File000132

Module XIX – Forensic Investigation Using Encase

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Verizon to Use Guidance Software’s EnCase eDiscovery on a Pay-Per-Use Basis

Source: http://www.tmcnet.com/



Official Licensed Content

Provided by EnCase to EC-Council



Module Objective

• Evidence Files• Verifying the File’s Integrity• Hashing• Configuring EnCase• Searching• Bookmarks• Viewing the Recovered Files• Master Boot Record• NTFS Starting Point• Hash Values• Signature Analysis• Email Recovery

This module will familiarize you with:



Module Flow

Evidence File

Configuring EnCase

Hashing

Bookmarks

Searching

Verifying the File’s Integrity Master Boot Record

Viewing the Recovered Files

Hash Values

Signature Analysis

E-mail Recovery

NTFS Starting Point



Evidence File

Evidence file is the core component in EnCase

The file can be referred as a forensic image file

It is widely known throughout the law enforcement and computer security industries

• Header

• Checksum

• Data blocks

• Footer

It consists of:



Verifying Evidence Files

After burning the discs, run Verify Evidence Files on each disc to verify that the burn was thorough and that the evidence file segment is intact



Evidence File Format

Each Evidence file is an exact, sector by sector copy of a floppy or hard disk

Every byte of the file is verified using 32-bit CRC, which makes it virtually impossible to tamper with the evidence once it has been acquired

EnCase compresses large disk into a small size reducing up to 50% of the disk’s size



Verifying the Evidence File Integrity

Whenever an evidence file is added to the case, EnCase will begin verifying integrity of the drive for corruption, bad sectors etc.



Hashing

EnCase calculates MD5 Hash when it acquires a physical drive or logical drive



Acquiring Image

Click File -> Add Raw Images to acquire images

To acquire USB image, the USB drive should not be connected to the forensic computer prior to the boot process

Select the device type to make an image



Configuring EnCase

Click Tools > Options to configure EnCase in various settings



EnCase Options Screen



EnCase Screens

TREE PANETABLE PANE

FILTER PANEVIEW PANE



View Menu

Various utilities can be launched using View menu



Device Tab

Device tab shows information about the currently selected device



Viewing Files and Folders

Files Folders



Bottom Pane

Bottom pane



Viewers in View Pane

Text

Hex

Doc

Transcript

Picture

Report

Console

Details



Status Bar



Status Bar (cont’d)

• PS physical sector number• Logical sector number• Cluster number• Sector offset• File offset• Length

Status bar provides the sector’s details for a selected file:



Searching

EnCase provides powerful searching capabilities

Keywords searches can be performed at a logical level (file level) or physical level (byte by byte)



Searching (cont’d)

EnCase has the following advanced search capabilities to find the information of investigative importance:

• Concurrent search• Proximity search• Internet and email search• Email address search• Global Regular Expressions Post (GREP) search• File finder• Search options include:

• Case sensitive• GREP• RTL reading• Active code-page



Keywords

Keyword must be added before you can start searching

They are saved in keywords.ini file

They can be added based on what you are investigating

For example, you might want to add keywords such as:

• kill, suicide, cheat, Swiss bank, San Francisco etc.



Keywords: Screenshot



Adding Keywords

Right click Keyword and select New



Grouping

Keywords can be grouped for organizing the search terms

Right click in Keyword > select New Folder and type the folder’s name



Add Multiple Keywords

Right click the Folder > Keyword list



Starting the Search

Searches can be carried out using file/folder or entire drive

Check the keywords that needs to be searched

Click Search button



Search Hits Tab

Search Hits Tab reveals the search listings



Search Hits



Bookmarks

EnCase allows files, folders, or sections of a file to be bookmarked for easy reference

Click View > Cases Sub-Tabs >Bookmark



Creating Bookmarks

Bookmarks can be created by clicking ‘New Folder’ in right click menu



Adding Bookmarks

Right click on any file > Bookmark Data



Bookmarking Selected Data

Highlight the text and select Bookmark Data



Recovering Deleted Files/folders in FAT Partition

Right-click FAT drive and select Recover Folders



Recovering Deleted Files/folders in FAT Partition (cont’d)



Viewing Recovered Files

Select the Recovered Folder to view the deleted files/folders



Recovering Folders in NTFS

EnCase searches the unallocated clusters in Master File Table (MFT) to recover the files/folders

Use the same method as FAT system to recover the files

This process can be slow and may take 60 minutes (1 hour) for 100 GB hard drive



Recovering Folders in NTFS (cont’d)

Right-click on the volume and select Recover Folders

Choose OK to begin the search for NTFS folders



Master Boot Record

Master Boot Record (MBR) resides at the first sector (Sector 0)

Sector Offset (SO 446) contains the partition table

MBR allows 4 entries:

• Each entry is 16 bytes long• Partition entries range from (LE 64 – Hex 55 AA)



Master Boot Record (cont’d)

Select Sectors (SO 446 – LE 64)

Right-click and select Bookmark

Select Windows > Partition Entry

Enter a name to bookmark



Bookmark Data

Partition table



NTFS Starting Point



Viewing Disk Geometry

Highlight the case and click Report in the bottom View pane



Recovering the Deleted Partitions

• Search for the following in the unused disk area:• MSWIN4.1 (FAT Partition)• NTFS (NTFS Partition)

• Look manually at the disk end of the first volume

Two ways to check for deleted partitions:



Recovering the Deleted Partitions (cont’d)

To delete the partition, right-click and select it

Right-click the area to recover and select Add Partition



Hash Values



Creating Hash Sets

Select the files to be included in the hash set

Right-click > Create Hash Set



MD5 Hash

EnCase can create a hash value (digital fingerprint) for any file in the case

It uses 128 bit MD5 algorithm

Hash sets are a collection of hash files

Chances of two files having the same hash is 2128 which is nearly impossible



Creating Hash

Click Search > Select Compute hash value

This will create hash for every allocated file



Viewers

EnCase can use external viewers to view files

Viewers makes a copy of a file to the temporary folder before launching the file

Encase uses the following viewers:

• External viewer• Program registered in Windows• EnCase viewer• Timeline



Viewers (cont’d)

Click viewers in View menu > File viewers

Create new viewer and enter the application path



Signature Analysis

ISO and ITU work to standardize the types of electronic data

For the standardized file types, a signature or header is stored along with the data

Applications use the header to correctly parse the data

You can view the file signature to identify the data even though its extension has been renamed

Example: jennifer.exe jennifer.dll



Signature Analysis (cont’d)

Select View menu > File Signatures



Signature Analysis (cont’d)

You can search using signature analysis



Viewing the Results



Copy/UnErase Files or Folders

Encase provides a feature to recover and unerase files byte-per-byte

Right-click a file/folder > select Copy/UnErase



E-mail Recovery

• \Documents and Settings\[username]\Local Settings\Application Data\Identities\[userid]\Microsoft\Outlook Express

Default path for Outlook Express 5/6 in Windows XP is:

• Inbox.mbx• Outbox.mbx• Sent Items.mbx• Deleted Items.mbx• Drafts.mbx

Outlook mailbox filenames are as follows:

View the above files in EnCase



Reporting

The final stage of the forensic analysis is reporting

Report must be easy to understand and should cover in-depth information about the evidence

Click the Report in Bookmarks menu



Final Report



IE Cache Images



Summary

Evidence file is the core component in EnCase

Each Evidence file is an exact, sector by sector copy of a floppy or hard disk

EnCase calculates MD5 Hash when it acquires a physical drive or logical drive

EnCase provides powerful searching capabilities

EnCase allows files, folders, or sections of a file to be bookmarked for easy reference

EnCase searches unallocated clusters in Master File Table (MFT) to recover files/folders

EnCase can create a hash value (digital fingerprint) for any file in the case





File000132

Technology

eccouncil copyright

evidence file evidence

evidence file integrity

evidence file format

evidence file segment

selected file

forensic image file

logical level file level