EnCase® Forensic version 6
Quick Start Guide
Thank you for purchasing EnCase® Forensic version 6. This guide provides additional information on resources, products and services to support your day-to-day operations.
Box Contents

This Quick Start/Reference Guide contains:
- Overview
- Support and Resources

EnCase Forensic box contents:
- EnCase Forensic software CD
- EnCase Forensic User Manual
- EnCase Modules Manual (Corporate Deluxe version only)
- Aladdin HASP HL USB security key (dongle)
- Crossover cable
- Guidance Software lanyard
Download Latest Updates
In order to download product updates and other resources you must register your copy of EnCase with us online. You can register within EnCase under the Help menu or by visiting www.guidancesoftware.com.
Overview
Buttons explained
- Creates a new case. The examiner must specify the case name, the examiner’s name, and the export and temp folders.
- Opens an existing case. Browse to a .Case file and click Open.
- Saves the currently open case files. If a case has not been saved before, the case file must be named, then saved.
- Prints the currently active panel to the specified printer. It is possible to print any panel from the Cases panel to the Timeline panel and more.
- Click this button to add either a device (to be previewed) or an evidence file of previously acquired media. Cases can hold both “live” devices and evidence files.
- Click this button to search for Keywords, Internet History, and Email, as well as to perform File Signature and Hash Analysis.
Right Pane Panels explained
- The Table panel contains all the attributes of a particular entry. The examiner can review file information by file extension, file name, last accessed time, physical size, and many other criteria. Examiners can sort by any column simply by double-clicking the column header.
- The Report panel reports the information it has about the current file, folder, volume, or disk selected in the right pane, such as date and time stamps and file permissions. From the Bookmark panel, the Report panel provides documentation of all evidence that the examiner has bookmarked during the investigation. The report is a compilation of all bookmarks within the case.
- The Gallery panel is a quick and easy way to view any and all images stored on the subject media. It is possible to view all images within a folder, a volume, or the entire case.
- The Timeline panel is a great resource for looking at patterns of file activity. The Timeline panel displays date and time stamps for file creation, last written, last accessed, and entry modified.
- The Disk panel is a graphic representation of the sectors of the evidence file. For each file selected in the Table panel, the Disk panel displays where that file resides in the evidence file.
- The Code panel shows the code that comprises an EnScript® program or filter.
Left Pane Panels explained
- The Cases panel contains the currently open cases.
- The Entries panel shows the devices associated with a highlighted case and the file structure in a Windows® Explorer-type tree format.
- The Bookmarks panel contains bookmarked evidence, such as bookmarked files, bookmarked images, bookmarked text fragments, customized “note” bookmarks, and more. Bookmarked items can be dragged from one bookmark folder to another by the examiner.
- Search hits generated from keyword searches are placed in the Search Hits panel. Each keyword triggers the creation of a folder of the same name under the Search Hits panel. Keyword hits are then placed in their corresponding folder.
- From this panel, the user can view the results of Internet History and Email searches (browser cache, history, email and attachments). Use Gallery to view images from Browser Cache.
- The Devices panel displays information regarding the devices in a case: acquisition notes, the examiner’s name, the acquisition and verification hash values, and more.
- This panel allows the user to extract username and password information from encrypted files when the EnCase EDS module is used.
- Keywords allow the examiner to search a single case or all open cases with words, phrases and even hex strings. Keywords can be entered as case-sensitive, UTF7, UTF8, and more. A separate Keywords panel opens for each case so that the user can isolate keyword lists to certain cases.
- Archive Files: This panel is used for archiving evidence files to CDs or DVDs.
- Encryption Keys: This panel is used to create, view, and modify encryption keys.
- The EnScript Types panel is a reference resource for coding EnScript programs, containing a complete list of all EnScript program types.
- This panel is where EnScript programs can be reviewed, added, edited, and deleted. EnScript programs are small programs or macros that are designed to automate forensic procedures. EnScript programs can access and manipulate almost all areas of the EnCase Forensic interface, from searching to creating bookmarks to putting information in the report.
- File signatures are the unique hex header signature associated with file types. For example, an industry-standard JPEG image has the hex header signature of \xFF\xD8\xFF[\xFE\xE0]\x00. From this panel, file signatures can be added, edited and deleted.
- File types are used to categorize file extensions in order to provide easy identification or grouping of files in EnCase Forensic; a great many extensions are already categorized in this panel.
- File viewers are associations that EnCase uses between file types and applications to open files outside of EnCase. For example, EnCase cannot natively view AVI files (video). Thus an examiner would set up an association between a “viewer,” such as Windows Media Player, and the AVI file type.
- Hash sets are a collection of hash values of files that belong to the same application. For example, if the C:\Windows folder is hashed on a “clean” system, the resulting collection of hash values could be labeled “Windows Hash Set”. From this panel, Hash Sets can be added, edited and deleted.
- Text Styles are used to change the way text is displayed and are helpful in viewing non-English languages. EnCase Forensic ships with several default text styles, but more can be added.
Lower Pane Panels explained
- The Text panel is for viewing text in the highlighted file above. The Text panel contains the output of the data in the selected Text Style, for the currently selected file. Portions of the text can be bookmarked or exported by “sweeping” (clicking and dragging), right-clicking and choosing to either bookmark or export the highlighted data.
- The Hex panel contains the data, in hex format, of the currently selected file. The right pane displays the text of the corresponding hex characters.
- The Doc panel is used to view file content as if it were being viewed through the application that created the file natively. For instance, a Microsoft Excel entry will be shown in the Doc panel with cells and values displayed.
- The Transcript panel is used to view file content of entries while suppressing formatting and other document noise to improve searching and viewing capabilities.
- The Picture panel displays the highlighted file as an image. If the file is not an image, then the Picture tab will be grayed out. EnCase Forensic can natively display GIF, JPG, BMP, and TIFF files.
- The Report panel displays the attributes of the currently selected file. The data shown is the same data as in the Table panel, but displayed in a report format, together with the security attributes (if NTFS).
- The Console panel displays output from EnScript programs that send output to the Console panel upon execution.
- The Output panel is used by EnScript programs to display debug information for troubleshooting code.
- The Codepage panel allows you to associate a codepage with a selected file.
- The Filters panel is where the examiner can quickly and easily create and edit filters. When a filter is activated, only the files that fit the filter criteria, such as “Pictures only” or “Files Accessed After February, 2003 only”, are displayed.
- The Queries panel combines the functionality of filters together, creating customized, powerful queries that drastically reduce the time taken to navigate files. For example, to view only log files, mail files, and all DOC, TXT, WP, and HTML files, use the Compound Filter Query to combine the separate filters into one complex query.
Navigation explained
- The “All Files” button, the “home-plate” shaped trigger next to the check box with each folder, is an invaluable navigation tool for the EnCase Forensic interface. For whatever folder the “All Files” button is activated (green), in the active view on the right (Table, Timeline, Gallery, Report or Code view), all files and all folders within that particular folder will be displayed. In this way, it is possible to see files of many folders at once, not simply one folder at a time.
- The “Lock” check box is used to lock the selected view when scrolling through files. For example, if the “Lock” is checked on the Hex view, switching to a graphic image in the Table view above will not automatically switch the lower pane to the Picture view.
Case Management

Before starting a case, it is important to create case organization guidelines. Consider how case files and evidence files will be organized on the hard drive. Most examiners have a large hard drive dedicated to evidence file storage, the “Storage” drive. They might put all evidence files into folders for each case they are working on. For example, if an examiner was working three cases, he might have a d:\smith folder, a d:\potter folder, and a d:\jones folder. If you organize each case into a folder named after the subject, such as d:\jones, then your Default Export folder and Temporary folder might be d:\jones\export and d:\jones\temp, respectively.

Booting a Subject computer safely:
1. Confirm the subject computer is off. Pull the power cord plug from the back of the computer if unsure.
2. Open the computer and inspect the inside for unusual connections or configurations. It is not unheard of for a computer to house a disconnected hard drive.
3. Disconnect the power cables to all the resident hard drives.
4. Insert the EnCase Boot Disk and turn on the computer.
5. Run the CMOS setup routine to ensure that the computer is set to boot from the floppy drive.
6. Verify that the computer is set to boot from the floppy drive by looking at the boot order settings.
7. Exit the BIOS and save changes.
8. Allow the computer to continue to boot from the floppy. In certain instances the computer’s floppy drive may not be functional due to dust, wear or other reasons. Confirm that a boot from the floppy is possible.
9. Power off the computer and reconnect the disk drive power cables.
10. Confirm the EnCase Boot Disk is still in the floppy drive, turn on the computer and allow the computer to boot to the floppy drive.
Methods of Acquisition, Equipment Needed

Network Cable Acquisition
Equipment:
- ENBD
- Crossover network cable
- A supported PCI NIC or PCMCIA NIC for the Subject computer
- Subject computer and examiner’s computer
Process: Install the supported NIC into the Subject PC. Attach the crossover network cable to the two computers. Boot the Subject computer with the ENBD and choose “Auto”. Power on the examiner’s PC into Windows and launch EnCase software. Click the Add Device button and specify the “Network Crossover” option. The remote computer should be seen. Preview and acquire.

FastBloc®2 Write-Blocking Device Acquisitions
Equipment:
- FastBloc®2 Lab Edition or Field Edition
- The Subject media (IDE hard drive)
Process: Attach the Subject HD to the FastBloc2 write-blocking device and the FastBloc2 write-blocking device to the examiner’s computer. Power up into Windows and launch EnCase Forensic. Click the Add Device button and specify the “Local Drives” option. Select the FastBloc2 write-blocking device. Preview and acquire.

Palm PDA Acquisition
Equipment:
- Subject Palm PDA and cradle
- Examiner’s computer
Process: Put the Palm in “Console mode”. Place the Palm in the cradle. Power on the examiner’s computer into Windows and launch EnCase Forensic. Click the Add Device button. Select the “Palm Pilot” option. The Palm will be seen. Preview and acquire.
ACQUISITION OPTIONS

1. Enter the Name of the target system, a unique Evidence number and detailed Notes.
NOTE: After the acquisition, you cannot change the information entered; therefore, take extreme care in what you enter.
2. By default, the Start Sector is set at 0 and the Stop Sector is set at the last sector of the target machine’s hard drive. The ability to change the start and stop sector is indispensable when dealing with damaged hard drives or when you have a limited amount of storage space while acquiring a server.
3. Select the appropriate compression based on your speed concerns and desired file size.
4. For increased security, you may enter a Password. However, if you forget the password, there is no way to access the evidence files.
5. By default, EnCase Forensic will split the evidence File Segment Size into 640 MB segments, making it convenient to back up the evidence files to CD-R. This value may be set between 1 MB – 2000 MB.
6. It is recommended that the Generate Image Hash checkbox be checked for all systems acquired. This will generate an MD5 hash of the target system to ensure the integrity of the evidence.
The Read Ahead option caches blocks of data ahead of time so that they are available for commands in the process, decreasing acquisition time. The size of the block is dependent on the value of the Block size (Sectors) option.
7. Granularity specifies the number of sectors within a block of data containing a read error to be zeroed out, from the default of 64 sectors incrementally down to 1. The size of the block is dependent on the value of the Block size (Sectors) option. The Block size determines the number of sectors to use to generate a CRC value.
8. To prevent cross-contamination, it is recommended to use a unique folder for each case with export and temp subfolders. When acquiring a device, make sure that the correct Output Path is shown in this box for storage of evidence files. An Alternate Path can be specified ahead of time in case the Output Path runs out of space during the acquisition.
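To make the Block size, Granularity, Generate Image Hash and File Segment Size options concrete, here is an added Python example. It is not Guidance Software's code and does not reproduce the layout of EnCase's own evidence file format; the device, its sector contents and the unreadable sector are constructed. It images a 200-sector device, zeroes only the granularity-sized piece of a block that still fails on re-read, computes one CRC32 per block plus an MD5 acquisition hash, splits the output into fixed-size segments, and then re-verifies the stored segments the way the verification hash shown in the Devices panel does:

```python
import hashlib
import zlib

SECTOR = 512  # bytes per sector on the IDE media the guide describes


class SectorReadError(IOError):
    """Raised by a reader when one or more sectors cannot be read."""


def make_device(n_sectors, bad_sectors=()):
    """Constructed stand-in for a subject drive: returns read_sectors(start, count).
    Sector i contains its own number repeated; sectors in bad_sectors raise."""
    bad = set(bad_sectors)

    def read_sectors(start, count):
        if start < 0 or start + count > n_sectors:
            raise ValueError("read beyond end of device")
        if any(s in bad for s in range(start, start + count)):
            raise SectorReadError(f"read error in sectors {start}-{start + count - 1}")
        return b"".join(i.to_bytes(4, "little") * (SECTOR // 4)
                        for i in range(start, start + count))

    return read_sectors


def read_block(read_sectors, start, count, granularity):
    """Read one CRC block. On a read error, re-read it in pieces of `granularity`
    sectors and zero only the pieces that still fail (the guide's Granularity option:
    64 sectors zeroes the whole default block, 1 zeroes just the bad sector)."""
    try:
        return read_sectors(start, count), []
    except SectorReadError:
        pieces, zeroed = [], []
        for off in range(0, count, granularity):
            n = min(granularity, count - off)
            try:
                pieces.append(read_sectors(start + off, n))
            except SectorReadError:
                pieces.append(b"\x00" * (n * SECTOR))
                zeroed.append((start + off, n))
        return b"".join(pieces), zeroed


def acquire(read_sectors, start_sector, stop_sector, block_sectors=64,
            granularity=64, segment_bytes=640 * 1024 * 1024):
    """Image sectors start_sector..stop_sector inclusive. Produces one CRC32 per block,
    evidence-file segments of segment_bytes (640 MB default, as in the guide) and the
    MD5 acquisition hash over the data exactly as written (zeroed sectors included)."""
    md5, crcs, zeroed, segments, pending = hashlib.md5(), [], [], [], bytearray()
    sector = start_sector
    while sector <= stop_sector:
        n = min(block_sectors, stop_sector - sector + 1)
        data, z = read_block(read_sectors, sector, n, granularity)
        crcs.append(zlib.crc32(data) & 0xFFFFFFFF)
        zeroed.extend(z)
        md5.update(data)
        pending += data
        while len(pending) >= segment_bytes:
            segments.append(bytes(pending[:segment_bytes]))
            del pending[:segment_bytes]
        sector += n
    if pending:
        segments.append(bytes(pending))
    return {"md5": md5.hexdigest(), "crcs": crcs, "zeroed": zeroed,
            "segments": segments, "block_bytes": block_sectors * SECTOR}


def verify(image):
    """Re-hash the stored segments (the verification hash) and re-check every block
    CRC. Returns (hash_matches, [indexes of blocks whose CRC no longer matches])."""
    data = b"".join(image["segments"])
    bad_blocks = []
    for i, expected in enumerate(image["crcs"]):
        chunk = data[i * image["block_bytes"]:(i + 1) * image["block_bytes"]]
        if zlib.crc32(chunk) & 0xFFFFFFFF != expected:
            bad_blocks.append(i)
    return hashlib.md5(data).hexdigest() == image["md5"], bad_blocks


if __name__ == "__main__":
    dev = make_device(200, bad_sectors=[70])  # 200-sector drive, sector 70 unreadable
    img = acquire(dev, 0, 199, granularity=8, segment_bytes=64 * 1024)
    print("MD5:", img["md5"], "segments:", len(img["segments"]), "zeroed:", img["zeroed"])
    print("verify:", verify(img))
```

The per-block CRCs are what let verification point at the exact block that changed, while the single MD5 only says whether the image as a whole still matches. Lowering Granularity from 64 towards 1 recovers more readable sectors around a bad one at the cost of many more small reads on damaged media.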
Beginning Investigations
- Recover Folders: The Recover Folders command works only on FAT16 and FAT32 evidence files. This command searches the unallocated clusters of the FAT partition for the “dot, double-dot” signature of a deleted folder. When the signature matches, EnCase Forensic can rebuild the files and folders that were within that folder, recovering potentially gigabytes of data.
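The “dot, double-dot” signature is simply the first two 32-byte directory entries of any FAT folder: an entry named "." and one named "..", both with the directory attribute set. The following added Python example (not Guidance Software's code; the unallocated area and the directory entries in it are constructed) scans cluster boundaries for that pair and decodes the short-name entries that follow, including a deleted entry whose first name byte was overwritten with 0xE5:

```python
import struct

ENTRY = 32                # bytes per FAT directory entry
ATTR_DIR = 0x10           # directory attribute bit
ATTR_LFN = 0x0F           # long-file-name entries (skipped here)
DELETED = 0xE5            # first name byte of a deleted entry
DOT = b".".ljust(11)      # "." and ".." as 8.3 names padded to 11 bytes
DOTDOT = b"..".ljust(11)
# name, attr, (8 bytes of times/dates skipped), cluster hi, write time, write date, cluster lo, size
LAYOUT = "<11sB8xHHHHI"


def make_dir_entry(name83, attr, first_cluster, size, deleted=False):
    """Build one 32-byte short-name entry (constructed test data; dates left zero)."""
    name = name83.encode("ascii").ljust(11)
    if deleted:
        name = bytes([DELETED]) + name[1:]
    return struct.pack(LAYOUT, name, attr, first_cluster >> 16, 0, 0,
                       first_cluster & 0xFFFF, size)


def parse_directory(cluster):
    """Decode the short-name entries in one directory cluster until the end marker."""
    entries = []
    for pos in range(0, len(cluster) - ENTRY + 1, ENTRY):
        name, attr, hi, _wt, _wd, lo, size = struct.unpack(LAYOUT, cluster[pos:pos + ENTRY])
        if name[0] == 0x00:          # no more entries in this directory
            break
        if attr & ATTR_LFN == ATTR_LFN:
            continue
        deleted = name[0] == DELETED
        base = (b"?" + name[1:8] if deleted else name[:8]).rstrip(b" ").decode("ascii", "replace")
        ext = name[8:].rstrip(b" ").decode("ascii", "replace")
        entries.append({"name": base + ("." + ext if ext else ""),
                        "is_dir": bool(attr & ATTR_DIR),
                        "first_cluster": (hi << 16) | lo,
                        "size": size, "deleted": deleted})
    return entries


def find_deleted_folders(unallocated, cluster_size):
    """Scan each unallocated cluster boundary for the '.' / '..' pair that opens a
    folder's first cluster, and rebuild the entries that follow it."""
    found = []
    for off in range(0, len(unallocated) - 2 * ENTRY + 1, cluster_size):
        first = unallocated[off:off + ENTRY]
        second = unallocated[off + ENTRY:off + 2 * ENTRY]
        if first[:11] == DOT and first[11] & ATTR_DIR and second[:11] == DOTDOT:
            found.append({"cluster_offset": off,
                          "entries": parse_directory(unallocated[off:off + cluster_size])})
    return found


# Constructed unallocated area: filler, one deleted folder, then a stray "." with no ".."
CLUSTER = 2048
_folder = b"".join([
    make_dir_entry(".", ATTR_DIR, 35, 0),
    make_dir_entry("..", ATTR_DIR, 0, 0),
    make_dir_entry("README  TXT", 0x20, 40, 1200),
    make_dir_entry("PHOTO   JPG", 0x20, 41, 52000, deleted=True),
    make_dir_entry("SUB", ATTR_DIR, 42, 0),
]).ljust(CLUSTER, b"\x00")
SAMPLE_UNALLOCATED = (b"\xAA" * CLUSTER + _folder
                      + make_dir_entry(".", ATTR_DIR, 50, 0).ljust(CLUSTER, b"\x00"))

if __name__ == "__main__":
    for folder in find_deleted_folders(SAMPLE_UNALLOCATED, CLUSTER):
        print("folder at offset", folder["cluster_offset"])
        for entry in folder["entries"]:
            print("  ", entry)
```

A recovered entry still carries its first cluster and size, which is what lets the file content be located afterwards, but because the FAT chain of a deleted file is gone, anything longer than one cluster may have been partly overwritten. The lone "." entry in the third cluster shows why both halves of the signature are required.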
- Signature Analysis: A signature analysis compares a file’s extension to the file’s hex header signature. File types each have their own extension and many have standardized file signatures. If the file extension does not match the file’s signature, there is a good chance that that file has been tampered with in an attempt to hide evidence. One of the first tasks an examiner should run, therefore, is a Signature Analysis to quickly locate possibly suspect files.
- Hash Analysis: By using the MD5 hash algorithm, it is possible to generate a “digital fingerprint” of any file. By comparing this hash value to hash values in hash sets in the examiner’s hash library, it is possible to expeditiously categorize “Known” and “Notable” files, allowing the examiner to identify suspect files. A hash analysis is a crucial step early in an investigation. The more complete the examiner’s hash library, the more effective the analysis.
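This added Python example (not Guidance Software's code) covers both the Hash Sets panel described above and this hash analysis step: it builds a “Windows Hash Set” from a constructed clean system folder and a “Notable” set from a prior case, indexes them into a library, and categorizes the files on a constructed subject drive. All paths and file contents are made up for the example:

```python
import hashlib


def md5_hex(data):
    """MD5 'digital fingerprint' of a file's content, as the guide describes."""
    return hashlib.md5(data).hexdigest()


def build_hash_set(name, category, files):
    """Hash every file of one application or system folder into a named set.
    files: {path: content bytes}. category is the examiner's label ('Known' or 'Notable')."""
    return {"name": name, "category": category,
            "hashes": {md5_hex(content) for content in files.values()}}


def build_library(hash_sets):
    """Index all hash sets by hash value so each lookup is a single dictionary probe."""
    library = {}
    for hs in hash_sets:
        for h in hs["hashes"]:
            library.setdefault(h, (hs["name"], hs["category"]))
    return library


def hash_analysis(library, evidence):
    """Categorise each evidence file by its MD5. Returns {path: (md5, category, set name)};
    files that hit no set are 'Uncategorised' and are the ones still needing review."""
    results = {}
    for path, content in evidence.items():
        h = md5_hex(content)
        set_name, category = library.get(h, (None, "Uncategorised"))
        results[path] = (h, category, set_name)
    return results


def summarize(results):
    """Count files per category, the figure an examiner checks first."""
    counts = {}
    for _, category, _ in results.values():
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample data: a 'clean' system folder, one notable file, and a subject drive.
CLEAN_WINDOWS = {
    r"C:\Windows\notepad.exe": b"MZ\x90\x00 constructed notepad bytes",
    r"C:\Windows\explorer.exe": b"MZ\x90\x00 constructed explorer bytes",
}
NOTABLE_FILES = {r"D:\prior_case\contraband.doc": b"\xD0\xCF\x11\xE0 constructed notable bytes"}
SUBJECT_DRIVE = {
    r"E:\Windows\notepad.exe": b"MZ\x90\x00 constructed notepad bytes",        # unchanged OS file
    r"E:\Users\j\archive.tmp": b"\xD0\xCF\x11\xE0 constructed notable bytes",  # notable file, renamed
    r"E:\Users\j\letter.doc": b"\xD0\xCF\x11\xE0 constructed unknown bytes",
}
LIBRARY = build_library([
    build_hash_set("Windows Hash Set", "Known", CLEAN_WINDOWS),
    build_hash_set("Prior case notable", "Notable", NOTABLE_FILES),
])

if __name__ == "__main__":
    res = hash_analysis(LIBRARY, SUBJECT_DRIVE)
    for path, (h, category, set_name) in res.items():
        print(f"{category:13} {h}  {path}  ({set_name})")
    print(summarize(res))
```

Renaming a file does not change its hash, so the notable document is still found under its new name, while a single changed byte would move a file out of the Known set. MD5 is what this version of the guide specifies; because MD5 collisions can be constructed, current practice records a second algorithm (SHA-1 or SHA-256) alongside it when building hash sets.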
EnScript® Programs

Main EnScript programs are used to launch additional EnScript modules. Case Processor is used against mounted devices or evidence files. Some of the available EnScript modules included within EnCase Forensic are:
- File Finder: Recovers JPG, GIF, BMP, EMF files, etc., putting all results under the Bookmark panel within the case.
- Initialize Case: Captures critical information about an investigation and the evidence being examined, including user information, user settings, system settings, installed software and more.
Additional EnScript programs include Scan Registry, Windows Event Log Parser, Credit Card Finder, Partition Finder, HTML Parser and EDS Registry.
Support and Resources
Training and Certification
U.K. Technical Support
+44 (0) 175 355 2252 Europe.email@example.com option 4
Toll-free International Numbers Germany
Visit http://www.guidancesoftware.com for in-depth information and resources.
Other Resources:
- EnCase Legal Journal: http://www.guidancesoftware.com/downloads/Legal_Journal_July_06.pdf
- Guidance Software white-papers: http://www.guidancesoftware.com/support/resources.asp
©2006 Guidance Software, Inc. All Rights Reserved. Guidance Software and the Guidance Software logo are trademarks, and EnCase, EnScript and FastBloc are registered trademarks of Guidance Software, Inc. All other trademarks are the properties of their respective owners.