VERSION 7.03
USER’S GUIDE
EnCase®, EnScript®, FastBloc®, Guidance Software® and EnCE® are registered trademarks or trademarks owned by Guidance Software in the
United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as
the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or
copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to
infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc.
Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no
part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical,
photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they
are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com.
Information contained in this work is furnished for informational use only, and is subject to change at any time without notice.
Contents
Overview  11
  EnCase Forensic  12
  EnCase Enterprise  12
Processing Evidence  69
  Overview  70
  Running Evidence Processor Options Incrementally  73
    Processing Devices from a Local Preview  76
    Processing Devices from a Network Preview  77
    Processing Evidence during a Sweep  78
  Recovering Folders  79
  Analyzing File Signatures  79
  Analyzing Protected Files  79
  Analyzing Hashes  80
  Expanding Compound Files  80
  Finding Email  80
  Finding Internet Artifacts  80
  Searching With Keywords  82
    Adding a New Keyword  84
    Creating a New Keyword List  85
  Creating an Index  85
    Indexing Personal Information  86
    Indexing Text in Slack and Unallocated Space  87
  Creating Thumbnails  88
  Running EnScript Modules  88
    System Info Parser  89
    IM Parser  89
    File Carver  89
    Windows Event Log Parser  90
    Windows Artifact Parser  90
    Unix Login  91
    Linux Syslog Parser  91
FastBloc SE  391
  Overview  392
  Write Blocking and Write Protecting a Device  392
    Write Blocking a USB, FireWire, or SCSI Device  392
    Write Protecting a USB, FireWire, or SCSI Device  393
    Removing Write Block from a USB, FireWire, or SCSI Device  394
  Disk Caching and Flushing the Cache  394
  Troubleshooting  394
Support  455
  Technical Support  455
    Live Chat  455
    Technical Support Request Form  455
    Email  455
    Telephone  455
    Support Portal  456
    Registration  457
    User, Product, and Foreign Language Forums  457
    Posting to a Forum  458
    Searching  458
    Bug Tracker  458
    Knowledge Base  458
    MyAccount  459
Index  461
CHAPTER 1
Overview
In This Chapter
EnCase Forensic
EnCase Enterprise
12 EnCase® Examiner Version 7.03
EnCase Forensic
EnCase Forensic enables you to collect forensically sound data and conduct complex large scale
investigations from beginning to end.
EnCase Forensic is designed for:
Those responsible for collecting evidence.
Forensic examiners and analysts.
Forensic examiners who develop and use EnScript code to automate repetitive or complex
tasks.
With EnCase Forensic these types of investigators can:
Acquire data in a forensically sound manner using software with an unparalleled record in
courts worldwide.
Investigate and analyze data from multiple platforms—Windows, Linux, AIX, OS X, Solaris,
and more—using a single tool.
Find information despite efforts to hide, cloak, or delete.
Easily manage large volumes of computer evidence, viewing all relevant files, including
deleted files, file slack, and unallocated space.
Create exact duplicates of original data, verified by hash and Cyclic Redundancy Check (CRC)
values.
Transfer evidence files directly to law enforcement or legal representatives.
Review options that allow non-investigators, such as attorneys, to review evidence with ease.
Use reporting options for quick report preparation.
EnCase Enterprise
"EnCase Enterprise is a forensically sound data acquisition and analysis tool built to scale across the
network. The following components work together to let you conduct network-based investigations
simultaneously on multiple machines:
Servlets
After a command from the Examiner has been authorized by the SAFE server and verified by the
network device, a servlet is deployed to target machines to execute the command. The servlet runs as a
process or service with administrative privileges and has access to the each target machine at the bit
level.
Work with your network administrator to determine the best methods for deploying the servlets,
taking into account your network topology, network operating system, and management tools. Tools
you can use to distribute the servlets include:
Windows network logon scripts or group policies
IBM Tivoli push technology
HP OpenView push technology
Microsoft SMS push technology
CA Unicenter TNG push technology
Symantec Ghost Console push technology
CHAPTER 2
Obtaining Updates
EnCase Requirements
Configuration Options
Overview
This chapter describes how to install EnCase Forensic Examiner, EnCase Enterprise Examiner, and
EnCase Processor.
EnCase Forensic Examiner, EnCase Enterprise Examiner, and EnCase Processor are all installed
using the same installer. Your security key, or dongle, contains programmatic flags that determine
whether EnCase Forensic Examiner, EnCase Enterprise Examiner, or EnCase Processor functionality is
available to you. If you do not use a security key, your NAS license contains the appropriate flags for
your product. Unless otherwise specifically noted, the term EnCase refers to all of these products.
This chapter lists the default locations of installation directories and files and also provides
information about configuring EnCase settings.
Obtaining Updates
When you receive your product, register it with Guidance Software to receive updates. Register at
https://www.guidancesoftware.com/registration.aspx.
If you have trouble registering your product, contact Customer Service.
If you have trouble downloading the updates once registered, contact Technical Support on page 455.
EnCase Requirements
Before you begin, make sure you have:
An EnCase security key (also known as a dongle), or a NAS license and connection information
An optional certificate file for users who want to activate an EnCase Version 6 dongle to run
EnCase Version 7
Downloaded installation files for the current release of EnCase
For best performance, examination computers should have at least the following hardware and
software configuration:
Configuration            Requirements
Class                    Desktop or server class hardware (32- or 64-bit)
Evidence Storage Drive   SATA 7200 RPM (a separate evidence storage drive is recommended)
Evidence Backup          SATA 7200 RPM (a separate evidence storage drive is recommended)
3. Click Allow.
Uninstalling EnCase
The uninstaller works only on identical software versions.
To uninstall EnCase:
1. Have backups of evidence and case files prior to making modifications to any software on an
examination machine.
2. Close any running versions of EnCase.
3. Open the Windows Control Panel and double click Change or Remove Programs.
4. Select the EnCase version to remove and click Change/Remove.
5. The EnCase uninstall wizard runs and the first screen displays.
6. Enter or navigate to the installation location in the Install Path field. The default is
C:\Program Files\Encase7.
7. Click Next. The uninstall wizard opens.
8. Click Next.
9. Select Uninstall and click Next. A progress bar displays during the uninstall process.
10. The last page of the uninstall wizard displays. Select Reboot Later or Reboot Now and click
Finish.
Reinstalling EnCase
Use the EnCase Installation Wizard to reinstall EnCase. Reinstalling creates a new log file and
reinstalls the following items:
Application files
Registry keys
Needed user files
Default configuration files
Note: If you previously modified EnScripts without placing the modified EnScripts in another folder,
they are lost during reinstallation.
Reinstalling does not change:
Licenses
Certificates
User settings
When reinstalling EnCase, make sure that your dongle is inserted. If support on the dongle has
expired, a warning message displays.
Configuration Options
You can configure options for EnCase according to your needs or preferences, using the Configuration
Options tabbed dialog. Each tab allows you to select a panel that controls a group of options, described
in the following sections. To access the Configuration Options, select Options from the Home tab.
Installing and Configuring EnCase 21
Global Options
The Global tab contains settings that apply to all cases.
Auto Save Minutes (0 = None) is the number of minutes between automatic saves of case files.
Automatically saved data is written to *.CBAK files in the EnCase7 backup directory. The default
setting is ten minutes.
Backup Files is the maximum number of files stored as backups when you save a case. The default is
9.
Use Recycle Bin for Cases determines whether the current case file is moved to the Recycle Bin or
overwritten when you manually save a case file.
Enable Picture Viewer allows graphics to be displayed in various views.
Enable ART Image Display determines whether to display ART image files. When EnCase encounters
corrupt ART image files, application problems can occur. This setting enables you to minimize the
impact of corrupted ART files.
Invalid Picture Timeout (seconds) indicates the amount of time EnCase attempts to read a corrupt
image file before timing out. After a timeout occurs, the corrupt file is sent to the cache and no attempt
is made to re-read it.
Force ordered rendering in gallery forces images to appear in order, from left to right, sequentially by
row. If you leave this box unchecked, images appear in the gallery view as they become available.
Ordered rendering takes longer to complete; unordered rendering shows images sooner, but not in
sequence.
Current Code Page specifies the current code page, which is the character set for the language and
case data. The default value is Western European (Windows).
Change Code Page enables you to change the default value of the code page from Western European
(Windows) to another available code page. Set the global code page to display foreign language
characters correctly.
Show True indicates a value of true in table columns displayed in the Table tab of the Table pane. The
default indicator is a bullet, which you can change to a different character.
Show False indicates a value of false in table columns displayed in the Table tab of the Table pane. The
default indicator is a blank space, which you can change.
Default Char specifies the character that EnCase uses on its displays to indicate that a box or cell is
checked.
Flag Lost Files specifies whether the disk map shows lost clusters. Lost clusters are clusters that the
file system marks as allocated but that EnCase cannot associate with any file.
Detect FastBloc Hardware determines whether or not to search for legacy FastBloc hardware write
blockers.
Do not verify evidence when opened turns off verification of evidence file contents when a case is
opened. Verification recomputes the hash and CRC values of the evidence and compares them with the
values stored at acquisition, which can take a long time on large images. Select this option to skip that
check; if you do, make sure the evidence has been verified at some other point before you rely on it.
Date Options
Customize date/time information associated with a case using the Date tab in Options.
Display time zone on dates includes the time zone in date/time columns.
Date Format includes these options:
MM/DD/YY (06/21/08)
DD/MM/YY (21/06/08)
Other enables you to specify your own date format
Current Day displays the current date in the specified date format
NAS Options
The options on the NAS tab configure EnCase to receive the software's licensing information from an
EnCase Network Authentication Server (NAS) instead of from a dongle inserted into the machine.
Use Network Authentication Server for licensing: Check this box to indicate use of the NAS licensing
system to run the copy of EnCase on your computer.
NAS Key Path: Specifies the full path of the user's licensing file. The NAS file for general licensing of
EnCase is default.nas.
SAFE Key Path: Enter the full path of the EnCase SAFE public key file. This SAFE token file has the
extension .SAFE and is found on the SAFE authentication server.
SAFE Address: Enter the IP address or machine name of the computer running the EnCase SAFE. If
the SAFE listens on a port other than the default 4445, append the port number to the address,
separated by a colon (for example, 192.168.1.34:5656).
Status: Displays the name or IP address of the computer on which the EnCase licensing files currently
reside.
Create User Key...: Opens the Create User Key dialog. Do not use this button unless you are creating
separate licenses for each computer belonging to your NAS setup. For more information about using
individual licenses, see the EnCase Safe Administration Guide.
Color Options
Use the Colors tab to change the default colors associated with various case elements. This dialog
shows the current foreground and background colors for the case element.
Font Options
Use the Fonts tab to customize the fonts used for EnCase user interface items, and in data panels and
reports.
Debug Options
Use the Debug tab to specify debugging information and options.
The Startup panel displays operating system, application, and session information about your
computer and about EnCase.
If the pane is empty, click Show Startup Log to display the information. The information is useful for
troubleshooting purposes.
System Cache specifies the amount of physical memory for caching reads and writes of files on disk.
The default value is 20 percent of the computer's physical memory (RAM).
Minimum (MB): The minimum size of the system cache in Megabytes; the default value is 1.
Maximum (MB): The maximum size of the system cache in Megabytes. The default value
depends on the amount of physical memory available on the computer. You can manually set
this value up to the maximum amount of physical memory available (although this is not
recommended).
Controlled by EnCase: Clicking this box allows EnCase to control the size of the system cache
(recommended).
Do not warn at startup: If you check this box, EnCase will not display warning messages
when possible system memory issues occur.
Set Defaults: Click this button to reset the system cache values to their default values.
Debug Logging allows you to select which logging action to take in the event of a crash:
Off: No debug logging is performed (default).
Stack: This option saves a stack dump if EnCase crashes. This file contains data that the
crashing subsystem used, the system DLLs loaded at the time of the event, and the version of
EnCase. In most cases, the information written to the Stack dump log does not contain case
specific data.
Heap: This option saves a heap dump if EnCase crashes. It is the recommended option for
most EnCase crash issues. The heap contains the data in process memory that the program uses
while running, so the dump file is considerably larger (potentially in the gigabyte range) than a
stack dump. A heap dump frequently contains case-specific data, including data from the
evidence, so store it, and share it with support, under the same handling rules as the evidence
itself.
Note: For the quickest debugging of the crash, Guidance Software recommends selecting the Heap option.
Enterprise Options
The Enterprise tab provides private key caching and reconnect options.
• Private Key Caching specifies the number of minutes the EnCase private key password is
held in memory. A longer interval means fewer password prompts, but also a longer period
during which anyone with access to the running examiner session can use the key without
re-entering the password.
• Auto Reconnect Attempts is the number of times EnCase should attempt reconnection to
a servlet.
• Auto Reconnect Intervals is the number of seconds EnCase should wait before trying to
reconnect to a servlet if previous attempts have failed.
3. From the Device menu select Modify time zone settings. The Time Properties dialog displays.
Application Folder
This folder contains application files that are used by EnCase. User data and user configuration
settings are not saved in this location.
Windows 7 and Windows Vista default path: \Program Files\EnCase7
Windows XP: \Program Files\EnCase7
User Data
User-created files and backup user data are stored in the following default folders:
Windows 7 and Windows Vista path: \Users\<Username>\Documents\EnCase
Windows XP: \Documents and Settings\<Username>\My Documents\EnCase
The current path used to store user data can be seen under Paths on the EnCase home page.
Case Backup
Backup case data is saved in the following locations, based on your operating system:
Windows 7 and Windows Vista path: \Users\<Username>\Documents\
EnCase\Cases\Backup
Windows XP: \Documents and Settings\<Username>\My Documents\
EnCase\Cases\Backup
Case Folder
Case files are stored in the following locations, based on your operating system:
Windows 7 and Windows Vista default path:
\Users\<Username>\Documents\EnCase\Cases\<Case Name>
Windows XP: \Documents and Settings\<Username>\My
Documents\EnCase\Cases\<Case Name>
Evidence Cache
The evidence cache folder contains the cache, index, and Evidence Processor results for a device.
Windows 7 and Windows Vista default path:
\Users\<Username>\Documents\EnCase\Evidence Cache\<Hash>
Windows XP: \Documents and Settings\<Username>\My
Documents\EnCase\Evidence Cache\<Hash>
Item Description
Logos Default report logo
Case Operations
Case Portability
Overview
This chapter describes how to use EnCase to create and start work on a case. It explains the major
components of the user interface, and how to use them to access EnCase features.
The chapter guides you through the initial stages of case creation and the basics of using case
templates, describes the process of adding evidence to a case and setting case options, shows how to
work with cases, and describes the case portability feature. In EnCase, a case is stored in a folder, with
subfolders for case-specific information such as tags and search results. The case folder and the
components it contains tie the investigative work you perform directly to the evidence, so do not
modify the folder's contents outside EnCase.
The chapter's purpose is to get you started with EnCase case creation, explain how to access the main
features of this digital forensic tool, and give you a sense of the structure used to gather and process
your case evidence.
The Home page, like all pages within EnCase, is divided into several sections, each with a specific set
of functions. In descending order, they are:
Working with Cases 35
Application Toolbar: Appears below the title bar, and provides dropdown menus to major areas of
functionality. The menus and their selections remain primarily static throughout your investigation.
Later in this chapter, they are described in more detail.
Tabs: Similar to tabs in Internet browsers, each top level tab displays a page that groups a portion of
EnCase functionality. When you open EnCase for the first time, only the Home tab is displayed.
Tab Toolbar: These components include the back and forward arrows, which function the same as in
any standard browser, and various viewing options that allow you to resize the panel dimensions to
whatever best suits your needs. This toolbar also contains menus and buttons that are specific to the
selected tab.
Page body: The Page body varies, depending on the tab you are viewing. The Home page consists of
labels that identify the product, the case, the functionality available, and sections that identify
categories of EnCase components with links to the features and actions belonging to each category.
4. You can enter a case Name at this point, then click OK.
Case Templates
When you create a new case, you will see a list of available templates (these are .CaseTemplate
files). EnCase supplies several predefined templates, whose names are prefixed with the pound
sign (#), and lists them together with any templates you have saved.
To select a template:
• Click on a name from the case Templates list to select it. In the above figure, the Basic
template is selected.
Although you can configure a new case completely from scratch using the blank template (None),
Guidance Software recommends using a template, as it simplifies the case creation process. Each
case template contains a uniquely configured set of the following:
• Case Info items with default values
• Bookmark folders and notes
• Tags
• Report templates
• User-defined report styles
You can also create your own templates by saving any case as a template. Afterwards, the new
template will appear in the Templates list and will be available for future use. If you intend to
create a number of cases with a similar structure, it makes sense to save one of them as a template
and use it to generate the other cases. Case templates can be shared with other users just by
sending them the Case template file.
Click OK to apply the case options. The Home tab then displays a page for this particular
case with the case name at the top. This case page lists hyperlinks to many common
EnCase features, and you can use it as the control center for this case. You are now ready to
begin building your case.
The Add Evidence menu also contains these selections, plus a selection to access the Evidence
Processor. For more information, see the Evidence Processor Overview.
The following list describes the possible evidence selections:
Add Local Device
Initiate the process of adding a local device attached directly to your local computer. This can be the
main system drive, a device attached through a Tableau write-blocker, any other device connected to
an internal bus connection, floppy drives, optical media, card readers, or any device connected to a
USB port.
Add Evidence File
Specify an evidence file to add to the active case. This can be an EnCase evidence file (E01 or Ex01), a
logical evidence file (L01 or Lx01), a VMware virtual disk (vmdk), a Virtual PC disk (vhd), or a
SafeBack (*.001) file.
Add Raw Image
Add a raw or dd image file of a physical device to the active case.
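Before adding a file with Add Evidence File or Add Raw Image, it helps to confirm what the file actually is rather than trust its extension. The following Python script is an added example, not code from this guide or from Guidance Software: it classifies a candidate file from its header bytes. The EWF signatures and the version-1 file header layout (signature, fields-start byte 0x01, little-endian segment number, two zero bytes) are taken from the public Expert Witness Format description maintained by the libewf project; the VMDK and VHD magic values are the vendors' own. The function names, the 512-byte head and tail reads, and the sample headers are assumptions made for this example. SafeBack (.001) files and raw/dd images carry no fixed signature and fall through to the raw result.

```python
"""Classify a candidate evidence file by its on-disk header.

Added example; not part of the EnCase documentation or Guidance Software code.
Signatures follow the public EWF description (libewf project) and the vendors'
VMDK/VHD formats. Sample headers below are constructed, not real evidence.
"""
import struct

# (format, description, EWF version) keyed by the 8-byte file signature.
EWF_SIGNATURES = {
    b"EVF\x09\x0d\x0a\xff\x00": ("E01", "legacy EnCase evidence file", 1),
    b"LVF\x09\x0d\x0a\xff\x00": ("L01", "legacy logical evidence file", 1),
    b"EVF2\x0d\x0a\x81\x00": ("Ex01", "current EnCase evidence file", 2),
    b"LVF2\x0d\x0a\x81\x00": ("Lx01", "current logical evidence file", 2),
}
VMDK_SPARSE_MAGIC = b"KDMV"                # 'VMDK' stored little-endian in sparse extents
VMDK_DESCRIPTOR = b"# Disk DescriptorFile"  # text-only descriptor .vmdk
VHD_COOKIE = b"conectix"                   # VHD footer cookie; dynamic VHDs also copy it to offset 0


def identify(head: bytes, tail: bytes = b"") -> dict:
    """Classify a file from its first bytes (head) and, for VHD, its last 512 bytes (tail).

    For version-1 EWF files the segment number is parsed from the file header so
    the caller can check that the first segment (segment 1) is the one being added.
    """
    for sig, (fmt, desc, version) in EWF_SIGNATURES.items():
        if head.startswith(sig):
            result = {"format": fmt, "description": desc, "segment": None}
            if version == 1 and len(head) >= 13:
                # Version-1 header: sig(8) | 0x01 | uint16 LE segment | 0x00 0x00
                fields_start = head[8]
                (segment,) = struct.unpack_from("<H", head, 9)
                fields_end = head[11:13]
                if fields_start == 0x01 and fields_end == b"\x00\x00":
                    result["segment"] = segment
                else:
                    result["description"] += " (file header fields malformed)"
            return result
    if head.startswith(VMDK_SPARSE_MAGIC) or head.startswith(VMDK_DESCRIPTOR):
        return {"format": "VMDK", "description": "VMware virtual disk", "segment": None}
    if head.startswith(VHD_COOKIE) or tail[:8] == VHD_COOKIE:
        return {"format": "VHD", "description": "Virtual PC virtual disk", "segment": None}
    return {"format": "raw",
            "description": "no recognised signature: raw/dd, SafeBack, or unknown",
            "segment": None}


def identify_file(path: str) -> dict:
    """Read the head and tail of a file on disk and classify it (hypothetical helper)."""
    with open(path, "rb") as f:
        head = f.read(512)
        f.seek(0, 2)
        size = f.tell()
        f.seek(max(0, size - 512))
        tail = f.read(512)
    return identify(head, tail)


def ewf1_header(signature: bytes, segment: int) -> bytes:
    """Build a constructed 13-byte version-1 EWF file header (sample data only)."""
    return signature + b"\x01" + struct.pack("<H", segment) + b"\x00\x00"


if __name__ == "__main__":
    samples = {
        "first E01 segment": ewf1_header(b"EVF\x09\x0d\x0a\xff\x00", 1),
        "third L01 segment": ewf1_header(b"LVF\x09\x0d\x0a\xff\x00", 3),
        "Ex01": b"EVF2\x0d\x0a\x81\x00" + b"\x00" * 24,
        "dd image": b"\x00" * 512,
    }
    for name, head in samples.items():
        print(f"{name:20s} -> {identify(head)}")
```

When the result is an E01 or L01 with a segment number other than 1, you are pointing at a later segment of a multi-file image; add the first segment and EnCase locates the rest. A raw result on a file with an .E01 extension is worth investigating before the file goes into a case.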
Acquire Smartphone
Acquires a smartphone. After clicking the Acquire Smartphone link, the dialog allows you to specify
the device type and the kinds of data that you want to collect into an evidence file.
Add Crossover Preview
Crossover cable acquisitions require both a subject machine and a forensic machine: the subject
machine is booted with the LinEn utility rather than its own operating system, and the evidence is
acquired over the cable. Because the subject machine's operating system never runs, no hardware
write blocker is needed. This method is useful where physical access to the subject machine's internal
media is difficult or impractical, and is the recommended method for acquiring laptops and exotic
RAID arrays.
Process Evidence
Process the case evidence, in an automated fashion, across a wide selection of parameters. This option
is only available when one or more evidence items are added to the case. The Evidence Processor
includes features such as:
Analyzing file signatures. See Analyzing File Signatures on page 79.
Creating an index of the case evidence data. See Creating an Index on page 85.
Searching for email threads and conversations. See Finding Email on page 80.
Searching Internet artifacts. See Finding Internet Artifacts on page 80.
See the Evidence Processor Overview on page 70 for more information on the processing of evidence.
Case Operations
Use the Case menu and the Case selections on the Case Home page to work with the parameters of
and perform actions on your case.
Following is a list of basic operations for working with a case. Use the menu items on the Case menu,
and the links beneath the Case section on the Case panel for these operations:
Case Selections
Click OK. You can then reassociate the evidence to the new location when you drill into the evidence
or view the evidence for the first time. Saving the case after that commits the change.
Alternatively, you can use the Update Paths button:
1. On the Evidence tab, click the checkbox for the evidence file where you want to change the
path, then click Update Paths.
2. In the Update Paths dialog, choose an existing path from the dropdown menu.
3. In the New Path box, enter or browse to the new path you want.
4. Click OK.
Case Portability
The Case Package option offers a convenient way of sharing entire cases among users, or porting a
case to a different computer or environment.
An EnCase package can contain the entire contents of a case, including the evidence and cache files, or
a subset of case-related items. You decide which case items to include when saving a case package.
To save a case as a package:
1. On the Home page, click Case > Create Package; the Create Package dialog appears.
2. The Create Package dialog offers several options for including case-related material in an
EnCase case package:
• The default Copy option (shown above) includes only the Required Items for the case file
and the Primary Evidence Cache.
• If you click the Archive option, all Packaged Items are automatically checked. Although
you gain the advantage of packaging all evidence files and the secondary evidence cache,
the package size can be extremely large. In the figure below, the size is 1.4 GB.
• If you click the Customize option, you can manually check any combination of Packaged Items
to include in the case package.
3. Save the case package to a Folder either by using the default folder path or by using the
browse button to locate a folder in which to store the package.
CHAPTER 4
Types of Acquisitions
Sources of Acquisitions
Canceling an Acquisition
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
Reacquiring Evidence
Restoring A Drive
Acquiring Devices and Evidence 47
Overview
With EnCase, you can directly process and analyze storage device and evidence file previews with
some limitations; however, if you want to use all of EnCase's processing and analysis features, you
need to perform a storage device or evidence file acquisition and save the evidence in a standard
format.
With EnCase, you can reacquire and translate raw evidence files into EnCase evidence files that
include CRC block checks, hash values, compression, and encryption. You can also add EnCase
evidence files created in other cases. EnCase can read and write to current or legacy EnCase evidence
files and EnCase logical evidence files.
When you are logged into a SAFE, you can acquire storage devices from a network preview. With the
LinEn utility, you can perform disk-to-disk acquisitions, and when you couple LinEn with EnCase,
you can perform network crossover acquisitions.
This chapter provides detailed information about all types of EnCase acquisitions.
Types of Acquisitions
EnCase can acquire evidence in four basic formats:
Current EnCase evidence files (Ex01): Ex01 format improves upon the E01 format with LZ
compression, AES256 encryption with keypairs or passwords, and options for MD5 hashing,
SHA-1 hashing, or both.
Current Logical evidence files (Lx01): Lx01 format improves upon the L01 format with LZ
compression and options for MD5 hashing, SHA-1 hashing, or both. Encryption is not
available for logical evidence files.
Legacy EnCase evidence files (E01): E01 format makes current acquisitions accessible to legacy
versions of EnCase.
Legacy Logical evidence files (L01): L01 format makes current logical acquisitions accessible to
legacy versions of EnCase.
Smartphone acquisitions create either E01 files (physical acquisitions) or L01 files (logical acquisitions).
Sources of Acquisitions
Sources for acquisitions within EnCase include:
Previewed memory or local devices such as hard drives, memory cards, or flash drives.
Previewed devices connected to a SAFE such as hard drives, memory cards, or flash drives.
Evidence files supported by EnCase, including legacy EnCase evidence files (E01), legacy
logical evidence files (L01), current EnCase evidence files (Ex01), current logical evidence files
(Lx01), DD images, SafeBack images, VMware files (.vmdk), or Virtual PC files (.vhd). You can
use these to create legacy EnCase evidence files and legacy logical evidence files, or you can
reacquire them as EnCase Ex01 or Lx01 format, adding encryption, new hashing options, and
improved compression.
Single files dragged and dropped onto the EnCase user interface. These include ISO files, and
they create L01 or Lx01 logical evidence files.
Smartphones, using the Acquire Smartphone dialog box.
Network crossover using LinEn and EnCase to create E01 files or L01 files. This strategy is
useful when you want to preview a device without disassembling the host computer. This is
usually the case for a laptop, a machine running a RAID, or a machine running a device with
no available supporting controller.
2. The Acquire Device dialog opens. It contains three tabs: Location, Format, and Advanced.
• Specify the Evidence File Format. The default evidence file (that is, in EnCase Version 7
format) extension is Ex01. A Legacy evidence file (that is, the format previous to EnCase
Version 7) is E01. Note that selecting Legacy enables the Password button. Using a
password on legacy EnCase evidence files is optional. If you wish to use one, click to open
a dialog to enter and confirm a password. Make certain you keep a record of the password
in a secure location, because EnCase does not have a password recovery tool.
• In the Verification Hash dropdown list, select a hashing algorithm:
− None
− MD5
− SHA-1
− MD5 and SHA-1
• Specify Compression as Enabled or Disabled.
• Specify the File Segment Size (MB) (minimum: 30MB, maximum: 8,796,093,018,112MB,
default: 2048MB).
• You encrypt EnCase evidence files using either an encryption keypair or a password, but
not both. You may only choose one of those options at a time.
• In the upper pane, you may select an existing encryption keypair or click the symbol with
a key on the upper menu to create a new keypair. After generating a new keypair, you
need to click the Update option on the upper menu in order to see the new keypair.
• In the lower pane, you may select an existing password or create a new password by
clicking the New symbol on the lower menu to create a new password.
• Check the box to the left of either the keypair or the password you want to use to encrypt
your evidence and then click OK.
• Bear in mind that once your data is encrypted, you will not be able to decrypt it without
the correct keypair or password used to encrypt it. EnCase does not contain any tools to
"break" the encryption on the EnCase evidence files.
• Specify block size (minimum: 64, maximum: 1024). Higher block sizes will allow slightly
faster acquisitions and smaller evidence files, but if an evidence file becomes damaged,
you will lose a larger block of data.
• Specify error granularity (what portion of the block is zeroed out if an error is
encountered):
− Standard (same value as the block size).
− Exhaustive (sets granularity to 1 sector; this retains more data but takes more time)
• Specify the start sector (minimum: 0, maximum: maximum number of sectors of the
source).
• Specify the stop sector (minimum: 0, maximum: maximum number of sectors of the
source).
7. Click the Threads button to open the Threads dialog:
• Reader Threads (enabled only if the file format is E01) allow you to control how many
threads are reading from the source device (1-5 available; default is 0).
• Worker Threads (enabled for both EnCase Evidence file formats, E01 and Ex01) allow you
to control data compression calculation (1-20 available; default is 5).
8. When you finish making your selections, click OK.
9. You may then select your processing options by checking the box under the Process column
for that evidence item and making your choices in the bottom sections of the Evidence
Processor screen.
10. Once you set the acquisition options for the items you want to acquire and the processing
options, click OK at the bottom of the Evidence Processor. The status bar at the bottom of the
page displays the progress of each acquisition and processing. Once an acquisition completes,
the Evidence Processor will process that acquired image before it begins acquiring the next
item.
3. The monitor connects to the remote target machine and displays the acquisition's progress.
• To see the current completion status of the acquisition of a device, select the device and
click Check Status.
• To cancel an acquisition, select the device and click Cancel Acquisition.
Canceling an Acquisition
You can cancel an acquisition while it is running. After canceling, the acquisition can be restarted.
To cancel an acquisition while it is running:
1. At the bottom right corner of the main window, double click the Thread Status line. The
Thread Status dialog displays.
2. Click Yes. The acquisition is canceled. You can restart it at a later time.
Remote acquisitions can also be canceled using the Remote Acquisition Monitor. See Monitoring a
Remote Acquisition on page 53.
Single Files
Folders and single files can be added to a case by either dragging and dropping them onto the EnCase
interface using Windows Explorer or using the Edit Single Files dialog. Once a file or folder has been
added to a case, the evidence page shows an item in the table for Single Files. Files and folders appear
in a tree structure subordinate to Single Files when displayed in the Entries view.
5. Select one or more evidence files, then click Open. During verification, a progress bar displays
in the bottom right corner of the window.
Software RAID
EnCase applications support these software RAIDs:
Windows NT: see Windows NT Software Disk Configurations
Windows 2000: see Dynamic Disk
Windows XP: see Dynamic Disk
Windows 2003 Servers: see Dynamic Disk
Windows Vista: see Dynamic Disk (on page 62)
Windows Server 2008: see Dynamic Disk
Windows Server 2008R2: see Dynamic Disk
Windows 7: see Dynamic Disk (on page 62)
RAID-10
RAID-10 arrays require at least 4 drives, implemented as a striped array of RAID-1 arrays.
Dynamic Disk
Dynamic Disk is a disk configuration available in Windows 2000, Windows XP, Windows 2003 Server,
Windows Vista, Windows 2008 Server, Windows 7, and Windows 2008 Server R2. The information
pertinent to building the configuration resides at the end of the disk rather than in a registry key.
Therefore, each physical disk in this configuration contains the information necessary to reconstruct
the original setup. EnCase applications read the Dynamic Disk partition structure and resolve the
configurations based on the information extracted.
To rebuild a Dynamic Disk configuration, add the physical devices involved in the set to the case. In
the Evidence tab, select the devices involved in the Dynamic Disk and click the Open button on the
menu bar to change to the Entries view of the Evidence tab. Select the devices then click the pull-down
menu at the top right of the Evidence tab. Select Device and choose Scan Disk Configuration.
If the resulting disk configurations seem incorrect, you can manually edit them by returning to the
highest Evidence view of the Evidence tab. Select the Disk Configuration item, click the pull-down
menu from the top-right corner of the Evidence tab, and select Edit Disk Configuration.
You can collect this data from the BIOS of the controller card for a hardware set, or from the registry
for software sets.
When a RAID-5 consists of three or more disks and one disk is missing or bad, the application can still
rebuild the virtual disk using parity information from the other disks in the configuration, which is
detected automatically during the reconstruction of hardware disk configurations using the Scan Disk
Configuration command.
When rebuilding a RAID from the first two disks, results from validating parity are meaningless,
because you create the parity to build the missing disk.
To acquire a disk configuration set as one disk:
1. Add the evidence files to one case.
2. On the Evidence tab, click the down arrow in the far right corner for a dropdown menu, then
click Create Disk Configuration.
3. The Disk Configuration dialog displays. Enter a name for your disk configuration. Click the
appropriate disk configuration.
4. Right click the empty space under Component Devices and click New.
5. Enter the start sector and size of the selected disk configuration, select the drive image which
belongs as the first element of the RAID, then click OK.
6. Repeat steps 4 and 5 for each additional element drive of the RAID in order.
7. Back at the main Disk Configuration screen, set the Stripe Size, select whether this is a Physical
Disk Image, and whether it uses Right-Handed Striping.
8. Once you are sure that the settings and the order of the drives are correct, click OK. EnCase will
generate a new item in your Evidence tab containing the RAID rebuilt to your specifications.
This new Disk Configuration can be acquired to an EnCase Evidence file and processed in the
EnCase Evidence Processor just like a physical drive.
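The parity reconstruction described above, as an added Python example that is not EnCase code: a missing RAID-5 member is rebuilt by XOR of the survivors, and a parity check of a set rebuilt that way passes by construction even when a surviving member is damaged, which is why the manual calls such validation meaningless. The parity rotation used to build the sample set is an assumption for illustration only.

```python
def xor_blocks(blocks):
    """XOR equal-length byte strings together (the RAID-5 parity operation)."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("all members must have the same length")
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def build_raid5(data, n_members, block_size):
    """Stripe `data` across `n_members` images with one rotating parity block per row.

    Constructed for this example only: parity is placed in column
    (n - 1) - (row % n). The rebuild below does not depend on the rotation,
    because every row's blocks XOR to zero whichever column holds the parity.
    """
    if n_members < 3:
        raise ValueError("RAID-5 needs at least three members")
    data_per_row = (n_members - 1) * block_size
    if len(data) % data_per_row:
        data += b"\x00" * (data_per_row - len(data) % data_per_row)  # pad last row
    members = [bytearray() for _ in range(n_members)]
    for row, off in enumerate(range(0, len(data), data_per_row)):
        chunks = [data[off + i * block_size: off + (i + 1) * block_size]
                  for i in range(n_members - 1)]
        parity_col = (n_members - 1) - (row % n_members)
        columns = chunks[:parity_col] + [xor_blocks(chunks)] + chunks[parity_col:]
        for member, block in zip(members, columns):
            member += block
    return [bytes(m) for m in members]


def rebuild_missing_member(members, missing):
    """Rebuild member `missing` (given as None in `members`) from the survivors.

    Because data XOR parity == 0 in every stripe row, the missing member is
    simply the XOR of all the others, regardless of where the parity sits.
    """
    survivors = [m for i, m in enumerate(members) if i != missing]
    if any(m is None for m in survivors):
        raise ValueError("RAID-5 parity can replace only one missing member")
    return xor_blocks(survivors)


def parity_mismatch_rows(members, block_size):
    """Return the stripe rows whose blocks do not XOR to zero (damaged parity)."""
    folded = xor_blocks(members)
    return [row for row in range(len(folded) // block_size)
            if any(folded[row * block_size:(row + 1) * block_size])]


if __name__ == "__main__":
    # Constructed sample: 768 bytes of data over three 64-byte-block members.
    members = build_raid5(bytes(range(256)) * 3, 3, 64)
    lost = [members[0], None, members[2]]
    print("rebuilt member matches original:",
          rebuild_missing_member(lost, 1) == members[1])
```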
Reacquiring Evidence
When you have a raw evidence file generated outside an EnCase application, reacquiring it results in
the creation of an EnCase evidence file containing the content of the raw evidence file and providing
the opportunity to hash the evidence, add case metadata, and CRC block checks.
You can move EnCase evidence files into a case even if they were acquired elsewhere. Make sure all
segments of the evidence file set are in the same folder. Using Windows Explorer, navigate to the
location of the EnCase evidence files. Drag the first file of the set onto the open instance of EnCase and
the remaining files will automatically be added, reassembling the evidence in your new case.
You may also want to reacquire an existing EnCase evidence file to change the compression settings or
the file segment size.
3. Drag and drop the raw images to be acquired. The raw images to be added are listed in the
Component Files list. For DD images or other raw images consisting of more than one
segment, the segments must all be added in their exact order from first to last.
4. Accept the defaults in the Add Raw Image dialog or change them as desired, then click OK.
5. A Disk Image object appears in the Evidence tab.
6. You may reacquire this image as you would any other supported evidence or previewed
device.
Restoring A Drive
The following steps describe how to restore a drive. Note that before you begin, you first need to add
evidence to the case.
1. From EnCase’s top toolbar, select the Evidence option from the View dropdown.
2. In the Table view, click the evidence file with the device you would like to restore.
3. From the Device dropdown on the Evidence tab menu, select Restore. The Restore dialog
displays.
4. Click Next to collect local hard drives.
5. From the list of Local Devices, click the drive you want to restore.
6. Click Next. The Drives dialog appears.
7. Select options for wiping and verification.
8. Click Finish.
9. A dialog will appear asking you to verify the local drive selection. Verify that you are
restoring to the correct drive by typing Yes, then click OK.
The bar in the lower right corner of the screen tracks the progress of the restore.
CHAPTER 5
Processing Evidence
In This Chapter
Overview
Recovering Folders
Analyzing Hashes
Finding Email
Creating an Index
Creating Thumbnails
Overview
This chapter provides detailed information on the Evidence Processor, which processes evidence files
in a large production environment. As a standalone product, the Evidence Processor is referred to as
the EnCase Processor, which, aside from some licensing and set up differences (EnCase Processor-
specific dongle), functions in exactly the same way as the Evidence Processor. Rather than installing
separate instances of EnCase to perform processing only on multiple machines, you can install
separate EnCase Processors and dongles instead for a fraction of the cost of a full EnCase license. For
information on installing EnCase Processor, see Installing and Configuring EnCase on page 15. All
references to the Evidence Processor apply to EnCase Processor.
The Evidence Processor lets you run, in a single automated session, a collection of potent analytic tools
against your case data. It can optimize the order and combinations of processing operations while
running this multi-threaded process.
Since you can run the Evidence Processor unattended, you can work on other aspects of the case while
this tool is processing data. The output of the Evidence Processor is stored, per device, on disk instead
of memory. This lets you simultaneously process multiple devices across several computers, which can
then be brought together at a later time for a case, without the data commingling. By storing cache files
on disk, you are also able to scale to much larger data sets and do not need to wait for data to resolve
when reopening cases: the Evidence Processor processes your data in short order for the key analytic
and reporting phases of your investigation.
Run the Evidence Processor after reviewing your evidence, adding it to a case, validating the data for
browsing, and setting the time zones. (Examiners who want to work cases with the methodology they
used in earlier versions of EnCase can continue doing so.)
The Evidence Processor contains numerous useful features:
The convenience of acquiring devices right from the Evidence Processor.
The convenience of processing, with limited options, local and network previews without
acquiring the devices.
Note: Network preview is only available when you are logged into a SAFE. For information about
installing a SAFE, see the SAFE Administration Guide.
Saving sets of the Evidence Processor options as templates to be run with little or no
modification at a later date.
On-screen instructions that guide you through the use of each setting.
Automatic processing of the results from any current EnScript modules according to the
current processor settings (Index, Keyword search, etc.).
If additional evidence becomes available at a later date, you can rerun the same options on the
updated data.
The following evidence processing functions are available:
Folder recovery
Hash analysis
Compound file expansion
Email search
Internet artifact search
Keyword search
Index creation (not available for local and network previews)
Processing Evidence 71
File and edit settings for the Evidence Processor selections pane are located in its toolbar.
Split Mode: Change the display format of the options pane.
Load Settings: Load a saved template to run against the current data.
Dropdown side menu: Perform actions such as printing the results and changing the layout of the
Evidence Processor panes.
You need to run certain options at a particular time. For example, you must run Recover Folders in the
initial processing step. Options you must run in a specific step are marked with a flag icon. An option
with a lock icon indicates settings for that option cannot be changed.
You can run modules over and over again with different settings each time. The results of each run are
added to the case.
Clicking an option displays information about that option in the right pane. If you need to include the
option in the current run, that is indicated as well.
Clicking an option with a lock icon displays the settings for that option.
After a processing run, a dot displays in the Previously Processed column and the lower right pane
displays previous processing settings.
Also, previously processed evidence must be processed with the same options in order for it to be
processed together. All evidence processed at one time must use the same settings.
6. Under Process, select the checkboxes for the local devices you want to process.
7. Review and, if necessary, modify the current processing options.
8. Click OK.
3. Select the checkbox for the sources you want to process and click Next. A list of network
devices displays.
4. Select the checkboxes of the network devices you want to add to the preview and click Finish.
The Evidence tab displays with a preview of the chosen network devices.
5. In the Evidence tab, click Process Evidence. The Evidence Processor dialog displays.
6. Under Process, select the checkboxes for the network devices you want to process.
7. Review and, if necessary, modify the current processing options.
8. Click OK.
Considerations as you process evidence during a network sweep include the following:
There are no limitations on the number of nodes.
Once you cancel a process, you cannot resume.
This feature creates one logical evidence file per node per sweep.
Performance is expected to be in the range of less than one minute per node.
You must log in to a SAFE before running Sweep Enterprise.
No multiple SAFE support is provided.
This feature works for all servlets.
You can run unlimited multiple sweeps within the same case. Repeated sets are not
overwritten.
This feature analyzes partially completed jobs.
Functionality includes servlet check-in and deployment through ePO.
Recovering Folders
Running the Recover Folders task on FAT partitions searches through the unallocated clusters of a
specific FAT partition for the “dot, double-dot” signature of a deleted folder. When the signature
matches, EnCase can rebuild files and folders that were within the deleted folder.
This task can recover NTFS files and folders from Unallocated Clusters and continue to parse through
the current Master File Table (MFT) records for files without parent folders. This operation is
particularly useful when a drive has been reformatted or the MFT is corrupted. Recovered files are
placed in the gray Recovered Folders virtual folder in the root of the NTFS partition.
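The "dot, double-dot" signature search for FAT partitions, as an added Python example that is not EnCase code: each cluster of a constructed unallocated region is checked for the "." and ".." directory entries at its start, and when they match, the remaining 8.3 entries (including deleted ones, whose first name byte is 0xE5) are parsed so the folder's contents can be rebuilt. The sample clusters and their contents are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F           # VFAT long-name entries, skipped here
DOT = b".".ljust(11)            # "." entry: name padded to 8.3 (11 bytes)
DOTDOT = b"..".ljust(11)        # ".." entry


def first_cluster(entry):
    """First cluster of an entry: high word at offset 20, low word at offset 26."""
    hi = struct.unpack_from("<H", entry, 20)[0]
    lo = struct.unpack_from("<H", entry, 26)[0]
    return (hi << 16) | lo


def is_dot_signature(cluster):
    """True when a cluster starts with the '.' and '..' directory entries."""
    if len(cluster) < 2 * ENTRY_SIZE:
        return False
    dot, dotdot = cluster[:ENTRY_SIZE], cluster[ENTRY_SIZE:2 * ENTRY_SIZE]
    return bool(dot[:11] == DOT and dot[11] & ATTR_DIRECTORY
                and dotdot[:11] == DOTDOT and dotdot[11] & ATTR_DIRECTORY)


def parse_entries(cluster):
    """Parse the 8.3 entries after '.' and '..', stopping at the 0x00 end marker."""
    entries = []
    for off in range(2 * ENTRY_SIZE, len(cluster) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = cluster[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break                       # no entries follow
        if e[11] == ATTR_LONG_NAME:
            continue
        deleted = e[0] == 0xE5
        stem = b"?" + e[1:8] if deleted else e[:8]   # first character is lost on delete
        stem = stem.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{stem}.{ext}" if ext else stem,
            "deleted": deleted,
            "is_dir": bool(e[11] & ATTR_DIRECTORY),
            "first_cluster": first_cluster(e),
            "size": struct.unpack_from("<I", e, 28)[0],
        })
    return entries


def scan_unallocated(data, cluster_size):
    """Walk `data` cluster by cluster and report every deleted-folder candidate."""
    found = []
    for off in range(0, len(data) - 2 * ENTRY_SIZE + 1, cluster_size):
        cluster = data[off:off + cluster_size]
        if is_dot_signature(cluster):
            found.append({
                "offset": off,
                "self_cluster": first_cluster(cluster[:ENTRY_SIZE]),
                "parent_cluster": first_cluster(cluster[ENTRY_SIZE:2 * ENTRY_SIZE]),
                "children": parse_entries(cluster),
            })
    return found


def make_entry(name, ext, attr, cluster, size=0, deleted=False):
    """Build one 32-byte FAT directory entry (used only to construct the sample)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.encode("ascii").ljust(8)
    raw[8:11] = ext.encode("ascii").ljust(3)
    raw[11] = attr
    struct.pack_into("<H", raw, 20, cluster >> 16)
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = 0xE5
    return bytes(raw)


def sample_unallocated(cluster_size=512):
    """Constructed sample: a deleted folder's cluster between two clusters of filler."""
    folder = make_entry(".", "", ATTR_DIRECTORY, 37)       # the folder itself
    folder += make_entry("..", "", ATTR_DIRECTORY, 0)      # parent is the root (0)
    folder += make_entry("REPORT", "DOC", 0x20, 40, 12288)
    folder += make_entry("NOTES", "TXT", 0x20, 52, 731, deleted=True)
    folder = folder.ljust(cluster_size, b"\x00")
    filler = b"\x55" * cluster_size
    return filler + folder + filler
```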
Analyzing Hashes
A hash is a digital fingerprint of a file or collection of data, commonly represented as a string of binary
data written in hexadecimal notation. In EnCase, it is the result of a hash function run against any
mounted drive, partition, file, or chunk of data. The most common uses for hashes are to:
Identify when a chunk of data changes, which frequently indicates evidence tampering.
Verify that data has not changed, in which case the hash should be the same both before and
after the verification.
Compare a hash value against a library of known good and bad hashes, seeking a match.
The Evidence Processor's hash analysis setting allows you to create MD5 and SHA-1 hash values for
files, so that you can later use them for the reasons specified above. When you click the Hash Analysis
hyperlinked name, the Edit Settings dialog displays, allowing you to check whether to run either or
both of these hashing algorithms.
Finding Email
Select this setting to extract individual messages and attachments from email archives. Find Email
supports the following email types:
PST (Microsoft Outlook)
NSF (Lotus Notes)
DBX (Microsoft Outlook Express)
EDB (Microsoft Exchange)
AOL
MBOX
This setting prepares email archives for the use of email threading and related EnCase email
functionality during case analysis.
To select which email archive types to search:
1. Click Find Email.
2. Click the email archive file types whose messages you want to examine, and click OK.
After processing is completed, EnCase can analyze the messages and component files extracted from
the email archives, according to the other Evidence Processor settings you selected.
Currently, six browsers and two types of Internet history are supported. They are:
Internet Explorer: History and cache
Macintosh Internet Explorer: History and cache
Safari: History and cache
Firefox: History and cache
Opera: History and cache
Google Chrome:
• History: A list of Web sites recently visited. This typically consists of Web sites, usage, and
time related data.
• Cookies: A list of recent authentication and session data for sites with persistent usage.
This typically consists of Web site, expiration times, and site-specific cookie data.
• Cache: A list of recently cached files.
• Downloads: A list of recently downloaded files. This typically consists of Web sites, file
names, location, size, and date.
• Keyword Search: A list of recent keyword searches. This typically consists of search terms
and the search result page.
• Login Data: A list of login data. This typically consists of Web sites, username, password,
and SSL information.
• Top Sites: A list of top Web sites. This typically consists of Web site information, rank,
thumbnails, and redirect information.
Note: EnCase does not provide the ability to recover Google Chrome Internet artifacts from
unallocated clusters.
Note: The difference between a regular search and a search of unallocated is that keywords are added internally and
marked with a special tag indicating that it is for Internet history searching only.
Firefox Artifacts
As an enhancement to the Search for Internet history function, EnCase parses Firefox artifacts stored in
a SQLite database and displays them in the Records tab.
The types of Firefox 3 artifacts parsed are:
Cookies
Downloads
History
Bookmarks
Form data
Note: The Records tab of an Internet history search for Mozilla Firefox artifacts displays Frecency and Rev Host Name
columns.
"Frecency" is a valid word used by Mozilla. Do not mistake it for "frequency." For more information, see the
Mozilla developer center article at https://developer.mozilla.org/en/The_Places_frecency_algorithm.
The value displayed in the Frecency column is the score Mozilla gives to each URL. It combines how frequently and
how recently the user visited the site. EnCase displays this value as it is stored in the
places.sqlite file.
Mozilla stores a URL's host name in reverse. EnCase displays it as such in the Rev Host Name column.
From wherever you access it, the Keyword list displays a list of existing keywords in the case:
Select Search entry slack to include file slack in the keyword search.
Use initialized size enables you to search a file as the operating system displays it, rather than
searching its full logical size.
• In NTFS file systems, applications are allowed to reserve disk space for future operations.
The application sets the logical size of the file larger than currently necessary, to allow for
expected future expansion, while setting the Initialized Size smaller so that it only needs to
parse a smaller amount of data. This enables the file to be loaded faster.
• If a file has an initialized size that is less than the logical size, the OS shows the data area
between the initialized size and logical size as zeros. In actuality, this area of the file may
contain remnants of previous files, similar to file slack. By default, EnCase displays,
searches and exports the area past the initialized size as it appears on the disk, not as the
OS displays it. This enables you to find file remnants in this area.
• Select Initialized Size to see a file as its application sees it and the OS displays it.
• Note that when a file is hashed within EnCase, the initialized size is used. This means that
the entire logical file is hashed, but the area past the initialized size is set to zeros. Since
this is how a normal application sees the file, this enables users to verify file hashes with
another utility that reads the file via the OS.
Select Undelete entries before searching to undelete deleted files before they are searched for
keywords.
Select Skip contents for known files to only search the slack areas of known files identified by
a hash library.
Add Keyword List opens a dialog in which to enter a list of words and assign certain
properties to them as a group. See Creating a New Keyword List on page 85.
Double clicking a keyword, or clicking Edit, opens up the keyword so you can modify its
properties.
Highlight a keyword and click Delete to remove it from the list.
If a path box displays at the top of the dialog, that path and name is where the search is stored.
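The NTFS initialized-size behaviour described above, as an added Python example that is not EnCase code: the on-disk bytes between the initialized size and the logical size are searched as they sit on disk (the manual's default), are hidden when the search uses the initialized size, and are zeroed for hashing so the digest agrees with a tool that reads the file through the OS. The sample file layout and its remnant text are constructed for illustration.

```python
import hashlib


def os_view(raw, logical_size, initialized_size):
    """The file as the OS presents it: bytes past the initialized size read as zeros."""
    if not 0 <= initialized_size <= logical_size <= len(raw):
        raise ValueError("need 0 <= initialized size <= logical size <= on-disk bytes")
    return raw[:initialized_size] + b"\x00" * (logical_size - initialized_size)


def uninitialized_remnants(raw, logical_size, initialized_size):
    """On-disk bytes between the initialized and logical sizes (possible remnants)."""
    os_view(raw, logical_size, initialized_size)   # validate the sizes
    return raw[initialized_size:logical_size]


def hash_file(raw, logical_size, initialized_size, algo="md5"):
    """Hash the whole logical file with the uninitialized region set to zeros.

    This is the view an ordinary application gets, so the digest can be
    cross-checked with any hashing utility that reads the file via the OS.
    """
    return hashlib.new(algo, os_view(raw, logical_size, initialized_size)).hexdigest()


def keyword_hits(raw, logical_size, initialized_size, keyword, use_initialized_size=False):
    """Offsets of `keyword` in the logical file.

    With use_initialized_size=False (the default described in the manual) the
    region past the initialized size is searched as it is on disk; with True
    that region reads as zeros, so remnants there are invisible.
    """
    data = (os_view(raw, logical_size, initialized_size) if use_initialized_size
            else raw[:logical_size])
    hits, start = [], 0
    while (idx := data.find(keyword, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def sample_file():
    """Constructed sample: 4096 bytes on disk, logical size 2048, initialized size 1024."""
    body = b"A" * 1024                          # data the application actually wrote
    remnant = b"old draft: SECRET MEMO"         # leftover bytes past the initialized size
    on_disk = (body + remnant).ljust(2048, b"B") + b"file slack".ljust(2048, b"C")
    return on_disk, 2048, 1024


if __name__ == "__main__":
    raw, logical, initialized = sample_file()
    print("on-disk search:", keyword_hits(raw, logical, initialized, b"SECRET MEMO"))
    print("OS-view search:", keyword_hits(raw, logical, initialized, b"SECRET MEMO", True))
    print("MD5 as the OS sees it:", hash_file(raw, logical, initialized))
```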
2. Enter the search expression and name, and select the desired options:
• Search Expression is the actual text being searched. Use a character map to create a
non-English search string if your keyboard is not mapped to the appropriate non-English
key mapping.
• Name is the search expression name listed in the folder.
• ANSI Latin - 1 searches documents using the ANSI Latin - 1 code page.
• UTF-8 meets the requirements of byte-oriented and ASCII-based systems. UTF-8 is
defined by the Unicode Standard. Each character is represented in UTF-8 as a sequence of
up to four bytes, where the first byte indicates the number of bytes to follow in a
multi-byte sequence.
Note: UTF-8 is commonly used in Internet and Web transmission.
• UTF-7 encodes the full BMP repertoire using only octets with the high-order bit clear (7 bit
US-ASCII values, [US-ASCII]). It is deemed a mail-safe encoding.
Note: UTF-7 is mostly obsolete, and is used when searching older Internet content.
• Unicode: select if you are searching a Unicode encoded file. Unicode uses 16 bits to
represent each character. Unicode on Intel-based PCs is referred to as Little Endian. The
Unicode option searches the keywords that appear in Unicode format only. For more
details on Unicode, see http://www.unicode.org.
Note: The Unicode standard attempts to provide a unique encoding number for every character,
regardless of platform, computer program, or language.
2. Add the keywords you want to use, one for each line.
3. Select options to apply to all keywords from the checkboxes on the left. Individual words can
have their options modified separately by editing them in the New Keyword dialog.
4. When done, click OK. The list populates the Keyword list and is saved in the path defined at
the top of that dialog.
Creating an Index
Choose this selection to create a searchable index of the data in the case. Creating an index allows you
to quickly search for terms in a variety of ways. Since the Evidence Processor is recursive, all files,
emails, and module output are indexed, including such EnScript modules as the IM Parser and System
Info Parser. The advantage of having all those items indexed is that users will later be able to search
across all types of information and view results in email, files, smartphones, and any other processed
data in one search results view. You can adjust parameters for index creation such as the minimum
word length to index, or whether to use a noise file (a file containing specific words to ignore).
Compared to keyword searches, which search on the raw text, index searches search the content and
metadata for files on the device.
Generating an index can take time; however, the trade-off in time spent creating the index yields a
greater payoff with near instantaneous search times. Guidance Software recommends always indexing
your case data.
2. Select the Personal Information checkbox and click Personal Information. The Personal
Information dialog displays.
1. After you have selected the evidence you want to acquire and process with the Evidence
Processor, select the Index text checkbox and click Index text. The Edit Settings dialog
displays.
Creating Thumbnails
When you select the Thumbnail creation option, the Evidence Processor creates thumbnail records for
all image files in the selected evidence. This facilitates image browsing.
IM Parser
The IM Parser allows you to search for Instant Messenger artifacts from MSN, Yahoo, and AOL
Instant Messenger clients. These artifacts include messages and buddy list contents. It also allows you
to select where to search from several general location categories.
When you enable IM Parser processing and click the module name, the following dialog appears that
allows you to configure its options:
File Carver
The File Carver module allows you to search evidence for file fragments based on a specific set of
parameters, such as known file size and file signature. It can also examine unallocated space. It allows
the searching of file fragments anywhere on the disk. The parameters for carving a file (file size and
destination) are set on the Export Settings dialog of the File Carver. To add an additional file type to
carve for, you need to add an entry with header information and, optionally, footer information, to the
File Types table.
You can blue check entries and choose to search selected files. The HTML files that the module carves
are adjudicated to be HTML, based on certain keywords appearing in the files. Carved files can be
exported to disk so that they can be loaded with native applications.
Note: The value of 4096 bytes is the default carve size when no footer is provided and no default length is provided in the
File Types table.
Unix Login
This module parses files with the names "wtmp" and "utmp," but also allows for processing by
condition.
Conditions
Viewing Evidence
Viewing Email
Overview
After creating a case and adding evidence, you can browse and manipulate your views of the evidence
in a wide variety of ways:
You can search through processed evidence quickly, after it has been indexed.
The Gallery view provides thumbnails of images.
Conditions cull down the viewed data into a manageable subset.
Filters enable you to eliminate data based on a wide variety of attributes.
You can browse through evidence directly from evidence files or devices.
This chapter provides an overview of the EnCase Interface and describes all the ways you can browse
and view collected evidence.
The Table view shows the Table pane on the top and the View pane on the bottom. There is no Tree
pane.
The Tree-Table view combines the Tree and Table panes on the top, and retains the View pane on the
bottom. The view provides the ability to browse the folder structure in the Name column.
The Tree view displays the Tree pane on the left and the View pane on the right. There is no Table
view. This is the suggested view for looking at Email records.
There are three methods used within EnCase to focus on specific files or folders. These methods have
different purposes:
• Highlighting a folder displays the entries within that folder in the Table Pane.
• Clicking the "home plate" next to a folder name displays all the entries, files, and sub-
folders for that folder in the Table Pane. This is sometimes called "green plating" an item
and overrides the highlighting option.
• Selecting a checkbox next to an item in any view selects that item for an action, such as
analysis or keyword search. This is sometimes called "blue checking" an item.
− The number of currently selected items displays in the Selected box above the Table
pane.
− To clear all selected entries, clear the blue check from the Selected box.
VFS Name is used to display the name for files mounted with the EnCase Virtual File System
(VFS) module in Windows Explorer. This replaces the Unique Name column in previous
versions of EnCase.
Original Path displays information derived from data in the Recycle Bin. For files within the
Recycle Bin, this column shows where they originated when they were deleted. For
deleted/overwritten files, this column shows the file that has overwritten the original.
Symbolic Link displays data pertaining to the equivalent of a Windows Shortcut in Linux and
UNIX.
Is Duplicate displays True (Yes) if the displayed file is a duplicate of another.
Is Internal indicates whether the file is an internal system file, such as the $MFT on an NTFS
volume.
Is Overwritten indicates whether the first cluster, or more, of an entry has been overwritten by a
subsequent object.
• The Report tab provides a readable, formatted view of metadata. This is the view
preferred for email.
• On the Text tab, you can view files in ASCII or Unicode text.
− You can modify how text in this tab is displayed. See Changing Text Styles on page
105.
− When viewing search results, select Compressed View in the Transcript tab to see
only lines with raw keyword search hits.
− Use the Previous/Next Hit buttons to move through hits within the file. If there are
no more hits in the file, the next item opens and the first hit is found.
• The Decode tab allows you to decode data swept (highlighted) in the Hex tab in a variety of
different formats. You can then make that swept text into a bookmark.
• The Doc tab provides native views of formats supported by Oracle Outside In technology.
Browsing and Viewing Evidence 103
• The Transcript tab displays the same formats as the Doc tab, but filters out formatting and
noise, allowing you to view files that cannot display effectively in the Text tab.
− The Transcript tab displays the extracted text from the file.
− When viewing search results, select Compressed View to see only lines with index
query hits.
− Use the Previous/Next Hit buttons to move through hits within the file. If there are
no more hits in the file, the next item opens and the first hit is found.
• View graphics files on the Picture tab. If the highlighted file in the Table pane is an image
that can be decoded internally, EnCase lets you select the Picture view in the View Pane
and displays the image.
• File extents shows the sector information about the selected file. This works on entry
evidence only.
• The Permissions tab displays the security permissions for a file, including the name and
security identification number (SID) of the user(s) who have permission to read, write, and
execute a file.
1. Click New to create a new text style. The New Text Style dialog displays.
• Unicode specifies little-endian Unicode. If UTF-7 or UTF-8 is used, select Other, not
Unicode.
• Unicode Big-Endian specifies big-endian Unicode.
• Other lets you select from the Code Page list.
• The Code Page list contains a list of supported code pages.
3. Click OK to save the new text style and return to the Text Styles dialog.
4. Click OK to have the new style available. The new text style is now applied to the Text tab in
the View Pane.
Decoding Data
Anything highlighted on the Text or Hex tabs can be decoded in a variety of ways on the Decode tab.
1. On the Text or Hex tabs in the View pane, select the code you want to view.
2. Open the Decode tab and select from the list of decoding options.
Close the View pane to return the View pane to the main window.
Using Views/Tabs
There are a variety of different views available on your information that can be accessed from the
View menu.
Clicking these views opens up a new tab in the EnCase window.
3. To change the color of the text, right click the Foreground color and select the new color from
the dropdown menu. If the color you want is not an option, double click the foreground color
and select from the color palette.
4. To change the background color, right click the Background color and select the new color
from the dropdown menu. If the color you want is not an option, double click the foreground
color and select from the color palette.
5. Click OK.
The Evidence tab table view shows the evidence currently loaded into your case. Notice when you are
showing a list of evidence the Viewing button shows as Viewing (Evidence):
Clicking any one of these pieces of evidence opens it up more fully. Notice when you are viewing an
expanded view of an entry, the Viewing button shows as Viewing (Entry):
Clicking on the Viewing button enables you to move between the top level list of devices or an
expanded view of specific evidence:
If you want to see all the evidence expanded into the same entry screen, go to the top level list of
devices, select all evidence files you want to see, and click Open:
The display changes to show the expanded view of all selected evidence entries.
The status bar at the bottom of the screen displays your current positioning within the device. This is
useful especially when documenting the location of evidence found in unallocated space.
The status of any processing activity displays in the lower right of the status bar. On the right, the
status bar shows the full path of the highlighted item. If a deleted/overwritten file is highlighted, it
indicates the overwriting file.
Select Auto Extents to automatically highlight all of the remaining extents that make up the file
associated with the selected sector. If Auto Extents is off, double click a sector to show the remaining
associated extents.
If an entry does not show as a blue link, select it and click View File Structure from the Entries
dropdown. The View File Structure command automatically expands, or mounts, the file. After
initially mounting the file, the expanded data can be seen in the Records tab as well.
2. Select the filter you want from either Records or Entries, and click Open. The Filter dialog
displays.
• When selected, Run filter on all evidence in case causes the condition to run on all
evidence in the case.
• Clearing the checkbox causes the condition to run only on the currently viewed evidence.
3. Click OK to run the filter. Depending on which filter you selected, additional dialogs may
display. When a filter or condition is being run, the name of that filter or query shows in the
lower right of the status bar. When complete, the results are shown in the Results tab.
Creating a Filter
In addition to using the filters already provided, you can create your own filters.
Note: You need a working knowledge of EnScript to make a new filter. If you do not have this working knowledge, you
may be able to create a condition to perform the same function.
1. Select New Filter from the Filter dropdown. The New Filter dialog displays:
• When selected, Run filter on all evidence in case causes the condition to run on all
evidence in the case.
• Clearing the checkbox causes the condition to run only on the currently viewed evidence.
4. Click OK. The New Filter tab displays, showing a source editor.
5. Enter EnScript code as required to accomplish your task. The newly created filter displays at
the bottom of the filters list.
Editing a Filter
You can change an existing filter's behavior by editing it.
1. Select Edit from the Filter dropdown. A list of all customized and pre-configured filters
displays.
2. Select the filter you want to edit and click Open. The source code opens in a Filter tab.
3. In the Filter pane, click the Filters tab.
4. Right click the filter you wish to edit and click Edit Source. The existing code displays in
the Table pane.
5. Edit the code as needed.
6. To change the name of the filter, click Options and modify the name or path of the filter.
Deleting a Filter
Default filters are read-only and cannot be modified or deleted. However, you can delete any custom
filter you have created:
1. To permanently delete a filter, select Edit from the Filter dropdown. A list of all customized
and pre-configured filters displays.
2. Right click the filter you want to delete, and click Delete.
3. Click Yes to confirm.
Sharing Filters
You can export your own filters and import filters created by other EnCase users.
1. To copy a filter for exporting, select Edit from the Filter dropdown. A list of all customized
and pre-configured filters displays.
2. Right click the filter you want to export, and click Copy.
3. Navigate to the place you want to store the file, and click Paste.
4. To import a filter created by someone else, navigate to the folder where that filter is stored and
move it to your user storage location for filters (default is My Documents\EnCase\Filters).
Conditions
Conditions are compilations of search terms that instruct EnCase to find certain data based on a certain
property of information. Individual search terms are ordered hierarchically in the condition so that the
data is searched or processed in the correct order for greatest efficiency.
Conditions are similar to filters in that they display only those entries that match a specific set of
criteria in the Table pane. Both conditions and filters are EnScript code that performs a filtering
process on your data.
The difference between filters and conditions is that creating a condition does not require that you can
program in EnScript. Through a special interface you can create them without coding directly in
EnScript.
Once a condition has been created, you can run it on any evidence within the case. There are no
default conditions.
• When selected, Run filter on all evidence in case causes the condition to run on all
evidence in the case.
• Clearing the checkbox causes the condition to run only on the currently viewed evidence.
• If you want to edit the source code directly, click Edit Source Code.
• To nest terms, create a folder by right clicking on the parent condition folder in the Tree
pane and choosing New Folder. Place the nested terms inside the parent folder.
• If you want to change the AND/OR logic within the condition, right click the term and
select Change Logic. This changes the AND operator to an OR, and vice versa.
• If you want to negate the logic of a term, right click the term and select Not.
• Repeat the steps above to create as many terms as you want to make the condition as
detailed as possible.
Note: The Hash Sets property values show as integers.
4. When done, click OK to close the New Term dialog. The new condition displays in the Edit
condition dialog.
5. Repeat for as many conditions as you require. As you accumulate conditions, make sure they
appear in the correct hierarchical order for greatest efficiency.
• When you run the condition, the terms are evaluated in the order in which they display.
• Conditions work from the top to the bottom, hence, the sequence within the condition tree
directly affects how well the condition works. To be most effective, for example, place an
extension search for all .docx files before a keyword search. This saves processing time by
not looking for keywords in files that may not even contain text.
− Folders operate much like parentheses in mathematical problems, in that the folder
allows its contents to be grouped together based upon the logic.
− Logic operators operate on the folder in which they appear and do not impact the
folders above or below them.
• To nest terms, right click the parent condition folder in the tree and choose New Folder.
Place the nested terms inside the parent folder.
• To toggle the AND/OR logic within the condition, right click the term and select Change
Logic. This changes the AND operator to an OR, and vice versa.
• To negate the logic of a term, right click the term and select Not.
6. Click OK to save and close the dialog.
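An added example (not EnCase code or EnScript) that models the rules above: terms evaluated top to bottom with short-circuiting, folders acting as parentheses with their own AND/OR logic, Change Logic and Not, and the work saved by placing the extension term before the keyword term. The entry fields and sample entries are constructed:

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Union

Entry = Dict[str, Any]  # constructed stand-in for an EnCase entry record


@dataclass
class Term:
    """A leaf term: one property test, optionally negated (right click > Not)."""
    name: str
    test: Callable[[Entry], bool]
    negate: bool = False
    evaluations: int = 0  # how many times the test actually ran

    def matches(self, entry: Entry) -> bool:
        self.evaluations += 1
        result = self.test(entry)
        return (not result) if self.negate else result


@dataclass
class Folder:
    """A folder groups its children like parentheses.  Its AND/OR logic
    applies only to its own children (Change Logic toggles it)."""
    name: str
    logic: str = "AND"
    children: List[Union["Folder", Term]] = field(default_factory=list)
    negate: bool = False

    def toggle_logic(self) -> None:
        self.logic = "OR" if self.logic == "AND" else "AND"

    def matches(self, entry: Entry) -> bool:
        # Children are evaluated top to bottom and short-circuit, so term
        # order decides how much work is done: cheap tests belong first.
        if self.logic == "AND":
            result = all(child.matches(entry) for child in self.children)
        else:
            result = any(child.matches(entry) for child in self.children)
        return (not result) if self.negate else result


def run_condition(condition: Folder, entries: List[Entry]) -> List[Entry]:
    """The entries that satisfy the condition (what the Table pane would show)."""
    return [e for e in entries if condition.matches(e)]


# Constructed sample entries.
SAMPLE_ENTRIES: List[Entry] = [
    {"name": "report.docx", "ext": "docx", "text": "quarterly budget", "deleted": False},
    {"name": "notes.docx", "ext": "docx", "text": "meeting notes", "deleted": True},
    {"name": "photo.jpg", "ext": "jpg", "text": "", "deleted": False},
    {"name": "old.docx", "ext": "docx", "text": "budget draft", "deleted": True},
    {"name": "tool.exe", "ext": "exe", "text": "", "deleted": False},
]


def extension_term(ext: str) -> Term:
    return Term(f"ext = {ext}", lambda e: e["ext"] == ext)


def keyword_term(word: str) -> Term:
    # Stands in for the comparatively expensive keyword search.
    return Term(f"contains '{word}'", lambda e: word in e["text"])


def build_condition(extension_first: bool) -> Folder:
    """docx files containing 'budget' that are not deleted.  With
    extension_first=True the cheap extension test precedes the keyword test."""
    ext, kw = extension_term("docx"), keyword_term("budget")
    content = Folder("content", "AND", [ext, kw] if extension_first else [kw, ext])
    not_deleted = Term("deleted", lambda e: e["deleted"], negate=True)
    return Folder("root", "AND", [content, not_deleted])


def demo() -> Dict[str, Any]:
    ordered = build_condition(extension_first=True)
    hits = run_condition(ordered, SAMPLE_ENTRIES)
    kw_ordered = ordered.children[0].children[1]
    unordered = build_condition(extension_first=False)
    run_condition(unordered, SAMPLE_ENTRIES)
    kw_unordered = unordered.children[0].children[0]
    # Change Logic on a folder: AND -> OR
    either = Folder("either", "AND", [extension_term("jpg"), extension_term("exe")])
    either.toggle_logic()
    return {
        "hits": [e["name"] for e in hits],
        "keyword_evals_ext_first": kw_ordered.evaluations,
        "keyword_evals_kw_first": kw_unordered.evaluations,
        "or_hits": [e["name"] for e in run_condition(either, SAMPLE_ENTRIES)],
    }
```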
Editing Conditions
1. Select Edit from the Condition dropdown. A list of all conditions displays.
2. Select the condition you want to edit and click Open. The Condition dialog displays.
3. Edit the condition as needed.
4. To change the name of the condition, modify the name within the path of the condition.
5. When done, click OK.
Sharing Conditions
You can export your own conditions and import conditions created by other EnCase users.
1. To copy a condition for exporting, select Edit from the Condition dropdown. A list of all
conditions displays.
2. Right click the condition you want to export, and click Copy.
3. Navigate to the place you want to store the file, and click Paste.
4. To import a condition created by someone else, navigate to the folder where that condition is
stored and move it to your user storage location for filters (default is My
Documents\EnCase\Condition).
Printing a Condition
The Report tab in the Condition dialog provides a plain text representation of the condition. You can
print or export this report by right clicking within this tab and selecting Save As. The export dialog
provides a variety of options for saving the report.
To view all the results of the modules used for processing evidence, expand the Evidence
Processor Modules node in the Tree pane of the Records tab and browse through the various
items. Use the Fields tab in the lower pane to view the most information.
To view smartphone data, open the evidence file in either the Records or Evidence tab. The
report view is the best way to view all smartphone information.
In the table pane, select the item you want to research and click Go To File. The view changes to
display the device where the entry is located. If an attachment of an email is selected, you are taken
into the email file, with the email message that contains the attachment selected.
If an item resides in a top level device, the file structure may not display any change when the Go To
File button is clicked because there are no additional levels to go up.
1. From the Evidence or Records tab, select the item you want to research and then click Find
Related.
Browsing Images
The Gallery view of the Evidence or Records tabs provides a quick and easy way to view images. This
view is best used when viewing your evidence in a tree-table.
Images in the Gallery view are sorted by extension by default.
You can access all images within a highlighted folder, highlighted volume, or the entire case. If a
folder is highlighted in the Tree pane, all files in the folder display in the Table pane. Clicking a
folder's Set Include selects all files in that folder and files in any of its subfolders. Once selected on the
Table pane, any images in the selected files display in the Gallery view.
To reduce the number of images displayed in a row in the Gallery view, right click any image,
then click Fewer Columns.
To increase the number of images displayed per row in the Gallery view, right click any
image, then click More Columns.
You can bookmark images in the Gallery view by right clicking on the image and selecting the
type of bookmark to assign to it.
You can view ownership permissions for an image by selecting the image and clicking on the
Permissions tab in the lower pane.
By default, the Gallery view displays files based on their file extension. For example, if a .jpg file has
been renamed to .dll, it will not be displayed in the Gallery view until you run a Signature Analysis.
Once the signature analysis recognizes the file was renamed and that the file is actually an image, it
displays in the Gallery view.
EnCase includes built-in crash protection, which prevents corrupted graphic images from displaying
in the Gallery view. The timeout defaults to 12 seconds for the thread trying to read a corrupt image
file. You can modify the timeout on the Global tab of the Options dialog.
The corrupt images are stored in a CorruptPictures folder in the Case folder so they are recognized as
corrupt the next time they are accessed.
If the cache gets full you can clear it out by selecting the arrow dropdown menu in the Evidence view
and selecting Clear invalid image cache.
When viewing images in the Gallery tab, click on a thumbnail image to see its location in the
navigation trail at the bottom of the screen. To go to the location of the image, select the thumbnail and
click Go to file.
To tag or bookmark the image, select the thumbnail and tag or bookmark as required.
Viewing Evidence
Guidance Software recommends using processed data for rapid searching and viewing of data within
your case. However, there are many ways to view, filter, and find unprocessed data.
Note: If the EDB file is not dirty, the only available option is Calculate unallocated space.
5. To parse the dirty EDB file, check Scan Dirty Database, then click OK.
Viewing Email
You can open .PST and other types of mail storage files and view the individual emails within. View
the higher order of email folder structure on the Evidence tab. Once the email is processed, you can
double click on the storage file to drill down to the individual mail messages.
The default view for Email is the Tree view. This shows the report in full screen, in as close to native
format as possible. Empty fields do not display in the report view. The Fields tab shows all available
metadata about the email and its collection, including the Transport Msg ID.
Use the Search Results tab and Find Email to view data across multiple repositories. You may also
want to view all your indexed evidence and then show only items with an item type of Email. You can
further drill down by finding subsets of sender, date range, etc.
EnCase allows you to track email threads and view related messages. Before you can analyze email
threading, you must have already run the Evidence Processor against your case evidence with the
Find email option selected. To avoid displaying the same message multiple times, EnCase removes
duplicate messages in both the Show Conversation and Show Related email views.
Viewing Attachments
In the tree view, email attachments are shown as children under the parent email.
EnCase allows you to view attachments on email messages that you select.
To view the content of an attachment:
1. In the Evidence tab, select the message with the attachment that you want to view.
2. Click the Doc button in the View pane. The contents of the message attachment are displayed.
Show Conversation
Email threading is based on conversation-thread related information found in the email message
headers. EnCase uses email header metadata (including message ID and in-reply-to headers) to
reconstruct email conversation threads. Email conversation thread reconstruction is done during
processing, so conversations are not available on data that has not been processed.
Different email systems use different methods of identifying conversations; for example:
The header fields Message-ID, Reply-To-ID, and References.
The header field Conversation Index.
The header field Thread-Index.
Multiple mechanisms, because the messages of interest cross email system boundaries. In these
cases, EnCase builds a separate conversation tree for each type of data found in the header (for
example, one using Message-ID/References and another using Conversation Indexes) and displays
the conversation tree containing the most email.
EnCase can display conversations for all supported email types except AOL, because AOL messages
do not store thread-related information. However, the feature cannot always reconstruct complete
conversations when the conversations include messages from multiple email systems. For example,
EnCase cannot fully recreate a conversation where some users are using Outlook, some are using
Lotus Notes, and others Thunderbird.
If an email does not have any of the message header fields specified above, EnCase cannot construct a
conversation thread for it. Selecting such an email and clicking Show Conversation results in a tree
containing only the selected email.
Before you can analyze email threading, you must have already run the Evidence Processor against
your case evidence with the Find email option selected.
To show an email conversation:
1. In the Evidence tab select an email or email store in the Table pane.
2. From the Find Related menu, select Show Conversation.
The picture below shows a conversation list for a selected email. Note how the email messages
contained within the conversation list are identified by their conversation index ID.
Exporting to *.msg
The Export to .msg option for mail files and mail files attachments lets you preserve the folder
structure from the parsed volume down to the entry or entries selected. This option is available for the
highlighted entry or selected items.
1. In the Tree pane, select the email message(s) you want to export.
2. Right click and select Export to *.msg. The Export Email dialog displays.
Sweep Enterprise
In This Chapter
Overview
Overview
Sweep Enterprise provides a way to look quickly across the enterprise and examine forensics artifacts
which you can parse and view to identify machines you want to investigate further.
Sweep Enterprise runs these modules:
System Info Parser
Snapshot
File Processor
Enter the nodes manually or cut and paste them, then click the right arrow.
140 EnCase® Examiner Version 7.03
Deleting Nodes
To delete nodes from the target list:
1. Select the nodes you want to delete.
2. In Sweep Enterprise Run Options, click Quick Sweep View (Recommended), then click Next.
Sweep Enterprise 141
3. The Confirmation Page displays, showing the target node list and module selections.
Note: The System Info Parser and Snapshot modules are the defaults for Quick Sweep View. To run the
File Processor module, use Customize Job Settings.
4. Click Finish. The word "Processing" displays in the lower right corner of the screen to indicate
Sweep Enterprise is running.
2. In Sweep Enterprise Run Options, click Customize Job Settings, then click Next.
3. The Module Settings dialog opens, displaying available modules in the left pane, information
about the currently selected module in the right pane, and additional information in the lower
pane.
The System Info Parser and Snapshot modules are selected by default.
Notes:
• A snapshot of each target is generated for all collection jobs; therefore, you cannot clear
the checkbox for the Snapshot module.
• The File Processor module is not selected by default because it has a significantly higher
run time than the other modules.
4. Click a module's name to display options for running that module. Select or clear options as
desired, then click OK.
a. System Info Parser module: This module identifies hardware, software, and user
information from Windows computers. It automatically detects the operating system
present on the device, then collects the specified artifacts.
b. Snapshot module: This module collects a snapshot of a machine at a given time, including:
• ARP
• DNS entries
• Program instances
• Network interface
• Network users
• Open files
• Open ports
• Processes
• Machine name
• Domain name
• IP address
• System version
• Time zone
c. File Processor module: This is a multipurpose module that enables you to select from
three types of file processing, then choose how you want to handle the final results. You
can also choose to gather the collected files into a LEF. Click Next to display the options
dialog for the processing type you select.
5. When you finish selecting modules and their associated options, click Next.
6. The Confirmation Page displays, showing the target node list and module selections. In the
example below, the only module selected is Snapshot.
7. Click Finish. Processing displays in the lower right corner of the screen to indicate Sweep
Enterprise is running.
Status Tab
The Status tab only shows information and displays these columns:
Machine Name
Module Name: System Info Parser, Snapshot, or File Processor
Collected: Number of items collected for a particular module
Collection Status
The Available Views list (shown above) displays views that returned data during the sweep. Click
Unavailable Views to see views that did not return any data.
The available and unavailable views lists update if there are changes. Click Refresh to see any
updates.
The numbers at the bottom of the Analysis Browser tab indicate the number of pages of information.
The current page number displays in red.
For each item in the expanded view, there is a help topic. Click About to view it. This example shows
the help topic for Domain Name Services:
To sort a column in the Analysis Browser, double click the column heading.
Target Constraint
Target Constraint allows you to limit the views to only selected targets in a sweep.
1. Click Target Constraint to open the dialog.
2. Select the checkboxes for the targets you want, or enter them manually, then click OK. The
results will be limited to the targets you specified.
Expanded view:
2. The Constraint dialog displays. From the Column dropdown menu, click User. In the Data
text box, enter Administrator.
3. Click OK. The results list now shows only administrators in the User column.
Reports
Reports show analysis results organized in tables. Specify the tables you want, then use Report Builder
to create the report.
2. The Tables Added dialog displays, indicating the items you checked will be added to the
tables available for building the report.
3. Click OK. All tables in the right pane are checked by default. Clear any checkboxes for tables
you do not want to include in the report, then click Add Selected to Report.
5. Accept the default table title or enter your own title, then click OK.
Note: You can create your own title for any table in the report. In the right pane, click the checkbox
for the table you want and follow steps 4 and 5 above.
8. Select the tables you want to include, then click View Report. The Analysis Report Preview
dialog displays.
Saving a Report
1. Right click anywhere in the report preview, then click Save As in the dropdown menu.
2. The Save As dialog displays. Select the output format you want, enter or browse to a path,
then click OK.
Case Analyzer
Use the Case Analyzer EnScript to analyze collected data at the case level.
1. Open the case you want to analyze.
2. In the EnScript dropdown menu, click Case Analyzer.
3. The Data Browser dialog displays. It functions in the same way as the Analysis Browser tab.
For more information, see Analysis Browser Tab on page 147.
Evidence Processor
You can also use the EnCase Evidence Processor to analyze data collected by Sweep Enterprise. For
details, see Processing Evidence on page 69.
CHAPTER 8
Searching Through
Evidence
In This Chapter
Overview
Overview
You can perform simple or complex search queries using the Search tab. You can open the Search tab
from either the Home page menu of the case or from the View menu.
There are three principal methods of searching through evidence in EnCase:
Index Searches
Index searching allows you to rapidly search for terms in a generated index, and is the recommended
type of search in EnCase. Index searching looks through a list of words identified when processing the
data on a device. Querying an evidence file's index locates terms much more quickly than using non-
indexed queries.
When generating an index, the content of the file is extracted using Outside In technology and built-in
text extraction. The text is broken into words which are then added, along with the metadata of the
file, to the index. Unlike raw keyword searches, indexing is done against the transcript content of the
file so that text contained in files can be properly identified.
Indexes are generated using the Evidence Processor. Generating an index creates index files associated
with devices.
See Searching Indexed Data on page 163 for information about creating and running index
searches.
See Search Operators on page 165 for a full list of search syntax options.
Tag Searches
EnCase also provides the capability to search for items that have been flagged with user-defined tags.
Using tags you can search through collected evidence for all items that include one or many tags.
See Finding Tagged Items on page 169 for information about creating and running tag
searches.
2. Using the tools provided in the Index tab, construct your search query in the index text box.
• Entering a term in the text box instantly shows all variations of the occurrence of that term
in the indexed data in the table below.
• Clicking a hyperlinked term shows all the occurrences of that term in the right table pane.
• The button bar provides a variety of tools for constructing your search query. You may
have to expand the left pane to see all the buttons.
− Field opens a dropdown from which you can target a specific data field for your
search. After adding the field name, type the value that you wish to find in the
index text box.
− Patterns displays a dropdown menu of numerical patterns. Click the desired
pattern to embed the corresponding search term.
− Stem displays a list of possible stemming alternatives to the currently selected term.
You can delete stem alternatives from the list, and you can select from a variety of
languages.
− Case Sensitive embeds a code that causes the following term to be either case
sensitive <c> or case insensitive <c->. By default the terms are case insensitive.
− Logic inserts a Boolean AND or OR into the search query. Clicking the logic button
changes the operator. Highlight an existing AND or OR to switch the operator.
− Expand opens the highlighted term, when applicable, and displays it in its own
window.
− The Copy, Cut, and Paste buttons enable you to move and copy text in the search
term easily.
− Find enables you to find search expressions within the search term.
− Click Test to check the validity of the term as it is currently constructed. If there is
an error, a popup displays.
− A complete list of search syntax options can be found in Search Operators on page
165.
• The down arrow to the right of the button bar opens to provide two more options for
viewing the search query:
− Print opens a print dialog for printing the query or exporting it to PDF.
− Line Numbers adds line numbers to the index text box.
• Ctrl-Enter adds a line to the index text box.
3. To run the search query in the index text box, position your cursor in the text box and click
Enter, or click the green Run button.
Searching Through Evidence 165
Search Operators
By default, EnCase searches for items containing all the terms in the search query. For instance, the
search query George Washington searches for all items that contain both the term George and the term
Washington.
You can search for documents containing either term by using the OR operator: George OR
Washington.
You can use the AND operator for clarity: George AND Washington.
However, the latter term produces exactly the same results as the original search term.
Proximity
To search for two terms within a specified number of words from each other, use the w/ operator:
George w/3 Washington
Abraham w/5 Lincoln
Exact phrases
You can search for exact phrases using quotation marks (“”), which is the same as using the pre/1
operator:
“George Washington” is the same as George pre/1 Washington
Searching for two words in quotes causes both words individually to be highlighted as search hits, as
well as the original phrase.
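The following is an added illustration of the operator semantics described above, written for this guide rather than taken from EnCase (whose index engine is not reproduced). It evaluates queries with implicit AND, OR, AND, w/N, pre/N and quoted phrases against a small constructed set of documents; the word-distance reading of w/N and pre/N, and AND binding tighter than OR, are assumptions, not statements from the manual.

```python
import re
from itertools import product

# Constructed sample "index": file name -> transcript text of the file.
SAMPLE_DOCS = {
    "memo1.txt": "George Washington crossed the Delaware.",
    "memo2.txt": "Washington, D.C. was named for George, the first president.",
    "memo3.txt": "Abraham Lincoln was born in Kentucky.",
    "memo4.txt": "The lincoln memorial honors Abraham.",
}


def tokenize(text):
    """Word tokens in reading order, lower-cased because index terms are case
    insensitive by default (the <c> switch is not modelled here)."""
    return re.findall(r"[a-z0-9']+", text.lower())


def positions(tokens, term):
    """Word offsets at which `term` occurs."""
    return [i for i, tok in enumerate(tokens) if tok == term.lower()]


def near(tokens, a, b, n, ordered):
    """w/N: a and b at most n words apart in either order.
    pre/N: a precedes b by 1..n words. (Assumed reading of the operators.)"""
    for i, j in product(positions(tokens, a), positions(tokens, b)):
        if ordered and 0 < j - i <= n:
            return True
        if not ordered and i != j and abs(i - j) <= n:
            return True
    return False


def parse(query):
    """Split a query into OR-groups of items that must all match (implicit or
    explicit AND). A quoted phrase becomes a chain of pre/1 items.
    Assumption not stated in the manual: AND binds tighter than OR."""
    query = query.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes
    raw = re.findall(r'"[^"]*"|\S+', query)
    groups, current, i = [], [], 0
    while i < len(raw):
        tok = raw[i]
        if tok.upper() == "OR":
            groups.append(current)
            current = []
        elif tok.upper() == "AND":
            pass  # same result as the implicit AND between adjacent terms
        elif tok.startswith('"'):
            words = tok.strip('"').split()
            if len(words) == 1:
                current.append(("term", words[0]))
            current += [("pre", 1, words[k], words[k + 1]) for k in range(len(words) - 1)]
        elif i + 2 < len(raw) and re.fullmatch(r"(w|pre)/\d+", raw[i + 1], re.I):
            op, n = raw[i + 1].lower().split("/")
            current.append((op, int(n), tok, raw[i + 2]))
            i += 2
        else:
            current.append(("term", tok))
        i += 1
    groups.append(current)
    return groups


def matches(text, query):
    """True if the document text is responsive to the query."""
    tokens = tokenize(text)

    def item_ok(item):
        if item[0] == "term":
            return bool(positions(tokens, item[1]))
        op, n, a, b = item
        return near(tokens, a, b, n, ordered=(op == "pre"))

    return any(group and all(item_ok(it) for it in group) for group in parse(query))


def search(query, docs=SAMPLE_DOCS):
    """Sorted names of the documents responsive to `query`."""
    return sorted(name for name, text in docs.items() if matches(text, query))


if __name__ == "__main__":
    for q in ("George Washington", "George AND Washington", "George OR Lincoln",
              "George w/3 Washington", '"George Washington"', "Abraham w/5 Lincoln"):
        print(f"{q:24} -> {search(q)}")
```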
2. Click on a tag directly to display all items with that tag in the table pane.
3. Select multiple tags and click Run to see items containing any of the selected tags.
• Use the path box at the top of the dialog to specify the name and location for the search.
• Select Search entry slack to include file slack in the keyword search.
• Select Skip contents for known files to only search the slack areas of known files
identified by a hash library.
• Select Undelete entries before searching to undelete deleted files before they are searched
for keywords.
• Use initialized size enables you to search a file as the operating system displays it, rather
than searching its full logical size.
− In NTFS file systems, applications are allowed to reserve disk space for future
operations. The application sets the logical size of the file larger than currently
necessary, to allow for expected future expansion, while setting the Initialized Size
smaller so that it only needs to parse a smaller amount of data. This enables the file
to be loaded faster.
− If a file has an initialized size that is less than the logical size, the OS shows the data
area between the initialized size and logical size as zeros. In actuality, this area of
the file may contain remnants of previous files, similar to file slack. By default,
EnCase displays, searches and exports the area past the initialized size as it appears
on the disk, not as the OS displays it. This enables you to find file remnants in this
area.
− Select Initialized Size to see a file as its application sees it and the OS displays it.
− Note that when a file is hashed within EnCase, the initialized size is used. This
means that the entire logical file is hashed, but the area past the initialized size is set
to zeros. Since this is how a normal application sees the file, this enables users to
verify file hashes with another utility that reads the file via the OS.
• Add Keyword List opens a dialog in which to enter a list of words and assign certain
properties to them as a group. See Creating a New Keyword List on page 85.
• Split Mode enables you to configure the layout of the dialog.
• New opens the New Keyword dialog where you can add a new keyword. See Adding a
New Keyword on page 84.
• Double clicking a keyword, or clicking Edit, opens up the keyword so you can modify its
properties.
• Highlight a keyword and click Delete to remove it from the list.
4. When done, click OK to save the search.
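The following added example (not EnCase code) models the initialized-size behaviour described for the Use initialized size search option above and the Use Initialized Size option of Copy Files later in this chapter: a constructed NTFS data allocation whose bytes past the initialized size still hold a remnant, the zero-filled view the OS returns, the default on-disk view EnCase searches, and why the hash computed over the initialized-size view matches an OS-level hashing utility while a hash of the raw allocation does not.

```python
import hashlib

# Constructed sample: one NTFS file's data as it sits on disk. The application
# set a logical size of 48 bytes but only initialized the first 24; the rest
# of the allocation still holds a remnant of an earlier, deleted file.
INITIALIZED_SIZE = 24
ON_DISK = b"quarterly report v2.txt\n" + b"remnant: OLD PASSWORDS!!"
LOGICAL_SIZE = len(ON_DISK)  # 48


def os_view(on_disk, initialized_size):
    """The file as the OS and a normal application read it: real data up to
    the initialized size, zeros from there to the logical size."""
    return on_disk[:initialized_size] + b"\x00" * (len(on_disk) - initialized_size)


def uninitialized_remnant(on_disk, initialized_size):
    """Bytes past the initialized size as they actually sit on disk: the part
    EnCase shows, searches and exports by default (it behaves like file slack)."""
    return on_disk[initialized_size:]


def on_disk_hash(data, algo="md5"):
    """Digest of the bytes exactly as given (here: the raw allocation)."""
    return hashlib.new(algo, data).hexdigest()


def encase_file_hash(on_disk, initialized_size, algo="md5"):
    """Hash as the text describes: the whole logical length is hashed, but the
    area past the initialized size is taken as zeros, so the digest equals what
    a utility reading the file through the OS computes."""
    return on_disk_hash(os_view(on_disk, initialized_size), algo)


def keyword_hit(on_disk, initialized_size, keyword, use_initialized_size):
    """Model the search option: with Use initialized size selected the search
    sees the OS view; with it cleared (the default) it sees the disk contents."""
    data = os_view(on_disk, initialized_size) if use_initialized_size else on_disk
    return keyword in data


if __name__ == "__main__":
    print("remnant on disk :", uninitialized_remnant(ON_DISK, INITIALIZED_SIZE))
    print("MD5 raw on disk :", on_disk_hash(ON_DISK))
    print("MD5 EnCase/OS   :", encase_file_hash(ON_DISK, INITIALIZED_SIZE))
    for flag in (False, True):
        hit = keyword_hit(ON_DISK, INITIALIZED_SIZE, b"PASSWORDS", flag)
        print(f"'PASSWORDS' found with Use initialized size={flag}: {hit}")
```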
3. Click a keyword hyperlink to see all responsive items for that keyword in the table pane.
4. Select multiple keywords and click the Run button to see a combination of all search results.
• Use the Percent or Zoom buttons to make the text in the text box larger or smaller.
• To print or create a PDF of the summary, click the down arrow on the right and select
Print.
• Use the Review tab to see a compressed list of metadata, keyword, and index search hits.
− This tab combines information found on the Fields, Transcript, and Text tabs,
showing fields and individual lines containing search hits.
− Click on the linked Search Hits line number to view the search hit on that line in
context.
− Use the Next/Previous Item buttons to click through each item in the list.
• Content hits are also highlighted in the Transcript, Text, and Hex tabs while metadata hits
are highlighted in the Fields tab.
− Click Compressed View on the Transcript, Text, and Hex tabs to see only the lines
containing highlighted search hits.
− Use the Next/Previous Hit buttons to click through each hit in the file. If there are
no more hits in the file, the next item opens and the first hit is found.
• For more information about the viewing options, see Viewing Content in the View Pane
on page 100.
5. Select a saved search in the left pane. The results of that search display in the right table pane.
Click individual items to see more information in the lower viewing tabs.
2. Double click a file type. The Edit File Type dialog displays.
4. Change the Search Expression and other options as desired, then click OK.
Note: If you modify a built-in File Type, it is marked as User Defined. EnCase does not overwrite User
Defined File Types, even when a new version of EnCase is installed.
5. You can run both hash and file signature analysis. To run only file signature analysis, clear the
MD5 and SHA1 checkboxes.
6. Click OK.
Note: After running file signature analysis, you need to manually refresh the device. Return to Evidence view and drill into
the device again.
To copy files:
1. From the Evidence tab, click the Entries dropdown menu and select Copy Files. The Copy
Files dialog displays:
• Copy Files contains settings that determine the content of the evidence file to be copied.
− Logical File Only performs the copy function on the logical file only, not including
the file slack.
− Entire Physical File performs the copy function on the entire physical file,
including the logical file and file slack.
− RAM and Disk Slack performs the copy function on both the RAM and disk slack.
− RAM Slack Only performs the copy function on the RAM slack only.
• The Character Mask settings determine what characters are written into the file or files
created by the copy function.
− Select None if you do not want any characters masked or omitted from the
filenames of the resulting files.
− Select Do not Write Non-ASCII Characters to mask or omit non-ASCII characters
from the filenames of the resulting files. All characters except non-ASCII characters
are retained.
− Select Replace NON-ASCII Characters with DOT to replace non-ASCII characters
with periods in the filenames of the resulting files.
• Checking Show Errors causes the application to notify you when errors occur. This
prevents the unattended execution of the Copy Files operation.
3. Click Next. The Destination dialog displays.
• Copy displays the number of files to be copied, and the total number of bytes of the file or
files created.
• Path shows the path and filename of the file or files to be created. (Default is My
Documents\EnCase\[case name]\Export.)
• Split files above contains the maximum length, not exceeding 2000MB, of any file created
by the Copy Files function. When the total number of bytes in an output file exceeds this
value, the additional output continues in a new file.
• Use Initialized Size determines whether to use the initialized size of an entry, rather than
the default logical size or the physical size. This setting is only enabled for NTFS file
systems. When an NTFS file is written, the initialized size can be smaller than the logical
size, in which case the space after the initialized size is zeroed out.
4. Click Finish. The Copy Files operation executes. The resulting files are saved in the directory
specified in the Destination dialog.
To copy folders:
1. Select the folder or folders to copy.
2. From the Evidence tab, click the Entries dropdown menu and select Copy Folders. The Copy
Folders dialog displays:
The process for creating, reviewing, and returning a review package follows this work flow:
• The EnCase examiner searches and compiles a results list that is exported into a review package.
• The reviewer receives and opens the review package.
• The reviewer browses through and analyzes the contents of the review package. Existing tags can be used or the reviewer can create customized tags.
• The reviewer exports the tagged review package and sends the exported file back to the EnCase examiner. The export package contains only the GUIDs of the items, so it can be emailed back as a small file without revealing any case information.
• The EnCase examiner imports the analyzed review package and views the tagged items within EnCase.
• Only Checked Rows exports the selected rows in the search list. If a range of rows is
selected, only checked rows within that range are exported. When cleared, all rows are
exported.
• Show Folders exports items along with any relevant folder structure. When selected, all
items are exported. When cleared, only items in the current table view are exported.
• Select the fields you want to export in the Fields list.
• By default, all tags are automatically exported for use by the reviewer. Clear the
checkboxes on the left for any tags you do not want to export.
• The Export Tag checkbox determines whether to export the tagging information already
entered on any of the items. When cleared, any tagging choices you have made are
omitted from the review package. When checked, your tagging selections remain intact.
• Enter or browse to the name and path for the export files.
2. Click OK. A status bar displays the export process. When the export process is completed, the
review package window opens to allow the examiner to confirm the contents.
2. Scroll through the items on top and use the bottom pane to review their content.
3. Click on the area of the tag column beneath the desired tag to tag or untag an item.
• You can expand the tagging column to see the names of the tags.
• You can tag each item with as many tags as desired. Newly added item tags are identified
with a plus icon.
• Click on an existing item tag to delete it. A minus icon displays where the item tag used to
be.
• Item tags added by the original examiner are included in the review package. Item tags
specified by the original examiner can be removed.
• When reviewing bookmarks, each bookmark displays on a separate row so separate tags
can be applied to individual bookmarks. These bookmarks are aggregated within the item
when reviewed in EnCase.
4. To create a customized tag, click Create Tag in the menu bar. The Create Tag dialog displays.
• Enter the name for the tag in the Name text box.
• If you want to display a shorter name, enter that in the Display text box.
• Click OK to create the tag and close the dialog.
5. To delete one or more tags, click Delete Tags in the menu bar. The Delete Tag dialog displays.
To revert to the last saved tagging choices, click Revert in the menu bar. The Revert dialog
displays.
• Check each tag you want restored to its last saved state.
• Click OK to revert the tags and close the dialog.
2. Enter the path where the .EnReview file is stored and click Next. A list of Tags added to the
review package displays.
• Only tags that had changes since the last saved change are displayed in the list.
• Uncheck any tags you do not wish to import.
• Item tags that were present when the review package was exported, and then
subsequently removed by the reviewer, are removed in the examiner's case when the
returned review package is imported.
• If multiple reviewers are analyzing the same review package, the same rules apply to each
.EnReview file.
− If an item tag was present when the review package was exported, and one
reviewer removed it while another reviewer left it in, then the tag is removed in the
examiner's case when the returned review packages are imported.
− The order in which the review packages are imported does not make a difference.
3. Click Finish when done. The tag changes in the review package are incorporated into EnCase.
Note: Tags that were applied to separate bookmarks within a particular item are aggregated. Therefore,
each item in EnCase displays all tags that have been applied to all its bookmarks.
CHAPTER 9
Hashing Evidence
In This Chapter
Overview
Hashing Features
Overview
Analyzing a large set of files by identifying and matching the unique hash value of each file is an
important part of the computer forensics process. Using the hash library feature of EnCase, you can
import or custom build a library of hash sets, allowing you to identify file matches in the examined
evidence.
A hash function is a way of creating a digital fingerprint from data. The function substitutes or
transposes data to create a hash value. Hash analysis compares case file hash values with known,
stored hash values.
The hash value is commonly represented as binary data written in hexadecimal notation. If a hash
value is calculated for a piece of data, and one bit of that data changes, a hash function with strong
mixing property will produce a completely different hash value.
Hashing creates a digital fingerprint of a file. A fundamental property of all hash functions is that if
two hashes (calculated using the same algorithm) are different, then the two inputs are different in
some way. On the other hand, matching hash values strongly suggests the equality of the two inputs.
Computer forensics analysts often create different hash sets of known illicit images, hacker tools, or
non-compliant software to quickly isolate known "bad" files in evidence. Hash sets can also be created
to identify files whose contents are known to be of no interest, such as operating system files and
commonly used applications. Hash sets are distributed and shared among users and agencies in
multiple formats. These formats include NSRL, EnCase hash sets, Bit9, and others.
Until recently, the hash set standard to identify a file was the MD5 hash calculation. Large hash
distribution sets, such as the NSRL set, are now distributed using the SHA-1 hash calculation. EnCase
will offer continued support for MD5 hash sets, from old versions of EnCase and other products, as
well as the new SHA-1 hash format sets.
EnCase uses an extensible format for hash sets that allows:
• Storing metadata along with the hash value in field form.
• Support of MD5, SHA-1, and additional hash formats within the same file structure.
• Storing tags associated with items in the hash set.
Hashing Features
EnCase hashing features include the following:
• A versatile user interface for hash library management that allows:
− Creation of hash sets and libraries
− Importing and exporting hash sets
− Querying hash sets
− Viewing hash sets or individual hash items
• Hash libraries can contain multiple hash sets, and each set can be enabled or disabled.
• You can create as many hash libraries or hash sets as needed.
• If a hash belongs to multiple hash sets in a library, every match will be reported.
• Each case can use a maximum of two different hash libraries at the same time.
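As an added illustration of the features just listed (not EnCase code or its library format), the following models a hash library holding several sets, each with a category, tags, an enabled flag and metadata fields stored beside MD5 and SHA-1 values, and runs a hash analysis against a primary and a secondary library in which every matching set is reported. Library, set and file names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class HashSet:
    """One hash set: a name, a single category (commonly Known or Notable),
    any number of tags, an enabled flag, and hex digest -> metadata fields."""
    name: str
    category: str
    tags: set = field(default_factory=set)
    enabled: bool = True
    items: dict = field(default_factory=dict)

    def add_hash(self, hex_digest, fields):
        """Store a value you already have (e.g. from an imported MD5-only legacy set)."""
        self.items[hex_digest.lower()] = dict(fields)

    def add_entry(self, data, fields):
        """Store an evidence item's MD5 and SHA-1 side by side with its fields."""
        for algo in ("md5", "sha1"):
            self.add_hash(hashlib.new(algo, data).hexdigest(), fields)


class HashLibrary:
    def __init__(self, name):
        self.name = name
        self.sets = []

    def new_hash_set(self, name, category, tags=()):
        hash_set = HashSet(name, category, set(tags))
        self.sets.append(hash_set)
        return hash_set

    def query(self, hex_digest):
        """Every enabled set holding the value is reported, with its category,
        tags and the fields that were added with the hash."""
        key = hex_digest.lower()
        return [
            {"Library": self.name, "Hash Set": hs.name, "Category": hs.category,
             "Tags": sorted(hs.tags), **hs.items[key]}
            for hs in self.sets if hs.enabled and key in hs.items
        ]


def hash_analysis(entries, primary, secondary=None):
    """Hash each entry (MD5 and SHA-1) and look both values up in the case's
    primary and optional secondary library (the two-library limit above).
    A set that matches on both algorithms is reported once."""
    report = {}
    for path, data in entries.items():
        digests = (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())
        found = {}
        for lib in filter(None, (primary, secondary)):
            for digest in digests:
                for match in lib.query(digest):
                    found.setdefault((lib.name, match["Hash Set"]), match)
        report[path] = list(found.values())
    return report


def entries_in_category(report, category):
    """Paths with at least one match in `category`: Notable to find files of
    interest, Known to eliminate files that need no review."""
    return sorted(p for p, ms in report.items() if any(m["Category"] == category for m in ms))


# Constructed sample evidence (path -> bytes standing in for real file content).
EVIDENCE = {
    r"C:\Windows\notepad.exe": b"pretend notepad binary",
    r"C:\Users\jdoe\tool.exe": b"pretend hacker tool",
    r"C:\Users\jdoe\notes.txt": b"unknown content",
}


def build_case_libraries():
    """Primary library of known OS files, secondary library of notable tools."""
    primary = HashLibrary("Windows 7 Files")
    primary.new_hash_set("Win7 system files", "Known", {"os"}).add_entry(
        EVIDENCE[r"C:\Windows\notepad.exe"], {"Name": "notepad.exe"})
    secondary = HashLibrary("Notable Tools")
    secondary.new_hash_set("Hacker tools", "Notable", {"tools"}).add_entry(
        EVIDENCE[r"C:\Users\jdoe\tool.exe"], {"Name": "tool.exe"})
    # A legacy MD5-only set covering the same tool: both sets must be reported.
    secondary.new_hash_set("Legacy MD5 tools", "Notable", {"legacy"}).add_hash(
        hashlib.md5(EVIDENCE[r"C:\Users\jdoe\tool.exe"]).hexdigest(), {"Name": "tool.exe"})
    return primary, secondary


if __name__ == "__main__":
    for path, matches in hash_analysis(EVIDENCE, *build_case_libraries()).items():
        print(path, "->", [(m["Hash Set"], m["Category"]) for m in matches])
```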
From the Manage Hash Library dialog you can manage any existing hash libraries or create a new one.
You use its toolbar to:
• Create a new hash library or edit an existing library.
• Create new hash sets within a library or edit an existing hash set within a library.
• Import and export hash sets from one library to another.
• Query a hash library for a particular value.
Browse for a folder to hold the hash library. If you use an existing folder, it must be empty
(otherwise, the contents of the folder will be deleted).
Provide a name for the hash library (for example, Windows 7 Files, Company Secrets, or Hash
Library #1) and select OK.
The path and name of your Hash Library will now appear in the Hash Library Path field.
If you wish to import hash sets from another library, select Import Hash Sets from the toolbar.
You can then browse to a library and select individual sets to import. If you wish to create new
hash sets for this library, proceed to the next section.
Hash sets (which contain the individual hash entries) are located within hash libraries. There are two
steps to creating a hash set. The first step is to create an empty hash set within a library, and the
second is to add information to it. To create a hash set, perform the steps described below:
1. Click Tools > Manage Hash Library.
2. Make sure that you either browse and point to an existing hash library or create a new one.
This is the hash library to which you will add the hash set.
3. On the Manage Hash Library page toolbar, click New Hash Set. The Create Hash Set dialog
displays.
4. Enter a Hash Set Name, and enter information for Hash Set Category and Hash Set Tags.
• The Hash Set Category can be used to identify the type of hash set. Although the most
common values are Known and Notable, you can specify any single value. You can use
the category to find or eliminate files.
• Hash Set Tags allow you to specify multiple identifiers for a hash set. As with Hash
Categories, you can use the Hash Set Tag to find or eliminate files.
5. Click OK and click OK again when you are prompted to add the new hash set. The new hash
set is listed under Existing Hash Sets in the Manage Hash Library page.
4. On the Evidence tab, under the Entries view, click the Entries dropdown menu and select
Add to Hash Library.
5. Choose the Hash Library to add the hash items to by using the Hash Library Type dropdown
menu. Select the Primary or Secondary hash library (see below for information on setting the
Primary and Secondary libraries), or Other, if you need to place the item in another library.
6. Once you have selected a library, select one or more previously created hash sets (by checking
their boxes) from the Existing Hash Sets window. If you need to create a new Hash Set, right
click in the Existing Hash Sets table and select New Hash Set. The New Hash Set dialog
appears, as described below.
7. On the Add to Hash Library page, Fields list, select the metadata fields you want to add to the
hash library for the selected items. Some fields are added by default, however, you can add
other optional fields. All fields that are added to the hash set will be reported when a hash
comparison matches a particular hash set; click OK.
Note: Adding additional fields does not increase the comparison time, but does increase the size of the
library.
5. In the above example, the Matching Hash Items table shows that a match occurred against an
MD5 hash in the selected hash library.
6. You can obtain more detailed information about the matched hash item by clicking either
Show Metadata (shown in above panel) or Show Hash Sets.
3. Select whether you want to change the existing category or tag on the Hash Sets, then enter the
new value in the text box.
4. Click Finish.
2. Use the browse buttons (...) to locate the path of the Version 7 hash library in which to import
the hash sets, and the path of the legacy EnCase hash sets.
3. Click OK to complete the operation.
Bookmarking Items
In This Chapter
Overview
Decoding Data
Overview
EnCase allows files, sections of file content belonging to different data types, and data structures to be
selected, annotated, and stored in a special set of folders. These marked data items are bookmarks, and
the folders where they are stored are bookmark folders.
Bookmarks are stored in a .Case file, and all metadata and content associated with a bookmark is
stored in the actual bookmark. Unlike previous versions of EnCase, there is no "resolving bookmarks
stage" when opening a case.
Bookmarks and the organization of their folders are essential to creating a solid and presentable body
of case evidence. You can examine bookmarks closely for their value as case evidence, and
additionally, use the bookmark folders and their data items to create case reports. For more
information, see Generating Reports on page 215.
4. On the menu bar, click Bookmark > Raw text or right click the highlighted text and click
Bookmark > Raw text.
5. The Raw Text dialog displays. Type some identifying text in the Comments box on the
Properties tab that makes it easy to identify the bookmarked content.
6. Click the Destination Folder tab, which displays the Bookmark folder hierarchy for the
current case, and click the bookmark folder in which to place this sweeping bookmark. In the
example below, the Highlighted Data subfolder is selected. Note that you can always rename
the bookmark folders or move the bookmark later.
4. Since the examiner is investigating date/time data in this example, expand the Dates folder
and click some of the options.
5. The Windows Date/Time option yields a satisfactory representation of the data, as shown
below.
6. To bookmark the data, right click the Windows Date/Time node, and select Bookmark > Data
Structure or on the menu bar, click Bookmark > Data Structure.
7. In the Data Structure dialog, type text about the Data Structure bookmark in the Comments
box and click the Destination Folder tab.
8. In the Destination Folder box, click the folder where you want to store this Data Structure
bookmark.
9. Click OK.
3. The Single item dialog opens. On the Properties tab, type some identifying text in the
Comment. Alternatively, you can use the browse button to view a list of existing comments,
and select one of those.
4. Click the Destination Folder tab to display the case's Bookmark folder hierarchy. Click the
bookmark folder where you want to store the bookmark.
5. Click OK.
3. The Selected items dialog opens. Type some identifying text in the Comment box on the
Properties tab that describes the file. You can also use the browse button to view a list of
existing comments, and use one of those.
4. Click the Destination Folder tab to display the case's Bookmark folder hierarchy, and click the
bookmark folder where you want to store the bookmarks.
5. Click OK.
Table Bookmark
You can select a table to bookmark. Highlighting a table and selecting it as a Table bookmark allows
you to save its metadata and store it in a bookmark folder. Table bookmarks are especially useful for
representing evidence data in reports.
Transcript Bookmark
If the Transcript tab in the Viewer pane is active, you can bookmark transcript text.
The Transcript tab extracts text from a file containing mixtures of text and formatting or graphic
characters. The transcript view is useful for creating bookmarks inside files that are not normally
stored as plain text, such as Excel spreadsheets.
Notes Bookmark
Notes differ from other bookmarks in that you use them with other bookmarks to annotate report
data. They do not mark distinct evidence items like other types of bookmarks. The Notes bookmark
has a field reserved only for comment text that can hold up to 1000 characters.
To create a notes bookmark:
1. Click the Bookmarks tab.
2. On the Table toolbar, click Add Note.
4. Type a Name for the note bookmark, then type text in the Comment box or browse for a list of
previous comments. This is the bookmark text to which the note will be added.
5. Click OK.
To show the notes in their true order in the bookmark folder hierarchy, click Split Mode on the
Bookmark toolbar and select Traeble view.
Use the Report tab in the View pane to show how the note actually displays in reports, as shown
above.
3. The Single item dialog opens. On the Properties tab, type identifying text in the Comment
box.
4. Click the Destination Folder tab to display the case's Bookmark folder hierarchy. Click the
bookmark folder where you want to store the bookmark.
5. Click OK.
3. To expand the Bookmarks folder, click its tab. This displays the default Bookmark folders
(shown both in the Tree and Table panes).
Guidance Software recommends using the supplied labels for the bookmark folders to organize the
types of bookmarked content (documents, pictures, email, and Internet artifacts). Although this folder
organization is entirely flexible, bookmark folders are directly linked to the Report Template that is
also included in the default templates. If a case grows to where it needs more bookmark folders or a
greater level of bookmark organization, you can create new folders or modify the folder organization,
but you may need to make changes to the Report Template.
Editing a Bookmark
1. Click Edit... and modify the text in the Comments box of the Properties tab.
2. You can also click the browse button (...) in the dialog to view a list of bookmark comments.
3. Select a comment from the list to replace the current comment.
4. Click OK.
Renaming a Bookmark
1. From the Home page, click View > Bookmarks.
2. In Table view, find the bookmark folder with the bookmark you want to rename.
3. The Table pane displays the list of bookmarks for the selected folder. Select the cell for the
bookmark to rename.
4. Right click the bookmark folder or the cell you want to rename.
5. Click Rename. The bookmark name is highlighted.
6. Enter a new name for the bookmark and click OK.
Decoding Data
Following are the types of data the View Types decoder supports (available in the View pane when
you select the Decode tab).
Text
Text is a parent object containing child objects for formatting you can use when displaying
bookmarked content as text.
Do not Show hides the content of the bookmark. This works for all underlying data types.
High ASCII displays the text in 256-bit ASCII.
Low ASCII displays the text in 128-bit ASCII.
Hex displays the text as hexadecimal digits, rather than characters.
Unicode displays the text in Unicode.
ROT 13 Encoding decodes ROT 13 encoded text to ASCII text.
Base64 Encoding decodes Base64 encoded text to ASCII text.
UUE Encoded decodes UUE encoded text to ASCII text.
Quoted Printable is an encoding using printable ASCII characters and the equals (=) sign to transmit
8-bit data over a 7-bit data path.
HTML renders HTML code as it appears in a browser.
HTML (Unicode) renders HTML code as it appears in a browser, using Unicode.
Picture
Picture displays images in their native format.
Base64 Encoded Picture displays Base64 encoded images.
UUE Encoded Picture displays UUE encoded images.
Integers
8-bit displays the bookmarked content as 8-bit integers.
16-bit displays the bookmarked content as 16-bit Little-Endian integers.
16-bit Big Endian displays the bookmarked content as 16-bit Big-Endian integers.
32-bit displays the bookmarked content as 32-bit Little-Endian integers.
32-bit Big Endian displays the bookmarked content as 32-bit Big-Endian integers.
64-bit displays the bookmarked content as 64-bit Little-Endian integers.
64-bit Big Endian displays the bookmarked content as 64-bit Big-Endian integers.
Dates
DOS Date displays a packed 16-bit value that specifies the month, day, year, and time of day an MS-DOS file was last written to.
DOS Date (GMT) displays a packed 16-bit value that specifies the time portion of the DOS Date as
GMT time.
UNIX Date displays a Unix timestamp in seconds based on the standard Unix epoch of 01/01/1970 at
00:00:00 GMT.
UNIX Date Big-endian displays a Unix timestamp in seconds based on the standard Unix epoch of
01/01/1970 at 00:00:00 GMT, as Big-Endian integers.
UNIX Text Date displays a Unix timestamp in seconds as text based on the standard Unix epoch of
01/01/1970 at 00:00:00 GMT.
HFS Date displays a numeric value on a Macintosh that specifies the month, day, year, and time when
the file was last written to.
HFS Plus Date is an improved version of HFS Date. It displays a numeric value on a Macintosh that
specifies the month, day, year, and time when the file was last written to. HFS Plus is also referred to
as "Mac Extended."
Windows Date/Time displays a numeric value on a Windows system that specifies the month, day,
year, and time when the file was last written to.
Windows Date/Time (Localtime) displays a numeric value on a Windows system for the local time
specifying the month, day, year, and time when the file was last written to.
OLE Date displays a date as a double-precision floating point value that counts the time from 30
December 1899 00:00:00.
Lotus Date displays a date from a Lotus Notes database file.
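The following added example (not EnCase code) re-implements the Dates view types listed above with the Python standard library, so a raw byte run can be tried against each decoder in turn, the way the Decode tab was used in the Data Structure bookmark example earlier in this chapter. The epoch and bit-layout definitions are the public format specifications; the HFS local-time versus HFS Plus GMT distinction is Apple's definition rather than a statement from this manual, and all sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)      # UNIX Date: seconds, GMT
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # Windows Date/Time: 100 ns ticks, GMT
HFS_EPOCH = datetime(1904, 1, 1)                   # HFS Date: seconds, local time
HFS_PLUS_EPOCH = datetime(1904, 1, 1, tzinfo=UTC)  # HFS Plus Date: seconds, GMT
OLE_EPOCH = datetime(1899, 12, 30)                 # OLE Date: fractional days


def decode_dos_date(date_word, time_word=0):
    """Packed 16-bit DOS date (bits 15-9 year-1980, 8-5 month, 4-0 day) plus the
    optional 16-bit DOS time (bits 15-11 hour, 10-5 minute, 4-0 seconds/2)."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)  # ValueError if fields invalid


def decode_unix(raw, big_endian=False):
    """32-bit seconds since 1970-01-01 00:00:00 GMT (UNIX Date, UNIX Date Big-endian)."""
    (secs,) = struct.unpack(">I" if big_endian else "<I", raw[:4])
    return UNIX_EPOCH + timedelta(seconds=secs)


def decode_hfs(raw, plus=False):
    """32-bit big-endian seconds since 1904-01-01; HFS is local time, HFS Plus GMT."""
    (secs,) = struct.unpack(">I", raw[:4])
    return (HFS_PLUS_EPOCH if plus else HFS_EPOCH) + timedelta(seconds=secs)


def decode_windows_filetime(raw, local_tz=None):
    """64-bit little-endian count of 100 ns intervals since 1601-01-01 GMT.
    Pass a tzinfo as local_tz for the Windows Date/Time (Localtime) rendering."""
    (ticks,) = struct.unpack("<Q", raw[:8])
    when = WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)
    return when.astimezone(local_tz) if local_tz else when


def decode_ole_date(raw):
    """Little-endian double: whole days since 1899-12-30, fraction = time of day.
    For negative values the fraction still counts forward from midnight."""
    (value,) = struct.unpack("<d", raw[:8])
    days = int(value)  # truncates toward zero; raises ValueError on NaN
    return OLE_EPOCH + timedelta(days=days) + timedelta(days=abs(value - days))


def decode_all(raw):
    """Apply every decoder the buffer is long enough for and render each result,
    as the Decode tab lets you try view types until one reads sensibly. A decoder
    that rejects the bytes (e.g. month 0 in a DOS date) reports that instead."""
    candidates = []
    if len(raw) >= 4:
        time_word, date_word = struct.unpack("<HH", raw[:4])  # FAT order: time, then date
        candidates += [
            ("DOS Date", lambda: decode_dos_date(date_word, time_word)),
            ("UNIX Date", lambda: decode_unix(raw)),
            ("UNIX Date Big-endian", lambda: decode_unix(raw, big_endian=True)),
            ("HFS Date", lambda: decode_hfs(raw)),
            ("HFS Plus Date", lambda: decode_hfs(raw, plus=True)),
        ]
    if len(raw) >= 8:
        candidates += [
            ("Windows Date/Time", lambda: decode_windows_filetime(raw)),
            ("OLE Date", lambda: decode_ole_date(raw)),
        ]
    table = {}
    for name, decoder in candidates:
        try:
            table[name] = decoder().isoformat(sep=" ")
        except (ValueError, OverflowError) as exc:
            table[name] = f"<not a valid {name}: {exc}>"
    return table


def filetime_bytes(when):
    """Build a FILETIME from an aware datetime (used only to construct the sample)."""
    ticks = ((when - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks)


# Constructed samples: the same instant, 2012-03-15 14:30:20 GMT, in several formats.
SAMPLE_FILETIME = filetime_bytes(datetime(2012, 3, 15, 14, 30, 20, tzinfo=UTC))
SAMPLE_UNIX_LE = struct.pack("<I", 1331821820)
SAMPLE_UNIX_BE = struct.pack(">I", 1331821820)
SAMPLE_HFS_PLUS = struct.pack(">I", 1331821820 + 2082844800)  # 1904-to-1970 offset
SAMPLE_OLE = struct.pack("<d", 40983.5)                        # 2012-03-15 12:00:00

if __name__ == "__main__":
    for name, text in decode_all(SAMPLE_FILETIME).items():
        print(f"{name:22} {text}")
```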
Windows
Includes the following items:
• Partition Entry
• DOS Directory Entry
• Win95 Info File Record
• DOS Directory Entry
• GUID
• UUID
• SID
CHAPTER 11
Tagging Items
In This Chapter
Overview
Creating Tags
Tagging an Item
Hiding a Tag
Deleting Tags
Overview
The EnCase tagging feature allows you to mark evidence items for review. You define tags on a per
case basis and default tags can be part of a Case Template.
Any item that you can currently bookmark can also be tagged. You can search for tagged items, view
them on the Search Results tab, and view the tags associated with a particular item in the Evidence or
Record View.
Following is a list of tag features and characteristics:
• You can create tags as part of a case or add them to a Case Template. You can customize each of the tags with specific colors and display text.
• Tags are persistent when you are working with entries and when you save and re-open a case.
• Each item, entry, email, or record can have multiple tags.
• You can edit saved tags: change their colors and text, hide specific tags from viewing, and delete a tag.
• Tags are local to a specific case (that is, you cannot create global tags), and the maximum number of tags that you can use for a case is 63.
• You can directly manipulate tags on the EnCase user interface: modify the order in which they are displayed, delete them from the display, and so forth.
• You can build searches based on tags you have created and also tag search results. You can also combine tags with index and keyword search queries.
• You can sort the tag column to find items with multiple tags.
Creating Tags
To create a tag:
1. On the Records, Evidence, or Bookmark tab, click Tags on the toolbar.
4. On the New Tag Item page, enter a Name for the tag (for internal use), the Display Text that
will appear in the Tag column (Guidance Software recommends using short display names to
conserve space), and the Frame Color (foreground and background colors) for the tag. You
can also "hide," or prevent the tag from displaying by checking its Hidden box.
5. Repeat the preceding two steps until you have created the set of tags you want. You can
always add, remove, and rename tags while working on a case.
Tagging an Item
To tag an evidence item, do the following:
1. On the Evidence tab, display your evidence items. (You can also assign tags to Records and
Bookmarks.)
2. Highlight or check the evidence item to which you want to assign a tag.
3. Display a list of available tags by clicking Tags > Show Tag Pane. A pane appears in the lower
right corner of the EnCase user interface. The pane contains a list of default and custom tags
and the number of occurrences of each tag.
4. Check the tag that you want to assign to an evidence item (this example uses the Review tag).
5. The tag that you selected appears in the Tag column of the selected evidence item.
212 EnCase® Examiner Version 7.03
You can also tag an item by clicking on its position in the Tag column, as follows:
1. Display a list of available tags by clicking Tags > Show Tag Pane. The order that the tags are
shown in the table (top to bottom) corresponds to the order in which they will be displayed in
the Tag column (from left to right).
2. Click the space in item's Tag column where the tag would be displayed. The tag will then
appear.
3. As an example, if you configured two tags:
• The left half of the Tag column is used to display the first tag.
• The right half of the Tag column is used to display the second tag.
4. Click the first half of the tag cell to display the item's first tag, and the second half of the tag
cell to display the item's second tag.
5. To remove a tag from displaying, click the tag.
Hiding a Tag
If you have configured a tag that you do not currently want to show in the Tag column or the Tag
pane, you can hide the tag using the Manage Tags dialog. This will not delete a tag, but prevent it from
displaying.
To hide a tag, follow these steps:
1. On the Evidence tab, click the Tags button.
2. On the Manage Tags dialog, check the box in the Hidden column for the cell corresponding to
the tag you want to hide.
Deleting Tags
Tags that you do not want to use can be deleted from the Manage Tags window. Deleting a tag
removes the tag name from the case and deletes all references to the tag in the tag database. This action
cannot be undone.
If you attempt to delete a tag, and the tag is assigned to a case item, a warning dialog will display. The
dialog will indicate the number of tags to be deleted. If no items are tagged with that tag name, then
no warning dialog will be displayed.
To delete a tag, follow these steps:
1. On the Evidence tab, click the Tags button.
2. On the Manage Tags window, check the row containing the tag that you want to delete.
3. On the Manage Tags toolbar, click the Delete button.
Generating Reports
In This Chapter
Overview
Viewing a Report
Overview
The final phase of a forensic examination is reporting the findings, which should be well organized
and presented in a format that the target audience understands. EnCase adds several enhancements to
its reporting capabilities, including:
• Reporting templates you can use as is or modify to suit your needs.
• Capability to control a report's format, layout, and style.
• Ability to add notes and tags to a report.
Reports in EnCase consist of three parts:
• Bookmark folders, where references to specific items and notes are stored.
• Report templates that hold formatting, layout, and style information. A report template links to bookmark folders to populate content into a report.
• Case Information items, where you can define case-specific variables to be used throughout the report.
2. From the dropdown menu, select the type of bookmark you want to create, enter a name and
optional comment, and click OK.
3. View your bookmarks in the Bookmarks tab.
See Bookmarking Items on page 195 for more information.
A report component is designated as either a Report or Section, as shown in the Type column.
Typically, Report components only contain formatting information for components beneath them,
whereas Section components contain formatting information and Report elements for an individual
section. The columns to the right of Type indicate whether a formatting option is user defined or
inherited from the component above it in the template hierarchy.
3. Enter a Name.
4. Select a Type (Section or Report).
5. If you want to customize Format styles, check the appropriate boxes, or leave the boxes clear
to use the default styles.
6. Click OK. The new template component displays below the row you highlighted.
2. Click the paper size option you want. There are options for millimeters as well as inches.
3. The default orientation is Portrait. Click the Landscape checkbox to change the orientation.
4. Click User defined to enable the Page Width and Page Height boxes, where you can specify
dimensions manually.
Margins
1. Right click the Margins column, then click Edit in the dropdown menu. The Margins dialog
opens.
2. Enter the margins you want in inches. By default, the top margin is 1 inch, the left margin is
0.75 inches, and the right and bottom margins are 0.5 inches.
2. Formatting options (Document, Styles, Case Info Items, etc.) display at the top of the dialog.
Report Styles
As in Microsoft Word, you use styles to set text formatting options. EnCase comes with many default
styles to use in report templates, and you can also create your own styles. To override a default style,
create a user style with the same name.
Style options include:
• Font type and size
• Alignment (centered, left and right justified)
• Indentation (left, right, first line)
• Space before/after
• Borders
• Tabs
• Text color
• Background color
To create a user defined style:
1. In the Report Templates tab, click Styles in the tab toolbar.
2. The Styles dialog opens, with tabs for Default Styles and User Styles.
5. Enter a name for the style and your desired configuration options. Double click Font, Text
Foreground, or Text Background to open dialogs for specifying those options.
a. Double click Font to open the Font dialog, where you can specify:
− Font face
− Font style (Regular, Italic, Bold, Bold Italic)
− Size
− Effects (Strikeout, Underline)
− Color
b. Double click Text Foreground or Text Background to open the Color dialog, where you
can select a default color or specify a custom color:
f. In the Relative box, set the margin that the tab stop should be relative to. Choose Left to
position the tab stop a set distance to the right of the left margin, choose Center to position
it a distance from the center point between the margins, or choose Right to position it a set
distance to the left of the right margin.
Note: The ability to set the relative position of the tab enables users to create a report template that
can be used with various paper sizes (i.e., letter, landscape, A4, etc.) and various orientations
(i.e., portrait or landscape) without having to reset the margins for the various page widths.
Default templates supplied with EnCase are configured in this manner so that they can be used
in different locales without requiring significant modifications.
8. When you are finished, click OK. The new style and its attributes display in the User Styles
list.
Inserting a Picture
1. Right click an item in the tree where you want to insert a picture, then click Edit in the
dropdown menu.
2. The Edit dialog opens. Select the Body Text tab, then place your cursor where you want to
insert the picture in the Report Object Code.
3. Click Picture.
4. In the Picture dialog, browse to the file you want to insert, specify a size (width and height in
inches), then click OK.
Inserting a Table
1. Right click an item in the tree where you want to insert a table, then click Edit in the
dropdown menu.
2. The Edit dialog opens. Select the Body Text tab, then place your cursor where you want to
insert the table into the Report Object Code.
3. Click Add Table.
4. Make a selection from the dropdown list. The dialog for that item opens. The example below
shows the Evidence dialog.
a. On the Columns tab, click the checkboxes for the columns you want to display.
b. On the View Options tab, select the checkboxes for the visual elements you want to
display. The tabs and options vary depending on the selection you make in step 3.
Excluded Checkbox
Depending on your target audience, you may want to exclude parts of a report. For example, an
investigator may need to see actual pictures in a report, whereas another reader does not. You can
customize content by clicking the checkbox for elements you want to exclude.
2. In the Report Title field, enter the name of the report. The default report title format is [Case
Name] - File Report.
3. In the Report Prepared By field, enter the name of the examiner. The default examiner name is
drawn from the specified examiner in Case Info.
4. On the left side of the dialog, specify how you want to group your report.
• By file path: sorts files by the file system's location of each file, sorted according to Item
Path.
• By file size: sorts files according to size in Kilobytes.
• By file category: sorts files alphabetically, according to file category. You can choose to
sort by three-character file extension within category by selecting the Sort by Extension
checkbox.
5. On the right side of the dialog, specify whether to include all files, only files in the current
view, and/or files created within a specified range. To specify a creation date range:
a. Select the checkbox for Only Files Created Between
b. Enter the Start Date directly, or click the calendar browser button to the right.
c. Enter the End Date directly, or click the calendar browser button to the right.
6. At the bottom of the dialog, use the field selector to include/exclude and order the fields for
your report.
d. In the Available fields box on the left, select any field you want to include in your report
and click the right arrow.
e. In the Selected fields box on the right, select any field you want to exclude from your
report and click the left arrow.
7. To order the selected fields for your report, select each field and move it with the Up or Down
button.
8. Click OK. The File Report EnScript generates the file report, and it appears in the File Report
window.
Viewing a Report
To view a report:
1. In the Report Templates tab, click View Report from the tab toolbar. The dropdown menu
lists all reports that have the Show Tab option set.
2. Select the report you want to see. The report displays in the viewer.
To save a report, right click on the report and select Save As.
Smartphone Support
In This Chapter
Overview
Installing Drivers
Overview
EnCase can acquire smartphones connected directly to the Examiner computer. Removable Subscriber
Identity Module (SIM) cards that securely store the identifying information of the subscriber as well as
telephone numbers, preferences, text messages, and other information, can also be acquired.
Logical data acquisition is supported for BlackBerry, iPhone, Palm, Android, Windows Mobile, and Symbian devices. Data acquired from these devices is stored in a logical evidence (.L01) file which can then be analyzed. For navigation and analysis purposes, the structure of all .L01 files collected from any type of smartphone is always the same.
For some Palm, WinCE, and Android devices, there is additional support for physical memory
acquisition. For physical memory acquisitions, an evidence file (.E01) is created.
The smartphone acquisition dialog displays all supported smart phones, arranged by manufacturer.
Specific notes for each phone are detailed in the help pane at the top of the dialog.
SD cards are acquired in the same way as other mass storage devices, such as thumb drives, by adding
a local device. Using an SD card reader (not included), use the forensic machine's USB port to acquire
the data on the SD card.
The following table shows the platform/acquisition combinations supported using the latest drivers:
• EnCase cannot acquire smartphones running Palm OS or iOS under Windows XP 64 bit.
• EnCase cannot acquire smartphones running iOS under Windows XP 64 bit.
• EnCase cannot acquire a smartphone running under Windows Server 2003 or 2008.
Before you begin a smartphone acquisition:
1. Know the manufacturer and model, if possible, of the phone.
2. If you did not obtain the owner's manual with a phone you are acquiring, locate and
download one from the Web.
3. Make sure you know the location of the on/off button on the face of the smartphone.
4. Determine if the smart phone has a SIM card. If it does, you will acquire data using the SIM
card reader as a separate step from acquiring data from the smart phone. A SIM card reader is
included in an optional cable kit that may be purchased separately. See Acquiring SIM Cards
on page 244.
5. If you have not acquired from this type of phone previously, Windows will recognize it as
new hardware. You may have to download the drivers from the manufacturer's web site if
Guidance Software is unable to provide them. See Installing Drivers on page 247.
At the end of an acquisition, you can generate a summary report. You can also use an existing .L01 file
to create reports. See Creating a Smartphone Report on page 250.
3. Open your case in EnCase and navigate to the Add Evidence screen.
For Android physical acquisition, select the Perform Physical Acquisition checkbox in the Acquire
Smartphone dialog box.
4. After the EnCase SD card reader is successfully inserted, open Windows File Explorer and
navigate to the SD card drive.
5. Open the drive, which should not have any data in it.
6. Navigate to the root folder where EnCase is installed on your machine.
7. Locate the \Mobile\Install\WinMobile folder and open it.
8. Copy the NeutrinoCE file and the 2577 folder to the empty EnCase SD card drive.
After the SD card is installed with the correct data, you can use the SD card to acquire the mobile
device.
On some phones, the SD card autorun feature will not work. If you suspect your device is not
automatically running this program, you need to execute it manually.
1. In Windows Mobile, start the File Explorer.
2. In the File Explorer, open the Storage Card folder to see its folders and files.
3. In the Storage Card folder, select the 2577 folder.
4. From within the 2577 folder, select Autorun.
5. After you see the boot-up message box, continue using the mobile device acquisition wizard in
EnCase.
If the Windows Mobile phone (such as the HTC Touch) does not have an SD card reader, you can use
the ActiveSync program from Microsoft. The free download is available on the Microsoft.com Web site
for Windows Mobile.
1. Connect the phone to the computer with ActiveSync installed. You can connect directly to the
USB port of the computer.
2. The ActiveSync Device Center starts automatically. Cancel the Pocket PC Sync Setup Wizard. You can copy files without going through the entire setup process.
3. Either from Windows Explorer or using the ActiveSync interface, navigate to the phone's file
system.
Troubleshooting:
If the Windows Mobile device is accidentally unplugged during acquisition, you must reboot the
device before re-starting the acquisition.
4. If the EnCase SD card reader (listed as a USB Mass Storage Device) is denoted by the
question mark icon, it is not being recognized. If it is denoted with the controller icon shown
here, then it is being successfully recognized and some other problem exists.
5. If the question mark icon is showing, right-click USB Mass Storage Device and select Update
Driver. The Windows Hardware Update Wizard starts.
6. Complete the Windows Hardware Update Wizard to update the device driver. When done, a
message indicates that the hardware has been detected. The EnCase SD Card Reader light
illuminates when detected.
Removing the SIM card may cause call log information to be deleted from some smart phones. We
recommend that you acquire the phone data first, before removing and acquiring the SIM image.
Note: Refer to the smart phone owner's manual for information on how to remove the SIM card.
With the smart phone to be acquired powered off and disconnected from the forensic computer,
remove the SIM card from the phone and do the following:
1. With the SIM card reader disconnected from the forensic computer, put the SIM card into the
SIM card reader with the beveled edge of the card facing out.
2. With the SIM card in the SIM card reader, connect the SIM card reader to a USB port on your
forensic computer.
3. From the Add Evidence screen, choose Acquire Smartphone, and then select SIM Card
Reader.
Note: If the LEF created by acquiring the SIM card is less than 5KB in size, a system warning asks if you want to delete it.
This is because a threshold of 5KB is set in EnCase; a LEF smaller than 5KB created in EnCase might be empty.
Disconnect the SIM card reader from the forensic computer and remove the SIM card from the reader.
With the smart phone powered off, return the SIM card to the phone.
You may need to provide the ID on the SIM (ICCID). The ICCID may be found in one of three
ways:
• The ICCID number is imprinted on the SIM along with the name of the network provider.
• To get the ICCID number, select the Acquire ICC Id# Only option instead of the Acquire
SIM Image option. This procedure writes the ICCID number into the Activity Log in the
Acquisition page.
• After adding the LEF to a case, you can locate the ICCID number on the Records tab.
Show the Common SIM Fields and select the Sim Iccid column if it is not already
displayed.
For most smart phones, enter the eight-digit PUK code directly into the phone. Submitting the
correct PUK resets the PIN and the attempt counter. After selecting OK, you may be prompted
to enter a new four to eight digit PIN code. You may then be asked to re-enter your chosen
PIN code for verification. On other smart phone types, you enter the PUK code as follows:
**05*(PUK Code)*(new PIN)*(new PIN)# [send].
Please refer to the smart phone manufacturer user manual or website for instructions for your
phone.
A backup file path displays for you to enter or browse to the location of the backup file you want to
acquire.
Installing Drivers
When you connect a phone that you have not previously acquired, the Windows operating system
automatically looks for the suitable device driver for this hardware.
EnCase automatically installs some device drivers when they are needed for a particular acquisition.
But because of the rapid release of new phone models and drivers, you may need to download the
drivers from the manufacturer's Web site.
Although Guidance Software is consistently updating drivers, the drivers we ship are not always able
to be signed by Microsoft. If you see the following dialog, click Continue Anyway.
After the hardware drivers are recognized, the acquisition continues normally.
3. To specifically include tagged items, select Include Tags. The Edit Settings dialog displays
showing all available tags to include.
To save the Smartphone Report Builder, you must print or export it to a file. If you close it
before exporting or printing, you need to generate the report again.
• In the Report Section, select from the list of data elements to display your comment in
that section. All possible data elements are shown, even if the particular acquisition did
not contain this type of data.
• To place a comment before the data, enter it in the Note (section top) area. You can have
separate notes before and after the data, or include the same note in either place, or both.
• Entering a comment in the Note (section bottom) area places the comment after the data.
2. Click OK to write all comments to the report and close the dialog.
1. In the Report Builder, click Export Location Data in the top toolbar. The KML Export dialog
displays.
2. Enter or browse to an output folder and create a name for the output file.
3. Select the location data type you want to export.
4. Click OK. The location data is exported as a KML file.
5. Open the file in any geo-mapping application to view the location data.
CHAPTER 14
Text Styles
Overview
This chapter describes how to use EnCase when working with evidence in languages other than
English.
The Unicode standard attempts to provide a unique encoding number for every character regardless
of platform, computer program, or language. Unicode encompasses a number of encodings. In this
document, Unicode refers to UTF-16 (Unicode 16-bit Transformation Format). Currently more than
100 Unicode code pages are available. Because EnCase applications support Unicode, investigators can
search for and display Unicode characters, and thus support more languages.
EnCase also supports code pages, which describe character encodings for a particular language or set of languages that use the same superset of characters. In some cases, it is necessary to assign a code page to properly display the language. Thus, EnCase supports both Unicode character sets that do not require a code page and legacy character encodings (for example, ISO Latin, Arabic, and Chinese) that do require a specific code page to display properly. You only need to use a code page in EnCase when your non-English document contains a set of these legacy character mappings.
Other character codes besides 16-bit Unicode are supported for working with non-Unicode non-English-language text.
Working with non-English languages typically involves performing these tasks:
• Changing the default Code Page. See Changing the Default Code Page on page 257.
• Adjusting the date format. See Setting the Date Format on page 258.
• Assigning a Unicode font. See Assigning a Unicode Font on page 258.
• Creating non-English language search terms
• Bookmarking non-English language text
• Viewing Unicode files. See Viewing Unicode Files on page 258.
• Viewing Non-Unicode files
Global internationalization settings are located in the Options dialog. From this tab you can configure
EnCase to display non-English characters in status bars and tabs, dialogs, tables, data views (including
text, hex, transcripts), and in the EnScript script editor.
• Unicode specifies little-endian Unicode. If UTF-7 or UTF-8 is used, select Other, not
Unicode.
• Unicode Big-Endian specifies big-endian Unicode.
• Other lets you select a specific code page from the list.
3. Select the appropriate option and click OK.
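The encoding choice above decides which byte pattern a keyword search actually looks for. The following added example (not EnCase code) encodes one term the three ways the Options dialog distinguishes, plus one legacy code page, and scans a constructed buffer to show which forms a search limited to one option would find or miss; the code page names and the sample data are assumptions.

```python
"""Show how the same search term looks in UTF-16LE ("Unicode"), UTF-16BE
("Unicode Big-Endian"), UTF-8 and a legacy code page ("Other"), and which of
those forms a byte search finds. Added illustration, not EnCase's own code."""

# Labels follow the Options dialog; the codecs behind them are the assumption.
# Windows-1251 (Cyrillic) stands in for "Other" with a specific code page.
ENCODINGS = {
    "Unicode": "utf-16-le",
    "Unicode Big-Endian": "utf-16-be",
    "Other (UTF-8)": "utf-8",
    "Other (Windows-1251)": "cp1251",
}


def keyword_byte_patterns(term):
    """Return {option label: bytes} for each encoding of term.
    A legacy code page that cannot represent the term maps to None, which is
    the case where selecting that code page can never produce a hit."""
    patterns = {}
    for label, codec in ENCODINGS.items():
        try:
            patterns[label] = term.encode(codec)
        except UnicodeEncodeError:
            patterns[label] = None
    return patterns


def find_keyword(buffer, term):
    """Scan buffer for every encoded form of term.
    Returns a sorted list of (byte offset, option label) for each hit."""
    hits = []
    for label, pattern in keyword_byte_patterns(term).items():
        if not pattern:
            continue
        pos = buffer.find(pattern)
        while pos != -1:
            hits.append((pos, label))
            pos = buffer.find(pattern, pos + 1)
    return sorted(hits)


# Constructed sample: the Russian word "улика" (evidence) stored three ways,
# separated by filler, as fragments of different files might sit in slack or
# unallocated space. No big-endian copy is present on purpose.
TERM = "улика"
SAMPLE = (b"\x00" * 16 + TERM.encode("utf-16-le") + b"\xff" * 8
          + TERM.encode("cp1251") + b"\x00" * 8 + TERM.encode("utf-8"))

if __name__ == "__main__":
    for offset, label in find_keyword(SAMPLE, TERM):
        print(f"offset {offset:3d}: matched with option {label!r}")
    # A search configured only for "Unicode" would report just the first hit.
```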
Text Styles
The display of non-English language content is controlled by both the typeface of the content and the text style applied to the content. A text style applies various attributes to fonts, including:
• Line wrapping
• Line length
• Replacement character
• Reading direction
• Font color
• Class of encoding
• Specific encoding
Text styles are global and can be applied to any case after they are defined. Text styles are applied in
the Text and Hex panes. See Changing Text Styles on page 105.
1. Click Start > Control Panel > Region and Language Options.
The Regional Options tab of the Regional and Language Options dialog displays.
1. Click Start > All Programs > Accessories > System Tools > Character Map.
2. The Character Map utility displays.
3. Click the desired character, then click Select.
4. The character is added to the Characters to Copy box.
5. Repeat step 2 to add more characters.
6. Click Copy, then paste the characters where you want to use them.
CHAPTER 15
Using LinEn
In This Chapter
Overview
Overview
The LinEn™ utility is an acquisition tool for creating evidence files using a Linux "live" CD that does
not alter any potential evidence on the drives to be acquired. You run the LinEn CD on a Linux
operating system to perform drive-to-drive and crossover acquisitions.
LinEn runs in 32-bit mode, independently of the Linux operating system to quickly acquire data from
a large set of devices.
The Creating ISO progress bar displays on the Copy Files dialog. Once the modified ISO file is
created, the wizard closes.
6. Burn the ISO file onto a blank CD/DVD using the disk burning software of your choice.
You now have a boot disk to run Linux and LinEn while you acquire the subject Linux device.
Crossover cable acquisitions require both a subject and forensic machine. This type of acquisition also
negates the need for a hardware write blocker. It may be desirable in situations where physical access
to the subject machine's internal media is difficult or not practical. This is the recommended method
for acquiring laptops and exotic RAID arrays. This method is slower than a drive-to-drive acquisition
because data is transferred over a network cable, making it especially sensitive to the speed of the
network cards housed in both machines.
Note: If there are too many drives and/or partitions to display, you will see a warning message.
3. Click Acquire.
4. Choose the physical drive or logical partition you want to acquire. The Acquire Device <drive>
dialog displays.
5. Enter the full path and file name for the acquired evidence file, then click OK.
6. Optional: Provide an alternate path in the event that the output path from step 5 runs out of
disk space.
7. Click OK.
11. Enter a name for the evidence file (maximum 50 characters), then click OK.
12. Verify that the current date and time stamp are accurate, then click OK.
13. Enter a brief note (maximum 200 characters), then click OK.
15. Choose whether to perform a hash of the evidence file after acquisition. The two hash
algorithms are MD5 and SHA1.
17. Specify the total sectors to acquire, then click OK. By default, the field prepopulates with the
maximum number of sectors of the drive or partition.
18. Specify the maximum file size (in megabytes) for the evidence file and segment files, then click
OK. By default, the field prepopulates with a maximum size of 640 megabytes.
19. Specify the block size for the evidence file, then click OK. By default, the field prepopulates
with a block size of 64 sectors.
21. Enter the number of worker threads, then click OK. These threads perform compression on
the buffer.
22. Enter the number of reader threads, then click OK. These threads read from the device and fill
in a data buffer.
25. When the acquisition is complete, click OK. The LinEn main window displays. The subject has
been acquired and is stored on the storage drive.
26. Connect the storage drive to the investigator's machine.
27. Add the EnCase evidence file using the Sessions Sources dialog of the Add Device wizard. See
Completing the Sessions Sources Dialog.
During the acquisition or hashing process, a pipe character (|) prints to the console for each percentage
completed.
There are two ways to provide necessary information to LinEn:
• Command line options
• Configuration file
Command line option    Configuration file name   Description
-p <Evidence Path>     EvidencePath              Path and file name of the evidence to be created (maximum 32,768 characters)
-m <Evidence Name>     EvidenceName              Name of evidence within the evidence file (maximum 50 characters)
-l <Max File Size>     MaxFileSize               Maximum file size of each evidence file (in MB: minimum 1, maximum 10,485,760)
-b <Block Size>        BlockSize                 Sectors per block for the evidence file (minimum 1, maximum 1024)
-cl                    CommandLine               Do not ask for required values, just error out
-date <date/time>                                Lets the user input the correct date/time. Must be quoted in the format "MM/dd/yy hh:mm:sstt" or "MM/dd/yy hh:mmtt" (where tt is AM or PM).
Configuration File
You can create a configuration file to fill in some or all of the variables. The configuration file needs to
be in the format OptionName=Value. All of these options have the same restrictions as their
command line counterparts.
Options for the configuration file are:
Notes Notes
Note: Any options specified on the command line take precedence over those in the configuration file.
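The following added example (not LinEn's own code) reads an OptionName=Value configuration file and a command line, merges them with the documented precedence (command line over configuration file over the interactive defaults of 640 MB segments and 64-sector blocks), and applies the limits from the options table. Which options are required, the `Date` and `Notes` configuration names, the `#` comment syntax, and the sample values are assumptions.

```python
"""Merge LinEn-style command line options with an OptionName=Value
configuration file. Added illustration; not LinEn's own implementation."""
from datetime import datetime

# Command line flag -> configuration file option name (from the options table).
FLAG_TO_OPTION = {"-p": "EvidencePath", "-m": "EvidenceName",
                  "-l": "MaxFileSize", "-b": "BlockSize"}

# (kind, minimum, maximum) as quoted in the options table. The Notes limit
# comes from the interactive prompt ("brief note, maximum 200 characters").
LIMITS = {
    "EvidencePath": ("len", 1, 32768),
    "EvidenceName": ("len", 1, 50),
    "MaxFileSize": ("int", 1, 10485760),
    "BlockSize": ("int", 1, 1024),
    "Notes": ("len", 0, 200),
}
DEFAULTS = {"MaxFileSize": "640", "BlockSize": "64"}   # interactive defaults
REQUIRED = ("EvidencePath", "EvidenceName")             # assumption
DATE_FORMATS = ("%m/%d/%y %I:%M:%S%p", "%m/%d/%y %I:%M%p")  # MM/dd/yy hh:mm:sstt, MM/dd/yy hh:mmtt


def parse_config(text):
    """Parse OptionName=Value lines. Blank lines and '#' comments are skipped
    (an assumption; the page only documents the OptionName=Value form)."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected OptionName=Value")
        name, value = line.split("=", 1)
        options[name.strip()] = value.strip()
    return options


def parse_command_line(argv):
    """Translate -p/-m/-l/-b/-date/-cl into the configuration option names."""
    options, i = {}, 0
    while i < len(argv):
        flag = argv[i]
        if flag == "-cl":
            options["CommandLine"] = "true"
            i += 1
            continue
        if flag != "-date" and flag not in FLAG_TO_OPTION:
            raise ValueError(f"unknown option {flag}")
        if i + 1 >= len(argv):
            raise ValueError(f"{flag} requires a value")
        options["Date" if flag == "-date" else FLAG_TO_OPTION[flag]] = argv[i + 1]
        i += 2
    return options


def parse_linen_date(value):
    """Accept either documented quoted date/time layout."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"date must be MM/dd/yy hh:mm:sstt or MM/dd/yy hh:mmtt, got {value!r}")


def resolve_options(argv, config_text):
    """Return (validated options, names of required options still missing).
    Later dicts win: config file beats defaults, command line beats config."""
    merged = {**DEFAULTS, **parse_config(config_text), **parse_command_line(argv)}
    missing = [name for name in REQUIRED if name not in merged]
    if missing and "CommandLine" in merged:
        # -cl: do not prompt for required values, just error out.
        raise ValueError("missing required options: " + ", ".join(missing))
    resolved = {}
    for name, value in merged.items():
        if name in LIMITS:
            kind, lo, hi = LIMITS[name]
            if kind == "int":
                if not value.isdigit() or not lo <= int(value) <= hi:
                    raise ValueError(f"{name} must be an integer between {lo} and {hi}")
                value = int(value)
            elif not lo <= len(value) <= hi:
                raise ValueError(f"{name} must be {lo} to {hi} characters")
        elif name == "Date":
            value = parse_linen_date(value)
        resolved[name] = value
    return resolved, missing


# Constructed sample configuration file; MaxFileSize here is overridden by -l.
SAMPLE_CONFIG = """# constructed sample linen configuration
EvidencePath=/mnt/storage/case001/disk0.E01
EvidenceName=Subject laptop disk
MaxFileSize=2048
Notes=Acquired from laptop, evidence bag 7
"""

if __name__ == "__main__":
    opts, _ = resolve_options(["-l", "640", "-b", "64", "-date", "03/14/12 02:30:00PM"],
                              SAMPLE_CONFIG)
    for name, value in opts.items():
        print(f"{name}={value}")
```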
Once the selected operation is complete, results print to the console. Read errors and read error sectors
show only if there are actual errors.
Hashing Results
Name: <EvidenceName>
Sectors: 0-<TotalSectors>
MD5 Value: <Md5Value>
SHA1 Value: <SHA1Value>
Read Errors: <ReadErrors> The hash value may not be accurate
Read Error Sectors: <start1>-<stop1>, <start2>-<stop2>, etc.
Acquisition Results
<EvidenceName> acquired to <EvidencePath>
Elapsed Time: <ElapsedTime>
MD5 Value: <Md5Value>
SHA1 Value: <SHA1Value>
Read Error Sectors: <start1>-<stop1>, <start2>-<stop2>, etc.
Mode Selection
LinEn starts up in BIOS mode. A disk acquired in this mode reports only the disk size as seen and translated by the BIOS. As a result, no data contained in a DCO (Device Configuration Overlay) is seen or reported. The Mode selection in LinEn provides a solution.
Notice Disk1 in the figure. It shows a disk size of 26.8 GB. If this is acquired now, only that quantity of
data is identified.
The Linux distribution in use must support Direct ATA mode for this function to work.
To test for the presence of a DCO:
1. Start LinEn in the normal manner on a computer that supports Direct ATA. The main screen
shows a Mode button.
2. Enter M to select Mode. A second screen displays offering three acquisition selections:
• BIOS
• ATA
• Cancel
If a DCO is present on the disk, the original LinEn screen reports the correct disk size and the
correct number of sectors. Disk1 in the following illustration shows the true disk size, 75.5 GB.
4. Navigate to the folder where LinEn resides and type ./linen in the console to run LinEn.
6. On the forensic machine, specify an IP address of 10.0.0.1 for the subject machine.
7. Launch EnCase on the forensic machine.
8. On the Home page, create a new case or open an existing case.
9. Click Add Evidence > Add Crossover Preview.
10. Select Network Crossover, and click Select.
11. Select the physical disk or logical partition to acquire or preview and click OK.
You can preview and acquire the contents of the device through EnCase. For more information about
acquisition, see Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) (on
page 57) and Acquiring a Disk Running in Direct ATA Mode (on page 59).
Evidence Verification
Verify Menu Option
Status Reporting
The status screen contains a Verify option, indicating whether the evidence file will be verified
after acquisition.
The status bar at the bottom of the screen displays the number of bytes read and written, as
well as percent complete.
After acquisition, the Acquisition Completed dialog shows compression percentage.
2. Click Hash.
3. Select a drive, then click OK. The Start Sector dialog displays.
4. Specify a start sector to hash, then click OK. By default, the field prepopulates with a start
sector of 0.
5. Specify a stop sector to hash, then click OK. By default, the field prepopulates with a stop
sector of the last sector of the drive or partition being analyzed.
6. Select an algorithm to use in performing the hash. The options are MD5 and SHA1.
7. A hash value is calculated for the selected sectors. You can save this hash value to a file.
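The hash procedure above and the Hashing Results layout printed after it are illustrated by the following added example (not LinEn's own code): it hashes an inclusive sector range with MD5 and SHA1, reading one block of sectors at a time, records unreadable sectors as start-stop ranges, and prints the results in the documented layout. The 512-byte sector size, the sample image, and the choice to hash an unreadable sector as zero filler are assumptions; the filler is exactly why the page warns that a hash computed over read errors may not be accurate.

```python
"""Hash a sector range the way the LinEn Hash option is described, and render
the Hashing Results block. Added illustration, not LinEn's implementation."""
import hashlib

SECTOR_SIZE = 512  # assumption: conventional 512-byte sectors


def collapse_ranges(sectors):
    """Turn sorted sector numbers into inclusive ranges: [5, 6, 7, 12] -> [(5, 7), (12, 12)]."""
    ranges = []
    for n in sectors:
        if ranges and n == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return ranges


def hash_sector_range(read_sector, start, stop, block_sectors=64):
    """Hash sectors start..stop inclusive, reading block_sectors per pass
    (the default block size is 64 sectors). read_sector(n) returns SECTOR_SIZE
    bytes or raises OSError. Unreadable sectors are hashed as zero filler (an
    assumption) and reported, since whatever filler is used, the digest no
    longer represents the data actually on the disk."""
    if start < 0 or stop < start:
        raise ValueError("stop sector must not precede start sector")
    md5, sha1, bad = hashlib.md5(), hashlib.sha1(), []
    for block_start in range(start, stop + 1, block_sectors):
        block_end = min(block_start + block_sectors - 1, stop)
        chunk = bytearray()
        for n in range(block_start, block_end + 1):
            try:
                chunk += read_sector(n)
            except OSError:
                bad.append(n)
                chunk += bytes(SECTOR_SIZE)
        md5.update(chunk)
        sha1.update(chunk)
    return {"sectors": (start, stop), "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "read_errors": len(bad), "read_error_sectors": collapse_ranges(bad)}


def format_hashing_results(name, result):
    """Render the Hashing Results block; error lines appear only when errors occurred."""
    lines = ["Hashing Results", f"Name: {name}",
             f"Sectors: {result['sectors'][0]}-{result['sectors'][1]}",
             f"MD5 Value: {result['md5']}", f"SHA1 Value: {result['sha1']}"]
    if result["read_errors"]:
        lines.append(f"Read Errors: {result['read_errors']} The hash value may not be accurate")
        lines.append("Read Error Sectors: "
                     + ", ".join(f"{a}-{b}" for a, b in result["read_error_sectors"]))
    return "\n".join(lines)


# Constructed 256-sector sample image; sectors 100-102 are made unreadable.
SAMPLE_IMAGE = bytes(range(256)) * 512
BAD_SECTORS = {100, 101, 102}


def sample_reader(n):
    if n in BAD_SECTORS:
        raise OSError(f"read error at sector {n}")
    return SAMPLE_IMAGE[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


if __name__ == "__main__":
    print(format_hashing_results("sample disk", hash_sector_range(sample_reader, 0, 255)))
```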
3. In the user interface, select the Help button, then press Enter.
Overview
EnCase Decryption Suite (EDS) enables the decryption of encrypted files and folders by domain and
local users. You can use EDS on the following forms of encryption:
Disk and volume encryption
• Microsoft BitLocker
• GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption
• Utimaco SafeGuard Easy
• McAfee SafeBoot
• WinMagic SecureDoc Full Disk Encryption
• PGP Whole Disk Encryption
• Checkpoint FDE (Full Disk Encryption)
File based encryption
• Microsoft Encrypting File System (EFS)
• CREDANT Mobile Guardian
• RMS
Mounted files
• PST (Microsoft Outlook)
• S/MIME encrypted email in PST files
• NSF (Lotus Notes)
• Protected storage (ntuser.dat)
• Security hive
• Active Directory 2003 (ntds.dit)
• EnCase Logical Evidence File Version 2 Encryption
(Support matrix; the column headings were not preserved in this extract.)
GuardianEdge Encryption Anywhere          X   X   X
GuardianEdge Full Disk Encryption         X   X   X
Utimaco SafeGuard Easy                    X   X
Mobile Guardian Offline                   X   X
Microsoft BitLocker                       X   Key
Microsoft Encrypting File System (EFS)    X   Keys
ZIP                                       X
S/MIME                                    X   PFX
3. The second Analyze EFS dialog displays with the Documents and Settings Path and Registry
Path fields populated by default. For unusual system configurations, data disks, and other
operating systems these values will be blank. You can modify them to point to the user profile
folders and/or the registry path.
6. When you are done reviewing the EFS status, click Finish.
Note: Analyze EFS can also pop up the Syskey and Password Recovery Disk screens.
Missing Images
If images that should have rendered display as blank, select the arrow dropdown menu in Evidence
view and click Clear invalid image cache.
Enter Items
Enter Syskey
You can enter Syskey information before running the Analyze EFS wizard, or afterwards if the wizard
is already completed.
1. Click View > Secure Storage.
EnCase Decryption Suite 293
2. Click on the right-sided menu for the Table tab and click Enter Items...
3. Select the location of the Syskey (for example, a file path or a floppy disk) or enter the
password manually.
4. Click OK.
User Password
If you know the user's password:
1. Right click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the User Password tab.
3. Enter the password.
4. Click OK.
If the Syskey is password protected and you do not know the password, an attack on the SAM file for
user passwords cannot succeed, because the password hashes stored in the SAM are themselves
encrypted with a key derived from the Syskey. This is a rare situation; most Windows machines do not
have a protected Syskey. EDS includes a dictionary attack option to get past a protected Syskey. You can
obtain dictionary files from a number of sources. To access the setup, right click the root of Secure
Storage and select Dictionary Attack.
During the Analyze EFS scanning of the registry, EnCase alerts you if the Syskey is password
protected or has been exported to a floppy disk. In these cases, the Analyze EFS wizard prompts you
to enter the Syskey password and/or insert the floppy disk containing the Syskey or browse to the
Syskey file location. The Syskey file is called startkey.key, and you should examine any floppy
disks collected at a scene for the presence of this file. If the Syskey file is recovered on a floppy disk, it
can be copied/unerased from EnCase to the examination machine, and you can browse to the
startkey.key location. This process is the same as when you use the Password Recovery Disk.
3. Click the option button, File or Floppy, where the file is located.
4. Enter the path or browse to it, then click OK.
15. Enter the Password in the next prompt, then click OK.
A status screen confirms successful completion and the Private Key displays in the Secure
Storage tab.
4. Click OK.
5. The .PFX cert is decrypted and stored in Secure Storage.
Associate Selected
To associate *nix users with volumes:
1. Click View > Secure Storage.
2. Click on the right-sided menu for the Table tab and click Associate Selected...
4. Expand the Volumes tree and select the volumes that you want to associate.
Once these steps are completed, SafeBoot displays in the Help/About screen.
Note: If no EDS cert is found or the integration dlls are not properly installed, the physical device
mounts, but the encrypted file structure cannot be parsed. Since SafeBoot overwrites the original MBR
only for the boot disk, always preview the boot disk first, then preview any other disk in a multi-disk
machine configuration.
To acquire a SafeBoot encrypted device:
1. Use the Add Device wizard to add the physical device.
2. In the Evidence tab, click the device under the Name column.
3. When prompted, select the appropriate encryption algorithm from the list, then enter a user
name, server name, machine name, and password when in online mode.
The offline dialog is similar. The Online checkbox is blank and only the Machine Name,
Transfer Database field, and Algorithm are available:
4. Save the case once a successful decryption is complete. The credentials entered in the dialog
are stored in Secure Storage, eliminating the need to enter them again.
When a decryption is successful, the Tree pane shows a SafeBoot folder, the Table pane contains a list
of decrypted files while the Text pane shows contents of a decrypted file.
The next figure shows the same files as they display encrypted.
1. In the SGE credentials dialog, enter a user name but leave the password blank.
2. Click OK.
3. A Challenge Response dialog displays with the challenge code in blue. Keep this dialog open
while performing the next steps.
6. Click Next to begin generating a one time password (OTP). The Authorization Account dialog
displays.
8. Enter the User ID that was used to derive the challenge code, then click Next.
9. The Challenge Code dialog displays. Enter the challenge code generated by EnCase from step
3.
12. The Summary dialog displays with the response code in blue.
13. In the EnCase dialog from step 3, select the code length and enter the response code to enable
decryption of the selected encrypted evidence.
Workarounds
There are two workarounds for this problem. The first solution:
1. Obtain both disks.
• The internal disk holding the SafeGuard Easy kernel (disk 1)
• The external (that is, non-bootable) disk (disk 2)
2. Open the kernel on disk 1. You can then access disk 2.
The second solution:
1. Obtain a SafeGuard Enterprise (SGN) kernel backup file of disk 1.
2. Restore disk 1 to an empty disk.
3. Add the non-bootable disk as disk 2. The information in the newly restored kernel gives you
access to disk 2.
2. Click Next.
3. The following dialog, which provides the Password in the text field, displays:
4. Click Finish to decrypt the selected disk. The following figure shows a successful decryption;
note the folder tree in the Evidence tab, and the dlls listed in the Table tab:
5. If the decryption was unsuccessful or the user canceled the dialog, the screen would appear as
follows. Note that the highlighted string "Protect!" in the View pane is a Check Point indicator
that the disk is encrypted.
Challenge-Response Authentication
1. Selecting the disk in Evidence > Table displays the same initial dialog as the user name and
password authentication dialog:
2. Click Next.
3. The following dialog indicates that the Challenge-Response form of Check Point Full Disk
Authentication was used to encrypt the selected disk. Use the Check Point tool to generate a
response for the challenge shown in the dialog. Copy the Response from the tool into the
EnCase dialog.
4. Click Finish. If the EnCase Evidence tab and Table view appear as they do below, with no
partitions, folders, or files visible, and the "Protect!" string visible in the View pane, then the
decryption was unsuccessful (or the user canceled the dialog). It is possible that the Response
is incorrect or that Check Point is unable to decrypt the selected disk.
These keys are matched by Key Protector GUID in the BitLocker metadata.
3. The Recovery Key option button is selected by default. Browse to the location of the required
.BEK recovery key.
4. Browse to the folder containing BitLocker keys and select the specified .BEK file.
5. Click OK.
5. Find and open the .TXT file that matches the Password ID.
6. Copy and paste the recovery password into the BitLocker Credentials dialog.
7. Click OK.
This picture shows Secure Storage after the Analyze EFS process:
Once you preview a machine's disk or open an evidence file, the Master Boot Record (MBR) is checked
against known signatures to determine whether the disk is encrypted. The SecureDoc signature is
WMSD.
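The signature check described above, as an added example that is not EnCase code: it searches the MBR for the WMSD string the manual gives for SecureDoc and for the "Protect!" indicator the Check Point section associates with an encrypted disk (the manual does not document offsets, so the sector is searched rather than read at a fixed position; that is an assumption), then walks the MBR partition table and checks each volume boot record for the BitLocker OEM ID "-FVE-FS-", which the manual does not mention but is the BitLocker volume signature. The sample disk images are constructed.

```python
SECTOR = 512
PARTITION_TABLE = 0x1BE           # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"      # bytes 510-511 of a valid MBR or VBR

# Strings the manual names as indicators. Their offsets are not documented,
# so the MBR is searched for them rather than read at a fixed position
# (assumption).
MBR_SIGNATURES = {
    b"WMSD": "WinMagic SecureDoc",
    b"Protect!": "Check Point Full Disk Encryption",
}
# Not from the manual: a BitLocker volume carries the OEM ID "-FVE-FS-" at
# offset 3 of its volume boot record.
VBR_OEM_SIGNATURES = {
    b"-FVE-FS-": "Microsoft BitLocker",
}


def parse_mbr_partitions(mbr):
    """Return (number, type, lba_start, sector_count) for each used entry."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 55AA boot signature: not an MBR disk")
    parts = []
    for i in range(4):
        entry = mbr[PARTITION_TABLE + 16 * i:PARTITION_TABLE + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue
        lba = int.from_bytes(entry[8:12], "little")
        count = int.from_bytes(entry[12:16], "little")
        parts.append((i + 1, ptype, lba, count))
    return parts


def detect_encryption(image):
    """Report encryption indicators in a raw disk image given as bytes.

    Returns (location, product) pairs. An empty result means none of the
    known signatures was seen, not that the disk is plaintext.
    """
    hits = []
    mbr = image[:SECTOR]
    for sig, product in MBR_SIGNATURES.items():
        off = mbr.find(sig)
        if off != -1:
            hits.append((f"MBR offset 0x{off:X}", product))
    for number, ptype, lba, _count in parse_mbr_partitions(mbr):
        if ptype == 0xEE:
            hits.append((f"partition {number}", "GPT protective entry; walk the GPT instead"))
            continue
        vbr = image[lba * SECTOR:(lba + 1) * SECTOR]
        for sig, product in VBR_OEM_SIGNATURES.items():
            if vbr[3:3 + len(sig)] == sig:
                hits.append((f"partition {number} VBR at LBA {lba}", product))
    return hits


def build_sample_disk(mbr_marker=b"", vbr_oem=b"NTFS    ", part_lba=8, sectors=16):
    """Constructed 16-sector image: boot code carrying mbr_marker, one
    partition of type 0x07 starting at part_lba with the given OEM ID."""
    boot_code = (b"\x33\xC0\x8E\xD0" + mbr_marker).ljust(PARTITION_TABLE, b"\x00")
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
             + part_lba.to_bytes(4, "little")
             + (sectors - part_lba).to_bytes(4, "little"))
    mbr = boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE
    vbr = (b"\xEB\x52\x90" + vbr_oem).ljust(SECTOR - 2, b"\x00") + BOOT_SIGNATURE
    image = bytearray(sectors * SECTOR)
    image[:SECTOR] = mbr
    image[part_lba * SECTOR:(part_lba + 1) * SECTOR] = vbr
    return bytes(image)


if __name__ == "__main__":
    for name, disk in (("plain", build_sample_disk()),
                       ("securedoc", build_sample_disk(mbr_marker=b"WMSD")),
                       ("checkpoint", build_sample_disk(mbr_marker=b"Protect!")),
                       ("bitlocker", build_sample_disk(vbr_oem=b"-FVE-FS-"))):
        print(name, detect_encryption(disk) or "no known signature")
```

A signature hit tells you which credentials dialog to expect; a miss does not clear the disk, because products that encrypt behind a normal-looking boot sector, or a GPT disk whose volumes this MBR walk does not reach, show nothing here.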
Each SecureDoc user has a key file which can contain multiple keys encrypted using a password
associated with the file.
SecureDoc users have either administrator or user privileges:
• Administrators can encrypt/decrypt drives, reset passwords, add keys to a key file, etc.
• Users can only change their passwords.
An installer is provided to place these integration DLLs in %ENCASE%\Lib\WinMagic\SecureDoc:
SDForensic.dll
SDC.dll
SDUser.dll
Note: The integration is supported on the 32-bit version of EnCase.
1. When adding a SecureDoc disk, EnCase prompts for three credentials:
a. The path to the file containing the user keys (extension .dbk).
b. The password associated with the key file.
c. The path to the emergency disk folder corresponding to the physical disk under
examination.
2. Click the Users tab to go to the Internal Users page. Note which user displays the Recovery
icon associated with a user name.
3. Click the user name associated with the Recovery icon. The Internal User Information page
displays.
4. Click the Whole Disk Encryption button to see the machine associated with this user.
5. Click the WDRT icon.
6. The Whole Disk Recovery Token page displays. Note the token key consisting of 28
alphanumeric characters.
7. In EnCase, enter the token key in the Whole Disk Recovery Token field of the PGP Whole
Disk Encryption credentials dialog, then click OK.
Note: You can enter the token key with or without dashes.
6. In the User Access section at the bottom of the screen, export the key as an .asc file.
7. In EnCase, enter the full path to the .asc file in the Additional Decryption Key (ADK) Path
field, as well as the passphrase protecting the file, in the PGP Whole Disk Encryption
credentials dialog.
Click OK.
1. The dialog populates with a known user name and password, Server, Machine ID, and the
Shield CREDANT ID (SCID). Provided the credentials are correct, CREDANT files are processed and
decrypted with no further interaction.
Note: If the registry file is unencrypted, then the Server, Shield CID, and Machine ID are pre-
populated for the boot volume disk.
The offline dialog is similar. The Online checkbox is blank and the Machine ID and SCID fields are
unavailable.
2. Save the case once a successful decryption is complete. The credentials entered in the dialog
are stored in Secure Storage, eliminating the need to re-enter them.
The illustration below shows results of a successful decryption:
The Tree pane shows a CREDANT folder
The Table pane contains a list of decrypted files
The next illustration shows the same files as they appear unencrypted.
MUID: Machine ID for the target device (also known as the Unique ID or hostname)
3. Place the .bin file downloaded from the CREDANT server in a path accessible from the
Examiner machine. Open EnCase and create a new case or open an existing one. You must
have EnCase Decryption Suite installed on the Examiner machine that decrypts the
CREDANT-encrypted data.
Note: In legacy mode, you must execute this utility for each user targeted for investigation on the
target device while specifying the same output file. The keys for each user are appended to this output
file.
4. Acquire a device with CREDANT encrypted files, or load an evidence file into the case. The
Enter Credentials dialog displays, prompting you for only the Username, Password,
Server/Offline Server File, Machine ID, and Shield CREDANT ID (SCID) information.
Note: In Offline mode, the only information you must provide is the Password and Server/Offline
Server File (full path and filename to the .bin file downloaded using the CEGetBundle.exe utility).
When EnCase decrypts CREDANT encrypted files, the key information is placed in Secure Storage in
EnCase, and saved with the case. You do not have to re-enter this information.
5. Enter the path to the PFX certificate and the password, then click OK.
When parsing is complete and successful, a directory list displays. In the illustration, the folder is
entitled smime.p7m (S/MIME data arrives as an attachment of the email). In Entries view, the text of
the email is shown in the Text pane while the email's attachments appear in the Table pane.
3. Click OK.
4. Click OK.
Encrypted Block
The example below shows an encrypted block at offset 0x22000:
The decryption algorithm uses a seed that is based on the basic seed from the header and the block
offset.
Decrypted Block
Here is an example of a decrypted object map at offset 0x22000:
If the corresponding ID file cannot be parsed successfully, the Secure Storage is not populated with the
data needed to parse the locally encrypted NSF; thus, the Lotus volume is empty:
2. If more than one version of EnCase is listed, select the version you want to target.
3. Click Finish. If the installation is successful, this message displays:
4. Click OK.
MSO
1. Right click the MSO-protected file (that is, a Word document created with Office 2003) you
want to decrypt, then click View File Structure. This dialog opens:
OPC
1. Right click the OPC-protected file (that is, a Word document created with Office 2007) you
want to decrypt, then click View File Structure. This dialog opens:
In Windows 2000, however, the Master Key is protected by the user’s password hash with a
mechanism that slows down any attack. The Master Key protects the user’s private key. And the user’s
private key protects a key within the $EFS stream that allows for decryption of the EFS encrypted file.
Built-In Attacks
Specific items do have associated passwords. If they are not automatically retrieved, you can use a trial
and error mechanism. This may or may not succeed.
External Attack
Local users can be attacked with third party tools. There are freeware tools, and their performance is
much greater than EnCase because they can run on many computers at the same time and/or use
rainbow tables. EnCase can export the local user’s password hashes in the PWDUMP format that most
tools read. This is done from the User List.
User List
The User List of Secure Storage shows Local Users, Domain Users, Nix Users, and/or Nix Groups from
the local machine or evidence file. Information such as the following is also associated with each account:
• last logon date
• user SID
• NT hash
• LanManager hash
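The PWDUMP export mentioned under External Attack is plain text with one account per line in the form user:RID:LM hash:NT hash:::. As an added example, not EnCase code, the following Python reads such an export and triages it for an external cracker: accounts whose NT hash is that of the empty password need no cracking at all, and accounts that still carry a LanManager hash are the ones rainbow tables handle. The sample export and its non-empty hash values are constructed; the two empty-password constants are the well-known values.

```python
from dataclasses import dataclass

# Well-known hashes of the empty password. An LM field equal to EMPTY_LM means
# no LM hash is stored (the modern default); an NT field equal to EMPTY_NT
# means the account has a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX_DIGITS = set("0123456789abcdef")

# Constructed sample in PWDUMP format; the non-empty hash values are made up.
SAMPLE_EXPORT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:fedcba9876543210fedcba9876543210:89abcdef0123456789abcdef01234567:::
"""


@dataclass
class HashRecord:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def lm_present(self):
        return self.lm_hash != EMPTY_LM

    @property
    def blank_password(self):
        return self.nt_hash == EMPTY_NT


def _hash_field(value, name, lineno):
    value = value.lower()
    if len(value) != 32 or set(value) - HEX_DIGITS:
        raise ValueError(f"line {lineno}: {name} is not 32 hex digits: {value!r}")
    return value


def parse_pwdump(text):
    """Parse user:RID:LM-hash:NT-hash::: lines into HashRecord objects."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected user:RID:LM:NT:::")
        user, rid, lm, nt = fields[:4]
        records.append(HashRecord(user, int(rid),
                                  _hash_field(lm, "LM hash", lineno),
                                  _hash_field(nt, "NT hash", lineno)))
    return records


def triage(records):
    """Group accounts by how the external attack should treat them."""
    return {
        "blank_password": [r.user for r in records if r.blank_password],
        "lm_hash_present": [r.user for r in records
                            if r.lm_present and not r.blank_password],
        "nt_only": [r.user for r in records
                    if not r.lm_present and not r.blank_password],
    }


if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE_EXPORT)
    for bucket, users in triage(recs).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

The export is credential material from the evidence: keep it with the case, not on a shared cracking box, and delete it when the attack is finished.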
Integrated Attack
There are three different sources for words to be tested:
• Internal passwords: the password items already in Secure Storage.
• Dictionary words: the dictionary is a plain text file that can be in ANSI-Latin1 or UTF16.
Every word needs to be on its own line (it can contain any character, including spaces).
• Brute force: automatically generates words from an alphabet with a length in a given range.
There are four "mutators" that can be applied:
• Toggle Case: tries all the upper/lower case variations.
• Append Digits
• Prepend Digits
• Combine Words: the words are combined with each other. For example, if the dictionary
contains the words "old" and "dog", the result is these four words:
  • old
  • dog
  • olddog
  • dogold
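An added example, not EnCase code, of the word sources and mutators listed above: a dictionary loader that accepts ANSI Latin-1 or UTF-16 (detected by its byte-order mark) with one word per line, brute-force generation from an alphabet and length range, the four mutators, and a loop that feeds the candidates to a verifier. How EnCase orders or stacks its mutators is not documented, so here they apply in the order combine, toggle case, append digits, prepend digits, and the digit mutators add a single digit; both choices are assumptions.

```python
import itertools


def parse_dictionary(data):
    """Decode a dictionary file: UTF-16 if it starts with a byte-order mark,
    otherwise ANSI Latin-1. One word per line; words may contain spaces
    (leading and trailing ones included); blank lines are ignored."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("latin-1")
    return [line for line in text.splitlines() if line != ""]


def brute_force(alphabet, min_len, max_len):
    """Every string over alphabet with a length in [min_len, max_len]."""
    return ["".join(t) for n in range(min_len, max_len + 1)
            for t in itertools.product(alphabet, repeat=n)]


def toggle_case(word):
    """All upper/lower case variations of the letters in word."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return ["".join(t) for t in itertools.product(*options)]


def combine_words(words):
    """Ordered concatenations of two different words: old, dog -> olddog, dogold."""
    return [a + b for a in words for b in words if a != b]


def generate_candidates(words, toggle=False, append_digits=False,
                        prepend_digits=False, combine=False, digits="0123456789"):
    """Apply the selected mutators to the word list.

    Assumptions (the manual does not specify them): mutators stack in the
    order combine, toggle case, append digits, prepend digits, and the digit
    mutators add a single digit. Duplicates are dropped; first occurrence wins.
    """
    cands = list(words)
    if combine:
        cands += combine_words(words)
    if toggle:
        cands = [v for w in cands for v in toggle_case(w)]
    if append_digits:
        cands += [w + d for w in cands for d in digits]
    if prepend_digits:
        cands += [d + w for w in cands for d in digits]
    return list(dict.fromkeys(cands))


def run_attack(candidates, verify):
    """Feed candidates to verify(candidate) -> bool in order.

    Returns (hit, tried): the first accepted candidate (or None) and how many
    were tried, so the run can be logged in the case notes.
    """
    tried = 0
    for cand in candidates:
        tried += 1
        if verify(cand):
            return cand, tried
    return None, tried


if __name__ == "__main__":
    # Constructed dictionary bytes standing in for a UTF-16 dictionary file.
    words = parse_dictionary("old\ndog".encode("utf-16"))
    cands = generate_candidates(words, combine=True, toggle=True, append_digits=True)
    print(len(cands), "candidates, for example", cands[:6])
    print(run_attack(cands, lambda c: c == "DogOld7"))
```

Toggle Case alone multiplies a word by 2 to the power of its letter count, and stacking it under the digit mutators multiplies again, so check the candidate count before starting a run against a slow verifier such as a Syskey or EFS key derivation.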
Third-Party Tools
VFS Server
Troubleshooting
Overview
The Virtual File System (VFS) module allows investigators to mount computer evidence as a read-
only, offline network drive for examination through Windows Explorer. The feature allows
investigators several examination options, including using third-party tools to examine evidence
served by EnCase.
For users of EnCase Forensic, the VFS module enables the use of third-party tools against hard drives
previewed through a FastBloc device or a crossover cable, including deleted files.
This mount level is helpful to examine files in paths that exceed the Windows MAX_PATH limit of 260
characters for the full path and name of a file.
Using the Server extension, you can also mount evidence to be shared with other investigators through
a LAN. The Virtual File System Server is discussed later in this manual.
Virtual File System 357
3. Click the Client Info tab to set the volume letter to be assigned to the network share in
Windows Explorer.
4. Windows Explorer assigns the next available volume letter by default. You can also use any
other unassigned letter.
Assigning a specific volume letter can be useful when attempting to virtually reconstruct a
mapped network drive, such as for a database:
• If you currently have mapped networked drives or if you allow Windows to assign the
drive letter, it takes a few seconds for Windows to query the system to find an available
drive letter
• If you specified an available volume letter, the mounting is virtually instantaneous.
A confirmation popup window informs you that the mount was successful with the volume letter. The
"shared hand" icon appears at the level you designated as the mount point for the shared drive.
You can mount at the device, volume, or folder level with VFS. To do this:
1. Select the Entry that you want to mount in the entry window and click on Mount As Network
Share through the Device pull down menu item and Share sub-menu item. In the example,
the BBasher entry is selected below to be mounted in Windows Explorer.
2. Windows Explorer view of the mounted Entry will look like that below.
Compound Files
You can mount several different compound files, including Microsoft Word, Excel, Outlook Express,
and Outlook, in the EnCase interface.
To do this:
1. Find the compound file that you want to view.
2. Perform a View File Structure on the compound file from the Entries dropdown menu.
In the example below, a View File Structure was performed on a Microsoft Word .doc file. After the
View File Structure operation is complete, a menu hyperlink appears in the entry name.
1. Click on the hyperlink and you will see the contents of the compound file shown below.
2. Mount the compound file by selecting Mount as Network Share from the Device dropdown
menu. The contents of the compound file will be shown in Windows Explorer, as shown
below.
VFS is a dynamic engine and will serve the data as it is presented by the EnCase software.
To view the original Word document file:
1. Close the mounted compound file.
2. In Windows Explorer, press F5 to refresh the screen.
If you have currently selected data within the compound file, an error message reports that the
data is no longer available, since it was closed inside EnCase.
3. Select the parent folder of the file to view and open the file.
Following is an example view of an encrypted evidence file when VFS is used in conjunction with
EDS:
The following is a view of the above encrypted file in its decrypted state when using VFS in
conjunction with EDS:
For more information on using the EDS Module to decrypt EFS protected files and folders, see the EDS
Module chapter of this document.
RAIDs
You can browse RAIDs mounted inside EnCase in Windows Explorer. In the example below, a
software RAID 5 comprised of three drives was mounted, then made available for browsing in
Windows Explorer with VFS.
Deleted Files
The VFS module allows you to view deleted and overwritten files in Windows Explorer.
An investigator may locate a file in Windows Explorer to view or analyze, but finds that it is not
possible to open the file. If a file does not open, review the original data in the EnCase interface to see
if the file is valid, and is not corrupted or partially overwritten.
If the partition table and file system cannot be read and interpreted when the device is loaded into
EnCase, the entire device can still be mounted with VFS and examined in Windows Explorer as
Unused Disk Area, including slack space.
Another option is to copy only slack area from evidence to the examination computer as a logical file:
1. Select the entry with slack space you want to examine.
2. Select Copy Files from the Entries dropdown menu.
3. Select the All selected files button under From, and the Merge into one file button under To,
and click Next.
4. In the Copy section of the Options screen, select RAM and Disk Slack to copy the RAM slack
(also known as sector slack) and the Disk Slack (also known as cluster slack).
5. Select the appropriate Character Mask option for non-ASCII characters, or leave the default
and click Next.
6. Set the destination path and the name of the file to contain the slack and click Finish.
7. The progress of the copying process will show on the bottom right and the results will be put
in the logs and the console.
The file containing the slack from the evidence is now available for examination by third-party utilities
on the local examination machine. In the example below, a file is open in WordPad.
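As an added example, not EnCase code, of what the RAM and Disk Slack options above copy: given a file's logical size, the sector size and the cluster size, the code computes where the two slack regions fall in the file's cluster run and extracts them into one byte string, the way "Merge into one file" does, with a simple Character Mask option that replaces non-printable bytes. The 512-byte sectors, 4096-byte clusters and the sample cluster run are constructed for the demonstration.

```python
SECTOR_SIZE = 512       # assumptions for the demonstration
CLUSTER_SIZE = 4096
SAMPLE_FILE_SIZE = 1000


def allocated_size(file_size, cluster_size=CLUSTER_SIZE):
    """Bytes reserved for the file: whole clusters, none for an empty file."""
    if file_size == 0:
        return 0
    return -(-file_size // cluster_size) * cluster_size


def slack_regions(file_size, sector_size=SECTOR_SIZE, cluster_size=CLUSTER_SIZE):
    """Locate both slack regions as (start, end) byte offsets from the start
    of the file's cluster run, or None where a region is empty.

    RAM slack (sector slack): from the logical end of file to the end of the
    sector that contains it.
    Disk slack (cluster slack): the unused whole sectors from there to the
    end of the last allocated cluster.
    """
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a whole number of sectors")
    alloc = allocated_size(file_size, cluster_size)
    if alloc == 0 or alloc == file_size:
        return None, None
    sector_end = -(-file_size // sector_size) * sector_size
    ram = (file_size, sector_end) if sector_end > file_size else None
    disk = (sector_end, alloc) if alloc > sector_end else None
    return ram, disk


def extract_slack(cluster_run, file_size, sector_size=SECTOR_SIZE,
                  cluster_size=CLUSTER_SIZE, ram=True, disk=True, mask=False):
    """Copy the selected slack out of the raw bytes of the file's clusters
    into one byte string. mask=True applies a simple Character Mask:
    non-printable and non-ASCII bytes become '.'."""
    alloc = allocated_size(file_size, cluster_size)
    if len(cluster_run) < alloc:
        raise ValueError("cluster run is shorter than the file's allocation")
    ram_r, disk_r = slack_regions(file_size, sector_size, cluster_size)
    out = b""
    if ram and ram_r:
        out += cluster_run[ram_r[0]:ram_r[1]]
    if disk and disk_r:
        out += cluster_run[disk_r[0]:disk_r[1]]
    if mask:
        out = bytes(b if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) else 0x2E
                    for b in out)
    return out


def sample_cluster_run():
    """Constructed 4096-byte cluster holding a 1000-byte file: the RAM slack
    is zero-filled and the disk slack still holds remnants of an earlier file."""
    content = b"A" * SAMPLE_FILE_SIZE
    ram_slack = b"\x00" * 24
    disk_slack = b"OLD SECRET".ljust(CLUSTER_SIZE - 1024, b"\xff")
    return content + ram_slack + disk_slack


if __name__ == "__main__":
    print("regions:", slack_regions(SAMPLE_FILE_SIZE))
    print("disk slack, masked:",
          extract_slack(sample_cluster_run(), SAMPLE_FILE_SIZE, ram=False, mask=True)[:16])
```

The two regions differ in provenance, which is why the option treats them separately: the sector slack is whatever the operating system wrote to pad the last sector, while the cluster slack is untouched disk content from whatever occupied those sectors before.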
In the example below, the /(root) partition is represented by the high-dot. The /home partition is
represented by ·home.
In this example, the / (root) partition of a Solaris workstation is mounted and the parent folder name
(the partition name) is displayed as the high-dot.
Note: Windows has a MAX_PATH limit of 260 characters for a full path and file name. This limitation may impact some
examinations in Windows Explorer, especially for Unix and Linux devices. In this situation, the investigator may need to
mount at the partition or folder level.
2. The thread bar at the bottom right will disappear indicating the evidence was successfully
dismounted.
• Open hidden and deleted files if Show hidden files and folders is enabled in Windows
Explorer (Folder Options in the Tools menu).
• Use the thumbnail viewer in Windows Explorer to view images in the manner seen by the
original user.
Note: To view hidden entries, it may be necessary to update your Windows Explorer settings to show all hidden files and
folders.
Third-Party Tools
Using VFS, investigators can examine evidence outside EnCase using third-party tools capable of
requesting and interpreting data from Windows Explorer. However, Guidance Software does not
certify the performance or accuracy of results obtained through any tools not developed by Guidance.
Malware Scanning
A frequent use for VFS is to mount computer evidence and scan for viruses, Trojans, and other
malware programs:
1. Mount the evidence through VFS either locally on the examination machine, or remotely
through VFS Server.
You can mount the evidence at the device, volume, or folder levels as described previously.
The "shared hand" icon indicates the level of the virtual file system mount.
The antivirus software can read the Virtual File System presented to Windows Explorer. The requested
data is served by EnCase to Windows Explorer, then to the program for scanning. In this case, the
MyDoom virus was found on the computer evidence mounted with VFS.
Because the VFS mount is read-only, the scanner can detect and report but cannot quarantine, clean, or
delete anything in the evidence, so run it in report-only mode. The examination reports and logs
generated by the third-party tools can then be reviewed and included in the investigator's report.
WordPad can open most text-based files to allow you to view the contents. In the example
below, a Linux file is opened with WordPad in Windows Explorer from an evidence file
mounted with VFS.
QuickView Plus
Another popular viewing program, QuickView Plus, can be used to view dozens of file formats,
without the native applications installed on the examination machine.
VFS Server
The VFS module has a server extension so that investigators can share the mounted evidence with
other investigators on the local area network/intranet through VFS. The extension enables clients to
mount the network share served by the VFS Server through a network connection, under the following
conditions:
• Only the machine that is running the VFS Server needs a security key (dongle) inserted.
• A security key is not required to connect to the VFS Server and access the served data in
Windows Explorer.
• The client machine(s) must have EnCase installed to access the VFS client drivers, but can run
in Acquisition mode.
• The number of clients that can connect to the VFS Server depends upon the number of VFS
Server connections purchased. This information is contained in the VFS Certificate or is
programmed into the security key.
To determine if the VFS Server is enabled and to view the number of available client connections, do
the following:
1. Select About EnCase from the Help menu.
2. If the VFS module is not listed, or the number of clients is insufficient, contact Guidance
Software Customer Service to purchase additional clients.
You have the option of creating a network share from any of the cases, drives, or folders
within it. This allows you to share only what is necessary.
5. Since this is the VFS Server machine, select Establish local server for the location on the Server
Info tab.
6. Enter a Port number or use the default of 8177. The Server IP Address is grayed out since the
server's IP address is the one assigned to the machine where the mount is taking place.
7. Note the server machine's IP address for use with the client.
8. Set the maximum number of clients who can connect to the server, with the default being the
maximum allowed by your VFS Server certificate.
Since VFS is mounting the evidence as a networked shared drive, the serving port must be assigned.
To allow recovery from errors in Windows, the VFS service runs for the life of the Windows session
from that port.
The VFS Server can also serve the data locally to the investigator's machine. Be aware that doing so
uses one of the server connections.
7. To also mount and view the shared drive locally, leave the Mount share locally box checked
and input a volume Letter.
By default, the volume letter field displays an asterisk, indicating that the next available drive
letter will be used. Mounting the share locally uses one of your VFS Server connections.
If you are only serving the share to remote clients, clear Mount share locally. The volume
letter is disabled.
The VFS Server mounts the share and allows connections on the assigned port. The shared hand icon
displays at the VFS mount point. You can continue your examination while it is shared. Performance
depends on the size and type of the examined evidence, processing power of the server and client
machines, and the bandwidth of the network.
Troubleshooting
Virtual File System is not listed under Modules
If you are using cert files, check to see that the VFS certificate is located in the proper Certs directory
(typically C:\Program Files\EnCase7\Certs).
Make sure the security key is installed and working properly (check the title bar to ensure that the
software is not in Acquisition mode). You do not need to have the security key installed on a machine
connecting to a remote VFS Server.
If you are using cert files, the certificate file is issued for a specific security key. Check the security key
ID to verify it is the correct one issued for the certificate.
Third-Party Tools
PDE Troubleshooting
Overview
The EnCase Physical Disk Emulator (PDE) module allows investigators to mount computer evidence
as a local drive for examination through Windows Explorer. The power of this feature is well
articulated in many forums. Most notably, this allows investigators many options in their
examinations, including the use of third-party tools with evidence served by EnCase.
We are committed to the concept of providing an integrated product to our customers. Third-party
tools continue to be developed to complement the core functions and features of EnCase, and
Guidance Software encourages their creation and use. PDE allows third-party access to all supported
computer evidence and file system formats. EnCase continues its evolution towards becoming a server
of forensic data, whether in an image file, a preview of an offline computer or hard drive, or a live
machine on a network.
Using PDE
1. Select the device you want to mount as Physical disk in the Entries window pane in EnCase
and click Mount as Emulated Disk through the Device menu item and Share submenu item.
Physical Disk Emulator 379
In the example below, an evidence file called BBasher.#01 is opened in EnCase and being
mounted as a physical disk.
The evidence file after being mounted looks like the example below in EnCase, Windows
Explorer, and Windows Disk Management control panel.
Cache Options
If a physical device or volume (not a CD) is selected, decide whether to cache data. By default, caching
is disabled. Use the write cache if programs need to access the files in an emulated read/write mode.
If cache is enabled, changes made by programs are sent to a separate cache file specified on your local
system.
1. To create a new write cache file for an EnCase Differential Evidence File, clear the Disable
caching checkbox.
2. Select Create new cache in the Cache Type group and specify a Write cache path.
3. To reuse a cache from an earlier session instead, select Use existing cache and ensure the
existing write cache file is specified in the Write cache path field.
If you choose to use an existing cache path, make sure to use a write cache file that was created with
the evidence you are currently mounting.
Caching is necessary for PDE to function with VMware. In this state, Windows caches file deletions
and additions. This is used to boot the drive with VMware as described later in this section. Caching is
also necessary when mounting certain volume types.
CD Options
If a CD is mounted, the CD Session to view option is enabled to specify which session on a multi-
session CD should display in Windows. The default session is the last session on the active CD, which
is the one normally seen by Windows.
1. To view a prior session, select that here.
2. Click OK to continue.
3. If a message displays saying the software you are installing has not passed the Windows Logo
test, click Continue Anyway.
This allows Windows to add the evidence file as a drive with its own drive letter.
1. In the EnCase interface, click Save emulated disk state from the Device menu and the Share
submenu.
The cache is saved in the path specified for write caching. Each time after the initial save, an instance
number is appended to the cache file. These cache files can later be used to remount the evidence in its
saved state, but you must have all of the preceding cache files, located in the same directory.
To end the emulation:
1. Double click the flashing Physical Disk Emulator indicator in the lower right of the application
window.
2. Click Yes in the Thread Status window to cancel the disk emulation.
The purpose of the final cache is to create a compressed and merged Differential Evidence File
(*.D01) containing the cached data. With the Save Emulated Disk State option selected, there are
multiple cache files for the same mounted evidence session. The final cache merges all these files. If
there is no need to save the final file, select Discard final cache.
Use the Differential Evidence File to open the evidence file and view the emulated disk with the
cached changes applied.
After the disk mounts, Windows Explorer reflects the cached changes.
When the device is dismounted, a status screen informs whether the disk was dismounted
successfully.
Third-Party Tools
Investigators with the PDE Module can use Windows Explorer to browse the structure of computer
evidence. They can also utilize third-party tools capable of requesting and interpreting data from
Windows Explorer to examine evidence outside of EnCase. Guidance Software does not certify the
performance or accuracy of results obtained through any tools not developed by Guidance.
Malware Scanning
A common use for EnCase PDE is to mount computer evidence for scanning for viruses, Trojans, and
other malware programs. First, mount the drive or volume from the evidence file through PDE.
In Windows Explorer, select the newly mounted drive (in this case, F:). If an antivirus program is
installed and integrated with Windows Explorer, it can be used to scan for viruses. The program reads
the emulated disk presented to Windows Explorer. EnCase serves the requested data to Windows
Explorer, then to the program for scanning.
Select the Disk Management option: right click My Computer in Windows, then select
Manage.
Note: There is currently an issue with VMware that prohibits VMware from booting a virtual machine located on a physical
disk that is preceded numerically by a SCSI, FireWire, or USB drive. For best results, ensure that only IDE drives are
plugged into the machine when you choose to mount as an emulated disk in the EnCase interface. This is easy to verify in
Disk Management. If you encounter a message stating "The specified device is not a valid physical disk device," it is most
likely a result of this issue. Do not use PDE to mount drives in an evidence file or preview of the local computer. Windows,
particularly XP, blue screens if it detects multiple instances of the same drive. Use only evidence files of other machines.
6. Select an operating system from the Version dropdown menu to identify the operating system
version installed on the evidence file, then click Next.
7. In the Name the Virtual Machine dialog, enter a virtual machine name.
As an option, you can click Browse to change the location for VMware's configuration files.
8. Click Next.
386 EnCase® Examiner Version 7.03
9. Assign the amount of memory for VMware to use, then click Next.
Selecting Do not use a network connection is recommended, in case malware is installed on the
machine the evidence file was created from.
11. Accept the default setting in the Select I/O Adapter Types dialog, then click Next.
13. Select the disk that represents the mounted drive using PDE.
14. Accept the default setting of Use Entire Disk, then click Next.
15. Use the default disk file specified in the Specify Disk File dialog, then click Finish.
If the disk file is not recognized as a Virtual machine, you can change the name of the file
(taking care to leave the .vmdk extension).
VMware returns to the main screen, showing the newly created virtual machine.
2. As with booting restored hard drives, the virtual machine may require a user name and
password to proceed.
3. Since popups (such as AOL Instant Messenger) can cause driver problems, save the state of
the virtual machine regularly.
What do I do if I see the message "The file specified is not a virtual disk" after running the New
Virtual Machine wizard?
After completing the new virtual machine wizard in VMware, you may receive an error message ("The
file specified is not a virtual disk."). This issue is with VMware, not EnCase. Running the new virtual
machine wizard again usually resolves this issue.
Note that any applications that were running when you suspended the virtual machine are still
running, and their content is the same as when you suspended it.
You can obtain additional VMware troubleshooting information from their knowledge base at
http://www.vmware.com/support/kb/enduser/std_alp.php?
PDE Troubleshooting
Physical Disk Emulator is not listed under modules when accessing About EnCase from the Help
menu
If you are using cert files, check to see that the PDE certificate is located in the Cert directory
(typically C:\Program Files\EnCase6\Certs).
Make sure the security key is installed and working properly (check the title bar to ensure that
the program is not in Acquisition mode).
If you are using cert files, check the security key ID to verify it is the correct one issued for the
certificate.
Although menus exist for PDE Server operation, it is not currently functional.
A message is encountered stating that PDE cannot remove the device when attempting to
dismount the device mounted
The error message may occur if Windows is accessing a file on the mounted device (for
example, the directory is opened in Windows Explorer or a file is opened in a third-party
application). To resolve the issue, close all Windows applications accessing the mounted
device, then click OK.
An error message is encountered stating that you need to reboot your machine, followed by a
"Rejected connection" message
This issue is due to the device driver not being released properly. The only way to resolve this
issue is to close all applications (including the EnCase application) and reboot the forensic
machine. You should not encounter the error again when the machine is rebooted.
Note: If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical
Services.
CHAPTER 19
FastBloc SE
In This Chapter
Overview
Troubleshooting
Overview
The FastBloc® SE (Software Edition) module is a collection of tools designed to control reads and
writes to a drive attached to a computer through USB, FireWire, or SCSI. It enables the safe
acquisition of subject media in Windows to an EnCase® evidence file.
When the FastBloc SE module's write-blocking capability is enabled, it ensures that no data are written to
or modified on a write-blocked device. Two modes are available:
Write Blocked: Files deleted from or added to the device appear in Windows as modified, but the
modifications are saved in a local cache, not on the device itself. This mode does not produce
errors when an application attempts to write to the drive.
Write Protected: A write protected device is protected against writes or modifications when
the device is attached to a PC. If writes or modifications to the device are attempted, Windows
responds with an error message.
4. Click Write Blocked. The progress bar indicates EnCase is waiting for a device to be inserted.
5. Insert the USB, FireWire, or SCSI device.
Note: Because some SCSI devices are not initially hot swappable, you may want to use a hot swappable
carrier to protect the device, such as the StarTech DRW150SCSIBK SCSI drive bay.
6. Click Close.
In the Choose Devices window, the device and volume (if present) on the write blocked
channel have a green box around the icon in the Name column, and a bullet appears in the
Write Blocked column for each.
2. Remove the device physically when the wizard confirms safe removal.
Troubleshooting
The Write Block option does not appear in the Tools menu
Check that the security key is in the machine. If the security key is missing or not functioning properly,
EnCase opens in Acquisition mode.
If the subject drive does not spin, or is making unusual sounds (whirring, clicking, etc.), the drive may
be defective and you may not be able to acquire it by normal methods.
If the subject drive is spinning, check the data cables. You may want to try using a 40-wire cable if you
are using an 80-wire cable.
Check the USB or FireWire port to ensure proper functioning: insert a known good device. Make sure
the port is recognized in Device Manager.
There are different hash values each time the drive is hashed
This indicates a failing drive. Because the number of sector errors increases each time, hash values
change. Since the first acquisition typically contains the least number of bad sectors, use that file for
analysis.
If the subject drive is in an enclosure when you try to acquire it, it may become hot during the
acquisition. Try removing the drive from the enclosure to keep it cooler, which may reduce the
number of sector errors.
CHAPTER 20
Deploying Servlets
Deploying OS X Servlets
Overview
To gather information from network machines, EnCase Enterprise uses servlets installed on the
individual machines. These servlets are verified by the SAFE using public/private-key cryptography
and are shown as running services on the target machines.
Once a servlet is deployed on the network machine, or node, it runs as a service with administrative
privileges and provides full access to the machine. After the SAFE server authenticates and verifies a
command from the examiner, the servlet executes it on the node machine.
Check In servlets can be used on machines outside your network over an Internet connection. To investigate
machines using a Check-In servlet, use the Sweep Enterprise EnScript program.
Port Configuration
By default, the servlet service uses port 4445 to listen for commands from the SAFE server.
A different port can be specified as part of the SAFE installation.
If the SAFE port number and the device port number do not match, the servlet port number
should be specified when configuring the SAFE and adding the machine to the network tab.
Non-default port numbers can be specified:
• Navigate to Add Evidence > Add Network Preview and click Add Text List at the top of
the Add Network Preview dialog.
• Enter the machine name or IP address in this dialog as [machine name or IP]:[Port number].
Guidance Software suggests that machines running on a non-standard port be individually
defined on the Network and Role tabs. By defining the machine on these tabs, the port
information is saved in the network tree, eliminating the need to type it in the Add Text List
dialog each time you connect to the node.
Be sure that the address of the device is specifically included, either individually or within a
range, in the Network tab.
Permissions must also be defined for that machine in the user role.
The servlet port number must be specified as detailed above when connecting. The servlet can be
installed using the -L switch to specify a different port number. See Deploying Windows Servlets on
page 401.
Linux Kernels 2.2 and newer with the Process File System (procfs)
The following variables are used in this chapter to refer to the specifics on your installation.
Variable Description
<node> Node machine name
<host path> Path on the SAFE machine where the servlet resides (typically C:\Program Files\EnCase SAFE\Servlets)
<servlet name> Name of the servlet or package for Solaris and AIX nodes
Deploying Servlets
Deploying servlets consists of using enterprise push technology to install the servlet on the remote
machine. All enterprise push technologies require an agent running on the target systems to deploy
and execute files.
The steps for deployment and execution depend on which file is used and by which method you
would like to have the servlet executed.
You can deploy and execute the servlet in a variety of ways:
• Deploy the servlet as a service
• Deploy the executable file only and execute it when needed
• Execute the servlet via inetd or xinetd
• Execute the servlet via an initialization script
Some operating systems write to the registry or other parts of the system when an executable is
launched. If you do not wish to write to the file system, execute the servlet from other media such as a
CD-ROM, although some operating systems do not support operating the servlet from removable
media. See Running Windows Servlets as a Service or as a Process on page 402.
If you choose to execute your servlet from another device, you must manually place the media
containing the servlet in the appropriate location prior to executing it. For example, if a CD containing
the servlet is placed into a system’s CD-ROM drive, you need to know the drive letter of that CD-ROM
before you can execute the servlet remotely.
When deploying servlets, the following files are used:
• The Servlet contains the code to be executed on each network node. The name of the servlet
depends on the operating system.
• The Servlet Setup file is used on Windows operating systems only. This file contains multiple
servlets and automatically detects which servlet to install when you run the setup file. Its file
name is either setup.exe or setup.msi.
• The Servlet Package file is used on Solaris and AIX machines. These files contain multiple
servlets for multiple versions of the operating systems. The file names are GSIservl.tar for
Solaris and encase.servlet.rte.bff for AIX.
• The Servlet Configuration file is used for the Check In servlet exclusively on *NIX machines.
This file contains the information used to check in that is otherwise contained in the Windows
Registry for Windows machines.
The procedure for removing the Check-In servlet depends on whether the servlet resides on a Unix or
Windows system.
Option Description
-l <port> Specifies the port where the servlet listens
Code Description
0 Status OK
1 No Node Certificate
2 No Security Key
Option Description
-drop Drops this servlet to the local directory
-p <path> Sets the path for installing the servlet binaries; the default is %systemroot%\system32
-n <name> Sets the name of the servlet binary and the service name; the default is enstart.exe for the binary and enstart for the Windows Service Name
-r Removes the service, the registry entry, and the binary; this does not remove the directory where the binary resides
-s Starts servlet in stealth mode, hiding it from the Task Manager (32-bit servlets only)
There are several methods you can use to deploy servlets to Windows machines:
• Active Directory
• Domain Push
• PsTools
• IPC$ and PsExec
• Removable Media and PsExec
Which method you should use depends on your network configuration and user account/password
policy.
Even though PsExec returns an error, it completes with an error code of 0. Running net start
on the remote machine verifies that enstart is running.
Note: The PsExec utility transmits the password across the network in plain text, which may present a
problem if intercepted by unintended persons using a packet sniffer.
Even though PsExec returns several errors, it completes each node with an error code of 0. Running
net start on any of the successful remote machines verifies that enstart is running.
4. Click the down arrow on the far right of the Add Network Preview dialog and select Save As.
The Save As dialog displays.
• Select Only Checked Rows if you wish to only include the machines you have blue
checked in the current view.
• Set the Stop row to be the maximum number of rows that EnCase will include in the
export file. Set this equal to the last row number if you wish to include all machines in the
view. This value must be assigned even if you are exporting only checked rows.
• Select only the Name field from the list of available fields.
• Keep the Output Format default (Tab Delimited).
• Specify the desired export path and filename.
5. When done, click OK to export the list.
6. In the output file, you need to remove the line numbers and column header fields before
PsExec can use the file. The information can be removed by any method you prefer. Two
suggested methods are:
• Drag and drop the exported file into a blank Excel spreadsheet. Excel should
automatically format the data into two columns. The first column and first row can be
deleted for clarity. Alternatively, the list of machines starting on row #2 can simply be
copied and pasted into a text editor such as Notepad and saved. If there are any leading
spaces in the machine names, they can be removed by doing a find and replace in Excel or
Notepad (set the find value to a space character, and replace it with nothing).
• Use a text editor that is capable of selecting columns (such as Notepad++) to simply
highlight and delete the unnecessary information.
If you are creating multiple IPC$ connections (specific or all nodes on a subnet), every node machine
must have one common username.
1. Open a command shell on the examiner machine.
2. Execute one of the following commands:
• For a single node: net use \\<node name>\ipc$ /u:<username> <password>
• For multiple, specific nodes: for /f %1 in (<node list>) do net use \\%1\ipc$ /u:%1\<username> <password>
• All nodes on a subnet: for /L %1 in (1,1,254) do net use \\<A.B.C>.%1\ipc$ /u:<username> <password>
Parameter Description
<node list> The text file containing the list of node names; the default name is export.txt
<node name> The name of the node with the IPC$ connection
<A.B.C> The first three octets of the IP address subnet to which you want to deploy, for example, 10.0.0
Enter the password for the node if prompted and press Enter.
After IPC$ is connected, you can deploy by copying the servlet to the nodes.
Parameter Description
<servlet> The name of the servlet, usually setup.exe for running as a service, and enstart.exe for running as a process
<node name> The name of the node for the IPC$ connection
<node list> The text file containing the list of node names; the default is export.txt
<A.B.C> The first three octets of the IP address subnet where you want to deploy, for example, 10.0.0
Now that you have copied the servlet to the node, you need to execute the servlet. See
Executing the Servlet using PsExec on page 410.
Parameter Description
<node list> The text file containing the list of node names; the default name is export.txt
<node name> The name of the node with the IPC$ connection
<A.B.C> The first three octets of the IP address subnet to which you want to deploy, for example, 10.0.0
<servlet> The name of the servlet, usually setup.exe for running as a service, and enstart.exe for running as a process
Running net start on the remote machine verifies that enstart is running.
Parameter Description
<node name> The name of the node with the IPC$ connection
<servlet path> The location and path of the servlet, usually enstart.exe for running as a process, or setup.exe for running as a service
Running net start on the remote machine verifies that enstart is running.
Option Description
-d Runs as daemon
-p <path> Specifies the servlet path. Used for auto-updating. Do not use when running from read-only media. Do not include the servlet itself with the -p option; instead, provide the path where it resides.
You can copy the servlet to the nodes using one of the following:
• Removable media (see Copying *NIX Servlets Using Removable Media on page 413)
• SSH and SCP (see Copying *NIX Servlets Using SSH and SCP on page 413)
• Telnet and FTP (see Copying *NIX Servlets Using Telnet and FTP on page 414)
Note: If you are using Solaris, you may need to use the command volcheck before the mount
command, if the mount command gives an error.
5. Create a destination folder using the command: mkdir -p <deploy path>.
6. Copy the servlet using the command: cp <mount point>/<servlet name> <deploy
path>.
If you want to use the check-in feature, perform these steps.
1. Copy the servlet configuration file using the command cp <mount point>/nixcheckin
<deploy path>.
2. Rename the nixcheckin file using the command: mv nixcheckin .<servlet name>.
3. Make the servlet executable using the chmod command: chmod 700 <deploy path>.
ssh2 root@<node>.
4. If you are copying to a location that is not yet mounted (such as a network share), mount it
now.
5. Copy the servlet using the command:
scp2 <host path>\<servlet name> root@<node>:<deploy path>
Enter the password for the root account and the transfer will start.
If you want to use the check-in feature:
1. Copy the servlet configuration file using the command:
scp2 <host path>\nixcheckin root@<node>:<deploy path>
Enter the password for the root account. The transfer will then start.
If you receive similar output, the xinetd is running and you can proceed:
/var/run/xinetd.pid
service enlinuxpc
{
    socket_type = stream
    protocol    = tcp
    port        = 4445
    type        = UNLISTED
    wait        = yes
    user        = root
    server      = /usr/local/encase/enlinuxpc
    server_args = -i -p /usr/local/encase
}
5. Restart the xinetd service by issuing the following command: /etc/rc.d/init.d/xinetd restart.
The output shown below indicates xinetd has restarted.
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
After xinetd restarts the servlet executes. For confirmation that the servlet is running, see Verifying
Servlet Deployment on page 444.
#!/bin/sh
# Init script for the Linux servlet. The original listing omits the start
# command and the pid lookup; the lines marked "assumed" are filled in from
# the servlet path and -p option used elsewhere in this chapter and from the
# -d (run as daemon) option.
pid=`ps -e -o pid,args | grep '[/]usr/local/encase/enlinuxpc' | awk '{print $1}'`   # assumed
case $1 in
'start')
    /usr/local/encase/enlinuxpc -d -p /usr/local/encase   # assumed
    ;;
'stop')
    if [ "${pid}" != "" ]
    then
        /usr/bin/kill ${pid}
    fi
    ;;
*)
    echo "Usage: $0 {start|stop}"
    ;;
esac
A symbolic link must be placed in the desired run level to call the script. The best run level to use in
Linux is three. Set this as follows:
cd /etc/init.d/rc3.d
ln -s /etc/init.d/enlinuxpc S94enlinuxpc
For confirmation that the servlet is running, see Verifying Servlet Deployment on page 444.
If you receive output similar to below, then inetd is running and you can proceed.
/usr/sbin/inetd -s
Make an entry in the /etc/services file for the port the servlet will listen from, as follows:
<servlet name> 4445/tcp # EnCase Servlet
For confirmation that the servlet is running, see Verifying Servlet Deployment on page 444.
Solaris Version
It is important to identify the version of Solaris you are using to deploy the correct servlet. After
logging into Solaris, note the information that is given to you. The version is the number immediately
after the decimal point. For example:
Solaris 8: Sun Microsystems Inc. SunOS 5.8 Generic Patch December 2002.
Solaris 9: Sun Microsystems Inc. SunOS 5.9 Generic May 2002.
You can also get the version using the following command: dmesg | grep bit.
The command gives you the Solaris version in a format such as: Feb 13 10:07:06 soldev9-64x
genunix: [ID 540533 kern.notice] ^MSunOS Release 5.9 Version
Generic_112233-07 64-bit.
32-Bit – kernel/unix
64-Bit – boot-file=kernel/sparcv9/unix
Would you like to install the Encase Enterprise Edition Servlet for
Solaris [y, n, q]? (default is yes, q to quit)
6. To accept the default location, press Enter, or enter an alternate destination and press Enter.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
#!/bin/sh
# Init script for the Solaris servlet. The original listing omits the start
# command and the pid lookup; the lines marked "assumed" are filled in from
# the servlet path and -p option used elsewhere in this chapter and from the
# -d (run as daemon) option.
pid=`ps -e -o pid,args | grep '[/]usr/local/encase/enlinuxpc' | awk '{print $1}'`   # assumed
case $1 in
'start')
    /usr/local/encase/enlinuxpc -d -p /usr/local/encase   # assumed
    ;;
'stop')
    if [ "${pid}" != "" ]
    then
        /usr/bin/kill ${pid}
    fi
    ;;
*)
    echo "Usage: $0 {start|stop}"
    ;;
esac
A symbolic link must be placed in the desired run level to call the script. The best run level to use in
Solaris is run level two. Set this as follows:
cd /etc/rc2.d
For confirmation that the servlet is running, see Verifying Servlet Deployment on page 444.
Deploying OS X Servlets
There are two OS X servlets. The servlet named enosx is for PPC Macs; the servlet named enosxintel is
for Intel based Macs. Please use the appropriate servlet for the hardware you are using.
The following deployment scripts are provided as a suggestion only and should be modified to reflect
the actual servlet that you are using. You are welcome to modify the scripts or write your own to suit
your own environment and requirements.
Before deploying OS X servlets:
1. Identify attributes of the target systems, such as DNS names, IP addresses, and operating
systems.
2. Verify that the machine the servlet is deployed from has network connectivity to all target
systems.
3. Guidance Software recommends installing an SSH client with file transfer capabilities.
4. Guidance Software recommends running SSHD on the target systems.
Deploy an OS X servlet by copying it, using one of the methods documented in Copying *NIX Servlets
on page 412.
Determine how you want to deploy the servlet. Note that some install methods require certain
versions of OS X:
See Running in OS X Using xinetd on page 424 (OS X 10.2-10.3)
See Running in OS X using launchd on page 426 (OS X 10.4 or newer)
Verify the servlet is connected using one of the methods discussed in Verifying Servlet Deployment on
page 444.
If you receive similar output, the xinetd is running and you can proceed:
root 1270 0.0 0.1 2048 828 ? S Sep09 0:00 xinetd -stayalive -pidfile
/var/run/xinetd.pid
service enlinuxpc
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    port        = 4445
    type        = UNLISTED
    wait        = yes
    user        = root
    server      = /usr/local/encase/enosx
    server_args = -i -p /usr/local/encase
}
5. Using a text editor such as vi, open the configuration file /etc/services.
6. Comment out the existing entries for the port you are using, one for UDP and one for TCP as
shown here:
upnotifyp 4445/udp # UPNOTIFYP
7. Create new entries for the port you are using. Below are two examples:
3. Create two executable files in the EnCase folder under /Library/StartupItems/ using the
commands:
touch /Library/StartupItems/EnCase/StartupParameters.plist
touch /Library/StartupItems/EnCase/EnCase
#!/bin/sh
. /etc/rc.common
# pid lookup assumed (not in the original listing); matches either OS X servlet
pid=`ps -ax -o pid,args | grep '[/]usr/local/encase/enosx' | awk '{print $1}'`
StartService ()
{
    /usr/local/encase/enosx -d -p /usr/local/encase
}
StopService ()
{
    /bin/kill ${pid}
}
RestartService ()
{
    /bin/kill ${pid}
    /usr/local/encase/enosx -d -p /usr/local/encase
}
RunService "$1"
{
    Provides = ("EnCase");
    OrderPreference = "Last";
    Messages =
    {
    };
}
7. Restart the machine, or execute the process directly passing the start, stop, and restart options.
For confirmation that the servlet is running, see Verifying Servlet Deployment on page 444.
Supported Hardware
HP 9000 server family with HP PA-8900 processors
Additional Resources
Installing HP-UX Applications (http://docs.hp.com/en/5990-8144/ch07s01.html#babjhibf)
swinstall(1M) (http://docs.hp.com/en/B3921-60631/swinstall.1M.html)
4. Press Enter. The installation screen displays and begins searching for installation files.
5. When it appears in the list, select GSIservl by highlighting the green box and pressing the
spacebar.
Note: Be sure to select the top level file. If you accidentally drill down and only select to install a part
of the package the servlet will not work.
6. To mark the file for installation, navigate to the Actions menu and select Mark for Install.
a. Use Tab to move up to the menu bar.
b. Use the arrow keys to move back and forth.
c. Use the Enter key to pull down a menu item or select a menu item.
Note: You cannot install a file without marking it for installation first. If you receive an error message,
go back and perform the steps to mark the file for installation.
7. Press Enter. The file now shows as Partial in the Marked? column.
8. To install the file, navigate to the Actions menu and select Install.
10. When analysis is complete, click OK. The installation screen displays.
Note: EnCase supports ePO 4.5 Server and McAfee Agent 4.5.
4. Click the Check In Package button. The Check In Package dialog displays.
4. Click Browse and navigate to the GuidanceServletExtension.zip file. This file is part of
the SAFE installation process, and is stored in the EnCase SAFE\ePO folder.
5. Click Open. The Install Extension window displays details about the extension package.
6. Click OK. The Configuration window shows the Guidance extension is installed.
2. In the left pane, select the location for deploying the servlet.
3. In the right pane, click Client Tasks.
4. Click New Task at the bottom of the page. The Description tab of the Client Task Builder
displays.
9. In the command line text box, provide the setup arguments needed to copy setup.exe.
• -f "<UNC path to the servlet setup.exe file>" This must be available to the target via a
network share. Guidance Software recommends you create a \\share visible to network
targets (nodes) to contain the servlet. Copy the current setup.exe from the root directory of
the SAFE to this share, and specify the share path in the cmd switches when you check in
the agent.
When you update the SAFE, be sure to copy the new servlet to the \\share.
Alternatively, you can create a directory or use the ePO folder for this share.
• -u <username>
• -d <domain>
• -t <password>
• -o <setup options>
− -o setup options must be in quotes to be passed to the servlet setup program.
• -v <servlet version>
− Use the -v servlet version option to notify already installed servlets that an update
is needed.
10. Click Next. The Schedule tab of the Client Task Builder displays.
11. Select the time for the installation, then click Next. The Summary tab of the Client Task
Builder displays.
12. Verify that the information on the Summary tab is correct, then click Save.
Note: Any authentication errors are shown in the log file C:\Windows\Temp\ServletSetupError.Log on the
agent machine.
CHAPTER 21
Verifying Servlet
Deployment
In This Chapter
Verifying Servlet Deployment
If you do not see the default name enstart or enstart64 process running, confirm that you have
not renamed the process to something else, or try reinstalling the servlet on the node.
3. Confirm the machine is listening on the port number for which your SAFE is configured. The
default port number is 4445 as shown in the picture above.
Repeat steps 1-3 on your SAFE to ensure it is also listening on the same port.
At the command prompt, type TELNET <IP> <port> and press Enter.
A successful telnet connection to the SAFE or servlet results in a momentary pause with no
feedback in the telnet window. Press Enter a few times and you should get output similar to
this:
2. Repeat the previous step from your SAFE machine. This confirms that your SAFE can get to
the client.
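The listening-port and process checks above can also be run as a script. The following Python is an added example, not EnCase code: it parses constructed netstat -an and tasklist output (instead of running the commands) and reports whether a servlet process is running and listening on the port the SAFE is configured for, distinguishing a port mismatch (servlet installed with -l <port>, or a wrong port in the SAFE Network tab) from a servlet that is not running at all.

```python
import re

DEFAULT_SERVLET_PORT = 4445   # default servlet listening port (Port Configuration)

# Process names the manual uses for the servlet on the supported platforms.
SERVLET_PROCESSES = ("enstart", "enstart64", "enlinuxpc", "enosx", "enosxintel")

# Constructed 'netstat -an' output from a Windows node: the servlet listens on
# the default port and has one established connection from the SAFE.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4445           0.0.0.0:0              LISTENING
  TCP    10.0.0.12:49312        10.0.0.1:4445          ESTABLISHED
  UDP    0.0.0.0:4445           *:*
"""

# Constructed 'tasklist' output from the same node.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    812 Services                   0     12,340 K
enstart64.exe                 2360 Services                   0      3,912 K
"""

# Matches the LISTEN(ING) rows of Windows 'netstat -an' as well as Linux/OS X
# 'netstat -an' (which has Recv-Q/Send-Q columns before the local address).
_LISTEN = re.compile(
    r"^\s*tcp6?\b.*?\S+:(\d{1,5})\s+\S+\s+LISTEN(?:ING)?\s*$", re.IGNORECASE)


def listening_tcp_ports(netstat_text):
    """Set of TCP ports in LISTEN/LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = _LISTEN.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def servlet_process_running(process_text, names=SERVLET_PROCESSES):
    """True if any token of a tasklist / ps listing names a servlet binary.

    Tokens are compared by base name with any .exe suffix removed, so
    'enstart64.exe' (Windows) and '/usr/local/encase/enlinuxpc' (*NIX) both
    count.  A servlet renamed with -n <name> is not found unless you pass
    that name in 'names'.
    """
    for line in process_text.splitlines():
        for token in line.split():
            base = token.rsplit("/", 1)[-1].lower()
            if base.endswith(".exe"):
                base = base[:-4]
            if base in names:
                return True
    return False


def servlet_status(netstat_text, process_text, safe_port=DEFAULT_SERVLET_PORT):
    """Classify a node the way the Verifying Servlet Deployment steps do.

    'ok'            - servlet process present and listening on safe_port
    'port-mismatch' - process present but nothing listens on safe_port: the
                      servlet was installed with -l <port>, or the SAFE entry
                      for this node carries the wrong port; correct the
                      Network tab / [name]:[port] entry rather than reinstalling
    'not-running'   - no servlet process: start or reinstall the servlet
    """
    if not servlet_process_running(process_text):
        return "not-running"
    if safe_port in listening_tcp_ports(netstat_text):
        return "ok"
    return "port-mismatch"


if __name__ == "__main__":
    print(sorted(listening_tcp_ports(SAMPLE_NETSTAT)))
    print(servlet_status(SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```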
The output is of the form <package name> <version> <status> <comment> for
example:
2. Compare the status output to the information below to determine if the servlet is operating as
desired.
• APPLIED: The specified fileset is installed on the system. The APPLIED state means that
the fileset can be rejected with the installp command and the previous level of the fileset
restored. This state is only valid for Version 4 fileset updates and 3.2 migrated filesets.
• APPLYING: An attempt was made to apply the specified fileset, but it did not complete
successfully, and cleanup was not performed.
• BROKEN: The specified fileset or fileset update is broken and should be reinstalled before
being used.
• COMMITTED: The specified fileset is installed on the system. This means that a
commitment has been made to this level of the software. A committed fileset update
cannot be rejected, but a committed fileset base level and its updates (regardless of state)
can be removed or deinstalled by the installp command.
• COMMITTING: An attempt was made to commit the specified fileset, but it did not
complete successfully, and cleanup was not performed.
• REJECTING: An attempt was made to reject the specified fileset, but it did not complete
successfully, and cleanup was not performed.
CHAPTER 22
Parameter Description
<node name> The name of the node machine
<servlet name> The name of the servlet, usually setup.exe for running as a service, and enstart.exe for running as a process.
After the check in configuration file is deleted, the servlet resumes typical operation.
No output is returned. This stops the enstart service, deletes enstart.exe and enstart_.sys
(regardless of what they were named during the installation), and removes registry entries relating to
the servlet.
3. Delete <servlet name>.exe and <servlet name>_.sys. The files can be located in the
following locations, which vary by the operating system.
4. Remove the following registry keys using regedit.exe on Windows XP/2003 machines or
regedt32.exe on all other machines:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ENSTART
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\enstart
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ENSTART
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\enstart
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ENSTART
Note: To delete the LEGACY_ENSTART keys, you must first change their permissions to Full Control
for Everyone using the appropriate registry editor listed above.
Not all of the keys listed above exist on every machine.
5. Using the appropriate registry editor for your machine, search for and delete any remaining
values and keys that have enstart in the name.
If your results appear similar to the output below, then the servlet is running as a process.
Note: 2360 is the PID on the machine used in this example. The PID on your machine will differ.
4. If the output to the above command returns nothing, then the servlet is probably running
using inetd or xinetd. Determine if the servlet is running using xinetd by looking in the
/etc/xinetd.d directory for a configuration file typically named enlinuxpc for Linux or
enosx for OS X. If you find the file, then the servlet is running using xinetd.
5. If you are using Linux, determine if the servlet is running using inetd by viewing the contents
of the /etc/inetd.conf file. If you find an uncommented line referring to the servlet (as
shown below), then the servlet is running using inetd.
enlinuxpc stream tcp6 wait root /usr/local/encase/
6. If you are using OS X 10.4 or newer, determine if the servlet is being launched during startup
by looking for a folder called EnCase in the /Library/StartupItems folder.
3. If you have OS X 10.4 or newer and the servlet is running from launchd, remove the
directory that contains the startup files by executing:
rm -R /Library/StartupItems/EnCase
4. If the servlet is running using inetd, open /etc/inetd.conf using a text editor such as vi,
locate and delete (or comment out) the entries referring to your servlet, then save and close the
configuration file. Some examples are:
enosx stream tcp6 wait root /usr/local/encase/
If the servlet is running using inetd or xinetd, open the /etc/services file and comment out or
delete the line referring to your servlet, then save and close the file.
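The detection steps above (a file in /etc/xinetd.d, an uncommented line in /etc/inetd.conf or /etc/services, the EnCase folder under /Library/StartupItems) are also the places to re-check after removal. The script below is an added example, not from the EnCase guide: it inspects those same locations under a root directory you pass in, so it can be run against "/" on a live host or against a mounted copy of a file system, and it ignores commented-out entries so an inactive line is not reported as a running servlet. The service names enlinuxpc and enosx and the paths are the ones the guide names; the sample tree built by make_sample_root is constructed for the demo, and the servlet binary path in it is a placeholder.

```shell
#!/bin/sh
# Added example, not from the EnCase guide: inventory the launch mechanisms the
# guide lists for a Linux or OS X servlet, relative to a root directory, so the
# same check works on a live host ("/") or on a mounted copy of its file system.
# Service names (enlinuxpc, enosx) and paths are the ones named in the guide;
# the sample tree built by make_sample_root is CONSTRUCTED for this demo.

# servlet_launchers ROOT
# Prints one line per mechanism found, in this order:
#   xinetd:<path>        etc/xinetd.d/enlinuxpc or etc/xinetd.d/enosx exists
#   inetd:<line>         uncommented etc/inetd.conf line for the servlet
#   services:<line>      uncommented etc/services line for the servlet
#   startupitems:<path>  Library/StartupItems/EnCase exists
# Prints "none" if nothing is found. Always returns 0 so callers can use set -e.
servlet_launchers() {
    root=${1%/}
    found=$(
        for name in enlinuxpc enosx; do
            [ -f "$root/etc/xinetd.d/$name" ] && echo "xinetd:$root/etc/xinetd.d/$name"
        done
        # Only lines that are not commented out count: a "#" entry is inactive.
        for f in inetd.conf services; do
            [ -f "$root/etc/$f" ] && grep -E '^[[:space:]]*(enlinuxpc|enosx)[[:space:]]' "$root/etc/$f" \
                | sed "s/^/${f%.conf}:/"
        done
        [ -d "$root/Library/StartupItems/EnCase" ] && echo "startupitems:$root/Library/StartupItems/EnCase"
        true
    )
    if [ -z "$found" ]; then
        echo none
    else
        printf '%s\n' "$found"
    fi
    return 0
}

# make_sample_root DIR
# Builds a CONSTRUCTED tree resembling a host whose servlet is registered with
# xinetd and inetd and that has the OS X startup folder, plus commented-out
# entries that a correct check must ignore. SERVLET_PLACEHOLDER and
# PORT_PLACEHOLDER stand in for values the guide does not give.
make_sample_root() {
    dir=$1
    mkdir -p "$dir/etc/xinetd.d" "$dir/Library/StartupItems/EnCase"
    printf 'service enlinuxpc\n{\n    socket_type = stream\n    wait = no\n}\n' \
        > "$dir/etc/xinetd.d/enlinuxpc"
    printf '%s\n' \
        '# enosx stream tcp6 wait root /usr/local/encase/SERVLET_PLACEHOLDER' \
        'enlinuxpc stream tcp6 wait root /usr/local/encase/SERVLET_PLACEHOLDER' \
        > "$dir/etc/inetd.conf"
    printf '%s\n' \
        '# enlinuxpc PORT_PLACEHOLDER/tcp' \
        'ftp 21/tcp' \
        > "$dir/etc/services"
}

# Stand-alone demo on a temporary constructed root: expect an xinetd line, an
# inetd line and a startupitems line, and nothing for the commented entries.
demo_root=$(mktemp -d)
make_sample_root "$demo_root"
servlet_launchers "$demo_root"
rm -rf "$demo_root"
```

After following the removal steps on a real host, servlet_launchers / should print none; any remaining line names the configuration that still references the servlet.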
452 EnCase® Examiner Version 7.03
3. Remove the directory containing the servlet using the following command:
rm -R /usr/local/encase
Note: Do not type the bff file extension when entering the command.
The installer determines the correct servlet to remove and outputs information regarding the
removal.
2. Remove the EnCase directory and any remnants with the following command:
rm -R /usr/local/encase
If you need to manually start the SAFE again, use the command net start safe and press Enter.
Support
Guidance Software develops solutions that search, identify, recover, and deliver digital information in
a forensically sound and cost effective manner. Since our founding in 1997, we have moved into
network enabled investigations and enterprise wide integration with other security technologies.
This section provides information on our support for you through:
• Technical Support
• Support Portal
• Professional Services
• Training
Technical Support
Guidance Software offers several support options, including:
• Live Chat
• Support Request Form
• Email
• Telephone
Live Chat
From the Guidance Software Support Portal, described below, you can chat live with a Technical
Services engineer. From the Support Portal main page, select Live Chat to connect directly to an
engineer.
Email
Although technical support is available by email, you will receive faster service using the online
Technical Support Request Form (https://support.guidancesoftware.com/node/381). To request
assistance by email, email technicalsupport@guidancesoftware.com. Please include as much detail as
possible about the issue, and the best way to contact you.
Telephone
Telephone technical support is provided 24 hours a day, excluding weekends and holidays, through
the regional support numbers listed below. All technical support inquiries are automatically routed to
the open US or UK office, depending on the time of day.
For your convenience, the following numbers connect to our English-language support.
Germany: 0-800-181-4625
China: 10-800-130-0976
Australia: 1-800-750-639
Hong Kong: 800-96-4635
New Zealand: 0-800-45-0523
Japan: 00-531-13-0890
Support Portal
Guidance Software offers a Support Portal to our registered users, providing technical forums, a
knowledge base, a bug tracking database, and a Support request form. The Portal gives you access to
all support-related issues in one site. This includes:
• Live Chat
• Knowledge Base
• Bug Tracker
• Technical Services Request form
• Download Center
Support 457
If you do not have access to the Support Portal, please use the Support Portal registration form
(https://support.guidancesoftware.com/forum/register.php?do=signup).
Registration
Registration requires you to choose a unique username and password. Please provide all requested
information, including dongle ID, phone, email address, organization, etc. This helps us identify you
as a registered owner of EnCase. You will receive an email momentarily asking you to confirm your
email address. Once you have verified your email address, you will be added to the Registration List.
Please allow 24 business hours for your account to be approved.
Once your registration is approved, you can access the Support Portal at
https://support.guidancesoftware.com/. The Support Portal provides a tutorial that briefly overviews
the site.
The forums allow registered users to post questions, exchange information, and hold discussions with
Guidance Software and thousands of experienced and skilled users in the EnCase community.
Different discussion groups are available as follows:
EnCase product groups:
• EnCase User’s Group
• EnCase Enterprise
• EnCase eDiscovery
• EnScript Development
Posting to a Forum
To create a new post, click the New Thread icon.
Click the Post Reply icon to reply to a post, or use the Quick Reply icon at the bottom of each post.
Searching
The forums contain an accumulation of over ten years of information. Use the Search button to search
for keywords, or click Advanced Search for more specific search options.
Bug Tracker
Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement
requests. It is broken down by product, showing the current number of bugs/enhancements and public
bugs for each product. To access the Bug Tracker, click Bug Tracker
(https://support.guidancesoftware.com/forum/project.php) in the Support Portal.
Knowledge Base
The Knowledge Base covers a variety of niche information on various topics. You can also submit
your own articles to help other EnCase users.
From here, you can browse, search, and write Knowledge Base articles.
MyAccount
Register your product with Guidance Software to receive updates. Registration is located at
https://www.guidancesoftware.com/myaccount/registration.aspx
If you have any trouble registering your product, contact Customer Service. If you have any trouble
downloading the updates once registered, contact Technical Support.
Index
A
Accessing the Local Disk in Windows Explorer • 381
Accessing the Share • 367
Acquiring a Disk Running in Direct ATA Mode • 59, 276
Acquiring a Drive from a Network Preview • 57
Acquiring a DriveSpace Volume • 64
Acquiring a Local Drive • 57
Acquiring Apple iOS Devices • 240
Acquiring Apple iTunes Backup Files • 247
Acquiring BlackBerry Desktop Manager Backup Files • 247
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) • 57, 275
Acquiring Devices and Evidence • 45
Acquiring Disk Configurations • 60
Acquiring Google Android Devices • 240
Acquiring in Windows using FastBloc SE • 59
Acquiring in Windows without a Tableau or FastBloc Write Blocker • 59
Acquiring Mass Storage Devices • 246
Acquiring Nokia Symbian S60 Devices • 241
Acquiring Non-local Drives • 57
Acquiring Other Types of Supported Evidence Files • 64
Acquiring Palm OS Devices • 244
Acquiring RIM BlackBerry Devices • 240
Acquiring SIM Cards • 244
Acquiring Smartphone Devices • 238
Acquiring Windows Mobile 6.x Devices • 241
Acquiring with the Evidence Processor • 48
Adding a Constraint to Analysis Data • 152
Adding a New Keyword • 84
Adding an External File Viewer • 105
Adding and Deleting Nodes in the Target List • 139
Adding and Modifying File Signature Associations • 175
Adding Custom Notes to the Smartphone Report • 252
Adding Evidence to a Case • 39
Adding Hash Libraries to a Case • 192
Adding Hash Values to a Hash Set • 190
Adding Raw Image Files • 66
Analysis Browser Tab • 147
Analyze EFS • 289
Analyzing and Reporting on Acquired Data • 248
Analyzing and Tagging a Review Package • 183
Analyzing File Signatures • 79
Analyzing Hashes • 80
Analyzing Individual Search Results • 173
Analyzing Protected Files • 79
Application Folder • 29
Arrow Drop Down Pane Arrow Menu • 112
Assigning a Unicode Font • 258
Associate Selected • 296
Associating File Types with a File Viewer • 107
Available Smartphone Data • 249
B
BitLocker Encryption Support (Volume Encryption) • 313
Body Text Tab • 228
Bookmark Template Folders • 204
Bookmarking Data for Reports • 216
Bookmarking Items • 195
Bookmarking Pictures in Gallery View • 203
Boot Evidence Files and Live Systems with VMware • 384
Booting the Virtual Machine • 387
Browsing and Viewing Evidence • 93
Browsing Images • 127
Browsing Through Evidence • 125
Bug Tracker • 458
C
Canceling an Acquisition • 54
Case Analyzer • 158
Case Backup • 31
Case Folder • 31
Case Operations • 41
Case Portability • 43
CD-DVD Inspector File Support • 64
Challenge-Response Authentication • 311
Changing Categories and Tags for Multiple Hash Sets • 192
Changing Evidence Cache Location • 118
Changing Text Color • 113
Changing Text Styles • 105
Changing the Default Code Page • 257
Changing the Evidence Path if the Evidence File is Moved • 42
Changing the Mount Point • 366
Changing the Tag Order • 213
Check for Evidence when Loading a Case • 126
Check Point Full Disk Encryption Support (Volume Encryption) • 308
Checking In the ePO Servlet Package • 434
Closing and Changing the Emulated Disk • 383
Closing the Connection • 374
Color Options • 24
Combining Search Criteria from Multiple Tabs • 172
Compound Files • 359
Conditions • 122
Configuration Options • 20
Configuring EnCase to Display Non-English Characters • 256
Configuring Paper Layout • 220
Configuring the Keyboard for a Specific Non-English Language • 259
Configuring the PDE Client • 380
Configuring the Server • 372
Configuring Time Zone Settings • 28
Configuring Windows for Non-English Language • 259
Configuring Your Linux Distribution • 262
Connecting the Clients • 374
Copying *NIX Servlets • 412
Copying *NIX Servlets Using Removable Media • 413
Copying *NIX Servlets Using SSH and SCP • 413
Copying *NIX Servlets Using Telnet and FTP • 414
Copying the Servlet Using XCOPY • 410
Creating a Filter • 120
Creating a Hash Library • 189
Creating a Hash Set • 189
Creating a LinEn Boot Disk • 262
Creating a New Condition • 123
Creating a New Keyword List • 85
Creating a Review Package • 182
Creating a Smartphone Report • 250
Creating a Text File of Nodes • 406
Creating an Index • 85
Creating Custom File Types • 128
Creating IPC$ Connections • 408
Creating New Bookmark Folders • 205
Creating Tags • 210
Creating Thumbnails • 88
CREDANT Encryption Support (File-Based Encryption) • 330
CREDANT Encryption Support (Offline Scenario) • 334
CREDANT Files and Logical Evidence (L01) Files • 335
Crossover Cable Preview or Acquisition • 277
Customizing Headers and Footers • 221
D
Data Structure Bookmark • 198
Date Options • 22
Dates • 207
Debug Options • 27
Decoding Data • 109, 206
Decrypted Block • 343
Decrypting a BitLocker Encrypted Device Using Recovery Key • 314
Decrypting a BitLocker Encrypted Device Using Recovery Password • 316
Decrypting S/MIME Email Messages in an Evidence File Created in Windows Vista • 340
Deleted Files • 362
Deleting a Bookmark Folder • 206
Deleting a Filter • 121
Deleting Tags • 213
Deploying a Solaris Servlet Using xinetd • 421
Deploying AIX Servlets • 423
Deploying and Running Servlets • 397
Deploying Check In Servlets • 400
Deploying in Solaris Using inittab • 422
Deploying Linux Servlets • 414
Deploying NetWare Servlets • 433
Deploying OS X Servlets • 424
Deploying Servlets • 400
Deploying Solaris Servlets • 418
Deploying the ePO Servlet • 438
Deploying the Linux Servlet using inetd • 417
Deploying the Linux Servlet Using inittab • 416
Deploying the Linux Servlet Using xinetd • 415
Deploying Windows Servlets • 401
Deploying Windows Servlets Using a Domain Push • 404
Deploying Windows Servlets Using IPC$ and PSExec • 408
Deploying Windows Servlets Using PsTools • 404
Deploying Windows Servlets Using Removable Media and PsExec • 412
Deploying Windows Servlets with Active Directory • 404
Determining Local Mailbox Encryption • 342
Dictionary and Built-In Attacks • 351
Disk and Volume Encryption • 287
Disk Caching and Flushing the Cache • 394
Disk Configuration Set Acquired as One Drive • 62
Disk Configurations Acquired as Separate Drives • 62
Dismounting the Network Share • 366
Displaying Related Messages • 134
Displaying Smartphone Data • 248
Drive-to-Drive Acquisition Using LinEn • 265
Dynamic Disk • 62
E
Editing a Bookmark • 206
Editing a Filter • 121
Editing Bookmark Content • 206
Editing Bookmark Folders • 206
Editing Conditions • 125
Editing Report Object Code • 224
EDS Commands and Tabs • 289
Email • 455
EnCase Decryption Suite • 285
EnCase Enterprise • 12
EnCase Evidence Files • 54
EnCase Forensic • 12
EnCase Requirements • 16
EnCase Version 7 Application Folder Locations • 29
Encrypted Block • 343
Encrypting File System • 360
Enter Items • 292
Entering Non-English Content without Using Non-English Keyboard Mapping • 260
Enterprise Options • 28
Entries View Right Click Menu • 116
Evidence Cache • 31
Evidence File Formats Supported by EnCase PDE • 378
Evidence File Formats Supported by VFS • 356
Evidence Processor • 160
Evidence Verification • 279
Excluded Checkbox • 228
Executing the Servlet using PsExec • 411
Expand Data View • 151
Expanding Compound Files • 80
Exporting a Review Package • 185
Exporting Data for Additional Analysis • 179
Exporting Location Data • 252
Exporting Search Results for Review • 181
Exporting to *.msg • 135
ext2, ext3, UFS, and Other File Systems • 365
F
FastBloc SE • 391
File Carver • 89
File Report EnScript • 229
Filtering Your Evidence • 119
Finding Data Using Signature Analysis • 175
Finding Email • 80
Finding Internet Artifacts • 80
Finding Tagged Items • 169
Finding the Location of an Evidence Item • 126
Font Options • 25
Formatting Report Templates • 219
Full Volume Encryption (FVE) AutoUnlock Mechanism • 318
G
Generating Reports • 215
Global Application Data • 32
Global Options • 21
GuardianEdge Encryption Support • 323
GuardianEdge Hard Disk and Symantec Endpoint Encryption Support • 324
H
Hardware Disk Configuration • 60
Hashing Evidence • 187
Hashing Features • 188
Hashing the Subject Drive Using LinEn • 280
Hiding a Tag • 212
Highlighted Data or Sweeping Bookmark • 196
HP-UX VxFS and Servlet Support • 428
I
IM Parser • 89
Importing a Review Package • 185
Importing Hash Sets • 193
Indexing Personal Information • 86
Indexing Text in Slack and Unallocated Space • 87
Initial Preparation • 384
Inserting a Picture • 225
Inserting a Table • 226
Installing and Configuring Encase • 15
Installing Drivers • 247
Installing EnCase Forensic and EnCase Enterprise • 18
Installing the HP-UX Servlet • 429
Installing the Optional Guidance Software Servlet Extension • 436
Installing the Tar Package • 419
Integers • 207
Internal Files and File System Files • 362
K
Knowledge Base • 458
L
Launching EnCase for the First Time • 34
LinEn Command Line • 272
LinEn Evidence Verification and Status Reporting • 278
LinEn Manual Page • 282
LinEn Setup Under Red Hat • 263
LinEn Setup Under SUSE • 263
Linux Syslog Parser • 91
Live Chat • 455
Localization of Report Layout • 224
Locally Encrypted NSF Parsing Results • 344
Logical Evidence Files • 55
Lotus Notes Local Encryption Support • 342
M
Malware Scanning • 369
McAfee Endpoint Encryption Support • 336
McAfee ePolicy Orchestrator (ePO) Integration • 434
Mode Selection • 276
Monitoring a Remote Acquisition • 53
Mount Network Share Options • 357
Mounting a Single Drive, Device, Volume, or Folder • 357
Mounting Evidence with VFS • 356
Mounting Non-Windows Devices • 381
Multiple Notable Files Bookmark • 201
MyAccount • 459
N
NAS Options • 23
Navigating the Evidence Tab • 113
Navigating the Records Tab • 118
Navigating the Table Pane • 97
Navigating the Tree Pane • 96
New Virtual Machine Wizard • 385
Notable File Bookmark • 199
Notes Bookmark • 202
NSF Encryption Support • 340
NSRL Hash Sets • 193
O
Obtaining a Linux Distribution • 263
Obtaining Additional Decryption Key (ADK) Information • 328
Obtaining Updates • 16
Obtaining Whole Disk Recovery Token Information • 327
Other File Systems • 365
Other Tools and Viewers • 369
Overview • 11, 16, 34, 47, 70, 94, 138, 162, 188, 196, 210, 216, 236, 256, 262, 287, 356, 378, 392, 398
P
Parsing a Locally Encrypted Mailbox • 342
PDE Troubleshooting • 390
Performing Acquisitions with LinEn • 263
PGP Decryption using the Passphrase • 330
PGP Whole Disk Encryption (WDE) Support • 326
Physical Disk Emulator • 377
Physical RAID Encryption Support • 319
Picture • 207
Post Collection Analysis • 158
Posting to a Forum • 458
Printing a Condition • 125
Processing Devices from a Local Preview • 76
Processing Devices from a Network Preview • 77
Processing Evidence • 69
Processing Evidence during a Sweep • 78
Q
Querying a Hash Library • 191
R
RAID-10 • 60
RAIDs • 362
RAM and Disk Slack • 363
Raw Image Files • 55
Raw Text Bookmark • 196
Reacquiring Evidence • 65
Reacquiring Evidence Files • 65
Recovering Folders • 79
Recovering NSF Passwords • 341
Recovery Key and Recovery Password Files • 313
Registration • 457
Reinstalling EnCase • 20
Removing Check In Functionality • 448
Removing the AIX Package • 452
Removing the NetWare Servlet • 452
Removing the Servlet from Linux or OS X • 450
Removing the Servlet in Windows • 449
Removing the Solaris Package • 452
Removing Write Block from a USB, FireWire, or SCSI Device • 394
Renaming a Bookmark • 206
Repairing and Recovering Inconsistent EDB Database Files • 131
Report Styles • 221
Report Template Structure • 217
Reports • 153
Restoring A Drive • 67
Restrict Access by IP Address • 373
Retaining the GUID During Evidence Reacquisition • 65
Retrieving Keyword Search Results • 171
RMS Decryption at the File Level • 349
RMS Decryption at the Volume Level • 348
RMS Protected Email in PST • 350
RMS Standalone Installer • 347
Running a Default Filter • 119
Running a Linux Servlet as a Process • 415
Running a NetWare Servlet as a Process • 433
Running a Servlet as a NetWare Service • 433
Running a Solaris Servlet as a Process • 421
Running an Existing Condition • 122
Running EnScript Modules • 88
Running Evidence Processor Options Incrementally • 73
Running File Signature Analysis against Selected Files • 178
Running in OS X Using launchd • 426
Running in OS X Using xinetd • 425
Running the Customize Job Settings Option • 142
Running the File Report EnScript • 229
Running the HP-UX Servlet • 432
Running the Quick Sweep View Option • 140
Running Windows Servlets as a Service or as a Process • 402
S
S/MIME Encryption Support • 336
Safeboot Encryption Support • 298
Saved BitLocker Credentials in Secure Storage • 321
Saving and Dismounting the Emulated Disk • 381
Saving the File Report • 232
Search Operators • 165
Searching • 458
Searching Indexed Data • 163
Searching Through Evidence • 161
Searching Through Raw Data • 170
Searching With Keywords • 82
Secure Storage Items • 297
Secure Storage Tab • 291
Secure Storage Tab and EFS • 291
Selecting Pane Views • 94
Setting Individual Case Options • 40
Setting the Date Format • 258
Setup for a Drive-to-Drive Acquisition • 264
Shared File Options • 26
Sharing Conditions • 125
Sharing Filters • 121
Show Conversation • 133
Showing Duplicate Email Messages in a Conversation • 135
Single Files • 55
Single Notable File Bookmark • 200
Smartphone Support • 235
Software RAID • 60
Sources of Acquisitions • 47
Starting Physical Disk Emulator • 378
Starting Sweep Enterprise • 138
Status Reporting • 280
Status Tab • 146
Stopping a Servlet Using PsTools • 448
Stopping and Removing Enterprise Servlets • 447
Stopping and Removing Servlets • 448
Stopping the SAFE • 453
Successful BitLocker Decryption • 320
Support • 455
Support for EXT4 Linux Software RAID Arrays • 61
Support Portal • 456
Supported CREDANT Encryption Algorithms • 334
Supported Encryption Products • 288
Supported GuardianEdge Encryption Algorithms • 324
Supported Smartphone Operating Systems • 237
Supported Utimaco SafeGuard Easy Encryption Algorithms • 302
Sweep Enterprise • 137
Sweep Enterprise Dialog Status and Analysis Browser • 146
Sweep Enterprise Options • 140
Symantec and McAfee EndPoint Encryption Support • 336
System Info Parser • 89
T
Table Bookmark • 201
Tagging an Item • 211
Tagging Items • 209
Target Constraint • 150
Technical Support • 455
Technical Support Request Form • 455
Telephone • 455
Temporary Files Redirection • 383
Temporary Files Reminder • 371
Text • 207
Text Styles • 259
The EnCase Interface • 94
Third-Party Tools • 368, 383
Transcript Bookmark • 201
Troubleshooting • 375, 394
Troubleshooting a Failed S/MIME Decryption • 340
Types of Acquisitions • 47
Types of Evidence Files • 54
U
Undocking the View Pane • 111
Uninstalling EnCase • 19
Unix Login • 91
Unsuccessful BitLocker Decryption • 321
User Application Data • 32
User Data • 30
User, Product, and Foreign Language Forums • 457
Username and Password Authentication • 308
Using a Case Template to Create a Case • 35
Using a Write Blocker • 58
Using Disk View to See Data on a Device • 117
Using LinEn • 261
Using Physical Disk Emulator • 378
Using PsTools to Deploy Servlets to a Single Machine • 405
Using PsTools to Deploy Servlets to Multiple Machines • 405
Using Report Templates • 217
Using the EnCase Interface • 367
Using the Network Authentication Server • 20
Using Third-Party Tools • 383
Using Views/Tabs • 112
Using Windows Explorer • 367
Utimaco Challenge/Response Support • 302
Utimaco SafeGuard Easy Encryption Known Limitation • 308
Utimaco SafeGuard Easy Encryption Support • 302
V
Verifying AIX Servlet Deployment • 446
Verifying Evidence Files • 55
Verifying Servlet Deployment • 443, 444
Verifying Servlet Deployment Using Telnet • 445
Verifying Servlet Deployment with Net Start Command • 444
Verifying Servlet Deployment with Netstat Command • 445
VFS Server • 371
Viewing a Report • 232
Viewing Attachments • 133
Viewing Compound Files • 131
Viewing Content in the View Pane • 100
Viewing Email • 133
Viewing Evidence • 128
Viewing Information in a Timeline • 99
Viewing Multiple Evidence Files Simultaneously • 129
Viewing Notes Bookmarks • 202
Viewing Processed Evidence • 131
Viewing Related Items • 126
Viewing Saved Search Results • 174
Viewing Tagged Items • 212
Viewing Unicode Files • 258
Virtual File System • 355
VMware/EnCase PDE FAQs • 388
W
Windows • 208
Windows Artifact Parser • 90
Windows Event Log Parser • 90
Windows Key Architecture • 351
Windows NT Software Disk Configurations • 61
Windows Rights Management Services (RMS) Support • 346
Windows-based Acquisitions with Tableau and FastBloc Write Blockers • 58
WinMagic SecureDoc Encryption Support • 321
Working with Bookmark Folders • 204
Working with Bookmark Types • 196
Working with Cases • 33
Working with Columns • 100
Working with Hash Libraries • 189
Working with Non-English Languages • 255
Write Blocking a USB, FireWire, or SCSI Device • 392
Write Blocking and Write Protecting a Device • 392
Write Protecting a USB, FireWire, or SCSI Device • 393