
EnCase Version 6.12
Modules Manual

Copyright 1997-2008 Guidance Software, Inc. All rights reserved. EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. No part of this document may be copied or reproduced without the written permission of Guidance Software, Inc. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this material is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated manuals, product release information, contact Guidance Software, Inc. at: http://www.guidancesoftware.com. Specifications and information contained in this manual are furnished for informational use only, and are subject to change at any time without notice.

Contents

CHAPTER 1  Introduction  3
  Introduction  4
  Minimum Recommended Requirements  4
  Installing the EnCase Modules  5
  EnCase Decryption Suite Module  7
  EnCase Physical Disk Emulator Module  7
  EnCase Virtual File System Module  8
  FastBloc SE Module  9
  CD/DVD Module  9

CHAPTER 2  EnCase Decryption Suite  11
  Overview  12
  EDS Features  12
  Product Matrix  13
  Using EDS  14
  Secure Storage Tab  17
  Secure Storage Items  23
  SafeBoot Encryption Support (Disk Encryption)  23
  Utimaco SafeGuard Easy Encryption Support  26
  BitLocker Encryption Support (Volume Encryption)  32
  WinMagic SecureDoc Encryption Support  34
  GuardianEdge Hard Disk Encryption Known Limitation  37
  CREDANT Encryption Support (File Based Encryption)  37
  CREDANT Encryption Support (Offline Scenario)  41
  S/MIME Encryption Support  43
  NSF Encryption Support  49
  Lotus Notes Local Encryption Support  51
  Windows Key Architecture  56
  Dictionary Attack  56

CHAPTER 3  Physical Disk Emulator  61
  What is the Physical Disk Emulator?  62
  Using Physical Disk Emulator  62
  Third Party Tools  67
  Boot Evidence Files and Live Systems with VMware  68
  VMware/EnCase PDE FAQs  72
  PDE Troubleshooting  73

CHAPTER 4  Virtual File System  75
  What is VFS?  76
  Mounting Evidence with VFS  76
  Dismount the Network Share  84
  Accessing the Share  85
  Third Party Tools  86
  VFS Server  89
  Troubleshooting  93

CHAPTER 5  FastBloc SE Module  95
  What is the FastBloc SE Module?  96
  Background Information  96
  Installing the FastBloc SE Module  97
  Using the FastBloc SE Module  98
  Disk Caching  103
  Troubleshooting  103

CHAPTER 6  CD/DVD Module  107
  What is the CD/DVD Module?  108
  Burning Evidence Files During Acquisition  108
  Burning Logical Evidence Files During Acquisition  110
  Burning Files and Reports  110
  Burning Existing Evidence and Logical Evidence Files  114

Guidance Software  117
  Legal Notification  117
  Support  117
  Customer Service  122
  Message Boards  123
  Downloads  123
  Training  123
  Professional Services  123

Index  125

CHAPTER 1

Introduction

In This Chapter
Introduction
Minimum Recommended Requirements
Installing the EnCase Modules
EnCase Decryption Suite Module
EnCase Physical Disk Emulator Module
EnCase Virtual File System Module
FastBloc SE Module
CD/DVD Module


Introduction
Since version 4 of EnCase software, Guidance Software has provided a variety of software modules that put powerful investigative tools at the disposal of forensic investigators. These modules are add-ons to the software, and require purchasing certificates from www.guidancesoftware.com to activate them.

The following modules are available for version 6.01:
- EnCase Decryption Suite (EDS)
- Physical Disk Emulator (PDE)
- Virtual File Server (VFS)
- FastBloc Software Edition (SE)
- CD/DVD Module

A brief description of the modules follows; for more information on how to configure and use each of the modules, please refer to the respective chapters of this document.

Minimum Recommended Requirements

To ensure acceptable performance, machines using the EnCase modules should fulfill the following minimum specifications:
- Current version of the EnCase software (updates are available from the Web site at http://www.guidancesoftware.com)
- Pentium IV 1.4 GHz processor
- 1 GB of RAM
- Windows 2000, XP Professional or 2003 Server
- At least 100 MB of free hard drive space

VFS Module Specific Requirements

- At least 100 Mb/s network infrastructure for VFS

FastBloc SE Module Specific Requirements

One of the following IDE controller cards (write blocking of onboard IDE devices is not supported with the FastBloc SE module):
- Promise Ultra133 TX2
- Promise SATA150 TX2plus (only the SATA adapters are supported)
- Promise Ultra100 TX2
- SIIG UltraATA/133 PCI
- SIIG UltraATA 100 PCI RAID
- Tekram UltraATA 100 RAID

To write block SCSI ports, Guidance Software has tested and recommends the following hardware:
- StarTech DRW150SCSIBK SCSI drive bay
- Adaptec 29160 controller card


CD-DVD Module Specific Requirements

A CD/DVD burner must be installed on the forensic machine. These burners are supported:
- AOPEN
- Plextor 712A
- ASUS 0402P
- Sony RU710A
- Memorex DVD double
- Toshiba R5372 layer 16X w/USB bus
- Pioneer DVR108

Installing the EnCase Modules

In order to activate one of the EnCase modules, you must have a licensed copy of the EnCase software and purchase the appropriate modules from Guidance Software. Installing the modules is completed through one of two ways:
- Certificates programmed on the Security key
- Certificate files for your Security key

Certificates Programmed on the Security Key

If you ordered EnCase software at the same time that you ordered the modules, then your security key will be programmed with the appropriate certificates, and no other files are needed.

Certificate Files for Your Security Key

If you ordered modules after you have received your v6 security key, then you will receive certificate files that are matched with your security key. The certificate activates the module within the EnCase software by comparing the security key serial number with the ID contained in the certificate. Since a certificate can contain more than one security ID, an organization may submit the IDs for several security keys, and receive a single certificate per module for all investigators to use.

Before you order a certificate, determine the security key ID numbers as follows:
1. With a security key in place, open the EnCase program.
2. On the top menu bar, click Help and select About EnCase.
3. The security key ID (Dongle ID) is listed at the bottom of the left pane.

   This is the number that you will need to give to Customer Service when you order your modules.

4. When you receive the cert file from Customer Service, save the cert file to C:\Program Files\EnCase6\Certs

Verifying the Modules are Installed

To verify the modules that are installed, perform the following:
1. From the Help menu, select About EnCase.
2. All installed modules are listed in the right pane.


64-bit Module Limitations

When using the 64-bit version of the EnCase software, there are some important limitations to functionality:
- EDS is not supported
- PDE is not supported
- VFS is not supported
- The FastBloc SE module is supported, however only USB acquisitions are supported

If you have a 64-bit computer, you may install a 32-bit operating system and the 32-bit version of the EnCase software to remedy the limitations.

EnCase Decryption Suite Module

The EnCase Decryption Suite module allows investigators to decrypt files and folders protected by several methods:
- Microsoft Encrypting File System (EFS)
- Microsoft Outlook Password Protected PST Files
- Encrypted Windows Registry Information
- PC Guardian Encryption
- SafeBoot Encryption
- Utimaco SafeGuard Easy Encryption
- BitLocker Encryption
- WinMagic SecureDoc Encryption
- GuardianEdge Hard Disk Encryption
- CREDANT Encryption
- S/MIME Encryption
- NSF Encryption
- Lotus Notes Local Encryption

The EDS module supports locally and domain authenticated users with the Microsoft EFS. The module works with the operating systems capable of encrypting data with EFS, including Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, and Windows 2003 Server. For the Windows 2000 operating system, the EFS files and folders can be decrypted automatically if properly configured on a domain.

EnCase Physical Disk Emulator Module

The Physical Disk Emulator can mount any EnCase supported evidence as an emulated physical device. For a list of the formats supported, please see your EnCase User Manual. Any Windows supported file system can be examined in Windows as a physical device connected to the machine. If the file system is not compatible with Windows (such as ext2) the device will still appear in disk management.

PDE can be used in conjunction with VMware Workstation to boot EnCase images of hard drives mounted with PDE. This also provides investigators with the capability of sharing evidence files that have been accessed remotely.

Once mounted, the read-only media is available to native applications, Windows Explorer, or any third party Windows utility or computer forensic tool that recognizes local devices. Some of the functionality provided using additional software includes the following:
- File carving utilities
- Virus scan software
- Spyware detectors
- Trojan detectors
- Steganography detectors
- Word indexers
- Undelete software
- Encryption detection software

EnCase Virtual File System Module

The EnCase Virtual File System module allows investigators to mount computer evidence as a read-only offline network drive for examination through Windows Explorer. Most notably, this allows investigators many options in their examinations, including the use of third party tools with evidence served by the EnCase program.

VFS allows the investigator to view files in Windows Explorer that would not normally be accessed by the operating system, such as mounted, deleted and file system level artifacts.

All computer evidence and image file formats supported by the EnCase software can be mounted with VFS. For the formats supported, please see your EnCase User Manual.

Live computer forensic evidence supported by VFS includes:
- Local machine preview of removable media
- Local machine preview through the FastBloc SE module
- Local machine preview through FastBloc Classic, FE, and LE hardware blockers
- Crossover network cable preview
- Local Palm Pilot preview
- EnCase Enterprise Edition and Field Intelligence Model live network preview

The VFS Server feature allows investigators to serve the mounted virtual drive to other investigators, case agents, attorneys, etc., on the local area network for review in Windows Explorer.


FastBloc SE Module
FastBloc Software Edition provides a collection of disk controller utilities, such as the same safe subject media preview and acquisition in Windows to an EnCase evidence file currently available from FastBloc hardware, and wiping and restoring of drives attached to the PCI controller card. IDE, SCSI, USB and FireWire drives attached to supported PCI controller cards are write blocked when configured as such by the module. Wiping and restoring of drives attached to the controller is also possible, with the logical restore retaining the same hash value as the original drive. The FastBloc SE module also allows access to HPA and DCO areas of a suspect drive in Windows (this functionality is not available using a hardware write blocker with the EnCase program in Windows).

CD/DVD Module
With this module the user can write entries, reports and other selected data to a CD or DVD. This includes the ability to select and burn EnCase Evidence files and Logical Evidence Files, or to write them to media at acquisition.

CHAPTER 2

EnCase Decryption Suite

In This Chapter
Overview
EDS Features
Product Matrix
Using EDS
Secure Storage Tab
Secure Storage Items
SafeBoot Encryption Support (Disk Encryption)
Utimaco SafeGuard Easy Encryption Support
BitLocker Encryption Support (Volume Encryption)
WinMagic SecureDoc Encryption Support
GuardianEdge Hard Disk Encryption Known Limitation
CREDANT Encryption Support (File-Based Encryption)
CREDANT Encryption Support (Offline Scenario)
S/MIME Encryption Support
NSF Encryption Support
Lotus Notes Local Encryption Support
Windows Key Architecture
Dictionary Attack


Overview
EnCase Decryption Suite (EDS) enables decryption of encrypted files and folders by domain users and local users, including:

Disk and volume encryption
- Microsoft BitLocker
- GuardianEdge Encryption Anywhere
- GuardianEdge Plus
- Utimaco SafeGuard Easy
- McAfee SafeBoot

File based encryption
- Microsoft Encrypting File System (EFS)
- CREDANT Mobile Guardian

Mounted files
- PST (Microsoft Outlook)
- S/MIME encrypted email in PST files
- NSF (Lotus Notes)
- Protected storage (ntuser.dat)
- Security hive
- Active Directory 2003 (ntds.dit)

EDS Features
Disk and Volume Encryption
When an Evidence File (.E01) or a new physical disk is added to a new case, the Master Boot Record (MBR) is checked against known signatures to determine whether the respective disk is encrypted. If the disk is encrypted, EnCase asks for user credentials (see the Product Matrix on page 13 for a table listing required credentials for supported encryption products).

If the correct credentials are entered, EnCase decrypts the disk. No password attacks are supported.

EDS supports these disk/volume encryption products:
- Microsoft BitLocker
- GuardianEdge Encryption Anywhere
- Utimaco SafeGuard Easy
- McAfee SafeBoot


File Based Encryption

Encryption can be applied at the file or folder level. If files or folders are encrypted, EnCase asks for credentials (see Product Matrix on page 13 for a table listing required credentials for supported encryption products).

If the correct credentials are entered, EnCase decrypts the files or folders.

EDS supports these file based encryption products:
- Microsoft Encrypting File System (EFS)
- CREDANT Mobile Guardian

Mounted Files
EnCase can review mounted files and search for encrypted data. If mounted files are encrypted, EnCase asks for user credentials (see Product Matrix on page 13 for a table listing required credentials for supported encryption products).

If the correct credentials are entered, EnCase decrypts the mounted files. These types of mounted files are supported:
- PST (Microsoft Outlook)
- NSF (Lotus Notes)
- Protected storage (ntuser.dat)
- Security hive
- Active Directory 2003 (ntds.dit)

Product Matrix
The table below shows encryption products supported by EDS and the credentials you need to provide in order to use them with EnCase. For each product the matrix marks which of the Password, User, Domain, Machine, Server and Path credentials apply; the Other column names any product-specific item.

Product                                 | Other
----------------------------------------|-------------------
GuardianEdge Encryption Plus            |
GuardianEdge Encryption Anywhere        |
Utimaco SafeGuard Easy                  |
McAfee SafeBoot Online                  | Algorithm
McAfee SafeBoot Offline                 | Algorithm
CREDANT Mobile Guardian Online          | Machine CREDANT ID
CREDANT Mobile Guardian Offline         | Shield CREDANT ID
Microsoft BitLocker                     | Key
Microsoft Encrypting File System (EFS)  | Keys
ZIP                                     |
Lotus Mail                              | ID File
S/MIME                                  | PFX

Using EDS
Analyze EFS
This command scans a volume for data and processes it. You can also run Analyze EFS from the secure storage; in that instance, it runs consecutively on all volumes in a case.

1. Right-click the volume you want to analyze, then click Analyze EFS from the dropdown menu.
2. The first Analyze EFS dialog displays. Click Next.
3. The second Analyze EFS dialog displays with the Documents and Settings Path and Registry Path fields populated by default. For unusual system configurations, data disks, and other operating systems these values will be blank. You can modify them to point to the user profile folders and/or the registry path.
4. Click Next to begin the scan.
5. When the scan is complete, the EFS Status dialog shows statistical information on keys found and decrypted and registry passwords recovered.
6. When you are done reviewing the EFS status, click Finish.
Note: Analyze EFS can also pop up the Syskey and Password Recovery Disk screens.


EFS Files and Logical Evidence (L01) Files


To decrypt an encrypted EFS file you need the following:
1. The EnCase EDS module
2. The matching $EFS stream. This is essential, since it contains the decryption key.
3. A matching unencrypted private key. This can be the recovery agent's key or a user's key.
4. File slack might be needed if the file size is not a multiple of 16. This is because files are decrypted in 16-byte chunks.
Note: For example, a 17-byte file needs 15 bytes of slack in order to decrypt the last chunk. Otherwise, only multiples of 16 are decrypted.
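The following Go program is an added illustration of item 4 and the note above; it is not code from the manual or from Guidance Software. It models the on-disk layout of a 17-byte EFS file with AES in CBC mode standing in for the EFS file cipher (the manual does not specify the cipher), and the key, IV and file contents are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// blockSize is the 16-byte chunk the manual refers to: a block cipher only
// decrypts whole blocks, so a partial last block cannot be decrypted.
const blockSize = 16

// Constructed demo key and IV (assumption: EFS derives its own from the $EFS stream).
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
	demoIV  = []byte("fedcba9876543210")                 // 16 bytes
)

// roundUp rounds a byte count up to the next whole block.
func roundUp(n int) int { return (n + blockSize - 1) / blockSize * blockSize }

// slackNeeded returns how many bytes past logical EOF the last block
// occupies, i.e. the file slack that must be read to decrypt that block.
// For a 17-byte file this is 15, matching the manual's note.
func slackNeeded(logicalSize int) int { return roundUp(logicalSize) - logicalSize }

// encryptOnDisk models how a file lands in its cluster: the plaintext is
// encrypted in whole 16-byte blocks, so the tail of the last block (zero
// bytes here stand in for whatever followed EOF) is written past logical
// EOF, into file slack.
func encryptOnDisk(plain []byte) []byte {
	padded := make([]byte, roundUp(len(plain)))
	copy(padded, plain)
	out := make([]byte, len(padded))
	blk, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(blk, demoIV).CryptBlocks(out, padded)
	return out
}

// decryptAvailable decrypts as many whole blocks as the examiner actually
// has ciphertext for. avail is either the logical bytes alone or the
// logical bytes plus file slack; logicalSize trims the result back to the
// real file length. It returns the recovered plaintext and the number of
// logical bytes that could not be decrypted.
func decryptAvailable(avail []byte, logicalSize int) ([]byte, int) {
	whole := len(avail) / blockSize * blockSize // drop the partial block
	out := make([]byte, whole)
	if whole > 0 {
		blk, err := aes.NewCipher(demoKey)
		if err != nil {
			panic(err)
		}
		cipher.NewCBCDecrypter(blk, demoIV).CryptBlocks(out, avail[:whole])
	}
	if whole > logicalSize {
		out = out[:logicalSize]
		whole = logicalSize
	}
	return out, logicalSize - whole
}

func main() {
	plain := []byte("ABCDEFGHIJKLMNOPQ") // 17 bytes, the manual's example size
	disk := encryptOnDisk(plain)          // occupies 32 bytes in the cluster

	// Reading only the 17 logical bytes: one whole block decrypts, 1 byte is lost.
	got, missing := decryptAvailable(disk[:len(plain)], len(plain))
	fmt.Printf("logical only: %q, %d byte(s) undecrypted\n", got, missing)

	// Reading the logical bytes plus the 15 slack bytes: the whole file decrypts.
	withSlack := disk[:len(plain)+slackNeeded(len(plain))]
	got, missing = decryptAvailable(withSlack, len(plain))
	fmt.Printf("with slack:   %q, %d byte(s) undecrypted\n", got, missing)
}
```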

In EnCase version 6.11, the scenarios for logical evidence files are different from prior versions of EnCase:
1. The file is encrypted and the $EFS stream is missing from the same folder within the L01: the file cannot be decrypted.
2. The file is encrypted and the $EFS stream is in the same folder: the file can be decrypted (except for the remainder of the file, if any).
3. The file is decrypted and the $EFS stream is missing: the file remains decrypted.
4. The file is decrypted and the $EFS stream is in the same folder: the file will be decrypted twice.


Note: The workaround in case 4 is to disable EFS or delete the private key from the secure storage.

From version 6.11 on, all the scenarios above are handled gracefully, because the $EFS stream is added internally.
- If the file is encrypted, the $EFS stream is automatically stored with the file as metadata.
- If the file is decrypted, the $EFS stream is not automatically stored, as it is not needed. This does not prevent you from storing the stream by specifically saving it to the LEF.


Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.

Secure Storage Tab

To organize security data gathered using Analyze EFS, EnCase includes a Secure Storage tab which displays passwords, keys, and other items parsed from the system files and registry. Although the tab is always present in the interface, you must install the EDS module to enable most of the functionality.

Secure Storage Tab and EFS


To populate the Secure Storage tab:
1. Run Analyze EFS (see page 14).
2. Select the Secure Storage tab.
3. Click an item in the Secure Storage tree to view its contents.

Enter Items
Enter Syskey
You can enter Syskey information before running the Analyze EFS wizard, or afterwards if the wizard is already completed.
1. Right-click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the Enter Syskey tab.
3. Select the location of the Syskey (for example, a file path or a floppy disk) or enter the password manually.
4. Click OK.


User Password
If you know the user's password:
1. Right-click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the User Password tab.
3. Enter the password.
4. Click OK.

If the Syskey is protected and you do not know the password, an attack on the SAM file for user passwords will not be successful. This is a rare situation. Most Windows machines will not have a protected Syskey. EDS includes a dictionary attack option to get past a protected Syskey. You can obtain dictionary files from a number of sources. To access setup, right-click the root of Secure Storage and select Dictionary Attack.

During the Analyze EFS scanning of the registry, EnCase alerts you if the Syskey is password protected or has been exported to a floppy disk. In these cases, the Analyze EFS wizard prompts you to enter the Syskey password and/or insert the floppy disk containing the Syskey or browse to the Syskey file location. The Syskey file is called startkey.key, and you should examine any floppy disks collected at a scene for the presence of this file. If the Syskey file is recovered on a floppy disk, it can be copied/unerased from EnCase to the examination machine, and you can browse to the startkey.key location. This process is the same as when you use the Password Recovery Disk.

Password Recovery Disk


Windows XP and 2003 Server enable local users to create a recovery disk containing their encrypted password. The disk is designed to allow users to reset their password if they forget it, without losing all of their EFS encrypted files and other important security credentials. The file is called userkey.psw, and you should examine floppy diskettes recovered at the scene for the presence of this file.
1. With the floppy disk inserted, or the file copied to a hard drive, right-click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the Password Recovery Disk tab.
3. Click the option button, File or Floppy, where the file is located.
4. Enter the path or browse to it, then click OK.

Private Key File


If the logon password is unavailable, you can obtain the Domain Administrator's private key (PFX). This also works for the user's key. To export and use the key:
1. As Domain Administrator, double-click C:\Windows\system32\certmgr.msc to launch the Microsoft Management Console.
2. Locate the Certificates folder containing the Domain Administrator's certificate.
3. Right-click the certificate.
4. From the All Tasks menu, click Export.
5. In the Certificate Export Wizard, click Next.
6. Click Yes, export the private key, then click Next.
7. Accept the default for the export file format, then click Next.
8. Select a path and name the key (this assigns a .PFX extension), then click Next.
9. When prompted, note the password entered.


Note: The password cannot be left blank. It is needed when using the key.

10. Click Next. A confirmation window shows details about the export.
11. Click Finish to complete the export.
12. Right-click the root entry of Secure Storage.
13. Select Enter Items from the dropdown list, then select the Private Key File tab.
14. Enter the path or browse to it.
15. Enter the Password in the next prompt, then click OK.

A status screen confirms successful completion and the Private Key displays in the Secure Storage tab.

Enter Mail Certificate


You can enter a .PFX certificate to use for decrypting S/MIME encrypted emails found in PST files.
1. Right-click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the Enter Mail Certificate tab.
3. Enter the path to the .PFX certificate and the password.
4. Click OK.
5. The .PFX cert is decrypted and stored in Secure Storage.

Associate Selected
To associate *nix users with volumes:
1. Select the Secure Storage tab.
2. Click the checkbox next to the item or items you want to associate.
3. Right-click a checked item.
4. Select Associate Selected from the dropdown list.
5. The Associate dialog displays.
6. Expand the Volumes tree and select the volumes you want to associate.
7. Click OK.


Secure Storage Items


In the Report tab of the View pane you can see details about the currently selected item in the secure storage. The Text and Hex views show the raw data. These items have the following properties:
- Name
- Encrypted
- Type
- Subtype
- Password
- Password Type

The following items are of interest:
- Aliases: These are Security Identifiers (SIDs) that point to one or more SID entities. They have a name and a comment.
- Groups: SIDs that point to one or more SID entities. They have a name and a comment. These are defined groups such as Administrators and Guests.
- SAM Users: These are Local Users. The details are listed in the Report tab of the View pane.
- Passwords: Found and examiner-added passwords appear here.
- Net Logons: These are Local Users. The details are listed in the Report tab of the View pane.
- Nix User/Group: Unix users/groups
- Lotus: Lotus Notes
- Email Certificates: These are used for S/MIME decryption and signature verification.
- Disk Credentials: Persistent key cache for disk/volume encryption products
- Master Keys: Every user with a private key has a master key that protects it. The master key itself is encrypted with a hash of the user's Windows password.
- Private Keys: Used in the decryption of EFS files
- Internet Explorer (IE) Passwords: Passwords from IE6
- Policy Secrets: These are LSA secrets. They include the default password and passwords for services. Some of these secrets are not passwords but binary data placed there by the system and applications.
- SAM Keys/Policy Keys/Dpapi/CERT: For internal use

SafeBoot Encryption Support (Disk Encryption)


EnCase provides a way for you to view SafeBoot encrypted hard drives during an investigation. This feature is only available to a user with an EDS cert enabled.
Note: If no EDS cert is found or the integration DLLs are not properly installed, the physical device will mount, but the encrypted file structure cannot be parsed. Since SafeBoot overwrites the original MBR only for the boot disk, always preview the boot disk first and then any other disk in a multi-disk machine configuration.

1. Use the Add Device Wizard to add the physical device.
2. When prompted, select the appropriate encryption algorithm from the list, then enter a user name, server name, machine name, and password when in online mode.

   The SafeBoot encrypted drive is parsed. The offline dialog is similar. The Online checkbox is blank and only the Machine Name, Transfer Database field, and Algorithm are available.
3. Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again.

   This illustration shows results of a successful decryption. The Tree pane shows a SafeBoot folder, the Table pane contains a list of decrypted files while the Text pane shows contents of a decrypted file.
4. The next figure shows the same files as they appear encrypted.


Supported SafeBoot Encryption Algorithms


EnCase's SafeBoot decryption feature supports these encryption algorithms:
- AES256 FIPS
- AES256
- DES
- RC5 12 Rounds
- RC5 18 Rounds

Utimaco SafeGuard Easy Encryption Support


EnCase provides a way for you to view SafeGuard Easy (SGE) encrypted hard drives during an investigation. This feature is only available to a user with an EDS cert enabled.
Note: If no EDS cert is found or the integration DLLs are not properly installed, the physical device will mount, but the encrypted file structure cannot be parsed. Since SafeGuard Easy overwrites the original MBR only for the boot disk, only the boot disk can be decrypted in EnCase.

1. Use the Add Device Wizard to add the physical device.
2. EnCase detects the device and displays a username and password dialog.
3. Enter a valid username and password when in online mode.
4. Click OK.
5. Once a successful decryption is complete, save the case. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again.


Note: If the password is empty, the Challenge/Response wizard opens. For more information, see Utimaco Challenge/Response Support on page 27.

Supported Utimaco SafeGuard Easy Encryption Algorithms


EnCase's Utimaco SafeGuard Easy decryption feature supports these encryption algorithms:
- AES192
- AES256
- DES
- 3DES


Utimaco Challenge/Response Support


Utimaco has an alternate method for decrypting their data using a challenge/response code. Once the code is authenticated, EnCase returns the key and any additional data (such as encrypted sectors) necessary to decrypt the data.

1. In the SGE credentials dialog, enter a user name but leave the password blank.

2. Click OK.
3. A Challenge Response dialog displays with the challenge code in blue. Keep this dialog open while performing the next steps.

4. Log in as Administrator. On the Windows Start page, click All Programs > Utimaco SafeGuard Easy > Response Code Wizard.

5. The Welcome dialog displays.

6. Click Next to begin generating a one-time password (OTP). The Authorization Account dialog displays.

7. Click Next. The Remote User ID dialog displays.

8. Enter the User ID that was used to derive the challenge code, then click Next.

9. The Challenge Code dialog displays. Enter the challenge code generated by EnCase from step 3.

10. Click Next. The Remote Command dialog displays.

11. Select One-time logon, then click Next.

12. The Summary dialog displays with the response code in blue.

13. In the EnCase dialog from step 3, select the code length and enter the response code to enable decryption of the selected encrypted evidence.

14. Click OK.
15. In the Summary dialog from step 12, click Close to close the SafeGuard Easy Response Code Wizard, or click New to generate a new response code from a different challenge code.


Utimaco SafeGuard Easy Encryption Known Limitation


Utimaco SafeGuard Easy treats a machine with multiple hard drives as one hard drive consisting of all sectors of all physical hard drives. In contrast, EnCase examines each hard drive individually. This creates a problem:
- SafeGuard Easy overwrites only the Master Boot Record (MBR) of the boot disk
- Only the boot disk is detected as encrypted and then decrypted (given that the correct credentials are entered)

This means EnCase support for SafeGuard Easy is limited to decrypting only the boot disk, because this is the only drive detected as encrypted by examining the MBR.

Workarounds
There are two workarounds for this problem. The first solution:
1. Obtain both disks:
   - The internal disk holding the SafeGuard Easy kernel (disk 1)
   - The external, i.e., non-bootable disk (disk 2)
2. Open the kernel on disk 1. You can then access disk 2.

The second solution:
1. Obtain a SafeGuard Enterprise (SGN) kernel backup file of disk 1.
2. Restore disk 1 to an empty disk.
3. Add the non-bootable disk as disk 2. The information in the newly restored kernel gives you access to disk 2.

BitLocker Encryption Support (Volume Encryption)


Microsoft's BitLocker is available in Windows Vista Enterprise and Ultimate editions. It encrypts an entire volume using one of three modes to store the encryption key:
- Transparent operation mode (requires Trusted Platform Module [TPM])
- User Authentication mode (requires TPM)
- USB Key mode (does not require TPM)

When BitLocker is enabled, a large file is created that holds all of the unallocated (UAC) space, minus 6 Gigabytes.

Recovery Key and Recovery Password Files


The recovery key is a file with a GUID name (for example, 67FA3445-29D7-4AB5-8D0F-7F69B88D1C04.BEK).

The recovery password is a 48-digit numerical password (eight groups of six digits) saved as a plain-text (.TXT) file; it is not the AES 256 volume key itself but unlocks the key protector that holds it.

These keys are matched by Volume GUID and Key Protector GUID and are usually stored on a removable flash drive.
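A recovery password that has been copied from a .TXT file or typed from a printout can be checked before it is entered in the BitLocker Credentials dialog, because the 48-digit format carries its own check digits. The following Python is an added example and not EnCase code. It assumes the documented BitLocker layout, which this page does not spell out: eight groups of six decimal digits, each group divisible by 11, each quotient a 16-bit value, and the eight values stored little-endian as 16 bytes of recovery key material.

```python
"""Validate a BitLocker recovery password and convert it to and from the
16 bytes of key material it encodes.

Added example, not EnCase code. Assumed format (documented for BitLocker,
not stated on this page): eight groups of six decimal digits; each group
is divisible by 11; each group // 11 is a 16-bit value; the eight values,
little-endian, form 16 bytes of recovery key material.
"""
import re
import struct

GROUPS = 8
GROUP_DIGITS = 6
MAX_GROUP = 0xFFFF * 11  # 720885: largest group whose quotient fits in 16 bits


def check_digit_ok(group: str) -> bool:
    """The sixth digit of each group is a check digit: the alternating sum
    of the digits (taken from the right) must be 0 mod 11, which is the
    divisibility-by-11 test applied digit by digit."""
    digits = [int(c) for c in group]
    alt = sum(d if i % 2 == 0 else -d for i, d in enumerate(reversed(digits)))
    return alt % 11 == 0


def parse_recovery_password(text: str) -> bytes:
    """Return the 16 bytes of key material, or raise ValueError naming the
    first group that fails so a typo in the .TXT can be located."""
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} groups, got {len(groups)}")
    words = []
    for i, g in enumerate(groups, 1):
        if len(g) != GROUP_DIGITS or not (g.isascii() and g.isdigit()):
            raise ValueError(f"group {i}: must be {GROUP_DIGITS} decimal digits")
        if not check_digit_ok(g):
            raise ValueError(f"group {i}: check digit mismatch")
        n = int(g)
        if n > MAX_GROUP:
            raise ValueError(f"group {i}: value exceeds 16-bit range")
        words.append(n // 11)
    return struct.pack("<8H", *words)


def format_recovery_password(key: bytes) -> str:
    """Inverse of parse_recovery_password: 16 bytes -> 48-digit string."""
    if len(key) != 16:
        raise ValueError("key material must be 16 bytes")
    return "-".join(f"{w * 11:06d}" for w in struct.unpack("<8H", key))


def is_valid_recovery_password(text: str) -> bool:
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample key material; a real password comes from the .TXT
    # file that was saved when BitLocker was turned on.
    sample_key = bytes(range(16))
    pw = format_recovery_password(sample_key)
    print(pw)
    print(is_valid_recovery_password(pw), is_valid_recovery_password(pw[:-1] + "9"))
```

A failure reported by parse_recovery_password points at a transcription error in the password file; a password that passes but is still rejected by the dialog belongs to a different volume (the Volume GUID and Key Protector GUID match described above).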


Decrypting a BitLocker Encrypted Device Using Recovery Key


1. Add a BitLocker encrypted device into EnCase using Add Device or drag and drop.
2. The BitLocker Credentials dialog displays.
3. The Recovery Key option button is selected by default. Browse to the location of the .BEK recovery key.
4. Click OK.

Decrypting a BitLocker Encrypted Device Using Recovery Password


1. Add a BitLocker encrypted device into EnCase using Add Device or drag and drop.
2. The BitLocker Credentials dialog displays.
3. Select the Recovery Password option button, then enter the recovery password.
4. Click OK.

After successful authentication, EnCase saves the credentials in Secure Storage, so you do not have to re-enter them the next time you open the saved case.

WinMagic SecureDoc Encryption Support


You can access the hard drive of a system encrypted with SecureDoc software. EnCase supports SecureDoc version 4.5 and above.

There are three ways to add SecureDoc disks to EnCase:
- Preview the hard drive
- Use the Add Device Wizard
- Drag evidence files into EnCase


Once you preview a machine's disk or open an evidence file, the Master Boot Record (MBR) is checked against known signatures to determine whether the disk is encrypted. The SecureDoc signature is WMSD.

Each SecureDoc user has a key file which can contain multiple keys encrypted using a password associated with the file. SecureDoc users have either administrator or user privileges:
- Administrators can encrypt/decrypt drives, reset passwords, add keys to a key file, etc.
- Users can only change their passwords.

An installer is provided to place these integration DLLs in %ENCASE%\Lib\WinMagic\SecureDoc:
- SDForensic.dll
- SDC.dll
- SDUser.dll
Note: The integration is supported on the 32-bit version of EnCase.

1. When adding a SecureDoc disk, EnCase prompts for three credentials:
   a. The path to the file containing the user keys (extension .dbk)
   b. The password associated with the key file
   c. The path to the emergency disk folder corresponding to the physical disk under examination
2. Enter the credentials, then click OK.
3. If the credentials are correct, EnCase decrypts the disk and parses the file system structure.
4. When you save the case, the ranges of encrypted sectors and the original MBR are retained in the case file for previewed drives as well as evidence files.

The disk view shows encrypted information in the Text and Hex panes for encrypted drives. The disk view shows decrypted information in the Text and Hex panes for decrypted drives.

Acquiring the Device


A local acquisition at the physical device level results in acquisition of all decrypted logical volumes. An enterprise acquisition at the physical device level results in acquisition of all sectors in an encrypted state.
Note: To obtain decrypted data, perform a local acquisition on the result of the remote acquisition.

Note: SecureDoc 4.5 does not allow for enabling the SCSI_PASS_THROUGH; because of this, every sector's data is decrypted by SecureDoc's filter driver during a physical acquisition.

You can acquire either:
- All logical volumes by acquiring at the physical level
- An individual logical volume by acquiring at the logical level

The completed acquisition contains the decrypted volumes. You do not need a password to view the file structure.


GuardianEdge Hard Disk Encryption Known Limitation


With GuardianEdge Hard Disk Encryption (GEHD) version 8.6 and higher, you cannot use client administrator credentials to authenticate to a physical drive in EnCase. While adding the physical hard drive (as opposed to a logical acquisition), an authentication screen displays. If you enter the client administrator account, password, and domain, the authentication screen displays repeatedly without going to the next step. Because GEHD has domainless client administrators, you need to use a default value for the domain field:
1. Make sure you have the EnCase Decryption Suite module with PC Guardian support installed (Help > About EnCase).

2. In the domain field, enter EA#DOMAIN for the client administrator account.

For more information, see Knowledge Base article 00002281 in the GuardianEdge Customer Support Portal (https://na4.salesforce.com/sserv/login.jsp?orgId=00D300000001ZQU).

CREDANT Encryption Support (File-Based Encryption)


EnCase provides a way for you to access CREDANT encrypted data on Windows devices.
Note: You can obtain the CREDANT API installer from CREDANT Technical Support. Install it, then begin the examination.

EnCase reviews your mounted files and looks for CREDANT encrypted data (the CredDB.CEF file). If it finds this data, a logon dialog displays.

1. The dialog populates with a known user name and password, Server, Machine ID, and the Shield CREDANT ID (SCID). CREDANT files are processed and decrypted with no further interaction, given that the credentials are correct.


The offline dialog is similar. The Online check box is blank and the Machine ID and SCID fields are unavailable.

2. Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to re-enter them.

The illustration below shows the results of a successful decryption:

- The Tree pane shows a CREDANT folder
- The Table pane contains a list of decrypted files
- The Text pane shows the contents of a decrypted file

The next illustration shows the same files as they appear encrypted.


Supported CREDANT Encryption Algorithms


EnCase's CREDANT decryption feature supports these encryption algorithms:
- AES128
- AES256
- 3DES
- Rijndael128
- Rijndael256
- Blowfish

CREDANT Encryption Support (Offline Scenario)


If the machine to be investigated is not on the network with the CREDANT server, you must obtain the CREDANT keys and store them in a location accessible to the Examiner machine.

Before you begin:
- You must install the CREDANT Library Installer to run the utility with the appropriate DLLs. You can obtain the installer from CREDANT technical support.
- You must have EnCase Decryption Suite installed on the Examiner dongle that will decrypt the CREDANT encrypted data.
- You must obtain the URL for the CREDANT Mobile Guardian (CMG) Device Server.
- You must obtain an Administrator user name and password. The CREDANT administrator must have Forensic Administrator privileges, as specified in the CMG Server Web Interface for CMG v5.4 and later servers. The administrator must have Security Administrator privileges for the v5.3 server.
- You must obtain the Administrator's login domain (for CMG 6.0 and later servers only), the Machine ID for the target device (MUID), the Shield CREDANT ID (SCID), the Username that the key material is being downloaded for, and the Password to use to encrypt the output .bin file.

1. At a computer that has communication to the CREDANT Server, run the utility CEGetBundle.exe from the Windows command prompt. CEGetBundle.exe is supplied by CREDANT in the CREDANT Library Installer, which also installs the DLLs necessary for the decryption. Copy the integration DLLs and MAC file to the target device as well.

2. Supply the parameters as follows:

   CEGetBundle [-L] -X URL -a AdminName -A AdminPwd [-D AdminDomain] [-d MUID] [-s SCID] [-u Username] -o OutputFile -i OutputPwd

   -L           Legacy mode for working with pre-5.4 server installs
   URL          Device Server URL (e.g., https://xserver.credant.com:8081/xapi)
   AdminName    Administrator user name
   AdminPwd     Administrator password
   AdminDomain  Administrator domain (optional: required only if the CMG Server is configured to support multiple domains)
   MUID         Machine ID for the target device (also known as the Unique ID or hostname)
   SCID         Shield CREDANT ID (also known as DCID or Device ID)
   Username     Name of the forensic administrator
   OutputFile   File to save the key material in
   OutputPwd    Password to encrypt the output file

   Here is a command example:

   cegetbundle -L -X https://CredantServer:8081/xapi -a Administrator -A changeit -d CredantWorkstation.Credant.local -s CI7M22CU -u Administrator -o C:\CredantUserKeys.bin -i ChangeIt

3. Place the .bin file downloaded from the CREDANT server in a path accessible from the Examiner machine. Open EnCase and create a new case or open an existing one. You must have EnCase Decryption Suite installed on the Examiner machine that decrypts the CREDANT encrypted data.


Note: In legacy mode, you must execute this utility for each user targeted for investigation on the target device while specifying the same output file. The keys for each user are appended to this output file.

4. Acquire a device with CREDANT encrypted files, or load an evidence file into the case. The Enter Credentials dialog displays, prompting you for only the Username, Password, Server/Offline Server File, Machine ID, and Shield CREDANT ID (SCID) information.


Note: In Offline mode, the only information you must provide is the Password and Server/Offline Server File (full path and filename to the .bin file downloaded using the CEGetBundle.exe utility).

When EnCase decrypts CREDANT encrypted files, the key information is placed in Secure Storage in EnCase and saved with the case. You do not have to re-enter this information.

CREDANT Files and Logical Evidence (L01) Files


To decrypt a CREDANT encrypted file held in a logical evidence file you need the following:
1. The EnCase EDS module
2. The CredDb.CEF file residing in the folder. This is essential, since it contains the information needed to get to the decryption key.

In EnCase versions prior to 6.12, there are different scenarios for logical evidence files created by prior versions of EnCase:
1. The file is encrypted and the CredDB.CEF file is missing from the same folder within the L01: the file cannot be decrypted.
2. The file is encrypted and the CredDB.CEF file is in the same folder: the file can be decrypted.
3. The file is decrypted and the CredDB.CEF file is missing: the file remains decrypted.

4. The file is decrypted and the CredDB.CEF stream is in the same folder: the file will be decrypted twice.


Note: The workaround in case 4 is to cancel the CREDANT Credentials dialog or delete the CREDANT keys from the secure storage.


From version 6.12 on, all the scenarios above are handled gracefully, because the CredDB.CEF file is added internally:
- If the file is encrypted, the CredDB.CEF stream is automatically stored with the file as metadata.
- If the file is decrypted, the CredDB.CEF stream is not automatically stored, as it is not needed. This does not prevent you from storing the stream by specifically saving it to the LEF.


Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.

S/MIME Encryption Support


The EnCase S/MIME Encryption Support provides the ability to decrypt S/MIME encrypted emails found in PST files. Email sent or received with the file extensions .pst, mbox and .edb support the S/MIME PKCS#7 standard. You must have PFX (PKCS#12 standard) certificates installed prior to parsing. PST, EDB, and MBOX mail containers are supported.

To decrypt S/MIME data:
1. Open or create a case and enter Secure Storage.
2. Right-click on a folder in the left pane. A drop-down menu displays.

3. Select Enter Items. The Enter Items dialog displays.

4. Select the Enter Mail Certificate tab.
Note: The only allowed certificate format is .PFX.

5. Enter the path to the PFX certificate and the password, then click OK.

The PFX cert is decrypted and stored in Secure Storage. S/MIME decryption and signature verification happen in the background. Given the proper password, the certificate is stored in Secure Storage under the E-Mail Certificates folder. After you import the required certificates into Secure Storage, you can parse the email container files using the View File Structure feature in the Entry View.

S/MIME Email Certificate contents are displayed like this in Secure Storage:

When parsing is complete and successful, a directory list displays. In the illustration, the folder is entitled smime.p7m (S/MIME data comes as an attachment of the email). In Entries view, the text of the email is shown in the Text pane while the email's attachments appear in the Table pane.

View and work with content in the Records tab.


Troubleshooting a Failed S/MIME Decryption


If decryption fails, you can compare Entries view with Records view to try to find the error.

Entries view:

Records view:


Decrypting S/MIME Emails in an Evidence File Created in Windows Vista


You cannot decrypt S/MIME emails in an evidence file created in Windows Vista using an examiner installed on Windows XP or earlier. This is because the CryptoAPI on Vista (Crypto Next Generation, or CNG) is not yet supported on XP. So if an evidence file created in Vista contains S/MIME emails, you should perform the examination to decrypt them on a Vista machine as well, given that the proper certificates are available.

NSF Encryption Support


The Lotus Notes email client has security built into the product. Notes was the first widely adopted software product to use public key cryptography for client-server and server-server authentication and for encryption of data, and it remains the product with the largest installed base of PKI users. The EnCase Suite can decrypt encrypted NSF documents and send them to recipients within the same Domino server.

Each server user has an ID file that contains a user's:
- encrypted private key
- public key
- password information
- password recovery information

It also has an NSF file that represents the user's mailbox in 8.3 format in the default path <domino installation folder>\data\mail\<user>.nsf.

Recovering NSF Passwords


To retrieve the recovery password, you must have proper administrative rights on the Domino server.

1. Open the Domino Server.

2. Log in as the server administrator.

3. Click OK. The password ID list displays.

4. Click OK.

The recovery password displays.


5. Click OK and define the users authorized to generate recovery passwords.

Lotus Notes Local Encryption Support


EnCase can decrypt a local Lotus Notes user mailbox (NSF file suffix). The local mailbox is a replica of the corresponding encrypted mailbox on the Domino server. Each Domino server user has a corresponding NSF file representing that user's mailbox in 8.3 format. The default path is <Domino Installation Folder>\Data\Mail\<user>.nsf. The Lotus Notes client is set up to use the local mailbox. Synchronization between the local and server mailboxes occurs according to a replication schedule determined by the Domino administrator. Encryption of the local mailbox is not mandatory but it is advisable, because without encryption a person familiar with the NSF file structure could read email without needing Lotus Notes. Encryption occurs at block level.

Determining Local Mailbox Encryption


Look in the header (the first 0x400 bytes) at offset 0x282. If the byte is 0x1, the mailbox is locally encrypted.
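Both of the signature checks this chapter describes, the SecureDoc WMSD marker in the Master Boot Record (see the WinMagic SecureDoc section) and the Lotus Notes local-encryption flag at offset 0x282 of the NSF header, are simple enough to reproduce outside EnCase when triaging raw images. The following Python is an added example, not EnCase code. One assumption is not stated on the page: because no offset is given for WMSD, the string is searched for anywhere within sector 0, and a 0x55AA boot signature is additionally required so a stray match in a non-MBR sector is not reported; the partition-table decoding is included to show what an encryption product's replacement MBR still exposes.

```python
"""Header-signature checks for encryption products described in this
chapter: the SecureDoc 'WMSD' marker in sector 0 and the Lotus Notes
local-encryption flag at offset 0x282 of the NSF header.

Added example, not EnCase code. Assumption: 'WMSD' is searched for
anywhere in sector 0 (the page gives no offset) and a 0x55AA boot
signature must also be present.
"""
import struct

SECTOR_SIZE = 512
SECUREDOC_SIGNATURE = b"WMSD"
PARTITION_TABLE_OFFSET = 0x1BE
NSF_HEADER_LEN = 0x400
NSF_ENCRYPTED_FLAG_OFFSET = 0x282


def securedoc_signature_offset(sector0: bytes):
    """Offset of 'WMSD' inside a sector that carries the 0x55AA boot
    signature, or None if the sector is not a SecureDoc MBR."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xAA":
        return None
    off = sector0.find(SECUREDOC_SIGNATURE, 0, SECTOR_SIZE)
    return off if off >= 0 else None


def partition_entries(sector0: bytes):
    """Decode the four 16-byte MBR partition entries as
    (boot flag, type code, first LBA, sector count); empty entries skipped."""
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector0[start:start + 16]
        boot, ptype = entry[0], entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            entries.append((boot, ptype, lba, count))
    return entries


def nsf_locally_encrypted(header: bytes) -> bool:
    """The page's rule: byte 0x282 of the first 0x400 bytes equals 0x01."""
    if len(header) < NSF_HEADER_LEN:
        raise ValueError("need at least the first 0x400 bytes of the NSF")
    return header[NSF_ENCRYPTED_FLAG_OFFSET] == 0x01


def describe_sector0(sector0: bytes) -> str:
    off = securedoc_signature_offset(sector0)
    if off is None:
        return "no SecureDoc signature"
    parts = partition_entries(sector0)
    return f"SecureDoc signature at 0x{off:X}; {len(parts)} partition entries"


# Constructed samples (not real disk data): an MBR with the marker at
# offset 3 and one NTFS-type partition entry, and an NSF header with the
# local-encryption flag set.
def build_sample_mbr() -> bytes:
    s = bytearray(SECTOR_SIZE)
    s[3:7] = SECUREDOC_SIGNATURE
    s[PARTITION_TABLE_OFFSET] = 0x80           # active partition
    s[PARTITION_TABLE_OFFSET + 4] = 0x07       # NTFS/HPFS type code
    struct.pack_into("<II", s, PARTITION_TABLE_OFFSET + 8, 63, 2097152)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def build_sample_nsf_header() -> bytes:
    h = bytearray(NSF_HEADER_LEN)
    h[NSF_ENCRYPTED_FLAG_OFFSET] = 0x01
    return bytes(h)


if __name__ == "__main__":
    print(describe_sector0(build_sample_mbr()))
    print("NSF locally encrypted:", nsf_locally_encrypted(build_sample_nsf_header()))
```

On a real image, pass the first 512 bytes of the physical device to describe_sector0 and the first 0x400 bytes of the .nsf file to nsf_locally_encrypted; a SecureDoc hit tells you the key file, password and emergency disk folder will be needed before the file system can be parsed, and an NSF flag of 0x01 tells you the user's ID file must be parsed into Secure Storage first.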

Parsing a Locally Encrypted Mailbox


1. Obtain the corresponding ID file from the Domino server. All user ID files are backed up on the server either on disk as a file or in the Domino directory as an attachment to email.

2. Parse it using View File Structure, so that the private key is inserted in Secure Storage.

Encrypted Block
The example below shows an encrypted block at offset 0x22000:

The decryption algorithm uses a seed that is based on the basic seed from the header and the block offset.


Decrypted Block
Here is an example of a decrypted object map at offset 0x22000:


Locally Encrypted NSF Parsing Results


A successfully parsed locally encrypted NSF looks like this in Entry view:


If the corresponding ID file cannot be parsed successfully, Secure Storage is not populated with the data needed to parse the locally encrypted NSF; thus, the Lotus volume is empty:


Windows Key Architecture


Windows has an elaborate key protection mechanism. The Syskey protects the policy key, the SAM key, and others. These keys protect the users' password hashes.

From Windows 2000 on, the Master Key is protected by the user's password hash through a mechanism designed to slow down any attack. The Master Key protects the user's private key, and the user's private key protects a key within the $EFS stream that allows for decryption of the EFS encrypted file.

Dictionary Attack
Software implementing this method normally uses a text file containing a large number of passwords and phrases. Each is tried in turn in the hope that one of the words or phrases in the file will decrypt the data involved.

A large number of dictionary files (sometimes called word lists) are on the Internet, or you can create your own list. Creating your own list may be preferable if the person under investigation has a particular interest, such as football.

There are freeware utilities on the Internet you can use to create a dictionary from combinations of letters, numbers, and characters up to a predefined length. Free Wordlist Generator (http://www.soft82.com/download/windows/freewordlistgenerator/) is one example.

EDS can attack NT-based user account passwords and cached netlogon passwords using a dictionary attack.


Built-in Attack
Specific items do have associated passwords. If they are not automatically retrieved, you can use a trial-and-error mechanism. This may or may not succeed.

Items that can be Attacked


- Local users
- Network users that logged on (cached domain users)
- Syskey (password mode only)
- Master Key, if the user's SAM or domain cache can't be accessed (due to corruption, account deletion or Syskey protection). This is much slower than attacking the Local/Network Users.

External Attack
Local users can be attacked with third-party tools. There are freeware tools, and their performance is much greater than EnCase because they can run on many computers at the same time and/or use rainbow tables. EnCase can export the local users' password hashes in the PWDUMP format that most tools read (one colon-separated line per account carrying the user name, RID, LM hash and NT hash). This is done from the User List.


User List

The User List of Secure Storage shows Local Users, Domain Users, Nix Users, and/or Nix Groups from the local machine or evidence file. Information such as:
- last logon date
- user SID
- NT hash
- LanManager hash
is also associated with each account.

Integrated Attack
There are three different sources for words to be tested:
- Internal passwords: These are the password items in Secure Storage
- Dictionary words: The dictionary is a plain text file that can be in ANSI Latin-1 or UTF-16. Every word needs to be on its own line (it can contain any character, including spaces).
- Brute force: Automatically generates words from an alphabet with a length in a given range

There are four mutators that can be applied:
- Toggle Case: Tries all the upper/lower case variations
- Append Digits
- Prepend Digits
- Combine Words: The words are combined with each other. For example, if the dictionary contains the words old and dog, the result is these four words: old, dog, olddog, dogold

Brute Force Attack


A brute force attack works by trying to identify a password or passphrase by testing all possible combinations of the characters of an alphabet. This alphabet is in the text file pointed to by the alphabet path. This is a plain text file that can be in ANSI Latin-1 or UTF-16, where the first line holds all the characters to use. This can generate massive amounts of words to test. An example of an alphabet file's first line is abcdefghijklmnopqrstuvwxyz01234567890().

Depending on the settings, a dictionary attack can test thousands of passwords contained in a dictionary file in a very brief time frame. It is usual to try a dictionary attack first and then progress to a brute force attack if the password(s) cannot be found. Any information concerning the possible structure or character length of the password helps dramatically.
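The three word sources, the four mutators and the alphabet-driven brute force described above compose into a single candidate stream. The following Python is an added example of that composition, not EnCase or EDS code. Its assumptions, none of which the page states: Append Digits and Prepend Digits are taken to mean every decimal string of one to max_digits digits; mutators are applied in the order combine, toggle case, then digits; the alphabet is the first line of the alphabet file; and hashing is delegated to a caller-supplied function with SHA-256 as a stand-in, because the NT hash (MD4 over the UTF-16LE password) is not available in hashlib on every build.

```python
"""Candidate generation for the integrated attack: dictionary loading
(ANSI Latin-1 or UTF-16, one word per line), the four mutators, brute
force from an alphabet, and a try-each-candidate loop.

Added example, not EnCase/EDS code. Assumptions: Append/Prepend Digits
mean every decimal string of 1..max_digits digits; mutators are applied
combine -> toggle case -> digits; the alphabet is the first line of the
alphabet file; the hash function is supplied by the caller (SHA-256 here
as a stand-in for the NT hash, MD4 over UTF-16LE).
"""
import hashlib
import itertools


def load_wordlist(raw: bytes):
    """Decode UTF-16 if a byte-order mark is present, otherwise Latin-1.
    Blank lines are dropped; inner spaces are kept, as the format allows."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("latin-1")
    return [line for line in text.splitlines() if line]


def load_alphabet(raw: bytes) -> str:
    """First line of the alphabet file, duplicate characters removed."""
    lines = load_wordlist(raw)
    if not lines:
        raise ValueError("alphabet file is empty")
    return "".join(dict.fromkeys(lines[0]))


def toggle_case(word: str):
    """Every upper/lower-case variation of the letters in the word."""
    choices = [tuple(dict.fromkeys((c.lower(), c.upper()))) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def digit_strings(max_digits: int):
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            yield "".join(digits)


def append_digits(word: str, max_digits: int = 1):
    for d in digit_strings(max_digits):
        yield word + d


def prepend_digits(word: str, max_digits: int = 1):
    for d in digit_strings(max_digits):
        yield d + word


def combine_words(words):
    """Each word alone, then every ordered pair of distinct entries
    concatenated: ['old', 'dog'] -> old, dog, olddog, dogold."""
    for w in words:
        yield w
    for a, b in itertools.permutations(words, 2):
        yield a + b


def brute_force(alphabet: str, min_len: int, max_len: int):
    """All strings over the alphabet with length in [min_len, max_len]."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def candidates(words, alphabet: str = "", brute_range=(0, 0), max_digits: int = 1):
    """Dictionary/internal words and their mutations first, brute force last."""
    toggled = []
    for w in combine_words(words):
        for t in toggle_case(w):
            yield t
            toggled.append(t)
    for t in toggled:
        yield from append_digits(t, max_digits)
        yield from prepend_digits(t, max_digits)
    lo, hi = brute_range
    if alphabet and 1 <= lo <= hi:
        yield from brute_force(alphabet, lo, hi)


def find_password(cands, target_hash: str, hash_fn):
    """Return the first candidate whose hash_fn() equals target_hash, else None."""
    for c in cands:
        if hash_fn(c) == target_hash:
            return c
    return None


def sha256_hex(s: str) -> str:
    """Stand-in hash for the demonstration; substitute an NT hash function
    to work against hashes exported from the User List."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    words = load_wordlist(b"old\ndog\n")            # constructed dictionary
    target = sha256_hex("Dogold7")                  # constructed target hash
    print(find_password(candidates(words), target, sha256_hex))
```

The generator order mirrors the advice in the text: cheap dictionary-derived candidates are exhausted before brute force begins, and narrowing brute_range to whatever is known about the password's length removes most of the search space.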

CHAPTER 3

Physical Disk Emulator

In This Chapter
- What is the Physical Disk Emulator?
- Using Physical Disk Emulator
- Third-Party Tools
- Boot Evidence Files and Live Systems with VMware
- VMware/EnCase PDE FAQs
- PDE Troubleshooting

What is the Physical Disk Emulator?


The EnCase Physical Disk Emulator (PDE) module allows investigators to mount computer evidence as a local drive for examination through Windows Explorer. The power of this feature is well articulated in many forums. Most notably, this allows investigators many options in their examinations, including the use of third-party tools with evidence served by the EnCase program. We are committed to the concept of providing an integrated product to our customers. Third-party tools continue to be developed to complement the core functions and features of the EnCase program, and we encourage their creation and use. PDE allows third-party access to all supported computer evidence and file system formats. The EnCase program continues its evolution towards becoming a server of forensic data, whether in an image file, a preview of an offline computer or hard drive, or a live machine on a network.

Evidence File Formats Supported by EnCase PDE


EnCase PDE supports mounting of individual image files of hard drives and CDs, but not images or previews of the local forensic machine's hard drive. All image file formats and file systems that are supported by the EnCase software can be mounted with PDE. In addition, the following live computer forensic evidence is supported by PDE:
- Local machine preview of CDs
- Local machine preview of evidence hard drives through FastBloc FE and LE hardware write-blocking devices
- Crossover cable network preview of hard drives and CDs
- Parallel port preview of hard drives and CDs
- EnCase Enterprise and Field Intelligence Model (FIM) live network preview of hard drives and CDs

Using Physical Disk Emulator


Do not, under any circumstances, attempt to use PDE to mount EnCase images or previews of the local forensic hard drives. Windows will blue screen if it detects multiple instances of the same drive. Use only evidence files of other machines.

Starting Physical Disk Emulator


To mount a device using the Physical Disk Emulator, you must add a physical or logical disk image to a case in the Entries subtab under Cases. PDE can only mount physical devices or volumes. If you select a menu item from a non-mountable level, the PDE configuration is limited to client mode.


Using PDE
1. Right-click the logical or physical drive, and select Mount as Emulated Disk.

2. The Mount as Emulated Disk dialog displays.

Configuring the PDE Client


PDE assigns a local port the first time you run PDE. Afterwards the port number is disabled and you cannot change it. To assign a new port number, close the Windows session and restart. PDE does not use any other options in the Server Info tab.

To specify cache and CD options, click the Client Info tab.

Cache Options
If a physical device or volume (not a CD) is selected, decide whether to cache data. By default, caching is disabled. Use the write cache if programs need to access the files in an emulated read/write mode. If cache is enabled, changes made by programs are sent to a separate cache file specified on your local system.
1. To create a new write cache file (an EnCase Differential Evidence File), clear the Disable caching check box.
2. Select Create new cache in the Cache Type group and specify a Write cache path.
3. To reuse a cache from an earlier session instead, select Use existing cache and ensure the existing write cache file is specified in the Write cache path field.

If you choose to use an existing cache path, make sure to use a write cache file that was created with the evidence you are currently mounting.

Caching is necessary for PDE to function with VMware. In this state, Windows caches file deletions and additions. This is used to boot the drive with VMware as described later in this section. Caching is also necessary when mounting certain volume types.

CD Options
If a CD is mounted, the CD Session to view option is enabled to specify which session on a multi-session CD should display in Windows. The default session is the last session on the active CD, which is the one normally seen by Windows.
1. To view a prior session, select it here.
2. Click OK to continue.

3. If a message displays saying the software you are installing has not passed the Windows Logo test, click Continue Anyway. This allows Windows to add the evidence file as a drive with its own drive letter.

If using VMware, you need the physical Device Number.

Verify that the evidence file has been mounted with a drive letter by browsing in Windows Explorer. With the drive letter, you can apply third-party tools. When the share is created, a sharing (hand) icon appears on the device in the interface.

Mounting Non-Windows Devices


Devices with file systems other than NTFS or FAT can be mounted using PDE; however, the volume cannot be seen by Windows (although the physical device can be seen in Disk Management). The process to mount such a device is the same as that used to mount an NTFS or FAT device.

Accessing the Local Disk in Windows Explorer


After mounting the disk with PDE in the EnCase interface, open Windows Explorer. The new volume is represented with a hard drive icon, assigned a volume letter, and labeled as a local disk. Browse the mounted drive in Windows Explorer:
- To open hidden files, enable Show hidden files and folders in Windows Explorer by selecting Folder Options in the Tools menu
- To view deleted and system files and unallocated clusters, or to mount the evidence file, use the EnCase Virtual File System module

Files and folders on the mounted device can be accessed in Windows in the same manner as if the device were an additional drive, although changes will be written to the cache (if in use) instead of to the device itself.

Saving and Dismounting the Emulated Disk


If write caching is enabled when mounting the device, you can save virtual changes made to the evidence file.
1. In the EnCase interface, right-click the drive mounted using PDE.
2. Select Save emulated disk state.

The cache is saved in the path specified for write caching. Each time after the initial save, an instance number is appended to the cache file. These cache files can later be used to remount the evidence in its saved state, but you must have all of the preceding cache files, located in the same directory.

To end the emulation:
1. Double-click the flashing Physical Disk Emulator indicator in the lower right of the application window.
2. Click Yes in the Thread Status window to cancel the disk emulation.

If caching is enabled when mounting evidence, this screen displays:

The purpose of the final cache is to create a compressed and merged Differential Evidence File (*.D01) containing the cached data. With the Save Emulated Disk State option selected, there are multiple cache files for the same mounted evidence session. The final cache merges all these files. If there is no need to save the final file, select Discard final cache.

Use the Differential Evidence File to open the evidence file and view the emulated disk with the cached changes applied. To apply the cached data:
1. Right-click the device.
2. Select Mount as Emulated Disk.
3. Click the Client Info tab.
4. Clear the Disable caching check box.
5. Select Use existing cache.
6. Browse in the Write cache path field to find the *.D01 file.

After the disk mounts, Windows Explorer reflects the cached changes. When the device is dismounted, a status screen informs you whether the disk was dismounted successfully.


Closing and Changing the Emulated Disk


To mount a different drive, first dismount the currently emulated drive as previously described. You can then set a new mount point.
Be sure to dismount evidence that is served through PDE before exiting. A reminder message appears if you attempt to close the case or the EnCase program while evidence is mounted with PDE.

Temporary Files Reminder


EnCase Forensic, Enterprise and FIM allow investigators to redirect temporary files to a Temp/Trash folder on a secondary hard drive for faster cleanup after an examination, and to prevent confidential or contraband materials from being redirected by Windows to the investigator's own temp folder on the operating system drive. When opening a file mounted with PDE in Windows Explorer with a third-party tool, the Windows operating system controls the temporary file creation on the operating system drive, and any necessary post-examination cleanup is more laborious.

Third-Party Tools
Investigators with the PDE Module can use Windows Explorer to browse the structure of computer evidence. They can also utilize third-party tools capable of requesting and interpreting data from Windows Explorer to examine evidence outside the EnCase program. Guidance Software does not certify the performance or accuracy of results obtained through any tools not developed by Guidance Software.

Using Third-Party Tools


The third-party tools and viewers available to the investigator for forensic examination are greatly expanded with EnCase PDE. To use a third-party tool, open the file as follows:
1. Double-click a file served by PDE to have Windows Explorer request and receive the data from the EnCase software.
2. Open the data with the assigned program according to the file extension.

Quick View Plus


A popular viewing program is Quick View Plus, which allows the investigator to view dozens of file formats without the native applications installed on the examination machine.

Malware Scanning
A common use for EnCase PDE is to mount computer evidence for scanning for viruses, Trojans, and other malware programs. First, mount the drive or volume from the evidence file through PDE. In Windows Explorer, select the newly mounted drive (in this case, F:). If an antivirus program is installed and integrated with Windows Explorer, it can be used to scan for viruses. The program reads the emulated disk presented to Windows Explorer. The EnCase program serves the requested data to Windows Explorer, and then to the program for scanning.


Boot Evidence Files and Live Systems with VMware


Initial Preparation
For the Physical Disk Emulator to work properly, VMware version 4.5.1, build 7568 or later is required. To use VMware to mount an evidence file:
1. Determine the operating system of the subject evidence file using the following methods:

   a. Use the Windows Initialize Case module from the Case Processor EnScript program to determine the operating system.

   b. Check the contents of the boot.ini file, which is located on the partition root.
   c. Examine the folder structure, noting the following:
      - Windows 2000, XP, and 2003 Server all use the C:\Documents and Settings folder for user profiles and folders.
      - Windows NT and 2000 use the C:\WINNT folder for the system root.
      - Windows 9X, XP and 2003 Server use the C:\Windows folder for the system root.
2. Mount the physical disk containing the operating system using Physical Disk Emulator. Make sure to enable caching.
3. Determine what physical disk number has been assigned to it using one of these methods:
   - This information is provided when the device is mounted.
   - Select the Disk Management option by right-clicking My Computer in Windows, then select Manage.
There is currently an issue with VMware that prohibits VMware from booting a virtual machine located on a physical disk that is preceded numerically by a SCSI, FireWire, or USB drive. For best results, ensure that only IDE drives are plugged into the machine when you choose to mount as an emulated disk in the EnCase interface. This is easy to verify in Disk Management. If you encounter a message stating, "The specified device is not a valid physical disk device", it is most likely a result of this issue.

Do not use PDE to mount drives in an evidence file or preview of the local computer. Windows, particularly XP, will blue screen if it detects multiple instances of the same drive. Use only evidence files of other machines.

New Virtual Machine Wizard


To boot evidence files using VMware:

1. After you have gathered the needed information, launch VMware.
2. Select New Virtual Machine from the File menu.
3. At the New Virtual Machine Wizard screen, click Next.

4. Select Custom, then click Next.


5. Select the appropriate Guest Operating System radio button.

6. Select an operating system from the Version drop-down menu to identify the operating system version installed on the evidence file, then Next.
7. In the Name the Virtual Machine dialog, enter a virtual machine name.

As an option, you can click Browse to change the location for VMware's configuration files.

8. Click Next.

9. Assign the amount of memory for VMware to use, then click Next.

10. Select the type of network to use, then click Next. Selecting Do not use a network connection is recommended in the event that there is some type of malware installed on the machine the evidence file was created from.

11. Accept the default setting in the Select I/O Adapter Types dialog, then click Next.

12. Select Use a physical disk (for advanced users). Ignore any subsequent warning messages.
13. Select the disk that represents the mounted drive using PDE.
14. Accept the default setting of Use Entire Disk, then click Next.
15. Use the default disk file specified in the Specify Disk File dialog, then click Finish.


If the disk file is not recognized as a virtual machine, you can change the name of the file (taking care to leave the .vmdk extension).

VMware returns to the main screen, showing the newly created virtual machine.

Boot the Virtual Machine


Boot the virtual machine by starting VMware and performing the following:

1. Click the link for Start this virtual machine next to the green arrow. The evidence file is write-protected by the EnCase program, but PDE enables a write cache that interacts with VMware as if it were mounting a disk in read/write mode.

When the virtual machine starts, the operating system is shown as if the forensic machine was booting the drive. It boots in the same manner as the native machine.

2. As with booting restored hard drives, the virtual machine may require a username and password to proceed.
3. Since popups (such as AOL Instant Messenger) may cause driver problems, save the state of the virtual machine regularly.


VMware/EnCase PDE FAQs


Can live evidence be booted with VMware?
Live computer evidence (network nodes in the EnCase Enterprise program and local CDs) can be mounted with PDE but cannot be booted with VMware.

What version of VMware should be used with EnCase PDE?


PDE/VMware integration is with VMware version 4.5 and higher.

Why won't VMware recognize an emulated (mounted) disk?


You must launch VMware after emulating the disk with PDE, as VMware will not recognize a physical drive that has been added since it was started. In addition, VMware will not successfully boot evidence files which contain Windows with a non-default IDE driver. This is a known issue. Additional information is available at http://www.vmware.com/support/kb/enduser/std_adp?p_faqid=36.

What do I do if I see the message "The file specified is not a virtual disk" after running the New Virtual Machine wizard?
Occasionally after completion of the new virtual machine wizard in VMware, an error message (The file specified is not a virtual disk.) may be encountered. This issue is with VMware, not the EnCase program. Running the New Virtual Machine Wizard again usually resolves this issue.

How do I start a VMware machine with my saved EnCase Differential File?


Mount the disk using the existing cache file.

Why does VMware not recognize some physical disks?


If your evidence is successfully mounted, but VMware states that the physical disk that the image is mounted on is not a valid Physical Disk, it may be a result of a non-IDE device on a lower Physical Device than the emulated disk.

Windows XP keeps popping up windows about installing drivers when I boot.


The EnCase PDE Module installs GSI-specific IDE drivers to be loaded in order to emulate the disk as a drive within Windows with an assigned drive letter. A virtual IDE controller is created that can be seen in Device Manager. If Windows is allowed to load default IDE drivers, the module will not work properly. You can prevent this by canceling the attempt from the popup window. Once you have bypassed this message, you can save the state so that the next time the system is rebooted, Windows will not attempt to load the drivers again.


How do I restart a VMware session from a saved state?


VMware's suspend and resume feature allows you to save the current state of your virtual machine, then resume later with the virtual machine in the same state it was when you stopped it. Once you resume and do additional work in the virtual machine, there is no way to return to the state the virtual machine was in at the time you suspended it. To preserve the state of the virtual machine so that you can return to the same state repeatedly, you would need to take a snapshot. Instructions for using the snapshot are available at VMware's website at http://www.vmware.com/support/ws45/doc/preserve_snapshot_ws.html. The speed of the suspend and resume operations depends on how much data has changed while the virtual machine has been running. In general, the first suspend operation takes a bit longer than later suspend operations do. When you suspend a virtual machine, a file with a .vmss extension is created. This file contains the entire state of the virtual machine. When you resume the virtual machine, its state is restored from the .vmss file.

To suspend a virtual machine:

1. If your virtual machine is running in full screen mode, return to window mode by pressing Ctrl+Alt.
2. Click Suspend on the VMware Workstation toolbar.
3. When VMware Workstation has completed the suspend operation, it is safe to exit VMware Workstation (Exit from the File menu).

Resume a virtual machine as follows:

1. Start VMware Workstation and choose a virtual machine you have suspended.
2. Click Resume on the VMware Workstation toolbar.

Note that any applications you were running at the time you suspended the virtual machine are running and the content is the same as it was when you suspended the virtual machine.

Additional VMware troubleshooting is available from their knowledge base at http://www.vmware.com/support/kb/enduser/std_alp.php?

PDE Troubleshooting
Physical Disk Emulator is not listed under modules when accessing About EnCase from the Help menu
- If you are using cert files, check to see that the PDE certificate is located in the Cert directory (typically C:\Program Files\EnCase6\Certs).
- Make sure the security key is installed and working properly (check the title bar to ensure that the program is not in Acquisition mode).
- If you are using cert files, check the security key ID to ensure that it is the correct one for which the certificate was issued.

I can mount a device locally, but cannot set up a local server


Although menus exist for PDE Server operation, it is not currently functional.


A message is encountered stating that PDE cannot remove the device when attempting to dismount the device mounted
The error message may occur if Windows is accessing a file on the mounted device (e.g., the directory is opened in Windows Explorer or a file is opened in a third-party application). To resolve the issue, close all Windows applications accessing the mounted device, then click OK.

An error message is encountered stating that you need to reboot your machine, followed by a "Rejected connection" message
This issue is due to the device driver not being released properly. The only way to resolve this issue is to close all applications (including the EnCase application) and reboot the forensic machine. You should not encounter the error again when the machine is rebooted.
If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.

CHAPTER 4

Virtual File System


In This Chapter
What is VFS?
Mounting Evidence with VFS
Dismount the Network Share
Accessing the Share
Third-Party Tools
VFS Server
Troubleshooting


What is VFS?
The Virtual File System (VFS) module allows investigators to mount computer evidence as a read-only, offline network drive for examination through Windows Explorer. The value of this feature is that it allows investigators multiple examination options, including the use of third-party tools with evidence served by the EnCase program.

We are committed to the concept of providing an integrated product to our customers. Third-party tools will continue to be developed to complement the core functions and features of the EnCase program, and we encourage their creation and use. VFS allows third-party access to all computer evidence and file system formats supported by the software.

For our customers using the EnCase Forensic program, the VFS module has the added power of enabling use of third-party tools against hard drives previewed through a FastBloc device or a crossover cable, including deleted files. For customers using the EnCase Enterprise program, VFS allows use of third-party tools against live machines on the network using best practices, since the operating system is bypassed.

Evidence File Formats Supported by VFS


VFS supports mounting any data that is visible in a case. All image file formats and file systems that are supported by the EnCase software can be mounted with VFS.

Mounting Evidence with VFS


The VFS Module is able to mount computer evidence supported by the EnCase program as an offline read-only network drive in Windows Explorer. You can mount evidence at one of four levels; however, only one mounting point can be designated at a time. If you want to change the mounting point, you need to dismount the evidence and mount at a new level to include the desired devices.

The levels where you can mount evidence are:

- Case level: Mounting from case level is not supported by VFS
- Disk/Device level: Mounts a single physical disk or device, with access to all volumes on the disk or device
- Volume level: Mounts a single volume/partition on a physical disk
- Folder level: The lowest level you can mount is at the folder level. This mount level is helpful to examine files in paths that exceed the Windows limit of 264 characters in the full path and name of a file

Using the Server extension, you can also mount evidence to be shared with other investigators through the local area network. The Virtual File System Server is discussed later in this manual.

Mounting a Single Drive, Device, Volume, or Folder


Only one mount point can be designated at a time; to include other data, a mount point must be selected that is in a parent relationship to both areas of data to be mounted.


To mount a single drive or device in a case file or a single volume or folder on a drive, right-click the drive or device, and select Mount as Network Share:

Mount Network Share Options


On the Server Info tab of the Mount as Network Share window, most of the server info is disabled when establishing a local server. The only exception is the local port. VFS defaults to establishing a local server, which is the option used when using VFS on the local machine.

Since VFS is mounting the evidence as a network shared drive, a local port must be assigned. To allow recovery from errors in Windows, such as a crash while using third-party tools as described later in this manual, the VFS service runs for the life of the Windows session. This means that the port number can be assigned the first time the VFS service is run to mount evidence. Afterwards the port number is grayed out with the assigned port number unchangeable:

1. On the Server Info tab, set the local port or use the default setting.
2. Adjust the Max. clients allowed, up to the maximum number of clients purchased for VFS.
To assign a new port number, the Windows session must be closed, such as through a reboot.

3. Click the Client Info tab to set the volume letter to be assigned to the network share in Windows Explorer.

4. The default setting allows Windows Explorer to assign the next available volume letter, or you can set any other letter that is currently not assigned. Assigning a specific volume letter can be useful when attempting to virtually reconstruct a mapped network drive, such as for a database:

- If you currently have mapped networked drives or if you let Windows assign the drive letter, it takes a few seconds to query the system to find an available drive letter
- If you specified a volume letter, and it is available, the mounting is virtually instantaneous

A confirmation popup window informs you that the mount was successful, with the volume letter. The shared hand icon appears at the level you designated as the mount point for the shared drive.

Compound Files
Many compound files, including Microsoft Word, Excel, Outlook Express, and Outlook files, can be mounted in the EnCase interface. To do this:

1. Right-click the file.
2. Select View File Structure.

In the example below, a Microsoft Word .doc file is mounted. The device is then mounted with VFS at the device level.

3. Mount the case, drive, volume, or folder with VFS as for a single case, drive, etc. by right-clicking and selecting Mount as Network Share, as described above for single items.

4. View the mounted file as a folder in Windows Explorer, where the compound file structure can be browsed.

VFS is a dynamic engine and will serve the data as it is presented by the EnCase software. To view the original Word document file:

1. Close the mounted compound file.
2. In Windows Explorer, refresh the screen using the F5 key. If you have currently selected data within the compound file, an error message reports that the data is no longer available, since it was closed inside of the EnCase program.
3. Select the parent folder of the file to view and open the file.

Encrypting File System


Decrypted files can be viewed within Windows when you use VFS in conjunction with the EnCase Decryption Suite (EDS) module. The evidence containing the decrypted files and folders can be mounted with VFS for viewing the decrypted data within Windows Explorer, and with third-party tools. For information on using the EDS Module to decrypt EFS-protected files and folders, see the EDS Module chapter of this document.

RAIDs
RAIDs mounted inside the EnCase program can be browsed in Windows Explorer. In the example below, a software RAID 5 comprised of three drives was mounted and then made available for browsing in Windows Explorer with VFS.

Deleted Files
The VFS module allows investigators to view deleted and overwritten files in Windows Explorer.

An investigator may locate a file in Windows Explorer to view or analyze, but finds that it is not possible to open it. If a file does not open, review the original data in the EnCase interface to see if the file is indeed valid and is not corrupted or partially overwritten.

Internal Files and File System Files


The EnCase application organizes some data on devices into virtual logical files to allow for better organization and searching. Examples include Unallocated Clusters and Volume Slack on a volume, and Unused Disk Area on a physical drive. Hidden file system files are also available, such as the $MFT, FAT, or Inode Table directories on NTFS, FAT, and *nix file systems.

RAM and Disk Slack


VFS serves the actual logical files on devices along with virtual logical files it organizes for investigators. The physical files are not served, as Windows Explorer would not interact with the file data correctly if the entire physical file was served. For investigators, this means the RAM (sector) slack and drive (file cluster) slack are not available to third-party tools through VFS in Windows Explorer as a single file. There are, however, two ways to access the data in slack with third-party tools:

The first method is to load a device without parsing the file system:

1. Launch the EnCase application.
2. Open a new case.
3. Load the device by clicking Add Devices.
4. Right-click the device and select Edit.
5. In the Device Attributes window, clear the check from the Read File System box.


When the device is loaded into the EnCase program, the partition and file system are not read and interpreted. The entire device can then be mounted with VFS and be available for examination in Windows Explorer as Unused Disk Area, including slack space.

Another option is to copy only slack area from evidence to the examination computer as a logical file:

1. Select the device(s) where you want to examine the slack space.
2. Right-click the file and select Copy/UnErase.

4. Select the All selected files radio button under From, and the Merge into one file radio button under To, then click Next.

5. In the Copy section of the Options screen, select RAM and Disk Slack to copy the RAM slack (also known as sector slack) and the Disk Slack (also known as cluster slack).
6. Select the appropriate Character Mask option for non-ASCII characters, or leave the default and click Next.

7. Set the destination path and the name of the file to contain the slack, then click Next.

8. Click OK in the Copying files dialog that displays at the end of the copying process.

The file containing the slack from the evidence is now available for examination by third-party utilities on the local examination machine. In the example below, a file is open in WordPad.


Other File Systems


VFS can mount file systems other than those natively supported by Windows. Below is an example of a Macintosh OS/X drive mounted with VFS.

Below is the Windows representation of a Palm volume mounted in VFS.

ext2, ext3, UFS, and Other File Systems


Unix, Linux and BSD devices can be mounted in Windows Explorer with VFS. One limitation is the forward slash (/) used in *nix file systems. The forward slash is an invalid character in Windows and cannot be displayed in the full path for Windows Explorer. For this reason, the forward slash is represented by the high dot. In the example below, the / (root) partition is represented by the high dot. The /home partition is represented by the high dot followed by home.

In this example, the / (root) partition of a Solaris workstation is mounted and the parent folder name (the partition name) is displayed as the high dot.

Windows has a limit of 264 characters in a full path and file name. This limitation may impact some examinations in Windows Explorer, especially for Unix and Linux devices. In this situation, the investigator may need to mount at the partition or folder level.

Dismount the Network Share


To dismount the network share, do the following:

1. Double-click the thread bar at the bottom right of the interface that reads Virtual File System, then click Yes.

2. In the confirmation that the evidence was successfully dismounted, select any status saving options and click OK.

Changing the Mount Point


You can only view one mount point at a time. To change the location of the mount point, you must close the current mount point and open a new one.
Be sure to dismount evidence that is served through VFS before closing the EnCase program. A reminder message appears if the case or the EnCase program is attempted to be closed while evidence is mounted with VFS.


Accessing the Share


Using the EnCase Interface
Unique Name Column
A Unique Name column displays in Table view for the VFS Module. The column identifies the file name given to a file served from the EnCase program and displayed in Windows Explorer through VFS. The unique name overcomes the Windows limitation of not allowing multiple files to share the same file name as siblings in the same parent folder. The column is empty when the evidence is first mounted with VFS, but is populated when the share is accessed in Windows Explorer.

When an investigator selects a folder in Windows Explorer, the data is served by the EnCase program and displayed in Windows Explorer. As the directories are browsed in Windows Explorer, the file names are populated in the Unique Name column, so an investigator can determine which file he or she is examining. The EnCase program appends a pound sign (#) to the end of duplicate file names within the same folder in Windows Explorer.
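The naming rules VFS applies to *nix evidence (the forward slash shown as the high dot and the 264-character Windows path limit from the ext2/ext3 section, plus the # suffix on duplicate sibling names described above) can be modelled to plan a mount before browsing. The Python below is an added example, not Guidance Software code; it assumes the high dot is U+00B7, that each further duplicate gets one more #, and that a folder-level mount shows the mounted folder as the first component under the drive letter.

```python
"""Model how VFS presents *nix evidence paths in Windows Explorer.

Added example, not part of the EnCase VFS module. Assumptions (not stated in
the manual): the high dot is U+00B7; each further duplicate sibling name gets
one more '#'; a folder-level mount shows the mounted folder as the first
component under the drive letter.
"""
from typing import Dict, List, Optional, Set

HIGH_DOT = "\u00b7"         # assumed glyph for the manual's "high dot"
WINDOWS_PATH_LIMIT = 264    # full path and file name limit stated in the manual

# constructed sample: one very deep path on a /home partition
SAMPLE_DEEP_PATH = "user/" + "a" * 100 + "/" + "b" * 100 + "/" + "c" * 70 + ".txt"


def vfs_component(name: str) -> str:
    """Replace '/' (invalid in a Windows name) with the high dot.
    "/" becomes the high dot alone; "/home" becomes high dot + "home"."""
    return name.replace("/", HIGH_DOT)


def _components(partition: str, unix_path: str) -> List[str]:
    """Partition name followed by each path element, all made Windows-safe."""
    parts = [p for p in unix_path.split("/") if p]
    return [vfs_component(partition)] + [vfs_component(p) for p in parts]


def vfs_share_path(drive_letter: str, partition: str, unix_path: str) -> str:
    """Full Windows Explorer path for a file under a partition-level mount.
    partition: the partition name as EnCase shows it, e.g. "/" or "/home".
    unix_path: path of the file relative to that partition's root."""
    return f"{drive_letter}:\\" + "\\".join(_components(partition, unix_path))


def unique_sibling_names(names: List[str]) -> List[str]:
    """Make sibling names unique the way the Unique Name column shows them:
    a later entry with the same name as an earlier sibling (for example a
    deleted file beside its live replacement) gets '#' appended."""
    used: Set[str] = set()
    out: List[str] = []
    for name in names:
        candidate = name
        while candidate in used:      # assumption: one more '#' per clash
            candidate += "#"
        used.add(candidate)
        out.append(candidate)
    return out


def mount_depth_needed(drive_letter: str, partition: str, unix_path: str,
                       limit: int = WINDOWS_PATH_LIMIT) -> Optional[int]:
    """How many leading directories a folder-level mount must absorb so the
    displayed path fits the Windows limit. 0 means a partition-level mount is
    enough; None means even the bare file name cannot be displayed."""
    comps = _components(partition, unix_path)
    for depth in range(len(comps)):
        shown = f"{drive_letter}:\\" + "\\".join(comps[depth:])
        if len(shown) <= limit:
            return depth
    return None


def plan_mount(drive_letter: str, partition: str,
               unix_paths: List[str]) -> Dict[str, object]:
    """List the files that overflow the limit under a partition-level mount,
    the deepest folder-level mount needed to reach them, and any that cannot
    be displayed at all."""
    overflow = [p for p in unix_paths
                if len(vfs_share_path(drive_letter, partition, p)) > WINDOWS_PATH_LIMIT]
    depths = [mount_depth_needed(drive_letter, partition, p) for p in overflow]
    return {
        "overflow": overflow,
        "max_depth": max((d for d in depths if d is not None), default=0),
        "undisplayable": [p for p, d in zip(overflow, depths) if d is None],
    }


if __name__ == "__main__":
    print(vfs_share_path("F", "/", "etc/passwd"))
    print(unique_sibling_names(["report.doc", "report.doc", "notes.txt"]))
    print(plan_mount("F", "/home", ["user/.bashrc", SAMPLE_DEEP_PATH]))
```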

Using Windows Explorer


After mounting the shared network drive with VFS, open Windows Explorer. The new share is represented with a network drive icon and assigned the appropriate volume letter. The name of the share is gsisvr (for Guidance Software, Inc. Server).

Several operations are then possible, including the following:

- Browse the mounted case and associated devices in Windows Explorer
- Open hidden and deleted files if Show hidden files and folders is enabled in Windows Explorer using the Folder Options in the Tools menu

- Use the thumbnail viewer in Windows Explorer to view images in the manner seen by the original user

Third-Party Tools
Using VFS, investigators can examine evidence outside the EnCase program by utilizing third-party tools capable of requesting and interpreting data from Windows Explorer. However, Guidance Software does not certify the performance or accuracy of results obtained through any tools not developed by Guidance Software.

Malware Scanning
A common use for VFS is to mount computer evidence to scan for viruses, Trojans, and other malware programs:

1. Mount the evidence through VFS either locally on the examination machine, or remotely through VFS Server. You can mount the evidence at the device, volume, or folder levels as described previously. The shared hand icon indicates the level of the virtual file system mount.

2. In Windows Explorer, select the gsisvr offline network drive.
3. Use antivirus software to scan the file.


In the example below, the Scan for Viruses option from Symantec AntiVirus is run by right-clicking the drive.

The antivirus software can read the Virtual File System presented to Windows Explorer. The requested data is served by the EnCase program to Windows Explorer, and then to the program for scanning. In this case, the MyDoom virus was found on the computer evidence mounted with VFS.

The examination reports and logs generated by the third-party tools can then be reviewed and included in the investigator's investigative report.

Other Tools and Viewers


The third-party tools and viewers available to the investigator for forensic examination are now greatly expanded with VFS. To use them, do the following: Double-click a file served by VFS to open the data with the assigned program according to the file extension.

Assigning File Extension to a Program


To assign an associated program to an extension:

1. Select Folder Options from the Windows Explorer Tools menu.

2. In the Folder Options window, click the File Types tab.
3. Select the desired extension, and the Details for section lists the program designated for that extension. In this example, JPEG files open with Adobe Photoshop CS.
4. Click the Change button.

Select or browse to the new program.

Unix or Linux Files


Some files, like those in Unix and Linux, do not have file extensions. To view them:

1. Right-click the file and select Open.
2. In the Open With window, select the desired application from the Programs list and click OK.
3. If the application is not listed, click Browse to find the application executable, or allow Windows to search the Internet (if connected).
4. Click Other if the appropriate application is not available.


WordPad can open most text-based files to allow you to view the contents. In the example below, a Linux file is opened with WordPad in Windows Explorer from an evidence file mounted with VFS.

QuickView Plus
Another popular viewing program, QuickView Plus, can be used to view dozens of file formats, without the native applications installed on the examination machine.

Temporary Files Reminder


The EnCase program allows investigators to redirect temporary files to a Temp/Trash folder on a secondary hard drive for faster cleanup after an examination, and to prevent confidential or contraband materials from being redirected by Windows to the investigator's own temp folder on the operating system drive. When a file mounted with VFS in Windows Explorer is opened with a third-party tool, the Windows operating system controls the temporary file creation on the operating system drive. Remember to check the Windows Temp folder to perform any necessary post-examination cleanup.

VFS Server
The VFS Module has a server extension so that investigators can share the mounted evidence with other investigators on the local area network/intranet through VFS. The extension enables a number of clients to mount the network share served by the VFS Server through a network connection under these conditions:

- Only the machine that is running the VFS Server needs a security key inserted. A security key is not required to connect to the VFS Server and access the served data in Windows Explorer.
- The client machine(s) must have the EnCase program installed to access the VFS client drivers but can run in Acquisition mode.
- The number of clients that can connect to the VFS Server depends upon the number of VFS Server connections purchased. This information is contained in the VFS Certificate or programmed into the security key.

To determine if the VFS Server is enabled and to view the number of available client connections, do the following:

- Select About EnCase from the Help menu.
- If the VFS module is not listed, or the number of clients is not sufficient, contact Customer Service to purchase additional clients.

Configuring the Server


Configure the server as follows:

1. On the VFS Server machine (with the security key inserted), open the EnCase program.
2. Open the case file(s).
3. Select the appropriate VFS mount point level:
   - Case
   - Drive/device
   - Volume
   - Folder
4. Right-click the mount point and select Mount as Network Share. You have the option of creating a network share from any of the cases, drives, or folders within it. This allows you to share only what is necessary to others, while still having access to cases and devices that you do not want to share.
5. Since this is the VFS Server machine, select Establish local server for the location on the Server Info tab.

6. Enter a Port number or use the default of 8177. The Server IP Address is grayed out since the server's IP address is the one assigned to the machine where the mount is taking place.
7. Note the server machine's IP address for use with the client.
8. Set the maximum number of clients who can connect to the server, with the default being the maximum allowed by your VFS Server certificate.

Since VFS is mounting the evidence as a networked shared drive, the serving port must be assigned. To allow recovery from errors in Windows, such as a crash while using third-party tools as described previously, the VFS service runs for the life of the Windows session from that port. The VFS Server can also serve the data locally to the investigator's machine. Be aware that it uses one of the server connections.


Restrict Access by IP Address


By default, VFS Server is configured to allow access from all IP addresses. However, the preferred method is to restrict access by IP address. To specify a range of machines, do the following:

1. Select Allow IP Range and specify the high and low IP values.

2. Select Allow specific IPs.
3. Right-click in the Allowed IPs box.
4. Select New and enter the IP addresses. Enter multiple IP addresses by repeating this action. You can also edit or delete existing IP addresses by right-clicking Allowed IPs.

5. Select the Client Info tab. To also mount and view the shared drive locally, leave the Mount share locally box checked and input a Volume Letter.

By default, the volume letter field has an asterisk in it, signifying that the next available drive letter will be used. Mounting the share locally uses one of your VFS Server connections. If you are only serving the share to remote clients, clear Mount share locally, and the Volume Letter grays out, as the share is mounted on remote client(s).

The VFS Server mounts the share and allows connections on the assigned port. The shared hand icon appears at the VFS mount point. You can continue your examination while it is being shared. Performance depends on the size and type of the examined evidence, processing power of the server and client machines, and the bandwidth of the network.

Connecting the Clients


To connect the clients:

1. Install the EnCase program on the client.
2. Reboot the machine after installation for Windows to access the VFS drivers. When launching the EnCase program, it is not necessary to have a security key present.
3. Click Tools, then Mount as Network Share.
4. On the Server Info tab, enter the Server IP Address for the VFS Server machine, and enter the port number the server is listening on.
5. On the Client Info tab, select the Volume Letter to assign the share, or accept the next available letter.

The confirmation message displays. On the client machine, the share is available in Windows Explorer as gsisvr with the assigned drive letter. The shared computer evidence can be examined as previously described.

Closing the Connection


When an investigator using a client machine has completed the examination of the shared drive, or another investigator needs to use the connection, double-click the progress bar at the lower right and select Yes. A confirmation window reports that the evidence is dismounted and the connection closed, and the shared hand icon is removed, indicating that Windows Explorer has removed the shared drive. The EnCase program can be closed on the client computer.

On the VFS Server machine, when all clients are finished and have dismounted the share, close the VFS Server by double-clicking on the flashing Virtual File System bar in the lower right corner of the EnCase application window. You will be prompted to dismount the evidence file, after which you can close the EnCase program.


Troubleshooting
Virtual File System is not listed under Modules
- If you are using cert files, check to see that the VFS certificate is located in the proper Certs directory (typically C:\Program Files\EnCase6\Certs).
- Make sure the security key is installed and working properly (check the title bar to ensure that the software is not in Acquisition mode). You do not need to have the security key installed on a machine connecting to a remote VFS Server.
- If you are using cert files, the certificate file is issued for a specific security key; check the security key ID to ensure that it is the correct one for which the certificate was issued.

I can mount a device locally, but cannot set up a local server


Select About EnCase from the Tools menu and ensure that Virtual File System Server is listed under Modules. If the Server is not displayed, you may have the wrong cert installed, or you do not have access to the Server edition.

I cannot connect to a device mounted on a remote VFS server


Confirm the IP address and port number of the Remote Server. If the IP address is correct, ping the address to ensure connectivity. Make sure the device is still mounted on the remote server. Check to see how many machines are connected to the server, and determine how many clients are permitted to connect to a VFS Server by selecting About EnCase from the Tools menu on the machine running the VFS Server. Determine the number of allowed clients by looking at the number listed next to the Virtual File System Server module.
If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.

CHAPTER 5

FastBloc SE Module
In This Chapter
What is the FastBloc SE Module?
Background Information
Installing the FastBloc SE Module
Using the FastBloc SE Module
Disk Caching
Troubleshooting


What is the FastBloc SE Module?


The FastBloc SE (Software Edition) module is a collection of drive controller tools designed to control reads and writes to a drive attached to a computer through USB, FireWire, SCSI, IDE, and SATA controller cards in order to enable the safe acquisition of subject media from Windows to an EnCase evidence file. In addition, an investigator can wipe devices attached to a controller card that is controlled by the FastBloc SE module, or restore them while maintaining the hash value of the logical file.

When the FastBloc SE module's write blocking capability is enabled, it ensures that no data are written to or modified on a write-blocked device. The Write block USB, FireWire, SCSI Devices option is used to write-block and protect attached drives.

In the past, conducting a forensic, noninvasive acquisition of a hard disk drive was performed in DOS, or through a write-protecting hardware device. This was done to control writes by the operating system to the subject drive. The FastBloc SE module eliminates the need to have a hardware write blocker installed on the forensic machine in order to acquire EnCase evidence files in a forensically sound manner through Windows.

Background Information
HPA and DCO Configured Disks
Host Protected Area
Hard disks can be configured with a Host Protected Area (HPA). It is designed to allow vendors to store data safe from user access, diagnostics or MS Windows backup tools. If present, the data stored in this area is inaccessible by the operating system, BIOS or the disk itself. Knowledge of this area and the ability to access it are important, as there is the potential for a sophisticated user to hide data in the HPA. The FastBloc SE module sees the HPA if it is present, and the content hidden there displays. Disk integrity remains intact when previewing and acquiring disks with HPAs.

Device Configuration Overlay


The Device Configuration Overlay (DCO), sometimes called the Disk Configuration Overlay, is similar to the HPA discussed above. It is an optional feature within the ATA et seq. standard, and is supported by most hard disks. Like the HPA, it can also be used to segment off a portion of the hard disk drive capacity from view by the OS or file system, usually for diagnostic or restoration purposes. Contents of the DCO can control behavior of the drive, and one of the DCO fields controls the max_sectors drive data. It can thus be used to artificially restrict access to the full drive.

Architecture
Both the HPA and the DCO are typically located at the ends of the hard disk. If present, the HPA area is placed on the drive after the DCO is configured. This gives the drive three types of storage that are laid out one after another on the drive:

Normal | HPA-protected | DCO-protected


Overriding HPA and DCO Settings


The write-blocking functionality of the FastBloc SE module is designed to prevent writes to a suspect hard drive while previewing, examining or acquiring the device for forensic purposes. The FastBloc SE module allows EnCase software to recognize disks with HPA and DCO regions.

The FastBloc SE module automatically overrides HPA settings, which makes the HPA area of the hard disk visible to the investigator. To do this, it temporarily removes the HPA settings and then replaces them, so no permanent disk alterations are made.

If only a DCO is present, it is removed to allow the EnCase software to view the data. If both HPA and DCO are present in an area simultaneously, the FastBloc SE module first removes the HPA setting, then the DCO setting. The HPA is removed only if an HPA and DCO area exist simultaneously.
ALERT! When the EnCase software encounters a hard drive with a defined DCO, or DCO and HPA, it must permanently remove both overlays to image the entire drive. Based on the design and published specifications of DCO and HPA, there is no known way to access the entire data area without making this change. Investigators must note that although this change does not affect the data contained on the drive, it is a permanent change to the drive controller that is not affected by powering down the drive. Investigators may wish to account for this anomaly in their documentation.
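The three regions of the Architecture section, and the check that an acquisition really covered the whole drive after the overlays were lifted, follow from the three sector counts an ATA drive reports. The Python below is an added example, not FastBloc SE code; it assumes 512-byte sectors and that the examiner has recorded the IDENTIFY DEVICE user-addressable count, the READ NATIVE MAX ADDRESS value and the DEVICE CONFIGURATION IDENTIFY maximum, and the sample values are constructed.

```python
"""Locate the Normal / HPA-protected / DCO-protected regions of a drive and
check whether an acquired image covers all of them.

Added example, not part of the FastBloc SE module. Inputs are the three ATA
values an examiner records, all as sector counts (max LBA + 1):
  identify_sectors : IDENTIFY DEVICE user-addressable sectors (what the OS
                     sees; reduced while an HPA is set)
  native_max       : READ NATIVE MAX ADDRESS + 1 (HPA lifted, DCO still applied)
  dco_max          : DEVICE CONFIGURATION IDENTIFY max LBA + 1 (full capacity)
512-byte sectors are assumed; the sample values below are constructed.
"""
from typing import Dict, List, Tuple

SECTOR_BYTES = 512  # assumption used only for the byte figures


def disk_regions(identify_sectors: int, native_max: int,
                 dco_max: int) -> Dict[str, Tuple[int, int]]:
    """Return each region as a half-open LBA range (start, end), laid out one
    after another as in the Architecture section: Normal, HPA, DCO."""
    if not 0 < identify_sectors <= native_max <= dco_max:
        raise ValueError("expected identify <= native max <= DCO max")
    return {
        "normal": (0, identify_sectors),
        "hpa": (identify_sectors, native_max),
        "dco": (native_max, dco_max),
    }


def hidden_area_report(identify_sectors: int, native_max: int,
                       dco_max: int) -> Dict[str, object]:
    """Summarise what is hidden from the OS and what must be documented."""
    r = disk_regions(identify_sectors, native_max, dco_max)
    hpa = r["hpa"][1] - r["hpa"][0]
    dco = r["dco"][1] - r["dco"][0]
    return {
        "hpa_present": hpa > 0,
        "dco_present": dco > 0,
        "hpa_sectors": hpa,
        "dco_sectors": dco,
        "hidden_bytes": (hpa + dco) * SECTOR_BYTES,
        # the ALERT above: lifting a DCO is a permanent controller change
        "permanent_change_expected": dco > 0,
    }


def acquisition_findings(image_sectors: int, identify_sectors: int,
                         native_max: int, dco_max: int) -> List[str]:
    """Compare the sector count of an acquired image with the three regions
    and report which regions were not fully imaged, if any."""
    r = disk_regions(identify_sectors, native_max, dco_max)
    findings: List[str] = []
    if image_sectors >= dco_max:
        findings.append("image covers the full drive including HPA and DCO")
    else:
        for name in ("dco", "hpa", "normal"):
            start, end = r[name]
            if end > start and image_sectors < end:
                missing = end - max(image_sectors, start)
                findings.append(f"{name} region not fully imaged "
                                f"({missing} sectors missing)")
    if image_sectors > dco_max:
        findings.append("image is larger than the DCO capacity; "
                        "check the recorded values")
    return findings


if __name__ == "__main__":
    # constructed sample: 1000 visible sectors, 200-sector HPA, 300-sector DCO
    print(hidden_area_report(1000, 1200, 1500))
    print(acquisition_findings(1000, 1000, 1200, 1500))   # OS-visible only
    print(acquisition_findings(1500, 1000, 1200, 1500))   # overlays lifted
```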

Installing the FastBloc SE Module

The process for installing the module involves a few more steps than the other modules.
1. Install the FastBloc SE module as listed in Installing the EnCase Modules on page 5.
2. Shut down the forensic machine.
3. Insert one of the IDE controllers listed in FastBloc SE Module Specific Requirements on page 4.
4. Turn on the computer.
5. Install the drivers that came with the IDE controller.
Consistent with sound computer forensic practices, test the FastBloc SE module with non-evidence media to verify the write blocking capability prior to using the device with actual evidence.


Using the FastBloc SE Module

Write Blocking IDE and SATA Controller Cards
The FastBloc SE module write blocks PCI IDE and SATA controller cards. See FastBloc SE Module Specific Requirements on page 4 for a listing of supported PCI IDE controller cards. To successfully prevent writes or modifications to an IDE device, the controller channel is write blocked before the device is attached to the PC. When the channel is protected with the GSI driver, shut down the machine and attach the device. On reboot, Windows write permissions are revoked.

To write block an IDE controller:
1. Launch the EnCase program and select Write Block IDE channel from the Tools menu.
2. In the list of available IDE channels, blue check the channel to write block and click OK.
3. A popup window may display saying that the software has not passed Windows LOGO testing.
4. Click Continue Anyway to replace the installed driver with the GSI driver.
5. Shut down the forensic machine.
6. Attach the suspect's hard disk to the controller selected in step 2.
7. Restart the forensic computer. The selected channel is write blocked on system startup.

Turning Off IDE Write Block Protection

To turn off the write block protection:
1. Shut down the forensic computer.
2. Remove the suspect's hard disk.
3. Repeat steps 1 and 2 above, deselecting the write protected controller in step 2.
4. Reboot the forensic machine.
5. The GSI driver is replaced with the original default Windows driver.

Write Blocking a USB, FireWire, or SCSI Device

To write block a USB, FireWire, or SCSI device, the EnCase software intercepts the signal sent to Windows when a device is attached to the computer. It then filters the driver for that device, enabling write protection.

When using the FastBloc SE module on a USB, FireWire or SCSI device, there are two modes, which both protect the device from being modified or written to:
- Write Blocked: A write blocked device is protected against writing to or modifying files when the device is attached to a PC. Files deleted from or added to the device appear in Windows as modified, but the modifications are saved in a local cache, not on the device itself. This mode does not prompt errors when attempting to write to the drive.
- Write Protected: A write protected device is protected against writes or modifications when the device is attached to a PC. If writes or modifications to the device are attempted, Windows responds with an error message.

Removing write protection takes effect on all devices that are or have been connected to the PC.

To write block a USB, FireWire, or SCSI device:
1. Make sure no devices are attached.
2. Select Write block USB, Firewire, SCSI drive from the Tools menu.
3. Select Write Blocked in the dialog.
4. Insert the USB, FireWire, or SCSI device.

Because some SCSI devices are not initially hot swappable, you may want to use a hot swappable carrier to protect the device, such as the StarTech DRW150SCSIBK SCSI drive bay.

5. A confirmation window displays when the device is successfully blocked.
6. Click Finish.

Verify Write Block

You can confirm successful write blocking of the device when previewing the device in the EnCase program:
1. Click the New icon on the top toolbar to open a new case and complete the required information.
2. Click the Add Device icon.
3. Blue check Local Drives in the right pane, then click Next. In the Choose Devices window, the device and volume (if present) on the write blocked channel have a green box around the icon in the Name column, and a bullet appears in the Write Blocked column for each.

Removing Write Block from a USB, FireWire, or SCSI Device

Removing the USB, FireWire, or SCSI Device
To remove a USB, FireWire or SCSI device:
1. Use the hardware removal tool in the System Tray in the lower right corner of the taskbar to remove the device. In Windows 2000, this tool is named Unplug or Eject Hardware; in Windows XP, Safely Remove Hardware.
2. Remove the device physically when the wizard has confirmed safe removal.

Removing Write-Block
1. Select Write block USB, FireWire, SCSI drive from the Tools dropdown menu.
2. Click Clear All in the window that opens.
3. Click Yes on the prompt to confirm the removal of all USB, FireWire, and SCSI write blocked devices.

Selecting Clear All removes write blocking and write protection on all USB, FireWire, and SCSI devices previously protected by the FastBloc SE module.

4. A confirmation window displays when write block is successfully removed.
5. Click OK to finalize write block removal.

Previewing a Write Blocked Device

To preview a write blocked device:
1. Write block or write protect the appropriate device following the steps outlined previously in this manual.
2. Create a new case in the EnCase program.
3. Click Add Device. In the Choose Devices dialog, a bullet in the Write Blocked column indicates the subject media is write blocked. Devices write blocked by the FastBloc SE module also have a green square around the icon.
4. Blue check a write blocked device or volume, then click Next.
5. Click Finish in the Preview Devices screen to begin previewing subject media.

Wiping
The FastBloc SE module allows wiping a device attached to one of the supported PCI IDE controller cards mentioned in FastBloc SE Module Specific Requirements on page 4. Wiping is done in the same manner as for drives attached directly to the motherboard. See the Using EnCase Tools chapter of the EnCase Enterprise User's Guide for instructions on wiping a drive using the EnCase interface.

Restoring
The FastBloc SE module also allows the restoration of an evidence file to a device of similar size or larger attached to one of the supported PCI IDE controller cards previously mentioned. Restore a device in the same manner as with drives attached directly to the motherboard. See the Using EnCase Tools chapter of the EnCase Enterprise User's Guide for details.


Disk Caching
When the FastBloc SE module is set to write block, the writes are actually being cached to the investigator's hard drive. This does not occur with write protect, since Windows generates an error rather than allowing the appearance of the write to take place.

Write Block Validation Testing and Disk Caching

Do not use evidence hard drives to perform write blocking capability tests. Although Windows may appear to allow modifications of the write blocked subject media, this does not actually occur.

Disk Caching and Flushing the Cache

To flush the write cache, reboot the computer or remove the media that is write blocked. Preview the drive with the EnCase interface or browse using Windows Explorer to verify that the cache emptied.
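The validation test this section prescribes, and the two modes described under Write Blocking a USB, FireWire, or SCSI Device, are shown below as an added example that is not Guidance Software code: hash non-evidence test media, attempt a write through the blocker, flush the cache, re-hash and compare. The device classes are constructed in-memory stand-ins for a test drive behind each blocker mode (plus an unprotected drive as the failure case); on real hardware the same steps run against the raw device.

```python
"""Write-blocker validation sequence (added example, not GSI code).

The manual's caveat drives the design: in Write Blocked mode Windows appears
to accept the write (it lands in a local cache), so a verdict taken right
after the write is misleading. The verdict is taken only after the cache is
flushed (reboot or remove the media), by comparing hashes of the media.
"""
import hashlib


def media_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class UnprotectedDevice:
    """Failure case: writes reach the media. Constructed stand-in, not a driver."""

    def __init__(self, data: bytes):
        self.media = bytearray(data)

    def read(self) -> bytes:
        return bytes(self.media)

    def write(self, offset: int, payload: bytes) -> None:
        self.media[offset:offset + len(payload)] = payload

    def flush_cache(self) -> None:
        pass  # nothing is cached; writes already hit the media


class WriteProtectedDevice(UnprotectedDevice):
    """'Write Protected' mode: the write is refused with an error."""

    def write(self, offset: int, payload: bytes) -> None:
        raise PermissionError("media is write protected")


class WriteBlockedDevice(UnprotectedDevice):
    """'Write Blocked' mode: writes go to a local cache; reads are served
    through that cache until it is flushed, so the change looks real."""

    def __init__(self, data: bytes):
        super().__init__(data)
        self.cache = {}

    def read(self) -> bytes:
        view = bytearray(self.media)
        for offset, payload in self.cache.items():
            view[offset:offset + len(payload)] = payload
        return bytes(view)

    def write(self, offset: int, payload: bytes) -> None:
        self.cache[offset] = bytes(payload)

    def flush_cache(self) -> None:
        self.cache.clear()  # what a reboot or media removal does


def validate(device, marker: bytes = b"WRITEBLOCK-TEST") -> dict:
    """Run the test sequence and return what was observed at each step."""
    before = media_hash(device.read())
    write_error = None
    try:
        device.write(0, marker)
    except OSError as exc:  # PermissionError is an OSError subclass
        write_error = str(exc)
    # What the examiner sees before flushing: may be a cached illusion.
    appeared_modified = media_hash(device.read()) != before
    device.flush_cache()
    after = media_hash(device.read())
    if after != before:
        verdict = "FAIL: media changed"
    elif write_error:
        verdict = "PASS: write protected (write refused)"
    elif appeared_modified:
        verdict = "PASS: write blocked (change was only cached)"
    else:
        verdict = "PASS: write silently discarded"
    return {"before": before, "after": after, "write_error": write_error,
            "appeared_modified": appeared_modified, "verdict": verdict}


if __name__ == "__main__":
    sample = bytes(range(256)) * 8  # constructed non-evidence test media
    for dev in (WriteProtectedDevice(sample), WriteBlockedDevice(sample),
                UnprotectedDevice(sample)):
        print(type(dev).__name__, validate(dev)["verdict"])
```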

Troubleshooting
The Write Block option does not appear in the Tools menu
Make sure the module was installed as described in Installing the EnCase Modules on page 5.
Select About EnCase from the Help menu to verify that the FastBloc SE module is listed in the window.
Check that the security key is in the machine. If the security key is out, or not functioning properly, the EnCase program will be in Acquisition mode.
If you are using cert files, the cert file may be tied to a different security key. Consult an administrator to determine the associated security key and cert file.

Windows and the EnCase program do not recognize the attached device
Check all power and data connections to the device.
Check to see if the subject hard drive is spinning. If the device is connected via an external drive bay, shut down the computer and try connecting the power connector (not the data connector) to a Molex power cable directly from the computer. Restart the computer. If the drive starts spinning, shut down the computer again and swap cables.
If the subject drive does not spin, or is making unusual sounds (whirring, clicking, etc.), the drive may be defective and you may not be able to acquire it by normal methods.
If the subject drive is spinning, check the data cables. You may want to try using a 40 wire cable if you are using an 80 wire cable.
Check the USB or FireWire port to ensure proper functioning by inserting a known good device. Make sure the port is recognized in Device Manager.


Windows sees the subject drive, but the EnCase program does not
If you can see the physical drive but cannot see the contents of the drive, the EnCase interface may be in acquisition mode. This may indicate that the security key is not installed or (if you are using cert files) is not tied to the cert file. Refer to the EnCase User's Guide for instructions on how to install the security key drivers.
You may have a corrupt version of the EnCase program. If you are using cert files, make a backup of all your cert files. Download and reinstall the newest version of the EnCase software.
Be sure to select Local Devices instead of Evidence Files when you begin the preview process.
If at all possible, try to acquire on a completely different machine. This helps pinpoint the problem, as it may be a hardware or operating system conflict. If you are using cert files, be sure to use a security key tied to the cert file.

Acquisition takes too long

If the acquisition started out at a normal speed, and then rapidly decreased later in the acquisition, there is a good chance that the EnCase program has encountered bad sectors on the subject drive. Because the software will make multiple attempts at reading bad sectors, acquisition time may increase.
Enabling compression dramatically increases acquisition time.
A completely slow acquisition may be the result of slower equipment.
If you are acquiring to external media (i.e., the storage media is an external hard drive) the transfer rates will be significantly slower than with a directly connected hard drive.
If the subject drive is an older or slower model, the acquisition speed is limited.
If the forensic machine has an older or slower storage drive, the acquisition is slowed by the drive's slow write speed.
If you are acquiring a newer drive, try an 80 wire cable, as this allows faster throughput. Ensure the FireWire/USB cable is securely connected at both ends.
If FireWire is not available, use a USB 2.0 connection (USB 2.0 is up to 40 times faster than USB 1.0). In addition, when using USB, limit any other CPU intensive tasks during the acquisition, since these contribute to a loss of transfer speed.
Use FireWire ports whenever possible, since the interface is faster than USB.

Acquisition and verification hashes do not match

There may be a data integrity issue with the cable. Try using a 40 wire cable if you are using an 80 wire cable, a shorter IDE cable, and/or a shielded IDE cable if possible.
Try using a different USB or FireWire cable.


There are different hash values each time the drive is hashed
This indicates a failing drive. Because the number of sector errors increases each time, hash values change. Since the first acquisition typically contains the least number of bad sectors, use that file for analysis.

There are multiple bad sectors after acquisition

This can indicate a defective drive. Ensure that the cables are securely connected to the controller and the drive.
If the subject drive is in an enclosure when you try to acquire it, it may become hot during the acquisition. Try removing the drive from the enclosure to keep it cooler, which may reduce the number of sector errors.

CHAPTER 6

CD/DVD Module
In This Chapter
What is the CD/DVD Module?
Burning Evidence Files During Acquisition
Burning Logical Evidence Files During Acquisition
Burning Files and Reports
Burning Existing Evidence and Logical Evidence Files


What is the CD/DVD Module?

Use the CD/DVD Module to burn the following to a CD or DVD:
- Evidence and Logical Evidence Files during acquisition
- Files and folders, as well as reports from the EnCase program
- Existing Evidence Files and Logical Evidence Files

Unless specified otherwise, files burned maintain the following properties (if available):
- Entry Name (either entry or report)
- Last Written date
- Entry Created date
- Logical size
Consistent with sound computer forensic practices, test the CD/DVD module with non-evidence media to verify proper installation and operation prior to using it with actual evidence.

Burning Evidence Files During Acquisition

The process for burning an evidence file to removable media at the time of an acquisition starts with a preview:
1. Create a new case or open an existing one.
2. Add a Device for preview as described in the EnCase User's Guide.
3. Right click the device icon in the Case tree, then select Acquire.
4. When you get to the Options screen, select Burn Disc, then click Next.


Selecting CD Information
To select CD information, choose appropriate options from the preconfigured settings in the CD Info dialog.

- Joliet: This specifies the format of the image to adhere to the Joliet standard, which allows long entry names.
- UDF: This specifies the format of the image to adhere to the UDF standard, which is used primarily for DVDs.
- Burn: This initiates the burn of the image to the disc once you click Finish. If the box is cleared, the Archive Folder for the image is updated, but not burned until initiated by the user in the Archive Entries tab. An ISO is also created for the user to burn at any time with any program.
- Delete ISO after Burn: This deletes the created ISO image from the temporary folder set with the Path option once it is burned to media.
- Publisher: This optional field allows you to specify the name of the person who burned the image to disc.
- Preparer: This optional field allows you to specify the name of the person who prepared the image for burning.
- Path: This field sets the path for the temporary placement of the ISO image prior to being burned.
- CD Burners: Any media burner recognized by the system appears in this window. Select the media burner of your choice. If a recognized burner is not listed, the burning option is disabled.

The image produced contains the ISO 9660 format with Joliet selected by default. If Joliet or UDF formats are selected, additional trees are built for those formats. ISO 9660 allows only eight character (old DOS 8.3) names. Names longer than eight characters are truncated to the first four characters of the filename, followed by four random numbers.


Burning
When the initial acquisition is complete, the status screen displays and the burn to CD starts, indicated by a blue Burning thread displayed on the EnCase program's taskbar.
Evidence entries are burned as long as there is enough room left on the medium based on set segment size. If there is no room left, the disc is ejected and a prompt appears instructing you to insert another disc.
Evidence entries are verified on the removable media after they have been burned. After the entry is burned, a status window reports the results of the write and verification.

Burning Logical Evidence Files During Acquisition

To burn a logical evidence file during acquisition:
1. Preview the device.
2. On the Entries tab, select the folders for the Logical Evidence File.
3. Right click and select Create Logical Evidence File.
4. In the Create Logical Evidence File dialog, select Burn Disc, then click Next.
5. In the CD Info dialog, select options as described above.

A separate thread runs for burning the logical evidence entries while they are created. The burn to disc occurs when the first segment finishes acquiring. To cancel the burn, double click the blue Burning status message on the bottom taskbar. Logical evidence, like other evidence entries, is verified after being burned. The status window at the end of the process presents the verification and acquisition status for the burned entries. If there is no room left on a disc, the disc is ejected and a prompt appears to insert another disc.

Burning Files and Reports

Create a New Image Session
To create a new image session:
1. Select Archive Files from the View dropdown menu.
2. To create a new image session for burning data to a CD/DVD from selected entries or reports, right click in the root of Archive Files and select New Image. By default, the module places cached items in C:\Program Files\EnCase6\Cache. To change the root path, right click the root item, select Change Root Path, and browse to or create a folder. A disc icon appears in the tree, called disc image 1. Subsequent images created are named disc image 2, disc image 3, etc.
3. To rename images, right click the image folder (or press F2) and select Rename. A cached image of this file is stored in C:\Program Files\EnCase6\Cache with the folder name and a .cdi extension.

Preparing Entries for Burning

To prepare entries for burning:
1. In the Entries tab, select the entries to be sent to removable media.
2. Right click the desired folder in the tree and select Copy Folders or Copy/UnErase to open the standard option windows for those features.
   - Use Copy Folders to add the selected entries to the folder, retaining the existing entries. File sizes of selected entries retain the original logical size of the file but not the physical size.
   - Use Copy/Unerase to maintain structure based on the options set in the export menu, such as Logical File, Entire Physical File, RAM and Disk Slack, etc.
3. Right click the Archive Files icon in the Destination Folder window and select New Image. By default, this is disc image 1. Folders created previously are visible in the Destination Folder window.
4. Select the appropriate folder, then click Finish.
5. Click OK to add the entries to the Archive Files folder.
6. To view the added entries, navigate to the Archive Files tab and select the folder where you sent the entries.
7. Right click in the table and select Update.

Preparing Reports for Burning

To prepare a report for burning:
1. Go to Report view in either the Table Pane or View Pane.
2. Right click in the report pane and select Export.
3. In the Export Report dialog, select Burn to Disc.
4. Select the appropriate output format, Document or Web Page.
5. Enter the complete path in the Path field or browse to the export location.
6. Select a Destination Folder. If entries already exist in the destination folder, the selected entries are added to them.
7. Click OK to add the report to the disc image folder.

The newly added report is stored under the Archive Files tab and saved globally so you can add to or delete from it at any time.


Burning the Created Image Folders to Disc

Prior to burning a disc image, entries and reports can be moved between volumes by dragging and dropping them from one image to another. Each image may have its own formatting and output options:
- To access the option window to view or edit the settings, right click a volume and select Edit.
- To rename a volume, right click and select Rename.

To burn the image to disc:
1. Right click the image folder and select Burn Disc.
2. In the Archive Files tab, the disc images appear with entries listed in the Table pane.
3. Select appropriate options from the preconfigured settings in the CD Info dialog as described above. When the image is burned, a status window reports the results of the write.

Burning Existing Evidence and Logical Evidence Files

EnCase Evidence Files and Logical Evidence Files that are already created can be burned to media from the EnCase interface. Exceptions to this functionality are:
- Single Entries
- Previewed drives
- Mounted volumes
- dd images
- SafeBack images
- VMware images
- Virtual PC images
- Any other non-evidence files

To burn an EnCase Evidence File or Logical Evidence File to disc, it must first be added into the case using the standard methods:
- Dragging and dropping the file into the EnCase interface
- Using Add Device

To burn an existing evidence or logical evidence file:
1. On the Cases tab, select the Devices subtab.
2. Right click in the table and select the image to be burned. Note that only the highlighted device is burned, not selected (blue checked) devices.
3. Right click on the device and select Burn to Disc.
4. Continue as described in Selecting CD Information on page 109.

Guidance Software
Legal Notification
No part of this manual, including the products and software described in it, may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means, except documentation kept by the purchaser for backup purposes, without the express written permission of Guidance Software, Inc. (GSI).
GSI PROVIDES THIS MANUAL "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL GSI, ITS DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, LOSS OF BUSINESS, LOSS OF USE OR DATA, INTERRUPTION OF BUSINESS AND THE LIKE), EVEN IF GSI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES ARISING FROM ANY DEFECT OR ERROR IN THIS MANUAL OR PRODUCT.
CEIC, EnCase eDiscovery Suite, EnCase Enterprise, EnCase Enterprise AIRS, EnCase Forensic, EnCE, EnScript, FastBloc, Guidance Software, EnCase Neutrino, Snapshot, and WaveShield are registered trademarks or trademarks owned by GSI in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation in to the owners' benefit, without intent to infringe.
Product Manuals and Documentation are specific to the software versions for which they are written. For previous or outdated manuals, product release information, contact Guidance Software at http://www.guidancesoftware.com.
Specifications and information contained in this manual are furnished for informational use only, and are subject to change at any time without notice.

Support
Guidance Software develops solutions that search, identify, recover, and deliver digital information in a forensically sound and cost effective manner. Since our founding in 1997, we have moved into network enabled investigations, and enterprise wide integration with other security technologies.
This section provides information on our support for you through:
- Technical manuals and release notes
- Support portal on the Web, including access to downloads
- Technical Support Department
- Customer Service Department
- Message Boards
- Training
- Professional Services

Technical Manuals and Release Notes

Guidance Software provides printed manuals for all of our product lines, as well as PDF versions of interim updates and release notes, describing the new features and problems fixed.
We welcome your feedback on the documentation. Please feel free to contact us at documentation@guidancesoftware.com.

Technical Support
Guidance Software provides a variety of support options, including phone, email, online submission forms, an up to date knowledge base, and a message board (technical forum).
Support is available from Sunday, 7:00 PM through Friday, 6:00 PM Pacific Time (Monday, 3:00 AM to Saturday, 1:00 PM GMT). This excludes public holidays in the United States and the United Kingdom during respective business hours.

Phone/Mail Support
US Contact Info:
215 North Marengo Avenue
Suite 250
Pasadena, CA 91101
Phone: 1-626-229-9191, Option 4
Fax: 626-229-9199

UK Contact Info:
Thames Central, 5th Floor
Hatfield Road
Slough, Berkshire UK SL1 1QE
Phone: +44 (0)1753 552252, Option 4
Fax: +44 (0)1753 552232

Toll Free Numbers:
Germany: 0800 1814625
China: 10800 1300976
Australia: 1800 750639
Hong Kong: 800 964635
New Zealand: 0800 450523
Japan: 00531 130890


Online Support
Guidance Software offers a Support Portal to our registered users, providing technical forums, a knowledge base, a bug tracking database, and an Online Request form. The Portal gives you access to all support related issues in one site. This includes:
- User, product, beta testing, and foreign language forums (message boards)
- Knowledge Base
- Bug Tracker
- Technical Services Request form
- Downloads of previous software versions, drivers, etc.
- Other useful links

Although technical support is available by email, you will receive more thorough, quicker service when you use the online Technical Support Request Form (https://support.guidancesoftware.com/node/381). Note that all fields are mandatory, and filling them out completely reduces the amount of time it takes to resolve an issue.
If you do not have access to the Support Portal, please use the Support Portal registration form (https://support.guidancesoftware.com/forum/register.php?do=signup).

Registration
Registration requires you to choose a unique username and password. Please provide all requested information, including dongle ID, phone, email address, organization, etc. This helps us identify you as a registered owner of EnCase.
You will receive an email within 24 hours. You must follow the link in that email before you can post on the forums. Until you do that, you will not have permission to post. Once you have verified your email address, you will be added to the Registration List. Please allow 24 business hours for your account to be approved.
Once your registration is approved, you can access the Support Portal (https://support.guidancesoftware.com/). The Support Portal provides a tutorial that briefly overviews the site.


User, Product, and Foreign Language Forums

To access the forums, click on the Forum Tab (https://support.guidancesoftware.com/forum/) in the Support Portal.
The forums allow registered users to post questions, exchange information, and hold discussions with Guidance Software and other users in the EnCase community. Different discussion groups are available as follows:

Foreign Language Groups
- French
- Arabic
- German
- Spanish
- Japanese
- Chinese
- Korean

Forum Groups
- User Group
- Consultant and Practitioners
- Computer Forensic Hardware Issues
- EnScript Forum

Product Specific Groups
- EnCase Neutrino
- Enterprise
- FIM
- eDiscovery

These groups are only available to customers who have purchased the respective products.
Enter a group by clicking on the group name.

Posting to a Group
To create a new post, click the new post icon. Click the reply icon to reply to a post, or use the Quick Reply icon at the bottom of each post.


Searching
The forums contain an accumulation of over ten years of information. Use the search button to search for keywords, or click Advanced Search for more specific search options.

Bug Tracker
Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement requests. It is broken down by product, showing the current number of bugs/enhancements and public bugs for each product. To access the Bug Tracker, click on Bug Tracker (https://support.guidancesoftware.com/forum/project.php) in the Support Portal.

Knowledge Base
You can find answers to frequently asked questions (FAQs) and other useful product documentation in the Knowledge Base. You can also submit your own articles to help other EnCase users.
To access the Knowledge Base, click on Knowledge Base (https://support.guidancesoftware.com/directory) in the Support Portal.
From here, you can browse, search, and write Knowledge Base articles.

Online Technical Support Request Form

Please use the Request Form for assistance from a Technical Services engineer. To access the form, click on Request Form (https://support.guidancesoftware.com/node/381) in the Support Portal.


Other Useful Links

The Support Portal's landing page contains a section of useful links, including:
- Guidance Software Home Page
- Download Center to download software, hardware, manuals, boot disks, support articles, etc.
- My Account to register your dongle id to receive up to date software by email
- NVD (National Vulnerability Database) Information and Responses
- Guidance Product Version Matrix for checking compatibility of different product versions
- Hardware Recommendations for EnCase Forensic and EnCase Enterprise
- Subscribe to Public Bugs

Customer Service
The Guidance Software Customer Services Department is staffed by highly trained, friendly staff capable of resolving any problem regarding your order.
Hours and contact information are listed below.
Phone: 626.229.9191
Fax: 626.229.9199
Email: customerservice@guidancesoftware.com
Internet: http://www.guidancesoftware.com/support/cs_requestform.aspx
Hours: Monday through Friday 6:00 a.m. to 5:00 p.m., Pacific Time


Message Boards
The Guidance Software message boards are resources for the computer forensics community to exchange ideas, ask questions, and give answers. The message boards are an invaluable resource for the forensic investigator.
Discussions range from basic acquisition techniques to in depth analysis of encrypted files and more. Thousands of experienced and skilled users are registered on the boards, reviewing posts every day, and providing their expertise on all Guidance Software products.
More information about the message boards, including information on how to join the message board, is located at: http://www.guidancesoftware.com/support/messageboards.asp.

Downloads
When you receive your product, register with Guidance Software to receive updates. Registration is located at the https://www.guidancesoftware.com/myaccount/registration.aspx site.
If you have any trouble registering your product, contact Customer Service (see page 122). If you have any trouble downloading the updates once registered, contact Technical Support (see page 118).

Training
Guidance Software offers a variety of professional courses for the beginner, intermediate and advanced user of all its applications. In addition to providing a solid grounding in our software, we also provide our students with accepted best practices for investigation, report generation and evidence preservation.
Guidance Software offers courses for law enforcement agencies, organizations concerned with forensics and incident response, and advanced topics for all users.

Professional Services
The Guidance Software Professional Services Division (PSD) combines world leading computer investigations experts with world leading forensic technology to deliver turnkey solutions to forensic investigations.
Guidance Software has combined its industry leading computer investigation technology with a team of the most highly trained and capable investigators in the world to bring you complete turnkey solutions for your business. When you face investigative issues that go beyond your internal capabilities, our professional services group is able to respond either remotely or by coming on site to provide the right technology and computer investigations personnel for the job.


Internal Investigations
- Theft of intellectual property
- Intrusion reconstruction
- Wrongful termination suit

Compliance
- Sarbanes-Oxley
- PII risk assessment
- California SB 1386

eDiscovery
- Pending litigation
- Responsive production
- Forensic preservation

Information Security
- Compromise of system integrity
- Policy review
- Unauthorized use
- Forensic lab implementation

Index

A
Accessing the Local Disk in Windows Explorer 65
Accessing the Share 85
Analyze EFS 14, 18
Associate Selected 21

B
Background Information 96
BitLocker Encryption Support (Volume Encryption) 32
Boot Evidence Files and Live Systems with VMware 68
Boot the Virtual Machine 71
Built-in Attack 57
Burning 110
Burning Evidence Files During Acquisition 108
Burning Existing Evidence and Logical Evidence Files 114
Burning Files and Reports 110
Burning Logical Evidence Files During Acquisition 110
Burning the Created Image folders to Disc 114

C
CD/DVD Module 9, 107
CD DVD Module Specific Requirements 5
Certificate Files for Your Security Key 5
Certificates Programmed on the Security Key 5
Changing the Mount Point 84
Closing and Changing the Emulated Disk 67
Closing the Connection 92
Compound Files 78
Configuring the PDE Client 63
Configuring the Server 90
Connecting the Clients 92
Create a New Image Session 110
CREDANT Encryption Support (File Based Encryption) 37
CREDANT Encryption Support (Offline Scenario) 41
CREDANT Files and Logical Evidence (L01) Files 42
Customer Service 122, 123

D
Decrypted Block 53
Decrypting S/MIME Emails in an Evidence File Created in Windows Vista 49
Deleted Files 79
Determining Local Mailbox Encryption 51
Dictionary Attack 56
Disk and Volume Encryption 12
Disk Caching 103
Disk Caching and Flushing the Cache 103
Dismount the Network Share 84
Downloads 123

E
EDS Features 12
EFS Files and Logical Evidence (L01) Files 17
EnCase Decryption Suite 11
EnCase Decryption Suite Module 7
EnCase Physical Disk Emulator Module 7
EnCase Virtual File System Module 8
Encrypted Block 52
Encrypting File System 79
Enter Items 18
Evidence File Formats Supported by EnCase PDE 62
Evidence File Formats Supported by VFS 76
ext2, ext3, UFS, and Other File Systems 83

F
FastBloc SE Module 9, 95
FastBloc SE Module Specific Requirements 4, 97, 98, 102
File Based Encryption 13

G
GuardianEdge Hard Disk Encryption Known Limitation 37
Guidance Software 117

H
HPA and DCO Configured Disks 96

I
Initial Preparation 68
Installing the EnCase Modules 5, 97, 103
Installing the FastBloc SE Module 97
Internal Files and File System Files 80
Introduction 3, 4

L
Legal Notification 117
Locally Encrypted NSF Parsing Results 54
Lotus Notes Local Encryption Support 51

M
Malware Scanning 86
Message Boards 123
Minimum Recommended Requirements 4
Mount Network Share Options 77
Mounted Files 13
Mounting a Single Drive, Device, Volume, or Folder 76
Mounting Evidence with VFS 76
Mounting Non-Windows Devices 65

N
New Virtual Machine Wizard 68
NSF Encryption Support 49

O
Other File Systems 83
Other Tools and Viewers 87
Overriding HPA and DCO Settings 97
Overview 12

P
Parsing a Locally Encrypted Mailbox 51
PDE Troubleshooting 73
Physical Disk Emulator 61
Preparing Entries for Burning 111
Preparing Reports for Burning 113
Previewing a Write Blocked Device 102
Product Matrix 12, 13
Professional Services 123

R
RAIDs 79
RAM and Disk Slack 80
Recovering NSF Passwords 49
Removing Write Block from a USB, FireWire, or SCSI Device 100
Restoring 102
Restrict Access by IP Address 91

S
S/MIME Encryption Support 43
SafeBoot Encryption Support (Disk Encryption) 23
Saving and Dismounting the Emulated Disk 65
Secure Storage Items 23
Secure Storage Tab 17
Secure Storage Tab and EFS 17
Selecting CD Information 109, 115
Starting Physical Disk Emulator 62
Support 117
Supported CREDANT Encryption Algorithms 41
Supported SafeBoot Encryption Algorithms 26
Supported Utimaco SafeGuard Easy Encryption Algorithms 26

T
Technical Manuals and Release Notes 118
Technical Support 118, 123
Temporary Files Reminder 67, 89
Third Party Tools 67, 86
Training 123
Troubleshooting 93, 103
Troubleshooting a Failed S/MIME Decryption 47
Turning Off IDE Write Block Protection 99

U
Using EDS 14
Using Physical Disk Emulator 62
Using the EnCase Interface 85
Using the FastBloc SE Module 98
Using Third Party Tools 67
Using Windows Explorer 85
Utimaco Challenge/Response Support 26, 27
Utimaco SafeGuard Easy Encryption Known Limitation 32
Utimaco SafeGuard Easy Encryption Support 26

V
Verifying the Modules are Installed 6
VFS Module Specific Requirements 4
VFS Server 89
Virtual File System 75
VMware/EnCase PDE FAQs 72

W
What is the CD/DVD Module? 108
What is the FastBloc SE Module? 96
What is the Physical Disk Emulator? 62
What is VFS? 76
Windows Key Architecture 56
WinMagic SecureDoc Encryption Support 34
Wiping 102
Write Block Validation Testing and Disk Caching 103
Write Blocking a USB, FireWire, or SCSI Device 99
Write Blocking IDE and SATA Controller Cards 98
