Encase forensic v7 user guide

Advanced Computer Forensics

Windows EnCase Forensics Lab

Due date: Please submit your work to Windows EnCase Lab dropbox by July 2nd, 2013.

Lab Setup for using RLES vCloud

This lab is designed to function on the RLES vCloud. The interface is available by navigating to https://rlesvcloud.rit.edu/cloud/org/NAT. If you did the Linux forensics lab on RLES vCloud, you should have created a vApp with the Linux VMware image. If you did not use the RLES vCloud for your first lab, please follow the instruction described in the Linux Forensics Lab to create a vApp. Now, you will add the vApp template, Windows 7 w/FTK 7 EnCase image, from the Public Catalogs to the same vApp following the instruction of Add Virtual Machines to a vApp (Page 8 in RLES vCloud User Guide) with the following setting:

· Set network to be Net_Network

· Select DHCP to create an IP address (when you use DHCP, fencing option is NOT necessary.)

Note: If you get an error when trying to start a vApp (or a VM within a vApp), try these steps:

1. Open up your vApp and click on the Virtual Machines tab. Right-click your VM and choose "Properties".

2. Click on the Hardware tab. At the bottom of the page, click on the MAC address and choose "Reset".

3. Click OK. When it asks if you want to enable guest customization, click No.

4. Give it a minute to update your VM, then try starting it.

Power on the Windows Virtual machine and login to the system with:

Username: Student

Password: student

EnCase 7 is installed on the virtual machine. When you start the EnCase application, you should see “EnCase Forensic (not Acquisition)” on the top of the application.

EnCase 7 Tutorial

· The EnCase Forensics V7 User Guide posted in myCourses under Hands-on Labs.

· EnCase 7 Essentials webinar series at http://www.encaseondemand.com/EnCasev7Essentials/tabid/2617/index.aspx

The following image files will be used for this lab and they are located in the local drive E:\

1) WinLabRaw.img – Raw Image from dd

2) WinLabEnCase.E01 -- EnCase evidence file

Note: “WinLabEnCase Image” in this documentation = “Lab5 image” in your EnCase image.

PART I: Familiar with EnCase

Exercise 1: Starting a New Case

Launch EnCase for Windows – make sure that you are in the EnCase forensics mode (on the top of the software, you should see EnCase Forensic Training, NOT acquisition mode.)

Click the “New Case” button under CASE FILE to begin a new case.

Use the #1 Basic Template and name the case “Case 1”

Record the defaults that EnCase gives you for its folders. It is safe to use these defaults in our experiments.

Add a Raw Image to the exist case

You can add a raw disk image, for example, the dd image, to your case.

Click EVIDENCE > Add Evidence, then click Add Raw Image

Enter “WinLabRaw Image” in the “Name” field.

Under “Image Type” choose “Disk” and click “OK”.

Under Component Files, click New, locate and select the “WinLabRaw.img” file from E:\

The image will now be added to your case. Double click on the hyperlink of WinLbRaw Image, you will be able to view the files and folders from the image.

Question 1: What is the file system of this raw Image?

(Hint: 1. Check “report” from the bottom pane OR

2. choose “Disk View…” from the top drop-down disk manual, image1.png

then click the first sector (in red), the volume boot, image2.png

and read the text in the bottom pane.)

Question 2: What is the first character (in Hex) of the filename of a deleted file (check week 6 lecture recording)?

Add the EnCase Image, WinLabEnCase.E01 located at E:\, to the exist case via EnCase’s “Add Evidence” from the top menu, choose Add Evidence File…

Question 3: What type of files can be added using EnCase’s “Add Evidence Files”

Now you have two evidences added into the case. You can view either one by selecting View->Evidence from the top View menu.

Exercise 2: Using Encase

Set the Time Zone

EnCase v7 will utilize the time zone setting of your examiner workstation if no time zone is set for the evidence.

When you acquire a computer as evidence it is important to make note of the computer’s time and time zone, especially if you need to correlate evidence from different time zones (never assume the time or time zone on a computer is correct.)

Question 4: Where does the Time Zone information reside in a Windows system? (Hint: See EnCase 7 User guide, page 122 or watch Processing Evidence Part 1 from http://www.encaseondemand.com/EnCasev7Essentials/tabid/2617/index.aspx).

Before starting the evidence analysis, you should verify that time zone settings for the evidence are configured properly and modify the time zone setting if necessary.

In our case, since we did not include the complete Windows’ image, let’s assume the computer’s time zone is North American Eastern Time Zone time zone. Verify the time zone setting by opening the WinLabEnCase image and selecting “Device -> Modify Time Zone Settings”.

image3.png

Question 5: How do you modify Time Zone Settings, show a screen shot below.

Now that you have the evidence added and the time zone set, you can analyze the evidence.

Timeline View

The Timeline view gives you a graphical overview of file creation, modification and access times and dates in a calendar view. It allows you to look for patterns.

Green Select the WinLabEnCase Image and click on the Timeline tab in the Views pane.

The timeline view can be zoomed from a yearly view to a minute-by-minute view using Higher Resolution button and Lower Resolution button.

The colored dots represent activity on a particular file. The legend for the colors can be found by clicking “Options” button from the top menu.

Question 6: Why is Timeline View useful for your investigation?

Gallery View

The Gallery view allows you to quickly see all the pictures in the case. Now let’s switch to the WinLabRaw image by View -> Evidence then open the WinLabRaw Image. Green select “WinLab Raw image”, in the Views pane, select the Gallery tab.

You will now see all of the pictures contained in the WinLabRaw Image. The Gallery view displays graphics files based on file extension.

Question 7: In the Raw Image, how many pictures are shown in Gallery View?

Process the Evidence (watch Processing Evidence Part 2 from http://www.encaseondemand.com/EnCasev7Essentials/tabid/2617/index.aspx)

Select Process Evidence… from the Add Evidence menu. Click the Process check box for the evidences that you intend to run through the Evidence Processor. The Evidence Processor Task list is shown at the bottom pane. You have the freedom to enable the tasks to run. For example, you may want to run certain tasks in the beginning, such as file signature and hash analysis, then later add other options, such as parsing compound files. However, you have to run certain tasks at a particular time. For example, you must run Recover Folders in the initial processing step. Tasks you must run in a specific step are marked with a red flag icon.

Note: If a task name is listed in a blue font, click on its task name to configure it. If a task name is listed in a black font, no further configuration is necessary

Select the WinLabRaw Image, enable the top five tasks and run the evidence processor.

image4.png

Recover folders.

Recover Folders will recover all deleted folders.

Note: For this image, you may not see anything interesting.

Question 8: Read the EnCase manual to find out how Recover-Folders recover deleted folders for FAT and NTFS file systems respectively?

File Signature Analysis

A file type (JPEG, Word Document, MP3 file) can be determined by the file’s extension and by a header that precedes the data in the file. If a file’s extension has been changed, then the only way to determine its type is by looking at its header.

Encase has a list of known file extensions and headers that it uses to identify files.

From the “View” menu select “File Types” to see the list of file types.

Question 9: What information is listed for each file type?

Question 10: What can an investigator do if the header of a file is unknown in your current setting of the EnCase?

When EnCase finished the file signature analysis. Select the WinLabRaw Image and take a look at the “Signature Analysis” and “Signature” Columns in the “Table” view.

Question 11: What different terms you see in the Signature Analysis column?

Question 12: Do you find any signature mismatch? List them.

Examine the WinLabRaw image in the gallery view again.

Question 13: Are there any graphics files on the WinLabRaw image whose file extensions have been changed? List them.

Question 14: If a file’s extension has been changed to a non-graphics file type (such as changing jpg to txt), will it be displayed in the Gallery view? If not, what could you do to fix this?

Hash Analysis

A hash is a digital fingerprint of a file or collection of data. EnCase uses the MD5 (and/or SHA1) algorithm to create hash(s) or “digital fingerprint” of a file.

The Evidence Processor’s Hash Analysis that we have run earlier has created the MD5 and SHA-1 hash values for the Raw image.

Check the “WinLabRaw Image” evidence in the table view, and make sure that the hash columns are filled.

Question 15: What are the types of files that will not have a hash generated?

Question 16: What are the three most common uses for hashes analysis?

Compound Files

Compound files are files with multiple layers and/or metadata such as Outlook Express email folders (.dbx), registry files, or OLE files.

In EnCase 7, you have several ways to expand the compound files. You can run the EnCase Evidence Processor on the EnCase image, select Expand compound files to expand all achieves and registry files OR you can expand the individual compound file.

Here we will try the second method by only expanding the individual compound file. Let’s look at the NTUSER.DAT registry file from WinLabEncase image.

View -> Evidence and click on WinLabEncase image,

In the Table view locate the file “Documents and Settings\PSMITH\NTUSER.DAT” and expand the EnCase image to find the “Documents and Settings\PSMITH\NTUSER.DAT” file by right click the file and choose Entries -> View File Structures. (Note: other registry files exist in C:\windows\system32\config folder. They are not included in this image.)

image5.png

Double click on NTUSER.DAT

Question 17: Did anything happen? Do you find any important information? If so, what kind of information you got?

Searching for Email (See Email from the EnCase V7 Essential webinar)

EnCase can search various types of email artifacts including Outlook (2000/2003), Outlook Express, Exchange, Lotus Notes, AOL and Thunderbird’s MBOX.

Select Process Evidence… from the Add Evidence menu. Select the WinLabEnCase image from the Evidence Process, and ONLY check Find Email (uncheck other tasks).

Double click on “Find Email” and check Search for Additional Lost or Deleted Items box for a search for deleted e-mails. Click OK to run the processor.

The processed e-mail will be found under the Records view.