ence study guide | opentext · ence study guide copyright © 2018 opentext 3 enfuse™ o registered...

Version 8

EnCE Study Guide

Copyright © 2018 OpenText 1

Certification Background

The EnCase® Certified Examiner program was created to meet the requests of EnCase software (EnCase) users as well as to provide a recognized level of competency for the examiner. While many different certifications exist, the EnCE provides an additional level of certification and offers a measure of professional advancement and qualifications.

Certain qualifications must be met to enter the certification process. An application and a detailed explanation can be found at:

https://www.guidancesoftware.com/training/certifications?cmpid=nav_r#EnCE

The cost is USD 200.00 within the U.S. and USD 300.00 internationally payable by credit card, check, or purchase order. The certification program does not generate profits for OpenText; the testing fee covers the cost of processing and grading both phases of the test. Once payment has been received and processed, the certification coordinator will email testing instructions to you.

The certification process addresses both EnCase and general areas of computer forensics. It involves a written test consisting of 180 questions (174 for international candidates; no legal questions). Two hours are provided to complete the written exam, which is true/false and multiple choice.

Once the Phase I results are received, the instructions for completing Phase II will be provided to you in an email message from [email protected]. This message will be sent to the address you provided on your application. If you fail the Phase I test, you will be required to wait 60 days from the date the test was taken before being allowed to re-take the test.

Your Phase II email message will include directions for accessing a “certification” version of EnCase, evidence files, and objectives or issues you must address. You must “work” the case, compile your report, and then send the report to the certification coordinator for review and grading within 60 days. You must fully answer a minimum of 15 of the 18 questions in order for your submission to be considered for grading. Any questions left unanswered will count against your grade. If you do not finish the Phase II in the time allotted, you will be required to wait 60 days from the date that the test was due and restart from the beginning.

Those who fail the EnCE Phase II exam must wait 60 days prior to retesting. If after resubmitting Phase II you fail again, you must begin the retesting process from Phase I.

EnCE Study Guide


Beginning the Certification Process

The first step toward certification is to review the qualifications and complete the application available at:


Submit the completed application to the EnCE certification coordinator at the address provided. Once your application has been received and accepted, payment instructions will be provided to you. Upon receipt of payment, you will be provided with login credentials to enroll in Phase I of the testing process.

The test is available in English and Spanish.

Phase I Testing Options

ExamBuilder

o ExamBuilder provides online testing services and are available at all times.

o Once you receive email instructions from the certification coordinator, visit the ExamBuilder website at https://testing.exambuilder.com/ to enroll in the Phase I testing process. Follow the instructions for log in.

o If you have questions about the enrollment process, contact the certification coordinator at (626) 463-7966 or [email protected].

EnCE® Prep Course

o This course is designed for EnCase users preparing for certification. The certification is based upon the skills and knowledge presented in the OpenText Foundations in Digital Forensics and Building an Investigation courses. The EnCE Prep course is not intended to be a replacement for these two classes; instead it is a thorough but accelerated review of the covered subjects.

o The Phase I written examination will not be given during class. Once you complete the class, you will be given login instructions. You will have 30 business days from the last day of class to take Phase I. After the 30 days, access to the exam will be terminated.

o Complete details for this course can be found at:

https://www.guidancesoftware.com/training/courses/df310

EnCE Study Guide


Enfuse™

o Registered attendees at our annual Enfuse conference may elect to take the Phase I test during the conference at no additional charge.

o All requirements must be met prior to attending Enfuse. Anyone interested in taking the Phase I test at Enfuse must fill out an application and return it to the certification coordinator one (1) month prior to the conference via fax, email, or mail. Only those who have preregistered and been approved will be admitted to take the Phase I test at Enfuse.

o Please visit https://www.guidancesoftware.com/enfuse-conference for more information.

Maintaining Your Certification

Payment of USD 75 via credit card, check, or purchase order is required for renewal completion. The payment must accompany a completed renewal form and the supporting documentation detailed as follows.

EnCase Certified Examiners are required to achieve one of the following items prior to their expiration date in order to renew.

Attend a minimum of thirty-two (32) credit hours of documented, continuing education in computer forensics or incident response to maintain the certification: *

o The training should either be for OpenText Guidance courses, from your agency, or an accredited source. Training should be either in a classroom lab setting or online. Proof of attendance should be provided via a certificate, transcript, or official letter.

o Earn one (1) credit hour for each classroom hour of training and ½ credit hour for each one hour of instruction as a computer forensics or incident response curriculum instructor.

Achieve a computer forensics or incident response related certification within the renewal period. A certificate of completion must be submitted as documentation.

Attend one Enfuse conference within the renewal period. Your certification must be current at the time of the conference and you must attend at least 10 sessions to fulfill the requirement to renew your EnCE. Register online at https://www.guidancesoftware.com/enfuse-conference. Renewal forms will be available for download from printing stations during the conference. Please check the box on the renewal form, and registration will be on file with OpenText certification.

* Training and teaching hours may be combined to reach the total 32 hours required. Documentation may be a

certificate of completion, official letter from the provider, or transcript.

EnCE Study Guide


The following are guidelines for submitting renewal credit for attendance at any other computer forensic conference other than Enfuse:

o Only labs count (seminars or product demos are not considered)

o Calculate one (1) CPE for every hour in a lab

o Send a copy of the conference agenda and indicate the labs attended and how many CPE each one is worth

Please do not submit your renewal documents separately. Keep all certificates together and only send them when you have the requirement fulfilled. When you are ready, email the renewal form and any certificates/letters/documents to [email protected]. These materials can also be sent via fax or regular mail.

The requirements must be met within the renewal period. (i.e., if the renewal date is June 1, 2012, the requirements must have been achieved between June 1, 2009 and June 1, 2012).

Should your certification expire, you will be required to restart the EnCE process from Phase I. Extensions will not be granted. If you are unsure of your expiration date, please email [email protected].

Complete renewal details are available at:


Other Study Material

This study guide highlights the topics contained in the EnCE test, including good forensic practices, legal issues, computer knowledge, knowledge of EnCase software, evidence discovery techniques, and understanding file system artifacts. If you need reference materials to prepare for a specific topic or portion of the exam, some recommended study materials are listed below:

DF120-Foundations in Digital Forensics manual by OpenText

DF210-Building an Investigation manual by OpenText

EnCase® Legal Journal by OpenText

EnCase® User's Manual by OpenText

EnCE Study Guide


EnCE® Preparation Training

Examining computer-based evidence with EnCase

Computer knowledge

Good forensic practices

Legal

Examining Computer‐based Evidence

The EnCase evidence file

EnCase concepts

The EnCase environment

EnCase Evidence Processor

Index queries and raw keyword searching

File signature and hash analysis

The EnCase Evidence File

Bit stream image of evidence written to a file

The EnCase Evidence File Contains Case Data

Cannot be changed after evidence file is created

Contains:

o Case number

o Examiner name

o Evidence number

o Unique description

o Date/time of computer system clock

o Acquisition notes

o Serial number of physical hard drive

The EnCase Evidence File Verification Cyclical Redundancy Check

o 32-bit CRC for (by default) 64 sectors (32 KB) of data

– If no compression is used

o Calculated when evidence file is added to a case and rechecked every time the data block is accessed

o Verification hash – “digital signature” of all data in evidence file

– MD5 – 128-bit/32 characters

– SHA1 – 160 bit

– Can choose MD5 and SHA1, MD5 or SHA1, or neither

EnCE Study Guide


The EnCase Evidence File Characteristics Logical file that can be renamed and moved

Can be broken into multiple segments, with a maximum segment size dependent on the file system to which the evidence file is written

Can be compressed during acquisition and/or reacquired with compression for archival without changing the hash value

Can be password protected or encrypted and can be reacquired to remove or change password/encryption

Individual segments can be verified by the CRCs when compression is not used

o If compression is used, the decompression algorithm is used

Error granularity is often used to adjust the writing of data to an evidence file, when a read error of the subject media occurs

o Standard – Size of the data blocks

o Exhaustive – Sector-by-sector

Evidence File Verification Data in the entire evidence file is verified by verification hash compared to the

acquisition hash value of the original evidence

Data in each data block is verified by a CRC when no compression is used

Both the MD5 and/or SHA-1 hash and CRCs must match for the evidence file to be verified

o If any compression is used, the compression algorithm is used to verify data blocks

EnCase Concepts The case file – .case

o Compound file containing:

– Pointers to the locations of evidence files on forensic workstation

– Results of file signature and hash analysis

– Bookmarks

– Investigator’s notes

A case file can contain any number of hard drives or removable media

The case file should be archived with the evidence cache and evidence files as it contains all of the investigator’s “notes” or work product

o Use the “Create Package” feature

EnCE Study Guide


The Configuration .ini Files Contain “global options” used for all cases

Some configuration .ini files:

o FileTypes.ini

– Organizes files into groups by extension; determines which viewer to use

– File Signature Table

o Local.ini

– Global configuration settings

o Viewers.ini

– Installed viewers associated to EnCase

The EnCase Methodology Case management

o Use large-capacity, high-RPM (revolutions per minute) hard drives with single partition for evidence files

o Wipe the drive to eliminate any claims or arguments of cross contamination

o Give the hard drive a unique label prior to acquisitions to differentiate your drives from that of the suspect

o Separate folders for each case are recommended

– Use unique directory names

– Each case requires an Export, Temp, and EvidenceCache folder

EvidenceCache – Storing cache files and containers for processed evidence

Export – Default folder for exporting evidence

Temp – Default temporary folder for file viewing

Evidence Processor After adding evidence to a case and confirming that the data is valid and

browsable, the first task you undertake is to run the EnCase® Evidence Processor.

The Evidence Processor lets you run, in a single automated session, a collection of powerful analytic tools against your case data.

Since you can run the Evidence Processor unattended, you can work on other aspects of the case while this tool is processing data.

After completion, the case data will be processed and ready for you to begin the important analytic and reporting phases of your investigation.

The following evidence processing functions are available:

o Recover folders – Recover files that have been deleted or corrupted on FAT and NTFS volumes

o Hash analysis – Generate MD5 and/or SHA-1 hash values for files and compare against your case Hash Library

EnCE Study Guide


o Expand compound files – Expand compound and compressed files, such as ZIP, RAR, and GZ

o Find email – Extract individual messages from email archive files, such as PST (Microsoft® Outlook), NSF (Lotus® Notes), DBX (Microsoft® Outlook Express), EDB (Microsoft® Exchange), AOL, MBOX, and EMLX

o Find internet artifacts – Collect Internet-related artifacts, such as browser histories and cached web pages

– You also have the option to search unallocated space for the Internet artifacts

o Search for keywords – Search raw (not transcript) text for specific keywords

o Index text – Create an index for when you need to search for keywords in compound files (Microsoft® Office 2007 and 2010) and across large amounts of data

– You can adjust the parameters for index creation, such as the minimum word length to index and whether to use a noise file

o File signature analysis – Determine if the extension of a file has been altered and whether or not the extension matches the file type as specified by the file’s header

o Protected file analysis – Identify encrypted and password-protected files

o Creating thumbnails from images – Creates image thumbnails for faster display in the EnCase GUI

Search Queries – Index The case index is created with the EnCase Evidence Processor

Creating an index will allow you to instantly search for terms in a variety of ways

o You can adjust parameters for index creation, such as the minimum word length to index or whether to use a noise file (a file containing specific words to ignore)

Compared to keyword searches that search on the raw text, index searches will search on the transcript output of the file, which is critical for Microsoft Office 2007 and 2010 files

Generating an index can take time, however, the trade-off in time spent creating the index yields a greater payoff with near instantaneous search times

o Guidance recommends always indexing your case data

Search Queries – Index Once your case has been indexed, keyword searched, tagged, or any combination

of the three, you can then search for desired information. To create a unified search do the following:

o Go to the View menu and select Indexed Items

o In the Index window, enter the index query term or index search queries along with a logic operator (for example – “or” or “and”) to search the index

EnCE Study Guide


o A dynamic list is displayed on the right side of the window, showing the terms in the index and the number of occurrence of a term

o EnCase will show you all words in the index that start with the term that you have typed and will dynamically update the list as you type additional letters

– At any time you can double click on a query term and it will show the information about that term

o Click on the Run or Play button to run the query

Raw Keyword Searching EnCase for Windows®

o Logical raw keyword searching is conducted on allocated files

o Physical searching is conducted upon the unallocated areas of the physical disk

o Logical search will find a word fragmented between two noncontiguous clusters, whereas a physical search will miss the fragmented word

Case Sensitive

o Not set by default

– Selecting will limit hits to exact case of words entered

– Can be used with GREP and Unicode

GREP

o Box must be selected for EnCase to use GREP expression, otherwise EnCase will search for the literal entered characters

– Can be used with Case Sensitive and Unicode options

Unicode

o Set by default; selecting this box will enable EnCase to search for keywords in both ANSI and Unicode

– Recommended to be selected for most searches

– Can be used with GREP and Case Sensitive options

– Unicode uses two bytes for each character allowing the representation of 65,536 characters

Global Regular Expression and Print (GREP) * An asterisk after a character matches any number of occurrences of that

character, including zero. For example, “john,*smith” would match “john,smith,” “john,,smith,” and “johnsmith.”

+ A plus sign after a character matches any number of occurrences of that character except zero. For example “john,+smith” would match “john,smith” or “john,,smith,” but would NOT match “johnsmith.”

# A pound / hash sign matches any numeric character [0-9]. For example ###-#### matches any phone number in the form 327-4323.

EnCE Study Guide


(ab) The parentheses allow the examiner to group individual characters together as an AND statement.

{m,n} The curly braces state number of times to repeat, i.e., m to n times

| The pipe is an OR statement and can be used with the parentheses, i.e., (com)|(net)|(org) for the end of an email address.

[] Characters in brackets match any one character that appears in the brackets. For example “smit[hy]” would match “smith” and “smity.”

[^] A circumflex at the start of the string in brackets means NOT. Hence [^hy] matches any characters except h and y.

[-] A dash within the brackets signifies a range of characters. For example, [a-e] matches any character from a through e, inclusive.

\ A backslash before a character indicates that the character is to be treated literally and not as a GREP character.

File Signatures and File Viewers File Signatures

o Stored in the EnCase configuration file FileTypes.ini

o New file signatures can be added manually

o The terms “file signature” and “file header” mean the same thing, the standard hex characters at the beginning of a certain file type

File Types – Viewers

o EnCase uses the FileTypes.ini file to store external viewer information and associate file extensions with external viewers

o When the examiner double clicks on a file, EnCase will copy the file to the Temp folder and launch the Windows-associated viewer or user-defined external viewer to read the file

Hash Sets and Hash Library Hash sets can be built with one file or any number of selected files

o The sets contain the hash values of the file(s) in the set and selected metadata

The hash value of a file is computed only from the logical file independent of the file name, time/date stamps, and the slack space of the physical file

The Hash Library is built from selected hash sets

o The examiner can exclude specific hash sets to remain within the scope of the examination

o You can have two Hash Libraries for each case

EnCE Study Guide


Signature and Hash Analysis Signature Analysis – File extensions are compared to the file signature (header)

according to the File Types Table

Hash Analysis – The hash value of each logical file is computed and compared with the Hash Library composed of the selected hash sets containing hash values and file metadata

Both analyses can be used to help identify suspect files and/or exclude known or benign files

o The results of both analyses are viewed in the Table view of the Evidence Entry tab

Computer Knowledge Understanding data and binary

The BIOS

Computer boot sequence

File systems

Computer hardware concepts

Understanding Data and Binary Bits and Bytes

Bit Name Binary 1 = Bit 1

4 = Nibble 0000

8 = Byte 0000-0000

16 = Word 0000-0000 0000-0000

32 = Dword 0000-0000 0000-0000

0000-0000 0000-0000

64 = Qword You get the idea

ASCII and Unicode

o The ASCII table (American Standard Code for Information Interchange) is based on a 7-bit system

– The first 128 characters make up the ASCII table and represent alpha/numeric values common punctuation and other values

– The remaining 128 characters are called “high-bit characters”

– Together 256 characters can be addressed

o Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode

– Unicode uses two bytes for each character, allowing the representation of 65,536 characters

EnCE Study Guide


Basic Input/Output System

o The BIOS checks and configures the computer system after power is turned on

o The BIOS chip is usually found on the motherboard

o The BIOS should be checked during each examination of a computer to check the boot sequence and settings of the internal clock

Computer boot sequence

File System Fundamentals File slack is comprised of drive slack and sector/RAM slack

o Sector/RAM slack

– Data from the end of the logical file to the end of that sector

The 10-byte file written to a 512-byte sector will have 502 bytes of sector/RAM slack in the same sector that contains the logical data

– Sector/RAM slack is zeroed out prior to writing it to the drive (00 00)

– In Windows 95A and older, sector/RAM slack will contain actual data from RAM, and it will be stored on the drive with the file

o Drive slack

– Data that is contained in the remaining sectors of a cluster that are not a part of the current logical file

– A logical file of 10 bytes stored in a four-sector cluster will have three sectors of drive slack

File Allocation Table

o Often found on legacy hard drives and removable devices

o FAT tracks

– File fragmentation

– All of the addressable clusters in the partition

– Clusters marked bad

o Directory records

– File name

– Date/time stamps (Created, Accessed, Written)

– Starting cluster

– File logical size

o A directory (or folder) is a file with a unique header and a logical size of zero

When a file is deleted from a FAT system

o 1st character of directory entry changed to E5h

o FAT entry values change from allocated to unallocated (0)

o No effect on the data within the clusters

EnCE Study Guide


When EnCase “virtually” undeletes a file

o Directory entry read

– Obtains starting extent, logical size

– Obtains number of clusters by dividing logical size by bytes per cluster

o FAT examined to determine if starting cluster/extent is in use

o If starting extent is in use, EnCase deems this file to be “Deleted/Overwritten”

File Allocation Table versions

o FAT 16

– 2 ^ 16 = 65,536 total allocation units available (clusters)

o FAT 32

– 2 ^ 28 = 268,435,456 total allocation units

– 4 bits are reserved by Microsoft

o Two copies of the FAT are stored for backup purposes

o A cluster is composed of multiple sectors

– A sector contains 512 user-addressable data bytes

File Systems – exFAT exFAT was originally created for USB flash drives and SD cards, but can be used

to format volumes under Windows 7

o ExFAT is recognized by Windows operating systems XP and after

The exFAT file system uses 32 bits within the table and has a limit of 4,294,967,285 (232 – 11) cluster addresses

The exFAT file system uses free space bitmaps to reduce fragmentation and free space allocation/detection issues

o Each cluster is tracked in the bitmap

o A single bit is used for each cluster on the volume

When a file is created within exFAT, a different sequence of events may occur than in FAT

o If the file is fragmented, then exFAT functions as FAT does

o If the file is not fragmented, the FAT is not updated

Within the directory entries of the exFAT file system, there are multiple, 32-byte records at least three for each directory entry. Each record has an identifier byte:

o Directory Entry Record – Record ID 85 (hex) – Contains Attributes, Created, Accessed, and Last Written dates/times

o Stream Extension Record – Record ID c0 (hex) – Contains logical size, starting extent, size of filename, CRC of filename, and whether the FAT is being used to track the clusters allocated to the file

o File Name Extension Record – Record ID C1 (hex) – Contains the filename in Unicode; additional records may be needed for longer file names

EnCE Study Guide


When a file is deleted, the first bit of the identifier of the record is changed from 1 to 0, changing the identifier to reflect a record not in use

o It is also possible for the Directory Entry Record to be changed in this manner if the file is renamed

This means that if the file was fragmented and there was a cluster chain, the chain is not destroyed on deletion

In exFAT, since allocation status is in the bitmap, there is no need to zero out the cluster run

o As long as the clusters themselves have not been reused for newer files, it is possible to accurately recover even heavily fragmented files that were deleted because the cluster run would still be intact

File Systems – NTFS Master File Table (MFT) – administratively documents all files/folders on NTFS

volume

MFT – comprised of records – 1024 bytes each

MFT grows but doesn’t shrink

At least one MFT record is allocated to each file and folder on volume

Bitmap file documents if clusters are allocated or unallocated

Two types of files: Resident and Nonresident

File Systems – NTFS

Resident files

o Data resides within MFT record for file

o Data does not begin at the beginning of a sector/cluster

o Logical size = physical size

Nonresident files

o Data not within MFT Record

o MFT record houses pointers to clusters storing file

o Pointers in the form of a “data run”

Both types of files may be hashed as long as logical size is greater than 0

Computer Hardware Concepts The computer chassis or case is often incorrectly referred to as the CPU

CPU = Central Processing Unit and is represented by a chip installed on the motherboard

Also installed on the motherboard are the Random Access Memory, the Read Only Memory, and add-in cards, such as video cards and Network Interface Cards (NIC).

Integrated Drive Electronics (IDE) and Serial Advanced Technology Attachment (SATA) disk drives can be attached directly to the motherboard with a ribbon cable

EnCE Study Guide


Geometry of hard drives

o Cylinder/Heads/Sectors (older drives)

– C x H x S x 512 bytes per sector = total bytes

o Logical Block Addressing

– Total number of sectors available x 512 bytes = total bytes

Master Partition Table

Volume Boot Record

Partition tables

Partition recovery

Good Forensic Practice First response

Acquisition of digital evidence

Operating system artifacts

First Response At the scene

o Photograph, take notes, sketch

o Image RAM

– EnCase® Portable or WinEn

o Take down the system – whether pull plug or shut down depends on circumstances

– Shut down – if UNIX/Linux or server

– Pull plug – it depends on circumstances

o Disconnect computers’ hard drive(s)

o Access BIOS

– Obtain system date and time

– Obtain boot sequence

Booting turned-off machines

o LinEn (Linux EnCase) CD

– Disk-to-disk imaging with Tableau hardware write-blocker

– Network cross-over cable

o EnCase Portable

Inspection of media

o Internal Inspection

– Check for disconnected media

– Additional media connected, etc.

EnCE Study Guide


o External Inspection

– Check for connected media

– Check for additional devices/media

Onsite triage

o Tableau – fastest

– Gallery view, hash/file signature analysis, logical and physical searches with GREP, copy/unerase, EnScript programs, etc.

o Network cable preview – fast

– Gallery view, hash/file signature analysis, logical and physical searches with GREP, copy/unerase, EnScript programs, etc.

Evidence Processor available on live devices

o EnCase Portable – fast

– Triage and Collection jobs: Pictures, keyword search, hash sets, filtering with conditions, Snapshot, Internet history

– Acquisition of digital evidence

Tag media and transport

o Tag evidence

– Evidence should be inspected for damage

– Evidence should be documented and labeled

– Evidence should be properly bagged in preparation for transport

o Transport evidence

– Evidence should be properly secured for transportation

– Evidence should be stored properly

Computer Forensic Examiner Must be trained

Must use best forensic practices available

Must avoid damaging or altering evidence

Should test and validate computer forensic tools and techniques prior to using them on original evidence

Acquisition of Digital Evidence File Systems Supported by EnCase

o FAT 12, 16, 32, exFAT

o NTFS

o EXT2/3/4 (Linux)

o Reiser (Linux)

EnCE Study Guide


o UFS (Solaris)

o CDFS (Joliet, ISO9660, UDF)

o DVD

o Macintosh HFS/HFS+, Mac OS X (BSD)

o HP-UX

o Etc…

Smartphones and tablets

If the file system is not supported by EnCase, the examiner can still conduct a physical text search, run EnScript programs for file headers and footers, etc.

The examiner can also restore the physical drive to a drive of equal or larger size

o The restored drive is verified by the MD5 and/or SHA1 hash value

A volume may also be restored to a partition containing the same file system

o The restored partition is verified by the MD5 and/or SHA1 hash value

Laboratory Procedures Cross contamination

o Wipe lab examination drives

o Use EnCase case management methodology

Chain-of-custody

o Signed and dated log tracking evidence possession

o Controlled access to lab area / secured evidence

Storage

o Clean, temperature-controlled environment

o Legacy portable electronic devices may lose battery power, potentially erasing all data

Operating System Artifacts Recycler

NTFS directory entries and structure

Windows artifacts

o Recent

o Link files

o Desktop

o Send To

o Temp

o Internet Explorer history, cache, favorites, cookies

EnCE Study Guide


o Enhanced metafiles; print spooler

o Windows 7/8.x/10 – C:\Users\

o Registry files – global and user account specific

o Swap file – pagefile.sys

o Hibernation/Standby file – hiberfil.sys

Legal Issues Best Evidence Rule

o A printout of data stored in a computer can be considered as an original under the Federal Rules of Evidence if it is readable by sight and accurately reflects the stored data

o Compression of acquired data does not affect admissibility under the Best Evidence Rule

o If original evidence must be returned to the owner, the forensic image could be considered the Best Evidence

Daubert/Frye

o Legal test to determine if a scientific or technical process for obtaining, enhancing, or analyzing evidence is acceptable

Elements of Daubert

o Has the process been tested and subject to peer review?

o Does the process enjoy general acceptance in the related community?

o Can the findings be duplicated or repeated?

Commercially available software has a greater opportunity for peer review, testing, and validation

EnCE Study Guide


EnCE® Preparation Training Version 8

OpenText Confidential. ©2018 All Rights Reserved. 2

Phase I Instructions

• The EnCE written test (Phase I) is administered using the ExamBuilderweb testing service.

• Applicants are given 120 minutes to answer 180 questions (U.S.). International applicants are not presented with questions on legal considerations in digital forensics.

• Open book/open notes, but consider you have 40 seconds per question. Is there time?

• Minimum score of 80% to pass.

EnCE Study Guide



Phase II Instructions

• If you pass Phase I, you’ll receive an email from the Certification Coordinator with detailed instructions on completing Phase II.

• You have 60 calendar days to complete the examination. The time period will begin five days after you receive the confirmation email from the Certification Coordinator.

• Extensions beyond the original 60 days may be granted per the discretion of the

Certification Coordinator up to an additional 30 days.

• Please email [email protected] to request an extension.


• EnCase® Forensic and Acquisition Concepts

• EnCase Functions

• Data Allocation and File Systems

• Searching Evidence with EnCase

• Examining Evidence with EnCase

• Legal

EnCE Written Exam Pools

EnCE Study Guide



EnCase Forensic and Acquisition Concepts

• Creating a Case

• Navigating the EnCase Environment

• The EnCase® Evidence Processor

• Digital Evidence Handling

• EnCase Concepts

• Acquisition Concepts

• Single Files and Logical Evidence Files

• Closing Your Case – Reacquire/Restore/Archive the Case


Creating a Case

• Upon creating a case, a unique directory structure for case management and an EnCase case file are created. This is created by EnCase.

• Lab drives receiving forensic images or other case data should have a unique volume label.

• Prior to acquiring digital evidence or adding it to a case, all hardware should be tested and verified and all drives to be used to receive forensic images should be wiped and prepared.

• EnCase Version 8 uses Pathways to assist the examiner by providing links to suggested steps in the examination process.

EnCE Study Guide



The EnCase Base Case Folder

• The EnCase base case folder is the location where EnCase creates the case’s unique folder structure and case file and, by default, writes all associated case data.

• Default folders include Export, Temp, Searches, and Tags.

• EvidenceCache location chosen at time of case creation.


Navigating the EnCase Environment

Tree Pane Table Pane

View Pane Filter Pane

GPS BAR

EnCE Study Guide



Navigating the EnCase Environment – GPS Bar

An understanding of the EnCase interfaceis needed for successful completion of the practical exercise.

Path to object Physical

SectorLogical Sector

ClusterSector Offset

File Offset

Length (#) of bytes

highlighted


The EnCase Evidence Processor

• Designed to process all or selected evidence in a case with the core analysis tools of EnCase in an automated workflow.

• Considerations

• Must have evidence in case

• Acquire first recommended

• Account for disk space

• Determine Time Zone

EnCE Study Guide



The EnCase Evidence Processor (cont.)

• The Evidence Processor lets you run, in a single unattended, automated session, a collection of potent analytic tools against your case data allowing you to work on other aspects of the case while this tool is processing data.


Digital Evidence Handling

• Sources of digital evidence include computers, servers, removable media, virtual drives and cloud services.

• Proper identification, handling, cautions, and options for collection of a computer in both powered on and powered off state.

• Proper documentation of scene and evidence prior to and during collection. Establish and document chain-of-custody.

• What is the BIOS? What information should be obtained from the BIOS?

• Basic Input Output System

• System date/time

• System boot order

EnCE Study Guide



Digital Evidence Handling – Boot Sequence

Power Button

BIOS

POST

BIOS FROM ADD-IN CARDS

The BIOS immediately runs POST and then prepares the system for the first program to run.

LOAD RAM WITH BIOS DATA

POST (Power On Self Test) checks the system board, memory (RAM), keyboard, floppy disk, hard disk, etc., for presence and reliability.

Add-in cards such as SCSI drive controller cards can have a BIOS on the card that loads at this time. These BIOS normally detect devices and load information into the BIOS data area in RAM.

A special RAM BIOS data area of 256 bytes contains the results of the system check identifying the location of attached devices.

Boot Sequence?


Digital Evidence Handling – Boot Sequence

Boot Sequence?

A: C:

Other DevicesPresent? No

YesMay display error or shift to boot another

device

Boot Record?

No

Yes

Command.Com

Config.sys

Msdos.sys

Io.sys

Autoexec.bat

Master Boot Record

Go to Boot Partition

Boot Record

Io.sys

Msdos.sys

Config.sys

Command.Com

Autoexec.bat

Optional

EnCE Study Guide



Digital Evidence Handling (cont.)

• ASCII stands for American Standard Code for Information Interchange.

• Number of characters addressable by ASCII and Unicode:

• ASCII = 256

• Unicode = 65,536

• Binary is base 2, represented by the characters 0 and 1.

• Decimal is base 10, represented by the characters 0-9.

• Hexidecimal is base 16, represented by the characters 0-9, A-F.

• Hexadecimal uses two characters to represent one byte.

• A single Unicode printed character is composed of two bytes of data.


Digital Evidence Handling (cont.)

• Bits and Bytes

Bit Name Binary

1 = Bit 1

4 = Nibble 0000

8 = Byte 0000-0000

16 = Word 0000-0000 0000-0000

32 = Dword 0000-0000 0000-0000

0000-0000 0000-0000

64 = Qword You get the idea

EnCE Study Guide



EnCase Concepts – The EnCase Case File• The EnCase Case file - .case extension

• Compound file containing:

• Pointers to locations of evidence files on forensic workstation

• Results of file signature and hash analysis

• Bookmarks

• Investigator’s notes

• A case file can contain any number of items of evidence.

• The case file should be archived with the evidence cache and evidence files as it contains all of the investigator’s notes.

• Use the “Create Package” feature


EnCase Concepts – The EnCase Evidence File• A bit stream image of the source data written to a file or multiple file segments.

• Logical file(s) that can be renamed and moved.

• Can be broken into multiple segments with a maximum segment size dependent on the file system to which the evidence file is written.

• Can be compressed during acquisition and/or reacquired with compression for archival without changing the hash value.

• Compression does not affect acquisition or verification hash values as these are calculated over

uncompressed data.

• Can be password protected or encrypted and can be reacquired to remove or change password/encryption.

• Individual segments can be verified by the CRCs when compression is not used or by the compression algorithm if compression is used.

EnCE Study Guide



EnCase Concepts – The EnCase Evidence File (E01)

• Header

• Case data cannot be changed after evidence file is created.

• Contains examiner input information (evidence name, evidence number, case name,

notes) and information obtained from device being acquired (if supported through

connection).

• Is compressed and not plain-text readable.



• Data Blocks

• Data read from source in block size (default 64 sectors/32 KB) and written to evidence file.

• Cyclical Redundancy Check

• 32-bit CRC calculated over data written to data block.

• If no compression is used

• Calculated when evidence file is added to case and rechecked every time the data block is

accessed.

EnCE Study Guide




• Acquisition Hash - “digital signature” of all data in evidence file• MD5 – 128 bit digest value

• SHA1 – 160 bit digest value

• Examiner can choose either, both, or neither

• Not required but highly recommended


EnCase Acquisition Concepts

• Current EnCase Evidence File – Ex01 file extension.

• Allows for symmetric (password) encryption and asymmetric (private/public key pair)

encryption.

• Evidence can be previewed prior to acquisition and acquired from the same view.

• Consideration of RAM/Volatile data prior to removing power from computer.

• Write protection considerations – FastBloc® SE built into EnCase.

• Error Granularity – if a read error occurs, controls the amount of data within the data block to be zeroed out:

• Standard – the entire data block (64 sectors / 32 KB, by default).

• Exhaustive – only the sector reporting the error (increases acquisition time).

EnCE Study Guide



EnCase Acquisition Concepts

• Name – Name displayed in EnCase (mandatory)

• Evidence Number – Examiner assigned (mandatory)

• Case Number – Examiner assigned (mandatory)

• Examiner Name – Person acquiring evidence (mandatory)

• Output Path – where to write the EnCase acquired evidence files

• Alternate Path – spill over location if Output Path fills


EnCase Acquisition Concepts• Evidence File Format

• Legacy = E01

• Current = Ex01

• Verification Hash• MD5

• SHA1

• MD5 & SHA1

• None

• Compression• Enable

• Disabled

• File Segment Size –Size of file segments in megabytes

EnCE Study Guide



EnCase Acquisition Concepts• Block Size – Size of data in

sectors written to the data blocks of evidence file

• Error Granularity - If a read error occurs, controls the amount of data within the data block to be zeroed out

• Start Sector – Sector where EnCase will begin reading data to be written to the forensic image

• Stop Sector – Sector where EnCase will stop reading data to be written to the forensic image


Single Files and Logical Evidence Files

• EnCase Logical Evidence Files• A container file to which an examiner can write files and/or folders from evidence within

EnCase that preserves the object’s logical data and associated metadata.

• Single Files• Individual files that exist on media accessible to the forensic examiner’s workstation that

are added to EnCase from their current location.

EnCE Study Guide



Closing Your Case• Reacquisition of EnCase Evidence Files

• Creates a separate forensic image, using the same process, from an existing evidence file.

• Things you can change:

• Compression – apply/remove • Encryption – apply/remove

• Format – Current/Legacy • Segment Size

• Hash Algorithm • Start/Stop sectors

• Block Size

• Things you can not change:

• Name within EnCase • Evidence Number

• Case Number • Examiner Name

• Notes


Closing Your Case

• Restoring Evidence Files

• Physical Drive – Target Media Requirements

• Must be equal or greater number of sectors as source image file.

• Recommended that target media be forensically prepared (wiped) prior to restoration

• Logical Volume – Target Media Requirements

• A volume must be created of equal or greater size

• This volume must be the same file system as the volume being restored

• Recommended the volume be formatted with the same size clusters

• Recommended that target media be forensically prepared (wiped) prior to restoration

EnCE Study Guide



Closing Your Case

• Archiving The Case:• A case is backed up, relocated, archiving through the Create Package feature

in EnCase

• Items backed up:

• Required Items – Case file, case folder structure under base case folder

• Primary Evidence Cache

• Secondary Cache

• Evidence Files


EnCase Functions

• File Signature Analysis

• Hash Analysis and Entropy

• Compound File Examinations

• External Viewers

• Detailed Copy Options

• Report Creation for the EnCE Practical

EnCE Study Guide



File Signature Analysis

• A comparison of a file’s extension and signature (header) to a known table

to determine the file’s true identity.

• EnCase stores file signatures within the File Types.ini file and they are

viewed in the File Types Table within EnCase.

• File signature over all objects can by initiated through the EnCase

Evidence Processor or over selected objects in the evidence Table view

from the Entries menu.


File Signature Analysis (cont.)

• File Signature Analysis returns one of four responses:

• Match – the file’s extension and signature are present in the EnCase File

Types Table and are in the same record.

• Alias – the file’s extension and signature are present in the EnCase File Types

Table but not in the same record.

• Bad Signature – The file’s extension is present in the EnCase File Types

Table but the file’s signature is not.

• Unknown – Neither the file’s extension or signature is present in the EnCase

File Types Table.

EnCE Study Guide



Hash Analysis and Entropy

• EnCase calculates a MD5 and/or SHA1 hash value for acquisitions and objects within evidence

• MD5 = 128 bit hash value

• SHA1 = 160 bit hash value

• Hash libraries provide a manner of organizing hash values

• A hash library contains one or more hash sets

• A hash set contains one or more hash values

• Hash values are the individual hash digests calculated over individual objects

• Analogy – A neighborhood library (hash library) contains shelves (hash sets),

which contain individual books (hash values)


Hash Analysis and Entropy (cont.)

• EnCase uses hashing to determine

• A file’s potential investigative significance by comparing the file’s calculated

hash value to hash values stored in a hash library; AND

• The accuracy of acquired evidence through comparison of the hash value

calculated from the data read from the original source to that written to the

forensic image.

EnCE Study Guide



Hash Analysis and Entropy (cont.)

• Entropy is useful in determining and comparing the randomness of a file:

• Calculates a value on a scale from 0-8 out to four decimal points (ex: 7.9788).

• 0 being low randomness to 8 being high randomness.

• Entropy does not identify the file’s data - Two very different files can have the same

entropy value.

• Entropy is useful to locate compressed and encrypted files.

• Hash Analysis and Entropy over all objects can by initiated through the EnCase Evidence Processor or over selected objects in the evidence Table view from the Entries menu.


Compound File Examinations• Compound files are files that maintain an internal file structure within the base file.

• Once the compound file’s structure is calculated by EnCase, the objects within the

structure can be processed, viewed, searched, filtered and bookmarked.

• Examples of compound files are Windows registry hives and Zip archives.

EnCE Study Guide



External Viewers

• External viewers are applications installed or available that run within the Windows operating system of the examiner’s workstation and are often used for viewing files within evidence in their native formats.

• Methods of viewing file content within the EnCase interface include:

• EnCase Internal Viewer

• Windows Associated Application

• User-Defined External Viewer


External Viewers (cont.)

• As part an The EnCase File Types Table contains records of file types to include the extension(s), file signature (header), footer (if applicable to the file type), EnCase category and the associated viewer that EnCase will use to view the file’s content.

• External viewers are not required to be associated to a file type in the EnCase File Types Table. The can be installed within EnCase without association to a file type within the table.

• When viewing a file within an evidence file with an external viewer, EnCasecopies the file to the temp folder. EnCase deletes the files when the EnCase application is closed normally.

EnCE Study Guide



Detailed Copy Options

• Copy file(s) from the evidence in an open case to a volume accessible to the examiner’s workstation.

• Be mindful of file size limits due to file system of target volume.

• Can be done with files on previewed devices and acquired evidence.

• Two methods to copy files from evidence in EnCase:

• Copy Files – Copies highlighted or selected (blue checked) files.

• Copy Folders – Copies all or selected files in folders and subfolders and mirrors

folder structure.


Copy Files• Copies highlighted or selected (blue checked) files.

• Enacted from the Entries/Artifacts/Results pull-down or right click context menu.

EnCE Study Guide



Copy Folders• Copies all or selected files in folders and subfolders and mirrors folder structure.

• Enacted from the Entries/Artifacts/Results dropdown or right click context menu.


Output Differences• Stuff.vhd was selected and each function was initiated on the selected file

from the top of the folder structure on the folder (left) pane.

EnCE Study Guide



Output Differences

Copy FILESCopy FOLDERS


Report Creation for EnCE Practical

• It’s your report so do it however you would like to present your work.

• BUT…… here are a few tips from the Training staff that review and grade the submitted reports:

• Use the Flexible Template.

• Create a separate bookmark folder for each question; summarize the question.

• Follow the direction for each question within its respective bookmark folder.

• Keep it organized so you can easily tell if you have completely answered each

question by looking in each question’s folder.

• If you are entering a lot of text in a Notes bookmark, first type it in a word

processor with spell check and then copy the text into the bookmark.

EnCE Study Guide



Data Allocation and File Systems

• Data Allocation and File Descriptions

• FAT, ExFAT, and NT File Systems

• Volume Recovery


Data Allocation and File Descriptions

• A sector is the smallest area on digital media that can be read from and written to.

• A cluster is a grouping of sectors created during the formatting of a volume which represents the smallest allocation unit addressable by the file system.

• A cluster can only contain the data for one object; data from two objects cannot occupy the same cluster.

• EnCase physical size of an item = the total size of all the clusters allocated to the file measured in bytes.

• EnCase logical size of an item = the total size of the data making up the object.

EnCE Study Guide



Data Allocation and File Descriptions – Slack Area

• In the above representation, cluster size is 4 sectors (512b/sector).

• A file with a logical size of 724 bytes was written to the cluster.

• The remaining space in the cluster is termed “slack.”


• RAM Slack (green) = Area from the end of the logical file to the end of the sector. Post Windows 95b, data in this area is hex 00.

• Disk Slack (orange) = Area from beginning of sector following end of logical file data to end of cluster.

• File Slack (red) = RAM Slack + Disk Slack.

• EnCase, by default, displays logical file data in black and slack space in red.


EnCE Study Guide




Last byte oflogical file

First byte ofRAM slack

Last byte ofRAM Slack

First byte ofdisk slack


FAT, ExFAT, and NT File Systems

• A file system, at a minimum, must perform these functions:

• Track the name and attributes of the object

• Track the starting extent of the object

• Track the fragmentation of the object

• Track the allocation status of all clusters in the volume

EnCE Study Guide



FAT – File Allocation Table File System• File Allocation Table:

• Tracks the allocation status of the clusters and the fragmentation of the object.

• Four values possible:

• 0 = Cluster unallocated.

• # = Cluster allocated and file continues in cluster number referenced.

• EOF = Cluster allocated and file data ends (End of File).

• BAD = Bad sector reported within cluster.

• Directory:

• Tracks the name and attributes of the object, the logical size and the starting cluster.

• Each record is 32 bytes.


FAT – File Allocation Table File System

• FAT 16

• 2 ^ 16 = 65,536 total addressable allocation units (clusters)

• FAT 32

• 2 ^ 28 = 268,435,456 total addressable allocation units (clusters)

• 4 bits are reserved

• Two copies of the File Allocation Table are maintained – FAT1 & FAT2

• Maximum file size is 4 GB

• A FAT directory entry has a logical size of Zero (0) bytes

EnCE Study Guide




Cluster Status

2 EOF

3 04 05 06 07 08 09 0

Name Ext Dates Logical Size Starting Cluster

Stuff txt CAM 200 2

• A FAT volume is formatted with a cluster size of 4 sectors (512 b/sector), cluster size = 2048 b.

• Stuff.txt with a logical size of 200 b is written to the volume, occupying 1 cluster.

File Allocation Table Directory



Cluster Status

2 EOF

3 4

4 EOF

5 0

6 0

7 0

8 0

9 0



Stuff txt CAM 200 2

Shop txt CAM 3000 3

Directory

• Shop.txt with a logical size of 3000 b is written to the volume, occupying 2 clusters.

EnCE Study Guide




Cluster Status

2 5

3 4

4 EOF

5 6

6 7

7 EOF

8 0

9 0



Stuff txt CAM 6500 2

Shop txt CAM 3000 3

Directory

• Stuff.txt is edited and grows to a size of 6500 b.

• Stuff.txt now occupies 4 clusters.

• Stuff.txt is now a fragmented file.



Cluster Status

2 0

3 4

4 EOF

5 0

6 0

7 0

8 0

9 0



E5tuff txt CAM 6500 2

Shop txt CAM 3000 3

Directory

• Stuff.txt is deleted.

• The first character of the file name is changed to a hex E5.

• The cluster cell status for those occupied by the file are set to unallocated in the FAT.

EnCE Study Guide




Cluster Status

2 0

3 4

4 EOF

5 0

6 0

7 0

8 0

9 0



E5tuff txt CAM 6500 2

Shop txt CAM 3000 3

Directory

• When EnCase virtually undeletes a file:• Obtains info from directory, replacing first character of file

name with _

• If starting cluster has been reused, EnCase deems this file to be “Deleted/Overwritten”

• Cannot rebuild fragmented file – chain no longer present


ExFAT File System• ExFAT was originally created for USB flash drives and flash memory cards,

but can be used to format volumes.

• ExFAT is recognized by Windows operating systems XP(SP2) and after Mac OS-X 10.6.5 (Snow Leopard) and after.

• The ExFAT file system uses 32 bits within the table and has a limit of 4,294,967,285 ((2 ^ 32) – 11) cluster addresses.

• Major Components of ExFAT

• Directory - Tracks object name, attributes, CAM dates, size and starting cluster

• Consists of 3 – 32 byte records per object

• File Allocation Table – Tracks fragmentation ONLY

• $Bitmap – Tracks cluster allocation

EnCE Study Guide



ExFAT File System – Directory

RECORD (32 bytes) FUNCTION IDENTIFIER (Hex)

Directory Entry Record Tracks the object’s attributes and CAM dates in DOS format

Allocated Object: 85Deleted Object: 05

Stream Extension Record Tracks the object’s logical size and starting cluster as well as the length of the file name

Allocated Object: C0Deleted Object: 40

File Name Extension Record Tracks the object’s name in Unicode

Allocated Object: C1Deleted Object: 41


ExFAT File System – Directory

Directory Entry Record

Stream Extension

Record

File Name Extension

Record

Unicode File Name

EnCE Study Guide



ExFAT File System – File Allocation Table

• Unlike FAT, is only used to track fragmentation of objects.

• Three possible entries in the table:

• # – Pointer to next fragment (cluster) in the chain.

• FFFFFFFF (hex) – Indicates the end of the fragmentation.

• 00000000 (hex) – Indicate there is no fragmentation within the referenced cluster.

• When an object is deleted, the FAT cells are NOT overwritten until reused.

• Recovering a deleted fragmented file is possible on an ExFAT volume.


ExFAT File System - $Bitmap

• Each byte within this file documents 8 clusters (1 cluster per bit, 8 bits per byte).

• Convert the byte to binary to determine allocation of individual clusters.

Hex value = 9F

Binary:

9 F

1 0 0 1 1 1 1 1

Unallocated Allocated

EnCE Study Guide



NT File System – aka NTFS• Every object that exists on an NTFS volume is tracked by the file system.

• The Master File Table ($MFT) contains a record for every object within the volume, including itself.

• Each record is 1024 bytes.

• The $MFT grows but never shrinks.

• Records are reused before new records are added.

• Each record consists of a header followed by a series of attributes. Each attribute records information about the object, including the object’s name, logical size, CAM dates, attributes, starting cluster and fragmentation.

• If an object’s data can be stored within its $MFT record, it will and the object is considered a “Resident” object. If the object’s data is stored outside the object’s $MFT record it is considered a “Non-Resident” object.

• Each NTFS volume will have its own $MFT, even for volumes on the same physical disk.

• Cluster allocation is tracked by the $Bitmap in the same manner as ExFAT.


NT File System – $MFT Record

End of Record

Record Header

Standard Information Attribute

File Name Attribute

File Name Attribute

Object ID AttributeData Attribute

Data Attribute (ADS)

EnCE Study Guide



FAT, ExFAT, and NT File Systems – OverviewMinimum Requirements FAT exFAT NTFS

Track name and attributes of object

Directory File Name Extension Record (Name)

Directory Extension Record (Attributes)

$MFT

Track starting extent of object Directory Stream Extension Record $MFT

Track fragmentation of object FAT FAT $MFT

Track allocation of all clusters in volume

FAT $Bitmap $Bitmap


FAT, ExFAT, and NT File Systems – Impacts of Deleting an Object

FILE SYSTEM CHANGES

FAT • First character of file name changed to E5h in directory.• The cluster cell status for those occupied by the file are set to unallocated in the FAT.

ExFAT • Directory Entry Record header changed to 05h.• Stream Extension Record header changed to 40h.• File Name Extension Record header changed to 41h.• $Bitmap cluster references updated to show unallocated.

NTFS • Object’s $MFT record allocation status updated to deleted file/folder.• $Bitmap cluster references updated to show unallocated.

EnCE Study Guide



Volume Recovery• Auditing the drive space of evidence should be performed prior to the processing

and examination of the evidence.

• Auditing the drive space is the process of accounting for every sector and its assignment on the evidence and recovering any deleted/hidden partitions/volumes.

• Physical Device is a representation of all sectors on the evidence.

• A partition is a logical structure within the physical device:

• Contains one of more volumes

• To contain a bootable operating system, must be marked as the Active partition

• Volume is a logical structure within a partition.


Volume Recovery – Master Boot Record

• The first sector of a hard disk drive (PS0) contains the Master Boot Record

• Located at sector offset (SO) 446.

• Contains 4,16-byte entries documenting the partition type, active status, relative

starting sector, and total number of sectors for each partition.

• Can document two types of partitions – Primary and Extended

• Primary

• One volume per partition.

• Required for bootable operating system.

• Extended

• Multiple volumes within one partition.

EnCE Study Guide



Volume Recovery – Volume Boot Record

• The first sector of a volume contains the Volume Boot Record.

• Contains all information about the volume, including total number of sectors in the volume.

• NTFS Backup Volume Boot Record is located in the last sector of the volume and is not included in the total sector count in VBR.

• FAT32 Backup Volume Boot Record is located six sector after the primary Volume Boot Record.


Searching Evidence with EnCase

• Bookmarks and Tags

• Index Search Queries

• Raw Keyword Searching

• GREP Operators

EnCE Study Guide



Bookmarks and Tags

• Bookmarking is a method of identifying and organizing items of interest to the investigation for inclusion into the examiner’s report.

• Objects can be bookmarked from multiple views in EnCase and from some EnScript® programs.

• Methods/Types of Bookmarks:

• Single File

• Selected Items

• Raw Text

• Data Structure

• Notes Bookmark


Bookmarks and Tags

• Tags are used to identify and categorize objects in a manner that persists in all views in EnCase.

• Tag something in Search Hits and the tag carries into Evidence, Artifacts, and

Bookmarks.

• Tags persist when a case is saved, closed, and reopened.

• Tags are local to a specific case but can be preset in a case template.

• Tags are set from the Tags column, the keyboard hotkeys, the Filter pane, and Tagging selected items from the Manage Tags menu.

• The maximum number of tags possible in a case is 63.

EnCE Study Guide



Index Search Queries• Index search queries are performed through the Indexed Items view.

• Index searches are reviewed in the Transcript tab in the View pane.


Index Search Queries

• Index search queries will locate matches in an object’s data and EnCaseFields (metadata).

• EnCase performs logical indexing and will locate queries that traverse fragmentation boundaries.

EnCE Study Guide



Index Search Queries

• When entering two or more keywords in an index search query, the default logic is OR.

• EnCase index query operators:

• AND • OR

• Case sensitive • Stemming

• Item Type


Raw Keyword Searching• A raw search is a search for a specific pattern (word, string, hex values)

against the binary data as it exists in the evidence.

• A raw search can be run from the EnCase Evidence Processor, Raw Search All from Evidence View Evidence, and Raw Search Selected from the Entries menu in Evidence, Viewing (Entries).

EnCE Study Guide



Raw Keyword Searching

• Raw keyword searches are stored as individual files with a .Keywords file extension.

• Logical vs. Physical Raw Search:

• Searches in allocated clusters of volumes are logical searches and

fragmentation will not affect the ability of EnCase to locate responsive finds.

• Searches in unallocated clusters of volumes and unused disk space are

physical searches, and EnCase will not locate keywords that traverse a

fragmentation boundary as it has no way to establish the fragmentation chain

in these areas.


Raw Keyword Search Options

• Search entry slack – Allows for the search to include the slack area of files/folders.

• Skip contents for known files – Skips searching files present in the hash library with a category of “known.”

EnCE Study Guide



Raw Keyword Search Options

• Undelete entries before searching – EnCase will virtually undelete an entry identified as Deleted and then logically search the entry.

• Use initialized size – EnCase will search the initialized size of a file rather than the actual logical size.


GREP Operators• GREP is not turned on by default in

a raw search.

• GREP symbols will not be recognized as such unless the option is selected by the examiner.

• GREP operators to know:

• \x • ? • ()

• . • + • ^

• # • [] • \

• | • *

EnCE Study Guide



Examining Evidence with EnCase

• Windows Registry

• Time Zone Settings

• Windows Artifacts

• Shortcuts (LNK Files)

• Recycle Bin Recovery

• Print Spooler

• Email

• Internet Artifacts

• Removable USB Device Identification


Windows Registry• The Windows Registry is best described as a database containing settings

for the computer’s hardware, operating system, applications, services, security and users.

• Registry files are called “hives.” The Windows registry is made up of several hives, both global and user.

• Global

• HKEY_Local_Machine (HKLM)

• %windir%\System32\config

• SAM, Security, System and Software

• User

• HKEY_Current_User (HKCU)

• Root folder of user’s profile (C:\Users\<profile name>)

• NTUSER.DAT

EnCE Study Guide



Time Zone Settings

• EnCase methodology is to set the time zone of the evidence prior to processing and examination.

• Time zone settings are stored in the System registry hive.

• The time zone setting is modified in EnCase using the Modify Time Zone Settings option in the Device menu.

• An examiner can determine a Windows computer’s time zone setting by manually examining the System registry hive or by utilizing the Triage or Full Investigation Pathway.


Time Zone Settings Device menu

EnCE Study Guide



Windows Artifacts• The last written date of a NTUSER.DAT registry hive may indicate the last

date/time that a user logged off the system.

• A user’s profile folder is named using the user’s account name.

• In Windows Vista-10 systems, common sub-folders of the user’s profile’s AppData folder include Local, LocalLow and Roaming.

• Icons on the user’s Desktop are stored in:

• C:\Users\<account>\Desktop AND C:\Users\Public\Desktop

• Pagefile.sys, also known as the Windows swap file, is located in the root of the boot volume and is used as virtual memory, supplementing the onboard RAM.

• Two formats used for printing within Windows are Raw and Enhanced Metafile (EMF)


Shortcuts (LNK Files)

• Windows creates LNK files of files/folders accessed with Windows Explorer.

• C:\Users\<account>\AppData\Roaming\Microsoft\Windows\Recent

• Shortcuts (LNK files) can be located and decoded using the EnCase Evidence Processor Windows Artifacts Module.

• Link files are created:

• Manually by the user

• By an application when installed or used

• By a user double clicking (opening) and object through Windows Explorer

EnCE Study Guide




• Information contained within LNK files:

• Path to target file and file name

• Volume name target resides on

• Volume serial number target resides on

• Created, Last Accessed and Last Written dates of target file when link file was created or last updated

• Target file logical size

• And there’s more but that’s all we need for the EnCE



Created, Last Accessed, Last Written DatesFO:28, LE:24

Logical Size

FO:52, LE:8

Volume Serial

Number

Volume Name

Volume Name

Path and File NamePath and File Name

EnCE Study Guide



Recycle Bin Recovery

• A user’s Recycle Bin is named using the user’s Windows Security Identifier (SID).

• The SAM registry hive, the Profile list located in the SOFTWARE registry hive and the EnCase Analyze EFS function can be used to link the SID to the profile name.

• The Windows Recycle Bin can be turned off by the user or administrator. The setting is stored in the user’s NTUSER.DAT registry hive.

• EnCase uses the information in the OS created $I file to populate the Name and File Deleted date/time fields for objects located in the Recycle Bin. If the name is replaced, the true name is listed in the Short Name field.


How the Recycle Bin Works

• Moving a file to the Recycle Bin:

• File name is changed to $R, followed by six OS assigned characters and the original

file extension.

• A $I followed by the same OS assigned six characters and original file extension is

created to track the file’s original location, logical size and date/time moved to the

Recycle Bin.

• Moving a folder containing files to the Recycle Bin:

• Folder is renamed same as above.

• $I created same as above.

• No change to the file names of the files within the folder.

EnCE Study Guide



Email

• Email types supported by EnCase:

• PST (Microsoft Outlook)

• NSF (Lotus Notes)

• DBF (Microsoft Outlook Express)

• EDB (Microsoft Exchange)

• AOL

• MBOX

• EMLX


Email

• Email is located and processed using the EnCase Evidence Processor.

• Email is reviewed in the Artifacts tab.

• EnCase, as part of the processing, threads email:

• Show conversation – uses header fields to determine threading.

• Show related messages – uses Subject field only.

EnCE Study Guide



Internet Artifacts

• Internet artifacts are located and processed using the EnCase Evidence Processor.

• Internet Artifacts are reviewed in the Artifacts tab.

• EnCase locates and processed Cookies, History, Bookmarks and cache from supported browsers:

• Internet Explorer history contains web sites visited and files accessed through Windows Explorer.

• Internet Explorer • Mozilla Firefox • Google Chrome

• Opera • Mac Safari


Removable USB Device Identification• USB Device Descriptor – information about the device stored within the

circuitry of the device.

• Vendor ID (VID) – identifies the vendor/manufacturer

• Product ID (PID) – identifies the product

• Serial Number (iSerial) – unique identifier of the device to the system

• First time a USB device is connected to the system is determined by examining the setupapi.dev.log file.

• The SYSTEM registry hive is examined to determine USB drives connected to a Windows system.

• Users’ NTUSER.DAT registry hives are examined to determine which users were logged on when a USB device was connected to a Windows system.

EnCE Study Guide



Legal Considerations in Digital Forensics (U.S. Only)

• Best Evidence Rule, Federal Rule of Evidence, section 1001(3)

• “[if] data are stored in a computer or similar device, any printout or other output readable

by sight, shown to reflect the data accurately, is an ‘original.’”

• Important concept is the accuracy of the visual output once it is mounted or rendered.

• Compression does not affect Best Evidence as long as the decompression process does

not impact the accuracy of the evidence.

• Daubert Merrell Dow Pharmaceuticals, Inc. and Frye v United States are the court decisions that set forth the legal test(s) to determine the validity of scientific evidence and its relevance to the case at issue.

• Daubert has superseded Frye and is the current standard in U.S. courts.



• Frye vs United States:

• Evidence “be sufficiently established to have gained general acceptance in the particular field in which it belongs.”

• Daubert v Merrell Dow Pharmaceuticals, Inc. (Daubert analysis):

• Theory or technique can be an has been tested; AND

• Theory or technique can be and has been subjected to peer review or publication; AND

• Theory or technique has a high known or potential rate of error; AND

• Theory or technique enjoys general acceptance with the relevant scientific community.

EnCE Study Guide




• Commercially available software is favored by the courts, as such software isreadily available for testing and its market allows the capabilities and accuracy tobecome generally known through widespread commercial availability and use.

• U.S. courts have ruled that an EnCase hash analysis is considered a search.

• All examiners, not just those acting as agents for the government, requireauthorization to search, seize and examine digital based evidence.

• An examiner has a legal duty to utilize proper computer forensic protocols.

• This material is presented in greater detail in the EnCase Legal Journal• https://www.guidancesoftware.com/document/publication/encase-legal-journal---5th-edition

1055 East Colorado Boulevard

Suite 400

Pasadena, CA 91106-2375

Phone: 626.229.9191 ext. 9468

[email protected]

opentext.com/encasetraining

mailto:[email protected]

ence study guide | opentext · ence study guide copyright © 2018 opentext 3 enfuse™ o registered...

Documents