EnCase Computer Forensics -- The Official EnCE

Steve Bunting, EnCE, CCFT, has over 30 years of law enforcement and computer forensics experience. He is a Senior Forensic Consultant for Forward Discovery, a global forensics consulting organization. Previously he served as a captain with the University of Delaware Police Department, where he conducted examinations of computer systems for federal, state, and local law enforcement. He is also the coauthor of Mastering Windows Network Forensics and Investigation.

Introduction xxi

Assessment Test xxvii

Chapter 1 Computer Hardware 1

Computer Hardware Components 2

The Boot Process 14

Partitions 20

File Systems 25

Summary 27

Exam Essentials 27

Review Questions 28

Chapter 2 File Systems 33

FAT Basics 34

The Physical Layout of FAT 36

Viewing Directory Entries Using EnCase 52

The Function of FAT 58

NTFS Basics 73

CD File Systems 77

exFAT 79

Summary 83

Exam Essentials 84

Review Questions 85

Chapter 3 First Response 89

Planning and Preparation 90

The Physical Location 91

Personnel 91

Computer Systems 92

What to Take with You Before You Leave 94

Search Authority 97

Handling Evidence at the Scene 98

Securing the Scene 98

Recording and Photographing the Scene 99

Seizing Computer Evidence 99

Bagging and Tagging 110

Summary 113

Exam Essentials 113

Review Questions 115

Chapter 4 Acquiring Digital Evidence 119

Creating EnCase Forensic Boot Disks 121

Booting a Computer Using the EnCase Boot Disk 124

Seeing Invisible HPA and DCO Data 125

Other Reasons for Using a DOS Boot 126

Steps for Using a DOS Boot 126

Drive-to-Drive DOS Acquisition 128

Steps for Drive-to-Drive DOS Acquisition 128

Supplemental Information About Drive-to-Drive

DOS Acquisition 132

Network Acquisitions 135

Reasons to Use Network Acquisitions 135

Understanding Network Cables 136

Preparing an EnCase Network Boot Disk 137

Preparing an EnCase Network Boot CD 138

Steps for Network Acquisition 138

FastBloc/Tableau Acquisitions 151

Available FastBloc Models 151

FastBloc 2 Features 152

Steps for Tableau (FastBloc) Acquisition 154

FastBloc SE Acquisitions 163

About FastBloc SE 163

Steps for FastBloc SE Acquisitions 164

LinEn Acquisitions 168

Mounting a File System as Read-Only 168

Updating a Linux Boot CD with the Latest Version of LinEn 169

Running LinEn 171

Steps for LinEn Acquisition 173

Enterprise and FIM Acquisitions 176

EnCase Portable 180

Helpful Hints 188

Summary 189

Exam Essentials 192

Review Questions 194

Chapter 5 EnCase Concepts 199

EnCase Evidence File Format 200

CRC, MD5, and SHA-1 201

Evidence File Components and Function 202

New Evidence File Format 206

Evidence File Verification 207

Hashing Disks and Volumes 215

EnCase Case Files 217

EnCase Backup Utility 220

EnCase Configuration Files 227

Evidence Cache Folder 231

Summary 233

Exam Essentials 235

Review Questions 236

Chapter 6 EnCase Environment 241

Home Screen 242

EnCase Layout 246

Creating a Case 249

Tree Pane Navigation 255

Table Pane Navigation 266

Table View 266

Gallery View 275

Timeline View 277

Disk View 280

View Pane Navigation 284

Text View 284

Hex View 287

Picture View 288

Report View 289

Doc View 289

Transcript View 290

File Extents View 291

Permissions View 291

Decode View 292

Field View 294

Lock Option 294

Dixon Box 294

Navigation Data (GPS) 295

Find Feature 297

Other Views and Tools 298

Conditions and Filters 298

EnScript 299

Text Styles 299

Adjusting Panes 300

Other Views 306

Global Views and Settings 306

EnCase Options 310

Summary 318

Exam Essentials 320

Review Questions 321

Chapter 7 Understanding, Searching For, and Bookmarking Data 325

Understanding Data 327

Binary Numbers 327

Hexadecimal 333

Characters 336

ASCII 337

Unicode 338

EnCase Evidence Processor 340

Searching for Data 352

Creating Keywords 353

GREP Keywords 364

Starting a Search 373

Viewing Search Hits and Bookmarking Your Findings 376

Bookmarking 377

Summary 426

Exam Essentials 428

Review Questions 430

Chapter 8 File Signature Analysis and Hash Analysis 435

File Signature Analysis 436

Understanding Application Binding 437

Creating a New File Signature 438

Conducting a File Signature Analysis 442

Hash Analysis 449

MD5 Hash 449

Hash Sets and Hash Libraries 449

Hash Analysis 462

Summary 466

Exam Essentials 468

Review Questions 469

Chapter 9 Windows Operating System Artifacts 473

Dates and Times 475

Time Zones 475

Windows 64-Bit Time Stamp 476

Adjusting for Time Zone Offsets 481

Recycle Bin 487

Details of Recycle Bin Operation 488

The INFO2 File 488

Determining the Owner of Files in the Recycle Bin 493

Files Restored or Deleted from the Recycle Bin 494

Using an EnCase Evidence Processor to Determine the Status of Recycle Bin Files 496

Recycle Bin Bypass 498

Windows Vista/Windows 7 Recycle Bin 500

Link Files 504

Changing the Properties of a Shortcut 504

Forensic Importance of Link Files 505

Using the Link File Parser 509

Windows Folders 511

Recent Folder 515

Desktop Folder 516

My Documents/Documents 518

Send To Folder 518

Temp Folder 519

Favorites Folder 520

Windows Vista Low Folders 521

Cookies Folder 523

History Folder 526

Temporary Internet Files 532

Swap File 535

Hibernation File 536

Print Spooling 537

Legacy Operating System Artifacts 543

Windows Volume Shadow Copy 544

Windows Event Logs 549

Kinds of Information Available in Event Logs 549

Determining Levels of Auditing 552

Windows Vista/7 Event Logs 554

Using the Windows Event Log Parser 555

For More Information 558

Summary 559

Exam Essentials 564

Review Questions 566

Chapter 10 Advanced EnCase 571

Locating and Mounting Partitions 573

Mounting Files 588

Registry 595

Registry History 595

Registry Organization and Terminology 596

Using EnCase to Mount and View the Registry 601

Registry Research Techniques 605

EnScript and Filters 608

Running EnScripts 609

Filters and Conditions 611

Email 614

Base64 Encoding 619

EnCase Decryption Suite 622

Virtual File System (VFS) 629

Restoration 633

Physical Disk Emulator (PDE) 636

Putting It All Together 641

Summary 645

Exam Essentials 648

Review Questions 649

Appendix A Answers to Review Questions 653

Chapter 1: Computer Hardware 654

Chapter 2: File Systems 655

Chapter 3: First Response 657

Chapter 4: Acquiring Digital Evidence 658

Chapter 5: EnCase Concepts 659

Chapter 6: EnCase Environment 661

Chapter 7: Understanding, Searching For, and Bookmarking Data 662

Chapter 8: File Signature Analysis and Hash Analysis 663

Chapter 9: Windows Operating System Artifacts 664

Chapter 10: Advanced EnCase 665

Appendix B Creating Paperless Reports 667

Exporting the Web Page Report 669

Creating Your Container Report 671

Bookmarks and Hyperlinks 675

Burning the Report to CD or DVD 678

Appendix C About the Additional Study Tools 681

Additional Study Tools 682

Sybex Test Engine 682

Electronic Flashcards 682

PDF of Glossary of Terms 682

Adobe Reader 682

Additional Author Files 683

System Requirements 683

Using the Study Tools 683

Troubleshooting 683

Customer Care 684

Index 685