Modules Manual
Copyright 1997-2008 Guidance Software, Inc. All rights reserved. EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe.

No part of this document may be copied or reproduced without the written permission of Guidance Software, Inc. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this material is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated manuals, product release information, contact Guidance Software, Inc. at: http://www.guidancesoftware.com. Specifications and information contained in this manual are furnished for informational use only, and are subject to change at any time without notice.
Contents

CHAPTER 1 Introduction 3
  Introduction 4
  Minimum Recommended Requirements 4
  Installing the EnCase Modules 5
  EnCase Decryption Suite Module 7
  EnCase Physical Disk Emulator Module 7
  EnCase Virtual File System Module 8
  FastBloc SE Module 9
  CD/DVD Module 9

CHAPTER 2 EnCase Decryption Suite 11
  Overview 12
  EDS Features 12
  Product Matrix 13
  Using EDS 14
  Secure Storage Tab 17
  Secure Storage Items 23
  SafeBoot Encryption Support (Disk Encryption) 23
  Utimaco SafeGuard Easy Encryption Support 26
  BitLocker Encryption Support (Volume Encryption) 32
  WinMagic SecureDoc Encryption Support 34
  GuardianEdge Hard Disk Encryption Known Limitation 37
  CREDANT Encryption Support (File Based Encryption) 37
  CREDANT Encryption Support (Offline Scenario) 41
  S/MIME Encryption Support 43
  NSF Encryption Support 49
  Lotus Notes Local Encryption Support 51
  Windows Key Architecture 56
  Dictionary Attack 56

CHAPTER 3 Physical Disk Emulator 61

CHAPTER 4 Virtual File System 75

CHAPTER 5 FastBloc SE Module 95
  What is the FastBloc SE Module? 96
  Background Information 96
  Installing the FastBloc SE Module 97
  Using the FastBloc SE Module 98
  Disk Caching 103
  Troubleshooting 103

CHAPTER 6 CD/DVD Module 107
  What is the CD/DVD Module? 108
  Burning Evidence Files During Acquisition 108
  Burning Logical Evidence Files During Acquisition 110
  Burning Files and Reports 110
  Burning Existing Evidence and Logical Evidence Files 114

Guidance Software 117
  Legal Notification 117
  Support 117
  Customer Service 122
  Message Boards 123
  Downloads 123
  Training 123
  Professional Services 123

Index 125
CHAPTER 1
Introduction
In This Chapter
Introduction
Minimum Recommended Requirements
Installing the EnCase Modules
EnCase Decryption Suite Module
EnCase Physical Disk Emulator Module
EnCase Virtual File System Module
FastBloc SE Module
CD/DVD Module
EnCase Version 6.12 Modules Manual
Introduction
Since version 4 of EnCase software, Guidance Software has provided a variety of software modules that put powerful investigative tools at the disposal of forensic investigators. These modules are add-ons to the software, and require purchasing certificates from www.guidancesoftware.com to activate them.

The following modules are available for version 6.01:
EnCase Decryption Suite (EDS)
Physical Disk Emulator (PDE)
Virtual File Server (VFS)
FastBloc Software Edition (SE)
CD/DVD Module

A brief description of the modules follows; for more information on how to configure and use each of the modules, please refer to the respective chapters of this document.
StarTech DRW150SCSIBK SCSI drive bay
Adaptec 29160 controller card
4. When you receive the cert file from Customer Service, save the cert file to C:\Program Files\EnCase6\Certs.
PDE can be used in conjunction with VMware Workstation to boot EnCase images of hard drives mounted with PDE. This also provides investigators with the capability of sharing evidence files that have been accessed remotely.

Once mounted, the read-only media is available to native applications, Windows Explorer, or any third-party Windows utility or computer forensic tool that recognizes local devices. Some of the functionality provided using additional software includes the following:
File carving utilities
Virus scan software
Spyware detectors
Trojan detectors
Steganography detectors
Word indexers
Undelete software
Encryption detection software
FastBloc SE Module
FastBloc Software Edition provides a collection of disk controller utilities such as the same safe subject media preview and acquisition in Windows to an EnCase evidence file currently available from FastBloc hardware, and wiping and restoring of drives attached to the PCI controller card. IDE, SCSI, USB and FireWire drives attached to supported PCI controller cards are write-blocked when configured as such by the module. Wiping and restoring of drives attached to the controller is also possible, with the logical restore retaining the same hash value as the original drive. The FastBloc SE module also allows access to HPA and DCO areas of a suspect drive in Windows (this functionality is not available using a hardware write blocker with the EnCase program in Windows).
CD/DVD Module
With this module the user can write entries, reports and other selected data to a CD or DVD. This includes the ability to select and burn EnCase Evidence files and Logical Evidence Files, or to write them to media at acquisition.
CHAPTER 2
EnCase Decryption Suite
Overview
EnCase Decryption Suite (EDS) enables decryption of encrypted files and folders by domain users and local users, including:
Disk and volume encryption
  Microsoft BitLocker
  GuardianEdge Encryption Anywhere
  GuardianEdge Plus
  Utimaco SafeGuard Easy
  McAfee SafeBoot
File-based encryption
  Microsoft Encrypting File System (EFS)
  CREDANT Mobile Guardian
Mounted files
  PST (Microsoft Outlook)
  S/MIME encrypted email in PST files
  NSF (Lotus Notes)
  Protected storage (ntuser.dat)
  Security hive
  Active Directory 2003 (ntds.dit)
EDS Features
Disk and Volume Encryption
When an Evidence File (.E01) or a new physical disk is added to a new case, the Master Boot Record (MBR) is checked against known signatures to determine whether the respective disk is encrypted. If the disk is encrypted, EnCase asks for user credentials (see the Product Matrix on page 13 for a table listing required credentials for supported encryption products).

If the correct credentials are entered, EnCase decrypts the disk. No password attacks are supported.

EDS supports these disk/volume encryption products:
Microsoft BitLocker
GuardianEdge Encryption Anywhere
Utimaco SafeGuard Easy
McAfee SafeBoot
Mounted Files
EnCase can review mounted files and search for encrypted data. If mounted files are encrypted, EnCase asks for user credentials (see Product Matrix on page 13 for a table listing required credentials for supported encryption products).

If the correct credentials are entered, EnCase decrypts the mounted files. These types of mounted files are supported:
PST (Microsoft Outlook)
NSF (Lotus Notes)
Protected storage (ntuser.dat)
Security hive
Active Directory 2003 (ntds.dit)
Product Matrix
The table below shows encryption products supported by EDS and credentials you need to provide in order to use them with EnCase.

Product Matrix (columns: Product, Password, User, Domain, Machine, Server, Path, Other)
Products listed: GuardianEdge Encryption Plus, GuardianEdge Encryption Anywhere, Utimaco SafeGuard Easy, McAfee SafeBoot Online, SafeBoot Offline, CREDANT Mobile Guardian Online, Mobile Guardian Offline, Microsoft BitLocker, Microsoft Encrypting File System (EFS), ZIP, Lotus Mail, S/MIME.
Values appearing in the Other column: Algorithm, Machine CREDANT ID, Shield CREDANT ID, Key, Keys, ID File, PFX.
Using EDS
Analyze EFS
This command scans a volume for data and processes it. You can also run Analyze EFS from the secure storage; in that instance, it runs consecutively on all volumes in a case.
2. The first Analyze EFS dialog displays. Click Next.
6. When you are done reviewing the EFS status, click Finish.
Note: Analyze EFS can also pop up the Syskey and Password Recovery Disk screens.
3. Click an item in the Secure Storage tree to view its contents.
Enter Items
Enter Syskey
You can enter Syskey information before running the Analyze EFS wizard, or afterwards if the wizard is already completed.
1. Right-click the root entry of Secure Storage.
2. Select Enter Items from the drop-down list, then select the Enter Syskey tab.
3. Select the location of the Syskey (for example, a file path or a floppy disk) or enter the password manually.
4. Click OK.
User Password
If you know the user's password:
1. Right-click the root entry of Secure Storage.
2. Select Enter Items from the drop-down list, then select the User Password tab.
3. Enter the password.
4. Click OK.
If the Syskey is protected and you do not know the password, an attack on the SAM file for user passwords will not be successful. This is a rare situation. Most Windows machines will not have a protected Syskey. EDS includes a dictionary attack option to get past a protected Syskey. You can obtain dictionary files from a number of sources. To access setup, right-click the root of Secure Storage and select Dictionary Attack.

During the Analyze EFS scanning of the registry, EnCase alerts you if the Syskey is password protected or has been exported to a floppy disk. In these cases, the Analyze EFS wizard prompts you to enter the Syskey password and/or insert the floppy disk containing the Syskey or browse to the Syskey file location. The Syskey file is called startkey.key, and you should examine any floppy disks collected at a scene for the presence of this file. If the Syskey file is recovered on a floppy disk, it can be copied/unerased from EnCase to the examination machine, and you can browse to the startkey.key location. This process is the same as when you use the Password Recovery Disk.
2. Select Enter Items from the drop-down list, then select the Password Recovery Disk tab.
3. Click the option button, File or Floppy, where the file is located.
4. Enter the path or browse to it, then click OK.
14. Enter the path or browse to it.
4. Click OK.
5. The .PFX cert is decrypted and stored in Secure Storage.
Associate Selected
To associate *nix users with volumes:
1. Select the Secure Storage tab.
2. Click the checkbox next to the item or items you want to associate.
3. Right-click a checked item.
4. Select Associate Selected from the drop-down list.
5. The Associate dialog displays.
6. Expand the Volumes tree and select the volumes you want to associate.
7. Click OK.
1. Use the Add Device Wizard to add the physical device.
3. Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again.
4. The next figure shows the same files as they appear encrypted.
1. Use the Add Device Wizard to add the physical device.
2. EnCase detects the device and displays a username and password dialog.
5. The Welcome dialog displays.
7. Click Next. The Remote User ID dialog displays.
8. Enter the User ID that was used to derive the challenge code, then click Next.
10. Click Next. The Remote Command dialog displays.
11. Select One time logon, then click Next.
Workarounds
There are two workarounds for this problem. The first solution:
1. Obtain both disks:
   The internal disk holding the SafeGuard Easy kernel (disk 1)
   The external, i.e., non-bootable disk (disk 2)
2. Open the kernel on disk 1. You can then access disk 2.
2. The BitLocker Credentials dialog displays.
3. Select the Recovery Password option button, then enter the recovery password.
4. Click OK.
After successful authentication, EnCase saves credentials in Secure Storage, so you do not have to re-enter them the next time you open the saved case.
Each SecureDoc user has a key file which can contain multiple keys encrypted using a password associated with the file.

SecureDoc users have either administrator or user privileges:
Administrators can encrypt/decrypt drives, reset passwords, add keys to a key file, etc.
Users can only change their passwords.

An installer is provided to place these integration DLLs in %ENCASE%\Lib\WinMagic\SecureDoc:
SDForensic.dll
SDC.dll
SDUser.dll
Note: The integration is supported on the 32-bit version of EnCase.
1. When adding a SecureDoc disk, EnCase prompts for three credentials:
a. The path to the file containing the user keys (extension .dbk)
b. The password associated with the key file
c. The path to the emergency disk folder corresponding to the physical disk under examination
The disk view shows encrypted information in the Text and Hex panes for encrypted drives. The disk view shows decrypted information in the Text and Hex panes for decrypted drives.
Note: SecureDoc 4.5 does not allow for enabling the SCSI_PASS_THROUGH; because of this, every sector's data is decrypted by SecureDoc's filter driver during a physical acquisition.
2. In the domain field, enter EA#DOMAIN as the client administrator account.
For more information, see Knowledge Base article 00002281 in the GuardianEdge Customer Support Portal (https://na4.salesforce.com/sserv/login.jsp?orgId=00D300000001ZQU).
EnCase reviews your mounted files and looks for CREDANT-encrypted data (CredDB.CEF file). If it finds this data, a logon dialog displays.
The offline dialog is similar. The Online checkbox is blank and the Machine ID and SCID fields are unavailable.
2. Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to re-enter them.
The illustration below shows results of a successful decryption:
The next illustration shows the same files as they appear unencrypted.
AdminName
AdminPwd
AdminDomain: Administrator domain (optional: required only if the CMG Server is configured to support multiple domains)
MUID: Machine ID for the target device (also known as the Unique ID or hostname)
Shield CREDANT ID (also known as DCID or Device ID)
Name of the forensic administrator
File to save the key material in
Password to encrypt output file
4. When EnCase decrypts CREDANT-encrypted files, the key information is placed in Secure Storage in EnCase, and saved with the case. You do not have to re-enter this information.
4. Select the Enter Mail Certificate tab.
Note: The only allowed certificate format is .PFX.
5. Enter the path to the PFX certificate and the password, then click OK.
S/MIME Email Certificate contents are displayed like this in Secure Storage:
View and work with content in the Records tab.
Entries view:

Records view:
1. Open the Domino Server.
2. Log in as the server administrator.
3. Click OK. The password ID list displays.
4. Click OK. The recovery password displays.
5. Click OK and define users authorized to generate recovery passwords.
2. Parse it using View File Structure, so that the private key is inserted in Secure Storage.
Encrypted Block
The example below shows an encrypted block at offset 0x22000:
The decryption algorithm uses a seed that is based on the basic seed from the header and the block offset.
Decrypted Block
Here is an example of a decrypted object map at offset 0x22000:
If the corresponding ID file cannot be parsed successfully, the Secure Storage is not populated with the data needed to parse the locally encrypted NSF; thus, the Lotus volume is empty:
Dictionary Attack
Software implementing this method normally uses a text file containing a large number of passwords and phrases. Each is tried in turn in the hope that one of the words or phrases in the file will decrypt the data involved.

A large number of dictionary files (sometimes called wordlists) are on the Internet, or you can create your own list. Creating your own list may be preferable if the person under investigation has a particular interest, such as football.

There are freeware utilities on the Internet you can use to create a dictionary from combinations of letters, numbers, and characters up to a predefined length. Free Wordlist Generator (http://www.soft82.com/download/windows/freewordlistgenerator/) is one example.

EDS can attack NT-based user account passwords and cached netlogon passwords using a dictionary attack.
Built-in Attack
Specific items do have associated passwords. If they are not automatically retrieved, you can use a trial-and-error mechanism. This may or may not succeed.
External Attack
Local users can be attacked with third-party tools. There are freeware tools, and their performance is much greater than EnCase because they can run on many computers at the same time and/or use rainbow tables. EnCase can export the local users' password hashes in the PWDUMP format that most tools read. This is done from the User List.
User List
Integrated Attack
There are three different sources for words to be tested:
Internal passwords: These are the password items in the secure storage.
Dictionary words: The dictionary is a plain text file that can be in ANSI Latin-1 or UTF-16. Every word needs to be on its own line (it can contain any character, including spaces).
Brute force: Automatically generates words from an alphabet with a length in a given range.

There are four mutators that can be applied:
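The dictionary-file rules just given (ANSI Latin-1 or UTF-16, one word per line, spaces allowed) are easy to violate when a list is assembled from several sources. The following Python loader is an added example, not code from the manual or from EDS, that applies exactly those rules to a word list read as bytes: it detects UTF-16 by BOM or by its NUL-byte pattern, decodes Latin-1 otherwise, and splits only on CR/LF so that every other byte stays part of the word; the sample entries in the demo are constructed.

```python
"""Word-list loader following the dictionary-file rules EDS documents.

Added example, not code from the EnCase manual or from Guidance Software.
EDS reads a plain text file that is either ANSI Latin-1 or UTF-16, with one
word per line; a word may contain any character, including spaces. The
functions below apply exactly those rules so a word list can be checked
before it is used, and show the two details that are easy to get wrong:
byte-order detection for UTF-16 files saved without a BOM, and Latin-1 bytes
such as 0x85 that str.splitlines() would wrongly treat as line breaks.
"""
from __future__ import annotations

import re

BOM_UTF16_LE = b"\xff\xfe"
BOM_UTF16_BE = b"\xfe\xff"

# Only CRLF, LF and CR end a word; every other character belongs to the word.
LINE_BREAK = re.compile(r"\r\n|\r|\n")


def detect_encoding(data: bytes) -> str:
    """Return the codec name to decode a word-list buffer with.

    A UTF-16 BOM decides directly ("utf-16" consumes the BOM and picks the
    byte order). Without a BOM, UTF-16 text made of mostly Latin characters
    has a NUL in every other byte: at odd offsets for little-endian, at even
    offsets for big-endian. Latin-1 text never contains NUL bytes, so a high
    share of NULs in one position is a reliable indicator. Anything else is
    read as Latin-1, which can decode any byte and therefore never fails.
    """
    if data.startswith(BOM_UTF16_LE) or data.startswith(BOM_UTF16_BE):
        return "utf-16"
    sample = data[:4096]
    pairs = len(sample) // 2
    if pairs:
        odd_nuls = sample[1::2].count(0)
        even_nuls = sample[0::2].count(0)
        if odd_nuls > pairs * 0.7:
            return "utf-16-le"
        if even_nuls > pairs * 0.7:
            return "utf-16-be"
    return "latin-1"


def load_wordlist(data: bytes) -> list[str]:
    """Split the raw bytes of a dictionary file into candidate words.

    Each line is one word. Blank lines are skipped. Spaces, including leading
    and trailing ones, are kept because EDS treats them as part of the word.
    Duplicates are kept too so that the caller can report them.
    """
    text = data.decode(detect_encoding(data))
    return [line for line in LINE_BREAK.split(text) if line != ""]


def wordlist_report(words: list[str]) -> dict[str, int]:
    """Summarise a loaded word list for a quick sanity check."""
    return {
        "total": len(words),
        "unique": len(set(words)),
        "with_spaces": sum(1 for w in words if " " in w),
        "longest": max((len(w) for w in words), default=0),
    }


if __name__ == "__main__":
    # Constructed sample: the same entries saved three ways.
    entries = "caf\xe9\r\npass word\r\n\r\nsecret\r\nsecret\r\n"
    for label, raw in (
        ("latin-1", entries.encode("latin-1")),
        ("utf-16 with BOM", entries.encode("utf-16")),
        ("utf-16-le without BOM", entries.encode("utf-16-le")),
    ):
        words = load_wordlist(raw)
        print(f"{label}: codec={detect_encoding(raw)} words={words}")
        print("  report:", wordlist_report(words))
```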
CHAPTER 3
Physical Disk Emulator
Using PDE
1. Right-click the logical or physical drive, and select Mount as Emulated Disk.
2. The Mount as Emulated Disk dialog displays.
To specify cache and CD options, click the Client Info tab.
Cache Options
If a physical device or volume (not a CD) is selected, decide whether to cache data. By default, caching is disabled. Use the write cache if programs need to access the files in an emulated read/write mode. If cache is enabled, changes made by programs are sent to a separate cache file specified on your local system.
1. To create a new write cache file (an EnCase Differential Evidence File), clear the Disable caching checkbox.
2. Select Create new cache in the Cache Type group and specify a Write cache path.
3. Select Use existing cache and ensure the existing write cache file is specified in the Write cache path field.
CD Options
If a CD is mounted, the CD Session to view option is enabled to specify which session on a multi-session CD should display in Windows. The default session is the last session on the active CD, which is the one normally seen by Windows.
1. To view a prior session, select that here.
2. Click OK to continue.
If caching is enabled when mounting evidence, this screen displays:
The purpose of the final cache is to create a compressed and merged Differential Evidence File (*.D01) containing the cached data. With the Save Emulated Disk State option selected, there are multiple cache files for the same mounted evidence session. The final cache merges all these files. If there is no need to save the final file, select Discard final cache.

Use the Differential Evidence File to open the evidence file and view the emulated disk with the cached changes applied. To apply the cached data:
1. Right-click the device.
2. Select Mount as Emulated Disk.
3. Click the Client Info tab.
4. Clear the Disable caching checkbox.
5. Select Use existing cache.
6. Browse in the Write cache path field to find the *.D01 file.

After the disk mounts, Windows Explorer reflects the cached changes. When the device is dismounted, a status screen informs whether the disk was dismounted successfully.
Third-Party Tools
Investigators with the PDE Module can use Windows Explorer to browse the structure of computer evidence. They can also utilize third-party tools capable of requesting and interpreting data from Windows Explorer to examine evidence outside the EnCase program. Guidance Software does not certify the performance or accuracy of results obtained through any tools not developed by Guidance Software.
Malware Scanning
A common use for EnCase PDE is to mount computer evidence for scanning for viruses, Trojans, and other malware programs. First, mount the drive or volume from the evidence file through PDE. In Windows Explorer, select the newly mounted drive (in this case, F:). If an antivirus program is installed and integrated with Windows Explorer, it can be used to scan for viruses. The program reads the emulated disk presented to Windows Explorer. The EnCase program serves the requested data to Windows Explorer, and then to the program for scanning.
a. Use the Windows Initialize Case module from the Case Processor EnScript program to determine the operating system.
b. Check the contents of the boot.ini file, which is located on the partition root.
c. Examine the folder structure, noting the following:
   Windows 2000, XP, and 2003 Server all use the C:\Documents and Settings folder for user profiles and folders.
   Windows NT and 2000 use the C:\WINNT folder for the system root.
   Windows 9X, XP and 2003 Server use the C:\Windows folder for the system root.
2. Mount the physical disk containing the operating system using Physical Disk Emulator. Make sure to enable caching.
3. Determine what physical disk number has been assigned to it using one of these methods:
   This information is provided when the device is mounted.
   Select the Disk Management option by right-clicking My Computer in Windows, then select Manage.
There is currently an issue with VMware that prohibits VMware from booting a virtual machine located on a physical disk that is preceded numerically by a SCSI, FireWire, or USB drive. For best results, ensure that only IDE drives are plugged into the machine when you choose to mount as an emulated disk in the EnCase interface. This is easy to verify in Disk Management. If you encounter a message stating, "The specified device is not a valid physical disk device", it is most likely as a result of this issue. Do not use PDE to mount drives in an evidence file or preview of the local computer. Windows, particularly XP, will blue screen if it detects multiple instances of the same drive. Use only evidence files of other machines.
4. Select Custom, then click Next.
5. Select the appropriate Guest Operating System radio button.
7. As an option, you can click Browse to change the location for VMware's configuration files.
8. Click Next.
9. Assign the amount of memory for VMware to use, then click Next.
11. Accept the default setting in the Select I/O Adapter Types dialog, then click Next.
If the disk file is not recognized as a virtual machine, you can change the name of the file (taking care to leave the .vmdk extension).
VMware returns to the main screen, showing the newly created virtual machine.
What do I do if I see the message "The file specified is not a virtual disk" after running the New Virtual Machine wizard?
Occasionally after completion of the New Virtual Machine wizard in VMware, an error message (The file specified is not a virtual disk.) may be encountered. This issue is with VMware, not the EnCase program. Running the New Virtual Machine Wizard again usually resolves this issue.
PDE Troubleshooting
Physical Disk Emulator is not listed under modules when accessing About EnCase from the Help menu
If you are using cert files, check to see that the PDE certificate is located in the Cert directory (typically C:\Program Files\EnCase6\Certs).
Make sure the security key is installed and working properly (check the title bar to ensure that the program is not in Acquisition mode).
If you are using cert files, check the security key ID to ensure that it is the correct one for which the certificate was issued.
A message is encountered stating that PDE cannot remove the device when attempting to dismount the device mounted
The error message may occur if Windows is accessing a file on the mounted device (e.g., the directory is opened in Windows Explorer or a file is opened in a third-party application). To resolve the issue, close all Windows applications accessing the mounted device, then click OK.
An error message is encountered stating that you need to reboot your machine, followed by a "Rejected connection" message
This issue is due to the device driver not being released properly. The only way to resolve this issue is to close all applications (including the EnCase application) and reboot the forensic machine. You should not encounter the error again when the machine is rebooted.
If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.
CHAPTER 4
Virtual File System
What is VFS?
The Virtual File System (VFS) module allows investigators to mount computer evidence as a read-only, offline network drive for examination through Windows Explorer. The value of this feature is that it allows investigators multiple examination options, including the use of third-party tools with evidence served by the EnCase program.

We are committed to the concept of providing an integrated product to our customers. Third-party tools will continue to be developed to complement the core functions and features of the EnCase program, and we encourage their creation and use. VFS allows third-party access to all computer evidence and file system formats supported by the software.

For our customers using the EnCase Forensic program, the VFS module has the added power of enabling use of third-party tools against hard drives previewed through a FastBloc device or a crossover cable, including deleted files. For customers using the EnCase Enterprise program, VFS allows use of third-party tools against live machines on the network using best practices, since the operating system is bypassed.
To mount a single drive or device in a case file or a single volume or folder on a drive, right-click the drive or device, and select Mount as Network Share:
3. Click the Client Info tab to set the volume letter to be assigned to the network share in Windows Explorer.
Compound Files
Many compound files, including Microsoft Word, Excel, Outlook Express, and Outlook files, can be mounted in the EnCase interface. To do this:
1. Right-click the file.
2. Select View File Structure. In the example below, a Microsoft Word .doc file is mounted. The device is then mounted with VFS at the device level.
3. Mount the case, drive, volume, or folder with VFS as for a single case, drive, etc. by right-clicking and selecting Mount as Network Share, as described above for single items.
4. View the mounted file as a folder in Windows Explorer, where the compound file structure can be browsed.
RAIDs
RAIDs mounted inside the EnCase program can be browsed in Windows Explorer. In the example below, a software RAID 5 comprised of three drives was mounted and then made available for browsing in Windows Explorer with VFS.
Deleted Files
The VFS module allows investigators to view deleted and overwritten files in Windows Explorer.
4. Select the All selected files radio button under From, and the Merge into one file radio button under To, then click Next.
7. Set the destination path and the name of the file to contain the slack, then click Next.
8. Click OK in the Copying files dialog that displays at the end of the copying process.
The file containing the slack from the evidence is now available for examination by third-party utilities on the local examination machine. In the example below, a file is open in WordPad.
Below is the Windows representation of a Palm volume mounted in VFS.
Windows has a limit of 264 characters in a full path and file name. This limitation may impact some examinations in Windows Explorer, especially for Unix and Linux devices. In this situation, the investigator may need to mount at the partition or folder level.
2. In the confirmation that the evidence was successfully dismounted, select any status saving options and click OK.
Several operations are then possible, including the following:
Use the thumbnail viewer in Windows Explorer to view images in the manner seen by the original user
Third-Party Tools
Using VFS, investigators can examine evidence outside the EnCase program by utilizing third party tools capable of requesting and interpreting data from Windows Explorer. However, Guidance Software does not certify the performance or accuracy of results obtained through any tools not developed by Guidance Software.
Malware Scanning
A common use for VFS is to mount computer evidence to scan for viruses, Trojans, and other malware programs:
1. Mount the evidence through VFS, either locally on the examination machine or remotely through VFS Server. You can mount the evidence at the device, volume, or folder levels as described previously. The shared hand icon indicates the level of the virtual file system mount.
2. In Windows Explorer, select the gsisvroffline network drive.
3. Use antivirus software to scan the file.
In the example below, the Scan for Viruses option from Symantec AntiVirus is run by right clicking the drive.
The examination reports and logs generated by the third party tools can then be reviewed and included in the investigator's investigative report.
Select or browse to the new program.
QuickView Plus
Another popular viewing program, QuickView Plus, can be used to view dozens of file formats without the native applications installed on the examination machine.
VFS Server
The VFS Module has a server extension so that investigators can share the mounted evidence with other investigators on the local area network/intranet through VFS. The extension enables a number of clients to mount the network share served by the VFS Server through a network connection under these conditions:
Only the machine that is running the VFS Server needs a security key inserted. A security key is not required to connect to the VFS Server and access the served data in Windows Explorer.
The client machine(s) must have the EnCase program installed to access the VFS client drivers, but can run in Acquisition mode.
The number of clients that can connect to the VFS Server depends upon the number of VFS Server connections purchased. This information is contained in the VFS Certificate or programmed into the security key.
To determine if the VFS Server is enabled and to view the number of available client connections, do the following:
6. 7. 8.
By default, the volume letter field has an asterisk in it, signifying that the next available drive letter will be used. Mounting the share locally uses one of your VFS Server connections. If you are only serving the share to remote clients, clear Mount share locally; the Volume Letter field grays out, as the share is mounted on the remote client(s).
The VFS Server mounts the share and allows connections on the assigned port. The shared hand icon appears at the VFS mount point. You can continue your examination while it is being shared. Performance depends on the size and type of the examined evidence, the processing power of the server and client machines, and the bandwidth of the network.
Troubleshooting
Virtual File System is not listed under Modules
If you are using cert files, check to see that the VFS certificate is located in the proper Certs directory (typically C:\Program Files\EnCase6\Certs).
Make sure the security key is installed and working properly (check the title bar to ensure that the software is not in Acquisition mode). You do not need to have the security key installed on a machine connecting to a remote VFS Server.
If you are using cert files, the certificate file is issued for a specific security key; check the security key ID to ensure that it is the correct one for which the certificate was issued.
CHAPTER 5
FastBloc SE Module
In This Chapter
What is the FastBloc SE Module?
Background Information
Installing the FastBloc SE Module
Using the FastBloc SE Module
Disk Caching
Troubleshooting
Background Information
HPA and DCO Configured Disks
Host Protected Area
Hard disks can be configured with a Host Protected Area (HPA). It is designed to allow vendors to store data safe from user access, diagnostics, or MS Windows backup tools. If present, the data stored in this area is inaccessible by the operating system, BIOS, or the disk itself.
Knowledge of this area and the ability to access it are important, as there is the potential for a sophisticated user to hide data in the HPA. The FastBloc SE module sees the HPA if it is present, and the content hidden there displays. Disk integrity remains intact when previewing and acquiring disks with HPAs.
Architecture
Both the HPA and the DCO are typically located at the end of the hard disk. If present, the HPA area is placed on the drive after the DCO is configured. This gives the drive three types of storage that are laid out one after another on the drive:
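The layout described above, worked through as an added example (not code from the manual or from Guidance Software): given the three sector counts an ATA drive reports, it derives the user-addressable area, the HPA and the DCO as consecutive LBA ranges, and totals the sectors an acquisition limited to the user area would miss. The sample counts are constructed; the assumption that `identify_max` comes from IDENTIFY DEVICE, `native_max` from READ NATIVE MAX ADDRESS and `dco_max` from DEVICE CONFIGURATION IDENTIFY is mine.

```python
"""HPA/DCO region layout from the three sector counts an ATA drive reports.

Added example; the manual itself shows this layout only as a figure.
Assumed sources (mine, not the manual's):
  identify_max - user-addressable sectors reported by IDENTIFY DEVICE
  native_max   - sectors reported by READ NATIVE MAX ADDRESS (HPA removed)
  dco_max      - sectors reported by DEVICE CONFIGURATION IDENTIFY (DCO removed)
"""
from dataclasses import dataclass
from typing import List

SECTOR_BYTES = 512  # assumes classic 512-byte logical sectors


@dataclass(frozen=True)
class Region:
    name: str
    first_lba: int
    last_lba: int  # inclusive

    @property
    def sectors(self) -> int:
        return self.last_lba - self.first_lba + 1

    @property
    def size_bytes(self) -> int:
        return self.sectors * SECTOR_BYTES


def disk_regions(identify_max: int, native_max: int, dco_max: int) -> List[Region]:
    """Regions laid out one after another: user area, then HPA, then DCO.

    The DCO is configured first and clips the drive's native maximum; an HPA
    is then carved out of the remaining native range, so it sits directly
    below the DCO. A region is omitted when the counts show it is absent.
    """
    if not (0 < identify_max <= native_max <= dco_max):
        raise ValueError("expected 0 < identify_max <= native_max <= dco_max")
    regions = [Region("user-addressable", 0, identify_max - 1)]
    if native_max > identify_max:
        regions.append(Region("HPA", identify_max, native_max - 1))
    if dco_max > native_max:
        regions.append(Region("DCO", native_max, dco_max - 1))
    return regions


def hidden_sectors(identify_max: int, native_max: int, dco_max: int) -> int:
    """Sectors an image limited to the OS-visible area would not contain."""
    return sum(r.sectors for r in disk_regions(identify_max, native_max, dco_max)
               if r.name != "user-addressable")


def region_table(regions: List[Region]) -> List[str]:
    """One printable row per region, with LBA range and size."""
    return [f"{r.name:<16} LBA {r.first_lba:>12}-{r.last_lba:<12} "
            f"{r.sectors:>12} sectors {r.size_bytes / 1e9:8.2f} GB"
            for r in regions]


if __name__ == "__main__":
    # Constructed sample: a nominal 250 GB drive with both features set.
    identify, native, dco = 450_000_000, 480_000_000, 488_397_168
    for row in region_table(disk_regions(identify, native, dco)):
        print(row)
    print("hidden sectors:", hidden_sectors(identify, native, dco))
```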
Install the drivers that came with the IDE controller.
Consistent with sound computer forensic practices, test the FastBloc SE module with non-evidence media to verify the write blocking capability prior to using the device with actual evidence.
2. In the list of available IDE channels, blue check the channel to write block and click OK.
3. A popup window may display saying that the software has not passed Windows LOGO testing.
4. Click Continue Anyway to replace the installed driver with the GSI driver.
5. 6. 7. Shut down the forensic machine.
5. A confirmation window displays when the device is successfully blocked.
6. Click Finish.
In Windows 2000, this tool is named Unplug or Eject Hardware; in Windows XP, Safely Remove Hardware.
2. Remove the device physically when the wizard has confirmed safe removal.
Removing Write-Block
1. Select Write block USB, FireWire, SCSI drive from the Tools dropdown menu.
2. Click Clear All in the window that opens.
3. Click Yes on the prompt to confirm the removal of all USB, FireWire, and SCSI write blocked devices.
Selecting Clear All removes write blocking and write protection on all USB, FireWire, and SCSI devices previously protected by the FastBloc SE module.
4. A confirmation window displays when write block is successfully removed.
5. Click OK to finalize write block removal.
Wiping
The FastBloc SE module allows wiping a device attached to one of the supported PCI IDE controller cards mentioned in FastBloc SE Module Specific Requirements on page 4. Wiping is done in the same manner as for drives attached directly to the motherboard. See the Using EnCase Tools chapter of the EnCase Enterprise User's Guide for instructions on wiping a drive using the EnCase interface.
Restoring
The FastBloc SE module also allows the restoration of an evidence file to a device of similar size or larger attached to one of the supported PCI IDE controller cards previously mentioned. Restore a device in the same manner as with drives attached directly to the motherboard. See the Using EnCase Tools chapter of the EnCase Enterprise User's Guide for details.
Disk Caching
When the FastBloc SE module is set to write block, the writes are actually being cached to the investigator's hard drive. This does not occur with write protect, since Windows generates an error rather than allowing the appearance of the write to take place.
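The validation test recommended earlier (test the write blocker on non-evidence media before using it on evidence), combined with the caching behaviour just described, as an added example that is not part of the manual: because a write-blocked device can accept and cache a write, a successful write call proves nothing; the only trustworthy verdict is an unchanged hash of the media after the attempt. The device path, the marker bytes and the `simulated_blocked_writer` stand-in are my assumptions, and `run_demo` uses a constructed temporary file in place of real media.

```python
"""Hash-based write-block validation for NON-evidence test media.

Added example, not from the manual. A write blocker that caches writes on the
examination machine lets the write call return success, so the verdict is
taken from the before/after hash of the media, never from the call's result.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

CHUNK = 1 << 20  # hash 1 MiB at a time


def sha256_of(path: str) -> str:
    """SHA-256 of the whole media (or file standing in for it)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def default_writer(path: str, marker: bytes) -> None:
    """Try to overwrite the first bytes in place and force it to the device."""
    with open(path, "r+b") as f:
        f.write(marker)
        f.flush()
        os.fsync(f.fileno())


def simulated_blocked_writer(path: str, marker: bytes) -> None:
    """Hypothetical blocker that refuses the write (the write-protect case)."""
    raise PermissionError("write rejected by write blocker")


@dataclass(frozen=True)
class WriteBlockResult:
    hash_before: str
    hash_after: str
    write_accepted: bool      # the OS reported success; may just be cached
    error: Optional[str]

    @property
    def blocked(self) -> bool:
        # Only an unchanged image of the media proves the block held.
        return self.hash_before == self.hash_after


def verify_write_block(path: str, marker: bytes = b"WRITE-BLOCK-TEST",
                       writer: Callable[[str, bytes], None] = default_writer
                       ) -> WriteBlockResult:
    """Hash, attempt a write, re-hash; return the evidence for the verdict."""
    before = sha256_of(path)
    accepted, error = True, None
    try:
        writer(path, marker)
    except OSError as exc:          # PermissionError is an OSError
        accepted, error = False, str(exc)
    after = sha256_of(path)
    return WriteBlockResult(before, after, accepted, error)


def run_demo() -> Tuple[WriteBlockResult, WriteBlockResult]:
    """Constructed test media: one unprotected run, one behind the stand-in."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"constructed non-evidence test media\n" * 4096)
        blocked = verify_write_block(path, writer=simulated_blocked_writer)
        unprotected = verify_write_block(path)   # real write: media changes
    finally:
        os.unlink(path)
    return unprotected, blocked


if __name__ == "__main__":
    for label, r in zip(("unprotected", "blocked"), run_demo()):
        print(f"{label:<12} write_accepted={r.write_accepted} blocked={r.blocked}")
```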
Troubleshooting
The Write Block option does not appear in the Tools menu
Make sure the module was installed as described in Installing the EnCase Modules on page 5. Select About EnCase from the Help menu to verify that the FastBloc SE module is listed in the window.
Check that the security key is in the machine. If the security key is out, or not functioning properly, the EnCase program will be in Acquisition mode.
If you are using cert files, the cert file may be tied to a different security key. Consult an administrator to determine the associated security key and cert file.
Windows and the EnCase program do not recognize the attached device
Check all power and data connections to the device.
Check to see if the subject hard drive is spinning. If the device is connected via an external drive bay, shut down the computer and try connecting the power connector (not the data connector) to a Molex power cable directly from the computer. Restart the computer. If the drive starts spinning, shut down the computer again and swap cables.
If the subject drive does not spin, or is making unusual sounds (whirring, clicking, etc.), the drive may be defective and you may not be able to acquire it by normal methods.
If the subject drive is spinning, check the data cables. You may want to try using a 40 wire cable if you are using an 80 wire cable.
Check the USB or FireWire port to ensure proper functioning by inserting a known good device. Make sure the port is recognized in Device Manager.
Windows sees the subject drive, but the EnCase program does not
If you can see the physical drive but cannot see the contents of the drive, the EnCase interface may be in acquisition mode. This may indicate that the security key is not installed or (if you are using cert files) is not tied to the cert file. Refer to the EnCase User's Guide for instructions on how to install the security key drivers.
You may have a corrupt version of the EnCase program. If you are using cert files, make a backup of all your cert files. Download and reinstall the newest version of the EnCase software.
Be sure to select Local Devices instead of Evidence Files when you begin the preview process.
If at all possible, try to acquire on a completely different machine. This helps pinpoint the problem, as it may be a hardware or operating system conflict. If you are using cert files, be sure to use a security key tied to the cert file.
There are different hash values each time the drive is hashed
This indicates a failing drive. Because the number of sector errors increases each time, the hash values change. Since the first acquisition typically contains the least number of bad sectors, use that file for analysis.
CHAPTER 6
CD/DVD Module
In This Chapter
What is the CD/DVD Module?
Burning Evidence Files During Acquisition
Burning Logical Evidence Files During Acquisition
Burning Files and Reports
Burning Existing Evidence and Logical Evidence Files
Selecting CD Information
To select CD information, choose appropriate options from the preconfigured settings in the CD Info dialog.
Joliet: This specifies the format of the image to adhere to the Joliet standard, which allows long entry names.
UDF: This specifies the format of the image to adhere to the UDF standard, which is used primarily for DVDs.
Burn: This initiates the burn of the image to the disc once you click Finish. If the box is cleared, the Archive Folder for the image is updated, but not burned until initiated by the user in the Archive Entries tab. An ISO is also created for the user to burn at any time with any program.
Delete ISO after Burn: This deletes the created ISO image from the temporary folder set with the Path option once it is burned to media.
Publisher: This optional field allows you to specify the name of the person who burned the image to disc.
Preparer: This optional field allows you to specify the name of the person who prepared the image for burning.
Path: This field sets the path for the temporary placement of the ISO image prior to being burned.
CD Burners: Any media burner recognized by the system appears in this window. Select the media burner of your choice.
If a recognized burner is not listed, the burning option is disabled. The image produced contains the ISO 9660 format with Joliet selected by default. If Joliet or UDF formats are selected, additional trees are built for those formats. ISO 9660 allows only eight character (old DOS 8.3) names. Names longer than eight characters are truncated to the first four characters of the file name, followed by four random numbers.
Burning
When the initial acquisition is complete, the status screen displays and the burn to CD starts, indicated by a blue Burning thread displayed on the EnCase program's taskbar.
Evidence entries are burned as long as there is enough room left on the medium, based on the set segment size. If there is no room left, the disc is ejected and a prompt appears instructing you to insert another disc.
Evidence entries are verified on the removable media after they have been burned. After the entry is burned, a status window reports the results of the write and verification.
1. 2. Select Archive Files from the View dropdown menu.
Use Copy/Unerase to maintain structure based on the options set in the export menu, such as Logical File, Entire Physical File, RAM and Disk Slack, etc.
3.
4. 5. 6. 7.
3. 4. 5. 6.
7. Click OK to add the report to the disc image folder.
The newly added report is stored under the Archive Files tab and saved globally, so you can add to or delete from it at any time.
3.
3. Right click on the device and select Burn to Disc.
4. Continue as described in Selecting CD Information on page 109.
Guidance Software
Legal Notification
No part of this manual, including the products and software described in it, may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means, except documentation kept by the purchaser for backup purposes, without the express written permission of Guidance Software, Inc. (GSI).
GSI PROVIDES THIS MANUAL AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL GSI, ITS DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, LOSS OF BUSINESS, LOSS OF USE OR DATA, INTERRUPTION OF BUSINESS AND THE LIKE), EVEN IF GSI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES ARISING FROM ANY DEFECT OR ERROR IN THIS MANUAL OR PRODUCT.
CEIC, EnCase eDiscovery Suite, EnCase Enterprise, EnCase Enterprise AIRS, EnCase Forensic, EnCE, EnScript, FastBloc, Guidance Software, EnCase Neutrino, Snapshot, and WaveShield are registered trademarks or trademarks owned by GSI in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe.
Product Manuals and Documentation are specific to the software versions for which they are written. For previous or outdated manuals and product release information, contact Guidance Software at http://www.guidancesoftware.com.
Specifications and information contained in this manual are furnished for informational use only, and are subject to change at any time without notice.
Support
Guidance Software develops solutions that search, identify, recover, and deliver digital information in a forensically sound and cost effective manner. Since our founding in 1997, we have moved into network enabled investigations and enterprise wide integration with other security technologies. This section provides information on our support for you through:
Technical Support
Guidance Software provides a variety of support options, including phone, email, online submission forms, an up to date knowledge base, and a message board (technical forum). Support is available from Sunday, 7:00 PM through Friday, 6:00 PM Pacific Time (Monday, 3:00 AM to Saturday, 1:00 PM GMT). This excludes public holidays in the United States and the United Kingdom during respective business hours.
Phone/Mail Support
US Contact Info:
215 North Marengo Avenue
Suite 250
Pasadena, CA 91101
Phone: 1 626 229 9191, Option 4
Fax: 626 229 9199
UK Contact Info:
Thames Central, 5th Floor
Hatfield Road
Slough, Berkshire UK SL1 1QE
Phone: +44 (0)1753 552252, Option 4
Fax: +44 (0)1753 552232
Toll Free Numbers:
Germany: 08001814625
China: 108001300976
Australia: 1800750639
Hong Kong: 800964635
New Zealand: 0800450523
Japan: 00531130890
Online Support
Guidance Software offers a Support Portal to our registered users, providing technical forums, a knowledge base, a bug tracking database, and an Online Request form. The Portal gives you access to all support related issues in one site. This includes:
User, product, beta testing, and foreign language forums (message boards)
Knowledge Base
Bug Tracker
Technical Services Request form
Downloads of previous software versions, drivers, etc.
Other useful links
Although technical support is available by email, you will receive more thorough, quicker service when you use the online Technical Support Request Form (https://support.guidancesoftware.com/node/381). Note that all fields are mandatory, and filling them out completely reduces the amount of time it takes to resolve an issue.
If you do not have access to the Support Portal, please use the Support Portal registration form (https://support.guidancesoftware.com/forum/register.php?do=signup).
Registration
Registration requires you to choose a unique username and password. Please provide all requested information, including dongle ID, phone, email address, organization, etc. This helps us identify you as a registered owner of EnCase.
You will receive an email within 24 hours. You must follow the link in that email before you can post on the forums. Until you do that, you will not have permission to post. Once you have verified your email address, you will be added to the Registration List. Please allow 24 business hours for your account to be approved.
Once your registration is approved, you can access the Support Portal (https://support.guidancesoftware.com/). The Support Portal provides a tutorial that briefly overviews the site.
Posting to a Group
To create a new post, click the [new post] icon. Click the [reply] icon to reply to a post, or use the Quick Reply icon at the bottom of each post.
Searching
The forums contain an accumulation of over ten years of information. Use the [search] button to search for keywords, or click Advanced Search for more specific search options.
Bug Tracker
Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement requests. It is broken down by product, showing the current number of bugs/enhancements and public bugs for each product. To access the Bug Tracker, click on Bug Tracker (https://support.guidancesoftware.com/forum/project.php) in the Support Portal.
Knowledge Base
You can find answers to frequently asked questions (FAQs) and other useful product documentation in the Knowledge Base. You can also submit your own articles to help other EnCase users. To access the Knowledge Base, click on Knowledge Base (https://support.guidancesoftware.com/directory) in the Support Portal. From here, you can browse, search, and write Knowledge Base articles.
Customer Service
The Guidance Software Customer Services Department is staffed by highly trained, friendly staff capable of resolving any problem regarding your order. Hours and contact information are listed below.
Phone: 626.229.9191
Fax: 626.229.9199
Email: customerservice@guidancesoftware.com
Internet: http://www.guidancesoftware.com/support/cs_requestform.aspx
Hours: Monday through Friday 6:00 a.m. to 5:00 p.m., Pacific Time
Message Boards
The Guidance Software message boards are resources for the computer forensics community to exchange ideas, ask questions, and give answers. The message boards are an invaluable resource for the forensic investigator. Discussions range from basic acquisition techniques to in depth analysis of encrypted files and more. Thousands of experienced and skilled users are registered on the boards, reviewing posts every day and providing their expertise on all Guidance Software products. More information about the message boards, including information on how to join the message board, is located at: http://www.guidancesoftware.com/support/messageboards.asp.
Downloads
When you receive your product, register with Guidance Software to receive updates. Registration is located at the https://www.guidancesoftware.com/myaccount/registration.aspx site. If you have any trouble registering your product, contact Customer Service (see page 122). If you have any trouble downloading the updates once registered, contact Technical Support (see page 118).
Training
Guidance Software offers a variety of professional courses for the beginner, intermediate and advanced user of all its applications. In addition to providing a solid grounding in our software, we also provide our students with accepted best practices for investigation, report generation and evidence preservation. Guidance Software offers courses for law enforcement agencies, organizations concerned with forensics and incident response, and advanced topics for all users.
Professional Services
The Guidance Software Professional Services Division (PSD) combines world leading computer investigations experts with world leading forensic technology to deliver turnkey solutions to forensic investigations. Guidance Software has combined its industry leading computer investigation technology with a team of the most highly trained and capable investigators in the world to bring you complete turnkey solutions for your business. When you face investigative issues that go beyond your internal capabilities, our professional services group is able to respond either remotely or by coming on site to provide the right technology and computer investigations personnel for the job.
Internal Investigations
Theft of intellectual property
Intrusion reconstruction
Wrongful termination suit
Compliance
Sarbanes Oxley
PII risk assessment
California SB 1386
eDiscovery
Pending litigation
Responsive production
Forensic preservation
Information Security
Compromise of system integrity
Policy review
Unauthorized use
Forensic lab implementation