Excerpts from EnCase Introduction to Computer Forensics

Transcription

1 Guidance Software, Inc. 572 East Green Street #300 Pasadena, CA Tel: (626) Fax: (626) web: Excerpts from EnCase Introduction to Computer Forensics EnCase Introduction to Computer Forensics Revision Copyright 2003, Guidance Software, Inc. EnCase is a trademark of Guidance Software, Inc. All rights reserved. No part of this publication may be copied without the express written permission of Guidance Software, Inc., 572 East Green Street #300, Pasadena, CA 91101

2

3 CONTENTS ENCASE CONCEPTS...2 EVIDENCE FILE...2 CASE FILE...4 ENCASE.INI FILES...4 CREATING A CASE... 5 CASE MANAGEMENT...5 CREATING AN EVIDENCE FILE FROM A FLOPPY DISKETTE... 8 CREATING AN EVIDENCE FILE FROM A FLOPPY DISKETTE...8 NAVIGATING THE CASE VIEW BASIC LAYOUT...20 SEARCHING THE CASE ADDING KEYWORDS...29 STARTING A SEARCH...33 VIEWING THE SEARCH RESULTS TWO METHODS OF DISPLAYING SEARCH HITS...36 BOOKMARKING YOUR FINDINGS UNDERSTANDING BOOKMARKS...38 BOOKMARKING FILES...38 TIMELINE VIEWER YEAR VIEW...42 MONTH VIEW...43 WEEK VIEW...45 DAY VIEW...45 HOUR VIEW...46 MINUTE VIEW...46 SEARCHING UNALLOCATED SPACE WINDOWS ARTIFACTS TEMPORARY DIRECTORY...53 WINDOWS DESKTOP FOLDER...53 SEND TO FOLDER...53 START MENU FOLDER...53 REGISTRY...53 TEMPORARY INTERNET FILES FOLDER...53

4 EnCase Concepts Lesson 1 EVIDENCE FILE The central component of the EnCase methodology is the Evidence File. This file contains three basic components (the header, checksum and data blocks) that work together to provide a secure and self-checking description of the state of a computer disk at the time of analysis. Cyclical Redundancy Check (CRC) The Cyclical Redundancy Check is a variation of the checksum, and works in much the same way. The advantage of the CRC is that it is order sensitive. That is, the string 1234 and 4321 will produce the same checksum, but not the same CRC. In fact, the odds that two sectors containing different data will produce the same CRC is roughly one in a billion. Most hard drives store one CRC for every sector. When a read error is generated from a disk, this usually means that the CRC value of the sector on the disk does not match the value that is recomputed by the drive hardware after the sector is read. If this happens, a low-level disk read error occurs. Evidence File Format Each file is an exact, sector-by-sector copy of a floppy or hard disk. When the file is created, the user supplies information relevant to the investigation. EnCase archives this and other information inside the Evidence File along with the contents of the disk. Every byte of the file is verified using a 32-bit CRC, making it extremely difficult, if not impossible, to tamper with the evidence once it has been acquired. This allows the investigators and legal team to confidently stand by the evidence in court. Rather than compute a CRC value for the entire disk image, EnCase computes a CRC for every block of 64 sectors (32KB) written to the Evidence File. This provides a good compromise between integrity and speed. A typical disk image will have many tens of thousands of CRC checks. The investigator will be able to identify the location of any error in the file and disregard that group of sectors, if necessary. Figure 1-1 Parts of a complete EnCase evidence file Compression Compression technology allows EnCase to store the data from a large disk in a relatively small file. EnCase uses an industry standard compression algorithm to achieve an average size reduction of 50%. If most of the disk is unused, the compression ratio may be much higher. This can result in great savings in disk storage space. Compressed Evidence Files take longer to generate because of

5 EnCase Concepts 3 the additional processing time required to compress the information. Compression NEVER has any effect on the final evidence, and compressed blocks are checked for validity in the same way as uncompressed ones. Verifying an Evidence File Automatically Whenever an Evidence File is added to a case, EnCase will begin to verify the integrity of the entire disk image in the background. This is usually quite fast for small (floppy) Evidence Files but can take a long time for hard disk files. During the verification process, the investigator can continue working on the case normally. If the case is saved and closed while the verification process is running, the verification process is canceled. This process then starts over when the case is reopened. Verifying an Evidence File Manually To re-verify an Evidence File manually, click on the Case tab and select the appropriate Evidence File. RIGHT-CLICK and select Verify File Integrity. A confirmation box will appear. Click Yes to begin. Figure 1-2 Verifying EnCase evidence file integrity

6 4 CONTENTS Disk and Volume Hash Values EnCase calculates an MD5 hash when it acquires a physical drive or logical volume. The hash value is written into the Evidence File and becomes part of the documentation of the evidence. When an Evidence File is added to a case, EnCase automatically verifies the CRC values and recomputes the hash value for the evidence data within the Evidence File. The hash value that is stored in the Evidence File and the hash value that is computed when the Evidence File is added to a case both appear in the Report for immediate confirmation that the Evidence File has not changed since it was acquired. To recompute the hash value of the drive or volume at any time select Case View, RIGHT- CLICK on a physical drive or logical volume, and select Hash. Figure 1-3 Recalculating the Hash value of an Encase evidence file CASE FILE A case file is a text file that contains pointers to the evidence and additional information specific to that case, such as bookmarks, search results, sorts, hash analysis and signature analysis results. A case file is created when the user saves the case. (Refer to Lesson 5, Creating a Case ). EnCase.INI FILES EnCase version 4 uses.ini files to maintain global settings, or settings that always take place, such as filters, file types and file signatures. This information is global and not specific to any particular case. These files can be moved from one computer to another.

7 Creating a Case 5 Creating a Case Lesson 2 A powerful feature of EnCase is its ability to organize different types of media together so that they can be searched as a unit, rather than individually. This saves time and allows the examiner to expend most if his or her efforts examining the evidence, rather than dealing with different types of media. CASE MANAGEMENT Before starting an investigation and acquiring media, consider how to access the Case once it has been created. It may be necessary for more than one investigator to view the information simultaneously. In such a case, the Evidence Files should be placed on a central file server, and copies of the Case file placed on each investigator s computer (since Case files cannot be accessed by more than one person at a time). One method of organization is to create a folder for each case, and to place the Case File and Evidence Files associated with that case in that folder. The reports and evidence copies may be placed in the same folder, or in sub-folders. Creating a TEMP folder in that folder allows the segregation and control of the temporary files that are created in the course of the investigation. Create a new folder for every case Create a Temp folder to keep the temporary files organized Figure 2-1 Creating folder structure The EnCase Forensic Methodology strongly recommends that the examiner use a second hard drive, or at least a second partition on the boot hard drive, for the acquisition and examination of digital evidence. It is preferable to wipe an entire hard drive or partition, rather than individual folders, to ensure all of the temporary, suspect-related data is destroyed. This will aid in deflecting any claims of cross-contamination by the opposing counsel if the forensic hard drive is used in other cases.

8 6 CONTENTS Start EnCase and select File New OR click on the NEW icon on the toolbar. The CASE OPTIONS dialog box will appear, which allows the selection of EXPORT and TEMPORARY folders for the new case. Figure 2-2 Creating a new case Browse to the folders that you created for this case, then click on OK.

9 Creating a Case 7 Next, select File Save or click on the Save icon on the toolbar. Navigate to the appropriate folder and enter a name for the case. Click on Save to save the new case file. Figure 2-3 Saving a case

10 8 CONTENTS Creating an Evidence File from a Floppy Diskette Lesson 3 CREATING AN EVIDENCE FILE FROM A FLOPPY DISKETTE Do the following before inserting a floppy diskette into the laboratory machine: 1) Write protect the floppy (you should see light through both holes). 2) Inspect the floppy for damage, especially on the slide. 3) Label the floppy with a tag or marker. Start EnCase and select the Add Device icon. Place the floppy in the lab machine s floppy drive, and place a check in the Local Drives box in the right pane. Click Next. Figure 3-1 Selecting a local drive

11 Creating an Evidence File from a Floppy Diskette 9 The local devices will be displayed in the following dialog box. Select the Local Drives folder in the left pane then put a check in the checkbox next to the A in the right pane and click Next. Figure 3-2 Selecting the floppy drive Encase will access and display the selected drive. Right-click in the area next to the floppy disk Icon and select Edit. Figure 3-3 Preparing to edit device attributes

12 10 CONTENTS Encase will allow you to change the default device attributes. This allows you to assign an Evidence Number, Evidence Name and add notes pertaining to the media. When finished select OK then Next. Figure 3-4 Editing device attributes EnCase will now display the Evidence Name you gave. Select Finish. Figure 3-5 Accepting final changes

13 Creating an Evidence File from a Floppy Diskette 11 EnCase will then read the media and add it to the new case as a preview only. To acquire the media, RIGHT-CLICK on it and select Acquire OR select the media and click the Acquire button. Figure 3-6 Acquiring from the preview Select the File Segment Size for archiving purposes (the 640-megabytes default makes files that fit on CDs). Select Generate Image Hash to prompt EnCase to generate a hash of the contents of the disk being acquired. This value can later be compared to the hash of the Evidence File contents to confirm that the data is identical. Choose the level of compression that EnCase will use when creating the Evidence File (This has no effect on the evidence, but may affect the amount of time that it takes to make the Evidence File.) Because compression is a computationally intensive process, it may take up to three times longer to create a compressed Evidence File than to create an uncompressed one. However, in most cases, the compressed file will be 2-3 times smaller than an uncompressed Evidence File. By default, the Start Sector and Stop Sector boxes will display the total sectors on the media. If the media contains a restored image, such as one generated by a forensic acquisition tool, the examiner may select only the sectors containing the restored image, excluding the unused sectors.

14 12 CONTENTS. Figure 3-7 Options window for acquire If the Evidence File is to be protected from unauthorized use, enter a password (The same password is typed twice to ensure the password was typed correctly.) Do not use this feature if there is a chance the password will be forgotten. The password must be entered every time the Evidence File or a Case that refers to it is opened. There is no simple way to recover a forgotten password. Utilize the browse button to navigate to the desired Output Path and enter the desired file name. Figure 3-8 Selecting a location to place the evidence files(s)

15 Creating an Evidence File from a Floppy Diskette 13 Click Save and the selected path and file name will be displayed in the Output Path. Figure 3-9 Verify all options for accuracy then select OK Then click OK. When the Evidence File has been created, EnCase presents a message box that displays the path and file name of the output file, along with the time elapsed. Select OK. Figure 3-10 Message displayed when acquisition is complete The next screen will pop up when you acquire removable media. Select Yes of you have more removable media to acquire or No if you are done acquiring evidence on this drive. Select No. Figure 3-11 Option to continue with other removable media

16 14 CONTENTS It is important to remember that the process described above has only created an evidence file. The evidence file has not been added to the case. The Brady s Floppy evidence seen within EnCase is still just a preview. If you begin examining the Brady s Floppy evidence currently loaded within EnCase you will notice the floppy disk will be accessed from time to time. EnCase will need to access the drive to obtain more information to display while in Preview mode. It is possible to add the Brady s Floppy evidence file at this time while the Brady s Floppy preview is still open. This could cause some confusion, as the name displayed within EnCase is the same for both the preview and the acquired evidence file. See the example below. Figure 3-12 An example of a confusing event To avoid the confusion, right-click on the preview and select Close prior to adding the evidence file. See the example below. Figure 3-13 Closing the preview prior to adding the evidence file helps to avoid confusion

17 Creating an Evidence File from a Floppy Diskette 15 EnCase will ask if you want to remove the Brady s Floppy 001 preview from the case. Select Yes. Figure 3-14 Warning screen prior to closing preview Now add the evidence file that was acquired during the preview. Select Add Device on the button bar. You will get the following screen. Figure 3-15 Default evidence paths from original installation

18 16 CONTENTS EnCase needs to know where the evidence file is located. Right-click in the left pane over the Evidence Files folder and select New. Figure 3-16 Creating a new evidence folder Navigate to where the evidence file is located and select that folder. Click Ok. Figure 3-17 Browsing to folder that contains EnCase evidence files

19 Creating an Evidence File from a Floppy Diskette 17 Any evidence file located within that subdirectory will be available for addition to your case. Any subdirectory created within that folder which contains an evidence file will be available as well.

20 18 CONTENTS Highlight the newly created folder in the left pane. On the right pane you will see any evidence files located within that subdirectory. Place a checkmark in the box next to Brady's Floppy 001 and select Next. Figure 3-18 Selecting the evidence file Verify that the selected evidence file was the correct file and select Next. Figure 3-19 Selecting the Brady s Floppy 001 evidence file

21 Creating an Evidence File from a Floppy Diskette 19 When you get to the final screen, select Finish. Figure 3-20 Final step to adding an EnCase evidence file to a case EnCase will now display the evidence in the left pane in Case view. Figure 3-21 Examining the evidence file

22 20 CONTENTS Navigating the Case View Lesson 4 BASIC LAYOUT EnCase opens into the Case View by default when a new case is created. The case view is used to navigate through the evidence that has been added to the case. From this view, one can view the files on a single piece of evidence or all the files found on several pieces of evidence. The Picture Gallery, Timeline, Disk View, and Evidence Table are all accessed from the Case View. The screen is initially divided into three sections, referred to as the left pane, right pane, and bottom pane. LEFT PANE RIGHT PANE BOTTOM PANE Figure 4-1 View of the 3 panes

23 Navigating the Case View 21 Left Pane This view works like Windows Explorer, providing the user with a tree-structured view of the evidence, and illustrating the relationship of each folder hierarchically. It presents each Evidence File as a folder that contains additional folders and files. Only Evidence Files and the folders contained within them are displayed in this view. Individual files are not displayed. An icon that quickly identifies the type of evidence precedes each Evidence File. Three icons are used as follows: Represents removable media such as: floppy diskettes, flash cards, zip disks, and jazz disks. Represents hard drives. Represents CD-Rom disks. Figure 4-2 Expanding folders to examine contents within The plus and minus signs can be used to expand and contract the tree structure. Right-clicking on a folder will bring up a context menu, with the choice to expand or contract everything from the selected position. Everything in the case will be affected by right-clicking on the Case folder. Figure 4-3 Bookmarking a folder structure

24 22 CONTENTS Right Pane The right pane, by default, is in the Table View. Within this view are the sub-folders and files that are contained within the folder that is selected in the left pane. Selected Folder Figure 4-4 Highlighting a file in the right pane If a folder is selected and there is one sub-folder, the sub-folder will be displayed. However, the files within the sub-folder will not be displayed. To see all the files, the pointed box must be highlighted in the left pane. click on the pointed box to see all of the files within that folder structure. Notice that there are only 11 files within the Class Material folder shown below. Figure 4-5 Examining a folder without show all box selected With the pointed box selected, all the files appear from the sub-folder within the Class Material folder. We now see 13 files in the right pane shown below. All files view Figure 4-6 Examining a folder with the show all box selected

25 Navigating the Case View 23 Bottom Pane The bottom pane displays the contents of the items selected in the right pane The bottom pane has default settings that should be understood. EnCase checks the contents of a file to see if it is an image that can be decoded internally. If so, EnCase will automatically switch to picture view in the bottom pane and display the image. Figure 4-7 Picture shown automatically in bottom pane A large amount of evidence gathering is conducted from the bottom pane. Here, the user can select various amounts of data and bookmark that information, which can then be included in the report. Refer to the Bookmarking chapter for more on creating bookmarks. Within this pane, the data can be viewed in a number of formats to facilitate easier retrieval by the investigator.

26 24 CONTENTS Here the same picture is viewed in Hexadecimal: Figure 4-8 Viewing a picture in the bottom pane as hex Here is a text file displayed in text view: Figure 4-9 Text file in the bottom pane

27 Navigating the Case View 25 Although the text is readable, its format can be improved by selecting View then Text Styles. Figure 4-10 Changing text style for bottom pane Select Low Bit-ASCII in the left pane then 80 in the right pane. The changes in the bottom pane will be displayed immediately. Figure 4-11 View of bottom pane with new text style active

28 26 CONTENTS It is important to be aware of one s current positioning within the Case, especially when documenting the location of evidence found in unallocated space. The status bar found in the bottom pane will provide that information. Status Bar Figure 4-12 Location of status bar The codes are translated as follows: PS Physical Sector number LS Logical Sector number CL Cluster number SO Sector Offset - the distance in bytes from the beginning of the sector. FO File Offset - the distance in bytes from the beginning of the file. LE Length - the number in bytes of the selected area. C / H / S Cylinder / Head / Sector

29 Navigating the Case View 27 Removing the Left Pane The bar between the left and right panes can be moved to allow you to see more of either side. To see more of the right pane drag the dividing bar to the left or select the left arrow icon on the bar. Before: Dividing Bar Icons on Bar Figure 4-13 Location of bar separating left from right pane After: Figure 4-14 View of right pane only You can select the right arrow on the same bar to cause the right pane to disappear or you can move the bar to the right. If you want the bar to go back to its normal position just click the square icon on the bar.

30 28 CONTENTS Isolating the Bottom Pane The bottom pane can be isolated as well to all the examination more of the contents of a file. Placing the mouse cursor on the pane divider for the lower pane, hold the left mouse button and drag the lower pane upward to increase the size. You will also notice more arrows on the right side of the middle bar. You can select those arrows to eliminate the top or bottom panes altogether and you can use the square icon to reset the screen to a default location. Before: Dividing Bar Arrows and square icons to move the dividing bar Figure 4-15 Location of dividing bar between upper and bottom panes After: Figure 4-16 View of bottom pane expanded to maximum size

31 Searching the Case 29 Searching the Case Lesson 5 EnCase provides a powerful search engine to locate information anywhere on the physical or logical media. After creating a Case file, a search may be conducted on keywords and their options. ADDING KEYWORDS Always create a good keyword list prior to beginning the case. Often the investigating officer provides the keyword list. It is a good idea to review the report and search warrant for additional keywords. Keywords can be divided into groups and structured in the Keyword View. This structure is used in the Bookmark View to display the results of the search. The Keyword View can be accessed by selecting the View menu, and selecting Keywords. Figure 5-1 Selecting Keywords view

32 30 CONTENTS Creating Keyword Groups To create a group, RIGHT-CLICK on the folder tree icon where you want to create the folder and select New Folder. Type a name for the folder. Two keyword groups, called Names and , have been created in the following example. Under each group are sub-folders for the keywords associated with Suspect1, Suspect2, and the victims in the case. Selecting New Folder will allow the creation of folders, and they will bear the name New Folder when initially created. RIGHT-CLICK on the newly created folder, and select Rename or highlight the folder and press the F2 key, and enter the text for the desired folder name. Figure 5-2 Creating a new folder to manage keywords Folders can be moved and relocated into parent folders by dragging and dropping into the desired parent folder.

33 Searching the Case 31 Entering Keywords After creating the groups, add the keywords into each group. Keywords may be added whether or not the keyword search is to be conducted during the first search effort. The keywords are selectable. To add a keyword, select the appropriate folder and press the INSERT KEY or RIGHT-CLICK on the folder and select New. The third method is to highlight the folder in the left pane in which you want to create the keyword then right-click in the right pane and select New. The New Keyword dialog box will appear. Figure 5-3 Entering a new keyword Options can also be set from this window in regards to: Search Expression Enter your search expression in this box. It may be a simple keyword, phrase, or a GREP expression. Description You may change the default and put something more descriptive that will help you remember what you were searching for. Case Sensitive EnCase will locate the keyword regardless of its case size, unless this box is checked. If checked, EnCase will only locate the keyword if the case sensitivity is the same as the keyword the examiner typed or pasted. GREP GREP is used to assist in narrowing the search, in limiting the false hits, and in cases where only certain portions of the keyword being looked for is known.

34 32 CONTENTS Active Code Page This will search using the active code page(s) that Windows is using right now (this is set through the Control Panel of your examination PC). This allows the examiner to enter keywords in foreign languages. This needs to be checked unless you have other code pages selected. Unicode Unicode was developed in direct response to foreign language character sets. Most MS Office products will use Unicode as will NTFS systems, Windows 2000 and XP. EnCase will locate items in either plain ASCII Text or Unicode if the Unicode box IS CHECKED. But EnCase will only locate items in plain ASCII Text if the Unicode box is NOT CHECKED. Figure 5-4 Example of plain text Figure 5-5 Example of Unicode Unicode Big-Endian Non-Intel PC data formatting scheme that stores multiple-byte numerical values with the most significant byte values first, which is the reverse of Little Endian. UTF-8 UTF stands for Universal Character Set Transformation Format. Applications have several options for how they encode Unicode. The most common encoding is UTF-8, which is the 8-bit form of Unicode. This option offers foreign language support. UTF-7 UTF-7 is a special format that encodes Unicode characters within US-ASCII in a way that all mail systems can accommodate.

35 Searching the Case 33 Type the keyword and press Enter or click on OK. After entering the keywords, they can be viewed in their individual folders or all together. To view them all together, click on the pointed box next to the Keywords folder. Figure 5-6 Viewing all keywords located within Keywords view STARTING A SEARCH Starting a search is simple, and just deciding if the entire case needs to be searched, or just an individual Evidence File, folder, or file can save time. For example, when searching for deleted evidence that may be in unallocated space, such as a file header, select just the unallocated space as opposed to the entire Case. Also, remember that a search may be executed for all keywords, or only selected keywords. To begin a search, click on the Search button on the toolbar. Next, click on Start. There are several options that can be selected when running a search. Each option may display significantly different results when the search is executed. The following diagram describes each function.

36 34 CONTENTS Detailed Search Options Figure 5-7 Search options Files to analyze - Searching the entire case means that EnCase will search every aspect of every Evidence File added to the case. If there are 10 floppy diskettes and five hard drives, all 10 floppy diskettes and all five hard drives will be searched. A search for selected files will cause EnCase to search only for files that have been blue-checked. The indicator box below the Selected Files option shows the number of files to be searched. Search each file for keywords - When checked, a keyword search will occur. When unchecked, the other checked functions will be performed, however the keyword search will not. The reason for this is that one may want to run a signature analysis, or a hash analysis, without running a keyword search. Verify file signatures - This option will conduct a signature analysis on the files selected to be analyzed (all or selected). Refer to the chapter on Signature Analysis for further information. Compute hash value - This option will conduct a hash analysis on the files selected to be analyzed. Refer to the Hash Analysis section for further information. Always compute hash value This option will conduct a hash analysis on any additional evidence files added to the case while the evidence file is checked being verified. Search file slack - This option tells EnCase to search the slack area that exists between the end of the logical files to the end of their respective physical files. Search only slack area of files with known hashes - This option is used in conjunction with a hash analysis. If a file is identified from the Hash Library, then it will not be searched. However, the slack area behind the file (as described above) will be searched. If this option is turned off, EnCase will ignore the hash analysis. Selected keywords only - This section allows the search to include all keywords, or just a selected number of keywords. The display box shows the number of keywords that will be used in the search.

37 Viewing the Search Results 35 Viewing the Search Results Lesson 6 As the search hits accumulate, view the results in the Search Hits View. Select View then select Search Hits. Figure 6-1 Changing to Search Hits view You will now need to select which search hits you want to view. Select the View Search Hits button located on the button bar. View Search Hits Button Figure 6-2 Selecting the View Search Hits button

38 36 CONTENTS Select the desired search hits by placing a check mark within the check box next to each keyword you want to view. When you are finished, select OK. Figure 6-3 Selecting desired keywords to view Encase will display the selected keywords in one of two ways. You can select Show Flat or Show By Keyword on the button bar. Two methods of displaying search hits Show Flat Show Flat will display all the selected keywords in a single view within the right pane. This could be helpful to locate multiple keywords within a single file quickly. The picture below is an example of the Show Flat view. Notice that the Show Flat button is grayed out and the Show By Keyword button is available to select. Figure 6-4 View keywords as Flat or sorted by Keyword

39 Viewing the Search Results 37 Show By Keyword Select the Show By Keyword button on the button bar. The keywords selected to view are separated into their own folders in the left pane. Note the magnifying glass icon located to the left of each keyword. Highlight a folder in the left pane. The search hits for the selected search term are displayed in the right pane. Figure 6-5 Viewing keywords with the Show by Keyword button selected In either view, when you select a search hit in the right pane, the search term is highlighted in a dark blue color in the lower pane. All other search hits within view in the bottom pane are highlighted in yellow. To document the hits in the report, or for further information on Bookmarking, refer to the Bookmarking sections in this manual.

40 38 CONTENTS Bookmarking Your Findings Lesson 7 EnCase allows the investigator to mark files or file sections that are of interest. These marks are called Bookmarks. All bookmarks are saved in the Case file and can be viewed at any time by clicking on the Bookmark tab. UNDERSTANDING BOOKMARKS There are five different types of bookmarks. A unique icon precedes each type. Here is a list of the different types of icons followed by their descriptions. Notable File Bookmark - Any one file that was bookmarked individually. This is a fully customizable bookmark. Highlighted Data Bookmark - Created by sweeping data. This is a fully customizable bookmark. Notes Bookmark - Allows the investigator to write anything into the Report. It has a few formatting features, and is not a bookmark of evidence. Folder Information Bookmark - Bookmarks the tree structure of a folder. There is no comment on this bookmark. Options include showing the device information and the number of columns to use for the tree structure. File Group - Indicates that a group of selected files was bookmarked. There is no comment on this bookmark. It is meant to be placed into a folder that explains the meaning of the group of files. This avoids the same comment being repeated continuously for each bookmark. A notes bookmark can precede this group of files to explain its meaning. BOOKMARKING FILES Bookmarks can be made from anywhere data or folders exist. The type of bookmark, however, must be chosen. Bookmarking sweeping bookmarks will be explored in this section. Refer to the Advanced Bookmarking section for further information on additional types of bookmarking.

41 Bookmarking Your Findings 39 Sweeping Bookmark The Sweeping Bookmark can be used to show specific highlighted data. Click onto the Bomb keyword folder in the left pane. Click on the second hit in the right pane and look in the bottom pane. A text document called 1-16.txt is referenced in the bottom pane. It begins with the words IGNITION DEVICES. Use the View, Text Styles options discussed earlier to set the view to Low Bit 80. Sweep, by left-clicking and holding, a few paragraphs. Right-click in the highlighted area. Select Bookmark Data. Figure 7-1 Example of a creating a sweeping bookmark

42 40 CONTENTS Select a folder in which to place the bookmark or create a new folder in the destination folder window. To create a new bookmark folder, highlight where you would like to create the new folder and select New Folder Figure 7-2 Creating a new folder for bookmark Name the folder. Give your bookmark a comment, if desired, and select the View Type in the Data Type window. Select Low ASCII text for this example. Select OK. Figure 7-3 Selecting a view type for bookmark

43 Bookmarking Your Findings 41 Switch to the Bookmarks View and highlight the Bomb Documents folder in the left pane. Switch to Report View in the right pane and see the results as they would show in the final report. Figure 7-4 Examining the bookmark in the report view in the right pane This is one of the most common bookmark types. This is a popular bookmark, as it places actual data directly into the report.

44 42 CONTENTS Timeline Viewer Lesson 8 The timeline viewer enables the investigator to graphically view dates and times of computer use, which can be important evidence in a case. For instance, the pattern may reveal that the computer was used between 8:00 a.m. and 5:00 p.m., then again between 7:00 p.m. and 8:00 p.m. These types of patterns are easily identified using the timeline viewer. By default, the timeline will show all dates: created, written, accessed, modified and deleted. Modified times are not a feature of DOS or Windows 95 or 98. Deleted times can only be obtained from the Recycle Bin. The timeline viewer is shown below in the lowest resolution. YEAR VIEW The year view is divided up into three sections. The year is at the top of each column. The horizontal numbers are the months, and the vertical numbers are the days. Switch to all files by clicking on the pointed box next to the word Cases in the left pane. Then switch the right pane into Timeline view. Pull the horizontal scroll bar all the way to the left. This may be confusing at first, but will become clear as the user acclimates to the screen. Figure 8-1 Year view within Timeline

45 Timeline Viewer 43 Month View The month view displays the days of the week that files were accessed, as well as in which hour they were accessed as well. From the edit menu select Higher Resolution. Figure 8-2 Right-Click and select Higher Resolution to change to Month view Higher and lower resolution options will not be available unless the user has clicked the timeline. View the data in columns. Look vertically at the columns for the month of April. There was a great deal of activity on April 4th, 5th, and 6th and again on the 11 th 12 th, and 13 th. There was little or no activity for the rest of the month. Figure 8-3 Month view within Timeline viewer

46 44 CONTENTS Accessed dates do not show times in DOS and Windows 95 and 98, although they do in Windows NT. To view the pattern of hourly activity on DOS and Windows 95 and 98, turn off the accessed times and view the same screen horizontally. Leave the accessed dates on for Windows NT on an NTFS system. The quantum has both files systems so it may be viewed both ways. Last accessed off: Figure 8-4 View options can be changed using checkmarks at the top Activity was between 9 and 1900 hours (7:00 p.m.). Last accessed on: Figure 8-5 Note activity within certain times Activity was between 9 and 1900 hours (7:00 p.m.). Note the accessed dates from the NTFS volume and compare them to the above.

47 Timeline Viewer 45 WEEK VIEW The week view shows Monday through Sunday. Monday s date is at the top of the column. This view provides more detail of the pattern established above, revealing the number of files with the boxes. Here is the same pattern with the actual numbers of files in the boxes. DAY VIEW The day view is shown in columns, with no horizontal indicators or rows. Each hour of the day will contain a dot if any of the selected times fall within that hour. If there are too many dots to display the entire row turns gray. There are different colored dots for the different selected times. Figure 8-6 Weekly view within Timeline viewer Figure 8-7 Day view within Timeline viewer

48 HOUR VIEW The hour view breaks the computer time use down to the minute. Each column will reflect one hour, with each minute being an entire row. The activity within the hour may be seen. Figure 8-8 Hour view within Timeline viewer MINUTE VIEW The minute view breaks down each minute into a column, with individual columns for each second. The activity shown below took place on 2:46:44 p.m. on April 5 th, Figure 8-9 Minute view within Timeline viewer Click on any of the dots in the timeline view and the file will show in the bottom pane. Use the arrow keys on the keyboard to move around the files. A bookmarking feature for the timeline view is not yet available. A good screen capture utility such as Paraben s Screen Capture 4 ( is recommended for the graphical view. Remember to make a bookmark indicating the screen capture.

49 Searching Unallocated Space 47 Searching Unallocated Space Lesson 9 After files are erased, disk optimization and other processes may remove the directory entries and data is left on the disk with no indication that it is there. Searching the unallocated space for known file headers and their associated end-of-file markers (if any) is one method of identifying such files. This exercise illustrates the technique of searching for a JPEG header to locate JPEGs in unallocated space. Although JPEG is used in this example, this technique can be used with any file format whose header and end-of-file markers are known. 1) In Case view, select the volume whose unallocated space is to be searched. Click on Volume C:. In the right pane place a blue check mark in the box next to unallocated clusters. Figure 9-1 Select Unallocated Clusters in the right pane

50 48 Searching Unallocated Space 2) Go to the Keywords view and create a new folder called File Headers. Figure 9-2 Create a file headers folder within Keywords view 3) To identify the JPG header, click on View File Signatures and scroll down to JPEG Image. Select JPEG Image and Right-Click. Select Edit. Figure 9-3 Locate the JPEG header from the File Signatures view 4) Select Header in the Edit Signature box. The Text box will contain the header for the selected file type (JPG). RIGHT-CLICK in the text box and select Copy or click CONTROL-C to copy. Click Cancel to close the Edit Signature box and click CLOSE to close the File Signatures box. Figure 9-4 Copy the JPEG header

51 Searching Unallocated Space 49 5) In Keyword view, RIGHT-CLICK on the File Headers folder and select New. RIGHT-CLICK in the Text box and select Paste or click Control-V. Make sure that GREP is selected. Figure 9-5 Paste the JPEG header into a New keyword in Keywords view 6) When finished, click OK. Click on the keyword so it is the only keyword selected. 7) Click on the Search button. Make sure the search criteria are for Selected Files Only, and Selected Keywords only. Turn off Verify file signatures and Compute hash value. Click on Start Analysis. Figure 9-6 Start a search using the JPEG header keyword

52 50 Searching Unallocated Space Switch to Search Hits view. Click the View Search Hits button and select the jpeg header. This process illustrates that evidence can be found in both allocated and unallocated space. Unallocated space should always be examined for evidentiary artifacts. Figure 9-7 View search hits and examine within bottom pane Once the search is completed, review the hits to determine the relevance to the investigation. To bookmark a search hit as a picture, select the Hex tab in the lower pane, and place the mouse cursor directly on the first byte of the image of interest. RIGHT-CLICK and select Bookmark Data. Figure 9-8 Right-Click on search hit within bottom pane and Bookmark Data

53 Searching Unallocated Space 51 In the following dialog box, select Picture in the View Types pane, type the desired comment, and select the appropriate destination folder for the bookmark. Figure 9-9 Select Picture as File Type

54 The bookmarked data in the selected folder will be displayed as an image within the report view, as shown below. Figure 9-10 Examine the newly created bookmark in the Report view on the right pane

55 Windows Artifacts 53 Windows Artifacts Lesson 10 The evolution of the search and recovery tools in EnCase enable computer investigators to raise their focus from detecting the evidence to identifying system-generated indicators that qualify and give meaning to the evidence. Beyond determining the existence of a keyword of interest, or locating a graphical image that appears to constitute evidence, the investigator explores attendant artifacts that are produced by the operating system that can serve to confirm or refute a user s assertions of lack of intent or lack of knowledge. TEMPORARY DIRECTORY Programs hold files that must temporarily exist while the program operates in the Windows Temporary Directory. Ordinarily, programs delete all their temporary files when they are shut down properly. If Windows crashes, some temporary files may remain until the user deletes them. WINDOWS DESKTOP FOLDER The Windows Desktop Folder contains all of the icons, folders and files that are located on the desktop. A good place to begin an investigation is by observing what programs the suspect had on the desktop. Check for removable media icons, such as a zip drive or jazz drive icon. SEND TO FOLDER The Send To Folder provides some options as to where to send a file. This is a right-click option in Windows and another good place to check for removable media. START MENU FOLDER The Start Menu Folder contains all of the links that exist on the Windows Start menu. This is a good location to check for applications relevant to the investigator s case. REGISTRY The Registry is used to configure Windows and related programs. Programs register themselves here and sometimes depend on the information in the registry to operate correctly. The registry may contain a good deal of evidence. The base registry files are the system.dat and user.dat files. TEMPORARY INTERNET FILES FOLDER The Temporary Internet Files Folder stores html pages, and associated files, so that next time the web sites are visited the images do not have to be downloaded again. This artifact leaves several items of evidence on computers. Internet , such as Hotmail, is stored in the temporary Internet files folder.