You are on page 1of 18

version6

E n C a s e® F o r e n s i c
Quick Start Guide 

This guide provides additional information on resources.Thank you for purchasing EnCase® Forensic version 6. B O X  C O N T . products and services to support your day-to-day operations.

guidancesoftware. E N T S  .com.q This Quick Start/Reference Guide contains: n Overview n Support and Resources EnCase Forensic q q q q q q EnCase Forensic software CD EnCase Forensic User Manual EnCase Modules Manual (Corporate Deluxe version only) Aladdin HASP HL USB security key (dongle) Crossover cable Guidance Software lanyard Download Latest Updates In order to download product updates and other resources you must register your copy of EnCase with us online. You can register within EnCase under the Help menu or by visiting www.

O V E R V  .

Browse to a . Cases can hold both “live” devices and evidence files. Open Save Print Add Device Search I E W  . Internet History. Prints the currently active panel to the specified printer. the case file must be named. Saves the currently open case files. then saved.Buttons explained ITEM New DESCRIPTION Creates a new case. Click this button to add either a device (to be previewed) or an evidence file of previously acquired media. Opens an existing case. If a case has not been saved before. The examiner must specify the case name. as well as to perform File Signature and Hash Analysis. the examiner’s name.Case file and click Open. and the export and temp folders. Click this button to search for Keywords. and Email. It is possible to print any panel from the Cases panel to the Timeline panel and more.

The Gallery panel is a quick and easy way to view any and all images stored on the subject media.  . last accessed. physical size. Shows the code that comprises an EnScript® program or filter. From the Bookmark panel. file name. Examiners can sort by any column simply by double-clicking the column header. For each file selected in the Table panel. volume. the Disk panel displays where that file resides in the evidence file. It is possible to view all images within a folder. and many other criteria. The Timeline panel displays date and time stamps for file creation. the Report panel provides documentation of all evidence that the examiner has bookmarked during the investigation. and entry modified. last accessed time.Right Pane Panels Explained ITEM Table DESCRIPTION The Table panel contains all the attributes of a particular entry. The Report panel reports the information it has about the current file. last written. Report Gallery Timeline Disk Code Left Pane Panels explained ITEM Cases Entries DESCRIPTION The Cases panel contains the currently open cases. or the entire case. or disk selected in the right pane. The Timeline panel is a great resource for looking at patterns of file activity. such as date and time stamps and file permissions. The examiner can review file information by file extension. The Entries panel shows the devices associated with a highlighted case and the file structure in Windows® Explorer-type tree format. folder. The Disk panel is a graphic representation of the sectors of the evidence file. a volume. The report is a compilation of all bookmarks within the case.

such as bookmarked files. the user can view the results of Internet History and Email searches (browser cache. email and attachments). Keywords allow the examiner to search a single case or all open cases with words. Keywords can be entered as case-sensitive. view. and modify encryption keys. phrases and even hex strings. Keyword hits are then placed in their corresponding folder. and more. the examiner’s name. Bookmarked items can be dragged from one bookmark folder to another by the examiner. Search hits generated from keyword searches are placed in the Search Hits panel. history. UTF7. Use Gallery to view images from Browser Cache. the acquisition and verification hash values. and more. Search Hits Records Devices Secure Storage Keywords Archive Files Encryption Keys  . bookmarked images. A separate Keywords panel opens for each case so that the user can isolate keyword lists to certain cases. UTF8. This panel is used for Archiving evidence files to CDs or DVDs.Bookmarks The Bookmarks panel contains bookmarked evidence. bookmarked text fragments. Each keyword triggers the creation of a folder of the same name under the Search Hits panel. From this panel. and more. customized “note” bookmarks. The Devices panel displays devices information regarding the devices in a case: acquisition notes. This panel allows the user to extract username and password information from encrypted files when the EnCase EDS module is used. This panel is used to create.

File types are used to categorize file extensions in order to provide easy identification or grouping of files in EnCase Forensic. Hash sets are a collection of hash values of files that belong to the same application. Text Styles are used to change the way text is displayed and is helpful in viewing non-English languages. a great deal of extensions are already categorized in this panel. edited and deleted. and the AVI file type. file signatures can be added. EnScript programs can access and manipulate almost all areas of the the EnCase Forensic interface. File viewers are associations that EnCase uses between file types and applications to open files outside of EnCase. edited. EnScript programs are small programs or macros that are designed to automate forensic procedures. if the C:\Windows folder is hashed on a “clean” system. For example. EnCase cannot natively view AVI files (video). This panel is where EnScript programs can be reviewed. but more can be added. containing a complete list of all EnScript program types. File Signatures File Types File Viewers Hash Sets Text Styles 6 .EnScript® Types EnScript® The EnScript Types panel is a reference resource for coding EnScript programs. EnCase Forensic ships with several default text styles. File signatures are the unique hex header signature associated with file types. For example. From this panel. edited and deleted. Thus an examiner would set up an association between a “viewer. From this panel.” such as Windows Media Player. added. from searching to creating bookmarks to putting information in the report. For example. and deleted. the resulting collection of hash values could be labeled “Windows Hash Set”. Hash Sets can be added. an industrystandard JPEG image has the hex header signature of \xFF\xD8\xFF[\xFE\xE0]\x00.

in hex format. JPG. and TIFF files. The Output panel is used to by EnScript programs to display debug information for troubleshooting code. The Hex panel contains the data. Portions of the text can be bookmarked or exported by “sweeping” (clicking and dragging). EnCase Forensic can natively display GIF. The Console panel displays output from EnScript programs that send output to the Console panel upon execution. then the Picture tab will be grayed-out. BMP. For instance. a Microsoft Excel entry will be shown in the Doc panel with cells and values displayed. The Transcript panel is used to view file content of entries while suppressing formatting and other document noise to improve searching and viewing capabilities. The Doc panel is used to view file content as if it was being viewed through the application that created the file natively. for the currently selected file. Hex Doc Transcript Picture Report Console Output Codepage 7 .Lower Pane Panels explained ITEM Text DESCRIPTION The Text panel is for viewing text in the highlighted file above. The Picture panel displays the highlighted file as an image. The data shown is the same data as what is the Table panel. The Codepage panel allows you to associate a codepage with a selected file. of the currently selected file. The Report panel displays the attributes of the currently selected file. The Text panel contains the output of the data in the selected Text Style. If the file is not an image. but displayed in a report format in addition to the security attributes (if NTFS). The right pane displays the text of the corresponding hex characters. right clicking and choosing to either bookmark or export the highlighted data.

Timeline. mail files. Lock-box 8 . The “Lock” check box is used to lock the selected view when scrolling through files. For whatever folder the “All Files” button is activated (green). if the “Lock” is checked on the Hex view. For example. In this way. powerful queries that drastically reduce the time taken to navigate files. Report or Code view). in the active view on the right (Table. 00 only” are displayed. and all DOC. The Queries panel combines the functionality of filters together.Filters The Filters panel is where the examiner can quickly and easily create and edit filters. not simply one folder at a time. to view only log files. only the files that fit the filter criteria. use the Compound Filter Query to combine the separate filters into one complex query. For example. such as “Pictures only” or “Files Accessed After February. creating customized. Gallery. WP. and HTML files. it is possible to see files of many folders at once. When a filter is activated. is an invaluable navigation tool for the EnCase Forensic interface. Queries Navigation explained ITEM “All Files” DESCRIPTION The “All Files” button. all files and all folders within that particular folder will be displayed. the “home-plate” shaped trigger next to the check box with each folder. switching to a graphic image in the Table view above will not automatically switch the lower-pane to the Picture view. TXT.

the “Storage” drive. Booting a Subject computer safely: n n Confirm the subject computer is off. They might put all evidence files into folders for each case they are working on. Disconnect the power cables to all the resident hard drives. For example. Confirm the EnCase Boot Disk is still in the floppy drive and turn on the computer and allow the computer to boot to the floppy drive. a d:\potter folder. if an examiner was working three cases. then your Default Export folder and Temporary folder might be d:\jones\export and d:\jones\temp. Power off the computer and reconnect the disk drive power cables. he might have a d:\smith folder. Most examiners have a large hard drive dedicated to evidence file storage. Pull the power cord plug from behind the back of the computer if unsure. and a d:\jones folder. Allow the computer to continue to boot from the floppy. Open the computer and inspect the inside for unusual connections or configurations. respectively. n n n n n n n n  .Case Management Before starting a case. Run the CMOS setup routine to ensure that the computer is set to boot from the floppy drive. Verify that the computer is set to boot from the floppy drive by looking at the boot order settings. It is not unheard of for a computer to house a disconnected hard drive. If you organize each case into a folder named after the subject. In certain instances the computer’s floppy drive may not be functional due to dust. Confirm that a boot from the floppy is possible. Exit the BIOS and save changes. Insert the EnCase Boot Disk and turn on the computer. Consider how case files and evidence files will be organized on the hard drive. wear or other reasons. it is important to create case organization guidelines. such as d:\jones.

Place Palm in cradle. Preview and acquire. ACQUISITION OPTIONS . Preview and acquire. Power up into Windows and launch EnCase Forensic. Enter the Name of the target system. . NOTE: After the acquisition. Select the FastBloc write-blocking device. Equipment Needed Network Cable Acquisition n n n n ENBD Crossover network cable A supported PCI NIC or PCMCIA NIC for the Subject computer Subject computer and examiner’s computer Process: Install the supported NIC into the Subject PC. Preview and acquire. take extreme care in what you enter. Click the Add Device button and specify the “Local Drives” option. Click the Add Device button and specify the “Network Crossover” option. The ability to change the start and stop sector is indispensable when dealing with 0 . By default. the Start Sector is set at 0 and Stop Sector is set at the last sector of the target machine’s hard drive. therefore.Methods of Acquisition. The remote computer should be seen. Power on examiner’s computer into Windows and launch EnCase Forensic. unique Evidence number and detailed Notes. you cannot change the information entered. FastBloc®2 Write-Blocking Device Acquisitions n n FastBloc® Lab Edition or Field Edition The Subject media (IDE hard drive) Process: Attach the Subject HD to the FastBloc write-blocking device and the FastBloc write-blocking device to the examiner’s computer. Attach the crossover network cable to the two computers. Power on the examiner’s PC into Windows and launch EnCase software. Click the Add Device button. The Palm will be seen. Palm PDA Acquisition n n Subject Palm PDA and cradle Examiner’s computer Process: Put Palm in “Console mode”. Select the “Palm Pilot” option. Boot the Subject computer with the ENBD and choose “Auto”.

When acquiring a device. This value may be set between  MB – 000 MB. To prevent cross-contamination. It is recommended that the Generate Image Hash checkbox be checked for all systems acquired. However. 6. making it convenient to back up the evidence files to CD-R. you may enter a Password. decreasing acquisition time.  . By default. Select the appropriate compression based on your speed concerns and desired file size. from the default of 6 sectors incrementally down to . . 8. . The Block size determines the number of sectors to use to generate a CRC value. The size of the block is dependent on the value of the Block size (Sectors) option. it is recommended to use a unique folder for each case with export and temp subfolders. The size of the block is dependent on the value of the Block size (Sectors) option. 7. The Read Ahead option caches blocks of data ahead of time so that they are available for commands in the process. if you forget the password. EnCase Forensic will split the evidence File Segment Size into 60 MB segments. . This will generate a MD hash of the target system to ensure the integrity of the evidence. make sure that the correct Output Path is shown in this box for storage of evidence files. An Alternate Path can be specified ahead of time if the Output Path runs out of space during the acquisition. Granularity specifies the number of sectors within a block of data containing a read error to be zeroed out. For increased security. there is no way to access the evidence files.damaged hard drives or when you have limited amount of storage space while acquiring a server.

Beginning Investigations n Recover Folders: The Recover Folders command works only on FAT6 and FAT evidence files. n  . therefore. File types each have their own extension and many have standardized file signatures. allowing the examiner to identify suspect files. n n EnScript® Programs Main EnScript programs are used to launch additional EnScript modules. user settings. etc. Windows Event Log Parser. is a Signature Analysis to quickly locate possibly suspect files. When the signature matches. Some of the available EnScript modules included within EnCase Forensic are: n n File Finder: Recovers JPG. Signature Analysis: A signature analysis compares a file’s extension to the file’s hex header signature.. the more effective the analysis. By comparing this hash value to hash values in hash sets in the examiner’s hash library. double-dot” signature of a deleted folder. recovering potentially gigs of data. Initialize Case: Captures critical information about an investigation and the evidence being examined. HTML Parser and EDS Registry. it is possible to expeditiously categorize “Known” and “Notable” files. EnCase Forensic can rebuild the files and folders that were within that folder. Partition Finder. A hash analysis is a crucial step early in an investigation. The more complete the examiner’s hash library. If the file extension does not match the file’s signature. Credit Card Finder. EMF files. One of the first tasks an examiner should run. GIF. BMP. Case Processor is used against mounted devices or evidence files. This command searches the unallocated clusters of the FAT partition for the “dot. putting all results under the Bookmark panel within the case. system settings. it is possible to generate a “digital fingerprint” of any file. Hash Analysis: By using the MD hash algorithm. Additional EnScript programs include Scan Registry. including user information. installed software and more. there is a good chance that that file has been tampered with in an attempt to hide evidence.

NOTES:  .

S U P P O R T  & R E S .

guidancesoftware.com for in-depth information and resources. 564 ext. Technical Support Germany Australia New Zealand Japan Hong Kong China Phone 626-229-9191 ext.pdf Guidance Software white-papers: http://www.com training@guidancesoftware.com asiapacsupport@guidancesoftware. 210 E-mail info@guidancesoftware.Contact Information Headquarters Sales Technical Support Customer Service Training and Certification Professional Services U.com option 4 0-800-181-4625 1-800-750-639 0-800-45-0523 00-531-13-0890 800-96-4635 10-800-130-0976 asiapacsupport@guidancesoftware.com servicesdivision@guidancesoftware.com +44 (0) 175 355 2252 Europe.com sales@guidancesoftware.com customerservice@guidancesoftware.com Toll-free International Numbers Visit http://www.asp O U R C E S  .guidancesoftware.K.com/downloads/Legal_Journal_July_06. Other Resources: EnCase Legal Journal: http://www.com/support/resources. 565 ext.guidancesoftware. 563 ext.support@guidancesoftware. 566 ext.com technicalsupport@guidancesoftware.com asiapacsupport@guidancesoftware.

EnScript and FastBloc are registered trademarks of Guidance Software. 6 80-06-00060 11/06 . Inc. and EnCase. All Rights Reserved. Inc. Guidance Software and the Guidance Software logo are trademarks.©2006 Guidance Software. All other trademarks are the properties of their respective owners.