Microsoft Word EnCase Forensic Version 11 User's Guide doc
Yüklə 2,21 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- To test for the presence of a DCO
- Doing a Crossover Cable Preview or Acquisition
- Server
- Devices
- Hashing the Subject Drive Using LinEn
- To perform a hash using LinEn
- Start Sector
Using LinEn 55
LinEn starts up in BIOS mode. A disk acquired in this mode reports only disk size seen by the BIOS. As a result, no data contained in a DCO are seen or reported. The Mode selection in LinEn provides a solution. Notice Disk1 in the figure. It shows a disk size of 26.8 GB. If this is acquired now, only that quantity of data is identified.
The Linux distribution in use must support Direct ATA mode for this function to work. To test for the presence of a DCO, 1.
Start LinEn in the normal manner on a computer that supports Direct ATA. The main screen shows a Mode button.
2.
Enter ʹMʹ to select Mode. A second screen displays offering three acquisition selections:
BIOS ATA
Cancel
3.
Enter ʹAʹ to select ATA Mode. 56
EnCase Forensic Version 6.11 Userʹs Guide
If a DCO is present on the disk, the original LinEn screen reports the correct disk size and the correct number of sectors. Disk1 in the following illustration shows the true disk size, 75.5 GB.
Doing a Crossover Cable Preview or Acquisition You have a LinEn boot disk. The investigator has identified the subject drive to be acquired.
1.
Boot the subject machine from the LinEn boot disk. 2.
Connect the forensic machine to the subject machine using a crossover cable. 3.
In Linux, ensure that the subject machine has an IP address assigned and a NIC card loaded appropriately by typing ifconfig eth0 , then if no IP address is assigned, assign one by typing ifconfig eth0 10.0.0.1 netmask 255.0.0.0 , and check the IP address assignment again by typing ifconfig eth0 . 4. Navigate to the folder where LinEn resides and type ./linen in the console to run LinEn. The LinEn Main Screen displays.
Using LinEn 57
5. Select Server, and press Enter. The message Waiting to connect should display.
6.
Specify an IP address of 10.0.0.1 on the forensic machine for the subject machine. 7.
Launch the EnCase application on the forensic machine. 8.
Create a new case, or open an existing case. 9.
Right‐click on the Devices object, and click Add Device. 10.
Select Network Crossover, and click Next. 11.
12.
Click Finish. The contents of the selected device reached through the network crossover connection are previewed. To acquire the content, perform an acquisition as described in Specifying and Running an Acquisition
58
EnCase Forensic Version 6.11 Userʹs Guide
This allows the investigator to know the hash value of the drive. LinEn is configured as described in the setup topics, and autofs is disabled. The investigator has identified the subject drive to be hashed.
1.
Navigate to the folder where LinEn resides and type ./linen in the console. The LinEn Main Screen displays. 2.
The Hash dialog displays. 3.
Select a drive, and click OK. The Start Sector dialog displays. 4.
The Stop Sector dialog displays. 5.
Accept the default or enter the desired Stop Sector, and click OK. The (Hash Results) dialog displays. 6.
If you are saving the hash value to a file, the Save Hash Value to a File dialog displays; otherwise, the LinEn Main Screen displays. 7.
The hash value is saved, and the LinEn Main Screen displays. A hash value is calculated for the selected sectors of the selected file. You can save this hash value to a file.
The Main Window 60
Panes and their Specific Tabs 98
Navigating the Tree Pane 115
Modifying the Table Pane 122
Modifying the View Pane 148
CHAPTER 5 Navigating the EnCase Interface
Yüklə 2,21 Mb. Dostları ilə paylaş:
|