EnCase
Starting a New Case
Adding a Device
Creating a Boot Disk
Keyword Search
File Signatures
Exporting Files/Report
File Viewers
Navigating EnCase

  Tree Pane, Table Pane, Bottom Pane and Filter Pane
  Highlighting a folder
    Home plate > Select the polygon to the left of the folder name.
    Blue check mark > Select the square to the left of the folder name – used for keyword search.
New Case

  EnCase – New case
    Select the “New” icon
    Name – case1
    Examiner Name – Your
    Export Folder –
    Temporary Folder –
Saving a Case

  Save the Case
    Select the “Save” icon
    Select your folder
    Change case name to lower case and remove any
Global Settings

  Tools > Options > Global
    Auto save – set it to 5; increase to 30+ if making a long running search.
    Enable picture viewer, art and png image display
    Invalid picture timeout – leave at 12 sec
    Date and Time – MM/DD/YY and 12:00
    Show Yes / No
Preview Device (HD, Floppy, Thumb Drive, etc)

  Select the “Add Device” button.
  Next select the appropriate device.
    Generally you will select “Local Drives”
    For DOS acquisition select Network
  Select the drive letter which represents the device to be
    Floppy – Generally select the A drive.
    USB and Firewire acquisitions – Select drive E, F, etc.
  Adding evidence number and name.
    Right click on the drive letter.
    Select > Edit
    Enter an evidence number:
      Such as (070418-0010): year 07, month 04, day 18, evidence number 0010.
    Enter evidence name.
      It’s a good idea to add the device type in the name, i.e., desktop, floppy, laptop, etc.
      Example: smithdesktopHD1, smithfloppy1, etc.
Acquiring Previewed Device

  If a previewed device warrants acquisition: Right click on the device and select
  Select – Replace source
    This will replace the preview item.
  Note! Search, Hash and Signature Analysis
    Ensure that it is not selected – Acquisition will proceed faster.
  Set the following:
    File segment size – 640
    Compression – None
    Password – Leave
    Generate image hash
    Output path – Check to ensure the correct one is
Adding Previously Acquired Evidence (HD, Floppy, etc.)

  Create a new case or open an existing case.
  Select > Add Device
  Select the appropriate folder i.e., “Local” and then the appropriate file,
  Right click on the “Evidence Files” folder and then select New to create a new path.
  Browse the file system until you find the location of the previously acquired
    For example: f:\cases\data
Boot Disk Creation

  Tools > Create Boot Disk
  Test diskette by rebooting from
  Run EnCase DOS program “en”
  ENBD – EnCase Network Boot Disk
    Save the ENBD file to your desktop.
      http://www.guidancesoftware.com/support/downloads
    Insert floppy in drive.
    Run ENBD setup file.
    When finished add the en.exe file.
    Do not write protect the ENBD disk.
  Add the en.exe file.
    C:\program
Keyword Search

  Global keywords
    These words are made available to all your cases.
    View > Keywords
  Case specific keywords
    These words are only available in this case.
    View > Cases Sub-Tabs >
  Keyword Sources
    Investigating officer
      Search warrant
    HR
    Attorney
    Management
    Contract, Internet, Previous cases
  Keyword Folder
    Right-click on Keyword
    Select > New Folder
    Add Folder Name
    Examples
      Email addresses
      IP addresses
      Phone numbers
  To add a single Keyword
    Right-click on Keyword Folder > Select New
    Search Expression – word, phrase, GREP expression.
    Case sensitive – Check to make case sensitive.
    GREP – Limits false hits.
    Active Code Page – Allows foreign languages
    Unicode – Foreign language char. Check to locate both ASCII and
  To add a list of
    Right-click on Keyword Folder > Select Add Keyword List
    Enter words
  Before beginning a search you must select the word or group of words you want EnCase to find.
  To do so, place a blue check next to the word or folder containing the words EnCase should locate.
  To begin a search, click on the Search button.
    Search each file – Must be checked to activate a keyword search.
    Verify file sign – Don’t check
    Compute hash value – File hash
    Search file slack – Search space between logical file and physical file.
    Undelete files – Logical undelete. Search between starting cluster & following unallocated cluster.
    Search with known hashes – will not search known hashes.
    Selected keywords only – Unless selected, all keywords are searched.
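The keyword options above (case sensitive, GREP, Unicode) decide which byte patterns a keyword actually turns into. The following example is added here to show what that means on raw data; it is not EnCase code and not from the original slides. It assumes a plain byte buffer in place of a device (the constructed SAMPLE below stands in for a slice of a pagefile) and implements a simplified version of the same idea: each keyword is compiled to its ASCII form and, when the Unicode option is on, to its UTF-16LE form, so text that Windows stored with a null byte after every character is still found.

```python
import re
from dataclasses import dataclass


@dataclass
class Keyword:
    """One entry in a keyword folder, mirroring the options on the page."""
    expression: str
    case_sensitive: bool = False
    grep: bool = False       # treat the expression as a GREP (regular) expression
    unicode: bool = True     # also look for the UTF-16LE form of the text


def compile_patterns(kw):
    """Yield (encoding label, compiled byte pattern) pairs for one keyword."""
    flags = 0 if kw.case_sensitive else re.IGNORECASE
    if kw.grep:
        # A GREP expression is applied as written to the raw bytes; this
        # example does not derive a Unicode form of a GREP expression.
        yield "grep", re.compile(kw.expression.encode("latin-1"), flags | re.DOTALL)
        return
    yield "ascii", re.compile(re.escape(kw.expression.encode("latin-1")), flags)
    if kw.unicode:
        # UTF-16LE places a null byte after every ASCII character, which is how
        # Windows keeps text in the registry, the pagefile and many documents,
        # so an ASCII-only search would miss these hits.
        yield "unicode", re.compile(re.escape(kw.expression.encode("utf-16-le")), flags)


def search(data, keywords):
    """Run every keyword over a byte buffer; returns (expression, encoding, offset) hits."""
    hits = []
    for kw in keywords:
        for label, pattern in compile_patterns(kw):
            for match in pattern.finditer(data):
                hits.append((kw.expression, label, match.start()))
    return sorted(hits, key=lambda hit: hit[2])


# Constructed stand-in for a slice of a pagefile: ASCII text, then the same
# address stored as UTF-16LE, then some phone numbers.
SAMPLE = (
    b"\x00" * 8
    + b"Contract with smith@example.com signed"
    + b"\x00" * 4
    + "Smith@Example.COM".encode("utf-16-le")
    + b"\x00" * 4
    + b"call 555-0100 or 555-0199"
)

KEYWORDS = [
    Keyword("smith@example.com"),              # ASCII and Unicode, case-insensitive
    Keyword(r"555-01\d\d", grep=True),         # GREP expression for a number range
    Keyword("SMITH", case_sensitive=True),     # case-sensitive: no hit in this sample
]

if __name__ == "__main__":
    for expression, encoding, offset in search(SAMPLE, KEYWORDS):
        print(f"{offset:6d}  {encoding:8s}  {expression}")
```

Running it lists four hits: the e-mail address once as ASCII and once as Unicode, the two phone numbers matched by the GREP expression, and nothing for the case-sensitive "SMITH". Turning the Unicode option off drops the second address hit, which is the behaviour the swap-file note later on this page warns about.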
Search Results

  Search Hits – To view search results.
  View > Cases > Search Hits
  Refresh – Use during a search to display current
  [Screenshot: search hits on GUID strings such as {097F737E-161B-11D4-…}; Unicode hits show a · between characters where the text has null bytes.]
  Exclude – The item is not deleted from the case. Red
  Export – Creates a tab-delimited text file which can be imported into Excel.
  Tag File – Will place a blue check on the file to identify it in Home view

Bookmarking

  Sweeping Bookmarks
  Files
  Notes
  File Group

Bookmarking – Sweeping

  Sweeping bookmark – Used to capture notable data.
  Highlight the item > Right click > Select Bookmarks
  Destination folder – Select a folder (i.e., Floppy) or create a new folder by right clicking on Bookmarks > New Folder > Enter new folder name.
  Add Comment – i.e., “Bad stuff doc appears to be created on suspect’s machine.”
  Data type – Select Style > ISO Latin > ISO Latin @ 100
  View results – Select Bookmarks button > Report button

Bookmarking – Files

  Used to flag files that contain important case
  Right click on a file.
  Select Bookmark Files
  Add the bookmarked item to a folder by selecting an existing folder, or
  Select “Create new bookmark folder” and enter the name.
  View Bookmarks
    Select Bookmarks button > Bookmarks Home plate > Report button

Bookmarking – Notes

  Allows you to add a note to a bookmarked item.
    i.e., add a note to a bookmarked file.
  Formatting includes bold, italic, font size and text indent.
    However, only text indent is worth using.
  To add a note to a bookmarked file/item:
    Select Bookmarks button
    Select Table button
    In Table View – right click on the appropriate file
    Select Add Note.
  Add your notes and indent text as needed.

Bookmarking – File Group

  In Tree view select (with a blue checkmark) the folder containing the files you want to bookmark.
  Right click on the folder and select Bookmark Data.
  Ensure that “Bookmark Selected Items” is checked.
  Select “ok”
  View Bookmarks
    Select Bookmarks button > Bookmarks Home plate > Report button.

Bookmarking – Report
Evidence File

  Restoring a drive
  Compression
    To compress data files once the HD has been
    Right click on device > Select Acquire > Replace Source Device > Compression – Best
File Signatures

  View > File Signatures
    Used to compare file headers with file extensions
  To Start: Click on Search
    Ensure that only the “Verify file signatures” option is selected.
    Click on the Start button. The process will run in the
    Click on Save – Once the process is done.
  Table View symbols:
    _ Deleted
    X – Deleted, overwritten file; starting cluster is occupied by another file.
    O – Undeleted by EnCase.
    O – Directory entry with a file name but no starting cluster.
  Signature Analysis
    Select the case / device “home plate”
    Table View – Sort order: Signature, File Ext, Name
    Secondary sorts – Shift > double-click
  *Alias
    The header and the extension don’t agree
    The header exists in the Signature table
    Generally a renamed extension – EnCase displays the file type.
  !Bad Signature
    The header and the extension don’t agree
    The extension exists in the Signature table
    The header does not exist in the Signature table
  Match – Header & extension agree.
  Unknown – Header & extension do not exist in the Signature table.
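The four outcomes above follow from two questions: is the header in the Signature table, and is the extension in it. The example below is added to make that decision procedure concrete; it is not EnCase's implementation and not from the original slides. It assumes a small constructed signature table (a real one has hundreds of entries), classifies each constructed sample file as *Alias, !Bad Signature, Match or Unknown, and sorts the result the way the page says to sort the Table View (Signature, then File Ext, then Name).

```python
# Constructed subset of a file signature table: header bytes -> extensions
# that legitimately carry that header.
SIGNATURE_TABLE = {
    b"\xff\xd8\xff": ("jpg", "jpeg"),
    b"\x89PNG\r\n\x1a\n": ("png",),
    b"%PDF-": ("pdf",),
    b"PK\x03\x04": ("zip", "docx"),
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": ("doc", "xls"),
}

KNOWN_EXTENSIONS = {ext for exts in SIGNATURE_TABLE.values() for ext in exts}


def extension_of(name):
    """Lower-case extension without the dot, or '' when the name has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze(name, data):
    """Classify one file the way the Signature column does.

    Returns (status, true_type): true_type is the extension the header
    implies, so a renamed file can be reported with its real type.
    """
    ext = extension_of(name)
    header_exts = None
    for header, exts in SIGNATURE_TABLE.items():
        if data.startswith(header):
            header_exts = exts
            break
    if header_exts is not None:
        if ext in header_exts:
            return "Match", ext
        # Header is known but the extension disagrees: a renamed file.
        return "*Alias", header_exts[0]
    if ext in KNOWN_EXTENSIONS:
        # Extension is known but the header is not.
        return "!Bad Signature", None
    return "Unknown", None


def signature_report(files):
    """Analyze every (name, data) pair and sort like the Table View:
    Signature, then File Ext, then Name."""
    rows = []
    for name, data in files:
        status, true_type = analyze(name, data)
        rows.append((status, extension_of(name), name, true_type))
    return sorted(rows)


# Constructed sample files (names and contents invented for the example).
FILES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("budget.txt", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("report.pdf", b"This is plain text, not a PDF"),
    ("vacation.txt", b"\xff\xd8\xff\xe1\x00\x18Exif"),
    ("readme.txt", b"Nothing to see here"),
    ("data.bin", b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for status, ext, name, true_type in signature_report(FILES):
        extra = f" (actually {true_type})" if status == "*Alias" else ""
        print(f"{status:15s} {ext:5s} {name}{extra}")
```

The two .txt files with picture and Office headers are the case the page calls out: the extension was changed, and the report shows what the file really is. readme.txt is Unknown rather than Bad Signature only because this toy table has no txt entry; with a full table it would be a Match, which is why an Unknown result is worth a second look when the extension is common.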
Exporting Files

  Use the blue checkmark to select files to export.
  Right click in the table view.
  Select > Copy/UnErase.

Exporting Report

  Select Report button
  In Table View
    Right Click on report
    Select Export
    Select Format
    Input path
Windows Artifacts – INFO2

  Sort by name – Double click on the “Name” column.
  Click on the first file, under name, in the Table View.
  Type “info” real fast.
  Highlight text starting with C:\Documents and ending with .doc
  Right click > Bookmark Data
  Note that the SID number (S-1-5- . . .-1003) ends with 1003.
  Under Data Type, select Windows > Win2000 Info File
  Deleted – Note the date & time, is it relevant?
  Path – Note the file’s location and what was deleted.
Windows Artifacts – Link Files

  Shortcut files – Record creation, access and last written dates.
    Provides insight into how a computer was configured at a given point in time.
    May indicate when an application was installed.
    When created after application install it supports the allegation that the user had knowledge of a file or
    Contains the fully qualified path to the file referenced.
    Provides evidence of the existence of an application which is no longer installed.
  Sort by file type – Double click on the “File Ext” column.
  Then sort by name – Press the Shift key and double click on the “Name” column.
  Click on the first file, under “File Ext” and type “lnk” real fast.
  Note, you should now be at the start of the lnk files.
  Click on the first link file, under “Name” and type “art” real fast.
  Select the Hex button.
  FO28 – Start at byte offset 28
  LE24 – Highlight the next 24 bytes.
  Right click on your selection and select Bookmark
  Select Dates > Windows Date/Time
  Note the date and time associated with this link file.

Windows Artifacts – Volume Serial Number

  To associate the link file with the current volume.
  Select file > In text mode select the path > select Hex mode.
  Locate the hex value 10 that appears before the path selection.
  Note the value of the four bytes prior to the hex 10.
  Select “Entries” in the Tree Pane and the drive in the Table Pane.
  Next, select the Report button in the Bottom Pane.
  Locate the volume serial number.
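The two procedures above (FO28/LE24 bookmarked as Windows Date/Time, and the four bytes before the 0x10 that precedes the path) are manual reads of fixed fields in the shortcut file. The example below is added to show the same reads done in code so they can be checked against what the Hex view shows; it is not EnCase code and not from the original slides. It assumes the documented shell link layout (three 64-bit FILETIMEs at offset 28; a VolumeID whose drive serial number sits immediately before the 0x10 label-offset field) and builds a constructed .lnk with invented dates, serial and path so it runs with no evidence file present.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Windows FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def link_file_times(data):
    """The page's FO28/LE24 selection: 24 bytes at offset 28 hold three
    FILETIMEs, in the order creation, last access, last write."""
    created, accessed, written = struct.unpack_from("<QQQ", data, 28)
    return {
        "created": filetime_to_datetime(created),
        "accessed": filetime_to_datetime(accessed),
        "written": filetime_to_datetime(written),
    }


def volume_serial(data, path_prefix=b"C:\\"):
    """Follow the page's method: find the target path in the link, step back to
    the 0x10 (label offset) field that precedes it, and read the four bytes
    before that field as the drive serial number. The search starts after the
    76-byte header, whose FileSize field could itself contain a 0x10 byte."""
    path_offset = data.find(path_prefix)
    if path_offset < 0:
        return None
    marker = data.rfind(b"\x10\x00\x00\x00", 0x4C, path_offset)
    if marker < 4:
        return None
    return struct.unpack_from("<I", data, marker - 4)[0]


def format_serial(serial):
    """Render the serial the way Windows prints it, e.g. 1A2B-3C4D."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def build_sample_lnk():
    """Constructed minimal .lnk: 76-byte header plus a LinkInfo block with a
    VolumeID and local path. Dates, serial and path are invented."""
    created = datetime(2007, 4, 18, 9, 30, tzinfo=timezone.utc)
    accessed = datetime(2007, 4, 20, 14, 5, tzinfo=timezone.utc)
    written = datetime(2007, 4, 19, 16, 45, tzinfo=timezone.utc)
    header = struct.pack("<I", 0x4C)                              # HeaderSize
    header += bytes.fromhex("0114020000000000c000000000000046")   # shell link CLSID
    header += struct.pack("<II", 0x02, 0x20)                      # LinkFlags (HasLinkInfo), FileAttributes
    header += struct.pack("<QQQ", *(datetime_to_filetime(d) for d in (created, accessed, written)))
    header += struct.pack("<IIIH", 4096, 0, 1, 0) + b"\x00" * 10  # FileSize, IconIndex, ShowCommand, HotKey, reserved
    label = b"SMITH_PC\x00"
    path = b"C:\\Documents and Settings\\smith\\My Documents\\art.doc\x00"
    # VolumeID: size, DRIVE_FIXED, drive serial number, label offset (0x10), label
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1A2B3C4D, 0x10) + label
    link_info_size = 28 + len(volume_id) + len(path) + 1
    link_info = struct.pack("<7I", link_info_size, 28, 1, 28,
                            28 + len(volume_id), 0, 28 + len(volume_id) + len(path))
    return header + link_info + volume_id + path + b"\x00"


if __name__ == "__main__":
    lnk = build_sample_lnk()
    for label, when in link_file_times(lnk).items():
        print(f"{label:9s} {when:%m/%d/%y %I:%M:%S %p}")
    print("volume serial", format_serial(volume_serial(lnk)))
```

The three dates are the target file's timestamps as recorded when the shortcut was written, which is why a link file can still vouch for a file or volume that is no longer present; compare the printed serial with the one on the drive's Entries report to tie the shortcut to the volume in the case.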
Windows Artifacts – Application Data

  Outlook Express – Email storage location.
  Documents & Settings > User Name > Local Settings > Application Data > Identities > GUID number > Microsoft > Outlook Express.

Windows Artifacts – Root Folder

  Named after the user login name.
  Ntuser.dat – Last written time represents the user’s last logout

Windows Artifacts – Recent Folder

  Recently accessed files – Great place to start investigating a case.
  Start > All Programs > My Recent Documents – Represent link files.
  Documents & Settings > User Name > Recent
  While Windows only displays the last 15 documents, the Recent folder could contain hundreds of link file names, which may be of value.
  A shortcut may refer to a volume that wasn’t present when evidence was collected.

Windows Artifacts – Desktop Folder

  Documents & Settings > User Name > Desktop.
  Desktop items may be the result of the following four sources: the user’s Desktop folder, Registry, All Users desktop folder and Domain Group Policy.

Windows Artifacts – My Documents

  Documents & Settings > User Name > My
  Windows will generally store files in this folder.

Windows Artifacts – SendTo Folder

  Contains only those items added by the user.
  Drive letters for attached media can be found here.

Windows Artifacts – Temp Folder

  Documents & Settings > User Name > Local Settings > Temp
  Note, this folder is specific to the user.
  May contain evidence of application installation.

Windows Artifacts – Thumb Files

  Sort by file type – Double click on the “File Ext” column.
  Then sort by name – Press the Shift key and double click on the “Name” column.
  Click on the first file, under “File Ext” and type “db” real fast. Next, click on the first db file, under “Name” and type “thu” real fast.
  Right click on thumbs.db > View File Structure.
  Root Entry folder will contain

Windows Artifacts – Favorites Folder

  Documents & Settings > User Name > Favorites
  .url – User’s Internet Explorer & Windows Explorer favorites settings.
  Note the unique header – It can be used to locate deleted shortcuts.

Windows Artifacts – Cookies Folder

  Documents & Settings > User Name > Cookies.
  Small text files which may provide insight into sites visited by the user.
  The index.dat file contains data about each cookie.
  Use an external viewer.

Windows Artifacts – History Folder

  Documents & Settings > User Name > Local Settings > History.
  Contains all the history for 20 days – the default period.
  .IE5 folder – Contains

Windows Artifacts – Temporary Internet Files

  Documents & Settings > User Name > Local Settings > Temporary Internet Files > Content.IE5
  Internet e-mail is stored here.

Windows Artifacts – Swap File

  Pagefile.sys – Represents Windows virtual RAM.
  Search with the Unicode option enabled.

Windows Artifacts – Hibernation File

  In order for a machine to enter sleep mode the contents of RAM must be written to hiberfil.sys
  The contents reflect the last time the machine entered hibernation.

Windows Artifacts – Print Spooling

  Windows > System32 > spool > printers.
  Two files are created: shadow (SHD) and spool (SPL).
  SHD – contains username, file name, printer & print mode.
  SPL – contains print data.
  Rarely found in allocated space.
    Generally found in unallocated space, page file, hibernation file and slack
  Search String:
    \x01\x00\x00\x00..\x00.{34,34}EMF
  Right click on selected data > Bookmark Data
  EMF will generally provide positive results, while emf0 will not.
  Under Data Type, select: Picture > Picture.
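The search string above is a GREP expression over raw bytes, and each of its parts corresponds to a field of the EMF header record that begins every spooled page: record type 1, a record size whose third byte is zero, 32 bytes of bounding rectangles, and the " EMF" signature at offset 40. The example below is added to show that expression doing its work on a constructed buffer; it is not EnCase code and not from the original slides. It assumes the standard EMR_HEADER layout and builds two invented spool pages in a stand-in for unallocated space, then carves them out along with the size and record counts the header reports, which is what a picture viewer needs after the data is bookmarked.

```python
import re
import struct

# The GREP expression from the page, applied to raw bytes. It pins down the
# start of an EMF metafile: record type 1 (EMR_HEADER), a small record size,
# 32 bytes of bounds/frame rectangles, then the " EMF" signature at offset 40.
EMF_GREP = re.compile(rb"\x01\x00\x00\x00..\x00.{34,34}EMF", re.DOTALL)


def build_emf_header(width, height, total_bytes, records):
    """Constructed 88-byte EMR_HEADER record, the first record of an EMF spool page."""
    rec = struct.pack("<II", 1, 88)                                   # iType = EMR_HEADER, nSize
    rec += struct.pack("<4i", 0, 0, width - 1, height - 1)            # rclBounds (pixels)
    rec += struct.pack("<4i", 0, 0, width * 26, height * 26)          # rclFrame (0.01 mm)
    rec += b" EMF"                                                    # dSignature at offset 40
    rec += struct.pack("<IIIHH", 0x00010000, total_bytes, records, 16, 0)  # nVersion, nBytes, nRecords, nHandles, sReserved
    rec += struct.pack("<III", 0, 0, 0)                               # nDescription, offDescription, nPalEntries
    rec += struct.pack("<iiii", width, height, 320, 240)              # szlDevice, szlMillimeters
    assert len(rec) == 88
    return rec


def carve_emf(data):
    """Find every EMF header in a raw buffer (unallocated space, pagefile,
    slack) and pull the size fields the header itself reports."""
    hits = []
    for match in EMF_GREP.finditer(data):
        offset = match.start()
        n_bytes, n_records = struct.unpack_from("<II", data, offset + 48)
        hits.append({"offset": offset, "bytes": n_bytes, "records": n_records})
    return hits


def extract_emf(data, hit):
    """Return the bytes a viewer would need: from the header through nBytes,
    clamped to the buffer so a truncated spool file still yields something."""
    start = hit["offset"]
    return data[start:start + hit["bytes"]]


# Constructed "unallocated space": filler, a decoy "EMF" string that lacks the
# header (so the expression must not match it), then two spool pages.
FILLER = b"\x00" * 37 + b"Printed document EMF text decoy" + b"\xff" * 20
PAGE_ONE = build_emf_header(640, 480, 88 + 70, 6) + b"<record bytes>" * 5
PAGE_TWO = build_emf_header(1024, 768, 88 + 28, 3) + b"<record bytes>" * 2
SAMPLE = FILLER + PAGE_ONE + FILLER + PAGE_TWO

if __name__ == "__main__":
    for hit in carve_emf(SAMPLE):
        print(f"EMF at offset {hit['offset']}: {hit['bytes']} bytes, {hit['records']} records")
```

The plain word "EMF" in the filler is never reported, which is the point of anchoring the expression on the record type and rectangle bytes rather than on the signature alone; the nBytes field tells you how far the bookmark should extend from the hit.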
Windows Artifacts – Time
File Viewers

  View > File Viewers
  Right Click > File
  Select New
  Enter program name
  Enter path to

  View > File Types
  Select File Types > Home plate
  Table view > Sort by

  Right click on
  Select Installed Viewer
  Select appropriate File
