The Top EnCase Tech Support Questions
  • Slide note: Gates Rubber: Competing expert testimony in a copyright infringement case. Gates Rubber hired a computer expert who failed to perform a forensic exam and instead installed utilities on the target drive, made logical file copies, changed the access dates and overwrote 7-8 percent of the hard drive in the process. The Court issued harsh evidentiary sanctions and issued the quoted ruling in response. This is an important opinion in the field of computer forensics. It established that an examiner has a legal duty to use the best available methods in handling computer evidence.

    1. The Top EnCase Tech Support Questions & What’s new at Guidance Software?
       Presented at the HTCIA meeting, New York, by Bill Siebert
    2. Parallel port preview/acquire not connecting
       • Make sure the Windows version of EnCase and the DOS version of EnCase are the same; i.e., if you have EnCase 3.19 on your Windows side, you MUST have EnCase for DOS 3.19 on your EnCase boot floppy disk.
       • Make sure the parallel-port settings in the BIOS are the same for both the Subject PC and the Storage PC. The recommended BIOS settings are:
         • Bi-Directional
         • EPP
         • ECP + EPP
         • ECP
    3. How to acquire using a NIC
       • Boot the suspect machine into DOS with one of the new automated EnCase Network boot disks.
       • Type “EN” at the DOS prompt.
       • Select server and then network.
       • Boot the forensic machine into Windows.
       • Make sure the network settings are correct on the Windows machine:
         • TCP/IP protocol must be installed
         • IP address should be set at
         • Subnet mask should be
         • You must remove your WINS and DNS settings
       • Open EnCase, choose preview/acquire.
       • Select network for source.
    4. What file systems does EnCase support?
       • EnCase can interpret the following file systems:
         • FAT12
         • FAT16
         • FAT32
         • NTFS
         • EXT2 (Linux)
         • HFS
         • HFS+ (Mac and PowerMac)
         • UFS (Unix)
         • CDFS (CD-ROM)
         • UDFS *
       • Note: If EnCase does not recognize the file system on the drive (HPFS for example), it will show the unrecognized file system as an "unallocated cluster" file. You can still search for keywords and file headers, and make bookmarks, but you will not see file names or folder structure. You can still perform EScript searches against these file systems as well.
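The note on slide 4 says that on an unrecognized file system you can still search for file headers across what EnCase shows as one large unallocated-cluster file. The Python script below is an added example of that kind of header search over a raw byte blob; it is not code from the presentation or from Guidance Software. It walks a small table of well-known file signatures, reports the byte offset and sector of every hit, and records whether the header sits on a sector boundary (a header that starts a sector is a better candidate for a whole file than one found mid-sector, which is often an embedded thumbnail or fragment). The signature table and the four-sector sample blob are constructed for the example.

```python
# Added example: signature (file-header) search over an unrecognized file system
# treated as one raw blob. Not code from the presentation or from Guidance Software.

SECTOR_SIZE = 512

# Well-known magic numbers (constructed table for the example; extend as needed).
FILE_SIGNATURES = {
    "JPEG": b"\xFF\xD8\xFF",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "GIF": b"GIF8",
    "ZIP/Office": b"PK\x03\x04",
}


def scan_for_headers(blob: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Return every signature hit in the blob, ordered by offset.

    Each hit records the file type, the absolute byte offset, the sector number
    the hit falls in, and whether the header is aligned to a sector boundary.
    """
    hits = []
    for name, magic in FILE_SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx == -1:
                break
            hits.append({
                "type": name,
                "offset": idx,
                "sector": idx // sector_size,
                "sector_aligned": idx % sector_size == 0,
            })
            start = idx + 1  # keep scanning after this hit
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_blob() -> bytes:
    """Constructed 4-sector blob: a PNG header at sector 1, a JPEG header
    embedded mid-sector in sector 2, and a ZIP header at sector 3."""
    blob = bytearray(4 * SECTOR_SIZE)
    blob[SECTOR_SIZE:SECTOR_SIZE + 8] = FILE_SIGNATURES["PNG"]
    jpeg_off = 2 * SECTOR_SIZE + 17
    blob[jpeg_off:jpeg_off + 3] = FILE_SIGNATURES["JPEG"]
    blob[3 * SECTOR_SIZE:3 * SECTOR_SIZE + 4] = FILE_SIGNATURES["ZIP/Office"]
    return bytes(blob)


if __name__ == "__main__":
    for hit in scan_for_headers(build_sample_blob()):
        print(hit)
```

On a real image you would read the unallocated region in chunks rather than loading it whole, and carry the chunk's base offset into the reported positions; the alignment flag is the useful triage cue, since unaligned hits on a cluster-based file system are far more likely to be fragments than recoverable files.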
    5. How to mass copy/unerase bookmarks
       • Check the check box of the top-most bookmark.
       • <Shift>-click the check box of the bottom-most bookmark. All bookmarks will be checked.
       • Right-click anywhere in the Table view. Select the "Tag Selected Files" command.
       • Switch to the case tab and you will notice that the files corresponding to the bookmarks you checked are now also all checked.
       • In the Table view, right-click on any one selected file and choose "Copy/Unerase".
       • Specify that you want to copy/unerase "all selected files".
       • Click Next, Next, and then Finish.
    6. How to bookmark multiple recovered graphic images
       To move recovered graphics files from the Recovered Graphics Files folder into one of the Final Report folders, typically the Pictures folder, do this:
       1. Go to the Bookmark tab on the left.
       2. Highlight the Recovered Graphics Files folder.
       3. Go to the Table view on the right.
       4. Drag and drop the desired images, by the number next to the file, into the folder of choice.
       Note: At this time, you cannot multiple-select the images. You have to drag and drop them one at a time.
    7. Time/Date stamp issues
       Last Accessed: The Last Accessed column gives the date of the last access of the file. A file does not have to be altered for the Last Accessed date to change—only accessed (opened).
       Last Written: The Last Written column indicates the last date and time that a file was actually opened, edited, then saved. If a file is merely opened then closed (but not altered), or opened, edited, and closed with no save, then this column will not update.
       File Created: This tells us when that particular file was created at that location. So, if a file was edited and changed on January 3rd, and then copied to a floppy diskette on January 15th, and you acquired that floppy diskette on January 28th, you would notice that the file (on the floppy) was created after it was last written or even accessed!
       Entry Modified: This is only pertinent to NTFS (Windows NT, Windows 2000) and Linux file system files. It refers to the pointer for the file entry and the information that that pointer contains, such as the size of the file. So, if you were to change a file, but
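The floppy scenario on slide 7 is the classic case of a file whose Created date is later than its Last Written date, which tells the examiner the file was copied to that location after its content was last saved. The Python script below is an added example, not code from the presentation or from Guidance Software, that turns the slide's reasoning into a triage pass over exported file-table rows: it flags created-after-written files, flags access dates that precede the last write, and flags an Entry Modified value on a file system the slide says does not carry one. The rows are constructed; the first mirrors the slide's January dates.

```python
# Added example: sanity checks on the four timestamp columns the slide describes.
# Not code from the presentation or from Guidance Software; rows are constructed.
from datetime import datetime

# Constructed file-table rows. budget.xls mirrors the slide's floppy scenario:
# last written 3 Jan, copied to the floppy 15 Jan, floppy acquired 28 Jan.
SAMPLE_ROWS = [
    {"name": "budget.xls", "fs": "FAT12",
     "created": datetime(2002, 1, 15), "written": datetime(2002, 1, 3),
     "accessed": datetime(2002, 1, 28)},
    {"name": "memo.doc", "fs": "NTFS",
     "created": datetime(2002, 1, 2), "written": datetime(2002, 1, 10),
     "accessed": datetime(2002, 1, 10), "entry_modified": datetime(2002, 1, 10)},
    {"name": "notes.txt", "fs": "NTFS",
     "created": datetime(2002, 1, 2), "written": datetime(2002, 1, 5),
     "accessed": datetime(2002, 1, 4)},
]

# File systems on which the Entry Modified column carries meaning (per the slide).
ENTRY_MODIFIED_FS = ("NTFS", "EXT2")


def explain_timestamps(row: dict) -> list:
    """Return human-readable observations about one file's timestamps."""
    notes = []
    if row["created"] > row["written"]:
        notes.append("created after last written: the file was copied or moved "
                     "to this location after its content was last saved")
    if row["accessed"] < row["written"]:
        notes.append("last accessed earlier than last written: worth a closer look, "
                     "since a save normally also updates the access stamp")
    if "entry_modified" in row and row["fs"].upper() not in ENTRY_MODIFIED_FS:
        notes.append("entry-modified value reported for a file system "
                     "that does not carry one")
    return notes


def triage(rows: list) -> dict:
    """Map file name -> observations, only for files that have any."""
    result = {}
    for row in rows:
        notes = explain_timestamps(row)
        if notes:
            result[row["name"]] = notes
    return result


if __name__ == "__main__":
    for name, notes in triage(SAMPLE_ROWS).items():
        print(name)
        for note in notes:
            print("   -", note)
```

The checks are deliberately conservative: a created-after-written file is a firm indicator of a copy or move, while an access date earlier than the last write is only a prompt to look at clock changes or volume settings before drawing any conclusion.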
    8. How to add an external file viewer
       • Navigate to Tools > File Signatures and Viewers > Viewers tab.
       • Right-click and select New File Viewer.
       • After you add the file viewer, go back to the File Signatures page and associate the new viewer with whatever type of file you wish.
    9. How to acquire a laptop hard drive
       There are 4 ways to acquire a laptop hard drive. In order, from fastest to slowest:
       1. Remove the hard drive from the laptop and acquire using FastBloc. (You will need to buy a 40-pin standard IDE connector to laptop HDD connector, which runs about $10 at any computer store.)
       2. Remove the hard drive from the laptop and acquire using DOS. Again, you will need to buy that adapter.
       3. Using the EnCase Network Boot disk and a compatible network card in both the laptop and your forensic machine, use the 10bT crossover cable and acquire through that.
       4. Using the parallel port cable. This method is extremely slow; however, on some laptops it is the only way to acquire them.
       Note: Many laptop hard drives are "married to the motherboard" so that they will not work correctly if you try to acquire them outside of the laptop. For that reason, many people only consider using methods 3 & 4. Method 3 is definitely faster than number 4.
    10. How to find a deleted partition
       • Run a hex search for the characters '55' and 'AA' and see if you can find the end of a partition. If you do, count 63 sectors to the right of that. If there is "MSWIN4.1" or "NTFS" text in that sector, then that sector (with the text) is the beginning of a new partition.
       • Right-click that sector and click "Add Partition."
       • Note: You can find more information regarding recovering partitions in Chapter 19 of the EnCase 3.18 User Manual.
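Slide 10's rule can be automated over a raw image: every sector that ends in the 55 AA marker (the MBR, extended boot records and boot sectors all do) is a candidate, and the sector 63 sectors after it is checked for the "NTFS" or "MSWIN4.1" OEM name at offset 3. The Python script below is an added example of that scan; it is not code from the presentation or from Guidance Software. It goes slightly beyond the slide by restricting the 55 AA match to the last two bytes of a sector (a hex search would also match those bytes anywhere inside data) and by requiring the candidate boot sector itself to end in 55 AA. The 200-sector image is constructed inside the script: a wiped MBR with an NTFS boot sector at sector 63, a stray marker at sector 30 with nothing behind it, and an extended boot record at sector 100 with a FAT32 volume at sector 163.

```python
# Added example: automate slide 10's rule for locating a deleted partition's
# boot sector. Not code from the presentation or from Guidance Software;
# the disk image is constructed in build_sample_image().
SECTOR = 512
GAP = 63  # the slide's rule: the boot sector sits 63 sectors after the 55 AA marker

# OEM names the slide tells you to look for, found at offset 3 of a boot sector.
OEM_NAMES = {
    b"NTFS": "NTFS",
    b"MSWIN4.1": "FAT",   # OEM label written by Windows 9x/Me format
}


def sector_at(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def has_boot_signature(sector: bytes) -> bool:
    """True when the sector ends in the 55 AA marker (MBR, EBR and boot sectors do)."""
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xAA"


def identify_boot_sector(sector: bytes):
    """Return the file system name if the OEM field matches, else None."""
    for oem, name in OEM_NAMES.items():
        if sector[3:3 + len(oem)] == oem:
            return name
    return None


def find_partition_candidates(image: bytes, gap: int = GAP) -> list:
    """Scan every sector for a 55 AA marker, then check the sector `gap`
    sectors further on for a FAT or NTFS OEM name. Returns (lba, fs) pairs."""
    n_sectors = len(image) // SECTOR
    hits = []
    for lba in range(n_sectors):
        if not has_boot_signature(sector_at(image, lba)):
            continue
        target = lba + gap
        if target >= n_sectors:
            continue
        candidate = sector_at(image, target)
        fs = identify_boot_sector(candidate)
        # A genuine FAT/NTFS boot sector also carries its own 55 AA marker.
        if fs is not None and has_boot_signature(candidate):
            hits.append((target, fs))
    return hits


def make_sector(oem: bytes = b"", signed: bool = False) -> bytes:
    sec = bytearray(SECTOR)
    if oem:
        sec[0:3] = b"\xEB\x52\x90"      # jump instruction that opens a boot sector
        sec[3:3 + len(oem)] = oem
    if signed:
        sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_sample_image() -> bytes:
    """Constructed 200-sector image: a wiped MBR at 0 with an NTFS boot sector at
    63, a stray 55 AA at 30 with nothing behind it, and an EBR at 100 followed by
    a FAT32 logical volume at 163."""
    sectors = [make_sector() for _ in range(200)]
    sectors[0] = make_sector(signed=True)
    sectors[30] = make_sector(signed=True)
    sectors[63] = make_sector(b"NTFS    ", signed=True)
    sectors[100] = make_sector(signed=True)
    sectors[163] = make_sector(b"MSWIN4.1", signed=True)
    return b"".join(sectors)


if __name__ == "__main__":
    for lba, fs in find_partition_candidates(build_sample_image()):
        print(f"candidate {fs} boot sector at LBA {lba}")
```

The 63-sector gap is the legacy CHS track size that old partitioning tools used, which is why the slide's rule works on drives of that era; on an image partitioned by newer tools the gap is typically 2048 sectors, so the `gap` parameter is there to be changed rather than hard-coded.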
    11. How to acquire a PDA
       The only Palms supported, at this time, are the following:
       • III series
       • V series
       • VII series
       • M105
       • M100
       Note: You can acquire other PDAs that use the Palm OS 3.0, such as certain models of the Handspring Visor.
    12. How to acquire a PDA
       • Put the PDA in its cradle.
       • Attach the cradle cable to an available serial port on your computer.
       • Boot up the computer into Windows.
       • Launch EnCase for Windows.
       • Turn the Palm PDA on. Put it in Console mode.
       • Putting a Palm in Console mode: draw the following strokes in the "graffiti" area:
         • Lower-case cursive l on the left side of the "graffiti" area
         • Double-dot on the left side of the "graffiti" area
         • Number '2' on the right side of the "graffiti" area
       • Note: You will be able to tell when a Palm is in "console mode" by a slightly longer "beep" sound than the normal "beep" sound. To get out of console mode, you must reset the Palm.
       • Note: If you do not hear a "beep" sound when putting the Palm into Console mode, check the system volume settings for System Sound, Alarm Sound, and Game Sound. They should all be set to "High".
    13. How to acquire a PDA
       • Back at your computer, click the Acquire (or Preview) button in EnCase.
       • Source: "Local Devices". Include: "Palm Pilot" only.
       • You will see all serial devices attached to your computer. Click Next.
       • Enter your information (evidence number, case number, investigator’s name, etc.) on the acquisition screen. Click Next.
       • Choose to acquire only, or add and verify into the case. Click Next.
       • Choose compression and hashing options, and provide a file name. Click Finish.
       • You will see the Palm acquiring. It takes a while.
       • When finished, you will get a message telling you so.
       • Add the evidence file to a new (or existing) case.
       • You will see the Palm in the Case view.
       Getting out of Console Mode:
       1. You have to reset the Palm. To reset a Palm, look for a small circular hole on the back of the Palm with the word RESET by it. Insert a pen tip in there.
       Note: You will not be able to HotSync a Palm until it is out of Console mode, so be sure to do that.
    14. What’s new at Guidance Software? EnCase Enterprise Edition
    15. EnCase Enterprise Edition
       • EnCase Enterprise Edition allows investigators, inside or outside a network, to examine a target node in a “forensic” process.
       • Security controls are at a domain level and allow for multiple/remote domains.
       • EnCase Enterprise Edition operates in the Guidance Software Secure Network Application Environment.
       • The components of EnCase Enterprise Edition are:
         • S.A.F.E. - Secure Authentication for Forensic Examinations
         • EnCase Node Servlet
         • EnCase V3 Enterprise Client
    16. Design Features
       • Based on secure public key authentication, with 128-bit encryption for transmissions and files
       • Granular user permissions
       • Vendor must authorize each SAFE setup
       • Tamper-resistant storage of the SAFE private key on the SAFE
       • Secure backup of the SAFE private key for disaster recovery
       • Secure binding between SAFE hardware and SAFE private key
       • All session keys generated on SAFE hardware
       • Prevents replay attacks without relying on synchronized clocks
       • Node can validate the SAFE public key with the vendor signature
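One of the design features listed above is replay prevention that does not depend on synchronized clocks. The slide does not describe how SAFE achieves this, so the Python script below is an added, generic illustration of the standard technique, a server-issued one-time nonce that the client must answer and that is consumed on first use; it is not Guidance Software's protocol and makes no claim about SAFE's internals. To keep it self-contained it authenticates the response with an HMAC over a shared secret (a stand-in for the signature an examiner's key would produce); the replay property comes from the single-use nonce, not from the primitive. Examiner ids and keys are constructed inside the script.

```python
# Added example: clock-free replay prevention with single-use nonces.
# Generic illustration, not Guidance Software's SAFE protocol. HMAC over a
# constructed shared secret stands in for a public-key signature.
import hashlib
import hmac
import secrets


class ChallengeServer:
    """Issues random challenges and accepts each one at most once."""

    def __init__(self, examiner_keys: dict):
        self._keys = examiner_keys       # examiner id -> secret (constructed)
        self._outstanding = set()        # nonces issued but not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh randomness, no timestamp involved
        self._outstanding.add(nonce)
        return nonce

    def verify(self, examiner_id: str, nonce: bytes, response: bytes) -> bool:
        # Unknown nonce: either never issued or already used (a replay).
        if nonce not in self._outstanding:
            return False
        # Consume the nonce whether or not the answer checks out, so a captured
        # exchange cannot be presented a second time.
        self._outstanding.discard(nonce)
        key = self._keys.get(examiner_id)
        if key is None:
            return False
        expected = answer_challenge(key, examiner_id, nonce)
        return hmac.compare_digest(expected, response)


def answer_challenge(key: bytes, examiner_id: str, nonce: bytes) -> bytes:
    """Client side: bind the examiner identity to this exact challenge."""
    return hmac.new(key, nonce + examiner_id.encode(), hashlib.sha256).digest()


def demo() -> tuple:
    """Run a genuine exchange, a replay of it, and a forged answer.
    Returns (genuine_accepted, replay_accepted, forgery_accepted)."""
    keys = {"examiner1": secrets.token_bytes(32)}
    server = ChallengeServer(keys)

    nonce = server.issue_challenge()
    response = answer_challenge(keys["examiner1"], "examiner1", nonce)
    genuine = server.verify("examiner1", nonce, response)
    replay = server.verify("examiner1", nonce, response)   # same capture again

    other_nonce = server.issue_challenge()
    forgery = server.verify("examiner1", other_nonce, b"\x00" * 32)
    return genuine, replay, forgery


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False)
```

Because nothing in the exchange is a timestamp, the node and the SAFE need not agree on the time; the cost is that the server must remember outstanding nonces, so a production design bounds that set (by count or by session) rather than letting it grow without limit.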
    17. S.A.F.E. Server
       • Defines EnCase Examiner Access Permissions
       • Maintains EnCase Authentication Keys
       • Authenticates Examiners
       • Controls Examiners’ Privileges
       • Controls Access to Target Node via Servlet
         • Enables/Disables Examiner Sessions
       • Monitors and Logs Sessions
    18. Multi-SAFE Environment (diagram labels: SAFE1, Node 1, Keymaster 1, Consultant; SAFE2, Node 2, Keymaster 2, Examiner)
    19. EnCase v3 Enterprise Client
       • Designed for EnCase Enterprise Edition
       • Enhanced user interface for network node definition
       • Encrypted evidence files
       • Contains all features of EnCase v3
       • Used “standalone” for viewing Enterprise Edition encrypted evidence files
    20. Corporate Advantage
       • Best Practice “Incident Response”
       • Situation: Employee deletes files and company data or information.
       • Action: Use EnCase to search for deleted files.
         • Secure scene
         • Preview media or drive
         • Use undelete to recover files
         • Recover deleted folders and file fragments
         • Document findings in report
       • Outcome: Files recovered, evidence is secured and available for judgment on the act. Without a forensic copy, litigation for possible malicious intent would be compromised.
    21. Corporate Advantage
       • Best Practice “Incident Response”
       • Situation: Unusual activity of an employee’s computer use after work, possible inappropriate graphics or content.
       • Action: Use EnCase to determine misuse.
         • Gallery view for visual review
         • Recover deleted files
         • Review files with after-hours activity in the Timeline view
         • Document findings in report
       • Outcome: Verified use; you have court-approved evidence in support of your HR policies toward computer use. HR takes action if necessary.
    22. Corporate Advantage
       • Best Practice “Exit Interview”
       • Situation: Employee leaves the company, involved in projects and programs or not, on good terms or not.
       • Action: Use EnCase to search for intellectual property, deleted files, programs, databases and communications.
         • Secure scene
         • Image PC drive(s)
         • Recover deleted folders and file fragments
         • Search using key words or code names
         • Document findings in report
       • Outcome: Understand the exposure of intellectual property on the subject drive and be able to pursue recourse, up to litigation if necessary. Imaging the drive of all exits (good or bad) helps reduce HR issues resulting from employees feeling singled out.
    23. Bill Siebert, Director of Computer Investigative Services, Guidance Software, [email_address]