
EnCase Examiner®

VERSION 7.03

USER’S GUIDE

GUIDANCE SOFTWARE | USER’S GUIDE | ENCASE EXAMINER


Copyright © 1997-2012 Guidance Software, Inc. All rights reserved.

EnCase®, EnScript®, FastBloc®, Guidance Software® and EnCE® are registered trademarks or trademarks owned by Guidance Software in the
United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as
the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or
copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to
infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc.
Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no
part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical,
photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they
are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com.
Information contained in this work is furnished for informational use only, and is subject to change at any time without notice.
Contents

Overview 11
EnCase Forensic ............................................................................................................................................... 12
EnCase Enterprise ............................................................................................................................................ 12

Installing and Configuring EnCase 15

Overview .......................................................................................................................................................... 16
Obtaining Updates ........................................................................................................................................... 16
EnCase Requirements ...................................................................................................................................... 16
Installing EnCase Forensic and EnCase Enterprise ........................................................................................... 18
Uninstalling EnCase .................................................................................................................................... 19
Reinstalling EnCase ..................................................................................................................................... 20
Using the Network Authentication Server ....................................................................................................... 20
Configuration Options ...................................................................................................................................... 20
Global Options ............................................................................................................................................ 21
Date Options .............................................................................................................................................. 22
NAS Options ............................................................................................................................................... 23
Color Options ............................................................................................................................................ 24
Font Options ............................................................................................................................................... 25
Shared File Options .................................................................................................................................... 26
Debug Options ............................................................................................................................................ 27
Enterprise Options ..................................................................................................................................... 28
Configuring Time Zone Settings ....................................................................................................................... 28
EnCase Version 7 Application Folder Locations ............................................................................................... 29
Application Folder ...................................................................................................................................... 29
User Data .................................................................................................................................................... 30
User Application Data ................................................................................................................................ 32
Global Application Data ............................................................................................................................. 32

Working with Cases 33

Overview .......................................................................................................................................................... 34
Launching EnCase for the First Time ................................................................................................................ 34
Using a Case Template to Create a Case .......................................................................................................... 35
Adding Evidence to a Case ............................................................................................................................... 39
Setting Individual Case Options ....................................................................................................................... 40
Case Operations ............................................................................................................................................... 41
Changing the Evidence Path if the Evidence File is Moved ........................................................................ 42
Case Portability ................................................................................................................................................ 43

Acquiring Devices and Evidence 45

Overview .......................................................................................................................................................... 47
Types of Acquisitions ....................................................................................................................................... 47
Sources of Acquisitions .................................................................................................................................... 47
Acquiring with the Evidence Processor............................................................................................................ 48
Monitoring a Remote Acquisition .................................................................................................................... 53
Canceling an Acquisition .................................................................................................................................. 54
Types of Evidence Files .................................................................................................................................... 54
EnCase Evidence Files................................................................................................................................. 54
Logical Evidence Files ................................................................................................................................. 55
Raw Image Files .......................................................................................................................................... 55
Single Files .................................................................................................................................................. 55
Verifying Evidence Files ................................................................................................................................... 55
Acquiring a Local Drive ................................................................................................................................... 57
Acquiring Non-local Drives ......................................................................................................................... 57
Acquiring a Drive from a Network Preview ..................................................................................................... 57
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) .......................................... 57
Using a Write Blocker ..................................................................................................................................... 58
Windows-based Acquisitions with Tableau and FastBloc Write Blockers .................................................. 58
Acquiring in Windows using FastBloc SE .................................................................................................... 59
Acquiring in Windows without a Tableau or FastBloc Write Blocker ......................................................... 59
Acquiring a Disk Running in Direct ATA Mode ................................................................................................. 59
Acquiring Disk Configurations .......................................................................................................................... 60
Software RAID ............................................................................................................................................ 60
RAID-10 ...................................................................................................................................................... 60
Hardware Disk Configuration ..................................................................................................................... 60
Windows NT Software Disk Configurations ............................................................................................... 61
Support for EXT4 Linux Software RAID Arrays ........................................................................................... 61
Dynamic Disk .............................................................................................................................................. 62
Disk Configuration Set Acquired as One Drive ........................................................................................... 62
Disk Configurations Acquired as Separate Drives ...................................................................................... 62
Acquiring Other Types of Supported Evidence Files ........................................................................................ 64
CD-DVD Inspector File Support ........................................................................................................................ 64
Acquiring a DriveSpace Volume ....................................................................................................................... 64
Reacquiring Evidence ....................................................................................................................................... 65
Reacquiring Evidence Files ......................................................................................................................... 65
Retaining the GUID During Evidence Reacquisition ................................................................................... 65
Adding Raw Image Files ................................................................................................................................... 66
Restoring a Drive ............................................................................................................................................. 67

Processing Evidence 69

Overview .......................................................................................................................................................... 70
Running Evidence Processor Options Incrementally ....................................................................................... 73
Processing Devices from a Local Preview ................................................................................................... 76
Processing Devices from a Network Preview ............................................................................................. 77
Processing Evidence during a Sweep ......................................................................................................... 78
Recovering Folders........................................................................................................................................... 79
Analyzing File Signatures ................................................................................................................................. 79
Analyzing Protected Files ................................................................................................................................. 79
Analyzing Hashes ............................................................................................................................................. 80
Expanding Compound Files .............................................................................................................................. 80
Finding Email .................................................................................................................................................... 80
Finding Internet Artifacts ................................................................................................................................. 80
Searching With Keywords ................................................................................................................................ 82
Adding a New Keyword .............................................................................................................................. 84
Creating a New Keyword List ..................................................................................................................... 85
Creating an Index ............................................................................................................................................. 85
Indexing Personal Information ................................................................................................................... 86
Indexing Text in Slack and Unallocated Space ........................................................................................... 87
Creating Thumbnails ........................................................................................................................................ 88
Running EnScript Modules ............................................................................................................................... 88
System Info Parser ...................................................................................................................................... 89
IM Parser .................................................................................................................................................... 89
File Carver ................................................................................................................................................... 89
Windows Event Log Parser ......................................................................................................................... 90
Windows Artifact Parser............................................................................................................................. 90
Unix Login ................................................................................................................................................... 91
Linux Syslog Parser ..................................................................................................................................... 91

Browsing and Viewing Evidence 93

Overview .......................................................................................................................................................... 94
The EnCase Interface ....................................................................................................................................... 94
Selecting Pane Views .................................................................................................................................. 94
Navigating the Tree Pane ........................................................................................................................... 96
Navigating the Table Pane .......................................................................................................................... 97
Viewing Content in the View Pane ........................................................................................................... 100
Using Views/Tabs ..................................................................................................................................... 112
Arrow Drop Down Pane Arrow Menu ...................................................................................................... 112
Changing Text Color ................................................................................................................................. 113
Navigating the Evidence Tab .................................................................................................................... 113
Navigating the Records Tab ...................................................................................................................... 118
Filtering Your Evidence .................................................................................................................................. 119
Running a Default Filter ............................................................................................................................ 119
Creating a Filter ........................................................................................................................................ 120
Editing a Filter .......................................................................................................................................... 121
Deleting a Filter ........................................................................................................................................ 121
Sharing Filters ........................................................................................................................................... 121
Conditions ...................................................................................................................................................... 122
Running an Existing Condition .................................................................................................................. 122
Creating a New Condition ........................................................................................................................ 123
Editing Conditions .................................................................................................................................... 125
Sharing Conditions ................................................................................................................................... 125
Printing a Condition .................................................................................................................................. 125
Browsing Through Evidence ........................................................................................................................... 125
Check for Evidence when Loading a Case................................................................................................. 126
Finding the Location of an Evidence Item ................................................................................................ 126
Viewing Related Items .............................................................................................................................. 126
Browsing Images ...................................................................................................................................... 127
Viewing Evidence ........................................................................................................................................... 128
Creating Custom File Types ...................................................................................................................... 128
Viewing Multiple Evidence Files Simultaneously ..................................................................................... 129
Viewing Processed Evidence .......................................................................................................................... 131
Viewing Compound Files .......................................................................................................................... 131
Repairing and Recovering Inconsistent EDB Database Files ..................................................................... 131
Viewing Email ................................................................................................................................................. 133
Viewing Attachments ............................................................................................................................... 133
Show Conversation ................................................................................................................................... 133
Displaying Related Messages ................................................................................................................... 134
Showing Duplicate Email Messages in a Conversation ............................................................................ 135
Exporting to *.msg ................................................................................................................................... 135

Sweep Enterprise 137

Overview ........................................................................................................................................................ 138
Starting Sweep Enterprise ............................................................................................................................. 138
Adding and Deleting Nodes in the Target List ............................................................................................... 139
Sweep Enterprise Options ............................................................................................................................. 140
Running the Quick Sweep View Option ................................................................................................... 140
Running the Customize Job Settings Option ............................................................................................ 142
Sweep Enterprise Dialog: Status and Analysis Browser ................................................................................. 146
Status Tab ................................................................................................................................................. 146
Analysis Browser Tab ............................................................................................................................... 147
Post Collection Analysis ................................................................................................................................. 158
Case Analyzer ........................................................................................................................................... 158
Evidence Processor .................................................................................................................................. 160

Searching Through Evidence 161

Overview ........................................................................................................................................................ 162
Searching Indexed Data ................................................................................................................................. 163
Search Operators ..................................................................................................................................... 165
Finding Tagged Items ..................................................................................................................................... 169
Searching Through Raw Data ......................................................................................................................... 170
Retrieving Keyword Search Results ............................................................................................................... 171
Combining Search Criteria from Multiple Tabs .............................................................................................. 172
Analyzing Individual Search Results ............................................................................................................... 173
Viewing Saved Search Results ........................................................................................................................ 174
Finding Data Using Signature Analysis ........................................................................................................... 175
Adding and Modifying File Signature Associations .................................................................................. 175
Running File Signature Analysis against Selected Files .................................................................................. 178
Exporting Data for Additional Analysis .......................................................................................................... 179
Exporting Search Results for Review ............................................................................................................. 181
Creating a Review Package....................................................................................................................... 182
Analyzing and Tagging a Review Package ................................................................................................ 183
Exporting a Review Package ..................................................................................................................... 185
Importing a Review Package .................................................................................................................... 185

Hashing Evidence 187

Overview ........................................................................................................................................................ 188
Hashing Features ........................................................................................................................................... 188
Working with Hash Libraries .......................................................................................................................... 189
Creating a Hash Library ............................................................................................................................ 189
Creating a Hash Set .................................................................................................................................. 189
Adding Hash Values to a Hash Set ............................................................................................................ 190
Querying a Hash Library ........................................................................................................................... 191
Adding Hash Libraries to a Case ............................................................................................................... 192
Changing Categories and Tags for Multiple Hash Sets ............................................................................. 192
Importing Hash Sets ................................................................................................................................. 193
NSRL Hash Sets ......................................................................................................................................... 193

Bookmarking Items 195

Overview ........................................................................................................................................................ 196
Working with Bookmark Types ...................................................................................................................... 196
Highlighted Data or Sweeping Bookmark................................................................................................. 196
Notable File Bookmark ............................................................................................................................. 199
Table Bookmark ........................................................................................................................................ 201
Transcript Bookmark ................................................................................................................................ 201
Notes Bookmark ....................................................................................................................................... 202
Bookmarking Pictures in Gallery View ........................................................................................................... 203
Working with Bookmark Folders ................................................................................................................... 204
Bookmark Template Folders .................................................................................................................... 204
Creating New Bookmark Folders .............................................................................................................. 205
Editing Bookmark Folders ........................................................................................................................ 206
Deleting a Bookmark Folder ..................................................................................................................... 206
Editing Bookmark Content ............................................................................................................................. 206
Editing a Bookmark .................................................................................................................................. 206
Renaming a Bookmark ............................................................................................................................. 206
Decoding Data ................................................................................................................................................ 206
Text ........................................................................................................................................................... 207
Picture ...................................................................................................................................................... 207
Integers ..................................................................................................................................................... 207
Dates ......................................................................................................................................................... 207
Windows ................................................................................................................................................... 208

Tagging Items 209


Overview ........................................................................................................................................................ 210
Creating Tags .................................................................................................................................................. 210
Tagging an Item .............................................................................................................................................. 211
Viewing Tagged Items .................................................................................................................................... 212
Hiding a Tag.................................................................................................................................................... 212
Deleting Tags .................................................................................................................................................. 213
Changing the Tag Order ................................................................................................................................. 213

Generating Reports 215


Overview ........................................................................................................................................................ 216
Bookmarking Data for Reports....................................................................................................................... 216
Using Report Templates ................................................................................................................................. 217
Report Template Structure....................................................................................................................... 217
Formatting Report Templates .................................................................................................................. 219
Localization of Report Layout ................................................................................................................... 224
Editing Report Object Code ...................................................................................................................... 224
Body Text Tab ........................................................................................................................................... 228
File Report EnScript ........................................................................................................................................ 229
Running the File Report EnScript.............................................................................................................. 229
Saving the File Report ............................................................................................................................... 232
Viewing a Report ............................................................................................................................................ 232

Smartphone Support 235


Overview ........................................................................................................................................................ 236
Supported Smartphone Operating Systems .................................................................................................. 237
Acquiring Smartphone Devices ...................................................................................................................... 238
Acquiring Apple iOS Devices..................................................................................................................... 240
Acquiring RIM BlackBerry Devices............................................................................................................ 240
Acquiring Google Android Devices ........................................................................................................... 240
Acquiring Nokia Symbian S60 Devices ..................................................................................................... 241
Acquiring Windows Mobile 6.x Devices ................................................................................................... 241
Acquiring Palm OS Devices ....................................................................................................................... 244
Acquiring SIM Cards ................................................................................................................................. 244
Acquiring Mass Storage Devices .............................................................................................................. 246
Acquiring Apple iTunes Backup Files ........................................................................................................ 247
Acquiring BlackBerry Desktop Manager Backup Files .............................................................................. 247
Installing Drivers ............................................................................................................................................ 247
Analyzing and Reporting on Acquired Data ................................................................................................... 248
Displaying Smartphone Data .................................................................................................................... 248
Available Smartphone Data...................................................................................................................... 249
Creating a Smartphone Report ................................................................................................................ 250
Exporting Location Data ........................................................................................................................... 252

Working with Non-English Languages 255


Overview ........................................................................................................................................................ 256
Configuring EnCase to Display Non-English Characters ................................................................................. 256
Changing the Default Code Page ................................................................................................................... 257
Setting the Date Format ................................................................................................................................ 258
Assigning a Unicode Font ............................................................................................................................... 258
Viewing Unicode Files .................................................................................................................................... 258
Text Styles ...................................................................................................................................................... 259
Configuring Windows for Non-English Language........................................................................................... 259
Configuring the Keyboard for a Specific Non-English Language .............................................................. 259
Entering Non-English Content without Using Non-English Keyboard Mapping ....................................... 260

Using LinEn 261


Overview ........................................................................................................................................................ 262
Creating a LinEn Boot Disk ............................................................................................................................. 262
Configuring Your Linux Distribution ............................................................................................................... 262
Obtaining a Linux Distribution.................................................................................................................. 263
LinEn Setup Under SUSE ........................................................................................................................... 263
LinEn Setup Under Red Hat ...................................................................................................................... 263
Performing Acquisitions with LinEn ............................................................................................................... 263
Setup for a Drive-to-Drive Acquisition ..................................................................................................... 264
Drive-to-Drive Acquisition Using LinEn .................................................................................................... 265
LinEn Command Line ................................................................................................................................ 272
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) .................................. 275
Acquiring a Disk Running in Direct ATA Mode ......................................................................................... 276
Mode Selection ........................................................................................................................................ 276
Crossover Cable Preview or Acquisition ................................................................................................... 277
LinEn Evidence Verification and Status Reporting ......................................................................................... 278
Evidence Verification................................................................................................................................ 279
Status Reporting ....................................................................................................................................... 280
Hashing the Subject Drive Using LinEn .......................................................................................................... 280
LinEn Manual Page......................................................................................................................................... 282

EnCase Decryption Suite 285


Overview ........................................................................................................................................................ 287
Disk and Volume Encryption .................................................................................................................... 287
Supported Encryption Products ............................................................................................................... 288
EDS Commands and Tabs ............................................................................................................................... 289
Analyze EFS ............................................................................................................................................... 289
Secure Storage Tab ................................................................................................................................... 291
Safeboot Encryption Support ......................................................................................................................... 298
Utimaco SafeGuard Easy Encryption Support ................................................................................................ 302
Supported Utimaco SafeGuard Easy Encryption Algorithms .................................................................... 302
Utimaco Challenge/Response Support..................................................................................................... 302
Utimaco SafeGuard Easy Encryption Known Limitation ........................................................................... 308
Check Point Full Disk Encryption Support (Volume Encryption) .................................................................... 308
Username and Password Authentication ................................................................................................. 308
Challenge-Response Authentication ........................................................................................................ 311
BitLocker Encryption Support (Volume Encryption) ...................................................................................... 313
Recovery Key and Recovery Password Files ............................................................................................. 313
Decrypting a BitLocker Encrypted Device Using Recovery Key ................................................................ 314
Decrypting a BitLocker Encrypted Device Using Recovery Password....................................................... 316
Full Volume Encryption (FVE) AutoUnlock Mechanism............................................................................ 318
Physical RAID Encryption Support ............................................................................................................ 319
Successful BitLocker Decryption............................................................................................................... 320
Unsuccessful BitLocker Decryption .......................................................................................................... 321
Saved BitLocker Credentials in Secure Storage ........................................................................................ 321
WinMagic SecureDoc Encryption Support ..................................................................................................... 321
GuardianEdge Encryption Support................................................................................................................. 323
Supported GuardianEdge Encryption Algorithms .................................................................................... 324
GuardianEdge Hard Disk and Symantec Endpoint Encryption Support ................................................... 324
If EnCase Reports GuardianEdge/Symantec dlls Cannot be Opened ....................................................... 325
PGP Whole Disk Encryption (WDE) Support .................................................................................................. 326
Obtaining Whole Disk Recovery Token Information ................................................................................ 327
Obtaining Additional Decryption Key (ADK) Information ......................................................................... 328
PGP Decryption using the Passphrase ...................................................................................................... 330
CREDANT Encryption Support (File-Based Encryption) .................................................................................. 330
Supported CREDANT Encryption Algorithms ............................................................................................ 334
CREDANT Encryption Support (Offline Scenario) ..................................................................................... 334
CREDANT Files and Logical Evidence (L01) Files ....................................................................................... 335
McAfee Endpoint Encryption Support ........................................................................................................... 336
Symantec and McAfee Endpoint Encryption Support.................................................................................... 336
S/MIME Encryption Support .......................................................................................................................... 336
Troubleshooting a Failed S/MIME Decryption ......................................................................................... 340
Decrypting S/MIME Email Messages in an Evidence File Created in Windows Vista ............................... 340
NSF Encryption Support ................................................................................................................................. 340
Recovering NSF Passwords ....................................................................................................................... 341
Lotus Notes Local Encryption Support ........................................................................................................... 342
Determining Local Mailbox Encryption .................................................................................................... 342
Parsing a Locally Encrypted Mailbox ........................................................................................................ 342
Encrypted Block ........................................................................................................................................ 343
Decrypted Block ....................................................................................................................................... 343
Locally Encrypted NSF Parsing Results ..................................................................................................... 344
Windows Rights Management Services (RMS) Support ................................................................................ 346
RMS Standalone Installer ......................................................................................................................... 347
RMS Decryption at the Volume Level....................................................................................................... 348
RMS Decryption at the File Level ............................................................................................................. 349
RMS Protected Email in PST ..................................................................................................................... 350
Windows Key Architecture ............................................................................................................................ 351
Dictionary and Built-In Attacks ...................................................................................................................... 351
Dictionary Attack ...................................................................................................................................... 351
Built-In Attacks ......................................................................................................................................... 351

Virtual File System 355


Overview ........................................................................................................................................................ 356
Evidence File Formats Supported by VFS ....................................................................................................... 356
Mounting Evidence with VFS ......................................................................................................................... 356
Mounting a Single Drive, Device, Volume, or Folder ............................................................................... 357
Mount Network Share Options ................................................................................................................ 357
Compound Files ........................................................................................................................................ 359
Encrypting File System ............................................................................................................................. 360
RAIDs ........................................................................................................................................................ 362
Deleted Files ............................................................................................................................................. 362
Internal Files and File System Files ........................................................................................................... 362
RAM and Disk Slack .................................................................................................................................. 363
Other File Systems.................................................................................................................................... 365
ext2, ext3, UFS, and Other File Systems ................................................................................................... 365
Dismounting the Network Share ................................................................................................................... 366
Changing the Mount Point ....................................................................................................................... 366
Accessing the Share ....................................................................................................................................... 367
Using the EnCase Interface ...................................................................................................................... 367
Using Windows Explorer .......................................................................................................................... 367
Third-Party Tools ............................................................................................................................................ 368
Malware Scanning .................................................................................................................................... 369
Other Tools and Viewers .......................................................................................................................... 369
Temporary Files Reminder ....................................................................................................................... 371
VFS Server ...................................................................................................................................................... 371
Configuring the Server ............................................................................................................................. 372
Restrict Access by IP Address ................................................................................................................... 373
Connecting the Clients ............................................................................................................................. 374
Closing the Connection ............................................................................................................................ 374
Troubleshooting ............................................................................................................................................. 375

Physical Disk Emulator 377


Overview ........................................................................................................................................................ 378
Evidence File Formats Supported by EnCase PDE .................................................................................... 378
Using Physical Disk Emulator ......................................................................................................................... 378
Starting Physical Disk Emulator ................................................................................................................ 378
Configuring the PDE Client ....................................................................................................................... 380
Mounting Non-Windows Devices............................................................................................................. 381
Accessing the Local Disk in Windows Explorer ......................................................................................... 381
Saving and Dismounting the Emulated Disk ............................................................................................. 381
Closing and Changing the Emulated Disk ................................................................................................. 383
Temporary Files Redirection .................................................................................................................... 383
Third-Party Tools ............................................................................................................................................ 383
Using Third-Party Tools ............................................................................................................................ 383
Boot Evidence Files and Live Systems with VMware ..................................................................................... 384
Initial Preparation ..................................................................................................................................... 384
New Virtual Machine Wizard ................................................................................................................... 385
Booting the Virtual Machine .................................................................................................................... 387
VMware/EnCase PDE FAQs ............................................................................................................................ 388
PDE Troubleshooting...................................................................................................................................... 390

FastBloc SE 391


Overview ........................................................................................................................................................ 392
Write Blocking and Write Protecting a Device ............................................................................................... 392
Write Blocking a USB, FireWire, or SCSI Device ....................................................................................... 392
Write Protecting a USB, FireWire, or SCSI Device .................................................................................... 393
Removing Write Block from a USB, FireWire, or SCSI Device ................................................................... 394
Disk Caching and Flushing the Cache ............................................................................................................. 394
Troubleshooting ............................................................................................................................................. 394

Deploying and Running Servlets 397


Overview ........................................................................................................................................................ 398
Deploying Servlets.......................................................................................................................................... 400
Deploying Check In Servlets ........................................................................................................................... 400
Deploying Windows Servlets.......................................................................................................................... 401
Running Windows Servlets as a Service or as a Process........................................................................... 402
Deploying Windows Servlets with Active Directory ................................................................................. 404
Deploying Windows Servlets Using a Domain Push ................................................................................. 404
Deploying Windows Servlets Using PsTools ............................................................................................. 404
Creating a Text File of Nodes .................................................................................................................... 406
Deploying Windows Servlets Using IPC$ and PSExec ............................................................................... 408
Deploying Windows Servlets Using Removable Media and PsExec ......................................................... 412
Copying *NIX Servlets .................................................................................................................................... 412
Copying *NIX Servlets Using Removable Media ....................................................................................... 413
Copying *NIX Servlets Using SSH and SCP ................................................................................................ 413
Copying *NIX Servlets Using Telnet and FTP ............................................................................................ 414
Deploying Linux Servlets ................................................................................................................................ 414
Running a Linux Servlet as a Process ........................................................................................................ 415
Deploying the Linux Servlet Using xinetd ................................................................................................. 415
Deploying the Linux Servlet Using inittab................................................................................................. 416
Deploying the Linux Servlet using inetd ................................................................................................... 417
Deploying Solaris Servlets .............................................................................................................................. 418
Installing the Tar Package ......................................................................................................................... 419
Running a Solaris Servlet as a Process ...................................................................................................... 421
Deploying a Solaris Servlet Using xinetd .................................................................................................. 421
Deploying in Solaris Using inittab ............................................................................................................. 422
Deploying AIX Servlets ................................................................................................................................... 423
Deploying OS X Servlets ................................................................................................................................. 424
Running in OS X Using xinetd ................................................................................................................... 425
Running in OS X Using launchd ................................................................................................................. 426
HP-UX VxFS and Servlet Support.................................................................................................................... 428
Installing the HP-UX Servlet...................................................................................................................... 429
Running the HP-UX Servlet ....................................................................................................................... 432
Deploying NetWare Servlets .......................................................................................................................... 433
Running a NetWare Servlet as a Process .................................................................................................. 433
Running a Servlet as a NetWare Service .................................................................................................. 433
McAfee ePolicy Orchestrator (ePO) Integration ............................................................................................ 434
Checking In the ePO Servlet Package ....................................................................................................... 434
Installing the Optional Guidance Software Servlet Extension .................................................................. 436
Deploying the ePO Servlet ....................................................................................................................... 438

Verifying Servlet Deployment 443
Verifying Servlet Deployment ........................................................................................................................ 444
Verifying Servlet Deployment with Net Start Command ............................................................................... 444
Verifying Servlet Deployment with Netstat Command ................................................................................. 445
Verifying Servlet Deployment Using Telnet ................................................................................................... 445
Verifying AIX Servlet Deployment .................................................................................................................. 446

Stopping and Removing Enterprise Servlets 447
Stopping and Removing Servlets ................................................................................................................... 448
Stopping a Servlet Using PsTools ................................................................................................................... 448
Removing Check In Functionality ................................................................................................................... 448
Removing the Servlet in Windows ................................................................................................................. 449
Removing the Servlet from Linux or OS X ...................................................................................................... 450
Removing the Solaris Package ....................................................................................................................... 452
Removing the AIX Package............................................................................................................................. 452
Removing the NetWare Servlet ..................................................................................................................... 452
Stopping the SAFE .......................................................................................................................................... 453

Support 455
Technical Support .......................................................................................................................................... 455
Live Chat ................................................................................................................................................... 455
Technical Support Request Form ............................................................................................................. 455
Email ......................................................................................................................................................... 455
Telephone ................................................................................................................................................ 455
Support Portal .......................................................................................................................................... 456
Registration .............................................................................................................................................. 457
User, Product, and Foreign Language Forums ......................................................................................... 457
Posting to a Forum ................................................................................................................................... 458
Searching .................................................................................................................................................. 458
Bug Tracker............................................................................................................................................... 458
Knowledge Base ....................................................................................................................................... 458
MyAccount ............................................................................................................................................... 459

Index 461
CHAPTER 1

Overview
In This Chapter
 EnCase Forensic

 EnCase Enterprise
12 EnCase® Examiner Version 7.03

EnCase Forensic
EnCase Forensic enables you to collect forensically sound data and conduct complex large scale
investigations from beginning to end.
EnCase Forensic is created to be used by:
 Those responsible for collecting evidence.
 Forensic examiners and analysts.
 Forensic examiners who develop and use EnScript code to automate repetitive or complex
tasks.
With EnCase Forensic these types of investigators can:
 Acquire data in a forensically sound manner using software with an unparalleled record in
courts worldwide.
 Investigate and analyze data from multiple platforms—Windows, Linux, AIX, OS X, Solaris,
and more—using a single tool.
 Find information despite efforts to hide, cloak, or delete.
 Easily manage large volumes of computer evidence, viewing all relevant files, including
deleted files, file slack, and unallocated space.
 Create exact duplicates of original data, verified by hash and Cyclic Redundancy Check (CRC)
values.
 Transfer evidence files directly to law enforcement or legal representatives.
 Review options that allow non-investigators, such as attorneys, to review evidence with ease.
 Use reporting options for quick report preparation.

EnCase Enterprise
EnCase Enterprise is a forensically sound data acquisition and analysis tool built to scale across the
network. The following components work together to let you conduct network-based investigations
simultaneously on multiple machines:

The SAFE server
The SAFE (Secure Authentication For EnCase) server is used to administer access rights, provide for
secure data transmission, and broker communications between the network and the EnCase Enterprise
user.
The SAFE:
 Authenticates investigators using public key cryptography.
 Uses role-based permissions to control access and ensure proper enforcement of policies.
 Generates logs for many transactions that can be used to establish an initial chain of custody.
For information about the installation, configuration, and administration of the SAFE please refer to
the EnCase SAFE Administration Guide.

The EnCase Examiner
The EnCase Enterprise Examiner application is based on the standalone version of EnCase Forensic.
The Enterprise Examiner uses a secure virtual connection to communicate with the target machines.
The number of concurrent connections controls the number of machines that can be analyzed
simultaneously.

The EnCase Examiner enables you to:
 Add and list the SAFE nodes available on the network
 Provide logon access to the SAFE for those nodes
 Add and list network devices connected to each of the SAFE nodes
The Examiner uses servlets to remotely discover, preview, and acquire data.

Servlets
After a command from the Examiner has been authorized by the SAFE server and verified by the
network device, a servlet is deployed to target machines to execute the command. The servlet runs as a
process or service with administrative privileges and has access to each target machine at the bit
level.
Work with your network administrator to determine the best methods for deploying the servlets,
taking into account your network topology, network operating system, and management tools. Tools
you can use to distribute the servlets include:
 Windows networks logon scripts or group policies
 IBM Tivoli push technology
 HP Open View push technology
 Microsoft SMS push technology
 CA Unicenter TNG push technology
 Symantec Ghost Console push technology
CHAPTER 2

Installing and Configuring EnCase
In This Chapter
 Overview

 Obtaining Updates

 EnCase Requirements

 Installing EnCase Forensic and EnCase Enterprise

 Using the Network Authentication Server

 Configuration Options

 Configuring Time Zone Settings

 EnCase Version 7 Application Folder Locations



Overview
This chapter describes how to install EnCase Forensic Examiner, EnCase Enterprise Examiner, and
EnCase Processor.
EnCase Forensic Examiner, EnCase Enterprise Examiner, and EnCase Processor are all installed
using the same installer. Your security key, or dongle, contains programmatic flags that determine
whether EnCase Forensic Examiner, EnCase Enterprise Examiner, or EnCase Processor functionality is
available to you. If you do not use a security key, your NAS license contains the appropriate flags for
your product. Unless otherwise specifically noted, the term EnCase refers to all of these products.
This chapter lists the default locations of installation directories and files and also provides
information about configuring EnCase settings.

Obtaining Updates
When you receive your product, register it with Guidance Software to receive updates. Register at
https://www.guidancesoftware.com/registration.aspx.
If you have trouble registering your product, contact Customer Service.
If you have trouble downloading the updates once registered, contact Technical Support on page 455.

EnCase Requirements
Before you begin, make sure you have:
 An EnCase security key (also known as a dongle), or a NAS license and connection information
 An optional certificate file for users who want to activate an EnCase Version 6 dongle to run
EnCase Version 7
 Downloaded installation files for the current release of EnCase
For best performance, examination computers should have at least the following hardware and
software configuration:

Configuration            Requirements
Class                    Desktop or server class hardware (32- or 64-bit)
Operating Systems         Windows XP Professional
                          Windows Server 2003 Standard
                          Windows Server 2008 R2 Standard
                          Windows Vista
                          Windows 7 (32-bit)
                          Windows 7 (64-bit) (recommended)
OS Drive                 SATA 7200 RPM
Evidence Storage Drive   SATA 7200 RPM (a separate evidence storage drive is recommended)
Optical Drive            Dual Layer DVD +/-RW Drive
Evidence Backup          SATA 7200 RPM (a separate evidence storage drive is recommended)
Processor (CPU)           Dual Core processor
                          Quad Core processor (recommended)
                          Intel Itanium processors are not supported
Memory (RAM)              4 GB RAM (32-bit computer)
                          4 GB RAM (64-bit computer)
                          16 GB RAM (recommended)
Hard Drive Capacity      300 MB of free hard drive space
Display                  Single 19" or greater
                         Dual display (recommended)
Network Configuration    Gigabit Ethernet (GbE)
I/O Interfaces           USB 2.0 Parallel (for acquisitions)
Flash Media Readers      Multi-Reader
RAID Card                A RAID setup is optional, but recommended to improve disk I/O speed, to allow
                         for data redundancy, or both. A RAID setup could be applied to evidence
                         storage or backup volumes.
                          Hardware RAID
                          PCI-Express
                          Ability to support three or more SATA drives
                          Support for RAID 1, 0, 5, and 10
64-bit OS restrictions   For complete case analysis, Guidance Software recommends running EnCase on
                         the same platform as the operating system. Running 32-bit EnCase on a 64-bit
                         platform provides only basic snapshot information such as ports or processes.
                         Some decryption products, however, only contain 32-bit integration. In these
                         circumstances, when decrypting devices, columns, or files, you may need to run
                         the 32-bit version of EnCase on a 64-bit version of Windows.
                         64-bit versions of Windows XP, Server 2003 and 2008, Server 2008 R2, Vista,
                         and Windows 7 can be run with both 32- and 64-bit EnCase.
18 EnCase® Examiner Version 7.03

Installing EnCase Forensic and EnCase Enterprise
1. Open the EnCase Examiner.exe installation file. Do not insert your security key until after
installation is complete.
2. Accept the default installation location, or enter your own installation path and click Next.
• If you used the same directory for a previous installation of EnCase, the installer
overwrites any existing program files, logs, and drivers.
3. If it displays, read the EnCase License Agreement, click the I Agree checkbox, then click Next.
4. If you have the option, select Install or Reinstall and click Next.
5. Depending on your installation, the Installer may display several checkboxes:
• Install Help installs the latest version of help files. Guidance Software recommends
always selecting this box. If this box is not available, the help files are automatically
installed.
• Install HASP Drivers installs the latest version of the HASP dongle drivers. Guidance
Software recommends selecting this checkbox if you are upgrading from a previous
version of EnCase, or if you are working in an environment using a mix of both
Sentinel/Aladdin HASP drivers and Codemeters. If you are reinstalling and have already
installed the HASP drivers and the checkbox is present, leave the box cleared.
• Install HASP Drivers and Install CodeMeter Drivers checkboxes are both displayed and
checked if you do not have a previous version of EnCase installed. Guidance Software
recommends leaving them both selected.
• Reinstall CodeMeter Drivers and Reinstall HASP Drivers may display if the installer
detects you have previous versions of the drivers installed.
6. Click Next. When the installation wizard has finished copying and installing EnCase, select
whether to Reboot Now and complete the installation immediately, or Reboot Later. To
ensure the registration of certain DLLs and enable the drivers, Guidance Software recommends
rebooting at this time.
7. After the computer has rebooted, insert the dongle into a USB port on your computer. With
the program successfully installed, the shortcut to EnCase displays on your Desktop. If you
are using a CodeMeter dongle, the CodeMeter icon in the Windows system tray turns blue.
You are now ready to start using the product.
All EnCase users must have administrator permissions to view local devices on Windows computers
running Vista operating systems and above.

To run EnCase as an administrator:
1. Right click the EnCase icon and click Run as Administrator.
2. Windows displays a prompt with the heading An unidentified program wants access to your
computer.
3. Click Allow.

Uninstalling EnCase
The uninstaller works only on identical software versions.
To uninstall EnCase:
1. Have backups of evidence and case files prior to making modifications to any software on an
examination machine.
2. Close any running versions of EnCase.
3. Open the Windows Control Panel and double click Change or Remove Programs.
4. Select the EnCase version to remove and click Change/Remove.
5. The EnCase uninstall wizard runs and the first screen displays.
6. Enter or navigate to the installation location in the Install Path field. The default is
C:\Program Files\Encase7.
7. Click Next. The uninstall wizard opens.
8. Click Next.
9. Select Uninstall and click Next. A progress bar displays during the uninstall process.
10. The last page of the uninstall wizard displays. Select Reboot Later or Reboot Now and click
Finish.

Reinstalling EnCase
Use the EnCase Installation Wizard to reinstall EnCase. Reinstalling creates a new log file and
reinstalls the following items:
 Application files
 Registry keys
 Needed user files
 Default configuration files
Note: If you previously modified EnScripts without placing the modified EnScripts in another folder,
they are lost during reinstallation.
Reinstalling does not change:
 Licenses
 Certificates
 User settings
When reinstalling EnCase, make sure that your dongle is inserted. If support on the dongle has
expired, a warning message displays.

Using the Network Authentication Server
The EnCase Network Authentication Server (NAS) distributes licenses to a group of users across a
network, which eliminates the need for using an individual dongle for each computer. This set-up is
typically used in laboratory environments with multiple examiners and multiple copies of EnCase.
After NAS is set up and running, computers running EnCase do not use a dongle, but instead use
NAS.
NAS is connected to the EnCase SAFE, an authentication server and integral component of EnCase
security. The SAFE is an EnCase product with a separate installation and configuration. NAS requires
installation of an EnCase SAFE.
After NAS is running, the computer running EnCase can still use a physical security key.
When EnCase starts on a computer, it searches for a security key to provide licensing information. If
no security key is installed, EnCase then searches for a NAS to provide its license. If none is found,
EnCase opens in Acquisition mode.
For more detailed information about implementing NAS and installing the EnCase SAFE, see the
EnCase SAFE Administration Guide.

Configuration Options
You can configure options for EnCase according to your needs or preferences, using the Configuration
Options tabbed dialog. Each tab allows you to select a panel that controls a group of options, described
in the following sections. To access the Configuration Options, select Options from the Home tab.

Global Options
The Global tab contains settings that apply to all cases.

Auto Save Minutes (0 = None) is the number of minutes between automatic saves of case files.
Automatically saved data is written to *.CBAK files in the EnCase7 backup directory. The default
setting is ten minutes.
Backup Files is the maximum number of files stored as backups when you save a case. The default is
9.
Use Recycle Bin for Cases determines whether the current case file is moved to the Recycle Bin or
overwritten when you manually save a case file.
Enable Picture Viewer allows graphics to be displayed in various views.
Enable ART Image Display determines whether to display ART image files. When EnCase encounters
corrupt ART image files, application problems can occur. This setting enables you to minimize the
impact of corrupted ART files.
Invalid Picture Timeout (seconds) indicates the amount of time EnCase attempts to read a corrupt
image file before timing out. After a timeout occurs, the corrupt file is sent to the cache and no attempt
is made to re-read it.
Force ordered rendering in gallery forces images to appear in order, from left to right, sequentially by
row. If you leave this box unchecked, images appear in the gallery view as they become available.
Forced ordering takes longer to complete; unforced rendering shows images more quickly, but not in
order.
Current Code Page specifies the current code page, which is the character set for the language and
case data. The default value is Western European (Windows).

Change Code Page enables you to change the default value of the code page from Western European
(Windows) to another available code page. Set the global code page to display foreign language
characters correctly.
Show True indicates a value of true in table columns displayed in the Table tab of the Table pane. The
default indicator is a bullet, which you can change to a different character.
Show False indicates a value of false in table columns displayed in the Table tab of the Table pane. The
default indicator is a blank space, which you can change.
Default Char specifies the character that EnCase uses on its displays to indicate that a box or cell is
checked.
Flag Lost Files specifies whether the disk map shows lost clusters. Lost clusters are clusters that the
file system marks as in use but that EnCase cannot confirm are actually used.
Detect FastBloc Hardware determines whether or not to search for legacy FastBloc hardware write
blockers.
Do not verify evidence when opened turns off file content verification when an evidence file is opened.
Verification can be time consuming, but it is also the check that confirms the evidence file's contents
still match the values recorded when it was acquired; select this option only when you are willing to
skip that check.

Date Options
Customize date/time information associated with a case using the Date tab in Options.

Display time zone on dates includes the time zone in date/time columns.
Date Format includes these options:
 MM/DD/YY (06/21/08)
 DD/MM/YY (21/06/08)
 Other enables you to specify your own date format
 Current Day displays the current date in the specified date format
Time Format includes these options:
 12:00:00PM uses a 12 hour clock for the time format
 24:00:00 uses a 24 hour clock for the time format
 Other enables you to specify your own time format
 Current Time displays the current time in the specified time format

NAS Options
The options on the NAS tab configure EnCase to receive the software's licensing information from an
EnCase Network Authentication Server (NAS) instead of from a dongle inserted into the machine.

Use Network Authentication Server for licensing: Check this box to indicate use of the NAS licensing
system to run the copy of EnCase on your computer.
NAS Key Path: Specifies the full path of the user's licensing file. The NAS file for general licensing of
EnCase is default.nas.
SAFE Key Path: Enter the full path of the location of the EnCase SAFE public key file. This SAFE token
file has the .SAFE file extension and is found on the SAFE authentication server.
SAFE Address: Enter the IP address or machine name of the computer running the EnCase SAFE. If
you are using a port other than 4445, append the port number to the computer's IP address, separated
by a colon (for example, 192.168.1.34:5656).
Status: Displays the name or IP address of the computer on which the EnCase licensing files currently
reside.
Create User Key...: Opens the Create User Key dialog. Do not use this button unless you are creating
separate licenses for each computer belonging to your NAS setup. For more information about using
individual licenses, see the EnCase SAFE Administration Guide.

Color Options
Use the Colors tab to change the default colors associated with various case elements. This dialog
shows the current foreground and background colors for the case element.

To change the colors for a listed EnCase element:
1. Double click the Foreground or Background associated with an element.
2. Click a box in the Color dialog to select that color.
3. Click Define Custom Colors to select from a larger palette of colors.
4. Click OK to accept the color change or Cancel to revert to the previous color.

Font Options
Use the Fonts tab to customize the fonts used for EnCase user interface items, and in data panels and
reports.

To customize the font for an element:
1. Double click the box associated with an item.
2. In the Font dialog, select your options and click OK. The text box previews the current font
options.

Shared File Options
Use the Shared Files tab to specify a path to a folder containing files that require shared access.
Specifying the shared files folder allows easy access to:
 Shared scripts
 Filters
 Searches
 Conditions
 Keywords

Debug Options
Use the Debug tab to specify debugging information and options.

The Startup panel displays operating system, application, and session information about your
computer and about EnCase.
If the pane is empty, click Show Startup Log to display the information. The information is useful for
troubleshooting purposes.
System Cache specifies the amount of physical memory for caching reads and writes of files on disk.
The default value is 20 percent of the computer's physical memory (RAM).
 Minimum (MB): The minimum size of the system cache in Megabytes; the default value is 1.
 Maximum (MB): The maximum size of the system cache in Megabytes. The default value
depends on the amount of physical memory available on the computer. You can manually set
this value up to the maximum amount of physical memory available (although this is not
recommended).
 Controlled by EnCase: Clicking this box allows EnCase to control the size of the system cache
(recommended).
 Do not warn at startup: If you check this box, EnCase will not display warning messages
when possible system memory issues occur.
 Set Defaults: Click this button to reset the system cache values to their default values.
Debug Logging allows you to select which logging action to take in the event of a crash:
 Off: No debug logging is performed (default).
 Stack: This option saves a stack dump if EnCase crashes. This file contains data that the
crashing subsystem used, the system DLLs loaded at the time of the event, and the version of
EnCase. In most cases, the information written to the Stack dump log does not contain case
specific data.
 Heap: This option saves a heap dump if EnCase crashes. It is the recommended option for
most EnCase crash issues. The heap contains data from process memory that the program uses
while running, which results in a considerably larger dump file (potentially in the gigabyte
range) than a stack dump. Note that a heap dump frequently contains case specific data,
including data from the evidence.
Note: For the quickest debugging of the crash, Guidance Software recommends selecting the Heap option.

Enterprise Options
The Enterprise tab provides private key caching and reconnect options.

 Private Key Caching specifies the number of minutes for which the EnCase private key
password is held in memory.
 Auto Reconnect Attempts is the number of times EnCase should attempt reconnection to
a servlet.
 Auto Reconnect Intervals is the number of seconds EnCase should wait before trying to
reconnect to a servlet if previous attempts have failed.

Configuring Time Zone Settings
To configure time zone settings:
1. From within a case, click the Evidence tab to view a list of your devices in the Table tab.
2. Click the name of the device you want to modify.
3. From the Device menu select Modify time zone settings. The Time Properties dialog displays.
4. Select the time zone that you wish to use.
5. If the time zone supports Daylight Saving Time, and the rules differ from year to year, EnCase
automatically applies the rules that were in force in each particular year. To override this
behavior, select Use single DST offset. This applies a single offset and enables you to choose
the year for the correct bias.
6. Click OK. The time zone is listed in the Report tab for that device.
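Why the choice between per-year DST rules and a single offset matters for evidence timestamps, as an added example that is not part of the original guide or of EnCase: it models the US Eastern zone in plain Python, where the DST rule changed in 2007 (first Sunday of April to last Sunday of October before 2007; second Sunday of March to first Sunday of November from 2007 on, clocks changing at 02:00 local). The rule dates are standard; the evidence timestamp is constructed, and treating "single DST offset" as "the chosen bias year's rule applied to every year" is an assumption about the option's semantics, not something the guide states.

```python
import calendar
from datetime import datetime, timedelta, timezone

# US Eastern offsets used throughout this constructed example.
STD_OFFSET = timedelta(hours=-5)   # EST
DST_OFFSET = timedelta(hours=-4)   # EDT


def nth_sunday(year, month, n):
    """Day of month of the n-th Sunday (n=1 is the first, n=-1 the last)."""
    weeks = calendar.monthcalendar(year, month)          # rows run Monday..Sunday
    sundays = [w[calendar.SUNDAY] for w in weeks if w[calendar.SUNDAY] != 0]
    return sundays[n - 1] if n > 0 else sundays[n]


def us_dst_window_utc(year, rule_year=None):
    """DST start and end instants (UTC) for US Eastern in `year`.

    Which rule is applied is decided by `rule_year` (default: the year itself):
    1987-2006: first Sunday in April to last Sunday in October;
    2007 onward: second Sunday in March to first Sunday in November.
    Clocks change at 02:00 local time (standard time at the start, daylight
    time at the end), which is how the UTC instants below are derived.
    """
    rule_year = year if rule_year is None else rule_year
    if rule_year < 1987:
        raise ValueError("rules before 1987 are outside this example")
    if rule_year >= 2007:
        start_month, start_day = 3, nth_sunday(year, 3, 2)
        end_month, end_day = 11, nth_sunday(year, 11, 1)
    else:
        start_month, start_day = 4, nth_sunday(year, 4, 1)
        end_month, end_day = 10, nth_sunday(year, 10, -1)
    # 02:00 local = 02:00 minus the offset in force at that moment, expressed in UTC.
    start = datetime(year, start_month, start_day, 2, tzinfo=timezone.utc) - STD_OFFSET
    end = datetime(year, end_month, end_day, 2, tzinfo=timezone.utc) - DST_OFFSET
    return start, end


def to_local(utc_dt, bias_year=None):
    """Convert a UTC timestamp to US Eastern local time.

    bias_year=None applies the rule that was actually in force in the
    timestamp's own year (the per-year behaviour the guide describes as the
    default). Passing a year models "Use single DST offset": that year's rule
    is applied regardless of the timestamp's year (assumed semantics).
    """
    start, end = us_dst_window_utc(utc_dt.year, bias_year)
    offset = DST_OFFSET if start <= utc_dt < end else STD_OFFSET
    return utc_dt.astimezone(timezone(offset))


def offset_error_hours(utc_dt, bias_year):
    """Hours by which the single-offset reading differs from the per-year reading."""
    delta = to_local(utc_dt, bias_year).utcoffset() - to_local(utc_dt).utcoffset()
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    # Constructed evidence timestamp: a file written at 12:00 UTC on 20 March 2006,
    # i.e. before the 2007 rule change moved the start of DST into March.
    stamp = datetime(2006, 3, 20, 12, tzinfo=timezone.utc)
    print("per-year rules :", to_local(stamp).isoformat())        # 07:00-05:00
    print("single, 2008   :", to_local(stamp, 2008).isoformat())  # 08:00-04:00, one hour off
    print("single, 2006   :", to_local(stamp, 2006).isoformat())  # 07:00-05:00, correct bias year
```

With a bias year whose rule does not match the evidence year, every timestamp that falls between the two rules' transition dates is reported one hour off; picking the year whose rule matches the evidence removes the discrepancy.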

EnCase Version 7 Application Folder Locations
The current path used to store user data, user application data, and global application data can be seen
under Paths on the EnCase home page. All path locations can be configured.

Application Folder
This folder contains application files that are used by EnCase. User data and user configuration
settings are not saved in this location.
 Windows 7 and Windows Vista default path: \Program Files\EnCase7
 Windows XP: \Program Files\EnCase7

Folder Name    Description
Certs          License certificates
Condition      Default conditions
Config         Application configuration options
Drivers        Application drivers
EnScript       Default EnScripts and EnPacks
Filter         Default filters
Help           Help files
Installers     EnCase installation executables
Lib            Application library files
License        EnLicense files
Mobile         Mobile phone drivers
Noise          Default noise file
Template       Default case templates

User Data
User-created files and backup user data are stored in the following default folders:
 Windows 7 and Windows Vista path: \Users\<Username>\Documents\EnCase
 Windows XP: \Documents and Settings\<Username>\My Documents\EnCase
The current path used to store user data can be seen under Paths on the EnCase home page.

Folder Name    Description
Cases          Individual case folders (described below)
Condition      User-defined conditions
EnScript       User-defined EnScripts
EvidenceCache  Evidence cache (see below)
Filter         User-defined filters
Keys           Encryption keys
Keyword        User-defined keyword searches
Logs           Console logs
Search         User-defined searches
Template       User-defined case templates

Case Backup
Backup case data is saved in the following locations, based on your operating system:
 Windows 7 and Windows Vista path: \Users\<Username>\Documents\EnCase\Cases\Backup
 Windows XP: \Documents and Settings\<Username>\My Documents\EnCase\Cases\Backup

Case Folder
Case files are stored in the following locations, based on your operating system:
 Windows 7 and Windows Vista default path: \Users\<Username>\Documents\EnCase\Cases\<Case Name>
 Windows XP: \Documents and Settings\<Username>\My Documents\EnCase\Cases\<Case Name>

Folder Name        Description
Corrupt Pictures   Corrupt pictures
Email              Email thread database
Export             Default case Export folder
Results            Results of search queries (stored within the ..<Case Name>\Results folder)
Searches           Keyword search results (non-Evidence Processor)
Tags               Tag database
Temp               Default case Temp folder
<Case Name>.Case   EnCase case file

Evidence Cache
The evidence cache folder contains the cache, index, and Evidence Processor results for a device.
 Windows 7 and Windows Vista default path:
\Users\<Username>\Documents\EnCase\Evidence Cache\<Hash>
 Windows XP: \Documents and Settings\<Username>\My
Documents\EnCase\Evidence Cache\<Hash>

User Application Data
Configuration files and temporary user files associated with a specific user and EnCase installation
folder are stored in the following locations:
 Windows 7 and Windows Vista path: \Users\<Username>\AppData\Roaming\EnCase\EnCase7-<#>\Config
 Windows XP: \Documents and Settings\<Username>\Application Data\EnCase\EnCase7-<#>\Config
The current path used to store user application data can be seen under Paths on the EnCase home
page.

Global Application Data
Global EnCase files are stored in the following locations:
Windows 7 and Windows Vista path:
 \Users\All Users\AppData\Roaming\EnCase
 \Users\All Users\AppData\Roaming\EnCase\EnCase7-<#>
Windows XP:
 \Documents and Settings\All Users\Application Data\EnCase
 \Documents and Settings\All Users\Application Data\EnCase\EnCase7-<#>
Note: \Users\All Users\AppData = \ProgramData
The current path used to store global application data can be seen under Paths on the EnCase home
page.

Item        Description
Logos       Default report logo
Config      NAS and other global configuration files
ParseCache  Parse cache files
Storage     EnScript configuration files
Noise       Index noise file

CHAPTER 3

Working with Cases
In This Chapter
 Overview

 Launching EnCase for the First Time

 Using a Case Template to Create a Case

 Adding Evidence to a Case

 Setting Individual Case Options

 Case Operations

 Case Portability

Overview
This chapter describes how to use EnCase to create and start work on a case. It explains the major
components of the user interface, and how to use them to access EnCase features.
The chapter guides you through the initial stages of case creation and the basics of using case
templates, describes the process of adding evidence to a case and setting case options, shows how to
work with cases, and describes the case portability feature. In EnCase, a case is stored in a folder, with
subfolders for case-specific information such as tags and search results. The case folder and the
components contained within that folder directly associate the investigative work you perform with
the evidence. As a result, the folder should not be directly accessed.
The chapter's purpose is to get you started with EnCase case creation, explain how to access the main
features of this digital forensic tool, and give you a sense of the structure used to gather and process
your case evidence.

Launching EnCase for the First Time


When you launch a fully licensed version of EnCase for the first time, your main screen appears as
shown below:

The Home page, like all pages within EnCase, is divided into several sections, each with a specific set
of functions. In descending order, they are:

Application Toolbar: Appears below the title bar and provides dropdown menus to the major areas of
functionality. The menus and their selections remain largely static throughout an investigation. They
are described in more detail later in this chapter.

Tabs: Similar to tabs in a web browser, each top-level tab displays a page that groups a portion of
EnCase functionality. When you open EnCase for the first time, only the Home tab is displayed.

Tab Toolbar: Contains the back and forward arrows, which work as in any standard browser, and
viewing options that let you resize the panel dimensions to suit your needs. This toolbar also contains
menus and buttons that are specific to the selected tab.

Page body: Varies, depending on the tab you are viewing. The Home page consists of labels that
identify the product, the case, and the functionality available, and sections that identify categories of
EnCase components with links to the features and actions belonging to each category.

Using a Case Template to Create a Case


After installing and configuring EnCase, you can create a new case with an EnCase-supplied case
template. Following are instructions for creating a new case with a case template. After you create a
case, most of the EnCase features and their navigation paths become available. You begin creating a
case under the FILE category of the Home tab.
To create a new case:
1. Click New Case beneath the FILE category on the Home tab.
2. The Case Options dialog displays. Select a case template in this dialog; you must also name
the case.
3. In the figure below, the #Basic template is selected.

4. You can enter a case Name at this point, then click OK.

Case Templates
When you create a new case, you will see a list of available templates (these are .CaseTemplate
files). EnCase supplies several predefined templates, prefixed with the pound sign (#), whose
names appear in this list along with any templates you have saved.
To select a template:
• Click a name in the Templates list to select it. In the figure above, the #Basic
template is selected.
Although you can configure a new case completely from scratch using the blank template (None),
Guidance Software recommends using a template, as it simplifies the case creation process. Each
case template contains a uniquely configured set of the following:
• Case Info items with default values
• Bookmark folders and notes
• Tags
• Report templates
• User-defined report styles
You can also create your own templates by saving any case as a template. Afterwards, the new
template will appear in the Templates list and will be available for future use. If you intend to
create a number of cases with a similar structure, it makes sense to save one of them as a template
and use it to generate the other cases. Case templates can be shared with other users just by
sending them the Case template file.

Case Options Settings


Name: A text string you enter to identify the Case file. In EnCase Version 7, a case is no longer
contained within a single file, but is a folder containing many components, like folders for
temporary directories, tags, and search results. The name specified in this field will be used to
name the Case folder, as well as components contained within that folder.
Full case path: The folder in which the case is stored. This path is the Base case folder followed by
a subfolder named after the case.
Base case folder: The location where the case folder above will be created. By default, EnCase uses
a folder beneath the user's My Documents folder.
Primary evidence cache: EnCase Version 7 uses cache files to speed up application
responsiveness, enhance stability, and provide scalability across large data sets. The primary
evidence cache folder is where EnCase will save and/or access these files. Cache files may be
created in advance through the Evidence Processor, and a user can point to the folder that contains
this cache data. Although there is an evidence cache for each device in a case, the evidence cache
does not need to be stored with the evidence files. If cache files have not been created for a device,
they will be stored in this folder when the Evidence Processor is run.
Use base case folder for primary evidence cache: Check this box if you want to use the base case
folder specified above for the case's primary evidence cache. If you select this option, the Primary
evidence cache folder box is disabled.
Secondary evidence cache: EnCase allows you to specify a secondary location where a previously
created evidence cache can be found. This allows you to specify a folder on a network share or
other location to store cache files. Unlike the primary evidence cache folder, EnCase only reads
previously created files from this location. All new cache files are stored in the Primary evidence
cache folder.
Case info: Case Info Items are user configurable name-value pairs that document information
about the current case. Primarily, you use this user-definable information to insert into a Report.
To create Case Info Items, use the New button above the table to generate as many name-value
pairs as you need.

Click OK to apply the case options. The Home tab then displays a page for this particular
case, with the case name at the top. This case page lists hyperlinks to many common
EnCase features, and you can use it as the control center for the case. You are now ready to
begin building your case.

Adding Evidence to a Case


Once a case is created, you can add evidence to it by selecting the Add Evidence hyperlink on the case
page, or by selecting the Add Evidence dropdown menu from the application toolbar.
If you click the Add Evidence link on the Case page, the page changes to one like that shown below.
At any time, you can use the back or forward buttons to help navigate through the different Home tab
pages.

The Add Evidence menu contains the same selections, plus a selection that opens the Evidence
Processor. For more information, see the Evidence Processor Overview.
The following list describes the possible evidence selections:
Add Local Device
Initiate the process of adding a local device attached directly to your local computer. This can be the
main system drive, a device attached through a Tableau write-blocker, any other device connected to
an internal bus connection, floppy drives, optical media, card readers, or any device connected to a
USB port.
Add Evidence File
Specify an evidence file to add to the active case. This can be an EnCase evidence file (E01 or Ex01),
a logical evidence file (L01 or Lx01), a VMware disk (vmdk), a Virtual PC disk (vhd), or a SafeBack
(*.001) file.
Add Raw Image
Add a raw or dd image file of a physical device to the active case.

Acquire Smartphone
Acquires a smartphone. After clicking the Acquire Smartphone link, the dialog allows you to specify
the device type and the kinds of data that you want to collect into an evidence file.
Add Crossover Preview
Crossover cable acquisitions require both a subject and forensic machine. This type of acquisition also
negates the need for a hardware write blocker. It may be desirable in situations where physical access
to the subject machine's internal media is difficult or is not practical. This selection is the
recommended method for acquiring laptops and exotic RAID arrays.
Process Evidence
Process the case evidence, in an automated fashion, across a wide selection of parameters. This option
is only available when one or more evidence items are added to the case. The Evidence Processor
includes features such as:
• Analyzing file signatures. See Analyzing File Signatures on page 79.
• Creating an index of the case evidence data. See Creating an Index on page 85.
• Searching for email threads and conversations. See Finding Email on page 80.
• Searching Internet artifacts. See Finding Internet Artifacts on page 80.
See the Evidence Processor Overview on page 70 for more information on the processing of evidence.

Setting Individual Case Options


As opposed to the Configuration Options, Case Options are specific to individual cases. You access
case options from the Case Home page by clicking Case > Options or by selecting Options from the
Case dropdown menu.

To configure case options:


1. You cannot change the Name or the Full case path; they are there for informational purposes
only. You can change the following options:
• Primary evidence cache: Use the browse button to select a different primary evidence cache
folder. This selection is disabled if you checked Use base case folder for primary evidence
cache when you created the case.
• Secondary evidence cache: If your case needs a second, read-only cache location, use the
browse button to select the secondary evidence cache folder.
2. To add or edit Case Info items, click the appropriate button on the Case info toolbar.
• Split mode: Use this button to select from different views of the Case info items.
• Edit: Click the cell in the Case info table whose information you want to change, then click
Edit and modify the information.
• Delete: Select the row to delete, then click this button.
• New: Adds a new blank row to the Case info table.

Case Operations
Use the Case menu and the Case selections on the Case Home page to work with the parameters of
and perform actions on your case.

Following is a list of basic operations for working with a case. Use the menu items on the Case menu,
and the links beneath the Case section on the Case panel for these operations:

Case Selections

Save: Saves the current case file. The default file extension for a case file is Case; the default
extension for a backup case file is cbak.

Save As...: Use to save and rename the current case file, or to create a copy of the case file with a
different name.

Create Package: Use to package a case so that it can be shared with other users or environments.

Save As Template...: Use to save the case as an EnCase template for use with new cases. The file
extension for a case template is CaseTemplate.

Close: Closes the active case file.

Open...: Opens an existing case file. Note that you can have more than one case file active at a
time.

New Case...: Opens the Case Options dialog so that you can create a new case file.

Options...: Allows you to edit the Case Options for the active case.

Hash Libraries...: Displays the Hash Libraries dialog, which lists the hash libraries and hash sets
used in the current case and allows you to change libraries, or enable and disable hash libraries
and sets.

Changing the Evidence Path if the Evidence File is Moved


If you try to open a case where one or more of the evidence file locations have changed, this prompt
displays:

Click OK. You can then reassociate the evidence to the new location when you drill into the evidence
or view the evidence for the first time. Saving the case after that commits the change.
Alternatively, you can use the Update Paths button:
1. On the Evidence tab, click the checkbox for the evidence file where you want to change the
path, then click Update Paths.

2. In the Update Paths dialog, choose an existing path from the dropdown menu.

3. In the New Path box, enter or browse to the new path you want.

4. Click OK.

Case Portability
The Case Package option offers a convenient way of sharing entire cases among users, or porting a
case to a different computer or environment.
An EnCase package can contain the entire contents of a case, including the evidence and cache files, or
a subset of case-related items. You decide which case items to include when saving a case package.
To save a case as a package:
1. On the Home page, click Case > Create Package; the Create Package dialog appears.

2. The Create Package dialog offers several options for including case-related material in an
EnCase case package:
• The default Copy option (shown above) includes only the Required Items for the case file
and the Primary Evidence Cache.
• If you click the Archive option, all Packaged Items are automatically checked. Although
you gain the advantage of packaging all evidence files and the secondary evidence cache,
the package size can be extremely large. In the figure below, the size is 1.4 GB.
• If you click the Customize option, you can manually check any combination of Packaged
Items to include in the case package.
3. Save the case package to a Folder either by using the default folder path or by using the
browse button to locate a folder in which to store the package.
CHAPTER 4

Acquiring Devices and Evidence

In This Chapter
• Overview
• Types of Acquisitions
• Sources of Acquisitions
• Acquiring with the Evidence Processor
• Monitoring a Remote Acquisition
• Canceling an Acquisition
• Types of Evidence Files
• Verifying Evidence Files
• Acquiring a Local Drive
• Acquiring a Drive from a Network Preview
• Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
• Using a Write Blocker
• Acquiring a Disk Running in Direct ATA Mode
• Acquiring Disk Configurations
• Acquiring Other Types of Supported Evidence Files
• CD-DVD Inspector File Support
• Acquiring a DriveSpace Volume
• Reacquiring Evidence
• Adding Raw Image Files
• Restoring A Drive

Overview
With EnCase, you can directly process and analyze storage device and evidence file previews with
some limitations; however, if you want to use all of EnCase's processing and analysis features, you
need to perform a storage device or evidence file acquisition and save the evidence in a standard
format.
With EnCase, you can reacquire and translate raw evidence files into EnCase evidence files that
include CRC block checks, hash values, compression, and encryption. You can also add EnCase
evidence files created in other cases. EnCase can read and write to current or legacy EnCase evidence
files and EnCase logical evidence files.
When you are logged into a SAFE, you can acquire storage devices from a network preview. With the
LinEn utility, you can perform disk-to-disk acquisitions, and when you couple LinEn with EnCase,
you can perform network crossover acquisitions.
This chapter provides detailed information about all types of EnCase acquisitions.

Types of Acquisitions
EnCase can acquire evidence in four basic formats:
• Current EnCase evidence files (Ex01): the Ex01 format improves upon the E01 format with LZ
compression, AES256 encryption with keypairs or passwords, and options for MD5 hashing,
SHA-1 hashing, or both.
• Current logical evidence files (Lx01): the Lx01 format improves upon the L01 format with LZ
compression and options for MD5 hashing, SHA-1 hashing, or both. Encryption is not
available for logical evidence files.
• Legacy EnCase evidence files (E01): the E01 format makes current acquisitions accessible to
legacy versions of EnCase.
• Legacy logical evidence files (L01): the L01 format makes current logical acquisitions
accessible to legacy versions of EnCase.
Smartphone acquisitions create either E01 files (physical acquisitions) or L01 files (logical acquisitions).

Sources of Acquisitions
Sources for acquisitions within EnCase include:
• Previewed memory or local devices such as hard drives, memory cards, or flash drives.
• Previewed devices connected to a SAFE such as hard drives, memory cards, or flash drives.
• Evidence files supported by EnCase, including legacy EnCase evidence files (E01), legacy
logical evidence files (L01), current EnCase evidence files (Ex01), current logical evidence files
(Lx01), dd images, SafeBack images, VMware files (.vmdk), or Virtual PC files (.vhd). You can
use these to create legacy EnCase evidence files and legacy logical evidence files, or you can
reacquire them in the Ex01 or Lx01 format, adding encryption, new hashing options, and
improved compression.
• Single files dragged and dropped onto the EnCase user interface. These include ISO files, and
they create L01 or Lx01 logical evidence files.
• Smartphones, using the Acquire Smartphone dialog box.
• Network crossover using LinEn and EnCase to create E01 files or L01 files. This strategy is
useful when you want to preview a device without disassembling the host computer. This is
usually the case for a laptop, a machine running a RAID, or a machine running a device with
no available supporting controller.

Sources for acquisitions outside EnCase include:
• LinEn for disk-to-disk acquisitions that do not require a hardware write blocker.
• WinEn for acquiring physical memory from a live Windows computer.
• Tableau Forensic Duplicators (TD1, TD2, and TD3).

Acquiring with the Evidence Processor


If you are already previewing devices or have added raw images or evidence files to your case, the
Evidence Processor provides a convenient interface to acquire these items. Items previewed as single
files need to be acquired in the Entry view of EnCase. If your case has both single files and previewed
devices, acquire the single files to a logical evidence file before running the Evidence Processor to
process the single files in the same run.
To acquire using the Evidence Processor:
1. Select the Acquire checkbox next to the item you want to acquire.

2. The Acquire Device dialog opens. It contains three tabs: Location, Format, and Advanced.

3. Select the Location tab to:
• Enter the evidence name.
• Enter the evidence number.
• Enter the case number.
• Enter the examiner name.
• Select Remote Acquisition to acquire a network storage device.
− When selected, evidence is acquired by the servlet and saved to the specified
location. This avoids transfer of the entire device to the Examiner (as would occur in
a standard, non-remote acquisition.)
− When the Remote Acquisition Credentials dialog displays, enter the username and
password, if needed, to access the remote location.
− An .E01 evidence file is output to the specified location.
• Enter or browse to a different output path.
− When doing a remote acquisition, you must enter a full output path for the storage
location in the Output Path box.
• Enter or browse to an alternate path. The alternate path provides a secondary location for
EnCase to continue writing segments of the evidence file if the Output Path does not
contain enough space to write the entire evidence file.

4. Select the Format tab to:

• Specify the Evidence File Format. The default evidence file format (the EnCase Version 7
format) has the extension Ex01; the Legacy format (the format used before EnCase Version 7)
has the extension E01. Selecting Legacy enables the Password button. A password on a legacy
evidence file is optional; to use one, click the button to open a dialog in which you enter and
confirm the password. Keep a record of the password in a secure location, because EnCase
has no password recovery tool.
• In the Verification Hash dropdown list, select a hashing algorithm:
− None
− MD5
− SHA-1
− MD5 and SHA-1
• Specify Compression as Enabled or Disabled.
• Specify the File Segment Size (MB) (minimum: 30MB, maximum: 8,796,093,018,112MB,
default: 2048MB).

5. Click the Encryption button to open the Encryption Details dialog.

• You encrypt EnCase evidence files using either an encryption keypair or a password, but
not both. You may only choose one of those options at a time.
• In the upper pane, you may select an existing encryption keypair or click the symbol with
a key on the upper menu to create a new keypair. After generating a new keypair, you
need to click the Update option on the upper menu in order to see the new keypair.
• In the lower pane, you may select an existing password or create a new password by
clicking the New symbol on the lower menu to create a new password.
• Check the box to the left of either the keypair or the password you want to use to encrypt
your evidence and then click OK.
• Bear in mind that once your data is encrypted, you will not be able to decrypt it without
the correct keypair or password used to encrypt it. EnCase does not contain any tools to
"break" the encryption on the EnCase evidence files.

6. Select the Advanced tab to:

• Specify the block size in sectors (minimum: 64, maximum: 1024). Larger blocks give slightly
faster acquisitions and smaller evidence files, but if an evidence file becomes damaged, a
larger block of data is lost.
• Specify the error granularity, that is, what portion of a block is zeroed out when a read error
is encountered:
− Standard (same value as the block size: the whole block containing the error is zeroed).
− Exhaustive (granularity of 1 sector: only the unreadable sectors are zeroed, which retains
more data but takes more time).
• Specify the start sector (minimum: 0, maximum: the number of sectors on the source).
• Specify the stop sector (minimum: 0, maximum: the number of sectors on the source).
7. Click the Threads button to open the Threads dialog:

• Reader Threads (enabled only if the file format is E01) allow you to control how many
threads are reading from the source device (1-5 available; default is 0).
• Worker Threads (enabled for both EnCase Evidence file formats, E01 and Ex01) allow you
to control data compression calculation (1-20 available; default is 5).
8. When you finish making your selections, click OK.
9. You may then select your processing options by checking the box under the Process column
for that evidence item and making your choices in the bottom sections of the Evidence
Processor screen.

10. Once you set the acquisition options for the items you want to acquire and the processing
options, click OK at the bottom of the Evidence Processor. The status bar at the bottom of the
page displays the progress of each acquisition and processing. Once an acquisition completes,
the Evidence Processor will process that acquired image before it begins acquiring the next
item.
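The block size and error granularity settings of the Advanced tab (step 6) decide how much data a single bad sector costs you. The following is an added example, not EnCase code: it simulates reading a device that has known unreadable sectors and compares Standard with Exhaustive granularity, and a 64-sector block with a 1024-sector block. The 1000-sector device, its contents, and the three bad sectors are constructed for the demonstration; the start and stop sector parameters mirror the same tab.

```python
"""Error granularity and block size, as the Advanced tab applies them.

Added example, not EnCase code: a simulated read of a device with known bad
sectors, showing how much data is zeroed under Standard versus Exhaustive
granularity and how the block size changes the amount lost. The 1000-sector
device and its three bad sectors are constructed for the demonstration.
"""
from typing import Optional

SECTOR = 512  # bytes per sector


def acquire_with_errors(device: bytes, bad_sectors: set, block_sectors: int = 64,
                        exhaustive: bool = False, start_sector: int = 0,
                        stop_sector: Optional[int] = None):
    """Read [start_sector, stop_sector] block by block, zeroing unreadable data.

    Standard granularity (exhaustive=False): a read error zeroes the whole block
    that contains it, i.e. block_sectors * SECTOR bytes.
    Exhaustive granularity (exhaustive=True): the failing block is re-read one
    sector at a time and only the sectors that still fail are zeroed.
    Returns (image_bytes, list_of_zeroed_sector_numbers).
    """
    total_sectors = len(device) // SECTOR
    stop = total_sectors - 1 if stop_sector is None else stop_sector
    image = bytearray()
    zeroed = []
    for block_start in range(start_sector, stop + 1, block_sectors):
        block_end = min(block_start + block_sectors - 1, stop)
        sectors = range(block_start, block_end + 1)
        if not any(s in bad_sectors for s in sectors):
            image += device[block_start * SECTOR:(block_end + 1) * SECTOR]
        elif exhaustive:
            for s in sectors:
                if s in bad_sectors:
                    image += bytes(SECTOR)          # one zeroed sector
                    zeroed.append(s)
                else:
                    image += device[s * SECTOR:(s + 1) * SECTOR]
        else:
            image += bytes(len(sectors) * SECTOR)   # whole block zeroed
            zeroed.extend(sectors)
    return bytes(image), zeroed


def constructed_device(sectors: int = 1000) -> bytes:
    """Constructed sample device: sector n is filled with the byte value n % 251."""
    return b"".join(bytes([n % 251]) * SECTOR for n in range(sectors))


def demo() -> dict:
    """Sectors zeroed for the same three bad sectors under three acquisition settings."""
    device = constructed_device()
    bad = {130, 131, 700}               # two adjacent bad sectors and one isolated one
    results = {}
    for label, block_sectors, exhaustive in (("64/standard", 64, False),
                                             ("64/exhaustive", 64, True),
                                             ("1024/standard", 1024, False)):
        _, zeroed = acquire_with_errors(device, bad, block_sectors, exhaustive)
        results[label] = len(zeroed)
    return results


if __name__ == "__main__":
    for setting, lost in demo().items():
        print(f"{setting:14s} sectors zeroed: {lost}")
```

With the constructed device, three bad sectors cost 128 sectors at block size 64 under Standard granularity, 3 sectors under Exhaustive, and the entire 1000-sector range at block size 1024 under Standard, because the whole device fits in one block. That is the trade-off the tab describes: a larger block is faster and compresses better, but any read error inside it takes the whole block with it unless Exhaustive is selected.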

Monitoring a Remote Acquisition


Use the Remote Acquisition Monitor to check the progress of the acquisition on a remote machine.
1. From the EnScript menu, select Remote Acquisition Monitor. The Remote Acquisition
Monitor displays.

• Click SAFE Logon to log onto the SAFE.


• Click Choose Role to choose permissions. The selected role must have permission to
acquire evidence.
• Enter the machine name or IP address for the remote target machine.
2. Click OK.

3. The monitor connects to the remote target machine and displays the acquisition's progress.

• To see the current completion status of the acquisition of a device, select the device and
click Check Status.
• To cancel an acquisition, select the device and click Cancel Acquisition.

Canceling an Acquisition
You can cancel an acquisition while it is running. After canceling, the acquisition can be restarted.
To cancel an acquisition while it is running:
1. At the bottom right corner of the main window, double click the Thread Status line. The
Thread Status dialog displays.

2. Click Yes. The acquisition is canceled. You can restart it at a later time.
Remote acquisitions can also be canceled using the Remote Acquisition Monitor. See Monitoring a
Remote Acquisition on page 53.

Types of Evidence Files


EnCase Evidence Files
Legacy EnCase evidence files (E01) are a byte-for-byte representation of a physical device or logical
volume. Current EnCase evidence files (Ex01) can be encrypted; however, Ex01 files are not backward-
compatible with legacy versions of EnCase.
EnCase evidence files provide forensic-level metadata, the device-level hash value, and the content of
an acquired device.
Dragging and dropping an E01 or Ex01 file anywhere on the EnCase interface adds it to the currently
opened case.

Logical Evidence Files


Logical evidence files (L01) are created from previews, existing evidence files, or smartphone
acquisitions. They are typically created after analysis has located files of interest, so that those files,
their metadata, and their hashes are preserved in a verifiable container rather than as loose copies.
Current logical evidence files (Lx01) add compression and hashing options (encryption is not
available for logical evidence files; see Types of Acquisitions), but they are not backward-compatible
with legacy versions of EnCase.
When an L01 or Lx01 file is verified, the stored hash value of each entry is compared to the entry's
current hash value:
• If the hash of the current content does not match the stored hash value, the hash is followed by
an asterisk (*).
• If no content for the entry was stored when the file was created, but a hash was, the stored hash
is not compared to the hash of an empty file.
• If no hash value was stored for the entry when the file was created, no comparison is done and
no new hash value is populated.
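The three verification rules above, applied to a list of entries, as an added example that is not EnCase code and does not read real L01/Lx01 files. Each entry is modelled as (name, stored hash, content), where a missing hash or missing content stands for an item that was not stored when the logical evidence file was created. MD5 is assumed as the stored hash algorithm, and the four entries are constructed for the demonstration.

```python
"""Logical evidence entry verification: the three stored-hash rules.

Added example, not EnCase code. Entries are (name, stored_hash, content);
stored_hash=None models an entry with no hash stored, content=None models an
entry whose content was not stored. MD5 is assumed for the stored hashes.
"""
import hashlib
from typing import Optional


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_entry(stored_hash: Optional[str], content: Optional[bytes]) -> Optional[str]:
    """Return the hash to display for one entry, or None when nothing is compared."""
    if stored_hash is None:
        return None            # rule 3: no hash stored, no comparison, no new hash populated
    if content is None:
        return stored_hash     # rule 2: hash stored without content, not compared to the empty-file hash
    current = md5_hex(content)
    return stored_hash if current == stored_hash else stored_hash + "*"   # rule 1: mismatch flagged


def verify_entries(entries) -> dict:
    """Verify every (name, stored_hash, content) entry and map name -> displayed hash."""
    return {name: verify_entry(stored, content) for name, stored, content in entries}


def demo() -> dict:
    # Constructed entries covering the three rules.
    entries = [
        ("notes.txt",     md5_hex(b"hello"),    b"hello"),      # intact: hash shown unchanged
        ("tampered.doc",  md5_hex(b"original"), b"changed"),    # content altered: hash shown with *
        ("hash-only.bin", md5_hex(b"payload"),  None),          # hash stored, content not stored
        ("no-hash.log",   None,                 b"some data"),  # no hash stored: nothing shown
    ]
    return verify_entries(entries)


if __name__ == "__main__":
    for name, shown in demo().items():
        print(f"{name:14s} {shown}")
```

Note the difference between an entry whose content was never stored (content is None, rule 2) and an entry whose stored content is genuinely empty (content is b""): the second is compared normally, and a stored hash that is not the empty-file MD5 (d41d8cd98f00b204e9800998ecf8427e) is flagged with an asterisk.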

Raw Image Files


Raw image files are a plain dump of a device or volume. They carry no CRC checks or hash values of
their own, so the image cannot be verified from its content alone; in that respect they are less
forensically sound than EnCase evidence files. Although these files are not in EnCase format, EnCase
supports a number of popular formats.
Before you can acquire raw image files, they must be added to a case. Raw image files are converted to
EnCase evidence files during the acquisition process, which adds CRC checks and, if selected, hash
values. Record the hash of the raw image as you received it, so that you can show the converted
evidence file matches the original.

Single Files
Folders and single files can be added to a case by either dragging and dropping them onto the EnCase
interface using Windows Explorer or using the Edit Single Files dialog. Once a file or folder has been
added to a case, the evidence page shows an item in the table for Single Files. Files and folders appear
in a tree structure subordinate to Single Files when displayed in the Entries view.

Verifying Evidence Files


Verify Evidence Files recomputes the CRC values of the selected evidence files and compares them
to the values stored at acquisition. This detects evidence that has been damaged or altered since it
was acquired. Verified CRC information is written to a log file. If CRC verification fails, a
notification appears and you can log the error to the console, the Bookmark tab, or a log file.
1. Acquire the evidence files.
2. Add the evidence files to your case.
3. Click Tools > Verify Evidence Files.

4. The Verify Evidence Files file dialog opens.

5. Select one or more evidence files, then click Open. During verification, a progress bar displays
in the bottom right corner of the window.
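The checks described in Types of Acquisitions, Raw Image Files and the verification steps above, as an added example that is not EnCase code and does not implement the real E01/Ex01 file layout: a simplified container that records a CRC32 per block and an MD5 and SHA-1 over the whole device at acquisition (the step that turns a raw dump into verifiable evidence), and a verification pass that recomputes both. The 64-sector block size, the 300-sector constructed device, and the single-byte corruption are assumptions for the demonstration.

```python
"""Block-CRC and device-hash verification of an acquired image.

Added example, not EnCase code and not the real E01/Ex01 (EWF) layout: a toy
container that stores the data in fixed-size blocks with a CRC32 per block and
MD5/SHA-1 over the whole device, then verifies it the way the manual describes
(per-block CRC check, then the device-level hash compare).
"""
import hashlib
import zlib
from dataclasses import dataclass

SECTOR = 512  # bytes per sector


@dataclass
class Container:
    """Toy evidence container (NOT the real E01/Ex01 layout)."""
    block_sectors: int   # sectors per block, like the Advanced tab's block size
    blocks: list         # block payloads
    crcs: list           # CRC32 recorded for each block at acquisition time
    md5: str             # device-level MD5 recorded at acquisition time
    sha1: str            # device-level SHA-1 recorded at acquisition time


def acquire(device: bytes, block_sectors: int = 64) -> Container:
    """Split a raw dump into blocks, record a CRC per block and hashes over the whole device."""
    size = block_sectors * SECTOR
    blocks = [device[i:i + size] for i in range(0, len(device), size)]
    crcs = [zlib.crc32(b) & 0xFFFFFFFF for b in blocks]
    return Container(block_sectors, blocks, crcs,
                     hashlib.md5(device).hexdigest(),
                     hashlib.sha1(device).hexdigest())


def verify(c: Container) -> dict:
    """Re-run the checks of a verification pass: CRC per block, then the device hashes."""
    bad_blocks = [i for i, b in enumerate(c.blocks)
                  if (zlib.crc32(b) & 0xFFFFFFFF) != c.crcs[i]]
    data = b"".join(c.blocks)
    return {
        "bad_blocks": bad_blocks,                               # which blocks no longer match
        "md5_ok": hashlib.md5(data).hexdigest() == c.md5,       # whole image still matches
        "sha1_ok": hashlib.sha1(data).hexdigest() == c.sha1,
    }


def flip_byte(c: Container, block_index: int, offset: int) -> None:
    """Simulate storage corruption of one byte in one block; recorded CRCs and hashes are untouched."""
    block = bytearray(c.blocks[block_index])
    block[offset] ^= 0x01
    c.blocks[block_index] = bytes(block)


def constructed_device(sectors: int = 300) -> bytes:
    """Constructed sample device: each sector carries its own number, so the content is not uniform."""
    return b"".join(f"sector {n:06d} ".encode().ljust(SECTOR, b"\x00") for n in range(sectors))


def demo() -> tuple:
    """Acquire, verify clean, corrupt block 2, verify again; returns both verification results."""
    container = acquire(constructed_device(), block_sectors=64)   # 300 sectors -> 5 blocks
    clean = verify(container)
    flip_byte(container, block_index=2, offset=17)
    damaged = verify(container)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean:  ", clean)     # no bad blocks, both hashes match
    print("damaged:", damaged)   # bad_blocks == [2], neither hash matches
```

The per-block CRC tells you which block went bad, which the device hash alone cannot; the device hash tells you whether the image as a whole is still what was acquired. Both values live inside the container, so anyone who can rewrite the file can also rewrite them: record the acquisition hash in your acquisition report or notes as well, separately from the evidence file, so that verification has a reference the file itself does not control.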

Acquiring a Local Drive


Before you begin, verify that the local drive to be acquired was added to the case.
1. To protect the local machine from changing the contents of the drive while its content is being
acquired, use a write blocker. See Using a Write Blocker on page 57.
2. Verify that the device being acquired shows in the Tree pane or the Table pane as write
protected. See Live Device and FastBloc Indicators.

Acquiring Non-local Drives


The acquisition of non-local drives involves LinEn, which acquires these drives by performing a
network crossover acquisition. When you use the LinEn utility to acquire a disk through a disk-to-disk
acquisition, you must add the resulting EnCase evidence file to the case using the Add Device wizard.

Acquiring a Drive from a Network Preview


If you are logged in to a SAFE, you can add a network preview of the local devices of any available
machines. The device can then be acquired as a remote acquisition. See Acquiring with the Evidence
Processor on page 48 and Monitoring a Remote Acquisition on page 53.
Before you begin, verify that the network device to be acquired was added to the case.
To protect the network machine from changing the contents of the device while its content is being
acquired, use a write blocker. See Using a Write Blocker on page 57.

Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCase applications can detect and image DCO and/or HPA areas on any ATA-6 or later disk drive.
These areas are detected using LinEn (Linux) or a Tableau write blocker. EnCase applications running
in Windows behind a hardware write blocker other than a Tableau device will not detect DCOs or HPAs.
This applies to EnCase applications using:
• Tableau write blockers
• LinEn, when the Linux distribution used supports Direct ATA mode
The application shows whether a DCO area exists in addition to an HPA area on a target drive.
An HPA is an area at the end of a disk, below the drive's native maximum address, that the drive
hides by reporting a smaller capacity. A casual observer cannot see it, and it can only be reached by
reconfiguring the disk. HPA and DCO are closely related: an HPA is set with the ATA SET MAX
ADDRESS command, whose volatility bit controls whether a temporarily removed HPA is restored at
the next power-on, whereas a DCO is set with DEVICE CONFIGURATION OVERLAY SET, further reduces
the native maximum address, and persists until it is explicitly removed. When both exist, the HPA lies
between the user-visible area and the DCO, and supported EnCase configurations see both.
It is important to note that removing a DCO makes a permanent change to the configuration held by
the drive's controller; it is not confined to the image.

Using a Write Blocker


Write blockers prevent inadvertent or intentional writes to an evidence disk. Their use is described in
these sections:
• Windows-based Acquisitions with Tableau and FastBloc Write Blockers (on page 58)
• Acquiring in Windows using FastBloc SE (on page 59)
• Acquiring in Windows without a Tableau or FastBloc Write Blocker (on page 59)
FastBloc supports the AMD 64-bit architecture: the existing IDE and SCSI controller driver is
replaced with the Guidance driver, so that only read requests are sent to the attached hard drives.
There is also support for the AMD Athlon™ 64 processor, for systems running Microsoft Windows XP
64-bit edition, and for Microsoft Windows Server 2003 64-bit edition.

Windows-based Acquisitions with Tableau and FastBloc Write Blockers


The following write blockers are supported in EnCase:
• Tableau T35es
• Tableau T35es-RW
• Tableau T4
• Tableau T6es
• Tableau T8-R2
• Tableau T9
• FastBloc FE
• FastBloc 2 FE v1
• FastBloc 2 FE v2
• FastBloc LE
• FastBloc 2 LE
• FastBloc 3 FE
Computer investigations require a fast, reliable means to acquire digital evidence. These are hardware
write blocking devices that enable the safe acquisition of subject media in Windows to an EnCase
evidence file. Before write blockers were developed, non-invasive acquisitions were exclusively
conducted in cumbersome command line environments.
The hardware versions of these write blockers are not standalone products. When attached to a
computer and a subject hard drive, a write blocker provides investigators with the ability to quickly
and safely preview or acquire data in a Windows environment. The units are lightweight, self-
contained, and portable for easy field acquisitions, with on-site verification immediately following the
acquisition.
Support for Tableau write blocker devices enables EnCase to:
• Identify a device connected through the Tableau device as write blocked.
• Access the Host Protected Area (HPA) and, by removing it, access the Device Configuration
Overlay (DCO) area of a drive using the Tableau device.
Note: EnCase does not support access of DCO areas via EnScript. By default, HPA is automatically
disabled on the device.

Acquiring in Windows using FastBloc SE

Guidance Software now includes the FastBloc SE module with EnCase. This is a software write blocker
that can be applied to devices connected by USB, FireWire, or SCSI interfaces. For more information,
see the Using the FastBloc SE Module chapter.

Acquiring in Windows without a Tableau or FastBloc Write Blocker

Never acquire hard drives in Windows without a write blocker because Windows writes to any local
hard drive visible to it. Windows will, for example, put a Recycle Bin file on every hard drive that it
detects and will also change Last Accessed date and time stamps for those drives.
Media that Windows cannot write to are safe to acquire from within Windows, such as CD-ROMs,
write protected floppy diskettes, and write protected USB thumb drives.

Acquiring a Disk Running in Direct ATA Mode

If the Linux distribution supports the ATA mode, you will see a Mode option. You must set the mode
before acquiring the disk. An ATA disk can be acquired via the drive-to-drive method. The ATA mode
is useful when the evidence drive has a Host Protected Area (HPA) or Device Configuration Overlay
(DCO); only Direct ATA Mode can review and acquire these areas.
Ensure that LinEn is configured as described in LinEn Setup Under SUSE, that autofs is disabled
(cleared), and that Linux is running in Direct ATA Mode.
1. If the FAT32 storage partition to be acquired has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type ./linen in the console.
3. The LinEn main screen displays.
4. Select Mode, then select Direct ATA Mode. You can now acquire the disk running in ATA mode.
5. Continue the drive-to-drive acquisition with Step 3 of Performing a Drive-to-Drive Acquisition
Using LinEn.

Acquiring Disk Configurations

Guidance Software uses the term disk configuration instead of RAID. A software disk configuration is
controlled by the operating system software (or LVM software), whereas a controller card controls a
hardware disk configuration. In a software disk configuration, information pertinent to the layout of
the partitions across the disks is located in the registry or at the end of the disk, depending on the
operating system; in a hardware disk configuration, it is stored in the BIOS of the controller card. With
each of these methods, you can create six disk configuration types:
• Spanned
• Mirrored
• Striped
• RAID-5
• RAID-10
• Basic

Software RAID
EnCase applications support these software RAIDs:
• Windows NT: see Windows NT Software Disk Configurations
• Windows 2000: see Dynamic Disk
• Windows XP: see Dynamic Disk
• Windows 2003 Servers: see Dynamic Disk
• Windows Vista: see Dynamic Disk (on page 62)
• Windows Server 2008: see Dynamic Disk
• Windows Server 2008R2: see Dynamic Disk
• Windows 7: see Dynamic Disk (on page 62)

RAID-10
RAID-10 arrays require at least 4 drives, implemented as a striped array of RAID-1 arrays.

Hardware Disk Configuration

Hardware disk configurations can be acquired:
• As one drive
• As separate drives
Both RAID-5 and RAID-10 can be acquired.

Windows NT Software Disk Configurations

In a Windows NT file system, you can use the operating system to create different types of disk
configurations across multiple drives. The possible disk configurations are:
• Spanned
• Mirrored
• Striped
• RAID 5
• Basic
The information detailing the types of partitions and the specific layout across multiple disks is
contained in the registry of the operating system. EnCase applications can read this registry
information and resolve the configuration based on the key. The application can then virtually mount
the software disk configuration within the EnCase case.
There are two ways to obtain the registry key:
• Acquiring the drive
• Backing up the drive
Acquire the drive containing the operating system. It is likely that this drive is part of the disk
configuration set, but in the event it is not—such as the disk configuration being used for storage
purposes only—acquire the OS drive and add it to the case along with the disk configuration set
drives.
To make a backup disk on the subject machine, use Windows Disk Manager and select Backup from
the Partition option.
This creates a backup disk of the disk configuration information, placing the backup on a CD or DVD.
You can then copy the file into your EnCase application using the Single Files option, or you can
acquire the CD or DVD and add it to the case. The case must have the disk configuration set drives
added to it as well. This situation only works if you are working with a restored clone of a subject
computer. It is also possible a registry backup disk is at the location.
In the Evidence tab of EnCase, select the device containing the registry or the backup disk and all
devices which are members of the RAID. Click the Open button to go to the Entry view of the
Evidence tab. Select the disk containing the registry, click the pull-down on the upper right menu of
the Evidence tab. Select Device, then select Scan Disk Configuration. At this point, the application
attempts to build the virtual devices using information from the registry key.

Support for EXT4 Linux Software RAID Arrays

EnCase provides the ability to parse EXT4 Linux Software RAID arrays (for Ubuntu version 9.1 and
version 10.04), using the Scan for LVM option in the Device dropdown menu.
These configurations are supported:
• RAID 1 (mirror)
• RAID 10
Note: EnCase does not support partial reconstruction of RAIDs. After parsing, all RAID devices must
have full descriptors or the process will fail.

Dynamic Disk
Dynamic Disk is a disk configuration available in Windows 2000, Windows XP, Windows 2003 Server,
Windows Vista, Windows 2008 Server, Windows 7, and Windows 2008 Server R2. The information
pertinent to building the configuration resides at the end of the disk rather than in a registry key.
Therefore, each physical disk in this configuration contains the information necessary to reconstruct
the original setup. EnCase applications read the Dynamic Disk partition structure and resolve the
configurations based on the information extracted.
To rebuild a Dynamic Disk configuration, add the physical devices involved in the set to the case. In
the Evidence tab, select the devices involved in the Dynamic Disk and click the Open button on the
menu bar to change to the Entries view of the Evidence tab. Select the devices then click the pull-down
menu at the top right of the Evidence tab. Select Device and choose Scan Disk Configuration.
If the resulting disk configurations seem incorrect, you can manually edit them by returning to the
highest Evidence view of the Evidence tab. Select the Disk Configuration item, click the pull-down
menu from the top-right corner of the Evidence tab, and select Edit Disk Configuration.

Disk Configuration Set Acquired as One Drive

Unlike software disk configurations, those controlled by hardware contain necessary configuration
information in the card’s BIOS. Because the disk configuration is controlled by hardware, EnCase
cannot reconstruct the configurations from the physical disks. However, since the pertinent
information to rebuild the set is contained within the controller, the computer (with the controller
card) actually sees a hardware disk configuration as one (virtual) drive, regardless of whether the set
consists of two or more drives. Therefore, if the investigator acquires the set in its native environment,
the disk configuration can be acquired as one drive, which is the easiest option. The best method for
performing such an acquisition is to conduct a crossover network cable acquisition.
Note: The LinEn boot disk for the subject computer needs to have Linux drivers for that particular RAID controller card.
To acquire the set:
1. Keep the disk configuration intact in its native environment.
2. Boot the subject computer with a Live Linux Boot Disk containing the LinEn utility and
configured with the drivers for the RAID controller card.
3. Launch the LinEn utility.
Note: The BIOS interprets the disk configuration as one drive, so EnCase applications will as well. The
investigator sees the disk configuration as one drive.
4. Acquire the disk configuration as you normally acquire a single hard drive, depending on the
means of acquisition. Crossover network cable or drive-to-drive acquisition is straightforward,
as long as the set is acquired as one drive.
If the physical drives were acquired separately, or could not be acquired in the native environment,
EnCase applications can edit the hardware set manually.

Disk Configurations Acquired as Separate Drives

Sometimes acquiring the hardware disk configuration as one drive is not possible, or the method of
assembling a software disk configuration seems incorrect. Editing a disk configuration requires this
information:
• Stripe size
• Start sector
• Length per physical disk
• Whether the striping is right handed

You can collect this data from the BIOS of the controller card for a hardware set, or from the registry
for software sets.
When a RAID-5 consists of three or more disks and one disk is missing or bad, the application can still
rebuild the virtual disk using parity information from the other disks in the configuration, which is
detected automatically during the reconstruction of hardware disk configurations using the Scan Disk
Configuration command.
When you rebuild a RAID from the first two disks, the results of parity validation are meaningless,
because the parity is what you used to build the missing disk.
To acquire a disk configuration set as one disk:
1. Add the evidence files to one case.
2. On the Evidence tab, click the down arrow in the far right corner for a dropdown menu, then
click Create Disk Configuration.
3. The Disk Configuration dialog displays. Enter a name for your disk configuration. Click the
appropriate disk configuration.
4. Right click the empty space under Component Devices and click New.
5. Enter the start sector and size of the selected disk configuration, select the drive image which
belongs as the first element of the RAID, then click OK.
6. Repeat steps 4 and 5 for each additional element drive of the RAID in order.
7. Back at the main Disk Configuration screen, set the Stripe Size, select whether this is a Physical
Disk Image, and whether it uses Right-Handed Striping.
8. Once you are sure that the settings and the order of the drives are correct, click OK. EnCase
generates a new item in your Evidence tab containing the RAID rebuilt to your specifications.
This new Disk Configuration can be acquired to an EnCase evidence file and processed in the
EnCase Evidence Processor just like a physical drive.
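The same inputs the Create Disk Configuration dialog asks for (member order, stripe size, start sector, handedness) drive this added Python example, which is not EnCase code: it assembles a RAID-5 virtual disk from member images, rebuilds one missing member from parity, and shows why parity validation after such a rebuild proves nothing. The parity rotation assigned to right- and left-handed striping is an assumption; controllers differ.

```python
from typing import List, Optional

SECTOR = 512  # stripe size and start sector are given in sectors, as in the dialog


def parity_disk(row: int, n: int, right_handed: bool) -> int:
    # Assumption (controllers differ): right-handed rotates the parity member
    # 0, 1, 2, ... per stripe row; left-handed rotates it n-1, n-2, ...
    return row % n if right_handed else (n - 1) - (row % n)


def xor_chunks(chunks: List[bytes]) -> bytes:
    """Byte-wise XOR of equally sized chunks: RAID-5 parity."""
    acc = 0
    for c in chunks:
        acc ^= int.from_bytes(c, "big")
    return acc.to_bytes(len(chunks[0]), "big")


class Raid5Set:
    """Virtual disk built from member images in array order; a member given as
    None is the missing or bad disk (single parity tolerates exactly one)."""

    def __init__(self, members: List[Optional[bytes]], stripe_sectors: int,
                 start_sector: int, right_handed: bool = True) -> None:
        sizes = {len(m) for m in members if m is not None}
        if len(members) < 3 or len(sizes) != 1 or members.count(None) > 1:
            raise ValueError("need >= 3 equal-sized members, at most one missing")
        self.members, self.n = list(members), len(members)
        self.chunk, self.start = stripe_sectors * SECTOR, start_sector * SECTOR
        self.right_handed = right_handed
        self.rows = (sizes.pop() - self.start) // self.chunk

    def _chunk(self, disk: int, row: int) -> bytes:
        off = self.start + row * self.chunk
        return self.members[disk][off:off + self.chunk]

    def rebuild_missing(self) -> Optional[bytes]:
        """Recreate the missing member from the survivors' parity. The area in
        front of the start sector is not covered by parity and stays zero."""
        if None not in self.members:
            return None
        idx = self.members.index(None)
        survivors = [i for i in range(self.n) if i != idx]
        image = bytearray(self.start)
        for row in range(self.rows):
            image += xor_chunks([self._chunk(i, row) for i in survivors])
        self.members[idx] = bytes(image)
        return self.members[idx]

    def virtual_disk(self) -> bytes:
        """Data chunks in row order, skipping the rotating parity chunk."""
        self.rebuild_missing()
        out = bytearray()
        for row in range(self.rows):
            p = parity_disk(row, self.n, self.right_handed)
            out += b"".join(self._chunk(d, row) for d in range(self.n) if d != p)
        return bytes(out)

    def bad_parity_rows(self) -> int:
        """Rows whose members do not XOR to zero. Two caveats: after a rebuild
        this is trivially 0, because the rebuilt member was made from parity;
        and parity is a per-byte XOR at the same offset on every member, so a
        clean check does not confirm the stripe size or handedness you chose."""
        self.rebuild_missing()
        return sum(1 for row in range(self.rows)
                   if any(xor_chunks([self._chunk(d, row) for d in range(self.n)])))


def build_raid5(payload: bytes, n: int, stripe_sectors: int, start_sector: int,
                right_handed: bool = True) -> List[bytes]:
    """Constructed fixture: stripe `payload` over n members with rotating parity,
    zero-filling `start_sector` sectors in front of each member."""
    chunk, per_row = stripe_sectors * SECTOR, stripe_sectors * SECTOR * (n - 1)
    if len(payload) % per_row:
        raise ValueError("payload must be a whole number of stripe rows")
    members = [bytearray(start_sector * SECTOR) for _ in range(n)]
    for row in range(len(payload) // per_row):
        p = parity_disk(row, n, right_handed)
        data = [payload[i:i + chunk]
                for i in range(row * per_row, (row + 1) * per_row, chunk)]
        row_chunks = [None if d == p else data.pop(0) for d in range(n)]
        row_chunks[p] = xor_chunks([c for c in row_chunks if c is not None])
        for d in range(n):
            members[d] += row_chunks[d]
    return [bytes(m) for m in members]
```

Building a set with the wrong handedness still passes the parity check while scrambling the data, which is why the drive order and handedness have to come from the controller BIOS or registry rather than from trial and error.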

Acquiring Other Types of Supported Evidence Files

In addition to the native EnCase file formats, *.Ex01, *.E01, *.Lx01, and *.L01, EnCase supports
SafeBack files (*.001), VMware files (*.vmdk), and Virtual PC files (*.vhd) directly. To add any of these
types of evidence files:
1. Use Add Evidence File from the Add Evidence view of the Home tab, or click the Add
Evidence pull-down menu while in the Evidence tab and select Add Evidence File.
2. The Add Evidence File dialog displays. Use the pull-down menu at the bottom right corner of
the dialog to change to the appropriate file extension for your evidence, or choose the All
Evidence Files option.
3. Navigate to the location of your evidence, select the first file of the evidence set as you
would for EnCase evidence files, and click Open.

CD-DVD Inspector File Support

EnCase applications support viewing files created using CD/DVD Inspector, a third-party product.
Treat these files as single files when adding them, as zip files, or as composite files when using the file
viewer. Drag single files into the application.

Acquiring a DriveSpace Volume

DriveSpace volumes are only recognized as such after they are acquired and mounted into a case. On
the storage computer, mount the DriveSpace file as a volume, then acquire it again to see the directory
structure and files.
To acquire a DriveSpace volume:
1. A FAT16 partition must exist on the forensic PC where you will Copy/Unerase the DriveSpace
volume. A FAT16 partition can only be created with a FAT16 OS (such as Windows 95).
2. Run FDISK to create a partition, then exit, reboot, and format the FAT16 partition using
format.exe.
3. Image the DriveSpace volume.
4. Add the evidence file to a new case and search for a file named DBLSPACE.000 or
DRVSPACE.000.
5. Right click the file and copy/unerase it to the FAT16 partition on the storage computer.
6. In Windows 98, click Start > All Programs > Accessories > System Tools > DriveSpace.
7. Launch DriveSpace.
8. Select the FAT16 partition containing the compressed “.000” file.
9. Select Advance Mount.
10. Select DRVSPACE.000, then click OK, noting the drive letter assigned to it. The Compressed
Volume File (.000) from the previous drive is now seen as folders and files in a new logical
volume.
11. Acquire this new volume.
12. Create the evidence file and add to your case. You can now view the compressed drive.

Reacquiring Evidence
When you have a raw evidence file generated outside an EnCase application, reacquiring it creates an
EnCase evidence file containing the content of the raw evidence file, and gives you the opportunity to
hash the evidence, add case metadata, and add CRC block checks.
You can move EnCase evidence files into a case even if they were acquired elsewhere. Make sure all
segments of the evidence file set are in the same folder. Using Windows Explorer, navigate to the
location of the EnCase evidence files. Drag the first file of the set onto the open instance of EnCase and
the remaining files will automatically be added, reassembling the evidence in your new case.
You may also want to reacquire an existing EnCase evidence file to change the compression settings or
the file segment size.

Reacquiring Evidence Files

Start by adding the evidence file(s) to your case as previously described. You can reacquire evidence
either from the Evidence tab or through the Evidence Processor. To reacquire in the Evidence tab:
1. Select the items you want to reacquire.
2. Click the Open button to change to the Entries view of the Evidence tab.
3. Highlight the item you want to reacquire, click Acquire on the top menu, and select Acquire
from the pull-down.
4. Complete the Acquire Device dialog as you would for previewed evidence.
5. You can repeat steps 3 and 4 for each device or volume you want to reacquire.
To reacquire using the Evidence Processor:
1. Click the Process Evidence button while in the Evidence tab, click Add Evidence and select
Process Evidence, or click Process Evidence on the Home tab.
2. Select the Acquire box for the first item you want to reacquire to launch the Acquire Device
dialog for that item.
3. Complete the Acquire device dialog as you would for previewed evidence.
4. You can repeat steps 2 and 3 for each device or volume you want to reacquire.

Retaining the GUID During Evidence Reacquisition

In the previous version of EnCase, the globally unique identifier (GUID) assigned to the evidence
changed if the evidence was reacquired. EnCase now provides an option that retains the GUID when
evidence is reacquired. To retain the GUID, select the Keep GUID checkbox that now appears in the
Advanced tab of the Acquire Device dialog. To access the Acquire Device dialog, select the device for
acquisition in the Evidence Processor.

Adding Raw Image Files

Reacquiring raw evidence files like DD images or CD-ROM .iso files embeds the file containing the
image of the device contents within an EnCase evidence file, adding case metadata, CRC block checks
and, optionally, the hash value of that image.
To acquire a raw evidence file:
1. In the Add Evidence dropdown menu, click Add Raw Image.
2. The Add Raw Image dialog opens.
3. Drag and drop the raw images to be acquired. The raw images to be added are listed in the
Component Files list. For DD images or other raw images consisting of more than one
segment, the segments must all be added in their exact order from first to last.
4. Accept the defaults in the Add Raw Image dialog or change them as desired, then click OK.
5. A Disk Image object appears in the Evidence tab.
6. You may reacquire this image as you would any other supported evidence or previewed
device.

Restoring a Drive
The following steps describe how to restore a drive. Note that before you begin, you first need to add
evidence to the case.
1. From EnCase’s top toolbar, select the Evidence option from the View dropdown.
2. In the Table view, click the evidence file with the device you would like to restore.
3. From the Device dropdown on the Evidence tab menu, select Restore. The Restore dialog
displays.
4. Click Next to collect local hard drives.
5. From the list of Local Devices, click the drive you want to restore.
6. Click Next. The Drives dialog appears.
7. Select options for wiping and verification.
8. Click Finish.
9. A dialog will appear asking you to verify the local drive selection. Verify that you are
restoring to the correct drive by typing Yes, then click OK.
The bar in the lower right corner of the screen tracks the progress of the restore.
CHAPTER 5

Processing Evidence
In This Chapter
• Overview
• Running Evidence Processor Options Incrementally
• Recovering Folders
• Analyzing File Signatures
• Analyzing Protected Files
• Analyzing Hashes
• Expanding Compound Files
• Finding Email
• Finding Internet Artifacts
• Searching With Keywords
• Creating an Index
• Creating Thumbnails
• Running EnScript Modules


Overview
This chapter provides detailed information on the Evidence Processor, which processes evidence files
in a large production environment. As a standalone product, the Evidence Processor is referred to as
the EnCase Processor, which, aside from some licensing and set up differences (EnCase Processor-
specific dongle), functions in exactly the same way as the Evidence Processor. Rather than installing
separate instances of EnCase to perform processing only on multiple machines, you can install
separate EnCase Processors and dongles instead for a fraction of the cost of a full EnCase license. For
information on installing EnCase Processor, see Installing and Configuring EnCase on page 15. All
references to the Evidence Processor apply to EnCase Processor.
The Evidence Processor lets you run, in a single automated session, a collection of potent analytic tools
against your case data. It can optimize the order and combinations of processing operations while
running this multi-threaded process.
Since you can run the Evidence Processor unattended, you can work on other aspects of the case while
this tool is processing data. The output of the Evidence Processor is stored, per device, on disk instead
of memory. This lets you simultaneously process multiple devices across several computers, which can
then be brought together at a later time for a case, without the data commingling. By storing cache files
on disk, you are also able to scale to much larger data sets and do not need to wait for data to resolve
when reopening cases: the Evidence Processor processes your data in short order for the key analytic
and reporting phases of your investigation.
Run the Evidence Processor after reviewing your evidence, adding it to a case, validating the data for
browsing, and setting the time zones. (Examiners who want to work cases with the methodology they
used in earlier versions of EnCase can continue doing so.)
The Evidence Processor contains numerous useful features:
• The convenience of acquiring devices right from the Evidence Processor.
• The convenience of processing, with limited options, local and network previews without
acquiring the devices.
Note: Network preview is only available when you are logged into a SAFE. For information about
installing a SAFE, see the SAFE Administration Guide.
• Saving sets of the Evidence Processor options as templates to be run with little or no
modification at a later date.
• On-screen instructions that guide you through the use of each setting.
• Automatic processing of the results from any current EnScript modules according to the
current processor settings (Index, Keyword search, etc.).
• If additional evidence becomes available at a later date, you can rerun the same options on the
updated data.
The following evidence processing functions are available:
• Folder recovery
• Hash analysis
• Compound file expansion
• Email search
• Internet artifact search
• Keyword search
• Index creation (not available for local and network previews)

• EnScript Module execution:
  • Parsing system information
  • Instant messaging
  • File carving
  • Other EnScript modules
Additionally, the following operations are typically run with the Evidence Processor:
• File signature analysis (not available for local and network previews)
• Protected file analysis
Before using the Evidence Processor:
• There must be evidence in your case to process.
• You should review your evidence to ensure that the device is properly configured and ready
for processing:
  • RAID and LVM configurations are accounted for
  • Whole disk encryption is removed
  • Hidden partitions are added
• If you are previewing a local or network device, you can run most Evidence Processor options
before you acquire it. Exceptions include File Signature Analysis and Indexing Text. To run all
Evidence Processor options, you must acquire the device.
• Confirm that time zone settings are configured properly. Note that EnCase uses the time zone
setting of your examiner workstation if no time zone is set for the evidence. For more
information, see Configuring Time Zone Settings (on page 28).
Once you have added evidence to your case and configured the time zone settings, you must:
• Acquire the evidence. For more information see the EnCase Acquiring Evidence manual.
• Select which evidence you intend to run through the Processor.
The lower left pane of the Processor window contains a table with the following elements:
• A toolbar for managing the Processor tasks and modules.
• A list of the Processor tasks you can run, which includes a collection of EnScript modules.
• A checkbox that allows you to Enable (or disable) each processing task.
Use this pane to choose which processor tasks to run and to configure their settings. The previously
run settings are retained.

File and edit settings for the Evidence Processor selections pane are located in its toolbar.

Setting              Description
Split Mode           Change the display format of the options pane.
Edit                 Edit the options for a selected task in the window.
Save Settings        Save the current selection of settings as an Evidence Processor template.
Load Settings        Load a saved template to run against the current data.
Dropdown side menu   Perform actions such as printing the results and changing the layout of the
                     Evidence Processor panes.

To select an option, click its checkbox in the Enabled column.
• If a task name is listed in blue, click the name to begin configuring the task.
• If a task name is listed in black, there are no further configuration options for that task.

Running Evidence Processor Options Incrementally

You can add options in the Evidence Processor as you continue an investigation. For example, you
may want to run certain options in the beginning, such as file signature and hash analysis, then later
add other options, such as parsing compound files. You can select additional options on subsequent
Evidence Processor runs; however, you cannot remove previously run options.
When you select an item's Process checkbox, the lower right pane displays settings previously
processed. In this example, there are no previously processed settings.

You need to run certain options at a particular time. For example, you must run Recover Folders in the
initial processing step. Options you must run in a specific step are marked with a flag icon. An option
with a lock icon indicates settings for that option cannot be changed.
You can run modules over and over again with different settings each time. The results of each run are
added to the case.

Clicking an option displays information about that option in the right pane. If you need to include the
option in the current run, that is indicated as well.

Clicking an option with a lock icon displays the settings for that option.

After a processing run, a dot displays in the Previously Processed column and the lower right pane
displays previous processing settings.

You cannot process previously processed and unprocessed evidence together.

Also, previously processed evidence must be processed with the same options in order for it to be
processed together. All evidence processed at one time must use the same settings.

Processing Devices from a Local Preview

After adding a local device, you can run the Evidence Processor without first acquiring the device. All
options are available for processing except for Index text. The following procedure provides the steps
for processing devices from a local preview.
1. From the Home tab of an open case, click Add Evidence. The Add Evidence screen displays.
2. Click Add Local Device. The Add Local Device dialog displays.
3. Click Next. A list of local devices displays.
4. Select the checkboxes of the local devices you want to add to the preview and click Finish. The
Evidence tab displays with a preview of the chosen local devices.
5. In the Evidence tab, click Process Evidence. The Evidence Processor dialog displays.
6. Under Process, select the checkboxes for the local devices you want to process.
7. Review and, if necessary, modify the current processing options.
8. Click OK.

Processing Devices from a Network Preview

After adding a network preview, you can run the Evidence Processor without first acquiring any
network nodes. All options are available for processing except for Index text. The following procedure
provides the steps for processing devices from a network preview.
1. From the Home tab of an open case, click Add Evidence. The Add Evidence screen displays.
2. Click Add Network Preview. The Add Network Preview dialog displays.
3. Select the checkbox for the sources you want to process and click Next. A list of network
devices displays.
4. Select the checkboxes of the network devices you want to add to the preview and click Finish.
The Evidence tab displays with a preview of the chosen network devices.

5. In the Evidence tab, click Process Evidence. The Evidence Processor dialog displays.
6. Under Process, select the checkboxes for the network devices you want to process.
7. Review and, if necessary, modify the current processing options.
8. Click OK.

Processing Evidence during a Sweep

You can process evidence during a sweep of network nodes via Sweep Enterprise. Supported options
and modules include:
• Triage: refresh to see results as the Evidence Processor continues working.
• Recover folders
• Protected file analysis
• Thumbnail creation
• Hash analysis
• Expand compound files
• Find email
• Find internet artifacts
• Metadata
• Keywords
• Matching files reporting
• System Info Parser
• IM Parser
• File Carver
• Windows Event Log Parser
• Windows Artifact Parser
• Unix Login
• Linux Syslog Parser
• Snapshot

Considerations as you process evidence during a network sweep include the following:
• There are no limitations on the number of nodes.
• Once you cancel a process, you cannot resume.
• This feature creates one logical evidence file per node per sweep.
• Performance is expected to be in the range of less than one minute per node.
• You must log in to a SAFE before running Sweep Enterprise.
• No multiple SAFE support is provided.
• This feature works for all servlets.
• You can run unlimited multiple sweeps within the same case. Repeated sets are not
overwritten.
• This feature analyzes partially completed jobs.
• Functionality includes servlet check-in and deployment through ePO.

Recovering Folders
Running the Recover Folders task on FAT partitions searches through the unallocated clusters of a
specific FAT partition for the “dot, double-dot” signature of a deleted folder. When the signature
matches, EnCase can rebuild files and folders that were within the deleted folder.
This task can recover NTFS files and folders from Unallocated Clusters and continue to parse through
the current Master File Table (MFT) records for files without parent folders. This operation is
particularly useful when a drive has been reformatted or the MFT is corrupted. Recovered files are
placed in the gray Recovered Folders virtual folder in the root of the NTFS partition.

Analyzing File Signatures

A common technique for masking data is to rename a file and change its extension; for example, image
files might be renamed so that they look like dynamic-link library files. Signature analysis verifies file
type by comparing the file headers, or signature, with the file extension.
File extensions are the characters following the dot in a file name (for example, signature.txt); they
indicate the file's data type. For example, a .txt extension indicates a text file, a .bmp extension
indicates a bitmap image file. Standardized file types have unique signature-extension associations.
For example, BM8 is the file signature for all .bmp files.
The signature analysis process flags all files with signature-extension mismatches according to its File
Types tables. To view the Evidence Processor File Types table, click the View menu of the Home page
and select File Types. For more information, see Adding and Modifying File Signature Associations.
Signature analysis is always enabled so that it can support other Evidence Processor operations.
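As an added illustration of the signature-versus-extension check described above (example code, not EnCase's implementation), the following Python classifies constructed sample files by comparing their leading bytes with a small signature table; the table is a stand-in for the File Types table and the verdict names are this example's own.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed stand-in for the File Types table: header bytes -> extensions
# that legitimately carry them. The magic values are real, but the table is
# an assumption of this example, not the one EnCase ships.
SIGNATURES: Dict[bytes, Tuple[str, ...]] = {
    b"BM": ("bmp", "dib"),
    b"\x89PNG\r\n\x1a\n": ("png",),
    b"\xff\xd8\xff": ("jpg", "jpeg"),
    b"MZ": ("exe", "dll", "sys"),
    b"PK\x03\x04": ("zip", "docx", "xlsx"),
    b"%PDF-": ("pdf",),
}
KNOWN_EXTENSIONS = {e for exts in SIGNATURES.values() for e in exts}


class Verdict(NamedTuple):
    name: str
    extension: str
    header_type: str   # extension family the header belongs to, or ""
    status: str        # "match", "mismatch", "bad-signature", "unknown"


def extension_of(name: str) -> str:
    """Characters after the last dot, lower-cased; "" when there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def match_header(header: bytes) -> Optional[Tuple[bytes, Tuple[str, ...]]]:
    """Longest table signature that the file header starts with, or None."""
    hits = [(m, e) for m, e in SIGNATURES.items() if header.startswith(m)]
    return max(hits, key=lambda h: len(h[0])) if hits else None


def analyze(name: str, header: bytes) -> Verdict:
    """Classify one file from its name and the first bytes of its content."""
    ext = extension_of(name)
    hit = match_header(header)
    if hit is None:
        # Header not in the table: an extension the table does know is
        # suspicious; anything else simply cannot be checked.
        status = "bad-signature" if ext in KNOWN_EXTENSIONS else "unknown"
        return Verdict(name, ext, "", status)
    magic, exts = hit
    # Header recognised: the extension must be one this type legitimately uses,
    # otherwise the file was renamed (for example an image posing as a DLL).
    status = "match" if ext in exts else "mismatch"
    return Verdict(name, ext, exts[0], status)


def flag_mismatches(files: List[Tuple[str, bytes]]) -> List[Verdict]:
    """The files a signature analysis run would flag for review."""
    return [v for v in (analyze(n, h) for n, h in files) if v.status != "match"]


# Constructed sample set; only the leading bytes matter for the check.
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("logo.bmp", b"BM\x36\x30\x00\x00" + bytes(26)),
    ("holiday.dll", b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(24)),  # JPEG renamed .dll
    ("report.pdf", bytes(32)),                                      # claims PDF, header does not
    ("kernel32.dll", b"MZ\x90\x00" + bytes(28)),
    ("notes.xyz", b"just some text" + bytes(18)),
    ("archive.docx", b"PK\x03\x04\x14\x00" + bytes(26)),
]
```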

Analyzing Protected Files

Encrypted and password-protected files are identified, since further investigation may be needed to
process these files. The Evidence Processor's protected file analysis process uses Passware's toolkit to
identify the protected files. The strength of the protection is stored so that you can first try to decrypt
weaker passwords before applying them to more complex protection.
Because this process requires significant processing resources, process time may be unacceptably long.
If this process is not critical for your analysis, you can disable it.
Note: New encryption products and uncommon encryption products may not be detected.

Analyzing Hashes
A hash is a digital fingerprint of a file or collection of data, commonly represented as a string of binary
data written in hexadecimal notation. In EnCase, it is the result of a hash function run against any
mounted drive, partition, file, or chunk of data. The most common uses for hashes are to:
• Identify when a chunk of data changes, which frequently indicates evidence tampering.
• Verify that data has not changed, in which case the hash should be the same both before and
after the verification.
• Compare a hash value against a library of known good and bad hashes, seeking a match.
The Evidence Processor's hash analysis setting allows you to create MD5 and SHA-1 hash values for
files, so that you can later use them for the reasons specified above. When you click the Hash Analysis
hyperlinked name, the Edit Settings dialog displays, allowing you to check whether to run either or
both of these hashing algorithms.

Expanding Compound Files


Use this setting to expand archive files, including .zip and .rar files.
For archive files, EnCase will extract the compressed or archived files and process them according to
the other Evidence Processor settings that you have chosen. This includes nested archive files or zip
files within a zip file. Note that EnCase handles compound document types like Microsoft Office Word
separately.

Finding Email
Select this setting to extract individual messages and attachments from email archives. Find Email
supports the following email types:
 PST (Microsoft Outlook)
 NSF (Lotus Notes)
 DBX (Microsoft Outlook Express)
 EDB (Microsoft Exchange)
 AOL
 MBOX
This setting prepares email archives for the use of email threading and related EnCase email
functionality during case analysis.
To select which email archive types to search:
1. Click Find Email.
2. Click the email archive file types whose messages you want to examine, and click OK.
After processing is completed, EnCase can analyze the messages and component files extracted from
the email archives, according to the other Evidence Processor settings you selected.

Finding Internet Artifacts


Choose this Evidence Processor setting to find Internet-related artifacts, such as browser histories and
cached Web pages. The only setting that you can configure for Find Internet Artifacts is whether to
search within unallocated space.

Currently, six browsers and two types of Internet history are supported. They are:
 Internet Explorer: History and cache
 Macintosh Internet Explorer: History and cache
 Safari: History and cache
 Firefox: History and cache
 Opera: History and cache
 Google Chrome:
• History: A list of Web sites recently visited. This typically consists of Web sites, usage, and
time related data.
• Cookies: A list of recent authentication and session data for sites with persistent usage.
This typically consists of Web site, expiration times, and site-specific cookie data.
• Cache: A list of recently cached files.
• Downloads: A list of recently downloaded files. This typically consists of Web sites, file
names, location, size, and date.
• Keyword Search: A list of recent keyword searches. This typically consists of search terms
and the search result page.
• Login Data: A list of login data. This typically consists of Web sites, username, password,
and SSL information.
• Top Sites: A list of top Web sites. This typically consists of Web site information, rank,
thumbnails, and redirect information.
Note: EnCase does not provide the ability to recover Google Chrome Internet artifacts from
unallocated clusters.
Note: When Internet history is searched in unallocated space, the required keywords are added internally and marked
with a special tag indicating that they are for Internet history searching only; otherwise the search behaves like a
regular keyword search.
Firefox Artifacts
As an enhancement to the Search for Internet history function, EnCase parses Firefox artifacts stored in
a SQLite database and displays them in the Records tab.
The types of Firefox 3 artifacts parsed are:
 Cookies
 Downloads
 History
 Bookmarks
 Form data
Note: The Records tab of an Internet history search for Mozilla Firefox artifacts displays Frecency and Rev Host Name
columns.
 "Frecency" is a valid word used by Mozilla. Do not mistake it for "frequency." For more information, see the
Mozilla developer center article at https://developer.mozilla.org/en/The_Places_frecency_algorithm.
 The value displayed in the Frecency column is the score Mozilla gives to each URL. It combines how frequently and
how recently the URL was visited. EnCase displays this value as it is stored in the places.sqlite file.
 Mozilla stores a URL's host name in reverse. EnCase displays it as such in the Rev Host Name column.
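As an added example (not EnCase or Mozilla code), the following Python reads the Firefox fields described above from a places.sqlite-style database and presents them as the Records tab would: frecency as stored, the reversed host as stored and turned back into a host name, and the PRTime last-visit stamp converted to UTC. The database is created in memory from a constructed subset of the moz_places schema with made-up rows; the column names are Mozilla's.

```python
"""Firefox places.sqlite history parsing (added example, not EnCase code).

The schema here is a constructed subset of Mozilla's moz_places table; the
rows are made up. Real databases also contain moz_historyvisits, moz_bookmarks
and the form and cookie tables that EnCase parses, which this example omits.
"""
import sqlite3
from datetime import datetime, timezone

MOZ_PLACES_SUBSET = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY,
    url TEXT,
    title TEXT,
    rev_host TEXT,
    visit_count INTEGER DEFAULT 0,
    frecency INTEGER DEFAULT -1,
    last_visit_date INTEGER
);
"""

# Constructed rows. rev_host is the host name reversed with a trailing period,
# exactly as Firefox stores it; last_visit_date is PRTime, i.e. microseconds
# since the Unix epoch in UTC.
SAMPLE_ROWS = [
    (1, "https://www.example.com/login", "Sign in", "moc.elpmaxe.www.", 12, 2100, 1_700_000_000_000_000),
    (2, "https://intranet.corp.local/payroll", "Payroll", "lacol.proc.tenartni.", 3, 650, 1_699_990_000_000_000),
    (3, "https://pastebin.com/raw/abc123", None, "moc.nibetsap.", 1, 100, 1_699_900_000_000_000),
    (4, "https://www.example.com/never-visited", None, "moc.elpmaxe.www.", 0, -1, None),
]


def prtime_to_utc(prtime):
    """PRTime microseconds -> ISO 8601 UTC string; None stays None."""
    if prtime is None:
        return None
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).isoformat()


def unreverse_host(rev_host):
    """'moc.elpmaxe.www.' -> 'www.example.com'."""
    return rev_host[::-1].lstrip(".")


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(MOZ_PLACES_SUBSET)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def parse_history(conn):
    """Return one record per URL, highest frecency first, with both the
    stored rev_host and the readable host, as the Records tab shows them."""
    query = """SELECT url, title, rev_host, visit_count, frecency, last_visit_date
               FROM moz_places ORDER BY frecency DESC, id"""
    records = []
    for url, title, rev_host, visits, frecency, last in conn.execute(query):
        records.append({
            "url": url,
            "title": title or "",
            "rev_host_name": rev_host,
            "host": unreverse_host(rev_host),
            "visit_count": visits,
            "frecency": frecency,
            "last_visit_utc": prtime_to_utc(last),
        })
    return records


def hosts_by_frecency(records):
    """Aggregate frecency per host: a quick view of where the user really went,
    weighting frequent and recent visits over one-off hits."""
    totals = {}
    for r in records:
        if r["frecency"] > 0:
            totals[r["host"]] = totals.get(r["host"], 0) + r["frecency"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    recs = parse_history(build_sample_db())
    for r in recs:
        print(f"{r['frecency']:6d} {r['host']:22s} {r['last_visit_utc']} {r['url']}")
    print(hosts_by_frecency(recs))
```

Against a real profile, point sqlite3.connect at a copy of places.sqlite (never the live file, which Firefox holds locked and may be mid-write) and keep the stored rev_host alongside the readable host so the record can be matched back to the database verbatim.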

Searching With Keywords


Keywords are text strings or search expressions created to find matching text within entries in a body
of evidence. A search expression can be a GREP expression, containing variables, and it can be flagged
to be case sensitive, a whole word search, or other options. You can also associate a particular
codepage with a keyword. Codepages are character-set encodings covering Latin and non-Latin
alphabets such as Arabic, Cyrillic, and Thai.
Note that if you are searching for a number and an application stores it in a format other than text,
a text keyword will not find it. For example, if a Social Security number is entered in Excel without
dashes as 612029229, Excel stores the cell as an IEEE 754 double-precision value whose eight bytes on
disk are 00 00 80 96 69 3D C2 41 (hex 00008096693DC241); the digit string 612029229 never appears in
the file.
Often, examiners have ready-made lists of keywords to use in their searches. You may also want to
add additional keywords to use in your searches.
You can create and run keyword searches in several ways:
 From within the Evidence Processor
• Keyword searches created and run from within the Evidence Processor are stored
with the device's evidence cache files and can be used with any number of cases.
• Keyword searches that are not initiated from the Evidence Processor are stored with the
case and are case specific.
 By clicking Raw Search All on the Evidence Tab, when viewing evidence. This is the best way
to search through raw, non-indexed data.
 By clicking Raw Search when viewing entries.
• The targeted search only acts on items selected in the current view.
• To run a targeted search against two or more devices in your case, click Open in the
Evidence tab and select additional devices.

From wherever you access it, the Keyword list displays a list of existing keywords in the case:

 Select Search entry slack to include file slack in the keyword search.
 Use initialized size enables you to search a file as the operating system presents it, rather than
its full logical size.
• On NTFS, an application can reserve disk space for future writes by setting a file's
logical size larger than the data it has actually written, while the Initialized Size records
how much of that space holds real data. Reads beyond the initialized size never touch
the disk, so the file loads faster.
• If a file's initialized size is less than its logical size, the OS returns zeros for the region
between the two. On disk, however, that region may still hold remnants of earlier files,
much like file slack. By default, EnCase displays, searches and exports the area past the
initialized size as it exists on disk, not as the OS presents it, so that file remnants there
can be found.
• Select Use initialized size to see a file as its application sees it and the OS presents it.
• Note that when EnCase hashes a file, it uses the initialized size: the entire logical file is
hashed, but the area past the initialized size is treated as zeros. Because this is what a
normal application sees, the hashes can be verified with another utility that reads the
file through the OS.
 Select Undelete entries before searching to undelete deleted files before they are searched for
keywords.
 Select Skip contents for known files to only search the slack areas of known files identified by
a hash library.
 Add Keyword List opens a dialog in which to enter a list of words and assign certain
properties to them as a group. See Creating a New Keyword List on page 85.
 Double clicking a keyword, or clicking Edit, opens up the keyword so you can modify its
properties.
 Highlight a keyword and click Delete to remove it from the list.
 If a path box displays at the top of the dialog, that path and name is where the search is stored.
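To make the initialized size behaviour concrete, here is an added Python example (not EnCase code) that models one constructed NTFS entry: a 4096-byte logical file whose initialized size is 2048, with bytes from an earlier file left in the uninitialized tail. It shows that a raw search over the on-disk view finds the remnant while the OS view does not, that the MD5 and SHA-1 values EnCase would record equal the hashes of the OS view, and how those values are then matched against a constructed known-file hash library as described under Analyzing Hashes earlier in this chapter.

```python
"""Initialized size, remnants and hashing (added example, not EnCase code).

One constructed NTFS entry: logical size 4096, initialized size 2048. The
region between them reads as zeros through the OS but still holds bytes of
a previous file on disk.
"""
import hashlib
import re

LOGICAL_SIZE = 4096
INITIALIZED_SIZE = 2048
REMNANT = b"BEGIN:VCARD\nFN:Former Employee\nTEL:+1-555-010-4477\nEND:VCARD\n"

# Constructed on-disk content: real data up to the initialized size, then the
# leftover vCard fragment, then zeros out to the logical size.
DISK_BYTES = (b"A" * INITIALIZED_SIZE
              + REMNANT
              + b"\x00" * (LOGICAL_SIZE - INITIALIZED_SIZE - len(REMNANT)))


def os_view(disk_bytes, logical_size, initialized_size):
    """What an application reading through the OS gets: the initialized data
    followed by zeros up to the logical size."""
    return disk_bytes[:initialized_size] + b"\x00" * (logical_size - initialized_size)


def disk_view(disk_bytes, logical_size):
    """What EnCase shows and searches by default: the clusters as they are."""
    return disk_bytes[:logical_size]


def raw_search(view, keyword):
    """Offsets of every occurrence of a byte keyword in the chosen view."""
    return [m.start() for m in re.finditer(re.escape(keyword), view)]


def hash_entry(disk_bytes, logical_size, initialized_size):
    """EnCase hashes the full logical size with the uninitialized area zeroed,
    so the digests equal those of a copy read through the OS."""
    data = os_view(disk_bytes, logical_size, initialized_size)
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


# Constructed hash library: md5 -> (hash set name, category). Known good files
# can be skipped; known bad ones are flagged for attention.
HASH_LIBRARY = {
    hashlib.md5(b"A" * INITIALIZED_SIZE + b"\x00" * (LOGICAL_SIZE - INITIALIZED_SIZE)).hexdigest():
        ("Corporate build image", "Known"),
    hashlib.md5(b"MZ\x90\x00dropper").hexdigest(): ("Malware sample set", "Notable"),
}


def classify(digests, library=HASH_LIBRARY):
    """Look the entry's MD5 up in the library; unlisted files stay 'Unknown'."""
    return library.get(digests["md5"], ("", "Unknown"))


if __name__ == "__main__":
    keyword = b"VCARD"
    print("disk view hits:", raw_search(disk_view(DISK_BYTES, LOGICAL_SIZE), keyword))
    print("OS view hits:  ", raw_search(os_view(DISK_BYTES, LOGICAL_SIZE, INITIALIZED_SIZE), keyword))
    digests = hash_entry(DISK_BYTES, LOGICAL_SIZE, INITIALIZED_SIZE)
    print(digests, classify(digests))
```

The practical consequence is the one the text warns about: a file whose hash matches a known-good library entry can still carry remnants past its initialized size, which is why Skip contents for known files still leaves slack (and this region) to be searched.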

Adding a New Keyword


1. In the Keyword list dialog, click New. The New Keyword dialog appears.

2. Enter the search expression and name, and select the desired options:
• Search Expression is the actual text being searched. Use a character map to create a non-
English search string if your keyboard is not mapped to the appropriate non-English key
mapping.
• Name is the search expression name listed in the folder.
• ANSI Latin - 1 searches documents using the ANSI Latin - 1 code page.
• UTF-8 meets the requirements of byte-oriented and ASCII-based systems. UTF-8 is
defined by the Unicode Standard. Each character is represented in UTF-8 as a sequence of
one to four bytes; ASCII characters occupy a single byte, and the first byte of a longer
sequence indicates how many continuation bytes follow.
Note: UTF-8 is commonly used in Internet and Web transmission.
• UTF-7 encodes the full BMP repertoire using only octets with the high-order bit clear (7 bit
US-ASCII values, [US-ASCII]). It is deemed a mail-safe encoding.
Note: UTF-7 is mostly obsolete, and is used when searching older Internet content.
• Unicode: select if you are searching a file stored in Unicode's 16-bit form (UTF-16), which
uses two bytes per code unit. On Intel-based PCs and in Windows this is little-endian, least
significant byte first. The Unicode option finds the keyword only where it appears in this
form. For more details on Unicode, see http://www.unicode.org.
Note: The Unicode standard attempts to provide a unique encoding number for every character,
regardless of platform, computer program, or language.

• Unicode Big-endian: select if you are investigating a big-endian Unicode operating
system (such as a Motorola-based Macintosh). Big-endian systems store the most
significant byte of each 16-bit unit first, the opposite of the Intel ordering.
• GREP uses GREP syntax (the syntax reference is shown in the dialog) for the search.
• Case Sensitive searches the keyword only in the exact case specified.
• Whole Word searches for whole keywords only.
3. Open the Code Page tab to change the code page to use a different character set.
4. To test a search string against a known file, click the Keyword Tester tab.
• Locate a test file that contains the search string, enter the address into the Test Data field,
and click Load. The test file is searched and displays in the lower tab of the Keyword
Tester form.
• Hits are highlighted in both text view and hex view.
5. When done, click OK.
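The encodings selected in step 2 determine which byte patterns a keyword actually produces, and the note earlier in this section about numbers stored in double-precision form is the same problem seen from the other side. The following Python, added here as an example rather than taken from EnCase, encodes one keyword under each of the five encodings, runs it over a constructed buffer that contains the word in all of them, and shows why the text keyword 612029229 cannot hit Excel's binary representation of that number. Case-insensitive matching here folds only ASCII letters; in EnCase the code page tab governs the rest.

```python
"""Keyword encodings and raw search (added example, not EnCase code)."""
import re
import struct

# Encoding names as the New Keyword dialog labels them -> Python codec names.
ENCODINGS = {
    "ANSI Latin-1": "latin-1",
    "UTF-8": "utf-8",
    "UTF-7": "utf-7",
    "Unicode": "utf-16-le",             # 16-bit, little-endian (Intel/Windows)
    "Unicode Big-endian": "utf-16-be",  # 16-bit, most significant byte first
}


def keyword_needles(keyword):
    """The byte string the keyword becomes under each encoding."""
    return {label: keyword.encode(codec) for label, codec in ENCODINGS.items()}


def raw_search(buffer, keyword, case_sensitive=True):
    """Offsets of every hit per encoding. IGNORECASE on bytes folds only
    ASCII letters, which covers the Latin letters of most keywords."""
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = {}
    for label, needle in keyword_needles(keyword).items():
        hits[label] = [m.start() for m in re.finditer(re.escape(needle), buffer, flags)]
    return hits


def double_bytes_hex(value):
    """How Excel stores a numeric cell: IEEE 754 double, little-endian."""
    return struct.pack("<d", value).hex().upper()


# Constructed buffer: the same word stored five different ways, separated by
# filler that contains no NUL bytes so that a little-endian hit cannot also be
# read as a big-endian one.
SEP = b" | "
SAMPLE_BUFFER = (b"header" + SEP
                 + "Zürich".encode("latin-1") + SEP
                 + "Zürich".encode("utf-8") + SEP
                 + "Zürich".encode("utf-16-le") + SEP
                 + "Zürich".encode("utf-16-be") + SEP
                 + "Zürich".encode("utf-7") + SEP
                 + bytes.fromhex(double_bytes_hex(612029229)) + SEP
                 + b"trailer")

if __name__ == "__main__":
    for label, offsets in raw_search(SAMPLE_BUFFER, "Zürich").items():
        print(f"{label:20s} {offsets}")
    print("612029229 as a double:", double_bytes_hex(612029229))
    print("text hits for 612029229:", raw_search(SAMPLE_BUFFER, "612029229"))
```

Each encoding finds exactly its own copy and none of the others, which is why a keyword entered with only ANSI Latin-1 checked misses the UTF-16 strings that Windows applications and registry data mostly use; a pure-ASCII keyword is byte-identical under Latin-1, UTF-8 and UTF-7, so only the Unicode choices add coverage for it.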

Creating a New Keyword List


When accessing the Keyword list from the Evidence tab by clicking Raw Search All, or when selecting
options for a Keyword search, you have the option of creating a keyword list.
1. From either location, from the New Keyword dialog click Add Keyword List. The Add
Keyword List dialog displays.

2. Add the keywords you want to use, one for each line.
3. Select options to apply to all keywords from the checkboxes on the left. Individual words can
have their options modified separately by editing them in the New Keyword dialog.
4. When done, click OK. The list populates the Keyword list and is saved in the path defined at
the top of that dialog.

Creating an Index
Choose this selection to create a searchable index of the data in the case. Creating an index allows you
to quickly search for terms in a variety of ways. Since the Evidence Processor is recursive, all files,
emails, and module output are indexed, including such EnScript modules as the IM Parser and System
Info Parser. The advantage of having all those items indexed is that users will later be able to search
across all types of information and view results in email, files, smartphones, and any other processed
data in one search results view. You can adjust parameters for index creation such as the minimum
word length to index, or whether to use a noise file (a file containing specific words to ignore).

Compared to keyword searches, which run over the raw bytes, index searches run over the extracted
content and metadata of the files on the device.
Generating an index can take time; however, the trade-off in time spent creating the index yields a
greater payoff with near instantaneous search times. Guidance Software recommends always indexing
your case data.

Indexing Personal Information


When creating an index of case data, select Personal Information to include the following personal
information types.
 Credit cards
 Phone numbers
 Email addresses
 Social security numbers
The following procedure provides the steps for selecting personal information types.
1. In the Evidence Processor selections pane, select the Index text checkbox and expand Index
text.

2. Select the Personal Information checkbox and click Personal Information. The Personal
Information dialog displays.

3. Select the information types you want to include.


4. Click OK.
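As an added example (not EnCase's detection rules, which this page does not describe), the following Python shows what indexing these four types involves in practice: one pattern per type, a Luhn check so that a 13 to 19 digit number is only indexed as a card number when its check digit is valid, and overlap resolution so that each span is indexed as a single type. The patterns and the sample text are constructed; the `wanted` parameter plays the role of the checkboxes in step 3.

```python
"""Personal information detection (added example; patterns and sample text
are constructed, not EnCase's own rules)."""
import re

# Patterns in priority order: an earlier type wins any overlapping span.
PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("phone", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]


def luhn_ok(candidate):
    """Luhn check digit test: every payment card number passes it, most
    random digit strings (order numbers, timestamps) do not."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_personal_info(text, wanted=("email", "credit_card", "ssn", "phone")):
    """Return (type, value, offset) tuples, sorted by offset, one per span."""
    found, taken = [], []
    for kind, pattern in PATTERNS:
        if kind not in wanted:
            continue
        for m in pattern.finditer(text):
            start, end = m.span()
            if any(s < end and start < e for s, e in taken):
                continue  # already indexed as a higher-priority type
            if kind == "credit_card" and not luhn_ok(m.group(0)):
                continue  # right shape, wrong check digit: not a card
            taken.append((start, end))
            found.append((kind, m.group(0), start))
    return sorted(found, key=lambda t: t[2])


# Constructed sample text.
SAMPLE_TEXT = (
    "Customer Jane Roe <jane.roe@example.org> paid with card 4111 1111 1111 1111\n"
    "(expires 12/27). Backup card 4111 1111 1111 1112 was declined.\n"
    "SSN on file 612-02-9229; callback (555) 010-4477 or +1 555-010-4488.\n"
    "Order ref 1234567890123 is not a card number.\n"
)

if __name__ == "__main__":
    for kind, value, offset in find_personal_info(SAMPLE_TEXT):
        print(f"{offset:4d} {kind:12s} {value}")
```

The Luhn filter is what keeps the index usable: without it every 13 to 19 digit order or tracking number would be indexed as a card number, and on a large volume those outnumber real cards by a wide margin.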

Indexing Text in Slack and Unallocated Space


As you select options for indexing within the Evidence Processor, you can choose to include text
identified in file slack and unallocated space, defined below.
 File slack: the area between the end of a file and the end of the last cluster used by that file.
 Unallocated space: the sectors that are not associated with an allocated file—the free space of
a disk or volume.
Unallocated space consists of either unwritten-to sectors or previously written-to sectors that no longer
have historical attribution data associated with them. All of these sectors are aggregated into
Unallocated Clusters. Unallocated Clusters are then divided into multiple sections, and these sections
are indexed with shared metadata. If a word at the end of one section of text spans to another section
of text, that word is skipped and not included in the indexed sections of text. Sectors that are not
assigned to any partition fall under Unused Disk Area. The Evidence Processor handles these sectors
and Unallocated Clusters similarly.
The Evidence Processor detects and distinguishes ASCII, UTF-8, UTF-16 and UTF-32 encodings as well
as a number of East Asian and western codepages, and uses that identification to index any text
residing in slack and unallocated space.
Note: Indexing with East Asian script support is recommended, especially when Index Slack and Unallocated is enabled.
The additional processing enabled by this option prevents meaningless strings that are initially identified as Unicode strings
with Asian characters from being added to the index.
The following procedure provides the steps for including slack bytes and unallocated space when
indexing text.

1. After you have selected the evidence you want to acquire and process with the Evidence
Processor, select the Index text checkbox and click Index text. The Edit Settings dialog
displays.

2. If you want to use a noise file, specify or browse to the filepath.


3. Set the minimum and maximum word lengths (1-128 characters) for indexed text.
4. Select the checkbox for Index slack and unallocated.
5. If you want to index only the slack area of either known items or all items in the hash library,
select the corresponding checkbox.
6. To index using East Asian script support, select the corresponding checkbox.
7. Click OK.
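The sectioning described above, as an added example rather than EnCase's indexer: a constructed unallocated buffer is cut into fixed sections, each section is tokenised, any token that straddles a section boundary is dropped rather than indexed, and every remaining token is recorded against the shared metadata (section number and offset) so that a later query can show where in Unallocated Clusters the hit lies. The section size, the tokeniser and the in-line noise list are assumptions made for the illustration; the minimum and maximum word lengths follow step 3.

```python
"""Indexing text in unallocated space by sections (added example, not EnCase code)."""
import re
from collections import defaultdict

SECTION_SIZE = 64              # assumed for the demo; EnCase's section size is not stated
MIN_WORD_LEN, MAX_WORD_LEN = 3, 128
NOISE_WORDS = {"the", "and", "for"}   # stands in for a noise file

TOKEN = re.compile(rb"[A-Za-z0-9]+")


def is_word_byte(b):
    return TOKEN.fullmatch(bytes([b])) is not None


def index_unallocated(buffer, section_size=SECTION_SIZE, noise=NOISE_WORDS):
    """Cut the buffer into sections and index each one with shared metadata.

    Returns (index, skipped): index maps a lower-cased word to the sections
    and absolute offsets where it occurs; skipped lists the fragments that
    straddled a section boundary and were therefore left out, as the text
    above describes.
    """
    index = defaultdict(list)
    skipped = []
    for section_no, start in enumerate(range(0, len(buffer), section_size)):
        section = buffer[start:start + section_size]
        for m in TOKEN.finditer(section):
            abs_off = start + m.start()
            # Does the word continue into the previous or the next section?
            spans_prev = (m.start() == 0 and start > 0
                          and is_word_byte(buffer[start - 1]))
            spans_next = (m.end() == len(section)
                          and start + section_size < len(buffer)
                          and is_word_byte(buffer[start + section_size]))
            word = m.group(0).decode("ascii")
            if spans_prev or spans_next:
                skipped.append((word, abs_off))
                continue
            if not MIN_WORD_LEN <= len(word) <= MAX_WORD_LEN or word.lower() in noise:
                continue
            index[word.lower()].append({"section": section_no, "offset": abs_off})
    return dict(index), skipped


def query(index, word):
    """Where a term was seen: the shared metadata the Evidence Processor
    attaches to every hit in Unallocated Clusters."""
    return index.get(word.lower(), [])


# Constructed 'unallocated clusters': two fragments of old text with NUL
# padding, arranged so that 'confidential' crosses the 64-byte boundary.
SAMPLE_UNALLOCATED = (b"\x00" * 8
                      + b"Payroll export for falcon project "
                      + b"\x00" * 10
                      + b"status confidential do not forward"
                      + b"\x00" * 20)

if __name__ == "__main__":
    idx, lost = index_unallocated(SAMPLE_UNALLOCATED)
    print("indexed:", sorted(idx))
    print("skipped at boundary:", lost)
    print("falcon ->", query(idx, "falcon"))
```

The skipped list is the point to remember when an index query over unallocated space returns nothing for a term you expect: a word cut by a section boundary is absent from the index, and only a raw keyword search over Unallocated Clusters will find it.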

Creating Thumbnails
When you select the Thumbnail creation option, the Evidence Processor creates thumbnail records for
all image files in the selected evidence. This facilitates image browsing.

Running EnScript Modules


The EnCase Evidence Processor has the ability to run add-in modules (EnScript packages) during
evidence processing. Some modules ship as part of EnCase, and you can also add your own EnScript
packages. For examples of custom modules, open the EnCase\EnScripts\EvidenceProcessor
folder.
Note: To make a copy of your custom code and modify it while still preserving the original, use the Save As option in the
dropdown menu.
For help programming with EnScript, you can attend a training class or visit the EnScript message
board at https://support.guidancesoftware.com/forum/forumdisplay.php?f=11.
Following is a list of the supplied EnScript modules and their capabilities.

System Info Parser


You can use the System Information Parser module to identify hardware, software, and user
information from Windows and Linux computers. The module automatically detects the operating
system present on the device, then collects the specified artifacts.
This module replaces the Windows Initialize Case, Mac Initialize Case, and Linux Initialize Case
modules of the previous version of EnCase.
The Standard options tab is used for both Windows and Linux evidence, with exceptions noted in the
user interface. They contain basic information categories for use in reports.
The Advanced tab scans for registry information on Windows devices only.
When evidence processing is complete, you can also search NetShare and USB registry information in
the Records tab. You can see the UNC path visit history, the history of connected devices, and you can
correlate USB devices to their drive letters.

IM Parser
The IM Parser allows you to search for Instant Messenger artifacts from MSN, Yahoo, and AOL
Instant Messenger clients. These artifacts include messages and buddy list contents. It also allows
you to select where to search from several general location categories.
When you enable IM Parser processing and click the module name, the following dialog appears that
allows you to configure its options:

File Carver
The File Carver module searches evidence, including unallocated space, for files and file fragments
that can be recovered from their content alone, using parameters such as a known file size and the
file signature. Because it relies on headers rather than file system metadata, it can find fragments
anywhere on the disk. The size and destination used when carving are set on the File Carver's Export
Settings dialog. To carve for an additional file type, add an entry with header information and,
optionally, footer information, to the File Types table.
You can blue check entries and choose to search selected files. The HTML files that the module carves
are adjudicated to be HTML, based on certain keywords appearing in the files. Carved files can be
exported to disk so that they can be loaded with native applications.

The File Carver generates a report of carved files on disk by default.

Note: The value of 4096 bytes is the default carve size when no footer is provided and no default length is provided in the
File Types table.
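As an added example (not EnCase's File Carver), the following Python carves a constructed buffer of "unallocated space" using a small subset of a File Types table: types with a footer are cut from header to footer, and a type with neither footer nor default length is cut to the 4096-byte default described in the note above. The cap on how far to look for a footer and the decision to resume scanning immediately after each header are assumptions made for the illustration.

```python
"""Header/footer file carving (added example, not EnCase's File Carver)."""
DEFAULT_CARVE_SIZE = 4096     # default when no footer and no length is given
MAX_CARVE = 16 * 1024 * 1024  # assumed cap on how far to look for a footer

# Constructed subset of a File Types table: name, header, footer, default
# length, extension. None means the table supplies no footer / no length.
CARVE_TYPES = [
    ("JPEG", b"\xff\xd8\xff", b"\xff\xd9", None, "jpg"),
    ("PDF", b"%PDF-", b"%%EOF", None, "pdf"),
    ("ZIP", b"PK\x03\x04", None, None, "zip"),
]


def carve(buffer, types=CARVE_TYPES, default_size=DEFAULT_CARVE_SIZE):
    """Find every header in the buffer and cut out a file for each one.

    With a footer: the file runs from the header to the end of the first
    footer found within MAX_CARVE bytes. Without a footer (or when none is
    found) the type's default length applies, falling back to default_size.
    The scan resumes right after each header, so a JPEG embedded inside
    another (an EXIF thumbnail) is carved as well as its parent.
    """
    carved = []
    for name, header, footer, length, ext in types:
        pos = buffer.find(header)
        while pos != -1:
            end = None
            if footer is not None:
                hit = buffer.find(footer, pos + len(header), pos + MAX_CARVE)
                if hit != -1:
                    end = hit + len(footer)
            if end is None:
                end = min(pos + (length or default_size), len(buffer))
            carved.append({
                "type": name,
                "offset": pos,
                "length": end - pos,
                "name": f"carved_{pos:08x}.{ext}",
                "data": buffer[pos:end],
            })
            pos = buffer.find(header, pos + 1)
    carved.sort(key=lambda c: c["offset"])
    return carved


# Constructed 'unallocated space': a small JPEG, a PDF, and a ZIP local file
# header with far more than 4096 bytes after it but no footer in the table.
SAMPLE_UNALLOCATED = (
    b"\x00" * 100
    + b"\xff\xd8\xff\xe0" + b"J" * 50 + b"\xff\xd9"
    + b"\x00" * 40
    + b"%PDF-1.7\n" + b"P" * 200 + b"%%EOF"
    + b"\x00" * 40
    + b"PK\x03\x04" + b"Z" * 5000
)

if __name__ == "__main__":
    for c in carve(SAMPLE_UNALLOCATED):
        print(f"{c['name']:22s} {c['type']:5s} offset={c['offset']:6d} length={c['length']}")
```

The 4096-byte fallback is why a carved ZIP or other footer-less type often fails to open in its native application: the carve is a fixed-size slice, not the whole file, and the File Types entry needs a realistic default length for that type before the export is useful.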

Windows Event Log Parser


This module parses .evt and .evtx files for Windows Event Logs, and also allows for processing by
condition.

Windows Artifact Parser


The Windows Artifact Parser allows you to search for common Windows operating system artifacts of
potential forensic value, and parse them through a single module. Artifacts of interest include:
 Link files
 Recycle Bin artifacts
 MFT transaction logs
With these artifacts, you can elect to search unallocated, all files, or selected files. Once the artifacts
have been parsed, you can browse through the results in the Records tab. You can also index the
artifacts so that they are searchable. In addition, the artifacts can be bookmarked.

Unix Login
This module parses the login accounting files named "wtmp" and "utmp," and also allows for
processing by condition.
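As an added example (not EnCase code), the following Python parses wtmp/utmp records directly, using the glibc struct utmp layout for x86-64 Linux (384 bytes per record, little-endian), and pairs logins with logouts on the same terminal line. The sample records are constructed in the block itself; other architectures and BSD utmpx use different layouts, so check the record size before trusting the offsets.

```python
"""Linux wtmp/utmp record parsing (added example, not EnCase code).

Layout: glibc struct utmp on x86-64, 384 bytes, little-endian. Other
architectures and BSD utmpx differ, so check sizeof before trusting offsets.
"""
import struct
from datetime import datetime, timezone

UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
assert UTMP.size == 384

UT_TYPE = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
           5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
           8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def _ipv4(first_word):
    # ut_addr_v6[0] holds an IPv4 address in network byte order.
    return ".".join(str(b) for b in struct.pack("<i", first_word))


def parse_utmp(blob):
    """One dict per 384-byte record, in file order."""
    records = []
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        (ut_type, pid, line, ident, user, host, _term, _exit, _session,
         tv_sec, tv_usec, a0, a1, a2, a3) = UTMP.unpack_from(blob, off)
        records.append({
            "offset": off,
            "type": UT_TYPE.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "id": _cstr(ident),
            "user": _cstr(user),
            "host": _cstr(host),
            "ip": _ipv4(a0) if (a0 and not (a1 or a2 or a3)) else "",
            "time": datetime.fromtimestamp(tv_sec + tv_usec / 1e6, tz=timezone.utc).isoformat(),
            "tv_sec": tv_sec,
        })
    return records


def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same
    line: (user, line, host, login time, duration in seconds or None)."""
    open_logins, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_logins[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_logins:
            start = open_logins.pop(r["line"])
            out.append((start["user"], start["line"], start["host"],
                        start["time"], r["tv_sec"] - start["tv_sec"]))
    for start in open_logins.values():   # still logged in, or log truncated
        out.append((start["user"], start["line"], start["host"], start["time"], None))
    return out


def make_record(ut_type, pid, line, ident, user, host, tv_sec, ipv4="0.0.0.0"):
    """Build one record; used only to construct the sample below."""
    a0 = struct.unpack("<i", bytes(int(x) for x in ipv4.split(".")))[0]
    return UTMP.pack(ut_type, pid, line.encode(), ident.encode(), user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, a0, 0, 0, 0)


# Constructed wtmp: a boot, an SSH login on pts/0, and its logout an hour later.
SAMPLE_WTMP = (make_record(2, 0, "~", "~~", "reboot", "5.15.0-generic", 1_699_999_000)
               + make_record(7, 4242, "pts/0", "ts/0", "alice", "203.0.113.5",
                             1_700_000_000, "203.0.113.5")
               + make_record(8, 4242, "pts/0", "ts/0", "", "", 1_700_003_600))

if __name__ == "__main__":
    for r in parse_utmp(SAMPLE_WTMP):
        print(f"{r['time']} {r['type']:13s} {r['user']:8s} {r['line']:6s} {r['host']}")
    print(sessions(SAMPLE_WTMP and parse_utmp(SAMPLE_WTMP)))
```

Reading the records yourself is worthwhile when the file has been tampered with: the fixed record size means a login that was overwritten with zeros shows up as an EMPTY record at an offset where one would not expect it, and a DEAD_PROCESS with no matching login is a sign that the preceding entries were truncated.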

Linux Syslog Parser


This module parses the Linux system Log files, which have different names and locations depending
upon the type of Linux used.
You can process files by signature, and use EnScript code to specify either entry or log event
conditions.
CHAPTER 6

Browsing and Viewing


Evidence
In This Chapter
 Overview

 The EnCase Interface

 Filtering Your Evidence

 Conditions

 Browsing Through Evidence

 Viewing Evidence

 Viewing Processed Evidence

 Viewing Email

Overview
After creating a case and adding evidence, you can browse and manipulate your views of the evidence
in a wide variety of ways:
 You can search through processed evidence quickly, after it has been indexed.
 The Gallery view provides thumbnails of images.
 Conditions cull down the viewed data into a manageable subset.
 Filters enable you to eliminate data based on a wide variety of attributes.
 You can browse through evidence directly from evidence files or devices.
This chapter provides an overview of the EnCase Interface and describes all the ways you can browse
and view collected evidence.

The EnCase Interface


Selecting Pane Views
The EnCase layout has three sections:
 Tree pane
 Table pane
 View pane
The selections in the Tree pane affect the Table pane; the selections in the Table pane affect the View
pane.
 See Navigating the Tree Pane on page 96 for more information about the Tree pane.
 See Navigating the Table Pane on page 97 for more information about the Table pane.
You can change the way the panes of the screen are configured with the Split Mode button:
The Tree-Table view shows the Tree pane on the left, the Table pane on the right, and the View pane
on the bottom. This is the traditional EnCase entries view.

The Table view shows the Table pane on the top and the View pane on the bottom. There is no Tree
pane.

The Traeble view combines the Tree and Table panes on the top, and retains the View pane on the
bottom. The view provides the ability to browse the folder structure in the Name column.

The Tree view displays the Tree pane on the left and the View pane on the right. There is no Table
pane. This is the suggested view for looking at Email records.

Navigating the Tree Pane


The Tree view presents the evidence in a standard hierarchical folder structure. Only evidence files
and the folders contained within them are displayed in this view. Individual files are displayed in the
Table Pane (discussed later). The arrows can be used to expand and contract the tree structure just as
they are used in Windows® Explorer.

There are three methods used within EnCase to focus on specific files or folders. These methods have
different purposes:
• Highlighting a folder displays the entries within that folder in the Table Pane.
• Clicking the "home plate" next to a folder name displays all the entries, files, and sub-
folders for that folder in the Table Pane. This is sometimes called "green plating" an item
and overrides the highlighting option.
• Selecting a checkbox next to an item in any view selects that item for an action, such as an
analysis or keyword search. This is sometimes called "blue checking" an item.
− The number of currently selected items display in the Selected box above the Table
pane.
− To clear all selected entries, clear the blue check from the Selected box.

Navigating the Table Pane


The Table Pane is visible in the Table and the Tree-Table views. The selection in the Tree pane
determines what is shown in the Table pane. See Navigating the Tree Pane on page 96 for the various
ways to select folders and files.
See Working with Columns on page 99 for information on column management.
The Table Pane displays many columns of information about the displayed entries.
 Name is the file/folder/volume, etc., in the evidence file.
 Tag displays the tag(s) placed by you on an entry.
 File Ext is the entry’s extension, which initially determines whether this entry is displayed in
the Gallery view.
 Logical Size specifies the file size as the operating system addresses the file.
 Item Type identifies the type of evidence, such as Entry (file or folder), Email, Record, or
Document. This column is off by default.
 Category indicates the category of the file from the File Type table.

 Signature Analysis displays the results of a file signature analysis.


 Signature displays the signature of a Match or an Alias (renamed extension) resulting from
the signature analysis.
 Protected indicates if the file is identified as an encrypted or password protected file during
evidence processing.
 Protection Complexity provides details on the file's protection.
 Last Accessed displays the last date/time the file was accessed. This typically reflects the last
time the operating system or any compliant application touched the file (such as viewing,
dragging, or right clicking). FAT volumes record only a last accessed date, not a time.
 File Created typically reflects the date/time the file/folder was created at that location. A
notable exception to this is the extraction of files/folders from a ZIP archive. Those objects will
carry the created date/time as they existed when the objects were placed in the archive.
 Last Written reflects the date/time the file was last opened, edited, and then saved. This
corresponds to the Modified time in Windows with which users are familiar.
 Is Picture indicates whether the file is an image.
 Code Page displays the character encoding table upon which the file is based.
 MD5 displays a 128-bit value for a file entry generated by a hash analysis process.
 SHA1 displays the SHA1 hash value for a file entry generated by a hash analysis process.
 From displays the sender of the email message. This column is not displayed by default.
 Recipient displays the receiver of the email message. This column is not displayed by default.
 Primary Device displays the primary device used. This column is not displayed by default.
 Item Path identifies the location of the file within the evidence file, including the evidence file
name and a volume identifier.
 Description describes the condition of the entry – whether it is a file or folder, deleted, or
deleted/overwritten.
 Is Deleted indicates if the entry is in a deleted state.
 Entry Modified indicates when the entry's file system metadata (the MFT record on NTFS, the
inode on Linux) was last altered.
 File Deleted displays the deleted date/time if the file is documented in the Recycle Bin’s Info2
file.
 File Acquired identifies the date/time the evidence file in which this entry resides was
acquired.
 Initialized Size indicates the size of the file when it is opened; applies only to NTFS file
systems.
 Physical Size specifies the size of the storage areas allocated to the file.
 Starting Extent identifies the starting cluster of the entry.
 File Extents displays the cluster fragments allocated to the file. Click within this column for an
entry and then click on the File Extents tab in the View Pane to see the cluster fragments.
 Permissions shows security settings of a file or folder in the View Pane.
 Physical Location displays the number of bytes into the device at which the data for an entry
begins.
 Physical Sector lists the sector number into the device at which the data for an entry begins.
 Evidence File displays where the entry resides.
 File Identifier displays an index number for a Master File Table (NTFS) or an Inode Table
(Linux/UNIX).
 GUID indicates the Global Unique Identifier for the entry; to enable tracking throughout the
examination process.
 Hash Sets: This column is hidden by default. If you choose to show this column, the Boolean
value displays as true if a file belongs to one or more hash sets.
 Short Name displays the name Windows gives the entry, using the DOS 8.3 naming
convention.

 VFS Name is used to display the name for files mounted with the EnCase Virtual File System
(VFS) module in Windows Explorer. This replaces the Unique Name column in previous
versions of EnCase.
 Original Path displays information derived from data in the Recycle Bin. For files within the
Recycle Bin, this column shows where they originated when they were deleted. For
deleted/overwritten files, this column shows the file that has overwritten the original.
 Symbolic Link displays data pertaining to the equivalent of a Windows Shortcut in Linux and
UNIX.
 Is Duplicate displays True (Yes) if the displayed file is a duplicate of another.
 Is Internal indicates whether the file is an internal system file, such as the $MFT on an NTFS
volume.
 Is Overwritten indicates whether the first cluster, or more, of an entry has been overwritten by
a subsequent object.

Viewing Information in a Timeline


The Timeline view shows patterns of different types of dates and times. Zooming in enables you to see
time in a more granular way (up to a second-by-second timeline); zooming out provides a larger
overview (up to a year-by-year timeline).

Working with Columns


Table columns may be rearranged in any order by clicking and dragging the column heading and
dropping it into its new location.
To sort by a column, double click on the column heading. To institute a subsort, hold down the Shift
key and double click on the column heading. Columns may be sorted by up to five layers deep.
Columns may be locked on the left side of the Table view so they remain visible when horizontally
scrolling.
• To lock a column, click anywhere in the column and select Column > Set Lock from the
arrow dropdown menu to the right of the Table pane. The selected column and all
columns to its left are now locked.
• If columns are rearranged, all columns to the left of that position remain locked.
• To release the lock, click anywhere in the column and select Column > Unlock from the
arrow dropdown menu to the right of the Table pane.

Viewing Content in the View Pane


You can view information about a device or entry in a variety of ways in the EnCase View pane. The
Evidence, Results, and Records tabs have slightly different viewing options, but operate in generally
the same manner.
Whenever possible, when an entry is selected, the appropriate viewer for that item is used by default.
To keep the tabs from switching for different data types, click the Lock checkbox on the top right of
the View pane to lock the view to that tab.
The lower View pane provides several ways to view file content:
• The Fields tab displays all information available regarding an item. All fields shown on
this tab are indexed.

• The Report tab provides a readable, formatted view of metadata. This is the view
preferred for email.

• On the Text tab, you can view files as ASCII or Unicode text.
− You can modify how text in this tab is displayed. See Changing Text Styles on page
105.
− When viewing search results, select Compressed View to see only the lines containing
raw keyword search hits.
− Use the Previous/Next Hit buttons to move through hits within the file. If there are
no more hits in the file, the next item opens and the first hit is found.

• On the Hex tab, you can view files as straight hexadecimal.


− When viewing search results, select Compressed View to see only lines with raw
keyword search hits.
− Use the Previous/Next Hit buttons to move through hits within the file. If there are
no more hits in the file, the next item opens and the first hit is found.

• The Decode tab decodes data swept (selected) in the Hex tab in a variety of formats. You
can then bookmark the swept data together with its decoded value.
• The Doc tab provides native views of formats supported by Oracle Outside In technology.

• The Transcript tab displays the same formats as the Doc tab, but filters out formatting and
noise, allowing you to view files that cannot display effectively in the Text tab.
− The Transcript tab displays the extracted text from the file.
− When viewing search results, select Compressed View to see only lines with index
query hits.
− Use the Previous/Next Hit buttons to move through hits within the file. If there are
no more hits in the file, the next item opens and the first hit is found.
• View graphics files on the Picture tab. If the highlighted file in the Table pane is an image
that can be decoded internally, EnCase lets you select the Picture view in the View Pane
and displays the image.

• The File Extents tab shows sector information about the selected file. This works on entry
evidence only.
• The Permissions tab displays the security permissions for a file, including the name and
security identification number (SID) of the user(s) who have permission to read, write, and
execute a file.

• The Hash Sets tab shows hash information for entry evidence only.


Adding an External File Viewer


EnCase comes with the ability to view different types of files as they would appear in their native
application.
If you encounter a file type that EnCase cannot view with its built-in viewers, you can add an
external viewer for that file type to EnCase.
1. From the Evidence tab, click Open with and select File Viewers. The Edit File Viewers list
displays.
2. Click New. The New File Viewer dialog displays.

• Name is the name of the file viewer.


• Check Maximize View Dialog to open the file viewer in a maximized new window.
• Application Path contains the filename and path to the viewer's executable.
• Command Line contains a reference to the executable and any parameters used to
customize the viewer.
3. Click OK. The new file viewer displays in the Edit File Viewers list for selection as needed.

Changing Text Styles


In the Text or Hex tabs, different viewing styles can be applied to display the text in configurations
that assist in viewing particular types of data. To change the style select the Text Styles menu from the
Text or Hex tabs in the View Pane.
1. Click New to create a new text style. The New Text Style dialog displays.

• Name is the name of the text style.


• Fit to page eliminates line breaks in displayed content, and displays all text in the
window.
• Line Breaks displays line breaks in the content.
• Max Size ignores line breaks in the content, and wraps lines at the value set in Wrap
Length.
• Wrap Length specifies the length where a line break occurs. When you select Max Size,
line breaks occur only at the value of this setting.
• RTL Reading sets the text display to read right-to-left (RTL).
2. Click on the Code Page tab to select the code page.

• Unicode specifies little-endian Unicode. If UTF-7 or UTF-8 is used, select Other, not
Unicode.
• Unicode Big-Endian specifies big-endian Unicode.
• Other lets you select from the Code Page list.
• The Code Page list contains a list of supported code pages.
3. Click OK to save the new text style and return to the Text Styles dialog.
4. Click OK to make the new style available. The new text style is now applied to the Text tab in
the View Pane.

Associating File Types with a File Viewer


When you add a new file viewer to EnCase, you can associate that new viewer with a file type.
1. From the Evidence tab, select File Types from the View menu. The File Types tab displays.
2. Double click the file type you wish to associate with the new viewer.
3. The Edit File Type dialog displays.

• Description is the file type to associate with the file viewer.


• Extensions is a list of file types to associate with the file viewer.
• Select a Default Length to determine the end of the file.
− This is used to determine the length of the file when no footer has been specified for
the file type.
− If this is not set, a default length of 4096 bytes is used to determine the end of the
file.
− Longer lengths are recommended for pictures and ZIP files.
• The Viewer area contains options selecting the type of viewer to use:
− Click EnCase to associate the built-in EnCase viewer with the file type you define.
− Click Windows to associate Windows with the file type you define.
− Click Installed Viewer to associate an installed viewer with a file type. Use the
installed viewers tree to select the specific viewer.
• The Installed viewers tree lists the file viewers currently known to EnCase.
4. Click OK. All files of this file type are now associated with the selected file viewer.
Decoding Data
Anything highlighted on the Text or Hex tab can be decoded in a variety of ways on the Decode tab.
1. On the Text or Hex tab in the View pane, sweep (highlight) the data you want to decode.
2. Open the Decode tab and select from the list of decoding options.
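The decoding that the Decode tab performs on a swept range, and the code page choice made under Changing Text Styles, can be reproduced in a few lines. The following Python example is added here and is not part of EnCase or of this manual: the byte samples are constructed, and the code page names are those of the Text Styles dialog mapped onto Python codec names. It interprets the same bytes as little- and big-endian integers, as text in several code pages, and as a Windows FILETIME, which is the interpretation an examiner most often needs for swept timestamp fields.

```python
"""Decode a swept byte range the way the Decode tab and the Text Styles code
pages do: as integers of either byte order, as text in a chosen code page,
and as a Windows FILETIME.  Added example; the sample bytes are constructed,
not taken from any evidence file."""
import struct
from datetime import datetime, timedelta, timezone

# Code page names as the Text Styles dialog labels them, mapped to Python codecs.
# "Unicode" in the dialog means little-endian UTF-16; UTF-8 falls under "Other".
CODE_PAGES = {
    "Unicode": "utf-16-le",
    "Unicode Big-Endian": "utf-16-be",
    "UTF-8": "utf-8",
    "Windows-1252": "cp1252",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_int(data, size, endian="<", signed=False):
    """Interpret the first `size` bytes (1, 2, 4 or 8) as an integer.
    endian is "<" for little-endian or ">" for big-endian."""
    fmt = {1: "b", 2: "h", 4: "i", 8: "q"}[size]
    if not signed:
        fmt = fmt.upper()
    return struct.unpack(endian + fmt, data[:size])[0]


def decode_text(data, code_page):
    """Decode bytes as text in one of the code pages above.  Undecodable
    sequences are replaced rather than raising: a viewer must not stop on
    junk bytes."""
    return data.decode(CODE_PAGES[code_page], errors="replace")


def decode_filetime(data):
    """Interpret 8 little-endian bytes as a Windows FILETIME (100 ns ticks
    since 1601-01-01 UTC) and return a timezone-aware datetime."""
    ticks = struct.unpack("<Q", data[:8])[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_all(data):
    """Return the interpretations a Decode tab would offer for a sweep."""
    views = {}
    if len(data) >= 4:
        views["32-bit integer (LE)"] = decode_int(data, 4, "<")
        views["32-bit integer (BE)"] = decode_int(data, 4, ">")
    if len(data) >= 8:
        views["64-bit integer (LE)"] = decode_int(data, 8, "<")
        views["FILETIME"] = decode_filetime(data).isoformat()
    for name in CODE_PAGES:
        views[name] = decode_text(data, name)
    return views


# Constructed samples (not from the manual).
TEXT_LE = "Hi".encode("utf-16-le")          # b"H\x00i\x00"
# 2012-01-01 00:00:00 UTC: seconds from 1601 to the Unix epoch, plus the
# Unix timestamp of that date, expressed in 100 ns ticks.
FILETIME_2012 = struct.pack("<Q", (11644473600 + 1325376000) * 10**7)

if __name__ == "__main__":
    for label, value in decode_all(TEXT_LE).items():
        print(f"{label:>22}: {value!r}")
    print(decode_filetime(FILETIME_2012))
```

Run on the four-byte UTF-16 sample, the "Unicode" row reads "Hi" while the "Windows-1252" row shows the interleaved NUL bytes, which is exactly why the Text Styles code page has to match the data before search hits in Unicode strings look right.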
Undocking the View Pane


You can undock the View pane, for example to place it on a second monitor.

Close the undocked View pane to return it to the main window.
Using Views/Tabs
There are a variety of different views available on your information that can be accessed from the
View menu.
Clicking these views opens up a new tab in the EnCase window.

Many generic functions (such as printing, saving, sorting, and managing columns) are accessible from
the dropdown menus to the right of the menu bar for each pane.
Other functions are also available in the arrow menus to the right side of the table.
Changing Text Color


You can change the way various types of text are displayed in EnCase. This is useful if, for example,
you want to change the way the uninitialized area of a file displays and differentiate it from the logical
size of the file.
To change the color display of text:
1. From the Tools menu, select Options.
2. In the Options dialog, click the Colors tab.

3. To change the color of the text, right click the Foreground color and select the new color from
the dropdown menu. If the color you want is not an option, double click the foreground color
and select from the color palette.
4. To change the background color, right click the Background color and select the new color
from the dropdown menu. If the color you want is not an option, double click the foreground
color and select from the color palette.
5. Click OK.

Navigating the Evidence Tab


When browsing and viewing your evidence, much of your time is going to be spent in the Evidence
and Records tabs.
Evidence is information you can view and process in EnCase from a variety of sources:
• E01 and L01 files
• VMDK
• VHD
• Raw DD image files
EnCase parses these files as they come in and each file is shown as a device on the interface. All parsed
data from a device is stored in a device cache so that it does not need to be reloaded each time it is
viewed.
The Evidence tab table view shows the evidence currently loaded into your case. Notice when you are
showing a list of evidence the Viewing button shows as Viewing (Evidence):

Clicking any one of these pieces of evidence opens it up more fully. Notice when you are viewing an
expanded view of an entry, the Viewing button shows as Viewing (Entry):

Clicking on the Viewing button enables you to move between the top level list of devices or an
expanded view of specific evidence:
If you want to see all the evidence expanded into the same entry screen, go to the top level list of
devices, select all evidence files you want to see, and click Open:

The display changes to show the expanded view of all selected evidence entries.

The status bar at the bottom of the screen displays your current positioning within the device. This is
useful especially when documenting the location of evidence found in unallocated space.
The status of any processing activity displays in the lower right of the status bar. On the right, the
status bar shows the full path of the highlighted item. If a deleted/overwritten file is highlighted, it
indicates the overwriting file.
The following abbreviations are used in the status bar:

• PS is the physical sector number


• LS is the logical sector number
• CL is the cluster number
• SO is the distance in bytes from the beginning of the sector (sector offset).
• FO is the distance in bytes from the beginning of the file (file offset).
• LE is the number in bytes of the selected area (length).
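The following Python example is added here to show how these status bar values relate to one another for a fragmented file; it is not EnCase code. It assumes a constructed volume geometry (512-byte sectors, 8 sectors per cluster, the volume beginning at physical sector 2048), constructed extent lists of the kind the File Extents tab lists, and the NTFS convention that cluster n begins at logical sector n times the sectors per cluster. It maps a file offset (FO) to PS, LS, CL and SO, and, as Disk View does, maps a physical sector back to the file that owns it.

```python
"""Map a file offset (FO) to the status bar coordinates PS, LS, CL and SO
for a fragmented file, and map a physical sector back to its owning file.
Added example with a constructed geometry and constructed extent lists;
none of it is EnCase code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Geometry:
    bytes_per_sector: int = 512
    sectors_per_cluster: int = 8       # 4096-byte clusters
    volume_start_ps: int = 2048        # physical sector holding logical sector 0

    @property
    def cluster_bytes(self):
        return self.bytes_per_sector * self.sectors_per_cluster


def locate(file_offset, extents, geo):
    """Translate FO into PS/LS/CL/SO.  `extents` is an ordered list of
    (first_cluster, cluster_count) runs; cluster n is assumed to start at
    logical sector n * sectors_per_cluster (NTFS convention)."""
    if file_offset < 0:
        raise ValueError("offset must be non-negative")
    cluster_index, within = divmod(file_offset, geo.cluster_bytes)
    for first_cluster, count in extents:
        if cluster_index < count:
            cl = first_cluster + cluster_index
            sector_in_cluster, so = divmod(within, geo.bytes_per_sector)
            ls = cl * geo.sectors_per_cluster + sector_in_cluster
            return {"PS": geo.volume_start_ps + ls, "LS": ls, "CL": cl,
                    "SO": so, "FO": file_offset}
        cluster_index -= count
    raise ValueError("offset lies past the file's last extent")


def owner_of(physical_sector, files, geo):
    """Reverse lookup as Disk View does it: which file's extents contain this
    physical sector?  Returns (name, FO of the sector's first byte) or
    (None, None) for a sector no file in `files` owns."""
    ls = physical_sector - geo.volume_start_ps
    if ls < 0:
        return None, None
    cl, sector_in_cluster = divmod(ls, geo.sectors_per_cluster)
    for name, extents in files.items():
        consumed = 0                    # clusters of the file seen so far
        for first_cluster, count in extents:
            if first_cluster <= cl < first_cluster + count:
                fo = ((consumed + cl - first_cluster) * geo.cluster_bytes
                      + sector_in_cluster * geo.bytes_per_sector)
                return name, fo
            consumed += count
    return None, None


# Constructed example: a 12 KiB file split across two runs, and one intact file.
GEO = Geometry()
FILES = {
    "report.docx": [(100, 2), (500, 1)],   # clusters 100-101, then 500
    "photo.jpg": [(300, 4)],               # clusters 300-303
}

if __name__ == "__main__":
    print(locate(9000, FILES["report.docx"], GEO))
    print(owner_of(6049, FILES, GEO))
```

Byte 9000 of report.docx falls in its third cluster, which is the single-cluster second run at cluster 500, so the status bar would read PS 6049, LS 4001, CL 500, SO 296; feeding that PS back through owner_of returns the same file and the FO of the sector's first byte, 8704.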

Entries View Right Click Menu


In Entries view, right click any entry in the tree, then position the cursor over Entries to display the
Entries submenu.

• Copy Files opens the Copy Files dialog.


• Copy Folders opens the Copy Folders dialog.
• View File Structure opens the View File Structure dialog.
• Add to hash library opens the Manage Hash Library dialog.
• Hash\Sig Selected opens the Hash\Sig Selected dialog.
• Go To Overwriting File: If a file is overwritten, this option takes you to the overwriting
file.
Using Disk View to See Data on a Device


The Disk view shows files and folders in terms of where their data lies on the media, so the
placement of clusters and sectors and the fragmentation of files can be observed.
Disk view is available from the Entry view of the Evidence tab. To open Disk View, select Disk View
from the Device menu.
• The file selected in the table is highlighted in the Disk View as dark blue squares.
• Allocated sectors are shown in light blue.
• Unallocated sectors are shown in gray.

Select Auto Extents to automatically highlight all of the remaining extents that make up the file
associated with the selected sector. If Auto Extents is off, double click a sector to show the remaining
associated extents.

Click on the Evidence tab to return to entries.


Changing Evidence Cache Location


EnCase provides a wizard that steps you through the process of changing the location of your
evidence cache.
To change the location of your evidence cache, do the following.
1. In the Evidence tab toolbar, click Change Caches. The Change Caches dialog displays.
To use the base Case folder for the primary evidence cache, select the corresponding checkbox.
2. To change the location of the primary evidence cache, click the Primary evidence cache
ellipsis button, browse to the new location, and click OK.
3. To add a secondary evidence cache location, click the Secondary evidence cache ellipsis
button, browse to the new location, and click OK.
4. Click Next. The Evidence Cache Preview dialog appears. Cache status is listed for each
item of evidence:
• Ready (Primary) means the new primary cache location contains a cache for the evidence.
• Ready (Secondary) means the new secondary cache location contains a cache for the evidence.
• Missing means the old location had a cache, but neither the primary nor the secondary
location has a cache for the evidence.
• None means there has never been a cache for this device.
5. Click Finish. If any evidence has a status of Missing, a message dialog informs you that a new
evidence cache will be created for that evidence. Click Yes to proceed.

Navigating the Records Tab


The Records tab displays the inner structure of compressed files or other files that have needed
additional processing to be viewed. This would include email archives, .ZIP, .RAR files, Internet
artifacts, output for EnScript modules, smartphone data, and so on.
Entries that can be expanded and viewed in the Records tab are shown as blue links and marked with a
green plus sign in the Entries view.
If an entry does not show as a blue link, select it and click View File Structure from the Entries
dropdown. The View File Structure command automatically expands, or mounts, the file. After
initially mounting the file, the expanded data can be seen in the Records tab as well.

Filtering Your Evidence


Filters are EnScripts that provide a table view of all entries that match a particular set of criteria. Filters
do not remove any items from the case; they simply specify which entries are shown in the Table pane.
Depending on what tab is currently selected, different types of filters are available. For example, the
filters available for search hits are different from those available for entries.
Both filters and conditions work the same way in terms of how they affect the items in the Table pane.

Running a Default Filter


EnCase comes with a number of pre-configured default filters for your use.
1. Click Run from the Filter dropdown menu on the toolbar. The Open File dialog displays.
2. Select the filter you want from either Records or Entries, and click Open. The Filter dialog
displays.

• When selected, Run filter on all evidence in case causes the condition to run on all
evidence in the case.
• Clearing the checkbox causes the condition to run only on the currently viewed evidence.
3. Click OK to run the filter. Depending on which filter you selected, additional dialogs may
display. While a filter or condition is running, its name shows in the lower right of the status
bar. When complete, the results are shown in the Results tab.

Creating a Filter
In addition to using the filters already provided, you can create your own filters.
Note: You need a working knowledge of EnScript to make a new filter. If you do not have this working knowledge, you
may be able to create a condition to perform the same function.
1. Select New Filter from the Filter dropdown. The New Filter dialog displays:

2. Enter a new name and path for the filter, if desired.


3. Click OK. The Filter dialog displays.

• When selected, Run filter on all evidence in case causes the condition to run on all
evidence in the case.
• Clearing the checkbox causes the condition to run only on the currently viewed evidence.
4. Click OK. The New Filter tab displays, showing a source editor.

5. Enter EnScript code as required to accomplish your task. The newly created filter displays at
the bottom of the filters list.

Editing a Filter
You can change an existing filter's behavior by editing it.
1. Select Edit from the Filter dropdown. A list of all customized and pre-configured filters
displays.
2. Select the filter you want to edit and click Open. The source code opens in a Filter tab.
3. In the Filter pane, click the Filters tab.
4. Right click the filter you wish to edit and click Edit Source. The existing code displays in
the Table pane.
5. Edit the code as needed.
6. To change the name of the filter, click Options and modify the name or path of the filter.

Deleting a Filter
Default filters are read-only and cannot be modified or deleted. However, you can delete any custom
filter you have created:
1. To permanently delete a filter, select Edit from the Filter dropdown. A list of all customized
and pre-configured filters displays.
2. Right click the filter you want to delete, and click Delete.
3. Click Yes to confirm.

Sharing Filters
You can export your own filters and import filters created by other EnCase users.
1. To copy a filter for exporting, select Edit from the Filter dropdown. A list of all customized
and pre-configured filters displays.
2. Right click the filter you want to export, and click Copy.
3. Navigate to the place you want to store the file, and click Paste.
4. To import a filter created by someone else, navigate to the folder where that filter is stored and
move it to your user storage location for filters (default is My Documents\EnCase\Filters).
Conditions
Conditions are compilations of search terms that instruct EnCase to find certain data based on a certain
property of information. Individual search terms are ordered hierarchically in the condition so that the
data is searched or processed in the correct order for greatest efficiency.
Conditions are similar to filters in that they display only those entries that match a specific set of
criteria in the Table pane. Both conditions and filters are EnScript code that performs a filtering
process on your data.
The difference between filters and conditions is that creating a condition does not require that you can
program in EnScript. Through a special interface you can create them without coding directly in
EnScript.
Once a condition has been created, you can run it on any evidence within the case. There are no
default conditions.

Running an Existing Condition


1. From the Evidence tab, select the condition you want to run from the Condition dropdown.
The Run Condition dialog displays.
• If you do not see the condition you want to run, click Run.
• Browse to the condition you want to run, select it, and click Open.
2. Review the condition and click OK to run it. The Filter dialog displays.

• When selected, Run filter on all evidence in case causes the condition to run on all
evidence in the case.
• Clearing the checkbox causes the condition to run only on the currently viewed evidence.
Creating a New Condition


1. From the Evidence tab, select New Condition from the Condition dropdown. The Condition
dialog displays:

2. Enter a new name and path for the condition, if desired.


3. Right click the Main function node on the conditions tree and select New. The New Term
dialog displays.

• Select a property, an operator, and, if appropriate, a value and choice.


− Properties allow you to specify what information you want to filter.
− Operators indicate how you want to filter the information. Operators that allow you
to enter values can use GREP expressions, or provide a list of values to find.
− For any condition using a literal comparison (such as Matches), make sure there are
no spaces at the end of any value string.
• If you want to edit the source code directly, click Edit Source Code.
• To nest terms, create a folder by right clicking on the parent condition folder in the Tree
pane and choosing New Folder. Place the nested terms inside the parent folder.
• If you want to change the AND/OR logic within the condition, right click the term and
select Change Logic. This changes the AND operator to an OR, and vice versa.
• If you want to negate the logic of a term, right click the term and select Not.
• Repeat the steps above to create as many terms as you want to make the condition as
detailed as possible.
Note: The Hash Sets property values show as integers.
4. When done, click OK to close the New Term dialog. The new condition displays in the Edit
condition dialog.
5. Repeat for as many conditions as you require. As you accumulate conditions, make sure they
appear in the correct hierarchical order for greatest efficiency.

• When you run the condition, the terms are evaluated in the order in which they display.
• Conditions work from the top to the bottom, hence, the sequence within the condition tree
directly affects how well the condition works. To be most effective, for example, place an
extension search for all .docx files before a keyword search. This saves processing time by
not looking for keywords in files that may not even contain text.
− Folders operate much like parentheses in mathematical problems, in that the folder
allows its contents to be grouped together based upon the logic.
− Logic operators operate on the folder in which they appear and do not impact the
folders above or below them.
• To nest terms, right click the parent condition folder in the tree and choose New Folder.
Place the nested terms inside the parent folder.
• To toggle the AND/OR logic within the condition, right click the term and select Change
Logic. This changes the AND operator to an OR, and vice versa.
• To negate the logic of a term, right click the term and select Not.
6. Click OK to save and close the dialog.
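The evaluation order, folder grouping and Not option described above can be seen at work in a small evaluator. The following Python example is added here and is neither EnCase nor EnScript code; the operator names, the item fields and the sample entries are constructed for illustration. It counts how often each term runs, so the saving from placing the cheap extension test before the keyword test is visible, and it shows why a trailing space in a Matches value defeats the comparison.

```python
"""Evaluate a condition tree as the Condition dialog describes it: terms are
tested top to bottom with AND/OR logic, folders group terms like parentheses,
Not negates a term, and a cheap term placed first spares the expensive ones.
Added example with constructed items; not EnCase or EnScript code."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Union

# Constructed operator set; Matches is a literal comparison, so "docx " != "docx".
OPERATORS = {
    "Matches": lambda actual, value: actual == value,
    "Contains": lambda actual, value: value in actual,
    "Ends With": lambda actual, value: actual.endswith(value),
    "Greater Than": lambda actual, value: actual > value,
}


@dataclass
class Term:
    prop: str
    op: str
    value: object
    negate: bool = False            # the right-click "Not" option

    @property
    def label(self):
        return f"{'NOT ' if self.negate else ''}{self.prop} {self.op} {self.value!r}"

    def evaluate(self, item, evaluations):
        evaluations[self.label] += 1
        result = OPERATORS[self.op](item[self.prop], self.value)
        return not result if self.negate else result


@dataclass
class Folder:
    logic: str                      # "AND" or "OR", toggled by "Change Logic"
    children: List[Union["Term", "Folder"]] = field(default_factory=list)

    def evaluate(self, item, evaluations):
        # all()/any() stop at the first deciding child, which is what makes
        # the order of terms matter for processing time.
        results = (child.evaluate(item, evaluations) for child in self.children)
        return all(results) if self.logic == "AND" else any(results)


def run_condition(condition, items):
    """Return the names of matching items and how often each term ran."""
    evaluations = Counter()
    matches = [item["name"] for item in items if condition.evaluate(item, evaluations)]
    return matches, evaluations


# Constructed entries standing in for the Table pane.
ITEMS = [
    {"name": "report.docx", "ext": "docx", "size": 20480, "text": "quarterly invoice summary"},
    {"name": "photo.jpg",   "ext": "jpg",  "size": 300000, "text": ""},
    {"name": "notes.txt",   "ext": "txt",  "size": 512,    "text": "invoice draft"},
    {"name": "memo.docx",   "ext": "docx", "size": 4096,   "text": "meeting notes"},
]

# Extension check first: the keyword term only runs on the two .docx files.
EFFICIENT = Folder("AND", [Term("ext", "Matches", "docx"), Term("text", "Contains", "invoice")])
# Same terms reversed: the keyword term runs on every item.
INEFFICIENT = Folder("AND", [Term("text", "Contains", "invoice"), Term("ext", "Matches", "docx")])
# Nested folder as parentheses: size > 1000 AND (jpg OR docx) AND NOT "meeting".
NESTED = Folder("AND", [
    Term("size", "Greater Than", 1000),
    Folder("OR", [Term("ext", "Matches", "jpg"), Term("ext", "Matches", "docx")]),
    Term("text", "Contains", "meeting", negate=True),
])

if __name__ == "__main__":
    for name, cond in [("efficient", EFFICIENT), ("inefficient", INEFFICIENT), ("nested", NESTED)]:
        matches, evaluations = run_condition(cond, ITEMS)
        print(name, matches, dict(evaluations))
```

Both orderings of the two-term condition select the same single item, but the keyword term runs twice in the efficient order and four times in the reversed one; on a real case the "text" field is a content search, so that difference is the processing time the manual refers to.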
Editing Conditions
1. Select Edit from the Condition dropdown. A list of all conditions displays.
2. Select the condition you want to edit and click Open. The Condition dialog displays.
3. Edit the condition as needed.
4. To change the name of the condition, modify the name within the path of the condition.
5. When done, click OK.

Sharing Conditions
You can export your own conditions and import conditions created by other EnCase users.
1. To copy a condition for exporting, select Edit from the Condition dropdown. A list of all
conditions displays.
2. Right click the condition you want to export, and click Copy.
3. Navigate to the place you want to store the file, and click Paste.
4. To import a condition created by someone else, navigate to the folder where that condition is
stored and move it to your user storage location for conditions (default is My
Documents\EnCase\Condition).

Printing a Condition
The Report tab in the Condition dialog provides a plain text representation of the condition. You can
print or export this report by right clicking within this tab and selecting Save As. The export dialog
provides a variety of options for saving the report.

Browsing Through Evidence


The easiest way to browse through evidence is by viewing it in either the Evidence or the Records
tabs. The Evidence tab displays the evidence currently loaded in your case; the Records tab displays
the inner structure of compressed files or other files that have needed additional processing to be
viewed.
• To browse through Internet artifacts, expand an Internet node in the Tree pane of the Records
tab. The Browser node contains the various Internet items. Use the Fields tab in the lower
pane to view the most information.
• To browse through Archives, expand the Archives node in the Tree pane of the Records tab
and browse through the various Archive items in the Table pane. Use the Fields tab in the
lower pane to view the most information.
• To view all the results of the modules used for processing evidence, expand the Evidence
Processor Modules node in the Tree pane of the Records tab and browse through the various
items. Use the Fields tab in the lower pane to view the most information.
• To view smartphone data, open the evidence file in either the Records or Evidence tab. The
report view is the best way to view all smartphone information.

Check for Evidence when Loading a Case


When you load a case, EnCase checks for the existence of evidence and displays a status in Evidence
view.

Finding the Location of an Evidence Item


When working with search results, the Go to File button helps you find the original location of an item
of processed data. This is useful for Module results or registry keys that need to be seen in context to
be useful.

In the table pane, select the item you want to research and click Go To File. The view changes to
display the device where the entry is located. If an attachment of an email is selected, you are taken
into the email file, with the email message that contains the attachment selected.
If an item resides in a top level device, the file structure may not display any change when the Go To
File button is clicked because there are no additional levels to go up.

Viewing Related Items


For processed evidence you can find items related by name, time, and hash value. When looking for
related items by time, you can select a duration.
1. From the Evidence or Records tab, select the item you want to research and then click Find
Related.

2. Select whether you want to find related by name or by time.


• An appropriate dialog displays depending on what you select.
• If you are finding related information by name, a search dialog displays with index, tag,
and keyword options. See Creating a Search Query.
3. Click Save & Run to run the query. When done, the results display in the Results tab, under
the name of the query.

Browsing Images
The Gallery view of the Evidence or Records tabs provides a quick and easy way to view images. This
view is best used when viewing your evidence in a tree-table.
Images in the Gallery view are sorted by extension by default.
You can access all images within a highlighted folder, highlighted volume, or the entire case. If a
folder is highlighted in the Tree pane, all files in the folder display in the Table pane. Clicking a
folder's Set Include selects all files in that folder and files in any of its subfolders. Once selected on the
Table pane, any images in the selected files display in the Gallery view.
• To reduce the number of images displayed in a row in the Gallery view, right click any image,
then click Fewer Columns.
• To increase the number of images displayed per row in the Gallery view, right click any
image, then click More Columns.
• You can bookmark images in the Gallery view by right clicking on the image and selecting the
type of bookmark to assign to it.
• You can view ownership permissions for an image by selecting the image and clicking on the
Permissions tab in the lower pane.
By default, the Gallery view displays files based on their file extension. For example, if a .jpg file has
been renamed to .dll, it will not be displayed in the Gallery view until you run a Signature Analysis.
Once the signature analysis recognizes the file was renamed and that the file is actually an image, it
displays in the Gallery view.
EnCase includes built-in crash protection, which prevents corrupted graphic images from displaying
in the Gallery view. The timeout defaults to 12 seconds for the thread trying to read a corrupt image
file. You can modify the timeout on the Global tab of the Options dialog.
The corrupt images are stored in a CorruptPictures folder in the Case folder so they are recognized as
corrupt the next time they are accessed.
If the cache gets full you can clear it out by selecting the arrow dropdown menu in the Evidence view
and selecting Clear invalid image cache.
When viewing images in the Gallery tab, click on a thumbnail image to see its location in the
navigation trail at the bottom of the screen. To go to the location of the image, select the thumbnail and
click Go to file.
To tag or bookmark the image, select the thumbnail and tag or bookmark as required.

Viewing Evidence
Guidance Software recommends using processed data for rapid searching and viewing of data within
your case. However, there are many ways to view, filter, and find unprocessed data.

Creating Custom File Types


You can add your own custom file types to use with file viewers and to perform file signature analysis.
From the File Types tab, you can add, delete, and disable file types.
• You may delete a custom file type by selecting it in the File Types tab and clicking Delete.
• Default and shared file types cannot be deleted.
• Checking Disable causes that file type to be ignored.

To add a new file type:


1. Select File Types from the View menu. The File Types tab displays.
2. Click New. The New File Type dialog displays.

• Description is the file type to associate with the file viewer.


• Unique Tag is a unique four-character identifier that must be defined for each file type.
• Extensions is a list of file types to associate with the file viewer.
• Category is the category for the type of file you are creating.
• Select a Default Length to determine the end of the file.
− This is used to determine the length of the file when no footer has been specified for
the file type.
− If this is not set, a default length of 4096 bytes is used to determine the end of the
file.
− Longer lengths are recommended for pictures and ZIP files.
• The Viewer area contains options selecting the type of viewer to use:
− Click EnCase to associate the built-in EnCase viewer with the file type you define.
− Click Windows to associate Windows with the file type you define.
− Click Installed Viewer to associate an installed viewer with a file type. Use the
installed viewers tree to select the specific viewer.
− The Installed viewers tree lists the file viewers currently known to EnCase.
3. Use the Header and Footer tabs to define the header and footer code that defines this file type.
• The header code is the definitive identifier of the type of file, and is used when comparing
against the file extension in a signature analysis.
• The footer code is used to identify the end of the file.
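How the header, extensions, footer and Default Length of a file type combine in a signature analysis, and why a .jpg renamed to .dll stays out of the Gallery view until that analysis runs (see Browsing Images), can be shown with a small table-driven checker. The following Python example is added here and is not EnCase code: the file type table, the sample file contents and the result labels (Match, Alias, Bad signature, Unknown) are this example's own, chosen to mirror the outcomes the text describes rather than EnCase's internal definitions.

```python
"""File signature analysis against a custom file type table: the header
bytes settle what a file is, the extension is checked against that type, and
the footer (or the type's Default Length) settles where the file ends.
Added example with constructed sample files; the type table and the result
labels are this example's own, not EnCase's internal definitions."""
from dataclasses import dataclass
from typing import Tuple

DEFAULT_LENGTH = 4096     # used when a type sets no length and no footer is found


@dataclass(frozen=True)
class FileType:
    description: str
    extensions: Tuple[str, ...]
    header: bytes
    footer: bytes = b""
    default_length: int = DEFAULT_LENGTH


# Constructed table.  The magic numbers are the real ones for these formats;
# the default lengths are illustrative.
FILE_TYPES = [
    FileType("JPEG Image", ("jpg", "jpeg"), b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
    FileType("PNG Image", ("png",), b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
    FileType("ZIP Archive", ("zip",), b"PK\x03\x04"),          # no footer, default length
    FileType("Windows Executable", ("exe", "dll"), b"MZ"),
]


def type_by_header(data):
    """Longest matching header wins, so a specific signature beats a short one."""
    best = None
    for ft in FILE_TYPES:
        if data.startswith(ft.header) and (best is None or len(ft.header) > len(best.header)):
            best = ft
    return best


def type_by_extension(ext):
    return next((ft for ft in FILE_TYPES if ext in ft.extensions), None)


def analyze(name, data):
    """Classify one entry.  Labels are this example's own:
    Match         - header and extension agree;
    Alias         - the header identifies a type but the extension is not one
                    of its own (the renamed .jpg-as-.dll case);
    Bad signature - the extension is known but the header does not match it;
    Unknown       - neither header nor extension is in the table."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    by_header = type_by_header(data)
    if by_header is not None:
        if ext in by_header.extensions:
            return "Match", by_header.description
        return "Alias", by_header.description
    by_ext = type_by_extension(ext)
    if by_ext is not None:
        return "Bad signature", by_ext.description
    return "Unknown", None


def carve_length(ft, data):
    """Where the file ends: just after the footer if one is defined and found
    after the header, otherwise the type's Default Length, capped at the data
    available."""
    if ft.footer:
        pos = data.find(ft.footer, len(ft.header))
        if pos != -1:
            return pos + len(ft.footer)
    return min(ft.default_length, len(data))


# Constructed sample content: a JPEG with 20 bytes of slack after its footer,
# and a ZIP local header followed by 5000 bytes of payload.
JPEG_BLOB = b"\xff\xd8\xff\xe0" + bytes(100) + b"\xff\xd9" + bytes(20)
ZIP_BLOB = b"PK\x03\x04" + bytes(5000)

if __name__ == "__main__":
    for fname, blob in [("photo.jpg", JPEG_BLOB), ("photo.dll", JPEG_BLOB),
                        ("photo.jpg", bytes(16)), ("data.bin", bytes(16))]:
        print(fname, analyze(fname, blob))
    print(carve_length(FILE_TYPES[0], JPEG_BLOB), carve_length(FILE_TYPES[2], ZIP_BLOB))
```

The JPEG content is identified as a JPEG whatever the file is called; only the extension check changes from Match to Alias when it carries a .dll name. With a footer defined, the JPEG's length is measured to the footer and the slack is excluded, while the ZIP type, having no footer, is cut at the 4096-byte default, which is why the text recommends longer default lengths for pictures and ZIP files.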

Viewing Multiple Evidence Files Simultaneously


1. Add the required evidence to your case.
2. View all your evidence as a list in the Evidence tab.
3. Select the evidence you want to expand and view as a group.

4. Click Open. The selected evidence displays in the Evidence tab.


Viewing Processed Evidence


Processing evidence automatically indexes and performs a file signature analysis on the data. It opens
up compressed or compound files, including ZIP and mail archives.
The easiest way to process evidence is to run it through the Evidence Processor.
Once evidence has been processed, it can be opened up and viewed in ways that are not possible
before the parsing and expanding processes are performed.

Viewing Compound Files


Compound files are compressed files or files with an embedded structure, such as ZIP files, PST email
files, and so on. For all the data in a compound file to be seen, it needs to be run through the Evidence
Processor and made into an L01 file. Compound files that have been deconstructed and parsed are called
"mounted" files.
To see the file structure of a compound file (manually mount), click that file and select View File
Structure. You can also run the file through the Evidence Processor. That process creates an evidence
file you can click to open or view in the Records tab.
The following can be expanded and viewed after processing:
• Registry files
• OLE files
• Compressed files
• Lotus Notes files
• MS Exchange files
• Exchange Server Synchronization
• Outlook Express email
• Microsoft Outlook email
• Macintosh .pax files
• Windows thumbs.db files
• America Online .art files
• Office 2007 docs
• ZIP and RAR archive files

Repairing and Recovering Inconsistent EDB Database Files


The Microsoft Exchange Server stores email messages in an EDB file on a server. A corresponding log
file named E##.log is used to store data prior to committing it to the EDB file. When the log file
contains data that has not been committed to the EDB file, the EDB file is considered to be in an
inconsistent or "dirty" state. EnCase is unable to parse inconsistent EDB files.
When an EDB file is dirty, there are several tests that can be run on it to determine whether the files
are merely out of sync, or are in fact corrupt and unusable. Before running these tests, acquire the EDB
database, including the entire bin and mdbdata folders. Make sure all codepages are installed on your
computer.
To recover or repair a database:


The mdbdata folder contains the public and private databases and the transactional logs which are
most important when cleaning a database. The BIN folder contains eseutil.exe.
1. Run eseutil.exe from Windows > Start > Run.
2. Use the eseutil.exe command line tool to check the consistency of the state field as follows:
• [file location]\eseutil /mh [filepath]priv1.edb
• [file location]\eseutil /mh [filepath]pub1.edb
3. If the EDB file is in an inconsistent state, first try to recover, as follows:
• “C:\Exchange\BIN\Eseutil.exe” /r E##.
− /l<path> - location of log files
− /s<path> - location of system files
− /i<path> - ignore mismatched/missing database attachments
− /d<path> - location of database files
− /o - suppress logo
• Note that the three-character log file base name represents the first log file.
• Files are sequentially named, with E##.log being the first log file.
• Click Yes to run the repair.
4. Run a check (step 2) on the resulting EDB file. If the file is still in an inconsistent state, attempt
to repair the EDB file. This may result in the loss of some data currently in the .log files. Run
the repair as follows:
• "C:\Exchange\BIN\Eseutil.exe" /p <database name> [options]
− /s <file> - set streaming file name
− /i - bypass the database and streaming file mismatch error
− /o - suppress logo
− /createstm - create empty streaming file if missing
− /g - run integrity check before repairing
− /t <database> - set temporary database name
− /f <name> - set prefix to use for name of report files
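A small helper, added here as an example and not part of EnCase or Exchange, that reads the State: line of an eseutil /mh dump and picks the next step in the order given above: recover first, and repair only if recovery leaves the file dirty. The header text is constructed to resemble eseutil output, and the log base name E00 is an assumed value.

```python
"""Decide the next eseutil step from the header dump, following the order in the
steps above: check state, soft recovery (/r) first, repair (/p) only if still dirty.

Added example for this guide, not part of EnCase or Exchange. The header text is
constructed to resemble `eseutil /mh <database>` output so it runs offline.
"""
import re

# Constructed sample of the lines that matter from `eseutil /mh priv1.edb`
SAMPLE_DIRTY_HEADER = """\
Initiating FILE DUMP mode...
        Database: priv1.edb

        File Type: Database
              State: Dirty Shutdown
       Log Required: 12-15 (0xc-0xf)
"""

SAMPLE_CLEAN_HEADER = """\
Initiating FILE DUMP mode...
        Database: pub1.edb

        File Type: Database
              State: Clean Shutdown
       Log Required: 0-0 (0x0-0x0)
"""


def database_name(header_text):
    """File name reported on the 'Database:' line, or None."""
    m = re.search(r"^\s*Database:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def database_state(header_text):
    """'clean', 'dirty' or 'unknown' from the 'State:' line."""
    m = re.search(r"^\s*State:\s*(.+?)\s*$", header_text, re.MULTILINE)
    if not m:
        return "unknown"
    state = m.group(1).lower()
    if "clean" in state:
        return "clean"
    if "dirty" in state:
        return "dirty"
    return "unknown"


def required_logs(header_text):
    """(first, last) log generation the database needs replayed, or None."""
    m = re.search(r"Log Required:\s*(\d+)-(\d+)", header_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def next_step(header_text, log_base="E00", recovery_attempted=False):
    """Recommend the next command line for the examiner.

    log_base is the three-character log file base name (E## in the guide; E00 is
    an assumed value). Soft recovery (/r) replays the logs and loses nothing;
    repair (/p) can discard data still only in the logs, so it is suggested only
    after /r has been tried and the file is still dirty.
    """
    state = database_state(header_text)
    db = database_name(header_text) or "<database>"
    if state == "clean":
        return "parse"                      # EnCase can parse the file as-is
    if state == "dirty" and not recovery_attempted:
        logs = required_logs(header_text)
        note = " (needs log generations %d-%d present)" % logs if logs else ""
        return "eseutil /r %s%s" % (log_base, note)
    if state == "dirty":
        return "eseutil /p %s" % db
    return "inspect header manually"
```

Run eseutil only against the working copy of the mdbdata folder, so the acquired original stays unchanged for the record.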

To parse an inconsistent EDB file:


1. Run eseutil.exe from Windows > Start > Run.
2. EnCase checks the header of the database for its state.
3. Select the file and open View File Structure from the Entries dropdown.
4. The View File Structure dialog displays. If the EDB file is dirty, the dialog includes a Scan
Dirty Database option:

Note: If the EDB file is not dirty, the only available option is Calculate unallocated space.
5. To parse the dirty EDB file, check Scan Dirty Database, then click OK.

Viewing Email
You can open .PST and other types of mail storage files and view the individual emails within. View
the higher order of email folder structure on the Evidence tab. Once the email is processed, you can
double click on the storage file to drill down to the individual mail messages.
The default view for Email is the Tree view. This shows the report in full screen, in as close to native
format as possible. Empty fields do not display in the report view. The Fields tab shows all available
metadata about the email and its collection, including the Transport Msg ID.
Use the Search Results tab and Find Email to view data across multiple repositories. You may also
want to view all your indexed evidence and then show only items with an item type of Email. You can
further drill down by finding subsets of sender, date range, etc.
EnCase allows you to track email threads and view related messages. Before you can analyze email
threading, you must have already run the Evidence Processor against your case evidence with the
Find email option selected. To avoid displaying the same message multiple times, EnCase removes
duplicate messages in both the Show Conversation and Show Related email views.

To view an email message:


1. In the Records tab, double click the .PST file whose emails you want to search. The archive
displays in a new expanded tab.
2. Select an email to view it in the View pane.

Viewing Attachments
In the tree view, email attachments are shown as children under the parent email.
EnCase allows you to view attachments on email messages that you select.
To view the content of an attachment:
1. In the Evidence tab, select the message with the attachment that you want to view.
2. Click the Doc button in the View pane. The contents of the message attachment are displayed.

Show Conversation
Email threading is based on conversation-thread related information found in the email message
headers. EnCase uses email header metadata (including message ID and in-reply-to headers) to
reconstruct email conversation threads. Email conversation thread reconstruction is done during
processing, so conversations are not available on data that has not been processed.
Different email systems use different methods of identifying conversations; for example:
• The header fields Message-ID, Reply-To-ID, and References.
• The header field Conversation Index.
• The header field Thread-Index.
• Multiple mechanisms, because the messages of interest cross email system boundaries. In these
cases, EnCase builds a separate conversation tree for each type of data found in the header (for
example, one using Message-ID/References and another using Conversation Indexes) and displays
the conversation tree containing the most email.
EnCase can display conversations for all supported email types except AOL, because AOL messages
do not store thread-related information. However, the feature cannot always reconstruct complete
conversations when the conversations include messages from multiple email systems. For example,
EnCase cannot fully recreate a conversation where some users are using Outlook, some are using
Lotus Notes, and others Thunderbird.

If an email does not have any of the message header fields specified above, EnCase cannot construct a
conversation thread for it. Selecting such an email and clicking Show Conversation results in a tree
containing only the selected email.
Before you can analyze email threading, you must have already run the Evidence Processor against
your case evidence with the Find email option selected.
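The header mechanism described above, worked through in code as an added example that is not EnCase code: a conversation tree is rebuilt from Message-ID, In-Reply-To and References headers, duplicate copies of a message are collapsed, and a message without thread headers yields a tree of just itself. The messages are constructed, and the parent rule (In-Reply-To first, else the last References entry) is this example's assumption.

```python
"""Rebuild a conversation tree from Message-ID / In-Reply-To / References headers,
the header mechanism the section above describes for Show Conversation.

Added example for this guide, not EnCase code. The messages are constructed; the
parent rule (In-Reply-To first, else the last References entry) is this example's
choice, not a statement of how EnCase weighs the headers.
"""
import re
from collections import defaultdict

# Constructed sample: one four-message thread (a1 -> b2 -> c3, a1 -> d4), a second copy
# of b2 found in another mailbox, and an unrelated message with no thread headers.
MESSAGES = [
    {"id": "<a1@example.com>", "in_reply_to": None, "references": "", "subject": "Q3 budget"},
    {"id": "<b2@example.com>", "in_reply_to": "<a1@example.com>", "references": "<a1@example.com>", "subject": "Re: Q3 budget"},
    {"id": "<b2@example.com>", "in_reply_to": "<a1@example.com>", "references": "<a1@example.com>", "subject": "Re: Q3 budget"},
    {"id": "<c3@example.com>", "in_reply_to": "<b2@example.com>", "references": "<a1@example.com> <b2@example.com>", "subject": "Re: Q3 budget"},
    {"id": "<d4@example.com>", "in_reply_to": None, "references": "<a1@example.com>", "subject": "Re: Q3 budget"},
    {"id": "<z9@example.com>", "in_reply_to": None, "references": "", "subject": "lunch?"},
]


def parent_id(msg):
    """In-Reply-To names the parent; failing that, the last Message-ID in References."""
    if msg.get("in_reply_to"):
        return msg["in_reply_to"]
    refs = re.findall(r"<[^>]+>", msg.get("references") or "")
    return refs[-1] if refs else None


def dedupe(messages):
    """Keep one copy per Message-ID (first seen), as the conversation views do by default."""
    seen, unique = set(), []
    for m in messages:
        if m["id"] not in seen:
            seen.add(m["id"])
            unique.append(m)
    return unique


def root_of(msg_id, by_id):
    """Climb parent links until a message whose parent is missing or unknown."""
    visited = set()
    while msg_id in by_id and msg_id not in visited:
        visited.add(msg_id)
        parent = parent_id(by_id[msg_id])
        if parent is None or parent not in by_id:
            break
        msg_id = parent
    return msg_id


def conversation(selected_id, messages):
    """Tree containing selected_id as nested (id, [children]) tuples. A message with
    none of the thread headers, or whose parents are absent, yields just itself."""
    unique = dedupe(messages)
    by_id = {m["id"]: m for m in unique}
    children = defaultdict(list)
    for m in unique:
        children[parent_id(m)].append(m["id"])
    root = root_of(selected_id, by_id)

    def subtree(mid, path):
        kids = [c for c in children.get(mid, []) if c not in path]  # guard against header loops
        return (mid, [subtree(c, path | {c}) for c in kids])

    return subtree(root, {root})


def count(tree):
    """Number of messages in a conversation tree."""
    return 1 + sum(count(child) for child in tree[1])
```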
To show an email conversation:
1. In the Evidence tab select an email or email store in the Table pane.
2. From the Find Related menu, select Show Conversation.
The picture below shows a conversation list for a selected email. Note how the email messages
contained within the conversation list are identified by their conversation index ID.

Displaying Related Messages


All email messages with identical subject lines are considered related and displayed together. Viewing
related messages can sometimes produce more comprehensive results than browsing through
conversation threads.
EnCase can show related emails for all supported email types. Since Show Related only looks at the
subject line of a message, the emails displayed may not all be related, depending upon the uniqueness
of the subject line.
To show related messages:
1. In the Evidence tab select an email or email store in the Table pane.

2. From the Find Related menu, select Show Related Messages.

Showing Duplicate Email Messages in a Conversation


By default, when you view an email conversation, EnCase hides any duplicate email messages in that
conversation. To show all duplicates in a conversation, click Show Duplicates in the Show
Conversation or Show Related view toolbar. Duplicate email messages appear with red alerts that
indicate their status.

Exporting to *.msg
The Export to .msg option for mail files and mail file attachments lets you preserve the folder
structure from the parsed volume down to the entry or entries selected. This option is available for the
highlighted entry or for the selected items.
1. In the Tree pane, select the email message(s) you want to export.
2. Right click and select Export to *.msg. The Export Email dialog displays.

• Export Single exports only the selected message.


• Export All Checked exports all files checked.
• Preserve Folder Structure saves selected email folder structure information.
• Output Path captures the location of the export data file. The default is ...My
Documents\EnCase\Cases\[Case name]\Export.
3. Click OK. View the folder structure in the Export folder. Double click a message to view it in
read only format.
CHAPTER 7

Sweep Enterprise
In This Chapter
• Overview
• Starting Sweep Enterprise
• Adding and Deleting Nodes in the Target List
• Sweep Enterprise Options
• Sweep Enterprise Dialog: Status and Analysis Browser
• Post Collection Analysis



Overview
Sweep Enterprise provides a way to look quickly across the enterprise and examine forensic artifacts,
which you can parse and view to identify machines you want to investigate further.
Sweep Enterprise runs these modules:
• System Info Parser
• Snapshot
• File Processor

Starting Sweep Enterprise


1. Start EnCase. Make sure you are connected to a SAFE and choose a role.
2. Open a case.
3. In the EnScript dropdown menu, click Sweep Enterprise.

4. The Sweep Enterprise | Target Node Selection dialog opens.



Adding and Deleting Nodes in the Target List


Adding Nodes
You can add nodes to the target list in two ways:
• Click the checkbox for the node you want to add, then click the right arrow. The selected
node(s) display in the target list.
• Enter the nodes manually or cut and paste them, then click the right arrow.

Deleting Nodes
To delete nodes from the target list:
1. Select the nodes you want to delete.

2. Click Delete Selected.

Sweep Enterprise Options


There are two Sweep Enterprise run options:
• Quick Sweep View (Recommended)
• Customize Job Settings
By default, Quick Sweep View runs the System Info Parser and Snapshot modules. Customize Job
Settings allows you to choose the modules you want to run.
Note: Due to the increased resources required to parse Linux log files, the System Info Parser module is enabled only for
Windows.

Running the Quick Sweep View Option


1. In the target list, click the checkboxes for the nodes you want to sweep. To select or clear all
nodes in the list, click Selected.

2. In Sweep Enterprise Run Options, click Quick Sweep View (Recommended), then click Next.

3. The Confirmation Page displays, showing the target node list and module selections.

Note: The System Info Parser and Snapshot modules are the defaults for Quick Sweep View. To run the
File Processor module, use Customize Job Settings.
4. Click Finish. The word "Processing" displays in the lower right corner of the screen to indicate
Sweep Enterprise is running.

Running the Customize Job Settings Option


1. In the target list, click the checkboxes for the nodes you want to sweep. To select or clear all
nodes in the list, click Selected.

2. In Sweep Enterprise Run Options, click Customize Job Settings, then click Next.

3. The Module Settings dialog opens, displaying available modules in the left pane, information
about the currently selected module in the right pane, and additional information in the lower
pane.

The System Info Parser and Snapshot modules are selected by default.

Notes:

• A snapshot of each target is generated for all collection jobs; therefore, you cannot clear
the checkbox for the Snapshot module.
• The File Processor module is not selected by default because it has a significantly higher
run time than the other modules.
4. Click a module's name to display options for running that module. Select or clear options as
desired, then click OK.

a. System Info Parser module: This module identifies hardware, software, and user
information from Windows computers. It automatically detects the operating system
present on the device, then collects the specified artifacts.

b. Snapshot module: This module collects a snapshot of a machine at a given time, including:
• ARP
• DNS entries
• Program instances
• Network interface
• Network users
• Open files
• Open ports
• Processes
• Machine name
• Domain name
• IP address
• System version
• Time zone

c. File Processor module: This is a multipurpose module that enables you to select from
three types of file processing, then choose how you want to handle the final results. You
can also choose to gather the collected files into a LEF. Click Next to display the options
dialog for the processing type you select.

5. When you finish selecting modules and their associated options, click Next.

6. The Confirmation Page displays, showing the target node list and module selections. In the
example below, the only module selected is Snapshot.

7. Click Finish. The word "Processing" displays in the lower right corner of the screen to indicate
Sweep Enterprise is running.

Sweep Enterprise Dialog: Status and Analysis Browser


When processing begins, the Sweep Enterprise dialog displays. It contains two tabs:
• Status
• Analysis Browser

Status Tab
The Status tab only shows information and displays these columns:
• Machine Name
• Module Name: System Info Parser, Snapshot, or File Processor
• Collected: Number of items collected for a particular module

• Collection Status

Analysis Browser Tab


Use the Analysis Browser tab to drill down into the data collected by Sweep Enterprise and see details
that could be of interest for further investigation. You can also use the Analysis Browser to build
reports.

The Views include information on the following:


• Accounts and Users
• Hardware
• Legacy Snapshot Views
• Network
• Operating System
• Removable Media
• Shared and Mapped Devices
• Software
• User Activity
• Snapshot
• Targets Collected
• Target Files Collected
• Target Volumes
• Targets Failed
• File Processor
• File Processor
Click the arrow next to a folder to expand it and see more detailed views.

The Available Views list (shown above) displays views that returned data during the sweep. Click
Unavailable Views to see views that did not return any data.

The available and unavailable views lists update if there are changes. Click Refresh to see any
updates.

The numbers at the bottom of the Analysis Browser tab indicate the number of pages of information.
The current page number displays in red.

For each item in the expanded view, there is a help topic. Click About to view it. This example shows
the help topic for Domain Name Services:

To sort a column in the Analysis Browser, double click the column heading.

Target Constraint
Target Constraint allows you to limit the views to only selected targets in a sweep.
1. Click Target Constraint to open the dialog.

2. Select the checkboxes for the targets you want, or enter them manually, then click OK. The
results will be limited to the targets you specified.

Expand Data View


Click Expand Data View to resize the right pane and display more information.
Normal view:

Expanded view:

Adding a Constraint to Analysis Data


The Constraint button allows you to limit the results displayed based on the contents of a cell in a
column. For example, in the Users - Comprehensive view, suppose you want to see only
administrators in the User column:
1. In the Available Views list, click Users - Comprehensive, then click the Constraint button.

2. The Constraint dialog displays. From the Column dropdown menu, click User. In the Data
text box, enter Administrator.

3. Click OK. The results list now shows only administrators in the User column.

Reports
Reports show analysis results organized in tables. Specify the tables you want, then use Report Builder
to create the report.

Assembling and Building a Report


1. From the Available Views list in the left pane, check the items you want to include, then click
Add to Report.

2. The Tables Added dialog displays, indicating the items you checked will be added to the
tables available for building the report.

3. Click OK. All tables in the right pane are checked by default. Clear any checkboxes for tables
you do not want to include in the report, then click Add Selected to Report.

4. The Set Table Title dialog displays.

5. Accept the default table title or enter your own title, then click OK.
Note: You can create your own title for any table in the report. In the right pane, click the checkbox
for the table you want and follow steps 4 and 5 above.

6. Click Report Builder.

7. The Customize Report dialog displays.



8. Select the tables you want to include, then click View Report. The Analysis Report Preview
dialog displays.

Saving a Report
1. Right click anywhere in the report preview, then click Save As in the dropdown menu.

2. The Save As dialog displays. Select the output format you want, enter or browse to a path,
then click OK.

Post Collection Analysis


You can use Case Analyzer or Evidence Processor to analyze data collected by Sweep Enterprise.

Case Analyzer
Use the Case Analyzer EnScript to analyze collected data at the case level.
1. Open the case you want to analyze.
2. In the EnScript dropdown menu, click Case Analyzer.

3. The Sweep Enterprise Case or Job Analysis Selector displays.



Analyzing Sweep Enterprise Case Data


1. To analyze selected data in the case, click Analyze Sweep Enterprise Case Data, then click
OK.
2. The Data Browser dialog displays. It functions in the same way as the Analysis Browser tab.
For more information, see Analysis Browser Tab on page 147.

Analyzing Sweep Enterprise Jobs Data


1. To analyze data in a collection job, click Analyze Sweep Enterprise Jobs Data. The jobs
available for analysis display.

2. Select the job you want to analyze, then click OK.



3. The Data Browser dialog displays. It functions in the same way as the Analysis Browser tab.
For more information, see Analysis Browser Tab on page 147.

Evidence Processor
You can also use the EnCase Evidence Processor to analyze data collected by Sweep Enterprise. For
details, see Processing Evidence on page 69.
CHAPTER 8

Searching Through Evidence
In This Chapter
• Overview
• Searching Indexed Data
• Finding Tagged Items
• Searching Through Raw Data
• Retrieving Keyword Search Results
• Combining Search Criteria from Multiple Tabs
• Analyzing Individual Search Results
• Viewing Saved Search Results
• Finding Data Using Signature Analysis
• Running File Signature Analysis against Selected Files
• Exporting Data for Additional Analysis
• Exporting Search Results for Review



Overview
You can perform simple or complex search queries using the Search tab. You can open the Search tab
from either the Home page menu of the case or from the View menu.
There are three principal methods of searching through evidence in EnCase:

Index Searches
Index searching allows you to rapidly search for terms in a generated index, and is the recommended
type of search in EnCase. Index searching looks through a list of words identified when processing the
data on a device. Querying an evidence file's index locates terms much more quickly than using non-
indexed queries.
When generating an index, the content of the file is extracted using Outside In technology and built-in
text extraction. The text is broken into words which are then added, along with the metadata of the
file, to the index. Unlike raw keyword searches, indexing is done against the transcript content of the
file so that text contained in files can be properly identified.
Indexes are generated using the Evidence Processor. Generating an index creates index files associated
with devices.
• See Searching Indexed Data on page 163 for information about creating and running index
searches.
• See Search Operators on page 165 for a full list of search syntax options.

Tag Searches
EnCase also provides the capability to search for items that have been flagged with user-defined tags.
Using tags you can search through collected evidence for all items that include one or many tags.
• See Finding Tagged Items on page 169 for information about creating and running tag
searches.

Keyword Searches through Raw Data


You can query the results of a previously executed keyword search. Keyword searches are created
either from within the Evidence Processor or by performing a raw search on your case data. Keyword
searching searches the raw binary form of a file; it does not search the metadata of the file.
• See Retrieving Keyword Search Results on page 171 to view the results of a previously
executed keyword search.
• See Adding a New Keyword (in "Creating a New Keyword List" on page 85) to learn how to
add a new keyword from the Evidence Processor or when performing a raw search.
• See Creating a New Keyword List on page 85 to learn how to add a new keyword list.

Combining Different Types of Searches


You can combine the results of the three types of searches.
• See Viewing a Description of Active Search Criteria for information about how to view or
print a description of all current search criteria.
• See Combining Search Results from Multiple Tabs (in "Combining Search Criteria from
Multiple Tabs" on page 171) to create a cumulative list of search results.

Viewing and Saving Search Results


Any set of search results can be saved and viewed later.
• See Viewing Saved Search Results on page 173 for details.

Searching Remote Devices


Hashing and non-indexed searches can be performed on remote devices.
In order to maximize performance, the following types of files can be searched and hashed remotely:
• Uncompressed, unencrypted and/or non-resident files.
• NTFS compressed files.
• EFS encrypted files.
• Resident files.
Encrypted files (other than EFS) cannot be searched and hashed remotely.

Searching Indexed Data


Searching through indexed data is the quickest way to find a specific sub-set of evidence items.
1. In the Search tab, open the Index sub-tab.

2. Using the tools provided in the Index tab, construct your search query in the index text box.
• Entering a term in the text box instantly shows all variations of the occurrence of that term
in the indexed data in the table below.
• Clicking a hyperlinked term shows all the occurrences of that term in the right table pane.

• The button bar provides a variety of tools for constructing your search query. You may
have to expand the left pane to see all the buttons.

− Field opens a dropdown from which you can target a specific data field for your
search. After adding the field name, type the value that you wish to find in the
index text box.
− Patterns displays a dropdown menu of numerical patterns. Click the desired
pattern to embed the corresponding search term.
− Stem displays a list of possible stemming alternatives to the currently selected term.
You can delete stem alternatives from the list, and you can select from a variety of
languages.
− Case Sensitive embeds a code that causes the following term to be either case
sensitive <c> or case insensitive <c->. By default the terms are case insensitive.
− Logic inserts a Boolean AND or OR into the search query. Clicking the logic button
changes the operator. Highlight an existing AND or OR to switch the operator.
− Expand opens the highlighted term, when applicable, and displays it in its own
window.
− The Copy, Cut, and Paste buttons enable you to move and copy text in the search
term easily.
− Find enables you to find search expressions within the search term.
− Click Test to check the validity of the term as it is currently constructed. If there is
an error, a popup displays.
− A complete list of search syntax options can be found in Search Operators on page
165.
• The down arrow to the right of the button bar opens to provide two more options for
viewing the search query:
− Print opens a print dialog for printing the query or exporting it to PDF.
− Line Numbers adds line numbers to the index text box.
• Ctrl-Enter adds a line to the index text box.
3. To run the search query in the index text box, position your cursor in the text box and click
Enter, or click the green Run button.

Search Operators
By default, EnCase searches for items containing all the terms in the search query. For instance, the
search query George Washington searches for all items that contain both the term George and the term
Washington.
• You can search for documents containing either term by using the OR operator: George OR
Washington.
• You can use the AND operator for clarity: George AND Washington.
However, the latter term produces exactly the same results as the original search term.

Proximity
To search for two terms within a specified number of words from each other, use the w/ operator:
• George w/3 Washington
• Abraham w/5 Lincoln

One word before another


You can also search for documents where the first term precedes the second by no more than a
specified number of words:
• George pre/3 Washington
• Abraham pre/3 Lincoln

Keywords apart from each other


To search for documents where the terms are not within a certain number of words of each other, use
the nw/ or the npre/ operators:
• George nw/3 Washington
• Abraham npre/3 Lincoln

Exact phrases
You can search for exact phrases using quotation marks (“”), which is the same as using the pre/1
operator:
• "George Washington" is the same as George pre/1 Washington
Searching for two words in quotes causes both words individually to be highlighted as search hits, as
well as the original phrase.

Near the front or end of the document


You can use the reserved words firstword and lastword with the proximity operators to refer to the
beginning or end of the document. For example,
• George w/3 firstword
finds documents where George is one of the first three words in the document, and
• Washington nw/20 lastword
finds documents where Washington is not any of the last twenty words in the document.

With two variables


Use parentheses to group multiple words within a search term. For example, in the following search
term:
• Bill w/5 (Clinton or Gates)
the index marks as responsive all items containing the word Bill within five words of either Clinton or
Gates.

With multiple variables


You can also construct a complex proximity search that includes Boolean operators on both sides. For
example, in the following search expression:
• (Bill and William) w/5 (Clinton and Gates)
the index marks as responsive all items containing both the words Bill and William within five words
of both Clinton and Gates.

Grouping Search Queries Together


You can group search queries together using parentheses to form logical expressions. How you use
parentheses indicates to the search engine the order in which it should look for the search terms. For
instance:
• (George and Washington) or (Abraham and Lincoln)
finds all items with either both the terms George and Washington or both the terms Abraham and
Lincoln.
You can nest parenthetical expressions; for example:
• (George and (Washington or Bush))
finds all items that contain the term George and either the terms Washington or Bush.
Alternatively,
• ((George and Washington) or Bush)
finds all items that contain the terms George and Washington, or Bush.
You can use parentheses to join proximity queries (pre/, w/) to Boolean logic queries (AND, OR). For
example,
• Delaware and (George pre/3 Washington)
finds all items that contain the term Delaware and that also contain the term George no more than
three words before Washington.
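The proximity operators and grouped forms from the sections above, evaluated over a tokenized document as an added example (not EnCase code). It assumes w/N means the occurrences are at most N words apart, pre/N that the first precedes the second by at most N words, firstword and lastword are virtual positions just outside the document, and nw/ and npre/ require the left term to be present with no pair satisfying the positive relation.

```python
"""Evaluate the proximity operators above (w/, pre/, nw/, npre/, firstword, lastword)
and the grouped forms such as  Bill w/5 (Clinton or Gates)  over a tokenized document.

Added example for this guide, not EnCase code. Assumptions made here: w/N means the two
occurrences are at most N words apart, pre/N that the first precedes the second by at
most N words, firstword and lastword are virtual positions just outside the document,
and nw/ and npre/ require the left term to be present while no pair satisfies the
positive relation.
"""
import re


def tokenize(text):
    """Lower-cased words; punctuation other than apostrophes separates words."""
    return re.findall(r"[a-z0-9']+", text.lower())


def positions(tokens, term):
    """Word positions of term; firstword/lastword sit just outside the document."""
    if term == "firstword":
        return [-1]              # just before word 0, so w/3 reaches words 0..2
    if term == "lastword":
        return [len(tokens)]     # just after the last word
    return [i for i, t in enumerate(tokens) if t == term.lower()]


def within(tokens, a, b, n):
    """a w/n b"""
    return any(abs(pa - pb) <= n
               for pa in positions(tokens, a) for pb in positions(tokens, b))


def precedes(tokens, a, b, n):
    """a pre/n b: a comes first, at most n words before b (pre/1 is the exact phrase)."""
    return any(0 < pb - pa <= n
               for pa in positions(tokens, a) for pb in positions(tokens, b))


def not_within(tokens, a, b, n):
    """a nw/n b (assumed semantics: a present, no occurrence within n words of b)."""
    return bool(positions(tokens, a)) and not within(tokens, a, b, n)


def not_precedes(tokens, a, b, n):
    """a npre/n b (assumed semantics, as for nw/)."""
    return bool(positions(tokens, a)) and not precedes(tokens, a, b, n)


OPERATORS = {"w": within, "pre": precedes, "nw": not_within, "npre": not_precedes}


def proximity(tokens, left, op, n, right):
    """Evaluate  LEFT op/n RIGHT  where each side is ('and' | 'or', [terms]):
    an 'or' group is satisfied by any of its terms, an 'and' group by every term,
    so (Bill and William) w/5 (Clinton and Gates) needs all four pairings."""
    relation = OPERATORS[op]
    left_q = all if left[0] == "and" else any
    right_q = all if right[0] == "and" else any
    return left_q(right_q(relation(tokens, a, b, n) for b in right[1]) for a in left[1])
```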

Searching for Terms in Document or Email Fields


By default, EnCase searches for terms in every indexed text field of the document or email. You can
restrict the fields that you search using the bracket ([ ]) field specifier. For instance, to search only for
terms in the subject line, use:
• [Subject]George
You can use parentheses to group terms together within a field:
• [Subject](George Washington)
• [Subject](George pre/2 Washington)

You can use aliases to group together a section of fields:


• [Address] searches the [To], [From], [CC] and [BCC] fields
• [Date] searches the [Accessed], [Created], [Modified], [Written], [Sent] and [Received] fields
Common fields for all items are:
• [Name]: the file name including its extension, as in name.ext (the file will not be found unless the
search term includes the extension)
• [Extension]: the file extension
• [Category]: the category of the file, such as Picture

Searching for Date Fields or Date Properties


You can search for items by date or date range using field syntax. Dates are entered in ISO 8601 syntax
between # marks, and can be general, such as:
• [Created]#2004#
Or very specific:
• [Created]#2004-11-19T11:54:03#
You can also search for date ranges using an ellipsis (...):
• [Created]#2004-02-03...2004-02-17#
The above term searches for any item with a creation date between Feb. 03, 2004 and Feb. 17, 2004. You
can search for items before or after a particular date by leaving off one end of the range:
• [Created]#2004-02-03...#
• [Created]#...2004-02-17#
File date fields are:
• Accessed
• Created
• Modified
• Written
Email date fields are:
• Sent
• Received
• Created

Searching for Numeric Properties


You can search for items by number range using field syntax. Numbers are entered between # marks
and can be specific, such as:
• [Logical Size]#1034#
Or a range, using ellipses, such as:
• [Logical Size]#1000...3000#
The above term searches for any item with a size between 1000 bytes and 3000 bytes. You can search
for numbers above or below a particular point by leaving one end of the range off:
• [Logical Size]#...3000#
• [Logical Size]#1000...#
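The date and numeric range syntax from the two sections above, parsed and applied to constructed items as an added example (not EnCase code), covering single values, closed and open-ended ranges, and the [Date] alias. How a general date such as #2004# is widened to the whole year is this example's own rule.

```python
"""Parse and apply the '[Field]#value#' date and numeric range syntax described in the
two sections above, including open-ended ranges and the [Date] alias.

Added example for this guide, not EnCase code. The items are constructed; how a
general date such as #2004# is widened to the whole year is this example's rule.
"""
import re

RANGE_TERM = re.compile(r"^\[(?P<field>[^\]]+)\]#(?P<body>[^#]*)#$")
DATE_FIELDS = ("Accessed", "Created", "Modified", "Written", "Sent", "Received")

# Constructed sample items with ISO 8601 dates and sizes in bytes
ITEMS = [
    {"Name": "budget.xls", "Created": "2004-02-10T09:15:00", "Logical Size": 2048},
    {"Name": "memo.doc", "Created": "2004-11-19T11:54:03", "Logical Size": 1034},
    {"Name": "photo.jpg", "Created": "2005-03-01T08:00:00",
     "Sent": "2004-02-16T18:30:00", "Logical Size": 512000},
]


def parse_range_term(term):
    """'[F]#v#' -> (F, v, v); '[F]#lo...hi#' -> (F, lo, hi); an omitted end is None."""
    m = RANGE_TERM.match(term.strip())
    if not m:
        raise ValueError("not a field range term: %r" % term)
    body = m.group("body")
    if "..." in body:
        lo, hi = (part or None for part in body.split("...", 1))
        if lo is None and hi is None:
            raise ValueError("a range needs at least one bound")
    else:
        lo = hi = body
    return m.group("field"), lo, hi


def date_in_range(value, lo, hi):
    """ISO 8601 strings order correctly as text. The lower bound is a plain comparison;
    the upper bound also accepts any value that starts with it, so #2004# or
    #...2004-02-17# take in the whole year or day rather than only its first instant."""
    if lo is not None and value < lo:
        return False
    if hi is not None and not (value.startswith(hi) or value <= hi):
        return False
    return True


def number_in_range(value, lo, hi):
    """Inclusive numeric comparison against the bounds given as strings."""
    if lo is not None and value < int(lo):
        return False
    if hi is not None and value > int(hi):
        return False
    return True


def item_matches(item, term):
    """Does one item satisfy one field range term? [Date] expands to every date field."""
    field, lo, hi = parse_range_term(term)
    fields = DATE_FIELDS if field == "Date" else (field,)
    for f in fields:
        if f not in item:
            continue
        if f in DATE_FIELDS:
            if date_in_range(item[f], lo, hi):
                return True
        elif number_in_range(item[f], lo, hi):
            return True
    return False


def search(items, term):
    """Names of the items responsive to one field range term."""
    return [i["Name"] for i in items if item_matches(i, term)]
```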

Searching for Case Sensitive Terms


By default, all index queries are case-insensitive. You can make queries case-sensitive by using the <c>
operator:
• <c>George
• <c>(George and Washington)
You can specify case-sensitive queries for fields:
• <c>[subject](George pre/3 Washington)

Using Wildcards to Search for Patterns


You can search for incomplete words or word prefixes using the ? and * operators.
Wildcard for single characters
The ? operator stands as a placeholder for any single characters. For instance,
• c?t
results in hits for documents containing cat, cot, and cut, but not caught.
Wildcard for multiple characters
The * operator stands as a placeholder for any number of characters. For instance,
• ind*
results in hits for documents containing indecisive, indignant, and Indiana.
Multiple wildcards
A term may contain multiple wildcards (either * or ?), but may not contain wildcards at both the
beginning and end of the term. For instance,
• ind*ia*a
• c?t?
• *fi?y
are valid terms. However,
• *india*
• ?cat?
• *fish?
are not valid terms.
Using wildcards with punctuation
The wildcards ? and * only work for the following punctuation types:
• Dash (-)
• Underscore (_)
• Period (.)
• Comma (,)
• At symbol (@)
• Apostrophe (')
Note: Punctuation characters will not be found using wildcards if they are at the beginning or end of
words.
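The wildcard rules above as a validator and matcher, added here as an example that is not EnCase code: it rejects terms with wildcards at both ends, lets ? and * stand for letters, digits and only the listed punctuation, and refuses a hit where a wildcard would cover punctuation at the beginning or end of a word. The word list is constructed.

```python
"""Check and apply the wildcard rules above: ? for one character, * for any number,
no wildcards at both ends of a term, and the short list of punctuation a wildcard may
match, never at the beginning or end of a word.

Added example for this guide, not EnCase code; the word list is constructed.
"""
import re

WILDCARD_PUNCT = "-_.,@'"   # the only punctuation a wildcard can stand for


def validate_wildcard_term(term):
    """None if the term is a valid wildcard term, otherwise the reason it is not."""
    if not term or not any(c in "?*" for c in term):
        return "term contains no wildcard"
    if term[0] in "?*" and term[-1] in "?*":
        return "wildcards at both the beginning and the end of the term"
    return None


def wildcard_regex(term):
    """Compile a valid term: ? -> one allowed character, * -> any run of them.
    Index terms are case-insensitive by default, so the pattern is too."""
    reason = validate_wildcard_term(term)
    if reason:
        raise ValueError(reason)
    one = "[A-Za-z0-9" + re.escape(WILDCARD_PUNCT) + "]"
    parts = [one if ch == "?" else one + "*" if ch == "*" else re.escape(ch)
             for ch in term]
    return re.compile("".join(parts), re.IGNORECASE)


def word_matches(term, word):
    """Does an indexed word match the term? A wildcard may cover the listed punctuation
    only inside the word: a leading or trailing wildcard must not land on punctuation."""
    if not word or not wildcard_regex(term).fullmatch(word):
        return False
    if term[0] in "?*" and word[0] in WILDCARD_PUNCT:
        return False
    if term[-1] in "?*" and word[-1] in WILDCARD_PUNCT:
        return False
    return True


def search_words(term, words):
    """Words from an index word list that the term would hit."""
    return [w for w in words if word_matches(term, w)]
```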

Using Stemming Lists to Search for Similar Words


You can use the stemming operator ~ to search for similar terms. By default, the stemming operator
replaces your term with all terms similar to it in the English language. For instance,
• swim~
results in hits for documents containing swim, swim's, swimming, swam, swum, etc. Stemming uses
the language packs on the server to find terms similar to your original term.
When you test your term, a stemming list is added to the term. Stemming lists are contained within
the <> characters and clearly display the stems for the keyword. For instance, the default stemming list
for swim is:
• <s:swim swim's swims swims' swimming swam swum swim>
You can override the default stemming behavior by modifying the stemming list. For instance,
• <s:swim swam swum>
would result in hits for documents containing swam and swum, but not swimming, swim's, etc. You
can incorporate stemming into any location you could use the OR operator. For instance,
• run~ and [Created]#2002#
• <s:run ran running runner>
results in hits for documents that were created in 2002 and contain at least one of run, ran, running, or
runner.

Finding Tagged Items


Finding tagged data enables you to quickly review items that have been flagged for special attention.
Clicking in the tag column in the table pane automatically adds or removes a tag from that item.
1. In the Search tab, open the Tags sub-tab.

2. Click on a tag directly to display all items with that tag in the table pane.
3. Select multiple tags and click Run to see items containing any of the selected tags.

Searching Through Raw Data


Although index searching is the recommended type of search, there may be times when you want to
perform a search across the raw contents of a device. In those cases, you can perform a keyword search
on your non-indexed case data. Keyword searching only searches the raw binary form of a file, so
some content may not be discovered if it is compressed or otherwise hidden.
To create a new raw keyword search within a case:
1. In the Evidence tab, select the device(s) you wish to search.
Note: You can also create a new raw keyword search for specifically selected items by going to the
Entry > Raw Search Selected menu.
2. Click Raw Search All.
3. Select an existing search or click New Raw Search All to create a new search. The New Raw
Search All Entries dialog displays.

• Use the path box at the top of the dialog to specify the name and location for the search.
• Select Search entry slack to include file slack in the keyword search.
• Select Skip contents for known files to only search the slack areas of known files
identified by a hash library.
• Select Undelete entries before searching to undelete deleted files before they are searched
for keywords.
• Use initialized size enables you to search a file as the operating system displays it, rather
than searching its full logical size.
− In NTFS file systems, applications are allowed to reserve disk space for future
operations. The application sets the logical size of the file larger than currently
necessary, to allow for expected future expansion, while setting the Initialized Size
smaller so that it only needs to parse a smaller amount of data. This enables the file
to be loaded faster.

− If a file has an initialized size that is less than the logical size, the OS shows the data
area between the initialized size and logical size as zeros. In actuality, this area of
the file may contain remnants of previous files, similar to file slack. By default,
EnCase displays, searches and exports the area past the initialized size as it appears
on the disk, not as the OS displays it. This enables you to find file remnants in this
area.
− Select Initialized Size to see a file as its application sees it and the OS displays it.
− Note that when a file is hashed within EnCase, the initialized size is used. This
means that the entire logical file is hashed, but the area past the initialized size is set
to zeros. Since this is how a normal application sees the file, this enables users to
verify file hashes with another utility that reads the file via the OS.
• Add Keyword List opens a dialog in which to enter a list of words and assign certain
properties to them as a group. See Creating a New Keyword List on page 85.
• Split Mode enables you to configure the layout of the dialog.
• New opens the New Keyword dialog where you can add a new keyword. See Adding a
New Keyword on page 84.
• Double clicking a keyword, or clicking Edit, opens up the keyword so you can modify its
properties.
• Highlight a keyword and click Delete to remove it from the list.
4. When done, click OK to save the search.
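The difference between the two views of an NTFS file, as an added Python illustration (not EnCase code): a constructed on-disk buffer whose initialized size is smaller than its logical size, searched raw and as the OS presents it, and hashed the way the note above describes.

```python
import hashlib
import re

# Constructed sample for this illustration: the on-disk bytes of an NTFS file
# whose logical size is 64 bytes but whose initialized size is only 20. The
# bytes past the initialized size are remnants of an earlier file, much like
# file slack.
LOGICAL_SIZE = 64
INITIALIZED_SIZE = 20

def build_on_disk_bytes():
    """Return the logical file exactly as it sits on disk."""
    live = b"current document v2\n"              # the 20 bytes the application wrote
    assert len(live) == INITIALIZED_SIZE
    remnant = b"old note: passphrase=hunter2 "   # constructed leftover data
    return (live + remnant).ljust(LOGICAL_SIZE, b"\x00")

def os_view(on_disk, initialized_size):
    """What the OS (and therefore any normal application) returns when reading
    the file: the data up to the initialized size, then zeros to the logical size."""
    return on_disk[:initialized_size] + b"\x00" * (len(on_disk) - initialized_size)

def keyword_hits(data, keyword):
    """Offsets at which a raw keyword occurs in a byte buffer."""
    return [m.start() for m in re.finditer(re.escape(keyword), data)]

def raw_search(on_disk, keyword, use_initialized_size, initialized_size=INITIALIZED_SIZE):
    """Raw keyword search with or without the Use initialized size option.
    Without it, the search runs over the bytes as they sit on disk and can
    find remnants past the initialized size."""
    target = os_view(on_disk, initialized_size) if use_initialized_size else on_disk
    return keyword_hits(target, keyword)

def md5_as_os_reads_it(on_disk, initialized_size=INITIALIZED_SIZE):
    """Hash the way the note above describes: the whole logical file, with the
    area past the initialized size treated as zeros, so the value agrees with a
    utility that reads the file through the OS."""
    return hashlib.md5(os_view(on_disk, initialized_size)).hexdigest()
```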

Retrieving Keyword Search Results


You can retrieve previously executed keyword search results from the Search tab.
1. In the Search tab, open the Keyword sub-tab.
2. A list of keywords displays. This can be used with the Evidence Processor or when performing
a search through raw data.

3. Click a keyword hyperlink to see all responsive items for that keyword in the table pane.
4. Select multiple keywords and click the Run button to see a combination of all search results.

Combining Search Criteria from Multiple Tabs


Search for data using any combination of index searching, tags, and keywords. All tabs with active
criteria display with a red triangle.
1. Click the Run All button with the red triangle.

2. The search results display in the table pane.


3. To see a description of all active search criteria click the Summary tab.

• Use the Percent or Zoom buttons to make the text in the text box larger or smaller.
• To print or create a PDF of the summary, click the down arrow on the right and select
Print.

Analyzing Individual Search Results


Use the viewing options at the bottom of the Search or Results tab to see information about a single
search result in a variety of ways.

• Use the Review tab to see a compressed list of metadata, keyword, and index search hits.
− This tab combines information found on the Fields, Transcript, and Text tabs,
showing fields and individual lines containing search hits.
− Click on the linked Search Hits line number to view the search hit on that line in
context.
− Use the Next/Previous Item buttons to click through each item in the list.
• Content hits are also highlighted in the Transcript, Text, and Hex tabs while metadata hits
are highlighted in the Fields tab.
− Click Compressed View on the Transcript, Text, and Hex tabs to see only the lines
containing highlighted search hits.
− Use the Next/Previous Hit buttons to click through each hit in the file. If there are
no more hits in the file, the next item opens and the first hit is found.
• For more information about the viewing options, see Viewing Content in the View Pane
on page 100.

Viewing Saved Search Results


1. Collect a set of search results and click Save Results.

2. The Save Results dialog displays.

3. Enter the name for your search and click OK.


4. From the View menu, select Results. The Results tab displays.

5. Select a saved search in the left pane. The results of that search display in the right table pane.
Click individual items to see more information in the lower viewing tabs.

Finding Data Using Signature Analysis


Signature analysis compares file headers with file extensions in order to verify file type. For
standardized file types, a signature, or recognizable file header, is always associated with a specific file
type extension.
File extensions are the characters following the dot in a file name (for example, signature.doc). They
often indicate the file's data type. For example, a .txt extension denotes a text file, while .doc indicates a
document file.
The file headers of each unique file type contain identifying information called a signature. For
example, .BMP graphic files have BM8 as a signature.
A technique often used to hide data is to attempt to disguise the true nature of the file by renaming it
and changing its extension. Because a .jpg image file assigned a .dll extension is not usually recognized
as a picture, comparing a file’s signature with its extension identifies files that were deliberately
changed. For example, a file with a .dll extension and a .jpg signature should pique an investigator's
interest.
The software performs the signature analysis function in the background on all processed evidence.
Information about the results of a file signature analysis is shown in Evidence tables, in the Signature
Analysis column:
• Match indicates that the file header, the extension, and the File Signature table all match.
• Alias means the header is in the File Signature table but the file extension is incorrect, for
example, a JPG file with a .ttf extension. This indicates a file with a renamed extension. The
name in the Legend column below (next to the asterisk) displays the type of file identified by
the file signature. An alias is preceded by an asterisk, such as *AOL ART.
• Unknown means neither the header nor the file extension is in the File Signature table.
• !Bad Signature means the file's extension has a header signature listed in the File Signature
table, but the file header found in the case does not match the File Signature table for that
extension.
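The four classifications above, as an added Python example that is not part of the original guide: a small File Signature table and a few file headers are constructed for the illustration, so the table entries and sample files are assumptions, not EnCase's own table.

```python
# Constructed File Signature table for this example (not EnCase's own table):
# type name, the header bytes a file of that type begins with, and the
# extensions that type is allowed to carry.
FILE_SIGNATURE_TABLE = [
    ("JPEG Image",         b"\xff\xd8\xff",        {"jpg", "jpeg"}),
    ("PNG Image",          b"\x89PNG\r\n\x1a\n",   {"png"}),
    ("Windows Executable", b"MZ",                  {"exe", "dll"}),
    ("TrueType Font",      b"\x00\x01\x00\x00",    {"ttf"}),
    ("PDF Document",       b"%PDF-",               {"pdf"}),
]

def extension_of(filename):
    """Characters after the last dot, lower-cased; empty if there is no dot."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""

def signature_analysis(filename, header):
    """Classify a file the way the Signature Analysis column does.
    Returns (result, legend): legend names the type identified by the header
    and is prefixed with an asterisk for an alias."""
    ext = extension_of(filename)
    # The header decides first: a known header is either a Match or an Alias.
    for type_name, magic, exts in FILE_SIGNATURE_TABLE:
        if header.startswith(magic):
            if ext in exts:
                return ("Match", type_name)
            return ("Alias", "*" + type_name)      # header known, extension renamed
    # No known header: a known extension whose header does not match is a bad signature.
    known_extensions = {e for _, _, exts in FILE_SIGNATURE_TABLE for e in exts}
    if ext in known_extensions:
        return ("!Bad Signature", "")
    return ("Unknown", "")

def analyze_entries(entries):
    """Run signature analysis over a mapping of filename -> first bytes of the file."""
    return {name: signature_analysis(name, head) for name, head in entries.items()}

# Constructed sample entries; only the first bytes of each file are needed.
SAMPLE_ENTRIES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "holiday.ttf": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # JPEG renamed to look like a font
    "helper.dll":  b"\xff\xd8\xff\xe1\x12\x34Exif",   # JPEG signature behind a .dll extension
    "readme.txt":  b"plain text, no signature",       # neither header nor extension in the table
    "report.pdf":  b"\x00\x00\x00\x00garbage",        # known extension, header does not match
}
```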

Adding and Modifying File Signature Associations


All file signatures are associated with file types in the File Type table.
Occasionally a file signature may not be in the table. Use this procedure to add a new one. Before you
do this, you need to know the file signature search expression (not necessarily the same as the three
letter file extension).

To add a new file signature and file type:


1. From the View menu, select File Types. The File Type table displays.

2. Double click a file type. The Edit File Type dialog displays.

• Create a descriptive name for the new file type.


• Enter one or more three letter extensions for the file type, on separate lines.

3. Click the Header tab to display the file signature information:

• Enter the file signature in the Search Expression field.


• Select GREP if the expression uses GREP variables to locate the file signature.
• Select Case Sensitive if case sensitivity is desired.
4. Click OK. The new file type and its associated file signature are added to the table.

To change an existing file signature:


1. From the View menu, select File Types. The File Type table displays.
2. Double click a file type. The Edit File Type dialog displays.
3. Click the Header tab to display the file signature information:

4. Change the Search Expression and other options as desired, then click OK.
Note: If you modify a built-in File Type, it is marked as User Defined. EnCase does not overwrite User
Defined File Types, even when a new version of EnCase is installed.

Running File Signature Analysis against Selected Files


You can run file signature analysis on a previewed device without first acquiring the device using
Evidence Processor.
1. On the Evidence tab, drill into the device where you want to run file signature analysis.
2. Blue check the specific files you want to run signature analysis on.
3. Right click Entries. In the dropdown menu, click Hash\Sig Selected.

4. The Hash\Sig Selected dialog opens.

5. You can run both hash and file signature analysis. To run only file signature analysis, clear the
MD5 and SHA1 checkboxes.
6. Click OK.
Note: After running file signature analysis, you need to manually refresh the device. Return to Evidence view and drill into
the device again.

Exporting Data for Additional Analysis


You can copy files in their native format from EnCase to other media or folders for sharing or further
analysis. This feature can also recover and restore deleted files on a byte-for-byte basis.
You can copy both files and folders. Copying folders preserves their internal structure.

To copy files:
1. From the Evidence tab, click the Entries dropdown menu and select Copy Files. The Copy
Files dialog displays:

• Select Highlighted File to copy the highlighted file.


• Select All selected files to copy the currently selected files in the table.
• Separate Files outputs each file to its own file.
• Merge into one file merges the output of all selected files into one file.
• Replace first character of FAT deleted files with determines which character is used to
replace the first character in the filename of deleted files in the FAT file system. Deleted
files on a FAT volume have a hex \xE5 character at the beginning of their filename. The
underscore ( _ ) character is used by default to replace this character.
2. Click Next. The Options dialog displays.

• Copy Files contains settings that determine the content of the evidence file to be copied.
− Logical File Only performs the copy function on the logical file only, not including
the file slack.
− Entire Physical File performs the copy function on the entire physical file,
including the logical file and file slack.
− RAM and Disk Slack performs the copy function on both the RAM and disk slack.
− RAM Slack Only performs the copy function on the RAM slack only.

• The Character Mask settings determine what characters are written into the file or files
created by the copy function.
− Select None if you do not want any characters masked or omitted from the
filenames of the resulting files.
− Select Do not Write Non-ASCII Characters to mask or omit non-ASCII characters
from the filenames of the resulting files. All characters except non-ASCII characters
are retained.
− Select Replace NON-ASCII Characters with DOT to replace non-ASCII characters
with periods in the filenames of the resulting files.
• Checking Show Errors causes the application to notify you when errors occur. This
prevents the unattended execution of the Copy Files operation.
3. Click Next. The Destination dialog displays.

• Copy displays the number of files to be copied, and the total number of bytes of the file or
files created.
• Path shows the path and filename of the file or files to be created. (Default is My
Documents\EnCase\[case name]\Export.)
• Split files above contains the maximum length, not exceeding 2000MB, of any file created
by the Copy Files function. When the total number of bytes in an output file exceeds this
value, the additional output continues in a new file.
• Use Initialized Size determines whether to use the initialized size of an entry, rather than
the default logical size or the physical size. This setting is only enabled for NTFS file
systems. When an NTFS file is written, the initialized size can be smaller than the logical
size, in which case the space after the initialized size is zeroed out.
4. Click Finish. The Copy Files operation executes. The resulting files are saved in the directory
specified in the Destination dialog.

To copy folders:
1. Select the folder or folders to copy.
2. From the Evidence tab, click the Entries dropdown menu and select Copy Folders. The Copy
Folders dialog displays:

Select the desired options:

• Source displays the folder to copy.


• Copy displays the number of files to copy, and the total number of bytes in the file or files
created.
• Path shows the path and filename of the file or files to be created. (Default is My
Documents\EnCase\[case name]\Export.)
• Replace first character of FAT deleted files with determines which character is used to
replace the first character in the filename of deleted files in the FAT file system.
• Split files above contains the maximum length, not exceeding 2000 MB, of any file created
by Copy Folders. When the total number of bytes in an output file exceeds this value, the
additional output is continued in a new file.
• Copy only selected files inside each folder copies individual files selected within a folder
or folders.
• Checking Show Errors causes the application to notify you when errors occur. This
prevents the unattended execution of the copy operation.
3. Click Finish. The Copy Folder operation executes.

Exporting Search Results for Review


You can consolidate search results into a review package that can be reviewed by external parties.
Review packages can be a combination of email or file results from indexed or raw keyword searches;
you can also create review packages from bookmarks. The review package is a self-contained
application viewable in a web browser, so it can be opened and worked with without EnCase.
Reviewers can use existing tags or make customized tags for flagging items of interest in the review
package. When the information is imported back into EnCase, using a generated .EnReview file, you
can then see the tags that were added by the reviewer.
All file types can be packaged for review. Raw and indexed searches cull through the content and
metadata of pictures, email, and office documents. Metadata information is culled for other file types.

The process for creating, reviewing, and returning a review package follows this work flow:
• The EnCase examiner searches and compiles a results list that is exported into a review
package.
• The reviewer receives and opens the review package.
• The reviewer browses through and analyzes the contents of the review package. Existing tags
can be used or the reviewer can create customized tags.
• The reviewer exports the tagged review package and sends the exported file back to the
EnCase examiner. The export package contains only the GUIDs of the items, so it can be emailed
back as a small file without revealing any case information.
• The EnCase examiner imports the analyzed review package and views the tagged items
within EnCase.

Creating a Review Package


After you have performed a search, you can package up a set of results for external review. Both email
records and files can be reviewed.
To create a review package:
1. From any item view, select Review Package > Export from the toolbar.

• Only Checked Rows exports the selected rows in the search list. If a range of rows is
selected, only checked rows within that range are exported. When cleared, all rows are
exported.
• Show Folders exports items along with any relevant folder structure. When selected, all
items are exported. When cleared, only items in the current table view are exported.
• Select the fields you want to export in the Fields list.
• By default, all tags are automatically exported for use by the reviewer. Clear the
checkboxes on the left for any tags you do not want to export.
• The Export Tag checkbox determines whether to export the tagging information already
entered on any of the items. When cleared, any tagging choices you have made are
omitted from the review package. When checked, your tagging selections remain intact.
• Enter or browse to the name and path for the export files.
2. Click OK. A status bar displays the export process. When the export process is completed, the
review package window opens to allow the examiner to confirm the contents.

Analyzing and Tagging a Review Package


Review Packages are created much like web pages. They have an .hta extension and can be opened
by Windows as a native .html application.
The review application displays two panes. The pane on top displays the items exported from EnCase.
The pane on the bottom displays specific information about the currently selected item.
1. To open an .hta review package, double click on the .hta file. The EnCase Document
Review window displays.

2. Scroll through the items on top and use the bottom pane to review their content.
3. Click on the area of the tag column beneath the desired tag to tag or untag an item.
• You can expand the tagging column to see the names of the tags.
• You can tag each item with as many tags as desired. Newly added item tags are identified
with a plus icon.
• Click on an existing item tag to delete it. A minus icon displays where the item tag used to
be.
• Item tags added by the original examiner are included in the review package. Item tags
specified by the original examiner can be removed.
• When reviewing bookmarks, each bookmark displays on a separate row so separate tags
can be applied to individual bookmarks. These bookmarks are aggregated within the item
when reviewed in EnCase.

4. To create a customized tag, click Create Tag in the menu bar. The Create Tag dialog displays.

• Enter the name for the tag in the Name text box.
• If you want to display a shorter name, enter that in the Display text box.
• Click OK to create the tag and close the dialog.
5. To delete one or more tags, click Delete Tags in the menu bar. The Delete Tag dialog displays.

• Check the tag(s) you want to delete.


• Click OK to delete the tags and close the dialog.
6. Tags can always be reverted to their last saved state. The last saved state is the state the tags
were in when they were originally imported, or the state they were in the last time the review
package was exported with the Commit Changes checkbox checked.

To revert to the last saved tagging choices, click Revert in the menu bar. The Revert dialog
displays.

• Check each tag you want restored to its last saved state.
• Click OK to revert the tags and close the dialog.

Exporting a Review Package


You can create an .EnReview file from a review package that can be sent to an EnCase examiner to
import. When generating an .EnReview file, only the GUID and tag information of the items are
captured so there is no case information included in the file. The export file is small enough to be sent
through email. Only changes from the last saved state are stored in the export file.
1. To export a review package for import into EnCase, click Export in the menu bar. The Export
dialog displays.

• When checked, Commit Changes saves the current set of tags.


− Committing changes updates the review package's last saved state.
− The last saved state is then used as a baseline for future modifications.
• Enter the path for the review package to be saved.
2. Click OK. The review package is exported and saved as an .EnReview file in the desired
location.
3. Send the .EnReview file to the EnCase examiner for import back into EnCase.

Importing a Review Package


1. To import reviewed data, select Review > Export from the toolbar. The Import dialog displays.

2. Enter the path where the .EnReview file is stored and click Next. A list of Tags added to the
review package displays.

• Only tags that had changes since the last saved change are displayed in the list.
• Uncheck any tags you do not wish to import.
• Item tags that were present when the review package was exported, and then
subsequently removed by the reviewer, are removed in the examiner's case when the
returned review package is imported.
• If multiple reviewers are analyzing the same review package, the same rules apply to each
.EnReview file.
− If an item tag was present when the review package was exported, and one
reviewer removed it while another reviewer left it in, then the tag is removed in the
examiner's case when the returned review packages are imported.
− The order in which the review packages are imported does not make a difference.
3. Click Finish when done. The tag changes in the review package are incorporated into EnCase.
Note: Tags that were applied to separate bookmarks within a particular item are aggregated. Therefore,
each item in EnCase displays all tags that have been applied to all its bookmarks.
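The .EnReview round trip and the multi-reviewer merge rules above, as an added Python model that is not EnCase code; the item GUIDs and tag names are constructed placeholders.

```python
# Tag state is modelled as {item GUID: set of tag names}. GUIDs and tag names
# below are constructed placeholders for this illustration.

def export_enreview(last_saved, current):
    """Reviewer side. Only changes from the last saved state are written, keyed
    by item GUID, so the file carries no case content and stays small."""
    changes = {}
    for guid in sorted(set(last_saved) | set(current)):
        before = last_saved.get(guid, set())
        after = current.get(guid, set())
        added, removed = after - before, before - after
        if added or removed:
            changes[guid] = {"added": sorted(added), "removed": sorted(removed)}
    return changes

def changed_tags(enreview_files):
    """Tag names that had changes: the list the Import dialog offers to tick."""
    names = set()
    for changes in enreview_files:
        for change in changes.values():
            names.update(change["added"])
            names.update(change["removed"])
    return sorted(names)

def import_enreviews(case_tags, enreview_files, tags_to_import=None):
    """Examiner side. Applies one or more returned files: additions are unioned,
    a removal by any reviewer removes the tag, and the result is the same
    whatever order the files are processed in. tags_to_import restricts the
    import to the tags the examiner left checked (None means all)."""
    result = {guid: set(tags) for guid, tags in case_tags.items()}
    added, removed = {}, {}
    for changes in enreview_files:
        for guid, change in changes.items():
            added.setdefault(guid, set()).update(change["added"])
            removed.setdefault(guid, set()).update(change["removed"])
    for guid in set(added) | set(removed):
        tags = result.setdefault(guid, set())
        for tag in added.get(guid, set()):
            if tags_to_import is None or tag in tags_to_import:
                tags.add(tag)
        for tag in removed.get(guid, set()):   # a removal by any reviewer wins
            if tags_to_import is None or tag in tags_to_import:
                tags.discard(tag)
    return result

# Constructed scenario: the examiner exported two items, one already tagged.
EXAMINER_CASE = {"guid-item-1": {"Relevant"}, "guid-item-2": set()}

def sample_round_trip(order):
    """Two reviewers work from the same package; order picks who is imported first.
    Reviewer A removes Relevant from item 1 and adds Privileged to item 2;
    reviewer B leaves Relevant in place and adds Hot to item 1."""
    reviewer_a = export_enreview(EXAMINER_CASE,
                                 {"guid-item-1": set(), "guid-item-2": {"Privileged"}})
    reviewer_b = export_enreview(EXAMINER_CASE,
                                 {"guid-item-1": {"Relevant", "Hot"}, "guid-item-2": set()})
    files = [reviewer_a, reviewer_b] if order == "a-first" else [reviewer_b, reviewer_a]
    return import_enreviews(EXAMINER_CASE, files)
```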
CHAPTER 9

Hashing Evidence
In This Chapter
• Overview
• Hashing Features
• Working with Hash Libraries



Overview
Analyzing a large set of files by identifying and matching the unique hash value of each file is an
important part of the computer forensics process. Using the hash library feature of EnCase, you can
import or custom build a library of hash sets, allowing you to identify file matches in the examined
evidence.
A hash function is a way of creating a digital fingerprint from data. The function substitutes or
transposes data to create a hash value. Hash analysis compares case file hash values with known,
stored hash values.
The hash value is commonly represented as binary data written in hexadecimal notation. If a hash
value is calculated for a piece of data, and one bit of that data changes, a hash function with strong
mixing property will produce a completely different hash value.
Hashing creates a digital fingerprint of a file. A fundamental property of all hash functions is that if
two hashes (calculated using the same algorithm) are different, then the two inputs are different in
some way. On the other hand, matching hash values strongly suggests the equality of the two inputs.
Computer forensics analysts often create different hash sets of known illicit images, hacker tools, or
non-compliant software to quickly isolate known "bad" files in evidence. Hash sets can also be created
to identify files whose contents are known to be of no interest, such as operating system files and
commonly used applications. Hash sets are distributed and shared among users and agencies in
multiple formats. These formats include NSRL, EnCase hash sets, Bit9, and others.
Until recently, the hash set standard to identify a file was the MD5 hash calculation. Large hash
distribution sets, such as the NSRL set, are now distributed using the SHA-1 hash calculation. EnCase
will offer continued support for MD5 hash sets, from old versions of EnCase and other products, as
well as the new SHA-1 hash format sets.
EnCase uses an extensible format for hash sets that allows:
• Storing metadata along with the hash value in field form.
• Support of MD5, SHA-1, and additional hash formats within the same file structure.
• Storing tags associated with items in the hash set.

Hashing Features
EnCase hashing features include the following:
• A versatile user interface for hash library management that allows:
• Creation of hash sets and libraries
• Importing and exporting hash sets
• Querying hash sets
• Viewing hash sets or individual hash items
• Hash libraries can contain multiple hash sets, and each set can be enabled or disabled.
• You can create as many hash libraries or hash sets as needed.
• If a hash belongs to multiple hash sets in a library, every match will be reported.
• Each case can use a maximum of two different hash libraries at the same time.
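An added Python model (not EnCase code) of the hash library behaviour listed above: sets with a category, tags and metadata, MD5 and SHA-1 stored together, every matching set reported, disabled sets skipped, and a primary plus secondary library per case. The file contents, set names and metadata values are constructed placeholders.

```python
import hashlib

def file_hashes(data):
    """MD5 and SHA-1 of a file's contents, hex encoded. Both are kept because
    legacy sets are MD5 while NSRL-style sets are SHA-1."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def flip_bit(data, bit_index):
    """Copy of data with one bit flipped, to show that the hash changes completely."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

class HashSet:
    """Hash values sharing a single category (e.g. Known, Notable), any number
    of tags, and the metadata fields stored alongside each value."""
    def __init__(self, name, category, tags=(), enabled=True):
        self.name = name
        self.category = category
        self.tags = set(tags)
        self.enabled = enabled
        self.items = {}   # hash value -> metadata fields

    def add(self, data, **fields):
        # Store the metadata under both algorithms so a query by either finds it.
        for value in file_hashes(data).values():
            self.items[value] = dict(fields)

class HashLibrary:
    """A library holds many hash sets; each set can be enabled or disabled."""
    def __init__(self, name):
        self.name = name
        self.sets = {}

    def new_set(self, name, category, tags=()):
        self.sets[name] = HashSet(name, category, tags)
        return self.sets[name]

    def query(self, hash_value):
        """Every enabled set containing the value is reported with its metadata."""
        value = hash_value.lower()
        return [{"library": self.name, "set": hs.name, "category": hs.category,
                 "tags": sorted(hs.tags), "metadata": hs.items[value]}
                for hs in self.sets.values() if hs.enabled and value in hs.items]

def hash_analysis(case_files, primary, secondary=None):
    """Hash each case file and look it up in the primary and optional secondary
    library, mirroring the two-library limit per case. Returns name -> matches."""
    results = {}
    for name, data in case_files.items():
        matches = []
        for lib in (primary, secondary):
            if lib is not None:
                matches.extend(lib.query(file_hashes(data)["md5"]))
        results[name] = matches
    return results

# Constructed stand-ins for file contents (not real system files or tools).
OS_FILE = b"constructed stand-in for an operating system file\n"
TOOL_FILE = b"constructed stand-in for a password cracking tool\n"
USER_DOC = b"constructed user document of unknown provenance\n"

def build_sample_libraries():
    """A local (primary) and a shared (secondary) library with constructed sets."""
    primary = HashLibrary("Local Library")
    known = primary.new_set("Windows System Files", "Known", tags=["os", "ignore"])
    known.add(OS_FILE, name="sysfile.dll", path="\\Windows\\System32")
    notable = primary.new_set("Hacker Tools", "Notable", tags=["credential-theft"])
    notable.add(TOOL_FILE, name="cracker.exe")
    secondary = HashLibrary("Shared Library")
    shared = secondary.new_set("Agency Notable Tools", "Notable")
    shared.add(TOOL_FILE, name="cracker.exe", source="agency feed")
    disabled = secondary.new_set("Disabled Set", "Known")
    disabled.add(USER_DOC, name="memo.doc")
    disabled.enabled = False   # a disabled set is never reported
    return primary, secondary
```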
Hashing Evidence 189

Working with Hash Libraries


A hash library is a folder containing a database-like structure in which EnCase stores hash sets. To
work with hash libraries, click Tools > Manage Hash Library on the Application toolbar. The
following dialog displays:

From the Manage Hash Library dialog you can manage any existing hash libraries or create a new one.
You use its toolbar to:
• Create a new hash library or edit an existing library.
• Create new hash sets within a library or edit an existing hash set within a library.
• Import and export hash sets from one library to another.
• Query a hash library for a particular value.

Creating a Hash Library


To create a hash library, perform the steps described below:
1. Click Tools > Manage Hash Library.
2. On the Manage Hash Library page toolbar, click New Hash Library.
3. Browse for a folder to hold the hash library. If you use an existing folder, it must be empty
(otherwise, the contents of the folder will be deleted).
4. Provide a name for the hash library (for example, Windows 7 Files, Company Secrets, or Hash
Library #1) and select OK.
5. The path and name of your Hash Library now appear in the Hash Library Path field.
6. If you wish to import hash sets from another library, select Import Hash Sets from the toolbar.
You can then browse to a library and select individual sets to import. If you wish to create new
hash sets for this library, proceed to the next section.

Creating a Hash Set


Hash sets are collections of hash values (representing unique files) usually belonging to a common
group. For example, a hash set of all Windows operating system files could be created and named
Windows System Files. When a hash analysis is run on an evidence file, the software identifies all files
included in that hash set. Those logical files can then be excluded from later searches and
examinations. This speeds up keyword searches and other analytic functions.
Hash sets, once created, can be added to on a case by case basis. Adding new files as time goes by
saves time and effort in subsequent investigations.

Hash sets (which contain the individual hash entries) are located within hash libraries. There are two
steps to creating a hash set. The first step is to create an empty hash set within a library, and the
second is to add information to it. To create a hash set, perform the steps described below:
1. Click Tools > Manage Hash Library.
2. Make sure that you either browse and point to an existing hash library or create a new one.
This is the hash library to which you will add the hash set.
3. On the Manage Hash Library page toolbar, click New Hash Set. The Create Hash Set dialog
displays.

4. Enter a Hash Set Name, and enter information for Hash Set Category and Hash Set Tags.
• The Hash Set Category can be used to identify the type of hash set. Although the most
common values are Known and Notable, you can specify any single value. You can use
the category to find or eliminate files.
• Hash Set Tags allow you to specify multiple identifiers for a hash set. As with Hash
Categories, you can use the Hash Set Tag to find or eliminate files.
5. Click OK and click OK again when you are prompted to add the new hash set. The new hash
set is listed under Existing Hash Sets in the Manage Hash Library page.

Adding Hash Values to a Hash Set


Once you have created a hash set within a library, you can add information to it:
1. Add the device or evidence from which you want to generate a hash value to a case.
2. Hash the files on the device by using the hashing feature of the Evidence Processor or Hash
Individual Files from the Entry > Entries menu item.
3. Using the Tree and Table panes, check those entries whose hash values you want to add to
the hash set.

4. On the Evidence tab, under the Entries view, click the Entries dropdown menu and select
Add to Hash Library.
5. Choose the Hash Library to add the hash items to by using the Hash Library Type dropdown
menu. Select the Primary or Secondary hash library (see below for information on setting the
Primary and Secondary libraries), or Other, if you need to place the item in another library.
6. Once you have selected a library, select one or more previously created hash sets (by checking
their boxes) from the Existing Hash Sets window. If you need to create a new Hash Set, right
click in the Existing Hash Sets table and select New Hash Set. The New Hash Set dialog
appears, as described below.
7. On the Add to Hash Library page, Fields list, select the metadata fields you want to add to the
hash library for the selected items. Some fields are added by default, however, you can add
other optional fields. All fields that are added to the hash set will be reported when a hash
comparison matches a particular hash set; click OK.
Note: Adding additional fields does not increase the comparison time, but does increase the size of the
library.

Querying a Hash Library


At times, an examiner may want to query a hash library for a particular hash value to verify its
existence and to examine the metadata that exists with that value.
To conduct a query of a known hash value:
1. On the Home page, click Tools > Manage Hash Library > Open Hash Library.
2. On the Browse for Folder dialog, browse to the folder containing the hash library to run the
query against and click OK. The Manage Hash Library dialog now lists the hash sets
belonging to the hash library you opened.
3. Click Query.
4. Paste the value into the Hash Value field on the Hash Library Query page and click Query.

5. In the above example, the Matching Hash Items table shows that a match occurred against an
MD5 hash in the selected hash library.
6. You can obtain more detailed information about the matched hash item by clicking either
Show Metadata (shown in above panel) or Show Hash Sets.

Adding Hash Libraries to a Case


Once you have created one or more Hash Libraries and added Hash Sets and hash values to them,
you need to associate them with your case. Following is the method for associating Hash Libraries
with a case.
1. From the Case Home page, select Case > Hash Libraries
2. The Hash Library Info dialog appears and displays the location of the Primary and Secondary
Hash Libraries. EnCase Version 7 can use two Hash Libraries simultaneously so that you can
use a local library as well as a shared library.
3. To set the Primary Hash Library, click the Primary row in the table and select Change Hash
Library in the menu, or double click in the Hash Library Path cell next to Primary. Browse to
the folder that contains the Hash Library.
4. To enable the library, confirm that the Enable checkbox is checked for the Primary library.
5. In the Existing Hash Sets table, you will see a list of the Hash Sets contained in the selected
library. You can Enable/Disable sets by checking the Enable checkbox.
6. To manage the Secondary Hash Library, select the Secondary column and follow the same
steps.
7. Once you have defined a Primary or Secondary Hash Library, you can manage that library by
selecting it in the table and clicking Manage Hash Library in the menu.

Changing Categories and Tags for Multiple Hash Sets


When adding Hash Sets to a Hash Library, you can specify a Hash Category and multiple Hash Set
Tags for each set. If you want to change these values for a group of hash sets, you can modify them in
bulk.
To change the category and tags for multiple hash sets:
1. Click Tools > Manage Hash Library. The Manage Hash Library dialog displays.

2. Select Edit Multiple. The Edit Multiple dialog displays.

3. Select whether you want to change the existing category or tag on the Hash Sets, then enter the
new value in the text box.
4. Click Finish.
Hashing Evidence 193

Importing Hash Sets


EnCase lets you import hash sets into an EnCase hash library:
1. From the Home page, click Tools > Manage Hash Library.
2. Click Open Hash Library.
3. Browse to the location of the hash library and open it. The hash library location appears in the
Hash Library Path box, and several additional toolbar buttons are enabled.
4. Click Import Hash Set and browse to the location of the hash set you want to import. The
hash set files must be in EnCase's proprietary format with a file extension of BIN.
5. Click Finish to complete the operation.

Importing EnCase Legacy Hash Sets


You can import legacy hash sets (from versions of EnCase prior to Version 7) into a Version 7 hash
library.
1. From the Home page, click Tools > Import EnCase Legacy Hash Sets... The Legacy EnCase
Hash Sets Import Dialog displays.

2. Use the browse buttons (...) to locate the path of the Version 7 hash library into which to import
the hash sets, and the path of the legacy EnCase hash sets.
3. Click OK to complete the operation.

NSRL Hash Sets


You may want to use the centralized National Software Reference Library (NSRL) hash sets with
EnCase.
Guidance Software has converted the National Software Reference Library RDS 2.32 March 2011
(http://www.nsrl.nist.gov/Downloads.htm) hash sets into EnCase Version 7 format.
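The hash query described earlier in this section and the converted NSRL sets mentioned above both come down to one operation: looking a digest up across several hash sets, each carrying a category and tags, and returning the metadata stored with the match. The Python script below is an added example written for this guide; it is not EnCase code and does not read EnCase's BIN library format. The RDS column layout it parses is reproduced from memory as an assumption, choosing MD5 or SHA-1 from the length of the pasted value is my design choice, and every file, digest, set name and tag in it is constructed.

```python
"""Query a hash library built from several hash sets, in the spirit of the
Hash Library Query page. Added example, not EnCase code; the RDS column
layout is assumed and every file, digest, set name and tag is constructed."""
import csv
import hashlib
import io
from dataclasses import dataclass, field


@dataclass
class HashSet:
    """One hash set: a name, a category (for example Known or Notable), tags,
    and per-algorithm tables that map a hex digest to its stored metadata."""
    name: str
    category: str
    tags: set = field(default_factory=set)
    md5: dict = field(default_factory=dict)
    sha1: dict = field(default_factory=dict)


class HashLibrary:
    def __init__(self):
        self.hash_sets = []

    def add_hash_set(self, hash_set):
        self.hash_sets.append(hash_set)

    def query(self, value):
        """Look up a pasted hex digest; its length selects MD5 or SHA-1.
        Returns one entry per matching hash set (the Matching Hash Items
        rows), each with the set's category and tags (Show Hash Sets) and
        the metadata stored with the value (Show Metadata)."""
        value = value.strip().lower()
        algo = {32: "md5", 40: "sha1"}.get(len(value))
        if algo is None:
            raise ValueError("expected a 32-char MD5 or 40-char SHA-1 hex digest")
        matches = []
        for hs in self.hash_sets:
            table = getattr(hs, algo)
            if value in table:
                matches.append({"hash_set": hs.name, "category": hs.category,
                                "tags": sorted(hs.tags), "algorithm": algo,
                                "metadata": table[value]})
        return matches


def digest(data, algo):
    """Hex digest of in-memory file content (what EnCase computes per entry)."""
    return hashlib.new(algo, data).hexdigest()


def import_rds(library, text, set_name, category="Known", tags=()):
    """Parse RDS-style CSV text (assumed header: SHA-1, MD5, CRC32, FileName,
    FileSize, ProductCode, OpSystemCode, SpecialCode) into a new hash set."""
    hs = HashSet(set_name, category, set(tags))
    for row in csv.DictReader(io.StringIO(text)):
        meta = {"file_name": row["FileName"], "file_size": int(row["FileSize"]),
                "product_code": row["ProductCode"]}
        hs.sha1[row["SHA-1"].lower()] = meta
        hs.md5[row["MD5"].lower()] = meta
    library.add_hash_set(hs)
    return hs


# Constructed stand-ins for files a reference set would list; their real
# digests are computed below so the sample RDS text is internally consistent.
SAMPLE_FILES = {
    "notepad.exe": b"constructed stand-in for a known operating-system binary",
    "readme.txt": b"constructed stand-in for a known shipped document",
}
NOTABLE_CONTENT = b"constructed stand-in for a file the examiner flagged"


def sample_rds_text():
    header = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'
    rows = [header]
    for name, content in SAMPLE_FILES.items():
        rows.append('"%s","%s","00000000","%s","%d","1","1",""' % (
            digest(content, "sha1").upper(), digest(content, "md5").upper(),
            name, len(content)))
    return "\n".join(rows) + "\n"


def build_sample_library():
    """A library holding a Known set (converted NSRL-style rows) and a small
    Notable set, the two categories an examiner normally mixes."""
    lib = HashLibrary()
    import_rds(lib, sample_rds_text(), "NSRL RDS (constructed sample)",
               category="Known", tags=("nsrl",))
    notable = HashSet("Case tools (constructed)", "Notable", {"case-placeholder"})
    notable.md5[digest(NOTABLE_CONTENT, "md5")] = {
        "file_name": "flagged_tool.exe", "file_size": len(NOTABLE_CONTENT)}
    lib.add_hash_set(notable)
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    for name, content in list(SAMPLE_FILES.items()) + [("flagged_tool.exe", NOTABLE_CONTENT)]:
        print(name, lib.query(digest(content, "md5")))
    print("unknown ->", lib.query(digest(b"not in any set", "md5")))
```

A value that appears in more than one set comes back once per set, which is the situation the Show Hash Sets view exists for: the same digest can be Known in a reference set and Notable in a case-specific one, and the examiner needs to see both before deciding what the match means.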
CHAPTER 10

Bookmarking Items
In This Chapter
• Overview
• Working with Bookmark Types
• Bookmarking Pictures in Gallery View
• Working with Bookmark Folders
• Editing Bookmark Content
• Decoding Data
Overview
EnCase allows files, sections of file content belonging to different data types, and data structures to be
selected, annotated, and stored in a special set of folders. These marked data items are bookmarks, and
the folders where they are stored are bookmark folders.
Bookmarks are stored in a .Case file, and all metadata and content associated with a bookmark is
stored in the actual bookmark. Unlike previous versions of EnCase, there is no "resolving bookmarks
stage" when opening a case.
Bookmarks and the organization of their folders are essential to creating a solid and presentable body
of case evidence. You can examine bookmarks closely for their value as case evidence, and
additionally, use the bookmark folders and their data items to create case reports. For more
information, see Generating Reports on page 215.

Working with Bookmark Types


EnCase provides several types of bookmarks.

Highlighted Data or Sweeping Bookmark


The Highlighted Data bookmark, also known as a Sweeping bookmark, defines either:
• An expanse of Raw Text within a file or document. The raw text is usually a portion of ASCII
or Unicode text, or a hexadecimal string.
• A Data Structure. Data structure bookmarks mark evidence items of particular data
interpretation types.
Note: If there is an allocated file associated with a deleted, overwritten file, both files are bookmarked.

Raw Text Bookmark


You create a raw text bookmark in EnCase by clicking and dragging across raw text in the View pane,
just as you would drag-click to highlight content in a text editor. This is done from the Text, Hex, or
Decode tab of the View pane.
To create a raw text sweeping bookmark:
1. In the Evidence tab, go to the Table pane and select the file containing the content that you
want to bookmark.
2. In the View pane, click the appropriate tab (Text, Hex, or Decode).
3. Highlight the raw text you want to bookmark.

4. On the menu bar, click Bookmark > Raw text or right click the highlighted text and click
Bookmark > Raw text.
5. The Raw Text dialog displays. Type some identifying text in the Comments box on the
Properties tab that makes it easy to identify the bookmarked content.
6. Click the Destination Folder tab, which displays the Bookmark folder hierarchy for the
current case, and click the bookmark folder in which to place this sweeping bookmark. In the
example below, the Highlighted Data subfolder is selected. Note that you can always rename
the bookmark folders or move the bookmark later.

7. Click OK to create the bookmarked content in the highlighted folder.


Data Structure Bookmark


Data structure bookmarks mark items such as a Windows partition entry, a Unix text date, or Base64
encoded text. Following is one example of creating a sweeping Data Structure bookmark on a
date/time data item.
To create a data structure bookmark:
1. Select the evidence item of interest from the Table pane of the Evidence tab.
2. Examine the file content in the View pane by clicking the appropriate tab. For the purposes of
this example, we will assume that characters displayed in the pane are not in an easily
readable format.
3. Click the Decode tab. The View Types tree displays inside the left part of the View pane.

4. Since the examiner is investigating date/time data in this example, expand the Dates folder
and click some of the options.

5. The Windows Date/Time option yields a satisfactory representation of the data, as shown
below.
6. To bookmark the data, right click the Windows Date/Time node, and select Bookmark > Data
Structure or on the menu bar, click Bookmark > Data Structure.

7. In the Data Structure dialog, type text about the Data Structure bookmark in the Comments
box and click the Destination Folder tab.
8. In the Destination Folder box, click the folder where you want to store this Data Structure
bookmark.

9. Click OK.

Notable File Bookmark


Use a Notable File bookmark to mark one or more files. You can assign notable files into a bookmark
folder either singly or as a selection of files.
Single Notable File Bookmark


To bookmark a single notable file:
1. From the appropriate tab, select the file of interest in the Table pane by clicking its row. In the
example below, the text file brndlg.txt is selected.

2. On the toolbar, click Bookmark > Single item...

3. The Single item dialog opens. On the Properties tab, type some identifying text in the
Comment. Alternatively, you can use the browse button to view a list of existing comments,
and select one of those.

4. Click the Destination Folder tab to display the case's Bookmark folder hierarchy. Click the
bookmark folder where you want to store the bookmark.
5. Click OK.

Multiple Notable Files Bookmark


You can also select a group of notable files to bookmark. This feature allows you to quickly store a
collection of notable files into a bookmark folder, which can contain other bookmarks.
Note: You cannot use this bookmark selection with sweeping bookmarks.
To bookmark a selection of notable files:
1. In the Table pane, select two or more files. When selecting multiple files in the Table pane,
use the checkboxes beside the files.
2. On the toolbar, click Bookmark > Selected items...

3. The Selected items dialog opens. Type some identifying text in the Comment box on the
Properties tab that describes the file. You can also use the browse button to view a list of
existing comments, and use one of those.
4. Click the Destination Folder tab to display the case's Bookmark folder hierarchy, and click the
bookmark folder where you want to store the bookmarks.
5. Click OK.

Table Bookmark
You can select a table to bookmark. Highlighting a table and selecting it as a Table bookmark allows
you to save its metadata and store it in a bookmark folder. Table bookmarks are especially useful for
representing evidence data in reports.

Transcript Bookmark
If the Transcript tab in the Viewer pane is active, you can bookmark transcript text.
The Transcript tab extracts text from a file containing mixtures of text and formatting or graphic
characters. The transcript view is useful for creating bookmarks inside files that are not normally
stored as plain text, such as Excel spreadsheets.
Notes Bookmark
Notes differ from other bookmarks in that you use them with other bookmarks to annotate report
data. They do not mark distinct evidence items like other types of bookmarks. The Notes bookmark
has a field reserved only for comment text that can hold up to 1000 characters.
To create a notes bookmark:
1. Click the Bookmarks tab.
2. On the Table toolbar, click Add Note.

3. The New Bookmark dialog opens.

4. Type a Name for the note bookmark, then type text in the Comment box or browse for a list of
previous comments. This is the bookmark text to which the note will be added.
5. Click OK.

Viewing Notes Bookmarks


If you display note bookmarks (Bookmarks > Table) in Tree-Table view, each appears as a data row in
a flattened bookmark hierarchy.
To show the notes in their true order in the bookmark folder hierarchy, click Split Mode on the
Bookmark toolbar and select Traeble view.
Use the Report tab in the View pane to show how the note actually displays in reports, as shown
above.

Bookmarking Pictures in Gallery View


One of the most frequent uses for bookmarking items is to bookmark pictures or photos in Gallery
view. The procedure for bookmarking pictures is almost the same as bookmarking single or multiple
notable file items.
To bookmark a picture in Gallery view:
1. Click the Gallery view tab and browse through the pictures to find one you want.
2. Right click the image (in the example below, it is a photo of an aircraft carrier) and click
Bookmark > Single item...

3. The Single item dialog opens. On the Properties tab, type identifying text in the Comment
box.

4. Click the Destination Folder tab to display the case's Bookmark folder hierarchy. Click the
bookmark folder where you want to store the bookmark.
5. Click OK.

Working with Bookmark Folders


The bookmark folder structure is essential for organizing your bookmarks. You have a great deal of
flexibility in creating a folder structure that suits a particular case.
Bookmark folders are organized according to a standard tree structure, with a folder named
"Bookmark" at the top of the hierarchy. The various bookmark folders (and subfolders) are beneath this
node.
If you are not using the default bookmark folders, assign bookmark folder names that identify their
content or are meaningful to your case team. For example, you can organize the folders by type of
computer evidence, or by relevance to a particular part of the case.
Note: Bookmark folders are nonspecific in nature. Any default folder or folder you create can hold any data type or
content.

Bookmark Template Folders


Cases that are created from EnCase supplied templates, such as the #Basic template, include a
selection of default bookmark folders. Guidance Software provides the #Basic template and the
#Forensic template. Depending on your needs, you may want to choose one of these when creating a
new case from the Case Options dialog.
To display the set of default bookmark folders for the #Basic template, start a case and choose the
#Basic template. To view the bookmark folders included in the template:
1. Click View > Bookmarks
2. In the Bookmarks tab, the Bookmarks root node folder displays at the top of the tree pane.
3. To expand the Bookmarks folder, click its tab. This displays the default Bookmark folders
(shown both in the Tree and Table panes).

Guidance Software recommends using the supplied labels for the bookmark folders to organize the
types of bookmarked content (documents, pictures, email, and Internet artifacts). Although this folder
organization is entirely flexible, bookmark folders are directly linked to the Report Template that is
also included in the default templates. If a case grows to where it needs more bookmark folders or a
greater level of bookmark organization, you can create new folders or modify the folder organization,
but you may need to make changes to the Report Template.

Creating New Bookmark Folders


You can create new folders and subfolders at different levels of the bookmark folder hierarchy.
To create a new bookmark folder:
1. In the tree pane, right click the Bookmark root folder.
2. Click New Folder...
3. A new folder displays one level beneath the Bookmark root folder, highlighted in blue.
4. Type a name for the folder and press Enter.
5. To create a new subfolder, repeat the process at the folder level.
Editing Bookmark Folders


To edit bookmark folders:
1. Click the Bookmark tab to display the tree of bookmark folders.
2. Select the bookmark folder you want to edit, right click to display its context menu and click
Edit.
3. The Edit <"Folder Name"> dialog opens.
4. Edit either Name or Comment for the bookmark folder, or both, and click OK.

Deleting a Bookmark Folder


To delete a bookmark folder:
1. In the tree or table view of the Bookmark tab, click the Bookmark folder you want to delete.
2. Right click the folder and click Delete Folder...
3. A Delete confirmation prompt displays. Click Yes to delete the folder. Use caution, since
deleting a bookmark folder also deletes any bookmarked items in the folder.

Editing Bookmark Content


You can edit bookmark content. You can edit most bookmark categories using a standard right click
context menu or by double clicking the bookmark.

Editing a Bookmark
1. Click Edit... and modify the text in the Comments box of the Properties tab.
2. You can also click the browse button (...) in the dialog to view a list of bookmark comments.
3. Select a comment from the list to replace the current comment.
4. Click OK.

Renaming a Bookmark
1. From the Home page, click View > Bookmarks.
2. In Table view, find the bookmark folder with the bookmark you want to rename.
3. The Table pane displays the list of bookmarks for the selected folder. Select the cell for the
bookmark to rename.
4. Right click the bookmark folder or the cell you want to rename.
5. Click Rename. The bookmark name is highlighted.
6. Enter a new name for the bookmark and click OK.

Decoding Data
Following are the types of data the View Types decoder supports (available in the View pane when
you select the Decode tab).
Text
Text is a parent object containing child objects for formatting you can use when displaying
bookmarked content as text.
Do not Show hides the content of the bookmark. This works for all underlying data types.
High ASCII displays the text in 256-bit ASCII.
Low ASCII displays the text in 128-bit ASCII.
Hex displays the text as hexadecimal digits, rather than characters.
Unicode displays the text in Unicode.
ROT 13 Encoding decodes ROT 13 encoded text to ASCII text.
Base64 Encoding decodes Base64 encoded text to ASCII text.
UUE Encoded decodes UUE encoded text to ASCII text.
Quoted Printable is an encoding using printable ASCII characters and the equals (=) sign to transmit
8-bit data over a 7-bit data path.
HTML renders HTML code as it appears in a browser.
HTML (Unicode) renders HTML code as it appears in a browser, using Unicode.

Picture
Picture displays images in their native format.
Base64 Encoded Picture displays Base64 encoded images.
UUE Encoded Picture displays UUE encoded images.

Integers
8-bit displays the bookmarked content as 8-bit integers.
16-bit displays the bookmarked content as 16-bit Little-Endian integers.
16-bit Big Endian displays the bookmarked content as 16-bit Big-Endian integers.
32-bit displays the bookmarked content as 32-bit Little-Endian integers.
32-bit Big Endian displays the bookmarked content as 32-bit Big-Endian integers.
64-bit displays the bookmarked content as 64-bit Little-Endian integers.
64-bit Big Endian displays the bookmarked content as 64-bit Big-Endian integers.

Dates
DOS Date displays a packed 16-bit value that specifies the month, day, year, and time of day an MS-
DOS file was last written to.
DOS Date (GMT) displays a packed 16-bit value that specifies the time portion of the DOS Date as
GMT time.
UNIX Date displays a Unix timestamp in seconds based on the standard Unix epoch of 01/01/1970 at
00:00:00 GMT.
UNIX Date Big-endian displays a Unix timestamp in seconds based on the standard Unix epoch of
01/01/1970 at 00:00:00 GMT, as Big-Endian integers.
UNIX Text Date displays a Unix timestamp in seconds as text based on the standard Unix epoch of
01/01/1970 at 00:00:00 GMT.
HFS Date displays a numeric value on a Macintosh that specifies the month, day, year, and time when
the file was last written to.
HFS Plus Date is an improved version of HFS Date. It displays a numeric value on a Macintosh that
specifies the month, day, year, and time when the file was last written to. HFS Plus is also referred to
as "Mac Extended."
Windows Date/Time displays a numeric value on a Windows system that specifies the month, day,
year, and time when the file was last written to.
Windows Date/Time (Localtime) displays a numeric value on a Windows system for the local time
specifying the month, day, year, and time when the file was last written to.
OLE Date displays a date as a double-precision floating point value that counts the time from 30
December 1899 00:00:00.
Lotus Date displays a date from a Lotus Notes database file.

Windows
Includes the following items:
• Partition Entry
• DOS Directory Entry
• Win95 Info File Record
• GUID
• UUID
• SID
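Several of the Integers, Dates and Text view types listed above are simple enough to reproduce outside EnCase, which is useful when you want to double-check an interpretation before bookmarking it or explain in a report why a run of bytes was read as a particular date. The Python below is an added example written for this section, not EnCase's own decoder. The epochs it uses (1601 for Windows Date/Time, 1904 for HFS, 30 December 1899 for OLE), the FAT-style time-word-then-date-word order for DOS Date, and all sample byte strings are my assumptions or constructed values; `dates_view` goes one step beyond the list by trying every Dates interpretation on the same bytes, which is what expanding the Dates folder and clicking through the options does by hand.

```python
"""Decode raw bytes the way the Decode tab's View Types do.

Added example for this manual section, not EnCase's own decoder. The
epochs, the FAT-style time-then-date word order for DOS Date and every
sample byte string below are assumed or constructed values."""
import base64
import binascii
import codecs
import quopri
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows Date/Time: 100 ns ticks
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)       # HFS / HFS Plus: whole seconds
OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)     # OLE Date: fractional days


# ---- Integers view -------------------------------------------------------
def integers(data, width, big_endian=False):
    """Split data into width-bit integers (8, 16, 32 or 64); little-endian by default."""
    code = {8: "B", 16: "H", 32: "I", 64: "Q"}[width]
    size = width // 8
    count = len(data) // size
    order = ">" if big_endian else "<"
    return list(struct.unpack(order + str(count) + code, data[:count * size]))


# ---- Dates view ----------------------------------------------------------
def unix_date(data, big_endian=False):
    (secs,) = struct.unpack(">I" if big_endian else "<I", data[:4])
    return UNIX_EPOCH + timedelta(seconds=secs)


def windows_datetime(data):
    (ticks,) = struct.unpack("<Q", data[:8])
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def hfs_date(data):
    (secs,) = struct.unpack(">I", data[:4])  # HFS structures are big-endian
    return HFS_EPOCH + timedelta(seconds=secs)


def ole_date(data):
    (days,) = struct.unpack("<d", data[:8])
    return OLE_EPOCH + timedelta(days=days)


def dos_date(data):
    """Packed DOS time word followed by date word (FAT directory-entry order, assumed)."""
    time_w, date_w = struct.unpack("<HH", data[:4])
    return datetime(1980 + (date_w >> 9), (date_w >> 5) & 0x0F, date_w & 0x1F,
                    time_w >> 11, (time_w >> 5) & 0x3F, (time_w & 0x1F) * 2)


def dates_view(data):
    """Try every Dates interpretation on the same bytes, as expanding the Dates
    folder does; interpretations the bytes cannot satisfy report the error."""
    views = {"UNIX Date": unix_date,
             "UNIX Date Big-endian": lambda d: unix_date(d, big_endian=True),
             "Windows Date/Time": windows_datetime, "HFS Date": hfs_date,
             "OLE Date": ole_date, "DOS Date": dos_date}
    result = {}
    for name, decode in views.items():
        try:
            result[name] = decode(data)
        except (struct.error, ValueError, OverflowError) as exc:
            result[name] = "<%s>" % type(exc).__name__
    return result


# ---- Text view -----------------------------------------------------------
def rot13(data):
    return codecs.decode(data.decode("ascii"), "rot13")


def base64_text(data):
    return base64.b64decode(data).decode("utf-8")


def quoted_printable(data):
    return quopri.decodestring(data).decode("utf-8")


def uue_text(data):
    """Decode a uuencoded blob: skip the 'begin' header line, stop at 'end'."""
    out = []
    for line in data.decode("ascii").splitlines()[1:]:
        if line.strip() == "end":
            break
        if line:
            out.append(binascii.a2b_uu(line))
    return b"".join(out).decode("utf-8")


# Constructed sample bytes, not taken from any evidence file.
SAMPLES = {
    "unix": b"\x00\x6d\x7c\x4d",                          # 1300000000, little-endian
    "filetime": struct.pack("<Q", 116444736000000000),    # FILETIME of 1970-01-01
    "hfs": struct.pack(">I", 2082844800),                 # HFS seconds for 1970-01-01
    "ole": struct.pack("<d", 25569.0),                    # OLE serial for 1970-01-01
    "dos": struct.pack("<HH", (10 << 11) | (30 << 5), (31 << 9) | (3 << 5) | 15),
    "rot13": b"Rknzvare",
    "base64": base64.b64encode(b"caf\xc3\xa9"),
    "qp": b"caf=C3=A9",
    "uue": b"begin 644 note.txt\n#86)C\n`\nend\n",
}

if __name__ == "__main__":
    for key in ("unix", "filetime", "hfs", "ole", "dos"):
        print(key, dates_view(SAMPLES[key]))
    print(rot13(SAMPLES["rot13"]), base64_text(SAMPLES["base64"]),
          quoted_printable(SAMPLES["qp"]), uue_text(SAMPLES["uue"]))
```

Running `dates_view` on the same four or eight bytes shows why the manual's example clicks through several options before settling on Windows Date/Time: most interpretations produce some date, and only one of them is plausible for the file in question. The dictionary output makes that comparison explicit, and the caught-error entries show which interpretations the bytes cannot even satisfy (too few bytes for a 64-bit value, or a DOS date word with month 0).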
CHAPTER 11

Tagging Items
In This Chapter
• Overview
• Creating Tags
• Tagging an Item
• Viewing Tagged Items
• Hiding a Tag
• Deleting Tags
• Changing the Tag Order


Overview
The EnCase tagging feature allows you to mark evidence items for review. You define tags on a per
case basis and default tags can be part of a Case Template.
Any item that you can currently bookmark can also be tagged. You can search for tagged items, view
them on the Search Results tab, and view the tags associated with a particular item in the Evidence or
Record View.
Following is a list of tag features and characteristics:
• You can create tags as part of a case or add them to a Case Template. You can customize each
of the tags with specific colors and display text.
• Tags are persistent when you are working with entries and when you save and re-open a case.
• Each item, entry, email, or record can have multiple tags.
• You can edit saved tags: change their colors and text, hide specific tags from viewing, and
delete a tag.
• Tags are local to a specific case (that is, you cannot create global tags), and the maximum
number of tags that you can use for a case is 63.
• You can directly manipulate tags on the EnCase user interface: modify the order in which they
are displayed, delete them from the display, and so forth.
• You can build searches based on tags you have created and also tag search results. You can
also combine tags with index and keyword search queries.
• You can sort the tag column to find items with multiple tags.

Creating Tags
To create a tag:
1. On the Records, Evidence, or Bookmark tab, click Tags on the toolbar.

2. On the Tags dropdown menu, click Manage Tags.

3. On the Manage Tags toolbar, click New.


4. On the New Tag Item page, enter a Name for the tag (for internal use), the Display Text that
will appear in the Tag column (Guidance Software recommends using short display names to
conserve space), and the Frame Color (foreground and background colors) for the tag. You
can also "hide," or prevent the tag from displaying by checking its Hidden box.
5. Repeat the preceding two steps until you have created the set of tags you want. You can
always add, remove, and rename tags while working on a case.

Tagging an Item
To tag an evidence item, do the following:
1. On the Evidence tab, display your evidence items. (You can also assign tags to Records and
Bookmarks.)
2. Highlight or check the evidence item to which you want to assign a tag.
3. Display a list of available tags by clicking Tags > Show Tag Pane. A pane appears in the lower
right corner of the EnCase user interface. The pane contains a list of default and custom tags
and the number of occurrences of each tag.

4. Check the tag that you want to assign to an evidence item (this example uses the Review tag).
5. The tag that you selected appears in the Tag column of the selected evidence item.
You can also tag an item by clicking on its position in the Tag column, as follows:
1. Display a list of available tags by clicking Tags > Show Tag Pane. The order that the tags are
shown in the table (top to bottom) corresponds to the order in which they will be displayed in
the Tag column (from left to right).
2. Click the space in the item's Tag column where the tag would be displayed. The tag then
appears.
3. As an example, if you configured two tags:
• The left half of the Tag column is used to display the first tag.
• The right half of the Tag column is used to display the second tag.
4. Click the first half of the tag cell to display the item's first tag, and the second half of the tag
cell to display the item's second tag.
5. To remove a tag from displaying, click the tag.

Viewing Tagged Items


The following figure shows the EnCase Tag menu and a portion of a results table with some of the
tagged items. Note how the Tag column can display multiple tags, customized with different text and
in different colors.

Hiding a Tag
If you have configured a tag that you do not currently want to show in the Tag column or the Tag
pane, you can hide the tag using the Manage Tags dialog. This will not delete a tag, but prevent it from
displaying.
To hide a tag, follow these steps:
1. On the Evidence tab, click the Tags button.
2. On the Manage Tags dialog, check the box in the Hidden column for the cell corresponding to
the tag you want to hide.
Deleting Tags
Tags that you do not want to use can be deleted from the Manage Tags window. Deleting a tag
removes the tag name from the case and deletes all references to the tag in the tag database. This action
cannot be undone.
If you attempt to delete a tag, and the tag is assigned to a case item, a warning dialog will display. The
dialog will indicate the number of tags to be deleted. If no items are tagged with that tag name, then
no warning dialog will be displayed.
To delete a tag, follow these steps:
1. On the Evidence tab, click the Tags button.
2. On the Manage Tags window, check the row containing the tag that you want to delete.
3. On the Manage Tags toolbar, click the Delete button.

Changing the Tag Order


For cells with multiple tags, you can change the position of the tags:
1. Click on a tag in the cell.
2. Holding the mouse down, drag it to a different tag position in the cell.
CHAPTER 12

Generating Reports
In This Chapter
• Overview
• Bookmarking Data for Reports
• Using Report Templates
• File Report EnScript
• Viewing a Report
Overview
The final phase of a forensic examination is reporting the findings, which should be well organized
and presented in a format that the target audience understands. EnCase adds several enhancements to
its reporting capabilities, including:
• Reporting templates you can use as is or modify to suit your needs.
• Capability to control a report's format, layout, and style.
• Ability to add notes and tags to a report.
Reports in EnCase consist of three parts:
• Bookmark folders, where references to specific items and notes are stored.
• Report templates that hold formatting, layout, and style information. A report template links
to bookmark folders to populate content into a report.
• Case Information items, where you can define case-specific variables to be used throughout
the report.

Bookmarking Data for Reports


In EnCase, as you work on a case, you typically discover files, portions of files, and other items of
interest and save them as bookmarks. The report template links to bookmark folders to populate
content into the report. Bookmarks are saved in folders in the case file. When you create a new case
and apply one of the supplied case templates, EnCase provides bookmark folders by default. As an
example, the basic template provides these folders:
• Documents
• Pictures
• Email
• Internet Artifacts
You can also create your own folders.

To bookmark data into a folder:


1. Select the content you want from any tab (for example, Entries, Records, or Search Results)
and click Bookmark on the tab toolbar.
2. From the dropdown menu, select the type of bookmark you want to create, enter a name and
optional comment, and click OK.
3. View your bookmarks in the Bookmarks tab.
See Bookmarking Items on page 195 for more information.

Using Report Templates


A report template is one component of a case template. Each default case template includes a
customizable report template. Different case templates can contain different report templates, and each
of these templates is completely customizable. In addition to the report template, each case template
also includes bookmark folders that are referenced in the report.
Besides the default templates, you can define your own custom reports and save them as part of a case
template. For more information, see Using a Case Template to Create a Case (on page 35).

Report Template Structure


Before viewing a report, you need a report template, or outline of what the report will look like. This
structure consists of:
• Report sections: Sections contain groups of similar information and formatting, and provide
the ability to organize your report.
• Report formatting: This includes page layout, section design, and text styles.
• Report elements: These are collections of bookmarks. Bookmarks are a key element of the
report structure. You do not embed bookmarks into a report template, but embed a reference to
the contents of a bookmark folder.
To display the template, click Report Templates on the case Home tab:
A report component is designated as either a Report or Section, as shown in the Type column.
Typically, Report components only contain formatting information for components beneath them,
whereas Section components contain formatting information and Report elements for an individual
section. The columns to the right of Type indicate whether a formatting option is user defined or
inherited from the component above it in the template hierarchy.
To add new reports or sections to the template:


1. Highlight the row above the new element you want to add. Right click and select New from
the dropdown menu.

2. The New Report Template dialog opens.

3. Enter a Name.
4. Select a Type (Section or Report).
5. If you want to customize Format styles, check the appropriate boxes, or leave the boxes clear
to use the default styles.
6. Click OK. The new template component displays below the row you highlighted.

Formatting Report Templates


A wide range of formatting options is available for customizing EnCase reports. Guidance Software
recommends using the default case templates to start, then customizing them as needed.
Report templates follow a hierarchical tree to simplify formatting. Report sections inherit formatting
options from above so that changes to formatting only need to be made in one place.
You can customize these elements:


• Section Name: Used for organizational reference in the template only and does not populate
the report.
• Paper: Includes orientation and size.
• Margins: Set values for top, bottom, left, and right margins.
• Header/Footer: Specify a header and/or footer according to your needs.
• Data Formats: You can specify how a bookmark displays, including style and content.
• Section Body Text: The layout and content of each section is specified in the Body Text.
• Show Tab: Determines if this report or section displays in the View Report dropdown menu.
• Excluded: Provides the ability to exclude part of a report.

Configuring Paper Layout

Paper Size and Orientation


1. Right click the Paper column, then click Edit in the dropdown menu. The Paper layout dialog
opens.

2. Click the paper size option you want. There are options for millimeters as well as inches.
3. The default orientation is Portrait. Click the Landscape checkbox to change the orientation.
4. Click User defined to enable the Page Width and Page Height boxes, where you can specify
dimensions manually.

Margins
1. Right click the Margins column, then click Edit in the dropdown menu. The Margins dialog
opens.

2. Enter the margins you want in inches. By default, the top margin is 1 inch, the left margin is
0.75 inches, and the right and bottom margins are 0.5 inches.
Customizing Headers and Footers


You can customize how headers and footers are formatted and what information they contain.
1. Right click the Header or Footer column, then click Edit in the dropdown menu. The
appropriate dialog opens.

2. Formatting options (Document, Styles, Case Info Items, etc.) display at the top of the dialog.

Report Styles
As in Microsoft Word, you use styles to set text formatting options. EnCase comes with many default
styles to use in report templates, and you can also create your own styles. To override a default style,
create a user style with the same name.
Style options include:
• Font type and size
• Alignment (centered, left and right justified)
• Indentation (left, right, first line)
• Space before/after
• Borders
• Tabs
• Text color
• Background color
To create a user defined style:
1. In the Report Templates tab, click Styles in the tab toolbar.
2. The Styles dialog opens, with tabs for Default Styles and User Styles.

3. Select the User Styles tab.


4. Click New in the toolbar.

5. Enter a name for the style and your desired configuration options. Double click Font, Text
Foreground, or Text Background to open dialogs for specifying those options.

a. Double click Font to open the Font dialog, where you can specify:
− Font face
− Font style (Regular, Italic, Bold, Bold Italic)
− Size
− Effects (Strikeout, Underline)
− Color
b. Double click Text Foreground or Text Background to open the Color dialog, where you
can select a default color or specify a custom color:

c. Click the Paragraph checkbox to enable other options:


− Alignment (Centered, Left and Right Justified)
− Left Indent (in inches)
− Right Indent (in inches)
− First indent (in inches)
− Space Before (in points)
− Space After (in points)
6. To set a border, click the Border button. Set the position, size, and color of the border lines you
wish to incorporate.
7. To set tab stops within the style, click the Tabs button. Right click in the Tabs dialog and select
New to create a new tab.
d. In the Alignment box, choose how you want the text to align relative to the tab. Choices
are Left (left side of the text block is aligned with the tab stop), Center (text is centered in
relation to the tab) or Right (right side of the text block is aligned with the tab stop).
e. Set the Position for the tab stop in Inches.
224 EnCase® Examiner Version 7.03

f. In the Relative box, set the margin that the tab stop should be relative to. Choose Left to
position the tab stop a set distance to the right of the left margin, choose Center to position
it a distance from the center point between the margins, or choose Right to position it a set
distance to the left of the right margin.
Note: The ability to set the relative position of the tab enables users to create a report template that
can be used with various paper sizes (i.e., letter, landscape, A4, etc.) and various orientations
(i.e., portrait or landscape) without having to reset the margins for the various page widths.
Default templates supplied with EnCase are configured in this manner so that they can be used
in different locales without requiring significant modifications.
8. When you are finished, click OK. The new style and its attributes display in the User Styles
list.

You can also edit or delete an existing User Style.

Localization of Report Layout


Reports in EnCase are designed to work seamlessly in various regions regardless of local preferences
such as paper size. If created properly, report templates print correctly on 8 ½" x 11" paper or A4 paper
without requiring any changes to the templates.
All reports in EnCase obtain their paper settings from the Windows operating system. Windows stores
paper size in the Default Printer settings, so unless a specific paper size is defined in a report template
(Paper option), EnCase uses the paper size indicated there.
When reports are generated, margins will be set for the indicated paper size and the report will be
rendered in that composition. Users should utilize the ability to set tab stops relative to a specific
margin (described above) to ensure that tab stops also scale properly with the different paper
variations. Report templates supplied with EnCase are configured in this manner.
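The following Python snippet is an added illustration of why margin-relative tab stops survive a change of paper size; it is not EnCase code and does not read EnCase templates. The page widths (Letter 8.5 in, A4 8.27 in), the 1 in margins, and the convention that a Center-relative offset is measured to the right of the center point are assumptions of the example.

```python
"""Resolve margin-relative tab stops to absolute positions for two paper sizes.

Added example (not EnCase code). A tab stop is stored as an offset from the
Left, Center or Right margin, as the Relative box describes, so one style
yields sensible positions on both Letter and A4 without editing the template.
"""
from dataclasses import dataclass

# Assumed portrait page widths in inches; not values taken from EnCase.
PAGE_WIDTH_IN = {"letter": 8.5, "a4": 8.27}


@dataclass(frozen=True)
class TabStop:
    alignment: str   # "Left", "Center" or "Right": how text aligns to the stop
    position: float  # offset in inches, measured from the chosen margin
    relative: str    # "Left", "Center" or "Right": which margin it is measured from


def absolute_position(tab, page_width, left_margin, right_margin):
    """Return the tab stop's x coordinate in inches from the left page edge."""
    left_edge = left_margin
    right_edge = page_width - right_margin
    if tab.relative == "Left":
        x = left_edge + tab.position                   # to the right of the left margin
    elif tab.relative == "Center":
        x = (left_edge + right_edge) / 2 + tab.position  # offset from the center point (assumed rightwards)
    elif tab.relative == "Right":
        x = right_edge - tab.position                  # to the left of the right margin
    else:
        raise ValueError(f"unknown Relative setting: {tab.relative!r}")
    if not left_edge <= x <= right_edge:
        # A stop outside the printable width is the symptom of an absolute
        # position copied from a wider paper size.
        raise ValueError(f"tab stop at {x:.2f} in falls outside the printable width")
    return round(x, 3)


def layout_for(paper, tabs, left_margin=1.0, right_margin=1.0):
    """Resolve every tab stop of one style for the named paper size."""
    width = PAGE_WIDTH_IN[paper]
    return [absolute_position(t, width, left_margin, right_margin) for t in tabs]


if __name__ == "__main__":
    style_tabs = [TabStop("Left", 0.5, "Left"), TabStop("Center", 0.0, "Center"),
                  TabStop("Right", 0.25, "Right")]
    for paper in PAGE_WIDTH_IN:
        print(paper, layout_for(paper, style_tabs))
```

The Right-relative stop lands 0.25 in inside the right margin on both sizes; a Left-relative stop at 6.5 in fits Letter but is rejected on A4, which is exactly the failure the relative setting avoids.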

Editing Report Object Code


In order to give users complete flexibility in how they format the data and look of a report, EnCase
uses an optimized coding language called Report Object Code to specify the layout of pages and data.
Report Object Code is used in the report body, header/footer, and in the formatting options for
bookmarks. Report Object Code is similar to other scripting languages, but is specifically designed for
this purpose. Guidance Software recommends that if you are interested in modifying a report
template, or creating your own, to first refer to one of the supplied templates and see how Report
Object Code is structured and used.
All the items and formatting you can use in a report are available in the menus in the edit window.
Examples of how to insert certain items into the report are discussed in the topics below.
Inserting a Picture
1. Right click an item in the tree where you want to insert a picture, then click Edit in the
dropdown menu.

2. The Edit dialog opens. Select the Body Text tab, then place your cursor where you want to
insert the picture in the Report Object Code.
3. Click Picture.
4. In the Picture dialog, browse to the file you want to insert, specify a size (width and height in
inches), then click OK.

Inserting a Table
1. Right click an item in the tree where you want to insert a table, then click Edit in the
dropdown menu.
2. The Edit dialog opens. Select the Body Text tab, then place your cursor where you want to
insert the table into the Report Object Code.
3. Click Add Table.

4. Make a selection from the dropdown list. The dialog for that item opens. The example below
shows the Evidence dialog.
a. On the Columns tab, click the checkboxes for the columns you want to display.

b. On the View Options tab, select the checkboxes for the visual elements you want to
display. The tabs and options vary depending on the selection you make in step 3.

5. When you are finished, click OK.


Excluded Checkbox
Depending on your target audience, you may want to exclude parts of a report. For example, an
investigator may need to see actual pictures in a report, whereas another reader does not. You can
customize content by clicking the checkbox for elements you want to exclude.

Body Text Tab


The Body Text tab in the lower pane displays the Report Object Code for a selected object. For
example, if you select Title Page in the Report Templates tab, this code displays:

To add code, use the selectors in the Body Text toolbar:


• Document
• Styles
• Case Info Items
• Case
• Bookmark Folder
• Add Table
• Picture
• Language
• Text
To test if the code is well-formed, click Compile. To return to the last compilable code, click Revert.
Note: Unless you have experience writing and editing code, Guidance Software recommends using default code in the
report templates.
File Report EnScript


The File Report EnScript is a standalone script that produces a file listing that includes file metadata.
You can select which device to run the script against and set the following report information:
• Report name
• Examiner
• Grouping results
• All files or specified files
• Display fields

Running the File Report EnScript


1. From the EnScript menu, select File Report. The File Report - Settings dialog appears.

2. In the Report Title field, enter the name of the report. The default report title format is [Case
Name] - File Report.
3. In the Report Prepared By field, enter the name of the examiner. The default examiner name is
drawn from the specified examiner in Case Info.
4. On the left side of the dialog, specify how you want to group your report.
• By file path: sorts files by their location in the file system, according to Item Path.
• By file size: sorts files according to size in kilobytes.
• By file category: sorts files alphabetically by file category. To sort by three-character file
extension within each category, select the Sort by Extension checkbox.
5. On the right side of the dialog, specify whether to include all files, only files in the current
view, and/or files created within a specified range. To specify a creation date range:
a. Select the checkbox for Only Files Created Between
b. Enter the Start Date directly, or click the calendar browser button to the right.
c. Enter the End Date directly, or click the calendar browser button to the right.
6. At the bottom of the dialog, use the field selector to include/exclude and order the fields for
your report.
a. In the Available fields box on the left, select any field you want to include in your report
and click the right arrow.
b. In the Selected fields box on the right, select any field you want to exclude from your
report and click the left arrow.
7. To order the selected fields for your report, select each field and move it with the Up or Down
button.
8. Click OK. The File Report EnScript generates the file report, and it appears in the File Report
window.
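The grouping, creation-date filter and field selection chosen in the steps above can be pictured with a small Python script run over constructed file records. This is an added example, not the File Report EnScript; the record keys, the size buckets used for the By file size grouping, and the sample paths are assumptions of the example.

```python
"""Group, filter and project a file listing the way the File Report settings describe.

Added example (not the File Report EnScript). Records are constructed; keys
mirror the dialog's notions: Item Path, size in kilobytes, file category and
created date. Size buckets are an assumption; the dialog only says the
By file size option sorts according to size in kilobytes.
"""
from collections import OrderedDict
from datetime import date
from pathlib import PureWindowsPath

SAMPLE_FILES = [  # constructed metadata, not real case data
    {"item_path": r"C\Users\alice\Documents\report.docx", "size_kb": 48,
     "category": "Document", "created": date(2012, 3, 5)},
    {"item_path": r"C\Users\alice\Documents\budget.xls", "size_kb": 210,
     "category": "Document", "created": date(2012, 1, 20)},
    {"item_path": r"C\Users\alice\Pictures\IMG_0001.jpg", "size_kb": 1536,
     "category": "Picture", "created": date(2012, 2, 14)},
    {"item_path": r"C\Windows\System32\cmd.exe", "size_kb": 296,
     "category": "Executable", "created": date(2009, 7, 14)},
    {"item_path": r"C\Users\alice\Downloads\setup.exe", "size_kb": 4096,
     "category": "Executable", "created": date(2012, 3, 1)},
]

SIZE_BUCKETS_KB = [(100, "under 100 KB"), (1024, "100 KB to 1 MB"), (float("inf"), "1 MB and over")]


def extension_of(item_path):
    """Extension used by Sort by Extension (lower-cased, empty when absent)."""
    name = PureWindowsPath(item_path).name
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def size_bucket(size_kb):
    for limit, label in SIZE_BUCKETS_KB:
        if size_kb < limit:
            return label
    raise AssertionError("unreachable: last bucket is unbounded")


def _as_date(value):
    """Accept a date or a typed 'YYYY-MM-DD' string, as the Start/End Date fields do."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


def created_between(rec, start, end):
    """Only Files Created Between: both bounds optional and inclusive."""
    return (start is None or rec["created"] >= start) and (end is None or rec["created"] <= end)


def file_report(files, group_by="path", fields=("item_path", "size_kb"),
                start=None, end=None, sort_by_extension=False):
    """Return {group label: [row, ...]} in display order; each row keeps only
    the selected fields, in the order they were selected."""
    start, end = _as_date(start), _as_date(end)
    if group_by == "path":
        key = lambda f: str(PureWindowsPath(f["item_path"]).parent)
        order = lambda f: f["item_path"].lower()
    elif group_by == "size":
        key = lambda f: size_bucket(f["size_kb"])
        order = lambda f: f["size_kb"]
    elif group_by == "category":
        key = lambda f: f["category"]
        order = ((lambda f: (extension_of(f["item_path"]), f["item_path"].lower()))
                 if sort_by_extension else (lambda f: f["item_path"].lower()))
    else:
        raise ValueError(f"unknown grouping: {group_by!r}")

    groups = {}
    for rec in files:
        if created_between(rec, start, end):
            groups.setdefault(key(rec), []).append(rec)

    if group_by == "size":  # buckets stay in ascending size order, not alphabetical
        group_order = [label for _, label in SIZE_BUCKETS_KB].index
    else:
        group_order = str.lower

    report = OrderedDict()
    for label in sorted(groups, key=group_order):
        rows = sorted(groups[label], key=order)
        report[label] = [{name: rec[name] for name in fields} for rec in rows]
    return report


if __name__ == "__main__":
    for label, rows in file_report(SAMPLE_FILES, "category", sort_by_extension=True).items():
        print(label, [row["item_path"] for row in rows])
```

Passing a date range drops files outside it before grouping, so a group that contains no matching files does not appear in the output at all, which mirrors what an examiner sees when a narrow creation window is set.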
Saving the File Report


1. After verifying the content of the report, right click the report and select Save As.... The Save
As dialog displays.

2. Select the output format.


3. Specify a path for the output. To browse your file system, click the ellipsis button.
4. To open the report in the selected output format, select the Open file checkbox.
5. Click OK. If the Open file checkbox is selected, the file opens in the selected output format.

Viewing a Report
To view a report:
1. In the Report Templates tab, click View Report from the tab toolbar. The dropdown menu
lists all reports that have the Show Tab option set.
2. Select the report you want to see. The report displays in the viewer.

To save a report, right click on the report and select Save As.

These output formats are available:
• TEXT
• RTF
• HTML
• XML
• PDF
Once you select the output format, specify a Path and optionally set the Open file option if you want
the file to open in the default application after saving.
Note: To edit a report in Microsoft Word, save the report in RTF format. The EnCase RTF report is completely
compatible with Microsoft Word.
CHAPTER 13

Smartphone Support
In This Chapter
• Overview
• Supported Smartphone Operating Systems
• Acquiring Smartphone Devices
• Installing Drivers
• Analyzing and Reporting on Acquired Data

Overview
EnCase can acquire smartphones connected directly to the Examiner computer. Removable Subscriber
Identity Module (SIM) cards that securely store the identifying information of the subscriber as well as
telephone numbers, preferences, text messages, and other information, can also be acquired.
Logical data acquisition is supported for BlackBerry, iPhone, Palm, Android, Windows Mobile,
and Symbian devices. Data acquired from these devices is stored in a logical evidence (.L01) file,
which can then be analyzed. For navigation and analysis purposes, the structure of all .L01 files
collected from any type of smartphone is always the same.
For some Palm, WinCE, and Android devices, there is additional support for physical memory
acquisition. For physical memory acquisitions, an evidence file (.E01) is created.
The smartphone acquisition dialog displays all supported smart phones, arranged by manufacturer.
Specific notes for each phone are detailed in the help pane at the top of the dialog.
SD cards are acquired in the same way as other mass storage devices, such as thumb drives, by adding
a local device. Using an SD card reader (not included), use the forensic machine's USB port to acquire
the data on the SD card.
The following table shows the platform/acquisition combinations supported using the latest drivers:

• EnCase cannot acquire smartphones running Palm OS or iOS under Windows XP 64 bit.
• EnCase cannot acquire smartphones running iOS under Windows XP 64 bit.
• EnCase cannot acquire a smartphone running under Windows Server 2003 or 2008.
Before you begin a smartphone acquisition:
1. Know the manufacturer and model, if possible, of the phone.
2. If you did not obtain the owner's manual with a phone you are acquiring, locate and
download one from the Web.
3. Make sure you know the location of the on/off button on the face of the smartphone.
4. Determine if the smart phone has a SIM card. If it does, you will acquire data using the SIM
card reader as a separate step from acquiring data from the smart phone. A SIM card reader is
included in an optional cable kit that may be purchased separately. See Acquiring SIM Cards
on page 244.
5. If you have not acquired from this type of phone previously, Windows will recognize it as
new hardware. You may have to download the drivers from the manufacturer's web site if
Guidance Software is unable to provide them. See Installing Drivers on page 247.
At the end of an acquisition, you can generate a summary report. You can also use an existing .L01 file
to create reports. See Creating a Smartphone Report on page 250.
Supported Smartphone Operating Systems


The following smartphone operating systems are supported by EnCase:
Email Attachment Support


The following smartphones support collection of email attachments:
• Android attachments are collected from Gmail only.
• BlackBerry attachments are collected from the default email client; attachments from other
email clients are stored on the SD card.
• Windows Mobile attachments are collected from the default email client (Pocket Outlook);
attachments from other email clients are stored in the acquired file system.
• Symbian attachments may be present in the acquired file system, even though email is not
supported.

Acquiring Smartphone Devices


1. Make sure the smart phone is on.
2. Connect the phone to the Examiner machine. If the Found New Hardware Wizard displays,
click Cancel to continue.

3. Open your case in EnCase and navigate to the Add Evidence screen.
4. Select Acquire Smartphone. The Acquire Smartphone dialog displays:

5. Select the device you want to acquire.


• All attached devices that have been automatically detected display in a Detected section.
• If a device has not been automatically detected, select the device type from the Supported
section.
• Backup files that can be acquired are displayed in the Backups section.
Note: SD cards are acquired in the same way as any other disk drive, by adding a local device. Using an
SD card reader (not included), use the forensic machine's USB port to acquire the data on the SD card.
6. Perform any setup tasks required for the specific device, as indicated in the top help pane.
7. Select the data fields you want to acquire by using the checkboxes on the right.
• All Available Data acquires all items identified with a checkbox as well as any additional
data available from the specific device.
8. In the Output Path dialog, enter the file name for the acquisition.
• The default path is the case path.
• To change the path, click the browse button and navigate to the desired path.
9. Click Finish. The Acquisition in Progress status bar displays as the data on the device is
acquired.
10. When the acquisition is complete, the Evidence tab displays the new .L01 file.
Acquiring Apple iOS Devices


iPhone MMS messages are parsed to show associated multimedia files as well as text. iPhone system
log files capture the launch count, running time, and additional stored application values.
Raw data HPFX images obtained by third party tools can be parsed.
To ensure Apple iOS devices are properly detected and can be successfully acquired, be sure to couple
the correct iOS version of the iPhone with its compatible iTunes version.
iPhones encrypted with iTunes cannot be acquired by EnCase on a machine that is not matched to
the encrypted iPhone.

Acquiring RIM BlackBerry Devices


For password-protected BlackBerry smartphones, if a password prompt displays, enter the password
and click OK. After entering the password, the progress bar displays and the acquisition continues.
Images on the BlackBerry are stored on the SD card.
Email document attachments are not comprehensible when viewed via the Transcript tab in EnCase
because the BlackBerry converts the attachments to a proprietary format.

Acquiring Google Android Devices


By default, EnCase performs a logical acquisition on smartphones. Android OS security restrictions
and data protection mechanisms limit the forensic data types and range provided by a logical
acquisition.
To acquire all user data, perform a physical data acquisition; this produces a binary identical copy of
an Android phone's data storage.
Physical acquisition requires root-level access to the Android OS. If the physical acquisition procedure
fails to automatically obtain root access for a given device/OS combination, you must manually
research and apply the rooting procedure for that device/OS combination.
Note: Use extreme caution when manually rooting your device; performed incorrectly, the process can
alter or destroy the device's data and applications.
For Android physical acquisition, select the Perform Physical Acquisition checkbox in the Acquire
Smartphone dialog box.

Acquiring Nokia Symbian S60 Devices


To acquire Nokia Symbian S60 devices, verify that the Nokia Connectivity Cable Driver and the PC
Connectivity Solution packages are properly installed. Setup files are located at
Mobile\Install\Symbian.
Set the USB mode to PC Suite Mode when the device is connected.

Acquiring Windows Mobile 6.x Devices


To acquire a Windows Mobile device, you must first install the Smartphone Acquisition files onto the
SD card.
1. Insert the SD card into the full-sized Micro adapter.
2. Insert the adapter into the EnCase USB SD card reader.
3. Insert the EnCase SD card reader into a USB port. Make sure the light on the SD card reader
illuminates.
4. After the EnCase SD card reader is successfully inserted, open Windows File Explorer and
navigate to the SD card drive.
5. Open the drive, which should not have any data in it.
6. Navigate to the root folder where EnCase is installed on your machine.
7. Locate the \Mobile\Install\WinMobile folder and open it.
8. Copy the NeutrinoCE file and the 2577 folder to the empty EnCase SD card drive.
After the SD card is installed with the correct data, you can use the SD card to acquire the mobile
device.
On some phones, the SD card autorun feature will not work. If you suspect your device is not
automatically running this program, you need to execute it manually.
1. In Windows Mobile, start the File Explorer.
2. In the File Explorer, open the Storage Card folder to see its folders and files.
3. In the Storage Card folder, select the 2577 folder.
4. From within the 2577 folder, select Autorun.
5. After you see the boot-up message box, continue using the mobile device acquisition wizard in
EnCase.
If the Windows Mobile phone (such as the HTC Touch) does not have an SD card reader, you can use
the ActiveSync program from Microsoft. The free download is available on the Microsoft.com Web site
for Windows Mobile.
1. Connect the phone to the computer with ActiveSync installed. You can connect directly to the
USB port of the computer.
2. The ActiveSync Device Center starts automatically. Cancel the Pocket PC Sync Setup Wizard.
You can copy files without going through the entire setup process.
3. Either from Windows Explorer or using the ActiveSync interface, navigate to the phone's file
system.
4. On the computer's file system, copy NeutrinoCE.exe and GSI_cert.cab from
\Mobile\Install\WinMobile in the EnCase installation folder to a temporary folder of
your choice on the device.

5. Disconnect the phone.


6. Using the phone's file browser, navigate to the temporary folder to which you copied the
EnCase files.

7. Click GSI_cert.cab to install the certificate on the phone.


8. Click NeutrinoCE.exe to install the software.
9. Re-connect the phone to the forensic computer and acquire the phone following the usual
methodology.
After acquiring the evidence, uninstall the EnCase Smartphone Acquisition software from the phone
by repeating the first three steps and then deleting the temporary folder.
You can also perform a physical acquisition of a Windows Mobile device. Check the Perform Physical
Acquisition checkbox in the Acquire Smartphone dialog to create a physical image of the entire device
and output as an .E01 file.

Troubleshooting:
If the Windows Mobile device is accidentally unplugged during acquisition, you must reboot the
device before re-starting the acquisition.
If the SD Card reader light does not illuminate:


1. Make sure the adapter is fully inserted.
2. Check to see if the adapter was inserted upside down.
If the adapter is inserted correctly, the problem might be that the driver is not detecting the EnCase SD
card reader.
To update the Windows driver:
1. In the Windows Start menu, right click My Computer and select Manage.
2. In the Computer Management window, in the left tree, select Device Manager. The list of
hardware and devices displays in the right pane.
3. In the right pane, expand Universal Serial Bus controllers.

4. If the EnCase SD card reader (listed as a USB Mass Storage Device) is denoted by the
question mark icon, it is not being recognized. If it is denoted with the controller icon shown
here, then it is being successfully recognized and some other problem exists.
5. If the question mark icon is showing, right-click USB Mass Storage Device and select Update
Driver. The Windows Hardware Update Wizard starts.
6. Complete the Windows Hardware Update Wizard to update the device driver. When done, a
message indicates that the hardware has been detected. The EnCase SD Card Reader light
illuminates when detected.

Acquiring Palm OS Devices


In order to acquire a Palm device, it must first be switched into debug mode.

Acquiring SIM Cards


Acquiring a SIM card is a separate step from acquiring the smartphone. A SIM card reader is included
in an optional cable kit that may be purchased separately. This kit includes:
• SD card
• EnCase SD card reader
• SIM USB card reader
• Full-sized Micro adapter
• Mini Micro adapter
• An assortment of cables
Removing the SIM card may cause call log information to be deleted from some smart phones. We
recommend that you acquire the phone data first, before removing and acquiring the SIM image.
Note: Refer to the smart phone owner's manual for information on how to remove the SIM card.
With the smart phone to be acquired powered off and disconnected from the forensic computer,
remove the SIM card from the phone and do the following:
1. With the SIM card reader disconnected from the forensic computer, put the SIM card into the
SIM card reader with the beveled edge of the card facing out.
2. With the SIM card in the SIM card reader, connect the SIM card reader to a USB port on your
forensic computer.
3. From the Add Evidence screen, choose Acquire Smartphone, and then select SIM Card
Reader.
Note: If the LEF created by acquiring the SIM card is less than 5KB in size, a system warning asks if you want to delete it.
This is because a threshold of 5KB is set in EnCase; a LEF smaller than 5KB created in EnCase might be empty.
Disconnect the SIM card reader from the forensic computer and remove the SIM card from the reader.
With the smart phone powered off, return the SIM card to the phone.

Acquiring password protected SIM cards


After you start an acquisition of a SIM Card Reader, EnCase checks to see if the SIM has any PINs
enabled. If there are no PINs enabled, acquisition proceeds normally.
Passwords are not required for an acquisition. However if the SIM is password protected and you do
not enter the correct password, not all of the data will be acquired.
Most SIM cards have two possible passwords or PINs, sometimes referred to as CHV1 (card holder
verification 1) and CHV2, or simply PIN 1 and PIN 2. In general, PIN 1 prevents access to your phone,
so that when password protection or a PIN is enabled, your phone prompts you for the SIM PIN
when the phone is powered on. Entering the wrong password or PIN 1 value prevents you from
making or receiving calls. PIN 2 (which is available on select SIMs) typically protects network settings,
depending on the operator, such as call barring or fixed dialing.
Both PINs contain four to eight digits and can be modified or disabled by the user. Typically SIM PIN
options can be adjusted in the security settings on the smart phone. There is usually one option to
enable the PIN(s), and another option to change the values of the PIN(s). Please refer to the smart
phone manufacturer user manual or website for directions on adjusting PIN values for that specific
phone.
SIM PINs protect the card even when it is placed in another phone, so that the SIM card cannot simply
be moved to another phone and used without authentication. The SIM PINs are different from smart
phone passwords that may be set on a smart phone itself. Please refer to the smart phone
manufacturer user manual or website for possible default PIN values.
If the SIM is password protected, do the following:
1. Select the Apply PIN option and enter the password in the Password 1 field.
2. If a second password is required, enter the password in the Password 2 field.
3. Click Verify Password.
4. Repeat steps 1 - 3 if the password does not verify. You may attempt to enter the correct
password three times. Entering a PIN through the Acquire Smartphone wizard counts as a
password attempt.
5. After three incorrect SIM password attempts, the PIN is locked and requires a PIN Unlocking
Key (PUK), obtained from the SIM network provider.
You may need to provide the ID on the SIM (ICCID). The ICCID may be found in one of three
ways:
• The ICCID number is imprinted on the SIM along with the name of the network provider.
• To get the ICCID number, select the Acquire ICC Id# Only option instead of the Acquire
SIM Image option. This procedure writes the ICCID number into the Activity Log in the
Acquisition page.
• After adding the LEF to a case, you can locate the ICCID number on the Records tab.
Show the Common SIM Fields and select the Sim Iccid column if it is not already
displayed.
For most smart phones, enter the eight-digit PUK code directly into the phone. Submitting the
correct PUK resets the PIN and the attempt counter. After selecting OK, you may be prompted
to enter a new four to eight digit PIN code. You may then be asked to re-enter your chosen
PIN code for verification. On other smart phone types, you enter the PUK code as follows:
**05*(PUK Code)*(new PIN)*(new PIN)# [send].
Please refer to the smart phone manufacturer user manual or website for instructions for your
phone.

Note: Ten incorrect PUK attempts will destroy the SIM.
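The attempt counters described above decide whether a SIM can still be read, so it helps to see them as a state machine before typing anything into the wizard. The Python model below is an added example, not EnCase code, and it never talks to a card; the three PIN attempts, ten PUK attempts and the four to eight digit PIN length come from the text above. The ICCID check-digit routine follows the Luhn formula of ITU-T E.118, which is an assumption not stated on this page: some issuers do not conform, so a failed check points to a transcription error rather than proving the number wrong.

```python
"""Model of SIM PIN/PUK lockout counters and an ICCID check-digit validator.

Added example (not EnCase code); it does not communicate with a SIM card.
Limits come from the guide text: three PIN attempts, then the PIN is blocked
and a PUK is required; ten wrong PUK entries destroy the SIM.
The Luhn check on the ICCID is an assumption (ITU-T E.118), not from the guide.
"""

PIN_ATTEMPTS = 3
PUK_ATTEMPTS = 10


def _valid_pin(pin):
    """PINs contain four to eight digits."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("a PIN is 4 to 8 digits")
    return pin


class SimPin:
    """State of one card holder verification value (PIN 1 or PIN 2)."""

    def __init__(self, pin, puk, enabled=True):
        self._pin = _valid_pin(pin)   # constructed values for illustration only
        self._puk = puk
        self.enabled = enabled
        self.pin_tries_left = PIN_ATTEMPTS
        self.puk_tries_left = PUK_ATTEMPTS
        self.destroyed = False        # set after the tenth wrong PUK

    @property
    def blocked(self):
        """True once three wrong PINs were entered; only the PUK can unblock it."""
        return self.pin_tries_left == 0

    def verify_pin(self, candidate):
        """Return True when access is granted. Every wrong entry, including one
        typed into an acquisition wizard, consumes one of the three attempts."""
        if self.destroyed:
            raise RuntimeError("SIM destroyed: PUK attempts exhausted")
        if not self.enabled:
            return True               # no PIN enabled: acquisition proceeds normally
        if self.blocked:
            return False              # stop retrying; obtain the PUK from the provider
        if candidate == self._pin:
            self.pin_tries_left = PIN_ATTEMPTS
            return True
        self.pin_tries_left -= 1
        return False

    def unblock_with_puk(self, puk, new_pin):
        """Correct PUK: set a new PIN and reset the PIN attempt counter.
        Each wrong PUK consumes one of ten attempts; the tenth destroys the SIM."""
        if self.destroyed:
            raise RuntimeError("SIM destroyed: PUK attempts exhausted")
        if puk != self._puk:
            self.puk_tries_left -= 1
            if self.puk_tries_left == 0:
                self.destroyed = True
            return False
        self._pin = _valid_pin(new_pin)
        self.pin_tries_left = PIN_ATTEMPTS
        return True


def iccid_is_valid(iccid):
    """Luhn check over an ICCID as transcribed from the card face (spaces allowed)."""
    digits = iccid.replace(" ", "")
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    sim = SimPin("1234", "12345678")  # constructed, not a real card's values
    for attempt in ("0000", "1111", "2222"):
        print("PIN", attempt, "accepted:", sim.verify_pin(attempt))
    print("blocked:", sim.blocked, "| ICCID ok:", iccid_is_valid("8944 0000 0000 0000 001"))
```

Reading the counters before acting is the practical point: a blocked PIN is recoverable with the PUK, a destroyed SIM is not, and a mistyped ICCID usually fails the check digit before it reaches the provider.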

Acquiring Mass Storage Devices


Guidance Software recommends acquiring SD cards separately to ensure all of the data on the card is
acquired.
SD cards are acquired in the same way as other mass storage devices, such as thumb drives, by adding
a local device. Using an SD card reader (not included), use the forensic machine's USB port to acquire
the data on the SD card.
Acquiring Apple iTunes Backup Files


To acquire an Apple iTunes backup file, select Apple iTunes in the Backups section of the Acquire
Smartphone dialog.

A backup file path displays for you to enter or browse to the location of the backup file you want to
acquire.

Acquiring BlackBerry Desktop Manager Backup Files


To acquire a BlackBerry Desktop Manager backup file, select BlackBerry Desktop Manager in the
Backups section of the Acquire Smartphone dialog. A backup file path displays for you to enter or
browse to the location of the backup file you want to acquire.

Installing Drivers
When you connect a phone that you have not previously acquired, the Windows operating system
automatically looks for a suitable device driver for this hardware.
EnCase automatically installs some device drivers when they are needed for a particular acquisition.
But because of the rapid release of new phone models and drivers, you may need to download the
drivers from the manufacturer's Web site.
Although Guidance Software is consistently updating drivers, the drivers we ship are not always
signed by Microsoft. If you see the following dialog, click Continue Anyway.

After the hardware drivers are recognized, the acquisition continues normally.

Analyzing and Reporting on Acquired Data


Displaying Smartphone Data
A logical evidence (.L01) file containing smartphone data is created at the end of the acquisition
process. This includes SIM card and logical data acquisitions. Physical memory data is contained in an
.E01 file.
1. Open any smartphone .L01 or .E01 file in a case using the name you created when performing
the acquisition.
• Open the case.
• Select Browse Evidence.
• Select the file you wish to view.
• To add new files, select Add Evidence File from the Add Evidence menu, and browse to
open the desired file(s).
2. Double click the evidence file to open it in the Evidence tab.
• Further information about the data is displayed in the lower pane of the window.
• To return to the list of all available evidence files, select either Evidence or Entry from the
Viewing menu.
• Fields displayed are specific to the data able to be acquired for the particular make and
model of smartphone, SIM card, or backup file.
• The records may contain additional data specific to the vendor and model of the smart
phone. When additional data exists, the Additional Fields column displays a flag.
Clicking the flag in this field displays the additional data.
• Visit Count data about bookmarked URLs is based on how many times the phone user
typed the URL, or tapped a user-defined, saved bookmark. For example, if the user typed
mlb.com but did not save it as a bookmark, EnCase displays a bookmark visit count of
0, and a new visited URL with 1 visit. If the user tapped on the bookmark in the bookmark
list, then its visit count was updated.
• Smartphone physical memory can be examined by opening the .E01 file and using the Hex
tab for viewing.
Available Smartphone Data


The data that can be captured from a smartphone is specific to that type of phone. Some of the data
common to most, but not all, phones is listed below.
Smartphone data may include the following:
• Contacts from a phone book
• Call logs
• Images
• SMS and MMS messages
• Calendar entries
• Files stored on the phone
• File system objects
• Phone settings
• Audio and video clips
Phone information and settings may include:
• Serial number
• Manufacturer information
• Firmware/Hardware information
• IMSI number
• IMEI number
• Cell tower location
• Ringer volume
• Local Area Code (LAC)
• Cell ID (Cell tower ID)
• Network Codes
• Network Type
Network Codes include:
• Mobile country code
• Mobile network code
Network Types found on a SIM card include:
• Roaming
• Home
• None
SMS message data elements include:
• Memory Type
• Entry ID (message numbers)
• SMS Type
• SMSC Number
• Remote Number
An SMS message memory type will be either Phone or SIM.
An SMS Type will be either terminated (received by the phone) or originated (sent from the phone).
An SMSC Number is the number of the last, not the source, wireless access number. This number may
be an intermediary number used by the carrier.
Contact data includes the EntryID and the speed dial number associated with the phone number.
Creating a Smartphone Report


1. Select Smartphone Report from the Tools menu. The Smartphone Report Settings dialog
displays.

2. Click Evidence Images. The Edit Settings dialog displays.

• The default is to collect all evidence files in the list.


• Click Enable to select individual evidence files.
• Select the evidence files you want to use, and click OK.
3. To specifically include tagged items, select Include Tags. The Edit Settings dialog displays
showing all available tags to include.

• Select the tags you want to include, and click OK.


4. To specifically exclude tagged items, select Exclude Tags. The Edit Settings dialog displays
showing all available tags to exclude.

• The default is to exclude all tags in the list.


• Click Enable to select individual tags.
• Select the tags you want to exclude, and click OK.
5. The Data Settings pane on the right displays a list of your current selections. When done, click
OK to generate the report.
6. The generated report displays in the Smartphone Report Builder window. Toolbars at the top
of the window provide reporting options.
• Select the checkboxes in the lower toolbar to display available data types.
• Click the zoom control to expand or reduce the visible size of the report.
• Show Short Report (default) displays a summary report showing only selected data
fields. Pictures are scaled to save space.
• Show Detailed Report displays a longer report showing all fields for each data type.
Pictures are presented in a larger format.
• Print uses the standard EnCase print dialog for sending the report to your printer, or
creating a PDF file.
• Export uses the standard EnCase print dialog for creating and saving the report in TEXT,
RTF, or HTML file formats.
• Add Custom Notes allows you to enter your own comments to sections of the report. See
Adding Custom Notes to the Smartphone Report on page 252.
• View Single Category causes the checkboxes to become single option controls; when
View Single Category is checked, you can only select one checkbox at a time in the lower
toolbar.
• Export Location Data allows you to export data to a KML output file. See Exporting
Location Data on page 252.
252 EnCase® Examiner Version 7.03

To save the Smartphone Report Builder, you must print or export it to a file. If you close it
before exporting or printing, you need to generate the report again.

Adding Custom Notes to the Smartphone Report


1. In the Report Builder, click Add Custom Notes in the top toolbar. The Add Custom Note
dialog displays.

• In the Report Section, select from the list of data elements to display your comment in
that section. All possible data elements are shown, even if the particular acquisition did
not contain this type of data.
• To place a comment before the data, enter it in the Note (section top) area. You can have
separate notes before and after the data, or include the same note in either place, or both.
• Entering a comment in the Note (section bottom) area places the comment after the data.
2. Click OK to write all comments to the report and close the dialog.

Exporting Location Data


Location and map data acquired from smartphones can be exported in KML format, which can be
viewed in Google Maps or another geo-mapping tool (such as Marble).
• Visited and bookmarked map locations and map routes can be exported for BlackBerry
and iPhone devices.
• Last known location and the location daemon log for GPS/Radio data can be exported for
iPhone devices.
• Last known location and log cell tower IDs for GPS/Radio data can be exported for
Android devices.
The amount and the format of the location data that can be acquired varies greatly for each phone
family. The .L01 files have slightly different structure with respect to location data presentation.

1. In the Report Builder, click Export Location Data in the top toolbar. The KML Export dialog
displays.

2. Enter or browse to an output folder and create a name for the output file.
3. Select the location data type you want to export.
4. Click OK. The location data is exported as a KML file.
5. Open the file in any geo-mapping application to view the location data.
CHAPTER 14

Working with Non-English Languages
In This Chapter
 Overview

 Configuring EnCase to Display Non-English Characters

 Changing the Default Code Page

 Setting the Date Format

 Assigning a Unicode Font

 Viewing Unicode Files

 Text Styles

 Configuring Windows for Non-English Language



Overview
This chapter describes how to use EnCase when working with evidence in languages other than
English.
The Unicode standard assigns a unique code point to every character, regardless of platform,
computer program, or language. Unicode text can be stored in several encodings; in this document,
Unicode refers to UTF-16 (16-bit Unicode Transformation Format). More than 100 code pages are
currently available in EnCase alongside the Unicode options. Because EnCase applications support
Unicode, investigators can search for and display Unicode characters, and thus work with many more
languages.
EnCase also supports code pages, which describe character encodings for a particular language or set
of languages that share the same character repertoire. In some cases it is necessary to assign a code
page to display the language properly. Thus, EnCase supports both Unicode text, which does not
require a code page, and legacy character encodings (for example, ISO Latin, Arabic, and Chinese code
pages) that do require a specific code page to display properly. You only need to use a code page in
EnCase when your non-English document was written in one of these legacy encodings.
Other character encodings besides 16-bit Unicode are supported for working with non-Unicode,
non-English-language text.
Working with non-English languages typically involves performing these tasks:
 Changing the default Code Page. See Changing the Default Code Page on page 257.
 Adjusting the date format. See Setting the Date Format on page 258.
 Assigning a Unicode font. See Assigning a Unicode Font on page 258.
 Creating non-English language search terms
 Bookmarking non-English language text
 Viewing Unicode files. See Viewing Unicode Files on page 258.
 Viewing Non-Unicode files

Configuring EnCase to Display Non-English Characters


When working with non-English languages, an examiner must consider and decide whether to
undertake the following tasks.

Setting the Windows Operating Environment


 If you are running a non-English version of Windows, make sure that you have correctly
installed and configured the appropriate Microsoft language pack.
 Make certain that you have installed the set of fonts needed to support the character set for
your non-English version of Windows, or have installed a Unicode font.
 Optionally configure your system to support the keyboard and input language desired.

Configuring EnCase Global Settings


 Optionally set the date format that is commonly used with the language.
 Select a default font for each available user interface element.

Usage with Evidence


 You can create and search for non-English language search terms, bookmark non-English
language text, browse through tables and trees in non-English text, and so forth.
 You can override the global settings when viewing content in the Text or Hex tabs of the View
pane (for more information, see "Changing Text Styles" in the Browsing and Viewing chapter).

Global internationalization settings are located in the Options dialog. From there you can configure
EnCase to display non-English characters in status bars and tabs, dialogs, tables, data views (including
text, hex, and transcripts), and in the EnScript script editor.

Changing the Default Code Page


The code page you use with EnCase determines the character set used to interpret 8-bit text. By
default, EnCase uses the Windows default code page, which on Western-language systems is
Windows-1252 and covers the majority of Western European languages. You can also configure
EnCase for Unicode or a specific code page as a global default.
To change the code page:
1. In the Options dialog open the Global tab.

2. Click Change Code Page. The Code Pages dialog displays.



• Unicode specifies little-endian UTF-16, the form Windows itself uses natively. If UTF-7 or
UTF-8 is used, select Other, not Unicode.
• Unicode Big-Endian specifies big-endian UTF-16.
• Other lets you select a specific code page from the list.
3. Select the appropriate option and click OK.

Setting the Date Format


After assigning a code page, you can set the date format to match the selected country:
1. In the Options dialog open the Date tab.
2. Configure the desired date and time format. See Date Options on page 22.

Assigning a Unicode Font


If you chose a Unicode option as an EnCase global default, you also need to assign a Unicode font for
interface elements where non-English language characters display.
1. In the Options dialog open the Fonts tab.
2. Double click the font box for the interface element. The Font dialog opens.
3. Change the font to Arial Unicode MS (or another available Unicode font) and click OK.
4. Repeat for each interface element that you want to configure.
5. Click OK. The interface elements you selected in the Fonts tab are now configured to display
characters according to the non-English, Unicode character set. See Font Options on page 25
for more information.

Viewing Unicode Files


Specific fonts in the Fonts dialog are installed in Windows. If no Unicode fonts are installed on your
computer, see "Install the Universal Font for Unicode" at http://office.microsoft.com/en-
us/help/HP052558401033.aspx.
UTF-16 text is interpreted as 16-bit words, that is, as pairs of bytes. When a Unicode text style is
selected, 8-bit character sets and 7-bit ASCII text do not display correctly, because every two bytes are
read as one character. Use an 8-bit text style with a font such as Courier New for English text.
To properly display the characters in certain code pages, you should select a Unicode display font.
Characters that are not supported by the font or code page display as a default character, typically
either a dot or a square. You can change this character when defining text styles in the Text and Hex
tabs of the View pane.
By default, EnCase displays characters in ANSI (8-bit) format on the Text and Hex tabs in Courier
New font. Viewing Unicode files requires modifications to both the formatting and the font. First, the
file or document must be identified as Unicode. This is not always straightforward.
Text files (.txt) containing UTF-16 usually begin with the byte order mark \xFF\xFE (little-endian) or
\xFE\xFF (big-endian). In the default Windows-1252 ANSI view, a little-endian file is recognizable by
the characters ÿþ at the start and by a dot (the 0x00 high byte) after every Latin character. Word
processor documents written in Unicode are not so easy to identify: word processor applications have
signatures specific to the document format, so the signature alone does not tell you that the content
is Unicode.
You can change the code page from either the Text or Hex tab by clicking Codepage. A list of the
most recently used code pages displays.
1. To select a new code page, click Code Pages. The Code Pages dialog displays.
2. Select the desired code page or Unicode option. See Changing the Default Code Page on page 257.
3. The text displayed in the Text or Hex tab updates to reflect the new encoding.
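The following is an added example, not part of EnCase or this manual, that does in code what the examiner does by eye when choosing a text style: it looks for the UTF-16 byte order mark, falls back to a heuristic for BOM-less UTF-16 little-endian text, and otherwise decodes through a legacy code page. It also renders the same bytes the way the default ANSI text style would, so you can see why a UTF-16 file shows up as "ÿþ" followed by dot-separated letters. The sample strings are constructed for the example; the 0.9 threshold in the heuristic is an arbitrary choice.

```python
"""Added example: decide between a Unicode (UTF-16) and a legacy code-page text
style for a byte fragment, and show what the ANSI view of UTF-16 looks like.
Illustrative code, not EnCase's own; the samples below are constructed."""
from typing import Optional, Tuple

# Byte-order marks. \xFF\xFE is the UTF-16 little-endian signature named in the
# manual; the big-endian and UTF-8 signatures are included for completeness.
BOMS: Tuple[Tuple[bytes, str], ...] = (
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
    (b"\xef\xbb\xbf", "utf-8"),
)


def detect_bom(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (encoding, signature length) if the data starts with a known BOM."""
    for sig, enc in BOMS:
        if data.startswith(sig):
            return enc, len(sig)
    return None


def looks_utf16le(data: bytes) -> bool:
    """Heuristic for BOM-less UTF-16LE holding Latin-script text: the high byte
    of nearly every 16-bit code unit is 0x00. Word-processor content usually
    lacks a BOM, which is why the manual calls it harder to identify.
    The 0.9 threshold is an assumption chosen for this example."""
    if len(data) < 4 or len(data) % 2:
        return False
    high_bytes = data[1::2]
    return high_bytes.count(0) / len(high_bytes) > 0.9


def decode_for_view(data: bytes, codepage: str = "cp1252") -> str:
    """Decode as a Unicode text style would if the data is UTF-16 (by BOM or
    heuristic), otherwise through the given legacy code page."""
    bom = detect_bom(data)
    if bom:
        enc, skip = bom
        return data[skip:].decode(enc)
    if looks_utf16le(data):
        return data.decode("utf-16-le")
    return data.decode(codepage, errors="replace")


def ansi_view(data: bytes, codepage: str = "cp1252", replacement: str = ".") -> str:
    """Render bytes one at a time through an 8-bit code page, substituting the
    replacement character for non-printable bytes, the way the default ANSI
    text style shows a file. For UTF-16LE the BOM appears as 'ÿþ' and each
    Latin character is followed by a dot standing for its 0x00 high byte."""
    out = []
    for b in data:
        ch = bytes([b]).decode(codepage, errors="replace")
        out.append(ch if ch.isprintable() else replacement)
    return "".join(out)


# Constructed samples (not taken from any case).
SAMPLE_UTF16LE_BOM = b"\xff\xfe" + "Müller".encode("utf-16-le")
SAMPLE_UTF16LE_NO_BOM = "Müller".encode("utf-16-le")
SAMPLE_CP1251 = "Привет".encode("cp1251")  # Cyrillic text in Windows-1251
```

Decoding SAMPLE_CP1251 through the default Windows-1252 code page yields readable-looking but wrong characters ("Ïðèâåò"), which is exactly the symptom the manual's code-page switch is meant to cure: the bytes are valid in both code pages, so nothing signals the mistake except the examiner's knowledge of the language.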

Text Styles
The display of non-English language content is controlled by both the typeface of the content and the
text style applied to it. A text style applies various attributes, including:
 Line wrapping
 Line length
 Replacement character
 Reading direction
 Font color
 Class of encoding
 Specific encoding
Text styles are global and can be applied to any case after they are defined. Text styles are applied in
the Text and Hex panes. See Changing Text Styles on page 105.

Configuring Windows for Non-English Language


Configuring the Keyboard for a Specific Non-English Language
Windows lets you configure a keyboard for a specific non-English language. Once the keyboard is
configured, you need a keyboard map or familiarity with the keyboard layout of the language.
These instructions are for Windows XP. Configuring Windows 2000, NT, and 2003 is similar.

1. Click Start > Control Panel > Regional and Language Options. The Regional Options tab of the
Regional and Language Options dialog displays.
2. In Standards and formats, select the desired language.
3. Select the Advanced tab.
4. In Code page conversion tables, check the desired code page.
5. Click OK.

The keyboard is mapped to the selected non-English language.



Entering Non-English Content without Using Non-English Keyboard Mapping


Windows provides a character map so you can enter non-English character strings without remapping
the keyboard.

1. Click Start > All Programs > Accessories > System Tools > Character Map. The Character Map
utility displays.
2. Click the desired character, then click Select. The character is added to the Characters to Copy
box.
3. Repeat step 2 to add more characters.
4. Click Copy, then paste the characters where you want to use them.
CHAPTER 15

Using LinEn
In This Chapter
 Overview

 Creating a LinEn Boot Disk

 Configuring Your Linux Distribution

 Performing Acquisitions with LinEn

 LinEn Evidence Verification and Status Reporting

 Hashing the Subject Drive Using LinEn

 LinEn Manual Page



Overview
The LinEn™ utility is an acquisition tool for creating evidence files from a Linux "live" CD without
altering any potential evidence on the drives to be acquired. You run the LinEn CD on a Linux
operating system to perform drive-to-drive and crossover acquisitions.
LinEn runs in 32-bit mode, independently of the Linux distribution's own tools, to quickly acquire
data from a large set of devices.

Creating a LinEn Boot Disk


To run LinEn on the subject machine, you need to create a LinEn boot disk. Also, you must have an
ISO image of one of the popular live Linux distributions you want to use, such as Knoppix, as a Linux
distribution does not install itself on the subject machine.
Note: As it is not practical to modify the settings of a live Linux distribution, ensure that the live distribution does not
automatically mount detected devices.
To create a LinEn Boot disk:
1. Using your EnCase application on the investigator's machine, click Tools > Create Boot Disk.
The Choose Destination dialog of the Create Boot Disk wizard displays.
2. Click ISO Image, then click Next. The Formatting Options dialog of the Create Boot Disk
wizard displays.
3. Provide a path and filename to the ISO image you downloaded earlier, optionally click Alter
Boot Table, and click Next. The Copy Files dialog of the Create Boot Disk wizard displays.
4. Right click in the right pane of the Copy Files page, and click New. The file browser opens.
5. Enter or select the path to the LinEn executable, normally the linen file in the EnCase program
folder (for example, c:\program files\encase6\linen), click OK, then click Finish.

The Creating ISO progress bar displays on the Copy Files dialog. Once the modified ISO file is
created, the wizard closes.

6. Burn the ISO file onto a blank CD/DVD using the disk burning software of your choice.
You now have a boot disk to run Linux and LinEn while you acquire the subject Linux device.

Configuring Your Linux Distribution


Before you can run LinEn on Linux, you must configure the Linux distribution. Due to the nature of
Linux and its distributions, only the following ones are discussed:
 SUSE 9.1
 Red Hat
 Knoppix
Note: Because of the dynamic nature of Linux distributions, we recommend that you validate your Linux environment
before using it in the field.
The process describes an ideal setup that effectively runs the LinEn application in a forensically sound
manner.
To prevent inadvertent disk writes, the operating system must be modified. Linux has an autofs
feature, installed by default on many distributions, that automatically mounts any medium attached to
the computer. Mounting a filesystem read-write can write to it (for example, by replaying a journal or
updating the mount count), so it is essential that you disable autofs to prevent auto-mounting.

Obtaining a Linux Distribution


You can obtain a Linux distribution from any Linux vendor.
If you intend to use a LinEn boot disk, you will need a live distribution, such as Knoppix, in order to
create a boot disk. If you intend to run LinEn on a installed version of Linux on your forensic machine,
we recommend using SUSE or Red Hat.
For the Linux distributions discussed in relation to LinEn, obtain a distribution from one of the
following:
 For the latest SUSE distribution, go to the Novell Web Site (http://www.novell.com/linux/).
 For the latest Red Hat distribution, go to the Red Hat Web site (http://www.redhat.com/).
 For the latest Knoppix distribution, go to the Knoppix Web site (http://www.knoppix.com/).

LinEn Setup Under SUSE


You must already have SUSE installed on your Linux machine.
1. Copy the LinEn executable from C:\Program Files\EnCase7 on your Windows machine
to the desired directory, /usr/local/encase, on your Linux machine.
2. Open a command shell on your Linux machine as root (superuser).
3. Enter chmod 700 /usr/local/encase/linen. This restricts the LinEn executable to its
owner, so that only root can read or run it. If the file was copied by another user, run
chown root /usr/local/encase/linen first so that root is the owner.
4. Close the command shell.
5. Click Main Menu > System > Configuration > YaST. Yet Another Setup Tool (YaST) is used
to configure various settings for your Linux operating system.
6. Open the Runlevel Editor.
7. Ensure that autofs is disabled.

LinEn Setup Under Red Hat


You must have Red Hat installed on your Linux machine.
1. Copy the LinEn executable from C:\Program Files\EnCase7 on your Windows machine
to the desired directory, /usr/local/encase, on your Linux machine.
2. Open a command shell on your Linux machine as root (superuser).
3. Enter chmod 700 /usr/local/encase/linen. This restricts the LinEn executable to its
owner, so that only root can read or run it. If the file was copied by another user, run
chown root /usr/local/encase/linen first so that root is the owner.
4. Close the command shell.
5. Click Main Menu > System Settings > Server Settings.
6. Ensure that autofs is disabled.

Performing Acquisitions with LinEn


The EnCase LinEn utility provides the following methods of acquiring evidence from a subject drive:
 Drive-to-drive acquisitions
 Crossover cable acquisitions
Drive-to-drive acquisitions provide the means to preview and acquire devices without a hardware
write blocker, provided that automatic mounting has been disabled as described in Configuring Your
Linux Distribution, so that the operating system never mounts the subject drive. Drive-to-drive
acquisitions use either the subject machine or the forensic machine to perform the acquisition. The
drive-to-drive acquisition speed can be significantly faster than EN.EXE under MS-DOS from previous
versions, because Linux is a 32-bit operating system rather than a 16-bit real-mode environment.

Crossover cable acquisitions require both a subject and forensic machine. This type of acquisition also
negates the need for a hardware write blocker. It may be desirable in situations where physical access
to the subject machine's internal media is difficult or not practical. This is the recommended method
for acquiring laptops and exotic RAID arrays. This method is slower than a drive-to-drive acquisition
because data is transferred over a network cable, making it especially sensitive to the speed of the
network cards housed in both machines.

Setup for a Drive-to-Drive Acquisition


When a subject drive from the subject machine cannot be acquired via a crossover cable acquisition,
the subject drive can be acquired via a drive-to-drive acquisition. Drive-to-drive acquisitions can be
done in the following ways:
 Running a LinEn boot disk on the forensic machine
 Running the LinEn utility from Linux already installed on the forensic machine
 Running a LinEn boot disk on the subject machine
Any of these cables can be used as a hard disk cable:
 IDE Cable
 USB Cable
 Firewire
 SATA
 SCSI
The following diagrams show setups for drive-to-drive acquisitions with:
1. The forensic machine, running LinEn from the LinEn Boot Disk, connected to the subject hard
drive.
2. The forensic machine, booted to Linux and running LinEn, connected to the subject hard
drive.
3. The subject machine, running LinEn from the LinEn Boot Disk , connected to the target hard
drive.

Drive-to-Drive Acquisition Using LinEn


Before you begin, identify the subject drive to be acquired and the storage drive to hold the acquired
evidence file.
1. If the FAT32 storage partition that will receive the evidence file has not yet been mounted,
mount it. Do not mount the subject drive; LinEn reads it directly from the device.
2. Navigate to the folder where LinEn resides and enter ./linen in the console. The LinEn main
screen displays.

Note: If there are too many drives and/or partitions to display, you will see a warning message.

3. Click Acquire.

4. Choose the physical drive or logical partition you want to acquire. The Acquire Device <drive>
dialog displays.

5. Enter the full path and file name for the acquired evidence file, then click OK.
6. Optional: Provide an alternate path in the event that the output path from step 5 runs out of
disk space.

7. Click OK.

8. Enter a case number, then click OK.

9. Enter an examiner name, then click OK.

10. Enter an evidence number, then click OK.



11. Enter a name for the evidence file (maximum 50 characters), then click OK.

12. Verify that the current date and time stamp are accurate, then click OK.

13. Enter a brief note (maximum 200 characters), then click OK.

14. Choose whether to compress the file.

15. Choose whether to perform a hash of the evidence file after acquisition. The two hash
algorithms are MD5 and SHA1.

16. Optional: Enter a password.



17. Specify the total sectors to acquire, then click OK. By default, the field prepopulates with the
maximum number of sectors of the drive or partition.

18. Specify the maximum file size (in megabytes) for the evidence file and segment files, then click
OK. By default, the field prepopulates with a maximum size of 640 megabytes.

19. Specify the block size for the evidence file, then click OK. By default, the field prepopulates
with a block size of 64 sectors.

20. Enter a level of error granularity, then click OK.

21. Enter the number of worker threads, then click OK. These threads perform compression on
the buffer.

22. Enter the number of reader threads, then click OK. These threads read from the device and fill
in a data buffer.

23. Click Yes or No to perform hashing in its own thread.

24. A summary report displays.

25. When the acquisition is complete, click OK. The LinEn main window displays. The subject has
been acquired and is stored on the storage drive.
26. Connect the storage drive to the investigator's machine.
27. Add the EnCase evidence file using the Sessions Sources dialog of the Add Device wizard. See
Completing the Sessions Sources Dialog.

LinEn Command Line


You can run LinEn acquisition and hashing from a command line.
Note: You must use the -cl option to activate this feature.
Select the operation you want:
 -k for AcquireMode
 -o for HashMode
Note: You must choose either AcquireMode or HashMode. LinEn displays an error message if you attempt to use both.
You can enter command line options with a single dash and the shortcut (for example, -p
<Evidence Path>) or with a double dash and the full tag (for example, --EvidencePath
<EvidencePath>).

During the acquisition or hashing process, a pipe character (|) prints to the console for each percentage
completed.
There are two ways to provide necessary information to LinEn:
 Command line options
 Configuration file

Command Line Options

Shortcut                   Full Tag        Description

-dev <Device Path>         Device          Device to be either acquired or hashed
-p <Evidence Path>         EvidencePath    Path and file name of the evidence to be created
                                           (maximum 32,768 characters)
-m <Evidence Name>         EvidenceName    Name of evidence within the evidence file
                                           (maximum 50 characters)
-c <Case Number>           CaseNumber      Case number of the evidence (maximum 64 characters)
-x <Examiner>              Examiner        Examiner's name (maximum 64 characters)
-r <Evidence Number>       EvidenceNumber  Evidence number (maximum 64 characters)
-a <Alternate Paths>       AlternatePath   A semicolon delimited list of alternate paths
                                           (maximum 32,768 characters)
-n <Notes>                 Notes           Notes (maximum 32,768 characters). Enclose notes in
                                           quotes (for example, "This is a note").
-l <Max File Size>         MaxFileSize     Maximum file size of each evidence file (in MB:
                                           minimum 1, maximum 10,485,760)
-d <Compress>              Compress        Level of compression (0=none, 1=fast, 2=best)
-g <Granularity>           Granularity     Error granularity in sectors (minimum 1, maximum 1024)
-b <Block Size>            BlockSize       Sectors per block for the evidence file (minimum 1,
                                           maximum 1024)
-j <Configuration File>                    Path to a configuration file holding variables for the
                                           program (maximum 32,768 characters)
-t                         Hash            Perform MD5 hashing on device
-1                         SHA1            Perform SHA-1 hashing on device
-cl                        CommandLine     Do not ask for required values, just error out
-k                         AcquireMode     Acquire the selected device
-o                         HashMode        Hash the selected device
-?                                         Help message
-pw <password>                             Password protects the resulting evidence file
-date <date/time>                          Lets the user input the correct date/time. Must be
                                           quoted in the format "MM/dd/yy hh:mm:sstt" or
                                           "MM/dd/yy hh:mmtt" (where tt is AM or PM).
-rdr <number>              Readers         Number of reader threads (acceptable value 1-5)
-wrk <number>              Workers         Number of worker threads (acceptable value 1-20)
-hsh                       Hasher          Hash in its own thread (default: false)
-rerr                      ReadErrors      Print read errors to STDERR (default: false)
-v                         Verbose         Verbose output during acquisition or hashing (default:
                                           false) (acceptable value TRUE or FALSE [only in file])

Non Interactive Command


 If (-cl) is set, LinEn is non interactive, allowing third party software to use its own scripting
 If (-cl) is set, users must pass all LinEn settings via a text file or via command line arguments

Configuration File
You can create a configuration file to fill in some or all of the variables. The configuration file needs to
be in the format OptionName=Value. All of these options have the same restrictions as their
command line counterparts.
Options for the configuration file are:

EvidencePath Path and file name of the evidence to be created

EvidenceName Name of the evidence within the evidence file

CaseNumber Case number of the evidence

Examiner Examiner's name

EvidenceNumber Evidence number

AlternatePath A semicolon delimited list of alternate paths

Notes Notes

MaxFileSize Maximum file size of each evidence file

Compress Level of compression (0=none, 1=fast, 2=best)

Granularity Error granularity in sectors



BlockSize Sectors per block for the evidence file

Hash Turn on (TRUE) or turn off (FALSE) MD5 hashing

SHA1 Turn on (TRUE) or turn off (FALSE) SHA-1 hashing

Device Device to be acquired or hashed

CommandLine Exit if a required variable is not filled out (TRUE or FALSE)

AcquireMode Acquire the device chosen (TRUE or FALSE)

HashMode Hash the device chosen (TRUE or FALSE)

Note: Any options specified on the command line take precedence over those in the configuration file.
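The following is an added example, not part of LinEn or this manual, that writes, parses and checks a configuration file in the OptionName=Value form before a non-interactive (-cl) run, so that a scripted acquisition fails on the workstation rather than in the field. The option names and the length and range limits are the ones documented in the two tables above; the thread and verbosity tags are included on the assumption that any full tag accepted on the command line is also accepted in the file, as the Verbose entry implies. Which values are mandatory for a -cl run is not stated in the manual, so the required set (Device always, EvidencePath when acquiring) and the handling of # comment lines are assumptions of this example. The sample configuration is constructed, not from a real case.

```python
"""Added example: build, parse and validate a LinEn configuration file
(OptionName=Value lines) for a non-interactive run. Limits come from the
manual's option tables; the required-value rules and comment handling are
assumptions of this example. Illustrative code, not LinEn's own."""
from typing import Dict, List

# (kind, limit) per option: strings carry a maximum length, ints a (min, max) range.
SPEC = {
    "EvidencePath": ("str", 32768),
    "EvidenceName": ("str", 50),
    "CaseNumber": ("str", 64),
    "Examiner": ("str", 64),
    "EvidenceNumber": ("str", 64),
    "AlternatePath": ("str", 32768),
    "Notes": ("str", 32768),
    "Device": ("str", 32768),  # assumed limit; the manual documents none
    "MaxFileSize": ("int", (1, 10485760)),
    "Compress": ("int", (0, 2)),
    "Granularity": ("int", (1, 1024)),
    "BlockSize": ("int", (1, 1024)),
    "Readers": ("int", (1, 5)),
    "Workers": ("int", (1, 20)),
    "Hash": ("bool", None),
    "SHA1": ("bool", None),
    "Hasher": ("bool", None),
    "ReadErrors": ("bool", None),
    "Verbose": ("bool", None),
    "CommandLine": ("bool", None),
    "AcquireMode": ("bool", None),
    "HashMode": ("bool", None),
}


def parse_config(text: str) -> Dict[str, str]:
    """Read OptionName=Value lines. Blank lines and lines starting with '#'
    are skipped (comment support is an assumption, not a documented feature)."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed configuration line: {raw!r}")
        name, value = line.split("=", 1)
        opts[name.strip()] = value.strip()
    return opts


def validate(opts: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the file is acceptable."""
    errors: List[str] = []
    for name, value in opts.items():
        if name not in SPEC:
            errors.append(f"unknown option {name}")
            continue
        kind, limit = SPEC[name]
        if kind == "str" and len(value) > limit:
            errors.append(f"{name} longer than {limit} characters")
        elif kind == "int":
            lo, hi = limit
            if not value.isdigit() or not lo <= int(value) <= hi:
                errors.append(f"{name} must be an integer between {lo} and {hi}")
        elif kind == "bool" and value.upper() not in ("TRUE", "FALSE"):
            errors.append(f"{name} must be TRUE or FALSE")
    acquire = opts.get("AcquireMode", "FALSE").upper() == "TRUE"
    hashing = opts.get("HashMode", "FALSE").upper() == "TRUE"
    if acquire == hashing:  # the manual: one mode, never both, never neither
        errors.append("exactly one of AcquireMode and HashMode must be TRUE")
    # Assumed mandatory values for a -cl run.
    if "Device" not in opts:
        errors.append("Device is required")
    if acquire and not opts.get("EvidencePath"):
        errors.append("EvidencePath is required in AcquireMode")
    return errors


def render_config(opts: Dict[str, str]) -> str:
    """Serialize back to OptionName=Value lines."""
    return "".join(f"{k}={v}\n" for k, v in opts.items())


def effective_options(file_opts: Dict[str, str], cli_opts: Dict[str, str]) -> Dict[str, str]:
    """Command-line options take precedence over the configuration file."""
    merged = dict(file_opts)
    merged.update(cli_opts)
    return merged


# Constructed sample configuration (not from a real case).
SAMPLE_CONFIG = """\
# constructed example for a drive-to-drive acquisition
Device=/dev/sda
EvidencePath=/mnt/storage/case001/evidence01.E01
EvidenceName=Laptop HDD
CaseNumber=2012-0001
Examiner=J. Doe
EvidenceNumber=E01
Notes=Drive-to-drive acquisition with LinEn
MaxFileSize=640
Compress=1
Granularity=64
BlockSize=64
Hash=TRUE
SHA1=TRUE
CommandLine=TRUE
AcquireMode=TRUE
HashMode=FALSE
"""
```

Run validate() on the parsed file before handing it to linen -cl -j; a non-empty list is the same error you would otherwise discover only after booting the subject machine.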
Once the selected operation is complete, results print to the console. Read errors and read error sectors
show only if there are actual errors.

Hashing Results
 Name: <EvidenceName>
 Sectors: 0-<TotalSectors>
 MD5 Value: <Md5Value>
 SHA1 Value: <SHA1Value>
 Read Errors: <ReadErrors> The hash value may not be accurate
 Read Error Sectors: <start1>-<stop1>, <start2>-<stop2>, etc.

Acquisition Results
 <EvidenceName> acquired to <EvidencePath>
 Elapsed Time: <ElapsedTime>
 MD5 Value: <Md5Value>
 SHA1 Value: <SHA1Value>
 Read Error Sectors: <start1>-<stop1>, <start2>-<stop2>, etc.

Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)


EnCase applications can detect and image DCO and/or HPA areas on any hard disk conforming to the
ATA-6 or later specifications. The DCO and HPA areas are detected using LinEn (Linux) or the
FastBloc SE module. The application now shows whether a DCO area exists in addition to an HPA area
on a target drive.
FastBloc SE is a separately purchased component.
An HPA is a special area located at the end of a disk. It is usually configured so that the casual observer
cannot see it, and it can only be accessed by a low level reconfiguration of the disk. HPA and DCO are
extremely similar; the difference is how they are set. An HPA is created with the ATA SET MAX
ADDRESS command, whose volatile bit determines whether a removed HPA is restored at the next
reset, and the hidden capacity is revealed by READ NATIVE MAX ADDRESS. A DCO is created with
DEVICE CONFIGURATION SET and hides capacity even from READ NATIVE MAX ADDRESS, so it
is only revealed by DEVICE CONFIGURATION IDENTIFY. An acquisition that reports fewer sectors
than the drive label states is a practical hint that one or both are present. When supported, EnCase
applications see both areas if they coexist on a hard drive. For more information, see HPA and DCO
Configured Disks.

Acquiring a Disk Running in Direct ATA Mode


If the Linux distribution supports Direct ATA mode, the LinEn main screen shows a Mode option. The
mode must be set before the disk is acquired. A disk in Direct ATA mode can be acquired via the
drive-to-drive method. Direct ATA mode is needed when the evidence drive has a host protected area
(HPA) or device configuration overlay (DCO): only Direct ATA mode can see and acquire these areas.
Prerequisites: LinEn is configured as described in LinEn Setup, autofs is disabled (cleared), and the
Linux distribution supports Direct ATA mode.
To acquire a disk in Direct ATA mode:
1. If the FAT32 storage partition that will hold the evidence file has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type ./linen in the console.

The LinEn Main Screen displays.

3. Select Mode, then select Direct ATA Mode.

The disk can now be acquired in ATA mode.

4. Continue the drive-to-drive acquisition from Step 3 of Drive-to-Drive Acquisition Using LinEn.

Mode Selection
LinEn starts up in BIOS mode. A disk acquired in this mode reports only the disk size as seen and
translated by the BIOS. As a result, no data contained in a DCO are seen or reported. The Mode
selection in LinEn provides a solution.
Notice Disk1 in the figure. It shows a disk size of 26.8 GB. If this is acquired now, only that quantity of
data is identified.

The Linux distribution in use must support Direct ATA mode for this function to work.
To test for the presence of a DCO:

1. Start LinEn in the normal manner on a computer that supports Direct ATA. The main screen
shows a Mode button.

2. Enter M to select Mode. A second screen displays offering three acquisition selections:

BIOS

ATA

Cancel

3. Enter A to select ATA Mode.

If a DCO is present on the disk, the original LinEn screen reports the correct disk size and the
correct number of sectors. Disk1 in the following illustration shows the true disk size, 75.5 GB.

Acquire the disk according to protocol.

Crossover Cable Preview or Acquisition


Prerequisites: you have a LinEn boot disk, and the investigator has identified the subject drive to be
acquired.
To do a crossover cable acquisition:
1. Boot the subject (source) machine from the LinEn boot disk. Ensure the subject machine has an
operable optical drive and will actually boot from the CD rather than from its internal disk.
2. Connect the forensic machine to the subject machine using a crossover cable.
3. In Linux, ensure that the subject machine has an IP address assigned and a NIC loaded correctly
by typing ifconfig eth0. If no IP address is assigned, assign one by typing
ifconfig eth0 10.0.0.1 netmask 255.0.0.0, and check the IP address assignment
again by typing ifconfig eth0. The forensic machine needs its own address on the same
subnet (for example, 10.0.0.2) before it can reach the subject machine.

4. Navigate to the folder where LinEn resides and type ./linen in the console to run LinEn.

The LinEn Main Screen displays.

5. Select Server, and press Enter.

The message Waiting to connect should display.

6. On the forensic machine, specify an IP address of 10.0.0.1 for the subject machine.
7. Launch EnCase on the forensic machine.
8. On the Home page, create a new case or open an existing case.
9. Click Add Evidence > Add Crossover Preview.
10. Select Network Crossover, and click Select.
11. Select the physical disk or logical partition to acquire or preview and click OK.
You can preview and acquire the contents of the device through EnCase. For more information about
acquisition, see Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) and
Acquiring a Disk Running in Direct ATA Mode, earlier in this chapter.

LinEn Evidence Verification and Status Reporting


You can now verify evidence files and review the status of the verification using LinEn.

Evidence Verification
Verify Menu Option

1. Select Verify on the LinEn main screen. A dialog asks you to specify a path.
2. Enter the path and name of the evidence file to be verified.
3. Select OK, then press Enter.
4. The Acquire Device dialog asks if you want to verify the evidence file.
5. Select Yes, then press Enter.
6. Verification displays on the same status screen as the acquisition.

Status Reporting
 The status screen contains a Verify option, indicating whether the evidence file will be verified
after acquisition.
 The status bar at the bottom of the screen displays the number of bytes read and written, as
well as percent complete.
 After acquisition, the Acquisition Completed dialog shows compression percentage.

Hashing the Subject Drive Using LinEn


1. Navigate to the folder where LinEn resides and enter ./linen in the console. The LinEn Main
Screen displays.

2. Click Hash.

3. Select a drive, then click OK. The Start Sector dialog displays.

4. Specify a start sector to hash, then click OK. By default, the field prepopulates with a start
sector of 0.

5. Specify a stop sector to hash, then click OK. By default, the field prepopulates with a stop
sector of the last sector of the drive or partition being analyzed.

6. Select an algorithm to use in performing the hash. The options are MD5 and SHA1.
7. A hash value is calculated for the selected sectors. You can save this hash value to a file.
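The following is an added example, not part of LinEn or this manual, that shows what the hashing procedure above and the Hashing Results and Acquisition Results sections earlier in this chapter describe: a sector range is read in blocks of BlockSize sectors, a block that fails is re-read in Granularity-sized pieces, the pieces that still fail are zero-filled and reported as Read Error Sectors, and MD5 and SHA-1 are computed over what was actually read, with a flag that the hash may not be accurate. The retry-at-granularity model illustrates what the Granularity setting trades off (a small value localizes the damage, a large one zero-fills more good data) and is not a claim about LinEn's exact implementation. The device, its contents and its bad sector are constructed in memory.

```python
"""Added example: hash a sector range the way LinEn's Start/Stop Sector hashing
and its results output describe it, with BlockSize reads, Granularity-sized
retries on error, zero-filled failed sectors and a list of read error ranges.
Illustrative code, not LinEn's own; the device below is an in-memory stand-in."""
import hashlib
from typing import Dict, Iterable, List, Tuple

SECTOR = 512


class BadSectorError(IOError):
    pass


class FakeDevice:
    """In-memory stand-in for a block device; any read touching a bad sector fails,
    as a real block read would."""

    def __init__(self, data: bytes, bad_sectors: Iterable[int] = ()):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def total_sectors(self) -> int:
        return len(self.data) // SECTOR

    def read(self, start: int, count: int) -> bytes:
        if any(s in self.bad for s in range(start, start + count)):
            raise BadSectorError(f"unreadable sector in {start}-{start + count - 1}")
        return self.data[start * SECTOR:(start + count) * SECTOR]


def _merge(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Collapse adjacent or overlapping sector ranges into the start-stop form
    used in the results output."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(hi, merged[-1][1]))
        else:
            merged.append((lo, hi))
    return merged


def hash_sectors(dev: FakeDevice, start: int, stop: int,
                 block_size: int = 64, granularity: int = 64) -> Dict:
    """Hash sectors start..stop inclusive. Defaults mirror LinEn's 64-sector block."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    errors: List[Tuple[int, int]] = []
    pos = start
    while pos <= stop:
        count = min(block_size, stop - pos + 1)
        try:
            chunk = dev.read(pos, count)
        except BadSectorError:
            # The block failed: re-read it in granularity-sized pieces so that
            # only the pieces that really fail are zero-filled and reported.
            pieces = []
            gpos = pos
            while gpos < pos + count:
                gcount = min(granularity, pos + count - gpos)
                try:
                    pieces.append(dev.read(gpos, gcount))
                except BadSectorError:
                    pieces.append(b"\x00" * (gcount * SECTOR))
                    errors.append((gpos, gpos + gcount - 1))
                gpos += gcount
            chunk = b"".join(pieces)
        md5.update(chunk)
        sha1.update(chunk)
        pos += count
    return {
        "sectors": (start, stop),
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "read_error_sectors": _merge(errors),
        "hash_may_be_inaccurate": bool(errors),
    }


# Constructed 256-sector device contents with a recognizable byte pattern.
SAMPLE_DATA = bytes((i * 31 + 7) % 256 for i in range(256 * SECTOR))
```

With sector 70 unreadable, the reported range is 64-127 at the default granularity of 64, 64-71 at a granularity of 8 and 70-70 at a granularity of 1; the digests differ in each case, which is why the results output warns that the hash may not be accurate whenever any read error occurred, and why a hash of a sub-range that avoids the damage (sectors 0-63 here) is still usable for comparison.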

LinEn Manual Page


LinEn now includes a man page containing detailed information on block size and error granularity.
You can access it via the command line or from the Help button in the user interface.

Accessing from a Command Line


1. Place the linen.1.gz file in one of the man paths.
2. Type the command man linen.
3. Press Enter.
4. The man page displays.

Accessing from the User Interface


1. Place the linen.1.gz file in one of the man paths.
2. Type the command ./linen.

3. In the user interface, select the Help button, then press Enter.

4. The man page displays.


CHAPTER 16

EnCase Decryption Suite


In This Chapter
• Overview
• EDS Commands and Tabs
• Safeboot Encryption Support
• Utimaco SafeGuard Easy Encryption Support
• Check Point Full Disk Encryption Support (Volume Encryption)
• BitLocker Encryption Support (Volume Encryption)
• WinMagic SecureDoc Encryption Support
• GuardianEdge Encryption Support
• PGP Whole Disk Encryption (WDE) Support
• CREDANT Encryption Support (File-Based Encryption)
• McAfee Endpoint Encryption Support
• Symantec and McAfee EndPoint Encryption Support
• S/MIME Encryption Support
• NSF Encryption Support
• Lotus Notes Local Encryption Support
• Windows Rights Management Services (RMS) Support
• Windows Key Architecture
• Dictionary and Built-In Attacks

Overview
EnCase Decryption Suite (EDS) enables the decryption of encrypted files and folders by domain and
local users. You can use EDS on the following forms of encryption:
• Disk and volume encryption
    • Microsoft BitLocker
    • GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption
    • Utimaco SafeGuard Easy
    • McAfee SafeBoot
    • WinMagic SecureDoc Full Disk Encryption
    • PGP Whole Disk Encryption
    • Checkpoint FDE (Full Disk Encryption)
• File based encryption
    • Microsoft Encrypting File System (EFS)
    • CREDANT Mobile Guardian
    • RMS
• Mounted files
    • PST (Microsoft Outlook)
    • S/MIME encrypted email in PST files
    • NSF (Lotus Notes)
    • Protected storage (ntuser.dat)
    • Security hive
    • Active Directory 2003 (ntds.dit)
    • EnCase Logical Evidence File Version 2 Encryption

Disk and Volume Encryption


When an Evidence File (.E01) or a new physical disk is added to a new case, the Master Boot Record
(MBR) is checked against known signatures to determine whether the respective disk is encrypted.
If the disk is encrypted, EnCase requests user credentials (see Supported Encryption Products on page
288 for a table listing required credentials for supported encryption products). Note that the
disk/volume encryption support in EnCase works only at the physical level.
• If the credentials are not correct, the User Credential dialog is displayed again. Enter the
correct credentials to exit the dialog, or press Cancel.
• If the correct credentials are entered, EnCase decrypts the disk. No password attacks are
supported.
EDS supports these disk/volume encryption products:
• Microsoft BitLocker
• GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption
• Utimaco SafeGuard Easy
• McAfee SafeBoot
• WinMagic SecureDoc Full Disk Encryption
• PGP Whole Disk Encryption
• Checkpoint Full Disk Encryption

Supported Encryption Products


The table below shows encryption products supported by EDS and credentials you need to provide in
order to use them with EnCase.

Product                                 Password  User  Domain  Machine             Server  Path                              Other
GuardianEdge Encryption Plus            X         X
GuardianEdge Encryption Anywhere        X         X     X
GuardianEdge Full Disk Encryption       X         X     X
Utimaco SafeGuard Easy                  X         X
McAfee SafeBoot Online                  X         X             X                   X                                         Algorithm
SafeBoot Offline                                                X                           X                                 Algorithm
CREDANT Mobile Guardian Online          X         X             Machine CREDANT ID  X                                         Shield CREDANT ID
Mobile Guardian Offline                 X         X
Microsoft BitLocker                                                                         X                                 Key
Microsoft Encrypting File System (EFS)  X                                                                                     Keys
ZIP                                     X
Lotus Mail                              X                                                                                     ID File
S/MIME                                  X                                                                                     PFX
PGP Whole Disk Encryption               X                                                   ADK requires path and passphrase  Passphrase, ADK, WDRT
FDE (Check Point)                       X         X                                         Recovery file path                Challenge/response

EDS Commands and Tabs


Analyze EFS
The Analyze EFS command scans a volume for data and processes it. You can also run Analyze EFS
from the secure storage; in that instance, it runs consecutively on all volumes in a case.
1. Right click the volume you want to analyze, then click Analyze EFS from the dropdown
menu.

2. The first Analyze EFS dialog displays. Click Next.



3. The second Analyze EFS dialog displays with the Documents and Settings Path and Registry
Path fields populated by default. For unusual system configurations, data disks, and other
operating systems these values will be blank. You can modify them to point to the user profile
folders and/or the registry path.

4. Click Next to begin the scan.


5. When the scan is complete, the EFS Status dialog shows statistical information on keys found
and decrypted and registry passwords recovered.

6. When you are done reviewing the EFS status, click Finish.
Note: Analyze EFS can also pop up the Syskey and Password Recovery Disk screens.

Missing Images
If images that should have rendered display as blank, select the arrow dropdown menu in Evidence
view and click Clear invalid image cache.

Secure Storage Tab


To organize security data gathered using Analyze EFS, EnCase includes a Secure Storage tab which
displays passwords, keys, and other items parsed from the system files and registry.
Although the tab is always present in the interface, you must install the EDS module to enable most of
the functionality.

Secure Storage Tab and EFS


To populate the Secure Storage tab:
1. Run Analyze EFS.
2. Select the Secure Storage tab.

3. Click an item in the Secure Storage tree to view its contents.

Enter Items

Enter Syskey
You can enter Syskey information before running the Analyze EFS wizard, or afterwards if the wizard
is already completed.
1. Click View > Secure Storage.

2. Click on the right-sided menu for the Table tab and click Enter Items...

3. Select the location of the Syskey (for example, a file path or a floppy disk) or enter the
password manually.
4. Click OK.

User Password
If you know the user's password:
1. Right click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the User Password tab.
3. Enter the password.

4. Click OK.

If the Syskey is protected and you do not know the password, an attack on the SAM file for user
passwords will not be successful. This is a rare situation. Most Windows machines will not have a
protected Syskey. EDS includes a dictionary attack option to get past a protected Syskey. You can
obtain dictionary files from a number of sources. To access setup, right click the root of Secure Storage
and select Dictionary Attack.
During the Analyze EFS scanning of the registry, EnCase alerts you if the Syskey is password
protected or has been exported to a floppy disk. In these cases, the Analyze EFS wizard prompts you
to enter the Syskey password and/or insert the floppy disk containing the Syskey or browse to the
Syskey file location. The Syskey file is called startkey.key, and you should examine any floppy
disks collected at a scene for the presence of this file. If the Syskey file is recovered on a floppy disk, it
can be copied/unerased from EnCase to the examination machine, and you can browse to the
startkey.key location. This process is the same as when you use the Password Recovery Disk.

Password Recovery Disk


Windows XP and 2003 Server enable local users to create a recovery disk containing their encrypted
password. The disk is designed to allow users to reset their password if they forget it, without losing
all of their EFS encrypted files and other important security credentials. The file is called
userkey.psw, and you should examine floppy diskettes recovered at the scene for the presence of
this file.
1. With the floppy disk inserted, or the file copied to a hard drive, right click the root entry of
Secure Storage.
2. Select Enter Items from the dropdown list, then select the Password Recovery Disk tab.

3. Click the option button, File or Floppy, where the file is located.
4. Enter the path or browse to it, then click OK.

Private Key File


If the logon password is unavailable, you can obtain the Domain Administrator's private key (PFX).
This also works for the user's key. To export and use the key:
1. As Domain Administrator, double click C:\Windows\system32\certmgr.msc to launch
the Microsoft Management Console.
2. Locate the Certificates folder containing the Domain Administrator's certificate.
3. Right click the certificate.

4. From the All Tasks menu, click Export.

5. In the Certificate Export Wizard, click Next.


6. Click Yes, export the private key, then click Next.
7. Accept the default for the export file format, then click Next.
8. Select a path and name the key (this assigns a .PFX extension), then click Next.
9. When prompted, note the password entered.
Note: The password cannot be left blank. It is needed when using the key.
10. Click Next. A confirmation window shows details about the export.
11. Click Finish to complete the export.
12. Right click the root entry of Secure Storage.
13. Select Enter Items from the dropdown list, then select the Private Key File tab.
14. Enter the path or browse to it.

15. Enter the Password in the next prompt, then click OK.

A status screen confirms successful completion and the Private Key displays in the Secure
Storage tab.

Enter Mail Certificate


You can enter a .PFX certificate to use for decrypting S/MIME-encrypted email found in PST files.
1. Right click the root entry of Secure Storage.
2. Select Enter Items from the dropdown list, then select the Enter Mail Certificate tab.

3. Enter the path to the .PFX certificate and the password.

4. Click OK.
5. The .PFX cert is decrypted and stored in Secure Storage.

Associate Selected
To associate *nix users with volumes:
1. Click View > Secure Storage.
2. Click on the right-sided menu for the Table tab and click Associate Selected...

3. The Associate dialog appears.

4. Expand the Volumes tree and select the volumes that you want to associate.

Secure Storage Items


In the Report tab of the View pane, you can see details about the currently selected item in the secure
storage. The Text and Hex views show the raw data. These items have the following properties:
• Name
• Encrypted
• Type
• Subtype
• Password
• Password Type
The following items are of interest:
• Aliases: These are Security Identifiers (SIDs) that point to one or more SID entities. They have
a name and a comment.
• Groups: SIDs that point to one or more SID entities. They have a name and a comment. These
are defined groups such as Administrators and Guests.
• SAM Users: These are Local Users. The details are listed in the report tab of the View pane.
• Passwords: Found and examiner added passwords appear here.
• Net Logons: These are Local Users. The details are listed in the report tab of the View pane.
• Nix User/Group: Unix users/groups
• Lotus: Lotus Notes
• Email Certificates: These are used for S/MIME decryption and signature verification.
• Disk Credentials: Persistent key cache for disk/volume encryption products
• Master Keys: Every user with a private key has a master key that protects it. The master key
itself is encrypted with a hash of the user’s Windows password.
• Private Keys: Used in the decryption of EFS files
• Internet Explorer (IE) Passwords: Passwords from IE 6
• Policy Secrets: These are LSA secrets. They include the default password and passwords for
services. Some of these secrets are not passwords but binary data placed there by the system
and applications.
• SAM Keys/Policy Keys/Dpapi/CERT: For internal use

Safeboot Encryption Support


EnCase provides a way for you to view SafeBoot encrypted hard drives during an investigation. This
feature is automatically available to anyone using EnCase V7 with an EDS cert included with the
software. This feature is only supported for the EnCase V7 32-bit platform.
Additional SafeBoot support documentation can be found at
https://support.guidancesoftware.com/node/1551.
Before running the SafeBoot decryption:
1. Install the SafeBoot Installer from the Guidance Software Support Portal:
https://support.guidancesoftware.com/forum/downloads.php?do=file&id=170
2. From the SafeBoot server, copy the following files to your EnCase installation folder (for
example, C:\Program Files\EnCase7\Lib\SafeBoot). The files on your SafeBoot
Client machine (c:\Program Files\SafeBoot) do not work.
• SBAlg.dll
− Copy this file from the SafeBoot server under investigation.
− Be sure this is the file that matches the algorithm selected during the server
installation (the most common is AES-FIPS).
− To verify the algorithm for a particular DLL, view the properties description. The
corresponding SafeBoot algorithm can be referenced on the SafeBoot server by
replacing <algorithm> in the path with the name of the encryption algorithm
that was used to encrypt the drive. For example, for the AES256 - FIPS
algorithm the path to the DLL file is C:\Program Files\SBAdmin\ALGS\AES256 - FIPS\SBAlg.dll.
• SDMCFG.INI
− This file supplies the logon ID and password to use in case of an automated start.
− It also contains a pointer to the port the server should speak on and its public and
private key information. Make sure that this port is open so the server and clients
can communicate.
− This file is required for online usage and keeps the communication port open
between SafeBoot server and clients.
− SafeBoot clients V5+ can send encrypted data to a V5 server.
− V4 clients cannot send encrypted data to a V5 server, so for online usage, change
AuthType to 0 in the .ini file so you can decrypt both V5 and V4 clients.
− If you do not have or cannot get the SDMCFG.INI file, try creating a new empty text
file with this name instead. It needs to be there to work (even if it is an empty file).
3. Restart EnCase.

Once these steps are completed, SafeBoot displays in the Help/About screen.

Note: If no EDS cert is found or the integration dlls are not properly installed, the physical device
mounts, but the encrypted file structure cannot be parsed. Since SafeBoot overwrites the original MBR
only for the boot disk, always preview the boot disk first, then preview any other disk in a multi-disk
machine configuration.
To acquire a SafeBoot encrypted device:
1. Use the Add Device wizard to add the physical device.
2. In the Evidence tab, click the device under the Name column.

3. When prompted, select the appropriate encryption algorithm from the list, then enter a user
name, server name, machine name, and password when in online mode.

The SafeBoot encrypted drive is parsed.

The offline dialog is similar. The Online checkbox is blank and only the Machine Name,
Transfer Database field, and Algorithm are available:

4. Save the case once a successful decryption is complete. The credentials entered in the dialog
are stored in Secure Storage, eliminating the need to enter them again.

When a decryption is successful, the Tree pane shows a SafeBoot folder, the Table pane contains a list
of decrypted files while the Text pane shows contents of a decrypted file.

The next figure shows the same files as they display encrypted.

Utimaco SafeGuard Easy Encryption Support


EnCase provides a way to view SafeGuard Easy (SGE) encrypted hard drives during an investigation.
This feature is only available to a user with an EDS cert enabled.
Note: If no EDS cert is found or the integration DLLs are not properly installed, the physical device mounts, but the
encrypted file structure cannot be parsed. Since SafeGuard Easy overwrites the original MBR only for the boot disk, only the
boot disk can be decrypted in EnCase.
1. Use the Add Device wizard to add the physical device.
2. EnCase detects the device and displays a username and password dialog.

3. Enter a valid username and password when in online mode.


4. Click OK.
5. Once a successful decryption is complete, save the case. The credentials entered in the dialog
are stored in Secure Storage, eliminating the need to enter them again.
Note: If the password is empty, the Challenge/Response wizard opens. For more information, see
Utimaco Challenge/Response Support.

Supported Utimaco SafeGuard Easy Encryption Algorithms


EnCase's Utimaco SafeGuard Easy decryption feature supports these encryption algorithms:
• AES192
• AES256
• DES
• 3DES

Utimaco Challenge/Response Support


Utimaco has an alternate method for decrypting their data using a challenge/response code. Once the
code is authenticated, EnCase returns the key and any additional data (such as encrypted sectors)
necessary to decrypt the data.

1. In the SGE credentials dialog, enter a user name but leave the password blank.

2. Click OK.
3. A Challenge Response dialog displays with the challenge code in blue. Keep this dialog open
while performing the next steps.
4. Log in as Administrator. On the Windows Start page, click All Programs > Utimaco >
SafeGuard Easy > Response Code Wizard.

5. The Welcome dialog displays.



6. Click Next to begin generating a one time password (OTP). The Authorization Account dialog
displays.

7. Click Next. The Remote User ID dialog displays.

8. Enter the User ID that was used to derive the challenge code, then click Next.

9. The Challenge Code dialog displays. Enter the challenge code generated by EnCase from step
3.

10. Click Next. The Remote Command dialog displays.

11. Select One time logon, then click Next.



12. The Summary dialog displays with the response code in blue.

13. In the EnCase dialog from step 3, select the code length and enter the response code to enable
decryption of the selected encrypted evidence.

14. Click OK.


15. In the Summary dialog from step 12, click Close to close the SafeGuard Easy Response Code
Wizard, or click New to generate a new response code from a different challenge code.

Utimaco SafeGuard Easy Encryption Known Limitation


Utimaco SafeGuard Easy treats a machine with multiple hard drives as one hard drive consisting of all
sectors of all physical hard drives.
In contrast, EnCase examines each hard drive individually. This creates a problem:
• SafeGuard Easy overwrites only the Master Boot Record (MBR) of the boot disk
• Only the boot disk is detected as encrypted and then decrypted (given the correct credentials
are entered)
This means EnCase support for SafeGuard Easy is limited to decrypting only the boot disk, because
this is the only drive detected as encrypted by examining the MBR.

Workarounds
There are two workarounds for this problem. The first solution:
1. Obtain both disks.
• The internal disk holding the SafeGuard Easy kernel (disk 1)
• The external (that is, non-bootable) disk (disk 2)
2. Open the kernel on disk 1. You can then access disk 2.
The second solution:
1. Obtain a SafeGuard Enterprise (SGN) kernel backup file of disk 1.
2. Restore disk 1 to an empty disk.
3. Add the non-bootable disk as disk 2. The information in the newly restored kernel gives you
access to disk 2.

Check Point Full Disk Encryption Support (Volume Encryption)


Check Point's volume-based encryption supports the following two types of authentication:
• Username/password
• Challenge/response
When decrypting data that uses this form of encryption, begin as follows:
1. Add your evidence or preview the local disk that contains the Check Point encrypted volumes.
2. Go to the Evidence tab.
3. A dialog will appear, prompting you for credentials. EnCase supports two types of
authentication: username/password and challenge/response. Based on the username entered
in the dialog, EnCase determines which type of authentication is used.

Username and Password Authentication


1. Select the disk on Evidence > Table. The following dialog (sample data is used here) displays,
showing the user name and location of the recovery file path:

2. Click Next.
3. The following dialog, which provides the Password in the text field, displays:

4. Click Finish to decrypt the selected disk. The following figure shows a successful decryption;
note the folder tree in the Evidence tab, and the dlls listed in the Table tab:

5. If the decryption was unsuccessful or the user canceled the dialog, the screen would appear as
follows. Note that the highlighted string "Protect!" in the View pane is a Check Point indicator
that the disk is encrypted.

Challenge-Response Authentication
1. Selecting the disk in Evidence > Table displays the same initial dialog as the user name and
password authentication dialog:

2. Click Next.

3. The following dialog indicates that the Challenge-Response form of Check Point Full Disk
Authentication was used to encrypt the selected disk. Use the Check Point tool to generate a
response for the challenge shown in the dialog. Copy the Response from the tool into the
EnCase dialog.

4. Click Finish. If the EnCase Evidence tab and Table view appear as they do below, with no
partitions, folders, or files visible, and the "Protect!" string visible in the View pane, then the
decryption was unsuccessful (or the user canceled the dialog). It is possible that the Response
is incorrect or that Check Point is unable to decrypt the selected disk.

BitLocker Encryption Support (Volume Encryption)


Microsoft's BitLocker is available in Windows Vista Enterprise, Ultimate, and Windows 7 for client
computers and Windows Server 2008. It encrypts an entire volume using one of three modes to store
the encryption key:
• Transparent operation mode (requires Trusted Platform Module [TPM])
• User Authentication mode (requires TPM)
• USB Key mode (does not require TPM)
When BitLocker is enabled, a large file is created that holds all of unallocated (UAC) space, minus 6
Gigabytes.
Note: EnCase also supports Windows 7 BitLocker to Go.

Recovery Key and Recovery Password Files


The recovery key is a file with a GUID name (for example, 67FA3445-29D7-4AB5-8D0F-
7F69B88D1C04.BEK).
The recovery password is stored in a file with a GUID name (for example AE15E17A-C79E-4D3F-889F-
14FBF6E0F9E.TXT).

These keys are matched by Key Protector GUID in the BitLocker metadata.

Decrypting a BitLocker Encrypted Device Using Recovery Key


1. Add a BitLocker encrypted device into EnCase using Add Device or drop and drag.
2. The BitLocker Credentials dialog displays.

3. The Recovery Key option button is selected by default. Browse to the location of the required
.BEK recovery key.

4. Browse to the folder containing BitLocker keys and select the specified .BEK file.

5. Click OK.

Decrypting a BitLocker Encrypted Device Using Recovery Password


1. Add a BitLocker encrypted device into EnCase using Add Device or drop and drag.
2. The BitLocker Credentials dialog displays.

3. Select the Recovery Password option button.


4. Browse to the folder containing BitLocker keys.

5. Find and open the .TXT file that matches the Password ID.

6. Copy and paste the recovery password into the BitLocker Credentials dialog.

7. Click OK.
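Both procedures above rely on the Key Protector GUID: the recovery key (.BEK) and recovery password (.TXT) file names carry the GUID that the BitLocker metadata lists for the matching key protector. The following added example (not EnCase code) indexes a folder listing by that GUID, reports which protector GUIDs read from a volume's metadata have a file in the folder, and checks that a 48-digit recovery password copied out of the .TXT file is well formed before it is pasted into the BitLocker Credentials dialog. The well-formedness rule (eight 6-digit groups, each divisible by 11 with a quotient below 65536) is general BitLocker knowledge rather than something this guide states; the first GUID is the one quoted above, while the second GUID, the .TXT contents, the password and all function names are constructed for the example.

```python
import re

# Key Protector GUID as it appears in a .BEK or .TXT recovery file name.
GUID_RE = re.compile(
    r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.IGNORECASE)
# 48-digit recovery password: eight groups of six digits separated by hyphens.
PASSWORD_RE = re.compile(r"\b\d{6}(?:-\d{6}){7}\b")


def guid_from_filename(name):
    """GUID embedded in a recovery file name, normalized to upper case, or None."""
    match = GUID_RE.search(name)
    return match.group(0).upper() if match else None


def index_recovery_files(filenames):
    """Map each Key Protector GUID to the recovery files carrying it."""
    index = {}
    for name in filenames:
        guid = guid_from_filename(name)
        if guid is None:
            continue  # not a BitLocker recovery file name
        lowered = name.lower()
        if lowered.endswith(".bek"):
            kind = "recovery_key"
        elif lowered.endswith(".txt"):
            kind = "recovery_password"
        else:
            continue
        index.setdefault(guid, {})[kind] = name
    return index


def match_key_protectors(protector_guids, filenames):
    """For each protector GUID taken from the volume metadata, list matching files
    (an empty dict means no recovery material for that protector in the folder)."""
    index = index_recovery_files(filenames)
    return {guid.upper(): index.get(guid.upper(), {}) for guid in protector_guids}


def is_well_formed_recovery_password(password):
    """Each 6-digit group must be divisible by 11 and, divided by 11, fit in 16 bits;
    the eight 16-bit values make up the 128-bit recovery key. This is the standard
    BitLocker password format check, not a rule stated in this guide."""
    if not PASSWORD_RE.fullmatch(password):
        return False
    for group in password.split("-"):
        value = int(group)
        if value % 11 != 0 or value // 11 > 0xFFFF:
            return False
    return True


def extract_recovery_password(text):
    """Return the first well-formed recovery password found in a .TXT file's text."""
    for match in PASSWORD_RE.finditer(text):
        if is_well_formed_recovery_password(match.group(0)):
            return match.group(0)
    return None


if __name__ == "__main__":
    # Constructed folder listing: the first GUID is the example quoted in this guide,
    # the second is made up, and notes.txt is an unrelated file.
    listing = [
        "67FA3445-29D7-4AB5-8D0F-7F69B88D1C04.BEK",
        "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0.TXT",
        "notes.txt",
    ]
    # Constructed protector GUIDs as an examiner would read them from the metadata.
    metadata_guids = ["0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0",
                      "11111111-2222-3333-4444-555555555555"]
    for guid, files in match_key_protectors(metadata_guids, listing).items():
        print(guid, files if files else "no recovery file in this folder")
    # Constructed .TXT contents with a well-formed (but meaningless) password.
    sample_txt = "Recovery Key:\n\t111111-222222-333333-444444-555555-666666-000011-000022\n"
    print(extract_recovery_password(sample_txt))
```

A password that fails the format check has almost certainly been mistyped or damaged in transcription, which is worth knowing before EnCase reports an unsuccessful decryption.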

Full Volume Encryption (FVE) AutoUnlock Mechanism


Encrypted data volumes are decrypted on the fly, given that the boot volume was successfully
decrypted by:
• Providing a valid recovery key or recovery password
• Running Analyze EFS on the decrypted boot volume
Each data volume has a corresponding registry key
(SYSTEM\ControlSet0xx\FVEAutoUnlock\{GUID}) containing the key (AutoUnlock Volume
Key, or AUVK) that can decrypt the Volume Master Key of that particular volume. This key has an
associated GUID matching the GUID of a key protector in the data volume metadata.
The picture below shows AutoUnlock registry keys for three volumes.

This picture shows Secure Storage after the Analyze EFS process:

Physical RAID Encryption Support


BitLocker supports only physical RAIDs, not logical RAIDs.

RAID 1: Example Using Two Physical Drives


1. Add a BitLocker encrypted primary RAID 1 volume into EnCase using Add Device or drop
and drag. This primary volume consists of:
• The boot disk
• The BitLocker volume (which is not encrypted)
2. The BitLocker Credentials dialog displays.
3. Provide the credentials. See Decrypting a BitLocker Encrypted Device Using Recovery Key or
Decrypting a BitLocker Encrypted Device Using Recovery Password for details.
4. Click OK. EnCase decrypts the volume.
5. Add each additional physical disk in order, repeating steps 2-4 for each disk as needed.
Note: For information on acquiring and building RAIDs, see How to Acquire RAIDs
(https://support.guidancesoftware.com/node/100) on the Guidance Software Support Portal.

RAID 5: Example Using Three Physical Drives


To parse a RAID 5 drive, you must first build the RAID in EnCase.
1. Add a BitLocker encrypted primary RAID 5 volume into EnCase using Add Device or drop
and drag. This primary volume consists of:
• The boot disk
• The BitLocker volume (which is not encrypted)
2. Add each additional physical disk using Add Device or drop and drag.
Note: The BitLocker Credentials dialog does not display until you finish building the RAID. For
information on acquiring and building RAIDs, see How to Acquire RAIDs
(https://support.guidancesoftware.com/node/100) on the Guidance Software Support Portal.
3. When you finish building the RAID, EnCase displays the BitLocker Credentials dialog.
4. Provide the credentials. See Decrypting a BitLocker Encrypted Device Using Recovery Key or
Decrypting a BitLocker Encrypted Device Using Recovery Password for details.
5. Click OK. EnCase decrypts all available volumes.

Successful BitLocker Decryption


When decryption is successful, the volume's file system type displays in the first sector.

Unsuccessful BitLocker Decryption


If decryption fails, FVE-FS displays in the first sector.

Saved BitLocker Credentials in Secure Storage


After successful authentication, EnCase saves credentials in Secure Storage, so you do not have to re-
enter them the next time you open the saved case.

WinMagic SecureDoc Encryption Support


You can access the hard drive of a system encrypted with SecureDoc software. EnCase supports
SecureDoc version 4.5 and above.
There are three ways to add SecureDoc disks to EnCase:
• Preview the hard drive.
• Use the Add Device wizard.
• Drag evidence files into EnCase.

Once you preview a machine's disk or open an evidence file, the Master Boot Record (MBR) is checked
against known signatures to determine whether the disk is encrypted. The SecureDoc signature is
WMSD.
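Several sections of this chapter identify an encryption product by what EnCase shows in the first sector of a device: the SecureDoc MBR signature WMSD above, the Check Point "Protect!" string shown in the View pane, and the FVE-FS text that BitLocker leaves in the first sector of a volume that was not decrypted. The following added example (not EnCase or vendor code) performs that first-sector triage on a raw image so an examiner can tell, before entering credentials, which product to expect and whether a plaintext file system is already visible. Only the three indicator strings come from this guide; the offsets used in the constructed sample sectors, the NTFS/FAT marker offsets, the 0x55AA boot-signature check and all function names are my own assumptions.

```python
import io

SECTOR_SIZE = 512

# Indicators quoted in this guide (offsets are not given, so the whole sector is searched).
ENCRYPTION_INDICATORS = (
    (b"WMSD", "WinMagic SecureDoc"),
    (b"Protect!", "Check Point Full Disk Encryption"),
    (b"FVE-FS", "Microsoft BitLocker"),
)

# Plaintext file system OEM/label strings (general knowledge, not from this guide):
# the NTFS OEM ID is at offset 3 of the boot sector, FAT32's label at 0x52 and
# FAT12/16's at 0x36. Seeing one of these after decryption is the "file system type
# displays in the first sector" success indicator described later in the chapter.
FILESYSTEM_MARKERS = (
    (3, b"NTFS    ", "NTFS"),
    (0x52, b"FAT32   ", "FAT32"),
    (0x36, b"FAT16   ", "FAT16"),
    (0x36, b"FAT12   ", "FAT12"),
)


def read_first_sector(stream, sector_size=SECTOR_SIZE):
    """Read sector 0 of a raw image from a seekable binary stream."""
    stream.seek(0)
    sector = stream.read(sector_size)
    if len(sector) < sector_size:
        raise ValueError("image is shorter than one sector")
    return sector


def identify_encryption(sector):
    """Name of the product whose indicator appears in the sector, else None."""
    for marker, product in ENCRYPTION_INDICATORS:
        if marker in sector:
            return product
    return None


def identify_filesystem(sector):
    """Plaintext file system named by the sector's OEM/label field, else None."""
    for offset, marker, name in FILESYSTEM_MARKERS:
        if sector[offset:offset + len(marker)] == marker:
            return name
    return None


def has_boot_signature(sector):
    """0x55AA in the last two bytes, present on a valid MBR or boot sector."""
    return sector[510:512] == b"\x55\xaa"


def triage(sector):
    """Summarize what sector 0 tells an examiner before any credentials are entered."""
    return {
        "encryption": identify_encryption(sector),
        "filesystem": identify_filesystem(sector),
        "boot_signature": has_boot_signature(sector),
    }


def triage_image_bytes(data, sector_size=SECTOR_SIZE):
    """Triage an in-memory raw image (a file object works the same via read_first_sector)."""
    return triage(read_first_sector(io.BytesIO(data), sector_size))


def make_sector(pieces, sector_size=SECTOR_SIZE):
    """Constructed test sector: {offset: bytes} laid over zero filler."""
    buf = bytearray(sector_size)
    for offset, data in pieces.items():
        buf[offset:offset + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    # Constructed samples; the placement of the indicator strings is arbitrary.
    samples = {
        "securedoc": make_sector({0x1B0: b"WMSD", 510: b"\x55\xaa"}),
        "checkpoint": make_sector({0x40: b"Protect!", 510: b"\x55\xaa"}),
        "bitlocker": make_sector({3: b"-FVE-FS-", 510: b"\x55\xaa"}),
        "ntfs_plain": make_sector({3: b"NTFS    ", 510: b"\x55\xaa"}),
    }
    for label, sector in samples.items():
        print(label, triage(sector))
```

Run against the first 512 bytes of an acquired image, the "encryption" field tells you which credentials dialog to expect; after a successful decryption the same check on the decrypted volume should report a file system instead.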

Each SecureDoc user has a key file which can contain multiple keys encrypted using a password
associated with the file.
SecureDoc users have either administrator or user privileges:
• Administrators can encrypt/decrypt drives, reset passwords, add keys to a key file, etc.
• Users can only change their passwords.
An installer is provided to place these integration DLLs in %ENCASE%\Lib\WinMagic\SecureDoc:
• SDForensic.dll
• SDC.dll
• SDUser.dll
Note: The integration is supported on the 32-bit version of EnCase.
1. When adding a SecureDoc disk, EnCase prompts for three credentials:
a. The path to the file containing the user keys (extension .dbk).
b. The password associated with the key file.

c. The path to the emergency disk folder corresponding to the physical disk under
examination.

2. Enter the credentials, then click OK.


3. If the credentials are correct, EnCase decrypts the disk and parses the file system structure.
4. When you save the case, the ranges of encrypted sectors and the original MBR are retained in
the case file for previewed drives as well as evidence files.
The disk view shows encrypted information in the Text and Hex panes for encrypted drives.
The disk view shows decrypted information in the Text and Hex panes for decrypted drives.

Acquiring the Device


Given that the correct credentials are provided, a local acquisition at the physical device level results in
acquisition of all decrypted logical volumes.
An enterprise acquisition at the physical device level results in acquisition of all sectors in an
encrypted state.
Note: To obtain decrypted data, perform a local acquisition on the result of the remote acquisition by providing the
correct credentials.
The completed acquisition contains the decrypted sectors.

GuardianEdge Encryption Support


EnCase supports the following GuardianEdge products:
• GuardianEdge Encryption Plus
• GuardianEdge Encryption Anywhere
• GuardianEdge Hard Disk Encryption
To decrypt, you need a cert file for your dongle to activate the EDS module in EnCase.
For Encryption Plus/Encryption Anywhere you also need:
• The EPCL32.dll file placed in the \lib\PC Guardian-Guardian Edge\EPHD folder in
your EnCase installation
• The EPcrypto.dll file placed in the \lib\PC Guardian-Guardian Edge\EPHD folder in
your EnCase installation
• Username
• Password
For Hard Disk Encryption/Encryption Anywhere you also need:
• The EPCL32.dll file placed in the \lib\PC Guardian-Guardian Edge\EAHD folder in
your EnCase installation
• The EAECC.dll file placed in the \lib\PC Guardian-Guardian Edge\EAHD folder in
your EnCase installation
• Username
• Password
• Domain
Upon previewing an encrypted device or adding a physical evidence file of an encrypted device,
EnCase prompts for the credentials. Once the correct credentials are added, the file and folder
structure of the device displays unencrypted.

Supported GuardianEdge Encryption Algorithms


EnCase's GuardianEdge decryption feature supports these encryption algorithms:
• AES128
• AES256

GuardianEdge Hard Disk and Symantec Endpoint Encryption Support


EnCase now supports these versions of Guardian Edge Hard Disk (GEHD) and the corresponding
versions of Symantec Endpoint Encryption (SEE):
• GEHD 9.2.2 and SEE 7.0.2
• GEHD 9.3.0 and SEE 7.0.3
• GEHD 9.4.0 and SEE 7.0.4
• GEHD 9.5.0 and SEE 7.0.5
• GEHD 9.5.1 and SEE 7.0.6
Affected dialogs which previously displayed the text "GuardianEdge" now show it as
"GuardianEdge/Symantec," as in this example:

If EnCase Reports GuardianEdge/Symantec dlls Cannot be Opened


EnCase may report that GuardianEdge/Symantec EAHD dlls could not be opened when attempting to
decrypt an SEE device from a Windows 7 x86 operating system on a Windows Vista x64 operating
system.
In this situation, EnCase's ability to decrypt the device is dependent on having the correct dll library
on the examiner machine. For example, a 32-bit examiner machine needs the 32-bit dll library; a 64-bit
examiner machine needs the 64-bit dll library.
The following dlls are required to decrypt an SEE encrypted device on a 32-bit examiner machine:
 EAECC.dll
 EPCL32.dll
The following dlls are required to decrypt an SEE encrypted device on a 64-bit examiner machine:
 EAECC.dll
 EPCL.dll
Place these dlls in the Lib\PC Guardian-Guardian-Edge\EAHD folder of your EnCase
installation.
Note: The version of EAECC.dll must match the product version of SEE.
In addition to the above, you may need to install the following if they are not already present on the
system:
 GEHD 9.4.1/SEE 7.0.4: msvcp71.dll and msvcr71.dll
 GEHD 9.5.0/SEE 7.0.5: msvcp80.dll and msvcr80.dll (these must match the EnCase platform:
32 or 64-bit)
 GEHD 9.5.1/SEE 7.0.6: msvcp80.dll and msvcr80.dll (these must match the EnCase platform:
32 or 64-bit)
You can obtain the dll library you need from the SEE installation folders on the client machine.

Authenticating a Physical Drive in EnCase


Because GEHD has domainless client administrators, you need to use a default field for the domain:
1. Make sure you have the EnCase Decryption Suite module with PC Guardian support installed
(Help > About...).

2. In the domain field, enter EA#DOMAIN as the client administrator account.


For more information, see Knowledge Base article 00002281 in the GuardianEdge Customer Support
Portal (https://na4.salesforce.com/sserv/login.jsp?orgId=00D300000001ZQU).
326 EnCase® Examiner Version 7.03

Decrypting a GuardianEdge Encrypted Device Running EnCase on a Vista Operating System


If you use EnCase on a Windows Vista operating system to decrypt a GuardianEdge encrypted device,
you need the following .dlls in the EnCase6\lib directory:
For GuardianEdge Encryption Anywhere and GuardianEdge Hard Disk Encryption:
• PC Guardian-Guardian Edge\EAHD\EAECC.dll
• PC Guardian-Guardian Edge\EAHD\EPCL32.dll
• PC Guardian-Guardian Edge\EAHD\msvcp71.dll
• PC Guardian-Guardian Edge\EAHD\msvcr71.dll
For GuardianEdge Encryption Plus:
• PC Guardian-Guardian Edge\EPHD\EPCL32.dll
• PC Guardian-Guardian Edge\EPHD\EPcrypto.dll
For msvcr71.dll and msvcp71.dll files, please contact GuardianEdge.

Using GuardianEdge Overall Authority


This applies to GuardianEdge version 8 and higher.
If you are using a GuardianEdge Overall Authority (GEOA) account, you must use EA#DOMAIN for the
domain.
Note: This does not apply to GuardianEdge Encryption Plus.

PGP Whole Disk Encryption (WDE) Support


Supported Software Versions and Platforms
 PGP 9.8 or later
 Windows Vista (all 32 and 64-bit versions)
 Windows XP (SP1 and SP2)
 Windows 2000 Professional (SP4)
 Mac OS 10.4, 10.5, and 10.6
To decrypt a PGP encrypted disk, you need one of the following:
 A Whole Disk Recovery Token (WDRT) from the PGP Universal Server
 An Additional Decryption Key (ADK) from the client machine
 The user's passphrase
Note: The PGPEnCase.dll resides in the installation folder of EnCase (typically C:\Program
Files\EnCase6\lib\PGP\WDE). When using ADK authentication, the PGPEnCase.dll should be copied to the same
location.

Obtaining Whole Disk Recovery Token Information


1. In an Internet browser, enter the PGP Universal Server's URL to gain access to the PGP
Universal Administration page. If you are not sure of the URL address, it is displayed in the
PGP Universal Server boot screen.

2. Click the Users tab to go to the Internal Users page. Note which user displays the Recovery
icon associated with a user name.

3. Click the user name associated with the Recovery icon. The Internal User Information page
displays.

4. Click the Whole Disk Encryption button to see the machine associated with this user.
5. Click the WDRT icon.

6. The Whole Disk Recovery Token page displays. Note the token key consisting of 28
alphanumeric characters.

7. In EnCase, enter the token key in the Whole Disk Recovery Token field of the PGP Whole
Disk Encryption credentials dialog, then click OK.

Note: You can enter the token key with or without dashes.

Obtaining Additional Decryption Key (ADK) Information


Note: The Additional Decryption Key option is available only if you are using the 32-bit installer of EnCase.
1. Log on to the PGP client workstation.
2. Click Start > Programs > PGP > PGP Desktop.
3. Locate the PGP SDK. Select it and drop it into the same folder as PGPEnCase.dll.
4. In the PGP Desktop - PGP Disk window, click the PGP Disk at the left side and select any disk
listed.

5. The Disk Properties display.

6. In the User Access section at the bottom of the screen, export the key as an .asc file.
7. In EnCase, enter the full path to the .asc file in the Additional Decryption Key (ADK) Path
field, as well as the passphrase protecting the file, in the PGP Whole Disk Encryption
credentials dialog.

PGP Decryption using the Passphrase


1. Enter the passphrase in the Passphrase field.

2. Click OK.

CREDANT Encryption Support (File-Based Encryption)


EnCase provides a way for you to decrypt CREDANT-encrypted files on Windows devices.
EnCase provides support for CREDANT Mobile Guardian versions 6.1 through 6.8.
Note: You can obtain the CREDANT API installer from CREDANT Technical Support. Install it, then begin the
examination.
EnCase reviews your mounted volumes and searches for CREDANT-encrypted files (that is, it
searches for CredDB.CEF). If it finds such a file, a logon dialog displays.

1. The dialog populates with a known user name and password, Server, Machine ID, and the
Shield CREDANT ID (SCID). Provided that the credentials are correct, CREDANT files are processed
and decrypted with no further interaction.

Note: If the registry file is unencrypted, then the Server, Shield CID, and Machine ID are pre-
populated for the boot volume disk.

The offline dialog is similar. The Online checkbox is blank and the Machine ID and SCID fields are
unavailable.

2. Save the case once a successful decryption is complete. The credentials entered in the dialog
are stored in Secure Storage, eliminating the need to re-enter them.
The illustration below shows results of a successful decryption:
 The Tree pane shows a CREDANT folder
 The Table pane contains a list of decrypted files

 The Text pane shows contents of a decrypted file

The next illustration shows the same files as they appear unencrypted.

Supported CREDANT Encryption Algorithms


EnCase's CREDANT decryption feature supports these encryption algorithms:
 AES128
 AES256
 3DES
 Rijndael 128
 Rijndael 256
 Blowfish

CREDANT Encryption Support (Offline Scenario)


If the machine to be investigated is not on the network with the CREDANT server, you must obtain
the CREDANT keys and store them in a location accessible to the Examiner machine.
Before you begin:
 Install the CREDANT Library Installer to run the utility with the appropriate DLLs. You can
obtain the installer from CREDANT technical support.
 Have EnCase Decryption Suite installed on the Examiner dongle that will decrypt the
CREDANT-encrypted data.
 Obtain the URL for the CREDANT Mobile Guardian (CMG) Device Server.
 Obtain an Administrator username and password. The CREDANT administrator must have
Forensic Administrator privileges, as specified in the CMG Server Web Interface for CMG v5.4
and later servers. The administrator must have Security Administrator privileges for the v5.3
server.
 Obtain the Administrator's login domain (for CMG 6.0 and later servers only), the Machine ID
for the target device (MUID), the Shield CREDANT ID (SCID), the Username that the key
material is being downloaded for, and the Password to use to encrypt the output .bin file.
1. At a computer that has communication to the CREDANT Server, run the utility
CEGetbundle.exe from the Windows command prompt. CEGetBundle.exe is supplied by
CREDANT in the CREDANT Library Installer, which also installs the DLLs necessary for the
decryption. Copy the integration DLLs and MAC file to the target device as well.
2. Supply the parameters as follows:
   CEGetBundle [-L] -XURL -aAdminName -AAdminPwd [-DAdminDomain] [-dDuid] [-sScid] [-uUsername] -oOutputFile -IOutputPwd

   -L           Legacy mode for working with pre-5.4 server installs
   URL          Device Server URL (for example, https://xserver.credant.com:8081/xapi)
   AdminName    Administrator user name
   AdminPwd     Administrator password
   AdminDomain  Administrator domain (optional: required only if the CMG Server is configured to support multiple domains)
   MUID         Machine ID for the target device (also known as the Unique ID or hostname)
   SCID         Shield CREDANT ID (also known as DCID or Device ID)
   Username     Name of the forensic administrator
   OutputFile   File to save the key material in
   OutputPwd    Password to encrypt output file

   Here is a command example:
   cegetbundle -L -X"https://CredantServer:8081/xapi" -a"Administrator" -Achangeit -d"CredantWorkstation.Credant.local" -sCI7M22CU -u"Administrator" -o"C:\CredantUserKeys.bin" -iChangeIt

3. Place the .bin file downloaded from the CREDANT server in a path accessible from the
Examiner machine. Open EnCase and create a new case or open an existing one. You must
have EnCase Decryption Suite installed on the Examiner machine that decrypts the
CREDANT-encrypted data.
Note: In legacy mode, you must execute this utility for each user targeted for investigation on the
target device while specifying the same output file. The keys for each user are appended to this output
file.
4. Acquire a device with CREDANT encrypted files, or load an evidence file into the case. The
Enter Credentials dialog displays, prompting you for only the Username, Password,
Server/Offline Server File, Machine ID, and Shield CREDANT ID (SCID) information.
Note: In Offline mode, the only information you must provide is the Password and Server/Offline
Server File (full path and filename to the .bin file downloaded using the CEGetBundle.exe utility).
When EnCase decrypts CREDANT encrypted files, the key information is placed in Secure Storage in
EnCase, and saved with the case. You do not have to re-enter this information.

CREDANT Files and Logical Evidence (L01) Files


To decrypt an encrypted EFS file, you need:
1. The EnCase EDS module.
2. The CredDB.CEF file residing in the folder. This is essential, since it contains the information
to get to the decryption key.
 If the file is encrypted, the CredDB.CEF stream is automatically stored with the file as
metadata.
 If the file is decrypted, the CredDB.CEF stream is not automatically stored, as it is not needed.
This does not prevent you from storing the stream by specifically saving it to the LEF.
Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.

McAfee Endpoint Encryption Support


EnCase provides support for McAfee Endpoint Encryption 6.0.
To decrypt files you need the recovery file from the EPO server in the form MachineName.xml and the
machine name.
The machine name must match the recovery filename as shown below:

Symantec and McAfee EndPoint Encryption Support


EnCase provides support for Symantec EndPoint Encryption 8.0 and McAfee EndPoint Encryption 6.
Note: EndPoint Encryption is not supported with local administrator accounts.

S/MIME Encryption Support


The EnCase S/MIME Encryption Support provides the ability to decrypt S/MIME-encrypted email
found in PST files. Email sent or received in containers with the file extensions .pst, .mbox and .edb
supports the S/MIME PKCS #7 standard.
You must have PFX (PKCS 12 standard) certificates installed prior to parsing. PST, EDB, and MBOX
mail containers are supported.
To decrypt S/MIME data:
1. Open or create a case and select View > Secure Storage.

2. Right click a folder in the left pane. A dropdown menu displays.

3. Select Enter Items. The Enter Items dialog displays.

4. Select the Enter Mail Certificate tab.


Note: The only allowed certificate format is .PFX.

5. Enter the path to the PFX certificate and the password, then click OK.

The PFX cert is decrypted and stored in Secure Storage.

S/MIME decryption and signature verification happens in the background.


Given the proper password, the certificate is stored in Secure Storage under the E-Mail Certificates folder.
After you import the required certificates into Secure Storage, you can parse the email container files
using the View File Structure feature in the Entry View.
S/MIME Email Certificate contents are displayed like this in Secure Storage:

When parsing is complete and successful, a directory list displays. In the illustration, the folder is
entitled smime.p7m (S/MIME data comes as an attachment of the email). In Entries view, the text of
the email is shown in the Text pane while the email's attachments appear in the Table pane.

View and work with content in the Records tab.



Troubleshooting a Failed S/MIME Decryption


If decryption fails, you can examine the Records view to try to find the error.

Decrypting S/MIME Email Messages in an Evidence File Created in Windows Vista


You cannot decrypt S/MIME email messages in an evidence file created in Windows Vista using an
examiner installed on Windows XP or earlier. This is because CryptoAPI on Vista (Crypto Next
Generation, or CNG) is not yet supported on XP.
So if an evidence file created in Vista contains S/MIME email, you should perform the examination to
decrypt them on a Vista machine as well, provided that the proper certificates are available.

NSF Encryption Support


The Lotus Notes email client has security built into the product. Notes was the first widely adopted
software product to use public key cryptography for client-server and server-server authentication and
for encryption of data, and it remains the product with the largest installed base of PKI users.
The EnCase® Suite can decrypt encrypted NSF documents and send them to recipients within the
same Domino server.
Each server user has an ID file that contains a user's:
 Encrypted private key
 Public key
 Password information
 Password recovery information
Each user also has an NSF file that represents the user's mailbox in 8.3 format in the default path
<domino installation folder>\data\mail\<user>.nsf.

Recovering NSF Passwords


To retrieve the recovery password, you must have proper administrative rights on the Domino server.
1. Open the Domino Server.

2. Log in as the server administrator.

3. Click OK.

The password ID list displays.

4. Click OK.

The recovery password displays.

5. Click OK and define users authorized to generate recovery passwords.



Lotus Notes Local Encryption Support


EnCase can decrypt a local Lotus Notes user mailbox (NSF file suffix). The local mailbox is a replica of
the corresponding encrypted mailbox on the Domino server.
Each Domino server user has a corresponding NSF file representing that user's mailbox in 8.3 format.
The default path is <Domino Installation Folder>\Data\Mail\<user>.nsf. The Lotus
Notes client is set up to use the local mailbox. Synchronization between the local and server mailboxes
occurs according to a replication schedule determined by the Domino administrator.
Encryption of the local mailbox is not mandatory but it is advisable, because without encryption a
person familiar with the NSF file structure could read email without needing Lotus Notes.
Encryption occurs at block level.

Determining Local Mailbox Encryption


Look in the header (the first 0x400 bytes) at offset 0x282. If the byte is 0x1, the mailbox is locally
encrypted.
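The header check just described, as an added example in Python (it is not part of the EnCase manual or the product): it reads the first 0x400 bytes of an NSF file and tests the single byte at offset 0x282. The sample header is constructed for the demonstration (zero-filled apart from the flag byte) and is not a real NSF header; a genuine header carries many other fields that this check ignores.

```python
# Added example: check the local-encryption flag in a Lotus Notes NSF header.
# Offsets come from the text above; the sample header below is constructed, not real.
NSF_HEADER_LEN = 0x400          # the header is the first 0x400 bytes of the file
LOCAL_ENC_FLAG_OFFSET = 0x282   # byte 0x1 here means the mailbox is locally encrypted


def is_locally_encrypted(header: bytes) -> bool:
    """Return True when the NSF header flags the mailbox as locally encrypted."""
    if len(header) < NSF_HEADER_LEN:
        # A file shorter than the header cannot be a complete NSF; refuse rather than guess.
        raise ValueError(
            f"need at least {NSF_HEADER_LEN:#x} header bytes, got {len(header):#x}"
        )
    return header[LOCAL_ENC_FLAG_OFFSET] == 0x01


def check_nsf_file(path: str) -> bool:
    """Read only the header of an NSF file on disk and apply the flag check."""
    with open(path, "rb") as fh:
        return is_locally_encrypted(fh.read(NSF_HEADER_LEN))


def make_sample_header(encrypted: bool) -> bytes:
    """Constructed 0x400-byte header with only the flag byte set; not a real NSF header."""
    header = bytearray(NSF_HEADER_LEN)
    header[LOCAL_ENC_FLAG_OFFSET] = 0x01 if encrypted else 0x00
    return bytes(header)


if __name__ == "__main__":
    for flag in (True, False):
        result = is_locally_encrypted(make_sample_header(flag))
        print(f"flag byte set={flag}: locally encrypted -> {result}")
```

Point check_nsf_file at a copied-out .nsf to triage a batch of mailboxes before parsing them; the function reads only the header, so it is cheap to run across a large mail directory.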

Parsing a Locally Encrypted Mailbox


1. Obtain the corresponding ID file from the Domino server. All user ID files are backed up on
the server either on disk as a file or in the Domino directory as an attachment to email.
2. Parse it using View File Structure, so that the private key is inserted in Secure Storage.

Encrypted Block
The example below shows an encrypted block at offset 0x22000:

The decryption algorithm uses a seed that is based on the basic seed from the header and the block
offset.

Decrypted Block
Here is an example of a decrypted object map at offset 0x22000:

Locally Encrypted NSF Parsing Results


A successfully parsed locally encrypted NSF looks like this in Entry view:

If the corresponding ID file cannot be parsed successfully, the Secure Storage is not populated with the
data needed to parse the locally encrypted NSF; thus, the Lotus volume is empty:

Windows Rights Management Services (RMS) Support


EnCase provides the ability to use RMS to manage decryption of Microsoft Outlook email and
Microsoft Office documents across the network.
These products are supported:
 Office 2003 and 2007
 Outlook 2003, 2007, and 2010 PSTs
There are two ways to decrypt RMS protected files:
 At the volume level
 At the file level using View File Structure
For versions of Windows prior to Vista, you must install Microsoft Windows Rights Management
Services Client 1.0 (SP2) before running the RMS standalone installer.
Note: When decrypting RMS protected files, it is important to enter correct credentials. Since EnCase attempts to decrypt
RMS protected documents even when you enter incorrect credentials, for large PST files of several GB there could be a
long wait (up to several hours) before you learn that the credentials you entered did not work. So it is crucial to enter
correct RMS credentials in the first place.

RMS Standalone Installer


You must run the standalone installer to use RMS with EnCase. The installer creates a folder named
Microsoft in the root of the EnCase6\Lib directory. The full path is %Program Files%\EnCase\Lib\Microsoft\RMS.
The installer drops these files and registry keys into the RMS directory:
• One executable, EnCaseIrmWrapper.exe
• Three .dlls: EnCaseRMSHelper.dll, MsoIrmProtector.dll, and
OpcIrmProtector.dll
• One .xml file, EnCaseRMSHelper.xml (also referred to as the manifest file)
• A Hashes.txt file, which has MD5 hashes for each file listed above
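Because the installer ships a Hashes.txt manifest, an examiner can confirm that the RMS helper files in the Lib directory are the ones the installer dropped, rather than something modified later. The following Python check is an added example and is not part of EnCase or its installer. It assumes (the manual does not state the layout) that Hashes.txt holds one "<md5hex>  <filename>" pair per line; the digests in the sample manifest and the byte strings standing in for file contents are constructed for the demonstration.

```python
# Added example: verify the files the RMS installer drops against its MD5 manifest.
# Assumption (not from the manual): Hashes.txt lists one "<md5hex>  <filename>" pair per line.
import hashlib
import os
from typing import Dict, Optional


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_hashes_txt(text: str) -> Dict[str, str]:
    """Map filename -> expected MD5 (lower-case hex); blank and '#' lines are ignored."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        if len(digest) != 32 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"bad digest on line: {line!r}")
        manifest[name.strip()] = digest.lower()
    return manifest


def verify_contents(manifest: Dict[str, str],
                    contents: Dict[str, Optional[bytes]]) -> Dict[str, str]:
    """Compare each manifest entry with file bytes; a value of None means the file is absent."""
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        data = contents.get(name)
        if data is None:
            results[name] = "missing"
        elif md5_hex(data) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def verify_directory(directory: str, manifest: Dict[str, str]) -> Dict[str, str]:
    r"""Same check against files on disk, e.g. %Program Files%\EnCase\Lib\Microsoft\RMS."""
    contents: Dict[str, Optional[bytes]] = {}
    for name in manifest:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                contents[name] = fh.read()
        else:
            contents[name] = None
    return verify_contents(manifest, contents)


# Constructed manifest: file names from the installer list above, placeholder digests.
SAMPLE_HASHES_TXT = """\
5d41402abc4b2a76b9719d911017c592  EnCaseIrmWrapper.exe
00000000000000000000000000000000  EnCaseRMSHelper.dll
00000000000000000000000000000000  MsoIrmProtector.dll
"""

# Constructed stand-ins for installed file contents; None = file not present.
SAMPLE_CONTENTS: Dict[str, Optional[bytes]] = {
    "EnCaseIrmWrapper.exe": b"hello",   # its MD5 matches the manifest line above
    "EnCaseRMSHelper.dll": b"world",    # digest differs from the manifest
    "MsoIrmProtector.dll": None,        # not installed
}

if __name__ == "__main__":
    report = verify_contents(parse_hashes_txt(SAMPLE_HASHES_TXT), SAMPLE_CONTENTS)
    for name, status in report.items():
        print(f"{status:9} {name}")
```

In practice you would call verify_directory with the RMS folder path and the text of its Hashes.txt; any "mismatch" or "missing" result is a reason to reinstall before trusting decryption output, since these DLLs run with the examiner's credentials.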

Running the Installer


For versions of Windows prior to Vista, you must install Microsoft Windows Rights Management
Services Client 1.0 (SP2) before running the RMS standalone installer.
1. Double click the executable to begin installation. The Windows RMS Library Installer dialog
opens.

2. If more than one version of EnCase is listed, select the version you want to target.
3. Click Finish. If the installation is successful, this message displays:

4. Click OK.

Configuring EnCase with RMS


 The RMS Super User group account must be added to the local Administrator group account
on the Examiner machine. The RMS Super User group should be enabled in the RMS server
during installation.
 A communication must be established to the RMS server, using one of the accounts in the RMS
Super User group, that will be used to unprotect documents and to activate the machine and
the current user (pull down .drm certs). To pull down the .drm certs from the RMS Server, you
can either try to protect a document using MS Office or use the UserActivation tool from the
RMS SDK.
 If the RMS server uses HTTPS, the HTTPS communication certificate should be installed
under Trusted Root Certification Authorities for each account in the RMS Super User group
that can be used to unprotect documents.
 The RMS server URL (HTTPS) should be added to the local Intranet.

RMS Decryption at the Volume Level


1. On the Evidence menu, select the volume.
2. Click the Device dropdown and click Analyze RMS.

3. The RMS credentials dialog opens.

4. Enter a Username and Password, then click OK.


5. EnCase decrypts RMS protected files in the volume.
EnCase stores the credentials you entered, so the next time you do not need to enter them again.

RMS Decryption at the File Level


EnCase supports the following RMS protectors:
 MSO (Office 2003 RMS protector)
 OPC (Office 2007 RMS protector)

MSO
1. Right click the MSO-protected file (that is, a Word document created with Office 2003) you
want to decrypt, then click View File Structure. This dialog opens:

2. Select the Find RMS Content checkbox, then click OK.


3. The RMS credentials dialog opens:

4. Enter a Username and Password, then click OK.


5. EnCase decrypts RMS protected files in the volume.
EnCase stores the credentials you entered, so the next time you do not need to enter them again.

OPC
1. Right click the OPC-protected file (that is, a Word document created with Office 2007) you
want to decrypt, then click View File Structure. This dialog opens:

2. Follow steps two through five in MSO, above.

RMS Protected Email in PST


For PST files, to find email messages that are RMS protected:
1. Right click the PST file, then click View File Structure. This dialog opens:

2. Select the Find RMS Content checkbox, then click OK.


3. The RMS credentials dialog opens:

4. Enter a Username and Password, then click OK.



Windows Key Architecture


Windows has an elaborate key protection mechanism. The Syskey protects the policy key, the SAM
key, and others. These keys protect the user’s password hashes.

In Windows 2000, however, the Master Key is protected by the user’s password hash with a
mechanism that slows down any attack. The Master Key protects the user’s private key. And the user’s
private key protects a key within the $EFS stream that allows for decryption of the EFS encrypted file.

Dictionary and Built-In Attacks


Dictionary Attack
Software implementing this method normally uses a text file containing a large number of passwords
and phrases. Each is tried in turn in the hope that one of the words or phrases in the file will decrypt
the data involved.
A large number of dictionary files (sometimes called word lists) are on the Internet, or you can create
your own list. Creating your own list may be preferable if the person under investigation has a
particular interest, such as football.
There are freeware utilities on the Internet you can use to create a dictionary from combinations of
letters, numbers, and characters up to a predefined length. Free Wordlist Generator
(http://www.soft82.com/download/windows/free-wordlist-generator/) is one example.
EDS can attack NT based user account passwords and cached net logon passwords using a dictionary
attack.

Built-In Attacks
Specific items do have associated passwords. If they are not automatically retrieved, you can use a trial
and error mechanism. This may or may not succeed.

Items that can be Attacked


 Local users
 Network users that logged on (cached domain users)
 Syskey (password mode only)
 Master Key, if the user’s SAM or domain cache can’t be accessed (due to corruption, account
deletion or Syskey protection). This is much slower than attacking the Local/Network Users

External Attack
Local users can be attacked with third party tools. There are freeware tools, and their performance is
much greater than EnCase because they can run on many computers at the same time and/or use
rainbow tables. EnCase can export the local user’s password hashes in the PWDUMP format that most
tools read. This is done from the User List.

User List

The User List of Secure Storage shows Local Users, Domain Users, Nix Users, and/or Nix Groups from
the local machine or evidence file. Each account also carries information such as:
 last logon date
 user SID
 NT hash
 LanManager hash
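The User List export mentioned above uses the PWDUMP format, which the manual does not describe. As an added example (not part of EnCase), the Python below parses that format, assumed here to be one `user:RID:LM-hash:NT-hash:::` line per account with 32 hex characters per hash, and flags two things a reviewer looks for first: accounts whose LM hash is actually stored (the LM scheme is far weaker than NT, so its presence matters when assessing exposure) and accounts with an empty password. The two empty-password hash values are the standard, well-known constants; the sample export is constructed and its other hash values are placeholders, not real hashes.

```python
# Added example: parse hashes exported in PWDUMP format and flag weak entries.
# Assumed line layout: user:RID:LM-hash:NT-hash::: (32 hex chars per hash).
import re
from dataclasses import dataclass
from typing import Dict, List

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
# Well-known hash values of the empty password (standard constants, not page values).
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class PwdumpEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    def lm_hash_stored(self) -> bool:
        """Anything other than the empty-password value means a real LM hash is on disk."""
        return self.lm_hash != LM_EMPTY

    def empty_password(self) -> bool:
        return self.nt_hash == NT_EMPTY


def parse_pwdump_line(line: str) -> PwdumpEntry:
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a PWDUMP line: {line!r}")
    user, rid, lm, nt = parts[:4]
    if not (HEX32.match(lm) and HEX32.match(nt)):
        raise ValueError(f"malformed hash field in: {line!r}")
    return PwdumpEntry(user, int(rid), lm.lower(), nt.lower())


def parse_pwdump(text: str) -> List[PwdumpEntry]:
    return [parse_pwdump_line(l) for l in text.splitlines() if l.strip()]


def audit(entries: List[PwdumpEntry]) -> Dict[str, List[str]]:
    """Group account names by finding, the way a reviewer triages an exported User List."""
    return {
        "lm_hash_stored": [e.user for e in entries if e.lm_hash_stored()],
        "empty_password": [e.user for e in entries if e.empty_password()],
    }


# Constructed sample export; the non-empty hash values are placeholders, not real hashes.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for finding, users in audit(parse_pwdump(SAMPLE_PWDUMP)).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```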

Integrated Attack
There are three different sources for words to be tested:
 Internal passwords: These are the password items in the secure storage
 Dictionary words: The dictionary is a plain text file that can be in ANSI-Latin1 or UTF16.
Every word needs to be on its own line (it can contain any character, including spaces).
 Brute force: Automatically generates words from an alphabet with a length in a given range
There are four “mutators” that can be applied:
 Toggle Case: Tries all the upper/lower case variations
 Append Digits
 Prepend Digits
 Combine Words: The words are combined with each other. For example, if the dictionary
contains the words "old" and "dog", the result is these four words:
• old
• dog
• olddog
• dogold

Brute Force Attack


A brute force attack works by trying to identify a password or passphrase by testing all possible
combinations of the characters of an alphabet. This alphabet is in the text file pointed to by the
"alphabet path". This is a plain text file that can be in ANSI-Latin1 or UTF16, where the first line
contains all the characters. This can generate massive numbers of words to test.
An example of an alphabet is "abcdefghijklmnopqrstuvwxyz01234567890-( )".
Depending on the settings, a dictionary attack can test thousands of passwords contained in a
dictionary file in a very brief time frame. It is usual to try a dictionary attack first, then progress to a
brute force attack if the password(s) cannot be found.
Any information concerning the possible structure/character length of the password helps
dramatically.
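The Integrated Attack word sources and mutators, and the Brute Force alphabet file, are described above in prose only. The Python below is an added example (not EnCase code) that implements them as described: the dictionary and alphabet file readers (Latin-1 or UTF-16 by BOM), the Toggle Case, Append Digits, Prepend Digits and Combine Words mutators, and the brute-force source together with a count of how many candidates a length range over a given alphabet produces, which is the figure an examiner needs to judge whether a brute-force run is realistic. The sample dictionary and alphabet are constructed to match the manual's own examples.

```python
# Added example: word sources and mutators for an integrated/brute-force attack, plus
# the size of the candidate space so a run can be judged feasible before it is started.
from itertools import permutations, product
from typing import Iterable, Iterator, List


def _decode_text_file(data: bytes) -> str:
    """Dictionary and alphabet files are ANSI-Latin1 or UTF-16; UTF-16 is recognised by its BOM."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_dictionary(data: bytes) -> List[str]:
    """One word per line; a word may contain any character, including spaces."""
    return [line for line in _decode_text_file(data).splitlines() if line != ""]


def parse_alphabet(data: bytes) -> str:
    """The first line of the alphabet file holds every character; duplicates are dropped."""
    lines = _decode_text_file(data).splitlines()
    return "".join(dict.fromkeys(lines[0])) if lines else ""


def toggle_case(word: str) -> List[str]:
    """Toggle Case: every upper/lower-case variation of the word."""
    choices = [sorted({c.lower(), c.upper()}) for c in word]
    return ["".join(p) for p in product(*choices)]


def append_digits(word: str, digits: str = "0123456789") -> List[str]:
    return [word + d for d in digits]


def prepend_digits(word: str, digits: str = "0123456789") -> List[str]:
    return [d + word for d in digits]


def combine_words(words: Iterable[str]) -> List[str]:
    """Combine Words: each word on its own, then every ordered pair concatenated."""
    words = list(words)
    return words + [a + b for a, b in permutations(words, 2)]


def brute_force_candidates(alphabet: str, min_len: int, max_len: int) -> Iterator[str]:
    """Brute force source: every string over the alphabet with a length in the given range."""
    for length in range(min_len, max_len + 1):
        for combo in product(alphabet, repeat=length):
            yield "".join(combo)


def brute_force_count(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates the brute-force source will produce (computed, not enumerated)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    # Constructed dictionary and alphabet matching the examples in the text above.
    words = parse_dictionary(b"old\ndog\n")
    print(combine_words(words))            # ['old', 'dog', 'olddog', 'dogold']
    alphabet = parse_alphabet(b"abcdefghijklmnopqrstuvwxyz01234567890-( )\n")
    total = brute_force_count(len(alphabet), 1, 8)
    print(f"{len(alphabet)} distinct characters, {total} candidates for lengths 1-8")
```

The count function is the useful part for planning: the manual's example alphabet has 40 distinct characters, so lengths 1 to 8 alone give more than 6.5 trillion candidates, which is why the text recommends a dictionary pass first and why any knowledge of the password's structure or length matters so much.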
CHAPTER 17

Virtual File System


In This Chapter
 Overview

 Evidence File Formats Supported by VFS

 Mounting Evidence with VFS

 Dismounting the Network Share

 Accessing the Share

 Third-Party Tools

 VFS Server

 Troubleshooting

Overview
The Virtual File System (VFS) module allows investigators to mount computer evidence as a read-
only, offline network drive for examination through Windows Explorer. The feature allows
investigators several examination options, including using third-party tools to examine evidence
served by EnCase.
For users of EnCase Forensic, the VFS module enables the use of third-party tools against hard drives
previewed through a FastBloc device or a crossover cable, including deleted files.

Evidence File Formats Supported by VFS


VFS supports mounting any data that is visible in a case. All image file formats and file systems that
are supported by the EnCase software can be mounted with VFS.

Mounting Evidence with VFS


The VFS Module can mount computer evidence supported by EnCase as an offline, read-only network
drive in Windows Explorer.
You can mount evidence at one of four levels; however, you can designate only one mounting point at
a time. To change the mounting point, you need to dismount the evidence and mount at a new level to
include the desired devices.
The levels to which you can mount evidence are:
 Case level: Mounting from case level is not supported by VFS
 Disk/Device level: Mounts a single physical disk or device, with access to all volumes on the
disk or device
 Volume level: Mounts a single volume/partition on a physical disk
 Folder level: The lowest level you can mount is at the folder level. This mount level is helpful
to examine files in paths that exceed the Windows limit of 264 characters in the full path and
name of a file

Using the Server extension, you can also mount evidence to be shared with other investigators through
a LAN. The Virtual File System Server is discussed later in this manual.

Mounting a Single Drive, Device, Volume, or Folder


Only one mount point can be designated at a time; to include other data, a mount point must be
selected that is in a parent relationship to both areas of data to be mounted.
To mount a single drive or device in a case file or a single volume or folder on a drive, click on the
Device menu, choose Share, then Mount as Network Share:

Mount Network Share Options


On the Server Info tab of the Mount as Network Share window, most of the server info is disabled
when establishing a local server. The only exception is the local port. VFS defaults to establishing a
local server, which is the option used when using VFS on the local machine.
Since VFS is mounting the evidence as a network shared drive, a local port must be assigned. To allow
recovery from errors in Windows, the VFS service runs for the life of the Windows session. This means
that the port number can be assigned the first time the VFS service is run to mount evidence.
Afterwards, the port number is grayed out and the assigned port number cannot be changed:
1. On the Server Info tab, set the local port or use the default setting.
2. Adjust the Max. clients allowed, up to the maximum number of clients purchased for VFS.
Note: To assign a new port number, the Windows session must be closed.

3. Click the Client Info tab to set the volume letter to be assigned to the network share in
Windows Explorer.

4. Windows Explorer assigns the next available volume letter by default. You can also use any
other unassigned letter.

Assigning a specific volume letter can be useful when attempting to virtually reconstruct a
mapped network drive, such as for a database:

• If you currently have mapped network drives, or if you allow Windows to assign the
drive letter, it takes a few seconds for Windows to query the system to find an available
drive letter
• If you specify an available volume letter, the mounting is virtually instantaneous.
A confirmation popup window informs you that the mount was successful with the volume letter. The
"shared hand" icon appears at the level you designated as the mount point for the shared drive.

You can mount at the device, volume, or folder level with VFS. To do this:
1. Select the Entry that you want to mount in the entry window and click on Mount As Network
Share through the Device pull down menu item and Share sub-menu item. In the example,
the BBasher entry is selected below to be mounted in Windows Explorer.

2. Windows Explorer view of the mounted Entry will look like that below.

Compound Files
You can mount several different compound files, including Microsoft Word, Excel, Outlook Express,
and Outlook, in the EnCase interface.
To do this:
1. Find the compound file that you want to view.
2. Perform a View File Structure on the compound file from the Entries dropdown menu.

In the example below, a View File Structure was performed on a Microsoft Word .doc file. After the
View File Structure operation is complete, a menu hyperlink appears in the entry name.

1. Click on the hyperlink and you will see the contents of the compound file shown below.

2. Mount the compound file by selecting Mount as Network Share from the Device dropdown
menu. The contents of the compound file will be shown in Windows Explorer, as shown
below.

VFS is a dynamic engine and will serve the data as it is presented by the EnCase software.
To view the original Word document file:
1. Close the mounted compound file.
2. In Windows Explorer, press F5 to refresh the screen.

If you have currently selected data within the compound file, an error message reports that the
data is no longer available, since it was closed inside EnCase.

3. Select the parent folder of the file to view and open the file.

Encrypting File System


Decrypted files can be viewed within Windows when you use VFS in conjunction with the EnCase
Decryption Suite (EDS) module. The evidence containing the decrypted files and folders can be
mounted with VFS for viewing the decrypted data within Windows Explorer and with third-party
tools.

Following is an example view of an encrypted evidence file when VFS is used in conjunction with
EDS:

The following is a view of the above encrypted file in its decrypted state when using VFS in
conjunction with EDS:

For more information on using the EDS Module to decrypt EFS protected files and folders, see the EDS
Module chapter of this document.

RAIDs
You can browse RAIDs mounted inside EnCase in Windows Explorer. In the example below, a
software RAID 5 comprised of three drives was mounted, then made available for browsing in
Windows Explorer with VFS.

Deleted Files
The VFS module allows you to view deleted and overwritten files in Windows Explorer.
An investigator may locate a file in Windows Explorer to view or analyze, only to find that it cannot
be opened. If a file does not open, review the original data in the EnCase interface to see whether the
file is valid and is not corrupted or partially overwritten.

Internal Files and File System Files


The EnCase application organizes some data on devices into virtual logical files to allow for better
organization and searching. Examples include Unallocated Clusters and Volume Slack on a volume,
and Unused Disk Area on a physical drive. Hidden file system files are also available, such as the
$MFT, FAT, or Inode Table directories on NTFS, FAT, and *nix file systems.

RAM and Disk Slack


VFS serves the actual logical files on devices along with virtual logical files that it organizes for
investigators. The physical files are not served, as Windows Explorer could not interact with the file
data correctly if the entire physical file was served.
For investigators, this means that the RAM (sector) slack and drive (file cluster) slack are not available
to third-party tools through VFS in Windows Explorer as a single file. There are, however, methods of
accessing the data in slack with third-party tools:
You can load a device without parsing the file system:
1. Launch the EnCase application.
2. Open a new case.
3. Load the device by clicking Add Local Device from the Add evidence dropdown menu.

4. Click the Next button to read the available local devices.


5. Clear the check from the Read File System column shown below.

When the device is loaded into EnCase, the partition and file system are not read and interpreted. The
entire device can then be mounted with VFS and be available for examination in Windows Explorer as
Unused Disk Area, including slack space.

Another option is to copy only slack area from evidence to the examination computer as a logical file:
1. Select the entry with slack space you want to examine.
2. Select Copy Files from the Entries dropdown menu.

3. Select the All selected files button under From, and the Merge into one file button under To,
and click Next.

4. In the Copy section of the Options screen, select RAM and Disk Slack to copy the RAM slack
(also known as sector slack) and the Disk Slack (also known as cluster slack).
5. Select the appropriate Character Mask option for non-ASCII characters, or leave the default
and click Next.

6. Set the destination path and the name of the file to contain the slack and click Finish.

7. The progress of the copy is shown at the bottom right, and the results are written to the logs
and the console.

The file containing the slack from the evidence is now available for examination by third-party utilities
on the local examination machine. In the example below, a file is open in WordPad.
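As an added illustration (not EnCase code) of what the RAM and Disk Slack copy collects, the following Python locates both slack regions of each selected entry in a constructed volume image and merges them into one blob; it assumes 512-byte sectors, 2048-byte clusters, contiguous clusters, file entries given as (first_cluster, logical_size), and the names SlackRegions, slack_regions and extract_slack.

```python
# Added example (not EnCase code): models the "RAM and Disk Slack" copy.
# Assumptions: contiguous clusters, 512-byte sectors, 2048-byte clusters,
# and a file entry given as (first_cluster, logical_size).
from dataclasses import dataclass

SECTOR_SIZE = 512     # assumed sector size
CLUSTER_SIZE = 2048   # assumed cluster size (four sectors per cluster)


@dataclass(frozen=True)
class SlackRegions:
    """Byte ranges (offset, length) inside the volume image."""
    ram_slack: tuple   # logical end of file -> end of the last data sector
    disk_slack: tuple  # end of that sector -> end of the last allocated cluster


def ceil_to(value, unit):
    """Round value up to the next multiple of unit."""
    return -(-value // unit) * unit


def slack_regions(first_cluster, logical_size,
                  sector_size=SECTOR_SIZE, cluster_size=CLUSTER_SIZE):
    """Locate a file's RAM (sector) slack and disk (cluster) slack."""
    start = first_cluster * cluster_size
    if logical_size == 0:
        # Assumption: a zero-length file owns no clusters, so it has no slack.
        return SlackRegions((start, 0), (start, 0))
    end_of_data = start + logical_size
    end_of_sector = start + ceil_to(logical_size, sector_size)
    end_of_cluster = start + ceil_to(logical_size, cluster_size)
    return SlackRegions(
        (end_of_data, end_of_sector - end_of_data),       # 0 if size is sector-aligned
        (end_of_sector, end_of_cluster - end_of_sector),  # 0 if size is cluster-aligned
    )


def extract_slack(volume, entries, sector_size=SECTOR_SIZE, cluster_size=CLUSTER_SIZE):
    """Carve the slack of every selected entry and merge it into one blob,
    like 'All selected files' + 'Merge into one file' + 'RAM and Disk Slack'."""
    merged = bytearray()
    for first_cluster, logical_size in entries:
        regions = slack_regions(first_cluster, logical_size, sector_size, cluster_size)
        for offset, length in (regions.ram_slack, regions.disk_slack):
            merged += volume[offset:offset + length]
    return bytes(merged)


def build_sample_volume():
    """Constructed sample: a 4-cluster volume whose free space still holds
    residue from earlier use ('R' bytes plus a recognisable text fragment)."""
    volume = bytearray(b"R" * (4 * CLUSTER_SIZE))
    volume[800:810] = b"stale data"   # residue that ends up in file A's RAM slack
    volume[0:700] = b"A" * 700        # file A: cluster 0, 700 bytes
    volume[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + 2560] = b"B" * 2560  # file B: clusters 2-3
    return bytes(volume)


SAMPLE_ENTRIES = [(0, 700), (2, 2560)]


if __name__ == "__main__":
    vol = build_sample_volume()
    for entry in SAMPLE_ENTRIES:
        print(entry, slack_regions(*entry))
    blob = extract_slack(vol, SAMPLE_ENTRIES)
    print(len(blob), "slack bytes carved; fragment at offset", blob.find(b"stale data"))
```

File B's size is a whole number of sectors, so it has disk slack but no RAM slack; the carved blob never contains any of the files' own content.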

Other File Systems


VFS can mount file systems other than those natively supported by Windows. Below is an example of
a Macintosh OS/X drive mounted with VFS.

ext2, ext3, UFS, and Other File Systems


Unix, Linux, and BSD devices can be mounted in Windows Explorer with VFS. One limitation is the
forward slash (/) used in *nix file systems. The forward slash is an invalid character in Windows and
cannot be displayed in the full path for Windows Explorer. For this reason, the forward slash is
represented by the high-dot (·).

In the example below, the /(root) partition is represented by the high-dot. The /home partition is
represented by ·home.

In this example, the / (root) partition of a Solaris workstation is mounted and the parent folder name
(the partition name) is displayed as the high-dot.

Note: Windows has a limit of 264 characters in a full path and file name. This limitation may impact some examinations in
Windows Explorer, especially for Unix and Linux devices. In this situation, the investigator may need to mount at the
partition or folder level.

Dismounting the Network Share


To dismount the network share, do the following:
1. Double click the thread bar at the bottom right of the interface that reads Virtual File System,
then click Yes.

2. The thread bar at the bottom right will disappear indicating the evidence was successfully
dismounted.

Changing the Mount Point


You can view one mount point at a time. To change the location of the mount point, you must close the
current mount point and open a new one.
Note: Be sure to dismount evidence that is served through VFS before closing EnCase. A reminder message displays if you
try to close the case or EnCase while evidence is mounted with VFS.

Accessing the Share


Using the EnCase Interface
VFS Name Column
A VFS Name column displays in Table view for the VFS Module. The column identifies the file name
given to a file served from EnCase and displayed in Windows Explorer through VFS. The VFS name
overcomes the Windows limitation of not allowing multiple files to share the same file name as
siblings in the same parent folder. The column is empty when the evidence is first mounted with VFS,
but populates when the share is accessed in Windows Explorer.
When an investigator selects a folder in Windows Explorer, the data is served by EnCase and
displayed in Windows Explorer. As the directories are browsed in Windows Explorer, the file names
populate in the VFS Name column, so an investigator can determine which file he or she is examining.
EnCase appends a pound sign (#) to the end of duplicate file names in the same folder in Windows
Explorer.
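The naming rules from the ext2/ext3 section and the VFS Name column above (high-dot for the forward slash, '#' on duplicate siblings, the 264-character path note) as an added Python model that is not Guidance Software code; it assumes duplicates are detected case-insensitively and that each further duplicate gains one more '#', and the function names are invented.

```python
# Added example (not Guidance Software code): a model of the VFS naming rules.
# Assumptions: sibling collisions are detected case-insensitively (Windows names
# are case-insensitive) and every further duplicate gets one more '#'; the
# manual only states that one '#' is appended.
HIGH_DOT = "\u00b7"       # the high-dot stands in for '/' in Windows Explorer
MAX_WINDOWS_PATH = 264    # limit quoted in the manual's note


def vfs_component(name):
    """Render one *nix path component the way VFS shows it ('/' -> high-dot)."""
    return name.replace("/", HIGH_DOT)


def assign_vfs_names(siblings):
    """Return the VFS Name for each entry in one parent folder, in the order
    given. Names that would collide as Windows siblings get '#' appended."""
    taken = set()
    names = []
    for name in siblings:
        candidate = vfs_component(name)
        while candidate.lower() in taken:   # assumption: case-insensitive collision
            candidate += "#"
        taken.add(candidate.lower())
        names.append(candidate)
    return names


def windows_path(drive_letter, components):
    """Full Explorer path for a list of entry names under the share drive."""
    return f"{drive_letter}:\\" + "\\".join(vfs_component(c) for c in components)


def components_to_drop(drive_letter, components):
    """How many leading folders must be skipped (i.e. how deep the VFS mount
    point must sit) before the Explorer path fits within MAX_WINDOWS_PATH.
    Returns None if even the leaf alone is too long."""
    for drop in range(len(components)):
        if len(windows_path(drive_letter, components[drop:])) <= MAX_WINDOWS_PATH:
            return drop
    return None


if __name__ == "__main__":
    # Constructed entries: a root partition, a /home partition, and siblings
    # that differ only by case or are a live/deleted pair with the same name.
    print(vfs_component("/"), vfs_component("/home"))
    print(assign_vfs_names(["readme", "README", "readme", "notes.txt"]))
    deep = ["/"] + [f"dir{i:03d}_{'x' * 20}" for i in range(12)] + ["evidence.log"]
    print(components_to_drop("V", deep))
```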

Using Windows Explorer


After mounting the shared network drive with VFS, open Windows Explorer. The new share is
represented with a network drive icon and assigned the appropriate volume letter. The name of the
share is gsisvr (for Guidance Software®, Inc. Server).

Several operations are then possible, including the following:


 Browse the mounted case and associated devices in Windows Explorer

 Open hidden and deleted files if Show hidden files and folders is enabled in Windows
Explorer using the Folder Options in the Tools menu

 Use the thumbnail viewer in Windows Explorer to view images in the manner seen by the
original user

Note: To view hidden entries, it may be necessary to update your Windows Explorer settings to show all hidden files and
folders.

Third-Party Tools
Using VFS, investigators can examine evidence outside EnCase using third-party tools capable of
requesting and interpreting data from Windows Explorer. However, Guidance Software does not
certify the performance or accuracy of results obtained through any tools not developed by Guidance.

Malware Scanning
A frequent use for VFS is to mount computer evidence and scan for viruses, Trojans, and other
malware programs:
1. Mount the evidence through VFS either locally on the examination machine, or remotely
through VFS Server.

You can mount the evidence at the device, volume, or folder levels as described previously.
The "shared hand" icon indicates the level of the virtual file system mount.

2. In Windows Explorer, select the gsisvr offline network drive.


3. Use antivirus software to scan the file.
In the example below, the Scan for Viruses option from Symantec AntiVirus is run by right clicking
the drive.

The antivirus software can read the Virtual File System presented to Windows Explorer. The requested
data is served by EnCase to Windows Explorer, then to the program for scanning. In this case, the
MyDoom virus was found on the computer evidence mounted with VFS.

The examination reports and logs generated by the third-party tools can then be reviewed and
included in the investigator's report.

Other Tools and Viewers


The third-party tools and viewers available to the investigator for forensic examination are now
greatly expanded with VFS. To use them:
 Double click a file served by VFS to open the data with the assigned program according to the
file extension.

Assigning File Extension to a Program


To assign an associated program to an extension:
1. Select Folder Options from the Windows Explorer Tools menu.

2. In the Folder Options window, click the File Types tab.


3. Select the desired extension, and the Details for section lists the program designated for that
extension.

In this example, JPEG files open with Adobe Photoshop CSn.

4. Click the Change button.

5. Select or browse to the new program.



Unix or Linux Files


Some files, such as in Unix and Linux, do not have file extensions. To view them:
1. Right click the file and select Open.
2. In the Open With window, select the desired application from the Programs list and click OK.
3. If the application is not listed, click Browse to find the application executable, or allow
Windows to search the Internet (if connected).
4. Click Other if the appropriate application is not available.

WordPad can open most text-based files to allow you to view the contents. In the example
below, a Linux file is opened with WordPad in Windows Explorer from an evidence file
mounted with VFS.

QuickView Plus
Another popular viewing program, QuickView Plus, can be used to view dozens of file formats,
without the native applications installed on the examination machine.

Temporary Files Reminder


EnCase allows investigators to redirect temporary files to a Temp/Trash folder on a secondary hard
drive for faster cleanup after an examination, and to prevent confidential or contraband materials from
being redirected by Windows to the investigator's own temp folder on the operating system drive.
When a file mounted with VFS in Windows Explorer is opened with a third-party tool, the Windows
operating system controls the temporary file creation on the operating system drive. Remember to
check the Windows Temp folder to perform any necessary post-examination cleanup.

VFS Server
The VFS module has a server extension so that investigators can share the mounted evidence with
other investigators on the local area network/intranet through VFS. The extension enables clients to
mount the network share served by the VFS Server through a network connection, under the following
conditions:
 Only the machine that is running the VFS Server needs a security key (dongle) inserted.

A security key is not required to connect to the VFS Server and access the served data in
Windows Explorer.

 The client machine(s) must have EnCase installed to access the VFS client drivers, but can run
in Acquisition mode.

The number of clients that can connect to the VFS Server depends upon the number of VFS
Server connections purchased. This information is contained in the VFS Certificate or is
programmed into the security key.

To determine if the VFS Server is enabled and to view the number of available client connections, do
the following:
1. Select About EnCase from the Help menu.
2. If the VFS module is not listed, or the number of clients is insufficient, contact Guidance
Software Customer Service to purchase additional clients.

Configuring the Server


To configure the server:
1. On the VFS Server machine (with the security key inserted), open EnCase.
2. Open the case file(s).
3. Select the appropriate VFS mount point level:
• Case
• Drive/device
• Volume
• Folder
4. Right click the mount point and select Mount as Network Share.

You have the option of creating a network share from any of the cases, drives, or folders
within it. This allows you to share only what is necessary.

5. Since this is the VFS Server machine, select Establish local server for the location on the Server
Info tab.

6. Enter a Port number or use the default of 8177. The Server IP Address is grayed out since the
server's IP address is the one assigned to the machine where the mount is taking place.
7. Note the server machine's IP address for use with the client.
8. Set the maximum number of clients who can connect to the server, with the default being the
maximum allowed by your VFS Server certificate.

Since VFS is mounting the evidence as a networked shared drive, the serving port must be assigned.
To allow recovery from errors in Windows, the VFS service runs for the life of the Windows session
from that port.
The VFS Server can also serve the data locally to the investigator's machine. Be aware that this uses
one of the server connections.

Restrict Access by IP Address


By default, VFS Server is configured to allow access from all IP addresses. However, the preferred
method is to restrict access by IP address. To specify a range of machines:
1. To allow a contiguous range of addresses, select Allow IP Range and specify the high and low IP
values.

2. To allow individual addresses instead, select Allow specific IPs.


3. Right click in the Allowed IPs box.
4. Select New and enter the IP addresses.
5. To enter multiple IP addresses, repeat steps 3 and 4. To edit or delete existing IP addresses,
right click Allowed IPs.

6. Select the Client Info tab.



7. To also mount and view the shared drive locally, leave the Mount share locally box checked
and input a volume Letter.

By default, the volume letter field displays an asterisk, indicating that the next available drive
letter will be used. Mounting the share locally uses one of your VFS Server connections.

If you are only serving the share to remote clients, clear Mount share locally. The volume
letter is disabled.

The VFS Server mounts the share and allows connections on the assigned port. The shared hand icon
displays at the VFS mount point. You can continue your examination while it is shared. Performance
depends on the size and type of the examined evidence, processing power of the server and client
machines, and the bandwidth of the network.
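An added Python model of the access options described above, not EnCase code: AccessPolicy reproduces the all / range / specific choices, and VfsServerGate counts connections against the purchased limit with the local mount taking one slot; class and method names are assumptions.

```python
# Added example (not EnCase code): models the VFS Server access options.
# Behaviour follows the manual: the default allows all addresses; "Allow IP
# Range" admits low..high inclusive; "Allow specific IPs" admits only the
# listed addresses; the local mount consumes one purchased connection.
# Class and method names are assumptions.
import ipaddress


class AccessPolicy:
    """Which client addresses may connect to the VFS Server."""

    def __init__(self, mode="all", low=None, high=None, allowed=()):
        if mode not in ("all", "range", "specific"):
            raise ValueError("mode must be 'all', 'range' or 'specific'")
        self.mode = mode
        self.low = ipaddress.ip_address(low) if low else None
        self.high = ipaddress.ip_address(high) if high else None
        if mode == "range" and (self.low is None or self.high is None or self.low > self.high):
            raise ValueError("range mode needs low <= high")
        self.allowed = frozenset(ipaddress.ip_address(a) for a in allowed)
        if mode == "specific" and not self.allowed:
            raise ValueError("specific mode with an empty list would admit nobody")

    def permits(self, client):
        ip = ipaddress.ip_address(client)
        if self.mode == "all":
            return True
        if self.mode == "range":
            return self.low <= ip <= self.high
        return ip in self.allowed


class VfsServerGate:
    """Admission control for one mounted share: the IP policy plus the
    connection count allowed by the VFS certificate or security key."""

    def __init__(self, policy, max_clients, mount_locally=True, port=8177):
        self.policy = policy
        self.port = port                # default port quoted in the manual
        self.max_clients = max_clients
        self.active = set()
        if mount_locally:
            self.active.add("local")    # "Mount share locally" uses one connection

    def slots_free(self):
        return self.max_clients - len(self.active)

    def connect(self, client):
        """Return (accepted, reason) for a client connection attempt."""
        if not self.policy.permits(client):
            return False, "address not permitted by VFS Server IP policy"
        if client in self.active:
            return True, "already connected"
        if self.slots_free() <= 0:
            return False, "no VFS Server connections left"
        self.active.add(client)
        return True, "connected"

    def disconnect(self, client):
        """Client closed its connection; the slot becomes available again."""
        self.active.discard(client)


if __name__ == "__main__":
    # Constructed configuration: three purchased connections, one used locally.
    gate = VfsServerGate(AccessPolicy("range", low="10.0.0.10", high="10.0.0.20"), 3)
    for addr in ("10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.99"):
        print(addr, gate.connect(addr))
```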

Connecting the Clients


To connect the clients:
1. Install EnCase on the client.
2. Reboot the machine after installation for Windows to access the VFS drivers.

When launching EnCase, it is not necessary to have a security key present.

3. Click Tools > Mount as Network Share.


4. On the Server Info tab, enter the Server IP Address for the VFS Server machine, and enter the
port number on which the server is listening.
5. On the Client Info tab, select the Volume Letter to assign the share, or accept the next
available letter.
The confirmation message displays.
On the client machine, the share is available in Windows Explorer as gsisvr with the assigned drive
letter. The shared computer evidence can be examined as previously described.

Closing the Connection


When an investigator using a client machine has completed the examination of the shared drive, or
another investigator needs to use the connection, double click the progress bar at the lower right and
select Yes.
A confirmation window reports that the evidence is dismounted and the connection closed. The
shared hand icon is removed, indicating that Windows Explorer has disconnected the shared drive.
You can close EnCase on the client computer.
On the VFS Server machine, when all clients are finished and have dismounted the share, close the
VFS Server:
1. Double click the flashing Virtual File System bar in the lower right corner of EnCase.
2. You will be prompted to dismount the evidence file. Then you can close EnCase.

Troubleshooting
Virtual File System is not listed under Modules
If you are using cert files, check to see that the VFS certificate is located in the proper Certs directory
(typically C:\Program Files\EnCase7\Certs).
Make sure the security key is installed and working properly (check the title bar to ensure that the
software is not in Acquisition mode). You do not need to have the security key installed on a machine
connecting to a remote VFS Server.
If you are using cert files, the certificate file is issued for a specific security key. Check the security key
ID to verify it is the correct one issued for the certificate.

A device can be mounted locally, but a local server cannot be set up


Select About EnCase from the Tools menu and ensure that Virtual File System Server is listed under
Modules. If the Server is not displayed, you may have the wrong cert installed, or you do not have
access to the Server edition.

A connection to a device mounted on a remote VFS server cannot be made


Confirm the IP address and port number of the Remote Server. If the IP address is correct, ping the
address to ensure connectivity.
Make sure the device is still mounted on the remote server.
Check to see how many machines are connected to the server, and determine how many clients are
permitted to connect to a VFS Server by selecting About EnCase from the Tools menu on the machine
running the VFS Server. Determine the number of allowed clients by looking at the number listed next
to the Virtual File System Server module.
Note: If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.
CHAPTER 18

Physical Disk Emulator


In This Chapter
 Overview

 Using Physical Disk Emulator

 Third-Party Tools

 Boot Evidence Files and Live Systems with VMware

 VMware/EnCase PDE FAQs

 PDE Troubleshooting

Overview
The EnCase Physical Disk Emulator (PDE) module allows investigators to mount computer evidence
as a local drive for examination through Windows Explorer. The power of this feature is well
articulated in many forums. Most notably, this allows investigators many options in their
examinations, including the use of third-party tools with evidence served by EnCase.
We are committed to the concept of providing an integrated product to our customers. Third-party
tools continue to be developed to complement the core functions and features of EnCase, and
Guidance Software encourages their creation and use. PDE allows third-party access to all supported
computer evidence and file system formats. EnCase continues its evolution towards becoming a server
of forensic data, whether in an image file, a preview of an offline computer or hard drive, or a live
machine on a network.

Evidence File Formats Supported by EnCase PDE


EnCase PDE supports mounting of individual image files of hard drives and CDs, but not images or
previews of the local forensic machine's hard drive. All Image file formats and file systems that are
supported by the EnCase software can be mounted with PDE. In addition, the following live computer
forensic evidence is supported by PDE:
 Local machine preview of CDs
 Local machine preview of evidence hard drives through FastBloc® FE and LE hardware write-
blocking devices
 Crossover cable network preview of hard drives and CDs
 Parallel port preview of hard drives and CDs
 EnCase Enterprise and Field Intelligence Model (FIM) live network preview of hard drives
and CDs

Using Physical Disk Emulator


Note: Do not, under any circumstances, attempt to use PDE to mount EnCase images or previews of the local forensic
hard drives. Windows will blue screen if it detects multiple instances of the same drive. Use only evidence files of other
machines.

Starting Physical Disk Emulator


To mount a device using the Physical Disk Emulator, you must add a physical or logical disk image to
a case in the Entries subtab under Cases. PDE can only mount physical devices or volumes. If you
select a menu item from a non-mountable level, the PDE configuration is limited to client mode.

Using PDE
1. Select the device you want to mount as Physical disk in the Entries window pane in EnCase
and click Mount as Emulated Disk through the Device menu item and Share submenu item.

In the example below, an evidence file called BBasher.#01 is opened in EnCase and being
mounted as a physical disk.

The evidence file after being mounted looks like the example below in EnCase, Windows
Explorer, and Windows Disk Management control panel.

2. The Mount as Emulated Disk dialog displays.



Configuring the PDE Client


PDE assigns a local port the first time you run PDE. Afterwards the port number is disabled and you
cannot change it. To assign a new port number, close the Windows session and restart.
PDE does not use any other options in the Server Info tab.
To specify cache and CD options, click the Client Info tab.

Cache Options
If a physical device or volume (not a CD) is selected, decide whether to cache data. By default, caching
is disabled. Use the write cache if programs need to access the files in an emulated read/write mode.
If cache is enabled, changes made by programs are sent to a separate cache file specified on your local
system.
1. To create a new write cache file for an EnCase Differential Evidence File, clear the Disable
caching checkbox.
2. Select Create new cache in the Cache Type group and specify a Write cache path.
3. Alternatively, to reuse a previously saved cache, select Use existing cache and ensure the
existing write cache file is specified in the Write cache path field.
If you choose to use an existing cache path, make sure to use a write cache file that was created with
the evidence you are currently mounting.
Caching is necessary for PDE to function with VMware. In this state, Windows caches file deletions
and additions. This is used to boot the drive with VMware as described later in this section. Caching is
also necessary when mounting certain volume types.

CD Options
If a CD is mounted, the CD Session to view option is enabled to specify which session on a multi-
session CD should display in Windows. The default session is the last session on the active CD, which
is the one normally seen by Windows.
1. To view a prior session, select it from the CD Session to view option.
2. Click OK to continue.
3. If a message displays saying the software you are installing has not passed the Windows Logo
test, click Continue Anyway.

This allows Windows to add the evidence file as a drive with its own drive letter.

Note: If using VMware, you need the physical device number.


Verify that the evidence file has been mounted with a drive letter by browsing in Windows Explorer.
With the drive letter, you can apply third-party tools.
When the share is created, a sharing (hand) icon appears on the device in the interface.

Mounting Non-Windows Devices


Devices with file systems other than NTFS or FAT can be mounted using PDE; however, the volume
cannot be seen by Windows (although the physical device can be seen in Disk Management). The
process to mount such a device is the same as that used to mount an NTFS or FAT device.

Accessing the Local Disk in Windows Explorer


After mounting the disk with PDE in the EnCase interface, open Windows Explorer. The new volume
is represented with a hard drive icon, assigned a volume letter, and labeled as a local disk.
Browse the mounted drive in Windows Explorer:
 To open hidden files, enable Show hidden files and folders in Windows Explorer by selecting
Folder Options in the Tools menu
 To view deleted and system files and unallocated clusters, or to mount the evidence file, use
the EnCase Virtual File System module
Files and folders on the mounted device can be accessed in Windows in the same manner as if the
device were an additional drive, although changes will be written to cache (if in use) instead of to the
device itself.

Saving and Dismounting the Emulated Disk


If write caching is enabled when mounting the device, you can save virtual changes made to the
evidence file.

1. In the EnCase interface, click Save emulated disk state from the Device menu and the Share
submenu.

The cache is saved in the path specified for write caching. Each time after the initial save, an instance
number is appended to the cache file. These cache files can later be used to remount the evidence in its
saved state, but you must have all of the preceding cache files, located in the same directory.
To end the emulation:
1. Double click the flashing Physical Disk Emulator indicator in the lower right of the application
window.
2. Click Yes in the Thread Status window to cancel the disk emulation.

If caching is enabled when mounting evidence, this screen displays:

The purpose of the final cache is to create a compressed and merged Differential Evidence File
(*.D01) containing the cached data. With the Save Emulated Disk State option selected, there are
multiple cache files for the same mounted evidence session. The final cache merges all these files. If
there is no need to save the final file, select Discard final cache.
Use the Differential Evidence File to open the evidence file and view the emulated disk with the
cached changes applied.

To apply the cached data:


1. Right click the device.
2. Select Mount as Emulated Disk.
3. Click the Client Info tab.
4. Clear the Disable caching checkbox.
5. Select Use existing cache.
6. Browse in the Write cache path field to find the *.D01 file.

After the disk mounts, Windows Explorer reflects the cached changes.
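An added block-level model of the write cache described above, not EnCase code: EmulatedDisk keeps the evidence read-only, routes writes to the active cache instance, and final_cache merges every instance the way the final differential file does; apply_chain shows why a missing earlier cache file loses changes. Names are assumptions and the real *.D01 file format is not modelled.

```python
# Added example (not EnCase code): a block-level model of the PDE write cache.
# The evidence is never modified; writes land in the active cache instance;
# "Save emulated disk state" freezes that instance and opens a new one; the
# "final cache" merges every instance into one differential image.
# Assumed names: EmulatedDisk, final_cache, apply_chain. The on-disk *.D01
# format is not modelled.

BLOCK_SIZE = 512


class EmulatedDisk:
    def __init__(self, evidence, block_size=BLOCK_SIZE):
        if len(evidence) % block_size:
            raise ValueError("evidence must be a whole number of blocks")
        self._evidence = bytes(evidence)   # write-protected source
        self._block_size = block_size
        self.caches = [{}]                 # one dict (block -> data) per instance

    def read(self, block):
        """Newest cache instance wins; otherwise fall back to the evidence."""
        for cache in reversed(self.caches):
            if block in cache:
                return cache[block]
        start = block * self._block_size
        return self._evidence[start:start + self._block_size]

    def write(self, block, data):
        """Programs see a read/write disk, but bytes only reach the cache."""
        if len(data) != self._block_size:
            raise ValueError("write must be exactly one block")
        self.caches[-1][block] = bytes(data)

    def save_state(self):
        """'Save emulated disk state': freeze the current instance and open a
        new one. Returns the instance number appended to the saved file."""
        self.caches.append({})
        return len(self.caches) - 1

    def final_cache(self):
        """Merge all instances (later ones override earlier) into one dict,
        the equivalent of the merged differential file written on dismount."""
        merged = {}
        for cache in self.caches:
            merged.update(cache)
        return merged

    def evidence(self):
        return self._evidence


def apply_chain(evidence, caches):
    """Remount evidence with cache instances applied in order ('Use existing
    cache'). Leaving out an earlier instance silently drops its changes, which
    is why all preceding cache files must be present in the same directory."""
    disk = EmulatedDisk(evidence)
    for cache in caches:
        disk.caches.append(dict(cache))
    return disk


def build_sample_evidence():
    """Constructed 4-block evidence image: block n is filled with byte value n."""
    return b"".join(bytes([n]) * BLOCK_SIZE for n in range(4))


if __name__ == "__main__":
    disk = EmulatedDisk(build_sample_evidence())
    disk.write(1, b"\xaa" * BLOCK_SIZE)
    print("saved instance", disk.save_state())
    disk.write(2, b"\xbb" * BLOCK_SIZE)
    print("blocks in final cache:", sorted(disk.final_cache()))
```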

When the device is dismounted, a status screen informs whether the disk was dismounted
successfully.

Closing and Changing the Emulated Disk


To mount a different drive, first dismount the currently emulated drive as previously described. You
can then set a new mount point.
Note: Be sure to dismount evidence that is served through PDE before exiting. A reminder message displays if you attempt
to close the case or EnCase while evidence is mounted with PDE.

Temporary Files Redirection


EnCase allows investigators to redirect temporary files to a Temp/Trash folder on a secondary hard
drive for faster cleanup after an examination, and to prevent confidential or contraband material from
being redirected by Windows to the investigator's own temp folder on the operating system drive.
When opening a file mounted with PDE in Windows Explorer with a third-party tool, the Windows
operating system controls the temporary file creation on the operating system drive, and any
necessary post-examination cleanup is more involved.

Third-Party Tools
Investigators with the PDE Module can use Windows Explorer to browse the structure of computer
evidence. They can also utilize third-party tools capable of requesting and interpreting data from
Windows Explorer to examine evidence outside of EnCase. Guidance Software does not certify the
performance or accuracy of results obtained through any tools not developed by Guidance.

Using Third-Party Tools


The third-party tools and viewers available to the investigator for forensic examination are now
greatly expanded with EnCase PDE. To use a third-party tool, open the file as follows:
1. Double click a file served by PDE to have Windows Explorer request and receive the data from
EnCase.
2. Open the data with the assigned program according to the file extension.

Quick View Plus


A popular viewing program is Quick View Plus, which allows the investigator to view dozens of file
formats without the native applications installed on the examination machine.

Malware Scanning
A common use for EnCase PDE is to mount computer evidence for scanning for viruses, Trojans, and
other malware programs. First, mount the drive or volume from the evidence file through PDE.
In Windows Explorer, select the newly mounted drive (in this case, F:). If an antivirus program is
installed and integrated with Windows Explorer, it can be used to scan for viruses. The program reads
the emulated disk presented to Windows Explorer. EnCase serves the requested data to Windows
Explorer, then to the program for scanning.

Boot Evidence Files and Live Systems with VMware


Initial Preparation
For the Physical Disk Emulator to work properly, VMware version 4.5.1, build 7568 or later is
required. To use VMware to mount an evidence file:
1. Determine the operating system of the subject evidence file:
a. Use the Windows Initialize Case module from the Case Processor EnScript to determine
the operating system.
b. Check the contents of the boot.ini file, which is located on the partition root.
c. Examine the folder structure, noting the following:
• Windows 2000, XP, and 2003 Server all use the C:\Documents and Settings folder
for user profiles and folders.
• Windows NT and 2000 use the C:\WINNT folder for the system root.
• Windows 9X, XP and 2003 Server use the C:\Windows folder for the system root.
2. Mount the physical disk containing the operating system using Physical Disk Emulator. Make
sure to enable caching.
3. Determine what physical disk number is assigned to it using one of these methods:
• This information is provided when the device is mounted.
• Select the Disk Management option: right click My Computer in Windows, then select
Manage.

Note: There is currently an issue with VMware that prohibits VMware from booting a virtual machine located on a physical
disk that is preceded numerically by a SCSI, FireWire, or USB drive. For best results, ensure that only IDE drives are
plugged into the machine when you choose to mount as an emulated disk in the EnCase interface. This is easy to verify in
Disk Management. If you encounter a message stating "The specified device is not a valid physical disk device," it is most
likely a result of this issue. Do not use PDE to mount drives in an evidence file or preview of the local computer. Windows,
particularly XP, blue screens if it detects multiple instances of the same drive. Use only evidence files of other machines.

New Virtual Machine Wizard


To boot evidence files using VMware:
1. After you have gathered the needed information, launch VMware.
2. Select New Virtual Machine from the File menu.
3. At the New Virtual Machine Wizard screen, click Next.
4. Select Custom, then click Next.

5. Select the appropriate Guest Operating System radio button.

6. Select an operating system from the Version dropdown menu to identify the operating system
version installed on the evidence file, then click Next.
7. In the Name the Virtual Machine dialog, enter a virtual machine name.

As an option, you can click Browse to change the location for VMware's configuration files.

8. Click Next.

9. Assign the amount of memory for VMware to use, then click Next.

10. Select the type of network to use, then click Next.

Selecting Do not use a network connection is recommended in the event that there is some
type of malware installed on the machine the evidence file was created from.

11. Accept the default setting in the Select I/O Adapter Types dialog, then click Next.

12. Select Use a physical disk (for advanced users).

Ignore any subsequent warning messages.

13. Select the disk that represents the mounted drive using PDE.
14. Accept the default setting of Use Entire Disk, then click Next.
15. Use the default disk file specified in the Specify Disk File dialog, then click Finish.

If the disk file is not recognized as a Virtual machine, you can change the name of the file
(taking care to leave the .vmdk extension).

VMware returns to the main screen, showing the newly created virtual machine.

Booting the Virtual Machine


Boot the virtual machine by starting VMware and following these steps:
1. Click the link for Start this virtual machine next to the green arrow. The evidence file is write
protected by EnCase, but PDE enables a write cache that interacts with VMware as if it were
mounting a disk in read/write mode. When the virtual machine starts, the operating system is
shown as if the forensic machine were booting the drive. It boots in the same manner as the
native machine.

2. As with booting restored hard drives, the virtual machine may require a user name and
password to proceed.
3. Since popups (such as AOL Instant Messenger) can cause driver problems, save the state of
the virtual machine regularly.

VMware/EnCase PDE FAQs


Can live evidence be booted with VMware?
Live computer evidence (network nodes in EnCase Enterprise and local CDs) can be mounted with
PDE but cannot be booted with VMware.

What version of VMware should be used with EnCase PDE?


PDE/VMware integration is with VMware version 4.5 and higher.

Why won't VMware recognize an emulated (mounted) disk?


You must launch VMware after emulating the disk with PDE, as VMware does not recognize a
physical drive added since it was started. In addition, VMware does not successfully boot evidence
files which contain Windows with a non-default IDE driver. This is a known issue. Additional
information is available at http://www.vmware.com/support/kb/enduser/std_adp?p_faqid=36.

What do I do if I see the message "The file specified is not a virtual disk" after running the New
Virtual Machine wizard?
After completing the new virtual machine wizard in VMware, you may receive an error message ("The
file specified is not a virtual disk."). This issue is with VMware, not EnCase. Running the new virtual
machine wizard again usually resolves this issue.

How do I start a VMware machine with my saved EnCase differential file?


Mount the disk using the existing cache file.

Why does VMware not recognize some physical disks?


If your evidence is successfully mounted, but VMware states that the physical disk the image is
mounted on is not a valid physical disk, it may be a result of a non-IDE device on a lower physical
device than the emulated disk.

Windows XP keeps popping up windows about installing drivers when I boot.


The EnCase PDE Module installs GSI-specific IDE drivers to be loaded in order to emulate the disk as
a drive in Windows with an assigned drive letter. A virtual IDE controller is created that can be seen in
Device Manager. If Windows is allowed to load default IDE drivers, the module will not work
properly. You can prevent this by canceling the attempt from the popup window. Once you have
bypassed this message, you can save the state so the next time the system reboots, Windows does not
attempt to load the drivers again.

How do I restart a VMware session from a saved state?


VMware's suspend and resume feature allows you to save the current state of your virtual machine,
then resume later with the virtual machine in the same state as when you stopped it. Once you resume
and do additional work in the virtual machine, there is no way to return to the state the virtual
machine was in when you suspended it. To preserve the state of the virtual machine so you can return
to the same state repeatedly, you need to take a snapshot. Instructions for using the snapshot are
available on VMware's Web site at http://www.vmware.com/support/
ws45/doc/preserve_snapshot_ws.html. The speed of the suspend and resume operations depends on
how much data changed while the virtual machine was running. In general, the first suspend
operation takes a bit longer than later operations. When you suspend a virtual machine, it creates a file
with a .vmss extension. This file contains the entire state of the virtual machine. When you resume the
virtual machine, its state is restored from the .vmss file.
To suspend a virtual machine:
1. If your virtual machine is running in full screen mode, return to window mode by pressing
Ctrl + Alt.
2. Click Suspend on the VMware Workstation toolbar.
3. When VMware Workstation completes the suspend operation, it is safe to exit VMware
Workstation (Exit from the File menu).
To resume a virtual machine:
1. Start VMware Workstation and choose a virtual machine you have suspended.
2. Click Resume on the VMware Workstation toolbar.

Note that any applications you were running when you suspended the virtual machine are
running and the content is the same as when you suspended the virtual machine.

You can obtain additional VMware troubleshooting information from their knowledge base at
http://www.vmware.com/support/kb/enduser/std_alp.php?

PDE Troubleshooting
Physical Disk Emulator is not listed under modules when accessing About EnCase from the Help
menu

If you are using cert files, check to see that the PDE certificate is located in the Cert directory
(typically C:\Program Files\EnCase6\Certs).

Make sure the security key is installed and working properly (check the title bar to ensure that
the program is not in Acquisition mode).

If you are using cert files, check the security key ID to verify it is the correct one issued for the
certificate.

I can mount a device locally, but cannot set up a local server

Although menus exist for PDE Server operation, it is not currently functional.

A message is encountered stating that PDE cannot remove the device when attempting to
dismount the device mounted

The error message may occur if Windows is accessing a file on the mounted device (for
example, the directory is opened in Windows Explorer or a file is opened in a third-party
application). To resolve the issue, close all Windows applications accessing the mounted
device, then click OK.

An error message is encountered stating that you need to reboot your machine, followed by a
"Rejected connection" message

This issue is due to the device driver not being released properly. The only way to resolve this
issue is to close all applications (including the EnCase application) and reboot the forensic
machine. You should not encounter the error again when the machine is rebooted.

Note: If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical
Services.
CHAPTER 19

FastBloc SE
In This Chapter
• Overview
• Write Blocking and Write Protecting a Device
• Disk Caching and Flushing the Cache
• Troubleshooting

Overview
The FastBloc® SE (Software Edition) module is a collection of tools designed to control reads and
writes to a drive attached to a computer through USB, FireWire, and SCSI. It enables the safe
acquisition of subject media in Windows to an EnCase® evidence file.
When the FastBloc SE module's write blocking capability is enabled, it ensures that no data are written
to or modified on a write blocked device.

Write Blocking and Write Protecting a Device


Write Blocking a USB, FireWire, or SCSI Device
To write block a USB, FireWire, or SCSI device, EnCase intercepts the signal sent to Windows when a
device is attached to the computer. It then filters the driver for that device, enabling write protection.
There are three modes when using the FastBloc SE module on a USB, FireWire or SCSI device:
• Write Blocked: A write blocked device is protected against writing to or modifying files when
the device is attached to a PC.

Files deleted from or added to the device appear in Windows as modified, but the
modifications are saved in a local cache, not on the device itself. This mode does not prompt
errors when attempting to write to the drive.

• Write Protected: A write protected device is protected against writes or modifications when
the device is attached to a PC.

If writes or modifications to the device are attempted, Windows responds with an error
message.

• None: Removes write blocking from a device previously write blocked.


To write block a USB, FireWire, or SCSI device:
1. Make sure that the subject device is not attached.
2. Click Tools > FastBloc SE.

3. In the FastBloc SE dialog, select the Plug and Play tab.

4. Click Write Blocked. The progress bar indicates EnCase is waiting for a device to be inserted.
5. Insert the USB, FireWire, or SCSI device.
Note: Because some SCSI devices are not initially hot swappable, you may want to use a hot swappable
carrier to protect the device, such as the StarTech DRW150SCSIBK SCSI drive bay.
6. Click Close.

Verify Write Block


You can confirm successful write blocking of the device when previewing the device in EnCase:
1. Click the New icon on the top toolbar to open a new case and complete the required
information.
2. Click the Add Device icon.
3. Blue check Local Drives in the right pane, then click Next.

In the Choose Devices window, the device and volume (if present) on the write blocked
channel have a green box around the icon in the Name column, and a bullet appears in the
Write Blocked column for each.

Write Protecting a USB, FireWire, or SCSI Device


Follow the steps for Write Blocking a USB, FireWire, or SCSI Device, above, but in step 3, click Write
Protected.

Removing Write Block from a USB, FireWire, or SCSI Device


Removing a USB, FireWire, or SCSI Device
To remove a USB, FireWire or SCSI device:
1. Use the hardware removal tool in the System Tray in the lower right corner of the task bar to
remove the device.

In Windows XP, the tool is named Safely Remove Hardware.

2. Remove the device physically when the wizard confirms safe removal.

Removing Write Block from a Device


1. Click Tools > FastBloc SE.
2. Select the device where you want to remove write block, then click None.
3. Click Close to complete the process.

Removing Write Block from all Devices


1. In the FastBloc SE dialog, click Clear All.
2. Click Close.

Disk Caching and Flushing the Cache


To flush the write cache, reboot the computer or remove the media that is write blocked. Preview the
drive with the EnCase interface or browse using Windows Explorer to verify that the cache emptied.

Troubleshooting
The Write Block option does not appear in the Tools menu
Check that the security key is in the machine. If the security key is missing or not functioning properly,
EnCase opens in Acquisition mode.

Windows and EnCase do not recognize the attached device


Check all power and data connections to the device.
Check to see if the subject hard drive is spinning. If the device is connected via an external drive bay,
shut down the computer and try connecting the power connector (not the data connector) to a Molex®
power cable directly from the computer. Restart the computer. If the drive starts spinning, shut down
the computer again and swap cables.

If the subject drive does not spin, or is making unusual sounds (whirring, clicking, etc.), the drive may
be defective and you may not be able to acquire it by normal methods.
If the subject drive is spinning, check the data cables. You may want to try using a 40-wire cable if you
are using an 80-wire cable.
Check the USB or FireWire port to ensure proper functioning: insert a known good device. Make sure
the port is recognized in Device Manager.

Windows sees the subject drive, but EnCase does not


If you can see the physical drive but cannot see the contents of the drive, the EnCase interface may be
in acquisition mode. This may indicate that the security key is not installed.
You may have a corrupt version of EnCase. Uninstall EnCase, then download and reinstall the newest
version.
If possible, try to acquire on a completely different machine. This helps pinpoint the problem, as it
may be a hardware or operating system conflict.

Acquisition takes too long


If the acquisition started at a normal speed, then rapidly decreased later in the acquisition, there is a
good chance EnCase encountered bad sectors on the subject drive. Because the software makes
multiple attempts at reading bad sectors, acquisition time may increase.
Enabling compression dramatically increases acquisition time.
A completely slow acquisition may be the result of slower equipment.
If you are acquiring to external media (that is, the storage media is an external hard drive) the transfer
rates are significantly slower than with a directly connected hard drive.
If the subject drive is an older or slower model, acquisition speed is limited.
If the forensic machine has an older or slower storage drive, the acquisition is slowed by the drive's
write speed.
If you are acquiring a newer drive, try an 80-wire cable, as this allows faster throughput. Ensure the
FireWire/USB cable is securely connected at both ends.
If FireWire is not available, use a USB 2.0 connection (USB 2.0 is up to 40 times faster than USB 1.0). In
addition, when using USB, limit any other CPU-intensive tasks during the acquisition, since these
contribute to a loss of transfer speed.
Use FireWire ports whenever possible, since the interface is faster than USB.

Acquisition and verification hashes do not match


There may be a data integrity issue with the cable. Try using a 40-wire cable if you are using an 80-wire
cable, a shorter IDE cable, and/or a shielded IDE cable if possible.
Try using a different USB or FireWire cable.

There are different hash values each time the drive is hashed
This indicates a failing drive. Because the number of sector errors increases each time, hash values
change. Since the first acquisition typically contains the least number of bad sectors, use that file for
analysis.

There are multiple bad sectors after acquisition


This can indicate a defective drive. Ensure that the cables are securely connected to the controller and
the drive.

If the subject drive is in an enclosure when you try to acquire it, it may become hot during the
acquisition. Try removing the drive from the enclosure to keep it cooler, which may reduce the
number of sector errors.
CHAPTER 20

Deploying and Running Servlets
In This Chapter
• Overview
• Deploying Servlets
• Deploying Check In Servlets
• Deploying Windows Servlets
• Copying *NIX Servlets
• Deploying Linux Servlets
• Deploying Solaris Servlets
• Deploying AIX Servlets
• Deploying OS X Servlets
• HP-UX VxFS and Servlet Support
• Deploying NetWare Servlets
• McAfee ePolicy Orchestrator (ePO) Integration


Overview
To gather information from network machines, EnCase Enterprise uses servlets installed on the
individual machines. These servlets are verified with the SAFE using private/public key encryption
and are shown as running services on the target machines.
Once a servlet is deployed on the network machine, or node, it runs as a service with administrative
privileges and provides full access to the machine. After the SAFE server authenticates and verifies a
command from the examiner, the servlet executes it on the node machine.
You can use Check In servlets outside your network using an Internet connection. To investigate
machines using a Check-In servlet, use the Sweep Enterprise EnScript program.

Port Configuration
By default, the servlet service uses port 4445 to listen for commands from the SAFE server.
• A different port can be specified as part of the SAFE installation.
• If the SAFE port number and the device port number do not match, the servlet port number
should be specified when configuring the SAFE and adding the machine to the network tab.
• Non-default port numbers can be specified:
  • Navigate to Add Evidence > Add Network Preview and click Add Text List at the top of
  the Add Network Preview dialog.
  • Enter the machine name or IP address in this dialog as [machine name or IP]:[Port number].
• Guidance Software suggests that machines running on a non-standard port be individually
defined on the Network and Role tabs. By defining the machine on these tabs, the port
information is saved in the network tree, eliminating the need to type it in the Add Text List
dialog each time you connect to the node.
• Be sure that the address of the device is specifically included, either individually or within a
range, in the Network tab.
• Permissions must also be defined for that machine in the user role.
The servlet port number must be specified as detailed above when connecting. The servlet can be
installed using the -L switch to specify a different port number. See Deploying Windows Servlets on
page 401.

Supported Operating Systems


EnCase Enterprise supports the following operating systems for deploying and running servlets:

Windows XP (32 and 64-bit)
NT/2000
2003 Server (32 and 64-bit)
2008 Server (32 and 64-bit)
Vista (32 and 64-bit)
Windows 7 (32 and 64-bit)
Linux Kernels 2.2 and newer with the Process File System (procfs)
Solaris 8, 9, 10 (32 and 64-bit, SPARC)
AIX 4.3, 5.1, 5.2, and 5.3 (32- and 64-bit)
OS X 10.2+ (supported on Intel and PPC)
HP/UX 11.0, 11.1x, and 11.2x
NetWare 5.1 SP8, 6.0 SP4, and 6.5

The following variables are used in this chapter to refer to the specifics on your installation.

Variable         Description
<node>           Node machine name
<deploy path>    Path where the servlet will be installed. The following locations are used:
                 Linux: /usr/local/encase
                 Solaris: /var/spool/pkg
                 AIX: /opt
                 OS X: /usr/local/encase (if using xinetd) or /Library/Startupitems (if using launchd)
                 Netware: /system
<host path>      Path on the SAFE machine where the servlet resides (typically C:\Program
                 Files\EnCase SAFE\Servlets)
<servlet name>   Name of the servlet or package for Solaris and AIX nodes

Each servlet has unique command line switches.



Deploying Servlets
Deploying servlets consists of using enterprise push technology to install the servlet on the remote
machine. All enterprise push technologies require an agent running on the target systems to deploy
and execute files.
The steps for deployment and execution depend on which file is used and by which method you
would like to have the servlet executed.
You can deploy and execute the servlet in a variety of ways:
• Deploy the servlet as a service
• Deploy the executable file only and execute it when needed
• Execute the servlet via inetd or xinetd
• Execute the servlet via an initialization script
Some operating systems write to the registry or other parts of the system when an executable is
launched. If you do not wish to write to the file system, execute the servlet from other media such as a
CD-ROM, although some operating systems do not support operating the servlet from removable
media. See Running Windows Servlets as a Service or as a Process on page 402.
If you choose to execute your servlet from another device, you must manually place the media
containing the servlet in the appropriate location prior to executing it. For example, if a CD containing
the servlet is placed into a system’s CD-ROM drive, you need to know the drive letter of that CD-ROM
before you can execute the servlet remotely.
When deploying servlets, the following files are used:
• The Servlet contains the code to be executed on each network node. The name of the servlet
depends on the operating system.
• The Servlet Setup file is used on Windows operating systems only. This file contains multiple
servlets and automatically detects which servlet to install when you run the setup file. Its file
name is either setup.exe or setup.msi.
• The Servlet Package file is used on Solaris and AIX machines. These files contain multiple
servlets for multiple versions of the operating systems. The file names are GSIservl.tar for
Solaris and encase.servlet.rte.bff for AIX.
• The Servlet Configuration file is used for the Check In servlet exclusively on *Nix machines.
This file contains the information used to check in that is otherwise contained in the Windows
Registry for Windows machines.

Deploying Check In Servlets


Check In servlets are used in organizations with mobile users not connected continuously to the
network.
To define Check In servlet parameters and define on which computers you want to use this feature see
Creating the SAFE Machine Token.
If you have an existing infrastructure and have performed a quick update instead of the full update,
you can still use the Check In servlet by modifying the existing servlets. Do this by specifying the
parameters and machines with the Sweep Enterprise EnScript Program or, in the case of Unix/Linux-based
machines, copying an extra file to the machine. See Deploying Using Sweep Enterprise, Copying *NIX
Servlets Using SSH and SCP on page 413, and Copying *NIX Servlets Using Telnet and FTP on page 414.
To investigate machines using the Check-In servlet, use the Sweep Enterprise EnScript Program.

The procedure for removing the Check-In servlet depends on whether the servlet resides on a Unix or
Windows system.

Deploying Windows Servlets


The Microsoft Windows servlet name is enstart.exe. All Windows servlet files are incorporated
into a single executable, setup.exe. The servlet setup file for the XP and 2000 operating systems is
setup.msi. This file deploys the servlet using Active Directory.
The Windows servlet includes a snapshot kernel driver that is integral to the servlet, and is used when
providing snapshot data. This file is named enstart.sys. It is automatically dropped into
%windir%\system32\ when installing using setup.exe. If enstart.exe is manually deployed or
running as a process, then this driver file is not included and memory acquisitions and snapshots will
not be possible.
The following options are used with enstart.exe.

Option      Description
-l <port>   Specifies the port where the servlet listens
-diag       Returns the following diagnostic codes:
              0  Status OK
              1  No Node Certificate
              2  No Security Key
              4  No Serv (a problem exists with the service)
              8  No Port (unable to bind to port; port already in use)
-run        Runs the server in the console
-c          Starts the server in the console (32-bit servlets only)
-h          Displays a help message

The following options are used with setup.exe and setup.msi.

Option      Description
-drop       Drops this servlet to the local directory
-p <path>   Sets the path for installing the servlet binaries; the default is %systemroot%\system32
-n <name>   Sets the name of the servlet binary and the service name; the default is enstart.exe for the
            binary and enstart for the Windows Service Name
-r          Removes the service, the registry entry, and the binary; this does not remove the directory
            where the binary resides
-s          Starts servlet in stealth mode, hiding it from the Task Manager (32-bit servlets only)
-l <port>   Specifies the port where the servlet listens
-h          Displays a help message
-c          Enables servlet check in functionality when used with setup.exe.


With setup.msi, the following command line should be used:
Msiexec.exe /I setup.msi /quiet ENSTCMDLINE=-c

There are several methods you can use to deploy servlets to Windows machines:
• Active Directory
• Domain Push
• PsTools
• IPC$ and PsExec
• Removable Media and PsExec
Which method you should use depends on your network configuration and user account/password
policy.

Running Windows Servlets as a Service or as a Process


When deploying servlets for Windows machines you need to determine if you want the servlet to run
as a service or as a process.
• When running as a service the servlet is run every time the network node is rebooted. This
method requires making registry entries to the system.
• Running as a process runs the servlet once; if the node is rebooted, it will no longer run the
servlet. Running the servlet as a process does not allow memory acquisitions or snapshots.

Running Windows Servlets as a Service


Installing the servlet to run as a service requires the setup.exe file. This file determines the version
of your operating system and installs the correct servlet.
Before deploying servlets to remote nodes as a service:
• Configure the following Windows Administration tool settings to:
  • Enable the following Windows services:
    − Remote Procedure Call (RPC)
    − DCOM Server Process Launcher
    − WMI Performance Adapter
  • Disable the following Windows services:
    − Windows Firewall (or add it to the rules to allow incoming port)
    − In Vista, disable the Windows Firewall service and add it to the rules to allow
      incoming port
  • Synchronize the Local Security Policy between the remote node and the deploying
    machine.
    − Navigate to Administration tools Local Security Policy > Local Policies > Security
      Options > Network access: Sharing and security model for local accounts.
    − Set to Classic.
• Ensure that you have a SAFE installed and running on your network.
To run your servlet as a service:
1. Copy setup.exe or setup.msi from C:\Program Files\EnCase SAFE onto the node
using any of push technologies described in this chapter.
2. From the command line, execute one of the following commands:
• For the executable servlet, execute setup.exe -<options>
• For the msi servlet, execute msiexec.exe /i setup.msi /quiet ENSTCMDLINE=
"<options>"
− See notes below if you are using the msi servlet.
− ENSTCMDLINE is case sensitive.
The setup file automatically determines the operating system version and installs the correct servlet.
If you are using the msi servlet:
1. If you run the msiexec command on a machine that already has the msi and servlet
installed, it uninstalls the msi, but not the servlet. Running it again re-installs the msi, but does
not affect the servlet.
Note: If you want to remove the msi, you need to use the /x switch with msiexec.
2. If you want to uninstall the servlet and msi by using the msi, the only way to do it is to create
a batch file similar to the one below and execute it on the remote system, in the same directory
that setup.msi is located.
@echo off
REM Uninstall the msi package (using the /x switch)
Msiexec.exe /x setup.msi /quiet
REM Install the msi, but feed the servlet setup file "-r" so that it uninstalls the servlet
Msiexec.exe /I setup.msi /quiet ENSTCMDLINE="-r"
REM Uninstall the msi package (again)
Msiexec.exe /x setup.msi /quiet
3. If you have a problem feeding the command line options to the msi, it is possible to edit the
msi as follows:
a. Set a Property with a name of ENSTCMDLINE
b. Set a Value of the command line options, such as -nABCDE_INFOSEC_Svc -c
Note: If you edit the msi database using tools such as Orca, and set the above property within the msi,
you do not need to send the command line to the remote system.

Running Windows Servlets as a Process


Running the servlet as a process does not allow memory acquisitions or snapshots.
Ensure that you have a SAFE installed and running on your network.

To run your servlet as a process:


1. Copy enstart.exe file from C:\Program Files\EnCase SAFE\Servlets onto the
node using any of push technologies. If the node is a 64-bit machine, copy enstart64.exe.
2. From the command line, execute enstart[64].exe -run -<options>.

Deploying Windows Servlets with Active Directory


Deploy servlets using Microsoft Active Directory by following these general steps.
• Identify target systems and users. Make an inventory of the platforms in use and determine if
all target systems are members of the Active Directory.
• Create a central distribution point. Select a central location from which to deploy or initiate
servlet installation. The target systems must be able to see this location.
• Place setup.exe or setup.msi, generated during SAFE installation, in the central location.
• Create a Push Script. This is a custom script that installs the servlet from the central
distribution point onto the target system and runs when a user logs in. See below for an
example.
• Deploy the Push Script.
  • Place the script in your Active Directory controller so that it is run upon login.
  • Place the push script in the location containing the servlets.
  • Configure your domain so that the script executes each time the user logs on.
  • Place the script on the Active Directory controller under
  C:\%systemroot%\sysvol\domain\scripts.
  • Add the script to the Domain Users Properties box under the Profile tab.
  • Logging on to a target system opens and runs a dialog showing enpush.bat.
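As an added example (this is not Guidance Software's enpush.bat, which the manual does not reproduce), the PowerShell script below does the push script's job: if the servlet service is not already registered on the node, it runs setup.exe from the central distribution point and records the result. The share \\DIST01\Servlets, the log file location and the exit codes are assumptions; enstart, setup.exe, the -l option and port 4445 are the names and defaults given in this chapter.

```powershell
# enpush.ps1 (added example). Installs the EnCase servlet from the central
# distribution point when the servlet service is not yet present on the node.
$DistributionPoint = '\\DIST01\Servlets'   # assumed: your central distribution point
$ServiceName       = 'enstart'             # default service name (setup -n changes it)
$ServletPort       = 4445                  # default listening port (setup -l changes it)
$LogFile           = Join-Path $env:TEMP 'enpush.log'   # assumed log location

function Write-PushLog {
    param([string]$Message)
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" |
        Out-File -FilePath $LogFile -Append -Encoding ascii
}

# The script runs at every logon, so it must be safe to repeat: do nothing
# when the servlet service already exists.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    Write-PushLog "$ServiceName already installed (status $($svc.Status))"
    exit 0
}

# Registering a service needs administrative rights on the node.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-PushLog 'not running with administrative rights; install skipped'
    exit 2
}

# The target must be able to see the distribution point.
$setup = Join-Path $DistributionPoint 'setup.exe'
if (-not (Test-Path -LiteralPath $setup)) {
    Write-PushLog "distribution point not reachable: $setup"
    exit 3
}

# setup.exe detects the OS version and installs the matching servlet.
# -l <port> sets the listening port; add -c to enable Check In.
$proc = Start-Process -FilePath $setup -ArgumentList "-l $ServletPort" `
    -Wait -PassThru -NoNewWindow
Write-PushLog "setup.exe exited with code $($proc.ExitCode)"

# Report success only once the service is actually registered.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Write-PushLog "$ServiceName installed"
    exit 0
}
Write-PushLog "$ServiceName not found after setup"
exit 4
```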

Deploying Windows Servlets Using a Domain Push


If you do not use Active Directory, you can push the servlets using your Domain.
Make sure that you have created a push script as described in Deploying Windows Servlets with Active
Directory on page 404.
1. Deploy the push script to a central location on the domain controller.
2. Add a user or group profile using User Manager that points to the location of your push
script.
3. Specify in the user's profile that the servlet is installed via the push script when the user
authenticates.

Deploying Windows Servlets Using PsTools


Traditionally, a combination of net use, xcopy, and PsExec utilities is used to manually deploy the
servlet from a Windows examiner to a Windows NT-based target machine. With newer versions of
PsTools, however, PsExec can perform all these functions. These tools can save deployment time;
however, files are copied to and deleted from the remote machine and services are started and stopped
throughout the process.
For complete details, refer to the Microsoft TechNet Internet site at http://technet.microsoft.com.

Using PsTools to Deploy Servlets to a Single Machine


The prerequisites for installing PsTools are:
• Know the IP address of the node you want to install the servlet on
• Have an administrative account and password to the node
• Know the absolute path to the servlet
1. Open a command shell on your Examiner machine.
2. Execute the following command:
psexec \\<targetIP> -u <administrative_account> -p <password> -s -c <absolute_path_to_servlet>
Note: If you do not use the -p option (to allow a password) in the command line, you must enter it
later. When using the -p option, the admin level password is visible in plain text on the screen.

Even though PsExec returns an error, it completes with an error code of 0. Running net start
on the remote machine verifies that enstart is running.

Note: The PsExec utility transmits the password across the network in plain text, which may present a
problem if intercepted by unintended persons using a packet sniffer.

Using PsTools to Deploy Servlets to Multiple Machines


To deploy to multiple machines using PsTools, prepare a text file that includes the IP addresses of all
of the nodes to which you want to deploy the servlet.
You also need:
• An administrative account and password to the node
• The absolute path to the servlet
1. Open a command shell on your Examiner machine.
2. Execute the following command:
psexec @e:\deploy\export.txt -u <administrative_account> -p <password> -s -c <absolute_path_to_servlet>
If the -p option (to allow a password) is not used in the command line, you are prompted to type it
later. With the -p option used, the admin level password is visible in plain text on the screen. Do not
use this option if there are others present with whom you do not wish to share this password.
Note: The PsExec utility transmits the password across the network in plain text, which may present a
problem if intercepted by unintended persons using a packet sniffer.

Even though PsExec returns several errors, it completes each node with an error code of 0. Running
net start on any of the successful remote machines verifies that enstart is running.

Creating a Text File of Nodes


When creating the list of nodes to which you want to deploy the servlet, you can add all nodes to the
network tree and then export the list of machines to a text file. This text file can then be used to quickly
input the list of nodes.
1. Create all the nodes in the Network tab.
2. From the Add Evidence dropdown, select Add Network Preview. The Add Network Preview
dialog displays.
3. Select the folder that contains the nodes you wish to add. If you wish to create a partial list of
nodes, blue check the nodes you wish to include.
Deploying and Running Servlets 407

4. Click the down arrow on the far right of the Add Network Preview dialog and select Save As.
The Save As dialog displays.

• Select Only Checked Rows if you wish to include only the machines you have blue
checked in the current view.
• Set the Stop row to the maximum number of rows that EnCase will include in the
export file. Set this equal to the last row number if you wish to include all machines in the
view. This value must be assigned even if you are exporting only checked rows.
• Select only the Name field from the list of available fields.
• Keep the Output Format default (Tab Delimited).
• Specify the desired export path and filename.
5. When done, click OK to export the list.
6. In the output file, you need to remove the line numbers and column header fields before
PsExec can use the file. The information can be removed by any desired method. Two
suggested methods are:

• Drag and drop the exported file into a blank Excel spreadsheet. Excel should
automatically format the data into two columns. The first column and first row can be
deleted for clarity. Alternately, the list of machines starting on row 2 can simply be
copied and pasted into a text editor such as Notepad and saved. If there are any leading
spaces in the machine names, they can be removed by doing a find and replace in Excel or
Notepad (set the find value to a space character and replace it with nothing).

• Use a text editor that is capable of selecting columns (such as Notepad++) to simply
highlight and delete the unnecessary information.
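As an added example (not from the guide), the following POSIX shell function performs the cleanup from step 6 non-interactively: it drops the header row and the row-number column of the tab-delimited export, trims leading spaces, and writes one node name per line in the form psexec @file expects. It assumes a POSIX shell with awk on the examiner machine (for example Git Bash or Cygwin); the sample export and the node names in it are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the EnCase guide: turn the tab-delimited "Name" export
# into a bare one-name-per-line list for "psexec @file".
# Assumes a POSIX shell with awk is available on the examiner machine.

# Constructed sample export (not a real EnCase file): header row, a row-number
# column, a Name column, leading spaces in some names, and a trailing blank line.
SAMPLE_EXPORT=$(printf '\tName\n1\t WS-FINANCE-01\n2\tWS-FINANCE-02\n3\t  10.0.0.15\n\n')

# clean_node_list reads the export on stdin and prints one node per line:
#  - the header row (first line) is dropped
#  - only the second tab-separated field (Name) is kept
#  - CR characters (CRLF exports) and leading/trailing blanks are stripped
#  - empty names are dropped
clean_node_list() {
    awk -F'\t' '
        NR == 1 { next }                 # skip the "Name" header row
        {
            name = $2
            sub(/\r$/, "", name)         # tolerate CRLF line endings
            sub(/^[ \t]+/, "", name)
            sub(/[ \t]+$/, "", name)
            if (name != "") print name
        }'
}

# count_nodes prints how many nodes survive the cleanup; compare it with the
# number of machines you checked in EnCase before handing the file to PsExec.
count_nodes() {
    clean_node_list | wc -l | tr -d ' '
}

# Usage: write the cleaned list next to the original export, e.g.
#   printf '%s\n' "$SAMPLE_EXPORT" | clean_node_list > nodes.txt
```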

Deploying Windows Servlets Using IPC$ and PSExec


To use IPC$ in conjunction with PsExec when deploying servlets, you must first map an IPC$
connection.
The ability to map an IPC$ connection may be disabled on the target system, or denied through
network permissions. You only need to create the IPC$ connection if the account used to log into the
client system is not a member of the local administrator group on the target system(s), or a member of
the domain administrator group. You must have administrator credentials to deploy servlets.

Creating IPC$ Connections


If you want to create multiple specific IPC$ connections, you must have created a text file containing
the names of each node.

If you are creating multiple IPC$ connections (specific or all nodes on a subnet), every node machine
must have one common username.
1. Open a command shell on the examiner machine.
2. Execute one of the following commands:
• For a single node:
  net use \\<node name>\ipc$ /u:<username> <password>
• For multiple, specific nodes:
  for /f %1 in (<node list>) do net use \\%1\ipc$ /u:%1\<username> <password>
• All nodes on a subnet:
  for /L %1 in (1,1,254) do net use \\<A.B.C>.%1\ipc$ /u:<username> <password>

Parameter     Description
<node list>   The text file containing the list of node names; the default name is export.txt
<node name>   The name of the node with the IPC$ connection
<A.B.C>       The first three octets of the IP address subnet to which you want to deploy, for
              example, 10.0.0
<username>    The common username on all systems where you want to deploy
<password>    The common password on all systems where you want to deploy; if you want to be
              prompted for the password, use an asterisk (*)

Enter the password for the node if prompted and press Enter.

3. Confirm the IPC$ connection by executing the command: net use

After IPC$ is connected, you can deploy by copying the servlet to the nodes.

Copying the Servlet Using XCOPY


Once you have an IPC$ connection mapped, do the following to copy the servlet over to your nodes.
1. Open the command shell on your Examiner machine.
2. Execute one of the following commands:
• Copying to a single node:
  xcopy /v <servlet> \\<node name>\c$
• Copying to multiple specific nodes:
  for /f %1 in (<node list>) do xcopy /v /y <servlet> \\%1\c$
• Copying to an entire subnet:
  for /L %1 in (1,1,254) do xcopy /v /y <servlet> \\<A.B.C>.%1\c$

Parameter     Description
<servlet>     The name of the servlet, usually setup.exe for running as a service, and enstart.exe
              for running as a process
<node name>   The name of the node for the IPC$ connection
<node list>   The text file containing the list of node names; the default is export.txt
<A.B.C>       The first three octets of the IP address subnet where you want to deploy, for
              example, 10.0.0

Now that you have copied the servlet to the node, you need to execute the servlet. See
Executing the Servlet using PsExec on page 410.

Executing the Servlet using PsExec


In order to execute the servlet using PsExec, you must set up the following:
 IPC$ connection established with the node
 Servlet copied to the node
 If you want to execute the servlet on multiple specific nodes, a text file containing the names
of each node
1. Open a command shell on your Examiner machine.
2. Execute one of the following commands:
• Executing a servlet on a single node:
  psexec \\<node name> -s <servlet> <servlet options>
• Executing a servlet on multiple specific nodes:
  for /f %1 in (<node list>) do psexec \\%1 -s <servlet> <servlet options>
• Executing the servlet on every node of a subnet:
  for /L %1 in (1,1,254) do psexec \\<A.B.C>.%1 -s <servlet> <servlet options>

Parameter          Description
<node list>        The text file containing the list of node names; the default name is export.txt
<node name>        The name of the node with the IPC$ connection
<A.B.C>            The first three octets of the IP address subnet to which you want to deploy, for
                   example, 10.0.0
<servlet>          The name of the servlet, usually setup.exe for running as a service, and
                   enstart.exe for running as a process
<servlet options>  Any servlet options you want to use

Running net start on the remote machine verifies that enstart is running.

Deploying Windows Servlets Using Removable Media and PsExec


When you want to deploy the servlet but do not want to copy the servlet onto the node, it is best to
deploy using removable media and PsExec.
1. Copy your servlet onto removable media. Typically the servlet is enstart.exe. You do not want
to use setup.exe, as it creates a copy of itself on the node machine.
2. Insert the removable media into the node machine.
3. From your examiner machine, open a command shell.
4. Execute the command:
   psexec \\<node name> -s <servlet path> -r

Parameter        Description
<node name>      The name of the node with the IPC$ connection
<servlet path>   The location and path of the servlet, usually enstart.exe for running as a process,
                 or setup.exe for running as a service

Running net start on the remote machine verifies that enstart is running.

Copying *NIX Servlets


Because of the number of different distributions in Unix, there is no setup file. Instead, Guidance
Software provides the servlet for you to install as your distribution permits.
The following command line options are used with all *nix servlets:

Option      Description
-d          Runs as a daemon
-i          Uses stdin/stdout (inetd or xinetd)
-p <path>   Specifies the servlet path. Used for auto-updating. Do not use when running from
            read-only media. Do not include the servlet itself with the -p option; instead,
            provide the path where it resides.
-h          Displays a help message
-l <port>   Specifies the port where the servlet listens



You can copy the servlet to the nodes using one of the following:
 Removable media (see Copying *NIX Servlets Using Removable Media on page 413)
 SSH and SCP (see Copying *NIX Servlets Using SSH and SCP on page 413)
 Telnet and FTP (see Copying *NIX Servlets Using Telnet and FTP on page 414)

Copying *NIX Servlets Using Removable Media


Deploying your servlet using removable media offers an extra layer of security because you do not
open a command shell across the network.
In order to copy the servlet using removable media, you need the following:
 Make sure your removable media contains enough storage space to fit the servlet and any
additional servlet configuration files. Many of the servlets do not fit on a floppy disk.
 You must have physical access to the machine to which you want to deploy the servlet.
 You must know the specific instructions for mounting the removable media for your
distribution.
1. Insert media into your SAFE computer or another computer that contains the servlet and
servlet configuration files.
2. Copy the servlet and the servlet configuration file to the removable media. The servlet and
servlet configuration file are usually located at C:\Program Files\EnCase SAFE\Servlets on
your SAFE.
3. Remove the media and insert it into the machine to which you want to copy the servlet.
4. Mount the device using the instructions specified in your operating system documentation.
For example, this command mounts a floppy drive on a Linux system:
   mount -F pcfs /dev/diskette /floppy
Note: If you are using Solaris and the mount command gives an error, you may need to run the
command volcheck before the mount command.
5. Create a destination folder using the command: mkdir -p <deploy path>
6. Copy the servlet using the command: cp <mount point>/<servlet name> <deploy path>
If you want to use the check-in feature, perform these steps.
1. Copy the servlet configuration file using the command: cp <mount point>/nixcheckin <deploy path>
2. Rename the nixcheckin file using the command: mv nixcheckin .<servlet name>
3. Make the servlet executable using the chmod command: chmod 700 <deploy path>/<servlet name>

Copying *NIX Servlets Using SSH and SCP


Secure Shell (SSH) and Secure Copy (SCP) are recommended over other methods because they offer an
added layer of security.
From a machine containing the servlet or installation package:
1. Establish a connection by executing the command:
   ssh2 root@<node>
2. Enter the password for the root account.
3. Create a destination folder using the command:
   mkdir -p <deploy path>
4. If you are copying to a location that is not yet mounted (such as a network share), mount it
now.
5. Copy the servlet using the command:
   scp2 <host path>\<servlet name> root@<node>:<deploy path>
Enter the password for the root account and the transfer will start.
If you want to use the check-in feature:
1. Copy the servlet configuration file using the command:
   scp2 <host path>\nixcheckin root@<node>:<deploy path>
Enter the password for the root account. The transfer will then start.
2. Rename the nixcheckin file using the command:
   mv nixcheckin .<servlet name>
3. Make the servlet executable using the command:
   chmod 700 <deploy path>/<servlet name>

Copying *NIX Servlets Using Telnet and FTP


If your node machine does not have Secure Shell (SSH) or Secure Copy (SCP) installed, you can Telnet
into the machine and use the File Transfer Protocol (FTP).
1. Connect to your node using the command: ftp <node>
2. Enter your username and password.
3. Enter bin to set the file transfer mode to binary.
4. Transfer the file using the command: put <host path>/<servlet name> <deploy path>/<servlet name>
5. If you want to use the Check In feature, transfer the servlet configuration file using the
command: put <host path>/nixcheckin <deploy path>/.<servlet name>
Note: This command transfers the nixcheckin file and renames it to a file with the same name as your
servlet, preceded by a dot.
6. Enter quit to exit FTP.
7. Make the servlet executable using the command: chmod 700 <deploy path>/<servlet name>

Deploying Linux Servlets


The Linux servlet is typically named enlinuxpc. The servlet supports Linux versions that meet or
exceed the following criteria:
 Kernel is 2.2 or greater
 Must have the Process File System (procfs)
When using Auto-Update with Linux servlets, the servlet must be executed specifying the auto-update
path using the -p option.

The process for deploying a Linux servlet is as follows:
1. Copy the servlet using removable media, SSH and SCP, or Telnet and FTP.
2. Determine how you want to deploy the Linux servlet. There are several possible methods:
• Running the servlet as a process
• Deploying using xinetd
• Deploying using inittab
• Deploying using inetd
Verify the servlet is connected using one of the methods discussed in Verifying Servlet Deployment on
page 444.

Running a Linux Servlet as a Process


When running the servlet as a process, the servlet will not run after the node machine has been
rebooted.
1. Copy the servlet to the node using removable media, SSH and SCP, or Telnet and FTP.
2. Insert the following before the STARTX command:
LOAD <servlet name>

Deploying the Linux Servlet Using xinetd


There are several ways to deploy a Linux servlet using xinetd. The directions here apply to a Red Hat
distribution.
1. Establish an SSH session by executing:
   ssh2 root@<node>
2. Verify that xinetd is running using the command:
   ps aux | grep xinetd | grep -v grep
If you receive similar output, xinetd is running and you can proceed:
   root 1270 0.0 0.1 2048 828 ? S Sep09 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
3. Create a configuration file named enlinuxpc in the /etc/xinetd.d directory.
4. Using a text editor such as vi, insert the following text into the file, then save and close it.

   service enlinuxpc
   {
       socket_type = stream
       protocol    = tcp
       port        = 4445
       type        = UNLISTED
       wait        = yes
       user        = root
       server      = /usr/local/encase/enlinuxpc
       server_args = -i -p /usr/local/encase
   }

5. Restart the xinetd service by issuing the following command:
   /etc/rc.d/init.d/xinetd restart
The output shown below indicates xinetd has restarted.
   Stopping xinetd: [ OK ]
   Starting xinetd: [ OK ]
After xinetd restarts, the servlet executes. For confirmation that the servlet is running, see Verifying
Servlet Deployment on page 444.

Deploying the Linux Servlet Using inittab


You can deploy the Linux servlet by having inittab execute a script at the desired run level. In Linux this
is run level three. This example is for SUSE 9.3.
1. Establish an SSH session:
   ssh2 root@<node>
2. Create a script called <servlet name> in the /etc/init.d directory.
3. Using a text editor such as vi, insert the following text into the file, then save and close it.

   #!/bin/sh
   # This script automatically starts and stops the <servlet name> servlet

   pid=`/usr/bin/ps -e | /usr/bin/grep enlinuxpc | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`

   case "$1" in
   'start')
       <servlet path name> -d -p <servlet path>
       ;;
   'stop')
       if [ "${pid}" != "" ]
       then
           /usr/bin/kill ${pid}
       fi
       ;;
   *)
       echo "usage: /etc/init.d/enlinuxpc {start|stop}"
       ;;
   esac

A symbolic link must be placed in the desired run level to call the script. The best run level to use in
Linux is three. Set this as follows:
   cd /etc/init.d/rc3.d
   ln -s /etc/init.d/enlinuxpc S94enlinuxpc
For confirmation that the servlet is running, see Verifying Servlet Deployment on page 444.

Deploying the Linux Servlet using inetd


To deploy the Linux servlet from inetd:
1. Confirm that inetd is running by executing the command:
   ps -ef | grep inetd | grep -v grep
If you receive output similar to the following, inetd is running and you can proceed.
   root 423 1 0 18:44:57 ? 0:00 /usr/sbin/inetd -s
2. Add a line to /etc/inetd.conf that refers to your servlet. Here is an example:
   <servlet name> stream tcp6 wait root <deploy path>/<servlet name> <servlet name> -i -p <deploy path>
Make an entry in the /etc/services file for the port the servlet will listen on, as follows:
   <servlet name> 4445/tcp # EnCase Servlet
For confirmation that the servlet is running, see Verifying Servlet Deployment on page 444.

Deploying Solaris Servlets


Solaris Servlet Files
The Solaris servlet differs from the Linux servlet in that it has separate files for each distribution and
kernel and it requires special drivers to function properly. The typical servlet name is
ensolsparc<version number> or ensolsparc<version number>64.
All Solaris servlet files are incorporated into a single package, called GSIservl.tar, which you can
install with the pkgadd utility. Individual servlet files are located on the SAFE machine in
C:\Program Files\EnCase SAFE\Servlets.

Solaris Version
It is important to identify the version of Solaris you are using to deploy the correct servlet. After
logging into Solaris, note the information that is given to you. The version is the number immediately
after the decimal point. For example:
Solaris 8: Sun Microsystems Inc. SunOS 5.8 Generic Patch December 2002.
Solaris 9: Sun Microsystems Inc. SunOS 5.9 Generic May 2002.
You can also get the version using the following command: dmesg | grep bit
The command gives you the Solaris version in a format such as:
   Feb 13 10:07:06 soldev9-64x genunix: [ID 540533 kern.notice] ^MSunOS Release 5.9 Version Generic_112233-07 64-bit

Identifying the Solaris Kernel


It is important to identify the Solaris kernel in order to deploy the correct servlet.
There are two ways to identify the kernel:
1. Analyze the dmesg output by executing the command: dmesg | grep bit. The last portion
of the dmesg output contains the kernel type. In this example, the kernel is 64-bit.
   Feb 13 10:07:06 soldev9-64x genunix: [ID 540533 kern.notice] ^MSunOS Release 5.9 Version Generic_112233-07 64-bit
2. Identify the kernel by analyzing the eeprom information by executing:
   /usr/sbin/eeprom | grep boot-file
The result of the message indicates the kernel:
   32-Bit - data not available
   32-Bit - kernel/unix
   64-Bit - boot-file: data not available
   64-Bit - boot-file=kernel/sparcv9/unix
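As an added example (not from the guide), the following POSIX shell functions apply the two identification rules above together with the naming rule ensolsparc<version number> / ensolsparc<version number>64 from the Solaris Servlet Files section, so that the servlet file name is derived from the release string and the kernel width rather than read off by hand. The sample release and eeprom strings are constructed copies of the formats shown on the page, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the EnCase guide: pick the Solaris servlet file name
# from (a) the SunOS release and (b) the kernel width, as the guide describes.

# Constructed sample lines in the formats shown above (dmesg, eeprom):
SAMPLE_DMESG='Feb 13 10:07:06 soldev9-64x genunix: [ID 540533 kern.notice] ^MSunOS Release 5.9 Version Generic_112233-07 64-bit'
SAMPLE_EEPROM_64='boot-file=kernel/sparcv9/unix'
SAMPLE_EEPROM_32='boot-file=kernel/unix'

# solaris_version prints the digit(s) after "5." in a "SunOS Release 5.x" or
# login-banner "SunOS 5.x" string (SunOS 5.8 -> 8, SunOS 5.9 -> 9).
# Prints nothing when no SunOS 5.x release is present.
solaris_version() {
    printf '%s\n' "$1" | sed -n 's/.*SunOS \(Release \)\{0,1\}5\.\([0-9][0-9]*\).*/\2/p'
}

# kernel_bits prints 64 or 32 from either a dmesg line ("... 64-bit") or an
# eeprom boot-file line (kernel/sparcv9/unix is the 64-bit kernel, kernel/unix
# the 32-bit one). Prints "unknown" when neither marker is present, which is
# what the eeprom "data not available" case yields.
kernel_bits() {
    case "$1" in
        *64-bit*|*sparcv9/unix*) echo 64 ;;
        *32-bit*|*kernel/unix*)  echo 32 ;;
        *)                       echo unknown ;;
    esac
}

# servlet_name <line with SunOS release> <line giving the kernel width>
# Prints ensolsparc<version> or ensolsparc<version>64. Returns 1 and prints
# nothing when the version or the kernel width could not be determined, so a
# caller never deploys a guessed servlet.
servlet_name() {
    ver=$(solaris_version "$1")
    bits=$(kernel_bits "$2")
    [ -n "$ver" ] || return 1
    case "$bits" in
        64) echo "ensolsparc${ver}64" ;;
        32) echo "ensolsparc${ver}" ;;
        *)  return 1 ;;
    esac
}

# Example: the 64-bit Solaris 9 host in SAMPLE_DMESG needs ensolsparc964
#   servlet_name "$SAMPLE_DMESG" "$SAMPLE_DMESG"
```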

Before Deploying Solaris Servlets


1. Before deploying Solaris servlets, check the following:
• Identify attributes of the target systems, such as DNS names, IP addresses, and the
operating systems.
• Make sure that the machine the servlet is deployed from has network connectivity to all
target systems.
• We recommend that you install an SSH client with file transfer capabilities.
• We recommend that you run SSHD on the target systems.
• Note that Solaris servlets only function on SPARC architecture. The servlet does not
function properly on Intel architecture.
2. You must also determine properties for the node on which you want to install the servlet.
• Solaris version
• Kernel version
3. Copy your servlet to the Solaris node using removable media, SSH and SCP, or Telnet and
FTP.
4. Install the tar package.
5. Determine how you want to deploy the Solaris servlet. There are several possible methods:
• Running the servlet as a process
• Deploying using xinetd
• Deploying using inittab
Verify the servlet is connected using one of the methods discussed in Verifying Servlet Deployment on
page 444.

Installing the Tar Package


You must be logged in as root to install the tar package.
1. Change the directory to the location of the servlet with the command:
   cd /var/spool/pkg
2. Extract the tar package with the command:
   tar xvf GSIservl.tar
3. Install the package with:
   pkgadd GSIservl

   Would you like to install the Encase Enterprise Edition Driver for
   Solaris [y, n, q]? (default is yes, q to quit)

4. Press y to install the Solaris driver.

   Would you like to install the Encase Enterprise Edition Servlet for
   Solaris [y, n, q]? (default is yes, q to quit)

5. Press y to install the Solaris servlet.

   Where would you like to install the Encase Enterprise Edition Servlet
   for Solaris [q, /usr/local]? (default is /usr/local, q to quit)

6. To accept the default location, press Enter, or enter an alternate destination and press Enter.

   This package contains scripts which will be executed with super-user
   permission during the process of installing this package.

   Do you want to continue with the installation of <GSIservl> [y,n,?]

7. Press y to continue with the installation.
8. At this point, you see the output of various sections of the install script. The installation
finishes with:
   Installation of <GSIservl> was successful.

Running a Solaris Servlet as a Process


When running the servlet as a process, the servlet will not run after the node machine has been
rebooted.
1. Copy the servlet to the node using removable media, SSH and SCP, or Telnet and FTP.
2. Insert the following before the STARTX command:
LOAD <servlet name>

Deploying a Solaris Servlet Using xinetd


There are several ways to deploy a Solaris servlet using xinetd. The directions here apply to a Red Hat
distribution.
1. Establish an SSH session by executing:
   ssh2 root@<node>
2. Verify that xinetd is running using the command:
   ps aux | grep xinetd | grep -v grep
If you receive similar output, xinetd is running and you can proceed:
   root 1270 0.0 0.1 2048 828 ? S Sep09 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
3. Create a configuration file named enlinuxpc in the /etc/xinetd.d directory.
4. Using a text editor such as vi, insert the following text into the file, then save and close it.

   service enlinuxpc
   {
       socket_type = stream
       protocol    = tcp
       port        = 4445
       type        = UNLISTED
       wait        = yes
       user        = root
       server      = /usr/local/encase/enlinuxpc
       server_args = -i -p /usr/local/encase
   }

5. Restart the xinetd service by issuing the following command:
   /etc/rc.d/init.d/xinetd restart
The output shown below indicates xinetd has restarted.
   Stopping xinetd: [ OK ]
   Starting xinetd: [ OK ]
After xinetd restarts, the servlet executes. For confirmation that the servlet is running, see Verifying
Servlet Deployment on page 444.

Deploying in Solaris Using inittab


Another way to deploy the Solaris servlet is to write a script and have it executed by inittab at the
desired run level. In Solaris, the desired run level is two.
1. Establish an SSH session by executing:
   ssh2 root@<node>
2. Create a script called <servlet name> in the /etc/init.d directory.
3. Using a text editor such as vi, insert the following text into the file and save it.

   #!/bin/sh
   # This script automatically starts and stops the ensolsparc864 servlet

   pid=`/usr/bin/ps -e | /usr/bin/grep <servlet name> | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`

   case "$1" in
   'start')
       <deploy path>/<servlet name> -d -p <deploy path>
       ;;
   'stop')
       if [ "${pid}" != "" ]
       then
           /usr/bin/kill ${pid}
       fi
       ;;
   *)
       echo "usage: /etc/init.d/<servlet name> {start|stop}"
       ;;
   esac

4. To set permissions properly, execute:
   chmod 744 /etc/init.d/<servlet name>
   chgrp sys /etc/init.d/<servlet name>
A symbolic link must be placed in the desired run level to call the script. The best run level to use in
Solaris is run level two. Set this as follows:
   cd /etc/rc2.d
   ln -s /etc/init.d/<servlet name> S96<servlet name>

For confirmation that the servlet is running, see Verifying Servlet Deployment on page 444.

Deploying AIX Servlets


The AIX servlet is similar to the Solaris servlet. There are 32 and 64-bit versions of the servlet along
with drivers that are unique to the version of AIX you are using. The typical servlet name is
enaix<version number> and enaix<version number>64. All AIX servlet files are incorporated into a
single package, called encase.servlet.rte.bff, which can be installed using the installp utility.
Before deploying AIX servlets, do the following:
1. Identify attributes of the target systems, such as DNS names, IP addresses and the operating
systems.
2. Make sure that the machine the servlet is deployed from has network connectivity to all target
systems.
3. An SSH client with file transfer capabilities is recommended.
4. We recommend running SSHD on the target systems.
5. Deploy the servlet to your AIX node using removable media, SSH and SCP, or Telnet and FTP.
6. Install the AIX servlet package:
• You must be logged in as root in order to install the package.
• Install the package with the command: installp -a -d /opt encase.servlet.rte
  Do not type the .bff file extension when entering this command.
• The installer determines the correct servlet to install and outputs information regarding the
install.
• The installation finishes with the following output:
  encase.servlet.rte 5.4.0.0 USR APPLY SUCCESS
Verify the servlet is connected using one of the methods discussed in Verifying Servlet Deployment on
page 444.

Deploying OS X Servlets
There are two OS X servlets. The servlet named enosx is for PPC Macs; the servlet named enosxintel is
for Intel-based Macs. Please use the appropriate servlet for the hardware you are using.
The following deployment scripts are provided as a suggestion only and should be modified to reflect
the actual servlet that you are using. You are welcome to modify the scripts or write your own to suit
your own environment and requirements.
Before deploying OS X servlets:
1. Identify attributes of the target systems, such as DNS names, IP addresses, and operating
systems.
2. Verify that the machine the servlet is deployed from has network connectivity to all target
systems.
3. Guidance Software recommends installing an SSH client with file transfer capabilities.
4. Guidance Software recommends running SSHD on the target systems.
Deploy an OS X servlet by copying it, using one of the methods documented in Copying *NIX Servlets
on page 412.
Determine how you want to deploy the servlet. Note that some install methods require certain
versions of OS X:
 See Running in OS X Using xinetd on page 424 (OS X 10.2-10.3)
 See Running in OS X using launchd on page 426 (OS X 10.4 or newer)
Verify the servlet is connected using one of the methods discussed in Verifying Servlet Deployment on
page 444.

Running in OS X Using xinetd


The following directions apply to deploying the OS X servlet to a 10.2 or 10.3 operating system. If you
have a 10.4 or newer system, Guidance Software recommends you use the launchd method.
The example below uses the PPC Mac servlet enosx. If you are using an Intel-based Mac, use
enosxintel instead of enosx.
1. Establish an SSH session with:
   ssh2 root@<node>
2. Verify xinetd is running using the following command:
   ps aux | grep xinetd | grep -v grep
If you receive similar output, xinetd is running and you can proceed:
   root 1270 0.0 0.1 2048 828 ? S Sep09 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
3. Create a configuration file called enosx in the /etc/xinetd.d directory.
4. Using a text editor such as vi, insert the following text into the file, then save and close it:

   # default: on
   # description: EnCase servlet for Mac OS X 10.2-10.3
   service enlinuxpc
   {
       disable     = no
       socket_type = stream
       protocol    = tcp
       port        = 4445
       type        = UNLISTED
       wait        = yes
       user        = root
       server      = /usr/local/encase/enosx
       server_args = -i -p /usr/local/encase
   }

5. Using a text editor such as vi, open the configuration file /etc/services.
6. Comment out the existing entries for the port you are using, one for UDP and one for TCP, as
shown here:
   # upnotifyp 4445/udp # UPNOTIFYP
   # upnotifyp 4445/tcp # UPNOTIFYP
7. Create new entries for the port you are using. Below are two examples:
   enosx 4445/udp # EnCase
   enosx 4445/tcp # EnCase
8. Save and close the /etc/services file.
9. Start the new service by issuing the following command:
   /sbin/services enosx start
The servlet starts.
For confirmation that the servlet is running, see Verifying Servlet Deployment on page 444.
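As an added example (not part of the guide), the following POSIX shell functions script the /etc/services edit from steps 6 and 7 above, which is the same kind of entry the Linux inetd section asks for: they list the active entries that already claim the servlet port, then rewrite a copy of the file with those entries commented out and tcp/udp entries for the servlet appended. The sample services content, the SERVLET_NAME and SERVLET_PORT variables and the function names are assumptions; run the rewrite on a copy and review the diff before replacing the real file.

```shell
#!/bin/sh
# Added example, not from the EnCase guide: find and retire /etc/services entries
# that collide with the servlet port, then register the servlet on that port.

SERVLET_PORT=4445     # port used throughout the guide
SERVLET_NAME=enosx    # assumption: use enlinuxpc etc. for other servlets

# Constructed sample of the relevant part of /etc/services (not a real file):
SAMPLE_SERVICES='# Network services, Internet style
ssh             22/tcp      # SSH Remote Login Protocol
upnotifyp       4445/udp    # UPNOTIFYP
upnotifyp       4445/tcp    # UPNOTIFYP
krb524          4444/tcp    # krb524
'

# port_conflicts <port>: reads a services file on stdin and prints every
# active (uncommented) line whose port field matches, whatever the protocol.
port_conflicts() {
    awk -v port="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }          # comments, blank lines
        { split($2, pp, "/"); if (pp[1] == port) print }'
}

# register_servlet_port <port> <name>: rewrites the services file from stdin.
#  - active lines on the port that belong to another service are commented
#    out with a marker, so the change is visible in a later review
#  - existing entries for the servlet itself are kept (idempotent)
#  - tcp and udp entries for the servlet are appended if missing
register_servlet_port() {
    awk -v port="$1" -v name="$2" '
        function active(line) { return line !~ /^[[:space:]]*#/ }
        active($0) && NF >= 2 {
            split($2, pp, "/")
            if (pp[1] == port) {
                if ($1 == name) { seen[pp[2]] = 1; print; next }
                print "# " $0 "   # disabled for EnCase servlet"
                next
            }
        }
        { print }
        END {
            if (!("tcp" in seen)) printf "%s\t%s/tcp\t# EnCase\n", name, port
            if (!("udp" in seen)) printf "%s\t%s/udp\t# EnCase\n", name, port
        }'
}

# Usage on a copy of the live file:
#   port_conflicts "$SERVLET_PORT" < /etc/services
#   register_servlet_port "$SERVLET_PORT" "$SERVLET_NAME" < /etc/services > /tmp/services.new
#   diff /etc/services /tmp/services.new
```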

Running in OS X Using launchd


The following directions apply to deploying the OS X servlet to a 10.4 or newer operating system. If
you have a 10.2 or 10.3 system, Guidance Software recommends you use the xinetd method.
The example below uses the PPC Mac servlet enosx. If you are using an Intel-based Mac, use
enosxintel instead of enosx.
1. Create a folder named EnCase in the /Library/StartupItems directory.
2. Give the EnCase folder the appropriate permissions by executing the command:
   chmod 755 /Library/StartupItems/EnCase
3. Create two files within the /Library/StartupItems/EnCase folder using the commands:
   touch /Library/StartupItems/EnCase/StartupParameters.plist
   touch /Library/StartupItems/EnCase/EnCase
4. Set the permissions of the EnCase file:
   chmod 755 /Library/StartupItems/EnCase/EnCase
5. Using a text editor such as vi, insert the following text into the EnCase file, then save and close it:

   #!/bin/sh

   . /etc/rc.common

   StartService ()
   {
       ConsoleMessage "Starting EnCase Servlet"
       /usr/local/encase/enosx -d -p /usr/local/encase
   }

   StopService ()
   {
       ConsoleMessage "Stopping EnCase Servlet"
       pid=`/bin/ps -ax | /usr/bin/grep enosx | /usr/bin/grep -v grep | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
       /bin/kill ${pid}
   }

   RestartService ()
   {
       ConsoleMessage "Restarting EnCase Servlet"
       pid=`/bin/ps -ax | /usr/bin/grep enosx | /usr/bin/grep -v grep | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
       /bin/kill ${pid}
       /usr/local/encase/enosx -d -p /usr/local/encase
   }

   RunService "$1"

6. Insert the following text into the StartupParameters.plist file:

   {
       Description     = "EnCase Forensic Servlet";
       Provides        = ("EnCase");
       OrderPreference = "Last";
       Messages =
       {
           start = "Starting EnCase Servlet";
           stop  = "Shutting down EnCase Servlet";
       };
   }

7. Restart the machine, or execute the script directly, passing the start, stop, or restart option.
For confirmation that the servlet is running, see Verifying Servlet Deployment on page 444.

HP-UX VxFS and Servlet Support


EnCase can snapshot, preview, and acquire a machine using a servlet that runs on the HP-UX system.
Included is the capability to parse the Veritas File System (VxFS) on HP-UX machines. All traditional
servlet capabilities, such as hashing and searching, are included as well.

Supported Hardware
HP 9000 server family with HP PA-8900 processors

Supported Operating Systems


 HP-UX 11.0
 HP-UX 11.1x
 HP-UX 11.2x

Additional Resources
 Installing HP-UX Applications (http://docs.hp.com/en/5990-8144/ch07s01.html#babjhibf)
 swinstall(1M) (http://docs.hp.com/en/B3921-60631/swinstall.1M.html)

Installing the HP-UX Servlet


The HP-UX servlet is installed by the HP installer using the GSIservl.depot file.
Note: You cannot install the HP-UX servlet if another servlet is running or present on the system. If you receive an
installation error, remove the existing servlet from the system before attempting to install again.
To install the HP-UX servlet:
1. Place the GSIservl.depot file in any directory on your HP-UX machine. This file is found in
the base EnCase installation directory.
2. At a command prompt, type: swinstall -s /<location>/GSIservl.depot
3. Press Enter. The swinstall usage and installation instructions display.
4. Press Enter. The installation screen displays and begins searching for installation files.
5. When it appears in the list, select GSIservl by highlighting the green box and pressing the
spacebar.
Note: Be sure to select the top-level file. If you accidentally drill down and select only part of the
package to install, the servlet will not work.
6. To mark the file for installation, navigate to the Actions menu and select Mark for Install.
a. Use Tab to move up to the menu bar.
b. Use the arrow keys to move back and forth.
c. Use the Enter key to pull down a menu or select a menu item.
d. Use the spacebar to select an item in the list.
Note: You cannot install a file without marking it for installation first. If you receive an error message,
go back and perform the steps to mark the file for installation.
7. Press Enter. The file now shows as Partial in the Marked? column.
8. To install the file, navigate to the Actions menu and select Install.
9. Press Enter. The installation analysis dialog displays.
10. When analysis is complete, click OK. The installation screen displays.
11. Click Done when installation is complete.
12. Navigate to the File menu and click Exit.

Running the HP-UX Servlet


Once you install the HP-UX servlet, you must run it. After the servlet is running, EnCase can connect
to HP-UX machines and perform its usual functions.
By default, the HP-UX servlet is placed in the /opt/encase directory.
To run the HP-UX servlet:
1. Change to the /opt/encase directory.
2. Type ./enhpux -d on the command line to start the servlet.
• -d starts the servlet as a daemon
• -h shows help and the other switches
Note: The servlet does not survive a reboot. After a system reboot you must restart it manually, unless a system
administrator installs a startup script that restarts the servlet when the system boots.
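The note above leaves the boot-time restart to the administrator. The following is an added example of such a script, written for this guide and not shipped with EnCase: an HP-UX style rc script that starts and stops the servlet and finds it in the process table by its full path, so that an unrelated process that merely mentions enhpux in its arguments is not mistaken for it. The script name, the rc link names and the idea of overriding SERVLET_DIR and SERVLET_BIN from the environment are assumptions; /opt/encase, enhpux and the -d switch are the values documented above.

```shell
#!/bin/sh
# /sbin/init.d/encase_servlet (assumed path). HP-UX rc scripts live in /sbin/init.d and
# are activated by links such as /sbin/rc2.d/S900encase_servlet and
# /sbin/rc1.d/K100encase_servlet (link names are assumptions).
# Added example, not part of the EnCase product.

SERVLET_DIR=${SERVLET_DIR:-/opt/encase}    # documented default install directory
SERVLET_BIN=${SERVLET_BIN:-enhpux}          # documented binary name
SERVLET_PATH="$SERVLET_DIR/$SERVLET_BIN"

# Print the PID of a running servlet, or nothing. Only a command-line field that is
# exactly the servlet's full path counts, so "vi /tmp/enhpux.notes" is not a match.
servlet_pid() {
    ps -ef | awk -v bin="$SERVLET_PATH" '
        { for (i = 3; i <= NF; i++) if ($i == bin) { print $2; exit } }'
}

start_servlet() {
    pid=$(servlet_pid)
    if [ -n "$pid" ]; then
        echo "EnCase servlet already running (pid $pid)"
        return 0
    fi
    [ -x "$SERVLET_PATH" ] || { echo "$SERVLET_PATH is not executable" >&2; return 1; }
    # -d makes the servlet detach as a daemon, as documented in the manual.
    cd "$SERVLET_DIR" && "./$SERVLET_BIN" -d
}

stop_servlet() {
    pid=$(servlet_pid)
    [ -n "$pid" ] || { echo "EnCase servlet not running"; return 0; }
    kill "$pid"
}

# HP-UX rc calls the script with start_msg/stop_msg for the boot banner, then start/stop.
# With no argument (for example when sourced) only the functions are defined.
case "${1:-}" in
    start_msg) echo "Starting EnCase servlet" ;;
    stop_msg)  echo "Stopping EnCase servlet" ;;
    start)     start_servlet ;;
    stop)      stop_servlet ;;
    "")        ;;
    *)         echo "usage: $0 {start|stop|start_msg|stop_msg}" >&2; exit 1 ;;
esac
```

Matching on the full path rather than on the name is what makes `stop` safe to run unattended; the `start` branch refuses to start a second copy, which matters because the servlet binds a fixed port and a second instance would simply fail.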

Deploying NetWare Servlets


Deploying NetWare servlets is similar to the process for Linux systems. The NetWare servlet is named
ennovell.nlm.
Before deploying NetWare servlets, check the following:
1. Identify attributes of the target systems, such as DNS names, IP addresses and the operating
systems.
2. Make sure that the machine the servlet is deployed from has network connectivity to all target
systems.
3. We recommend installing an SSH client with file transfer capabilities.
4. We recommend running SSHD on the target systems, so that the servlet can be copied over an
encrypted channel rather than with Telnet and FTP.
Copy the servlet to the machine using one of the methods in Copying *NIX Servlets on page 412.
Deploy the servlets using one of the following methods:
• See Running a NetWare Servlet as a Process on page 433
• See Running a Servlet as a NetWare Service on page 433

Running a NetWare Servlet as a Process


When running the servlet as a process, the module is loaded once and will not be running again after the node
has been rebooted.
1. Copy the servlet to the node using removable media, SSH and SCP, or Telnet and FTP, placing it in
SYS:\SYSTEM (the location it is deleted from in Removing the NetWare Servlet).
2. At the server console, load the module:
LOAD <servlet name>

Running a Servlet as a NetWare Service


To run the servlet as a service, so that it is loaded every time the server starts:
1. From the console, type nwconfig to enter the NetWare configuration utility.
2. Select NCF File Options.
3. Select Edit autoexec.ncf file.
4. Scroll to the end of the file.
5. Insert the following line before the STARTX command:
LOAD <servlet name>

6. Press F10 to save and select Yes in the subsequent dialog.

7. Select Return to the previous menu.
8. Select Exit and select Yes in the subsequent dialog.
9. Reboot the NetWare machine to load the servlet.

McAfee ePolicy Orchestrator (ePO) Integration


McAfee ePolicy Orchestrator administrators can use ePO to deploy EnCase servlets to ePO-managed
nodes. Once installed, the EnCase servlet communicates the following information to the ePO agent:
• Installation status
• Language of the machine
• Version of the EnCase servlet ePO plugin
• Whether the servlet is running
• Directory where the servlet is installed
• Version of the installed servlet

Note: EnCase supports ePO 4.5 Server and McAfee Agent 4.5.

Checking In the ePO Servlet Package


The EnCase SAFE installer creates a folder named ePO in the root of the EnCase SAFE folder. Within
this ePO folder, the installer places two files: S_EESERV6003.zip and
GuidanceServletExtension.zip. Make a note of these locations before
checking in the servlet package.
To check in the servlet package:
1. Log on to McAfee ePO as administrator.
2. Select the Software tab.
3. Choose the Master Repository tab. The Packages in Master Repository table displays.

4. Click the Check In Package button. The Check In Package dialog displays.

5. Select Product or Update (.ZIP).


6. Browse to the location of the S_EESERV6003.zip file and click Next. The Package Options
tab displays the package information.

7. Click Save to finish placing the package in ePO.



Installing the Optional Guidance Software Servlet Extension


Instead of displaying S_EESERV6003 in the McAfee Machine Info tab, you have the option of
installing a Guidance Software extension package.
1. On the ePO Home page, click the Configuration icon, then click the Extensions tab.
2. In the lower left corner of the screen, click Install Extension.

3. The Install Extension window opens.



4. Click Browse and navigate to the GuidanceServletExtension.zip file. This file is placed by
the SAFE installation process in the EnCase SAFE\ePO folder.

5. Click Open. The Install Extension window displays details about the extension package.

6. Click OK. The Configuration window shows the Guidance extension is installed.

Deploying the ePO Servlet


Follow these steps to deploy the ePO servlet:
1. On the ePO Home page, click the Systems icon. The System Tree tab displays.

2. In the left pane, select the location for deploying the servlet.
3. In the right pane, click Client Tasks.

4. Click New Task at the bottom of the page. The Description tab of the Client Task Builder
displays.

5. Enter information in the appropriate fields.


• Name: Name of task
• Notes: Optional
• Type: Product Deployment (McAfee Agent)
6. Click Next. The Configuration tab of the Client Task Builder displays.

7. In Target platforms, select Windows.


8. In Products and components select:
• Product dropdown menu: EncaseServlet <version>
• Action: Install
• Language: Language Neutral

9. In the command line text box, provide the arguments that the agent passes when it copies and runs setup.exe:
• -f "<UNC path to the servlet setup.exe file>" The path must be reachable from the target via a
network share. Guidance Software recommends you create a \\share visible to the network
targets (nodes) to hold the servlet. Copy the current setup.exe from the root directory of
the SAFE to this share, and specify the share path in the command-line switches when you check in
the agent.
When you update the SAFE, be sure to copy the new servlet to the \\share.
Alternatively, you can create a directory or use the ePO folder for this share.
Because every node executes whatever setup.exe it finds on this share, give nodes read-only access
and restrict write access to the administrators who maintain the SAFE.
• -u <username>
• -d <domain>
• -t <password>
The credentials given with -u, -d and -t are stored as part of the client task, so use a dedicated
account with only the rights the installation needs, and treat the task definition as sensitive.
• -o <setup options>
− -o setup options must be in quotes to be passed to the servlet setup program.
• -v <servlet version>
− Use the -v servlet version option to notify already installed servlets that an update
is needed.

10. Click Next. The Schedule tab of the Client Task Builder displays.

11. Select the time for the installation, then click Next. The Summary tab of the Client Task
Builder displays.

12. Verify that the information on the Summary tab is correct, then click Save.
Note: Any authentication errors are shown in the log file C:\Windows\Temp\ServletSetupError.Log on the
agent machine.
CHAPTER 21

Verifying Servlet Deployment
In This Chapter
• Verifying Servlet Deployment
• Verifying Servlet Deployment with Net Start Command
• Verifying Servlet Deployment with Netstat Command
• Verifying Servlet Deployment Using Telnet
• Verifying AIX Servlet Deployment


Verifying Servlet Deployment


After pushing servlets to the machines, check that the servlet is running and communicating with the
SAFE and Examiner. You can use the following methods to verify the servlet is running properly:
• Checking with the Net Start Command on page 444
• Checking with Netstat Command on page 444
• Checking using Telnet on page 445
• Checking AIX Servlets on page 446
You can also verify servlet deployment using Sweep Enterprise.

Verifying Servlet Deployment with Net Start Command


To use this method, you must have command line access to the node you want to examine.
1. Open a command shell on the target machine.
2. At the command prompt, type NET START and press Enter. The started services are listed; you will see output similar to
this example.

If you do not see the default service name enstart or enstart64 in the list, confirm that you did
not rename the service when you deployed it, or try reinstalling the servlet on the node.

Verifying Servlet Deployment with Netstat Command


To use this method, you must have command-line access to your client and SAFE.
1. Open a command shell on the client machine.
2. At the Windows command prompt, type NETSTAT -NA | findstr 4445 and
press Enter. You will see output similar to this example.

3. Confirm the machine is listening on the port number for which your SAFE is configured. The
default port number is 4445 as shown in the picture above. Because findstr matches the digits anywhere
on the line (port 14445, or an established connection whose remote port is 4445, would also be shown),
check that the Local Address column ends in :4445 and that the State column reads LISTENING.
Repeat steps 1-3 on your SAFE to ensure it is also listening on the same port.

Verifying Servlet Deployment Using Telnet


This test requires command shell access from both the SAFE and client machines. The Telnet client
may need to be turned on within Windows, as this feature is off by default.
1. On your client machine, open a command shell. At the command prompt, type TELNET <IP> <port> and press Enter.
• The IP can be an IP address, host name, or DNS name of the SAFE.
• The port number is the port number that the SAFE is listening on, typically 4445.
• If you see an error message such as the one shown here, then you know that the SAFE is
not listening on that port, or that a firewall between the two hosts is blocking it.

A successful telnet connection to the SAFE or servlet results in a momentary pause with no
feedback in the telnet window. Press Enter a few times and you should get output similar to
this:

2. Repeat the previous step from your SAFE machine, using the client's address and the servlet port. This
confirms that your SAFE can reach the servlet on the client. A successful connection only proves that the
TCP port is reachable; it does not show that the SAFE and servlet accept each other. For that, connect from
EnCase itself, for example with Sweep Enterprise as noted above.
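The netstat and telnet checks above are done by hand, one machine at a time. As an added example (not part of EnCase and not one of this guide's own procedures), the script below performs the same two checks from a POSIX shell: it parses netstat -an output so that only a LISTEN entry on the exact servlet port counts, avoiding the substring problem described under the netstat check, and it probes a list of nodes the way the telnet test does. The node-list format, the function names and the use of nc for the connection test are assumptions; 4445 is the documented default port.

```shell
#!/bin/sh
# Added example, not part of EnCase: scripted versions of the netstat and telnet checks.

# port_listening <port>: read netstat -an output on stdin and succeed only if some line is
# in LISTEN/LISTENING state with a local address ending in :<port> (or .<port> on OS X).
# A whole-line match such as "findstr 4445" also hits port 14445 and established
# connections whose remote port is 4445; this test does not.
port_listening() {
    awk -v port="$1" '
        toupper($0) ~ /LISTEN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ ("[:.]" port "$")) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# local_listening [port]: run the check on this machine (examiner, SAFE or node).
local_listening() {
    netstat -an 2>/dev/null | port_listening "${1:-4445}"
}

# node_reachable <host> [port]: the telnet test without a terminal, using nc if present.
# Success proves only that the TCP port is open; EnCase still has to authenticate.
node_reachable() {
    host=$1; port=${2:-4445}
    command -v nc >/dev/null 2>&1 || { echo "nc not installed; cannot test $host" >&2; return 2; }
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1
}

# verify_nodes <file> [port]: one host per line; blank lines and # comments are ignored
# (assumed format). Prints one result per node and fails if any node is unreachable.
verify_nodes() {
    port=${2:-4445}; failed=0
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        if node_reachable "$host" "$port"; then
            echo "$host: servlet port $port open"
        else
            echo "$host: servlet port $port NOT reachable"; failed=$((failed + 1))
        fi
    done < "$1"
    [ "$failed" -eq 0 ]
}
```

Run `local_listening` on the SAFE and on a node to replace the netstat step, and `verify_nodes nodes.txt` from the SAFE to replace the per-node telnet step; a non-zero exit from `verify_nodes` is the signal to look at firewalls or at the deployment of the nodes it names.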

Verifying AIX Servlet Deployment


You do not need to be root to query installed filesets with lslpp; root is required only for the installp
operations referred to below.
To check the AIX servlet, do the following.
1. Execute the following command:
lslpp -l | grep encase

The output is of the form <package name> <version> <status> <comment>, for
example:

encase.servlet.rte 5.4.0.0 COMMITTED encase AIX servlet

2. Compare the status output to the information below to determine whether the servlet is installed as
desired. lslpp reports installation state only; to confirm that the servlet is actually running and listening,
use the netstat check described above.
• APPLIED: The specified fileset is installed on the system. The APPLIED state means that
the fileset can be rejected with the installp command and the previous level of the fileset
restored. This state is only valid for Version 4 fileset updates and 3.2 migrated filesets.
• APPLYING: An attempt was made to apply the specified fileset, but it did not complete
successfully, and cleanup was not performed.
• BROKEN: The specified fileset or fileset update is broken and should be reinstalled before
being used.
• COMMITTED: The specified fileset is installed on the system. This means that a
commitment has been made to this level of the software. A committed fileset update
cannot be rejected, but a committed fileset base level and its updates (regardless of state)
can be removed or deinstalled by the installp command.
• COMMITTING: An attempt was made to commit the specified fileset, but it did not
complete successfully, and cleanup was not performed.
• REJECTING: An attempt was made to reject the specified fileset, but it did not complete
successfully, and cleanup was not performed.
CHAPTER 22

Stopping and Removing Enterprise Servlets
In This Chapter
• Stopping and Removing Servlets
• Stopping a Servlet Using PsTools
• Removing Check In Functionality
• Removing the Servlet in Windows
• Removing the Servlet from Linux or OS X
• Removing the Solaris Package
• Removing the AIX Package
• Removing the NetWare Servlet
• Stopping the SAFE


Stopping and Removing Servlets


In some circumstances you may want to stop or remove a servlet from a node. There are several ways
to do this, depending on the operating system of the node.

Stopping a Servlet Using PsTools


To stop the servlet on a node machine using PsKill (from the Sysinternals PsTools suite), do the following. PsKill
needs administrative rights on the node, and it terminates the process rather than stopping it cleanly; where you
have a shell on the node, net stop <servlet name> (see Removing the Servlet in Windows) is preferable.
1. Open a command shell on the examiner computer.
2. Execute the following:
pskill \\<node name> <servlet name>

with the following parameters:

Parameter       Description
<node name>     The name of the node machine
<servlet name>  The name of the servlet process: enstart.exe when the servlet is installed as a service
                (the name listed by NET START), or setup.exe when it is run directly as a process.

Removing Check In Functionality


The method used to remove the check in functionality depends upon the operating system of the node.

To remove the Check In servlet from a Windows computer:

You must have command line access on the machine and you must have a copy of the servlet to
redeploy, because on Windows the check in settings are removed together with the servlet.
To remove the check in functionality on a Windows machine:
• Open the command prompt on the machine and remove the servlet using the command:
setup -r
Then redeploy the servlet without the check in settings.

To remove the Check In servlet from a Linux computer:

Removing the check in functionality from Linux-based machines differs from that of Windows machines,
because Linux machines do not have a registry. Removing the functionality does not require removing
and reinstalling the servlet.
• From a command shell on the node (over SSH, or Telnet if that is all that is available), delete the hidden
check in configuration file .<servlet name> using the command:
rm .<servlet name>

After the check in configuration file is deleted, the servlet resumes typical operation.

Removing the Servlet in Windows


There are two ways to remove the servlet from a Windows machine:
• An automated procedure using a CD at each node
• A manual procedure you run from a command prompt at each node

To remove the servlet using an automated procedure:


For automated servlet removal, you need the following:
• Access to each node machine
• Each machine must have a removable media device, such as a floppy drive or CD-ROM drive
• The Setup.exe file from your SAFE
1. Copy setup.exe from your SAFE to the removable media. Setup.exe is typically located at
C:\Program Files\EnCase SAFE.
2. Insert the media into the machine node from which to remove the servlet. Open a command
window on the machine.
3. Execute the following command:
setup.exe -r

No output is returned. This stops the enstart service, deletes enstart.exe and enstart_.sys
(regardless of what they were named during the installation), and removes registry entries relating to
the servlet.

To remove the servlet manually


To manually remove a servlet from a machine, you must have access to the node.
1. Open a command window from the node machine.
2. Execute the command:
net stop <servlet name>

3. Delete <servlet name>.exe and <servlet name>_.sys. The files are located in the
following directory, which varies by operating system:

Operating System        Location
XP / 2003               C:\Windows\System32
NT 4.0 / Windows 2000   C:\WINNT\System32



4. Remove the following registry keys, using regedit.exe on Windows XP/2003 machines or
regedt32.exe on all other machines:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ENSTART
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\enstart
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ENSTART
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\enstart
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ENSTART

Also remove the value referring to C:\WINDOWS\System32\enstart.exe from the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup key.

Note: In order to delete the LEGACY_ENSTART keys, you must first change their permissions to Full Control
for Everyone using the appropriate registry editor listed above.
Not all of the above listed keys may exist on all machines.
5. Using the appropriate registry editor for your machine, search for and delete any remaining
values and keys that have enstart in the name.

Removing the Servlet from Linux or OS X


Unlike Windows, Linux does not provide an automatic method of removing the servlet. Follow these
procedures to manually remove the servlet:

Determine how the servlet is installed:

This procedure uses default paths and servlet names. If you changed the servlet name, port, or location
of the servlet, make the appropriate changes when following these steps.
In order to perform these commands you must be logged in as root or use su.
1. Ensure that the servlet is not currently being accessed by EnCase Examiner.
2. Determine whether anything is listening on the servlet port by executing the following command:
netstat -an | grep 4445

If your results appear similar to the output below, a servlet is listening, either as a standalone process
or through inetd or xinetd, which hold the listening socket on the servlet's behalf. The next steps tell
the two cases apart.

tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN

3. Determine the servlet's process ID (PID) by executing the following command:

ps aux | grep <servlet name> | grep -v grep

If the results appear similar to the output below, the servlet is running as a process.

root 2360 0.0 0.1 1400 552 ? S Jun17 0:07 /usr/local/encase/enlinuxpc -d -p /usr/local/encase

Note: 2360 is the PID on the machine used in this example. The PID on your machine will differ.

4. If the above command returns nothing, then the servlet is probably running
using inetd or xinetd. Determine if the servlet is running using xinetd by looking in the
/etc/xinetd.d directory for a configuration file typically named enlinuxpc for Linux or
enosx for OS X. If you find the file, then the servlet is running using xinetd.
5. If you are using Linux, determine if the servlet is running using inetd by viewing the contents
of the /etc/inetd.conf file. If you find an uncommented line referring to the servlet (as
shown below), then the servlet is running using inetd. A line that begins with # is disabled and
does not count.
enlinuxpc stream tcp6 wait root /usr/local/encase/enlinuxpc enlinuxpc -i -p /usr/local/encase

6. If you are using OS X 10.4 or newer, determine if the servlet is being launched during startup
by looking for a folder called EnCase in the /Library/StartupItems folder.

If the servlet is running as a process, stop the process


If the servlet is running as a process, you must kill the process.
1. In order to kill the process, you must be logged on as root.
2. Kill the process for the servlet using the command below. The Process ID (PID) is the PID for
your servlet, as determined above. Send the default TERM signal first, so the servlet can close its
connections; only if the process is still present after a few seconds fall back to kill -9 <PID number>.
kill <PID number>

If the servlet is running as a service, stop the service

If the servlet is started by xinetd or inetd, the listening socket belongs to xinetd or inetd, so you must
disable the servlet's entry and make that daemon reload its configuration; there is no separate service to stop.
1. In order to do this, you must be logged on as root.
2. For xinetd, delete the servlet's file from /etc/xinetd.d (or set disable = yes in it) and restart xinetd,
for example with /etc/init.d/xinetd restart (or service xinetd restart on Red Hat based systems).
For inetd, comment out the servlet's line in /etc/inetd.conf and make inetd reread the file with
kill -HUP <inetd PID>. Confirm with netstat -an | grep 4445 that the port is no longer listed.

Delete the Servlet and Configuration Files


In order to delete the servlet you must log in as root.
1. Delete the servlet directory by executing the following command: rm -r /usr/local/encase
2. If the servlet was running using xinetd, delete the configuration file by executing:
rm /etc/xinetd.d/<servlet name>

3. If you have OS X 10.4 or newer and the servlet is started at boot from /Library/StartupItems, remove the
directory that contains the startup files by executing:
rm -r /Library/StartupItems/EnCase
4. If the servlet was running using inetd, open /etc/inetd.conf using a text editor such as vi,
locate and delete (or comment out) the entries referring to your servlet, then save and close the
configuration file. An OS X entry looks like this:
enosx stream tcp6 wait root /usr/local/encase/enosx enosx -i -p /usr/local/encase

If the servlet was running using inetd or xinetd, open the /etc/services file and comment out or
delete the line referring to your servlet, then save and close the file. Reload inetd or restart xinetd as
described above so that the port is actually closed.
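The removal steps above are easy to leave half done: the port stays open because xinetd was never restarted, or a commented-out inetd line is mistaken for a live one. The script below is an added example, written for this guide and not part of the EnCase servlet, that automates the same procedure: it detects which of the four mechanisms are in use, disables each, reloads the daemon that owned the port, and only then deletes the files. ROOT (a path prefix so the script can be pointed at a copy of the filesystem or a test tree), the function names and the use of pgrep/pkill are assumptions; the paths and file names are the manual's defaults.

```shell
#!/bin/sh
# Added example, not part of the EnCase product: scripted Linux/OS X servlet removal.

ROOT=${ROOT:-}                        # path prefix; empty on a live system (assumption)
SERVLET=${SERVLET:-enlinuxpc}         # enlinuxpc on Linux, enosx on OS X
ENCASE_DIR=${ENCASE_DIR:-/usr/local/encase}

# Print the mechanisms found, one per line: process, xinetd, inetd, startupitems.
detect_servlet() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -x "$SERVLET" >/dev/null 2>&1; then
        echo process
    fi
    [ -f "$ROOT/etc/xinetd.d/$SERVLET" ] && echo xinetd
    # Only an uncommented inetd.conf line counts; a line starting with # is already disabled.
    if [ -f "$ROOT/etc/inetd.conf" ] && \
       grep -v '^[[:space:]]*#' "$ROOT/etc/inetd.conf" | grep -q "$ENCASE_DIR/$SERVLET"; then
        echo inetd
    fi
    [ -d "$ROOT/Library/StartupItems/EnCase" ] && echo startupitems
    return 0
}

# Disable one mechanism and reload whatever daemon held the listening socket.
disable_mechanism() {
    case $1 in
        process)
            pkill -TERM -x "$SERVLET" || true; sleep 2          # TERM first, KILL only if needed
            if pgrep -x "$SERVLET" >/dev/null 2>&1; then pkill -KILL -x "$SERVLET" || true; fi
            echo "stopped $SERVLET process" ;;
        xinetd)
            rm -f "$ROOT/etc/xinetd.d/$SERVLET"
            if [ -z "$ROOT" ]; then
                /etc/init.d/xinetd restart >/dev/null 2>&1 || service xinetd restart >/dev/null 2>&1 \
                    || echo "restart xinetd by hand to close the port" >&2
            fi
            echo "removed xinetd entry for $SERVLET" ;;
        inetd)
            # Comment the line out (reversible) rather than deleting it; touch only live lines.
            pat=$(printf '%s/%s' "$ENCASE_DIR" "$SERVLET" | sed 's,/,\\/,g')
            sed -i.bak "/^[^#]*$pat/s/^/#/" "$ROOT/etc/inetd.conf"
            if [ -z "$ROOT" ]; then pkill -HUP -x inetd || true; fi
            echo "commented $SERVLET out of inetd.conf" ;;
        startupitems)
            rm -rf "$ROOT/Library/StartupItems/EnCase"
            echo "removed StartupItems/EnCase" ;;
    esac
    return 0
}

# Full removal in the manual's order: close the listeners first, then delete the files.
remove_servlet() {
    for m in $(detect_servlet); do disable_mechanism "$m"; done
    if [ -d "$ROOT$ENCASE_DIR" ]; then rm -rf "$ROOT$ENCASE_DIR"; echo "removed $ENCASE_DIR"; fi
    if [ -f "$ROOT/etc/services" ] && grep -q "^$SERVLET[[:space:]]" "$ROOT/etc/services"; then
        sed -i.bak "/^$SERVLET[[:space:]]/s/^/#/" "$ROOT/etc/services"
        echo "commented $SERVLET out of /etc/services"
    fi
    return 0
}
```

Running `detect_servlet` alone is a safe dry run that tells you what `remove_servlet` would act on; on OS X set `SERVLET=enosx` first, and after removal on a live system repeat `netstat -an | grep 4445` to confirm the port is gone.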

Removing the Solaris Package


You must be logged in as root to remove the Solaris package.
1. Stop the servlet process with the command:
pkill ensolspar

2. Remove the package with the command:
pkgrm GSIservl

3. Remove the directory containing the servlet using the following command:
rm -r /usr/local/encase

Removing the AIX Package


You must be logged in as root to remove the AIX servlet package.
1. Remove the AIX servlet package with the command:
installp -u encase.servlet.rte

Note: Do not type the bff file extension when entering the command.

The installer determines the correct servlet to remove and outputs information regarding the
removal.

The removal process finishes with the message:

encase.servlet.rte 5.4.0.0 USR DEINSTALL SUCCESS

2. Remove the EnCase directory and any remnants with the following command:
rm -r /usr/local/encase

Removing the NetWare Servlet


To remove and unload the servlet:
1. Start the NetWare Remote Manager.
2. Log on as required.
3. Click List Modules in the left pane.
4. Click ennovell.nlm.
5. Click Unload.
6. Click Yes to confirm you want to unload the servlet. The servlet unloads.
7. Browse to the Sys:\System location and delete ennovell.nlm.
8. If you have the servlet configured to run as a service, remove the entry load ennovell.nlm
from your autoexec.ncf file. For information on editing this file, see Running a Servlet as a
NetWare Service on page 433.

Stopping the SAFE


To stop a SAFE do the following:
1. Open a command shell on your SAFE machine.
2. Enter the command net stop safe and press Enter.

If you need to manually start the SAFE again, use the command net start safe and press Enter.
Support
Guidance Software develops solutions that search, identify, recover, and deliver digital information in
a forensically sound and cost effective manner. Since our founding in 1997, we have moved into
network enabled investigations and enterprise wide integration with other security technologies.
This section provides information on our support for you through:
• Technical Support
• Support Portal
• Professional Services
• Training

Technical Support
Guidance Software offers several support options, including:
• Live Chat
• Support Request Form
• Email
• Telephone

Live Chat
From the Guidance Software Support Portal, described below, you can chat live with a Technical
Services engineer. From the Support Portal main page, select Live Chat to connect directly to an
engineer.

Technical Support Request Form


Please use the Online Request Form to request assistance from a Technical Services engineer. To access
the form, click Request Form (https://support.guidancesoftware.com/node/381). Note that all fields are
mandatory, and filling them out completely reduces the amount of time it takes to resolve an issue.

Email
Although technical support is available by email, you will receive faster service using the online
Technical Support Request Form (https://support.guidancesoftware.com/node/381). To request
assistance by email, email technicalsupport@guidancesoftware.com. Please include as much detail as
possible about the issue, and the best way to contact you.

Telephone
Telephone technical support is provided 24 hours a day, excluding weekends and holidays, through
the regional support numbers listed below. All technical support inquiries are automatically routed to
the open US or UK office, depending on the time of day.

US Office hours: Monday–Thursday 5 AM – 10 PM Pacific time, Friday 5 AM – 7 PM Pacific time


Tel: (626) 229-9191, Option 4
Fax: (626) 229-9199

215 North Marengo Avenue, Suite 250


Pasadena, CA 91101
UK Office hours: Monday–Friday 6 AM – 4 PM UK time
Ph: +44 (0) 175-355-2252, Option 4
Fax: +44 (0) 175-355-2232

Thames Central, 5th Floor


Hatfield Road
Slough, Berkshire UK SL1 1QE

For your convenience, the following numbers connect to our English-language support:

• Germany: 0-800-181-4625
• China: 10-800-130-0976
• Australia: 1-800-750-639
• Hong Kong: 800-96-4635
• New Zealand: 0-800-45-0523
• Japan: 00-531-13-0890

Support Portal
Guidance Software offers a Support Portal to our registered users, providing technical forums, a
knowledge base, a bug tracking database, and a Support request form. The Portal gives you access to
all support-related issues in one site. This includes:
• Live Chat
• Knowledge Base
• Bug Tracker
• Technical Services Request form
• Download Center

If you do not have access to the Support Portal, please use the Support Portal registration form
(https://support.guidancesoftware.com/forum/register.php?do=signup).

Registration
Registration requires you to choose a unique username and password. Please provide all requested
information, including dongle ID, phone, email address, organization, etc. This helps us identify you
as a registered owner of EnCase. You will receive an email momentarily asking you to confirm your
email address. Once you have verified your email address, you will be added to the Registration List.
Please allow 24 business hours for your account to be approved.
Once your registration is approved, you can access the Support Portal at
https://support.guidancesoftware.com/. The Support Portal provides a tutorial that briefly overviews
the site.

User, Product, and Foreign Language Forums


The Guidance Software forums are resources for the computer forensics community to exchange ideas,
ask questions, and give answers. The forums are an invaluable resource for the forensic investigator.
To access the forums, click the Forum Tab (https://support.guidancesoftware.com/forum/) in the
Support Portal.

The forums allow registered users to post questions, exchange information, and hold discussions with
Guidance Software and thousands of experienced and skilled users in the EnCase community.
Different discussion groups are available as follows:
EnCase product groups:
 EnCase User’s Group
 EnCase Enterprise
 EnCase eDiscovery
 EnScript Development

Customer supported Foreign Language Groups


 French
 Arabic
 German
 Spanish
 Japanese
 Chinese
 Korean

Posting to a Forum
To create a new post, click the New Thread icon.
Click the Post Reply icon to reply to a post, or use the Quick Reply icon at the bottom of each post.

Searching
The forums contain an accumulation of over ten years of information. Use the Search button to search
for keywords, or click Advanced Search for more specific search options.

Bug Tracker
Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement
requests. It is broken down by product, showing the current number of bugs/enhancements and public
bugs for each product. To access the Bug Tracker, click Bug Tracker
(https://support.guidancesoftware.com/forum/project.php) in the Support Portal.

Knowledge Base
The Knowledge Base covers a variety of niche information on various topics. You can also submit
your own articles to help other EnCase users.

To access the Knowledge Base, click Knowledge Base


(https://support.guidancesoftware.com/directory).

From here, you can browse, search, and write Knowledge Base articles.

MyAccount
Register your product with Guidance Software to receive updates. Registration is located at
https://www.guidancesoftware.com/myaccount/registration.aspx
If you have any trouble registering your product, contact Customer Service. If you have any trouble
downloading the updates once registered, contact Technical Support.
Index
A
Accessing the Local Disk in Windows Explorer • 381
Accessing the Share • 367
Acquiring a Disk Running in Direct ATA Mode • 59, 276
Acquiring a Drive from a Network Preview • 57
Acquiring a DriveSpace Volume • 64
Acquiring a Local Drive • 57
Acquiring Apple iOS Devices • 240
Acquiring Apple iTunes Backup Files • 247
Acquiring BlackBerry Desktop Manager Backup Files • 247
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) • 57, 275
Acquiring Devices and Evidence • 45
Acquiring Disk Configurations • 60
Acquiring Google Android Devices • 240
Acquiring in Windows using FastBloc SE • 59
Acquiring in Windows without a Tableau or FastBloc Write Blocker • 59
Acquiring Mass Storage Devices • 246
Acquiring Nokia Symbian S60 Devices • 241
Acquiring Non-local Drives • 57
Acquiring Other Types of Supported Evidence Files • 64
Acquiring Palm OS Devices • 244
Acquiring RIM BlackBerry Devices • 240
Acquiring SIM Cards • 244
Acquiring Smartphone Devices • 238
Acquiring Windows Mobile 6.x Devices • 241
Acquiring with the Evidence Processor • 48
Adding a Constraint to Analysis Data • 152
Adding a New Keyword • 84
Adding an External File Viewer • 105
Adding and Deleting Nodes in the Target List • 139
Adding and Modifying File Signature Associations • 175
Adding Custom Notes to the Smartphone Report • 252
Adding Evidence to a Case • 39
Adding Hash Libraries to a Case • 192
Adding Hash Values to a Hash Set • 190
Adding Raw Image Files • 66
Analysis Browser Tab • 147
Analyze EFS • 289
Analyzing and Reporting on Acquired Data • 248
Analyzing and Tagging a Review Package • 183
Analyzing File Signatures • 79
Analyzing Hashes • 80
Analyzing Individual Search Results • 173
Analyzing Protected Files • 79
Application Folder • 29
Arrow Drop Down Pane Arrow Menu • 112
Assigning a Unicode Font • 258
Associate Selected • 296
Associating File Types with a File Viewer • 107
Available Smartphone Data • 249

B
BitLocker Encryption Support (Volume Encryption) • 313
Body Text Tab • 228
Bookmark Template Folders • 204
Bookmarking Data for Reports • 216
Bookmarking Items • 195
Bookmarking Pictures in Gallery View • 203
Boot Evidence Files and Live Systems with VMware • 384
Booting the Virtual Machine • 387
Browsing and Viewing Evidence • 93
Browsing Images • 127
Browsing Through Evidence • 125
Bug Tracker • 458

C
Canceling an Acquisition • 54
Case Analyzer • 158
Case Backup • 31
Case Folder • 31
Case Operations • 41
Case Portability • 43
CD-DVD Inspector File Support • 64
Challenge-Response Authentication • 311
Changing Categories and Tags for Multiple Hash Sets • 192
Changing Evidence Cache Location • 118
Changing Text Color • 113
Changing Text Styles • 105
Changing the Default Code Page • 257
Changing the Evidence Path if the Evidence File is Moved • 42
Changing the Mount Point • 366
Changing the Tag Order • 213
Check for Evidence when Loading a Case • 126
Check Point Full Disk Encryption Support (Volume Encryption) • 308
Checking In the ePO Servlet Package • 434
Closing and Changing the Emulated Disk • 383
Closing the Connection • 374
Color Options • 24
Combining Search Criteria from Multiple Tabs • 172
Compound Files • 359
Conditions • 122
Configuration Options • 20
Configuring EnCase to Display Non-English Characters • 256
Configuring Paper Layout • 220
Configuring the Keyboard for a Specific Non-English Language • 259
Configuring the PDE Client • 380
Configuring the Server • 372
Configuring Time Zone Settings • 28
Configuring Windows for Non-English Language • 259
Configuring Your Linux Distribution • 262
Connecting the Clients • 374
Copying *NIX Servlets • 412
Copying *NIX Servlets Using Removable Media • 413
Copying *NIX Servlets Using SSH and SCP • 413
Copying *NIX Servlets Using Telnet and FTP • 414
Copying the Servlet Using XCOPY • 410
Creating a Filter • 120
Creating a Hash Library • 189
Creating a Hash Set • 189
Creating a LinEn Boot Disk • 262
Creating a New Condition • 123
Creating a New Keyword List • 85
Creating a Review Package • 182
Creating a Smartphone Report • 250
Creating a Text File of Nodes • 406
Creating an Index • 85
Creating Custom File Types • 128
Creating IPC$ Connections • 408
Creating New Bookmark Folders • 205
Creating Tags • 210
Creating Thumbnails • 88
CREDANT Encryption Support (File-Based Encryption) • 330
CREDANT Encryption Support (Offline Scenario) • 334
CREDANT Files and Logical Evidence (L01) Files • 335
Crossover Cable Preview or Acquisition • 277
Customizing Headers and Footers • 221

D
Data Structure Bookmark • 198
Date Options • 22
Dates • 207
Debug Options • 27
Decoding Data • 109, 206
Decrypted Block • 343
Decrypting a BitLocker Encrypted Device Using Recovery Key • 314
Decrypting a BitLocker Encrypted Device Using Recovery Password • 316
Decrypting S/MIME Email Messages in an Evidence File Created in Windows Vista • 340
Deleted Files • 362
Deleting a Bookmark Folder • 206
Deleting a Filter • 121
Deleting Tags • 213
Deploying a Solaris Servlet Using xinetd • 421
Deploying AIX Servlets • 423
Deploying and Running Servlets • 397
Deploying Check In Servlets • 400
Deploying in Solaris Using inittab • 422
Deploying Linux Servlets • 414
Deploying NetWare Servlets • 433
Deploying OS X Servlets • 424
Deploying Servlets • 400
Deploying Solaris Servlets • 418
Deploying the ePO Servlet • 438
Deploying the Linux Servlet using inetd • 417
Deploying the Linux Servlet Using inittab • 416
Deploying the Linux Servlet Using xinetd • 415
Deploying Windows Servlets • 401
Deploying Windows Servlets Using a Domain Push • 404
Deploying Windows Servlets Using IPC$ and PSExec • 408
Deploying Windows Servlets Using PsTools • 404
Deploying Windows Servlets Using Removable Media and PsExec • 412
Deploying Windows Servlets with Active Directory • 404
Determining Local Mailbox Encryption • 342
Dictionary and Built-In Attacks • 351
Disk and Volume Encryption • 287
Disk Caching and Flushing the Cache • 394
Disk Configuration Set Acquired as One Drive • 62
Disk Configurations Acquired as Separate Drives • 62
Dismounting the Network Share • 366
Displaying Related Messages • 134
Displaying Smartphone Data • 248
Drive-to-Drive Acquisition Using LinEn • 265
Dynamic Disk • 62

E
Editing a Bookmark • 206
Editing a Filter • 121
Editing Bookmark Content • 206
Editing Bookmark Folders • 206
Editing Conditions • 125
Editing Report Object Code • 224
EDS Commands and Tabs • 289
Email • 455
EnCase Decryption Suite • 285
EnCase Enterprise • 12
EnCase Evidence Files • 54
EnCase Forensic • 12
EnCase Requirements • 16
EnCase Version 7 Application Folder Locations • 29
Encrypted Block • 343

F
Font Options • 25
Formatting Report Templates • 219
Full Volume Encryption (FVE) AutoUnlock Mechanism • 318

G
Generating Reports • 215
Global Application Data • 32
Global Options • 21
GuardianEdge Encryption Support • 323
GuardianEdge Hard Disk and Symantec Endpoint Encryption Support • 324

H
Hardware Disk Configuration • 60
Hashing Evidence • 187
Hashing Features • 188
Hashing the Subject Drive Using LinEn • 280
Hiding a Tag • 212
Highlighted Data or Sweeping Bookmark • 196
Encrypting File System • 360 HP-UX VxFS and Servlet Support • 428
Enter Items • 292
Entering Non-English Content without Using Non- I
English Keyboard Mapping • 260 IM Parser • 89
Enterprise Options • 28 Importing a Review Package • 185
Entries View Right Click Menu • 116 Importing Hash Sets • 193
Evidence Cache • 31 Indexing Personal Information • 86
Evidence File Formats Supported by EnCase PDE • Indexing Text in Slack and Unallocated Space • 87
378 Initial Preparation • 384
Evidence File Formats Supported by VFS • 356 Inserting a Picture • 225
Evidence Processor • 160 Inserting a Table • 226
Evidence Verification • 279 Installing and Configuring Encase • 15
Excluded Checkbox • 228 Installing Drivers • 247
Executing the Servlet using PsExec • 411 Installing EnCase Forensic and EnCase Enterprise •
Expand Data View • 151 18
Expanding Compound Files • 80 Installing the HP-UX Servlet • 429
Exporting a Review Package • 185 Installing the Optional Guidance Software Servlet
Exporting Data for Additional Analysis • 179 Extension • 436
Exporting Location Data • 252 Installing the Tar Package • 419
Exporting Search Results for Review • 181 Integers • 207
Exporting to *.msg • 135 Internal Files and File System Files • 362
ext2, ext3, UFS, and Other File Systems • 365
K
F
Knowledge Base • 458
FastBloc SE • 391
File Carver • 89 L
File Report EnScript • 229 Launching EnCase for the First Time • 34
Filtering Your Evidence • 119 LinEn Command Line • 272
Finding Data Using Signature Analysis • 175 LinEn Evidence Verification and Status Reporting •
Finding Email • 80 278
Finding Internet Artifacts • 80 LinEn Manual Page • 282
Finding Tagged Items • 169 LinEn Setup Under Red Hat • 263
Finding the Location of an Evidence Item • 126
LinEn Setup Under SUSE • 263 PGP Decryption using the Passphrase • 330
Linux Syslog Parser • 91 PGP Whole Disk Encryption (WDE) Support • 326
Live Chat • 455 Physical Disk Emulator • 377
Localization of Report Layout • 224 Physical RAID Encryption Support • 319
Locally Encrypted NSF Parsing Results • 344 Picture • 207
Logical Evidence Files • 55 Post Collection Analysis • 158
Lotus Notes Local Encryption Support • 342 Posting to a Forum • 458
Printing a Condition • 125
M Processing Devices from a Local Preview • 76
Malware Scanning • 369 Processing Devices from a Network Preview • 77
McAfee Endpoint Encryption Support • 336 Processing Evidence • 69
McAfee ePolicy Orchestrator (ePO) Integration • Processing Evidence during a Sweep • 78
434
Q
Mode Selection • 276
Monitoring a Remote Acquisition • 53 Querying a Hash Library • 191
Mount Network Share Options • 357
Mounting a Single Drive, Device, Volume, or Folder R
• 357 RAID-10 • 60
Mounting Evidence with VFS • 356 RAIDs • 362
Mounting Non-Windows Devices • 381 RAM and Disk Slack • 363
Multiple Notable Files Bookmark • 201 Raw Image Files • 55
MyAccount • 459 Raw Text Bookmark • 196
Reacquiring Evidence • 65
N
Reacquiring Evidence Files • 65
NAS Options • 23 Recovering Folders • 79
Navigating the Evidence Tab • 113 Recovering NSF Passwords • 341
Navigating the Records Tab • 118 Recovery Key and Recovery Password Files • 313
Navigating the Table Pane • 97 Registration • 457
Navigating the Tree Pane • 96 Reinstalling EnCase • 20
New Virtual Machine Wizard • 385 Removing Check In Functionality • 448
Notable File Bookmark • 199 Removing the AIX Package • 452
Notes Bookmark • 202 Removing the NetWare Servlet • 452
NSF Encryption Support • 340 Removing the Servlet from Linux or OS X • 450
NSRL Hash Sets • 193 Removing the Servlet in Windows • 449
Removing the Solaris Package • 452
O Removing Write Block from a USB, FireWire, or
Obtaining a Linux Distribution • 263 SCSI Device • 394
Obtaining Additional Decryption Key (ADK) Renaming a Bookmark • 206
Information • 328 Repairing and Recovering Inconsistent EDB
Obtaining Updates • 16 Database Files • 131
Obtaining Whole Disk Recovery Token Information Report Styles • 221
• 327 Report Template Structure • 217
Other File Systems • 365 Reports • 153
Other Tools and Viewers • 369 Restoring A Drive • 67
Overview • 11, 16, 34, 47, 70, 94, 138, 162, 188, Restrict Access by IP Address • 373
196, 210, 216, 236, 256, 262, 287, 356, 378, 392, Retaining the GUID During Evidence Reacquisition
398 • 65
Retrieving Keyword Search Results • 171
P RMS Decryption at the File Level • 349
Parsing a Locally Encrypted Mailbox • 342 RMS Decryption at the Volume Level • 348
PDE Troubleshooting • 390 RMS Protected Email in PST • 350
Performing Acquisitions with LinEn • 263 RMS Standalone Installer • 347
Running a Default Filter • 119
Running a Linux Servlet as a Process • 415 Status Tab • 146
Running a NetWare Servlet as a Process • 433 Stopping a Servlet Using PsTools • 448
Running a Servlet as a NetWare Service • 433 Stopping and Removing Enterprise Servlets • 447
Running a Solaris Servlet as a Process • 421 Stopping and Removing Servlets • 448
Running an Existing Condition • 122 Stopping the SAFE • 453
Running EnScript Modules • 88 Successful BitLocker Decryption • 320
Running Evidence Processor Options Incrementally Support • 455
• 73 Support for EXT4 Linux Software RAID Arrays • 61
Running File Signature Analysis against Selected Support Portal • 456
Files • 178 Supported CREDANT Encryption Algorithms • 334
Running in OS X Using launchd • 426 Supported Encryption Products • 288
Running in OS X Using xinetd • 425 Supported GuardianEdge Encryption Algorithms •
Running the Customize Job Settings Option • 142 324
Running the File Report EnScript • 229 Supported Smartphone Operating Systems • 237
Running the HP-UX Servlet • 432 Supported Utimaco SafeGuard Easy Encryption
Running the Quick Sweep View Option • 140 Algorithms • 302
Running Windows Servlets as a Service or as a Sweep Enterprise • 137
Process • 402 Sweep Enterprise Dialog
Status and Analysis Browser • 146
S Sweep Enterprise Options • 140
S/MIME Encryption Support • 336 Symantec and McAfee EndPoint Encryption
Safeboot Encryption Support • 298 Support • 336
Saved BitLocker Credentials in Secure Storage • System Info Parser • 89
321
Saving and Dismounting the Emulated Disk • 381
T
Saving the File Report • 232 Table Bookmark • 201
Search Operators • 165 Tagging an Item • 211
Searching • 458 Tagging Items • 209
Searching Indexed Data • 163 Target Constraint • 150
Searching Through Evidence • 161 Technical Support • 455
Searching Through Raw Data • 170 Technical Support Request Form • 455
Searching With Keywords • 82 Telephone • 455
Secure Storage Items • 297 Temporary Files Redirection • 383
Secure Storage Tab • 291 Temporary Files Reminder • 371
Secure Storage Tab and EFS • 291 Text • 207
Selecting Pane Views • 94 Text Styles • 259
Setting Individual Case Options • 40 The EnCase Interface • 94
Setting the Date Format • 258 Third-Party Tools • 368, 383
Setup for a Drive-to-Drive Acquisition • 264 Transcript Bookmark • 201
Shared File Options • 26 Troubleshooting • 375, 394
Sharing Conditions • 125 Troubleshooting a Failed S/MIME Decryption • 340
Sharing Filters • 121 Types of Acquisitions • 47
Show Conversation • 133 Types of Evidence Files • 54
Showing Duplicate Email Messages in a
Conversation • 135 U
Single Files • 55 Undocking the View Pane • 111
Single Notable File Bookmark • 200 Uninstalling EnCase • 19
Smartphone Support • 235 Unix Login • 91
Software RAID • 60 Unsuccessful BitLocker Decryption • 321
Sources of Acquisitions • 47 User Application Data • 32
Starting Physical Disk Emulator • 378 User Data • 30
Starting Sweep Enterprise • 138 User, Product, and Foreign Language Forums • 457
Status Reporting • 280 Username and Password Authentication • 308
Using a Case Template to Create a Case • 35 Windows NT Software Disk Configurations • 61
Using a Write Blocker • 58 Windows Rights Management Services (RMS)
Using Disk View to See Data on a Device • 117 Support • 346
Using LinEn • 261 Windows-based Acquisitions with Tableau and
Using Physical Disk Emulator • 378 FastBloc Write Blockers • 58
Using PsTools to Deploy Servlets to a Single WinMagic SecureDoc Encryption Support • 321
Machine • 405 Working with Bookmark Folders • 204
Using PsTools to Deploy Servlets to Multiple Working with Bookmark Types • 196
Machines • 405 Working with Cases • 33
Using Report Templates • 217 Working with Columns • 100
Using the EnCase Interface • 367 Working with Hash Libraries • 189
Using the Network Authentication Server • 20 Working with Non-English Languages • 255
Using Third-Party Tools • 383 Write Blocking a USB, FireWire, or SCSI Device •
Using Views/Tabs • 112 392
Using Windows Explorer • 367 Write Blocking and Write Protecting a Device • 392
Utimaco Challenge/Response Support • 302 Write Protecting a USB, FireWire, or SCSI Device •
Utimaco SafeGuard Easy Encryption Known 393
Limitation • 308
Utimaco SafeGuard Easy Encryption Support • 302
V
Verifying AIX Servlet Deployment • 446
Verifying Evidence Files • 55
Verifying Servlet Deployment • 443, 444
Verifying Servlet Deployment Using Telnet • 445
Verifying Servlet Deployment with Net Start
Command • 444
Verifying Servlet Deployment with Netstat
Command • 445
VFS Server • 371
Viewing a Report • 232
Viewing Attachments • 133
Viewing Compound Files • 131
Viewing Content in the View Pane • 100
Viewing Email • 133
Viewing Evidence • 128
Viewing Information in a Timeline • 99
Viewing Multiple Evidence Files Simultaneously •
129
Viewing Notes Bookmarks • 202
Viewing Processed Evidence • 131
Viewing Related Items • 126
Viewing Saved Search Results • 174
Viewing Tagged Items • 212
Viewing Unicode Files • 258
Virtual File System • 355
VMware/EnCase PDE FAQs • 388
W
Windows • 208
Windows Artifact Parser • 90
Windows Event Log Parser • 90
Windows Key Architecture • 351
