Lab Manual
Module 12: Forensics Investigation Using EnCase

EnCase® Forensic, the industry-standard computer investigation solution, is for forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process.

Lab Scenario

Five members from the management team of Ace-1 Company were given complete access to the confidential business strategy blueprint during the peak period to accomplish the task of launching their product as per the schedule. Just a day before the product launch date, the rival company launched a product similar to theirs at a price lower than the market price.

Ace-1 Company called a board meeting to discuss this matter. An investigator was hired by the company to investigate any fraudulent trading. Upon investigation, they discovered that Lraniet (a member of the management team) had copied the business strategy blueprint to his pen drive and sent it to the rival company using his personal email id from his laptop. During the investigation, the investigator found the suspect email on his laptop.

Lab Objectives

The objective of this lab is to provide expert knowledge on conducting a complete forensics investigation from beginning to end.

Lab Environment

To carry out the lab you need:
• A system running Windows Server 2008
• A web browser with an internet connection
• Administrative privileges to run the tool
• EnCase Forensic, located at C:\CHFI-Tools\CHFI v8 Module 12 Forensics Investigation Using EnCase\EnCase Forensic
You can also download the latest trial version of the EnCase Forensic tool from http://www.guidancesoftware.com upon registration. If you intend to download the latest version, then the screenshots shown in the lab might be different.

Lab Duration

Time: 4) Minutes

Overview of EnCase Forensic

The EnCase® Forensic solution lets examiners acquire data from a wide variety of devices, unearth potential evidence with disk-level forensic analysis, and craft comprehensive reports on their findings, all while maintaining the integrity of their evidence.

Lab Tasks

Note: The older version of the EnCase tool is presented here for demonstration purposes only. Please talk to your instructor for a demonstration of the latest version of the tool. We insist that you download and install the latest version of the tool.

TASK 1: Forensics Investigation Using EnCase

1. Navigate to C:\CHFI-Tools\CHFI v8 Module 12 Forensics Investigation Using EnCase\EnCase Forensic and double-click EnCase.
2. The EnCase window appears as shown in the following figure; this shows the homepage of the tool.
3. To configure EnCase, click Tools > Options. This displays the Options wizard; click the required tab and change the settings as per the requirement.
4. Set parameters like date format, time format, etc. in the Global tab of the Options wizard.
FIGURE: EnCase Forensic Options window showing the Global tab
5. Click the Debug tab of the Options wizard to view debugging information and options. Choose the Debug Logging option to determine what action is taken if EnCase crashes.
FIGURE: EnCase Forensic Options window showing the Debug tab

Click the Colors tab of the Options wizard and then double-click a listed element to change the color associated with various case elements.
FIGURE: EnCase Forensic Options window showing the Colors tab

Click the Fonts tab of the Options wizard and then double-click a listed element to change the font of various case elements.
FIGURE: EnCase Forensic Options window showing the Fonts tab

Click the Storage Paths tab of the Options wizard and provide the required paths.
FIGURE: EnCase Forensic Options window showing the Storage Paths tab

6. Navigate to C:\CHFI-Tools\CHFI v8 Module 12 Forensics Investigation Using EnCase\EnCase Forensic.
7. Drag and drop the ViewPartitionTable.E01 evidence file on to the Tree Pane of EnCase Forensic. This opens the Case Options window.
8. In the Case Options window, enter the case information (case name, examiner name, etc.) and click the Finish button. It displays the Default Export Folder pop-up window.
FIGURE: EnCase Forensic Case Options window
9. In the Default Export Folder window, click Yes.
FIGURE: EnCase Forensic Default Export Folder pop-up window
10. In the Temporary Folder pop-up window, click Yes.
FIGURE: EnCase Forensic Temporary Folder pop-up window
11. In the Index Folder pop-up window, click Yes.
12. The main EnCase Forensic window appears with the evidence file in the tree. It contains:
• Tree Pane: Shows evidence associated with a case in a hierarchical tree format.
• View Pane: Displays whatever is selected in the Table Pane.
This data can be viewed in various formats, depending on the data type.
• Filter Pane: Provides tools to filter the evidence, run an EnScript, and choose other display options.
• Table Pane: Displays the selected evidence; the display varies when you select different viewing functions.
13. In the Tree Pane, select the evidence that you have added to the case (here, PARTITION) to view the folders and files of the evidence in the Table Pane.
14. The Cases window contains the Home, Entries, Bookmarks, Search Hits, Records, Devices and Secure Storage tabs, among others. Click the Entries tab to view the content of the evidence.
15. In the View Pane, click the Hex option to view the evidence in hexadecimal format.
FIGURE: EnCase Forensic View Pane showing the Hex view
16. In the View Pane, click the Report option to view the report of the evidence.
FIGURE: EnCase Forensic View Pane showing the Report view
18. Select the particular evidence file in the Tree Pane to view the respective folders and files in the Table Pane. You can also double-click the evidence in the Table Pane to view its content.
FIGURE: EnCase Forensic main window showing the report of the currently selected partition or file in the View Pane
19. To see the other properties of files and folders, move the scroll bar present at the bottom of the Table Pane towards the right.
20. In the EnCase Forensic main window, select the entry in the Tree Pane and click the Timeline button in the Table Pane. It enables you to see all the times that a file was created, written, accessed, modified, deleted, and so on.
FIGURE: EnCase Forensic main window showing the Timeline view
21. In the EnCase Forensic main window, click the Disk button in the Table Pane for the Disk View of the evidence.
FIGURE: EnCase Forensic main window showing the Disk View

TASK 2: Adding Other Evidence Files

22. Navigate to C:\CHFI-Tools\CHFI v8 Module 12 Forensics Investigation Using EnCase\EnCase Forensic.
23. Now drag and drop the MO E-mail ien.E01 and Number XP.E01 evidence files on to the Tree Pane of EnCase Forensic. Click the [+] button in the Tree Pane to expand the tree view.
FIGURE: EnCase Forensic showing the newly added evidence files
24. Navigate through the various folders of the evidence in the Tree Pane, select the files or folders that you want to export, and then right-click and select the Export option. It will open the Export window. Or navigate to Edit > Export.
25. In the Export window, select the Only Checked Rows option and select the fields that you want to be displayed in the export file.
Check the Output path and then click the Finish button.
Note: The Export window takes the default path for the Output File. However, you can change the path by clicking on the Edit button.
FIGURE: EnCase Forensic Export window
26. Select the files that you want to bookmark. Right-click and then choose the Bookmark Data option.
27. Or navigate to Edit > Bookmark Data.
FIGURE: EnCase Forensic main window
28. In the Bookmark Data window, select the Create new bookmark folder option, type the name in the Folder Name field and click OK.
FIGURE: EnCase Forensic Bookmark Data window
29. In the Cases tab options, click the Bookmarks tab to see the bookmarks in the Table Pane.
FIGURE: EnCase Forensic Cases tab options

TASK 3: Searching Files

30. Click the Search button. It will open the Search window.
31. In the Search window, select the proper options and then click the Start button. Once the search is completed, it will display the Searching window.
FIGURE: EnCase Forensic Search window
32. In the Searching pop-up window, select the Console, Note, and Log Record options and then click OK.
FIGURE: EnCase Forensic Searching window
34. The Search Hits tab gives the folder view of the search results.
FIGURE: EnCase Forensic Search Hits tab
35. To see the actual content of a particular folder, click the Records button in the Cases tab options.
36. Select an entry in the Tree view; it will display all the records that fall under it.
FIGURE: EnCase Forensic Records tab
37. Click the Secure Storage button in the Cases tab options to view the files which store user credentials (user IDs, passwords). Click on a particular file in the Tree Pane to see the information of the file in the Table Pane.
FIGURE: EnCase Forensic Secure Storage tab

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Lab Questions

1. Determine how to create a new

Case Study: Disaster Recovery Investigation

Jason worked for a large accounting firm, H&M Consultants, in Dallas, Texas. He prepared financial balance sheets and accounting reports for big corporate clients. His deadline to submit the annual tax filing for dncobisun Enterprises was on Friday by 10 am. He worked hard and completed the entire tax filing report on Thursday night and felt that he had done a terrific report that would boost his promotion opportunities within the company. He then went home, leaving his computer switched on.

The next morning Jason arrived at the office and got ready to print the document for the IRS filing submission. Apparently, there had been a power outage within the building due to voltage fluctuation. Jason noticed that his computer was turned off, so he tried to switch it on, and to his shock the computer failed to boot with the following message displayed:

The NTOSKRNL is corrupted along with serious damage to your data files. Please reinstall the Operating System and recover data from backup.

Jason's computer was not on the network and had never been backed up.
He picked up the phone and called the company's IT help desk for assistance. The company IT help desk told Jason that the data cannot be recovered and advised him to hire a forensic investigator who might assist in this situation. Jason searched Google for a skilled computer forensics investigator and Brian's name popped up as a link: "We have CHFI on board to investigate all your Computer Forensics needs". Jason looked up Brian's telephone number from the web page and called him immediately.

Forensic Methodology Used

1. Brian visited Jason's desk and removed the hard disk from his computer.
2. He placed the hard disk carefully in anti-static bags and transported it to the forensics laboratory.
3. He created a bit-stream image of the hard disk using tools such as R-Drive and Linux dd commands.
4. Brian generated MD5 hashes of the bit-stream image.
5. He prepared a chain-of-custody document and stored the original hard disk in a secure location.
6. Brian was asked to retrieve the following:
   a. IRS Tax files
   b. Spreadsheet files
7. He loaded the bit-stream image as an evidence file in EnCase Forensic.
8. He observed the following:
   a. The Operating System is Windows XP Professional with SP2.
   b. Memory is 2 Ghz.
   c. The size of the C: drive is 30 Gb and it has only one partition.
9. He viewed the boot sector files and noticed that he was unable to access files located in the directory c:\windows\system32.
10. The partition table indicated that the C: drive was corrupted. This prevented the system from booting.
11. He used the EnCase hex editing utility to fix the partition table.
12. He saved the hard disk image and mounted it as a primary device in another computer.
13. The computer booted normally and he copied all the IRS Tax files and spreadsheet documents to DVD-ROM.
14. Brian prepared a professional forensics report based on the actions he had taken to restore the data.
15. He printed a copy of the report in PDF format and extracted the restored files to an encrypted/password-protected DVD-ROM.
16. Brian delivered the report to the company along with the fee for the forensics services he rendered.
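The imaging and hash-verification steps (3 and 4) and the partition-table check behind steps 10 and 11 can be reproduced outside EnCase. The following is an added example, not code from the lab manual or from EnCase or R-Drive; it stands in for dd plus md5sum with a file-based "disk", and the MBR sector it builds is a constructed sample shaped like the case study's single 30 GB partition.

```python
import hashlib
import os
import struct
import tempfile

SECTOR = 512
BOOT_SIG = b"\x55\xaa"  # a valid MBR ends with 0x55 0xAA at offset 510

def image_and_hash(src_path, dst_path, chunk=1 << 20):
    """Bit-stream copy (what dd does) hashed as it is read; returns (md5 of source, md5 of image)."""
    h_src, h_dst = hashlib.md5(), hashlib.md5()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            h_src.update(buf)
            dst.write(buf)
    with open(dst_path, "rb") as dst:  # re-read the image independently to verify the copy
        for buf in iter(lambda: dst.read(chunk), b""):
            h_dst.update(buf)
    return h_src.hexdigest(), h_dst.hexdigest()

def parse_mbr(sector0):
    """Decode the four 16-byte primary entries at offset 0x1BE; returns (signature_ok, partitions)."""
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, nsectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0:  # type 0x00 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start_lba": lba_start, "sectors": nsectors})
    return sector0[510:512] == BOOT_SIG, parts

def build_sample_mbr(corrupt_signature=False):
    """Constructed sample sector: one bootable NTFS (0x07) partition of 30 GB, as in the case study."""
    sector = bytearray(SECTOR)
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                                  63, 30 * 1024 ** 3 // SECTOR)
    sector[510:512] = b"\0\0" if corrupt_signature else BOOT_SIG
    return bytes(sector)

def acquire_and_check(corrupt_signature=False):
    """End to end on a constructed 4-sector disk file: image it, compare hashes, inspect sector 0."""
    workdir = tempfile.mkdtemp()
    src, img = os.path.join(workdir, "disk.bin"), os.path.join(workdir, "disk.dd")
    with open(src, "wb") as f:
        f.write(build_sample_mbr(corrupt_signature) + b"\0" * (3 * SECTOR))
    md5_src, md5_img = image_and_hash(src, img)
    with open(img, "rb") as f:
        sig_ok, parts = parse_mbr(f.read(SECTOR))
    return {"hash_match": md5_src == md5_img, "md5": md5_img, "signature_ok": sig_ok, "partitions": parts}
```

Calling acquire_and_check() reports matching hashes and one bootable type 0x07 partition of 62914560 sectors; with corrupt_signature=True the hashes still match but signature_ok is False, which is the kind of damage an examiner would then repair in a hex editor.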
