ENCASE

EnCase, written by Guidance Software, is widely used by law enforcement and commercial enterprises for forensic imaging (and, as you will see later, it also helps in the analysis phase). This section walks you through the process of creating a forensic image using this tool. EnCase can be purchased from Guidance Software at http://www.encase.com.

Implementation

Note 

This procedure is for EnCase version 4; if you are a version 5 user, please visit the following web site for instructions: http://www.guidancesoftware.com/support/articles/CreateBarebonesBootDisk.asp.

The first step when performing a forensic image with EnCase is to create a trusted boot disk. Some of the tools discussed in this chapter have wizards as simple as EnCase's, so which to use becomes a matter of preference and budget. To create a boot disk and use it to acquire a forensic image of a source hard drive with EnCase, follow these steps:

  1. Open EnCase and choose Tools; then choose Create Boot Disk. You are presented with the following screen:

  2. Choose the Target Drive destination and click Next. Be sure that you insert a fresh disk in the destination drive.

  3. Select the option Change From A System Diskette To A Boot Floppy. Then click Next. Note that this step works only with a Windows 95/98/Me boot disk with IO.SYS and COMMAND.COM.

  4. If the option is available, select Full to format the floppy disk fully; otherwise, make sure that you do not select the Quick Format option. Click Start.

  5. The EnCase acquiring tool will need to be copied to disk. The next screen copies the EnCase imaging tool to the floppy disk. In EnCase version 4, right-click the path field under Update Files and select New. Browse to the EnCase folder under Program Files and select en.exe. Click Finish to continue, and then click OK when the process completes.

  6. When the copy is finished, remove the disk and label it appropriately. Write-protect the disk by flipping the tab in the upper corner.

    Note 

    If you are interested in doing an acquisition over the network, common when acquiring RAID systems, Guidance Software offers an automated EnCase Network Boot Disk creation tool. It is located at http://www.guidancesoftware.com/support/articles/networkbootdisk.asp. Please note that the file en.exe must be copied over after you create the boot disk.

  7. Create a storage directory where the evidentiary files will be created by EnCase. For example, enter C:\EVID\ as the directory.

    Tip 

    Remember that the storage directory needs to be on a FAT-formatted disk as DOS cannot write to NTFS.

  8. In this example, remove the source hard drive from the suspect's computer and place it in the forensic workstation to perform the duplication. Be sure that before the forensic workstation is booted, it is set to boot from the floppy drive first and not the media removed from the source machine. This is usually specified in the BIOS. If there is any question, place the bootable floppy in the workstation before the source media is connected to double-check. In this example (from the Case Study), the 6GB Maxtor IDE hard drive was removed from the suspect's desktop computer.

  9. Power on the workstation, and the floppy disk you created will be booted. When the DOS prompt is available, type the following command:

     A:\> en

  10. This command activates the EnCase imaging tool. When EnCase acquires a forensic image of a source hard drive, it saves it as a file in a proprietary format in the file system of your storage media. Here, you will use this tool to save a duplication of the source hard drive to the directory C:\EVID. In this example, the drive you are duplicating (the source) is drive 2 and the drive you are saving the duplication to is drive 0 (the C: drive). In the main screen of the acquiring tool, you can see these drives:

  11. To safeguard the data to protect its integrity, all hard drives within the forensic workstation are locked (that is, they cannot be written to). The media containing the storage directory will need to be unlocked because you are saving a forensic image of the source hard drive to it. Therefore, TAB to the Lock option at the bottom of the screen and press ENTER. Then select the storage media, in this case, Disk 0.

  12. Press ENTER. Disk 0 is now unlocked.

  13. Once the storage media has been unlocked, TAB down and select Acquire to begin the forensic imaging process. The program will ask where the suspect media resides. Select the drive. In this example, the suspect media was connected to drive 2 in the forensic workstation.

  14. The EnCase acquisition program then asks where the evidence files are to be created. The directory you created in step 7 will be entered here. Also, you must enter the full path name you want for this evidence file. Since this is the first piece of evidence in this case, we will name it Tag1; type C:\evid\tag1. EnCase will automatically provide the filename extension. The first (and possibly only) piece will be called tag1.e01. If multiple pieces of the evidence file exist (because of the file size specified, the default is 640MB), they would be tag1.e02, tag1.e03, and so on.

  15. In the next few steps, enter information specific to your particular case that will be permanently saved to the evidence file. All of the information will be written to the evidence file and available to EnCase once it is loaded into a case. (See Chapter 23 for more information on using EnCase as an analysis tool.) First, enter the case number assigned to this particular investigation.

  16. Now enter the name of the examiner who acquired this evidence.

  17. Enter the evidence number.

  18. Enter a description for the piece of evidence.

  19. The current date and time is read from the forensic workstation's BIOS. Double-check this date and time and note any differences with a calibrated timepiece. You should also note any differences between this time and that of the source computer for the analysis phase.

  20. Enter any additional notes for the piece of evidence. The field is not very large, so you cannot be very descriptive here.

  21. The next screen asks whether you want to compress the evidence files. In this example, No was selected because maximum speed was desired over extra space on the hard drive. If you have limited space on the hard drive, select Yes. Since compression is highly dependent on the contents of the source hard drive, the compression ratio varies.

    Note 

    Enabling compression lengthens the acquisition time for the forensic image. Compression can also be done after analysis, if you change your mind. Also remember that a noncompressed image will require a drive larger than itself to be acquired. For instance, an 80GB drive cannot be imaged to another 80GB drive because the destination drive has less usable space due to boot records and file tables at a minimum.

  22. EnCase asks whether you want to generate the MD5 checksums for the evidence files being created. We recommend you always select Yes at this step as it can only be done here! Without an MD5 hash, we cannot state at a later date that the data in the image has never been modified since we created it.

  23. You can place a password on the evidence files for further protection. If you have reason to believe that someone who shouldn't have access may want to access these files, you may want to enter a password. Remember that if you place a password on the evidence files and lose it, there is in some cases no way to retrieve it; however, tools such as AccessData's FTK can bypass the password and access the image directly. Press ENTER to use a blank password.

  24. Specify the number of sectors that you want to acquire. In most cases, this will not change from what EnCase offers, so just press ENTER.

  25. The next screen asks how large you want to make each file for the evidence file. EnCase will split large hard drives into multiple files for simpler management. Accept the default value of 640MB; you will then be able to move the individual evidence files to CD-ROM for archival later.

  26. EnCase finally begins the forensic image process automatically when you are finished entering the information in the last step. The tool provides a status bar and alerts you to any errors that may occur, as shown here.

  27. When EnCase has finished the duplication process, it alerts you and provides a status. Notice how a 6GB hard drive did not take long to duplicate without compression. Press ENTER to continue.

  28. Select the item Quit to return to the DOS prompt. Shut down the forensic workstation and detach the suspect media.

Notice how, in this example, EnCase divided the hard drive into 10 files for the complete evidence file. You will import the files you just created while imaging into analysis tools in future chapters.
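The segment naming in step 14, the MD5 step in step 22, the 640MB piece size in step 25 and the 10-file result above all follow from the same idea: the image is streamed into fixed-size pieces and hashed from the bytes as they are read, and that hash is what later proves the pieces are unchanged. The following script is an added illustration, not code from the book or from Guidance Software. It writes raw segments rather than EnCase's proprietary evidence-file format, treats 6GB as 6 GiB and 640MB as 640 MiB (an assumption; with those units the 6GB drive yields the 10 pieces mentioned above), and uses a constructed 10,000-byte byte pattern in place of a real drive.

```python
import hashlib
import io
import os
import tempfile

# Constructed sample "drive": 10 000 bytes of a recognisable pattern, not real evidence.
SAMPLE_DATA = bytes(range(256)) * 39 + b"\x00" * 16


def segment_names(base, total_bytes, segment_size):
    """Names the pieces of an evidence file would get: base.e01, base.e02, ...
    (assumption: two-digit numbering; naming past .e99 is not modelled here)."""
    count = max(1, -(-total_bytes // segment_size))  # ceiling division
    if count > 99:
        raise ValueError("more than 99 segments; naming beyond .e99 not modelled")
    return [f"{base}.e{n:02d}" for n in range(1, count + 1)]


def acquire(source, dest_dir, base, segment_size, block_size=1 << 20):
    """Stream the source into raw fixed-size segments and hash the bytes as they
    are read. Raw files stand in for the proprietary container; the point is that
    the acquisition hash is taken at read time, which is why it can only be
    generated during acquisition (step 22)."""
    md5 = hashlib.md5()
    segments = []
    index = 1
    eof = False
    while not eof:
        path = os.path.join(dest_dir, f"{base}.e{index:02d}")
        remaining = segment_size
        with open(path, "wb") as out:
            while remaining > 0:
                chunk = source.read(min(block_size, remaining))
                if not chunk:
                    eof = True
                    break
                md5.update(chunk)
                out.write(chunk)
                remaining -= len(chunk)
        if index > 1 and os.path.getsize(path) == 0:
            os.remove(path)  # source ended exactly on a segment boundary
            break
        segments.append(path)
        index += 1
    return segments, md5.hexdigest()


def verify(segment_paths, expected_md5, block_size=1 << 20):
    """Recompute MD5 over the segments in order and compare with the recorded
    acquisition hash; any later change to any piece makes this fail."""
    md5 = hashlib.md5()
    for path in segment_paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(block_size), b""):
                md5.update(block)
    return md5.hexdigest() == expected_md5


def demo():
    """Acquire SAMPLE_DATA at a 4 096-byte segment size, verify the result, then
    flip one byte in the last piece and verify again."""
    with tempfile.TemporaryDirectory() as d:
        segments, digest = acquire(io.BytesIO(SAMPLE_DATA), d, "tag1", 4096)
        names = [os.path.basename(p) for p in segments]
        intact = verify(segments, digest)
        with open(segments[-1], "r+b") as f:
            f.seek(0)
            f.write(b"\xff")  # simulate a post-acquisition modification
        tampered = verify(segments, digest)
    return names, digest, intact, tampered


if __name__ == "__main__":
    print(segment_names("tag1", 6 * 1024**3, 640 * 1024**2))  # ten pieces
    print(demo())
```

Run it as-is to see the 10 piece names for the 6GB drive and a verification that succeeds on the untouched pieces and fails after a single byte changes. The same recompute-and-compare check is what you will perform when the evidence files are loaded into an analysis tool later.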

You have now completed a forensic image of a 6GB hard drive using EnCase.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175