ENCASE

EnCase is the most widely used forensic analysis tool kit. It is used by significant numbers of law enforcement investigators, and it is also used by corporations worldwide to aid in internal investigations. EnCase, like the Forensic Toolkit, is helpful for the analyst who may not want or need to know the details of hard drives and operating system data structures. However, it has extensive capabilities for scripting and other advanced features that make it arguably one of the best all-in-one tools on the market. As discussed in Chapter 21, EnCase encompasses both acquisition and analysis tools, making it a complete solution for successfully completing nearly any investigation. EnCase costs from $900 to several thousand dollars, depending on whether you are a law enforcement or commercial customer, and on what version you need. EnCase basically has developed into two frameworks targeted towards three markets. EnCase Forensic Edition is the traditional suite of tools that Guidance Software built into a worldwide cult. EnCase Enterprise and the Field Intelligence Model extend these capabilities by providing remote forensic capabilities across the network using live agents that run on the remote machines. Interestingly enough, this has created opportunities to use sophisticated forensic tools in auditing and other situations outside traditional analysis. EnCase, like FTK, requires a dongle to use the analytical portion of the suite.

Note 

The EnCase manual includes a general forensic primer that you should read before you use the tool.

EnCase can analyze nearly every popular file system, including NTFS, FAT32, EXT2, and most others. Another cool feature is its ability to acquire and reconstruct RAID volumes. This makes it a versatile tool for organizations with multiple platforms. EnCase can be purchased from Guidance Software at http://www.encase.com.

Implementation

EnCase is a GUI tool and requires no command-line arguments to run. When you start EnCase, you click New on the top of the toolbar to create a new case. EnCase asks you for the directories for exporting documents and saving any temporary files, as shown in the following illustration. We highly suggest that you change the default directories to directories unique for the case you are working on. This will keep the data from your different cases separate, thereby improving the integrity of your case data.

Note 

If you need a function and cannot find it, try right-clicking the working pane for available options. This will help you avoid confusion.

Once the case has been created, save the case file. This can be done by clicking the Save button on the toolbar. After you have initially saved the case file, it is time to add your evidence to the case. There are several ways to add evidence to EnCase, including adding raw images created with other programs and adding the physical media directly (preferably using a read-only bay such as EnCase's FastBloc write blocker). Adding a physical device is easy. Simply click the Add button in the toolbar, select Local Drives, and then click Next. Finally, select the drive or drives you want to add:

Click Next and then Finish.

Adding a raw image is also easy. Choose Add Raw Image from the File menu, and right-click the blank space under Component Files and choose to insert a new image. You can choose from multiple options regarding the image and partition type:

The first time you load an evidence file, EnCase will attempt to verify the data added to the case. It is important that you understand that the EnCase evidence file uses a proprietary format. When the data is captured, the checksum information is saved directly to the EnCase evidence file. This integrity verification process recalculates the checksums over the evidence file and flags any data that has been altered since acquisition. While this process is running, the analyst can still perform forensics on the evidence loaded, although tasks will run more slowly than they would if this process were finished.
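The verification step above recomputes checksums that were recorded at acquisition time and flags what no longer matches. The following added example (not EnCase's code, and not the proprietary evidence-file format, whose layout and block size are not described on this page; the 512-byte block size, the per-block CRC32 plus whole-image MD5 scheme, and the `make_evidence`/`verify_evidence`/`tamper` names are this example's own assumptions) shows the idea on a constructed four-block image: the stored checksums localise a single altered byte to one block, and the overall MD5 fails.

```python
import hashlib
import zlib

# Block size for per-block checksums. EnCase's real evidence-file format has
# its own layout and block size; this value is an assumption for the example.
BLOCK_SIZE = 512


def make_evidence(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Package raw image bytes with the checksums an acquisition tool records:
    a CRC32 per block to localise damage, and one MD5 over the whole image."""
    crcs = [
        zlib.crc32(image[i:i + block_size]) & 0xFFFFFFFF
        for i in range(0, len(image), block_size)
    ]
    return {
        "block_size": block_size,
        "data": bytes(image),
        "crcs": crcs,
        "md5": hashlib.md5(image).hexdigest(),
    }


def verify_evidence(evidence: dict) -> dict:
    """Recompute every stored checksum and report what no longer matches."""
    data, bs = evidence["data"], evidence["block_size"]
    bad_blocks = [
        idx for idx, stored in enumerate(evidence["crcs"])
        if (zlib.crc32(data[idx * bs:(idx + 1) * bs]) & 0xFFFFFFFF) != stored
    ]
    md5_ok = hashlib.md5(data).hexdigest() == evidence["md5"]
    return {"md5_ok": md5_ok, "bad_blocks": bad_blocks, "verified": md5_ok and not bad_blocks}


def tamper(evidence: dict, offset: int, value: int) -> dict:
    """Return a copy of the evidence with one data byte changed (simulates a
    modified image file); the stored checksums are left untouched."""
    data = bytearray(evidence["data"])
    data[offset] = value
    return {**evidence, "data": bytes(data)}


def demo() -> tuple:
    """Verify a constructed image before and after a one-byte modification."""
    # Constructed sample image: four 512-byte blocks of recognisable filler.
    image = b"".join(bytes([0x41 + n]) * BLOCK_SIZE for n in range(4))
    original = make_evidence(image)
    altered = tamper(original, offset=2 * BLOCK_SIZE + 7, value=0x00)
    return verify_evidence(original), verify_evidence(altered)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean   :", clean)
    print("damaged :", damaged)
```

Running the block verifies the clean image and reports block 2 as bad for the altered copy; in practice the same two-level check is why a verification pass can tell you not just that an image changed but where.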

When the verification process is complete, the results are reported on the evidence history screen. You can view the specifics of the evidence files loaded by clicking Cases at the upper-left part of the EnCase window and viewing the Evidence tab at the bottom of the window. Each line represents an evidence file loaded, and the information regarding the verification of the checksum is displayed for future reference.

Figure 23-6 gives a view of the devices we have loaded into EnCase for the examination. Additionally, EnCase can open dd image files. Since image files created with dd can be acquired by nearly anyone, this additional functionality extends EnCase's power.


Figure 23-6: Devices are loaded and ready for the examination.

The first action you will usually want to run on evidence loaded in EnCase is a checksum and signature match of all logical files discovered. This can be accomplished by clicking Search on the EnCase toolbar to display the Search screen.

Typically, you will want to choose Verify File Signatures and Compute Hash Value, as shown next. These settings will compute the hash values for every file in the case. In the Cases view in the left pane of the EnCase window, you can add a check mark to specific folders, drives, and images to be searched. Additionally, EnCase will examine the headers and footers of each file and assign a file signature. For instance, Microsoft Office documents contain known headers and footers, so this process will assign the signature "Microsoft Word Document" to a file named file.txt if the file's header is a Word header rather than plain text. This is useful in case the attacker renames file extensions to thwart the investigator.

The following screen shows the MD5 checksums computed for arbitrary files in the evidence we added to our case at the beginning of this section. It is reported under the column heading entitled Hash Value:

Another action we will want to begin once the evidence has been added to the case is to recover folders that were deleted from the disk. What we will be doing is searching the entire disk for the "." and ".." combinations that represent directory entries. Once EnCase has located them, it will place the folders in a folder titled Recovered Folders under the disks in which they were discovered. To start this process, right-click the disk drive and select Recover Folders. This process will run and update its status in the title bar.
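The folder recovery described above works because every FAT subdirectory begins with a "." entry followed by a ".." entry, so those two 32-byte records can be found even after the directory itself has been unlinked. The following added example (this page's author's text describes the idea; the code is not EnCase's and the `recover_folders`, `parse_entry` and `build_sample_image` names are this example's own) scans a constructed 4 KiB image for that pair, reads the cluster numbers that tie the lost directory to its parent, and lists the entries that follow, including one marked deleted by the 0xE5 byte.

```python
import struct

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10
ENTRY_FMT = "<11sBBBHHHHHHHI"   # FAT short directory entry layout, 32 bytes
DOT = b".          "             # 8.3 name "." padded with spaces to 11 bytes
DOTDOT = b"..         "          # 8.3 name ".."


def make_entry(name11: bytes, attr: int, cluster: int, size: int) -> bytes:
    """Build a FAT directory entry (used here only to construct sample data)."""
    # name, attr, NT reserved, create tenths, create time, create date,
    # access date, first-cluster high, write time, write date, first-cluster low, size
    return struct.pack(ENTRY_FMT, name11, attr, 0, 0, 0, 0, 0,
                       cluster >> 16, 0, 0, cluster & 0xFFFF, size)


def parse_entry(raw: bytes) -> dict:
    """Decode one entry; 0xE5 as the first name byte marks a deleted entry."""
    name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == 0xE5
    if deleted:
        name = b"?" + name[1:]          # the first character is lost on deletion
    base = name[:8].rstrip(b" ").decode("latin-1")
    ext = name[8:].rstrip(b" ").decode("latin-1")
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "is_dir": bool(attr & ATTR_DIRECTORY),
        "cluster": (hi << 16) | lo,
        "size": size,
    }


def recover_folders(image: bytes) -> list:
    """Scan raw bytes for a '.' entry immediately followed by a '..' entry (the
    start of every FAT subdirectory) and list the entries that follow it.
    The byte-by-byte scan can produce false hits in text data, so the caller
    should treat each result as a candidate to be reviewed."""
    found = []
    limit = len(image) - 2 * ENTRY_SIZE
    for off in range(0, limit + 1):
        if image[off:off + 11] != DOT or not image[off + 11] & ATTR_DIRECTORY:
            continue
        nxt = off + ENTRY_SIZE
        if image[nxt:nxt + 11] != DOTDOT or not image[nxt + 11] & ATTR_DIRECTORY:
            continue
        here = parse_entry(image[off:nxt])
        parent = parse_entry(image[nxt:nxt + ENTRY_SIZE])
        children, pos = [], nxt + ENTRY_SIZE
        # Entries continue until a name starting with 0x00 (never used) or end of data.
        while pos + ENTRY_SIZE <= len(image) and image[pos] != 0x00:
            children.append(parse_entry(image[pos:pos + ENTRY_SIZE]))
            pos += ENTRY_SIZE
        found.append({"offset": off, "cluster": here["cluster"],
                      "parent_cluster": parent["cluster"], "entries": children})
    return found


def build_sample_image() -> bytes:
    """Constructed 4 KiB image: unallocated text, then a lost directory at
    offset 1024 that once held one live file and one deleted file."""
    img = bytearray(4096)
    filler = b"unallocated text from an old e-mail. no directory here.   "
    img[0:len(filler)] = filler
    directory = (
        make_entry(DOT, ATTR_DIRECTORY, 5, 0)            # this directory lives in cluster 5
        + make_entry(DOTDOT, ATTR_DIRECTORY, 0, 0)       # parent is the root (cluster 0)
        + make_entry(b"REPORT  TXT", 0x20, 6, 1234)
        + make_entry(b"\xe5ECRET  DOC", 0x20, 9, 4096)   # deleted: first byte now 0xE5
    )
    img[1024:1024 + len(directory)] = directory
    return bytes(img)


if __name__ == "__main__":
    for folder in recover_folders(build_sample_image()):
        print(f"directory at offset {folder['offset']}, cluster {folder['cluster']}, "
              f"parent cluster {folder['parent_cluster']}")
        for e in folder["entries"]:
            print("   ", "(deleted)" if e["deleted"] else "         ", e["name"], e["size"])
```

The recovered entry still carries its size and starting cluster, which is what makes a later attempt to pull the file's content from unallocated space possible; the lost first character of the name is why recovered Recycle Bin and deleted-file listings often show a placeholder in that position.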

EnCase also provides the ability to create scripts that can be executed on evidence for any case. Choose EScripts from the View menu to begin. Guidance Software bundles several EScripts with the default installation of EnCase. From this view, you can right-click SweepCase and select Run. The logic behind this is that you can have multiple cases that can be searched at the same time for the same type of data. Some of the options shown in Figure 23-7 include searching for credit card numbers, AOL files, and Windows Event Logs.


Figure 23-7: SweepCase options

Other useful example scripts recover INFO2 records and JPG, GIF, and EMF graphics files. The INFO2 records are files that record information about files deleted to the Recycle Bin in Windows operating systems. They may help prove the time and content of what the attacker intentionally deleted. JPG and GIF files are the graphics files typically used in web pages. Fragments of those web pages, including contraband (for example, pornography), may still exist on the disk. EMF files are print jobs for Windows operating systems; any files printed may be located to help you prove your case. These scripts place the results in the Bookmarks folder, in folders titled Recovered Recycle Bin Records and Recovered Graphics Files, respectively. The programming language itself is beyond the scope of this book, so for more information, you should consult the online resources provided for EScripts at http://www.encase.com.

Earlier, we discussed the ability of EnCase to give each file a signature depending on its file extension and content. Since EnCase cannot view (natively) every file that exists, you may want to link external viewers to different file types. A new external viewer can be established by choosing File Viewers from the View menu. Right-click the working space in the right pane and select New. At this point, you can add different viewers such as Quick View Plus (which is discussed in Chapter 24):

After the viewer has been added, whenever you encounter a file that you want to view with an external viewer, right-click the file, choose Send To, and then choose the viewer that you've established.

EnCase supports several viewing modes. The Gallery view displays all the graphics files in the directory. The Table view provides a detailed file listing that includes attributes such as time and date stamps, file size, and so on. The Timeline view, shown in Figure 23-8, shows a plot of the created, modified, and access timestamps for the files selected.


Figure 23-8: Timeline view of several files on a suspect's computer

Another function an analyst often uses is the keyword searching function, which allows the analyst to search for credit card numbers, contraband material, or other information. EnCase provides a mechanism to accomplish this task in the background so the analyst can return to work.

The searching function is somewhat tricky if you're not used to it. An easy way to grasp this is to picture two different parts that need direction. The first part is the search terms that need to be defined and checked off. The second part is selecting and checking off the devices and folders you want to search. Now, you can select the search function across the top row of buttons.

For this example, let's add a new keyword to search for. We will search for the keyword nuclear in our evidence. The keyword working pane is accessed by choosing Keywords from the View menu. Make sure to look at the examples and check or uncheck the ones you want. Next, add your specific search terms by right-clicking the working pane.

The New Keyword dialog box allows us to establish complex rules to refine the search:

Note 

You may want to select the Unicode option while searching evidence acquired from a Windows machine, because otherwise keywords may be missed in a file system that supports this functionality.

The grep functionality supports complex keywords. For instance, you can develop grep keyword strings to look for credit card numbers, such as ####-####-####-####.
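A keyword such as ####-####-####-#### (each # standing for one digit) will match any sixteen-digit pattern, including serial numbers and other non-card data. The following added example (not EnCase's GREP engine; the `grep_to_regex`, `luhn_ok` and `find_card_candidates` names, the broader optional-separator pattern, and the sample text are this example's own assumptions) translates the page's pattern into a Python regular expression, runs it over a constructed text, and then applies the Luhn check digit test that real card numbers satisfy, so an analyst can rank hits before reviewing them.

```python
import re


def grep_to_regex(pattern: str) -> str:
    """Translate a GREP-style keyword where '#' stands for one digit into a
    Python regex. Only the '#' wildcard is handled (assumption: everything else
    in the keyword is literal text); the digit look-arounds keep the match from
    landing inside a longer run of digits."""
    body = "".join(r"\d" if ch == "#" else re.escape(ch) for ch in pattern)
    return rf"(?<!\d){body}(?!\d)"


# Broader candidate pattern: four groups of four digits, separators optional.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[- ]?){3}\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation: real card numbers pass, most arbitrary digit
    strings do not, which cuts down false hits from serial and part numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def find_card_candidates(text: str, pattern: str = None) -> list:
    """Return every hit with its offset, the matched text and the Luhn verdict.
    With no pattern the broader CARD_CANDIDATE regex is used."""
    regex = re.compile(grep_to_regex(pattern)) if pattern else CARD_CANDIDATE
    hits = []
    for m in regex.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        hits.append({"offset": m.start(), "text": m.group(), "luhn_ok": luhn_ok(digits)})
    return hits


# Constructed sample evidence text: 4111... and 5500... are the usual
# publicly documented test card numbers; the other two fail the Luhn check.
SAMPLE_TEXT = (
    "order 4111 1111 1111 1111 confirmed; "
    "typo 4111-1111-1111-1112 rejected; "
    "serial 1234-5678-9012-3456 is a part number; "
    "backup card 5500 0000 0000 0004 on file"
)


if __name__ == "__main__":
    print("page pattern ####-####-####-####:")
    for h in find_card_candidates(SAMPLE_TEXT, "####-####-####-####"):
        print("  ", h)
    print("broader pattern, Luhn-filtered:")
    for h in find_card_candidates(SAMPLE_TEXT):
        if h["luhn_ok"]:
            print("  ", h)
```

With the page's hyphen-only pattern both hits in the sample fail the Luhn test; the broader pattern finds all four candidates and the check leaves the two real test numbers, which is the kind of triage that keeps a search hit list reviewable.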

While the search is progressing, you will see the progress bar in the lower status area. Double-click this at any time to cancel the search. The results, shown in Figure 23-9, will be placed on the Search Hits tab accessible by choosing the Cases tab and then Search Hits.


Figure 23-9: Search hit results for the word "nuclear"

The results include the file (if applicable) in which the keyword was located, and some data before and after the keyword's location in the evidence. You can then view this file as you would any other file. If you want to export the results of the search into a text file (right-click the working pane, choose Export from the pop-up menu, and click OK), you will notice 38 different attributes for each occurrence.

Another useful function that EnCase provides to the analyst is the ability to use hash sets. Hash sets contain the MD5 checksums for many well-known files, such as system files, that can be identified quickly. These can help reduce the number of files that the analyst needs to examine because known files may not need to be examined. Hash sets can also be used to locate well-known contraband or hacking tools. The results of hash set analysis will appear in the Hash Category in the file detail view.

Note 

The Hash Category in EnCase is similar to the KFF in FTK.

You can enter a hash set in a case by choosing Hash Sets from the View menu. Right-clicking the working pane allows you to import a hash set of your choice. In the illustration, Import Hashkeeper is selected. A great location from which to download hash sets is the EnCase web site mentioned earlier.
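Two of the per-file checks described on this page, the file signature comparison from the Search screen section (a file.txt that carries a Word header) and the hash set lookup just described, combine naturally into one triage pass over a file listing. The following added example (not EnCase's code; the header table is a small constructed subset, the status labels "match", "mismatch" and "unknown" and the `classify`, `worklist` and `triage` names are this example's own, and the hash set is built from constructed file contents rather than copied from any vendor set, so its MD5 values are real only for this sample data) computes each file's MD5, decides whether its header agrees with its extension, looks the hash up in a Known/Notable set, and orders the remaining work so Notable hits and renamed files come first.

```python
import hashlib

# Constructed header table: a small subset of what a real signature table holds.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Microsoft Office document (OLE2)", {"doc", "xls", "ppt"}),
    (b"%PDF", "PDF document", {"pdf"}),
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"GIF87a", "GIF image", {"gif"}),
    (b"GIF89a", "GIF image", {"gif"}),
    (b"MZ", "Windows executable", {"exe", "dll", "sys"}),
]


def identify(data: bytes) -> tuple:
    """Return (description, expected extensions) for a known header, else None."""
    for magic, desc, exts in SIGNATURES:
        if data.startswith(magic):
            return desc, exts
    return None


def signature_status(filename: str, data: bytes) -> tuple:
    """Compare the header-derived type with the extension.
    The status labels are this example's own, not EnCase's."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = identify(data)
    if found is None:
        return "unknown", None
    desc, exts = found
    return ("match" if ext in exts else "mismatch"), desc


def classify(filename: str, data: bytes, hash_set: dict) -> dict:
    """One row of a file listing: MD5, signature verdict and hash-set category
    ('Known' or 'Notable' here, by assumption; None if the hash is not listed)."""
    md5 = hashlib.md5(data).hexdigest()
    status, desc = signature_status(filename, data)
    return {"file": filename, "md5": md5, "signature": desc or "none",
            "status": status, "category": hash_set.get(md5)}


def worklist(rows: list) -> list:
    """Drop hash-set 'Known' files; put Notable hits, then extension mismatches, first."""
    remaining = [r for r in rows if r["category"] != "Known"]
    return sorted(remaining, key=lambda r: (r["category"] != "Notable",
                                            r["status"] != "mismatch", r["file"]))


# Constructed sample files. The hash set below is computed from these contents.
SYSTEM_DLL = b"MZ\x90\x00" + b"system library, constructed " * 8
HACK_TOOL = b"MZ\x90\x00" + b"netcat-like tool, constructed " * 8
SAMPLE_FILES = {
    "notes.txt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,   # renamed Word document
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "kernel32.dll": SYSTEM_DLL,
    "nc.exe": HACK_TOOL,
    "readme.txt": b"plain text, no recognised header",
}
HASH_SET = {
    hashlib.md5(SYSTEM_DLL).hexdigest(): "Known",
    hashlib.md5(HACK_TOOL).hexdigest(): "Notable",
}


def triage(files: dict = None, hash_set: dict = None) -> list:
    """Classify every file and return the prioritised worklist."""
    files = SAMPLE_FILES if files is None else files
    hash_set = HASH_SET if hash_set is None else hash_set
    return worklist([classify(name, data, hash_set) for name, data in files.items()])


if __name__ == "__main__":
    for row in triage():
        print(f"{row['file']:14} {row['status']:9} {row['signature']:32} {row['category'] or '-'}")
```

On the sample the known system library drops out of the list entirely, the Notable tool is listed first, and notes.txt surfaces next because its OLE2 header does not belong to a .txt file; that ordering is the point of running both checks before anything else on a newly added image.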

EnCase lets you view files that may contain information deeper within them. For instance, the Windows registry files are proprietary files that basically need the original system in a running state for adequate analysis. EnCase can expand the registry files for viewing offline, which is a real time and energy saver for the analyst. After a registry file is located, right-click and choose View File Structure to see the file reconstructed. Pictured next is the registry structure for NTUSER.DAT showing the shared printers for the suspect's computer:

The registry assumes a pseudo-file structure within EnCase; we can search this structure and view the keys. Deeper keys into the registry act as deeper directories in EnCase.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175