Page 1

version6 E n C a s e速

F o r e n s i c Quick Start Guide 


Thank you for purchasing EnCase速 Forensic version 6. This guide provides additional information on resources, products and services to support your day-to-day operations.

B O X 

C O N T


q This Quick Start/Reference Guide contains: n Overview n Support and Resources

EnCase Forensic q q q q q q

EnCase Forensic software CD EnCase Forensic User Manual EnCase Modules Manual (Corporate Deluxe version only) Aladdin HASP HL USB security key (dongle) Crossover cable Guidance Software lanyard

Download Latest Updates

In order to download product updates and other resources you must register your copy of EnCase with us online. You can register within EnCase under the Help menu or by visiting www.guidancesoftware.com.

E N T S 


O V E R V 


Buttons explained ITEM

DESCRIPTION

New

Creates a new case. The examiner must specify the case name, the examiner’s name, and the export and temp folders.

Open

Opens an existing case. Browse to a .Case file and click Open.

Save

Saves the currently open case files. If a case has not been saved before, the case file must be named, then saved.

Print

Prints the currently active panel to the specified printer. It is possible to print any panel from the Cases panel to the Timeline panel and more.

Add Device

Click this button to add either a device (to be previewed) or an evidence file of previously acquired media. Cases can hold both “live” devices and evidence files.

Search

Click this button to search for Keywords, Internet History, and Email, as well as to perform File Signature and Hash Analysis.

I E W 


Right Pane Panels Explained ITEM

DESCRIPTION

Table

The Table panel contains all the attributes of a particular entry. The examiner can review file information by file extension, file name, last accessed time, physical size, and many other criteria. Examiners can sort by any column simply by double-clicking the column header.

Report

The Report panel reports the information it has about the current file, folder, volume, or disk selected in the right pane, such as date and time stamps and file permissions. From the Bookmark panel, the Report panel provides documentation of all evidence that the examiner has bookmarked during the investigation. The report is a compilation of all bookmarks within the case.

Gallery

The Gallery panel is a quick and easy way to view any and all images stored on the subject media. It is possible to view all images within a folder, a volume, or the entire case.

Timeline

The Timeline panel is a great resource for looking at patterns of file activity. The Timeline panel displays date and time stamps for file creation, last written, last accessed, and entry modified.

Disk

The Disk panel is a graphic representation of the sectors of the evidence file. For each file selected in the Table panel, the Disk panel displays where that file resides in the evidence file.

Code

Shows the code that comprises an EnScript® program or filter.

Left Pane Panels explained ITEM

DESCRIPTION

Cases

The Cases panel contains the currently open cases.

Entries

The Entries panel shows the devices associated with a highlighted case and the file structure in Windows® Explorer-type tree format.




Bookmarks

The Bookmarks panel contains bookmarked evidence, such as bookmarked files, bookmarked images, bookmarked text fragments, customized “note” bookmarks, and more. Bookmarked items can be dragged from one bookmark folder to another by the examiner.

Search Hits

Search hits generated from keyword searches are placed in the Search Hits panel. Each keyword triggers the creation of a folder of the same name under the Search Hits panel. Keyword hits are then placed in their corresponding folder.

Records

From this panel, the user can view the results of Internet History and Email searches (browser cache, history, email and attachments). Use Gallery to view images from Browser Cache.

Devices

The Devices panel displays devices information regarding the devices in a case: acquisition notes, the examiner’s name, the acquisition and verification hash values, and more.

Secure Storage

This panel allows the user to extract username and password information from encrypted files when the EnCase EDS module is used.

Keywords

Keywords allow the examiner to search a single case or all open cases with words, phrases and even hex strings. Keywords can be entered as case-sensitive, UTF7, UTF8, and more. A separate Keywords panel opens for each case so that the user can isolate keyword lists to certain cases.

Archive Files This panel is used for Archiving evidence files to CDs or DVDs. Encryption Keys

This panel is used to create, view, and modify encryption keys.




EnScript® Types

The EnScript Types panel is a reference resource for coding EnScript programs, containing a complete list of all EnScript program types.

EnScript®

This panel is where EnScript programs can be reviewed, added, edited, and deleted. EnScript programs are small programs or macros that are designed to automate forensic procedures. EnScript programs can access and manipulate almost all areas of the the EnCase Forensic interface, from searching to creating bookmarks to putting information in the report.

File Signatures

File signatures are the unique hex header signature associated with file types. For example, an industry- standard JPEG image has the hex header signature of \xFF\xD8\xFF[\xFE\xE0]\x00. From this panel, file signatures can be added, edited and deleted.

File Types

File types are used to categorize file extensions in order to provide easy identification or grouping of files in EnCase Forensic; a great deal of extensions are already categorized in this panel.

File Viewers

File viewers are associations that EnCase uses between file types and applications to open files outside of EnCase. For example, EnCase cannot natively view AVI files (video). Thus an examiner would set up an association between a “viewer,” such as Windows Media Player, and the AVI file type.

Hash Sets

Hash sets are a collection of hash values of files that belong to the same application. For example, if the C:\Windows folder is hashed on a “clean” system, the resulting collection of hash values could be labeled “Windows Hash Set”. From this panel, Hash Sets can be added, edited and deleted.

Text Styles

Text Styles are used to change the way text is displayed and is helpful in viewing non-English languages. EnCase Forensic ships with several default text styles, but more can be added.




Lower Pane Panels explained ITEM

DESCRIPTION

Text

The Text panel is for viewing text in the highlighted file above. The Text panel contains the output of the data in the selected Text Style, for the currently selected file. Portions of the text can be bookmarked or exported by “sweeping” (clicking and dragging), right clicking and choosing to either bookmark or export the highlighted data.

Hex

The Hex panel contains the data, in hex format, of the currently selected file. The right pane displays the text of the corresponding hex characters.

Doc

The Doc panel is used to view file content as if it was being viewed through the application that created the file natively. For instance, a Microsoft Excel entry will be shown in the Doc panel with cells and values displayed.

Transcript

The Transcript panel is used to view file content of entries while suppressing formatting and other document noise to improve searching and viewing capabilities.

Picture

The Picture panel displays the highlighted file as an image. If the file is not an image, then the Picture tab will be grayed-out. EnCase Forensic can natively display GIF, JPG, BMP, and TIFF files.

Report

The Report panel displays the attributes of the currently selected file. The data shown is the same data as what is the Table panel, but displayed in a report format in addition to the security attributes (if NTFS).

Console

The Console panel displays output from EnScript programs that send output to the Console panel upon execution.

Output

The Output panel is used to by EnScript programs to display debug information for troubleshooting code.

Codepage

The Codepage panel allows you to associate a codepage with a selected file.




Filters

The Filters panel is where the examiner can quickly and easily create and edit filters. When a filter is activated, only the files that fit the filter criteria, such as “Pictures only” or “Files Accessed After February, 2003 only” are displayed.

Queries

The Queries panel combines the functionality of filters together, creating customized, powerful queries that drastically reduce the time taken to navigate files. For example, to view only log files, mail files, and all DOC, TXT, WP, and HTML files, use the Compound Filter Query to combine the separate filters into one complex query.

Navigation explained ITEM

DESCRIPTION

“All Files”

The “All Files” button, the “home-plate” shaped trigger next to the check box with each folder, is an invaluable navigation tool for the EnCase Forensic interface. For whatever folder the “All Files” button is activated (green), in the active view on the right (Table, Timeline, Gallery, Report or Code view), all files and all folders within that particular folder will be displayed. In this way, it is possible to see files of many folders at once, not simply one folder at a time.

Lock-box

The “Lock” check box is used to lock the selected view when scrolling through files. For example, if the “Lock” is checked on the Hex view, switching to a graphic image in the Table view above will not automatically switch the lower-pane to the Picture view.




Case Management Before starting a case, it is important to create case organization guidelines. Consider how case files and evidence files will be organized on the hard drive. Most examiners have a large hard drive dedicated to evidence file storage, the “Storage” drive. They might put all evidence files into folders for each case they are working on. For example, if an examiner was working three cases, he might have a d:\smith folder, a d:\potter folder, and a d:\jones folder. If you organize each case into a folder named after the subject, such as d:\jones, then your Default Export folder and Temporary folder might be d:\jones\export and d:\jones\temp, respectively. Booting a Subject computer safely: n

Confirm the subject computer is off. Pull the power cord plug from behind the back of the computer if unsure.

n

Open the computer and inspect the inside for unusual connections or configurations. It is not unheard of for a computer to house a disconnected hard drive.

n

Disconnect the power cables to all the resident hard drives.

n

Insert the EnCase Boot Disk and turn on the computer.

n

Run the CMOS setup routine to ensure that the computer is set to boot from the floppy drive.

n

Verify that the computer is set to boot from the floppy drive by looking at the boot order settings.

n

Exit the BIOS and save changes.

n

Allow the computer to continue to boot from the floppy. In certain instances the computer’s floppy drive may not be functional due to dust, wear or other reasons. Confirm that a boot from the floppy is possible.

n

Power off the computer and reconnect the disk drive power cables.

n

Confirm the EnCase Boot Disk is still in the floppy drive and turn on the computer and allow the computer to boot to the floppy drive.




Methods of Acquisition, Equipment Needed Network Cable Acquisition n

ENBD Crossover network cable n A supported PCI NIC or PCMCIA NIC for the Subject computer n Subject computer and examiner’s computer n

Process: Install the supported NIC into the Subject PC. Attach the crossover network cable to the two computers. Boot the Subject computer with the ENBD and choose “Auto”. Power on the examiner’s PC into Windows and launch EnCase software. Click the Add Device button and specify the “Network Crossover” option. The remote computer should be seen. Preview and acquire. FastBloc®2 Write-Blocking Device Acquisitions n

FastBloc®2 Lab Edition or Field Edition n The Subject media (IDE hard drive) Process: Attach the Subject HD to the FastBloc2 write-blocking device and the FastBloc2 write-blocking device to the examiner’s computer. Power up into Windows and launch EnCase Forensic. Click the Add Device button and specify the “Local Drives” option. Select the FastBloc2 write-blocking device. Preview and acquire. Palm PDA Acquisition n n

Subject Palm PDA and cradle Examiner’s computer

Process: Put Palm in “Console mode”. Place Palm in cradle. Power on examiner’s computer into Windows and launch EnCase Forensic. Click the Add Device button. Select the “Palm Pilot” option. The Palm will be seen. Preview and acquire.

ACQUISITION OPTIONS 1. Enter the Name of the target system, unique Evidence number and detailed Notes.

NOTE: After the acquisition, you cannot change the information entered, therefore, take extreme care in what you enter.

2. By default, the Start Sector is set at 0 and Stop Sector is set at the last sector of the target machine’s hard drive. The ability to change the start and stop sector is indispensable when dealing with 10


damaged hard drives or when you have limited amount of storage space while acquiring a server. 3. Select the appropriate compression based on your speed concerns and desired file size. 4. For increased security, you may enter a Password. However, if you forget the password, there is no way to access the evidence files. 5. By default, EnCase Forensic will split the evidence File Segment Size into 640 MB segments, making it convenient to back up the evidence files to CD-R. This value may be set between 1 MB – 2000 MB. 6. It is recommended that the Generate Image Hash checkbox be checked for all systems acquired. This will generate a MD5 hash of the target system to ensure the integrity of the evidence. The Read Ahead option caches blocks of data ahead of time so that they are available for commands in the process, decreasing acquisition time. The size of the block is dependent on the value of the Block size (Sectors) option. 7. Granularity specifies the number of sectors within a block of data containing a read error to be zeroed out, from the default of 64 sectors incrementally down to 1. The size of the block is dependent on the value of the Block size (Sectors) option. The Block size determines the number of sectors to use to generate a CRC value. 8. To prevent cross-contamination, it is recommended to use a unique folder for each case with export and temp subfolders. When acquiring a device, make sure that the correct Output Path is shown in this box for storage of evidence files. An Alternate Path can be specified ahead of time if the Output Path runs out of space during the acquisition. 11


Beginning Investigations n

Recover Folders: The Recover Folders command works only on FAT16 and FAT32 evidence files. This command searches the unallocated clusters of the FAT partition for the “dot, double-dot” signature of a deleted folder. When the signature matches, EnCase Forensic can rebuild the files and folders that were within that folder, recovering potentially gigs of data.

n

Signature Analysis: A signature analysis compares a file’s extension to the file’s hex header signature. File types each have their own extension and many have standardized file signatures. If the file extension does not match the file’s signature, there is a good chance that that file has been tampered with in an attempt to hide evidence. One of the first tasks an examiner should run, therefore, is a Signature Analysis to quickly locate possibly suspect files.

n

Hash Analysis: By using the MD5 hash algorithm, it is possible to generate a “digital fingerprint” of any file. By comparing this hash value to hash values in hash sets in the examiner’s hash library, it is possible to expeditiously categorize “Known” and “Notable” files, allowing the examiner to identify suspect files. A hash analysis is a crucial step early in an investigation. The more complete the examiner’s hash library, the more effective the analysis.

EnScript® Programs Main EnScript programs are used to launch additional EnScript modules. Case Processor is used against mounted devices or evidence files. Some of the available EnScript modules included within EnCase Forensic are: n

File Finder: Recovers JPG, GIF, BMP, EMF files, etc., putting all results under the Bookmark panel within the case.

n

Initialize Case: Captures critical information about an investigation and the evidence being examined, including user information, user settings, system settings, installed software and more.

n

Additional EnScript programs include Scan Registry, Windows Event Log Parser, Credit Card Finder, Partition Finder, HTML Parser and EDS Registry.

12


NOTES:

13


S U P P O R T 14

&

R E S


Contact Information

Phone

E-mail

Headquarters

626-229-9191

info@guidancesoftware.com

Sales

ext. 563

sales@guidancesoftware.com

Technical Support

ext. 565

technicalsupport@guidancesoftware.com

Customer Service

ext. 564

customerservice@guidancesoftware.com

Training and Certification

ext. 566

training@guidancesoftware.com

Professional Services

ext. 210

servicesdivision@guidancesoftware.com

U.K. Technical Support

+44 (0) 175 355 2252 Europe.support@guidancesoftware.com option 4

Toll-free International Numbers Germany

0-800-181-4625

Australia

1-800-750-639

New Zealand

0-800-45-0523

Japan

00-531-13-0890

asiapacsupport@guidancesoftware.com

Hong Kong

800-96-4635

asiapacsupport@guidancesoftware.com

China

10-800-130-0976

asiapacsupport@guidancesoftware.com

Visit http://www.guidancesoftware.com for in-depth information and resources.

Other Resources: EnCase Legal Journal: http://www.guidancesoftware.com/downloads/Legal_Journal_July_06.pdf Guidance Software white-papers: http://www.guidancesoftware.com/support/resources.asp

O U R C E S 15


Š2006 Guidance Software, Inc. All Rights Reserved. Guidance Software and the Guidance Software logo are trademarks, and EnCase, EnScript and FastBloc are registered trademarks of Guidance Software, Inc. All other trademarks are the properties of their respective owners.

16

80-06-00060 11/06

tee  

teera mata

Advertisement