EnCase


EnCase, written by Guidance Software, is widely used by law enforcement and commercial enterprises for forensic duplication (and as you will see later, it also helps in the analysis phase). This section walks you through the process of creating a forensic duplication using this tool. EnCase can be purchased from Guidance Software at http://www.encase.com.

Implementation

The first step when performing a forensic duplication with EnCase is to create a trusted boot disk. None of the tools discussed in this chapter have wizards as simple as EnCase’s. To create a boot disk and use it to acquire a forensic duplication of a source hard drive with EnCase, you simply follow these steps:

  1. Open EnCase and choose Tools; then choose Create Boot Disk. You are presented with the following screen:

  2. Choose the Target Drive destination and click Next. Be sure that you insert a fresh disk in the destination drive.

  3. Select the option Change From A System Diskette To A Boot Floppy. Then click Next. Note that this step works only with a Windows 95/98/Me boot disk that contains io.sys and command.com.

  4. If the option is available, select Full to format the floppy disk fully. Otherwise, make sure that you do not select the Quick Format option. Click Start.

  5. The EnCase acquiring tool will need to be copied to disk. The next screen copies the EnCase imaging tool to the floppy disk. In EnCase version 4, right-click the path field under Update Files and select New. Browse to the EnCase folder under Program Files and select en.exe. Click Finish to continue, and then click OK when the process completes.

  6. When the copy is finished, remove the disk and label it appropriately. Write-protect the disk by flipping the tab in the upper corner.

    Note 

    Guidance Software offers an automated EnCase Network Boot Disk creation tool. It is located at http://www.guidancesoftware.com/support/articles/networkbootdisk.shtm. The instructions are easy to follow, and Guidance offers support for more than 190 kinds of network cards. You must manually copy the en.exe file after you create the boot disk.

  7. Create a storage directory where the evidentiary files will be created by EnCase. For example, enter C:\EVID\ as the directory.

  8. In this example, remove the source hard drive from the suspect’s computer and place it in the forensic workstation to perform the duplication. Before the forensic workstation is booted, be sure that it is set to boot from the floppy drive first and not from the media removed from the source machine. This is usually specified in the BIOS. If there is any question, place the bootable floppy disk in the workstation and double-check the boot order before the source media is connected.

    In this example (from the Case Study), the 6GB Maxtor IDE hard drive was removed from the suspect’s desktop computer.

  9. Power on the workstation, and the floppy disk you created will be booted. When the DOS prompt is available, type the following command:

    A:\> en

    This command activates the EnCase imaging tool. When EnCase acquires a forensic duplication of a source hard drive, it saves it as a file in a proprietary format in the file system of your storage media. Here, you will use this tool to save a duplication of the source hard drive to the directory C:\EVID. In this example, the drive you are duplicating (the source) is drive 2, and the drive you are saving the duplication to is drive 0 (the C: drive). In the main screen of the acquiring tool, you can see these drives:

  10. To safeguard the data to protect its integrity, all hard drives within the forensic workstation are locked (that is, they cannot be written to). The media containing the storage directory will need to be unlocked because you are saving a forensic duplication of the source hard drive to it. Therefore, TAB to the Lock option at the bottom of the screen and press ENTER. Then select the storage media—in this case, Disk 0.

  11. Press ENTER. Disk 0 is now unlocked.

  12. Once the storage media has been unlocked, TAB down and select Acquire to begin the forensic duplication process. The program will ask where the suspect media resides. Select the drive. In this example, the suspect media was connected to drive 2 in the forensic workstation.

  13. The EnCase acquisition program then asks where the evidence files are to be created. The directory you created in step 7 will be entered here. Also, you must enter the full path name you want for this evidence file. Since this is the first piece of evidence in this case, we will name it Tag1; type C:\evid\tag1. EnCase will automatically provide the filename extension. The first (and possibly only) piece will be called tag1.e01. If multiple pieces of the evidence file exist (because of the file size specified, the default is 640MB), they would be tag1.e02, tag1.e03, and so on.

  14. In the next few steps, enter information specific to your particular case that will be permanently saved to the evidence file. All of the information will be written to the evidence file and available to EnCase once it is loaded into a case. (See Chapter 23 for more information on using EnCase as an analysis tool.) First enter the case number assigned to this particular investigation.

  15. Then enter the name of the examiner who acquired this evidence.

  16. Enter the evidence number.

  17. Enter a description for the piece of evidence.

  18. The current date and time are read from the forensic workstation’s BIOS. Double-check this date and time and note any differences from a calibrated timepiece. You should also note any difference between this time and that of the source computer for the analysis phase.

  19. Enter any additional notes for the piece of evidence. You cannot be very descriptive here, as the field is not very large.

  20. The next screen asks whether you want to compress the evidence files. In this example, No was selected because maximum speed was desired over extra space on the hard drive. If you have limited space on the hard drive, select Yes. Since compression is highly dependent on the contents of the source hard drive, the compression ratio varies.

    Note 

    Enabling compression lengthens the acquisition time for the forensic duplication. Compression can also be done after analysis, if you change your mind.

  21. EnCase asks whether you want to generate the MD5 checksums for the evidence files being created. We recommend that you always select Yes at this step, as the checksums can only be generated here.

  22. You can place a password on the evidence files for further protection. In this instance, this was not done, to ensure the chain of custody of the evidence. If you have reason to believe that someone who should not have access may try to access these files, you may want to enter a password. Remember that if you place a password on the evidence files and lose it, there is (in some cases) no way to retrieve it. Press ENTER to use a blank password.

    Tip 

    Do not password protect the forensic duplication unless you have a very good reason to do so.

  23. Specify the number of sectors that you want to acquire. In most cases, this will not change from what EnCase offers, so just press ENTER.

  24. The next screen asks how large you want to make each file for the evidence file. EnCase will split large hard drives into multiple files for simpler management. Accept the default value of 640MB; you will then be able to move the individual evidence files to CD-ROM for archival later.

  25. EnCase finally begins the forensic duplication process automatically when you are finished entering the information in the last step. The tool provides a status bar and alerts you to any errors that may occur as shown next.

  26. When EnCase has finished the duplication process, it alerts you and provides a status. Notice how a 6GB hard drive did not take long to duplicate without compression. Press ENTER to continue.

  27. Select the item Quit to return to the DOS prompt. Shut down the forensic workstation and detach the suspect media.

Notice how, in this example, EnCase divided the hard drive into 10 files for the complete evidence file. You will import the files you just created in the forensic duplication into analysis tools in future chapters.

You have now completed a forensic duplication of a 6GB hard drive using EnCase.
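The script below is an added example (not code from the book or from Guidance Software) that shows the core of what the walk-through just performed, in simplified raw form: the source is read once as a stream, written out as fixed-size segment files, an MD5 of the whole source is computed in the same pass, and a plain-text log records the case fields asked for in steps 14 through 19. It writes plain numbered segments rather than EnCase's proprietary E01 format; the 1,000,000-byte "drive", the 300,000-byte segment size and the case details are constructed for illustration.

```python
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # read size per pass over the source

def acquire(source, out_dir, base, segment_size, meta):
    """Stream a read-only source into segments of at most segment_size bytes
    (base.001, base.002, ...), hashing it in the same pass. Returns (md5_hex, paths)."""
    md5, paths, fh, used = hashlib.md5(), [], None, 0
    for buf in iter(lambda: source.read(CHUNK), b""):
        md5.update(buf)
        while buf:
            if fh is None:  # open the next segment, like tag1.e02, tag1.e03 in EnCase
                paths.append(os.path.join(out_dir, f"{base}.{len(paths) + 1:03d}"))
                fh, used = open(paths[-1], "wb"), 0
            piece, buf = buf[:segment_size - used], buf[segment_size - used:]
            fh.write(piece)
            used += len(piece)
            if used == segment_size:
                fh.close()
                fh = None
    if fh is not None:
        fh.close()
    digest = md5.hexdigest()
    # Sidecar log stands in for the case details EnCase stores inside the evidence file.
    with open(os.path.join(out_dir, f"{base}.log"), "w") as log:
        for key, value in meta.items():
            log.write(f"{key}: {value}\n")
        log.write(f"acquired_utc: {datetime.now(timezone.utc).isoformat()}\n"
                  f"segments: {len(paths)}\nmd5: {digest}\n")
    return digest, paths

def verify(paths):
    """Recompute MD5 over the segments in order; compare with the acquisition hash."""
    md5 = hashlib.md5()
    for path in paths:
        with open(path, "rb") as fh:
            for buf in iter(lambda: fh.read(CHUNK), b""):
                md5.update(buf)
    return md5.hexdigest()

def demo():
    """Constructed 1,000,000-byte source split into 300,000-byte segments (4 files)."""
    data = bytes(range(256)) * 3906 + b"\x00" * 64
    meta = {"case_number": "EXAMPLE-001", "examiner": "J. Doe", "evidence_number": "Tag1"}
    with tempfile.TemporaryDirectory() as out_dir:
        digest, paths = acquire(io.BytesIO(data), out_dir, "tag1", 300_000, meta)
        return len(paths), digest == hashlib.md5(data).hexdigest(), verify(paths) == digest
```

On a real acquisition the source would be the device node of the suspect drive opened read-only from a trusted boot environment, exactly as the walk-through has the workstation boot from the write-protected floppy.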





Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189