Entries tree, highlight the desired device.
3. Right-click the highlighted device object.
4. Click Acquire. The Acquisition wizard opens.

Specifying and Running an Acquisition
This completes creation of an EnCase Evidence File.
1. Open the After Acquisition page of the Acquisition wizard.

2. As needed, change the default settings on the After Acquisition page as described in Completing the After Acquisition Page of the Acquisition Wizard.
3. Click Next. If you selected Search, Hash and Signature Analysis, the Search page of the Acquisition wizard appears. Otherwise, the Options page of the Acquisition wizard appears.
4. If the Search page displayed, as needed:
   - Change the default settings on the Search page, described in Completing the Search Page of the Acquisition Wizard.
   - Click Next. The Options page of the Acquisition wizard displays.
5. As needed:
   - Change the default settings on the Options page, described in Completing the Options Page of the Acquisition Wizard.
   - Click Finished. The acquisition begins.
   If the file is to be saved in the case, the CRCs are verified, and any after-acquisition processing is performed. The thread statuses for the acquisition, verification, and post-processing are displayed as the processes execute. Once the processes are complete, the results dialog appears. While the acquisition is running, the acquisition can be cancelled (see Cancelling an Acquisition).
Note: The evidence file containing both the content of the device and its associated metadata is saved as determined by the New Evidence File on the After Acquisition page of the Acquisition Wizard.


Completing the After Acquisition Page of the Acquisition Wizard
This page of the Acquisition wizard specifies the actions taken once the content has been acquired, but before the acquisition is completed.

To define actions after the acquisition:
1. If additional disks are to be acquired after this acquisition, select Acquire another disk. When Acquire another disk is acquired, the image associated with that disk is added to the case, and the New Image File value is set to reflect this.
2. If the content being acquired is to be searched, hashed, or analyzed for signatures, select Search, Hash and Signature Analysis.
3. Click Next. The Search page of the Acquisition Wizard displays.
4. In New Image File, click on the appropriate disposition of the file containing the acquired image.
5. If you want to restart a cancelled acquisition:
   a. Select Restart Acquisition.
   b. Browse to or enter the file name and path of the EnCase evidence file containing the partial acquisition to be restarted.
   Note: You can calculate a SHA-1 hash upon restarting the acquisition. Click the Acquisition SHA1 checkbox.
6. Click Finish.

If you selected Search, Hash and Signature Analysis, the Search page of the Acquisition wizard displays; otherwise, the Options page displays.


Completing the Search Page of the Acquisition Wizard
This page defines the searches, hashing, and additional analysis performed as part of the acquisition after the content is acquired. Open the Acquisition Wizard to the Search page.

To define the analysis processing as part of the acquisition:
1. Do the following as required:
   - To search all the content of devices associated with the case, not just the content of the device you are acquiring, click Search entire case.
   - To perform a keyword search, click the Search entries and records for keywords checkbox, then click the checkboxes for the Keyword Search Options you want.
   - To compute or recompute hash values, click the appropriate checkboxes in the Hash Options group box.
   - To perform an email search, click the Search for email checkbox, then click the checkboxes for the Email Search Options you want.
   - To verify file signatures, in Additional Options, click Verify File signatures.
   - To identify code pages, in Additional Options, click Identify code pages.
   - To search for internet history files, in Additional Options, click Search for internet history. The Comprehensive search checkbox is enabled. Click Comprehensive search to include file slack and unallocated space in your internet history search.
2. Click Next.

The Options page of the Acquisition wizard displays.


Completing the Options Page of the Acquisition Wizard
This page of the Acquisition Wizard specifies how the EnCase evidence file is built during the acquisition, and the disposition of that file after the acquisition is complete.

To define how the EnCase evidence file is built and output:
1. Accept the default values or enter or select alternative values.
2. Enter an Evidence Number and Notes.
3. If a hash has not been requested yet and you want one:
   - Click Acquisition MD5 to generate an MD5 file hash (checked by default).
   - Click Acquisition SHA1 to generate a SHA1 file hash.
4. If you might run out of storage space where you are storing the acquired device, specify additional storage by browsing to or entering a path and file name in Alternate Path.
5. Click Finish. The acquisition starts, and the Thread Status line appears at the bottom right corner of the main window displaying the status of the thread performing the acquisition. You can cancel the acquisition during processing (see Cancelling an Acquisition).
6. When the Acquisition Results dialog displays a status of finished, select Console, Note, or Log Record.
7. Click OK.

The Acquisition Results dialog closes and the acquisition is complete.

Canceling an Acquisition
You can cancel an acquisition while it is running. After canceling, the acquisition can be restarted. However, if the acquisition ends without being cancelled, you cannot restart it.

To cancel an acquisition while it is running:
1. At the bottom right corner of the main window, double-click the Thread Status line. The Thread Status message box displays.
2. Click Yes. The Acquisition Results dialog displays showing cancelled status.
3. Click OK.

The acquisition is cancelled. You can restart it at a later time.

Verifying Evidence Files
Verify Evidence Files checks CRC values of selected files. It is a way to ensure that evidence is not tampered with. Verified CRC information is written out to a log file. If a CRC verification fails, a notification appears and you can log the error to the console, bookmark tab, or log file.
Acquire the evidence files.
1. Click Tools > Verify Evidence Files. The Verify Evidence Files file dialog opens.
2. Select one or more evidence files, then click Open.
3. When files are verified, a status report displays.
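The Python model below is an added illustration, not Guidance Software code, of what the Options page settings (Block size, Error granularity, Acquisition MD5/SHA1) and the Verify Evidence Files check amount to: a constructed device image is acquired in CRC blocks, only the error-granularity-sized chunk that fails to read is zeroed, the acquisition hashes are computed over what was actually stored, and every block CRC plus the hash is re-checked afterwards. The 512-byte sector size, the function names and the sample image are assumptions; the real EnCase evidence file layout is not reproduced.

```python
"""Model of block-wise acquisition with CRCs, error granularity and hashes.

Added example, not EnCase or Guidance Software code. It models the Options page
settings this page describes (Block size, Error granularity, Acquisition MD5 /
SHA1) and the per-block CRC check performed by Verify Evidence Files. The real
evidence-file layout is not reproduced; sector size and helper names are
assumptions.
"""
import hashlib
import zlib

SECTOR_SIZE = 512  # assumption: 512-byte sectors


def make_device(num_sectors, seed=7):
    """Constructed sample device image with varying, deterministic content."""
    out = bytearray()
    for s in range(num_sectors):
        out += bytes(((s * 31 + i * seed) & 0xFF) for i in range(SECTOR_SIZE))
    return bytes(out)


def read_sectors(device, first, count, bad_sectors):
    """Read sectors [first, first+count); simulate a drive error on bad sectors."""
    for s in range(first, first + count):
        if s in bad_sectors:
            raise IOError("read error at sector %d" % s)
    return device[first * SECTOR_SIZE:(first + count) * SECTOR_SIZE]


def acquire(device, block_size, error_granularity, bad_sectors=frozenset(),
            compute_md5=True, compute_sha1=False):
    """Acquire `device` in CRC blocks of `block_size` sectors.

    `error_granularity` (sectors) must be the block size or an even fraction of
    it, as the page states. When a block fails to read, it is re-read one
    granularity-sized chunk at a time and only the failing chunks are zeroed,
    so one bad sector costs `error_granularity` sectors, not a whole block.
    Returns a dict standing in for the evidence file.
    """
    if error_granularity > block_size or block_size % error_granularity:
        raise ValueError("error granularity must be block size or an even fraction of it")
    total = len(device) // SECTOR_SIZE
    blocks, crcs, zeroed = [], [], []
    md5 = hashlib.md5() if compute_md5 else None
    sha1 = hashlib.sha1() if compute_sha1 else None
    for start in range(0, total, block_size):
        count = min(block_size, total - start)
        try:
            data = read_sectors(device, start, count, bad_sectors)  # the read-ahead
        except IOError:
            data = bytearray()
            for sub in range(start, start + count, error_granularity):
                n = min(error_granularity, start + count - sub)
                try:
                    data += read_sectors(device, sub, n, bad_sectors)
                except IOError:
                    data += bytes(n * SECTOR_SIZE)  # zero only the unreadable chunk
                    zeroed.append((sub, sub + n))
            data = bytes(data)
        blocks.append(data)
        crcs.append(zlib.crc32(data) & 0xFFFFFFFF)  # per-block CRC
        if md5:
            md5.update(data)
        if sha1:
            sha1.update(data)
    return {
        "block_size": block_size,
        "blocks": blocks,
        "crcs": crcs,
        "md5": md5.hexdigest() if md5 else None,
        "sha1": sha1.hexdigest() if sha1 else None,
        "zeroed": zeroed,
    }


def image_bytes(evidence):
    """The acquired content, as it would be restored from the evidence file."""
    return b"".join(evidence["blocks"])


def verify(evidence):
    """Re-check every block CRC and the acquisition hash.

    Returns (failed_block_indices, hash_ok). An empty list and True mean the
    evidence file verifies; anything else indicates corruption or tampering.
    """
    failed = [
        i for i, (data, crc) in enumerate(zip(evidence["blocks"], evidence["crcs"]))
        if zlib.crc32(data) & 0xFFFFFFFF != crc
    ]
    hash_ok = True
    if evidence["md5"] is not None:
        hash_ok &= hashlib.md5(image_bytes(evidence)).hexdigest() == evidence["md5"]
    if evidence["sha1"] is not None:
        hash_ok &= hashlib.sha1(image_bytes(evidence)).hexdigest() == evidence["sha1"]
    return failed, hash_ok


if __name__ == "__main__":
    device = make_device(100)
    ev = acquire(device, block_size=64, error_granularity=8, bad_sectors={70},
                 compute_sha1=True)
    print("blocks:", len(ev["blocks"]), "zeroed sector ranges:", ev["zeroed"])
    print("verify:", verify(ev))
    ev["blocks"][1] = b"X" + ev["blocks"][1][1:]  # tamper with one byte
    print("verify after tampering:", verify(ev))
```

Note that the hashes cover the zeroed chunks as stored, so a later verification of the same file still passes; only a change made after acquisition shows up as a CRC or hash failure.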

Acquiring a Local Drive
Before you begin, verify that the local drive to be acquired was added to the case.
1. To protect the local machine from changing while its content is being acquired, use a write blocker. See Using a Write Blocker (on page 169).
2. Verify that the device being acquired is shown in the Tree pane or the Table pane as write protected. See Live Device and FastBloc Indicators (on page 145).
3. Perform the acquisition. See Specifying and Running an Acquisition (on page 161).
4. The drive is acquired.

Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCase applications can detect and image DCO and/or HPA areas on any ATA-6 or higher level disk drive. These areas are detected using LinEn (Linux) or the FastBloc SE module. EnCase applications running in Windows with a hardware write blocker will not detect DCOs or HPAs.
EnCase applications using:
- FastBloc SE
- LinEn, when the Linux distribution used supports Direct ATA mode

The application now shows if a DCO area exists in addition to the HPA area on a target drive. FastBloc SE is a separately purchased component.
HPA is a special area located at the end of a disk. It is usually configured so the casual observer cannot see it, and it can only be accessed by reconfiguring the disk. HPA and DCO are extremely similar: the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a removed HPA at reboot. When supported, EnCase applications see both areas if they coexist on a hard drive. For more information, see the EnCase Modules Manual.


Using a Write Blocker
Write blockers prevent inadvertently or intentionally writing to an evidence disk. Their use is described in these sections:
- Windows-based Acquisitions with FastBloc Write Blockers
- Acquiring in Windows Without FastBloc
- Windows-based Acquisitions with a non-FastBloc Write Blocker

FastBloc supports AMD 64-bit architecture. By replacing the existing IDE and SCSI controller driver with the new Guidance driver, only read-only requests are sent to the attached hard drives.
The FastBloc SE Module can be used with devices equipped with the Promise SATA cards:
- 300 TX4302
- 300 TX4
- 300 TX2 PLUS

There is also support for the AMD Athlon 64 processor, and for systems running Microsoft Windows XP 64-bit edition, and Microsoft Windows Server 2003 64-bit edition.

Windows-based Acquisitions with FastBloc Write Blockers
The following write blockers are supported in EnCase Forensic:
- FastBloc FE
- FastBloc2 FE v1
- FastBloc2 FE v2
- FastBloc LE
- FastBloc2 LE
- FastBloc3 FE

Computer investigations require a fast, reliable means to acquire digital evidence. FastBloc Lab Edition (LE) and FastBloc Field Edition (FE) (hereafter referred to as FastBloc) are hardware write-blocking devices that enable the safe acquisition of subject media in Windows to an EnCase evidence file. Before FastBloc was developed, non-invasive acquisitions were exclusively conducted in cumbersome command-line environments.
The hardware versions of FastBloc are not standalone products. When attached to a computer and a subject hard drive, FastBloc provides investigators with the ability to quickly and safely preview or acquire data in a Windows environment. The unit is lightweight, self-contained, and portable for easy field acquisitions, with on-site verification immediately following the acquisition.
FastBloc SE is a software version of this product.

Acquiring in Windows without a FastBloc Write Blocker
Never acquire hard drives in Windows without FastBloc, because Windows writes to any local hard drive visible to it. Windows will, for example, put a Recycle Bin file on every hard drive that it detects and will also change Last Accessed date and time stamps for those drives.
Media that Windows cannot write to is safe to acquire from within Windows, such as CD-ROMs, write-protected floppy diskettes, and write-protected USB thumb drives.


Windows-based Acquisitions with a non-FastBloc Write Blocker
EnCase applications cannot recognize the presence of any hard drive write blocker other than FastBloc. For that reason, EnCase will report that the subject hard drive is not protected, when it might be. Users of non-FastBloc write blockers are encouraged to test their equipment and become familiar with their capabilities.

Tableau Write Blocker Support
Support for the Tableau write blocker device enables EnCase to:
- Identify a device connected through the Tableau device as write blocked.
- Access the Host Protected Area (HPA) and access, via removing, the Device Configuration Overlay (DCO) area of a drive using the Tableau device.
Note: EnCase does not support access of DCO areas via EnScript. By default, HPA is automatically disabled on the device.

To add a Tableau device:
1. Attach Tableau hardware with a device you want write blocked.
2. Open a new case in EnCase.
3. Click Add Device.
4. Select Local Drives, then click OK.
5. Available Tableau devices display in the View pane with a bullet in the Write Blocked column.
6. Select the Tableau device(s), then click Next. If you do not have a DCO device, the Preview Devices dialog displays (see below).
7. If EnCase detects Tableau blocked devices with DCO in use, the Remove DCO Area dialog displays.
   Note: This dialog displays only if you have a DCO partition on your drive. Perform the following steps only if you have a DCO partition on your drive.
8. Click the checkbox next to the device(s) where you want to remove DCO, then click Next.
9. A dialog with a status bar displays.
10. Turn off the Tableau device. Leave it off for at least one minute.
11. Turn the Tableau device back on.
12. When EnCase finishes removing the DCO area, the Preview Devices dialog displays.
13. Preview the device(s) in EnCase.

Report information shows any device acquired through Tableau as Write Blocked Tableau.


Performing a Drive-to-Drive Acquisition Using LinEn
Once LinEn is set up, run LinEn, choose Acquire, then select the drive to be acquired and the storage path. Optionally, provide additional metadata.
LinEn was configured as described in LinEn Setup, and autofs is disabled (cleared). The investigator identifies the subject drive to be acquired and the storage drive that will hold the acquired evidence file.
1. If the FAT32 storage partition to be acquired has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type ./linen in the console to run LinEn. The LinEn Main Screen displays.
3. Choose Acquire. The Acquire screen displays.
4. Choose the physical drive or logical partition you wish to acquire. The Acquire Device <drive> dialog displays.
5. For the data elements requested by the Acquire dialog, either accept the default when provided, or enter a value or choose one of the alternatives (see the Specifying and Running an Acquisition section), and then press Enter. The Acquire Device dialog requests additional data values until all data elements are entered or selected. Then the Creating File dialog appears.
6. When the acquisition is complete, click OK. The LinEn main window appears. The subject was acquired and is stored on the storage drive.
7. Connect the storage drive to the investigator's machine.
8. Add the EnCase evidence file using the Sessions Sources page of the Add Device Wizard (see Completing the Sessions Sources Page).

Acquiring a Disk Running in Direct ATA Mode
If the Linux distribution supports the ATA mode, you will see a Mode option. The mode must be set before the disk is acquired. An ATA disk can be acquired via the drive-to-drive method. The ATA mode is useful for cases when the evidence drive has a Host Protected Area (HPA) or drive control overlay (DCO). Only Direct ATA Mode can review and acquire these areas.
Ensure LinEn is configured as described in LinEn Setup Under SUSE (on page 487), and autofs is disabled (cleared). Linux is running in Direct ATA Mode.
1. If the FAT32 storage partition to be acquired has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type ./linen in the console. The LinEn Main Screen appears.
3. Select Mode, then select Direct ATA Mode. You can now acquire the disk running in ATA mode.
4. Continue the drive-to-drive acquisition with Step 3 of Performing a Drive-to-Drive Acquisition Using LinEn (on page 176).


User Security ID (SID) for Single Files
EnCase acquires attributes for single files and displays them in these columns in Entry view:
- Description: file attributes such as Read Only, Hidden, System, Archive, Compressed, and Encrypted.
- Entry Modified: the date when the file was last modified.
- Permissions: the file's permissions and security settings.

Acquiring a PalmPilot
Before you begin:
- The PalmPilot is not yet added to the case
- The examination machine is booted into Windows
- EnCase is running

1. Put the PalmPilot or Handspring PDA in its cradle, and attach the cradle cable to a USB or serial port on the examination machine.
2. Turn on the PDA, then, to put the PDA in console mode:
   a. On the left side of the graffiti area, use the stylus to write a lowercase cursive L followed by two dots.
   b. On the right side of the graffiti area, write a 2.

The PDA is in console mode.


On the Sources page of the Add Device Wizard:
1. In the Tree pane, click Local.
2. In the Table pane, click the checkbox for PalmPilot.
3. If other devices are to be acquired in this acquisition, continue defining devices (see Completing the Sources Page on page 152), or click Next. The Choose Devices dialog opens.
4. In the Table pane, select the entry for the PalmPilot device and any other devices to be acquired during this acquisition, and click Next. The Preview Devices dialog opens.
5. In the Table pane, select the entry for the PalmPilot device, and any other devices to be acquired during this acquisition, and click Finish. In the Cases > Entry > Home tab of the main window, the PalmPilot to be acquired displays in the Entry tree.
6. Right-click the PalmPilot object in the Entry tree, and click Acquire. The After Acquisition dialog opens.
7. Continue the acquisition from Step 1 of Specifying and Running an Acquisition (on page 161).
8. When the Acquisition Results dialog closes, the acquisition is complete.

Leaving Console Mode
To leave console mode, you must do a soft reset on the PalmPilot. Turning the PalmPilot off and back on does not take it out of console mode, and leaving it in console mode causes the battery to drain faster than usual.
To leave console mode:
1. Locate the small hole on the back of the PalmPilot labeled RESET.
2. Press the tip of a pen into the hole.

Acquisition Times
Initially, previewing a serial PalmPilot PDA may be slow because standard serial ports transfer data at a maximum speed of 115 kbps. The preview and acquisition of a PalmPilot Vx, for example, takes between 30 and 40 minutes. USB PalmPilots will be faster: in acquisition tests, a 12 MB m500 took four minutes to preview and 16 minutes to acquire. However, after the first keyword search on a previewed device, all other processes accessing the evidence file will be fast, as the entire evidence file is cached in memory.

Acquiring Non-local Drives
The acquisition of non-local drives involves LinEn, which acquires these drives by performing a network crossover acquisition. When you use the LinEn utility to acquire a disk through a disk-to-disk acquisition, the resulting EnCase evidence file must be added to the case using the Add Device Wizard.


When to use a Crossover Cable
Use a crossover cable when acquiring from a laptop, RAIDs, or drives not recognized by the host machine. You can also use the crossover cable to preview.

Performing a Crossover Cable Preview or Acquisition
Make sure you have a LinEn boot disk.
1. Boot the subject machine from the LinEn boot disk.
2. Connect the forensic machine to the subject machine using a crossover cable.
3. In Linux, ensure that the subject machine has an IP address assigned and a NIC card loaded appropriately:
   a. Type ifconfig eth0
   b. If no IP address is assigned, assign one by typing ifconfig eth0 10.0.0.1 netmask 255.0.0.0
   c. Check the IP address assignment again by typing ifconfig eth0
4. Navigate to the folder where LinEn resides and type ./linen in the console. The LinEn Main Screen displays.
5. Select Server, and press Enter. The message Waiting to connect displays.
6. On the forensic machine, specify an IP address of 10.0.0.1 for the subject machine.
7. Launch EnCase on the forensic machine.
8. Create a new case, or open an existing case.
9. Right-click on the Devices object and click Add Device.
10. Select Network Crossover and click Next.
11. Select the physical disk or logical partition to acquire or preview and click Next.
12. Click Finish.

The contents of the selected device reached through the network crossover connection are previewed. To acquire the content, perform an acquisition. See Specifying and Running an Acquisition on page 161.

Acquiring Disk Configurations
Guidance Software uses the term disk configuration instead of RAID. A software disk configuration is controlled by the operating system software, whereas a controller card controls a hardware disk configuration. In a software disk configuration, information pertinent to the layout of the partitions across the disks is located in the registry or at the end of the disk, depending on the operating system; in a hardware disk configuration, it is stored in the BIOS of the controller card. With each of these methods, you can create six disk configuration types:
- Spanned
- Mirrored
- Striped
- RAID 5
- RAID 10
- Basic

Software RAID
EnCase applications support these software RAIDs:
- Windows NT: see Windows NT Software Disk Configurations on page 184
- Windows 2000: see Dynamic Disk on page 185
- Windows XP: see Dynamic Disk on page 185
- Windows 2003 Servers: see Dynamic Disk on page 185


Windows NT Software Disk Configurations
In a Windows NT file system, you can use the operating system to create different types of disk configurations across multiple drives. The possible disk configurations are:
- Spanned
- Mirrored
- Striped
- RAID 5
- Basic

The information detailing the types of partitions and the specific layout across multiple disks is contained in the registry of the operating system. EnCase applications can read this registry information and resolve the configuration based on the key. The application can then virtually mount the software disk configuration within the EnCase case.
There are two ways to obtain the registry key:
- Acquiring the drive
- Backing up the drive

Acquire the drive containing the operating system. It is likely that this drive is part of the disk configuration set, but in the event it is not (such as the disk configuration being used for storage purposes only), acquire the OS drive and add it to the case along with the disk configuration set drives.
To make a backup disk on the subject machine, use Windows Disk Manager and select Backup from the Partition option. This creates a backup disk of the disk configuration information, placing the backup on a floppy disk. You can then copy the file into your EnCase application using the Single Files option, or acquire the floppy disk and add it to the case. The case must have the disk configuration set drives added to it as well. This situation only works if working with a restored clone of a subject computer. It is also possible a registry backup disk is at the location.


Right-click the evidence file that contains the key and select Scan Disk Configuration. At this point, the application attempts to build the virtual devices using information from the registry key.

Dynamic Disk
Dynamic Disk is a disk configuration available in Windows 2000, Windows XP and Windows 2003 Server. The information pertinent to building the configuration resides at the end of the disk rather than in a registry key. Therefore, each physical disk in this configuration contains the information necessary to reconstruct the original setup. EnCase applications read the Dynamic Disk partition structure and resolve the configurations based on the information extracted.
To rebuild a Dynamic Disk configuration, add the physical devices involved in the set to the case and, from the Cases tab, right-click on any of the devices and choose Scan Disk Configuration.
If the resulting disk configurations seem incorrect, you can manually edit them via the Edit command in the Devices tab.


Hardware Disk Configuration
Hardware disk configurations can be acquired:
- as one drive
- as separate drives

Both RAID 5 and RAID 10 can be acquired.

Disk Configuration Set Acquired as One Drive
Unlike software disk configurations, those controlled by hardware contain the necessary configuration information in the card's BIOS. Because the disk configuration is controlled by hardware, EnCase cannot reconstruct the configurations from the physical disks. However, since the pertinent information to rebuild the set is contained within the controller, the computer (with the controller card) actually sees a hardware disk configuration as one (virtual) drive, regardless of whether the set consists of two or more drives. Therefore, if the investigator acquires the set in its native environment, the disk configuration can be acquired as one drive, which is the easiest option. The best method for performing such an acquisition is to conduct a crossover network cable acquisition.
Note: The LinEn boot disc for the subject computer needs to have Linux drivers for that particular RAID controller card.

To acquire the set:
1. Keep the disk configuration intact in its native environment.
2. Boot the subject computer with an EnCase Network Boot Disk.
3. Launch the LinEn utility.
   Note: The BIOS interprets the disk configuration as one drive, so EnCase applications will as well. The investigator sees the disk configuration as one drive.
4. Acquire the disk configuration as you normally acquire a single hard drive, depending on the means of acquisition. Parallel port, crossover network cable, or drive-to-drive acquisition is straightforward, as long as the set is acquired as one drive.

If the physical drives were acquired separately, or could not be acquired in the native environment, EnCase applications can edit the hardware set manually.

Disk Configurations Acquired as Separate Drives
Sometimes acquiring the hardware disk configuration as one drive is not possible, or the method of assembling a software disk configuration seems incorrect. Editing a disk configuration requires this information:
- Stripe size
- Start sector
- Length per physical disk
- Whether the striping is right-handed

You can collect this data from the BIOS of the controller card for a hardware set, or from the registry for software sets.


When a RAID 5 consists of three or more disks and one disk is missing or bad, the application can still rebuild the virtual disk using parity information from the other disks in the configuration, which is detected automatically during the reconstruction of hardware disk configurations using the Scan Disk Configuration command.
When rebuilding a RAID from the first two disks, results from validating parity are meaningless, because you create the parity to build the missing disk.
To acquire a disk configuration set as one disk:
1. Add the evidence files to one case.
2. View Cases > Subtabs > Devices.
3. Right-click any evidence file row and select Edit Disk Configuration. The Disk Configuration dialog displays.
4. In Disk Configuration, right-click on the appropriate disk configuration, then click New.
5. Enter the start sector and size of the selected disk configuration, then click OK.

Validating Parity on a RAID 5
The Validate Parity command checks the parity of the physical disks used to assemble the RAID 5. Thus, if the RAID 5 was rebuilt with a missing disk, this feature will not work.
To check the parity:
1. From the Cases tab, right-click the RAID 5 volume icon, then click Validate Parity.
2. The validation process status displays in the Thread Status line at the bottom right of the EnCase main window.
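The Python model below is an added illustration, not EnCase code, serving both the Disk Configurations Acquired as Separate Drives section and this one: it shows what the stripe size, start sector, length per physical disk and right-handed setting mean when member-disk images are reassembled, how a single missing member is rebuilt by XOR of the others, and why Validate Parity is meaningless on a set whose missing disk was rebuilt that way. Assumptions (real controllers vary): 512-byte sectors, "right-handed" meaning the parity stripe moves to the next higher disk on each stripe row, data stripes filling the remaining disks in ascending order, and the function names and sample volume.

```python
"""RAID 5 reassembly, missing-disk rebuild and parity validation.

Added example, not EnCase or Guidance Software code. It models the values the
page says you need to edit a disk configuration (stripe size, start sector,
length per physical disk, whether striping is right-handed) and what Validate
Parity checks. Assumptions: 512-byte sectors; "right-handed" means the parity
stripe moves to the next higher disk on each stripe row (next lower disk when
left-handed); data stripes fill the remaining disks in ascending order.
"""

SECTOR_SIZE = 512


def parity_disk(row, num_disks, right_handed):
    """Index of the member disk holding parity for stripe row `row`."""
    if right_handed:
        return row % num_disks
    return (num_disks - 1 - row) % num_disks


def xor_blocks(blocks):
    """XOR equal-length byte strings together (RAID 5 parity)."""
    n = len(blocks[0])
    acc = 0
    for b in blocks:
        if len(b) != n:
            raise ValueError("stripe lengths differ")
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(n, "big")


def make_raid5(volume, num_disks, stripe_sectors, start_sector, right_handed):
    """Construct member-disk images from a logical volume (sample data only).

    Each member gets `start_sector` sectors of filler before the set starts,
    standing in for whatever the controller keeps ahead of the data."""
    row_bytes = stripe_sectors * SECTOR_SIZE
    data_per_row = (num_disks - 1) * row_bytes
    if len(volume) % data_per_row:
        raise ValueError("volume must be a whole number of stripe rows")
    disks = [bytearray(b"\xAA" * (start_sector * SECTOR_SIZE)) for _ in range(num_disks)]
    for row in range(len(volume) // data_per_row):
        p = parity_disk(row, num_disks, right_handed)
        chunk = volume[row * data_per_row:(row + 1) * data_per_row]
        stripes = [chunk[i * row_bytes:(i + 1) * row_bytes] for i in range(num_disks - 1)]
        data_disks = [d for d in range(num_disks) if d != p]
        for d, s in zip(data_disks, stripes):
            disks[d] += s
        disks[p] += xor_blocks(stripes)
    return [bytes(d) for d in disks]


def build_raid5(disks, stripe_sectors, start_sector, length_sectors, right_handed):
    """Reassemble the virtual RAID 5 volume from complete member images."""
    num_disks = len(disks)
    row_bytes = stripe_sectors * SECTOR_SIZE
    out = bytearray()
    for row in range(length_sectors // stripe_sectors):
        p = parity_disk(row, num_disks, right_handed)
        off = (start_sector + row * stripe_sectors) * SECTOR_SIZE
        for d in range(num_disks):
            if d != p:  # skip the parity stripe, keep data stripes in disk order
                out += disks[d][off:off + row_bytes]
    return bytes(out)


def rebuild_missing(disks):
    """Rebuild the single missing member (None) as the XOR of all the others.

    Works for any parity rotation because every offset across the set XORs
    to zero; with two or more members missing the set cannot be rebuilt."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError("exactly one missing disk can be rebuilt from parity")
    rebuilt = list(disks)
    rebuilt[missing[0]] = xor_blocks([d for d in disks if d is not None])
    return rebuilt


def validate_parity(disks, stripe_sectors, start_sector, length_sectors):
    """Return the stripe rows whose members do not XOR to zero (empty = OK).

    As the page notes, this is meaningless for a set whose missing disk was
    rebuilt from parity: that disk was computed to make every row XOR to zero."""
    row_bytes = stripe_sectors * SECTOR_SIZE
    bad_rows = []
    for row in range(length_sectors // stripe_sectors):
        off = (start_sector + row * stripe_sectors) * SECTOR_SIZE
        if any(xor_blocks([d[off:off + row_bytes] for d in disks])):
            bad_rows.append(row)
    return bad_rows


if __name__ == "__main__":
    # constructed sample: 4 rows of 3 data stripes, 2 sectors per stripe
    volume = bytes(i % 251 for i in range(4 * 3 * 2 * SECTOR_SIZE))
    disks = make_raid5(volume, 4, 2, 1, right_handed=True)
    print("reassembled OK:", build_raid5(disks, 2, 1, 8, True) == volume)
    damaged = disks[:2] + [None] + disks[3:]
    print("rebuilt disk matches:", rebuild_missing(damaged)[2] == disks[2])
    print("parity problems:", validate_parity(disks, 2, 1, 8))
```

Reassembling with the wrong handedness yields a volume that does not match, which is the symptom the page describes when an assembled configuration "seems incorrect".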

RAID 10
RAID 10 arrays require at least 4 drives, implemented as a striped array of RAID 1 arrays.


Acquiring Virtual PC Images
With Microsoft Virtual PC 2004 you can run multiple PC-based operating systems simultaneously on one workstation. Users save images of these virtual PCs in a fashion similar to VMware. EnCase applications treat Microsoft Virtual PC 2004 images as devices to be submitted to the same investigation as physical devices. Virtual PC can create flat and sparse files, both of which are supported transparently by EnCase applications.
Add Virtual PC files via the Add Device Wizard. In the Wizard, navigate to the folder containing Virtual PC files (*.vhd) and add them as an EnCase evidence file.

CD/DVD Inspector File Support
EnCase applications support viewing files created using CD/DVD Inspector, a third-party product. Treat these files as single files when adding them, as zip files, or as composite files when using the file viewer. Drag single files into the application.

Acquiring SlySoft CloneCD Images
You can add raw CD-ROM images created using SlySoft CloneCD to a case. When adding these images, you can specify the pre-sector bytes, post-sector bytes and start byte of the image.

Acquiring a DriveSpace Volume
DriveSpace volumes are only recognized as such after they are acquired and mounted into a case. On the storage computer, mount the DriveSpace file as a volume, and then acquire it again to see the directory structure and files.
To acquire a DriveSpace volume:
1. A FAT16 partition must exist on the forensic PC where you will Copy/Unerase the DriveSpace volume. A FAT16 partition can only be created with a FAT16 OS (such as Windows 95).
2. Run FDISK to create a partition, then exit, reboot, and format the FAT16 partition using format.exe.
3. Image the DriveSpace volume.
4. Add the evidence file to a new case and search for a file named DBLSPACE.000 or DRVSPACE.000.
5. Right-click the file and copy/unerase it to the FAT16 partition on the storage computer.
6. In Windows 98, click Start > All Programs > Accessories > System Tools > DriveSpace.
7. Launch DriveSpace.
8. Select the FAT16 partition containing the compressed .000 file.
9. Select Advanced > Mount.
10. Select DRVSPACE.000 and then click OK, noting the drive letter assigned to it. The Compressed Volume File (.000) from the previous drive is now seen as folders and files in a new logical volume.
11. Acquire this new volume.
12. Create the evidence file and add it to your case.

You can now view the compressed drive.


Acquiring Firefox Cache in Records
This feature parses Mozilla Firefox cache data. The parser correctly extracts all available information by reading map files that contain information about a cache entry and where it is located.
When you select Search for Internet History from the Search dialog, the EnCase program searches for specific files and attempts to parse them as Mozilla Firefox cache files. When the search is complete, these columns are shown in the Table pane:
- Name
- Filter
- In Report
- Search Hits
- Additional Fields
- Message Size
- Creation Time
- Profile Name
- URL Name
- URL Host
- Browser Cache Type
- Browser Type
- Last Modification Time
- Message Code Page
- Last Access Time
- Expiration
- Visit Count
- Server Modified

Reacquiring Evidence
When you have a raw evidence file which originated outside an EnCase application, reacquiring it results in the creation of an EnCase evidence file containing the content of the raw evidence file.
You can move EnCase evidence files into a case even if they were acquired elsewhere. This does not require a reacquisition. Drag the files from Windows Explorer and drop them on the Sessions Sources page of the Add Device Wizard.
You may also want to reacquire an existing EnCase evidence file to change the compression settings or the file segment size.


Reacquiring an Evidence File
Before you begin:
- EnCase is open
- The file to be reacquired is included in the case
- The case is open

1. In the Tree pane, click Cases > Entries > Home. The Entries tree displays in the Tree pane.
2. Right-click the device to be reacquired, and click Acquire. The After Acquisition page of the Acquisition wizard displays.
3. Perform the acquisition (see Specifying and Running an Acquisition).
4. Pay particular attention to the disposition of the file:
   a. Use the New Image File controls on the After Acquisition page.
   b. Click Quick Reacquisition on the Options page of the Wizard.

The evidence file is reacquired.

Adding Raw Evidence Files
Reacquiring a raw evidence file embeds the file containing the image of the contents of a device with case metadata and, optionally, the hash value of that image.

Before you begin:
- You have a raw image file that can be accessed by the forensic machine
- A case is open

To acquire a raw evidence file:
1. In the Tree pane, click Cases > Entries > Home. The Entries tree displays in the Tree pane.
2. Click File > Add Raw Image. The Add Raw Image dialog displays.
3. Drag and drop the raw images to be acquired. The raw images to be added are listed in the Component Files list.
4. Accept the defaults in the Add Raw Image dialog or change them as desired, then click OK.

A Disk Image object appears in the Entries tree, which is on the Cases > Entries > Home tree pane.

Delayed Loading of Internet Artifacts
EnCase parses Internet artifacts and related data as a separate thread after the case loads. These artifacts and data include:
- Internet artifact records
- Selected and In Report settings
- Bookmarked Internet artifact records
- Search hits for Internet artifact records


A progress bar at the bottom right of the EnCase main window shows approximate time to completion.

A temporary folder named Internet Artifacts (Unresolved) displays in the Records tab and the Refresh button is activated. Click the Refresh button to load Internet artifacts already resolved.

Internet artifacts which have been bookmarked resolve after the records display in the tab, so you cannot view them until that time. However, you can see some basic information about an Internet artifact that was previously bookmarked.


The picture below shows that you can see the basic hierarchy and the name of the original entry, although the rest of the metadata displays only when the record is finally resolved and inserted into the Records tab.

Delayed Loading of Internet Artifacts FAQs
What happens if I cancel the Resolving Internet hits process?
The thread stops and the Internet Artifacts (Resolved) folder no longer displays. Any unresolved Internet artifacts do not display in the Records tab. There are two ways to retrieve the unresolved Internet artifacts:
- Close and reopen the case.
- Perform another search for Internet artifacts in the case.

Note: If you save the case after cancelling the Internet artifacts resolve thread, you will not lose any hits. You can still close and reopen the case, and all the previous hits will resolve again.

What happens if I perform a search for Internet artifacts while the Resolving Internet hits process is running?
The search for Internet artifacts will not begin until the Resolving Internet hits process finishes.
Note: This only occurs if you select the Search for Internet artifacts or Comprehensive search checkbox. If you do not select one of these options, the search thread runs simultaneously with the resolve thread.

What happens with bookmarks that point to Internet artifact records not yet resolved?
The bookmark displays basic information, such as the entry name and general location of the bookmark in that entry. When the Internet record eventually resolves, all the metadata fields are filled in and show in the Bookmark tab.


WillthelistofunresolvedInternetartifactsupdateintheRecordstab?
Thisisnotcurrentlysupported.TheentirelistremainsintheRecordstabuntilalltheInternetartifacts areresolved.ClickingRefreshonlyupdatestheresolvedlist,nottheunresolvedlist.

WhathappensifItrytobookmarkanunresolvedInternetartifact?
EnCasedoesnotallowthis.Anerrormessagedisplays,indicatingthatEnCasecannotbookmark anythingintheInternetArtifacts(Unresolved)folder.

WhatdoestheInternetArtifacts(Unresolved)folderdoandwhattypeofinformationdoesit provide?
ThisfolderdisplaysalistofallthestartingpointsforanypointonthediskwhereanInternetparser beginstolookforartifacts.Italsoprovidesgeneralinformationthenumberofartifacts,theentriesin whichtheyreside,andtheoffsetsintothoseentrieswheretheartifactsarelocated.

What happens to the saved Selected and In Report settings for Internet artifact records?
Selected and In Report settings for records unrelated to Internet artifacts (for example, mounted volumes, such as email) remain unchanged and load correctly with the case. However, since the Internet artifacts do not yet actually exist, all Selected and In Report settings are updated after all the Internet artifacts are resolved (or if you cancel the thread, in which case resolved Internet artifacts show in Selected/In Report).

What about mounted volumes (for example, Email) that display in the Records tab? Are those delay loaded as well?
No. All mounted volumes, such as email, which result with records in the Records tab, are still loaded before the case opens. So the tree structure, Selected, and In Report settings are loaded before the case opens and are independent of Internet artifact resolution.

What happens when an EnScript runs that accesses any Internet artifacts and their related, unresolved data?
EnCase has access to whatever you can currently see in the case. This means the script can see the unresolved Internet artifacts folder and the basic information about bookmarked records. Since all that data is preliminary and eventually will be updated, resolved, or removed, we recommend you not run EnScripts that access Internet artifact records and their related data until all the data is resolved.

Working with Evidence

Remote Acquisition
Setting up the remote acquisition, Examiner side:
1. Add the machine you want to acquire just as you would any other Enterprise node.
2. Click Next.
3. After you choose the machine, select the devices you want to acquire.
4. Click Next.
5. Right-click the device you want to acquire, then click Acquire.
6. Click Next until you reach the Options dialog.
7. Enter the remote acquisition information, including a valid Output Path.
8. Click the Remote acquisition checkbox.
9. Click Next.
10. Enter a Username and Password for the remote share.
11. Click Finish. The Acquire dialog displays.
12. Click OK.

Remote Acquisition Monitor
Use the Remote Acquisition Monitor to check the progress of the acquisition.
1. Double-click Remote Acquisition Monitor and enter the appropriate information.
2. Click OK.
3. The monitor connects to the machine and displays the acquisition's progress.

Setting Up the Storage Machine
This is basic Windows share setup.
1. In the Acquisition Properties dialog, select the Sharing tab.
2. Click the Share this folder radio button and enter a Share name.
3. Click Permissions.
4. The Permissions for Acquisition dialog displays. These settings vary, depending on your environment.
5. Set up the permissions you want, then click OK.
6. The shared folder looks like this:

Hashing
You can perform hashing before or after an acquisition, so an investigator can determine if the device should be acquired, or if the contents have changed. You must run a preview if working within the Windows version of EnCase (this is not necessary when hashing a drive using the LinEn utility).
Note: If you are hashing the device locally using Windows, a write blocking device, such as the FastBloc write blocker, prevents the subject device from changing. Hashing via a crossover network cable, or locally using the LinEn utility, is useful if a write blocking device is not available.

There are two ways to hash a drive:
- Using LinEn
- Hashing the subject drive once previewed or acquired

Hashing the Subject Drive Using LinEn
This allows the investigator to know the hash value of the drive.
Before you begin:
- LinEn is configured as described in the setup topics
- autofs is disabled
- The investigator has identified the subject drive to be hashed

To perform a hash using LinEn:
1. Navigate to the folder where LinEn resides and type ./linen in the console to run LinEn. The LinEn Main Screen displays.
2. Select Hash. The Hash dialog displays.
3. Select a drive, then click OK. The Start Sector dialog displays.
4. Accept the default or enter the desired Start Sector, then click OK. The Stop Sector dialog displays.
5. Accept the default or enter the desired Stop Sector, then click OK. The Hash Results dialog displays.
6. If you want the hash result to be written to a file, click Yes. If the hash value is to be saved to a file, the Save Hash Value to a File dialog appears; otherwise, the LinEn Main Screen displays.
7. Enter the path and file name of the file that will contain the hash value, then click OK. The hash value is saved and the LinEn Main Screen displays.

A hash value is calculated for the selected sectors of the selected file. If desired, this hash value is saved to a file.

Hashing the Subject Drive Once Previewed or Acquired
If you want to hash a device without leaving the Windows operating system, you can hash directly from EnCase. The device must be previewed or acquired.
1. On the Entries tab on the Tree pane, right-click the device you want to hash.
2. Select Hash.
3. Enter the following:
   a. Supply a Start Sector, or accept the default, which is the first sector of the device
   b. Supply a Stop Sector, or accept the default value, which is the last sector of the device
4. Click OK.
5. Select one of the following output formats:
   - Console: writes the results in the console tab
   - Note: writes the results as a note bookmark
   - Log Record: writes the results as a log record bookmark
6. Click OK.

Logical Evidence Files
A Logical Evidence File (LEF) contains a collection of individual files typically copied from a subject computer when previewing.
As you examine digital evidence, some of the evidence is more significant to the intent of the investigation. During the analysis of the EnCase evidence file, various searches are performed to find these significant files. By copying these significant files into a logical evidence file you can access them without handling the large volume contained in an EnCase evidence file.
Dragging and dropping a LEF anywhere on the EnCase interface adds the LEF to the currently opened case.

Create Logical Evidence File Wizard
Use this wizard to create logical evidence files associated with the currently opened case. The Create Logical Evidence File wizard contains three dialogs:
- Source
- Output
- Status

Source Dialog
- Source is the name of the parent device containing the file or files to include in the logical evidence file.
- Files contains the number of files and the total size of the file or files to include in the logical evidence file.
- Target folder within Evidence File is the name of the folder containing the files that comprise the logical evidence file.
- Include contents of files: if disabled, only the file name is known to the logical evidence file, and when the logical evidence file is opened, no data displays in the View pane.
- Hash Files determines whether the files comprising the logical evidence file are hashed as they are put into the logical evidence file.
- File in use is used only when Hash Files is also checked. It causes the hash to be computed when you actually read the file from the evidence, instead of using the hash that was calculated previously.
- Add to existing evidence file determines whether the files comprising the logical evidence file are added to an existing evidence file. When this control is enabled, Evidence File Path displays.
- Lock file when completed determines whether the logical evidence file is locked after creation.

Output Dialog
Use the Output dialog to specify metadata and output attributes of the logical evidence file.
- Name contains the name of the logical evidence file to be created.
- Evidence Number contains the investigator's evidence number for the logical evidence file to be created.
- File Segment Size contains the file segment size of the logical evidence file to be created.
- Compression contains controls that determine the compression used when creating the logical evidence file:
  - None means no compression is used when creating the logical evidence file.
  - Good: good compression is used to create a logical evidence file that is smaller than when no compression is used, but larger than when best compression is used.
  - Best: best compression is used to create a logical evidence file that is smaller than one created with good compression.
- Output Path contains the path and file name of the logical evidence file to be created.

Creating a Logical Evidence File
Open the case associated with the logical evidence file you want to create.
1. In the Tree pane, click Cases > Entries Home. The Entries tree displays in the Tree pane.
2. Select the files and folders to be associated with the logical evidence file.
3. Right-click the parent object on the Entry tree, and click Create Logical Evidence File. The Source dialog of the Create Logical Evidence File wizard displays.
4. Accept the default settings or enter desired values, then click Next. The Output dialog of the Create Logical Evidence File wizard displays.
5. Enter the appropriate values, and enter or browse to the path and file name of the logical evidence file to be created.
6. Click Finish.
7. The Status dialog displays.
8. Click OK.

Recovering Folders
The following types of folders can be recovered:
- Folders on FAT volumes, as described in Recovering Folders on FAT Volumes
- NTFS folders, as described in Recovering NTFS Folders
- UFS and EXT2/3 partitions, as described in Recovering UFS and EXT2/3 Volumes

Recover Folders on FAT Volumes
After adding an evidence file to a case, run Recover Folders on all FAT partitions by right-clicking on each device and selecting it. This command searches through the unallocated clusters of a specific FAT partition for the dot, double-dot signature of a deleted folder; when the signature matches, EnCase applications can rebuild files and folders that were within that deleted folder.

Note that in the picture, the C:\ drive device is selected in the background display.
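The dot / double-dot signature search that Recover Folders performs on FAT unallocated clusters, shown as an added Python example (this is not EnCase code and does not use the EnScript API). It scans constructed sample data cluster by cluster, accepts only cluster-aligned hits (a FAT subdirectory always begins at the start of a cluster, so an unaligned match is a fragment, not a recoverable folder), and decodes the 8.3 entries that follow so the deleted folder's contents can be listed. The 512-byte cluster size, the sample clusters and all function names are assumptions.

```python
import struct

ENTRY_SIZE = 32            # every FAT directory entry is 32 bytes
ATTR_DIRECTORY = 0x10
DELETED_MARK = 0xE5        # first name byte of an entry whose file was deleted
DOT = b"." + b" " * 10     # "."  entry name, 11 bytes
DOTDOT = b".." + b" " * 9  # ".." entry name, 11 bytes


def make_entry(name, attr, first_cluster, size=0):
    """Build one 32-byte FAT directory entry (used only for constructed test data).
    Layout: name(11) attr(1) ntres(1) crt_tenth(1) crt_time crt_date acc_date
    first_cluster_hi wrt_time wrt_date first_cluster_lo size(4)."""
    assert len(name) == 11
    return struct.pack("<11sBBBHHHHHHHI", name, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def _first_cluster(entry):
    hi = struct.unpack_from("<H", entry, 20)[0]
    lo = struct.unpack_from("<H", entry, 26)[0]
    return (hi << 16) | lo


def _short_name(raw):
    """Decode an 8.3 name; a deleted entry has its first byte replaced by 0xE5,
    so that character is unknown and is shown as '?'."""
    deleted = raw[0] == DELETED_MARK
    base = (b"?" + raw[1:8] if deleted else raw[:8]).decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    return (base + "." + ext if ext else base), deleted


def find_deleted_folders(data, cluster_size):
    """Return every cluster-aligned '.' + '..' directory start found in `data`,
    together with the entries that follow it in the same cluster."""
    folders = []
    for cluster in range(len(data) // cluster_size):
        off = cluster * cluster_size
        dot = data[off:off + ENTRY_SIZE]
        dotdot = data[off + ENTRY_SIZE:off + 2 * ENTRY_SIZE]
        if not (dot[:11] == DOT and dot[11] & ATTR_DIRECTORY
                and dotdot[:11] == DOTDOT and dotdot[11] & ATTR_DIRECTORY):
            continue
        children = []
        pos = off + 2 * ENTRY_SIZE
        while pos + ENTRY_SIZE <= off + cluster_size:
            entry = data[pos:pos + ENTRY_SIZE]
            if entry[0] == 0x00:          # 0x00 marks the end of the directory
                break
            name, deleted = _short_name(entry[:11])
            children.append({
                "name": name,
                "deleted": deleted,
                "is_dir": bool(entry[11] & ATTR_DIRECTORY),
                "first_cluster": _first_cluster(entry),
                "size": struct.unpack_from("<I", entry, 28)[0],
            })
            pos += ENTRY_SIZE
        folders.append({
            "offset": off,
            "cluster": cluster,
            "self_cluster": _first_cluster(dot),      # where the folder itself lived
            "parent_cluster": _first_cluster(dotdot), # 0 means the root directory
            "children": children,
        })
    return folders


def build_sample_unallocated(cluster_size=512):
    """Constructed sample: four clusters of 'unallocated' space.  Cluster 1 holds a
    deleted folder containing one deleted and one surviving entry, cluster 3 another
    folder, and cluster 2 an unaligned copy of the signature that must be ignored."""
    filler = bytes(range(256)) * (cluster_size // 256)
    folder1 = (make_entry(DOT, ATTR_DIRECTORY, 7)
               + make_entry(DOTDOT, ATTR_DIRECTORY, 0)
               + make_entry(b"\xe5EPORT  TXT", 0x20, 9, 1234)
               + make_entry(b"NOTES   DOC", 0x20, 12, 4096))
    folder1 += b"\x00" * (cluster_size - len(folder1))
    decoy = filler[:100] + make_entry(DOT, ATTR_DIRECTORY, 7) + make_entry(DOTDOT, ATTR_DIRECTORY, 0)
    decoy += filler[:cluster_size - len(decoy)]
    folder3 = (make_entry(DOT, ATTR_DIRECTORY, 20)
               + make_entry(DOTDOT, ATTR_DIRECTORY, 7)
               + make_entry(b"SUB        ", ATTR_DIRECTORY, 21))
    folder3 += b"\x00" * (cluster_size - len(folder3))
    return filler + folder1 + decoy + folder3


if __name__ == "__main__":
    for f in find_deleted_folders(build_sample_unallocated(), 512):
        print(f"cluster {f['cluster']} (offset {f['offset']}): folder cluster "
              f"{f['self_cluster']}, parent cluster {f['parent_cluster']}")
        for c in f["children"]:
            print("   ", "deleted" if c["deleted"] else "live   ", c["name"])
```

On a real volume the cluster size comes from the BIOS Parameter Block and the scan runs over the unallocated clusters only; a recovered folder's own entries may continue into further clusters, which this short version does not follow.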

Recovering NTFS Folders
EnCase applications can recover NTFS files and folders from Unallocated Clusters and continue to parse through the current Master File Table (MFT) records for files without parent folders. This is particularly useful when a drive has been reformatted or the MFT is corrupted. Recovered files are placed in the gray Recovered Folders virtual folder in the root of the NTFS partition.
To recover folders on an NTFS partition:
1. Right-click on the volume and select Recover Folders.
2. The Recover Folders message box opens to confirm that you want to scan the volume for folders.
3. Click OK to begin the search for NTFS folders, or Cancel to cancel the request.
4. The application begins searching for MFT records in the Unallocated Clusters. In the bottom right-hand corner a progress bar indicates the number of MFT records found and the approximate time required to complete the search.
5. After the application locates the MFT records in the Unallocated Clusters, a prompt appears showing the number of entries found. Duplicate or false hits are parsed, so the number of entries that appears in the prompt may be lower than reported during the recovery.
6. Click OK.
7. The application resolves the recovered MFT records to data on the volume, and attempts to rebuild the folder structure with children files and folders under parent folders. This process can take a long time; however, the results greatly benefit examinations of NTFS volumes.

Since rebuilding the folder structure can take a long time, you can opt to have faster access to the recovered files. If the recovered MFT entries in the unallocated space are NTFS 4, you can choose to:
- process the entries for parent/child relationships, or
- place all recovered entries into the Recovered Files folder immediately with no folder structure.

This dialog box shows the number of passes required to sort the entries. This number may be large, but most passes process instantly. The length of time required to process a given group depends only on the number of records within that group.
This change does not affect NTFS 5 recovered entries. These entries are processed quickly, as before. If you choose to process the entries for the folder structure, the progress bar indicates which pass is currently running. The recovered folder structure is placed under the virtual Recovered Files folder.

Recovering UFS and EXT2/3 Partitions
EnCase applications use a different method for recovering deleted files and folders that have no parent in UFS and EXT2/3 partitions. When you preview a computer or add an evidence file containing one of these partitions to your case, a gray folder called Lost Files is automatically added to the tree in the Entries tab as a child of each partition.
In the Master File Table (MFT) in NTFS, all files and folders are marked as a folder or file and as belonging to a parent. The files within a folder are that folder's children. If you first delete the files, then delete the folder, and then create a new folder, the originally deleted files can be lost. The new folder's entry in the MFT overwrites the deleted folder's entry. The original parent folder and its entry in the MFT are overwritten and gone. Its children, however, were not overwritten and their entries are still in the MFT. As with NTFS, with UFS and EXT2/3 partitions, the application parses the MFT and finds those files that are still listed, but have no parent directory. All of these files are recovered and placed into the gray Lost Files folder.

Recovering Folders from a Formatted Drive
If the evidence file shows a logical volume but has no directory structure, the hard drive has probably been formatted. If this is a FAT-based system, EnCase applications can recover the original directory structure. Right-click each logical volume and choose Recover Folders. This searches through the drive and recovers folders, subfolders and files from within those folders if the information is still available.
You may occasionally encounter a device containing a file system unsupported by EnCase. When this occurs, the Entries tree displays the device icon, but the Entries table only lists Unallocated Clusters. Although there is no way to view file structure, it may be possible to run text searches through the Unallocated Clusters.

Recovering Partitions
Occasionally a device is formatted or even FDISKed in an attempt to destroy evidence. Formatting and FDISKing a hard drive does not actually delete data. Formatting deletes the structure indicating where the folders and files are on the disk. FDISKing a drive deletes a drive's partition information. EnCase applications can rebuild both partition information and directory and folder structure.

Adding Partitions
A formatted hard drive or FDISK hard drive should be acquired using normal procedures. When these evidence files are added to a case:
- A formatted drive displays logical volumes within EnCase, but each volume has only an Unallocated Clusters entry in the table.
- An FDISK hard drive will not show logical volume information. The entire drive is displayed as Unused Disk Area in the table.

To restructure these portions of the disk:
1. In the filter pane, expand EnScripts and then Examples.
2. Double-click Case Processor.
3. Check the case you are working on and click Next.
4. Enter a Bookmark Folder name and optionally, a Folder Comment.
5. Check the Partition Finder Module in the Modules list.
6. Click Finish. The EnScript program runs.
7. When the EnScript program finishes, click Bookmarks in the Tree pane.
8. In the tree, click Set Included to show all the bookmarks the EnScript program has found. Note the partition type and size in the comment.
9. Highlight the entry in the Table pane, and then select Disk.
10. In the Disk tab, the cursor appears on the bookmarked sector. Right-click and select Add Partition. The Add Partition screen detects the sectors and partition type automatically, populating the fields.
11. Click OK to restore the partition.
12. To see the contents of the partition you just added, click Entries in the Tree pane. The new partition appears below the device the Sweep Case EnScript program was run against.
13. If the drive had multiple partitions, click Bookmarks in the Tree pane, then repeat the process from step 9.
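What the Partition Finder module bookmarks is, in effect, every sector that still carries a usable volume boot record after the partition table has been wiped. The Python example below is added here and is not EnCase or EnScript code: it reproduces that search on a constructed image of an FDISKed disk and reports the start sector, partition type and size that step 8 tells you to read from the bookmark comment. The 0x55AA signature alone is not enough, because an MBR and leftover boot code carry it too, so the BIOS Parameter Block is checked as well. The 512-byte sector size, the sample image layout and the function names are assumptions.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"


def make_ntfs_boot_sector(total_sectors):
    """Constructed NTFS volume boot record holding only the fields read below."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"                    # jump instruction
    bs[3:11] = b"NTFS    "                       # OEM ID
    struct.pack_into("<H", bs, 11, SECTOR)       # bytes per sector
    bs[13] = 8                                   # sectors per cluster
    struct.pack_into("<Q", bs, 40, total_sectors)
    bs[510:512] = BOOT_SIGNATURE
    return bytes(bs)


def make_fat32_boot_sector(total_sectors):
    """Constructed FAT32 volume boot record holding only the fields read below."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x58\x90"
    bs[3:11] = b"MSWIN4.1"
    struct.pack_into("<H", bs, 11, SECTOR)
    bs[13] = 8
    struct.pack_into("<H", bs, 19, 0)            # BPB_TotSec16 is zero on FAT32
    struct.pack_into("<I", bs, 32, total_sectors)  # BPB_TotSec32
    bs[82:90] = b"FAT32   "                      # BS_FilSysType
    bs[510:512] = BOOT_SIGNATURE
    return bytes(bs)


def identify_boot_sector(sec):
    """Return (file system, total sectors, bytes per sector) when `sec` is a
    plausible FAT or NTFS volume boot record, otherwise None."""
    if len(sec) != SECTOR or sec[510:512] != BOOT_SIGNATURE:
        return None
    bps = struct.unpack_from("<H", sec, 11)[0]
    if bps not in (512, 1024, 2048, 4096):       # MBRs and random code fail here
        return None
    if sec[3:11] == b"NTFS    ":
        return "NTFS", struct.unpack_from("<Q", sec, 40)[0], bps
    if sec[82:90] == b"FAT32   ":
        return "FAT32", struct.unpack_from("<I", sec, 32)[0], bps
    if sec[54:62] in (b"FAT12   ", b"FAT16   "):
        total = struct.unpack_from("<H", sec, 19)[0] or struct.unpack_from("<I", sec, 32)[0]
        return sec[54:62].decode().strip(), total, bps
    return None


def find_partitions(image):
    """Walk a raw image sector by sector and list every recognised volume boot
    record with the values needed to add the partition back."""
    found = []
    for n in range(len(image) // SECTOR):
        hit = identify_boot_sector(image[n * SECTOR:(n + 1) * SECTOR])
        if hit is None:
            continue
        fs, total, bps = hit
        if total == 0:                           # a BPB without a size is unusable
            continue
        found.append({"start_sector": n, "type": fs, "total_sectors": total,
                      "end_sector": n + total - 1, "size_bytes": total * bps})
    return found


def build_sample_image():
    """Constructed 128-sector image of an FDISKed disk: the partition table in
    sector 0 is zeroed, two volume boot records survive, and sector 100 is a decoy
    that ends in 0x55AA but has no valid BPB."""
    sectors = [bytes(SECTOR)] * 128
    sectors[8] = make_ntfs_boot_sector(40)
    sectors[63] = make_fat32_boot_sector(60)
    decoy = bytearray(SECTOR)
    decoy[510:512] = BOOT_SIGNATURE
    sectors[100] = bytes(decoy)
    return b"".join(sectors)


if __name__ == "__main__":
    for p in find_partitions(build_sample_image()):
        print(f"sector {p['start_sector']:>6}: {p['type']:<5} "
              f"{p['total_sectors']} sectors ({p['size_bytes']} bytes), "
              f"ends at sector {p['end_sector']}")
```

On a real image the hits should also be checked against each other: a partition whose computed end sector overlaps the next hit's start is usually a stale boot record from an earlier layout rather than the one to add back.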

Deleting Partitions
If a partition was created at the wrong sector, you must delete the entry for that partition at the sector at which it was created on the evidence file image of the hard drive.
1. On the Disk tab of the Table pane, navigate to the volume boot record entry, as indicated by a pink block.
2. Right-click and select Delete Partition.
3. Click Yes to confirm removal of the partition.

The row in the Table view now contains an entry for Unused Disk Space instead of the now deleted partition.

Restoring Evidence
EnCase applications allow an investigator to restore evidence files to prepared media. Restoring evidence files to media theoretically permits the investigator to boot the restored media and view the subject's computing environment without altering the original evidence. Restoring media, however, can be challenging. Read this chapter carefully before attempting a restore.
Do not boot the subject's drive. Do not boot your forensic hard drive with the subject drive attached. There is no need to touch the original media at all. Remember, it is still evidence.

Physical versus Logical Restoration
EnCase allows the investigator to restore either a logical volume or a physical drive. A logical volume is a volume that does not contain a Master Boot Record (MBR) or the Unused Disk Space. A physical volume contains the Master Boot Record and Unused Disk Space. Unused Disk Space, however, is typically not accessible to the user.
Most often, when complying with discovery issues, one must perform a physical restore, not a logical one. Logical restores are less desirable as they cannot be verified as an exact copy of the subject media. When a drive is restored for the purposes of booting the subject machine, a physical restore is the correct choice.
Whether restoring a drive physically or logically, restore the evidence files to a drive slightly larger in capacity than the original Subject hard drive. For example, if restoring a 2 gigabyte hard drive image, restore the image to a 2 to 4 gigabyte hard drive. Restoring media to a drive that is substantially larger than the subject media can prevent the restored clone from booting at all, possibly defeating the purpose of the restore.

Preparing the Target Media
Preparation of the target media where the image is going to be restored is essential for a forensically sound restore.
- The target media must be wiped.
- For logical restores, the target media must be FDISKed.
- For logical restores, the target media must be partitioned and formatted with the same file type system as the volume to be restored (for example, FAT32 to FAT32, NTFS to NTFS, etc.).
- For physical restores, do not FDISK, partition, or format the hard drive. Instead, start your EnCase application and restore the image physically to the target media.

Physical Restore
Restoring a physical drive means that the application will copy everything, sector by sector, to the prepared target drive, thereby creating an exact copy of the subject drive. The target drive should be larger than the subject hard drive. When the restore completes, it provides hash values verifying that the lab drive is an exact copy of the subject drive. If a separate, independent MD5 hash of the lab drive is run, be certain to choose to compute the hash over only the exact number of sectors included on the suspect's drive so that the MD5 hash will be accurate.
Drive 0 cannot be restored to. If the prepared target media is Drive 0, another drive must be added to the system, as a master, to store the restored image.
Restored sectors can also be verified to confirm that there is indeed a sector-by-sector copy of the original subject media.
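Both the Hashing topic earlier in this chapter (the Start Sector / Stop Sector dialogs) and the independent-MD5 caveat just above come down to hashing an exact sector range. The following Python example is added here and is not EnCase or LinEn code: hash_sectors() digests an inclusive sector range in chunks, and verify_restore() compares a restored drive against its source over the source's sector count only, also computing the whole-drive digest to show why hashing the larger target drive (wiped tail included) cannot match. The 512-byte sector size, the constructed source and target images, and the function names are assumptions.

```python
import hashlib
import random

SECTOR = 512


def hash_sectors(device, start_sector, stop_sector, algorithm="md5",
                 chunk_sectors=2048):
    """Hash the inclusive sector range start..stop of a bytes-like device image,
    the same range the Start Sector / Stop Sector dialogs describe.  Data is fed
    to the digest in chunks so a full drive image is never copied at once."""
    if start_sector < 0 or stop_sector < start_sector:
        raise ValueError("stop sector must not precede start sector")
    view = memoryview(device)
    end = (stop_sector + 1) * SECTOR
    if end > len(view):
        raise ValueError("stop sector lies beyond the end of the device")
    digest = hashlib.new(algorithm)
    pos = start_sector * SECTOR
    while pos < end:
        step = min(chunk_sectors * SECTOR, end - pos)
        digest.update(view[pos:pos + step])
        pos += step
    return digest.hexdigest()


def verify_restore(source_image, restored_drive, algorithm="md5"):
    """Compare a restored drive against the evidence it was restored from.  The
    target is normally larger than the source, so the comparison covers exactly
    the source's sector count; the whole-drive digest is returned only to show
    that it differs."""
    source_sectors = len(source_image) // SECTOR
    restored_sectors = len(restored_drive) // SECTOR
    if restored_sectors < source_sectors:
        raise ValueError("target drive is smaller than the source image")
    last = source_sectors - 1
    source_digest = hash_sectors(source_image, 0, last, algorithm)
    restored_digest = hash_sectors(restored_drive, 0, last, algorithm)
    whole_drive_digest = hash_sectors(restored_drive, 0, restored_sectors - 1, algorithm)
    return {
        "source_sectors": source_sectors,
        "restored_sectors": restored_sectors,
        "source_digest": source_digest,
        "restored_digest": restored_digest,
        "whole_drive_digest": whole_drive_digest,
        "match": source_digest == restored_digest,
    }


def build_sample_source(sectors=1000, seed=2009):
    """Constructed stand-in for an acquired drive: deterministic pseudo-random
    sector contents so every run produces the same digests."""
    n = sectors * SECTOR
    return random.Random(seed).getrandbits(8 * n).to_bytes(n, "little")


def build_sample_restored_drive(source_image, extra_sectors=24):
    """Constructed stand-in for the restored target: the source followed by the
    wiped (zeroed) sectors a slightly larger target drive would hold."""
    return source_image + bytes(extra_sectors * SECTOR)


if __name__ == "__main__":
    src = build_sample_source()
    dst = build_sample_restored_drive(src)
    result = verify_restore(src, dst)
    print("sectors compared :", result["source_sectors"])
    print("source MD5       :", result["source_digest"])
    print("restored MD5     :", result["restored_digest"])
    print("whole-drive MD5  :", result["whole_drive_digest"], "(differs: wiped tail included)")
    print("match            :", result["match"])
```

For a real drive, open the block device or image file and pass a memory-mapped view instead of an in-memory bytes object; the sector arithmetic and the rule of hashing exactly the source's sector count stay the same.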

Sometimes the Convert Drive Geometry setting is available. This is entirely dependent on the drive geometry of the original drive in comparison to the restore drive. Every drive is defined by specific Cylinders-Heads-Sectors (CHS) drive geometry information. If the Heads and Sectors of the original drive imaged are identical to the target restore drive, then the drives are of the same type and the Convert Drive Geometry setting is not available. If the source and target drives are of different types (for example, the heads/sectors settings are different), then the Convert Drive Geometry is available.

To restore a physical hard drive:
1. Install a sterile, unpartitioned, unformatted restoration drive to your forensic machine, using a connection other than IDE 0. EnCase applications cannot restore a physical drive to IDE 0. Ensure that the intended restoration drive is at least as large as (but preferably larger than) the original from which the image was taken so that the restored data will never overwrite all sectors on the target hard drive. EnCase applications can wipe the remaining sectors of the target hard drive after the actual data from the evidence file is restored. Wiping remaining sectors is recommended.
2. Look at the acquired drive in the Report pane and note the precise physical drive geometry of the forensic image you are restoring from, including Cylinders, Heads and Sectors. Note the acquisition hash for later comparison on the restored drive.
3. On the Entries tree, on the Tree pane, right-click on the physical disk you want to use as the source and select Restore.
4. Select the destination drive from the list of possible destination devices, then click Next.
5. Select the drive to restore the image to and click Next.
6. If it is displayed, select Convert Drive Geometry, then click Finish.
7. To confirm the restore to the designated drive, type Yes in Continue, then click Yes to start the physical restore. When the restore is finished, a verification message displays information such as any read or write errors and the hash values for both the evidence file and the restored drive. The hash values should match. If the hash values from the restore do not match, restore the evidence file again. It might be necessary to swap the target media for correct results.
8. When the drive is restored, physically pull the power cord from the computer.
9. Attach the restored drive as near to the original configuration as possible (for example, if the drive was originally on IDE channel 0 on the original computer, install it there). This will help the computer to allocate the original drive letters, providing the proper mapping for .lnk files, etc.
10. On older drives less than 8.4 GB, you may need to reboot using an EnCase Barebones Boot Diskette, and during the boot sequence set the CHS settings of the restoration drive in the CMOS to the physical drive geometry of the original drive, which you noted earlier. Setting the physical drive geometry will probably require overriding the auto-detected drive geometry.
11. Use LinEn to calculate the hash value of the restored drive, and compare it to the acquisition hash value to ensure its integrity.
12. If you want to boot the drive, use an EnCase Barebones Boot Disk with FDISK copied to it. Run FDISK /MBR. The restored disk should now be bootable. Be aware that as soon as you boot it, the underlying data will be altered.

Note that differences may occur depending on whether you are restoring an NTFS or FAT32 file system, and whether the restored drive is being booted on the original hardware platform the drive was acquired from. EnCase applications restore using one of the following methods:
- without FastBloc SE
- with FastBloc SE

Restoring without FastBloc SE, because the disk drivers for Windows 2000, XP and 2003 do not allow direct disk access, can be performed through the ASPI layer. ASPI has a problem with rounding off the last few sectors that do not fit on the last cylinder of a drive. This is the reason why all sectors are visible when the drive is read, yet when writes are attempted a small number of sectors may be missing. This is a Windows/ASPI limitation, not EnCase. Because of this limitation, you may need to use a slightly larger drive when performing the restore.
If you purchased the FastBloc SE module, you can restore to a drive that is controlled through FastBloc SE. When you restore with FastBloc SE, FastBloc SE replaces the Windows drivers and allows direct disk access, thereby circumventing the ASPI layer and its associated problems. Because FastBloc SE can write directly to the disk, you can restore to the same size drive.
Drive manufacturers also state that even though drives may appear identical, once partitioned they may not have the same capacity. If possible, drives from the same batch should be used so that both will be read with the same capacity (check the date on the drive's label). Older hard drives may have two platters, while the newer version may only have one, with the single platter drive having a few less bytes available.

Logical Restore
Media have different types depending on the CHS (cylinders-heads-sectors) information. The same type might have different cylinders settings, but their heads and sectors information (the HS in CHS) will be the same. If the heads/sectors information is different, then the media type differs and you should use another target restore hard drive. A logical volume must be restored to a volume of the same size, or larger, and of the same type.
To prepare for a logical restore, the target media should be:
- wiped
- FDISKed
- partitioned
- formatted prior to restore

Format the target drive with the same file type system as the volume to be restored (for example, FAT32 to FAT32, NTFS to NTFS, etc.).
The procedure for restoring a logical volume is identical to that of restoring a physical device. For a logical volume:
1. In Case view, right-click on the volume.
2. Select Restore.

When you finish the logical restore, a confirmation message displays. You must restart the computer to allow the restored volume to be recognized. Note that the restored volume contains only the information that was inside the selected partition.

Booting the Restored Hard Drive
After the restore operation has finished with no errors, remove the target hard drive from the storage system and place it into a test system. Switch the power on. Depending on what operating system the subject ran, the test system should boot up exactly as the subject computer.
There are quite a few difficulties that can occur at this stage of the investigation. The most common is that the clone of the subject drive will not boot. Before trying anything else, check the restored disk using FDISK and verify it is set as an Active drive. If not, set the drive as Active (using the FDISK utility) and it should boot.
To boot the restored hard drive:
1. Ensure the intended restoration drive is at least as large as the original from which the image was taken.
2. Install a sterile restoration drive to your forensic machine, using a connection other than IDE 0. Note: EnCase cannot restore a physical drive to IDE 0.
3. Create, but do not format, a single partition on the restoration drive.
4. Using the Report pane, note the disk geometry of the forensic image of the drive you are restoring from, so the physical geometry used is correct.
5. Restore the forensic image of the physical drive to the restoration drive using the Restore Drive setting.
6. To make the restored drive active in Windows, right-click My Computer and select Manage, then Disk Management, then right-click the restored drive and select Make Active.
7. Shut down the computer and attach the restored drive as near to the original configuration as possible. This helps the computer to allocate the original drive letters, making .lnk files, etc. work better.
8. Reboot and set the CHS settings of the restoration drive in the CMOS to the physical geometry of the original drive, overriding the auto-detected geometry if necessary.

The restored disk should now be bootable.

If the Restored Disk Does Not Boot
The Cylinders-Heads-Sectors information (CHS) in the Master Boot Record (MBR) from the image may not match the CHS information of the actual hard drive.
Reset the CHS information for the MBR. Boot with a DOS boot disk and, at the A:\> prompt, type FDISK /MBR to reset the Master Boot Record.
Verify that the MBR has the correct io.sys file. Re-SYS the boot drive with the correct sys version. For example, if the subject had Windows 95B, then the hard drive should have a sys command performed on it from a Windows 95B created boot disk. At the A:\> prompt, type SYS C:

Snapshot to DB Module Set
This script takes snapshots of nodes across a network and stores the snapshots in a SQL database. It also reads from the database to create reports on the snapshots taken. It allows for minimal maintenance on the database so you can control the amount of data stored as well.
Three EnScripts work with the database to perform their tasks:
- InitializeDatabase.EnScript
- SnapshottoDB.EnScript
- SnapshotDBReports.EnScript
Each is discussed in detail below.

Initializing the Database
The InitializeDatabase.EnScript:
- initializes the database
- maintains the database
Note: You must run this script first.
1. Make sure you set up an ODBC connection properly and noted down the information used for that connection.
2. Run InitializeDatabase.EnScript. The Initialize Database dialog opens:

Choosing Database Sources
Select the Database Source Options tab to specify connection information for the database:
- Data Source Name: This is the name you gave the ODBC connection when you created it.
- Enter User Name (Not Needed If Using NT Authentication): Specify a user name. If you set up the ODBC connection to use NT Authentication, it remembers your user name so you do not need to enter it manually.
- Enter Password (Not Needed If using NT Authentication): Like your user name, you must specify a password to gain access to the database. If you set up the ODBC connection to use NT Authentication, it remembers your password so you do not need to enter it manually.
- DB Timeout Interval (minutes): Specify how long you want to wait before a DB timeout occurs. This indicates how long the program waits before assuming the connection is bad (the default is 5 minutes).
- Show Queries in Console: Check this box to produce comments on what is happening behind the scenes.
- Database Name: Since a database management system can house many databases, you must specify the one you want to use.

Maintaining the Database
1. Run InitializeDatabase.EnScript. The Initialize Database dialog opens:
2. Select the Maintenance Options tab to run basic cleaning maintenance on the database itself (including deleting database records) and fill in the various fields or check the appropriate box:
   - No Maintenance: Use this option if you want to initialize the database (selected by default).
   - Delete All Records: Once a database is created, select this option to delete the entire contents in the database (but not the database itself).
   - Delete Records Older Than: You can automatically schedule cleaning the database by selecting this option. With this option selected, the following options become active and configurable:
     - Days: Specifies the age of a record you want to delete. For example, selecting 1 means you want to delete records at least one day old.
     - Run Maintenance Daily: This checkbox runs the cleaner every day at specified hours and minutes.

Updating the Database
1. Run SnapshotToDB.EnScript. You will be required to log in to a SAFE. When you successfully log in, this dialog opens:
   This is where you:
   - specify the nodes you want to scan
   - take a snapshot
   Choose the Role You Want to Assume: in the tree, select the specific role you want to use when connecting to the nodes.
   Note: Be sure to select a valid Role to enable the Next button.
   Click Network Tree to open a dialog where you can select nodes added to the role via SAFE.
   Lower text box (under Network Tree): manually enter IP addresses, host names, and ranges here. Valid ranges must be defined as such: IP Address1 IP Address2. IP Address2 must be greater than IP Address1; that is, IP Address1 is the lowest IP Address in the range and IP Address2 is the highest IP Address.
2. Once you specify which nodes to scan for snapshots, you must specify which database to use.
3. Click Next. The Snapshot Data Source Options dialog opens:
   - Data Source Name: This is the name you gave the ODBC connection when you created it.
   - Enter User Name (Not Needed If Using NT Authentication): Specify a user name. If you set up the ODBC connection to use NT Authentication, it remembers your user name so you do not need to enter it manually.
   - Enter Password (Not Needed If using NT Authentication): Like your user name, you must specify a password to gain access to the database. If you set up the ODBC connection to use NT Authentication, it remembers your password so you do not need to enter it manually.
   - DB Timeout Interval (minutes): Specify how long you want to wait before a DB timeout occurs. This indicates how long the program waits before assuming the connection is bad (the default is 5 minutes).
   - Show Queries in Console: Check this box to produce comments on what is happening behind the scenes.
4. Click Next. If the database connection is successful, a confirmation message displays:

Specifying Database Content
Use the Process Options dialog to specify what information to insert into the database.
1. Select the appropriate Snapshot Write Options button:
   - Save All Processes takes a snapshot of each node and inserts these items into the database:
     - Process
     - Net users
     - Net interfaces
     - Open ports
   - Save Not Approved Or Hidden Processes inserts not approved or hidden processes into the database.
2. Click Finish to begin the scanning process.
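The ranges typed into the lower text box under Network Tree must have IP Address2 greater than IP Address1. The Python example below is added here and is not part of the SnapshotToDB EnScript: it validates a node list of the kind that box accepts, one IP address, host name or range per line, rejects ranges that break that rule (or whose endpoints are of different IP versions), expands valid ranges into individual addresses, and refuses to expand a range so large it is almost certainly a typo. The hyphen as the range separator, the expansion limit, the host-name rule and the constructed sample list are assumptions.

```python
import ipaddress
import re

# Host-name labels: alphanumerics and interior hyphens, 1 to 63 characters each.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
MAX_RANGE = 65536   # assumed cap: a /16 at most, anything larger is treated as an error


def parse_node_list(text, max_range=MAX_RANGE):
    """Parse one node specification per line (IP address, host name, or a
    start-end IP range).  Returns (targets, errors): targets is the ordered,
    de-duplicated list of addresses and host names to connect to, errors maps
    each rejected line to the reason it was rejected."""
    targets, seen, errors = [], set(), {}

    def add(target):
        if target not in seen:
            seen.add(target)
            targets.append(target)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "-" in line:
            left, _, right = line.partition("-")
            try:
                start = ipaddress.ip_address(left.strip())
                end = ipaddress.ip_address(right.strip())
            except ValueError:
                start = end = None            # not a range; may still be a host name
            if start is not None:
                if start.version != end.version:
                    errors[line] = "range endpoints must be the same IP version"
                    continue
                if int(end) <= int(start):
                    errors[line] = "IP Address2 must be greater than IP Address1"
                    continue
                count = int(end) - int(start) + 1
                if count > max_range:
                    errors[line] = f"range expands to {count} addresses (limit {max_range})"
                    continue
                for offset in range(count):
                    add(str(start + offset))  # ip_address objects support + int
                continue
        try:
            add(str(ipaddress.ip_address(line)))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(line):
            add(line.lower())
        else:
            errors[line] = "not an IP address, host name, or IP range"
    return targets, errors


# Constructed sample input, including a duplicate, a reversed range, a one-address
# range (rejected because IP Address2 must be greater) and an invalid entry.
SAMPLE_NODE_LIST = """\
# constructed example list
10.0.5.10
10.0.5.20-10.0.5.23
fileserver-01.corp.example
10.0.5.10
10.0.6.9-10.0.6.5
10.0.7.1-10.0.7.1
not a host!
2001:db8::1
"""

if __name__ == "__main__":
    targets, errors = parse_node_list(SAMPLE_NODE_LIST)
    print("targets:")
    for t in targets:
        print("  ", t)
    print("rejected:")
    for line, why in errors.items():
        print(f"   {line!r}: {why}")
```

Checking the list before connecting keeps a mistyped range from turning a targeted snapshot into an hours-long sweep of addresses that were never meant to be examined.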

Generating Reports on the Database
Once you gather data into the database, you can generate reports.
1. Run SnapshotDBReports.EnScript. The Snapshot Database Source Options dialog opens:
   - Data Source Name: This is the name you gave the ODBC connection when you created it.
   - Enter User Name (Not Needed If Using NT Authentication): Specify a user name. If you set up the ODBC connection to use NT Authentication, it remembers your user name so you do not need to enter it manually.
   - Enter Password (Not Needed If using NT Authentication): Like your user name, you must specify a password to gain access to the database. If you set up the ODBC connection to use NT Authentication, it remembers your password so you do not need to enter it manually.
   - DB Timeout Interval (minutes): Specify how long you want to wait before a DB timeout occurs. This indicates how long the program waits before assuming the connection is bad (the default is 5 minutes).
   - Show Queries in Console: Check this box to produce comments on what is happening behind the scenes.
2. Click OK. The Snapshot DB Reports dialog opens:
3. Select the checkbox for the reports you want to generate.
4. Click OK to begin generating the report.

Using the Snapshot DB Reports Dialog
This dialog lists reports generated from the database snapshot. You can add or modify reports, as well as export reports to a file or import them from a file.

Items
This list box contains information on reports already generated. If you create or add a report, that report and the options you select for it are stored in the database, enabling you to regenerate it as needed.
Double-click an item in the list to modify it.
Right-click an item to delete it. If you delete an item without selecting its checkbox, you must click OK and then click Yes on the resulting warning message.

Add
Click Add to create a new report definition. The Report Setup dialog opens:
- In the Report Name field, specify the name of the report.
- In the Report Output Path field, specify the location to save the report.
- In Report Type, select the type of report you want to generate:
  - Process Data
  - Process and Port Data
  - User Data
- Excel File: Select to output the report as a Microsoft Excel file.
- HTML Format: Select to output the report as an HTML file.
- Edit Condition...: Select to add a set of conditions to report on.

Modify
Select an item in the list, making sure the checkbox is cleared, then click Modify. The Edit Report dialog opens:
Make the modifications you want, then click OK. The modifications are saved to the database.

Export Selected to File
Click Export Selected To File to export a report definition from the database. The Export To File dialog opens:
Click the Browse button to specify where to save the report definition, then click OK.


Import from File
Click Import from File to import a report definition into the database. The Import from File dialog opens:

Click the Browse button to locate the file to import, then click OK.

Time between Queries (Minutes)
Enter or select the number of minutes you want to pause between queries.

WinEn
WinEn is a standalone command line utility that captures the physical memory of a live computer running a Windows operating system (Windows 2000 or later). The physical memory image captured by WinEn is placed in a standard evidence file, along with the user-supplied options and information. WinEn runs from a command prompt on the computer whose memory you want to capture.

WinEn has a very small footprint in memory, and it is typically run from a removable device such as a thumb drive. Although running it makes minor changes to the target computer (listed under Additional WinEn Information below), this is the most effective way to capture physical memory before shutting down a computer, because the contents of RAM are lost at power-off. As always, examiners should document and explain their procedures, including the changes WinEn makes, for later reference.

Running WinEn
To run WinEn, open a command prompt on the target computer. The user logged on must have local administrator privileges on the computer, and you must start the command prompt with that privilege level (an elevated prompt on systems with User Account Control), because WinEn loads a driver. Once you open a command prompt, run WinEn using the syntax below. It is recommended that you compress the evidence file that is created and save it to removable media so that no additional changes are made to the target computer.

There are three ways to supply the necessary information to WinEn when running from the command line:

- Command line options
- Configuration file
- Prompt for value

Command Line Options
Syntax: winen <option> <option> ...

-p <EvidencePath>*       Path and file name of the evidence file to be created (maximum 260 characters)
-d <Compress>*           Level of compression (0=none, 1=fast, 2=best)
-e <Examiner>*           Examiner's name (maximum 64 characters)
-m <EvidenceName>*       Name of the evidence within the evidence file (maximum 50 characters)
-c <CaseNumber>*         Case number related to the evidence (maximum 64 characters)
-r <EvidenceNumber>*     Evidence number (maximum 64 characters)
-s <MaxFileSize>         Maximum file size of each evidence file segment in MB (default: 640, minimum: 1, maximum: 10737418240)
-g <Granularity>         Error granularity in sectors (default: 1, minimum: 1, maximum: 1024)
-b <BlockSize>           Sectors per block for the evidence file (default: 64, minimum: 1, maximum: 1024)
-t                       Turns off acquisition hashing
-a <AlternatePath>       A semicolon-delimited list of alternate paths (maximum 260 characters)
-n <Notes>               Notes (maximum 32768 characters)
-f <ConfigurationFile>   Path to a configuration file holding variables for the program (maximum 260 characters)
-h                       Help message

* = Required field

Turning off hashing with -t means the evidence file carries no acquisition hash against which the image can later be verified. Leave hashing on unless you have a documented reason to disable it.

Configuration File
You can create a configuration file to fill in some or all of the variables. Each line of the configuration file has the form OptionName=Value, and the file can be used in conjunction with command line options (pass its path with -f).


All of these options have the same restrictions as their command line counterparts.

Note that options entered on the command line override the same option in the configuration file. This way, you can keep standard values in the configuration file and override a specific setting by entering the appropriate information on the command line.

Options for the configuration file are as follows:

EvidencePath*     Path and file name of the evidence file to be created (maximum 32768 characters)
Compress*         Level of compression (0=none, 1=fast, 2=best)
Examiner*         Examiner's name (maximum 64 characters)
EvidenceName*     Name of the evidence within the evidence file (maximum 50 characters)
CaseNumber*       Case number related to the evidence (maximum 64 characters)
EvidenceNumber*   Evidence number (maximum 64 characters)
MaxFileSize       Maximum file size of each evidence file segment in MB (minimum: 1, maximum: 10737418240)
Granularity       Error granularity in sectors (minimum: 1, maximum: 1024)
BlockSize         Sectors per block for the evidence file (minimum: 1, maximum: 1024)
Hash              Compute a hash while acquiring the evidence (TRUE or FALSE)
AlternatePath     A semicolon-delimited list of alternate paths (maximum: 32768 characters)
Notes             Notes (maximum: 32768 characters)

* = Required field

Configuration File Notes
- You can use the pound sign (#) as a comment delimiter. Anything after a pound sign on a line is ignored.
- Empty lines in the configuration file are ignored.
- Options in the configuration file are not case sensitive.
- White space before or after the <option> and before or after the <value> is ignored. White space in the middle of a value is retained (such as a space between an examiner's first and last name).
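The following is an added example, written for this edition of the page; it is not WinEn's code and not code from Guidance Software. It parses a configuration file that follows the rules above (comments, blank lines, case-insensitive option names, trimmed white space), applies the command-line-overrides-file precedence, and then checks the required fields, length limits and numeric ranges from the tables. The sample file contents, the file name winen.cfg and the command line are constructed for the example; the limits are those of the configuration-file table (the page gives 32768 characters for EvidencePath there, versus 260 on the command line).

```python
"""Added example (not part of the EnCase manual or Guidance Software's code):
parse a WinEn-style configuration file, merge it with command-line options
(command line wins), and validate the result against the limits listed on
this page. The sample file and command line below are constructed."""
import re
import shlex

# Limits taken from the WinEn configuration-file option table.
REQUIRED = ("EvidencePath", "Compress", "Examiner", "EvidenceName",
            "CaseNumber", "EvidenceNumber")
MAX_LEN = {"EvidencePath": 32768, "Examiner": 64, "EvidenceName": 50,
           "CaseNumber": 64, "EvidenceNumber": 64, "AlternatePath": 32768,
           "Notes": 32768}
RANGES = {"MaxFileSize": (1, 10737418240), "Granularity": (1, 1024),
          "BlockSize": (1, 1024), "Compress": (0, 2)}
# Short flag -> option name, from the command-line table (-t handled separately).
FLAGS = {"-p": "EvidencePath", "-d": "Compress", "-e": "Examiner",
         "-m": "EvidenceName", "-c": "CaseNumber", "-r": "EvidenceNumber",
         "-s": "MaxFileSize", "-g": "Granularity", "-b": "BlockSize",
         "-a": "AlternatePath", "-n": "Notes"}
CANON = {k.lower(): k for k in list(MAX_LEN) + list(RANGES) + ["Hash"]}

def parse_config(text):
    """OptionName=Value lines; '#' starts a comment, blank lines are skipped,
    option names are case-insensitive, white space around name and value is
    trimmed, white space inside the value (e.g. 'Jane Doe') is kept."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not OptionName=Value: %r" % raw)
        key = CANON.get(name.strip().lower())
        if key is None:
            raise ValueError("unknown option %r" % name.strip())
        opts[key] = value.strip()
    return opts

def parse_argv(argv):
    """Read the winen flags listed above; -t is the same as Hash=FALSE."""
    opts, i = {}, 0
    while i < len(argv):
        flag = argv[i]
        if flag == "-t":
            opts["Hash"] = "FALSE"
            i += 1
        elif flag in FLAGS and i + 1 < len(argv):
            opts[FLAGS[flag]] = argv[i + 1]
            i += 2
        else:
            raise ValueError("bad or incomplete flag %r" % flag)
    return opts

def merge_and_validate(config_opts, argv_opts):
    """Command-line values override the file, then required fields, length
    limits and numeric ranges are enforced. Returns the validated options."""
    opts = dict(config_opts)
    opts.update(argv_opts)
    missing = [k for k in REQUIRED if k not in opts]
    if missing:
        raise ValueError("missing required option(s): " + ", ".join(missing))
    for k, limit in MAX_LEN.items():
        if k in opts and len(opts[k]) > limit:
            raise ValueError("%s longer than %d characters" % (k, limit))
    for k, (lo, hi) in RANGES.items():
        if k in opts and (not re.fullmatch(r"\d+", opts[k])
                          or not lo <= int(opts[k]) <= hi):
            raise ValueError("%s must be an integer in [%d, %d]" % (k, lo, hi))
    if "Hash" in opts and opts["Hash"].upper() not in ("TRUE", "FALSE"):
        raise ValueError("Hash must be TRUE or FALSE")
    return opts

# Constructed sample file (winen.cfg) and command line; not from a real case.
SAMPLE_CONFIG = """
# winen.cfg - constructed example
EvidencePath = E:\\Acq\\ram.E01
compress = 1            # option names are case-insensitive
Examiner = Jane Doe     # white space inside the value is kept
EvidenceName = Workstation RAM
CaseNumber = 2009-0001
Hash = TRUE
"""
SAMPLE_ARGV = shlex.split("-r EV-07 -d 2")   # -d overrides Compress=1 from the file

if __name__ == "__main__":
    final = merge_and_validate(parse_config(SAMPLE_CONFIG), parse_argv(SAMPLE_ARGV))
    for k in sorted(final):
        print("%-15s %s" % (k, final[k]))
```

Running the block prints the merged options with Compress set to 2 (the command line wins) and EvidenceNumber supplied only on the command line; removing a required line from the file, or passing -g 5000, raises a ValueError in the same places where WinEn would exit or prompt for a correct value.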


Prompt for Value
The console asks for any required (*) values (Please enter a value for the option <option>) if they are not provided in one of the formats above.

Error Handling
The program checks all values entered to make sure they conform to the restrictions listed above. Any deviation causes the program to exit or prompt for a correct value.

Additional WinEn Information
- Progress Bar: While the process is running it uses bar (|) marks across the screen as a status indicator, using the full width of the screen as the 100% mark.
- Cancel: To stop the process while it is running, use the CTRL-BREAK (or CTRL-C) key combination.
- WinEn Driver: At run time, WinEn drops its driver file in the same directory where WinEn is running. This driver is named WinEn_.sys or WinEn64_.sys.
- Changes to target system: When WinEn runs on a system, the following changes can be expected:
  - When executed, WinEn loads into memory on the target system. This is unavoidable and takes up approximately 2.8 MB of RAM.
  - The Windows Service Control Manager creates registry keys when it loads the WinEn driver. These keys are typically stored in:
    HKEY_LOCAL_MACHINE\SYSTEM\<ControlSet>\Enum\Root\LEGACY_WINEN_
    HKEY_LOCAL_MACHINE\SYSTEM\<ControlSet>\Services\winen_
  - Data is written to the page file based on operating system memory use.
- Renaming WinEn: As noted above, WinEn leaves remnants on the system where it is run. If desired, you can rename the WinEn executable so that the remnants are less obvious. Renaming the executable also causes the WinEn driver to be renamed similarly. Record the name you used, so that these remnants can be accounted for in any later examination of the system.

Wipe Drive
Warning! This procedure completely erases the selected media and overwrites every sector with a single byte value that you specify in hexadecimal. Invoke Wipe Drive with extreme care, and confirm that you have selected the correct device before you continue.
Note: Use the Wipe Drive utility to remove all traces of previous evidence files from a storage drive, for example before reusing it as the destination for a new acquisition.

1. Click the Wipe Drive option on the Tools menu. The drive selector displays.
2. Make initial selections, then click Next. The Choose Devices dialog displays.
3. Choose the device targeted for erasure, then click Next. An options dialog displays. The Verify wiped sectors box is checked by default and the Wipe character is hex 00. If the box is checked, the Wipe Drive program reads back each sector after the wipe and verifies that the wipe character is written throughout. You can enter any hex value in the Wipe character field.
4. Click Finish. The Drives dialog opens:
5. Enter Yes in the Continue box, then click OK.
6. The drive is completely erased and overwritten with the specified hex value. Wipe Drive displays information about the disk and the operation.

Note: You must reformat this drive in order to use it again, because the partition table and file system structures are overwritten along with the data.

CHAPTER 7

Source Processor
In This Chapter
- Overview
- Collection Jobs
- Modules
- Analysis Jobs
- Reports
- Managing EnCase Portable


Overview
Source Processor automates and streamlines common investigative tasks that collect, analyze, and report on evidence. Using the EnCase forensic platform, Source Processor analyzes different types of information in cases, evidence files and local machines.

Source Processor uses the following modules to identify the information you want to gather. They can be configured for your specific needs.
- The Acquisition module acquires drives and memory from a target machine.
- The File Collector module takes user-specified criteria to collect specific types of files.
- The Internet Artifacts module collects a history of visited Web sites, user cache, bookmarks, cookies, and downloaded files.
- The Linux Syslog Parser module collects and parses Linux system log files and their system messages.
- The Personal Information module identifies files containing sensitive information such as credit card numbers, Social Security numbers, telephone numbers, and email addresses.
- The Snapshot Collection module collects a snapshot of pertinent machine information. Captured information includes running processes, open ports, logged-on users, device drives, Windows services, and network interfaces.
- The Windows Event Log Parser module collects information pertaining to Windows events logged into system logs, including application, system, and security logs.
- The WTMP/UTMP Log Parser module parses the Unix system's WTMP and UTMP files, which record login activity.

Source Processor works using collection and analysis jobs. A job in Source Processor consists of a group of settings for collecting or analyzing specific information. Once a job is created, you can modify or copy it to create other jobs. After a collection job is completed, you can use analysis jobs to review those collection results and generate reports that capture all or selected parts of the analysis information.

Source Processor also works with EnCase Portable, the standalone product which enables you to collect data in the lab and in the field using USB thumb drives. Collection jobs are created in Source Processor and exported to EnCase Portable. You then use EnCase Portable to collect evidence, which in turn is imported back into Source Processor for analysis and reporting on the results of the collection. For more information, see Managing EnCase Portable on page 267 and the EnCase Portable User's Guide.

Starting to Work with Source Processor
To start working with Source Processor, you must first create a new case or open an existing case in EnCase. To create a new case, follow the steps in EnCase for creating a new case. For details, see the Case Management chapter of the EnCase User's Guide.

To start to work with Source Processor:
1. Navigate to your case.
2. Navigate to the EnScript tab of the Filters pane.
3. Double click the Source Processor EnPack.
4. The first time you open Source Processor in a new case, the Case Options dialog displays. Information entered here appears on reports generated by Source Processor and is stored as part of the collected data for a given target. This dialog enables you to change the pre-populated case and examiner names, and add an evidence description, if desired.
   - Case Name: The name of the currently selected case.
   - Examiner Name: The name of the examiner on the currently selected case.
   - Evidence Description: A description of the evidence. This field is optional.
   - Evidence Path: The location where Source Processor stores the summarized analysis data and the evidence files after a collection. You may want to change the default evidence path to a case-specific folder. This field is required.
   You only have to specify these options once per case. Every new case should have its own evidence path. You can add and delete fields, change this information, and modify the behavior of this dialog using the Source Processor Options tab. See Setting Case Options on page 240.
5. Click OK. The main Source Processor screen displays.


Setting Case Options
When you first open Source Processor from a new case, you are presented with a Case Options dialog. If you want to add options, modify existing values, or change whether a field is required, you can change case settings using the Source Processor Options tab. Case option information appears on reports generated by Source Processor and is stored as part of the collected data for a given target.

To specify case options:
1. From the main Source Processor dialog, click the Options tab.
2. Change the Case Options settings to modify the values or the behavior of the fields that appear in the Case Options dialog. For example, you may want to change the default value of the evidence description when running the same job against different targets in a case.
   - Click Edit to modify a selected field. The Edit box displays.
     - When checked, Required forces the user to enter a value in this field before running a collection job.
     - Name changes the name of the field in the Case Options dialog.
     - Specifying a Value provides a default value that pre-populates the field in the Case Options dialog. You can override that value in the Case Options dialog if required.
     Enter the desired information and click OK to save the values. The Edit box closes.
   - Click New to add a new text field to the Case Options dialog. When this button is clicked, Source Processor displays the Edit dialog, shown above. Enter the desired information and click OK to save the values.
   - Click Delete to remove a selected field.
   - Click Add to reuse a field that exists in the Case Options dialog of another case. When this button is clicked, Source Processor opens a dialog that shows all the fields defined in other cases. Select the desired field(s) and click OK to add them to your current case.
3. Specify your Evidence Path. This path determines where Source Processor stores the files generated during a collection. These files include both the summarized analysis data and the evidence files. Make sure the evidence path is specific to your current case. This field is required.
4. Your changes are automatically saved.

Collection Jobs
A job in Source Processor consists of a group of settings for collecting or analyzing specific information. Once a job is created, you can modify or copy it to create other jobs.

A collection job uses modules to define the specific information to be collected from a target. Modules are preconfigured to look for certain kinds of data, such as information found in memory, certain types of files, and so on. You can configure the information collected by each module by selecting a specific set of options for each module.

Creating a collection job follows these steps:
- Name the collection job.
- Select modules.
- Set module options.
- Set target options.


When you run a collection job, specify the collection job and what you want to target (see Running a Collection Job on page 246). Targets can be:
- Cases
- Evidence
- Local machines

After a job is completed
Once Source Processor completes a collection job, a set of files is made from that collection and stored in a folder in the evidence path. That path is specified in the Case Options tab.

Source Processor creates a logical evidence file (LEF) containing summary information for every target after a collection job has been performed, with the name of the target reflected in the name of the file. If a target's LEF is already in the storage folder when a new collection is started, you have the option to collect the target again.

Creating a Collection Job
1. Open the Collection Jobs tab from the main Source Processor dialog.
2. Click New. The Job Creation dialog displays.
3. Rename or accept the default name. The default job name is Job__[yyyy_mm_dd__hh_mm_ss]. Example: Job___2009_06_24__03_42_42_PM
   A job name cannot contain spaces at the beginning or end of the name, or any of the following characters: \ / : * ? < > |
4. Click Next to open the Module Selection dialog. This dialog shows module groupings in the left pane and single modules within those groups in the right pane.
5. To select a module, blue check the module's check box. You may select more than one module. To select all the modules in a group, blue check that group's folder name in the left pane.
   Note: To set module options, double click the module name. Each module has its own specific set of options. See Modules on page 251 for a list of all modules and their options.
6. Click Next to open the Target Options dialog.
   The Compound File Options area provides options for whether compound file types listed in the File Types box are mounted (unpacked) and scanned. If any option other than the first option is selected, the File Types box becomes enabled and you can select how to detect which files to mount.
   - Don't Mount does not perform any unpacking of compound files, so the contents are processed without unpacking any of the internal files.
   - Mount - Detect Extension causes files with a matching extension to be mounted and processed. No signature verification is conducted, so a compound file whose extension has been changed is not mounted.
   - Mount - Detect Signature results in a signature analysis being run on all files to determine if they are a compound file of interest. Files with the correct signature are then mounted and processed, regardless of their extension.
   If you choose to mount files, you are given further options:
   - Mount Persistently keeps the compound files mounted after the job is run. This is only relevant for case targets and does not apply to EnCase Portable.
   - Mount Recursively mounts any compound files found inside a compound file.
7. Click Finish to create the job.

Copying a Collection Job
1. Select the job you want to copy in the Collection Jobs tab.
2. Click Copy Job. The Copy Job dialog displays.
3. Enter a new name for the job and click OK. All the settings from the first job are transferred to the new job.
4. Edit the new job to modify its settings.


Modifying a Collection Job
1. Double click the collection job you want to modify in the Collection Jobs tab. The Edit dialog displays.
2. The tabs reflect the previously selected settings. Modify as desired and click OK.

Deleting a Collection Job
To delete a collection job:
1. Open the Collection Jobs tab in Source Processor.
2. Select the job you want to delete and click Delete.
3. A confirmation dialog displays. Click OK to delete the job.

Running a Collection Job
To run a collection job:
1. Select the collection job you want to run from the Collection Jobs tab in the main Source Processor screen.
2. Click Run Collection. The Target Selection dialog displays.


3. Compile a list of targets for your collection job.
   - To target a case, select the case from the list of open cases. Source Processor views cases as a repository of devices. In this context, a device can include items such as an evidence file, a previewed drive (either the local machine or a remote node), one or more files, or RAM. Targeted cases can contain devices having live connections. Only those logical or physical drives that have been mounted in the case are processed.
   - To target the local machine, blue check Scan Local Machine.
   - To target an evidence file or LEF, click Add Evidence Files. The Evidence File Path dialog displays.

     Select an evidence file you want to target for this collection and click Open. The Target Selection dialog updates and automatically selects the evidence file for processing.
   If you are running a job that has run before, you are given the option of overwriting the previous data.
   - Don't Overwrite prevents collecting from a target that has already had a collection performed, preserving the existing data for this job.
   - Overwrite writes over the previous set of collection and evidence files, if that collection job has already been performed.
   - If you are re-running a job, or if you redefine a job and run it again, the Append option is available. When selected, this option preserves the existing content and adds the evidence from the remainder of the job.
   For case targets only, checking Selected entries only means that only blue-checked entries in the case are processed.
4. Click Next.
5. If Source Processor detects that an evidence file is encrypted, the Evidence Encryption Information dialog displays.


   - If the evidence file needs credentials to be decrypted, click the hyperlink in the Valid Credential column to open the correct credential dialog for that encryption protocol. For example, if the device is encrypted using PGP, clicking the hyperlink displays the PGP credential dialog.
   - Fill out the credentials in the dialog to unlock the encrypted volume.
   - If you do not enter the correct credentials, or if the encryption protocol is not recognized, this evidence file is skipped. Record any skipped target, so that its missing data is not later mistaken for a target that had nothing to collect.
6. If at least one of the case options has not been given a value, the Case Options dialog appears. These values become part of the case information and appear on reports.

7. Click Next. The Job Summary dialog appears.
8. Click Finish. The Run Job status dialog displays.
9. Click Start to start the collection. The status dialog updates periodically with current information on the collection for each target.
10. Click OK when the job is completed.


Modules
Source Processor uses modules to collect information about files and machines in specific ways. Most of these modules contain options that you can configure for your specific needs. To set module options, double click the module name.

Acquisition
The Acquisition module creates forensic images of drives and memory from a target machine.
Note: When using this module, make sure that you have enough storage available to hold the evidence files that are created.

Options
- Acquire Logical Devices acquires all logical devices (lettered drives, like C:).
- Acquire Physical Devices acquires all physical devices (numbered devices, like 0, 1, etc.).
- Acquire Removable Drives acquires all removable drives. A drive is identified as removable by the operating system.
- Acquire Memory acquires an image of machine memory.
- Prompt at Collection Time shows a list of all devices (logical, physical, and memory) when the job is run. Select any combination of those devices for acquisition.

Note: If you want to acquire more than one type of device, create separate jobs for each operation. Because EnCase itself runs in memory on the target and its activity changes the contents of RAM, capture memory first, before acquiring drives.

File Collector
The File Collector module uses user-specified criteria to collect specific types of files. For example, you can collect all types of images (.jpg, .png, .bmp, etc.) and documents (.doc, .xls, .pdf, etc.).

Options consist of a set of entry conditions used in the same way as in EnCase. By altering these conditions, you can specify exactly which files Source Processor collects. For more information, see Conditions on page 103.


Options

Snapshot Collection
The Snapshot Collection module collects a snapshot of a machine at a given time, including the running processes, open ports, network cards, logon information, open files, etc.

Options
- Hash Processes calculates hash values for the executable files that were run to create the currently running processes, so that they can be compared against hash sets of known files.
- Get Hidden Processes finds processes that have been hidden from the system, for example by a rootkit.
- Get DLLs creates a list of currently loaded DLLs.
- Mark Logged on User finds which of the identified users are currently logged on.
- Detect Spoof MAC detects whether the MAC address of any of the network interfaces has been changed to look like a different device.


Personal Information
The Personal Information module identifies files containing the types of personal information listed below. Files are identified, but neither the information nor the file itself is collected. Reports show which files have personal information content, and what type of content that is. This prevents potential abuse of this kind of data.
- Credit card numbers
  - Visa
  - MasterCard
  - American Express
  - Discover
- Social Security numbers
- Phone numbers
- Email addresses

Options

Use the check boxes at the top of the screen to specify what personal information is identified:
- Credit Cards provides options for which major credit card numbers are identified.
  - All detected numbers are subjected to validation before being reported, to prevent random 16-digit numbers from being identified.
  - Credit card number validation is performed using the Luhn (Modulus 10 or Mod 10) algorithm.
  - Both card numbers with separators (for example, dashes or spaces between digit groups) and without separators are detected.
- Phone Numbers finds information containing U.S. and Canadian formatted phone numbers, with and without separators.
- Email Addresses identifies email addresses.
- Social Security Numbers finds U.S. Social Security numbers, with or without separators.

Note: For more information, including the GREP expressions used, please refer to the FAQs chapter of the EnCase Portable User's Guide.

Use the Entry Condition section at the bottom of the screen to specify or modify which conditions are used to search for the personal information selected.

- Entry Condition is a condition you define that restricts the files to be searched by the module. When this option is selected, the Edit button is enabled. Click Edit to create your own conditions. For more information, see Conditions on page 103.
- Default Condition causes the module to use a predefined EnCase condition that covers the most common cases. Clicking the Default Condition button displays a read-only dialog that shows the preconfigured default conditions for those data types.
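The following is an added example showing the validation step described above; it is not code from the Personal Information module, and the regular expressions in it are this editor's own approximations, not the module's GREP expressions (those are documented in the EnCase Portable User's Guide). It finds candidate card numbers with or without separators, keeps only those that pass the Luhn (mod 10) check and match a known issuer prefix and length, and also locates phone numbers, Social Security numbers and email addresses in a constructed piece of text. The brand prefix table and the sample text are assumptions made for the example.

```python
"""Added example (not from the manual or EnCase): Luhn-validated card-number
detection with and without separators, plus simple phone, SSN and email
matching. Regular expressions and issuer table are this example's own."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# U.S./Canadian phone number: optional area code, with or without separators.
PHONE = re.compile(r"(?<!\d)(?:\(?\d{3}\)?[ .-]?)?\d{3}[ .-]?\d{4}(?!\d)")
# U.S. SSN: 3-2-4 digits with dashes, spaces or nothing between groups.
SSN = re.compile(r"(?<!\d)\d{3}[ -]?\d{2}[ -]?\d{4}(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Issuer prefixes and lengths for the four brands the module lists (assumed).
BRANDS = (("Visa", ("4",), (13, 16, 19)),
          ("MasterCard", tuple(str(p) for p in range(51, 56)), (16,)),
          ("American Express", ("34", "37"), (15,)),
          ("Discover", ("6011", "65"), (16,)))

def luhn_ok(digits):
    """Luhn / mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def brand_of(digits):
    for name, prefixes, lengths in BRANDS:
        if digits.startswith(prefixes) and len(digits) in lengths:
            return name
    return None

def find_cards(text):
    """Return (text as seen, brand) for every Luhn-valid number of a known brand."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        brand = brand_of(digits)
        if brand and luhn_ok(digits):
            hits.append((m.group(), brand))
    return hits

def classify(text):
    """Which kinds of personal information the text contains. The module only
    reports the kinds per file; the values are returned here to show the matches."""
    return {"cards": find_cards(text),
            "phones": PHONE.findall(text),
            "ssns": SSN.findall(text),
            "emails": EMAIL.findall(text)}

# Constructed sample text. 4111111111111111 and 378282246310005 are the
# well-known public test numbers; 4111111111111112 fails the Luhn check.
SAMPLE = ("Card 4111-1111-1111-1111 exp 12/12; backup 378282246310005. "
          "Not a card: 4111 1111 1111 1112. Order id 1234567890123456789. "
          "Call (626) 555-0147, SSN 123-45-6789, mail jane.doe@example.com")

if __name__ == "__main__":
    for kind, found in classify(SAMPLE).items():
        print(kind, found)
```

Note what the Luhn check does and does not do: it rejects the 19-digit order number and the number ending in ...1112, but it only proves that a string could be a card number, not that the card exists, so the module's report of "this file contains card numbers" remains an indicator to be confirmed by the examiner.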

Internet Artifacts
The Internet Artifacts module captures a variety of Internet usage information. There are no configurable options for this module. Selecting the module captures the following information:
- History collects the user's browsing history.
- Cache collects cached information, such as the most recently requested Web pages.
- Cookies collects stored cookie data.
- Bookmarks collects the user's bookmarks or favorite URLs.
- Downloads collects the data the user has downloaded from the Internet.

Linux Syslog Parser
The Linux Syslog Parser module collects and parses Linux system log files and their system messages. It is then able to provide information about the machine, log file summaries, and log messages. Click Edit to modify the conditions that determine which event parameters are collected.


Options
- Module Condition filters which entries from the processed log files are examined.
- Entry Condition restricts which log files are processed.

Windows Event Log Parser
The Windows Event Log Parser module collects information pertaining to Windows events logged into system logs, including application, system, and security logs.

Select one of the three parsing options. You can choose to parse event logs either from pre-Vista event files (EVT), post-Vista event files (EVTX), or both types of files in any location on the target.

To select which events to collect, set the options in the Conditions area. To enable a condition for a particular type of event log, select the check box next to the file type. Clicking the Edit button next to the name enables you to modify the conditions that determine which event parameters are collected.

Options

File detection determines how the module detects authentic event files. By default, file detection is performed by looking for event files both by their extension and by their file signature.
- When checked, Process All Files By Signature causes the module to identify event files based only on their file signature. Check this box if you think you may be dealing with event log files that have an incorrect extension, for example logs that were renamed or copied elsewhere on the system.

Parsing options direct where to look for the event files.
Conditions restrict which files to look at and what entries to parse.

- EVT Condition restricts individual events on properties parsed from an EVT file.
- EVTX Condition restricts individual events on properties parsed from an EVTX file.
- Entry Condition restricts which files are processed.
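The following is an added example of the difference between extension-based and signature-based detection of event log files; it is not the module's code. It decides whether a file is a pre-Vista EVT log or a Vista-and-later EVTX log from the first bytes of the file rather than from its name. The signatures used are properties of the two file formats, not something stated on this page: an EVT file begins with a header record whose first DWORD is its length (0x30) followed by the ASCII signature "LfLe", and an EVTX file begins with the eight bytes "ElfFile\0". The sample files are constructed in a temporary directory, with deliberately wrong extensions, to show what each detection mode reports.

```python
"""Added example (not part of the manual or EnCase): classify event log files
by header signature versus by extension, as the 'Process All Files By
Signature' option does. Sample files below are constructed, not real logs."""
import os
import struct
import tempfile

EVTX_MAGIC = b"ElfFile\x00"     # first 8 bytes of an EVTX file
EVT_MAGIC = b"LfLe"             # bytes 4..7 of an EVT file header record

def sniff_event_log(header):
    """Return 'EVTX', 'EVT' or None for the first bytes of a file."""
    if header[:8] == EVTX_MAGIC:
        return "EVTX"
    # EVT: DWORD header record length (0x30) followed by the signature.
    if (len(header) >= 8 and header[4:8] == EVT_MAGIC
            and struct.unpack("<I", header[:4])[0] == 0x30):
        return "EVT"
    return None

def classify_file(path, by_signature_only=False):
    """Default mode accepts a file by signature or by extension; signature-only
    mode ignores the name. Returns (type or None, reason for the decision)."""
    with open(path, "rb") as f:
        kind = sniff_event_log(f.read(8))
    ext = os.path.splitext(path)[1].lower()
    if kind:
        return kind, "signature"
    if not by_signature_only and ext in (".evt", ".evtx"):
        # The name claims a log but the header does not: report it as such.
        return ext[1:].upper(), "extension only (header signature missing)"
    return None, "no match"

def make_samples(directory):
    """Write constructed files: genuine headers under misleading names, one
    genuine name with a genuine header, and one name with no log content."""
    evt = struct.pack("<I", 0x30) + EVT_MAGIC + b"\x00" * 40
    evtx = EVTX_MAGIC + b"\x00" * 56
    files = {
        "security.dat": evt,          # EVT content, misleading extension
        "app.log": evtx,              # EVTX content, misleading extension
        "system.evt": evt,            # genuine name and content
        "notes.evtx": b"plain text",  # extension lies, no signature
    }
    paths = {}
    for name, data in files.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as f:
            f.write(data)
        paths[name] = p
    return paths

def run_samples(by_signature_only=False):
    """Classify the constructed sample files; returns {name: (type, reason)}."""
    with tempfile.TemporaryDirectory() as d:
        return {name: classify_file(p, by_signature_only)
                for name, p in make_samples(d).items()}

if __name__ == "__main__":
    for mode in (False, True):
        print("by_signature_only =", mode)
        for name, result in run_samples(mode).items():
            print("  %-14s %s" % (name, result))
```

With the default mode the renamed logs (security.dat, app.log) are still found by signature, and notes.evtx is reported on the strength of its extension alone; with signature-only detection notes.evtx drops out, which is the behaviour to choose when file names on the target cannot be trusted.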

WTMP/UTMP Log Parser
The WTMP/UTMP Log Parser module parses the Unix system's WTMP and UTMP files, which record login activity. In the module analysis reports, the WTMP/UTMP Log Parser provides information about machine, login type, and login message.

To select which log files to process, set the options in the File Condition area. To enable an Entry condition, select the check box next to the name. Click Edit next to the check boxes to modify the conditions that determine which files are processed.

Options

File detection determines how the module detects authentic log files. By default, file detection is performed by looking for log files both by their extension and by their file signature.
- When checked, Process All Files By Signature causes the module to identify log files based only on their file signature. Check this box if you think you may be dealing with log files that have an incorrect extension.

Conditions restrict which files to look at and what entries to parse.
- Entry Condition restricts which log files are processed.
- Log Event Condition determines which entries from the processed log files are examined. If a condition is applied, only those log entries that meet the condition are collected.

Analysis Jobs
Analysis jobs use modules to view and report on information that has been collected from the targets in collection jobs.


The Collected Data tab shows you everything that has been collected by Source Processor. Organized by job and then by target, the evidence shown is only the evidence collected in the current case.

To analyze data, follow these steps:
- Blue check the jobs or evidence files you want to analyze.
- Select an analysis job or create a new one.
- Run the analysis job.
- Use the data viewer to view and report data.
- Create a report.

Creating an Analysis Job
To create an analysis job:
1. From the Analysis tab in the main Source Processor dialog, click New. The Job Name dialog displays.
2. Enter a job name and click OK.

   The default job name is Job__[yyyy_mm_dd__hh_mm_ss]. Example: Job___2009_06_24__03_42_42_PM
   A job name cannot contain spaces at the beginning or end of the name, or any of the following characters: \ / : * ? < > |
3. The dialog closes and the Module Selection dialog displays.

Selecting Analysis Modules
After naming a new analysis job, the Module Selection dialog displays:

This dialog shows module groupings in the left pane and single modules within those groups in the right pane.

If a module is included in an analysis job, but there is no data for that module when that job is run against a collection, that module is ignored. This enables you to create generic analysis jobs for a variety of collected data sets.

For more information about each specific module, see Modules on page 251.

To select a module:
1. Blue check the module's check box. You may select more than one module. To select all the modules in a group, blue check that group's folder name in the left pane. Currently, no modules have specific analysis options.
2. Click OK.

Modifying an Analysis Job
To modify an analysis job:
1. From the Analysis Jobs tab in Source Processor, select an analysis job, then click Edit. The Module Selection screen displays.
2. Select the new modules for this job, and click OK.


Deleting an Analysis Job
To delete an analysis job: From the Analysis Jobs tab in Source Processor, select an analysis job, then click Delete.

Running an Analysis Job
To run an analysis job:
1. From the Collected Data tab, select the evidence you want to analyze by first selecting the job name in the left pane, then selecting the actual evidence files in the table on the right.
2. Click Run Analysis. The Select Analysis to Run dialog opens.

3. Select the analysis job you want, then click Run. Source Processor runs analysis on the selected evidence. When analysis is complete, the report table displays.

Reports
Source Processor stores the most recent analysis in memory as a report, so you can view it multiple times without running the analysis again. These results only stay active during the current session of Source Processor.

To view analysis results, click View Report on the Collected Data tab.

Using the Data Browser to Analyze Results
The data browser that displays when an analysis job is completed shows all modules that have analysis results. It also shows a list of targets that were analyzed. All analysis data is stored in memory for your current session only.

To preserve your data, you can create a report that captures all data you deem meaningful. You can either print or export the report to preserve that information. See Building Reports on page 264.


Clicking a hyperlinked analysis module takes you to the top-level table for that module. For example, if you click Internet Artifacts, a list of domains visited displays:

Clicking any blue hyperlink within the table opens a new table displaying further layers of information. For example, if you click a link in the Machines column of the Domain Visits table, you see a list of machines that visited that domain.


To drill down further, clicking a Machine Name displays a table of URLs visited from that machine.

The navigation trail at the top of the page shows the hierarchy of tables leading to the one you are currently viewing. Click any part of the trail to navigate back to a previous table.

The constraint area at the bottom of the screen shows any constraints that have been applied to the displayed information (see Adding Constraints to Analysis Data on page 263).

Displaying Targets
Clicking Target List in the Job Summary page displays a table of targets on which this analysis has been performed.

Clicking a target name displays more details.


Toolbar
The toolbar at the top of each page contains the following functions:
- Back returns to the previous page.
- Forward moves forward one page (if Back has been used previously).
- History opens your navigation history.
- Add Selected To Report adds selected rows on the current page to the Report Builder.
- Report Builder opens the Report Builder, which holds the tables that have been accumulated. From here you can generate a physical report and add the tables as bookmarks to the current case for generating future reports (see Building Reports on page 264).
- Constraint changes the restrictions applied to this table.
- Remove Constraint clears the restrictions (see Adding Constraints to Analysis Data on page 263).
- Print prints the current page.

Adding Constraints to Analysis Data
You can add constraints to the analysis data that displays in the data browser.
1. From anywhere in the data browser, click Constraint.
2. The Constraints dialog displays, showing fields that are relevant to that specific analysis. For example, the constraint values below apply to the Personal Information module.

3. Enter the information you wish to see in the table in the appropriate text box. For example, if you only want to see file names that contain the word Cat, enter Cat in the File Name text box.
   - Only one value can be entered in each text box, and it is matched literally. For example, if you enter Cat and Dog, hoping to show information that contains both the words Cat and Dog, Source Processor takes the value literally and shows you only information that contains the entire phrase Cat and Dog. The value you enter is the string that Source Processor uses to select the information.
   - If you enter values in multiple text boxes, Source Processor shows you only the information that matches all specified values.
   - All non-string fields (such as IP addresses, numbers, hashes, or dates) look for exact matches. For example, if you enter 80 for the local port, Source Processor looks only for port 80; port 8080 would not match the filter and would not be displayed.
4. Click OK. The table is displayed according to the restrictions you entered. The current criteria are shown in the bottom left status area of the data browser.
Note: To remove the restrictions, click Remove Constraint in the data browser toolbar.
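The following is an added example that applies the constraint rules just described to a small constructed table; it is not Source Processor's code. String fields match when they contain the entered text anywhere (one literal value per box, so "Cat and Dog" is one phrase), non-string fields such as ports, IP addresses and dates match only when exactly equal, and values entered in several boxes are combined with AND. Whether string matching is case sensitive is not stated on the page, so it is a parameter here; the column names and rows are assumptions.

```python
"""Added example (not code from the manual or Source Processor): apply the
data-browser constraint semantics to a constructed open-ports table.
Substring match for strings, exact match for everything else, AND across
fields. Column names, rows and the case-sensitivity switch are assumptions."""
import ipaddress
from datetime import date

# Constructed table resembling what an open-ports result table might hold.
ROWS = [
    {"machine": "WS-01", "process": "svchost.exe", "local_port": 80,
     "remote_ip": ipaddress.ip_address("10.0.0.5"), "first_seen": date(2009, 6, 24)},
    {"machine": "WS-01", "process": "httpd.exe", "local_port": 8080,
     "remote_ip": ipaddress.ip_address("10.0.0.5"), "first_seen": date(2009, 6, 24)},
    {"machine": "WS-02", "process": "catalog_dog.exe", "local_port": 80,
     "remote_ip": ipaddress.ip_address("192.168.1.10"), "first_seen": date(2009, 6, 25)},
    {"machine": "WS-03", "process": "Cat and Dog.exe", "local_port": 443,
     "remote_ip": ipaddress.ip_address("10.0.0.5"), "first_seen": date(2009, 6, 25)},
]

def parse_value(column_value, entered):
    """Coerce the typed constraint to the column's type so that the comparison
    is exact; a value that cannot be coerced raises ValueError."""
    if isinstance(column_value, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return ipaddress.ip_address(entered.strip())
    if isinstance(column_value, date):
        return date.fromisoformat(entered.strip())
    if isinstance(column_value, int):
        return int(entered.strip())
    return entered

def row_matches(row, constraints, case_sensitive=False):
    """True when the row satisfies every non-empty constraint."""
    for col, entered in constraints.items():
        if not entered:
            continue                      # an empty box constrains nothing
        actual = row.get(col)
        if isinstance(actual, str):
            hay, needle = actual, entered
            if not case_sensitive:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:         # literal substring, one phrase
                return False
        else:
            try:
                wanted = parse_value(actual, entered)
            except ValueError:
                return False              # "eighty" or "10.0.0" match nothing
            if actual != wanted:          # exact match for non-string fields
                return False
    return True

def apply_constraints(rows, constraints, case_sensitive=False):
    return [r for r in rows if row_matches(r, constraints, case_sensitive)]

if __name__ == "__main__":
    for label, c in (("process contains Cat", {"process": "Cat"}),
                     ("process contains 'Cat and Dog'", {"process": "Cat and Dog"}),
                     ("local_port = 80", {"local_port": "80"}),
                     ("port 80 AND remote 10.0.0.5",
                      {"local_port": "80", "remote_ip": "10.0.0.5"})):
        print(label, "->", [r["machine"] + "/" + r["process"]
                            for r in apply_constraints(ROWS, c)])
```

The port example reproduces the rule from the text: "80" selects the two rows on port 80 and leaves port 8080 out, whereas "Cat" as a string constraint also pulls in catalog_dog.exe because substring matching applies to strings.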

Building Reports
Reports show your analysis results, organized by table sections. To compile a report with selected data, you must add that data and assign it to the correct table section within the Report Builder. Selected items may be added to multiple tables in a report.

The data compiled in the Report Builder is only available to you as long as you have the Data Browser open. To preserve your information, print or export it.

To build a report:
1. In the data browser, select the data you want to add to a table grouping.
2. Click Add Selected to Report. The Set Table Title dialog displays.
3. Enter the name for this table in the report and click OK.
4. Repeat steps 1 through 3 for every table of data you want to add to the report.

5.

SourceProcessor

265

TocreateareportclickReportBuilder.TheReportBuilderdisplays,showingthetablesyou havecreated,theirpath,andanyconstraints.

Tochangethetitleofanexistingtableinthereport,doubleclicktherow.TheSetTable Titledialogdisplays.Enteratitleoreditthecurrenttitle,thenclickOK. Ifdesired,reorderthelistusingdraganddrop. ClickAddtoBookmarkstoaddtheselectedtablestothecurrentcaseinEnCaseas bookmarks.ThebookmarksdisplayafteryoucloseSourceProcessor. ClickPageBreakstoinsertapagebreakaftereachtableinthereport.ClickPageBreaks againtodisablepagebreaks.Ifthemenubuttonappearswithacheckmark,pagebreaks arecurrentlybeinginserted. 6. Togeneratethereport,clickViewReport.TheSetReportNamedialogdisplays.

266

EnCaseForensicVersion6.15 7. ClickOK.Thereportdisplays.

Printing or Saving a Report
Once you have built your report, you have the option of printing it or saving it as a PDF file.
To print or save a report:
1. Right-click on the report and select Print. The Print dialog displays.
2. Selecting the printer option displays a print dialog showing your specific printers.
3. Selecting PDF causes the Path field to become enabled.
   a. Type or browse to the path into which you want to save the PDF file.
   b. Select Open file to open the file after saving.
4. Click OK to print or save your file.

Exporting a Source Processor Report
Once you have built your report, you have the option of exporting it as a Text, RTF, or HTML file.
To export a report:
1. Right-click on the report and select Export. The Export dialog displays.
   - Select your preferred output format and the path to save the exported file to.
   - Select Open file to open the file after saving.
   - Select Burn to Disc to create a disc with the appropriate files and save it in the destination folder.
2. When done, click OK to export the report.

Managing EnCase Portable
How Source Processor and EnCase Portable Work Together
Source Processor and EnCase Portable work together to enable a streamlined and automated collection of evidence. Source Processor works as the hub through which EnCase Portable is configured and collected data is then analyzed.
The process for collection of evidence follows these steps:
1. Create your collection jobs in Source Processor.
2. Export Source Processor jobs to the EnCase Portable USB boot device.
3. Run the jobs using EnCase Portable.
4. Import the evidence you have collected back into Source Processor.
5. Analyze and report on the collected data using Source Processor.

Exporting Source Processor Jobs to the EnCase Portable USB Boot Device
Once you have created a collection job in Source Processor, you can configure the EnCase Portable boot device to execute the job. When configuring the EnCase Portable USB boot device with the new jobs, the old jobs on the EnCase Portable device are deleted prior to copying the new jobs.
In addition to deleting the old jobs and adding the new jobs, the export process also updates the version of EnCase and associated files on the EnCase Portable USB boot device to match the version used by Source Processor. For more details, see FAQs.
To export a collection job to the EnCase Portable USB boot device, follow these steps in Source Processor:
1. Create a collection job in Source Processor.
2. Insert the EnCase Portable USB boot device into a USB port.
3. Navigate to the Collection Jobs tab in Source Processor.
4. Click Manage Portable Devices. The Manage Portable Devices dialog displays.
5. Select the EnCase Portable devices you want to export the jobs to, and click Export Jobs. The Export Jobs dialog displays.
6. Select the jobs to export to the EnCase Portable USB device.
7. Click Export. Any existing jobs on the EnCase Portable USB boot device are deleted when jobs are exported, and the jobs you selected are copied to the EnCase Portable device.
8. The export status displays in the Status window.

Importing Job Settings
When job settings are exported to an EnCase Portable USB boot device, all existing jobs on the device are deleted. If you want to preserve job settings that are on the device, you must import them prior to exporting a new job. Then, when exporting a new job to the EnCase Portable USB boot device, you can select the imported settings along with the job.
You may also want to import jobs for use on your local system if they were deleted or created on another system.
To import jobs from the EnCase Portable USB boot device, follow these steps in Source Processor:
1. Launch EnCase and run the Source Processor EnScript.
2. Insert one or more EnCase Portable USB boot devices into USB ports.
3. On the Collection Jobs or Collected Data tab in Source Processor, click Manage Portable Devices. The Manage Portable Devices dialog displays.
4. Click Import Jobs. The Import Jobs dialog displays.
5. In the left pane, select the drive letter that corresponds to your EnCase Portable USB boot device.
6. In the right pane, blue-check the jobs that you want to import.
7. Repeat steps 5 and 6 for all EnCase Portable USB boot devices that you want to import from.
8. Click Import Jobs. If a job with the same name already exists on your system, a confirmation dialog will appear. Select the appropriate option.
9. The status of the import displays on the screen. When all appropriate jobs have been imported, click Finish. The imported jobs display in the Collection Jobs tab in Source Processor.

Importing EnCase Portable Evidence into Source Processor
After all jobs have been executed on the EnCase Portable device, you import the collected evidence back into Source Processor for analysis and reporting.
To import data from EnCase Portable into Source Processor:
1. From Source Processor, open the Collection Jobs or the Collected Data tab.
2. Click Manage Portable Devices. The Manage Portable Devices dialog displays.
3. Select the EnCase Portable devices you want to import the evidence from, and click Import Evidence.
4. You are prompted to choose whether to delete files on import.
   - Click Yes to delete evidence on the storage device after it has been imported into Source Processor.
   - Click No to continue without deleting evidence on the storage device.
   Choosing Yes leaves the imported copy as the only copy of that evidence, so confirm in the Status window that the import completed before relying on it.
5. Review the status of the import in the Status window. The evidence is saved in the evidence folder you have specified in Source Processor.
When done, run any analysis job against the evidence you have collected.

Previewing EnCase Portable Data in Source Processor
You can quickly preview all the data on your EnCase Portable USB storage device without importing it first.
1. From Source Processor, open the Collection Jobs or Collected Data tab.
2. Click Manage Portable Devices. The Manage Portable Devices dialog displays.
3. Click Preview. Source Processor performs a full analysis of all collected evidence files on the selected devices and creates a report showing the combined results. No information is copied or imported during this process.
4. If you want to import the evidence after previewing it, click Import Evidence on the Manage Portable Devices dialog.

CHAPTER 8
Analyzing and Searching Files

In This Chapter
- Signature Analysis
- EnScript Programming Language
- Hash Analysis
- File Hashing
- Hash Sets
- Keyword Searches
- Encode Preview
- Indexing
- Searching for Email
- Tag Records
- App Descriptors

Signature Analysis
There are thousands of file types, some of them standardized. The International Organization for Standardization (ISO) and the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) work to standardize different types of electronic data. Typical graphic file formats such as JPEG (Joint Photographic Experts Group) have been standardized by both organizations. When a file type is standardized, a signature or recognizable header usually precedes the data. File headers are associated with specific file extensions. Signature analysis compares file headers with file extensions.

File Signatures
File extensions are the characters (usually three) following the dot in a file name (for example, signature.doc). They indicate the file's data type. For example, a .txt extension denotes a text file, while .doc denotes a document file. The file headers of each unique file type contain identifying information called a signature. All files of a given type have the same header. For example, .BMP graphic files begin with the signature BM.
A technique often used to hide data is to disguise the true nature of a file by renaming it and changing its extension. Because a .jpg image file assigned a .dll extension is not usually recognized as a picture, comparing a file's signature, which does not change when the file is renamed, with its extension identifies files that were deliberately renamed. For example, a file with a .dll extension and a .jpg signature should pique an investigator's interest.
Signature analysis compares only the bytes at the start of the file with the table; it does not validate the rest of the file, so an entry whose header matches still needs to be examined before it is treated as a genuine file of that type.
Note: The software performs the signature analysis function in the background.

File Signatures with Suffixes
A shadow directory is a directory type containing symbolic links that point to real files in a directory tree. This is useful for maintaining source code for different machine architectures. You create a shadow directory containing links to the real source, which you usually mount from a remote machine.
The Vista operating environment uses shadow directories, and the EnCase software's ability to suffix a file signature takes these directories into account. Extension suffixes are created by adding an underscore and an asterisk to the end of the extension. The figure shows such a TrueType extension and suffix (ttf_*).

Viewing the File Signature Directory
A File Signature table lists the signatures the EnCase software recognizes. The table is organized into data types such as:
- Database
- Email
- Internet
To view the table:
1. Select View > File Signatures from the menu bar. A directory of file categories displays.
2. Select a folder from the Tree pane. A list of the file signatures in that category displays in the Table pane.
If you check Set Include, all file signatures are listed.
The columns in the File Signature display are:
- Name displays the file type name associated with the signature.
- Search Expression displays the string or GREP expression used to locate the file signature.
- GREP is true if the search term is defined as a GREP expression.
- Case Sensitive indicates whether the search term is case sensitive.
- Extensions lists the file extensions (usually three letters) associated with the signature.
You can add new or edit existing signatures.

Adding a New File Signature
A file signature may not be in the table. Use this procedure to add a new one.
You need to know the file signature's search expression. This is not the same as the file extension: it is the header bytes (or a GREP expression matching them) that identify the file type.
1. Click View > File Signatures. The file signature display appears.
2. Right-click a file topic folder and select New. The New File Signature dialog displays.
3. Select the Search Expression tab (the default display) and enter the search expression in the Search Expression field.
4. Give the file signature a descriptive name.
5. Select Case Sensitive if appropriate.
6. Click the Extensions tab and enter the file's extension. You can enter more than one file extension by separating them with a semicolon.
7. Add the suffix _* to the file extension to include it in Vista shadow directories. It looks like this: <extension>_*
8. Click OK.
9. The file signature is added to the table.

Editing a Signature
Use this procedure to edit an existing file signature.
1. Click View > File Signatures.
2. The file signature category list appears in the Tree pane. When you select a category, its signature contents appear in the Table pane.
3. Right-click a signature in the Table pane and select Edit.
4. An Edit <selected signature name> dialog displays.
5. Change the Search Expression and other fields as desired, then click OK.

Performing a Signature Analysis
1. Click Search.
2. Check the Verify file signatures box in the Additional Options area in the lower right, then click Start. The signature analysis routine runs in the background. On completion, a search complete dialog displays. The dialog presents search status, times, and file data.
You can view these same data in the console.

Viewing Signature Analysis Results (Part 1)
Click Set Include in the Tree pane to display all files in the case. At this level, Set Include selects everything in the evidence file.
1. Organize the columns in the Table pane so that the Name, File Ext, and Signature columns are next to each other.
2. Sort the columns with Signature at the first level, File Ext at the second level, and Name at the third level.
Scroll up or down to see all the signatures.

Viewing Signature Analysis Results (Part 2)
1. Click Set Include in the Entries selection in the Tree pane.
2. A list of case files and their associated file signature and other data displays in the Table pane.
3. Sort the data if desired. In this case, the red triangle in the Name column indicates the display is sorted alphabetically by name.

Signature Analysis Legend
Signature analysis identifies and organizes file signatures with reference to what it finds in:
- the signature table,
- the file header, and
- the extension as it appears in the evidence file.
Match in the Legend column indicates that the data in the file header, the extension, and the File Signature table all agree.
Alias means the header is in the File Signature table but the file extension is incorrect, for example, a JPG file with a .ttf extension. This indicates a file with a renamed extension. The name in the Legend column (next to the asterisk) displays the type of file identified by the file signature.
Note: An alias is preceded by an asterisk, such as *AOL ART.
Unknown means neither the header nor the file extension is in the File Signature table.
!Bad Signature means the file's extension has a header signature listed in the File Signature table, but the file header found in the case does not match the File Signature table entry for that extension.
The table shows the possible results of a signature analysis.
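The four legend values follow from two questions: is the header in the table, and does the extension belong to that header's entry. The following is an added Python example, not EnCase code, that answers those questions for a handful of constructed entries and produces the same legend. The signature table is a small constructed subset built from the well-known header bytes of each format, the search expressions are Python regexes rather than EnCase GREP, and the sample "files" are byte strings made up for the example.

```python
"""Signature analysis, as an added Python example (not EnCase code): the bytes at
the start of each file are compared with a signature table and the result is
labelled with the legend values described above. The table is a small
constructed subset using the well-known header bytes of each format; the search
expressions are Python regexes (EnCase's own GREP dialect is not reproduced),
and the sample "files" are constructed byte strings."""
import re

# name -> (search expression matched at offset 0, extensions that belong to it)
SIGNATURE_TABLE = {
    "JPEG Image":    (rb"\xFF\xD8\xFF",        ["jpg", "jpeg"]),
    "Bitmap Image":  (rb"BM",                  ["bmp"]),
    "PNG Image":     (rb"\x89PNG\r\n\x1a\n",   ["png"]),
    "Windows PE":    (rb"MZ",                  ["exe", "dll"]),
    "TrueType Font": (rb"\x00\x01\x00\x00",    ["ttf", "ttf_*"]),   # ttf_* covers shadow-directory names
    "ZIP Archive":   (rb"PK\x03\x04",          ["zip", "docx"]),    # one header, several valid extensions
}


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def extension_listed(ext: str, extensions) -> bool:
    """True if ext is a table entry; an entry ending in _* matches any suffix after the underscore."""
    for e in extensions:
        if e.endswith("_*"):
            if ext.startswith(e[:-1]):
                return True
        elif ext == e:
            return True
    return False


def header_type(data: bytes):
    """First table entry whose expression matches at the start of the data, or None."""
    for name, (expr, exts) in SIGNATURE_TABLE.items():
        if re.match(expr, data, re.DOTALL):
            return name, exts
    return None


def classify(name: str, data: bytes) -> str:
    """Legend value: Match, *<type> (alias), !Bad Signature, or Unknown."""
    ext = extension_of(name)
    ext_in_table = any(extension_listed(ext, exts) for _, exts in SIGNATURE_TABLE.values())
    hit = header_type(data)
    if hit is None:
        # Header matches nothing: a known extension means the header is wrong; otherwise nothing is known.
        return "!Bad Signature" if ext_in_table else "Unknown"
    type_name, exts = hit
    if extension_listed(ext, exts):
        return "Match"
    return "*" + type_name      # alias: header identified, extension has been changed


# Constructed sample entries (only the first bytes matter for the check).
SAMPLE_FILES = {
    "holiday.jpg":    b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "holiday.dll":    b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",   # JPEG renamed to hide it
    "kernel32.dll":   b"MZ\x90\x00\x03\x00\x00\x00",
    "report.docx":    b"PK\x03\x04\x14\x00\x06\x00",
    "notes.bmp":      b"This is not a bitmap at all",         # known extension, unrelated header
    "blob.dat":       b"\x00\x00\x00\x00\x00\x00",             # neither header nor extension known
    "arial.ttf_1a2b": b"\x00\x01\x00\x00\x00\x10",             # suffix form from a shadow directory
}


def run_signature_analysis(files=SAMPLE_FILES):
    return {name: classify(name, data) for name, data in files.items()}
```

Two practical points the code makes visible: the check reads only the leading bytes, so a two-byte signature such as MZ or BM will match any file that happens to start that way, and table order decides which entry wins when several expressions match, so short, generic signatures belong after the more specific ones.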

EnScript Programming Language
The EnScript language is a programming language and Application Program Interface (API) designed to operate within the EnCase software environment. Although similar in many ways to C++ and Java, not all of their functions are available in the EnScript language. Classes, and their included functions and variables, are found in the EnScript Types tab in the Tree pane.
Note: The EnScript language uses the same operators and general syntax as C++, though classes and functions are different.
Our message board at https://support.guidancesoftware.com/forum/forumdisplay.php?f=11 provides additional information about the EnScript language.

Included EnScript Components
EnCase software comes bundled with a number of EnScript programs. The EnCase installer puts these programs in the default EnCase folder. Its path is typically C:\Program Files\EnCase\EnScript. This folder in turn contains four subfolders, visible by clicking EnScript in the Filters pane. They are:
- Examples
- Forensic
- Include
- Main
Enterprise users have an additional Enterprise folder. Each folder contains the include directory and libraries.

EnScript Types
EnScript types reference resources in EnScript language classes. Perusing these provides information about EnCase classes and functions.
To view EnScript Types, click View > EnScript Types.
The Tree pane contains a list of classes. Double-clicking an entry provides additional detail for the class.

Hash Analysis
A hash function is a way of creating a digital fingerprint from data. The function maps input of any length to a fixed-size hash value. Hash analysis compares case file hash values with known, stored hash values.
The hash value is commonly represented as a string of random-looking binary data written in hexadecimal notation. If a hash value is calculated for a piece of data, and one bit of that data changes, a hash function with a strong mixing property produces a completely different hash value.
A fundamental property of all hash functions is that if two hashes (according to the same function) are different, then the two inputs are different in some way. On the other hand, matching hash values strongly suggest the equality of the two inputs.

File Hashing
Hashing creates a digital fingerprint of a file. This fingerprint is used to identify files whose contents are known to be of no interest, such as operating system files and the more common applications.
EnCase uses the MD5 hashing algorithm, and the value is stored in the evidence file. MD5 produces a 128-bit value, so there are 2^128 (about 3.4 × 10^38) possible hash values, and the chance that two unrelated files share a value by accident is correspondingly small. Note, however, that MD5 is no longer collision resistant: two different files with the same MD5 value can be constructed deliberately, so a match against a hash library identifies known files but is not proof of identity against an adversary who can craft both files.
Any mounted drive, partition, or file can be hashed. The hash value produced can be validated and used in the program. By building a library of hash values, the application checks for the presence of data with a hash value contained in the hash library. The hash value is determined by the file's contents. It is independent of the file's name, so the file's hash value is calculated by the program and identified as matching a value in the hash library, even if the file's name has changed.

Hashing a New Case
When a case is initially created, it is not hashed. Before comparing the case's data with a library of known or notable files, hash the case. The Table pane display may look like this:
Open a case that needs hashing and display its contents.
1. Click the Search tab. The Search dialog displays.
2. Make any search choices and then select the required values in the Hash Options area of the dialog.
3. Click Start.
The Table pane contents change and show the newly created hash values for the files.

Hash Sets
Hash sets are collections of hash values (representing unique files) that belong to the same group. For example, a hash set of all Windows operating system files could be created and named Windows System Files. When a hash analysis is run on an evidence file, the software identifies all files included in that hash set. Those logical files can then be excluded from later searches and examinations. This speeds up keyword searches and other analysis functions.

Creating a Hash Set
Analyzing files by identifying and matching the unique MD5 hash value of each file is an important part of the computer forensics process. The hash library feature allows the investigator to import or custom build a library of hash sets, enabling the expedient identification of any file matches in the examined evidence.
Computer forensics analysts often create different hash sets of known illegal or unapproved images, hacker tools, or non-compliant software to quickly isolate any files in an investigation that are included in that set.
Hash sets, once created, are kept indefinitely and added to on a case-by-case basis. Adding new files as time goes by saves time and effort in subsequent investigations.
Note: When creating hash sets to identify suspect software (such as non-licensed software, steganography or counterfeiting utilities), it is important that the investigator carefully construct sets to prevent false positives.
1. Open the case and click Search.
2. The Search dialog displays.
3. In the Hash Options area, check Compute Hash Values.
4. Select the files to be included in the hash set.
5. Right-click the Table pane and select Create Hash Set from the menu. The Create Hash Set dialog displays.
6. Enter a set Name and Category, then click OK.
Note: While the Category entry can be anything, the two industry standards are Known and Notable, with the latter being assigned hash values that are of interest to the investigator.

Rebuilding a Hash Library
To select a hash set to use in a case, rebuild the library.
Note: Only items selected on the Hash Sets tab are included in the library.
1. Select View > Hash Sets. A list of hash sets displays.
2. Select the desired hash set.
3. Right-click and select Rebuild Library from the menu. When Rebuild completes, a message indicating the number of rebuilt libraries displays.

Viewing Hash Search Results
When files in a case are hashed, they are compared to the library, and the Hash Set and Hash Category columns are then populated.
After rebuilding your library and hashing the case files, view the results in the Table pane.
1. Select View > Hash Sets from the main menu. A list of all hash sets appears in the Table pane.
If a file with the same hash value is contained in the hash library, its columns are populated.
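The whole chain (hash the selected files into a set, rebuild the sets into one library, hash every case entry and fill in the Hash Set and Hash Category columns) is short enough to show end to end. The following is an added Python example, not EnCase code. It uses MD5 because that is what EnCase 6 stores; the file contents, set names and the rule that a Notable entry wins over a Known one when both sets contain the same hash are assumptions made for the example.

```python
"""Hash analysis against a hash library, as an added Python example (not EnCase
code). Files are hashed with MD5 (the algorithm EnCase 6 uses), hash sets are
combined into a library keyed by hash, and each case entry is labelled from its
content alone, so a renamed copy of a library file is still recognised.
All file contents and set names are constructed."""
import hashlib
from dataclasses import dataclass, field


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


@dataclass
class HashSet:
    name: str
    category: str                         # "Known" or "Notable" by convention
    hashes: set = field(default_factory=set)

    @classmethod
    def from_files(cls, name: str, category: str, files: dict) -> "HashSet":
        """What Create Hash Set does for the selected entries: hash their contents."""
        return cls(name, category, {md5_hex(d) for d in files.values()})


def rebuild_library(hash_sets) -> dict:
    """Flatten the selected sets into one lookup: hash -> (set name, category).
    Assumption for this example: if a hash is in both a Known and a Notable set, Notable
    wins, so a hit the investigator asked to be flagged is not hidden by a filter set."""
    library = {}
    for hs in hash_sets:
        for h in hs.hashes:
            if h not in library or hs.category == "Notable":
                library[h] = (hs.name, hs.category)
    return library


def hash_analysis(case_files: dict, library: dict) -> dict:
    """entry name -> (md5, hash set, category); unmatched entries get empty columns."""
    results = {}
    for name, data in case_files.items():
        h = md5_hex(data)
        hs, cat = library.get(h, ("", ""))
        results[name] = (h, hs, cat)
    return results


# Constructed contents standing in for real binaries.
KERNEL32 = b"MZ\x90\x00 fake kernel32 image"
NOTEPAD = b"MZ\x90\x00 fake notepad image"
NETCAT = b"MZ\x90\x00 fake nc.exe image"

OS_FILES = {"C:\\Windows\\System32\\kernel32.dll": KERNEL32, "C:\\Windows\\notepad.exe": NOTEPAD}
TOOL_FILES = {"nc.exe": NETCAT}
CASE_FILES = {
    "C:\\Windows\\System32\\kernel32.dll": KERNEL32,
    "C:\\Users\\bob\\Documents\\readme.txt": b"hello",
    "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe": NETCAT,   # renamed tool: the name lies, the hash does not
}


def run_example() -> dict:
    library = rebuild_library([
        HashSet.from_files("Windows System Files", "Known", OS_FILES),
        HashSet.from_files("Hacker Tools", "Notable", TOOL_FILES),
    ])
    return hash_analysis(CASE_FILES, library)
```

The svchost.exe entry is the case the text describes: its name suggests a system binary, but its hash is the one recorded in the Notable set, so the Hash Set and Hash Category columns expose it regardless of the name.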

Keyword Searches
EnCase applications provide a powerful search engine to locate information anywhere on physical and logical media in the current, open case. Global keywords can be used in any case, or they can be made case-specific and used only within the existing case.
A keyword in a search is an expression used to find words within a case that match the keyword entries. The EnCase search engine accepts a number of options, and is particularly powerful when searching regular expressions with a GREP-formatted keyword.
Note: In addition to GREP, the search can be limited by making it case sensitive and selecting particular code pages. Code pages are alphabet sets of a variety of Latin and non-Latin character sets such as Arabic, Cyrillic, and Thai.
The keywords included in the software give an investigator the ability to search for:
- Email addresses
- Web addresses
- IP addresses
- Credit card numbers
- Phone numbers
- Dates with a four-digit year

Creating Global Keywords
Global keyword lists should be analyzed and targeted, then assigned to discrete folders. These folders are accessible by any case.
1. Click Keywords in the Tree pane.
2. This menu displays:
3. Right-click the Keywords icon in the Tree pane, then click New Folder.
4. The Tree pane of the Keywords tab changes, showing an additional folder.
5. Rename the folder as desired.

Adding Keywords
Add keywords directly to a new folder, an existing folder, or the root folder.
Open the Tree pane from the Keywords tab.
1. Right-click a keyword entry in the Tree pane.
2. This menu displays if you select the main Keywords icon. If you select a subfolder, the menu is slightly different in appearance, but functions the same.
3. Click New.
4. The New Keyword dialog displays.
5. Complete the dialog as described here:
- Search Expression is the actual text being searched for.
- Name is the search expression name listed in the folder.
- Case Sensitive searches for the keyword only in the exact case specified.
- GREP uses GREP syntax for the search.
Note: Previously the ANSI Latin - 1 option was called Active Code Page. Since the Active Code Page varied according to the Active Code Page running on the Examiner machine at the time, it was replaced by ANSI Latin - 1 to ensure consistent search results.
- ANSI Latin - 1 is the default code page. It searches documents using the ANSI Latin - 1 code page (one byte per character).
- Unicode: select if you are searching a Unicode-encoded file. This option looks for the keyword encoded as UTF-16 (two bytes per character for the characters of the Basic Multilingual Plane) in the little-endian byte order used on Intel-based PCs. The Unicode option finds only keywords that appear in that format. For more details on Unicode, see http://www.unicode.org.
Note: The Unicode standard attempts to provide a unique encoding number for every character, regardless of platform, computer program, or language.
- Big Endian Unicode: select if you are investigating a Big Endian Unicode operating system (such as a Motorola-based Macintosh). Big Endian Unicode uses the non-Intel data formatting scheme: the most significant byte of each 16-bit code unit is stored first.
- UTF-8 meets the requirements of byte-oriented and ASCII-based systems. UTF-8 is defined by the Unicode Standard. Each character is represented in UTF-8 as a sequence of up to four bytes, where the first byte indicates the number of bytes to follow in a multi-byte sequence.
Note: UTF-8 is commonly used in Internet and Web transmission.
- UTF-7 encodes the full BMP repertoire using only octets with the high-order bit clear (7-bit US-ASCII values). It is deemed a mail-safe encoding.
Note: UTF-7 is mostly obsolete, and is used when searching older Internet content.
Because a keyword stored as UTF-16 has a zero byte between each ASCII letter, a search with only ANSI Latin - 1 selected does not find it. Select every code page in which the text may have been stored; each selected code page adds one encoded form of the keyword to the search.

Creating International Keywords
You can search for international keywords in non-English character sets. This allows an investigator to enter, search, and locate words written in Japanese, Arabic, or Russian, for example. Keyword hits and the document display in the original language.
1. Select the Code Page tab on the New Keyword dialog. A list of supported language sets appears. Here, the Arabic Code Page is checked:
2. Return to the Search Expression tab of the dialog and enter the keyword. Perform a search as usual.
Results appear as in a usual keyword search.

Keyword Tester
To test a search string against a known file, click the Keyword Tester tab. Enter an expression in the Search Expression field and be sure to select the proper keyword options.
1. Add a new keyword: see Adding Keywords (on page 290).
2. Add an expression and name the keyword. In this case, a GREP keyword designed to capture telephone numbers is entered:
3. Select the desired options (for example, Case Sensitive or GREP).
4. Select the Keyword Tester tab.
5. Locate a test file that contains the search string, enter its path into the Test Data field, and click Load.
6. The test file is searched and displays in the lower tab of the Keyword Tester form.
Note: Hits are highlighted in both text view and hex view.
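What the code page options and the Keyword Tester do together is easiest to see on raw bytes: the keyword is turned into one byte pattern per selected code page, and each pattern is run over the data. The following is an added Python example, not EnCase code, that does this for the five options described under Adding Keywords (ANSI Latin - 1, Unicode as UTF-16 little endian, Big Endian Unicode, UTF-8, UTF-7) and for a GREP-style telephone-number expression like the one tested above. The GREP expression is written as a Python regex (EnCase's GREP dialect is not reproduced), the evidence buffer is constructed inline, and the offsets it reports are byte offsets into that buffer.

```python
"""Keyword search under the code page options described above (ANSI Latin - 1,
Unicode = UTF-16 little endian, Big Endian Unicode, UTF-8, UTF-7), as an added
Python example that is not EnCase code. The keyword is encoded once per selected
option and the raw evidence bytes are scanned for each form, which is why a
keyword stored as UTF-16 is missed when only Latin - 1 is selected. GREP
expressions are Python regexes here (EnCase's GREP dialect is not reproduced);
the evidence buffer is constructed inline."""
import re
from typing import NamedTuple


class Hit(NamedTuple):
    codepage: str
    offset: int      # byte offset of the hit in the evidence
    length: int      # length of the hit in bytes


BYTE_ORIENTED = {"ANSI Latin - 1": "latin-1", "UTF-8": "utf-8", "UTF-7": "utf-7"}
UTF16 = {"Unicode": "utf-16-le", "Big Endian Unicode": "utf-16-be"}


def search(buf: bytes, expr: str, codepages, grep: bool = False, case_sensitive: bool = True):
    """Return sorted, de-duplicated hits for expr in every selected code page."""
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = set()
    for cp in codepages:
        if cp in BYTE_ORIENTED:
            codec = BYTE_ORIENTED[cp]
            try:
                # A literal keyword becomes its encoded bytes; a GREP expression (ASCII here)
                # is used as a byte pattern directly.
                pattern = expr.encode(codec) if grep else re.escape(expr.encode(codec))
            except UnicodeEncodeError:
                continue      # this code page cannot represent the keyword: no hits possible
            for m in re.finditer(pattern, buf, flags):
                hits.add(Hit(cp, m.start(), m.end() - m.start()))
        else:
            codec = UTF16[cp]
            pattern = expr if grep else re.escape(expr)
            # UTF-16 text may start on an odd byte, so both alignments are decoded; byte
            # pairs that are not valid code units become U+FFFD, which ASCII patterns never
            # match. Offsets are exact for text in the Basic Multilingual Plane.
            for shift in (0, 1):
                text = buf[shift:].decode(codec, errors="replace")
                for m in re.finditer(pattern, text, flags):
                    hits.add(Hit(cp, shift + 2 * m.start(), 2 * (m.end() - m.start())))
    return sorted(hits)


# Constructed evidence: the same words stored in several encodings, with padding
# chosen so that the UTF-16 text starts on an odd byte offset.
EVIDENCE = (
    b"\x00" * 4                                # bytes 0..3   padding
    + b"call 555-0123 tonight"                 # bytes 4..24  ASCII / Latin - 1
    + b"\x00" * 2                              # bytes 25..26 padding (odd alignment follows)
    + "Call 555-0198".encode("utf-16-le")      # bytes 27..52 Unicode (little endian)
    + "tonight".encode("utf-16-be")            # bytes 53..66 Big Endian Unicode
    + "Привет".encode("utf-8")                 # bytes 67..78 a Cyrillic word in UTF-8
    + "£100".encode("utf-7")                   # bytes 79..86 UTF-7, the pound sign becomes +AKM-
)
```

With only ANSI Latin - 1 selected, "call" is found once, at byte 4; the UTF-16 copy at byte 27 only appears when Unicode is selected (and, being capitalised, only with Case Sensitive off). The Cyrillic keyword cannot be encoded in Latin - 1 at all, so that code page contributes nothing and the hit comes from UTF-8 alone, which is the situation the Creating International Keywords section addresses.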

Local Keywords
A local keyword is associated with a unique case, and can be searched for only when that case is open. If a local keyword is created in one case, and another is opened, the local keyword is unavailable.
Open a case and prepare a list of keywords specific to this case only.
1. Select View > Cases > Sub Tabs > Keywords.
2. The Tree pane displays. This specific display shows the local keywords folder with a new folder added.

Importing Keywords
You can import keywords and keyword lists from other users. To import a keyword list:
1. Right-click a keyword folder in the Tree pane.
2. Select Import.
3. Enter or browse to the path of the desired file and click OK.
The imported list appears in the Tree pane.

Exporting Keywords
Keywords are exported in .txt file format. You can export all keywords at one time or create a list of selected keywords for transfer.
1. Right-click a keyword in the Table pane.
2. In the drop-down menu, click Export.
3. The Export dialog opens.
4. To export all keywords, click the Export Tree (for Import) check box, then click Finish.
5. To customize the export, clear the Export Tree (for Import) check box. The rest of the dialog is now enabled.
   a. Select an Output Format.
   b. Click Only Checked Rows to export only the rows checked in the Table pane.
   c. To specify a range of rows to export, enter row numbers in the Start and Stop combo boxes.
   d. To specify fields for the export, click the appropriate check boxes in the Fields group box.
   e. Enter or browse to a destination path for the Output File.
6. Click Finish.

Searching Entries for Email and Internet Artifacts
Records are created when email or Internet history searches are performed.
EnCase searching can parse areas outside of logical file content (unallocated clusters and volume slack) for Internet history and add this data to the Records tab for further investigation.
The Search dialog box features a check box, Comprehensive search, to support this feature. When you select Search for Internet history, the Comprehensive Search box is enabled.
Note: Selecting Comprehensive Search increases the time it takes to complete the search.
To create a record:
1. Click Search.
2. A search dialog displays.
3. Select Search for Internet History and Comprehensive Search to search for Internet history (including searching file slack and unallocated space).
4. Select any other options and click Start.
5. When the search finishes, click View > Cases > Sub Tabs > Records. Finding history and cache results may require moving down the tree several levels.
Newly created records display in the Table pane. The Tree pane shows the type of record and the Table pane shows the files within that record. If there are additional details regarding a file selected in the Table pane, click Additional Fields in the Tree pane to see that information.
Common columns in the Report pane are:
- Name is the file name and extension.
- Filter shows if a filter was applied.
- In Report is a True or False indicator of files present in a report. To change the selection, press CTRL+R.
- Search Hits indicates whether the file contains a keyword search hit.
- Additional Fields: when True, indicates that additional fields were found in the record. The data contained in the Additional Fields varies depending on the type of data in the record.
- Message Size: the message size in bytes.
- Creation Time is the date and time the message was created in mm/dd/yy hh:mm:ss format. AM or PM is attached as appropriate.
- Profile Name is the owner of the message.
- URL Name is the name of the URL where the message originated.
- URL Host is the name of the URL host where the message originated.
- Browser Cache Type shows the format in which cached data are stored. Options include image, code, HTML, and XML.
- Browser Type is the browser in which the artifact was viewed, such as Internet Explorer or Firefox.
- Last Modification Time is the last time the cache entry was updated.
- Message Codepage is the code page type for reading this cache entry.
- Last Access Time shows the last time the cache entry was retrieved or loaded.
- Expiration is the time when this cache entry becomes stale and is deleted from the cache.
- Visit Count is the number of times this cache entry was accessed by the browser.
- Server Modified is the last time the cached item was modified on the server from which it was cached.

Mozilla Firefox 3 Artifacts Support
As an enhancement to the Search for Internet history function, EnCase now parses Firefox artifacts stored in SQLite databases and displays them in the Records tab.
The types of Firefox 3 artifacts parsed are:
- Cookies
- Downloads
- History
- Bookmarks
- Form data
To parse Firefox artifacts:
1. Open a case containing Firefox items.
2. Click Tools > Search.
3. Run Search for Internet history from the Search dialog as you would for other supported browser artifacts.
4. Click Start. When the search finishes, the Searching dialog opens.
5. Click OK. The Mozilla Firefox 3 artifacts display in the Records tab.
Note: The Records tab of an Internet history search for Mozilla Firefox artifacts displays Frecency and Rev Host Name columns. "Frecency" is a valid word used by Mozilla. Do not mistake it for "frequency." For more information, see the Mozilla developer center article at https://developer.mozilla.org/en/The_Places_frecency_algorithm. The value displayed in the Frecency column is the score Mozilla gives to each URL. It combines how frequently and how recently the user visited the site. EnCase displays this value as it is stored in the places.sqlite file. Mozilla stores a URL's host name in reverse. EnCase displays it as such in the Rev Host Name column.
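The two unusual columns, Frecency and Rev Host Name, are simply two columns of the moz_places table in places.sqlite, shown unchanged. The following is an added Python example, not EnCase code, that builds an in-memory database with a reduced moz_places and moz_historyvisits schema (only the columns used here; the real tables carry more), fills it with constructed rows, and reads them back the way an examiner wants them: the stored frecency score, the reversed host turned back into a host name, and a cross-check of visit_count against the visits actually present, which can reveal history that was partly cleared. The row data and the timestamps are constructed.

```python
"""Firefox 3 history from places.sqlite, as an added Python example (not EnCase
code). An in-memory database with a reduced moz_places / moz_historyvisits
schema (only the columns used here; the real tables have more) is filled with
constructed rows, then read back the way the Records tab presents them: the
stored frecency score, the reversed host turned back into a host name, and a
visit-count cross-check that can reveal partially cleared history."""
import sqlite3
from datetime import datetime, timezone


def rev_host_to_host(rev_host: str) -> str:
    """moz_places.rev_host holds the host reversed with a trailing '.': 'gro.allizom.' -> 'mozilla.org'."""
    return rev_host.rstrip(".")[::-1]


def prtime_to_datetime(prtime_us: int) -> datetime:
    """Places timestamps are PRTime: microseconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(prtime_us / 1_000_000, tz=timezone.utc)


def build_sample_places() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, rev_host TEXT,
            visit_count INTEGER DEFAULT 0, frecency INTEGER DEFAULT -1,
            last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?,?)", [
        (1, "https://www.mozilla.org/", "Mozilla", "gro.allizom.www.", 12, 2100, 1254000000000000),
        (2, "http://example.net/login", "Login", "ten.elpmaxe.", 1, 120, 1253900000000000),
        (3, "https://intranet.corp.local/files", "Files", "lacol.proc.tenartni.", 2, 4800, 1254100000000000),
        (4, "http://bookmarked.example/", "Saved", "elpmaxe.dekramkoob.", 0, -1, None),  # never visited
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", [
        (1, 1, 1254000000000000, 1),      # only one of mozilla.org's 12 visits is still logged
        (2, 3, 1254000500000000, 2),
        (3, 3, 1254100000000000, 1),
        (4, 2, 1253900000000000, 1),
    ])
    return conn


def history_records(conn: sqlite3.Connection):
    """One dict per scored place, highest frecency first, as an examiner would read them."""
    rows = conn.execute("""
        SELECT p.url, p.rev_host, p.visit_count, p.frecency, p.last_visit_date,
               (SELECT COUNT(*) FROM moz_historyvisits v WHERE v.place_id = p.id) AS visits_logged
        FROM moz_places p
        WHERE p.frecency >= 0
        ORDER BY p.frecency DESC""").fetchall()
    records = []
    for url, rev_host, visit_count, frecency, last_visit, visits_logged in rows:
        records.append({
            "url": url,
            "host": rev_host_to_host(rev_host),
            "rev_host": rev_host,
            "frecency": frecency,                     # stored score, shown as-is like the Records tab
            "visit_count": visit_count,
            "visits_logged": visits_logged,
            # visit_count larger than the visits actually present suggests history was trimmed
            "visits_missing": visit_count - visits_logged,
            "last_visit": prtime_to_datetime(last_visit) if last_visit else None,
        })
    return records
```

The mozilla.org row is the interesting one: visit_count says 12 but only one visit row survives, a pattern worth noting when the history looks thinner than the score suggests.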

Internet History Searching
Currently, five browsers and two types of Internet history are supported. They are:
- Internet Explorer, history and cache
- Macintosh Internet Explorer, history and cache
- Safari, history and cache
- Firefox, history and cache
- Opera, history and cache
Note: The difference between a regular search and a search of unallocated space is that keywords are added internally and marked with a special tag indicating they are for Internet history searching only.

Showing Typed URLs
Search for Internet History shows Typed URLs from each user's NTUSER.dat file. These are the values stored under Software\Microsoft\Internet Explorer\TypedURLs in the user's registry hive, named url1, url2, and so on, with url1 being the most recently typed address.
It looks like this in the Records tab:

Comprehensive Internet History Search
A comprehensive Internet history search differs from a regular Internet search. Specially tagged keywords are added internally and the software takes a different code path than a regular search. In this comprehensive search, EnCase examines the entire device (including file slack and unallocated space) for specific markers that indicate Internet artifacts. The basic Internet history search parses known file types for Internet artifacts.
The latest version of EnCase software and either Windows XP or 2000 must be installed. Begin an unallocated space search the same way you begin a regular search.
1. Select Comprehensive Search in the Search dialog.
2. Selecting Search for Internet History at the same time, as shown in the picture below, performs a regular Internet history search in addition to the exhaustive search.
These values are added to the Browser Cache Type field:
- Audio
- Video
- XML
- Text

Internet Searching
The search engine can search evidence files for various Web artifact types. The Internet search feature can search Internet Explorer, Mozilla Firefox, Opera, and Safari.
Use the search dialog for Internet searching. Results are viewed on the Records tab. For information on that procedure, see Searching Entries for Email and Internet Artifacts and Viewing Record Search Hits.

Performing a Search
You can search an entire case, an entire device, or an individual file or folder. For example, when searching for information in unallocated space, such as a file header, select the Unallocated Clusters entry to avoid having to search the entire case.
1. Click the Search button on the toolbar. The Search form appears.
2. Complete the dialog and click Start.
See Search Options (on page 303) for help completing the search dialog.

SearchOptions
Youcanuseanumberofoptionstocustomizeasearch.

Selecteditemsonlyrunsasearchforitemslimitedtothefiles,folders,records,ordevicesthatyou checked. Searchentriesandrecordsforkeywords:executesakeywordsearchwhenchecked.When unchecked,othercheckedfunctionsareperformed,butthekeywordsearchisnot.Thisallowsyouto runasignatureanalysisorahashanalysiswithoutrunningakeywordsearch.Thisoptionalso enables: Selectedkeywordsonly Searchentryslack Useinitializedsize Undeleteentriesbeforesearching SearchonlyslackareaofentriesinHashLibrary

304

EnCaseForensicVersion6.15

Selectedkeywordsonlyrestrictsthenumberofkeywordsusedduringthekeywordsearchtothe numberofkeywordsspecified(showninNumberofKeywords). Searchentryslacksearchestheslackareabetweentheendoflogicalfilesandtheendoftheir respectivephysicalfiles. Useinitializedsizesearchesonlytheinitializedsizeofanentry(asopposedtothelogicalorphysical size). EnCaseallowsuserstoprocesstheinitializedsizeofafilewhenconductingsearchesand copy/unerase.InitializedsizeisonlypertinenttoNTFSfilesystemsandallowsanapplicationto reservediskspaceforfutureoperations,whileenablingapplicationstoparsefilesfaster.Whencertain applicationswriteoutfiles,suchasOutlookPST/OSTs,OutlookExpressDBXsorVistaeventlogs,the applicationsetsthelogicalsizeofthefilelargerthancurrentlynecessary,toallowforexpectedfuture expansion.TheapplicationcanthensettheInitializedSizesmallersothatitonlyneedstoparsea smalleramountofdata,enablingthefiletobeloadedfaster. Ifafilehasaninitializedsizethatislessthanthelogicalsize,theOSshowsthedataareabetweenthe initializedsizeandlogicalsizeaszeros.Inactuality,thisareaofthefilemaycontainremnantsof previousfiles,similartofileslack.Bydefault,EnCasedisplays,searchesandexportstheareapastthe initializedsizeasitappearsonthedisk,notastheOSdisplaysit.Thisenablesuserstofind/seefile remnantsinthisarea.IfauserwishestoseeafileasanapplicationseesitortheOSdisplaysit,they canselectInitializedSizeintheappropriatedialog.NotethatwhenafileishashedwithinEnCase, theinitializedsizeisused.Thismeansthattheentirelogicalfileishashed,buttheareapastthe initializedsizeissettozeros.Sincethisishowanormalapplicationseesthefile,thisenablesusersto verifyfilehasheswithanotherutilitythatreadsthefileviatheOS. Undeleteentriesbeforesearchingundeletesdeletedfilespriortosearching. SearchonlyslackareaofentriesinHashLibraryisusedinconjunctionwithahashanalysis. Verifyfilesignaturesperformsasignatureanalysisduringasearch. Computehashvalueperformsahashanalysisduringasearch. Recomputehashvalueregeneratespreviouslycomputedhashvalues. 
Search for Email turns on the dialog's email search options.
Recover Deleted accesses deleted email.
Email Type List provides options for email that can be recovered.
Verify Signatures performs a signature analysis during a search. It determines whether the file extension matches the signature assigned to that file type.
Identify Codepages tries to detect the codepage for a file.
Search for Internet History recovers Web data cached in the Web history file.
Comprehensive Search searches for Internet history in unallocated space.
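As an added illustration, not EnCase code, the following Python script performs the extension-versus-header comparison that Verify Signatures makes. The signature table is a constructed subset with assumed extension sets (EnCase's own table under View > File Signatures is much larger and user-editable), the sample headers are made up, and the result labels follow the four outcomes EnCase reports in its Signature column: Match, an alias marked with an asterisk, ! Bad signature, and Unknown.

```python
# Constructed, abbreviated signature table; entries and extension sets are assumptions.
SIGNATURES = [
    ("PNG image",              b"\x89PNG\r\n\x1a\n",                {"png"}),
    ("OLE2 compound document", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg", "db"}),
    ("Outlook PST/OST",        b"!BDN",                             {"pst", "ost"}),
    ("ZIP archive",            b"PK\x03\x04",                       {"zip", "docx", "xlsx", "pptx", "jar"}),
    ("PDF document",           b"%PDF",                             {"pdf"}),
    ("JPEG image",             b"\xff\xd8\xff",                     {"jpg", "jpeg"}),
    ("GZIP archive",           b"\x1f\x8b",                         {"gz", "tgz"}),
    ("Windows PE executable",  b"MZ",                               {"exe", "dll", "sys", "scr", "ocx"}),
]
# Longest magic first, so a longer, more specific signature wins over a short one.
SIGNATURES.sort(key=lambda row: len(row[1]), reverse=True)


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def classify(name: str, header: bytes) -> tuple:
    """Compare the extension with the header and return (result, identified type)."""
    ext = extension_of(name)
    for desc, magic, exts in SIGNATURES:
        if header.startswith(magic):
            if ext in exts:
                return ("Match", desc)            # extension and header agree
            return ("* " + desc, desc)            # header identifies it; the extension lies
    if any(ext in exts for _, _, exts in SIGNATURES):
        return ("! Bad signature", None)          # extension is known, header matches nothing
    return ("Unknown", None)                      # neither side tells us anything


def analyze(entries: dict) -> dict:
    """Run signature analysis over {name: first bytes}, as 'Verify file signatures' does."""
    return {name: classify(name, header) for name, header in entries.items()}


# Constructed sample headers (first bytes only), not files from any real case.
SAMPLE_ENTRIES = {
    "report.pdf":   b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "holiday.jpg":  b"PK\x03\x04\x14\x00\x00\x00\x08\x00",   # a ZIP hiding behind .jpg
    "archive.docx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00",   # Office Open XML really is ZIP
    "driver.sys":   b"\x00\x00\x00\x00\x00\x00\x00\x00",     # claims to be a driver, is not PE
    "notes.txt":    b"meeting moved to 3pm\r\n",
}

if __name__ == "__main__":
    for name, (result, kind) in analyze(SAMPLE_ENTRIES).items():
        print(f"{name:14} {result:24} {kind or ''}")
```

The alias case is the one worth sorting on in a real case: the header is trusted over the extension, so a renamed archive or executable is identified by what it is rather than what it claims to be.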

Analyzing and Searching Files

Viewing Record Search Hits
Records are virtual files created when email or Internet history searches are performed. Searching records is straightforward.
1. Click Records when the search finishes.
2. Select Set Include.
3. Select a record that shows a search hit.
4. Select Hits on the Filter pane.
5. Click keyword folders one by one to see search hits.

The newly created records are now visible.

Viewing Search Hits
Search hits are organized by each keyword appearing in the Tree pane. Search hits within each keyword appear in the Table pane.

To view your search hits:
Click the Search Hits tab in the menu bar, or
Click View > Cases > Sub Tabs > Search Hits

Excluding Files
Sometimes a keyword search returns more files than are useful to report. Hide these files from view by excluding them.
Run, then view a keyword search.
1. Select files to exclude, then right click the view.
2. Select either Exclude or Exclude All Selected.
Selecting Exclude All Selected displays a second option dialog.
3. Select the appropriate option and click OK.
4. The selected files disappear from view.


Showing Excluded Files
Excluded files are not deleted. They are merely hidden from view. To see them again, select the Show Excluded function.
To show excluded files:
1. Select Show Excluded.
2. Excluded files display in Table and Report view.

Deleting Items
When using Search Hits, delete is considered a soft delete which you can undelete until the case is closed. If a search hit remains deleted when the case is closed, the hit is permanently deleted. In other tabs, however, undelete works only with the last selection deleted. Once the case is closed, deleted items are permanently removed and cannot be recovered.
Run, then view a keyword search. This process is similar to Excluding Files (see page 306). View the search hits report in the Table pane before deleting hits from the report.
1. Select the hits to delete, then right click the view.
2. Select either Delete or Delete All Selected.
Selecting the latter displays a second option dialog.
3. Select the appropriate option and click OK.
The selected hits are temporarily deleted.
Note: Viewing the report shows the concatenated results.

Showing Deleted Files
Deleted search hits are not removed until the case is closed. They are merely hidden from view. To see them again, select the Show Deleted function.
Note: Deleted files are stored in a temporary buffer until the file is closed, at which time the buffer and deleted files are erased.

Delete a number of hits.
To review deleted hits:
1. Click Show Deleted.
2. Deleted hits display in both the Table pane and the Report pane.

Encode Preview
Encode Preview lets you apply text encoding to the Preview column on the Bookmarks and Search Hits tabs. This feature allows non-English alphabet bookmarks and search hits to display properly in the Preview column.

Turning On Encode Preview
The Preview column displays certain non-English languages as plain text by default. When this happens, the text appears as a string of symbols that have no bearing on the actual text representation. Turning on Encode Preview displays the actual text using the proper characters.
Change the Fonts > Tables option to a Unicode font that supports the characters you intend to display. Arial Unicode MS is recommended because of the breadth of the characters included.
1. Open an evidence file and click Text or Hex in the View pane. The document displays.
2. Bookmark the desired passages: see Bookmarking Items (on page 371).
3. Click Bookmarks on the Table tab of the Table pane. A preview of the bookmark displays.
4. Right click the desired bookmark and select Encode Preview.
The Table tab displays the Unicode in its proper form.

Indexing
Text indexing allows you to quickly query the transcript of entries. Creating an index builds a list of words from the contents of an evidence file. These entries contain pointers to their occurrence in the file.
There are two steps:
Generating an Index
Searching an Index

Generating an Index creates index files associated with evidence files. Index creation can be time consuming, depending on the amount of evidence you are indexing and the capabilities of your computer hardware. Evidence file size, and thus the resultant index size, is an important consideration when building an index. Attempts to index extremely large evidence files can have a serious impact on a computer's resources.

Note: For quicker index files, select a limited number of files for indexing.

Querying an Index provides the means to search for terms in the generated index. Querying an evidence file's index for terms locates terms more quickly than keyword searching. The index is queried using several conditions accessed in the Conditions tab.

Generating an Index
Open a case containing evidence files.
1. If you know the files you want to specifically index, select them in the Table pane.
2. Select Tools > Index Case.
The Index Case dialog opens with the Options tab selected by default.
3. If you want only to index selected files, select Selected Entries Only.
4. If you want to apply a condition on the files to be indexed, select it in the Conditions box. Any file that matches the condition (and any other options checked) will be indexed.
Note: You can use the condition or the Selected entries only checkbox. You cannot do both; however, you can create a condition that targets selected files matching other criteria.

5. If you want to include files with a known file signature, select Include: Known Files.
6. To index without regard to case, select Index Without Case Sensitivity.
7. If desired, select Fast Indexing of Native Files.
8. Use the spin box to Set Minimum Character Length.
9. Use the spin box to specify Requested % of RAM to Create Index.
10. To set the noise file, click the Noise file tab.
11. Select the Language File and, if necessary, modify the Path.
12. Click OK.
The evidence file starts indexing. The thread bar indicates the estimated remaining time in the operation. The Console tab shows diagnostic information as the index progresses.
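The following added example, written for this guide and not part of EnCase, shows what an index build does with the options above: it tokenizes the transcript of each entry, drops tokens shorter than the minimum character length, folds case when case sensitivity is off, skips words from a noise list, and records a pointer (entry, offset) for each surviving term; a query then reads the index instead of rescanning the data, which is why it is faster than a keyword search. The three entries and the noise list are constructed, and EnCase's real index format and tokenizer are not reproduced.

```python
import re
from collections import defaultdict

# Constructed noise list; EnCase reads its noise words from the language file
# selected on the Noise file tab.
NOISE_WORDS = {"the", "and", "for", "with", "this", "that", "from", "please", "today"}
TOKEN = re.compile(r"[A-Za-z0-9]+")


def build_index(entries: dict, min_length: int = 3, case_sensitive: bool = False,
                noise: set = NOISE_WORDS) -> dict:
    """Build {term: [(entry name, offset), ...]} from {entry name: transcript text}.
    min_length mirrors Set Minimum Character Length, case_sensitive is the inverse of
    Index Without Case Sensitivity, and noise holds the words the noise file suppresses."""
    index = defaultdict(list)
    for name, text in entries.items():
        for match in TOKEN.finditer(text):
            term = match.group(0)
            if len(term) < min_length or term.lower() in noise:
                continue
            key = term if case_sensitive else term.lower()
            index[key].append((name, match.start()))
    return dict(index)


def query(index: dict, term: str, case_sensitive: bool = False) -> list:
    """Pointers to every occurrence of one term: a single-word index condition.
    Nothing is rescanned; the answer is a dictionary lookup."""
    key = term if case_sensitive else term.lower()
    return index.get(key, [])


def entries_containing_all(index: dict, terms: list, case_sensitive: bool = False) -> list:
    """Entries in which every term occurs: several index conditions combined with AND."""
    if not terms:
        return []
    sets = [{name for name, _ in query(index, term, case_sensitive)} for term in terms]
    return sorted(set.intersection(*sets))


# Constructed transcripts of three entries (not taken from any real evidence file).
SAMPLE_ENTRIES = {
    "memo.txt":   "Invoice 4471 for the Acme order is overdue; call Bob at ext 12.",
    "mail.eml":   "Subject: overdue invoice\r\nBob, please wire the Acme payment today.",
    "readme.txt": "The build failed again. Nothing to do with invoices.",
}

if __name__ == "__main__":
    index = build_index(SAMPLE_ENTRIES)
    print("invoice ->", query(index, "Invoice"))
    print("overdue AND Acme ->", entries_containing_all(index, ["overdue", "Acme"]))
```

Note that "invoices" in the third entry is a different token from "invoice", so an exact-term index does not find it; that is the trade-off against a keyword search, which matches substrings at the cost of reading every byte again.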

Querying an Index Using a Condition
You can query the index using a condition.
You must create a case with evidence files added. The evidence file must already have an index generated.
1. Display the Conditions tab of your interface, and expand the Index Conditions folder by clicking the + next to the folder.
2. Double click the condition you want to use. All Index Conditions use the same dialog.
3. Enter the term you want to search for and click OK.
4. When complete, the Table pane lists files that meet the condition requirements.
5. The Filter column shows the condition that was run.

Searching for Email
The program's search engine can search various types of email artifacts. This includes mail from:
Outlook (.pst) (Outlook 2000 & 2003)
Outlook Express (.dbx)
Exchange (.edb) (2000 & 2003)
Lotus Notes (.nsf) (5, 6, 6.5 & 7)
AOL
MBOX (Thunderbird)
1. In the Search dialog, select the desired Email Search Options.
2. Click Start.

Note: In addition, clicking Tools > GSI Webmail Parser specifically searches for Netscape, Hotmail, and Yahoo! Web Mail.

Webmail Parser
Webmail, including Netscape, Hotmail, and Yahoo Webmail, can be searched.
Open a case that is thought to contain Webmail.
1. Select Tools > GSI Webmail Parser.
2. The Webmail parser options dialog displays.
3. Select the Webmail types for collection. Optionally, a search can be run only on selected files. The search status displays on the status bar.
4. Click the Records tab.
5. The Tree pane displays a list of discovered files.
6. Open a folder to view its contents in the Table pane.
7. To view the data in the Report pane, select a file and click Report.
8. File contents display.

You can save or export the report as desired.

Extracting Email
The program's search engine can search various types of email artifacts, including attachments.
See Acquisition Wizard (on page 155), Performing a Search (on page 303), and Searching for Email (on page 313) for additional information.
The procedures outlined in these sections discuss how to extract and view both email and attachments.

Searching Email
This program feature displays all emails and any associated attachments in tree view. Once recovered, these can be viewed in the Report, Doc, or Transcript tabs of the Report pane.
1. Click Search.
2. The Search page of the search wizard displays.
3. Select the desired email types and click Start.
4. View search progress in the status bar.
5. Click OK when the search complete dialog displays.
6. Click Records.
7. A closed tree view of all located mailboxes displays. Selecting a file displays one email file's contents in the Text, Hex, Transcript, and Report tabs of the View pane. In addition, the email file and its attachments are listed in the Table pane.
8. Open the high level tree to see the mailbox's contents. Email contained in the mailbox is visible in the Tree pane, and both email and attachments are visible in the Report pane.
An envelope and paperclip icon indicates mail containing attachments.

After you finish, you can view and interact with attachments (see Viewing Attachments on page 318).

Searching Selected Items
If you choose to search selected items, the items must be selected in both the Records and Entries tabs.
1. Blue check selected items in the Entries and Records tabs.
2. In the Search dialog under Keyword Search Options, click Search entries and records for keywords.
3. Click Start.

Viewing Attachments
An email attachment is a file that is sent along with an email message. An attachment can be encoded or not.
Complete a successful email search. See Searching Email (on page 317).
Email attachments clearly can have important evidentiary value. This section covers viewing attachments in their native format.
1. Click Records. Discovered email appears in the Tree pane.
2. Expand the high level item to view its contents.
A list of attachments displays in the Table pane and the contents of the attachment display in the Report pane.

Exporting to *.msg
The Export to .msg option for mail files and mail file attachments lets you preserve the folder structure from the parsed volume down to the entry or entries selected. This option is available for the highlighted entry or selected items.
Perform an email search prior to executing Export to .msg.
1. Select an .msg file and display its mail contents.
2. Select email files to export.
3. In the Report pane, select a file and right click it.
4. Click Export to *.msg. The Export Email dialog displays.
5. Select dialog options as needed:
Export Single exports only the selected message.
Export All Checked exports all files checked.
Preserve Folder Structure saves selected email folder structure information.
Output Path captures the location of the export data file. The default is ...\EnCase6\Export\.
6. Click OK.
A message displays when the export function completes.
7. View the entire structure down to the individual message in the Export folder.
8. View a message by double clicking it. The message text displays in read-only format. The picture shows a typical text message presentation.

AOL Personal File Cabinet (PFC) Support
AOL Internet software uses the Personal File Cabinet (PFC) to store and manage email messages and other Internet address information in a structured way, using a folder tree inside the container.

EnCase parses and displays PFC data, including:
Email
Email attachments
Internet Favorites
Download links
Various buddy data
Various access number data

After you mount the AOL PFC, the structure displays in Entries view. Envelopes with metadata are added to the Records tab and follow the Entries folder structure.
1. Right click a PFC item and click View File Structure.
2. In the View File Structure dialog, click OK.

Entries View
This view displays the general structure of the Main Index.

Records View
This view displays data.

Slack Table Folder
The Slack Table folder contains deleted email messages and references to unused space. However, in rare instances where the Slack Table and the Slack Index have become corrupted, the deleted email appears in the Lost Contents folder.

Lost Content Folder
The Lost Content folder contains email messages that are no longer referenced in the Slack Table or the Slack Index.
Note: If the client has not modified the Personal File Cabinet to save email to the local hard drive before signing off, AOL does not automatically back up or save email on the suspect's machine unless AOL has been installed on the system for more than four weeks (see http://help.channels.aol.com/kjump.adp?articleId=187662 for more information). Therefore, if the examiner is gathering evidence from a suspect's machine with AOL installed less than four weeks, EnCase does not report any email traffic, because the suspect's email does not reside on the local hard drive.


Tag Records
There is a new item in the Entries menu called Tag Record(s). It allows you to tag (with a blue check mark) all records which are directly related to the selected entry.
1. You can see that before applying Tag Record(s), no records in Records view are selected.
2. In Entries view, right click and select Tag Record(s) from the drop-down menu.
3. EnCase loops through all records in the Records tree and tags those records which use the entry selected above as their content.

App Descriptors
At a very basic level, app descriptors are the hash files of a computer's EXE and SYS files. They work in conjunction with machine profiles and are used to identify forbidden or undesirable software on a computer's hard drive. They are particularly useful in detecting viruses and other malware and for ensuring a specified disk image is not changed.
The EnCase program can identify malicious programs via a hash analysis. It compares an application's unique digital identification (its calculated, known, and stored hash value) with that captured in a snapshot.

When the hash values match, the program returns the process name, its hash value, and the machine profile to which it belongs. An app descriptor categorizes executables by hash value, to enable positive identification of executables running on a system.
App descriptors work in concert with machine profiles. Profiles are inventories of what should be running on a specific machine. Together, the machine profile and app descriptor let an examiner know what should be running, and what is running, on a specific computer.
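An added example, not EnCase's own code or EnScript, of the comparison described above: a machine profile is a set of app descriptors keyed by hash, a snapshot of running processes is hashed the same way and matched against it, and each process comes back as known (process name, hash, descriptor and profile), as a name the profile expects but with a hash it does not (a modified or masquerading binary), or as unknown. MD5 is an assumption here (which algorithm your hash library uses is a setting), and the executable images and process list are constructed byte strings, not real binaries.

```python
import hashlib
from dataclasses import dataclass, field


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


@dataclass(frozen=True)
class AppDescriptor:
    name: str            # mandatory; typically the file name
    hash_value: str      # mandatory; the hash of the file
    comment: str = ""    # optional investigator comment


@dataclass
class MachineProfile:
    """Inventory of what should be running on one machine: descriptors keyed by hash."""
    name: str
    descriptors: dict = field(default_factory=dict)

    def add(self, descriptor: AppDescriptor) -> None:
        self.descriptors[descriptor.hash_value] = descriptor

    def expected_names(self) -> set:
        return {d.name.lower() for d in self.descriptors.values()}


def descriptors_for_executables(images: dict, comment: str = "auto-generated") -> list:
    """One descriptor per .EXE/.SYS image, like the EnScript option
    'Create App Descriptors for every .EXE and .SYS file'. images: {file name: bytes}."""
    return [AppDescriptor(name, md5_hex(data), comment)
            for name, data in images.items() if name.lower().endswith((".exe", ".sys"))]


def compare_snapshot(profile: MachineProfile, snapshot: list) -> dict:
    """Hash each (process name, image bytes) pair from a snapshot and classify it:
    'known'    hash matches a descriptor: process, hash, descriptor name, profile name
    'tampered' process name is in the profile but the hash is not: modified or masquerading
    'unknown'  neither the hash nor the name is in the profile."""
    result = {"known": [], "tampered": [], "unknown": []}
    expected = profile.expected_names()
    for process, image in snapshot:
        hash_value = md5_hex(image)
        descriptor = profile.descriptors.get(hash_value)
        if descriptor is not None:
            result["known"].append((process, hash_value, descriptor.name, profile.name))
        elif process.lower() in expected:
            result["tampered"].append((process, hash_value))
        else:
            result["unknown"].append((process, hash_value))
    return result


# Constructed "images" standing in for the bytes of real executables (not real binaries).
BASELINE_IMAGES = {
    "svchost.exe": b"MZ\x90\x00 baseline svchost build 5.1.2600",
    "lsass.exe":   b"MZ\x90\x00 baseline lsass build 5.1.2600",
    "http.sys":    b"MZ\x90\x00 baseline http.sys driver",
    "readme.txt":  b"not an executable, never gets a descriptor",
}
PROFILE = MachineProfile("FileServer-01")
for _descriptor in descriptors_for_executables(BASELINE_IMAGES):
    PROFILE.add(_descriptor)

# Constructed snapshot of the same machine some time later.
SNAPSHOT = [
    ("svchost.exe", BASELINE_IMAGES["svchost.exe"]),                  # unchanged
    ("lsass.exe",   b"MZ\x90\x00 lsass with an extra export table"),  # same name, new hash
    ("updater.exe", b"MZ\x90\x00 something nobody installed"),        # not in the profile
]

if __name__ == "__main__":
    for category, rows in compare_snapshot(PROFILE, SNAPSHOT).items():
        for row in rows:
            print(f"{category:9} {row}")
```

The "tampered" bucket is the reason to key descriptors by hash rather than by name: a process called lsass.exe that does not hash to the profiled lsass.exe is exactly the case a name-only inventory would miss.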

Manually Create an App Descriptor
To run this feature, you must have created a machine profile and you must know the hash value of the file you intend to process.
1. Click View > App Descriptors to see a list of app descriptors.
2. Right click a folder in the Tree pane or a file in the Table pane and click New.
3. The New App Descriptor dialog opens.
4. Complete these fields:
Name is mandatory, and is typically the name of the working file.
Comment is an optional field for investigator comments.
Hash Value is mandatory and must be entered manually. It contains the hash value of the selected file.
5. Select the machine profile in which to place the new app descriptor and click OK.

This method requires manual entry of the hash value for each and every new app descriptor. A far better and more efficient method is to use an EnScript program.
For information on automatically creating an app descriptor, see Creating an App Descriptor with an EnScript Program (on page 330).

Creating an App Descriptor with an EnScript Program
The scripts for creating app descriptors are Scan Local Machine and Case Processor.
1. Run an EnScript program (for example, Scan Local Machine). An options wizard displays.
2. Complete the fields:
Bookmark Folder Name is the name of the folder in the bookmark area.
Folder Comment is an optional field for entering your own notes.
Snapshot Data is a mandatory checkbox.
Hash Processes is checked by default.
3. Click Finish.
4. Double click the App Descriptor Module to select an output file. If there are no folders displayed, create a new one.
Selecting a process state is optional. If either the Create App Descriptors for every .EXE and .SYS file or the Create App Descriptors for every ELF Binary option is selected, the Select Process State options are disabled.
5. Execute the selected EnScript program. When the script is complete, the newly created app descriptors are available.
6. Change the display as follows:
a. Click Bookmarks.
b. Double click the new bookmark in the Tree pane.
c. Select Snapshots in the Table pane.
d. Select the Snapshots tab. Select the Processes tab and the Home tab to view the information.
7. Select Include All in the Table pane to view the name, hash value, and app descriptor data for the files.

CHAPTER 9

Viewing File Content

In This Chapter
Viewing Files
File Viewers
View Pane
Viewing Compound Files
Viewing Base64 and UUE Encoded Files
NTFS Compressed Files
Gallery Tab
Viewing Files
Files parsed from device previews and acquisitions can be viewed in various formats. EnCase Forensic supports viewing the following files:
Text (ASCII and Unicode)
Hexadecimal
Doc, native formats for Oracle Outside In technology supported formats
Transcript, extracted content with formatting and noise suppressed
Various image file formats

The Doc pane and the Transcript pane use Oracle Outside In technology to display hundreds of different document types. This allows investigators to view documents without owning a copy of the application in order to view the contents. It also allows the investigator to bookmark an image of the contents inside a particular application (such as a database), or to bookmark exact text inside the document using a sweeping bookmark.
Beyond those formats supported by the EnCase applications, investigators can use third party viewers to extend the range of files they can view. Once the investigator adds the viewer to their environment and associates file extensions with the viewer, the files of that type can be viewed.
Compound files contain other files. Examples of compound files include email messages and their attachments, or zip files and the files they contain. Viewing compound files exposes their file structure. EnCase Forensic can view the structure of these types of compound files:
Outlook Express (DBX)
Outlook (PST)
Exchange 2000/2003 (EDB)
Lotus Notes (NSF) for versions 4, 5, and 6
Mac DMG Format
Mac PAX Format
JungUm and Hangul 97 and 2000 Korean Office documents
Zip files such as ZIP, GZIP, and TAR files
Thumbs.db files
Others not specified

Some audio files, video files and certain graphic file formats are not immediately viewable; however, investigators can associate third party viewers to examine these files properly.

Copying and Unerasing Files and Folders
EnCase software recovers and unerases files on a byte-per-byte basis. This feature is called Copy/UnErase. Use the unerase function to view deleted files within Windows.

Deleted files on a FAT volume have a hex \xE5 character as the first byte of the file name in the directory entry. EnCase applications allow you to replace this character with one of your choice. The underscore (_) character is used by default. The Copy/UnErase wizard provides settings for unerasing the file and for the character used to replace the deleted file character.

Copy and Unerase Features
EnCase applications provide the following Copy and Unerase features:
Copy/Unerase Wizard
Copy Folders Dialog

Note: The Copy/Unerase functionality does not preserve folder structure, while Copy Folders functionality does.

Copy/UnErase Wizard
Use the Copy/UnErase wizard to specify what files are unerased, how they are unerased, and where the files are saved after they are unerased.
The Copy/UnErase wizard consists of:
File Selection page
Options page
Destination page

File Selection Page of the Copy/UnErase Wizard
The File Selection page of the Copy/UnErase wizard indicates whether a single file or a set of selected files are being copied and unerased. In addition, the character that will be used to replace the character that FAT volumes use to indicate deleted files is set here.

From contains the settings that determine if one file or several files will be copied and unerased.
Highlighted File: If no files are selected in the Table pane, choose this setting because at least one file is always highlighted in the Table pane. The highlighted file will be copied and unerased.
All selected files: When several files are selected in the Table pane, use this setting. When you choose this setting, you have the option to copy and unerase the highlighted file, or the selected files.
To contains settings to determine how many files will be output, which is only relevant when several files were selected to be copied and unerased.
Separate Files outputs each file being copied and unerased to its own file.
Merge into one file merges the output of all the selected files into one file.
Replace first character of FAT deleted files with determines which character is used to replace the first character in the file name of deleted files in the FAT file system.
Status: This line indicates if one file or several files will be copied and unerased.

Options Page of the Copy/UnErase Wizard
The Options page of the Copy/UnErase wizard determines:
The extent of the evidence file copied
Whether non-ASCII characters encountered will appear in the output file or files
Whether dots will replace non-ASCII characters in the output file or files
Whether errors in the files will pause the operation and wait for user input

Settings on this page involve RAM slack, which is the buffer between the end of the logical file and the start of the file slack, that is, the remainder of the last sector written. RAM slack is sometimes referred to as sector slack.

Copy contains the settings that determine the extent of the content of the evidence file to be copied.
Logical File Only: Copy/Unerase is performed on the logical file only, which does not include the file slack.
Entire Physical File: Copy/Unerase is performed on the entire physical file, which includes the logical file and file slack.
RAM and Disk Slack: Copy/Unerase is performed on both the RAM and disk slack.
RAM Slack Only: Copy/Unerase is performed on the RAM slack only.
Character Mask contains settings that determine what characters are written into the file or files created by the Copy/UnErase operation.
None: No characters are masked or omitted from the resulting files.
Do not Write Non-ASCII Characters: Non-ASCII characters are masked, or omitted, from the resulting files. All other characters are written.
Replace NON-ASCII Characters with DOT: Non-ASCII characters are replaced with periods in the resulting files.
Show Errors: The application queries the user when errors occur. This prevents unattended execution of the copy and unerase operation.
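The following Python example is added here and is not EnCase code; it makes the two mechanisms on this page concrete. It reads a deleted FAT directory entry whose first name byte is \xE5 and rebuilds the name with a replacement character, then carves the logical file, RAM slack and disk slack out of the file's clusters the way the Copy scope options do, and applies the character mask to the output. The 512-byte sector, the 2 KiB cluster, the directory entry and the cluster contents are all constructed for the example.

```python
import struct

SECTOR_SIZE = 512                  # assumed sector size
CLUSTER_SIZE = 4 * SECTOR_SIZE     # assumed 2 KiB clusters for this constructed volume
DELETED_MARK = 0xE5                # first name byte of a deleted FAT directory entry


def parse_dir_entry(entry: bytes) -> dict:
    """Parse a 32-byte FAT short-name (8.3) directory entry."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is 32 bytes")
    first_cluster_lo = struct.unpack_from("<H", entry, 26)[0]
    logical_size = struct.unpack_from("<I", entry, 28)[0]
    return {
        "raw_name": entry[:11],
        "attributes": entry[11],
        "deleted": entry[0] == DELETED_MARK,
        "first_cluster": first_cluster_lo,
        "logical_size": logical_size,
    }


def unerased_name(raw_name: bytes, replacement: str = "_") -> str:
    """Rebuild NAME.EXT from the 11-byte field. For a deleted entry the lost first
    character is replaced, as 'Replace first character of FAT deleted files with' does."""
    if len(replacement) != 1:
        raise ValueError("replacement must be a single character")
    base = raw_name[:8].decode("latin-1")
    ext = raw_name[8:11].decode("latin-1").rstrip()
    if raw_name[0] == DELETED_MARK:
        base = replacement + base[1:]
    base = base.rstrip()
    return f"{base}.{ext}" if ext else base


def copy_scopes(cluster_data: bytes, logical_size: int) -> dict:
    """Split the file's clusters the way the Copy options on the Options page do.
    RAM slack runs from the end of the logical file to the end of that sector;
    disk slack is the rest of the last cluster."""
    if not 0 <= logical_size <= len(cluster_data):
        raise ValueError("logical size exceeds the data allocated to the file")
    sector_end = min(-(-logical_size // SECTOR_SIZE) * SECTOR_SIZE, len(cluster_data))
    logical = cluster_data[:logical_size]
    ram_slack = cluster_data[logical_size:sector_end]
    disk_slack = cluster_data[sector_end:]
    return {
        "Logical File Only": logical,
        "RAM Slack Only": ram_slack,
        "RAM and Disk Slack": ram_slack + disk_slack,
        "Entire Physical File": cluster_data,
    }


def apply_character_mask(data: bytes, mask: str) -> bytes:
    """Character Mask options: 'none', 'omit' (do not write non-ASCII), 'dot' (replace with '.')."""
    if mask == "none":
        return data
    if mask == "omit":
        return bytes(b for b in data if b < 0x80)
    if mask == "dot":
        return bytes(b if b < 0x80 else 0x2E for b in data)
    raise ValueError(f"unknown mask {mask!r}")


# Constructed directory entry for a deleted REPORT.DOC of 700 bytes starting at cluster 5.
DELETED_ENTRY = (b"\xe5EPORT  DOC" + bytes([0x20]) + b"\x00" * 14
                 + struct.pack("<H", 5) + struct.pack("<I", 700))
# Constructed cluster contents: the document, then what an earlier file left behind.
FILE_BODY = b"Quarterly report: revenue fell 12%." * 20          # exactly 700 bytes
OLD_REMNANT = b"...from an earlier file: smtp password=hunter2\xe9\r\n"
CLUSTER_DATA = (FILE_BODY + OLD_REMNANT).ljust(CLUSTER_SIZE, b"\xf6")

if __name__ == "__main__":
    entry = parse_dir_entry(DELETED_ENTRY)
    print(unerased_name(entry["raw_name"]), "deleted:", entry["deleted"], "size:", entry["logical_size"])
    for scope, data in copy_scopes(CLUSTER_DATA, entry["logical_size"]).items():
        print(f"{scope:22} {len(data):5} bytes")
    print(apply_character_mask(copy_scopes(CLUSTER_DATA, 700)["RAM Slack Only"], "dot")[:50])
```

Only the first name byte is lost when a FAT file is deleted, which is why the replacement character is a cosmetic choice; the rest of the 8.3 name, the starting cluster and the size survive in the entry, and the remnant in the slack is recovered by the slack scopes, not by the logical copy.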

Destination Page of the Copy/UnErase Wizard
The Destination page of the Copy/UnErase wizard determines where the output of the copy and unerase operation is saved, how many files will be created when a file to be output grows too large, whether the initialized size is used, and the destination folder containing the output of the copy and unerase operation.

Copy displays the number of files to be copied and unerased, and the total number of bytes that comprise the file or files being created.
Path contains the path and file name, within the file system of the investigator's machine, of the file or files created.
Split files above contains the maximum length, not exceeding 2000 MB, of any file created by the Copy/Unerase operation. When the total number of bytes comprising an output file exceeds this value, the additional output is continued in a new file.
Use Initialized Size determines if only the initialized size of an entry will be used, as opposed to the logical size (which is the default) or the physical size. This setting is only enabled for NTFS file systems. When an NTFS file is written, the initialized size can be smaller than the logical size, in which case the space after the initialized size is zeroed out.

Copy Folders Dialog
Use this dialog when copying entire folders selected in the Tree pane while preserving the folder structure.

Source displays the Entries folder being copied and unerased.
Copy displays the number of files to be copied and unerased, and the total number of bytes that comprise the file or files being created.
Path contains the path and file name, within the file system of the investigator's machine, of the file or files created.
Replace first character of FAT deleted files with determines which character is used to replace the first character in the file name of deleted files in the FAT file system.
Split files above contains the maximum length, not exceeding 2000 MB, of any file created by the copy and unerase operation. When the total number of bytes comprising an output file exceeds this value, the additional output is directed to and continued in a new file.
Copy only selected files inside each folder: If individual files were selected within a folder or folders, this setting determines if only those files or all the files in the folder will be copied and unerased.
Show Errors: When selected, the application queries the user when errors occur. Clear it to allow unattended execution of the copy and unerase operation.

Copying and Unerasing Files
To Copy and Unerase a File
1. In the Tree pane, highlight the folder containing the file or files to be unerased.
2. The Table pane displays the contents of the folder.
3. In the Table pane, highlight the file or select the files you want to unerase.
4. Right click on the highlighted file and click Copy/UnErase.
5. The File Selection page of the Copy/UnErase wizard displays.
6. Complete the File Selection page of the Copy/UnErase wizard. For detailed instructions, see Completing the File Selection Page (on page 341).
7. Click Next.
8. The Options page of the Copy/UnErase wizard displays.
9. Complete the Options page of the Copy/UnErase wizard. For detailed instructions, see Completing the Options Page (on page 341).
10. Click Next.
11. The Destination page of the Copy/UnErase wizard displays.
12. Complete the Destination page of the Copy/UnErase wizard. For detailed instructions, see Completing the Destination Page (on page 341).
13. Click Finish.
14. The copy and unerase operation executes. The resulting files are saved in the directory specified on the Destination page.

Completing the File Selection Page
The File Selection page is the first page of the Copy/UnErase wizard.
1. If several files were selected in the Table pane before you opened the wizard:
a. Determine if the highlighted file, or the selected files, should be copied and unerased.
b. Click either Highlighted File or All selected files, as appropriate.
2. If you chose All selected files:
a. Determine if you want a collection of files or a single file as the result of the copy and unerase operation.
b. Click either Separate Files or Merge into one file, as appropriate.
3. If you want to use a character other than the underscore as the replacement for the FAT file system deleted file indicator, type the character into the Replace first character of FAT deleted files with field.
4. Click Next.
5. The Options page of the Copy/UnErase wizard displays.

Completing the Options Page
The Options page is the second page of the Copy/UnErase wizard.
1. Determine the scope of what is to be copied and unerased, and click the control that captures the appropriate scope.
2. Determine the type of mask you want to employ during the copy and unerase operation, and click the control that uses the mask.
3. Decide if you want the copy and unerase operation to stop when it encounters an error, or continue execution even if errors are found. This is the same as asking if you want the copy and unerase operation to run unattended. For unattended execution, clear Show Errors; otherwise, select Show Errors.
4. Click Next.
5. The Destination page of the Copy/UnErase wizard displays.

Completing the Destination Page
The Destination page is the last page of the Copy/UnErase wizard.
1. If desired, provide a path to and file name where the results of the Copy/Unerase operation will be saved.
2. If desired, change the Split files above value.
3. If Use Initialized Size is enabled and you want to use it, select Use Initialized Size.
4. Click Finish.
5. The copy and unerase operation begins. As it runs, the thread status line provides an indication of progress. When the thread completes, a results dialog is displayed. The results are saved in the appropriate folder in the file system and, if requested, the results files are burned onto the disc in the default or specified directory.
Note: The thread status line provides an indication of progress.


Copying and Unerasing Bookmarks
You can Copy/Unerase bookmarked files as well. The process is the same whether copying single or multiple bookmarks. If the file was deleted and resides in unallocated space, the Copy/UnErase wizard tries to copy the entire unallocated space, since the data pertaining to the file resides there.
1. On the Bookmark Tree tab, select the desired bookmark folder.
2. In the Table pane, select the desired bookmarks.
3. Right click in the Table pane, and select Tag Selected Files.
4. The files associated with the selected bookmarks are selected and consolidated in the Entries Table pane.
5. Move to the Entries pane, and in the Table pane, right click one of the selected files.
6. Click Copy/Unerase.
7. The File Selection page of the Copy/UnErase wizard displays.
8. Continue the copy and unerase process at step 4 of Copying and Unerasing Files.
9. The files associated with the selected bookmarks are copied and unerased.

Copying Folders
1. In the Tree pane, select the folder or folders to copy and unerase.
2. If desired, in the Table pane clear any individual files that should not be copied and unerased.
3. Right click in the Table pane, then select Copy Folders. The Copy Folders dialog appears.
4. Modify the settings on this dialog as desired. For more information, see Copy Folders Dialog (on page 339).
The copy operation begins. As it runs, the thread status line provides an indication of progress. When the thread completes, a results dialog appears. The results are saved in the appropriate folder in the file system.


Note: The thread status line provides an indication of progress. You can terminate processing at the thread status line.

File Viewers
Occasionally, an investigator finds file types that EnCase applications do not have the built-in capability to view, or you might want to view a file type using a third party tool or program. In either situation, you must:
Add a file viewer to your EnCase application. See Adding a File Viewer (on page 345).
Associate the file viewer's file types with the viewer. See Associating the File Viewer's File Types with the Viewer (on page 346).

File Viewer Features
EnCase applications provide the following file viewer features:
New File Viewer Dialog
Viewer File Type Dialog

New File Viewer Dialog
Use the New File Viewer dialog to add file viewers to your EnCase application.

Name is the name of the file viewer.
Maximize View Dialog: check to open the file viewer in a maximized new window.
Application Path contains the file name and path to the viewer's executable.
Command Line contains a reference to the executable and any parameters used to customize the execution of the viewer.

Viewer File Type Dialog
The Viewer File Type dialog associates file types with viewers.

Description is the file type to be associated with the file viewer.
Extensions is a list of file extensions to be associated with the file viewer.
Picture: check to display the file as a picture in the Gallery tab.
Viewer contains options selecting the type of viewer, and in the case of Installed Viewers, a specific viewer associated with the file type you define.
Click EnCase to associate the built-in EnCase viewer with the file type you define.
Click Windows to associate the Windows default application with the file type you define.
Click Installed Viewer to associate an installed viewer with a file type. Use the Installed Viewers tree to select the specific viewer.
Installed Viewers Tree lists the file viewers currently known to your EnCase application.

Adding a File Viewer
1. Display the File Viewers tree in the Tree pane:
In the main window, click View > File Viewers, or
In the Tree pane, click File Viewers.
2. The File Viewers tree displays.
3. Right click the root of the File Viewers tree, and select New.
4. The New File Viewer dialog opens.
5. Browse to the file viewer's executable, make any other changes to the settings on the dialog, and click OK.
6. The file viewer displays in the file viewer table.

Associating the File Viewer's File Types with the Viewer
When you add a new file viewer to your EnCase application, you must associate that viewer's file types with it.
1. Display the File Types tree in the Tree pane:
In the main window, click View > File Types, or
In the Tree pane, click File Types.
2. The File Types tree displays.
3. Right click the root of the File Types tree, and select New.
4. The Viewer File Type dialog displays.
5. In the Viewer box, click Installed Viewer and select the file viewer to associate with the file type from the File Viewers tree.
6. Enter a description and the file extensions of the file types.
7. If the file viewer displays pictures, check Picture.
8. Click OK.
9. The files entered are now associated with the selected file viewer.

ViewPane
TheViewpaneprovidesseveralwaystoviewfilecontent: TheTexttaballowsyoutoviewfilesinASCIIorUnicodetext TheHextaballowsyoutoviewfilesasstraightHexadecimal. TheDoctabprovidesnativeviewsofformatssupportedbyOracleOutsideIntechnology. TheTranscripttabdisplaysthesameformatsastheDoctab,butfiltersoutformattingand noise,allowingyoutoviewfilesthatcannotdisplayeffectivelyintheTexttab. ThePicturetaballowsyoutoviewgraphicfiles.

InitializedSizeTextStyle
EnCasehastheabilitytochangethewayinitializedsizeinformationdisplays. InEnCaseTableview,iftheinitializedsizeofthefileislessthanthelogicalsize,theuninitilialized areaofthefiledisplaysincolor.YoucanchangethecolorusingtheColorstaboftheOptionsdialog. ThedefaultcolorisLightBlue. TochangethecolordisplayoftheInitializedSizecolumn: 1. 2. 3. ClickToolsOptions. IntheOptionsdialog,clicktheColorstab. RightclickStyleUninitialized.

348

EnCaseForensicVersion6.15 4. Tochangethecoloroftheforeground(thatis,thecolorofthetextornumbersthemselves), mouseoverForegroundandclickthecoloryouwantinthedropdownmenu.

5. 6. Tochangethebackgroundcolor,mouseoverBackgroundandclickthecoloryouwantfrom thedropdownmenu. ClickOK.

ThecolorchangelookslikethisinTextview:


It looks like this in Hex view:

Like any other option in the Colors tab, to choose from a wider range of colors:
1. Double click the Style Uninitialized line. The Edit Style Uninitialized dialog opens.
2. Double click Background or Foreground. The Color dialog opens.
3. Click the color you want, then click OK.
4. Back in the Edit Style Uninitialized dialog, click OK.

5. Click OK to close the Options dialog.
Note: For an even greater range of colors, click Define Custom Colors in the Color dialog.

Viewing Compound Files
You can view the individual components of compound files within an evidence file. Compound files are typically comprised of multiple layers containing other files. You can view these types of compound files in the EnCase application:
- Registry files
- OLE files
- Compressed files
- Lotus Notes
- MS Exchange
- Outlook Express email
- MS Outlook email
- Windows Thumbs.db
- America Online ART files
- Hangul Korean Office documents
- Macintosh PAX files

Note: In addition, the File Mounter EnScript program allows the examiner to select a file type (DBX, GZip, PST, Tar, Thumbs.db or Zip), provided they have a valid signature, and mount them automatically.

Viewing File Structure
Once files are part of the case, they can be viewed in various output formats. Viewing the structure of a compound file reveals which files comprise it.
Before you begin:
1. Open a case.
2. Enable single files.
3. The Entries tree on the Entries tab and the Entries table display.
4. Drag and drop the files to be viewed into the Entries table in the Table pane.

To view a compound file:
1. Navigate to the compound file to be viewed as it appears in the Table pane.
2. Right click the compound file to be viewed, and click View File Structure.
3. The View File Structure message box displays.
4. Click Yes.
5. The compound file is replaced in the Tree pane and Table pane with a folder and a compound volume icon. The file structure of the compound file displays, and component files display in the view of your choice.

Viewing Registry Files
The Windows registry contains valuable data that provides a great deal of information about the setup of the subject computer. Registry files of Windows 95, 98, ME, NT 4.0, 2000, and XP computers can be mounted.
Windows 95, 98, and ME computers have two registry files. They are located in the system root folder, which is normally C:\Windows. The file names are system.dat and user.dat.
Windows NT 4.0, 2000, and XP divide the registry into four separate files. They are:
- Security
- Software
- SAM
- System

These files are stored in C:\%SYSTEMROOT%\system32\config\.

To View or Mount Registry Files
1. Navigate to the registry file you want to view or mount.
2. Continue with step 2 of Viewing File Structure (on page 350).
3. The file structure of the registry file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice.


Viewing OLE Files
OLE is Microsoft's Object Linking and Embedding technology used in the Microsoft Office suite of products. For example, OLE allows an Excel spreadsheet to be seamlessly embedded into a Word document. Microsoft Office documents that use this technology are layered compound files.

To View or Mount OLE Files
1. Navigate to the OLE file you want to view or mount.
2. Continue with step 2 of Viewing File Structure (on page 350).
3. The file structure of the OLE file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice.

Viewing Compressed Files
EnCase applications can mount compressed files including WinZip (.zip), GZip (.gz) and Unix tape archive (.tar) files. The contents are displayed as long as the container is not password protected.
Note: If you know the password, you can view contents of .zip and .rar files, even if they are encrypted.

Only one date and time is shown on .gz and .tar files, as the compression processes do not store any other dates or times.
- .zip stores the Created, Modified, and Accessed dates (older WinZips store only the Modified date, however).
- .rar stores the Modified date by default; it stores Accessed and Created dates if the appropriate options are selected during archive creation.

Note: The compression specification calls for dates called created, modified, and accessed. In most cases, these refer to:
- The date the file was created
- The date file contents were modified
- The date file contents were accessed

For more information, refer to documentation for the compression process you used to create the compressed file.

GZip files are not labeled by name, only by their content file type and a .gz extension. For example, decompressing the file document.doc.gz displays the uncompressed .doc file.
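How little the container itself carries, as an added example that is not part of this guide: a .gz stream and a .tar archive are constructed in memory with the standard library, and the single header timestamp each format stores is read straight from the raw bytes. The timestamp value, payload and member name are constructed sample data.

```python
"""Added example (not EnCase code): .gz and .tar each carry exactly one
timestamp, so that is all an examiner can recover from the container."""
import gzip
import io
import struct
import tarfile
from datetime import datetime, timezone

# Constructed sample timestamp stamped into both containers.
SAMPLE_MTIME = 1234567890  # 2009-02-13 23:31:30 UTC


def build_gzip(payload: bytes, mtime: int) -> bytes:
    """Compress payload with gzip, setting the header MTIME field."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()


def build_tar(name: str, payload: bytes, mtime: int) -> bytes:
    """Create a one-member ustar archive whose member carries the given mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        info.mtime = mtime
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def gzip_mtime(data: bytes) -> int:
    """RFC 1952 header: ID1 ID2 CM FLG, then MTIME as a 32-bit little-endian
    Unix time at offset 4. No other date field exists in the format."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack_from("<I", data, 4)[0]


def tar_member_mtime(data: bytes) -> int:
    """ustar header: mtime is a 12-byte octal ASCII field at offset 136 of the
    512-byte member header; again a single timestamp per member."""
    field = data[136:148].split(b"\x00", 1)[0].strip()
    return int(field, 8)


def to_utc(ts: int) -> str:
    """Render a Unix timestamp the way a report would show it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    gz = build_gzip(b"report body", SAMPLE_MTIME)
    tar = build_tar("report.txt", b"report body", SAMPLE_MTIME)
    print("gzip MTIME:", to_utc(gzip_mtime(gz)))          # 2009-02-13 23:31:30 UTC
    print("tar  mtime:", to_utc(tar_member_mtime(tar)))   # 2009-02-13 23:31:30 UTC
```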

To View or Mount Compressed Files
1. Navigate to the compressed file you want to view or mount.
2. Continue with step 2 of Viewing File Structure (on page 350).
3. The file structure of the compressed file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice.

Viewing Lotus Notes Files
Lotus Notes versions 5, 6, 6.5, and 7 provide NSF support, which allows you to view email, appointments, and journal entries.
1. Navigate to the .NSF file you want to view or mount.
2. As needed, select Calculate unallocated space, then select Find deleted content.
3. Continue with step 2 of Viewing File Structure (on page 350).
4. The file structure of the email (.nsf) file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice the icon for the compound email file looks like a disk drive, and no compound volume indicator is added to the icon after it is parsed.

Viewing MS Exchange Files
MS Exchange 2000/2003 .edb support provides the ability to view mailboxes and emails.
1. Navigate to the .edb file you want to view or mount.
2. As needed, select Calculate unallocated space, then select Find deleted content.
3. Continue with step 2 of Viewing File Structure (on page 350).
4. The file structure of the email (.edb) file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice that the icon for the compound email file looks like a disk drive, and no compound volume indicator is added to the icon after it is parsed.

Exchange Server Synchronization
The MS Exchange Server stores email messages in an EDB file on a server with a corresponding log file named E##.log. The log file is where Exchange stores data to be committed to the EDB file. In older Server versions, there is also a corresponding .stm file. When the log file contains data that has not been committed to the EDB file, the EDB file is in an inconsistent or dirty state. EnCase is unable to parse inconsistent EDB files.
To synchronize the structure, do the following:
1. Stop the Exchange Server service (if running).
2. Turn Exchange Server file shadowing on.
3. Copy the following folders from the Exchange Server to an EnCase working folder:
- The bin directory, to get the eseutil.exe program.
- The mdbdata directory, which contains both the private and public EDB files.
4. Start eseutil.exe using the Windows Start > Run [location]\eseutil command.
5. Use the eseutil.exe command line tool to check the consistency of the state field as follows:
[file location]\eseutil /mh [filepath]priv1.edb
[file location]\eseutil /mh [filepath]pub1.edb
If the EDB file is in an inconsistent state, first try to recover, as follows:
C:\Exchange\BIN\Eseutil.exe /r E##
Click Yes to run the repair. Note that the three character log file base name represents the first log file. Files are sequentially named, with E##.log being the first log file.
Run a check (step 5) on the resulting EDB file. If the file is still in an inconsistent state, attempt to repair the EDB file. This may result in the loss of some data currently in the .log files. Run the repair as follows:
C:\Exchange\BIN\Eseutil.exe /p

For additional information on the Eseutil program, read the Microsoft article at http://support.microsoft.com/kb/272570/en-us.

Cleaning an EDB Database
The MS Exchange Server stores email messages in an EDB file on a server with a corresponding log file named E##.log. The log file is where Exchange stores data to be committed to the EDB file. In older Server versions, there is also a corresponding .stm file. When the log file contains data that has not been committed to the EDB file, the EDB file is in an inconsistent or dirty state. EnCase is unable to parse inconsistent EDB files.
When an EDB file is dirty, there are several tests that can be run on it to determine whether the files are merely out of sync, or are in fact corrupt and unusable. The next section discusses these tests.

Testing an EDB File
This section describes how to determine whether the EDB database is in a usable state.
Acquire the EDB database, including the entire bin and mdbdata folders, prior to running these checks. Make sure all code pages are installed on your computer.
The mdbdata folder contains the public and private databases and the transactional logs, which are most important when cleaning a database. The BIN folder contains eseutil.exe.
1. Run eseutil.exe from Windows Start > Run.
2. Use the eseutil.exe command line tool to check the consistency of the state field as follows:
[file location]\eseutil /mh [filepath]priv1.edb
[file location]\eseutil /mh [filepath]pub1.edb
If the EDB file is in an inconsistent state, first try to recover, as follows:
C:\Exchange\BIN\Eseutil.exe /r E##
Click Yes to run the repair. Note that the three character log file base name represents the first log file. Files are sequentially named, with E##.log being the first log file.
Run a check (step 2) on the resulting EDB file. If the file is still in an inconsistent state, attempt to repair the EDB file. This may result in the loss of some data currently in the .log files. Run the repair as follows:
C:\Exchange\BIN\Eseutil.exe /p
For additional information on the Eseutil program, read the Microsoft article at http://support.microsoft.com/kb/272570/en-us.


Parsing a Dirty EDB File
EnCase provides the option to parse a dirty EDB file.
1. Run eseutil.exe from Windows Start > Run.
2. EnCase checks the header of the database for its state.
3. Open View File Structure.
4. The View File Structure dialog displays. If the EDB file is dirty, the dialog includes a Scan Dirty Database option:

Note: If the EDB file is not dirty, the only available option is Calculate unallocated space.

5. To parse the dirty EDB file, check the Scan Dirty Database check box, then click OK.

Recovering a Database
These instructions describe how to recover from a dirty EDB database.
Enter these commands: "C:\Exchange\BIN\Eseutil.exe" /r E## [options]

Options include:
/l <path> location of log files
/s <path> location of system files
/i <path> ignore mismatched/missing database attachments
/d <path> location of database files
/o suppress logo

Repairing a Database
These instructions describe how to repair an EDB database.
Enter these commands: "C:\Exchange\BIN\Eseutil.exe" /p <database name> [options]
Options include:
/s <file> set streaming file name
/i bypass the database and streaming file mismatch error
/o suppress logo
/createstm create empty streaming file if missing
/g run integrity check before repairing
/t <database> set temporary database name
/f <name> set prefix to use for name of report files

Viewing Outlook Express Email
EnCase applications can read Outlook Express .dbx files. After the file structure is parsed, the Entries and Records tables in the Table pane list individual emails by their subject line. The Records table pane lists the attachments. The View pane displays the contents of the selected email or attachment.

Deleted emails and attachments can be retrieved from unallocated clusters.

1. Navigate to the .dbx file you want to view or mount.
2. As needed, select Calculate unallocated space, then select Find deleted content.
3. Continue with step 2 of Viewing File Structure (on page 350).
4. The file structure of the email (.dbx) file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice that the icon for the compound email file looks like a disk drive, and no compound volume indicator is added to the icon after it is parsed.

Viewing MS Outlook Email
The process of mounting Outlook .pst files is identical to that of Outlook Express as previously described. When EnCase applications mount an Outlook .pst file, messages are viewable by clicking on the PR_Body file and selecting the Text tab in the View pane. Because the text is likely Unicode, apply a Unicode text style to make it easier to read.
When expanded, the top level (or top root) of the .pst file directory contains multiple folders, including:
- Inbox props (properties)
- Message store (storage, containing the PR_PST_PASSWORD file and other IDs)
- Name to id map
- Root folder

The Root folder contains:
- Search Root (reserved for future use)
- Top of Personal Folders, containing the Inbox, Sent Items, and Deleted Items

Each .pst email message file appears as a folder with all message properties within the folder as well as any attachments.

Many of the fields within the .pst mail folder are duplicated, which is part of the .pst format. If a keyword is a match within a certain field, it is duplicated in the secondary field as well. Created, written and modified dates are set by the email messages. Outlook calendar entries (created, written and modified dates) are set by the calendar applications.

To view or mount an MS Outlook email:
1. Navigate to the .pst file you want to view or mount.
2. As needed, select Calculate unallocated space, then select Find deleted content.
3. Continue with step 2 of Viewing File Structure (on page 350).
4. The file structure of the email file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice that the icon for the compound email file looks like a volume after it was mounted.

Viewing Macintosh .pax Files
You can parse Macintosh .pax files formatted with the cpio file format using View File Structure.
1. Navigate to the .pax file you want to view or mount.
2. As needed, select Calculate unallocated space, then select Find deleted content.
3. Continue with step 2 of Viewing File Structure (on page 350).
4. The file structure of the .PAX file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. Notice that the icon for the compound file looks like a disk drive, and no compound volume indicator is added to the icon after it is parsed.

Viewing Windows Thumbs.db
EnCase applications support parsing the Windows thumbs.db cache for images. Once mounted, the thumbnail cache volume and the version appear. V2 thumbnails are in bitmap format, whereas later versions are modified .pngs. The Root Entry folder contains:
- the catalog file of cached thumbnail names
- their full path
- the cached images themselves

Thumbs.db also contains a record of the image's Last Written date.

To view or mount a Windows thumbs.db file:
1. Navigate to the desired file in the thumbs.db.
2. Right click the file, then click View File Structure.
3. As needed, select Calculate unallocated space.
4. Continue with step 2 of Viewing File Structure (on page 350).
5. The file structure of the thumbs.db file displays, and component files or layers in the compound volume folder can be opened and displayed in the view of your choice. The compound volume indicator is added to the thumbs.db folder after it is parsed.


America Online .art Files
EnCase applications support America Online .art format images in the Picture and Gallery tabs. .art support requires installation of the Internet Explorer AOL Support module on the examiner machine. The installer is available to download from http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/aolsupp.mspx. This installs the files:
- Jgaw400.dll
- Jgdw400.dll
- Jgmd4.dll
- Jgpl400.dll
- Jgsd400.dll
- Jgsh400.dll

Note: This update is only required for Windows 2000. Newer operating systems do not need this patch.

View the file in the picture or gallery view as any other image file.
Note: Occasionally corrupt .art files can cause EnCase to stop responding. If this occurs, try lowering the invalid picture timeout setting (In Global Options) or simply disable "Enable ART and PNG image display", also in Global options.

Viewing Office 2007 Documents
Microsoft Office 2007 documents are stored in the Office Open XML file format, which is a compressed file of various files including XML files comprising the entire document. The EnCase suite supports viewing and searching Office 2007 Word, Excel and PowerPoint document files.
EnCase extracts text from Word, Excel, and PowerPoint documents. It parses Excel worksheet values as well.
1. Right click the desired file, then click View File Structure.
2. Navigate to an XML file containing child nodes.
3. The viewer displays text from the document.

When you bring an Office 2007 file (.DOCX for example) into EnCase and it has a keyword in it, you will not see the keyword if you use the Text view. The keyword displays in the Doc view and the Transcript views.
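Why the raw Text view misses a keyword that the Doc and Transcript views find, as an added example that is not EnCase code or any project's code: a skeletal .docx package is constructed in memory, then the keyword is searched first in the raw container bytes (what a Text or Hex view sees) and then in the decompressed word/document.xml part (what a structure-aware view sees). The keyword and paragraph markup are constructed sample data.

```python
"""Added example (not EnCase code): a keyword inside a .docx lives in a
DEFLATE-compressed zip member, so it is absent from the raw bytes but present
once the Office Open XML container is opened."""
import io
import zipfile

KEYWORD = "ProjectFalcon"  # constructed keyword to search for

# Enough repetitive paragraph markup that DEFLATE compresses the part instead
# of storing it verbatim; the keyword itself appears only once.
PARAGRAPH = "<w:p><w:r><w:t>Quarterly status paragraph %d for the board.</w:t></w:r></w:p>"


def build_docx(keyword: str) -> bytes:
    """Build a minimal Office Open XML package: [Content_Types].xml plus
    word/document.xml, the part that carries the document text."""
    body = "".join(PARAGRAPH % i for i in range(40))
    body += "<w:p><w:r><w:t>Codename: %s</w:t></w:r></w:p>" % keyword
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body>%s</w:body></w:document>" % body
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def keyword_in_raw_bytes(container: bytes, keyword: str) -> bool:
    """What a raw Text/Hex view sees: the zip bytes exactly as stored."""
    return keyword.encode("utf-8") in container


def keyword_in_parts(container: bytes, keyword: str) -> list:
    """What a structure-aware view sees: every part decompressed; returns the
    names of the parts that contain the keyword."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(container)) as z:
        for name in z.namelist():
            if keyword.encode("utf-8") in z.read(name):
                hits.append(name)
    return hits


if __name__ == "__main__":
    docx = build_docx(KEYWORD)
    # Member names are stored uncompressed, so they ARE visible in a raw view.
    print("part name visible in raw bytes:", b"word/document.xml" in docx)  # True
    print("keyword visible in raw bytes:", keyword_in_raw_bytes(docx, KEYWORD))  # False
    print("parts containing keyword:", keyword_in_parts(docx, KEYWORD))  # ['word/document.xml']
```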

ZIP and RAR Archive File Support
An important aspect of digital investigation is the ability to determine the contents of archive files and to search them, as well as obtaining any additional metadata (for example, archive comments). EnCase can decompress ZIP and RAR compressed files.


ZIP Support
To view contents of a ZIP file:
1. Right click the file in Table view.
2. Click View File Structure in the context menu.
3. EnCase decompresses the file and displays any files within it as children of the top level ZIP file.
Note: If the file is encrypted, EnCase prompts you for a password. If multiple passwords are required, a prerequisite is to add the passwords to the Secure Storage using Enter Items > User Password prior to mounting.

EnCase supports the DEFLATE compression algorithm in the following modes:
- Deflate (Superfast)
- Deflate64 (Enhanced Deflate)
- Implode
- bzip2

EnCase supports these specifications for encrypted ZIPs:
- AE-1
- AE-2

The specifications supply the general baseline for the encryption method. These encryption types are implementations of one of the specifications:
- Zip 2.0 compatible
- WinZip AES 128/256
- PKZIP AES 128/192/256

EnCase supports ZIP specification 5.2 and higher.

RAR Support
To view contents of a RAR file:
1. Right click the file in Table view.
2. Click View File Structure in the context menu.
3. EnCase decompresses the file and displays any files within it as children of the top level RAR file.

Note: If the file is encrypted, EnCase prompts you for a password. If multiple passwords are required, a prerequisite is to add the passwords to the Secure Storage using Enter Items > User Password prior to mounting.


EnCase supports the following RAR compression options:
- Store
- Fastest
- Fast
- Normal
- Good
- Best

Supported formats for encryption:
- AES 128
- RAR 2.0 compatible


Viewing Base64 and UUE Encoded Files
EnCase applications automatically display Base64 and UUE encoded attachments when the mail file is mounted. For these encoded files, you either perform a keyword search for Base64 or UUE, or you notice that a file is encoded as such.

To view Base64 and UUE encoded files:
1. Highlight the file in the Table pane, so that the content of the file appears in the Text tab of the View pane.
2. Highlight the first character, right click, and click Bookmark Data.
3. The Bookmark Data dialog displays.
4. In Data Type, select either Base64 Encoded Picture or UUE Encoded Picture.
5. The picture displays in the Contents pane.

NTFS Compressed Files
EnCase decompresses, views and searches NTFS compressed files in real time, or in an on-the-fly manner, by detecting a compressed file, then automatically preparing it for analysis.
The investigator can view uncompressed file data in the Disk tab of the Table pane.

Gallery Tab
The Gallery tab provides a quick and easy way to view images stored on the subject media. This includes all images purposely stored as well as those inadvertently downloaded from the Web.
You can access all images within a highlighted folder, highlighted volume, or the entire case. If a folder is highlighted in the Tree pane, all files in the folder are displayed in the Table pane. Clicking a folder's Set Include selects all files in that folder and files in any of its subfolders. Once selected on the Table pane, any images in the selected files display in the Gallery tab.
You can bookmark images in the Gallery tab and display them in the report.
The Gallery tab displays files based on their file extension by default. For example, if a .jpg file has been renamed to .dll, it will not be displayed in the Gallery tab until you run a Signature Analysis (see page 276). Once the signature analysis recognizes that the file was renamed and that the file is actually an image, it is displayed in the Gallery tab.
EnCase applications include built-in crash protection, which prevents corrupted graphic images from appearing in the Gallery or Picture tab. The corrupt images are stored in cache so that they are recognized the next time they are accessed. No attempt is made to display them. These images are cached at the case level so they do not attempt to display in that case file again until you run a signature analysis.
You can clear the cache. This setting appears on the shortcut menu only if a corrupt image is encountered. The timeout defaults to 12 seconds for the thread trying to read a corrupt image file. You can modify the timeout on the Global tab of the Options dialog.


Bookmarking an Image
You can bookmark images on the Gallery tab of the Table pane.

1. Select the desired image or images.
2. Right click the highlighted image, and click Bookmark File.
3. The Bookmark Files dialog displays.
4. Modify the settings as needed, and click OK.
5. The image or images are bookmarked. They are in the Table pane when the Bookmark tree displays.


Reducing the Number of Images Per Row
You can reduce the number of images displayed in a row in the Gallery tab.

To reduce the number of images displayed in a row in the Gallery tab, right click on any image, then click Fewer Columns.

Increasing the Number of Images Per Row
You can increase the number of images displayed per row in the Gallery tab.

To increase the number of images displayed per row in the Gallery tab, right click on any image, then click More Columns.


Clearing the Invalid Image Cache
The program includes built-in crash protection, which prevents corrupted graphic images from appearing in Gallery or Picture view. The corrupt images are stored in a cache so that EnCase recognizes them the next time they are accessed, and does not attempt to display them. These images are cached at the case level so that the images do not attempt to display in that case file again.
Before you can clear the cache, the Cases tree displays in the Cases tab of the Tree pane. You can clear the cache only if a corrupt image is encountered.
1. Right click on the Cases root object in the Cases tree.
2. Click Clear invalid image cache.

CHAPTER 10

Bookmarking Items
In This Chapter
- Bookmarks Overview
- Bookmark Features
- Creating a Bookmark
- Using Bookmarks


Bookmarks Overview
EnCase allows files, folders, or sections of a file to be marked and saved for reference. These are called bookmarks. Bookmarks are stored in their associated case file and can be viewed by selecting the Bookmarks tab. You can mark any existing data or folder.
Note: When a file is initially written to a multi-session CD it is assigned an address offset. When the file is changed, it is written again to the CD as a new file but with the same offset. Any revisions to this initial file are all assigned the same offset. The file and all its revisions can be viewed.

EnCase provides the following bookmark types:
- Highlighted data
  - Annotates selected data
  - Also referred to as sweeping bookmarks
- Notes
  - Allows the user to write additional comments into the report
  - Provides some text formatting capabilities
  - Not bookmarks of evidence
- Folder information and structure
  - Annotates the tree structure of a folder or the device information of specific media
  - No comment feature
  - Options include showing device information, such as drive geometry, and the number of columns to use for the tree structure
- Notable File
  - Annotates individual files
  - Fully customizable
- File group
  - Annotates groups of selected files
  - No ability to comment
- Snapshot
  - Contains the results of a System Snapshot of dynamic data for Incident Response and Security Auditing
- Log record
  - Contains results from log parsing EnScript programs
- Datamark
  - Contains the results of Windows registry parsing EnScript programs
- Case time setting
  - Shows whether Daylight Savings Time is being used on the evidence file and whether dates should be converted to a single time zone
- Search summary
  - Contains search results, times, and keywords for a particular case

Note: Case time settings bookmarks and Search summary bookmarks are created automatically.

Highlighted Data Bookmarks
The highlighted data bookmark, also known as a sweeping bookmark or a text fragment bookmark, can be used to show a larger expanse of text. This bookmark type is created by clicking and dragging text, hex, doc, or transcript content in the View pane.

Notes Bookmarks
The notes bookmark gives the investigator a great deal of flexibility when adding comments to a report. This bookmark has a field reserved only for comment text and can hold up to 1000 characters. It also contains formatting options including:
- Italics
- Bold
- Changing font size
- Changing the indent of the text

Folder Information/Structure Bookmarks
Use folder information bookmarks to bookmark folder structures or devices. By bookmarking a folder structure, the entire directory structure of that folder and its children can be shown within the report or bookmarked for later analysis. Individual devices, volumes, and physical disks can be bookmarked as well. This shows important device-specific information in the final report.
Note: This type of bookmark is useful for marking directories that contain unauthorized documents, pictures, and applications. It is also a good way to show specific information about the type of media in the case.

Notable File Bookmarks
Use notable file bookmarks to bookmark individual files. These bookmarks provide a means of focusing the investigator's attention on specific files.

File Group Bookmarks
File group bookmarks annotate a collection of individual files selected as a group. Bookmarking a collection of files helps the investigator organize evidence.


Snapshot Bookmarks
Snapshot bookmarks include a wide variety of volatile data resulting from running the various EnScript programs. In EnCase Forensic, the Scan Local Machine program creates snapshot bookmarks.
The output of the program is always bookmarked. After Scan Local Machine is run, a bookmark toolbar displays that contains the Home tab and the Snapshot tab. The Snapshot tab has a toolbar associated with it. This toolbar displays a tab command for each type of snapshot bookmark created by one of the EnScript programs.
Each type of snapshot bookmark has a Tree pane and Table pane associated with it. Each table displays data specific to the class of the system component whose data is displayed in the Table pane.
Snapshot bookmarks include:
- Machines snapshot on the Home tab
- Open ports
- Processes
- Open files
- Network Interfaces
- Network Users
- DLLs
- ARP
- Routes

Log Record Bookmarks
These bookmarks are created whenever console and status dialog messages are sent to a log record. Acquiring a device is one process that optionally sends its outputs to a log record, which results in a log record bookmark.


Datamarks
EnScript programs or EnScript modules that execute the AddDatamark method create a datamark. When a datamark is created in a bookmark folder, that datamark can be used as a bookmark. Each datamark has a tab associated with it. The tab displays when you select the datamark in the Bookmarks table on the Bookmarks tab of the Tree pane.

Bookmark Features
Features that you use while working with bookmarks include:
- Bookmark Data dialog for highlighted data bookmarks
- Add Note Bookmark dialog
- Edit Folder Information/Structure Bookmarks dialog
- Bookmark Data dialog for files


Bookmark Data Dialog for Highlighted Data Bookmarks
The Bookmark Data dialog is used when manually creating a bookmark. The dialog provides the means to add comments to the bookmark, determine the data type of the bookmark, and to select a destination folder where the bookmark is to be stored.

- Comment contains text that describes the bookmarked content.
- Data Type pane determines the data type of the bookmarked content.
- Types tree contains objects representing the various formatting that can be used when displaying bookmarked content.

Note: Details of the content of the tree are described in Bookmark Content Data Types.

- Destination Folder determines the path to the folder where the bookmark is saved.
- Contents displays the content of the bookmark in the format selected.

Bookmark Content Data Types
The Types tree in the Bookmark Data dialog provides a list of supported data types. The data types are organized by parent objects representing each class of supported data types. Each specific data type is represented by a child object. The formats interpret the underlying content. The formats change the way that the data is bookmarked.

Text
Text is a parent object that contains child objects representing the formatting that can be used when displaying bookmarked content as text.

- Do not Show hides the content of the bookmark. This works for all underlying data types.
- High ASCII displays the text in 256 bit ASCII.
- Low ASCII displays the text in 128 bit ASCII.
- Hex displays the text as hexadecimal digits, rather than characters.
- Unicode displays the text in Unicode encoding.
- ROT13 Encoding decodes ROT13 encoded text to ASCII text.
- HTML renders HTML code as it appears in a browser.
- HTML (Unicode) renders the HTML code as it appears in a browser using Unicode encoding.

Picture
Picture is a parent object that contains child objects representing various file formats that can be used when displaying bookmarked content as a picture or graphic.
Picture displays the bookmarked content of the following file formats:
- JPG
- GIF
- EMF
- TIFF
- BMP
- AOL ART
- PSD

This is based on the file extension or the file signature of the file that contained the bookmarked content.
- Base64 Encoded Picture displays the bookmarked content in Base64 (Unicode) format.
- UUE Encoded Picture displays the bookmarked content in UUE format.

Integers
Integers is a parent object that contains child objects representing integer encodings that can be used when displaying bookmarked content.
- 8 bit displays the bookmarked content as 8 bit integers.
- 16 bit displays the bookmarked content as 16 bit Little Endian integers.
- 16 bit Big Endian displays the bookmarked content as 16 bit Big Endian integers.
- 32 bit displays the bookmarked content as 32 bit Little Endian integers.
- 32 bit Big Endian displays the bookmarked content as 32 bit Big Endian integers.
- 64 bit displays the bookmarked content as 64 bit Little Endian integers.
- 64 bit Big Endian displays the bookmarked content as 64 bit Big Endian integers.

Dates
A date is a parent object that contains the objects representing various file formats that can be used when displaying bookmarked content.
- DOS Date displays a packed 16 bit value that specifies the month, day, year, and time of day an MS-DOS file was last written to.
- DOS Date (GMT) displays a packed 16 bit value that specifies the time portion of the DOS Date as GMT time.
- UNIX Date displays a Unix timestamp in seconds based on the standard Unix epoch of 01/01/1970 at 00:00:00 GMT.
- UNIX Text Date displays a Unix timestamp in seconds as text based on the standard Unix epoch of 01/01/1970 at 00:00:00 GMT.
- HFS Plus Date displays a numeric value on a Power Macintosh that specifies the month, day, year, and time when the file was last written to.
- Windows Date/Time displays a numeric value on a Windows system that specifies the month, day, year, and time when the file was last written to.
- Lotus Date displays a date from a Lotus Notes database file.

Windows
Windows is a parent object that contains objects representing the various file interpretations that can be used when displaying bookmarked content.
- Partition Entry displays the content of the bookmark as characters that conform to the header format of a Windows partition entry.
- DOS Directory Entry displays the content of the bookmark as characters that conform to the format of a DOS directory entry.
- Win95 Info File Record displays the content of the bookmark as characters that conform to the INFO data structure definition.
- Win2000 Info File Record displays the content of the bookmark as characters that conform to the INFO2 data structure definition.
- GUID displays the content of the bookmark as strings that conform to the Windows Globally Unique Identifier (GUID) format.
- SID displays the content of the bookmark in the Security Identifier (SID) format.
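Interpreting a run of bookmarked bytes as the Integers, Dates and Windows data types listed above, as an added example that is not part of this guide (the decoders are stand-alone Python, not EnCase's implementation). Every byte string is a constructed sample; the DOS, HFS Plus (1904-01-01) and Windows FILETIME (1601-01-01) layouts are assumed to be the standard ones the respective file systems define, and the Lotus, INFO/INFO2, partition and directory entry types are not covered.

```python
"""Added example (not EnCase code): decode raw bytes as the integer, date,
GUID and SID interpretations a bookmark's Types tree offers."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
HFSPLUS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS+ counts seconds from 1904 (assumed standard layout)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from 1601


def integers(data: bytes, width: int, big_endian: bool = False) -> list:
    """8/16/32/64-bit integer views; little-endian unless big_endian is set.
    Trailing bytes that do not fill a whole integer are ignored."""
    fmt = {8: "B", 16: "H", 32: "I", 64: "Q"}[width]
    size = width // 8
    count = len(data) // size
    order = ">" if big_endian else "<"
    return list(struct.unpack(order + fmt * count, data[: count * size]))


def dos_date(data: bytes) -> datetime:
    """Packed DOS date/time as in FAT directory entries and ZIP headers:
    16-bit time then 16-bit date, little-endian; seconds are stored halved."""
    t, d = struct.unpack("<HH", data[:4])
    return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)


def unix_date(data: bytes) -> datetime:
    """32-bit little-endian seconds since 1970-01-01 00:00:00 GMT."""
    return UNIX_EPOCH + timedelta(seconds=struct.unpack("<I", data[:4])[0])


def hfsplus_date(data: bytes) -> datetime:
    """HFS+ stores seconds since 1904-01-01 as a big-endian 32-bit value."""
    return HFSPLUS_EPOCH + timedelta(seconds=struct.unpack(">I", data[:4])[0])


def windows_date(data: bytes) -> datetime:
    """Windows FILETIME: 64-bit little-endian count of 100 ns intervals."""
    ticks = struct.unpack("<Q", data[:8])[0]
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def guid(data: bytes) -> str:
    """GUIDs are mixed-endian: the first three fields little-endian, the
    remaining eight bytes in order. uuid handles that with bytes_le."""
    return str(uuid.UUID(bytes_le=data[:16]))


def sid(data: bytes) -> str:
    """Binary SID: revision, sub-authority count, 48-bit big-endian identifier
    authority, then count 32-bit little-endian sub-authorities."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<" + "I" * count, data[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    # Constructed samples; none come from an evidence file.
    print(integers(b"\x01\x00\x00\x00\x02\x00\x00\x00", 32))          # [1, 2]
    print(integers(b"\x00\x01\x00\x02", 16, big_endian=True))          # [1, 2]
    print(dos_date(b"\xc0\x63\x4d\x3a"))                              # 2009-02-13 12:30:00
    print(unix_date(b"\xd2\x02\x96\x49"))                              # 2009-02-13 23:31:30+00:00
    print(hfsplus_date(struct.pack(">I", 2082844800 + 1234567890)))    # same instant, HFS+ epoch
    print(windows_date(struct.pack("<Q", 126444736000000000)))         # 2001-09-09 01:46:40+00:00
    print(guid(bytes.fromhex("33221100554477668899aabbccddeeff")))    # 00112233-4455-6677-8899-aabbccddeeff
    print(sid(b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"))    # S-1-5-18
```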


Styles
Use these text styles when working with non-English languages. For more information, see the chapter Working with non-English Languages (on page 469).

Add Note Bookmark Dialog
Use the Add Note Bookmark dialog to enter the note or text contained in a note bookmark. A note bookmark can contain up to 1000 characters. You can format the bookmark content as a whole. A note bookmark can annotate another existing bookmark, or add descriptions of events you want to include in a report.

- Notes contains up to 1000 characters.
- Show in report, when checked, makes the content of the note bookmark appear in the Report tab of the Table pane.
- Formatting contains the formatting controls for all characters that comprise the content of the note.
  - Bold makes all content of the note appear in bold.
  - Italic makes all content of the note appear in italics.
  - Increase font size sets the font size of all the content of the note.
  - Increase text indent sets the text indent of all of the text blocks in the note.


Bookmark Folder Information/Structure Dialog
Use the Bookmark Folder Structure dialog to determine whether and how much device information to include in the folder structure bookmark you are creating.

- Include Device Information includes folder structure information.
- Columns specifies the number of columns of folder structure information.
- Destination Folder displays the Bookmarks tree, so you can navigate to the destination folder.


Bookmark Data Dialog for Files
Use the Bookmark Data dialog for files when creating notable file and file group bookmarks. The dialog lets you:
- Add a short comment to the bookmark
- Create a folder
- Add a folder comment

Bookmark Selected Items: appears when multiple files are selected on the Table pane. When checked, selected files are bookmarked as one or more file group bookmarks, and the Folder Comment field is disabled. When Bookmark Selected Items is cleared, only a single file was highlighted in the Table pane, and that single file is bookmarked as a notable file. Any other selected files are not bookmarked.
Create new bookmark folder: determines whether a new folder is created, and whether Folder Name and Folder Comment are displayed.
Folder Name: contains the file name for the new bookmark folder.
Folder Comment: contains the comment describing the bookmarked files that the new folder contains.
Comment: contains a short comment when using this dialog to create a notable file bookmark.
Destination Folder: displays the Bookmarks tree so the destination folder can be selected.

Creating a Bookmark
You can create these types of bookmarks:
- Highlighted Data
- Notes
- Folder Structure
- Notable File
- File Group
- Log Record

EnScript programs create these types of bookmarks:
- Snapshot
- Datamarks

EnCase applications create these types of bookmarks as a result of acquiring a device:
- Case Time Settings
- Search Summary

Creating a Highlighted Data Bookmark
You can select any content displayed in the View pane and bookmark it. Content must display in a tab of the View pane.

To bookmark highlighted content displayed in the View pane:
1. In the View pane, select the desired content.
2. On the highlighted content, right click Bookmark Data. The Bookmark Data dialog for highlighted data displays.
3. Select the appropriate data type in the Types tree.
4. Enter the desired comment.
5. Click OK.
6. The comment displays in the Comment column of the bookmarks table.

Creating a Note Bookmark
A note can contain up to 1000 characters. You can use a note to annotate a bookmark.
Before you begin:
- Create the desired bookmark
- Verify the bookmark appears in the bookmarks table in the Table pane

1. In the Bookmarks table in the Table pane, right click the desired bookmark, and click Add Note. The Add Note Bookmark dialog displays.
2. Enter the text of the note, format the text as desired, and then change the Appear in report setting as desired.
3. Click OK.
4. The note is added to the bookmarks table.

Creating a Folder Information/Structure Bookmark
Use a folder structure bookmark to bookmark a folder or device.
Before you begin: the Entries tree must display in the Entries tab of the Tree pane.

To create a folder structure bookmark:
1. Right click the device or folder to bookmark, and click Bookmark Data. The Bookmark Folder Structure dialog displays.
2. Accept the default settings, or enter appropriate values.
3. Click OK.
4. You can now view the folder structure bookmarks in the Bookmarks table.

Creating a Notable File Bookmark
When you bookmark a single file, a notable file bookmark is created.
Before you can create a notable file bookmark, one of the following is required:
- The Entries tree must display in the Entries tab of the Tree pane.
- The Records tree must display in the Records tab of the Tree pane.

1. For the file to be bookmarked, select the device containing the file.
2. In either the Entries table on the Entries panel of the Table pane, or the Records table on the Records panel of the Table pane, select the row describing the file.
3. Right click on the row describing the file.
4. Click Bookmark Data. The Bookmark Data dialog for files displays.
5. Accept the defaults or modify the values displayed on the Bookmark Data dialog.
6. Click OK.
7. The notable file bookmark is placed in the bookmarks table.

Creating a File Group Bookmark
A file group bookmark is created if more than one file is selected in the Entries table.
Before you can create a file group bookmark, one of the following is required:
- The Entries tree must display in the Entries tab of the Tree pane.
- The Records tree must display in the Records tab of the Tree pane.

1. For the files to be bookmarked, highlight the device or parent folder containing the files.
2. In either the Entries table on the Table pane, or the Records table on the Table pane, select the files to be bookmarked.
3. Click Bookmark Data. The Bookmark Data dialog for files displays.
4. Accept the defaults or modify the values displayed on the Bookmark Data dialog.
5. Click OK.
6. The file group bookmarks are placed in the Bookmarks table.

Creating a Log Record Bookmark
Log record bookmarks are created by a process status dialog (for example, the Acquisition Search Results dialog) that allows their content to be saved in a log record.
Before you can create a log record bookmark, a process results dialog must be open.

1. On the process results dialog, select Log Record.
2. Click OK.
3. A Logs entry displays in the bookmarks table.

Creating a Snapshot Bookmark
Snapshot bookmarks are created by various EnScript programs.

Note: Before you create a snapshot bookmark, select the EnScript tab in the Filter pane.

To create a snapshot bookmark:
1. On the EnScript tree, expand the Forensic folder and double click Scan Local Machine. The Options page of the EnScript wizard displays.
2. Enter a Bookmark Folder Name, select the desired modules, and click Finish. A dialog specific to the selected EnScript program displays.
3. Complete the EnScript program specific dialog, and click OK.
4. The Status Line shows the progress of the executing EnScript program. When the program finishes, the results appear in the Bookmarks display in the Tree pane and the Table pane.
5. See the resulting bookmarks by expanding the bookmark folder specified in step 2.

Creating a Datamark as a Bookmark
EnScript programs can create datamarks and place them in any folder. When datamarks are placed in the Bookmark folder, they can be used to create a datamark and its associated tab panel containing data from the execution of the EnScript program.
To create a datamark as a bookmark, do one of the following:
- In the Code panel on the Table pane, right click on the code, then click Run.
- In the EnScript panel of the Filters pane, expand the tree, and double click the desired EnScript program object.

The EnScript program creates the datamark as a bookmark and creates a sub tab named to match the name of the program that created it. In addition, an entry is output to the Output panel of the View pane.

Records Tab Bookmark View
Use the Bookmark View dialog to create bookmarks for items in the Records tab.
1. Select the Records tab. If you want to bookmark only specific items, click the checkbox next to those items in the Table pane.
2. Right click in the Table pane, then select Bookmark View from the dropdown list.
3. The Bookmark View dialog opens to the Destination tab.
4. Select the Bookmark Select Items checkbox to bookmark only the items you selected in the Table pane. Clear this checkbox to bookmark all items.
5. Select the Create new bookmark folder checkbox if you want your bookmarks in a destination other than the default folder. Checking this box enables the Folder Name and Folder Comment fields.
6. Enter a folder name and, optionally, a folder comment.
7. Enter a brief comment about your bookmarks in the Comment field (optional).
8. Select the View tab.
9. Accept the default Root Name or enter a meaningful root name of your own.
10. Select the Icons checkbox to view icons in your bookmarks.
11. Click OK.

Using Bookmarks
You can create bookmarks on entries and records. These operations are available:
- Creating (see page 382)
- Editing (see page 391)
- Adding a Note bookmark (see page 383)
- Organizing into folders (see page 399)

Reports can contain bookmarks and fields containing bookmark attributes:
- To determine which table entries should appear in a report, see Viewing a Bookmark on the Table Report Tab (on page 402).
- To determine which entry fields should appear in a report, see Customizing a Report (on page 404).

Editing a Bookmark
You can edit most bookmarks. The particular editor displayed is determined by the type of bookmark you are editing. See the individual edit dialogs for bookmark specific information. The instructions in this topic apply to editing any bookmark except file group bookmarks, which cannot be edited.

Note: The content of the bookmarks table is driven by the object selected in the Tree pane.

To edit a bookmark:
1. In the Bookmark panel in the Table pane, right click the desired bookmark, and click Edit. The edit dialog displays.
2. Edit the content, then click OK.

Bookmark Editing Dialogs
These dialogs let you edit existing information entered when the bookmarks were created. However, for bookmarks that were created automatically, you can only enter or modify information once.
Note: You cannot edit file group bookmarks.

These editors are not necessarily the ones used to modify the data in the columns of the Bookmarks table on the Bookmarks panel of the Table pane.
The bookmark edit dialogs include:
- Edit Highlighted Data
- Edit Note
- Edit Folder Information/Structure
- Edit Notable File
- Edit Snapshot
- Edit Log Record
- Edit Datamark

Edit folders containing bookmarks with the Edit Folder dialog.


Edit Highlighted Data Bookmarks Dialog
Use this dialog to edit highlighted data bookmarks.

Comment: contains text describing the bookmarked content.
Data Type: contains the data type of the bookmarked content. Selecting a different data type does not alter the content of the bookmark.
Content: contains the highlighted data that was bookmarked.

Note: You cannot edit this field.


Edit Note Bookmarks Dialog
Use this dialog to edit note bookmarks.

Notes: contains text describing the bookmarked content. A note can contain up to 1000 characters.
Show in report: when checked, the content of the note bookmark appears in the Report tab panel of the Table pane.
Formatting: contains controls for formatting all characters in the note.
  Bold: makes all content bold.
  Italic: makes all content italics.
  Increase font size: sets the font size of all content in the note.
  Increase text indent: sets the text indent of all text blocks.


Edit Folder Information/Structure Bookmarks Dialog
Use this dialog to edit folder information/structure bookmarks.

Include Device Information: check this box to show folder structure in the bookmark.
Columns: determines the number of columns of folder structure to show in the bookmark.

Edit Notable File Bookmarks Dialog
Use this dialog to edit notable file bookmarks.

Comment: can contain up to 1000 characters.


Edit Snapshot Bookmarks Dialog
Use this dialog to edit snapshot bookmarks.

Name: the name of the snapshot bookmark. An EnScript program supplied this name value when the bookmark was originally created. Editing lets you provide a more meaningful name.
Comment: contains text describing the bookmarked content. An EnScript program supplied this text when the bookmark was originally created. Editing lets you provide more meaningful comments.

Edit Log Record Bookmarks Dialog
Use this dialog to edit log record bookmarks.

Name: the name of the log record bookmark. The EnCase application supplied this name when the bookmark was originally created. Editing lets you provide a more meaningful name.
Comment: contains text describing the bookmarked content. No text was supplied when the bookmark was originally created.

Edit Datamarks Dialog
Use this dialog to edit datamarks as they appear as table entries. Datamarks can be used as bookmarks when they are created in the Bookmark folder.

Name: the name of the snapshot bookmark. The EnScript program that created the datamark supplied this name when the datamark was originally created. Editing lets you provide a more meaningful name.
Comment: contains text describing the bookmarked content. The EnScript program that created the datamark supplied this text when the datamark was originally created. Editing lets you provide more meaningful comments.

Edit Bookmark Folder Dialogs
Folders appear in the Bookmarks tree and the Bookmarks table. These folders contain metadata and formatting for the Report panels that appear in both the Table pane and the View pane.
Note: The root of the Bookmarks tree is a folder.

Use the same dialog (Edit Folder Dialog on page 397) to edit the root bookmark folder and other folders in the bookmarks tree and bookmarks table. The root bookmark folder contains default report formatting, while the other folders do not.


Edit Folder Dialog
Use this dialog to modify:
- Folder metadata
- Report contents generated from the entries in the folder

This dialog works with any folder in any Tree or Table pane. When the folder is the root folder of a tree, default formatting is provided in the Format field.
You can also use this dialog to customize the report generated for the folder content. Each folder in a tree has its own report, and each folder defines its own report.

Show in report: check this box to display folder content in the report.
Show Pictures: check this box to display pictures in the folder in the report.
Comment: contains text describing the bookmarked content.
Format: contains labels (provided by the application or entered manually) and the fields selected in the Fields list. The label Comment: appears in the report. Square brackets contain a field. The ) is a literal, as in another label. Everything other than a field is a label.
Fields: contains the list of fields you can include in the report. This list varies from entry to entry.
Tables: determines whether the listed detail tables display individually in the report.

Using a Folder to Organize a Bookmarks Report
When several bookmarks are created, they appear in the bookmark report as selected by In Report in the Bookmarks table. Using folders is a way of selecting subsets of bookmarks to appear in the bookmarks report.
Before you begin:
- The Bookmarks tree displays in the Tree pane
- The destination folder is in the Bookmarks tree

To use folders to organize bookmarks:
1. Do one of the following:
   - To move a bookmark and remove it from the source bookmark object, drag the bookmark to the report in the destination folder.
   - To copy a bookmark from the source bookmark object, right click and drag the bookmark to the destination folder, and select Copy Here.
   The bookmark is now in the destination folder, so its entry now appears in the Bookmarks table associated with the destination folder.
2. Select the destination folder in the Bookmarks tree. The bookmarks in the folder appear in the Bookmarks table.
3. In the Table pane, click Report. The bookmarks in the folder appear in the report.

Organizing Bookmarks
You can organize bookmarks into folders in the Tree pane. These folders appear in the Table pane, but a table entry cannot be dragged into other table entries. Instead, drag the table entry into a folder on the Bookmarks tree. See Using a Folder to Organize a Bookmarks Report (on page 399).
Organizing bookmarks involves the following tasks:
- Copying a table entry into a folder (see page 400)
- Moving a table entry into a folder (see page 401)

Copying a Table Entry into a Folder
You can copy an entry in the Table pane to a folder in the Tree pane. Copying the entry leaves the entry in the table and creates a copy in the tree.

To copy a table entry into a folder:
1. Right click and drag the desired entry into the desired folder.
2. Drop the entry on the folder and select Copy Here.

Moving a Table Entry into a Folder Using the Right Click Drag Method
You can move a table entry into a folder using the right click drag. The table entry is moved from the table to the tree.

1. Right click and drag the desired entry into the desired folder.
2. Drop the entry on the folder and click Move Here.
3. The entry is moved to the folder on the tree and removed from the table.

Moving a Table Entry or Folder into a Folder Using the Drag Method

1. Drag the desired entry or folder into the new parent folder.
2. Drop the entry or folder on the new parent folder.
3. The entry is moved to the folder on the tree and removed from the table.

Bookmark Reports and Reporting
Bookmark report content can be defined:
- In the Table pane, as described in Viewing a Bookmark on the Table Report Tab (on page 402).
- In the folder editor, as described in Customizing a Report (on page 404).

Viewing a Bookmark on the Table Report Tab
After you save a bookmark, it displays on the Report panel of the Table pane.
Make sure the currently opened case has at least one bookmark associated with it. Click the Bookmarks tab and expand the view in the Table pane to display them.

1. Select the bookmark folders you want to include in the report.
2. The folder contents display as checked in the Table pane. The first two data items are selected to be in the report, while the third is not.
3. To include a bookmark, make sure that the In Report column value for that bookmark is True.
4. On the Table pane toolbar, click Report. The report displays in the Report panel of the Table pane.

Note: To set the In Report value for multiple items, select several in the Table panel of the Table pane, and then follow step 3.

5. You can now view the report containing the bookmarked content and the metadata about the bookmarks.


Customizing a Report
You can customize a report using the Edit Bookmark Folder dialog.
Note: Any bookmarks that will appear in the report must be in the same folder in the Bookmarks tree.

To customize a report:
1. Right click the folder containing entries for the report.
2. Select Edit. The edit folder dialog displays.
3. Using the Fields list, double click each field in the order you want it to appear in the report. Each field is moved to the Format list.
4. Enter any label text needed. The text displays in the Format list.
5. Cut and paste the text and fields as needed. Once the content of the Format list is correct, click OK.
6. On the Table pane, click Report.
7. The report displays with its customized contents.

Excluding Bookmarks
Hiding all or parts of the listing is called Excluding. You can exclude any number of bookmarks from the Tree and the Table pane display using the Exclude Bookmarks feature.

Exclude File Bookmarks
In Bookmarks view, the Tree pane displays the bookmark folders you have created for an open case. You can prevent individual bookmark files from being displayed in the Table pane using the Exclude Bookmarks feature.
To exclude an entire folder of bookmarks:
1. Open the bookmarks folder to view its contents.
2. Select (blue click or highlight) a file. The picture below shows a graphic file checked.
3. Right click or press CTRL+E, then select Exclude from the menu.
4. The display reappears, but the selected file is not displayed.

Exclude Folder
In Bookmarks view, the Tree pane displays the bookmark folders you have created for an open case. You can prevent bookmarked folders from displaying in the Table pane by using the Exclude Bookmarks feature.
To exclude an entire folder of bookmarks:
1. Select (blue check or highlight) a folder.
2. Contents of the folder (scal local 01.07.08 in the illustration) display as checked in the Table pane. If you blue check the folder as shown in the illustration above and open that folder, you will see that the entire contents are selected, as below:
3. Right click the folder you selected in the Tree pane. A dropdown menu displays.
4. Select Exclude.
5. The Tree display refreshes, and the excluded folder is marked with a red X.
6. The associated Table view is also marked as deleted.

Show Excluded
Excluded bookmarks are not deleted; they are just hidden from view. It is possible to display them again if necessary.
You can show excluded files from the Tree pane, from the Table pane, or from the Show Excluded tool on the top toolbar. Regardless of the method you select, the steps are similar.
1. In the Tree pane, select and right click a folder. This dropdown menu displays:

Note: In addition to the menu, there is a toolbar button labeled Show Exclude that toggles the hidden view.

2. Select Show Excluded.
3. Previously excluded files display in Table view, while excluded folders display in the Tree view. Excluded data are marked with a red X.

Note: The Excluded column of the display shows which files are excluded and which are not.

CHAPTER 11

Reporting
In This Chapter
- Reporting
- Report User Interface
- Creating a Report Using the Report Tab
- Creating a Report Using Case Processor


Reporting
The final phase of a forensic examination is reporting findings. Organize and present reports in a way the target audience understands. Formatting and presentation considerations should be made when the evidence is first received. EnCase software is designed to help mark and export findings so the final report is generated quickly.
The software provides several methods for generating a report. Some investigators prefer to break up the final report into several sub reports in a word processing program, with a summary report directing the reader to the contents. Others create paperless reports on a compact disc, using a hyperlinked summary of the sub reports and supporting documentation and files.

Report User Interface
You can view reports in either the Table pane or the View pane. In reports which contain both simple data (for example, Name or Extension) and complex data (for example, Extents or Permissions), the simple data displays at the beginning of the report and the complex data follows.

Here is an example of a report viewed in the Reports tab of the Table pane:

Here is the same report displayed in the View pane:

Creating a Report Using the Report Tab
Creating reports is usually one of the last tasks performed when investigating a case. With the EnCase application, you can create reports based on data in any tab in the Tree pane.
Some of the most commonly created reports contain bookmarks or search hits.
Creating a report typically involves these steps:
1. Select the items to report on, whether files, bookmarks, search hits, or other data.
2. Select the type of report you want using the tabs in the Tree pane.
3. From the Table tab in the Table pane, enable the items to show in the report.
4. From the Table tab, switch to the Report tab.
5. Modify the report as needed.
6. Export the report to a format viewable outside your EnCase application.

Examples of different types of reports are discussed in detail in later sections of this chapter.

Enabling or Disabling Entries in the Report
Before entry data can be inserted in a formal report, they must be marked for inclusion.

Report Single Files
Open a case and display its contents in the Table pane.
1. Highlight the file to include in the report or check the box next to the record number (4 in the picture).
2. Place the cursor anywhere in the In Report column and right click for a dropdown menu.
3. Select In Report.
4. The In Report column entry displays a black dot.
5. Click the Report tab to see its contents.

Report Multiple Files
Open a case and display its contents in the Table pane.
1. Check the boxes next to the record numbers to include in the report (1-4 in the picture).
2. Place the cursor anywhere in the In Report column and right click for a dropdown menu.
3. Select In Report > Invert Selected Items. The In Report column displays black dots for the selected files.
4. Click the Report tab to see its contents.
Note: This menu selection is an XOR switch. It toggles the status of the In Report column to include or exclude selected items.

Changing Report Size
To change the presentation size, right click anywhere in the report display and select Zoom In or Zoom Out.

Viewing a Bookmark Report
Open a case in the Table pane.
1. Click the Bookmarks tab.
2. The report displays.

Email Report
Email records are created when you perform an email search.
Perform an email search as described in Creating a Report Using the Report Tab (see page 414).
1. Select View > Cases Sub Tabs > Records. The Tree and Table panes display. The Tree pane data show the records, and the Table pane displays the records' contents. This picture shows the contents of HunterXP:
2. Select a record from the Tree pane, then click the Report tab of the View pane. Selecting an entry from the Table pane displays an individual report like this:


Secure Storage Report
1. In the Tree pane, click the Secure Storage tab.
2. Click an item in the Secure Storage tree for which you want to generate a report.
3. Select the items you want to include in the In Report column of the Table pane. If the In Report column does not display, see step 5 of Creating an Additional Fields Report (on page 425).
4. Click the Report tab to view.

Internet Report
Records for an Internet history report are created when you execute an Internet search.
Perform a search for Internet history as described in Creating a Report Using the Report Tab (see page 414).
1. Select View > Case Sub Tabs > Records.
2. The Tree and Table panes display. The Tree pane data show the records, and the Table pane displays the records' contents. Note the subfolders: Cache and History.
3. Select either Cache or History to display their contents in the Tree pane.
4. Select a record from the Tree pane, then click the Report tab of the Table pane.
5. The report displays in the Table and View panes.

Creating a Web Mail Report
Before you begin, complete the Web Mail Parser (see page 314).

1. Select the folder to see its contents in the Table pane.
2. Select a file to report on, then select the Report tab in the View pane. The report displays.

Alternative Report Method
You can generate a report in the Table pane as well.
1. Select the file in the Table pane.
2. Click the In Report column to include the item in the report.
3. Click the Report tab of the Table pane to view the report.


Search Hits Report
Keyword searches require good reports. Sometimes found keywords are a significant part of a case. There are several permutations of keyword search reports.
1. Run a standard keyword search.
2. Click Search Hits.
3. Select a keyword in the Table pane.
4. Click Report. Results of the selected Table pane keyword appear in the Report pane.
5. Select an item in the Table pane. A report containing the file name, address, and the contents of the Tree pane keyword displays.
6. Right click in the Table pane.
7. In the Export dialog, select the options you want:
   - Output Format (TEXT, RTF, HTML, or XML)
   - Only Checked Rows checkbox, if you want to specify checked rows
   - Start, to specify a beginning row
   - Stop, to specify an ending row
   - Fields
   - Path for the Output File
8. Click Finish to export the report to the desired format and location.

Save the reports in accordance with local policy.

Quick Entry Report
You may want a quick report containing information regarding one particular file in a case.
1. Open a case with bookmarked files.
2. Select the file to use to generate a report.
3. In the Table pane, click Report. A short report displays.


Creating an Additional Fields Report
The Additional Fields tab is available when you select the Records tab. Data in the additional fields varies depending on the type of data contained in the record. Your EnCase application is open, and you have a case created with evidence in it.
1. Open a case containing evidence.
2. Click the Records tab to make the Additional Fields tab available.
3. In the Table pane, select the entry where you want to view additional fields.
4. Click the Additional Fields tab in the Tree pane.
5. If the In Report column does not display:
   a. Right click in the Table pane and select Show Columns.
   b. Select In Report and click OK.
   The In Report column displays in the Table pane.
6. Select the fields you want to include in the report. See Enabling or Disabling Entries in the Report (on page 415).
7. Click the Report tab in the Table pane.
8. The report is generated containing the enabled fields.

Exporting a Report
Once a report is generated, you can save it to a file.
1. Right click in the report and click Export from the dropdown menu.
2. The Export Report dialog opens.
3. Select the output format you want (TEXT, RTF, or HTML).
4. Enter or navigate to the desired output path.
5. Selecting Burn to Disc enables the Destination Folder box. Right click Archive Files to create a new folder and save an .iso file to disc.
6. Click OK.

Here is a Web page generated from the Export routine.

Creating a Report Using Case Processor
You can create reports using the Case Processor EnScript.
The Case Processor Report Generator contains these features:
- Entry Attributes such as File Group, Notable Files, Highlighted Data, Folder Info, Email information, and Records
- Ability to report on only items tagged In Report
- Ability to report on only selected items in the Records tab
- The report captures the investigator's name, organization name and creation date
- The report is generated as HTML, viewable outside of EnCase. The data is organized like the Table tab, and breaks down each set of information by its evidence file

CHAPTER 12

EnScript Analysis
In This Chapter
- EnScript Analysis
- Enterprise EnScript Programs
- Forensic EnScript Code
- EnScript Example Code Packages


EnScript Analysis
The EnScript language is a scripting language and Application Program Interface (API). It is designed to operate within the EnCase software environment. Although similar to ANSI C++ and Java, not all the functions available in these languages are available. The EnScript language uses the same operators and general syntax as C++, though classes and functions are different. Classes, and their included functions and variables, are found in the EnScript Types panel in the Tree pane.
Note: For general information on a particular element, highlight it in the Code panel and press F1 to find the element in the EnScript Types panel.

EnScript programs allow investigators and programmers to develop utilities to automate and facilitate forensic investigations. The programs can be compiled and shared with other investigators. A programming background and an understanding of object oriented programming are helpful for coding in EnScript.

Note: For help programming with the EnScript language, you can attend a training class or visit the EnScript message board at https://support.guidancesoftware.com/forum/forumdisplay.php?f=11.
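The following is an added example, not code from this guide or from Guidance Software. It shows what the two preceding paragraphs describe (C++ style operators and syntax around EnCase's own classes) and what the earlier topic Creating a Datamark as a Bookmark describes (an EnScript program writing its results into the Bookmarks tree). The program walks every entry in the open case, flags files by a constructed extension list, and places one bookmark per match in a new bookmark folder. The class and method names used (CaseClass, EntryClass, BookmarkClass, BookmarkItemClass, NodeClass::FOLDER, SystemClass, Console, String::FormatInt) are assumed from the EnCase 6 EnScript type library; confirm each one with F1 in the EnScript Types panel before relying on it.

```enscript
// Added example (not from the EnCase User's Guide). Assumed EnCase 6
// EnScript classes: CaseClass, EntryClass, BookmarkClass,
// BookmarkItemClass, NodeClass, SystemClass, Console, String.
// Every EnScript program defines MainClass; EnCase calls Main() with the
// currently open case (null if no case is open).

class MainClass {

  // Constructed sample rule: flag files by extension. Adjust per case.
  bool IsFlagged(EntryClass e) {
    if (e.IsFolder())
      return false;
    String ext = e.Extension();
    return (ext == "jpg") || (ext == "jpeg") || (ext == "png");
  }

  void Main(CaseClass c) {
    SystemClass::ClearConsole();

    // Most scripts need an open case; fail early and visibly if not.
    if (!c) {
      SystemClass::Message(0, "Flag Images", "Open a case first.");
      return;
    }

    // New folder under the Bookmarks root; it appears in the Bookmarks
    // tree and table like the folders created from the GUI.
    BookmarkClass folder = new BookmarkClass(c.BookmarkRoot(),
                                             "Flagged Images",
                                             NodeClass::FOLDER);
    uint count = 0;

    // forall descends the whole entry tree: every device, every depth.
    forall (EntryClass e in c.EntryRoot()) {
      if (IsFlagged(e)) {
        // One bookmark item per match, linked to the entry it describes.
        BookmarkItemClass item = new BookmarkItemClass(folder, e.Name());
        item.CopyItemData(e);
        item.SetComment("Flagged by extension: " + e.FullPath());
        count++;
      }
    }

    // Goes to the Output panel of the View pane, as the guide notes.
    Console.WriteLine("Flagged entries: " + String::FormatInt(count));
  }
}
```

Run it as the guide describes: paste into the Code panel and right click Run, or save it under the EnScript tree and double click it. The resulting "Flagged Images" folder can then be included in a report through the In Report column exactly like a hand-made notable file bookmark.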

Enterprise EnScript Programs
Enterprise EnScript programs contain programs typically used with enterprise cases. Many of these programs require a SAFE to be set up to use them properly.
The available Enterprise EnScript Programs are:
- Document Incident: used to generate a report containing the details of an incident that required investigation.
- Machine Survey Servlet Deploy: used to manage, deploy, remove and install SAFEs and servlets to machines on the network.
- Quick Snapshot: used to quickly take a snapshot of a machine that is currently being investigated.
- Remote Acquisition Monitor: used to monitor remote acquisitions between the servlets and a network storage device.
- Snapshot Differential Report: used to report on differences of snapshots taken over a period of time.
- Sweep Enterprise: used to conduct thorough examinations on computers specified from the network tree.
To view Enterprise EnScript programs:
1. In the Filter pane, click the EnScript tab.
2. Open the Enterprise folder from the EnScript tree to see available scripts listed in the Table pane.
3. To run a script, double click it in the table.

Document Incident
Use Document Incident to generate a report containing details of an incident that required investigation.
Open a case.
1. Double click on the Document Incident EnScript Program.
2. Enter the following details in the General Info tab:
   - Incident Reference Number
   - Primary Contact
   - Alternate Contact
   - Incident Timing
3. Click the Incident Details tab and enter information in the following fields:
   - Incident Type
   - Other Type
   - Status
   - Intent
   - Incident Cause
   - Incident Impact
   - Affected Systems
4. Click the Conclusion tab and enter the recommended course of action and comments.
5. Click OK.
6. The program generates a report. Click the name of the incident in the bookmarks panel to view the report in the Table pane.


Machine Survey Servlet Deploy
Use Machine Survey Servlet Deploy to deploy servlets to machines on the network.
To use this method of deployment, you will need the following:
- IP addresses, or a range, of all nodes where you want to deploy
- A common username and password for all nodes where you want to deploy
1. Open EnCase.
2. Click the EnScript tab in the Filter pane.
3. Expand the Enterprise folder by clicking the + next to it.
4. Double click Machine Survey Servlet Deploy.
5. There are different ways to add to the list of machines that will receive the new servlet. Choose one or both of them below:
   - Click Select Machine, then log on to your SAFE, select a role, and select machines using the Network Tree.
   - Enter an IP address or IP Range, Username and Password and click Add.

Note: If you enter an IP range, all machines must use the same username and password.

6. If you entered an IP Range and want to exclude specific addresses, enter the address in the Machine field of the Exclude Machine group and click Exclude.
7. Click the Management tab and select Install servlet process.

Note: You can also use this program to check for or stop servlet and SAFE processes. For information on how to use these features, see the EnCase SAFE Administration Guide.

8. Click Install Settings.
9. Complete the dialog as appropriate using the following functions:
   - Install if servlet process not found: only installs a servlet if one is not found.
   - Always Install: installs a servlet on all machines.
   - Windows Servlet Path: enter or browse to the servlet location on your machine.
   - Linux Servlet Path: enter or browse to the Linux servlet on your machine.
   - Command Line parameters: enter any command line parameters you want to use in conjunction with the servlet.
   - Verify installation: verifies that the install completes successfully.
   - Retry failed deploys: controls how often the program tries to redeploy a servlet on a machine that failed.
10. Click OK.
11. Click on the Settings tab to set the output options.
12. Select an output option:
   - Bookmarks: outputs results to bookmarks in the current case.
   - Excel: outputs results in an Excel file. If you select this option, browse to or enter an output folder.
13. Click OK.
The program optionally creates a bookmark folder called Machine Survey Run # (with an incrementing integer). The program also optionally creates an Excel spreadsheet called MachineSurvey.xls in the folder specified above.

Quick Snapshot
Use Quick Snapshot to quickly take a snapshot of a machine currently being investigated. Quick Snapshot does not offer a deep options set, so if you want scheduling options or the ability to run EnScript program modules while taking a snapshot, use the Sweep Enterprise program.
Before you run Quick Snapshot:
- Open EnCase and log on
- Create a case
- Add a device to the case
1. Double click the Quick Snapshot EnScript Program.
2. Note the machine in the IP List, and select an Available SAFE and Role.
3. Click OK. Note the IP list displays the machine to be investigated using Quick Snapshot. This list is for information purposes only, and you cannot add additional nodes.

The snapshot is placed in the Quick Snapshot folder in your bookmarks.

Remote Acquisition Monitor
Use the Remote Acquisition Monitor EnScript to monitor remote acquisitions.

Snapshot Differential Report
Use the Snapshot Differential Report to compare differences in several snapshots of a particular machine. It quickly detects trends of live data.
Before you begin:
- Snapshots were created and stored in a Logical Evidence File (LEF).
- Microsoft Excel must be installed.
- Add the LEF containing the snapshots into a new case.
1. Double click the Document Incident EnScript Program.
2. Enter the name of the target machine and click Retrieve Snapshots.
3. In the Choose Snapshots For Report list, select the snapshots you want to compare.
4. Choose the types of items to report.
5. Choose Output Options, and provide an output path.
6. Click OK.

You can view results in EnCase, Microsoft Excel, or an Internet browser, depending on the output options you chose.

SweepEnterprise
TheSweepEnterpriseEnScriptprogram: Collectsdatafromsomenamedsubsetofthenetworktree Savesthebookmarkeddata Optionallycreatesnapshots Runsmodulestoextractdataasbookmarksorexportedfiles

If you plan to run modules, you must log on and open a case.


If you choose to deploy a servlet, both the Windows servlet and the Linux servlet must be available on your machine. The Linux servlet must be available even if you do not have any Linux machines. See the EnCase SAFE Administration Guide for the paths to the servlets on your SAFE machine.
To run the Sweep Enterprise EnScript:
1. Double click the Sweep Enterprise object in the EnScript tree on the Filters pane. The Case Options dialog box displays.
2. If you want to change your user or SAFE:
a. Click Change Safe. The User dialog box displays.
b. Select the user, enter a password (if required), then click Next. The SAFEs page displays.
c. Select the SAFE, then click Finish.
3. If you want to change your Role:
a. Click Change Role. The Role dialog displays.
b. Select the desired role and click OK. The Node to Sweep page of the Sweep Enterprise wizard appears.
4. To change the machines swept (those that appear in Machines), click Network Tree, navigate to the appropriate location or machine and click OK. The appropriate IP addresses appear in Machines.
5. Select the desired module(s) to run from the Modules List. The Sweep Options dialog box displays.
6. If servlets must be deployed on the machines to be swept:
a. Click Servlet Options. The Servlet Options dialog appears.
b. Click Deploy Servlet. You can now change the settings.
c. If the user name and password must be updated, enter this information in Update Machines Username/Password, and click Update. These credentials are used to install the servlet on every target in the sweep, so use an account that has only the rights that deployment needs.
d. If machines in the subtree to be swept already have servlets deployed, should not have servlets deployed, or should not be swept, enter the IP address of the machine in Machine, and click Exclude.
7. If the paths to the servlets on your machine must be changed, enter or browse to the appropriate paths.

8. Click OK.
9. Sweep Enterprise runs and the results appear in the Bookmark table on the Bookmark Home pane.

Sweep Enterprise Support for Linux Distributions
Sweep Enterprise fully supports these Linux distributions:
• Mandrake/Mandriva
• Red Hat
• Fedora
• SUSE

Sweep Enterprise provides limited support for Ubuntu.

Forensic EnScript Code
To view EnScript programs in the EnScript panel of the Tree pane, click View > EnScript. To view EnScript components in the Filter pane, click EnScripts to display the EnScript panel. Open a folder from the EnScript object to see available scripts listed in the Table pane.

To run a script, double click it in the table.

Case Processor
Use Case Processor to run one or more EnScript modules against an open case.


To run Case Processor, double click the program name. A Case Processor wizard displays with the name of the open case.

1. Enter a Bookmark Folder Name.
2. Enter a Folder Comment (optional).
3. Export Path populates with the default export path.
4. Click Next to display the module selection wizard.

5. Make the desired selections and click Finish.

Case Processor Modules
Each module available in Case Processor provides different information:
• $Logfile Parser parses specific information from the $Logfile.
• Active Directory Information Parser provides information about a directory in selected formats.
• AOL IM Information extracts data from AOL Instant Messenger files.
• App Descriptor Utility creates app descriptor sets stored globally in the appdescriptors.ini file.
• Compromise Assessment Module examines machines for a compromise such as a hack or virus.
• Consecutive Sectors searches for consecutive sectors filled with the same character, which characterizes attempts to wipe a drive.
• Credit Card Finder searches an entire case for credit card numbers.
• E-Mail Address Finder locates e-mail addresses via a GREP search and bookmarks them.
• EDS Registry Parser parses EDS Registry entries.
• EXIF Viewer searches selected files for the EXIF tag and bookmarks them.
• File Finder searches for and bookmarks selected file types.
• File Report gathers file information on all or selected folders.

• Find Protected Files searches a file system for files that are encrypted or require a password to open them.
• HTML Carver searches all or selected files for keywords in HTML documents and bookmarks them.
• IM Archive Parser searches Instant Messenger log files.
• Kazaa Log Parser searches a case for Kazaa DBB and DAT files.
• Link File Parser parses all or selected Windows shortcut (.LNK) files and retrieves selected information.
• Linux Initialize Case locates Linux artifacts and bookmarks them.
• Linux Syslog Parser parses Linux syslog entries and exports the data to a local drive as Excel or HTML.
• Mac Initialize Case locates OS X artifacts and bookmarks them.
• Partition Finder searches unused space to find deleted volume partitions.
• Recycle Bin INFO Record Finder finds and parses FAT INFO and NTFS INFO2 files.
• Scan Registry scans the Windows registry and bookmarks artifacts.
• Time Window Analysis Module analyzes selected events between specified dates.
• Windows Event Log Parser parses selected Windows event logs.
• Windows Initialize Case locates Windows artifacts and bookmarks them.
• WTMP UTMP Log File Parser parses WTMP, UTMP, WTMPX and UTMPX files on Unix systems.
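The check the Consecutive Sectors module performs, as an added example that is not EnCase or Guidance Software code: scan an image sector by sector and report runs of sectors filled with one repeated byte. It reads a raw (dd style) image held in memory rather than an evidence file, the 512-byte sector size, the minimum run length and the test image are assumptions, and the image is constructed in the last function.

```python
"""Detect runs of sectors filled with a single repeated byte, the pattern the
Consecutive Sectors module looks for as evidence of a drive wipe.

Added example, not EnCase or Guidance Software code.  It scans a raw
(dd style) image held in memory rather than an evidence file, and the
image it scans is constructed below."""

SECTOR_SIZE = 512


def sector_fill_byte(sector: bytes):
    """Return the fill byte if every byte of the sector is identical, else None."""
    if not sector:
        return None
    first = sector[0]
    return first if sector.count(first) == len(sector) else None


def find_wiped_runs(image: bytes, min_run: int = 8, sector_size: int = SECTOR_SIZE):
    """Return (start_sector, sector_count, fill_byte) for every run of at
    least `min_run` consecutive uniform sectors sharing one fill byte.
    Short runs are dropped: a few zeroed sectors are normal slack, while a
    long run of 0x00, 0xFF or a pattern such as 0x55 in a region that should
    hold data is what suggests a wiping tool."""
    runs = []
    run_start, run_byte, run_len = None, None, 0
    sectors = (len(image) + sector_size - 1) // sector_size
    for n in range(sectors):
        fill = sector_fill_byte(image[n * sector_size:(n + 1) * sector_size])
        if fill is not None and fill == run_byte:
            run_len += 1
            continue
        if run_len >= min_run:          # the run that just ended is long enough
            runs.append((run_start, run_len, run_byte))
        if fill is None:
            run_start, run_byte, run_len = None, None, 0
        else:
            run_start, run_byte, run_len = n, fill, 1
    if run_len >= min_run:              # a run that reaches the end of the image
        runs.append((run_start, run_len, run_byte))
    return runs


def describe(runs, sector_size: int = SECTOR_SIZE):
    """Human readable lines for a bookmark comment or report."""
    return [f"sectors {s}-{s + n - 1} ({n * sector_size} bytes) filled with 0x{b:02X}"
            for s, n, b in runs]


def build_demo_image() -> bytes:
    """Constructed image: 4 data sectors, 20 zeroed sectors, 3 sectors of 0xFF
    (too short to report at the default threshold), 2 data sectors and 12
    sectors of 0x55."""
    data = bytes(range(256)) * 2     # 512 bytes, clearly not uniform
    return (data * 4
            + b"\x00" * SECTOR_SIZE * 20
            + b"\xff" * SECTOR_SIZE * 3
            + data * 2
            + b"\x55" * SECTOR_SIZE * 12)


if __name__ == "__main__":
    for line in describe(find_wiped_runs(build_demo_image())):
        print(line)
```

A zero-filled run is not proof of wiping on its own, since unallocated space on a new or rarely used volume is also zero; the finding becomes interesting when the run lies inside allocated files or inside a region the file system says was in use, or when the fill byte is a non-zero pattern. Correlate the sector range with the file system layout before bookmarking it as a wipe.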

Export Hashes
This EnScript generates SHA1 and MD5 hashes of selected entries within the case and exports them to a comma separated value (.csv) or tab delimited file.

1. From the EnScript Forensic menu, double click the Export Hashes option.

2. The Export Hashes dialog opens.

3. These options are selected by default:
• Hash Type: MD5 and SHA1
• Delimiter: Comma
• Split files after 64K lines checkbox
4. Make any desired changes to the defaults, then enter or browse to an Export Path.
5.


Note: In the Export Path, you must specify whether to export to a .csv or .txt file.

Click OK.
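The same export done outside EnCase, as an added example that is not the EnScript's code: each file is read once, MD5 and SHA1 are computed in the same pass, and the delimited output is split into numbered parts after a line limit, mirroring the dialog's defaults. It hashes files on the local file system rather than entries in a case; the column names, the `_2` part naming and the sample files (written to a temporary directory) are assumptions made for the demonstration.

```python
"""Export MD5 and SHA1 hashes of a set of files to a delimited file, splitting
the output after a fixed number of lines, as the Export Hashes defaults do
(MD5 and SHA1, comma delimiter, split after 64K lines).

Added example, not EnCase code.  It hashes local files instead of case
entries, and the sample files it hashes are created in a temporary
directory."""
import csv
import hashlib
import os
import tempfile

DEFAULT_SPLIT = 64 * 1024   # the dialog's "Split files after 64K lines"


def hash_file(path, algorithms=("md5", "sha1"), chunk=1 << 20):
    """Return {algorithm: hexdigest} for one file.  All digests are computed
    in a single pass, reading in chunks so a multi-gigabyte entry is never
    loaded into memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def export_hashes(paths, export_path, algorithms=("md5", "sha1"),
                  delimiter=",", split_after=DEFAULT_SPLIT):
    """Write one data line per path (name, size, one column per digest).
    After `split_after` data lines the current part is closed and a new
    numbered part is started; each part repeats the header.  Returns the
    list of files written."""
    base, ext = os.path.splitext(export_path)
    if ext.lower() not in (".csv", ".txt"):      # the note above: .csv or .txt
        raise ValueError("export path must end in .csv or .txt")
    header = ["Name", "LogicalSize"] + [a.upper() for a in algorithms]
    written, part, lines, fh, writer = [], 0, 0, None, None
    try:
        for path in paths:
            if fh is None or lines >= split_after:
                if fh is not None:
                    fh.close()
                part += 1
                name = export_path if part == 1 else f"{base}_{part}{ext}"
                fh = open(name, "w", newline="", encoding="utf-8")
                writer = csv.writer(fh, delimiter=delimiter)
                writer.writerow(header)
                written.append(name)
                lines = 0
            digests = hash_file(path, algorithms)
            writer.writerow([os.path.basename(path), os.path.getsize(path)]
                            + [digests[a] for a in algorithms])
            lines += 1
    finally:
        if fh is not None:
            fh.close()
    return written


def read_export(path, delimiter=","):
    """Read an exported part back as a list of rows (all fields are strings)."""
    with open(path, newline="", encoding="utf-8") as fh:
        return list(csv.reader(fh, delimiter=delimiter))


def demo(split_after=2):
    """Create three constructed sample files and export their hashes with a
    tiny split threshold so the split into parts is visible."""
    tmp = tempfile.mkdtemp()
    samples = {"a.txt": b"abc", "b.bin": b"\x00" * 1024, "c.txt": b"hello world\n"}
    paths = []
    for name, content in samples.items():
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return export_hashes(paths, os.path.join(tmp, "hashes.csv"),
                         split_after=split_after)


if __name__ == "__main__":
    for part in demo():
        print(part)
        for row in read_export(part):
            print("  ", row)
```

Splitting matters when the export feeds a hash set into another tool that caps its input size; repeating the header in every part keeps each one loadable on its own. Keep MD5 and SHA1 together in the export: MD5 alone is adequate for matching against legacy hash sets but not for proving two files identical to a hostile reviewer, and the second digest costs nothing extra in I/O because both are computed in the same pass.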

File Mounter
File Mounter is an EnScript used to search for and mount compound files, including:
• DBX
• GZip
• PST
• TAR
• Thumbs.db
• Zip

Searches can be by extension or signature, or both.


Note: Mounting a number of large files simultaneously can cause your system to run out of memory. Password protected files are not mounted.

1. Double click File Mounter.
2. Select the method to find the files.
3. Select the desired file types and click OK.
4. To view progress, click the Console tab in the View pane.

Compound Files
The File Mounter EnScript program lets you mount all selected compound file types, leaving them mounted at the conclusion of the EnScript program investigation.
Its main purpose is to let you catalog the contents of targeted compound files. This is a listing of items within the compound file, not the actual contents themselves.
The EnScript program finds targeted files based on the Find Files By and Selected Files options. It then catalogs the file contents into a LogRecordClass bookmark and adds them to the LEF if you select that option.

The program then performs a preliminary keyword search that stops after a single hit. After a hit, the file is placed into a list of files that are then mounted and completely searched.
Results appear in the Search Hits tab display.

Mounting Compound Files
1. Select the compound files to be mounted.
2. Select any desired additional options, such as:
• Make LEF
• Mount Persistent
• Search
• Find Files
3. Click OK.

Index Case
File indexing is part of the improved search engine. The index is a list of words in the evidence file with pointers to their occurrence in evidence. Because the index is smaller than the original evidence file it is optimized for quick searching.
To learn more about case indexing, see Analyzing and Searching Files (on page 275).

Scan Local Machine
Scan Local Machine is an EnScript program used to run modules against a local machine. It uses many of the same modules available in Case Processor.
1. Double click Scan Local Machine.
2. Complete the options as desired and click Finish. Depending on the modules chosen, additional dialogs may open. Complete them as necessary.


Note: Scan local machine searches the local examiner machine and does not search the evidence within the case. If you want to search the evidence in the case, use Case Processor.


Threat Analyzer
This EnScript sends information on physical memory from targeted nodes or selected devices to HBGary's Responder software for threat analysis. The script also generates a report with threat level results.
Note: Threat Analyzer analyzes physical memory only, not process memory.

1. Open a case.
2. In the EnScript Forensic tree, double click Threat Analyzer.
3. The script checks to verify whether HBGary Responder is installed.
4. If HBGary Responder is not detected, an error message displays.

Note: For information about obtaining HBGary Responder, see http://www.hbgary.com/index.html.

5. If HBGary Responder is installed, the Threat Analyzer dialog opens.

6. The script scans for physical memory devices currently loaded in the case and displays the devices it detects.

The two criteria for detection are that the Drive Type is Memory Device and the Process ID is zero.

7. Select the device(s) you want to analyze, then click OK.

Viewing the Threat Level Report
1. Click the Bookmark tab, then click Threat Level Report.
2. Click the Name Values tab, then expand the Value column in the Table pane.
3. Click the Report tab in the View pane.
4. The report shows:
• Name and type of device
• Threat count
• Maximum threat level
• Amount of RAM


Note: A threat level of zero indicates no suspicious items were located. The threat level itself is a summation of all suspicious items found during each scan. The higher the threat level, the more likely it is that something suspicious is on the target.


Options List Box

Use the Options box to select specific items (processes, objects, devices, etc.) to analyze. Click Use Defaults to select default items in the Options list.

Disk Cache Checkbox
When you click Disk Cache, the system allocates a temporary file on disk large enough to hold the entire physical memory of the analysis target and writes to this file, instead of maintaining it in memory.

Cache Level Spin Box
Cache Level controls the size of memory queries to the remote system.

There are 16 levels of cache size, ranging from 0 (4 KB) to 15 (128 MB).

Memory Size Spin Box
Memory Size controls the maximum amount of memory (in bytes) used by the read caching system.

You can specify a size from 0 to 1 GB.

Log on to SAFE Button

1. Click Log on to SAFE. The Logon dialog opens.
2. Select the SAFE you want to use, then click Finish.
3. The SAFE field populates and the Nodes list box is enabled.

Nodes List Box
Enter the nodes you want to analyze, one node per line. Specify nodes by IP address or machine name. You can also enter a range of nodes, separated by a hyphen.

Enterprise Network Button

1. Click Enterprise Network. The Network dialog opens.

2. Select the network you want to use, then click OK.
3. Click the Local Machine checkbox to analyze physical memory on the local machine.

Choose Role Button
1. Click Choose Role. The Choose Role dialog opens.
2. Select the role you want to use, then click OK.

Bookmark Folder Field

You must enter a folder name here to provide the script with a place to put the values returned by the analysis.
Note: Folder Comment is optional.

Export Report Checkbox

You can export a report to a tab delimited text file, HTML, or both. Browse to an output location, or enter a path in the Output Path field.



Viewing Results in the Console
1. In the Tree pane, click the Name Values tab.
2. In the View pane, click the Console tab.


Viewing Results in the Table Pane
1. In the Tree pane, click the Name Values tab.
2. In the Table pane, click the Table tab.

Web Mail Parser
Use the Web Mail Parser (see page 314) to search the case for remnants of Web based e-mail.

EnScript Example Code
In the EnScript tree in the Filter pane, the Examples folder contains example code. These programs can serve as a base for additional programming.
The COM folder contains sample EnScript programs that use COM to provide integration with MS Windows and MS Office applications. See the EnScript Program User Manual for more information.

The EnScript example programs include:
• Compound File Viewer
• Create Index Directory
• Enterprise Using Entry Data
• Enterprise Registry Operations
• Enterprise Using Snapshot Data
• Find Valid IPs
• Index Buffer Reader

Compound File Viewer parses compound files into their constituent parts for viewing.
Create Index Directory generates a plain text file containing all words in an INDX file.
Find Valid IPs finds IP addresses.
Index Buffer Reader parses information from an index buffer INDX file.

COM Folder EnScript Code
The COM folder contains sample EnScript code that uses the COM API as an integration point into various other applications like MS Office or the Windows file system. Programmers use these includes to create new EnScript programs.
The COM folder contains these programs:
• CreateWordDocument
• FileSystem
• ReadWordDocument
• ExcelCreateWorkbook
• OutlookRead

EnScript Debugger
The EnScript debugger allows EnScript programmers to conduct runtime debugging of their programs.
After you create a project for the target EnScript program, the Start Debugging functionality is enabled.

Debugging is disabled when there is no project for the currently selected EnScript program, and enabled once a project exists for it. When you click Start Debugging, the debugger starts and opens four new tabs in the View pane.

These tabs keep track of:
• Currently running threads
• Local variables (Locals) at the current breakpoint
• Library dependencies
• Breakpoint locations associated with the EnScript program

You can set breakpoints within your code. EnScript stops when it reaches a breakpoint during runtime. Use the drop down menu to set a breakpoint.

If you prefer, you can set breakpoints by clicking on the line number of the code.

Once you set a breakpoint, the Start Debugging button runs the EnScript program, which stops at the breakpoint. While stopped, you can analyze the runtime information in the new tabs in the View pane.

Help for EnScript Modules
The Case Processor, Sweep Enterprise, and Scan Local Machine screens contain a Help button or Help section for each available module.


EnScript File Mounter
The File Mounter program catalogs the contents of selected compound files (for example, .zip files). This produces a listing of the items in the compound file, not the actual file contents. The program duplicates the structure of compound files into LogRecord bookmarks.
You define the types of files to process and the criteria. You can select file types by file extension or signature.
You can choose to mount them persistently (leaving them mounted after the conclusion of the EnScript program) or non-persistently. The non-persistent option returns them to their unmounted state when the EnScript File Mounter program completes. Other options include:
• The ability to create a Logical Evidence File (LEF) that includes the contents of all mounted files
• Creating a keyword search of the targeted files

All files having at least one keyword hit will be mounted persistently and their corresponding search hits display in the Search Hits tab.
If you select the Mount Recurs ively checkbox, the contents of each file mounted are checked against the File Types and Find Files By settings, and any that pass are also mounted and checked. This process can take a long time, especially when registry hives are targeted. If speed is a concern, we recommend you leave this checkbox cleared.
Certain Microsoft Office documents are considered compound files. You can parse their metadata and search it. For example, you can locate and bookmark Microsoft Word document metadata (edit times, page numbers, word counts, etc.). File Mounter bookmarks Authors as text and Edit Times as dates.
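The catalog, the preliminary keyword search and the recursive mount described in the Compound Files and EnScript File Mounter sections, as one added example that is not File Mounter's code. It handles only zip archives (File Mounter also understands DBX, GZip, PST, TAR and Thumbs.db), works on in-memory bytes rather than case entries, finds nested archives by signature rather than extension, and caps recursion depth and member size; those limits, the function names and the sample archive are assumptions made for the demonstration.

```python
"""Catalog the contents of compound (.zip) files, run the preliminary keyword
search that stops at the first hit, and optionally descend into nested
archives with a depth limit.

Added example, not File Mounter's code.  Zip only, in-memory bytes, and the
archive it examines is constructed below."""
import io
import zipfile

# Limits for "Mount Recursively": nested archives can be crafted to expand
# without bound (a zip bomb), and the manual already warns that recursive
# mounting is slow, so cap both the depth and the size of members opened.
MAX_DEPTH = 3
MAX_MEMBER_SIZE = 16 * 1024 * 1024


def is_zip(data: bytes) -> bool:
    """Signature check (Find Files By: Signature): a zip with at least one
    member starts with the local file header magic 'PK\\x03\\x04'.  Unlike an
    extension check it catches archives renamed to hide them."""
    return data[:4] == b"PK\x03\x04"


def read_member(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def catalog(data: bytes, path: str = "", depth: int = 0, recursive: bool = False):
    """Listing of (path inside the archive, uncompressed size): the items,
    not their contents, which is what the LogRecord bookmarks hold.  With
    recursive=True, members that are themselves zips are cataloged too,
    down to MAX_DEPTH."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            full = f"{path}/{info.filename}" if path else info.filename
            entries.append((full, info.file_size))
            if recursive and depth < MAX_DEPTH and info.file_size <= MAX_MEMBER_SIZE:
                member = zf.read(info.filename)
                if is_zip(member):
                    entries.extend(catalog(member, full, depth + 1, True))
    return entries


def _needles(keywords):
    return [k.encode("utf-8") if isinstance(k, str) else k for k in keywords]


def preliminary_search(data: bytes, keywords) -> bool:
    """The first pass: True as soon as any member contains any keyword.
    Archives that pass are the ones mounted persistently and searched
    completely."""
    needles = _needles(keywords)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_SIZE:
                continue
            member = zf.read(info.filename)
            if any(n in member for n in needles):
                return True
    return False


def full_search(data: bytes, keywords):
    """The complete search of a mounted archive: every (member, keyword) hit."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = zf.read(info.filename)
            for needle in _needles(keywords):
                if needle in member:
                    hits.append((info.filename, needle.decode("utf-8", "replace")))
    return hits


def build_demo_archive() -> bytes:
    """Constructed sample: an outer zip holding a harmless text file, an inner
    zip stored under a non-.zip name (only the signature gives it away) and
    a PNG header as a decoy."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "meeting with vendor about payment")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("attachment.dat", inner.getvalue())
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n")
    return outer.getvalue()


if __name__ == "__main__":
    archive = build_demo_archive()
    for entry in catalog(archive, recursive=True):
        print(entry)
    print("preliminary hit:", preliminary_search(archive, ["payment"]))
```

The inner archive shows why the keyword pass and the recursive mount are separate options: searching the outer zip's members only sees the compressed bytes of attachment.dat, so "payment" is found only after the nested archive is itself identified by signature and mounted. Password protected members raise an error from `zf.read` and would need the same skip-and-log handling the manual notes for File Mounter, which does not mount them.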

Include EnScript
The Include folder contains common program code shared by other higher level EnScript components. These scripts are not executed independently. They are meant to be used or included in other scripts.

Right now, there are nearly 100 include files in this software. They are stored by default in C:\Program Files\EnCase\EnCase\EnScript\Include. They can, however, be stored in another folder within ...\EnScript\. An EnScript developer creating new include files to work with a new EnScript component can create a new folder and place the new include programs there.
Once the new folder is created, EnCase applications must know of its location.
1. Click Tools > Options > EnScript to display the Options dialog.

2. Complete the dialog options and click OK.
• Check Show line numbers to show line numbers in the gutter area when viewing or editing text in the EnScript code window.
• Check Debug runtime errors to automatically launch the debugger when an error is encountered while executing an EnScript.
• Change the Include Path field entry to reflect the new include folder location(s). Add only the folder name, not the complete path. Separate multiple folder locations with a semicolon (;).
• Use the checkboxes in the Warning area to select which warnings you receive when compiling an EnScript.

EnScript Help
There are currently two sources of information about EnScript programs:
• Help > EnScript Help
• View > EnScript Types

EnScript Types
EnScript types reference resources containing the EnScript language classes. Perusing these types provides information about EnCase classes and functions.
Click View > EnScript Types. The Tree pane contains a list of the classes. Selecting the Report panel of the Table pane displays a read only description of the selected class.

Packages
Packages are a way to distribute EnScript programs without allowing others to view or modify the code. This allows for centralized source control, and avoids unwanted code sharing. Packages are built with the .enpack file extension and function to end users exactly as EnScript programs. In addition to blocking the code from end users, you can also create license files specific to license keys, protecting you from unwanted duplication. The license file's extension is .EnLicense.

Package Features
Features that support the packages include:
• New Package dialog
• Create License dialog

Use the New Package dialog to create, build and edit packages. When building or editing packages the name of this dialog changes, but the tabs and settings remain the same.

Use the Create License dialog to create licenses for a package. The license is assigned the License Name value on:
• The Package tab of the New Package dialog
• The Edit <package name> dialog
• The Build dialog

New Package Dialog
The New Package dialog contains:
• A Package tab
• A Properties tab

Use the New Package dialog to create, build, edit, and run packages.

Package Tab
The Package tab of the New Package dialog captures attributes related to the package. Use this tab to create, build, and edit the package.

Name is the file name of the package, as seen in the interface.
Source Path contains the path to and file name of the EnScript source code to be packaged.
Output Path contains the location and file name for the new package as you want to distribute it. Package output must have the .EnPack file extension.

Archive File contains the path to and file name of an archive file where you can store multiple EnScript files.
Use License determines whether other license related controls appear on the dialog. Use this setting if you want to license the package.
License Name contains the file name of the license without its file extension. This setting only displays when Use License is selected.
Secret Key is a key used in conjunction with the license file to secure the code within the package. This text is not exposed to end users and should not be given to end users.

Properties Tab
The Properties tab of the New Package dialog captures attributes related to the product being packaged. Use this tab to create, build, and edit the package.

Product Name is the name of the EnScript source code.
Major Version is the major version number of the EnScript source code.
Minor Version is the minor version number of the EnScript source code.
Sub Version contains identifiers for bug fix versions, patches, or build numbers of the EnScript source code.
Description is self explanatory.
Company is the name of the company associated with the package.
Business Phone is the phone number of the company associated with the package.
Web Page is the URL of the company Web page associated with the package.

Create License Dialog
Use the Create License dialog to create a license associated with a package. The association is made by entering the file name contained in License File without its extension.

License File contains the path to and the file name of the license file.
Dongle List contains the dongle numbers that enable the license. If the license is not restricted, leave this setting blank.
Major Version contains the major version number of the software release.
Expires contains the date when the license will expire.
#define contains names used in the code, defined using the #define directive, which associate the license with specific functionality. A subset of functionality is associated with a given license.

Using a Package
A package is:
• Created
• Edited
• Built
• Run

In addition, one or more licenses are created and associated with a package.

Creating a Package
1. Do one of the following:
• Click the Packages tab, adjacent to the Cases tab on the root toolbar of the Tree pane.
• Click View > Packages.
2. Right click on the Packages tree in the Tree pane, then click New.
3. The New Package dialog displays the Package panel.
4. On the Package panel, complete the settings, then click Properties.
5. The Properties panel displays.
6. On the Properties panel, complete the settings, then click OK.

Once created, the package appears in the Packages table in the Table pane. The columns in this table contain the details entered in the New Package dialog.

Note: Creating a package does not produce the package file. To produce the package file, see Building a Package (on page 466).

Editing a Package
1. In the Package table on the Table pane, double click the desired package. The Edit <package name> dialog displays.
2. Modify the settings as desired, and click OK.
Note: If you want to change the code, you will need to first modify the EnScript code source file, and then generate a new package file. You may want to alter the version numbers to reflect this.

Building a Package
1. In the Package table on the Table pane, double click the desired package.
2. The Edit <package name> dialog displays.
3. Modify the settings as desired, and then click OK.

The package is now created in the output path specified.

Creating a License
You can create a license independently of its associated package. The association with a package is made when you define the package.

To create a license for a package:
1. In the Package table in the Table pane, right click the package and click Create License. The Create License dialog displays.
2. In License File, enter or browse to the path and file name.
3. In the Dongle List, enter the license keys.
4. In Major Version, select the appropriate version number.
5. In Expires, enter the expiration date of the package.
6. If you want to control the feature set used via this license, in #define, enter the #defined names associated with the feature set.
7. Click OK.
8. Click OK again in the status message box.

Running a Package
Create and build a package (see Creating a Package on page 466 and Building a Package on page 466). A license may be associated with the package as well.
1. Copy the created license file to C:\Program Files\EnCase6\Licenses.
2. Do one of the following:
• Change the root folder of your EnScript folder to reflect the location of the package created.
• Copy the created package to a folder in your current EnScript root folder, normally C:\Program Files\EnCase6\EnScript.
3. If a license is associated with the package, ensure that the installed security key matches the key(s) entered when creating the license. The EnScript program is now ready to run.
4. In the EnScript tree in the EnScript panel of the Filter pane, double click the package to run it.

CHAPTER 13

Working with Non-English Languages


In This Chapter
• Working with Non-English Languages
• Non-English Language Features
• Options Dialog Font Tab
• Configuring Non-English Language Support

Working with Non-English Languages
This chapter covers a specialized area of investigations: working with languages other than English.
The Unicode standard attempts to provide a unique encoding number for every character regardless of platform, computer program, or language. Unicode encompasses a number of encodings. In this document, Unicode refers to UTF-16 (Unicode 16-bit Transformation Format).
Currently more than 100 code pages are available. Because EnCase applications support Unicode, investigators can search for and display Unicode characters, and thus support more languages.
Other character codes besides 16-bit Unicode are supported for working with non-Unicode, non-English language text.
Working with non-English languages typically involves performing these tasks:
• Configuring non-English language support
• Creating and applying a new text style
• Creating non-English language search terms
• Bookmarking non-English language text
• Viewing Unicode files
• Viewing non-Unicode files
• Using code pages in the Text and Hex tabs

Non-English Language Features
EnCase Forensic applications provide non-English language support through various features, including:
• The Options dialog Fonts tab
• Text styles

Use text styles to modify the display of content in:
• The Text pane
• The Transcript pane

Text styles are defined globally on the Text Styles tab. When defined, these text styles are not associated with a case. In the Filter pane, you can:
• Create text styles
• Edit text styles
• Apply text styles to content in the View pane

Options Dialog Font Tab
The Fonts tab of the Options dialog contains a list of EnCase interface elements that you configure to support non-English languages. Each of the listed elements has font settings associated with it. Double click an element to open the Font dialog, where you select the associated settings.

Default Fonts contains the list of interface elements to be configured. Double click these interface elements to open the Font dialog. Selecting a Unicode font enables non-English language text to display in these interface elements.

Unicode Fonts
Specific fonts in the Fonts dialog are installed in Windows. If no Unicode fonts are installed on your computer, see Install the Universal Font for Unicode at http://office.microsoft.com/en-us/help/HP052558401033.aspx.

Unicode text is interpreted as 16-bit words. When a Unicode display is selected, 8-bit character sets and 7-bit ASCII characters do not display correctly. Use an 8-bit font such as Courier New for English text.
To properly display the characters in certain code pages, you should only select a Unicode display font.
Characters that are not supported by the font or code page display as a default character, typically either a dot or a square. Modify this character when using text styles in the Text and Hex tabs of the View pane.

Text Styles
The display of non-English language content is controlled by both the typeface of the content, and the text style applied to the content. A text style applies various attributes to fonts, including:
• Line wrapping
• Line length
• Replacement character
• Reading direction
• Font color
• Class of encoding
• Specific encoding

Text styles are applied in the Text, Hex, and Transcript panes. See Viewing Non-Unicode Files (on page 483) and Viewing Unicode Files (on page 482) for more information.
You can create and edit text styles. See Creating and Defining a New Text Style (on page 478) for more information.
Text styles are global; therefore, they are not associated with a specific case, but rather can be applied to any case after they are defined.

New Text Styles Dialog
This dialog is used to define text styles that can be applied to text displayed in the Text, Transcript or Hex tabs of the View pane. This dialog consists of these tabs:
• The Attributes tab
• The Code Page tab

New Text Styles Dialog Attributes Tab
The Attributes tab captures the text style definition.

Name is the name of the text style.
Line Wrap contains controls that determine how content appears in the Text and Hex tabs of the View pane.
• Fit to page eliminates line breaks in displayed content, and displays all text in the window.
• Line Breaks displays line breaks in the content.
• Max Size ignores line breaks in the content, and wraps lines at the value set in Wrap Length.
Wrap Length specifies the length where a line break occurs. When you select Max Size, line breaks occur only at the value of this setting.
Default Char contains the character to use to indicate the encoding or code page could not interpret the underlying value.
RTL Reading sets the text display to read right to left (RTL).
Color Element contains a list of text elements that can have a color assigned to them. Double click a list element to edit color attributes.

New Text Styles Dialog Code Page Tab
The Code Page tab lets you select the code page for the text style you define.

Code Page contains settings that determine the code page type used in the text style.
• Unicode specifies Little Endian Unicode. If UTF-7 or UTF-8 is used, select Other, not Unicode.
• Unicode Big Endian specifies Big Endian Unicode.
• Other lets you select from the Code Page list.
Code Page List contains a list of supported code pages.

Configuring Non-English Language Support
Non-English language support involves:
• Configuring individual interface elements
• Creating and applying text styles used on the Text and Hex tabs
• Creating non-English keywords
• Creating non-English search terms
• Bookmarking non-English text
• Viewing Unicode files
• Using code pages

Configuring Interface Elements to Display Non-English Characters
EnCase supports non-English language use in the interface as well as non-English language content.

1. Click Tools > Options > Fonts. The Fonts tab of the Options dialog displays.
2. For each interface element listed in Default Fonts where you want to display non-English text:
a. Double click the interface element. The Font dialog opens.
b. Change the font to Arial Unicode MS, and click OK.
c. Repeat steps 2a and 2b until all the interface elements are configured.
3. Click OK.
4. The interface is now configured to display non-English content.

Configuring the Keyboard for a Specific Non-English Language
Windows lets you configure a keyboard for a specific non-English language. Once the keyboard is configured, you need a keyboard map or familiarity with the keyboard layout of the language.

These instructions are for Windows XP. Configuring Windows 2000, NT, and 2003 is similar.

1. Click Start > Control Panel > Regional and Language Options. The Regional Options tab of the Regional and Language Options dialog displays.
2. In Standards and formats, select the desired language.
3. Select the Advanced tab. The Advanced dialog displays.
4. In Code page conversion tables, check the desired code page.
5. Click OK. The keyboard is mapped to the selected non-English language.

Entering Non-English Content without Using Non-English Keyboard Mapping
Windows provides a character map so you can enter non-English character strings without remapping the keyboard.

1. Click Start > All Programs > Accessories > System Tools > Character Map.
2. The Character Map utility displays.
3. Click the desired character, then click Select.
4. The character is added to the Characters to Copy box.
5. Repeat step 3 to add more characters.
6. Click Copy, then paste the characters where you want to use them.

Creating and Defining a New Text Style
Text styles determine how file contents appear in the Text and Hex tabs of the View pane.

To create and define a text style:
1. Click View > Text Styles. The New Text Style dialog displays.
2. Enter a Name for the new style.
3. Enter the desired character in Default Character.
4. Click RTL if the language is read right to left.
5. Click OK if you are using a code other than Unicode Big Endian encoding. Otherwise, select the Code Page tab.
6. Click Unicode Big Endian, then click OK.

If you are going to use a non-Unicode encoding:

1. Click Other.
2. Select an encoding from the Code Page list.
3. Click OK.

Creating Non-English Keywords
Creating non-English keywords is the first step to take before searching non-English language content.

1. Right click and select New from the root of the Keywords tree.
2. The New Keyword dialog displays.
a. Click GREP and enter the GREP expression into Search Expression to create a GREP search.
b. Use the Character Map to create the search string if your keyboard is not mapped to the appropriate non-English key mapping. If mapping is correct, enter the desired Search Expression.
c. Make any other selections as desired.

3. Click OK.
4. Select the desired code pages from the Code Page list.
5. To test the keyword, click Keyword Tester (see Testing a Non-English Keyword on page 480); otherwise, click OK.

Testing a Non-English Keyword
1. Open the New Keyword dialog and define the keyword to be tested.
2. Enter the search expression in Keyword.
3. Enter or browse to the file containing the non-English language content used to test the keyword.
4. Click Load.

Text appears in the Text pane.
5. If text is incorrectly rendered, select other code pages until the text is rendered correctly. When a selected encoding is not one that was selected when the keyword was defined, the Expression field contains this message: Wrong code page for this expression.
6. Click Hex to view content in hexadecimal. The hex representation of the underlying text appears. The values \xFF\xFE at the start of the file indicate that Unicode (little endian UTF-16) is the correct encoding. You may want to redefine the encoding used for this keyword.
7. Test the keyword and click OK.

Querying the Index for Non-English Content
After you create an index, you can use conditions to query files that might contain non-English content.

1. In the Entries tree and Entries table, select files to search.
2. Click Tools > Index Case.
3. In the Filters pane, click the Conditions tab.
4. Open the Index Conditions folder in the Conditions tree.
5. Select the non-English content, for example, Index Terms (Umlaut).

Bookmarking Non-English Language Text
Once you find search results, bookmark them. Bookmarks associate text styles with bookmarked content.

1. Display the text in the View pane.
2. Sweep or select the desired text, then right click and click Bookmark Data.
3. The Bookmark Data dialog displays.
4. Enter a Comment.
5. Select the desired text style in Data Type.
6. The content displays with the selected text style applied.
7. Click OK.
8. The text is bookmarked and the dialog closes.

Viewing Unicode Files
By default, EnCase displays characters in ANSI (8-bit) format on the Text and Hex tabs in Courier New font. Viewing Unicode files properly requires modifications to both the formatting and the font.
First, the file or document must be identified as Unicode. This is not always straightforward.

Text files (.txt) containing Unicode begin with a Unicode hex signature \xFF\xFE. This is the byte order mark of little endian UTF-16; a big endian file begins with \xFE\xFF instead, and a UTF-16 file saved without a byte order mark shows no signature at all and can only be recognized by inspecting its bytes (typically a zero byte after every ASCII character). However, word processor documents written in Unicode are not so easy to identify. Typically, word processor applications have signatures specific to the document, making identification of the file as Unicode more difficult.

1. Click Text Styles.
2. The Text Styles tab displays in the Filter pane. Notice the default characters between the ASCII characters. The second eight bits of the 16-bit Unicode encoding cannot be translated.
3. Click the desired Unicode based text style.
4. The text displayed in the Text or Hex tab updates to reflect the new encoding.

Viewing Non-Unicode Files
Display a file in any encoding or code page after you define it.

1. Click Text Styles with the text displayed in the Text or Hex tab of the View pane.
2. The Text Styles pane appears in the Filter pane.
3. Click the desired non-Unicode-based text style.
4. The displayed text in the Text or Hex tab updates to reflect the new encoding.

Associating Code Pages
Non-English language files can be associated with a particular code page. A code page list is checked to prevent usage of an unavailable code page (if, for instance, a file is open on one system, then reopened on another that does not have the complete set). If an original code page is unavailable when a file is opened, the code page association is removed. While this process is transparent, if you do open a case or mount a volume with a missing code page, a message listing the missing code pages appears.

You can associate code pages manually or automatically through Windows identification.

To manually set the code page:
1. Apply a Text Style with the desired code page to the entry.
2. Check the code page checkbox on the EnCase main window.

To have Windows automatically associate code pages to entries:
1. Select the Search button and check the Identify code page option.
2. After the search completes, the code page column populates.

To remove the association, clear the checkbox.
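The signature check and the code page comparison described in Viewing Unicode Files and Associating Code Pages, as an added Python example that is not EnCase's own code; the sample bytes and the list of candidate code pages are constructed for the example.

```python
"""Added example (not EnCase code): identify the \xFF\xFE Unicode signature the
chapter describes, show why UTF-16 text looks wrong under an 8-bit (ANSI) text
style, and render the same bytes under candidate code pages so an examiner can
pick the one that reads correctly. All sample bytes are constructed here."""

# Byte-order marks. The chapter documents \xFF\xFE (UTF-16 little endian) for
# Unicode .txt files; the other two are included for completeness.
SIGNATURES = {
    b"\xff\xfe": "utf-16-le",
    b"\xfe\xff": "utf-16-be",
    b"\xef\xbb\xbf": "utf-8",
}

# A few 8-bit Windows code pages an examiner might try as text styles
# (constructed list; any code page Python knows can be added).
CANDIDATE_CODE_PAGES = ("cp1252", "cp1251", "cp1250", "cp1253")


def detect_signature(data: bytes):
    """Return (encoding, payload) if the buffer starts with a known signature,
    otherwise (None, data). The payload excludes the signature bytes."""
    for bom, encoding in SIGNATURES.items():
        if data.startswith(bom):
            return encoding, data[len(bom):]
    return None, data


def render_ansi(data: bytes) -> str:
    """Mimic an 8-bit text style: one character per byte, with bytes outside
    printable ASCII shown as '.'. For UTF-16 input this produces the stray
    characters between ASCII letters that the chapter tells you to notice."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def render_code_pages(data: bytes, code_pages=CANDIDATE_CODE_PAGES):
    """Decode the same bytes under each candidate code page. A code page that
    leaves one of the bytes undefined is reported as None (the bytes cannot
    belong to it); among the rest the examiner still judges by eye which
    rendering reads correctly."""
    renderings = {}
    for code_page in code_pages:
        try:
            renderings[code_page] = data.decode(code_page)
        except UnicodeDecodeError:
            renderings[code_page] = None
    return renderings


def identify_text(data: bytes):
    """Unicode by signature first; otherwise offer the candidate renderings."""
    encoding, payload = detect_signature(data)
    if encoding is not None:
        return {"encoding": encoding, "text": payload.decode(encoding)}
    return {"encoding": None, "candidates": render_code_pages(data)}


# Constructed samples: the word "Über" as a UTF-16LE .txt with its signature,
# and the same word stored in the Western European code page (cp1252).
UNICODE_TXT = b"\xff\xfe\xdc\x00b\x00e\x00r\x00"
CP1252_TXT = b"\xdcber"

if __name__ == "__main__":
    print(render_ansi(UNICODE_TXT))    # what an ANSI text style shows: ....b.e.r.
    print(identify_text(UNICODE_TXT))  # signature found, decoded as utf-16-le
    print(identify_text(CP1252_TXT))   # one rendering per candidate code page
```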

CHAPTER 14

Using LinEn

In This Chapter
Introduction
Viewing the License for LinEn
Creating a LinEn Boot Disk
Configuring Your Linux Distribution
Performing Acquisitions with LinEn
Hashing the Subject Drive Using LinEn

Introduction
The LinEn utility runs on the LinEn CD using the Linux operating system and enables the following functions:
- Performing drive-to-drive acquisitions
- Performing crossover acquisitions

LinEn runs independently of the Linux operating system, thus improving acquisition speeds, and runs in 32-bit mode (rather than 16-bit mode). Because Linux provides greater device support, LinEn can acquire data from a larger set of devices.

As with other operating systems, to prevent inadvertent disk writes, modifications to the operating system need to be made. Linux typically has a feature called autofs installed by default. This feature automatically mounts, and thus writes to, any medium attached to the computer. Instructions in this chapter describe how to disable this feature to protect the integrity of your evidence.

Viewing the License for LinEn
LinEn must be running, and you must be on the LinEn main screen.

To view the license for LinEn:
1. Press L. The license displays.
2. Press Enter. The LinEn main screen displays.

Creating a LinEn Boot Disk
If you want to run LinEn on the subject machine, you need to create a LinEn boot disk. When you create a LinEn boot disk, it is important to choose a Live Linux distribution, as these types of distributions are designed to run straight from the CD or DVD and do not install themselves on the subject machine.

You must have an ISO image of the live Linux distribution you want to use, such as Knoppix. Knoppix is one of the popular live distributions.

Note: As it is not practical to modify the settings of a live Linux distribution, ensure that the live distribution does not automatically mount detected devices.

To create a LinEn Boot disk:
1. Using your EnCase application on the investigator's machine, click Tools > Create Boot Disk. The Choose Destination dialog of the Create Boot Disk wizard displays.
2. Click ISO Image, and click Next. The Formatting Options dialog of the Create Boot Disk wizard displays.
3. Provide a path and filename to the ISO image you downloaded earlier, optionally click Alter Boot Table, and click Next. The Copy Files dialog of the Create Boot Disk wizard displays.
4. Right-click in the right pane of the Copy Files page, and click New. The file browser opens.
5. Enter or select the path to the LinEn executable, normally c:\program files\encase6\linen, click OK, then click Finish. The Creating ISO progress bar displays on the Copy Files dialog. Once the modified ISO file is created, the wizard closes.
6. Burn the ISO file onto a blank CD/DVD using disc burning software of your choice. For help with this, refer to the instructions that came with your software.

You now have a boot disk to run Linux and LinEn while you acquire the subject Linux device.

Configuring Your Linux Distribution
Before LinEn can run on Linux, you must configure the Linux distribution. Due to the nature of Linux and its distributions, only the following standard distributions are discussed:
- SUSE 9.1
- Red Hat
- Knoppix

Note: Because of the dynamic nature of Linux distributions, we recommend that you validate your Linux environment before using it in the field.

The process describes an ideal setup process that effectively runs the LinEn application in a forensically sound manner.

Many distributions provide autofs as the means of automounting anything attached to the Linux system. It is essential that autofs is disabled to prevent automounting.

Obtaining a Linux Distribution
A Linux distribution can be obtained from any Linux vendor.

If you intend to use a LinEn boot disc, you will need a live distribution, such as Knoppix, in order to create a boot disc. If you intend to run LinEn on an installed version of Linux on your forensic machine, we recommend using SUSE or Red Hat.

For the Linux distributions discussed in relation to LinEn, obtain a distribution from one of the following:
- For the latest SUSE distribution, go to the Novell Web site (http://www.novell.com/linux/).
- For the latest Red Hat distribution, go to the Red Hat Web site (http://www.redhat.com/).
- For the latest Knoppix distribution, go to the Knoppix Web site (http://www.knoppix.com/).

LinEn Setup Under SUSE
You must already have SUSE installed on your Linux machine.

1. Copy the LinEn executable from C:\Program Files\EnCase6 on your Windows machine to the desired directory, /usr/local/encase, on your Linux machine.
2. Open a command shell on your Linux machine and run LinEn as root/superuser.
3. Enter chmod 700 /usr/local/encase/linen. This changes the permissions on the LinEn executable, so that it can only be executed by root/superuser.
4. Close the command shell.
5. Click Main Menu > System > Configuration > YaST. Yet Another Setup Tool (YaST) is used to configure various settings for your Linux operating system.
6. Open the Runlevel Editor.
7. Ensure that autofs is disabled.

LinEn Setup Under Red Hat
You must have Red Hat installed on your Linux machine.

1. Copy the LinEn executable from C:\Program Files\EnCase6 on your Windows machine to the desired directory, /usr/local/encase, on your Linux machine.
2. Open a command shell on your Linux machine and run LinEn as root/superuser.
3. Enter chmod 700 /usr/local/encase/linen. This changes the permissions on the LinEn executable, so that it can only be executed by root/superuser.
4. Close the command shell.
5. Click Main Menu > System Settings > Server Settings.
6. Ensure that autofs is disabled.

Performing Acquisitions with LinEn
The EnCase LinEn utility provides the following methods of acquiring evidence from a subject drive:
- Drive-to-drive acquisitions
- Crossover cable acquisitions

Drive-to-drive acquisitions provide the means to safely preview and acquire devices without using a hardware write blocker. Drive-to-drive acquisitions use either the subject machine or the forensic machine to perform the acquisitions. The drive-to-drive acquisition speed can be significantly faster than EN.EXE and MS-DOS from previous versions, simply because Linux is a 32-bit operating system.

Crossover cable acquisitions require both a subject and forensic machine. This type of acquisition also negates the need for a hardware write blocker. It may be desirable in situations where physical access to the subject machine's internal media is difficult or not practical. This is the recommended method for acquiring laptops and exotic RAID arrays. This method is slower than a drive-to-drive acquisition because data is transferred over a network cable, and thus is especially sensitive to the speed of the network cards housed in both machines.

Setup for a Drive-to-Drive Acquisition
When a subject drive from the subject machine cannot be acquired via a crossover cable acquisition, the subject drive can be acquired via a drive-to-drive acquisition. Drive-to-drive acquisitions can be done in the following ways:
- Running a LinEn boot disc on the forensic machine
- Running the LinEn utility from Linux already installed on the forensic machine
- Running a LinEn boot disc on the subject machine

Any of these cables can be used as a hard disk cable:
- IDE cable
- USB cable
- Firewire
- SATA
- SCSI

Setups for drive-to-drive acquisitions with 1) the forensic machine, running LinEn from the LinEn Boot Disk, connected to the subject hard drive; 2) the forensic machine, booted to Linux and running LinEn, connected to the subject hard drive; 3) the subject machine, running LinEn from the LinEn Boot Disk, connected to the target hard drive:

Drive-to-Drive Acquisition Using LinEn
Before you begin, identify the subject drive to be acquired and the storage drive to hold the acquired evidence file.

1. If the FAT32 storage partition has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and enter ./linen in the console. The LinEn Main Screen displays.

Note: If there are too many drives and/or partitions to display, you will see a warning message.

3. Click Acquire.
4. Choose the physical drive or logical partition you want to acquire. The Acquire Device <drive> dialog displays.
5. Enter the full path and filename for the acquired evidence file, then click OK.
6. Optional: Provide an alternate path in the event that the output path from step 5 runs out of disk space.
7. Click OK.
8. Enter a case number, then click OK.
9. Enter an examiner name, then click OK.
10. Enter an evidence number, then click OK.
11. Enter a name for the evidence file (maximum 50 characters), then click OK.
12. Verify that the current date and time stamp are accurate, then click OK.
13. Enter a brief note (maximum 200 characters), then click OK.
14. Choose whether to compress the file.
15. Choose whether to perform a hash of the evidence file after acquisition. The two hash algorithms are MD5 and SHA1.
16. Optional: Enter a password.
17. Specify the total sectors to acquire, then click OK. By default, the field prepopulates with the maximum number of sectors of the drive or partition.
18. Specify the maximum file size (in megabytes) for the evidence file and segment files, then click OK. By default, the field prepopulates with a maximum size of 640 megabytes.
19. Specify the block size for the evidence file, then click OK. By default, the field prepopulates with a block size of 64 sectors.
20. Enter a level of error granularity, then click OK.
21. Enter the number of worker threads, then click OK. These threads perform compression on the buffer.
22. Enter the number of reader threads, then click OK. These threads read from the device and fill in a data buffer.
23. Click Yes or No to perform hashing in its own thread.
24. A summary report displays.
25. When the acquisition is complete, click OK. The LinEn main window displays. The subject has been acquired and is stored on the storage drive.
26. Connect the storage drive to the investigator's machine.
27. Add the EnCase evidence file using the Sessions Sources page of the Add Device Wizard, as described in Completing the Sessions Sources Page (on page 153).

LinEn Command Line
You can execute LinEn acquisition and hashing from a command line.

Note: You must use the -cl option to activate this feature.

Select the operation you want:
- -k for Acquire Mode
- -o for Hash Mode

Note: You must choose either Acquire Mode or Hash Mode. LinEn will show an error if you use both.

You can enter command line options with a single dash and the shortcut (for example, -p <Evidence Path>) or with a double dash and the full tag (for example, --EvidencePath <Evidence Path>). During the acquisition or hashing process, a pipe character (|) prints to the console for each percentage completed.

There are two ways to provide necessary information to LinEn:
- Command line options
- Configuration file

Command Line Options

Shortcut                  Full Tag         Description
-dev <Device Path>        Device           Device to be either acquired or hashed
-p <Evidence Path>        EvidencePath     Path and file name of the evidence to be created (maximum 32,768 characters)
-m <Evidence Name>        EvidenceName     Name of evidence within the evidence file (maximum 50 characters)
-c <Case Number>          CaseNumber       Case number of the evidence (maximum 64 characters)
-x <Examiner>             Examiner         Examiner's name (maximum 64 characters)
-r <Evidence Number>      EvidenceNumber   Evidence number (maximum 64 characters)
-a <Alternate Paths>      AlternatePath    A semicolon delimited list of alternate paths (maximum 32,768 characters)
-n <Notes>                Notes            Notes (maximum 32,768 characters). Enclose notes in quotes (for example, "This is a note").
-l <Max File Size>        MaxFileSize      Maximum file size of each evidence file (in MB: minimum 1, maximum 10,485,760)
-d <Compress>             Compress         Level of compression (0=none, 1=fast, 2=best)
-g <Granularity>          Granularity      Error granularity in sectors (minimum 1, maximum 1024)
-b <Block Size>           BlockSize        Sectors per block for the evidence file (minimum 1, maximum 1024)
-j <Configuration File>   File             Path to a configuration file holding variables for the program (maximum 32,768 characters)
-t                        Hash             Perform MD5 hashing on device
-1                        SHA1             Perform SHA-1 hashing on device
-cl                       CommandLine      Do not ask for required values, just error out
-k                        AcquireMode      Acquire the selected device
-o                        HashMode         Hash the selected device
-?                                         Help message
-pw <password>                             Password protects the resulting evidence file
-date <date/time>                          Lets the user input the correct date/time. Must be quoted in the format "MM/dd/yy hh:mm:sstt" or "MM/dd/yy hh:mmtt" (where tt is AM or PM).
-rdr <number>             Readers          Number of reader threads (acceptable value 1-5)
-wrk <number>             Workers          Number of worker threads (acceptable value 1-20)
-hsh                      Hasher           Hash in its own thread (default: false)
-rerr                     ReadErrors       Print read errors to STDERR (default: false)
-v                        Verbose          Verbose output during acquisition or hashing (default: false) (acceptable value TRUE or FALSE [only in file])

Non-Interactive Command
- If (-cl) is set, LinEn is non-interactive, allowing third-party software to use its own scripting.
- If (-cl) is set, users must pass all LinEn settings via a text file or via command line arguments.

Configuration File
You can create a configuration file to fill in some or all of the variables. The configuration file needs to be in the format OptionName=Value. All of these options have the same restrictions as their command line counterparts.

Options for the configuration file are as follows:

Option           Description
EvidencePath     Path and file name of the evidence to be created
EvidenceName     Name of the evidence within the evidence file
CaseNumber       Case number of the evidence
Examiner         Examiner's name
EvidenceNumber   Evidence number
AlternatePath    A semicolon delimited list of alternate paths
Notes            Notes
MaxFileSize      Maximum file size of each evidence file
Compress         Level of compression (0=none, 1=fast, 2=best)
Granularity      Error granularity in sectors
BlockSize        Sectors per block for the evidence file
Hash             Turn on (TRUE) or turn off (FALSE) MD5 hashing
SHA1             Turn on (TRUE) or turn off (FALSE) SHA-1 hashing
Device           Device to be acquired or hashed
CommandLine      Exit if a required variable is not filled out (TRUE or FALSE)
AcquireMode      Acquire the device chosen (TRUE or FALSE)
HashMode         Hash the device chosen (TRUE or FALSE)

Note: Any options specified on the command line take precedence over those in the configuration file.

Once the selected operation is complete, results print to the console. Read errors and read error sectors show only if there are actual errors.

Hashing Results
Name: <Evidence Name>
Sectors: 0 - <Total Sectors>
MD5 Value: <Md5 Value>
SHA1 Value: <SHA1 Value>
Read Errors: <Read Errors> The hash value may not be accurate
Read Error Sectors: <start1> - <stop1>, <start2> - <stop2>, etc.

Acquisition Results
<Evidence Name> acquired to <Evidence Path>
Elapsed Time: <Elapsed Time>
MD5 Value: <Md5 Value>
SHA1 Value: <SHA1 Value>
Read Error Sectors: <start1> - <stop1>, <start2> - <stop2>, etc.
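To tie the option limits, the OptionName=Value configuration file, the precedence rule and the printed results together, here is an added Python example; it is not part of LinEn or EnCase. The sample configuration and result block are constructed, and the example assumes sector ranges in the results are written as start - stop.

```python
"""Added example; not part of LinEn or EnCase. It builds and checks a LinEn
configuration file (OptionName=Value) against the limits documented in this
chapter, applies the documented rule that command-line options override the
file, and parses the result block LinEn prints after hashing or acquisition.
The results text below is constructed to follow the documented layout,
assuming sector ranges are written as start - stop."""
import re

# Documented limits: ("str", max length or None), ("int", low, high), ("bool",).
LIMITS = {
    "EvidencePath": ("str", 32768),
    "EvidenceName": ("str", 50),
    "CaseNumber": ("str", 64),
    "Examiner": ("str", 64),
    "EvidenceNumber": ("str", 64),
    "AlternatePath": ("str", 32768),
    "Notes": ("str", 32768),
    "MaxFileSize": ("int", 1, 10485760),
    "Compress": ("int", 0, 2),
    "Granularity": ("int", 1, 1024),
    "BlockSize": ("int", 1, 1024),
    "Hash": ("bool",),
    "SHA1": ("bool",),
    "Device": ("str", None),   # no length limit is documented for Device
    "CommandLine": ("bool",),
    "AcquireMode": ("bool",),
    "HashMode": ("bool",),
}


def parse_config(text):
    """Read OptionName=Value lines; blank lines are ignored."""
    options = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition("=")
            options[name.strip()] = value.strip()
    return options


def render_config(options):
    """Write options back out in the documented OptionName=Value format."""
    return "".join(f"{name}={value}\n" for name, value in options.items())


def apply_precedence(file_options, cli_options):
    """Command-line options take precedence over the configuration file."""
    merged = dict(file_options)
    merged.update(cli_options)
    return merged


def validate(options):
    """Return a list of problems (empty when the options are acceptable)."""
    problems = []
    for name, value in options.items():
        if name not in LIMITS:
            problems.append(f"{name}: not a documented option")
            continue
        kind = LIMITS[name][0]
        if kind == "str":
            limit = LIMITS[name][1]
            if limit is not None and len(value) > limit:
                problems.append(f"{name}: longer than {limit} characters")
        elif kind == "int":
            _, low, high = LIMITS[name]
            if not value.isdigit() or not low <= int(value) <= high:
                problems.append(f"{name}: must be an integer from {low} to {high}")
        elif value.upper() not in ("TRUE", "FALSE"):
            problems.append(f"{name}: must be TRUE or FALSE")
    # The chapter states that Acquire Mode and Hash Mode cannot both be chosen.
    if (options.get("AcquireMode", "").upper() == "TRUE"
            and options.get("HashMode", "").upper() == "TRUE"):
        problems.append("AcquireMode and HashMode cannot both be selected")
    return problems


def parse_results(text):
    """Parse the printed result block. hash_reliable is False when read
    errors were reported, because the chapter warns the hash value may then
    be inaccurate."""
    result = {"read_errors": 0, "read_error_sectors": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "MD5 Value":
            result["md5"] = value
        elif key == "SHA1 Value":
            result["sha1"] = value
        elif key == "Read Errors":
            result["read_errors"] = int(value.split()[0])
        elif key == "Read Error Sectors":
            result["read_error_sectors"] = [
                (int(a), int(b)) for a, b in re.findall(r"(\d+)\s*-\s*(\d+)", value)]
    result["hash_reliable"] = (result["read_errors"] == 0
                               and not result["read_error_sectors"])
    return result


# Constructed sample configuration and a constructed hashing result block
# (the hash values are obvious placeholders, not real digests).
SAMPLE_CONFIG = """EvidencePath=/mnt/storage/case001/subject.E01
EvidenceName=Subject laptop HDD
CaseNumber=2009-0001
Examiner=J. Examiner
Compress=1
Hash=TRUE
SHA1=TRUE
HashMode=TRUE
"""

SAMPLE_HASH_RESULTS = """Name: Subject laptop HDD
Sectors: 0 - 156301487
MD5 Value: 00000000000000000000000000000000
SHA1 Value: 0000000000000000000000000000000000000000
Read Errors: 2 The hash value may not be accurate
Read Error Sectors: 1024 - 1087, 5120 - 5183
"""

if __name__ == "__main__":
    opts = apply_precedence(parse_config(SAMPLE_CONFIG), {"AcquireMode": "TRUE"})
    print(validate(opts))                 # both modes selected: one problem
    print(parse_results(SAMPLE_HASH_RESULTS)["hash_reliable"])   # False
```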

Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCase applications can detect and image DCO and/or HPA areas on any hard disk conforming to ATA level 6 or higher specifications. The DCO and HPA areas are detected using LinEn (Linux) or the FastBloc SE module. The application now shows if a DCO area exists in addition to the HPA area on a target drive.

FastBloc SE is a separately purchased component.

HPA is a special area located at the end of a disk. It is usually configured so the casual observer cannot see it, and can only be accessed by a low-level reconfiguration of the disk. HPA and DCO are extremely similar; the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a removed HPA at reboot. When supported, EnCase applications see both areas if they coexist on a hard drive. For more information, see HPA and DCO Configured Disks (on page 606).

Acquiring a Disk Running in Direct ATA Mode
If the Linux distribution supports ATA mode, you will see a Mode option. The mode must be set before the disk is acquired. An ATA disk can be acquired via the drive-to-drive method. The ATA mode is useful for cases when the evidence drive has a host protected area (HPA) or disk control overlay (DCO). Only Direct ATA Mode can review and acquire these areas.

LinEn is configured as described in LinEn Setup, and autofs is disabled (cleared). Linux is running in Direct ATA Mode.

To acquire a disk running in Direct ATA Mode:
1. If the FAT32 storage partition has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type ./linen in the console. The LinEn Main Screen displays.
3. Select Mode, then select Direct ATA Mode. The disk running in ATA mode can now be acquired.
4. Continue the drive-to-drive acquisition with Step 3 of Doing a Drive-to-Drive Acquisition Using LinEn (see page 490).

Mode Selection
LinEn starts up in BIOS mode. A disk acquired in this mode reports only the disk size as seen and translated by the BIOS. As a result, no data contained in a DCO are seen or reported. The Mode selection in LinEn provides a solution.

Notice Disk 1 in the figure. It shows a disk size of 26.8 GB. If this is acquired now, only that quantity of data is identified.

The Linux distribution in use must support Direct ATA mode for this function to work.

To test for the presence of a DCO:
1. Start LinEn in the normal manner on a computer that supports Direct ATA. The main screen shows a Mode button.
2. Enter M to select Mode. A second screen displays offering three acquisition selections:
   - BIOS
   - ATA
   - Cancel
3. Enter A to select ATA Mode.

If a DCO is present on the disk, the original LinEn screen reports the correct disk size and the correct number of sectors. Disk 1 in the following illustration shows the true disk size, 75.5 GB.

Acquire the disk according to protocol.

Crossover Cable Preview or Acquisition
You have a LinEn boot disk. The investigator has identified the subject drive to be acquired.

To do a crossover cable acquisition:
1. Boot the source machine from the LinEn boot disk. Take care to ensure the source machine has an operable optical drive and will actually boot from a CD.
2. Connect the forensic machine to the subject machine using a crossover cable.
3. In Linux, ensure that the subject machine has an IP address assigned and a NIC card loaded appropriately by typing ifconfig eth0; then, if no IP address is assigned, assign one by typing ifconfig eth0 10.0.0.1 netmask 255.0.0.0, and check the IP address assignment again by typing ifconfig eth0.
4. Navigate to the folder where LinEn resides and type ./linen in the console to run LinEn. The LinEn Main Screen displays.
5. Select Server, and press Enter. The message Waiting to connect should display.
6. On the forensic machine, specify an IP address of 10.0.0.1 for the subject machine.
7. Launch EnCase on the forensic machine.
8. Create a new case, or open an existing case.
9. Right-click the Devices object, and click Add Device.
10. Select Network Crossover, and click Next.
11. Select the physical disk or logical partition to acquire or preview and click Next.
12. Click Finish. The contents of the selected device reached through the network crossover connection are previewed. To acquire the content, perform an acquisition as described in Specifying and Running an Acquisition.

Hashing the Subject Drive Using LinEn
1. Navigate to the folder where LinEn resides and enter ./linen in the console. The LinEn Main Screen displays.
2. Click Hash.
3. Select a drive, then click OK. The Start Sector dialog displays.
4. Specify a start sector to hash, then click OK. By default, the field prepopulates with a start sector of 0.
5. Specify a stop sector to hash, then click OK. By default, the field prepopulates with a stop sector of the last sector of the drive or partition being analyzed.
6. Select an algorithm to use in performing the hash. The options are MD5 and SHA1.
7. A hash value is calculated for the selected sectors. You can save this hash value to a file.

CHAPTER 15

EnCase Decryption Suite

In This Chapter
Overview
EDS Features
Product Matrix
Using EDS
Secure Storage Tab
Secure Storage Items
SafeBoot Encryption Support (Disk Encryption)
Utimaco SafeGuard Easy Encryption Support
BitLocker Encryption Support (Volume Encryption)
WinMagic SecureDoc Encryption Support
GuardianEdge Encryption Support
PGP Whole Disk Encryption (WDE) Support
CREDANT Encryption Support (File-Based Encryption)
S/MIME Encryption Support
NSF Encryption Support
Lotus Notes Local Encryption Support
Windows Key Architecture
Dictionary Attack

Overview
EnCase Decryption Suite (EDS) enables decryption of encrypted files and folders by domain users and local users, including:

Disk and volume encryption
  - Microsoft BitLocker
  - GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption
  - Utimaco SafeGuard Easy
  - McAfee SafeBoot
  - WinMagic SecureDoc Full Disk Encryption
  - PGP Whole Disk Encryption

File-based encryption
  - Microsoft Encrypting File System (EFS)
  - CREDANT Mobile Guardian

Mounted files
  - PST (Microsoft Outlook)
  - S/MIME encrypted email in PST files
  - NSF (Lotus Notes)
  - Protected storage (ntuser.dat)
  - Security hive
  - Active Directory 2003 (ntds.dit)

EDS Features
Disk and Volume Encryption
When an Evidence File (.E01) or a new physical disk is added to a new case, the Master Boot Record (MBR) is checked against known signatures to determine whether the respective disk is encrypted.

If the disk is encrypted, EnCase asks for user credentials (see the Product Matrix on page 511 for a table listing required credentials for supported encryption products).

If the correct credentials are entered, EnCase decrypts the disk. No password attacks are supported.

EDS supports these disk/volume encryption products:
- Microsoft BitLocker
- GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption
- Utimaco SafeGuard Easy
- McAfee SafeBoot
- WinMagic SecureDoc Full Disk Encryption
- PGP Whole Disk Encryption

File-Based Encryption
Encryption can be applied at the file or folder level. If files or folders are encrypted, EnCase asks for credentials (see Product Matrix on page 511 for a table listing required credentials for supported encryption products).

If the correct credentials are entered, EnCase decrypts the files or folders.

EDS supports these file-based encryption products:
- Microsoft Encrypting File System (EFS)
- CREDANT Mobile Guardian

Mounted Files
EnCase can review mounted files and search for encrypted data. If mounted files are encrypted, EnCase asks for user credentials (see Product Matrix on page 511 for a table listing required credentials for supported encryption products).

If the correct credentials are entered, EnCase decrypts the mounted files. These types of mounted files are supported:
- PST (Microsoft Outlook)
- NSF (Lotus Notes)
- Protected storage (ntuser.dat)
- Security hive
- Active Directory 2003 (ntds.dit)

Product Matrix
The table below shows encryption products supported by EDS and credentials you need to provide in order to use them with EnCase. The credential columns of the matrix are Password, User, Domain, Machine, Server, Path, and Other.

Products in the matrix:
- GuardianEdge Encryption Plus
- GuardianEdge Encryption Anywhere
- GuardianEdge Full Disk Encryption
- Utimaco SafeGuard Easy
- McAfee SafeBoot Online
- SafeBoot Offline
- CREDANT Mobile Guardian Online
- Mobile Guardian Offline
- Microsoft BitLocker
- Microsoft Encrypting File System (EFS)
- ZIP
- Lotus Mail
- S/MIME
- PGP Whole Disk Encryption

Entries appearing in the Path and Other columns of the matrix: Algorithm; Machine CREDANT ID; Algorithm Shield CREDANT ID; Key; Keys; ADK requires path and passphrase; ID File; PFX; Passphrase, ADK, WDRT.

(The check-mark cells of the matrix are not reproduced in this copy.)

Using EDS
Analyze EFS
This command scans a volume for data and processes it. You can also run Analyze EFS from the secure storage; in that instance, it runs consecutively on all volumes in a case.

1. Right-click the volume you want to analyze, then click Analyze EFS from the dropdown menu.
2. The first Analyze EFS dialog displays. Click Next.
3. The second Analyze EFS dialog displays with the Documents and Settings Path and Registry Path fields populated by default. For unusual system configurations, data disks, and other operating systems these values will be blank. You can modify them to point to the user profile folders and/or the registry path.
4. Click Next to begin the scan.
5. When the scan is complete, the EFS Status dialog shows statistical information on keys found and decrypted and registry passwords recovered.
6. When you are done reviewing the EFS status, click Finish.

Note: Analyze EFS can also pop up the Syskey and Password Recovery Disk screens.

EFS Files and Logical Evidence (L01) Files
To decrypt an encrypted EFS file you need the following:
1. The EnCase EDS module.
2. The matching $EFS stream. This is essential, since it contains the decryption key.
3. A matching unencrypted private key. This can be the recovery agent's key or a user's key.
4. File slack might be needed if the file size is not a multiple of 16. This is because files are decrypted in 16-byte chunks.

Note: For example, a 17-byte file needs 15 bytes of slack in order to decrypt the last chunk. Otherwise, only multiples of 16 are decrypted.

The scenarios for logical evidence files are different from prior versions of EnCase:
1. The file is encrypted and the $EFS stream is missing from the same folder within the L01: the file cannot be decrypted.
2. The file is encrypted and the $EFS stream is in the same folder: the file can be decrypted (except for the remainder of the file, if any).
3. The file is decrypted and the $EFS stream is missing: the file remains decrypted.
4. The file is decrypted and the $EFS stream is in the same folder: the file will be decrypted twice.

Note: The workaround in case 4 is to disable EFS or delete the private key from the secure storage.

From version 6.11 on, all the scenarios above are handled gracefully, because the $EFS stream is added internally.
- If the file is encrypted, the $EFS stream is automatically stored with the file as metadata.
- If the file is decrypted, the $EFS stream is not automatically stored, as it is not needed. This does not prevent you from storing the stream by specifically saving it to the LEF.

Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.

Secure Storage Tab
To organize security data gathered using Analyze EFS, EnCase includes a Secure Storage tab which displays passwords, keys, and other items parsed from the system files and registry.

Although the tab is always present in the interface, you must install the EDS module to enable most of the functionality.

Secure Storage Tab and EFS
To populate the Secure Storage tab:
1. Run Analyze EFS (see page 513).
2. Select the Secure Storage tab.
3. Click an item in the Secure Storage tree to view its contents.

Enter Items
Enter Syskey
You can enter Syskey information before running the Analyze EFS wizard, or afterwards if the wizard is already completed.

1. Right-click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the Enter Syskey tab.
3. Select the location of the Syskey (for example, a file path or a floppy disk) or enter the password manually.
4. Click OK.

User Password
If you know the user's password:
1. Right-click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the User Password tab.
3. Enter the password.
4. Click OK.

If the Syskey is protected and you do not know the password, an attack on the SAM file for user passwords will not be successful. This is a rare situation. Most Windows machines will not have a protected Syskey. EDS includes a dictionary attack option to get past a protected Syskey. You can obtain dictionary files from a number of sources. To access setup, right-click the root of Secure Storage and select Dictionary Attack.

During the Analyze EFS scanning of the registry, EnCase alerts you if the Syskey is password protected or has been exported to a floppy disk. In these cases, the Analyze EFS wizard prompts you to enter the Syskey password and/or insert the floppy disk containing the Syskey or browse to the Syskey file location. The Syskey file is called startkey.key, and you should examine any floppy disks collected at a scene for the presence of this file. If the Syskey file is recovered on a floppy disk, it can be copied/unerased from EnCase to the examination machine, and you can browse to the startkey.key location. This process is the same as when you use the Password Recovery Disk.

Password Recovery Disk
Windows XP and 2003 Server enable local users to create a recovery disk containing their encrypted password. The disk is designed to allow users to reset their password if they forget it, without losing all of their EFS encrypted files and other important security credentials. The file is called userkey.psw, and you should examine floppy diskettes recovered at the scene for the presence of this file.

1. With the floppy disk inserted, or the file copied to a hard drive, right-click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the Password Recovery Disk tab.
3. Click the option button, File or Floppy, where the file is located.
4. Enter the path or browse to it, then click OK.

Private Key File
If the logon password is unavailable, you can obtain the Domain Administrator's private key (PFX). This also works for the user's key. To export and use the key:

1. As Domain Administrator, double-click C:\Windows\system32\certmgr.msc to launch the Microsoft Management Console.
2. Locate the Certificates folder containing the Domain Administrator's certificate.
3. Right-click the certificate.
4. From the All Tasks menu, click Export.
5. In the Certificate Export Wizard, click Next.
6. Click Yes, export the private key, then click Next.
7. Accept the default for the export file format, then click Next.
8. Select a path and name the key (this assigns a .PFX extension), then click Next.
9. When prompted, note the password entered.

Note: The password cannot be left blank. It is needed when using the key.

10. Click Next. A confirmation window shows details about the export.
11. Click Finish to complete the export.
12. Right-click the root entry of Secure Storage.
13. Select Enter Items from the dropdown list, then select the Private Key File tab.
14. Enter the path or browse to it.
15. Enter the Password in the next prompt, then click OK. A status screen confirms successful completion and the Private Key displays in the Secure Storage tab.

Enter Mail Certificate
You can enter a .PFX certificate to use for decrypting S/MIME encrypted emails found in PST files.

1. Right-click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the Enter Mail Certificate tab.
3. Enter the path to the .PFX certificate and the password.
4. Click OK.
5. The .PFX cert is decrypted and stored in Secure Storage.

Associate Selected
To associate *nix users with volumes:

1. Select the Secure Storage tab.
2. Click the checkbox next to the item or items you want to associate.
3. Right-click a checked item.
4. Select Associate Selected from the dropdown list.
5. The Associate dialog displays.
6. Expand the Volumes tree and select the volumes you want to associate.
7. Click OK.

Secure Storage Items
In the Report tab of the View pane you can see details about the currently selected item in the secure storage. The Text and Hex views show the raw data. These items have the following properties:
- Name
- Encrypted
- Type
- Subtype
- Password
- Password Type

The following items are of interest:
- Aliases: These are Security Identifiers (SIDs) that point to one or more SID entities. They have a name and a comment.
- Groups: SIDs that point to one or more SID entities. They have a name and a comment. These are defined groups such as Administrators and Guests.
- SAM Users: These are Local Users. The details are listed in the Report tab of the View pane.
- Passwords: Found and examiner-added passwords appear here.
- Net Logons: These are Local Users. The details are listed in the Report tab of the View pane.
- Nix User/Group: Unix users/groups.
- Lotus: Lotus Notes.
- Email Certificates: These are used for S/MIME decryption and signature verification.
- Disk Credentials: Persistent key cache for disk/volume encryption products.
- Master Keys: Every user with a private key has a master key that protects it. The master key itself is encrypted with a hash of the user's Windows password.
- Private Keys: Used in the decryption of EFS files.
- Internet Explorer (IE) Passwords: Passwords from IE 6.
- Policy Secrets: These are LSA secrets. They include the default password and passwords for services. Some of these secrets are not passwords but binary data placed there by the system and applications.
- SAM Keys/Policy Keys/Dpapi/CERT: For internal use.

SafeBootEncryptionSupport(DiskEncryption)
EnCaseprovidesawayforyoutoviewSafeBootencryptedharddrivesduringaninvestigation.This featureisonlyavailabletoauserwithanEDScertenabled.
Note: If no EDS cert is found or the integration Dlls are not properly installed, the physical device will mount, but the encrypted file structure cannot be parsed. Since SafeBoot overwrites the original MBR only for the boot disk, always preview the boot disk first and then any other disk in a multi-disk machine configuration.

1. Use the Add Device Wizard to add the physical device.

2. When prompted, select the appropriate encryption algorithm from the list, then enter a user name, server name, machine name, and password when in online mode. The SafeBoot encrypted drive is parsed.

The offline dialog is similar. The Online checkbox is blank and only the Machine Name, Transfer Database field, and Algorithm are available.

3. Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again.

This illustration shows results of a successful decryption. The Tree pane shows a SafeBoot folder, the Table pane contains a list of decrypted files, while the Text pane shows contents of a decrypted file.

4. The next figure shows the same files as they appear encrypted.


Supported SafeBoot Encryption Algorithms
EnCase's SafeBoot decryption feature supports these encryption algorithms:
• AES256 FIPS
• AES256
• DES
• RC5 12 Rounds
• RC5 18 Rounds

Utimaco SafeGuard Easy Encryption Support
EnCase provides a way for you to view SafeGuard Easy (SGE) encrypted hard drives during an investigation. This feature is only available to a user with an EDS cert enabled.
Note: If no EDS cert is found or the integration DLLs are not properly installed, the physical device will mount, but the encrypted file structure cannot be parsed. Since SafeGuard Easy overwrites the original MBR only for the boot disk, only the boot disk can be decrypted in EnCase.

1. Use the Add Device Wizard to add the physical device.
2. EnCase detects the device and displays a user name and password dialog.
3. Enter a valid user name and password when in online mode.
4. Click OK.
5. Once a successful decryption is complete, save the case. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again.

Note: If the password is empty, the Challenge/Response wizard opens. For more information, see Utimaco Challenge/Response Support on page 527.


Supported Utimaco SafeGuard Easy Encryption Algorithms
EnCase's Utimaco SafeGuard Easy decryption feature supports these encryption algorithms:
• AES192
• AES256
• DES
• 3DES

Utimaco Challenge/Response Support
Utimaco has an alternate method for decrypting their data using a challenge/response code. Once the code is authenticated, EnCase returns the key and any additional data (such as encrypted sectors) necessary to decrypt the data.

1. In the SGE credentials dialog, enter a user name but leave the password blank.
2. Click OK.
3. A Challenge Response dialog displays with the challenge code in blue. Keep this dialog open while performing the next steps.
4. Log in as Administrator. On the Windows Start page, click All Programs > Utimaco > SafeGuard Easy > Response Code Wizard.
5. The Welcome dialog displays.
6. Click Next to begin generating a one-time password (OTP). The Authorization Account dialog displays.
7. Click Next. The Remote User ID dialog displays.
8. Enter the User ID that was used to derive the challenge code, then click Next.
9. The Challenge Code dialog displays. Enter the challenge code generated by EnCase from step 3.
10. Click Next. The Remote Command dialog displays.
11. Select One-time logon, then click Next.
12. The Summary dialog displays with the response code in blue.
13. In the EnCase dialog from step 3, select the code length and enter the response code to enable decryption of the selected encrypted evidence.
14. Click OK.
15. In the Summary dialog from step 12, click Close to close the SafeGuard Easy Response Code Wizard, or click New to generate a new response code from a different challenge code.

Utimaco SafeGuard Easy Encryption Known Limitation
Utimaco SafeGuard Easy treats a machine with multiple hard drives as one hard drive consisting of all sectors of all physical hard drives. In contrast, EnCase examines each hard drive individually. This creates a problem:
• SafeGuard Easy overwrites only the Master Boot Record (MBR) of the boot disk
• Only the boot disk is detected as encrypted and then decrypted (given the correct credentials are entered)

This means EnCase support for SafeGuard Easy is limited to decrypting only the boot disk, because this is the only drive detected as encrypted by examining the MBR.

Workarounds
There are two workarounds for this problem. The first solution:
1. Obtain both disks:
  • The internal disk holding the SafeGuard Easy kernel (disk 1)
  • The external (that is, non-bootable) disk (disk 2)
2. Open the kernel on disk 1. You can then access disk 2.

The second solution:
1. Obtain a SafeGuard Enterprise (SGN) kernel backup file of disk 1.
2. Restore disk 1 to an empty disk.
3. Add the non-bootable disk as disk 2. The information in the newly restored kernel gives you access to disk 2.

BitLocker Encryption Support (Volume Encryption)
Microsoft's BitLocker is available in Windows Vista Enterprise and Ultimate for client computers and Windows Server 2008. It encrypts an entire volume using one of three modes to store the encryption key:
• Transparent operation mode (requires Trusted Platform Module [TPM])
• User Authentication mode (requires TPM)
• USB Key mode (does not require TPM)

When BitLocker is enabled, a large file is created that holds all of the unallocated (UAC) space, minus 6 gigabytes.

Recovery Key and Recovery Password Files
The recovery key is a file with a GUID name (for example, 67FA3445-29D7-4AB5-8D0F-7F69B88D1C04.BEK).
The recovery password is stored in a file with a GUID name (for example, AE15E17A-C79E-4D3F-889F-14FBF6E0F9E.TXT).
These keys are matched by Key Protector GUID in the BitLocker metadata.


Decrypting a BitLocker Encrypted Device Using Recovery Key
1. Add a BitLocker encrypted device into EnCase using Add Device or drag and drop.
2. The BitLocker Credentials dialog displays.
3. The Recovery Key option button is selected by default. Browse to the location of the required .BEK recovery key.
4. Browse to the folder containing BitLocker keys and select the specified .BEK file.
5. Click OK.

Decrypting a BitLocker Encrypted Device Using Recovery Password
1. Add a BitLocker encrypted device into EnCase using Add Device or drag and drop.
2. The BitLocker Credentials dialog displays.
3. Select the Recovery Password option button.
4. Browse to the folder containing BitLocker keys.
5. Find and open the .TXT file that matches the Password ID.
6. Copy and paste the recovery password into the BitLocker Credentials dialog.
7. Click OK.
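Before a recovery password or key file is typed into the BitLocker Credentials dialog, it is worth checking the material on the examiner machine. The Python below is an added example and is not part of the EnCase manual or product. It applies Microsoft's published rule for recovery passwords (each six-digit group is divisible by 11 and below 720896; the sixth digit of each group is the check digit that enforces this) and pairs .BEK and .TXT files by the GUID in their names, as the preceding sections describe. The sample password and file names are constructed for the demonstration and unlock nothing.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: eight groups, each 11 * a 16-bit value, so it passes the
# check rule below. It unlocks nothing; it only exercises the validator.
SAMPLE_RECOVERY_PASSWORD = "000011-135795-720885-000000-000011-135795-720885-000000"

GUID_RE = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$", re.I)


def parse_recovery_password(text: str) -> List[int]:
    """Validate a 48-digit recovery password and return its eight 16-bit values.

    Dashes and whitespace are ignored. Each 6-digit group must be divisible by
    11 and below 720896 (65536 * 11); the sixth digit of each group is the check
    digit that enforces this, so a mistyped digit is rejected here rather than
    after a failed decryption attempt in the credentials dialog.
    """
    digits = re.sub(r"[\s-]", "", text)
    if len(digits) != 48 or not digits.isdigit():
        raise ValueError("recovery password must be 48 decimal digits")
    values = []
    for i in range(0, 48, 6):
        group = int(digits[i:i + 6])
        if group % 11 != 0 or group >= 720896:
            raise ValueError(f"group {i // 6 + 1} ({digits[i:i + 6]}) fails the check-digit rule")
        values.append(group // 11)
    return values


def is_valid_recovery_password(text: str) -> bool:
    """True when the password passes the digit-count and check-digit rules."""
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def match_key_files(filenames: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Pair .BEK recovery keys with .TXT recovery password files by GUID stem.

    Both file kinds are named after the key protector GUID, so a folder of
    BitLocker keys can be indexed by GUID and each entry shows which material
    (key, password, or both) is available for that protector.
    """
    index: Dict[str, Dict[str, Optional[str]]] = {}
    for name in filenames:
        stem, dot, ext = name.rpartition(".")
        if not dot or not GUID_RE.match(stem):
            continue  # not a GUID-named key file
        entry = index.setdefault(stem.upper(), {"bek": None, "txt": None})
        if ext.upper() == "BEK":
            entry["bek"] = name
        elif ext.upper() == "TXT":
            entry["txt"] = name
    return index


if __name__ == "__main__":
    print(parse_recovery_password(SAMPLE_RECOVERY_PASSWORD))
    print(match_key_files(["67FA3445-29D7-4AB5-8D0F-7F69B88D1C04.BEK", "notes.txt"]))
```

The eight values returned by parse_recovery_password are the raw 16-bit words of the recovery password; turning them into the Volume Master Key involves further key stretching that BitLocker (and EnCase) perform internally and is not shown here.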


Full Volume Encryption (FVE) Auto-Unlock Mechanism
Encrypted data volumes are decrypted on the fly, given that the boot volume was successfully decrypted by:
• Providing a valid recovery key or recovery password
• Running Analyze EFS on the decrypted boot volume

Each data volume has a corresponding registry key (SYSTEM\ControlSet0xx\FVEAutoUnlock\{GUID}) containing the key (Auto-Unlock Volume Key, or AUVK) that can decrypt the Volume Master Key of that particular volume. This key has an associated GUID matching the GUID of a key protector in the data volume metadata. The picture below shows Auto-Unlock registry keys for three volumes.

This picture shows Secure Storage after the Analyze EFS process:

Physical RAID Encryption Support
EnCase's BitLocker decryption supports only physical RAIDs, not logical RAIDs.


RAID 1: Example Using Two Physical Drives
1. Add a BitLocker encrypted primary RAID 1 volume into EnCase using Add Device or drag and drop. This primary volume consists of:
  • The boot disk
  • The BitLocker volume (which is not encrypted)
2. The BitLocker Credentials dialog displays.
3. Provide the credentials. See Decrypting a BitLocker Encrypted Device Using Recovery Key on page 534 or Decrypting a BitLocker Encrypted Device Using Recovery Password on page 535 for details.
4. Click OK. EnCase decrypts the volume.
5. Add each additional physical disk in order, repeating steps 2-4 for each disk as needed.

Note: For information on acquiring and building RAIDs, see How to Acquire RAIDs (https://support.guidancesoftware.com/node/100) on the Guidance Software Support Portal.

RAID 5: Example Using Three Physical Drives
To parse a RAID 5 drive, you must first build the RAID in EnCase.
1. Add a BitLocker encrypted primary RAID 5 volume into EnCase using Add Device or drag and drop. This primary volume consists of:
  • The boot disk
  • The BitLocker volume (which is not encrypted)
2. Add each additional physical disk using Add Device or drag and drop.

Note: The BitLocker Credentials dialog does not display until you finish building the RAID. For information on acquiring and building RAIDs, see How to Acquire RAIDs (https://support.guidancesoftware.com/node/100) on the Guidance Software Support Portal.

3. When you finish building the RAID, EnCase displays the BitLocker Credentials dialog.
4. Provide the credentials. See Decrypting a BitLocker Encrypted Device Using Recovery Key on page 534 or Decrypting a BitLocker Encrypted Device Using Recovery Password on page 535 for details.
5. Click OK. EnCase decrypts all available volumes.

Successful Decryption
When decryption is successful, the volume's file system type displays in the first sector.

Unsuccessful Decryption
If decryption fails, -FVE-FS- displays in the first sector.

Saved Credentials in Secure Storage
After successful authentication, EnCase saves credentials in Secure Storage, so you do not have to re-enter them the next time you open the saved case.

WinMagic SecureDoc Encryption Support
You can access the hard drive of a system encrypted with SecureDoc software. EnCase supports SecureDoc version 4.5 and above.
There are three ways to add SecureDoc disks to EnCase:
• Preview the hard drive
• Use the Add Device Wizard
• Drag evidence files into EnCase


Once you preview a machine's disk or open an evidence file, the Master Boot Record (MBR) is checked against known signatures to determine whether the disk is encrypted. The SecureDoc signature is WMSD.

Each SecureDoc user has a key file which can contain multiple keys encrypted using a password associated with the file. SecureDoc users have either administrator or user privileges:
• Administrators can encrypt/decrypt drives, reset passwords, add keys to a key file, etc.
• Users can only change their passwords

An installer is provided to place these integration DLLs in %ENCASE%\Lib\WinMagic\SecureDoc:
• SDForensic.dll
• SDC.dll
• SDUser.dll

Note: The integration is supported on the 32-bit version of EnCase.


1. When adding a SecureDoc disk, EnCase prompts for three credentials:
  a. The path to the file containing the user keys (extension .dbk)
  b. The password associated with the key file
  c. The path to the emergency disk folder corresponding to the physical disk under examination
2. Enter the credentials, then click OK.
3. If the credentials are correct, EnCase decrypts the disk and parses the file system structure.
4. When you save the case, the ranges of encrypted sectors and the original MBR are retained in the case file for previewed drives as well as evidence files.

The disk view shows encrypted information in the Text and Hex panes for encrypted drives. The disk view shows decrypted information in the Text and Hex panes for decrypted drives.

Acquiring the Device
A local acquisition at the physical device level results in acquisition of all decrypted logical volumes. An enterprise acquisition at the physical device level results in acquisition of all sectors in an encrypted state.

Note: To obtain decrypted data, perform a local acquisition on the result of the remote acquisition.

Note: SecureDoc 4.5 does not allow for enabling SCSI_PASS_THROUGH; because of this, every sector's data is decrypted by SecureDoc's filter driver during a physical acquisition.

You can acquire either:
• All logical volumes by acquiring at the physical level
• An individual logical volume by acquiring at the logical level

The completed acquisition contains the decrypted volumes. You do not need a password to view the file structure.

GuardianEdge Encryption Support
EnCase supports the following GuardianEdge products:
• GuardianEdge Encryption Plus
• GuardianEdge Encryption Anywhere
• GuardianEdge Hard Disk Encryption

Supported GuardianEdge Encryption Algorithms
EnCase's GuardianEdge decryption feature supports these encryption algorithms:
• AES128
• AES256

GuardianEdge Hard Disk Encryption Known Limitations

Authenticating to a Physical Drive in EnCase
With GuardianEdge Hard Disk Encryption (GEHD) version 8.6 and higher, you cannot use client administrator credentials to authenticate to a physical drive in EnCase. While adding the physical hard drive (as opposed to a logical acquisition), an authentication screen displays. If you enter the client administrator account, password, and domain, the authentication screen displays repeatedly without going to the next step.
Because GEHD has domainless client administrators, you need to use a default value for the domain:
1. Make sure you have the EnCase Decryption Suite module with PC Guardian support installed (Help > About EnCase).
2. In the Domain field, enter EA#DOMAIN for the client administrator account.

For more information, see Knowledge Base article 00002281 in the GuardianEdge Customer Support Portal (https://na4.salesforce.com/sserv/login.jsp?orgId=00D300000001ZQU).

Decrypting a GuardianEdge Encrypted Device Running EnCase on a Vista Operating System
This applies to GuardianEdge 9.2.


If you use EnCase on a Windows Vista operating system to decrypt a GuardianEdge encrypted device, you must download msvcp71.dll from Microsoft at http://msdn.microsoft.com/en-us/library/k9a8ehy3(VS.71).aspx and place it in the Encase6\lib\PCGuardianGuardianEdge\EAHD directory in addition to the two GuardianEdge DLL files.

PGP Whole Disk Encryption (WDE) Support

Supported Software Versions and Platforms
• PGP 9.8 or later
• Windows Vista (all 32- and 64-bit versions)
• Windows XP (SP1 and SP2)
• Windows 2000 Professional (SP4)
• Mac OS 10.4 and 10.5

To decrypt a PGP encrypted disk, you need one of the following:
• A Whole Disk Recovery Token (WDRT) from the PGP Universal Server
• An Additional Decryption Key (ADK) from the client machine
• The user's passphrase

Note: The PGPEnCase.dll resides in the installation folder of EnCase (typically C:\Program Files\EnCase6\lib\PGP\WDE).

Obtaining Whole Disk Recovery Token Information
1. In an Internet browser, enter the PGP Universal Server's URL to gain access to the PGP Universal Administration page. If you are not sure of the URL address, it is displayed in the PGP Universal Server boot screen.
2. Click the Users tab to go to the Internal Users page. Note which user displays the Recovery icon associated with a user name.
3. Click the user name associated with the Recovery icon. The Internal User Information page displays.
4. Click the Whole Disk Encryption button to see the machine associated with this user.
5. Click the WDRT icon.
6. The Whole Disk Recovery Token page displays. Note the token key consisting of 29 alphanumeric characters.
7. In EnCase, enter the token key in the Whole Disk Recovery Token field of the PGP Whole Disk Encryption credentials dialog, then click OK.

Note: You can enter the token key with or without dashes.

Obtaining Additional Decryption Key (ADK) Information
Note: The Additional Decryption Key option is available only if you are using the 32-bit installer of EnCase.

1. Log on to the PGP client workstation.
2. Click Start > Programs > PGP > PGP Desktop.
3. In the PGP Desktop PGP Disk window, click the PGP Disk at the left side and select any disk listed.
4. The Disk Properties display.
5. In the User Access section at the bottom of the screen, export the key as an .asc file.
6. In EnCase, enter the full path to the .asc file in the Additional Decryption Key (ADK) Path field, as well as the passphrase protecting the file, in the PGP Whole Disk Encryption credentials dialog.

PGP Decryption Using the Passphrase
1. Enter the passphrase in the Passphrase field.
2. Click OK.

CREDANT Encryption Support (File-Based Encryption)
EnCase provides a way for you to access CREDANT encrypted data on Windows devices. EnCase provides support for CREDANT Mobile Guardian.
Note: You can obtain the CREDANT API installer from CREDANT Technical Support. Install it, then begin the examination.

EnCase reviews your mounted files and looks for CREDANT encrypted data (the CredDB.CEF file). If it finds this data, a logon dialog displays.

1. The dialog populates with a known user name and password, Server, Machine ID, and the Shield CREDANT ID (SCID). CREDANT files are processed and decrypted with no further interaction, given that the credentials are correct.

The offline dialog is similar. The Online checkbox is blank and the Machine ID and SCID fields are unavailable.

2. Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to re-enter them.

The illustration below shows results of a successful decryption:
• The Tree pane shows a CREDANT folder
• The Table pane contains a list of decrypted files
• The Text pane shows contents of a decrypted file

The next illustration shows the same files as they appear encrypted.

Supported CREDANT Encryption Algorithms
EnCase's CREDANT decryption feature supports these encryption algorithms:
• AES128
• AES256
• 3DES
• Rijndael128
• Rijndael256
• Blowfish

CREDANT Encryption Support (Offline Scenario)
If the machine to be investigated is not on the network with the CREDANT server, you must obtain the CREDANT keys and store them in a location accessible to the Examiner machine.
Before you begin:
• You must install the CREDANT Library Installer to run the utility with the appropriate DLLs. You can obtain the installer from CREDANT technical support.
• You must have EnCase Decryption Suite installed on the Examiner dongle that will decrypt the CREDANT encrypted data.
• You must obtain the URL for the CREDANT Mobile Guardian (CMG) Device Server.
• You must obtain an Administrator user name and password. The CREDANT administrator must have Forensic Administrator privileges, as specified in the CMG Server Web Interface for CMG v5.4 and later servers. The administrator must have Security Administrator privileges for the v5.3 server.
• You must obtain the Administrator's login domain (for CMG 6.0 and later servers only), the Machine ID for the target device (MUID), the Shield CREDANT ID (SCID), the Username that the key material is being downloaded for, and the Password to use to encrypt the output .bin file.

1. At a computer that has communication to the CREDANT Server, run the utility CEGetBundle.exe from the Windows command prompt. CEGetBundle.exe is supplied by CREDANT in the CREDANT Library Installer, which also installs the DLLs necessary for the decryption. Copy the integration DLLs and MAC file to the target device as well.
   Supply the parameters as follows:
   CEGetBundle [-L] -X URL -a AdminName -A AdminPwd [-D AdminDomain] [-d Duid] [-s Scid] [-u Username] -o OutputFile -I OutputPwd

   -L           Legacy mode for working with pre-5.4 server installs
   URL          Device Server URL (for example, https://xserver.credant.com:8081/xapi)
   AdminName    Administrator user name
   AdminPwd     Administrator password
   AdminDomain  Administrator domain (optional: required only if the CMG Server is configured to support multiple domains)
   MUID         Machine ID for the target device (also known as the Unique ID or hostname)
   SCID         Shield CREDANT ID (also known as DCID or Device ID)
   Username     Name of the forensic administrator
   OutputFile   File to save the key material in
   OutputPwd    Password to encrypt the output file

2. Here is a command example:
   cegetbundle -L -X https://CredantServer:8081/xapi -a Administrator -A changeit -d CredantWorkstation.Credant.local -s CI7M22CU -u Administrator -o C:\CredantUserKeys.bin -i ChangeIt

3. Place the .bin file downloaded from the CREDANT server in a path accessible from the Examiner machine. Open EnCase and create a new case or open an existing one. You must have EnCase Decryption Suite installed on the Examiner machine that decrypts the CREDANT encrypted data.

Note: In legacy mode, you must execute this utility for each user targeted for investigation on the target device while specifying the same output file. The keys for each user are appended to this output file.

4. Acquire a device with CREDANT encrypted files, or load an evidence file into the case. The Enter Credentials dialog displays, prompting you for only the Username, Password, Server/Offline Server File, Machine ID, and Shield CREDANT ID (SCID) information.

Note: In Offline mode, the only information you must provide is the Password and Server/Offline Server File (full path and filename to the .bin file downloaded using the CEGetBundle.exe utility).

When EnCase decrypts CREDANT encrypted files, the key information is placed in Secure Storage in EnCase, and saved with the case. You do not have to re-enter this information.

CREDANT Files and Logical Evidence (L01) Files
To decrypt a CREDANT encrypted file you need the following:
1. The EnCase EDS module
2. The CredDB.CEF file residing in the folder. This is essential, since it contains the information needed to get to the decryption key.

In EnCase versions prior to 6.12, there are different scenarios for logical evidence files from prior versions of EnCase:
1. The file is encrypted and the CredDB.CEF file is missing from the same folder within the L01: the file cannot be decrypted.
2. The file is encrypted and the CredDB.CEF file is in the same folder: the file can be decrypted.
3. The file is decrypted and the CredDB.CEF file is missing: the file remains decrypted.
4. The file is decrypted and the CredDB.CEF stream is in the same folder: the file will be decrypted twice.

Note: The workaround in case 4 is to cancel the CREDANT Credentials dialog or delete the CREDANT keys from the secure storage.

From version 6.12 on, all the scenarios above are handled gracefully, because the CredDB.CEF file is added internally:
• If the file is encrypted, the CredDB.CEF stream is automatically stored with the file as metadata.
• If the file is decrypted, the CredDB.CEF stream is not automatically stored, as it is not needed. This does not prevent you from storing the stream by specifically saving it to the LEF.

Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.

CREDANT Encryption Known Limitation
Legacy mode is not supported with a CREDANT 6.x server.


S/MIME Encryption Support
The EnCase S/MIME Encryption Support provides the ability to decrypt S/MIME encrypted emails found in PST files. Email sent or received with the file extensions .pst, .mbox and .edb support the S/MIME PKCS#7 standard.
You must have PFX (PKCS#12 standard) certificates installed prior to parsing. PST, EDB, and MBOX mail containers are supported.
To decrypt S/MIME data:
1. Open or create a case and enter Secure Storage.
2. Right-click on a folder in the left pane. A drop-down menu displays.
3. Select Enter Items. The Enter Items dialog displays.
4. Select the Enter Mail Certificate tab.

Note: The only allowed certificate format is .PFX.

5. Enter the path to the PFX certificate and the password, then click OK.

The PFX cert is decrypted and stored in Secure Storage. S/MIME decryption and signature verification happen in the background. Given the proper password, the certificate is stored in Secure Storage under the Email Certificates folder. After you import the required certificates into Secure Storage, you can parse the email container files using the View File Structure feature in the Entry view.


S/MIME Email Certificate contents are displayed like this in Secure Storage:

When parsing is complete and successful, a directory list displays. In the illustration, the folder is entitled smime.p7m (S/MIME data comes as an attachment of the email). In Entries view, the text of the email is shown in the Text pane while the email's attachments appear in the Table pane.

View and work with content in the Records tab.

Troubleshooting a Failed S/MIME Decryption
If decryption fails, you can compare Entries view with Records view to try to find the error.
Entries view:

Records view:

Decrypting S/MIME Emails in an Evidence File Created in Windows Vista
You cannot decrypt S/MIME emails in an evidence file created in Windows Vista using an examiner installed on Windows XP or earlier. This is because the CryptoAPI on Vista (Cryptography Next Generation, or CNG) is not supported on XP. So if an evidence file created in Vista contains S/MIME emails, you should perform the examination to decrypt them on a Vista machine as well, given that proper certificates are available.

NSF Encryption Support
The Lotus Notes email client has security built into the product. Notes was the first widely adopted software product to use public key cryptography for client-server and server-server authentication and for encryption of data, and it remains the product with the largest installed base of PKI users.
The EnCase Suite can decrypt encrypted NSF documents and send them to recipients within the same Domino server.
Each server user has an ID file that contains the user's:
• encrypted private key
• public key
• password information
• password recovery information

The user also has an NSF file that represents the user's mailbox in 8.3 format in the default path <domino installation folder>\data\mail\<user>.nsf.


Recovering NSF Passwords
To retrieve the recovery password, you must have proper administrative rights on the Domino server.
1. Open the Domino Server.
2. Log in as the server administrator.
3. Click OK. The password ID list displays.
4. Click OK. The recovery password displays.
5. Click OK and define users authorized to generate recovery passwords.

Lotus Notes Local Encryption Support
EnCase can decrypt a local Lotus Notes user mailbox (NSF file suffix). The local mailbox is a replica of the corresponding encrypted mailbox on the Domino server.
Each Domino server user has a corresponding NSF file representing that user's mailbox in 8.3 format. The default path is <Domino Installation Folder>\Data\Mail\<user>.nsf. The Lotus Notes client is set up to use the local mailbox. Synchronization between the local and server mailboxes occurs according to a replication schedule determined by the Domino administrator.
Encryption of the local mailbox is not mandatory but it is advisable, because without encryption a person familiar with the NSF file structure could read email without needing Lotus Notes. Encryption occurs at block level.


Determining Local Mailbox Encryption
Look in the header (the first 0x400 bytes) at offset 0x282. If the byte is 0x1, the mailbox is locally encrypted.

Parsing a Locally Encrypted Mailbox
1. Obtain the corresponding ID file from the Domino server. All user ID files are backed up on the server either on disk as a file or in the Domino directory as an attachment to email.
2. Parse it using View File Structure, so that the private key is inserted in Secure Storage.
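The header check above and the SecureDoc MBR signature (WMSD) described earlier in this chapter can both be applied to raw bytes before a device is ever added to a case, which is useful when triaging many images. The Python below is an added example, not code from the EnCase manual or product: it tests the NSF header flag at offset 0x282, scans a first sector for WMSD (the manual does not state where in the MBR the signature sits, so the scan is offset-agnostic), and also looks for the -FVE-FS- OEM string that a BitLocker volume still shows in sector 0 when it has not been decrypted (the FVE-FS marker this chapter mentions under Unsuccessful Decryption). All buffers are constructed samples.

```python
from typing import Dict, Optional

SECTOR = 512
NSF_HEADER_LEN = 0x400          # NSF header size given in this chapter
NSF_ENCRYPTION_FLAG = 0x282     # byte == 0x01 when the mailbox is locally encrypted

# Signatures searched for in a first sector. WMSD is the SecureDoc MBR
# signature named in this chapter (exact offset not stated, so the search is
# offset-agnostic). -FVE-FS- is the OEM string a BitLocker volume still carries
# in sector 0 when decryption has not succeeded.
SIGNATURES = {
    "WinMagic SecureDoc": b"WMSD",
    "BitLocker (not decrypted)": b"-FVE-FS-",
}


def nsf_locally_encrypted(header: bytes) -> Optional[bool]:
    """None when the buffer is shorter than an NSF header, else the flag value."""
    if len(header) < NSF_HEADER_LEN:
        return None
    return header[NSF_ENCRYPTION_FLAG] == 0x01


def classify_first_sector(sector: bytes) -> Dict[str, object]:
    """Which known encryption signatures a first sector carries, and at what offset."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    hits = {}
    for name, sig in SIGNATURES.items():
        off = sector.find(sig, 0, SECTOR)
        if off >= 0:
            hits[name] = off
    return {"has_boot_signature": sector[510:512] == b"\x55\xAA", "signatures": hits}


def _sector(prefix: bytes, sig: bytes = b"", sig_off: int = 0) -> bytes:
    """Build a constructed 512-byte sample sector ending in the 55 AA marker."""
    buf = bytearray(SECTOR)
    buf[:len(prefix)] = prefix
    buf[sig_off:sig_off + len(sig)] = sig
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)


# Constructed samples: NSF headers with the flag set and clear, an MBR carrying
# WMSD at an arbitrary offset, a BitLocker volume boot sector, and a plain NTFS one.
SAMPLE_NSF_ENCRYPTED = bytes(0x282) + b"\x01" + bytes(NSF_HEADER_LEN - 0x283)
SAMPLE_NSF_PLAIN = bytes(NSF_HEADER_LEN)
SAMPLE_SECUREDOC_MBR = _sector(b"\x33\xC0", b"WMSD", 0x40)
SAMPLE_BITLOCKER_VBR = _sector(b"\xEB\x58\x90-FVE-FS-")
SAMPLE_NTFS_VBR = _sector(b"\xEB\x52\x90NTFS    ")


def triage(name: str, data: bytes) -> str:
    """One-line verdict for an NSF header or a first sector, for a quick listing."""
    if name.lower().endswith(".nsf"):
        return f"{name}: NSF locally encrypted = {nsf_locally_encrypted(data)}"
    report = classify_first_sector(data)
    sigs = ", ".join(f"{k}@0x{v:X}" for k, v in report["signatures"].items()) or "none"
    return f"{name}: boot signature = {report['has_boot_signature']}, encryption = {sigs}"


if __name__ == "__main__":
    for label, blob in [("mail.nsf", SAMPLE_NSF_ENCRYPTED), ("disk0.mbr", SAMPLE_SECUREDOC_MBR),
                        ("vol1.vbr", SAMPLE_BITLOCKER_VBR), ("vol2.vbr", SAMPLE_NTFS_VBR)]:
        print(triage(label, blob))
```

A hit from classify_first_sector only tells you which product's signature is present; the decryption itself still needs the credentials described in the relevant section (the SecureDoc key file and emergency disk folder, or the BitLocker recovery key or password).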


Encrypted Block
The example below shows an encrypted block at offset 0x22000:

The decryption algorithm uses a seed that is based on the basic seed from the header and the block offset.

Decrypted Block
Here is an example of a decrypted object map at offset 0x22000:

Locally Encrypted NSF Parsing Results
A successfully parsed locally encrypted NSF looks like this in Entry view:

If the corresponding ID file cannot be parsed successfully, the Secure Storage is not populated with the data needed to parse the locally encrypted NSF; thus, the Lotus volume is empty:


Windows Key Architecture
Windows has an elaborate key protection mechanism. The Syskey protects the policy key, the SAM key, and others. These keys protect the users' password hashes.

In Windows 2000, however, the Master Key is protected by the user's password hash with a mechanism that slows down any attack. The Master Key protects the user's private key. And the user's private key protects a key within the $EFS stream that allows for decryption of the EFS encrypted file.

Dictionary Attack
Software implementing this method normally uses a text file containing a large number of passwords and phrases. Each is tried in turn in the hope that one of the words or phrases in the file will decrypt the data involved.
A large number of dictionary files (sometimes called word lists) are on the Internet, or you can create your own list. Creating your own list may be preferable if the person under investigation has a particular interest, such as football.
There are freeware utilities on the Internet you can use to create a dictionary from combinations of letters, numbers, and characters up to a predefined length. Free Wordlist Generator (http://www.soft82.com/download/windows/freewordlistgenerator/) is one example.
EDS can attack NT-based user account passwords and cached netlogon passwords using a dictionary attack.


Built-in Attack
Specific items do have associated passwords. If they are not automatically retrieved, you can use a trial-and-error mechanism. This may or may not succeed.

Items that can be Attacked
• Local users
• Network users that logged on (cached domain users)
• Syskey (password mode only)
• Master Key, if the user's SAM or domain cache can't be accessed (due to corruption, account deletion or Syskey protection). This is much slower than attacking the Local/Network Users

External Attack
Local users can be attacked with third-party tools. There are freeware tools, and their performance is much greater than EnCase because they can run on many computers at the same time and/or use rainbow tables. EnCase can export the local users' password hashes in the PWDUMP format that most tools read. This is done from the User List.

User List
The User List of Secure Storage shows Local Users, Domain Users, Nix Users, and/or Nix Groups from the local machine or evidence file. Information such as:
• last logon date
• user SID
• NT hash
• LAN Manager hash
is also associated with each account.

Integrated Attack
There are three different sources for words to be tested:
• Internal passwords: These are the password items in the secure storage
• Dictionary words: The dictionary is a plain text file that can be in ANSI Latin-1 or UTF-16. Every word needs to be on its own line (it can contain any character, including spaces).
• Brute force: Automatically generates words from an alphabet with a length in a given range

There are four mutators that can be applied:
• Toggle Case: Tries all the upper/lower case variations
• Append Digits
• Prepend Digits
• Combine Words: The words are combined with each other. For example, if the dictionary contains the words old and dog, the result is these four words: old, dog, olddog, dogold

Brute Force Attack
A brute force attack works by trying to identify a password or passphrase by testing all possible combinations of the characters of an alphabet. This alphabet is in the text file pointed to by the alphabet path. This is a plain text file that can be in ANSI Latin-1 or UTF-16, where the first line uses all the characters. This can generate massive amounts of words to test.
An example of an alphabet (the first line of the alphabet file) is abcdefghijklmnopqrstuvwxyz01234567890().
Depending on the settings, a dictionary attack can test thousands of passwords contained in a dictionary file in a very brief time frame. It is usual to try a dictionary attack first and then progress to a brute force attack if the password(s) cannot be found.
Any information concerning the possible structure/character length of the password helps dramatically.


CHAPTER 16

Physical Disk Emulator

In This Chapter
Physical Disk Emulator
Using Physical Disk Emulator
Third-Party Tools
Boot Evidence Files and Live Systems with VMware
VMware/EnCase PDE FAQs
PDE Troubleshooting


Physical Disk Emulator
The EnCase Physical Disk Emulator (PDE) module allows investigators to mount computer evidence as a local drive for examination through Windows Explorer. The power of this feature is well articulated in many forums. Most notably, this allows investigators many options in their examinations, including the use of third-party tools with evidence served by the EnCase program.
We are committed to the concept of providing an integrated product to our customers. Third-party tools continue to be developed to complement the core functions and features of the EnCase program, and we encourage their creation and use. PDE allows third-party access to all supported computer evidence and file system formats. The EnCase program continues its evolution towards becoming a server of forensic data, whether in an image file, a preview of an offline computer or hard drive, or a live machine on a network.

Evidence File Formats Supported by EnCase PDE
EnCase PDE supports mounting of individual image files of hard drives and CDs, but not images or previews of the local forensic machine's hard drive. All image file formats and file systems that are supported by the EnCase software can be mounted with PDE. In addition, the following live computer forensic evidence is supported by PDE:
• Local machine preview of CDs
• Local machine preview of evidence hard drives through FastBloc FE and LE hardware write-blocking devices
• Crossover cable network preview of hard drives and CDs
• Parallel port preview of hard drives and CDs
• EnCase Enterprise and Field Intelligence Model (FIM) live network preview of hard drives and CDs

Using Physical Disk Emulator
Note: Do not, under any circumstances, attempt to use PDE to mount EnCase images or previews of the local forensic hard drives. Windows will blue screen if it detects multiple instances of the same drive. Use only evidence files of other machines.

Starting Physical Disk Emulator
To mount a device using the Physical Disk Emulator, you must add a physical or logical disk image to a case in the Entries subtab under Cases. PDE can only mount physical devices or volumes. If you select a menu item from a non-mountable level, the PDE configuration is limited to client mode.


Using PDE
1. Right-click the logical or physical drive, and select Mount as Emulated Disk.
2. The Mount as Emulated Disk dialog displays.

Configuring the PDE Client
PDE assigns a local port the first time you run PDE. Afterwards the port number is disabled and you cannot change it. To assign a new port number, close the Windows session and restart. PDE does not use any other options in the Server Info tab.


TospecifycacheandCDoptions,clicktheClientInfotab.

CacheOptions
Ifaphysicaldeviceorvolume(notaCD)isselected,decidewhethertocachedata.Bydefault,caching isdisabled.Usethewritecacheifprogramsneedtoaccessthefilesinanemulatedread/writemode. Ifcacheisenabled,changesmadebyprogramsaresenttoaseparatecachefilespecifiedonyourlocal system. 1. 2. 3. TocreateanewwritecachefileforanEnCaseDifferentialEvidenceFile,cleartheDisable cachingcheckbox. SelectCreatenewcacheintheCacheTypegroupandspecifyaWritecachepath. SelectUseexistingcacheandensuretheexistingwritecachefileisspecifiedintheWrite cachepathfield.

If you choose to use an existing cache path, make sure to use a write cache file that was created with the evidence you are currently mounting. Caching is necessary for PDE to function with VMware: the file additions and deletions made by the guest operating system are written to the cache file rather than to the evidence. This is used to boot the drive with VMware as described later in this section. Caching is also necessary when mounting certain volume types.

CD Options
If a CD is mounted, the CD Session to view option is enabled to specify which session on a multi-session CD should display in Windows. The default session is the last session on the active CD, which is the one normally seen by Windows.
1. To view a prior session, select that here.
2. Click OK to continue.
3. If a message displays saying the software you are installing has not passed the Windows Logo test, click Continue Anyway.

This allows Windows to add the evidence file as a drive with its own drive letter.


Note: If you intend to boot the emulated disk with VMware, record the physical device number reported when the disk mounts; you will need it in the New Virtual Machine Wizard.

Verify that the evidence file has been mounted with a drive letter by browsing in Windows Explorer. With the drive letter, you can apply third-party tools. When the disk is mounted, a sharing (hand) icon appears on the device in the EnCase interface.

Mounting Non-Windows Devices
Devices with file systems other than NTFS or FAT can be mounted using PDE; however, the volume cannot be seen by Windows (although the physical device can be seen in Disk Management). The process to mount such a device is the same as that used to mount an NTFS or FAT device.

Accessing the Local Disk in Windows Explorer
After mounting the disk with PDE in the EnCase interface, open Windows Explorer. The new volume is represented with a hard drive icon, assigned a volume letter, and labeled as a local disk.
Browse the mounted drive in Windows Explorer:
- To open hidden files, enable Show hidden files and folders in Windows Explorer by selecting Folder Options in the Tools menu.
- To view deleted files, system files, and unallocated clusters, mount the evidence file with the EnCase Virtual File System module instead (see Chapter 17); PDE presents only what Windows itself can see on the volume.

Files and folders on the mounted device can be accessed in Windows in the same manner as if the device were an additional drive, although changes will be written to cache (if in use) instead of to the device itself.

Saving and Dismounting the Emulated Disk
If write caching is enabled when mounting the device, you can save virtual changes made to the evidence file.
1. In the EnCase interface, right-click the drive mounted using PDE.
2. Select Save emulated disk state.

The cache is saved in the path specified for write caching. Each time after the initial save, an instance number is appended to the cache file. These cache files can later be used to remount the evidence in its saved state, but you must have all of the preceding cache files, located in the same directory.


To end the emulation:
1. Double-click the flashing Physical Disk Emulator indicator in the lower right of the application window.
2. Click Yes in the Thread Status window to cancel the disk emulation.

If caching was enabled when the evidence was mounted, a final cache dialog displays.

The purpose of the final cache is to create a compressed and merged Differential Evidence File (*.D01) containing the cached data. With the Save Emulated Disk State option selected, there are multiple cache files for the same mounted evidence session. The final cache merges all these files. If there is no need to save the final file, select Discard final cache.
Use the Differential Evidence File to open the evidence file and view the emulated disk with the cached changes applied.
To apply the cached data:
1. Right-click the device.
2. Select Mount as Emulated Disk.
3. Click the Client Info tab.
4. Clear the Disable caching checkbox.
5. Select Use existing cache.
6. Browse in the Write cache path field to find the *.D01 file.
After the disk mounts, Windows Explorer reflects the cached changes. When the device is dismounted, a status screen informs you whether the disk was dismounted successfully.


Closing and Changing the Emulated Disk
To mount a different drive, first dismount the currently emulated drive as previously described. You can then set a new mount point.
Note: Be sure to dismount evidence that is served through PDE before exiting. A reminder message appears if you attempt to close the case or the EnCase program while evidence is mounted with PDE.

Temporary Files Reminder
EnCase Forensic, Enterprise and FIM allow investigators to redirect temporary files to a Temp/Trash folder on a secondary hard drive for faster cleanup after an examination, and to prevent confidential or contraband materials from being redirected by Windows to the investigator's own temp folder on the operating system drive. When opening a file mounted with PDE in Windows Explorer with a third-party tool, the Windows operating system controls the temporary file creation on the operating system drive, so that redirection does not apply and the post-examination cleanup is more laborious. Check the Windows Temp folder after the examination.

Third-Party Tools
Investigators with the PDE Module can use Windows Explorer to browse the structure of computer evidence. They can also utilize third-party tools capable of requesting and interpreting data from Windows Explorer to examine evidence outside the EnCase program. Guidance Software does not certify the performance or accuracy of results obtained through any tools not developed by Guidance Software.

Using Third-Party Tools
The third-party tools and viewers available to the investigator for forensic examination are greatly expanded with EnCase PDE. To use a third-party tool, open the file as follows:
1. Double-click a file served by PDE to have Windows Explorer request and receive the data from the EnCase software.
2. Windows opens the data with the program assigned to the file extension.

Quick View Plus
A popular viewing program is Quick View Plus, which allows the investigator to view dozens of file formats without the native applications installed on the examination machine.

Malware Scanning
A common use for EnCase PDE is to mount computer evidence for scanning for viruses, Trojans, and other malware programs. First, mount the drive or volume from the evidence file through PDE. In Windows Explorer, select the newly mounted drive (F: in the example). If an antivirus program is installed and integrated with Windows Explorer, it can be used to scan for viruses. The program reads the emulated disk presented to Windows Explorer. The EnCase program serves the requested data to Windows Explorer, and then to the program for scanning. Set the scanner to report only: the evidence file is write-protected, so a quarantine or repair action would at most alter the write cache and would not be reflected in the evidence.


Boot Evidence Files and Live Systems with VMware
Initial Preparation
For the Physical Disk Emulator to work properly, VMware version 4.5.1, build 7568 or later is required. To use VMware to mount an evidence file:
1. Determine the operating system of the subject evidence file using the following methods:

a. Use the Windows Initialize Case module from the Case Processor EnScript program to determine the operating system.

b. Check the contents of the boot.ini file, which is located on the partition root (NT-family systems only: Windows NT, 2000, XP and Server 2003 use boot.ini; Windows 9x has none, and Windows Vista and later use a BCD store instead).
c. Examine the folder structure, noting the following:
- Windows 2000, XP, and 2003 Server all use the C:\Documents and Settings folder for user profiles and folders.
- Windows NT and 2000 use the C:\WINNT folder for the system root.
- Windows 9X, XP and 2003 Server use the C:\Windows folder for the system root.
2. Mount the physical disk containing the operating system using Physical Disk Emulator. Make sure to enable caching.
3. Determine what physical disk number has been assigned to it using one of these methods:
- This information is provided when the device is mounted.
- Select the Disk Management option by right-clicking My Computer in Windows, then select Manage.
Note: There is currently an issue with VMware that prohibits VMware from booting a virtual machine located on a physical disk that is preceded numerically by a SCSI, FireWire, or USB drive. For best results, ensure that only IDE drives are plugged into the machine when you choose to mount as an emulated disk in the EnCase interface. This is easy to verify in Disk Management. If you encounter a message stating, "The specified device is not a valid physical disk device", it is most likely as a result of this issue. Do not use PDE to mount drives in an evidence file or preview of the local computer. Windows, particularly XP, will blue screen if it detects multiple instances of the same drive. Use only evidence files of other machines.
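The checklist in steps 1b and 1c (boot.ini contents, then folder layout) can be automated against the drive letter PDE assigned. The following Python script is an added example written for this guide; it is not EnCase code or a Guidance Software tool. Point detect_windows_version() at the mounted volume root (for example "F:\\"). The XP-style volume that demo() builds in a temporary directory is constructed for illustration, and the verdict labels are this example's own.

```python
"""Infer the Windows version of an evidence volume from its boot.ini and
folder layout, automating the manual's checklist (steps 1b and 1c above).

Example code added to this guide; not part of EnCase or any Guidance
Software product.  The sample volume built by demo() is constructed.
"""
import os
import re
import tempfile

# Display strings in boot.ini's [operating systems] section carry the product
# name.  Checked in this order so "Server 2003" is not misread as plain "XP".
BOOT_INI_HINTS = [
    (r"Server 2003", "Windows Server 2003"),
    (r"Windows XP", "Windows XP"),
    (r"Windows 2000", "Windows 2000"),
    (r"Windows NT", "Windows NT"),
]


def parse_boot_ini(text):
    """Return the quoted OS display names from the [operating systems] section."""
    names = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[operating systems]"
            continue
        if in_section and "=" in line:
            # e.g. multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
            _, value = line.split("=", 1)
            quoted = re.search(r'"([^"]*)"', value)
            names.append(quoted.group(1) if quoted else value.strip())
    return names


def classify_layout(entry_names):
    """Apply the folder-structure rules of step 1c to a root directory listing.
    Names are compared case-insensitively, as Windows does."""
    names = {n.lower() for n in entry_names}
    has_profiles = "documents and settings" in names
    if "winnt" in names:
        return "Windows 2000" if has_profiles else "Windows NT"
    if "windows" in names:
        return "Windows XP or Server 2003" if has_profiles else "Windows 9x"
    return "unknown"


def detect_windows_version(root):
    """Combine boot.ini (preferred) and folder layout (fallback) for a volume
    root.  Returns (verdict, observations) so the reasoning can be reported."""
    observations = []
    entries = os.listdir(root)
    boot_ini = next((e for e in entries if e.lower() == "boot.ini"), None)
    if boot_ini:
        with open(os.path.join(root, boot_ini), "r", errors="replace") as fh:
            listed = parse_boot_ini(fh.read())
        observations.append("boot.ini entries: " + "; ".join(listed))
        for entry in listed:
            for pattern, verdict in BOOT_INI_HINTS:
                if re.search(pattern, entry, re.IGNORECASE):
                    return verdict, observations
    # Windows 9x, Vista and later have no boot.ini: fall back to folder layout.
    verdict = classify_layout(entries)
    observations.append("folder layout -> " + verdict)
    return verdict, observations


def demo():
    """Build a constructed XP-style volume root in a temp dir and classify it."""
    root = tempfile.mkdtemp(prefix="pde-sample-")
    os.mkdir(os.path.join(root, "Documents and Settings"))
    os.mkdir(os.path.join(root, "WINDOWS"))
    with open(os.path.join(root, "boot.ini"), "w") as fh:
        fh.write(
            "[boot loader]\n"
            "timeout=30\n"
            "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\n"
            "[operating systems]\n"
            'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS='
            '"Microsoft Windows XP Professional" /fastdetect\n'
        )
    return detect_windows_version(root)


if __name__ == "__main__":
    verdict, why = demo()
    print(verdict, why)
```

Treat the verdict as a lead for choosing the Guest Operating System in the wizard, not as proof: a boot.ini can list several installations, and a volume that holds only a data partition will come back "unknown".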

New Virtual Machine Wizard
To boot evidence files using VMware:
1. After you have gathered the needed information, launch VMware.
2. Select New Virtual Machine from the File menu.
3. At the New Virtual Machine Wizard screen, click Next.

4. Select Custom, then click Next.


5. Select the appropriate Guest Operating System radio button.

6. Select an operating system from the Version drop-down menu to identify the operating system version installed on the evidence file, then click Next.
7. In the Name the Virtual Machine dialog, enter a virtual machine name.

As an option, you can click Browse to change the location for VMware's configuration files.
8. Click Next.

9. Assign the amount of memory for VMware to use, then click Next.

10. Select the type of network to use, then click Next.
Select Do not use a network connection. The machine the evidence file was created from may have malware installed, and an isolated virtual machine keeps it from reaching the examination network or the Internet.

11. Accept the default setting in the Select I/O Adapter Types dialog, then click Next.

12. Select Use a physical disk (for advanced users). Ignore any subsequent warning messages.
13. Select the disk that represents the drive mounted using PDE.

14. Accept the default setting of Use Entire Disk, then click Next.


15. Use the default disk file specified in the Specify Disk File dialog, then click Finish.
If the disk file is not recognized as a virtual machine, you can change the name of the file (taking care to leave the .vmdk extension).

VMware returns to the main screen, showing the newly created virtual machine.

Boot the Virtual Machine
Boot the virtual machine by starting VMware and performing the following:
1. Click the link for Start this virtual machine next to the green arrow.
The evidence file is write-protected by the EnCase program, but PDE enables a write cache that interacts with VMware as if it were mounting a disk in read/write mode.

When the virtual machine starts, the operating system is shown as if the forensic machine was booting the drive. It boots in the same manner as the native machine.
2. As with booting restored hard drives, the virtual machine may require a username and password to proceed.
3. Since pop-ups (such as AOL Instant Messenger) may cause driver problems, save the state of the virtual machine regularly.


VMware/EnCase PDE FAQs
Can live evidence be booted with VMware?
Live computer evidence (network nodes in the EnCase Enterprise program and local CDs) can be mounted with PDE but cannot be booted with VMware.

What version of VMware should be used with EnCase PDE?
PDE/VMware integration requires VMware Workstation version 4.5.1 (build 7568) or higher, as stated under Initial Preparation.

Why won't VMware recognize an emulated (mounted) disk?
You must launch VMware after emulating the disk with PDE, as VMware will not recognize a physical drive that has been added since it was started. In addition, VMware will not successfully boot evidence files which contain Windows with a non-default IDE driver. This is a known issue. Additional information is available at http://www.vmware.com/support/kb/enduser/std_adp?p_faqid=36.

What do I do if I see the message "The file specified is not a virtual disk" after running the New Virtual Machine wizard?
Occasionally after completion of the New Virtual Machine wizard in VMware, an error message (The file specified is not a virtual disk.) may be encountered. This issue is with VMware, not the EnCase program. Running the New Virtual Machine Wizard again usually resolves this issue.

How do I start a VMware machine with my saved EnCase Differential File?
Mount the disk with PDE using the existing cache file (the *.D01 Differential Evidence File, as described under Saving and Dismounting the Emulated Disk), then create and start the virtual machine as described above.

Why does VMware not recognize some physical disks?
If your evidence is successfully mounted, but VMware states that the physical disk that the image is mounted on is not a valid physical disk, it may be a result of a non-IDE device on a lower physical device number than the emulated disk.

Windows XP keeps popping up windows about installing drivers when I boot.
The EnCase PDE Module installs GSI-specific IDE drivers to be loaded in order to emulate the disk as a drive within Windows with an assigned drive letter. A virtual IDE controller is created that can be seen in Device Manager. If Windows is allowed to load default IDE drivers, the module will not work properly. You can prevent this by canceling the attempt from the pop-up window. Once you have bypassed this message, you can save the state so that the next time the system is rebooted, Windows will not attempt to load the drivers again.


How do I restart a VMware session from a saved state?
VMware's suspend and resume feature allows you to save the current state of your virtual machine, then resume later with the virtual machine in the same state it was when you stopped it. Once you resume and do additional work in the virtual machine, there is no way to return to the state the virtual machine was in at the time you suspended it. To preserve the state of the virtual machine so that you can return to the same state repeatedly, you would need to take a snapshot. Instructions for using the snapshot are available at VMware's website at http://www.vmware.com/support/ws45/doc/preserve_snapshot_ws.html. The speed of the suspend and resume operations depends on how much data has changed while the virtual machine has been running. In general, the first suspend operation takes a bit longer than later suspend operations do. When you suspend a virtual machine, a file with a .vmss extension is created. This file contains the entire state of the virtual machine. When you resume the virtual machine, its state is restored from the .vmss file.
To suspend a virtual machine:
1. If your virtual machine is running in full screen mode, return to window mode by pressing Ctrl+Alt.
2. Click Suspend on the VMware Workstation toolbar.
3. When VMware Workstation has completed the suspend operation, it is safe to exit VMware Workstation (Exit from the File menu).

Resume a virtual machine as follows:
1. Start VMware Workstation and choose a virtual machine you have suspended.
2. Click Resume on the VMware Workstation toolbar.
Note that any applications you were running at the time you suspended the virtual machine are running and the content is the same as it was when you suspended the virtual machine.
Additional VMware troubleshooting is available from their knowledge base at http://www.vmware.com/support/kb/enduser/std_alp.php?


PDE Troubleshooting
Physical Disk Emulator is not listed under modules when accessing About EnCase from the Help menu
- If you are using cert files, check to see that the PDE certificate is located in the Cert directory (typically C:\Program Files\EnCase6\Certs).
- Make sure the security key is installed and working properly (check the title bar to ensure that the program is not in Acquisition mode).
- If you are using cert files, check the security key ID to ensure that it is the correct one for which the certificate was issued.

I can mount a device locally, but cannot set up a local server
Although menus exist for PDE Server operation, it is not currently functional.

A message is encountered stating that PDE cannot remove the device when attempting to dismount the mounted device
The error message may occur if Windows is accessing a file on the mounted device (for example, the directory is opened in Windows Explorer or a file is opened in a third-party application). To resolve the issue, close all Windows applications accessing the mounted device, then click OK.

An error message is encountered stating that you need to reboot your machine, followed by a "Rejected connection" message
This issue is due to the device driver not being released properly. The only way to resolve this issue is to close all applications (including the EnCase application) and reboot the forensic machine. You should not encounter the error again when the machine is rebooted.
Note: If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.

CHAPTER 17

Virtual File System


InThisChapter
Virtual File System
Mounting Evidence with VFS
Dismount the Network Share
Accessing the Share
Third-Party Tools
VFS Server
Troubleshooting


Virtual File System
The Virtual File System (VFS) module allows investigators to mount computer evidence as a read-only, offline network drive for examination through Windows Explorer. The value of this feature is that it allows investigators multiple examination options, including the use of third-party tools with evidence served by the EnCase program.
We are committed to the concept of providing an integrated product to our customers. Third-party tools will continue to be developed to complement the core functions and features of the EnCase program, and we encourage their creation and use. VFS allows third-party access to all computer evidence and file system formats supported by the software.
For our customers using the EnCase Forensic program, the VFS module has the added power of enabling use of third-party tools against hard drives previewed through a FastBloc device or a crossover cable, including deleted files. For customers using the EnCase Enterprise program, VFS allows use of third-party tools against live machines on the network using best practices, since the operating system is bypassed.

Evidence File Formats Supported by VFS
VFS supports mounting any data that is visible in a case. All image file formats and file systems that are supported by the EnCase software can be mounted with VFS.

Mounting Evidence with VFS
The VFS Module is able to mount computer evidence supported by the EnCase program as an offline read-only network drive in Windows Explorer. You can mount evidence at the disk/device, volume, or folder level; however, only one mounting point can be designated at a time. If you want to change the mounting point, you need to dismount the evidence and mount at a new level to include the desired devices. The levels are:
- Case level: Mounting from case level is not supported by VFS.
- Disk/Device level: Mounts a single physical disk or device, with access to all volumes on the disk or device.
- Volume level: Mounts a single volume/partition on a physical disk.
- Folder level: The lowest level you can mount is at the folder level. This mount level is helpful to examine files in paths that exceed the Windows limit of 260 characters (MAX_PATH) in the full path and name of a file, because the path below the mount point is shortened.
Using the Server extension, you can also mount evidence to be shared with other investigators through the local area network. The Virtual File System Server is discussed later in this manual.

Mounting a Single Drive, Device, Volume, or Folder
Only one mount point can be designated at a time; to include other data, a mount point must be selected that is in a parent relationship to both areas of data to be mounted.


To mount a single drive or device in a case file, or a single volume or folder on a drive, right-click the drive, device, volume or folder, and select Mount as Network Share.

Mount Network Share Options
On the Server Info tab of the Mount as Network Share window, most of the server info is disabled when establishing a local server. The only exception is the local port. VFS defaults to establishing a local server, which is the option used when using VFS on the local machine.
Since VFS is mounting the evidence as a network shared drive, a local port must be assigned. To allow recovery from errors in Windows, such as a crash while using third-party tools as described later in this manual, the VFS service runs for the life of the Windows session. This means that the port number can be assigned the first time the VFS service is run to mount evidence. Afterwards the port number is grayed out with the assigned port number unchangeable:
1. On the Server Info tab, set the local port or use the default setting.
2. Adjust the Max. clients allowed, up to the maximum number of clients purchased for VFS.
Note: To assign a new port number, the Windows session must be closed, such as through a reboot.

3. Click the Client Info tab to set the volume letter to be assigned to the network share in Windows Explorer.

4. The default setting allows Windows Explorer to assign the next available volume letter, or you can set any other letter that is currently not assigned.


Assigning a specific volume letter can be useful when attempting to virtually reconstruct a mapped network drive, such as for a database:
- If you currently have mapped networked drives or if you let Windows assign the drive letter, it takes a few seconds to query the system to find an available drive letter.
- If you specified a volume letter, and it is available, the mounting is virtually instantaneous.
A confirmation pop-up window informs you that the mount was successful, with the volume letter. The shared hand icon appears at the level you designated as the mount point for the shared drive.

Compound Files
Many compound files, including Microsoft Word, Excel, Outlook Express, and Outlook files, can be mounted in the EnCase interface. To do this:
1. Right-click the file.
2. Select View File Structure.
In the example, a Microsoft Word .doc file is mounted. The device is then mounted with VFS at the device level.

3. Mount the drive, volume, or folder containing the file with VFS by right-clicking it and selecting Mount as Network Share, as described above for single items.

4. View the mounted file as a folder in Windows Explorer, where the compound file structure can be browsed.

VFS is a dynamic engine and will serve the data as it is presented by the EnCase software.
To view the original Word document file:
1. Close the mounted compound file.
2. In Windows Explorer, refresh the screen using the F5 key.
If you have currently selected data within the compound file, an error message reports that the data is no longer available, since it was closed inside of the EnCase program.
3. Select the parent folder of the file to view and open the file.

Encrypting File System
Decrypted files can be viewed within Windows when you use VFS in conjunction with the EnCase Decryption Suite (EDS) module. The evidence containing the decrypted files and folders can be mounted with VFS for viewing the decrypted data within Windows Explorer, and with third-party tools.
For information on using the EDS Module to decrypt EFS-protected files and folders, see the EDS Module chapter of this document.

RAIDs
RAIDs mounted inside the EnCase program can be browsed in Windows Explorer. In the example, a software RAID 5 comprised of three drives was mounted and then made available for browsing in Windows Explorer with VFS.


Deleted Files
The VFS module allows investigators to view deleted and overwritten files in Windows Explorer. An investigator may locate a file in Windows Explorer to view or analyze, but find that it is not possible to open it. This is expected for a deleted file whose clusters have since been reallocated: the directory entry survives, but part of the content has been overwritten. If a file does not open, review the original data in the EnCase interface to see if the file is indeed valid and is not corrupted or partially overwritten.

Internal Files and File System Files
The EnCase application organizes some data on devices into virtual logical files to allow for better organization and searching. Examples include Unallocated Clusters and Volume Slack on a volume, and Unused Disk Area on a physical drive. Hidden file system files are also available, such as the $MFT, FAT, or Inode Table directories on NTFS, FAT, and *nix file systems.

RAM and Disk Slack
VFS serves the actual logical files on devices along with virtual logical files it organizes for investigators. The physical files are not served, as Windows Explorer would not interact with the file data correctly if the entire physical file was served. For investigators, this means the RAM (sector) slack and drive (file cluster) slack are not available to third-party tools through VFS in Windows Explorer as a single file. There are, however, two ways to access the data in slack with third-party tools.
The first method is to load a device without parsing the file system:
1. Launch the EnCase application.
2. Open a new case.
3. Load the device by clicking Add Devices.
4. Right-click the device and select Edit.
5. In the Device Attributes window, clear the check from the Read File System box.


When the device is loaded into the EnCase program, the partition and file system are not read and interpreted. The entire device can then be mounted with VFS and be available for examination in Windows Explorer as Unused Disk Area, including slack space.

Another option is to copy only the slack area from evidence to the examination computer as a logical file:
1. Select the device(s) where you want to examine the slack space.
2. Right-click the selection and select Copy/UnErase.
3. The Copy/UnErase dialog displays.

4. Select the All selected files radio button under From, and the Merge into one file radio button under To, then click Next.

5. In the Copy section of the Options screen, select RAM and Disk Slack to copy the RAM slack (also known as sector slack) and the Disk Slack (also known as cluster slack).
6. Select the appropriate Character Mask option for non-ASCII characters, or leave the default, and click Next.

7. Set the destination path and the name of the file to contain the slack, then click Next.

8. Click OK in the Copying files dialog that displays at the end of the copying process.


The file containing the slack from the evidence is now available for examination by third-party utilities on the local examination machine. In the example, the file is open in WordPad.
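To see what the RAM and Disk Slack option actually collects, the following Python example (added to this guide; not EnCase code) lays out where sector slack and cluster slack fall in a file's last cluster and recovers residue from a constructed cluster in which a deleted memo was partly overwritten by a smaller file. The 512-byte sector, 4 KiB cluster, the memo text and the zero-filling of the last sector on write are this example's constructed inputs and modelling assumptions.

```python
"""Where RAM (sector) slack and disk (cluster) slack sit in a file's last
cluster, and what a "RAM and Disk Slack" copy extracts.

Example code added to this guide; not part of EnCase.  The cluster contents
below are constructed to show residue from an earlier, larger file surviving
in the slack of a smaller file written over it.
"""


def slack_regions(logical_size, cluster_size, sector_size=512):
    """Return (ram_slack, disk_slack, allocated) in bytes for one file.

    RAM slack: from the end of the logical data to the end of its last sector.
    Disk slack: the whole unused sectors that remain in the last cluster.
    """
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a multiple of the sector size")
    if logical_size == 0:
        return 0, 0, 0  # nothing allocated, so no slack
    sectors_used = -(-logical_size // sector_size)   # ceiling division
    clusters_used = -(-logical_size // cluster_size)
    allocated = clusters_used * cluster_size
    ram_slack = sectors_used * sector_size - logical_size
    disk_slack = allocated - sectors_used * sector_size
    return ram_slack, disk_slack, allocated


def extract_slack(allocated_bytes, logical_size):
    """Slack is everything in the allocated clusters past the logical end."""
    return allocated_bytes[logical_size:]


def write_file_into_clusters(old_clusters, new_data, sector_size=512):
    """Model a modern Windows write (assumption): the new data is laid down,
    the rest of its final sector is zero-filled (so RAM slack reads as zeros),
    and the remaining sectors of the cluster keep the previous occupant's bytes."""
    ram_slack, _, _ = slack_regions(len(new_data), len(old_clusters), sector_size)
    written = new_data + b"\x00" * ram_slack
    return written + old_clusters[len(written):]


def printable_runs(data, minimum=8):
    """Pull out ASCII runs of at least `minimum` characters, like a strings sweep."""
    runs, current = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            current.append(byte)
        else:
            if len(current) >= minimum:
                runs.append(current.decode())
            current = bytearray()
    if len(current) >= minimum:
        runs.append(current.decode())
    return runs


def demo(cluster_size=4096, sector_size=512):
    """Constructed: a 4 KiB cluster once held a deleted memo; a 1300-byte file
    is written over it.  Return the regions and the strings left in its slack."""
    memo = b"CONSTRUCTED DELETED MEMO: wire transfer to account 4711 on Friday. "
    old_cluster = (memo * 70)[:cluster_size]
    new_file = b"Q" * 1300                     # live file, logical size 1300
    cluster = write_file_into_clusters(old_cluster, new_file, sector_size)
    slack = extract_slack(cluster, len(new_file))
    return {
        "regions": slack_regions(len(new_file), cluster_size, sector_size),
        "slack_len": len(slack),
        "strings": printable_runs(slack),
    }


if __name__ == "__main__":
    print(demo())
```

The split matters when reading results: the RAM slack of a file written by a modern Windows system is normally zeros, while the disk slack beyond it is untouched and is where the remnants of earlier files are found.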

Other File Systems
VFS can mount file systems other than those natively supported by Windows. One example is a Macintosh OS X drive mounted with VFS.

Another is the Windows representation of a Palm volume mounted in VFS.


ext2, ext3, UFS, and Other File Systems
Unix, Linux and BSD devices can be mounted in Windows Explorer with VFS. One limitation is the forward slash (/) used in *nix file systems. The forward slash is an invalid character in Windows file names and cannot be displayed in the full path for Windows Explorer. For this reason, the forward slash is represented by the high dot (·). For example, the / (root) partition is represented by the high dot, and the /home partition is represented by ·home.

In another example, the / (root) partition of a Solaris workstation is mounted and the parent folder name (the partition name) is displayed as the high dot.

Note: Windows has a limit of 260 characters (MAX_PATH) in a full path and file name. This limitation may impact some examinations in Windows Explorer, especially for Unix and Linux devices with deeply nested paths. In this situation, the investigator may need to mount at the partition or folder level.

Dismount the Network Share
To dismount the network share, do the following:
1. Double-click the thread bar at the bottom right of the interface that reads Virtual File System, then click Yes.

2. In the confirmation that the evidence was successfully dismounted, select any status saving options and click OK.

Changing the Mount Point
You can only view one mount point at a time. To change the location of the mount point, you must close the current mount point and open a new one.
Note: Be sure to dismount evidence that is served through VFS before closing the EnCase program. A reminder message appears if you attempt to close the case or the EnCase program while evidence is mounted with VFS.

Accessing the Share
Using the EnCase Interface
Unique Name Column
A Unique Name column displays in Table view for the VFS Module. The column identifies the file name given to a file served from the EnCase program and displayed in Windows Explorer through VFS. The unique name overcomes the Windows limitation of not allowing multiple files to share the same file name as siblings in the same parent folder (for example, a deleted file listed beside a live file of the same name). The column is empty when the evidence is first mounted with VFS, but is populated when the share is accessed in Windows Explorer.
When an investigator selects a folder in Windows Explorer, the data is served by the EnCase program and displayed in Windows Explorer. As the directories are browsed in Windows Explorer, the file names are populated in the Unique Name column, so an investigator can determine which file he or she is examining. The EnCase program appends a pound sign (#) to the end of duplicate file names within the same folder in Windows Explorer.
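The naming rules described here and in the ext2, ext3, UFS section above (forward slash to high dot, a pound sign appended to duplicate sibling names, the MAX_PATH limit) are reproduced in the following Python example, added to this guide and not EnCase's own implementation. Treating names that differ only in case as a collision, and the Z: share root, are this example's assumptions.

```python
"""How *nix names are presented through a VFS share: '/' becomes the high
dot, duplicate siblings are told apart with '#', and the full Explorer path
is checked against MAX_PATH.

Example code added to this guide; not EnCase's implementation.  The
case-insensitive collision rule and the Z: share root are assumptions.
"""
HIGH_DOT = "\u00b7"   # the manual's substitute for the forward slash
MAX_PATH = 260         # Windows limit on a full path, counting the terminating NUL


def vfs_name(name):
    """Replace every forward slash with the high dot: '/' becomes a lone high
    dot (the root partition), '/home' becomes '·home'.  Other characters that
    are legal on *nix but reserved on Windows are left alone here, because the
    manual documents only the slash substitution."""
    return name.replace("/", HIGH_DOT)


def unique_names(siblings):
    """Assign the names Explorer will show for one folder's entries.

    The EnCase entries may hold several siblings with the same name, most
    commonly a deleted file listed beside a live file that replaced it.  Windows
    also treats names differing only in case as the same name, so 'Makefile'
    and 'makefile' collide too (this example's assumption).  Each collision
    gets one '#' appended per earlier clash, matching the Unique Name column.
    Returns (original name, unique name) pairs in listing order.
    """
    taken = set()
    result = []
    for original in siblings:
        candidate = vfs_name(original)
        while candidate.lower() in taken:
            candidate += "#"
        taken.add(candidate.lower())
        result.append((original, candidate))
    return result


def explorer_path(share_root, components):
    """Build the Windows path for a nested entry and flag MAX_PATH overruns.

    share_root is the mapped drive, e.g. 'Z:'; components are the *nix path
    elements from the mount point down, root partition included.
    Returns (path, fits) where fits is False when Explorer cannot address it.
    """
    mapped = [vfs_name(c) for c in components]
    path = "\\".join([share_root.rstrip("\\")] + mapped)
    fits = len(path) + 1 <= MAX_PATH   # +1 for the NUL that MAX_PATH counts
    return path, fits


def demo():
    """Constructed /etc listing with a deleted duplicate and a case clash, plus
    one path that is too deep for Explorer."""
    listing = ["passwd", "passwd", "shadow", "Makefile", "makefile"]
    names = unique_names(listing)
    path, fits = explorer_path("Z:", ["/", "etc", "passwd"])
    deep_path, deep_fits = explorer_path(
        "Z:", ["/"] + ["very_long_directory_name_" * 2] * 6 + ["file"])
    return names, path, fits, deep_fits


if __name__ == "__main__":
    print(demo())
```

When a path does not fit, the remedy is the one the note above gives: mount lower, at the partition or folder level, so the share root absorbs the leading components.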


Using Windows Explorer
After mounting the shared network drive with VFS, open Windows Explorer. The new share is represented with a network drive icon and assigned the appropriate volume letter. The name of the share is gsisvr (for Guidance Software, Inc. Server).

Several operations are then possible, including the following:
- Browse the mounted case and associated devices in Windows Explorer.
- Open hidden and deleted files if Show hidden files and folders is enabled in Windows Explorer using the Folder Options in the Tools menu.

- Use the thumbnail viewer in Windows Explorer to view images in the manner seen by the original user.


Third-Party Tools
Using VFS, investigators can examine evidence outside the EnCase program by utilizing third-party tools capable of requesting and interpreting data from Windows Explorer. However, Guidance Software does not certify the performance or accuracy of results obtained through any tools not developed by Guidance Software.

Malware Scanning
A common use for VFS is to mount computer evidence to scan for viruses, Trojans, and other malware programs:
1. Mount the evidence through VFS either locally on the examination machine, or remotely through VFS Server. You can mount the evidence at the device, volume, or folder levels as described previously. The shared hand icon indicates the level of the virtual file system mount.
2. In Windows Explorer, select the gsisvr offline network drive.
3. Use antivirus software to scan the drive. Set the scanner to report only rather than clean, since the share is read-only and the scanner cannot modify what it finds.

In the example, the Scan for Viruses option from Symantec AntiVirus is run by right-clicking the drive.

The antivirus software can read the Virtual File System presented to Windows Explorer. The requested data is served by the EnCase program to Windows Explorer, and then to the program for scanning. In this case, the MyDoom virus was found on the computer evidence mounted with VFS.

The examination reports and logs generated by the third-party tools can then be reviewed and included in the investigator's investigative report.
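A third-party check need not be a commercial scanner. The following Python example, added to this guide and not part of EnCase or any antivirus product, sweeps a mounted share for files whose SHA-256 matches a set of known-bad hashes while tolerating entries that cannot be read (as deleted or partially overwritten files served through VFS may not be, per the Deleted Files section). The sample tree, the "malicious" bytes and the hash set it builds are constructed; point scan_tree() at the gsisvr drive letter to run it against real evidence.

```python
"""Hash-based sweep of a mounted evidence share with a known-bad SHA-256 set.

Example code added to this guide; not part of EnCase or any antivirus
product.  The sample tree and IOC hash set built by demo() are constructed.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large evidence files are not loaded whole


def sha256_of(path):
    """Stream a file's SHA-256; raises OSError if the share cannot serve it."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, known_bad):
    """Walk root, hash every regular file, and match against known_bad.

    Returns {'hits': [(path, sha256)], 'errors': [(path, reason)], 'scanned': n}.
    Unreadable entries are recorded, not fatal: a deleted file served through
    VFS may have lost clusters.  The scan only reads, which is all a read-only
    share permits.
    """
    report = {"hits": [], "errors": [], "scanned": 0}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError as exc:
                report["errors"].append((path, str(exc)))
                continue
            report["scanned"] += 1
            if digest in known_bad:
                report["hits"].append((path, digest))
    return report


def demo():
    """Constructed tree: a benign file, a file whose hash is in the IOC set,
    and a dangling link standing in for an entry VFS cannot serve."""
    root = tempfile.mkdtemp(prefix="vfs-sample-")
    desktop = os.path.join(root, "Documents and Settings", "user", "Desktop")
    os.makedirs(desktop)
    with open(os.path.join(desktop, "notes.txt"), "wb") as fh:
        fh.write(b"meeting at noon\n")
    bad_bytes = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE-" * 4   # constructed stand-in
    system32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(system32)
    with open(os.path.join(system32, "svch0st.exe"), "wb") as fh:
        fh.write(bad_bytes)
    known_bad = {hashlib.sha256(bad_bytes).hexdigest()}
    try:
        os.symlink(os.path.join(root, "does-not-exist"),
                   os.path.join(system32, "unreadable.dll"))
    except OSError:
        pass  # symlinks need privileges on some Windows hosts; skip the unreadable case
    return scan_tree(root, known_bad)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keep the error list in the report alongside the hits: an entry the scanner could not read is a finding about the evidence (something was deleted or overwritten there), not just noise.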


Other Tools and Viewers
The third-party tools and viewers available to the investigator for forensic examination are greatly expanded with VFS. To use them, double-click a file served by VFS to open the data with the program assigned to its file extension.

Assigning a File Extension to a Program
To assign an associated program to an extension:
1. Select Folder Options from the Windows Explorer Tools menu.

2. In the Folder Options window, click the File Types tab.
3. Select the desired extension; the Details for section lists the program designated for that extension. In this example, JPEG files open with Adobe Photoshop CS.
4. Click the Change button.

5. Select or browse to the new program.


Unix or Linux Files
Some files, like those in Unix and Linux, do not have file extensions. To view them:
1. Right-click the file and select Open.
2. In the Open With window, select the desired application from the Programs list and click OK.
3. If the application is not listed, click Browse to find the application executable, or allow Windows to search the Internet (if connected).
4. Click Other if the appropriate application is not available.
WordPad can open most text-based files to allow you to view the contents. In the example, a Linux file is opened with WordPad in Windows Explorer from an evidence file mounted with VFS.

Quick View Plus
Another popular viewing program, Quick View Plus, can be used to view dozens of file formats without the native applications installed on the examination machine.


Temporary Files Reminder
The EnCase program allows investigators to redirect temporary files to a Temp/Trash folder on a secondary hard drive for faster cleanup after an examination, and to prevent confidential or contraband materials from being redirected by Windows to the investigator's own temp folder on the operating system drive. When a file mounted with VFS in Windows Explorer is opened with a third-party tool, the Windows operating system controls the temporary file creation on the operating system drive. Remember to check the Windows Temp folder to perform any necessary post-examination cleanup.

VFS Server
The VFS Module has a server extension so that investigators can share the mounted evidence with other investigators on the local area network/intranet through VFS. The extension enables a number of clients to mount the network share served by the VFS Server through a network connection under these conditions:
- Only the machine that is running the VFS Server needs a security key inserted. A security key is not required to connect to the VFS Server and access the served data in Windows Explorer.
- The client machine(s) must have the EnCase program installed to access the VFS client drivers, but can run in Acquisition mode.
- The number of clients that can connect to the VFS Server depends upon the number of VFS Server connections purchased. This information is contained in the VFS Certificate or programmed into the security key.
To determine if the VFS Server is enabled and to view the number of available client connections, select About EnCase from the Help menu. If the VFS module is not listed, or the number of clients is not sufficient, contact Customer Service to purchase additional clients.

Configuring the Server
Configure the server as follows:
1. On the VFS Server machine (with the security key inserted), open the EnCase program.
2. Open the case file(s).
3. Select the appropriate VFS mount point level:

- Case
- Drive/device
- Volume
- Folder
4. Right-click the mount point and select Mount as Network Share.


You have the option of creating a network share from any of the cases, drives, or folders within it. This allows you to share only what is necessary to others, while still having access to cases and devices that you do not want to share.
5. Since this is the VFS Server machine, select Establish local server for the location on the Server Info tab.

6. Enter a Port number or use the default of 8177. The Server IP Address is grayed out since the server's IP address is the one assigned to the machine where the mount is taking place.
7. Note the server machine's IP address for use with the client.
8. Set the maximum number of clients who can connect to the server, with the default being the maximum allowed by your VFS Server certificate.

Since VFS is mounting the evidence as a networked shared drive, the serving port must be assigned. To allow recovery from errors in Windows, such as a crash while using third-party tools as described previously, the VFS service runs for the life of the Windows session from that port.
The VFS Server can also serve the data locally to the investigator's machine. Be aware that it uses one of the server connections.

Restrict Access by IP Address
By default, VFS Server is configured to allow access from all IP addresses. Because a client needs no security key to connect, that default lets any host on the network with the EnCase program installed mount the served evidence, so restrict access by IP address before sharing. To specify which machines may connect, do the following:

1. To allow a contiguous range of addresses, select Allow IP Range and specify the low and high IP values.

2. To allow individual addresses instead, select Allow specific IPs.
3. Right-click in the Allowed IPs box.
4. Select New and enter the IP address. Enter multiple IP addresses by repeating this action. You can also edit or delete existing IP addresses by right-clicking Allowed IPs.

5. Select the Client Info tab.


To also mount and view the shared drive locally, leave the Mount share locally box checked and input a Volume Letter. By default, the volume letter field has an asterisk in it, signifying that the next available drive letter will be used. Mounting the share locally uses one of your VFS Server connections.
If you are only serving the share to remote clients, clear Mount share locally, and the Volume Letter grays out, as the share is mounted on remote client(s).
The VFS Server mounts the share and allows connections on the assigned port. The shared hand icon appears at the VFS mount point. You can continue your examination while it is being shared. Performance depends on the size and type of the examined evidence, the processing power of the server and client machines, and the bandwidth of the network.

Connecting the Clients
To connect the clients:
1. Install the EnCase program on the client.
2. Reboot the machine after installation for Windows to access the VFS drivers. When launching EnCase, it is not necessary to have a security key present.
3. Click Tools > Mount as Network Share.
4. On the Server Info tab, enter the Server IP Address for the VFS Server machine, and enter the port number the server is listening on.
5. On the Client Info tab, select the Volume Letter to assign the share, or accept the next available letter.

The confirmation message displays. On the client machine, the share is available in Windows Explorer as gsisvr with the assigned drive letter. The shared computer evidence can be examined as previously described.

Closing the Connection
When an investigator using a client machine has completed the examination of the shared drive, or another investigator needs to use the connection, double-click the progress bar at the lower right and select Yes. A confirmation window reports that the evidence is dismounted and the connection closed, and the shared hand icon is removed, indicating that Windows Explorer has removed the shared drive. The EnCase program can be closed on the client computer.

On the VFS Server machine, when all clients are finished and have dismounted the share, close the VFS Server by double-clicking on the flashing Virtual File System bar in the lower right corner of the EnCase application window. You will be prompted to dismount the evidence file, after which you can close the EnCase program.


Troubleshooting
Virtual File System is not listed under Modules
If you are using cert files, check to see that the VFS certificate is located in the proper Certs directory (typically C:\Program Files\EnCase6\Certs).

Make sure the security key is installed and working properly (check the title bar to ensure that the software is not in Acquisition mode). You do not need to have the security key installed on a machine connecting to a remote VFS Server.

If you are using cert files, the certificate file is issued for a specific security key; check the security key ID to ensure that it is the correct one for which the certificate was issued.

I can mount a device locally, but cannot set up a local server
Select About EnCase from the Tools menu and ensure that Virtual File System Server is listed under Modules. If the Server is not displayed, you may have the wrong cert installed, or you do not have access to the Server edition.

I cannot connect to a device mounted on a remote VFS server
Confirm the IP address and port number of the Remote Server. If the IP address is correct, ping the address to ensure connectivity.

Make sure the device is still mounted on the remote server.

Check to see how many machines are connected to the server, and determine how many clients are permitted to connect to a VFS Server by selecting About EnCase from the Tools menu on the machine running the VFS Server. Determine the number of allowed clients by looking at the number listed next to the Virtual File System Server module.
Note: If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.

CHAPTER 18

FastBloc SE Module
In This Chapter
FastBloc SE Module
Background Information
ProSuite FastBloc SE/SATA/IDE Support for Vista 64-bit
Installing the FastBloc SE Module
Using the FastBloc SE Module
Disk Caching
Troubleshooting


FastBloc SE Module
The FastBloc SE (Software Edition) module is a collection of drive controller tools designed to control reads and writes to a drive attached to a computer through USB, FireWire, SCSI, IDE, and SATA controller cards, in order to enable the safe acquisition of subject media from Windows to an EnCase evidence file. In addition, an investigator can wipe devices attached to a controller card controlled by the FastBloc SE module, or restore them while maintaining the hash value of the logical file.

When the FastBloc SE module's write blocking capability is enabled, it ensures that no data are written to or modified on a write blocked device.

In the past, conducting a forensic, noninvasive acquisition of a hard disk drive was performed in DOS, or through a write-protecting hardware device. This was done to control writes by the operating system to the subject drive. The FastBloc SE module eliminates the need to have a hardware write blocker installed on the forensic machine in order to acquire EnCase evidence files in a forensically sound manner through Windows.

Background Information
HPA and DCO Configured Disks
Host Protected Area
Hard disks can be configured with a Host Protected Area (HPA). It is designed to allow vendors to store data safe from user access, diagnostics, or MS Windows backup tools. If present, the data stored in this area is inaccessible by the operating system, BIOS, or the disk itself.

Knowledge of this area and the ability to access it are important, as there is the potential for a sophisticated user to hide data in the HPA. The FastBloc SE module sees the HPA if it is present, and the content hidden there displays. Disk integrity remains intact when previewing and acquiring disks with HPAs.

Device Configuration Overlay
The Device Configuration Overlay (DCO), sometimes called the Disk Configuration Overlay, is similar to the HPA discussed above. It is an optional feature within the ATA et seq. standard, and is supported by most hard disks. Like the HPA, it can also be used to segment off a portion of the hard disk drive capacity from view by the OS or file system, usually for diagnostic or restoration purposes.

Contents of the DCO can control behavior of the drive, and one of the DCO fields controls the max_sectors drive data. It can thus be used to artificially restrict access to the full drive.

Architecture
Both the HPA and the DCO are typically located at the end of the hard disk. If present, the HPA area is placed on the drive after the DCO is configured. This gives the drive three types of storage that are laid out one after another on the drive:
Normal
HPA protected
DCO protected


Overriding HPA and DCO Settings
The write blocking functionality of the FastBloc SE module is designed to prevent writes to a suspect hard drive while previewing, examining, or acquiring the device for forensic purposes. The FastBloc SE module allows EnCase software to recognize disks with HPA and DCO regions.

The FastBloc SE module automatically overrides HPA settings, which makes the HPA area of the hard disk visible to the investigator. To do this, it temporarily removes the HPA settings and then replaces them, so no permanent disk alterations are made.

If only a DCO is present, it is removed to allow the EnCase software to view the data. If both HPA and DCO are present in an area simultaneously, the FastBloc SE module first removes the HPA setting, then the DCO setting. The HPA is removed only if an HPA and DCO area exist simultaneously.
ALERT! When the EnCase software encounters a hard drive with a defined DCO, or DCO and HPA, it must permanently remove both overlays to image the entire drive. Based on the design and published specifications of DCO and HPA, there is no known way to access the entire data area without making this change. Investigators must note that although this change does not affect the data contained on the drive, it is a permanent change to the drive controller that is not affected by powering down the drive. Investigators may wish to account for this anomaly in their documentation.
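As an added example (not code from the EnCase guide or from Guidance Software), the following Python lays out the Normal, HPA-protected and DCO-protected regions described under Architecture from three sector counts, and produces the kind of note the alert above suggests keeping when an overlay has to be removed. It assumes 512-byte logical sectors and that the three counts were read with an ATA-aware tool outside this guide (on Linux, hdparm's -N and --dco-identify options report them); the sample values are constructed.

```python
"""HPA/DCO region calculator (added example; not part of the EnCase guide).

Assumptions: 512-byte logical sectors, and three sector counts obtained from
an ATA-aware tool outside this guide (e.g. on Linux, `hdparm -N` shows the
current/native maximum and `hdparm --dco-identify` the DCO "real max").
"""
from __future__ import annotations

from dataclasses import dataclass

SECTOR_BYTES = 512  # assumed logical sector size; 4Kn drives would differ


@dataclass(frozen=True)
class Region:
    name: str
    first_lba: int  # inclusive
    last_lba: int   # inclusive; first_lba - 1 when the region is empty
    sectors: int

    @property
    def size_bytes(self) -> int:
        return self.sectors * SECTOR_BYTES


def disk_layout(user_sectors: int, native_max_sectors: int,
                dco_max_sectors: int) -> list[Region]:
    """Return the Normal, HPA-protected and DCO-protected regions in disk order.

    user_sectors       sector count from IDENTIFY DEVICE (what the OS sees)
    native_max_sectors READ NATIVE MAX ADDRESS (EXT) + 1, i.e. Normal + HPA
    dco_max_sectors    DEVICE CONFIGURATION IDENTIFY max LBA + 1, i.e. the
                       whole drive once the DCO is also lifted
    """
    if not 0 < user_sectors <= native_max_sectors <= dco_max_sectors:
        # A drive reporting more user sectors than its native maximum was
        # either misread or is misbehaving; refuse rather than emit negatives.
        raise ValueError("expected 0 < user <= native <= dco sector counts")
    bounds = [
        ("Normal", 0, user_sectors),
        ("HPA protected", user_sectors, native_max_sectors),
        ("DCO protected", native_max_sectors, dco_max_sectors),
    ]
    return [Region(name, start, end - 1, end - start) for name, start, end in bounds]


def hidden_sectors(layout: list[Region]) -> int:
    """Sectors the operating system cannot reach without lifting HPA/DCO."""
    return sum(r.sectors for r in layout if r.name != "Normal")


def examiner_note(layout: list[Region]) -> str:
    """Plain-text summary for the acquisition notes: one line per region plus
    a total of sectors that can only be imaged after overlay removal."""
    lines = []
    for r in layout:
        if r.sectors == 0:
            lines.append(f"{r.name}: not present")
        else:
            lines.append(f"{r.name}: LBA {r.first_lba}-{r.last_lba} "
                         f"({r.sectors} sectors, {r.size_bytes} bytes)")
    total = hidden_sectors(layout)
    lines.append("Hidden area: " + ("none" if total == 0 else
                 f"{total} sectors; overlay removal required to image them"))
    return "\n".join(lines)


# Constructed sample values (not from a real drive): a drive whose OS-visible
# size was lowered by an HPA and whose native maximum was lowered by a DCO.
SAMPLE_USER = 488_000_000
SAMPLE_NATIVE = 488_300_000
SAMPLE_DCO = 488_397_168

if __name__ == "__main__":
    print(examiner_note(disk_layout(SAMPLE_USER, SAMPLE_NATIVE, SAMPLE_DCO)))
```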

ProSuite FastBloc SE/SATA/IDE Support for Vista 64-bit
In addition to previous FastBloc SE/IDE support, EnCase now supports FastBloc SE/IDE running on Microsoft Windows Vista 64-bit editions. This update also includes:
Enhanced EnFilter capability to block IDE/SATA storage drives except the boot drive, in addition to removable devices. For details, see Write Blocking IDE and SATA Controller Cards in your EnCase User's Guide.
A new driver that loads dynamically when EnCase needs to access the DCO/HPA feature

Write Blocking SATA and IDE Controller Cards
Note: EnCase relies on manufacturer drivers for supported controllers, so Guidance Software recommends that you obtain these drivers directly from the manufacturer.
Note: FastBloc SE drivers have been updated. If you perform an upgrade install, please make sure to restart the system before using FastBloc SE.


Supported Controllers

Controllers for DCO/HPA Access
Silicon Image 3114 RAID controller with 4 external ports
Silicon Image 3114 RAID controller with 4 internal ports
Promise Tech ULTRA66 PATA controller with 2 internal PATA ports
Promise Tech ULTRA133TX2 PATA controller with 2 internal PATA ports
Promise Tech FastTrak TX2300 SATA controller with 2 internal SATA ports
Promise Tech SATA 150TX4 SATA controller with 4 internal SATA ports
Promise Tech SATA 300TX2Plus SATA/PATA controller with 2 internal SATA ports and 1 internal PATA port
Promise Tech SATA 300TX4302 SATA controller with 2 internal SATA ports and 2 external SATA ports

Known Limitation
Guidance Software supports only the controllers specified in the table above for DCO and HPA access.

Installing the FastBloc SE Module
The process for installing the module involves a few more steps than the other modules.
1. Install the FastBloc SE module as listed in Installing the EnCase Modules.
2. Shut down the forensic machine.
3. Insert one of the IDE controllers listed in FastBloc SE Module Specific Requirements.
4. Turn on the computer.
5. Install the drivers that came with the IDE controller.
Note: Consistent with sound computer forensic practices, test the FastBloc SE module with non-evidence media to verify the write blocking capability prior to using the device with actual evidence.

Using the FastBloc SE Module
Write Blocking a USB, FireWire, or SCSI Device
To write block a USB, FireWire, or SCSI device, EnCase intercepts the signal sent to Windows when a device is attached to the computer. It then filters the driver for that device, enabling write protection.


There are three modes when using the FastBloc SE module on a USB, FireWire, or SCSI device:
Write Blocked: A write blocked device is protected against writing to or modifying files when the device is attached to a PC. Files deleted from or added to the device appear in Windows as modified, but the modifications are saved in a local cache, not on the device itself. This mode does not prompt errors when attempting to write to the drive.
Write Protected: A write protected device is protected against writes or modifications when the device is attached to a PC. If writes or modifications to the device are attempted, Windows responds with an error message.
None: Removes write blocking from a device previously write blocked.

To write block a USB, FireWire, or SCSI device:
1. Make sure no devices are attached.
2. Click Tools > FastBloc SE.

3. In the FastBloc SE dialog, select the Plug and Play tab.

4. Click Write Blocked. The progress bar indicates EnCase is waiting for a device to be inserted.
5. Insert the USB, FireWire, or SCSI device.
Note: Because some SCSI devices are not initially hot swappable, you may want to use a hot swappable carrier to protect the device, such as the StarTech DRW150SCSIBK SCSI drive bay.

6. Click Close.

Verify Write Block
You can confirm successful write blocking of the device when previewing the device in the EnCase program:
1. Click the New icon on the top toolbar to open a new case and complete the required information.
2. Click the Add Device icon.
3. Blue check Local Drives in the right pane, then click Next.


In the Choose Devices window, the device and volume (if present) on the write blocked channel have a green box around the icon in the Name column, and a bullet appears in the Write Blocked column for each.

Write Protecting a USB, FireWire, or SCSI Device
Follow the steps for Write Blocking a USB, FireWire, or SCSI Device, above, but in step 3, click Write Protected.

Removing Write Block from a USB, FireWire, or SCSI Device
Removing a USB, FireWire, or SCSI Device
To remove a USB, FireWire, or SCSI device:
1. Use the hardware removal tool in the System Tray in the lower right corner of the taskbar to remove the device. In Windows 2000, this tool is named Unplug or Eject Hardware; in Windows XP, Safely Remove Hardware.

2. Remove the device physically when the wizard confirms safe removal.

Removing Write Block from a Device
1. Click Tools > FastBloc SE.

2. Select the device where you want to remove write block, then click None.
3. Click Close to complete the process.

Removing Write Block from all Devices
1. In the FastBloc SE dialog, click Clear All.
2. Click Close.

Write Blocking IDE and SATA Controller Cards
The FastBloc SE module write blocks PCI IDE and SATA controller cards. To successfully prevent writes or modifications to an IDE device, the controller channel is write blocked before the device is attached to the PC. When the channel is protected with the GSI driver, shut down the machine and attach the device. On reboot, Windows write permissions are revoked.
Note: Guidance Software recommends that you obtain drivers for PCI/ATA 133 IDE cards directly from the manufacturer.

To write block an IDE controller:
1. Click Tools > FastBloc SE.

2. Select the IDE Adapters tab.


3. In the list of adapters, select the adapter(s) you want to write block, then click OK.
4. Shut down the forensic machine.
5. Connect the suspect's hard disk to the controller selected in step 3.
6. Restart the forensic computer. Any disk attached to the selected adapter is write blocked on system startup.

Turning Off IDE Write Block Protection
To turn off the write block protection:
1. Shut down the forensic computer.
2. Remove the suspect's hard disk.
3. Repeat steps 1 and 2 above, deselecting the write protected controller in step 2.
4. Reboot the forensic machine.
5. The GSI driver is replaced with the original default Windows driver.

Previewing a Write Blocked Device
To preview a write blocked device:
1. Write block or write protect the appropriate device following the steps outlined previously in this manual.
2. Create a new case in the EnCase program.
3. Click Add Device.


In the Choose Devices dialog, a bullet in the Write Blocked column indicates the subject media is write blocked. Devices write blocked by the FastBloc SE module also have a green square around the icon.
4. Blue check a write blocked device or volume, then click Next.
5. Click Finish in the Preview Devices screen to begin previewing subject media.

Wiping
The FastBloc SE module allows wiping a device attached to one of the supported PCI IDE controller cards mentioned in FastBloc SE Module Specific Requirements. Wiping is done in the same manner as for drives attached directly to the motherboard. See Wipe Drive on page 232 for details.

Restoring
The FastBloc SE module also allows the restoration of an evidence file to a device of similar size or larger attached to one of the supported PCI IDE controller cards previously mentioned. Restore a device in the same manner as with drives attached directly to the motherboard. See Restoring Evidence on page 214 for details.

Disk Caching
When the FastBloc SE module is set to write block, the writes are actually being cached to the investigator's hard drive. This does not occur with write protect, since Windows generates an error rather than allowing the appearance of the write to take place.

Write Block Validation Testing and Disk Caching
Do not use evidence hard drives to perform write blocking capability tests. Although Windows may appear to allow modifications of the write blocked subject media, this does not actually occur.

Disk Caching and Flushing the Cache
To flush the write cache, reboot the computer or remove the media that is write blocked. Preview the drive with the EnCase interface or browse using Windows Explorer to verify that the cache emptied.


Troubleshooting
The Write Block option does not appear in the Tools menu
Make sure the module was installed as described in Installing the EnCase Modules.

Select About EnCase from the Help menu to verify that the FastBloc SE module is listed in the window.

Check that the security key is in the machine. If the security key is out, or not functioning properly, the EnCase program will be in Acquisition mode.

If you are using cert files, the cert file may be tied to a different security key. Consult an administrator to determine the associated security key and cert file.

Windows and the EnCase program do not recognize the attached device
Check all power and data connections to the device.

Check to see if the subject hard drive is spinning. If the device is connected via an external drive bay, shut down the computer and try connecting the power connector (not the data connector) to a Molex power cable directly from the computer. Restart the computer. If the drive starts spinning, shut down the computer again and swap cables.

If the subject drive does not spin, or is making unusual sounds (whirring, clicking, etc.), the drive may be defective and you may not be able to acquire it by normal methods.

If the subject drive is spinning, check the data cables. You may want to try using a 40-wire cable if you are using an 80-wire cable.

Check the USB or FireWire port to ensure proper functioning by inserting a known good device. Make sure the port is recognized in Device Manager.

Windows sees the subject drive, but the EnCase program does not
If you can see the physical drive but cannot see the contents of the drive, the EnCase interface may be in acquisition mode. This may indicate that the security key is not installed or (if you are using cert files) is not tied to the cert file. Refer to the EnCase User's Guide for instructions on how to install the security key drivers.

You may have a corrupt version of the EnCase program. If you are using cert files, make a backup of all your cert files. Download and reinstall the newest version of the EnCase software.

Be sure to select Local Devices instead of Evidence Files when you begin the preview process.

If at all possible, try to acquire on a completely different machine. This helps pinpoint the problem, as it may be a hardware or operating system conflict. If you are using cert files, be sure to use a security key tied to the cert file.


Acquisition takes too long
If the acquisition started out at a normal speed, and then rapidly decreased later in the acquisition, there is a good chance that the EnCase program has encountered bad sectors on the subject drive. Because the software will make multiple attempts at reading bad sectors, acquisition time may increase.

Enabling compression dramatically increases acquisition time.

A completely slow acquisition may be the result of slower equipment. If you are acquiring to external media (that is, the storage media is an external hard drive), the transfer rates will be significantly slower than with a directly connected hard drive. If the subject drive is an older or slower model, the acquisition speed is limited. If the forensic machine has an older or slower storage drive, the acquisition is slowed by the drive's slow write speed.

If you are acquiring a newer drive, try an 80-wire cable, as this allows faster throughput. Ensure the FireWire/USB cable is securely connected at both ends.

If FireWire is not available, use a USB 2.0 connection (USB 2.0 is up to 40 times faster than USB 1.0). In addition, when using USB, limit any other CPU-intensive tasks during the acquisition, since these contribute to a loss of transfer speed. Use FireWire ports whenever possible, since the interface is faster than USB.

Acquisition and verification hashes do not match
There may be a data integrity issue with the cable. Try using a 40-wire cable if you are using an 80-wire cable, a shorter IDE cable, and/or a shielded IDE cable if possible.

Try using a different USB or FireWire cable.

There are different hash values each time the drive is hashed
This indicates a failing drive. Because the number of sector errors increases each time, hash values change. Since the first acquisition typically contains the least number of bad sectors, use that file for analysis.

There are multiple bad sectors after acquisition
This can indicate a defective drive. Ensure that the cables are securely connected to the controller and the drive.

If the subject drive is in an enclosure when you try to acquire it, it may become hot during the acquisition. Try removing the drive from the enclosure to keep it cooler, which may reduce the number of sector errors.

CHAPTER 19

CD/DVD Module
In This Chapter
CD/DVD Module
Burning Evidence Files During Acquisition
Burning Logical Evidence Files During Acquisition
Burning Files and Reports
Burning Existing Evidence and Logical Evidence Files


CD/DVD Module
Use the CD/DVD Module to burn the following to a CD or DVD:
Evidence and Logical Evidence Files during acquisition
Files and folders, as well as reports from the EnCase program
Existing Evidence Files and Logical Evidence Files

Unless specified otherwise, files burned maintain the following properties (if available):
Entry Name (either entry or report)
Last Written date
Entry Created date
Logical size

Note: Consistent with sound computer forensic practices, test the CD/DVD module with non-evidence media to verify proper installation and operation prior to using it with actual evidence.

Burning Evidence Files During Acquisition
The process for burning an evidence file to removable media at the time of an acquisition starts with a preview:
1. Create a new case or open an existing one.
2. Add a Device for preview as described in the EnCase User's Guide.
3. Right-click the device icon in the Case tree, then select Acquire.
4. When you get to the Options screen, select Burn Disc, then click Next.


Selecting CD Information
To select CD information, choose appropriate options from the preconfigured settings in the CD Info dialog.


Joliet: This specifies the format of the image to adhere to the Joliet standard, which allows long entry names.
UDF: This specifies the format of the image to adhere to the UDF standard, which is used primarily for DVDs.
Burn: This initiates the burn of the image to the disc once you click Finish. If the box is cleared, the Archive Folder for the image is updated, but not burned until initiated by the user in the Archive Entries tab. An ISO is also created for the user to burn at any time with any program.
Delete ISO after Burn: This deletes the created ISO image from the temporary folder set with the Path option once it is burned to media.
Publisher: This optional field allows you to specify the name of the person who burned the image to disc.
Preparer: This optional field allows you to specify the name of the person who prepared the image for burning.
Path: This field sets the path for the temporary placement of the ISO image prior to being burned.
CD Burners: Any media burner recognized by the system appears in this window. Select the media burner of your choice. If a recognized burner is not listed, the burning option is disabled.

The image produced contains the ISO 9660 format with Joliet selected by default. If Joliet or UDF formats are selected, additional trees are built for those formats. ISO 9660 allows only eight-character (old DOS 8.3) names. Names longer than eight characters are truncated to the first four characters of the file name, followed by four random numbers.

Burning
When the initial acquisition is complete, the status screen displays and the burn to CD starts, indicated by a blue Burning thread displayed on the EnCase program's taskbar.

Evidence entries are burned as long as there is enough room left on the medium based on the set segment size. If there is no room left, the disc is ejected and a prompt appears instructing you to insert another disc.

Evidence entries are verified on the removable media after they have been burned. After the entry is burned, a status window reports the results of the write and verification.


Burning Logical Evidence Files During Acquisition
To burn a logical evidence file during acquisition:
1. Preview the device.
2. On the Entries tab, select the folders for the Logical Evidence File.
3. Right-click and select Create Logical Evidence File.
4. In the Create Logical Evidence File dialog, select Burn Disc, then click Next.
5. In the CD Info dialog, select options as described above.

A separate thread runs for burning the logical evidence entries while they are created. The burn to disc occurs when the first segment finishes acquiring. To cancel the burn, double-click the blue Burning status message on the bottom taskbar. Logical evidence, like other evidence entries, is verified after being burned. The status window at the end of the process presents the verification and acquisition status for the burned entries. If there is no room left on a disc, the disc is ejected and a prompt appears to insert another disc.

Burning Files and Reports
Create a New Image Session
To create a new image session:
1. Select Archive Files from the View drop-down menu.
2. To create a new image session for burning data to a CD/DVD from selected entries or reports, right-click in the root of Archive Files and select New Image.


By default, the module places cached items in C:\Program Files\EnCase6\Cache. To change the root path, right-click the root item, select Change Root Path, and browse to or create a folder.

A disc icon appears in the tree, called disc image 1. Subsequent images created are named disc image 2, disc image 3, etc.
3. To rename images, right-click the image folder (or press F2) and select Rename. A cached image of this file is stored in C:\Program Files\EnCase6\Cache with the folder name and a .cdi extension.

Preparing Entries for Burning
To prepare entries for burning:
1. In the Entries tab, select the entries to be sent to removable media.
2. Right-click the desired folder in the tree and select Copy Folders or Copy/UnErase to open the standard option windows for those features.


Use Copy Folders to add the selected entries to the folder, retaining the existing entries. File sizes of selected entries retain the original logical size of the file but not the physical size.


Use Copy/UnErase to maintain structure based on the options set in the export menu, such as Logical File, Entire Physical File, RAM and Disk Slack, etc.

3. Right-click the Archive Files icon in the Destination Folder window and select New Image. By default, this is disc image 1. Folders created previously are visible in the Destination Folder window.
4. Select the appropriate folder, then click Finish.
5. Click OK to add the entries to the Archive Files folder.
6. To view the added entries, navigate to the Archive Files tab and select the folder where you sent the entries.
7. Right-click in the table and select Update.

Preparing Reports for Burning
To prepare a report for burning:
1. Go to Report view in either the Table Pane or View Pane.

2. Right-click in the report pane and select Export.


3. In the Export Report dialog, select Burn to Disc.
4. Select the appropriate output format, Document or Web Page.
5. Enter the complete path in the Path field or browse to the export location.
6. Select a Destination Folder. If entries already exist in the destination folder, the selected entries are added to them.
7. Click OK to add the report to the disc image folder.

The newly added report is stored under the Archive Files tab and saved globally, so you can add to or delete from it at any time.

Burning the Created Image Folders to Disc
Prior to burning a disc image, entries and reports can be moved between volumes by dragging and dropping them from one image to another. Each image may have its own formatting and output options:
To access the option window to view or edit the settings, right-click a volume and select Edit.
To rename a volume, right-click and select Rename.

To burn the image to disc:
1. Right-click the image folder and select Burn Disc.
2. In the Archive Files tab, the disc images appear with entries listed in the Table pane.

3. Select appropriate options from the preconfigured settings in the CD Info dialog as described above.

When the image is burned, a status window reports the results of the write.

Burning Existing Evidence and Logical Evidence Files
EnCase Evidence Files and Logical Evidence Files that are already created can be burned to media from the EnCase interface. Exceptions to this functionality are:

Single Entries
Previewed drives
Mounted volumes
dd images
SafeBack images
VMware images
Virtual PC images
Any other non-evidence files

To burn an EnCase Evidence File or Logical Evidence File to disc, it must first be added into the case using the standard methods:
Dragging and dropping the file into the EnCase interface
Using Add Device

To burn an existing evidence or logical evidence file:
1. On the Cases tab, select the Devices subtab.
2. Right-click in the table and select the image to be burned. Note that only the highlighted device is burned, not selected (blue checked) devices.
3. Right-click on the device and select Burn to Disc.

4. Continue as described in Selecting CD Information on page 619.

Glossary of Terms
Overview
This glossary provides definitions of terms specific to Guidance Software products, as well as definitions of standard technological terms.

Cluster
A cluster is the smallest amount of disk space that can be allocated to hold a file.

Code Page
A code page interprets a series of bits as a character.

ASCII
ASCII (American Standard Code for Information Interchange) is a character encoding based on the English alphabet. ASCII codes represent text in computers, communications equipment, and other devices that work with text. Most modern character codes have a historical basis in ASCII. ASCII was first published as a standard in 1967 and was last updated in 1986. It currently defines codes for 33 non-printing, mostly obsolete control characters that affect how text is processed, plus 95 printable characters.

Compound File
A file containing other file types within it. For example, a Microsoft Word file can contain text, graphics, and spreadsheet files.

Computer Forensics
The application of scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they were used for illegal or unauthorized activities.

Bookmark
Bookmarks let you annotate evidence and analytical artifacts. Files, folders, address ranges within files, collections of files or data, and even bookmarks themselves can be bookmarked.

Connection
The communications between the servlet and the client occur across a connection. This connection may involve communicating through the SAFE.

Burn
The process of recording data to an optical disc, such as a CD or DVD.

Cyclic Redundancy Check (CRC)
The CRC is a variation of the checksum. Its advantage is that it is order sensitive. The strings "1234" and "4321" produce the same checksum, but not the same CRC.

Case File
A text file containing information specific to one case. The file includes pointers to one or more evidence files, devices, bookmarks, search results, sorts, hash analysis results, and signature analysis.

Device Configuration Overlay (DCO)


The Device Configuration Overlay (sometimes called Disk Configuration Overlay) is similar to the Host Protected Area. It is an optional feature within the ATA-6 standard and is supported by most hard disks. Like the HPA, it can also be used to segment a portion of the hard disk drive capacity from view by the OS or file system, usually for diagnostic or restoration purposes.

Checksum
A form of redundancy check for protecting the integrity of data by detecting errors. It works by adding the basic components of a message (typically the asserted bits) and storing the resulting value. Later, anyone can perform the same operation on the data, compare the result to the authentic checksum, and, if the sums match, conclude that the data was not corrupted. A major drawback to checksum is that 1234 generates the same check as 4321.
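An added example (not from the EnCase guide) that makes the order-sensitivity point of the Checksum and Cyclic Redundancy Check entries concrete: a byte-sum checksum cannot tell "1234" from "4321", CRC-32 can, and a CRC kept per data block (the block size here is an assumption, not the evidence file's actual layout) also catches a block whose bytes were reordered.

```python
"""Additive checksum versus CRC-32 (added example; not from the EnCase guide).

A byte-sum checksum is blind to byte order, so "1234" and "4321" collide; a
CRC is not. Keeping one CRC per block (assumed block size) lets a reader spot
which block changed even when the checksum of the whole buffer is unchanged.
"""
from __future__ import annotations

import zlib


def additive_checksum(data: bytes, width_bits: int = 16) -> int:
    """Sum every byte and keep the low `width_bits` bits (order-insensitive)."""
    return sum(data) & ((1 << width_bits) - 1)


def crc32(data: bytes) -> int:
    """CRC-32 (the zip/PNG polynomial); zlib's result masked to 32 unsigned bits."""
    return zlib.crc32(data) & 0xFFFFFFFF


def compare(a: bytes, b: bytes) -> dict[str, bool]:
    """Report whether two byte strings collide under each check."""
    return {
        "same_checksum": additive_checksum(a) == additive_checksum(b),
        "same_crc": crc32(a) == crc32(b),
    }


def block_crcs(data: bytes, block_size: int) -> list[int]:
    """One CRC per fixed-size block, stored alongside the data it covers."""
    return [crc32(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def verify_blocks(data: bytes, block_size: int, expected: list[int]) -> list[int]:
    """Indices of blocks whose CRC no longer matches the stored value
    (a block beyond the stored list is reported as well)."""
    return [i for i, crc in enumerate(block_crcs(data, block_size))
            if i >= len(expected) or crc != expected[i]]


# Constructed sample: 16 bytes in four 4-byte blocks; the tampered copy has
# the bytes of block 1 reversed, which leaves every additive checksum unchanged.
ORIGINAL = b"1234" * 4
TAMPERED = b"1234" + b"4321" + b"1234" * 2

if __name__ == "__main__":
    print(compare(b"1234", b"4321"))   # {'same_checksum': True, 'same_crc': False}
    stored = block_crcs(ORIGINAL, 4)
    print(verify_blocks(TAMPERED, 4, stored))   # [1]
```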

Disk Slack
This is the area between the end of the volume and the end of the device.


EnCase Forensic
EnCase Forensic is recognized as the standard computer forensic software used by more than 15,000 investigators and 40 of the Fortune top 50 companies. EnCase Forensic provides law enforcement, government and corporate investigators reliable, court-validated technology trusted by leading agencies worldwide since 1997.

File Signature
Unique identifiers published by the International Standards Organization and the International Telecommunications Union, Telecommunication Standardization Sector (among others) to identify specific file types.

File Slack
The area between the end of a file and the end of the last cluster or sector used by that file. This area is wasted storage, so file systems using smaller clusters utilize disk space more efficiently.

Encryption
The process of encoding information to make it unreadable without a key to decode it.

EnScript Language
A programming language and Application Program Interface (API) that has been designed to operate within the EnCase environment.

Filter Pane
The Filter pane is typically located in the lower-right quadrant of the four-pane display. It provides access to EnScript programs, filters, conditions, and queries. (Also see Tree Pane, View Pane, and Table Pane.)

Evidence File
The central component of the EnCase methodology is the evidence file. This file contains three basic components (header, checksum, and data blocks) that work together to provide a secure and self-checking description of the state of a computer disk at the time of analysis.

Font
A coordinated set of glyphs designed with stylistic unity. A font usually comprises an alphabet of letters, numerals, and punctuation marks.

Examiner
A general destination folder to place data copied from the evidence folder.

Globally Unique Identifier (GUID)
A GUID is a pseudo-random number used in software applications. While each generated GUID is not guaranteed to be unique, the total number of unique keys (2^128, or 3.4 x 10^38) is so large that the probability of the same number being generated twice is exceptionally small.

Export Folder
A general destination folder to place data copied from the evidence file.

GREP
An acronym for search Globally for lines matching the Regular Expression, and Print them. GREP is a command line utility originally written for use with the Unix operating system. The default behavior of GREP takes a regular expression on the command line, reads standard input or a list of files, and outputs the lines containing matches for the regular expression. The GREP implementation in EnCase has a smaller subset of operators than GREP used in Unix.

FastBloc
FastBloc is a collection of hardware write blockers and one software write blocker.

File Allocation Table (FAT)


Refers to a file system used primarily in DOS and Windows operating systems. There are several levels designed to cope with larger devices. FAT12 is usually used for removable media, whereas FAT16 was initially used on hard drives. FAT16 has a 2GB size limit, so FAT32 was introduced for larger hard drives. FAT32 has been superseded by the New Technology File System (see NTFS) and is the recommended file system for Windows 2000 and later.


Hash
A method used to generate a fixed-length identifier for the data the hash value represents. There are several standardized hashing algorithms. EnCase uses the 128-bit MD5 algorithm, which has 2^128 possible values, so the chance that two different data sets produce the same hash value by accident is exceptionally small. Note that MD5 is no longer collision resistant against a deliberate attacker: two different inputs with the same MD5 value can be constructed, so an MD5 match demonstrates that data has not been accidentally altered or that a file matches a known file, not that an adversary could not have substituted content.


Hash Sets
Collections of hash values for groups of files, used to identify known files by their hash (for example, to exclude standard operating system files from review, or to flag known notable files) without examining their content.
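The three components named in the Evidence File entry, the hash algorithm described under Hash, and the lookup described under Hash Sets, as an added example (Python, not EnCase code and not the real evidence file layout): a simplified self-checking container with a header, one CRC32 per block, and MD5 plus SHA-256 over the whole acquisition, followed by a hash-set lookup. The block size, the container layout, and the two hash-set entries are this example's own assumptions.

```python
import hashlib
import json
import struct
import zlib

BLOCK_SIZE = 4096  # assumption: one CRC per 4 KiB; EnCase's real block granularity differs
MAGIC = b"IMG1"    # assumption: this example's own container signature

# Constructed hash set (MD5 hex digest -> category). Real hash sets such as NSRL are
# imported from reference files; these two entries exist only for this example.
HASH_SET = {
    hashlib.md5(b"known good system library").hexdigest(): "known",
    hashlib.md5(b"known contraband picture").hexdigest(): "notable",
}


def build_image(data, case_info):
    """Container = header + one CRC32 per block + data + MD5 + SHA-256 of all data."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    header = json.dumps(dict(case_info, size=len(data), blocks=len(blocks))).encode()
    crc_table = b"".join(struct.pack("<I", zlib.crc32(b)) for b in blocks)
    return (MAGIC + struct.pack("<I", len(header)) + header + crc_table + data
            + hashlib.md5(data).digest() + hashlib.sha256(data).digest())


def _layout(image):
    """Return (header dict, offset of CRC table, offset of data)."""
    if image[:4] != MAGIC:
        raise ValueError("not an image container")
    (hlen,) = struct.unpack("<I", image[4:8])
    header = json.loads(image[8:8 + hlen])
    crc_off = 8 + hlen
    return header, crc_off, crc_off + 4 * header["blocks"]


def verify_image(image):
    """Recompute every block CRC and both whole-data hashes; list the blocks that fail.

    A CRC failure localises damage to one block; the hashes say whether the data as
    a whole is still what was acquired. SHA-256 is carried beside MD5 because MD5
    collisions can be manufactured by a deliberate attacker.
    """
    header, crc_off, data_off = _layout(image)
    n = header["blocks"]
    stored = struct.unpack("<%dI" % n, image[crc_off:data_off])
    data = image[data_off:data_off + header["size"]]
    tail = data_off + header["size"]
    bad = [i for i in range(n)
           if zlib.crc32(data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) != stored[i]]
    return {"bad_blocks": bad,
            "md5_ok": hashlib.md5(data).digest() == image[tail:tail + 16],
            "sha256_ok": hashlib.sha256(data).digest() == image[tail + 16:tail + 48]}


def classify(file_bytes, hash_set=HASH_SET):
    """Hash-set lookup: 'known', 'notable', or None for an unrecognised file."""
    return hash_set.get(hashlib.md5(file_bytes).hexdigest())


def demo():
    """Image constructed data, verify it, flip one bit in block 1, verify again."""
    disk = (b"known good system library".ljust(BLOCK_SIZE, b"\x00")
            + b"known contraband picture".ljust(BLOCK_SIZE, b"\x00")
            + b"unallocated remnant".ljust(BLOCK_SIZE, b"\x00"))
    image = build_image(disk, {"case": "demo", "examiner": "example"})
    clean = verify_image(image)
    _, _, data_off = _layout(image)
    tampered = bytearray(image)
    tampered[data_off + BLOCK_SIZE + 10] ^= 0x01   # one bit in block 1
    return clean, verify_image(bytes(tampered))


if __name__ == "__main__":
    before, after = demo()
    print("clean image:", before)
    print("after one flipped bit:", after)
    print("block 1 file classified as:", classify(b"known contraband picture"))
```

The per-block checksums are what make a damaged image usable: the examiner learns which block changed and can still rely on every other block, while the whole-image hashes settle the question of whether the acquisition as a whole is intact.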

Keyword
A keyword is a string or GREP expression used in searching your evidence. (Also see GREP and Regular Expression.)

Hexadecimal
A numeral system with a radix or base of 16, usually written using the symbols 0-9 and A-F (or a-f). For example, the decimal numeral 79, whose binary representation is 01001111, is written as 4F in hexadecimal (4 = 0100, F = 1111).

LinEn Utility
The Linux EnCase client used for drive-to-drive or crossover-cable acquisitions. (Also see Using LinEn.)

Host Protected Area (HPA)
An area at the end of a disk, configured through ATA commands, that vendors use to store data safe from user access, diagnostics, or backup tools. If present, data stored in this area is hidden from the operating system and normally from the BIOS; the disk itself enforces the hiding, so an examiner must remove the protection before the area can be acquired. (Also see Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA).)

Logical Evidence File
A specialized form of an evidence file filled with user-selectable files, as opposed to a traditional evidence file, which contains the entire contents of the device. Logical Evidence files have the extension .L01.

Index
An EnCase index is a searchable index of the text in a case's evidence that lets queries return results quickly without rescanning the raw data. (Also see Indexing.)

Malware
Software designed to infiltrate or damage a computer system without the owner's informed consent.

Internet Protocol Address (IP)
A unique number that devices use to identify and communicate with each other on a computer network using the Internet Protocol standard. Any participating network device, including routers, computers, time servers, printers, Internet fax machines, and some telephones, must have its own unique address. An IP address can be thought of as the equivalent of a street address or a phone number.
IPv4 writes an address as four eight-bit decimal numbers separated by dots, and a port number is appended after a colon (for example, 192.0.2.10:8080). IPv6 addresses the limitations that IPv4 has with the total number of addresses. An IPv6 address is written as eight 16-bit hexadecimal groups separated by colons, with a run of zero groups abbreviated to "::"; because the address itself contains colons, it is enclosed in square brackets when a port number follows (for example, [2001:db8::1]:443).
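The address notations described above, as an added example (Python, not EnCase code): parsing IPv4 and IPv6 endpoints as they appear in connection logs. The log lines and their "proto src -> dst" layout are constructed for the example. The point it makes is the one practitioners trip over: without the square brackets, "2001:db8::1:443" is itself a complete IPv6 address, so no port can be recovered from it.

```python
import ipaddress
import re

# Constructed log lines (not from any real tool); "proto src -> dst" is this example's layout.
SAMPLE_LINES = [
    "TCP 192.0.2.10:51522 -> 198.51.100.7:443",
    "TCP [2001:db8::1]:443 -> [2001:db8::2]:51000",
    "UDP [::ffff:192.0.2.1]:53 -> 192.0.2.10:60001",
    "TCP 2001:db8::1:443 -> 192.0.2.10:8080",   # IPv6 without brackets: the port is lost
]

_V4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
_V6_BRACKET = re.compile(r"^\[([0-9A-Fa-f:.]+)\](?::(\d{1,5}))?$")


def _port(text):
    """Validate a decimal port string; None when no port was given."""
    if text is None:
        return None
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %s" % text)
    return port


def parse_endpoint(text):
    """Return (ip_address, port or None) for 'a.b.c.d:p', '[v6]:p', '[v6]' or a bare address.

    A bare IPv6 string such as '2001:db8::1:443' is a complete address, so no port
    is extracted from it; the brackets are what make a trailing port unambiguous.
    Malformed input raises ValueError (ipaddress raises a ValueError subclass).
    """
    text = text.strip()
    m = _V6_BRACKET.match(text)
    if m:
        return ipaddress.IPv6Address(m.group(1)), _port(m.group(2))
    m = _V4_PORT.match(text)
    if m:
        return ipaddress.IPv4Address(m.group(1)), _port(m.group(2))
    return ipaddress.ip_address(text), None


def parse_log_lines(lines):
    """Parse 'proto src -> dst' lines; unparseable lines are kept with an 'error' field."""
    rows = []
    for line in lines:
        try:
            proto, src, _, dst = line.split()
            src_ip, src_port = parse_endpoint(src)
            dst_ip, dst_port = parse_endpoint(dst)
            rows.append({"proto": proto, "src": src_ip, "src_port": src_port,
                         "dst": dst_ip, "dst_port": dst_port,
                         "version": src_ip.version, "src_is_private": src_ip.is_private})
        except ValueError as exc:
            rows.append({"line": line, "error": str(exc)})
    return rows


if __name__ == "__main__":
    for row in parse_log_lines(SAMPLE_LINES):
        print(row)
```

The fourth sample line parses without error but yields no source port, which is exactly the ambiguity the bracket convention exists to remove; a log that omits the brackets cannot be repaired after the fact.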

Mount, Mounting
The process of making a file system ready for use by the operating system, typically by reading certain index data structures from storage into memory ahead of time. The term recalls a period in the history of computing when an operator had to mount a magnetic tape or hard disk on a spindle before using it.

Network Tree
The network tree represents the hierarchical organization of the underlying network and file structure.


New Technology File System (NTFS)
The standard file system of Windows NT and its descendants: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7.

Regular Expression
A string that describes or matches a set of strings according to certain syntax rules. Many text editors and utilities use regular expressions to search and manipulate bodies of text based on certain patterns. Many programming languages support regular expressions for string manipulation. Also see GREP.
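A keyword search of the kind described under GREP, Keyword and Regular Expression, as an added example (Python, not EnCase's GREP implementation or EnScript): each pattern is run over the raw bytes as ASCII and as UTF-16LE at both byte alignments, and hits are reported with their byte offsets. The sample buffer and the two patterns are constructed for the example, and the patterns use Python's re syntax rather than EnCase's GREP operator set.

```python
import re
import struct

# Constructed sample of raw bytes as they might sit in unallocated space: an ASCII
# string, then content stored as UTF-16LE (how Windows keeps most text), including
# one UTF-16LE string that starts on an odd byte offset.
SAMPLE = (b"\x00" * 16
          + b"Contact: alice@example.org\x00"
          + "password=Hunter2".encode("utf-16-le")
          + b"\xff"
          + "bob@example.net".encode("utf-16-le")
          + b"\x00" * 8)

# Keywords as Python regular expressions (Python 're' syntax, not EnCase's GREP dialect).
PATTERNS = {
    "email": r"[a-z0-9._-]+@[a-z0-9-]+\.[a-z]{2,}",
    "password": r"password=[A-Za-z0-9]+",
}


def utf16le_view(buf, align):
    """Decode buf[align:] as 16-bit little-endian units, one str character per unit.

    Surrogate code units are replaced by U+FFFD so that character index i always
    maps back to byte offset align + 2*i (a normal UTF-16 decode would merge
    surrogate pairs and break that mapping).
    """
    body = buf[align:]
    body = body[:len(body) - (len(body) % 2)]
    units = struct.unpack("<%dH" % (len(body) // 2), body)
    return "".join("\ufffd" if 0xD800 <= u <= 0xDFFF else chr(u) for u in units)


def search_keywords(buf, patterns, ignore_case=True):
    """Run each pattern over the ASCII view and both UTF-16LE alignments of buf.

    Returns hits sorted by byte offset: {keyword, encoding, offset, match}.
    """
    flags = re.IGNORECASE if ignore_case else 0
    views = [("ascii", 0, 1, buf.decode("latin-1"))]   # latin-1: one char per byte
    views += [("utf-16le", a, 2, utf16le_view(buf, a)) for a in (0, 1)]
    hits = []
    for name, pattern in patterns.items():
        rx = re.compile(pattern, flags)
        for encoding, base, width, text in views:
            for m in rx.finditer(text):
                hits.append({"keyword": name, "encoding": encoding,
                             "offset": base + width * m.start(), "match": m.group(0)})
    return sorted(hits, key=lambda h: (h["offset"], h["encoding"]))


def hexdump_hit(buf, hit, context=8):
    """Bytes around a hit, as an examiner would see them in a hex view."""
    width = 1 if hit["encoding"] == "ascii" else 2
    start = max(0, hit["offset"] - context)
    end = hit["offset"] + width * len(hit["match"]) + context
    return " ".join("%02x" % b for b in buf[start:end])


if __name__ == "__main__":
    for hit in search_keywords(SAMPLE, PATTERNS):
        print("%5d %-8s %-8s %r" % (hit["offset"], hit["encoding"], hit["keyword"], hit["match"]))
        print("      ", hexdump_hit(SAMPLE, hit))
```

An ASCII-only search would find alice's address and nothing else; the password and the second address only surface because the buffer is also read as UTF-16LE, and the second of those only because the odd alignment is tried as well.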

Node
A node is the machine where the servlet is installed. (Also see Servlet.)

Notable File Bookmarks
Bookmarks used to identify individual files containing information important to a case.

NTFS
See New Technology File System.

Root
The base of a file system's directory structure or the parent directory of a given directory.

Pane
Panes comprise the four quadrants of the interface: Tree pane, Table pane, View pane, and Filter pane. Panes contain tabs, which alter the display of the data inside the pane. Panes are resizable.

Secure Authentication For EnCase (SAFE)
The SAFE (Secure Authentication For EnCase) is a physically and logically secured server that authenticates all users and controls all access to the network devices.

Sector
A subdivision of a track of a magnetic hard disk or optical disc. A sector stores a fixed amount of data. A typical sector contains 512 bytes.

Physical Disk Emulator (PDE)
The EnCase Physical Disk Emulator lets examiners mount computer evidence as a local drive for examination in Windows Explorer. This feature gives examiners many options in their examinations, including the use of third-party tools with evidence served by EnCase.

Security Key
A uniquely programmed hardware key, sometimes referred to as a dongle, that identifies a user to EnCase software and enables access to its features.

Servlet
Servlets are EnCase services running on network workstations and servers that provide bit-level access to the machine where they reside.

Port
A virtual data connection that programs use to exchange data directly, instead of going through a file or other temporary storage location. The most common of these are TCP and UDP ports, used to exchange data between computers on the Internet.

Signature
See File Signature.

Slack
See Disk Slack and File Slack.

Redundant Array of Independent Disks (RAID)
A data storage scheme using multiple hard drives to share or replicate data among the drives. Depending on the configuration (typically referred to as the RAID level), the benefits of RAID are increased data integrity, fault tolerance, and throughput or capacity compared to single drives. EnCase can reassemble hardware and software RAID sets from the individual member disks (see Acquiring Disk Configurations).

Snapshot
A representation of a live running machine, including volatile computer data such as currently logged on users, registry settings, and open files.


Spyware
Refers to a broad category of malicious software designed to intercept or take partial control of a computer without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

Unicode
An industry standard that enables text and symbols from all the world's writing systems to be consistently represented and manipulated by computers. Unicode consists of a character repertoire; an encoding methodology and a set of standard character encodings; code charts for visual reference; an enumeration of character properties such as upper and lower case; a set of reference data files; and rules for normalization, decomposition, collation and rendering. Windows stores most text as 16-bit little-endian Unicode (UTF-16LE), so a keyword search must include the Unicode encoding of a term as well as its ASCII form to find it in registry values, document metadata, and unallocated space.

Steganography
The art and science of writing hidden messages in a way that no one except the intended recipient knows of the existence of the message; this is in contrast to cryptography, which does not disguise the existence of the message but obscures its content.

View Pane
A part of the program user interface located in the lower-left quadrant of the four-pane display.

Subject
The computer or media that the investigator actually examines.

Virtual File System (VFS)
The EnCase Virtual File System (VFS) lets examiners mount computer evidence as a read-only, offline network drive for examination in Windows Explorer. The value of this feature is that it allows examiners multiple examination options, including the use of third-party tools with evidence served by EnCase.

Swap File
A file on disk (pagefile.sys on Windows) that backs the operating system's virtual memory: memory pages that are not currently needed are written from RAM to the swap file, freeing faster primary storage for other processes, and read back when required. Because it holds copies of process memory, a swap file can contain passwords, encryption keys, and fragments of documents that never existed as files on disk. A swap file is also called a page file.

Virtual Machine
Software that creates a virtual environment on a computer platform so the user can run software within it. Several discrete execution environments reside on a single computer, each running its own operating system. This allows applications written for one OS to run on a machine with a different OS. (Also see Boot Evidence Files and Live Systems with VMware.)

Table Pane
Part of the program user interface located in the upper-right quadrant of the four pane display.

Temp Folder
A folder that allows segregation and control of temporary files created in the course of an investigation. Also see Export Folder.

VMWare
A subsidiary of EMC Corporation that supplies much of the virtualization software available for x86-compatible computers. VMware software runs on Windows and Linux.

Tree Pane
A part of the program user interface located in the upper-left quadrant of the four-pane display.

Write Blocker
A tool (software or hardware) that prevents writes to a subject device while allowing investigators to read from it safely, so that the original evidence is not altered during preview or acquisition. (Also see FastBloc.)

Support
Guidance Software develops solutions that search, identify, recover, and deliver digital information in a forensically sound and cost-effective manner. Since our founding in 1997, we have moved into network-enabled investigations and enterprise-wide integration with other security technologies.
This section provides information on our support for you through:
Technical manuals and release notes
Support portal on the Web, including access to downloads
Technical Support Department
Customer Service Department
Message Boards
Training
Professional Services

Technical Manuals and Release Notes
Guidance Software provides printed manuals for all of our product lines, as well as PDF versions of interim updates and release notes, describing the new features and problems fixed.

Technical Support
Guidance Software provides a variety of support options, including phone, email, online submission forms, an up-to-date knowledge base, and a message board (technical forum). Support is available between our US and UK offices 24 hours a day, Monday through Friday, excluding public holidays. Calls are automatically routed to the open office.

Phone/Mail Support
US Contact Info:
Hours: Monday to Thursday, 5 AM to 10 PM Pacific time; Friday, 5 AM to 7 PM Pacific time
215 North Marengo Avenue, Suite 250
Pasadena, CA 91101
Phone: (626) 229-9191, ext. 565
Fax: (626) 229-9199


UK Contact Info:
Hours: Monday to Friday, 6 AM to 4 PM UK time
Thames Central, 5th Floor
Hatfield Road
Slough, Berkshire, UK SL1 1QE
Phone: +44 (0)1753 552252, Option 4
Fax: +44 (0)1753 552232
Toll-Free Numbers:
Technical support is also available at the following numbers:
Germany: 08001814625
China: 108001300976
Australia: 1800750639
Hong Kong: 800964635
New Zealand: 0800450523
Japan: 00531130890

Online Support
Guidance Software offers a Support Portal to our registered users, providing technical forums, a knowledge base, a bug tracking database, and an Online Request form. The Portal gives you access to all support-related issues in one site. This includes:
User, product, beta testing, and foreign language forums (message boards)
Knowledge Base
Bug Tracker
Technical Services Request form
Downloads of previous software versions, drivers, etc.
Other useful links

Although technical support is available by email, you will receive more thorough, quicker service when you use the online Technical Support Request Form (https://support.guidancesoftware.com/node/381). Note that all fields are mandatory, and filling them out completely reduces the amount of time it takes to resolve an issue.


If you do not have access to the Support Portal, please use the Support Portal registration form (https://support.guidancesoftware.com/forum/register.php?do=signup).

Registration
Registration requires you to choose a unique username and password. Please provide all requested information, including dongle ID, phone, email address, organization, etc. This helps us identify you as a registered owner of EnCase.
You will receive an email within 24 hours. You must follow the link in that email before you can post on the forums. Until you do that, you will not have permission to post. Once you have verified your email address, you will be added to the Registration List. Please allow 24 business hours for your account to be approved.
Once your registration is approved, you can access the Support Portal (https://support.guidancesoftware.com/). The Support Portal provides a tutorial that briefly overviews the site.

User, Product, and Foreign Language Forums
To access the forums, click the Forum Tab (https://support.guidancesoftware.com/forum/) in the Support Portal.

The forums allow registered users to post questions, exchange information, and hold discussions with Guidance Software and other users in the EnCase community. Different discussion groups are available as follows:


Foreign Language Groups
French
Arabic
German
Spanish
Japanese
Chinese
Korean

Forum Groups
User Group
Consultant and Practitioner
Computer Forensic Hardware Issues
EnScript Forum

Product-Specific Groups
EnCase Neutrino
Enterprise
Field Intelligence Model (FIM)
eDiscovery

These groups are only available to customers who have purchased the respective products. Enter a group by clicking the group name.

Posting to a Group
To create a new post, click the new-post icon. Click the reply icon to reply to a post, or use the Quick Reply icon at the bottom of each post.


Searching
The forums contain an accumulation of over ten years of information. Use the Search button to search for keywords, or click Advanced Search for more specific search options.

Bug Tracker
Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement requests. It is broken down by product, showing the current number of bugs/enhancements and public bugs for each product. To access the Bug Tracker, click Bug Tracker (https://support.guidancesoftware.com/forum/project.php) in the Support Portal.

Knowledge Base
You can find answers to frequently asked questions (FAQs) and other useful product documentation in the Knowledge Base. You can also submit your own articles to help other EnCase users. To access the Knowledge Base, click Knowledge Base (https://support.guidancesoftware.com/directory) in the Support Portal.

From here, you can browse, search, and write Knowledge Base articles.

Online Technical Support Request Form
Please use the Request Form for assistance from a Technical Services engineer. To access the form, click Request Form (https://support.guidancesoftware.com/node/381) in the Support Portal.


Other Useful Links

The Support Portal's landing page contains a section of useful links, including:
Guidance Software Home Page
Download Center to download software, hardware, manuals, boot disks, support articles, etc.
My Account to register your dongle ID to receive up-to-date software by email
NVD (National Vulnerability Database) Information and Responses
Guidance Product Version Matrix for checking compatibility of different product versions
Hardware Recommendations for EnCase Forensic and EnCase Enterprise
Subscribe to Public Bugs

Customer Service
Please direct service questions and concerns to the Guidance Software Customer Service Department:
215 North Marengo Avenue, Second Floor
Pasadena, CA 91101
Phone: (626) 229-9191, press 5, Monday to Friday, 7:00 AM to 5:00 PM Pacific time
Fax: (626) 229-9199
Email: customerservice@guidancesoftware.com
You can access our Customer Service Request Form online at http://www.guidancesoftware.com/support/cs_requestform.aspx.

Message Boards
The Guidance Software message boards are resources for the computer forensics community to exchange ideas, ask questions, and give answers. The message boards are an invaluable resource for the forensic investigator.


Discussions range from basic acquisition techniques to in-depth analysis of encrypted files and more. Thousands of experienced and skilled users are registered on the boards, reviewing posts every day and providing their expertise on all Guidance Software products. More information about the message boards, including how to join, is located at http://www.guidancesoftware.com/support/messageboards.asp.

Downloads
When you receive your product, register with Guidance Software to receive updates. Registration is located at https://www.guidancesoftware.com/myaccount/registration.aspx. If you have any trouble registering your product, contact Customer Service (see page 638). If you have any trouble downloading the updates once registered, contact Technical Support (see page 633).

Training
Guidance Software offers a variety of professional courses for the beginner, intermediate, and advanced user of all its applications. In addition to providing a solid grounding in our software, we also provide our students with accepted best practices for investigation, report generation and evidence preservation. Guidance Software offers courses for law enforcement agencies, organizations concerned with forensics and incident response, and advanced topics for all users.

Professional Services
The Guidance Software Professional Services Division (PSD) combines world-leading computer investigations experts with world-leading forensic technology to deliver turnkey solutions to forensic investigations. Guidance Software has combined its industry-leading computer investigation technology with a team of the most highly trained and capable investigators in the world to bring you complete turnkey solutions for your business. When you face investigative issues that go beyond your internal capabilities, our professional services group is able to respond either remotely or by coming on site to provide the right technology and computer investigations personnel for the job.

Internal Investigations
Theft of intellectual property
Intrusion reconstruction
Wrongful termination suit

Compliance
Sarbanes-Oxley
PII risk assessment
California SB 1386


eDiscovery
Pending litigation
Responsive production
Forensic preservation

Information Security
Compromise of system integrity
Policy review
Unauthorized use
Forensic lab implementation


V
ValidatingParityonaRAID5187 VerifyingEvidenceFiles167 VFSServer600 ViewMenu39 ViewPane62,347,631 ViewPaneandTabBarandViewMenu44 ViewPaneMenu44 ViewPaneTabs73 ViewerFileTypeDialog344 ViewingaBookmarkontheTableReportTab402 ViewingaBookmarkReport417 ViewingAttachments318 ViewingBase64andUUEEncodedFiles366 ViewingCompoundFiles350 ViewingCompressedFiles353 ViewingFewerColumns111 ViewingFewerRows111 ViewingFileContent333 ViewingFileStructure350 ViewingFiles334 ViewingHashSearchResults288 ViewingLotusNotesFiles354 ViewingMacintosh.paxFiles361 ViewingMoreColumns111 ViewingMoreRows111 ViewingMSExchangeFiles355 ViewingMSOutlookEmail360 ViewingNonUnicodeFiles483 ViewingOffice2007Documents363 ViewingOLEFiles353

U
Unicode631 UnicodeFonts471 UninstallingtheExaminer21 UnsuccessfulDecryption540 UpdatingtheDatabase222 UserSecurityID(SID)forSingleFiles178 UsersDropdownMenu122

ViewingOutlookExpressEmail358 ViewingRecordSearchHits305 ViewingRegistryFiles351 ViewingSearchHits305 ViewingSignatureAnalysisResults(Part1)281 ViewingSignatureAnalysisResults(Part2)282 ViewingtheFileSignatureDirectory277 ViewingtheLicenseforLinEn486 ViewingUnicodeFiles482 ViewingWindowsThumbs.db362 VirtualFileSystem585,586 VirtualFileSystem(VFS)631 VirtualMachine631 VistaExaminerSupport32 VMWare631 VMware/EnCasePDEFAQs582

W
WebMailParser314,456 WhentouseaCrossoverCable182 Windows378 Windows7Support12 WindowsEventLogParser255 WindowsKeyArchitecture566 WindowsNTSoftwareDiskConfigurations184 WindowsServer2008Support12 WindowsbasedAcquisitionswithanonFastBloc WriteBlocker173 WindowsbasedAcquisitionswithFastBlocWrite Blockers169 WinEn229 WinMagicSecureDoc4.6Support14 WinMagicSecureDocEncryptionSupport540 WipeDrive232 Wiping614 WorkingwithEvidence137 WorkingwithNonEnglishLanguages469,470 WriteBlockValidationTestingandDiskCaching 614 WriteBlocker631 WriteBlockingaUSB,FireWire,orSCSIDevice 608 WriteBlockingIDEandSATAControllerCards612 WriteProtectingaUSB,FireWire,orSCSIDevice 611 WTMP/UTMPLogParser256

Z
ZIPandRARArchiveFileSupport363
