Advanced Computer Forensics
Windows EnCase Forensics Lab
Exercise 1: Starting a New Case
Question 1: What is the file system of this raw Image?
(Hint: 1. Check "Report" in the bottom pane, OR 2. choose "Disk View…" from the top drop-down disk menu [screenshot: image1.png], then click the first sector (in red), the volume boot sector [screenshot: image2.png], and read the text in the bottom pane.)
FAT 12
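The volume boot sector the hint points at carries the BIOS Parameter Block, and the FAT type follows from the number of data clusters it describes rather than from the "FAT12" text string. This added example (not part of the lab or EnCase) builds a constructed 1.44 MB floppy boot sector and derives the type the way the FAT specification does, returning the advisory label alongside it for comparison:

```python
import struct

BPB_FORMAT = "<HBHBHHBH"   # BPB fields starting at offset 11 of the boot sector

def build_fat12_boot_sector():
    """Constructed sample: a 512-byte boot sector with the BPB of a 1.44 MB floppy
    (not taken from the lab image)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"          # jump instruction
    bs[3:11] = b"MSWIN4.1"             # OEM name
    struct.pack_into(BPB_FORMAT, bs, 11,
                     512,              # bytes per sector
                     1,                # sectors per cluster
                     1,                # reserved sectors (just the boot sector)
                     2,                # number of FATs
                     224,              # root directory entries
                     2880,             # total sectors (16-bit field)
                     0xF0,             # media descriptor
                     9)                # sectors per FAT (16-bit field)
    bs[54:62] = b"FAT12   "            # advisory type string at offset 0x36
    bs[510:512] = b"\x55\xAA"          # boot sector signature
    return bytes(bs)

def fat_type(boot_sector):
    """Return (type, cluster_count, advisory_label). The type comes from the data
    cluster count, the rule Microsoft's FAT specification uses; the text label
    is only a hint and is returned so the two can be compared."""
    if boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (bps, spc, reserved, nfats, root_entries,
     tot16, _media, fatsz16) = struct.unpack_from(BPB_FORMAT, boot_sector, 11)
    tot32 = struct.unpack_from("<I", boot_sector, 32)[0]
    fatsz32 = struct.unpack_from("<I", boot_sector, 36)[0]   # meaningful on FAT32 only
    total_sectors = tot16 or tot32
    fat_sectors = fatsz16 or fatsz32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps  # 0 on FAT32
    data_sectors = total_sectors - (reserved + nfats * fat_sectors + root_dir_sectors)
    clusters = data_sectors // spc
    if clusters < 4085:
        kind = "FAT12"
    elif clusters < 65525:
        kind = "FAT16"
    else:
        kind = "FAT32"
    label_offset = 82 if kind == "FAT32" else 54
    label = boot_sector[label_offset:label_offset + 8].decode("ascii", "replace").strip()
    return kind, clusters, label

if __name__ == "__main__":
    print(fat_type(build_fat12_boot_sector()))   # ('FAT12', 2847, 'FAT12')
```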
Question 2: What is the first character (in Hex) of the filename of a deleted file (check week 6 lecture recording)?
EB
Question 3: What type of files can be added using EnCase’s “Add Evidence Files”
Legacy evidence files, current evidence files, SafeBack files, VMware files, logical files, current logical files, virtual files.
Exercise 2: Using EnCase
Set the Time Zone
Question 4: Where does the Time Zone information reside in a Windows system? (Hint: See EnCase 7 User guide, page 122 or watch Processing Evidence Part 1 from http://www.encaseondemand.com/EnCasev7Essentials/tabid/2617/index.aspx).
It is stored in the registry under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation.
Question 5: How do you modify Time Zone Settings? Show a screenshot below.
[Screenshot: image3.jpg]
Now that you have the evidence added and the time zone set, you can analyze the evidence.
Timeline View
Question 6: Why is Timeline View useful for your investigation?
It helps us get better information, which helps us in the investigation.
Gallery View
Question 7: In the Raw Image, how many pictures are shown in Gallery View?
Three images
Question 8: Read the EnCase manual to find out how Recover-Folders recover deleted folders for FAT and NTFS file systems respectively?
FAT: EnCase searches through the unallocated clusters of a specific FAT partition for the "dot, double-dot" signature of a deleted folder; when the signature matches, EnCase can rebuild the files and folders that were within that deleted folder.
NTFS: EnCase can recover NTFS files and folders from Unallocated Clusters and continue to parse through the current Master File Table (MFT) records for files without parent folders. This is particularly useful when a drive has been reformatted or the MFT is corrupted. Lost files that are recovered are placed in the gray Recovered Folders virtual folder in the root of the NTFS partition. To recover folders on an NTFS partition, right-click on the volume and select Recover Folders.
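The FAT "dot, double-dot" signature described above is simply the first two 32-byte directory entries of any subdirectory: a "." entry pointing at the folder itself and a ".." entry pointing at its parent, both carrying the directory attribute. This added example (not EnCase's code) scans a constructed data region at every cluster boundary for that pair, reports which cluster the orphaned folder lives in and which parent it claims, and lists the child entries still present; it assumes 512-byte clusters and the FAT12/16 convention that parent cluster 0 means the root directory:

```python
import struct

DIR_ENTRY = 32          # size of a FAT short-name directory entry
ATTR_DIRECTORY = 0x10
CLUSTER_SIZE = 512      # assumed: one 512-byte sector per cluster, as on a floppy

def dir_entry(name, attr, first_cluster):
    """Build one short-name directory entry (constructed helper, name padded to 11 bytes)."""
    entry = bytearray(DIR_ENTRY)
    entry[0:11] = name.ljust(11).encode("ascii")
    entry[11] = attr
    struct.pack_into("<H", entry, 26, first_cluster)   # first cluster, low word
    return bytes(entry)

def build_data_region():
    """Constructed sample data region covering clusters 2..5. Cluster 3 holds a
    directory whose entry was removed from its parent (the root, cluster 0), so
    only its own '.' and '..' entries remain to show it existed."""
    region = bytearray(CLUSTER_SIZE * 4)
    region[0:CLUSTER_SIZE] = b"A" * CLUSTER_SIZE          # ordinary file data in cluster 2
    entries = (dir_entry(".", ATTR_DIRECTORY, 3)
               + dir_entry("..", ATTR_DIRECTORY, 0)
               + dir_entry("NOTES   TXT", 0x20, 4))      # one file still listed inside
    start = (3 - 2) * CLUSTER_SIZE
    region[start:start + len(entries)] = entries
    return bytes(region)

def find_deleted_folders(data_region, first_cluster=2):
    """Scan every cluster boundary for the '.' / '..' pair that begins a FAT directory.
    Each hit records the cluster it lives in, the parent cluster named by '..' and
    the child names still listed in that cluster."""
    hits = []
    for off in range(0, len(data_region), CLUSTER_SIZE):
        e0 = data_region[off:off + DIR_ENTRY]
        e1 = data_region[off + DIR_ENTRY:off + 2 * DIR_ENTRY]
        if not (e0[:11] == b".          " and e1[:11] == b"..         "
                and e0[11] & ATTR_DIRECTORY and e1[11] & ATTR_DIRECTORY):
            continue
        children = []
        for pos in range(off + 2 * DIR_ENTRY, off + CLUSTER_SIZE, DIR_ENTRY):
            entry = data_region[pos:pos + DIR_ENTRY]
            if entry[0] == 0x00:          # no further entries in this directory
                break
            children.append(entry[:11].decode("ascii", "replace"))
        hits.append({"cluster": first_cluster + off // CLUSTER_SIZE,
                     "parent": struct.unpack_from("<H", e1, 26)[0],
                     "children": children})
    return hits

if __name__ == "__main__":
    print(find_deleted_folders(build_data_region()))
```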
Question 9: What information is listed for each file type?
File name, file extension, header signature and unique tag.
Question 10: What can an investigator do if the header of a file is unknown in your current setting of the EnCase?
Change the settings of EnCase, or try to open the file with any software.
Question 11: What different terms you see in the Signature Analysis column?
Alias, unknown, match and bad signature.
Question 12: Do you find any signature mismatch? List them.
No
Question 13: Are there any graphics files on the WinLabRaw image whose file extensions have been changed? List them.
Yes, there are:
(3) file3.xls
(4) files.csv
(5) tt-logo.gif
(7) file6.
(8) file7.zip
Question 14: If a file’s extension has been changed to a non-graphics file type (such as changing jpg to txt), will it be displayed in the Gallery view? If not, what could you do to fix this?
It won't be displayed, but we need to run a signature analysis to determine the type.
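Signature analysis settles Questions 11 to 14 together: the header bytes are compared with the extension, and the four column terms fall out of which of the two the signature table recognises. This added example (not EnCase's table or code) uses a small constructed signature table and constructed sample bytes whose names echo the renamed-graphics list above, classifies each file, and shows which files Gallery view would pick up once the header rather than the extension decides the type; the classification rules are a simplified reading of the four terms:

```python
# Constructed signature table: magic bytes and the extensions that belong to each type.
SIGNATURES = {
    "JPEG": (b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    "PNG":  (b"\x89PNG\r\n\x1a\n", {"png"}),
    "GIF":  (b"GIF8", {"gif"}),
    "ZIP":  (b"PK\x03\x04", {"zip"}),
}
GRAPHICS = {"JPEG", "PNG", "GIF"}
# Extensions the table knows about, including some it holds no header for.
KNOWN_EXTENSIONS = {e for _, exts in SIGNATURES.values() for e in exts} | {"xls", "csv", "txt"}

def identify_header(data):
    """Return the type whose magic bytes start the file, or None if no entry matches."""
    for name, (magic, _) in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def signature_analysis(filename, data):
    """Classify one file with the four result terms of the Signature Analysis column."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    ftype = identify_header(data)
    if ftype is not None:
        if ext in SIGNATURES[ftype][1]:
            return "Match"
        return f"Alias ({ftype})"            # header known, extension was changed
    if ext in KNOWN_EXTENSIONS:
        return "Bad signature"                # extension known, header is not
    return "Unknown"

def gallery_candidates(files):
    """Names Gallery view should show once headers, not extensions, decide the type."""
    return sorted(name for name, data in files.items() if identify_header(data) in GRAPHICS)

# Constructed sample files: the names echo the lab's list, the bytes are invented.
SAMPLE_FILES = {
    "photo.jpg":   b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
    "file3.xls":   b"\xFF\xD8\xFF\xE1\x00\x18Exif",         # JPEG renamed to .xls
    "tt-logo.gif": b"GIF89a\x10\x00\x10\x00",
    "file7.zip":   b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",  # PNG renamed to .zip
    "report.xls":  b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",      # OLE2 header, not in this table
    "notes.dat":   b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12s} {signature_analysis(name, data)}")
    print("Gallery:", gallery_candidates(SAMPLE_FILES))
```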
Question 15: What are the types of files that will not have a hash generated?
The deleted files
Question 16: What are the three most common uses for hashes analysis?
Securing files; very helpful in investigation; we can compare the hashes to know if we have the right file.
Compound Files
Question 17: Did anything happen? Do you find any important information? If so, what kind of information you got?
The files expanded and we can see all the folders and the files inside each folder.
Question 18: What interesting information do you see from emails?
I can find different folders like Deleted Items, Inbox, Sent Items and other folders.
Question 19: Read the EnCase Forensics V7 User Guide (page 208) and briefly describe what these features are.
These features are very helpful in an investigation; with them we can focus on a specific subject we want, and they help us in email investigation.
Question 20: Under the Records view, you should also see Thumbnails under WinLabRaw Image, what are thumbnails? List three of them.
Thumbnails are the files which we flagged and are interested in focusing on in the investigation.
Question 21: What kind of information do you see in the record for Internet?
We can find information regarding the internet browser, like cookies, history and bookmarks.
Question 22: How does “search unallocated space for internet artifacts” affect your search results in the record?
This search will look for all files that have a relation with the internet on the entire hard disk, even in the unallocated space.
Question 23: What are the results? List 2 files that contain the term “search” in their contents.
The results are all the files which have the word "search" in their titles and contents:
Search[1]
Search contractors
Question 24: What are the other search options besides "Search entry slack"?
Skip contents for known files, undelete entries before searching and use initialized size.
Question 25: What do you see from Search Hits? List two files from the search hits.
Search hits are more than or the same number as the items for the "computer" keyword; I found three hits:
Raytheon.htm
Monster.htm
Serach.htm
Action 26: Include a screenshot of the bookmarks you created in the Bookmarks tab.
[Screenshot: image4.jpg]
Action 27: Show the tagged Files in the Table view.
[Screenshot: image5.jpg]
Question 28: What is the “One-click tagging” feature (see EnCase User Guide, page 234)?
It adds each picture we click on to the important files which we are interested in investigating.
Action 29: Finally, go back to Process Evidence… from the Add Evidence menu. Select the WinlabEnCase image, expand Modules, choose one function from Modules and include your results below.
[Screenshot: image6.jpg]
[Screenshot: image7.jpg]