
The Top EnCase Tech Support Questions & What's new at Guidance Software?

Presented at the

HTCIA meeting, New York


by: Bill Siebert

Parallel port preview/acquire not connecting

1. Make sure the Windows version of EnCase and the DOS version of EnCase are the same; i.e., if you have EnCase 3.19 on your Windows side, you MUST have EnCase for DOS 3.19 on your EnCase boot floppy disk.

2. Make sure the parallel-port settings in the BIOS are the same for both the Subject PC and the Storage PC. The recommended BIOS settings are: Bi-Directional, EPP, ECP + EPP, ECP.

How to acquire using a NIC


1. Boot the suspect machine into DOS with one of the new automated EnCase Network boot disks.
2. Type EN at the DOS prompt. Select Server and then Network.
3. Boot the forensic machine into Windows.
4. Make sure the network settings are correct on the Windows machine: the TCP/IP protocol must be installed; the IP address should be set to 10.0.0.50; the subnet mask should be 255.255.255.0; you must remove your WINS and DNS settings.
5. Open EnCase, choose Preview/Acquire, and select Network for the source.

What file systems does EnCase support?

EnCase can interpret the following file systems: FAT12, FAT16, FAT32, NTFS, EXT2 (Linux), HFS, HFS+ (Mac and PowerMac), UFS (Unix), CDFS (CD-ROM), UDFS*

Note:

If EnCase does not recognize the file system on the drive (HPFS for example), it will show the unrecognized file system as an "unallocated cluster" file. You can still search for keywords and file headers, and make bookmarks, but you will not see file names or folder structure. You can still perform EScript searches against these file systems as well.

How to mass copy/unerase bookmarks


1. Check the check box of the top-most bookmark.
2. <Shift>-click on the check box of the bottom-most bookmark. All bookmarks will be checked.
3. Right-click anywhere in the Table view. Select the "Tag Selected Files" command.
4. Switch to the Case tab and you will notice that the files corresponding to the bookmarks you checked are now also all checked.
5. In the Table view, right-click on any one selected file and choose "Copy/Unerase".
6. Specify that you want to copy/unerase "all selected files".
7. Click Next, Next, and then Finish.

How to bookmark multiple recovered graphic images

To move recovered graphics files from the Recovered Graphics Files folder into one of the Final Report folders, typically the Pictures folder, do this:
1. Go to the Bookmark tab on the left.
2. Highlight the Recovered Graphics Files folder.
3. Go to the Table view on the right.
4. Drag and drop the desired images, by the number next to the file, into the folder of choice.

Note: At this time, you cannot multiple-select the images. You have to drag and drop them one at a time.

Time/Date stamp issues


Last Accessed: The Last Accessed column gives the date of the last access to the file. A file does not have to be altered for the Last Accessed date to change; it only has to be accessed (opened).

Last Written: The Last Written column indicates the last date and time that a file was actually opened, edited, and then saved. If a file is merely opened then closed (but not altered), or opened, edited, and closed with no save, then this column will not update.

File Created: This tells us when that particular file was created at that location. So, if a file was edited and changed on January 3rd, then copied to a floppy diskette on January 15th, and you acquired that floppy diskette on January 28th, you would notice that the file (on the floppy) was created after it was last written or even accessed!

Entry Modified: This is only pertinent to NTFS (Windows NT, Windows 2000) and Linux file system files. It refers to the pointer for the file entry and the information that that pointer contains, such as the size of the file. So, if you were to change a file, but

How to add an external file viewer

1. Navigate to Tools > File Signatures and Viewers > Viewers tab.
2. Right-click and select New File Viewer.
3. After you add the file viewer, go back to the File Signatures page and associate the new viewer with whatever type of file you wish.

How to acquire a laptop hard drive


There are 4 ways to acquire a laptop hard drive. In order, from fastest to slowest:
1. Remove the hard drive from the laptop and acquire using FastBloc. (You will need to buy a 40-pin standard IDE connector to laptop HDD connector, which runs about $10 at any computer store.)
2. Remove the hard drive from the laptop and acquire using DOS. Again, you will need to buy that adapter.
3. Using the EnCase Network Boot disk and a compatible network card in both the laptop and your forensic machine, use the 10bT crossover cable and acquire through that.
4. Using the parallel port cable. This method is extremely slow; however, on some laptops it is the only way to acquire them.

Note: Many laptop hard drives are "married to the motherboard" so that they will not work correctly if you try to acquire them outside of the laptop. For that reason, many people only consider using methods 3 & 4. Method 3 is definitely faster than number 4.

How to find a deleted partition

1. Run a hex search for the characters '55' and 'AA' and see if you can find the end of a partition. If you do, count 63 sectors to the right of that. If there is "MSWIN4.1" or "NTFS" text in that sector, then that sector (with the text) is the beginning of a new partition.

2. Right-click that sector and click Add Partition.

Note: You can find more information regarding recovering partitions in Chapter 19 of the EnCase 3.18 User Manual.
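The same search can be scripted over a raw image, which is useful for checking a large disk before going sector by sector in EnCase. The block below is an added example written for this page, not EnCase code: it walks a raw image sector by sector, notes every sector that ends in 55 AA, and reports the sector 63 positions later if it carries the "MSWIN4.1" (FAT32) or "NTFS" OEM name at byte offset 3. The image it scans is constructed in memory (an MBR at sector 0, a FAT32 boot sector at sector 63, an extended record at sector 150 and an NTFS boot sector at sector 213), so the sector numbers and the 512-byte sector size are assumptions of the example.

```python
SECTOR = 512
BOOT_SIG = b"\x55\xAA"
# OEM-name strings that mark a FAT32 or NTFS boot sector (bytes 3..10).
OEM_NAMES = (b"MSWIN4.1", b"NTFS")


def sector(image: bytes, n: int) -> bytes:
    """Return sector n of the image (empty if past the end)."""
    return image[n * SECTOR:(n + 1) * SECTOR]


def find_partition_starts(image: bytes, gap: int = 63):
    """Return (sector_number, oem_name) for every sector that lies `gap`
    sectors after a 55 AA-terminated sector and carries a known OEM name.
    These are the sectors one would right-click and "Add Partition" on."""
    total = len(image) // SECTOR
    hits = []
    for s in range(total):
        if sector(image, s)[-2:] != BOOT_SIG:
            continue  # not a partition table / boot sector candidate
        candidate = s + gap
        if candidate >= total:
            break  # nothing 63 sectors further on; stop scanning
        target = sector(image, candidate)
        oem = target[3:11]
        # A genuine FAT/NTFS boot sector also ends with 55 AA itself;
        # requiring both cuts down on false hits from random 55 AA bytes.
        if oem.startswith(OEM_NAMES) and target[-2:] == BOOT_SIG:
            hits.append((candidate, oem.rstrip(b" ").decode("ascii")))
    return hits


def make_boot_sector(oem: bytes) -> bytes:
    """Build a minimal constructed boot sector: jump, OEM name, 55 AA."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x58\x90"
    sec[3:11] = oem.ljust(8)
    sec[510:512] = BOOT_SIG
    return bytes(sec)


def build_sample_image(total_sectors: int = 300) -> bytes:
    """Constructed test image (not real evidence): MBR at 0, FAT32 volume
    at 63, an extended partition record at 150 and an NTFS volume at 213."""
    img = bytearray(total_sectors * SECTOR)
    img[510:512] = BOOT_SIG                                   # MBR signature
    img[63 * SECTOR:64 * SECTOR] = make_boot_sector(b"MSWIN4.1")
    img[150 * SECTOR + 510:150 * SECTOR + 512] = BOOT_SIG     # extended record
    img[213 * SECTOR:214 * SECTOR] = make_boot_sector(b"NTFS")
    return bytes(img)


if __name__ == "__main__":
    for start, oem in find_partition_starts(build_sample_image()):
        print(f"possible partition start at sector {start} ({oem})")
```

To run it against a real acquisition, read the raw image file into `image` (or adapt `sector()` to seek within an open file) instead of calling `build_sample_image()`. The 63-sector gap is the classic CHS alignment the slide describes; volumes created with other alignments will not be found by this rule, which is why the manual method remains a search for candidates rather than a proof.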

How to acquire a PDA

The only Palms supported, at this time, are the following: III series, V series, VII series, M105, M100.

Note: You can acquire other PDAs that use the Palm OS 3.0, such as certain models of the Handspring Visor.

1. At the Palm:
   a. Put the PDA in its cradle.
   b. Attach the cradle cable to an available serial port on your computer.
   c. Boot up the computer into Windows.
   d. Launch EnCase for Windows.
   e. Turn the Palm PDA on.
   f. Put it in Console mode. To put a Palm in Console mode, draw in the "graffiti" area: a lower-case cursive "l" on the left side, a double-dot on the left side, then the number "2" on the right side.

Note: You will be able to tell when a Palm is in "console mode" by a slightly longer "beep" sound than the normal "beep" sound. To get out of console mode, you must reset the Palm. If you do not hear a "beep" sound when putting the Palm into Console mode, check the system volume settings for System Sound, Alarm Sound, and Game Sound. They should all be set to "High".

2. Back at your computer:
   a. Click the Acquire (or Preview) button in EnCase.
   b. Source: "Local Devices". Include: "Palm Pilot" only. You will see all serial devices attached to your computer. Click Next.
   c. Enter your information (evidence number, case number, investigator's name, etc.) on the acquisition screen. Click Next.
   d. Choose to acquire only, or add and verify into the case. Click Next.
   e. Choose compression and hashing options, and provide a file name. Click Finish.
   f. You will see the Palm acquiring. It takes a while. When finished, you will get a message telling you so.
   g. Add the evidence file to a new (or existing) case. You will see the Palm in the Case view.

Getting out of Console mode: You have to reset the Palm. To reset a Palm, look for a small circular hole on the back of the Palm with the word RESET by it. Insert a pen tip in there. You will not be able to HotSync a Palm until it is out of Console mode, so be sure to do that.

What's new at Guidance Software?

EnCase Enterprise Edition


- EnCase Enterprise Edition allows investigators, inside or outside a network, to examine a target node in a forensic process.
- Security controls are at a domain level and allow for multiple/remote domains.
- EnCase Enterprise Edition operates in the Guidance Software Secure Network Application Environment.
- The components of EnCase Enterprise Edition are: S.A.F.E. (Secure Authentication for Forensic Examinations), EnCase Node Servlet, EnCase V3 Enterprise Client.

Design Features
Based on secure public-key authentication, with 128-bit encryption for transmissions and files.

- Granular user permissions
- Vendor must authorize each SAFE setup
- Tamper-resistant storage of the SAFE private key on the SAFE
- Secure backup of the SAFE private key for disaster recovery
- Secure binding between SAFE hardware and SAFE private key
- All session keys generated on SAFE hardware
- Prevent replay attacks without relying on synchronized clocks
- Node can validate the SAFE public key with the vendor signature
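The "replay attacks without synchronized clocks" bullet above describes a property rather than a mechanism. The block below is an added illustration of the usual way that property is obtained, a one-time random challenge, and is not Guidance Software's code or the actual SAFE protocol: the real design is public-key based, whereas this stand-in uses an HMAC over a shared secret (Python's standard library has no signing primitive) so that it runs anywhere. The examiner name, the constructed secret and the context string are assumptions of the example. The server issues a fresh 16-byte nonce per session, consumes it when the response is checked, and so a captured (nonce, response) pair is worthless afterwards, with no clock involved.

```python
import hashlib
import hmac
import secrets

CONTEXT = b"examiner-auth|"  # constructed domain-separation label


def respond(secret: bytes, nonce: bytes) -> bytes:
    """What the examiner side computes over the server's challenge."""
    return hmac.new(secret, CONTEXT + nonce, hashlib.sha256).digest()


class ChallengeAuthenticator:
    """Issues one-time challenges and checks examiner responses.

    Replay protection comes from the nonce, not from time: each challenge
    is random and is discarded as soon as a matching response is checked,
    so a recorded response can never be accepted a second time."""

    def __init__(self, examiner_secrets):
        # examiner id -> shared secret (stands in for the examiner key pair)
        self._secrets = dict(examiner_secrets)
        self._pending = {}  # examiner id -> nonce of the outstanding challenge

    def challenge(self, examiner: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[examiner] = nonce  # a new challenge supersedes the old
        return nonce

    def verify(self, examiner: str, nonce: bytes, response: bytes) -> bool:
        secret = self._secrets.get(examiner)
        expected_nonce = self._pending.get(examiner)
        if secret is None or expected_nonce is None:
            return False  # unknown examiner or no challenge outstanding
        if not hmac.compare_digest(expected_nonce, nonce):
            return False  # stale or foreign nonce; keep the live one pending
        # Consume the challenge before judging the response: one use only.
        del self._pending[examiner]
        return hmac.compare_digest(respond(secret, nonce), response)


def demo():
    """Return (first_ok, replay_ok, stale_ok) for a constructed session."""
    secret = b"constructed-examiner-secret"
    safe = ChallengeAuthenticator({"examiner1": secret})

    nonce = safe.challenge("examiner1")
    reply = respond(secret, nonce)
    first_ok = safe.verify("examiner1", nonce, reply)      # genuine login

    # The same pair presented again, as a recorded session would be.
    replay_ok = safe.verify("examiner1", nonce, reply)

    # A new challenge: the old reply does not match the new nonce.
    nonce2 = safe.challenge("examiner1")
    stale_ok = safe.verify("examiner1", nonce2, reply)
    return first_ok, replay_ok, stale_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The design point worth noting is the order inside `verify()`: the nonce is compared before it is deleted, so a wrong nonce does not cancel a legitimate outstanding challenge, but it is deleted before the response is compared, so even a correct response can only ever succeed once.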

S.A.F.E. Server

- Defines EnCase Examiner access permissions
- Maintains EnCase authentication keys
- Authenticates Examiners
- Controls Examiners' privileges
- Controls access to the Target Node via the Servlet
- Enables/disables Examiner sessions
- Monitors and logs sessions

Multi-SAFE Environment

(Diagram: a multi-SAFE environment with Keymaster 1 and Keymaster 2, SAFE1 and SAFE2, Node 1 and Node 2, an Examiner, and a Consultant.)

EnCase v3 Enterprise Client


- Designed for EnCase Enterprise Edition
- Enhanced user interface for network node definition
- Encrypted evidence files
- Contains all features of EnCase v3
- Used standalone for viewing Enterprise Edition encrypted evidence files

Corporate Advantage

Best Practice: Incident Response

Situation: Employee deletes files and company data or information.

Action: Use EnCase to search for deleted files.
1. Secure scene
2. Preview media or drive
3. Use undelete to recover files
4. Recover deleted folders and file fragments
5. Document findings in report

Outcome: Files recovered; evidence is secured and available for judgment on the act. Without a forensic copy, litigation for possible malicious intent would be compromised.

Corporate Advantage
Best Practice: Incident Response

Situation: Unusual activity in an employee's computer use after work; possible inappropriate graphics or content.

Action: Use EnCase to determine misuse.
1. Gallery view for visual review
2. Recover deleted files
3. Review files with after-hours activity in the Timeline view
4. Document findings in report

Outcome: Use verified; you have court-approved evidence in support of your HR policies toward computer use. HR takes action if necessary.

Corporate Advantage
Best Practice: Exit Interview

Situation: Employee leaves the company, whether involved in projects and programs or not, and whether on good terms or not.

Action: Use EnCase to search for intellectual property, deleted files, programs, databases and communications.
1. Secure scene
2. Image PC drive(s)
3. Recover deleted folders and file fragments
4. Search using key words or code names
5. Document findings in report

Outcome: Understand the exposure of intellectual property on the subject drive, and be able to pursue recourse up to litigation if necessary. Imaging the drive of all exits (good or bad) helps reduce HR issues resulting from employees feeling singled out.

Bill Siebert
Director of Computer Investigative Services, Guidance Software

CIS@GuidanceSoftware.com
www.GuidanceSoftware.com
