File000132

Module XIX – Forensic Investigation
Using Encase

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Verizon to Use Guidance Software’s
EnCase eDiscovery on a Pay-Per-Use Basis
Source: http://www.tmcnet.com/

EC-Council
Official Licensed Content
Provided by EnCase to EC-Council

EC-Council
Module Objective
• Evidence Files
• Verifying the File’s Integrity
• Hashing
• Configuring EnCase
• Searching
• Bookmarks
• Viewing the Recovered Files
• Master Boot Record
• NTFS Starting Point
• Hash Values
• Signature Analysis
• Email Recovery
This module will familiarize you with:

EC-Council
Module Flow
Evidence File
Configuring EnCase
Hashing
Bookmarks
Searching
Verifying the File’s Integrity Master Boot Record
Viewing the Recovered Files
Hash Values
Signature Analysis
E-mail Recovery
NTFS Starting Point

EC-Council
Evidence File
Evidence file is the core component in EnCase
The file can be referred as a forensic image file
It is widely known throughout the law enforcement and computer security
industries
• Header
• Checksum
• Data blocks
• Footer
It consists of:

EC-Council
Verifying Evidence Files
After burning the discs, run Verify Evidence Files on each disc to
verify that the burn was thorough and that the evidence file segment
is intact

EC-Council
Evidence File Format
Each Evidence file is an exact, sector by sector copy of a floppy or hard disk
Every byte of the file is verified using 32-bit CRC, which makes it virtually
impossible to tamper with the evidence once it has been acquired
EnCase compresses large disk into a small size reducing up to 50% of the
disk’s size

EC-Council
Verifying the Evidence File
Integrity
Whenever an evidence file is added to the case, EnCase will begin
verifying integrity of the drive for corruption, bad sectors etc.

EC-Council
Hashing
EnCase calculates MD5 Hash when it acquires a physical drive or
logical drive

EC-Council
Acquiring Image
Click File -> Add Raw Images to acquire images
To acquire USB image, the USB drive should not be connected to the forensic
computer prior to the boot process
Select the device type to make an image

EC-Council
Configuring EnCase
Click Tools > Options to configure EnCase in various settings

EC-Council
EnCase Options Screen

EC-Council
EnCase Screens
TREE PANE
TABLE PANE
FILTER PANEVIEW PANE

EC-Council
View Menu
Various utilities can be launched using View menu

EC-Council
Device Tab
Device tab shows information about the currently selected device

EC-Council
Viewing Files and Folders
Files Folders

EC-Council
Bottom Pane
Bottom pane

EC-Council
Viewers in View Pane
Text
Hex
Doc
Transcript
Picture
Report
Console
Details

EC-Council
Status Bar

EC-Council
Status Bar (cont’d)
• PS physical sector number
• Logical sector number
• Cluster number
• Sector offset
• File offset
• Length
Status bar provides the sector’s details for a
selected file:

EC-Council
Searching
EnCase provides powerful searching capabilities
Keywords searches can be performed at a logical level (file level) or physical
level (byte by byte)

EC-Council
Searching (cont’d)
EnCase has the following advanced search capabilities to find the
information of investigative importance:
• Concurrent search
• Proximity search
• Internet and email search
• Email address search
• Global Regular Expressions Post (GREP) search
• File finder
• Search options include:
• Case sensitive
• GREP
• RTL reading
• Active code-page

EC-Council
Keywords
Keyword must be added before you can start searching
They are saved in keywords.ini file
They can be added based on what you are investigating
For example, you might want to add keywords such as:
• kill, suicide, cheat, Swiss bank, San Francisco etc.

EC-Council
Keywords: Screenshot

EC-Council
Adding Keywords
Right click Keyword and select New

EC-Council
Grouping
Keywords can be grouped for organizing the search terms
Right click in Keyword > select New Folder and type the folder’s
name

EC-Council
Add Multiple Keywords
Right click the Folder > Keyword list

EC-Council
Starting the Search
Searches can be carried out using file/folder or entire drive
Check the keywords that needs to be searched
Click Search button

EC-Council
Search Hits Tab
Search Hits Tab reveals the search listings

EC-Council
Search Hits

EC-Council
Bookmarks
EnCase allows files, folders, or
sections of a file to be bookmarked
for easy reference
Click View > Cases Sub-Tabs >
Bookmark

EC-Council
Creating Bookmarks
Bookmarks can be created by clicking ‘New Folder’ in right click
menu

EC-Council
Adding Bookmarks
Right click on any file > Bookmark Data

EC-Council
Bookmarking Selected Data
Highlight the text and select Bookmark Data

EC-Council
Recovering Deleted Files/folders
in FAT Partition
Right-click FAT drive and select Recover Folders

EC-Council
Recovering Deleted Files/folders
in FAT Partition (cont’d)

EC-Council
Viewing Recovered Files
Select the Recovered Folder to view the deleted files/folders

EC-Council
Recovering Folders in NTFS
EnCase searches the unallocated clusters in Master File Table (MFT) to
recover the files/folders
Use the same method as FAT system to recover the files
This process can be slow and may take 60 minutes (1 hour) for 100 GB hard
drive

EC-Council
Recovering Folders in NTFS
(cont’d)
Right-click on the volume and select
Recover Folders
Choose OK to begin the search for
NTFS folders

EC-Council
Master Boot Record
Master Boot Record (MBR) resides at the first sector (Sector 0)
Sector Offset (SO 446) contains the partition table
MBR allows 4 entries:
• Each entry is 16 bytes long
• Partition entries range from (LE 64 – Hex 55 AA)

EC-Council
Master Boot Record (cont’d)
Select Sectors (SO 446 – LE 64)
Right-click and select Bookmark
Select Windows > Partition Entry
Enter a name to bookmark

EC-Council
Bookmark Data
Partition table

EC-Council
NTFS Starting Point

EC-Council
Viewing Disk Geometry
Highlight the case and click Report in the bottom View pane

EC-Council
Recovering the Deleted
Partitions
• Search for the following in the unused disk area:
• MSWIN4.1 (FAT Partition)
• NTFS (NTFS Partition)
• Look manually at the disk end of the first volume
Two ways to check for deleted
partitions:

EC-Council
Recovering the Deleted
Partitions (cont’d)
To delete the partition, right-
click and select it
Right-click the area to recover and select Add
Partition

EC-Council
Hash Values

EC-Council
Creating Hash Sets
Select the files to be included in the hash set
Right-click > Create Hash Set

EC-Council
MD5 Hash
EnCase can create a hash value (digital fingerprint) for any file in the case
It uses 128 bit MD5 algorithm
Hash sets are a collection of hash files
Chances of two files having the same hash is 2128 which is nearly
impossible

EC-Council
Creating Hash
Click Search > Select
Compute hash value
This will create hash for every
allocated file

EC-Council
Viewers
EnCase can use external viewers to view files
Viewers makes a copy of a file to the temporary folder before
launching the file
Encase uses the following viewers:
• External viewer
• Program registered in Windows
• EnCase viewer
• Timeline

EC-Council
Viewers (cont’d)
Click viewers in View menu > File viewers
Create new viewer and enter the application path

EC-Council
Signature Analysis
ISO and ITU work to standardize the types of electronic data
For the standardized file types, a signature or header is stored along with the
data
Applications use the header to correctly parse the data
You can view the file signature to identify the data even though its extension
has been renamed
Example: jennifer.exe  jennifer.dll

EC-Council
Signature Analysis (cont’d)
Select View menu > File Signatures

EC-Council
Signature Analysis (cont’d)
You can search using signature analysis

EC-Council
Viewing the Results

EC-Council
Copy/UnErase Files or Folders
Encase provides a feature to recover and unerase files byte-per-byte
Right-click a file/folder > select Copy/UnErase

EC-Council
E-mail Recovery
• Documents and Settings[username]Local SettingsApplication
DataIdentities[userid]MicrosoftOutlook Express
Default path for Outlook Express 5/6 in Windows
XP is:
• Inbox.mbx
• Outbox.mbx
• Sent Items.mbx
• Deleted Items.mbx
• Drafts.mbx
Outlook mailbox filenames are as follows:
View the above files in EnCase

EC-Council
Reporting
The final stage of the forensic analysis is reporting
Report must be easy to understand and should cover in-depth information
about the evidence
Click the Report in Bookmarks menu

EC-Council
Final Report

EC-Council
IE Cache Images

EC-Council
Summary
Evidence file is the core component in EnCase
Each Evidence file is an exact, sector by sector copy of a floppy or hard disk
EnCase calculates MD5 Hash when it acquires a physical drive or logical drive
EnCase provides powerful searching capabilities
EnCase allows files, folders, or sections of a file to be bookmarked for easy reference
EnCase searches unallocated clusters in Master File Table (MFT) to recover files/folders
EnCase can create a hash value (digital fingerprint) for any file in the case

EC-Council

File000132

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a File000132

Semelhante a File000132 (20)

Mais de Desmond Devendran

Mais de Desmond Devendran (20)

Último

Último (20)

File000132