SlideShare a Scribd company logo

Advanced Computer ForensicsWindows EnCase Forensics LabDue d.docx

Download as DOCX, PDF
G
galerussel59292

Advanced Computer Forensics Windows EnCase Forensics Lab Due date: Please submit your work to Windows EnCase Lab dropbox by July 2nd, 2013. Lab Setup for using RLES vCloud This lab is designed to function on the RLES vCloud. The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT. If you did the Linux forensics lab on RLES vCloud, you should have created a vApp with the Linux VMware image. If you did not use the RLES vCloud for your first lab, please follow the instruction described in the Linux Forensics Lab to create a vApp. Now, you will add the vApp template, Windows 7 w/FTK 7 EnCase image, from the Public Catalogs to the same vApp following the instruction of Add Virtual Machines to a vApp (Page 8 in RLES vCloud User Guide) with the following setting: · Set network to be Net_Network · Select DHCP to create an IP address (when you use DHCP, fencing option is NOT necessary.) Note: If you get an error when trying to start a vApp (or a VM within a vApp), try these steps: 1. Open up your vApp and click on the Virtual Machines tab.  Right-click your VM and choose "Properties". 2. Click on the Hardware tab.  At the bottom of the page, click on the MAC address and choose "Reset". 3. Click OK.  When it asks if you want to enable guest customization, click No. 4. Give it a minute to update your VM, then try starting it. Power on the Windows Virtual machine and login to the system with: Username: Student Password: student EnCase 7 is installed on the virtual machine. When you start the EnCase application, you should see “EnCase Forensic (not Acquisition)” on the top of the application. EnCase 7 Tutorial · The EnCase Forensics V7 User Guide posted in myCourses under Hands-on Labs. · EnCase 7 Essentials webinar series at http://www.encaseondemand.com/EnCasev7Essentials/tabid/2617/index.aspx The following image files will be used for this lab and they are located in the local drive E:\ 1) WinLabRaw.img – Raw Image from dd 2) WinLabEnCase.E01 -- EnCase evidence file Note: “WinLabEnCase Image” in this documentation = “Lab5 image” in your EnCase image. PART I: Familiar with EnCase Exercise 1: Starting a New Case Launch EnCase for Windows – make sure that you are in the EnCase forensics mode (on the top of the software, you should see EnCase Forensic Training, NOT acquisition mode.) Click the “New Case” button under CASE FILE to begin a new case. Use the #1 Basic Template and name the case “Case 1” Record the defaults that EnCase gives you for its folders. It is safe to use these defaults in our experiments. Add a Raw Image to the exist case You can add a raw disk image, for example, the dd image, to your case. Click EVIDENCE > Add Evidence, then click Add Raw Image Enter “WinLabRaw Image” in the “Name” field. Under “Image Type” choose “Disk” and click “OK”. Under Component Files, click New, locate and select the “WinLabRaw.img” file from E:\ The image will now be added to your case. Double clic.

Education
1 of 14
Advanced Computer Forensics Windows EnCase Forensics Lab Due date: Please submit your work to Windows EnCase Lab dropbox by July 2nd, 2013. Lab Setup for using RLES vCloud This lab is designed to function on the RLES vCloud. The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT. If you did the Linux forensics lab on RLES vCloud, you should have created a vApp with the Linux VMware image. If you did not use the RLES vCloud for your first lab, please follow the instruction described in the Linux Forensics Lab to create a vApp. Now, you will add the vApp template, Windows 7 w/FTK 7 EnCase image, from the Public Catalogs to the same vApp following the instruction of Add Virtual Machines to a vApp (Page 8 in RLES vCloud User Guide) with the following setting: · Set network to be Net_Network · Select DHCP to create an IP address (when you use DHCP, fencing option is NOT necessary.) Note: If you get an error when trying to start a vApp (or a VM within a vApp), try these steps: 1. Open up your vApp and click on the Virtual Machines tab. Right-click your VM and choose "Properties". 2. Click on the Hardware tab. At the bottom of the page, click on the MAC address and choose "Reset". 3. Click OK. When it asks if you want to enable guest customization, click No.
4. Give it a minute to update your VM, then try starting it. Power on the Windows Virtual machine and login to the system with: Username: Student Password: student EnCase 7 is installed on the virtual machine. When you start the EnCase application, you should see “EnCase Forensic (not Acquisition)” on the top of the application. EnCase 7 Tutorial · The EnCase Forensics V7 User Guide posted in myCourses under Hands-on Labs. · EnCase 7 Essentials webinar series at http://www.encaseondemand.com/EnCasev7Essentials/tabid/261 7/index.aspx The following image files will be used for this lab and they are located in the local drive E: 1) WinLabRaw.img – Raw Image from dd 2) WinLabEnCase.E01 -- EnCase evidence file Note: “WinLabEnCase Image” in this documentation = “Lab5 image” in your EnCase image. PART I: Familiar with EnCase Exercise 1: Starting a New Case Launch EnCase for Windows – make sure that you are in the EnCase forensics mode (on the top of the software, you should see EnCase Forensic Training, NOT acquisition mode.) Click the “New Case” button under CASE FILE to begin a new
case. Use the #1 Basic Template and name the case “Case 1” Record the defaults that EnCase gives you for its folders. It is safe to use these defaults in our experiments. Add a Raw Image to the exist case You can add a raw disk image, for example, the dd image, to your case. Click EVIDENCE > Add Evidence, then click Add Raw Image Enter “WinLabRaw Image” in the “Name” field. Under “Image Type” choose “Disk” and click “OK”. Under Component Files, click New, locate and select the “WinLabRaw.img” file from E: The image will now be added to your case. Double click on the hyperlink of WinLbRaw Image, you will be able to view the files and folders from the image. Question 1: What is the file system of this raw Image? (Hint: 1. Check “report” from the bottom pane OR 2. choose “Disk View…” from the top drop-down disk manual, then click the first sector (in red), the volume boot, and read the text in the bottom pane.) Question 2: What is the first character (in Hex) of the filename of a deleted file (check week 6 lecture recording)? Add the EnCase Image, WinLabEnCase.E01 located at E:, to
the exist case via EnCase’s “Add Evidence” from the top menu, choose Add Evidence File… Question 3: What type of files can be added using EnCase’s “Add Evidence Files” Now you have two evidences added into the case. You can view either one by selecting View->Evidence from the top View menu. Exercise 2: Using Encase Set the Time Zone EnCase v7 will utilize the time zone setting of your examiner workstation if no time zone is set for the evidence. When you acquire a computer as evidence it is important to make note of the computer’s time and time zone, especially if you need to correlate evidence from different time zones (never assume the time or time zone on a computer is correct.) Question 4: Where does the Time Zone information reside in a Windows system? (Hint: See EnCase 7 User guide, page 122 or watch Processing Evidence Part 1 from http://www.encaseondemand.com/EnCasev7Essentials/tabid/261 7/index.aspx). Before starting the evidence analysis, you should verify that time zone settings for the evidence are configured properly and modify the time zone setting if necessary. In our case, since we did not include the complete Windows’ image, let’s assume the computer’s time zone is North American Eastern Time Zone time zone. Verify the time zone setting by opening the WinLabEnCase image and selecting “Device -> Modify Time Zone Settings”. Question 5: How do you modify Time Zone Settings, show a
screen shot below.Now that you have the evidence added and the time zone set, you can analyze the evidence. Timeline View The Timeline view gives you a graphical overview of file creation, modification and access times and dates in a calendar view. It allows you to look for patterns. Green Select the WinLabEnCase Image and click on the Timeline tab in the Views pane. The timeline view can be zoomed from a yearly view to a minute-by-minute view using Higher Resolution button and Lower Resolution button. The colored dots represent activity on a particular file. The legend for the colors can be found by clicking “Options” button from the top menu. Question 6: Why is Timeline View useful for your investigation?Gallery View The Gallery view allows you to quickly see all the pictures in the case. Now let’s switch to the WinLabRaw image by View -> Evidence then open the WinLabRaw Image. Green select “WinLab Raw image”, in the Views pane, select the Gallery tab. You will now see all of the pictures contained in the WinLabRaw Image. The Gallery view displays graphics files based on file extension. Question 7: In the Raw Image, how many pictures are shown in Gallery View?Process the Evidence (watch Processing Evidence Part 2 from http://www.encaseondemand.com/EnCasev7Essentials/tabid/261 7/index.aspx)
Select Process Evidence… from the Add Evidence menu. Click the Process check box for the evidences that you intend to run through the Evidence Processor. The Evidence Processor Task list is shown at the bottom pane. You have the freedom to enable the tasks to run. For example, you may want to run certain tasks in the beginning, such as file signature and hash analysis, then later add other options, such as parsing compound files. However, you have to run certain tasks at a particular time. For example, you must run Recover Folders in the initial processing step. Tasks you must run in a specific step are marked with a red flag icon. Note: If a task name is listed in a blue font, click on its task name to configure it. If a task name is listed in a black font, no further configuration is necessary Select the WinLabRaw Image, enable the top five tasks and run the evidence processor. Recover folders. Recover Folders will recover all deleted folders. Note: For this image, you may not see anything interesting. Question 8: Read the EnCase manual to find out how Recover- Folders recover deleted folders for FAT and NTFS file systems respectively? File Signature Analysis A file type (JPEG, Word Document, MP3 file) can be determined by the file’s extension and by a header that precedes the data in the file. If a file’s extension has been changed, then the only way to determine its type is by looking at its header. Encase has a list of known file extensions and headers that it
uses to identify files. From the “View” menu select “File Types” to see the list of file types. Question 9: What information is listed for each file type? Question 10: What can an investigator do if the header of a file is unknown in your current setting of the EnCase? When EnCase finished the file signature analysis. Select the WinLabRaw Image and take a look at the “Signature Analysis” and “Signature” Columns in the “Table” view. Question 11: What different terms you see in the Signature Analysis column? Question 12: Do you find any signature mismatch? List them. Examine the WinLabRaw image in the gallery view again. Question 13: Are there any graphics files on the WinLabRaw image whose file extensions have been changed? List them. Question 14: If a file’s extension has been changed to a non- graphics file type (such as changing jpg to txt), will it be displayed in the Gallery view? If not, what could you do to fix this? Hash Analysis A hash is a digital fingerprint of a file or collection of data. EnCase uses the MD5 (and/or SHA1) algorithm to create hash(s) or “digital fingerprint” of a file. The Evidence Processor’s Hash Analysis that we have run earlier has created the MD5 and SHA-1 hash values for the Raw image.
Check the “WinLabRaw Image” evidence in the table view, and make sure that the hash columns are filled. Question 15: What are the types of files that will not have a hash generated? Question 16: What are the three most common uses for hashes analysis? Compound Files Compound files are files with multiple layers and/or metadata such as Outlook Express email folders (.dbx), registry files, or OLE files. In EnCase 7, you have several ways to expand the compound files. You can run the EnCase Evidence Processor on the EnCase image, select Expand compound files to expand all achieves and registry files OR you can expand the individual compound file. Here we will try the second method by only expanding the individual compound file. Let’s look at the NTUSER.DAT registry file from WinLabEncase image. View -> Evidence and click on WinLabEncase image, In the Table view locate the file “Documents and SettingsPSMITHNTUSER.DAT” and expand the EnCase image to find the “Documents and SettingsPSMITHNTUSER.DAT” file by right click the file and choose Entries -> View File Structures. (Note: other registry files exist in C:windowssystem32config folder. They are not included in this image.) Double click on NTUSER.DAT
Question 17: Did anything happen? Do you find any important information? If so, what kind of information you got? Searching for Email (See Email from the EnCase V7 Essential webinar) EnCase can search various types of email artifacts including Outlook (2000/2003), Outlook Express, Exchange, Lotus Notes, AOL and Thunderbird’s MBOX. Select Process Evidence… from the Add Evidence menu. Select the WinLabEnCase image from the Evidence Process, and ONLY check Find Email (uncheck other tasks). Double click on “Find Email” and check Search for Additional Lost or Deleted Items box for a search for deleted e-mails. Click OK to run the processor. The processed e-mail will be found under the Records view. A list of processed e-mail archives will be displayed under the Email Folder. To open an e-mail archive, click on the hyperlink of the name of the archive Question 18: What interesting information do you see from emails? EnCase v7 also supports two forms of e-mail threading analysis, Conversations and Related messages. Double click on Deleted Items.dbx. In the Records tab, from the Find related items menu, click Show related messages button. Question 19: Read EnCase Forenscis V7 User Guide (page 208),
briefly describe what are these features. Question 20: Under the Records view, you should also see Thumbnails under WinLabRaw Image, what are thumbnails? List three of them.Searching for Internet Artifacts (Processed Evidence Results Part 2) Internet history contains rich evidences. EnCase will collect Internet-related artifacts, such as browser histories and cached web pages. You also have the option to search unallocated space for the Internet artifacts. Select Process Evidence… from the Add Evidence menu. Select the WinLabEnCase image from the Evidence Process, and check Find internet artifacts. Double click the Find internet artifacts hyperlink and choose “search unallocated space for internet artifacts” and run the processor. The processed internet artifacts will be found under the Records view. Select the Internet folder of Records and then click on the Internet hyperlink. Question 21: What kind of information do you see in the record for Internet? Question 22: How does “search unallocated space for internet artifacts” affect your search results in the record? Searching in EnCase v7 There are three principal methods of searching through evidence in EnCase v7: · Index searches – Evidence data is indexed prior to searching
· Raw searches – Searches based on non-indexed, raw data · Tag searches – Searches based on user-defined tags Generating an index can take time, however, the trade-off in time spent creating the index yields a greater payoff with near instantaneous search times. Using EnCase indexing search (Viewing Index and Search Results Part 1) Text indexing allows you to quickly query the transcript of entries. Creating an index builds a list of words from the contents of an evidence file that contain pointers to their occurrence in the file. Two steps are involved in using the index: Generating an index and Searching an Index. Select Process Evidence… from the Add Evidence menu. Select the WinLabEnCase image from the Evidence Process, and check “Index Text And MetaData” and only set index slack and Unallocated, then click OK to run the processor. To search an index, first open the search tab by clicking “View” -> Search, then click on Index button. Type “search” in the index space and hit the run button (a green arrow at the same line of the Index button). The search result is shown in the table view. You can read the file by right-click on the tile and choose Go to file, then view the content at the low pane by choose text, Doc, Transcript or Picture depending on the file type. Question 23: What are the results?List 2 files that contain the term “search” in their contents. Searching for Keywords This option runs a raw keyword search during the processing. You can either use Evidence Process Search for Keywords
before analysis or the Raw Keyword search function outside the Evidence Processor during analysis. Let’s try the keyword search outside the Evidence Processor. Click “View” -> “Evidence”, then click Raw Search All top- down menu and choose New Raw Search All… Use “New” to add a single keyword, “microsoft” (no quotes). Under Search Option, add the Unicode in addition to the default ANSI Latin-1 If you have multiple keywords to add at once, you can use “Add Keyword List” to add them. Now use “Add Keyword List” to add in the following keywords: computer this Again, under Search Option, add the Unicode in addition to the default ANSI Latin-1 Choose “Search entry slack” from the top checkboxes. Questions 24: What are the other search options besides “Search entry slack”? Click “Run…” under Raw Search All When the search is done, to view the search results, let’s go to the View keywords hits (the yellow key symbol) sub-tab of Search tab. In the keywords tree pane, we will see all the keywords we created. To see the result of any keyword, simply click on the keyword.
Question 25: What do you see from Search Hits? List two files from the search hits. Bookmarks and Tags Bookmarks allow you to mark folders, files, search results, or parts of a file for later reference and for inclusion in reports. Bookmarking in Evidence View Go to the “WinLabRaw Image” evidence, click on the “Gallery”, blue-check the additional images that you identified after “Signature Analysis”. Use the Bookmark drop-down menu to create bookmarks for the selected entry (or entries) by selecting Single item…. Or Selected items… (for multiple entries). Place the evidence bookmarks in the appropriate folder of your case report template or you can create a new folder. To view the bookmarking you created: “view” -> Bookmarks Action 26: Include a screenshot of the bookmarks you created in the Bookmarks tab. Tags The EnCase v7 tagging feature allows you to mark evidence items from Records, Evidence, or Bookmarks for review. You can use the default tags created by EnCase or define your own tags. Tags tab can be found from the Records, Evidence, or Bookmark tabs, Let’s create a tag and then tag the two files from your keyword search exercise using this tag. Go to the evidence that contains these two suspicious files. Click “Tags” -> Manage tags…. , then create a tag named Suspicious Files, displayed as “Files” in Red color (right-click
the Background Color and choose edit). Select and blue check these two suspicious files, then use “Tags -> Tag selected items…” to tag them using the “Files” tag. The tag should be shown in the Table view of the “Tag” column. Action 27: Show the tagged Files in the Table view. Question 28: What is the “One-click tagging” feature (see EnCase User Guide, page 234)? Action 29: Finally, go back Process Evidence… from the Add Evidence menu. Selected the WinlabEnCase image, expend Modules, and choose one function from Modules and include your results below. PAGE 1 Advanced Computer Forensics - EnCase

Recommended

R&D on PVS-Studio
R&D on PVS-StudioR&D on PVS-Studio
R&D on PVS-Studio
PVS-Studio
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
evonnehoggarth79783
 
War of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlowWar of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlow
PVS-Studio
 
You can now use PVS-Studio with Visual Studio absent; just give it the prepro...
You can now use PVS-Studio with Visual Studio absent; just give it the prepro...You can now use PVS-Studio with Visual Studio absent; just give it the prepro...
You can now use PVS-Studio with Visual Studio absent; just give it the prepro...
Andrey Karpov
 
Database Management Assignment Help
Database Management Assignment Help Database Management Assignment Help
Database Management Assignment Help
Database Homework Help
 
Tutorial_Tricentis_Tosca_Testsuite.pdf
Tutorial_Tricentis_Tosca_Testsuite.pdfTutorial_Tricentis_Tosca_Testsuite.pdf
Tutorial_Tricentis_Tosca_Testsuite.pdf
AnithaMuthukumaran2
 
Windows FTK Forensics.pdf
Windows FTK Forensics.pdfWindows FTK Forensics.pdf
Windows FTK Forensics.pdf
ssusere6dc9d
 
Image Processing and Deep Learning (EEEM063) DIGITS Introd
Image Processing and Deep Learning (EEEM063) DIGITS IntrodImage Processing and Deep Learning (EEEM063) DIGITS Introd
Image Processing and Deep Learning (EEEM063) DIGITS Introd
MalikPinckney86
 

Recommended

R&D on PVS-Studio
R&D on PVS-StudioR&D on PVS-Studio
R&D on PVS-Studio
PVS-Studio
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
evonnehoggarth79783
 
War of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlowWar of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlow
PVS-Studio
 
You can now use PVS-Studio with Visual Studio absent; just give it the prepro...
You can now use PVS-Studio with Visual Studio absent; just give it the prepro...You can now use PVS-Studio with Visual Studio absent; just give it the prepro...
You can now use PVS-Studio with Visual Studio absent; just give it the prepro...
Andrey Karpov
 
Database Management Assignment Help
Database Management Assignment Help Database Management Assignment Help
Database Management Assignment Help
Database Homework Help
 
Tutorial_Tricentis_Tosca_Testsuite.pdf
Tutorial_Tricentis_Tosca_Testsuite.pdfTutorial_Tricentis_Tosca_Testsuite.pdf
Tutorial_Tricentis_Tosca_Testsuite.pdf
AnithaMuthukumaran2
 
Windows FTK Forensics.pdf
Windows FTK Forensics.pdfWindows FTK Forensics.pdf
Windows FTK Forensics.pdf
ssusere6dc9d
 
Image Processing and Deep Learning (EEEM063) DIGITS Introd
Image Processing and Deep Learning (EEEM063) DIGITS IntrodImage Processing and Deep Learning (EEEM063) DIGITS Introd
Image Processing and Deep Learning (EEEM063) DIGITS Introd
MalikPinckney86
 
html
htmlhtml
html
Michael Freire T
 
How java works
How java worksHow java works
How java works
RaxTonProduction
 
How java works
How java worksHow java works
How java works
thiruvenkatz
 
Integrating Maven with Eclipse
Integrating Maven with EclipseIntegrating Maven with Eclipse
Integrating Maven with Eclipse
Nikhil Bharati
 
Lab 1 Essay
Lab 1 EssayLab 1 Essay
Lab 1 Essay
Melissa Moore
 
Performance Analysis of Idle Programs
Performance Analysis of Idle ProgramsPerformance Analysis of Idle Programs
Performance Analysis of Idle Programs
greenwop
 
SessionCreatorHelp
SessionCreatorHelpSessionCreatorHelp
SessionCreatorHelp
Sven Finsterwalder
 
Nexteer Internship Technical Paper
Nexteer Internship Technical PaperNexteer Internship Technical Paper
Nexteer Internship Technical Paper
Ethan Williams
 
Designing A Project Using Java Programming
Designing A Project Using Java ProgrammingDesigning A Project Using Java Programming
Designing A Project Using Java Programming
Katy Allen
 
Memory profiler and garbage collector in C#
Memory profiler and garbage collector in C#Memory profiler and garbage collector in C#
Memory profiler and garbage collector in C#
Wipro
 
Hands On Intro to Node.js
Hands On Intro to Node.jsHands On Intro to Node.js
Hands On Intro to Node.js
Chris Cowan
 
Implementing xpages extension library
Implementing xpages extension libraryImplementing xpages extension library
Implementing xpages extension library
dominion
 
FTK report PART I Familiar with FTK ImagerBonus Exerc.docx
FTK report PART I Familiar with FTK ImagerBonus Exerc.docxFTK report PART I Familiar with FTK ImagerBonus Exerc.docx
FTK report PART I Familiar with FTK ImagerBonus Exerc.docx
budbarber38650
 
Maven: Managing Software Projects for Repeatable Results
Maven: Managing Software Projects for Repeatable ResultsMaven: Managing Software Projects for Repeatable Results
Maven: Managing Software Projects for Repeatable Results
Steve Keener
 
Installing d space on windows
Installing d space on windowsInstalling d space on windows
Installing d space on windows
Bibliounivbtn
 
Klarf View Users Guide
Klarf View Users GuideKlarf View Users Guide
Klarf View Users Guide
Stuart Riley
 
Prg 218 entire course
Prg 218 entire coursePrg 218 entire course
Prg 218 entire course
grades4u
 
Lesson 5 - Create Projects And Upload Files
Lesson 5 - Create Projects And Upload FilesLesson 5 - Create Projects And Upload Files
Lesson 5 - Create Projects And Upload Files
Informatica
 
Class 1 blog
Class 1 blogClass 1 blog
Class 1 blog
Narcisa Velez
 
Maven TestNg frame work (1) (1)
Maven TestNg frame work (1) (1)Maven TestNg frame work (1) (1)
Maven TestNg frame work (1) (1)
QA Programmer
 
Assessment 4 Instructions Health Promotion Plan Presentation.docx
Assessment 4 Instructions Health Promotion Plan Presentation.docxAssessment 4 Instructions Health Promotion Plan Presentation.docx
Assessment 4 Instructions Health Promotion Plan Presentation.docx
galerussel59292
 
Assessment 4 Instructions Remote Collaboration and Evidence-Based C.docx
Assessment 4 Instructions Remote Collaboration and Evidence-Based C.docxAssessment 4 Instructions Remote Collaboration and Evidence-Based C.docx
Assessment 4 Instructions Remote Collaboration and Evidence-Based C.docx
galerussel59292
 

More Related Content

Similar to Advanced Computer ForensicsWindows EnCase Forensics LabDue d.docx

Nexteer Internship Technical Paper
Nexteer Internship Technical PaperNexteer Internship Technical Paper
Nexteer Internship Technical Paper
Ethan Williams
 
Designing A Project Using Java Programming
Designing A Project Using Java ProgrammingDesigning A Project Using Java Programming
Designing A Project Using Java Programming
Katy Allen
 
Implementing xpages extension library
Implementing xpages extension libraryImplementing xpages extension library
Implementing xpages extension library
dominion
 
FTK report PART I Familiar with FTK ImagerBonus Exerc.docx
FTK report PART I Familiar with FTK ImagerBonus Exerc.docxFTK report PART I Familiar with FTK ImagerBonus Exerc.docx
FTK report PART I Familiar with FTK ImagerBonus Exerc.docx
budbarber38650
 
Maven TestNg frame work (1) (1)
Maven TestNg frame work (1) (1)Maven TestNg frame work (1) (1)
Maven TestNg frame work (1) (1)
QA Programmer
 

Similar to Advanced Computer ForensicsWindows EnCase Forensics LabDue d.docx (20)

html
htmlhtml
html
 
How java works
How java worksHow java works
How java works
 
How java works
How java worksHow java works
How java works
 
Integrating Maven with Eclipse
Integrating Maven with EclipseIntegrating Maven with Eclipse
Integrating Maven with Eclipse
 
Lab 1 Essay
Lab 1 EssayLab 1 Essay
Lab 1 Essay
 
Performance Analysis of Idle Programs
Performance Analysis of Idle ProgramsPerformance Analysis of Idle Programs
Performance Analysis of Idle Programs
 
SessionCreatorHelp
SessionCreatorHelpSessionCreatorHelp
SessionCreatorHelp
 
Nexteer Internship Technical Paper
Nexteer Internship Technical PaperNexteer Internship Technical Paper
Nexteer Internship Technical Paper
 
Designing A Project Using Java Programming
Designing A Project Using Java ProgrammingDesigning A Project Using Java Programming
Designing A Project Using Java Programming
 
Memory profiler and garbage collector in C#
Memory profiler and garbage collector in C#Memory profiler and garbage collector in C#
Memory profiler and garbage collector in C#
 
Hands On Intro to Node.js
Hands On Intro to Node.jsHands On Intro to Node.js
Hands On Intro to Node.js
 
Implementing xpages extension library
Implementing xpages extension libraryImplementing xpages extension library
Implementing xpages extension library
 
FTK report PART I Familiar with FTK ImagerBonus Exerc.docx
FTK report PART I Familiar with FTK ImagerBonus Exerc.docxFTK report PART I Familiar with FTK ImagerBonus Exerc.docx
FTK report PART I Familiar with FTK ImagerBonus Exerc.docx
 
Maven: Managing Software Projects for Repeatable Results
Maven: Managing Software Projects for Repeatable ResultsMaven: Managing Software Projects for Repeatable Results
Maven: Managing Software Projects for Repeatable Results
 
Installing d space on windows
Installing d space on windowsInstalling d space on windows
Installing d space on windows
 
Klarf View Users Guide
Klarf View Users GuideKlarf View Users Guide
Klarf View Users Guide
 
Prg 218 entire course
Prg 218 entire coursePrg 218 entire course
Prg 218 entire course
 
Lesson 5 - Create Projects And Upload Files
Lesson 5 - Create Projects And Upload FilesLesson 5 - Create Projects And Upload Files
Lesson 5 - Create Projects And Upload Files
 
Class 1 blog
Class 1 blogClass 1 blog
Class 1 blog
 
Maven TestNg frame work (1) (1)
Maven TestNg frame work (1) (1)Maven TestNg frame work (1) (1)
Maven TestNg frame work (1) (1)
 

More from galerussel59292

Assessment 4 Instructions Health Promotion Plan Presentation.docx
Assessment 4 Instructions Health Promotion Plan Presentation.docxAssessment 4 Instructions Health Promotion Plan Presentation.docx
Assessment 4 Instructions Health Promotion Plan Presentation.docx
galerussel59292
 
Assessment 4 Instructions Remote Collaboration and Evidence-Based C.docx
Assessment 4 Instructions Remote Collaboration and Evidence-Based C.docxAssessment 4 Instructions Remote Collaboration and Evidence-Based C.docx
Assessment 4 Instructions Remote Collaboration and Evidence-Based C.docx
galerussel59292
 
Assessment 4Cost Savings AnalysisOverviewPrepare a spreads.docx
Assessment 4Cost Savings AnalysisOverviewPrepare a spreads.docxAssessment 4Cost Savings AnalysisOverviewPrepare a spreads.docx
Assessment 4Cost Savings AnalysisOverviewPrepare a spreads.docx
galerussel59292
 
Assessment 4 Instructions Final Care Coordination Plan .docx
Assessment 4 Instructions Final Care Coordination Plan .docxAssessment 4 Instructions Final Care Coordination Plan .docx
Assessment 4 Instructions Final Care Coordination Plan .docx
galerussel59292
 
Assessment 3PRINTPatient Discharge Care Planning .docx
Assessment 3PRINTPatient Discharge Care Planning .docxAssessment 3PRINTPatient Discharge Care Planning .docx
Assessment 3PRINTPatient Discharge Care Planning .docx
galerussel59292
 
Assessment 4 ContextRecall that null hypothesis tests are of.docx
Assessment 4 ContextRecall that null hypothesis tests are of.docxAssessment 4 ContextRecall that null hypothesis tests are of.docx
Assessment 4 ContextRecall that null hypothesis tests are of.docx
galerussel59292
 
Assessment 3PRINTLetter to the Editor Population Health P.docx
Assessment 3PRINTLetter to the Editor Population Health P.docxAssessment 3PRINTLetter to the Editor Population Health P.docx
Assessment 3PRINTLetter to the Editor Population Health P.docx
galerussel59292
 
Assessment 3 Instructions Disaster Recovery PlanDevelop a d.docx
Assessment 3 Instructions Disaster Recovery PlanDevelop a d.docxAssessment 3 Instructions Disaster Recovery PlanDevelop a d.docx
Assessment 3 Instructions Disaster Recovery PlanDevelop a d.docx
galerussel59292
 
Assessment 3 Instructions Professional Product     Develop a .docx
Assessment 3 Instructions Professional Product     Develop a .docxAssessment 3 Instructions Professional Product     Develop a .docx
Assessment 3 Instructions Professional Product     Develop a .docx
galerussel59292
 
Assessment 3 Instructions Care Coordination Presentation to Colleag.docx
Assessment 3 Instructions Care Coordination Presentation to Colleag.docxAssessment 3 Instructions Care Coordination Presentation to Colleag.docx
Assessment 3 Instructions Care Coordination Presentation to Colleag.docx
galerussel59292
 
Assessment 3Essay TIPSSWK405 The taskEssayWhen.docx
Assessment 3Essay TIPSSWK405 The taskEssayWhen.docxAssessment 3Essay TIPSSWK405 The taskEssayWhen.docx
Assessment 3Essay TIPSSWK405 The taskEssayWhen.docx
galerussel59292
 
Assessment 3 Health Assessment ProfessionalCommunication.docx
Assessment 3 Health Assessment ProfessionalCommunication.docxAssessment 3 Health Assessment ProfessionalCommunication.docx
Assessment 3 Health Assessment ProfessionalCommunication.docx
galerussel59292
 
Assessment 3Disaster Plan With Guidelines for Implementation .docx
Assessment 3Disaster Plan With Guidelines for Implementation .docxAssessment 3Disaster Plan With Guidelines for Implementation .docx
Assessment 3Disaster Plan With Guidelines for Implementation .docx
galerussel59292
 
Assessment 3 ContextYou will review the theory, logic, and a.docx
Assessment 3 ContextYou will review the theory, logic, and a.docxAssessment 3 ContextYou will review the theory, logic, and a.docx
Assessment 3 ContextYou will review the theory, logic, and a.docx
galerussel59292
 
Assessment 2Quality Improvement Proposal Overview .docx
Assessment 2Quality Improvement Proposal Overview .docxAssessment 2Quality Improvement Proposal Overview .docx
Assessment 2Quality Improvement Proposal Overview .docx
galerussel59292
 
Assessment 2by Jaquetta StevensSubmission dat e 14 - O.docx
Assessment 2by Jaquetta StevensSubmission dat e 14 - O.docxAssessment 2by Jaquetta StevensSubmission dat e 14 - O.docx
Assessment 2by Jaquetta StevensSubmission dat e 14 - O.docx
galerussel59292
 
Assessment 2PRINTBiopsychosocial Population Health Policy .docx
Assessment 2PRINTBiopsychosocial Population Health Policy .docxAssessment 2PRINTBiopsychosocial Population Health Policy .docx
Assessment 2PRINTBiopsychosocial Population Health Policy .docx
galerussel59292
 
Assessment 2 Instructions Ethical and Policy Factors in Care Coordi.docx
Assessment 2 Instructions Ethical and Policy Factors in Care Coordi.docxAssessment 2 Instructions Ethical and Policy Factors in Care Coordi.docx
Assessment 2 Instructions Ethical and Policy Factors in Care Coordi.docx
galerussel59292
 
Assessment 2-Analysing factual  texts This assignment re.docx
Assessment 2-Analysing factual  texts This assignment re.docxAssessment 2-Analysing factual  texts This assignment re.docx
Assessment 2-Analysing factual  texts This assignment re.docx
galerussel59292
 
Assessment 2DescriptionFocusEssayValue50Due D.docx
Assessment 2DescriptionFocusEssayValue50Due D.docxAssessment 2DescriptionFocusEssayValue50Due D.docx
Assessment 2DescriptionFocusEssayValue50Due D.docx
galerussel59292
 

More from galerussel59292 (20)

Assessment 4 Instructions Health Promotion Plan Presentation.docx
Assessment 4 Instructions Health Promotion Plan Presentation.docxAssessment 4 Instructions Health Promotion Plan Presentation.docx
Assessment 4 Instructions Health Promotion Plan Presentation.docx
 
Assessment 4 Instructions Remote Collaboration and Evidence-Based C.docx
Assessment 4 Instructions Remote Collaboration and Evidence-Based C.docxAssessment 4 Instructions Remote Collaboration and Evidence-Based C.docx
Assessment 4 Instructions Remote Collaboration and Evidence-Based C.docx
 
Assessment 4Cost Savings AnalysisOverviewPrepare a spreads.docx
Assessment 4Cost Savings AnalysisOverviewPrepare a spreads.docxAssessment 4Cost Savings AnalysisOverviewPrepare a spreads.docx
Assessment 4Cost Savings AnalysisOverviewPrepare a spreads.docx
 
Assessment 4 Instructions Final Care Coordination Plan .docx
Assessment 4 Instructions Final Care Coordination Plan .docxAssessment 4 Instructions Final Care Coordination Plan .docx
Assessment 4 Instructions Final Care Coordination Plan .docx
 
Assessment 3PRINTPatient Discharge Care Planning .docx
Assessment 3PRINTPatient Discharge Care Planning .docxAssessment 3PRINTPatient Discharge Care Planning .docx
Assessment 3PRINTPatient Discharge Care Planning .docx
 
Assessment 4 ContextRecall that null hypothesis tests are of.docx
Assessment 4 ContextRecall that null hypothesis tests are of.docxAssessment 4 ContextRecall that null hypothesis tests are of.docx
Assessment 4 ContextRecall that null hypothesis tests are of.docx
 
Assessment 3PRINTLetter to the Editor Population Health P.docx
Assessment 3PRINTLetter to the Editor Population Health P.docxAssessment 3PRINTLetter to the Editor Population Health P.docx
Assessment 3PRINTLetter to the Editor Population Health P.docx
 
Assessment 3 Instructions Disaster Recovery PlanDevelop a d.docx
Assessment 3 Instructions Disaster Recovery PlanDevelop a d.docxAssessment 3 Instructions Disaster Recovery PlanDevelop a d.docx
Assessment 3 Instructions Disaster Recovery PlanDevelop a d.docx
 
Assessment 3 Instructions Professional Product     Develop a .docx
Assessment 3 Instructions Professional Product     Develop a .docxAssessment 3 Instructions Professional Product     Develop a .docx
Assessment 3 Instructions Professional Product     Develop a .docx
 
Assessment 3 Instructions Care Coordination Presentation to Colleag.docx
Assessment 3 Instructions Care Coordination Presentation to Colleag.docxAssessment 3 Instructions Care Coordination Presentation to Colleag.docx
Assessment 3 Instructions Care Coordination Presentation to Colleag.docx
 
Assessment 3Essay TIPSSWK405 The taskEssayWhen.docx
Assessment 3Essay TIPSSWK405 The taskEssayWhen.docxAssessment 3Essay TIPSSWK405 The taskEssayWhen.docx
Assessment 3Essay TIPSSWK405 The taskEssayWhen.docx
 
Assessment 3 Health Assessment ProfessionalCommunication.docx
Assessment 3 Health Assessment ProfessionalCommunication.docxAssessment 3 Health Assessment ProfessionalCommunication.docx
Assessment 3 Health Assessment ProfessionalCommunication.docx
 
Assessment 3Disaster Plan With Guidelines for Implementation .docx
Assessment 3Disaster Plan With Guidelines for Implementation .docxAssessment 3Disaster Plan With Guidelines for Implementation .docx
Assessment 3Disaster Plan With Guidelines for Implementation .docx
 
Assessment 3 ContextYou will review the theory, logic, and a.docx
Assessment 3 ContextYou will review the theory, logic, and a.docxAssessment 3 ContextYou will review the theory, logic, and a.docx
Assessment 3 ContextYou will review the theory, logic, and a.docx
 
Assessment 2Quality Improvement Proposal Overview .docx
Assessment 2Quality Improvement Proposal Overview .docxAssessment 2Quality Improvement Proposal Overview .docx
Assessment 2Quality Improvement Proposal Overview .docx
 
Assessment 2by Jaquetta StevensSubmission dat e 14 - O.docx
Assessment 2by Jaquetta StevensSubmission dat e 14 - O.docxAssessment 2by Jaquetta StevensSubmission dat e 14 - O.docx
Assessment 2by Jaquetta StevensSubmission dat e 14 - O.docx
 
Assessment 2PRINTBiopsychosocial Population Health Policy .docx
Assessment 2PRINTBiopsychosocial Population Health Policy .docxAssessment 2PRINTBiopsychosocial Population Health Policy .docx
Assessment 2PRINTBiopsychosocial Population Health Policy .docx
 
Assessment 2 Instructions Ethical and Policy Factors in Care Coordi.docx
Assessment 2 Instructions Ethical and Policy Factors in Care Coordi.docxAssessment 2 Instructions Ethical and Policy Factors in Care Coordi.docx
Assessment 2 Instructions Ethical and Policy Factors in Care Coordi.docx
 
Assessment 2-Analysing factual  texts This assignment re.docx
Assessment 2-Analysing factual  texts This assignment re.docxAssessment 2-Analysing factual  texts This assignment re.docx
Assessment 2-Analysing factual  texts This assignment re.docx
 
Assessment 2DescriptionFocusEssayValue50Due D.docx
Assessment 2DescriptionFocusEssayValue50Due D.docxAssessment 2DescriptionFocusEssayValue50Due D.docx
Assessment 2DescriptionFocusEssayValue50Due D.docx
 

Recently uploaded

Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Recently uploaded (20)

This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 

Advanced Computer ForensicsWindows EnCase Forensics LabDue d.docx

  • 1. Advanced Computer Forensics Windows EnCase Forensics Lab Due date: Please submit your work to Windows EnCase Lab dropbox by July 2nd, 2013. Lab Setup for using RLES vCloud This lab is designed to function on the RLES vCloud. The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT. If you did the Linux forensics lab on RLES vCloud, you should have created a vApp with the Linux VMware image. If you did not use the RLES vCloud for your first lab, please follow the instruction described in the Linux Forensics Lab to create a vApp. Now, you will add the vApp template, Windows 7 w/FTK 7 EnCase image, from the Public Catalogs to the same vApp following the instruction of Add Virtual Machines to a vApp (Page 8 in RLES vCloud User Guide) with the following setting: · Set network to be Net_Network · Select DHCP to create an IP address (when you use DHCP, fencing option is NOT necessary.) Note: If you get an error when trying to start a vApp (or a VM within a vApp), try these steps: 1. Open up your vApp and click on the Virtual Machines tab. Right-click your VM and choose "Properties". 2. Click on the Hardware tab. At the bottom of the page, click on the MAC address and choose "Reset". 3. Click OK. When it asks if you want to enable guest customization, click No.
  • 2. 4. Give it a minute to update your VM, then try starting it. Power on the Windows Virtual machine and login to the system with: Username: Student Password: student EnCase 7 is installed on the virtual machine. When you start the EnCase application, you should see “EnCase Forensic (not Acquisition)” on the top of the application. EnCase 7 Tutorial · The EnCase Forensics V7 User Guide posted in myCourses under Hands-on Labs. · EnCase 7 Essentials webinar series at http://www.encaseondemand.com/EnCasev7Essentials/tabid/261 7/index.aspx The following image files will be used for this lab and they are located in the local drive E: 1) WinLabRaw.img – Raw Image from dd 2) WinLabEnCase.E01 -- EnCase evidence file Note: “WinLabEnCase Image” in this documentation = “Lab5 image” in your EnCase image. PART I: Familiar with EnCase Exercise 1: Starting a New Case Launch EnCase for Windows – make sure that you are in the EnCase forensics mode (on the top of the software, you should see EnCase Forensic Training, NOT acquisition mode.) Click the “New Case” button under CASE FILE to begin a new
  • 3. case. Use the #1 Basic Template and name the case “Case 1” Record the defaults that EnCase gives you for its folders. It is safe to use these defaults in our experiments. Add a Raw Image to the exist case You can add a raw disk image, for example, the dd image, to your case. Click EVIDENCE > Add Evidence, then click Add Raw Image Enter “WinLabRaw Image” in the “Name” field. Under “Image Type” choose “Disk” and click “OK”. Under Component Files, click New, locate and select the “WinLabRaw.img” file from E: The image will now be added to your case. Double click on the hyperlink of WinLbRaw Image, you will be able to view the files and folders from the image. Question 1: What is the file system of this raw Image? (Hint: 1. Check “report” from the bottom pane OR 2. choose “Disk View…” from the top drop-down disk manual, then click the first sector (in red), the volume boot, and read the text in the bottom pane.) Question 2: What is the first character (in Hex) of the filename of a deleted file (check week 6 lecture recording)? Add the EnCase Image, WinLabEnCase.E01 located at E:, to
  • 4. the exist case via EnCase’s “Add Evidence” from the top menu, choose Add Evidence File… Question 3: What type of files can be added using EnCase’s “Add Evidence Files” Now you have two evidences added into the case. You can view either one by selecting View->Evidence from the top View menu. Exercise 2: Using Encase Set the Time Zone EnCase v7 will utilize the time zone setting of your examiner workstation if no time zone is set for the evidence. When you acquire a computer as evidence it is important to make note of the computer’s time and time zone, especially if you need to correlate evidence from different time zones (never assume the time or time zone on a computer is correct.) Question 4: Where does the Time Zone information reside in a Windows system? (Hint: See EnCase 7 User guide, page 122 or watch Processing Evidence Part 1 from http://www.encaseondemand.com/EnCasev7Essentials/tabid/261 7/index.aspx). Before starting the evidence analysis, you should verify that time zone settings for the evidence are configured properly and modify the time zone setting if necessary. In our case, since we did not include the complete Windows’ image, let’s assume the computer’s time zone is North American Eastern Time Zone time zone. Verify the time zone setting by opening the WinLabEnCase image and selecting “Device -> Modify Time Zone Settings”. Question 5: How do you modify Time Zone Settings, show a
  • 5. screen shot below.Now that you have the evidence added and the time zone set, you can analyze the evidence. Timeline View The Timeline view gives you a graphical overview of file creation, modification and access times and dates in a calendar view. It allows you to look for patterns. Green Select the WinLabEnCase Image and click on the Timeline tab in the Views pane. The timeline view can be zoomed from a yearly view to a minute-by-minute view using Higher Resolution button and Lower Resolution button. The colored dots represent activity on a particular file. The legend for the colors can be found by clicking “Options” button from the top menu. Question 6: Why is Timeline View useful for your investigation?Gallery View The Gallery view allows you to quickly see all the pictures in the case. Now let’s switch to the WinLabRaw image by View -> Evidence then open the WinLabRaw Image. Green select “WinLab Raw image”, in the Views pane, select the Gallery tab. You will now see all of the pictures contained in the WinLabRaw Image. The Gallery view displays graphics files based on file extension. Question 7: In the Raw Image, how many pictures are shown in Gallery View?Process the Evidence (watch Processing Evidence Part 2 from http://www.encaseondemand.com/EnCasev7Essentials/tabid/261 7/index.aspx)
  • 6. Select Process Evidence… from the Add Evidence menu. Click the Process check box for the evidences that you intend to run through the Evidence Processor. The Evidence Processor Task list is shown at the bottom pane. You have the freedom to enable the tasks to run. For example, you may want to run certain tasks in the beginning, such as file signature and hash analysis, then later add other options, such as parsing compound files. However, you have to run certain tasks at a particular time. For example, you must run Recover Folders in the initial processing step. Tasks you must run in a specific step are marked with a red flag icon. Note: If a task name is listed in a blue font, click on its task name to configure it. If a task name is listed in a black font, no further configuration is necessary Select the WinLabRaw Image, enable the top five tasks and run the evidence processor. Recover folders. Recover Folders will recover all deleted folders. Note: For this image, you may not see anything interesting. Question 8: Read the EnCase manual to find out how Recover- Folders recover deleted folders for FAT and NTFS file systems respectively? File Signature Analysis A file type (JPEG, Word Document, MP3 file) can be determined by the file’s extension and by a header that precedes the data in the file. If a file’s extension has been changed, then the only way to determine its type is by looking at its header. Encase has a list of known file extensions and headers that it
  • 7. uses to identify files. From the “View” menu select “File Types” to see the list of file types. Question 9: What information is listed for each file type? Question 10: What can an investigator do if the header of a file is unknown in your current setting of the EnCase? When EnCase finished the file signature analysis. Select the WinLabRaw Image and take a look at the “Signature Analysis” and “Signature” Columns in the “Table” view. Question 11: What different terms you see in the Signature Analysis column? Question 12: Do you find any signature mismatch? List them. Examine the WinLabRaw image in the gallery view again. Question 13: Are there any graphics files on the WinLabRaw image whose file extensions have been changed? List them. Question 14: If a file’s extension has been changed to a non- graphics file type (such as changing jpg to txt), will it be displayed in the Gallery view? If not, what could you do to fix this? Hash Analysis A hash is a digital fingerprint of a file or collection of data. EnCase uses the MD5 (and/or SHA1) algorithm to create hash(s) or “digital fingerprint” of a file. The Evidence Processor’s Hash Analysis that we have run earlier has created the MD5 and SHA-1 hash values for the Raw image.
  • 8. Check the “WinLabRaw Image” evidence in the table view, and make sure that the hash columns are filled. Question 15: What are the types of files that will not have a hash generated? Question 16: What are the three most common uses for hashes analysis? Compound Files Compound files are files with multiple layers and/or metadata such as Outlook Express email folders (.dbx), registry files, or OLE files. In EnCase 7, you have several ways to expand the compound files. You can run the EnCase Evidence Processor on the EnCase image, select Expand compound files to expand all achieves and registry files OR you can expand the individual compound file. Here we will try the second method by only expanding the individual compound file. Let’s look at the NTUSER.DAT registry file from WinLabEncase image. View -> Evidence and click on WinLabEncase image, In the Table view locate the file “Documents and SettingsPSMITHNTUSER.DAT” and expand the EnCase image to find the “Documents and SettingsPSMITHNTUSER.DAT” file by right click the file and choose Entries -> View File Structures. (Note: other registry files exist in C:windowssystem32config folder. They are not included in this image.) Double click on NTUSER.DAT
  • 9. Question 17: Did anything happen? Do you find any important information? If so, what kind of information you got? Searching for Email (See Email from the EnCase V7 Essential webinar) EnCase can search various types of email artifacts including Outlook (2000/2003), Outlook Express, Exchange, Lotus Notes, AOL and Thunderbird’s MBOX. Select Process Evidence… from the Add Evidence menu. Select the WinLabEnCase image from the Evidence Process, and ONLY check Find Email (uncheck other tasks). Double click on “Find Email” and check Search for Additional Lost or Deleted Items box for a search for deleted e-mails. Click OK to run the processor. The processed e-mail will be found under the Records view. A list of processed e-mail archives will be displayed under the Email Folder. To open an e-mail archive, click on the hyperlink of the name of the archive Question 18: What interesting information do you see from emails? EnCase v7 also supports two forms of e-mail threading analysis, Conversations and Related messages. Double click on Deleted Items.dbx. In the Records tab, from the Find related items menu, click Show related messages button. Question 19: Read EnCase Forenscis V7 User Guide (page 208),
  • 10. briefly describe what are these features. Question 20: Under the Records view, you should also see Thumbnails under WinLabRaw Image, what are thumbnails? List three of them.Searching for Internet Artifacts (Processed Evidence Results Part 2) Internet history contains rich evidences. EnCase will collect Internet-related artifacts, such as browser histories and cached web pages. You also have the option to search unallocated space for the Internet artifacts. Select Process Evidence… from the Add Evidence menu. Select the WinLabEnCase image from the Evidence Process, and check Find internet artifacts. Double click the Find internet artifacts hyperlink and choose “search unallocated space for internet artifacts” and run the processor. The processed internet artifacts will be found under the Records view. Select the Internet folder of Records and then click on the Internet hyperlink. Question 21: What kind of information do you see in the record for Internet? Question 22: How does “search unallocated space for internet artifacts” affect your search results in the record? Searching in EnCase v7 There are three principal methods of searching through evidence in EnCase v7: · Index searches – Evidence data is indexed prior to searching
  • 11. · Raw searches – Searches based on non-indexed, raw data · Tag searches – Searches based on user-defined tags Generating an index can take time, however, the trade-off in time spent creating the index yields a greater payoff with near instantaneous search times. Using EnCase indexing search (Viewing Index and Search Results Part 1) Text indexing allows you to quickly query the transcript of entries. Creating an index builds a list of words from the contents of an evidence file that contain pointers to their occurrence in the file. Two steps are involved in using the index: Generating an index and Searching an Index. Select Process Evidence… from the Add Evidence menu. Select the WinLabEnCase image from the Evidence Process, and check “Index Text And MetaData” and only set index slack and Unallocated, then click OK to run the processor. To search an index, first open the search tab by clicking “View” -> Search, then click on Index button. Type “search” in the index space and hit the run button (a green arrow at the same line of the Index button). The search result is shown in the table view. You can read the file by right-click on the tile and choose Go to file, then view the content at the low pane by choose text, Doc, Transcript or Picture depending on the file type. Question 23: What are the results?List 2 files that contain the term “search” in their contents. Searching for Keywords This option runs a raw keyword search during the processing. You can either use Evidence Process Search for Keywords
  • 12. before analysis or the Raw Keyword search function outside the Evidence Processor during analysis. Let’s try the keyword search outside the Evidence Processor. Click “View” -> “Evidence”, then click Raw Search All top- down menu and choose New Raw Search All… Use “New” to add a single keyword, “microsoft” (no quotes). Under Search Option, add the Unicode in addition to the default ANSI Latin-1 If you have multiple keywords to add at once, you can use “Add Keyword List” to add them. Now use “Add Keyword List” to add in the following keywords: computer this Again, under Search Option, add the Unicode in addition to the default ANSI Latin-1 Choose “Search entry slack” from the top checkboxes. Questions 24: What are the other search options besides “Search entry slack”? Click “Run…” under Raw Search All When the search is done, to view the search results, let’s go to the View keywords hits (the yellow key symbol) sub-tab of Search tab. In the keywords tree pane, we will see all the keywords we created. To see the result of any keyword, simply click on the keyword.
  • 13. Question 25: What do you see from Search Hits? List two files from the search hits. Bookmarks and Tags Bookmarks allow you to mark folders, files, search results, or parts of a file for later reference and for inclusion in reports. Bookmarking in Evidence View Go to the “WinLabRaw Image” evidence, click on the “Gallery”, blue-check the additional images that you identified after “Signature Analysis”. Use the Bookmark drop-down menu to create bookmarks for the selected entry (or entries) by selecting Single item…. Or Selected items… (for multiple entries). Place the evidence bookmarks in the appropriate folder of your case report template or you can create a new folder. To view the bookmarking you created: “view” -> Bookmarks Action 26: Include a screenshot of the bookmarks you created in the Bookmarks tab. Tags The EnCase v7 tagging feature allows you to mark evidence items from Records, Evidence, or Bookmarks for review. You can use the default tags created by EnCase or define your own tags. Tags tab can be found from the Records, Evidence, or Bookmark tabs, Let’s create a tag and then tag the two files from your keyword search exercise using this tag. Go to the evidence that contains these two suspicious files. Click “Tags” -> Manage tags…. , then create a tag named Suspicious Files, displayed as “Files” in Red color (right-click
  • 14. the Background Color and choose edit). Select and blue check these two suspicious files, then use “Tags -> Tag selected items…” to tag them using the “Files” tag. The tag should be shown in the Table view of the “Tag” column. Action 27: Show the tagged Files in the Table view. Question 28: What is the “One-click tagging” feature (see EnCase User Guide, page 234)? Action 29: Finally, go back Process Evidence… from the Add Evidence menu. Selected the WinlabEnCase image, expend Modules, and choose one function from Modules and include your results below. PAGE 1 Advanced Computer Forensics - EnCase