EnCase Navigating Encase Tree Pane, Table Pane, Bottom Pane and Filter Pane



Date: 08.10.2017


EnCase


Navigating Encase

  • Tree Pane, Table Pane, Bottom Pane and Filter Pane

    • Highlighting a folder
    • Home plate > Select the polygon to the left of the folder name.
    • Blue check mark > Select the square to the left of the folder name – Used for keyword search


New Case

  • Encase – New case

    • Select the “New” icon
    • Name – case1
    • Examiner Name – Your name
    • Export Folder – c:\cases\case1\export
    • Temporary Folder – c:\cases\case1\temp


Saving a Case

  • Save the Case

    • Select the “Save” icon
    • Select your folder
    • Change the case name to lower case and remove any spaces.


Global Settings

  • Tools > Options > Global

    • Auto save – set it to 5; increase to 30+ when running a long search.
    • Enable picture viewer, ART and PNG image display.
    • Invalid picture timeout leave at 12 sec
    • Date and Time – MM/DD/YY and 12:00
    • Show Yes / No


Preview Device (HD, Floppy, Thumb Drive, etc)

  • Select the “Add Device” button.

  • Next select the appropriate device.

    • Generally you will select “Local Drives”
    • For DOS acquisition select Network Crossover.


Preview Device (HD, Floppy, Thumb Drive, etc)

  • Select the drive letter which represents the device to be imaged.

    • Floppy – Generally select the A drive.
    • USB and Firewire acquisitions – Select drive E, F, etc.


Preview Device (HD, Floppy, Thumb Drive, etc)

  • Adding evidence number and name.

    • Right click on the drive letter.
    • Select > Edit


Preview Device (HD, Floppy, Thumb Drive, etc)

  • Enter an evidence number:

    • Such as (070418-0010)
      • Year 07, month 04, day 18, evidence number 0010.
  • Enter evidence name.

    • It’s a good idea to include the device type in the name, e.g., desktop, floppy, laptop.
    • Example: smithdesktopHD1, smithdesktopHD2, smithfloppy1, etc.


Acquiring Previewed Device

  • If a previewed device warrants acquisition: Right click on the device and select Acquire.



Acquiring Previewed Device

  • Select - Replace source device

    • This will replace the preview item.
  • Note! Search, Hash and Signature Analysis

    • Ensure that it is not selected – acquisition will proceed faster.


Acquiring Previewed Device

  • Set the following:

    • File segment size - 640
    • Compression - None
    • Password – Leave blank!!!!
    • Generate image hash
    • Output path – Check to ensure the correct one is selected.


Adding Previously Acquired Evidence (HD, Floppy, etc.)

  • Create a new case or open an existing case.

  • Select > Add Device



Adding Previously Acquired Evidence (HD, Floppy, etc.)

  • Select the appropriate folder i.e., “Local” and then the appropriate file, or



Adding Previously Acquired Evidence (HD, Floppy, etc.)

  • Right click on the “Evidence Files” folder and then select New to create a new path.



Adding Previously Acquired Evidence (HD, Floppy, etc.)

  • Browse the file system until you find the location of the previously acquired evidence.

    • For example:
      • f:\cases\data


Boot Disk Creation

  • Test diskette by rebooting from diskette.

  • Run EnCase DOS program “en”



Boot Disk Creation

  • ENBD – EnCase Network Boot Disk

    • Save the ENBD file to your desktop.
      • http://www.guidancesoftware.com/support/downloads.aspx
    • Insert floppy in drive.
    • Run ENBD setup file.
    • When finished add the en.exe file.
    • Do not write protect the ENBD disk.


Boot Disk Creation

  • Add the en.exe file.

    • C:\program files\encase\en.exe


Keyword Search

  • Global keywords

    • These words are made available to all your cases.
    • View > Keywords
  • Case specific keywords

    • These words are only available in this case.
    • View > Cases Sub-Tabs > Keywords


Keyword Search

  • Keyword Sources

    • Investigating officer
      • Search warrant
    • HR
    • Attorney
    • Management
    • Contract, Internet, Previous cases


Keyword Search

  • Keyword Folder

    • Right-click on Keyword folder
    • Select > New Folder
    • Add Folder Name
  • Examples

    • Email addresses
    • IP addresses
    • Phone numbers


Keyword Search

  • To add a single Keyword

    • Right-click on Keyword Folder > Select New
    • Search Expression – word, phrase or GREP expression.
    • Case sensitive – Check to make the search case sensitive.
    • GREP – Limits false hits.
    • Active Code Page – Allows foreign languages.
    • Unicode – Foreign language characters. Check to locate both ASCII and Unicode hits.
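
The following is an added example (not EnCase code and not part of the original slides) showing what the keyword options above do to a search: a plain word is found in its ASCII form and, with the Unicode option, in the UTF-16LE form Windows uses for most strings; a GREP expression is applied as written; the case-sensitive flag is honoured. The buffer and keywords are constructed for the demo, and the GREP-to-regex mapping is a simplification (EnCase GREP syntax differs from Python's in places). The same Unicode point applies to searching pagefile.sys.

```python
"""Keyword search with the options from the 'New Keyword' dialog: plain word or
GREP expression, case sensitive or not, and the Unicode option that also finds
UTF-16LE hits. Added example, not EnCase code; the buffer and keywords below are
constructed, and the GREP-to-regex mapping is a simplification."""
import re


def compile_keyword(expression, grep=False, case_sensitive=False, unicode=True):
    """Return [(encoding label, compiled bytes regex)] for one keyword."""
    flags = 0 if case_sensitive else re.IGNORECASE
    if grep:
        # GREP: the expression is used as-is against the raw bytes (ASCII form only here).
        return [("GREP", re.compile(expression.encode("latin-1"), flags | re.DOTALL))]
    patterns = [("ASCII", re.compile(re.escape(expression.encode("latin-1")), flags))]
    if unicode:
        # Unicode option: the same word as Windows stores it in UTF-16LE ('a\x00r\x00t\x00').
        patterns.append(("Unicode", re.compile(re.escape(expression.encode("utf-16-le")), flags)))
    return patterns


def search_keywords(data, keywords):
    """keywords: dicts with 'expression' plus optional 'grep', 'case_sensitive', 'unicode'.
    Returns hits sorted by offset, each with the encoding that produced it."""
    hits = []
    for kw in keywords:
        for label, rx in compile_keyword(kw["expression"], kw.get("grep", False),
                                         kw.get("case_sensitive", False), kw.get("unicode", True)):
            for m in rx.finditer(data):
                hits.append({"keyword": kw["expression"], "encoding": label,
                             "offset": m.start(), "hit": m.group(0)})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample buffer: an ANSI path, a UTF-16LE string and an e-mail address,
# padded with NUL bytes the way strings sit in slack or a page file.
SAMPLE_DATA = (b"\x00" * 16
               + b"C:\\Documents and Settings\\smith\\My Documents\\art.doc\x00"
               + b"\x00" * 8
               + "Art project".encode("utf-16-le")
               + b"\x00" * 8
               + b"user@example.com mailed it\x00")

# Constructed keyword list: one plain word, one GREP expression for e-mail addresses.
KEYWORDS = [
    {"expression": "art", "case_sensitive": False, "unicode": True},
    {"expression": r"[a-z0-9._]+@[a-z0-9.-]+\.[a-z]{2,4}", "grep": True},
]

if __name__ == "__main__":
    for hit in search_keywords(SAMPLE_DATA, KEYWORDS):
        print("%-8s offset %4d  %r" % (hit["encoding"], hit["offset"], hit["hit"]))
```

With the Unicode option off, the "Art project" string is missed entirely; with case sensitivity on, only the lower-case "art" inside the path is reported.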


Keyword Search

  • To add a list of keywords

    • Right-click on Keyword Folder > Select Add Keyword List
    • Enter words


Keyword Search

  • Before beginning a search you must select the word or group of words you want EnCase to find.

  • To do so, place a blue check next to the word or folder containing the words EnCase should locate.

  • To begin a search, click on the Search button.



Keyword Search

  • Search each file – Must be checked to activate a keyword search.

  • Verify file signatures – Don’t check.

  • Compute hash value - File hash analysis.

  • Search file slack – Search the space between the logical end of a file and its physical end.

  • Undelete files – Logical undelete. Search between starting cluster & following unallocated cluster.

  • Search with known hashes – Files matching known hashes will not be searched.

  • Selected keywords only – Unless selected, all keywords are searched.



Search Results

  • Search Hits – To view search results.

  • View > Cases > Search Hits

  • Refresh - Use during a search to display current results.



Search Results

  • Exclude – The item is not deleted from the case. Red highlight.

  • Export – Creates a tab-delimited text file which can be imported into Excel.

  • Tag File – Will place a blue check on the file to identify it in Home view



Bookmarking

  • Sweeping Bookmarks

  • Files

  • Notes

  • File Group



Bookmarking – Sweeping Bookmarks

  • Sweeping bookmark – Used to capture notable data.

  • Highlight the item > Right-click > Select Bookmarks



Bookmarking - Sweeping Bookmarks

  • Destination folder – Select a folder (i.e., Floppy) or create a new folder by right clicking on Bookmarks > New Folder > Enter new folder name.

  • Add Comment – e.g., “Bad stuff doc appears to be created on suspect’s machine.”

  • Data type – Select Style > ISO Latin > ISO Latin @ 100

  • View results - Select Bookmarks button > Report button



Bookmarking – Files

  • Used to flag files that contain important case information.

  • Right click on a file.

  • Select Bookmark Files



Bookmarking – Files

  • Add the bookmarked item to a folder by selecting an existing folder, or

  • Select “Create new bookmark folder” and enter the name.

  • View Bookmarks

    • Select Bookmarks button > Bookmarks Home plate > Report button


Bookmarking – Notes

  • Allows you to add a note to a bookmarked item.

    • e.g., add a note to a bookmarked file.
  • Formatting includes bold, italic, font size and text indent.

    • However, only text indent is worth using.


Bookmarking – Notes

  • To add a note to a bookmarked file/item.

  • Add your notes and indent text as needed.



Bookmarking – File Group

  • In Tree view select (with a blue checkmark) the folder containing the files you want to bookmark.

  • Right-click on the folder and select Bookmark Data.

  • Ensure that “Bookmark Selected Items” is checked.

  • Select “ok”

  • View Bookmarks

    • Select Bookmarks button > Bookmarks Home plate > Report button.


Bookmarking - Report



Evidence File

  • Restoring a drive

  • Compression

    • To compress data files once the HD has been acquired.
    • Right-click on device > Select Acquire > Replace Source Device > Compression – Best


File Signatures

  • View > File Signatures

    • Used to compare file headers with file extensions


File Signatures

  • To Start: Click on Search button.

  • Ensure that only the “Verify file signatures” option is selected.

  • Click on the Start button. The process will run in the background.

  • Click on Save - Once the process is done.



File Signatures

  • _ Deleted

  • X – Deleted, overwritten file

    • Starting cluster is occupied by another file.
  • O – Undeleted by EnCase.

  • O – Directory entry with a file name but no starting cluster.



File Signatures

  • Signature Analysis

    • Select the case / device “home plate”
    • Table View - Sort order
      • Signature
      • File Ext
      • Name
  • Secondary sorts

    • Shift > double-click


File Signatures

  • *Alias

    • The header and the extension don’t agree
    • The header exists in the Signature table
    • Generally renamed extension – Encase displays file type.
  • !Bad Signature

    • The header and the extension don’t agree
    • The extension exists in the Signature table
    • The header does not exist in the Signature table
  • Match - Header & extension agree.

  • Unknown – Header & extension do not exist in Signature table.
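
As an added example (not EnCase code and not from the original slides), the four outcomes defined above can be reproduced with a small signature table: a header found in the table yields Match or *Alias depending on whether the extension agrees, and a header absent from the table yields !Bad Signature when the extension is known or Unknown when it is not. The signature table and sample files are constructed for the demo, and the result rows are sorted the way the slides suggest for the table view (Signature, then File Ext, then Name).

```python
"""Signature analysis as the slides define it: compare a file's header bytes
with its extension and label the result Match, *Alias, !Bad Signature or
Unknown. Added example, not EnCase code; the signature table and the sample
files are constructed for the demo."""

# Constructed table: (file type, header bytes, extensions that normally carry that header)
SIGNATURE_TABLE = [
    ("JPEG image", b"\xff\xd8\xff", {"jpg", "jpeg"}),
    ("PNG image", b"\x89PNG\r\n\x1a\n", {"png"}),
    ("ZIP archive", b"PK\x03\x04", {"zip", "docx", "xlsx"}),
    ("PDF document", b"%PDF-", {"pdf"}),
    ("Windows executable", b"MZ", {"exe", "dll"}),
    ("Windows shortcut", b"L\x00\x00\x00\x01\x14\x02\x00", {"lnk"}),
]
KNOWN_EXTENSIONS = set().union(*(exts for _, _, exts in SIGNATURE_TABLE))


def _extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def classify(name, header):
    """Return (signature result, file type derived from the header or None)."""
    ext = _extension(name)
    for file_type, magic, exts in SIGNATURE_TABLE:
        if header.startswith(magic):
            # Header is in the table: extension agrees (Match) or was renamed (*Alias).
            return ("Match", file_type) if ext in exts else ("*Alias", file_type)
    # Header is not in the table: a known extension is a !Bad Signature, otherwise Unknown.
    return ("!Bad Signature", None) if ext in KNOWN_EXTENSIONS else ("Unknown", None)


def signature_analysis(files):
    """files: [(name, first bytes)] -> rows sorted by Signature, File Ext, Name."""
    rows = []
    for name, header in files:
        result, file_type = classify(name, header)
        rows.append({"signature": result, "file_ext": _extension(name),
                     "name": name, "file_type": file_type})
    rows.sort(key=lambda r: (r["signature"], r["file_ext"], r["name"]))
    return rows


# Constructed sample files: name and the first bytes an examiner would see in the hex view.
SAMPLE_FILES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # JPEG header under a .txt name
    ("budget.xlsx", b"PK\x03\x04\x14\x00"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),          # executable header under a .pdf name
    ("archive.zip", b"just some text\r\n"),           # known extension, unknown header
    ("data.bin", b"\x00\x01\x02\x03"),                # neither side in the table
    ("art.lnk", b"L\x00\x00\x00\x01\x14\x02\x00"),
]

if __name__ == "__main__":
    for row in signature_analysis(SAMPLE_FILES):
        print("%-15s %-5s %-12s %s" % (row["signature"], row["file_ext"],
                                       row["name"], row["file_type"] or ""))
```

The *Alias rows are the ones the slides say EnCase reports with the file type taken from the header, which is why the renamed JPEG is still listed as "JPEG image".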



Exporting Files

  • Use the blue checkmark to select files to export.

  • Right click in the table view.

  • Select > Copy/UnErase.



Exporting Report

  • Select Report button

  • In Table View

    • Right Click on report
    • Select Export
    • Select Format
    • Input path


Windows Artifacts – INFO2

  • Sort by name – Double click on the “Name”.

  • Click on the first file, under name, in the Table View.

  • Type “info” quickly.



Windows Artifacts – INFO2

  • Highlight text starting with C:\Documents and end with .doc

  • Right click > Bookmark Data



Windows Artifacts – INFO2

  • Note that the SID number (S-1-5- . . .-1003) ends with 1003.

  • Under Data Type, Select Windows > Win2000 Info File Record



Windows Artifacts – INFO2

  • Deleted – Note the date and time; is it relevant?

  • Path – Note the file’s location and what was deleted.



Windows Artifacts – Link Files

  • Shortcut files – Record creation, access and last written dates.

    • Provides insight into how a computer was configured at a given point in time.
    • May indicate when an application was installed.
    • When created after the application was installed, it supports the allegation that the user had knowledge of a file or application.
    • Contains the fully qualified path to the file referenced.
    • Provides evidence of the existence of an application which is no longer installed.


Windows Artifacts – Link Files

  • Sort by file type – Double click on the “File Ext” column.

  • Then sort by name – Hold the Shift key and double-click on the “Name” column.

  • Click on the first file, under “File Ext”, and type “lnk” quickly.



Windows Artifacts – Link Files

  • Note that you should now be at the start of the lnk files.

  • Click on the first link file, under “Name”, and type “art” quickly.



Windows Artifacts – Link Files

  • Select the Hex button.

  • FO28 – Start at byte offset 28 (FO = file offset).

  • LE24 – Highlight the next 24 bytes (LE = length).



Windows Artifacts – Link Files

  • Right click on your selection and select Bookmark Data.



Windows Artifacts – Link Files

  • Select Dates > Windows Date/Time



Windows Artifacts – Link Files

  • Note the date and time associated with this link file.



Windows Artifacts Volume Serial Number

  • To associate the link file with the current volume.

  • Select file > In text mode select the path > select Hex mode.



Windows Artifacts Volume Serial Number

  • Locate the hex value 10 (0x10) that appears just before the path selection.

  • Note the value of the four bytes prior to the hex 10.



Windows Artifacts Volume Serial Number

  • Select “Entries” in the Tree Pane and the drive in the Table Pane.

  • Next, select the Report button in the Bottom Pane.

  • Locate the volume serial number.

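The following added example (not EnCase code and not part of the original slides) does programmatically what the link-file slides above do by hand in the hex view: it reads the three FILETIME values that start at byte offset 28 (FO28, LE24) and decodes them as Windows Date/Time, and it pulls the volume serial number out of the VolumeID structure, where it sits immediately before the 0x10 VolumeLabelOffset DWORD that precedes the volume label and path. A second function reproduces the manual "find the 0x10 before the path, read the four bytes before it" sweep so the two can be compared. The sample shortcut is constructed from the published Shell Link layout; its times, serial, label and path are made up.

```python
"""Decode a Windows shortcut (.lnk) the way the slides do by hand: the three
FILETIMEs at file offset 28 (FO28, LE24) and the volume serial number that sits
just before the 0x10 VolumeLabelOffset in the VolumeID.

Added example, not EnCase code. The sample shortcut bytes are constructed below
from the published Shell Link layout (ShellLinkHeader, LinkInfo, VolumeID)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 0x4C                      # ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1           # LinkFlags bits
HAS_LINK_INFO = 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1     # LinkInfoFlags bit


def filetime_to_datetime(ft):
    """FILETIME: 100-ns ticks since 1601-01-01 UTC (the 'Windows Date/Time' data type)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def format_serial(serial):
    """Render a 32-bit DriveSerialNumber as Windows prints it, e.g. 1234-ABCD."""
    return "%04X-%04X" % (serial >> 16, serial & 0xFFFF)


def _cstring(data, offset):
    return data[offset:data.index(b"\x00", offset)].decode("cp1252")


def parse_lnk(data):
    """Return header timestamps plus VolumeID serial/label and local path when present."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    created, accessed, written = struct.unpack_from("<3Q", data, 28)   # FO28, LE24
    info = {
        "creation_time": filetime_to_datetime(created),
        "access_time": filetime_to_datetime(accessed),
        "write_time": filetime_to_datetime(written),
        "volume_serial": None, "volume_label": None, "local_base_path": None,
    }
    offset = HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        offset += 2 + struct.unpack_from("<H", data, offset)[0]      # skip the IDList
    if link_flags & HAS_LINK_INFO:
        _size, _hdr, info_flags, vol_off, path_off = struct.unpack_from("<5I", data, offset)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = offset + vol_off
            # VolumeID: VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset (0x10), label
            _vsize, _dtype, serial, label_off = struct.unpack_from("<4I", data, vol)
            info["volume_serial"] = format_serial(serial)
            info["volume_label"] = _cstring(data, vol + label_off)
            info["local_base_path"] = _cstring(data, offset + path_off)
    return info


def sweep_volume_serial(data, path):
    """The slides' manual method: select the path in the hex view, find the
    0x10 DWORD just before it and read the four bytes in front of that."""
    path_pos = data.find(path.encode("cp1252"))
    marker = data.rfind(b"\x10\x00\x00\x00", 0, path_pos) if path_pos > 0 else -1
    if marker < 4:
        return None
    return format_serial(struct.unpack_from("<I", data, marker - 4)[0])


def build_sample_lnk(created, accessed, written, serial, label, path):
    """Constructed minimal .lnk: header + LinkInfo carrying a VolumeID and local path."""
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), 0, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("cp1252") + b"\x00"
    path_b = path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), 3, serial, 0x10) + label_b
    vol_off = 28                                   # right after the 28-byte LinkInfo header
    path_off = vol_off + len(volume_id)
    suffix_off = path_off + len(path_b)
    link_info = struct.pack("<7I", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, path_off, 0, suffix_off)
    return header + link_info + volume_id + path_b + b"\x00"


# Constructed sample: made-up times, serial, label and path.
SAMPLE_PATH = r"C:\Documents and Settings\smith\My Documents\art.doc"
SAMPLE_LNK = build_sample_lnk(
    created=datetime(2007, 4, 18, 9, 15, tzinfo=timezone.utc),
    accessed=datetime(2007, 4, 18, 9, 15, tzinfo=timezone.utc),
    written=datetime(2007, 4, 17, 16, 42, tzinfo=timezone.utc),
    serial=0x1234ABCD, label="SYSTEM", path=SAMPLE_PATH)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print("%-16s %s" % (key, value))
    print("%-16s %s" % ("swept serial", sweep_volume_serial(SAMPLE_LNK, SAMPLE_PATH)))
```

The serial returned here is what you compare against the volume serial number shown in the drive's Report tab; a mismatch means the shortcut points at a volume other than the one in evidence.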


Windows Artifacts Application Data

  • Outlook Express – Email storage location.

  • Documents & Settings > User Name > Local Settings > Application Data > Identities > GUID number > Microsoft > Outlook Express.



Windows Artifacts Root Folder

  • Named after the user login name.

  • Ntuser.dat – Last written time represents the user’s last logout time.



Windows Artifacts Recent Folder

  • Recently accessed files – Great place to start investigating a case.

  • Start > All Programs > My Recent Documents – Represent link files.

  • Documents & Settings > User Name > Recent

  • While Windows only displays the last 15 documents, the Recent folder could contain hundreds of link file names, which may be of value.

  • A shortcut may refer to a volume that wasn’t present when evidence was collected.



Windows Artifacts Desktop Folder

  • Documents & Settings > User Name > Desktop.

  • Desktop items may come from four sources: the user’s Desktop folder, the Registry, the All Users desktop folder and Domain Group Policy.



Windows Artifacts My Documents

  • Documents & Settings > User Name > My Documents.

  • Windows will generally store files in this folder.



Windows Artifacts Sent To Folder

  • Contains only those items added by the user.

  • Drive letters for attached media can be found here.



Windows Artifacts Temp Folder

  • Documents & Settings > User Name > Local Settings > Temp

  • Note that this folder is specific to the user.

  • May contain evidence of application installation.



Windows Artifacts Thumb Files



Windows Artifacts Favorites Folder

  • Documents & Settings > User Name > Favorites

  • .url – The user’s Internet Explorer & Windows Explorer favorites settings.

  • Note the unique header – It can be used to locate deleted shortcuts.



Windows Artifacts Cookies Folder

  • Documents & Settings > User Name > Cookies.

  • Small text files which may provide insight into sites visited by the user.

  • The index.dat file contains data about each cookie.

  • Use an external viewer.



Windows Artifacts History Folder

  • Documents & Settings > User Name > Local Settings > History.

  • Contains all the history for 20 days – the default period.

  • .IE5 folder – Contains



Windows Artifacts Temporary Internet Files



Windows Artifacts Swap File

  • Pagefile.sys – Represents Windows virtual RAM.

  • Search with the Unicode option enabled.



Windows Artifacts Hibernation File

  • In order for a machine to enter sleep mode, the contents of RAM must be written to hiberfil.sys.

  • The contents reflect the last time the machine entered hibernation.



Windows Artifacts Print Spooling

  • Windows > System32 > spool > printers.

  • Two files are created: shadow (SHD) and spool (SPL).

  • SHD – contains username, file name, printer & print mode.

  • SPL - contains print data.



Windows Artifacts Print Spooling

  • Rarely found in allocated space.

    • Generally found in unallocated space, the page file, the hibernation file and slack space.
  • Search String:

    • \x01\x00\x00\x00..\x00.{34,34}EMF
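
As an added example (not EnCase code and not from the original slides), the GREP expression above can be run as a Python bytes regex over a buffer that stands in for unallocated space. The expression anchors on an EMF record type of 1 (EMR_HEADER) and the letters "EMF" 41 bytes later, which is where the " EMF" signature DWORD of an EMF header falls; the code below carves each hit and reads the record size, full signature and version an examiner would check before bookmarking it as a picture. The EMR_HEADER record and the surrounding "slack" bytes are constructed for the demo.

```python
"""Carve EMF print-spool headers out of a byte buffer with the slides' GREP
expression. Added example, not EnCase code: the 'slack' buffer below is
constructed, and the record layout follows the documented EMR_HEADER."""
import re
import struct

# The EnCase GREP from the slide, written as a Python bytes regex. It anchors on
# iType == 1 (EMR_HEADER) and the 'EMF' of the ' EMF' signature 40 bytes in.
EMF_SPOOL_GREP = rb"\x01\x00\x00\x00..\x00.{34}EMF"
EMF_HEADER_RE = re.compile(EMF_SPOOL_GREP, re.DOTALL)
EMF_SIGNATURE = 0x464D4520                  # ' EMF' as a little-endian DWORD


def build_emr_header(width_px=2550, height_px=3300):
    """Constructed 88-byte EMR_HEADER record (no description string, no extensions)."""
    return struct.pack("<II4l4lIIIIHHIII4l",
                       1, 88,                                  # iType, nSize
                       0, 0, width_px - 1, height_px - 1,      # rclBounds
                       0, 0, 21590, 27940,                     # rclFrame (0.01 mm, letter)
                       EMF_SIGNATURE, 0x00010000,              # dSignature, nVersion
                       108, 2,                                 # nBytes, nRecords
                       1, 0,                                   # nHandles, sReserved
                       0, 0, 0,                                # nDescription, offDescription, nPalEntries
                       width_px, height_px, 216, 279)          # szlDevice, szlMillimeters


def find_emf_spool_headers(data):
    """Return every GREP hit with the fields an examiner checks before bookmarking."""
    hits = []
    for m in EMF_HEADER_RE.finditer(data):
        off = m.start()
        n_size, = struct.unpack_from("<I", data, off + 4)
        signature, version = struct.unpack_from("<II", data, off + 40)
        hits.append({"offset": off, "record_size": n_size,
                     "signature_ok": signature == EMF_SIGNATURE, "version": version})
    return hits


# Constructed stand-in for unallocated space: filler that never matches, two EMF
# headers, and a decoy record with iType 1 but no signature.
FILLER = bytes(range(256)) * 2
DECOY = b"\x01\x00\x00\x00" + b"\x00" * 40
SAMPLE_SLACK = (FILLER + build_emr_header() + FILLER + DECOY
                + FILLER + build_emr_header(1240, 1754) + FILLER)

if __name__ == "__main__":
    for hit in find_emf_spool_headers(SAMPLE_SLACK):
        print("EMF header at offset %d, record size %d, version 0x%08X, signature %s"
              % (hit["offset"], hit["record_size"], hit["version"],
                 "ok" if hit["signature_ok"] else "bad"))
```

The decoy shows why the trailing "EMF" in the expression matters: a record type of 1 on its own is far too common in binary data to be a useful search string.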


Windows Artifacts Print Spooling

  • Right click on selected data > Bookmark Data

  • EMF will generally provide positive results, while emf0 will not.



Windows Artifacts Print Spooling

  • Under Data Type, select:

    • Picture > Picture.


Windows Artifacts – Time



File Viewers

  • View > File Viewers

  • Right Click > File Viewer

  • Select New

  • Enter program name

  • Enter path to program.exe



File Viewers

  • View > File Types

  • Select File Types > Home plate

  • Table view > Sort by extension



File Viewers

  • Right click on extension

  • Select Installed Viewer

  • Select appropriate File Viewer



Conclusion

  • Starting a New Case

  • Adding a Device

  • Creating a Boot Disk

  • Keyword Search

  • Bookmarking

  • File Signatures

  • Exporting Files/Report

  • File Viewers


