
EnCase Forensic Version 6
Quick Start Guide


Thank you for purchasing EnCase Forensic version 6. This guide provides additional information on resources, products and services to support your day-to-day operations.

Box Contents

This Quick Start/Reference Guide contains:
- Overview
- Support and Resources

EnCase Forensic package:
- EnCase Forensic software CD
- EnCase Forensic User Manual
- EnCase Modules Manual (Corporate Deluxe version only)
- Aladdin HASP HL USB security key (dongle)
- Crossover cable
- Guidance Software lanyard

Download Latest Updates

In order to download product updates and other resources you must register your copy of EnCase with us online. You can register within EnCase under the Help menu or by visiting www.guidancesoftware.com.



Overview

Buttons explained

New: Creates a new case. The examiner must specify the case name, the examiner's name, and the export and temp folders.

Open: Opens an existing case. Browse to a .Case file and click Open.

Save: Saves the currently open case files. If a case has not been saved before, the case file must be named, then saved.

Print: Prints the currently active panel to the specified printer. Any panel can be printed, from the Cases panel to the Timeline panel and more.

Add Device: Adds either a device (to be previewed) or an evidence file of previously acquired media. Cases can hold both live devices and evidence files.

Search: Searches for Keywords, Internet History, and Email, and performs File Signature and Hash Analysis.


Right Pane Panels Explained

Table: The Table panel contains all the attributes of a particular entry. The examiner can review file information by file extension, file name, last accessed time, physical size, and many other criteria. Examiners can sort by any column simply by double-clicking the column header.

Report: The Report panel reports the information it has about the current file, folder, volume, or disk selected in the right pane, such as date and time stamps and file permissions. From the Bookmark panel, the Report panel provides documentation of all evidence that the examiner has bookmarked during the investigation. The report is a compilation of all bookmarks within the case.

Gallery: The Gallery panel is a quick and easy way to view any and all images stored on the subject media. It is possible to view all images within a folder, a volume, or the entire case.

Timeline: The Timeline panel is a great resource for looking at patterns of file activity. It displays date and time stamps for file creation, last written, last accessed, and entry modified.

Disk: The Disk panel is a graphic representation of the sectors of the evidence file. For each file selected in the Table panel, the Disk panel displays where that file resides in the evidence file.

Code: Shows the code that comprises an EnScript program or filter.

Left Pane Panels explained

Cases: The Cases panel contains the currently open cases.

Entries: The Entries panel shows the devices associated with a highlighted case and the file structure in a Windows Explorer-type tree format.

Bookmarks: The Bookmarks panel contains bookmarked evidence, such as bookmarked files, bookmarked images, bookmarked text fragments, customized note bookmarks, and more. Bookmarked items can be dragged from one bookmark folder to another by the examiner.

Search Hits: Search hits generated from keyword searches are placed in the Search Hits panel. Each keyword triggers the creation of a folder of the same name under the Search Hits panel, and keyword hits are then placed in their corresponding folder.

Records: From this panel, the user can view the results of Internet History and Email searches (browser cache, history, email and attachments). Use Gallery to view images from the browser cache.

Devices: The Devices panel displays information regarding the devices in a case: acquisition notes, the examiner's name, the acquisition and verification hash values, and more.

Secure Storage: This panel allows the user to extract username and password information from encrypted files when the EnCase EDS module is used.

Keywords: Keywords allow the examiner to search a single case or all open cases with words, phrases and even hex strings. Keywords can be entered as case-sensitive, UTF7, UTF8, and more. A separate Keywords panel opens for each case so that the user can isolate keyword lists to certain cases.

Archive Files: This panel is used for archiving evidence files to CDs or DVDs.

Encryption Keys: This panel is used to create, view, and modify encryption keys.

EnScript Types: The EnScript Types panel is a reference resource for coding EnScript programs, containing a complete list of all EnScript program types.

EnScript: This panel is where EnScript programs can be reviewed, added, edited, and deleted. EnScript programs are small programs or macros that are designed to automate forensic procedures. They can access and manipulate almost all areas of the EnCase Forensic interface, from searching to creating bookmarks to putting information in the report.

File Signatures: File signatures are the unique hex header signatures associated with file types. For example, an industry-standard JPEG image has the hex header signature \xFF\xD8\xFF[\xFE\xE0]\x00. From this panel, file signatures can be added, edited and deleted.

File Types: File types are used to categorize file extensions in order to provide easy identification or grouping of files in EnCase Forensic; a great many extensions are already categorized in this panel.

File Viewers: File viewers are associations that EnCase uses between file types and applications to open files outside of EnCase. For example, EnCase cannot natively view AVI files (video), so an examiner would set up an association between a viewer, such as Windows Media Player, and the AVI file type.

Hash Sets: Hash sets are a collection of hash values of files that belong to the same application. For example, if the C:\Windows folder is hashed on a clean system, the resulting collection of hash values could be labeled "Windows Hash Set". From this panel, hash sets can be added, edited and deleted.

Text Styles: Text Styles are used to change the way text is displayed and are helpful in viewing non-English languages. EnCase Forensic ships with several default text styles, but more can be added.
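Keyword searching as the Keywords and Search Hits panels describe it above, as an added Python example (this is not Guidance Software code or EnScript, and the Keyword options, SAMPLE_MEDIA and the chosen encodings are constructed for the illustration): each keyword carries its own case-sensitivity and encoding settings or is given as a raw hex string, the search runs over raw bytes rather than parsed files, and hits are filed under a folder named after the keyword.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example, not Guidance Software code. Models the Keywords panel options:
# a keyword is searched in every encoding selected for it, or as raw hex bytes.


@dataclass
class Keyword:
    text: str                      # search term, or hex digits when is_hex=True
    case_sensitive: bool = True
    encodings: tuple = ("ascii",)  # any of "ascii", "utf-8", "utf-16-le", "utf-7"
    is_hex: bool = False


def _ascii_case_insensitive(term: str) -> bytes:
    """Build a byte pattern such as [pP][aA][sS]... for case-insensitive ASCII matching."""
    parts = []
    for ch in term:
        if ch.isalpha():
            parts.append(b"[" + re.escape(ch.lower().encode("ascii"))
                         + re.escape(ch.upper().encode("ascii")) + b"]")
        else:
            parts.append(re.escape(ch.encode("ascii")))
    return b"".join(parts)


def compile_keyword(kw: Keyword) -> re.Pattern:
    """One byte regex per keyword; the alternatives cover every requested encoding."""
    if kw.is_hex:
        return re.compile(re.escape(bytes.fromhex(kw.text)))
    alternatives = []
    for enc in kw.encodings:
        if enc == "ascii" and not kw.case_sensitive:
            alternatives.append(_ascii_case_insensitive(kw.text))
        else:
            # UTF-16LE catches strings as Windows stores them; UTF-7/UTF-8 catch
            # non-ASCII terms that a plain ASCII search would miss.
            alternatives.append(re.escape(kw.text.encode(enc)))
    return re.compile(b"|".join(alternatives))


def search(media: bytes, keywords: list[Keyword]) -> dict[str, list[tuple[int, int]]]:
    """Return {keyword text: [(byte offset, match length), ...]}, one folder per keyword."""
    hits: dict[str, list[tuple[int, int]]] = {}
    for kw in keywords:
        pattern = compile_keyword(kw)
        hits[kw.text] = [(m.start(), m.end() - m.start()) for m in pattern.finditer(media)]
    return hits


# Constructed sample media: a few strings in different encodings separated by
# zero-filled space, standing in for sectors of a subject drive.
SAMPLE_MEDIA = (
    b"\x00" * 16
    + b"Login PASSWORD=hunter2\r\n"       # ASCII, upper case
    + b"\x00" * 8
    + "invoice.xls".encode("utf-16-le")   # UTF-16LE, as many Windows artifacts are stored
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0\x00\x10JFIF"     # JPEG header lying in unallocated space
    + b"\x00" * 8
    + "caf\u00e9".encode("utf-8")         # non-ASCII term in UTF-8
)

SAMPLE_KEYWORDS = [
    Keyword("password", case_sensitive=False),
    Keyword("invoice", encodings=("ascii", "utf-16-le")),
    Keyword("FF D8 FF E0", is_hex=True),
    Keyword("caf\u00e9", encodings=("utf-8",)),
]


def run_example() -> dict[str, list[tuple[int, int]]]:
    return search(SAMPLE_MEDIA, SAMPLE_KEYWORDS)


if __name__ == "__main__":
    for term, found in run_example().items():
        print(f"{term!r}: {found}")
```

The "invoice" keyword produces no ASCII hit but one UTF-16LE hit, which is the usual reason a keyword list built only from ASCII terms misses evidence on Windows media; a hex keyword finds the JPEG header regardless of any text encoding.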

Lower Pane Panels explained

Text: The Text panel is for viewing text in the highlighted file above. It contains the output of the data in the selected Text Style for the currently selected file. Portions of the text can be bookmarked or exported by sweeping (clicking and dragging), right-clicking and choosing to either bookmark or export the highlighted data.

Hex: The Hex panel contains the data, in hex format, of the currently selected file. The right side displays the text of the corresponding hex characters.

Doc: The Doc panel is used to view file content as if it were being viewed through the application that created the file natively. For instance, a Microsoft Excel entry will be shown in the Doc panel with cells and values displayed.

Transcript: The Transcript panel is used to view the file content of entries while suppressing formatting and other document noise to improve searching and viewing.

Picture: The Picture panel displays the highlighted file as an image. If the file is not an image, the Picture tab is grayed out. EnCase Forensic can natively display GIF, JPG, BMP, and TIFF files.

Report: The Report panel displays the attributes of the currently selected file. The data shown is the same as in the Table panel, but displayed in a report format together with the security attributes (if NTFS).

Console: The Console panel displays output from EnScript programs that send output to the Console panel upon execution.

Output: The Output panel is used by EnScript programs to display debug information for troubleshooting code.

Codepage: The Codepage panel allows you to associate a codepage with a selected file.

Filters: The Filters panel is where the examiner can quickly and easily create and edit filters. When a filter is activated, only the files that fit the filter criteria, such as Pictures only or Files Accessed After February, 00 only, are displayed.

Queries: The Queries panel combines the functionality of filters, creating customized, powerful queries that drastically reduce the time taken to navigate files. For example, to view only log files, mail files, and all DOC, TXT, WP, and HTML files, use the Compound Filter Query to combine the separate filters into one complex query.

Navigation explained

All Files: The All Files button, the home-plate shaped trigger next to the check box with each folder, is an invaluable navigation tool for the EnCase Forensic interface. For whatever folder the All Files button is activated (green), the active view on the right (Table, Timeline, Gallery, Report or Code view) displays all files and all folders within that folder. In this way, it is possible to see the files of many folders at once, not simply one folder at a time.

Lock check box: The Lock check box is used to lock the selected view when scrolling through files. For example, if Lock is checked on the Hex view, switching to a graphic image in the Table view above will not automatically switch the lower pane to the Picture view.

Case Management

Before starting a case, it is important to create case organization guidelines. Consider how case files and evidence files will be organized on the hard drive. Most examiners have a large hard drive dedicated to evidence file storage, the Storage drive. They might put all evidence files into folders for each case they are working on. For example, an examiner working three cases might have a d:\smith folder, a d:\potter folder, and a d:\jones folder. If you organize each case into a folder named after the subject, such as d:\jones, then your Default Export folder and Temporary folder might be d:\jones\export and d:\jones\temp, respectively.

Booting a Subject computer safely:

The subject's hard drives stay unpowered for the first boot so that a wrong boot order cannot start the subject's own operating system, which would write to the disk and alter the evidence.

- Confirm the subject computer is off. Pull the power cord plug from the back of the computer if unsure.
- Open the computer and inspect the inside for unusual connections or configurations. It is not unheard of for a computer to house a disconnected hard drive.
- Disconnect the power cables to all the resident hard drives.
- Insert the EnCase Boot Disk and turn on the computer.
- Run the CMOS setup routine to ensure that the computer is set to boot from the floppy drive.
- Verify that the computer is set to boot from the floppy drive by looking at the boot order settings.
- Exit the BIOS and save changes. Allow the computer to continue to boot from the floppy.
- In certain instances the computer's floppy drive may not be functional due to dust, wear or other reasons. Confirm that a boot from the floppy is possible.
- Power off the computer and reconnect the disk drive power cables.
- Confirm the EnCase Boot Disk is still in the floppy drive, turn on the computer, and allow the computer to boot to the floppy drive.

Methods of Acquisition, Equipment Needed

Network Cable Acquisition

Equipment:
- ENBD (EnCase Network Boot Disk)
- Crossover network cable
- A supported PCI NIC or PCMCIA NIC for the Subject computer
- Subject computer and examiner's computer

Process: Install the supported NIC into the Subject PC. Attach the crossover network cable to the two computers. Boot the Subject computer with the ENBD and choose Auto. Power on the examiner's PC into Windows and launch EnCase software. Click the Add Device button and specify the Network Crossover option. The remote computer should be seen. Preview and acquire.

FastBloc2 Write-Blocking Device Acquisitions

Equipment:
- FastBloc Lab Edition or Field Edition
- The Subject media (IDE hard drive)

Process: Attach the Subject HD to the FastBloc write-blocking device and the FastBloc write-blocking device to the examiner's computer. Power up into Windows and launch EnCase Forensic. Click the Add Device button and specify the Local Drives option. Select the FastBloc write-blocking device. Preview and acquire.

Palm PDA Acquisition

Equipment:
- Subject Palm PDA and cradle
- Examiner's computer

Process: Put the Palm in Console mode. Place the Palm in its cradle. Power on the examiner's computer into Windows and launch EnCase Forensic. Click the Add Device button. Select the Palm Pilot option. The Palm will be seen. Preview and acquire.

ACQUISITION OPTIONS

1. Enter the Name of the target system, a unique Evidence Number and detailed Notes. NOTE: After the acquisition, the information entered cannot be changed, so take extreme care in what you enter.

2. By default, the Start Sector is set to 0 and the Stop Sector is set to the last sector of the target machine's hard drive. The ability to change the start and stop sector is indispensable when dealing with damaged hard drives or when you have a limited amount of storage space while acquiring a server.

3. Select the appropriate compression based on your speed concerns and desired file size.

4. For increased security, you may enter a Password. However, if you forget the password, there is no way to access the evidence files.

5. By default, EnCase Forensic splits the evidence file into 60 MB segments (File Segment Size), making it convenient to back up the evidence files to CD-R. This value may be set between  MB and 000 MB.

6. It is recommended that the Generate Image Hash checkbox be checked for all systems acquired. This generates an MD5 hash of the target system so that the integrity of the evidence can be verified later. The Read Ahead option caches blocks of data ahead of time so that they are available for commands in the process, decreasing acquisition time. The size of the block depends on the value of the Block size (Sectors) option.

7. Granularity specifies the number of sectors within a block of data containing a read error that are zeroed out, from the default value incrementally down to a single sector, so that a single bad sector does not cost the whole block. The size of the block depends on the value of the Block size (Sectors) option; the Block size determines the number of sectors over which each CRC value is generated.

8. To prevent cross-contamination, it is recommended to use a unique folder for each case with export and temp subfolders. When acquiring a device, make sure that the correct Output Path is shown in this box for storage of evidence files. An Alternate Path can be specified ahead of time in case the Output Path runs out of space during the acquisition.
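The interplay of Block size, Granularity, File Segment Size and the image hash in options 5 to 7 above, as an added Python model (not Guidance Software code and not the evidence file format itself; the SourceDevice, the sector contents, the bad sector and the scaled-down sizes are constructed for the illustration): the source is read one block at a time and each block gets a CRC, a read error causes only granularity-sized runs of sectors to be zeroed rather than the whole block, the image is cut into fixed-size segments, and one MD5 over the whole image is kept for later verification.

```python
import hashlib
import zlib

# Added example, not Guidance Software code. Models the acquisition options:
# per-block CRC, granularity-sized zeroing on read errors, segmented output
# and a whole-image MD5 for verification.

SECTOR = 512  # bytes per sector


class SourceDevice:
    """Constructed stand-in for a subject drive: sector s holds byte (s % 256)
    repeated, and any read touching a sector in bad_sectors raises IOError."""

    def __init__(self, total_sectors: int, bad_sectors=()):
        self.total_sectors = total_sectors
        self.bad = set(bad_sectors)

    def read(self, start: int, count: int) -> bytes:
        if any(s in self.bad for s in range(start, start + count)):
            raise IOError(f"read error in sectors {start}-{start + count - 1}")
        return b"".join(bytes([s % 256]) * SECTOR for s in range(start, start + count))


def acquire(dev: SourceDevice, block_size: int, granularity: int, segment_bytes: int) -> dict:
    """Read the device block by block, CRC each block, zero only granularity-sized
    runs around read errors, split the image into segments, hash the whole image."""
    image = bytearray()
    crcs = []
    zeroed = []
    for start in range(0, dev.total_sectors, block_size):
        count = min(block_size, dev.total_sectors - start)
        try:
            data = dev.read(start, count)
        except IOError:
            # Re-read the failed block in granularity-sized pieces so that only the
            # pieces that still fail are replaced with zeros, not the whole block.
            pieces = []
            for sub in range(start, start + count, granularity):
                n = min(granularity, start + count - sub)
                try:
                    pieces.append(dev.read(sub, n))
                except IOError:
                    pieces.append(b"\x00" * SECTOR * n)
                    zeroed.append((sub, n))
            data = b"".join(pieces)
        crcs.append(zlib.crc32(data))
        image += data
    segments = [bytes(image[i:i + segment_bytes]) for i in range(0, len(image), segment_bytes)]
    return {
        "segments": segments,
        "crcs": crcs,
        "block_size": block_size,
        "zeroed": zeroed,
        "md5": hashlib.md5(image).hexdigest(),
    }


def verify(result: dict) -> dict:
    """Re-check the image: the MD5 says whether anything changed at all,
    the per-block CRCs say which block(s) changed."""
    image = b"".join(result["segments"])
    blk = result["block_size"] * SECTOR
    bad_blocks = [i for i, crc in enumerate(result["crcs"])
                  if zlib.crc32(image[i * blk:(i + 1) * blk]) != crc]
    return {"md5_ok": hashlib.md5(image).hexdigest() == result["md5"],
            "bad_blocks": bad_blocks}


def acquire_example() -> dict:
    # Small numbers stand in for the real settings (64-sector blocks, 60 MB segments):
    # 200 sectors, 16-sector blocks, 4-sector granularity, 8-sector segments, sector 37 bad.
    dev = SourceDevice(total_sectors=200, bad_sectors={37})
    return acquire(dev, block_size=16, granularity=4, segment_bytes=8 * SECTOR)


if __name__ == "__main__":
    r = acquire_example()
    print("zeroed runs:", r["zeroed"], "blocks:", len(r["crcs"]),
          "segments:", len(r["segments"]), "md5:", r["md5"])
    print("verification:", verify(r))
```

With granularity 4 only sectors 36 to 39 are zeroed although the bad sector sits in a 16-sector block; a smaller granularity recovers more of a damaged drive at the cost of more retries. The whole-image MD5 alone only tells you that something changed; the per-block CRCs let you name the block, which is why both are recorded.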


Beginning Investigations

- Recover Folders: The Recover Folders command works only on FAT16 and FAT32 evidence files. It searches the unallocated clusters of the FAT partition for the dot, double-dot signature of a deleted folder. When the signature matches, EnCase Forensic can rebuild the files and folders that were within that folder, recovering potentially gigabytes of data.

- Signature Analysis: A signature analysis compares a file's extension to the file's hex header signature. File types each have their own extension and many have standardized file signatures. If the file extension does not match the file's signature, there is a good chance that the file has been renamed in an attempt to hide evidence, so one of the first tasks an examiner should run is a Signature Analysis to quickly locate possibly suspect files. A mismatch is a lead rather than proof: some applications legitimately write files under a different extension, so each hit still needs to be examined.

- Hash Analysis: By using the MD5 hash algorithm, it is possible to generate a digital fingerprint of any file. By comparing this hash value to the hash values in the hash sets of the examiner's hash library, it is possible to expeditiously categorize Known and Notable files, allowing the examiner to exclude the former and focus on the latter. A hash analysis is a crucial step early in an investigation; the more complete the examiner's hash library, the more effective the analysis. Because the hash is computed over content, renaming or changing the extension of a file does not change its hash.
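Signature Analysis and Hash Analysis as described above, and the File Signatures and Hash Sets panels described earlier, as one added Python example (not Guidance Software code; the JPEG signature is the one quoted on the page, while the other signatures, the extension lists, the sample entries and the hash sets are assumptions constructed for the illustration): the signature step classifies each entry as Match, Alias, Bad signature or Unknown from its extension and header, and the hash step looks each entry's MD5 up in Known and Notable hash sets.

```python
from __future__ import annotations
import hashlib
import re

# Added example, not Guidance Software code. Signature table in the GREP-style
# form the File Signatures panel uses; the JPEG entry is the one quoted on the
# page, the other entries are assumptions. Each type lists the extensions that
# legitimately carry it.
SIGNATURES = {
    "JPEG": (re.compile(rb"\xFF\xD8\xFF[\xFE\xE0]\x00"), {"jpg", "jpeg"}),
    "GIF":  (re.compile(rb"GIF8[79]a"), {"gif"}),
    "PNG":  (re.compile(rb"\x89PNG\r\n\x1a\n"), {"png"}),
    "PDF":  (re.compile(rb"%PDF-"), {"pdf"}),
    "ZIP":  (re.compile(rb"PK\x03\x04"), {"zip", "docx", "xlsx"}),
}


def signature_analysis(name: str, data: bytes) -> str:
    """Compare the type the extension claims with the type the header actually matches."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    header_type = next((t for t, (pat, _) in SIGNATURES.items() if pat.match(data)), None)
    ext_type = next((t for t, (_, exts) in SIGNATURES.items() if ext in exts), None)
    if header_type and header_type == ext_type:
        return "Match"
    if header_type:                 # header says one thing, extension another: a renamed file
        return f"Alias ({header_type})"
    if ext_type:                    # extension promises a signature the header does not carry
        return "Bad signature"
    return "Unknown"                # neither the extension nor the header is in the table


def build_hash_set(files: dict[str, bytes]) -> set[str]:
    """MD5 every file of a reference collection, e.g. C:\\Windows on a clean build."""
    return {hashlib.md5(data).hexdigest() for data in files.values()}


def hash_analysis(data: bytes, hash_sets: dict[str, tuple[str, set[str]]]):
    """Return (md5, category, hash set name); category is 'Known', 'Notable' or None."""
    md5 = hashlib.md5(data).hexdigest()
    for set_name, (category, hashes) in hash_sets.items():
        if md5 in hashes:
            return md5, category, set_name
    return md5, None, None


def triage(entries: dict[str, bytes], hash_sets: dict[str, tuple[str, set[str]]]) -> dict[str, dict]:
    """Run both analyses over every entry, as the Search button does in one pass."""
    results = {}
    for name, data in entries.items():
        md5, category, set_name = hash_analysis(data, hash_sets)
        results[name] = {"signature": signature_analysis(name, data),
                         "md5": md5, "category": category, "hash_set": set_name}
    return results


# Constructed sample data: a "clean system" reference set, one notable image,
# and four entries from a subject drive.
CLEAN_WINDOWS = {"kernel32.dll": b"MZ" + b"\x90" * 64, "notepad.exe": b"MZ" + b"\x00" * 64}
NOTABLE_IMAGE = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x01" * 32
HASH_SETS = {
    "Windows Hash Set": ("Known", build_hash_set(CLEAN_WINDOWS)),
    "Case Notable Images": ("Notable", build_hash_set({"evidence.jpg": NOTABLE_IMAGE})),
}
SUBJECT_ENTRIES = {
    "report.pdf": b"%PDF-1.4\n%\xE2\xE3\xCF\xD3\n",
    "notes.txt": NOTABLE_IMAGE,                       # JPEG renamed to hide it
    "photo.jpg": b"This is not a picture at all.\n",  # wrong header for the extension
    "kernel32.dll": CLEAN_WINDOWS["kernel32.dll"],    # unchanged operating-system file
}


def run_example() -> dict[str, dict]:
    return triage(SUBJECT_ENTRIES, HASH_SETS)


if __name__ == "__main__":
    for name, info in run_example().items():
        print(f"{name:14} {info['signature']:16} {info['category'] or '-':8} {info['md5']}")
```

The renamed image is caught twice: its header gives it away as an Alias, and its MD5 is found in the Notable set regardless of the name. The unchanged kernel32.dll lands in the Known set and can be excluded from review, which is where a large hash library pays off.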

EnScript Programs

Main EnScript programs are used to launch additional EnScript modules. Case Processor is used against mounted devices or evidence files. Some of the available EnScript modules included within EnCase Forensic are:

- File Finder: Recovers JPG, GIF, BMP, EMF files, etc., putting all results under the Bookmark panel within the case.
- Initialize Case: Captures critical information about an investigation and the evidence being examined, including user information, user settings, system settings, installed software and more.

Additional EnScript programs include Scan Registry, Windows Event Log Parser, Credit Card Finder, Partition Finder, HTML Parser and EDS Registry.






Support & Resources

Contact Information

Headquarters: 626-229-9191, info@guidancesoftware.com
Sales: 626-229-9191 ext. 563, sales@guidancesoftware.com
Technical Support: 626-229-9191 ext. 565, technicalsupport@guidancesoftware.com
Customer Service: 626-229-9191 ext. 564, customerservice@guidancesoftware.com
Training and Certification: 626-229-9191 ext. 566, training@guidancesoftware.com
Professional Services: 626-229-9191 ext. 210, servicesdivision@guidancesoftware.com
U.K. Technical Support: +44 (0) 175 355 2252 (option 4), Europe.support@guidancesoftware.com

Toll-free International Numbers

Germany: 0-800-181-4625
Australia: 1-800-750-639
New Zealand: 0-800-45-0523
Japan: 00-531-13-0890
Hong Kong: 800-96-4635
China: 10-800-130-0976
Asia Pacific support e-mail: asiapacsupport@guidancesoftware.com

Visit http://www.guidancesoftware.com for in-depth information and resources.

Other Resources:
- EnCase Legal Journal: http://www.guidancesoftware.com/downloads/Legal_Journal_July_06.pdf
- Guidance Software white papers: http://www.guidancesoftware.com/support/resources.asp


© 2006 Guidance Software, Inc. All Rights Reserved. Guidance Software and the Guidance Software logo are trademarks, and EnCase, EnScript and FastBloc are registered trademarks of Guidance Software, Inc. All other trademarks are the properties of their respective owners.

80-06-00060 11/06