ence study guide | opentext · ence study guide copyright © 2018 opentext 3 enfuse™ o registered...
TRANSCRIPT
EnCE Study Guide
Copyright © 2018 OpenText 1
Certification Background
The EnCase® Certified Examiner program was created to meet the requests of EnCase software (EnCase) users as well as to provide a recognized level of competency for the examiner. While many different certifications exist, the EnCE provides an additional level of certification and offers a measure of professional advancement and qualifications.
Certain qualifications must be met to enter the certification process. An application and a detailed explanation can be found at:
https://www.guidancesoftware.com/training/certifications?cmpid=nav_r#EnCE
The cost is USD 200.00 within the U.S. and USD 300.00 internationally payable by credit card, check, or purchase order. The certification program does not generate profits for OpenText; the testing fee covers the cost of processing and grading both phases of the test. Once payment has been received and processed, the certification coordinator will email testing instructions to you.
The certification process addresses both EnCase and general areas of computer forensics. It involves a written test consisting of 180 questions (174 for international candidates; no legal questions). Two hours are provided to complete the written exam, which is true/false and multiple choice.
Once the Phase I results are received, the instructions for completing Phase II will be provided to you in an email message from [email protected]. This message will be sent to the address you provided on your application. If you fail the Phase I test, you will be required to wait 60 days from the date the test was taken before being allowed to re-take the test.
Your Phase II email message will include directions for accessing a “certification” version of EnCase, evidence files, and objectives or issues you must address. You must “work” the case, compile your report, and then send the report to the certification coordinator for review and grading within 60 days. You must fully answer a minimum of 15 of the 18 questions in order for your submission to be considered for grading. Any questions left unanswered will count against your grade. If you do not finish the Phase II in the time allotted, you will be required to wait 60 days from the date that the test was due and restart from the beginning.
Those who fail the EnCE Phase II exam must wait 60 days prior to retesting. If after resubmitting Phase II you fail again, you must begin the retesting process from Phase I.
EnCE Study Guide
Copyright © 2018 OpenText 2
Beginning the Certification Process
The first step toward certification is to review the qualifications and complete the application available at:
https://www.guidancesoftware.com/training/certifications?cmpid=nav_r#EnCE
Submit the completed application to the EnCE certification coordinator at the address provided. Once your application has been received and accepted, payment instructions will be provided to you. Upon receipt of payment, you will be provided with login credentials to enroll in Phase I of the testing process.
The test is available in English and Spanish.
Phase I Testing Options
ExamBuilder
o ExamBuilder provides online testing services and are available at all times.
o Once you receive email instructions from the certification coordinator, visit the ExamBuilder website at https://testing.exambuilder.com/ to enroll in the Phase I testing process. Follow the instructions for log in.
o If you have questions about the enrollment process, contact the certification coordinator at (626) 463-7966 or [email protected].
EnCE® Prep Course
o This course is designed for EnCase users preparing for certification. The certification is based upon the skills and knowledge presented in the OpenText Foundations in Digital Forensics and Building an Investigation courses. The EnCE Prep course is not intended to be a replacement for these two classes; instead it is a thorough but accelerated review of the covered subjects.
o The Phase I written examination will not be given during class. Once you complete the class, you will be given login instructions. You will have 30 business days from the last day of class to take Phase I. After the 30 days, access to the exam will be terminated.
o Complete details for this course can be found at:
https://www.guidancesoftware.com/training/courses/df310
EnCE Study Guide
Copyright © 2018 OpenText 3
Enfuse™
o Registered attendees at our annual Enfuse conference may elect to take the Phase I test during the conference at no additional charge.
o All requirements must be met prior to attending Enfuse. Anyone interested in taking the Phase I test at Enfuse must fill out an application and return it to the certification coordinator one (1) month prior to the conference via fax, email, or mail. Only those who have preregistered and been approved will be admitted to take the Phase I test at Enfuse.
o Please visit https://www.guidancesoftware.com/enfuse-conference for more information.
Maintaining Your Certification
Payment of USD 75 via credit card, check, or purchase order is required for renewal completion. The payment must accompany a completed renewal form and the supporting documentation detailed as follows.
EnCase Certified Examiners are required to achieve one of the following items prior to their expiration date in order to renew.
Attend a minimum of thirty-two (32) credit hours of documented, continuing education in computer forensics or incident response to maintain the certification: *
o The training should either be for OpenText Guidance courses, from your agency, or an accredited source. Training should be either in a classroom lab setting or online. Proof of attendance should be provided via a certificate, transcript, or official letter.
o Earn one (1) credit hour for each classroom hour of training and ½ credit hour for each one hour of instruction as a computer forensics or incident response curriculum instructor.
Achieve a computer forensics or incident response related certification within the renewal period. A certificate of completion must be submitted as documentation.
Attend one Enfuse conference within the renewal period. Your certification must be current at the time of the conference and you must attend at least 10 sessions to fulfill the requirement to renew your EnCE. Register online at https://www.guidancesoftware.com/enfuse-conference. Renewal forms will be available for download from printing stations during the conference. Please check the box on the renewal form, and registration will be on file with OpenText certification.
* Training and teaching hours may be combined to reach the total 32 hours required. Documentation may be a
certificate of completion, official letter from the provider, or transcript.
EnCE Study Guide
Copyright © 2018 OpenText 4
The following are guidelines for submitting renewal credit for attendance at any other computer forensic conference other than Enfuse:
o Only labs count (seminars or product demos are not considered)
o Calculate one (1) CPE for every hour in a lab
o Send a copy of the conference agenda and indicate the labs attended and how many CPE each one is worth
Please do not submit your renewal documents separately. Keep all certificates together and only send them when you have the requirement fulfilled. When you are ready, email the renewal form and any certificates/letters/documents to [email protected]. These materials can also be sent via fax or regular mail.
The requirements must be met within the renewal period. (i.e., if the renewal date is June 1, 2012, the requirements must have been achieved between June 1, 2009 and June 1, 2012).
Should your certification expire, you will be required to restart the EnCE process from Phase I. Extensions will not be granted. If you are unsure of your expiration date, please email [email protected].
Complete renewal details are available at:
https://www.guidancesoftware.com/training/certifications?cmpid=nav_r#EnCE
Other Study Material
This study guide highlights the topics contained in the EnCE test, including good forensic practices, legal issues, computer knowledge, knowledge of EnCase software, evidence discovery techniques, and understanding file system artifacts. If you need reference materials to prepare for a specific topic or portion of the exam, some recommended study materials are listed below:
DF120-Foundations in Digital Forensics manual by OpenText
DF210-Building an Investigation manual by OpenText
EnCase® Legal Journal by OpenText
EnCase® User's Manual by OpenText
EnCE Study Guide
Copyright © 2018 OpenText 5
EnCE® Preparation Training
Examining computer-based evidence with EnCase
Computer knowledge
Good forensic practices
Legal
Examining Computer‐based Evidence
The EnCase evidence file
EnCase concepts
The EnCase environment
EnCase Evidence Processor
Index queries and raw keyword searching
File signature and hash analysis
The EnCase Evidence File
Bit stream image of evidence written to a file
The EnCase Evidence File Contains Case Data
Cannot be changed after evidence file is created
Contains:
o Case number
o Examiner name
o Evidence number
o Unique description
o Date/time of computer system clock
o Acquisition notes
o Serial number of physical hard drive
The EnCase Evidence File Verification Cyclical Redundancy Check
o 32-bit CRC for (by default) 64 sectors (32 KB) of data
– If no compression is used
o Calculated when evidence file is added to a case and rechecked every time the data block is accessed
o Verification hash – “digital signature” of all data in evidence file
– MD5 – 128-bit/32 characters
– SHA1 – 160 bit
– Can choose MD5 and SHA1, MD5 or SHA1, or neither
EnCE Study Guide
Copyright © 2018 OpenText 6
The EnCase Evidence File Characteristics Logical file that can be renamed and moved
Can be broken into multiple segments, with a maximum segment size dependent on the file system to which the evidence file is written
Can be compressed during acquisition and/or reacquired with compression for archival without changing the hash value
Can be password protected or encrypted and can be reacquired to remove or change password/encryption
Individual segments can be verified by the CRCs when compression is not used
o If compression is used, the decompression algorithm is used
Error granularity is often used to adjust the writing of data to an evidence file, when a read error of the subject media occurs
o Standard – Size of the data blocks
o Exhaustive – Sector-by-sector
Evidence File Verification Data in the entire evidence file is verified by verification hash compared to the
acquisition hash value of the original evidence
Data in each data block is verified by a CRC when no compression is used
Both the MD5 and/or SHA-1 hash and CRCs must match for the evidence file to be verified
o If any compression is used, the compression algorithm is used to verify data blocks
EnCase Concepts The case file – .case
o Compound file containing:
– Pointers to the locations of evidence files on forensic workstation
– Results of file signature and hash analysis
– Bookmarks
– Investigator’s notes
A case file can contain any number of hard drives or removable media
The case file should be archived with the evidence cache and evidence files as it contains all of the investigator’s “notes” or work product
o Use the “Create Package” feature
EnCE Study Guide
Copyright © 2018 OpenText 7
The Configuration .ini Files Contain “global options” used for all cases
Some configuration .ini files:
o FileTypes.ini
– Organizes files into groups by extension; determines which viewer to use
– File Signature Table
o Local.ini
– Global configuration settings
o Viewers.ini
– Installed viewers associated to EnCase
The EnCase Methodology Case management
o Use large-capacity, high-RPM (revolutions per minute) hard drives with single partition for evidence files
o Wipe the drive to eliminate any claims or arguments of cross contamination
o Give the hard drive a unique label prior to acquisitions to differentiate your drives from that of the suspect
o Separate folders for each case are recommended
– Use unique directory names
– Each case requires an Export, Temp, and EvidenceCache folder
EvidenceCache – Storing cache files and containers for processed evidence
Export – Default folder for exporting evidence
Temp – Default temporary folder for file viewing
Evidence Processor After adding evidence to a case and confirming that the data is valid and
browsable, the first task you undertake is to run the EnCase® Evidence Processor.
The Evidence Processor lets you run, in a single automated session, a collection of powerful analytic tools against your case data.
Since you can run the Evidence Processor unattended, you can work on other aspects of the case while this tool is processing data.
After completion, the case data will be processed and ready for you to begin the important analytic and reporting phases of your investigation.
The following evidence processing functions are available:
o Recover folders – Recover files that have been deleted or corrupted on FAT and NTFS volumes
o Hash analysis – Generate MD5 and/or SHA-1 hash values for files and compare against your case Hash Library
EnCE Study Guide
Copyright © 2018 OpenText 8
o Expand compound files – Expand compound and compressed files, such as ZIP, RAR, and GZ
o Find email – Extract individual messages from email archive files, such as PST (Microsoft® Outlook), NSF (Lotus® Notes), DBX (Microsoft® Outlook Express), EDB (Microsoft® Exchange), AOL, MBOX, and EMLX
o Find internet artifacts – Collect Internet-related artifacts, such as browser histories and cached web pages
– You also have the option to search unallocated space for the Internet artifacts
o Search for keywords – Search raw (not transcript) text for specific keywords
o Index text – Create an index for when you need to search for keywords in compound files (Microsoft® Office 2007 and 2010) and across large amounts of data
– You can adjust the parameters for index creation, such as the minimum word length to index and whether to use a noise file
o File signature analysis – Determine if the extension of a file has been altered and whether or not the extension matches the file type as specified by the file’s header
o Protected file analysis – Identify encrypted and password-protected files
o Creating thumbnails from images – Creates image thumbnails for faster display in the EnCase GUI
Search Queries – Index The case index is created with the EnCase Evidence Processor
Creating an index will allow you to instantly search for terms in a variety of ways
o You can adjust parameters for index creation, such as the minimum word length to index or whether to use a noise file (a file containing specific words to ignore)
Compared to keyword searches that search on the raw text, index searches will search on the transcript output of the file, which is critical for Microsoft Office 2007 and 2010 files
Generating an index can take time, however, the trade-off in time spent creating the index yields a greater payoff with near instantaneous search times
o Guidance recommends always indexing your case data
Search Queries – Index Once your case has been indexed, keyword searched, tagged, or any combination
of the three, you can then search for desired information. To create a unified search do the following:
o Go to the View menu and select Indexed Items
o In the Index window, enter the index query term or index search queries along with a logic operator (for example – “or” or “and”) to search the index
EnCE Study Guide
Copyright © 2018 OpenText 9
o A dynamic list is displayed on the right side of the window, showing the terms in the index and the number of occurrence of a term
o EnCase will show you all words in the index that start with the term that you have typed and will dynamically update the list as you type additional letters
– At any time you can double click on a query term and it will show the information about that term
o Click on the Run or Play button to run the query
Raw Keyword Searching EnCase for Windows®
o Logical raw keyword searching is conducted on allocated files
o Physical searching is conducted upon the unallocated areas of the physical disk
o Logical search will find a word fragmented between two noncontiguous clusters, whereas a physical search will miss the fragmented word
Case Sensitive
o Not set by default
– Selecting will limit hits to exact case of words entered
– Can be used with GREP and Unicode
GREP
o Box must be selected for EnCase to use GREP expression, otherwise EnCase will search for the literal entered characters
– Can be used with Case Sensitive and Unicode options
Unicode
o Set by default; selecting this box will enable EnCase to search for keywords in both ANSI and Unicode
– Recommended to be selected for most searches
– Can be used with GREP and Case Sensitive options
– Unicode uses two bytes for each character allowing the representation of 65,536 characters
Global Regular Expression and Print (GREP) * An asterisk after a character matches any number of occurrences of that
character, including zero. For example, “john,*smith” would match “john,smith,” “john,,smith,” and “johnsmith.”
+ A plus sign after a character matches any number of occurrences of that character except zero. For example “john,+smith” would match “john,smith” or “john,,smith,” but would NOT match “johnsmith.”
# A pound / hash sign matches any numeric character [0-9]. For example ###-#### matches any phone number in the form 327-4323.
EnCE Study Guide
Copyright © 2018 OpenText 10
(ab) The parentheses allow the examiner to group individual characters together as an AND statement.
{m,n} The curly braces state number of times to repeat, i.e., m to n times
| The pipe is an OR statement and can be used with the parentheses, i.e., (com)|(net)|(org) for the end of an email address.
[] Characters in brackets match any one character that appears in the brackets. For example “smit[hy]” would match “smith” and “smity.”
[^] A circumflex at the start of the string in brackets means NOT. Hence [^hy] matches any characters except h and y.
[-] A dash within the brackets signifies a range of characters. For example, [a-e] matches any character from a through e, inclusive.
\ A backslash before a character indicates that the character is to be treated literally and not as a GREP character.
File Signatures and File Viewers File Signatures
o Stored in the EnCase configuration file FileTypes.ini
o New file signatures can be added manually
o The terms “file signature” and “file header” mean the same thing, the standard hex characters at the beginning of a certain file type
File Types – Viewers
o EnCase uses the FileTypes.ini file to store external viewer information and associate file extensions with external viewers
o When the examiner double clicks on a file, EnCase will copy the file to the Temp folder and launch the Windows-associated viewer or user-defined external viewer to read the file
Hash Sets and Hash Library Hash sets can be built with one file or any number of selected files
o The sets contain the hash values of the file(s) in the set and selected metadata
The hash value of a file is computed only from the logical file independent of the file name, time/date stamps, and the slack space of the physical file
The Hash Library is built from selected hash sets
o The examiner can exclude specific hash sets to remain within the scope of the examination
o You can have two Hash Libraries for each case
EnCE Study Guide
Copyright © 2018 OpenText 11
Signature and Hash Analysis Signature Analysis – File extensions are compared to the file signature (header)
according to the File Types Table
Hash Analysis – The hash value of each logical file is computed and compared with the Hash Library composed of the selected hash sets containing hash values and file metadata
Both analyses can be used to help identify suspect files and/or exclude known or benign files
o The results of both analyses are viewed in the Table view of the Evidence Entry tab
Computer Knowledge Understanding data and binary
The BIOS
Computer boot sequence
File systems
Computer hardware concepts
Understanding Data and Binary Bits and Bytes
Bit Name Binary 1 = Bit 1
4 = Nibble 0000
8 = Byte 0000-0000
16 = Word 0000-0000 0000-0000
32 = Dword 0000-0000 0000-0000
0000-0000 0000-0000
64 = Qword You get the idea
ASCII and Unicode
o The ASCII table (American Standard Code for Information Interchange) is based on a 7-bit system
– The first 128 characters make up the ASCII table and represent alpha/numeric values common punctuation and other values
– The remaining 128 characters are called “high-bit characters”
– Together 256 characters can be addressed
o Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode
– Unicode uses two bytes for each character, allowing the representation of 65,536 characters
EnCE Study Guide
Copyright © 2018 OpenText 12
Basic Input/Output System
o The BIOS checks and configures the computer system after power is turned on
o The BIOS chip is usually found on the motherboard
o The BIOS should be checked during each examination of a computer to check the boot sequence and settings of the internal clock
Computer boot sequence
File System Fundamentals File slack is comprised of drive slack and sector/RAM slack
o Sector/RAM slack
– Data from the end of the logical file to the end of that sector
The 10-byte file written to a 512-byte sector will have 502 bytes of sector/RAM slack in the same sector that contains the logical data
– Sector/RAM slack is zeroed out prior to writing it to the drive (00 00)
– In Windows 95A and older, sector/RAM slack will contain actual data from RAM, and it will be stored on the drive with the file
o Drive slack
– Data that is contained in the remaining sectors of a cluster that are not a part of the current logical file
– A logical file of 10 bytes stored in a four-sector cluster will have three sectors of drive slack
File Allocation Table
o Often found on legacy hard drives and removable devices
o FAT tracks
– File fragmentation
– All of the addressable clusters in the partition
– Clusters marked bad
o Directory records
– File name
– Date/time stamps (Created, Accessed, Written)
– Starting cluster
– File logical size
o A directory (or folder) is a file with a unique header and a logical size of zero
When a file is deleted from a FAT system
o 1st character of directory entry changed to E5h
o FAT entry values change from allocated to unallocated (0)
o No effect on the data within the clusters
EnCE Study Guide
Copyright © 2018 OpenText 13
When EnCase “virtually” undeletes a file
o Directory entry read
– Obtains starting extent, logical size
– Obtains number of clusters by dividing logical size by bytes per cluster
o FAT examined to determine if starting cluster/extent is in use
o If starting extent is in use, EnCase deems this file to be “Deleted/Overwritten”
File Allocation Table versions
o FAT 16
– 2 ^ 16 = 65,536 total allocation units available (clusters)
o FAT 32
– 2 ^ 28 = 268,435,456 total allocation units
– 4 bits are reserved by Microsoft
o Two copies of the FAT are stored for backup purposes
o A cluster is composed of multiple sectors
– A sector contains 512 user-addressable data bytes
File Systems – exFAT exFAT was originally created for USB flash drives and SD cards, but can be used
to format volumes under Windows 7
o ExFAT is recognized by Windows operating systems XP and after
The exFAT file system uses 32 bits within the table and has a limit of 4,294,967,285 (232 – 11) cluster addresses
The exFAT file system uses free space bitmaps to reduce fragmentation and free space allocation/detection issues
o Each cluster is tracked in the bitmap
o A single bit is used for each cluster on the volume
When a file is created within exFAT, a different sequence of events may occur than in FAT
o If the file is fragmented, then exFAT functions as FAT does
o If the file is not fragmented, the FAT is not updated
Within the directory entries of the exFAT file system, there are multiple, 32-byte records at least three for each directory entry. Each record has an identifier byte:
o Directory Entry Record – Record ID 85 (hex) – Contains Attributes, Created, Accessed, and Last Written dates/times
o Stream Extension Record – Record ID c0 (hex) – Contains logical size, starting extent, size of filename, CRC of filename, and whether the FAT is being used to track the clusters allocated to the file
o File Name Extension Record – Record ID C1 (hex) – Contains the filename in Unicode; additional records may be needed for longer file names
EnCE Study Guide
Copyright © 2018 OpenText 14
When a file is deleted, the first bit of the identifier of the record is changed from 1 to 0, changing the identifier to reflect a record not in use
o It is also possible for the Directory Entry Record to be changed in this manner if the file is renamed
This means that if the file was fragmented and there was a cluster chain, the chain is not destroyed on deletion
In exFAT, since allocation status is in the bitmap, there is no need to zero out the cluster run
o As long as the clusters themselves have not been reused for newer files, it is possible to accurately recover even heavily fragmented files that were deleted because the cluster run would still be intact
File Systems – NTFS Master File Table (MFT) – administratively documents all files/folders on NTFS
volume
MFT – comprised of records – 1024 bytes each
MFT grows but doesn’t shrink
At least one MFT record is allocated to each file and folder on volume
Bitmap file documents if clusters are allocated or unallocated
Two types of files: Resident and Nonresident
File Systems – NTFS
Resident files
o Data resides within MFT record for file
o Data does not begin at the beginning of a sector/cluster
o Logical size = physical size
Nonresident files
o Data not within MFT Record
o MFT record houses pointers to clusters storing file
o Pointers in the form of a “data run”
Both types of files may be hashed as long as logical size is greater than 0
Computer Hardware Concepts The computer chassis or case is often incorrectly referred to as the CPU
CPU = Central Processing Unit and is represented by a chip installed on the motherboard
Also installed on the motherboard are the Random Access Memory, the Read Only Memory, and add-in cards, such as video cards and Network Interface Cards (NIC).
Integrated Drive Electronics (IDE) and Serial Advanced Technology Attachment (SATA) disk drives can be attached directly to the motherboard with a ribbon cable
EnCE Study Guide
Copyright © 2018 OpenText 15
Geometry of hard drives
o Cylinder/Heads/Sectors (older drives)
– C x H x S x 512 bytes per sector = total bytes
o Logical Block Addressing
– Total number of sectors available x 512 bytes = total bytes
Master Partition Table
Volume Boot Record
Partition tables
Partition recovery
Good Forensic Practice First response
Acquisition of digital evidence
Operating system artifacts
First Response At the scene
o Photograph, take notes, sketch
o Image RAM
– EnCase® Portable or WinEn
o Take down the system – whether pull plug or shut down depends on circumstances
– Shut down – if UNIX/Linux or server
– Pull plug – it depends on circumstances
o Disconnect computers’ hard drive(s)
o Access BIOS
– Obtain system date and time
– Obtain boot sequence
Booting turned-off machines
o LinEn (Linux EnCase) CD
– Disk-to-disk imaging with Tableau hardware write-blocker
– Network cross-over cable
o EnCase Portable
Inspection of media
o Internal Inspection
– Check for disconnected media
– Additional media connected, etc.
EnCE Study Guide
Copyright © 2018 OpenText 16
o External Inspection
– Check for connected media
– Check for additional devices/media
Onsite triage
o Tableau – fastest
– Gallery view, hash/file signature analysis, logical and physical searches with GREP, copy/unerase, EnScript programs, etc.
o Network cable preview – fast
– Gallery view, hash/file signature analysis, logical and physical searches with GREP, copy/unerase, EnScript programs, etc.
Evidence Processor available on live devices
o EnCase Portable – fast
– Triage and Collection jobs: Pictures, keyword search, hash sets, filtering with conditions, Snapshot, Internet history
– Acquisition of digital evidence
Tag media and transport
o Tag evidence
– Evidence should be inspected for damage
– Evidence should be documented and labeled
– Evidence should be properly bagged in preparation for transport
o Transport evidence
– Evidence should be properly secured for transportation
– Evidence should be stored properly
Computer Forensic Examiner Must be trained
Must use best forensic practices available
Must avoid damaging or altering evidence
Should test and validate computer forensic tools and techniques prior to using them on original evidence
Acquisition of Digital Evidence File Systems Supported by EnCase
o FAT 12, 16, 32, exFAT
o NTFS
o EXT2/3/4 (Linux)
o Reiser (Linux)
EnCE Study Guide
Copyright © 2018 OpenText 17
o UFS (Solaris)
o CDFS (Joliet, ISO9660, UDF)
o DVD
o Macintosh HFS/HFS+, Mac OS X (BSD)
o HP-UX
o Etc…
Smartphones and tablets
If the file system is not supported by EnCase, the examiner can still conduct a physical text search, run EnScript programs for file headers and footers, etc.
The examiner can also restore the physical drive to a drive of equal or larger size
o The restored drive is verified by the MD5 and/or SHA1 hash value
A volume may also be restored to a partition containing the same file system
o The restored partition is verified by the MD5 and/or SHA1 hash value
Laboratory Procedures Cross contamination
o Wipe lab examination drives
o Use EnCase case management methodology
Chain-of-custody
o Signed and dated log tracking evidence possession
o Controlled access to lab area / secured evidence
Storage
o Clean, temperature-controlled environment
o Legacy portable electronic devices may lose battery power, potentially erasing all data
Operating System Artifacts Recycler
NTFS directory entries and structure
Windows artifacts
o Recent
o Link files
o Desktop
o Send To
o Temp
o Internet Explorer history, cache, favorites, cookies
EnCE Study Guide
Copyright © 2018 OpenText 18
o Enhanced metafiles; print spooler
o Windows 7/8.x/10 – C:\Users\
o Registry files – global and user account specific
o Swap file – pagefile.sys
o Hibernation/Standby file – hiberfil.sys
Legal Issues Best Evidence Rule
o A printout of data stored in a computer can be considered as an original under the Federal Rules of Evidence if it is readable by sight and accurately reflects the stored data
o Compression of acquired data does not affect admissibility under the Best Evidence Rule
o If original evidence must be returned to the owner, the forensic image could be considered the Best Evidence
Daubert/Frye
o Legal test to determine if a scientific or technical process for obtaining, enhancing, or analyzing evidence is acceptable
Elements of Daubert
o Has the process been tested and subject to peer review?
o Does the process enjoy general acceptance in the related community?
o Can the findings be duplicated or repeated?
Commercially available software has a greater opportunity for peer review, testing, and validation
EnCE Study Guide
Copyright © 2018 OpenText 19
EnCE® Preparation Training Version 8
OpenText Confidential. ©2018 All Rights Reserved. 2
Phase I Instructions
• The EnCE written test (Phase I) is administered using the ExamBuilderweb testing service.
• Applicants are given 120 minutes to answer 180 questions (U.S.). International applicants are not presented with questions on legal considerations in digital forensics.
• Open book/open notes, but consider you have 40 seconds per question. Is there time?
• Minimum score of 80% to pass.
EnCE Study Guide
Copyright © 2018 OpenText 20
OpenText Confidential. ©2018 All Rights Reserved. 3
Phase II Instructions
• If you pass Phase I, you’ll receive an email from the Certification Coordinator with detailed instructions on completing Phase II.
• You have 60 calendar days to complete the examination. The time period will begin five days after you receive the confirmation email from the Certification Coordinator.
• Extensions beyond the original 60 days may be granted per the discretion of the
Certification Coordinator up to an additional 30 days.
• Please email [email protected] to request an extension.
OpenText Confidential. ©2018 All Rights Reserved. 4
• EnCase® Forensic and Acquisition Concepts
• EnCase Functions
• Data Allocation and File Systems
• Searching Evidence with EnCase
• Examining Evidence with EnCase
• Legal
EnCE Written Exam Pools
EnCE Study Guide
Copyright © 2018 OpenText 21
OpenText Confidential. ©2018 All Rights Reserved. 5
EnCase Forensic and Acquisition Concepts
• Creating a Case
• Navigating the EnCase Environment
• The EnCase® Evidence Processor
• Digital Evidence Handling
• EnCase Concepts
• Acquisition Concepts
• Single Files and Logical Evidence Files
• Closing Your Case – Reacquire/Restore/Archive the Case
OpenText Confidential. ©2018 All Rights Reserved. 6
Creating a Case
• Upon creating a case, a unique directory structure for case management and an EnCase case file are created. This is created by EnCase.
• Lab drives receiving forensic images or other case data should have a unique volume label.
• Prior to acquiring digital evidence or adding it to a case, all hardware should be tested and verified and all drives to be used to receive forensic images should be wiped and prepared.
• EnCase Version 8 uses Pathways to assist the examiner by providing links to suggested steps in the examination process.
EnCE Study Guide
Copyright © 2018 OpenText 22
OpenText Confidential. ©2018 All Rights Reserved. 7
The EnCase Base Case Folder
• The EnCase base case folder is the location where EnCase creates the case’s unique folder structure and case file and, by default, writes all associated case data.
• Default folders include Export, Temp, Searches, and Tags.
• EvidenceCache location chosen at time of case creation.
OpenText Confidential. ©2018 All Rights Reserved. 8
Navigating the EnCase Environment
Tree Pane Table Pane
View Pane Filter Pane
GPS BAR
EnCE Study Guide
Copyright © 2018 OpenText 23
OpenText Confidential. ©2018 All Rights Reserved. 9
Navigating the EnCase Environment – GPS Bar
An understanding of the EnCase interfaceis needed for successful completion of the practical exercise.
Path to object Physical
SectorLogical Sector
ClusterSector Offset
File Offset
Length (#) of bytes
highlighted
OpenText Confidential. ©2018 All Rights Reserved. 10
The EnCase Evidence Processor
• Designed to process all or selected evidence in a case with the core analysis tools of EnCase in an automated workflow.
• Considerations
• Must have evidence in case
• Acquire first recommended
• Account for disk space
• Determine Time Zone
EnCE Study Guide
Copyright © 2018 OpenText 24
OpenText Confidential. ©2018 All Rights Reserved. 11
The EnCase Evidence Processor (cont.)
• The Evidence Processor lets you run, in a single unattended, automated session, a collection of potent analytic tools against your case data allowing you to work on other aspects of the case while this tool is processing data.
OpenText Confidential. ©2018 All Rights Reserved. 12
Digital Evidence Handling
• Sources of digital evidence include computers, servers, removable media, virtual drives and cloud services.
• Proper identification, handling, cautions, and options for collection of a computer in both powered on and powered off state.
• Proper documentation of scene and evidence prior to and during collection. Establish and document chain-of-custody.
• What is the BIOS? What information should be obtained from the BIOS?
• Basic Input Output System
• System date/time
• System boot order
EnCE Study Guide
Copyright © 2018 OpenText 25
OpenText Confidential. ©2018 All Rights Reserved. 13
Digital Evidence Handling – Boot Sequence
Power Button
BIOS
POST
BIOS FROM ADD-IN CARDS
The BIOS immediately runs POST and then prepares the system for the first program to run.
LOAD RAM WITH BIOS DATA
POST (Power On Self Test) checks the system board, memory (RAM), keyboard, floppy disk, hard disk, etc., for presence and reliability.
Add-in cards such as SCSI drive controller cards can have a BIOS on the card that loads at this time. These BIOS normally detect devices and load information into the BIOS data area in RAM.
A special RAM BIOS data area of 256 bytes contains the results of the system check identifying the location of attached devices.
Boot Sequence?
OpenText Confidential. ©2018 All Rights Reserved. 14
Digital Evidence Handling – Boot Sequence
Boot Sequence?
A: C:
Other DevicesPresent? No
YesMay display error or shift to boot another
device
Boot Record?
No
Yes
Command.Com
Config.sys
Msdos.sys
Io.sys
Autoexec.bat
Master Boot Record
Go to Boot Partition
Boot Record
Io.sys
Msdos.sys
Config.sys
Command.Com
Autoexec.bat
Optional
EnCE Study Guide
Copyright © 2018 OpenText 26
OpenText Confidential. ©2018 All Rights Reserved. 15
Digital Evidence Handling (cont.)
• ASCII stands for American Standard Code for Information Interchange.
• Number of characters addressable by ASCII and Unicode:
• ASCII = 256
• Unicode = 65,536
• Binary is base 2, represented by the characters 0 and 1.
• Decimal is base 10, represented by the characters 0-9.
• Hexidecimal is base 16, represented by the characters 0-9, A-F.
• Hexadecimal uses two characters to represent one byte.
• A single Unicode printed character is composed of two bytes of data.
OpenText Confidential. ©2018 All Rights Reserved. 16
Digital Evidence Handling (cont.)
• Bits and Bytes
Bit Name Binary
1 = Bit 1
4 = Nibble 0000
8 = Byte 0000-0000
16 = Word 0000-0000 0000-0000
32 = Dword 0000-0000 0000-0000
0000-0000 0000-0000
64 = Qword You get the idea
EnCE Study Guide
Copyright © 2018 OpenText 27
OpenText Confidential. ©2018 All Rights Reserved. 17
EnCase Concepts – The EnCase Case File• The EnCase Case file - .case extension
• Compound file containing:
• Pointers to locations of evidence files on forensic workstation
• Results of file signature and hash analysis
• Bookmarks
• Investigator’s notes
• A case file can contain any number of items of evidence.
• The case file should be archived with the evidence cache and evidence files as it contains all of the investigator’s notes.
• Use the “Create Package” feature
OpenText Confidential. ©2018 All Rights Reserved. 18
EnCase Concepts – The EnCase Evidence File• A bit stream image of the source data written to a file or multiple file segments.
• Logical file(s) that can be renamed and moved.
• Can be broken into multiple segments with a maximum segment size dependent on the file system to which the evidence file is written.
• Can be compressed during acquisition and/or reacquired with compression for archival without changing the hash value.
• Compression does not affect acquisition or verification hash values as these are calculated over
uncompressed data.
• Can be password protected or encrypted and can be reacquired to remove or change password/encryption.
• Individual segments can be verified by the CRCs when compression is not used or by the compression algorithm if compression is used.
EnCE Study Guide
Copyright © 2018 OpenText 28
OpenText Confidential. ©2018 All Rights Reserved. 19
EnCase Concepts – The EnCase Evidence File (E01)
• Header
• Case data cannot be changed after evidence file is created.
• Contains examiner input information (evidence name, evidence number, case name,
notes) and information obtained from device being acquired (if supported through
connection).
• Is compressed and not plain-text readable.
OpenText Confidential. ©2018 All Rights Reserved. 20
EnCase Concepts – The EnCase Evidence File (E01)
• Data Blocks
• Data read from source in block size (default 64 sectors/32 KB) and written to evidence file.
• Cyclical Redundancy Check
• 32-bit CRC calculated over data written to data block.
• If no compression is used
• Calculated when evidence file is added to case and rechecked every time the data block is
accessed.
EnCE Study Guide
Copyright © 2018 OpenText 29
OpenText Confidential. ©2018 All Rights Reserved. 21
EnCase Concepts – The EnCase Evidence File (E01)
• Acquisition Hash - “digital signature” of all data in evidence file• MD5 – 128 bit digest value
• SHA1 – 160 bit digest value
• Examiner can choose either, both, or neither
• Not required but highly recommended
OpenText Confidential. ©2018 All Rights Reserved. 22
EnCase Acquisition Concepts
• Current EnCase Evidence File – Ex01 file extension.
• Allows for symmetric (password) encryption and asymmetric (private/public key pair)
encryption.
• Evidence can be previewed prior to acquisition and acquired from the same view.
• Consideration of RAM/Volatile data prior to removing power from computer.
• Write protection considerations – FastBloc® SE built into EnCase.
• Error Granularity – if a read error occurs, controls the amount of data within the data block to be zeroed out:
• Standard – the entire data block (64 sectors / 32 KB, by default).
• Exhaustive – only the sector reporting the error (increases acquisition time).
EnCE Study Guide
Copyright © 2018 OpenText 30
OpenText Confidential. ©2018 All Rights Reserved. 23
EnCase Acquisition Concepts
• Name – Name displayed in EnCase (mandatory)
• Evidence Number – Examiner assigned (mandatory)
• Case Number – Examiner assigned (mandatory)
• Examiner Name – Person acquiring evidence (mandatory)
• Output Path – where to write the EnCase acquired evidence files
• Alternate Path – spill over location if Output Path fills
OpenText Confidential. ©2018 All Rights Reserved. 24
EnCase Acquisition Concepts• Evidence File Format
• Legacy = E01
• Current = Ex01
• Verification Hash• MD5
• SHA1
• MD5 & SHA1
• None
• Compression• Enable
• Disabled
• File Segment Size –Size of file segments in megabytes
EnCE Study Guide
Copyright © 2018 OpenText 31
OpenText Confidential. ©2018 All Rights Reserved. 25
EnCase Acquisition Concepts• Block Size – Size of data in
sectors written to the data blocks of evidence file
• Error Granularity - If a read error occurs, controls the amount of data within the data block to be zeroed out
• Start Sector – Sector where EnCase will begin reading data to be written to the forensic image
• Stop Sector – Sector where EnCase will stop reading data to be written to the forensic image
OpenText Confidential. ©2018 All Rights Reserved. 26
Single Files and Logical Evidence Files
• EnCase Logical Evidence Files• A container file to which an examiner can write files and/or folders from evidence within
EnCase that preserves the object’s logical data and associated metadata.
• Single Files• Individual files that exist on media accessible to the forensic examiner’s workstation that
are added to EnCase from their current location.
EnCE Study Guide
Copyright © 2018 OpenText 32
OpenText Confidential. ©2018 All Rights Reserved. 27
Closing Your Case• Reacquisition of EnCase Evidence Files
• Creates a separate forensic image, using the same process, from an existing evidence file.
• Things you can change:
• Compression – apply/remove • Encryption – apply/remove
• Format – Current/Legacy • Segment Size
• Hash Algorithm • Start/Stop sectors
• Block Size
• Things you can not change:
• Name within EnCase • Evidence Number
• Case Number • Examiner Name
• Notes
OpenText Confidential. ©2018 All Rights Reserved. 28
Closing Your Case
• Restoring Evidence Files
• Physical Drive – Target Media Requirements
• Must be equal or greater number of sectors as source image file.
• Recommended that target media be forensically prepared (wiped) prior to restoration
• Logical Volume – Target Media Requirements
• A volume must be created of equal or greater size
• This volume must be the same file system as the volume being restored
• Recommended the volume be formatted with the same size clusters
• Recommended that target media be forensically prepared (wiped) prior to restoration
EnCE Study Guide
Copyright © 2018 OpenText 33
OpenText Confidential. ©2018 All Rights Reserved. 29
Closing Your Case
• Archiving The Case:• A case is backed up, relocated, archiving through the Create Package feature
in EnCase
• Items backed up:
• Required Items – Case file, case folder structure under base case folder
• Primary Evidence Cache
• Secondary Cache
• Evidence Files
OpenText Confidential. ©2018 All Rights Reserved. 30
EnCase Functions
• File Signature Analysis
• Hash Analysis and Entropy
• Compound File Examinations
• External Viewers
• Detailed Copy Options
• Report Creation for the EnCE Practical
EnCE Study Guide
Copyright © 2018 OpenText 34
OpenText Confidential. ©2018 All Rights Reserved. 31
File Signature Analysis
• A comparison of a file’s extension and signature (header) to a known table
to determine the file’s true identity.
• EnCase stores file signatures within the File Types.ini file and they are
viewed in the File Types Table within EnCase.
• File signature over all objects can by initiated through the EnCase
Evidence Processor or over selected objects in the evidence Table view
from the Entries menu.
OpenText Confidential. ©2018 All Rights Reserved. 32
File Signature Analysis (cont.)
• File Signature Analysis returns one of four responses:
• Match – the file’s extension and signature are present in the EnCase File
Types Table and are in the same record.
• Alias – the file’s extension and signature are present in the EnCase File Types
Table but not in the same record.
• Bad Signature – The file’s extension is present in the EnCase File Types
Table but the file’s signature is not.
• Unknown – Neither the file’s extension or signature is present in the EnCase
File Types Table.
EnCE Study Guide
Copyright © 2018 OpenText 35
OpenText Confidential. ©2018 All Rights Reserved. 33
Hash Analysis and Entropy
• EnCase calculates a MD5 and/or SHA1 hash value for acquisitions and objects within evidence
• MD5 = 128 bit hash value
• SHA1 = 160 bit hash value
• Hash libraries provide a manner of organizing hash values
• A hash library contains one or more hash sets
• A hash set contains one or more hash values
• Hash values are the individual hash digests calculated over individual objects
• Analogy – A neighborhood library (hash library) contains shelves (hash sets),
which contain individual books (hash values)
OpenText Confidential. ©2018 All Rights Reserved. 34
Hash Analysis and Entropy (cont.)
• EnCase uses hashing to determine
• A file’s potential investigative significance by comparing the file’s calculated
hash value to hash values stored in a hash library; AND
• The accuracy of acquired evidence through comparison of the hash value
calculated from the data read from the original source to that written to the
forensic image.
EnCE Study Guide
Copyright © 2018 OpenText 36
OpenText Confidential. ©2018 All Rights Reserved. 35
Hash Analysis and Entropy (cont.)
• Entropy is useful in determining and comparing the randomness of a file:
• Calculates a value on a scale from 0-8 out to four decimal points (ex: 7.9788).
• 0 being low randomness to 8 being high randomness.
• Entropy does not identify the file’s data - Two very different files can have the same
entropy value.
• Entropy is useful to locate compressed and encrypted files.
• Hash Analysis and Entropy over all objects can by initiated through the EnCase Evidence Processor or over selected objects in the evidence Table view from the Entries menu.
OpenText Confidential. ©2018 All Rights Reserved. 36
Compound File Examinations• Compound files are files that maintain an internal file structure within the base file.
• Once the compound file’s structure is calculated by EnCase, the objects within the
structure can be processed, viewed, searched, filtered and bookmarked.
• Examples of compound files are Windows registry hives and Zip archives.
EnCE Study Guide
Copyright © 2018 OpenText 37
OpenText Confidential. ©2018 All Rights Reserved. 37
External Viewers
• External viewers are applications installed or available that run within the Windows operating system of the examiner’s workstation and are often used for viewing files within evidence in their native formats.
• Methods of viewing file content within the EnCase interface include:
• EnCase Internal Viewer
• Windows Associated Application
• User-Defined External Viewer
OpenText Confidential. ©2018 All Rights Reserved. 38
External Viewers (cont.)
• As part an The EnCase File Types Table contains records of file types to include the extension(s), file signature (header), footer (if applicable to the file type), EnCase category and the associated viewer that EnCase will use to view the file’s content.
• External viewers are not required to be associated to a file type in the EnCase File Types Table. The can be installed within EnCase without association to a file type within the table.
• When viewing a file within an evidence file with an external viewer, EnCasecopies the file to the temp folder. EnCase deletes the files when the EnCase application is closed normally.
EnCE Study Guide
Copyright © 2018 OpenText 38
OpenText Confidential. ©2018 All Rights Reserved. 39
Detailed Copy Options
• Copy file(s) from the evidence in an open case to a volume accessible to the examiner’s workstation.
• Be mindful of file size limits due to file system of target volume.
• Can be done with files on previewed devices and acquired evidence.
• Two methods to copy files from evidence in EnCase:
• Copy Files – Copies highlighted or selected (blue checked) files.
• Copy Folders – Copies all or selected files in folders and subfolders and mirrors
folder structure.
OpenText Confidential. ©2018 All Rights Reserved. 40
Copy Files• Copies highlighted or selected (blue checked) files.
• Enacted from the Entries/Artifacts/Results pull-down or right click context menu.
EnCE Study Guide
Copyright © 2018 OpenText 39
OpenText Confidential. ©2018 All Rights Reserved. 41
Copy Folders• Copies all or selected files in folders and subfolders and mirrors folder structure.
• Enacted from the Entries/Artifacts/Results dropdown or right click context menu.
OpenText Confidential. ©2018 All Rights Reserved. 42
Output Differences• Stuff.vhd was selected and each function was initiated on the selected file
from the top of the folder structure on the folder (left) pane.
EnCE Study Guide
Copyright © 2018 OpenText 40
OpenText Confidential. ©2018 All Rights Reserved. 43
Output Differences
Copy FILESCopy FOLDERS
OpenText Confidential. ©2018 All Rights Reserved. 44
Report Creation for EnCE Practical
• It’s your report so do it however you would like to present your work.
• BUT…… here are a few tips from the Training staff that review and grade the submitted reports:
• Use the Flexible Template.
• Create a separate bookmark folder for each question; summarize the question.
• Follow the direction for each question within its respective bookmark folder.
• Keep it organized so you can easily tell if you have completely answered each
question by looking in each question’s folder.
• If you are entering a lot of text in a Notes bookmark, first type it in a word
processor with spell check and then copy the text into the bookmark.
EnCE Study Guide
Copyright © 2018 OpenText 41
OpenText Confidential. ©2018 All Rights Reserved. 45
Data Allocation and File Systems
• Data Allocation and File Descriptions
• FAT, ExFAT, and NT File Systems
• Volume Recovery
OpenText Confidential. ©2018 All Rights Reserved. 46
Data Allocation and File Descriptions
• A sector is the smallest area on digital media that can be read from and written to.
• A cluster is a grouping of sectors created during the formatting of a volume which represents the smallest allocation unit addressable by the file system.
• A cluster can only contain the data for one object; data from two objects cannot occupy the same cluster.
• EnCase physical size of an item = the total size of all the clusters allocated to the file measured in bytes.
• EnCase logical size of an item = the total size of the data making up the object.
EnCE Study Guide
Copyright © 2018 OpenText 42
OpenText Confidential. ©2018 All Rights Reserved. 47
Data Allocation and File Descriptions – Slack Area
• In the above representation, cluster size is 4 sectors (512b/sector).
• A file with a logical size of 724 bytes was written to the cluster.
• The remaining space in the cluster is termed “slack.”
OpenText Confidential. ©2018 All Rights Reserved. 48
• RAM Slack (green) = Area from the end of the logical file to the end of the sector. Post Windows 95b, data in this area is hex 00.
• Disk Slack (orange) = Area from beginning of sector following end of logical file data to end of cluster.
• File Slack (red) = RAM Slack + Disk Slack.
• EnCase, by default, displays logical file data in black and slack space in red.
Data Allocation and File Descriptions – Slack Area
EnCE Study Guide
Copyright © 2018 OpenText 43
OpenText Confidential. ©2018 All Rights Reserved. 49
Data Allocation and File Descriptions – Slack Area
Last byte oflogical file
First byte ofRAM slack
Last byte ofRAM Slack
First byte ofdisk slack
OpenText Confidential. ©2018 All Rights Reserved. 50
FAT, ExFAT, and NT File Systems
• A file system, at a minimum, must perform these functions:
• Track the name and attributes of the object
• Track the starting extent of the object
• Track the fragmentation of the object
• Track the allocation status of all clusters in the volume
EnCE Study Guide
Copyright © 2018 OpenText 44
OpenText Confidential. ©2018 All Rights Reserved. 51
FAT – File Allocation Table File System• File Allocation Table:
• Tracks the allocation status of the clusters and the fragmentation of the object.
• Four values possible:
• 0 = Cluster unallocated.
• # = Cluster allocated and file continues in cluster number referenced.
• EOF = Cluster allocated and file data ends (End of File).
• BAD = Bad sector reported within cluster.
• Directory:
• Tracks the name and attributes of the object, the logical size and the starting cluster.
• Each record is 32 bytes.
OpenText Confidential. ©2018 All Rights Reserved. 52
FAT – File Allocation Table File System
• FAT 16
• 2 ^ 16 = 65,536 total addressable allocation units (clusters)
• FAT 32
• 2 ^ 28 = 268,435,456 total addressable allocation units (clusters)
• 4 bits are reserved
• Two copies of the File Allocation Table are maintained – FAT1 & FAT2
• Maximum file size is 4 GB
• A FAT directory entry has a logical size of Zero (0) bytes
EnCE Study Guide
Copyright © 2018 OpenText 45
OpenText Confidential. ©2018 All Rights Reserved. 53
FAT – File Allocation Table File System
Cluster Status
2 EOF
3 04 05 06 07 08 09 0
Name Ext Dates Logical Size Starting Cluster
Stuff txt CAM 200 2
• A FAT volume is formatted with a cluster size of 4 sectors (512 b/sector), cluster size = 2048 b.
• Stuff.txt with a logical size of 200 b is written to the volume, occupying 1 cluster.
File Allocation Table Directory
OpenText Confidential. ©2018 All Rights Reserved. 54
FAT – File Allocation Table File System
Cluster Status
2 EOF
3 4
4 EOF
5 0
6 0
7 0
8 0
9 0
File Allocation Table
Name Ext Dates Logical Size Starting Cluster
Stuff txt CAM 200 2
Shop txt CAM 3000 3
Directory
• Shop.txt with a logical size of 3000 b is written to the volume, occupying 2 clusters.
EnCE Study Guide
Copyright © 2018 OpenText 46
OpenText Confidential. ©2018 All Rights Reserved. 55
FAT – File Allocation Table File System
Cluster Status
2 5
3 4
4 EOF
5 6
6 7
7 EOF
8 0
9 0
File Allocation Table
Name Ext Dates Logical Size Starting Cluster
Stuff txt CAM 6500 2
Shop txt CAM 3000 3
Directory
• Stuff.txt is edited and grows to a size of 6500 b.
• Stuff.txt now occupies 4 clusters.
• Stuff.txt is now a fragmented file.
OpenText Confidential. ©2018 All Rights Reserved. 56
FAT – File Allocation Table File System
Cluster Status
2 0
3 4
4 EOF
5 0
6 0
7 0
8 0
9 0
File Allocation Table
Name Ext Dates Logical Size Starting Cluster
E5tuff txt CAM 6500 2
Shop txt CAM 3000 3
Directory
• Stuff.txt is deleted.
• The first character of the file name is changed to a hex E5.
• The cluster cell status for those occupied by the file are set to unallocated in the FAT.
EnCE Study Guide
Copyright © 2018 OpenText 47
OpenText Confidential. ©2018 All Rights Reserved. 57
FAT – File Allocation Table File System
Cluster Status
2 0
3 4
4 EOF
5 0
6 0
7 0
8 0
9 0
File Allocation Table
Name Ext Dates Logical Size Starting Cluster
E5tuff txt CAM 6500 2
Shop txt CAM 3000 3
Directory
• When EnCase virtually undeletes a file:• Obtains info from directory, replacing first character of file
name with _
• If starting cluster has been reused, EnCase deems this file to be “Deleted/Overwritten”
• Cannot rebuild fragmented file – chain no longer present
OpenText Confidential. ©2018 All Rights Reserved. 58
ExFAT File System• ExFAT was originally created for USB flash drives and flash memory cards,
but can be used to format volumes.
• ExFAT is recognized by Windows operating systems XP(SP2) and after Mac OS-X 10.6.5 (Snow Leopard) and after.
• The ExFAT file system uses 32 bits within the table and has a limit of 4,294,967,285 ((2 ^ 32) – 11) cluster addresses.
• Major Components of ExFAT
• Directory - Tracks object name, attributes, CAM dates, size and starting cluster
• Consists of 3 – 32 byte records per object
• File Allocation Table – Tracks fragmentation ONLY
• $Bitmap – Tracks cluster allocation
EnCE Study Guide
Copyright © 2018 OpenText 48
OpenText Confidential. ©2018 All Rights Reserved. 59
ExFAT File System – Directory
RECORD (32 bytes) FUNCTION IDENTIFIER (Hex)
Directory Entry Record Tracks the object’s attributes and CAM dates in DOS format
Allocated Object: 85Deleted Object: 05
Stream Extension Record Tracks the object’s logical size and starting cluster as well as the length of the file name
Allocated Object: C0Deleted Object: 40
File Name Extension Record Tracks the object’s name in Unicode
Allocated Object: C1Deleted Object: 41
OpenText Confidential. ©2018 All Rights Reserved. 60
ExFAT File System – Directory
Directory Entry Record
Stream Extension
Record
File Name Extension
Record
Unicode File Name
EnCE Study Guide
Copyright © 2018 OpenText 49
OpenText Confidential. ©2018 All Rights Reserved. 61
ExFAT File System – File Allocation Table
• Unlike FAT, is only used to track fragmentation of objects.
• Three possible entries in the table:
• # – Pointer to next fragment (cluster) in the chain.
• FFFFFFFF (hex) – Indicates the end of the fragmentation.
• 00000000 (hex) – Indicate there is no fragmentation within the referenced cluster.
• When an object is deleted, the FAT cells are NOT overwritten until reused.
• Recovering a deleted fragmented file is possible on an ExFAT volume.
OpenText Confidential. ©2018 All Rights Reserved. 62
ExFAT File System - $Bitmap
• Each byte within this file documents 8 clusters (1 cluster per bit, 8 bits per byte).
• Convert the byte to binary to determine allocation of individual clusters.
Hex value = 9F
Binary:
9 F
1 0 0 1 1 1 1 1
Unallocated Allocated
EnCE Study Guide
Copyright © 2018 OpenText 50
OpenText Confidential. ©2018 All Rights Reserved. 63
NT File System – aka NTFS• Every object that exists on an NTFS volume is tracked by the file system.
• The Master File Table ($MFT) contains a record for every object within the volume, including itself.
• Each record is 1024 bytes.
• The $MFT grows but never shrinks.
• Records are reused before new records are added.
• Each record consists of a header followed by a series of attributes. Each attribute records information about the object, including the object’s name, logical size, CAM dates, attributes, starting cluster and fragmentation.
• If an object’s data can be stored within its $MFT record, it will and the object is considered a “Resident” object. If the object’s data is stored outside the object’s $MFT record it is considered a “Non-Resident” object.
• Each NTFS volume will have its own $MFT, even for volumes on the same physical disk.
• Cluster allocation is tracked by the $Bitmap in the same manner as ExFAT.
OpenText Confidential. ©2018 All Rights Reserved. 64
NT File System – $MFT Record
End of Record
Record Header
Standard Information Attribute
File Name Attribute
File Name Attribute
Object ID AttributeData Attribute
Data Attribute (ADS)
EnCE Study Guide
Copyright © 2018 OpenText 51
OpenText Confidential. ©2018 All Rights Reserved. 65
FAT, ExFAT, and NT File Systems – OverviewMinimum Requirements FAT exFAT NTFS
Track name and attributes of object
Directory File Name Extension Record (Name)
Directory Extension Record (Attributes)
$MFT
Track starting extent of object Directory Stream Extension Record $MFT
Track fragmentation of object FAT FAT $MFT
Track allocation of all clusters in volume
FAT $Bitmap $Bitmap
OpenText Confidential. ©2018 All Rights Reserved. 66
FAT, ExFAT, and NT File Systems – Impacts of Deleting an Object
FILE SYSTEM CHANGES
FAT • First character of file name changed to E5h in directory.• The cluster cell status for those occupied by the file are set to unallocated in the FAT.
ExFAT • Directory Entry Record header changed to 05h.• Stream Extension Record header changed to 40h.• File Name Extension Record header changed to 41h.• $Bitmap cluster references updated to show unallocated.
NTFS • Object’s $MFT record allocation status updated to deleted file/folder.• $Bitmap cluster references updated to show unallocated.
EnCE Study Guide
Copyright © 2018 OpenText 52
OpenText Confidential. ©2018 All Rights Reserved. 67
Volume Recovery• Auditing the drive space of evidence should be performed prior to the processing
and examination of the evidence.
• Auditing the drive space is the process of accounting for every sector and its assignment on the evidence and recovering any deleted/hidden partitions/volumes.
• Physical Device is a representation of all sectors on the evidence.
• A partition is a logical structure within the physical device:
• Contains one of more volumes
• To contain a bootable operating system, must be marked as the Active partition
• Volume is a logical structure within a partition.
OpenText Confidential. ©2018 All Rights Reserved. 68
Volume Recovery – Master Boot Record
• The first sector of a hard disk drive (PS0) contains the Master Boot Record
• Located at sector offset (SO) 446.
• Contains 4,16-byte entries documenting the partition type, active status, relative
starting sector, and total number of sectors for each partition.
• Can document two types of partitions – Primary and Extended
• Primary
• One volume per partition.
• Required for bootable operating system.
• Extended
• Multiple volumes within one partition.
EnCE Study Guide
Copyright © 2018 OpenText 53
OpenText Confidential. ©2018 All Rights Reserved. 69
Volume Recovery – Volume Boot Record
• The first sector of a volume contains the Volume Boot Record.
• Contains all information about the volume, including total number of sectors in the volume.
• NTFS Backup Volume Boot Record is located in the last sector of the volume and is not included in the total sector count in VBR.
• FAT32 Backup Volume Boot Record is located six sector after the primary Volume Boot Record.
OpenText Confidential. ©2018 All Rights Reserved. 70
Searching Evidence with EnCase
• Bookmarks and Tags
• Index Search Queries
• Raw Keyword Searching
• GREP Operators
EnCE Study Guide
Copyright © 2018 OpenText 54
OpenText Confidential. ©2018 All Rights Reserved. 71
Bookmarks and Tags
• Bookmarking is a method of identifying and organizing items of interest to the investigation for inclusion into the examiner’s report.
• Objects can be bookmarked from multiple views in EnCase and from some EnScript® programs.
• Methods/Types of Bookmarks:
• Single File
• Selected Items
• Raw Text
• Data Structure
• Notes Bookmark
OpenText Confidential. ©2018 All Rights Reserved. 72
Bookmarks and Tags
• Tags are used to identify and categorize objects in a manner that persists in all views in EnCase.
• Tag something in Search Hits and the tag carries into Evidence, Artifacts, and
Bookmarks.
• Tags persist when a case is saved, closed, and reopened.
• Tags are local to a specific case but can be preset in a case template.
• Tags are set from the Tags column, the keyboard hotkeys, the Filter pane, and Tagging selected items from the Manage Tags menu.
• The maximum number of tags possible in a case is 63.
EnCE Study Guide
Copyright © 2018 OpenText 55
OpenText Confidential. ©2018 All Rights Reserved. 73
Index Search Queries• Index search queries are performed through the Indexed Items view.
• Index searches are reviewed in the Transcript tab in the View pane.
OpenText Confidential. ©2018 All Rights Reserved. 74
Index Search Queries
• Index search queries will locate matches in an object’s data and EnCaseFields (metadata).
• EnCase performs logical indexing and will locate queries that traverse fragmentation boundaries.
EnCE Study Guide
Copyright © 2018 OpenText 56
OpenText Confidential. ©2018 All Rights Reserved. 75
Index Search Queries
• When entering two or more keywords in an index search query, the default logic is OR.
• EnCase index query operators:
• AND • OR
• Case sensitive • Stemming
• Item Type
OpenText Confidential. ©2018 All Rights Reserved. 76
Raw Keyword Searching• A raw search is a search for a specific pattern (word, string, hex values)
against the binary data as it exists in the evidence.
• A raw search can be run from the EnCase Evidence Processor, Raw Search All from Evidence View Evidence, and Raw Search Selected from the Entries menu in Evidence, Viewing (Entries).
EnCE Study Guide
Copyright © 2018 OpenText 57
OpenText Confidential. ©2018 All Rights Reserved. 77
Raw Keyword Searching
• Raw keyword searches are stored as individual files with a .Keywords file extension.
• Logical vs. Physical Raw Search:
• Searches in allocated clusters of volumes are logical searches and
fragmentation will not affect the ability of EnCase to locate responsive finds.
• Searches in unallocated clusters of volumes and unused disk space are
physical searches, and EnCase will not locate keywords that traverse a
fragmentation boundary as it has no way to establish the fragmentation chain
in these areas.
OpenText Confidential. ©2018 All Rights Reserved. 78
Raw Keyword Search Options
• Search entry slack – Allows for the search to include the slack area of files/folders.
• Skip contents for known files – Skips searching files present in the hash library with a category of “known.”
EnCE Study Guide
Copyright © 2018 OpenText 58
OpenText Confidential. ©2018 All Rights Reserved. 79
Raw Keyword Search Options
• Undelete entries before searching – EnCase will virtually undelete an entry identified as Deleted and then logically search the entry.
• Use initialized size – EnCase will search the initialized size of a file rather than the actual logical size.
OpenText Confidential. ©2018 All Rights Reserved. 80
GREP Operators• GREP is not turned on by default in
a raw search.
• GREP symbols will not be recognized as such unless the option is selected by the examiner.
• GREP operators to know:
• \x • ? • ()
• . • + • ^
• # • [] • \
• | • *
EnCE Study Guide
Copyright © 2018 OpenText 59
OpenText Confidential. ©2018 All Rights Reserved. 81
Examining Evidence with EnCase
• Windows Registry
• Time Zone Settings
• Windows Artifacts
• Shortcuts (LNK Files)
• Recycle Bin Recovery
• Print Spooler
• Internet Artifacts
• Removable USB Device Identification
OpenText Confidential. ©2018 All Rights Reserved. 82
Windows Registry• The Windows Registry is best described as a database containing settings
for the computer’s hardware, operating system, applications, services, security and users.
• Registry files are called “hives.” The Windows registry is made up of several hives, both global and user.
• Global
• HKEY_Local_Machine (HKLM)
• %windir%\System32\config
• SAM, Security, System and Software
• User
• HKEY_Current_User (HKCU)
• Root folder of user’s profile (C:\Users\<profile name>)
• NTUSER.DAT
EnCE Study Guide
Copyright © 2018 OpenText 60
OpenText Confidential. ©2018 All Rights Reserved. 83
Time Zone Settings
• EnCase methodology is to set the time zone of the evidence prior to processing and examination.
• Time zone settings are stored in the System registry hive.
• The time zone setting is modified in EnCase using the Modify Time Zone Settings option in the Device menu.
• An examiner can determine a Windows computer’s time zone setting by manually examining the System registry hive or by utilizing the Triage or Full Investigation Pathway.
OpenText Confidential. ©2018 All Rights Reserved. 84
Time Zone Settings Device menu
EnCE Study Guide
Copyright © 2018 OpenText 61
OpenText Confidential. ©2018 All Rights Reserved. 85
Windows Artifacts• The last written date of a NTUSER.DAT registry hive may indicate the last
date/time that a user logged off the system.
• A user’s profile folder is named using the user’s account name.
• In Windows Vista-10 systems, common sub-folders of the user’s profile’s AppData folder include Local, LocalLow and Roaming.
• Icons on the user’s Desktop are stored in:
• C:\Users\<account>\Desktop AND C:\Users\Public\Desktop
• Pagefile.sys, also known as the Windows swap file, is located in the root of the boot volume and is used as virtual memory, supplementing the onboard RAM.
• Two formats used for printing within Windows are Raw and Enhanced Metafile (EMF)
OpenText Confidential. ©2018 All Rights Reserved. 86
Shortcuts (LNK Files)
• Windows creates LNK files of files/folders accessed with Windows Explorer.
• C:\Users\<account>\AppData\Roaming\Microsoft\Windows\Recent
• Shortcuts (LNK files) can be located and decoded using the EnCase Evidence Processor Windows Artifacts Module.
• Link files are created:
• Manually by the user
• By an application when installed or used
• By a user double clicking (opening) and object through Windows Explorer
EnCE Study Guide
Copyright © 2018 OpenText 62
OpenText Confidential. ©2018 All Rights Reserved. 87
Shortcuts (LNK Files)
• Information contained within LNK files:
• Path to target file and file name
• Volume name target resides on
• Volume serial number target resides on
• Created, Last Accessed and Last Written dates of target file when link file was created or last updated
• Target file logical size
• And there’s more but that’s all we need for the EnCE
OpenText Confidential. ©2018 All Rights Reserved. 88
Shortcuts (LNK Files)
Created, Last Accessed, Last Written DatesFO:28, LE:24
Logical Size
FO:52, LE:8
Volume Serial
Number
Volume Name
Volume Name
Path and File NamePath and File Name
EnCE Study Guide
Copyright © 2018 OpenText 63
OpenText Confidential. ©2018 All Rights Reserved. 89
Recycle Bin Recovery
• A user’s Recycle Bin is named using the user’s Windows Security Identifier (SID).
• The SAM registry hive, the Profile list located in the SOFTWARE registry hive and the EnCase Analyze EFS function can be used to link the SID to the profile name.
• The Windows Recycle Bin can be turned off by the user or administrator. The setting is stored in the user’s NTUSER.DAT registry hive.
• EnCase uses the information in the OS created $I file to populate the Name and File Deleted date/time fields for objects located in the Recycle Bin. If the name is replaced, the true name is listed in the Short Name field.
OpenText Confidential. ©2018 All Rights Reserved. 90
How the Recycle Bin Works
• Moving a file to the Recycle Bin:
• File name is changed to $R, followed by six OS assigned characters and the original
file extension.
• A $I followed by the same OS assigned six characters and original file extension is
created to track the file’s original location, logical size and date/time moved to the
Recycle Bin.
• Moving a folder containing files to the Recycle Bin:
• Folder is renamed same as above.
• $I created same as above.
• No change to the file names of the files within the folder.
EnCE Study Guide
Copyright © 2018 OpenText 64
OpenText Confidential. ©2018 All Rights Reserved. 91
• Email types supported by EnCase:
• PST (Microsoft Outlook)
• NSF (Lotus Notes)
• DBF (Microsoft Outlook Express)
• EDB (Microsoft Exchange)
• AOL
• MBOX
• EMLX
OpenText Confidential. ©2018 All Rights Reserved. 92
• Email is located and processed using the EnCase Evidence Processor.
• Email is reviewed in the Artifacts tab.
• EnCase, as part of the processing, threads email:
• Show conversation – uses header fields to determine threading.
• Show related messages – uses Subject field only.
EnCE Study Guide
Copyright © 2018 OpenText 65
OpenText Confidential. ©2018 All Rights Reserved. 93
Internet Artifacts
• Internet artifacts are located and processed using the EnCase Evidence Processor.
• Internet Artifacts are reviewed in the Artifacts tab.
• EnCase locates and processed Cookies, History, Bookmarks and cache from supported browsers:
• Internet Explorer history contains web sites visited and files accessed through Windows Explorer.
• Internet Explorer • Mozilla Firefox • Google Chrome
• Opera • Mac Safari
OpenText Confidential. ©2018 All Rights Reserved. 94
Removable USB Device Identification• USB Device Descriptor – information about the device stored within the
circuitry of the device.
• Vendor ID (VID) – identifies the vendor/manufacturer
• Product ID (PID) – identifies the product
• Serial Number (iSerial) – unique identifier of the device to the system
• First time a USB device is connected to the system is determined by examining the setupapi.dev.log file.
• The SYSTEM registry hive is examined to determine USB drives connected to a Windows system.
• Users’ NTUSER.DAT registry hives are examined to determine which users were logged on when a USB device was connected to a Windows system.
EnCE Study Guide
Copyright © 2018 OpenText 66
OpenText Confidential. ©2018 All Rights Reserved. 95
Legal Considerations in Digital Forensics (U.S. Only)
• Best Evidence Rule, Federal Rule of Evidence, section 1001(3)
• “[if] data are stored in a computer or similar device, any printout or other output readable
by sight, shown to reflect the data accurately, is an ‘original.’”
• Important concept is the accuracy of the visual output once it is mounted or rendered.
• Compression does not affect Best Evidence as long as the decompression process does
not impact the accuracy of the evidence.
• Daubert Merrell Dow Pharmaceuticals, Inc. and Frye v United States are the court decisions that set forth the legal test(s) to determine the validity of scientific evidence and its relevance to the case at issue.
• Daubert has superseded Frye and is the current standard in U.S. courts.
OpenText Confidential. ©2018 All Rights Reserved. 96
Legal Considerations in Digital Forensics (U.S. Only)
• Frye vs United States:
• Evidence “be sufficiently established to have gained general acceptance in the particular field in which it belongs.”
• Daubert v Merrell Dow Pharmaceuticals, Inc. (Daubert analysis):
• Theory or technique can be an has been tested; AND
• Theory or technique can be and has been subjected to peer review or publication; AND
• Theory or technique has a high known or potential rate of error; AND
• Theory or technique enjoys general acceptance with the relevant scientific community.
EnCE Study Guide
Copyright © 2018 OpenText 67
OpenText Confidential. ©2018 All Rights Reserved. 97
Legal Considerations in Digital Forensics (U.S. Only)
• Commercially available software is favored by the courts, as such software isreadily available for testing and its market allows the capabilities and accuracy tobecome generally known through widespread commercial availability and use.
• U.S. courts have ruled that an EnCase hash analysis is considered a search.
• All examiners, not just those acting as agents for the government, requireauthorization to search, seize and examine digital based evidence.
• An examiner has a legal duty to utilize proper computer forensic protocols.
• This material is presented in greater detail in the EnCase Legal Journal• https://www.guidancesoftware.com/document/publication/encase-legal-journal---5th-edition
1055 East Colorado Boulevard
Suite 400
Pasadena, CA 91106-2375
Phone: 626.229.9191 ext. 9468
opentext.com/encasetraining