EnCase Navigating Encase Tree Pane, Table Pane, Bottom Pane and Filter Pane
date | 08.10.2017 | size | 444 b. | #4021
EnCase
Navigating Encase Tree Pane, Table Pane, Bottom Pane and Filter Pane - Highlighting a folder
- Home plate > Select the polygon to the left of the folder name.
- Blue check mark > Select the square to the left of the folder name – Used for keyword search
New Case Encase – New case - Select the “New” icon
- Name – case1
- Examiner Name – Your name
- Export Folder – c:\cases\case1\export
- Temporary Folder – c:\cases\case1\temp
Saving a Case Save the Case - Select the “Save” icon
- Select your folder
- Change case name to lower case and remove any space
Global Settings Tools > Options > Global - Auto save - set it to 5, increase to 30+ if making a long running search.
- Enable picture viewer, art and png image display
- Invalid picture timeout leave at 12 sec
- Date and Time – MM/DD/YY and 12:00
- Show Yes / No
Preview Device (HD, Floppy, Thumb Drive, etc) Select the “Add Device” button. Next select the appropriate device. - Generally you will select “Local Drives”
- For DOS acquisition select Network Crossover.
Preview Device (HD, Floppy, Thumb Drive, etc) Select the drive letter which represents the device to be imaged. - Floppy – Generally select the A drive.
- USB and Firewire acquisitions – Select drive E, F, etc.
Preview Device (HD, Floppy, Thumb Drive, etc) Adding evidence number and name. - Right click on the drive letter.
- Select > Edit
Preview Device (HD, Floppy, Thumb Drive, etc) Enter an evidence number: - Such as (070418-0010)
- Year 07, month 04 day 18, evidence number 0010.
Enter evidence name. - It’s a good idea to add the device type to the name, e.g., desktop, floppy, laptop, etc.
- Example: smithdesktopHD1, smithdesktopHD2, smithfloppy1, etc.
Acquiring Previewed Device If a previewed device warrants acquisition: Right click on the device and select Acquire.
Acquiring Previewed Device Select - Replace source device - This will replace the preview item.
Note! Search, Hash and Signature Analysis - Ensure that it is not selected – Acquisition will proceed faster.
Acquiring Previewed Device Set the following: - File segment size - 640
- Compression - None
- Password – Leave blank!!!!
- Generate image hash
- Output path – Check to ensure the correct one is selected.
Adding Previously Acquired Evidence (HD, Floppy, etc.) Create a new case or open an existing case. Select > Add Device
Adding Previously Acquired Evidence (HD, Floppy, etc.) Select the appropriate folder i.e., “Local” and then the appropriate file, or
Adding Previously Acquired Evidence (HD, Floppy, etc.) Right click on the “Evidence Files” folder and then select New to create a new path.
Adding Previously Acquired Evidence (HD, Floppy, etc.) Browse the file system until you find that location of the previously acquired evidence.
Boot Disk Creation
Boot Disk Creation Test diskette by rebooting from diskette. Run EnCase DOS program “en”
Boot Disk Creation ENBD – EnCase Network Boot Disk - Save the ENBD file to your desktop.
- http://www.guidancesoftware.com/support/downloads.aspx
- Insert floppy in drive.
- Run ENBD setup file.
- When finished add the en.exe file.
- Do not write protect the ENBD disk.
Boot Disk Creation
Boot Disk Creation Add the en.exe file. - C:\program files\encase\en.exe
Keyword Search Global keywords - These words are made available to all your cases.
- View > Keywords
Case specific keywords - These words are only available in this case.
- View > Cases Sub-Tabs > Keywords
Keyword Search Keyword Sources - Investigating officer
- HR
- Attorney
- Management
- Contract, Internet, Previous cases
Keyword Search Keyword Folder - Right-click on Keyword folder
- Select > New Folder
- Add Folder Name
Examples - Email addresses
- IP addresses
- Phone numbers
Keyword Search To add a single Keyword - Right-click on Keyword Folder > Select New
- Search Expression – word, phrase, GREP expression.
- Case sensitive – Check to make case sensitive.
- GREP – Limits false hits.
- Active Code Page – Allows foreign languages
- Unicode – Foreign language char. Check to locate both ASCII and Unicode.
Keyword Search To add a list of keywords - Right-click on Keyword Folder > Select Add Keyword List
- Enter words
Keyword Search Before beginning a search you must select the word or group of words you want EnCase to find. To do so, place a blue check next to the word or folder containing the words EnCase should locate. To begin a search, click on the Search button.
Keyword Search Search options:
- Search each file – Must be checked to activate a keyword search.
- Verify file signatures – Don’t check.
- Compute hash value – File hash analysis.
- Search file slack – Search the space between the end of the logical file and the end of the physical file.
- Undelete files – Logical undelete; search between the starting cluster and the following unallocated clusters.
- Search with known hashes – Will not search known hashes.
- Selected keywords only – Unless selected, all keywords are searched.
Search Results Search Hits – To view search results: View > Cases > Search Hits
- Refresh – Use during a search to display current results.
Search Results
- Exclude – The item is not deleted from the case. Red highlight.
- Export – Creates a tab-delimited text file which can be imported into Excel.
- Tag File – Will place a blue check on the file to identify it in Home view.
Bookmarking – Sweeping Bookmarks, Files, Notes, File Group
Bookmarking – Sweeping Bookmarks Sweeping bookmark – Used to capture notable data. Highlight the item >Right click > Select Bookmarks
Bookmarking - Sweeping Bookmarks
- Destination folder – Select a folder (e.g., Floppy) or create a new folder by right clicking on Bookmarks > New Folder > Enter new folder name.
- Add Comment – e.g., “Bad stuff doc appears to be created on suspect’s machine.”
- Data type – Select Style > ISO Latin > ISO Latin @ 100
- View results – Select Bookmarks button > Report button
Bookmarking – Files Used to flag files that contain important case information. Right click on a file. Select Bookmark Files
Bookmarking – Files Add the bookmarked item to a folder by selecting an existing folder, or Select “Create new bookmark folder” and enter the name. View Bookmarks - Select Bookmarks button > Bookmarks Home plate > Report button
Bookmarking – Notes Allows you to add a note to a bookmarked item. - e.g., add a note to a bookmarked file.
Formatting includes bold, italic, font size and text indent. - However, only text indent is worth using.
Bookmarking – Notes To add a note to a bookmarked file/item. Add your notes and indent text as needed.
Bookmarking – File Group In Tree view select (with a blue checkmark) the folder containing the files you want to bookmark.
- Right click on the folder and select Bookmark Data.
- Ensure that “Bookmark Selected Items” is checked. Select “OK”.
- View Bookmarks – Select Bookmarks button > Bookmarks Home plate > Report button.
Bookmarking - Report
Evidence File – Restoring a drive / Compression - To compress data files once the HD has been acquired.
- Right click on device > Select Acquire > Replace Source Device > Compression - Best
View > File Signatures - Used to compare file headers with file extensions
File Signatures To Start:
- Click on the Search button.
- Ensure that only the “Verify file signatures” option is selected.
- Click on the Start button. The process will run in the background.
- Click on Save once the process is done.
File Signatures – File status symbols
- _ – Deleted
- X – Deleted, overwritten file: the starting cluster is occupied by another file.
- O – Undeleted by EnCase.
- O – Directory entry with a file name but no starting cluster.
File Signatures Signature Analysis - Select the case / device “home plate”
- Table View - Sort order
- Secondary sorts
File Signatures *Alias - The header and the extension don’t agree
- The header exists in the Signature table
- Generally renamed extension – Encase displays file type.
!Bad Signature - The header and the extension don’t agree
- The extension exists in the Signature table
- The header does not exist in the Signature table
- Match – Header & extension agree.
- Unknown – Header & extension do not exist in Signature table.
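As an added illustration (not EnCase’s own code), here is a minimal Python re-implementation of the four verdicts above, driven by a small constructed signature table; EnCase’s real table is far larger, and the header bytes, type names and extensions in the sample are assumptions.

```python
# Constructed sample signature table (an assumption, not EnCase's table):
# header bytes -> (file type shown by EnCase, extensions that match it).
SIGNATURES = {
    b"\xFF\xD8\xFF": ("JPEG image", {"jpg", "jpeg"}),
    b"\x89PNG\r\n\x1a\n": ("PNG image", {"png"}),
    b"%PDF": ("PDF document", {"pdf"}),
    b"MZ": ("Windows executable", {"exe", "dll"}),
}
# Every extension that appears anywhere in the table.
KNOWN_EXTENSIONS = {ext for _, exts in SIGNATURES.values() for ext in exts}

def classify(data: bytes, name: str) -> str:
    """Return the EnCase-style verdict for one file: 'Match', '*Alias (type)',
    '!Bad Signature' or 'Unknown', following the four rules on the slide."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    hit = next((v for h, v in SIGNATURES.items() if data.startswith(h)), None)
    if hit is not None:
        ftype, exts = hit
        if ext in exts:
            return "Match"            # header and extension agree
        # Header is in the table, extension is not one of its own:
        # usually a renamed file, so report the real type as EnCase does.
        return f"*Alias ({ftype})"
    if ext in KNOWN_EXTENSIONS:
        # Extension is in the table but the header is not.
        return "!Bad Signature"
    return "Unknown"                  # neither header nor extension known

def sweep(files):
    """Run the check over (name, first bytes) pairs, like Signature Analysis
    over a Table View; returns name -> verdict."""
    return {name: classify(head, name) for name, head in files}
```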
Exporting Files Use the blue checkmark to select files to export. Right click in the table view. Select > Copy/UnErase.
Exporting Report Select Report button In Table View - Right Click on report
- Select Export
- Select Format
- Input path
Windows Artifacts – INFO2 Sort by name – Double click on the “Name”. Click on the first file, under name, in the Table View. Type “info” real fast.
Windows Artifacts – INFO2 Highlight text starting with C:\Documents and end with .doc Right click > Bookmark Data
Windows Artifacts – INFO2 Note that the SID number (S-1-5- . . .-1003) ends with 1003. Under Data Type, Select Windows > Win2000 Info File Record
Windows Artifacts – INFO2 Deleted - Note the date & time, is it relevant? Path – Note the files location and what was deleted.
Windows Artifacts – Link Files Shortcut files – Record creation, access and last written dates. - Provides insight to how a computer was configured at a given point in time.
- May indicate when an application was installed.
- When created after application install it supports the allegation that the user had knowledge of a file or application.
- Contains the fully qualified path to the file referenced.
- Provides evidence of the existence of an application which is no longer installed.
Windows Artifacts – Link Files Sort by file type – Double click on the “File Ext” column. Then sort by name – Hold the Shift key and double click on the “Name” column. Click on the first file, under “File Ext”, and type “lnk” real fast.
Windows Artifacts – Link Files Note, you should now be at the start of the lnk files. Click on the first link file, under “Name” and type “art” real fast.
Windows Artifacts – Link Files Select the Hex button. FO28 - Start at byte offset 28. LE24 - Highlight the next 24 bytes (the three 8-byte Windows FILETIME values: creation, last access and last write).
Windows Artifacts – Link Files Right click on your selection and select Bookmark Data.
Windows Artifacts – Link Files Select Dates > Windows Date/Time
Windows Artifacts – Link Files Note, the date and time associated with this link file.
Windows Artifacts Volume Serial Number To associate the link file with the current volume. Select file > In text mode select the path > select Hex mode.
Windows Artifacts Volume Serial Number Locate the hex value 10 that appears before the path selection. Note the value of the four bytes prior to the hex 10 – this is the volume serial number recorded in the link file.
Windows Artifacts Volume Serial Number Select “Entries” in the Tree Pane and the drive in the Table Pane. Next, select the Report button in the Bottom Pane. Locate the volume serial number and compare it with the value from the link file.
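An added Python example (not from the slides or from EnCase) that performs the two link-file checks above on a constructed .lnk image: reading the three FILETIME values at offset 28 (FO28 / LE24) and recovering the drive serial number by stepping back from the path to the 0x10 label-offset marker. The sample path, label and serial number are made-up values.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def lnk_timestamps(data: bytes):
    """FO28 / LE24: the three 8-byte FILETIMEs at byte offset 28 of a .lnk
    file are creation, last access and last write of the target."""
    created, accessed, written = struct.unpack_from("<3Q", data, 28)
    return tuple(filetime_to_utc(t) for t in (created, accessed, written))

def lnk_volume_serial(data: bytes, path: bytes) -> str:
    """The slide's method: find the path, step back to the 0x10 (volume
    label offset) that precedes it, and read the four bytes before that as
    the drive serial number, formatted XXXX-XXXX."""
    path_at = data.index(path)
    marker = data.rindex(b"\x10\x00\x00\x00", 0, path_at)
    serial = struct.unpack_from("<I", data, marker - 4)[0]
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"

def to_filetime(y: int, m: int, d: int) -> int:
    """Build a FILETIME for midnight UTC of the given date (sample data only)."""
    delta = datetime(y, m, d, tzinfo=timezone.utc) - EPOCH_1601
    return int(delta.total_seconds()) * 10_000_000

SAMPLE_PATH = b"C:\\Documents and Settings\\smith\\Desktop\\art.doc\x00"

def sample_lnk() -> bytes:
    """Constructed stand-in for a real link file: a 76-byte ShellLinkHeader,
    then a VolumeID block (size, drive type, serial, label offset, label)
    and the local base path. Only the fields read above are meaningful."""
    header = struct.pack("<I16sIIQQQIIIH10s", 0x4C, b"\x01\x14\x02" + b"\x00" * 13,
                         0x1, 0x20, to_filetime(2007, 4, 18), to_filetime(2007, 4, 19),
                         to_filetime(2007, 4, 18), 1234, 0, 1, 0, b"\x00" * 10)
    label = b"OS\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1234ABCD, 0x10) + label
    return header + volume_id + SAMPLE_PATH

if __name__ == "__main__":
    lnk = sample_lnk()
    print("created/accessed/written:", *lnk_timestamps(lnk))
    print("volume serial:", lnk_volume_serial(lnk, SAMPLE_PATH))
```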
Windows Artifacts Application Data Outlook Express – Email storage location. Documents & Settings > User Name > Local Settings > Application Data > Identities > GUID number > Microsoft > Outlook Express.
Windows Artifacts Root Folder Named after the user login name. Ntuser.dat – Last written time represents the user’s last logout time.
Windows Artifacts Recent Folder Recently accessed files – Great place to start investigating a case. Start > All Programs > My Recent Documents – Represent link files. Documents & Settings > User Name > Recent. While Windows only displays the last 15 documents, the Recent folder could contain hundreds of link file names, which may be of value. A shortcut may refer to a volume that wasn’t present when evidence was collected.
Windows Artifacts Desktop Folder Documents & Settings > User Name > Desktop. Desktop items may be the result of the following four sources: the user’s Desktop folder, the Registry, the All Users desktop folder and Domain Group Policy.
Windows Artifacts My Documents Documents & Settings > User Name > My Documents. Windows will generally store files in this folder.
Windows Artifacts SendTo Folder Contains only those items added by the user. Drive letters for attached media can be found here.
Windows Artifacts Temp Folder Documents & Settings > User Name > Local Settings > Temp Note, this folder is specific to the user. May contain evidence of application installation.
Windows Artifacts Thumb Files
Windows Artifacts Favorites Folder Documents & Settings > User Name > Favorites .url - User’s Internet Explorer & Windows Explorer favorites settings. Note the unique header – It can be used to locate deleted shortcuts.
Windows Artifacts Cookies Folder Documents & Settings > User Name > Cookies. Small text files which may provide insight into sites visited by the user. The index.dat file contains data about each cookie. Use an external viewer.
Windows Artifacts History Folder Documents & Settings > User Name > Local Settings > History. Contains all the history for 20 days – the default period. .IE5 folder – Contains
Windows Artifacts Temporary Internet Files
Windows Artifacts Swap File Pagefile.sys – Represents windows virtual RAM. Search with the Unicode option enabled.
In order for a machine to hibernate (suspend to disk), the contents of RAM must be written to hiberfil.sys. The contents reflect the last time the machine entered hibernation.
Windows Artifacts Print Spooling Windows > System32 > spool > printers. Two files are created shadow (SHD) and spool (SPL). SHD – contains username, file name, printer & print mode. SPL - contains print data.
Windows Artifacts Print Spooling Rarely found in allocated space. - Generally found in unallocated space, page file, hibernation file and slack space.
Search String: - \x01\x00\x00\x00..\x00.{34,34}EMF
Windows Artifacts Print Spooling Right click on selected data > Bookmark Data EMF will generally provide positive results, while emf0 will not.
Windows Artifacts – Time
File Viewers View > File Viewers
- Right Click > File Viewer > Select New
- Enter program name
- Enter path to program.exe
File Viewers View > File Types
- Table view > Sort by extension
- Right click on extension > Select Installed Viewer > Select appropriate File Viewer
Conclusion – Starting a New Case, Adding a Device, Creating a Boot Disk, Keyword Search, Bookmarking, File Signatures, Exporting Files/Report, File Viewers