Encase

Published on September 2016 | Categories: Documents | Downloads: 87 | Comments: 0 | Views: 1254

Guidance Software, Inc.
215 N. Marengo Ave., Suite 250 Pasadena, CA 91101 Tel: (626) 229-9191 Fax: (626) 229-9199 e-mail: [email protected] web: www.GuidanceSoftware.com

EnCase® Forensic v7 Essentials

EnCase® Forensic v7 Essentials Training OnDemand – v7.04.01i (06.06.2012) Copyright ©2012, Guidance Software, Inc.
EnCase is a trademark of Guidance Software, Inc. All rights reserved. No part of this publication may be copied without the express written permission of Guidance Software, Inc. 215 N. Marengo Ave., Suite 250, Pasadena, CA 91101

GUIDANCE SOFTWARE | Training

Guidance Software Training
World-Class Training... Flexible Options

Features & Benefits

Guidance Software Training
The best training available on critical, real-world issues. Corporations and government agencies use EnCase® software solutions to search, collect, preserve and analyze digital information for the purposes of computer forensics and enterprise investigations, as well as information assurance, e-discovery collection, data loss prevention, compliance with mandated regulations, and more. Guidance Software Training courses and programs help organizations maximize their use of EnCase products. Guidance Software offers world-class training in enterprise investigations, such as e-discovery and computer security incident response; and in forensic investigations, including all aspects of law enforcement and government examinations. As the volume and sophistication of digital investigations continue to increase, investigators and examiners can stay ahead of the curve and maintain departmental efficiency by taking advantage of a high-level, extensive curriculum and affordable packages. Guidance Software has created multiple training options to help ensure your team remains up-to-date and certified on the most current practices in digital investigations.

- Structured management, budgeting and reduction of training expenses
- Qualify for CPE credits on all classroom courses
- Attendance at all courses, including EnCase® Training OnDemand, qualifies for training hours earned towards EnCE® certification or renewal
- Train in one of our state-of-the-art facilities, at one of our Authorized Training Partners throughout the world, or our EnCE®-certified instructors can come to you
- Customize a course to suit your organization's needs
- Enroll in one of our online courses with EnCase® Training OnDemand
- Enhance professional standing by participating in one or both of our certification programs: the EnCase® Certified Examiner (EnCE®) or EnCase® Certified eDiscovery Practitioner (EnCEP®)

EnCase® Annual Training Passport
Keep your staff up-to-date with the latest techniques and allow for improved planning. Organizations must ensure that their investigative staff is properly trained to handle the continually evolving landscape of computer investigations. Budget burdens and scheduling conflicts may limit the amount of training your staff receives. Guidance Software’s Annual Training Passport allows you to pay one discounted, flat rate for up to two years of unlimited training for your staff. No other company offers training this extensive at such a deep discount.

EnCase® Annual Passport Fees per student

Program                              Price USD   Price GBP
One Year Annual Training Passport    $5,500      £3,437.50
Two Year Annual Training Passport    $10,000     £6,250.00
One Year upgrade                     $3,500      £2,187.50
Two Year upgrade                     $7,000      £4,375.00

http://www.guidancesoftware.com/computer-forensics-training-certifications.htm

For More Info...
Please contact Guidance Software Training at: [email protected] or call 626-229-9191 Ext. 566

Details, terms and conditions of the program and upgrade options can be viewed at: http://www.guidancesoftware.com/computer-forensics-training-annual-training-passport.htm

Guidance Training Option Program (GTO)
Take advantage of maximum flexibility in scheduling and course selection. Organizations must constantly train investigative personnel to maintain the broad-based, changing skill set required for today’s digital investigations. With increasing caseloads, personnel changes and unpredictable schedules, meeting this obligation can prove challenging. Guidance Software has developed a solution that addresses these challenges at a practical price. Groups can purchase five or more classes at a reduced rate and use those training seats in the way that best suits your needs.

Program                USD (per seat)   GBP (per seat)
GTO (5-seat minimum)   $2,095           £1,309.38

Fees and restrictions are subject to change. For the most up-to-date information on any of our courses or programs, contact Guidance Software Training at [email protected] or 626-229-9191 ext. 566.

www.guidancesoftware.com


Training Facilities

Los Angeles, CA (Pasadena, CA)
215 North Marengo Avenue, Suite 250, Pasadena, CA 91101

Washington, DC (Dulles, VA)
21000 Atlantic Boulevard, Suite 750, Dulles, VA 20166

Chicago, IL (Rosemont, IL)
9450 West Bryn Mawr Avenue, Suite 200, Rosemont, IL 60018

Houston, TX
1300 Post Oak Boulevard, Suite 550, Houston, TX 77056

London, UK (Slough)
Thames Central, 5th Floor, Hatfield Road, Slough, Berkshire, UK SL1 1QE

We also have Authorized Training Partners all over the world. For a complete listing visit: http://www.guidancesoftware.com/computer-forensics-training-partners.html

EnCase® Mobile Training Courses
If your organization needs EnCase® training, but does not have a computer training laboratory or a travel budget, this program is designed for you. Guidance Software brings all the necessary equipment and materials to your site and our instructor conducts the course. This program is ideal for organizations with limited travel budgets, as well as those who need to train a number of employees at the same time, but cannot afford to have so many of their personnel away. Students receive the same high-quality instruction as they would at a Guidance Software training facility. The pricing is the same as our regular instructor-led courses with the following additional charges:

Program                                                       Price USD   Price GBP
Training Instructor Fee - 1 instructor / up to 12 students    $4,500      £2,812.50
Training Instructor Fee - 2 instructors / 13 to 24 students   $9,000      £5,625.00
Standard Shipping U.S.                                        $500        (not listed)
Standard Shipping International                               $800        £500.00

For a complete list of mobile options call Guidance Software Training at 626-229-9191 ext. 566 or visit our website at: http://www.guidancesoftware.com/computer-forensics-training-mobile-onsite.htm

EnCase® Certified Computer Examiner (EnCE®) Certification Bootcamp
The EnCE® certification has become the gold standard for digital examiners. With this program, students can prepare for certification while learning how to maximize their use of EnCase® software and solutions. The bundle provides all required training and test preparation for EnCE® certification. Students participating in this bootcamp take advantage of three courses: the EnCase® OnDemand Computer Forensics I, EnCase® OnDemand Computer Forensics II, and the EnCase® EnCE® Prep course, which is taken in the classroom. On the final afternoon of the EnCE® Prep course, the EnCE® written examination will be administered to the students in a monitored, timed environment.

Program                         Price USD   Price GBP
EnCE® Certification Bootcamp    $4,485      £2,803.13

Fees and restrictions are subject to change. For the most up-to-date information on any of our courses or programs, contact Guidance Software Training at [email protected] or 626-229-9191 ext. 566.

Our Customers
Guidance Software's customers are corporations and government agencies in a wide variety of industries, such as financial and insurance, technology, defense, energy, pharmaceutical, manufacturing and retail. Our EnCase® customer base includes more than 100 of the Fortune 500 and more than half of the Fortune 50, including: Allstate, Chevron, Ford, General Electric, Honeywell, Northrop Grumman, Pfizer, UnitedHealth Group and Viacom.

About Guidance Software (NASDAQ: GUID)
Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase® platform provides the foundation for government, corporate and law enforcement organizations to conduct thorough, network-enabled, and court-validated computer investigations of any kind, such as responding to eDiscovery requests, conducting internal investigations, responding to regulatory inquiries or performing data and compliance auditing, all while maintaining the integrity of the data. There are more than 40,000 licensed users of the EnCase technology worldwide, the EnCase® Enterprise platform is used by more than sixty percent of the Fortune 100, and thousands attend Guidance Software's renowned training programs annually. Validated by numerous courts, corporate legal departments, government agencies and law enforcement organizations worldwide, EnCase has been honored with industry awards and recognition from Law Technology News, KMWorld, Government Security News, and Law Enforcement Technology.
©2012 Guidance Software, Inc. All Rights Reserved. EnCase and Guidance Software are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners.


T FS 0130-11019

ENCASE® FORENSIC V7 ESSENTIALS TRAINING ONDEMAND CONTENTS
GETTING STARTED WITH ENCASE ...... 1
  EnCase® Forensic v7 ...... 1
  Now Included Standard In EnCase v7 ...... 2
  Encryption Support ...... 3
  Major Improvements In EnCase v7 ...... 3
  Installing EnCase Forensic v7 ...... 4
  Installing the Cert File ...... 9
  Running EnCase ...... 10

ENCASE® CONCEPTS ...... 15
  EnCase® Forensic ...... 15
  Forensically Sound Acquisitions ...... 15
  Forensic Workflow ...... 16
  EnCase® Evidence .Ex01 and .Lx01 v2 ...... 16
  Case File ...... 18
  EnCase® Configuration Files ...... 18
  EnScript® Programs ...... 20
  Filters and Conditions ...... 21
  EnCase v7 Application Folder Locations ...... 22
  EnCase v7 Graphical User Interface ...... 26
  View Menus ...... 29

HOW TO CREATE A CASE ...... 33
  Case Management ...... 33
  New Case ...... 35
  Working with Cases ...... 39
  Saving Your Case ...... 42
  Case Backup Dashboard ...... 44
  Use Current Case ...... 47
  Create a Custom Backup ...... 48
  Specify Case File ...... 50
  Specify Backup Location ...... 51
  Restoring from Backup ...... 52
  Deleting a Backup ...... 55
  Changing Case Backup Settings ...... 56
  EnCase Global Configuration Settings ...... 57
  Hash Library and Analysis ...... 64
  Working with Hash Libraries ...... 65
  Opening a Hash Library ...... 66
  Modifying Category and Tags for Multiple Hash Sets ...... 68
  New Hash Library ...... 69
  Add Hash Sets ...... 71
  Case Hash Library ...... 72
  Importing EnCase Legacy Hash Sets ...... 75

ADDING EVIDENCE TO A CASE ...... 79
  New Method to Add Evidence ...... 79
  Add Evidence File ...... 83
  Evidence Tab ...... 85
  Navigating the EnCase Evidence ...... 87
  Right-click ...... 92
  Additional Views ...... 92
  Organizing Columns ...... 96
  Other Table Pane Views ...... 96
  Bookmarking in Evidence View ...... 97
  Timeline View ...... 99
  Disk View ...... 100
  View Pane ...... 101
  Status Bar ...... 108

Copyright © 2012 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.

PROCESSING EVIDENCE FILES ...... 113
  Evidence Processor ...... 113
  Determine the Time Zone Setting ...... 114
  Configuring Time Zone Settings ...... 118
  Preparing the Evidence to Process ...... 120
  Managing Evidence Processor Settings ...... 122
  Using the Processor Settings Toolbar ...... 122
  Evidence Processing Tasks ...... 125
  Recover Folders ...... 125
  File Signature Analysis ...... 126
  Protected File Analysis ...... 126
  Thumbnail Creation ...... 126
  Hash Analysis ...... 126
  Expand Compound Files ...... 127
  Find E-mail ...... 127
  Find Internet Artifacts ...... 127
  Search for Keywords ...... 128
  Additional Methods for Entering Keywords ...... 132
  Index Text and Metadata ...... 134
  Modules ...... 136
  Processing a Live Device ...... 141
  Evidence Processor Threading Model ...... 142

VIEWING INDEX AND SEARCH RESULTS ...... 147
  Search Types ...... 147
  Index Searches ...... 147
  Creating a Search Query ...... 148
  Save the search results ...... 151
  Continue the investigation ...... 153
  Find Related ...... 156
  Viewing Keyword Search Results ...... 161
  Raw Searches ...... 164
  Tag Searches ...... 166
  Search Summary ...... 166

PROCESSED EVIDENCE RESULTS ...... 169
  File Types ...... 169
  File Signatures ...... 170
  Adding / Editing a File Type ...... 177
  Processed Evidence ...... 177
  Compound (Compressed Archive) Files ...... 178
  Internet Artifacts ...... 181
  Analyzing the Internet Artifacts ...... 184
  Evidence Processor Modules ...... 192
  Creating a Hash Set ...... 195
  Adding Hash Values to a Hash Set ...... 197


E-MAIL RESULTS ...... 201
  Displaying E-mail Threads ...... 208
  Show Conversation ...... 209
  Show Related Messages ...... 211
  Deduplicating Messages ...... 212

BOOKMARKING AND TAGGING YOUR FINDINGS ...... 215
  Bookmarking Data for Reports ...... 215
  Bookmarking a Single Item ...... 219
  Bookmark Multiple Items ...... 221
  Note Bookmark ...... 223
  Tags ...... 226
  Creating Tags ...... 226
  Tagging Multiple Evidence Items ...... 230
  Using the Tag Pane and Column ...... 232
  Tagging in the Search View ...... 235
  Hiding a Tag ...... 235
  Deleting Tags ...... 236

REPORTING ...... 239
  Using Report Templates ...... 239
  Formatting Report Templates ...... 243
  Report Styles ...... 245
  Viewing a Report ...... 247
  Case Archiving and Portability ...... 250

APPENDIX A – INDEX QUERIES ............................................................................................................................... 255
Creating a Search Query ............................................................... 255
Fields in Index Queries ............................................................... 264
Index Query Logic ..................................................................... 265
Unifying Search Results ............................................................... 265

Copyright © 2012 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.

Lesson 1 Getting Started with EnCase

ENCASE® FORENSIC V7
EnCase Forensic v7 (EnCase v7) is the next advancement in computer forensics technology, workflow, and best practices. With powerful automation capabilities, a streamlined user interface, and optimized case management, EnCase v7 will transform how you perform investigations. Just a few of the paradigm-shifting features are:
• Intuitive, streamlined interface
• Powerful processing capabilities
• Find evidence faster with unified search
• Review e-mail the way you want it
• Smartphone acquisition
• Quick case access
• Increased scalability

At the core of EnCase v7 is our commitment to robust file and operating system support. With version 7, you will be able to investigate more file and operating systems than ever before.

EnCase® Forensic v7 Essentials Training OnDemand

Leveraging the indexing engine from our EnCase® Command Center (EnCase® eDiscovery and EnCase® Cybersecurity) products, you will now have search results across multiple types of files all in one location, including files, e-mail, instant message (IM) conversations, Smartphones, etc.
• Dramatically change the workflow through the product to improve efficiency through automation
• Harness the power of indexing and searching versus browsing for the “needle” of evidence in the ever-increasing volume of the digital “haystack”
• Use the index to build relationships between items throughout EnCase v7, including items from EnScript® processing and Smartphone acquisitions
• Increase the usability of the software to find evidence faster

Figure 1-1 New workflow in EnCase v7

NOW INCLUDED STANDARD IN ENCASE V7
The EnCase Forensic modules are now all included in v7, including:
• Smartphone support
• EnCase® Decryption Suite (EDS) – Provides the ability to decrypt supported full disk and volume encryption and encrypted registry entries
• EnCase® Physical Disk Emulator (PDE) Module – Mount evidence files, including deleted files, as a virtual physical disk on your computer
• EnCase® Virtual File System (VFS) Module – Mount evidence files as an offline network share in your Windows® operating system
• EnCase® FastBloc Software Edition (SE) – Software write blocker ensures that no writes occur to a removable device during preview or acquisition

ENCRYPTION SUPPORT
EnCase v7 supports the following encryption products.

Vendor       | Product                                                  | Supported Versions                                   | 64-bit Support
-------------|----------------------------------------------------------|------------------------------------------------------|---------------
Check Point  | Check Point Full Disk Encryption (formerly Pointsec PC)  | 6.3.1 up to 7.4                                      | Yes
CREDANT      | Mobile Guardian                                          | 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8            | No
GuardianEdge | Encryption Plus/Anywhere                                 | 7 and 8                                              | No
GuardianEdge | Hard Disk Encryption                                     | 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1                    | Yes
McAfee       | SafeBoot                                                 | 4.5, 6 (Windows and Macintosh)                       | No
Microsoft    | BitLocker and BitLocker To Go                            | Vista, 7                                             | Yes
Sophos       | SafeGuard Easy (formerly Utimaco)                        | 4.5, 5.5                                             | Yes
Symantec     | PGP Whole Disk Encryption                                | 9.8, 9.9, 10                                         | Yes
Symantec     | Endpoint Encryption                                      | 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0 | Yes
WinMagic     | SecureDoc Full Disk Encryption                           | 4.5, 4.6                                             | No

MAJOR IMPROVEMENTS IN ENCASE V7
In addition to the enhanced workflow, you will notice a number of improvements in the functionality of EnCase v7:
• No longer will you have to wait for a case to open. File system, e-mail, and other compound structures now have their structures cached out to disk, so you are no longer restricted by the amount of memory you have when viewing large amounts of data.
  o EnCase v7 will be able to bring these items into memory as needed when navigating through the case.

• You can now mark files with user-defined tags to help remember important information about the file. These tags can be used later for filtering and reporting.
• We have streamlined the number of configuration items; for example, the views for configuring file types, file signatures, and file viewers have been combined into File Types.

• We have made the configuration settings accessible at the time that you are accessing that area; for example, Text Styles are now set in the text pane itself.
• We’ve separated EnCase v7 configuration settings from user settings. This allows us to update the delivered configuration files while leaving your files untouched.
• The Evidence Processor helps automate your work in preparing for an investigation.
• Viewing and working with e-mail is easier in EnCase v7.
• Searching is more powerful and has a new index engine.
• There are new templates for customizing reports.
• Smartphone support is included.
• New file system and file type support:
  o EXT4, including Linux Software RAID 1 and 10 Arrays for Ubuntu version 9.1 and version 10.04
  o HFSX
  o Microsoft® Office 2010 support
  o Check Point®/Pointsec™

INSTALLING ENCASE FORENSIC V7
To install EnCase v7:
1. Obtain the most current installation file available or insert the EnCase® Forensic installation DVD into your drive
   • If the installation does not auto start from the DVD, browse to locate and run Setup.exe

2. The welcome page of the install wizard appears
   • Note that the bottom right corner of the dialog displays the version of EnCase that will be installed into this path first, followed automatically by EnCase v7

Figure 1-2 Welcome screen of installation wizard

3. Click Next>
4. If the folder does not yet exist, click Yes

Figure 1-3 Click “Yes” to create a new folder

5. If you are upgrading, click OK, or click Cancel to go back and change the installation folder.

Figure 1-4 Select option to change installation folder

6. Following is a license agreement page for EnCase Forensic
7. Read and acknowledge your acceptance of the license agreement by clicking Next>

Figure 1-5 License Agreement

8. The next window offers to install additional properties if it is a first-time installation with no security key drivers installed
   NOTE: If this is the first installation of EnCase® software, remove any dongles and check the box next to Install HASP Drivers to install or upgrade the drivers needed for the EnCase® dongles.
9. Click Next>

Figure 1-6 Installation path

   • You should see that the setup has completed successfully

Figure 1-7 Successful installation

10. You may be notified that your system should be rebooted; to ensure the registration of certain DLLs and enable the drivers, it is strongly encouraged to reboot at this time
11. Make the reboot selection and click Finish

With the program successfully installed, the shortcut to EnCase v7 will appear on your Desktop.

Figure 1-8 Program icon

INSTALLING THE CERT FILE
The next step is to install the cert files. If you have cert files to install, those files need to be copied into the Certs folder. By default the location is: C:\Program Files\EnCase7\Certs

NOTE: With Windows 7 and Vista, you will need to copy the cert files onto your hard drive from the Internet and then copy them into the C:\Program Files\EnCase7\Certs directory. The security permissions of Windows 7 and Vista prevent direct copying from e-mail or the Internet into C:\Program Files.

Figure 1-9 Install cert files into the Certs folder

RUNNING ENCASE
Double-click the EnCase v7 icon on your Desktop to run EnCase for the first time. Please take a moment to register your EnCase v7.

Figure 1-10 Register EnCase Forensic v7

Follow the instructions on the webpage, which differ depending on whether you have Internet connectivity.

Figure 1-11 Register EnCase Forensic v7

EnCase will open to the Home screen.

Figure 1-12 EnCase Forensic v7

Lesson 2 EnCase® Concepts

ENCASE® FORENSIC
EnCase Forensic v7 (EnCase v7) provides investigators with a single tool for conducting large-scale and complex investigations from beginning to end. It features superior analytics, enhanced e-mail/Internet support, and a powerful scripting engine. With EnCase v7 you can:
• Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide
• Investigate and analyze data from multiple platforms – Windows, Linux, AIX, OS X, Solaris, and more – using a single tool
• Find information despite efforts to hide, cloak, or delete
• Easily manage large volumes of computer evidence, viewing all relevant files, including deleted files, file slack, and unallocated space
• Transfer evidence files directly to law enforcement or legal representatives as necessary
• Review options that allow non-investigators, such as attorneys, to review evidence with ease
• Use reporting options for quick report preparation

FORENSICALLY SOUND ACQUISITIONS
EnCase v7 produces an exact binary duplicate of the original drive or media, then verifies it by generating MD5 and/or SHA1 hash values for related image files and assigning Cyclic Redundancy Check (CRC) values to the data (when no compression is used). These checks and balances reveal any inconsistencies with acquired data. EnCase v7 maintains the reliability and functionality of previous versions while simplifying usage, adding powerful new features, and significantly increasing performance. EnCase v7 is accessible to several types of users:
• Those responsible for collecting evidence
• Forensic examiners and analysts
• Forensic examiners who develop and use EnScript® code to automate repetitive or complex tasks

FORENSIC WORKFLOW
EnCase v7 facilitates the forensic workflow process through the:
1. Preview and processing of case data
2. Analysis of evidence
3. Reporting of findings

ENCASE® EVIDENCE .EX01 AND .LX01 V2
EnCase v7 has new evidence file (.Ex01) and logical evidence file (.Lx01) formats. The existing EnCase® evidence file has performed well for over a decade. It is court-validated, well-known, and adopted in the industry. Despite its effectiveness, some limitations remain that can only be overcome with an updated evidence file format. Many of the central design principles of the E01 format have been retained. The Ex01 format still stores data in blocks that are verified with an individual 32-bit CRC (when no compression is used), and all of the source data stored in the file is hashed with the MD5 and/or SHA1 algorithms if requested by the user. The Ex01 enhancements do not affect features of the file, such as those that have been relied upon by many courts to rule on the acceptance of the file as a container of original evidence; the additions merely facilitate the ability to track and handle new characteristics of the stored data. The new Ex01 format introduces the following capabilities:
• Support for encryption of the data
• Ability to use different compression algorithms
• Improved support for multi-threaded acquisitions where sectors can be out of order
• Efficient storage and handling of sector blocks that are filled with the same pattern (such as 00-byte fills)
• Alignment considerations to improve efficiency and performance
• Improved support for resuming acquisitions
• Internal improvements of the data structures
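The two-level integrity check described in the Forensically Sound Acquisitions section and again above (a 32-bit CRC per stored block, plus MD5 and/or SHA1 over all of the source data), as an added example that is not Guidance Software code and does not read real .E01/.Ex01 files, which are a proprietary format. It shows why both checks are kept: the block CRCs locate which block of an image has been damaged, while the whole-image hashes confirm that the data as a whole still matches what was acquired. The block size, the sample "drive" contents and the single-bit corruption are constructed for the example.

```python
"""Simplified model of evidence-file verification: per-block CRC32 plus
MD5/SHA1 over the complete source. Added example, not EnCase's own format."""
import hashlib
import zlib
from dataclasses import dataclass

BLOCK_SIZE = 64  # constructed for the example; real evidence files use far larger blocks


@dataclass
class Image:
    blocks: list   # stored data, one bytes object per block
    crcs: list     # CRC32 recorded for each block at acquisition time
    md5: str       # hash of the complete source data at acquisition time
    sha1: str


def acquire(source: bytes, block_size: int = BLOCK_SIZE) -> Image:
    """Split the source into blocks, record a CRC32 per block, and hash the
    whole source with MD5 and SHA1 (the last block may be short)."""
    blocks = [source[i:i + block_size] for i in range(0, len(source), block_size)]
    crcs = [zlib.crc32(b) & 0xFFFFFFFF for b in blocks]
    return Image(blocks, crcs,
                 hashlib.md5(source).hexdigest(),
                 hashlib.sha1(source).hexdigest())


def verify(img: Image) -> dict:
    """Re-check every block CRC and both whole-image hashes.

    bad_blocks lists the indices whose stored CRC no longer matches the data
    (this localises the damage); md5_ok / sha1_ok report whether the image as
    a whole still matches the hashes taken at acquisition."""
    bad_blocks = [i for i, b in enumerate(img.blocks)
                  if (zlib.crc32(b) & 0xFFFFFFFF) != img.crcs[i]]
    data = b"".join(img.blocks)
    return {
        "bad_blocks": bad_blocks,
        "md5_ok": hashlib.md5(data).hexdigest() == img.md5,
        "sha1_ok": hashlib.sha1(data).hexdigest() == img.sha1,
    }


def corrupt_block(img: Image, index: int, offset: int = 0) -> Image:
    """Return a copy of the image with one bit flipped inside one block,
    simulating a media or transfer error after acquisition."""
    damaged = bytearray(img.blocks[index])
    damaged[offset] ^= 0x01
    blocks = list(img.blocks)
    blocks[index] = bytes(damaged)
    return Image(blocks, img.crcs, img.md5, img.sha1)


if __name__ == "__main__":
    source = bytes(range(256)) * 2          # constructed 512-byte "drive"
    img = acquire(source)
    print(verify(img))                      # {'bad_blocks': [], 'md5_ok': True, 'sha1_ok': True}
    print(verify(corrupt_block(img, 3)))    # {'bad_blocks': [3], 'md5_ok': False, 'sha1_ok': False}
```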

E01 had the ability of using a “soft” password, meaning that the data itself was not encrypted. Ex01 encrypts the data symmetrically, using AES-256 by default. The encryption key for this can be protected with:
• A password that generates a symmetric key
• An asymmetric key pair
• Both of the above

Figure 2-1 New EnCase® evidence file format

For instruction on acquiring digital evidence, please consider one or more of the following courses:

Course                                                              | Course website
--------------------------------------------------------------------|---------------------------------------------------------------------
First Responder with EnCase® Forensic, Tableau, and EnCase® Portable | http://www.guidancesoftware.com/EnCaseFirst-Responder.htm
EnCase® Computer Forensics I                                         | http://www.guidancesoftware.com/computer-forensics-training-encase1.htm
EnCase® Portable Configuration and Examinations                      | http://www.guidancesoftware.com/encaseportable-examinations.htm

CASE FILE
In prior versions of EnCase, the case file is a text file that contains information specific to one case. In EnCase v7, a case is no longer contained within a single file, but is stored within a folder containing many components. The case contains pointers to any number of evidence files or previewed devices, bookmarks, search results, sorts, hash analysis results, signature analysis reports, etc. Before media can be previewed or evidence files analyzed, a case file must be created when you run EnCase. The case cannot be simultaneously accessed by more than one examiner at a time. In EnCase v7, the default location for saving the case files is the User Data folder.

Verifying an Evidence File Automatically
Whenever an evidence file is added to a case, EnCase v7 will begin to verify the integrity of the entire disk image in the background. This is usually quite fast for small (removable devices) evidence files, but can take longer for hard disk evidence files. You may begin the examination while the verification occurs.

ENCASE® CONFIGURATION FILES
Prior to EnCase v7
In prior versions of EnCase, configuration files were contained in a series of initialization (.INI) files that contained global settings for EnCase. These files contained the signature table, file types, file viewers, filters, global keywords, etc. These files applied global configurations to every case and evidence file used within the EnCase® environment. They were stored (by default) in the folder where EnCase is installed, usually C:\Program Files\EnCase6\Config.

Configuration Changes in EnCase v7
In EnCase v7, there are major changes in the way EnCase stores configuration settings. These changes were necessary to better support the Windows operating systems (specifically Vista and Windows 7) protocols in regards to user and application data management. Windows guidelines encourage all user data to be stored in specific locations to facilitate better system security and a better customer experience (customers can go to one place to find their data). Likewise, Windows encourages applications to put volatile data in an Application data area, so that it is clear to you what data is part of an application and what data is considered user data. An additional benefit of these changes in v7 is the resolution of a long-standing issue with updating .ini files. In prior versions, if you modified your FileTypes.ini file, you would not receive updates to those files from Guidance Software as they would write over your custom configuration.

Configuration Files Locations
The following location list defines the areas used by EnCase v7 and gives a brief description of which types of files should reside in which location:
• User Data (C:\Users\<username>\My Documents\EnCase)
  o This folder is for user-created files that are not necessarily EnCase-version or installation specific. Files like case files and EnScript® files would default to this folder.
• User Application Data (C:\Users\<username>\AppData\Roaming\EnCase1)
  o This folder is for configuration files and user temp files that pertain to a specific user and installation folder of EnCase (window sizes, fonts, etc.)
• Global Application Data (C:\Users\Default\AppData\Roaming\<EnCase-1>)
  o This folder contains files that are for the configuration of EnCase regardless of the user (NAS settings, etc.)
• Program Files Folder
  o This folder contains files that are created by the installer and are unmodified by the application
• Shared Files Folder
  o This folder can be pointed to a folder where you keep shared files (EnScript® modules, Searches, Conditions, File Types, Text Styles, and Keys)

ENSCRIPT® PROGRAMS
EnScript programs are saved in two or three directories:
• The EnScript modules shipped with EnCase continue to be stored in the C:\Program Files\EnCase7\EnScript folder
• Your EnScript programs are now stored in your user folder under C:\Users\<userfolder>\EnCase\EnScript
• You can also specify a shared folder to be able to browse to your EnScript® library

You now run your EnScript modules from the toolbar drop-down instead of the former tree control in the lower right pane.

Figure 2-2 EnScript toolbar

When you select Run… or Edit…, you are presented with a file selection dialog that allows for easy browsing to all of the default locations via an EnCase tree on the left side. NOTE: On operating systems prior to Windows Vista, this functionality will not be available and you will need to manually navigate to the EnCase v7-shipped EnScript folder or your shared folders.

FILTERS AND CONDITIONS
Filters and conditions were previously all saved in a single .ini file in the C:\Program Files\EnCase6\Config directory. In EnCase v7, filters and conditions are now saved in individually named files with the extension .EnFilter or .EnCondition, respectively. The filters you create are saved in a separate folder from the EnCase-delivered filters. This allows you to create and edit your own filters and removes the need to overwrite similarly named filters, as well as the wholesale loss of your filters when there is an EnCase update. The functions for selecting and creating filters are the same as for EnScript modules.

File Viewers
There are no default viewers shipped with EnCase v7, so any viewers you add will be saved in an .ini file that only exists in your user directory.

Text Styles
Text styles are split into separate files and are viewable by you in a settings dialog that separates your user entries from the Guidance Software delivered entries with tabs.

File Types Combined with Signatures
File Types and File Signatures are combined into a single table. These are handled as two or three separate settings files; your user settings will override the shipped and shared settings. In this case a new column is displayed that shows you the items that have been modified by you. When you change an item or create new items, these items are identifiable by the User Modified column. If you want to get back the default settings for an item, select the item and then choose Reset to Default to get the Guidance Software default settings for the item.

Figure 2-3 File Types View

ENCASE V7 APPLICATION FOLDER LOCATIONS
Application Folder
This folder contains files created by the EnCase installer that are not modified by EnCase.
• Windows 7 and Windows Vista default path: \Program Files\EnCase7
• Windows XP: \Program Files\EnCase7

Folder Name | Description
------------|----------------------------------
Certs       | License certificates
Condition   | Default conditions
Config      | Application configuration options
Drivers     | Application drivers
EnScript    | Default EnScript programs
Filter      | Default filters
Help        | Help files
Lib         | Application library files
License     | EnLicense files
Mobile      | Mobile phone drivers
Noise       | Default noise file for the Index
Template    | Default case templates
ViewLib     | Outside In libraries

User Data
The following are user-created files that are not necessarily EnCase-version or installation specific:
• Windows 7 and Windows Vista path: \Users\<Username>\My Documents\EnCase
• Windows XP: \Documents and Settings\<Username>\My Documents\EnCase

Backup:
• Windows 7 and Windows Vista path: \Users\<Username>\My Documents\EnCase
• Windows XP: \Documents and Settings\<Username>\My Documents\EnCase

Folder Name | Description
------------|-------------------------------
Condition   | User-defined conditions
EnScript    | User-defined EnScript modules
Filter      | User-defined filters
Keys        | Encryption keys
Keyword     | User-defined keyword searches
Logs        | Console logs
Search      | User-defined searches
Template    | User-defined case templates

Case Folder
This folder contains all files that make up an EnCase v7 case:
• Windows 7 and Windows Vista default path: \Users\<Username>\My Documents\EnCase\<Case Name>
• Windows XP: \Documents and Settings\<Username>\My Documents\EnCase\<Case Name>

Item              | Description
------------------|------------------------------------------------
Corrupt Pictures  | Corrupt pictures
E-mail            | E-mail thread database
Export            | Default case export folder
Results           | Results of search queries
Searches          | Keyword search results (non-Evidence Processor)
Tags              | Tag database
Temp              | Default case temp folder
<Case Name>.Case  | EnCase case file

Evidence Cache
This folder contains the cache, index, and keyword results for a device that are created by the EnCase® Evidence Processor:
• Windows 7 and Windows Vista default path: \Users\<Username>\My Documents\EnCase\Evidence Cache\<Hash>
• Windows XP: \Documents and Settings\<Username>\My Documents\EnCase\Evidence Cache\<Hash>

Item         | Description
-------------|--------------------------------------------
Device Cache | Device caches
DeviceIndex  | Device index
Searches     | Keyword search results (Evidence Processor)

User Application Data
This folder contains configuration files and temporary user files associated with a specific user and EnCase installation folder.
• Windows 7 and Windows Vista path: \Users\<Username>\App Data\Roaming\EnCase\EnCase7-<#>
• Windows XP: \Documents and Settings\<Username>\Application Data\EnCase\EnCase7-<#>

Folder | Description
-------|------------------------------------------
Config | User-edited application configuration files

Global Application Data
This folder contains files that are used to configure EnCase v7 regardless of the user:
• Windows 7 and Windows Vista path:
  o \ProgramData\EnCase\EnCase7-<#>
• Windows XP:
  o \Documents and Settings\All Users\Application Data\EnCase
  o \Documents and Settings\All Users\Application Data\EnCase\EnCase7-<#>

NOTE: \Users\All Users\AppData = \ProgramData

Item       | Description
-----------|----------------------------------------
Logos      | Default report logo
Config     | NAS and other global configuration files
ParseCache | Parse cache files
Storage    | EnScript configuration files

Shared Files
This is a folder location in which you store shared files, such as EnScript programs, searches, conditions, keys, file types, text styles, and so forth.
• Windows 7 and Windows Vista path: <User Defined>
• Windows XP: <User Defined>

ENCASE V7 GRAPHICAL USER INTERFACE
The significant changes to the Graphical User Interface (GUI) are detailed as follows.

Web Browser-like Tabs
The new tabs are used as destinations for information, such as browsing file entries, searching the index, and configuration. You can choose the tabs that you would like to have visible, and you can have multiple instances of certain types of tabs open, which allows the browsing and searching of multiple items.

Figure 2-4 Browser-like tabs

What’s New in EnCase v7 versus v6
There are several changes to the GUI for EnCase v7 that improve the workflow and efficiency of computer forensic examinations.
• Bottom Right Pane Removed – There is no longer a general-purpose, bottom right-hand pane. This gives you more control over what you are viewing and dramatically reduces the number of tabs you need to navigate.
• Main Application Tool Bar Removed – The old text menu bar with applications was removed. There are now top-level, drop-down menus that provide greater flexibility.

Figure 2-5 Top-level, drop-down menus

• New Side Bar Menu – Each pane now has a side bar menu for common functions, such as Conditions, Filters, and Tags.

Figure 2-6 Side bar menus

• Flexible Pane Layouts – Rather than the static four panes of v6, you can set a preferred layout for each view:
  o Table
  o Tree-Table
  o Table-Tree
  o Tree

Figure 2-7 Flexible pane layouts

• Floating Box for Text – If the data in a table cell is truncated by the column size, hovering over it will display the content in a floating box.

Figure 2-8 Floating text box

• Tabs for Multi-dimensional Cell Data – The bottom pane contains tabs for multi-dimensional data, such as Fields, Permissions, Hash Set Properties, and File Extents. This is different from the single Additional Details tab in v6, and the tabs are available regardless of what cell is currently highlighted.

Figure 2-9 Multi-dimensional cell data tabs

• Drop-down Menus – In contrast to the trees in v6, you now have drop-down menus for selecting functions; for example:
  o Text Styles – Now available via a drop-down menu in the Text/Hex/Transcript view
  o Filters – Now available via a drop-down in the View Pane top menu bar.

Figure 2-10 Drop-down menus

• Configuration Settings – The configuration items are now accessible where they are needed. For example, you can create and/or select keywords at the time the search is executed, such as under Raw Search All…

Figure 2-11 Configuration

VIEW MENUS
The following is a summary of the major changes in the EnCase v7 GUI.

EnCase v6 Function | EnCase v7 Location
-------------------|-------------------------------------------------------------
Archive Files      | Removed
Cases              | Cases drop-down menu
Encryption Keys    | Accessed where used
File Signatures    | Removed (merged with File Types)
File Types         | Accessed where used; View drop-down menu
File Viewers       | Accessed where used
Hash Sets          | Accessed where used; View drop-down menu
Keywords           | Accessed where used; Entries Keyword Search toolbar item
EnScript           | To EnScript drop-down
Filters            | To Filter drop-down on Entries, Records, Search Results
Conditions         | To Condition drop-down on Entries, Records, Search Results
Display            | To individual Filter tabs
Queries            | No longer a function in EnCase
Text Styles        | To drop-down above Text/Hex/etc. view

Lesson 3 How to Create a Case

One of the most powerful features of EnCase® v7 is its ability to organize different types of media together, so that they can be indexed and searched as a unit rather than individually. This process saves time and allows you to concentrate on examining the evidence.

CASE MANAGEMENT
Before starting an investigation and acquiring media, consider how the case will be accessed once it has been created. It may be necessary for more than one investigator to view the information simultaneously. In such an instance the evidence files should be placed on a central file server and copies of the case file should be placed on each investigator’s computer (since case files cannot be accessed by more than one person at a time).

The EnCase® Forensic methodology strongly recommends that you use a second hard drive, or at least a second partition on the boot hard drive, for the acquisition and examination of digital evidence. It is preferable to wipe an entire hard drive or partition rather than individual folders to ensure that all of the temporary, suspect-related data is destroyed. This will aid in deflecting any claims of cross-contamination by the opposing counsel if the forensic hard drive is used in other cases. Of course, the evidence in the EnCase® evidence files is always protected from cross-contamination.

One method of organization is to create a folder for each case and to place the associated case file and evidence files in that folder. Reports and evidence copies can then be placed in the same folder or in subfolders. Create a Cases folder on your evidence drive for case management.

Figure 3-1 Creating the folder structure

Start EnCase v7.

Figure 3-2 EnCase v7

The Home page, like all pages within EnCase, is divided into several sections, each with a specific set of functions. In descending order, they are as follows:

Application Toolbar – Appears below the title bar and provides drop-down menus to major functionality. The menus and their selections are primarily static throughout your investigation. The menus and their selections are discussed in more detail later in this lesson.

Tabs – Similar to tabs in Internet browsers, each top-level tab displays a page that groups EnCase functionality. When you open EnCase for the first time, only the Home tab is available.

Tab Toolbar – These components include the back and forward arrows, which function the same as in any standard browser, as well as various viewing options that allow you to resize the panel dimensions to whatever best suits your needs. This toolbar also contains menus and buttons that are specific to the selected tab.

Page body – The Page body varies, depending on the tab that you are viewing. The Home page consists of labels that identify the product, case, and functionality available, and sections that identify categories of EnCase components and contain links to the features or actions belonging to each category.


NEW CASE
To start a new case, click on the New Case link.

Figure 3-3 New case


The Case Options dialog box will appear, allowing for the selection of the Base case and evidence cache folders for the new case. By default, paths to your user directory are displayed. The investigator should change these paths to those specific to the case in order to segregate case data.

Figure 3-4 Creating a new case

A. Case Template
When you create a new case, you will see a list of available templates (these are .CaseTemplate files). EnCase supplies several predefined templates whose names appear in this box along with any saved templates. To select a template: Click on a name from the case Templates list to select it. In the previous figure, the #2 Forensic template is selected.


Although you can configure a new case completely from scratch, Guidance Software recommends using a template as it simplifies the case-creation process. Each case template contains a uniquely configured set of the following:
- Case info items with default values
- Bookmark folders and notes
- Tag names
- Report template
- User-defined report styles

You can also create your own templates by saving any case as a template. Afterwards, the new template will appear in the Templates list and will be available for future use. If you intend to create a number of cases with a similar structure, it makes sense to save one of them as a template and use it to generate the other cases.

B. Case Information
Case info – Case info items are user-configurable, name-value pairs that document information about the current case. These items are primarily used to insert user-definable information into a report. To update a value, double-click on the row. To create case info items, use the New button above the table to generate as many name-value pairs as you need.

Figure 3-5 Case Information for Report

C. Case Name
Name – Text string you enter to identify the case file. In EnCase v7, a case is no longer contained within a single file, but is stored within a folder containing many components. The name specified in this field will be used to name the case folder as well as components contained within that folder.

Full Case Path – The folder in which the case file is stored. This field is not writable.


D. Case Folders
Base Case folder – This is the location where the case folder will be created. By default EnCase uses a folder under your My Documents folder.

Primary evidence cache – EnCase v7 uses cache files to speed up application responsiveness, enhance stability, and provide scalability across large data sets. The primary evidence cache folder is the location where EnCase will save and/or access these files. Cache files may be created in advance through the Evidence Processor and you can simply point to a folder that contains this data. Although there is an evidence cache for each device in a case, the evidence cache does not need to be stored with the evidence files. If cache files have not been created for a device, they will be stored in this folder when the Evidence Processor is run.

Secondary evidence cache – EnCase allows you to specify a secondary location where a previously created evidence cache can be found. This allows you to specify a folder on a network share or other location where cache files may be stored. Unlike the primary evidence cache folder, EnCase will only read previously created files from this location. All new cache files will be stored in the Primary evidence cache folder.

E. Backup settings
Backup every 30 minutes – By default, EnCase will back up your case every 30 minutes. Since backups can take a significant amount of time, they occur in a background thread, allowing you to continue with your work. Concerning the case backup:
- Can be canceled at any time, like any other background thread
- Stops silently if the case is closed
- If interrupted, continues at a later time, resuming where it left off (not copying the unchanged files again)
- Runs on this schedule:
  - Every 30 minutes while a case is open
  - When a case is opened, if that case has not been opened for more than 30 minutes
  - 30-X minutes after the case is opened, if the case has not been opened for X minutes, where X is less than 30
- Stops if the Evidence Processor is running
- Does not run if the Evidence Processor is already running
- Disables the automated backup timer while running

Maximum case backup size (GB) – By default, EnCase will allocate a maximum of 50 GB of space for the case backup files.

Backup location – This is the location where the backup files are saved. By default EnCase uses a folder under your My Documents/CaseBackup folder.


The last backup folder location, maximum amount of disk space, and enable/disable backup are saved in the global settings and are automatically populated when you create a new case. Click OK to apply the case options. To aid you, these constraints are checked:
- If you create a case with backup disabled, a dialog asks if you are sure you want to disable backup for this case.
- A warning displays if the backup location is not a valid path.
- Choosing a backup and case folder on the same drive letter displays a warning, asking if you are sure you want to back up the case on the same drive as the case.
- Choosing a backup and evidence folder on the same drive letter displays a warning, asking if you are sure you want to back up the case on the same drive as the evidence cache.
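
The four constraint checks above, written out as an added example for this lesson (this is not EnCase code, and the page does not describe how EnCase implements them). The path rules are assumptions: a backup location is treated as a valid path when it is an absolute Windows path with a drive letter or UNC share and no characters Windows forbids in names, and the same-drive comparisons are case-insensitive. The case paths such as D:\Cases\TDurden are constructed to follow the folder layout recommended earlier in the lesson.

```python
# Added example (not EnCase code): a model of the Case Options sanity checks
# EnCase applies when you click OK. Paths are handled with PureWindowsPath so
# the check runs on any platform; "valid path" is approximated here as an
# absolute Windows path (drive letter or UNC share) containing no characters
# that Windows forbids in file names. That approximation is an assumption.
from pathlib import PureWindowsPath

FORBIDDEN_CHARS = set('<>"|?*')


def drive_of(path: str) -> str:
    """Drive letter ('D:') or UNC share ('\\\\server\\share') of a path, upper-cased."""
    return PureWindowsPath(path).drive.upper()


def is_valid_windows_path(path: str) -> bool:
    """Absolute path with a drive or UNC anchor and no forbidden characters (assumption)."""
    p = PureWindowsPath(path)
    if not p.drive or not p.anchor.endswith("\\"):
        return False  # relative or drive-relative ('D:Cases') paths are rejected
    remainder = str(p)[len(p.drive):]  # the drive itself legitimately contains ':'
    return not any(c in FORBIDDEN_CHARS or c == ":" for c in remainder)


def check_case_options(case_folder: str, evidence_cache: str,
                       backup_location: str, backup_enabled: bool = True) -> list:
    """Return the warnings the Case Options dialog would raise (empty list = clean)."""
    warnings = []
    if not backup_enabled:
        warnings.append("Backup is disabled for this case; are you sure?")
        return warnings  # assumption: location checks are moot when backup is off
    if not is_valid_windows_path(backup_location):
        warnings.append(f"Backup location {backup_location!r} is not a valid path")
        return warnings
    if drive_of(backup_location) == drive_of(case_folder):
        warnings.append("Backup location is on the same drive as the case folder; are you sure?")
    if drive_of(backup_location) == drive_of(evidence_cache):
        warnings.append("Backup location is on the same drive as the evidence cache; are you sure?")
    return warnings


if __name__ == "__main__":
    # Constructed paths following the lesson's layout: case and cache on the
    # evidence drive D:, backups on a separate drive E: (clean), then on D:
    # (two warnings), then a relative path (invalid).
    for backup in (r"E:\CaseBackup", r"D:\CaseBackup", r"CaseBackup"):
        print(backup, "->", check_case_options(r"D:\Cases\TDurden",
                                               r"D:\Cases\TDurden\EvidenceCache", backup))
```

The early return after an invalid path mirrors the dialog's behaviour only loosely: a relative path has no drive to compare, so the same-drive checks could never fire for it anyway.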

The Home tab will then display a page for this particular case with the case name displayed at the top. This case page lists hyperlinks to many common EnCase features and you can use it as the main landing page for this case. You are now ready to begin building your case.

WORKING WITH CASES
Use the Case menu and the Case selections on the Case Home page to work with the parameters of and perform actions on your case. The following is a list of basic operations for working with a case. Use the menu items on the Case menu and the links beneath the Case section on the Case panel for these operations.


Case Selections

Save (Ctrl-S) – Saves the current case file. The default suffix for a case file is *.Case; the default suffix for a backup case file is *.cbak.

Save As... – Used to save and rename the current case file or create a copy of the case file with a different name.

Create Package (Ctrl-P) – Creates a case package file for portability with the evidence.

Case Backup – Accesses the Case Backup dashboard.

Save As Template... – Used to save the case as an EnCase template to use with new cases. The extension for a case template file is *.CaseTemplate.

Close – Closes the active case file.

Open... – Opens an existing case file. (Note that you can have more than one case file active at a time.)

New Case... – Opens the Case Options dialog so that you can create a new case file.

Options... – Allows you to edit the Case Options for the active case.

Hash Libraries... – Displays the Hash Libraries dialog, which provides a list of hash libraries and hash sets used in the current case and allows you to change libraries or enable and disable hash libraries and sets.

If you need to update the Case options later, they are available under the Case menu.

Figure 3-6 Accessing case options


Make any required changes to the case information and click OK. NOTE: You cannot change the information contained in the Name or Case path fields; this information is displayed for reference purposes only and is read-only.

Figure 3-7 Case Options


SAVING YOUR CASE
Click on the Save link on the Home page to save your case.

Figure 3-8 Case Home


Notice that several folders were created in the case folder:
- EvidenceCache – Stores cache files and containers for processed evidence
- Email – E-mail processing folder
- Documents – Default folder for documents
- Searches – Default folder for saving Search queries
- Export – Default folder for exporting evidence
- Tags – Tags storage
- Temp – Default temporary folder for file viewing

Later, other folders will be created during processing:
- CorruptPictures – Holds corrupt pictures during the thumbnail creation process
- Results – Stores the results of index queries

Figure 3-9 Default case folders


Create a folder named “LocalEvidence” and copy the TDurden.Ex01 evidence file from the EnCase Essentials OnDemand distribution website into the folder.

Figure 3-10 EnCase Essentials evidence

CASE BACKUP DASHBOARD
The Case Backup dashboard is the management interface for interacting with all backups for a particular case. The dialog shows a list of all available case backups in a tree format and sorts them by type (types are described in the following section). To modify case backup options, click Case > Case Backup > Use Current Case.

Figure 3-11 Case Backup options


The Case Backup menu opens a backup folder location and displays the case backup dashboard. The dashboard’s input is the folder location, which comes from three possible locations. The Case Backup menu allows you to obtain the backup folder location from:
- Use Current Case: Uses the backup folder location from the currently open and active case
- Specify Case File: Reads from and uses the backup folder location from an unopened case file through an open file dialog
- Specify Backup Location: Uses the backup folder location specified by the user through a folder dialog

For each case backup, the dashboard displays these columns:
- Name
- Created
- Size (in bytes, KB, MB, GB, etc.)
- Custom name (if available)
- Comment (if available)

Figure 3-12 Case Backup dashboard


The dashboard shows a list of all available case backups in a tree format and sorts them by type. Daily, weekly, and monthly backups are created as a result of aging scheduled backups. The backup types and their aging attributes are:
- Custom: This is a user-created backup where you can provide a custom name and comments. Custom backups are retained until explicitly deleted.
- Scheduled: A scheduled backup is created when you open a new case or schedule a backup manually using the Create Scheduled option.
- Daily: Every scheduled backup that is closest to that day’s local midnight time is copied and stored as a daily backup.
- Weekly: Every daily backup that is closest to that week’s Sunday local midnight time is copied and stored as a weekly backup.
- Monthly: Every daily backup that is closest to local midnight on the first day of the following month is copied and stored as a monthly backup.

By default, the database stores a maximum of:
- 48 scheduled backups
- Seven daily backups
- Five weekly backups

Monthly backups are kept until the maximum size allowed is exceeded. Oldest monthly backups are deleted to stay under the maximum size allowed.
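
The backup schedule from the Backup settings (back up immediately if the case has not been opened for 30 minutes, otherwise 30-X minutes after opening) and the aging and retention rules just described, modelled together as an added example written for this lesson; it is not EnCase code and EnCase's own bookkeeping is not described on the page. Assumptions: "closest to midnight" is resolved per calendar day, per Sunday-to-Saturday week and per month as the comments state; every backup is given the same size so that the monthly size cap can be exercised; the timeline (a case open continuously from 1 June 2012, backed up every 30 minutes for ten days) is constructed.

```python
# Added example (not EnCase code): a model of the automatic case backup schedule
# and of how scheduled backups age into daily, weekly and monthly backups under
# the retention limits described in the lesson. The tie-breaking for "closest to
# midnight" and the fixed per-backup size are assumptions; timestamps are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

BACKUP_INTERVAL_MIN = 30
MAX_SCHEDULED, MAX_DAILY, MAX_WEEKLY = 48, 7, 5
GB = 1024 ** 3


def minutes_until_first_backup(minutes_since_last_open: float) -> float:
    """Delay before the first automatic backup after a case is opened.
    Not opened for 30 minutes or more: back up immediately (0).
    Opened X < 30 minutes ago: back up 30-X minutes after opening."""
    x = minutes_since_last_open
    return 0.0 if x >= BACKUP_INTERVAL_MIN else float(BACKUP_INTERVAL_MIN - x)


def _closest(candidates, target):
    return min(candidates, key=lambda t: abs(t - target))


def _midnight(t: datetime) -> datetime:
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def age_backups(scheduled):
    """Derive daily, weekly and monthly backups from scheduled backup timestamps."""
    by_day = defaultdict(list)
    for t in scheduled:
        by_day[_midnight(t)].append(t)
    # Daily: per calendar day, the scheduled backup closest to that day's midnight
    daily = sorted(_closest(ts, midnight) for midnight, ts in by_day.items())

    # Weekly: per week (Sunday to Saturday), the daily backup closest to Sunday midnight
    by_week = defaultdict(list)
    for t in daily:
        sunday = _midnight(t) - timedelta(days=(t.weekday() + 1) % 7)
        by_week[sunday].append(t)
    weekly = sorted(_closest(ts, sunday) for sunday, ts in by_week.items())

    # Monthly: per month, the daily backup closest to midnight on the 1st of the next month
    by_month = defaultdict(list)
    for t in daily:
        by_month[(t.year, t.month)].append(t)
    monthly = sorted(
        _closest(ts, datetime(y + (m == 12), m % 12 + 1, 1)) for (y, m), ts in by_month.items()
    )
    return {"scheduled": sorted(scheduled), "daily": daily, "weekly": weekly, "monthly": monthly}


def apply_retention(backups, max_total_bytes, bytes_per_backup, custom=()):
    """Keep the newest 48 scheduled / 7 daily / 5 weekly backups and all custom
    backups; delete the oldest monthly backups until the total fits the size cap."""
    kept = {
        "scheduled": backups["scheduled"][-MAX_SCHEDULED:],
        "daily": backups["daily"][-MAX_DAILY:],
        "weekly": backups["weekly"][-MAX_WEEKLY:],
        "monthly": list(backups["monthly"]),
        "custom": list(custom),
    }

    def total_bytes():
        return bytes_per_backup * sum(len(v) for v in kept.values())

    while kept["monthly"] and total_bytes() > max_total_bytes:
        kept["monthly"].pop(0)  # lists are chronological, so index 0 is the oldest
    return kept


def sample_schedule(start=datetime(2012, 6, 1, 8, 0), count=480):
    """Constructed timeline: a case open continuously, backed up every 30 minutes."""
    return [start + timedelta(minutes=BACKUP_INTERVAL_MIN * i) for i in range(count)]


if __name__ == "__main__":
    aged = age_backups(sample_schedule())
    kept = apply_retention(aged, max_total_bytes=50 * GB, bytes_per_backup=1 * GB)
    for kind, items in kept.items():
        print(f"{kind:9s} {len(items):3d} kept, newest {items[-1] if items else '-'}")
```

With the default 50 GB cap and 1 GB per backup the retained scheduled, daily and weekly backups alone already exceed the cap, so the single monthly backup is the one discarded; raising the cap keeps it. Only monthly backups are pruned by size in this model, matching the text.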


USE CURRENT CASE
1. Click Case > Case Backup > Use Current Case and the dashboard displays. To create a scheduled backup, click Create Scheduled.

Figure 3-13 Backup – Current Case

2. The Create Scheduled Backup dialog displays.

Figure 3-14 Case Scheduled Backup

3. Click OK. The Create Scheduled Backup progress bar displays.

Figure 3-15 Create Scheduled Backup


4. After the backup is scheduled, the Create Scheduled Backup dialog closes. To verify that the backup was scheduled, click the Scheduled folder in the Backups directory.

Figure 3-16 Scheduled Backup

CREATE A CUSTOM BACKUP
1. Click Case > Case Backup > Use Current Case and the dashboard displays. To create a custom backup, click Create Custom.

Figure 3-17 Create Custom Backup


2. The Create Custom Backup dialog displays.

Figure 3-18 Create Custom Backup Dialogue

3. Enter a custom name and, if desired, a comment, then click OK.
4. To verify that the custom backup was created, click the Custom folder in the Backups directory.

Figure 3-19 Custom Backup


SPECIFY CASE FILE
Specify Case File reads from and uses the backup folder location from an unopened case file.
With no case open, click Case > Case Backup > Specify Case File.

Figure 3-20 Specify Case File…

1. The Open File dialog displays.

Figure 3-21 Open Case File

2. Select the case file you want, then click Open. The dashboard displays for the case file you selected.


3. If you desire to restore a backup, select a backup file and click Restore.

Figure 3-22 Restore Case Backup

SPECIFY BACKUP LOCATION
To specify a backup location, click Case > Case Backup > Specify Backup Location.
1. The Browse for Folder – Case Backup Location dialog displays.

Figure 3-23 Browse for Folder


2. Navigate to the location you want for the backup, then click OK.
3. The Case Backup Folder is displayed. Click OK.

Figure 3-24 Confirm case backup folder

RESTORING FROM BACKUP
Restoring from backup restores the following types of data:
- Case file
- Everything in the case folder, except:
  - Export folder
  - Temp folder
  - Evidence files (.E01, .L01, .Ex01, and .Lx01)
- Primary evidence cache (only those evidence caches referenced in the case)
- Secondary evidence cache (only those evidence caches referenced in the case)
- Dates, times, and sizes for all files


How to Restore from Backup
Click Case > Case Backup > Specify Case File or Specify Backup Location.
1. With no case open, select the case you want to back up, then click Open to display the dashboard.
2. In the dashboard, select the folder in the Backups directory which contains the backup you want to restore.
3. Blue-check one (and only one) backup, then click Restore.

Figure 3-25 Restore backup


4. The Restore Backup dialog displays. Click either Restore to original case locations (default) or Restore to new locations, then click Next>.

Figure 3-26 Create Custom

- If you click Restore to original case locations, the Name, Location, and Full Case Path fields populate automatically and you cannot edit them. All other options are disabled.
- If you click Restore to new locations, the Name, Location, and Full Case Path fields populate and you cannot edit them. However, all other options are enabled, and you can change any of them.

5. When you are done, click Finish.

NOTE: Restoring will overwrite the contents of the selected Case directory.


DELETING A BACKUP
To delete a backup, go to the dashboard using any of the options in the Case > Case Backup drop-down menu. From the Backups directory, open the folder containing the backup you want to delete.
1. Blue-check the backup or backups you want to delete, then click Delete.

Figure 3-27 Delete selected backups

2. A warning message displays:

Figure 3-28 Create Custom

3. To continue, click OK. The selected backups are deleted.


CHANGING CASE BACKUP SETTINGS
To change case backup settings, a case must be open:
1. Click Case > Case Backup > Use Current Case.
2. On the dashboard, click Change Settings. The Change Case Backup Settings dialog displays.

Figure 3-29 Create Custom

3. You can make these changes:
   - Enable or disable Backup every 30 minutes
   - Maximum case backup size (GB)
   - Backup location
4. Make the changes you want, then click OK.


ENCASE GLOBAL CONFIGURATION SETTINGS
EnCase configuration settings that are global may be found by selecting Tools > Options….

Figure 3-30 Global configuration settings available in the Options window

The Options tab can modify the EnCase core configuration:
- The Global tab allows various features to be changed, including the Auto Save Feature, picture, and timeout options
- The Date tab allows you to set the format for date and time stamps
- The NAS tab contains all of the settings needed to enable the network authentication of the EnCase® dongle if on a server instead of the local machine
- The Colors tab provides the ability to set the color scheme for different elements of the EnCase® interface
- The Fonts tab can alter screen fonts, typically used for foreign-language support
- The Shared Files tab provides the ability to set the path to where user and application data is stored, as well as the evidence and cache folders
- The Debug tab is utilized by EnCase users who experience abnormal shutdowns or program lockups and by those working with customer service to determine the nature of the problem


Global
This tab allows you to select options that establish the global-configuration settings for a case.

Figure 3-31 Options window – Global tab

Picture Options
- Enable Picture Viewer – This option allows pictures to be displayed in various views.
- Enable ART image display – This option provides you with the ability to not display files with these characteristics, which, if corrupted, may cause an Internet browser like Internet Explorer to crash.
- Invalid Picture Timeout – This option enables EnCase to stop trying to read a corrupted image file. Instead the file is cached so that EnCase will not attempt to read it in the future. The default is 12 seconds.
- Force ordered rendering in Gallery – This new option for EnCase v7 was added to force the rendering of pictures in the Gallery to be in order from top left to bottom right. Checking this box forces the ordered rendering, while turning the option off makes EnCase render small pictures immediately and queue up the longer/bigger pictures.
  - This option is off by default because the Gallery view flows better from a user-interface perspective. However, some users like to go to the Gallery view and scroll down one row at a time to see the pictures show up in order from left to right. This option was created for those users.

Code Page
- Code Page – Set the default code page for text viewing.


Additional Options
- Show True / Show False – This option defines the data that will appear in a Table column, indicating whether a condition is true or false. It is best to set these items to something that can be easily understood (such as “Yes” for true and “No” for false) rather than retain the default settings of a bullet for “true” and blank for “false.”
- Default Char – The character used for non-printable values, such as 00h, 01h, 02h, etc.
- Flag Lost Files – This option is unchecked by default, which means that lost clusters are treated as unallocated space, decreasing the amount of time required to access the evidence file through a case file. If this option is checked, EnCase will tag all lost clusters in Disk view (indicated by yellow blocks with a question mark). This option must be set before an evidence file is added to the case.
- Detect FastBloc – Detect legacy FastBloc for write blocking during evidence acquisition.
- Don’t verify evidence when opened – Open evidence without verifying the acquisition hash and CRC.

Date
This tab allows you to configure the date and time displays, including displaying the time zone on dates.

Date Format includes these options:
- MM/DD/YY (for example, 06/21/08)
- DD/MM/YY (for example, 21/06/08)
- Other enables you to specify your own date format
- Current Day displays the current date in the specified date format


Time Format includes these options:
- 12:00:00PM uses a 12-hour clock for the time format
- 24:00:00 uses a 24-hour clock for the time format
- Other enables you to specify your own time format
- Current Time displays the current time in the specified time format

Figure 3-32 Options window – Date tab


NAS
NAS (Network Authentication Server) – This option allows multiple copies of EnCase to authenticate to a single hardware key. This is typically used in lab environments with multiple examiners and multiple copies of EnCase.

Figure 3-33 Options window – NAS tab


Colors
This tab allows you to change the colors for different elements of the EnCase interface.

Figure 3-34 Options window – Colors tab

Fonts
This option allows you to alter fonts for viewing convenience and to accommodate the special font requirements of some foreign languages to display correctly.

Figure 3-35 Options window – Fonts tab


Shared Paths
This option allows you to specify the folder for shared files, such as the filetypes.ini file, EnScript modules, filters, searches, conditions, and keywords.

Figure 3-36 Options window – Shared Paths tab

Debug
This option is utilized by EnCase users who experience abnormal shutdowns or program lockups and by those working with customer service to determine the nature of the problem.

Figure 3-37 Options window – Debug Path tab


HASH LIBRARY AND ANALYSIS
Analyzing a large set of files, by identifying and matching the unique hash value of each file, is an important part of the computer forensics process. Using the hash library feature of EnCase v7, you can import or custom build a library of hash sets, allowing you to identify file matches in the examined evidence. Computer forensics analysts often create different hash sets of known illicit images, hacker tools, or non-compliant software to quickly isolate known “bad” files in evidence.

Hash sets are distributed and shared among users and agencies in multiple formats. These formats include NSRL, EnCase hash sets, Bit9, and others. Until recently, the hash set standard to identify a file was the MD5 hash calculation. Large hash distribution sets, such as the NSRL set, are now distributed using the SHA-1 hash calculation. EnCase will offer continued support for MD5 hash sets from old versions of EnCase and other products as well as the new SHA-1 hash format sets. EnCase uses an extensible format for hash sets that allows:
- Storing metadata along with the hash value in field form
- Support of MD5, SHA-1, and additional hash formats within the same file structure
- The association of tags with items in the hash set

Hashing Features
EnCase v7 contains several new and expanded hashing features:
- A versatile user interface for hash library management: you can create hash sets and libraries, import and export hash libraries, query hash sets, and view hash sets or individual hash items
- Hash libraries can contain multiple hash sets and each set can be enabled or disabled
- You can create as many hash libraries or hash sets as you want
- If a hash belongs to multiple sets, every match will be reported
- Each case can use up to two different hash libraries at the same time
- You can save individual hashes in a separate folder without placing them in a specific hash set or hash library (for example, you may want to retain a hash of an item for later use without committing it to a particular hash set or library)
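
The hash-matching behaviour described in this section and the feature list above (sets carrying MD5 and/or SHA-1 with metadata and tags, sets that can be disabled, every match reported when a hash belongs to several sets, at most two libraries per case), shown as an added example written for this lesson. It is not EnCase code and does not reproduce EnCase's on-disk hash library format; the in-memory structures, the set and library names, and every hashed "file" are constructed, and none of the digests come from the real NSRL RDS.

```python
# Added example (not EnCase code): a small in-memory model of a hash library
# holding several hash sets, each carrying MD5 and/or SHA-1 values plus the
# metadata (category, tags, enabled flag) the lesson describes. All hash sets
# and "files" here are constructed; none of the values come from NSRL.
import hashlib
from dataclasses import dataclass, field

MAX_LIBRARIES_PER_CASE = 2


@dataclass
class HashSet:
    name: str
    category: str            # e.g. "Known" (ignorable) or "Notable" (of interest)
    tags: set = field(default_factory=set)
    enabled: bool = True
    md5: set = field(default_factory=set)   # legacy sets may carry MD5 only
    sha1: set = field(default_factory=set)  # newer sets such as NSRL RDS carry SHA-1

    def add_item(self, data: bytes, algorithms=("md5", "sha1")):
        """Hash the item with the chosen algorithms and store the digests."""
        if "md5" in algorithms:
            self.md5.add(hashlib.md5(data).hexdigest())
        if "sha1" in algorithms:
            self.sha1.add(hashlib.sha1(data).hexdigest())


@dataclass
class HashLibrary:
    name: str
    sets: list = field(default_factory=list)


def hash_item(data: bytes):
    """MD5 and SHA-1 of one item, the two formats the library supports."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def match_item(data: bytes, libraries):
    """Every enabled hash set, in any attached library, containing this item's hash.
    A hash present in several sets is reported once per set."""
    if len(libraries) > MAX_LIBRARIES_PER_CASE:
        raise ValueError("a case can use at most two hash libraries at the same time")
    md5, sha1 = hash_item(data)
    return [
        {"library": lib.name, "set": hs.name, "category": hs.category, "tags": sorted(hs.tags)}
        for lib in libraries
        for hs in lib.sets
        if hs.enabled and (md5 in hs.md5 or sha1 in hs.sha1)
    ]


def triage(items: dict, libraries):
    """Map each item name to its matches; unmatched items are the ones still needing review."""
    return {name: match_item(data, libraries) for name, data in items.items()}


def build_sample_libraries():
    """Constructed libraries: a lab library with a legacy MD5-only set, a
    case-specific set and a disabled set, plus a second library standing in
    for a converted NSRL-style SHA-1 set."""
    tools = HashSet("Hacker tools (legacy MD5)", "Notable", {"tool"})
    tools.add_item(b"constructed: hacker-tool.exe", algorithms=("md5",))
    incident = HashSet("Incident 42 artifacts", "Notable", {"incident-42", "malware"})
    incident.add_item(b"constructed: hacker-tool.exe", algorithms=("sha1",))
    incident.add_item(b"constructed: dropper.dll")
    retired = HashSet("Retired set", "Known", enabled=False)
    retired.add_item(b"constructed: os-file.dll")
    lab = HashLibrary("Lab Library", [tools, incident, retired])

    known = HashSet("NSRL-style known files", "Known", {"os-file"})
    known.add_item(b"constructed: os-file.dll", algorithms=("sha1",))
    reference = HashLibrary("Reference Library", [known])
    return lab, reference


if __name__ == "__main__":
    lab, reference = build_sample_libraries()
    evidence = {  # constructed file contents standing in for evidence items
        "hacker-tool.exe": b"constructed: hacker-tool.exe",
        "os-file.dll": b"constructed: os-file.dll",
        "unknown.bin": b"constructed: never seen before",
    }
    for name, hits in triage(evidence, [lab, reference]).items():
        print(name, "->", [f'{h["library"]}/{h["set"]} [{h["category"]}]' for h in hits] or "no match")
```

The tool file matches twice, once through the MD5-only legacy set and once through the SHA-1 entry in the incident set, which is the "every match will be reported" behaviour; the OS file is reported only from the reference library because the lab library's copy sits in a disabled set.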


WORKING WITH HASH LIBRARIES
A hash library is a folder containing the file-based, database-like structure in which EnCase stores hash sets. To work with hash libraries, click on Tools > Manage Hash Library… on the Application Toolbar.

Figure 3-38 Managing hash library


OPENING A HASH LIBRARY
From the Manage Hash Library dialog you can manage any existing hash libraries or create a new one. You use its toolbar to:
- Create a new hash library or edit an existing library
- Create new hash sets within a library or edit an existing hash set within a library
- Import and export hash sets from one library to another
- Query a hash library for a particular value

NSRL
You may wish to use a centralized hash library or one already created. Guidance Software, Inc. has converted the National Software Reference Library (NSRL) RDS 2.32 March 2011 (http://www.nsrl.nist.gov/Downloads.htm) hash set into the EnCase v7 format. Download the converted NSRL hash sets from the EnCase Support Portal at: https://support.guidancesoftware.com/

Place them in a directory that is easily accessible and usable, such as: C:\Program Files\EnCase7\Hash Libraries\NSRL Hash Library

Figure 3-39 NSRL Hash Library


To open a hash library, click Open Hash Library and browse to the directory from the Manage Hash Library panel toolbar.

Figure 3-40 NSRL hash library

Browse to C:\Program Files\EnCase7\Hash Libraries\NSRL Hash Library and click OK.

Figure 3-41 NSRL hash library in EnCase v7


MODIFYING CATEGORY AND TAGS FOR MULTIPLE HASH SETS
Rather than modifying each matching file set individually, you can now change the category and tags for multiple hash sets in a hash library. In the Manage Hash Library dialog, blue-check the appropriate hash sets and then select Edit Multiple.

Figure 3-42 Edit multiple hash sets

The Edit Multiple dialog displays.

Figure 3-43 Edit Multiple hash sets – category and tags

Select whether you want to change the existing category or tag on the hash sets, then enter the new value in the text box.


NEW HASH LIBRARY
To create a new hash library, do the following within the Manage Hash Library interface:
1. On the Manage hash library panel toolbar, click New hash library

Figure 3-44 New Hash Library

2. Browse for a directory or create a new folder to hold the hash library

Figure 3-45 Browse for Hash Library

NOTE: If you use an existing folder, it must be empty (otherwise, the contents of the folder will be deleted).
3. Provide a name for the hash library (for example, “Hash Library #1”)

4. Click OK.

Figure 3-46 Hash library created

If you wish to import hash sets from another library, select Import Hash Sets from the toolbar. You can then browse to a library and select individual sets to import, such as importing the NSRL library into your new Hash Library #1. NOTE: Ctrl+Space Bar will select all of the hash sets.

Click Finish to import the hash sets; for now, click Cancel. NOTE: With 11 GB of hash sets, importing the NSRL RDS will take a long time.

Figure 3-47 Import Hash Sets

ADD HASH SETS
We will add new hash sets to the current hash library after running the EnCase Evidence Processor.

Figure 3-48 New Hash Set

CASE HASH LIBRARY
Your case can have up to two hash libraries. From the case Home screen, click on Hash Libraries.

Figure 3-49 Hash Libraries

To select a hash library, click on Change Hash Library. Browse to the Primary hash library and click OK.

Figure 3-50 Change hash library

The Primary hash library will now be enabled and ready for use with the Evidence Processor. You can also select a Secondary hash library.

Figure 3-51 Case Hash Libraries
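To make the matching behind a primary and secondary hash library concrete, here is an added Python example (not EnCase or Guidance Software code) of how a file's MD5 and SHA-1 are checked against the hash sets of both case libraries, and how the Edit Multiple operation described earlier changes the category and tags of several hash sets at once. The library and hash set names, the category values, the tags and the sample file contents are all constructed for illustration; only the digests are computed, and the real EnCase library file format is not modelled.

```python
"""Hash-library matching as the Evidence Processor applies it, in miniature.

Added example, not EnCase or Guidance Software code. Set names, categories,
tags and the sample file contents are constructed; only the digests are real.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class HashSet:
    name: str
    category: str                        # e.g. "Known" (NSRL) or "Notable"
    tags: set = field(default_factory=set)
    md5s: set = field(default_factory=set)
    sha1s: set = field(default_factory=set)

    def contains(self, md5, sha1):
        return md5 in self.md5s or sha1 in self.sha1s


@dataclass
class HashLibrary:
    name: str
    sets: list = field(default_factory=list)

    def lookup(self, md5, sha1):
        """All hash sets in this library that hold either digest."""
        return [s for s in self.sets if s.contains(md5, sha1)]

    def edit_multiple(self, set_names, category=None, add_tag=None):
        """Counterpart of the Edit Multiple dialog: update several sets at once."""
        for s in self.sets:
            if s.name in set_names:
                if category is not None:
                    s.category = category
                if add_tag is not None:
                    s.tags.add(add_tag)


def digests(data):
    """MD5 and SHA-1 of a file's contents, as a hash analysis would compute them."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def classify(data, primary, secondary=None):
    """Consult the case's primary and then its secondary library.

    Returns (library name, hash set name, category) for every match, which is
    the information behind the Hash Sets column; an empty list means unknown.
    """
    md5, sha1 = digests(data)
    hits = []
    for lib in (primary, secondary):
        if lib is None:
            continue
        for s in lib.lookup(md5, sha1):
            hits.append((lib.name, s.name, s.category))
    return hits


def build_demo_libraries():
    """Two tiny libraries standing in for the NSRL import and a case-specific one."""
    known = b"constructed sample: bytes of a stock operating-system binary"
    notable = b"constructed sample: bytes of a file the case is interested in"
    k_md5, k_sha1 = digests(known)
    n_md5, _ = digests(notable)
    primary = HashLibrary("NSRL Hash Library", [
        HashSet("NSRL RDS (constructed subset)", "Known", {"os"}, {k_md5}, {k_sha1}),
    ])
    secondary = HashLibrary("Hash Library #1", [
        # MD5-only set: lookup still matches because either digest suffices
        HashSet("Case set (constructed)", "Notable", set(), {n_md5}, set()),
    ])
    return primary, secondary, known, notable


if __name__ == "__main__":
    prim, sec, known, notable = build_demo_libraries()
    for sample in (known, notable, b"never seen before"):
        print(sample[:20], classify(sample, prim, sec))
```

A file that matches a Known set can be filtered out of review; one that matches a Notable set is surfaced. The example reports every matching set rather than the first, because a file can legitimately appear in both libraries and the examiner needs to see that.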

IMPORTING ENCASE LEGACY HASH SETS
EnCase v7 has an EnScript program to import hash sets from prior versions of EnCase. From the Tools menu, select Import EnCase Legacy Hash Sets… to run the EnScript module.

Figure 3-52 Manage Hash Library

Lesson 4 Adding Evidence to a Case

NEW METHOD TO ADD EVIDENCE
Add Device in EnCase® v6
In EnCase v6, the Add Devices wizard allowed you to do the following:

- Preview devices (local and enterprise)
- Preview physical and process memory (local and enterprise)
- Preview via a crossover cable
- Add image files (including E01s, L01s, Safeback, vmdk, etc.)
- Preview a Palm device

New Add Evidence Function in EnCase® v7
Again, for instruction on acquiring digital evidence please consider attending one or more of the following courses:

Course | Course website
First Responder with EnCase® Forensic, Tableau, and EnCase® Portable | http://www.guidancesoftware.com/EnCaseFirst-Responder.htm
EnCase® Computer Forensics I | http://www.guidancesoftware.com/computerforensics-training-encase1.htm
EnCase® Portable Configuration and Examinations | http://www.guidancesoftware.com/encaseportable-examinations.htm

In EnCase v7, the functionality that was in the EnCase v6 Add Devices wizard is split into separate menus. These menus are accessed from the Add Evidence button on the Home page or from the drop-down menu.

Figure 4-1 Add Evidence

The Add Evidence window appears for the Case.

Figure 4-2 Add Evidence

The new menus are:

- Add Local Device – Initiate the process of adding a local device attached directly to your local computer. This can be the main system drive, a removable drive write blocked with FastBloc SE, or a device attached through a Tableau write blocker.

Figure 4-3 New EnCase v7 Add Local Device interface

- Add Evidence File – Specify an evidence file to add to the active case. This can be an EnCase evidence file (E01) or logical evidence file (L01).

- Add Raw Image – Add a raw or dd image file of a physical device to the active case.

- Acquire Smartphone – Acquires a smartphone. After clicking the Acquire Smartphone link, the dialog allows you to specify the device type and the kinds of data that you want to collect into an evidence file.
  o EnCase supports both iOS 5.0 and iOS 5.1 for iPhone and iPad devices. The supported features are the same for all iOS versions, from iOS version 3.0 through 5.1.

Figure 4-4 New EnCase v7 Smartphone interface

- Add Crossover Preview – Crossover-cable acquisitions require both a subject and a forensic machine. This type of acquisition also negates the need for a hardware write blocker. It may be desirable in situations where physical access to the subject machine’s internal media is difficult or not practical. This is the recommended method for acquiring Macintosh laptops (or others with difficult hard drive removal) and exotic RAID arrays. This option allows you to preview a machine acquired through a crossover-cable acquisition.

NOTE: Guidance Software is no longer supporting legacy Palm devices.

ADD EVIDENCE FILE
For this course, we will add the TDurden.Ex01 evidence file. There are two methods: select the Add Evidence menu or the Add Evidence hyperlink.

Figure 4-5 Add Evidence hyperlink and menu

Or, if the Add Evidence hyperlink was selected, click on Add Evidence File.

Figure 4-6 Add evidence

Browse to the TDurden.Ex01 evidence file that you copied to the examination drive and click Open.

Figure 4-7 Selecting the evidence file

EnCase v7 will then add the device to the case Evidence tab and automatically begin the verification process of the evidence file hash value and CRCs, unless you specifically choose the option to not verify evidence files (certainly not recommended).

Figure 4-8 Added evidence verifying
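The verification that starts automatically when an evidence file is added checks two things: a CRC stored for each block of acquired data and a hash stored for the whole acquired stream. The following is an added Python example (not EnCase or Guidance Software code) of that scheme in miniature, so you can see why the hash proves the image is the one acquired and why the per-block CRCs tell you where a damaged or altered file diverges. The block size, the container layout and the sample image bytes are constructed; real E01/Ex01 files carry far more metadata than this.

```python
"""Evidence-file integrity checking in the style EnCase performs when it adds
an evidence file: a CRC per data block plus a hash over the whole acquired
stream. Added example, not EnCase or Guidance Software code. The block size,
the container layout and the sample image bytes are constructed."""
import hashlib
import zlib

BLOCK_BYTES = 64 * 512  # constructed: one CRC per 64-sector (32 KiB) block


def acquire(image):
    """Build a container from raw device bytes: data blocks, per-block CRC32,
    and MD5/SHA-1 over the complete stream (the acquisition hash values)."""
    blocks = [image[i:i + BLOCK_BYTES] for i in range(0, len(image), BLOCK_BYTES)]
    return {
        "blocks": blocks,
        "crcs": [zlib.crc32(b) & 0xFFFFFFFF for b in blocks],
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
    }


def verify(container):
    """Re-hash the stored data and recompute every block CRC.

    Returns (hash_ok, bad_blocks). hash_ok is True when both stored hashes
    match the data now in the container; bad_blocks lists block indices whose
    CRC differs, which is what lets an examiner say *where* a corrupted or
    modified evidence file diverges, not just that it does.
    """
    data = b"".join(container["blocks"])
    hash_ok = (hashlib.md5(data).hexdigest() == container["md5"]
               and hashlib.sha1(data).hexdigest() == container["sha1"])
    bad_blocks = [i for i, (blk, crc) in enumerate(zip(container["blocks"], container["crcs"]))
                  if (zlib.crc32(blk) & 0xFFFFFFFF) != crc]
    return hash_ok, bad_blocks


def flip_byte(container, offset):
    """Return a copy of the container with one data byte altered (simulated damage)."""
    idx, within = divmod(offset, BLOCK_BYTES)
    blocks = list(container["blocks"])
    blk = bytearray(blocks[idx])
    blk[within] ^= 0xFF
    blocks[idx] = bytes(blk)
    return {**container, "blocks": blocks}


def build_sample_image():
    """Constructed 100 KiB 'device': a repeating byte pattern, not a real disk image."""
    return bytes(range(256)) * 400


if __name__ == "__main__":
    container = acquire(build_sample_image())
    print("clean:", verify(container))
    print("one byte changed at 40000:", verify(flip_byte(container, 40000)))
```

The hash mismatch alone would only tell you the file is not what was acquired; the CRC list narrows that to the 32 KiB block at index 1, which is the kind of detail worth recording if a verification ever fails on a real case.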

When completed, save your case.

Figure 4-9 Saving your case

EVIDENCE TAB
The Evidence tab allows you to browse selected devices as in previous versions of EnCase® software (EnCase). To browse a single item of evidence, click on the hyperlink in the Name column. Click on TDurden. EnCase will parse the Master File Table (MFT) and allow you to browse the file structure.

Figure 4-10 Click the hyperlink for the evidence device

If you desire to open two or more devices, blue-check the evidence and click Open.

Figure 4-11 Open Selected Evidence

To remove evidence, blue-check the device and click Remove Selected Evidence.

Figure 4-12 Remove Selected Evidence

NAVIGATING THE ENCASE EVIDENCE
When you load evidence, the Evidence tab will open a Tree-Table view for evidence browsing, as familiar to EnCase® software users. The Evidence browsing screen is divided into three sections:

- Tree Pane (left pane)
- Table Pane (right pane)
- View Pane (bottom pane)

The selections in the Tree Pane affect the Table Pane; the selections in the Table Pane affect the View Pane.

Figure 4-13 Browsing evidence

You can change the split of the screen with the Split Mode button and select the preferred viewing screen based on the investigation you are conducting.

Figure 4-14 Split Mode

- Table – Table in top pane and View in bottom pane (no Tree view)
- Tree-Table – Default view with Tree in left pane, Table in right pane, and View in bottom pane; this is the traditional EnCase® Entries view
- Traeble – Table in top pane and View in bottom pane, with the ability to browse the folder structure in the Name column
- Tree – Tree in left pane and View in right pane (no Table view)

Tree Pane / Evidence View
Within the Tree view you have a tree-structured view of the evidence. It presents each evidence file as a folder that contains additional folders. Only evidence files and the folders contained within them are displayed in this view. Individual files are displayed in the Table Pane (discussed later). The arrows can be used to expand and contract the tree structure just as they are used in Windows® Explorer.

Figure 4-15 Collapsing a folder structure

There are three methods used within EnCase v7 to focus on specific files or folders. These methods have different purposes:

- Highlighting a folder displays the entries within that folder in the Table Pane (this is used for viewing information only).

- The Set Included Folders method (sometimes called the “polygon” or “home plate”) displays all the entries, files, and folders for that folder and all subfolders in the Table Pane. It overrides the highlighting option. It is activated by clicking on the polygon next to the folder name in the tree of the Tree Pane in the Evidence > Viewing (Entry) view and in any other views displaying a similar folder structure. This is used for viewing information only. When a folder is included, the other folders are grayed out. All files and folders within the folder and subfolders are displayed in the Table Pane. To deactivate this function, click on the Set Include Option icon again or click twice on another include icon.

Figure 4-16 “Set including” a folder structure

- The blue-check or Select for future action method is used for designating files or folders on which to perform an analysis operation, such as a keyword search. This can be implemented from a variety of views. It is activated by clicking on the square next to the entry name in the tree in any view.

In the following example, several folders have been selected. These folders have a white background within the blue-checked square, indicating that all entries within the folder have been selected. A gray background within the blue-checked square indicates that not all entries within the folder have been selected. The Selected box above the Table Pane indicates how many entries have been selected. To deselect all entries, click within this Selected box to remove the blue-check and to remove blue-checks from elements of the Evidence > Viewing (Entry) view and the Table Pane.

Figure 4-17 Blue-checking entries and the Selected box

RIGHT-CLICK
Veteran users of previous versions of EnCase are trained to right-click on an object in the Tree Pane to bring up a context menu with many selection options. Also, there is a drop-down menu on the far right side of the menu bar.

Figure 4-18 The new drop-down menu in EnCase v7

ADDITIONAL VIEWS
Within the Tree Pane there are many views that can be accessed for different purposes. All of these views may be accessed through the tabs available above the Tree Pane or through the View menu. Any tab not displayed above the Tree Pane can be displayed by selecting it from the View menu.

Figure 4-19 View > Cases menu

Table Pane
By default the Table Pane is in the Table view. Within this view are the subfolders and files that are contained within the folder(s) highlighted or included (Set Included Folders) in the Tree Pane. Highlighting or including (Set Included Folders) a folder affects the display in the Table Pane as previously explained. The highlighting and Set Included Folders features are intended to view desired files and folders in the Table Pane. If one or more folders are designated with the include feature, the highlighting feature will not change the number of files/folders displayed in the Table Pane. This differs from the Selected box located to the right of the pointed box, which is intended to select with a blue-check the files and folders on which to perform certain operations, including but not limited to searching, copying, and exporting. With the Set Included Folders feature activated, the select operation will not alter the number of files/folders displayed in the Table Pane.

The Table view in the Table Pane displays many columns of information about the displayed entries:

- Name identifies the file/folder/volume, etc., in the evidence file.
- Tag displays the tag(s) placed by you on an entry.
- File Ext displays the entry’s extension, which initially determines whether this entry is displayed in the Gallery view.
- Logical Size specifies the file size as the operating system addresses the file.
- Item Type identifies the type of evidence, such as Entry (file or folder), Email, Record, or Document.
- Category indicates the category of the file from the File Type table.
- File Type (formerly Signature) displays the signature result as a Match or an Alias (renamed extension).
- Signature Analysis displays the results of a file signature analysis.
- File Types Tag displays the Unique Tag (from the File Types table) for the entry after a file signature analysis (this column can be activated from the Show Columns drop-down menu). This column was formerly called the “Signature Tag.”
- Last Accessed displays the last accessed date/time. This typically reflects the last time the operating system or any compliant application touched the file (such as viewing, dragging, or right-clicking). Entries on FAT volumes do not have a last-accessed time.
- File Created typically reflects the date/time the file/folder was created at that location. A notable exception to this is the extraction of files/folders from a ZIP archive. Those objects will carry the created date/time as they existed when the objects were placed in the archive.
- Last Written reflects the date/time the file was last opened, edited, and then saved. This corresponds to the Modified time in Windows with which users are familiar.
- Is Picture displays True if the file is an image. NOTE: The display depends on how the Show True/False options were set in the Tools > Options > Global menu.
- Code Page displays the character encoding table upon which the file is based.
- MD5 displays a 128-bit value for a file entry generated by a hash analysis process.
- SHA1 displays the SHA-1 hash value for a file entry generated by a hash analysis process.
- Item Path identifies the location of the file within the evidence file, including the evidence file name and a volume identifier.
- Description describes the condition of the entry – whether it is a file or folder, deleted, or deleted/overwritten.
- Protected indicates if the file is identified as an encrypted or password-protected file during the Evidence Processing.
- Protection Complexity provides details on the file’s protection.
- Is Deleted displays True if the entry is in a deleted state; blank if it is not.
- Entry Modified indicates when the administrative data for the file was last altered, for NTFS and Linux.
- File Deleted displays the deleted date/time if the file is documented in the Recycle Bin’s Info2 file.
- File Acquired identifies the date/time the evidence file in which this entry resides was acquired.
- Initialized Size indicates the size of the file when it is opened; applies only to NTFS file systems.
- Physical Size specifies the size of the storage areas allocated to the file.
- Starting Extent identifies the starting cluster of the entry.
- File Extents displays the cluster fragments allocated to the file. Click within this column for an entry and then click on the Details tab in the View Pane to see the cluster fragments.
- Permissions shows security settings of a file or folder in the View Pane.
- Physical Location displays the number of bytes into the device at which the data for an entry begins.
- Physical Sector lists the sector number into the device at which the data for an entry begins.
- Evidence File displays where the entry resides.
- File Identifier displays an index number for a Master File Table (NTFS) or an Inode Table (Linux/UNIX).
- GUID indicates the Global Unique Identifier for the entry, to enable tracking throughout the examination process.
- Hash Sets displays if a file belongs to one or more hash sets, generated by including hash sets in a hash library in a hash analysis process.
- Short Name displays the name Windows gives the entry, using the DOS 8.3 naming convention.
- VFS Name is used to display the name for files mounted with the EnCase® Virtual File System (VFS) module in Windows Explorer. This replaces the Unique Name column in previous versions of EnCase.
- Original Path displays information derived from data in the Recycle Bin. For files within the Recycle Bin, this column shows where they originated when they were deleted. For deleted/overwritten files, this column shows the file that has overwritten the original.
- Symbolic Link displays data pertaining to the equivalent of a Windows Shortcut in Linux and UNIX.
- Is Duplicate displays True (Yes) if the displayed file is a duplicate of another.
- Is Internal indicates whether the file is an internal system file, such as the $MFT on an NTFS volume.
- Is Overwritten indicates if the first or more clusters of an entry have been overwritten by a subsequent object.

You can use the Show Columns drop-down menu and its dialog box to hide or show columns in your Table Pane.

Figure 4-20 Show Columns

ORGANIZING COLUMNS
Table columns may be rearranged in any order just as is done in Microsoft® Excel. Click and hold down on the column heading then drag and drop it into its new location. Columns may be sorted by up to five layers deep. To sort by a particular column, double-click on the column heading. To institute a sub-sort, hold down the Shift key and double-click on the column heading. Columns may be locked on the left side of the Table view so that when you scroll to the right of the Table view, the initial columns are still visible. To lock a column, right-click on the column heading, select Columns, and select Set Lock. The lock is instituted on the position of the column. If other columns are moved into that position, they are locked. To release the lock, right-click on the column, select Columns, and then Unlock.

OTHER TABLE PANE VIEWS
Gallery
The Gallery view displays images in a thumbnail view. These images are displayed (by default) based on their extension. The Signature Analysis function enables files to be analyzed to see if they were renamed to disguise their existence on the media. To reduce or increase the number of images displayed at any one time, right-click in the Gallery and select Fewer/More Columns/Rows.

Figure 4-21 Gallery view

BOOKMARKING IN EVIDENCE VIEW
While browsing or following a lead in the Evidence view, should you find evidence you wish to bookmark for inclusion in your final report, blue-check the entry (entries). Use the Bookmark menu to select Single item… (Ctrl-B) or Selected items… (Ctrl-Shift-B) as appropriate.

Figure 4-22 Bookmarking selected items

Place the evidence bookmarks in the appropriate folder of your case report template, or create a new folder. NOTE: If you bookmark several files (Ctrl+Shift+B), you are not able to add a Bookmark comment. If you wish to add a comment to an individual file, bookmark that Single File (Ctrl+B).

Figure 4-23 Bookmarking selected images

TIMELINE VIEW
The Timeline view shows patterns of different types of dates and times. You can zoom in (higher resolution) to a second-by-second timeline and zoom out (lower resolution) to a year-by-year timeline.

Figure 4-24 Timeline view

DISK VIEW
The Disk view allows viewing of files and folders in terms of where the data appeared on the media. Placement of clusters and/or sectors and fragmentation of files may be observed.

Figure 4-25 Select “Disk View…”

EnCase v7 has a new Auto Extents option in Disk view. When you select a sector, it auto-highlights all of the extents that make up the file. This is different behavior from EnCase v6 (where you had to double-click on the sector), and currently you can turn it off with the checkbox. Click on the Evidence tab to return to browsing entries.

Figure 4-26 Auto Extents – Disk View

VIEW PANE
The View Pane displays the contents of the item highlighted in the Table Pane. The View Pane has default settings that should be understood. Initially the View Pane defaults to the Fields view. You can undock the View Pane for dual monitors.

Figure 4-27 Undock the View Pane

To return the View Pane to the main EnCase v7 interface, close the View Pane.

Figure 4-28 Close the undocked View Pane

Fields
The Fields tab provides you with a table of the metadata (data about the file) for the entry. In EnCase v7, all of the fields can be searched in an Index query.

Figure 4-29 DOCX file in the View Pane – Fields tab

Text
The following screenshot displays a document file in Text view.

Figure 4-30 Document file in the View Pane – Text tab

Although the text is readable, its format can be improved by altering the text style from the Text Styles menu in the View Pane.

Figure 4-31 Changing text style for View Pane

By default, EnCase v7 includes two Unicode and two ASCII code pages:

- Unicode - Fit to page
- Unicode - Line breaks at 120 characters
- ASCII (Western European) - Fit to page
- ASCII (Western European) - Line breaks at 120 characters

Click New to create a new text style. Give it a name, such as “German – Line Breaks,” and then select Line Wrap or Line Breaks. The changes will be displayed immediately in the View Pane. Click on the Code Page tab to select the code page.

Figure 4-32 Creating a new text style

Click OK to save the new text style.

Figure 4-33 Selecting the code page

Click OK to have the new code page available.

Figure 4-34 New text style

The new text style is now applied to the Text tab in the View Pane.

Figure 4-35 Text tab in View Pane

Doc
Here is the same document file displayed in Doc view where it is converted to appear as in the authoring application, Microsoft® Word.

Figure 4-36 DOC file in the View Pane – Doc tab

Transcript
The Transcript tab displays the extracted text from the file. This is the searchable text when conducting a Transcript search with the Index, for example on Microsoft® 2007 and 2010 files, including .docx, .xlsx, and .pptx.

Figure 4-37 DOCX file in the View Pane – Transcript tab

Permissions
The Permissions tab displays the security permissions for a file, including the name and security identification number (SID) of the user(s) who have permission to read, write, and execute a file.

Figure 4-38 DOCX file in the View Pane – Permissions tab

Picture
EnCase checks the contents of the file highlighted in the Table Pane to see if it is an image that can be decoded internally. If so, EnCase will provide the ability for you to select the Picture view in the View Pane and display the image.

Figure 4-39 Picture view in View Pane

If numerous files highlighted in the Table Pane are images, EnCase v7 will default to the Picture view for subsequent images. If a Microsoft Word document is then highlighted, EnCase v7 will change the default view in the View Pane to Text. If you wish to have every highlighted item displayed in Hex or Text view, you need only click on the square beside Lock to lock that view. To unlock the view, remove the blue-check from the box.

Hex
The following screenshot displays the same picture viewed in hexadecimal.

Figure 4-40 Viewing a picture in the View Pane as Hex

STATUS BAR
It is important to be aware of your current positioning within the case, especially when documenting the location of evidence found in unallocated space. The status bar found at the bottom of the screen will provide that information.

Figure 4-41 Location of status bar

The abbreviations represent:

- PS – Physical sector number
- LS – Logical sector number
- CL – Cluster number
- SO – Sector offset – the distance in bytes from the beginning of the sector
- FO – File offset – the distance in bytes from the beginning of the file
- LE – Length – the number of bytes in the selected area

The status bar also shows the full path of the item highlighted. If a deleted/overwritten file is highlighted, it indicates the overwriting file. Full-path information is available on all tabs that have the Item Path column (Entries, Records, Search Results, and Bookmarks, as examples). The sector information is available on the Entries and Disk views.
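Because these six values are what you will copy into your notes when documenting a hit, it helps to see how they relate to each other. The following is an added Python example (not EnCase or Guidance Software code) that derives PS, LS, CL, SO, FO and LE for a selection inside a fragmented file from the file's extents and the volume geometry, and reverses the mapping for a hit in unallocated space where only a physical sector is known. The sector size, the volume start sector, the cluster size and the extents are constructed; the cluster numbering assumes the NTFS convention that cluster 0 begins at logical sector 0 of the volume.

```python
"""Computing the EnCase status-bar values (PS, LS, CL, SO, FO, LE) for a
selection inside a file. Added example, not EnCase code. The volume geometry
and the file's extents are constructed; cluster numbering assumes the NTFS
convention that cluster 0 starts at logical sector 0 of the volume."""

SECTOR_BYTES = 512  # constructed: 512-byte sectors


def locate_file_offset(file_offset, length, extents, volume_start_ps, sectors_per_cluster):
    """Map an offset inside a file to its on-disk position.

    extents: list of (starting_cluster, cluster_count) in logical file order,
             the same fragments the File Extents column / Details tab shows.
    Returns a dict keyed exactly like the status-bar abbreviations.
    """
    cluster_bytes = sectors_per_cluster * SECTOR_BYTES
    remaining = file_offset
    for start_cluster, count in extents:
        extent_bytes = count * cluster_bytes
        if remaining < extent_bytes:
            cl = start_cluster + remaining // cluster_bytes
            ls = cl * sectors_per_cluster + (remaining % cluster_bytes) // SECTOR_BYTES
            return {
                "PS": volume_start_ps + ls,      # physical sector on the device
                "LS": ls,                        # logical sector within the volume
                "CL": cl,                        # cluster number
                "SO": remaining % SECTOR_BYTES,  # byte offset within that sector
                "FO": file_offset,               # byte offset within the file
                "LE": length,                    # length of the selection in bytes
            }
        remaining -= extent_bytes
    raise ValueError("file offset %d lies beyond the allocated extents" % file_offset)


def locate_physical_sector(ps, volume_start_ps, sectors_per_cluster):
    """Reverse mapping for a hit in unallocated space: physical sector -> LS and CL.
    There is no file, so FO is undefined and only the sector-level values apply."""
    if ps < volume_start_ps:
        raise ValueError("sector %d precedes the volume" % ps)
    ls = ps - volume_start_ps
    return {"PS": ps, "LS": ls, "CL": ls // sectors_per_cluster}


if __name__ == "__main__":
    # constructed: volume starts at physical sector 63, 8 sectors per cluster,
    # file stored in two fragments: clusters 1000-1001 and cluster 5000
    extents = [(1000, 2), (5000, 1)]
    print(locate_file_offset(9000, 4, extents, 63, 8))
    print(locate_physical_sector(40064, 63, 8))
```

Note that a file offset just past the first fragment (8192 bytes here) jumps to cluster 5000 rather than 1002; that discontinuity is exactly what Disk view's Auto Extents highlighting makes visible, and why recording PS rather than only FO matters when the evidence is in unallocated space.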

Lesson 5 Processing Evidence Files

EVIDENCE PROCESSOR
After adding evidence to a case and confirming that the data is valid and browsable, the first task you undertake is to run the EnCase® Evidence Processor. The Evidence Processor lets you run, in a single automated session, a collection of powerful analytic tools against your case data. Since you can run the Evidence Processor unattended, you can work on other aspects of the case while this tool is processing data. After completion, the case data will be processed and ready for you to begin the important analytic and reporting phases of your investigation. Evidence Processor functions fall into two categories:

- Preparation
- Processing

Before using the Evidence Processor:

- There must be evidence in your case to process
- If you are previewing a device, you must acquire that device prior to processing or as part of the processing
- You should confirm that time zone settings for the evidence are configured properly

NOTE: EnCase® v7 will utilize the time zone setting of your examiner workstation if no time zone is set for the evidence.

DETERMINE THE TIME ZONE SETTING

Before running the core tasks of the EnCase Evidence Processor, you should confirm the time zone setting of the device. This information is found in the SYSTEM registry hive for Windows 2000, XP, Vista, and 7. The SYSTEM hive is located in C:\Windows\System32\Config.

Figure 5-1 SYSTEM hive

To view the data in the SYSTEM hive, use the View File Structure feature in EnCase v7. With the SYSTEM hive selected in the Table Pane, right-click on the file or use the Entries drop-down menu. Select Entries > View File Structure.

Figure 5-2 View File Structure


EnCase v7 will read the header of the file to detect if it can be processed. You have the option to calculate the unallocated space of the compound file and find deleted content. Click OK to begin the parsing process.

Figure 5-3 View File Structure – Continue parsing

EnCase v7 will scan and parse the registry file and then build a cache file. This allows the file structure of the registry to be written to disk rather than stored in RAM as in previous versions of EnCase.

Figure 5-4 Creating cache file for the registry hive


When the parsing is completed, a plus icon (+) will appear and the file name will become a hyperlink, indicating it is a processed compound file. Double-click on the file to open the file cache for examination.

Figure 5-5 Double-click on hyperlinked file name

The time zone setting is stored at: HKEY_LOCAL_MACHINE\System\ControlSet001\Control\TimeZoneInformation\TimeZoneKeyName

Browse the registry file to that location to find the text string holding the time zone name. On the TDurden evidence, it is set to Pacific Standard Time.

Figure 5-6 Time zone information in registry


Check to confirm that DynamicDaylightTimeDisabled is off, indicated by the hex value 00 00 00 00. This means daylight saving time is indeed utilized on this device.

Figure 5-7 Daylight Savings

Use the back button to return to the main Evidence tab.

Figure 5-8 Back to Evidence tab


CONFIGURING TIME ZONE SETTINGS
To configure time zone settings:
1. Go to the main Evidence tab
   A list of your devices displays in the Table Pane

Figure 5-9 Back to the main Evidence tab

2. Right-click on the TDurden evidence file
3. Right-click on Device in the context drop-down menu
4. Click Modify time zone settings...
   The Case Time Settings dialog appears


5. To account for daylight saving time, select the Pacific Time (US & Canada) time zone, and click OK

NOTE: The daylight saving time start-and-end dates changed in 2007. You have the ability to choose which version to apply.

Figure 5-10 Changing the time zone setting
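Why the dialog offers two versions of the rule, shown as an added example (not EnCase code): a pure-Python conversion of UTC timestamps to Pacific local time under the pre-2007 and 2007-onward US daylight saving rules. It assumes constructed UTC timestamps and the published US transition dates; the function and rule-set names are this example's own.

```python
from datetime import date, datetime, timedelta, timezone

# Pacific Time offsets (the TDurden registry hive reports Pacific Standard Time)
PST = timezone(timedelta(hours=-8), "PST")
PDT = timezone(timedelta(hours=-7), "PDT")


def utc(year, month, day, hour=0):
    """Constructed UTC timestamp helper (NTFS stores its timestamps in UTC)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month (Python weekday(): Monday=0 ... Sunday=6)."""
    first = date(year, month, 1)
    first_sunday = 1 + (6 - first.weekday()) % 7
    return date(year, month, first_sunday + 7 * (n - 1))


def last_sunday(year, month):
    """Date of the last Sunday of a month."""
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    last = first_of_next - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - 6) % 7)


def dst_window_utc(year, rules):
    """UTC instants at which US daylight saving time starts and ends in `year`.

    "pre2007":  first Sunday in April to last Sunday in October (the 1987-2006 rule)
    "post2007": second Sunday in March to first Sunday in November (2007 onward)
    """
    if rules == "pre2007":
        start_day, end_day = nth_sunday(year, 4, 1), last_sunday(year, 10)
    elif rules == "post2007":
        start_day, end_day = nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    else:
        raise ValueError(f"unknown rule set: {rules}")
    midnight = datetime.min.time()
    # DST begins at 02:00 PST (10:00 UTC) and ends at 02:00 PDT (09:00 UTC)
    start = datetime.combine(start_day, midnight, timezone.utc) + timedelta(hours=10)
    end = datetime.combine(end_day, midnight, timezone.utc) + timedelta(hours=9)
    return start, end


def to_pacific(utc_dt, rules=None):
    """Convert an aware UTC datetime to Pacific local time.

    rules=None picks the rule set that was in force in the timestamp's own year;
    passing "pre2007" or "post2007" forces one, like the dialog's version choice.
    Returns (local datetime, is_dst).
    """
    if rules is None:
        rules = "post2007" if utc_dt.year >= 2007 else "pre2007"
    start, end = dst_window_utc(utc_dt.year, rules)
    is_dst = start <= utc_dt < end
    return utc_dt.astimezone(PDT if is_dst else PST), is_dst


if __name__ == "__main__":
    # 20 March is standard time under the old rule but daylight time under the
    # 2007 rule, so the chosen version shifts the local time by an hour.
    for stamp in (utc(2006, 3, 20, 12), utc(2008, 3, 20, 12)):
        for rules in (None, "pre2007", "post2007"):
            local, dst = to_pacific(stamp, rules)
            print(f"{stamp.isoformat()}  rules={rules or 'auto':<8} -> "
                  f"{local.isoformat()}  dst={dst}")
```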


PREPARING THE EVIDENCE TO PROCESS
Now that you have the evidence added and the time zone set, you can process the evidence. As a reminder, once you have added evidence to your case, you must:
• Acquire the evidence (if not already acquired).
• Select the evidence that you intend to run through the Evidence Processor.
• You can add options in the Evidence Processor as you continue an investigation. For example, you may want to run certain options in the beginning, such as file signature and hash analysis, then later add other options, such as parsing compound files. You can select additional options on subsequent Evidence Processor runs; however, you cannot remove previously run options.
• You need to run certain options at a particular time. For example, you must run Recover Folders in the initial processing step. Options you must run in a specific step are marked with a flag icon. An option with a lock icon indicates settings for that option cannot be changed.
• You can run modules over and over again with different settings each time. The results of each run are added to the case.
• You cannot process previously processed and unprocessed evidence together. Also, previously processed evidence must be processed with the same options in order for it to be processed together. All evidence processed at one time must use the same settings.

To acquire and/or run select evidence through the Evidence Processor in a single operation, select Process Evidence… from the Add Evidence menu.

Figure 5-11 Process Evidence…


It will take a few moments to initialize the Evidence Processor and you will see the status in the bottom right corner. You can run the Evidence Processor using a template with saved or preconfigured settings or you can select the analytic tools to enable and customize their settings prior to running it. If additional evidence becomes available at a later date, you can always rerun the same options on that data. The Evidence Name pane contains checkboxes for acquiring and processing evidence. Note that you must acquire previewed evidence before you can process it. Initially, the checkboxes in the Evidence Name pane are cleared. Check the boxes for the evidence you want to acquire and/or process. If you have already acquired an item of evidence named in the list, you do not need to check the Acquire box for that item. In the following example, we acquire devices “1” and “RAM” by checking their boxes under Acquire and set them up for processing by checking their boxes under Process.

Figure 5-12 Example of acquiring and processing evidence


MANAGING EVIDENCE PROCESSOR SETTINGS
The lower left pane of the Evidence Processor dialog contains a table with the following elements:
• A toolbar
• A list of the Evidence Processor tasks
• A checkbox that allows you to enable (or disable) each task

Use this pane to choose the processor settings to run and to configure their settings.

USING THE PROCESSOR SETTINGS TOOLBAR
File and edit settings for the Evidence Processor selections pane are located in its toolbar.

Figure 5-13 Evidence Processor toolbar

Setting – Description
Split Mode – Change the display format of the options pane
Save Settings – Save the current selection of settings as an Evidence Processor template
Load Settings – Load a saved template to run against the current data
Edit – Edit the options for a selected task in the window
Drop-down side menu – Allows you to perform actions, such as printing the results and changing the layout of the Evidence Processor panels


Click the Process check box for the TDurden evidence file to enable the Evidence Processor Task list.

Figure 5-14 Enable the Evidence Processor

A major benefit of the Evidence Processor is that its settings do not require your interaction during operation. Functions with the lock cannot be changed or disabled. Functions with the red flag cannot be run at a future time on the evidence if they are not selected initially. The following evidence processing functions are available:
• Recover folders – Recover files that have been deleted or corrupted on FAT and NTFS volumes
• File signature analysis – Determine if the extension of a file has been altered and whether or not the extension matches the file type as specified by the file’s header
• Protected file analysis – Identify encrypted and password-protected files with the Passware Encryption Analyzer


• Thumbnail creation – Creates image thumbnails for faster display in the EnCase® GUI
• Hash analysis – Generate MD5 and/or SHA1 hash values for files and compare against your case Hash Library
• Expand compound files – Expand compound and compressed files, such as ZIP, RAR, GZ, and Windows registry archives
• Find email – Extract individual messages from e-mail archive files, such as PST (Microsoft® Outlook), NSF (Lotus® Notes), DBX (Microsoft® Outlook Express), EDB (Microsoft® Exchange), AOL, and MBOX.
• Find internet artifacts – Collect Internet-related artifacts, such as browser histories and cached web pages. You also have the option to search unallocated space for the Internet artifacts.
• Search for keywords – Search raw (not transcript) text for specific keywords.
• Index text and metadata – Create an index for when you need to search for keywords in compound files (Microsoft Office 2007 and 2010) and across large amounts of data. You can adjust the parameters for index creation, such as the minimum word length to index and whether to use a noise file (which does not index specific and common words).

The Evidence Processor contains numerous useful features:
• The simultaneous processing of multiple devices
• The convenience of acquiring devices right from the Evidence Processor
• Saving sets of Evidence Processor options as templates to be run with little or no modification at a later date
• The ability to be run from the command line
• On-screen instructions that guide you through the use of each setting
• Automatic processing of the results from any EnScript modules according to the current processor settings (Index, Keyword search, etc.)


EVIDENCE PROCESSING TASKS
Use the Evidence Processor pane to select the processing tasks to configure and run. To select an option, click its Enable checkbox:
• If a task name is listed in a blue font, click on its task name to configure it
• If a task name is listed in a black font, no further configuration is necessary

Figure 5-15 Evidence Processor tasks

RECOVER FOLDERS
Running the Recover Folders task on FAT partitions will search through the unallocated clusters of a specific FAT partition for the “dot, double-dot” signature of a deleted folder. When the signature matches, EnCase v7 can rebuild files and folders that were within the deleted folder. This task can recover NTFS files and folders from unallocated clusters and continue to parse through the current Master File Table (MFT) records for files without parent folders. This operation is particularly useful when a drive has been reformatted or the MFT is corrupted. Recovered files are placed in the gray Recovered Folders virtual folder in the root of the NTFS partition.


FILE SIGNATURE ANALYSIS
A common technique used to hide data and disguise the true nature of a file is to rename the file and change its extension; for example, renaming an image file with a .jpg extension to a file with a .dll extension, which is not associated with a graphics file. This process determines whether the extension of a file has been modified and whether it matches the type of file that is specified by the file’s header bytes. The process is not user-configurable and is always enabled because it is necessary to support other operations within EnCase v7.
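An added example (not EnCase’s own signature table or code) of the check this task performs: compare each entry’s leading bytes against a small constructed table of known signatures and flag entries whose extension does not belong to the detected type. The status labels, the table and the sample entries are this example’s own constructions.

```python
import os

# Constructed signature table: magic bytes at offset 0 and the extensions that
# legitimately carry them. A production signature table is far larger.
SIGNATURES = {
    "JPEG image":        (b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    "PNG image":         (b"\x89PNG\r\n\x1a\n", {"png"}),
    "GIF image":         (b"GIF8", {"gif"}),
    "Windows PE binary": (b"MZ", {"exe", "dll", "sys", "scr"}),
    "ZIP archive":       (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    "PDF document":      (b"%PDF-", {"pdf"}),
}


def identify_header(data):
    """Return (type name, allowed extensions) for the magic bytes opening data, or None."""
    for name, (magic, exts) in SIGNATURES.items():
        if data.startswith(magic):
            return name, exts
    return None


def signature_status(filename, data):
    """Classify one entry the way a signature analysis pass does.

    Labels are this example's own: "match" (header and extension agree),
    "mismatch" (known header but a foreign or missing extension, i.e. a renamed
    file) and "unknown" (no signature in the table, so the extension is untested).
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    found = identify_header(data)
    if found is None:
        return "unknown", None
    name, exts = found
    return ("match" if ext in exts else "mismatch"), name


def find_renamed_files(entries):
    """Return [(filename, real type)] for entries whose extension hides the real type."""
    renamed = []
    for filename, data in entries:
        status, real_type = signature_status(filename, data)
        if status == "mismatch":
            renamed.append((filename, real_type))
    return renamed


# Constructed sample entries; drivers.dll is the page's scenario, a JPEG renamed to .dll
SAMPLE_ENTRIES = [
    ("holiday.jpg",  b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 16),
    ("kernel32.dll", b"MZ\x90\x00\x03\x00" + b"\x00" * 16),
    ("drivers.dll",  b"\xFF\xD8\xFF\xE1\x12\x34Exif\x00" + b"\x00" * 16),
    ("report.docx",  b"PK\x03\x04\x14\x00" + b"\x00" * 16),
    ("notes",        b"just some text\n"),
]

if __name__ == "__main__":
    for filename, data in SAMPLE_ENTRIES:
        print(f"{filename:<14} {signature_status(filename, data)}")
    print("renamed:", find_renamed_files(SAMPLE_ENTRIES))
```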

PROTECTED FILE ANALYSIS
Encrypted and password-protected files are frequently good ways to hide data. The Evidence Processor’s protected file analysis process uses the Passware Encryption Analyzer (http://www.lostpassword.com/encryption-analyzer.htm) to identify these types of files and information about the application used to protect them. Starting with Passware 11.7, you can export the index and known passwords as a dictionary used for decrypting protected files. Using this feature requires a valid installation of the Passware Kit.

THUMBNAIL CREATION
By default, the Evidence Processor generates thumbnails for all image files and stores them as part of the cache. Because thumbnails are smaller and load faster, generating thumbnails significantly improves the speed with which you can work with pictures in EnCase v7.

HASH ANALYSIS
A hash is a digital fingerprint of a file or collection of data, commonly represented as a string of binary data written in hexadecimal notation. In EnCase v7, it is the result of a hash function run against any mounted drive, partition, file, or chunk of data. The most common uses for hashes are to:
• Identify when a chunk of data changes, which frequently indicates evidence tampering
• Verify that data has not changed, in which case the hash should be the same both before and after the verification
• Compare a hash value against a library of known good and bad hashes, seeking a match

The Evidence Processor’s hash analysis setting allows you to create MD5 and SHA-1 hash values for files, so that you can later use them for the reasons specified previously. When you click the Hash Analysis hyperlinked name, the Edit Settings dialog appears, allowing you to check whether to run either or both of these hashing algorithms.

EXPAND COMPOUND FILES
Use this setting to expand archive files, including .zip and .rar files, and/or registry archives. For archive files, EnCase v7 will extract the compressed or archived files and process them, according to the other Evidence Processor settings that you have chosen. This includes nested archive files or zip files within a zip file.

FIND E-MAIL
Select this setting to extract individual messages from e-mail archives. To select the e-mail archive types to search for messages:
1. Click Find Email
2. Click the e-mail archive file types whose messages you want to examine and click OK
3. Check the Search for Additional Lost or Deleted Items box for a search for deleted e-mails

After processing is completed, EnCase v7 can analyze the component files extracted from the archives, according to the other Evidence Processor settings you selected.

Thread E-mail
By default, the Evidence Processor performs a thread analysis on e-mail messages that it processes. Once your evidence has been processed, you can track the different e-mail threads and communication patterns among senders and receivers of the messages with the Show conversation and Show related messages e-mail features.

FIND INTERNET ARTIFACTS
Choose this Evidence Processor setting to find Internet-related artifacts, such as browser histories and cached web pages. You can also use this setting to search for Internet artifacts of various types within unallocated space.


SEARCH FOR KEYWORDS
Use this option to run a raw keyword search during the processing. Once you enable Search for Keywords by checking its box, the keyword list for the current case is displayed in the right panel.

NOTE: For faster results, it is recommended that the Raw Keyword search function outside the Evidence Processor be used. However, the search function is provided here to allow more automated processing before analysis.

Figure 5-16 Raw text search with keywords

To edit the keyword settings, click Search for keywords. The Edit keyword list dialog appears.

Figure 5-17 Edit keywords dialog

In the dialog, use the checkboxes and toolbar items to:
• Add a keywords list to a file
• Add new keywords
• Edit keywords
• Delete keywords
• Specify where and how to search
• Change the layout of the keyword table


New Keyword
To add a new keyword, click New in the Edit keyword dialog. The New Keyword dialog appears.

Figure 5-18 New Keyword dialog

1. Search Expression – Enter your search expression in this box. It may be a simple keyword, phrase, or a GREP expression.
2. Code Page – If you intend to search for keywords using a different character set, you may need to change the code page. In that case, click the Code Page tab, scroll through the list, and check the code page Name you want.
3. Name – Although not required, you may enter a descriptive name that will help you remember what the search expression is intended to search for. This is very useful with GREP search expressions and foreign language searches.
4. Case Sensitive – EnCase v7 will locate the keyword regardless of the individual characters’ case unless this box is checked. If checked, EnCase v7 will only locate the keyword if the case sensitivity is the same as the search expression entered.
5. GREP – The GREP option must be selected when utilizing GREP search characters. GREP is used to narrow the search, limit false-positive search hits, and in those cases where only certain portions of the keyword being sought are known.


6. ANSI Latin 1 – This default option will search for characters contained within the ANSI Latin-1 code page, which is the default code page for the Microsoft Windows operating system. In earlier versions of EnCase® software, this option was called “Active Code Page.” Since the active code page varied according to the active code page enabled on your computer, this option was replaced by ANSI Latin-1 to ensure consistent results.
7. Unicode – Unicode was developed in direct response to foreign language character sets. Most MS Office products use Unicode, as do Windows 2000, XP, Vista, and 7. Enabling both the ANSI Latin-1 and Unicode options will locate both ASCII and Unicode characters. However, selecting the Unicode option alone (without the ANSI Latin-1 option or an appropriate code page selected) will find data stored in Unicode only. For more details on Unicode, please see http://www.unicode.org.

Figure 5-19 Example of plain text

Figure 5-20 Example of Unicode

8. Unicode Big-Endian – Non-Intel based data formatting scheme that stores multiple-byte numerical values with the most significant byte first, which is the reverse of little-endian.
9. UTF-8 – UTF stands for Universal Character Set Transformation Format. Applications have several options for how they encode Unicode. The most common encoding is UTF-8, which is the 8-bit form of Unicode. This option offers foreign language support.
10. UTF-7 – UTF-7 is a special format that encodes Unicode characters within US-ASCII in a way that all mail systems can accommodate.
11. Whole Word – EnCase v7 will locate the keyword as a whole word, not within a larger word (i.e., Chris not Christopher)

When finished, click OK to save the keyword in your case.
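An added example (not EnCase’s own code) covering options 6 through 11 of the New Keyword dialog: it builds the byte pattern a raw search needs for each enabled encoding and finds the patterns in a constructed buffer, honouring the Case Sensitive and Whole Word options. The function names, the cp1252 stand-in for ANSI Latin-1 and the sample bytes are this example’s own.

```python
import re

WORD_CHAR = rb"[A-Za-z0-9]"


def keyword_patterns(keyword, ansi=True, unicode=True, big_endian=False,
                     utf8=False, utf7=False, code_page=None):
    """Byte patterns a raw search must look for, one per enabled encoding option.

    "ANSI Latin-1" is encoded here as Windows code page 1252, the default Windows
    ANSI code page; "Unicode" is UTF-16 little-endian, as Windows stores it.
    """
    patterns = {}
    if ansi:
        patterns["ANSI Latin-1"] = keyword.encode("cp1252")
    if unicode:
        patterns["Unicode"] = keyword.encode("utf-16-le")
    if big_endian:
        patterns["Unicode Big-Endian"] = keyword.encode("utf-16-be")
    if utf8:
        patterns["UTF-8"] = keyword.encode("utf-8")
    if utf7:
        patterns["UTF-7"] = keyword.encode("utf-7")
    if code_page:
        patterns[f"code page {code_page}"] = keyword.encode(code_page)
    return patterns


def _whole_word(label, escaped):
    """Wrap an escaped pattern so it only matches when not inside a larger word.

    For UTF-16 the neighbouring characters are two bytes wide, so the boundary
    check looks for a letter or digit plus its NUL byte in the right byte order.
    """
    if label == "Unicode":
        neighbour = WORD_CHAR + rb"\x00"
    elif label == "Unicode Big-Endian":
        neighbour = rb"\x00" + WORD_CHAR
    else:
        neighbour = WORD_CHAR
    return rb"(?<!" + neighbour + rb")" + escaped + rb"(?!" + neighbour + rb")"


def raw_search(buffer, keyword, case_sensitive=False, whole_word=False, **encodings):
    """Search raw bytes for keyword in every enabled encoding.

    Returns a list of (offset, encoding label) sorted by offset. Case folding is
    byte-wise ASCII only, so non-ASCII letters such as ä are matched exactly.
    """
    hits = []
    for label, pattern in keyword_patterns(keyword, **encodings).items():
        regex = re.escape(pattern)
        if whole_word:
            regex = _whole_word(label, regex)
        # UTF-7's base64 run is case-significant, so never fold case for it
        flags = 0 if case_sensitive or label == "UTF-7" else re.IGNORECASE
        hits += [(m.start(), label) for m in re.finditer(regex, buffer, flags)]
    return sorted(hits)


# Constructed raw data: ANSI text, then a UTF-16LE string, then a UTF-7 string
# as a mail system would carry it, then the same word in code page 1252.
SAMPLE = (b"Christopher emailed chris about the invoice.\x00\x00"
          + "Chris".encode("utf-16-le") + b"\x00\x00"
          + "Fälschung".encode("utf-7") + b"\n"
          + "Fälschung".encode("cp1252"))

if __name__ == "__main__":
    print(raw_search(SAMPLE, "Chris"))                      # Christopher, chris, UTF-16 Chris
    print(raw_search(SAMPLE, "Chris", whole_word=True))     # Christopher excluded
    print(raw_search(SAMPLE, "Fälschung", unicode=False, utf7=True))
```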


Other Keyword Search Options
• Search entry slack – This option tells EnCase v7 to search the slack area, which exists between the end of the logical data and the end of the physical file, for all items searched.
• Use initialized size – This option tells EnCase v7 to search only the initialized size of an entry as opposed to the logical or physical size. When a file is opened on the NTFS file system, if the initialized size is smaller than the logical size, the space after the initialized size is zeroed out. Searching the initialized size searches only data a user would see within a file.
• Undelete entries before searching – This option will logically “undelete” deleted files prior to searching. If a file is deleted, EnCase v7 and other tools can determine if the assigned starting cluster is not currently assigned to another file (if it is assigned, then the file is deemed deleted/overwritten). The unallocated clusters after the starting cluster may or may not belong to the deleted file. Choosing this option assumes that the unallocated clusters after the starting cluster do belong to the deleted file. This is the same assumption made when copying out a deleted file. Choosing this option will find a keyword fragmented between the starting cluster and the subsequent unallocated cluster. If determining the presence of a keyword on the media is critical to an investigation, you should also search for portions of the keyword, including utilizing GREP search expressions for fragments of the keyword.
• Search only slack area of entries in Hash Library – This option is used in conjunction with a hash analysis. If a file is identified from the hash library, then it will not be searched. However, the slack area behind the file (as described previously) will be searched. If this option is turned off, EnCase v7 will ignore the hash analysis.

Figure 5-21 Search options
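An added example (not EnCase’s own code) applying Search entry slack, Use initialized size and Search only slack area of entries in Hash Library to one constructed NTFS-style entry, so the three scope rules can be compared on the same bytes. The tiny 64-byte cluster size, the Entry class, the sample bytes and the runtime-built hash library are this example’s own.

```python
import hashlib
from dataclasses import dataclass

CLUSTER_SIZE = 64   # constructed, tiny so the whole entry fits on screen


@dataclass
class Entry:
    """One file-system entry as a raw search sees it.

    raw holds every byte of the clusters allocated to the entry: the logical
    data, any tail past the NTFS initialized size, and the slack up to the end
    of the last cluster.
    """
    name: str
    raw: bytes
    logical_size: int
    initialized_size: int

    @property
    def physical_size(self):
        return len(self.raw)

    def md5(self):
        # Hash analysis hashes the logical file, never the slack
        return hashlib.md5(self.raw[:self.logical_size]).hexdigest()


def find_all(haystack, needle):
    """Offsets of every occurrence of needle in haystack."""
    offsets, i = [], haystack.find(needle)
    while i != -1:
        offsets.append(i)
        i = haystack.find(needle, i + 1)
    return offsets


def search_entry(entry, keyword, hash_library=frozenset(), search_slack=True,
                 use_initialized_size=False, hash_library_slack_only=False):
    """Apply the three search-scope options to one entry.

    Returns [(region, absolute offset)] with region "data" or "slack".
    """
    hits = []
    known = entry.md5() in hash_library
    if not (hash_library_slack_only and known):   # known files: skip the data region
        end = entry.initialized_size if use_initialized_size else entry.logical_size
        hits += [("data", off) for off in find_all(entry.raw[:end], keyword)]
    if search_slack:
        start = entry.logical_size
        hits += [("slack", start + off) for off in find_all(entry.raw[start:], keyword)]
    return hits


def build_entry():
    """Constructed 80-byte entry with a 50-byte initialized size in two clusters."""
    initialized = b"Report attached; see invoice for Q1.".ljust(50)   # what a user sees
    stale = b"old draft: invoice #0042 void".ljust(30)               # past initialized size
    slack = b"deleted email: re: invoice dispute".ljust(48)          # beyond logical size
    raw = initialized + stale + slack
    assert len(raw) == -(-80 // CLUSTER_SIZE) * CLUSTER_SIZE == 128
    return Entry("report.txt", raw, logical_size=80, initialized_size=50)


if __name__ == "__main__":
    entry = build_entry()
    library = frozenset({entry.md5()})   # pretend the document is a known file
    print("default:          ", search_entry(entry, b"invoice"))
    print("initialized size: ", search_entry(entry, b"invoice", use_initialized_size=True))
    print("no slack:         ", search_entry(entry, b"invoice", search_slack=False))
    print("known, slack only:", search_entry(entry, b"invoice", library,
                                             hash_library_slack_only=True))
```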


ADDITIONAL METHODS FOR ENTERING KEYWORDS
Add Keyword List
To add a list of keywords, as opposed to adding one keyword at a time, select Add Keyword List. Keyword lists can be entered from the keyboard or pasted from a text document with one search expression and a line return per line. Options can be selected for all keywords and modified later if needed. Example keywords include:
• Fälschung
• Policemen
• Invoice
• Fälschungen
• account

Figure 5-22 Add Keyword List screen


You can edit individual keywords to add code pages.

Figure 5-23 Code Pages

When completed with the keyword editing, click OK.

Figure 5-24 Current keyword options


INDEX TEXT AND METADATA
Choose this selection to create a searchable index of the data in the case. Creating an index will allow you to instantly search for terms in a variety of ways. You can adjust parameters for index creation, such as the minimum word length to index or whether to use a noise file (a file containing specific words to ignore). Compared to keyword searches that search on the raw text, index searches will search on the transcript output of the file, which is critical for Microsoft Office 2007 and 2010 files. Generating an index can take time; however, the trade-off in time spent creating the index yields a greater payoff with near instantaneous search times. Guidance Software, Inc. recommends always indexing your case data. EnCase supports indexing text in slack bytes and unallocated space. As you select options for indexing within the Evidence Processor, you can choose to include text identified in file slack and unallocated space, defined below. This increases the total time for indexing text, but you could find the value of the indexed text to be worth the investment of time and resources.
• File slack – The area between the end of a file and the end of the last cluster or sector used by that file.
• Unallocated space – The sectors that are not associated with an allocated file—the free space of a disk or volume.

Figure 5-25 Index text and metadata

Unallocated space consists of either unwritten-to sectors or previously written-to sectors that no longer have historical attribution data associated with them. All these sectors are aggregated into Unallocated Clusters. Unallocated Clusters are then divided into multiple sections, and these sections are indexed with shared metadata. If a word at the end of one section of text spans to another section of text, that word is skipped and not included in the indexed sections of text.


The Evidence Processor uses identification processes to identify and differentiate ASCII, UTF-8/16/32 encodings as well as a number of East Asian and western codepages. The Evidence Processor uses built-in intelligence to index any text residing in slack and unallocated space. NOTE: Indexing with East Asian script support is recommended, especially when Index Slack and Unallocated is enabled. The additional processing enabled by this option prevents meaningless strings that are otherwise identified as Unicode strings with Asian characters from being added to the index.

Sectors that are not assigned to any partition scheme fall under Unused Disk Area. The Evidence Processor handles these sectors and Unallocated Clusters similarly. The following procedure provides the steps for including slack bytes and unallocated space when indexing text. After you have selected the evidence you want to acquire and process with the Evidence Processor, select the Index text checkbox and click Index text. The Edit Settings dialog displays.
1. If you want to use a noise file, specify or browse to the filepath of your noise file
2. Set the minimum word length (1-128 characters) for indexed text
3. Select the checkbox for index slack and unallocated
4. If you want to index only the slack area of either known items or all items in the hash library, select the corresponding checkbox
5. To index using East Asian script support, select the corresponding checkbox
6. Click OK

Personal Information
• Credit Cards – Search document, database, and Internet files as categorized by the EnCase® File Types for the following credit card number formats: Visa, MasterCard, American Express, and Discover
  o Utilizes credit-card industry algorithms to validate the credit card number with about 90% accuracy
• Phone Numbers – Search document, database, and Internet files as categorized by the EnCase File Types for phone numbers with and/or without the area code
• Email – Search document, database, and Internet files as categorized by the EnCase File Types for e-mail addresses
• Social Security Numbers – Search document, database, and Internet files as categorized by the EnCase File Types for nine-digit United States Social Security numbers


MODULES
The Evidence Processor has the ability to run add-in modules during processing. Some modules will ship as part of EnCase v7 and you can add your own modules as well. Click on the Modules folder to open it and access additional evidence processing features. You should select the modules that are relevant to your case. The modules will add additional time to your processing, depending on the size of the evidence and the type of module selected as well as the module settings. Searching the unallocated clusters for evidence fragments, for example, will increase the processing time. NOTE: As best practice, you should not enable all modules by default. We will outline the essential function of each module.

Click on the hyperlinked name of the module to configure the settings.

Figure 5-26 Evidence Processor Modules


• System Info Parser – Report on the core system information for Linux and Windows, including:
  o Startup routine (Linux only)
  o User activity (Linux only)
  o Operating system
  o Hardware
  o Software
  o Accounts/users
  o Network information
  o Shared/mapped drives
  o USB Devices
  o Network Shares
  o Advanced: Windows Registry
    – Time zone setting
    – Auto start
    – Hardware
    – User activity
    – User defined keys
    – Networking and other autorun
  When you select the System Info option in the Evidence Processor, you can search NetShare and USB registry information in the Records tab. You can see the UNC path visit history, the history of connected devices, and you can correlate USB devices to their drive letters.
• IM Parser – Search for Instant Messenger artifacts from MSN®, Yahoo®, and AOL Instant Messenger clients. These artifacts include messages and buddy-list contents. It also allows you to select where to search from several general location categories.
  o All or selected files, and/or Unallocated Clusters
• File Carver – Search evidence for file fragments based on a specific set of parameters, such as known file size and file
  o The EnCase File Carver function automatically checks file headers for file length information and uses the actual number of bytes carved, by default. This produces more accurate carved files. When there is no file length information in the header, the footer or the default length is used. This additional parsing is not user configurable.
  o Search all or selected files, file slack, and/or unallocated clusters for deleted or embedded files by header


  o Over 300 file types are supported for carving, including carving HTML files and webmail by keywords
  o Running the File Carver in the Evidence Processor gives you three options; you can select from either the full file types table, from the optimized file types table, or from both. Optimized file types include:
    – Compound document file
    – Outlook personal folder
    – Audio Video Interleave
    – Flash video files
    – Enhanced Metafile Graphic
    – Microsoft bitmap format
  o When the File Carver finishes, you can see the files carved and optionally export the files for review.
• Windows Event Log Parser – Locate and parse Windows Event Logs
  o Parse EVT and EVTX files, including filtering by type of event
• Windows Artifact Parser – Report on Windows artifacts, including
  o Link files
  o Recycle Bin files
  o MFT (NTFS Master File Table) transactions
  o All or selected files, and/or unallocated clusters
• Unix Login – Search UNIX log files for specific events
• Linux Syslog Parser – Search Linux syslog files for specific events
• Snapshot – (Live preview of devices only) – Running processes, open ports, logged on users, etc.
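An added example (not EnCase’s own File Carver) of the length rule the File Carver module applies: carve by header, taking the length from the header where the format stores one (BMP), from the footer where it does not (JPEG), and from a default otherwise. The three-entry table, the 64-byte default and the constructed unallocated buffer are this example’s own.

```python
import struct

DEFAULT_LENGTH = 64   # constructed default carve length for types with no length information

# Constructed carving table. "size_field" is (offset, struct format) of a length
# stored in the header; "footer" is a trailer to scan for when there is no length.
FILE_TYPES = {
    "bmp": {"header": b"BM", "size_field": (2, "<I")},   # bfSize: whole-file length
    "jpg": {"header": b"\xFF\xD8\xFF", "footer": b"\xFF\xD9"},
    "exe": {"header": b"MZ"},                            # no usable length in this table
}


def carved_length(buf, start, spec, default_length):
    """Decide how many bytes to carve, trying header length, then footer, then default."""
    if "size_field" in spec:
        offset, fmt = spec["size_field"]
        if start + offset + struct.calcsize(fmt) <= len(buf):
            n = struct.unpack_from(fmt, buf, start + offset)[0]
            if n >= len(spec["header"]):          # reject a zero or absurdly small length
                return min(n, len(buf) - start)   # clamp a truncated file at the buffer end
    if "footer" in spec:
        end = buf.find(spec["footer"], start + len(spec["header"]))
        if end != -1:
            return end + len(spec["footer"]) - start
    return min(default_length, len(buf) - start)


def carve(buf, table=FILE_TYPES, default_length=DEFAULT_LENGTH):
    """Scan buf for every header in table and return [(type, start, length)].

    Scanning resumes after each carved file, so a file embedded inside another
    carved file is attributed to its container rather than carved twice.
    """
    carved, pos = [], 0
    while pos < len(buf):
        nearest = None
        for ftype, spec in table.items():
            idx = buf.find(spec["header"], pos)
            if idx != -1 and (nearest is None or idx < nearest[0]):
                nearest = (idx, ftype, spec)
        if nearest is None:
            break
        start, ftype, spec = nearest
        length = carved_length(buf, start, spec, default_length)
        carved.append((ftype, start, length))
        pos = start + length
    return carved


def export(buf, carved):
    """Map 'type_offset' names to the carved bytes, as an export-for-review step."""
    return {f"{ftype}_{start}": buf[start:start + length] for ftype, start, length in carved}


# Constructed unallocated-cluster content: a 70-byte BMP, a 31-byte JPEG and a
# truncated PE image, separated by filler bytes that match no header.
SAMPLE_UNALLOCATED = (
    b"\x00" * 16
    + b"BM" + struct.pack("<IHHI", 70, 0, 0, 54) + bytes(56)
    + b"\xAA" * 8
    + b"\xFF\xD8\xFF\xE0JFIF\x00" + b"\x11" * 20 + b"\xFF\xD9"
    + b"\xBB" * 8
    + b"MZ" + b"\x90" * 100
    + b"\xCC" * 4
)

if __name__ == "__main__":
    for ftype, start, length in carve(SAMPLE_UNALLOCATED):
        print(f"{ftype} at offset {start}, {length} bytes")
```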


For now, select System Info Parser and Windows Artifacts Parser.

Figure 5-27 EnCase Evidence Processor

After finishing the EnCase Evidence Processor configuration, click OK. The time required to complete the processing depends on the size of the evidence and the processing options selected. More processing power, RAM, faster disk I/O, etc., will affect the speed. NOTE: With the options selected in the example, it will take several hours to fully process the evidence, depending on your machine’s processor, RAM, hard drives, etc. However, you can continue to browse, examine, and bookmark the evidence as you would with prior versions of EnCase.


You will see the Evidence Processor running in the lower right corner, and you can continue your analysis of the evidence while it processes.

Figure 5-28 EnCase Evidence Processor running

As the modules are processed, you will see the status change.

Figure 5-29 EnCase Evidence Processor running – Modules


PROCESSING A LIVE DEVICE
The EnCase Evidence Processor can also process live devices. This lets you process the evidence directly, without acquiring it first. All processing options are available except Index text. The following procedure provides the steps for processing devices from a device preview. From the Home tab of an open case, click Add Evidence. The Add Evidence screen displays. Click Add Local Device… or Add Crossover Preview… The Add Device dialog displays.

Figure 5-30 Add live device

1. Select the checkboxes of the devices you want to add to the preview and click Finish
    The Evidence tab displays with a preview of the chosen devices
2. In the Evidence tab, click Process Evidence
    The Evidence Processor dialog displays.
3. Under Process, select the checkboxes for the live devices you want to process
4. Review and, if necessary, modify the current processing options
5. Click OK


EVIDENCE PROCESSOR THREADING MODEL
The EnCase Evidence Processor has improved threading capabilities. Please see the diagram for more detail.

Figure 5-31 EnCase Evidence Processor threading model


Figure 5-32 EnCase Evidence Processor – evidence cache and index

Figure 5-33 Evidence Cache folder structure


Lesson 6 Viewing Index and Search Results

EnCase® v7 provides core enhancements to searching, such as:
 The ability to search across multiple types of data, including files, e-mail, and Internet history, as well as view the results on a single screen
 A powerful index search capability
 The ability to search based on user-customized tags

SEARCH TYPES
There are three principal methods of searching through evidence in EnCase v7:
 Index searches – Evidence data is indexed through the EnCase® Evidence Processor prior to searching
 Raw searches – Searches based on non-indexed, raw data
 Tag searches – Searches based on user-defined tags

INDEX SEARCHES
Using the Evidence Processor, you create an index, a list of words from the contents of a device. The index entries contain pointers to the occurrences of the specific word on the device. There are two steps to using indexes:
 Generating an index (covered in the previous Processing Evidence Files lesson)
 Searching an index

Generating an index creates index files associated with devices. Creating an index can be time consuming, depending on the amount of evidence you are indexing as well as the capabilities of your computer hardware. Evidence file size, and thus the resultant index size, is an important consideration when building an index. Attempts to index extremely large evidence files can tax a computer's resources.


You generate a search index early in the EnCase v7 workflow sequence as follows:
 Make sure that your case contains the device you want to index
 As you may recall from a prior lesson, click Process Evidence from the Evidence menu
  o The Evidence Processor displays; this dialog contains the selection for indexing text
 Follow the instructions detailed in the Processing Evidence Files lesson

During the creation of an index, the transcript text of the file is extracted using Outside In technology, and then the text is broken into words that are added to the index. Unlike raw keyword searches, indexing is done against the transcript content of the file so that text contained in compound files, such as Microsoft Office 2007 and 2010 files, can be properly identified. Although EnCase v7 does not create a transcript of slack space and unallocated space, they are processed and broken into words in the best manner possible so that EnCase v7 can find hits in those areas also. Index searching (queries) allows you to rapidly search for terms in the generated index and it is the recommended type of search in EnCase v7.

CREATING A SEARCH QUERY
Once your case has been indexed, keyword searched, tagged, or any combination of the three, you can then search for desired information. To create a unified search, do the following:
1. Go to the Home screen and click the Search button.

Figure 6-1 New Search…

2. In the Index window, enter the keyword(s) to query the Index, such as “Tyler.”
3. A dynamic list is displayed on the right side of the window, showing the terms in the index and the number of occurrences of each term. This is extremely helpful when crafting a query, because you can immediately see whether the term exists in the index.
4. EnCase v7 will show you all words in the index that start with the term you have typed and will dynamically update the list as you type additional letters. At any time you can double-click on a query term to show the information about that term.
5. Click on the Play button to run the query.

Figure 6-2 New Search interface

For examples of index query options, see Appendix A – Index Queries at the end of this manual. EnCase v7 will run the query and display the results in the Table Pane of the Search view. You can review the file entries that contain the search term; for example, the webpage search[1].htm displays as follows.


The Index query hits are displayed in yellow in the Transcript tab of the View Pane. Use the Next Hit button to view the search hit in a large file. NOTE: Raw Keyword search hits can be viewed in the Text tab.

Figure 6-3 Search result


SAVE THE SEARCH RESULTS
You can save the results of the search for future quick access in the Results view. Click on the Searches drop-down menu and select Save As…

Figure 6-4 Save Search Result

The default location is the Search folder under your case.

Figure 6-5 Saving search result


When appropriate, you can switch over to the Results tab to view the saved results.

Figure 6-6 Results tab

The saved search is available for analysis.

Figure 6-7 Results tab – saved search


CONTINUE THE INVESTIGATION
Returning to the Search view, you can switch over to the Doc view to see the webpage in HTML.

Figure 6-8 Doc view

To see the file in the context of the evidence, click on Go to file.

Figure 6-9 Go to file


You will be taken to the Entries view of the Search Results tab to analyze the evidence in context.

Figure 6-10 File in context of entries

You can bookmark the evidence from either the Search, Results or the Evidence view.

Figure 6-11 Bookmark in Results view


You can add a comment to the bookmarked evidence and have the ability to use previous comments to save time.

Figure 6-12 Bookmark comments

Choose the folder in the case template to add the evidence to, or create a new folder. It will default to the last-selected folder to save time, so you don’t have to select the destination folder for each bookmark.

Figure 6-13 Bookmark Destination Folder


Use the Back button to return to the Search Results view of the query results.

Figure 6-14 Back to Search Results query

FIND RELATED
New to EnCase v7 is the Find related button, allowing you to find related files and folders by name or by time. In this instance, in the Results view you found a link file called “Nasty.lnk,” showing that the user knew the folder or file was on the computer system and made an affirmative act by manually opening the folder or file. This would be a good artifact to bookmark and an investigative lead to follow.

Figure 6-15 Bookmark the evidence


Click on Find related by name….

Figure 6-16 Find related by name…

The name will appear in a new Index query. Click on the hyperlink below the Index window to see the results in the Table Pane.

Figure 6-17 Index query


Shorten the text query to “Nasty” to see additional related items of evidence. Click on the hyperlink to see the results in the Table Pane.

Figure 6-18 Query for “Nasty”

When you find a file you wish to investigate further, use the Go to file button to view it in the context of the Evidence folder structure.

Figure 6-19 Go to file

In this case, the file was located because it is in the folder called “Nasty.” As you can see, the index allows searching on both file content and metadata.

If the file is a picture, you can use the Picture view in the View Pane to show the image.

Figure 6-20 Gallery view

You can look at the Permissions tab to see that tyler.durden has access permission for the file.

Figure 6-21 File permissions


And then you may wish to add the evidence to your report template with a bookmark on all of the files.

Figure 6-22 Bookmarking selected files

NOTE: If you bookmark several files, you are not able to add a Bookmark comment. If you wish to add a comment, bookmark a Single File.

Figure 6-23 Bookmark Destination Folder


VIEWING KEYWORD SEARCH RESULTS
Once your case has been keyword searched for raw text, you can then search for desired information.
1. Click the Search button on the Home page

Figure 6-24 Search view

2. Click on the Keywords button to view the search results.

Figure 6-25 Keywords

3. Click on the hyperlink for the desired keyword to display the results in the Table Pane


You can review the file entries that contain the search term; for example, the document called “Fälschungen.doc” displays as is shown in the following screenshot. “Fälschungen” means “counterfeiting” in German. Use the Next Hit button to view the search hit in a large file.

Figure 6-26 Search result

To see the file in the context of the evidence, click on Go to file.

Figure 6-27 Go to file


You will be taken to the Entries view of the Search tab to analyze the evidence in context.

Figure 6-28 File in context of entries

Use the Back button to return to the Search view.

Figure 6-29 Back to Search query


RAW SEARCHES
Although index searching is the recommended type of search, there may be times when you want to perform a search across the raw contents of a device. In those cases, you can perform a keyword or non-indexed search on your case data. Because keyword searching only searches the raw binary form of a file, some content may not be discovered if it is compressed or obfuscated. To perform a raw keyword search on your data, make sure that your case contains the device that you want to search. For more information, see the Search for Keywords option of the Evidence Processor. In addition to keyword searching using the Evidence Processor, you can also initiate a raw keyword search of one or more devices from the Evidence tab. To initiate a search in this manner, follow these steps:
1. Navigate to the Evidence tab and then to the top level of the tab (using the View drop-down menu on the tab toolbar)
2. Select the device or devices that you wish to search using the checkboxes on the left side of the table
3. Select Raw Search All from the tab toolbar

Figure 6-30 New Keyword Search All Entries…

4. Select a previously run search or create a new search
5. Add the keywords and options that you wish to use, just like in the Evidence Processor, and select OK

Figure 6-31 Edit Keywords dialog

Case and Evidence Keywords
Keyword searches that are not initiated from the Evidence Processor are stored with the case and are case specific. Keyword searches that are conducted with the Evidence Processor are stored with the device’s cache files and can be used with any number of cases.


TAG SEARCHES
EnCase v7 also provides the capability to search for instances of a particular tag that you have created. Suppose you create a collection of three tags associated with pieces of evidence, one of which is named “Submit to National Child Victim Identification Program.” You can search through your evidence for all instances of that tag and the result set that displays will consist only of evidence with that tag. You can also tag files in this view. For more information, see Lesson 9, Bookmarking and Tagging Your Findings.

Figure 6-32 Tag Searches

SEARCH SUMMARY
To see a description of all active search criteria click the Summary tab.

Figure 6-33 Search Summary


Lesson 7 Processed Evidence Results

FILE TYPES
When an evidence file is opened in EnCase® v7, the file system contained on the device is parsed and displayed for browsing in the Evidence (Entry) tab. Files may be navigated and viewed in the table area of the Table Pane. EnCase v7 displays files, folders, and other objects on the media, including those that are deleted or overwritten, by maintaining invalid starting cluster addresses as well as other attributes or characteristics. The Description column provides information regarding the object’s attributes, status (allocated or deleted), and other details dependent upon what the entry represents. To remove unnecessary complexity in EnCase v7, the File Types, File Viewers, and File Signatures tables of previous versions of EnCase® software are now contained in one location, the File Types view. Click on the View menu and select File Types.

Figure 7-1 File Types and Entry Description column


FILE SIGNATURES
As stated previously, the File Signatures table has been incorporated into File Types in EnCase v7. There are thousands of file types. Some file types have been standardized. The International Standards Organization (ISO) and the International Telecommunications Union, Telecommunication Standardization Sector (ITU-T) are working to standardize different types of electronic data. Typical graphical images, such as the JPEG (Joint Photographic Experts Group), have been standardized by both of these organizations. When file types become standardized, a signature or header that programs can recognize usually precedes the data. File headers are the first few bytes of a file and are associated with specific file extensions. File extensions are the three or four characters that follow the last dot in a filename. They reveal the type of data that the file represents. If one were to see a .TXT extension, a data type of text would be expected. Many programs rely specifically on the extension to reflect the proper data type. Windows, for example, associates file types with application programs by use of file extensions. Some users have been known to change file extensions to hide the true nature of the files. A JPEG (image file) that has an incorrect extension, such as .DLL, will not be recognized by most programs as a picture.

Figure 7-2 File Types


By default, EnCase v7 displays graphic files, such as the one mentioned in the previous example, in the Gallery view based on their extensions. By running the file signature analysis process, EnCase v7 compares the file’s signature with the extension of the file, and then compares both with the File Types table to determine if the file extension has been changed. This process is essential to properly identify and classify files on a subject’s hard drive.

The File Types table contains the following information about each type of file:
 Name (required) – Name of the file type
 Extensions (Extensions or Header required) – Extension(s) of the file type
 Category (required) – The category of the file (used for the Entry Description)
 Viewer (required) – The default viewer if the file is opened from EnCase v7
 Header Signature (Extensions or Header required) – Header associated with the file type; may be a keyword string or GREP expression
 Header GREP – True or false for correct searching/analysis
 Header Case Sensitive – True or false for correct searching/analysis
 Footer Signature – If available; used for file carving
 Footer GREP – True or false for correct searching/analysis
 Footer Case Sensitive – True or false for correct searching/analysis
 Unique Tag – Allows filtering for the file type tag (signature) with a unique tag name for the file type
 Default Length – 0 unless changed by user
 User Defined – If you edit or create a new file type, it will be marked True as user defined (this will prevent it from being overwritten when an update is released by Guidance Software)
 Disabled – Check the box to disable the File Type for file signature analysis


Before a File Signature Analysis is run with the Evidence Processor, the Evidence tab Entry columns will display the following:
 Signature Analysis
  o Blank
 File Type
  o Blank

Figure 7-3 Before file Signature Analysis

You can also run the File Signature and Hash Analysis independent of the Evidence Processor. Select the desired files and choose the Entries drop-down menu. Select Hash\Sig Selected…

Figure 7-4 Hash\Sig Selected Files


Select the options for hashing and file signatures and click OK.

Figure 7-5 Hash\Sig Selected Options

After Signature Analysis, the columns will display the results of the analysis:
 Signature Analysis
  o Displays the results of a Signature Analysis
   Match
     Signature matches a File Type Header and the Extension is included in the extensions for that File Type
     Signature does not match any File Type Header, but there is a File Type that matches the extension
     A .txt file with data at the beginning of the file not defined as a header within the File Signatures table is identified as a Match
   Alias
     Signature matches a File Type Search Expression Header, but the extension is not included in the extensions for that File Type
   Bad Signature
     Signature does not match any File Type Header, but there is a matching File Type Extension
   Unknown
     Signature does not match any File Type Header and there is no matching File Type Extension
 File Type (formerly Signature)
  o If Signature Analysis records a Match or Alias, EnCase v7 will display the File Type property of the File Type associated with the Signature Analysis
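The four verdicts, the File Types table fields they depend on (Header Signature, Header GREP, Header Case Sensitive, Extensions, Unique Tag, Disabled), and the three-level sort suggested later in this lesson can be tied together in one small model. This is an added illustration written for this lesson, not EnCase code; the table is a constructed subset, and the extension-only reading of the .txt case (a Match when the type matched by extension defines no header) is this example's interpretation of the bullets above.

```python
"""Signature Analysis as the text lays it out: Match, Alias, Bad Signature or
Unknown, plus the File Type and Unique Tag shown for a Match or Alias.
Added illustration, not EnCase code; the File Types table is a constructed
subset with the fields the text lists."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FileType:
    name: str
    extensions: List[str]                  # lower case, no leading dot
    category: str
    header: Optional[bytes] = None         # keyword string or GREP expression
    header_grep: bool = False
    header_case_sensitive: bool = True
    unique_tag: str = ""
    disabled: bool = False                 # excluded from signature analysis

    def header_matches(self, data: bytes) -> bool:
        """Compare the first bytes of data with this type's header signature."""
        if self.header is None:
            return False
        if self.header_grep:
            flags = 0 if self.header_case_sensitive else re.IGNORECASE
            return re.match(self.header, data, flags) is not None
        probe, head = data[:len(self.header)], self.header
        if not self.header_case_sensitive:
            probe, head = probe.lower(), head.lower()
        return probe == head


# Constructed table; a real File Types table has thousands of rows.
FILE_TYPES = [
    FileType("JPEG Image", ["jpg", "jpeg"], "Picture", b"\xff\xd8\xff", unique_tag="jpg"),
    FileType("Windows Executable", ["exe", "dll", "sys"], "Executable", b"MZ", unique_tag="exe"),
    FileType("HTML Document", ["htm", "html"], "Document", rb"<!DOCTYPE html|<html",
             header_grep=True, header_case_sensitive=False, unique_tag="html"),
    FileType("Text", ["txt"], "Document"),             # extension only: no header defined
    FileType("Old Legacy Format", ["old"], "Document", b"OLD!", disabled=True),
]

Result = Tuple[str, str, str]   # (Signature Analysis, File Type, File Type Tag)


def signature_analysis(filename: str, data: bytes,
                       table: List[FileType] = FILE_TYPES) -> Result:
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    active = [ft for ft in table if not ft.disabled]
    by_header = next((ft for ft in active if ft.header_matches(data)), None)
    by_ext = next((ft for ft in active if ext in ft.extensions), None)
    if by_header is not None:
        # Header is known: the extension either belongs to that type or not.
        verdict = "Match" if ext in by_header.extensions else "Alias"
        return verdict, by_header.name, by_header.unique_tag
    if by_ext is not None:
        if by_ext.header is None:
            # Extension-only type (the .txt case in the text): still a Match.
            return "Match", by_ext.name, by_ext.unique_tag
        return "Bad Signature", "", ""     # extension claims a header the data lacks
    return "Unknown", "", ""


def analyze_entries(entries: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str, str]]:
    """Run the analysis over (name, data) pairs and sort as the text suggests:
    Signature Analysis first, then File Type, then Name."""
    rows = [(sig, ftype, tag, name)
            for name, data in entries
            for sig, ftype, tag in [signature_analysis(name, data)]]
    return sorted(rows, key=lambda r: (r[0], r[1], r[3]))


# Constructed sample entries; 'photo.dll' is the renamed JPEG from the text.
SAMPLE_ENTRIES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("photo.dll", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("setup.exe", b"MZ\x90\x00\x03\x00"),
    ("index.HTM", b"<HTML><head></head>"),
    ("notes.txt", b"Meeting notes 2012"),
    ("tool.sys", b"\x00\x00\x00\x00"),
    ("blob.dat", b"\x07\x1f\x9a\x02"),
    ("legacy.old", b"OLD!data"),          # its type is Disabled, so Unknown
]

if __name__ == "__main__":
    for sig, ftype, tag, name in analyze_entries(SAMPLE_ENTRIES):
        print(f"{sig:14} {ftype:20} {tag:5} {name}")
```

The Alias row for photo.dll is the case an examiner is looking for: a picture whose extension was changed, which the Gallery view alone would have skipped.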


Now that the columns are aligned, start examining the file signatures. Use the Set Included Folders option to display all entries in the Table view. Sort the columns in the following order:
 First level – Signature Analysis
 Second level – File Type
 Third level – Name

The arrows on each column heading should appear as they are displayed in the following screenshot. NOTE: Shift-double-click to enable secondary sorts.

Figure 7-6 After File Signature Analysis

To examine the signatures, scroll up or down while viewing the Signature column.


You can bookmark discovered evidence items. Blue-check the entries, right-click, and choose Bookmark Selected Items… You can also use the Bookmark drop-down on the menu bar.

Figure 7-7 Bookmark Selected Items…

Choose the appropriate Destination Folder in the Report template.

Figure 7-8 Destination Folder


You can also activate the File Type Tag column to aid in your investigation. This will show you the Unique Tag for the File Type validated in the File Signature Analysis.

Figure 7-9 File Type Tag


ADDING / EDITING A FILE TYPE
It is likely you will need to edit something within the File Types table or you may need to create a new entry within the table. The following example shows you how to edit an entry in the table. You would use the same steps in adding a new entry. Edit a signature by selecting directly within the appropriate row and clicking Edit. Click on the New button above the File Types table to add a new entry.

Figure 7-10 Editing a File Type

PROCESSED EVIDENCE
The processed evidence will be found under the Records view.

Figure 7-11 Records view


COMPOUND (COMPRESSED ARCHIVE) FILES
In EnCase® v6, mounted compound (compressed archive) files were held in memory, so you could have access to all the data in the case at once. However, when you tried to mount numerous large archive files, you would run into system limitations. This would also cause the case file to open very slowly as the archive files were mounted into RAM. In EnCase v7 you are able to view all available archives found and processed in the EnCase® Evidence Processor. As a reminder, we selected the Expand compound files task with Archives as a file type.

Figure 7-12 Evidence Processor – Expand compound files


The processed compound files are in the Records view, where you can browse individual files under the Archive folder.

Figure 7-13 Records view

The way to search and view data across multiple archives is an Index query, whose results are viewed in the Search tab.

Figure 7-14 Records view – Archive folder


The compressed files are displayed under the Archive folder where they can be sorted and browsed for an examination. Click on the blue hyperlinked name of the archive to open it for review.

Figure 7-15 Archive folder

You can open the compound file and view the contents. In this case, it is a steganography program, which you may wish to Bookmark as relevant evidence.

Figure 7-16 Browsing Archive file

Use the Back button to return to the Records view.


INTERNET ARTIFACTS
To review the processed Internet artifacts, select the Internet folder in the Tree Pane and then the Internet hyperlink in the Table Pane.

Figure 7-17 Accessing processed Internet artifacts

The Internet browsers with discovered and processed artifacts will be displayed in folders, such as Internet Explorer and Mozilla, as shown in the following figure. If applicable, those artifacts that are recovered and cannot be associated with a specific browser are placed in an Unknown Browser folder.

Figure 7-18 Internet artifacts organized by browser


Currently, six browsers are supported. They are:
 Internet Explorer
 Macintosh Internet Explorer
 Safari
 Firefox
 Opera
 Chrome

NOTE: The difference between a regular search for Internet artifacts and a search of Internet artifacts in the unallocated clusters is that keywords are added internally and marked with a special tag indicating that they are for Internet history searching only.

Internet Explorer 9 Support
EnCase supports Internet Explorer 9 bookmarks, parsing all Internet Explorer 9 artifacts, including:
 Bookmarks
 Cookies
 Downloads
 Keyword searches
 History
 Login data
 Cache
 Visited links
 Web data

This gives you the option to search allocated or unallocated files for these Internet Explorer 9 artifacts. When processing is finished, you can also view and search inside Internet history items for these artifacts.


Google Chrome Internet Artifacts
EnCase v7 includes support for parsing these Google Chrome Internet artifacts:

Term             Definition
History          A list of Web sites recently visited. This typically consists of Web sites, usage, and time related data.
Cookies          A list of recent authentication and session data for sites with persistent usage. This typically consists of Web site, expiration times, and site-specific cookie data.
Cache            A list of recently cached files.
Downloads        A list of recently downloaded files, typically consisting of Web sites, file names, location, size, and date.
Keyword Search   A list of recent keyword searches. This typically consists of search terms and the search result page.
Login Data       A list of login data. This typically consists of Web sites, username, password, and SSL information.
Top Sites        A list of top Web sites such as Web site information, rank, thumbnails, and redirect information.

NOTE: EnCase does not currently provide the ability to recover Google Chrome Internet artifacts from unallocated clusters.

Firefox Artifacts
As an enhancement to the Search for Internet history function, EnCase parses Firefox artifacts stored in a SQLite database and displays them in the Records tab. The types of Firefox 8 artifacts parsed are:
 Bookmarks
 Cookies
 Downloads
 Keyword Searches
 History
 Form Data
 Cache
 Visited Links
 Web Data

NOTE: The Records tab of an Internet history search for Mozilla Firefox artifacts displays Frecency and Rev Host Name columns.


“Frecency” is a valid word used by Mozilla. Do not mistake it for “frequency.” For more information, see the Mozilla developer center article at https://developer.mozilla.org/en/The_Places_frecency_algorithm. The value displayed in the Frecency column is the score Mozilla gives to each URL. It combines how frequently a person visits the site and how recently the user visited the site. EnCase displays this value as it is stored in the places.sqlite file. Mozilla stores a URL’s host name in reverse; EnCase displays it as such in the Rev Host Name column.
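An added example, not part of the manual: reading a places.sqlite lookalike with Python's sqlite3, recovering the host name from the reversed rev_host value and ranking URLs by frecency, then summing frecency per host for triage. The rows are constructed and the table is reduced to the three columns discussed; Firefox stores rev_host as the host reversed with a trailing period.

```python
import sqlite3

# Constructed rows modelled on the Firefox moz_places table (url, rev_host, frecency).
# Firefox stores rev_host as the host reversed character by character with a trailing
# "." (e.g. "www.example.com" -> "moc.elpmaxe.www."); frecency is Mozilla's combined
# frequency/recency score. The values below are made up for this example.
SAMPLE_PLACES = [
    ("https://www.example.com/login", "moc.elpmaxe.www.", 2450),
    ("https://news.example.org/article/1", "gro.elpmaxe.swen.", 180),
    ("https://www.example.com/downloads", "moc.elpmaxe.www.", 900),
    ("http://intranet/", "tenartni.", 50),
]


def build_sample_places(path=":memory:"):
    """Create a minimal places.sqlite lookalike holding the constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
        "rev_host TEXT, frecency INTEGER)"
    )
    conn.executemany(
        "INSERT INTO moz_places (url, rev_host, frecency) VALUES (?, ?, ?)",
        SAMPLE_PLACES,
    )
    conn.commit()
    return conn


def host_from_rev_host(rev_host):
    """Undo Mozilla's reversal: drop the trailing '.' and reverse the string."""
    return rev_host.rstrip(".")[::-1]


def places_by_frecency(conn):
    """Return (url, host, frecency) tuples ordered by frecency, highest first."""
    rows = conn.execute(
        "SELECT url, rev_host, frecency FROM moz_places ORDER BY frecency DESC"
    ).fetchall()
    return [(url, host_from_rev_host(rev), frec) for url, rev, frec in rows]


def frecency_by_host(conn):
    """Sum frecency per host: a quick 'which sites mattered most' triage view."""
    totals = {}
    for _url, host, frec in places_by_frecency(conn):
        totals[host] = totals.get(host, 0) + frec
    return totals


if __name__ == "__main__":
    db = build_sample_places()
    for url, host, frec in places_by_frecency(db):
        print(f"{frec:6d}  {host:20s}  {url}")
```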





Enhanced Firefox 10 and IE 9 Browsing History Support
EnCase now recovers more browsing history from Firefox 10 and Internet Explorer 9. This provides up to three weeks of browsing history and can result in recovering thousands of cookies, downloads, bookmarks, and website visits. The system time is not changed to mimic the time span on the system being acquired, so that valid data is recovered.

ANALYZING THE INTERNET ARTIFACTS
The Internet artifacts are organized into categories. You can bookmark the relevant evidence found to be included within the report.

• Cookies – Text file stored on a hard drive by the web browser; may be used for authentication, shopping, preferences, etc.
NOTE: You can sort on the Name column to make the examination more efficient.

Figure 7-19 Internet cookies

• Bookmarks – Also known as “Favorites” or “Internet shortcuts”

Figure 7-20 Bookmarks – Internet Shortcut


• Cache – Files are written to the hard drive to increase the loading speed of frequently visited web pages
   o Code – Downloaded code from visited websites, including animated GIFs

Figure 7-21 Internet Cache – Code


   o XML – Extensible Markup Language pages visited by the browser

Figure 7-22 Internet Cache – XML

   o HTML – Hypertext Markup Language of visited web pages. Best viewed in the Doc view. Placeholders for images are depicted by the box with the “X.”

Figure 7-23 Internet Cache – HTML


   o Image – Best viewed in the Gallery view for quick review. The Timeline view will assist with tracking user activity; the Table view contains the URL (Uniform Resource Locator) of the source website and date/time stamps, also available in the Report tab of the Review Pane.

Figure 7-24 Internet Cache – Image Gallery

   o Text – Text from visited web pages

Figure 7-25 Internet Cache – Text


• History – Record of browsing through the web browser
   o Daily History – URLs from browsing as stored in the Daily History record, including Windows Explorer browsing by the user

Figure 7-26 Internet History – Daily History

   o Weekly History – URLs from browsing as stored in the Daily History record

Figure 7-27 Internet History – Weekly History


   o Visited Link – Website URL (Uniform Resource Locator) visited by the browser

Figure 7-28 Internet History – Visited Link

   o Typed URL – URLs typed directly into the browser by the user, as stored in the user’s NTUSER.DAT registry file. This is strong evidence of a deliberate act by the user.

Figure 7-29 Internet History – Typed URL


• Downloads (Mozilla) – Files downloaded via the browser

Figure 7-30 Internet artifacts – Downloads

Use the Back button to return to the Records view

Figure 7-31 Back to Records


EVIDENCE PROCESSOR MODULES
The results of the Evidence Processor modules are also under the Records tab. Select the Evidence Processor Module Results. The results are divided into categories:
• Entries – Files and folders on the file system
• Records – Evidence extracted, such as registry entries, link files, etc.

Click on the hyperlinked name to examine the results.

Figure 7-32 Evidence Processor Modules

Results – Modules
The results are organized according to the module name as shown in the following screenshot of a deleted image in the Recycle Bin.

Figure 7-33 Windows Artifacts Parser


Click on the hyperlinked name to examine the multidimensional data, such as V12.jpg. The parsed record is displayed and can be included in a report as a bookmark.

Figure 7-34 Parsed Recycle Bin record

Use the Back button to return to the Evidence Processor Module results.

Figure 7-35 Back to Results

The Windows Artifact Parser includes other artifacts, such as the Link Parser.


Click on the name to view the parsed link file.

Figure 7-36 Link Parser

You can bookmark relevant evidence, such as the user accessing the Nasty folder containing previously bookmarked evidence items.

Figure 7-37 Bookmark comments


Place the bookmark into the appropriate Destination Folder.

Figure 7-38 Bookmark Destination Folder

CREATING A HASH SET
Hash sets (which contain the individual hash entries) are located within hash libraries. There are two steps to creating a hash set. The first step is to create an empty hash set within a library, and the second is to add information to it. To create a hash set, you perform the following steps:
1. Click Tools → Manage Hash Library…

Figure 7-39 Manage Hash Library…

2. Make sure that you either browse and point to an existing hash library or create a new one (this is the hash library to which you will add the hash set)
3. On the Manage Hash Library panel toolbar, click New Hash Set

Figure 7-40 New Hash Set

4. Enter a Hash Set Name and information for Hash Set Category and Hash Set Tags

Figure 7-41 Enter specific set information

5. Click OK and click OK again when you are prompted to add the new hash set.


The new hash set is listed under Existing Hash Sets in the Manage Hash Library panel.

Figure 7-42 Newly created hash set

ADDING HASH VALUES TO A HASH SET
Once you have created a hash set within a library, you can add information to it. The steps for adding hash values to a hash set are as follows:
1. Add the device or evidence from which you want to generate a hash value to a case
2. Hash the files on the device by using the hashing feature of the Evidence Processor
3. Go to the table of evidence files or images whose hashes you want to add to the hash set
4. On the Evidence tab under the Entries table, expand the Entries view
5. In the Table tab, check those entries whose hash values you want to add to the hash set
6. In the Tab toolbar, click the Entries drop-down menu (indicated by a red arrow), and select Add to Hash Library...
   • The Add to Hash Library panel displays
7. Choose the Hash Library to which to add the hash items by using the Hash Library Type drop-down menu
   • Select the Primary or Secondary hash library if they are defined, or select Other and browse to a library
8. Once you have selected a library, select one or more previously created hash sets from the Existing Hash Sets window
9. On the Add to Hash Library panel Fields list, select the fields you want to add to the hash library for the selected items
   • Some fields are added by default; however, you can add other optional fields, depending on your needs
   • All fields that are added to the set will be reported when a hash comparison matches a particular hash set; the more fields that you add to a set, the larger the set becomes

10. Click OK


11. If the hash values were added to a library that was set as the Primary or Secondary hash library, you can check whether the item was successfully added to the hash set as follows:
   • On the Table tab, highlight the row containing the item
   • In the bottom pane, click Hash Sets; the hash set name, hash library, and other hashing information about the item should appear

Figure 7-43 Hash set details displayed
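The hash set and lookup behaviour described in the two procedures above, as an added Python example (not EnCase code and not EnCase's hash library file format): a library holding named sets with a category and tags, entries keyed by MD5 and SHA1 together with the optional fields chosen for the set, and a lookup that reports which set a file matches along with the stored fields. File contents, set names and tags are constructed.

```python
import hashlib

# Constructed file contents standing in for entries hashed by the Evidence Processor.
SAMPLE_FILES = {
    "V12.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
    "setup.exe": b"MZ constructed installer bytes",
    "readme.txt": b"constructed text file that is in no hash set",
}


def hash_bytes(data):
    """MD5 and SHA1 of the content; both must agree for a lookup to count as a match."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


class HashSet:
    """A named set of hash entries inside a library, with its category and tags."""

    def __init__(self, name, category, tags=()):
        self.name, self.category, self.tags = name, category, tuple(tags)
        self.entries = {}  # md5 -> fields stored for that entry

    def add(self, filename, data, fields=("name",)):
        """Store the file's hashes plus the optional fields selected for this set."""
        h = hash_bytes(data)
        record = {"sha1": h["sha1"]}
        if "name" in fields:
            record["name"] = filename
        if "size" in fields:
            record["size"] = len(data)
        self.entries[h["md5"]] = record

    def stored_fields(self):
        """Fields reported on a match; every extra field makes the set larger."""
        return sorted({k for rec in self.entries.values() for k in rec})


class HashLibrary:
    def __init__(self):
        self.sets = {}

    def new_hash_set(self, name, category, tags=()):
        self.sets[name] = HashSet(name, category, tags)
        return self.sets[name]

    def lookup(self, data):
        """Every set containing the file: set name, category, tags and stored fields."""
        h = hash_bytes(data)
        hits = []
        for hs in self.sets.values():
            rec = hs.entries.get(h["md5"])
            if rec and rec["sha1"] == h["sha1"]:
                hits.append({"set": hs.name, "category": hs.category,
                             "tags": hs.tags, **rec})
        return hits


def build_demo_library():
    """A library with one Notable and one Known set, filled from the constructed files."""
    lib = HashLibrary()
    notable = lib.new_hash_set("Case images", "Notable", tags=("images", "lesson7"))
    notable.add("V12.jpg", SAMPLE_FILES["V12.jpg"], fields=("name", "size"))
    known = lib.new_hash_set("Known installers", "Known", tags=("ignore",))
    known.add("setup.exe", SAMPLE_FILES["setup.exe"])
    return lib


def classify(lib, data):
    """Mimic the Hash Sets pane: the matching set's category, or 'No match'."""
    hits = lib.lookup(data)
    return hits[0]["category"] if hits else "No match"


if __name__ == "__main__":
    library = build_demo_library()
    for name, content in SAMPLE_FILES.items():
        print(f"{name:12s} {classify(library, content):10s} {library.lookup(content)}")
```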


Lesson 8 E-mail Results

E-mail is a key area for forensic investigation; it not only maintains a record of individual and corporate communications, but also contains date stamps, provides additional names or corporate entities, and may contain attachments, all of which can add to an investigation and supply further leads.

When e-mail is viewed in a case, EnCase® v7 can search for specific kinds of mail and parse its contents for examination. EnCase v7 lets you view e-mail in a format that is similar to common e-mail programs (for example, the Microsoft Office Outlook client). The views are customizable (you can view the data in tree, table, or composite views), allowing you to see only the data you want in the format you find most convenient.

EnCase v7 also allows you to track e-mail threads. In most situations, thread tracking can span multiple e-mail repositories, simplifying investigations that were previously complex and time-consuming. You use Find related – Show conversation (e-mail thread) and Find related – Show related messages to view e-mails across multiple repositories.

Before conducting your e-mail analysis, make sure that you have already processed your case data with the Evidence Processor Find email selection checked.

Figure 8-1 Find e-mail


The processed e-mail will be found under the Records view.

Figure 8-2 View → Records

A list of processed e-mail archives will be displayed under the Email folder. To open an e-mail archive, click on the hyperlink of the name of the archive.

Figure 8-3 Click on the e-mail name hyperlink “outlook.ost”


The Tree-Table and the Traeble views are the most popular for e-mail review. Open the Root folder in the outlook.ost e-mail archive.

Figure 8-4 Select the mode and open Root folder

In this example, open the folder structure down to the IPM_SUBTREE. In Microsoft Exchange, the public folder database is divided into two trees: the IPM_Subtree and the non-IPM_Subtree. The IPM_Subtree contains folders visible to users and clients. For example, a folder created by Microsoft Outlook exists in the IPM_Subtree. A folder in the IPM_Subtree can be searched, accessed directly by users, and used to store user data. The non-IPM_Subtree contains folders not directly accessible by users, and therefore it will not be found in an e-mail archive on a workstation.[1]

Figure 8-5 Open the IPM_SUBTREE

[1] http://technet.microsoft.com/en-us/library/aa997291(EXCHG.65).aspx

You will then be able to examine the e-mail folders, including Deleted Items, Inbox, Sent Items, etc. As you select the e-mails, you will see the attachment icon for e-mail containing attachment(s). In the following image, an expanded tree view of an Outlook.ost file and its folders is shown in the left pane, while the messages belonging to the .ost file are shown in the right pane, and the contents of a selected message are shown in the bottom pane.

Figure 8-6 Sent Items: E-mail with attachments


You can export an e-mail message to a *.msg file by right-clicking the message and choosing Export to *.msg… You can also bookmark the e-mail message from the same context menu.

Figure 8-7 Export to .msg

You can bookmark an e-mail message as a Single item… or multiple e-mails at once as Selected items… just as you did with evidence entries.

Figure 8-8 Bookmark e-mail


You can double-click on the e-mail to open it and review the attachments.

Figure 8-9 E-mail attachments


If the user has organized e-mail into subfolders, those will be available for examination.

Figure 8-10 E-mail subfolders


DISPLAYING E-MAIL THREADS
EnCase v7 analyzes two forms of e-mail threading:
• Conversations
• Related messages

To choose which form of threading to examine:
1. In the Records tab, click the Find related menu
2. Click either the Show conversation or Show related messages button

Figure 8-11 E-mail – Find Related → Show conversation


SHOW CONVERSATION
E-mail threading is based on conversation-thread related information found in the e-mail message headers. Different e-mail systems use different methods of identifying conversations; for example:
• The header fields Message-ID, Reply-To-ID, and References
• The header field Conversation Index
• The header field Thread-Index

Multiple mechanisms are needed because the messages of interest may cross e-mail-system boundaries. In these circumstances EnCase v7 builds a separate conversation tree for each type of data found in the header (for example, one using Message ID/References and another using Conversation Indexes) and displays the conversation tree containing the most e-mail.

EnCase v7 can display conversations for all supported e-mail types except AOL, because AOL messages do not store thread-related information. However, the feature cannot always reconstruct complete conversations when the conversations include messages from multiple e-mail systems. For example, EnCase v7 cannot fully recreate a conversation where some users are using Outlook, some are using Lotus Notes, and others Thunderbird’s mbox. You can use Find related → Show related messages to aid with those types of investigations.

If an e-mail does not have any of the message header fields previously specified, EnCase v7 cannot construct a conversation thread for it. Selecting such an e-mail message and clicking Show Conversation results in a tree containing only the selected e-mail message. The following figure shows a conversation list for a selected e-mail (note how the e-mails contained within the conversation list are identified by their conversation index ID).


If an e-mail message references an e-mail ID that is not found, it will display as <Message not present>, such as shown in the following example.

Figure 8-12 E-mail conversation

When completed, use the Back button to return to the e-mail archive.


SHOW RELATED MESSAGES
The Show related messages feature is based solely on the e-mail’s subject line. The feature is useful when an examiner suspects that the Show conversation view is not displaying a complete conversation thread. All e-mails with identical subject lines are considered related and displayed together. EnCase v7 can show related e-mails for all supported e-mail types. There are no limitations caused by e-mails originating from different e-mail systems. Since the Show related messages view only looks at the subject line of a message, the e-mails displayed may not all be related, depending upon the uniqueness of the subject line.

Figure 8-13 Show related messages

Following is an example of a list of related e-mails. The list is displayed in the left pane; the content of the first e-mail in the list is displayed in the Report tab.

Figure 8-14 Related messages


DEDUPLICATING MESSAGES
Multiple copies of an e-mail often exist because:
• An e-mail was sent to multiple e-mail aliases
• The sender’s Sent Items and the recipient’s Inbox are located in a single case multiple times in different e-mail archives

By default, EnCase hides duplicate e-mail messages in a conversation. To avoid displaying the same message multiple times, EnCase v7 deduplicates (removes duplicate) messages in both the Show conversation and Show related messages e-mail views. Deduplication uses the Message ID, Thread ID, or Conversation ID, depending on the type of e-mail program. You can still view duplicate e-mail messages in a conversation thread: to show all duplicates in a conversation, click Show Duplicates in the Records tab toolbar. Duplicate e-mail messages then appear with red alerts that indicate their status.

Figure 8-15 Show Duplicates
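The behaviour described under Show conversation, the <Message not present> placeholder, Show related messages and Deduplicating messages, as one added Python example (not EnCase code): threading by the References and In-Reply-To headers (In-Reply-To is the standard header assumed here to correspond to the "Reply-To-ID" the text names), a placeholder node for a referenced message that is absent from the evidence, identical-subject matching for related messages, and deduplication by Message-ID. The mailbox is constructed; the conversation-index and thread-index mechanisms are not modelled.

```python
import email
from email import policy

MISSING = "<Message not present>"


def make_msg(sender, subject, mid, refs=()):
    """Build a minimal RFC 822 message (constructed sample data, not real evidence)."""
    hdr = (f"From: {sender}\nTo: bob@example.com\nSubject: {subject}\n"
           f"Message-ID: {mid}\n")
    if refs:
        hdr += f"References: {' '.join(refs)}\nIn-Reply-To: {refs[-1]}\n"
    return email.message_from_string(hdr + "\nbody text\n", policy=policy.default)


# Constructed mailbox: m1 appears twice (sender's Sent Items and recipient's Inbox
# copy), m3 replies to m0, which is not in the evidence, and m4 shares a subject
# line with m1 but belongs to no thread.
SAMPLE = [
    make_msg("alice@example.com", "Budget", "<m1@example.com>"),
    make_msg("bob@example.com", "Re: Budget", "<m2@example.com>", ["<m1@example.com>"]),
    make_msg("alice@example.com", "Re: Budget", "<m3@example.com>",
             ["<m1@example.com>", "<m0@example.com>"]),
    make_msg("alice@example.com", "Budget", "<m1@example.com>"),
    make_msg("carol@example.com", "Budget", "<m4@example.com>"),
]


def msg_id(m):
    return str(m["Message-ID"]).strip()


def deduplicate(msgs):
    """Keep one copy per Message-ID; return (unique messages, duplicates hidden)."""
    seen, unique = set(), []
    for m in msgs:
        mid = msg_id(m)
        if mid not in seen:
            seen.add(mid)
            unique.append(m)
    return unique, len(msgs) - len(unique)


def build_threads(msgs):
    """Link messages via References/In-Reply-To; absent ancestors become placeholders."""
    by_id = {msg_id(m): m for m in msgs}
    parent, children = {}, {}

    def link(child, par):
        if parent.get(child) is not None:
            return  # already placed by an earlier References chain
        parent[child] = par
        if par is not None and child not in children.setdefault(par, []):
            children[par].append(child)

    for mid, m in by_id.items():
        refs = str(m.get("References") or "").split()
        irt = str(m.get("In-Reply-To") or "").strip()
        if irt and (not refs or refs[-1] != irt):
            refs.append(irt)
        prev = None
        for ref in refs:  # oldest ancestor first
            node = ref if ref in by_id else f"{MISSING} {ref}"
            link(node, prev)
            prev = node
        link(mid, prev)  # no references: the message is its own root
    return by_id, parent, children


def render_conversation(msgs, start_id):
    """Indented lines of the conversation tree containing start_id (Show conversation)."""
    by_id, parent, children = build_threads(msgs)
    root = start_id
    while parent.get(root) is not None:
        root = parent[root]
    lines = []

    def walk(node, depth):
        label = node if node.startswith(MISSING) else f"{node} {by_id[node]['Subject']}"
        lines.append("  " * depth + label)
        for child in children.get(node, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def related_messages(msgs, subject):
    """Show related messages: every message whose subject line is identical."""
    return [msg_id(m) for m in msgs if str(m["Subject"]) == subject]


if __name__ == "__main__":
    unique, hidden = deduplicate(SAMPLE)
    print(f"{hidden} duplicate(s) hidden")
    print("\n".join(render_conversation(unique, "<m3@example.com>")))
    print("related to 'Budget':", related_messages(unique, "Budget"))
```

The related-messages list shows the caveat from the text: m4 is included because its subject is identical, while the "Re: Budget" replies are not.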


Lesson 9 Bookmarking and Tagging Your Findings

BOOKMARKING DATA FOR REPORTS
As you work on a case in EnCase® v7, you typically discover files, portions of files, and other objects that are of interest as potential evidence; you can save these items for inclusion in the examination report. These marked sections are referred to as “bookmarks.” Bookmarks are saved in folders in the case file. You can view them by selecting the Bookmarks link under Report on the Case Home page.

Bookmarks can also contain comments and notes for tracking, accounting, and reporting purposes. You place bookmarks into bookmark folders and give them names associated with meaningful aspects of the case. The case templates that came with EnCase v7 will give you an idea of the power of bookmarks in building a report.

NOTE: If a device or compound file is removed or “dismounted” from the case file, the bookmarks and search hits that resolve within that “mounted” file will be unavailable.


To bookmark data into a folder:
1. Click the Bookmarks link on the Case Home page in the Reports section

Figure 9-1 Bookmarks


2. The Bookmarks tab will open
3. Expand the Bookmarks folder to see the tree structure with the bookmarks made thus far in your examination

Figure 9-2 Bookmark tab

4. The case template folders will be available to hold your bookmarks, and you can add any desired notes to the folders


5. You can rename, create new, or delete folders as appropriate for your case.

Figure 9-3 Customize Bookmark folder structure

6. As a reminder from previous lessons, to bookmark data, select the content from almost any tab and click the Bookmark drop-down menu on the Tab toolbar
7. Select the appropriate bookmark type (Single File… or Selected Files…), add a name and comment as desired, and click OK
8. View your bookmarks in the Bookmarks tab


BOOKMARKING A SINGLE ITEM
As a reminder, Single Item bookmarks are used to identify individual files that contain important information to the current case. If the file is not an image file, the contents of the file will not be bookmarked. Only the metadata information about a non-image file is displayed in the report. This type of bookmark is often used for marking non-image files that will be copied from the evidence file and placed on a CD for presentation to an attorney or case agent. It may also be used to show specific fields of important files.

Highlight the entry or record item to be bookmarked. Right-click the highlighted item and select Bookmark → Single item…

Figure 9-4 Bookmarking a Single Item…


You can add a comment to the bookmarked evidence and you also have the ability to use previous comments to save time.

Figure 9-5 Bookmark comments

Choose the folder in the case template to add the evidence.

Figure 9-6 Bookmark Destination Folder

BOOKMARK MULTIPLE ITEMS
Selected Items bookmarks are similar to Single Item bookmarks except that they are used to mark a group of files rather than a single highlighted file. A group of files is normally bookmarked because of some distinct quality that exists in all the selected files. It may be that all the files are images, or perhaps they were all created at the same time. Another possibility is that the files are all of the same type: accounts, checks, database files, etc.

Before beginning, ensure that no blue-check exists in the Selected box. The first step is to select the files you wish to bookmark. From the Evidence → Viewing (Entry) view, blue-check several files to bookmark. The Selected box will indicate how many files are blue-checked or selected. Right-click anywhere in the Table view and select Bookmark → Selected Items…

Figure 9-7 Select items to bookmark; right-click


Choose the folder in the Case Template in which to add the evidence. It defaults to the last-selected folder to save time, so you don’t have to select the destination folder for each bookmark.

Figure 9-8 Bookmark Destination Folder


NOTE BOOKMARK
From the Bookmarks, Evidence, Record, Search Hits, and other evidentiary views, the Note Bookmark provides you more formatting flexibility than the other comment methods discussed thus far. This bookmark is designed for text data – up to one-thousand characters. To create a Note Bookmark, right-click in the Table Pane and select Add Note… (Insert).

Figure 9-9 Add a Note Bookmark

Add the desired text and click OK. For example, a translation of the file names:
German : English
Fälschungen : Counterfeiting
Kreditkartenverkauf : Credit Card Sales
Missbrauch von CC : Abuse of CC

Figure 9-10 Bookmark Note


You may change the order of the bookmarks in a folder in the report. Left-click on the entry and drag the entire row to the new position.

Figure 9-11 Rearranging bookmarks

Figure 9-12 New order of Bookmarks


You can rename the folder (F2), reorder folders, add new folders, and arrange the examination report as appropriate.

Figure 9-13 Rename the folder

Figure 9-14 Renamed folder


TAGS
The EnCase v7 tagging feature allows you to mark evidence items for review. You define tags on a per-case basis, and default tags can be part of a Case Template. Any item that you can currently bookmark can also be tagged. You can search for tagged items, view them on the Search Results tab, and view the tags associated with a particular item in an Evidence or Records table. Following is a list of tag features and characteristics:
• You can create tags as part of a case or add them to a Case Template.
• You can customize each of the tags with specific colors and display text.
• You can edit saved tags: change their colors and text, hide specific tags from viewing, and delete a tag.
• Tags are local to a specific case (that is, you cannot create global tags), and the maximum number of tags that you can use for a case is 63.
• You can directly manipulate tags on the EnCase® user interface: change their order, delete them, and so forth.
• You can modify the order in which tags are displayed in the Tag column.
• Once you have created a tag, you can build searches based on tags and also tag search results. You can also combine tags with index and keyword search queries.
• You can create tags using EnScript modules.

CREATING TAGS
To create a tag:
1. From the Records, Evidence, or Bookmark tabs, click Tags on the toolbar

Figure 9-15 Creating a tag


2. On the Tags drop-down menu, click Manage Tags…

Figure 9-16 Tag menu

3. Sample tags are available for you to utilize as appropriate to your case, such as:
   • Review – Review later as time permits
   • Add to Report – Reminder to add to the report
   • Follow Up with Submitter – Entry or record requiring follow-up discussion or review with the person submitting the evidence for analysis
   • Ignore – Already reviewed and not relevant to the current investigation

4. If you wish to add additional tags, click New from the Manage Tags toolbar

Figure 9-17 Manage tags


5. On the New Tag Item panel, enter a Name, the Display text that you want to appear in the tag column (use short display names to conserve space in the column), and the Frame Color (foreground and background colors) for the tag; you can also hide or disable the tag by checking its Hidden box
6. In this example, you can create a tag for images depicting apparent minors engaged in sexually explicit conduct for submission to the National Child Victim Identification Program

Figure 9-18 New Tag Item

7. Repeat the steps until you have created the tags you want; you can always add, remove, and rename tags later


8. Click OK and the tag will now be available for your case work

Figure 9-19 New tag

At any time you can display a list of available tags by clicking Tags → Show tag pane. You can use this to toggle the Tag pane on and off.

Figure 9-20 Show tag pane


The Manage tags pane will appear in the bottom right corner to assist you in your tag management.

Figure 9-21 Manage tags pane

TAGGING MULTIPLE EVIDENCE ITEMS
You can tag multiple files at once. Blue-check the selected items and then select the Tags menu, choosing Tag selected items… (Ctrl-T).

Figure 9-22 Tag selected items…


Choose the tag you wish to apply to the evidence items.

Figure 9-23 Tagging selected items…

The evidence items will have the tag displayed in the Tag column of the Table Pane.

Figure 9-24 Tagging selected items


USING THE TAG PANE AND COLUMN
Another method of tagging is to use the Tag Pane. To tag an evidence item, do the following:

1. Your evidence items are available on the Evidence tab; you can also assign tags to Records and Bookmarks
2. Select the evidence item to be assigned a tag by highlighting or checking it
3. Check the tag that you want to assign to an evidence item (this example uses the new tag you created)

Figure 9-25 Select the tag for the evidence item

4. The tag you selected appears in the Tag column of the selected evidence item

Figure 9-26 Tag in Table view


One-click Tagging
You can also set a tag by clicking on its position in the Tag column.

1. To set a tag using the Tag column, click the space in the Tag column where the tag would be displayed and it will then appear
   • As an example, if you have two tags configured, half of the column will be used to display the first tag and the second half of the column will be used to display the second tag
   • If you click in the first half of the tag cell for the item you wish to tag, that will apply the first tag to that item and it will now appear in the column
   • To remove a tag, simply click the tag in the column

Figure 9-27 Tagging with a click

You can change the order of the tags on a row by clicking on a tag and dragging it in the Tag pane.


TAGGING IN THE SEARCH VIEW
In the Tags tab of the Search view, you can find tagged data to quickly review items that have been flagged for special attention. Clicking in the Tag column in the Table Pane automatically adds or removes a tag from that item.

Figure 9-28 Tagging with a click – Search View

HIDING A TAG
If you have a tag that you do not currently want to show in the Tag column or the Tag pane, you can hide the tag using the options available from the Manage tags window. This will not delete a tag, but will simply hide it from view. To hide a tag, follow these steps:

1. From the Evidence tab, click the Tags button
2. In the Manage tags dialog, check the box in the Hidden column for the cell corresponding to the tag you want to hide

Figure 9-29 Hiding a tag


DELETING TAGS
Tags that you do not want to use can be deleted from the Manage tags window. Deleting a tag removes the tag name from the case, and deletes all references to the tag in the tag database. This action cannot be undone.

When deleting a tag, if that tag has been assigned to an item in the case, a warning dialog will indicate the number of tags to be deleted. If no items are tagged with that tag name, then no warning will be displayed. To delete a tag, follow these steps:

1. On the Evidence tab, click the Tags button
2. On the Manage tags dialog, check the row containing the tag that you want to delete
3. On the Manage tags toolbar, click Delete

Figure 9-30 Deleting a tag


Lesson 10 Reporting

The final phase of a forensic examination is reporting the findings, which must be well-organized and presented in a format that the target audience will understand. EnCase® v7 has added several enhancements to its reporting capabilities that strengthen this phase of the process. These include:

• The addition of reporting templates that you can use as is or adjust to suit your needs
• The capability to control a report’s format, layout, and style
• The ability to add notes and tags to a report

Reports in EnCase v7 consist of two parts:

1. Report templates that hold the formatting, layout, and style of the report.
2. Bookmark folders where references to specific items and notes are stored. The Report template links to bookmark folders to populate content into the report.

USING REPORT TEMPLATES
A report template is one component of a case template. Each of the default case templates has a customizable report template included. Different case templates may contain different report templates, and each of these templates is completely customizable. In addition to the report template, each case template also includes bookmark folders that are referenced in the report. Besides the default templates, you can define your own custom reports and save them as part of a case template. EnCase v7 includes the ability to create reports from additional metadata fields for entries and records. The report template builder makes all evidence fields available and, if selected, the field values display in the report. You can customize reports by specifying which fields to add to the report template. To add a field, select it from the report fields available. You can choose to include the value in the field as well as the name of the field. Then, when you generate a report, EnCase v7 includes both selected fields and the content with which they are populated in the specified area of the report. All entry, record, and item (bookmark) fields can be added to report templates. Multi-value fields, such as file extents and permissions, have two options for inclusion: cell and table. Adding the cell data displays the value of the field as displayed within the Entry table view. Adding the table data displays the value of the field as displayed in the Details tab.

Report Template Structure
Before viewing a report, you need a report template or outline of what the report will look like. The report template also defines how your case data is formatted and styled. This structure consists of:

1. Report Sections – Sections contain groups of like information and formatting and provide the ability to organize your report
2. Report Formatting – This includes page layout, section design, and text styles
3. Report elements – Collections of bookmarks, a key element of the report structure (you do not embed bookmarks into a report template, but embed a reference to the contents of a bookmark folder)

Figure 10-1 Report Templates

Following is an example of the Forensic report template (Report Templates > Table).

For organization and flexibility in reporting, a report component can be designated as either a Report or Section, as shown in the Type column of each Table row. Report components typically only contain formatting information for components beneath them, while section components contain formatting information and report elements. The columns to the right of Type indicate whether a particular formatting option is user-defined or inherited from the report or section above it in the hierarchy of rows.

Figure 10-2 Report Template


To add new reports or sections to the template:

1. Highlight the row above the new element that you want to add
2. Click New… on the Table tab

Figure 10-3 New Report template

3. The New Report Template dialog appears

Figure 10-4 New Report Template dialog

4. Type a name for the new report template component
5. Select a type (Section or Report) for the new template component
6. Select whether you want to customize a Format style by checking its box or use the default format style by leaving the box clear
7. Click OK


The new template component will appear below the row that you highlighted.

Figure 10-5 New report section

FORMATTING REPORT TEMPLATES
There is a wide range of formatting options available for customizing EnCase v7 reports. Guidance Software recommends using the default case templates as a starting point, such as the Forensic template used in this instruction, and customizing them as necessary. These templates provide examples of most reporting options. As displayed in the previous screenshots, report templates can and should be designed as a hierarchical tree to simplify formatting. If properly designed, report sections will inherit formatting options from above; therefore, changes to the formatting will only have to be made in one location. The following is a list of items that can be customized:

• Section Name – This name is for organizational reference in the template only and does not populate into the report
• Paper – This includes orientation and size
• Margins – Values can be set for top, bottom, left, and right margins
• Header/Footer – You can design a completely customized header or footer that contains Case Info Items and other various data
• Data Formats – The display characteristics of each bookmark type can be customized; this includes data style and content
• Section Body Text – The layout and content of each section is specified in the Body Text
• Show Tab – This option determines if this report or section is displayed as a tab in the Reports tab
• Excluded – Provides the ability to quickly exclude a section from a report if it is not applicable


Editing a Formatting Option
To edit a formatting option:

1. Right-click on a cell that represents the report element and the formatting component you want to edit
2. Click Edit... on the cell’s context menu
3. Change the default values for the formatting option to the values you want
   • In the following example, the Margins cell for the Body element is selected and the left and right margins are changed from the default values to one inch

Figure 10-6 Report Margins

4. Click OK when you are finished

NOTE: Remember that formatting options are inherited by default, from beginning to end. Therefore, in this example, the report components that follow the one you customized will inherit those margin settings unless you edit them.


REPORT STYLES
As in Microsoft Word, styles are used to set text formatting options. EnCase v7 comes with many default styles that can be used in report templates, and you can create your own styles. You can override a default style by creating a user style with the same name. Options that can be designated in a style include:

• Font type and font size
• Alignment (left, center, right, justified)
• Indenting (left, right, first line)
• Space before/after
• Borders
• Tabs
• Text color
• Background color

To Create a User-defined Style
From the Report Template tab, select Styles from the Tab toolbar. A new window appears that contains a tab for Default Styles, which displays the available default styles, and a tab for User Styles:

1. Switch to the User Styles tab

Figure 10-7 Styles


2. Select New from the toolbar
   • The ability to edit or delete an existing user style can also be found in the toolbar

Figure 10-8 User Styles

3. Provide a name for the style and the desired configuration options
   • Font, Text Foreground, and Text Background can all be set by double-clicking on the appropriate field

Figure 10-9 New user style

VIEWING A REPORT
Once you have configured your report template and added bookmarks to the appropriate folders, there are two ways to view a report:

1. From the Report Templates tab, select View Report from the tab toolbar
   • This will list all reports that have the Show Tab option set
   • Selecting a report from the menu takes you to the Reports tab to view the selected report

Figure 10-10 View Report

2. You can also select the Reports tab from the case Home page or the View menu
   • In the Reports tab you will see a tab for each report that has the Show Tab option set

Figure 10-11 Reports

Reports are dynamically generated every time that you switch to a specific report in the Reports tab. To save a report, right-click on the report and select Save As. The following output formats are available:

• TEXT
• RTF
• HTML
• XML
• PDF

Figure 10-12 Save the Report


Once you select the output format, specify a Path and optionally set the Open file option if you want the file to open in the default application after saving.

Figure 10-13 Output Format

NOTE: It is recommended that if you wish to edit your report in Microsoft Word, you save the report in RTF format. The EnCase® RTF report is completely compatible with Microsoft Word.

Figure 10-14 Report open in Microsoft Word


CASE ARCHIVING AND PORTABILITY
Cases in EnCase v7 have a significant amount of user data stored in the evidence cache and files other than just the .case file itself. You may need to package up your evidence and case and move or share it between multiple users. The new case packaging feature in EnCase v7 allows you to package up all of the relevant items associated with a case and put them in a single folder for archiving or case portability. In the Case menu, select Create Package.

Figure 10-15 Create a Case Package


The Create Package interface will appear with packaging options:

• Copy – Copy the case file, evidence cache(s), and other required files for case portability between examiners
• Archive – Archive the case file, evidence cache(s), other required files, and the evidence files of the case
• Customize – Choose what files to package

Figure 10-16 Create Package options

The case information is displayed, including:

• Current case name and location
• Size of required items
• Size of optional items
• Total size

The Create Package options include:

• Target location to save the case package
• Checkbox for evidence files (only if items exist and are available)
• Checkbox for Primary Evidence cache items (only if items exist)
• Checkbox for Secondary Evidence cache items (only if items exist and primary is selected)

When the data is backed up to the target folder, each evidence file or file set will be put into its own subfolder. A progress bar will show you the percentage complete.


Lesson 11 Appendix A – Index Queries

CREATING A SEARCH QUERY
Once your case has been indexed, keyword searched, tagged, or any combination of the three, you can then search for desired information. To create a unified search do the following:

1. Go to the Home screen and click the Search button

Figure 11-1 New Search…

2. In the Index window, enter the keyword(s) to query the index, such as “Tyler”
3. A dynamic list is displayed on the right side of the window, showing the terms in the index and the number of occurrences of a term; this is extremely helpful when crafting a query so that you can immediately see if the term exists in the index.
4. EnCase v7 will show you all words in the index that start with the term that you have typed and will dynamically update the list as you type additional letters; at any time you can double-click on a query term and it will show the information about that term
5. Click on the Play button to run the query

Figure 11-2 New Search interface

Search New
By default, EnCase v7 searches for items containing all the keywords in the search term. For instance, the search term “George Washington” searches for all items that contain both the word “George” and the word “Washington”:

• You can search for documents containing either keyword by using the OR operator, e.g., George OR Washington
• You can use the AND operator for clarity, e.g., George AND Washington

However, the latter term produces exactly the same results as the original search term.

Proximity
To search for two keywords within a specified number of words from each other, use the w/ operator:

• George w/3 Washington
• Abraham w/5 Lincoln


One Word before Another
You can also search for documents where the first keyword precedes the second by no more than a specified number of words:

• George pre/3 Washington
• Abraham pre/3 Lincoln

Keywords Apart From Each Other
To search for documents where the keywords are not within a certain number of words of each other, use the nw/ or the npre/ operators:

• George nw/3 Washington
• Abraham npre/3 Lincoln

Exact phrases
You can search for exact phrases using quotation marks (“”), which is the same as using the pre/1 operator:

• “George Washington” is the same as George pre/1 Washington

Near the Front or End of the Document
You can use the reserved words “firstword” and “lastword” with the proximity operators to refer to the beginning or end of the document. For example:

• George w/3 firstword
  o Finds documents where George is one of the first three words in the document, and
• Washington nw/20 lastword
  o Finds documents where Washington is not any of the last twenty words in the document
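The proximity operators from the preceding sections (w/, pre/, nw/, npre/, quoted phrases as pre/1, and the reserved words firstword and lastword) evaluated over tokenised sample text, as an added reference model that is not EnCase code from Guidance Software. It assumes that "within n words" means the token positions differ by at most n, that the negated forms are satisfied when some occurrence of the first word has no partner inside its window, and that firstword and lastword occupy virtual positions just outside the document; the sample documents are constructed.

```python
import re
from typing import List


def tokenize(text: str) -> List[str]:
    """Index-style tokenisation: lower-cased runs of letters, digits and apostrophes
    (index queries are case-insensitive unless the <c> operator is used)."""
    return re.findall(r"[a-z0-9']+", text.lower())


def positions(tokens: List[str], word: str) -> List[int]:
    """Token positions of a word. The reserved words firstword and lastword are
    modelled as virtual positions just outside the document, so 'George w/3
    firstword' holds exactly when George is one of the first three words."""
    w = word.lower()
    if w == "firstword":
        return [-1]
    if w == "lastword":
        return [len(tokens)]
    return [i for i, t in enumerate(tokens) if t == w]


def _near(i: int, j: int, n: int, ordered: bool) -> bool:
    # Assumption: "within n words" means the two positions differ by at most n;
    # for pre/ the second word must come after the first.
    d = j - i if ordered else abs(j - i)
    return 0 < d <= n


def proximity(tokens: List[str], a: str, op: str, n: int, b: str) -> bool:
    """Evaluate 'a op/n b' for op in w, pre, nw, npre over one document."""
    pa, pb = positions(tokens, a), positions(tokens, b)
    ordered = op in ("pre", "npre")
    if op in ("w", "pre"):
        return any(_near(i, j, n, ordered) for i in pa for j in pb)
    if op in ("nw", "npre"):
        # Assumption for the negated forms: the document is responsive when some
        # occurrence of a has no b inside its window (a itself must occur).
        return any(not any(_near(i, j, n, ordered) for j in pb) for i in pa)
    raise ValueError(f"unknown proximity operator {op!r}")


PROX_RE = re.compile(r"^\s*(\S+)\s+(w|pre|nw|npre)/(\d+)\s+(\S+)\s*$", re.I)
PHRASE_RE = re.compile(r'^\s*"([^"]+)"\s*$')


def matches(query: str, text: str) -> bool:
    """True when the document text is responsive to one proximity query or one
    exact phrase in double quotes."""
    tokens = tokenize(text)
    m = PHRASE_RE.match(query)
    if m:
        words = tokenize(m.group(1))
        if not words:
            return False
        # An exact phrase is a chain of pre/1 links: adjacent words, in order.
        return any(tokens[i:i + len(words)] == words
                   for i in range(len(tokens) - len(words) + 1))
    m = PROX_RE.match(query)
    if not m:
        raise ValueError(f"unsupported query: {query!r}")
    a, op, n, b = m.group(1), m.group(2).lower(), int(m.group(3)), m.group(4)
    return proximity(tokens, a, op, n, b)


def boolean_and(queries: List[str], text: str) -> bool:
    """A Boolean term may not sit inside a proximity term ('George pre/3
    (Washington and State)' is disallowed); the permitted rewrite is the
    conjunction of separate proximity queries, which is what this evaluates."""
    return all(matches(q, text) for q in queries)


# Constructed sample documents (not taken from the training material).
DOC1 = "George Washington was the first president of the United States."
DOC2 = "Washington State is home to George, who moved west."
DOC3 = "George visited Washington State last year."

if __name__ == "__main__":
    for q in ("George w/3 Washington", "George pre/3 Washington",
              "George w/3 firstword", "Washington nw/20 lastword",
              '"George Washington"'):
        print(f"{q:28} DOC1={matches(q, DOC1)!s:5} DOC2={matches(q, DOC2)}")
    print("rewrite on DOC3:", boolean_and(["George pre/3 Washington",
                                           "George pre/3 State"], DOC3))
```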


With Two Variables
Use parentheses to group multiple words within a search term. For example, in the following search term:

• Bill w/5 (Clinton or Gates)

The index marks as responsive all items containing the word “Bill” within five words of either Clinton or Gates.

With Multiple Variables
You can also construct a complex proximity search that includes Boolean operators on both sides. For example, in the following search expression:

• (Bill and William) w/5 (Clinton and Gates)

The index marks as responsive all items that contain both the words “Bill” and “William” within five words of both Clinton and Gates.

Grouping Search Queries Together
You can group search queries together using parentheses to form logical expressions. How you use parentheses indicates to the search engine the order in which it should look for the search terms. For instance:

• (George and Washington) or (Abraham and Lincoln)
  o Finds all items with either both the words “George” and “Washington” or both the words “Abraham” and “Lincoln”

You can nest parenthetical expressions; for example:

• (George and (Washington or Bush))
  o Finds all items that contain the word “George” and either the word “Washington” or “Bush”

Alternatively:

• (George and Washington) or Bush
  o Finds all items that contain the words “George” and “Washington,” or “Bush”


You can use parentheses to join proximity queries (pre/, w/) to Boolean logic queries (AND, OR). For example:

• Delaware and (George pre/3 Washington)
  o Finds all items that contain the word “Delaware” and that also contain the word “George” no more than three words before Washington

You cannot use parentheses to put a Boolean term into a proximity term:

• Disallowed: George pre/3 (Washington and State)

Instead, express this term as follows:

• (George pre/3 Washington) and (George pre/3 State)

Searching for Keywords in Document or E-mail Fields
By default, EnCase v7 searches for keywords in every indexed text field of the document or e-mail. You can restrict the fields that you search using the bracket ([ ]) field specifier. For instance, to search only for keywords in the subject line, use:

• [Subject]George

You can use parentheses to group keywords together within a field:

• [Subject](George Washington)
• [Subject](George pre/2 Washington)

You can use aliases to group together a section of fields:

• [Address] searches the [To], [From], [CC] and [BCC] fields
• [Date] searches the [Accessed], [Created], [Modified], [Written], [Sent] and [Received] fields

Common fields for all items are:

• [Name] – Name of file.File extension (the file will not be found unless it contains the extension)
• [Extension] – File extension
• [Category] – Category of file, such as Picture


Searching for Date Fields or Date Properties
You can search for items by date or date range using field syntax. Dates are entered in ISO 8601 syntax between # marks and can be general, such as:

• [Created]#2004#

Or very specific:

• [Created]#2004-11-19T11:54:03#

You can also search for date ranges using an ellipsis (...):

• [Created]#2004-02-03...2004-02-17#

The previous term searches for any item with a creation date between Feb. 03, 2004 and Feb. 17, 2004. You can search for items before or after a particular date by leaving off one end of the range:

• [Created]#2004-02-03...#
• [Created]#...2004-02-17#

File date fields are:

• Accessed
• Created
• Modified
• Written

E-mail date fields are:

• Sent
• Received
• Created


Searching for Numeric Properties
You can search for items by number range using field syntax. Numbers are entered between # marks and can be specific, such as:

• [Size]#1034#

Or a range, using ellipses, such as:

• [Size]#1000...3000#

The previous term searches for any item with a size between 1000 bytes and 3000 bytes. You can search for numbers above or below a particular point by leaving one end of the range off:

• [Size]#...3000#
• [Size]#1000...#
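The [Field]#value...value# range syntax from the date and numeric sections above, turned into a predicate and run over constructed item metadata; this is an added example, not Guidance Software code. The date field names are the ones the appendix lists; it assumes that a partial ISO 8601 value such as 2004 or 2004-02-17 at either end of a range covers the whole period it names, and that any non-date field holds an integer.

```python
import re
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# Date fields named in the appendix (file and e-mail date fields); other fields
# such as [Size] are treated as integers.
DATE_FIELDS = {"Accessed", "Created", "Modified", "Written", "Sent", "Received"}
FIELD_RE = re.compile(r"^\[(\w+)\]#([^#]*)#$")


def iso_interval(part: str) -> Tuple[datetime, datetime]:
    """Read a possibly partial ISO 8601 value as an inclusive interval: '2004'
    covers the whole year, '2004-02-17' the whole day, a full timestamp one
    second (assumption: a partial value at either end of a range includes the
    whole period it names)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d", "%Y-%m", "%Y"):
        try:
            start = datetime.strptime(part, fmt)
        except ValueError:
            continue
        if fmt == "%Y":
            end = start.replace(year=start.year + 1)
        elif fmt == "%Y-%m":
            end = start.replace(year=start.year + (start.month == 12),
                                month=start.month % 12 + 1)
        elif fmt == "%Y-%m-%d":
            end = start + timedelta(days=1)
        else:
            return start, start
        return start, end - timedelta(seconds=1)
    raise ValueError(f"not an ISO 8601 date: {part!r}")


def parse_bounds(spec: str, is_date: bool) -> Tuple[Optional[object], Optional[object]]:
    """Turn the text between the # marks into (low, high); None is an open end."""
    lo_s, hi_s = spec.split("...", 1) if "..." in spec else (spec, spec)
    if is_date:
        lo = iso_interval(lo_s)[0] if lo_s else None
        hi = iso_interval(hi_s)[1] if hi_s else None
    else:
        lo = int(lo_s) if lo_s else None
        hi = int(hi_s) if hi_s else None
    return lo, hi


def compile_field_query(query: str) -> Tuple[str, Callable[[object], bool]]:
    """Return (field name, predicate) for '[Created]#2004-02-03...2004-02-17#',
    '[Size]#1000...#' and the other forms shown above."""
    m = FIELD_RE.match(query.strip())
    if not m:
        raise ValueError(f"not a field range query: {query!r}")
    field, spec = m.group(1), m.group(2)
    lo, hi = parse_bounds(spec, field in DATE_FIELDS)

    def pred(value) -> bool:
        return (lo is None or value >= lo) and (hi is None or value <= hi)

    return field, pred


def search(query: str, items: List[dict]) -> List[str]:
    """Names of the items whose field value satisfies the query."""
    field, pred = compile_field_query(query)
    return [it["Name"] for it in items if field in it and pred(it[field])]


# Constructed sample metadata (not from a real case).
ITEMS = [
    {"Name": "budget.xls", "Size": 1034, "Created": datetime(2004, 2, 10, 9, 30)},
    {"Name": "memo.doc", "Size": 2400, "Created": datetime(2004, 2, 17, 23, 59, 59)},
    {"Name": "photo.jpg", "Size": 3001, "Created": datetime(2004, 11, 19, 11, 54, 3)},
    {"Name": "old.txt", "Size": 12, "Created": datetime(1999, 12, 31)},
]

if __name__ == "__main__":
    for q in ("[Created]#2004#", "[Created]#2004-02-03...2004-02-17#",
              "[Created]#...2004-02-17#", "[Created]#2004-11-19T11:54:03#",
              "[Size]#1034#", "[Size]#1000...3000#", "[Size]#1000...#"):
        print(f"{q:40} -> {search(q, ITEMS)}")
```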

Searching for Case-sensitive Terms
By default, all index queries are case-insensitive. You can make queries case-sensitive by using the <c> operator:

• <c>George
• <c>(George and Washington)

You can specify case-sensitive queries for fields:

• <c>[subject](George pre/3 Washington)

Using Wildcards to Search for Patterns
You can search for incomplete words or word prefixes using the ? and * operators.

Wildcard for single characters
The ? operator stands as a placeholder for any single character. For instance:

• c?t
  o Results in hits for documents containing “cat,” “cot,” and “cut,” but not “caught”

Wildcard for multiple characters
The * operator stands as a placeholder for any number of characters. For instance:

• ind*
  o Results in hits for documents containing “indecisive,” “indignant,” and “Indiana”


Multiple wildcards
A keyword may contain multiple wildcards (either * or ?), but may not contain wildcards at both the beginning and end of the word. For instance:

• ind*ia*a
• c?t?
• *fi?y
  o Are valid keywords

However:

• *india*
• ?cat?
• *fish?
  o Are not valid keywords

Using wildcards with punctuation
The wildcards ? and * only work for the following punctuation types:

• Dash (-)
• Underscore (_)
• Period (.)
• Comma (,)
• At symbol (@)
• Apostrophe (')

NOTE: Punctuation characters will not be found using wildcards if they are at the beginning or end of words.
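The wildcard rules from this section and the two before it (? for one character, * for any number, no wildcard at both ends of a keyword, and the six punctuation characters a wildcard may stand in for, never at the beginning or end of a word) as an added validator and matcher over a constructed index vocabulary; this is not Guidance Software code and the vocabulary is invented.

```python
import re
from typing import List

# Punctuation the ? and * wildcards may stand in for, per the list above.
WILDCARD_PUNCT = "-_.,@'"
_CHAR = "[a-z0-9" + re.escape(WILDCARD_PUNCT) + "]"


def is_valid_wildcard_term(term: str) -> bool:
    """A term may hold several wildcards but not one at both its beginning and its end."""
    has_wild = "*" in term or "?" in term
    return not (has_wild and term[0] in "*?" and term[-1] in "*?")


def wildcard_to_regex(term: str) -> str:
    """Translate a wildcard term into a regular expression over one index word."""
    out = []
    for ch in term.lower():
        if ch == "?":
            out.append(_CHAR)         # exactly one character
        elif ch == "*":
            out.append(_CHAR + "*")   # any number of characters, including none
        else:
            out.append(re.escape(ch))
    return "".join(out)


def wildcard_matches(term: str, word: str) -> bool:
    """True when the index word is a hit for the wildcard term."""
    if not is_valid_wildcard_term(term):
        raise ValueError(f"invalid wildcard term: {term!r}")
    word = word.lower()
    if not word or not re.fullmatch(wildcard_to_regex(term), word):
        return False
    # Punctuation at the beginning or end of a word is not found through a
    # wildcard; it has to be written literally at that end of the term.
    t = term.lower()
    if word[0] in WILDCARD_PUNCT and t[0] in "*?":
        return False
    if word[-1] in WILDCARD_PUNCT and t[-1] in "*?":
        return False
    return True


def expand(term: str, index_words: List[str]) -> List[str]:
    """Index terms the wildcard term expands to (what the dynamic term list shows)."""
    return [w for w in index_words if wildcard_matches(term, w)]


# Constructed index vocabulary (not from a real index).
INDEX_WORDS = ["cat", "cot", "cut", "caught", "city", "indecisive", "indignant",
               "Indiana", "index.html", "ind-", "e-mail", "e_mail", "e/mail"]

if __name__ == "__main__":
    for term in ("c?t", "c?t?", "ind*", "ind*ia*a", "e?mail"):
        print(f"{term:10} -> {expand(term, INDEX_WORDS)}")
    for term in ("*fi?y", "*india*", "?cat?", "*fish?"):
        print(f"{term:10} valid={is_valid_wildcard_term(term)}")
```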


Using Stemming Lists to Search for Similar Words
You can use the stemming operator (~) to search for similar words. By default, the stemming operator replaces your word with all words similar to it in the English language. For instance:

• swim~
  o Results in hits for documents containing “swim,” “swim’s,” “swimming,” “swam,” “swum,” etc. Stemming uses the language packs on the server to find words similar to your original term.

When you test your term, a stemming list is added to the term. Stemming lists are contained within the <> characters and clearly display the stems for the keyword. For instance, the default stemming list for swim is:

• <s:swim swim’s swims swims’ swimming swam swum swim>

You can override the default stemming behavior by modifying the stemming list. For instance:

• <s:swim swam swum>
  o Would result in hits for documents containing “swam” and “swum,” but not “swimming,” “swim’s,” etc.

You can incorporate stemming into any location for which you would use the OR operator. For instance:

• run~ and [Created]#2002#
• <s:run ran running runner>
  o Results in hits for documents created in 2002 that contain at least one instance of “run,” “ran,” “running,” or “runner”


FIELDS IN INDEX QUERIES
Index queries can be created that target data in specific data fields. By selecting the Fields button on the toolbar, you can double-click on a field name and add it to your query. After adding the field name, type the value for which you wish to query. Category, Item Type, and Signature Analysis have sub-menus with their values. Following is an example of the field chooser.

Figure 11-3 Search query field chooser


INDEX QUERY LOGIC
In addition to adding fields into your query, you can also add additional types of logic to customize the result set. The available options are:

• Case sensitivity
• Stemming
• Terms w/ combining logic
• Preview dictionary w/ hit count
• Can combine w/ keyword searches and tags
• Can filter or condition on search results
• Can combine multiple search results w/ and/or logic
• Can view previously run searches

UNIFYING SEARCH RESULTS
EnCase v7 allows you to view search results from a variety of sources, using the single Search Results tab. The results can span numerous types of data (for example, files on the Entry tab, e-mail information, and Internet artifacts) and contain the results of a filter, condition, or search (including Index, Keyword, and/or Tags). All of the operations mentioned previously produce distinct result sets. The queries that are used to display the result sets are stored as files in the user’s EnCase v7 directory. Search Result sets can display quickly because they show a subset of available metadata for each item. To view additional information about an item, simply select the item and click Go to file in the tab toolbar. The unified metadata available in the Search Results table is:

• Name
  o For an Entry Item: Entry Name
  o For an Email Record: Email Subject
  o For an Internet History Record: URL
• Logical Size
  o Entry: Logical Size
  o Record: Logical Size (PR_LOGICAL_SIZE)
• Last Accessed Date
  o Entry: Accessed
  o Record: Accessed (PR_ACCESSED)
  o Entry: Created
  o Record: Created (PR_CREATION_TIME)
• Last Written Date
• From
  o Email Record: From field
  o Internet History Record: User
• Recipients
  o Email Record: Aggregation of To\Cc\Bcc fields
• Comment
• Item Type
• Category
• Primary Device
• Item Path

The Search Result table displays two additional columns that are dynamically generated based on the items in the table:

• Extension
  o Generated from the Search Result Name at display time
• Tags
  o Generated from the current case at display time
