File000132

  1. Module XIX – Forensic Investigation Using EnCase
  2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. News: Verizon to Use Guidance Software's EnCase eDiscovery on a Pay-Per-Use Basis. Source: http://www.tmcnet.com/
  3. Official Licensed Content Provided by EnCase to EC-Council
  4. Module Objective. This module will familiarize you with: • Evidence Files • Verifying the File's Integrity • Hashing • Configuring EnCase • Searching • Bookmarks • Viewing the Recovered Files • Master Boot Record • NTFS Starting Point • Hash Values • Signature Analysis • Email Recovery
  5. Module Flow: Evidence File → Verifying the File's Integrity → Hashing → Configuring EnCase → Searching → Bookmarks → Viewing the Recovered Files → Master Boot Record → NTFS Starting Point → Hash Values → Signature Analysis → E-mail Recovery
  6. Evidence File. The evidence file is the core component in EnCase. It can be referred to as a forensic image file and is widely known throughout the law enforcement and computer security industries. It consists of: • Header • Checksum • Data blocks • Footer
  7. Verifying Evidence Files. After burning the discs, run Verify Evidence Files on each disc to confirm that the burn completed and that each evidence file segment is intact.
  8. Evidence File Format. Each evidence file is an exact, sector-by-sector copy of a floppy or hard disk. Each block of sectors (64 sectors per block) is protected by a 32-bit CRC, so any accidental corruption of the evidence file after acquisition is detected and localized to a block. The CRC alone is not tamper evidence, since anyone who can alter the data can recompute it; tamper detection rests on the acquisition hash described under Hashing. EnCase can compress the image, reducing a large disk by up to about 50% of its size.
  9. Verifying the Evidence File Integrity. Whenever an evidence file is added to the case, EnCase begins verifying it in the background: every block's CRC is recomputed and the image data is re-hashed and compared with the hash recorded at acquisition. A mismatch indicates that the evidence file is corrupt (e.g., bad sectors on the media it was stored on) or has been altered.
 10. Hashing. EnCase calculates an MD5 hash of the data when it acquires a physical drive or logical drive. The hash is stored in the evidence file and compared with a re-hash of the image during verification to prove that the copy is unchanged.
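The interplay of per-block CRCs and the acquisition hash, as an added example in Python (not EnCase code, and not the EWF on-disk format). The 64-sector block size, the use of zlib's CRC-32 and the shape of the "acquisition record" are assumptions for illustration; the sample image is constructed inline. The example also shows why the CRC alone is not tamper evidence: a tampered image with recomputed CRCs passes the block check but still fails the hash.

```python
"""Added example (not EnCase code): block CRCs plus an acquisition hash.

- A CRC-32 per 64-sector block (32 KiB) localizes corruption to a block.
- An MD5 (and SHA-256) over the whole image detects any change at all.
Block size and record layout are assumptions, not the EWF format.
"""
import hashlib
import zlib

SECTOR = 512
SECTORS_PER_BLOCK = 64          # assumption: EnCase-style 64-sector blocks
BLOCK = SECTOR * SECTORS_PER_BLOCK


def acquire(image: bytes) -> dict:
    """Simulate acquisition: per-block CRC-32 table plus image-wide hashes."""
    crcs = [zlib.crc32(image[i:i + BLOCK]) & 0xFFFFFFFF
            for i in range(0, len(image), BLOCK)]
    return {
        "size": len(image),
        "crcs": crcs,
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify(image: bytes, record: dict) -> dict:
    """Re-hash the image and recompute CRCs; report what failed and where."""
    bad_blocks = []
    for n, expected in enumerate(record["crcs"]):
        chunk = image[n * BLOCK:(n + 1) * BLOCK]
        if zlib.crc32(chunk) & 0xFFFFFFFF != expected:
            bad_blocks.append(n)
    return {
        "size_ok": len(image) == record["size"],
        "md5_ok": hashlib.md5(image).hexdigest() == record["md5"],
        "sha256_ok": hashlib.sha256(image).hexdigest() == record["sha256"],
        "bad_blocks": bad_blocks,              # block index, 64 sectors each
        "bad_sectors": [(b * SECTORS_PER_BLOCK, (b + 1) * SECTORS_PER_BLOCK - 1)
                        for b in bad_blocks],  # physical sector range per block
    }


def forge_crc(image: bytes, record: dict) -> dict:
    """An attacker who can edit the evidence file can also recompute the block
    CRCs. The recorded hash still fails unless it is replaced as well."""
    forged = dict(record)
    forged["crcs"] = acquire(image)["crcs"]
    return forged


# Constructed sample image: 4 blocks (256 sectors) of deterministic filler.
SAMPLE_IMAGE = bytes((i * 7919 + 13) & 0xFF for i in range(4 * BLOCK))
RECORD = acquire(SAMPLE_IMAGE)


def demo() -> tuple:
    """Clean verify, a one-bit change in block 2, and a CRC-forged copy."""
    clean = verify(SAMPLE_IMAGE, RECORD)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[2 * BLOCK + 100] ^= 0x01          # flip one bit in block 2
    tampered = bytes(tampered)
    corrupt = verify(tampered, RECORD)
    forged = verify(tampered, forge_crc(tampered, RECORD))
    return clean, corrupt, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "corrupt", "crc-forged"), demo()):
        print(label, "md5_ok=%s" % result["md5_ok"],
              "bad_blocks=%s" % result["bad_blocks"],
              "bad_sectors=%s" % result["bad_sectors"])
```

The corrupt run reports block 2 (physical sectors 128 to 191) and a failed hash; the forged run reports no bad blocks but still a failed hash, which is the check an examiner relies on.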
 11. Acquiring Image. Click File -> Add Raw Images to acquire images. To acquire a USB image, the USB drive should not be connected to the forensic computer before it boots, so that the operating system does not mount and write to it during startup; attach it through a write blocker where one is available. Select the device type to make an image.
 12. Configuring EnCase. Click Tools > Options to configure the various EnCase settings.
 13. EnCase Options Screen (screenshot)
 14. EnCase Screens: Tree pane, Table pane, View pane, Filter pane
 15. View Menu. Various utilities can be launched from the View menu.
 16. Device Tab. The Device tab shows information about the currently selected device.
 17. Viewing Files and Folders (screenshot: files and folders)
 18. Bottom Pane (screenshot)
 19. Viewers in View Pane: Text, Hex, Doc, Transcript, Picture, Report, Console, Details
 20. Status Bar (screenshot)
 21. Status Bar (cont'd). The status bar provides the sector details for the selected data: • PS – physical sector number • LS – logical sector number (relative to the volume) • CL – cluster number • SO – sector offset (byte offset within the sector) • FO – file offset • LE – length of the selection
 22. Searching. EnCase provides powerful searching capabilities. Keyword searches can be performed at the logical level (file by file, following the file system) or at the physical level (byte by byte across the whole device, which also covers unallocated space and file slack).
 23. Searching (cont'd). EnCase has the following advanced search capabilities for finding information of investigative importance: • Concurrent search • Proximity search • Internet and email search • Email address search • GREP (Global Regular Expression Print) search • File finder. Search options include: • Case sensitive • GREP • RTL reading • Active code-page
 24. Keywords. Keywords must be added before you can start searching. They are saved in the keywords.ini file and are chosen according to what you are investigating. For example, you might add keywords such as: • kill, suicide, cheat, Swiss bank, San Francisco, etc.
 25. Keywords: Screenshot
 26. Adding Keywords. Right-click Keyword and select New.
 27. Grouping. Keywords can be grouped to organize the search terms: right-click in Keyword, select New Folder and type the folder's name.
 28. Add Multiple Keywords. Right-click the folder > Keyword list
 29. Starting the Search. Searches can be run over selected files/folders or the entire drive. Check the keywords to be searched for and click the Search button.
 30. Search Hits Tab. The Search Hits tab lists the search results.
 31. Search Hits (screenshot)
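A physical (byte-by-byte) keyword search that reports hits in the status-bar coordinates described above, as an added example in Python; it is not EnCase code and the search engine, the sample image and its geometry are constructed here. The volume start at physical sector 63, the data area starting at logical sector 2048 and 8 sectors per cluster are assumptions chosen for the example, not values read from a real boot sector. The keyword list mixes a case-insensitive literal, a case-sensitive literal and a GREP expression.

```python
"""Added example (not EnCase code): physical keyword/GREP search over a raw
image with EnCase-style PS/LS/CL/SO/LE locations for each hit.
Geometry constants are assumptions for the constructed image.
"""
import re
from dataclasses import dataclass

SECTOR = 512
VOLUME_START_PS = 63        # assumption: first partition begins at PS 63
DATA_START_LS = 2048        # assumption: first data sector (cluster 2)
SECTORS_PER_CLUSTER = 8     # assumption


@dataclass
class Hit:
    keyword: str
    offset: int      # byte offset in the image
    ps: int          # physical sector
    ls: int          # logical sector within the volume (-1 if outside it)
    cl: int          # cluster number (-1 if before the data area)
    so: int          # byte offset within the sector
    le: int          # length of the match
    context: bytes


def locate(offset: int, length: int, keyword: str, data: bytes) -> Hit:
    """Translate an image byte offset into sector/cluster coordinates."""
    ps, so = divmod(offset, SECTOR)
    ls = ps - VOLUME_START_PS if ps >= VOLUME_START_PS else -1
    cl = 2 + (ls - DATA_START_LS) // SECTORS_PER_CLUSTER if ls >= DATA_START_LS else -1
    start = max(0, offset - 8)
    return Hit(keyword, offset, ps, ls, cl, so, length, data[start:offset + length + 8])


def physical_search(image: bytes, keywords: list) -> list:
    """keywords: (term, is_grep, case_sensitive). Plain terms are escaped so
    they match literally; GREP terms are used as regular expressions.
    Searching raw bytes finds text in unallocated space and slack that a
    logical (file-level) search never sees."""
    hits = []
    for term, is_grep, case_sensitive in keywords:
        pattern = term if is_grep else re.escape(term)
        flags = 0 if case_sensitive else re.IGNORECASE
        for m in re.finditer(pattern.encode("latin-1"), image, flags):
            hits.append(locate(m.start(), m.end() - m.start(), term, image))
    return sorted(hits, key=lambda h: h.offset)


def put(buf: bytearray, offset: int, text: bytes) -> None:
    buf[offset:offset + len(text)] = text


def build_sample_image() -> bytes:
    """Constructed image: zeros, with text planted in three places."""
    img = bytearray(SECTOR * 4200)
    # Boot-sector area of the volume (logical sector 0) holds a hint.
    put(img, VOLUME_START_PS * SECTOR + 0x20, b"swiss bank account")
    # A 'file' in cluster 2 (first data cluster).
    put(img, (VOLUME_START_PS + DATA_START_LS) * SECTOR + 100, b"Meet in San Francisco")
    # Deleted-file remnant in cluster 5, mid-sector.
    put(img, (VOLUME_START_PS + DATA_START_LS + 3 * SECTORS_PER_CLUSTER) * SECTOR + 300,
        b"card 4111-1111-1111-1111 expires 12/27")
    return bytes(img)


KEYWORDS = [
    ("Swiss bank", False, False),                 # literal, case-insensitive
    ("San Francisco", False, True),               # literal, case-sensitive
    (r"\d{4}-\d{4}-\d{4}-\d{4}", True, True),    # GREP: card-number shape
]


def run() -> list:
    return physical_search(build_sample_image(), KEYWORDS)


if __name__ == "__main__":
    for h in run():
        print(f"{h.keyword!r:32} PS {h.ps:<6} LS {h.ls:<6} CL {h.cl:<4} "
              f"SO {h.so:<4} LE {h.le}  {h.context!r}")
```

The first hit lands in the volume's boot sector (LS 0, no cluster), the second in cluster 2, and the GREP hit in cluster 5 at sector offset 305, the same numbers the status bar would show after clicking a search hit.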
 32. Bookmarks. EnCase allows files, folders, or sections of a file to be bookmarked for easy reference. Click View > Cases Sub-Tabs > Bookmark
 33. Creating Bookmarks. Bookmark folders are created by clicking 'New Folder' in the right-click menu.
 34. Adding Bookmarks. Right-click any file > Bookmark Data
 35. Bookmarking Selected Data. Highlight the text and select Bookmark Data.
 36. Recovering Deleted Files/Folders in a FAT Partition. Right-click the FAT drive and select Recover Folders.
 37. Recovering Deleted Files/Folders in a FAT Partition (cont'd) (screenshot)
 38. Viewing Recovered Files. Select the Recovered Folders entry to view the deleted files/folders.
 39. Recovering Folders in NTFS. EnCase searches the volume's unallocated clusters for remnants of Master File Table (MFT) records and rebuilds the files/folders they describe. Use the same method as for a FAT volume. This process can be slow: roughly 60 minutes for a 100 GB hard drive.
 40. Recovering Folders in NTFS (cont'd). Right-click the volume and select Recover Folders. Choose OK to begin the search for NTFS folders.
 41. Master Boot Record. The Master Boot Record (MBR) resides in the first sector of the disk (sector 0). The partition table starts at sector offset 446 (SO 446) and is 64 bytes long (LE 64): four entries of 16 bytes each. The table is followed by the two-byte boot signature 55 AA at offset 510, which ends the 512-byte sector.
 42. Master Boot Record (cont'd). Select the 64 bytes at SO 446 (LE 64), right-click and select Bookmark. Select Windows > Partition Entry and enter a name for the bookmark.
 43. Bookmark Data: partition table (screenshot)
 44. NTFS Starting Point (screenshot)
 45. Viewing Disk Geometry. Highlight the case and click Report in the bottom View pane.
 46. Recovering Deleted Partitions. Two ways to check for deleted partitions: • Search the unused disk area for the OEM name string a volume boot sector carries: MSWIN4.1 (FAT partition formatted by Windows) or NTFS (NTFS partition). • Look manually at the end of the first volume, where the next partition's boot sector would have started.
 47. Recovering Deleted Partitions (cont'd). To remove a partition that was added incorrectly, right-click it and choose the delete option. To recover a lost partition, right-click the area to recover and select Add Partition.
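The MBR layout and the boot-sector scan from the last few slides, as an added example in Python (not EnCase code). It parses the four 16-byte entries at offset 446, checks the 55 AA signature, and then scans every sector not covered by a live table entry for a boot sector whose OEM name field (byte 3) reads MSWIN4.1 or NTFS and that ends in 55 AA. The disk is constructed inline: one FAT32 partition in the table and an NTFS partition whose table slot has been zeroed but whose boot sector is still on disk, directly after the first volume's end.

```python
"""Added example (not EnCase code): parse the MBR partition table and scan
unused sectors for boot sectors of deleted partitions.
Layout facts: table at byte 446 of sector 0, four 16-byte entries, boot
signature 55 AA at byte 510; FAT/NTFS boot sectors carry an OEM name at
byte 3 and also end in 55 AA. The sample disk is constructed.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446
ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sectors - 1


def parse_mbr(sector0: bytes) -> list:
    """Return the in-use entries of the MBR partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIG:
        raise ValueError("not an MBR: missing 55 AA boot signature")
    entries = []
    for i in range(4):
        raw = sector0[TABLE_OFFSET + i * ENTRY_LEN: TABLE_OFFSET + (i + 1) * ENTRY_LEN]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs0, ptype, _chs1, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0 or count == 0:
            continue                      # empty slot (or a deleted partition)
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def find_lost_boot_sectors(disk: bytes, table: list) -> list:
    """Scan sectors not covered by any table entry for FAT/NTFS boot sectors.
    Sector 0 (the MBR) is skipped; a hit is (physical sector, OEM name)."""
    covered = [(p.start_lba, p.end_lba) for p in table]
    hits = []
    for ps in range(1, len(disk) // SECTOR):
        if any(lo <= ps <= hi for lo, hi in covered):
            continue
        sec = disk[ps * SECTOR:(ps + 1) * SECTOR]
        if sec[510:512] != BOOT_SIG:
            continue
        oem = sec[3:11]
        if oem == b"NTFS    " or oem.startswith(b"MSWIN4"):
            hits.append((ps, oem.decode("ascii").rstrip()))
    return hits


def make_entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\xff\xff\xff",
                       ptype, b"\xff\xff\xff", lba, count)


def build_sample_disk() -> bytes:
    """Constructed 4096-sector disk: FAT32 partition at LBA 63 (2000 sectors)
    and an NTFS partition at LBA 2063 whose table slot was zeroed (deleted)
    but whose boot sector still sits on disk."""
    disk = bytearray(SECTOR * 4096)
    mbr = bytearray(SECTOR)
    mbr[TABLE_OFFSET:TABLE_OFFSET + ENTRY_LEN] = make_entry(True, 0x0C, 63, 2000)
    # slot 1 left as zeros: the deleted NTFS partition
    mbr[510:512] = BOOT_SIG
    disk[0:SECTOR] = mbr
    # FAT32 boot sector of partition 1
    disk[63 * SECTOR + 3:63 * SECTOR + 11] = b"MSWIN4.1"
    disk[63 * SECTOR + 510:63 * SECTOR + 512] = BOOT_SIG
    # orphaned NTFS boot sector directly after the first volume's end
    disk[2063 * SECTOR + 3:2063 * SECTOR + 11] = b"NTFS    "
    disk[2063 * SECTOR + 510:2063 * SECTOR + 512] = BOOT_SIG
    return bytes(disk)


def recover(disk: bytes) -> tuple:
    table = parse_mbr(disk[:SECTOR])
    return table, find_lost_boot_sectors(disk, table)


if __name__ == "__main__":
    table, lost = recover(build_sample_disk())
    for p in table:
        print(f"entry {p.index}: type 0x{p.type_id:02X} LBA {p.start_lba}-{p.end_lba}")
    for ps, oem in lost:
        print(f"possible deleted partition: boot sector at PS {ps} (OEM {oem!r})")
```

The table yields one entry (LBA 63 to 2062) and the scan reports an NTFS boot sector at PS 2063, the candidate you would then right-click and Add Partition on. A real disk will also turn up stale boot sectors from earlier formats, so check the BPB values (sectors per cluster, total sectors) before trusting a hit.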
 48. Hash Values
 49. Creating Hash Sets. Select the files to be included in the hash set, then right-click > Create Hash Set.
 50. MD5 Hash. EnCase can create a hash value (digital fingerprint) for any file in the case, using the 128-bit MD5 algorithm. Hash sets are collections of file hashes (for example known operating-system files to exclude from review, or known contraband to flag). The chance that two different files produce the same MD5 value by accident is about 1 in 2^128, which is negligible in practice. Deliberate MD5 collisions can be manufactured, however, so a hash match is only as trustworthy as the hash set it came from, and current practice is to record a second hash (SHA-1 or SHA-256) alongside MD5.
 51. Creating Hashes. Click Search > select Compute hash value. This creates a hash for every allocated file.
 52. Viewers. EnCase can use external viewers to view files. A viewer always works on a copy of the file written to the temporary folder, never on the evidence file itself. EnCase uses the following viewers: • External viewer • Program registered in Windows • EnCase viewer • Timeline
 53. Viewers (cont'd). Click View > File Viewers, create a new viewer and enter the application path.
 54. Signature Analysis. ISO and ITU work to standardize the types of electronic data. For the standardized file types, a signature (header) is stored along with the data, and applications use that header to parse the data correctly. Comparing a file's signature with its extension identifies the real type even when the extension has been renamed. Example: jennifer.exe → jennifer.dll (note that .exe and .dll are both PE images with the same MZ signature, so this rename is caught by the file's hash rather than its signature; signature analysis reports a mismatch when the content type differs from the extension, e.g., a JPEG renamed to .dll).
 55. Signature Analysis (cont'd). Select View menu > File Signatures.
 56. Signature Analysis (cont'd). Signature analysis is run as part of a search: check Verify file signatures in the Search dialog.
 57. Viewing the Results (screenshot)
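Hash sets (slides 49 to 51) and signature analysis (slides 54 to 57) together, as an added example in Python that is not EnCase code. It builds a "known good" and a "known bad" hash set from constructed files, hashes every file in a constructed evidence set with MD5 (and SHA-256, an addition beyond the module), and compares each file's leading bytes with the type its extension claims. The signature table is a small subset of real magic bytes and the verdict names are assumptions modelled on EnCase's match / alias / bad-signature outcomes; in practice hash sets come from a trusted source such as NSRL.

```python
"""Added example (not EnCase code): file triage with a hash set plus
signature analysis. Files, hash sets and the signature table are constructed.
"""
import hashlib
from typing import Optional

# Magic-byte table (assumption: a small subset of real signatures).
SIGNATURES = {
    "pe":   (b"MZ", {"exe", "dll", "sys"}),
    "jpeg": (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    "png":  (b"\x89PNG\r\n\x1a\n", {"png"}),
    "pdf":  (b"%PDF-", {"pdf"}),
    "zip":  (b"PK\x03\x04", {"zip", "docx", "xlsx"}),
}


def identify(data: bytes) -> Optional[str]:
    """Return the signature name whose magic bytes start the file, if any."""
    for name, (magic, _exts) in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def signature_status(filename: str, data: bytes) -> str:
    """'match': content agrees with the extension; 'bad signature': the
    extension claims a known type but the content is another known type;
    'alias': known content, extension not in its list; 'unknown': no
    recognized header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sig = identify(data)
    if sig is None:
        return "unknown"
    if ext in SIGNATURES[sig][1]:
        return "match"
    claimed = [n for n, (_m, exts) in SIGNATURES.items() if ext in exts]
    return "bad signature" if claimed else "alias"


def file_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def create_hash_set(files: dict) -> set:
    """Build a hash set (MD5 values) from the selected files."""
    return {file_hashes(d)["md5"] for d in files.values()}


def triage(files: dict, known_good: set, known_bad: set) -> dict:
    out = {}
    for name, data in files.items():
        h = file_hashes(data)
        if h["md5"] in known_bad:
            verdict = "notable"       # flag for the report
        elif h["md5"] in known_good:
            verdict = "known"         # safe to exclude from review
        else:
            verdict = "review"
        out[name] = {"verdict": verdict, "signature": signature_status(name, data), **h}
    return out


# Constructed sample evidence: header bytes plus filler.
SAMPLE_FILES = {
    "notepad.exe":  b"MZ\x90\x00" + b"\x00" * 60,
    "jennifer.dll": b"MZ\x90\x00" + b"\x00" * 60,       # renamed copy of notepad.exe
    "holiday.jpg":  b"\xff\xd8\xff\xe0" + b"JFIF" * 8,
    "report.dll":   b"\xff\xd8\xff\xe0" + b"JFIF" * 9,  # a JPEG hiding as a DLL
    "stash.zip":    b"PK\x03\x04" + b"\x00" * 30,
    "notes.txt":    b"plain text, no magic",
}
KNOWN_GOOD = create_hash_set({"notepad.exe": SAMPLE_FILES["notepad.exe"]})
KNOWN_BAD = create_hash_set({"stash.zip": SAMPLE_FILES["stash.zip"]})


def run() -> dict:
    return triage(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD)


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:14} {r['verdict']:8} {r['signature']:14} md5={r['md5']}")
```

jennifer.dll is identified by its hash (same MD5 as the known notepad.exe) while its signature still reads as a valid PE; report.dll is the case signature analysis exists for, a JPEG carrying an executable's extension.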
 58. Copy/UnErase Files or Folders. EnCase can recover and export ("unerase") files byte for byte. Right-click a file/folder > select Copy/UnErase.
 59. E-mail Recovery. The default path for Outlook Express 5/6 in Windows XP is: Documents and Settings\[username]\Local Settings\Application Data\Identities\[userid]\Microsoft\Outlook Express. The message store holds one file per mail folder: • Inbox • Outbox • Sent Items • Deleted Items • Drafts. (Outlook Express 5/6 stores these as .dbx files; the .mbx extension belongs to the older Outlook Express 4 store.) View the above files in EnCase.
 60. Reporting. The final stage of the forensic analysis is reporting. The report must be easy to understand and cover the evidence in depth. Click Report in the Bookmarks menu.
 61. Final Report (screenshot)
 62. IE Cache Images (screenshot)
 63. Summary. The evidence file is the core component in EnCase. Each evidence file is an exact, sector-by-sector copy of a floppy or hard disk. EnCase calculates an MD5 hash when it acquires a physical or logical drive. EnCase provides powerful searching capabilities. EnCase allows files, folders, or sections of a file to be bookmarked for easy reference. EnCase searches unallocated clusters for remnants of Master File Table (MFT) records to recover files/folders. EnCase can create a hash value (digital fingerprint) for any file in the case.
