Professional Documents
Culture Documents
Version 6.18
User's Guide
Copyright 1997-2010 Guidance Software, Inc. All rights reserved. EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information contained in this work is furnished for informational use only, and is subject to change at any time without notice.
Contents
Overview
EnCase Enterprise .............................................................................................................................................. 8 How EnCase Enterprise Works ........................................................................................................................... 8 EnCase Enterprise Components ......................................................................................................................... 8
11
PGP 10 Whole Disk Encryption (WDE) Support ............................................................................................... 12 Enhanced CREDANT Support ........................................................................................................................... 12 GuardianEdge Hard Disk and Symantec Endpoint Encryption Support ........................................................... 12 Windows 7 BitLocker and BitLocker to Go Support ......................................................................................... 12 Windows 7 SAFE Support ................................................................................................................................. 12 Windows Server 2008 R2 SAFE Support .......................................................................................................... 12 Enhanced Oracle Outside In Technology Support ........................................................................................... 12 ext3 Support..................................................................................................................................................... 12 Enhanced S/MIME Encryption Support ........................................................................................................... 13 National Software Reference Library (NSRL) Hash Sets RDS Support .............................................................. 13 Enhanced Rights Management Services (RMS) Support .................................................................................. 13 Enhanced EnCase Help Menu .......................................................................................................................... 13
15
EnCase Installer ................................................................................................................................................ 16 Installing Security Key Drivers .......................................................................................................................... 20 Obtaining Updates ........................................................................................................................................... 20 Configuring EnCase .......................................................................................................................................... 21 Sharing Configuration (INI) Files ...................................................................................................................... 32 Vista Examiner Support .................................................................................................................................... 33 Running a 32-bit Application on a 64-bit Platform .......................................................................................... 34 System Cache Setting Control .......................................................................................................................... 34
37
Overview .......................................................................................................................................................... 38 System Menu Bar ............................................................................................................................................. 38 Toolbar ............................................................................................................................................................. 43 Panes Overview................................................................................................................................................ 44 Tree Pane ......................................................................................................................................................... 45 Table Pane ........................................................................................................................................................ 50 View Pane ........................................................................................................................................................ 58 Filter Pane ........................................................................................................................................................ 65 Status Bar ......................................................................................................................................................... 76
Case Management
77
Overview of Case Structure ............................................................................................................................. 78 Case Related Features ..................................................................................................................................... 82 New Case Wizard ............................................................................................................................................. 87 Using a Case ..................................................................................................................................................... 89 Opening a Case ................................................................................................................................................ 93 Saving a Case.................................................................................................................................................... 94 Closing a Case .................................................................................................................................................. 95
97
Overview .......................................................................................................................................................... 98 Supported File Systems and Operating Systems............................................................................................ 100 Machine Profiles ............................................................................................................................................ 103 Using Snapshots ............................................................................................................................................. 107 Getting Ready to Acquire the Content of a Device ........................................................................................ 107 Acquiring ........................................................................................................................................................ 117 WinAcq........................................................................................................................................................... 155 Multi-Threaded Acquisition ........................................................................................................................... 159 Delayed Loading of Internet Artifacts ............................................................................................................ 161 Remote Acquisition ........................................................................................................................................ 164 Hashing .......................................................................................................................................................... 171 Logical Evidence Files ..................................................................................................................................... 173 Recovering Folders......................................................................................................................................... 176 Recovering Partitions ..................................................................................................................................... 178 Restoring Evidence......................................................................................................................................... 180 Snapshot to DB Module Set ........................................................................................................................... 184 WinEn ............................................................................................................................................................. 194 Wipe Drive ..................................................................................................................................................... 198
Source Processor
201
Overview ........................................................................................................................................................ 202 Collection Jobs ............................................................................................................................................... 208 Modules ......................................................................................................................................................... 218 Analysis Jobs .................................................................................................................................................. 232 Reports ........................................................................................................................................................... 241 Managing EnCase Portable ............................................................................................................................ 244
253
Signature Analysis .......................................................................................................................................... 254 EnScript Programming Language ................................................................................................................... 261 Hash Analysis ................................................................................................................................................. 262 File Hashing .................................................................................................................................................... 263 Hash Sets ........................................................................................................................................................ 264 Keyword Searches .......................................................................................................................................... 267 Encode Preview.............................................................................................................................................. 288 Indexing ......................................................................................................................................................... 290 Searching for Email ........................................................................................................................................ 294 Tag Records .................................................................................................................................................... 306 App Descriptors ............................................................................................................................................. 307
311
Viewing Files .................................................................................................................................................. 312 File Viewers .................................................................................................................................................... 319 View Pane ...................................................................................................................................................... 322 Viewing Compound Files ................................................................................................................................ 325 Viewing Base64 and UUE Encoded Files ........................................................................................................ 336 NTFS Compressed Files .................................................................................................................................. 337 Gallery Tab ..................................................................................................................................................... 337
Bookmarking Items
341
Bookmarks Overview ..................................................................................................................................... 342 Bookmark Features ........................................................................................................................................ 345 Creating a Bookmark ...................................................................................................................................... 352 Using Bookmarks............................................................................................................................................ 361 Copying Selected Items from One Folder to Another .................................................................................... 379
Reporting
381
Reporting ....................................................................................................................................................... 382 Report User Interface..................................................................................................................................... 382 Creating a Report Using the Report Tab ........................................................................................................ 384 Creating a Report Using Case Processor ........................................................................................................ 398
EnScript Analysis
399
EnScript Analysis ............................................................................................................................................ 400 Enterprise EnScript Programs ........................................................................................................................ 400 Forensic EnScript Code................................................................................................................................... 410 EnScript Example Code .................................................................................................................................. 426 Enhanced EnScript Tab................................................................................................................................... 432 Packages ......................................................................................................................................................... 432
439
Working with Non-English Languages ............................................................................................................ 440 Non-English Language Features ..................................................................................................................... 440 Options Dialog Font Tab ................................................................................................................................. 441 Configuring Non-English Language Support .................................................................................................. 444
Using LinEn
457
Introduction ................................................................................................................................................... 458 Viewing the License for LinEn ........................................................................................................................ 458 Creating a LinEn Boot Disk ............................................................................................................................. 458 Configuring Your Linux Distribution ............................................................................................................... 459 Performing Acquisitions with LinEn ............................................................................................................... 460 LinEn Evidence Verification and Status Reporting ......................................................................................... 477 Hashing the Subject Drive Using LinEn........................................................................................................... 480 LinEn Manual Page ......................................................................................................................................... 482
485
Overview ........................................................................................................................................................ 486 EDS Features .................................................................................................................................................. 486 Product Matrix ............................................................................................................................................... 488 Using EDS ....................................................................................................................................................... 489 Secure Storage Tab ........................................................................................................................................ 492 Secure Storage Items ..................................................................................................................................... 497 SafeBoot Encryption Support (Disk Encryption) ............................................................................................ 498 Utimaco SafeGuard Easy Encryption Support ................................................................................................ 502 BitLocker Encryption Support (Volume Encryption) ...................................................................................... 509 WinMagic SecureDoc Encryption Support ..................................................................................................... 517 GuardianEdge Encryption Support ................................................................................................................ 519 PGP Whole Disk Encryption (WDE) Support .................................................................................................. 522 CREDANT Encryption Support (File-Based Encryption) .................................................................................. 526 S/MIME Encryption Support .......................................................................................................................... 532 NSF Encryption Support ................................................................................................................................. 537 Lotus Notes Local Encryption Support ........................................................................................................... 539 Windows Rights Management Services (RMS) Support ................................................................................ 544 Windows Key Architecture ............................................................................................................................ 549 Dictionary Attack ........................................................................................................................................... 549
553
Physical Disk Emulator ................................................................................................................................... 554 Using Physical Disk Emulator ......................................................................................................................... 554 Third-Party Tools ............................................................................................................................................ 559 Boot Evidence Files and Live Systems with VMware ..................................................................................... 560 VMware/EnCase PDE FAQs ............................................................................................................................ 564 PDE Troubleshooting ..................................................................................................................................... 566
567
Virtual File System ......................................................................................................................................... 568 Mounting Evidence with VFS ......................................................................................................................... 568 Dismount the Network Share ........................................................................................................................ 577 Accessing the Share ....................................................................................................................................... 577 Third-Party Tools ............................................................................................................................................ 579 VFS Server ...................................................................................................................................................... 582 Troubleshooting ............................................................................................................................................. 586
FastBloc SE Module
589
FastBloc SE Module ........................................................................................................................................ 590 Background Information ................................................................................................................................ 590 ProSuite FastBloc SE/SATA/IDE Support for Vista 64-bit ............................................................................... 591 Installing the FastBloc SE Module .................................................................................................................. 592 Using the FastBloc SE Module........................................................................................................................ 593 Disk Caching ................................................................................................................................................... 598 Troubleshooting ............................................................................................................................................. 599
CD/DVD Module
603
CD/DVD Module ............................................................................................................................................. 604 Burning Evidence Files During Acquisition ..................................................................................................... 604 Burning Logical Evidence Files During Acquisition ......................................................................................... 606 Burning Files and Reports .............................................................................................................................. 607 Burning Existing Evidence and Logical Evidence Files .................................................................................... 612
Glossary of Terms
613
Support
619
Technical Support .......................................................................................................................................... 619 Customer Service ........................................................................................................................................... 620 Professional Services ...................................................................................................................................... 620 Technical Manuals and Release Notes ........................................................................................................... 621 Online Support ............................................................................................................................................... 621 Training .......................................................................................................................................................... 625
Index
627
CHAPTER 1
Overview
In This Chapter
EnCase Enterprise How EnCase Enterprise Works EnCase Enterprise Components
EnCase Enterprise
EnCase Enterprise provides complete network visibility, immediate response and comprehensive, forensic-level analysis of servers and workstations anywhere on a network. It is a scalable platform that integrates seamlessly with your existing systems to create an enterprise investigative infrastructure. You can tailor EnCase Enterprise to meet your unique needs, including automation of time-consuming investigative processes, auditing endpoints for sensitive information, and eDiscovery. Using EnCase Enterprise, you can: Securely investigate/analyze many machines simultaneously over the LAN/WAN at the disk and memory level Acquire data in a forensically sound manner, using software that has an unparalleled record in courts worldwide Limit incident impact and eliminate system downtime with immediate response capabilities Investigate and analyze multiple platformsWindows, Linux, AIX, OS X, Solaris and more using a single tool Efficiently collect only potentially relevant data upon EnCase eDiscovery requests Proactively audit large groups of machines for sensitive or classified information, as well as unauthorized processes and network connections Identify fraud, security events and employee integrity issues wherever they take place, then investigate/remediate with immediacy and without alerting targets Identify and remediate zero-day events, injected dlls, rootkits and hidden/rogue processes
EnCase Enterprise works by combining these components into one overall system that delivers an enterprise-class, investigative infrastructure. This single tool integrates seamlessly with your existing systems to give you immediate access to comprehensive information on computers across the entire network in a secure fashion. In addition to complete network transparency, EnCase Enterprise also enables you to remediate any security event as it is identified.
Overview
The SAFE communicates with Examiners and target nodes using 128 bit AES encrypted data streams to protect inter-component communication.
EnCase Examiner
The EnCase Examiner client is based on the standalone version of the EnCase Forensic computer investigative suite of tools. The servlet allows the Examiner to remotely discover, preview, and acquire data. The network capability of the EnCase Examiner contains these basic functions: Adding and listing the SAFE clients available on the network Providing logon access to the SAFE for those clients Adding and listing network devices connected to each of the SAFE clients
You can create folders below each SAFE client and place network devices into those folders.
Servlets
Servlets run on the target machine or machines accessed by an investigator through the SAFE. The servlet runs as a process or service with administrative privileges on each target machine; thus, the servlet has access to the entire machine at the bit level. The servlet accepts commands from the Examiner client. These requests are signed by the SAFE server and verified by the network device. The servlet is signed by the SAFE server private key and contains the SAFE server public key.
Note: By default, this service uses port 4445 to listen for commands from the SAFE server, but you can specify another port. The SAFE and servlets must run on the same port.
Use Check-In servlets when your organization must establish an Internet connection outside your network visibility. To investigate machines using the Check-In servlet, use the Sweep Enterprise or other EnScript programs. This technology also overcomes issues of limited network visibility within your organization, such as using Network Address Translation (NAT), where private IP addresses are mapped to a public IP address.
10
EnCase Enterprise Version 6.18 Depending on your network topology, network operating system, and management tools, you can use the following platforms to distribute the servlets: Windows NT and 2000: logon scripts IBM Tivoli: push technology HP Open View: push technology Microsoft SMS: push technology CA Unicenter TNG: push technology Symantec Ghost Console: push technology
Enterprise Connection
Enterprise Connection is a secure virtual connection that is established between the Examiner and target machines. The number of concurrent connections controls the number of machines that can be analyzed simultaneously.
Snapshots
Snapshots allow you to capture dynamic data that cannot be captured using ordinary forensic methods. Here are several examples of dynamic data you can capture using snapshots: Open Ports: Provides several attributes regarding the open ports, even if they are hidden. Processes: Provides extensive information regarding open processes. Values can be combined into App Descriptors and grouped together into machine profiles. Two examples are process ID and process hash value. Open Files: Provides attributes such as the file name, process ID, file ID, and file path for every file currently open on the machine. Network Interfaces: Provides the network interface name, IP address associated with it, the subnet mask, and the MAC address. Networked Users: Provides a list of user accounts on the machine, including those that are logged on and which domain they are logged into. It also provides the Secure ID (SID) of each user and the accessed time. DLLs: Similar to Processes, and provided for use by App Descriptors to create machine profiles. The interface also indicates if the DLL has been injected and the number of instances in use.
CHAPTER 2
12
13
CHAPTER 3
16
EnCase Installer
The EnCase installer copies the program and its drivers to the end user's computer or client and initializes drivers and services with the operating system. You can specify where to install EnCase. The default is the Program Files folder. If you used the selected directory for an previous installation of EnCase, the installer overwrites any existing program files, logs, and drivers.
Minimum Requirements
For best performance, you should configure examination computers with at least the following hardware and software: An EnCase security key (also known as a dongle) Certificates for all purchased modules (known as certs) A current version of EnCase Examiner Pentium IV 1.4 GHz or faster processor One GB of RAM Windows 2000, XP Professional, or 2003 Server 55 MB of free hard drive space
EnCase also supports these 64-bit version of Windows: XP Server 2003 Server 2008 Server 2008 R2 with the following applications and modules: Examiner 32-bit and 64-bit ProSuite 32-bit and 64-bit, consisting of these modules: EnCase Decryption Suite (EDS) Virtual File System (VFS) Physical Disk Emulator (PDE) FastBloc SE Servlets 32-bit and 64-bit Vista Windows 7
Note: Intel Itanium processors are not supported. FastBloc SE supports only the USB interface with the 64-bit version.
17
1. 2.
Enter an installation path or accept the default, then click Next. Read the EnCase License Agreement, click the I Agree checkbox, then click Next.
18
4. 5. 6.
Click Next. A progress bar displays during installation. When installation finishes, a setup complete screen displays. Click Finish.
19
9.
Select Uninstall, then click Next. A progress bar displays during the uninstall process.
10. The last page of the uninstall wizard displays. 11. Select Reboot Later or Reboot Now, then click Finish.
Reinstall retains and does not change these items: Licenses Certificates User settings
20
4. 5. 6. 7. 8.
When the HASP installation wizard displays, click Next. When the summary screen displays, click Next. When the installation completes, click Finish. Insert the security key into the computer. Windows finds the security key. Start EnCase.
Obtaining Updates
When you receive your product, register with Guidance Software to receive updates. Registration is located at https://www.guidancesoftware.com/myaccount/registration.aspx site. If you have trouble registering your product, contact Customer Service on page 619. If you have trouble downloading the updates once registered, contact Technical Support (see page 619).
21
Configuring EnCase
You can configure various aspects of EnCase according to your needs or preferences. These settings are used each time you start EnCase. You are not required to open a case. 1. Click Tools > Options.
2.
Click the desired tab and change the settings as needed, then click OK.
Note: Some changes made to the options settings take effect only after you restart EnCase, while others take effect immediately.
The Options dialog contains these tabs: Case Options (available only if a case is open) Global Debug NAS Colors Fonts EnScript Storage Paths Enterprise
22
Name: The case name is the default filename when you save the case. You can change the filename when you save the file. Examiner Name is the name of the forensic examiner. Default Export Folder is the path and name of the folder where files are exported. Temporary Folder is the path and name of the folder where temporary files are created. Index Folder is the file for any indexed file or collection of files.
23
Global Tab
The Global tab of the Options dialog contains settings that apply to all cases.
Auto Save Minutes (0 = None) indicates the number of minutes between automatic saves of case files. Automatically saved data is written to *.CBAK files in the EnCase6 backup directory. Backup Files shows the maximum number of files stored as backup files when you save a case. The default is 9. Use Recycle Bin for Cases determines whether the current case file is moved to the Recycle Bin or overwritten when you save the file manually. Show True indicates a value of true in table columns displayed in the Table tab of the Table pane. Show False indicates a value of false in table columns displayed in the Table tab of the Table pane. Flag Lost Files determines whether lost clusters are treated as unallocated space. This decreases the amount of time required to access the evidence file. When selected, all lost clusters display in the Disk tab as unallocated clusters. Enable Picture Viewer uses the picture viewer for graphics of the appropriate formats. Enable ART Image Display determines whether ART image files are displayed. When corrupt files of this type are encountered, they can cause the program to crash. This setting enables you to limit the impact of corrupted ART files.
24
EnCase Enterprise Version 6.18 Invalid Picture Timeout (seconds) indicates the amount of time the program attempts to read a corrupt graphics file before timing out. When the read times out, the corrupt file is sent to the cache and no attempt is made to read it again. Enable Pictures in Doc View displays graphics or image files using Oracle's Outside In technology in the Doc tab of the View pane. Date Format includes these options: MM/DD/YY (for example, 06/21/08) DD/MM/YY (for example, 21/06/08) Other enables you to specify your own date format. Current Day displays the current date in the specified date format.
Time Format includes these options: 12:00:00PM uses a 12 hour clock for the time format. 24:00:00 uses a 24 hour clock for the time format. Other enables you to specify your own time format. Current Time displays the current time in the specified time format.
Change Code Page opens the Global Code Page dialog, where you can specify a different code page. The default is Western European (Windows).
25
Debug Tab
Use this tab to specify debugging information and options.
The Startup window displays information about the system and the particular instance of EnCase. This information can be useful when you are troubleshooting issues. Debug Logging determines what action is taken if EnCase crashes. There are three options: Off: No debug logging is performed (default). Stack: This option saves a stack dump if EnCase crashes. This file contains data that the crashing subsystem used, the system .dlls that were loaded at the time, and the version of EnCase. The information captured in a Stack dump log generally does not contain case specific data, but it can. Heap: This option saves a heap dump if EnCase crashes. It is the recommended option for most EnCase crash issues. The heap is a superset of the stack, and also contains data from process memory the program uses while running. This results in a considerably larger dump file (potentially in the gigabyte range). Note that a heap dump frequently contains case specific data, including data from the evidence.
Note: For quickest debugging of the crash, select the Heap option.
Detect FastBloc checkbox (checked by default): Clear this checkbox if a device is hanging during FastBloc detection.
26
NAS Tab
Use the NAS tab in conjunction with Network Authentication Server to distribute licenses.
Select the Network Authentication Server checkbox to use the NAS license management system. Create User Key... opens the Create User Key dialog. User Key Path specifies the location of the license file. Server Key Path specifies the location of the SAFE public key file. Server Address is the IP address of the Network Authentication Server. If you are using a port other than 4445, provide the port with the address (for example, 192.168.1.34:5656). Last internal error message displays the most recently generated error message.
Note: System managers can distribute version 5 licenses from a version 6 NAS SAFE.
27
Colors Tab
This tab enables you to associate colors with various case elements.
Double click a listed element to open the Edit dialog, which shows the current background and foreground colors. Foreground refers to the color of text or numbers.
28
EnCase Enterprise Version 6.18 To change colors, double click Background or Foreground in the Edit dialog. A Color dialog opens, where you can make a new color selection.
Fonts Tab
Use this tab to apply fonts to various case elements.
29
Default Fonts contains a list of case elements where you can apply fonts. Double click an item in the list to open the Font dialog.
A preview of the options you select displays in the Sample box. Use the Script dropdown menu to select a character set. Western is the default.
EnScript Tab
Use this tab to specify options for specifics used by EnScript programs.
30
Click the Show line numbers checkbox to display line numbers in the gutter area when viewing or editing text in the EnScript code window. Click the Debug runtime errors checkbox to automatically launch the debugger when an error is encountered while executing an EnScript. Include Path displays the name of the folder containing the include files. The default folder is C:\Program Files\EnCase\EnScript\Include; however, you can store include files in a diferent folder within ...\EnScript\. Add only the folder name, not the complete path. Separate multiple folder locations with a semicolon
In the Warning group box, click the checkboxes to select which warnings you want to display while running a script.
31
The picture shows storage path default settings. You can change the index, cache, and backup folders by entering a new path or navigating to and selecting the desired folder. In the INI Files box, you can change an .ini folder's location and select whether it is writable. For more information, see Sharing Configuration (INI) Files on page 32.
Enterprise Tab
This tab contains logon settings and servlet connections to the machines being examined. These settings apply globally to any user on a specific machine, but not the network.
32
Private Key Caching determines how long a private key is retained. When a user first logs on, he is authenticated against a private key. After logging off, he can log on again without re-entering a password for as long as the private key is cached. When the user closes the application, private key caching is lost. Auto Reconnect Attempts determines how many times the application attempts to connect to the servlet on a particular machine. Auto Reconnect Intervals determines the interval between each attempt to reconnect after a previous attempt fails.
Installing EnCase Enterprise To share startup files: Click Tools 1. 2. Options and select the Storage Paths tab.
33
Double click the row containing the desired INI file. The Edit <.ini file name> dialog containing the path to the INI file opens.
3. 4. 5.
Enter the path of the INI file you want to use. The Writable checkbox is selected by default. Clear it if you do not want the file to be writable. Click OK.
3.
Click Allow.
34
To deal with this, EnCase contains a dialog giving you the option to change the Windows system cache default settings.
Note: If you are running Windows XP 32-bit edition, you will not see the System Cache dialog.
Installing EnCase Enterprise 2. In the Options dialog, click the Debug tab. The following screen displays.
35
3.
In the System Cache group box, specify the settings you want, below, then click OK: a. Enter a Minimum size for the cache. The default is 1. b. Enter a Maximum size for the cache. The default is 80% of total physical memory. c. Click the Controlled by EnCase checkbox for EnCase to use the specified settings. d. If you do not want to see the reminder about system cache settings each time you start EnCase, click the Don't warn at startup checkbox. EnCase automatically sets your specified settings every time it launches. e. Click Set Defaults.
4.
Click OK.
CHAPTER 4
38
Overview
All EnCase features are accessed from the main EnCase window. The components of this window are: System menu bar Toolbar Four panes Tree Table View Filter Status bar (GPS bar on left/status on right)
The functions available for a menu selection may change depending upon your current task.
39
File Menu
The File menu commands manipulate application files and global application settings: New creates a new case. Open opens a previously saved case file. Save saves the current file. Save As saves the current case file under a different name. Save All saves the current file information for both the case file and in EnCase global settings. Print defines the print settings and enables you to output to a printer or .PDF file.
Note: To display Asian language characters correctly, go to Tools > Fonts > Options and select Arial Unicode MS.
Printer Setup selects a printer and defines printer settings. The printer must be connected and functioning when you specify these values. Add Device defines the preview and acquisition parameters for a device. This appears only when a case is open. Add Raw Image enables you to select image files to be added to the open case. This appears only when a case is open. Exit closes the program. If display settings or case configurations have changed, you are prompted to save before exiting.
Edit Menu
The Edit menu commands work on the objects and content in the currently selected tab: Export copies file data and attributes to a text file with a name and location of your choice. The exported data can be imported into another application, such as a database or spreadsheet. Copy/UnErase enables you copy recovered files and folders to one or more destination files. Files are copied in a flat folder structure. Copy Folders copies the contents of selected folders to a destination. The original structure is retained. Bookmark Data creates and defines a data bookmark. Tag Records {research and document} Activate Single Files enables you to add individual files to a case. Create Hash Set creates and categorizes a hash set for selected files that have already been hashed. Create Logical Evidence File enables you to create a new logical evidence file to contain selected files. Mount as Network Share mounts an acquired device as a network share. This appears when the Virtual File System module is installed. Expand/Contract expands or contracts the selected branch in the tree pane. Expand All expands all branches of the tree. Contract All contracts all branches of the tree. Set Included Folders selects all objects in a tree and its branches. If all objects are selected, this command clears all nodes.
40
EnCase Enterprise Version 6.18 Include Sub Folders selects all objects in a tree and its branches. Include Single Folder selects all objects in a tree, without its branches.
View Menu
The View menu commands provide access to every tab and sub-tab in the Tree pane. Unless otherwise noted, tabs are not shown by default. App Descriptors displays the App Descriptor tabs: Home Hash Properties Archive Files displays the Archive File tab. Cases displays the Cases tabs, shown by default. Home Entries Bookmarks Search Hits Records Devices Secure Storage Keywords Encryption Keys displays the Encryption Keys tab, shown by default. EnScript displays the EnScript tab. EnScript Types displays the EnScript Types tab. File Signatures displays the File Signatures tab. File Types displays the File Types tab. File Viewers displays the File Viewers tab. Hash Sets displays the Hash Set tabs: Home Hash Items Keywords displays the Keywords tab in the tree pane. Machine Profiles displays the Machine Profiles tabs: Home Allowed Packages displays the Packages tab. Projects displays the Projects tab.
The EnCase Interface SAFEs displays the SAFEs tabs: Home Network Roles Users Events Text Styles displays the Text Styles tab.
41
SAFEs/Cases Sub- Tabs displays, in menu form, the sub-tabs currently available in the tree pane. The commands are the same regardless of how they are accessed. Table Pane displays, in menu form, the tabs currently shown in the table pane tab bar. View Pane displays, in menu form, the tabs currently shown in the view pane tab bar. Filter Pane displays, in menu form, the tabs currently shown in the filter pane tab bar. Close Tab hides the tab currently in use. You can show it again by using the tab commands on the view menu. Show Name toggles the display of the name of the tab currently in use. Previous Tab selects the tab to the left of the current tab. When the leftmost tab is in use, the rightmost tab is selected. Next Tab selects the tab to the right of the current tab. When the rightmost tab is in use, the leftmost tab is selected. Autofit adjusts how the toolbar wraps. When Autofit is not selected, the commands extend beyond the right boundary of the tree pane. When Autofit is selected, the toolbar wraps and displays all commands Reset View restores all defaults.
Tools Menu
The Tools menu commands enable you to perform analytical operations: Index Case includes or excludes files in the indexing process. See Indexing on page 290. Webmail Parser selects the Webmail vendors whose account files are to be parsed. See Web Mail Parser on page 294. Case Processor starts the EnScript Case Processor Enscript. Sweep Enterprise starts the Sweep Enterprise EnScript. Send to Responder sends the selected devices or notes to the HBGary Responder software for threat analysis. See Threat Analyzer on page 417. Search specifies: files to be searched keyword search criteria email searches hashing criteria other search options Logon/Logoff logs you on or off of the enterprise LAN.
42
EnCase Enterprise Version 6.18 Wipe Drive selects media you want to completely erase. Verify Evidence Files selects evidence files to be verified using the hash and the Cyclic Redundancy Check (CRC) values. Create Boot Disk creates a LinEn boot disk. See Creating a LinEn Boot Disk on page 458. Mount as Network Share Client specifies the IP address of the server to be mounted. FastBloc SE write blocks a USB, FireWire, or SCSI device using FastBloc SE. See Using the FastBloc SE Module on page 592. Options defines global settings for EnCase: The Case Options tab enables you to modify the default values for the case. This tab only displays when you have a case open. The Global tab enables you to select options that establish the following global configuration settings for a case: Auto Save enables you to determine how frequently EnCase automatically backs up your data. AutoSaved data is saved in the Backup folder where you installed EnCase. Use Recycle bin for cases moves the prior .CASE files to the Recycle bin rather than permanently deleting them. Show True/ Show False settings define the data that displays in Table view when a condition is true or false. Enable Picture Viewer allows pictures to be displayed in various views. Enable ART and PNG image display enables you to exclude these images. Invalid Picture Timeout indicates how long it will take before EnCase stops trying to read a corrupted image file. Enable Pictures in Doc View enables you to view pictures in the Doc tab of the View pane. Date/Time Formats provides formatting options for date and time display. Flag Lost Files, when checked, tags all lost clusters in Disk view with a yellow block and question mark. When cleared, lost clusters are treated as unallocated space. Debug is used by Technical Services to help solve abnormal EnCase behavior. NAS is used in Enterprise installations and contains all of the settings needed to enable multiple copies of EnCase to authenticate using a single hardware key. This is typically used in lab environments with multiple examiners using multiple copies of EnCase. Colors changes the colors for various elements of the interface. Double click a color bar to display options. Fonts changes the fonts for viewing convenience or to accommodate unicode or foreign language character sets. To view unicode, you need to have the Ariel Unicode MS TTF true type font installed. EnScript provides options for EnScript usage, including specifying the location of the EnScript libraries folder. Storage Paths configures the location of files used to store, back up, and establish global settings. Network paths may be used for global usage. Enterprise is used by EnCase Enterprise users. Refresh updates the views and shows any newly added content.
43
Help Menu
The Help menu commands access information and perform tasks associated with running EnCase. Help opens the EnCase User's Guide in help format. EnScript Help opens the EnScript help for EnScript commands. What's New displays the most current EnCase Release Notes. Online Support provides a link to Guidance Software Online Support. Register EnCase displays the application registration page, where you can: Find your dongle serial number Learn how to register online Learn how to register offline About EnCase tells you the version of EnCase and modules you have installed.
Toolbar
The toolbar appears below the system menu bar and provides options for frequently used functionality. You can access many of these commands by right clicking and opening a context menu. Some or all of these options are available, depending on your current task: New defines a new case. Open opens an existing case. Save saves your current work. Print provides print options and enables you to print. Add Device enables a device to be previewed or acquired. Search searches for evidence associated with the case. Logon enables you to log on to the SAFE. Logoff logs you off the SAFE. Refresh updates the list or table to reflect recent changes. Close removes the currently selected device. This only appears when a case has been loaded. Acquire acuires the currently selected device. This only appears when a case has been loaded.
44
Panes Overview
The process of examining acquired evidence is cyclical in nature: Select the evidence folders or devices you want to examine. Examine the contents of the evidence files. Search, filter, or automate the evidence you are working with. Analyze a single piece of evidence more deeply. Continue refining and analyzing the evidence set until examination is complete.
This cyclical process is reflected in the relationship among the four panes of the EnCase interface. These work interactively and change depending on what is being done in other panes. The Tree pane shows evidence associated with a case in a hierarchical tree format. The Table pane displays the selected evidence in a tabular data list. This display varies when you select different viewing functions. The Filter pane provides tools to filter the evidence, run EnScripts, and choose other display options. The View pane displays whatever is selected in the Table pane. This data can be viewed in various formats, depending on the data type.
45
Tabs are organized in tab bars. If a tab contains sub-tabs, they are organized by separate tab bars. The scroll icon in the tab bar enables you to see tabs that may be hidden by the current width of the pane. Each tab bar has its own context menu that displays when you right click the tab bar. This menu enables you to perform certain functions on the tab bar.
Sorting Tables
You can sort up to five columns of any table, in any pane: 1. 2. 3. 4. 5. Double click the column header to set the current sort order. A red triangle appears in the column header. This indicates the primary sort order. While pressing the shift key, double click the next column you wish to sort. The column with the secondary sort order displays a double red triangle. To sort another column, press the shift key and double click again. The third column to be sorted displays a triple red triangle. To reverse the sort order, double click the column a second time. You can sort up to five columns in this way.
You can also use the Sort command on the table's dropdown menu to adjust sorting.
Once all three panes are undocked, the remaining pane does not display any drag handles. Panes can be dragged back into the main window. Click Reset View in the View menu to replace all panes into one window in their default location.
Tree Pane
The Tree pane presents a structured view of all gathered evidence in a Windows-like folder hierarchy. Using the options available within the tab and sub-tab structure, you use the Tree pane to find and select the evidence you want to examine more closely in the Table pane.
46
Tab
App Descriptors
Sub-Tab
Home
Sub-Tab
Description
Displays the hash files of a computer's EXE and SYS files. See App Descriptors on page 307. Displays whether the selected object is part of a hash set and whether the object has been categorized. Causes the list of currently opened cases to display in the Table pane.
Hash Properties
Cases
Home
Entries
Home
Shows the devices associated with the case currently selected in the Table pane. Lists the number of extents a fragmented file occupies on a drive Shows the security settings associated with the currently selected entry. If an item is bookmarked, shows the number of times the object is referred to. More information can be found in the View pane, under Cases > Entries > References. Displays whether the selected object is part of a hash set and whether the object has been categorized. Displays all saved bookmarks.
File Extents
Permissions
References
Hash Properties
Bookmarks
Home
47
Sub-Tab
Description
Shows results of keyword searches in the Table pane. Displays whether the selected object is part of a hash set and whether the object has been categorized. Displays records such as Internet artifacts and email. Shows additional details regarding a file selected in the Table pane. Shows the physical devices associated with the current case. Provides acquisition information for the currently selected device. Displays the list of sources for a device. Sources are the original locations of an entry or set of entries. This is currently only applicable for devices stemming from LEFs. Displays the list of subjects for a device. Subjects can be set for a LEF to add information about the data contained in the LEF. This is currently only applicable for devices stemming from LEFs. Shows sectors that encountered read errors when acquiring the device. Shows missing sectors caused because one or more segments of the evidence file set are missing. Provides information about the device configuration in a RAID system. Disk elements may contain LVM components as well. Shows any CRC errors encountered while verifying a particular block of data in the evidence file. To organize security data gathered using Analyse EFS, this tab displays passwords, keys, and other items parsed from the system files and registry. See Secure Storage Tab.
Hash Properties
Records
Home
Additional Fields
Devices
Home
Acquisition Info
Sources
Subjects
Read Errors
Missing Sectors
Disk Elements
CRC Errors
Secure Storage
48
Sub-Tab
Description
Shows all previously-defined keywords in the currently opened cases. For EnCase Enterprise usage, this tab provides a way to create and manage encryption keys. Closes the EnScript tab in the Filters pane and shows the EnScript programs in the Table pane. The information shown in the table pane is more extensive than shown in the filter pane. Displays a list of EnScript classes and provides detailed information about each one. Shows a table of file signatures organized by data types such as database, application, document, etc. Shows a table of file types organized by type of file such as game, document, internet, etc. Shows all currently installed file viewers.
EnScript Types
File Signatures
File Types
Displays a list of hash sets currently included in the library. Shows the list of items contained within the currently selected hash set. Shows all keywords, organized in a folder structure.
Hash Items
Keywords
Machine Profiles
Home
Show a listing of existing machine profiles. Shows additional software that may be allowed into a machine profile. Shows all packages of bundled EnScript programs. Shows a list of projects used in EnScript programming.
Allowed
Packages
Projects
SAFEs
Home
Shows all the SAFEs currently configured. Shows the configuration of the netowrk on the currently selected SAFE. Only
Network
49
Users
Events
Text Styles
Expand/Collapse displays or hides any contained objects. A minus sign (-) indicates the object is fully expanded; a plus sign (+) indicates that it contains further objects. Set Include displays the contents of the selected folder or device, and all children of the folder or device, in the Table pane. Use CTRL-click to select multiple objects. Checkbox selects the contents of the selected folder, as well as all of its contents.
50
EnCase Enterprise Version 6.18 Category indicates the type of object. Name is the name of the object. If the name is highlighted, the content it contains is displayed in the Table pane. Clicking on any part of an entry or object highlights it. There are three ways to choose items in the Tree pane: Highlighting displays the contents of the highlighted folder in the Table pane.at the first level only. If the highlighted folder has sub-folders, those are listed in the Table pane list. However, any contents of the sub-folders are not displayed. Including adds the contents of every included object to your Table pane list, including any sub-folders that may exist and their contents. Clicking Set Include beside a folder name turns the icon green and automatically adds the contents of that folder and all its sub-folders into the list in the Table pane. Selecting an object indicates you wish to perform an action on the contents of this object, such as bookmarking, filtering, or finding its hash value. Clicking the checkbox beside any object's name, causes a blue check to appear. Selecting an object does not change whether an item is viewed in the Table pane or not. Selecting an item in the Tree pane selects that item and all its children. Selecting an item in the Table pane selects only that item.
Table Pane
The Table pane contains information about the files and entries contained in the objects you have selected in the Tree pane. The Table pane tabs provide a variety of ways of learning more about this data. Except for when using the Gallery tab, the information you see in the Table pane describes rather than portrays the actual contents of the evidence. To view the evidence directly, select the entry in the Table pane to view it in the View pane.
Table Tab
The Table tab content is shown in rows and columns. You can manipulate these columns and refine what data is being displayed in a number of ways.
51
A context menu is accessible by right clicking on any cell. The options available on the context menu vary depending on the column, row, and value of the cell contents.
52
EnCase Enterprise Version 6.18 Entry Modified indicates when the administrative data for the file was last altered for NTFS and Linux. File Deleted shows the deletion time and date of files associated with a Recycle Bin record. File Acquired displays the date and time the evidence file (where the selected file resides) was acquired. Logical Size displays the size of the file in bytes. Initialized Size is the size of the initialized file, in bytes. This applies only to NTFS file systems. Physical Size is the cluster size occupied by the file, that is, the physical disk space used by the file. Given a cluster size of 4096 bytes, the physical size of any file with a logical size less than 4096 bytes has a physical size of 4096 bytes. A file with just one more byte, 4097 bytes, for example, requires two clusters, or 8,192 bytes of physical disk space. The 4095 byte difference in the second cluster is called slack space. Starting Extent shows the starting cluster of every file in the case. The format displayed is evidence file number, logical drive letter, cluster number. For example, a starting extent of 1D224803 means that the file is on the second evidence file (counting begins at zero), on the logical D:\ drive, at cluster 224803. File Extents lists the number of extents a fragmented file occupies on a drive. To view extents, select the file in Table pane, then select the Cases > Entries > File Extents subtab in the Tree pane. Permissions displays security settings of a file or folder. TRUE indicates a security setting is applied. To view security settings, click the cell, then click the Details tab in the View pane. References is the number of times the file has been referenced in the case. For example, if you bookmark a file three times, the references column shows that. Physical Location is the number of bytes into the device where that entry begins. Physical Sector lists the starting sector where the entry resides. Evidence File is the name of the evidence file where the entry in the table resides. File Identifier is a file table index number stored in the master file table. It is a unique number allocated to files and folders in an NTFS file system. Code Page is the character encoding table on which the file is based. Hash Value displays the hash value of every file in the case. You must run the Compute Hash Value command to generate this information. Hash Set displays the hash set to which a file belongs. If the file does not match a value in the hash library, the column is unpopulated. Hash Category displays the hash category to which a file belongs. If the file does not match a value in the hash library, the column is unpopulated. Hash Properties displays whether the object is part of a hash set and whether that file is notable or known. TRUE indicates that the file is part of a hash set. To view the details, select the column, and click Details in the View pane. Full Path displays the file location within the evidence file. The evidence file name is included in the path, as is the case name. Short Name is the name Windows assigns using the DOS 8.3 naming convention. Unique Name is used to display the name for files mounted with the VFS module in Windows Explorer.
The EnCase Interface Original Path displays information derived from the INFO2 file for deleted files in the Recycle Bin. The path is where the deleted file was originally stored. The column is blank for files that do not have a Recycle Bin entry. The original location is shown for files in the Recycle Bin. Symbolic Link provides information regarding file links in multiple file systems. Is Duplicate displays TRUE if several circumstances are present: The entry resides on a LEF If the displayed file is a duplicate of another, that is, not the first instance of the file. For example, if three files have the same hash value, in two of those files the Is Duplicate column is marked. Is Internal displays hidden files the OS uses internally but are hidden from the user (such as the $MFT on an NTFS volume). Is Overwritten displays TRUE if the original file is deleted and its space is occupied by another file.
53
Manipulating Columns
The Table pane scrolls horizontally, but there are various ways you can move and reconfigure the columns to suit your needs: You can drag and drop columns to change their positions. Manually resize a column by dragging the column separator. To restore columns to their default order, right click in the column, click Column, then Reset.
Showing/Hiding columns
To display or hide columns in the Table pane: 1. 2. 3. Right click the column and click Show Columns. Clear the checkboxes for the columns you want to hide. By default, all the boxes are checked.
Note: To hide a single column, right click in the column, click Column, then Hide.
Click OK.
Sorting columns
You can sort columns up to six layers deep. To sort by a column, double click the column heading. To implement a secondary sort, hold down the shift key and double click the column heading.
54
Report Tab
The Report tab generates a quick report for files currently being shown in the Table Pane. This report can be exported as a text, .rtf, or .html file for further manipulation. To export, right click in the report pane and click Export. To include entries in the report, right click inside the In Report column and select In Report. To toggle all values (for example, to include all entries in the report that are currently turned off), select In Report - Invert Selected Items. When the In Report column is turned off for all entries, the Report tab only displays a hierarchical tree view of the folders in the Table pane. If items are selected, the table shows up at the end of the report.
55
Gallery Tab
The Gallery tab enables you to view the images selected in the Tree pane in a thumbnail view. If signature analysis is not yet run, the Gallery view displays files based on their file extension. For example, if a JPG file is changed to DLL, it does not appear in the Gallery until you run a signature analysis. See Signature Analysis on page 254.
Timeline Tab
The Timeline tab enables you to graphically view dates and times of computer use. Using this tab, you can see all times that a file was: Created Written Accessed Modified Deleted Acquired
Each dot on the timeline represents a file. The position of the dot indicates the time that file was accessed. So a file may display numerous times within the grid. Clicking any dot in the timeline view causes the file represented by that dot to display in the View pane. Clearing one or more of these boxes removes that time for the presentation. If you select a dot and change the scale of time, that dot stays in focus in the new resolution.
56
EnCase Enterprise Version 6.18 You can zoom in or out to different scales of time by using the +/- keys on your number pad, or right clicking on a box and selecting Higher Resolution or Lower Resolution. Different scales of time that are available are: Year: The year displays at the top of each group of monthly columns; days are shown in rows. Month: The monthly view shows days of the week, and hour of access. Week: The weekly view shows Monday through Sunday, with Monday's date shown at the top of the column. Day: The daily view displays with hourly increments. Hour: The hourly view breaks down computer usage to the minute. Each column reflects one hour, and each row is equal to one minute. Minute: The minute view breaks down computer usage to the second. Each column reflects one minute, and each row is equal to one second.
You can find selections for modifying the legend colors under Options.
57
Disk Tab
The Disk tab shows a graphic representation of the media you are viewing, and enables you to see files and folders in terms of where the data physically appears on the media. Use the Disk view in conjunction with the View pane to examine specific clusters and observe fragmentation of files. The file selected in the table is highlighted in the Disk view, as dark blue squares. Allocated sectors are shown in light blue Unallocated sectors are shown in grey.
58
Code Tab
The Code tab displays the source code of EnScripts and filters when editing or creating in the Table pane.
View Pane
The View pane enables you to examine the content of the highlighted Table pane entry in a variety of ways. Using the tabs, you can examine specific evidence items in detail. You can also copy some viewed information and export it for use in other applications.
Text Tab
The Text tab shows the highlighted file as ASCII text.
The EnCase Interface To copy text from this tab, select the text, right click and select Copy.
59
Hex Tab
The Hex tab shows a split view of a file with the address and hexadecimal values on the left and ASCII on the right. To copy text from this tab, select the text, right click and select Copy.
60
Doc Tab
The Doc tab displays text in its native format. The viewer technology supports more than 390 file formats.
Transcript Tab
The Transcript tab extracts text from a file containing more than text. The transcript view is useful for creating bookmarks inside files that are not normally stored as plain text, such as Excel spreadsheets.
61
Picture Tab
The Picture tab of the View pane displays the contents of an image file.
62
Report Tab
The Report tab displays a detailed list of attributes in report format.
63
Console Tab
Use the Console tab to view output status messages when running EnScript programs. EnCase also writes to the console.
Details Tab
The Details tab provides file extent, permissions, references, and hash property information. To view file extents: 1. 2. 3. Open a case and display its contents. Scroll to the file extents column in the Table pane and click File Extents in any row. Click the Details tab in the Reports pane to view the file extents.
64
Output Tab
Use the Output tab to obtain output from various EnScript programs.
Controls
The tab bar for the View pane also contains controls specific to the View pane. When selected, these controls perform the following actions: Lock prevents the tab from changing if the file type of the file selected in the Table pane changes. For example, if you lock the View pane with the Hex tab in view, you can avoid having to change the focus of the View pane every time you view a pictue in the Gallery view. Codepage determines whether the detected, rather than the default, codepage is used in tabs that display text. This functionality only works if you have previously opted to identify the codepage in the Search dialog. Selected/Total displays the number of entries you have selected out of a total number of entries available in the current case. This indicator does not refer specifically to the view pane, but instead acts as a global control. You can quickly select or deselect all items in a case by selecting or deselecting this control. This control is sometimes called the Dixon box.
65
Filter Pane
The Filter pane enables you to filter and refine the list of entries shown in the Table tab. This is done by the creating and running filters, conditions, and queries. The Filter pane contains the following tabs: EnScript displays a list of available EnScripts, organized in tree form. Hits displays the search hits for a file without leaving the Entries tab of the Tree pane. Filters displays available filters. Conditions displays available conditions. Display shows currently running filters, conditions and queries. Queries displays available queries. Text Styles enables you to create, edit, and apply text styles to content in the View pane.
EnScript Tab
The EnScript tab provides access to all available EnScript programs. See EnScript Analysis on page 399 for a detailed description of EnScript and EnScript programs.
66
Hits Tab
This tab displays when the Search Hits tab in the Tree pane is not selected. When you are looking at entries in cases, use the Hits tab in the Filter pane to view the search hits for a file without leaving the Entries tab of the Tree Pane.
Filters Tab
Filters are EnScripts that modify what data is displayed in the Table pane. Filters do not remove any items from the case; they simply hide them from the Table pane. Depending on what tab is currently selected in the Tree pane, different types of filters are available. For example, the filters available for search hits are different from those available for entries.
Clicking the Query button causes the non-filtered evidence to reappear in the Table pane. When you are viewing both filtered and unfiltered evidence, the Query button displays with a red minus sign to indicate the query is not applied.
The filters and conditions being run display in the Filter column of all items that match the filtering criteria. For example, if filtering for all files after a certain date, all files that match that criteria show a Files after n date filter in the Filter column.
67
When a subsequent filter or condition is applied, it also displays in the Filter column of all items that match the second filter criteria. For example, if filtering for all files that have been deleted, Deleted Files shows on all files that have been deleted (but do not match the first criteria).
For all items that meet both criteria (in this example, have a date after "n" and have been deleted), both filters display in the Filter column.
You can toggle between seeing only items that match all your filtering criteria (AND functional logic), and items that match any of your filtering criteria (OR functional logic), by clicking the Matches All/Matches Any button on the toolbar. The label on the button shows you its current state: If you are seeing all items that match any filtering criteria, the button shows Matches Any:
If you are seeing only items that match all filtering criteria, the button shows Matches All:
Creating a Filter
In addition to using the filters already provided, you can create your own filters.
Note: You need a working knowledge of EnScript to make a new filter. If you do not have this working knowledge, you may be able to create a condition to perform the same function. See Creating Conditions on page 70.
68
EnCase Enterprise Version 6.18 1. 2. In the Filter pane, click the Filters tab. Right click the root level Filters icon in the content area and click New. The New Filter dialog displays.
3.
Enter a descriptive name in the Filter Name field and click OK. A source editor displays in the Table pane.
4.
Enter EnScript code as required to accomplish your task. The newly created filter displays at the bottom of the filters list.
Editing a Filter
You can change an existing filter's behavior by editing it. 1. 2. In the Filter pane, click the Filters tab. Right click the filter you wish to edit area and click Edit Source. The existing code displays in the Table pane.
Note: To edit the name of the filter, click Edit; the Edit dialog for the filter displays.
3.
69
Deleting a Filter
To permanently delete a filter, right click it in the Filters tab and click Delete. As a safeguard, a dialog displays. Click Yes to complete the deletion.
Exporting a Filter
You can send a filter as a text file to others. To export a filter: 1. 2. 3. Right click in the Filter pane, with the Filters tab selected. Select Export. Navigate to or enter the path where the exported filter file should be created, then click OK.
Importing a Filter
You can import filters created by others into your collection. 1. 2. 3. Right click in the Filter pane, with the Filters tab selected. Select Import. Navigate to or enter the path where the filter is located and click OK.
Conditions Tab
Conditions are similar to filters in that they limit Table pane content. Both conditions and filters are EnScript codes that perform a filtering process on your data. The difference between filters and conditions is that creating a condition does not require that you can program in EnScript. Through a special interface you can create them without coding directly in EnScript. Several predefined conditions come with EnCase. Like filters, they vary depending on the Tree tab you select. To see how conditions affect the data in the Table pane, see Filtering Behavior in the Table Pane on page 66.
70
Creating Conditions
1. To create a new condition, right click a folder in the Conditions tab in the Filter pane, then select New. The New Condition wizard displays.
2. 3.
In the Conditions tab, enter a name in the Name field. Right click Main on the conditions tree and select New. The New Term dialog displays.
4.
Select a property, an operator, and, if appropriate, a value and choice. Depending on the property and operator chosen, other options appear, including Prompt for Value Case Sensitive GREP
5. 6.
If you want to edit the source code directly, click Edit Source Code. To nest terms, create a folder by right clicking on the parent condition folder in the Tree pane and choosing New Folder. Place the nested terms inside the parent folder.
71
If you want to change the AND/OR logic within the condition, right click the term and select Change Logic. This changes the AND operator to an OR, and vice versa. If you want to negate the logic of a term, right click the term and select Not. To use a filter inside a condition, click the Filters tab and create a filter. Once created, click the Conditions tab and the filter displays in the properties list.
10. Repeat the steps above to create as many terms as you want to make the condition as detailed as possible. 11. Click OK to save the condition.
Note: For any condition using a literal comparison (such as Matches), make sure there are no spaces at the end of any value string. For example, if the condition is Extension matches: "txt,rtf,doc ,xls," the space at the end of the doc string makes the condition invalid and the condition does not return DOC files.
Editing Conditions
1. 2. In the Filter pane, open the Conditions tab and select the condition you want to edit.
Note: You can edit conditions when there are no open cases.
Right click the condition and select Edit. The edit wizard opens.
72
EnCase Enterprise Version 6.18 3. Right click the property and select Edit to see the Edit Term wizard.
4.
Make the selected changes to the terms or source code, then click OK.
Exporting Conditions
You can send a condition as a text file to others. To export a condition: 1. 2. 3. Right click in the Filter pane, with the Conditions tab selected. Select Export. Navigate to or enter the path where the exported condition file should be created, then click OK.
Importing Conditions
You can import conditions created by others into your collection. 1. 2. 3. Right click in the Filter pane, with the Conditions tab selected. Select Import. Navigate to or enter the path where the condition is located and click OK.
Reporting on Conditions
The Report tab provides a plain text representation of the condition. When in an Edit dialog for a condition, the Report tab displays a text representation of the condition. You can print or export this report by right clicking within this tab and selecting Print or Export.
Display Tab
The Display tab shows you what filters and conditions you have currently running.
73
Queries Tab
The Queries tab enables you to create queries, which are combinations of two or more filters or conditions into one item.
74
Creating a Query
1. Right click the Queries tab in the Filter pane, then click New in the dropdown menu. The New Query dialog displays.
2. 3.
Enter a name for the query in the Name field. Right click In the Display settings for shown items area, then click New in the dropdown menu. The New Display dialog displays.
a. Click Filters or Conditions. b. Select a filter or condition from the list. c. Enter text in the Text field. This text displays in the filter column of the Table pane when a file meets the specified criteria.
75
d. To change the color element, click Text Color or Frame Color. The Edit Text Color dialog displays.
e. Double click Background or Foreground to see a color selection dialog. Select the color for the background or foreground and click OK. f. When you are finished selecting colors, click Close on the Edit Text Color dialog. 4. To add more filters or conditions to the query, repeat step 3 as needed.
Editing a Query
To edit a query: 1. 2. 3. 4. Right click the query, then click Edit in the dropdown menu. Select the row to edit, then right click. In the dropdown menu, select the action you want to perform ( Edit, New, Delete, etc.). Make the needed changes, then click OK.
Deleting a Query
To delete a query: 1. 2. Right click the query and click Delete in the dropdown menu. In the Delete dialog, click Yes.
76
Status Bar
The status bar displayed at the bottom of the main window is divided into two sections: the GPS area, and the status area. The GPS area displays on the left of the status bar, and provides detailed information on the location of the item currently selected in your Table pane, as well as about the sectors and clusters of the file itself.
The GPS area of the status bar includes: Name of the case Name of the device Name of the volume Path to the file Filename
The status bar also shows sector and cluster information about the file being examined: Physical sector (PS) displays the sector number of the physical sector relative to the beginning of the physical disk. Logical sector (LS) displays the sector number of the logical sector relative to the beginning of the logical disk. Cluster number (CL) displays the cluster number.
The information relative to the location of the cursor within the file being examined includes: Sector offset (SO) displays the number of sectors, in bytes, between the start of the cluster and the start of the current cursor location. File offset (FO) displays the number of bytes between the start of the file and the start of the current cursor location. Length (LE) displays the length, in bytes, of the content currently selected by the cursor.
When one or more processes are being run, their progress is shown on the right side of the status bar. Double clicking on a process name brings up a dialog that enables you to cancel without completing the process.
CHAPTER 5
Case Management
In This Chapter
Overview of Case Structure Case Related Features New Case Wizard Using a Case Opening a Case Saving a Case Closing a Case
78
Note: You must create a case file before you can preview any media or analyze evidence files.
One of the most powerful features of the program is its ability to organize different media so they can be searched as a unit rather than individually.
Administrator Credentials
Some features of EnCase (for example, physical disk access) are available only if you are logged on as an administrator. For this reason, Guidance Software recommends that EnCase users are local users with Windows administrator credentials. Examples of the types of activities requiring administrative access are: Setup: The setup program needs administrator privileges to configure devices and services during install and uninstall. On Vista, the setup program needs these privileges to write files to the \Program Files directory. Reading Local Devices: To add a local drive to EnCase (the Add Device command) and read it at the sector level, Windows requires that EnCase run as an administrator. Configuring PDE: PDE is dependent on a virtual device driver that needs to be installed at the time of running. This installation process requires administrator privileges. Neutrino: Neutrino configures devices to use its device drivers. The configuration of devices on the operating system requires administrator access. EnCase Options Files (Vista and later only): The EnCase options files are currently saved in the Program Files folder. On Vista and later operating systems, administrator access is required to modify files in these folders. Wipe and Restore: The wipe and restore functionality requires sector-level access to disk drives, for which Windows requires administrator privileges. Write Blocking: To set a device as write blocked you must configure the EnFilter driver to write block devices. Windows requires administrator privileges to communicate with the device driver.
Case Management
79
Case Management
Before starting an investigation, give consideration to how the case is accessed once it is created. For example, more than one investigator may need to view the information. To accomplish this, evidence files can reside on a central server. Creating temporary export and evidence folders allows file segregation and control. A temporary folder holds any transient files created during an investigation. The export folder provides a destination for data copied from the evidence file. Create an evidence folder to store evidence. Temp and Export folders are built when a case is created.
To switch case analysis from one case to another: 1. 2. Click View Cases Sub-Tabs Home.
The Devices column of the table indicates how many devices are associated with the case in the Name column.
Note: To look at the devices associated with a particular case, highlight the case in the Table pane, then click the Entries sub-tab below Cases.
Indexing a Case
Managing the index files associated with evidence files in a case is an important part of case management. For detailed information, see Indexing (on page 290).
80
EnCase Enterprise Version 6.18 For example, a case is created in version 5, then opened and worked on in version 6. To select the version in which to save the file: 1. Select File Save As.
2.
Expand the Save as type field and make a selection. Case File saves the file as version 6. Version 5 Case File saves the file as version 5. Backup Case File saves the file as a version 6 backup file.
Case Backup
By default, a backup copy of the case file is saved every 10 minutes. By default, backup files (.cbak) are saved to C:\Program Files\EnCase\Backup. With the exception of the extension, this file has the same name as the parent file. To change the default save time: 1. 2. Select Tools Options Global.
Note: Selecting 0 disables the autosave function. Guidance Software recommends you not do this.
Options Dialog
The Options menu allows you to customize the software.
Case Management To access the menu, select Cases Options from the toolbar.
81
A tabbed dialog opens. The tabs are: Case Options (when a case is open) Global NAS Colors Fonts EnScript Storage Paths Enterprise
82
EnCase Enterprise Version 6.18 The Case Options fields in the illustration show the default values. Name holds the case name. Examiner Name is the investigator's name. Default Export Folder is the location to which exported data are sent. Temporary Folder is the location to which temporary data are sent. Index Folder is the location of case indices.
Logon Wizard
The Logon wizard captures the user name, password, and SAFE to use for the current session. The user and password are established by the administrator, or those granted administrator level permissions. The Logon wizard displays the following pages: Users page SAFE page
Password captures the user password. User contains the User tree listing users' private keys and any subfolders in the current root path. A valid user has a matching public key in the SAFE they log on to.
Case Management Root User Object provides additional functionality through a dropdown menu including: Updating the list of users displayed Changing the root path Commands that expand or collapse the User tree. User Objects provides additional functionality through a dropdown menu, including updating the list of users displayed and changing the root path.
83
The Update command updates the Users tree display. When a user's private key is added to the default C:/Program Files/EnCase6/Keys folder or any other folder specified by the current root path, the tree does not immediately display the new user. The new user appears when the wizard is opened again, or when the User tree is updated. Use the Change Root Path command to specify a folder that contains the private keys of users other than the default folder. Specify the root path in the Browse for Folder dialog. The Users tree contains only those users in the folder specified as the new root path.
84
EnCase Enterprise Version 6.18 Moving these key files while the trees are displayed requires a refresh to update the trees.
SAFE contains the SAFEs tree that organizes all the SAFEs that are installed. Select a SAFE to complete the logon. SAFEs Root Object provides additional functionality through a dropdown menu, such as: Editing the settings of the SAFE. Changing the root directory. Logging on to a remote SAFE. Additional commands that expand or collapse the SAFEs tree
Case Management SAFE Objects provides additional functionality through a dropdown, menu such as: Editing the settings of the SAFE. Changing the root directory. Logging on to a remote SAFE.
85
Edit opens the Edit SAFE Dialog where SAFE settings are defined and remote logons are enabled. Update updates the Users tree display. When a user's private key is added to the default C:/Program Files/EnCase6/Keys folder or any other folder specified by the current root path, the tree does not immediately display the new user. The new user appears when the wizard is opened again, or when the User tree is updated. Use the Change Root Path command to specify a folder that contains the private keys of users other than the default folder. Specify the root path in the Browse for Folder dialog. The Users tree contains only those users in the folder specified as the new root path.
86
EnCase Enterprise Version 6.18 Moving these key files while the trees are displayed requires a refresh to update the trees.
Change Root Path displays a tree to navigate to the folder containing the keys.
Machine Name contains the IP address to the machine or subnet that constitutes the SAFE or SAFEs accessed using the named SAFE. Remote SAFE determines if communications with the node are routed through the SAFE, so the SAFE stands between the client and the node. Enabling this setting allows you to provide a value for Inbound Port and to use its value communicating with the remote SAFE.
Case Management
87
Inbound Port determines which port is used when communicating with the remote SAFE at the IP address specified in Machine Name. Attempt Direct Connection contains settings that determine what kind of connection is made to the specified SAFE. Enable None when the target system cannot establish a connection with an EE client. Then all traffic is redirected through the SAFE server to increase communication times. It also provides the investigator the ability to obtain data otherwise not available. Enable Client to Node (Local) when the client (Examiner) and the node (servlet) reside on the same network, and the SAFE resides on a different network. This allows data to transfer directly from the node to the client, after the client successfully authenticates through the SAFE. Also, the client will use the IP address that the node believes it has, rather than the IP address the SAFE has for the node. In this configuration, design the network so that all the companys employees are located on the corporate desktop network, and employ routing/NATing. Client to Node (SAFE) enables NAT, where a private IP address is mapped to a public IP address. Typically, the SAFE and node reside on the same subnet, and the client on another. This way, data transfers directly from the node to the client, after the client successfully authenticates through the SAFE. The client also uses the IP address that the SAFE believes the node has, rather then the IP address the node reports it has to allow a direct connection between the client and node machine. This option is enabled by default. Node to Client operates similarly to the Client to Node (SAFE) mode, except that the node attempts the direct connection to the client. Use it when you want direct data transfer between the node and the client, and there is NATing or a firewall prohibiting the node from sending data directly to the local IP/default port of the client. Once you check this option, the Client return address configuration box becomes available to enter the NATed IP address and custom port (for example, 192.168.4.1:1545). Priority enables you to throttle a servlet's resource usage for the thread that controls the connection-but not the servlet process itself--when conducting a preview, acquisition, or sweep. The options are Low, Normal, or High. This feature is useful for investigating machines when the examination is very sensitive, or with production servers constantly running CPU-intensive processes.
88
Roles contains the Roles tree, which organizes the available roles. Select the role associated with the case you are creating.
Name contains the name of the case associated with the case options set on this tab. The case name is used as the default filename when the case is saved. You can change this filename when you save the case. Examiner Name is the name of the investigator.
Case Management Default Export Folder contains the path to and name of the folder where files are exported.
89
Temporary Folder contains the path to and name of the folder where temporary files are created. Index Folder contains the index file for any indexed file or collection of files.
Add Device
Once a case is open, add evidence in accordance with the information in the Working with Evidence section.
Using a Case
A case is central to an investigation. Before you can add a device, preview content, or acquire content, you must open a case. This may be a new case or an existing case. Once you create a file, you can add a device, proceed with the device preview and acquisition, and subsequent analysis. Use the Case Options page to define a case. The settings on this page are the same as those on the Case Options tab of the Options dialog. Once a case is open, you can establish its time zone settings.
The Case Options tab displays. 3. 4. Change the settings through the various tabs in the Options dialog. Click OK.
90
EnCase Enterprise Version 6.18 On patched machines, the root entry for daylight saving time settings is updated to the 2007 time zone settings, and that is currently the entry EnCase software uses. Therefore, if the examiner machine is patched, EnCase software uses the new 2007 rules for entries whose dates lie in the new four week extended daylight saving time period. Consequently all file dates, even those for previous years, apply the new daylight savings time settings. Setting the time zone settings is accomplished two different ways. If you have an entire case where you want to use one time zone, you can set the time zone for the entire case. If you have several pieces of media that use different time zones, you want to set the time zones individually for each device in your case.
The features of the Case Time Settings dialog are: Account for Seasonal Daylight Savings Time applies DST rules as defined by the registry settings. If you want to use the new 2007 DST rules, ensure your machine is patched. Convert All Dates to Correspond to One Time Zone enables the Daylight Setting and the Time Zone list. This allows you to convert all times to match one time zone. Daylight Setting is disabled unless Convert All Dates to Correspond to One Time Zone is checked. Use the option buttons to select Standard or Daylight Savings time adjustments. Time Zone List is also disabled unless Convert All Dates to Correspond to One Time Zone is checked. This captures the time zone you want to use with your case.
Case Management
91
The features of the Time Properties dialog are: Time Zone List captures the time zone the subject device was set to. Details provide rules used for the time zone selected in the Time Zone list. The rules listed here populate using Dynamic Daylight Savings Time, which requires that your computer is properly patched in order to use the new DST rules described above. Use Single DST Offset is available for time zones with different settings, depending on the year. For example, in 2007 the United States changed the date for switching to and from Daylight Savings Time; therefore, there are different rules for 2006 and before, and 2007 and after. By default EnCase applies the proper rules for these changes. You can, however, apply only one rule set across the board. For example, you could have evidence from 2008 but with the 2006 rules applied because the original user did not install Windows updates. Note that this does not apply one DST to the entire device. Year Selection List is disabled until Use Single DST Offset is checked. You can select which DST rules to base the DST adjustment on: Use 2006 for machines using pre-2007 DST rules Use 2007 only on computers using the new 2007 DST rules
The open cases appear in the Table pane. 3. Right click the case where you want to set the time zone, then select Modify Time Settings. The Case Time Settings dialog displays. 4. If you want to account for seasonal daylight savings time rules, select Account for Seasonal Daylight Saving Time.
92
EnCase Enterprise Version 6.18 5. If you want to convert all dates to a particular time zone: a. Select Convert All Dates to Correspond to One Time Zone . b. Select a Daylight Setting. c. Select a Time Zone. 6. When you are finished, click OK.
Case Management
93
Setting the time zone at the device or volume level identifies the time zone in which the recorded times occurred. When the evidence is added to the program it is assumed to be in the investigator's local time. Modifying the device level does not change times because the device time zone associates a time zone only to the times stored.
Opening a Case
Open a case to continue analysis or to review a case. 1. Select File Open.
2.
Browse to or select the case from the recent files list at the bottom of the menu, then click Open.
Note: You can also open a case by double clicking the case file in Windows Explorer.
94
Saving a Case
You can save a case: To its current filename and location: see Saving a Case on page 94. With a new filename or a new location: see Saving a Case with a New Name or New Location on page 94. To its current filename and location along with the application's current references, conditions, and filters: see Saving a Case and the Global Application Files on page 94.
Saving a Case
To save a case: 1. Click File Save or click Save on the toolbar. The Save dialog appears. 2. 3. If you want to use the case name as the file name and use the default path in My Documents, click Save. You can also navigate to or enter a different file name and path, then click Save.
The Save dialog appears. 2. 3. If you want to use the case name or current file name and use the default path in My Documents, click Save. You can also navigate to or enter a different file name and path, then click Save.
The Save dialog appears. 2. 3. If you want to use the current file name and the default path in My Documents, click Save. You can also navigate to or enter the desired file name and path, then click Save.
Case Management
95
Closing a Case
Protect the integrity of cases by closing them when they are not being worked on. 1. 2. 3. Save the open case. In Tree view, place the cursor on an open case. Click Close.
CHAPTER 6
98
Overview
EnCase organizes digital evidence into an associated case. Digital evidence is previewed, then possibly acquired. Once evidence is acquired or added to a case, it can be analyzed. This section focuses on previewing, acquiring, and adding digital evidence to the case.
Administrator Credentials
Some features of EnCase (for example, physical disk access) are available only if you are logged on as an administrator. For this reason, Guidance Software recommends that EnCase users are local users with Windows administrator credentials. Examples of the types of activities requiring administrative access are: Setup: The setup program needs administrator privileges to configure devices and services during install and uninstall. On Vista, the setup program needs these privileges to write files to the \Program Files directory. Reading Local Devices: To add a local drive to EnCase (the Add Device command) and read it at the sector level, Windows requires that EnCase run as an administrator. Configuring PDE: PDE is dependent on a virtual device driver that needs to be installed at the time of running. This installation process requires administrator privileges. Neutrino: Neutrino configures devices to use its device drivers. The configuration of devices on the operating system requires administrator access. EnCase Options Files (Vista and later only): The EnCase options files are currently saved in the Program Files folder. On Vista and later operating systems, administrator access is required to modify files in these folders. Wipe and Restore: The wipe and restore functionality requires sector-level access to disk drives, for which Windows requires administrator privileges. Write Blocking: To set a device as write blocked you must configure the EnFilter driver to write block devices. Windows requires administrator privileges to communicate with the device driver.
Types of Entries
Entries include evidence and other file types containing digital evidence that are added to a case. There are four classes of evidence containing files that EnCase applications support: EnCase Evidence Files (E01) Logical Evidence Files (LEF/L01) Raw images Single files, including directories
These files are acquired or added to a case. Before digital evidence can be added to a case, it is previewed.
99
Single Files
Individual files can be added to the case once you select Activate Single Files. You can add any file type supported by an EnCase application to a case. Do this using the interface, or drag and drop. When files are added, they appear in the View pane. You can add a folder containing files to a case. You must use drag and drop to do this. When you add folders, the folders appear in the entries tree and the entries table. The individual files within the folder appear only on the entries table.
100
Unix/Linux Environment
Characters to the left of a slash within brackets indicate folder permissions Characters to the right of a slash within brackets indicate file permissions
For example, [Lst Fldr/Rd Data][Crt Fl/W Data][Trav Fldr/X Fl]= Full Permissions.
Windows Environment
Working with Evidence The Windows environment abbreviations for HFS+ permissions are:
FC=Full Control M=Modify R&X=Read Execute R=Read W=Write Sync=Contact an EnCase developer
101
exFAT also supports initialized file size. EnCase detects exFAT volumes automatically. You can also add an exFAT volume manually: select the exFAT option from the Add Partition dialog.
102
2. 3.
Click the Volume option button, then select the Partition Type for the FAT volume you are parsing. Click OK.
3. 4.
Select the Partition Type for the FAT volume you are parsing. Click OK.
103
This feature is accessed from EnScript. There is a new function called CopyFile added to the file class. It contains two parameters: Output file Size (optional)
If size is not specified, the data from the current position to the end of the file is transferred.
Sample Code
bool copyExample(ConnectionClass& conn) { HostFileClass file(conn); LocalFileClass outFile(); bool ok = true;
if (ok = file.Open(Input.dat")) { if (ok = outFile.Open("Output.dat", LocalFileClass::WRITE)) ok = file.CopyFile(outFile); outFile.Close(); } file.Close(); return ok;
Machine Profiles
Machine Profiles are descriptions of computers and the permitted (or prohibited) software resident in the computer. Most profiles are of the first type and are compilations of executables and other software. A typical use of a machine profile is to establish a standard desktop. If, for example, a company or department wants to ensure computer integrity by allowing only specific software, a machine profile is created. Another use for a machine profile is determining the existence of inappropriate resident software. When a profile of malware such as spyware or viruses is compared with a disk's contents, these unwanted programs are immediately identified.
104
You can customize machine profiles to meet individual needs. The EnCase software includes a number of machine profiles for standard computers. The profiles already resident in the software are: Windows 2003 Server Enterprise with no service pack Windows 2003 Server Enterprise with Service Pack 1 Windows 2003 Server Standard with Service Pack 1 Windows 2000 Server with Service Pack 4 Windows 2000 Pro with Service Pack 4 Windows XP Pro with Service Pack 2 Red Hat WS Linux 3.0 SUSE Linux 9.3 SUSE Enterprise Server 9 Solaris 8, 32 bit Solaris 8, 64 bit Solaris 9, 32 bit Solaris 9, 64 bit
A list of existing machine profiles displays in the Table tab of the Table pane.
When you finish viewing, you can edit or create new machine profiles.
105
Create app descriptors for the new software and display the machine profiles list. 1. 2. 3. Right click anywhere in the machine profiles list in the Table pane and select New. The New Machine Profile dialog displays. The Name and Comment fields are blank. Enter a name and an optional comment in the appropriate fields and click OK.
4.
The New Machine Profile dialog closes and the new profile displays in the list. It is row 14 in the picture below.
106
2.
To sort the list, double click the number column in the right pane and scroll to the top of the window. The version of the selected app descriptor displays in the right pane.
3. 4.
Scroll down in the right pane and select app descriptors to include in the new profile. When you are finished, click OK.
107
Using Snapshots
Snapshots collect a variety of information to create snapshot bookmarks. Snapshots are the output of EnScript programs. In EnCase Forensic, only the Scan Local Machine EnScript program creates snapshots. In EnCase Enterprise, the following EnScript programs create snapshots: Sweep Enterprise Quick Snapshot
The Sweep Enterprise EnScript captures live information from a selected network tree without a case or Enterprise logon needed before running. The Quick Snapshot EnScript captures live information from a selected machine associated with a device in an open case. For more information on these EnScript programs, see Enterprise EnScript Programs (on page 400).
You are ready to acquire the contents of the device as an EnCase evidence file in the currently opened case.
Previewing
Previewing is done before an acquisition, so an investigator can determine if the device should be acquired. A preview is not optional, although the investigator determines the extent of the preview. During a preview, the content of the device can be analyzed just as if the content had been acquired.
Note: A write blocking device, such as the FastBloc write blocker, prevents the subject device from changing. Previewing via a crossover network cable is useful if a write blocking device is not available.
By previewing, you do not have to wait to finish an acquisition before doing a preliminary examination. While previewing, you can run keyword searches, create bookmarks, perform Copy/UnErase, and other analysis functions. You can save these search results and bookmarks into a case file; however, each time you open the case, you must physically connect the subject media to the investigator's machine.
108
Verify the device containing the content to be previewed was added to the case.
Working with Evidence To preview the content of a device that was added to the currently opened case: 1. 2. 3. On the Tree pane or Table pane of the main window, look at the icon of the device you are previewing to see if it is live or write blocked. Perform any evidence analysis required to determine if a device should be acquired. Once you have determined the device should be acquired, acquire it.
109
You must open a case before opening the Add Device wizard.
110
Click Next to open the Sessions Sources dialog of the Add Device wizard. Sources Tree Pane organizes the device sources from which content is later previewed or acquired. Sources Root Object contains the child objects. The dropdown menu displays commands for this object. You can: Expand or collapse objects in the Sources tree. Select various objects in the Sources tree.
Local Object refers to local devices physically connected to the machine, which could include: Floppy drive Palm Pilot Removable media Hard drive Another computer
The device types display as entries in the Table pane when you select the object. Dropdown menu commands for this object determine how to: Expand or collapse objects in the Sources tree. Select various objects in the Sources tree.
Evidence Files Folder Object contains folders added as source folders containing evidence files. The Table pane displays the same folders as the tree. Dropdown menu commands for this object let you: Add folders. Determine which objects appear in the Sources tree. Determine which entries display in the Table pane when you select the object.
Evidence Folder Objects represents each folder added as a container of evidence files. As leaf nodes of the tree, the evidence files do not show in the tree, but they do appear in the Table pane. Dropdown menu commands for this object let you: Delete the folder where you opened the dropdown menu. Delete folders selected in the Sources tree. Determine which objects appear in the Sources tree. Determine which entries display in the Table pane when the object is selected.
Table Pane displays the children of the currently selected folder object in the Sources tree. Dropdown menu commands for this object let you: Delete the folder where you opened the dropdown menu. Delete folders selected in the tree. Copy the entry where you opened the dropdown menu. Select the object on the tree that corresponds to the entry where you opened the dropdown menu in the Table pane. Navigate to the parent of the object containing the entry where you opened the dropdown menu in the Table pane.
111
Click Next to openthe Sessions Sources dialog of the Add Device wizard. Add Text List opens the Add Text List dialog, which contains a list of paths to and filenames of evidence files to be added in batch to the Sources tree. You can use IP addresses when the servlet on the machine is not running on the servlet's default port (the same default port number as the SAFE, which is 4445). When using an IP address that does not share the same port number as the SAFE, you must append a colon and the port number to the IP string.
Add Evidence Files opens the Add Evidence Files file browser where you can enter the path to and the filename of an evidence file, so the evidence file is added individually to the Sources tree. The following types of files can be added using this file browser: Evidence file (.E01) SafeBack file (.001) VMware file (.VMDK) Logical Evidence file (.L01) Virtual PC file (.VHD)
Sources Tree organizes the folders used to contain the evidence files added either as batch file lists or individual files. You can organize the folders in this tree hierarchically as desired.
112
Sources Root Object contains the default folders and folders added that organize the evidence files either added or to be added to the Sources tree. Dropdown menu commands for this object let you: Add a new folder as a child Expand or collapse the subordinate tree
Any child objects of this object on the tree appear in as entries on the Table pane. You can organize the children of this object hierarchically by dragging and dropping folders into each other. Current Selection is a default child of the Sources root object. It contains any evidence files added to the Sources tree during the current session. The next time you open the Add Device wizard, the evidence files listed here are moved to the Last Selection folder, and this folder is emptied. The dropdown menu on this object lets you: Delete this object. Rename this object. Add a new folder as a child. Expand or collapse the subordinate tree.
Any child objects of this object appear as entries on the Table pane. You can organize the children of this object hierarchically by dragging and dropping folders into each other. Last Selection is a default child of the Sources root object. It contains any evidence files added to the Sources tree during the prior session. The next time you open the Add Device wizard, the evidence files listed in the Current Selection folder are moved to this folder, and any evidence files listed before the move are removed from the folder. Once added, the evidence files continue to be used as sources until they are individually removed regardless of whether they show in the selection folders. The dropdown menu on this object lets you: Delete this object. Rename this object. Add a new folder as a child. Expand or collapse the subordinate tree.
Any child objects of this object on the tree appear as entries on the Table pane. You can organize the children of this object hierarchically by dragging and dropping folders into each other. Table Pane displays the children of the currently selected object in the Sources tree as entries in the table. Dropdown menu commands for this object let you: Copy an entry for use elsewhere; the copied entry cannot be pasted into the table. Delete an entry. Rename or edit an entry. Navigate to the parent object of the object containing the entry.
113
Devices Tree organizes the device definitions to be added to a case. Devices Root Object contains the default folders that reflect the types of devices defined at this point. See Adding a Device (on page 114). Right click menu commands for this object determine: Which objects appear in the Sources tree Which entries display in the Table pane when you select the object
Local Drives Object contains the current collection of child instances of the Local Drives device type entries on the Table pane. Right click menu commands for this object determine: Which objects appear in the Sources tree Which entries display in the Table pane when you select the object
Table Pane displays the children of the currently selected object in the Sources tree as entries in the table. Right click menu commands for this object let you: Toggle the Read File System column value Copy an entry for use elsewhere, as you cannot paste the copied entry into the table Select an entry Edit an entry Navigate to the parent object of the object containing the entry.
Device Selection Column contains a checkbox for each row. To add a device, click its checkbox, then click Next. Read File System Column: If you do not select this setting, the file system is read in as a flat file from sector 0 to the last sector. Files, folders, and any other file system structure is lost.
114
When you click Next, the Table pane lists the devices that are added. Table Entry Rows display the details of the device defined in that row. The dropdown menu for each row provides commands that: Toggle the Read File System setting for the entry where you opened the dropdown menu. Copy the entry. Edit the entry including the Read File System value.
Read File System Column: when you clear this, the file system is read in as a flat file from sector 0 to the last sector. Files, folders, and any other file system structure is lost.
Adding a Device
The devices added using the Add Device wizard determine the type of acquisition to be performed. The primary determiner is the device type set on the Sources dialog of the Add Device wizard. The process for adding a device varies once the device type is selected. Open a case where you want to add devices. When a case is open, the Add Device button displays on the main window tab bar.
1. 2.
Click Add Device. The Sources dialog of the Add Device wizard displays. In the Sources tree the Local object is selected, and the local device types are listed in the Table pane. Complete the Sources dialog as needed, then click Next. If you checked Sessions on the Sources dialog, the Sessions Sources dialog of the Add Device wizard displays; otherwise, the Choose Device dialog displays.
115
If you selected Sessions on the Sources dialog, complete the Sessions Sources dialog and click Next. The Choose Device dialog displays. Complete the Choose Device dialog as needed, then click Next. The Preview Devices dialog displays. Complete the Preview Devices dialog as needed, then click Next. The devices defined and selected in the Add Device wizard are added to the currently opened case. You can now preview and acquire these devices.
Before you begin: Open the case Open the Add Device wizard to the Sources dialog.
Note: For a local acquisition, see Acquiring a Local Drive (on page 134). For a Palm Pilot acquisition, see Acquiring a Palm Pilot (on page 143). For a network crossover acquisition, see Drive-to-Drive Acquisition Using LinEn (on page 462).
1.
To acquire or preview a local drive: a. Select the Local object in the Sources tree. b. Click the checkbox for Local Drives in the Table pane.
2.
To acquire or preview a Palm Pilot: a. Select the Local object in the Sources tree. b. Connect the Palm Pilot and set it to console mode. c. Click the Palm Pilot checkbox in the Table pane.
3.
To acquire or preview a network crossover: a. Select the Local object in the Sources tree. b. Start the LinEn crossover connection acquisition. c. If appropriate, connect the crossover connection. d. Click the Network Crossover checkbox in the Table pane.
4. 5.
To add evidence files to the case file, select Sessions, then click Next. The Sessions Sources dialog displays.
116
Drag and drop an evidence file from Windows File Explorer to this dialog. 1. To add a list of evidence files: a. Click Add Text List. b. Enter the path and filename for each evidence file to be added using the list. c. Click OK. 2. To add a single evidence file using a file browser: a. Click Add Evidence File. b. Browse to or enter the path and filename of the evidence file to be added. c. Click OK. 3. 4. If more devices need to be added, clear the Sessions checkbox. If all the devices have been added, click Next. If you cleared the Sessions checkbox, the Choose Devices dialog displays; otherwise, the Sources dialog displays.
Working with Evidence To verify that the list of devices to be added is correct: 1. Review each row in the Table pane, and If the device attributes need to be changed, do the following:
117
a. Right click the row containing the device whose attributes need to be changed, and click Edit. The Device Attributes dialog appears. b. Enter the desired changes. 2. 3. 4. 5. If the device should be acquired as a flat file, clear the Read File System column. Click OK. The changes made in the Device Attributes dialog appear in the Table pane. If the list of devices to add is correct and complete, click Next; otherwise, click Back as necessary to revise values. The devices defined in the Add Device wizard are added to the case.
Acquiring
Once you add a device its contents can be acquired. Beyond an acquisition, you can add EnCase evidence files and raw evidence files to the case. You can reacquire raw evidence files, so that they are translated into EnCase evidence files complete with metadata and hash values. You can also acquire Palm Pilots. Using the LinEn utility, you can perform network crossover in collaboration with EnCase Enterprise, and you can use LinEn to perform disk-to-disk acquisitions. You can add EnCase evidence files originating in other cases as well. All of these acquisitions are discussed in this section.
Types of Acquisitions
Several types of acquisitions comprise EnCase evidence files (E01) and associate these files with the case currently open. There are several additional digital evidence file types that are associated with the case currently open but which do not involve acquisitions, except when reacquired. There are also logical evidence files (LEF), usually constructed during a preview. The local sources for acquisitions create E01s. Local sources include Local drives (using a write blocker) Palm Pilot Network crossover (using LinEn) Local devices (LinEn disk-to- disk)
Add evidence files through the interface. The evidence files involved include those created by a LinEn disk-to-disk acquisition. You can add evidence files initially created for other cases to the case currently open as well. A network crossover acquisition involves both LinEn and EnCase.
118
LinEn disk-to-disk acquisitions create evidence files safely in the Linux environment, without using a write blocker. Dragging and dropping a file results in adding the file as a single file, rather than an evidence file. When you drag and drop an evidence file, it is added to the case as an evidence file.
Acquisition Wizard
Before acquiring a device's content, you must add the device to the case using the Add Device wizard. The Acquisition wizard captures the specifications for the acquisition. The wizard contains the following dialogs: After Acquisition dialog Search dialog (optional) Options dialog
Use the After Acquisition dialog of the Acquisition wizard: To ease the acquisition of subsequent disks To enable search, hash, and signature analysis to launch automatically after the acquisition is completed To determine what happens to the new image To restart a cancelled acquisition
Working with Evidence Acquire another disk enables you to work through a series of acquisitions (typically floppy disk content) without adding a new device for each acquisition. When you check Acquire another disk: Replace source device is disabled Search, Hash and Signature Analysis is enabled.
119
Search, Hash and Signature Analysis opens the Search dialog, where you define search, hash and signature analysis. New Image File Group: controls in this group determine how the newly acquired image is saved. The default is Replace source drive. Do not add excludes the newly acquired image from the case current open. Add to Case adds the newly acquired image in the case file associated with the device where the image was taken. Replace a source device adds the newly acquired image to the case and removes the previewed device where the acquisition was made. Restart Acquisition restarts a cancelled acquisition. If the acquisition was interrupted, but not canceled, that acquisition cannot be restarted. When you check Restart Acquisition, Existing Evidence File and its associated browse button are enabled. The file containing the data from the cancelled acquisition is available to speed up the current acquisition. You can replace the incomplete set containing the canceled file with a set containing all the data. Existing Evidence File contains the path and filename of the evidence file whose acquisition was canceled earlier. The existing evidence file is replaced by the acquisition in progress. Existing Evidence File Browse opens the Windows file system browser to capture the path and filename of the existing evidence file.
Search Dialog
Use the Search dialog of the Acquisition wizard to: Search the entire case Define a keyword search Define an email search Compute hash values Verify file signatures Identify codepages Search for Internet history
120
Ultimately, these searches and analyses lengthen the acquisition time. For long acquisitions, you can perform these searches independently from the acquisition once the acquisition is complete.
Selected Items only acquires only those files you checked. Keyword Search Options contains controls used to define a keyword search while the content of the device is acquired. Search entries and records for keywords: executes a keyword search when checked. When cleared, other checked functions are performed, but the keyword search is not. This allows you to run a signature analysis or a hash analysis without running a keyword search. This option also enables: Selected keywords only Search entry slack Use initialized size Undelete entries before searching Search only slack area of entries in Hash Library
Selected keywords only restricts the number of keywords used during the keyword search to the number of keywords specified in Number of Keywords. Search entry slack includes file slack in the keyword search. Use initialized size uses the initialized size of the device during the keyword search. Undelete entries before searching undeletes deleted files before they are searched for keywords. Search only slack area of files in Hash Library determines whether the slack areas of the files included in the hash library are searched. Hash Options contains controls used to compute hash values.
Working with Evidence Compute hash value determines whether a hash value is computed.
121
Recompute hash value determines whether a hash value is recomputed. When you recompute hash values, they are recomputed even if hash values are already present. Email Search Options contains controls used to define an email search performed while acquiring the content of the device. Search for email performs an email search. This option also enables controls that determine the type of email sought. Recovered deleted determines whether deleted email that remains in the PST file since the last compact operation is recovered. Outlook (PST) includes .pst files in the search. Outlook Express (DBX) includes .dbx files in the search. Exchange (EDB) includes .edb files in the search. Lotus (NSF) includes .nsf files in the search. AOL includes AOL email files in the search. MBOX includes MBOX email files in the search. Additional Options contains controls that determine additional analysis to perform on the content being acquired. Verify file signatures authenticates file signatures during the acquisition. Identify codepage: If you check this option, the software attempts to determine the codepage of each file, then saves those codepages for later use in the view pane when the file contents are displayed. Search for internet history finds Internet history files during the acquisition.
122
Options Dialog
The Options dialog of the Acquisition wizard defines the metadata and various aspects of the image generated by the acquisition, which constitutes the EnCase evidence.
Name contains the name of the EnCase evidence file that contains the image resulting from the acquisition of the underlying device. Evidence Number contains the investigator-assigned number for the EnCase evidence file produced by the acquisition in progress. Notes contains the investigator's notes regarding this EnCase evidence file. File Segment Size specifies file segment size of the evidence files. Start Sector specifies the first sector of the content you want to acquire. Stop Sector specifies the last sector of the content you want to acquire. Password determines if the EnCase evidence file is password protected, and what password is used. Entering a password enables Confirm Password. This password cannot be reset. Block size determines the block size of the contents where CRC values are computed. Error granularity determines what portion of the block is zeroed out if an error is encountered. The error granularity is at the most the same value as Block size, or an even fraction of Block size. Acquisition MD5 generates an MD5 file hash. Acquisition SHA1 generates an SHA-1 file hash. Quick reacquisition allows you to quickly reacquire in order to change the file segment size, or to apply or remove a password. Read Ahead reads the acquired content in order to detect errors before the block is acquired, or CRCs are calculated and hashed.
Working with Evidence Output Path determines the path and filename where the EnCase evidence file resulting from the acquisition is written.
123
Alternate Path contains the path and filename of an alternative destination volume where the EnCase evidence file is stored if the first location runs out of disk space.
Console sends the status messages displayed in the dialog to the Console tab of the view. Note writes the contents of the status message into a bookmark note containing the device and EnCase evidence file being acquired. Log Record adds the status messages displayed to a bookmark log record.
In the Entries tree, select the device you want, then right click. In the dropdown menu, click Acquire.
4.
124
125
To define actions after the acquisition: 1. If additional disks are to be acquired after this acquisition, select Acquire another disk. When you acquire another disk, the image associated with that disk is added to the case, and the New Image File value is set to reflect this. If the content being acquired is to be searched, hashed, or analyzed for signatures, select Search, Hash and Signature Analysis . Click Next. The Search dialog displays. In New Image File, click the appropriate disposition of the file containing the acquired image. If you want to restart a canceled acquisition:
2. 3. 4. 5.
a. Select Restart Acquisition. b. Browse to or enter the filename and path of the EnCase evidence file containing the partial
acquisition to be restarted.
Note: You can calculate a SHA-1 hash upon restarting the acquisition. Click the Acquisition SHA1 checkbox.
6.
Click Finish.
If you selected Search, Hash and Signature Analysis , the Search dialog displays; otherwise, the Options dialog displays.
126
To define the analysis processing as part of the acquisition: 1. Do the following as required: To search all the content of devices associated with the case--not just the content of the device you are acquiring--click the Search entire case checkbox. To perform a keyword search, click the Search entries and records for keywords checkbox, then click the checkboxes for the Keyword Search Options you want. To compute or recompute hash values, click the appropriate checkboxes in the Hash Options group box. To perform an email search, click the Search for email checkbox, then click the checkboxes for the Email Search Options you want. To verify file signatures, in Additional Options click Verify File signatures. To identify codepages, in Additional Options click Identify codepages. To search for Internet history files, in Additional Options, click Search for internet history. The Comprehensive search checkbox is enabled. Click Comprehensive search to include file slack and unallocated space in your Internet history search. 2. Click Next.
127
To define how the EnCase evidence file is built and output: 1. 2. 3. Accept the default values or enter or select alternative values. Enter an Evidence Number and Notes. If a hash has not been requested yet and you want one: Click Acquisition MD5 to generate an MD5 file hash (checked by default). Click Acquisition SHA1 to generate a SHA-1 file hash. 4. 5. If you might run out of storage space where you are storing the acquired device, specify additional storage by browsing to or entering a path and filename in Alternate Path. Click Finish. The acquisition begins, and the Thread Status Line displays at the bottom right corner of the main window displaying the status of the thread performing the acquisition. You can cancel the acquisition during processing: see Cancelling an Acquisition on page 128. When the acquisition results dialog displays completed status, select Console, Note, or Log Record.
6.
7.
Click OK.
128
Canceling an Acquisition
You can cancel an acquisition while it is running. After canceling, the acquisition can be restarted. However, if the acquisition ends without being canceled, you cannot restart it. To cancel an acquisition while it is running: 1. At the bottom right corner of the main window, double click the Thread Status line. The Thread Status message box displays.
2.
Click Yes. The Acquisition Results dialog displays showing canceled status.
3.
Click Ok.
Working with Evidence 3. The Verify Evidence Files file dialog opens.
129
4. 5.
Select one or more evidence files, then click Open. When files are verified, a status report displays.
Note: Verify Evidence Files works differently from Verify File Integrity in the way it handles CRC issues. Verify Evidence Files verifies the evidence file part by part (header, volume, data, etc.) and stops if there is a CRC issue on any one of the parts. Verify File Integrity verifies the evidence file sector by sector and stops only if there is a CRC issue for the entire evidence file.
Supported Hardware
HP 9000 server family with HP PA-8900 processors
130
Additional Resources
Installing HP-UX Applications (http://docs.hp.com/en/5990-8144/ch07s01.html#babjhibf) swinstall(1M) (http://docs.hp.com/en/B3921-60631/swinstall.1M.html)
To install the HP-UX servlet: 1. 2. Place the GSIservl.depot file in any directory on your HP-UX machine. This file is found in the base EnCase installation directory. At a command prompt, type swinstall -s /<location>/GSIservl.depot
3.
Working with Evidence 4. Click Enter. The installation screen displays and begins searching for installation files.
131
5.
When it appears in the list, select GSIservl by highlighting the green box and clicking the spacebar.
Note: Be sure to select the top level file. If you accidentally drill down and only select to install a part of the package the servlet will not work.
6.
To mark the file for installation, navigate to the Actions menu and select Mark for Install.
a. Use Tab to move up to the menu bar. b. Use the arrow keys to move back and forth. c. Use the Enter key to pull down a menu item or select a menu item.
132
Note: You cannot install a file without marking it for installation first. If you receive an error message, go back and perform the steps to mark the file for installation.
7. 8.
Click Enter. The file now shows as Partial in the Marked? column. To install the file, navigate to the Actions menu and select Install.
Working with Evidence 9. Click Enter. The installation analysis dialog displays.
133
10. When analysis is complete, click OK. The installation screen displays.
11. Click Done when installation is complete. 12. Navigate to the File menu and click Exit.
134
To run the HP-UX servlet: 1. 2. Navigate to the /opt/encase directory. Type ./enhpux -d in the command line to start the servlet. -d starts the servlet up as a daemon -h shows help instructions and other switches
Note: After a system reboot, you must restart the servlet manually; however, a system administrator can create a shell script that restarts the servlet when the system reboots.
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCase applications can detect and image DCO and/or HPA areas on any ATA-6 or higher-level disk drive. These areas are detected using LinEn (Linux) or the FastBloc SE module. EnCase applications running in Windows with a hardware write blocker will not detect DCOs or HPAs. This applies to EnCase applications using: FastBloc SE LinEn when the Linux distribution used supports Direct ATA mode
The application now shows if a DCO area exists in addition to the HPA area on a target drive. FastBloc SE is a separately purchased component. HPA is a special area located at the end of a disk. It is usually configured so the casual observer cannot see it, and it can only be accessed by reconfiguring the disk. HPA and DCO are extremely similar: the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a removed HPA at reboot. When supported, EnCase applications see both areas if they coexist on a hard drive.
135
FastBloc supports AMD 64-bit architecture. By replacing the existing IDE and SCSI controller driver with the new Guidance driver, only read-only requests are sent to the attached hard drives. The FastBloc SE Module can be used with devices equipped with these Promise SATA cards: 300 TX4302 300 TX4 300 TX2PLUS
There is also support for the AMD Athlon 64 processor, for systems run ning Microsoft Windows XP 64-bit edition, and for Microsoft Windows Server 2003 64-bit edition.
136
FastBloc 2 FE v2
137
FastBloc 2 LE
FastBloc 3 FE
138
Computer investigations require a fast, reliable means to acquire digital evidence. FastBloc Lab Edition (LE) and FastBloc Field Edition (FE) (hereafter referred to as FastBloc) are hardware write blocking devices that enable the safe acquisition of subject media in Windows to an EnCase evidence file. Before FastBloc was developed, non invasive acquisitions were exclusively conducted in cumbersome command line environments. The hardware versions of FastBloc are not standalone products. When attached to a computer and a subject hard drive, FastBloc provides investigators with the ability to quickly and safely preview or acquire data in a Windows environment. The unit is lightweight, self contained, and portable for easy field acquisitions, with on site verification immediately following the acquisition. FastBloc SE is a software version of this product.
To add a Tableau device: 1. 2. 3. Attach Tableau hardware with a device you want write blocked. Open a new case in EnCase. Click Add Device.
139
5.
Available Tableau devices display in the View pane with a bullet in the Write Blocked column.
6. 7.
Select the Tableau device(s), then click Next. If you do not have a DCO device, the Preview Devices dialog displays (see below). If EnCase detects Tableau blocked devices with DCO in use, the Remove DCO Area dialog displays.
140
8. 9.
Click the checkbox next to the device(s) where you want to remove DCO, then click Next. A dialog with a status bar displays.
10. Turn off the Tableau device. Leave it off for at least one minute. 11. Turn the Tableau device back on. 12. When EnCase finishes removing the DCO area, the Preview Devices dialog displays.
Working with Evidence Report information shows any device acquired through Tableau as Write Blocked Tableau.
141
142
EnCase Enterprise Version 6.18 3. Choose Acquire. The Acquire dialog displays.
4.
Choose the physical drive or logical partition you want to acquire. The Acquire Device <drive> dialog displays.
5.
For the data elements requested by the Acquire dialog, either accept the default when provided, enter a value, or choose one of the alternatives (see Specifying and Running an Acquisition on page 124), then press Enter. The Acquire Device dialog requests additional data values until you enter or select all data elements. Then the Creating File dialog displays. When the acquisition is complete, click OK. The LinEn main screen displays. The subject was acquired and is stored on the storage drive. Connect the storage drive to investigator's machine.
6. 7. 8. 9.
10. Add the EnCase evidence file using the Sessions Sources dialog of the Add Device wizard. See Completing the Sessions Sources Dialog on page 115.
Working with Evidence Ensure LinEn is configured as described in Linen Setup Under SUSE (on page 459), and autofs is disabled (cleared). Linux is running in Direct ATA Mode. 1. 2. 3. 4. 5. If the FAT32 storage partition to be acquired has not been mounted, mount it. Navigate to the folder where LinEn resides and type ./linen in the console. The LinEn main screen displays. Select Mode, then select Direct ATA Mode. You can now acquire the disk running in ATA mode. Continue the drive-to-drive acquisition with Step 3 of Performing a Drive-to-Drive Acquisition Using LinEn (on page 141).
143
144
EnCase Enterprise Version 6.18 2. Turn on the PDA, then, to put the PDA in console mode: a. On the left side of the graffiti area, use the stylus to write a lowercase cursive "L" followed by two dots. b. On the right side of the graffiti area, write a "2". 3. The PDA is now in console mode.
On the Sources dialog of the Add Device wizard: 1. 2. 3. In the Tree pane, click Local. In the Table pane, click the checkbox for Palm Pilot. If other devices are to be acquired in this acquisition continue defining devices. See Completing the Sources Dialog on page 115, or click Next.
145
5. 6. 7. 8. 9.
In the Table pane select the entry for the Palm Pilot device and any other devices to be acquired during this acquisition, then click Next. The Preview Devices dialog opens. In the Table pane select the entry for the Palm Pilot device, and any other devices to be acquired during this acquisition, then click Finish. In the Cases Entry in the Entry tree. Home tab of the main window, the Palm Pilot to be acquired displays
Right click the Palm Pilot object in the Entry tree, then click Acquire.
11. Continue the acquisition from Step 1 of Specifying and Running an Acquisition (on page 124). 12. When the Acquisition Results dialog closes, the acquisition is complete.
146
Acquisition Times
Initially, previewing a serial Palm Pilot PDA may be slow because standard serial ports transfer data at a maximum speed of 115 kbps. The preview and acquisition of a Palm Pilot Vx, for example, takes between 30 and 40 minutes. USB Palm Pilots are faster: in acquisition tests, a 12MB m500 took four minutes to preview and 16 minutes to acquire. However, after the first keyword search on a previewed device, all other processes accessing the evidence file are fast, because the entire evidence file is cached in memory.
147
8. 9.
On the forensic machine, specify an IP address of 10.0.0.1 for the subject machine. Launch EnCase on the forensic machine.
10. Create a new case, or open an existing case. 11. Right click the Devices object and click Add Device. 12. Select Network Crossover and click Next. 13. Select the physical disk or logical partition to acquire or preview and click Next. 14. Click Finish. The contents of the selected device reached through the network crossover connection are previewed. To acquire the content, perform an acquisition. See Specifying and Running an Acquisition on page 124.
148
Software RAID
EnCase applications support these software RAIDs: Windows NT: see Windows NT Software Disk Configurations on page 148 Windows 2000: see Dynamic Disk on page 150 Windows XP: see Dynamic Disk on page 150 Windows 2003 Servers: see Dynamic Disk on page 150
149
The information detailing the types of partitions and the specific layout across multiple disks is contained in the registry of the operating system. EnCase applications can read this registry information and resolve the configuration based on the key. The application can then virtually mount the software disk configuration within the EnCase case. There are two ways to obtain the registry key: Acquiring the drive Backing up the drive
Acquire the drive containing the operating system. It is likely that this drive is part of the disk configuration set, but in the event it is notsuch as the disk configuration being used for storage purposes onlyacquire the OS drive and add it to the case along with the disk configuration set drives. To make a backup disk on the subject machine, use Windows Disk Manager and select Backup from the Partition option. This creates a backup disk of the disk configuration information, placing the backup on a floppy disk. You can then copy the file into your EnCase application using the Single Files option, or you can acquire the floppy disk and add it to the case. The case must have the disk configuration set drives added to it as well. This situation only works if you are working with a restored clone of a subject computer. It is also possible a registry backup disk is at the location. Right click the evidence file that contains the key and select Scan Disk Configuration. At this point, the application attempts to build the virtual devices using information from the registry key.
150
Dynamic Disk
Dynamic Disk is a disk configuration available in Windows 2000, Windows XP and Windows 2003 Server. The information pertinent to building the configuration resides at the end of the disk rather than in a registry key. Therefore, each physical disk in this configuration contains the information necessary to reconstruct the original setup. EnCase applications read the Dynamic Disk partition structure and resolve the configurations based on the information extracted. To rebuild a Dynamic Disk configuration, add the physical devices involved in the set to the case and, from the Cases tab, right click any of the devices and choose Scan Disk Configuration. If the resulting disk configurations seem incorrect, you can manually edit them via the Edit command in the Devices tab.
To acquire the set: 1. 2. 3. Keep the disk configuration intact in its native environment. Boot the subject computer with an EnCase Network Boot Disk. Launch the LinEn utility.
Note: The BIOS interprets the disk configuration as one drive, so EnCase applications will as well. The investigator sees the disk configuration as one drive.
4.
Acquire the disk configuration as you normally acquire a single hard drive, depending on the means of acquisition. Parallel port, crossover network cable, or drive-to-drive acquisition is straightforward, as long as the set is acquired as one drive.
If the physical drives were acquired separately, or could not be acquired in the native environment, EnCase applications can edit the hardware set manually.
151
You can collect this data from the BIOS of the controller card for a hardware set, or from the registry for software sets. When a RAID-5 consists of three or more disks and one disk is missing or bad, the application can still rebuild the virtual disk using parity information from the other disks in the configuration, which is detected automatically during the reconstruction of hardware disk configurations using the Scan Disk Configuration command. When rebuilding a RAID from the first two disks, results from validating parity are meaningless, because you create the parity to build the missing disk. To acquire a disk configuration set as one disk: 1. 2. Add the evidence files to one case. Click View Cases Subtabs Devices.
3. 4.
Right click any evidence file row and select Edit Disk Configuration. The Disk Configuration dialog displays.
152
EnCase Enterprise Version 6.18 5. 6. In Disk Configuration, right click the appropriate disk configuration, then click New. Enter the start sector and size of the selected disk configuration, then click OK.
RAID-10
RAID-10 arrays require at least 4 drives, implemented as a striped array of RAID-1 arrays.
153
A FAT16 partition must exist on the forensic PC where you will Copy/Unerase the DriveSpace volume. A FAT16 partition can only be created with a FAT16 OS (such as Windows 95). Run FDISK to create a partition, then exit, reboot, and format the FAT16 partition using format.exe. Image the DriveSpace volume. Add the evidence file to a new case and search for a file named DBLSPACE.000 or DRVSPACE.000. Right click the file and copy/unerase it to the FAT16 partition on the storage computer. In Windows 98, click Start Launch DriveSpace. Select the FAT16 partition containing the compressed .000 file. Select Advance Mount. All Programs Accessories System Tools DriveSpace.
10. Select DRVSPACE.000, then click OK, noting the drive letter assigned to it. The Compressed Volume File (.000) from the previous drive is now seen as folders and files in a new logical volume. 11. Acquire this new volume. 12. Create the evidence file and add to your case. You can now view the compressed drive.
154
Reacquiring Evidence
When you have a raw evidence file which originated outside an EnCase application, reacquiring it results in the creation of an EnCase evidence file containing the content of the raw evidence file. You can move EnCase evidence files into a case even if they were acquired elsewhere. This does not require a reacquisition. Drag the files from Windows Explorer and drop them on the Sessions Sources dialog of the Add Device wizard. You may also want to reacquire an existing EnCase evidence file to change the compression settings or the file segment size.
To acquire a raw evidence file: 1. In the Tree pane, click Cases Entries Home. The Entries tree displays in the Tree pane.
Working with Evidence 2. Click File Add Raw Image. The Add Raw Image dialog displays.
155
3. 4. 5.
Drag and drop the raw images to be acquired. The raw images to be added are listed in the Component Files list. Accept the defaults in the Add Raw Image dialog or change them as desired, then click OK. A Disk Image object appears in the Entries tree, which is in the Cases pane. Entries Home tree
WinAcq
WinAcq is a standalone multi-threaded command line utility that captures physical and logical acquisitions of specified devices. Designed to run on a Windows operating system (Windows 2000 or higher), WinAcq allows you to specify the target device by volume letter or device number. WinAcq creates a standard EnCase evidence file (*.E01) that you can direct to a specified path. WinAcq's advantages include: Faster acquisition due to multi-threading. Ease of use: WinAcq requires minimal training for field investigators. Elimination of previous limits on the number of devices EnCase can preview.
Running WinAcq
To run WinAcq, open a command prompt on the target computer. You must have local administrator rights. Once you open a command prompt, run WinAcq using the syntax below. You can only acquire one item at a time, and you can only store to a single path. You cannot acquire a logical and a physical device at the same time.
156
WinAcq provides enhanced performance with multi-threading during evidence creation. The acquisition engine used in WinAcq now runs with a minimum of three threads: Reader threads allow you to control how many threads are reading from the source device. You can specify one to five reader threads. Worker threads allow you to control data compression calculation. You can specify one to 20 worker threads. The Hashing thread performs the hash function separately to enhance performance.
Note: Performance can degrade if you select too many threads. Identify the optimal number of threads for your particular hardware.
There are three ways to supply necessary information to WinAcq when running from the command line: Using command line options Using a configuration file Prompting for a value
Explanation
*Path and filename for resulting evidence file (maximum 32768 characters). *Name of the evidence within the evidence file (maximum 50 characters). *Case number related to the evidence (maximum 64 characters). *Examiner's name (maximum 64 characters). *Evidence number (maximum 64 characters). *Compression level (0=none, 1=fast, 2=best; default: 0). Semicolon delimited list of alternate paths (maximum 32768 characters). Notes (maximum 32768 characters). Maximum file size of each evidence file segment in MB (default: 640, minimum 1, maximum 10485760). Sectors per block for the evidence file (default: 64, minimum 1, maximum 1024).
-m <EvidenceName>
-c <CaseNumber>
-a <AlternatePaths>
-n <Notes> -s <MaxFileSize>
-b <BlockSize>
157
-f <ConfigurationFile>
-t
-1
-v
-wrk <Workers>
-rdr <Readers>
-vol <VolumeName>
-cdrom
-h
Note the following: Options with an asterisk (*) are required. Physical drives need only -dev <DeviceNumber>. Volumes need only -vol <VolumeName>. CD-ROMs need both -dev <DeviceNumber> and -cdrom.
Configuration File
You can create a configuration file to fill in some or all of the variables. Keep in mind the following: The configuration file needs to be in the format <Variable>=<Value>. The variable name is equivalent to options in the command line. Enter comments with a leading pound sign (#). Content of the configuration file is not case sensitive.
158
EvidencePath*
Path and filename for resulting evidence file (maximum 32768 characters). Name of the evidence within the evidence file (maximum 50 characters). Case number related to the evidence (maximum 64 characters). Examiner's name (maximum 64 characters). Evidence number (maximum 64 characters). Compression level (0=none, 1=fast, 2=best; default: 0). Semicolon delimited list of alternate paths (maximum 32768 characters). Notes (maximum 32768 characters). Maximum file size of each evidence file segment in MB (default: 640, minimum 1, maximum 10485760). Error granularity in sectors (default: 1, minimum 1, maximum 1024). Sectors per block for the evidence file (default: 64, minimum 1, maximum 1024). Compute MD5 hash while acquiring the evidence (default: true). Compute SHA1 hash while acquiring the evidence (default: false). Turns on verbose reporting; provides a count of sectors imaged versus total sectors (default: false). Number of worker threads (default: 10, minimum 1, maximum 20). Number of reader threads (default: 5, minimum 1, maximum 5).
EvidenceName*
CaseNumber*
Examiner*
EvidenceNumber*
Compress*
AlternatePath
Notes MaxFileSize
Granularity
BlockSize
Workers
Readers
Working with Evidence Hasher (true or false) DeviceNumber Hash in a separate thread (default:false). Number of the physical device to acquire (can be used with -cdrom). Letter of the logical volume to acquire (cannot be used with -cdrom). Used with the DeviceNumber option to specify that the source is a CD-ROM.
159
VolumeName
Status
During acquisition a pipe character (|) displays in the console as a status indicator, using the full width of the screen to designate 100% completion. If you choose the Verbose option, instead of pipe characters the console displays <CurrentSector>/<TotalSectors>.
Multi-Threaded Acquisition
There are four parts to acquisition: Reading a number of sectors from the device. Compressing the sectors that were read. Hashing the sectors that were read. Writing the compressed data to an evidence file.
Since compression takes the most time in an acquisition, having multiple reader and compression threads speeds the process significantly and uses more processing power. You can use up to five reader threads and up to 20 worker (compression) threads, but only one hashing thread and one writing thread. In addition, you can perform hashing in its own thread or in the writing thread. Hashing in its own thread works best on faster machines; if you have a slower machine, perform hashing in the writing thread.
Note: You can use multi-threading only for local acquisitions.
160
Note: If you are not performing a local acquisition, these options are disabled.
EnScript Interface
EnScript multi-threading options are in EvidenceFileClass. The declaration is: bool Acquire (DeviceClass Device, const String &Path, uint Options=0, uint readers=1, uint workers=5, bool hasher=false) As in the EnCase interface, the options are: Readers (1-5 available; default: 1) Workers (1-20 available; the default is 5) Hasher (true or false; the default is false)
Note: If you are not performing a local acquisition, these values are ignored.
For more information, see EnScript Help, available from the EnCase Help menu.
161
A progress bar at the bottom right of the EnCase main window shows approximate time to completion.
162
A temporary folder named Internet Artifacts (Unresolved) displays in the Records tab and the Refresh button is activated. Click the Refresh button to load Internet artifacts already resolved.
Internet artifacts which have been bookmarked resolve after the records display in the tab, so you cannot view them until that time. However, you can see some basic information about an Internet artifact that was previously bookmarked. The picture below shows that you can see the basic hierarchy and the name of the original entry, although the rest of the metadata displays only when the record is finally resolved and inserted into the Records tab.
163
Note: If you save the case after cancelling the Internet artifacts resolve thread, you will not lose any hits. You can still close and reopen the case, and all the previous hits will resolve again.
What happens if I perform a search for Internet artifacts while the Resolving Internet hits process is running?
The search for Internet artifacts will not begin until the Resolving Internet hits process finishes.
Note: This only occurs if you select the Search for Internet artifacts or Comprehensive search checkbox. If you do not select one of these options, the search thread runs simultaneously with the resolve thread.
What happens with bookmarks that point to Internet artifact records not yet resolved?
The bookmark displays basic information, such as the entry name and general location of the bookmark in that entry. When the Internet record eventually resolves, all the metadata fields are filled in and show in the Bookmark tab.
Will the list of unresolved Internet artifacts update in the Records tab?
This is not currently supported. The entire list remains in the Records tab until all the Internet artifacts are resolved. Clicking Refresh only updates the resolved list, not the unresolved list.
What does the Internet Artifacts (Unresolved) folder do and what type of information does it provide?
This folder displays a list of all the starting points for any point on the disk where an Internet parser begins to look for artifacts. It also provides general information the number of artifacts, the entries in which they reside, and the offsets into those entries where the artifacts are located.
What happens to the saved Selected and In Report settings for Internet artifact records?
Selected and In Report settings for records unrelated to Internet artifacts (for example, mounted volumes, such as email) remain unchanged and load correctly with the case. However, since the Internet artifacts do not yet actually exist, all Selected and In Report settings are updated after all the Internet artifacts are resolved (or if you cancel the thread, in which case resolved Internet artifacts show in Selected/In Report).
164
What about mounted volumes (for example, Email) that display in the Records tab? Are those delay loaded as well?
No. All mounted volumes, such as email, which result with records in the Records tab, are still loaded before the case opens. So the tree structure, Selected, and In Report settings are loaded before the case opens and are independent of Internet artifact resolution.
What happens when an EnScript runs that accesses any Internet artifacts and their related, unresolved data?
EnCase has access to whatever you can currently see in the case. This means the script can see the unresolved Internet artifacts folder and the basic information about bookmarked records. Since all that data is preliminary and eventually will be updated, resolved, or removed, we recommend you not run EnScripts that access Internet artifact records and their related data until all the data is resolved.
Remote Acquisition
Setting up the remote acquisition Examiner side: 1. Add the machine you want to acquire just as you would any other Enterprise node.
2.
Click Next.
Working with Evidence 3. After you choose the machine, select the devices you want to acquire.
165
4. 5.
Click Next. Right click the device you want to acquire, then click Acquire.
166
EnCase Enterprise Version 6.18 6. Click Next until you reach the Options dialog.
7. 8. 9.
Enter the remote acquisition information, including a valid Output Path. Click the Remote acquisition checkbox. Click Next.
Working with Evidence 10. Enter a Username and Password for the remote share.
167
168
2. 3.
Click OK. The monitor connects to the machine and displays the acquisition's progress.
169
2. 3.
Click the Share this folder radio button and enter a Share name. Click Permissions.
170
EnCase Enterprise Version 6.18 4. The Permissions for Acquisition dialog displays. These settings vary, depending on your environment.
5. 6.
Set up the permissions you want, then click OK. The shared folder looks like this:
171
Hashing
You can perform hashing before or after an acquisition, so an investigator can determine if the device should be acquired, or if the contents have changed. You must run a preview if working within the Windows version of EnCase (this is not necessary when hashing a drive using the LinEn utility).
Note: If you are hashing the device locally using Windows, a write blocking device, such as FastBloc write blocker, prevents the subject device from changing. Hashing via a crossover network cable, or locally using the LinEn utility, is useful if a write blocking device is not available.
There are two ways to hash a drive: Using LinEn Hashing the subject drive once previewed or acquired
To perform a hash using LinEn: 1. 2. 3. 4. 5. 6. 7. 8. 9. Navigate to the folder where LinEn resides and type ./linen in the console to run LinEn. The LinEn main screen displays. Select Hash. The Hash dialog displays. Select a drive, then click OK. The Start Sector dialog displays. Accept the default or enter the desired Start Sector, then click OK. The Stop Sector dialog displays. Accept the default or enter the desired Stop Sector, then click OK. The Hash Results dialog displays. If you want the hash result to be written to a file, click Yes. If the hash value is to be saved to a file, the Save Hash Value to a File dialog displays; otherwise, the LinEn main screen displays. Enter the path and filename of the file to contain the hash value, then click OK. The hash value is saved and the LinEn main screen displays.
A hash value is calculated for the selected sectors of the selected file. If desired, this hash value can be saved to a file.
172
3.
Enter the following: a. Supply a Start Sector, or accept the default, which is the first sector of the device. b. Supply a Stop Sector, or accept the default value, which is the last sector of the device.
4.
Click OK.
5.
Select one of the following output formats: Console writes the results in the console tab. Note writes the results as a note bookmark. Log Record writes the results as a log record bookmark.
6.
Click OK.
173
Source Dialog
Source is the name of the parent device containing the file or files to include in the Logical Evidence File. Files contains the number of files and the total size of the file or files to include in the Logical Evidence File. Target folder within Evidence File is the name of the folder containing the files that comprise the Logical Evidence File.
174
Include contents of files: if disabled, only the file name is known to the Logical Evidence File, and when the Logical Evidence File is opened, no data displays in the View pane. Hash Files determines whether the files comprising the Logical Evidence File are hashed. File in use is used only when Hash Files is also checked. It causes the hash to be computed when you actually read the file from the evidence, instead of using the hash that was calculated previously. Add to existing evidence file determines whether the files comprising the Logical Evidence File are added to an existing evidence file. When this control is enabled, Evidence File Path displays. Lock file when completed determines whether the Logical Evidence File is locked after creation.
Output Dialog
Use the Output dialog to specify metadata and output attributes of the Logical Evidence File.
Name contains the name of the Logical Evidence File to be created. Evidence Number contains the investigator's evidence number. File Segment Size contains the file segment size. Compression contains controls that determine the compression used when creating the Logical Evidence File. None means no compression is used when creating the Logical Evidence File. Good: good compression is used to create a Logical Evidence File that is smaller than when no compression is used, but larger than when best compression is used. Best: best compression is used to create a Logical Evidence File that is smaller than one created with good compression. Output Path contains the path and filename of the Logical evidence File.
175
Select the files and folders to be associated with the Logical Evidence File. Right click the parent object on the Entry tree, then click Create Logical Evidence File.
4.
The Source dialog of the Create Logical Evidence File wizard displays.
176
EnCase Enterprise Version 6.18 5. Accept the default settings or enter desired values, then click Next. The Outputs dialog of the Create Logical Evidence File wizard displays.
6. 7.
Enter the appropriate values, and enter or browse to the path and file name of the Logical Evidence File to be created. Click Finish. The Status dialog displays.
8.
Click OK.
Recovering Folders
The following types of folders can be recovered: Folders on FAT volumes, as described in Recovering Folders on FAT Volumes on page 177. NTFS folders, as described in Recovering NTFS Folders on page 177. UFS and EXT2/3 partitions, as described in Recovering UFS and EXT2/3 Partitions on page 178.
177
Note that in the picture, the C:\ drive device is selected in the background display.
5.
6. 7.
178
Since rebuilding the folder structure can take a long time, you can opt to have faster access to the recovered files. If the recovered MFT entries in the unallocated space are NTFS4, you can choose to: process the entries for parent/child relationships, or place all recovered entries into the Recovered Files folder immediately with no folder structure.
This dialog box shows the number of passes required to sort the entries. This number may be large, but most passes process instantly. The length of time required to process a given group depends only on the number of records within that group. This change does not affect NTFS5 recovered entries. These entries are processed quickly, as before. If you choose to process the entries for the folder structure, the progress bar indicates which pass is currently running. The recovered folder structure is placed under the virtual Recovered Files folder.
Recovering Partitions
Occasionally a device is formatted or even FDISKed in an attempt to destroy evidence. Formatting and FDISKing a hard drive does not actually delete data. Formatting deletes the structure indicating where the folders and files are on the disk. FDISK deletes a drive's partition information. EnCase can rebuild both partition information and directory and folder structure.
179
Adding Partitions
A formatted hard drive or FDISK hard drive should be acquired using normal procedures. When these evidence files are added to a case: A formatted drive displays logical volumes in EnCase, but each volume has only an Unallocated Clusters entry in the table. An FDISK hard drive does not show logical volume information. The entire drive is displayed as Unused Disk Area in the table.
To restructure these portions of the disk: 1. 2. 3. 4. 5. 6. 7. 8. 9. In the filter pane, expand EnScripts Double click Case Processor. Check the case you are working on and click Next. Enter a Bookmark Folder name and, optionally, a Folder Comment. Check the Partition Finder Module in the Modules list. Click Finish. The EnScript program runs. When the EnScript program finishes, click Bookmarks in the Tree pane. In the tree, click Set Include to show all the bookmarks the EnScript program has found. Note the partition type and size in the comment. Highlight the entry in the Table pane, then select Disk. Examples.
10. In the Disk tab, the cursor appears on the bookmarked sector. Right click and select Add Partition. The Add Partition dialog detects the sectors and partition type automatically, populating the fields. 11. Click OK to restore the partition. 12. To see the contents of the partition you just added, click Entries in the Tree pane. The new partition appears below the device the Sweep Case EnScript was run against. 13. If the drive had multiple partitions, click Bookmarks in the Tree pane, then repeat the process from step 9.
Deleting Partitions
If a partition was created at the wrong sector, you must delete the entry for that partition at the sector where it was created on the evidence file image of the hard drive. 1. 2. 3. On the Disk tab of the Table pane, navigate to the volume boot record entry, indicated by a pink block. Right click and select Delete Partition. Click Yes to confirm removal of the partition.
The row in the Table view now contains an entry for Unused Disk Space instead of the partition just deleted.
180
Restoring Evidence
EnCase allows an investigator to restore evidence files to prepared media. Restoring evidence files to media theoretically permits the investigator to boot the restored media and view the subject's computing environment without altering the original evidence. Restoring media, however, can be challenging. Read this section carefully before attempting a restore. Do not boot the subject's drive. Do not boot your forensic hard drive with the subject drive attached. There is no need to touch the original media at all. Remember, it is still evidence.
Physical Restore
Restoring a physical drive means the application will copy everything, sector-by-sector, to the prepared target drive, thereby creating an exact copy of the subject drive. The target drive should be larger than the subject hard drive. When the restore completes, it provides hash values verifying that the lab drive is an exact copy of the subject drive. If a separate, independent MD5 hash of the lab drive is run, be certain to choose to compute the hash over only the exact number of sectors included on the suspect's drive so that the MD5 hash will be accurate.
181
You cannot restore to Drive 0. If the prepared target media is Drive 0, you must add another drive to the system, as a master, to store the restored image. Restored sectors can also be verified to confirm that there is indeed a sector by sector copy of the original subject media. Sometimes the Convert Drive Geometry setting is available. This is entirely dependent on the drive geometry of the original drive in comparison to the restore drive. Every drive is defined by specific Cylinders-Heads-Sectors (CHS) drive geometry information. If the heads and sectors of the original drive imaged are identical to the target restore drive, then the drives are of the same type and the Convert Drive Geometry setting is not available. If the source and target drives are of different types (for example, the heads-sectors settings are different), then the Convert Drive Geometry is available. To restore a physical hard drive: 1. Install a sterile, unpartitioned, unformatted restoration drive to your forensic machine, using a connection other than IDE 0. EnCase cannot restore a physical drive to IDE 0. Ensure that the intended restoration drive is at least as large as (but preferably larger than) the original from which the image was taken, so that the restored data will never overwrite all sectors on the target hard drive. EnCase can wipe the remaining sectors of the target hard drive after the actual data from the evidence file is restored. Wiping remaining sectors is recommended. Look at the acquired drive in the Report pane and note the precise physical drive geometry of the forensic image you are restoring from, including cylinders, heads, and sectors. Note the acquisition hash for later comparison on the restored drive. In the Entries tree on the Tree pane, right click the physical disk you want to use as the source and select Restore.
2.
3.
4. 5. 6. 7. 8.
Select the destination drive from the list of possible destination devices, then click Next. Select the drive to restore the image to, then click Next. If it is displayed, select Convert Drive Geometry, then click Finish. To confirm the restore to the designated drive, enter Yes in Continue, then click Yes to start the physical restore. When the restore is finished, a verification message displays information such as any read or write errors and the hash values for both the evidence file and the restored drive. The hash values should match. If the hash values from the restore do not match, restore the evidence file again. It might be necessary to swap the target media for correct results. When the drive is restored, physically pull the power cord from the computer.
9.
182
EnCase Enterprise Version 6.18 10. Attach the restored drive as near to the original configuration as possible (for example, if the drive was originally on IDE channel 0 on the original computer, install it there.) This will help the computer allocate the original drive letters, providing the proper mapping for .lnk files, etc. 11. On older drives less than 8.4 GB, you may need to reboot using an EnCase Barebones Boot Diskette, and during the boot sequence set the CHS settings of the restoration drive in the CMOS to the physical drive geometry of the original drive, which you noted earlier. Setting the physical drive geometry will probably require overriding the auto-detected drive geometry. 12. Use LinEn to calculate the hash value of the restored drive, and compare it to the acquisition hash value to ensure its integrity. 13. If you want to boot the drive, use an EnCase Barebones Boot Disk with FDISK copied to it. Run FDISK /MBR. The restored disk should now be bootable. Be aware that as soon as you boot it, the underlying data is altered.
Note that differences may occur depending on whether you are restoring an NTFS or FAT32 file system, and whether the restored drive is being booted on the original hardware platform the drive was acquired from. EnCase applications restore using one of the following methods: Without FastBloc SE With FastBloc SE
Restoring without FastBloc SE, because the disk drivers for Windows 2000, XP and 2003 do not allow direct disk access, can be performed through the ASPI layer. ASPI has a problem with rounding off the last few sectors that do not fit on the last cylinder of a drive. This is the reason why all sectors are visible when the drive is read, yet when writes are attempted a small number of sectors may be missing. This is a Windows/ASPI, not EnCase, limitation. Because of this limitation, you may need to use a slightly larger drive when performing the restore. If you purchased the FastBloc SE module, you can restore to a drive that is controlled through FastBloc SE. When you restore with FastBloc SE, FastBloc SE replaces the Windows drivers and allows direct disk access, circumventing the ASPI layer and its associated problems. Because FastBloc SE can write directly to the disk, you can restore to the same size drive. Drive manufacturers also state that even though drives may appear identical, once partitioned they may not have the same capacity. If possible, drives from the same batch should be used so that both will be read with the same capacity (check the date on the drive's label). Older hard drives may have two platters, while the newer version may only have one, with the single platter drive having somewhat fewer bytes available.
Logical Restore
Media have different types depending on the CHS (Cylinders-Heads-Sectors) information. The same type might have different cylinders settings, but their heads and sectors information (the HS in CHS) are the same. If the heads-sectors information is different, then the media type differs and you should use another target restore hard drive. A logical volume must be restored to a volume of the same size or larger, and of the same type.
Working with Evidence To prepare for a logical restore, the target media should be: Wiped FDISKed Partitioned Formatted prior to restore
183
Format the target drive with the same file-type system as the volume to be restored (for example, FAT32 to FAT32, NTFS to NTFS, etc.). The procedure for restoring a logical volume is identical to that of restoring a physical device. For a logical volume: 1. 2. In Case view, right click the volume. Select Restore.
When you finish the logical restore, a confirmation message displays. You must restart the computer to allow the restored volume to be recognized. Note that the restored volume contains only the information that was inside the selected partition.
Create, but do not format, a single partition on the restoration drive. Using the Report pane, note the disk geometry of the forensic image of the drive you are restoring from, so the physical geometry is correct. Restore the forensic image of the physical drive to the restoration drive using the Restore Drive setting. To make the restored drive active in Windows, right click My Computer and select Manage Disk Management, then right click the restored drive and select Make Active. Shut down the computer and attach the restored drive as near to the original configuration as possible. This helps the computer allocate the original drive letters, making .lnk files, etc. work better. Reboot and set the CHS settings of the restoration drive in the CMOS to the physical geometry of the original drive, overriding the auto-detected geometry if necessary.
8.
184
1.
Make sure you set up an ODBC connection properly and note down the information used for that connection.
Working with Evidence 2. Run Initialize Database.EnScript. The Initialize Database dialog opens:
185
186
2.
Select the Maintenance Options tab to run basic cleaning maintenance on the database itself (including deleting database records) and fill in the various fields or check the appropriate box: No Maintenance: Use this option if you want to initialize the database (selected by default). Delete All Records: Once a database is created, select this option to delete the entire contents in the database (but not the database itself). Delete Records Older Than: You can automatically schedule cleaning the database by selecting this option. With this option selected, the following options become active and configurable: Days: Specifies the age of a record you want to delete. For example, selecting "1" means you want to delete records at least one day old. Run Maintenance Daily: This checkbox runs the cleaner every day at specified hours and minutes.
187
This is where you: Specify the nodes you want to scan Take a snapshot Choose the Role You Want to Assume text box: in the tree, select the specific role you want to use when connecting to the nodes.
Note: Be sure to select a valid Role to enable the Next button.
Click Network Tree to open a dialog where you can select nodes added to the role via SAFE. Lower text box (under Network Tree): manually enter IP addresses, hostnames, and ranges here. Valid ranges must be defined as such: IPAddress1 "-" IPAddress2 IPAddress2 must be greater than IPAddress1; that is, IPAddress1 is the lowest IP Address in the range and IPAddress2 is the highest IP Address. 2. Once you specify which nodes to scan for snapshots, you must specify which database to use.
188
EnCase Enterprise Version 6.18 3. Click Next. The Snapshot Data Source Options dialog opens:
Data Source Name: This is the name you gave the ODBC connection when you created it. Enter User Name (Not Needed If Using NT Authentication) : Specify a user name. If you set up the ODBC connection to use NT Authentication, it remembers your user name so you do not need to enter it manually. Enter Password (Not Needed If using NT Authentication) : Like your user name, you must specify a password to gain access to the database. If you set up the ODBC connection to use NT Authentication, it remembers your password so you do not need to enter it manually. DB Timeout Interval (minutes): Specify how long you want to wait before a DB timeout occurs. This indicates how long the program waits before assuming the connection is bad (the default is 5 minutes). Show Queries in Console: Check this box to produce comments on what is happening behind the scenes. 4. Click Next. If the database connection is successful, a confirmation message displays:
189
1.
Select the appropriate Snapshot Write Options button: Save All Processes takes a snapshot of each node and inserts these items into the database: Process Net users Net interfaces Open ports Save Not Approved Or Hidden Processes inserts not approved or hidden processes into the database.
2.
190
EnCase Enterprise Version 6.18 1. Run Snapshot DB Reports.EnScript. The Snapshot Database Source Options dialog opens:
Data Source Name: This is the name you gave the ODBC connection when you created it. Enter User Name (Not Needed If Using NT Authentication) : Specify a user name. If you set up the ODBC connection to use NT Authentication, it remembers your user name so you do not need to enter it manually. Enter Password (Not Needed If using NT Authentication) : Like your user name, you must specify a password to gain access to the database. If you set up the ODBC connection to use NT Authentication, it remembers your password so you do not need to enter it manually. DB Timeout Interval (minutes): Specify how long you want to wait before a DB timeout occurs. This indicates how long the program waits before assuming the connection is bad (the default is 5 minutes). Show Queries in Console: Check this box to produce comments on what is happening behind the scenes.
Working with Evidence 2. Click OK. The Snapshot DB Reports dialog opens:
191
3. 4.
Select the check box for the reports you want to generate. Click OK to begin generating the report.
Items
This list box contains information on reports already generated. If you create or add a report, that report and the options you select for it are stored in the database, enabling you to regenerate it as needed. Double click an item in the list to modify it. Right click an item to delete it. If you delete an item without selecting its checkbox, you must click OK, then click Yes on the resulting warning message.
192
Add
Click Add to create a new report definition. The Report Setup dialog opens:
In the Report Name field, specify the name of the report. In the Report Output Path field, specify the location to save the report. In Report Type, select the type of report you want to generate: Process Data Process and Port Data User Data Excel File: Select to output the report as a Microsoft Excel file. HTML Format: Select to output the report as an HTML file. Edit Condition...: Select to add a set of conditions to report on.
Modify
Select an item in the list, making sure the checkbox is cleared, then click Modify. The Edit Report dialog opens:
Working with Evidence Make the modifications you want, then click OK. The modifications are saved to the database.
193
194
WinEn
WinEn is a standalone command line utility that captures physical memory on a live computer running a Windows operating system (Win2k or higher). The physical memory image captured by WinEn is placed in a standard evidence file, along with user-supplied options and information. WinEn runs from a command prompt on the computer where you want to capture the memory. WinEn has a very small footprint in memory, and it is typically run from a removable device such as a thumb drive. Although this method makes minor changes to the computer running WinEn, this is the most effective way to capture physical memory before shutting down a computer. As always, it is recommended that examiners document and explain their procedures for later reference.
Running WinEn
To run WinEn, open a command prompt on the target computer. The user logged on must have local administrator privileges on the computer, and you must start the command prompt with that privilege level. Once you open a command prompt, run WinEn using the syntax below. It is recommended that you compress the evidence file that is created and save it to removable media so that no additional changes are made to the target computer. There are three ways to supply necessary information to WinEn when running from the command line: Command line options Configuration file Prompt for value
195
-c <CaseNumber>*
-r <EvidenceNumber>* -s <MaxFileSize>
-g <Granularity>
-b <BlockSize>
-t -a <AlternatePath>
-h
* = Required field
196
Configuration File
You can create a configuration file to fill in some or all of the variables. The configuration file needs to be in the format OptionName=Value, and can be used in conjunction with command line options. All of these options have the same restrictions as their command line counterparts.
Note that options entered on the command line override the same option in the configuration file. This way, users can override a specific setting in the configuration file by entering the appropriate information on the command line.
CaseNumber*
EvidenceNumber* MaxFileSize
Granularity BlockSize
Hash
AlternatePath
Notes
* = Required field
197
Error Handling
The program checks all values entered to make sure they conform to expectations. Any deviation causes the program to exit or prompt for a correct value.
198
Wipe Drive
Warning! This procedure completely erases media and overwrites its contents with a hexadecimal character. Invoke Wipe Drive with extreme care. Execute the Wipe Drive utility to remove all traces of any evidence files from a storage drive. 1. Click the Wipe Drive option on the Tools menu. The drive selector displays.
2.
Make initial selections, then click Next. The Choose Devices dialog displays.
199
3.
Choose the device targeted for erasure, then click Next. An options dialog displays. The Verify wiped sectors box is checked by default and the Wipe character is hex 00. If the box is checked, the Wipe Drive program reads each sector and verifies that the wipe character is written throughout. You can enter any hex value in the Wipe character field.
4.
200
5. 6.
Enter "Yes" in the Continue box, then click OK. The drive is completely erased and overwritten with the specified hex string. Wipe Drive displays information about the disk and the operation.
CHAPTER 7
Source Processor
In This Chapter
Overview Collection Jobs Modules Analysis Jobs Reports Managing EnCase Portable
202
Overview
Source Processor automates and streamlines common investigative tasks that collect, analyze, and report on evidence. Using the EnCase forensic platform, Source Processor analyzes different types of information in cases, evidence files and local machines. Source Processor uses the following modules to identify the information you want to gather. They can be configured for your specific needs. The Acquisition module acquires drives and memory from a target machine. The Snapshot module collects a snapshot of pertinent machine information. Captured information includes running processes, open ports, logged on users, device drives, Windows services, and network interfaces. The Personal Information module collects information containing personal information. This module searches all document, database, and internet files and identifies Visa, MasterCard, American Express, and Discover card numbers, as well as Social Security numbers. The Internet Artifacts module collects a history of visited Web sites, user cache, bookmarks, cookies, and downloaded files. The File Processor module provides a way to review and collect specific types of files. From within the File Processor module, you can elect to find data using keywords or hash sets, or find picture data. You can also configure your own collection sets using an entry conditions dialog. When used with EnCase Portable, you can triage information as it is being collected. You can then decide what files, if any, to collect. The Linux Syslog Parser module collects and parses Linux system log files and their system messages. The Windows Event Log Parser module collects information pertaining to Windows events logged into system logs, including application, system, and security logs. The WTMP/UTMP Log Parser module parses the Unix systems' WTMP and UTMP files, which record all login activities.
Source Processor works using collection and analysis jobs. A job in Source Processor consists of a group of settings for collecting or analyzing specific information. Once a job is created, you can modify or copy it to create other jobs. After a collection job is completed, you can use analysis jobs to review those collection results and generate reports that capture all or selected parts of the analysis information. Source Processor also works with EnCase Portable, the standalone product that enables you to collect data in the lab and in the field using USB thumb drives. Collection jobs are created in Source Processor and exported to EnCase Portable. Some EnCase Portable jobs can be configured to triage the information as it comes in, so you can choose exactly what information you want to collect. Once EnCase Portable collects the evidence, it in turn is imported back into Source Processor for analysis and reporting on the results. For more information, see Managing EnCase Portable on page 244 and the EnCase Portable User's Guide.
Source Processor
203
Case Name: The name of the currently selected case. Examiner Name: The name of the examiner on the currently selected case. Evidence Path: The location where Source Processor stores the summarized analysis data and the evidence files after a collection. You may want to change the default evidence path to a case specific folder. This field is required. You can add and delete fields, change this information, and modify the behavior of this dialog using the Source Processor Options tab. See Setting Case Options on page 204.
204
EnCase Enterprise Version 6.18 5. Click OK. The main Source Processor screen displays.
Source Processor To modify the values or the behavior of the fields in the Case Options dialog: 1. From the main Source Processor dialog, click the Options tab.
205
2.
Change or add options in the Case Options area: Click Edit to modify a selected field. The Edit box displays, populated with the current values. Change the values as desired, and click OK to save. Click New to add a new text field to the Case Options dialog. The following dialog displays.
When checked, Required forces the user to enter a value in this field before running a collection job. Name sets the name that is displayed for the field. Specifying a Value provides a default value that prepopulates the field. You can override that value, if required. Enter the desired information and click OK to save the values. The dialog closes.
206
EnCase Enterprise Version 6.18 Click Delete to remove a selected field. Click Saved to select a field from the Case Options in other cases. When this button is clicked, Source Processor opens a dialog that shows all the optional fields in other cases. Select the desired field(s) and click OK to add to your current case.
Specify your Evidence Path. This path determines where Source Processor stores the files generated during a collection. These files include both the summarized analysis data and the evidence files. Make sure the default evidence path is specific for your current case. This field is required. 3. Click Close. Your changes are automatically saved.
Source Processor
207
EnCase Portable NAS settings are configured on the Source Processor Options tab. These options do not override the EnCase NAS settings that are set in global options. After these configuration settings are entered, select the Use Network Authentication Security (NAS) checkbox on the Export Jobs dialog to run EnCase Portable using NAS. 1. From the main Source Processor dialog, click the Options tab.
2.
Enter configuration options in the Portable NAS Options area: User Key Path specifies the location of the NAS key file. Server Key Path specifies the location of the SAFE public key file. Server Address is the name or IP address of the Network Authentication Server. If you are using a port other than 4445, provide the port with the address (for example, 192.168.1.34:5656).
208
EnCase Enterprise Version 6.18 3. When exporting jobs to the EnCase Portable device, check the Use Network Authentication Server (NAS) checkbox to have the EnCase Portable device use the NAS license rather than the security key.
The prepared USB device can now run EnCase Portable. Simply start EnCase Portable in the same way as when you have a security key.
Collection Jobs
A job in Source Processor consists of a group of settings for collecting or analyzing specific information. Once a job is created, you can modify or copy it to create other jobs. A collection job uses modules to define specific information to be collected from a target. Modules are preconfigured to look for certain kinds of data, such as information found in memory, certain types of files, and so on. You can configure the information collected by each module by selecting a specific set of options for each module. Creating a collection job follows these steps: Name the collection job Select modules Set module options Set target options
When you run a collection job, specify the collection job and what you want to target. (See Running a Collection Job on page 213). Targets can be Cases Evidence files Local machines
Source Processor
209
210
EnCase Enterprise Version 6.18 2. Click New. The Create Collection Job dialog displays.
3.
Rename or accept the default name. The default job name is Job__[yyyy_mm_dd__hh_mm_ss]. Example: Job___2009_06_24__03_42_42_PM A job name cannot contain spaces at the beginning or end of the name, or any of the following characters: \ / : * ? " < > |
4.
Click Next to open the Module Selection dialog. This dialog shows module groupings in the left pane and single modules within those groups in the right pane.
5.
To select a module, blue check the module's checkbox. You may select more than one module. To select all the modules in a group, blue check that group's folder name in the left pane. If a module has the ability to display results as they are being scanned, a dot appears in the Triage Enabled column beside the module's name.
Source Processor 6. Most modules have their own specific set of options that should be configured before continuing. Open the module options by double clicking the module name. See Modules on page 217 for a list of all modules and their options. 7. Click Next to open the Target Options dialog.
211
The Compound File Options area provides options for whether compound file types selected in the File Types box are mounted (unpacked) and scanned. If any option other than the first option is selected, you can select how to detect which files to mount and select the specific file types to process: Do not mount does not perform any unpacking of compound files, so the files are processed without unpacking any of the internal content. Mount - detect extension causes files with a matching extension to be mounted and processed. No signature verification is conducted. Mount - detect signature results in a signature analysis being run on all files to determine if they are a compound file of interest. Files with the correct signature are then mounted and processed. If you choose to mount files, you are given further options: Mount persistently keeps the compound files mounted after the job is run. This is only relevant for case targets and does not apply to EnCase Portable. Mount recursively mounts any compound files found inside a compound file. The File Types checkboxes let you select which of the supported compound file types you want to process. 8. Click Finish to create the job.
212
2.
3. 4.
Enter a new name for the job and click OK. All the settings from the first job are transferred to the new job. Edit the new job to modify its settings.
Source Processor
213
2.
The tabs reflect the previously selected settings. Modify the name, module selections, module options, and target options as desired and click OK.
214
EnCase Enterprise Version 6.18 2. Click Run Collection. The Run Collection Job dialog displays.
3.
Compile a list of targets for your collection job. To target a case, select the case from the list of open cases. Source Processor views cases as a repository of devices. In this context, a device can include items such as an evidence file, a previewed drive (either the local machine or a remote node), one or more files, or RAM. Targeted cases can contain devices having live connections. Only those logical or physical drives that have been mounted in the case are processed. To target the local machine, blue check Scan Local Machine. To target an evidence file (.E01) or logical evidence file (.L01), click Add Evidence Files. The Evidence File Path dialog displays.
Source Processor Select an evidence file you want to target for this collection and click Open. The Target Selection dialog updates and automatically selects the evidence file for processing.
215
If you are running a job that has run before, you are given the option of overwriting the previous data. Don't Overwrite prevents collecting from a target that has already had a collection performed, preserving the existing data for this job. Overwrite writes over the previous set of collection and evidence files, if that collection job has been already performed. If you are re-running a job or if you redefine a job and run it again, the Append option is available. When selected, this option preserves the existing content and adds the evidence from the remainder of the job. For case targets only, checking Selected entries only means that only blue checked entries in the case are processed. 4. 5. Click Next. If Source Processor detects that an evidence file is encrypted, the following dialog displays.
If the evidence file needs credentials to be decrypted, click the link in the Valid Credential column to open the correct credential dialog for that encryption protocol. For example, if the device is encrypted using PGP, clicking on the hyperlink displays the following dialog.
216
Fill out the credentials in the dialog to unlock the encrypted volume. If you do not enter the correct credentials, or if the encryption protocol is not recognized, then this evidence file is skipped. If a volume (for example a C: or D: drive) is encrypted, a subsequent dialog displays when you click the Credential Setup link. For example, clicking Invalid Credential in the screenshot above displays the following Volume Encryption dialog.
6.
The case options dialog displays and prompts you to accept or change the case information. These values become part of the case information and appear on reports.
217
8.
Click Finish. The Run Job status dialog displays and updates periodically with current information on the collection for each target.
218
Modules
Source Processor uses modules to collect information about files and machines in specific ways. Most of these modules contain options that you can configure for your specific needs. To set module options, double click the module name. Most modules are collection modules that work with Source Processor or EnCase Portable to gather and collect information into an evidence (.E01) or logical evidence (.L01) file. The File Processor module also provides you with the option to review your information as it is being scanned on a target machine. This ability to triage your data in real time only works in conjunction with EnCase Portable. See File Processor on page 222.
Acquisition
The Acquisition module creates forensic images of drives and memory from a target machine.
Note: When using this module, make sure that you have enough storage available to hold the evidence files that are created.
Acquire
Logical Devices acquires all logical devices (lettered drives, like C:). Physical Devices acquires all physical devices (numbered devices, like 0, 1, etc.). Removable Drives acquires all removable drives. A drive is identified as removable by the operating system. Memory acquires an image of machine memory (RAM). Prompt at Collection Time shows a list of all devices (logical, physical, and memory) when the job is run. Select any combination of those devices for acquisition.
Note: if you want to automatically acquire more than one type of device, you should create separate jobs for each operation. Because EnCase runs in memory, Guidance Software suggests you capture memory first.
Source Processor
219
Evidence File
File Segment Size (MB) specifies file segment size of the evidence files being acquired. Use this to control the size of evidence files. Block Size (Sectors) determines the block size of the contents where CRC values are computed. The minimum value is 64 sectors. Error Granularity (Sectors) determines how much of the block is zeroed out if an error is encountered. The error granularity is at the most the same value as Block size.
Compression
None does not compress the evidence files. Good provides some compression in size. Best provides the maximum amount of compression. This option may take longer than the other compression options.
Calculate Hashes
Acquisition MD5 calculates the MD5 file hash of the acquired files. Acquisition SHA1 calculates the SHA-1 file hash of the acquired files.
Checking Verify acquisition causes the job to verify the hash values of the acquired evidence files. This adds time to the running of the job.
220
When done, both the original and the verification hash values are shown in the analysis tables and on the reports.
Snapshot
The Snapshot module collects a snapshot of a machine at a given time, including the running processes, open ports, network cards, logon information, open files, and user information.
Note: The Snapshot module does not work with EnCase Portable when EnCase Portable is used to boot a computer, as there are no running processes to collect.
The following options can be set in this module: Hash Processes calculates hash values for the executable files that were run to create the currently running processes. Get Hidden Processes identifies processes that have been hidden from the operating system. Get DLLs retrieves and collects a list of currently loaded DLLs.
Source Processor
221
Mark Logged on User finds and marks which of the identified users are currently logged on. Detect Spoofed MAC detects if the MAC address for any of the Network Interfaces is being set to a value other than the default value.
Personal Information
The Personal Information module collects information about files containing personal information. By default, this module searches all document, database, and internet files and identifies files containing the types of personal information listed below. Files are identified but the information and the file itself are not collected. Reports show which files have personal information content, and what type of content that is. This prevents potential abuse of this kind of data. When used with EnCase Portable, the Personal Information module provides you with the ability to triage the scanned data as it is being gathered and either stop a job as soon as you find the information you are seeking, or cancel a job that does not look like it will prove useful.
Credit Cards
These options enable you to select which major credit card numbers are identified. All detected numbers are subjected to validation to prevent random16-digit numbers from being identified. Credit card number validation is performed using Luhn or Modulus/Mod 10 algorithm. Both card numbers with separators (1234-5678-9012) and without separators (123456789012) are identified.
Phone Numbers
These options find information containing U.S. and Canadian formatted phone numbers, with and without separators. You can select whether to search for numbers with and without area codes.
Miscellaneous
Email addresses identifies email addresses. Social security numbers finds U.S. social security numbers, with or without separators.
Note: For more information, including the GREP expressions used, please refer to the FAQs chapter of the EnCase Portable User's Guide.
222
Results
There are two ways to handle the output results of your processing: Generate Report finds everything that is responsive and creates a report that provides statistics for the personal information that was found. The personal information itself is not reproduced in the report. You can select this option for either Source Processor or EnCase Portable collections. Triage (Portable only) enables you to review the evidence as it is being collected. When used in EnCase Portable, this allows you to triage the information as it is being gathered. You can then review your information in real time, specifically select the information you want to examine further, and save that information as a logical evidence file (LEF). See the EnCase Portable User's Guide for more information. Prompt when run (Portable only) prompts you, each time the job is run in EnCase Portable, to select whether to generate a report or triage the job. If the job is run in Source Processor, the prompt does not appear and a report is generated by default.
Entry Condition
Use the entry condition to specify or modify which conditions are used to search for the personal information selected. By default, the entry condition is set to only search files that match the document, database, or internet file category.
Internet Artifacts
The Internet Artifacts module captures a variety of Internet usage information. There are no configurable options for this module. Selecting the module captures the following information: History collects the user's browsing history. Cache collects cached information, such as the most recently requested Web pages. Cookies collects stored cookie data. Bookmarks collects the user's bookmarks or favorite URLs. Downloads collects the data the user has downloaded from the Internet.
Source Processor
223
File Processor
The File Processor module is a multipurpose module that enables you to select from four types of file processing, then choose how you want to handle the final results. In addition to collecting gathered information, when used with EnCase Portable, the File Processor module also provides you with the unique option to view evidence as it is being collected and either stop a job as soon as you find the information you are seeking, or cancel a job that does not look like it will prove useful.
The four types of file processing available in the File Processor module are: Metadata processing enables you to specify the types of files you are searching for, using a set of entry conditions. Keyword finder provides a way to find information based on a list of entered keywords, and also lets you refine the search with an entry condition. This option allows GREP expressions, whole word, and case sensitive searching. Hash finder searches for files by comparing their hash values to hash values found in either a new or pre-existing hash set. This option allows you to create a new hash set or use a preexisting set, and also lets you refine the search with an entry condition. Picture finder searches for files identified with a file category of 'picture.' This option lets you limit the number of files that are returned, and limit the minimum size of the pictures. In addition, you can add entry conditions to further refine your search.
There are two ways to handle the results of your processing: Collect all responsive collects everything that is responsive and creates an evidence file for further analysis. When you select this option, jobs that include this module automatically complete the collection and save it as an evidence file. You can select this option for either Source Processor or EnCase Portable collections. Triage (Portable only) enables you to review the evidence as it is being collected. When used in EnCase Portable, this allows you to triage the information as it is being gathered. You can then review your information in real time, specifically select the information you want to examine further, and save that information as a logical evidence file (LEF). See the EnCase Portable User's Guide for more information.
224
To configure the File Processor module, select one of the processing types, and choose one of the ways to handle the results. Click Next to display the options screen for the processing type you have selected.
Metadata
The metadata processing option in the File Processor module enables you to collect specific types of files using entry conditions. For example, you can collect all types of images (.jpg, .png, .bmp, etc.) and documents (.doc, .xls, .pdf, etc). Create your set of entry conditions in the same way as you would in EnCase. By altering these conditions, you can specify exactly which files your job collects.
Keyword Finder
The Keyword Finder processing option in the File Processor module lets you create a list of keywords for searching documents on a target machine.
Note: This module searches the transcript of files supported by the Outside In viewer technology. This differs from the keyword searching in EnCase in that this method locates keyword hits inside of files (such as .docx or .xlsx files) that would not be found by a raw search of the file.
Source Processor After clicking Next in the File Processor module, the Keyword Finder options dialog displays:
225
Adding a List of Keywords To compile a list of keywords, click Add Keyword List. The Add Keyword List dialog displays.
1. Add the keywords you want to use. 2. If the keywords should be considered as GREP expressions, or searched for with case sensitivity or as whole words, select the appropriate checkbox. 3. Click OK.
226
Importing Keywords To import a list of keywords that has been exported from EnCase, click Import. The Import Keywords dialog displays.
Browse to the keywords file location, select a file, and click OK. Editing Keywords If you want to edit a keyword in the Keyword Finder, select it in the options dialog and click Edit. The Edit Keywords dialog displays:
1. Add the common name you wish to associate with the keyword expression, if any. 2. Change your keyword options as desired. 3. Click OK. Exporting Keywords To export the list of keywords you have compiled, click Export on the Keyword Finder dialog. The Export Keywords dialog displays.
Enter the new filename and click OK. The export file can be used in EnCase or Source Processor.
227
To specify which files are processed by the Keyword Finder, click Entry Condition in the Keyword Finder options dialog to open a conditions dialog. By default, the entry condition restricts processing to files where the category matches 'Document.'
Hash Finder
The Hash Finder processing option in the File Processor module lets you search for files with a particular hash value on the target machine. Hash values are stored in hash sets that can be identified by a name and category. Hash sets can be added to the module from the following sources: A hash set created from a folder When created this way, you can assign a name and category to assign to the set A hash set available in EnCase Existing .hash files have a category if one was specified The name of the hash set is the name of the .hash file When the Hash Finder option is used in a job, the hash sets are kept in their original location and also copied to the EnCase Portable USB device.
228
After clicking Next in the File Processor module, the Hash Finder options dialog displays:
The hash sets displayed, if any, are taken from the Hash Sets folder in the current EnCase installation. You can select from an existing hash set in this list, or create a new set. Creating a Hash Set To compile a hash set, click Create Hash Set. The Create Hash Sets from Folder dialog displays.
Enter or browse to the folder containing the files you want to create a hash set from. The Hash Set Name is automatically populated using the name of the folder. You can change its name if you want. If desired, enter a category for this hash set. Click OK. Source Processor creates a .hash file from the files in the selected folder, saves it to the EnCase Hash Sets folder, and adds it to the Hash Finder options list. Customization To further specify your results, click Entry Condition to open up a conditions dialog. When done setting your options, click Finish.
Source Processor
229
Picture Finder
Use the Picture Finder processing option in the File Processor module to search for pictures on a target machine. This module returns files that match the file category of 'picture' in EnCase. After clicking Next in the File Processor module, the Picture Finder options dialog displays:
To limit the number of pictures returned, clear the Display All Pictures checkbox and adjust the number in the Limit Number of Pictures option. The default is set to gather all pictures above 10KB in size. If you want to change the minimum size of the picture files returned, adjust the Minimum Size of Pictures option. You can select whether to find pictures only by extension or by using the file signature. By extension finds all files by category, as determined by the file extension (for example, jpg, bmp, or png). When By file signature is selected, EnCase Portable checks the file signature of the entry to see if it is a picture. This enables the collection of images that have been renamed with a different extension. If Prompt at collection time is selected, a dialog displays when you are running the job, giving you the choice to search by file extension or by file signature. When done setting your options, click Finish. Customization To specify which files are processed by the Picture Finder, click Entry Condition in the Picture Finder options dialog to open up a conditions dialog. The Picture Finder module only returns files that match the file category of 'picture' in EnCase. Although additional options can be specified in the entry condition, this particular parameter cannot be modified.
230
Use Entry Condition to create a condition that restricts which Linux Syslog files are processed. Use Module Condition to specify syslog conditions that can filter by host name, process, message, and so on.
Source Processor
231
File detection determines how the module detects authentic event files. By default, file detection is performed by looking for event files with a proper extension, then verifying their signature to prevent processing incorrect files. When checked, Process all files by signature causes the module to determine event files based only by their file signature. Check this box if you think you may be dealing with event file logs that contain an incorrect extension.
Select from one of the three parsing options to direct where to look for the event files. You can select to parse event logs either from pre-Vista event files (EVT), post-Vista event files (EVTX), or both types of files in any location on the target. Conditions restrict which files to look at and what entries to parse. Entry condition lets you filter which files are processed based on their entry properties. EVT condition restricts individual events on properties parsed from an EVT file (Event ID, Event Type, Source, etc.) EVTX condition restricts individual events on properties parsed from an EVTX file (Event ID, Process ID, Thread ID, etc.)
To enable a condition, select the checkbox next to the condition type. Clicking Edit next to the name enables you to modify the condition.
File detection determines how the module detects authentic event files. By default, file detection is performed by looking for event files with a proper extension, then verifying their signature to prevent processing incorrect files. When checked, Process all files by signature causes the module to determine event files based only by their file signature. Check this box if you think you may be dealing with event file logs that contain an incorrect extension.
Conditions restrict which files to look at and what entries to parse. Entry condition restricts which log files are processed. Log event condition determines which entries from the processed log files are examined. If a condition is applied, only those log entries that meet the condition are collected.
To enable an entry condition, select the checkbox next to the name. Click Edit next to the checkboxes to modify the conditions that determine which files are processed.
232
Analysis Jobs
Analysis jobs use modules to view and report information that has been collected from targets. The Collected Data tab shows you everything that has been collected by Source Processor. Organized by job and then by target, the evidence shown is the evidence located in the evidence path specified in Source Processor.
The basic steps for running an analysis on a job are: Creating the analysis job. You can also use the default analysis job that will analyze all modules within a collection job. Selecting the jobs or evidence files you want to analyze. Choosing and running an analysis job against the selected collection jobs. Using the data viewer to view and report data. Creating a report.
Source Processor
233
2.
The default job name is Job__[yyyy_mm_dd__hh_mm_ss]. For example: Job___2009_06_24__03_42_42_PM A job name cannot contain spaces at the beginning or end of the name, or any of the following characters: \ / : * ? " < > |
234
EnCase Enterprise Version 6.18 3. Enter a job name and click Next. The Create Analysis Job/Module Selection dialog displays.
This dialog shows module folders in the left pane and single modules within those folders in the right pane. If a module is included in an analysis job, but there is no data for that module when that job is run against a collection, that module is ignored. This is so that you can create generic analysis jobs for a variety of collected data sets. For more information about each specific module, see Modules on page 217. 4. Blue check the module's checkbox. You may select more than one module. Analysis modules do not have user configurable settings. To select all the modules in a group, blue check that group's folder name in the left pane. 5. When done, click Finish.
Note: Analysis jobs may list available modules not listed in collection jobs. These modules are identified as legacy modules so you can analyze data that was collected in previous versions of Source Processor using modules that no longer exist.
Source Processor
235
2.
3.
Select the analysis job you want, then click Run. Source Processor runs analysis on the selected evidence. When analysis is complete, the data browser displays.
236
Clicking a hyperlinked analysis module takes you to the top level table for that module. For example, if you click Internet Artifacts, a list of domains visited displays:
Clicking on any blue hyperlink within the table opens up a new table displaying further layers of information.
Source Processor For example, if you click a link in the Machines column of the Domain Visits table, you see a list of machines that visited that domain.
237
To drill down further, clicking a Machine Name displays a table of URLs visited from that machine.
The navigation trail at the top of the page shows the hierarchy of tables leading to the one you are currently viewing. Click any part of the trail to navigate back to a previous table. The presence of a constraint, detailed at the bottom of the screen, shows any constraints that have been applied to the displayed information (see Adding Constraints to Analysis Data on page 239).
Displaying Targets
Clicking Target List in the Job Summary page displays a table of targets on which this analysis has been performed.
238
EnCase Enterprise Version 6.18 Add Machine Info includes sub-tables containing specific machine data to the report.
Clicking on a target name displays more details about that target and collection.
Toolbar
The toolbar at the top of each page contains the following functions:
Back returns to the previous page. Forward moves forward one page (if Back has been used previously). History opens your navigation history. Add Selected To Report adds selected rows on the current page to the Report Builder. Report Builder opens the Report Builder, which holds the tables that have been accumulated. From here you can generate a physical report and add the tables as bookmarks to the current case for generating future reports (see Building Reports on page 241). Constraint changes the restrictions applied to this table. Remove Constraint clears the restrictions (see Adding Constraints to Analysis Data on page 239).
Source Processor 2. Click the Target list link. A table of targets on which this analysis has been performed displays.
239
3.
Select the targets you want to add to the report, then click Add Machine Info. For all selected targets, sub-tables containing relevant machine information are automatically chosen and added directly into the report builder.
3.
Enter the information you wish to see in the table in the appropriate text box. For example, if you only want to see filenames that contain the word Cat, enter Cat in the Filename text box. Only one value can be entered in each text box. For example, if you enter Cat and Dog, hoping to show information that contains both the words Cat and Dog, Source Processor takes the value literally and shows you information that contains the entire phrase Cat and Dog.
240
EnCase Enterprise Version 6.18 If you enter values in multiple text boxes, Source Processor shows you only the information that contains all specified values. All non-string fields (such as IP addresses, numbers, hashes, or dates) look for exact matches. For example, if you enter 80 for the local port, Source Processor looks only for port 80; port 8080 would not match the filter and would not be displayed. 4. Click OK. The table is displayed according to the restrictions you entered. The current criteria are shown in the bottom left status area of the data browser.
Note: To remove the restrictions, click Remove Constraint in the data browser toolbar.
2. 3.
Edit the job name and open the Module Selection tab to select new modules for this job, as desired. When done, click OK.
2.
Source Processor 3. Select the new job and click Edit to modify the existing module selection as desired. You may select more than one module. Analysis modules do not have user configurable settings.
241
To select all the modules in a group, blue check that group's folder name in the left pane. 4. When done, click Finish.
Reports
Source Processor stores the most recent analysis in memory in a report, so you can view it multiple times without running the analysis again. These results only stay active during the current session of Source Processor. To view analysis results, click View Report on the Collected Data tab.
Building Reports
Reports show your analysis results, organized in tables. To compile a report with selected data, you must add that data and assign a name to the table that is going to hold the selected data. Selected items may be added to a report multiple times. The data compiled in the Report Builder is only available to you as long as you have the data browser open. To preserve your information, you can print or export it. To build a report: 1. 2. In the data browser, select the data you want to add to a report. Click Add Selected to Report. The Set Table Title dialog displays.
3. 4.
Enter the name for this table in the report and click OK. Repeat steps 1 through 3 for every table of data you want to add to the report.
242
EnCase Enterprise Version 6.18 5. To create a report click Report Builder. The Report Builder displays, showing the tables you have created, their path, and any constraints.
To change the title of an existing table in the report, double click the row. The Set Table Title dialog displays. Enter a title or edit the current title, then click OK. To change the order of the sections, drag and drop the rows to the appropriate position in the list. Click Add to Bookmarks to add the selected tables to the current case in EnCase as bookmarks. The bookmarks display after you close Source Processor. Click Page Breaks to insert a page break after each table in the report. Click Page Breaks again to disable page breaks. If the menu button appears with a check mark, page breaks are currently being inserted. 6. To generate the report, click View Report. The Set Report Name dialog displays.
243
Selecting Printer displays a print dialog showing your specific printers. Selecting PDF file causes the path field to become enabled. Type or browse to the path into which you want to save the PDF file. Select Open file to open the file after saving.
244
Select your preferred output format and path to save the exported file to. Select Open file to open the file after saving. Select Burn to Disc to create a CD or DVD with the appropriate files and save it in the destination folder. See Exporting a Report in the Reporting chapter. 2. When done, click OK to export the report.
Source Processor Import the evidence you have collected back into Source Processor Analyze and report on the collected data using Source Processor
245
246
EnCase Enterprise Version 6.18 4. Select one or more EnCase Portable devices for the exported jobs, and click Export Jobs. The Export Jobs dialog displays.
5.
Select the jobs to export to the bootable security key. Check the Use Arial Unicode font checkbox to change the default display font. This may be required to correctly display such languages as Arabic, Korean, and Chinese in your EnCase Portable jobs. Do not select this option if you are only using Western European languages. Check the Use Network Authentication Server (NAS) checkbox if you want EnCase Portable to use NAS for licensing instead of the security key. See Licensing through NAS on page 206.
6.
Click Export. Any existing jobs on the bootable security key are deleted when jobs are exported. Any jobs you selected and any other necessary files (such as hash sets) are copied to the bootable security key. Additional required fields are also updated. The export status displays in the Status window.
7.
8.
Source Processor
247
4.
Select one or more devices and click Import Jobs. The Import Jobs From EnCase Portable Devices dialog displays.
5. 6. 7.
In the left pane, select the drive letter that corresponds to your bootable security key. In the right pane, blue check the jobs that you want to import. Repeat steps 5 and 6 for all bootable security keys that you want to import from.
248
EnCase Enterprise Version 6.18 8. 9. Click Import Jobs. If a job with the same name already exists on your system, a confirmation dialog will appear. Select the appropriate option. The status of the import displays on the screen. When all selected jobs have been imported, click Finished. The imported jobs display in the Collection Jobs tab in Source Processor.
To import data from EnCase Portable into Source Processor: 1. From Source Processor, open the Collection Jobs or the Collected Data tab.
Source Processor 2. Click Manage EnCase Portable Devices. The Manage EnCase Portable Devices dialog displays, showing all EnCase Portable devices currently plugged in.
249
3. 4.
Select one or more USB storage devices you want to import the evidence from, and click Import Evidence. You are prompted to choose whether to delete files on import. Click Yes to delete evidence on the storage device after it has been imported into Source Processor. Click No to continue without deleting evidence on the storage device.
5.
Review the status of the import in the Status window. The evidence is saved in the evidence folder you have specified in Source Processor.
When done, run an analysis job against the evidence you have collected to view the data.
250
2.
Click Manage EnCase Portable Devices. The Manage EnCase Portable Devices dialog displays.
3.
Source Processor 4.
251
Click Preview. Source Processor performs a full analysis of all collected evidence files on the selected devices and creates a report showing the combined results. No information is copied or imported during this process. You can browse the previewed data and create a report if desired. If you want to import the evidence after previewing it, click Import Evidence on the Manage Portable Devices dialog.
5. 6.
CHAPTER 8
254
Signature Analysis
There are thousands of file types, some of them are standardized. The International Standards Organization (ISO) and the International Telecommunications Union - Telecommunication Standardization Sector (ITU-T) are working to standardize different types of electronic data. Typical graphic file formats such as JPEG (Joint Photographic Experts Group) have been standardized by both organizations. When a file type is standardized, a signature or recognizable header usually precedes the data. File headers are associated with specific file extensions. Signature analysis compares file headers with file extensions.
File Signatures
File extensions are the characters (usually three) following the dot in a file name (for example, signature.doc). They reveal the file's data type. For example, a .txt extension denotes a text file, while .doc connotes a document file. The file headers of each unique file type contain identifying information called a signature. All matching file types have the same header. For example, .BMP graphic files have BM8 as a signature. A technique often used to hide data is to attempt to disguise the true nature of the file by renaming it and changing its extension. Because a .jpg image file assigned a .dll extension is not usually recognized as a picture, comparing a files signature, which doesn't change, with its extension identifies file s that were deliberately changed. For example, a file with a .dll extension and a .jpg signature should pique an investigator's interest.
Note: The software performs the signature analysis function in the background.
255
The Vista operating environment uses shadow directories, and EnCase software's ability to suffix a file signature takes these directories into account. Extension suffixes are created by adding an underscore and asterisk to the end of the extension. The figure shows such a TrueType extension and suffix (ttf_*).
To view the table: 1. Select View > File Signatures from the menu bar. A directory of file categories displays.
256
EnCase Enterprise Version 6.18 2. Select a folder from the Tree pane. A list of the file signatures in the case displays in the Table pane.
The columns in the File Signature display are: Name displays the file name associated with the signature. Search Expression displays the string or GREP expression used to locate the file signature. GREP is true if the search term is defined as a GREP expression. Case Sensitive indicates whether the search term is case sensitive. Extensions lists the three-letter file extensions. You can add new or edit existing signatures.
Analyzing and Searching Files The New File Signature dialog displays:
257
3. 4. 5. 6.
Select the Search Expression tab (the default display) and enter the search expression in the Search Expression field. Give the file signature a descriptive name. Select Case Sensitive if appropriate. Click the Extensions tab and enter the file's three letter extension. You can enter more than one file extension by separating them with a semicolon.
7. 8. 9.
Add the suffix _* to the file extension to include it in Vista Shadow Directories. It looks like this: <extension>_* Click OK. The file signature is added to the table.
Editing a Signature
Use this procedure to edit an existing file signature. 1. 2. Click View File Signatures.
The file signature category list displays in the Tree pane. When you select a category, its signature contents display in the Table pane.
258
EnCase Enterprise Version 6.18 3. 4. Right click a signature from the Table pane and select Edit. An Edit selected signature name dialog displays.
5.
Change the Search Expression and other fields as desired, then click OK.
259
Check the Verify file signatures box in the Additional Options area in the lower right, then click Start. The signature analysis routine runs in the background. On completion, a search complete dialog displays. The dialog presents search status, times, and file data.
At this level, Set Include selects everything in the evidence file. 1. 2. Organize the columns in the Table pane so that the Name, File Ext, and Signature columns are next to each other. Sort columns with Signature at first level, File Ext at second level and Name at third level.
260
2.
A list of case files and their associated file signature and other data displays in the Table pane.
3.
Sort the data if desired. In this case, the red triangle in the Name column indicates the display is sorted alphabetically by name.
Match in the Legend column indicates data in the file header, extension and File Signature table all match.
261
Alias means the header is in the File Signature table but the file extension is incorrect, for example, a JPG file with a .ttf extension. This indicates a file with a renamed extension. The name in the Legend column below (next to the asterisk) displays the type of file indentified by the file signature.
Note: An alias is preceded by an asterisk, such as *AOL ART.
Unknown means neither the header nor the file extension is in the File Signature table. !Bad Signature means the file's extension has a header signature listed in the File Signature table, but the file header found in the case does not match the File Signature table for that extension. The table shows possible results of a signature analysis.
Our message board at https://support.guidancesoftware.com/forum/forumdisplay.php?f=11 provides additional information about the EnScript language.
262
Enterprise users have an additional Enterprise folder. Each folder contains the include directory and libraries.
EnScript Types
EnScript types reference resources in EnScript language classes. Perusing these provides information about EnCase classes and functions. To view EnScript Types, click View EnScript Types.
The Tree pane contains a list of classes. Double clicking an entry provides additional detail for the class.
Hash Analysis
A hash function is a way of creating a digital fingerprint from data. The function substitutes or transposes data to create a hash value. Hash analysis compares case file hash values with known, stored hash values. The hash value is commonly represented as a string of random-looking binary data written in hexadecimal notation. If a hash value is calculated for a piece of data, and one bit of that data changes, a hash function with strong mixing property usually produces a completely different hash value.
263
A fundamental property of all hash functions is that if two hashes (according to the same function) are different, then the two inputs are different in some way. On the other hand, matching hash values strongly suggests the equality of the two inputs.
File Hashing
Hashing creates a digital fingerprint of a file. This fingerprint is used to identify files whose contents are known to be of no interest, such as operating system files and the more common application. EnCase uses an MD5 hashing algorithm, and that value is stored in the evidence files. The MD5 algorithm uses a 128-bit value. This raises the possibility of two files having the same value to one in 3.40282 1038. Any mounted drive, partition, or file can be hashed. The hash value produced can be validated and used in the program. By building a library of hash values, the application checks for the presence of data with a hash value contained in the hash library. The hash value is determined by the files contents. It is independent of the files name, so the files hash value is calculated by the program and identified as matching a value in the hash library, even if the files name has changed.
Open a case that needs hashing and display its contents. 1. Click the Search tab. The Search dialog displays. 2. Make any search choices, then select the required values in the Hash Options area of the dialog.
264
The Table pane contents changes and shows the newly created hash values for the files.
Hash Sets
Hash sets are collections of hash values (representing unique files) that belong to the same group. For example, a hash set of all Windows operating system files could be created and named Windows System Files. When a hash analysis is run on an evidence file, the software identifies all files included in that hash set. Those logical files can then be excluded from later searches and examinations. This speeds up keyword searches and other analysis functions.
Analyzing and Searching Files 1. 2. Open the case and click Search. The search dialog displays.
265
3. 4. 5.
In the Hash Options area, check Compute Hash Values. Select files to be included in the hash set. Right click the Table pane and select Create Hash Set from the menu. The Create Hash Set dialog displays.
6.
Note: While the Category entry can be anything, the two industry standards are Known and Notable, with the latter being assigned hash values that are of interest to the investigator.
266
1.
Select View
2. 3.
Select (blue check) the desired hash set. Right click and select Rebuild Library from the menu. When Rebuild completes, a message indicating the number of rebuilt libraries displays.
If a file with the same hash value is contained in the hash library, its columns are populated.
267
Keyword Searches
EnCase applications provide a powerful search engine to locate information anywhere on physical and logical media in a current, open case. Global keywords can be used in any case, or they can be made case-specific and used only within the existing case. A keyword in a search is an expression used to find words within a case that match the keyword entries. The EnCase search engine accepts a number of options, and is particularly powerful searching regular expressions with a GREP formatted keyword.
Note: In addition to GREP, the search can be limited by making it case sensitive and selecting particular codepages. Codepages are alphabet sets of a variety of Latin and non-Latin character sets such as Arabic, Cyrillic, and Thai.
The keywords included in the software give an investigator the ability to search: Email addresses Web addresses IP addresses Credit card numbers Phone numbers Dates with a four digit year Social Security numbers
Note that if you are searching for a number and an application stores the number in a different format, EnCase will not find it. For example, in Excel, if a Social Security number is entered without dashes as 612029229, Excel stores it in double precision 64-bit format as 00008096693DC241.
268
3. 4.
Right click the Keywords icon in the Tree pane, then click New Folder. The Tree pane of the keywords tab changes, showing an additional folder.
5.
269
Adding Keywords
Add keywords directly to a new folder, an existing folder, or the root folder. Open the Tree pane from the Keywords tab. 1. 2. Right click a keyword entry in the Tree pane. This menu displays if you select the main Keywords icon. If you select a subfolder, the menu is slightly different in appearance, but functions the same.
3. 4.
270
EnCase Enterprise Version 6.18 5. Complete the dialog as described here: Search Expression is the actual text being searched. Name is the search expression name listed in the folder. Case Sensitive searches the keyword only in the exact case specified. GREP uses GREP syntax for the search.
Note: Previously the ANSI Latin - 1 option was called Active Code Page. Since the Active Code Page varied according to the Active Code Page running on the Examiner machine at the time, it was replaced by ANSI Latin - 1 to insure consistent search results.
ANSI Latin - 1 is the default code page. It searches documents using the ANSI Latin - 1 code page. Unicode: select if you are searching a Unicode encoded file. Unicode uses 16 bits to represent each character. Unicode on Intel-based PCs is referred to as Little Endian. The Unicode option searches the keywords that appear in Unicode format only. For more details on Unicode, see http://www.unicode.org.
Note: The Unicode standard attempts to provide a unique encoding number for every character, regardless of platform, computer program, or language.
Big-Endian Unicode: select if you are investigating a Big-Endian Unicode operating system (such as a Motorola-based Macintosh). Big-Endian Unicode uses the non-Intel data formatting scheme. Big- Endian operating systems address data by the most significant numbers first. UTF-8 meets the requirements of byte-oriented and ASCII-based systems. UTF-8 is defined by the Unicode Standard. Each character is represented in UTF-8 as a sequence of up to four bytes, where the first byte indicates the number of bytes to follow in a multi-byte sequence.
Note: UTF-8 is commonly used in Internet and Web transmission.
UTF-7 encodes the full BMP repertoire using only octets with the high-order bit clear (7 bit US-ASCII values, [US-ASCII]). It is deemed a mail-safe encoding.
Note: UTF-7 is mostly obsolete, and is used when searching older Internet content.
271
2.
Return to the Search Expression tab of the dialog and enter the keyword. Perform a search as usual.
272
Keyword Tester
To test a search string against a known file, click the Keyword Tester tab. Enter an expression in the Search Expression field and be sure to select the proper keyword options. 1. 2. Add a new keyword: see Adding Keywords (on page 268). Add an expression and name the keyword. In this case, a GREP keyword designed to capture telephone numbers is entered:
3. 4.
Select the desired options (for example, Case Sensitive or GREP). Select the Keyword Tester tab.
5. 6.
Locate a test file that contains the search string, enter the address into the Test Data field, and click Load. The test file is searched and displays in the lower tab of the Keyword Tester form.
273
Local Keywords
A local keyword is associated with a unique case, and can be searched for only when that case is open. If a local keyword is created in one case, and another is opened, the local keyword is unavailable. Open a case and prepare a list of keywords specific to this case only. 1. 2. Select View Cases Sub-Tabs Keywords.
The Tree pane displays. This specific display shows the local keywords folder with a new folder added.
Importing Keywords
You can import keywords and keyword lists from other users. To import a keyword list: 1. 2. 3. Right click a keyword folder in the Tree pane. Select Import. Enter or browse to the path of the desired file and click OK.
274
Exporting Keywords
Keywords are exported in .txt file format. You can export all keywords at one time or create a list of selected keywords for transfer. 1. 2. Right click a keyword in the Table pane. In the dropdown menu, click Export.
3.
4.
To export all keywords, click the Export Tree (for Import) checkbox, then click Finish.
275
To customize the export, clear the Export Tree (for Import) checkbox. The rest of the dialog is now enabled.
a. Select an Output Format. b. Click Only Checked Rows to export only the rows checked in the Table pane. c. To specify a range of rows to export, enter row numbers in the Start and Stop combo
boxes.
d. To specify fields for the export, click the appropriate checkboxes in the Fields group box. e. Enter or browse to a destination path for the Output File.
6. Click Finish.
2. 3. 4.
Right click and drag the items to the destination folder in the tree. Release the mouse button. Click Copy Selected Items Here from the dropdown menu.
276
The Search dialog features a new checkbox, Comprehensive search, to support this feature. When you select Search for Internet history, the Comprehensive Search box is enabled.
Note: Selecting Comprehensive Search increases the time it takes to complete the search.
To create a record: 1. 2. 3. 4. 5. Click Search. A search dialog displays. Select options and click Start. Select Search for Internet History and Comprehensive Search to search for Internet history (including searching file slack and unallocated space). When the search finishes, click View Cases Sub-Tabs Records.
Analyzing and Searching Files Finding history and cache results may require moving down the tree several levels.
277
Newly created records display in the Table pane. The Tree pane shows the type of record and the Table pane shows the files within that record. If there are additional details regarding a file selected in the Table pane, click Additional Fields in the Tree pane to see that information.
Common columns in the Report pane are: Name is the file name and extension. Filter shows if a filter was applied. In Report is a True or False indicator of files present in a report. To change the selection, enter CTRL + R. Search Hits indicates whether the file contains a keyword search word. Additional Fields: when True, indicates that additional fields were found in the record. Data contained in the Additional fields varies depending on the type of data in the record. Message Size: the message size in bytes. Creation Time is the date and time the message was created in mm/dd/yy hh:mm:ss format. AM or PM is attached as appropriate. Profile Name is the owner of the message. URL Name is the name of the URL where the message originated. URL Host is the name of the URL host where the message originated.
278
Browser Cache Type shows the format in which cached data are stored. Options include image, code, HTML, and XML. Browser Type is the browser where the artifact was viewed, such as Internet Explorer or Firefox. Last Modification Time is the last time the cache entry was updated. Message Codepage is the code page type for reading this cache entry. Last Access Time shows the last time the cache entry was retrieved or loaded. Expiration is the time when this cache becomes stale and is deleted from the cache. Visit Count is number of times this cache entry was accessed by the browser. Server Modified is the last time the cached item was modified on the server where it was cached.
To parse Firefox artifacts: 1. 2. 3. 4. Open a case containing Firefox items. Click Tools > Search. Run Search for Internet history from the Search dialog as you would for other supported browser artifacts. Click Start. When the search finishes, the Searching dialog opens.
Analyzing and Searching Files 5. Click OK. The Mozilla Firefox 3 artifacts display in the Records tab.
279
Note:The Records tab of an Internet history search for Mozilla Firefox artifacts displays Frecency and Rev Host Name columns. "Frecency" is a valid word used by Mozilla. Do not mistake it for "frequency." For more information, see the Mozilla developer center article at https://developer.mozilla.org/en/The_Places_frecency_algorithm. The value displayed in the Frecency column is the score Mozilla gives to each URL. It includes how frequently a person visits the site and how recently the user visits the site. EnCase displays this value as it is stored in the places.sqlite file. Mozilla stores a URL's host name in reverse. EnCase displays it as such in the Rev Host Name column.
Note: The difference between a regular search and a search of unallocated is that keywords are added internally and marked with a special tag indicating it is for Internet history searching only.
280
Analyzing and Searching Files It looks like this in the Records tab:
281
282
EnCase Enterprise Version 6.18 2. Selecting Search for Internet History at the same time, as shown in the picture below, performs a regular Internet history search in addition to the exhaustive search.
These fields are added to the Browser Cache Type field: Audio Video XML Text
Internet Searching
The search engine can search evidence files for various Web artifact types. The Internet search feature can search Internet Explorer, Mozilla Firefox, Opera, and Safari. Use the search dialog for Internet searching. Results are viewed on the Records tab. For information on that procedure, see Searching Entries For Email and Internet Artifacts and Viewing Record Search Hits.
283
Performing a Search
You can search an entire case, an entire device, or an individual file or folder. For example, when searching information in unallocated space, such as a file header, select the Unallocated Clusters to avoid having to search the entire case. 1. 2. Click the Search button on the tool bar. The Search form appears. Complete the dialog and click Start.
See Search Options (on page 283) for help completing the search dialog.
Search Options
You can use a number of options to customize a search.
Selected items only runs a search for items limited to the files, folders, records, or devices that you checked. Search entries and records for keywords: executes a keyword search when checked. When unchecked, other checked functions are performed, but the keyword search is not. This allows you to run a signature analysis or a hash analysis without running a keyword search. This option also enables: Selected keywords only Search entry slack Use initialized size Undelete entries before searching Search only slack area of entries in Hash Library
284
Selected keywords only restricts the number of keywords used during the keyword search to the number of keywords specified (shown in Number of Keywords). Search entry slack searches the slack area between the end of logical files and the end of their respective physical files. Use initialized size searches only the initialized size of an entry (as opposed to the logical or physical size). EnCase allows users to process the initialized size of a file when conducting searches and copy/unerase. Initialized size is only pertinent to NTFS file systems and allows an application to reserve disk space for future operations, while enabling applications to parse files faster. When certain applications write out files, such as Outlook PST/OSTs, Outlook Express DBXs or Vista event logs, the application sets the logical size of the file larger than currently necessary, to allow for expected future expansion. The application can then set the Initialized Size smaller so that it only needs to parse a smaller amount of data, enabling the file to be loaded faster. If a file has an initialized size that is less than the logical size, the OS shows the data area between the initialized size and logical size as zeros. In actuality, this area of the file may contain remnants of previous files, similar to file slack. By default, EnCase displays, searches and exports the area past the initialized size as it appears on the disk, not as the OS displays it. This enables users to find/see file remnants in this area. If a user wishes to see a file as an application sees it or the OS displays it, they can select Initialized Size in the appropriate dialog. Note that when a file is hashed within EnCase, the initialized size is used. This means that the entire logical file is hashed, but the area past the initialized size is set to zeros. Since this is how a normal application sees the file, this enables users to verify file hashes with another utility that reads the file via the OS. Undelete entries before searching undeletes deleted files prior to searching. Search only slack area of entries in Hash Library is used in conjunction with a hash analysis. Verify file signatures performs a signature analysis during a search. Compute hash value performs a hash analysis during a search. Recompute hash value regenerates previously computed hash values. Search for Email turns on dialog email search options. Recover Deleted accesses deleted email. Email Type List provides options for email that can be recovered. Verify Signatures performs a signature analysis during a search. It determines whether the file extension matches the signature assigned to that file type. Identify Codepages tries to detect the code page for a file. Search for Internet History recovers Web data cached in the Web history file. Comprehensive Search searches for Internet history in unallocated space.
285
286
To view your search hits: Click the Search Hits tab in the menu bar or Click View Cases Sub-Tabs Search Hits
Excluding Files
Sometimes a keyword search returns more files than are useful to report. Hide these files from view by excluding them. Run, then view a keyword search. 1. 2. Select files to exclude, then right click the view. Select either Exclude or Exclude All Selected.
3. 4.
Select the appropriate option and click OK. The selected files disappear from view.
287
2.
Deleting Items
When using Search Hits, delete is considered a soft delete which you can undelete until the case is closed. If a search hit remains deleted when the case is closed, the hit is permanently deleted. In other tabs, however, undelete works only with the last selection deleted. Once a file is closed, deleted items are permanently removed and cannot be recovered. Run, then view a keyword search. This process is similar to Excluding Files (see page 286). View the search hits report in the Table pane before excluding them from the report. 1. 2. Select files to exclude, then right click the view. Select either Delete or Delete All Selected.
288
3.
Select the appropriate option and click OK. The selected files are temporarily deleted.
Note: Viewing the report shows the concatenated results.
Exclude a number of files. To review excluded files: 1. 2. Click Show Excluded. Deleted files display in both Table pane and in Report pane.
Encode Preview
Encode Preview lets you apply text encoding to the Preview column on the Bookmarks and Search Hits tab. This feature allows non-English alphabet bookmarks and search hits to display properly in the Preview column.
Analyzing and Searching Files 1. Open an evidence file and click Text or Hex in the View pane. The document displays.
289
2. 3.
Bookmark the desired passages: see Bookmarking Items (on page 341). Click Bookmarks on the Table tab of the Table Pane. A preview of the bookmark displays.
4.
290
Indexing
Text indexing allows you to quickly query the transcript of entries. Creating an index builds a list of words from the contents of an evidence file. These entries contain pointers to their occurrence in the file. There are two steps: Generating an Index Searching an Index
Generating an Index creates index files associated with evidence files. Index creation can be time consuming, depending on the amount of evidence you are indexing and the capabilities of your computer hardware. Evidence file size, and thus, the resultant index size is an important consideration when building an index. Attempts to index extremely large evidence files can have a serious impact on a computer's resources.
Note: For quicker index files, select a limited number of files for indexing.
Querying an Index provides the means to search for terms in the generated index. Querying an evidence file's index for terms locates terms more quickly than keyword searching. The index is queried using several conditions accessed in the Conditions tab.
Generating an Index
Open a case containing evidence files. 1. If you know the files you want to specifically index, select them in the Table pane.
291
The Index Case dialog opens with the Options tab selected by default.
3. 4.
If you want only to index selected files, select Selected Entries Only. If you want to apply a condition on the files to be indexed, select it in the Conditions box. Any file that matches the condition (and any other options checked) will be indexed.
Note: You can use the condition or the Selected entries only checkbox. You cannot do both; however, you can create a condition that targets selected files matching other criteria.
5. 6. 7. 8. 9.
If you want to include files with a known file signature, select Include: Known Files. To index without regard to case, select Index Without Case Sensitivity. If desired, select Fast Indexing of Native Files. Use the spin box to Set Minimum Character Length. Use the spin box to specify Requested % of RAM to Create Index.
292
EnCase Enterprise Version 6.18 10. To set the noise file, click the Noise file tab.
11. Select the Language File and if necessary, modify the Path. 12. Click OK. The Evidence file starts indexing. The thread bar indicates the estimated remaining time in the operation. The Console tab indicates diagnostic information as the index progresses.
293
2.
Double click the condition you want to use. All Index Conditions use the same dialog.
3. 4.
Enter the term you want to search for and click OK. When complete, the Table pane lists files that meet the condition requirements.
5.
294
Note: In addition, clicking Tools GSI Hotmail, and Yahoo! Web Mail.
Analyzing and Searching Files 2. The Webmail parser options dialog displays.
295
3.
Select the Webmail types for collection. Optionally, a search can be run only on selected files. The search status displays on the status bar.
4. 5.
Click the Records tab. The Tree pane displays a list of discovered files.
6.
7.
To view the data in the Report pane, select a file and click Report.
296
Extracting Email
The program's search engine can search various types of email artifacts, including attachments. See Acquisition Wizard (on page 118), Performing a Search (on page 283), and Searching for Email (on page 294) for additional information. The procedures outlined in these sections discuss how to extract and view both email and attachments.
Searching Email
This program feature displays all email and any associated attachments in tree view. Once recovered, these can be viewed in the Report, Doc, or Transcript tabs of the Report pane.
297
2. 3.
The Search page of the search wizard displays. Select the desired email types and click Start.
4.
5. 6.
7.
A closed tree view of all located mailboxes displays. Selecting a file displays one mail file's contents in the Text, Hex, Transcript, and Report tabs of the Report tab. In addition, the email file and its attachments are listed in the Table pane. Open the high level tree to see the mailbox's contents. Email contained in the mailbox is visible in the Tree pane, and both email and attachments are visible in the Report pane. An envelope and paper clip icon indicates mail containing attachments.
8.
After you finish, you can view and interact with attachments (see "Viewing Attachments" on page 298).
298
2.
In the Search dialog under Keyword Search Options, click Search entries and records for keywords.
3.
Click Start.
Viewing Attachments
An email attachment is a file that is sent along with an email message. An attachment can be encoded or not. Complete a successful email search. See Searching Email (on page 296). Email attachments clearly can have important evidentiary value. This section covers viewing attachments in their native format. 1. Click Records.
Analyzing and Searching Files Discovered email appears in the Tree pane.
299
2.
Expand the high level item to view its contents. A list of attachments displays in the Table pane and the contents of the attachment display in the Report pane.
300
Exporting to *.msg
The Export to .msg option for mail files and mail files attachments lets you preserve the folder structure from the parsed volume down to the entry or entries selected. This option is available for the highlighted entry or selected items. Perform an email search prior to executing Export to .msg. 1. Select an .msg file and display its mail contents.
2. 3.
Select email files to export. In the Report pane, select a file and right click it.
4.
Analyzing and Searching Files 5. Select dialog options as needed: Export Single exports only the selected message. Export All Checked exports all files checked. Preserve Folder Structure saves selected email folder structure information. Output Path captures the location of the export data file. The default is ...\EnCase6\Export\. 6. Click OK. A message displays when the export function completes.
301
7. 8.
View the entire structure down to the individual message in the Export folder. View a message by double clicking it. The message text displays in read only format. The picture shows a typical text message presentation.
302
After you mount the AOL PFC, the structure displays in Entries view. Envelopes with metadata are added to the Records tab and follow the Entries folder structure. 1. Right click a PFC item and click View File Structure.
2.
303
Entries View
This view displays the general structure of the Main Index.
304
Records View
This view displays data.
305
Note: If the client has not modified the Personal File Cabinet to save email to the local hard drive before signing off, AOL does not automatically back up or save email on the suspect's machine unless AOL has been installed on the system for more than four weeks (see http://help.channels.aol.com/kjump.adp?articleId=187662 for more information). Therefore, if the examiner is gathering evidence from a suspect's machine with AOL installed less than four weeks, EnCase does not report any email traffic, because the suspect's email does not reside on the local hard drive.
306
Tag Records
There is a new item in the Entries menu called Tag Record(s). It allows you to tag (with a blue check mark) all records which are directly related to the selected entry.
1.
You can see that before applying Tag Record(s), no records in Records view are selected.
2.
In Entries view, right click and select Tag Record(s) from the dropdown menu.
Analyzing and Searching Files 3. EnCase loops through all records in the Records tree and tags those records which use the entry selected above as its content.
307
App Descriptors
At a very basic level, app descriptors are the hash files of a computer's EXE and SYS files. They work in conjunction with machine profiles and are used to identify forbidden or undesirable software on a computer's hard drive. They are particularly useful in detecting viruses and other malware and for ensuring a specified disk image is not changed. EnCase can identify malicious programs via a hash analysis. It compares an application's: Unique digital identification Calculated, known, and stored hash value, with that captured in a snapshot.
When the hash values match, the program returns the process name, its hash value, and machine profile to which it belongs. An app descriptor categorizes executables by hash value, to enable positive identification of executables running on a system. App descriptors works in concert with machine profiles. Profiles are inventories of what should be running on a specific machine. Together, the machine profile and app descriptor lets an examiner know what should be running, and what is running on a specific computer.
308
2. 3.
Right click a folder in the Tree pane or a file in the Table pane and click New. The New App Descriptor dialog opens.
Analyzing and Searching Files 4. Complete these fields: Name is mandatory, and is typically the name of the working file. Comment is an optional field for investigator comments.
309
Hash Value is mandatory and must be entered manually. It contains the hash value of the selected file. 5. Select the machine profile in which to place the new app descriptor and click OK.
This method requires manual entry of the hash value for each and every new app descriptor. A far better and more efficient method is to use an EnScript program. For information on automatically creating an app descriptor, See Create an App Descriptor with an EnScript Program (see "Creating an App Descriptor with an EnScript Program" on page 309).
2.
Complete the fields: Bookmark Folder Name is the name of the folder in the bookmark area. Folder Comment is an optional field for entering your own notes. Snapshot Data is a mandatory checkbox. Hash Processes is checked by default.
3.
Click Finish.
310
EnCase Enterprise Version 6.18 4. Double click the App Descriptor Module to select an output file. If there are no folders displayed, create a new one.
Selecting a process state is optional. If either the Create App Descriptors for every .EXE and .SYS file or Create App Descriptors for every ELF Binary option is selected, Select Process State options are disabled. 5. Execute the selected EnScript program. When the script is complete, the newly created app descriptors are available. 6. Change the display as follows: a. Click Bookmarks. b. Double click the new bookmark in the Tree pane. c. Select Snapshots in the Table pane. d. Select Snapshots tab. Select the Processes tab and the Home tab to view the information. 7. Select Include-All in the Table pane to view the name, hash value, and app descriptor data for the files.
CHAPTER 9
312
Viewing Files
You can view files parsed from device previews and acquisitions in various formats. EnCase Enterprise supports viewing the following files: Text (ASCII and Unicode) Hexadecimal Doc: native formats for Oracle Outside In technology supported formats Transcript: extracted content with formatting and noise suppressed Various image file formats
The Doc pane and the Transcript pane use Oracle Outside In technology to display hundreds of different documents. This allows you to view documents without owning a copy of the application in order to view the contents. It also allows you to bookmark an image of the contents inside a particular application (such as a database), or it allows bookmarking exact text inside the document using a sweeping bookmark. Beyond those formats supported by EnCase, you can use third-party viewers to extend the range of viewable files. Once you add the viewer to your environment and associate file extensions with the viewer, you can view the files of that type. Compound files contain other files. Examples of compound files include email messages and their attachments or .zip files and the files they contain. Viewing compound files exposes their file structure. EnCase Enterprise can view the structure of these types of compound files: Outlook Express (DBX) Outlook (PST) Exchange 2000/2003 (EDB) Lotus Notes (NSF) for versions 4, 5, and 6 Mac DMG Format Mac PAX Format JungUm and Hangul 97 and 2000 Korean Office documents Zip files such as ZIP, GZIP, and TAR files Thumbs.db files Others not specified
Some audio files, video files and certain graphic file formats are not immediately viewable; however, you can associate third-party viewers to examine these files properly.
313
Note: The Copy/Unerase functionality does not preserve folder structure, while Copy Folders functionality does.
Copy/UnErase Wizard
Use the Copy/UnErase wizard to specify what files are unerased, how they are unerased, and where files are saved after they are unerased. The Copy/UnErase wizard includes: 1. A File Selection dialog An Options dialog A Destination dialog Click Edit > Copy/UnErase.
2.
314
From contains settings that determine if one file or several files are copied and unerased. Highlighted File: If no files are selected in the Table pane, choose this setting because at least one file is always highlighted on the Table pane. The highlighted file will be copied and unerased. All selected files: When several files are selected in the Table pane, use this setting. It gives you the option to copy and unerase the highlighted file or selected files. To contains settings to determine how many files to output. This is only relevant when you select several files to be copied and unerased. Separate Files outputs each file being copied and unerased to its own file. Merge into one file merges the output of all selected files into one file. Replace first character of FAT deleted files with determines which character is used to replace the first character in the filename of deleted files in the FAT file system.
315
Settings on this page involve RAM slack, which is the buffer between the logical area and the start of the file slack. RAM slack is sometimes referred to as sector slack.
Copy contains settings that determine the content of the evidence file to be copied. Logical File Only: Copy/Unerase is performed on the logical file only, not including the file slack. Entire Physical File: Copy/Unerase is performed on the entire physical file, including the logical file and file slack. RAM and Disk Slack: Perform Copy/Unerase on both the RAM and disk slack. RAM Slack Only: Perform Copy/Unerase on the RAM slack only. Character Mask contains settings that determine what characters are written into the file or files created by Copy/UnErase. None: No characters are masked or omitted from the filenames of the resulting files. Do not Write Non-ASCII Characters: Non-ASCII characters are masked, or omitted, from the filenames of the resulting files. All characters except non-ASCII characters are used. Replace NON-ASCII Characters with DOT: Non-ASCII characters are replaced with periods in the filenames of the resulting files.
316
Show Errors: The application queries the user when errors occur. This prevents unattended execution of the copy and unerase operation.
Copy displays the number of files to be copied and unerased, and the total number of bytes of the file or files created. Path contains the path and filename, in the file system of the investigator's machine, of the file or files created. Split files above contains the maximum length, not exceeding 2000MB, of any file created by Copy/Unerase. When the total number of bytes in an output file exceeds this value, the additional output continues in a new file. Use Initialized Size determines if only the initialized size of an entry is used, as opposed to the logical size (which is the default) or the physical size. This setting is only enabled for NTFS file systems. When an NTFS file is written, the initialized size can be smaller than the logical size, in which case the space after the initialized size is zeroed out.
317
Source displays the folder to copy and unerase. Copy displays the number of files to copy and unerase, and the total number of bytes in the file or files created. Path contains the path and filename, in the file system of the investigator's machine, of the file or files created. Replace first character of FAT deleted files with determines which character is used to replace the first character in the filename of deleted files in the FAT file system.
318
Split files above contains the maximum length, not exceeding 2000 MB, of any file created by copy and unerase. When the total number of bytes in an output file exceeds this value, the additional output is continued in a new file. Copy only selected files inside each folder: If individual files are selected within a folder or folders, only those files are copied and unerased. Show Errors: When selected, the application does not query the user when errors occur. This allows unattended execution of the copy and unerase operation.
10. Click Next. 11. The Destination dialog of the Copy/UnErase wizard displays. 12. Complete the Destination dialog. For detailed instructions, see Destination Dialog of the Copy/UnErase Wizard (on page 316). 13. Click Finish. 14. The copy and unerase operation executes. The resulting files are saved in the directory specified in the Destination dialog.
Viewing File Content 3. Right click in the Table pane, then click Tag Selected Files from the dropdown menu.
319
4. 5. 6. 7. 8.
The files associated with the deleted bookmarks are selected and consolidated in the Table pane. In the Table pane, right click one of the selected files, then click Copy/Unerase from the dropdown menu. The File Selection dialog of the Copy/UnErase wizard opens. Continue the copy and unerase process at step 4 of Copying and Unerasing Files (see page 318). The files associated with the selected bookmarks are copied and unerased.
File Viewers
Occasionally, you find file types that EnCase does not have built-in capabilities to view, or you might want to view a file type using a third party tool or program. In either situation, you must: Add a file viewer to EnCase. See Adding a File Viewer (on page 321). Associate the file viewer's file types with the viewer. See Associating the File Viewer's File Types with the Viewer (on page 322).
320
Name is the name of the file viewer. Maximize View Dialog: check this box to open the file viewer in a maximized new window. Application Path contains the filename and path to the viewer's executable. Command Line contains a reference to the executable and any parameters used to customize the viewer.
321
Description is the file type to associate with the file viewer. Extensions is a list of file types to associate with the file viewer. Picture: check this box to display the file as a picture in the Gallery tab. Viewer contains options selecting the type of viewer, and in the case of Installed Viewers, a specific viewer associated with the file type you define. Click EnCase to associate the built-in EnCase viewer with the file type you define. Click Windows to associate Windows with the file type you define. Click Installed Viewer to associate an installed viewer with a file type. Use the installed viewers tree to select the specific viewer. Installed viewers tree lists the file viewers currently known to EnCase.
322
View Pane
The View pane provides several ways to view file content: On the Text tab, you can view files in ASCII or unicode text On the Hex tab, you can view files as straight hexadecimal. The Doc tab provides native views of formats supported by Oracle Outside In technology. The Transcript tab displays the same formats as the Doc tab, but filters out formatting and noise, allowing you to view files that cannot display effectively in the Text tab. On the Picture tab, you can view graphic files.
323
In the Options dialog, click the Colors tab. Right click Style - Uninitialized. To change the color of the foreground (that is, the color of the text or numbers themselves), mouse over Foreground and click the color you want in the dropdown menu.
5.
To change the background color, mouse over Background and click the color you want from the dropdown menu.
324
Like any other option in the Colors tab, to choose from a wider range of colors: 1. Double click the Style - Uninitialized line. The Edit "Style - Uninitialized" dialog opens.
2.
Viewing File Content 3. 4. 5. Click the color you want, then click OK. Back in the Edit "Style - Uninitialized" dialog, click OK. Click OK to close the Options dialog.
Note: For an even greater range of colors, click Define Custom Colors in the Color dialog.
325
Note: In addition, the File Mounter EnScript program allows you to select a file type (DBX, GZip, PST, Tar, Thumbs.db or Zip), provided they have a valid signature, and mount them automatically.
To view a compound file: 1. 2. 3. 4. In the Table pane, navigate to the compound file to be viewed. Right click the compound file to view, then click View File Structure. The View File Structure message box displays. Click Yes.
326
EnCase Enterprise Version 6.18 5. The compound file is replaced in the Tree pane and Table pane with a folder and a compound volume icon. The file structure of the compound file displays, and component files display in the view of your choice.
327
Only one date and time is shown on .gz and .tar files, as the compression processes do not store any other dates or times. .zip stores the created, modified, and accessed dates (older versions of WinZip store only the modified date, however). .rar stores the modified date by default; it stores accessed and created dates if the appropriate options are selected during archive creation.
For more information, refer to documentation for the compression process you used to create the compressed file.
GZip files are not labeled by name, only by their content file type and a .gz extension. For example, decompressing the file document.doc.gz displays the uncompressed .doc file.
328
329
Use the eseutil.exe command line tool to check the consistency of the state field as follows: [file location]\eseutil /mh [filepath]priv1.edb [file location]\eseutil /mh [filepath]pub1.edb
If the EDB file is in an inconsistent state, first try to recover, as follows: C:\Exchange\BIN\Eseutil.exe /r E##. Click Yes to run the repair. Note that the three-character log file base name represents the first log file. Files are sequentially named, with E##.log being the first log file. Run a check (step 2) on the resulting EDB file. If the file is still in an inconsistent state, attempt to repair the EDB file. This may result in the loss of some data currently in the .log files. Run the repair as follows: C:\Exchange\BIN\Eseutil.exe /p For additional information on the Eseutil program, read the Microsoft article at http://support.microsoft.com/kb/272570/en-us.
330
4.
The View File Structure dialog displays. If the EDB file is dirty, the dialog includes a Scan Dirty Database option:
Note: If the EDB file is not dirty, the only available option is Calculate unallocated space.
5.
To parse the dirty EDB file, check the Scan Dirty Database checkbox, then click OK.
Recovering a Database
These instructions describe how to recover from a dirty EDB database. Enter these commands: "C:\Exchange\BIN\Eseutil.exe" /r E## [options]
Viewing File Content Options include: /l<path> - location of log files /s<path> - location of system files /i<path> - ignore mismatched/missing database attachments /d<path> - location of database files /o - suppress logo
331
Repairing a Database
These instructions describe how to repair an EDB database. Enter these commands: "C:\Exchange\BIN\Eseutil.exe" /p <database name> [options] Options include: /s <file> - set streaming file name /i - bypass the database and streaming file mismatch error /o - suppress logo /createstm - create empty streaming file if missing /g - run integrity check before repairing /t <database> - set temporary database name /f <name> - set prefix to use for name of report files
332
When expanded, the top level (or top root) of the .pst file directory contains multiple folders, including: Inbox props (properties) Message store (storage, containing the PR_PST_PASSWORD file and other IDs) Name-to-id-map Root folder
The Root folder contains: Search Root (reserved for future use) Top of Personal Folders, containing the Inbox, Sent Items, and Deleted Items
Each .pst email message file appears as a folder with all message properties within the folder as well as any attachments. Many of the fields within the .pst mail folder are duplicated, which is part of the .pst format. If a keyword is a match within a certain field, it is duplicated in the secondary field as well. Created, written, and modified dates are set by the email messages. Outlook calendar entries (created, written, and modified dates) are set by the calendar applications. To view or mount an MS Outlook email: 1. 2. 3. 4. Navigate to the .pst file you want to view or mount. As needed, select Calculate unallocated space, then select Find deleted content. Continue with step 2 of Viewing File Structure (on page 325). The file structure of the email file displays, and you can open and view component files or layers in the compound volume folder. Note that the icon for the compound email file looks like a volume after it is mounted.
Viewing File Content Thumbs.db also contains a record of the images last written date. To view or mount a Windows thumbs.db file: 1. 2. 3. 4. 5. Navigate to the desired file in the thumbs.db. Right click the file, then click View File Structure. As needed, select Calculate unallocated space. Continue with step 2 of Viewing File Structure (on page 325).
333
The file structure of the email (.PST) file displays, and you can open and view component files or layers in the compound volume folder. The compound volume indicator is added to the thumbs.db folder after it is parsed.
Note: This update is only required for Windows 2000. Newer operating systems do not need this patch.
View the file in the picture or gallery view as any other image file.
Note: Occasionally corrupt .art files can cause EnCase to stop responding. If this occurs, try lowering the invalid picture timeout setting (In Global Options) or simply disable Enable ART and PNG image display, also in Global options.
When you bring an Office 2007 file (.docx, for example) into EnCase and it has a keyword in it, you will not see the keyword if you use the Text view. The keyword displays in the Doc and Transcript views.
334
ZIP Support
To view contents of a ZIP file: 1. 2. Right click the file in Table view. Click View File Structure in the context menu.
3.
EnCase decompresses the file and displays any files within it as children of the top level ZIP file.
Note: If the file is encrypted, EnCase prompts you for a password. If multiple passwords are required, a prerequisite is to add the passwords to the Secure Storage using Enter Items > User Password prior to mounting.
EnCase supports the DEFLATE compression algorithm in the following modes: Deflate (Superfast) Deflate 64 (Enhanced Deflate) Implode bzip2
The specifications supply the general baseline for the encryption method. These encryption types are implementations of one of the specifications: Zip 2.0 centerompatible WinZip AES 128/256 PKZIP AES 128/192/256
335
RAR Support
To view contents of a RAR file: 1. 2. 3. Right click the file in Table view. Click View File Structure in the context menu. EnCase decompresses the file and displays any files within it as children of the top level RAR file.
Note: If the file is encrypted, EnCase prompts you for a password. If multiple passwords are required, a prerequisite is to add the passwords to the Secure Storage using Enter Items > User Password prior to mounting.
EnCase supports the following RAR compression options: Store Fastest Fast Normal Good Best
336
337
Highlight the file in the Table pane, so that the content of the file appears in the Text tab of the View pane. Highlight the first character, right click, and click Bookmark Data. The Bookmark Data dialog displays. In Data Type, select either Base64-Encoded Picture or UUE Encoded Picture. The picture displays in the Contents pane.
Gallery Tab
The Gallery tab provides a quick and easy way to view images stored on the subject media. This includes all images purposely stored as well as those inadvertently downloaded from the Web. You can access all images within a highlighted folder, highlighted volume, or the entire case. If a folder is highlighted in the Tree pane, all files in the folder display in the Table pane. Clicking a folder's Set Include selects all files in that folder and files in any of its subfolders. Once selected on the Table pane, any images in the selected files display in the Gallery tab. You can bookmark images in the Gallery tab and display them in a report. The Gallery tab displays files based on their file extension by default. For example, if a .jpg file has been renamed to .dll, it will not be displayed in the Gallery tab until you run a Signature Analysis (see page 254). Once the signature analysis recognizes the file was renamed and that the file is actually an image, it displays in the Gallery tab. EnCase includes built-in crash protection, which prevents corrupted graphic images from displaying in the Gallery or Picture tab. The corrupt images are stored in a cache so they are recognized the next time they are accessed. No attempt is made to display them until you run a signature analysis. You can clear the cache. This setting appears on the shortcut menu only if a corrupt image is encountered. The timeout defaults to 12 seconds for the thread trying to read a corrupt image file. You can modify the timeout on the Global tab of the Options dialog. See Clearing the Invalid Image Cache on page 339 for details.
338
Bookmarking an Image
You can bookmark images on the Gallery tab of the Table pane.
1. 2. 3. 4. 5.
Select the desired image or images. Right click the highlighted image, then click Bookmark File. The Bookmark Files dialog opens. Modify the settings as needed, then click OK. The image or images are bookmarked. They are in the Table pane when the Bookmark tree displays.
339
To reduce the number of images displayed in a row in the gallery tab, right click any image, then click Fewer Columns.
To increase the number of images displayed per row in the gallery tab, right click any image, then click More Columns.
340
CHAPTER 10
Bookmarking Items
In This Chapter
Bookmarks Overview Bookmark Features Creating a Bookmark Using Bookmarks Copying Selected Items from One Folder to Another
342
Bookmarks Overview
EnCase allows files, folders, or sections of a file, to be marked and saved for reference. These are called bookmarks. Bookmarks are stored in their associated case file and can be viewed by selecting the Bookmarks tab. You can mark any existing data or folder.
Note: When a file is initially written to a multi-session CD it is assigned an address offset. When the file is changed, it is written again to the CD as a new file but with the same offset. Any revisions to this initial file are all assigned the same offset. The file and all its revisions can be viewed.
EnCase provides the following bookmark types: Highlighted data Annotates selected data Also referred to as sweeping bookmarks Notes Allows the user to write additional comments into the report Provides some text formatting capabilities Not bookmarks of evidence Folder information and structure Annotates the tree structure of a folder or the device information of specific media No comment feature Options include showing device information, such as drive geometry, and the number of columns to use for the tree structure Notable File Annotates individual files Fully customizable File group Annotates groups of selected files No ability to comment Snapshot Contains the results of a System Snapshot of dynamic data for Incident Response and Security Auditing Log record Contains results from log parsing EnScript programs Datamark Contains the results of Windows registry parsing EnScript programs
Bookmarking Items Case time setting Shows whether Daylight Savings Time is being used on the evidence file and whether dates should be converted to a single time zone Search summary Contains search results, times, and keywords for a particular case
Note: Case time settings bookmarks and Search summary bookmarks are created automatically.
343
Notes Bookmarks
The notes bookmark gives the investigator a great deal of flexibility when adding comments to a report. This bookmark has a field reserved only for comment text and can hold up to 1000 characters. It also contains formatting options including: Italics Bold Changing font size Changing the indent of the text
344
Snapshot Bookmarks
Snapshot bookmarks include a wide variety of volatile data resulting from running the various EnScript programs. In EnCase Forensic, the Scan Local Machine program creates snapshot bookmarks. The output of the program is always bookmarked. After Scan Local Machine is run, a bookmark toolbar displays that contains the Home tab and the Snapshot tab. The Snapshot tab has a toolbar associated with it. This toolbar displays a tab command for each type of snapshot bookmark created by one of the EnScript programs. Each type of snapshot bookmark has a Tree pane and Table pane associated with it. Each table displays data specific to the class of the system component whose data is displayed in the Table pane. Snapshot bookmarks include Machines snapshot on the Home tab Open ports Processes Open files Network Interfaces Network Users DLLs ARP Routes
Bookmarking Items
345
Datamarks
EnScript programs or EnScript modules that execute the Add Datamark method create a datamark. When a datamark is created in a bookmark folder, that datamark can be used as a bookmark. Each datamark has a tab associated with it. The tab displays when you select the datamark in the Bookmarks table on the Bookmarks tab of the Tree pane.
Bookmark Features
Features that you use while working with bookmarks include: Bookmark Data dialog for highlighted data bookmarks Add Note Bookmark dialog Edit Folder Information/Structure Bookmarks dialog Bookmark Data dialog for files
346
Comment contains text that describes the book marked content. Data Type pane determines the data type of the book marked content. Types tree contains objects representing the various formatting that can be used when displaying book marked content.
Note: Details of the content of the tree are described in Bookmark Content Data Types.
Destination Folder determines the path to the folder where the bookmark is saved. Contents displays the content of the bookmark in the format selected.
Text
Text is a parent object that contains child objects representing the formatting that can be used when displaying bookmarked content as text. Do not Show hides the content of the bookmark. This works for all underlying data types.
Bookmarking Items High ASCII displays the text in 256-bit ASCII. Low ASCII displays the text in 128-bit ASCII. Hex displays the text as hexadecimal digits, rather than characters. Unicode displays the text in Unicode encoding. ROT 13 Encoding decodes ROT 13 encoded text to ASCII text. HTML renders HTML coded as it appears in a browser. HTML (Unicode) renders the HTML coded as it appears in a browser using Unicode encoding.
347
Picture
Picture is a parent object that contains child objects representing various file formats that can be used when displaying bookmarked content as a picture or graphic. Picture displays the bookmarked content of the following file formats: JPG GIF EMF TIFF BMP AOL ART PSD
This is based on the file extension or the file signature of the file that contained the book marked content. Base64 Encoded Picture displays the bookmarked content in Base64 (Unicode) format. UUE Encoded Picture displays the bookmarked content in UUE format.
Integers
Integers is a parent object that contains child objects representing integer encodings that can be used when displaying bookmarked content. 8-bit displays the bookmarked content as 8-bit integers. 16-bit displays the bookmarked content as 16-bit Little-Endian integers. 16-bit Big Endian displays the bookmarked content as 16-bit Big-Endian integers. 32-bit displays the bookmarked content as 32-bit Little-Endian integers. 32-bit Big Endian displays the bookmarked content as 32-bit Big-Endian integers.
348
64-bit displays the bookmarked content as 64-bit Little-Endian integers. 64-bit Big Endian displays the bookmarked content as 64-bit Big-Endian integers.
Dates
A date is a parent object that contains the objects representing various file formats that can be used when displaying bookmarked content. DOS Date displays a packed 16-bit value that specifies the month, day, year, and time of day an MSDOS file was last written to. DOS Date (GMT) displays a packed 16-bit value that specifies the time portion of the DOS Date as GMT time. UNIX Date displays a Unix timestamp in seconds based on the standard Unix epoch of 01/01/1970 at 00:00:00 GMT. UNIX Text Date displays a Unix timestamp in seconds as text based on the standard Unix epoch of 01/01/1970 at 00:00:00 GMT. HFS Plus Date displays a numeric value on a Power Macintosh that specifies the month, day, year, and time when the file was last written to. Windows Date/Time displays a numeric value on a Windows system that specifies the month, day, year, and time when the file was last written to. Lotus Date displays a date from a Lotus Notes database file.
Windows
Windows is a parent object that contains objects representing the various file interpretations that can be used when displaying bookmarked content. Partition Entry displays the content of the bookmark as characters that conform to the header format of a Windows partition entry. DOS Directory Entry displays the content of the bookmark as characters that conform to the format of a DOS directory entry. Win95 Info File Record displays the content of the bookmark as characters that conform to the INFO data structure definition. Win2000 Info File Record displays the content of the bookmark as characters that conform to the INFO2 data structure definition. GUID displays the content of the bookmark as strings that conform to the Windows Globally Unique Identifier (GUID) format. SID displays the content of the bookmark in the Security Identifier (SID) format.
Bookmarking Items
349
Styles
Use these text styles when working with non-English languages. For more information, see the chapter Working with non-English Languages (on page 439).
Notes contains up to 1000 characters. Show in report when checked, the content of the note bookmark appears in the Report tab of the Table pane. Formatting contains the formatting controls for all characters that comprise the content of the note. Bold makes all content of the note appear in bold. Italic makes all content of the note appear in italics. Increase font size sets the font size of all the content of the note. Increase text indent sets the text indent of all of the text blocks in the note.
350
Include Device Information includes folder structure information. Columns specifies the number of columns of folder structure information. Destination Folder displays the Bookmarks tree, so you can navigate to the destination folder.
Bookmarking Items
351
Bookmark Selected Items appears when multiple files are selected on the Table pane. When checked, selected files are bookmarked as one or more file group bookmarks, and the Folder Comment field is disabled. When Bookmark Selected Items is cleared, only a single file was highlighted in the Table pane, and that single file is bookmarked as a notable file. Any other selected files are not bookmarked. Create new bookmark folder determines whether a new folder is created, and whether Folder Name and Folder Comment are displayed. Folder Name contains the filename for the new bookmark folder. Folder Comment contains the comment describing the bookmarked files that the new folder contains.
352
Comment contains a short comment when using this dialog to create a notable file bookmark. Destination Folder displays the Bookmarks tree so the destination folder can be selected.
Creating a Bookmark
You can create these types of bookmarks: Highlighted Data Notes Folder Structure Notable File File Group Log Record
EnCase applications create these types of bookmarks as a result of acquiring a device: Case Time Settings Search Summary
Bookmarking Items To bookmark highlighted content displayed in the View pane: 1. 2. In the View pane, select the desired content. On the highlighted content, right click Bookmark Data. The Bookmark Data dialog for highlighted data displays. 3. 4. 5. 6. Select the appropriate data type in the Types tree. Enter the desired comment. Click OK. The comment displays in the Comment column of the bookmarks table.
353
1. 2. 3. 4.
In the Bookmarks table in the Table pane, right click the desired bookmark, and click Add Note. The Add Note Bookmark dialog displays. Enter the text of the note, format the text as desired, then change the Appear in report setting as desired Click OK. The note is added to the bookmarks table.
354
To create a folder structure bookmark: 1. 2. 3. 4. Right click the device or folder to bookmark, and click Bookmark Data. The Bookmark Folder Structure dialog displays. Accept the default settings, or enter appropriate values. Click OK. You can now view the folder structure bookmarks in the Bookmarks table.
Bookmarking Items
355
1. 2. 3. 4. 5. 6. 7.
For the file to be bookmarked, select the device containing the file. In either the Entries table on the Entries panel of the Table pane, or the Records table on the Records panel of the Table pane, select the row describing the file. Right click the row describing the file. Click Bookmark Data. The Bookmark Data dialog for files displays. Accept the defaults or modify the values displayed on the Bookmark Data dialog Click OK. The notable file bookmark is placed in the bookmarks table.
356
1. 2. 3. 4. 5. 6.
For the files to be bookmarked, highlight the device or parent folder containing the files. In either the Entries table on the Table pane, or the Records table on the Table pane, select the files or to be bookmarked. Click Bookmark Data. The Bookmark Data dialog for files displays. Accept the defaults or modify the values displayed on the Bookmark Data dialog Click OK. The file group bookmarks are placed in the Bookmarks table.
Bookmarking Items
357
1. 2. 3.
On the process results dialog, select Log Record. Click OK. A Logs entry displays in the bookmarks table.
358
Note: Before you create a snapshot bookmark, select the EnScript tab in the Filter pane.
To create a snapshot bookmark: 1. On the EnScript tree, expand the Forensic folder and double click Scan Local Machine. The Options page of the EnScript wizard displays.
Bookmarking Items 2. 3. 4. 5. Enter a Bookmark Folder Name, select the desired modules, and click Finish. A dialog specific to the selected EnScript program displays. Complete the EnScript program specific dialog, and click OK. The Status Line shows the progress of the executing EnScript program. When the program finishes, the results appear in the Bookmarks display in the Tree pane and the Table pane. See the resulting bookmarks by expanding the bookmark folder specified in step 2.
359
The EnScript program creates the datagram as a bookmark and creates a subtab named to match the name of the program that created it. In addition, an entry is output to the Output panel of the View pane.
360
EnCase Enterprise Version 6.18 3. The Bookmark View dialog opens to the Destination tab.
4. 5.
Select the Bookmark Select Items checkbox to bookmark only the items you selected in the Table pane. Clear this checkbox to bookmark all items. Select the Create new bookmark folder checkbox if you want your bookmarks in a destination other than the default folder. Checking this box enables the Folder Name and Folder Comment fields. Enter a folder name and, optionally, a folder comment. Enter a brief comment about your bookmarks in the Comment field (optional).
6. 7.
361
9.
Accept the default Root Name or enter a meaningful root name of your own.
10. Select the Icons checkbox to view icons in your bookmarks. 11. Click OK.
Using Bookmarks
You can create bookmarks on entries and records. These operations are available: Creating (see page 352) Editing (see page 361) Adding a Note bookmark (see page 353) Organizing into folders (see page 369)
Reports can contain bookmarks and fields containing bookmark attributes: To determine which table entries should appear in a report: see Viewing a Bookmark on the Table Report Tab (on page 372). To determine which entry fields should appear in a report: see Customizing a Report (on page 374).
362
Editing a Bookmark
You can edit most bookmarks. The particular editor displayed is determined by the type of bookmark you are editing. See the individual edit dialogs for bookmark specific information. The instructions in this topic apply to editing any bookmark except file group bookmarks, which cannot be edited.
Note: The content of the bookmarks table is driven by the object selected in the Tree pane.
To edit a bookmark: 1. 2. In the Bookmark panel in the Table pane, right click the desired bookmark, and click Edit. The edit dialog displays. Edit the content, then click OK.
These editors are not necessarily the ones used to modify the data in the columns of the Bookmarks table on the Bookmarks panel of the Table pane.
Bookmarking Items The bookmark edit dialogs include: Edit Highlighted Data Edit Note Edit Folder Information/Structure Edit Notable File Edit Snapshot Edit Log Record Edit Datamark
363
364
Data Type contains the data type of the bookmarked content. Selecting a different data type does not alter the content of the bookmark. Content contains highlighted data that was bookmarked.
Note: You cannot edit this field.
Notes contains text describing the bookmarked content. A note can contain up to 1000 characters. Show in report: when checked, the content of the note bookmark appears in the report tab panel of the Table pane. Formatting contains controls for formatting all characters in the note. Bold makes all content bold. Italic makes all content italics. Increase font size sets the font size of all content in the note. Increase text indent sets the text indent of all of text blocks.
Bookmarking Items
365
Check Include Device Information to show folder structure in the bookmark. Columns determines the number of columns of folder structure to show in the bookmark.
366
Name is the name of the snapshot bookmark. An EnScript program supplied this name value when the bookmark was originally created. Editing lets you provide a more meaningful name. Comment contains text describing the bookmarked content. An EnScript program supplied this text when the bookmark was originally created. Editing lets you provide more meaningful comments.
Bookmarking Items
367
Name is the name of the log record bookmark. EnCase supplied this name when the bookmark was originally created. Editing lets you provide a more meaningful name. Comment contains text describing the bookmarked content. No text was supplied when the bookmark was originally created.
Name is the name of the snapshot bookmark. The EnScript program that created the datamark supplied this name when the datamark was originally created. Editing lets you provide a more meaningful name. Comment contains text describing the bookmarked content. The EnScript program that created the datamark supplied this name value when the datamark was originally created. Editing lets you provide more meaningful comments.
Use the same dialog (Edit Folder Dialog on page 367) to edit the root bookmark folder and other folders in the bookmarks tree and bookmarks table. The root bookmark folder contains default report formatting, while the other folders do not.
368
This dialog works with any folder in any Tree or Table pane. When the folder is the root folder of a tree, default formatting is provided in the Format field. You can also use this dialog to customize the report generated for the folder content. Each folder in a tree has its own report. Each folder defines its own report.
Show in report: check this box to display folder content in the report. Show Pictures: check this box to display pictures in the folder in the report. Comment contains text describing the bookmarked content. Format contains labels (provided by the application or entered manually) and the fields selected in the Fields list. The label "Comment:" appears in the report. Square brackets contain a field. The ")" is a literal, as in another label. Everything other than fields are labels. Fields contains the list of fields you can include in the report. This list varies from entry to entry.
Bookmarking Items Tables determines whether the listed detail tables display individually in the report.
369
To use folders to organize bookmarks: 1. Do one of the following: To move a bookmark and remove it from the source bookmark object, drag the bookmark to the report in the destination folder. To copy a bookmark from the source bookmark object, right click and drag the bookmark to the destination folder, and select Copy Here. The bookmark is now in the destination folder, so its entry now displays in the Bookmarks table associated with the destination folder.
370
EnCase Enterprise Version 6.18 2. Select the destination folder in the Bookmarks tree. The bookmarks in the folder display in the Bookmarks table. 3. In the Table pane, click Report. The bookmarks in the folder display in the report.
Organizing Bookmarks
You can organize bookmarks into folders in the Tree pane. These folders appear in the Table pane, but a table entry cannot be dragged into other table entries. Instead, drag the table entry into a folder on the Bookmarks tree. See Using a Folder to Organize a Bookmark Report (see "Using a Folder to Organize a Bookmarks Report" on page 369). Organizing bookmarks involve the following tasks: Copying a table entry into a folder (see page 370) Moving a table entry into a folder (see page 371)
To copy a table entry into a folder: 1. 2. Right click and drag the desired entry into the desired folder. Drop the entry on the folder and select Copy Here.
Bookmarking Items
371
Moving a Table Entry into a Folder Using the Right Click Drag Method
You can move a table entry into a folder using the right click drag. The table entry is moved from the table to the tree.
1. 2. 3.
Right click and drag the desired entry into the desired folder. Drop the entry on the folder and click Move Here. The entry is moved to the folder on the tree and removed from the table.
372
Moving a Table Entry or Folder into a Folder Using the Drag Method
1. 2. 3.
Drag the desired entry or folder into the new parent folder. Drop the entry or folder on the new parent folder. The entry is moved to the folder on the tree and removed from the table.
Bookmarking Items 1. Select the bookmark folders you want to include in the report.
373
2.
The folder contents display as checked in the Table pane. The first two data items are selected to be in the report, while the third is not.
3. 4.
To include a bookmark, make sure that the In Report column value for that bookmark is True. On the Table pane toolbar, click Report. The report displays in the Report panel of the Table pane.
Note: To set the in report value for multiple items, select several in the table panel of the table pane, then follow step 3.
5.
You can now view the report containing the bookmarked content and the metadata about the bookmarks.
374
Customizing a Report
You can customize a report using the Edit Bookmark Folder dialog.
Note: Any bookmarks that will appear in the report must be in the same folder in the Bookmarks tree.
To customize a report: 1. 2. 3. 4. 5. 6. 7. Right click the folder containing entries for the report. Select Edit. The edit folder dialog displays. Using the Fields list, double click each field in the order you want it to appear in the report. Each field is moved to the Format list. Enter any label text needed. The text displays in the Format list. Cut and paste the text and fields as needed. Once the content of the Format list is correct, click OK. On the Table pane, click Report. The report displays with its customized contents.
Excluding Bookmarks
Hiding all or parts of the listing is called Excluding. You can exclude any number of bookmarks from the Tree and the Table pane display using the Exclude Bookmarks feature.
Bookmarking Items 2. Select (blue click or highlight) a file. The picture below shows a graphic file checked.
375
3. 4.
Right click or press CTRL-E, then select Exclude from the menu. The display reappears, but the selected file is not displayed.
Exclude Folder
In Bookmarks view, the Tree pane displays bookmark folders you created for an open case. You can prevent bookmarked folders from displaying in the Table pane by using the Exclude Bookmarks feature. To exclude an entire folder of bookmarks: 1. 2. Select (blue check or highlight) a folder. Contents of the folder (scal local 01.07.08 in the illustration) display as checked in the Table pane.
376
If you blue check the folder as shown in the illustration above and open that folder, you will see that the entire contents are selected, as below:
3.
Right click the folder you selected in the Tree pane. A dropdown menu displays.
4.
Select Exclude.
Bookmarking Items 5. The Tree display refreshes, and the excluded folder is marked with a red X.
377
6.
Show Excluded
Excluded bookmarks are not deleted, they are just hidden from view. It is possible to display them again if necessary. You can show excluded files from the Tree pane, the Table pane from the Show Excluded too on the top toolbar. Regardless of the method you select, the steps are similar.
378
EnCase Enterprise Version 6.18 1. In the Tree pane, select and right click a folder. This dropdown menu displays:
Note: In addition to the menu, there is a toolbar button labeled Show Exclude that toggles the hidden view.
2.
Bookmarking Items 3. Previously excluded files display in Table view, while excluded folders display in the Tree view. Excluded data are marked with a red X.
379
Note: The Excluded column of the display shows which files are excluded and which are not.
2. 3. 4.
Right click and drag the items to the destination folder in the tree. Release the mouse button. Click Copy Selected Items Here from the dropdown menu.
CHAPTER 11
Reporting
In This Chapter
Reporting Report User Interface Creating a Report Using the Report Tab Creating a Report Using Case Processor
382
Reporting
The final phase of a forensic examination is reporting findings. Organize and present reports in a way the target audience understands. Formatting and presentation considerations should be should be made when the evidence is first received. EnCase software is designed to help mark and export findings so the final report is generated quickly. The software provides several methods for generating a report. Some investigators prefer to break up the final report into several sub-reports in a word processing program, with a summary report directing the reader to the contents. Others create paperless reports on a compact disc, using a hyperlinked summary of the subreports and supporting documentation and files.
Reporting Here is an example of a report viewed in the Reports tab of the Table pane:
383
384
Reporting
385
2.
Place the cursor anywhere in the In Report column and right click for a dropdown menu.
3.
Select In Report.
386
EnCase Enterprise Version 6.18 4. The In Report column entry displays a black dot.
5.
2.
Place the cursor anywhere in the In Report column and right click for a dropdown menu.
Reporting 3. Select In Report Invert Selected Items. The In Report column displays black dots for the selected files.
387
4.
388
Email Report
Email records are created when you perform an email search. Perform an email search as described in Creating a Report Using the Report Tab (see page 384). 1. Select View Cases Sub-Tabs Records.
The Tree and Table panes display. The Tree pane data show the records, and the Table pane displays the record's contents. This picture shows the contents of Hunter XP:
2.
Select a record from the Tree pane, then click the Report tab of the View pane.
Reporting Selecting an entry from the Table pane displays an individual report like this:
389
2.
Click an item in the Secure Storage tree for which you want to generate a report.
3.
Select the items you want to include in the In Report column of the Table pane. If the In Report column does not display, see step 5 of Creating an Additional Fields Report (on page 396).
390
Internet Report
Records for an Internet history report are created when you execute an Internet search. Perform a search for Internet history as described in Creating a Report Using the Report Tab (see page 384). 1. 2. Select View Case Sub-Tabs Records.
The Tree and Table panes display. The Tree pane data show the records, and the Table pane displays the record's contents. Note the subfolders: Cache and History.
3. 4. 5.
Select either Cache or History to display their contents in the Tree pane. Select a record from the Tree pane, then click the Report tab of the Table pane. The report displays in the Table and View panes.
Reporting
391
2.
Select a file to report on, then select the Report tab in the View pane. The report displays.
392
393
3. 4.
394
Results of the selected Table pane keyword appear in the Report pane.
5.
Select an item in the Table pane. A report containing the file name, address, and the contents of the Tree pane keyword displays.
6.
Reporting 7. In the Export dialog, select the options you want: Output Format (TEXT, RTF, HTML, or XML) Only Checked Rows checkbox if you want to specify checked rows Start to specify a beginning row Stop to specify an ending row Fields Path for the Output File
395
8.
Click Finish to export the report to the desired format and location.
396
EnCase Enterprise Version 6.18 3. In the Table pane, click Report. A short report displays.
3. 4.
In the Table pane, select the entry where you want to view additional fields. Click the Additional Fields tab in the Tree pane.
5.
If the In Report column does not display: a. Right click in the Table pane and select Show Columns. b. Select In Report and click OK.
Reporting The In Report column displays in the Table pane. 6. Select the fields you want to include in the report. See Enabling or Disabling Entries in the Report (on page 385).
397
7. 8.
Click the Report tab in the Table pane. The report is generated containing the enabled fields.
Exporting a Report
Once a report is generated, you can save it to a file. 1. Right click in the report and click Export from the dropdown menu.
2.
398
EnCase Enterprise Version 6.18 3. 4. 5. 6. Select the output format you want (TEXT, RTF, or HTML). Enter or navigate to the desired output path. Selecting Burn to Disc enables the Destination Folder box. Right click Archive Files to create a new folder and save an .iso file to disc. Click OK.
CHAPTER 12
EnScript Analysis
In This Chapter
EnScript Analysis Enterprise EnScript Programs Forensic EnScript Code EnScript Example Code Enhanced EnScript Tab Packages
400
EnScript Analysis
The EnScript language is a scripting language and Application Program Interface (API). It is designed to operate within the EnCase software environment. Although similar to ANSI C++ and Java, not all the functions available in these languages are available. The EnScript language uses the same operators and general syntax as C++, though classes and functions are different. Classes, and their included functions and variables, are found in the EnScript Types panel in the Tree pane.
Note: For general information on a particular element, highlight it in the Code panel and press F1 to find the element in the EnScript Types panel.
EnScript programs allow investigators and programmers to develop utilities to automate and facilitate forensic investigations. The programs can be compiled and shared with other investigators. A programming background and an understanding of object-oriented programming are helpful for coding in EnScript.
Note: For help programming with the EnScript language, you can attend a training class or visit the EnScript message board at https://support.guidancesoftware.com/forum/forumdisplay.php?f=11.
EnScript Analysis To view Enterprise EnScript programs: 1. 2. In the Filter pane, click the EnScript tab. Open the Enterprise folder from the EnScript tree to see available scripts listed in the Table pane.
401
3.
Document Incident
Use Document Incident to generate a report containing details of an incident that required investigation. Open a case. 1. 2. Double click the Document Incident EnScript. Enter the following details in the General Info tab: Incident Reference Number Primary Contact Alternate Contact Incident Timing
402
3.
Click the Incident Details tab and enter information in the following fields: Incident Type Other Type Status Intent Incident Cause Incident Impact Affected Systems
EnScript Analysis 4. Click the Conclusion tab and enter the recommended course of action and comments:
403
5. 6.
Click OK The Program generates a report. Click the name of the incident in the bookmarks panel to view the report in the table pane.
404
EnCase Enterprise Version 6.18 4. Double click Machine Survey Servlet Deploy.
5.
There are different ways to add to the list of machines that will receive the new servlet. Choose one or both of them below: Click Select Machine, then log on to your SAFE, select a role, and select machines using the Network Tree. Enter an IP address or IP Range, Username and Password and Click Add.
Note: If you enter an IP range, all machines must use the same username and password.
6. 7.
If you entered an IP Range and want to exclude specific addresses, enter the address in the Machine field of the Exclude Machine group and click Exclude. Click the Management tab and select Install servlet process.
Note: You can also use this program to check for or stop servlet and SAFE processes. For information on these features, see the EnCase SAFE Administration Guide.
405
9.
Complete the dialog as appropriate using these functions: Install if servlet process not found: only installs a servlet if one is not found. Always Install: installs a servlet on all machines. Windows Servlet Path: Enter or browse to the servlet location on your machine. Linux Servlet Path: Enter or browse to the Linux servlet on your machine. Command Line parameters: Enter any command line parameters you want to use in conjunction with the servlet. Verify installation: Verifies that the install completes successfully. Retry failed deploys: Controls how often the program tries to redeploy a servlet on a machine that failed.
10. Click OK. 11. Click the Settings tab to set the output options.
406
EnCase Enterprise Version 6.18 12. Select an output option: Bookmarks: Outputs results to bookmarks in the current case. Excel: Outputs results in an Excel file. If you select this option, browse to or enter an output folder. 13. Click OK.
The program optionally creates a bookmark folder called Machine Survey Run # (With an incrementing integer). The program also optionally creates an Excel spreadsheet called MachineSurvey.xls in the folder specified above.
Quick Snapshot
Use Quick Snapshot to quickly take a snapshot of a machine currently being investigated. Quick Snapshot does not offer a deep options set, so if you want scheduling options or the ability to run EnScript program modules while taking a snapshot, use the Sweep Enterprise program. Before you run Quick Snapshot: 1. 2. Open EnCase and log on Create a case. Add a device to the case. Double click the Quick Snapshot EnScript Program. Note the machine in the IP List, and select an Available SAFE and Role.
EnScript Analysis 3.
407
Click OK. Note the IP list displays the machine to be investigated using Quick Snapshot. This list is for information purposes only, and you cannot add additional nodes.
408
EnCase Enterprise Version 6.18 1. Double click the Document Incident EnScript Program.
2. 3. 4. 5. 6.
Enter the name of the target machine and click Retrieve Snapshots. In the Choose Snapshots For Report list, select the snapshots you want to compare. Choose the types of items to report. Choose Output Options, and provide an output path. Click OK.
You can view results in EnCase, Microsoft Excel, or an Internet browser, depending on the output options you chose.
Sweep Enterprise
The Sweep Enterprise EnScript program: Collects data from some named subset of the network tree Saves the bookmarked data Optionally create snapshots Runs modules to extract data as bookmarks or exported files
If you plan to run modules, you must log on and open a case.
EnScript Analysis
409
If you choose to deploy a servlet, both the Windows servlet and Linux servlets must be available on your machine. The Linux servlet must be available even if you do not have any Linux machines. See the EnCase SAFE Administration Guide for the paths to the servlets on your SAFE machine. To run the Sweep Enterprise EnScript: 1. Double click the Sweep Enterprise object in the EnScript tree on the Filters Pane. The Case Options dialog displays. 2. If you want to change your user or SAFE: a. Click Change Safe. The User dialog displays. b. Select the user, enter a password (if required), then click Next. The SAFEs page displays. c. Select the SAFE, then click Finish. 3. If you want to change your Role: a. Click Change Role. The Role dialog displays. b. Select the desired role and click OK. The Node to Sweep page of the Sweep Enterprise wizard appears. 4. To change the machines swept (those that appear in Machines) click Network Tree, navigate to the appropriate location or machine and click OK. The appropriate IP addresses appear in Machines. 5. Select the desired module(s) to run from the Modules List. The Sweep Options dialog displays. 6. If servlets must be deployed on the machines to be swept: a. Click Servlet Options. The Servlet Options dialog appears. b. Click Deploy Servlet. You can now change the settings. c. If the username and password must be updated, enter this information in Update Machine's Username/Password, and click Update. d. If machines in the subtree to be swept already have servlets deployed, should not have servlets deployed, or should not be swept, enter the IP address of the machine in Machine, and click Exclude. 7. If the paths to the servlets on your machine must be changed, enter or browse to the appropriate paths.
410
EnCase Enterprise Version 6.18 8. 9. Click OK. Sweep Enterprise runs and the results appear in the Bookmark table on the Bookmark Home pane.
EnScript Analysis
411
Case Processor
Use Case Processor to run one or more EnScript modules against an open case. To run Case Processor, double click the program name. A Case Processor wizard displays with the name of the open case.
1. 2. 3. 4.
Enter a Bookmark Folder Name. Enter a Folder Comment (optional). Export Path populates with the default export path. Click Next to display the module selection wizard.
412
EnCase Enterprise Version 6.18 5. Make the desired selections and click Finish.
EnScript Analysis
413
Find Protected Files searches a file system for files that are encrypted or require a password to open them. HTML Carver searches all or selected files for keywords in HTML documents and bookmarks them. IM Archive Parser searches Instant Messenger log files. Kazaa Log Parser searches a case for Kazaa DBB and DAT files. Link File Parser parses all or selected LCK files and retrieves selected information. Linux Initialize Case locates Linux artifacts and bookmarks them. Linux Syslog Parser parses Linux syslog entries and exports the data to a local drive as Excel or HTML. Mac Initialize Case locates OS X artifacts and bookmarks them. Partition Finder searches unused space to find deleted volume partitions. Recycle Bin Info Record Finder finds and parses FAT INFO and NTFS INFO2 files. Scan Registry scans the Windows registry and bookmarks artifacts. Time Window Analysis Module analyses selected events between specified dates. Windows Event Log Parser parses selected Windows event logs. Windows Initialize Case locates Windows artifacts and bookmarks them. WTMP - UTMP Log File Parser parses WTMP, UTMP, WTMPX and UTMPX files on Unix systems.
Export Hashes
This EnScript generates SHA-1 and MD5 hashes of selected entries within the case and exports them to a comma separated value (.csv) or tab delimited file. 1. From the EnScript Forensic menu, double click the Export Hashes option.
414
3.
These options are selected by default: Hash Type: MD5 and SHA-1 Delimiter: Comma Split files after 64K lines checkbox
4. 5.
Make any desired changes to the defaults, then enter or browse to an Export Path.
Note: In the Export Path, you must specify whether to export to a .csv or .txt file.
Click OK.
File Mounter
File Mounter is an EnScript used to search for and mount compound files, including: DBX GZip PST TAR Thumbs.db Zip
1.
415
3. 4.
Select the desired file types and click OK. To view progress, click the Console tab in the View pane.
Compound Files
The File Mounter EnScript program lets you mount all selected compound file types, leaving them mounted at the conclusion of the EnScript program investigation. Its main purpose is to let you catalog the contents of targeted compound files. This is a listing of items within the compound file, not the actual contents themselves. The EnScript program finds targeted files based on the Find Files By and Selected Files options. It then catalogs the file contents into a LogRecordClass bookmark and adds them to the LEF if you select that option. The program then performs a preliminary keyword search that stops after a single hit. After a hit, the file is placed into a list of files that are then mounted and completely searched. Results appear in the Search Hits tab display.
416
Index Case
File indexing is part of the improved search engine. The index is a list of words in the evidence file with pointers to their occurrence in evidence. Because the index is smaller than the original evidence file it is optimized for quick searching. To learn more about case indexing, see Analyzing and Searching Files (on page 253).
EnScript Analysis 2. Complete the options as desired and click Finish. Depending on the modules chosen, additional dialogs may open. Complete them as necessary.
417
Note: Scan local machine searches the local examiner machine and does not search the evidence within the case. If you want to search the evidence in the case, use Case Processor.
Threat Analyzer
This EnScript sends information on physical memory from targeted nodes or selected devices to HBGary's Responder software for threat analysis. The script also generates a report with threat level results.
Note: Threat Analyzer analyzes physical memory only, not process memory.
418
EnCase Enterprise Version 6.18 1. 2. Open a case. In the EnScript Forensic tree, double click Threat Analyzer.
3. 4.
The script checks to verify if HBGary Responder is installed. If HBGary Responder is not detected, this error message displays:
5.
EnScript Analysis 6. The script scans for physical memory devices currently loaded in the case and displays the devices it detects.
419
The two criteria for detection are that the Drive Type is Memory Device and the Process ID is zero:
7.
420
3.
4.
The report shows: Name and type of device Threat count Maximum threat level Amount of RAM
Note: A threat level of zero indicates no suspicious items were located. The threat level itself is a summation of all suspicious items found during each scan. The higher the threat level, the more likely it is that something suspicious is on the target.
Use the Options box to select specific items (processes, objects, devices, etc.) to analyze.
EnScript Analysis
421
When you click Disk Cache, the system allocates a temporary file on disk large enough to hold the entire physical memory of the analysis target and write to this file, instead of maintaining it in memory.
1.
2. 3.
Select the SAFE you want to use, then click Finish. The SAFE field populates and the Nodes list box is enabled.
422
1.
2. 3.
Select the network you want to use, then click OK. Click the Local Machine checkbox to analyze physical memory on the local machine.
EnScript Analysis
423
1.
2.
You must enter a folder name here to provide the script with a place to put the values returned by the analysis.
Note: Folder Comment is optional.
424
You can export a report to a tab delimited text file, HTML, or both. Browse to an output location, or enter a path in the Output Path field.
425
2.
426
2.
EnScript Analysis The EnScript example programs include: Compound File Viewer Create Index Directory Enterprise Using Entry Data Enterprise Registry Operations Enterprise Using Snapshot Data Find Valid IPs Index Buffer Reader
427
Compound File Viewer parses compound files into their constituent parts for viewing. Create Index Directory generates a plain text file containing all words in an INDX file. FindValidIPs finds IP addresses. Index Buffer Reader parses information from an index buffer INDX file.
EnScript Debugger
The EnScript debugger allows EnScript programmers to conduct runtime debugging of their programs. After you create a project for the target EnScript program, a Start Debugging option displays on the toolbar:
When you click Start Debugging, the debugger starts and opens four new tabs in the View Pane.
428
These tabs keep track of: Currently running threads Local variables (Locals) at the current breakpoint Library dependencies Breakpoint locations associated with the EnScript program
You can set breakpoints in your code. EnScript stops when it reaches a breakpoint during runtime. Use the dropdown menu to set a breakpoint.
If you prefer, you can set breakpoints by clicking on the line number of the code.
Once you set a breakpoint, the Start Debugging button runs the EnScript program, which stops at the Breakpoint. While stopped, you can analyze the runtime information in the new tabs in the View pane.
EnScript Analysis
429
430
All files having at least one keyword hit are mounted persistently and their corresponding hits display in the Search Hits tab. If you select the Mount Recursively checkbox, the contents of each file mounted are checked against the File Types and Find Files By settings, and any that pass are also mounted and checked. This process can take a long time, especially when registry hives are targeted. If speed is a concern, Guidance Software recommends you leave this checkbox cleared. Certain Microsoft Office documents are considered compound files. You can parse their metadata and search it. For example, you can locate and bookmark Microsoft Word document metadata (edit times, page numbers, word counts, etc.). File Mounter bookmarks Authors as text and Edit Times as dates.
Include EnScript
The Include folder contains common program code shared by other higher-level EnScript components. These scripts are not executed independently. They are meant to be used or included in other scripts. Right now, there are nearly 100 include files in this software. They are stored by default in C:\Program Files\EnCase\EnCase\EnScript\Include. They can, however, be stored in another folder within ...\EnScript\. An EnScript developer creating new include files to work with new EnScript component can create a new folder and place the new include programs there. Once the new folder is created, EnCase applications must know of its location.
EnScript Analysis 1. Click Tools Options EnScript to display the Options dialog.
431
432
EnCase Enterprise Version 6.18 2. Complete the dialog options and click OK. Check Show line numbers to show line numbers in the gutter area when viewing or editing text in the EnScript code window. Check Debug runtime errors to automatically launch the debugger when an error is encountered while executing an EnScript. Change the Include Path field entry to reflect the new include folder location(s). Add only the folder name, not the complete path. Separate multiple folder locations with a semi-colon (;). Use the checkboxes in the Warning area to select which warnings you receive when compiling an EnScript.
EnScript Help
There are currently two sources of information about EnScript programs. Help View EnScript Help EnScript Types
EnScript Types
EnScript types reference resources containing the EnScript language classes. Perusing these types provides information about EnCase classes and functions. Click View EnScript Types
The Tree pane contains a list of the classes. Selecting the Report panel of the Table pane displays a read-only description of the selected class.
Packages
Packages are a way to distribute EnScript programs without allowing others to view or modify the code. This allows for centralized source control, and avoids unwanted code sharing. Packages are built with the .enpack file extension and function to end users exactly as EnScript programs. In addition to blocking the code from end users, you can also create license files specific to license keys, protecting you from unwanted duplication. The license files extension is .EnLicense.
EnScript Analysis
433
Package Features
Features that support the packages include: New Package dialog Create License dialog
Use the New Package dialog to create, build and edit packages. When building or editing packages the name of this dialog changes, but the tabs and setting remain the same. Use the Create License dialog to create licenses for a package. The license is assigned the License Name value on: The Package tab of the New Package dialog Edit <package name> dialog The Build dialog.
Use the New Package dialog to create, build, edit, and run packages.
434
Package Tab
The Package tab of the New Package dialog captures attributes related to the package. Use this tab to create, build, and edit the package.
Name is the file name of the package, as seen in the interface. Source Path contains the path to and file name of the EnScript source code to be packaged. Output Path contains the location and file name for the new package as you want to distribute it. Package output must have the .EnPack file extension. Archive File contains the path to and file name of an archive file where you can store multiple EnScript files. Use License determines whether other license related controls appear on the dialog. Use this setting if you want to license the package. License Name contains the filename of the license without its file extension. This setting only displays when Use License is selected. Secret Key is a key used in conjunction with the license file to secure the code within the package. This text is not exposed to end users and should not be given to end users.
EnScript Analysis
435
Properties Tab
The Properties tab of the New Package dialog captures attributes related to the product being packaged. Use this tab to create, build, and edit the package.
Product Name is the name of the EnScript source code. Major Version is the major version number of the EnScript source code. Minor Version is the minor version number of the EnScript source code. Sub Version contains identifiers for bug fix versions, patches, or build numbers of the EnScript source code. Description is self-explanatory. Company is the name of the company associated with the package. Business Phone is the phone number of the company associated with the package. Web Page is the URL of the company Web page associated with the package.
436
License File contains the path to and the filename of the license file. Dongle List contains the dongle numbers that enable the license. If the license is not restricted, leave this setting blank. Major Version contains the major version number of the software release. Expires contains the date when the license will expire. #define contains names used in the code, defined using the #define directive, which associate the license with specific functionality. A subset of functionality is associated with a given license.
EnScript Analysis
437
Using a Package
A package is Created Edited Built Run
In addition, one or more licenses are created and associated with a package.
Creating a Package
1. Do one of the following: Click the Packages tab, adjacent to the Cases tab on the root toolbar of the Tree pane. Click View 2. 3. 4. 5. 6. Packages Right click the Packages tree in the Tree pane, then click New. The New Package dialog displays the Package panel. On the Package panel, complete the settings, then click Properties. The Properties panel displays. On the Properties panel, complete the settings, then click OK.
Once created, the package appears in the Packages Table in the Table pane. The columns in this table contain the details entered in the New Package dialog.
Note: Creating a package does not produce the package file. To produce the package file, see Building a Package (on page 438).
Editing a Package
1. In the Package table on the Table pane, double click the desired package. The Edit <package name> dialog displays. 2. Modify the settings as desired, and click OK.
Note: If you want to change the code, you first need to modify the EnScript code source file, then generate a new package file. You may want to alter the version numbers to reflect this.
438
Building a Package
1. 2. 3. In the Package table on the Table pane, double click the desired package. The Edit <package name> dialog displays. Modify the settings as desired, then click OK.
Creating a License
You can create a license can be created independently of its associated package. The association with a package is made when you define the package. To create a license for a package: 1. 2. 3. 4. 5. 6. 7. 8. In the Package Table in the Table pane, right click the package and click Create License. The Create License dialog displays. In License File, enter or browse to the path and filename. In the Dongle List, enter the license keys. In Major Version, select the appropriate version number. In Expires, enter the expiration date of the package. If you want to control the feature set used via this license, in #define, enter the #defined names associated with the feature set. Click OK, then click OK again in the status message box.
Running a Package
Create and build a package (see Creating a Package on page 437 and Building a Package on page 438). A license may be associated with the package as well. 1. 2. Copy the created license file to C:\Program Files\EnCase6\Licenses. Do one of the following: Change root folder of your EnScript folder to reflect the location of the package created. Copy the created package to a folder in your current EnScript root folder, normally C:\Program Files\EnCase6\EnScript. 3. If a license is associated with the package, ensure that the installed security key matches the key(s) entered when creating the license. The EnScript program is now ready to run. 4. In the EnScript tree in the EnScript panel of the Filter pane, double click the package to run it.
CHAPTER 13
440
Use text styles to modify the display of content: The text pane The transcript pane
Text styles are defined globally on the Text Styles tab. When defined, these text styles are not associated with a case. In the Filter pane, you can: Create text styles Edit text styles Apply text styles to content in the View pane
441
Default Fonts contains the list of interface elements to be configured. Double click these interface elements to open the Font dialog. Selecting a Unicode font enables non-English language text to display in these interface elements.
Unicode Fonts
Specific fonts in the Fonts dialog are installed in Windows. If no Unicode fonts are installed on your computer, see "Install the Universal Font for Unicode" at http://office.microsoft.com/enus/help/HP052558401033.aspx.
442
Unicode interprets fonts as 16-bit words. When Unicode fonts are selected, 8-bit character sets and 7bit ASCII characters do not display correctly. Use an 8-bit font such as Courier New for English text. To properly display the characters in certain code pages, you should only select a Unicode display font. Characters that are not supported by the font or code page display as a default character, typically either a dot or a square. Modify this character when using text styles in the Text and Hex tabs of the View pane.
Text Styles
The display of non-English language content is controlled by both the type face of the content, and the text style applied to the content. A text style applies various attributed to fonts, including: Line wrapping Line length Replacement character Reading direction Font color Class of encoding Specific encoding
Text styles are applied in the Text, Hex, and Transcript panes. See Viewing Non-Unicode Files (on page 453) and Viewing Unicode Files (on page 452) for more information. You can create and edit text styles. See Creating and Defining a New Text Style (on page 448) for more information. Text styles are global; therefore, they are not associated with a specific case, but rather can be applied to any case after they are defined.
443
Name is the name of the text style. Line Wrap contains controls that determine how content appears in the Text and Hex tabs of the View pane. Fit to page eliminates line breaks in displayed content, and displays all text in the window. Line Breaks displays line breaks in the content. Max Size ignores line breaks in the content, and wraps lines at the value set in Wrap Length. Wrap Length specifies the length where a line break occurs. When you select Max Size, line breaks occur only at the value of this setting. Default Char contains the character to use to indicate the encoding or code page could not interpret the underlying value. RTL Reading sets the text display to read right-to-left (RTL). Color Element contains a list of text elements that can have a color assigned to them. Double click a list element to edit color attributes.
444
Code Page contains settings that determines the code page type used in the text style. Unicode specifies Little-Endian Unicode. If UTF-7 or UTF-8 is used, select Other, not Unicode. Unicode Big-Endian specifies Big-Endian Unicode. Other lets you select from the Code Page list. Code Page List contains a list of supported code pages.
Working with Non-English Languages Creating non-English search terms Bookmarking non-English text Viewing Unicode files Using code pages
445
1.
Click Tools
Options
Fonts.
The Fonts tab of the Options dialog displays. 2. For each interface element listed in Default Fonts where you want to display non-English: a. Double click the interface element. The Font dialog opens. b. Change the font to Arial Unicode MS, and click OK. c. Repeat step 2b until all the interface elements are configured. 3. 4. Click OK. The interface is now configured to display non-English content.
446
1.
Click Start
Control Panel
The Regional Options tab of the Regional and Language Options dialog displays. 2. 3. In Standards and formats, select the desired language. Select the Advanced tab. The Advanced dialog displays. 4. 5. In Code page conversion tables, check the desired code page. Click OK. The keyboard is mapped to the selected non-English language.
447
1. 2. 3. 4. 5. 6.
Click Start
All Programs
Accessories
System Tools
Character Map.
The Character Map utility displays. Click the desired character, then click Select. The character is added to the Characters to Copy box. Repeat step 2 to add more characters. Click Copy, then paste the characters where you want to use them.
448
To create and define a text style: 1. 2. 3. 4. 5. 6. Click View Text Styles. The New Text Style dialog displays.
Enter a Name for the new style. Enter the desired character in Default Character. Click RTL if the language is read right-to-left. Click OK if you are using a code other than Unicode Big-Endian encoding. Otherwise, select the Code Page tab. Click Unicode Big-Endian, then click OK.
Working with Non-English Languages If you are going to use a non-Unicode encoding: 1. 2. 3. Click Other. Select an encoding from the Code Page list. Click OK.
449
1.
Right click and select New from the root of the Keywords tree.
450
EnCase Enterprise Version 6.18 2. The New Keyword dialog displays. a. Click GREP and enter the GREP expression into Search Expression to create a GREP search. b. Use the Character Map to create the search string if your keyboard is not mapped to the appropriate non-English key mapping. If mapping is correct, enter the desired Search Expression. c. Make any other selections as desired. 3. 4. 5. Click OK. Select the desired code pages from the Code Page list. To test the keyword, click Keyword Tester (see Testing a Non-English Keyword on page 450); otherwise, click OK.
2.
Working with Non-English Languages 3. 4. Enter or browse to the file containing the non-English language content used to test the keyword. Click Load. Text appears in the Text pane. 5. If text is incorrectly rendered, select other code sheets until the text is rendered correctly. When a selected encoding is not one that was selected when the keyword was defined, the Expression field contains this message: Wrong codepage for this expression.
451
6.
Click Hex to view content in hexadecimal. The values x\ FFx\EE in the file header indicates that Unicode is the correct encoding. You may want to redefine the encoding used for this keyword. The hex representation of the underlying text appears.
7.
1. 2. 3. 4. 5.
In the Entries tree and Entries table, select files to search. Click Tools Index Case. In the Filters pane, click the Conditions tab. Open the Index Conditions folder in the Conditions tree. Select the non-English content, [for example, Index Terms (Umlaut)].
452
1. 2. 3. 4. 5. 6. 7. 8.
Display the text in the View pane. Sweep or select the desired text, then right click and click Bookmark Data. The Bookmark Data dialog displays. Enter a Comment. Select the desired text style in Data Type. The content displays with the selected text style applied. Click OK. The text is bookmarked and the dialog closes.
453
1. 2. 3. 4.
Click Text Styles. The Text Styles tab displays in the Filter pane. Notice the default characters between the ASCII characters. The second eight bits of the 16-bit Unicode encoding cannot be translated. Click the desired Unicode-based text style. The text displayed in the Text or Hex tab updates to reflect the new encoding.
454
To have Windows automatically associate code pages to entries: 1. 2. Select the Search button and check the Identify code page option. After the search completes, the code page column populates.
455
CHAPTER 14
Using LinEn
In This Chapter
Introduction Viewing the License for LinEn Creating a LinEn Boot Disk Configuring Your Linux Distribution Performing Acquisitions with LinEn LinEn Evidence Verification and Status Reporting Hashing the Subject Drive Using LinEn LinEn Manual Page
458
Introduction
The LinEn utility runs on the LinEn CD using the Linux operating system and enables the following functions: Performing drive-to-drive acquisitions Performing crossover acquisitions
LinEn runs independently of the Linux operating system thus improving acquisition speeds, and runs in 32-bit mode (rather than 16-bit mode). Because Linux provides greater device support, LinEn can acquire data from a larger set of devices. As with other operating systems, to prevent inadvertent disk writes, modifications to the operating system need to be made. Linux typically has a feature called autofs installed by default. This feature automatically mounts, and thus writes to, any medium attached to the computer. Instructions in this chapter describe how to disable this feature to protect the integrity of your evidence.
To create a LinEn Boot disk: 1. 2. Using your EnCase application on the investigator's machine, click Tools The Choose Destination dialog of the Create Boot Disk wizard displays. Create Boot Disk.
Click ISO Image, and click Next. The Formatting Options dialog of the Create Boot Disk wizard displays.
Using LinEn 3. 4. 5.
459
Provide a path and filename to the ISO image you downloaded earlier, optionally click Alter Boot Table, and click Next. The Copy Files dialog of the Create Boot Disk wizard displays. Right click in the right pane of the Copy Files page, and click New. The file browser opens. Enter or select the path to the LinEn executable, normally c:\program files\encase6\linen, click OK, then click Finish. The Creating ISO progress bar displays on the Copy Files dialog. Once the modified ISO file is created, the wizard closes.
6.
Burn the ISO file onto a blank CD/DVD using disc burning software of your choice. For help with this, refer to the instructions that came with your software.
You now have a boot disk to run Linux and LinEn while you acquire the subject Linux device.
Note: Because of the dynamic nature of Linux distributions, we recommend that you validate your Linux environment before using it in the field.
The process describes an ideal setup process that effectively runs the LinEn application in a forensically sound manner. Many distributions provide autofs as the means auto-mounting anything attached to the Linux system. It is essential that autofs is disabled to prevent auto-mounting.
460
Drive-to-drive acquisitions provide the means to safely preview and acquire devices without using a hardware write blocker. Drive-to-drive acquisitions use either the subject machine or the forensic machine to perform the acquisitions. The Drive-to-drive acquisition speed can be significantly faster than EN.EXE and MS- DOS from previous versions, simply because Linux is a 32-bit operating system. Crossover cable acquisitions require both a subject and forensic machine. This type of acquisition also negates the need for a hardware write blocker. It may be desirable in situations where physical access to the subject machine's internal media is difficult or not practical. This is the recommended method for acquiring laptops and exotic RAID arrays. This method is slower than a Drive-to-drive acquisition because data is transferred over a network cable, and thus is especially sensitive to the speed of the network cards housed in both machines.
Using LinEn
461
Any of these cables can be used as a hard disk cable: IDE Cable USB Cable Firewire SATA
SCSI Setups for Drive-to-drive acquisitions with 1) the forensic machine, running LinEn from the LinEn Boot Disk, connected to the subject hard drive; 2) the forensic machine, booted to Linux and running LinEn, connected to the subject hard drive; 3) subject machine, running LinEn from the LinEn Boot Disk , connected to the target hard drive:
462
Using LinEn
Note: If there are too many drives and/or partitions to display, you will see a warning message.
463
3.
Click Acquire.
464
EnCase Enterprise Version 6.18 4. Choose the physical drive or logical partition you want to acquire. The Acquire Device <drive> dialog displays.
5. 6.
Enter the full path and file name for the acquired evidence file, then click OK. Optional: Provide an alternate path in the event that the output path from step 5 runs out of disk space.
7.
Click OK.
465
9.
466
EnCase Enterprise Version 6.18 11. Enter a name for the evidence file (maximum 50 characters), then click OK.
12. Verify that the current date and time stamp are accurate, then click OK.
13. Enter a brief note (maximum 200 characters), then click OK.
467
15. Choose whether to perform a hash of the evidence file after acquisition. The two hash algorithms are MD5 and SHA1.
468
EnCase Enterprise Version 6.18 17. Specify the total sectors to acquire, then click OK. By default, the field prepopulates with the maximum number of sectors of the drive or partition.
18. Specify the maximum file size (in megabytes) for the evidence file and segment files, then click OK. By default, the field prepopulates with a maximum size of 640 megabytes.
19. Specify the block size for the evidence file, then click OK. By default, the field prepopulates with a block size of 64 sectors.
Using LinEn 20. Enter a level of error granularity, then click OK.
469
21. Enter the number of worker threads, then click OK. These threads perform compression on the buffer.
22. Enter the number of reader threads, then click OK. These threads read from the device and fill in a data buffer.
470
EnCase Enterprise Version 6.18 23. Click Yes or No to perform hashing in its own thread.
25. When the acquisition is complete, click OK. The LinEn main window displays. The subject has been acquired and is stored on the storage drive. 26. Connect the storage drive to investigator's machine. 27. Add the EnCase evidence file using the Sessions Sources dialog of the Add Device wizard. See Completing the Sessions Sources Dialog on page 115.
Using LinEn
471
Note: You must choose either AcquiireMode or HashMode. LinEn will show an error if you use both.
You can enter command line options with a single dash and the shortcut (for example, -p <Evidence Path>) or with a double dash and the full tag (for example, --EvidencePath <EvidencePath>). During the acquisition or hashing process, a pipe character (|) prints to the console for each percentage completed. There are two ways to provide necessary information to LinEn: Command line options Configuration file
Full Tag
Description
Device to be either acquired or hashed Path and file name of the evidence to be created (maximum 32,768 characters) Name of evidence within the evidence file (maximum 50 characters) Case number of the evidence (maximum 64 characters) Examiner's name (maximum 64 characters) Evidence number (maximum 64 characters) A semicolon delimited list of alternate paths (maximum 32,768 characters) Notes (maximum 32,768 characters). Enclose notes in quotes (for example, "This is a note"). Maximum file size of each evidence file (in MB: minimum 1, maximum 10,485,760) Level of compression (0=none, 1=fast, 2=best)
-m <Evidence Name>
EvidenceName
-n <Notes>
Notes
MaxFileSize
-d <Compress>
Compress
472
-b <Block Size>
BlockSize
File
Using LinEn
473
Configuration File
You can create a configuration file to fill in some or all of the variables. The configuration file needs to be in the format OptionName=Value. All of these options have the same restrictions as their command line counterparts. Options for the configuration file are:
EvidencePath EvidenceName CaseNumber Examiner EvidenceNumber AlternatePath Notes MaxfileSize Compress Granularity BlockSize Hash SHA1 Device CommandLine AcquireMode HashMode Path and file name of the evidence to be created Name of the evidence within the evidence file Case number of the evidence Examiner's name Evidence number A semicolon delimited list of alternate paths Notes Maximum file size of each evidence file Level of compression (0=none, 1=fast, 2=best) Error granularity in sectors Sectors per block for the evidence file Turn on (TRUE) or turn off (FALSE) MD5 hashing Turn on (TRUE) or turn off (FALSE) SHA-1 hashing Device to be acquired or hashed Exit if a required variable is not filled out (TRUE or FALSE) Acquire the device chosen (TRUE or FALSE) Hash the device chosen (TRUE or FALSE)
Note: Any options specified on the command line take precedence over those in the configuration file.
Once the selected operation is complete, results print to the console. Read errors and read error sectors show only if there are actual errors.
474
Hashing Results
Name: <EvidenceName> Sectors: 0-<TotalSectors> MD5 Value: <Md5Value> SHA1 Value: <SHA1Value> Read Errors: <ReadErrors> The hash value may not be accurate Read Error Sectors: <start1>-<stop1>, <start2>-<stop2>, etc.
Acquisition Results
<EvidenceName> acquired to <EvidencePath> Elapsed Time: <ElapsedTime> MD5 Value: <Md5Value> SHA1 Value: <SHA1Value> Read Error Sectors: <start1>-<stop1>, <start2>-<stop2>, etc.
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCase applications can detect and image DCO and/or HPA areas on any hard disk conforming to ATA level6 or higher specifications. The DCO and HPA areas are detected using LinEn (Linux) or the FastBloc SE module. The application now shows if a DCO area exists in addition to the HPA area on a target drive. FastBloc SE is a separately purchased component. HPA is a special area located at the end of a disk. It is usually configured so the casual observer cannot see it, and can only be accessed by a low level reconfiguration of the disk. HPA and DCO are extremely similar; the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a removed HPA at reboot. When supported, EnCase applications see both areas if they coexist on a hard drive. For more information, see HPA and DCO Configured Disks (on page 590).
Using LinEn The LinEn Main Screen displays. 3. Select Mode, then select Direct ATA Mode. The disk running in ATA mode can now be acquired. 4. Continue the drive-to-drive acquisition with Step 3 of Doing a Drive-to-Drive Acquisition Using LinEn (see page 462).
475
Mode Selection
LinEn starts up in BIOS mode. A disk acquired in this mode reports only the disk size as seen and translated by the BIOS. As a result, no data contained in a DCO are seen or reported. The Mode selection in LinEn provides a solution. Notice Disk1 in the figure. It shows a disk size of 26.8 GB. If this is acquired now, only that quantity of data is identified.
The Linux distribution in use must support Direct ATA mode for this function to work. To test for the presence of a DCO: 1. Start LinEn in the normal manner on a computer that supports Direct ATA. The main screen shows a Mode button.
476
EnCase Enterprise Version 6.18 2. Enter 'M' to select Mode. A second screen displays offering three acquisition selections: BIOS ATA Cancel 3. Enter 'A' to select ATA Mode. If a DCO is present on the disk, the original LinEn screen reports the correct disk size and the correct number of sectors. Disk1 in the following illustration shows the true disk size, 75.5 GB.
4.
Using LinEn The LinEn Main Screen displays. 5. Select Server, and press Enter. The message Waiting to connect should display.
477
6. 7. 8. 9.
On the forensic machine, specify an IP address of 10.0.0.1 for the subject machine. Launch EnCase on the forensic machine. Create a new case, or open an existing case. Right click the Devices object, and click Add Device.
10. Select Network Crossover, and click Next. 11. Select the physical disk or logical partition to acquire or preview and click Next. 12. Click Finish. The contents of the selected device reached through the network crossover connection are previewed. To acquire the content, perform an acquisition as described in Specifying and Running an Acquisition
478
Evidence Verification
Verify menu option
1.
2. 3.
Enter the path and name of the evidence file to be verified. Select OK, then press Enter.
Using LinEn 4. The Acquire Device dialog asks if you want to verify the evidence file.
479
5. 6.
Select Yes, then press Enter. Verification displays on the same status screen as the acquisition.
Status Reporting
The status screen contains a Verify option indicating whether the evidence file will be verified after acquisition. The status bar at the bottom of the screen displays the number of bytes read and written, as well as percent complete. After acquisition, the Acquisition Completed dialog shows compression percentage.
480
2.
Click Hash.
Using LinEn 3. Select a drive, then click OK. The Start Sector dialog displays.
481
4.
Specify a start sector to hash, then click OK. By default, the field prepopulates with a start sector of 0.
5.
Specify a stop sector to hash, then click OK. By default, the field prepopulates with a stop sector of the last sector of the drive or partition being analyzed.
6. 7.
Select an algorithm to use in performing the hash. The options are MD5 and SHA1. A hash value is calculated for the selected sectors. You can save this hash value to a file.
482
Using LinEn 3. In the UI, select the Help button, then press Enter.
483
4.
CHAPTER 15
486
Overview
EnCase Decryption Suite (EDS) enables decryption of encrypted files and folders by domain users and local users, including: Disk and volume encryption Microsoft BitLocker GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption Utimaco SafeGuard Easy McAfee SafeBoot WinMagic SecureDoc Full Disk Encryption PGP Whole Disk Encryption File based encryption Microsoft Encrypting File System (EFS) CREDANT Mobile Guardian Mounted files PST (Microsoft Outlook) S/MIME encrypted email in PST files NSF (Lotus Notes) Protected storage (ntuser.dat) Security hive Active Directory 2003 (ntds.dit)
EDS Features
Disk and Volume Encryption
When an Evidence File (.E01) or a new physical disk is added to a new case, the Master Boot Record (MBR) is checked against known signatures to determine whether the respective disk is encrypted. If the disk is encrypted, EnCase asks for user credentials (see the Product Matrix on page 487 for a table listing required credentials for supported encryption products). If the correct credentials are entered, EnCase decrypts the disk. No password attacks are supported. EDS supports these disk/volume encryption products: Microsoft BitLocker GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption Utimaco SafeGuard Easy McAfee SafeBoot WinMagic SecureDoc Full Disk Encryption PGP Whole Disk Encryption
487
Mounted Files
EnCase can review mounted files and search for encrypted data. If mounted files are encrypted, EnCase asks for user credentials (see Product Matrix on page 487 for a table listing required credentials for supported encryption products). If the correct credentials are entered, EnCase decrypts the mounted files. These types of mounted files are supported: PST (Microsoft Outlook) NSF (Lotus Notes) Protected storage (ntuser.dat) Security hive Active Directory 2003 (ntds.dit)
488
Product Matrix
The table below shows encryption products supported by EDS and credentials you need to provide in order to use them with EnCase. Product
GuardianEdge Encryption Plus GuardianEdge Encryption Anywhere GuardianEdge Full Disk Encryption Utimaco SafeGuard Easy McAfee SafeBoot Online SafeBoot Offline CREDANT Mobile Guardian Online X X
Password
X
User
X
Domain
Machine
Server
Path
Other
Algorithm
X Machine CREDANT ID X
Mobile Guardian Offline Microsoft BitLocker Microsoft Encrypting File System (EFS) ZIP Lotus Mail S/MIME PGP Whole Disk Encryption
Key
Keys
X X X X ADK requires path and passphrase ID File PFX Passphrase, ADK, WDRT
489
Using EDS
Analyze EFS
This command scans a volume for data and processes it. You can also run Analyze EFS from the secure storage; in that instance, it runs consecutively on all volumes in a case. 1. Right click the volume you want to analyze, then click Analyze EFS from the dropdown menu.
490
EnCase Enterprise Version 6.18 2. The first Analyze EFS dialog displays. Click Next.
3.
The second Analyze EFS dialog displays with the Documents and Settings Path and Registry Path fields populated by default. For unusual system configurations, data disks, and other operating systems these values will be blank. You can modify them to point to the user profile folders and/or the registry path.
491
When the scan is complete, the EFS Status dialog shows statistical information on keys found and decrypted and registry passwords recovered.
6.
When you are done reviewing the EFS status, click Finish.
Note: Analyze EFS can also pop up the Syskey and Password Recovery Disk screens.
The scenarios for logical evidence files are different from prior versions of EnCase: 1. 2. 3. 4. The file is encrypted and the $EFS stream is missing from the same folder within the L01: the file cannot be decrypted. The file is encrypted and the $EFS stream is in the same folder: the file can be decrypted (except for the remainder of the file, if any). The file is decrypted and the $EFS stream is missing: the file remains decrypted. The file is decrypted and the $EFS stream is in the same folder: the file will be decrypted twice .
492
From version 6.11 on, all the scenarios above are handled gracefully, because the $EFS stream is added internally. If the file is encrypted, the $EFS stream is automatically stored with the file as metadata. If the file is decrypted, the $EFS stream is not automatically stored, as it is not needed. This does not prevent you from storing the stream by specifically saving it to the LEF.
Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.
3.
493
Enter Items
Enter Syskey
You can enter Syskey information before running the Analyze EFS wizard, or afterwards if the wizard is already completed. 1. 2. 3. Right click the root entry of Secure Storage. Select Enter Items from the dropdown list, then select the Enter Syskey tab. Select the location of the Syskey (for example, a file path or a floppy disk) or enter the password manually.
4.
Click OK.
User Password
If you know the user's password: 1. 2. 3. Right click the root entry of Secure Storage. Select Enter Items from the dropdown list, then select the User Password tab. Enter the password.
4.
Click OK.
494
If the Syskey is protected and you do not know the password, an attack on the SAM file for user passwords will not be successful. This is a rare situation. Most Windows machines will not have a protected Syskey. EDS includes a dictionary attack option to get past a protected Syskey. You can obtain dictionary files from a number of sources. To access setup, right click the root of Secure Storage and select Dictionary Attack. During the Analyze EFS scanning of the registry, EnCase alerts you if the Syskey is password protected or has been exported to a floppy disk. In these cases, the Analyze EFS wizard prompts you to enter the Syskey password and/or insert the floppy disk containing the Syskey or browse to the Syskey file location. The Syskey file is called startkey.key, and you should examine any floppy disks collected at a scene for the presence of this file. If the Syskey file is recovered on a floppy disk, it can be copied/unerased from EnCase to the examination machine, and you can browse to the startkey.key location. This process is the same as when you use the Password Recovery Disk.
3. 4.
Click the option button, File or Floppy, where the file is located. Enter the path or browse to it, then click OK.
EnCase Decryption Suite 4. From the All Tasks menu, click Export.
495
5. 6. 7. 8. 9.
In the Certificate Export Wizard, click Next. Click Yes, export the private key, then click Next. Accept the default for the export file format, then click Next. Select a path and name the key (this assigns a .PFX extension), then click Next. When prompted, note the password entered.
Note: The password cannot be left blank. It is needed when using the key.
10. Click Next. A confirmation window shows details about the export. 11. Click Finish to complete the export. 12. Right click the root entry of Secure Storage. 13. Select Enter Items from the dropdown list, then select the Private Key File tab. 14. Enter the path or browse to it.
15. Enter the Password in the next prompt, then click OK. A status screen confirms successful completion and the Private Key displays in the Secure Storage tab.
496
EnCase Enterprise Version 6.18 3. Enter the path to the .PFX certificate and the password.
4. 5.
Click OK. The .PFX cert is decrypted and stored in Secure Storage.
Associate Selected
To associate *nix users with volumes: 1. 2. 3. 4. Select the Secure Storage tab. Click the checkbox next to the item or items you want to associate. Right click a checked item. Select Associate Selected from the dropdown list.
497
6.
Expand the Volumes tree and select the volumes you want to associate.
7.
Click OK.
498
The following items are of interest: Aliases: These are Security Identifiers (SIDs) that point to one or more SID entities. They have a name and a comment. Groups: SIDs that point to one or more SID entities. They have a name and a comment. These are defined groups such as Administrators and Guests. SAM Users: These are Local Users. The details are listed in the report tab of the View pane. Passwords: Found and examiner added passwords appear here. Net Logons: These are Local Users. The details are listed in the report tab of the View pane. Nix User/Group: Unix users/groups Lotus: Lotus Notes Email Certificates: These are used for S/MIME decryption and signature verification. Disk Credentials: Persistent key cache for disk/volume encryption products Master Keys: Every user with a private key has a master key that protects it. The master key itself is encrypted with a hash of the users Windows password. Private Keys: Used in the decryption of EFS files Internet Explorer (IE) Passwords: Passwords from IE 6 Policy Secrets: These are LSA secrets. They include the default password and passwords for services. Some of these secrets are not passwords but binary data placed there by the system and applications. SAM Keys/Policy Keys/Dpapi/CERT: For internal use
1.
499
When prompted, select the appropriate encryption algorithm from the list, then enter a user name, server name, machine name, and password when in online mode.
500
The SafeBoot encrypted drive is parsed. The offline dialog is similar. The Online checkbox is blank and only the Machine Name, Transfer Database field, and Algorithm are available:
3.
Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again.
501
This illustration shows results of a successful decryption. The Tree pane shows a SafeBoot folder, the Table pane contains a list of decrypted files while the Text pane shows contents of a decrypted file.
4.
The next figure shows the same files as they display encrypted.
502
1. 2.
Use the Add Device wizard to add the physical device. EnCase detects the device and displays a username and password dialog.
3. 4. 5.
Enter a valid username and password when in online mode. Click OK. Once a successful decryption is complete, save the case. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again.
Note: If the password is empty, the Challenge/Response wizard opens. For more information, see Utimaco Challenge/Response Support on page 503.
503
2.
Click OK.
504
EnCase Enterprise Version 6.18 3. A Challenge Response dialog displays with the challenge code in blue. Keep this dialog open while performing the next steps.
4.
Log in as Administrator. On the Windows Start page, click All Programs Utimaco SafeGuard Easy Response Code Wizard.
505
6.
Click Next to begin generating a one time password (OTP). The Authorization Account dialog displays.
506
EnCase Enterprise Version 6.18 7. Click Next. The Remote User ID dialog displays.
8. 9.
Enter the User ID that was used to derive the challenge code, then click Next. The Challenge Code dialog displays. Enter the challenge code generated by EnCase from step 3.
EnCase Decryption Suite 10. Click Next. The Remote Command dialog displays.
507
11. Select One time logon, then click Next. 12. The Summary dialog displays with the response code in blue.
508
EnCase Enterprise Version 6.18 13. In the EnCase dialog from step 3, select the code length and enter the response code to enable decryption of the selected encrypted evidence.
14. Click OK. 15. In the Summary dialog from step 12 , click Close to close the SafeGuard Easy Response Code Wizard, or click New to generate a new response code from a different challenge code.
This means EnCase support for SafeGuard Easy is limited to decrypting only the boot disk, because this is the only drive detected as encrypted by examining the MBR.
Workarounds
There are two workarounds for this problem. The first solution: 1. Obtain both disks. The internal disk holding the SafeGuard Easy kernel (disk 1) The external (that is, non-bootable) disk (disk 2) 2. Open the kernel on disk 1. You can then access disk 2.
EnCase Decryption Suite The second solution: 1. 2. 3. Obtain a SafeGuard Enterprise (SGN) kernel backup file of disk 1. Restore disk 1 to an empty disk.
509
Add the non-bootable disk as disk 2. The information in the newly restored kernel gives you access to disk 2.
When BitLocker is enabled, a large file is created that holds all of unallocated (UAC) space, minus 6 Gigabytes.
Note: EnCase also supports Windows 7 BitLocker to Go.
510
3.
The Recovery Key option button is selected by default. Browse to the location of the required .BEK recovery key.
EnCase Decryption Suite 4. Browse to the folder containing BitLocker keys and select the specified .BEK file.
511
5.
Click OK.
3.
512
EnCase Enterprise Version 6.18 4. Browse to the folder containing BitLocker keys.
EnCase Decryption Suite 5. Find and open the .TXT file that matches the Password ID.
513
6.
Copy and paste the recovery password into the BitLocker Credentials dialog.
7.
Click OK.
514
Each data volume has a corresponding registry key (SYSTEM\ControlSet0xx\FVEAutoUnlock\{GUID}) containing the key (AutoUnlock Volume Key, or AUVK) that can decrypt the Volume Master Key of that particular volume. This key has an associated GUID matching the GUID of a key protector in the data volume metadata. The picture below shows AutoUnlock registry keys for three volumes.
This picture shows Secure Storage after the Analyze EFS process:
515
4. 5.
3. 4.
When you finish building the RAID, EnCase displays the BitLocker Credentials dialog. Provide the credentials. See Decrypting a BitLocker Encrypted Device Using Recovery Key on page 510 or Decrypting a BitLocker Encrypted Device Using Recovery Password on page 511 for details. Click OK. EnCase decrypts all available volumes.
5.
516
Successful Decryption
When decryption is successful, the volume's file system type displays in the first sector.
Unsuccessful Decryption
If decryption fails, FVE-FS displays in the first sector.
517
Once you preview a machine's disk or open an evidence file, the Master Boot Record (MBR) is checked against known signatures to determine whether the disk is encrypted. The SecureDoc signature is WMSD.
Each SecureDoc user has a key file which can contain multiple keys encrypted using a password associated with the file. SecureDoc users have either administrator or user privileges: Administrators can encrypt/decrypt drives, reset passwords, add keys to a key file, etc. Users can only change their passwords.
An installer is provided to place these integration DLLs in %ENCASE%\Lib\WinMagic\SecureDoc: SDForensic.dll SDC.dll SDUser.dll
Note: The integration is supported on the 32-bit version of EnCase.
518
EnCase Enterprise Version 6.18 1. When adding a SecureDoc disk, Encase prompts for three credentials:
a. The path to the file containing the user keys (extension .dbk). b. The password associated with the key file. c. The path to the emergency disk folder corresponding to the physical disk under
examination.
2. 3. 4.
Enter the credentials, then click OK. If the credentials are correct, EnCase decrypts the disk and parses the file system structure. When you save the case, the ranges of encrypted sectors and the original MBR are retained in the case file for previewed drives as well as evidence files.
The disk view shows encrypted information in the Text and Hex panes for encrypted drives. The disk view shows decrypted information in the Text and Hex panes for decrypted drives.
Note: SecureDoc 4.5 does not allow for enabling the SCSI_PASS_THROUGH; because of this, every sector's data is decrypted by SecureDoc's filter driver during a physical acquisition.
You can acquire either: All logical volumes by acquiring at the physical level An individual logical volume by acquiring at the logical level
519
The completed acquisition contains the decrypted volumes. You do not need a password to view the file structure.
To decrypt, you need a cert file for your dongle to activate the EDS module in EnCase. For Encryption Plus/Encryption Anywhere, you also need: The EPCL32.dll file placed in the \lib\PC Guardian-Guardian Edge\EPHD folder in your EnCase installation The EPcrypto.dll file placed in the \lib\PC Guardian-Guardian Edge\EPHD folder in your EnCase installation Username Password
For Hard Disk Encryption, you also need: The EPCL32.dll file placed in the \lib\PC Guardian-Guardian Edge\EAHD folder in your EnCase installation The EAECC.dll file placed in the \lib\PC Guardian-Guardian Edge\EAHD folder in your EnCase installation Username Password Domain
Upon previewing an encrypted device or adding a physical evidence file of an encrypted device, EnCase prompts for the credentials. Once the correct credentials are added, the file and folder structure of the device displays unencrypted.
520
Affected dialogs which previously displayed the text "GuardianEdge" now show it as "GuardianEdge/Symantec," as in this example:
The following dlls are required to decrypt an SEE encrypted device on a 64-bit examiner machine: EAECC.dll EPCL.dll
Place these dlls in the Lib\PC Guardian-Guardian Edge\EAHD folder of your EnCase installation.
Note: The version of the EAECC.dll must match the product version of SEE.
521
In addition to the above, you may need to install the following if they are not already present on the system: GEHD 9.4.1/SEE 7.0.4: msvcp71.dll and msvcr71.dll GEHD 9.5.0/SEE 7.0.5: msvcp80.dll and msvcr80.dll (these must match the EnCase platform: 32 or 64-bit) GEHD 9.5.1/SEE 7.0.6: msvcp80.dll and msvcr80.dll (these must match the EnCase platform: 32 or 64-bit)
You can obtain the dll library you need from the SEE installation folders on the client machine.
2.
For more information, see Knowledge Base article 00002281 in the GuardianEdge Customer Support Portal (https://na4.salesforce.com/sserv/login.jsp?orgId=00D300000001ZQU ).
522
EnCase Enterprise Version 6.18 For GuardianEdge Encryption Plus: PC Guardian-Guardian Edge\EPHD\EPCL32.dll PC Guardian-Guardian Edge\EPHD\EPcrypto.dll
To decrypt a PGP encrypted disk, you need one of the following: A Whole Disk Recovery Token (WDRT) from the PGP Universal Server An Additional Decryption Key (ADK) from the client machine The user's passphrase
Note: The PGPEnCase.dll resides in the installation folder of EnCase (typically C:\Program Files\EnCase6\lib\PGP\WDE).
523
2.
Click the Users tab to go to the Internal Users page. Note which user displays the Recovery icon associated with a user name.
3.
Click the user name associated with the Recovery icon. The Internal User Information page displays.
4. 5.
Click the Whole Disk Encryption button to see the machine associated with this user. Click the WDRT icon.
524
EnCase Enterprise Version 6.18 6. The Whole Disk Recovery Token page displays. Note the token key consisting of 28 alphanumeric characters.
7.
In EnCase, enter the token key in the Whole Disk Recovery Token field of the PGP Whole Disk Encryption credentials dialog, then click OK.
Note: You can enter the token key with or without dashes.
1. 2. 3.
Log on to the PGP client workstation. Click Start Programs PGP PGP Desktop. In the PGP Desktop - PGP Disk window, click the PGP Disk at the left side and select any disk listed.
525
5. 6.
In the User Access section at the bottom of the screen, export the key as an .asc file. In EnCase, enter the full path to the .asc file in the Additional Decryption Key (ADK) Path field, as well as the passphrase protecting the file, in the PGP Whole Disk Encryption credentials dialog.
526
Click OK.
EnCase reviews your mounted files and looks for CREDANT-encrypted data (CredDB.CEF file). If it finds this data, a logon dialog displays.
527
The dialog populates with a known user name and password, Server, Machine ID, and the Shield CREDANT ID (SCID). CREDANT files are processed and decrypted with no further interaction, given that the credentials are correct.
528
EnCase Enterprise Version 6.18 The offline dialog is similar. The Online checkbox is blank and the Machine ID and SCID fields are unavailable.
2.
Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to re-enter them.
The illustration below shows results of a successful decryption: The Tree pane shows a CREDANT folder The Table pane contains a list of decrypted files
EnCase Decryption Suite The Text pane shows contents of a decrypted file
529
The next illustration shows the same files as they appear unencrypted.
530
1.
531
Supply the parameters as follows: CEGetBundle [-L] XURL -aAdminName -AAdminPwd [DAdminDomain] [-dDuid] [-sScid] [-uUsername] -oOutputFile -oOutputFile -IOutputPwd
-L URL Legacy mode for working with pre 5.4 server installs Device Server URL (for example, https://xserver.credant.com:8081/xapi) Administrator user name Administrator password Administrator domain (optional: required only if the CMG Server is configured to support multiple domains) Machine ID for the target device (also known as the Unique ID or hostname) Shield CREDANT ID (also known as DCID or Device ID) Name of the forensic administrator File to save the key material in Password to encrypt output file
MUID
Here is a command example: cegetbundle -L -X"https://CredantServer:8081/xapi" a"Administrator" -Achangeit -d"CredantWorkstation.Credant.local" -sCI7M22CU u"Administrator" -o"C:\CredantUserKeys.bin" -iChangeIt 3. Place the .bin file downloaded from the CREDANT server in a path accessible from the Examiner machine. Open EnCase and create a new case or open an existing one. You must have EnCase Decryption Suite installed on the Examiner machine that decrypts the CREDANT-encrypted data.
Note: In legacy mode, you must execute this utility for each user targeted for investigation on the target device while specifying the same output file. The keys for each user are appended to this output file.
4.
Acquire a device with CREDANT encrypted files, or load an evidence file into the case. The Enter Credentials dialog displays, prompting you for only the Username, Password, Server/Offline Server File, Machine ID, and Shield CREDANT ID (SCID) information.
Note: In Offline mode, the only information you must provide is the Password and Server/Offline Server File (full path and filename to the .bin file downloaded using the CEGetBundle.exe utility).
When EnCase decrypts CREDANT encrypted files, the key information is placed in Secure Storage in EnCase, and saved with the case. You do not have to re-enter this information.
532
In EnCase versions prior to 6.12, there are different scenarios from logical evidence files from prior versions of EnCase: 1. 2. 3. 4. The file is encrypted and the CredDB.CEF file is missing from the same folder within the L01: the file cannot be decrypted. The file is encrypted and the CredDB.CEF file is in the same folder: the file can be decrypted. The file is decrypted and the CredDB.CEF file is missing: the file remains decrypted. The file is decrypted and the CredDB.CEF stream is in the same folder: the file will be decrypted twice.
Note: The workaround in case 4 is to cancel the CREDANT Credentials dialog or delete the CREDANT keys from the secure storage.
From version 6.12 on, all the scenarios above are handled gracefully, because the CredDB.CEF file is added internally. If the file is encrypted, the CredDB.CEF stream is automatically stored with the file as metadata. If the file is decrypted, the CredDB.CEF stream is not automatically stored, as it is not needed. This does not prevent you from storing the stream by specifically saving it to the LEF.
Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.
EnCase Decryption Suite 2. Right click a folder in the left pane. A dropdown menu displays.
533
3.
4.
534
EnCase Enterprise Version 6.18 5. Enter the path to the PFX certificate and the password, then click OK.
The PFX cert is decrypted and stored in Secure Storage. S/MIME decryption and signature verification happens in the background. Given the proper password, the certificate is stored in Secure Storage under E-Mail Certificates folder. After you import the required certificates into Secure Storage, you can parse the email container files using the View File Structure feature in the Entry View. S/MIME Email Certificate contents are displayed like this in Secure Storage:
535
When parsing is complete and successful a directory list displays. In the illustration, the folder is entitled smime.p7m (S/MIME data comes as an attachment of the email). In Entries view, the text of the email is shown in the Text pane while the email's attachments appear in the Table pane.
536
Records view:
537
It also has an NSF file that represents the user's mailbox in 8.3 format in the default path <domino installation folder>\data\mail\<user>.nsf.
538
2.
3.
539
5.
540
541
Encrypted Block
The example below shows an encrypted block at offset 0x22000:
The decryption algorithm uses a seed that is based on the basic seed from the header and the block offset.
542
Decrypted Block
Here is an example of a decrypted object map at offset 0x22000:
543
If the corresponding ID file cannot be parsed successfully, the Secure Storage is not populated with the data needed to parse the locally encrypted NSF; thus, the Lotus volume is empty:
544
There are two ways to decrypt RMS protected files: At the volume level At the file level using View File Structure
For versions of Windows prior to Vista, you must install Microsoft Windows Rights Management Services Client 1.0 (SP2) before running the RMS standalone installer.
Note: When decrypting RMS protected files, it is important to enter correct credentials. Since EnCase attempts to decrypt RMS protected documents even when you enter incorrect credentials, for large PST files of several GB there could be a long wait--up to several hours--before learning the credentials you entered did not work. So it is crucial to enter correct RMS credentials in the first place.
545
Double click the executable to begin installation. The Windows RMS Library Installer dialog opens.
2. 3.
If more than one version of EnCase is listed, select the version you want to target. Click Finish. If the installation is successful, this message displays:
4.
Click OK.
546
2.
3. 4.
Enter a Username and Password, then click OK. EnCase decrypts RMS protected files in the volume.
EnCase stores the credentials you entered, so the next time you do not need to enter them again.
547
MSO
1. Right click the MSO-protected file (that is, a Word document created with Office 2003) you want to decrypt, then click View File Structure. This dialog opens:
2. 3.
Select the Find RMS Content checkbox, then click OK. The RMS credentials dialog opens:
4. 5.
Enter a Username and Password, then click OK. EnCase decrypts RMS protected files in the volume.
EnCase stores the credentials you entered, so the next time you do not need to enter them again.
OPC
1. Right click the OPC-protected file (that is, a Word document created with Office 2007) you want to decrypt, then click View File Structure. This dialog opens:
2.
548
2. 3.
Select the Find RMS Content checkbox, then click OK. The RMS credentials dialog opens:
4.
549
In Windows 2000, however, the Master Key is protected by the use rs password hash with a mechanism that slows down any attack. The Master Key protects the users private key. And the users private key protects a key within the $EFS stream that allows for decryption of the EFS encrypted file.
Dictionary Attack
Software implementing this method normally uses a text file containing a large number of passwords and phrases. Each is tried in turn in the hope that one of the words or phrases in the file will decrypt the data involved. A large number of dictionary files (sometimes called word lists) are on the Internet, or you can create your own list. Creating your own list may be preferable if the person under investigation has a particular interest, such as football. There are freeware utilities on the Internet you can use to create a dictionary from combinations of letters, numbers, and characters up to a predefined length. Free Wordlist Generator (http://www.soft82.com/download/windows/free-wordlist-generator/) is one example. EDS can attack NT based user account passwords and cached net logon passwords using a dictionary attack.
550
Built-in Attack
Specific items do have associated passwords. If they are not automatically retrieved, you can use a trial and error mechanism. This may or may not succeed.
External Attack
Local users can be attacked with third party tools. There are freeware tools, and their performance is much greater than EnCase because they can run on many computers at the same time and/or use rainbow tables. EnCase can export the local users password hashes in the PWDUMP format that most tools read. This is done from the User List.
551
User List
The User List of Secure Storage shows Local Users, Domain Users, Nix Users, and/or Nix Groups from the local machine or evidence file. Information such as: last logon date user SID NT hash LanManager hash
Integrated Attack
There are three different sources for words to be tested: Internal passwords: These are the password items in the secure storage Dictionary words: The dictionary is a plain text file that can be in ANSI-Latin1 or UTF16. Every word needs to be on its own line (it can contain any character, including spaces). Brute force: Automatically generates words from an alphabet with a length in a given range
552
There are four mutators that can be applied: Toggle Case: Tries all the upper/lower case variations Append Digits Prepend Digits Combine Words: The words are combined with each other. For example, if the dictionary contains the words "old" and "dog", the result is these four words: old dog olddog dogold
CHAPTER 16
554
555
Using PDE
1. Right click the logical or physical drive, and select Mount as Emulated Disk.
2.
556
Cache Options
If a physical device or volume (not a CD) is selected, decide whether to cache data. By default, caching is disabled. Use the write cache if programs need to access the files in an emulated read/write mode. If cache is enabled, changes made by programs are sent to a separate cache file specified on your local system. 1. 2. 3. To create a new write cache file for an EnCase Differential Evidence File, clear the Disable caching checkbox. Select Create new cache in the Cache Type group and specify a Write cache path. Select Use existing cache and ensure the existing write cache file is specified in the Write cache path field.
If you choose to use an existing cache path, make sure to use a write cache file that was created with the evidence you are currently mounting. Caching is necessary for PDE to function with VMware. In this state, Windows caches file deletions and additions. This is used to boot the drive with VMware as described later in this section. Caching is also necessary when mounting certain volume types.
557
CD Options
If a CD is mounted, the CD Session to view option is enabled to specify which session on a multisession CD should display in Windows. The default session is the last session on the active CD, which is the one normally seen by Windows. 1. 2. 3. To view a prior session, select that here. Click OK to continue. If a message displays saying the software you are installing has not passed the Windows Logo test, click Continue Anyway. This allows Windows to add the evidence file as a drive with its own drive letter.
Verify that the evidence file has been mounted with a drive letter by browsing in Windows Explorer. With the drive letter, you can apply third-party tools. When the share is created, a sharing (hand) icon appears on the device in the interface.
Files and folders on the mounted device can be accessed in Windows in the same manner as if the device were an additional drive, although changes will be written to cache (if in use) instead of to the device itself.
558
The cache is saved in the path specified for write caching. Each time after the initial save, an instance number is appended to the cache file. These cache files can later be used to remount the evidence in its saved state, but you must have all of the preceding cache files, located in the same directory. To end the emulation: 1. 2. Double click the flashing Physical Disk Emulator indicator in the lower right of the application window. Click Yes in the Thread Status window to cancel the disk emulation.
The purpose of the final cache is to create a compressed and merged Differential Evidence File (*.D01) containing the cached data. With the Save Emulated Disk State option selected, there are multiple cache files for the same mounted evidence session. The final cache merges all these files. If there is no need to save the final file, select Discard final cache. Use the Differential Evidence File to open the evidence file and view the emulated disk with the cached changes applied. To apply the cached data: 1. 2. 3. 4. Right click the device. Select Mount as Emulated Disk. Click the Client Info tab. Clear the Disable caching checkbox.
Physical Disk Emulator 5. 6. Select Use existing cache. Browse in the Write cache path field to find the *.D01 file. After the disk mounts, Windows Explorer reflects the cached changes. When the device is dismounted, a status screen informs whether the disk was dismounted successfully.
559
Third-Party Tools
Investigators with the PDE Module can use Windows Explorer to browse the structure of computer evidence. They can also utilize third-party tools capable of requesting and interpreting data from Windows Explorer to examine evidence outside of EnCase. Guidance Software does not certify the performance or accuracy of results obtained through any tools not developed by Guidance.
560
Malware Scanning
A common use for EnCase PDE is to mount computer evidence for scanning for viruses, Trojans, and other malware programs. First, mount the drive or volume from the evidence file through PDE. In Windows Explorer, select the newly mounted drive (in this case, F:). If an antivirus program is installed and integrated with Windows Explorer, it can be used to scan for viruses. The program reads the emulated disk presented to Windows Explorer. EnCase serves the requested data to Windows Explorer, then to the program for scanning.
a. Use the Windows Initialize Case module from the Case Processor EnScript to determine
the operating system.
b. Check the contents of the boot.ini file, which is located on the partition root. c. Examine the folder structure, noting the following:
Windows 2000, XP, and 2003 Server all use the C:\Documents and Settings folder for user profiles and folders. Windows NT and 2000 use the C:\WINNT folder for the system root. Windows 9X, XP and 2003 Server use the C:\Windows folder for the system root. 2. 3. Mount the physical disk containing the operating system using Physical Disk Emulator. Make sure to enable caching. Determine what physical disk number is assigned to it using one of these methods: This information is provided when the device is mounted. Select the Disk Management option: right click My Computer in Windows, then select Manage.
Note: There is currently an issue with VMware that prohibits VMware from booting a virtual machine located on a physical disk that is preceded numerically by a SCSI, FireWire, or USB drive. For best results, ensure that only IDE drives are plugged into the machine when you choose to mount as an emulated disk in the EnCase interface. This is easy to verify in Disk Management. If you encounter a message stating "The specified device is not a valid physical disk device," it is most likely a result of this issue. Do not use PDE to mount drives in an evidence file or preview of the local computer. Windows, particularly XP, blue screens if it detects multiple instances of the same drive. Use only evidence files of other machines.
561
5.
6. 7.
Select an operating system from the Version drop-down menu to identify the operating system version installed on the evidence file, then click Next. In the Name the Virtual Machine dialog, enter a virtual machine name.
562
As an option, you can click Browse to change the location for VMware's configuration files. 8. 9. Click Next. Assign the amount of memory for VMware to use, then click Next.
10. Select the type of network to use, then click Next. Selecting Do not use a network connection is recommended in the event that there is some type of malware installed on the machine the evidence file was created from.
11. Accept the default setting in the Select I/O Adapter Types dialog, then click Next.
Physical Disk Emulator Ignore any subsequent warning messages. 13. Select the disk that represents the mounted drive using PDE. 14. Accept the default setting of Use Entire Disk, then Click Next. 15. Use the default disk file specified in the Specify Disk File dialog, then click Finish. If the disk file is not recognized as a Virtual machine, you can change the name of the file (taking care to leave the .vmdk extension).
563
VMware returns to the main screen, showing the newly created virtual machine.
564
When the virtual machine starts, the operating system is shown as if the forensic machine was booting the drive. It boots in the same manner as the native machine. 2. 3. As with booting restored hard drives, the virtual machine may require a user name and password to proceed. Since popups (such as AOL Instant Messenger) can cause driver problems, save the state of the virtual machine regularly.
What do I do if I see the message "The file specified is not a virtual disk" after running the New Virtual Machine wizard?
After completing the new virtual machine wizard in VMware, you may receive an error message ("The file specified is not a virtual disk."). This issue is with VMware, not EnCase. Running the new virtual machine wizard again usually resolves this issue.
565
To resume a virtual machine: 1. 2. Start VMware Workstation and choose a virtual machine you have suspended. Click Resume on the VMware Workstation toolbar. Note that any applications you were running when you suspended the virtual machine are running and the content is the same as when you suspended the virtual machine. You can obtain additional VMware troubleshooting information from their knowledge base at http://www.vmware.com/support/kb/enduser/std_alp.php?
566
PDE Troubleshooting
Physical Disk Emulator is not listed under modules when accessing About EnCase from the Help menu
If you are using cert files, check to see that the PDE certificate is located in the Cert directory (typically C:\Program Files\EnCase6\Certs). Make sure the security key is installed and working properly (check the title bar to ensure that the program is not in Acquisition mode). If you are using cert files, check the security key ID to verify it is the correct one issued for the certificate.
A message is encountered stating that PDE cannot remove the device when attempting to dismount the device mounted
The error message may occur if Windows is accessing a file on the mounted device (for example, the directory is opened in Windows Explorer or a file is opened in a third-party application). To resolve the issue, close all Windows applications accessing the mounted device, then click OK.
An error message is encountered stating that you need to reboot your machine, followed by a "Rejected connection" message
This issue is due to the device driver not being released properly. The only way to resolve this issue is to close all applications (including the EnCase application) and reboot the forensic machine. You should not encounter the error again when the machine is rebooted.
Note: If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.
CHAPTER 17
568
569
570
EnCase Enterprise Version 6.18 3. Click the Client Info tab to set the volume letter to be assigned to the network share in Windows Explorer.
4.
The default setting allows Windows Explorer to assign the next available volume letter, or you can set any other letter that is currently not assigned. Assigning a specific volume letter can be useful when attempting to virtually reconstruct a mapped network drive, such as for a database: If you currently have mapped networked drives or if you let Windows assign the drive letter, it takes a few seconds to query the system to find an available drive letter If you specified a volume letter, and it is available, the mounting is virtually instantaneous
A confirmation popup window informs you that the mount was successful, with the volume letter. The "shared hand" icon appears at the level you designated as the mount point for the shared drive.
Compound Files
You can mount many compound files, including Microsoft Word, Excel, Outlook Express, and Outlook files, in the EnCase interface. To do this: 1. 2. Right click the file. Select View File Structure. In the example below, a Microsoft Word .doc file is mounted. The device is then mounted with VFS at the device level.
571
3. 4.
To mount the case, drive, volume, or folder with VFS as for a single case, drive, etc., right click and select Mount as Network Share, as described above for single items. View the mounted file as a folder in Windows Explorer, where the compound file structure can be browsed.
VFS is a dynamic engine and will serve the data as it is presented by the EnCase software. To view the original Word document file: 1. 2. Close the mounted compound file. In Windows Explorer, refresh the screen using the F5 key. If you have currently selected data within the compound file, an error message reports that the data is no longer available, since it was closed inside EnCase. 3. Select the parent folder of the file to view and open the file.
572
RAIDs
RAIDs mounted inside EnCase can be browsed in Windows Explorer. In the example below, a software RAID 5 comprised of three drives was mounted, then made available for browsing in Windows Explorer with VFS.
Deleted Files
The VFS module allows investigators to view deleted and overwritten files in Windows Explorer. An investigator may locate a file in Windows Explorer to view or analyze, but finds that it is not possible to open it. If a file does not open, review the original data in the EnCase interface to see if the file is indeed valid and is not corrupted or partially overwritten.
Virtual File System The first method is to load a device without parsing the file system: 1. 2. 3. 4. 5. Launch the EnCase application. Open a new case. Load the device by clicking Add Devices. Right click the device and select Edit. In the Device Attributes window, clear the check from the Read File System box.
573
When the device is loaded into EnCase, the partition and file system are not read and interpreted. The entire device can then be mounted with VFS and be available for examination in Windows Explorer as Unused Disk Area, including slack space.
1. 2. 3.
Another option is to copy only slack area from evidence to the examination computer as a logical file: Select the device(s) where you want to examine the slack space. Right click the file and select Copy/UnErase.
574
EnCase Enterprise Version 6.18 4. Select the All selected files radio button under From, and the Merge into one file radio button under To, then click Next.
5. 6.
In the Copy section of the Options screen, select RAM and Disk Slack to copy the RAM slack (also known as sector slack) and the Disk Slack (also known as cluster slack). Select the appropriate Character Mask option for non-ASCII characters, or leave the default and click Next.
7.
Set the destination path and the name of the file to contain the slack, then click Next.
Virtual File System 8. Click OK in the Copying files dialog that displays at the end of the copying process.
575
The file containing the slack from the evidence is now available for examination by third-party utilities on the local examination machine. In the example below, a file is open in WordPad.
576
In this example, the / (root) partition of a Solaris workstation is mounted and the parent folder name (the partition name) is displayed as the high-dot.
Note: Windows has a limit of 264 characters in a full path and file name. This limitation may impact some examinations in Windows Explorer, especially for Unix and Linux devices. In this situation, the investigator may need to mount at the partition or folder level.
577
2.
In the confirmation that the evidence was successfully dismounted, select any status saving options and click OK.
578
When an investigator selects a folder in Windows Explorer, the data is served by EnCase and displayed in Windows Explorer. As the directories are browsed in Windows Explorer, the file names populate in the Unique Name column, so an investigator can determine which file he or she is examining. EnCase appends a pound sign (#) to the end of duplicate file names in the same folder in Windows Explorer.
Several operations are then possible, including the following: Browse the mounted case and associated devices in Windows Explorer Open hidden and deleted files if Show hidden files and folders is enabled in Windows Explorer using the Folder Options in the Tools menu
Virtual File System Use the thumbnail viewer in Windows Explorer to view images in the manner seen by the original user
579
Third-Party Tools
Using VFS, investigators can examine evidence outside EnCase by utilizing third-party tools capable of requesting and interpreting data from Windows Explorer. However, Guidance Software does not certify the performance or accuracy of results obtained through any tools not developed by Guidance.
Malware Scanning
A common use for VFS is to mount computer evidence to scan for viruses, Trojans, and other malware programs: 1. Mount the evidence through VFS either locally on the examination machine, or remotely through VFS Server. You can mount the evidence at the device, volume, or folder levels as described previously. The "shared hand" icon indicates the level of the virtual file system mount. 2. 3. In Windows Explorer, select the gsisvr offline network drive. Use antivirus software to scan the file.
In the example below, the Scan for Viruses option from Symantec AntiVirus is run by right clicking the drive.
580
The antivirus software can read the Virtual File System presented to Windows Explorer. The requested data is served by EnCase to Windows Explorer, then to the program for scanning. In this case, the MyDoom virus was found on the computer evidence mounted with VFS.
The examination reports and logs generated by the third-party tools can then be reviewed and included in the investigator's investigative report.
2. 3.
In the Folder Options window, click the File Types tab. Select the desired extension, and the Details for section lists the program designated for that extension.
Virtual File System In this example, JPEG files open with Adobe Photoshop CS. 4. Click the Change button.
581
582
WordPad can open most text-based files to allow you to view the contents. In the example below, a Linux file is opened with WordPad in Windows Explorer from an evidence file mounted with VFS.
QuickView Plus
Another popular viewing program, QuickView Plus, can be used to view dozens of file formats, without the native applications installed on the examination machine.
VFS Server
The VFS Module has a server extension so that investigators can share the mounted evidence with other investigators on the local area network/intranet through VFS. The extension enables a number of clients to mount the network share served by the VFS Server through a network connection under these conditions: Only the machine that is running the VFS Server needs a security key inserted A security key is not required to connect to the VFS Server and access the served data in Windows Explorer. The client machine(s) must have EnCase installed to access the VFS client drivers but can run in Acquisition mode
Virtual File System The number of clients that can connect to the VFS Server depends upon the number of VFS Server connections purchased. This information is contained in the VFS Certificate or programmed into the security key.
583
To determine if the VFS Server is enabled and to view the number of available client connections, do the following: Select About EnCase from the Help menu. If the VFS module is not listed, or the number of clients is not sufficient, contact Customer Service to purchase additional clients.
6. 7.
Enter a Port number or use the default of 8177. The Server IP Address is grayed out since the server's IP address is the one assigned to the machine where the mount is taking place. Note the server machine's IP address for use with the client.
584
EnCase Enterprise Version 6.18 8. Set the maximum number of clients who can connect to the server, with the default being the maximum allowed by your VFS Server certificate.
Since VFS is mounting the evidence as a networked shared drive, the serving port must be assigned. To allow recovery from errors in Windows, such as a crash while using third-party tools as described previously, the VFS service runs for the life of the Windows session from that port. The VFS Server can also serve the data locally to the investigator's machine. Be aware that it uses one of the server connections.
2. 3. 4.
Select Allow specific IPs. Right click in the Allowed IPs box. Select New and enter the IP addresses.
Virtual File System 5. To enter multiple IP addresses, repeat steps 3 and 4. To edit or delete existing IP addresses, right click Allowed IPs.
585
6. 7.
Select the Client Info tab. To also mount and view the shared drive locally, leave the Mount share locally box checked and input a volume Letter. By default, the volume letter field displays an asterisk, indicating that the next available drive letter will be used. Mounting the share locally uses one of your VFS Server connections. If you are only serving the share to remote clients, clear Mount share locally. The Volume Letter is disabled.
The VFS Server mounts the share and allows connections on the assigned port. The shared hand icon displays at the VFS mount point. You can continue your examination while it is shared. Performance depends on the size and type of the examined evidence, processing power of the server and client machines, and the bandwidth of the network.
On the Server Info tab, enter the Server IP Address for the VFS Server machine, and enter the port number the server is listening on. On the Client Info tab, select the Volume Letter to assign the share, or accept the next available letter.
586
The confirmation message displays. On the client machine, the share is available in Windows Explorer as gsisvr with the assigned drive letter. The shared computer evidence can be examined as previously described.
Troubleshooting
Virtual File System is not listed under Modules
If you are using cert files, check to see that the VFS certificate is located in the proper Certs directory (typically C:\Program Files\EnCase6\Certs). Make sure the security key is installed and working properly (check the title bar to ensure that the software is not in Acquisition mode). You do not need to have the security key installed on a machine connecting to a remote VFS Server. If you are using cert files, the certificate file is issued for a specific security key. Check the security key ID to verify it is the correct one issued for the certificate.
587
Check to see how many machines are connected to the server, and determine how many clients are permitted to connect to a VFS Server by selecting About EnCase from the Tools menu on the machine running the VFS Server. Determine the number of allowed clients by looking at the number listed next to the Virtual File System Server module.
Note: If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.
CHAPTER 18
FastBloc SE Module
In This Chapter
FastBloc SE Module Background Information ProSuite FastBloc SE/SATA/IDE Support for Vista 64-bit Installing the FastBloc SE Module Using the FastBloc SE Module Disk Caching Troubleshooting
590
FastBloc SE Module
The FastBloc SE (Software Edition) module is a collection of drive controller tools designed to control reads and writes to a drive attached to a computer through USB, FireWire, SCSI, IDE, and SATA controller cards in order to enable the safe acquisition of subject media from Windows to an EnCase evidence file. In addition, an investigator can wipe devices attached to a controller card controlled by the FastBloc SE module, or restore them while maintaining the hash value of the logical file. When FastBloc SE module's write blocking capability is enabled, it ensures that no data are written to or modified on a write blocked device. In the past, conducting a forensic, non-invasive acquisition of a hard disk drive was performed in DOS, or through a write protecting hardware device. This was done to control writes by the operating system to the subject drive. The FastBloc SE module eliminates the need to have a hardware write blocker installed on the forensic machine in order to acquire EnCase evidence files in a forensically sound manner through Windows.
Background Information
HPA and DCO Configured Disks
Host Protected Area
Hard disks can be configured with a Host Protected Area (HPA). It is designed to allow vendors to store data safe from user access, diagnostics or MS Windows backup tools. If present, the data stored in this area is inaccessible by the operating system, BIOS or the disk itself. Knowledge of this area and the ability to access it are important, as there is the potential for a sophisticated user to hide data in the HPA. The FastBloc SE module sees the HPA if it is present, and the content hidden there displays. Disk integrity remains intact when previewing and acquiring disks with HPAs.
FastBloc SE Module
591
Architecture
Both the HPA and the DCO are typically located at the ends of the hard disk. If present, the HPA area is placed on the drive after the DCO is configured. This gives the drive three types of storage that are laid out one after another on the drive: Normal HPA protected DCO protected
592
Supported Controllers
Controllers for DCO/HPA Access
Silicon Image 3114 RAID controller with 4 external ports Silicon Image 3114 RAID controller with 4 internal ports Promise Tech ULTRA66 PATA controller with 2 internal PATA ports Promise Tech ULTRA133TX2 PATA controller with 2 internal PATA ports Promise Tech FastTrak TX2300 SATA controller with 2 internal SATA ports Promise Tech SATA 150TX4 SATA controller with 4 internal SATA ports Promise Tech SATA 300TX2Plus SATA/PATA controller with 2 internal SATA ports and 1 internal PATA port Promise Tech SATA 300TX4302 SATA controller with 2 internal SATA ports and 2 external SATA ports
Known Limitation
Guidance Software supports only the controllers specified in the table above for DCO and HPA access.
FastBloc SE Module
593
To write block a USB, FireWire, or SCSI device: 1. 2. Make sure no devices are attached. Click Tools > FastBloc SE.
594
EnCase Enterprise Version 6.18 3. In the FastBloc SE dialog, select the Plug and Play tab.
4. 5.
Click Write Blocked. The progress bar indicates EnCase is waiting for a device to be inserted. Insert the USB, FireWire, or SCSI device.
Note: Because some SCSI devices are not initially hot swappable, you may want to use a hot swappable carrier to protect the device, such as the StarTech DRW150SCSIBK SCSI drive bay.
6.
Click Close.
FastBloc SE Module In the Choose Devices window, the device and volume (if present) on the write blocked channel have a green box around the icon in the Name column, and a bullet appears in the Write Blocked column for each.
595
In Windows 2000, this tool is named Unplug or Eject Hardware; in Windows XP, Safely Remove Hardware.
2.
Remove the device physically when the wizard confirms safe removal.
596
EnCase Enterprise Version 6.18 2. 3. Select the device where you want to remove write block, then click None. Click Close to complete the process.
597
3. 4. 5. 6.
In the list of adapters, select the adapter(s) you want to write block, then click OK. Shut down the forensic machine. Connect the suspect's hard disk to the controller selected in step 3. Restart the forensic computer. Any disk attached to the selected adapter is write blocked on system startup.
598
Wiping
The FastBloc SE module allows wiping a device attached to one of the supported PCI IDE controller cards mentioned in FastBloc SE Module Specific Requirements. Wiping is done in the same manner as for drives attached directly to the motherboard. See Wipe Drive on page 197 for details.
Restoring
The FastBloc SE module also allows the restoration of an evidence file to a device of similar size or larger attached to one of the supported PCI IDE controller cards previously mentioned. Restore a device in the same manner as with drives attached directly to the motherboard. See Restoring Evidence on page 180 for details.
Disk Caching
When the FastBloc SE module is set to write block, the writes are actually being cached to the investigator's hard drive. This does not occur with write protect, since Windows generates an error rather than allowing the appearance of the write to take place.
FastBloc SE Module
599
Troubleshooting
The Write Block option does not appear in the Tools menu
Make sure the module is installed as described in Installing the FastBloc SE Module on page 592. Select About EnCase from the Help menu to verify that the FastBloc SE module is listed in the window. Check that the security key is in the machine. If the security key is missing or not functioning properly, EnCase opens in Acquisition mode. If you are using cert files, the cert file may be tied to a different security key. Contact an administrator to determine the associated security key and cert file.
600
Be sure to select Local Devices instead of Evidence Files when you begin the preview process. If possible, try to acquire on a completely different machine. This helps pinpoint the problem, as it may be a hardware or operating system conflict. If you are using cert files, be sure to use a security key tied to the cert file.
There are different hash values each time the drive is hashed
This indicates a failing drive. Because the number of sector errors increases each time, hash values change. Since the first acquisition typically contains the least number of bad sectors, use that file for analysis.
FastBloc SE Module If the subject drive is in an enclosure when you try to acquire it, it may become hot during the acquisition. Try removing the drive from the enclosure to keep it cooler, which may reduce the number of sector errors.
601
CHAPTER 19
CD/DVD Module
In This Chapter
CD/DVD Module Burning Evidence Files During Acquisition Burning Logical Evidence Files During Acquisition Burning Files and Reports Burning Existing Evidence and Logical Evidence Files
604
CD/DVD Module
Use the CD/DVD Module to burn the following to a CD or DVD: Evidence and Logical Evidence Files during acquisition Files and folders, as well as reports from the EnCase program Existing Evidence Files and Logical Evidence Files
Unless specified otherwise, files burned maintain the following properties (if available): Entry Name (either entry or report) Last Written date Entry Created date Logical size
Note: Consistent with sound computer forensic practices, test the CD/DVD module with non-evidence media to verify proper installation and operation prior to using it with actual evidence.
CD/DVD Module
605
Selecting CD Information
To select CD information, choose appropriate options from the preconfigured settings in the CD Info dialog.
Joliet: This specifies the format of the image to adhere to the Joliet standard, which allows long entry names. UDF: This specifies the format of the image to adhere to the UDF standard, which is used primarily for DVDs. Burn: This initiates the burn of the image to the disc once you click Finish. If the box is cleared, the Archive Folder for the image is updated, but not burned until initiated by the user in the Archive Entries tab. An ISO is also created for the user to burn at any time with any program. Delete ISO after Burn: This deletes the created ISO image from the temporary folder set with the Path option once it is burned to media. Publisher: This optional field allows you to specify the name of the person who burned the image to disc. Preparer: This optional field allows you to specify the name of the person who prepared the image for burning.
606
Path: This field sets the path for the temporary placement of the ISO image prior to being burned. CD Burners: Any media burner recognized by the system appears in this window. Select the media burner of your choice. If a recognized burner is not listed, the burning option is disabled. The image produced contains the ISO9660 format with Joliet selected by default. If Joliet or UDF formats are selected, additional trees are built for those formats. ISO9660 allows only eight-character (old DOS 8.3) names. Names longer than eight characters are truncated to the first four characters of the file name, followed by four random numbers.
Burning
When the initial acquisition is complete, the status screen displays and the burn to CD starts, indicated by a blue Burning thread displayed on the EnCase taskbar. Evidence entries are burned as long as there is enough room left on the medium based on set segment size. If there is no room left, the disc is ejected and a prompt appears instructing you to insert another disc. Evidence entries are verified on the removable media after they have been burned. After the entry is burned, a status window reports the results of the write and verification.
607
A separate thread runs for burning the logical evidence entries while they are created. The burn to disc occurs when the first segment finishes acquiring. To cancel the burn, double click the blue Burning status message on the bottom task bar. Logical evidence, like other evidence entries, is verified after burned. The status window at the end of the process presents the verification and acquisition status for the burned entries. If there is no room left on a disc, the disc is ejected and a prompt appears to insert another disc.
608
By default, the module places cached items in C:\Program Files\EnCase6\Cache. To change the root path, right click the root item, select Change Root Path, and browse to or create a folder.
A disc icon appears in the tree, called discimage1. Subsequent images created are named discimage2, discimage3, etc. 3. To rename images, right click the image folder (or press F2) and select Rename. A cached image of this file is stored in C:\Program Files\EnCase6\Cache with the folder name and a .cdi extension.
CD/DVD Module
609
Use Copy Folders to add the selected entries to the folder, retaining the existing entries. File sizes of selected entries retain the original logical size of the file but not the physical size.
610
Use Copy/Unerase to maintain structure based on the options set in the export menu, such as Logical File, Entire Physical File, RAM and Disk Slack, etc.
3.
Right click the Archive Files icon in the Destination Folder window and select New Image. By default, this is discimage1. Folders created previously are visible in the Destination Folder window.
4. 5. 6. 7.
Select the appropriate folder, then click Finish. Click OK to add the entries to the Archive Files folder. To view the added entries, navigate to the Archive Files tab and select the folder the where you sent the entries. Right click in the table and select Update.
CD/DVD Module 2. Right click in the report pane and select Export.
611
3. 4. 5. 6.
In the Export Report dialog, select Burn to Disc. Select the appropriate output format, Document or Web Page. Enter the complete path in the Path field or browse to the export location. Select a Destination Folder. If entries already exist in the destination folder, the selected entries are added to them.
7.
The newly added report is stored under the Archive Files tab and saved globally so you can add to or delete from it at any time.
To burn the image to disc: 1. 2. Right click the image folder and select Burn Disc. In the Archive Files tab, the disc images appear with entries listed in the Table pane.
612
EnCase Enterprise Version 6.18 3. Select appropriate options from the preconfigured settings in the CD Info dialog as described above. When the image is burned, a status window reports the results of the write.
SafeBack Images VMware images Virtual PC images Any other non-evidence files
To burn an EnCase Evidence File or Logical Evidence File to disc, it must first be added into the case using the standard methods: Dragging and dropping the file into the EnCase interface Using Add Device
To burn an existing evidence or logical evidence file: 1. 2. 3. On the Cases tab, select the Devices subtab. Right click in the table and select the image to be burned. Note that only the highlighted device is burned, not selected (blue-checked) devices. Right click on the device and select Burn to Disc.
4.
Glossary of Terms
Cluster
Overview
This glossary provides definitions of terms specific to Guidance Software products, as well as definitions of standard technological terms.
A cluster is the smallest amount of disk space that can be allocated to hold a file.
Code Page
A code page interprets a series of bits as a character.
ASCII
ASCII (American Standard Code for Information Interchange) is a character encoding based on the English alphabet. ASCII codes represent text in computers, communications equipment, and other devices that work with text. Most modern character codes have a historical basis in ASCII. ASCII was first published as a standard in 1967 and was last updated in 1986. It currently defines codes for 33 non-printing, mostly obsolete control characters that affect how text is processed, plus 95 printable characters.
Compound File
A file containing other file types within it. For example, a Microsoft Word file can contain text, graphics, and spreadsheet files.
Computer Forensics
The application of scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they were used for illegal or unauthorized activities.
Bookmark
Bookmarks let you annotate evidence and analytical artifacts. Files, folders, address ranges within files, collections of files or data, and even bookmarks themselves can be bookmarked.
Connection
The communications between the servlet and the client occur across a connection. This connection may involve communicating through the SAFE.
Burn
The process of recording data to an optical disc, such as a CD or DVD.
Case File
A text file containing information specific to one case. The file includes pointers to one or more evidence files, devices, bookmarks, search results, sorts, hash analysis results, and signature analysis.
Checksum
A form of redundancy check for protecting the integrity of data by detecting errors. It works by adding the basic components of a message (typically the asserted bits) and storing the resulting value. Later, anyone can perform the same operation on the data, compare the result to the authentic checksum, and, if the sums match, conclude that the data was not corrupted. A major drawback to checksum is that 1234 generates the same check as 4321.
Disk Slack
This is the area between the end of the volume and the end of the device.
614
EnCase Forensic
EnCase Forensic is recognized as the standard computer forensic software used by more than 15,000 investigators and 40 of the Fortune top 50 companies. EnCase Forensic provides law enforcement, government and corporate investigators reliable, court-validated technology trusted by leading agencies worldwide since 1997.
File Signature
Unique identifiers published by the International Standards Organization and the International Telecommunications Union, Telecommunication Standardization Sector (among others) to identify specific file types.
File Slack
The area between the end of a file and the end of the last cluster or sector used by that file. This area is wasted storage, so file systems using smaller clusters utilize disk space more efficiently.
Encryption
The process of encoding information to make it unreadable without a key to decode it.
EnScript Language
A programming language and Application Program Interface (API) that has been designed to operate within the EnCase environment.
Filter Pane
The Filter pane is typically located in the lowerright quadrant of the four pane display. It provides access to EnScript programs, filters, conditions, and queries. (Also see Tree Pane, View Pane, and Table Pane.)
Evidence File
The central component of the EnCase methodology is the evidence file. This file contains three basic components (header, checksum, and data blocks) that work together to provide a secure and self-checking description of the state of a computer disk at the time of analysis.
Font
A coordinated set of glyphs designed with stylistic unity. A font usually comprises an alphabet of letters, numerals, and punctuation marks.
Examiner
A general destination folder to place data copied from the evidence folder.
Export Folder
A general destination folder to place data copied from the evidence file.
GREP
An acronym for search Globally for lines matching the Regular Expression, and Print them. GREP is a command line utility originally written for use with the Unix operating system. The default behavior of GREP takes a regular expression on the command line, reads standard input or a list of files, and outputs the lines containing matches for the regular expression. The GREP implementation in EnCase has a smaller subset of operators than GREP used in Unix.
FastBloc
FastBloc is a collection of hardware write blockers and one software write blocker.
Glossary of Terms
615
Hash
A method used to generate a unique identifier for the data the hash value represents. There are several standardized hashing algorithms. EnCase uses the 128-bit MD5 hashing algorithm which has 2^128 unique values. This ensures that the chance of finding an identical hash value using a different data set is exceptionally small.
IPv4 specifies addresses in four eight-bit decimal numbers separated by a dot. IPv4 specifies a port number with a colon. IPv6 addresses the limitations that IPv4 has with the total number of addresses. IPv6 is typically written in eight 16-bit hexadecimal numbers, which are separated by a colon. IPv6 specifies a port number with a space.
Hash Sets
Collections of hash values for groups of files.
Keyword
A keyword is a string or expression used in searching your evidence.
Hexadecimal
A numeral system with a radix or base of 16 usually written using the symbols 0-9 and A-F or af. For example, the decimal numeral 79 whose binary representation is 01001111 can be written as 4F in hexadecimal (4 = 0100, F = 1111).
LinEn Utility
The Linux EnCase client used for disk-to-disk or cable acquisitions.
Index
An EnCase index is a feature that allows quick access to the data in an evidence file.
Malware
Software designed to infiltrate or damage a computer system without the owner's informed consent.
Mount, Mounting
The process of making a file system ready for use by the operating system, typically by reading certain index data structures from storage into memory ahead of time. The term recalls a period in the history of computing when an operator had to mount a magnetic tape or hard disk on a spindle before using it.
Network Tree
The network tree represents the hierarchical organization of the underlying network and file structure.
An IP address can also be thought of as the equivalent of a street address or a phone number.
616
EnCase Enterprise Version 6.18 Windows XP Windows Server 2003 Windows Vista throughput or capacity compared to single drives
Regular Expression
A string that describes or matches a set of strings according to certain syntax rules. Many text editors and utilities use egular expressions to search and manipulate bodies of text based on certain patterns. Many programming languages support regular expressions for string manipulation. Also see GREP.
Node
A node is the machine where the servlet is installed.
NTFS
See New Technology File System.
Root
The base of a file system's directory structure or the parent directory of a given directory.
Pane
Panes comprise the four quadrants to the interface: Tree pane Table pane View pane Filter pane
Sector
A subdivision of a track of a magnetic hard disk or optical disc. A sector stores a fixed amount of data. A typical sector contains 512 bytes.
Panes contain tabs, which alter the display of the data inside the pane. Panes are resizable.
Security Key
A uniquely programmed hardware key, sometimes referred to as a dongle, that identifies a user to EnCase software and enables access to its features.
Servlet
Servlets are EnCase services running on network workstations and servers that provide bit-level access to the machine where they reside.
Port
A virtual data connection that can be used by programs to exchange data directly, instead of going through a file or other temporary storage location. The most common of these are TCP and UDP ports used to exchange data between computers on the Internet
Signature
See File Signature.
Slack
See Disk Slack and File Slack.
Snapshot
A representation of a live running machine, including volatile computer data such as currently logged on users, registry settings, and open files.
Glossary of Terms
617
Spyware
Refers to a broad category of malicious software designed to intercept or take partial control of a computer without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
Unicode
An industry standard that enables text and symbols from all the world's writing systems to be consistently represented and manipulated by computers. Unicode consists of: A character repertoire An encoding methodology and set of standard character encoding A set of code charts for visual reference An enumeration of character properties such as upper and lower case A set of reference data computer files Rules for normalization, decomposition, collation and rendering
Steganography
The art and science of writing hidden messages in a way that no one except the intended recipient knows of the existence of the message; this is in contrast to cryptography, which does not disguise the existence of the message but obscures its content.
View Pane
A part of the program user interface located in the lower left quadrant of the four pane display.
Subject
The computer or media that the investigator actually examines.
Swap File
A memory management technique where noncontiguous memory is presented to a software process as contiguous memory. Memory pages stored in primary storage are written to secondary storage, thus freeing faster primary storage for other processes in use. A swap file is also called a page file.
Virtual Machine
Software that creates a virtual environment on a computer platform so the user can run software. Several discrete execution environments reside on a single computer, each running an Operating System. This allows applications written for one OS to run on a machine with a different OS.
Table Pane
Part of the program user interface located in the upper-right quadrant of the four pane display.
Temp Folder
A folder that allows segregation and control of temporary files created in the course of an investigation. Also see Export Folder.
VMWare
A wholly owned subsidiary of EMC Corporation, it supplies much of the virtualization software available for x86 compatible computers. VMWare software runs on Windows and Linux.
Tree Pane
A part of the program user interface located in the upper left quadrant of the four pane display.
Write Blocker
A tool (software or hardware) that prevents writes to a subject device while allowing investigators to safely read from the device.
Support
Guidance Software develops solutions that search, identify, recover, and deliver digital information in a forensically sound and cost effective manner. Since our founding in 1997, we have moved into network enabled investigations and enterprise wide integration with other security technologies. This section provides information on our support for you through: Technical Support Customer Service Professional Services Technical manuals and release notes Online support Training
Technical Support
Telephone technical support is available 24 hours a day, excluding weekends and holidays. All technical support calls are automatically routed to the open US or UK office: 10 PM Sunday 7 PM Friday, US Pacific time (6 AM Monday 3 AM Saturday, UK time). US Office hours: MondayThursday 5 AM10 PM Pacific time, Friday 5 AM7 PM Pacific time Ph: (626) 229-9191, Option 4 Fax: (626) 229-9199 215 North Marengo Avenue, Suite 250 Pasadena, CA 91101 UK Office hours: MondayFriday 6 AM4 PM UK time Ph: +44 (0) 175-355-2252, Option 4 Fax: +44 (0) 175-355-2232 Thames Central, 5th Floor Hatfield Road Slough, Berkshire UK SL1 1QE Telephone technical support is also available at the following numbers: Germany: 0-800-181-4625 China: 10-800-130-0976 Australia: 1-800-750-639 Hong Kong: 800-96-4635 New Zealand: 0-800-45-0523 Japan: 00-531-13-0890
620
Customer Service
Please direct service questions to the Guidance Software Customer Service Department: MondayFriday 7 AM5 PM Pacific time Phone: (626) 229-9191, press 5 Fax: (626) 229-9199 Email: customerservice@guidancesoftware.com 215 North Marengo Avenue, Suite 250 Pasadena, CA 91101 You can access our Customer Service Request Form online at http://www.guidancesoftware.com/support/cs_requestform.espx.
Professional Services
The Guidance Software Professional Services Division (PSD) combines world-leading computer investigations experts with world-leading forensic technology to deliver turnkey solutions to forensic investigations. Guidance Software has combined its industry-leading computer investigation technology with a team of the most highly trained and capable investigators in the world to bring you complete turnkey solutions for your business. When you face investigative issues that go beyond your internal capabilities, our professional services group is able to respond either remotely or by coming on site to provide the right technology and computer investigations personnel for the job.
Internal Investigations
Theft of intellectual property Intrusion reconstruction Wrongful termination suit
Compliance
Sarbanes-Oxley PII risk assessment California SB 1386
eDiscovery
Pending litigation Responsive production Forensic preservation
Information Security
Compromise of system integrity Policy review Unauthorized use Forensic lab implementation
Support
621
Online Support
Guidance Software offers a Support Portal to our registered users, providing technical forums, a knowledge base, a bug tracking database, and an Online Request form. The Portal gives you access to all support-related issues in one site. This includes: User, product, beta testing, and foreign language forums (message boards) Knowledge Base Bug Tracker Technical Services Request form Downloads of previous software versions, drivers, etc. Other useful links
Although technical support is available by email, you will receive more thorough, quicker service when you use the online Technical Support Request Form (https://support.guidancesoftware.com/node/381). Note that all fields are mandatory, and filling them out completely reduces the amount of time it takes to resolve an issue. If you do not have access to the Support Portal, please use the Support Portal registration form (https://support.guidancesoftware.com/forum/register.php?do=signup).
Registration
Registration requires you to choose a unique username and password. Please provide all requested information, including dongle ID, phone, email address, organization, etc. This helps us identify you as a registered owner of EnCase.
622
You will receive an email within 24 hours. You must follow the link in that email before you can post on the forums. Until you do that, you will not have permission to post. Once you have verified your email address, you will be added to the Registration List. Please allow 24 business hours for your account to be approved. Once your registration is approved, you can access the Support Portal (https://support.guidancesoftware.com/). The Support Portal provides a tutorial that briefly overviews the site.
The forums allow registered users to post questions, exchange information, and hold discussions with Guidance Software and other users in the EnCase community. Different discussion groups are available as follows: Foreign Language Groups French Arabic German Spanish Japanese Chinese Korean
Forum Groups User Group Consultant and Practitioner Computer Forensic Hardware Issues EnScript Forum
Product Specific Groups EnCase Neutrino Enterprise Field Intelligence Model (FIM) eDiscovery
These groups are only available to customers who have purchased the respective products.
623
Posting to a Group
To create a new post, click the Click the icon.
icon to reply to a post, or use the Quick Reply icon at the bottom of each post.
Searching
The forums contain an accumulation of over ten years of information. Use the Search button to search for keywords, or click Advanced Search for more specific search options.
Bug Tracker
Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement requests. It is broken down by product, showing the current number of bugs/enhancements and public bugs for each product. To access the Bug Tracker, click Bug Tracker (https://support.guidancesoftware.com/forum/project.php) in the Support Portal.
Knowledge Base
You can find answers to frequently asked questions (FAQs) and other useful product documentation in the Knowledge Base. You can also submit your own articles to help other EnCase users.
624
To access the Knowledge Base, click Knowledge Base (https://support.guidancesoftware.com/directory) in the Support Portal.
From here, you can browse, search, and write Knowledge Base articles.
Message Boards
The Guidance Software message boards are resources for the computer forensics community to exchange ideas, ask questions, and give answers. The message boards are an invaluable resource for the forensic investigator. Discussions range from basic acquisition techniques to in-depth analysis of encrypted files and more. Thousands of experienced and skilled users are registered on the boards, reviewing posts every day, and providing their expertise on all Guidance Software products. More information about the message boards, including information on how to join the message board, is located at http://www.guidancesoftware.com/support/messageboards.asp http://www.//guidancesoftware.com/support/messageboards.asp.
Downloads
When you receive your product, register with Guidance Software to receive updates. Registration is located at https://www.guidancesoftware.com/myaccount/registration.aspx site. If you have any trouble registering your product, contact Customer Service on page 619. If you have any trouble downloading the updates once registered, contact Technical Support (see page 619).
Support
625
The Support Portal's landing page contains a section of useful links, including: Guidance Software Home Page Download Center to download software, hardware, manuals, boot disks, support articles, etc. My Account to register your dongle id to receive up to date software by email NVD (National Vulnerability Database) Information and Responses Guidance Product Version Matrix for checking compatibility of different product versions Hardware Recommendations for EnCase Forensic and EnCase Enterprise Subscribe to Public Bugs
Training
Guidance Software offers a variety of professional courses for the beginner, intermediate, and advanced user of all its applications. In addition to providing a solid grounding in our software, we also provide our students with accepted best practices for investigation, report generation and evidence preservation. Guidance Software offers courses for law enforcement agencies, organizations concerned with forensics and incident response, and advanced topics for all users.
Index
A
Accessing the Local Disk in Windows Explorer 557 Accessing the Share 577 Acquiring 117 Acquiring a Disk Running in Direct ATA Mode 142, 474 Acquiring a DriveSpace Volume 152 Acquiring a Local Drive 134 Acquiring a Palm Pilot 143 Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) 134, 474 Acquiring Disk Configurations 148 Acquiring Firefox Cache in Records 153 Acquiring in Windows without a FastBloc Write Blocker 138 Acquiring Non-local Drives 146 Acquiring SlySoft CloneCD Images 152 Acquiring Virtual PC Images 152 Acquisition 218 Acquisition Results Dialog 123 Acquisition Times 146 Acquisition Wizard 118 Add Device 89 Add Device Wizard 109 Add Note Bookmark Dialog 349 Adding a Device 114 Adding a File Viewer 322 Adding a New File Signature 256 Adding Constraints to Analysis Data 239 Adding Keywords 269 Adding Machine Information to Reports 238 Adding Partitions 179 Adding Raw Evidence Files 154 Additional WinEn Information 197 Administrator Credentials 78, 98 After Acquisition Dialog 118 Alternative Report Method 391 America Online .art Files 333 Analysis Jobs 232 Analyze EFS 489 Analyzing and Searching Files 253 AOL Personal File Cabinet (PFC) Support 302 App Descriptors 307 ASCII 613 Associate Selected 496 Associating Code Pages 454 Associating the File Viewer's File Types with the Viewer 322
B
Background Information 590 BitLocker Encryption Support (Volume Encryption) 509 Bookmark 613 Bookmark Content Data Types 346 Bookmark Data Dialog for Files 351 Bookmark Data Dialog for Highlighted Data Bookmarks 346 Bookmark Editing Dialogs 362 Bookmark Features 345 Bookmark Folder Information/Structure Dialog 350 Bookmark Reports and Reporting 372 Bookmarking an Image 338 Bookmarking Items 341 Bookmarking Non-English Language Text 452 Bookmarks Overview 342 Boot Evidence Files and Live Systems with VMware 560 Boot the Virtual Machine 563 Booting the Restored Hard Drive 183 Browse for Folder Dialog 83, 85 Building a Package 438 Building Reports 241 Built-in Attack 550 Burn 613 Burning 606 Burning Evidence Files During Acquisition 604 Burning Existing Evidence and Logical Evidence Files 612 Burning Files and Reports 607 Burning Logical Evidence Files During Acquisition 606 Burning the Created Image Folders to Disc 611
C
Canceling an Acquisition 128 Case Backup 80 Case File 613 Case File Format 79 Case File Time Zones 90 Case Management 77, 79 Case Options Page of the New Case Wizard 88 Case Options Tab 22
Case Processor 411 Case Processor Modules 412 Case Related Features 82 CD/DVD Module 603, 604 CD-DVD Inspector File Support 152 Changing Filter Order 73 Changing Report Size 387 Changing the Mount Point 577 Checksum 613 Choose Devices Dialog of the Add Device Wizard 113 Choosing Database Sources 185 Cleaning an EDB Database 328 Clearing the Invalid Image Cache 340 Closing a Case 95 Closing and Changing the Emulated Disk 559 Closing the Connection 586 Cluster 613 Code Page 613 Code Tab 58 Collection Jobs 208 Colors Tab 27 COM Folder EnScript Code 427 Command Line Options 156, 195 Completing the After Acquisition Dialog of the Acquisition Wizard 125 Completing the Choose Devices Dialog 116 Completing the Options Dialog of the Acquisition Wizard 127 Completing the Preview Devices Dialog 116 Completing the Search Dialog of the Acquisition Wizard 125 Completing the Sessions Sources Dialog 116 Completing the Sources Dialog 115 Compound File 613 Compound Files 415, 570 Comprehensive Internet History Search 281 Computer Forensics 613 Concurrent Case Management 79 Conditions Tab 69 Configuration File 157, 196 Configuration File Notes 197 Configuring EnCase 21 Configuring Interface Elements to Display NonEnglish Characters 445 Configuring Non-English Language Support 444 Configuring the Keyboard for a Specific Non-English Language 446 Configuring the PDE Client 556 Configuring the Server 583 Configuring Your Linux Distribution 459 Connecting the Clients 585 Connection 613
Copy and Unerase Features 313 Copy Folders Dialog 317 Copy/UnErase Wizard 313 Copying a Collection Job 212 Copying a Table Entry into a Folder 370 Copying an Analysis Job 240 Copying and Unerasing Bookmarks 318 Copying and Unerasing Files 318 Copying and Unerasing Files and Folders 312 Copying Selected Items from One Folder to Another 275, 379 Create a New Image Session 607 Create License Dialog 436 Create Logical Evidence File Wizard 173 Creating a Bookmark 352 Creating a Collection Job 209 Creating a Datamark as a Bookmark 359 Creating a File Group Bookmark 356 Creating a Filter 67 Creating a Folder Information/Structure Bookmark 354 Creating a Hash Set 264 Creating a Highlighted Data Bookmark 352 Creating a License 438 Creating a LinEn Boot Disk 458 Creating a Log Record Bookmark 357 Creating a Logical Evidence File 175 Creating a Machine Profile 105 Creating a Notable File Bookmark 355 Creating a Note Bookmark 353 Creating a Package 437 Creating a Query 74 Creating a Report Using Case Processor 398 Creating a Report Using the Report Tab 384 Creating a Snapshot Bookmark 357 Creating a Web Mail Report 391 Creating an Additional Fields Report 396 Creating an Analysis Job 233 Creating an App Descriptor with an EnScript Program 309 Creating and Defining a New Text Style 448 Creating Conditions 70 Creating Global Keywords 268 Creating International Keywords 271 Creating Non-English Keywords 449 CREDANT Encryption Known Limitation 532 CREDANT Encryption Support (File-Based Encryption) 526 CREDANT Encryption Support (Offline Scenario) 530 CREDANT Files and Logical Evidence (L01) Files 532 Crossover Cable Preview or Acquisition 476
Customer Service 620 Customizing a Report 374 Cyclic Redundancy Check (CRC) 613
D
Datamarks 345 Dates 348 Debug Tab 25 Decrypted Block 542 Decrypting a BitLocker Encrypted Device Using Recovery Key 510 Decrypting a BitLocker Encrypted Device Using Recovery Password 511 Decrypting S/MIME Email Messages in an Evidence File Created in Windows Vista 537 Delayed Loading of Internet Artifacts 161 Delayed Loading of Internet Artifacts FAQs 163 Deleted Files 572 Deleting a Collection Job 213 Deleting a Filter 69 Deleting a Query 75 Deleting an Analysis Job 241 Deleting Items 287 Deleting Partitions 179 Destination Dialog of the Copy/UnErase Wizard 316 Determining Local Mailbox Encryption 539 Device Configuration Overlay (DCO) 613 Dictionary Attack 549 Disk and Volume Encryption 486 Disk Caching 598 Disk Caching and Flushing the Cache 599 Disk Configuration Set Acquired as One Drive 150 Disk Configurations Acquired as Separate Drives 151 Disk Slack 613 Disk Tab 57 Dismount the Network Share 577 Display Tab 72 Document Incident 401 Drive-to-Drive Acquisition Using LinEn 462 Dynamic Disk 150
E
Edit Bookmark Folder Dialogs 367 Edit Datamarks Dialog 367 Edit Folder Dialog 368 Edit Folder Information/Structure Bookmarks Dialog 365 Edit Highlighted Data Bookmarks Dialog 363 Edit Log Record Bookmarks Dialog 366 Edit Menu 39 Edit Notable File Bookmarks Dialog 365
Edit Note Bookmarks Dialog 364 Edit Snapshot Bookmarks Dialog 366 Editing a Bookmark 362 Editing a Filter 68 Editing a Machine Profile 106 Editing a Package 437 Editing a Query 75 Editing a Signature 257 Editing Conditions 71 Editing the SAFE Dialog 86 EDS Features 486 EFS Files and Logical Evidence (L01) Files 491 Email Report 388 Enabling or Disabling Entries in the Report 385 EnCase Decryption Suite 485 EnCase Enterprise 8 EnCase Enterprise Components 8 EnCase Evidence Files 99 EnCase Examiner 9 EnCase Installer 16 EnCase Forensic 614 Encode Preview 288 Encrypted Block 541 Encrypting File System 571 Encryption 614 Enhanced CREDANT Support 12 Enhanced EnCase Help Menu 14 Enhanced EnScript Tab 432 Enhanced FAT Parsing 101 Enhanced Oracle Outside In Technology Support 13 Enhanced Physical Drive Preview 108 Enhanced Rights Management Services (RMS) Support 14 Enhanced S/MIME Encryption Support 13 EnScript Analysis 399, 400 EnScript Debugger 427 EnScript Example Code 426 EnScript File Mounter 429 EnScript Help 432 EnScript Programming Language 261 EnScript Tab 29, 65 EnScript Types 262, 432 EnScript Language 614 Enter Items 493 Entering Non-English Content without Using NonEnglish Keyboard Mapping 447 Enterprise Connection 10 Enterprise EnScript Programs 400 Enterprise Tab 31 Error Handling 197 Evidence File 614
Evidence File Formats Supported by EnCase PDE 554 Evidence File Formats Supported by VFS 568 Evidence File Time Zones 91 Evidence Verification 478 Examiner 614 Exchange Server Synchronization 328 Exclude File Bookmarks 374 Exclude Folder 375 Excluding Bookmarks 374 Excluding Files 286 Export Folder 614 Export Hashes 413 Exporting a Filter 69 Exporting a Report 397 Exporting a Source Processor Report 244 Exporting Conditions 72 Exporting Keywords 274 Exporting Source Processor Jobs to the Bootable Security Key 245 Exporting to *.msg 300 ext2, ext3, UFS, and Other File Systems 576 ext3 Support 13 Extended File Allocation Table (exFAT) Support 101 Extracting Email 296
Fonts Tab 28 Forensic EnScript Code 410 Full Volume Encryption (FVE) AutoUnlock Mechanism 514
G
Gallery Tab 55, 337 General Time Zone Notes 92 Generating an Index 290 Generating Reports on the Database 189 Getting Ready to Acquire the Content of a Device 107 Global Tab 23 Globally Unique Identifier (GUID) 614 Glossary of Terms 613 GREP 614 GuardianEdge Encryption Support 519 GuardianEdge Hard Disk and Symantec Endpoint Encryption Support 12, 520 GuardianEdge Hard Disk Encryption Known Limitations 521
H
Hardware Disk Configuration 150 Hash 615 Hash Analysis 262 Hash Finder 227 Hash Sets 264, 615 Hashing 171 Hashing a New Case 263 Hashing the Subject Drive Once Previewed or Acquired 172 Hashing the Subject Drive Using LinEn 171, 480 Help for EnScript Modules 429 Help Menu 43 Hexadecimal 615 HFS+ Permissions Support 100 Highlighted Data Bookmarks 343 Hits Tab 66 Host Protected Area (HPA) 615 How EnCase Enterprise Works 8 How Source Processor and EnCase Portable Work Together 244 HPA and DCO Configured Disks 590 HP-UX Servlet Support 129
F
Fast File Transfer 102 FastBloc SE Module 589, 590 FastBloc 614 FAT, HFS and CDFS Time Zone Specifics 92 File Allocation Table (FAT) 614 File Based Encryption 487 File Group Bookmarks 343 File Hashing 263 File Menu 39 File Mounter 414 File Processor 223 File Selection Dialog of the Copy/UnErase Wizard 314 File Signature 614 File Signatures 254 File Signatures with Suffixes 254 File Slack 614 File Viewer Features 319 File Viewers 319 Filter Pane 65, 614 Filtering Behavior in the Table Pane 66 Filters Tab 66 Finding View Pane Content 64 Folder Information/Structure Bookmarks 343 Font 614
I
If EnCase Reports GuardianEdge/Symantec EAHD dlls Cannot be Opened 12, 520 If the Restored Disk Does Not Boot 184 Importing a Filter 69 Importing Conditions 72
Importing EnCase Portable Evidence into Source Processor 248 Importing Job Settings 247 Importing Keywords 273 Include EnScript 430 Included Enscript Components 261 Increasing the Number of Images per Row 339 Index 615 Index Case 416 Indexing 290 Indexing a Case 79 Initial Preparation 560 Initialized Size Text Style 323 Initializing the Database 184 Installing EnCase Enterprise 15 Installing Security Key Drivers 20 Installing the Examiner 17 Installing the FastBloc SE Module 592 Installing the HP-UX Servlet 130 Integers 347 Internal Files and File System Files 572 Internet Artifacts 222 Internet History Searching 279 Internet Protocol Address (IP) 615 Internet Report 390 Internet Searching 282 Introduction 458
Logon Wizard Users Dialog 82 Lotus Notes Local Encryption Support 539
M
Mac OS X 10.5 Leopard Support 134 Machine Profiles 103 Machine Survey Servlet Deploy 403 Maintaining the Database 186 Malware 615 Malware Scanning 579 Managing EnCase Portable 244 Manipulating Columns 53 Manually Create an App Descriptor 308 Metadata 224 Minimum Requirements 16 Mode Selection 475 Modifying a Collection Job 213 Modifying an Analysis Job 240 Modifying Case Related Settings 89 Modules 218 Mount Network Share Options 569 Mount, Mounting 615 Mounted Files 487 Mounting a Single Drive, Device, Volume, or Folder 569 Mounting Compound Files 416 Mounting Evidence with VFS 568 Mounting Non-Windows Devices 557 Moving a Table Entry into a Folder Using the Right Click Drag Method 371 Moving a Table Entry or Folder into a Folder Using the Drag Method 372 Mozilla Firefox 3 Artifacts Support 278 Multi-Threaded Acquisition 159 Multi-Threading Options in the Interface 160
K
Keyword 615 Keyword Finder 224 Keyword Searches 267 Keyword Tester 272
L
Leaving Console Mode 146 Licensing through NAS 206 LinEn Command Line 471 LinEn Evidence Verification and Status Reporting 477 LinEn Manual Page 482 LinEn Setup Under Red Hat 460 LinEn Setup Under SUSE 460 LinEn Utility 615 Linux Syslog Parser 230 Live Device and FastBloc Indicators 108 Local Keywords 273 Locally Encrypted NSF Parsing Results 543 Log Record Bookmarks 344 Logical Evidence File 615 Logical Evidence Files 99, 173 Logical Restore 182 Logon Wizard 82
N
NAS Tab 26 National Software Reference Library (NSRL) Hash Sets RDS Support 13 Network Tree 615 New Case Wizard 87 New Features in Version 6.18 11 New File Viewer Dialog 320 New Package Dialog 433 New Technology File System (NTFS) 615 New Text Styles Dialog 442 New Text Styles Dialog Attributes Tab 443 New Text Styles Dialog Code Page Tab 444 New Virtual Machine Wizard 561 Node 616 Non-English Language Features 440 Notable File Bookmarks 343, 616
Notes Bookmarks 343 NSF Encryption Support 537 NTFS 616 NTFS Compressed Files 337
O
Obtaining a Linux Distribution 459 Obtaining Additional Decryption Key (ADK) Information 524 Obtaining Updates 20 Obtaining Whole Disk Recovery Token Information 523 Online Support 621 Opening a Case 93 Opening the Acquisition Wizard 123 Options Dialog 80, 122 Options Dialog Font Tab 441 Options Dialog of the Copy/UnErase Wizard 314 Organizing Bookmarks 370 Other File Systems 575 Other Tools and Viewers 580 Output Dialog 174 Overriding HPA and DCO Settings 591 Overview 7, 38, 98, 202, 486, 613 Overview of Case Structure 78
Picture Finder 229 Port 616 Possible Master File Table Inconsistencies with Acquisition 146 Preparing Entries for Burning 608 Preparing Reports for Burning 610 Preparing the Target Media 180 Preview Devices Dialog of the Add Device Wizard 114 Previewing 107 Previewing a Write Blocked Device 598 Previewing Devices over 2 Terabytes in Size 109 Previewing EnCase Portable Data in Source Processor 250 Previewing the Content of a Device 108 Printing or Saving a Report to PDF 243 Product Matrix 488 Professional Services 620 Prompt for Value 159, 197 Properties Tab 435 ProSuite FastBloc SE/SATA/IDE Support for Vista 64-bit 591
Q
Queries Tab 73 Querying an Index Using a Condition 293 Querying the Index for Non-English Content 451 Quick Entry Report 395 Quick Snapshot 406
P
Package Features 433 Package Tab 434 Packages 432 Pane 616 Panes Overview 44 Parsing a Dirty EDB File 329 Parsing a Locally Encrypted Mailbox 540 PDE Troubleshooting 566 Performing a Crossover Cable Preview or Acquisition 147 Performing a Drive-to-Drive Acquisition Using LinEn 141 Performing a Search 283 Performing a Signature Analysis 258 Performing a Typical Acquisition 118 Performing Acquisitions with LinEn 460 Personal Information 221 PGP 10 Whole Disk Encryption (WDE) Support 12 PGP Decryption using the Passphrase 526 PGP Whole Disk Encryption (WDE) Support 522 Physical Disk Emulator 553, 554 Physical Disk Emulator (PDE) 616 Physical RAID Encryption Support 515 Physical Restore 180 Physical versus Logical Restoration 180 Picture 347
R
RAID-10 152 RAIDs 572 RAM and Disk Slack 572 Raw Image Files 99 Reacquiring an Evidence File 154 Reacquiring Evidence 154 Rebuilding a Hash Library 266 Records Tab Bookmark View 359 Recovering a Database 330 Recovering Folders 176 Recovering Folders from a Formatted Drive 178 Recovering Folders on FAT Volumes 177 Recovering NSF Passwords 537 Recovering NTFS Folders 177 Recovering Partitions 178 Recovering UFS and EXT2/3 Partitions 178 Recovery Key and Recovery Password Files 509 Reducing the Number of Images per Row 339 Redundant Array of Independent Disks (RAID) 616 Regular Expression 616 Reinstalling the Examiner 19
Remote Acquisition 164 Remote Acquisition Monitor 168, 407 Removing Write Block from a USB, FireWire, or SCSI Device 595 Repairing a Database 331 Report Multiple Files 386 Report Single Files 385 Report Tab 54 Report User Interface 382 Reporting 381, 382 Reporting on Conditions 72 Reports 241 Restoring 598 Restoring Evidence 180 Restrict Access by IP Address 584 RMS Decryption at the File Level 546 RMS Decryption at the Volume Level 546 RMS Protected Email in PST 548 RMS Standalone Installer 544 Roles Dialog of the New Case Wizard 88 Root 616 Running a 32-bit Application on a 64-bit Platform 34 Running a Collection Job 213 Running a Package 438 Running an Analysis Job 235 Running the HP-UX Servlet 133 Running WinAcq 155 Running WinEn 194
S
S/MIME Encryption Support 532 SAFE (Secure Authentication For EnCase) 9 SAFE Dialog of the Logon Wizard 84 SAFE Dropdown Menu 85 SafeBoot Encryption Support (Disk Encryption) 498 Saved Credentials in Secure Storage 516 Saving a Case 94 Saving a Case and the Global Application Files 94 Saving a Case with a New Name or New Location 94 Saving and Dismounting the Emulated Disk 558 Scan Local Machine 416 Search Dialog 119 Search Hits Report 392 Search Options 283 Searching Email 296 Searching Entries for Email and Internet Artifacts 275 Searching for Email 294 Searching Selected Items 298 Sector 616
Secure Authentication For EnCase (SAFE) 616 Secure Storage Items 497 Secure Storage Report 389 Secure Storage Tab 492 Secure Storage Tab and EFS 492 Security Key 616 Selecting CD Information 605 Servlet 616 Servlets 9 Sessions Sources Dialog of the Add Device Wizard 111 Setting Case Options 204 Setting Time Zone Options for Evidence Files 92 Setting Time Zones Settings for Case Files 91 Setting Up the Storage Machine 169 Setup for a Drive-to-Drive Acquisition 461 Sharing Configuration (INI) Files 32 Show Excluded 377 Showing Deleted Files 288 Showing Excluded Files 287 Showing Typed URLs 280 Signature 616 Signature Analysis 254 Signature Analysis Legend 260 Single Files 99 Slack 616 Snapshot 220, 616 Snapshot Bookmarks 344 Snapshot Differential Report 407 Snapshot to DB Module Set 184 Snapshots 10 Software RAID 148 Source Dialog 173 Source Processor 201 Sources Dialog of the Add Device Wizard 109 Specifying and Running an Acquisition 124 Specifying Database Content 189 Specifying System Cache Settings Manually 34 Spyware 617 Starting Physical Disk Emulator 554 Starting to Work with Source Processor 203 Status 159 Status Bar 76 Status Reporting 479 Steganography 617 Storage Paths Tab 31 Styles 349 Subject 617 Successful Decryption 516 Support 619 Supported Controllers 592 Supported CREDANT Encryption Algorithms 530
Supported File Systems and Operating Systems 100 Supported GuardianEdge Encryption Algorithms 519 Supported SafeBoot Encryption Algorithms 502 Supported Utimaco SafeGuard Easy Encryption Algorithms 503 Swap File 617 Sweep Enterprise 408 System Cache Setting Control 34 System Menu Bar 38
T
Table Pane 50, 617 Table Tab 50 Table Tab Columns 51 Tableau Write Blocker Support 138 Tag Records 306 Technical Manuals and Release Notes 621 Technical Support 619 Temp Folder 617 Temporary Files Reminder 559, 582 Testing a Non-English Keyword 450 Testing an EDB File 329 Text 346 Text Styles 442 Text Styles Tab 75 The EnCase Interface 37 Third-Party Tools 559, 579 Threat Analyzer 417 Time Zone Example 93 Time Zone Settings 89 Timeline Tab 55 Toolbar 43 Tools Menu 41 Training 625 Tree Pane 45, 617 Tree Pane Content 49 Tree Pane Tabs 46 Troubleshooting 586, 599 Troubleshooting a Failed S/MIME Decryption 536 Turning Off IDE Write Block Protection 597 Turning On Encode Preview 288 Turning Specific Filters Off 73 Types of Acquisitions 117 Types of Entries 98
User Security ID (SID) for Single Files 143 Users Dropdown Menu 83 Using a Case 89 Using a Folder to Organize a Bookmarks Report 369 Using a Package 437 Using a Write Blocker 135 Using Bookmarks 361 Using EDS 489 Using LinEn 457 Using Physical Disk Emulator 554 Using Snapshots 107 Using the Data Browser to Analyze Results 236 Using the EnCase Interface 577 Using the FastBloc SE Module 593 Using the Snapshot DB Reports Dialog 191 Using Third-Party Tools 559 Using Windows Explorer 578 Utimaco Challenge/Response Support 503 Utimaco SafeGuard Easy Encryption Known Limitation 508 Utimaco SafeGuard Easy Encryption Support 502
V
Validating Parity on a RAID-5 152 Verifying Evidence Files 128 VFS Server 582 View Menu 40 View Pane 58, 322, 617 View Pane Tabs 58 Viewer File Type Dialog 321 Viewing a Bookmark on the Table Report Tab 372 Viewing a Bookmark Report 387 Viewing Attachments 298 Viewing Base64 and UUE Encoded Files 336 Viewing Compound Files 325 Viewing Compressed Files 326 Viewing File Content 311 Viewing File Structure 325 Viewing Files 312 Viewing Hash Search Results 266 Viewing Lotus Notes Files 327 Viewing Machine Profiles 104 Viewing Macintosh .pax Files 332 Viewing MS Exchange Files 327 Viewing MS Outlook Email 331 Viewing Non-Unicode Files 453 Viewing Office 2007 Documents 333 Viewing OLE Files 326 Viewing Options in the Gallery Tab 55 Viewing Outlook Express Email 331 Viewing Record Search Hits 285 Viewing Registry Files 326
U
Unicode 617 Unicode Fonts 441 Uninstalling the Examiner 18 Unsuccessful Decryption 516 Updating the Database 187
Viewing Search Hits 285 Viewing Signature Analysis Results (Part 1) 259 Viewing Signature Analysis Results (Part 2) 260 Viewing the File Signature Directory 255 Viewing the License for LinEn 458 Viewing Unicode Files 453 Viewing Windows Thumbs.db 332 Virtual File System 567, 568 Virtual File System (VFS) 617 Virtual Machine 617 Vista Examiner Support 33 VMWare 617 VMware/EnCase PDE FAQs 564
W
Web Mail Parser 294, 426 When to use a Crossover Cable 146 WinAcq 155 Windows 348 Windows 7 BitLocker and BitLocker to Go Support 13 Windows 7 SAFE Support 13 Windows Event Log Parser 230 Windows Key Architecture 549 Windows NT Software Disk Configurations 148 Windows Rights Management Services (RMS) Support 544 Windows Server 2008 R2 SAFE Support 13 Windows-based Acquisitions with a non-FastBloc Write Blocker 138 Windows-based Acquisitions with FastBloc Write Blockers 135 WinEn 194 WinMagic SecureDoc Encryption Support 517 Wipe Drive 198 Wiping 598 Working with Evidence 97 Working with Non-English Languages 439, 440 Write Block Validation Testing and Disk Caching 599 Write Blocker 617 Write Blocking a USB, FireWire, or SCSI Device 593 Write Blocking IDE and SATA Controller Cards 596 Write Protecting a USB, FireWire, or SCSI Device 595 WTMP/UTMP Log Parser 231
Z
ZIP and RAR Archive File Support 334