Excerpts from EnCase® Introduction to Computer Forensics
QuickStart Training Manual for Education Distribution, Revision 4.0

Guidance Software, Inc.
215 N. Marengo Ave., Second Floor, Pasadena, CA 91101
Tel: (626) 229-9191  Fax: (626) 229-9199
e-mail: [email protected]
web: www.GuidanceSoftware.com

Copyright ©2003, Guidance Software, Inc. EnCase is a trademark of Guidance Software, Inc. All rights reserved. No part of this publication may be copied without the express written permission of Guidance Software, Inc., 215 N. Marengo Ave., Second Floor, Pasadena, CA 91101


Source: galaxy.cs.lamar.edu/~bsun/forensics/QuickStart_Training.pdf


CONTENTS

ENCASE® CONCEPTS
  EVIDENCE FILE
  CASE FILE
  ENCASE .INI FILES
CREATING A CASE
  CASE MANAGEMENT
  RUNNING THE DEMO FROM A LOCAL HARD DRIVE
NAVIGATING THE CASE VIEW
  BASIC LAYOUT
SEARCHING THE CASE
  ADDING KEYWORDS
  STARTING A SEARCH
VIEWING THE SEARCH RESULTS
BOOKMARKING YOUR FINDINGS
  UNDERSTANDING BOOKMARKS
  BOOKMARKING VIEW
  BOOKMARKING DATA
SEARCHING UNALLOCATED SPACE
WINDOWS ARTIFACTS
SOFTWARE RAID EVIDENCE

Copyright © 2003 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.


Lesson 1

EnCase® Concepts

EVIDENCE FILE

The central component of the EnCase methodology is the Evidence File. This file contains three basic components (the header, checksum and data blocks) that work together to provide a secure and self-checking description of the state of a computer disk at the time of analysis.

Cyclical Redundancy Check (CRC)

The Cyclical Redundancy Check is a variation of the checksum and works in much the same way. The advantage of the CRC is that it is order sensitive: the strings “1234” and “4321” produce the same checksum, but not the same CRC. In fact, the odds that two sectors containing different data will produce the same CRC are roughly one in a billion.

Most hard drives store one CRC for every sector. A read error from a disk usually means that the CRC stored with the sector does not match the value the drive hardware recomputes after reading the sector; when that happens, the drive reports a low-level disk read error.

Evidence File Format

Each file is an exact, sector-by-sector copy of a floppy or hard disk. When the file is created, the user supplies information relevant to the investigation. EnCase archives this and other information inside the Evidence File along with the contents of the disk. Every byte of the file is verified using a 32-bit CRC, making it extremely difficult, if not impossible, to tamper with the evidence once it has been acquired. This allows the investigators and legal team to confidently stand by the evidence in court.

Rather than compute a CRC value for the entire disk image, EnCase computes a CRC for every block of 64 sectors (32 KB) written to the Evidence File. This provides a good compromise between integrity and speed. A typical disk image will have many tens of thousands of CRC checks. The investigator will be able to identify the location of any error in the file and disregard that group of sectors, if necessary.

Figure 1-1 Parts of a complete EnCase evidence file

Compression

Compression technology allows EnCase to store the data from a large disk in a relatively small file. EnCase uses an industry standard compression algorithm to achieve an average size reduction of 50%. If most of the disk is unused, the compression ratio may be much higher. This can result in great savings in disk storage space. Compressed Evidence Files take longer to generate because of the additional processing time required to compress the information. Compression NEVER has any effect on the final evidence, and compressed blocks are checked for validity in the same way as uncompressed ones.

Verifying an Evidence File Automatically

Whenever an Evidence File is added to a case, EnCase will begin to verify the integrity of the entire disk image in the background. This is usually quite fast for small (floppy) Evidence Files but can take a long time for hard disk files. During the verification process, the investigator can continue working on the case normally. If the case is saved and closed while the verification process is running, the verification process is canceled. This process then starts over when the case is re-opened.

Verifying an Evidence File Manually

To re-verify an Evidence File manually, click on the Case tab and select the appropriate Evidence File. RIGHT-CLICK and select Verify File Integrity. A confirmation box will appear. Click Yes to begin.

Figure 1-2 Verifying EnCase evidence file integrity

Copyright © 2003 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.

Page 6: Excerpts from EnCase® Introduction to Computer Forensicsgalaxy.cs.lamar.edu/~bsun/forensics/QuickStart_Training.pdf · 4 EnCase® Concepts Disk and Volume Hash Values EnCase calculates

4 EnCase® Concepts

Disk and Volume Hash Values

EnCase calculates an MD5 hash when it acquires a physical drive or logical volume. The hash value is written into the Evidence File and becomes part of the documentation of the evidence. When an Evidence File is added to a case, EnCase automatically verifies the CRC values and recomputes the hash value for the evidence data within the Evidence File. The hash value that is stored in the Evidence File and the hash value that is computed when the Evidence File is added to a case both appear in the Report for immediate confirmation that the Evidence File has not changed since it was acquired. To recompute the hash value of the drive or volume at any time, select Case View, RIGHT-CLICK on a physical drive or logical volume, and select Hash.
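The integrity scheme described in this lesson (a 32-bit CRC for every 64-sector block, plus an acquisition hash that is stored in the file and recomputed when the file is added to a case) can be demonstrated with a small self-checking container. The code below is an added illustration and is not EnCase code; it does not reproduce the EnCase/EWF file layout. Its format is constructed: a JSON header holding the case information, the image size and the MD5 of the image, followed by 32 KB data blocks each trailed by its CRC-32. The verifier recomputes every block CRC, reports which blocks fail, and compares the stored hash with the recomputed one, as the Report does. The checksum and CRC helpers show the order-sensitivity point from the CRC section. The sample image, case details and magic value are constructed for the example.

```python
import hashlib
import json
import struct
import zlib

SECTOR = 512
BLOCK_SECTORS = 64                  # one CRC per 64 sectors, as the manual describes
BLOCK = SECTOR * BLOCK_SECTORS      # 32 KB
MAGIC = b"EDU1"                     # constructed signature; not the EnCase/EWF one


def checksum32(data: bytes) -> int:
    """Additive checksum: order-insensitive, so b"1234" and b"4321" collide."""
    return sum(data) & 0xFFFFFFFF


def crc32(data: bytes) -> int:
    """CRC-32 as zlib computes it: order-sensitive, 32-bit result."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_container(image: bytes, case_info: dict) -> bytes:
    """Header (magic, length, JSON with case info, size and MD5), then data
    blocks of up to BLOCK bytes, each followed by its big-endian CRC-32."""
    header = dict(case_info, size=len(image), md5=hashlib.md5(image).hexdigest())
    header_bytes = json.dumps(header, sort_keys=True).encode()
    parts = [MAGIC, struct.pack(">I", len(header_bytes)), header_bytes]
    for start in range(0, len(image), BLOCK):
        block = image[start:start + BLOCK]
        parts += [block, struct.pack(">I", crc32(block))]
    return b"".join(parts)


def read_header(blob: bytes):
    """Return (header dict, offset of the first data block)."""
    if blob[:4] != MAGIC:
        raise ValueError("not an evidence container")
    (hlen,) = struct.unpack(">I", blob[4:8])
    return json.loads(blob[8:8 + hlen]), 8 + hlen


def verify_container(blob: bytes) -> dict:
    """Recompute every block CRC and the image MD5, as happens when an
    Evidence File is added to a case."""
    header, pos = read_header(blob)
    bad_blocks, blocks, index, remaining = [], [], 0, header["size"]
    while remaining > 0:
        n = min(BLOCK, remaining)
        block = blob[pos:pos + n]
        (stored_crc,) = struct.unpack(">I", blob[pos + n:pos + n + 4])
        if crc32(block) != stored_crc:
            bad_blocks.append(index)   # the examiner can disregard just this group of sectors
        blocks.append(block)
        pos, index, remaining = pos + n + 4, index + 1, remaining - n
    computed = hashlib.md5(b"".join(blocks)).hexdigest()
    return {"stored_md5": header["md5"], "computed_md5": computed,
            "md5_match": computed == header["md5"], "bad_blocks": bad_blocks}


def flip_byte(blob: bytes, image_offset: int) -> bytes:
    """Copy of the container with one image byte inverted: a simulated media
    error or alteration after acquisition."""
    _, base = read_header(blob)
    block, within = divmod(image_offset, BLOCK)
    pos = base + block * (BLOCK + 4) + within
    return blob[:pos] + bytes([blob[pos] ^ 0xFF]) + blob[pos + 1:]


# Constructed 100-sector image of deterministic filler (not a real disk)
SAMPLE_IMAGE = bytes((i * 7 + (i >> 9)) & 0xFF for i in range(100 * SECTOR))
SAMPLE_CASE = {"examiner": "Example Examiner", "evidence": "demo-floppy-01"}

if __name__ == "__main__":
    container = build_container(SAMPLE_IMAGE, SAMPLE_CASE)
    print(verify_container(container))                     # bad_blocks [], md5_match True
    print(verify_container(flip_byte(container, 40_000)))  # bad_blocks [1], md5_match False
```

flip_byte simulates a single damaged or altered byte: verify_container then names the 32 KB block that failed its CRC, so only that group of sectors need be disregarded, while the hash mismatch shows that the acquisition as a whole no longer matches what was recorded. CRC-32 reliably detects accidental corruption (any change confined to 32 consecutive bits is always caught) but it is not a cryptographic hash; the acquisition hash stored in the header is what ties the verified data back to the acquisition.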

Figure 1-3 Recalculating the hash value of an EnCase evidence file

CASE FILE

A case file is a text file that contains pointers to the evidence and additional information specific to that case, such as bookmarks, search results, sorts, hash analysis and signature analysis results. A case file is created when the user saves the case.

EnCase .INI FILES

EnCase version 4 uses .INI files to maintain global settings, that is, settings that always apply, such as filters, file types and file signatures. This information is global and not specific to any particular case. These files can be moved from one computer to another.


Lesson 2

Creating a Case

STUDENT NOTE: In this evaluation version, a case file has already been created for you. To open the case file, click File>Open and navigate to the location of the Student Demo.Case file.

A powerful feature of EnCase is its ability to organize different types of media together so that they can be searched as a unit, rather than individually. This saves time and allows the examiner to expend most of his or her efforts toward examining the evidence, rather than dealing with different types of media.

CASE MANAGEMENT

Before starting an investigation and acquiring media, consider how to access the Case once it has been created. It may be necessary for more than one investigator to view the information simultaneously. In such a case, the Evidence Files should be placed on a central file server, and copies of the Case file placed on each investigator’s computer (since Case files cannot be accessed by more than one person at a time).

One method of organization is to create a folder for each case, and to place the Case File and Evidence Files associated with that case in that folder. The reports and evidence copies may be placed in the same folder, or in sub-folders. Creating a TEMP folder in that folder allows the segregation and control of the temporary files that are created in the course of the investigation.


Create a new folder for every case

Create a Temp folder to keep the temporary files organized

Figure 2-1 Creating folder structure

The EnCase Forensic Methodology strongly recommends that the examiner use a second hard drive, or at least a second partition on the boot hard drive, for the acquisition and examination of digital evidence. It is preferable to wipe an entire hard drive or partition, rather than individual folders, to ensure all of the temporary, suspect-related data is destroyed. This will aid in deflecting any claims of cross-contamination by the opposing counsel if the forensic hard drive is used in other cases.


Start EnCase and select File…New OR click on the NEW icon on the toolbar. The CASE OPTIONS dialog box will appear, which allows the selection of EXPORT and TEMPORARY folders for the new case.

Figure 2-2 Creating a new case

Browse to the folders that you created for this case, then click on OK.


Next, select File…Save or click on the Save icon on the toolbar. Navigate to the appropriate folder and enter a name for the case. Click on Save to save the new case file.

Figure 2-3 Saving a case


RUNNING THE DEMO FROM A LOCAL HARD DRIVE

If you would like to run this demo version of EnCase from a local hard drive, you just need to copy the evidence files and make a couple of path changes. This section will step you through that process.

This demo version will only work with these evidence files.

Create a Case Management Structure

Create a folder structure on your hard drive similar to the one displayed at the beginning of this lesson. This folder structure can be created on your primary hard drive.

Copy All Evidence Files

Your demo CD contains five evidence files:

Figure 2-4 Demo version contains five evidence files

Copy each of these evidence files to the \Cases\Brady\Evidence Files folder.

Copy Case File

Your demo CD contains a case file named Student Demo.Case. Copy this file to the \Cases\Brady folder. Make sure that you adjust the read-only file attribute so you can save your work.

Figure 2-5 Change read-only attribute


Remove the CD

You can now remove your demo CD and store it.

Start EnCase

Start EnCase and open the Student Demo case file by clicking File>Open and navigating to \Cases\Brady.

When the case file opens, it will not be able to locate the evidence files. You will receive the following prompt:

Figure 2-6 Error message displayed due to the evidence files being moved

Click Yes and navigate to the path of the evidence files (\Cases\Brady\Evidence Files). Select the Quantum.E01 and click Open.

Figure 2-7 Navigate to the new path and select Quantum.E01


All of your evidence files will open.

The last change you need to make is to set the path of the new export and temporary folders. Click on Tools>Options. Change the path and click OK.

Now save your case.


Lesson 3

Navigating the Case View

EnCase opens into the Case View by default when a new case is created. The case view is used to navigate through the evidence that has been added to the case. From this view, you can view the files on a single piece of evidence or all the files found on several pieces of evidence. The Picture Gallery, Timeline, Disk View, and Evidence Table are all accessed from the Case View.

BASIC LAYOUT

The screen is initially divided into three sections, referred to as the left pane, right pane, and bottom pane.

LEFT PANE RIGHT PANE

BOTTOM PANE

Figure 3-1 View of the three panes


Left Pane

This view works like Windows Explorer, providing the user with a tree-structured view of the evidence, and illustrating the relationship of each folder hierarchically. It presents each Evidence File as a folder that contains additional folders and files. Only Evidence Files and the folders contained within them are displayed in this view. Individual files are not displayed. An icon that quickly identifies the type of evidence precedes each Evidence File. Three icons are used as follows:

Represents removable media such as floppy diskettes, flash cards, Zip disks, and Jaz disks.

Represents hard drives.

Represents CD-ROM disks.

Figure 3-2 Expanding folders to examine contents within

The plus and minus signs can be used to expand and contract the tree structure.

Right-clicking on a folder will bring up a context menu, with the choice to expand or contract everything from the selected position. Everything in the case will be affected by right-clicking on the Case folder.

Figure 3-3 Context menu controlled by right-clicking on a folder


Right Pane

The right pane, by default, is in the Table View. Within this view are the sub-folders and files that are contained within the folder that is highlighted in the left pane. Highlighting a folder affects the display in the right pane.

Figure 3-4 Highlighting a file in the right pane

If a folder is highlighted and there is one sub-folder, the sub-folder will be displayed. However, the files within the sub-folder will not be displayed.

Notice that there are only 22 files and folders within the My Documents folder shown above.

To see all the files, the polygon (or home plate icon) must be highlighted in the left pane. Click on the polygon icon to see all of the files within that folder structure.

With the polygon icon (sometimes referred to as the “show all” icon) selected, all the files appear from the sub-folders within the My Documents folder. We now see 1,437 files and folders in the right pane shown below.

Figure 3-5 Examining a folder with the show all icon selected

The polygon icon is used to “Show All” files below the affected folder. Holding down the control key and clicking the pointed box allows multiple folders to be affected this way, showing all files below each folder.


Bottom Pane

The bottom pane displays the contents of the items selected in the right pane.

The bottom pane has default settings that should be understood. EnCase checks the contents of a file to see if it is an image that can be decoded internally. If so, EnCase will automatically switch to picture view in the bottom pane and display the image.

Figure 3-6 Picture shown automatically in bottom pane

A large amount of evidence gathering is conducted from the bottom pane. Here, the user can select various amounts of data and bookmark that information, which can then be included in the report. Refer to the “Bookmarking” chapter for more on creating bookmarks. Within this pane, the data can be viewed in a number of formats to facilitate easier retrieval by the investigator.


Here the same picture is viewed in Hexadecimal:

Figure 3-7 Viewing a picture in the bottom pane as hex

Here is a text file displayed in text view:

Figure 3-8 Text file in the bottom pane


Although the text is readable, its format can be improved by selecting View, then Text Styles.

Figure 3-9 Changing text style for bottom pane

Select Low Bit-ASCII in the left pane then ASCII @ 80 in the right pane. The changes in the bottom pane will be displayed immediately.

Figure 3-10 View of bottom pane with new text style active


It is important to be aware of your current positioning within the Case, especially when documenting the location of evidence found in unallocated space. The status bar found in the bottom pane will provide that information.

Status Bar

Figure 3-11 Location of status bar

The codes are translated as follows:

PS Physical Sector number

LS Logical Sector number

CL Cluster number

SO Sector Offset - the distance in bytes from the beginning of the sector.

FO File Offset - the distance in bytes from the beginning of the file.

LE Length - the number in bytes of the selected area.
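A worked translation of a byte position into these status-bar codes, added here as an illustration (not EnCase's own code), for cross-checking a location before it is documented. It assumes 512-byte sectors and takes the partition's starting sector, the sectors per cluster, and where cluster numbering starts as parameters, because the CL value depends on the file system: the defaults (data area at logical sector 0, first cluster numbered 0) match NTFS, while a FAT volume numbers its data clusters from 2 starting after the FAT tables. The sector and cluster values in the calls are constructed.

```python
SECTOR_SIZE = 512   # assumed sector size for this illustration


def status_bar_fields(volume_offset, partition_start_sector, sectors_per_cluster,
                      data_area_start_sector=0, first_cluster_number=0,
                      file_start_offset=None, selection_length=None):
    """Translate a byte offset inside a volume into the PS/LS/CL/SO/FO/LE codes.

    LS and SO come straight from dividing the offset by the sector size; PS
    adds the partition's start sector on the physical disk; CL counts clusters
    from the first data sector using the file system's numbering base.
    """
    ls, so = divmod(volume_offset, SECTOR_SIZE)
    fields = {
        "PS": partition_start_sector + ls,                     # physical sector on the disk
        "LS": ls,                                              # logical sector in the volume
        "CL": first_cluster_number
              + (ls - data_area_start_sector) // sectors_per_cluster,
        "SO": so,                                              # bytes into the sector
    }
    if file_start_offset is not None:
        fields["FO"] = volume_offset - file_start_offset       # bytes into the file
    if selection_length is not None:
        fields["LE"] = selection_length                        # bytes selected
    return fields


if __name__ == "__main__":
    # NTFS-style volume starting at physical sector 63, 8 sectors per cluster
    print(status_bar_fields(74565, 63, 8, file_start_offset=74240, selection_length=16))
    # FAT-style volume whose data area starts at logical sector 1000, clusters from 2
    print(status_bar_fields(600000, 63, 8, data_area_start_sector=1000, first_cluster_number=2))
```

For evidence found in unallocated space there is no file, so FO is meaningless and the location is recorded by sector (PS or LS) and offset (SO); the cluster number is only as good as the cluster parameters, which is why the partition layout should be recorded alongside the hit.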


Removing the Left Pane

The bar between the left and right panes can be moved to allow you to see more of either side. To see more of the right pane, drag the dividing bar to the left or select the left arrow icon on the bar.

Before:

Icons on Bar

Dividing Bar

Figure 3-12 Location of bar separating left from right pane

After:

Figure 3-13 View of right pane only

You can select the right arrow on the same bar to cause the right pane to disappear, or you can move the bar to the right. If you want the bar to go back to its normal position, click the square icon on the bar.


Isolating the Bottom Pane

The bottom pane can also be isolated to examine more of the contents of a file. Place the mouse cursor on the divider above the bottom pane, hold the left mouse button, and drag the divider upward to enlarge the pane. Notice the additional arrows on the right side of the middle bar: select them to eliminate the top or bottom panes altogether, and use the square icon to reset the screen to its default layout.

Before:

Dividing Bar

Arrows and square icons to move the dividing bar

Figure 3-14 Location of dividing bar between upper and bottom panes

After:

Figure 3-15 View of bottom pane expanded to maximum size


Lesson 4

Searching the Case

EnCase provides a powerful search engine to locate information anywhere on the physical or logical media. After creating a Case file, a search may be conducted on keywords and their options.

ADDING KEYWORDS

Always create a good keyword list prior to beginning the case. The investigating officer often provides the keyword list. It is a good idea to review the report and search warrant for additional keywords. Keywords can be divided into groups (folders) and structured in the Keyword View. This structure is used in the Bookmark View to display the results of the search. Access the Keyword View by selecting the View menu, and selecting Keywords.

Figure 4-1 Selecting Keywords view


Creating Keyword Groups

To create a group, RIGHT-CLICK on the folder tree icon where you want to create the folder and select New Folder. Type a name for the folder. Two keyword groups, called Names and e-mail, have been created in the following example. Under each group are sub-folders for the keywords associated with Suspect1, Suspect2, and the victims in the case.

Selecting New Folder will allow the creation of folders, and they will bear the name “New Folder” when initially created. RIGHT-CLICK on the newly created folder, and select Rename or highlight the folder and press the F2 key, and enter the text for the desired folder name.

Figure 4-2 Creating a new folder to manage keywords

Folders can be moved and relocated into parent folders by dragging and dropping into the desired parent folder.


Entering Keywords

After creating the groups, add the keywords into each group. Keywords may be added whether or not the keyword search is to be conducted during the first search effort. The keywords are selectable. To add a keyword, select the appropriate folder and press the INSERT key, or RIGHT-CLICK on the folder and select New. The third method is to highlight the folder in the left pane in which you want to create the keyword, then right-click in the right pane and select New. The New Keyword dialog box will appear.

Figure 4-3 Entering a new keyword

Options can also be set from this window in regards to:

Search Expression - Enter your search expression in this box. It may be a simple keyword, a phrase, or a GREP expression.

Description - You may change the default and enter something more descriptive that will help you remember what you were searching for.

Case Sensitive - Unless this box is checked, EnCase locates the keyword regardless of case. If it is checked, EnCase locates the keyword only where its case matches exactly what the examiner typed or pasted.

GREP - GREP is used to narrow the search, to limit false hits, and in cases where only certain portions of the keyword being sought are known.


Active Code Page - Searches using the active code page(s) that Windows is using right now (set through the Control Panel of your examination PC). This allows the examiner to enter keywords in foreign languages. This needs to be checked unless you have other code pages selected.

Unicode - Unicode was developed in direct response to foreign language character sets. Most MS Office products use Unicode, as do NTFS systems, Windows 2000 and XP. EnCase will locate items in either plain ASCII text or Unicode if the Unicode box IS CHECKED. If the Unicode box is NOT CHECKED, EnCase will only locate items in plain ASCII text.

Figure 4-4 Example of plain text

Figure 4-5 Example of Unicode

Unicode Big-Endian - The non-Intel byte ordering, which stores multi-byte numeric values with the most significant byte first, the reverse of little-endian.

UTF-8 - UTF stands for Universal Character Set Transformation Format. Applications have several options for how they encode Unicode; the most common encoding is UTF-8, the 8-bit form of Unicode. This option offers foreign language support.

UTF-7 - UTF-7 is a special format that encodes Unicode characters within US-ASCII in a way that all mail systems can accommodate.
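The Case Sensitive and Unicode options above decide which byte patterns a keyword search actually looks for, and the difference is easiest to see on raw bytes. The following is an added example, not EnCase code: it builds one byte-level pattern per encoding for a keyword (ASCII, UTF-8, UTF-16 little-endian and UTF-16 big-endian; UTF-7 is left out because its base64 runs do not map one character at a time), optionally ignoring case, and scans a constructed buffer that holds the same word as upper-case ASCII, as UTF-16LE behind an FF FE byte-order mark, and as UTF-16BE behind an FE FF mark. The buffer, the keyword and the function names are constructed for the example.

```python
import re

# Encodings searched; UTF-8 and ASCII give identical bytes for an all-ASCII
# keyword and are reported once. UTF-7 is omitted (see lead-in).
ENCODINGS = ("ascii", "utf-8", "utf-16-le", "utf-16-be")


def keyword_patterns(keyword, encodings=ENCODINGS, case_sensitive=False):
    """Build one compiled bytes regex per encoding for the keyword.

    Each character is encoded on its own so a case-insensitive search can
    offer both its lower- and upper-case forms in that encoding; the UTF-16
    forms carry the null bytes that a plain-ASCII search never sees.
    Encodings that cannot represent the keyword are skipped.
    """
    patterns, seen = {}, set()
    for enc in encodings:
        try:
            parts = []
            for ch in keyword:
                variants = {ch} if case_sensitive else {ch.lower(), ch.upper()}
                alternatives = sorted(re.escape(v.encode(enc)) for v in variants)
                parts.append(b"(?:" + b"|".join(alternatives) + b")")
        except UnicodeEncodeError:
            continue                      # e.g. an accented keyword under "ascii"
        pattern = b"".join(parts)
        if pattern in seen:
            continue                      # same bytes as an earlier encoding
        seen.add(pattern)
        patterns[enc] = re.compile(pattern)
    return patterns


def search_keyword(buffer, keyword, encodings=ENCODINGS, case_sensitive=False):
    """Return sorted (byte offset, encoding) hits for the keyword in the buffer."""
    hits = []
    for enc, regex in keyword_patterns(keyword, encodings, case_sensitive).items():
        hits.extend((m.start(), enc) for m in regex.finditer(buffer))
    return sorted(hits)


# Constructed sample standing in for a slice of unallocated space: the word
# "secret" as upper-case ASCII text (offset 22), as UTF-16LE text behind a
# FF FE byte-order mark (offset 37), and as UTF-16BE behind FE FF (offset 77).
SAMPLE = (
    b"\x00" * 16
    + b"memo: SECRET plans\n"
    + b"\xff\xfe" + "secret file".encode("utf-16-le")
    + b"\x00" * 8
    + b"\xfe\xff" + "big secret".encode("utf-16-be")
    + b"\xff" * 4
)

if __name__ == "__main__":
    print(search_keyword(SAMPLE, "secret"))                        # all three hits
    print(search_keyword(SAMPLE, "secret", case_sensitive=True))   # UTF-16 hits only
    print(search_keyword(SAMPLE, "secret", encodings=("ascii",)))  # Unicode box unchecked
```

With only "ascii" enabled, which corresponds to leaving the Unicode box unchecked, the two UTF-16 copies are missed entirely even though a text viewer would show the word plainly; with Case Sensitive on, the upper-case ASCII copy is the one that drops out. The offsets returned are what the status bar would report as the hit's position in the buffer.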


Type the keyword and press Enter or click on OK.

After entering the keywords, they can be viewed in their individual folders or all together. To view them all together, click on the pointed box next to the Keywords folder.

Figure 4-6 Viewing all keywords located within Keywords view

STARTING A SEARCH Starting a search is simple, and deciding if the entire case needs to be searched, or just an individual Evidence File, folder, or file can save time. For example, when searching for deleted evidence that may be in unallocated space, such as a file header, select just the unallocated space as opposed to the entire Case. Also, remember that a search may be executed for all keywords, or only selected keywords.

To begin a search, click on the Search button on the toolbar.

Next, click on Start.

There are several options that can be selected when running a search. Each option may display significantly different results when the search is executed. The following diagram describes each function.


26 Searching the Case

Detailed Search Options

Figure 4-7 Search options

Files to analyze - Searching the entire case means that EnCase will search every aspect of every Evidence File added to the case. If there are 10 floppy diskettes and five hard drives, all 10 floppy diskettes and all five hard drives will be searched. A search for selected files will cause EnCase to search only for files that have been blue-checked. The indicator box below the Selected Files option shows the number of files to be searched.

Search each file for keywords - When checked, a keyword search will occur. When unchecked, the other checked functions will be performed, however the keyword search will not. The reason for this is that you may want to run a signature analysis, or a hash analysis, without running a keyword search.

Verify file signatures - This option will conduct a signature analysis on the files selected to be analyzed (all or selected). Refer to the chapter on “Signature Analysis” for further information.

Compute hash value - This option will conduct a hash analysis on the files selected to be analyzed. Refer to the “Hash Analysis” section for further information.

Always compute hash value - This option tells EnCase to compute hash values automatically for any additional evidence files added to the case, as those evidence files are verified.

Search file slack - This option tells EnCase to search the slack area of each file: the bytes between the end of the file's logical data and the end of the last cluster allocated to it (the physical file size). Slack often holds remnants of whatever previously occupied those clusters.

Search only slack area of files with known hashes - This option is used in conjunction with a hash analysis. If a file's hash matches an entry in the Hash Library, the body of the file will not be searched; however, the slack area behind the file (as described above) will still be searched. If this option is turned off, EnCase will ignore the hash analysis results and search the bodies of all files.

Selected keywords only - This section allows the search to include all keywords, or just a selected number of keywords. The display box shows the number of keywords that will be used in the search.
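Added example, not part of the original manual: the Python below lays out two files on a constructed 512-byte-cluster volume, fills the slack after each with remnants of a deleted message, and runs a keyword search with the two slack options switched on and off. The file contents, cluster size, hash library and file names are all constructed for the example; the option names mirror the dialog above.

```python
import hashlib
import math

CLUSTER_SIZE = 512        # assumed cluster size of the constructed volume
KEYWORD = b"IGNITION"


def build_sample_volume():
    """Constructed sample volume: two files laid out on 512-byte clusters,
    each followed by slack that still holds data from an earlier, deleted
    file. Returns (volume bytes, directory entries, known-hash set)."""
    # report.txt: 600 bytes of user text with the keyword in its body.
    report = b"notes on ".ljust(300, b"x") + b"IGNITION devices" + b"y" * 284
    # setup.exe: 700 bytes of a program file whose hash is in the hash library;
    # the keyword also occurs in its body, as a string inside the binary.
    setup = b"MZ" + b"\x90" * 400 + b"IGNITION" + b"\x00" * 290
    leftover = b"old email: the IGNITION test was a success"

    volume = bytearray()
    entries = []
    for name, content in (("report.txt", report), ("setup.exe", setup)):
        logical = len(content)
        physical = math.ceil(logical / CLUSTER_SIZE) * CLUSTER_SIZE
        entries.append({
            "name": name,
            "start": len(volume),
            "logical": logical,     # logical file size
            "physical": physical,   # bytes in the clusters allocated to it
            "md5": hashlib.md5(content).hexdigest(),
        })
        volume += content
        volume += leftover.ljust(physical - logical, b"\xff")  # the slack
    known_hashes = {hashlib.md5(setup).hexdigest()}
    return bytes(volume), entries, known_hashes


def search_volume(volume, entries, known_hashes, keyword,
                  search_slack=True, only_slack_for_known=True):
    """Keyword search over the files of a volume, honouring the two slack
    options described above. Returns [(file name, 'file' or 'slack', offset)].

    search_slack        : also search the bytes between logical and physical EOF.
    only_slack_for_known: skip the body of files whose hash is in the known-hash
                          set but still search their slack; when False the hash
                          results are ignored and every body is searched."""
    hits = []
    for e in entries:
        body_start = e["start"]
        body_end = body_start + e["logical"]
        physical_end = body_start + e["physical"]
        regions = []
        if not (only_slack_for_known and e["md5"] in known_hashes):
            regions.append(("file", body_start, body_end))
        if search_slack:
            regions.append(("slack", body_end, physical_end))
        for kind, lo, hi in regions:
            pos = volume.find(keyword, lo, hi)
            while pos != -1:
                hits.append((e["name"], kind, pos))
                pos = volume.find(keyword, pos + 1, hi)
    return hits


if __name__ == "__main__":
    vol, entries, known = build_sample_volume()
    for opts in ({}, {"only_slack_for_known": False}, {"search_slack": False}):
        print(opts or "defaults", "->", search_volume(vol, entries, known, KEYWORD, **opts))
```

With both options on, the body of setup.exe (whose hash is in the library) is skipped but its slack is still searched, so the keyword is found three times; switching off Search only slack area of files with known hashes makes it four, and switching off Search file slack drops the two slack hits. The practical point is that a known-file hash says nothing about what is sitting in the clusters beyond the file's logical end.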


Searching the Case 27

At the conclusion of the search, the examiner will see a Status window. This information may be saved in a Note Bookmark (discussed later) or to the console, where it is available as input to an EnScript or for copying to another document outside the EnCase environment.

Figure 4-8 Status – Results of Search


Lesson 5

Viewing the Search Results

As the search hits accumulate, view the results in the Search Hits View. Select View then select Search Hits.

Figure 5-1 Changing to Search Hits view

All search hits are automatically displayed (for evidence files in the active case). The View Search Hits button located on the button bar allows selection of what form the search hits should be displayed in.

Figure 5-2 Selecting the View Search Hits button (callout: View Search Hits Button)


Viewing the Search Results 29

There are fifteen different combinations of displaying search hits. The examiner may alter the arrangement of the options by left-clicking and dragging an item with the mouse to a new location in the arrangement order. The examiner may also choose which options are displayed by placing a blue check in the box to the left of the item. In the arrangement below, the examiner has chosen to display the keyword hits by device first, then keyword.

Figure 5-3 Selecting arrangement of options

This results in the following display

Figure 5-4 Case View of above selected arrangement of options

In the above arrangement, the keywords are separated into their own folders in the left pane. Note the magnifying glass icon located to the left of each keyword. Highlight a folder in the left pane. The search hits for the selected search term are displayed in the right pane.


Lesson 6

Bookmarking Your Findings

EnCase allows the investigator to mark files or file sections that are of interest. These marks are called Bookmarks. All bookmarks are saved in the Case file and can be viewed at any time by clicking on the Bookmark tab. They may be viewed in the Table view for organization purposes, or the Report view for final viewing purposes. If a device or compound file is removed or “dismounted” from the case file, the bookmarks and search hits will be unavailable.

UNDERSTANDING BOOKMARKS There are five different types of bookmarks. A unique icon precedes each type. Here is a list of the different types of icons followed by their descriptions.

Notable File Bookmark - Any one file that was bookmarked individually. This is a fully customizable bookmark.

Highlighted Data Bookmark - Created by sweeping data. This is a fully customizable bookmark.

Notes Bookmark - Allows the investigator to write anything into the Report. It has a few formatting features, and is not a bookmark of evidence.

Folder Information Bookmark - Bookmarks the tree structure of a folder. There is no comment on this bookmark. Options include showing the device information and the number of columns to use for the tree structure.

File Group - Indicates that a group of selected files was bookmarked. There is no comment on this bookmark. It is meant to be placed into a folder that explains the meaning of the group of files. This avoids the same comment being repeated continuously for each bookmark. A notes bookmark can precede this group of files to explain its meaning.

It is suggested that the examiner create a folder structure in the Bookmarks view to organize bookmarks. The folder structure may indicate topical areas of investigation or types of bookmarks.

BOOKMARKING VIEW The Bookmark view has many organizational functions that are similar to the Search Hits view (described in the preceding lesson), including the folder structure suggested above.


Bookmarking Your Findings 31

BOOKMARKING DATA Bookmarks can be made from anywhere data or folders exist. The type of bookmark, however, must be chosen.

Sweeping Bookmark The Sweeping Bookmark can be used to show specific highlighted data.

Click onto the Bomb keyword folder in the left pane. Click on hit #702 in the right pane and look in the bottom pane. A text document called 1-16.txt is referenced in the bottom pane. It begins with the words IGNITION DEVICES.

Use the View, Text Styles options discussed earlier to set the view to Low Bit – ASCII @ 80.

Sweep, by left-clicking and holding, a few paragraphs. Right-click in the highlighted area. Select Bookmark Data.

Figure 6-1 Example of creating a sweeping bookmark


32 Bookmarking Your Findings

Select a folder in which to place the bookmark or create a new folder in the destination folder window. To create a new bookmark folder, highlight where you would like to create the new folder and select New Folder…

Figure 6-2 Creating a new folder for bookmark

Name the folder. Give your bookmark a comment, if desired, and select the View Type in the Data Type window. Select Low ASCII text for this example. Select OK.

Figure 6-3 Selecting a view type for bookmark


Bookmarking Your Findings 33

Switch to the Bookmarks View and highlight the Bomb Documents folder in the left pane. Switch to Report View in the right pane and see the results as they would be shown in the final report.

Figure 6-4 Examining the bookmark in the report view in the right pane

This is one of the most common bookmark types, as it places the actual data directly into the report.


Lesson 7

Searching Unallocated Space

When a file is deleted, most operating systems only mark its directory entry and clusters as free; application programs and normal system activity may later overwrite the directory entry. In many cases the data itself is left on the disk with no indication that it is there. Searching the unallocated space for known file headers and their associated end-of-file markers (if any) is one method of identifying such data. This lesson illustrates the technique of searching for a JPEG header to locate JPEGs in unallocated space. Although JPEG is used in this example, the technique can be used with any file format whose header and end-of-file markers are known.

1) In Case view, select the volume whose unallocated space is to be searched. Click on Volume C. Place a blue checkmark in the right pane in the box next to Unallocated Clusters.

Figure 7-1 Select Unallocated Clusters in the right pane


Searching Unallocated Space 35

2) Go to the Keywords view and create a new folder called File Headers.

Figure 7-2 Create a file headers folder within Keywords view

3) To identify the JPG header, click on View…File Signatures and scroll down to JPEG Image.

Select JPEG Image and right-click. Select Edit.

Figure 7-3 Locate the JPEG header from the File Signatures view

4) Select Header in the Edit Signature box. The Text box will contain the header for the selected file type (JPG). RIGHT-CLICK in the text box and select Copy or click CONTROL-C to copy. Click Cancel to close the Edit Signature box and click CLOSE to close the File Signatures box.

Figure 7-4 Copy the JPEG header


36 Searching Unallocated Space

5) In Keyword view, RIGHT-CLICK on the File Headers folder and select New. RIGHT-CLICK in the Text box and select Paste or click Control-V. Make sure that GREP is selected. Give your search expression a name of JPG Header.

Figure 7-5 Paste the JPEG header into a New keyword in Keywords view

6) When finished, click OK. Select/Blue Check the keyword – ensure it is the only keyword selected.

7) Click on the Search button. Make sure the search criteria are for Selected Files Only, and Selected Keywords only. Turn off Verify file signatures and Compute hash value. Click on Start Analysis.

Figure 7-6 Start a search using the JPEG header keyword


At the conclusion of the search, a Searching Status screen is displayed. The examiner may choose to save this to the console, or as a note bookmark, or to not save it at all.

Figure 7-7 Status screen after search completes.

Switch to Search Hits view. Click on the Search Hit and view the results.

This process illustrates that evidence can be found in both allocated and unallocated space. Unallocated space should always be examined for evidentiary artifacts.

Figure 7-8 View search hits and examine within bottom pane
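An added example that is not part of the original manual: the Python below carves JPEG files out of a constructed buffer standing in for the unallocated clusters, using the same header bytes (FF D8 FF) that the JPG Header keyword matches and the JPEG end-of-image marker (FF D9) as the footer. The sample blobs, their offsets and the 4 MB size cap are assumptions of the example; the payloads are not decodable pictures.

```python
import re

SOI = b"\xff\xd8\xff"        # start of image plus the first marker byte (the JPG header)
EOI = b"\xff\xd9"            # end of image
MAX_JPEG = 4 * 1024 * 1024   # assumed cap on the size of a single carved image


def build_sample_unallocated():
    """Constructed sample of unallocated clusters: two small JPEG-like blobs and
    one orphaned header whose image data has been overwritten, separated by
    filler. Only the header/footer structure matters for the carving logic."""
    def fake_jpeg(payload):
        return SOI + b"\xe0\x00\x10JFIF\x00" + payload + EOI   # SOI, APP0, data, EOI
    img1 = fake_jpeg(b"\x01" * 40)
    img2 = fake_jpeg(b"\x02" * 80)
    orphan = SOI + b"\xe1" + b"\x00" * 30      # header with no footer anywhere after it
    filler = b"\xaa\x55" * 32
    buf = filler + img1 + filler + img2 + filler + orphan + filler
    return buf, [img1, img2]


def carve_jpegs(data, max_size=MAX_JPEG):
    """Carve JPEGs from raw bytes by header and footer. Returns a list of
    (offset, carved bytes). A header with no footer within max_size is still
    reported, with empty bytes, because a fragment may be worth looking at."""
    carved = []
    for m in re.finditer(re.escape(SOI), data):
        start = m.start()
        end = data.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            carved.append((start, b""))
        else:
            carved.append((start, data[start:end + len(EOI)]))
    return carved


if __name__ == "__main__":
    buf, _ = build_sample_unallocated()
    for offset, blob in carve_jpegs(buf):
        status = f"{len(blob)} bytes" if blob else "header only, no footer found"
        print(f"JPG header at offset {offset}: {status}")
```

Two caveats a practitioner should keep in mind. The header search reports every FF D8 FF, including the orphaned header here whose data has been overwritten, so each hit must be reviewed rather than assumed to be a picture (the Picture-Invert step later in this lesson is one way to do that). Also, a JPEG carrying an EXIF thumbnail contains a second SOI/EOI pair, so footer-based carving stops at the thumbnail's FF D9 and yields a truncated image; walking the marker segment lengths instead of searching for the footer avoids that. A bare FF D9 does not occur inside entropy-coded image data, because the encoder stuffs every FF as FF 00, so false footers come from nested images rather than from the image data itself.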


38 Searching Unallocated Space

Once the search is completed, review the hits to determine the relevance to the investigation. To see the search hits as pictures, in the right pane, table view, scroll to the column entitled Picture, which is deactivated for all search hits. Select/Blue Check all search hits, right-click anywhere in the Picture column, and select Picture-Invert Selected Items. You can now view the pictures in the bottom pane or switch the view above the right pane to Gallery.

Figure 7-9 Select search hits, display as picture


Searching Unallocated Space 39

To bookmark the pictures stored within unallocated space, Select/Blue Check all search hits to be bookmarked, right-click and select Bookmark Selected Hits.

Figure 7-10 Select search hits, Bookmark

Create a new Bookmark Folder to contain these images and name it appropriately.

Figure 7-11 Save images in Bookmark Folder

The bookmarked data in the selected folder will be displayed as an image within the report view, as shown below:


40 Searching Unallocated Space

Figure 7-12 JPG images displayed in Report


Lesson 8

Windows Artifacts

The search and recovery tools in EnCase let investigators go beyond detecting evidence to identifying the system-generated indicators that qualify it and give it meaning. Having found a keyword of interest or a graphical image that appears to constitute evidence, the investigator then examines the artifacts the operating system produces alongside it, which can confirm or refute a user's assertion of lack of intent or lack of knowledge.

TEMPORARY DIRECTORY Programs hold files that must temporarily exist while the program operates in the Windows Temporary Directory. Ordinarily, programs delete all their temporary files when they are shut down properly. If Windows crashes, some temporary files may remain until the user deletes them.

WINDOWS DESKTOP FOLDER The Windows Desktop Folder contains all of the icons, folders and files that are located on the desktop. A good place to begin an investigation is by observing what programs the suspect had on the desktop. Check for removable media icons, such as a Zip drive or Jaz drive icon.

SEND TO FOLDER The Send To Folder provides some options as to where to send a file. This is a right-click option in Windows and another good place to check for removable media.

START MENU FOLDER The Start Menu Folder contains all of the links that exist on the Windows Start menu. This is a good location to check for applications relevant to the investigator’s case.

REGISTRY The Registry is used to configure Windows and related programs. Programs register themselves here and sometimes depend on the information in the registry to operate correctly. The registry may contain a good deal of evidence. On Windows 95/98/Me the base registry files are system.dat and user.dat; on Windows NT/2000/XP the hives are the files in %SystemRoot%\System32\config together with each user's NTUSER.DAT.

TEMPORARY INTERNET FILES FOLDER The Temporary Internet Files Folder caches html pages and their associated files so that, when a website is visited again, the images do not have to be downloaded again. This cache leaves several items of evidence on a computer. Web-based e-mail, such as Hotmail, is stored in the Temporary Internet Files folder as the pages that were viewed in the browser.


Lesson 9

Software RAID Evidence

STUDENT NOTE: A software RAID has been added to your case for demonstration purposes. The boot drive that contains the keys to recreate the software RAID has also been added to the case file.

EnCase will read the structure of the evidence files and will alert the examiner that the three hard drives formed some type of RAID array.

Figure 9-1 - EnCase recognizes the drives are part of a RAID


Software RAID Evidence 43

To virtually recreate the software RAID, you must scan the disk configuration of the drive containing the keys to the RAID. In this case, it is the boot disk containing the operating system forming the RAID. Right-click on the boot drive and scan its configuration.

Figure 9-2 - Scan the Disk Configuration of the disk with the keys


44 Software RAID Evidence


EnCase will virtually recreate the software RAID, including the last assigned volume drive letter. You can then browse and search the logical file structure.

Figure 9-3 - Software RAID rebuilt