
Forensic Secrets

Copyright © 2009 EnCEsecrets.com 1


Table of Contents
• Purpose………………………………………….....3
• Test Strategy………………………………….…...5
• First Response…………………………………….8
• Recovering Deleted Partitions…………………..17
• Initial Processing………………………………...28
• Bookmarks………………………………………32
• Definitions………………………………………40
• Data Hiding………………………………………49
• File Types\File Viewers………………………….54
• Searches\Keywords………………………………58
• Recycle Bin Analysis\INFO2 Records…………...81
• INFO2 record analysis……………………………85
• Registry Analysis…………………………………91
• Microsoft Office………………………………….106
• Internet History………………………………..…109
• $MFT Analysis………………………………..…115
• Password Guessing………………………………120
• SID Analysis……………………………………..123
• Removable Media Analysis………………………128
• Link File Analysis………………………………..129
• Reporting…………………………………………137
• Resources…………………………………………145



Notes
There are EnScripts that have been developed to
automate most of the tasks described herein. I choose
to complete most of my examinations manually as I
can’t be 100% certain of the integrity of a given
EnScript. For example, what if the EnScript was
created by an adversary? Could the results really be
relied on? If you were testifying in court, could you
explain how the EnScript worked? As such, the
methods described in this text are the manual
methods. If an EnScript for such a task exists I will
try to note it, but I will not go into the details of
executing the EnScript.



Test Strategy
• Before starting the analysis, read all of the test
questions and try to create a strategy. This will help
guide your analysis and ultimately save you time as
you will not be as tempted to jump from question to
question.
• After reading the questions, create your Bookmark
structure. Remember that your report will contain the
names of the Bookmark folders as page titles so you
will want to name the folders appropriately prior to
submitting your final report.



First Response
• Scenario: responding to a digital crime scene.
– Safety is the first consideration.
• Know what type of environment you’ll be entering.
– Home vs. business
– Reputation for the part of town in which it is located
– Will you be the first on scene?
– Will you be working solo or as part of a team?
– Can the dispatcher provide you with a history of other incidents that have taken place at
the scene?
– Is the suspect present?
– Has he\she been restrained?
– Read the Search Warrant
• Is your search limited in any way or are you given carte blanche to seize and search
any digital evidence?
– Secure the digital crime scene
• Photograph the environment before entering to preserve its initial state.
• If the computer is running, photograph the screen.
• Establish a perimeter around the computer(s).
• Restrict access to areas in which digital evidence is located.

• Coverage continues for 7 more pages in the Forensic Secrets eBook: Buy Now!



Recovering Deleted Volumes
• Master Boot Record (MBR)
– Sector 0 of the physical disk, 512 bytes in length, ending
with the signature 0x55AA at byte offset 510.
– Its boot code loads the Volume Boot Record (VBR) from the
active (bootable) partition.
– Contains the Master Partition Table: four 16-byte entries,
each holding the bootable flag, the partition type, the
relative (LBA) starting sector and the sector count.
– The partition table therefore gives the relative starting
sector of each partition currently defined on the drive.
When a partition is deleted the operating system normally
zeroes its table entry but leaves the partition's data and
its VBR in place.
– Locate the MBR, recover the partition table and note the
relative start sector for each surviving entry; then search
the sectors not covered by any entry for an orphaned VBR
(an NTFS or FAT boot sector carrying 0x55AA at byte 510)
to find the volume that is no longer listed.



Recovering Deleted Volumes
• The Partition Table begins at Sector Offset (SO) 446, i.e.
byte 446 (0x1BE) within sector 0; the four 16-byte entries
run to byte 509 and the 0x55AA signature occupies bytes 510-511.
• To view the Partition Table in EnCase
– Select the physical disk, switch to Hex view and locate
Sector Offset (SO) 446 in sector 0.
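The table layout described above, as an added example (this is not code from the eBook, and the disk image it parses is constructed inline): parse the four partition entries at byte offset 446, then scan the sectors that no surviving entry covers for an orphaned NTFS/FAT boot sector, which is what recovering a deleted volume amounts to. The sample image, its partition start sectors and the OEM-ID list are assumptions made for the example.

```python
import struct

# Constructed sample data (not from the page). The partition-table layout is
# the standard MBR format: four 16-byte entries at byte offset 446 (0x1BE) of
# sector 0, followed by the 0x55AA signature at offset 510.
ENTRY_FMT = "<B3sB3sII"      # boot flag, CHS start, type, CHS end, LBA start, sector count
PARTITION_TYPES = {0x07: "NTFS/IFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x05: "Extended",
                   0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}
SECTOR = 512


def build_sample_disk(delete_second: bool = False) -> bytes:
    """70-sector image: MBR in sector 0, an NTFS VBR at sector 63 and a FAT32 VBR at sector 66."""
    image = bytearray(SECTOR * 70)
    entries = [(0x80, 0x07, 63, 3), (0x00, 0x0B, 66, 4)]
    for i, (boot, ptype, start, count) in enumerate(entries):
        if i == 1 and delete_second:
            continue                     # simulate a deleted partition: its entry stays zeroed
        struct.pack_into(ENTRY_FMT, image, 446 + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    image[510:512] = b"\x55\xAA"
    for start, oem in ((63, b"NTFS    "), (66, b"MSWIN4.1")):
        vbr = start * SECTOR
        image[vbr:vbr + 3] = b"\xEB\x52\x90"           # jump instruction that opens a boot sector
        image[vbr + 3:vbr + 11] = oem                  # OEM ID at bytes 3..10
        image[vbr + 510:vbr + 512] = b"\x55\xAA"
    return bytes(image)


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty entries of the MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature at byte 510: not an MBR")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 and start == 0 and count == 0:
            continue                                   # empty slot (what a deleted partition leaves behind)
        parts.append({"slot": i, "bootable": boot == 0x80, "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                      "start_sector": start, "sector_count": count,
                      "end_sector": start + count - 1})
    return parts


KNOWN_OEM_IDS = (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1", b"MSWIN4.0")   # assumed list for the example


def find_orphaned_vbrs(image: bytes, parts: list) -> list:
    """Sector numbers that look like FAT/NTFS boot sectors but fall outside every listed partition."""
    listed = [(p["start_sector"], p["end_sector"]) for p in parts]
    hits = []
    for sector in range(1, len(image) // SECTOR):
        s = image[sector * SECTOR:(sector + 1) * SECTOR]
        if s[510:512] == b"\x55\xAA" and s[3:11] in KNOWN_OEM_IDS:
            if not any(lo <= sector <= hi for lo, hi in listed):
                hits.append(sector)
    return hits
```

With the second entry zeroed, `parse_partition_table` reports only the NTFS volume while `find_orphaned_vbrs` still turns up sector 66, which is the start sector you would hand to EnCase when adding the deleted partition back. On a real image the scan covers a lot of sectors, so restrict it to the gaps between listed partitions and to sector numbers a partitioning tool would actually use (cylinder or 1 MiB boundaries).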

• Coverage continues for 4 more pages in the Forensic Secrets eBook: Buy Now!



Initial processing
• Once you have added the evidence to the case
and\or recovered any deleted volumes, save
your case. Select “Save all” from the File
menu to save the case as well as keywords,
settings, search hits, etc.
• Once you have saved the initial configuration
you can begin the initial processing steps.
These steps consist of a basic search that will
lay the foundation for the remainder of your
case.



Bookmarks
• There are several types of bookmarks within EnCase
– Folder Information Bookmark
• The Folder Information Bookmark will document the specific details
regarding the evidence file (i.e. the hard drive or USB drive).
• To create a Folder Information Bookmark, right click the physical disk
in Tree view and select “Bookmark Folder Structure.”
– Select the Include Device Information checkbox and change the value in
the “Columns” box to zero. This will prevent the actual folder structure
from being displayed on the report.
– Select the destination bookmark folder for the report and click OK.

• Coverage of Sweeping Bookmarks, Highlighted Data Bookmarks and Notes Bookmarks is included in the Forensic Secrets eBook: Buy Now!



Data hiding
• There are multiple methods of hiding data on a
computer hard drive. Among the most common
methods:
– Changing the extension on a file (e.g. renaming
Hotties.jpeg to Hotties.dll). To a casual user the picture
would appear to be a system file, because it looks like
gibberish when opened as one. The file's header (signature)
is unchanged by the rename, which is why a signature
analysis that compares each file's header with its
extension flags such files.
– Using a hex editor to write data into any of the disk
areas mentioned on the Disk Geography slides (file slack,
volume slack, unallocated clusters and the like), where
no directory listing will ever show it.
• Data hiding techniques are covered in 3 more
pages in the Forensic Secrets eBook: Buy Now!
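The extension-versus-header check that catches the renamed-picture trick, as an added example (not code from the eBook): each file's first bytes are matched against a table of known signatures and compared with what the extension claims. The signature table, the extension mapping and the sample headers are constructed for the example; a real table is far larger.

```python
# Constructed sample data (not from the page): a few file "headers" as they
# would appear in the first bytes of each file, with deliberately wrong extensions.
SIGNATURES = {            # leading bytes -> file kind
    b"\xFF\xD8\xFF": "jpeg",
    b"\x89PNG\r\n\x1A\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                        # also .docx/.xlsx/.pptx containers
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole",  # legacy .doc/.xls/.ppt compound files
    b"MZ": "pe",                                 # .exe/.dll/.sys all start with the MZ stub
}
EXTENSION_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
                  "pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip",
                  "doc": "ole", "xls": "ole", "ppt": "ole",
                  "exe": "pe", "dll": "pe", "sys": "pe"}


def identify_by_signature(header: bytes):
    """Longest matching signature wins, so the 2-byte 'MZ' never shadows a longer match."""
    for sig in sorted(SIGNATURES, key=len, reverse=True):
        if header.startswith(sig):
            return SIGNATURES[sig]
    return None


def signature_check(filename: str, header: bytes) -> dict:
    """Compare the kind implied by the extension with the kind implied by the header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_KIND.get(ext)
    actual = identify_by_signature(header)
    if actual is None:
        status = "unknown signature"         # plain text, or a type not in the table
    elif expected is None:
        status = "unknown extension"
    elif expected == actual:
        status = "match"
    else:
        status = "MISMATCH"                  # the renamed-file case the text describes
    return {"file": filename, "extension": ext, "expected": expected,
            "actual": actual, "status": status}


SAMPLE_FILES = {   # constructed headers, deliberately truncated to a handful of bytes
    "Hotties.dll": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "kernel32.dll": b"MZ\x90\x00\x03\x00\x00\x00",
    "budget.xls": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00",
    "readme.txt": b"Nothing to see here\r\n",
    "vacation.jpg": b"PK\x03\x04\x14\x00\x00\x00",
}


def scan(files=SAMPLE_FILES) -> list:
    return [signature_check(name, header) for name, header in files.items()]
```

Two mismatches come out of the sample set: the JPEG masquerading as a DLL and a ZIP container (possibly a .docx) hiding behind a .jpg extension. Note that a mismatch is a lead, not proof; a signature analysis also produces legitimate mismatches such as a .doc that is really RTF.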



Installing a file viewer
• To install a file viewer within EnCase you
must:
– Install the program on your investigation machine
– Within EnCase click
• View > File Viewers
• Right click in Table pane, select New
• Name the file viewer, browse to the path to the
executable
– In order to use the file viewer to open a particular
file type, you must also associate the file type with
the file viewer



Searching
• GREP vs. non-GREP
– A non-GREP keyword matches only the literal string you
type. GREP is a pattern (regular-expression) search: the
expression contains wildcards and character classes that
match any string fitting the pattern, so one keyword finds
every value of a given shape. GREP is particularly useful
when searching for data with a known format:
• Credit card numbers
• Social Security Numbers
• Phone numbers
• Domain names
• Email addresses
– A GREP pattern also matches anything that merely looks like
the target (a 16-digit serial number is not a credit card),
so plan on validating the hits.
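The formatted-keyword search described above, as an added example (not code from the eBook): regular expressions for the listed data types run over a constructed buffer, with a Luhn check applied to credit-card hits to weed out numbers that only look like cards. The patterns are written in Python's `re` syntax; EnCase's GREP dialect uses different metacharacters, so translate rather than paste. The buffer contents, including the public test card numbers, are constructed for the example.

```python
import re

# Constructed sample buffer (not from the page); the card numbers are the
# public test numbers 4111 1111 1111 1111 (Luhn-valid) and 1234 5678 9012 3456 (not).
SAMPLE = (b"contact bob.smith@example.com or sales@mail.example.org\r\n"
          b"card 4111-1111-1111-1111 exp 09/11\r\n"
          b"serial 1234 5678 9012 3456 is not a card\r\n"
          b"SSN 078-05-1120 phone (555) 123-4567 alt 555.987.6543\r\n"
          b"visit www.example.net for details")

PATTERNS = {   # Python regexes; EnCase GREP has its own dialect
    "credit_card": re.compile(rb"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)"),   # 13-16 digits, optional separators
    "ssn":         re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone_us":    re.compile(rb"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)"),
    "email":       re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "domain":      re.compile(rb"(?i)\b(?:[a-z0-9-]+\.)+(?:com|net|org|edu|gov)\b"),
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every payment card number satisfies; cuts serial numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def keyword_search(data: bytes, patterns=PATTERNS) -> list:
    """Run every pattern over the buffer; return hits in file-offset order."""
    hits = []
    for kind, rx in patterns.items():
        for m in rx.finditer(data):
            text = m.group().decode("ascii", errors="replace")
            hit = {"kind": kind, "offset": m.start(), "text": text}
            if kind == "credit_card":
                hit["luhn_valid"] = luhn_ok(re.sub(r"[ -]", "", text))
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])
```

The negative look-arounds (`(?<!\d)`, `(?!\d)`) keep a pattern from matching the middle of a longer digit run, which is the usual source of junk hits in a raw-disk search. Remember that keywords stored by Windows in UTF-16 (registry values, $MFT names, many document formats) need the Unicode option on the keyword or they will not be found at all.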



Keyword Search
• The following explains how to set up case-level
keywords:
– Click Keywords from the Case toolbar
– Right Click in Table Pane and select New
• Enter the search expression and name for the search in the
appropriate fields.

• 19 more pages of searching techniques are included in the Forensic Secrets eBook: Buy Now!



Recycle bin analysis
• When a file is moved to the Recycle bin:
– Its data is not deleted. The file is moved into a Recycle
Bin folder, where it remains until the user exercises the
option to "empty the Recycle bin."
– On Windows 2000/XP (NTFS) that folder is C:\RECYCLER, and a
sub-directory is created in it the first time each user
deletes something. The name of the new subdirectory is equal
to the SID of the user deleting the file(s):
• C:\Recycler\S-1-5-21-91693892-2092266016-712603620-145580
– Inside the subdirectory the file is renamed to D<drive
letter><index>.<original extension> (for example Dc1.doc),
and the INFO2 file in the same subdirectory records the
original path, deletion time and size against that index.
– Windows Vista and later use C:\$Recycle.Bin instead, with a
$I<id> metadata file and a $R<id> data file per deleted file;
there is no INFO2 to analyse on those systems.
• Two more pages of Recycle Bin Analysis and 6 pages of coverage
of INFO2 record analysis are included in the Forensic Secrets
eBook: Buy Now!
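An INFO2 parser, as an added example (not code from the eBook) for this section and for the "Recycle bin record" method of the SID Analysis section later on: it builds a constructed Windows 2000/XP INFO2 file (20-byte header, 800-byte records: 260-byte ANSI path, index, drive number, FILETIME, size, 520-byte Unicode path), reads it back, reconstructs the D<drive><index> name each file carries in the Recycle Bin, and pulls the SID out of a C:\RECYCLER path. The paths, times and RID classification are assumptions for the example.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE = 800           # Windows 2000/XP INFO2 record; a 20-byte file header precedes the records


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601) -> aware UTC datetime, using integer maths only."""
    return EPOCH_1601 + timedelta(seconds=ft // 10_000_000, microseconds=(ft // 10) % 1_000_000)


def dt_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def build_sample_info2(entries) -> bytes:
    """Constructed INFO2 file: (original_path, drive_number, deleted_time, physical_size) per entry."""
    data = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)   # version 5, unused, unused, record size, total size
    for index, (path, drive, deleted, size) in enumerate(entries, start=1):
        ansi = path.encode("cp1252").ljust(260, b"\x00")
        unicode_path = path.encode("utf-16-le").ljust(520, b"\x00")
        data += ansi + struct.pack("<IIQI", index, drive, dt_to_filetime(deleted), size) + unicode_path
    return data


def parse_info2(data: bytes) -> list:
    version, _, _, record_size, _ = struct.unpack_from("<IIIII", data, 0)
    if record_size != RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {record_size} (version {version})")
    records = []
    for off in range(20, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        original = rec[280:800].decode("utf-16-le").split("\x00")[0]
        if not original:                      # fall back to the ANSI copy if the Unicode path is empty
            original = rec[:260].split(b"\x00")[0].decode("cp1252")
        ext = original[original.rfind("."):] if "." in original else ""
        records.append({"index": index, "drive": chr(ord("A") + drive), "original_path": original,
                        "deleted": filetime_to_dt(ft), "physical_size": size,
                        # name the file carries inside the Recycle Bin folder: D + drive letter + index + ext
                        "recycled_name": f"D{chr(ord('a') + drive)}{index}{ext}"})
    return records


SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")


def sid_from_recycler_path(path: str):
    """Pull the SID out of a C:\\RECYCLER\\<SID>\\... path; the last component (RID) identifies the account."""
    m = SID_RE.search(path)
    if not m:
        return None
    rid = int(m.group(1))
    role = {500: "built-in Administrator", 501: "Guest"}.get(
        rid, "user account" if rid >= 1000 else "built-in/well-known")
    return {"sid": m.group(0), "rid": rid, "role": role}
```

The deletion time is a FILETIME and therefore UTC; convert to the machine's local time zone (from the SYSTEM hive) before putting it in a report. Matching the SID in the path to an account still needs the ProfileList lookup described under SID Analysis.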
Registry Analysis
• The Windows registry contains a wealth of
information for forensic examiners. This
section contains information that is essential to
passing the EnCE practical examination.
Additional information can be found in Harlan
Carvey’s Windows Forensic Analysis.
• The Forensic Secrets eBook contains 14 pages
of Registry Analysis techniques that are
essential for passing the EnCE: Buy Now!



Registry Analysis
• The machine-wide part of the Windows registry is stored in
hive files. The four the EnCE practical concentrates on, and
the keys they are loaded into on a running system, are:
– SYSTEM → HKEY_LOCAL_MACHINE\SYSTEM
– SOFTWARE → HKEY_LOCAL_MACHINE\SOFTWARE
– SECURITY → HKEY_LOCAL_MACHINE\SECURITY
– SAM → HKEY_LOCAL_MACHINE\SAM
• The hive files (SYSTEM, SOFTWARE, SECURITY and SAM) are all
located at the following path:
%Windir%\System32\Config\
– Within EnCase, navigate to %Windir%\System32 and
highlight the Config directory.
– The filenames do not have file extensions; the .LOG and .SAV
files beside them are transaction logs and backups, not the
hives themselves.
• Per-user settings (HKEY_CURRENT_USER) are not under Config at
all: each user's NTUSER.DAT in the profile directory is a hive
of its own.



Microsoft Office
• The legacy Microsoft Office formats (.doc, .xls, .ppt) are
based on Microsoft's Object Linking and Embedding (OLE)
compound file technology.
• An OLE compound file is a small file system inside one
file: a layered structure of storages (directories) and
streams (the document text, summary information, embedded
objects). EnCase allows an examiner to view each of the
layers by mounting the OLE file:
– Right-click the OLE file and select View File
Structure.
– The Office 2007 formats (.docx, .xlsx, .pptx) are ZIP
containers rather than OLE files; View File Structure
mounts those too, but the internal layout is different.
• The Forensic Secrets eBook contains two more
pages of critical information regarding
Microsoft Office files: Buy Now!
Internet History Analysis
• You should have searched for Internet History
during the initial processing of the hard drive. To
view the results, switch the Tree Pane to Records
view.
• Expand the drive listed in Tree Pane and set-
include (homeplate) Internet Explorer.
• In Table Pane you will see the entire contents of
the Internet History search.
• The Forensic Secrets eBook contains 5 more
pages about Internet History Analysis: Buy Now!



$MFT Analysis
• To locate the $MFT record entry:
– Set up a keyword for the file for which you are searching, e.g.
Forensics.doc, with the Unicode option enabled: the name is
stored as UTF-16 in the record's $FILE_NAME attribute, so an
ASCII-only keyword will not hit it. Select the keyword and then
select the $MFT so that it is the only file against which you
are running the search.
– View your search hit and switch the View pane to Hex view.
• The search hit (filename) will appear roughly in the middle of
the $MFT record.
• Search upward and find the word "FILE" that precedes the filename;
it is the record signature and marks the start of the record.
• Click on the F in FILE and highlight (sweep) forward 1024 bytes.
This should place you at the character just before the next
occurrence of the word FILE. (1024 bytes is the record size on
every standard NTFS volume; the value is stored in the volume's
$Boot sector if you need to confirm it.)
• What you have highlighted is the $MFT record for the file in question.
• If the name produces a second hit, check which record it is in:
the parent directory's record can hold the same name in a
resident $INDEX_ROOT attribute, and that is not the file's record.
• Techniques for extracting file dates from $MFT
records are included in the Forensic Secrets
eBook: Buy Now!
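A FILE record parser, as an added example (not code from the eBook): it builds a constructed 1024-byte record for Forensics.doc, complete with the update-sequence fixups the NTFS driver stamps over the last two bytes of each 512-byte sector, then reads it back the way an examiner would by hand: undo the fixups, walk the attribute list from the first-attribute offset, and pull the name and the FILETIME stamps out of $STANDARD_INFORMATION and $FILE_NAME. The record number, parent reference and timestamps are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE, SECTOR = 1024, 512
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF


def filetime_to_dt(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(seconds=ft // 10_000_000, microseconds=(ft // 10) % 1_000_000)


def dt_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def _resident_attr(atype: int, value: bytes) -> bytes:
    """Unnamed resident attribute: 24-byte header, total length padded to 8 bytes."""
    length = (24 + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 24, 0, 0, len(value), 24, 0, 0)
    return hdr + value.ljust(length - 24, b"\x00")


def build_sample_record(name, created, modified, record_number=64, parent=5) -> bytes:
    """Constructed in-use, non-directory FILE record with fixups applied like the driver does."""
    c, m = dt_to_filetime(created), dt_to_filetime(modified)
    si = struct.pack("<QQQQI", c, m, m, m, 0x20) + b"\x00" * 12      # 4 FILETIMEs, flags, padding
    fn = struct.pack("<QQQQQQQIIBB", parent, c, m, m, m, 0, 0, 0x20, 0, len(name), 1) \
        + name.encode("utf-16-le")                                    # namespace 1 = Win32
    body = _resident_attr(STANDARD_INFORMATION, si) + _resident_attr(FILE_NAME, fn) \
        + struct.pack("<II", END_MARKER, 0)
    rec = bytearray(RECORD_SIZE)
    first_attr = 0x38            # 0x30 header + 3-entry update sequence array, rounded up to 8
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, first_attr, 0x01,
                     first_attr + len(body), RECORD_SIZE, 0, 3, 0, record_number)
    rec[first_attr:first_attr + len(body)] = body
    usn = b"\x01\x00"            # update sequence number stamped over the last 2 bytes of each sector
    rec[0x30:0x32] = usn
    for k in range(2):
        end = SECTOR * (k + 1)
        rec[0x32 + 2 * k:0x34 + 2 * k] = rec[end - 2:end]   # save the real bytes in the array...
        rec[end - 2:end] = usn                               # ...and overwrite them with the USN
    return bytes(rec)


def parse_mft_record(data: bytes) -> dict:
    if data[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = bytearray(data)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for k in range(usa_count - 1):                       # undo the fixups before reading any attribute
        end = SECTOR * (k + 1)
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {k}: torn record or not a record")
        rec[end - 2:end] = rec[usa_off + 2 + 2 * k:usa_off + 4 + 2 * k]
    _seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 16)
    info = {"record_number": struct.unpack_from("<I", rec, 44)[0], "hard_links": links,
            "in_use": bool(flags & 1), "is_directory": bool(flags & 2), "names": []}
    off = first_attr
    while off + 8 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                            # resident: the value lives inside the record
            vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            val = bytes(rec[off + voff:off + voff + vlen])
            if atype == STANDARD_INFORMATION:
                keys = ("created", "modified", "mft_modified", "accessed")
                info["standard_info"] = dict(zip(keys, map(filetime_to_dt, struct.unpack_from("<QQQQ", val, 0))))
            elif atype == FILE_NAME:
                parent, c, m, _mm, _a = struct.unpack_from("<QQQQQ", val, 0)
                nlen, namespace = val[64], val[65]
                info["names"].append({"name": val[66:66 + 2 * nlen].decode("utf-16-le"),
                                      "namespace": namespace,      # 0 POSIX, 1 Win32, 2 DOS, 3 Win32&DOS
                                      "parent_record": parent & 0xFFFFFFFFFFFF,
                                      "created": filetime_to_dt(c), "modified": filetime_to_dt(m)})
        off += alen
    return info
```

The fixup step matters when reading by hand too: the two bytes at offsets 510-511 and 1022-1023 of the record you swept are the update sequence number, not data, and the real bytes are in the array at offset 0x30. Both attributes carry a full set of timestamps; $STANDARD_INFORMATION is the set Windows shows and the set timestomping tools alter, so compare it with the $FILE_NAME set.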



Password guessing
• The odds are that during the course of a
forensic analysis you are going to run into
password protected files (.doc, .zip, etc.) or
entire password protected volumes (i.e.
TrueCrypt volume(s)).
• There is no single strategy for guessing
passwords and all efforts may ultimately be in
vain.



SID Analysis
• There are a couple of different methods for identifying a
user's SID:
– Recycle bin record: the subdirectory under C:\RECYCLER is
named after the SID of the user who deleted the files.
– Registry analysis
• Locate the ProfileList key in the SOFTWARE hive of the registry
(Microsoft\Windows NT\CurrentVersion\ProfileList).
• Expand the ProfileList key; the SIDs are listed as subkeys.
• Highlight one of the SIDs and click on ProfileImagePath in Table
Pane.
• Switch View Pane to Text View using the Unicode @ 80 text style.
• The path to the relevant user's profile will be listed in the View
Pane. You can determine the username from this information.
– The last component of the SID (the RID) is informative on its
own: 500 is the built-in Administrator and 501 the Guest account,
while accounts created on the machine are numbered from 1000.
• Three more pages of SID Analysis are included in the Forensic
Secrets eBook: Buy Now!



Removable Media Analysis
• There are a couple of strategies that can be used to prove
that a known USB drive was plugged into a computer:
– Link file analysis
• Manual method - covered on the following pages.
• Link File Parser EnScript
– USB Device History EnScript
• Created by Lance Mueller http://www.forensickb.com
• Available at Guidance Software EnScript Library
• The underlying evidence is the USBSTOR key in the SYSTEM hive
(ControlSet00x\Enum\USBSTOR), which keeps a subkey holding the
vendor, product and serial number of every USB storage device
the machine has enumerated.
– Setupapi.log may also contain connection information
regarding removable media that has been used on the
computer in question (the time the device's driver was
first installed). Setupapi.log is best viewed in ASCII@120
text style within EnCase. It lives in %Windir% on Windows XP;
Vista and later write the equivalent to
%Windir%\inf\setupapi.dev.log.



Link File Analysis
• Obtain the volume serial number for the USB
drive from the Folder Information Bookmark:
(3663-7FA8)
• Click on a link (.lnk) file that points to a file on
the USB drive and switch to hex view.
• Search for the second occurrence of "10" in
the hex. Sweep the 4 bytes previous to the
second 10: this is the volume serial number
of the USB drive from which the .lnk file was
created.
– Note that the volume serial number is Little Endian
encoded and will thus need to be read from right to
left to interpret: the bytes A8 7F 63 36 are the
serial 3663-7FA8.
– The "10" is the VolumeLabelOffset field (0x10) that follows
the DriveSerialNumber inside the link's VolumeID structure,
which is why the 4 bytes before it are the serial. Whether
it is the first, second or third "10" in the file depends on
what precedes the LinkInfo block in that particular link, so
confirm the value against the serial in the bookmark rather
than trusting the count alone. A DriveType of 2
(DRIVE_REMOVABLE) in the 4 bytes before the serial is the
other tell that the target lived on removable media.
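The deterministic version of the hex-view method, as an added example (not code from the eBook): follow the ShellLinkHeader → LinkInfo → VolumeID offsets from the shell link format instead of counting occurrences of "10", and report the serial in the same 3663-7FA8 form the bookmark shows. The link file is constructed inline with that serial, a removable drive type and a local path; the target path and label are assumptions for the example.

```python
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x1, 0x2         # LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1                         # LinkInfoFlags bit
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def build_sample_lnk(serial=0x36637FA8, target=r"E:\Forensics.doc", label=b"USB") -> bytes:
    """Constructed .lnk (not from the page): header + LinkInfo with a VolumeID, no IDList, no strings."""
    header = struct.pack("<I16sIIQQQIIIHHII", 76, LINK_CLSID, HAS_LINK_INFO, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)      # times/size zeroed, ShowCommand=1
    vol_label = label + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(vol_label), 2, serial, 16) + vol_label
    base_path, suffix = target.encode("ascii") + b"\x00", b"\x00"
    vol_off = 28                                            # LinkInfoHeaderSize
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + suffix
    return header + link_info + b"\x00\x00\x00\x00"         # terminal extra-data block


def lnk_volume_info(data: bytes):
    """Walk ShellLinkHeader -> LinkInfo -> VolumeID; return serial, drive type, label and local path."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 76 or clsid != LINK_CLSID:
        raise ValueError("not a Windows shell link")
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # skip IDListSize + IDList
    if not flags & HAS_LINK_INFO:
        return None
    _info_size, _hdr_size, info_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                         # network target: no VolumeID present
    vol = off + vol_off
    vol_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
    if label_off == 0x14:                                   # Unicode label: its offset is the next field
        uoff = struct.unpack_from("<I", data, vol + 16)[0]
        label = data[vol + uoff:vol + vol_size].decode("utf-16-le", errors="replace").split("\x00")[0]
    else:
        label = data[vol + label_off:vol + vol_size].split(b"\x00")[0].decode("cp1252", errors="replace")
    local_path = data[off + base_off:].split(b"\x00")[0].decode("cp1252", errors="replace")
    return {"serial": serial, "serial_text": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
            "drive_type": DRIVE_TYPES.get(drive_type, "?"), "label": label,
            "local_base_path": local_path,
            "serial_offset": vol + 8}                       # where the 4 little-endian serial bytes sit
```

`serial_offset` points at the bytes A8 7F 63 36 in the constructed file, immediately followed by 10 00 00 00: exactly the pattern the manual method sweeps. Links to network targets carry no VolumeID at all, which is why the parser returns None for them rather than a bogus serial.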
Reporting
• Reporting is one of the more challenging aspects of the
exam, as creating reports within EnCase is not something
that is covered in tremendous detail in the GSI training
courses. Add to that the sometimes temperamental nature
of the bookmarks.
– Note: The Bold and Italic buttons within the Notes bookmark
will boldface or italicize all of the text within the notes
bookmark, not just what you highlighted (as you would expect
if using a word processor).
• The Forensic Secrets eBook includes 8 more pages of coverage
on the topic of Reporting: Buy Now!
Certification Secret
• If you choose “Page Break” as one of the
fields, you will also need to set the Page Break
column in Table view to Yes\True.
– Blue Check each bookmark folder in Tree Pane.
– Find the “Page Break” Column in Table pane, right
click the column heading and select “Page Break –
Invert Selected Items.”
• This will set the column to True\Yes or put a dot in each
box (default setting) and cause the page break to show
up when you switch to Report view.



Additional Info
• The Forensic Secrets eBook also contains in-
depth descriptions of resident vs. non-resident
files, Internet Cookie analysis, and definitions for:
– Unused disk area
– Unallocated clusters
– Pagefile.sys
– Hiberfil.sys
– Volume slack
– File slack
– RAM slack
• Visit EnCESecrets to Buy Now!
Questions
• If you have questions regarding whether
something
