EnCase




EnCase is a widely used forensic analysis tool kit. It is used by significant numbers of law enforcement investigators, and it is also used by enterprises such as financial institutions to aid in internal investigations. EnCase, like the Forensic Toolkit, is geared toward the analyst who may not want or need to know the details of hard drives and operating system data structures. Also, as discussed in Chapter 21, EnCase encompasses both acquisition and analysis tools, making it a complete solution for successfully completing nearly any investigation. EnCase costs from $2000 to $2500, depending on whether you are a law enforcement or a commercial customer, respectively. EnCase, like FTK, requires a dongle to use the analytical portion of the suite.

Note 

The EnCase manual includes a general forensic primer that you should read before you use the tool.

EnCase can analyze nearly every popular file system, including NTFS, FAT32, EXT2, and others. This makes it a versatile tool for organizations with multiple platforms. EnCase can be purchased from Guidance Software at http://www.encase.com.

Implementation

EnCase is a GUI tool and requires no command-line arguments to run. When you start EnCase, you click New on the top of the toolbar to create a new case. EnCase asks you for the directories for exporting documents and saving any temporary files, as shown in the following illustration. We highly suggest that you change the default directories to directories unique for the case you are working on. This will keep the data from different cases separate, thereby improving integrity.


Note 

If you need a function and cannot find it, try right-clicking the working pane for available options. This will help you avoid confusion.

Once the case has been created, save the case file. This can be done by clicking the Save button on the toolbar. After you have initially saved the case file, it is time to add your evidence to the case. There are several ways to add evidence to EnCase, including adding raw images created with other programs and adding the physical media directly (preferably using a read-only bay such as EnCase’s FastBlock). Adding a physical device is easy. Simply click the Add button in the toolbar, select Local Drives, and then click Next. Finally, select the drive or drives you want to add:


Click Next and then Finish.

Adding a raw image is also easy. Choose File | Add Raw Image, and right-click the blank space under Component Files and choose to insert a new image. You can choose from multiple options regarding the image and partition type:


The first time you load an evidence file, EnCase will attempt to verify the data added to the case. It is important that you understand that the EnCase evidence file uses a proprietary format. When the data is captured, the checksum information is saved directly to the EnCase evidence file. This integrity verification process calculates the checksums in the evidence file and flags any data that has been altered. While this process is running, the analyst can still perform forensics on the evidence loaded, although tasks will run a little more slowly than they would if this process were finished.

When the verification process is complete, the results are reported on the evidence history screen. You can view the specifics of the evidence files loaded by clicking Cases at the upper-left of the EnCase window and viewing the Evidence tab at the bottom of the window. Each line represents an evidence file loaded, and the information regarding the verification of the checksum is displayed for future reference.

Figure 23-6 gives a view of the devices we have loaded into EnCase for the examination.

Figure 23-6: The devices loaded for examination

Additionally, EnCase can open dd image files. Since image files created with dd can be acquired by nearly anyone, this additional functionality extends EnCase’s power.

The first action you will usually want to run on evidence loaded in EnCase is a checksum and signature match of all logical files discovered. This can be accomplished by clicking Search on the EnCase toolbar to display the Search screen:

Typically, you will want to choose Verify File Signatures and Compute Hash Value. These settings will compute the hash values for every file in the case. In the Cases view in the left pane of the EnCase window, you can add a check mark to specific folders, drives, and images to be searched. Additionally, EnCase will examine the headers and footers of each file and assign a file signature. For instance, Microsoft Office documents contain known headers and footers, and this process will assign the signature “Microsoft Word Document” to a file.txt file if the header is discovered. This is useful in case the attacker is renaming file extensions to thwart the investigator.

The following screen shows the MD5 checksums computed for arbitrary files in the evidence we added to our case at the beginning of this section. It is reported under the column heading entitled Hash Value:


Another action we will want to begin once the evidence has been added to the case is to recover folders that were deleted from the disk. What we will be doing is searching the entire disk for the “.” and “..” combinations that represent directory entries. Once EnCase has located them, it will place the folders in a folder titled Recovered Folders under the disks in which they were discovered. To start this process, we right-click the disk drive and select Recover Folders. This process will run and update its status in the title bar.
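What Recover Folders does under the hood, as an added Python example that is not part of the book or of EnCase: it scans a raw FAT volume image for the "." and ".." directory entries that begin every subdirectory cluster, which survive after the parent's entry for the folder is deleted. The 4 KiB image and its cluster numbers are constructed for the demo.

```python
import struct

DOT = b".          "      # "." padded to the 11-byte 8.3 name field
DOTDOT = b"..         "
ATTR_DIRECTORY = 0x10

def make_dir_entry(name11, attr, cluster):
    """Build a 32-byte FAT directory entry with only the fields this scan reads."""
    entry = bytearray(32)
    entry[0:11] = name11
    entry[11] = attr
    struct.pack_into("<H", entry, 20, cluster >> 16)      # high word of first cluster
    struct.pack_into("<H", entry, 26, cluster & 0xFFFF)   # low word of first cluster
    return bytes(entry)

def first_cluster(entry):
    hi = struct.unpack_from("<H", entry, 20)[0]
    lo = struct.unpack_from("<H", entry, 26)[0]
    return (hi << 16) | lo

def recover_folders(image):
    """Scan a raw volume image for the '.' / '..' entry pair that opens every FAT
    subdirectory. A deleted folder's own cluster usually still holds this pair
    even after the parent's entry for it is marked deleted. Entries are 32-byte
    aligned from the volume start, so the scan steps by 32. Returns
    (offset, own_cluster, parent_cluster); parent 0 means the root directory."""
    hits = []
    for off in range(0, len(image) - 63, 32):
        a, b = image[off:off + 32], image[off + 32:off + 64]
        if (a[:11] == DOT and b[:11] == DOTDOT
                and a[11] & ATTR_DIRECTORY and b[11] & ATTR_DIRECTORY):
            hits.append((off, first_cluster(a), first_cluster(b)))
    return hits

# Constructed 4 KiB "volume": two orphaned subdirectory clusters, no parent entries.
CLUSTER = 512
IMAGE = bytearray(8 * CLUSTER)
IMAGE[2 * CLUSTER:2 * CLUSTER + 64] = (make_dir_entry(DOT, ATTR_DIRECTORY, 7)
                                       + make_dir_entry(DOTDOT, ATTR_DIRECTORY, 0))
IMAGE[6 * CLUSTER:6 * CLUSTER + 64] = (make_dir_entry(DOT, ATTR_DIRECTORY, 11)
                                       + make_dir_entry(DOTDOT, ATTR_DIRECTORY, 7))
IMAGE = bytes(IMAGE)
```

File content that happens to resemble such a pair produces a false positive, which is why EnCase presents the results as Recovered Folders for the analyst to validate rather than as confirmed directories.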

Another function EnCase provides is the ability to create scripts that can be executed on evidence for any case. We choose View | Scripts to begin. Guidance Software bundles several example EScripts with the default installation of EnCase. One of the scripts that is extremely useful is the Internet History script. This script locates all of the index.dat files left behind by Internet Explorer, which contain the web browsing history. (For further discussion of the index.dat files, see Chapter 24.) This script can alternatively search the entire physical disk, but it is time consuming. More scripts are available via the user forum at the EnCase web site (http://www.encase.com).

When a script you want to run is loaded, right-click the script name and select Run.


In the case of the Internet History script, it will prompt you for the directory in which you want to save the report. For this example, we selected C:\Evid\Export\. Once the script has finished running, we can specify the C:\Evid\Export directory and double-click the index.htm file. That file will contain the index page for the report, as shown here:


When we click one of the files listed in the index page of the Internet History report, we see each instance of a URL that the subject’s web browser opened. Here are two examples of interesting links; the subject in this case could be thinking about traveling to Brazil:


Note 

The dates that these web sites were visited may be important to the investigator!

Two other useful example scripts recover INFO2 records and JPG, GIF, and EMF graphics files. The INFO2 records are files that record information about files deleted to the Recycle Bin in Windows operating systems. They may help prove the time and content of what the attacker intentionally deleted. JPG and GIF files are the graphics files typically used in web pages. Fragments of those web pages, including contraband (for example, pornography) may still exist on the disk. EMF files are print jobs for Windows operating systems; any files printed may be located to help you prove your case. These scripts place the results in the Bookmarks folder, in folders titled Recovered Recycle Bin Records and Recovered Graphics Files, respectively. The programming language itself is beyond the scope of this book, so for more information, you should consult the online resources provided for EScripts at http://www.encase.com. Figure 23-7 shows the results of the graphic file discovery, using EScripts.

Figure 23-7: Graphic file discovery results

Earlier, we discussed the ability of EnCase to give each file a signature depending on its file extension and content. Since EnCase cannot view (natively) every file that exists, you may want to link external viewers to different file types. A new external viewer can be established by choosing View | File Viewers. Right-click the working space in the right pane, and select New. If you are using QuickViewPlus, you’ll see the following window:

At this point, you can add different viewers such as Quick View Plus (which is discussed in Chapter 24). After the viewer has been added, whenever you encounter a file that you want to view with an external viewer, right-click the file, choose Send To, and then choose the viewer that you’ve established.

EnCase supports several viewing modes. The Gallery view displays all the graphics files in the directory. The Table view provides a detailed file listing that includes attributes such as time and date stamps, file size, and so on. The Timeline view, shown in Figure 23-8, shows a plot of the created, modified, and access timestamps for the files selected.

Figure 23-8: Timeline view

The Report view, shown next, lists the details for the evidence file that contains the data. Any file or file fragment that the investigator flagged by right-clicking the Bookmark selector will appear in the report (unless it was specifically omitted by the investigator). If you right-click within the report, you can export it in Rich Text Format (RTF) so that you can cut and paste pertinent data into your investigation documentation.


Another function an analyst often uses is the keyword searching function, which allows the analyst to search for credit card numbers, contraband material, or other information. EnCase provides a mechanism to accomplish this task in the background so the analyst can return to work. For this example, we now want to add a new keyword to search for. We will search for the keyword nuclear in our evidence. The keyword can be added by choosing View | Keywords and right-clicking the working pane. The New Keyword dialog box allows us to establish complex rules to refine the search:


Note 

You may want to select the Unicode option while searching evidence acquired from a Windows machine, because otherwise keywords may be missed in a file system that supports this functionality.

The grep functionality supports complex keywords. For instance, you can develop grep keyword strings to look for credit card numbers, such as ####-####-####-####.
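The keyword search just described, as an added Python example that is not part of the book or of EnCase: it searches a raw evidence buffer for a keyword in both its ASCII and UTF-16LE forms (the reason for the Unicode option above) and for a Python regex equivalent of the page's ####-####-####-#### GREP pattern, returning each hit with the bytes before and after it. The evidence bytes and the card number are constructed for the demo.

```python
import re

def keyword_patterns(keyword, unicode=True):
    """Compile the ASCII form of a keyword and, if requested, its UTF-16LE form,
    which is how Windows stores many strings on disk (NTFS names, registry
    values, Unicode text). Matching is case-insensitive, as a typical search is."""
    pats = [re.escape(keyword.encode("ascii"))]
    if unicode:
        pats.append(re.escape(keyword.encode("utf-16-le")))
    return [re.compile(p, re.IGNORECASE) for p in pats]

# Python equivalent of the EnCase GREP keyword ####-####-####-####
# (# stands for one digit). Applied to raw bytes, so \d means ASCII digits only.
CARD_PATTERN = re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b")

def search(evidence, patterns, context=8):
    """Return every hit as offset, matched bytes, and `context` bytes either side,
    sorted by offset so hits from the ASCII and Unicode forms interleave."""
    hits = []
    for pat in patterns:
        for m in pat.finditer(evidence):
            start, end = m.start(), m.end()
            hits.append({
                "offset": start,
                "match": m.group(0),
                "before": evidence[max(0, start - context):start],
                "after": evidence[end:end + context],
            })
    return sorted(hits, key=lambda h: h["offset"])

# Constructed evidence buffer: an ASCII hit, a UTF-16LE hit that an ASCII-only
# search would miss, and one card-number-shaped string.
EVIDENCE = (b"plain text mentions NUCLEAR plant\n"
            + b"\x00" * 16
            + "Nuclear energy".encode("utf-16-le")
            + b"\x00" * 16
            + b"card 4111-1111-1111-1111 expires 12/09\n")
```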

To begin the search, click OK. While the search is progressing, you will see the progress bar in the lower status area. Double-click this at any time to cancel the search. The results, shown in Figure 23-9, will be placed on the Search Hits tab accessible by choosing View | Search Hits.

Figure 23-9: Search hits

The results include the file (if applicable) in which the keyword was located, and some data before and after the keyword’s location in the evidence. You can then view this file as you would any other file. If you want to export the results of the search into a text file (right-click the working pane, choose Export from the pop-up menu, and click OK), you will notice 38 different attributes for each occurrence.


After selecting the particular file shown in the illustration, if we switch back to the Cases tab in the upper-left corner, we can see the file that contained the keyword in full. It may be prudent for us to copy this file to the disk for further analysis. The particular file we have selected is a web page of interest; therefore, we may want to copy it to our local disk to present it as evidence. To copy the files (or folders), right-click the files and choose Copy/UnErase and follow the prompts:


This action produces a Destination dialog box that asks for the location to which to copy the selected files and folders. In this case, we select the directory C:\evid\export as the export destination folder for the files of interest. (Now you know why we suggested you use a different export directory for every case!) We then click Finish; when the process is complete, the files of interest will be available locally for further review.


Another useful function that EnCase provides to the analyst is the ability to use hash sets. Hash sets contain the MD5 checksums of many well-known files, such as operating system files, so those files can be identified quickly. This reduces the number of files the analyst needs to examine, because a file that matches a known-good set usually needs no review. Hash sets can also be used to locate well-known contraband or hacking tools. The results of hash set analysis will appear in the Hash Category in the file detail view.

Note 

The Hash Category in EnCase is similar to the KFF in FTK.

You can enter a hash set in a case by choosing View | Hash Sets. Right-clicking the working pane allows you to import a hash set of your choice. In the next illustration, we select Import Hashkeeper. A great location from which to download hash sets is from the EnCase web site mentioned earlier.
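The file triage that the Search screen's Verify File Signatures and Compute Hash Value options perform earlier in this section, combined with the hash set categorization described here, as an added Python example that is not part of the book or of EnCase. The evidence files, the signature table and the Known and Notable hash sets are all constructed for the demo; a real hash set such as Hashkeeper is far larger.

```python
import hashlib

# Constructed mini evidence set (filename -> bytes); not taken from the book.
# report.txt carries the OLE2 compound-document header of a Word 97-2003 file,
# i.e. a Word document renamed to .txt to disguise it.
EVIDENCE = {
    "report.txt": bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 24,
    "notes.txt": b"meeting notes: travel plans\n",
    "photo.jpg": bytes.fromhex("ffd8ffe0") + b"\x00" * 8 + bytes.fromhex("ffd9"),
    "nc.exe": b"MZ" + b"\x90" * 30,
}

# (implied extension, header bytes, footer bytes or None, EnCase-style label)
SIGNATURES = [
    ("doc", bytes.fromhex("d0cf11e0a1b11ae1"), None, "Microsoft Word Document"),
    ("jpg", bytes.fromhex("ffd8ff"), bytes.fromhex("ffd9"), "JPEG Image"),
    ("exe", b"MZ", None, "Windows Executable"),
]

# Constructed hash sets: "Known" = benign files that need no review,
# "Notable" = known hacking tools.
KNOWN = {hashlib.md5(b"meeting notes: travel plans\n").hexdigest()}
NOTABLE = {hashlib.md5(b"MZ" + b"\x90" * 30).hexdigest()}

def signature_of(data):
    """Return (implied extension, label) from header/footer, or (None, 'Unknown')."""
    for ext, header, footer, label in SIGNATURES:
        if data.startswith(header) and (footer is None or data.endswith(footer)):
            return ext, label
    return None, "Unknown"

def triage(files):
    """Per file: MD5 hash value, signature, extension mismatch flag, hash category."""
    rows = []
    for name, data in files.items():
        md5 = hashlib.md5(data).hexdigest()
        ext = name.rsplit(".", 1)[-1].lower()
        sig_ext, label = signature_of(data)
        if md5 in NOTABLE:
            category = "Notable"
        elif md5 in KNOWN:
            category = "Known"
        else:
            category = ""
        rows.append({"name": name, "md5": md5, "signature": label,
                     "mismatch": sig_ext is not None and sig_ext != ext,
                     "hash_category": category})
    return rows
```

A mismatch flag on report.txt is the renamed-extension case the text describes, while the Known category on notes.txt is the file an analyst can set aside.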

EnCase lets you view files that may contain information deeper within them. For instance, the Windows registry files are proprietary files that basically need the original system in a running state for adequate analysis. EnCase can expand the registry files for viewing offline, which is a real time and energy saver for the analyst. After a registry file is located, right-click and choose View File Structure to see the file reconstructed. Here we view the registry structure for NTUSER.DAT:


Within EnCase the registry takes on a pseudo-file structure; we can search this structure and view the keys. Deeper registry keys appear as nested directories in EnCase.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
